locked
SCCM (1710) Client installation - Multiple domain/client push accounts RRS feed

  • Question

  • Hi All,

    I have multiple domains tied up in our SCCM environment and have client push account for each domain.

    DomainA\ClientInstall

    DomainB\ClientInstall

    DoaminC\ClientINstall  . . D  E  F

    Lately I have not been able to install client out side main domain. Been looking at ccm.log all day and it seems to be only using DomainA\ClientInstall account and not trying others.

    Any ideas on how long before it give-up on best shot account and try others? 


    Friday, January 12, 2018 6:20 AM

Answers

  • Can't say I've tried multiple accounts in 1710 so it certainly could be a bug.

    For troubleshooting, I'd disable auto-client push and remove all of the accounts. Then I'd restart the ccm thread, and re-add one account at a time and try manually pushing to a client each time to validate whether it is seeing the accounts or not.

    If this ultimately yields the same results, I'd say it's a bug you need to open a case with Microsoft CSS on.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by TJSccm Tuesday, January 16, 2018 8:58 AM
    Friday, January 12, 2018 2:59 PM

All replies

  • Hi,

    What error do you see in the ccm.log file? Anything else changed in domain setup? so it actually can connect but fails on something else..

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Friday, January 12, 2018 6:47 AM
  • Take his steps, apply them to your situation. It can be summarized like this:

     

    - Communications between the intended management point and the "other domain" clients

    - The SCCM administrator account from your current domain has admin permissions on your "other domain" (meaning it has the permissions that Microsoft documentation asks for a SCCM admin)

    - The sccm admin account and the servers accounts have full control over the "System Management" container in your "other domain" active directory.

    - You have enabled "System Discovery" in your current domain, and also added the "other domain" to be discovered. (With this task it may not be a good practice to just add "theotherdomain.com" to the system discovery, it would be best to add specific containers or groups in order to have a more granular approach in finding clients)

     

    There are other permissions that Microsoft documentation and also several tutorials here can help you out in order to take control over the clients in another forest wether if it is untrusted or not. Peter van der Woude even has a tutorial to take control over clients in Workgroups!! That's fantastic!

     

    Anyway, what I wrote were really simple steps to get you going.

    Friday, January 12, 2018 7:35 AM
  • Only thing changed to what I know is update to 1710, it was all working before that, In past CCM.log would show using other account if one fails, but now it just keeps using one account.

    Computer is on domain C but but SCCM is not using ClientInstall account for C after failing to use domain A account. Monitored log for few hrs 8 ClintInstall account and only 1 is being used over and over again.

    I can successfully ping this computer from within SCCM using RCT

    ccm.log

    ======>Begin Processing request: "2097152535", machine name: "STCTBOLU01" SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:13 PM 19984 (0x4E10)
    Execute query exec [sp_IsMPAvailable] N'SP1' SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:13 PM 19984 (0x4E10)
    ---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x0) SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:13 PM 19984 (0x4E10)
    ---> Attempting to connect to administrative share '\\STCTBOLU01.domainC.com\admin$' using account 'DomainA\ClientInstall' SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:13 PM 19984 (0x4E10)
    Submitted request successfully SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:15 PM 15280 (0x3BB0)
    Getting a new request from queue "Retry" after 100 millisecond delay. SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:15 PM 15280 (0x3BB0)
    Sleeping for 60 minutes for queue "Retry". SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:15 PM 15280 (0x3BB0)
    ---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account DomainA\ClientInstall (00000035) SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:57 PM 19984 (0x4E10)
    ---> The device STCTBOLU01.domain.com does not exist on the network. Giving up SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:57 PM 19984 (0x4E10)
    ---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x0) SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:57 PM 19984 (0x4E10)
    ---> Attempting to connect to administrative share '\\STCTBOLU01.domainC.com\admin$' using account 'DomainA\ClientInstall' SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:19:57 PM 19984 (0x4E10)
    ---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account DomainA\ClientInstall (00000035) SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:01 PM 19984 (0x4E10)
    ---> The device STCTBOLU01 does not exist on the network. Giving up SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:01 PM 19984 (0x4E10)
    ---> ERROR: Unable to access target machine for request: "2097152535", machine name: "STCTBOLU01",  access denied or invalid network path. SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:01 PM 19984 (0x4E10)
    Execute query exec [sp_CP_SetLastErrorCode] 2097152535, 53 SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:01 PM 19984 (0x4E10)
    Stored request "2097152535", machine name "STCTBOLU01", in queue "Retry". SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:01 PM 19984 (0x4E10)
    Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097152535, 2 SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:01 PM 19984 (0x4E10)
    Execute query exec [sp_CP_SetLatest] 2097152535, N'01/12/2018 08:20:01', 645 SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:01 PM 19984 (0x4E10)
    <======End request: "2097152535", machine name: "STCTBOLU01". SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:01 PM 19984 (0x4E10)
    CCR count in queue "Retry" is 2. SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:09 PM 14696 (0x3968)
    Sleeping for 754 seconds... SMS_CLIENT_CONFIG_MANAGER 12/01/2018 7:20:09 PM 14696 (0x3968)


    • Edited by TJSccm Friday, January 12, 2018 9:39 AM wording
    Friday, January 12, 2018 9:38 AM
  • Take his steps, apply them to your situation. It can be summarized like this:

     

    - Communications between the intended management point and the "other domain" clients

    - The SCCM administrator account from your current domain has admin permissions on your "other domain" (meaning it has the permissions that Microsoft documentation asks for a SCCM admin)

    - The sccm admin account and the servers accounts have full control over the "System Management" container in your "other domain" active directory.

    - You have enabled "System Discovery" in your current domain, and also added the "other domain" to be discovered. (With this task it may not be a good practice to just add "theotherdomain.com" to the system discovery, it would be best to add specific containers or groups in order to have a more granular approach in finding clients)

     

    There are other permissions that Microsoft documentation and also several tutorials here can help you out in order to take control over the clients in another forest wether if it is untrusted or not. Peter van der Woude even has a tutorial to take control over clients in Workgroups!! That's fantastic!

     

    Anyway, what I wrote were really simple steps to get you going.

    Sorry, but none of that has anything to do whatsoever with the OPs problem.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, January 12, 2018 2:56 PM
  • Can't say I've tried multiple accounts in 1710 so it certainly could be a bug.

    For troubleshooting, I'd disable auto-client push and remove all of the accounts. Then I'd restart the ccm thread, and re-add one account at a time and try manually pushing to a client each time to validate whether it is seeing the accounts or not.

    If this ultimately yields the same results, I'd say it's a bug you need to open a case with Microsoft CSS on.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by TJSccm Tuesday, January 16, 2018 8:58 AM
    Friday, January 12, 2018 2:59 PM
  • Thanks for tip Jason, I removed the account that was constantly getting used, looked at ccm.log and all other client push accounts started penetration. Added removed account back in action, so far no issues and client install doing it's magic. 
    Tuesday, January 16, 2018 9:02 AM
  • Excellent. Strange, one-off bug probably but at least it was an easy work-around.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, January 16, 2018 2:16 PM