locked
FCS MOM server stops receiving heartbeat from it self after client upgrade from WSUS RRS feed

  • Question

  • Hi

     

    The setup:

     

    2003 SP2 domain member server with the RTM evaluation version of forefront CS server installed.

    The server is hosting all forefront server roles ( Not the update distribution role - it is on my existing WSUS 3 server)

     

    When i first install the forefront management suite on the server everything is fine and the server sees itself through the mom console, and hertbeating is operational between the mom server and the same servers mom agent.

     

    This communication however is broken the first time the server gets updates from the WSUS, when it updates the forefront client components ( including the mom agent ). After this the mom server no longer receives herbeats from its own mom agent. It looks as if the agent gets upgraded to a incompatible version or something.

     

    The other clients running only the FCS client components ( TWO Vista pc's, Three 2003 servers and an XP PC) doesn't get broken by the Client Security Upgrade and continues to communicate with the MOM/Forefront server.

     

    in the eventlog on the server it start giving these errors every time i reboot the server:

     

    Event Type: Information
    Event Source: Microsoft Operations Manager
    Event Category: MOM Server
    Event ID: 21218
    Date:  20-06-2007
    Time:  05:00:43
    User:  NT AUTHORITY\SYSTEM
    Computer: PANDA1
    Description:
    The Server could not load any cached configuration information.
    This error may occur when the configuration cache file is not present (which will be the case when
    an agent/server gets installed for the first time), or when the file becomes corrupted.
    Management Group: ForefrontClientSecurity

    The Server will not process data until it successfully retrieves configuration information.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    *****************************************

    Event Type: Information
    Event Source: Microsoft Operations Manager
    Event Category: MOM Agent
    Event ID: 21218
    Date:  20-06-2007
    Time:  05:00:43
    User:  NT AUTHORITY\SYSTEM
    Computer: PANDA1
    Description:
    The Agent could not load any cached configuration information.
    This error may occur when the configuration cache file is not present (which will be the case when
    an agent/server gets installed for the first time), or when the file becomes corrupted.
    Management Group: ForefrontClientSecurity

    The Agent will not process data until it successfully retrieves configuration information.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Any clues on debugging this?

     

    Soeren Lambaek

    KPC Byg a/s

     

    Friday, June 22, 2007 11:59 AM

Answers

  • No and Yes ;-)

     

    No:

    I Never had the original test server fixed. None of the info postet in this thread helped solve the problem. I reinstalled this TRIAL FCS server several times and allways ended up with this problem.

     

    Yes:

    I started deploying the production FCS server based on non-trial installation media and this server has now been running for a couple of month now and it never had this problem. It is running 100% OK.

     

    Hope this will help you.

     

    Regards Soren

    Friday, November 9, 2007 8:37 AM
  • If I were to guess, I'd bet that the trial FCS server had a MOM agent installed on it by the installation package coming from WSUS.  For more info see:  http://forums.microsoft.com/ForeFront/ShowPost.aspx?PostID=2121235&SiteID=41

     

    Thanks,

    Craig

    Tuesday, November 13, 2007 5:13 PM

All replies

  • Hi Soeren,

     

    As per Microsoft: "An informational error appears in the Event log with the Event ID of 21218 when an agent cannot load any cached configuration information. This error occurs if the cache configuration file is missing. This file is not present when a Management Server and agents are newly installed. This error is expected and no action is required". See "Troubleshoot MOM 2005 Agent Installation" for more details.

     

    futher more, the MOM agent is not updated from WSUS updates, but only from the mom server incase you upgrade service pack or something similar. anyway, maybe some of the other windows updates have somehow changed windows configuration and blocked something the mom agent uses (just a theory)...

     

    try and see if you recieve any other error messages on the application/system log and post them here.

     

     

    Sunday, June 24, 2007 7:50 PM
  • Hi Yaniv

     

    You say that wsus doesn't upgrade the mom agent, but when the forefront client is installed windows installer log's events saying that it installs both the forefront client and the mom agent. This also makes perfectly sence since if i put a FCS policy on a workstation then WSUS will indeed install both the FCS and the mom agent. It seems like the two are bundled together.

     

    Problem is that the FCS embedded mom server somehow can't stand having it's FCS client automatically upgraded from wsus.

     

    I actually had the server running for about a week, but didn't put a FCS policy on the server itself. But during this week everything was fine.

     

    But when WSUS kept complaining that the FCS was outdated i then put a policy on the FCS server and when it pulled the upgrade communication stopped. I tryed making it work again by repairing the forefront server components from the add/remove programs but that didn't help.

     

    Then I reinstalled the forefront server and communication immediately started working again. But at the next scheduled WSUS auto update I got the same problem again. And the FCS update was the only update installed!

     

    Offcourse I can just defer from putting the policy on the forefront server, but then it will be running outdated scanning engines and that is clearly not a good solution.

     

    I don't get any other errors in the eventlog than the ones i allready postet so no further clues to get there!

     

    Can you by any chance confirm that the mom agent running locally on a mom server must be the same version?

     

    This is a big issue to me since we allready ordered FCS licenses for our entire organisation, and now it seem's something is broken  

    I will go through the troubleshooting steps that you linked in your post, and the i will get back to you with the result.

     

    Regards

    Søren Lambæk

     

    Sunday, June 24, 2007 9:27 PM
  • Hi

     

    Going through the troubleshooting guide Yaniv posted earlyer.

     

    Here are my notes and thoughts:

     

    1:Agent Behind Firewall Fails to Connect to MOM Server

          N/A - since the agent not connecting is on the server it self ( and the firewall is not enabled ).

     

    2:Agent Installation Fails Due to Security Settings

          N/A - since the agent installed by the forefront client update from WSUS is logging nothing but success in the windows eventlog

     

    3:Check Agent Installation Logs for Failure Information

          Here it states that under the directory: "%ProgramFiles%\Microsoft Operations Manager 2005\Agent Logs folder" i should check the logs. This directory does not exist on the server since it is not at real mom server but the mom embedded into the client security solution.

    However i found a similar path: "C:\Program Files\Microsoft Forefront\Client Security\Server\Microsoft Operations Manager 2005\AgentLogs" on the server but unfortunately no files are found here.

     

    4:Error Code: 5 Access Is Denied

         N/A - since the agent installed by the forefront client update from WSUS is logging nothing but success in the windows eventlog

     

    5:Agent Does Not Appear in Pending Actions After Installation

         This one is actually very interesting. Since it discusses a problem that somehow resembles what i am having. Since I know for a fact that the agent was reinstalled by wsus and not by the mom server it self, this could mean that some kind of token between the server and the agent is no longer valid.

          The fix described where you delete the discovery rule for the problem workstation in order to have it rediscovered under pending actions seems like something i would like to do to fix my problem.

         BUT -  since this is the management server it's discovery rule can not be deleted, only all the other managed systems can be deleted.

     

    6:Error: Event ID 21218

         This one has allready been covered by Yaniv's post, but as a footnote I can say i get this every time i reboot the server, but i guess it is because the faulty agent has not yet talked to the management server.

     

    I'm blank here! What else do i check.

     

    regards

    Søren Lambæk

    Tuesday, June 26, 2007 8:44 AM
  • H Soren,

     

    have you tried uninstalling the MOM agent bits from the server itself?

    if the wsus has installed it as you said, you should have the ability to remove it from the add/remove programs on the control panel.

    this should fix your problem after reboot i believe.

     

     

     

    Wednesday, June 27, 2007 5:29 AM
  • in addition to my last post, you can try this one as well...

     

    http://www.myitforum.com/articles/2/view.asp?id=10096 

    Wednesday, June 27, 2007 5:32 AM
  • Hi Yaniv

     

    Uninstalled the mom agent from add/remove programs as you suggested, only to end up with the momservice no longer able to start :-(

     

    Tried running a repair on the mom server in add/remove programs but this didn't help.

     

    So now i reinstalled forefront client security and removed the policy from the management server so that i doesn't get upgraded by WSUS. I will leave the management server in this state during my summer vacation starting today.

     

    I would very much appreciate some kind of insight into microsoft's experience with this!

    Can it be confirmed that this is actually a problem with the product?

    If it's not a known issue then I will need to know what kind of information to provide in order to give you the possibility to investigate this.

     

    I must admit that I am having a hard time understanding how this can be a configuration error that I made! If it is not safe to just let WSUS upgrade the scanning engine on the forefront server then how can it be that it is actually doing so? Shouldn't there be somekind of WSUS internal package metadata that would deny it on the server!

      

    regards

    Søren  ( who will be on vacation during week 27-28-29 :-)

    Thursday, June 28, 2007 9:23 AM
  • Did you ever find a solution to this issue.  I have the same issue.

     

    Please advise.

     

    Thursday, November 8, 2007 7:15 PM
  • No and Yes ;-)

     

    No:

    I Never had the original test server fixed. None of the info postet in this thread helped solve the problem. I reinstalled this TRIAL FCS server several times and allways ended up with this problem.

     

    Yes:

    I started deploying the production FCS server based on non-trial installation media and this server has now been running for a couple of month now and it never had this problem. It is running 100% OK.

     

    Hope this will help you.

     

    Regards Soren

    Friday, November 9, 2007 8:37 AM
  • If I were to guess, I'd bet that the trial FCS server had a MOM agent installed on it by the installation package coming from WSUS.  For more info see:  http://forums.microsoft.com/ForeFront/ShowPost.aspx?PostID=2121235&SiteID=41

     

    Thanks,

    Craig

    Tuesday, November 13, 2007 5:13 PM
  • I bet you are 100% right on this! :-)

     

    But at the time I was reporting this you ( MS) where not able to help me out since you didn't know about the problem at that time.

     

    Just a shame it took you so long to investigate this! I Did post this in mid june and it was quite easy to reproduce the problem.

     

    But hey *** happens and i am running forefront now and so far i like what i see

     

    Regards

    Soeren

     

    Wednesday, November 14, 2007 8:18 AM