locked
all clients show components as installed, not enabled RRS feed

  • Question

  • I have been banging my head on the keyboard for three weeks with this one.

    I built a 2008 R2 server with SCCM 2012 on it, connecting to a SQL 2008 server.  They talk fine with each other.

    SCCM has the boundary and boundary groups set up.  I have ad discovery (tried with and without subnets) and those work. 

    Auto installing the client upon discovery works.

    The clients find their MP and know their site code.  All clients show approved (automatically) in the console - mpcontrol log lists 200 OK

    The logs show that they prepare their scheduled eval and send it.  When I initiate a hardware policy update, I can netstat and see the connection on various ports to the server

    I ran wireshark (OPNET) and initiated a reinstall and can see communication between the client and the server and the server and the sql server.

    Everything seems to work correctly, I find some errors in the logs, but nothing that jumps out as the cause.

    The problem is all clients have components listed as not installed and only machine and user policy retrieval listed.

    In the console, the clients show Client Check - no results, nothing under Hardware or Software scan

    I have research THOROUGHLY on the internet on all logs as well as the issue I just described, tried a million things, redoing webdav, ccmclean, etc)

    Any thoughts - they would be greatly appreciated!



    Wednesday, September 4, 2013 5:21 PM

All replies

  • The problem is all clients have components listed as not installed and only machine and user policy retrieval listed.


    That tells you that the client was not able to retrieve policies from the management point. See ClientIDManagerStartup.log (if the client was registered), ClientLocation.log and LocationServices.log

    Torsten Meringer | http://www.mssccmfaq.de

    Wednesday, September 4, 2013 8:38 PM
  • in clientIDmanager I see multiple "client is already registered" entries  and one that says "unable to backup CCM Identity in any identity stores (ox8000ffff)

    In clientlocation is sees my MP name, and once and hour it gives me rotating assigned management point from %myserver% to %my server%  this is the same server, and it does it twice in a row once an hour

    in clientlocation it correctly lists the ad place it sits

    ???

    Thursday, September 5, 2013 7:55 PM
  • Can you upload all of the client logs to skydrive?

    Torsten Meringer | http://www.mssccmfaq.de

    Friday, September 6, 2013 8:04 AM
  • Torsten,

    Thanks for looking - here they are (I had to remove certain names)

    https://skydrive.live.com/redir?resid=9833B548057E1734!109&authkey=!ADium40C2JBMt5A



    Friday, September 6, 2013 7:13 PM
  • I couldn't spot any obvious errors. Have you already checked if the system is approved? You can add the 'approved' column in the console to check that.

    Torsten Meringer | http://www.mssccmfaq.de

    Friday, September 6, 2013 8:12 PM
  • all machines that are discovered get the client automatically installed and then show approved

    now you see why I am banging my head on the keyboard!

    Friday, September 6, 2013 8:19 PM
  • I keep marking as answered sorry cruiser.

    Maybe "unable to backup CCM Identity in any identity stores"has something to do with how the OS has been configured. Look at what GPO's are applied to the clients if all else fails.


    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

    Monday, September 9, 2013 12:46 PM
  • Rob,

    I do see that this error is unique as far as many other logs on the internet.  I started researching it and found, in the wmiporv.log, 1 entry per day saying Impersonation Failed - Access denied. 

    I added to "Impersonate Client after Authentication" my sccm admin account, local service, and network service (the service group was already there, but I added the others anyway)  I still get access denied

    - what would I be looking for in GPO that could affect this?

    Thanks for the input!


    Monday, September 9, 2013 2:25 PM
  • i can also go to a client and initiate a machine policy retrieval and see the impersonation error show up in that log within 1 minute, so this has to have something to do with it I would imagine
    Monday, September 9, 2013 4:23 PM
  • interesting log from server (MP_Policy.log)

    Detected at least one row in the result set from PolicyAssignment table which does not have a Signature, rejecting all rows

    this error repeats over and over - any idea how to check this out (google was not of much help)

    Monday, September 9, 2013 6:08 PM
  • That's hard to tell without sitting in front of the server ... have you already rebooted it? Or tried a site reset?

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, September 9, 2013 7:58 PM
  • i just did a site reset - I did one about a month ago - it seems to go well.  I will let it bake in over night and see what happens - perhaps reinstall a client as well
    Monday, September 9, 2013 8:27 PM
  • why did you do a site reset a month ago? did you restore/rebuild the site?

    http://www.enhansoft.com/

    Monday, September 9, 2013 10:03 PM
  • I did the site reset a month ago for this problem - SCCM 2012 has never worked and that was one of the initial troubleshooting items in the first couple weeks of digging deeper -
    Monday, September 9, 2013 10:36 PM
  • So what was the problem a month ago?, they could they be related.

    http://www.enhansoft.com/

    Monday, September 9, 2013 11:20 PM
  • it was for the same issue at the top of this thread - I have been trying to get this new install working that long and feel like I am at the bottom of the barrel of things to try!
    Tuesday, September 10, 2013 1:36 AM
  • What exactly are your boundaries and what exactly is the IP address and subnet mask on your clients?


    http://www.enhansoft.com/

    Wednesday, September 11, 2013 1:53 PM
  • my boundaries are AD sites

    Site A

    Site B

    Subnet boundaries are multiple for each site (one for printers, one for clients, one for servers, etc)

    I created two boundary groups

    Site Assignment Boundary Group (members Site A, Site B, and the client subnet range for Site A)

    Software Distro Boundary Group (members, Site A, Site B, and the client subnet range for Site A)

    I have also tried just using subnets in the boundary and also just AD sites

    client IP info is 10.10.72.1-10.10.75.254  the description in the boundary is %mydomain.net%/Site A/10.10.72.0/22

    Wednesday, September 11, 2013 2:02 PM
  • To be clear you client have an IP address with a subnet mask like:

    10.10.73.68 255.255.252.0?

    How exact is the subnet setup in AD?

    10.10.72.0/22


    http://www.enhansoft.com/

    Wednesday, September 11, 2013 2:52 PM
  • well, the computer actually has a /24 as the subnet, even though the boundary discovers a /22.......sites and services lists it as the following though:

    Site A Management 10.10.180.0/24

    Site A Server 10.10.182.0/24

    Site A Client 10.10.184.0/24

    Site A Management 10.10.68.0/23

    Site A Server 10.10.70.0/23

    Site A Client 10.10.72.0/22

    Wednesday, September 11, 2013 3:15 PM
  • So you subnet masks are not matching between the client and AD. This is might be your problem.

    Remember that CM clients will compare their subnets mask to the AD subnet and they will not match.  

    So try this:

    1. Create a new boundary  IP Address range of 10.10.72.0 – 10.10.75.254   and add it to your boundary group.
    2. Make sure that the Use this boundary group for site assignment is set for the boundary group.
    3. Confirm that the IP Address Range is added to AD
    4. ~10 minutes later, on 1 PC in the 10.10.73.x (or 74 or 75) range, open the CM applet within the control panel
    5. Click find site on the site tab. Does it find your site?

    http://www.enhansoft.com/

    Wednesday, September 11, 2013 4:03 PM
  • 1) created and added to boundary group.  There is still the original discovered entry in the boundary, which is the same range except it starts with 10.10.72.1-10.10.75.254

    2) confirmed

    3) this has always been in AD as a /22.

    5) it does find the site, but this has never been a problem, all the clients have been able to do this all along........I initiated a machine policy retrieval and can see in the logs that it raises the request event, thinks it sends the event, thinks it receives the info, and then says no changes needed.  I see this on the client logs

    Wednesday, September 11, 2013 6:22 PM