none
MP suddenly stop responding to number of sites

    Question

  • Hi

    Out of 150 Secondary site Servers, suddenly 140 servers  started showing a common error

    "MP Control Manager detected management point is not responding to HTTP requests.  The HTTP status code and text is 401, Unauthorized."


    All Secondary site servers are itself MP and they report to Primary Site Server that ultimately reports to Central Site Server. We have three Primary Site servers and 50 secondary site servers responds to one Primary site.

    I am wondering how come MP suddenly stop responding for all sites?  Logs would be handy but wondering this problem should be looked with birds eye perceptive not correcting to individual site one by one...

    Requires some inputs from experts..

    Thanks




    Server Engineer
    Tuesday, December 23, 2008 1:09 AM

Answers

  • Thanks John & Torsten

    I checked SQL logs and there were no records for unsuccessful connection attempts.

    WSUS is already configured for some different port..

    .... Today to one of the affected site.. I deleted MP and after half an hour readded Management point to the site. Now it seems problem is fixed for the site and I can see green tick infront of site status for that site.

    So i reckon.. deleting MP and readd it should resolve this issue...  I am just wondering.. Is I have to do this for rest 190 sites manually.. and also Is there any after effects of deleting MP and re-add it to the site server? Can it screw up anything ?

    Thanks for your replies guys...

    Veday

    Server Engineer
    • Marked as answer by veday001 Thursday, December 25, 2008 2:17 PM
    Wednesday, December 24, 2008 12:53 AM

All replies

  • Logs would certainly be helpful in focusing attention in the right place.  Chances are that what is wrong on one is the same thing affecting the other 139.

    On the problematic management points, is IIS running, BITS installed and extension allowed, and WebDAV extension allowed?  Have any permissions in IIS changed?  Could there be a security policy in your company that has been implemented via a GPO (or something that would automate a widespread settings change) to lock something in IIS down which is interfering with MP access?  Perhaps this is what occurred and is affecting a large portion of your sites (I assume the secondary sites are using a proxy MP).  Judging by the fact that you have 150 secondary sites I assume you are in a pretty large environment, which would make me think you probably have a security group that may have set something in motion that had unintended consequences.  That's where I would start.  Who changed a GPO or pushed something out recently that corresponds with the appearance of the issue.
    John DeVito
    Tuesday, December 23, 2008 1:23 AM
  • Thanks John

    When i tried to run http://siteserver/sms_mp/.sms_aut?mplist , http://siteserver/sms_mp/.sms_aut?mpcert to one of the affected site. I received error stating Internet Explorer cannot download .sms_aut?.... from site server.

    mpcontrol.log at that site

    Call to HttpSendRequestSync failed for port 80 with status code 401, text: Unauthorized
    Http test request failed, status code is 401, 'Unauthorized'.
    Successfully performed Management Point availability check against local computer.   Component SMS_MP_CONTROL_MANAGER


    I double checked settings for default website for IIS, BITS installed, and WebDAV extension allowed

    Last week we pushed Internet Explorer (IE) Security Vulnerability (Patch Implementation) as part of Windows update.

    As such, i am not aware of any changes that been made by security group but i will enquire about it.

    What other log files can be helpful?

    Thanks





    Server Engineer
    Tuesday, December 23, 2008 2:13 AM
  • I think the 401 says it all.  You can compare the IIS settings to those on a working MP.    What are the permissions on the Application Pools, virtual directories?  You could try reading the following article if you haven't seen it:

    http://technet.microsoft.com/en-us/library/cc180191.aspx

    Especially the items about IIS IWAM and IUSER account requirements.

    If you can't identify a lockdown in IIS or some such thing then you might try something like removing the management point role on a site, allowing the site to process it, then re-installing the role.
    John DeVito
    Tuesday, December 23, 2008 2:41 AM
  • Thanks John.....Article was good.

    Is the Default Web Site Configured for Port 80?

    Below is stat for port 80 where PID is 4

     Proto Local Address    Foreign Address      State          PID
     TCP   0.0.0.0:80    0.0.0.0:0              LISTENING       4

    Matching the output information against the processes running in the task list by running tasklist /svc.

    Image Name   PID       Services                                     
    svchost.exe  2732      W3SVC

    **** I couldn’t find PID 2732 linked to any of the process obtained by running netstat command.

    Can it be issue?? Someone told me.. it doesn't matter if PID is different..

    Just Wondering .. Is this anything that can cause

    "MP Control Manager detected management point is not responding to HTTP
    requests.  The HTTP status code and text is 401, Unauthorized."

    As i reckon, it is related to authentication issue. I checked IUSR, IWAM account... Accounts are not locked out.

    I am still able to send test packages to affected site from central server. However few of the sites are generating reports, others are not.

    You guys reckon,..Is all can be related to the same issue?

    Thanks


    Server Engineer
    Tuesday, December 23, 2008 7:32 AM
  • My guess is that it has nothing to do with the local IIS installation or configuration. I would focus on the communiction between the secondary site (proxy MP) to the database of its parent site. Do you see any errors in the SQL logs (assuming that SQL is configured to log unsuccessful connection attempts)?
    Tuesday, December 23, 2008 1:27 PM
  • PID number won't matter so you don't need to worry about that.

    Just another thought in case Torsten's doesn't turn up any errors...

    Your site is using port 80, correct?  How about WSUS?  Do you recently move WSUS and have the Software Update Point installed on port 80 on the central server as well?  Then there is the reporting point that uses 80 as well.  Could there be a port conflict that is causing contention on 80 that is messing you up?  You could try moving WSUS to 8530 (very easy.  Look up the command options for WSUSUTIL on how to move the port and web site and then you'll have to change the port used in ConfigMgr.  The command line may fail if the Microsoft article still has the wrong option listed for the custom web site.  I can't recall it off the top of my head, but it was pretty easy to guess the one time I had to use it.)

    John DeVito
    Tuesday, December 23, 2008 4:01 PM
  • Thanks John & Torsten

    I checked SQL logs and there were no records for unsuccessful connection attempts.

    WSUS is already configured for some different port..

    .... Today to one of the affected site.. I deleted MP and after half an hour readded Management point to the site. Now it seems problem is fixed for the site and I can see green tick infront of site status for that site.

    So i reckon.. deleting MP and readd it should resolve this issue...  I am just wondering.. Is I have to do this for rest 190 sites manually.. and also Is there any after effects of deleting MP and re-add it to the site server? Can it screw up anything ?

    Thanks for your replies guys...

    Veday

    Server Engineer
    • Marked as answer by veday001 Thursday, December 25, 2008 2:17 PM
    Wednesday, December 24, 2008 12:53 AM
  • Removing and reinstalling an MP shouldn't cause you any problems.  Out of curiosity, have you switched from Mixed to Native mode recently and would that correspond to the start of the issue you are having?  I know that I had a site that I switched from Mixed to Native and had a problem with the MP not working and I found a Microsoft (I believe) article that suggested removing the role and reinstalling it.  After that everything worked.

    Just remember, ConfigMgr is not an instant gratification program.  You should wait for a period to make sure the MP is fully removed before reinstalling it.  You can tell by the MPCONTROL log or status category if the uninstall is complete.
    John DeVito
    Wednesday, December 24, 2008 2:55 PM
  • Thanks John....

    All sites were configured for Mixed mode and all are still in Mixed mode.  Its strange that error causing issue is 401 which says authentication issue but reinstalling MP cured the issue.. My next tough and boring task would be to remove and reinstall MP on all 140 servers manually. Thanks for info..about mpcontrol log. It would be handy to perform this task.



    Server Engineer
    Thursday, December 25, 2008 2:10 PM