
Configuration Manager Client Native Mode and Internet-Based Client Management Issues

Updated: April 1, 2010

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

This section provides troubleshooting information to help you resolve issues that are specific to Configuration Manager 2007 clients when they are operating in a native-mode site, and it includes troubleshooting issues for Internet-based client management. For issues that affect both mixed-mode and native-mode clients, see Configuration Manager Client General Issues.

For administrator checklists for configuring native mode and Internet-based client management, see the following:

Native mode and Internet-based client management have a number of prerequisites that, if not met, can result in numerous issues and error conditions. Before investigating specific errors, make sure that all these prerequisites have been met.

Solution

To verify that you have met all the prerequisites, see the following:

If you are using Active Directory Certificate Services with Windows Server 2008, do not use version 3 templates. Using these certificate templates creates certificates that are not compatible with Configuration Manager. For example, a version 3 certificate template that is used to request the site server signing certificate results in the status message 5115 from the component SMS_POLICY_PROVIDER when attempting to sign the site policies, instead of the success status message of 5116. For more information about verifying the successful use of the site server signing certificate, see How to Verify Native Mode Migration Is Complete.

Version 3 templates can be identified in the Windows Server 2008 Certificate Templates Console by referencing the Minimum Supported CAs column. Version 3 templates display in this column as Windows Server 2008. When you duplicate an existing certificate template, you are prompted to select the template version, with version 3 templates displayed as Windows Server 2008, Enterprise Edition. The default for duplicated templates is version 2 (the option Windows Server 2003, Enterprise Edition), which is compatible with Configuration Manager native mode.

Solution

Do not use version 3 templates to create the certificates that support Configuration Manager native mode.
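To find out before you enroll anything which templates in the forest are version 3, you can read the template objects directly from the Configuration partition. The following script is an added example (it is not part of the original page or of Configuration Manager). It assumes only that the account can read the Configuration partition, which any authenticated domain user can by default; the msPKI-Template-Schema-Version attribute it reads is the same value the Certificate Templates console shows as Windows 2000 (1), Windows Server 2003, Enterprise Edition (2) or Windows Server 2008, Enterprise Edition (3).

```powershell
# Added example, not code from the original page or from Configuration Manager.
# Lists every certificate template published in Active Directory and flags the version 3
# (Windows Server 2008) templates, which produce certificates native mode does not accept.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$templatesPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$templatesPath
$searcher.Filter     = "(objectClass=pKICertificateTemplate)"
$searcher.PageSize   = 500
$searcher.PropertiesToLoad.AddRange(@(
    "cn", "displayName", "msPKI-Template-Schema-Version",
    "pKIExtendedKeyUsage", "msPKI-Certificate-Application-Policy"))

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # web server / site system certificates
$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # client certificates

$templates = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    # v1 and v2 templates list EKUs in pKIExtendedKeyUsage; v2/v3 also use application policies.
    $ekus = @($p["pkiextendedkeyusage"]) + @($p["mspki-certificate-application-policy"])
    $version = 0
    if ($p.Contains("mspki-template-schema-version")) { $version = [int]$p["mspki-template-schema-version"][0] }
    New-Object PSObject -Property @{
        Name                 = [string]$p["cn"][0]
        DisplayName          = [string]$p["displayname"][0]
        SchemaVersion        = $version
        UsableForConfigMgr   = ($ekus -contains $serverAuthOid) -or ($ekus -contains $clientAuthOid)
        NativeModeCompatible = ($version -le 2)   # version 3 = Windows Server 2008 template
    }
}

$templates | Sort-Object SchemaVersion, Name |
    Format-Table Name, DisplayName, SchemaVersion, NativeModeCompatible, UsableForConfigMgr -AutoSize

# The ones that matter: version 3 templates that carry the EKUs native mode certificates need.
$templates | Where-Object { -not $_.NativeModeCompatible -and $_.UsableForConfigMgr } | ForEach-Object {
    Write-Warning ("Template '{0}' is schema version {1}; do not use it for Configuration Manager native mode." -f $_.Name, $_.SchemaVersion)
}
```

Run it on any domain-joined computer with PowerShell; no Certificate Services module is required. A template that shows version 3 here should be duplicated as a Windows Server 2003, Enterprise Edition (version 2) template before it is used for site system or client certificates.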

The following reports do not display any client data until clients have run the Configuration Manager Native Mode Readiness tool:

  • Clients incapable of native mode

  • Summary information of clients capable of native mode

Solution

This utility is installed with Configuration Manager 2007 clients, in the folder %windir%\system32\CCM. It must be run with local administrator privileges on client computers that have the Configuration Manager 2007 client installed.

To run the utility, run Sccmnativemodereadiness.exe from the CCM folder.

For more information, see How to Determine Whether Client Computers Are Ready for Native Mode.

If some or all clients assigned to a Configuration Manager 2007 site stop receiving policy and do not send inventory information to the site after the migration to native mode, it might be because of one or more of the following reasons:

  • The native mode prerequisites are not met.

  • Certificate issues are preventing communication.

  • Clients have not received an instruction to switch to native-mode communication.

  • Migration is not yet complete.

Solution

If clients are assigned to a fallback status point, use the reports to identify the specific native mode communication issue. For more information about using the fallback status point reports, see the following topics:

Refer to the following checklist to ensure the correct procedures were followed and resolve missing steps if necessary: Administrator Checklist: Migrating a Site to Native Mode.

If you configure any of the client settings specified on the Site Properties: Site Mode tab, the settings are published to Active Directory Domain Services and used by client push installation. For these settings to configure a native mode client after the client has been installed, all of the following must be true:

  • You have extended the Active Directory schema for Configuration Manager 2007.

  • The site is successfully publishing to Active Directory Domain Services.

  • Clients belong to the same Active Directory forest.

  • Clients are not configured for Internet-only management.

Solution

Refer to the following to resolve each situation listed above.

Situation: The Active Directory schema is not extended for Configuration Manager 2007.

Solution: Extending the Active Directory schema is not a requirement for native mode, but it makes configuring native mode much easier than when the schema is not extended.

For more information about how to extend the Active Directory schema:

Without the schema extended, configure the native mode settings you require during installation, by manually specifying CCMSetup installation properties or by using client push installation:

For additional information, see How to Configure Native Mode.

Situation: The site is not published to Active Directory Domain Services.

Solution: Configure the site to publish to Active Directory Domain Services:

To verify publication of site information:

Situation: Clients do not belong to the same Active Directory forest as the site server.

Solution: These clients cannot access the site settings published to Active Directory Domain Services and must therefore be configured manually by using CCMSetup installation properties, or automatically by using client push installation:

For additional information, see How to Configure Native Mode.

Situation: Clients are configured for Internet-only management.

Solution: These clients cannot access the site settings published to Active Directory Domain Services and must therefore be configured manually by using CCMSetup installation properties:

For additional information, see the following:

In native mode, a network load balancing (NLB) management point must be configured with a fully qualified domain name (FQDN), and native mode clients must be able to locate this FQDN in Active Directory Domain Services, or a server locator point.

Solution

Refer to the following to resolve issues related to the preceding requirements.

Problem: The NLB management point is configured with an IP address instead of an FQDN.

Solution: This configuration is not supported for native mode; the NLB management point must be configured with an FQDN:

Problem: The Active Directory schema is not extended for Configuration Manager 2007.

Solution: Because native mode clients cannot locate NLB management points in DNS or WINS, they must locate the NLB management point by using either Active Directory Domain Services or a server locator point.

For more information, see Configuration Manager and Service Location (Site Information and Management Points).

For more information about how to extend the Active Directory schema:

For more information about installing a server locator point:

Problem: Clients are from a separate forest or a workgroup.

Solution: These clients cannot locate management points from Active Directory Domain Services, even if their site is publishing to Active Directory Domain Services. In this scenario, these clients must locate their NLB management point by using a server locator point.

For more information, see Configuration Manager and Service Location (Site Information and Management Points).

For more information about installing a server locator point:
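Two of the checks above (is the site publishing to Active Directory Domain Services at all, and is the NLB management point published by FQDN rather than by IP address or NetBIOS name) can be made directly against the System Management container, because that is where native mode clients in the same forest read this information from. The following script is an added example, not code from the original page or from Configuration Manager. It assumes the Configuration Manager 2007 schema extension (the mSSMSSite and mSSMSManagementPoint classes and their attributes) and uses a placeholder site code; any domain user with read access to the System container can run it.

```powershell
# Added example, not code from the original page or from Configuration Manager.
# Reads the objects a site publishes to CN=System Management and checks that management
# points are published with an FQDN, which native mode (and an NLB management point) requires.
$siteCode  = "ABC"   # placeholder: your site code
$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNc = [string]$rootDse.defaultNamingContext
$container = [ADSI]("LDAP://CN=System Management,CN=System," + $defaultNc)

function Find-SmsObjects([string]$Filter, [string[]]$Attributes) {
    # Generic LDAP query under the System Management container, one PSObject per result.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container, $Filter)
    $searcher.PageSize = 500
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    foreach ($result in $searcher.FindAll()) {
        $obj = @{}
        foreach ($a in $Attributes) {
            $obj[$a] = (@($result.Properties[$a]) | ForEach-Object { "$_" }) -join ";"
        }
        New-Object PSObject -Property $obj
    }
}

# 1. Site object: if this is missing, publishing is disabled, failing, or the container
#    ACL does not grant the site server computer account write access.
$site = @(Find-SmsObjects "(&(objectClass=mSSMSSite)(mSSMSSiteCode=$siteCode))" @("cn", "mSSMSSiteCode"))
if ($site.Count -eq 0) {
    Write-Warning "No mSSMSSite object for site $siteCode under CN=System Management."
} else {
    "Site $siteCode is published as $($site[0].cn)."
}

# 2. Management points: native mode clients locate them here, so the published name must be an FQDN.
$mps = @(Find-SmsObjects "(&(objectClass=mSSMSManagementPoint)(mSSMSSiteCode=$siteCode))" `
            @("mSSMSMPName", "dNSHostName", "mSSMSDefaultMP"))
$mps | Format-Table mSSMSMPName, dNSHostName, mSSMSDefaultMP -AutoSize
$ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'
foreach ($mp in $mps) {
    if ($mp.mSSMSMPName -match $ipv4) {
        Write-Warning "Management point '$($mp.mSSMSMPName)' is published by IP address; not supported in native mode."
    } elseif ($mp.mSSMSMPName -notmatch '\.') {
        Write-Warning "Management point '$($mp.mSSMSMPName)' is published by NetBIOS name; native mode needs an FQDN."
    }
}
if ($mps.Count -eq 0) { Write-Warning "No management points published for site $siteCode." }
```

For an NLB management point the mSSMSMPName value should be the NLB FQDN that clients connect to, not the name of an individual node. Clients in another forest or in a workgroup never read this container, so for them this check is irrelevant and a server locator point is the only lookup path.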

Clients fail to connect to a native mode NLB management point if the public key infrastructure (PKI) certificates are missing or are incorrectly configured for the NLB management point.

Solution

Each site system server in the NLB management point must have a PKI certificate that contains both the FQDN of the NLB management point and the site system server name. For more information, refer to the certificate requirements listed in the section "Network Load Balancing Management Points or Network Load Balancing Software Update Points" in the topic Certificate Requirements for Native Mode.

Note
For information about specifying multiple names in the certificate Subject Alternative Name field, see How to Request a Certificate With a Custom Subject Alternative Name (http://go.microsoft.com/fwlink/?LinkId=189292).
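The practical form of the requirement above is a certificate request whose Subject Alternative Name carries both the node's own FQDN and the NLB FQDN, repeated on every node of the NLB management point with that node's own name. The following script is an added example, not code from the original page or from Configuration Manager: it writes a certreq INF file using the documented `2.5.29.17 = "{text}"` / `_continue_ = "dns=...&"` syntax, submits it to the CA, installs the issued certificate in the computer store, and then checks the issued certificate for both names and the Server Authentication EKU. The host names, CA configuration string and template name are placeholders for your environment; the template must be a version 2 web server template that allows the subject to be supplied in the request.

```powershell
# Added example, not code from the original page or from Configuration Manager.
# Run on each NLB management point node, substituting that node's FQDN for $nodeFqdn.
$nodeFqdn     = "mp01.contoso.com"                       # this site system server
$nlbFqdn      = "mp.contoso.com"                         # FQDN clients use for the NLB management point
$caConfig     = "ca01.contoso.com\Contoso Issuing CA"    # "certutil -dump" shows the exact string
$templateName = "ConfigMgrWebServer"                     # assumed name of your v2 web server template
$workDir      = Join-Path $env:TEMP "nlbmp-cert"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# certreq INF: subject is the node, SAN lists node FQDN and NLB FQDN.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$nodeFqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$nodeFqdn&"
_continue_ = "dns=$nlbFqdn&"

[RequestAttributes]
CertificateTemplate = $templateName
"@

$infPath = Join-Path $workDir "request.inf"
$reqPath = Join-Path $workDir "request.req"
$cerPath = Join-Path $workDir "issued.cer"
Set-Content -Path $infPath -Value $inf -Encoding Ascii

certreq.exe -new $infPath $reqPath                  # create key pair + PKCS#10 request
certreq.exe -submit -config $caConfig $reqPath $cerPath   # submit to the issuing CA
certreq.exe -accept $cerPath                        # bind issued cert to the private key in LocalMachine\My

# Verify what was actually issued: both DNS names in the SAN and Server Authentication in the EKU.
$issued  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$sanExt  = $issued.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { "" }   # one "DNS Name=..." per line
$dnsNames = [regex]::Matches($sanText, "DNS Name=([^\r\n,]+)") | ForEach-Object { $_.Groups[1].Value.Trim() }
$missing  = @($nodeFqdn, $nlbFqdn) | Where-Object { $dnsNames -notcontains $_ }

$ekuExt = $issued.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $ekuExt -and (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains "1.3.6.1.5.5.7.3.1")

if ($missing.Count -eq 0 -and $hasServerAuth) {
    "OK: $($issued.Thumbprint) names $($dnsNames -join ', ') and allows Server Authentication."
} else {
    if ($missing.Count -gt 0) { Write-Warning "SAN is missing: $($missing -join ', ')" }
    if (-not $hasServerAuth)  { Write-Warning "Certificate lacks the Server Authentication EKU." }
}
```

If the template requires CA manager approval, `certreq -submit` reports the request as pending; approve it on the CA and then run `certreq -retrieve <RequestId> issued.cer` followed by `certreq -accept` before the verification step. The same verification block can be pointed at the certificate already bound in IIS on an existing node to find out why clients fail to connect.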

If a Configuration Manager 2007 client uses a new site server signing certificate that chains to a different root certificate than was used with the previous site server signing certificate, the client will not accept the new site server signing certificate when it receives policies signed with the new certificate.

This will occur if the root certificate for the site server signing certificate changes from the client's point of view—for example, in the following circumstances:

  • You move a Configuration Manager 2007 client from one Configuration Manager 2007 hierarchy to another (for example, after a company merger).

  • You configure the site to use a new site server signing certificate from a different root certification authority than the one that issued the previous site server signing certificate.

  • You renew your root certificate with a new key pair and then issue a new site server signing certificate.

This behavior protects against clients accepting a new site server signing certificate from a compromised management point. In this scenario, clients do not attempt to download the new site server signing certificate; they reject the policy they have downloaded and send an error to the management point so that the administrator is alerted that policy authorization failed.

Solution

Either delete the copy of the previous site server signing certificate on the Configuration Manager client, or uninstall and reinstall the client.

For more information about this scenario and remedial actions, see Renewing or Changing the Site Server Signing Certificate.

When Configuration Manager 2007 is operating in native mode, clients communicate with the site by using a public key infrastructure (PKI) certificate that has client authentication capability. By default, if Configuration Manager 2007 finds more than one valid client certificate for this communication, it does not attempt to communicate with its default management point and the client remains unmanaged.

You can confirm the existence of multiple certificates on a computer by using the Windows Certificates snap-in on the client or by using Configuration Manager 2007 reports if clients are assigned to a fallback status point. For more information, see About Reports for Configuration Manager Clients.

Solution

There are different solutions to this problem, depending on your requirements for using multiple certificates. Use the following to identify the correct course of action for your requirement.

Requirement: Multiple certificates are required on the computer, and the Configuration Manager 2007 client needs to select the correct one to use for Configuration Manager 2007 native mode communication.

Solution: Configure the certificate selection criteria:

Requirement: Multiple certificates are not required on the computer (for example, they are left over from certificate deployment testing, or they are no longer needed for their original purpose).

Solution: Delete the unwanted certificates, but only after verifying that they are not required.

Important
If you are in any doubt about whether the certificates are required, back them up by exporting them before removal, and store the exports securely.

This leaves one valid client certificate in the local certificate store, which the computer uses for Configuration Manager 2007 native-mode communication.

Requirement: You do not mind which certificate is used for Configuration Manager 2007 native-mode communication.

Solution: Configure the client to select any valid certificate that includes client authentication capability. In Configuration Manager 2007 SP1 and later, when more than one such certificate exists, the certificate with the longest validity period is selected. This is appropriate if you are using Network Access Protection with IPsec enforcement, because the short-lived NAP health certificates are then never chosen.

Note
This might result in successful native-mode communication, but it is less reliable than specifying certificate selection criteria, because the selected client certificate might not be trusted by the native mode site system server.

For more information:
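The certificate selection problem above and the manual CCMSetup configuration required earlier for clients in another forest or with Internet-only management come together on the same command line, so one added example covers both. The script below is not code from the original page or from Configuration Manager: it lists the client authentication certificates a native mode client would consider, shows which one the SP1 longest-validity rule would pick, exports the site server signing certificate (run that part on the site server) and assembles the CCMSetup properties SMSSITECODE, SMSSIGNCERT, CCMHOSTNAME, CCMALWAYSINF and CCMCERTSEL (or CCMFIRSTCERT) for an Internet-only client. The site code, management point FQDN and file paths are placeholders, it assumes the client certificate's subject is the computer FQDN, and any further switches your installation needs (see How to Configure Native Mode) are not shown.

```powershell
# Added example; not code from the original page or from Configuration Manager itself.
# Run the inventory on a client and the export on the site server. Site code, management
# point FQDN and file paths are placeholders.
$clientAuthOid = "1.3.6.1.5.5.7.3.2"

function Get-ClientAuthCertificates {
    # Candidates as a native mode client sees them: computer Personal store, inside the
    # validity period, private key present, Client Authentication in the EKU extension.
    # Certificates without an EKU extension are not counted here.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
    } | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid)
    }
}

function Select-LongestValidity([array]$Certs) {
    # What CCMFIRSTCERT=1 does on SP1 and later: take the certificate that stays valid the
    # longest, so a short-lived NAP health certificate loses to the computer certificate.
    $Certs | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Export-SiteServerSigningCertificate([string]$Thumbprint, [string]$OutFile) {
    # Run on the site server. Writes the public certificate only (DER-encoded .cer, no
    # private key); the client's SMSSIGNCERT property points at this file.
    $tp   = $Thumbprint.Replace(" ", "").ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\My" }
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    $OutFile
}

function New-CcmSetupCommandLine {
    param([string]$SiteCode, [string]$InternetMp, [string]$SigningCertPath, [string]$SubjectToSelect)
    $props = @(
        "SMSSITECODE=$SiteCode",
        "SMSSIGNCERT=`"$SigningCertPath`"",  # trust anchor for signed policy when AD DS is unreachable
        "CCMHOSTNAME=$InternetMp",           # Internet-based management point
        "CCMALWAYSINF=1"                     # Internet-only: never look for intranet site systems
    )
    if ($SubjectToSelect) {
        # Exact match on the certificate Subject; SubjectStr: would do a substring match instead.
        $props += "CCMCERTSEL=`"Subject:$SubjectToSelect`""
    } else {
        $props += "CCMFIRSTCERT=1"           # no criteria: longest validity period wins (SP1 and later)
    }
    "ccmsetup.exe " + ($props -join " ")
}

# --- Client side: what will the client do with the certificates it has? ---
$candidates = @(Get-ClientAuthCertificates)
$candidates | Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize
switch ($candidates.Count) {
    0 { Write-Warning "No usable client authentication certificate: the client cannot communicate in native mode." }
    1 { "Exactly one candidate; the client will use $($candidates[0].Thumbprint)." }
    default {
        Write-Warning ("{0} candidates. Without CCMCERTSEL or CCMFIRSTCERT=1 the client stays unmanaged." -f $candidates.Count)
        "With CCMFIRSTCERT=1 (SP1 and later) it would pick: " + (Select-LongestValidity $candidates).Thumbprint
    }
}

# Command line for an Internet-only or workgroup client, pinned to the computer certificate.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
New-CcmSetupCommandLine -SiteCode "ABC" -InternetMp "mp.contoso.com" `
    -SigningCertPath "C:\Certs\SiteServerSigning.cer" -SubjectToSelect $fqdn
```

Pinning with CCMCERTSEL is the more reliable choice because it removes the dependency on which certificate happens to have the longest validity; the exported signing certificate is public data, but copy it to the client over a channel you trust, because it is the root of trust for every policy the client will accept.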

Front-end and back-end firewalls must be configured correctly to allow traffic between Internet clients and their Internet-based site systems.

Solution

Refer to the following topic for a list of ports associated with Internet-based client management:

Refer to the following topic for information about the external dependency for intervening firewalls or proxy servers:

A Configuration Manager 2007 client that accesses its Internet-based site through a proxy server does not dynamically pick up changes to the proxy server configuration, such as a new proxy server name or a change in credentials.

Note
This issue is resolved in the Configuration Manager 2007 SP1 client.

The client uses the new proxy server details only when it detects a network change or is restarted. You are therefore most likely to see this scenario on an Internet-only client.

Solution

Expedite the discovery of the new proxy server details using any of the following methods:

  • Disconnect and reconnect the client.

  • Release and renew the client's IP address.

  • Restart the SMS Agent Host service on the client computer.

  • Restart the client computer.

For a longer-term solution, upgrade the client to Configuration Manager 2007 SP1.

On Windows XP and Windows Server 2003, the Internet tab of the Configuration Manager Properties dialog box (Control Panel) displays the options under Proxy Settings as read-only. On computers running Windows Vista, however, the configured options are not displayed at all, even though they are configured.

Solution

None. If you need to confirm the proxy settings for Internet clients, open this tab as a high-rights user. For example, log on as the local administrator, open Configuration Manager in Control Panel, and then click the Internet tab.

If you delete the client's configured Internet-based management point while the client is on the Internet, without replacing it with another Internet-based management point, the client is unable to communicate with its default management point and remains unmanaged after it returns to the intranet, until the client service (SMS Agent Host) is restarted.

Solution

To resolve this situation, perform one of the following actions:

  • Restart the client service (SMS Agent Host). This action requires local administrator rights.

  • Restart the computer.

Advertisements fail to run on the Internet when you are using the Internet-based client management feature. However, other features, such as hardware inventory and software updates, succeed on the Internet.

Solution

For additional information, see Configuration Manager 2007 Information and Support.
© 2014 Microsoft