Out of Band Management Console Issues
Updated: June 1, 2011
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
This topic provides troubleshooting information to help you resolve issues related to using the out of band management console in Configuration Manager 2007 SP1 and later.
Note: The information in this topic applies only to Configuration Manager 2007 SP1 and later.
For issues related to provisioning a computer for AMT, see AMT Provisioning Issues for Out of Band Management.
Note: For issues that are specific to AMT, such as behavioral differences between versions, how to install and configure the Intel translator, and how to configure AMT, refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001).
For additional troubleshooting information, see The Out of Band Management Support Team blog (http://go.microsoft.com/fwlink/?LinkId=183661).
Out of band management has a number of prerequisites that must be met before the out of band management console can successfully manage AMT-based computers. Before investigating specific errors, ensure that all these prerequisites have been met.
To verify that you have met all the prerequisites, see Prerequisites for Out of Band Management.
The out of band management console is not supported on workstations running Windows XP on versions earlier than Service Pack 3 nor on servers running Windows Server 2003 on versions earlier than Service Pack 2. A workstation running Windows XP Service Pack 2 or a server running Windows Server 2003 SP1 fails to connect to AMT-based computers and logs the following entry in the <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log file:
GetAMTPowerState fail with result:0x80072EE9
Upgrade the workstation to Windows XP Service Pack 3 or the server to Windows Server 2003 Service Pack 2, or run the out of band management console on an alternative platform that Configuration Manager supports for the out of band management console. For more information about supported platforms, see Configuration Manager Supported Configurations.
If the computer running the out of band management console cannot connect to an AMT-based computer that is configured with an out of band wireless profile, it might be because name resolution fails to use an IP address that is currently in use by the AMT-based computer. The computer running the out of band management console must resolve the FQDN of the AMT-based computer to a current IP address before it can connect to it. Name resolution requires the Windows DNS client and one or more DNS servers to retrieve an IP address for the FQDN of the AMT-based computer. Because computers that move between physical locations are likely to get different IP addresses with each connection, this might result in the DNS client failing to use the current IP address in the following scenarios:
The DNS client has previously resolved the FQDN of the AMT-based computer, and this name-to-IP address resolution is in the client DNS cache. Instead of sending a new name resolution request to the DNS server, the DNS client uses the IP address in its DNS cache.
The DNS client sends its name resolution request to a DNS server that is not authoritative for the domain name. When this DNS server has previously resolved the FQDN of the AMT-based computer and this name-to-IP address resolution is in the server DNS cache, the DNS server returns the IP address in its DNS cache to the DNS client.
DNS replication latency results in the DNS client or DNS server retrieving an out of date IP address for the FQDN of the AMT-based computer.
Note: The time to live (TTL) value in the DNS record determines how long an entry is retained in the DNS cache.
Additionally, when there are multiple IP addresses for the same computer name (for example, one address for a wired connection and another for a wireless connection), an authoritative DNS server responds by using the DNS round-robin technique. This means that it is nondeterministic which IP address is returned for the AMT-based computer. If the AMT-based computer is on a wireless network only and if the IP address for the wired network is returned to the DNS client, the out of band management console fails to connect. The next time this authoritative DNS server receives a request to resolve the same computer name, it returns a different IP address.
You might be able to identify these scenarios if a ping command using the FQDN of the AMT-based computer fails with a time-out message. However, ping packets can also be blocked by network devices, such as routers and firewalls.
To prevent the DNS client from using a cached IP address, delete the DNS cache on the computer running the out of band management console, by running the following command in a command prompt: ipconfig /flushdns.
If this does not resolve the issue, try connecting later. If you can verify the current IP address of the AMT-based computer, you can also use DNS troubleshooting techniques such as running the command nslookup <FQDN_AMTcomputername> to discover the IP address that is returned by the DNS client.
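The comparison described above can be scripted. The following Python sketch is an added example, not part of the original topic: it resolves the FQDN through the operating system's resolver and compares the answers with the address you have verified for the AMT-based computer, separating the no-record, stale-address and multiple-address (round-robin) cases. The function names, verdict strings, host name and addresses are assumptions made for illustration.

```python
import socket


def resolve_ipv4(fqdn):
    """Return the set of IPv4 addresses the local resolver gives for fqdn."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify_resolution(fqdn, current_ip, resolver=resolve_ipv4, attempts=3):
    """Compare what DNS returns for fqdn with the verified current AMT address.

    Returns (verdict, addresses_seen). Several attempts are made because a
    round-robin answer can differ from one query to the next.
    """
    seen = set()
    for _ in range(attempts):
        seen |= set(resolver(fqdn))
    if not seen:
        # No host record exists for the FQDN at all.
        return "no-record", seen
    if current_ip not in seen:
        # A cached or not-yet-replicated record points at a previous address.
        return "stale", seen
    if len(seen) > 1:
        # For example wired and wireless records: which one a client is
        # handed is nondeterministic, so connections fail intermittently.
        return "multiple-addresses", seen
    return "ok", seen


if __name__ == "__main__":
    # Constructed resolver data so the demo runs offline.
    records = {"amt01.corp.example": {"10.0.0.5", "192.168.1.20"}}
    lookup = lambda name: records.get(name, set())
    print(classify_resolution("amt01.corp.example", "192.168.1.20", lookup))
```

A "stale" verdict that survives ipconfig /flushdns points at a caching DNS server or replication latency rather than the local client cache.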
If the computer running the out of band management console cannot connect to an AMT-based computer that was successfully provisioned out of band and that does not have an operating system installed, it might be because there is no host record in DNS to resolve the FQDN to the IP address of the AMT-based computer. There is no DNS client supplied with versions of AMT that are supported in Configuration Manager 2007 SP1 and later. Therefore, other methods must be used to create and update this record in DNS. When an operating system is installed, this can update DNS directly or through a DHCP record. However, when provisioning out of band, the initial host name of the AMT-based computer will be a factory default name and might be used on multiple computers rather than be unique. Although your choice of FQDN is written to AMT during the provisioning process, AMT cannot update the initial DHCP record with this new computer name. This results in name resolution failing for the FQDN when the out of band management console tries to connect to the AMT-based computer, and the following entry is logged in the <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log file:
GetAMTPowerState fail with result: 0x800703E3
When an operating system is installed with the same FQDN that was supplied during AMT provisioning, a host record will be added to DNS either directly or by using DHCP, and out of band management communication will then succeed. To manage the AMT-based computer out of band before an operating system is installed, you must manually create host records in DNS for these computers that resolve the FQDN supplied in the Import Computer for Out of Band Management wizard to their current IP address in AMT. You can locate their current IP address from the BIOS extensions, or if you know the MAC address, you can find the corresponding IP address from DHCP.
For new computers that are not yet provisioned for AMT, perform the following steps:
Create a DHCP reservation for this computer and supply the MAC address of the AMT-based computer.
Manually create a host record in DNS such that the host name matches the FQDN supplied in the Import Computer for Out of Band Management wizard and the IP address matches the address in the DHCP reservation.
If the out of band management console cannot connect to the selected AMT-based computer, it will display Connecting until you disconnect or exit the console.
Refer to the following log file for the connection failure reason: <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log.
If no AMT User Accounts are specified, the out of band management console might unload when you try to connect to AMT-based computers.
Specify at least one AMT User Account that contains a Windows user account or security group to be used to connect to computers by using the out of band management console. Then update the provisioning data in the management controller memory. For more information, see How to Configure AMT Settings and AMT User Accounts and How to Update AMT Settings in Provisioned Computers Using Out of Band Management.
If the out of band management console connects to the selected AMT-based computer but displays information about the power status only, this could be a configuration issue in the AMT-based computer's BIOS extensions for serial over LAN and IDE redirection.
Check the settings in the BIOS extensions for serial over LAN and IDE redirection. This capability must be enabled with the setting to disable the user name and password, which forces Kerberos authentication.
Because the out of band management console requires Kerberos authentication, the option to disable the user name and password for the serial over LAN and IDE redirection is required so that Kerberos authentication can succeed.
Refer to your computer manufacturer documentation if you need help with configuring the BIOS extensions.
If the out of band management console connects to the selected AMT-based computer but fails to restart the computer or cannot establish a serial connection, another out of band management console might already be connected to the AMT-based computer. Out of band management supports running multiple out of band management consoles but not to the same AMT-based computer at the same time.
The second and subsequent consoles will be able to retrieve status, auditing, and configuration information and will be able to restart the computer. But when the actions to start a serial connection or power off the computer are initiated from the second console, these will fail until the first console has disconnected from the computer. Before the first console is disconnected, attempting to start a serial connection will result in an error message indicating that another serial over LAN connection has already been established.
To help identify this scenario, look for the error code 0x80004005 in the log file <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log.
Do not connect more than one out of band management console to the same AMT-based computer. If you have connected another console to the same AMT-based computer, disconnect the first console and retry the functions that failed.
If you power on an AMT-based computer using the out of band management console and you are prompted for a power-on password, it might not be accepted if the password contains uppercase letters or symbol characters.
There is a known problem with some AMT-based computers that fail to correctly accept uppercase letters and symbol characters for the power-on password.
Contact the computer manufacturer to confirm whether this is a known problem for your computer and to obtain instructions to resolve the problem.
A less secure alternative is to specify a password that does not use uppercase letters or symbol characters.
If IDE redirection and serial over LAN do not work in the out of band management console when successfully connected to an AMT-based computer, these options might be configured as disabled in the BIOS extensions or they might not be enabled by the computer manufacturer.
To help identify this scenario, on the site server computer, look for the following entries in the log file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:
Error: cannot put change to AMT_RedirectionService instance. SMS_AMT_OPERATION_MANAGER <date> <time> 3120 (0x0C30)
Error: CSMSAMTProvTask::StartProvision Fail to call AMTWSManUtilities::EnableRedirectionService SMS_AMT_OPERATION_MANAGER <date> <time> 3120 (0x0C30)
If these options are disabled in the BIOS extensions, you can enable them. Before doing so, check that enabling them does not conflict with your company security policy because these functions enable highly privileged management options. Refer to your computer manufacturer documentation if you need help with configuring the BIOS extensions.
Because these functions enable highly privileged management options, it is possible that they have been intentionally not enabled by the manufacturer. Contact your manufacturer for more information, and also see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer.
IDE redirection requires that the AMT administrator using the out of band management console has local administrator rights on the computer used to run the out of band management console when this computer supports user account control (UAC). For example, this includes Windows Vista and Windows Server 2008.
To help identify this scenario, on the computer running the out of band management console, look for the following data in the Oobconsole.log file, with an entry that begins IMR_IDEROpenTCPSession<number> with user = and then contains user and drive information. This log file is located in the folder <ConfigMgrInstallationPath>\AdminUI\AdminUILog on the computer that runs the out of band management console.
fail with result:0x2, description:Invalid Parameter
Add the user account to the local Administrators group on the computer running the out of band management console.
If you change any of the AMT settings, such as adding a new AMT User Account or enabling ping responses, these changes do not automatically update for computers that are already provisioned for AMT.
When you block a Configuration Manager client that is provisioned for AMT, the resulting behavior for out of band management depends on whether you are running Configuration Manager 2007 SP1 or Configuration Manager 2007 SP2:
Computers that are blocked by Configuration Manager 2007 SP1 continue to accept out of band management communication. You must decide what action to take if the client was blocked because it is untrusted.
Computers that are blocked by Configuration Manager 2007 SP2 cannot continue to be managed out of band, although their AMT status remains Provisioned. If you block a Configuration Manager client that is installed on an AMT-based computer and later decide to unblock the client, you will not be able to manage the computer out of band until you take additional action.
Out of band management does not support IPv6. If an AMT-based computer is using IPv6 and establishes an out of band connection with another computer that is using IPv6, responses will be very slow because IPv6 connections are attempted first and retried before failing over to IPv4 connections. For example, you will see slow responses when using the out of band management console and also when provisioning and sending power action commands from the Configuration Manager console.
In this scenario, the following warning is written to the log file <ConfigMgrInstallationPath>\Logs\amtopmgr.log on the out of band service point and also sent in a status message ID of 7217 with the component name of SMS_AMT_OPERATION_MANAGER:
Warning: The computer is configured to use IPv6 before IPv4. When out of band management uses IPv4 only, this configuration can negatively impact the performance of managing this computer out of band. You can change the precedence order by typing the following commands in a command prompt: “netsh interface ipv6 delete prefix ::ffff:0:0/96 “ and then “netsh interface ipv6 add prefix prefix=::ffff:0:0/96 precedence=45 label=4”.
To improve performance for out of band management communication, run the netsh command on the server running the out of band service point, as described in the warning message. The server will then initiate all connections by using IPv4 and try connections only by using IPv6 if IPv4 fails.
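The log signatures listed throughout this topic (the Oobconsole.log result codes, the Amtopmgr.log redirection errors and the IPv6 warning) can be checked in one pass. The following Python sketch is an added example, not part of the original topic or of Configuration Manager. The function name, the cause strings and the exact layout of the sample lines are assumptions; only the quoted signatures and codes come from the topic.

```python
import re

# Result codes this topic lists for Oobconsole.log, with the cause it gives.
RESULT_CAUSES = {
    0x80072EE9: "console runs on Windows XP before SP3 or Windows Server 2003 before SP2",
    0x800703E3: "no DNS host record resolves the AMT FQDN",
    0x80004005: "another console is already connected to this AMT-based computer",
}
REDIRECTION = "IDE redirection / serial over LAN disabled in BIOS extensions or by manufacturer"
TEXT_SIGNATURES = [
    ("AMT_RedirectionService", REDIRECTION),
    ("EnableRedirectionService", REDIRECTION),
    ("configured to use IPv6 before IPv4", "IPv6 is tried before IPv4 on the service point"),
]
# Anchoring on "result:" (optional space) keeps the thread ID that ends
# Amtopmgr.log lines, such as "(0x0C30)", from being read as an error code.
RESULT_RE = re.compile(r"result:\s*0x([0-9A-Fa-f]+)")


def triage(lines):
    """Return (line_number, cause) for every line matching a signature above."""
    findings = []
    # 0x2 is too generic on its own; it counts only after an IDER session entry.
    ider_context = False
    for number, line in enumerate(lines, 1):
        if "IMR_IDEROpenTCPSession" in line:
            ider_context = True
        match = RESULT_RE.search(line)
        if match:
            code = int(match.group(1), 16)
            if code in RESULT_CAUSES:
                findings.append((number, RESULT_CAUSES[code]))
            elif code == 0x2 and ider_context:
                findings.append((number, "IDE redirection user is not a local administrator (UAC)"))
            ider_context = False
            continue
        for needle, cause in TEXT_SIGNATURES:
            if needle in line:
                findings.append((number, cause))
                break
    return findings


# Constructed sample lines; only the quoted signatures come from the topic.
SAMPLE = [
    "GetAMTPowerState fail with result:0x80072EE9",
    "GetAMTPowerState fail with result: 0x800703E3",
    "Error: cannot put change to AMT_RedirectionService instance. SMS_AMT_OPERATION_MANAGER <date> <time> 3120 (0x0C30)",
    "IMR_IDEROpenTCPSession1 with user = EXAMPLE\\operator, drive = D: fail with result:0x2, description:Invalid Parameter",
    "ExampleCall fail with result:0x2, description:Invalid Parameter",
]

if __name__ == "__main__":
    for number, cause in triage(SAMPLE):
        print(f"line {number}: {cause}")
```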
If an AMT-based computer is provisioned and then has its computer name changed or is moved to a different domain without first deleting the provisioning information and reprovisioning, the out of band management console no longer connects to the computer. In this scenario, when the client for Configuration Manager 2007 SP1 or later is installed, the connection will fail because the certificate subject value on the AMT-based computer does not contain the new FQDN. When the client for Configuration Manager 2007 SP1 or later is not installed in this scenario, the connection will fail because the out of band management console still attempts to connect by using the original FQDN.
You can identify client computers that are in this situation by using the following query: select disc.* from SMS_R_System disc INNER JOIN SMS_AMTMachineInfo info on disc.ResourceId = info.MachineID where disc.ResourceNames <> info.FQDN.
For computers running the client for Configuration Manager 2007 SP1 or later, remove the provisioning information from the AMT-based computer, and then reprovision the computer.
For computers that have been imported and are not running the client for Configuration Manager 2007 SP1 or later, import these computers again and specify their new FQDN. Then remove the provisioning information for these computers, and reprovision them.
For more information, see the following topics:
If you reassign an AMT-based computer to another Configuration Manager site and you do not remove the AMT provisioning information and then reprovision the computer in the new site, you will not be able to manage the AMT-based computer out of band in the new site. In this scenario, the AMT Status displays Detected.
Reassign the computer to the original site, remove the provisioning information, reassign the computer to the new site, and then provision the computer again in the new site. If you cannot temporarily reassign the computer to the original site, you can manually remove the provisioning information by configuring the BIOS extensions, and then reprovision the computer in the new site.
Tasks: AMT Provisioning Issues for Out of Band Management
Concepts: Log Files for Out of Band Management
Other Resources: Troubleshooting Out of Band Management
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.