Event ID 771 — Rogue Detection

Applies To: Windows Server 2008 R2

Windows Deployment Services requires interaction with Active Directory Domain Services for several critical functions. One of these functions is rogue detection, which determines whether the Pre-Boot Execution Environment (PXE) server is authorized to provide services in the domain. Rogue detection is also known as Dynamic Host Configuration Protocol (DHCP) authorization.

Event Details

Product: Windows Operating System
ID: 771
Source: WDSPXE
Version: 6.1
Symbolic Name: W_WDSPXE_ROGUE_CACHED_AUTH_RESULTS
Message: The Windows Deployment Services server was unable to update its rogue detection state when contacting Active Directory Domain Services. The server will continue to use its current setting: the server is authorized as a valid DHCP/PXE server and will process incoming client requests.

Resolve

Authorize the server in Active Directory

The WDSServer service must be authorized in Active Directory Domain Services in order to pass the rogue detection process. To resolve this issue, first authorize the service: open a Command Prompt window and run wdsutil /set-server /authorize:yes. If this command returns an error, the server could not be authorized. In this case, do the following in the specified order until the issue is resolved:

  • Ensure that the domain controller is reachable.
  • Ensure that the machine account has sufficient permissions.
  • Ensure that the registry configuration data is correct.

Ensure that the domain controller is reachable

If you can ping the domain controller by IP address, reachability is not the problem. If you cannot ping it by IP address, ensure that:

  • The domain controller computer is turned on.
  • The Active Directory service is running and has network connectivity.
  • The Windows Deployment Services server has network connectivity.

Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before using these steps, determine whether the firewall or Internet Protocol security (IPsec) settings on your network permit Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command.

To perform these procedures, you must either be a member of the local Administrators group or have been delegated the appropriate authority.

To determine whether there is a network connectivity problem:

  1. On the Windows Deployment Services server, open the Command Prompt window.
  2. At the command prompt, run ping <server FQDN>, where <server FQDN> is the fully qualified domain name (FQDN) of the domain controller (for example, server1.contoso.com).
  3. At the command prompt, run ping <IP Address>, where <IP Address> is the IP address of the domain controller.
  4. Note the following:
    • If you can successfully ping the domain controller by IP address, but not by FQDN, this indicates a possible issue with DNS host name resolution.
    • If you cannot successfully ping the domain controller by IP address, this indicates a possible issue with network connectivity, the firewall configuration, or the IPsec configuration.
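
The ping comparison in the procedure above, as an added PowerShell example (not part of the original Microsoft article). It also tries a TCP connection to LDAP port 389, an assumption added here so that filtered ICMP is not mistaken for an unreachable domain controller; the function name and the IP address are placeholders.

```powershell
# Added example, not Microsoft's code. Classifies DC reachability from the WDS server.
function Test-DcReachability {
    param(
        [Parameter(Mandatory=$true)][string]$DcFqdn,
        [Parameter(Mandatory=$true)][string]$DcIp,
        [int]$LdapPort = 389,     # assumption: LDAP used as a non-ICMP cross-check
        [int]$TimeoutMs = 3000
    )

    # Step 3: ICMP echo to the IP address.
    $pingIp = Test-Connection -ComputerName $DcIp -Count 2 -Quiet

    # Resolve the name separately so a DNS failure is not mistaken for packet loss.
    $resolved = @()
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($DcFqdn) |
                      ForEach-Object { $_.IPAddressToString })
    } catch { }

    # Step 2: ICMP echo to the FQDN, only attempted when the name resolves.
    $pingName = $false
    if ($resolved.Count -gt 0) {
        $pingName = Test-Connection -ComputerName $DcFqdn -Count 2 -Quiet
    }

    # A TCP connect separates "ICMP is filtered" from "host is unreachable".
    $ldapOpen = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($DcIp, $LdapPort, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($pending)
            $ldapOpen = $client.Connected
        }
    } catch { } finally { $client.Close() }

    # Step 4: interpret the results the way the procedure describes.
    if ($pingIp -and $pingName)  { $finding = 'Reachable by FQDN and IP; reachability is not the problem' }
    elseif ($pingIp)             { $finding = 'IP answers but FQDN does not; check DNS host name resolution' }
    elseif ($ldapOpen)           { $finding = 'LDAP answers but ping does not; ICMP is filtered by firewall or IPsec' }
    else                         { $finding = 'No response by IP; check connectivity, firewall and IPsec' }

    New-Object PSObject -Property @{
        PingIp = $pingIp; PingFqdn = $pingName; Resolved = ($resolved -join ',')
        LdapOpen = $ldapOpen; Finding = $finding
    }
}
# Placeholder values; substitute your domain controller's name and address.
Test-DcReachability -DcFqdn 'server1.contoso.com' -DcIp '192.0.2.10'
```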

If necessary, you can perform the following additional steps to help identify the root cause of the problem:

  • Ping other computers on the network to determine the extent of the connectivity issue.
  • If you can ping other servers but not the domain controller, try to ping the domain controller from another computer. If you cannot ping the domain controller from any computer, first ensure that the domain controller is running. If the domain controller is running, check its network settings.
  • Check the TCP/IP settings on the local computer by doing the following:
    1. Open the Command Prompt window, run ipconfig /all at the command prompt, and then ensure that the output is correct.
    2. Run ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If this command is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
    3. Run ping <local IP address>. If you can ping the localhost address but not the local address, there may be an issue with the routing table or with the network adapter driver.
    4. Run ping <DNS server IP address>. If there is more than one DNS server on your network, you should ping each of them in turn. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the computer and the DNS servers.
    5. If the domain controller is on a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this might indicate a problem with the network adapter, the router or gateway device, the cabling, or other connectivity hardware.
  • In Device Manager, check the status of the network adapter. (To open Device Manager, click Start, click Run, type devmgmt.msc, and then click OK.)
  • Check the network connectivity indicator lights on the computer and at the hub or router. Check all of the network cabling.
  • Check the firewall settings by using the Windows Firewall with Advanced Security snap-in.
  • Check the IPsec settings by using the IP Security Policy Management snap-in.

If none of these steps resolves your issue, use the procedure in the following section to ensure that the machine account has the required permissions.

Ensure that the machine account has sufficient permissions

On the server that contains Active Directory directory services, grant server permissions to the machine account for the Windows Deployment Services server so that it can read the Service Control Point (SCP).

To perform this procedure, you must either be a member of the local Domain Admins group or have been delegated the appropriate authority.

To grant permissions to the SCP object:

  1. Open the Active Directory Users and Computers MMC Snap-in.
  2. Click View, and then click Advanced Features (if it is not already enabled).
  3. Access the properties of the Windows Deployment Services server’s computer account.
  4. On the Remote Install tab, click Advanced Settings.
  5. On the Security tab, click Add.
  6. Select the user, and then click Full Control on this object.

If the SCP object has the correct permissions, use the instructions in the following section to ensure that the registry data is correct.

Ensure that the registry configuration data is correct

If neither of the first two solutions in this topic fixes your issue, the registry data may be corrupt. To determine whether this data is corrupt, run the WDSUTIL /get-server /server:<server name> command at the command prompt. If this command fails or if the output is corrupted, you will need to reinitialize the server. To do this, run wdsutil /uninitialize-server at the command prompt, and then run wdsutil /initialize-server /reminst:<path to RemoteInstall folder>.

Verify

To verify that your PXE server is authorized:

  1. Open the Command Prompt window. (Click Start, point to All Programs, click Accessories, and then click Command Prompt.)
  2. At the command prompt, run wdsutil /get-server /show:config.
  3. Verify that Rogue detection (under PXE Bind Policy) is set to Enabled, and that the Authorization status (under Server Authorization) is set to Authorized.
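
One way to script this check, as an added example that is not from the original article: it parses the text of wdsutil /get-server /show:config and tests the two values named in step 3. The function name and the sample output are constructed, and English-language output is assumed.

```powershell
# Added example, not Microsoft's code. Checks the two values the Verify step names.
function Get-WdsAuthorizationState {
    param([string[]]$ConfigLines)

    $section = ''
    $values  = @{}   # "Section|Key" -> value; PowerShell hashtable keys ignore case
    foreach ($line in $ConfigLines) {
        $text = $line.Trim()
        if ($text -match '^([^:]+):$') {
            $section = $Matches[1].Trim()               # heading, e.g. "PXE Bind Policy:"
        } elseif ($text -match '^([^:]+):\s*(\S.*)$') {
            $values["$section|$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }

    $rogue = $values['PXE Bind Policy|Rogue detection']
    # The label wording after "Authorization" is matched loosely (assumption).
    $authKey = @($values.Keys | Where-Object { $_ -like 'Server Authorization|Authorization*' })
    $auth = $null
    if ($authKey.Count -gt 0) { $auth = $values[$authKey[0]] }

    New-Object PSObject -Property @{
        RogueDetection = $rogue
        Authorization  = $auth
        Passed         = ($rogue -eq 'Enabled') -and ($auth -eq 'Authorized')
    }
}

# Constructed sample (authorized server with rogue detection turned off).
# On a live server use:
#   Get-WdsAuthorizationState -ConfigLines (wdsutil /get-server /show:config)
$sample = @'
Server Authorization:
     Authorization status: Authorized

PXE Bind Policy:
     Use DHCP ports: Yes
     Rogue detection: Disabled
     RPC port: 5040
'@ -split "`r?`n"

Get-WdsAuthorizationState -ConfigLines $sample
```

A missing value leaves the corresponding property empty and Passed false, so truncated or corrupted output is reported as a failure rather than silently accepted.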
