Identifying Network Issues Affecting Configuration Manager
Almost all Configuration Manager functionality
depends on adequate network services. The next sections will look at
some of the features most often affected by network issues. These
features include site system and client installation, software
distribution, and data synchronization across the hierarchy.
The following sections discuss some indicators
of possible network issues that you may see in the status messages and
logs. In addition to troubleshooting, you can use this information to
configure proactive monitoring for ConfigMgr, helping to spot many
problems before they impact service delivery.
The following discussion is by no means an
exhaustive list of possible network issues. It does cover some of the
more common issues, and should give you an idea of how to use these
tools effectively.
Network Issues Affecting Site System Installation
When there is a problem installing or
configuring a site system, this will generally show up in the Site
Component Manager status. In the ConfigMgr console, expand System Center
Configuration Manager -> Site Database -> System Status ->
Site Status -> <Site Code> <Site Name>
-> Component Status. Right-click SMS_SITE_COMPONENT_MANAGER and
choose View Messages -> All. If network problems are preventing a
site system installation, you will typically see status messages similar
to the ones detailed in Table 1.
Table 1. Site Component Manager Status Messages Indicating Network Problems
| Severity | Message ID | Description |
|---|---|---|
| Error | 1037 | SMS Site Component Manager could not access site system “\\MINEOLA.” The operating system reported error 2147942453: The network path was not found. |
| | | Possible cause: The site system is turned off, not connected to the network, or not functioning properly. |
| | | Solution: Verify that the site system is turned on, connected to the network, and functioning properly. |
| | | Possible cause: SMS Site Component Manager does not have sufficient access rights to connect to the site system. |
| | | Solution: Verify that the site server’s computer$ account has administrator rights on the remote site system. |
| | | Possible cause: Network problems are preventing SMS Site Component Manager from connecting to the site system. |
| | | Solution: Investigate and correct any problems on your network. |
| | | Possible cause: You took the site system out of service and do not intend on using it as a site system any more. |
| | | Solution: Remove this site system from the list of site systems for this site. The list appears in the Site Systems node of the ConfigMgr console. |
| Error | 1028 | SMS Site Component Manager failed to configure site system “\\MINEOLA” to receive SMS server components. |
| | | Solution: Review any previous status messages to determine the exact reason for the failure. |
| | | The SMS Site Component Manager cannot install any ConfigMgr server components on this site system until the site system is configured successfully. The Site Component Manager will automatically retry this operation in 60 minutes. To force SMS Site Component Manager to retry this operation immediately, stop and restart SMS Site Component Manager using the SMS Service Manager. |
| Error | 578 | Could not read Registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS” on computer MINEOLA. The operating system reported error 11001: No such host is known. |
| | | Resolution: Troubleshoot name resolution. |
You will find additional information in the log
file sitecomp.log. Network problems are indicated by errors such as
ERROR: NAL failed to access NAL path....
Network Issues Affecting Client Installation
When Client Push Installation is enabled, the
Client Configuration Manager component on the site server is responsible
for installing the client on those systems that are discovered
and targeted for installation. When an installation attempt fails, a
Client Configuration Request (.CCR) file is copied to the folder <%ProgramFiles%\ConfigMgrInstallPath>\inboxes\ccrretry.box (where <ConfigMgrInstallPath> indicates the folder in which Configuration Manager is installed, by default Microsoft Configuration Manager).
It is not unusual for a client installation to
take more than one attempt, and you may see some files in the
ccrretry.box folder as part of normal operations. However, a large
backlog of files in this location may indicate a problem pushing out the
client software. Problems will also show up under the status for Client
Configuration Manager (in the console under System Center Configuration
Manager -> Site Database -> System Status -> Site Status ->
Component Status -> SMS_CLIENT_CONFIG_MANAGER).
Note: About Offline Clients
You may see a backlog of CCR retries and
numerous status messages indicating client installation failures, which
occur simply because the machines were temporarily disconnected or shut
down when Client Configuration Manager attempted to contact them. The
Client Configuration Manager may also be attempting to reach machines
that are permanently offline but previously discovered by ConfigMgr
2007. This is a particularly common issue with Active Directory system
discovery. If your Active Directory contains machine accounts for
computers that no longer exist, AD system discovery will discover these
machines, and Client Push (if enabled) will attempt to install the
client on them. Your change control process should include removal of
stale computer accounts from Active Directory.
Table 2 lists some messages that indicate possible network issues.
Table 2. Client Configuration Manager Status Messages Indicating Network Problems
| Severity | Message ID | Description |
|---|---|---|
| Warning | 3014 | SMS Client Configuration Manager cannot connect to the machine “MINEOLA.” The operating system reported Error 5: Access is denied. |
| | | Possible cause: The client is not accessible. |
| | | Solution: Verify that the client is connected to the network and that the SMS Service account or (if specified) the SMS Client Remote Installation account has the required privileges, as specified in the SMS documentation. |
| | | Possible cause: A remote client installation account was not specified in the SMS Admin console, the account is not valid, is disabled, or has an expired password. |
| | | Solution: Ensure one or more valid and active remote client installation accounts are specified in the ConfigMgr console, that the account names and passwords are correct, and that the account has the required administrator rights on the target machines. |
| Warning | 3010 | In the past %3 hours, SMS Client Configuration Manager (CCM) has made %1 unsuccessful attempt(s) to install SMS on client %2. CCM will continue to attempt to install this client. |
| Error | 3011 | SMS Client Configuration Manager (CCM) failed to complete the SMS installation on client. |
| Warning | 3015 | SMS Client Configuration Manager cannot find machine %1 on the network. |
You may find additional information in the log
files ccm.log on the site server and ccmsetup.log on the client (the
ccmsetup log only exists if the attempted installation progressed far
enough for the setup process to start on the client).
Table 3 lists log entries that can help identify network issues.
Table 3. Log File Entries Indicating Network Problems with Client Installation
| Log File Name | Log File Entry | Description | Troubleshooting Steps |
|---|---|---|---|
| ccm.log | The network path was not found (Error Code 53). | Unable to resolve or contact client | Follow basic network troubleshooting between the site server and client (note: the client may simply have been offline). |
| ccm.log | The network name cannot be found (Error 67). | Unable to connect to client | Verify that File and Printer Sharing for Microsoft Networks is enabled on the client and not blocked by firewall or security software. |
| ccmsetup.log | Failed to send HTTP request (Error 12029). | Error communicating with management point | Review the LocationServices log to identify the MP. Test the connection to the MP. |
| ccmsetup.log | Failed to successfully complete HTTP request. | Error communicating with management point | Review the LocationServices log to identify the MP. Test the connection to the MP. |
Missing or Incorrect Service Principal Name Registration
Service Principal Names (SPNs) provide
information used by clients to identify and mutually authenticate with
services using Kerberos authentication. Services use Active Directory
SPN registration to make the required information available to clients.
Missing or incorrect SPN registration is a common cause of problems with
client communications with site systems, such as failure to download
content or client approval problems. HTTP 401 errors in client log
files, including the Datatransferservice.log and ccmexec.log, may
indicate problems with SPN registrations. To register the required
Service Principal Names properly, refer to the following documentation:
If you are running the SQL Server
service using a domain account on the site database server or other
roles requiring SQL Server, you must follow the instructions in http://technet.microsoft.com/en-us/library/bb735885.aspx
to register the SPN. If the SQL Server service is configured to run
under the local system account, you do not need to manually register the
SPN. However, running SQL Server in the local system context is not
recommended for security reasons.
For
site systems that require IIS, if the system is registered in DNS using a
CNAME (a DNS alias rather than the actual computer name), you will need
to register the SPN using the procedure described in http://technet.microsoft.com/en-us/library/bb694288.aspx.
If you are using a management point configured as a network load-balancing (NLB) cluster in a mixed mode site, refer to http://technet.microsoft.com/en-us/library/bb735879.aspx for instructions on SPN registration.
Network Issues Affecting Software Distribution
Software
distribution relies on networking to send packages to distribution
points and for clients to download policy from management points and
content from distribution points. Figure 1
shows the principal network exchanges involved in software
distribution. In this figure, the directional arrows indicate the
principal direction of data transfer.
You will find status information relating to
the general functioning of package deployment under System Center
Configuration Manager -> Site Database -> System Status -> Site Status -> Component Status -> SMS_DISTRIBUTION_MANAGER.
Table 4
shows Distribution Manager status messages that may indicate network
problems preventing package distribution. You can also find status
information for individual packages under System Center Configuration
Manager -> Site Database -> System Status -> Package Status.
Additional details are available in Distmgr.log.
Table 4. Distribution Manager Status Messages Indicating Possible Network Problems
| Severity | Message ID | Description |
|---|---|---|
Error | 2302 | SMS Distribution Manager failed to process package %1 (package ID = %2). |
Error | 2307 | SMS Distribution Manager failed to access the source directory %1 for package %2. |
Error | 2328 | SMS Distribution Manager failed to copy package %1 from %2 to %3. |
Error | 2332 | SMS Distribution Manager failed to remove package %1 from distribution path %2. |
Error | 2344 | Failed to create virtual directory on the defined share or volume on distribution point %1. |
Some general status information about
advertisements is available in the Configuration Manager console.
General statistics about advertisements are located under System Center
Configuration Manager -> Site Database -> System Status ->
Advertisement Status.
To view status messages for a particular
advertisement, expand out the Advertisement Status node, select the
advertisement, right-click the site of interest from the right window,
choose Show Messages, and then select an interval of interest. Status
message ID 10051, for example, indicates that the package was not
available on the distribution point. Detailed troubleshooting of
advertisement problems often requires looking at the client logs.
Table 5 shows some key entries to check in the client logs.
Table 5. Client Log File Entries Related to Locating and Retrieving Advertised Content
| Log File Name | Log File Entry | Description | Troubleshooting Steps |
|---|---|---|---|
| LocationServices.log | Distribution Point=<server name> | Informational. Shows what DP is used for the package, based on the PackageID. | A UNC (Universal Naming Convention) path (e.g., \\<servername>\<share>\<packageID>) indicates an SMB connection. Transfer details will be in FileBITS.log. |
| | | | A URL (e.g., http://<servername>/<directory>/<packageID>) indicates a BITS download. Transfer details will be in DataTransferService.log. |
| LocationServices.log | Retrieved <local\|proxy\|default> Management Point | Informational. Shows the MP systems. | None. |
| PolicyAgent.log | Received delta policy update with <number of> assignments | Informational. Shows the policy download occurred and the number of assignments. | None. |
| CAS.log | Failed to get DP location... | Possible boundary issue. | Review the LocationServices log. |
| CAS.log | Download failed for content... | Error communicating with distribution point (DP). | Review the log for additional details. Follow basic network troubleshooting between the client and the DP. |
| CAS.log | Download failed for download request... | Error communicating with distribution point. | Check BITS functionality on the client; reinstall BITS if necessary. |
| DataTransferService.log | ERROR (0x80070422) | BITS communication failure. | Follow basic network troubleshooting between the client and DP. |
| FileBITS.log | Encountered error while copying files | SMB error. | Review the log for additional details. Follow basic network troubleshooting between the client and the DP. |
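
The log entries in Tables 3 and 5 can be turned into a repeatable check for proactive monitoring. The following is an added example, not code from the original text or from Microsoft: the function name `Find-NetworkIndicator`, the `$Signatures` table layout, and the sample log lines are assumptions constructed for illustration.

```powershell
# Indicators copied from Tables 3 and 5 on this page: log file, text to match, next step.
$Signatures = @(
    @{ Log = 'ccm.log';      Text = 'The network path was not found';   Step = 'Network troubleshooting between site server and client (client may be offline)' }
    @{ Log = 'ccm.log';      Text = 'The network name cannot be found'; Step = 'Verify File and Printer Sharing is enabled and not blocked on the client' }
    @{ Log = 'ccmsetup.log'; Text = 'Failed to send HTTP request';      Step = 'Identify the MP in LocationServices.log and test the connection' }
    @{ Log = 'ccmsetup.log'; Text = 'Failed to successfully complete HTTP request'; Step = 'Identify the MP in LocationServices.log and test the connection' }
    @{ Log = 'CAS.log';      Text = 'Failed to get DP location';        Step = 'Possible boundary issue; review LocationServices.log' }
    @{ Log = 'CAS.log';      Text = 'Download failed for content';      Step = 'Network troubleshooting between client and DP' }
    @{ Log = 'CAS.log';      Text = 'Download failed for download request'; Step = 'Check BITS functionality on the client' }
    @{ Log = 'DataTransferService.log'; Text = '0x80070422';            Step = 'BITS failure; network troubleshooting between client and DP' }
    @{ Log = 'FileBITS.log'; Text = 'Encountered error while copying files'; Step = 'SMB error; network troubleshooting between client and DP' }
)

function Find-NetworkIndicator {
    param(
        [Parameter(Mandatory = $true)] [string] $LogName,
        [string[]] $Lines = @()   # not mandatory, so blank log lines are accepted
    )
    # Only test the signatures that belong to the named log file.
    $forThisLog = $Signatures | Where-Object { $_.Log -eq $LogName }
    foreach ($sig in $forThisLog) {
        # -SimpleMatch: treat the text literally, not as a regular expression.
        $hits = @($Lines | Select-String -SimpleMatch -Pattern $sig.Text)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Log       = $LogName
                Indicator = $sig.Text
                Count     = $hits.Count
                NextStep  = $sig.Step
            }
        }
    }
}

# Constructed sample lines (simplified; real entries carry timestamps and thread data).
$ccmLog = @(
    'constructed: request for MINEOLA - The network path was not found (Error Code 53).'
    'constructed: request for MINEOLA - The network path was not found (Error Code 53).'
    'constructed: request for client02 - The network name cannot be found (Error 67).'
    'constructed: request for client03 completed'
)
Find-NetworkIndicator -LogName 'ccm.log' -Lines $ccmLog | Format-Table -AutoSize -Wrap
```

To scan a real log, pass the output of `Get-Content` for that file as `-Lines`.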
Configuration Manager provides an option to
enable Network Abstraction Layer (NAL) logging, which adds detailed
logging of network connection processing to the log for components that
use network resources. NAL logging increases the log size substantially
and logs many apparent errors that may be misleading; however, it can
also be an essential tool for network troubleshooting. In general, you
should only enable NAL logging when you need it to troubleshoot a
specific issue.
As
changes occur in your network topology, such as new or modified IP
subnets, it is important to modify the boundaries of your Configuration
Manager sites and protected site systems to reflect these changes.
Failure to update ConfigMgr boundaries to reflect network changes is a
common cause of problems with software distribution and automatic site
assignment. Use appropriate change control procedures to ensure
Configuration Manager 2007 stays up to date with your network
environment.
If you are using Active Directory for your
site boundaries, you can monitor the Windows System event log for
specific Event IDs based on the version of Windows Server:
For Windows Server 2003 and Windows
Server 2008 domain controllers, look for Event ID 5807, Type: Warning,
Source: NETLOGON on each domain controller. On Windows 2000 domain controllers, the Event ID will be 5778.
This event indicates that one or more
computers have connected to the domain controller from an IP address
that is not part of a defined Active Directory site. For information on
troubleshooting and remediating this issue, see http://support.microsoft.com/kb/889031.
Network Issues Affecting Site Communications
Problems with site-to-site communications can
cause problems such as new or modified objects at parent sites not
being replicated to child sites, and data from child sites not being
updated at the parent site. An indication of problems with site
communications is often a backlog of files in the folders used by the
site-to-site communications components:
<ConfigMgrInstallPath>\inboxes\schedule.box\outboxes\<sender name> is the outbox for the sender (where <sender name> is the name of the sender; for the standard sender this will be LAN).
Files
used by the sender are queued here for processing. A backlog of send
request (.srq) files may indicate that the sender is having problems
processing requests or a problem connecting or transferring data to
another site.
<ConfigMgrInstallPath>\inboxes\schedule.box\requests stores send requests before sending them to the sender.
<ConfigMgrInstallPath>\inboxes\schedule.box\tosend stores package and instruction files to transfer to another site.
If you find a backlog
of files in any of these folders, check the sender log (sender.log) for
errors. You may also view the sender status in the ConfigMgr console,
under System Center Configuration Manager -> Site Database ->
System Status -> Site Status -> Component Status ->
SMS_LAN_SENDER.
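
Both the ccrretry.box folder described under client installation and the schedule.box folders listed above are monitored the same way: count the queued files and note how old the oldest one is. The following is an added example, not code from the original text or from Microsoft: the function name `Get-InboxBacklog`, the threshold value, and the demo folder tree are assumptions.

```powershell
function Get-InboxBacklog {
    param(
        [Parameter(Mandatory = $true)] [string] $InstallPath,  # <ConfigMgrInstallPath>
        [string] $SenderName = 'LAN',                          # standard sender
        [int]    $Threshold  = 100                             # assumed value; tune per site
    )
    # Folders named on this page, relative to the install path.
    $folders = @(
        'inboxes\ccrretry.box'
        "inboxes\schedule.box\outboxes\$SenderName"
        'inboxes\schedule.box\requests'
        'inboxes\schedule.box\tosend'
    )
    foreach ($rel in $folders) {
        $path   = Join-Path $InstallPath $rel
        $exists = Test-Path -LiteralPath $path
        $files  = @()
        if ($exists) {
            $files = @(Get-ChildItem -LiteralPath $path | Where-Object { -not $_.PSIsContainer })
        }
        # Age of the oldest queued file: a few fresh files are normal, old ones are not.
        $oldestHours = 0
        if ($files.Count -gt 0) {
            $oldest      = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
            $oldestHours = [math]::Round(((Get-Date) - $oldest).TotalHours, 1)
        }
        [pscustomobject]@{
            Folder      = $rel
            Exists      = $exists
            Files       = $files.Count
            OldestHours = $oldestHours
            Backlog     = ($files.Count -gt $Threshold)
        }
    }
}

# Constructed demo tree under the temp folder, with three placeholder .ccr files.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'cm-inbox-demo'
$ccr  = Join-Path $demo 'inboxes\ccrretry.box'
New-Item -ItemType Directory -Path $ccr -Force | Out-Null
1..3 | ForEach-Object { Set-Content -Path (Join-Path $ccr "host$_.ccr") -Value 'constructed' }
Get-InboxBacklog -InstallPath $demo -Threshold 2 | Format-Table -AutoSize
```

On a site server, point `-InstallPath` at the actual installation folder and run the function on a schedule; when a folder reports a backlog, continue with ccm.log or sender.log as described above.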