Lucky Tham


How to reconnect the 2000 nodes of the agent (configuration manager) to be detected by SCCM?

We have 7000 AD user objects, but SCCM only displays 4283 objects.

How to reconnect the 2000 nodes of the agent (configuration manager) to be detected by SCCM?
SCCM1.jpg
Adam Leinss

How are you installing the SCCM client?  Do you have discovery and client push enabled?
Lucky Tham

ASKER

I am sure about it as I just took this project.
yes
If you don't have CMTrace: I would load that.  You can copy CMTrace.exe to your C: drive from

\\sccmserver\c$\Program Files\Microsoft Configuration Manager\tools

Then open ccm.log from here

\\sccmserver\c$\Program Files\Microsoft Configuration Manager\Logs

That should lead you to the issue.  You can also upload the log file here for us to view.
Sure.

Is there a limitation to SCCM that can only store up to a max of OU objects?
SCCM supports up to 125,000 clients per site without a CAS, so I highly doubt you are running into a limitation with the product.  What does the log show?
I am off duty now. I can only provide it to you tomorrow morning.

Can you pls provide me some troubleshooting guides, as I've never used SCCM before in this newly joined company? Tks.
My recommendation would be grab the ccm.log file from \\sccmserver\c$\Program Files\Microsoft Configuration Manager\Logs and upload it within your question here and then we can take a look.

Possibilities are:

Boundary not defined for clients
Boundary incorrect for clients
Client firewall blocking File and Printer Sharing (i.e. SCCM server can't reach c$ share)
Discovery setup incorrectly or not turned on
Client push not turned on
Invalid credentials for client push account
Improper rights for client push account
Noted w tks.
See attached logs as requested.
ccm.log
Hi,

From what you've written so far, you are just beginning to use SCCM, presumably after someone left and you were chosen "to do SCCM".
My advice: buy a book and read it. Charge the company for it if you can/like. It is NOT a product to sit there guessing what to click and wonder how it works.

As to your problem, Adam's suggestions are good. I would start by looking at the Discovery Methods, and in particular WHERE it is pointing.
There is a good chance that whoever set it up, pointed the "System Discovery" at an OU above where you want or expect.
e.g.
Domain
    Sales
    Finance
    Engineering
          Users
          Computers <<<<

If Discovery is pointing at Engineering\Computers you will NOT see any machines that happen to be in Sales or Finance.

The other point I will make, from your screenshot is that all the collections are pointing at "All Systems". That is scary. Scary because All Systems really does mean EVERYTHING. If you make a typing mistake and the query/rule you put is wrong, it can just include every machine including servers, Domain Controllers etc. You deploy anything and it will install to all those.
The solution: create Limiting collections. Start with "All Windows 7" at least and then any new collection set the limit to "All Windows 7".
Doing just that alone will avoid serious IT accidents.

Mike
Looks like a client firewall issue or the service accounts defined in SCCM do not have admin access to the clients:

---> ERROR: Unable to access target machine for request: "2097172275", machine name: "LTSP18BSD5144AB", access denied or invalid network path.      SMS_CLIENT_CONFIG_MANAGER      6/14/2018 8:17:33 AM      36984 (0x9078)

Plan of attack:

1. I would try pinging one of the computers in CCM.log not installing and make sure it's online.
2. On that same computer: make sure either SMRTTIBS\sccmcfg or SMRTTIBS\sccmaccess is in the local administrators group of the client
3. If 1&2 are OK: try disabling the Windows firewall (if enabled) on the same computer and see if you can push the client.  You can do that on-demand by going to the same computer in the SCCM console, right-click computer object, choose Install client, follow the prompts and then re-check the CCM.log.
Hi Adam,

Can we have a 1:1 live chat so that you can advise me how to troubleshoot accordingly?

Thanks.

Lennet
Hi Lennet,

Unfortunately that won't be possible with me, I work a full time job and answer in my spare time.
No problem. Tks.
Hi Adam,

Could it be these issues as stated in below for your advice.

1. DNS issue (enable scavenging) with computers, which cannot install SCCM client??
Could it be missing DNS record is DNS scavenging causing SCCM? What are the pros and cons if I turn off or extend Refresh from 7 days to 30 days?

2. WMI is next issue to install SCCM Client??
Unable to connect to WMI on remote machine, error = 0x800706ba

3. Symantec Antivirus Ports were blocked? What port should be open? Client firewall or Company firewall (checkpoint, Cisco)  

Thanks.

Lucky
1.  You should be able to ping some of the computers it can't install to listed in CCM.log.  That is as simple as picking a few that failed and doing a ping to them.  I doubt you have 3000 stale DNS entries....though it's possible.  You want to start simple before jumping to a DNS issue.

2 & 3: I would try disabling the firewall completely on ONE machine and try installing the client.    Did that work?  Very easy to test that.  If disabling the client firewall completely worked, then you need to open some ports.

See https://docs.microsoft.com/en-us/sccm/core/clients/deploy/windows-firewall-and-port-settings-for-clients. You'll need these open on the client:

Outbound and inbound: File and Printer Sharing

Inbound: Windows Management Instrumentation (WMI)

You may want to open these as well for using remote control to the clients:

Inbound: TCP Port 2701
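
Added example (not part of the original replies): the checks suggested above (name resolution, ping, File and Printer Sharing, WMI) run in one pass against a machine that fails client push. It assumes Windows PowerShell 5.1 on the site server (Server 2012 R2 or later); the function name `Test-ClientPushPrereq` and the port mapping in the comments (TCP 445 for SMB, TCP 135 for the RPC endpoint mapper) are assumptions, not values stated in the thread.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on the
# site server, run as an account expected to be local admin on the target.
function Test-ClientPushPrereq {
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{
        ComputerName = $ComputerName
        DnsAddress   = $null
        Ping         = $false
        Smb445       = $false   # File and Printer Sharing: admin$ copy of ccmsetup
        Rpc135       = $false   # RPC endpoint mapper: first hop of a remote WMI call
        AdminShare   = $false
        Wmi          = $false
        WmiError     = $null
    }

    # Stop early if the name does not resolve; every later test would fail too.
    $a = Resolve-DnsName -Name $ComputerName -Type A -ErrorAction SilentlyContinue |
         Where-Object IPAddress | Select-Object -First 1
    if (-not $a) { return [pscustomobject]$r }
    $r.DnsAddress = $a.IPAddress

    $r.Ping = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
    foreach ($port in 445, 135) {
        $t = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        if ($port -eq 445) { $r.Smb445 = $t.TcpTestSucceeded } else { $r.Rpc135 = $t.TcpTestSucceeded }
    }
    $r.AdminShare = Test-Path -Path "\\$ComputerName\admin$"

    # Get-WmiObject connects over DCOM/RPC, so a blocked RPC path shows up here.
    try {
        $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $r.Wmi = $true
    } catch {
        $r.WmiError = $_.Exception.Message
    }
    [pscustomobject]$r
}

# Machine name taken from the ccm.log line quoted earlier in this thread.
'LTSP18BSD5144AB' | ForEach-Object { Test-ClientPushPrereq $_ } | Format-List
```

A row with `Ping` true but `Smb445` or `Rpc135` false points at the client firewall; `Smb445` true with `AdminShare` false points at the rights of the account running the check.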
Hi Adam,

1. Checked Firewall on Client is disabled
2. Uninstall Configuration Manager Agent in Client Machine
3. Uninstalled Symantec. Push client manual from SCCM again
4. See Configuration Manager Agent on Control Panel and SCCM status from inactive to active
Not sure if this is considered working as what you've suggested. If I want to check the log from the client, how do I read the log that has successfully pushed down to client machines?

Can I know how to configure the "configuration manager agent" and Windows updates & security patches, Baseline (CPU, RAM, Disk, etc.) from AD GPO to push down to 2000 client machines at one go?

Tks.

Lucky
The installation log on the client will be in C:\windows\ccmsetup\ccmsetup.log and C:\windows\ccm\logs\ClientIDManagerStartup.log.  If it shows Active in the SCCM console: then it sounds like it was registered successfully.

Software updates...you will need to set up Software Upgrade Groups (SUGs)...you will probably want to open a new question on that as it's a topic within itself.

If you want to deploy the SCCM client via GPO, you can use this guide: https://enterinit.com/guide-deploying-sccm-client-using-group-policy/

I've always done automated client push right from SCCM, but GPO should work as well.  You'll need to copy the CCM client to your SYSVOL so you can point to it from the GPO.
Hi Adam,

I've tried to troubleshoot as follows:

1. Checking user hostname in nsmrt08215 in SCCM > Device > Client: Yes & Client Activity: Yes

2. User able to ping SCCM server

3. Checked AD DNS and found no user DNS record. Then did an ipconfig /registerdns & ipconfig /flushdns on SCCM, is this right?

4. Checked user ccmsetup log, unable to go in with error denied permission to access this folder. Then granted user local admin right, is this correct?

5. Checked local computer account group > domain admin > sccmaccess

6. Went to SCCM server to run ccm log to check. How to ensure SCCM server is correctly pushing to the client machine? See logs below:
Successfully retrieved information for machine NSMRT08215 from DB      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:26:23 PM      7580 (0x1D9C)
Execute query exec [sp_CP_GetPushRequestMachineIP] 16791796      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:26:23 PM      7580 (0x1D9C)
Execute query exec [sp_CP_GetPushRequestMachineResource] 16791796      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:26:23 PM      7580 (0x1D9C)
Execute query exec [sp_CP_GetPushMachineName] 16791796      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:26:23 PM      7580 (0x1D9C)
Received request: "16791796" for machine name: "NSMRT08215" on queue: "Incoming".      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:26:23 PM      7580 (0x1D9C)
Stored request "16791796", machine name "NSMRT08215", in queue "Processing".      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:26:23 PM      7580 (0x1D9C)
Execute query exec [sp_CP_SetPushRequestMachineStatus] 16791796, 1      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:26:23 PM      7580 (0x1D9C)
Submitted request successfully      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:26:23 PM      7580 (0x1D9C)

---> Attempting to connect to administrative share '\\NSMRT08215\admin$' using account 'SMRTTIBS\SccmAccess'      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:54 PM      27692 (0x6C2C)
---> Connected to administrative share on machine NSMRT08215 using account 'SMRTTIBS\SccmAccess'      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:54 PM      27692 (0x6C2C)
---> Attempting to make IPC connection to share <\\NSMRT08215\IPC$>      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:54 PM      27692 (0x6C2C)
---> Searching for SMSClientInstall.* under '\\NSMRT08215\admin$\'      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:54 PM      27692 (0x6C2C)
---> System OS version string "6.1.7601" converted to 6.10      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:55 PM      27692 (0x6C2C)
---> Mobile client on the target machine has the same version, and 'forced' flag is not turned on. Not processing this CCR      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:55 PM      27692 (0x6C2C)
---> Deleting SMS Client Install Lock File '\\NSMRT08215\admin$\SMSClientInstall.HQ1'      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:55 PM      27692 (0x6C2C)

7. How to check user logs? I went to windows>ccmsetup log and can't see that the user has been updated with the latest date. How to check that Configuration Manager has pushed down the latest Windows updates and security patches?

Pls advise accordingly.

Tks.

Lucky
Well, the easiest way is see if your client counts go up in the SCCM console after you make your changes, then you are on the right track.

If you look at the attachment I just uploaded, you'll see two clients side-by-side.  If you have more than 2 actions listed then the client is successfully registered.

In terms of software updates & SCCM, check out this link: https://www.reddit.com/r/SCCM/comments/8pjnbu/video_deep_dive_in_microsoft_sccm_software/
File attached
Hi Adam,

Still can't connect to SCCM.

1. Disabled firewall and Symantec.
2. Can ping to IP & hostname
3. SCCM can discover it
4. Client is No and Client activity is empty.
5. Ensure user is in the sccmaccess member group
6. Below is the logs

---> Unable to connect to WMI on remote machine "LIOEBSD1854LC", error = 0x800706ba.      SMS_CLIENT_CONFIG_MANAGER      20/6/2018 4:44:31 PM      8224 (0x2020)
---> Deleting SMS Client Install Lock File '\\LIOEBSD1854LC\admin$\SMSClientInstall.HQ1'      SMS_CLIENT_CONFIG_MANAGER      20/6/2018 4:44:31 PM      8224 (0x2020)
Stored request "2097170275", machine name "LIOEBSD1854LC", in queue "Retry".      SMS_CLIENT_CONFIG_MANAGER      20/6/2018 4:44:31 PM      8224 (0x2020)
<======End request: "2097170275", machine name: "LIOEBSD1854LC".      SMS_CLIENT_CONFIG_MANAGER      20/6/2018 4:44:31 PM      8224 (0x2020)
Successfully retrieved information for machine LIOEBSD1854LC from DB      SMS_CLIENT_CONFIG_MANAGER      20/6/2018 4:52:09 PM      5052 (0x13BC)
Received request: "2097170275" for machine name: "LIOEBSD1854LC" on queue: "Retry".      SMS_CLIENT_CONFIG_MANAGER      20/6/2018 4:52:09 PM      5052 (0x13BC)
Stored request "2097170275", machine name "LIOEBSD1854LC", in queue "Processing".      SMS_CLIENT_CONFIG_MANAGER      20/6/2018 4:52:09 PM      5052 (0x13BC)
Hi Adam,

Could background Intelligent services and the Win 7 version have caused incompatibility?

Tks.
Hi Adam,

I observed that some of the clients with Symantec can still be installed with SCCM Configuration Manager.

I'm confused about what exactly the cause was, as I need to explain the root cause of this issue to prevent reoccurrence in future.

Can you pls suggest what is the best practice and explain how SCCM works based on high level logic?

Tks.

Lucky
Can you get to \\LIOEBSD1854LC\c$ from your desktop logged in as an administrator?

Looking at https://msitpros.com/?p=303, this could be a DNS issue.  If you ping LIOEBSD1854LC from another PC and do a ipconfig at LIOEBSD1854LC, do the results match up?
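
Added example (not part of the original replies): the three client push outcomes read out of ccm.log in this thread (access denied on admin$, WMI error 0x800706ba, and "same version" skips), pulled from the log per machine. The function name `Get-CcmPushResult` and the cause wording are assumptions that paraphrase the replies above; the sample lines are the ones quoted in this thread.

```powershell
# Added example, not from the thread. Cause text paraphrases the replies above.
function Get-CcmPushResult {
    param([Parameter(Mandatory)][string[]]$Line)

    # Message fragment -> likely cause. 0x800706ba is "The RPC server is unavailable".
    $rules = [ordered]@{
        'access denied or invalid network path' = 'admin$ not reachable: client firewall or push account lacks local admin'
        'Unable to connect to WMI'              = 'WMI/RPC not reachable: firewall, or name resolves to another host'
        'Not processing this CCR'               = 'Client already installed at the same version (not a failure)'
    }
    $machineByThread = @{}   # a request is handled on one thread, so remember its target

    foreach ($l in $Line) {
        # Thread id: trailing "27692 (0x6C2C)" in CMTrace copies, thread="27692" in raw logs.
        $thread = 'none'
        if ($l -match 'thread="(\d+)"|\s(\d+) \(0x[0-9A-Fa-f]+\)\s*$') {
            $thread = "$($Matches[1])$($Matches[2])"
        }
        # Target name: machine name: "X", remote machine "X", or \\X\admin$.
        if ($l -match '(?:machine name:? "|remote machine "|\\\\)([^"\\]+)') {
            $machineByThread[$thread] = $Matches[1]
        }
        foreach ($fragment in $rules.Keys) {
            if ($l -like "*$fragment*") {
                $code = if ($l -match 'error = (0x[0-9A-Fa-f]+)') { $Matches[1] } else { $null }
                [pscustomobject]@{
                    Machine   = $machineByThread[$thread]
                    ErrorCode = $code
                    Cause     = $rules[$fragment]
                }
                break
            }
        }
    }
}

# Sample input: ccm.log lines quoted in this thread, as copied from CMTrace.
$sample = @'
---> ERROR: Unable to access target machine for request: "2097172275", machine name: "LTSP18BSD5144AB", access denied or invalid network path.      SMS_CLIENT_CONFIG_MANAGER      6/14/2018 8:17:33 AM      36984 (0x9078)
---> Attempting to connect to administrative share '\\NSMRT08215\admin$' using account 'SMRTTIBS\SccmAccess'      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:54 PM      27692 (0x6C2C)
---> Mobile client on the target machine has the same version, and 'forced' flag is not turned on. Not processing this CCR      SMS_CLIENT_CONFIG_MANAGER      19/6/2018 6:27:55 PM      27692 (0x6C2C)
---> Unable to connect to WMI on remote machine "LIOEBSD1854LC", error = 0x800706ba.      SMS_CLIENT_CONFIG_MANAGER      20/6/2018 4:44:31 PM      8224 (0x2020)
'@ -split "`r?`n"

Get-CcmPushResult -Line $sample | Format-Table -AutoSize
# For a whole log: Get-CcmPushResult -Line (Get-Content .\ccm.log) | Group-Object Cause
```

Grouping the output by `Cause` shows whether the missing clients share one problem or several, which decides whether the fix is a firewall GPO, a change to the push account, or DNS cleanup.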
I can't log in through the UNC and resolve the IP address, but I found the DNS hostname and IP address are correct.

Then,

Get-ADComputer -Identity "LIOEBSD1854LC" -Properties *

Found that the lastlogon date is 22/06/2018.

How am I supposed to find the remote user login name with the computer name (hostname)? Then I can try to go down to the PC to check whether the firewall is blocked or not, as the user may manually enable it back again.

Tks.

Lucky
I'm assuming you have no inventory system to say whose computer this is. What I would do is something like this: https://www.windows-commandline.com/current-logged-in-user-name-command/

1. Create a file share somewhere that domain users can write to
2. Create a login script GPO (https://support.microsoft.com/en-us/help/556007) and use the command echo %username% >> \\someserver\someshare
3. Apply GPO to this computer only
4. Wait until the GPO applies and check the file share you created for the username.

Or the cheater way would be to disable the computer account in Active Directory and see who calls the Help Desk, then re-enable it like nothing happened :)