myITforum and Windows IT Pro Forums

 Issues with the BannedGuids feature

*.3di

Issues with the BannedGuids feature Friday, October 07, 2011 5:10 AM (permalink)
We're running SCCM 2007 R2 (4.00.6487.2000), and we're having trouble imaging machines with identical HW GUIDs. The problem originates from the fact that Dell is not always inserting the service tag values inside the BIOS of their computers, and since the GUIDs are derived from these values...
 
We have learned about the BannedGuids key, and how to set it in the server registry with this command: 
 
wdsutil /set-server /bannedguidpolicy /add /GUID:44454C4C-2000-1020-8020-A0C04F202020 
 
We also tried setting it manually, before discovering the above method.

From TechNet...: 
---------------------------------------------------------------------------------------------------------------------------------------
Banned GUIDs

Various system builders and vendors have failed to implement GUIDs correctly per the PXE spec. The most common errors occur when no GUID is set or when several computers have the same GUID. The duplicate GUID problem seems to be more prevalent on x64-based computers. Because it is difficult to change the GUID on a computer, Windows Deployment Services filters known “bad” (not valid) GUIDs. To configure this behavior, you first must identify any duplicate GUIDs and then add the GUIDs to the BannedGuids registry key (see Windows Deployment Services Registry Entries). Then, if a computer with a banned GUID attempts a network boot, the GUID will be stripped from the packet so that the packet will contain only the MAC address of the client.
 
The registry location of the banned GUIDs is as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE

Name: BannedGuids

Type: REG_MULTI_SZ

Value: GUID strings, with one string per line. The correct format is as follows: 1acbf447-3993-e543-a92a-fadb5140f1c8, which should match what you see when you perform a PXE boot on a client.
--------------------------------------------------------------------------------------------------------------------------------------- 

We have verified that the BannedGuids key was written to the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE, and we have restarted the WDS service, but still, the machine with our specific GUID is recognized by its GUID, not by its MAC address, thus when the imaging is done, the machine usually has "stolen" the identity of one of the other machines with identical GUID...

We've checked the smspxe.log, and we can't see any differences after setting the BannedGuids. Should we expect to see any differences there if we get BannedGuids working...? Are there other logs which might tell us if we've actually managed to enable the BannedGuids feature...?

Has anybody actually got BannedGuids to work as intended...? Are we missing something obvious here...? 
 
Thanks for any help!  
<message edited by *.3di on Friday, October 07, 2011 5:53 AM>
 
#1
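
A read-only check of the registry value described in the TechNet excerpt above, added here as an example (not code from the thread or from Microsoft). It lists each BannedGuids entry, flags any that do not follow the documented 8-4-4-4-12 format, and compares each with the client GUID both as written and with the first three fields byte-swapped. The byte-swapped comparison is an assumption about how a GUID may have been copied from a source other than the PXE boot screen; the function names are hypothetical.

```powershell
# Added example: audit the WDS BannedGuids value (reads the registry only).
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE'
$pattern = '^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$'

function ConvertTo-SwappedGuid([string]$Guid) {
    # Reverse the bytes of the first three fields; the last two stay as they are.
    $parts = $Guid.Split('-')
    for ($i = 0; $i -lt 3; $i++) {
        $bytes = @([regex]::Matches($parts[$i], '..') | ForEach-Object { $_.Value })
        [array]::Reverse($bytes)
        $parts[$i] = -join $bytes
    }
    $parts -join '-'
}

function Test-BannedGuid([string]$ClientGuid, [string[]]$BanList) {
    $swapped = ConvertTo-SwappedGuid $ClientGuid
    foreach ($entry in $BanList) {
        # -notmatch and -eq are case-insensitive for strings in PowerShell.
        if ($entry -notmatch $pattern) {
            $status = 'not-in-documented-format'   # braces, spaces, wrong length...
        } elseif ($entry -eq $ClientGuid) {
            $status = 'match'
        } elseif ($entry -eq $swapped) {
            $status = 'match-byte-swapped'         # assumption: copied in the other byte order
        } else {
            $status = 'other'
        }
        New-Object PSObject -Property @{ Entry = $entry; Status = $status }
    }
}

# GUID taken from the wdsutil command in the post above.
$clientGuid = '44454C4C-2000-1020-8020-A0C04F202020'

$props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$banList = @($props.BannedGuids | Where-Object { $_ })

if ($banList.Count -eq 0) {
    Write-Warning "BannedGuids is missing or empty under $key"
} else {
    Test-BannedGuid $clientGuid $banList | Format-Table Entry, Status -AutoSize
}
```

Run it on the WDS server; an entry reported as `match-byte-swapped` or `not-in-documented-format` is not in the form the excerpt says should match the PXE boot screen.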
    skissinger

    Re:Issues with the BannedGuids feature Friday, October 07, 2011 7:50 AM (permalink)
    "Dell is not always inserting the service tag values inside the BIOS of their computers" I always thought that when the service tag is missing, it's because at some point in time in the life of the computer, the motherboard was replaced and the tech doing the replacing didn't run the utility to put the servicetag back.
    mofmaster@myitforum.com
    My Blog
    Microsoft MVP - ConfigMgr
     
    #2
      *.3di

      Re:Issues with the BannedGuids feature Friday, October 07, 2011 8:14 AM (permalink)
      Yes, that's also a scenario, but we've seen it on brand new Dell computers as well. Besides, there are other brands of computers, at least older ones, where the GUIDs are for instance all 'F's or all '0's.

      In order to circumvent these problems, we're trying to get the BannedGuids feature to work. It is an official feature, so we're wondering how to make it function as intended.
       
      #3
        jsandys

        Re:Issues with the BannedGuids feature Friday, October 07, 2011 9:12 AM (permalink)
        I suggest you contact CSS.

        Here's a blog post from CSS on duplicate GUIDs and they don't mention this feature: http://blogs.technet.com/b/configurationmgr/archive/2010/04/12/osd-task-sequence-fails-with-there-are-no-task-sequences-available-for-this-computer-if-multiple-machines-have-the-same-smbios-guid.aspx?wa=wsignin1.0.

        However, if the feature does truly work (which would be great for a lot of folks), then it needs to get some "love" from CSS. Note that I've seen this question (or similar) asked on the public forums and internal Microsoft discussion lists and I've never heard anyone mention the BannedGUIDs registry value. So, if it works, or is supposed to work, getting CSS involved would be great for the community.
        Jason
        Configuration Manager MVP
        My Blog
        Twitter @JasonSandys
         
        #4
          madluka

          Re:Issues with the BannedGuids feature Friday, October 07, 2011 9:55 AM (permalink)
          Oddly enough I have been troubleshooting the very same issue with machines not PXE booting just yesterday, and uncovered the same BannedGUIDs article on TechNet. It seems my customer has a batch (3 found so far) of HP 6200 PCs that share the same UUID.

          Jason, I figure the reason why CSS probably never heard of this is that the BannedGUIDs 'fix' seems only to apply to the WDS service and just getting the machine PXE booted.  Starting an affected machine from USB/CD boot media also fails to return any Task Sequence advertisements.

          When the client looks for available Task Sequence policies it communicates with the MP and performs a client Identity request which seems biased toward the System UUID and not the MAC address. The Netbios name retrieved and displayed in the smsts.log is that of a client system (or a manual machine entry with SMBIOS GUID) already in the ConfigMgr database and policy is returned for that.

          I tried importing the new computer using both its MAC Address and the SMBIOS GUID but this didn't create a new object and just resulted in the existing client record having its Netbios and Name properties overwritten.

          For my customer, it wasn't such a big deal to simply remove the existing client machine with the same UUID from ConfigMgr in order to get the new system built.  The existing client will heartbeat its way back into the ConfigMgr DB.  It was more important for them to have the machine built than it was to retain historic inventory data for the deleted machine.

          Andy
           
          #5
            Stig

            Re:Issues with the BannedGuids feature Tuesday, October 11, 2011 5:54 AM (permalink)
            "When the client looks for available Task Sequence policies it communicates with the MP and performs a client Identity request which seems biased toward the System UUID and not the MAC address. The Netbios name retrieved and displayed in the smsts.log is that of a client system (or a manual machine entry with SMBIOS GUID) already in the ConfigMgr database and policy is returned for that."
             
            That quote may actually be the conclusion of this problem. IF we get the bannedguids feature to work, it would only work at PXE boot level and not inside the WINPE GUI, because the client performs a request against the MP at this time and not WDS.
             
            However, this should be a feature within SCCM, because our client-environment contains a lot of these GUIDS from older computers:
            FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF
            00000000-0000-0000-0000-000000000000
            03000200-0400-0500-0006-000700080009
            11111111-2222-3333-4444-555555555555
             
            To solve this on a hardware level should not be necessary IF the MAC address could be used instead.
            <message edited by Stig on Tuesday, October 11, 2011 6:01 AM>
             
            #6
              jsandys

              Re:Issues with the BannedGuids feature Tuesday, October 11, 2011 10:20 AM (permalink)
              What happens when you get a duplicate MAC then?
              Or if a system has multiple NICs?
              Or you move a NIC from one system to another?

              MACs are not necessarily unique to a single system so I think that's a worse path to follow in the long run. Hardware vendors need to be held accountable for not following the standards. If you get a NIC from a vendor with a duplicate MAC, wouldn't you call the vendor and demand a new one? Absolutely -- I've done it before.

              Here's an interesting blog post: http://myitforum.com/cs2/blogs/idany/archive/2008/10/22/how-to-enable-osd-with-duplicate-uuid-in-configuration-manager.aspx.

              I have not verified these changes and they are of course totally unsupported so use at your own risk (or peril) -- although it is just changing a couple of stored procs which should be easy to change back. Me posting this is in no way an endorsement or suggestion to make these changes; however, I am curious to see if they "resolve" the issue.
              Jason
              Configuration Manager MVP
              My Blog
              Twitter @JasonSandys
               
              #7
                Stig

                Re:Issues with the BannedGuids feature Wednesday, October 12, 2011 9:25 AM (permalink)
                Thank you for that blog post! This may actually resolve the issue. We should do a test of this workaround in our test-environment. Though, I think you misunderstood the bannedguids feature. It only bans the duplicate GUID string you specify at the registry key "bannedguids" (reg_multi_sz key). WDS will then discard the specified GUID string at the PXE boot, and use the MAC address instead. The odds of booting a duplicate GUID and a duplicate MAC at the same time are very small and would likely not happen in our environment of 2000 clients. The issue of moving a NIC around is present, but this has to happen on the clients that have been banned from GUIDS in WDS.
                 
                #8