myITforum.com Community Forum myITforum.com Community Forum

Home  Forums  Blogs  Live Support chat  Search Articles  Wiki  FAQ  Email Lists  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Photo Gallery  Member List  Search  Calendars  FAQ  Ticket List  Log Out

All Forums RSS Feed Subscription:


  


Yet another Client Push help request thread

 
View related threads: (in this forum | in all forums)

Logged in as: Guest
  Printable Version
All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> Yet another Client Push help request thread Page: [1]
Login
Message << Older Topic   Newer Topic >>
Yet another Client Push help request thread - 8/25/2008 11:53:38 AM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		I was trying hard not to post this thread, but we're at a loss.

Here's the situation:
  • Half of our machines installed the client happily (about 350)
  • Half refuse to install the client.
  • If you turn off the firewall on an individual machine, the client installs fine.
  • wbemtest returns 0x800706ba on the computers that fail to install the client.
  • I viewed pfirewall.log on the client and manually made exceptions for the ports that were dropping packets, but it seemed to keep picking another random port in the 3700-4000 range and dropping packets on that port.
  • The client machines can't start the MS DTC Transaction Manager with error code 0x5 (this could be a red herring)
  • Firewall exceptions include:
    • Inbound Remote Administration,
    • Inbound File and Printer Sharing,
    • ICMP,
    • Inbound Remote Desktop,
    • Inbound Port Exceptions: 135, 26675, 3389
    • Inbound Program Exceptions: Sessmgr.exe, Unsecapp.exe

I'll be monitoring this thread and will post answers to any questions ASAP!  Thanks for looking.

Doug Chase
Post #: 1
RE: Yet another Client Push help request thread - 8/25/2008 12:05:41 PM   
hcortez463


Posts: 780
Score: 62
Joined: 4/8/2005
Status: offline 		dont know if this helps.. but it does sound like your on the right track.. Is your policy seetings enabled throught GPO? 
http://technet.microsoft.com/en-us/library/bb632618.aspx

_____________________________

If it Helps, Please rate....

(in reply to dchase)
Post #: 2
RE: Yet another Client Push help request thread - 8/25/2008 12:12:00 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		I've been on the right track for like two months :(

The settings I listed above are all set through GPO. 

Let me also post a ccm.log entry: 
---> Attempting to connect to administrative share '\\DDS-PED-13\admin$' using machine account. SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:48:42 AM 17020 (0x427C)
---> Connected to administrative share on machine DDS-PED-13 SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:48:42 AM 17020 (0x427C)
---> Attempting to make IPC connection to share <\\DDS-PED-13\IPC$> SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:48:42 AM 17020 (0x427C)
---> Searching for SMSClientInstall.* under '\\DDS-PED-13\admin$\' SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:48:42 AM 17020 (0x427C)
CWmi::Connect(): ConnectServer(Namespace) failed. - 0x800706ba SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:49:24 AM 17020 (0x427C)
---> Unable to connect to WMI on remote machine "DDS-PED-13", error = 0x800706ba. SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:49:24 AM 17020 (0x427C)
---> Deleting SMS Client Install Lock File '\\DDS-PED-13\admin$\SMSClientInstall.DDS' SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:49:24 AM 17020 (0x427C)
Retry request id for "PBPYMVIW" set to "DDS-PED-13" SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:49:24 AM 17020 (0x427C)
Stored request "DDS-PED-13", machine name "DDS-PED-13", in queue "Retry". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:49:24 AM 17020 (0x427C)
<======End request: "DDS-PED-13", machine name: "DDS-PED-13". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 10:49:24 AM 17020 (0x427C)



< Message edited by dchase -- 8/25/2008 12:13:20 PM >

(in reply to hcortez463)
Post #: 3
RE: Yet another Client Push help request thread - 8/25/2008 12:54:07 PM   
jnelson993


Posts: 900
Score: 127
Joined: 2/18/2005
From: Minneapolis, MN
Status: offline 		Have you turned on security logging in your windows firewall settings? (control panel applet)  Does it mention explicitly blocking anything?






_____________________________

Number2 (John Nelson)
MyITForum - Blog
MyITForum - Forum Posts

(in reply to dchase)
Post #: 4
RE: Yet another Client Push help request thread - 8/25/2008 12:56:33 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		I viewed pfirewall.log on the client and manually made exceptions for the ports that were dropping packets, but it seemed to keep picking another random port in the 3700-4000 range and dropping packets on that port.

Is that what you mean, or are there other logs I need to look at?

I'll post the relevant log entries in a second.


< Message edited by dchase -- 8/25/2008 12:57:24 PM >

(in reply to jnelson993)
Post #: 5
RE: Yet another Client Push help request thread - 8/25/2008 1:00:53 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		Every time I tried to push manually, I'd get a log entry like this and I'd make a firewall exception for the specified port.  However, it seemed like it would just pick a different port on the next attempt - feels like it's picking a random port in a range maybe.  These entries are from a few separate attempts, after manually opening the specified port.

2008-08-25 09:51:41 DROP TCP 141.213.143.210 141.211.159.118 3797 1295 189 AP 3015688870 142353904 65133 - - - RECEIVE

2008-08-25 10:15:40 DROP TCP 141.213.143.210 141.211.159.118 3895 1295 48 S 340059939 0 65535 - - - RECEIVE

2008-08-25 10:16:01 DROP TCP 141.213.143.210 141.211.159.118 3903 1295 48 S 1080241619 0 65535 - - - RECEIVE

2008-08-25 12:40:53 DROP TCP 141.213.143.210 141.211.159.118 4594 1295 48 S 1136123776 0 65535 - - - RECEIVE

2008-08-25 12:41:11 DROP TCP 141.213.143.210 141.211.159.118 4595 1295 48 S 3719244620 0 65535 - - - RECEIVE

2008-08-25 12:41:14 DROP TCP 141.213.143.210 141.211.159.118 4595 1295 48 S 3719244620 0 65535 - - - RECEIVE


< Message edited by dchase -- 8/25/2008 1:05:49 PM >

(in reply to dchase)
Post #: 6
RE: Yet another Client Push help request thread - 8/25/2008 1:05:13 PM   
jnelson993


Posts: 900
Score: 127
Joined: 2/18/2005
From: Minneapolis, MN
Status: offline 		Ah, I hear ya.  Missed that.

Man, if you have remote administration,  TCP 135 and unsecapp, you should be covered for the 0x800706BA error with WMI..

http://msdn.microsoft.com/en-us/library/aa389286(VS.85).aspx



_____________________________

Number2 (John Nelson)
MyITForum - Blog
MyITForum - Forum Posts

(in reply to dchase)
Post #: 7
RE: Yet another Client Push help request thread - 8/25/2008 1:09:06 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		I know, we've been staring at this off and on for weeks and can't figure out what the heck the issue is.


(in reply to jnelson993)
Post #: 8
RE: Yet another Client Push help request thread - 8/25/2008 1:14:27 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		Well, I just realized I was making exceptions for the SOURCE ports and not the DESTINATION ports.  I made an exception for 1295 and the behavior is different: it seems to have installed the client successfully but I still get a "Cannot connect to WMI" error - albeit a different 0x code.

But... why 1295??? 


Waiting for change in directory "C:\Program Files\Microsoft Configuration Manager\inboxes\ccr.box" for queue "Incoming", (30 minute backup timeout). SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:22 PM 300 (0x012C)
Received request: "RZJUYMGC" for machine name: "DDS-PEDO-13" on queue: "Incoming". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:23 PM 300 (0x012C)
Stored request "RZJUYMGC", machine name "DDS-PEDO-13", in queue "Processing". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:23 PM 300 (0x012C)
----- Started a new CCR processing thread. Thread ID is 0x4c10. There are now 1 processing threads SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 300 (0x012C)
Submitted request successfully SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 300 (0x012C)
Getting a new request from queue "Incoming" after 100 millisecond delay. SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 300 (0x012C)
Waiting for change in directory "C:\Program Files\Microsoft Configuration Manager\inboxes\ccr.box" for queue "Incoming", (30 minute backup timeout). SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 300 (0x012C)
======>Begin Processing request: "RZJUYMGC", machine name: "DDS-PEDO-13" SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Warning: no remote client installation account found SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Attempting to connect to administrative share '\\DDS-PEDO-13\admin$' using machine account. SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Connected to administrative share on machine DDS-PEDO-13 SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Attempting to make IPC connection to share <\\DDS-PEDO-13\IPC$> SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Searching for SMSClientInstall.* under '\\DDS-PEDO-13\admin$\' SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> System OS version string "5.1.2600" converted to 5.10 SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Service Pack version from machine "DDS-PEDO-13" is 2 SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
CWmi::Connect(): ConnectServer(Namespace) failed. - 0x8004100e SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Unable to connect to WMI (r) on remote machine "DDS-PEDO-13", error = 0x8004100e. SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Creating \ VerifyingCopying exsistance of destination directory \\DDS-PEDO-13\admin$\system32\ccmsetup. SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Copying client files to \\DDS-PEDO-13\admin$\system32\ccmsetup. SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Copying file "C:\Program Files\Microsoft Configuration Manager\bin\I386\MobileClient.tcf" to "\\DDS-PEDO-13\admin$\system32\ccmsetup\MobileClient.tcf" SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Copying file "C:\Program Files\Microsoft Configuration Manager\bin\I386\ccmsetup.exe" to "\\DDS-PEDO-13\admin$\system32\ccmsetup\ccmsetup.exe" SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:25 PM 19472 (0x4C10)
---> Created service "ccmsetup" on machine "DDS-PEDO-13". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:26 PM 19472 (0x4C10)
---> Started service "ccmsetup" on machine "DDS-PEDO-13". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:27 PM 19472 (0x4C10)
---> Deleting SMS Client Install Lock File '\\DDS-PEDO-13\admin$\SMSClientInstall.DDS' SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:27 PM 19472 (0x4C10)
---> Completed request "RZJUYMGC", machine name "DDS-PEDO-13". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:27 PM 19472 (0x4C10)
Deleted request "RZJUYMGC", machine name "DDS-PEDO-13" SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:27 PM 19472 (0x4C10)
<======End request: "RZJUYMGC", machine name: "DDS-PEDO-13". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 1:11:27 PM 19472 (0x4C10)


< Message edited by dchase -- 8/25/2008 1:51:36 PM >

(in reply to dchase)
Post #: 9
RE: Yet another Client Push help request thread - 8/25/2008 3:05:13 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		I just tried this same fix on a second machine, and it didn't work.  So 1295 isn't the magic bullet here. 

(in reply to dchase)
Post #: 10
RE: Yet another Client Push help request thread - 8/25/2008 3:09:57 PM   
hcortez463


Posts: 780
Score: 62
Joined: 4/8/2005
Status: offline 		so if you disable the firewall comletely can the client be isntalled and configured?

_____________________________

If it Helps, Please rate....

(in reply to dchase)
Post #: 11
RE: Yet another Client Push help request thread - 8/25/2008 3:37:45 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		Yes, that's right.  The client always installs if the firewall is turned off.

(in reply to hcortez463)
Post #: 12
RE: Yet another Client Push help request thread - 8/25/2008 3:38:15 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		Would gpresults be helpful?



(in reply to dchase)
Post #: 13
RE: Yet another Client Push help request thread - 8/25/2008 3:44:10 PM   
hcortez463


Posts: 780
Score: 62
Joined: 4/8/2005
Status: offline 		see if thsi post helps, looks like your same issue
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3629884&SiteID=17

_____________________________

If it Helps, Please rate....

(in reply to dchase)
Post #: 14
RE: Yet another Client Push help request thread - 8/25/2008 3:46:55 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		That does look familiar and I haven't seen that thread yet.  Thanks!  Reading eagerly now.

(in reply to hcortez463)
Post #: 15
RE: Yet another Client Push help request thread - 8/25/2008 3:54:55 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		Sounds very similar.  The issue that wound up being his problem - the firewall exception scope - is not the issue here, however.  Our exceptions are currently set up to accept from * in order to remove that variable.

Is that thread really suggesting that I open up ports from 1024-65535 on all my client workstations?  That can't be right.  Surely every corporate customer running SCCM doesn't have all those ports open on their clients.


(in reply to dchase)
Post #: 16
RE: Yet another Client Push help request thread - 8/25/2008 4:47:32 PM   
dchase

 

Posts: 14
Score: 0
Joined: 5/13/2008
Status: offline 		OK, trying this on another machine. 



---> Attempting to make IPC connection to share <\\DDS-MCOHR-12\IPC$> SMS_CLIENT_CONFIG_MANAGER 8/25/2008 4:36:55 PM 18984 (0x4A28)
---> Searching for SMSClientInstall.* under '\\DDS-MCOHR-12\admin$\' SMS_CLIENT_CONFIG_MANAGER 8/25/2008 4:36:55 PM 18984 (0x4A28)
CWmi::Connect(): ConnectServer(Namespace) failed. - 0x800706ba SMS_CLIENT_CONFIG_MANAGER 8/25/2008 4:36:56 PM 18984 (0x4A28)
---> Unable to connect to WMI on remote machine "DDS-MCOHR-12", error = 0x800706ba. SMS_CLIENT_CONFIG_MANAGER 8/25/2008 4:36:56 PM 18984 (0x4A28)
---> Deleting SMS Client Install Lock File '\\DDS-MCOHR-12\admin$\SMSClientInstall.DDS' SMS_CLIENT_CONFIG_MANAGER 8/25/2008 4:36:56 PM 18984 (0x4A28)
Retry request id for "VUYYCERU" set to "DDS-MCOHR-12" SMS_CLIENT_CONFIG_MANAGER 8/25/2008 4:36:56 PM 18984 (0x4A28)
Stored request "DDS-MCOHR-12", machine name "DDS-MCOHR-12", in queue "Retry". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 4:36:56 PM 18984 (0x4A28)
<======End request: "DDS-MCOHR-12", machine name: "DDS-MCOHR-12". SMS_CLIENT_CONFIG_MANAGER 8/25/2008 4:36:56 PM 18984 (0x4A28)


After this process, here are the relevant pfirewall.log entries: 

2008-08-25 16:04:17 OPEN-INBOUND TCP 141.213.143.210 141.211.156.47 1654 139 - - - - - - - - -
2008-08-25 16:04:17 OPEN-INBOUND TCP 141.213.143.210 141.211.156.47 1653 445 - - - - - - - - -
2008-08-25 16:04:17 CLOSE TCP 141.211.156.47 141.213.143.210 445 1653 - - - - - - - - -
2008-08-25 16:04:17 OPEN-INBOUND TCP 141.213.143.210 141.211.156.47 1656 135 - - - - - - - - -
2008-08-25 16:04:17 OPEN-INBOUND TCP 141.213.143.210 141.211.156.47 1657 135 - - - - - - - - -
2008-08-25 16:04:17 OPEN-INBOUND TCP 141.213.143.210 141.211.156.47 1659 135 - - - - - - - - -
2008-08-25 16:04:26 CLOSE TCP 141.211.156.47 141.213.143.210 139 1654 - - - - - - - - -
2008-08-25 16:05:47 CLOSE TCP 141.211.156.47 141.213.143.210 135 1656 - - - - - - - - -
2008-08-25 16:05:47 CLOSE TCP 141.211.156.47 141.213.143.210 135 1657 - - - - - - - - -
2008-08-25 16:06:17 CLOSE TCP 141.211.156.47 141.213.143.210 135 1659 - - - - - - - - -


As you can see, no dropped packets here, although the FW is set up to log drops.  This is very odd!

Edit to say: Even though there are no dropped packets in this pfirewall.log, turning off the firewall still allowed the client to install.

I'm about to try Wireshark captures on a machine to see if that helps at all.  Aaaagh.



< Message edited by dchase -- 8/25/2008 5:19:45 PM >

(in reply to dchase)
Post #: 17
Page:   [1]
All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> Yet another Client Push help request thread Page: [1]
Jump to:





New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts



  
Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI

0.297