Configuration Loader Health Monitor (Mobile Device Manager Log)

Configuration Loader (Aspect)

The configuration loader provides access to configuration from the administration services database. The services drivers and Web services use this loader to access their configuration. This aspect contains the Configuration Loader objects that you can monitor in the Device Management Administration Service. These health monitors include the following detectors.

Green Health State

• Event ID 6001: ADMIN_SERVICES_CONFIG_UPDATED - The configuration loader for the X component has successfully updated the component's configuration.

Yellow Health State

• Event ID 6104: ADMIN_SERVICES_DATABASE_RETRY - The X component has failed to connect to the admin services database. The component will retry the connection.

Red Health State

• Event ID 6201: ADMIN_SERVICES_CONFIG_DB_FAILURE - The configuration loader for the X component was unable to access the database. Configuration items for this component may be out of date.

New Diagnoser (Diagnoser)

This condition occurs if MDM Device Management Server cannot communicate with the database server. This issue may occur if any of the following conditions are true:

• There is a network connectivity issue between MDM Device Management Server and the database server.
• The Device Management Server does not have the proper permissions on the database, or is not in the appropriate group.
• The database is offline or malfunctioning.
• The database and sqlinstance keywords in the SCMDM 2008 Dependencies SCP are incorrect.
• There is a loopback security unauthorized exception.

A network connectivity issue is the most likely cause of this condition. To diagnose the database connection failure events, check the following:

Is the server connected to the corporate network or Intranet appropriately? Is there network connectivity between MDM Device Management Server and the database server?

To check network connectivity, ping the database server from MDM Device Management Server.

1. Select Start, select Run, type cmd, and then select OK.
2. At the command prompt, type ping IP_address, where IP_address is the IP address of the database server, and then press ENTER.

   If the ping is successful, you will receive a reply similar to the following:

   Reply from IP_address: bytes=32 time=3ms TTL=59

   Reply from IP_address: bytes=32 time=20ms TTL=59

   Reply from IP_address: bytes=32 time=3ms TTL=59

   Reply from IP_address: bytes=32 time=6ms TTL=59

   If you cannot successfully ping by IP address, the server might be offline, or there might be a network connectivity or firewall configuration issue.

Is SQL Server configured to accept connections?

Verify that the SQL Server Surface Area Configuration is set to allow TCP/IP connections if running on a separate computer from MDM Device Management Server, or Named Pipe connections if running on the same server.

Is the database server service connection point (SCP) set correctly in Active Directory?

You can verify the database server URI by using the SCPUtil.exe file in the System Center Mobile Device Manager 2008 Resource Kit at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=116260.

1. From the command console, run SCPUtil.exe.
2. Verify that the DB Values are correct. If they are not correct, see the "Setting the database server uri" resolver.

Is the Device Management Server in the SCMDM 2008 Device Management Servers Active Directory security group?

1. In Active Directory Users and Computers, on the View tab, select Advanced Features.

2. Open the SCMDM2008 Infrastructure Groups organizational unit (OU).

3. Right-click SCMDM2008DeviceManagementServers group, and then select Properties.

4. Verify that Device Management Server is listed on the Members tab.

Check database connectivity (Resolution)

Identify and resolve HTTPS communication issues if there are problems with the MDM Device Management Server and/or database server networking. Problems with HTTPS communications can affect proper MDM operations. Verify that you can access other security-enhanced sites, and that the server is connected to Active Directory.

Ping the server to determine if there is an issue with network connectivity, firewall configuration, or DNS host name resolution:

1. From the local computer, ping the IP address of the target computer. For example, if the problem is that MDM Device Management Server cannot communicate with MDM Enrollment Server, then from MDM Device Management Server, ping the IP address of the database server.
2. To use the Ping tool, select Start, select Run, type cmd, and then select OK.
3. At the command prompt, type ping IP_address, and then press ENTER. For example, type ping 192.168.1.5

   If the ping is successful, you will receive a reply similar to the following:

   Reply from IP_address: bytes=32 time=3ms TTL=59

   Reply from IP_address: bytes=32 time=20ms TTL=59

   Reply from IP_address: bytes=32 time=3ms TTL=59

   Reply from IP_address: bytes=32 time=6ms TTL=59

4. If the ping is successful, ping the fully qualified domain name (FQDN) of the target computer. To do this, type ping target_computer_FQDN, and then press ENTER. For example, type ping server1.contoso.com

   If you cannot ping the terminal server by IP address, this indicates a network connectivity or firewall configuration issue. To identify and resolve the issue, follow the steps in the "Troubleshooting Steps for Network Connectivity Issues" section later in this topic.

   If you can ping the target computer by IP address but not by FQDN, this indicates an issue with DNS host name resolution. To identify and resolve this issue, perform the steps in the "Troubleshooting Steps for DNS Server Accessibility" section and, if needed, the "Troubleshooting Steps for Firewall Configuration Issues" section later in this topic.

Troubleshooting Steps for Network Connectivity Issues

1. Ping other computers in the network to help isolate the network connectivity issue.
2. If you can ping other servers but not the target computer, try to ping the target computer from another computer. If you cannot ping the target computer from any computer, check the network settings on the target computer.
3. Check the TCP/IP settings on the local computer:
   • Select Start, select Run, type cmd, and then select OK.
   • At the command prompt, type ipconfig /all, and then press ENTER.
   • Make sure that the information listed is correct.
   • Verify that you can ping the local IP address, the default gateway, and the DNS servers.
   • Ping the loopback address of 127.0.0.1 to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
   • Test whether you can ping the local IP address. If you can ping the loopback address but cannot ping the local IP address, there may be an issue with the routing table or with the network adapter driver.
   • If the target computer is in a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this indicates a potential problem with the network adapter, the router or gateway device, cabling or other connectivity hardware.
4. Check the Event Viewer for any error messages.
5. In Device Manager, check the status of the network adapter.
6. Check network connectivity indicator lights at the server, hub, and/or router.
7. Check network cabling.
8. Check firewall settings. Determine whether Internet Control Message Protocol (ICMP) traffic (ping) is allowed.
9. Verify whether Internet Protocol security (IPsec) policy filters are defined to block or secure ICMP traffic.

Troubleshooting Steps for DNS Server Accessibility

To determine if the DNS servers are configured and accessible, do the following:

1. Select Start, select Run, type cmd, and then select OK.
2. At the command prompt, type ipconfig /all, and then press ENTER.
3. In the results, make sure that DNS servers are listed, and that the IP addresses of the DNS servers are correct.
4. Ping the listed DNS servers to determine whether they are accessible.
5. If you cannot ping the DNS server, make sure that the DNS server is running. You can also test connectivity from other hosts in your network to help isolate the issue.

Also, if the DHCP Client service is stopped on the terminal server, then name resolution will not function correctly. For more information about identifying and resolving DNS issues, please visit http://go.microsoft.com/fwlink/?LinkId=115516.

Troubleshooting Steps for Firewall Configuration Issues

For problems with communication on the database server, ensure that there is no firewall between servers that blocks necessary ports. Microsoft SQL Server uses port 1433 (by default). To enhance security, you can control which ports are being used so that your firewall router can be configured to forward traffic only to these Transmission Control Protocol (TCP) ports. For more information, see the Firewall Settings topic in the SCMDM 2008 Planning Guide at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=117776.

You can use commands such as Telnet and Netstat to assist in verifying that the appropriate ports enable communication. You should also verify that your firewall configuration is not blocking ICMP replies, which would result in false positive responses. For information about Telnet, please visit http://go.microsoft.com/fwlink/?LinkID=48891. For information about Netstat, please visit http://go.microsoft.com/fwlink/?LinkID=48892.

Configure SQL Server for MDM (Resolution)

In MDM, Microsoft SQL Server 2005 Standard Edition with Service Pack 2 is the supported and tested database management implementation. SQL Server Express Edition and Microsoft SQL Server 2008 are not supported for MDM. For more information about how to deploy SQL Server, see the SQL Server 2005 Readme and supporting documentation at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=105613.

Hardware Requirements for all MDM Servers

The following requirements apply to all MDM servers: MDM Enrollment Server, MDM Device Management Server, and MDM Gateway Server.

Hardware	Requirement
Processor	x64-bit architecture-based server with Intel processor that supports Intel 64 architecture (formerly known as Intel EM64T) AMD processor that supports the AMD64 platform Recommended: Dual processors at 2700 megahertz (MHz) or faster
Memory	4 gigabytes (GB) of RAM. You may have to increase this amount for servers that are running SQL Server. Refer to SQL Server documentation for more information.
Disk Space	100 gigabytes (GB) of free hard disk space for installation and data storage
Network	One network adapter for each server that is running SQL Server, MDM Enrollment Server, and MDM Device Management Server. Must be 100 Mb/s or faster. Two network adapters for each MDM Gateway Server. Must be 100 Mb/s or faster.

You must set the domain in which you install MDM to Windows Server 2003 functional level. MDM does not support Windows 2000 mixed domain functional level or Windows Server 2008 domain functional level.

Requirements for Managed Devices

Windows Mobile powered devices that you manage by using MDM must be running Windows Mobile 6.1. For more information about support for Windows Mobile devices in MDM, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=107520.

Software Requirements for MDM Servers

Each server role in MDM has specific software prerequisites for the installation. Make sure that you update all Windows Server® 2003 operating systems to include the most recent service packs, and that you configure the Windows-based operating system correctly before you start deployment.

To view administrator options to update Windows-based operating system servers to include the most recent updates, see the Microsoft Web page: http://go.microsoft.com/fwlink/?LinkId=106611. For more information about Microsoft security, see the Microsoft Security Web page: http://go.microsoft.com/fwlink/?LinkId=62649.

The MDM infrastructure described in this section assumes that all servers are using a clean installation of the Windows-based operating systems, applications, and services listed. All software versions listed show the minimum version required.

The MDM Best Practices Analyzer Tool helps you analyze a group of servers to determine if prerequisites for deploying MDM are met. The tool also lets you analyze servers post-deployment to verify settings such as port settings. To download MDM Best Practices Analyzer Tool, see the MDM Resource Kit Tools page at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=108953.

Role	Operating system	Applications and services
SQL database server	Windows Server 2003 with Service Pack 2 (SP2)	Member of the Active Directory® domain Microsoft SQL Server® 2005 Standard Edition SP2 or a later version Full product version of SQL Server must be installed; Express Edition is not supported Microsoft SQL Server 2008 is not supported Do not install SQL Server on a server that is running MDM Install the English or local language version of SQL Server
MDM Device Management Server	Windows Server 2003 Standard x64 Edition with SP2	Member of the Active Directory domain Internet Information Services (IIS) 6.0 and World Wide Web Publishing Service .NET Framework 2.0 Windows Software Update Server (WSUS) 3.0 SP1 Microsoft Report Viewer Redistributable 2005 (optional)
MDM Enrollment Server	Windows Server 2003 Standard x64 Edition with SP2	Member of the Active Directory domain Internet Information Services (IIS) 6.0 and World Wide Web Publishing Service .NET Framework 2.0
MDM Gateway Server	Windows Server 2003 Standard x64 Edition with SP2	Stand-alone server Internet Information Services (IIS) 6.0 and World Wide Web Publishing Service .NET Framework 2.0

Set the database SCP (Resolution)

To set the database server URI and instance name, perform the following operations using SCPUtil.exe distributed with the MDM 2008 Resource Kit Tools . To download this utility, see the MDM Resource Kit Tools page at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=108953.

1. Open a Command Console window (Start > Run > cmd.exe).
2. Run the command "SCPUtil.exe" to see the currently configured Active Directory Service Connection Points.
3. Run the command "SCPUtil.exe /config /dbserver:<servername> /sqlinstance:<sql instance name>".

An alternative method for setting the database server URI and instance name is to check the SCMDM2008Dependencies object under the System/SCMDM2008 object (for example, CN=SCMDM2008Dependencies,CN=SCMDM2008,CN=System,DC=contoso,DC=com).

Examine the keywords property to determine the current settings for the database URI and instance.

Add Computer Account to SCMDM 2008 AD Groups (Resolution)

Add Computer Account to SCMDM 2008 Active Directory Groups

SCMDM 2008 AD Groups are used to grant permissions to servers and services to perform MDM operations. If a computer account was removed from an SCMDM 2008 AD Group, you may see permissions errors. To resolve this issue, follow these steps:

<UnitMonitor ID="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.AdminServiceCore.ConfigurationLoader.MobileDeviceManager.NewDiagnoser.EventBased.UnitMonitor" Accessibility="Public" Enabled="onEssentialMonitoring" Target="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.AdminServiceCore.ClassType" ParentMonitorID="SystemHealth!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.3SingleEventLog3StateUnitMonitorType" ConfirmDelivery="true">

  <Category>StateCollection</Category>

  <AlertSettings AlertMessage="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.AdminServiceCore.ConfigurationLoader.MobileDeviceManager.NewDiagnoser.EventBased.UnitMonitor.AlertMessage">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>MatchMonitorHealth</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="FirstEventRaised" HealthState="Success"/>

    <OperationalState ID="Warning" MonitorTypeStateID="SecondEventRaised" HealthState="Warning"/>

    <OperationalState ID="Error" MonitorTypeStateID="ThirdEventRaised" HealthState="Error"/>

  </OperationalStates>

  <Configuration>

    <FirstComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>

    <FirstLogName>Mobile Device Manager</FirstLogName>

    <FirstExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>Device Manager</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>6001</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </FirstExpression>

    <SecondComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>

    <SecondLogName>Mobile Device Manager</SecondLogName>

    <SecondExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>Device Manager</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>6104</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </SecondExpression>

    <ThirdComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ThirdComputerName>

    <ThirdLogName>Mobile Device Manager</ThirdLogName>

    <ThirdExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>Device Manager</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>6201</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </ThirdExpression>

  </Configuration>

</UnitMonitor>