Enrollment Connection Health Monitor (Mobile Device Manager Log)

Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.EnrollmentConnection.MobileDeviceManager.EnrollmentConnection.EventBased.UnitMonitor (UnitMonitor)

Knowledge Base article:

Enrollment Connection (Aspect)

This aspect contains the enrollment connection objects that you can monitor in the MDM Wipe Service Driver. These health monitors include the following detectors.

Green Health State

Red Health State

Enrollment Connection (Diagnoser)

This condition occurs if the Device Management Server cannot communicate with the Enrollment Server. This issue may occur if any of the following conditions are true:

A network connectivity issue is the most likely cause of this condition. To diagnose enrollment connection failure events, perform the following checks:

Is the server connected to the corporate network or Intranet appropriately? Is there network connectivity between the Enrollment Server and Device Management Server?

Ping the Enrollment Server from the Device Management Server to check network connectivity:

  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type ping IP_address, where IP_address is the IP address of the Enrollment Server, and then press ENTER.

    If the ping was successful, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=20ms TTL=59

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=6ms TTL=59

    If you cannot successfully ping by IP address, the server might be down, or there might be a network connectivity or firewall configuration issue.

Are the Enrollment Server and appropriate services operating properly?

To ensure that the Enrollment services are running properly, follow these steps:

  1. Click Start, point to All Programs, point to Administrative Tools, and then select Services.
  2. In the Services console, scroll down and make sure that the SCMDM Enrollment services are started and running properly.

Is the Device Management Server in the proper security group in AD?

  1. In Active Directory Users and Computers, on the View tab, choose Advanced Features.

  2. Open the SCMDM2008 Infrastructure Groups organizational unit (OU).

  3. Right-click the SCMDM2008DeviceManagementServers group, and then select Properties.

  4. Verify that the Device Management Server is listed on the Members tab.

If the server contains a trusted installation of the SCMDM 2008 Device Management Server and is not a member of the appropriate security group above, the server should be added as a member. See the Add Computer Account to SCMDM 2008 AD Groups resolver to resolve this issue.

Is the Enrollment Server on the same computer as the Device Management Server?

In scaled-out topologies with load-balanced MDM Device Management Server arrays, a managed device may receive the following error message when it tries to connect:

HTTP 401.1 - Unauthorized: Logon Failed.

This issue occurs if you install Windows® XP with Service Pack 2 (SP2) or Windows Server 2003 with Service Pack 1 (SP1). These Windows-based operating systems include a loopback-check security feature that helps prevent reflection attacks on your computer.

This issue occurs when the Web site uses Integrated Authentication and has a name that maps to the local loopback address. In a Network Load Balancing (NLB) array, a server accesses the Web services on itself through NLB. This issue can also occur if the fully qualified domain name (FQDN) or custom host header does not match the local computer name.

Diagnosis: HTTP 401 Unauthorized Logon Failed using Loopback connector.

Diagnosis                                                     Resolver to use
The Device Management Machine cannot connect to network.      Fix network connectivity issues
HTTP 401 Unauthorized Logon Failed using Loopback connector.  HTTP 401 Unauthorized Logon Failed using Loopback connector
Server is not in proper security groups.                      Add Computer Account to SCMDM 2008 AD Groups

HTTP 401 Unauthorized Logon Failed using Loopback connector (Resolution)

This issue occurs if you install Windows® XP with Service Pack 2 (SP2) or Windows Server 2003 with Service Pack 1 (SP1). These Windows-based operating systems include a loopback-check security feature that helps prevent reflection attacks on your computer.

To resolve this issue, follow these steps to disable the loopback check on any computers that are running MDM Device Management Server:

  1. On the Start menu, choose Run, type regedit, and then choose OK.
  2. In Registry Editor, find and select the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then select DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck and then select Modify.
  6. In the Value box, type 1, and then choose OK.

Check network connectivity (Resolution)

Identify and resolve HTTPS communication issues if there are issues with MDM Device Management Server and MDM Enrollment Server network connectivity.

Issues with HTTPS communications affect normal MDM operations. Verify that you can access other secure sites, and that the server is connected to Active Directory.

Ping the server to determine if there is a network connectivity, firewall configuration, or DNS host name resolution issue:

  1. From the local computer, ping the IP address of the target computer. For example, if the problem is that MDM Device Management Server cannot communicate with MDM Enrollment Server, then from MDM Device Management Server, ping the IP address of MDM Enrollment Server.
  2. To use the Ping tool, select Start, select Run, type cmd, and then select OK.
  3. At the command prompt, type ping IP_address, and then press ENTER. For example, type ping 192.168.1.5.

    If the ping is successful, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=20ms TTL=59

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=6ms TTL=59

  4. If the ping is successful, ping the fully qualified domain name (FQDN) of the target computer. To do this, type ping target_computer_FQDN, and then press ENTER. For example, type ping server1.contoso.com.

    If you cannot ping the target computer by IP address, this indicates a network connectivity issue or firewall configuration issue. To identify and resolve the issue, follow the steps in "Troubleshooting Steps for Network Connectivity Issues" later in this topic.

    If you can ping the target computer by IP address but not by FQDN, this indicates an issue with DNS host name resolution. To identify and resolve this issue, perform the steps in "Troubleshooting Steps for DNS Accessibility" and, if needed, "Troubleshooting Steps for Firewall Configuration Issues" later in this topic.

Troubleshooting Steps for Network Connectivity Issues

  1. Ping other computers in the network to help isolate the network connectivity issue.
  2. If you can ping other servers but not the target computer, try to ping the target computer from another computer. If you cannot ping the target computer from any computer, check the network settings on the target computer.
  3. Check the TCP/IP settings on the local computer:
    • Select Start, select Run, type cmd, and then select OK.
    • At the command prompt, type ipconfig /all, and then press ENTER.
    • Make sure that the information listed is correct.
    • Verify that you can ping the local IP address, the default gateway, and the DNS servers.
    • Ping the loopback address of 127.0.0.1 to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
    • Test whether you can ping the local IP address. If you can ping the loopback address but cannot ping the local IP address, there may be an issue with the routing table or with the network adapter driver.
    • If the target computer is in a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this indicates a potential problem with the network adapter, the router or gateway device, cabling or other connectivity hardware.
  4. Check the Event Viewer for any error messages.
  5. In Device Manager, check the status of the network adapter.
  6. Check network connectivity indicator lights at the server, hub, and router.
  7. Check network cabling.
  8. Check firewall settings. Determine whether Internet Control Message Protocol (ICMP) traffic (ping) is allowed.
  9. Check whether Internet Protocol security (IPsec) policy filters are defined that block or secure ICMP traffic, because such filters also make ping fail.

Troubleshooting Steps for DNS Accessibility

To determine if DNS servers are configured and accessible, follow these steps:

  1. Select Start, select Run, type cmd, and then select OK.
  2. At the command prompt, type ipconfig /all, and then press ENTER.
  3. In the results, make sure that DNS servers are listed, and that the IP addresses of the DNS servers are correct.
  4. Ping the listed DNS servers to determine if they are accessible.
  5. If you cannot ping the DNS server, make sure that the DNS server is running. You can also test connectivity from other hosts in your network to help isolate the issue.

Also, if the DHCP Client service is stopped on the server, then name resolution will not function correctly. For more information about identifying and resolving DNS issues, please visit http://go.microsoft.com/fwlink/?LinkId=115516.

Troubleshooting Steps for Firewall Configuration Issues

For issues with communication between the Device Management Server and the Enrollment Server, if the Device Management Server and the Enrollment Server are installed on separate computers, ensure that there is no firewall between servers that blocks necessary ports. Enrollment Server administration uses HTTPS over port 8445 (by default) and Device Management Server administration uses HTTPS over port 8446 (by default). To enhance security, you can control which ports are being used so that your firewall router can be configured to forward traffic only to these Transmission Control Protocol (TCP) ports. For more information, see the Firewall Settings topic in the SCMDM 2008 Planning Guide at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=117776.

You can use commands such as Telnet and Netstat to assist in verifying that the appropriate ports enable communication. You should also verify that your firewall configuration is not blocking ICMP replies, because a dropped ping reply makes a reachable server look unreachable and points you at a connectivity problem that does not exist. For information about Telnet, please visit http://go.microsoft.com/fwlink/?LinkID=48891. For information about Netstat, please visit http://go.microsoft.com/fwlink/?LinkID=48892.
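The port check described above, as an added example that is not part of the MDM documentation: a TCP connect to the default administration ports (8445 for the Enrollment Server, 8446 for the Device Management Server) completes independently of ICMP, so it still gives a true answer when a firewall drops ping replies. The port numbers come from the text; the role names and the local_listener helper (used only to exercise the check offline) are this example's own.

```python
import socket

# Default administration ports named in the Firewall Configuration section above.
DEFAULT_PORTS = {"Enrollment Server": 8445, "Device Management Server": 8446}


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout seconds.

    A refused or timed-out connection both return False; the caller decides whether
    that means a stopped service or a firewall in the path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_mdm_ports(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Map each role name to whether its port accepted a connection on host."""
    return {role: tcp_port_open(host, port, timeout) for role, port in ports.items()}


def local_listener():
    """Open a listening socket on a free loopback port so the check can be tried offline.

    Returns (server_socket, port); close the socket to turn the port into a closed one.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Replace 127.0.0.1 with the FQDN or IP address of the server you are diagnosing.
    for role, reachable in check_mdm_ports("127.0.0.1").items():
        print(f"{role}: {'open' if reachable else 'closed or filtered'}")
```

A closed port answers immediately with a reset, while a filtered port only fails after the timeout; the difference in response time is itself a hint about whether a firewall is involved.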

Add Computer Account to SCMDM 2008 AD Groups (Resolution)

Add Computer Account to SCMDM 2008 Active Directory Groups

SCMDM 2008 AD Groups are used to grant permissions to servers and services to perform MDM operations. If a computer account was removed from an SCMDM 2008 AD Group, you may see permissions errors. To resolve this issue, follow these steps:

  1. In Active Directory Users and Computers, on the View tab, select Advanced Features.

  2. Open the SCMDM2008 Infrastructure Groups organizational unit (OU).

  3. Right-click the SCMDM2008DeviceManagementServers group, and then select Properties.

  4. On the Members tab, select Add.

  5. Select Account Types.

  6. Select Computer Accounts, and then click OK.

  7. Type the name of the computer account that you want to add to the SCMDM2008DeviceManagementServers group. You should add a computer only if there is a trusted SCMDM2008 Device Management server on this computer. Do not add a computer to a group before running SCMDM 2008 Setup.

  8. Click OK to close the dialog box.

  9. Click OK again to close the dialog box.

You can repeat the above steps for other server groups (such as SCMDM EnrollmentServers) as necessary.

Element properties:

Target: Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.ClassType
Parent Monitor: System.Health.AvailabilityState
Category: StateCollection
Enabled: True
Alert Generate: True
Alert Severity: MatchMonitorHealth
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.Windows.2SingleEventLog2StateMonitorType
Remotable: True
Accessibility: Public
Alert Message: Enrollment Connection Alert
  {0}
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.EnrollmentConnection.MobileDeviceManager.EnrollmentConnection.EventBased.UnitMonitor" Accessibility="Public" Enabled="onEssentialMonitoring" Target="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.ClassType" ParentMonitorID="SystemHealth!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">
  <Category>StateCollection</Category>
  <AlertSettings AlertMessage="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.EnrollmentConnection.MobileDeviceManager.EnrollmentConnection.EventBased.UnitMonitor.AlertMessage">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="Success" MonitorTypeStateID="FirstEventRaised" HealthState="Success"/>
    <OperationalState ID="Negative" MonitorTypeStateID="SecondEventRaised" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <FirstComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
    <FirstLogName>Mobile Device Manager</FirstLogName>
    <FirstExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>Device Manager</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>1004</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </FirstExpression>
    <SecondComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
    <SecondLogName>Mobile Device Manager</SecondLogName>
    <SecondExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>Device Manager</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>1003</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </SecondExpression>
  </Configuration>
</UnitMonitor>
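How this two-state monitor turns event-log entries into a health state, as an added example that is not part of the management pack: the two expression trees are copied from the source above (event 1004 from publisher "Device Manager" raises FirstEventRaised/Success, event 1003 raises SecondEventRaised/Error, and anything else leaves the state untouched), the event records are constructed, and the evaluate/run_monitor functions are this example's own rather than the Operations Manager engine.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the monitor's <FirstExpression> and <SecondExpression> trees.
# Only the operators the monitor actually uses (And, Equal) are implemented.
MONITOR_CONFIG = """<Configuration>
<FirstExpression><And>
<Expression><SimpleExpression><ValueExpression><XPathQuery>PublisherName</XPathQuery></ValueExpression><Operator>Equal</Operator><ValueExpression><Value>Device Manager</Value></ValueExpression></SimpleExpression></Expression>
<Expression><SimpleExpression><ValueExpression><XPathQuery>EventDisplayNumber</XPathQuery></ValueExpression><Operator>Equal</Operator><ValueExpression><Value>1004</Value></ValueExpression></SimpleExpression></Expression>
</And></FirstExpression>
<SecondExpression><And>
<Expression><SimpleExpression><ValueExpression><XPathQuery>PublisherName</XPathQuery></ValueExpression><Operator>Equal</Operator><ValueExpression><Value>Device Manager</Value></ValueExpression></SimpleExpression></Expression>
<Expression><SimpleExpression><ValueExpression><XPathQuery>EventDisplayNumber</XPathQuery></ValueExpression><Operator>Equal</Operator><ValueExpression><Value>1003</Value></ValueExpression></SimpleExpression></Expression>
</And></SecondExpression>
</Configuration>"""

# Constructed event records keyed by the XPathQuery names the expressions use.
SAMPLE_EVENTS = [
    {"PublisherName": "Device Manager", "EventDisplayNumber": 1003,
     "EventDescription": "Cannot communicate with the Enrollment Server (constructed)."},
    {"PublisherName": "Device Manager", "EventDisplayNumber": 1004,
     "EventDescription": "Enrollment Server connection restored (constructed)."},
]


def evaluate(expr, event):
    """Evaluate an <And>/<Expression>/<SimpleExpression> tree against one event dict."""
    if expr.tag == "And":
        return all(evaluate(child, event) for child in expr.findall("Expression"))
    if expr.tag == "Expression":
        return evaluate(expr[0], event)
    if expr.tag == "SimpleExpression":
        left, right = expr.findall("ValueExpression")
        actual = str(event.get(left.findtext("XPathQuery"), ""))
        if expr.findtext("Operator") == "Equal":
            return actual == right.findtext("Value")
    raise ValueError("element or operator not used by this monitor: " + expr.tag)


def run_monitor(events, initial_state="Success"):
    """Replay events in order and return (health state, open alert text or None)."""
    cfg = ET.fromstring(MONITOR_CONFIG)
    healthy = cfg.find("FirstExpression/And")    # FirstEventRaised  -> Success
    error = cfg.find("SecondExpression/And")     # SecondEventRaised -> Error
    state, alert = initial_state, None
    for ev in events:
        if evaluate(error, ev):
            # AlertParameter1 is $Data/Context/EventDescription$, shown as {0} in the alert.
            state, alert = "Error", "Enrollment Connection Alert: " + str(ev.get("EventDescription", ""))
        elif evaluate(healthy, ev):
            state, alert = "Success", None    # AutoResolve closes the alert on recovery
        # Any other event (other publisher or event id) leaves the state unchanged.
    return state, alert
```

Because both expressions also require PublisherName to equal "Device Manager", a 1003 or 1004 event written by any other source in the Mobile Device Manager log is ignored rather than flipping the state.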