This aspect contains the enrollment connection objects that you can monitor in the MDM Wipe Service Driver. These health monitors include the following detectors.
This condition occurs if the Device Management Server cannot communicate with the Enrollment Server. This issue may occur if any of the following conditions are true:
A network connectivity issue is the most likely cause of this condition. To diagnose enrollment connection failure events, perform the following checks:
Is the server connected to the corporate network or Intranet appropriately? Is there network connectivity between the Enrollment Server and Device Management Server?
Ping the Enrollment Server from the Device Management Server to check network connectivity:
If the ping was successful, you will receive a reply similar to the following:
Reply from IP_address: bytes=32 time=3ms TTL=59
Reply from IP_address: bytes=32 time=20ms TTL=59
Reply from IP_address: bytes=32 time=3ms TTL=59
Reply from IP_address: bytes=32 time=6ms TTL=59
If you cannot successfully ping by IP address, the server might be down, or there might be a network connectivity or firewall configuration issue. Note that a firewall that drops ICMP echo requests also makes ping fail even when the server's HTTPS ports are reachable, so confirm with a TCP connection test to the MDM ports before concluding that the network path is down.
Are the Enrollment Server and appropriate services operating properly?
To ensure that the Enrollment services are running properly, follow these steps:
Is the Device Management Server in the proper security group in AD?
In Active Directory Users and Computers, on the View menu, choose Advanced Features.
Open the SCMDM2008 Infrastructure Groups organizational unit (OU).
Right-click the SCMDM2008DeviceManagementServers group, and then select Properties.
Verify that the Device Management Server is listed on the Members tab.
If the server has a trusted installation of the SCMDM 2008 Device Management Server and is not a member of this security group, add it as a member; see the Add Computer Account to SCMDM 2008 AD Groups resolver later in this topic. Do not add a computer that has not completed SCMDM 2008 Setup, because membership grants that computer account the rights to perform MDM operations.
Is the Enrollment Server on the same computer as the Device Management Server?
In scaled-out topologies with load-balanced MDM Device Management Server arrays, a managed device may receive the following error message when it tries to connect:
HTTP 401.1 - Unauthorized: Logon Failed.
This issue occurs on Windows® XP with Service Pack 2 (SP2), Windows Server 2003 with Service Pack 1 (SP1), and later versions of Windows. These operating systems include a loopback-check security feature that helps prevent reflection attacks, in which a computer's own credentials are replayed back to it.
This issue occurs when the Web site uses Integrated Authentication and has a name that maps to the local loopback address. In a Network Load Balancing (NLB) array, a server accesses the Web services on itself through NLB. This issue can also occur if the fully qualified domain name (FQDN) or custom host header does not match the local computer name.
Diagnosis: HTTP 401 Unauthorized Logon Failed using Loopback connector.
Diagnosis | Resolver to use
The Device Management Machine cannot connect to network. | Fix network connectivity issues
HTTP 401 Unauthorized Logon Failed using Loopback connector. | HTTP 401 Unauthorized Logon Failed using Loopback connector
Server is not in proper security groups. | Add Computer Account to SCMDM 2008 AD Groups
HTTP 401 Unauthorized Logon Failed using Loopback connector
The loopback check is a security feature of Windows XP SP2, Windows Server 2003 SP1, and later versions of Windows that rejects Integrated Authentication to a Web site whose name maps to the local computer, to prevent reflection attacks. In an NLB array each Device Management Server reaches the Web services on itself through the load-balanced name, so the check blocks that connection and IIS returns HTTP 401.1.
To resolve this issue, follow these steps to disable the loopback check on any computers that are running MDM Device Management Server:
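As an added example (not part of this knowledge article or of SCMDM 2008 itself), the following PowerShell shows the two registry settings that control the loopback check, at the locations documented in Microsoft KB 896861. The preferred change exempts only the NLB names a Device Management Server uses to reach itself (BackConnectionHostNames) and keeps the reflection-attack protection on for every other name; DisableLoopbackCheck, which is what "disable the loopback check" literally means, turns the protection off entirely. The host names are constructed placeholders; run the script elevated on each MDM Device Management Server.

```powershell
# Added example, not from the SCMDM 2008 management pack or its knowledge article.
# Registry locations are the ones documented for the Windows loopback check (KB 896861).
# Run elevated on each MDM Device Management Server. Host names below are constructed.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = Join-Path $lsaKey 'MSV1_0'

# Names the NLB array uses to reach its own web services (constructed examples).
$loopbackHosts = @('mdm-dms.contoso.com', 'mdm-dms')

function Show-LoopbackCheckState {
    # Report whether the global check is disabled and which names are exempted.
    $disable = (Get-ItemProperty -Path $lsaKey  -Name DisableLoopbackCheck    -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names   = (Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        DisableLoopbackCheck    = if ($null -eq $disable) { 0 } else { $disable }
        BackConnectionHostNames = @($names | Where-Object { $_ })
    }
}

# Preferred: exempt only the specific names; the check stays on for everything else.
function Add-BackConnectionHostName {
    param([string[]]$HostNames)
    $current = @((Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
    $merged  = @($current + $HostNames | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null
}

# Blunt alternative: turns the reflection-attack protection off for every name on the box.
function Disable-LoopbackCheck {
    New-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
}

Add-BackConnectionHostName -HostNames $loopbackHosts
Show-LoopbackCheckState
```

Restart the IISAdmin service (or the computer) after changing either value. Use Disable-LoopbackCheck only when the set of self-referencing names cannot be enumerated, since it removes the protection for the whole server rather than for the NLB names alone.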
Fix network connectivity issues
Use this resolver to identify and resolve HTTPS communication issues between MDM Device Management Server and MDM Enrollment Server. Problems with HTTPS communication disrupt normal MDM operations. Verify that you can access other secure (HTTPS) sites from the server, and that the server can contact Active Directory.
Ping the server to determine if there is a network connectivity, firewall configuration, or DNS host name resolution issue:
If the ping is successful, you will receive a reply similar to the following:
Reply from IP_address: bytes=32 time=3ms TTL=59
Reply from IP_address: bytes=32 time=20ms TTL=59
Reply from IP_address: bytes=32 time=3ms TTL=59
Reply from IP_address: bytes=32 time=6ms TTL=59
If you cannot ping the Enrollment Server by IP address, this indicates a network connectivity issue or a firewall configuration issue (including a firewall that drops ICMP). To identify and resolve the issue, follow the steps in "Troubleshooting Steps for Network Connectivity Issues" later in this topic.
If you can ping the target computer by IP address but not by FQDN, this indicates an issue with DNS host name resolution. To identify and resolve this issue, perform the steps in "Troubleshooting Steps for DNS Accessibility" and, if needed, "Troubleshooting Steps for Firewall Configuration Issues" later in this topic.
Troubleshooting Steps for DNS Accessibility
To determine if DNS servers are configured and accessible, follow these steps:
Also check that the DNS Client service is running. If the DHCP Client service is stopped on the server, name resolution may not function correctly either: on Windows that service also performs dynamic DNS registration of the server's own records and, on DHCP-configured interfaces, obtains the DNS server list. For more information about identifying and resolving DNS issues, please visit http://go.microsoft.com/fwlink/?LinkId=115516.
Troubleshooting Steps for Firewall Configuration Issues
For issues with communication between the Device Management Server and the Enrollment Server, if the two are installed on separate computers, ensure that no firewall between them blocks the necessary ports. Enrollment Server administration uses HTTPS over port 8445 (by default) and Device Management Server administration uses HTTPS over port 8446 (by default). To reduce exposure, you can control which ports are used so that your firewall or router forwards traffic only to these Transmission Control Protocol (TCP) ports. For more information, see the Firewall Settings topic in the SCMDM 2008 Planning Guide at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=117776.
You can use commands such as Telnet and Netstat to verify that the appropriate ports accept connections: Telnet to the port from the remote server, and Netstat on the target to confirm that the service is listening on it. Also check whether your firewall blocks ICMP echo replies; if it does, ping fails even though the host and its HTTPS ports are reachable, which is a false negative rather than a real connectivity failure. For information about Telnet, please visit http://go.microsoft.com/fwlink/?LinkID=48891. For information about Netstat, please visit http://go.microsoft.com/fwlink/?LinkID=48892.
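The ping, DNS and port checks above, combined into one script as an added example (not code from this article or from SCMDM 2008). It resolves the name first so a DNS fault is not misread as a network fault, pings by address, then does a TCP connect to the article's default admin ports, and reports a diagnosis in the article's own terms, treating a failed ping with open TCP ports as filtered ICMP rather than as an outage. The server name is a constructed placeholder; it assumes PowerShell 3.0 or later on the Device Management Server.

```powershell
# Added example; not part of the SCMDM 2008 knowledge article or product.
# Assumes PowerShell 3.0 or later on the Device Management Server.
# The server name is a constructed placeholder; the ports are the article's defaults.

$enrollmentServer = 'mdm-enroll.contoso.com'
$adminPorts       = @(8445, 8446)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect: the same evidence Telnet gives, without a session to clean up.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)      # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-MdmConnectivity {
    param([string]$Server, [int[]]$Ports)

    $r = [ordered]@{ Server = $Server }

    # 1. Name resolution first, so a DNS fault is not misread as a network fault.
    $ip = $null
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($Server) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
              Select-Object -First 1
    } catch { }
    $r.ResolvedAddress = if ($ip) { $ip.IPAddressToString } else { $null }

    # 2. ICMP echo by address. A failure is inconclusive until the TCP test has run.
    $r.IcmpReply = $false
    if ($ip) { $r.IcmpReply = Test-Connection -ComputerName $ip.IPAddressToString -Count 2 -Quiet }

    # 3. TCP connect to each HTTPS admin port; this is what MDM traffic actually needs.
    $open = @(); $closed = @()
    foreach ($p in $Ports) {
        if (Test-TcpPort -HostName $Server -Port $p) { $open += $p } else { $closed += $p }
    }
    $r.OpenPorts   = $open
    $r.ClosedPorts = $closed

    # 4. Map the findings onto the article's causes.
    $r.Diagnosis =
        if (-not $ip)              { 'DNS host name resolution issue' }
        elseif ($closed.Count)     { 'Network, firewall or stopped-service issue on TCP ' + ($closed -join ', ') }
        elseif (-not $r.IcmpReply) { 'Reachable over TCP; ICMP is filtered, so the ping failure is a false negative' }
        else                       { 'Network path OK' }

    [pscustomobject]$r
}

Test-MdmConnectivity -Server $enrollmentServer -Ports $adminPorts | Format-List
```

Run it from the Device Management Server against the Enrollment Server and the reverse; an open port only proves that something is listening, so follow a "Network path OK" result with a browser request to the HTTPS site to confirm the certificate chain as well.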
Add Computer Account to SCMDM 2008 Active Directory Groups
SCMDM 2008 AD Groups are used to grant permissions to servers and services to perform MDM operations. If a computer account was removed from an SCMDM 2008 AD Group, you may see permissions errors. To resolve this issue, follow these steps:
In Active Directory Users and Computers, on the View menu, select Advanced Features.
Open the SCMDM2008 Infrastructure Groups organizational unit (OU).
Right-click the SCMDM2008DeviceManagementServers group, and then select Properties.
On the Members tab, select Add.
Click Object Types, select Computers, and then click OK.
Type the name of the computer account that you want to add to the SCMDM2008DeviceManagementServers group. Add a computer only if a trusted SCMDM 2008 Device Management Server is installed on it: membership grants that computer account the rights to perform MDM operations. Do not add a computer to a group before running SCMDM 2008 Setup.
Click OK to close the dialog box.
Click OK again to close the dialog box.
Repeat the above steps for the other SCMDM 2008 server groups (such as the SCMDM2008EnrollmentServers group for Enrollment Servers) as necessary.
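The membership check from the diagnosis section and the add procedure above, scripted as an added example (not code from this article or from SCMDM 2008). It matches on the computer object class and the trailing "$" of a computer account's sAMAccountName so that a user or nested group with the same name does not pass the check, and it refuses to add a server unless the caller asserts that SCMDM 2008 Setup has completed on it, which is the article's precondition. It assumes the RSAT ActiveDirectory module and rights to modify the group; the server name is a constructed placeholder.

```powershell
# Added example; not part of the SCMDM 2008 knowledge article.
# Assumes the RSAT ActiveDirectory module and rights to modify the group.
# The server name is a constructed placeholder; the group name is the article's.
Import-Module ActiveDirectory

$groupName  = 'SCMDM2008DeviceManagementServers'
$serverName = 'MDM-DMS01'

function Test-MdmGroupMembership {
    param([string]$Group, [string]$ComputerName)
    # Computer accounts carry a trailing $ in sAMAccountName; also require the computer
    # object class so a user or nested group with the same name is not counted.
    $members = Get-ADGroupMember -Identity $Group
    [bool]($members | Where-Object {
        $_.objectClass -eq 'computer' -and $_.SamAccountName -eq ($ComputerName + '$')
    })
}

function Add-MdmServerToGroup {
    param(
        [string]$Group,
        [string]$ComputerName,
        # Pass only after SCMDM 2008 Setup has completed on that computer. Membership
        # hands the computer account the rights to run MDM operations, so an unrelated
        # or not-yet-installed host must never be added.
        [switch]$SetupCompleted
    )
    if (-not $SetupCompleted) {
        Write-Warning "Not adding $ComputerName: run SCMDM 2008 Setup first, then re-run with -SetupCompleted."
        return $false
    }
    if (Test-MdmGroupMembership -Group $Group -ComputerName $ComputerName) {
        Write-Host "$ComputerName is already a member of $Group"
        return $true
    }
    $computer = Get-ADComputer -Identity $ComputerName
    Add-ADGroupMember -Identity $Group -Members $computer
    Write-Host "Added $($computer.DistinguishedName) to $Group"
    return $true
}

# Change -Group to SCMDM2008EnrollmentServers (and the server name) for an Enrollment Server.
Add-MdmServerToGroup -Group $groupName -ComputerName $serverName -SetupCompleted
Test-MdmGroupMembership -Group $groupName -ComputerName $serverName
```

The new group SID reaches the server's own access token only when its machine account re-authenticates, so restart the server (or at least the MDM services after purging the machine's Kerberos tickets) before re-checking the monitor state.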
Property | Value
Target | Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.ClassType
Parent Monitor | System.Health.AvailabilityState
Category | StateCollection
Enabled | True
Alert Generate | True
Alert Severity | MatchMonitorHealth
Alert Priority | Normal
Alert Auto Resolve | True
Monitor Type | Microsoft.Windows.2SingleEventLog2StateMonitorType
Remotable | True
Accessibility | Public
Alert Message |
RunAs | Default
<UnitMonitor ID="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.EnrollmentConnection.MobileDeviceManager.EnrollmentConnection.EventBased.UnitMonitor" Accessibility="Public" Enabled="onEssentialMonitoring" Target="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.ClassType" ParentMonitorID="SystemHealth!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">
<Category>StateCollection</Category>
<AlertSettings AlertMessage="Microsoft.SystemCenter.MobileDeviceManager.2008.1_0.WipeServiceDriver.EnrollmentConnection.MobileDeviceManager.EnrollmentConnection.EventBased.UnitMonitor.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>MatchMonitorHealth</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="FirstEventRaised" HealthState="Success"/>
<OperationalState ID="Negative" MonitorTypeStateID="SecondEventRaised" HealthState="Error"/>
</OperationalStates>
<Configuration>
<FirstComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
<FirstLogName>Mobile Device Manager</FirstLogName>
<FirstExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>Device Manager</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>1004</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</FirstExpression>
<SecondComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
<SecondLogName>Mobile Device Manager</SecondLogName>
<SecondExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>Device Manager</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>1003</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</SecondExpression>
</Configuration>
</UnitMonitor>
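To see on the server what state this monitor would compute, the following PowerShell applies the definition's own rules as an added example (not part of the management pack): log "Mobile Device Manager", source "Device Manager", event 1004 maps to FirstEventRaised (Success) and event 1003 to SecondEventRaised (Error), and the 2SingleEventLog2State monitor type follows whichever of its two events was raised last. The sample events and their message text are constructed; Get-WinEvent's ProviderName is the event source the monitor calls PublisherName. It assumes PowerShell 3.0 or later.

```powershell
# Added example; not part of the management pack. Reproduces the monitor's evaluation:
# newest 1003/1004 event from source "Device Manager" in log "Mobile Device Manager" wins.
# Assumes PowerShell 3.0 or later. Sample events below are constructed.

$logName   = 'Mobile Device Manager'   # <FirstLogName> / <SecondLogName>
$publisher = 'Device Manager'          # PublisherName in the monitor expressions
$successId = 1004                      # FirstEventRaised  -> HealthState Success
$errorId   = 1003                      # SecondEventRaised -> HealthState Error

function Get-EnrollmentConnectionState {
    param([object[]]$Events)   # objects with ProviderName, Id, TimeCreated, Message

    # Only the newest matching event matters: the monitor flips between its two
    # states each time one of the two events is raised.
    $latest = $Events |
        Where-Object { $_.ProviderName -eq $publisher -and $_.Id -in @($successId, $errorId) } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1

    if (-not $latest) { return [pscustomobject]@{ State = 'Unknown'; Event = $null } }

    $state = if ($latest.Id -eq $errorId) { 'Error' } else { 'Success' }
    [pscustomobject]@{ State = $state; Event = $latest }
}

# Constructed sample standing in for Get-WinEvent output. The 1003 is newer than the
# 1004 here, so the newer error decides the state even though a success follows it in the array.
$sample = @(
    [pscustomobject]@{ ProviderName = $publisher; Id = $successId; TimeCreated = (Get-Date).AddMinutes(-30); Message = 'Connected to Enrollment Server (constructed)' },
    [pscustomobject]@{ ProviderName = $publisher; Id = $errorId;   TimeCreated = (Get-Date).AddMinutes(-5);  Message = 'Cannot reach Enrollment Server (constructed)' }
)
(Get-EnrollmentConnectionState -Events $sample).State

# Live read on a Device Management Server.
$live = Get-WinEvent -FilterHashtable @{ LogName = $logName; ProviderName = $publisher; Id = @($successId, $errorId) } -MaxEvents 50 -ErrorAction SilentlyContinue
if ($live) {
    $state = Get-EnrollmentConnectionState -Events $live
    "{0}: event {1} at {2}: {3}" -f $state.State, $state.Event.Id, $state.Event.TimeCreated, $state.Event.Message
}
```

The message of the newest event is what the alert carries (AlertParameter1 is $Data/Context/EventDescription$), so when the live read shows Error, that text is the first thing to compare against the diagnoses in the table above.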