SQL Server Connectivity Health Monitor (Mobile Device Manager Log)

This aspect contains the SQL Server Connectivity objects that you can monitor in the Enrollment Administration Service. These health monitors include the following detector.

Green Health State

• Event ID 2210: ENROLLMENT_ADMIN_SQL_CONNECTION_SUCCEEDED - Enrollment Administration Web site successfully connected to SQL.

Red Health State

• Event ID 2211: ENROLLMENT_ADMIN_SQL_CONNECTION_ERROR - Enrollment Administration Web site failed to connect to SQL server.

You can verify SQL Server connectivity for the MDM Enrollment Administration Service by checking for the following event:

Task	Event numbers confirming success
ENROLLMENT_ADMIN_SQL_CONNECTION_SUCCEEDED	2210

This condition occurs if MDM Enrollment Server cannot communicate with the database server. This issue may occur if any of the following conditions are true:

• There is a network connectivity issue between MDM Enrollment Server and the database server.
• MDM Enrollment Server does not have the proper permissions on the database, or is not in the appropriate group.
• The database is offline or malfunctioning.
• The database and sqlinstance keywords in the SCMDM SCP are incorrect.
• There is a loopback security unauthorized exception.

A network connectivity issue is the most likely cause of this condition. To diagnose the database connection failure events, check the following:

Is the server connected to the corporate network Intranet appropriately? Is there network connectivity between MDM Enrollment Server and the database server?

To check network connectivity, ping the database server from MDM Enrollment Server.

1. Select Start, select Run, type cmd, and then select OK.
2. At the command prompt, type ping IP_address, where IP_address is the IP address of the database server, and then press ENTER.

   If the ping is successful, you will receive a reply similar to the following:

   Reply from IP_address: bytes=32 time=3ms TTL=59

   Reply from IP_address: bytes=32 time=20ms TTL=59

   Reply from IP_address: bytes=32 time=3ms TTL=59

   Reply from IP_address: bytes=32 time=6ms TTL=59

   If you cannot successfully ping by IP address, the server might be offline, or there might be a network connectivity or firewall configuration issue.

Is SQL Server configured to accept connections?

Verify that the SQL Server Surface Area Configuration is set to allow TCP/IP connections if running on a separate computer from MDM Enrollment Server, or Named Pipe connections if running on the same server.

Is the database server service connection point (SCP) set correctly in Active Directory?

You can verify the database server URI by using the SCPUtil.exe file in the System Center Mobile Device Manager Resource Kit at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=116260.

1. From the command console, run SCPUtil.exe.
2. Verify that the DB Values are correct. If they are not correct, see the "Set the database service connection point" resolver.

Is the Enrollment Server in the SCMDM Enrollment Server's Active Directory security group?

1. In Active Directory Users and Computers, on the View tab, select Advanced Features.

2. Open the SCMDM Infrastructure Groups organizational unit (OU).

3. Right-click SCMDMEnrollmentServers group, and then select Properties.

4. Verify that Enrollment Server is listed on the Members tab.

Identify and resolve HTTPS communication issues if there are problems with MDM Device Management Server and/or database server networking. Problems with HTTPS communications can affect proper MDM operations. Verify that you can access other security-enhanced sites, and that the server is connected to Active Directory.

Ping the server to determine if there is an issue with network connectivity, firewall configuration, or DNS host name resolution:

1. From the local computer, ping the IP address of the target computer. For example, if the problem is that MDM Device Management Server cannot communicate with MDM Enrollment Server, then from MDM Device Management Server, ping the IP address of the database server.
2. To use the Ping tool, select Start, select Run, type cmd, and then select OK.
3. At the command prompt, type ping IP_address, and then press ENTER. For example, type ping 192.168.1.5

   If the ping is successful, you will receive a reply similar to the following:

   Reply from IP_address: bytes=32 time=3ms TTL=59

   Reply from IP_address: bytes=32 time=20ms TTL=59

   Reply from IP_address: bytes=32 time=3ms TTL=59

   Reply from IP_address: bytes=32 time=6ms TTL=59

4. If the ping is successful, ping the fully qualified domain name (FQDN) of the target computer. To do this, type ping target_computer_FQDN, and then press ENTER. For example, type ping server1.contoso.com

   If you cannot ping the terminal server by IP address, this indicates a network connectivity or firewall configuration issue. To identify and resolve the issue, follow the steps in the "Troubleshooting Steps for Network Connectivity Issues" section later in this topic.

   If you can ping the target computer by IP address but not by FQDN, this indicates an issue with DNS host name resolution. To identify and resolve this issue, perform the steps in the "Troubleshooting Steps for DNS Server Accessibility" section and, if needed, the "Troubleshooting Steps for Firewall Configuration Issues" section later in this topic.

Troubleshooting Steps for Network Connectivity Issues

1. Ping other computers in the network to help isolate the network connectivity issue.
2. If you can ping other servers but not the target computer, try to ping the target computer from another computer. If you cannot ping the target computer from any computer, check the network settings on the target computer.
3. Check the TCP/IP settings on the local computer:
   • Select Start, select Run, type cmd, and then select OK.
   • At the command prompt, type ipconfig /all, and then press ENTER.
   • Make sure that the information listed is correct.
   • Verify that you can ping the local IP address, the default gateway, and the DNS servers.
   • Ping the loopback address of 127.0.0.1 to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
   • Test whether you can ping the local IP address. If you can ping the loopback address but cannot ping the local IP address, there may be an issue with the routing table or with the network adapter driver.
   • If the target computer is in a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this indicates a potential problem with the network adapter, the router or gateway device, cabling or other connectivity hardware.
4. Check the Event Viewer for any error messages.
5. In Device Manager, check the status of the network adapter.
6. Check network connectivity indicator lights at the server, hub, and/or router.
7. Check network cabling.
8. Check firewall settings. Determine whether Internet Control Message Protocol (ICMP) traffic (ping) is allowed.
9. Verify whether Internet Protocol security (IPsec) policy filters are defined to block or secure ICMP traffic.

Troubleshooting Steps for DNS Server Accessibility

To determine if the DNS servers are configured and accessible, do the following:

1. Select Start, select Run, type cmd, and then select OK.
2. At the command prompt, type ipconfig /all, and then press ENTER.
3. In the results, make sure that DNS servers are listed, and that the IP addresses of the DNS servers are correct.
4. Ping the listed DNS servers to determine whether they are accessible.
5. If you cannot ping the DNS server, make sure that the DNS server is running. You can also test connectivity from other hosts in your network to help isolate the issue.

Also, if the DHCP Client service is stopped on the terminal server, then name resolution will not function correctly. For more information about identifying and resolving DNS issues, please visit http://go.microsoft.com/fwlink/?LinkId=115516.

Troubleshooting Steps for Firewall Configuration Issues

For problems with communication on the database server, ensure that there is no firewall between servers that blocks necessary ports. Microsoft SQL Server uses port 1433 (by default). To enhance security, you can control which ports are being used so that your firewall router can be configured to forward traffic only to these Transmission Control Protocol (TCP) ports. For more information, see the Firewall Settings topic in the MDM Planning Guide at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=117776.

You can use commands such as Telnet and Netstat to assist in verifying that the appropriate ports enable communication. You should also verify that your firewall configuration is not blocking ICMP replies, which would result in false positive responses. For information about Telnet, please visit http://go.microsoft.com/fwlink/?LinkID=48891. For information about Netstat, please visit http://go.microsoft.com/fwlink/?LinkID=48892.

To set the database server URI and instance name, perform the following operations using SCPUtil.exe distributed with the MDM Resource Kit Tools . To download this utility, see the MDM Resource Kit Tools page at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=127030.

1. Open a Command Console window (Start > Run > cmd.exe).
2. Run the command "SCPUtil.exe" to see the currently configured Active Directory Service Connection Points.
3. Run the command "SCPUtil.exe /config /dbserver:<servername> /sqlinstance:<sql instance name>".

An alternative method for setting the database server URI and instance name is to check the MDM instance object under the System/SCMDM object (for example, CN=SCMDM,CN=<instance name>,CN=System,DC=contoso,DC=com).

Examine the keywords property to determine the current settings for the database URI and instance.

<UnitMonitor ID="Microsoft.SystemCenter.MobileDeviceManager.2008.1_1.EnrollmentAdministrationServices.SQLServerConnectivity.MobileDeviceManager.None.EventBased.UnitMonitor" Accessibility="Public" Enabled="onEssentialMonitoring" Target="Microsoft.SystemCenter.MobileDeviceManager.2008.1_1.EnrollmentAdministrationServices.ClassType" ParentMonitorID="SystemHealth!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">

  <Category>StateCollection</Category>

  <AlertSettings AlertMessage="Microsoft.SystemCenter.MobileDeviceManager.2008.1_1.EnrollmentAdministrationServices.SQLServerConnectivity.MobileDeviceManager.None.EventBased.UnitMonitor.AlertMessage">

    <AlertOnState>Error</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>MatchMonitorHealth</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="FirstEventRaised" HealthState="Success"/>

    <OperationalState ID="Negative" MonitorTypeStateID="SecondEventRaised" HealthState="Error"/>

  </OperationalStates>

  <Configuration>

    <FirstComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>

    <FirstLogName>Mobile Device Manager</FirstLogName>

    <FirstExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>Enrollment</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>2210</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </FirstExpression>

    <SecondComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>

    <SecondLogName>Mobile Device Manager</SecondLogName>

    <SecondExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>Enrollment</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>2211</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </SecondExpression>

  </Configuration>

</UnitMonitor>