Enrollment Connection Health Monitor (Mobile Device Manager Log)

Microsoft.SystemCenter.MobileDeviceManager.2008.1_1.WipeServiceDriver.EnrollmentConnection.MobileDeviceManager.EnrollmentConnection.EventBased.UnitMonitor (UnitMonitor)

Knowledge Base article:

Enrollment Connection (Aspect)

This aspect contains the enrollment connection objects that you can monitor in the MDM Wipe Service Driver. These health monitors include the following detectors.

Green Health State

Red Health State

Enrollment Connection (Diagnoser)

This condition occurs if MDM Device Management Server cannot communicate with MDM Enrollment Server. This issue may occur if any of the following conditions are true:

A network connectivity issue is the most likely cause of this condition. To diagnose enrollment connection failure events, perform the following checks:

Is the server connected to the corporate network or Intranet appropriately? Is there network connectivity between MDM Enrollment Server and MDM Device Management Server?

Ping MDM Enrollment Server from MDM Device Management Server to check network connectivity:

  1. Select Start, select Run, type cmd, and then select OK.
  2. At the command prompt, type ping IP_address, where IP_address is the IP address of the target server (here, MDM Enrollment Server), and then press ENTER.

    If the ping was successful, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=20ms TTL=59
    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=6ms TTL=59

    If you cannot successfully ping by IP address, the server might be down, or there might be a network connectivity or firewall configuration issue.

Are the enrollment services operating properly?

To ensure that the services for MDM Enrollment Server are running properly, follow these steps:

  1. Select Start, point to All Programs, point to Administrative Tools, and then select Services.
  2. In the Services console, scroll down and make sure that the SCMDM Enrollment services are started and running properly.

Is MDM Device Management Server in the proper security group in Active Directory?

  1. In Active Directory Users and Computers, on the View tab, select Advanced Features.

  2. Open the SCMDM Infrastructure Groups organizational unit (OU).

  3. Right-click the SCMDMDeviceManagementServers group, and then select Properties.

  4. Verify that the Device Management Server is listed on the Members tab.

If the server contains a trusted installation of the SCMDM Device Management Server and is not a member of the appropriate security group above, the server should be added as a member. See the Add Computer Account to SCMDM Active Directory Groups resolver to resolve this issue.

Is MDM Enrollment Server on the same computer as MDM Device Management Server?

In scaled-out topologies with load-balanced MDM Device Management Server arrays, you may receive the following error message when a Device Management Server in the array tries to connect:

HTTP 401.1 - Unauthorized: Logon Failed.

This issue occurs if you install Windows® XP with Service Pack 2 (SP2) or Windows Server 2003 with Service Pack 1 (SP1). These Windows-based operating systems include a loopback-check security feature that helps prevent reflection attacks on your computer.

This issue occurs when the Web site uses Integrated Authentication and has a name that maps to the local loopback address. In a Network Load Balancing (NLB) array, a server accesses the Web services on itself through NLB. This issue can also occur if the fully qualified domain name (FQDN) or custom host header does not match the local computer name.

Diagnosis: HTTP 401 Unauthorized Logon Failed using Loopback connector.

Diagnosis                                                    | Resolver to use
-------------------------------------------------------------|------------------------------------------------------------
MDM Device Management Server cannot connect to network.      | Check network connectivity
HTTP 401 Unauthorized Logon Failed using Loopback connector. | HTTP 401 Unauthorized Logon Failed using Loopback connector
Server is not in proper security groups.                     | Add Computer Account to SCMDM Active Directory Groups

HTTP 401 Unauthorized Logon Failed using Loopback connector. (Resolution)

This issue occurs if you install Windows® XP with Service Pack 2 (SP2) or Windows Server 2003 with Service Pack 1 (SP1). These Windows-based operating systems include a loopback-check security feature that helps prevent reflection attacks on your computer.

To resolve this issue, follow these steps to disable the loopback check on any computers that are running MDM Device Management Server:

  1. On the Start menu, select Run, type regedit, and then select OK.
  2. In Registry Editor, find and select the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then select DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then select Modify.
  6. In the Value box, type 1, and then select OK.
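The registry steps above switch the loopback check off for every host name on the computer. The following PowerShell functions are an added example and not part of the original knowledge base article: the first reports how the loopback check is currently configured on a Device Management Server, and the second applies a narrower setting that keeps the check active and only exempts the load-balanced name or custom host header the server uses to reach its own Web services. The BackConnectionHostNames multi-string value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 is Microsoft's documented per-name exception list for the same check; it is not mentioned on this page and is used here as an assumption, as is the placeholder name mdm-dms.contoso.com.

```powershell
# Added example (not from the original article). Inspect the LSA loopback-check
# configuration and, optionally, replace the machine-wide DisableLoopbackCheck=1
# resolution with a per-name exception list. Run from an elevated prompt.
# Assumption (not on the page): BackConnectionHostNames under Lsa\MSV1_0 is the
# documented allow list for the same loopback check.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Reports whether the check is disabled machine-wide (the article's resolution)
    # or still active with, at most, a list of exempted host names.
    $disable = (Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names   = (Get-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames

    if ($disable -eq 1) {
        $assessment = 'Loopback check disabled for every name: reflection-attack protection is off machine-wide.'
    } elseif ($names) {
        $assessment = 'Loopback check active; only the listed names may authenticate back to this host.'
    } else {
        $assessment = 'Loopback check active with no exceptions (default).'
    }

    [pscustomobject]@{
        LoopbackCheckDisabledMachineWide = ($disable -eq 1)
        AllowedBackConnectionHostNames   = @($names)
        Assessment                       = $assessment
    }
}

function Set-BackConnectionHostNames {
    # Scoped alternative to DisableLoopbackCheck: exempt only the NLB name or custom
    # host header that the Device Management Server uses to call its own Web services.
    param([Parameter(Mandatory)][string[]]$HostNames)

    if (-not (Test-Path $Msv10Key)) { New-Item -Path $Msv10Key -Force | Out-Null }
    New-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames -PropertyType MultiString -Value $HostNames -Force | Out-Null

    # Remove the machine-wide switch if present so the narrower rule is what applies.
    Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue

    Get-LoopbackCheckState
}

# Usage ('mdm-dms.contoso.com' is a constructed placeholder for the load-balanced
# FQDN or host header of the Device Management Server array):
# Get-LoopbackCheckState
# Set-BackConnectionHostNames -HostNames 'mdm-dms.contoso.com'
```

Running Get-LoopbackCheckState on each array member is also a quick way to confirm, after the incident is closed, which servers still carry the machine-wide exemption.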

Check network connectivity (Resolution)

Identify and resolve HTTPS communication issues if there are problems with MDM Device Management Server and/or MDM Enrollment Server networking.

Problems with HTTPS communications disrupt proper Mobile Device Manager operations. Verify whether you can access other secure sites and whether the server is connected to Active Directory.

Use ping to determine whether there is a network connectivity, firewall configuration, or DNS host name resolution issue

  1. From the local computer, ping the IP address of the target computer. For example, if the problem is that MDM Device Management Server cannot communicate with MDM Enrollment Server, from the Device Management Server, ping the IP address of MDM Enrollment Server.
  2. To use the Ping tool, select Start, select Run, type cmd, and then select OK.
  3. At the command prompt, type ping IP_address, and then press ENTER. For example, type ping 192.168.1.5

    If the ping was successful, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=20ms TTL=59
    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=6ms TTL=59

  4. If the ping was successful, ping the fully qualified domain name (FQDN) of the target computer. To do this, type ping target_computer_FQDN, and then press ENTER. For example, type ping server1.contoso.com

    If you cannot ping the domain controller, server, or database server by IP address, this indicates a network connectivity issue or firewall configuration issue. To identify and resolve the issue, follow the steps in "Perform additional troubleshooting steps to identify possible network connectivity issues" later in this topic.

    If you can ping the target computer by IP address but not by FQDN, this indicates an issue with DNS host name resolution. To identify and resolve this issue, perform the steps in "Perform troubleshooting steps to determine whether DNS servers are accessible" and, if needed, "Perform troubleshooting steps to identify possible firewall configuration issues," later in this topic.

Perform additional troubleshooting steps to identify possible network connectivity issues

  1. Ping other computers in the network to help isolate the network connectivity issue.
  2. If you can ping other servers but not the target computer, try to ping the target computer from another computer. If you cannot ping the target computer from any computer, check the network settings on the target computer.
  3. Check the TCP/IP settings on the local computer:
    • Select Start, select Run, type cmd, and then select OK.
    • At the command prompt, type ipconfig /all, and then press ENTER.
    • Make sure that the information listed is correct.
    • Verify whether you can ping the local IP address, the default gateway and the DNS servers.
    • Ping the loopback address of 127.0.0.1 to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
    • Test whether you can ping the local IP address. If pinging the loopback address works, but you cannot ping the local IP address, there may be an issue with the routing table or with the network adapter driver.
    • If the target computer is in a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this indicates a potential problem with the network adapter, the router or gateway device, cabling or other connectivity hardware.
  4. Check the Event Viewer for any error messages.
  5. In Device Manager, check the status of the network adapter.
  6. Check network connectivity indicator lights at the server and at the hub or router.
  7. Check network cabling.
  8. Check firewall settings. Determine whether ICMP (ping) traffic is allowed.
  9. Verify whether Internet Protocol security (IPsec) policy filters are defined to block or secure ICMP traffic.

Perform troubleshooting steps to determine whether DNS servers are accessible

To determine whether DNS servers are configured and are accessible, do the following:

  1. Select Start, select Run, type cmd, and then select OK.
  2. At a command prompt, type ipconfig /all, and then press ENTER.
  3. In the results, make sure that DNS servers are listed, and that the IP addresses of the DNS servers are correct.
  4. Ping the listed DNS servers to determine whether they are accessible.
  5. If you cannot ping the DNS server, make sure that the DNS server is running. You can also test connectivity from other hosts in your network to help isolate the issue.

Also verify whether the DHCP Client service is stopped on the server. If this is the case, name resolution will not function correctly.

For more information about identifying and resolving DNS issues, see Troubleshooting DNS on the Microsoft Web site.

Perform troubleshooting steps to identify possible firewall configuration issues

For problems with communication between the server and the target computer, ensure that no firewall on either server, or between them, blocks the necessary ports. For more information, see the Firewall Settings topic in the SCMDM Planning Guide.

You can use commands such as Telnet and Netstat to assist in verifying that the appropriate ports enable communication.

You should also verify whether your firewall configuration might be blocking ICMP replies, which would make the ping test report a connectivity failure that does not exist (a false positive).
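The ping, DNS and firewall checks described in this resolution can be run as one sequence. The function below is an added example, not part of the original article, and is written for Windows PowerShell 3.0 or later. It pings the loopback address, lists the DNS servers the adapter is configured with and pings them, resolves and pings the target by FQDN and by IP address, then attempts a TCP connection to the HTTPS port so that an ICMP-filtering firewall can be told apart from a real outage. The names enroll.contoso.com and 192.168.1.5 in the usage line are constructed placeholders.

```powershell
# Added example (not from the original article): automate the connectivity checks
# from MDM Device Management Server toward MDM Enrollment Server and map the
# outcome onto the article's diagnoses. Assumes Windows PowerShell 3.0 or later.

function Test-MdmServerConnectivity {
    param(
        [Parameter(Mandatory)][string]$TargetFqdn,
        [string]$TargetIPAddress,          # optional; taken from DNS when omitted
        [int]$Port = 443,                  # MDM servers communicate over HTTPS
        [int]$TimeoutMs = 3000
    )
    $result = [ordered]@{}

    # 1. TCP/IP stack sanity: the loopback address must answer before anything else.
    $result.LoopbackOk = Test-Connection -ComputerName 127.0.0.1 -Count 1 -Quiet

    # 2. DNS servers from the local adapter configuration (what 'ipconfig /all' lists),
    #    and whether each of them answers a ping.
    $dnsServers = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' } |
        ForEach-Object { $_.GetIPProperties().DnsAddresses } |
        ForEach-Object { $_.IPAddressToString } |
        Select-Object -Unique
    $result.DnsServers          = @($dnsServers)
    $result.DnsServersReachable = @($dnsServers | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })

    # 3. Name resolution: does the FQDN resolve at all?
    try {
        $result.FqdnResolvesTo = @([System.Net.Dns]::GetHostAddresses($TargetFqdn) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $result.FqdnResolvesTo = @()
    }
    if (-not $TargetIPAddress -and $result.FqdnResolvesTo.Count -gt 0) {
        $TargetIPAddress = $result.FqdnResolvesTo[0]
    }

    # 4. Ping by IP, then by FQDN: the order the article uses to separate network
    #    problems from DNS problems.
    $pingIp = $false
    if ($TargetIPAddress) { $pingIp = Test-Connection -ComputerName $TargetIPAddress -Count 2 -Quiet }
    $result.PingByIPOk   = $pingIp
    $result.PingByFqdnOk = Test-Connection -ComputerName $TargetFqdn -Count 2 -Quiet

    # 5. HTTPS port: a TCP connect succeeds even where ICMP is filtered, so a failed
    #    ping with an open port indicates ICMP filtering rather than an outage.
    $portOk = $false
    if ($TargetIPAddress) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($TargetIPAddress, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)
                $portOk = $true
            }
        } catch {
        } finally {
            $client.Close()
        }
    }
    $result.PortOk = $portOk

    # 6. Map the outcomes onto the article's diagnoses.
    if (-not $result.LoopbackOk) {
        $diagnosis = 'TCP/IP stack or network adapter problem on the local computer'
    } elseif (-not $TargetIPAddress) {
        $diagnosis = 'Target FQDN does not resolve: DNS host name resolution issue'
    } elseif ($portOk -and $pingIp) {
        $diagnosis = 'Connectivity OK'
    } elseif ($portOk) {
        $diagnosis = 'Port open but ping fails: firewall filters ICMP, not a real outage'
    } elseif ($pingIp -and -not $result.PingByFqdnOk) {
        $diagnosis = 'Reachable by IP but not by name: DNS host name resolution issue'
    } elseif ($pingIp) {
        $diagnosis = "Host answers ping but TCP $Port is closed: firewall or service not listening"
    } else {
        $diagnosis = 'Target unreachable by IP: network connectivity or firewall configuration issue'
    }
    $result.Diagnosis = $diagnosis

    [pscustomobject]$result
}

# Usage (constructed placeholders):
# Test-MdmServerConnectivity -TargetFqdn 'enroll.contoso.com' -TargetIPAddress '192.168.1.5'
```

The TCP probe is what keeps the false-positive case from the last paragraph out of the diagnosis: when the port answers but ICMP does not, the output says so instead of reporting a connectivity failure.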

Add Computer Account to SCMDM Active Directory Groups (Resolution)

Add Computer Account to SCMDM Active Directory Groups

SCMDM Active Directory Groups are used to grant permissions to servers and services to perform MDM operations. If a computer account was removed from an SCMDM Active Directory Group, you may see permissions errors. To resolve this issue, follow these steps:

  1. In Active Directory Users and Computers, on the View tab, select Advanced Features.

  2. Open the SCMDM Infrastructure Groups organizational unit (OU).

  3. Right-click the SCMDMDeviceManagementServers group, and then select Properties.

  4. On the Members tab, select Add.

  5. Select Account Types.

  6. Select Computer Accounts, and then select OK.

  7. Type the name of the computer account that you want to add to the SCMDMDeviceManagementServers group. You should add a computer only if there is a trusted SCMDM Device Management server on this computer. Do not add a computer to a group before running SCMDM Setup.

  8. Select OK to close the dialog box.

  9. Select OK again to close the dialog box.

You can repeat the above steps for other server groups (such as SCMDM EnrollmentServers) as necessary.

Element properties:

Target: Microsoft.SystemCenter.MobileDeviceManager.2008.1_1.WipeServiceDriver.ClassType
Parent Monitor: System.Health.AvailabilityState
Category: StateCollection
Enabled: True
Alert Generate: True
Alert Severity: MatchMonitorHealth
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.Windows.2SingleEventLog2StateMonitorType
Remotable: True
Accessibility: Public
Alert Message: Enrollment Connection Alert
  {0}
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.SystemCenter.MobileDeviceManager.2008.1_1.WipeServiceDriver.EnrollmentConnection.MobileDeviceManager.EnrollmentConnection.EventBased.UnitMonitor" Accessibility="Public" Enabled="onEssentialMonitoring" Target="Microsoft.SystemCenter.MobileDeviceManager.2008.1_1.WipeServiceDriver.ClassType" ParentMonitorID="SystemHealth!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">
  <Category>StateCollection</Category>
  <AlertSettings AlertMessage="Microsoft.SystemCenter.MobileDeviceManager.2008.1_1.WipeServiceDriver.EnrollmentConnection.MobileDeviceManager.EnrollmentConnection.EventBased.UnitMonitor.AlertMessage">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="Success" MonitorTypeStateID="FirstEventRaised" HealthState="Success"/>
    <OperationalState ID="Negative" MonitorTypeStateID="SecondEventRaised" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <FirstComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
    <FirstLogName>Mobile Device Manager</FirstLogName>
    <FirstExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>Device Manager</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>1004</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </FirstExpression>
    <SecondComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
    <SecondLogName>Mobile Device Manager</SecondLogName>
    <SecondExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>Device Manager</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>1003</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </SecondExpression>
  </Configuration>
</UnitMonitor>
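The Configuration above pairs two events from the Mobile Device Manager log written by publisher Device Manager: event 1004 satisfies FirstExpression and puts the monitor in the Success state, event 1003 satisfies SecondExpression and puts it in the Error state, and the alert carries the event description as its {0} parameter. The PowerShell below is an added example, not part of the management pack, that reproduces this state computation so an operator can confirm what the monitor should be showing. It assumes Get-WinEvent is available (Windows Vista / Server 2008 or later) and that the caller can read the log; the sample events at the end are constructed.

```powershell
# Added example (not part of the management pack): reproduce the two-state
# monitor's health computation. Per the Configuration above, the most recently
# raised of the two events decides the state:
#   event 1004 (FirstExpression)  -> FirstEventRaised  -> Success
#   event 1003 (SecondExpression) -> SecondEventRaised -> Error
# Assumption (not on the page): Get-WinEvent is available and readable by the caller.

$MdmLogName   = 'Mobile Device Manager'
$MdmPublisher = 'Device Manager'
$HealthyEvent = 1004   # FirstExpression  -> HealthState Success
$ErrorEvent   = 1003   # SecondExpression -> HealthState Error

function Get-EnrollmentConnectionState {
    # $Events: objects with Id and TimeCreated (Get-WinEvent records or constructed ones).
    param([Parameter(ValueFromPipeline)][object[]]$Events)
    begin   { $all = @() }
    process { $all += $Events }
    end {
        $relevant = $all | Where-Object { $_.Id -in $HealthyEvent, $ErrorEvent } | Sort-Object TimeCreated
        $latest   = $relevant | Select-Object -Last 1
        if (-not $latest) {
            return [pscustomobject]@{ HealthState = 'Unknown'; Reason = 'no 1003/1004 event seen' }
        }
        $state = 'Error'
        if ($latest.Id -eq $HealthyEvent) { $state = 'Success' }
        [pscustomobject]@{
            HealthState   = $state
            LastEventId   = $latest.Id
            LastEventTime = $latest.TimeCreated
        }
    }
}

function Get-EnrollmentConnectionStateFromLog {
    # Pull only the two events the monitor's expressions match and evaluate them.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = $MdmLogName; ProviderName = $MdmPublisher; Id = $HealthyEvent, $ErrorEvent }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Get-EnrollmentConnectionState
}

# Offline check with constructed events: the later event is 1004, so the result is Success.
$sample = @(
    [pscustomobject]@{ Id = 1003; TimeCreated = [datetime]'2024-01-01 08:00' }   # connection lost
    [pscustomobject]@{ Id = 1004; TimeCreated = [datetime]'2024-01-01 08:05' }   # connection restored
)
$sample | Get-EnrollmentConnectionState

# Live check against the Device Management Server's own log:
# Get-EnrollmentConnectionStateFromLog
```

Comparing the live result with the Operations console state is a quick way to tell a stale monitor (the agent has not processed the latest event yet) from a genuinely failed enrollment connection.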