Windows Deployment Services requires interaction with Active Directory Domain Services for several critical functions. One of these functions is rogue detection, which determines whether the Pre-Boot Execution Environment (PXE) server is authorized to provide services in the domain. Rogue detection is also known as Dynamic Host Configuration Protocol (DHCP) authorization.
Windows Deployment Services requires interaction with Active Directory Domain Services for several critical functions. One of these functions is rogue detection, which determines whether the Pre-Boot Execution Environment (PXE) server is authorized to provide services in the domain. Rogue detection is also known as Dynamic Host Configuration Protocol (DHCP) authorization.
Event IDs 768, 774 -- Check the registry data and permissions
The Windows Deployment Services PXE server must be able to read the necessary configuration settings from the registry so that is can provide network boot programs to client computers. To resolve this issue, ensure that the registry data is not missing or corrupt, and that the PXE server has the correct permissions.
Event IDs 771, 770, 772, 773, 776 -- Authorize the server in Active Directory
The WDSServer service must be authorized in Active Directory Domain Services in order to pass the rogue detection process. To resolve this issue, first authorize the service (open a Command Prompt window and run wdsutil /set-server /authorize:yes.) If this command returns an error, this means that it was not possible to authorize the server. In this case, do the following in the specified order until the issue is resolved:
Ensure that the domain controller is reachable.
Ensure that the machine account has sufficient permissions.
Ensure that the registry configuration data is correct.
Event IDs 768, 774 -- Check the registry data and permissions
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
To perform this procedure, you must either be a member of the local Administrators group or have been delegated the appropriate authority.
To ensure the registry data and permissions:
Open the Registry Editor. (Click Start, type regedit in the Start Search box, and then press ENTER).
Ensure that the WDSPXE registry key exists at the following location:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE.
If this key exists at the specified location, ensure that the SYSTEM account used by WDSPXE has permission to read from the registry. To do this, right-click the WDSServer node, click Permissions, click SYSTEM, and then ensure that Full Control is selected.
If the key is not present or is corrupt, you will need to reinitialize the server. To do this, open the Command Prompt window, run wdsutil /uninitialize-server, and then run wdsutil /initialize-server /reminst:<path to RemoteInstall folder>.
Event IDs 771, 770, 772, 773, 776 -- Authorize the server in Active Directory
Ensure that the domain controller is reachable
If you can ping the domain controller by IP address, reachability is not the problem. If you cannot ping it by IP address, ensure that:
The domain controller computer is turned on.
The Active Directory service is running and has network connectivity.
The Windows Deployment Services server has network connectivity.
Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before using these steps, determine whether the firewall or Internet Protocol security (IPsec) settings on your network permit Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command.
To perform these procedures, you must either be a member of the local Administrators group or have been delegated the appropriate authority.
To determine whether there is a network connectivity problem:
On the Windows Deployment Services server, open the Command Prompt window.
At the command prompt, run ping <server FQDN>, where <server FQDN> is the fully qualified domain name (FQDN) of the domain controller (for example, server1.contoso.com).
At the command prompt, run ping <IP Address>, where <IP Address> is the IP address of the domain controller.
Note the following:
If you can successfully ping the domain controller by IP address, but not by FQDN, this indicates a possible issue with DNS host name resolution.
If you cannot successfully ping the domain controller by IP address, this indicates a possible issue with network connectivity, the firewall configuration, or the IPsec configuration.
If necessary, you can perform the following additional steps to help identify the root cause of the problem:
Ping other computers on the network to determine the extent of the connectivity issue.
If you can ping other servers but not the domain controller, try to ping the domain controller from another computer. If you cannot ping the domain controller from any computer, first ensure that the domain controller is running. If the domain controller is running, checkits network settings.
Check the TCP/IP settings on the local computer by doing the following:
Open the Command Prompt window, run ipconfig /all at the command prompt, and then ensure that the output is correct.
Run ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If this command is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
Runping <local IP address>. If you can ping the localhost address but not the local address, there may be an issue with the routing table or with the network adapter driver.
Run ping <DNS server IP address>. If there is more than one DNS server on your network, you should ping each of them in turn. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the computer and the DNS servers.
If the domain controller is on a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this might indicate a problem with the network adapter, the router or gateway device, the cabling, or other connectivity hardware.
In Device Manager, check the status of the network adapter. (To open Device Manager, click Start, click Run, type devmgmt.msc, and then click OK. )
Check the network connectivity indicator lights on the computer and at the hub or router. Check all of the network cabling.
Check the firewall settings by using the Windows Firewall with Advanced Security snap-in.
Check the IPsec settings by using the IP Security Policy Management snap-in.
If none of these steps resolves your issue, use the procedure in the following section to ensure that the machine account has the required permissions.
Ensure that the machine account has sufficient permissions.
On the server that contains Active Directory directory services, grant server permissions to the machine account for the Windows Deployment Services server so that it can read the Service Control Point (SCP).
To perform this procedure, you must either be a member of the local Domain Admins group or have been delegated the appropriate authority.
To grant permissions to the SCP object:
Open the Active Directory Users and Computers MMC Snap-in.
Click View, and then click Advanced Features (if it is not already enabled).
Access the properties of the Windows Deployment Services serverӳ computer account.
On the Remote Install tab, click Advanced Settings.
On the Security tab, click Add.
Select the user, and then click Full Control on this object.
If the SCP object has the correct permissions, use the instructions in the following section to ensure that the registry data is correct.
Ensure that the registry configuration data is correct
If neither of the first two solutions in this topic fixes your issue, the registry data may be corrupt. To determine whether this data is corrupt, run the WDSUTIL /get-server /server:<server name> command at the command prompt. If this command fails or if the output is corrupted, you will need to reinitialize the server. To do this, run wdsutil /uninitialize-server at the command prompt, and then run wdsutil /initialize-server /reminst:<path to RemoteInstall folder>.
| Target | Microsoft.Windows.Server.6.3.WDSRole | ||
| Parent Monitor | System.Health.AvailabilityState | ||
| Category | StateCollection | ||
| Enabled | True | ||
| Alert Generate | True | ||
| Alert Severity | MatchMonitorHealth | ||
| Alert Priority | Normal | ||
| Alert Auto Resolve | True | ||
| Monitor Type | Microsoft.Windows.3SingleEventLog3StateUnitMonitorType | ||
| Remotable | True | ||
| Accessibility | Public | ||
| Alert Message |
| ||
| RunAs | Default |
Home
ENU <UnitMonitor ID="Microsoft.Windows.Server.6.3.WDSRole.RogueDetectionState" Accessibility="Public" Enabled="onEssentialMonitoring" Target="Microsoft.Windows.Server.6.3.WDSRole" ParentMonitorID="SystemHealth!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.3SingleEventLog3StateUnitMonitorType" ConfirmDelivery="true">
<Category>StateCollection</Category>
<AlertSettings AlertMessage="Microsoft.Windows.Server.6.3.WDSRole.RogueDetectionState.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>MatchMonitorHealth</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/EventDisplayNumber$</AlertParameter1>
<AlertParameter2>$Data/Context/EventDescription$</AlertParameter2>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="FirstEventRaised" HealthState="Success"/>
<OperationalState ID="Warning" MonitorTypeStateID="SecondEventRaised" HealthState="Warning"/>
<OperationalState ID="Error" MonitorTypeStateID="ThirdEventRaised" HealthState="Error"/>
</OperationalStates>
<Configuration>
<FirstComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
<FirstLogName>Application</FirstLogName>
<FirstExpression>
<And>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(769|775|777)$</Pattern>
</RegExExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">WDSPXE</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</FirstExpression>
<SecondComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
<SecondLogName>Application</SecondLogName>
<SecondExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>WDSPXE</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>771</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</SecondExpression>
<ThirdComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ThirdComputerName>
<ThirdLogName>Application</ThirdLogName>
<ThirdExpression>
<And>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(768|770|772|773|774|776)$</Pattern>
</RegExExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">WDSPXE</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</ThirdExpression>
</Configuration>
</UnitMonitor>