Discovery & Agent Deployment for Managed Computers

In order to manage a computer using SCE, you must first discover it and successfully deploy an agent. The very first time you launch SCE you will be prompted to perform several "essential" configuration tasks, one of them being "Configure Computers and Devices to Manage". This kicks off the "Discovery" wizard, which lets you find the computers on your network and deploy agents. The wizard is also accessible by navigating to the "Computers" space and clicking "Add new computers".

Auto or Advanced Discovery?

Once you launch the wizard, you will be prompted to perform an "Automatic" or "Advanced" discovery. Choose Automatic if you want to discover everything on your domain. The next step is to provide the proper credentials (an account with Administrator rights on the computers you want to discover). The discovery process then runs, and after a few minutes you will see the results of your discovery. You should see all computers listed in your Active Directory that could be contacted by the discovery process. If you choose Advanced Discovery, you can choose between clients (any computer running a supported client operating system such as Windows XP SP2), servers (any computer running a supported server operating system such as Windows Server 2003), or network devices (any SNMP-enabled device). Choose "Automatic" if your network is less than 300 computers in size. If your network is larger, you will want to choose "Advanced" and provide more specific criteria to locate your computers. When specifying an Administrator account, ensure the account has Administrative Privileges on the computers you want to discover and install agents on. Once discovery is complete, choose the computers you want to manage and click "Finish".
Troubleshooting Problems with Computer Discovery

What happens when you try to manage a computer and it can't be discovered using the Discovery Wizard? There are several things to look at when troubleshooting problems with computer discovery. First, here is how the computer discovery process works under the covers: we take your search input parameters and translate them into an LDAP query. LDAP is the query language used to search for objects in Active Directory. We then pass that LDAP query to the local domain controller and submit a search task. AD returns the results, and we then try to actively connect to each computer in the list to ensure the discovered computers can be connected to and that we can feasibly install our management agent. We call this step "verification". Once a computer is verified, it is added to the list of discovered computers for you to choose from. There are three groups of reasons why you might not be able to discover computers: Active Directory issues, Network & DNS issues, and Verification issues.

Active Directory Issues

AD issues include:
- Could not connect to the domain controller to submit the LDAP query.
- The specified search criteria returned no matching computers in AD.
- The computer isn't listed in Active Directory.
Is the computer listed in Active Directory?
- Open the "Active Directory Users and Computers" management console
  i. This tool is installed by default on Windows Server 2003.
  ii. The tool can be installed on Windows XP Pro from the Server 2003 Resource Kit.
- Select the "Saved Queries" folder, right-click on it and select "New->Query".
- Enter a name for the query
- Click the "Define Query" button.
- Click the drop-down list marked "Find:" and select "Computers".
- Enter the name or search prefix, e.g. "pacer0", and click "OK".
- Click "OK" again.
- Verify the computer appears in the list of results.
Fix: Add the computer to Active Directory. Make sure the DNSHostname property is set correctly for the computer; this property can be viewed on the "General" tab of the computer's property dialog in the "Active Directory Users and Computers" management console.

Network & DNS Issues

A common problem is stale DNS entries: a computer has an IP address, but that address resolves to a different computer's name. Is the computer contactable via the network?
- Use the ping command to try and reach the computer using the same name provided to the discovery wizard.
- If the machine responds to a ping command, use the IP address to run ping with the "-a" switch and the IP address, e.g. "ping -a <IP address>". This will display the DNS name of the machine; it should match what was used in the original ping command.
- Use "nbtstat -a <computer name>" to see the registered NetBIOS name and domain for the computer, "nbtstat -A <IP address>" will accomplish the same task with the IP address of the machine.
Fixes:
- If the machine does not respond to a ping request or fails a remote agent install with "RPC Service Unavailable", the Windows Firewall is turned on. Turn off the firewall or set exceptions to allow for "File and Printer Sharing" and, optionally, ICMP Echo.
- If the NetBIOS and FQDN names do not match, then the DNS records for the machine must be corrected.
- If the agent installs but fails to contact the OpsMgr server, connect via Terminal Services or Remote Desktop to the agent computer and use the ping and nbtstat commands to verify that the agent can resolve the NetBIOS and FQDN names of the OpsMgr server that will manage it.
Verification Issues

- Windows Firewalls: Computers running Windows Firewall software may not be discoverable. You should temporarily disable the firewall on these computers and retry discovery. If discovery succeeds, you know it's a firewall issue. If the computer in question is running the Windows XP or Windows Server 2003 firewall, SCE automatically creates a firewall exception policy which configures these firewalls to allow SCE to discover them and install agents. It may take up to 24 hours for this firewall exception policy to become active across all computers in your domain, so try again later. To speed up this process, you can log onto clients and run the following command from the command line: gpupdate /force
- Third-Party Firewalls: Computers running third-party firewall software may not be discoverable. You should temporarily disable the firewall on these computers and retry discovery. If discovery succeeds, you know it's a firewall issue. Contact your firewall manufacturer for information on how to create firewall exception policies for your specific version.
- Remote Registry is disabled: The "Remote Registry" service must be running on all computers you want to discover.
Permissions Problems

Does the account used for discovery have appropriate permissions on the target computer?
- Open a command window with the "Run As" option using the account used for discovery, normally this is the MOM server action account.
- Use the command "net view \\ComputerName" to verify that the account can connect using the API NetworkStationGetInfo. This command may return the result "There are no entries in the list." This simply means that the machine does not have any publicly visible shares.
- If the result is "Access denied.", then the account used does not have permission to contact the machine.
- If the result is “The command completed successfully.” then the computer is properly configured for discovery.
Fixes: Through Group or Local Policy, grant the OpsMgr server action account the permission to access this computer from the network. By default, members of the local Administrators and Power Users groups should have this permission. If the failure occurs during agent install, add the OpsMgr server action account to the local Administrators group. If this is not possible due to security policy restrictions then:
- Reject the pending install from the "Pending Management" view.
- Run the discovery wizard again.
- On the "Administrator Account" step select "Other" and provide an account (domain or local) that has administrator privilege on the computer
- If the account is a local account or does not have rights to access Active Directory then check the box to use the MOM server action account for the discovery task
- Discover the computer and push an agent to it.
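As an added example (not from the original article), here is a PowerShell script that runs the checks from the Network & DNS, Verification and Permissions sections above from the SCE server in one pass: forward and reverse DNS agreement (the "ping -a" check), TCP 135 and 445 reachability, the Remote Registry service state, and the "net view" access test. The script name and the 3-second connect timeout are my own choices; run it under the discovery (action) account so the net view result reflects that account.

```powershell
# check-sce-readiness.ps1 (hypothetical name). Run on the SCE server under the
# discovery/action account:  .\check-sce-readiness.ps1 -ComputerName pacer01
# Read-only: nothing on the target computer is changed.
param([Parameter(Mandatory=$true)][string]$ComputerName)

function Test-TcpPort([string]$Target, [int]$Port) {
    # Same check as "telnet <computer_name> 135", without needing the telnet client.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }  # 3 s timeout (assumed)
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$results = @()

# 1. DNS: forward lookup, then reverse lookup of each IPv4 address. A PTR that names
#    a different host is the stale-record problem described above.
try {
    $entry = [System.Net.Dns]::GetHostEntry($ComputerName)
    foreach ($addr in ($entry.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' })) {
        $reverse = [System.Net.Dns]::GetHostEntry($addr).HostName
        $verdict = if ($reverse -like "$ComputerName*") { 'OK' } else { 'MISMATCH (stale DNS record?)' }
        $results += "DNS $addr -> $reverse : $verdict"
    }
} catch { $results += "DNS lookup failed: $($_.Exception.Message)" }

# 2. Ports the remote agent push needs: 135 (RPC endpoint mapper) and 445 (File and Printer Sharing).
foreach ($port in 135, 445) {
    $state = if (Test-TcpPort $ComputerName $port) { 'open' } else { 'BLOCKED (firewall?)' }
    $results += "TCP $port : $state"
}

# 3. Remote Registry must be running. This query itself goes over RPC, so it also
#    fails when the ports above are blocked.
try {
    $svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop
    $results += "Remote Registry : $($svc.Status)"
} catch { $results += "Remote Registry : could not query ($($_.Exception.Message))" }

# 4. "Access this computer from the network" right: same test as "net view \\ComputerName".
#    "There are no entries in the list." is fine; "Access is denied" is the permissions problem.
$view = & net.exe view "\\$ComputerName" 2>&1 | Out-String
if ($view -match 'denied') { $results += 'net view : ACCESS DENIED (account lacks network logon right)' }
else { $results += 'net view : OK' }

$results
```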
What if the Agent Installation Task Fails?

Observe whether the agent installation task is successful. If it's unsuccessful, navigate to the "Administration" space (the gold cog below the "Reporting" navigation button), then click on "Pending Management". This view provides troubleshooting steps, as well as the ability to re-push the agent to computers that failed to install on the first try.
Try Telnetting...

One way to tell if the computer you're trying to push an agent to is ready is to try to Telnet to that computer from the SCE server. If you can telnet via port 135 from the SCE server to the computer, you are ready to go. If not, the firewall on that computer may be blocking TCP port 135 (RPC). To run Telnet on most Windows computers, just launch a command window and type "telnet <computer_name> 135". This opens a telnet session to the computer name you specify on port 135. Port 135 is important because that's the port we use when installing the agent remotely.

Agent Installation Problems with Firewalls

Required changes if Windows Firewall is enabled on the SCE server:
- Open Control Panel -> Windows Firewall
- Select the Exceptions tab
- Create 3 port exceptions using the 'Add Port' button:
  TCP - Name: Port8530, 'Port Number': 8530
  TCP - Name: Port8531, 'Port Number': 8531
  TCP - Name: Port25, 'Port Number': 25
- For all 3 above, limit scope to "My network (subnet) only" through the 'Change Scope' button.
Required changes if Windows Firewall is enabled on client computers: No changes are required if the Domain policy option is used. If the Local Policy option is used, perform these steps on each client machine:
Step 1: Open 'Control Panel' -> 'Windows Firewall'
Step 2: Go to the Exceptions tab
Step 3: Check the 'File and Printer Sharing' option
Step 4: Create the following port exceptions using 'Add Port...'. For all these exceptions, limit scope to the SCE server's IP address using the 'Custom list' option.
- TCP - Name: 'Port 6270', Port Number: 6270
- TCP - Name: 'Port 135', Port Number: 135
- TCP - Name: 'Port 445', Port Number: 445

Agent Installation - Remote Registry Must be Enabled

Any client being administered by SCE must have the 'Remote Registry' service running for the client deployment to be successful. For instance, if your client shows the 'Remote Registry' service with a startup type of Manual, you may have to set it to Automatic and start the service for SCE to be able to install the agent.

Agent Installation - Computer Stuck in 'Installation in Progress'

I've discussed this issue with a few customers and another workaround has come to light. If your computer is stuck with installation in progress, it may be because you haven't enabled proper network access for your Administrator account.
Whichever account you specified to push-install the agents, you must make sure that the account is specified as being able to "access this computer from the network". Once you have added that account to that local policy, you can reject those agents, and try to push install again.
Here's the local policy you will need to adjust:
Launch GPEDIT.MSC, then navigate down to:
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
Click on "Access this computer from the network"
Now add that administrator account to the list. Reboot the computer, reject the computer from the "Pending Management" view, and try to re-discover and push install again.
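As an added example, not part of the original article, this PowerShell script applies the Local Policy client-side settings from the firewall and Remote Registry sections above on the client itself: the File and Printer Sharing exception and the TCP 6270/135/445 port exceptions, each scoped to the SCE server's address, plus the Remote Registry service set to Automatic and started. The script name is hypothetical, the SCE server IP is a parameter you supply, and the netsh firewall context used is the Windows XP SP2 / Server 2003 one (Vista and later use netsh advfirewall instead); the "Access this computer from the network" user right still has to be granted through gpedit.msc as described above.

```powershell
# prepare-sce-client.ps1 (hypothetical name). Run elevated on the client computer
# when the Local Policy option is used:  .\prepare-sce-client.ps1 -SceServerIp 192.0.2.10
param([Parameter(Mandatory=$true)][string]$SceServerIp)

# Step 3: File and Printer Sharing exception, limited to the SCE server only
# (scope=CUSTOM with a single address is the 'Custom list' option from the GUI).
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM "addresses=$SceServerIp"

# Step 4: port exceptions for the agent push (135 RPC, 445 SMB) and the agent channel (6270),
# each limited to the SCE server's IP address.
foreach ($port in 6270, 135, 445) {
    netsh firewall add portopening protocol=TCP "port=$port" "name=Port $port" mode=ENABLE scope=CUSTOM "addresses=$SceServerIp"
}

# Remote Registry: a Manual startup type is not enough; set it to Automatic and start it now.
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# Show what was applied so it can be compared against the GUI lists above.
netsh firewall show portopening
netsh firewall show service
Get-Service -Name RemoteRegistry
```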