rrasco Posted December 5, 2012

I am troubleshooting an issue where some client machines with the client agent are appearing in the device list as 'No' under the Client column. Checking the ClientIDManagerSetup.log I see this:

[RegTask] - Server rejected registration request: 3 ClientIDManagerStartup 12/5/2012 1:04:01 PM 9500 (0x251C)

Researching this, possible causes are incorrectly configured boundaries or certificate issues. I tried scouring the logs on SCCM to find a specific error why the registration is being rejected, but I couldn't find anything related. I believe my boundaries are configured correctly; I have two in a boundary group, an AD boundary along with an IP range for my client machines.

The next step in my process is to verify the certificates on the client machines. Looking at the cert manager on the client machines, I don't see an SMS folder or any certs related to SCCM. I do see this key with two entries in the registry though. My question is, how can I verify the certificates are correct and not expired for SCCM?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates

rrasco Posted December 5, 2012

I found the certificates. I may be showing my greenness with certs (never could get my head wrapped around them) but I had to load the computer account certs in MMC. Running certmgr.msc only gives you user certs. My certs for SMS are indeed expired. Deleting them now and then I need to figure out how to repair the client.

rrasco Posted December 5, 2012

I re-ran the client installation. Looks like it added new certs, but those are still expired. The original ones I deleted had an expiration of 10/26/12. The ones that were just issued expire on 11/11/12. Why would it issue an old cert?

rrasco Posted December 5, 2012

The certs on the SCCM server also have the 10/26/12 expiration date. Is that normal?

rrasco Posted December 5, 2012

Never mind about the certificate. They are not expired, expiration is 2112 not 2012. Oops. Client still won't register though. Anyone know what log I can look at on SCCM to help pinpoint the issue?

Rocket Man Posted December 6, 2012

Have your systems in the SCCM console got your site code?? They should have this regardless of whether or not they have the client installed... if not, then this is an indication that your boundaries are not set up correctly!!

Is it only some clients that are getting stuck in provisioning mode?

You can run these 2 reg entries on a couple of machines via the command prompt and then restart them to see if it fixes your problem:

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec /v ProvisioningMode /t REG_SZ /d false /f
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec /v SystemTaskExcludes /t REG_SZ /d "" /f

Rocket Man

rrasco Posted December 6, 2012

> Have your systems in the SCCM console got your site code?? They should have this regardless of whether or not they have the client installed... if not, then this is an indication that your boundaries are not set up correctly!!
>
> Is it only some clients that are getting stuck in provisioning mode?
>
> You can run these 2 reg entries on a couple of machines via the command prompt and then restart them to see if it fixes your problem:
>
> REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec /v ProvisioningMode /t REG_SZ /d false /f
> REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec /v SystemTaskExcludes /t REG_SZ /d "" /f
>
> Rocket Man

Devices do have a site code in the console. Does this mean my boundaries are set up correctly? I am only testing this on a few machines. I had one machine push out correctly, including EndPoint, automatically. I have two other machines I cannot get to auto-install the client. It is worth noting, I had to push-install the client on these machines. It did not install the client on discovery.

I will work on those suggestions. Takes me forever to reboot my machine so I'll get to that shortly.

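The client-side checks discussed in this thread, gathered into one read-only PowerShell script. This is an added example, not part of any post above. It assumes the registry key quoted in the first post is exposed as the certificate store Cert:\LocalMachine\SMS and that the client log sits in the default %windir%\CCM\Logs folder; it changes nothing on the machine.

```powershell
# Read-only client-side checks for the symptoms discussed in this thread.
# Run in an elevated PowerShell session on the affected client.

# 1. Certificates in the computer account's SMS store (the store behind
#    HKLM\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates).
$now   = Get-Date
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\SMS -ErrorAction SilentlyContinue)
if ($certs.Count -eq 0) {
    Write-Warning 'No certificates found in Cert:\LocalMachine\SMS'
}
$certs | ForEach-Object {
    [pscustomobject]@{
        FriendlyName = $_.FriendlyName
        Subject      = $_.Subject
        # Four-digit years, so 2112 cannot be misread as 2012.
        NotBefore    = $_.NotBefore.ToString('yyyy-MM-dd')
        NotAfter     = $_.NotAfter.ToString('yyyy-MM-dd')
        Expired      = ($_.NotAfter -lt $now)
        NotYetValid  = ($_.NotBefore -gt $now)
    }
} | Format-Table -AutoSize

# 2. Current values of the two settings the REG ADD commands would overwrite.
$key = 'HKLM:\SOFTWARE\Microsoft\CCM\CcmExec'
if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    'ProvisioningMode   = "{0}"' -f $props.ProvisioningMode
    'SystemTaskExcludes = "{0}"' -f $props.SystemTaskExcludes
} else {
    Write-Warning "$key not found (client agent not installed?)"
}

# 3. Most recent registration rejections in the client log.
#    The path is an assumption (default client install location).
$log = Join-Path $env:windir 'CCM\Logs\ClientIDManagerStartup.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'Server rejected registration request' |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
} else {
    Write-Warning "$log not found"
}
```

Recording the two CcmExec values before running the REG ADD commands gives a baseline to compare against after the restart.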