10 Replies Latest reply on Jun 23, 2009 5:29 AM by Trevor.Sullivan

    SCCM2K7 Out of Band Management

    smurfphy

      Hi All,

       

      I have set up a test environment to use vPro and SCCM2007 SP1/R2, and I am having a few issues with the OOB Management.  I have been following the quick start guide for vPro and SCCM v1.9.

       

      My test environment consists of two servers and two workstations...

       

      1 x Server 2003 SP2/R2 Ent Ed - Domain Controller, DNS, DHCP, SCCM2k7

       

      1 x Server 2003 SP2/R2 Ent Ed - Member Server - Enterprise CA.

       

      1 x Lenovo workstation  - AMT Version 5.1.0

       

      1 x HP7900SFF - AMT Version 5.0.1

       

      I imported the PCs into a custom collection, and the SCCM console says that they are provisioned.  I have also checked the CA and an AMT Web Certificate has been issued to the two workstations.  However, I am unable to access the Out of Band Management Console on the workstations; the status bar indicates that it is attempting to connect, then it fails.  I have also tried to restart the workstation via the Power Control, without success.

       

      When I attempt to restart the workstation the following error is listed in the amtopmgr.log

       

      Error: Failed to get CIM_AssociatedPowerManagementService instance.

       

      I have attached the amtopmgr.log and oobconsole.log files.

       

      Also, as a test I tried to navigate to https://lenovo.test.lab:16993 (my test domain and workstation) from the SCCM Server, and it fails, no such site. However, when I access the webserver on the workstation via https://<ipaddress>:16993 it connects to the website, but I am unable to log in using the credentials I specified in the Out of Band Management Point in the SCCM console.  For testing purposes I am using Domain\Administrator, and selecting all options.

       

      I have also checked the provisioning record on the workstation, everything seems to be in order.

       

      Also, (last one) I am using my own minted CA.  The CA Hash has been imported into the workstations.

       

      Your help would be appreciated.

        • 1. Re: SCCM2K7 Out of Band Management
          Trevor.Sullivan

          Hi Steve,

           

          Well, at least your provisioning has succeeded, so that would indicate that, from an infrastructure perspective, you've got things configured properly.

           

          Based on the behavior we're seeing here, I suggest that we focus our troubleshooting on the system that you're running the OOB Console on. Can you provide some details about this system?

           

          1. What OS is it running?
          2. Which Service Pack level?
          3. Is KB960804 installed on top of the ConfigMgr console? (necessary for iAMT v4/5)
          4. What version of WinRM does it have? (Not sure this is necessary)
          5. Is your Intermediate CA Certificate imported into Trusted Root CA store?
          6. Did you apply the IE registry fix for the web interface?

           

          Hopefully we can get this worked out for you soon!

           

           

          Trevor Sullivan

          Systems Engineer

          OfficeMax Corporation

          • 2. Re: SCCM2K7 Out of Band Management
            smurfphy

            Hi Trevor,

             

            Here are my answers....

             

            What OS is it running?


            Server 2003 Ent ed 32 bit

             

            Which Service Pack level?


            SP2

             

            Is KB960804 installed on top of the ConfigMgr console? (necessary for iAMT v4/5)


            It was installed, but I reinstalled the hotfix, just in case.

             

            What version of WinRM does it have? (Not sure this is necessary)


            As Per http://support.microsoft.com/kb/936059

             

            Is your Intermediate CA Certificate imported into Trusted Root CA store?


            Yes, Checked the certificate path on the SCCM Server, it is ok

             

            Did you apply the IE registry fix for the web interface?


            No, the Server is running IE7.

             

            I am also getting the following error in the AMTOPMGR.log when I attempt to restart the computer. 

             

             

             

            Session params : https://lenovo.test.lab:16993   ,  11001  $$<SMS_AMT_OPERATION_MANAGER><Wed Jun 17 11:49:06.709 2009 E. Australia Standard Time><thread=1464 (0x5B8)>
            ERROR: Invoke(get) failed: 80020009argNum = 0  $$<SMS_AMT_OPERATION_MANAGER><Wed Jun 17 11:49:08.958 2009 E. Australia Standard Time><thread=1464 (0x5B8)>
            Description: The I/O operation has been aborted because of either a thread exit or an application request.   $$<SMS_AMT_OPERATION_MANAGER><Wed Jun 17 11:49:08.958 2009 E. Australia Standard Time><thread=1464 (0x5B8)>
            Error: Failed to get CIM_AssociatedPowerManagementService instance.~  $$<SMS_AMT_OPERATION_MANAGER><Wed Jun 17 11:49:08.958 2009 E. Australia Standard Time><thread=1464 (0x5B8)>
            AMT Operation Worker: AMT machine lenovo.test.lab can't be restarted. Error code: 0x800703E3  $$<SMS_AMT_OPERATION_MANAGER><Wed Jun 17 11:49:08.958 2009 E. Australia Standard Time><thread=1464 (0x5B8)>
            Auto-worker Thread Pool: Error, Can not execute the task successfully after try it 3 times. Remove it from task list.
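
The error codes in the excerpt above can be decoded mechanically. The following is an added example, not part of the original post or of ConfigMgr: it parses the `$$<component><time><thread>` log format and splits each HRESULT into facility and code, which shows that 0x800703E3 is Win32 error 995, the same "I/O operation has been aborted" condition as the Description line. The function and variable names are illustrative.

```powershell
# Constructed sample: three lines copied from the amtopmgr.log excerpt above.
$sample = @'
Session params : https://lenovo.test.lab:16993   ,  11001  $$<SMS_AMT_OPERATION_MANAGER><Wed Jun 17 11:49:06.709 2009 E. Australia Standard Time><thread=1464 (0x5B8)>
ERROR: Invoke(get) failed: 80020009argNum = 0  $$<SMS_AMT_OPERATION_MANAGER><Wed Jun 17 11:49:08.958 2009 E. Australia Standard Time><thread=1464 (0x5B8)>
AMT Operation Worker: AMT machine lenovo.test.lab can't be restarted. Error code: 0x800703E3  $$<SMS_AMT_OPERATION_MANAGER><Wed Jun 17 11:49:08.958 2009 E. Australia Standard Time><thread=1464 (0x5B8)>
'@ -split "`r?`n"

# Split a 32-bit HRESULT into severity bit, facility (11 bits) and code (16 bits).
function ConvertFrom-HResult {
    param([string]$Hex)
    $v = [Convert]::ToInt64($Hex, 16)          # accepts an optional 0x prefix
    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $v
        Failure  = [bool]($v -band 2147483648)
        Facility = [int](($v -shr 16) -band 0x7FF)
        Code     = [int]($v -band 0xFFFF)
    }
}

# Names for the values that occur in the sample (from winerror.h).
$facilityName = @{ 2 = 'FACILITY_DISPATCH'; 7 = 'FACILITY_WIN32' }
$codeName     = @{ '2:9' = 'DISP_E_EXCEPTION'; '7:995' = 'ERROR_OPERATION_ABORTED' }

# ConfigMgr log line: message, then $$<component><timestamp><thread=N (0xHEX)>
$linePattern = '^(?<msg>.*?)\s*\$\$<(?<comp>[^>]+)><(?<time>[^>]+)><thread=(?<tid>\d+)'
$hrPattern   = '(?:Error code: |failed: )(?<hr>(?:0x)?[0-9A-Fa-f]{8})'

$findings = foreach ($line in $sample) {
    if ($line -notmatch $linePattern) { continue }
    # Copy the captures before the next -match overwrites $Matches.
    $msg, $time, $tid = $Matches['msg'], $Matches['time'], $Matches['tid']
    if ($msg -notmatch $hrPattern) { continue }
    $hr = ConvertFrom-HResult $Matches['hr']
    [pscustomobject]@{
        Time     = $time
        Thread   = $tid
        HResult  = $hr.HResult
        Facility = $facilityName[$hr.Facility]
        Meaning  = $codeName["$($hr.Facility):$($hr.Code)"]
        Message  = $msg
    }
}
$findings | Format-List
```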

            • 3. Re: SCCM2K7 Out of Band Management
              smurfphy

              Just another update, although I have not installed the IE6 fix, I have entered the registry key....

               

              1. Click Start, click Run, type regedit, and then click OK.
              2. In the left pane, locate and then click the following registry subkey:
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
              3. On the Edit menu, point to New, and then click Key.
              4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.
              5. On the Edit menu, point to New, and then click DWORD Value.
              6. Type iexplore.exe, and then press ENTER.
              7. On the Edit menu, click Modify.
              8. Type 1 in the Value data box, and then click OK.
              9. Exit Registry Editor.
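
The same registry steps as a script, added here as an example that is not part of the original post or of any Microsoft or Intel tooling. It uses only the key and value names listed in the steps, reads the value back to confirm its type and data, and reports look-alike key names, since a single mistyped character in step 4 leaves the setting without effect. The function names are illustrative.

```powershell
# Key and value names are the ones given in the steps above. Run elevated.
$base  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'
$name  = 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$value = 'iexplore.exe'

function Test-SpnPortFeature {
    # True only if the exact key exists and holds REG_DWORD iexplore.exe = 1.
    $rk = Get-Item -Path (Join-Path $base $name) -ErrorAction SilentlyContinue
    if (-not $rk -or ($rk.GetValueNames() -notcontains $value)) { return $false }
    return ($rk.GetValueKind($value) -eq 'DWord' -and $rk.GetValue($value) -eq 1)
}

function Find-MisspelledFeatureKey {
    # Subkeys that resemble the feature name but are not an exact match,
    # e.g. a transposed letter or a wrong KB number typed in step 4.
    Get-ChildItem -Path $base |
        Where-Object { $_.PSChildName -ne $name -and
                       ($_.PSChildName -like 'FEATURE_IN*PORT*' -or
                        $_.PSChildName -like '*908209*') } |
        ForEach-Object { $_.PSChildName }
}

function Set-SpnPortFeature {
    # Steps 3 to 8: create the key if missing, then write the DWORD value.
    $key = Join-Path $base $name
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    New-ItemProperty -Path $key -Name $value -PropertyType DWord -Value 1 -Force | Out-Null
}

Find-MisspelledFeatureKey |
    ForEach-Object { Write-Warning "Look-alike key, check spelling: $_" }
if (-not (Test-SpnPortFeature)) { Set-SpnPortFeature }
"Feature key correct: $(Test-SpnPortFeature)"
```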
              • 4. Re: SCCM2K7 Out of Band Management
                Trevor.Sullivan

                Steve,

                 

                Yes, that's the registry fix I was referring to. It's required for any version of Internet Explorer, including 6, 7, and 8. Thanks for validating that.

                 

                * Could you try disabling your anti-virus software, and see if that is impacting the connectivity at all?

                * Do you have any firewalls in place that would be preventing traffic from properly flowing?

                * Do the AMT client's forward and reverse DNS records resolve properly using nslookup?

                * Could you try downloading the Intel AMT Developer Toolkit, and see if you can connect to the same AMT device using the Commander utility?

                * What other major software / services are running on the Windows 2003 SP2 server that might interfere with AMT connectivity?

                 

                Cheers,

                 

                Trevor Sullivan

                Systems Engineer

                OfficeMax Corporation

                • 5. Re: SCCM2K7 Out of Band Management
                  smurfphy

                  Hi Trevor,

                   

                  I have made some progress....I had a typo in the IE registry key...I am now able to access the Power Control features of the workstation, I can reboot it etc.  However I had to let the workstation boot into the OS, so that a DNS entry was created.

                   

                  For example.  When I connect a NIC to a brand new workstation, without powering it on, it receives an IP address, however DNS is not updated, and hence I can't power on the workstation via SCCM/oob mgt console.  I switched on the option in DNS to receive NON-secure updates, and the DNS entry was created, but I can't do this in production.

                   

                  How do I get the workstation to create a DNS entry without powering it on?

                   

                  Also, I noticed when remote controlling the workstation, and going into the BIOS etc, sometimes I lose updates to the OOB mgt console, although I can see on the workstation I still have keyboard control. Have you seen this before?

                   

                   

                  Getting closer to making all this stuff work.

                   

                  regards

                   

                  Steve

                  • 6. Re: SCCM2K7 Out of Band Management
                    Trevor.Sullivan

                    Hi Steve,

                     

                    I'm happy that you're making progress with getting this technology functional!

                     

                    It sounds like you might have some permissions issues with DNS in your lab environment. I'm assuming that you're using Microsoft Active Directory Integrated DNS, is this correct? If you have secure updates enabled on the DNS zone, the AMT controllers should still be able to update the DNS records, since they have Active Directory computer accounts. These accounts enable authentication to the Active Directory database directly from AMT. I'm not aware of all the specifics with Microsoft DNS, but you might want to make sure that AMT computer accounts are allowed to perform dynamic updates into your DNS namespace.

                     

                    In order to avoid future DNS resolution issues, you may also want to review your DNS scavenging configuration. If you are scavenging records too frequently, you risk disabling access to AMT devices, as well as reducing their discoverability.

                     

                     

                    ----------------------

                     

                     

                    An Intel engineer would have to provide greater detail about AMT's DNS registration process, but I would assume that the AMT controller should automatically register itself when it starts up. You can remove the power cord from a system, and then plug it back in (without powering it up), and AMT should boot up and register itself in DNS.

                     

                    Cheers,

                     

                    Trevor Sullivan

                    Systems Engineer

                    OfficeMax Corporation

                    • 7. Re: SCCM2K7 Out of Band Management
                      wryork

                      AMT will not update DNS directly.  You will need to enable DDNS via your DHCP server (DHCP server updates DNS).  AMT will not directly update DNS.  That is a new feature forthcoming.

                      • 8. Re: SCCM2K7 Out of Band Management
                        Trevor.Sullivan

                        Thanks for clarifying on that, Bill.

                         

                        Trevor Sullivan

                        Systems Engineer

                        OfficeMax Corporation

                        • 9. Re: SCCM2K7 Out of Band Management
                          smurfphy

                          DNS was the issue.  I am now able to do OOB management.  Thanks for your help Trevor, keep up the good work.  Regards, Steve.

                          • 10. Re: SCCM2K7 Out of Band Management
                            Trevor.Sullivan

                            Congrats on getting it working! Thanks for posting back your results!

                             

                            Trevor Sullivan

                            Systems Engineer

                            OfficeMax Corporation