Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

SCCM2K7 Out of Band Management

idata
Employee
2,466 Views

Hi All,

I have set up a test environment to use vPro and SCCM2007 SP1/R2, and I am having a few issues with the OOB Management. I have been following the quick start guide for vPro and SCCM v1.9.

My test environment consists of two servers and two workstations:

1 x Server 2003 SP2/R2 Ent Ed - Domain Controller, DNS, DHCP, SCCM2k7

1 x Server 2003 SP2/R2 Ent Ed - Member Server - Enterprise CA.

1 x Lenovo workstation - AMT Version 5.1.0

1 x HP7900SFF - AMT Version 5.0.1

I imported the PCs into a custom collection, and the SCCM console says that they are provisioned. I have also checked the CA and an AMT Web Certificate has been issued to the two workstations. However, I am unable to access the Out of Band Management Console on the workstations; the status bar indicates that it is attempting to connect, then it fails. I have also tried to restart the workstation via the Power Control, without success.

When I attempt to restart the workstation the following error is listed in the amtopmgr.log

Error: Failed to get CIM_AssociatedPowerManagementService instance.

I have attached the amtopmgr.log and oobconsole.log files.

Also as a test I tried to navigate to https://lenovo.test.lab:16993 (my test domain and workstation) from the SCCM Server, and it fails, no such site, however when I access the webserver on the workstation via https://:16993 it connects to the website, however I am unable to log in using the credentials I specified in the Out of Band Management Point in the SCCM console. For testing purposes I am using Domain\Administrator, and selecting all options.

I have also checked the provisioning record on the workstation, everything seems to be in order.

Also, (last one) I am using my own minted CA. The CA Hash has been imported into the workstations.

Your help would be appreciated.

0 Kudos
10 Replies
idata
Employee
625 Views

Hi Steve,

Well, at least your provisioning has succeeded, so that would indicate that, from an infrastructure perspective, you've got things configured properly.

Based on the behavior we're seeing here, I suggest that we focus our troubleshooting on the system that you're running the OOB Console on. Can you provide some details about this system?

  1. What OS is it running?
  2. Which Service Pack level?
  3. Is KB960804 installed on top of the ConfigMgr console? (necessary for iAMT v4/5)
  4. What version of WinRM does it have? (Not sure this is necessary)
  5. Is your Intermediate CA Certificate imported into Trusted Root CA store?
  6. Did you apply the IE registry fix for the web interface?

Hopefully we can get this worked out for you soon!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
idata
Employee
624 Views

Hi Trevor,

Here are my answers....

What OS is it running?

Server 2003 Ent ed 32 bit

Which Service Pack level?

SP2

Is KB960804 installed on top of the ConfigMgr console? (necessary for iAMT v4/5)

It was installed, but I reinstalled the hotfix, just in case.

What version of WinRM does it have? (Not sure this is necessary)

As per http://support.microsoft.com/kb/936059

Is your Intermediate CA Certificate imported into Trusted Root CA store?

Yes, checked the certificate path on the SCCM Server, it is ok.

Did you apply the IE registry fix for the web interface?

No, the Server is running IE7.

I am also getting the following error in the AMTOPMGR.log when I attempt to restart the computer.

Session params : https://lenovo.test.lab:16993 , 11001 $$

ERROR: Invoke(get) failed: 80020009argNum = 0 $$

Description: The I/O operation has been aborted because of either a thread exit or an application request. $$

Error: Failed to get CIM_AssociatedPowerManagementService instance.~ $$

AMT Operation Worker: AMT machine lenovo.test.lab can't be restarted. Error code: 0x800703E3 $$

Auto-worker Thread Pool: Error, Can not execute the task successfully after try it 3 times. Remove it from task list.
0 Kudos
idata
Employee
624 Views

Just another update, although I have not installed the IE6 fix, I have entered the registry key....

  1. Click Start, click Run, type regedit, and then click OK.
  2. In the left pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
  3. On the Edit menu, point to New, and then click Key.
  4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.
  5. On the Edit menu, point to New, and then click DWORD Value.
  6. Type iexplore.exe, and then press ENTER.
  7. On the Edit menu, click Modify.
  8. Type 1 in the Value data box, and then click OK.
  9. Exit Registry Editor.
0 Kudos
idata
Employee
624 Views

Steve,

Yes, that's the registry fix I was referring to. It's required for any version of Internet Explorer, including 6, 7, and 8. Thanks for validating that.

* Could you try disabling your anti-virus software, and see if that is impacting the connectivity at all?

* Do you have any firewalls in place that would be preventing traffic from properly flowing?

* Do the AMT client's forward and reverse DNS records resolve properly using nslookup?

* Could you try downloading the Intel AMT Developer Toolkit (http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/), and see if you can connect to the same AMT device using the Commander utility?

* What other major software / services are running on the Windows 2003 SP2 server that might interfere with AMT connectivity?

Cheers,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
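The forward and reverse DNS check suggested in the reply above, together with a reachability probe of the AMT TLS port, as an added example that is not part of the original thread. The host name `lenovo.test.lab` and port 16993 come from the thread; the function names are hypothetical, and the script is meant to be run on the machine hosting the OOB console.

```python
import socket

AMT_TLS_PORT = 16993  # port from the thread's https://lenovo.test.lab:16993 URL

def forward_lookup(fqdn):
    """Return the IPv4 addresses the name resolves to ([] if it does not resolve)."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except OSError:
        return []

def reverse_lookup(ip):
    """Return the PTR name for an address (None if there is no reverse record)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def port_open(ip, port=AMT_TLS_PORT, timeout=3.0):
    """True if a TCP connection to the AMT TLS port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_amt_dns(fqdn, forward=forward_lookup, reverse=reverse_lookup, probe=port_open):
    """Classify the DNS state of one AMT client as seen from the console machine."""
    addrs = forward(fqdn)
    if not addrs:  # the console cannot even build the https://<fqdn>:16993 session
        return {"fqdn": fqdn, "status": "NO_A_RECORD", "addresses": []}
    findings = []
    for ip in addrs:
        ptr = reverse(ip)
        if ptr is None:
            state = "NO_PTR"
        elif ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            state = "PTR_MISMATCH"  # stale or reused DHCP lease pointing elsewhere
        else:
            state = "OK"
        findings.append({"ip": ip, "ptr": ptr, "dns": state, "port_16993": probe(ip)})
    ok = all(f["dns"] == "OK" for f in findings)
    return {"fqdn": fqdn, "status": "OK" if ok else "DNS_INCONSISTENT", "addresses": findings}

if __name__ == "__main__":
    print(check_amt_dns("lenovo.test.lab"))
```

A `NO_A_RECORD` result alongside a port that answers when addressed by IP matches the symptom in the first post: the AMT web server is up, but the name the console connects to is not registered.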
idata
Employee
624 Views

Hi Trevor,

I have made some progress... I had a typo in the IE registry key... I am now able to access the Power Control features of the workstation, I can reboot it etc. However I had to let the workstation boot into the OS, so that a DNS entry was created.

For example. When I connect a NIC to a brand new workstation, without powering it on, it receives an IP address, however DNS is not updated, and hence I can't power on the workstation via SCCM/oob mgt console. I switched on the option in DNS to receive NON-secure updates, and the DNS entry was created, but I can't do this in production.

How do I get the workstation to create a DNS entry without powering it on?

Also, I noticed when remote controlling the workstation, and going into the BIOS etc, sometimes I lose updates to the OOB mgt console, although I can see on the workstation I still have keyboard control, have you seen this before?

Getting closer to make all this stuff work.

regards

Steve

0 Kudos
idata
Employee
624 Views

Hi Steve,

I'm happy that you're making progress with getting this technology functional!

It sounds like you might have some permissions issues with DNS in your lab environment. I'm assuming that you're using Microsoft Active Directory Integrated DNS, is this correct? If you have secure updates enabled on the DNS zone, the AMT controllers should still be able to update the DNS records, since they have Active Directory computer accounts. These accounts enable authentication to the Active Directory database directly from AMT. I'm not aware of all the specifics with Microsoft DNS, but you might want to make sure that AMT computer accounts are allowed to perform dynamic updates into your DNS namespace.

In order to avoid future DNS resolution issues, you may also want to review your DNS scavenging configuration. If you are scavenging records too frequently, you risk disabling access to AMT devices, as well as reducing their discoverability.

----------------------

An Intel engineer would have to provide greater detail about AMT's DNS registration process, but I would assume that the AMT controller should automatically register itself when it starts up. You can remove the power cord from a system, and then plug it back in (without powering it up), and AMT should boot up and register itself in DNS.

Cheers,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
William_Y_Intel
Employee
624 Views

AMT will not update DNS directly. You will need to enable DDNS via your DHCP server (DHCP server updates DNS). AMT will not directly update DNS. That is a new feature forthcoming.

0 Kudos
idata
Employee
624 Views

Thanks for clarifying on that, Bill.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
idata
Employee
624 Views

DNS was the issue. I am now able to do OOB management. Thanks for your help Trevor, keep up the good work. Regards, Steve.

0 Kudos
idata
Employee
624 Views

Congrats on getting it working! Thanks for posting back your results!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos