I have set up a test environment to use vPro and SCCM2007 SP1/R2, and I am having a few issues with the OOB Management. I have been following the quick start guide for vPro and SCCM v1.9.
My test environment consists of two servers and two workstations:
1 x Server 2003 SP2/R2 Ent Ed - Domain Controller, DNS, DHCP, SCCM2k7
1 x Server 2003 SP2/R2 Ent Ed - Member Server - Enterprise CA.
1 x Lenovo workstation - AMT Version 5.1.0
1 x HP7900SFF - AMT Version 5.0.1
I imported the PCs into a custom collection, and the SCCM console says that they are provisioned. I have also checked the CA and an AMT Web Certificate has been issued to the two workstations. However, I am unable to access the Out of Band Management Console on the workstations; the status bar indicates that it is attempting to connect, then it fails. I have also tried to restart the workstation via the Power Control, without success.
When I attempt to restart the workstation the following error is listed in the amtopmgr.log
Error: Failed to get CIM_AssociatedPowerManagementService instance.
I have attached the amtopmgr.log and oobconsole.log files.
Also, as a test I tried to navigate to https://lenovo.test.lab:16993 (my test domain and workstation) from the SCCM Server, and it fails, no such site. However, when I access the webserver on the workstation via https://:16993 it connects to the website, but I am unable to log in using the credentials I specified in the Out of Band Management Point in the SCCM console. For testing purposes I am using Domain\Administrator, and selecting all options.
I have also checked the provisioning record on the workstation, everything seems to be in order.
Also, (last one) I am using my own minted CA. The CA Hash has been imported into the workstations.
Your help would be appreciated.
Well, at least your provisioning has succeeded, so that would indicate that, from an infrastructure perspective, you've got things configured properly.
Based on the behavior we're seeing here, I suggest that we focus our troubleshooting on the system that you're running the OOB Console on. Can you provide some details about this system?
- What OS is it running?
- Which Service Pack level?
- Is KB960804 installed on top of the ConfigMgr console? (necessary for iAMT v4/5)
- What version of WinRM does it have? (Not sure this is necessary)
- Is your Intermediate CA Certificate imported into Trusted Root CA store?
- Did you apply the IE registry fix for the web interface?
Hopefully we can get this worked out for you soon!
Here are my answers....
What OS is it running?
Server 2003 Ent ed 32 bit
Which Service Pack level?
Is KB960804 installed on top of the ConfigMgr console? (necessary for iAMT v4/5)
It was installed, but I reinstalled the hotfix, just in case.
What version of WinRM does it have? (Not sure this is necessary)
As per http://support.microsoft.com/kb/936059
Is your Intermediate CA Certificate imported into Trusted Root CA store?
Yes, checked the certificate path on the SCCM Server, it is OK.
Did you apply the IE registry fix for the web interface?
No, the Server is running IE7.
I am also getting the following error in the AMTOPMGR.log when I attempt to restart the computer.
ERROR: Invoke(get) failed: 80020009argNum = 0 $$
Description: The I/O operation has been aborted because of either a thread exit or an application request. $$
Error: Failed to get CIM_AssociatedPowerManagementService instance.~ $$
AMT Operation Worker: AMT machine lenovo.test.lab can't be restarted. Error code: 0x800703E3 $$
Auto-worker Thread Pool: Error, Can not execute the task successfully after try it 3 times. Remove it from task list.
Just another update, although I have not installed the IE6 fix, I have entered the registry key....
- Click Start, click Run, type regedit, and then click OK.
- In the left pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
- On the Edit menu, point to New, and then click Key.
- Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.
- On the Edit menu, point to New, and then click DWORD Value.
- Type iexplore.exe, and then press ENTER.
- On the Edit menu, click Modify.
- Type 1 in the Value data box, and then click OK.
- Exit Registry Editor.
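A check for the FeatureControl setting listed in the steps above, given as an added example that is not part of the original posts: it reports a missing or misspelled subkey or value name and, with -Fix, writes the value. The function name Test-SpnPortFeature and the patterns used to spot similarly named keys are assumptions made for illustration.

```powershell
# Added example: audit (and optionally repair) the FeatureControl setting above.
# Test-SpnPortFeature is a hypothetical helper name, not part of any product.
$Feature   = 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$ValueName = 'iexplore.exe'

function Test-SpnPortFeature {
    param(
        [string]$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
        [switch]$Fix
    )
    $keyPath = Join-Path $BasePath $Feature
    $result  = New-Object PSObject -Property @{ Ok = $false; Reason = ''; Found = @() }

    if (-not (Test-Path -LiteralPath $keyPath)) {
        # Exact subkey is absent: list similarly named siblings, which is how a typo shows up.
        $result.Reason = "Subkey $Feature is missing"
        $result.Found  = @(Get-ChildItem -LiteralPath $BasePath -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '*SPN*' -or $_.PSChildName -like '*908209*' } |
            ForEach-Object { $_.PSChildName })
    } else {
        $key   = Get-Item -LiteralPath $keyPath
        $names = @($key.GetValueNames())
        if ($names -notcontains $ValueName) {
            # Subkey exists but the value name is wrong or absent: show what is there.
            $result.Reason = "Value $ValueName is missing"
            $result.Found  = $names
        } elseif ($key.GetValueKind($ValueName) -ne 'DWord') {
            $result.Reason = "Value $ValueName is not a DWORD"
        } elseif ($key.GetValue($ValueName) -ne 1) {
            $result.Reason = "Value $ValueName is $($key.GetValue($ValueName)), expected 1"
        } else {
            $result.Ok     = $true
            $result.Reason = 'Configured as described'
        }
    }

    if ($Fix -and -not $result.Ok) {
        # Create the subkey if needed, then write iexplore.exe = 1 as a DWORD.
        if (-not (Test-Path -LiteralPath $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        return Test-SpnPortFeature -BasePath $BasePath
    }
    return $result
}

Test-SpnPortFeature | Format-List Ok, Reason, Found
```

Run it from an elevated prompt on the machine that hosts the console; the -Fix switch writes to HKEY_LOCAL_MACHINE.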
Yes, that's the registry fix I was referring to. It's required for any version of Internet Explorer, including 6, 7, and 8. Thanks for validating that.
* Could you try disabling your anti-virus software, and see if that is impacting the connectivity at all?
* Do you have any firewalls in place that would be preventing traffic from properly flowing?
* Do the AMT client's forward and reverse DNS records resolve properly using nslookup?
* Could you try downloading the Intel AMT Developer Toolkit (http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/), and see if you can connect to the same AMT device using the Commander utility?
* What other major software / services are running on the Windows 2003 SP2 server that might interfere with AMT connectivity?
I have made some progress....I had a typo in the IE registry key...I am now able to access the Power Control features of the workstation, I can reboot it etc. However I had to let the workstation boot into the OS, so that a DNS entry was created.
For example, when I connect a NIC to a brand new workstation, without powering it on, it receives an IP address; however, DNS is not updated, and hence I can't power on the workstation via SCCM/oob mgt console. I switched on the option in DNS to receive NON-secure updates, and the DNS entry was created, but I can't do this in production.
How do I get the workstation to create a DNS entry without powering it on?
Also, I noticed when remote controlling the workstation, and going into the BIOS etc, sometimes I lose updates to the OOB mgt console, although I can see on the workstation I still have keyboard control. Have you seen this before?
Getting closer to making all this stuff work.
I'm happy that you're making progress with getting this technology functional!
It sounds like you might have some permissions issues with DNS in your lab environment. I'm assuming that you're using Microsoft Active Directory Integrated DNS, is this correct? If you have secure updates enabled on the DNS zone, the AMT controllers should still be able to update the DNS records, since they have Active Directory computer accounts. These accounts enable authentication to the Active Directory database directly from AMT. I'm not aware of all the specifics with Microsoft DNS, but you might want to make sure that AMT computer accounts are allowed to perform dynamic updates into your DNS namespace.
In order to avoid future DNS resolution issues, you may also want to review your DNS scavenging configuration. If you are scavenging records too frequently, you risk disabling access to AMT devices, as well as reducing their discoverability.
An Intel engineer would have to provide greater detail about AMT's DNS registration process, but I would assume that the AMT controller should automatically register itself when it starts up. You can remove the power cord from a system, and then plug it back in (without powering it up), and AMT should boot up and register itself in DNS.