SCCM multiple processing same .DDR file

swissdmr 96 Reputation points
2020-09-16T12:29:34.053+00:00

Hi all
In SCCM (MECM) 2002 we see many errors in the component status for SMS_DISCOVERY_DATA_MANAGER. The error says:

Could not open file "D:\SCCM\inboxes\auth\ddm.box\Q8P5K2BF.DDR" for reading.

If I take a look at the ddm.log, I can see that the file Q8P5K2BF.DDR gets successfully processed --> CDiscoverDataManager::ProcessDDRs_PS - finished processing file D:\SCCM\inboxes\auth\ddm.box\Q8P5K2BF.DDR.
A little bit further down the log, I can see that it starts to process the same DDR file again. The finished and the processing file messages were written at the same time (even the 54 seconds match): 9:33:54 AM

These are the lines that we get at the second/third/fourth time:
Processing file Q8P5K2BF.DDR
CDiscoverDataManager::ProcessDDRs_PS - unable to open source file
STATMSG: ID=530 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISCOVERY_DATA_MANAGER" SYS=primary.DOM.ORG SITE=ZH1 PID=2692 TID=11692 GMTDATE=Wed Sep 16 09:33:54.991 2020 ISTR0="D:\SCCM\inboxes\auth\ddm.box\Q8P5K2BF.DDR" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
Moving bad file Q8P5K2BF.DDR to D:\SCCM\inboxes\auth\ddm.box\BAD_DDRS\Q8P5K2BF.DDR.
CDiscoverDataManager::ProcessDDRs_PS - Unable to move file D:\SCCM\inboxes\auth\ddm.box\Q8P5K2BF.DDR to D:\SCCM\inboxes\auth\ddm.box\BAD_DDRS\Q8P5K2BF.DDR

We have one primary site, 3 MPs and about 70 DPs. Primary and MPs are all on UTC, DPs are on client local time. We had the same behavior with our Antivirus turned off on all SCCM systems (Primary, MPs, DPs).
Does someone know this issue?
Let me know, if you need more information.

Microsoft Configuration Manager

Accepted answer
  1. swissdmr 96 Reputation points
    2021-05-12T06:13:08.677+00:00

    If someone else is facing issues with the Microsoft Defender / Windows Security, here's the list with the exclusions I got from MS support (why make it official when you can hide it ;) --> https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/configuration-manager-current-branch-antivirus-exclusions/ba-p/884831

    In the end we were not able to distribute new software, because the package snapshot was also blocked by the Microsoft Defender. And the official exclusions were all made.
    But yeah, looks like these two Microsoft products (SCCM + Windows Defender) play against each other haha...


2 additional answers

  1. Garth Jones 2,071 Reputation points
    2020-09-16T19:14:54.91+00:00

    Have you used procmon to see why it can't be copied?


  2. swissdmr 96 Reputation points
    2020-10-20T14:24:36.293+00:00

    Hi together

    Thank you for your help, I think I was able to resolve most of the errors :).
    We had set a "Hardware Inventory Class" in the "Default Client settings" (Administration, Client Settings) which was not working anymore. I don't know if it was a custom one, but the name was something with pOffice. There was the following error in the SMS_Inventory_Data_Loader -->

    Microsoft SQL Server reported SQL message 8152, severity 16: [22001][8152][Microsoft][SQL Server Native Client 11.0][SQL Server]String or binary data would be truncated. : pOFFICE_PRODUCTINFO_DATA
    Please refer to your Configuration Manager documentation, SQL Server documentation, or the Microsoft Knowledge Base for further troubleshooting information.
    

    After I removed this Class, the errors decreased more and more. At the moment we still get errors sometimes, but that's probably normal and everything works so far and is green (PXE, primary user, software assignment, hardware inventory etc.). We also had to define some exclusions in our Antivirus (folders and file types like mif, ddr etc.). But most of the exclusions were already made before, except for the MIF one.

    What I also saw was the following:
    If the AV was off, the Windows Defender Advanced Threat Protection was still running and also investigating files in the inboxes folder (used procmon for that). These files were the same ones that SCCM wants to process or move (DDR, MIF etc.). We also disabled ATP in the end, but the errors were still there. But I'd say fewer errors were generated.

    Because of that, my question now is the following: Is it possible that the ATP is investigating these files and at the same time SCCM wants to process these files but is not able to (because sense (ATP) is blocking these files because it's investigating)? Due to that, SCCM is not able to move or process these files for the moment (even if it's only for 1ms) and generates an error because of this?

    Kind regards
    swissdmr
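
One way to measure the pattern described in the question from ddm.log, as an added example that is not part of the original thread: it counts DDR files that are picked up again after a "finished processing" line and how often the re-open or the move to BAD_DDRS then failed. The message patterns are taken from the log lines quoted above; the sample lines and the file name A1B2C3D4.DDR are constructed, and the script assumes the lines of one processing pass appear in order.

```python
import re
from collections import defaultdict

# Message patterns copied from the ddm.log lines quoted in the question.
FINISHED = re.compile(r"finished processing file .*?([^\\\s]+\.DDR)", re.I)
STARTED = re.compile(r"Processing file ([^\\\s]+\.DDR)")
OPEN_FAIL = re.compile(r"unable to open source file")
MOVE_FAIL = re.compile(r"Unable to move file .*?([^\\\s]+\.DDR) to ")


def find_reprocessed_ddrs(lines):
    """Return {ddr_name: counters} for files picked up again after 'finished'."""
    finished = set()
    stats = defaultdict(lambda: {"reprocessed": 0, "open_failed": 0, "move_failed": 0})
    current = None  # file named by the most recent 'Processing file' line
    for line in lines:
        if m := FINISHED.search(line):
            finished.add(m.group(1).upper())
        elif m := STARTED.search(line):
            current = m.group(1).upper()
            if current in finished:
                stats[current]["reprocessed"] += 1
        elif OPEN_FAIL.search(line) and current in finished:
            stats[current]["open_failed"] += 1
        elif m := MOVE_FAIL.search(line):
            name = m.group(1).upper()
            if name in finished:
                stats[name]["move_failed"] += 1
    return dict(stats)


# Constructed sample modelled on the lines in the question (not a real log).
SAMPLE = r"""Processing file A1B2C3D4.DDR
CDiscoverDataManager::ProcessDDRs_PS - finished processing file D:\SCCM\inboxes\auth\ddm.box\A1B2C3D4.DDR.
Processing file Q8P5K2BF.DDR
CDiscoverDataManager::ProcessDDRs_PS - finished processing file D:\SCCM\inboxes\auth\ddm.box\Q8P5K2BF.DDR.
Processing file Q8P5K2BF.DDR
CDiscoverDataManager::ProcessDDRs_PS - unable to open source file
Moving bad file Q8P5K2BF.DDR to D:\SCCM\inboxes\auth\ddm.box\BAD_DDRS\Q8P5K2BF.DDR.
CDiscoverDataManager::ProcessDDRs_PS - Unable to move file D:\SCCM\inboxes\auth\ddm.box\Q8P5K2BF.DDR to D:\SCCM\inboxes\auth\ddm.box\BAD_DDRS\Q8P5K2BF.DDR
Processing file Q8P5K2BF.DDR
CDiscoverDataManager::ProcessDDRs_PS - unable to open source file
""".splitlines()

if __name__ == "__main__":
    for name, counters in find_reprocessed_ddrs(SAMPLE).items():
        print(name, counters)
```

Comparing these counts before and after an antivirus exclusion change shows whether the change actually reduced the repeated processing.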