Troubleshooting MDM Setup Issues

2/9/2009

This section contains common issues encountered during System Center Mobile Device Manager Setup, which consists of separate Windows Installer (.msi) packages for MDM Device Management Server, MDM Enrollment Server, and the MDM Administrator Tools.

Setup Log Files

As you install each .msi package, Windows Installer gathers information and writes it to the MDMsetup.log file. Depending on the specific server, this log file is located in the Temp, System Temp, or User Temp directory. You should check the following log files for details that might help you troubleshoot MDM:

  • Windows Installer version 3.1 .msi logs - If you run Setup from the MDM splash screen, the .msi logs have friendly names, for example DM.log, Enrollment.log, and AdminTools.log. If you run Setup at a command prompt, no logging is performed unless you use the /L or /L*v parameter.
    You can specify the log name by adding /L and a log file name to the command line. Search the log for Return value 3 and examine the section immediately before it; that section contains the custom action that failed. By default, SCMDMsetup.log is located in the Temp directory.
  • Verbose Windows Installer log - To find the source of an error, generate and analyze a verbose log file. You can use the WILogUtl.exe tool from the Windows Installer SDK. You can enable logging with a Windows Installer logging policy, or by appending /L*v <path of log name.log> to the MSIExec command line.
  • MDMsetup.log - The MDMsetup.log file contains information that is collected from MDM component .msi installation logs. However, it does not contain verbose installer data, and does not report return values for the different custom actions. You can obtain the return values and more comprehensive information from the .msi logs for each MDM component installation.
  • VPNGateway.log - MDM Setup logs do not record the installation of MDM Gateway Server or other .msi-based installations for prerequisites. However, MDM Gateway Server Setup creates the Gateway.log file on the computer that is running MDM Gateway Server. By default, Gateway.log is located in the Temp directory.
  • Application event log - Windows Installer records installation information, such as successful and failed operations, in this event log.
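
The search described above (find Return value 3, then read the lines logged just before it) is easy to automate. The following PowerShell function is an added example, not part of MDM or its Setup; it assumes a verbose log produced with /L*v, and the sample log it writes to %TEMP% is constructed for illustration (the action name ProvisionDatabase is hypothetical, not a documented MDM custom action).

```powershell
# Added example: locate the failing action in a verbose Windows Installer log.
# Windows Installer records "Action ended <time>: <ActionName>. Return value 3."
# when an action fails; the lines logged just before that are where a custom
# action writes its own error text (for example "Error 4020 ...").
function Find-MsiFailedAction {
    param(
        [Parameter(Mandatory = $true)][string]$LogPath,
        [int]$Context = 15   # number of preceding lines to return
    )
    $lines = @(Get-Content -Path $LogPath)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^Action ended \S+: (?<action>\S+)\. Return value 3\.') {
            $start = [Math]::Max(0, $i - $Context)
            [pscustomobject]@{
                Line    = $i + 1
                Action  = $Matches['action']
                Context = $lines[$start..$i]
            }
        }
    }
}

# Constructed sample resembling the relevant lines of an MDM server .msi log.
# The top-level INSTALL action also reports "Return value 3" once any action has
# failed, so the first hit is the culprit; later hits are the rollup.
$sample = @'
MSI (s) (A0:B4) [12:00:01:000]: Doing action: ProvisionDatabase
Action start 12:00:01: ProvisionDatabase.
MSI (s) (A0:B4) [12:00:02:000]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI1A.tmp, Entrypoint: ProvisionDatabase
Error 4020. Database provisioning failed. Setup will rollback all changes.
Action ended 12:00:05: ProvisionDatabase. Return value 3.
Action ended 12:00:05: INSTALL. Return value 3.
'@
$logFile = Join-Path $env:TEMP 'sample-enrollment.log'
Set-Content -Path $logFile -Value $sample

Find-MsiFailedAction -LogPath $logFile -Context 5 | ForEach-Object {
    "Line $($_.Line): action '$($_.Action)' failed; preceding log lines:"
    $_.Context | ForEach-Object { "    $_" }
}
```

Run it against DM.log or Enrollment.log instead of the sample file; the first object returned names the custom action that failed, and its Context property holds the error text that the MDMsetup.log summary omits.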

Active Directory Configuration Tool

With the Active Directory Configuration Tool (ADConfig), you configure Active Directory and create the required objects, groups, and certificate templates for MDM Setup. ADConfig does not modify or remove inherited permissions; therefore, inherited permissions apply to the Active Directory objects that ADConfig creates. ADConfig lets you do the following:

  • Create the Active Directory Universal Security Groups and containers for MDM.
  • Add the service connection point (SCP) for MDM.
  • Create and enable the MDM certificate templates on the enterprise certification authority.

ADConfig is in the ADConfig directory of the MDM installation disc, and you start it at a command prompt as described in the following sections. Before you run it, note the following requirements:

  • You must run ADConfig from a computer or server that is in the same site and domain as the MDM system servers.
  • You must allow enough time for the changes to replicate across all domain controllers before you continue with the next step in the process.
  • You must run ADConfig from a secure local location, not from a network share.
  • You must have Domain Administrator or equivalent permissions to create the Universal Security Groups (USGs), the SCP, and organizational units (OUs).
  • You must have Enterprise Administrator (or equivalent) credentials to create new templates in the enterprise, because the templates are created in the Active Directory configuration container, which is accessible by all domains in the forest.
  • You must have Enterprise Administrator permissions and Administrator permissions on the certification authority to enable certificate templates and grant revocation permissions on the certification authority.
  • For the Group Policy security parameters, depending on the options that you select, you must have Domain Administrator permissions, Schema Administrator permissions, or permissions on a specific GPO.

Do not place objects in MDM Server or other infrastructure groups. Do not add objects, users, or containers to the following:

  • SCMDM Infrastructure Groups (<instance name>) OU
  • SCMDMDeviceManagementServers (<instance name>) Group
  • SCMDMEnrollmentServers (<instance name>) Group
  • SCMDMEnrolledDevices (<instance name>) Group
  • SCMDMSelfServiceServers (<instance name>) Group

You may add objects into the SCMDM Managed Devices organizational unit.

Active Directory Configuration Issues

Make sure that you have the appropriate permissions to run the ADConfig commands. The following shows the required permissions for each command.

Command and required permissions

ADConfig.exe /createinstance:<instance name> /domain:<domain name>
    The user must be a member of the Domain Administrators group.

ADConfig.exe /removeinstance:<instance name> /domain:<domain name>
    The user must be a member of the Domain Administrators group.

ADConfig.exe /enableinstance:<instance name> /domain:<domain name>
    The user must be a member of the Domain Administrators group.

ADConfig.exe /disableinstance:<instance name> /domain:<domain name>
    The user must be a member of the Domain Administrators group.

ADConfig.exe /createtemplates:<instance name>
    The user must be a member of the Enterprise Administrators group.

ADConfig.exe /removetemplates:<instance name>
    The user must be a member of the Enterprise Administrators group.

ADConfig.exe /enabletemplates:<instance name> /ca:<ca_server_name>\<ca_name>
    The user must be a member of the Domain Administrators group and have Administrator permissions on the certification authority in order to set certification authority permissions. Adding the templates to the certification authority object in Active Directory also requires Enterprise Administrator permissions.

ADConfig.exe /disabletemplates:<instance name> /ca:<ca_server_name>\<ca_name>
    The user must be a member of the Domain Administrators group and have Administrator permissions on the certification authority in order to set certification authority permissions. Removing the templates from the certification authority object in Active Directory also requires Enterprise Administrator permissions.

ADConfig.exe /enablegpsecurity:<instance name> /domain:<domain name> /gpo:default
    The user must be a member of the Schema Administrators group.

ADConfig.exe /disablegpsecurity:<instance name> /domain:<domain name> /gpo:default
    The user must be a member of the Schema Administrators group.

For more information about running each of these commands, see ADConfig Tool. After running ADConfig, allow time for the Active Directory changes to replicate fully before installing the MDM servers.

Note

If the user who runs ADConfig subsequently installs the .msi packages, then this user must log off and then log back on after running the ADConfig commands, and before installing the MDM servers.

System Containers, SCP, and Security Groups

Do not move or rename the system-level containers and the service connection point (SCP). You can rename any of the friendly names for Universal Security Groups created by MDM, but not the samAccountName.

To remove the system containers, the SCP, and security groups created by ADConfig, you must first uninstall all MDM servers, and then remove these groups by using ADConfig. For more information, see the MDM 2008 Deployment Guide and MDM Operations Guide.

Cannot Connect to Domain Controller: The Server Is Not Operational

If you receive the error Unknown Error 0x80005000: The server is not operational while you are running the ADConfig.exe /createinstance command, then the domain controller is offline or unreachable.

To resolve this issue, follow these steps:

  • Make sure that all domains in the forest are functioning correctly, and that all domain controllers are online and reachable through the Domain Name System (DNS).
  • Make sure that all MDM servers are in the same domain; while a domain forest can have multiple domains, MDM does not support multiple MDM servers in different domains.
  • Check the DNS configuration for appropriate network routing.
  • Connect to the domain controller by using ADSIEdit, which resolves the target server through DNS. If this connection succeeds, then DNS configuration is not the issue. For more information about this tool, see Adsiedit Overview at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109940.
  • Connect to the domain controller by using LDP.EXE and specify the controller's IP address rather than its name, which bypasses DNS. If this connection succeeds while the name-based connection fails, then DNS configuration is likely the issue.
  • Run nslookup against a different DNS server. If the lookup succeeds there but not against the configured server, then the configured DNS server is likely the issue.

Non-Functional Domains

If non-functional domains exist in the forest, or the forest has multiple domains and some of their domain controllers cannot be reached, then MDM encounters an unknown error when it checks the domain mode.

If you receive the error Checking the domain mode of domain <Domain1> in forest <Forest1> failed with an exception while running the ADConfig.exe /createinstance command, then either the Active Directory forest has domains that are not functioning properly, or the domain controllers for these domains are not reachable.

To resolve this issue, follow the steps in the Cannot Connect to Domain Controller: The Server Is Not Operational section above.

Error Creating Certificate Templates

If you receive errors while you create certificate templates by using the ADconfig.exe /createtemplates:<instance name> command, make sure that the logged-on user account has Enterprise Administrator credentials, and then try to create the certificate templates manually. For more information about how to create certificate templates manually, see Manual Certificate Procedures in the MDM Deployment Guide.

You should also make sure that the following certificate templates exist:

  • WebServer
  • Workstation

By default, these templates are created when you install the first certification authority. These templates must exist for the MDM certificate templates to be created properly.

Error Enabling Certificate Templates

If you receive errors while you enable certificate templates by using the ADconfig.exe /enabletemplates:<instance name> /ca:<ca server>\<ca name> command, follow these steps:

  • Make sure that the certification authority server is running the Windows Server 2003 Enterprise Edition operating system with SP2. MDM does not support certification authority servers that are running Windows Server 2003 Standard Edition.
  • Make sure that the logged-on user account has the following permissions:
    • Administrator permissions on the certification authority for setting certification authority permissions.
    • Enterprise Administrator permissions for adding the templates to the certification authority object in Active Directory.

Setting Up Multiple MDM Servers

When setting up multiple MDM servers, allow some time for replication to complete after installing the first MDM Enrollment Server or first MDM Device Management Server. Also, allow some time for replication to complete after running ADConfig, and before installing the first MDM Enrollment Server or MDM Device Management Server.

To install MDM Enrollment Server or MDM Device Management Server, you must be a member of the SCMDMServerAdmins group in Active Directory and of the local Administrators group on the computer where you are installing MDM. If you add members to a group, log off and then log back on before running MDM Setup.

Database Provisioning Failed

If you receive the error message Event 10005: Error 4020. Database provisioning failed. Setup will rollback all changes, it may occur for one or more of the following reasons:

  • Authentication, Domain Name System (DNS), or network issues contacting the SQL Server database
  • Incompatibility between Microsoft SQL Server and Windows-based operating system versions
  • Unsupported topology
  • Corrupted database (see the following section, Manually Deleting the Database .mdf File)

To help troubleshoot this issue, verify that you can reach the SQL Server by FQDN and IP address from MDM Enrollment Server. Check the Windows Installer .msi and server event log files for more information. Look for the SQL Server error to get an indication of the problem. If the log information is inconclusive, then check the log files on the SQL Server computer, or traces from SQL Server.

Manually Deleting the Database .Mdf File

During MDM uninstall, Microsoft SQL Server may drop the MDM database, but leave the corresponding .ldf and .mdf files in their existing locations. This generates a database provisioning error and causes Setup to fail if you reinstall MDM.

If you intend to drop the database during uninstall, you should check after uninstallation is complete to make sure that the .ldf and .mdf files were removed. If they still exist, delete them manually.

By default, these files are located in the %SystemDrive%\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data directory.

Database Log File Has Changed

If you change or move the database log (.ldf) file, subsequent installations may fail. If an orphaned .ldf file remains in the default log location while the corresponding .mdf file is absent, MDM Setup fails with a database provisioning error; the error is recorded in the setup log.

Unexpected Error Writing to Database

If you receive the error message Unexpected error "<specific error message>" writing to database, then it is likely that there are connectivity issues with the SQL Server database. To resolve this issue, check database connectivity and configuration.

If you are restoring MDM databases, you may receive either of the following event messages:

  • Event 6201: The configuration loader for the AdminDataAccess component was unable to access the database. Configuration items for this component may be out of date.
  • Event 6104: The AdminDataAccess component has failed to connect to the admin services database. The component will retry the connection.

To resolve this issue, change the database owner to a valid login or domain user. For more information about this issue, please visit the following Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=132125.

Failed to Reset Active Directory Service Connection Point

When there is a problem writing data to the MDM service connection point (SCP) in Active Directory, you receive the error message Event 10005: Error 4033. Failed to reset the Active Directory Service Connection Point. This error message can also occur if you install MDM in different domains, as all MDM servers must be members of the same Active Directory domain and site. The certification authority server must be a member of the same site, but not necessarily the same domain.

Check the following to troubleshoot this error:

  • Verify that all computers running MDM Enrollment Server and MDM Device Management Server are in the same domain that ADConfig configures. This tool creates Active Directory objects in the specified domain. Therefore, you should install MDM in the specified domain also.
  • Make sure that the computer running SQL Server meets all the software and hardware requirements. For information about these requirements, see System Requirements for MDM Servers and Managed Devices.
  • Make sure that the computer that is running SQL Server is in the same domain as the MDM system.
  • Verify that the account has access (Windows Integrated Authentication) to Active Directory.
  • Verify that you can reach the computer that is running SQL Server by FQDN and IP address from MDM Enrollment Server.
  • If you are reinstalling MDM, but using a different SQL Server database or instance name, then make sure that the Active Directory SCP is fully removed. When the database is fully removed, the keywords for the SCP should be database= and sqlinstance=, with no values entered.
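
The last check above (the SCP keywords should read database= and sqlinstance= with no values) can be done without opening ADSIEdit. The following PowerShell function is an added example, not part of MDM; because the page does not name the SCP's container, it locates the object by searching the domain for service connection points whose keywords carry the sqlinstance= prefix, which is an assumption about how MDM populates that attribute.

```powershell
# Added example: report the database= and sqlinstance= keyword values of the
# MDM service connection point(s) and whether both are empty. Read-only.
# Assumes the SCP is a serviceConnectionPoint object under the default naming
# context whose keywords attribute uses the "database=" and "sqlinstance=" prefixes.
function Get-MdmScpKeywordState {
    param(
        [string]$SearchRoot = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchRoot"
    # '=' inside an LDAP filter value needs no escaping; only * ( ) \ and NUL do.
    $searcher.Filter = '(&(objectClass=serviceConnectionPoint)(keywords=sqlinstance=*))'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'keywords'))

    foreach ($result in $searcher.FindAll()) {
        $keywords = @($result.Properties['keywords'])
        $db  = $keywords | Where-Object { $_ -like 'database=*' }    |
               ForEach-Object { $_.ToString().Substring('database='.Length) }
        $sql = $keywords | Where-Object { $_ -like 'sqlinstance=*' } |
               ForEach-Object { $_.ToString().Substring('sqlinstance='.Length) }
        [pscustomobject]@{
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            Database          = [string]$db
            SqlInstance       = [string]$sql
            # Reinstalling against a different database or instance is safe only
            # when both values are empty, as the troubleshooting step above requires.
            Cleared           = ([string]$db -eq '' -and [string]$sql -eq '')
        }
    }
}

Get-MdmScpKeywordState | Format-List
```

Run it as a domain user on a domain-joined computer; an SCP that reports Cleared : False still names the old database or instance and must be cleaned up (via ADSIEdit or the ADConfig removal sequence) before Setup is rerun.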

MDM Certificates Not Installed on Certification Authority Server

At Setup, every computer that is running MDM, except for the non-domain joined MDM Gateway Server, installs a certificate from the certification authority. If the certificates are not created on the certification authority server, there is likely a connectivity issue and MDM cannot access the certification authority server.

To resolve this issue, check the following:

  • Verify that you ran the ADConfig.exe /createtemplates and ADConfig.exe /enabletemplates commands.
  • During Setup, select the option to request certificates on the corresponding page of the Setup Wizard.
  • Make sure that you have permissions on the templates and certification authority. For information about the required permissions on the certification authority, see Enable Certificate Templates on a Certification Authority Server.

After you resolve issues to access the certification authority server, create the MDM certificates manually. For more information about how to create MDM certificates manually, see Manual Certificate Procedures in the System Center Mobile Device Manager Deployment Guide.

WSUS Encounters Errors After Reinstalling .NET Framework

If you reinstall the .NET Framework on a computer that is running Windows Server Update Services (WSUS), the WSUS console may report errors and the WSUS services may fail to restart. These symptoms disrupt MDM software distribution.

Follow these steps to restore WSUS and MDM software distribution functionality.

  1. On 64-bit computers, make sure that IIS is not running in 32-bit mode. This setting may be reset if .NET Framework 2.0 is reinstalled for applications other than MDM. To verify the IIS application mode, at a command prompt, run the following command:

    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs GET W3SVC/AppPools/Enable32bitAppOnWin64
    

    If this command returns a value of 1, run the following command:

    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
    
  2. From your local .NET 2.0 directory, run aspnet_regiis.exe -ir to register the ASP.NET Internet Server API (ISAPI) filter. On 64-bit computers, locate the .NET 2.0 installation and run the command from its Framework64 directory.

  3. Make sure that you set ASP.NET 2.0 to Allowed for the Web services extensions. This property may reset to Prohibited when you reinstall .NET Framework.

  4. Restart IIS.

Event 9030: The Port Specified Is Invalid

If you receive the error message Event 9030, The port specified is invalid, you can safely ignore this event because it does not affect the functionality of the servers in any way.

Enrollment Server Setup Fails to Configure SSL Certificates

If you run MDM Enrollment Server setup and receive the error message Failed to configure SSL certificates for Web services or Certificate Install Failed; Error Constructing or Publishing Certificate, then MDM cannot retrieve the proper certificates from the issuing certification authority. To resolve this issue, check the following:

  • Make sure that the enterprise certification authority is running Windows Server 2003 Enterprise Edition with SP2. MDM does not support an enterprise certification authority that runs Windows Server 2003 Standard Edition.
  • Verify that the domain functional level is raised to Windows Server 2003, as described in the MDM Deployment Guide.
  • Verify that you created and enabled the MDM templates on the certification authority.
  • Open the certification authority event log and check for errors.
  • Restart the certification authority service.

It is also possible that MDM Enrollment Server is being installed in a domain different from that of the certification authority, or that the certificate enrollment request uses a certificate template that was created recently and has not yet replicated. Wait 30 minutes after the templates are enabled on the target certification authority before installing MDM Enrollment Server.

For more information about using new certificate templates, see KB article Q281260 at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=111994.

If MDM Enrollment Server is being installed in a domain that is different from the domain of the certification authority, then use the following steps to resolve this issue:

  1. On the root certification authority server that issues signing certificates, open a Microsoft Management Console (MMC) window.
  2. Add the Certificates snap-in with the Computer Account option, not the Service or User options.
  3. Expand Certificates, expand Trusted Root Certification Authorities, and then select Certificates.
  4. Right-click the certificate template for Enrollment Mobile Device, and then select Properties.
  5. In the Certificate dialog box, on the Details tab, select Edit Properties.
  6. In the Certificate Properties dialog box, on the General tab, select Enable only the following purposes, and then select Add Purpose.
  7. In the User Defined Purpose dialog box, type 1.3.6.1.4.1.311.65.2.1, and then select OK.
  8. In the Certificate Properties dialog box, select Apply, and then select OK.
  9. In the Certificate dialog box, select OK.
  10. Repeat steps 4 through 9 to add the 1.3.6.1.4.1.311.65.1.1 object identifier (also known as OID) to the GCM certificate template.
  11. Request a new signing certificate for the issuing certification authority.
  12. Wait 30 minutes for replication to complete.
  13. Run MDM Enrollment Server setup again.

Uninstalling MDM

Uninstalling MDM involves removing System Center Mobile Device Manager, its databases, and Active Directory Objects. If the standard uninstallation procedures are not an option, such as in a disaster recovery scenario, use the manual removal steps as described in MDM Backup and Recovery.

If you are reinstalling System Center Mobile Device Manager, you can minimize disruption to Windows Mobile devices by keeping all currently-active gateways, and reinstall the gateways last, after verifying that all servers are installed and operating appropriately.

Note

The MDM Server Tools includes a set of tools to help administrators configure, deploy, and manage MDM and its components. The MDM Cleanup Tool enables administrators to completely uninstall MDM from servers when other removal options have not fully removed MDM components and settings. To download the MDM Cleanup Tool, see the MDM 2008 SP1 Resource Kit at: https://go.microsoft.com/fwlink/?LinkID=127030.

When uninstalling MDM, keep the following considerations in mind:

  • Uninstalling MDM Device Management Server or MDM Enrollment Server fails with a database provisioning error if you ran the ADConfig.exe /removeinstance command before starting the uninstallation. Uninstalling MDM requires access to Active Directory and the MDM Active Directory infrastructure. Contact the support team for assistance with recovery.
  • Uninstalling MDM Device Management Server or MDM Enrollment Server fails if the Active Directory SCP is missing or corrupt. Use ADSIEdit to verify and edit the keyword values. If the SCP is missing, see the previous point.
  • Setup fails to uninstall the servers if the SCMDMServerAdmins or any other infrastructure group (for example, SCMDMDeviceManagementServers or SCMDMEnrollmentServers) is removed before uninstalling the servers.
  • Uninstalling MDM Device Management Server or MDM Enrollment Server fails if the MDM databases are deleted before the uninstallation. SQL Server must be available for uninstallation to succeed.
  • Uninstalling MDM servers may fail if the IIS metabase is in an unstable or unexpected state (for example, if you manually changed the Web site properties). Restore a backup of the metabase if it exists.
  • Uninstalling MDM servers fails if IIS is uninstalled before MDM. Setup cannot uninstall MDM Device Management Server, MDM Enrollment Server, or MDM Gateway Server after IIS has been removed. If you need to reinstall IIS for some reason, back up the metabase before you do so and restore it afterward; after the metabase is restored, Setup can uninstall the MDM servers.
  • You must restart the MDM Gateway Server after uninstallation. The Ipsecvpn driver is loaded into memory, and if the uninstallation cannot unload it, the next installation uses the old driver until the next restart. Therefore, restart the MDM Gateway Server after uninstalling MDM.
  • Only currently-installed MDM Device Management Server computers should belong to the SCMDMDeviceManagementServers security group.
  • Only currently-installed MDM Enrollment Server computers should belong to the SCMDMEnrollmentServers security group.
  • Only currently-installed MDM Self Service Portal Servers should belong to the SCMDMSelfServiceServers Universal Security Group.

Removing MDM Objects from Active Directory

To remove the MDM structure from Active Directory, including all MDM objects, groups, and certificate templates, open a command prompt window and run these commands in the following sequence (with the /removeinstance parameter last):

ADConfig.exe /disablegpsecurity:<instance name> /domain:<domain name> /gpo:all [/quiet] [/force]
ADConfig.exe /disabletemplates:<instance name> /ca:<ca_server_name>\<ca_name> [/quiet] [/force]
ADConfig.exe /removetemplates:<instance name> [/quiet] [/force]
ADConfig.exe /disableinstance:<instance name> /domain:<domain name> [/quiet] [/force]
ADConfig.exe /removeinstance:<instance name> /domain:<domain name> [/quiet] [/force]

Use the /force parameter only if the Active Directory object is not removed otherwise. If you run ADConfig with the /force parameter while MDM is still installed, you will not be able to uninstall MDM. For recovery steps, see MDM Backup and Recovery at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=115733.

Verifying Database Removal

After you uninstall MDM Device Management Server, MDM Enrollment Server, and MDM Administrator Tools, make sure that the MDM databases and SQL Server logins were removed correctly by using Microsoft SQL Server Management console or Microsoft SQL Server Management Studio Express. If necessary, go back and remove the databases and logins. Make sure that you uninstall the MDM system and components first, before you remove a SQL Server database.

If you modify databases and database logins directly, this may cause system problems or issues. If you decide to modify the databases and database logins directly, you do so at your own risk.

Follow these steps to make sure that you removed the databases successfully:

  1. Open Microsoft SQL Server Management Studio.
  2. Connect to the database server.
  3. Expand the server list.
  4. Expand Databases. Delete the following databases if they appear: AdminServices, MobileEnrollment, TEEDB.
  5. After you delete a database, the Delete Object message appears. Make sure that you select the Close Existing Connections check box.
  6. Expand Security.
  7. Expand Logins. Delete the following Logins if they appear:
    • <domain name>\SCMDMDeviceManagementServers
    • <domain name>\SCMDMEnrollmentServers
    • <domain name>\SCMDMServerAdmins

If you receive a warning message that you are about to delete these logins, confirm the deletion(s), and then continue with the removal process.
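
Because the section above warns that editing databases and logins by hand is at your own risk, a read-only inventory is the safer first step. The following PowerShell function is an added example, not MDM tooling: it queries the instance's catalog views for the three databases and three logins listed above and reports any that remain, without deleting anything. The instance name and domain are parameters you supply; the login names are the ones named on this page, with the server-administrators group as SCMDMServerAdmins, as used elsewhere on this page.

```powershell
# Added example: list MDM databases and logins that still exist after uninstall.
# Read-only; uses Windows integrated authentication to the master database.
# Requires permission to read sys.databases and sys.server_principals.
function Get-MdmSqlLeftovers {
    param(
        [string]$Instance = 'localhost',                      # e.g. 'SQL01' or 'SQL01\MDM'
        [Parameter(Mandatory = $true)][string]$Domain         # NetBIOS domain name
    )
    $databases = 'AdminServices', 'MobileEnrollment', 'TEEDB'
    $logins    = 'SCMDMDeviceManagementServers', 'SCMDMEnrollmentServers', 'SCMDMServerAdmins' |
                 ForEach-Object { "$Domain\$_" }

    $connectionString = "Server=$Instance;Database=master;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Parameterised so that the names are never spliced into the query text.
        $cmd.CommandText = @"
SELECT 'database' AS kind, name FROM sys.databases         WHERE name IN (@d0, @d1, @d2)
UNION ALL
SELECT 'login'    AS kind, name FROM sys.server_principals WHERE name IN (@l0, @l1, @l2)
"@
        for ($i = 0; $i -lt 3; $i++) {
            $null = $cmd.Parameters.AddWithValue("@d$i", $databases[$i])
            $null = $cmd.Parameters.AddWithValue("@l$i", $logins[$i])
        }
        $reader = $cmd.ExecuteReader()
        try {
            while ($reader.Read()) {
                [pscustomobject]@{ Kind = [string]$reader['kind']; Name = [string]$reader['name'] }
            }
        }
        finally { $reader.Close() }
    }
    finally { $conn.Close() }
}

# Usage (values are placeholders): no output means nothing is left to remove.
Get-MdmSqlLeftovers -Instance 'SQL01' -Domain 'CONTOSO' | Format-Table -AutoSize
```

Run this only after the MDM servers and Administrator Tools have been uninstalled, as the section requires; anything it lists is what the manual steps above then remove.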

Errors Removing an MDM Instance

If you encounter errors while removing an MDM instance with the ADConfig.exe /removeinstance:<instance name> /domain:<domain name> command, then check the following:

  • Make sure that you uninstall MDM on every computer that is running MDM Device Management Server and MDM Enrollment Server.
  • Make sure that there are no unnecessary members in any MDM groups.