Agent discovery and push troubleshooting in OpsMgr 2007

<!--[if lt IE 9]>


Comments (32)
  1. Kevin Holman says:

    So…. no ports are required to perform a manual agent install.  You would assume that you have access to the desktop of that machine – and therefore the firewall is irrelevant.

    Now – for the manually installed agent to COMMUNICATE with through the firewall, that is a different story.  Only tcp_5723 is required for agent communication.  This communication channel is initiated FROM the Agent, TO the Management Server.  Once the channel is opened from the agent – the communication is bi-directional.

    The only additional ports – are ones for Active directory, if you are using AD/Kerberos authentication.  This is assumed working if the machine is a member of a domain, and their authenticating DC is on the other side of the firewall.  If using certs, this is irrelevant.

  2. Anonymous says:

    Tried pushing out to the server again this morning and the push was successful yet I can find no change in the enviromental variables.

  3. Kevin Holman says:

    Not sure what you mean by live. Yes, it is still applicable to SCOM 2012.

    As to your issue – if the agent reports that it didn’t find policy in AD, it didn’t find policy in AD. 🙂 Check the SCP that is supposed to be created when enabling AD integration. There is a tool to create the container. The LDAP rule only populates the groups.
    There is good documentation on this and lots of blog articles as well on configuring AD integration.

  4. Phil Marcum says:

    Hey sir thanks for taking the time to respond, again. Yes the dev_scom_HSvcSCP_SG container along with Domain Local security groups and containers for each of the management servers were created during the ADI setup. In terms of reference materials I have
    SCOM 2012 Unleashed 2nd edition and just about all of the known articles in terms of configuring ADI per a documented procedure. So I’m thinking I’ve overlooked some minor detail in terms of getting this to work.

    In viewing a reference site I see mention of a rule called AD rule for Domain. I have version 7.1.10226.0 of the Default management pack installed and when performing a search for this rule I see an AD rule for Domain:, ManagementServer: domainms
    but I don’t see the rule displaying polling info. Again not sure what I’m missing.

  5. Kevin Holman says:

    the account used is the management server action account – by default – this is in the UI.  Unless – you chose an optional account and entered that in – then it will use those credentials one time, and discard them.

  6. Anonymous says:

    I uninstalled an agent off of  a server 2K and when I re-installed an agent I get Error Code: 80070643 Error Description: Fatal error during installation.  Auto Updates is set to auto and is running.  What else could throw the 80070643 error?  

  7. Kevin Holman says:

    All communications are *initially originated* FROM the agent TO the management server, however, then once the communication channel is open from the agent – the communication is bi-directional.  Therefore – it depends on how your chosen firewall works – as to whether you need to open communiciation in both directions, or only from agent to MS.  When in doubt, just open both directions for this single port.

  8. Phil Marcum says:

    Hey is this still a live topic? Is there a simlar article for SCOM 2012? Hoping I can get some direction as I’ve got an agent deployment issue and it’s been a week today with no resolution from the MS SCOM forums.

    My thread:

    Basically I’m trying to deploy the 2012 R2 agent via the following startup script:

    msiexec /i \server.mydomain.comopsmgragent%Processor_Architecture%MOMAgent.msi /qn /l*v c:scom2012r2mmainstall.log USE_SETTINGS_FROM_AD=1 USE_MANUALLY_SPECIFIED_SETTINGS=0 ACTIONS_USE_COMPUTER_ACCOUNT=0 ACTIONSUSER=svc_dscom ACTIONSDOMAIN=mydomain ACTIONSPASSWORD=mypassword!
    SET_ACTIONS_ACCOUNT=1 AcceptEndUserLicenseAgreement=1

    The script is deployed as a group policy which is assigned to a security group housing the servers for that particular environment. So there’s a DEV group and a PROD group.

    The policy has been created and filtered to the security group. On a Windows 2012 R2 test server I see that the Microsoft Monitoring Agent has been successfully installed and its icon appears in the Control Panel. When clicked I don’t get any management info.

    The following entries appear in the logs on this server:

    Event ID: 2011 The Health Service did not find any policy in Active Directory
    Event ID: 2003 No management groups were started. This may either be because no management groups are currently configured or a configured management group failed to start. The Health Service will wait for policy from Active Directory configuring a management
    group to run.

    The HealthService is Running and I’ve configured AD Integration in the SCOM console using the following query: (&(objectCategory=group)(name=DSCOM_ADI))

    In checking the server I come across the C:Program FilesMicrosoft Monitoring Agent folder but no log. What am I overlooking?

    Any responses appreciated.

  9. Kevin Holman says:

    Whats in the OpsMgr event log on the DC?  Try a manual agent install and see if it will complete.

    Turn up MSI logging and then post or email the logfile.

  10. Richard says:

    Kevin, as usual, invaluable information, thanks so much.

    -The learning curve continues.

  11. Tim says:

    I can do a discovery and install of an agent on my domain controller but the server stays in "Pending Management" and doesn’t go anywhere.  If I check on the machine where I pushed the agent the files are present in c:program…system center op…

    What is going on?  I have uninstalled antivirus on both machines and I can figure out why the agent isnt viewable anywhere in the System Center Console…Please help

  12. RichardS says:

    What direction do the firewall rules need to be? Are they all uni-directional from SCOM to app servers?

  13. Thank you very much.You blog is very helpfull in my current working enviromnent.

  14. John Bradshaw says:

    Thx Kevin.

    What to do when the fatal code still can’t be overcome, after following the fix scenario above?

    Error Code: 80070643

    Error Description: Fatal error during installation.


    John Bradshaw

  15. Philip says:

    Very helpful.  How do you determine what account is being used to do the push?

  16. Dominique says:

    any similar information for Unix Agent?

  17. Jon says:

    Hi Kevin,

    Your blogs have been invaluable to me setting up OpsMgr 2007.  Thanks for all the great info.  

    I’m trying to find a comprehensive list of ports required to perform a manual agent install through a firewall, as well as ports required for ongoing monitoring.  All machines are part of the domain, just seperated by the firewall.  Can you help with this? My security admins will not allow me to open the wide ranges of RPC ports required for push installs.  

  18. Neel says:

    we provided admin access to SCOM even though we are not able to see reporting console in SCOM after installing the same.

  19. Johan says:

    I have a scenario where for workgroup servers, we install the certs and agents manually but when the server appears in the console, it shows up as "Not Monitored" even after several days.

    The event logs do not show any cert issues, though.

    Any ideas ?

  20. Kyle says:

    Hey Kevin,

    Thank you for writing this article, its helped me quite a bit. I do however keep running into the following issue while pushing agents via agent push script. My script will discover all of the machines i am trying to push to, and will attempt to install the agent but i get the following two errors.

    The Operations Manager Server failed to open service control manager on computer [FQDN of Server]. Therefore, the Server cannot complete configuration of agent on the computer.

    Operation: Agent Install

    Install account: [My install account]

    Error Code: 800706BA

    Error Description: The RPC server is unavailable.

    [this basically means the server is down, or unreachable at the moment.. Normal in this environment as servers are shipped from and too sites]


    The Operations Manager Server cannot process the install/uninstall request for computer [FQDN of Server] due to failure of operating system version verification.

    Operation: Agent Install

    Install account: [my install account]

    Error Code: 80070005

    Error Description: Access is denied.

    This is the error that is bothering me. I am able to use that same install account and install the agent on these machines, after logging directly into the server as the install account. I am also able to push agents from the RMS server using that install account. I checked to see if there were logs under agent logs and i cannot really read them very well, i also couldn't find a log for each of the servers that get this error.

    The account is a domain administrator

    The antivirus is turned off when installing the agent

    The account is a local administrator on the machines

    The server service is started on the machines that are domain controllers

    The windows firewall is turned off

    Im lost on what else i could possibly check, any suggestions would be very helpful.

    Thank you very much for your time!

  21. Mariusz says:

    Good info!  

    Thanks again.  Got an issue with pushed agent install.  It was placed on Pending Management list.  Consecutive re-installs and troubleshooting on the client side did not give any results.  

    In my case MOM Channel Port number: 5723 stopped responding on MS.  I saw only connections from RMS and nothing from agents.  The telnet to MS host on port 5723 then 'netstat -an | findstr 5723' on MS host themselves proved it.

    Restarted System Center Management – HealthService service on MS host caused MS to re-connect with monitored agents and agent install succeeded.

  22. Anonymous says:

    A small, but usefull link collection to use for configuration and upgrading System Center Operations

  23. Anonymous says:

    Here are some more links from my private collections. This links are very usefull to administrate, configure

  24. Anonymous says:

    These are the top Microsoft Support solutions for the most common issues experienced when using System

  25. Anonymous says:

    Top Microsoft Support solutions for the most common issues experienced when you use System Center 2012

  26. TonyO says:

    Hi, I’m very new to SCOM am getting the following error trying to discover.
    The Operations Manager Server could not execute WMI Query "Select * from Win32_OperatingSystem" on computer

    Operation: Agent Install

    Install account: ENETCONSTRUCTServiceMOM_MSA_C

    Error Code: 800706BA

    Error Description: The RPC server is unavailable.

  27. Anonymous says:

    Top Microsoft Support solutions for the most common issues experienced when you use System Center 2012

  28. Anonymous says:

    Top Microsoft Support solutions for the most common issues experienced when you use System Center 2012

  29. Anonymous says:

    Top Microsoft Support solutions for the most common issues experienced when using System Center 2012

  30. Anonymous says:

    Top Microsoft Support solutions for the most common issues experienced when using System Center 2012

  31. home says:


  32. David Abowitt says:

    Kevin, we recently had to redeploy a failed MSFT DPM 2012R2 machine and now are unable to push agent to it from SCOM 2012R2 UR9. I initially deleted old managed agent in SCOM and now when trying to deploy ‘new’ agent I get “The Operations Manager Server could not execute WMI Query “Select * from Win32_OperatingSystem” on computer.”

    I have Windows FW disabled, all the services are running as necessary and here is the interesting thing from the SCOM mgt server I am unable to connect to WMI on DPM machine and same goes for all my other DPM machines in different sites same network domain. (Was able to install agent on those ‘other’ DPM machines in past.) All are on same network. I am unable to connect to WMI to the OPS manager server from the DPM Machine. I am able to connect to WMI on other machines on same VLAN as DPM server. Machines on those VLAN’s are able to connect to the new DPM server. My network team says nothing in logs showing blocking and they monitored as I attempted to install agent.

    Any ideas and I opened case with MSFT but they too have been unable to resolve.

Comments are closed.

Skip to main content