Because Native Mode involves SSL encryption, it also requires PKI and certificates. PKI in a Windows environment relies heavily on DNS, as does pretty much everything in AD, so DNS and WINS need to be configured and working properly as well.
Configuration Manager in Native Mode
Symptoms
- Client applet (General tab) does not show “Site Mode” as “Native Mode”
- Client fails to communicate with Management Point
- Client is not Approved (when Automatic approval has been enabled)
- Client fails to report inventory
Potential causes
- Corrupted, missing or expired client certificate
- PKI environment issues
- Missing or Unavailable CRL in perimeter network (Internet clients)
- Client device does not meet minimum requirements for Native mode
- DNS or WINS name resolution issues
- Firewall settings (on routers, servers, and clients)
- Network Connectivity issues
- Trying to use NLB Management Points with AD publishing
Suggestions
- Check the Windows System Event Log
- Verify Network Connectivity
- Verify Name Resolution (DNS, WINS)
- If using Windows Server 2008, do not use Version 3 PKI certificate templates
- Verify client certificate is installed and valid
- Verify PKI environment is working properly
- Run the SCCMNativeModeReadiness.exe utility from the CCM folder (right-click and select "Run as Administrator"; append " /?" to view the available options)
- Verify local services are running properly
- Verify firewall settings (client, routers, switches, servers)
If the client computer issues are related to domain account issues, such as losing trust or delegation rights, or password synchronization failures, you may also see Windows Event log entries indicating failures to locate or communicate with a domain controller, or failures downloading or applying Group Policy. I don’t mean individual GPO settings or GPOs, but errors indicating Group Policy is unable to update at all.
"Potential Causes" items 1 through 4 are the most common I’ve seen, but that's only in the context of the environments I've dealt with, so that's anecdotal. Checking on the status of the certificate never hurts, and since Native Mode depends so heavily on PKI it makes sense to rule that out first.
DNS and WINS name resolution issues can be easy to overlook, so be sure to verify that the clients can resolve the name of each DNS server relevant to the client's connection and authentication scheme. If WINS is used (more often than you might expect), make sure you verify name resolution to the WINS server as well.
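The certificate and name resolution checks described above can be scripted on the client. The following is an added example, not part of the original article or of Configuration Manager itself; the management point name `mp01.example.local` is a placeholder, and the script assumes the client certificate lives in the local computer's Personal store with an explicit Client Authentication EKU.

```powershell
# Added example: triage client certificate and name resolution on a Native Mode client.
# $ManagementPoint is a placeholder; pass the FQDN of your own management point.
param([string]$ManagementPoint = 'mp01.example.local')

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect the EKU OIDs; certificates without an explicit
    # Client Authentication EKU are skipped.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekus -notcontains $clientAuthOid) { continue }

    # Build the chain with online revocation checking so that an
    # unreachable CRL shows up in the chain status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
        ChainOk       = $chainOk
        ChainStatus   = $chainStatus
    }
}

if (-not $results) {
    Write-Warning 'No certificate with the Client Authentication EKU found in LocalMachine\My.'
}
$results | Format-List Subject, Thumbprint, NotAfter, InValidity, HasPrivateKey, ChainOk, ChainStatus

# Name resolution check for the management point
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($ManagementPoint)
    "Resolved $ManagementPoint -> $($addrs -join ', ')"
} catch {
    Write-Warning "Cannot resolve ${ManagementPoint}: $($_.Exception.Message)"
}
```

A `ChainStatus` of `RevocationStatusUnknown` or `OfflineRevocation` means the CRL could not be retrieved, while `NotTimeValid` indicates an expired (or not yet valid) certificate somewhere in the chain.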
When everything else appears fine, I ask the user (or field technician) to verify there is “activity” on the network port of the device. If they reply “I don’t see any lights blinking”, I usually suggest checking the cable or swapping it out, trying a different jack, or verifying wireless connectivity (if applicable).
Helpful links
- Prerequisites for Native Mode
- How to Determine if Client Computers are Ready for Native Mode
- Certificate Requirements for Native Mode
- Troubleshooting Configuration Manager Client Issues
- Configuration Manager and Name Resolution
- How to Configure the Site Server with its Site Server Signing Certificate
- Client Communication in Mixed Mode and Native Mode
- Administrator Checklist: Deploying PKI Requirements for Native Mode
- Troubleshooting Group Policy Using Windows Event Logs