11/11/2008

This section lists common issues encountered during System Center Mobile Device Manager (MDM) enrollment. If MDM Enrollment Server Setup fails, check the Setup log files.

Enrollment Logging on Devices

In Control Panel, the Domain Enroll application shows Enrollment status and allows the user to enroll if they are not already enrolled. The DeviceUpdate.log file records Open Mobile Alliance (OMA) device management (DM) sessions in a detailed manner. These files are particularly useful for troubleshooting and debugging.

If you experience any enrollment issues, enable client-side logging and reproduce the issue. To enable enrollment logging on the device by using the MDM Connect Now tool, follow these steps.

  1. On the Start screen, select Menu.

  2. Select Logging.

  3. Select Enable Enroll Log.

The log file is located at \deviceupdate.log. For information about the MDM Connect Now tool, see MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=108953.

Unable to Locate Enrollment Server

After you enter the uniform resource identifier (URI) for MDM Enrollment Server, the device displays the error message The enrollment server could not be located - please contact your Administrator for assistance.

Make sure that you entered the URI correctly. For example, make sure that you specify only the fully qualified domain name (FQDN), without any prefixes, such as the abbreviation for Hypertext Transfer Protocol (HTTP).

Device Enrollment Fails Before You Type a Password

Depending on the cause of the issue, the device might display various error messages about, for example, network connectivity, incorrect date and time, database connectivity, communication with the enrollment NT service, or access to the IIS metabase.

To resolve these enrollment issues, follow these steps:

  • Make sure that the data connection is functioning properly on the device; you should be able to browse the Internet with Internet Explorer Mobile.

  • Make sure that the date and time on the device are set correctly.

  • Verify connectivity with the Enrollment service:

    1. On the device, start Internet Explorer Mobile.

    2. Browse to the following site: https://<enrollmentservername>/enrollmentserver/service.asmx?op=ShouldEnroll.

    3. On the Certificate Check page, choose Continue.

    4. In the Version box, type 1.0.0.

    5. In the Owner Identity box, type your name.

    6. Choose Invoke.

    The Enrollment Web service should return a value of 0. If it returns a value of 1, the owner identity did not match the identity provided during pre-enrollment.

    If the Enrollment Web service returns any value other than 0 or 1, the Enrollment Web service cannot access the SQL database, communicate with the Enrollment NT service, or access the IIS metabase.

Device Enrollment Fails After You Type a Password

If enrollment fails but the device passes ShouldEnroll, a valid connection to MDM Enrollment Server has found the pre-enrollment record. Make sure that the password is correct, and check for correct server settings and configuration.

For widespread problems, enable enrollment logging in the DeviceUpdate.log file for more information. If you still experience problems, contact a Microsoft representative to help analyze the log file. In this scenario, failures are typically on the server side.

Unable to Enroll Device in Domain

If the device displays the error message Unable to enroll this device in the domain, contact your Administrator, make sure that the device has Internet connectivity through the appropriate Internet service provider (ISP), and that the date and time are set correctly. You can also check the following items:

  • Check Event Viewer on the server for enrollment issues that have SCMDM 2008 event log IDs between 2000 and 2999. These events can provide more details about what the system encountered during enrollment.

  • Use the Get-EnrollmentServiceLog cmdlet to export Enrollment service logs that provide more details about the completion of certain Enrollment services. The following shows the correct syntax to export Enrollment service log entries to a text file.

    Get-EnrollmentServiceLog > C:\enrollmentlog.txt

  • Check the IIS log file for more information about enrollment failures that return HTTP 200 errors.

  • Enable tracing on MDM Enrollment Server by running the following command in MDM Console:

    Enable-MDMTrace -Server Enrollment -Components Everything -Level Debug

  • Check whether the device Certificate Subject Name matches the host FQDN or server name in the MDM Enrollment Server IIS certificate. To view the certificates installed in the Personal, Intermediate, and Root stores, choose Settings, choose System, and then choose Certificates.

  • On MDM Device Management Server, or from MDM Console, run the following cmdlets and check for errors:

    • Get-EnrollmentConfig

    • Get-EnrollmentServiceLog

  • Test the connectivity of the Enrollment Web service:

    • From MDM Enrollment Server, start Internet Explorer and visit http://localhost. You should see an Under Construction message.

    • Visit https://localhost/enrollmentserver/service.asmx?op=ShouldEnroll. You may receive certificate warnings. A ShouldEnroll link will appear.

    • From an internally connected computer or server, start Internet Explorer and visit: https://<internalhostname>/enrollmentserver/service.asmx?op=ShouldEnroll

      You may receive certificate warnings. A ShouldEnroll link will appear.

      If you reference localhost in the URL instead of the name of the computer that is running MDM Enrollment Server, you can isolate whether this issue involves an incorrect IIS configuration. If you can view the ShouldEnroll link, you can successfully connect to the Enrollment Web service on MDM Enrollment Server.

  • Select ShouldEnroll to test the ShouldEnroll link.

    • In the Version box, type 1.0.0.

    • In the Owner Identity box, type the e-mail address for the issued enrollment.

    • Choose Invoke.

      The Enrollment Web service should return a value of 0. If it returns a value of 1, the owner identity did not match the identity provided during pre-enrollment.

      If the Enrollment Web service returns any value other than 0 or 1, the Enrollment Web service cannot access the SQL database, communicate with the Enrollment service, or access the IIS metabase.

  • To make sure that the Enrollment service is running, follow these steps to use the Services.msc MMC:

    • On the computer that is running MDM Enrollment Server, run the following command:

      Sc query SCMDMDeviceEnroll

      The return status should be Running.

  • In Event Viewer, check for Event ID 2001. This event indicates that the Enrollment service is running and that the global configuration has refreshed successfully. This event occurs when SCMDMDeviceEnroll starts or when the global configuration for MDM Enrollment Server changes.

    To log this event, at an MDM Shell command prompt, run the net stop SCMDMDeviceEnroll and net start SCMDMDeviceEnroll commands. If you do not see Event ID 2001 after MDM Enrollment Server starts, you should see warning events for Event ID 2002. Check Event ID 2002 for more information.

  • In Event Viewer, check for Event ID 2101. This event means that the Enrollment Web service cannot reach MDM Enrollment Server. To troubleshoot this issue, confirm that IIS is configured correctly and follow these steps:

    • At an MDM Shell command prompt, run the sc query w3svc command to view the return status.

    • At an MDM Shell command prompt, run the sc query iisadmin command to view the return status.

    • Make sure that IIS properties and services are set to start automatically.

    • Check the System and Application Event logs for IIS errors.

    • In the IIS log, find a DeviceEnroll entry and check the status.

  • Check the MDM application and error logs for issues connecting to a SQL database. You can use SQLProfiler tracing to troubleshoot database access issues. To use the SQLProfiler tool, start the trace capture, and then select the ShouldEnroll link.

  • Database connection issues can occur if you do not create the SCMDM database login accounts during Setup. To check for suitable database login accounts, select Logins in SQL Server Enterprise Manager.
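
The following PowerShell script is an added example, not part of the MDM documentation: it performs the read-only checks from this list (service state and the Event IDs 2001, 2002 and 2101) on the computer that is running MDM Enrollment Server and prints one row per check. It assumes PowerShell 2.0 and that the SCMDM 2008 events are written to the log named by $MdmLogName; the default 'Application' is a placeholder that you should change to the log shown in Event Viewer.

```powershell
# Added example, not part of the MDM documentation: a read-only triage script that
# runs the checks this section describes on the computer running MDM Enrollment Server.
# Assumption: $MdmLogName is the Event Viewer log that holds the SCMDM 2008 events
# (IDs 2000-2999); 'Application' is a placeholder, adjust it to the log shown in Event Viewer.
param(
    [string]$MdmLogName = 'Application',
    [int]$Newest = 500
)

$results = @()

# 1. Service state: the Enrollment service and the IIS services it depends on
#    (the text checks these with sc query SCMDMDeviceEnroll / w3svc / iisadmin).
foreach ($svcName in 'SCMDMDeviceEnroll', 'w3svc', 'iisadmin') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc -eq $null) { $state = 'NOT FOUND' } else { $state = [string]$svc.Status }
    $results += New-Object PSObject -Property @{
        Check  = "Service $svcName"
        Status = $state
        Ok     = ($state -eq 'Running')
    }
}

# 2. Event IDs the text calls out: 2001 = Enrollment service started and refreshed its
#    global configuration (expected); 2002 = configuration refresh warning;
#    2101 = Enrollment Web service cannot reach MDM Enrollment Server.
$mdmEvents = @(Get-EventLog -LogName $MdmLogName -Newest $Newest -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -ge 2000 -and $_.EventID -le 2999 })

foreach ($id in 2001, 2002, 2101) {
    $hit = $mdmEvents | Where-Object { $_.EventID -eq $id } | Select-Object -First 1
    if ($hit) { $when = $hit.TimeGenerated.ToString() } else { $when = "absent in newest $Newest" }
    # 2001 should be present; 2002 and 2101 should not.
    if ($id -eq 2001) { $ok = [bool]$hit } else { $ok = -not $hit }
    $results += New-Object PSObject -Property @{
        Check  = "Event ID $id"
        Status = $when
        Ok     = $ok
    }
}

# 3. Summary: any row with Ok = False points at the matching step in the list above.
"SCMDM enrollment events (2000-2999) in newest ${Newest}: $($mdmEvents.Count)"
$results | Format-Table Check, Status, Ok -AutoSize
```
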

Invalid Controls and Empty Device Containers

When you use the Enrollment Wizard to create a pre-enrollment request, after you enter the device name and choose Next, you may receive the error message Some controls are not valid. Device container cannot be empty. This error occurs if you did not specify the name of an organizational unit (OU) that will host managed devices.

Management Console Cannot Create New Enrollment Request

After you create a new enrollment request and choose Finish, you may receive various error messages that state the enrollment request could not be created. These error messages may provide additional information that contains sufficient details to diagnose the problem.

To determine whether the problem is with MDM Console or the Enrollment Administration service, create an enrollment request by running the New-EnrollmentRequest cmdlet. If this command succeeds, the problem is with MDM Console. If the command fails with the same error, the problem is with the Enrollment Administration service.

If you encounter errors connecting to the Enrollment service, follow these steps:

  • Make sure that MDM Enrollment Server is running.

  • Make sure that you installed the correct certificate for the Enrollment Administration service.

  • To check the certificate, start IIS Manager, expand Web Sites, right-click EnrollmentAdmin, select Properties, choose the Directory Security tab, and then choose View Certificate.

Users Do Not Receive Enrollment E-Mail Message

After you create a new enrollment request and specify an e-mail address, the user does not receive the enrollment e-mail message. This e-mail message contains the URL for MDM Enrollment Server and the one-time password for device enrollment.

To resolve this issue, follow these steps:

  • From MDM Console, make sure that you select the Send e-mail check box.

  • If you are creating the enrollment request by running the New-EnrollmentRequest cmdlet, use the -SendMail parameter.

  • Make sure that the e-mail address for the device owner is correct.

  • Specify a valid e-mail sender by running the Set-EnrollmentConfig cmdlet with the -EmailSender parameter. For example:

    Set-EnrollmentConfig -EmailSender administrator@contoso.com

    If the -EmailSender value is not a valid Microsoft Exchange Server 2007 e-mail account, or is otherwise not properly configured to send e-mail, then MDM has no way to send the enrollment e-mail message.

  • On the enrollment server, check Event Viewer for Event ID 2201

  • Run the following MDM Shell command to specify the SMTP server to send e-mail messages:

    Set-EnrollmentConfig -SmtpServer smtp.yourdomain.com

    By default, MDM uses localhost to send the e-mail message that contains the one-time enrollment password. When you run the Get-EnrollmentConfig cmdlet in MDM Shell, you can see that the SmtpServer entry specifies localhost.

    The following shows you other parameters that you can modify:

    Set-EnrollmentConfig -SmtpServer
    Set-EnrollmentConfig -EmailSubject
    Set-EnrollmentConfig -EmailBodyTemplate
    Set-EnrollmentConfig -EmailSender

  • If the enrollment request succeeds but the user does not receive the enrollment e-mail message, check the MDM section in Event Viewer for the following error message: Event 2201 - Error: System.Net.Mail.SmtpException: Syntax error, command unrecognized. The server response was: 5.7.3 Authentication unsuccessful.

    This error indicates that there was a problem in sending the enrollment e-mail message. This problem can occur if the e-mail system is running Microsoft Exchange Server 2007 with anonymous relay disabled.

    To resolve this issue, enable anonymous relay in Exchange Server 2007 by following the instructions at this Microsoft Web site:

    http://go.microsoft.com/fwlink/?LinkId=108241

General Access Denied Error When You Enroll a Device

When you enroll a device, you may receive the error message Unable to enroll this device in the company domain.

In this case, the EnrollmentServiceLog file contains an entry like the following:

System.UnauthorizedAccessException: General access denied error
   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.ADOperation.AddAccount(EnrollRequest rc)
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.ADLayer.AddAccount(RequestContext rc)
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.Controller.Execute(RequestContext rc)

This error message indicates that MDM Enrollment Server could not create a device account because of insufficient permissions to the organizational unit (OU) of the device.

To resolve this issue, in MDM Shell, run the following cmdlet:

Set-EnrollmentPermissions -container <device container>

Not Prompted to Restart After Enrollment

The device can enroll successfully. However, you do not receive a message to restart the device. The device is enrolled on the domain but the virtual private network (VPN) connection is never established. This issue occurs when the gateway Uniform Resource Identifier (URI) for the mobile VPN connection is not set correctly.

To resolve this issue, follow these steps:

  • Run the Get-EnrollmentServiceLog MDM Shell cmdlet. Check the value of the ActivateVPN message. If the value is set to True, run the Get-EnrollmentConfig cmdlet and verify that the MDM Gateway Server URL is in the output list.

  • If the ActivateVPN message value is set to False, delete the existing pre-enrollment request, configure the gateway URI by running the following command, and then create a new pre-enrollment request.

    Set-EnrollmentConfig -GatewayURI <GatewayServerName>.yourdomain.com

  • To export the enrollment service log entries, run the following command.

    Get-EnrollmentServiceLog > C:\enrollmentlog.txt


Enrolled Device Remains in Pending Enrollments

After you try to enroll a device, the device connection status shows that the device enrolled but the device remains in the Pending Enrollments list in MDM Console. It can require the total expiration time of the enrollment password before MDM removes the device from the Pending Enrollments list.

Or, this issue indicates a problem with device connection to MDM Device Management Server. Until the device contacts MDM Device Management Server and becomes a managed device, it remains in the Pending Enrollments list. The device may not contact MDM Device Management Server for the following reasons:

  • Domain Name System (DNS) name resolution fails. To fix DNS issues, create a hosts file on the device that resolves the host name of MDM Device Management Server to its IP address.

  • A firewall is blocking the TCP port 8443 to MDM Device Management Server. Open this port to enable the device to contact MDM Device Management Server.

  • You must have a persistent route from MDM Gateway Server to the company network through the internal firewall. In addition, you must have another route on the firewall server to the MDM client network through MDM Gateway Server. For example:

    • Gateway route one: To add a route to the company network through the internal firewall, run the following command.

      route -p add <corporate subnet> mask 255.255.0.0 <Firewall IP>

    • Firewall route two: To add a route to the MDM client network through MDM Gateway Server, run the following command.

      route -p add <Client pool subnet> mask 255.255.0.0 <SCMDM 2008 GW IP>


To verify that a device that has connected to MDM Gateway Server successfully is also reaching MDM Device Management Server, run the Netstat utility at a command prompt on MDM Device Management Server. For information about the Netstat commands, type netstat /?.

This utility is especially useful when you force device-to-DM synchronization by using the MDM Connect Now Tool. From MDM Device Management Server, at a command prompt, run the netstat -a command. This command lists all active connections by TCP or UDP port number, together with the device name and port number. To download the MDM Connect Now Tool, see this Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkId=108953

HTTP 401 Unauthorized Logon Failed

In scaled-out topologies with load-balanced MDM Enrollment Server arrays, you may receive the following error message when you try to enroll:

HTTP 401.1 - Unauthorized: Logon Failed.

This issue occurs on Windows XP with Service Pack 2 (SP2) and on Windows Server 2003 with Service Pack 1 (SP1). These Windows-based operating systems include a loopback-check security feature that helps prevent reflection attacks on your computer.

This issue occurs when the Web site uses Integrated Authentication and has a name that maps to the local loopback address. In a Network Load Balancing (NLB) array, a server accesses the Web services on itself through NLB. This issue can also occur if the FQDN or custom host header does not match the local computer name.

To resolve this issue, follow these steps to disable loopback checking on any computers that are running MDM Enrollment Server:

  1. On the Start menu, choose Run, type regedit, and then choose OK.

  2. In Registry Editor, find and select the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Right-click Lsa, point to New, and then select DWORD Value.

  4. Type DisableLoopbackCheck, and then press ENTER.

  5. Right-click DisableLoopbackCheck, and then select Modify.

  6. In the Value box, type 1, and then choose OK.

For more information about this issue, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109943.
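
As an added example, not part of the original documentation, the following PowerShell script reports whether DisableLoopbackCheck is already set on the local computer and, when run with -Apply, creates or modifies the DWORD value exactly as the registry steps above do. The registry path and value name are those given in the procedure; the script structure and the Get-LoopbackCheckState function are assumptions of this example.

```powershell
# Added example, not part of the MDM documentation: checks and, when -Apply is given,
# sets the DisableLoopbackCheck value described in the procedure above.
# Registry path and value name come from the procedure; the rest is this script's own.
param([switch]$Apply)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'DisableLoopbackCheck'

# Reads the current state without changing anything (value absent = check enabled).
function Get-LoopbackCheckState {
    $prop = Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue
    if ($prop -eq $null) { return 'loopback check ENABLED (value absent, default)' }
    if ($prop.$name -eq 1) { return 'loopback check DISABLED (value = 1)' }
    return "loopback check ENABLED (value = $($prop.$name))"
}

# The loopback check blocks reflection attacks, so the text limits this change to the
# computers running MDM Enrollment Server in the NLB array; report which host this is.
"Computer : $env:COMPUTERNAME"
"Before   : $(Get-LoopbackCheckState)"

if ($Apply) {
    $existing = Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue
    if ($existing -eq $null) {
        # Steps 3-4 of the procedure: create the DWORD value under Lsa.
        New-ItemProperty -Path $lsaKey -Name $name -PropertyType DWord -Value 1 | Out-Null
    } else {
        # Steps 5-6 of the procedure: modify the existing value to 1.
        Set-ItemProperty -Path $lsaKey -Name $name -Value 1
    }
    "After    : $(Get-LoopbackCheckState)"
}
```

Run it without -Apply first to audit all members of the array; only the enrollment servers that still report ENABLED need the change.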

Device Cannot Enroll Because of DCOM Permissions

When you enroll a device, it may return an error message that states it cannot enroll the device on the domain. For example:

Missing Configuration: CCertRequest::GetCAProperty Access is denied. 0x80070005 (WIN32: 5)

A possible cause could be a problem with DCOM permissions on the certification authority server. If you are running Windows Server® 2003 Enterprise Edition with Service Pack 2 (SP2), follow these steps:

  1. Verify that the security group CERTSVC_DCOM_ACCESS was created on the local server. The certification authority creates this group in the CN=Users container.

  2. If the CERTSVC_DCOM_ACCESS group exists, verify that the following groups are members: Domain Users and Domain Computers.

    If you installed the certification authority on a domain controller, and the enterprise has multiple domains, Certificate Services cannot automatically update the DCOM security settings for users and computers from outside the domain of the certification authority. Therefore, you must manually add them to the CERTSVC_DCOM_ACCESS group. If there are users or computers in other domains that also have to enroll together with the certification authority, you must add those users and computers to the CERTSVC_DCOM_ACCESS group.

    If these errors occur on a domain controller, add the DOMAIN CONTROLLERS group to the CERTSVC_DCOM_ACCESS group.

    By default, domain controllers are not members of the Domain Computers global group. Therefore, they do not have sufficient DCOM permissions. Changes that affect the group membership of the certification authority server itself may require a restart before the changes take effect.

  3. Follow these steps to verify that the CERTSVC_DCOM_ACCESS group was added to the DCOM Security Limits group on the certification authority.

    1. On the Start menu, choose Programs, choose Administrative Tools, and then choose Component Services.

    2. Expand Component Services.

    3. Expand Computers.

    4. Right-click My Computer and choose Properties.

    5. On the COM Security tab, under Access Permissions, choose Edit Limits.

    6. In the Access Permission dialog box, on the Security Limits tab, verify that CERTSVC_DCOM_ACCESS is a member of the Groups or user names list.

    7. In the Groups or user names list, select Everyone, and then in the Permissions for Everyone list, verify that Local Access and Remote Access are allowed, and then choose OK.

    8. Under Launch and Activation Permissions, choose Edit Limits.

    9. In the Launch Permission dialog box, on the Security Limits tab, in the Groups or user names list, select Everyone, and then in the Permissions for Everyone list, verify that Local Activation and Remote Activation are allowed, and then choose OK.

    10. In the My Computer Properties dialog box, choose OK.

    11. Close Component Services.

If the previous steps do not resolve the problem, type the following command at a command prompt to reset the DCOM permissions on the certification authority server:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc