Navigating and Troubleshooting Cloud Management Gateway
HH07 - Troubleshoot Cloud Management Gateway - ConfigMgr (SCCM/MECM) Lab Tutorial
Summary
In this tutorial video, CloudManagement.Community takes us through troubleshooting the Cloud Management Gateway (CMG) for ConfigMgr (SCCM/MECM). Initially, the video demonstrates fixing an error encountered during connection analysis. The issue, 'Unauthorized Request,' stemmed from improperly discovered Azure AD users due to an outdated administrative password. Detailed steps are taken to rectify the problem by analyzing various logs and resetting the user password, leading to successful connection verification. The tutorial further explores log files to ensure the client is connected to the CMG. Lastly, it discusses cost implications of running the CMG, reassuring viewers about the manageable expenses involved in utilizing Azure services for cloud management.
Highlights
- Troubleshooting an error in connection analyzer related to Unauthorized Requests.
- The importance of checking logs like ccm_sts and user discovery for issues.
- Fixed 'Access Denied' issues by resetting an outdated password!
- Examining Azure cost analysis to track CMG expenses.
- Discovering external network switching and its log indicators.
Key Takeaways
- First-hand troubleshooting of CMG connection issues using logs.
- Resetting user passwords can resolve access errors.
- Affordable Azure costs for cloud management services: mere pennies and pounds!
- Switching between internal and external management points for better connectivity.
Overview
The tutorial kicks off by addressing a common issue encountered when using the Cloud Management Gateway in a ConfigMgr setup: an 'Unauthorized Request' error during connection analysis. The host walks us through identifying the root cause: undetected Azure AD users, primarily because of outdated credentials. By systematically resetting the password and checking through various logs, the error is corrected, demonstrating a thorough troubleshooting approach.
Following the successful resolution of the access issue, the focus shifts to confirming that client devices connect through the CMG. This involves reviewing the location services log and confirming the internet-based management point. Further logs are reviewed to confirm device status, ensuring that communications route correctly through the CMG.
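The log review described in this overview can also be scripted. The following is an added example, not code from the video or from ConfigMgr: it assumes the `<![LOG[...]LOG]!>` entry layout that CMTrace reads, runs on constructed sample entries, and matches the error wording as it is read out in the video (the real log text may differ).

```python
import re

# Entry layout assumed here (CMTrace-style):
# <![LOG[message]LOG]!><time=".." date=".." component=".." context="" type="N" ..>
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+'
    r'component="(?P<component>[^"]*)"[^>]*?type="(?P<type>\d)"',
    re.DOTALL,  # a message may span several physical lines
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}

# Signatures worded as the errors are read out in the video (assumed wording).
SIGNATURES = {
    "http_403": re.compile(r"\b403\b"),
    "aad_user_not_discovered": re.compile(r"not completely discovered", re.I),
    "ldap_bind_failure": re.compile(r"fail\w* to bind", re.I),
    "ad_enumeration_failure": re.compile(r"failed to enumerate directory objects", re.I),
}
# Follow-up order taken from the walkthrough: token errors point to user
# discovery, bind errors point to the discovery account's credentials.
CHECK_DISCOVERY = "review the AD user discovery log"
CHECK_ACCOUNT = "verify the discovery account credentials"
HINTS = {
    "aad_user_not_discovered": CHECK_DISCOVERY,
    "ldap_bind_failure": CHECK_ACCOUNT,
    "ad_enumeration_failure": CHECK_ACCOUNT,
}

def triage(text):
    """Return error entries and any entry matching a known signature."""
    findings = []
    for m in ENTRY.finditer(text):
        msg = " ".join(m["msg"].split())  # collapse multi-line messages
        hits = [name for name, rx in SIGNATURES.items() if rx.search(msg)]
        if m["type"] == "3" or hits:
            findings.append({"when": f'{m["date"]} {m["time"]}',
                             "component": m["component"],
                             "severity": SEVERITY.get(m["type"], "unknown"),
                             "signatures": hits, "message": msg})
    return findings

def next_steps(findings):
    """Ordered, de-duplicated follow-up checks for the matched signatures."""
    hints = (HINTS.get(s) for f in findings for s in f["signatures"])
    return list(dict.fromkeys(h for h in hints if h))

# Constructed sample entries (not taken from the video's logs).
SAMPLE = '''<![LOG[Token request received]LOG]!><time="15:29:58.101+000" date="01-01-2000" component="CCM_STS" context="" type="1" thread="1" file="constructed:1">
<![LOG[Return code: 403, Description: AAD user with this id is not completely discovered]LOG]!><time="15:30:02.417+000" date="01-01-2000" component="CCM_STS" context="" type="3" thread="1" file="constructed:2">
<![LOG[ERROR: Failed to bind to LDAP container
(constructed multi-line entry)]LOG]!><time="15:31:10.005+000" date="01-01-2000" component="SMS_AD_USER_DISCOVERY_AGENT" context="" type="3" thread="2" file="constructed:3">
<![LOG[ERROR: Failed to enumerate directory objects in AD container]LOG]!><time="15:31:10.020+000" date="01-01-2000" component="SMS_AD_USER_DISCOVERY_AGENT" context="" type="3" thread="2" file="constructed:4">
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["when"], f["component"], f["severity"], f["signatures"])
    print(next_steps(triage(SAMPLE)))
```

To use it on real files, read each log's text and pass it to `triage`; logs written in a different entry layout need their own pattern.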
Lastly, the video simplifies understanding costs associated with Azure utilization for cloud management. By examining cost analysis and resource consumption, users are reassured of the economic feasibility. The practical cost insights provided, especially for a larger client setup, help remove fears of unexpected expenses. Eventually, users are encouraged to explore new services and configurations with confidence.
Chapters
- 00:00 - 00:30: Introduction and Issue Identification In this chapter, the focus is on introducing the topic of troubleshooting within the context of cloud management gateways. The video referenced previously discussed setting up a cloud management gateway successfully. However, a problem has now arisen with the connection analyzer in the config manager console. The chapter sets out to resolve this issue, using it as a practical demonstration of troubleshooting within cloud management systems.
- 00:30 - 02:00: Analyzing Connection Analyzer Errors The chapter titled 'Analyzing Connection Analyzer Errors' describes the process of using the connection analyzer feature within a cloud management gateway. It begins with verifying the status of the cloud management gateway, ensuring it's ready. The user then signs into the connection analyzer as an Azure AD user, specifically as 'dean at get modern'. The chapter provides a walkthrough of initiating the connection analyzer process to perform various checks to ensure everything is functioning correctly.
- 02:00 - 04:00: Troubleshooting User Discovery Issues In this chapter, we start by verifying that the CMG (Cloud Management Gateway) services are in a 'ready' state, which confirms that they are functioning properly. The connection to the CMG service is checked to ensure it's operational; the service is confirmed to be running well. Configuration settings of the CMG are also verified and found to be up to date, which is a positive sign. Furthermore, the status of the CMG connection point is examined and shows all systems are functioning correctly. CMG-enabled site system rules are also verified, with no issues found at this stage. However, despite these positive checks, a major error is encountered, indicated by a big red error cross at the end.
- 04:00 - 06:00: Rerunning Discovery and Verification In this chapter, the focus is on a technical issue related to a CMG (Cloud Management Gateway) channel test for a management point. The management point referenced is the primary site server in use. During the process, an issue is highlighted where the process fails to retrieve a Configuration Manager token from Azure AD, indicated by a status code 403, which typically means access is denied. The error message also states that the request is unauthorized and suggests checking that the specified Azure AD user has been successfully discovered.
- 06:00 - 10:00: Verifying Logs and Management Point In this chapter titled 'Verifying Logs and Management Point', the narrator discusses the process of ensuring that Azure Active Directory (AD) is configured correctly for user discovery. They mention the importance of verifying setup through log files using the CMTrace tool. The process involves navigating to the log directory in the SMS_CCM folder under Program Files to identify any potential issues.
- 10:00 - 15:00: Analyzing Azure Costs in Lab The chapter titled 'Analyzing Azure Costs in Lab' primarily focuses on examining a log file named ccm_sts, which is used to analyze Azure costs. During the analysis, the user encounters errors, specifically a 403 error, which indicates that the Microsoft Azure Active Directory (AAD) doesn't fully recognize a user ID. The timestamp confirms these entries are recent. The discussion suggests the issue revolves around incomplete user discovery, implying that not all necessary user information has been identified or recorded within Azure, which could be contributing to access or functionality problems when analyzing costs.
- 15:00 - 21:00: Customer Example and Cost Analysis The chapter titled 'Customer Example and Cost Analysis' involves navigating through different log files to diagnose an issue within Microsoft Configuration Manager. The specific log file investigated is the AD user discovery log located in C:\Program Files\Microsoft Configuration Manager\Logs. In the process, a significant error is identified, which is indicated in red, mentioning 'error fails to bind ldap.' This chapter focuses on locating and interpreting errors within log files as a part of cost analysis and system diagnosis.
- 21:00 - 25:00: Conclusion and Next Steps The chapter titled 'Conclusion and Next Steps' discusses an issue with binding and impersonation in a directory setting. The speaker describes an error message indicating failure to enumerate directory objects in an Active Directory (AD) container. The error seems to be related to impersonating a specific user account, corp\lab admin, which suggests that the credentials for the lab admin user may not be up-to-date. This indicates a problem with the credentials being used for discovery, and highlights the importance of ensuring that user credentials are current and valid when conducting such operations.
HH07 - Troubleshoot Cloud Management Gateway - ConfigMgr (SCCM/MECM) Lab Tutorial Transcription
- 00:00 - 00:30 hey everybody in the previous video we looked at the cloud management gateway and set it up so it would work in our environment uh it seemed to go really well so next we're going to look at some logs and look at the azure costs and all that kind of stuff firstly though i hit a problem i tried to look at the connection analyzer in the config manager console and essentially it's hit an error so i thought we'd work through fixing that now as a good demonstration of how you can troubleshoot the cloud management gateway so let's jump on in so in the uh config manager admin console we're just going to click on the cloud services and
- 00:30 - 01:00 then cloud management gateway and you can see i've got my cloud management gateway there which seems to be all fine and status is ready if we go into the connection analyzer we can sign in as an azure ad user to check how this is going to go so i'm going to sign in as one of my ad users i'm going to go with dean at get modern at the moment so just click sign in and then all we do is click start and we'll go through all these checks to see if things are going well and so
- 01:00 - 01:30 it starts off with we're going to check the cmg services in the ready state which is good that seems to have passed it checks to connect to the to the cmg service to see if it's running which is also passed so that's great it checks the configuration settings of the cmg to make sure it's up to date which it is that's good it checks the status of the cmg connection point which are all green and it checks for the cmg enabled site system rules so so far so good uh then a big red error a big red cross
- 01:30 - 02:00 testing the cmg channel for management point and that gives the management point name which is the primary site server that we're using here so what's the issue so we click on that and you get more information about it and essentially it says it has failed to get the config manager token from azure ad and the status is 403 which something like access denied right at the bottom there it says the management point return the following error unauthorized request check the specified azure ad user
- 02:00 - 02:30 is successfully discovered now i know i've configured azure ad is good for me i know i've configured ad discovery for users so let's just take a look at what could be wrong so the first thing we can do is open up cm trace and take a look at some log files so start menu type cm trace it should be there so first we're going to go to c program files sms underscore ccm and open up the log directory there essentially we're going to look for a
- 02:30 - 03:00 log called ccm underscore sts which is right here so we'll just double click on that and ah we've got some errors there so taking a look at the date and time on these essentially looks like it's today which is good and it was a minute ago 3 30 ish so um yeah it came back with 403 and it says aad user with this id is not completely discovered so that makes sense so user discovery is
- 03:00 - 03:30 in a different log file it's in the ad user discovery log so we'll head over to there which is c program files microsoft configuration manager logs and it's in ad user disks so we'll double click on that and go into it and this is a huge log file so let's let's wait for this to load ah there it is so what errors have we got there we've definitely got an error which is red so that's good and it says error fails to bind ldap and then the the container that
- 03:30 - 04:00 it's trying to bind to which is corp d corp contoso.com with this error message and uh failed to enumerate directory objects in ad container and yeah so it's it's tried to impersonate corp slash lab admin it looks like i wonder if the credentials aren't up to date in the lab admin user i'm using to do this discovery so we're clearly using the lab admin
- 04:00 - 04:30 user for discovery there let's just double check that and verify that in the discovery methods we'll go into active directory user discovery and check go into the properties and see the account we're using for this is definitely corp slash lab admin so okay let's take a look in the account section in security and just reset that password and see if we can fix that error by setting a new password
- 04:30 - 05:00 so let's go into properties and choose set tap a new password in to make sure we're gonna test the right user and go and just choose a share that we want to use to verify the credentials uh we've got to shoot a share path through it yeah just choose a share path uh of let's go with the chq share and that's been verified so that's good so we know the password right now so we'll just click ok and then okay
- 05:00 - 05:30 and then click apply right so let's rerun this discovery then let's check to see whether uh discovery now works by running discovery again and then heading over to the log file and hopefully we'll see that it it doesn't have those errors again when it runs this just takes a few seconds to run so let's give it a few seconds we should see it populating this log file soon look at that so yeah that's really good so it's picked up a lot of users clearly i'd not had the password set correctly when i when i've been doing this setup so that's all good it's done a
- 05:30 - 06:00 load more discovery and so now i guess we just head over to the uh to the cloud management gateway section and run that connection analyzer again and see how we get on to sign in with one of my users and then choose start let's see how this goes okay so it's checked all green and all green yes so that's gone right through to the end and it's tested and it successfully verified the
- 06:00 - 06:30 cloud management gateway channel on that site server so that's really good news all right good so the point of this video was to show you some log files and the azure cost so we'll start with the log files and um and we'll see how we go so i'm logged into a client with lucy.tester and let's see what log files we can look at i'm going to go into the control panel and just verify that this computer is logged in to the cloud management gateway rather
- 06:30 - 07:00 than the internal server i have put it on the inter the on the on the external network so it shouldn't be able to contact the management point but let's just verify that by going to config manager client app so it says it's um currently on the internet and it's using this management point here but it'll be using that as the uh by proxy through the cloud app management point here okay good so this is kind of what we're
- 07:00 - 07:30 looking for here and this is the internet based management point fqdn that we're looking for so we're gonna go into cmtrace which isn't which isn't there i'm gonna go into same trace by finding c entries
- 07:30 - 08:00 that's just in this route here and so in the logs folder we're looking for um looking for location services at this point just to verify that it really has picked up the internet based management point let's take a look
- 08:00 - 08:30 okay so relatively recently about five minutes ago we see it picked up this internet management point from here which is good and then we see also we've got this management point name here using https great okay so we're going to go into another log file which is client id manager startup okay
- 08:30 - 09:00 so right from the bottom there we see it's the client selected the pki certificate with this thumb print for this computer name and this is the one we're using okay and then finally we're going to get another log file which is ccm messaging and just show that the mess the ccm messages are being sent via the cloud management gateway you can take a let's take a look at this so scroll down to the bottom
- 09:00 - 09:30 and you can see it says outgoing message uh queue location manager delivered successfully to this host here which is my cloud management gateway so it's sending messages you know very regularly every every few seconds or every few minutes or so so that clearly makes it um it clearly shows that it's on the cloud management gateway interesting it was around about 10 minutes ago at the start of this video that i
- 09:30 - 10:00 s selected the to switch from the internal network to the external network and as you can see this is when it stopped using the internal management point and switch to the external management point so you can verify that it's working by going into these logs and taking a look all right so it's it's getting dark um the last thing we wanted to do was take a look at the cost side of the cloud management gateway so let's jump into my lab environment in the azure portal and take a look at what
- 10:00 - 10:30 it's costing me to run this environment right now so if i just go into my resource groups here and then click on the cmg resource group that i created earlier on and then go into cost analysis i'll just click on cost by resource to get this nice table and so not a lot right so it's seven seven pounds at the moment and if we look at the cloud service uh it's currently costing me so far
- 10:30 - 11:00 uh for the well for the past three weeks it's cost me six pounds 96 it's about 10 or so and uh not a lot of bandwidth costs for data transfer out we look at the storage account that's this is where the actual data transfer happens costs 22 pence so about 40 cents for um for the data transfer the bandwidth egress from my azure storage
- 11:00 - 11:30 so that's you know not a lot of money here so i want to show you in the lab environment just so you had a feeling for what it was costing me with my lab i do have an example from a customer i work with who have around about two and a half thousand clients and they're running it pretty much all of their app deployments through at the moment because it's it's much more efficient for them to have all their staff accessing their content from the internet rather than uh via via the internal network so we'll jump over to that
- 11:30 - 12:00 environment now and see what see what they're paying okay so i'm gonna blank out some of the names here to make sure this is this is able to be shared but um we have uh a cost from around about the well i think just this month right now so the 24th of 24th of may so about 24 days we have a cost of around 65 uk pounds right now and if we look at the cloud service we have uh 44 pounds
- 12:00 - 12:30 so about 60 65 for the cloud services av2 series um which an a2v2 uh machine based in us east and then for the egress storage cost is around six pence per gigabyte of data egress from the service he's uh he's currently six 16 pounds that they're being and so as i say they've got around 2 000
- 12:30 - 13:00 clients running with this environment at the moment we're going to take a look at the config manager side of that to understand where these numbers are coming from and how many clients are connecting via the cmg just to see where this where this goes so in our admin console we're going to go to monitoring and then go scroll down and take a look at cloud management and at the top the first thing you'll see is uh is the azure ad statistics so this really isn't relevant for this
- 13:00 - 13:30 bit right here so we're going to close that down and if we take a look at the cmg services so a load of big numbers here this is a very well used service we've got around um around 4 000 identities contacting the cmg over this period and this graph here gives you a good idea of uh of what's going on so we have 16 online clients from the cmg and 255 from the internet management point for you know
- 13:30 - 14:00 management point traffic uh but these computers will be pulling their content from the cloud management gateway because that's the only place we put the content right now so there you go hopefully that's given you an idea of how to track your costs and look at your costs with the cloud management gateway and hopefully reassure you that it's not actually that expensive to try it out it's you know seven pounds for me to try it out in my lab and then in production for 2 000 clients it's only around 60 pounds a month anyway so yeah give it a go okay so ready to get this video finished before the light
- 14:00 - 14:30 really runs out so essentially what we've done here is looked at the cloud management gateway setting it up in the previous video and then troubleshooting it all taking the local log files and analyzing the costs in this video next we're going to move to enhanced http rather than https to see what you can get from just not worrying about pki at all if you've liked this video please like and subscribe and we'll get more content to you as soon as we can see you next time