Resolving Nomad Dashboard issues
Some common issues when installing, configuring or using the Nomad Dashboard.
Client version and Client Health tiles
Tiles no longer updated with Nomad 7.0
Nomad 7.0, implemented through the 1E Client, no longer includes 1E Client Health. The Client Health Status tile and associated drill-down data will not be updated by clients after upgrading from previous versions of Nomad. Also, the Client Version Distribution tile and associated drill-down data will not show Nomad 7.0 clients (Nomad 7.0 clients will show as 'Missing' in this dashboard tile).
The functionality of 1E Client Health is now provided through the Guaranteed State feature of the 1E Tachyon platform. Please refer to Tachyon 5.1 - Nomad Client Health Policy for more details.
The Nomad Dashboard, Nomad Sync and Nomad Pre-cache features rely on an SQL linked server connection between the ActiveEfficiency database and the Configuration Manager database. When the Configuration Manager database, Active Efficiency database and Active Efficiency service are installed on three separate servers, SPN registration and account delegation must be properly configured in Active Directory to allow the ActiveEfficiency service to obtain information from the Configuration Manager database through the linked server created on the ActiveEfficiency database server.
This scenario is commonly referred to as a double hop, and it requires that the ActiveEfficiency database service account be allowed to delegate to the Configuration Manager database service.
To enable secure delegation the following is required:
- Service Principal Names must be registered for each SQL database (Active Efficiency and SCCM) service account. The syntax to list currently registered SPNs is setspn -L <domain\SQL service account>. For example:
  If you need to create an SPN, the syntax is setspn -S MSSQLSvc/SQLServerFQDN:SQLInstance <domain\SQL service account>. You can derive the SPN name from the error message, for example:
- A Kerberos connection must be possible to each SQL service. Run this query from a machine other than the SQL server. It should return KERBEROS if the service is configured correctly.
  You must run this remotely from the SQL server. If you run it on the SQL Server itself, it will always return NTLM. The Microsoft Kerberos Configuration Manager for SQL Server tool can also be useful in setting up Kerberos authentication for SQL Server.
- The ActiveEfficiency SQL service account must be trusted to delegate to the Configuration Manager SQL service. In the illustration below, AESQLService is the account under which the ActiveEfficiency SQL database service is running, and 1ETrainCMPRI is the name of the SCCM primary SQL database server:
- If the ActiveEfficiency service is not running under a system account (typically Network Service), then it must be allowed to delegate, so the highlighted option should NOT be checked (AEService is the ActiveEfficiency service account):
- Also, make sure that the ActiveEfficiency service account has permission on the Configuration Manager site database. By default, the service account is Network Service, so the ActiveEfficiency server's computer account must be granted access. For standalone primary site environments, permissions are assigned to the ActiveEfficiency service account automatically using the ConfigMgr_DViewAccess Windows local group native to Configuration Manager. For a CAS, this group is not created natively and additional steps are required to allow access.
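The SPN, Kerberos and delegation prerequisites above can be checked in one pass. The PowerShell below is an added example, not 1E tooling. The name CMSQLService, the server FQDNs, the auth_scheme query (a standard SQL Server DMV query, not one quoted from this page) and the reading of the "highlighted option" as "Account is sensitive and cannot be delegated" are assumptions.

```powershell
# Added example, not 1E code. All account and server names are placeholders.
# Assumes domain user service accounts and the RSAT ActiveDirectory module.
# Run from a workstation, not on either SQL server (a local connection reports NTLM).
Import-Module ActiveDirectory

$AeSqlAccount = 'AESQLService'   # ActiveEfficiency SQL service account
$CmSqlAccount = 'CMSQLService'   # Configuration Manager SQL service account
$AeSvcAccount = 'AEService'      # ActiveEfficiency service account; $null for Network Service
$SqlServers   = 'aesql.example.local', 'cmsql.example.local'

function Get-SqlSpn([string]$Account) {
    # Same data as `setspn -L`, filtered to the MSSQLSvc service class.
    $user = Get-ADUser $Account -Properties ServicePrincipalName
    @($user.ServicePrincipalName | Where-Object { $_ -like 'MSSQLSvc/*' })
}

function Get-SqlAuthScheme([string]$Server) {
    # Connects as the current Windows user and asks SQL Server how this session
    # was authenticated. The caller needs VIEW SERVER STATE to read the DMV.
    $conn = [System.Data.SqlClient.SqlConnection]::new(
        "Server=$Server;Database=master;Integrated Security=SSPI;Connect Timeout=10")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        [string]$cmd.ExecuteScalar()
    } catch {
        "FAILED: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

$cmSpns = Get-SqlSpn $CmSqlAccount
$aeSql  = Get-ADUser $AeSqlAccount -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
# Constrained delegation: SPNs of the Configuration Manager SQL service that the
# ActiveEfficiency SQL account is allowed to delegate to.
$allowed = @($aeSql.'msDS-AllowedToDelegateTo' | Where-Object { $cmSpns -contains $_ })

$report = [ordered]@{
    'AE SQL SPNs'                        = (Get-SqlSpn $AeSqlAccount) -join ', '
    'CM SQL SPNs'                        = $cmSpns -join ', '
    'AE SQL may delegate to CM SQL SPNs' = $allowed -join ', '
    'AE SQL trusted for ANY service'     = $aeSql.TrustedForDelegation  # broader than required
}
if ($AeSvcAccount) {
    $svc = Get-ADUser $AeSvcAccount -Properties AccountNotDelegated
    $report['AE service flagged sensitive (cannot be delegated)'] = $svc.AccountNotDelegated
}
foreach ($s in $SqlServers) { $report["auth_scheme on $s"] = Get-SqlAuthScheme $s }
[pscustomobject]$report | Format-List
```

An empty "may delegate to CM SQL SPNs" line together with "trusted for ANY service" set to True means the double hop works only through unconstrained delegation, which grants the account more than the linked server needs.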
Other things to note
Is the ActiveEfficiency service running? Open the Services.log and WebService.log to check the health of the ActiveEfficiency Nomad sync. The most common error that we encounter in the logs is:
This error means that Kerberos authentication failed, either because the SPN registration or account delegation (as described above) is not correctly set, or because the ActiveEfficiency service account does not have rights to read the Configuration Manager database.
Is Nomad sync enabled? We can verify that by initiating the Nomad-ActiveEfficiency sync and looking at the Services.log located under C:\Programdata\1E\ActiveEfficiency.
To initiate Nomad sync, run:
We should have an entry like below in the Services.log:
If it's not enabled, the log will display a message that Nomad sync is not enabled. You can also verify what details were provided for the Configuration Manager database (such as the name of its server and database) during ActiveEfficiency installation, by running the following SQL query against the ActiveEfficiency database:
No data available
The Nomad Dashboard uses the RBAC lists from Configuration Manager to determine if a user can view data in the Nomad Dashboard tiles. If a user has not been granted rights in Configuration Manager, or if ActiveEfficiency is unable to determine the user's permissions in Configuration Manager, Active Efficiency will not display any data in the Dashboard tiles.
In order for users to view data in the Dashboard tiles, users must be granted these permissions:
Boot Image Package
Read, Read Resource
Operating System Image
Operating System Upgrade Package
Task Sequence Package
- The ActiveEfficiency service account is unable to query group membership in AD. Under normal circumstances this should not be an issue, as the service account will have this ability unless it has been explicitly denied. However, Active Efficiency 1.9.500 did experience a problem where occasionally the ActiveEfficiency service account would be unable to obtain all of the group membership for an account from Active Directory. This was fixed in Active Efficiency 1.9.600.
- The user accessing the Nomad Dashboard is a member of multiple groups which have been granted rights in Configuration Manager. This was fixed in Active Efficiency 1.9.600.
- The user accessing the Nomad Dashboard is a member of an accounts domain that differs from the domain the Active Efficiency server is in. This was fixed in Active Efficiency 1.9.800.
Prompting for credentials
Windows Security prompts for a user name and password when accessing the Nomad Dashboard from within the ConfigMgr console (Monitoring, Overview, 1E Nomad, Dashboard) or directly via the Nomad Dashboard web site (http://ActiveEfficiency server name/ActiveEfficiency/NomadDashboard).
If no valid user name and/or password is provided, the Nomad Dashboard tiles do not display data and error 401 is returned. When a valid user name and password is provided in the Windows Security window, the Nomad Dashboard starts and loads the tiles successfully.
The common cause is that the Nomad Dashboard web site has not been added to the Local Intranet web site list in the web browser, either on the system running the ConfigMgr console with the Nomad Dashboard feature enabled or on the server/client accessing the Nomad Dashboard web site (https://ActiveEfficiency server name/ActiveEfficiency/NomadDashboard) directly from a web browser.
To mitigate this, on the system running the ConfigMgr console with the Nomad Dashboard feature enabled or on the server/client accessing the Nomad Dashboard web site (https://ActiveEfficiency server name/ActiveEfficiency/NomadDashboard):
- Open your web browser such as Internet Explorer.
- On Internet Explorer, click on Tools, Internet Options, Security tab, Local Intranet, Sites.
- Add the Nomad Dashboard web site to the Website list.
- Click Close followed by OK.
The procedure above may vary between web browsers. The URL added to the Local Intranet zone must exactly match the URL used by the Configuration Manager console; alternatively, add URLs using both the FQDN and the NetBIOS name of the Active Efficiency server. This is a per-user setting and will need to be configured for each user accessing the dashboard.
It is also possible that Windows Authentication is not enabled in IIS on the Active Efficiency web site. If it is not, ensure Windows Authentication is installed and enabled on the ActiveEfficiency web site.