Site icon TheWindowsUpdate.com

The case of unexplained – ConfigMgr 2012: Mismatch in a User collection members count in Primary and CAS

This post has been republished via RSS; it originally appeared at: Configuration Manager Archive articles.

First published on TECHNET on Jun 08, 2015
https://blogs.technet.microsoft.com/umairkhan/2015/06/08/configmgr-2012-the-case-of-unexplained-mismatch-in-a-user-collection-members-count-in-primary-and-cas/

 

Issue:

=====

Only a single custom user collection (rest others work fine) doesn’t replicate it members up in the hierarchy to CAS. We see 23 members down in that collection and nothing in CAS. We have a CAS and 6 primaries and all these 23 members we are talking belong to a single primary.

 

More details on how the collection is defined. It’s an App collection meant for uninstallation applications. So it detects the application is installed for a machine by a user by the SMS_G_System_AppClientState class. The query used is as described in

http://blogs.technet.com/b/configmgrdogs/archive/2014/11/03/managing-app-v-deployments-in-configmgr-2012.aspx

 

 

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain 
from SMS_R_User inner join SMS_G_System_AppClientState on SMS_R_USER.UniqueUserName = SMS_G_System_AppClientState.UserName 
where SMS_G_System_AppClientState.AppName = "APPLICATIONNAME" 
and SMS_G_System_AppClientState.ComplianceState = 1

 

 

Assessment:

=========

Now the basic things that initially comes to mind when the data is there on the child but not there on the CAS is replication. Yes DRS! But we have verified tracking the number and changes for the replication group Collection_Membership being the latest on CAS and links are ACTIVE.

-          VLOGS don’t show any exceptions in processing any record and all looks good. So why the mismatch?? Or What’s happening here?

 

Dissection:

========

Here normal troubleshooting basically will defy and frustrate you unless the evaluation logic is known. I will first explain the concept then we will come back to the issue again.

Suppose we have a hierarchy:

 

Difference between evaluation in a User collection and Device collection:

 

                So collections ([Collections]) are global data, no matter you create them at any site they will replicate to all other sites. [CollectionMembers] as client data are site data. So if I create a collection membership rule for a device collection as all Windows 7 machines on CAS, what happens?

-          Note that there is no CollEval at CAS, and the rule flows down to each primary as global data. The collection membership is locally calculated for each site individually and independently. And once done each sites updates its [CollectionMembers] and send the membership to CAS.

-          Now CAS then holds the data in the [CollectionMembers] from all the sites.

 

-          So suppose if there were total 7000 Win7 machines in the hierarchy. What we will see on CAS is Member Count = 7000 and Members Visible on site = 7000. Taking the example of hierarchy above supposedly assuming if each primary has 3500 Win7 clients then on both the Primary sites collection view will show Member Count = 7000 and Members Visible on site = 3500.

-          Yes, the primary knows the total count as it is again a global data stored in [CollectionMemberCounts]

 

I hope majority of us know the part above. Let’s bring in the tricky part. Is it the same for a user collection in a hierarchy? You guessed it right NO!

 

Now the reason for that NO is we don’t have the need for each site to independently send the data to CAS as USERS are considered as global data. So what do we do?

 

 

Everything thing is same except the part I already mentioned. We just select a single site to send the membership changes to the CAS on behalf of all other primaries. So that special primary is the first primary site that you created in the hierarchy.

So if the previous admin left the job, how do we find the first primary site?

 

 

select * from sites where ReplicatesReservedRanges = 1

 

Yes, the above will give you the first primary site. Coming back to the assumed hierarchy, If a have a user collection and I added a user resource in PR2 then:

  1. PR2 on collection evaluation will update its CollectionMembers. So the Member Count on PR2 will be still the old value but ‘Members Visible on Site’ will increase by 1 as mentioned earlier CollectionMemberCounts is global data and CAS still does not know of this addition.
  2. PR1 on collection evaluation will update its CollectionMembers and *send the changes to the CAS*. The Member Count on PR1 will be still the old value but ‘Members Visible on Site’ will increase by 1 as mentioned earlier CollectionMemberCounts is global data and CAS still does not know of this addition.
  3. CAS will see now a members addition via DRS message received now and update its members and update the total member count for that collection.
  4. This will replicate back to the Primary site and then member count will be updated on them.

 

So as of now I think in logical means be it User or Device collection the Members visible on site cannot be greater than total Member Count. We are done with the concept part now! J

 

Coming back to the issue, Why are CollectionMembers not replicating up to CAS on this scenario.

 

Note that we use SMS_G_System_AppClientState class in the collection query. This actually corresponds to fn_ListAppClientState() function in SQL. If you see it’s definition:

 

SELECT 
         appname.DisplayName AS AppName,
         ci.CI_ID as AppCI,
         ci.ModelId as AppModelID,
         ci.ModelName as AppModelName,
         sd.Name0 as MachineName,
         us.FullName as UserName,
         ccs.ComplianceState as ComplianceState,
         ccs.CIVersion as Revision,
         sd.ItemKey as ResourceID
  FROM CI_CurrentComplianceStatus ccs
  INNER JOIN vSMS_ConfigurationItems ci ON ci.ModelId = ccs.ModelID AND ci.IsLatest=1 AND ci.CIType_ID = 10
  INNER JOIN System_DISC sd ON sd.ItemKey = ccs.ItemKey 
  INNER JOIN Users us ON us.UserID = ccs.UserID
  LEFT JOIN fn_LocalizedCIProperties(@LocaleID) AS appname ON ci.CI_ID = appname.CI_ID

-          So this function is basically telling you the compliance state for an application installed on a machine by a user.

-          So here is the catch, CI_CurrentComplianceStatus is a site data table and though user is global info, machine is site data. We will replicate the whole site data up in the CAS.

-          Also, take an example of the hierarchy here, if suppose a user installed an app in PR2 then:

  1. PR2 collection membership will update and it will update the CollectionMembers locally.
  2. PR1 on its evaluation of this collection *will not find any changes* as the CI_CurrentComplianceStatus table is site data specific. And hence PR2 data will stay at PR2 and then move to CAS but not known to PR1.
  3. Now, Since PR1 is the first site it will not replicate the CollectionMembers as it did not know of the changes of insertion in the PR2 CollectionMembers as collection was based on CI_CurrentComplianceStatus which is site data specific.
  4. CAS will not know of any members being added and will also not update its CollectionMembers and increase the CollectionMembersCount.

 

Yes, that’s the issue :) 

 

To summarize how it looks when we have the issue. SQL queries:

On PR2: [Members visible on site > Member count :) ]

 

Console

SQL

 

On PR1:

 

Console

SQL

 

On CAS:

 

Console

 

SQL

 

Conclusion: Don’t use a site data dependent criteria in a User based collection. Not that I can find any documentation on this and this is going by design! :)

 

Please do let me know if there are any corrections to this.

Hope it helps!

 

-UK

ConfigMgr | @TheFrankUK

Exit mobile version