I ran into an interesting issue with an SCCM implementation in an environment that uses Cisco NAC to protect its system resources from unauthorized devices. One of the goals of the implementation was to ensure the SCCM clients could still function when no user was logged into Windows, which means the NAC agent has not yet authenticated the machine onto the production VLAN. To accomplish this, the ports used by SCCM needed to be opened, allowed, and unrestricted to the SCCM servers.
The issue we found was that when the computer was on the “dirty” VLAN, the SCCM client would switch from being an Intranet client to an Internet client. Furthermore, the client’s LocationServices log showed that it was failing to locate both the MP and the SLP from AD.
Using the network monitoring tool Wireshark, we identified that the client was trying to communicate with AD on TCP port 3268, the standard port Active Directory uses for LDAP queries against the Global Catalog. Checking the NAC configuration, it was certainly not allowing communication over that port. As soon as that port was allowed, the SCCM client immediately began functioning, downloading software updates and SWD packages. Who knows what else was fixed through this discovery…
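The fix above boils down to one question: from the quarantine VLAN, with nobody logged on, can the machine reach every port an SCCM client depends on? The following PowerShell script is an added example, not code from the original post, that answers it before a NAC rollout rather than after a Wireshark session. It discovers the Global Catalog servers from the forest's _gc._tcp SRV record and probes TCP 3268 (the port found blocked here), then probes the management point. The management point name sccm-mp.example.local and the default HTTP/HTTPS client ports 80 and 443 are assumptions and must be replaced with your site's values; the computer's domain is read from the network stack rather than from user environment variables so the script also works under the SYSTEM account when no user is logged on.

```powershell
# Added example (not part of the original post): pre-flight reachability check
# for the ports an SCCM client needs while the machine sits on the NAC
# quarantine VLAN with no user logged on. Server names are placeholders.

# Discover Global Catalog hosts from the forest's _gc._tcp SRV record so the
# TCP 3268 probe targets real domain controllers. The domain is taken from the
# network stack, which is populated even under SYSTEM (no interactive user).
function Get-GlobalCatalogHosts {
    param(
        [string]$ForestDns = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    )
    try {
        Resolve-DnsName -Name "_gc._tcp.$ForestDns" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget -Unique
    } catch {
        Write-Warning "SRV lookup for _gc._tcp.$ForestDns failed: $($_.Exception.Message)"
        @()
    }
}

# One TCP reachability probe. Returns an object instead of printing so results
# can be filtered, exported, or diffed between the quarantine and production VLAN.
function Test-SccmPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [string]$Purpose
    )
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target    = $ComputerName
        Port      = $Port
        Purpose   = $Purpose
        Reachable = [bool]$r.TcpTestSucceeded
    }
}

$checks = @()
foreach ($gc in Get-GlobalCatalogHosts) {
    # TCP 3268: Global Catalog LDAP, used by the client to locate the MP/SLP from AD.
    $checks += Test-SccmPort -ComputerName $gc -Port 3268 -Purpose 'AD Global Catalog LDAP'
}

# Assumed management point name and default client ports; adjust to your site.
$mp = 'sccm-mp.example.local'
$checks += Test-SccmPort -ComputerName $mp -Port 80  -Purpose 'Management point (HTTP)'
$checks += Test-SccmPort -ComputerName $mp -Port 443 -Purpose 'Management point (HTTPS)'

$checks | Format-Table -AutoSize

# Anything unreachable from this VLAN is a candidate for the NAC allow-list.
$blocked = $checks | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '
    Write-Warning "Blocked from this VLAN (add to the NAC allow-list): $list"
    exit 1
}
```

Run it from a machine parked on the quarantine VLAN (for instance as a scheduled task under SYSTEM, so no user logon alters the NAC posture) and compare the table with the same run from the production VLAN; any row that flips from Reachable to blocked is a port the NAC policy still needs to open toward the SCCM servers or domain controllers.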
Filed under: SCCM, Troubleshooting