I have followed through all the steps but I seems to be having a problem connecting to the enrollment server from the mobile emulator. I came across a tool called EM IP Utility, installed it on the emulator and scaned it for assigned IP but the IP assigned to it is wrong. I have enabled the NE2000 PCMCIA network adapter and bind it to the VMWare Accelerated AMD PCNet Adapter.

Any reason why the emulator is not picking the IP address assigned to the server?

Assigned IP is 192.168.55.101
Expected IP is 192.168.10.xxx

When it fails during enrollment with an error like this the steps you should check are:
- You have a valid SSL certificate for the enrollment site. (Should be fixed during install but you never know.)
- If you don’t use mobileenroll.contoso.com as the address you will need to type it in manually on the device.
- The certificate will be checked so if you type in 192.168.x.y it will fail if the certificate isn’t issued to this name.
- Are you using multiple domain names and e-mail addresses? Always test using the primary address if you’re having problems.

Still no go? You could test the webservices on a desktop to see if you are eligible for enrollment.

“We are unable to localte a server successfully, but enrollment could not complete. Verify your e-mail address and enrollment password, and then try again.”

I’ve entered the information correctly..

When I go to enroll a device I receive the following:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00

Enrollment Data
Failed

Error:
You are not authorized to perform this action.

Mobile Device Manager Shell command attempted:
New-EnrollmentRequest -Owner ‘CN=Domain Username Removed,CN=Users,DC=domainname,DC=ca’ -Name ‘TouchPro2′ -Container ‘OU=SCMDM Managed Devices (ALLSOL),DC=domainname,DC=ca’

Elapsed Time: 00:00:00

—

BPA comes back with 4 warnings that are performance related (I’m setting the servers up in VMWware (SCMDM = 2003 x64 Enterprise / Cert Server on Server 2003 x86) such as low ram, disk space, and processor speed. Everything else has green checkmarks.

I’m running MDM Console as Aministrator and have ensured that account is part of the 5 crucial SCMDM groups and Domain Admins.

Provided you aren’t trying to run them both on port 443 or a similar conflict. The SSP can be run on a different port, but the enrollment site needs to run on port 443 for devices to be able to enroll. Port 8445 is for the admin part of it, and it is correct that some of the web service methods can only be run from localhost. I have another post detailing how the web services work, and how they can be used.

Are you running multiple MDM roles on a single box (like in my test scenario) or have you split the roles over different boxes? Are you running the DC and MDM on the same server? This may create access issues. I cannot remember any issues using the domain admin account for administrating the MDM servers as long as this account is also a member of the MDM groups. (Remember to logout and login for the membership to apply.) I usually attempt device enrollment with a normal user account though.

If I were to troubleshoot the issue I’d have a crack at the following steps:
- Check Event Viewer for any suspicious error messages.
- Check that you have the correct DNS entries. Records for mobileenroll, for the SSP, for MDM, etc. You can have multiple records pointing to the same IP address.
- Double check that certificates are installed, and are valid.
- Check IIS that the host names apply to the correct web site, the correct ports, and that there are no conflicts in the IIS setup.

If all is good you could attempt a repair install of the enrollment role.

If I try to access the link from the hyper-v host (also a machine on the virtual network) I do get access to the Enrollment Admin web site with several links to enrollment administration . However, if I select any of the links it tells me that “this test form is only available from the local machine”.

The BPA Predeployment and Postdeployment test returned no errors. However, the Active Directory Validation had one error on the MDM Instance Property; Keyword portalurl was not created.

I have not found any reference to this error.

Then, when I do the device Pre-Enrollement and select a user from AD then click the CREATE button, it gives the following error;

Error Contacting Server https://mobileenroll.domain.com:8445/MDM/enrollmentadminservice/admin.armx
The request failed with HTTP status 401: Unauthorized

I am a domain admin and also in the SCMDS Server Admins group.

I don’t know where to look for this or whether the AD Validation error is related to the failure to Pre-Enroll the device.

I would be most grateful for some direction.

Glad to be of help if I pointed you in the right direction