I have had a scenario with pretty simple FEP 2010 with Update Rollup 1 configuration: basic topology with remote reporting server. In this scenario I had two servers: one primary site server and another reporting server with SRSS on board.

Symptom

After FEP server components installation everything works fine except alerts. I have tried to send test email using Windows Integrated or Anonymous authentication but had zero success results. Nothing was wrong on a first sight with primary site server, its firewall or destination email server. I checked email server by spoofing it via telnet and have test email arrived to my Inbox. (For those who curious how to do it you can find step by step instruction here http://support.microsoft.com/kb/153119). So nothing was wrong with email server or port on firewall. I have checked FEP event log and found nothing there connected to test email as well. I have had no choice so I called Microsoft Premier Support and ask them to help me. CritSit A was opened because this scenario was happened on customer FEP brand new installation and customer has intention to start production deployment of FEP clients in couple of days.

Resolution

PSS guys asked me to change FEP event trace logging mode to Verbose. I stopped trace (trace file was cleaned). Started trace again and restarted Forefront Endpoint Protection Monitoring Service (FepSrv.exe) and tried to send test alert email again. After that I stopped FEP event trace and gave result file to PSS guys for further investigation. They came back to me with question about microsoft.configurationmanagement.managementprovider.dll file located in “C:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\bin” folder. They told me FEP monitoring service couldn’t use it and asked me to check it. This is what I done:

  1. I compared ACL of this folder with similar installation on my LAB and found that customer’s folder doesn’t have local group “Users” with read and execute permissions. I fixed it.
  2. I run command – tasklist /m "microsoft.configurationmanagement.managementprovider.dll” and found an error in the output.
  3. I checked DLL name and found that it was updated during SCCM KB2271736 update http://support.microsoft.com/KB/2271736. I replace it with original DLL from KB.
  4. Run tasklist command again and found same error. I rebooted server. Run tasklist command again after reboot and received response that FepSrv.exe is using this DLL.
  5. After that I run SCCM console with FEP dashboard installed and run test alert. I have received result in the Forefront event log and test email in my Inbox.

Case closed