Replace certificate server
I have installed a new two-tier PKI (Windows 2008 servers) and now the time has come to get MDM SP1 to work with the new cert server. I have prepared the users for a hard reset and new enrollment.
What would be the best approach? Should I do an uninstall/reinstall of each component, and do I have to run the ADConfig tool to set some rights for the new cert?
In this process I would also like to fix a couple of issues:
1. It seems like my MDM instance name today is SCMDM2008; this name is not supported according to TechNet?
2. BPA gives an error on SQL: "The SQL Server instance is not bound to the selected MDM instance. You cannot check other SQL Server issues until you provide the appropriate SQL Server instance. Use the Get-MDMInstance cmdlet to retrieve the SQL Server instance associated with the selected MDM instance." I have seen similar errors reported here on the forum, and this could be because of a missing FQDN of the SQL server in the installation of the Enrollment and Management Servers.
I have two servers: one gateway server in the DMZ and the other for the rest, including SQL and WSUS.
Everything has been working fine, except that the clients do not report back to the software distribution console as they should. It reports correctly only when I deploy a new software package.
Any tip is appreciated
EBE
Hi Espen, if you don't have that many production clients I would recommend a clean uninstall and re-install using the new CAs and running the proper ADConfig steps.
Also, be aware of the potential client-side patch you may need to use the Windows 2008 CA on down-level Windows Mobile 6.1 clients. Please see my old post here:
http://myitforum.com/cs2/blogs/mnielsen/archive/2009/06/05/scmdm-2008-sp1-support-for-windows-2008-ca.aspx
|\\arco..
Proposed as answer by Wayne Phillips, MVP, Moderator, Thursday, October 01, 2009 12:16 AM
Since you are hard resetting your devices, you might as well start from scratch. I totally agree with Marco's suggestion. There are a few caveats when using multi-tier CAs and some for using Windows 2008 CAs, so make sure you cover these off. The Windows 2008 CA's default settings are set to sign 2048-bit keys. The MDM enrolment process generates 1024-bit keys, so you need to make sure your CA will sign 1024-bit key requests. You also need to make sure you deploy both the Root Certificate Authority and the Intermediate Certificate Authority to the devices.
This would help you clean up the old "SCMDM2008" container.
Good luck with the migration.
Cheers, Wayne
Airloom

Thank you for the help so far.
I have tried to reinstall MDM but am facing some problems right away with adconfig /validateinstance and the BPA. I first thought I could ignore the errors that validateinstance gave me, because the error at the end of the log below has to do with the old certificate server, which is not in use. I have since validated this by creating another instance and cert templates against the old CA; then I get the exact same security error for the new CA.
Before I started the installation I uninstalled the Management Server and Enrollment Server and removed the old templates and the scmdm2008 instance with adconfig.
I installed the Enrollment and Management Servers and they installed without any errors; however, the BPA gives me critical issues:
- Not able to connect to the web service. URL is https://mobileenroll.mycompany.com:443/EnrollmentServer/Service.asmx.
- Client website port is 443
- Client website host is mobileenroll.mycompany.com
- The remote certificate is invalid according to the validation procedure.
It gives the same error for Enrollment Server, Enrollment Admin and both Management components; however, I can browse the enrollment URL and the certificates look fine in IIS Manager.
Maybe my configuration with a 2003 domain and a 2008 CA is not supported? I was advised to keep the old CA for a while and not uninstall it or remove it from the domain. They are now both working in "parallel" in the domain. Could this be a problem?
It should not be a DNS problem because I use the same URLs as before I reinstalled.
The System Center Mobile Device Manager Active Directory Configuration tool will be run with the command line options: [ /validateinstance:icmobile /domain:mycompany.org]
ERROR : System Center Mobile Device Manager instance icmobile is not valid. The availability will not be checked.
Container SCMDM successfully created.
Service connection point icmobile was successfully created.
Security setting for service connection point icmobile is valid. Group SCMDMServerAdmins (icmobile) has the right permissions on this service connection point.
Security setting for service connection point icmobile is valid. Group SCMDMSecurityAdmins (icmobile) has the right permissions on this service connection point.
ERROR : Some keywords created by System Center Mobile Device Manager Setup are not present.
Keyword icmobile was successfully created.
Keyword 1860FB7C-44BA-4a72-B355-EF3BB63292B3 was successfully created.
Keyword instancefriendly was successfully created.
Keyword instance was successfully created.
Keyword version was successfully created.
Keyword database was successfully created.
Keyword sqlinstance was successfully created.
Keyword dmadminurl was successfully created.
Keyword dmurl was successfully created.
ERROR : Keyword portalurl was not created.
Keyword enadminurl was successfully created.
Keyword enurl was successfully created.
Keyword serverca was successfully created.
Keyword servercaname was successfully created.
The Managed Devices organizational Unit SCMDM Managed Devices (icmobile) was successfully created.
Security setting for Managed Devices organizational unit SCMDM Managed Devices (icmobile) is valid. Group SCMDMEnrollmentServers (icmobile) has the right permissions on this organizational unit.
Container SCMDM Infrastructure Groups (icmobile) successfully created.
Group SCMDMServerAdmins (icmobile) successfully created.
Group SCMDMServerAdmins (icmobile) exists and has the right security settings.
Group SCMDMDeviceAdmins (icmobile) successfully created.
Group SCMDMDeviceAdmins (icmobile) exists and has the right security settings.
Group SCMDMDeviceSupport (icmobile) successfully created.
Group SCMDMDeviceSupport (icmobile) exists and has the right security settings.
Group SCMDMHelpdeskOperator (icmobile) successfully created.
Group SCMDMHelpdeskOperator (icmobile) exists and has the right security settings.
Group SCMDMDeviceManagementServers (icmobile) successfully created.
Group SCMDMDeviceManagementServers (icmobile) exists and has the right security settings.
Group SCMDMEnrollmentServers (icmobile) successfully created.
Group SCMDMEnrollmentServers (icmobile) exists and has the right security settings.
Group SCMDMEnrolledDevices (icmobile) successfully created.
Group SCMDMEnrolledDevices (icmobile) exists and has the right security settings.
Group SCMDMSelfServiceServers (icmobile) successfully created.
Group SCMDMSelfServiceServers (icmobile) exists and has the right security settings.
Group SCMDMAuthorizedUsers (icmobile) successfully created.
Group SCMDMAuthorizedUsers (icmobile) exists and has the right security settings.
Group SCMDMReadOnlyUsers (icmobile) successfully created.
Group SCMDMReadOnlyUsers (icmobile) exists and has the right security settings.
Group SCMDMSecurityAdmins (icmobile) successfully created.
Group SCMDMSecurityAdmins (icmobile) exists and has the right security settings.
Template SCMDMMobileDevice (icmobile) was successfully created.
Security setting for template SCMDMMobileDevice (icmobile) is valid. Group SCMDMEnrolledDevices (icmobile) has the right permissions on this template.
Template SCMDMMobileDevice (icmobile) is enabled on certification authority nor01CA01.mycompany.org\Mycompany-Enterprise-CA.
WARNING : Template SCMDMMobileDevice (icmobile) is not enabled on certification authority nor01dc01.mycompany.org\nor01dc01.
Template SCMDMWebServer (icmobile) was successfully created.
Security setting for template SCMDMWebServer (icmobile) is valid. Group SCMDMServerAdmins (icmobile) has the right permissions on this template.
Template SCMDMWebServer (icmobile) is enabled on certification authority nor01CA01.mycompany.org\Mycompany-Enterprise-CA.
WARNING : Template SCMDMWebServer (icmobile) is not enabled on certification authority nor01dc01.mycompany.org\nor01dc01.
Template SCMDMGCM (icmobile) was successfully created.
Security setting for template SCMDMGCM (icmobile) is valid. Group SCMDMDeviceManagementServers (icmobile) has the right permissions on this template.
Security setting for template SCMDMGCM (icmobile) is valid. Group SCMDMServerAdmins (icmobile) has the right permissions on this template.
Template SCMDMGCM (icmobile) is enabled on certification authority nor01CA01.mycompany.org\Mycompany-Enterprise-CA.
WARNING : Template SCMDMGCM (icmobile) is not enabled on certification authority nor01dc01.mycompany.org\nor01dc01.
Security for nor01CA01.mycompany.org\Mycompany-Enterprise-CA is valid.
ERROR : Security for nor01dc01.mycompany.org\nor01dc01 is invalid.
Regards
EBE
The funny thing is that enrollment is actually working. I guess ADConfig and the BPA are not prepared for my server scenario. Still, I would feel a lot more comfortable if the BPA would pass without errors.
The device has received 3 certificates: the root, the intermediate and the user cert, which is only visible in the management console :-)
Regards
EBE
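"The remote certificate is invalid according to the validation procedure" is the text .NET emits when its certificate validation callback rejects the server certificate; it does not say which check failed (chain, host name or validity). The script below is an added example, written for this thread and not part of SCMDM or of any post above, that reproduces that validation from the MDM server where the BPA runs: it fetches the certificate the enrollment site actually presents, builds the chain against the local machine trust store as .NET does, checks the host name, and lists every element of the chain so you can see which tiers (intermediate and root) each device must carry, per Wayne's two-tier caveat. The last section reads the minimum key size of every SCMDM template from AD, which is the value an enterprise CA enforces against the 1024-bit device requests Wayne mentions. The host name is the one from the BPA output above; everything else is read live from the machine and the directory.

```powershell
# Added example for this thread (not SCMDM code): reproduce from the MDM server
# the validation behind "The remote certificate is invalid according to the
# validation procedure", and check Wayne's 1024-bit key caveat in AD.
# Assumptions: the host name is taken from the BPA output in the thread.
$hostName = 'mobileenroll.mycompany.com'
$port     = 443

# 1. Fetch the certificate the enrollment site really presents on 443.
#    The callback accepts anything here; the real checks are done below.
$client    = New-Object System.Net.Sockets.TcpClient($hostName, $port)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl       = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($hostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $client.Close()

"Subject  : $($cert.Subject)"
"Issuer   : $($cert.Issuer)"
"Validity : $($cert.NotBefore) .. $($cert.NotAfter)"
"Key size : $($cert.PublicKey.Key.KeySize) bits"

# 2. Build the chain the way .NET does for a web service call: local machine
#    trust stores, no revocation check (ServicePointManager's default).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    "Chain    : OK"
} else {
    "Chain    : FAILED"
    foreach ($s in $chain.ChainStatus) { "   $($s.Status): $($s.StatusInformation.Trim())" }
}
# Every element above the leaf (intermediate and root in a two-tier PKI) must
# also be installed on the devices, which have no AD to fetch it from.
foreach ($e in $chain.ChainElements) {
    "   - $($e.Certificate.Subject) [$($e.Certificate.PublicKey.Key.KeySize)-bit]"
}

# 3. Host name check: the name in the URL must appear in the CN or the SAN.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $names += (($san.Format($false) -replace 'DNS Name=', '') -split ',\s*') }
if ($names -contains $hostName) { "Name     : OK ($hostName)" }
else { "Name     : MISMATCH, certificate names are: $($names -join ', ')" }

# 4. Minimum key size the enterprise CA enforces per SCMDM template
#    (msPKI-Minimal-Key-Size); anything above 1024 rejects the device's request.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmplRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($tmplRoot, '(&(objectClass=pKICertificateTemplate)(cn=SCMDM*))')
foreach ($r in $searcher.FindAll()) {
    $min = [int]$r.Properties['mspki-minimal-key-size'][0]
    if ($min -le 1024) { $verdict = 'OK for 1024-bit device keys' } else { $verdict = 'REJECTS 1024-bit device keys' }
    "Template : $($r.Properties['cn'][0]) minimum key size $min -> $verdict"
}
```

Run it in PowerShell on the Enrollment/Management server itself, because that is the trust store and DNS view the BPA uses; a chain that builds fine from a workstation proves nothing about the server. If section 2 reports the chain as FAILED while IIS Manager shows the certificate as valid, compare the issuer printed in section 1 with the CA you expect: a server certificate still issued by the old CA, or a missing intermediate in the machine store, both produce exactly the BPA message quoted above.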
Hi Espen, the portalurl keyword is for the Self Service Portal and I believe it is not required.
On the 3 other warnings, this appears to be because you have not enabled the certificate templates on the CA server. Did you follow step 5 on this deployment page: http://technet.microsoft.com/en-us/library/dd252799.aspx?
|\\arco..
To answer your question, Marco: yes, I have enabled the templates on the new CA but not on the old one (nor01dc01); this server is still a part of the domain. I have cleaned the domain of the old instance and templates. I think the problem is that ADConfig and the BPA are not expecting to find more than one CA. The good thing is that it doesn't seem to affect the installation.
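The ADConfig output above warns per CA, which fits Espen's reading that it walks every certification authority registered in the forest. The script below is an added example (mine, not part of the thread or of SCMDM) that shows the data behind those warnings: the SCMDM templates present in the directory and, for each enterprise CA object under Enrollment Services, which of them that CA publishes. Nothing is assumed; template and CA names are read from AD, so it works for any instance name.

```powershell
# Added example (not SCMDM code): which enterprise CAs AD knows about and which
# SCMDM templates each one publishes. This is the same per-CA list that
# "certutil -config <host\CA> -CATemplates" prints, read directly from AD.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Find-PkiObjects([string]$container, [string]$ldapFilter) {
    $root = [ADSI]"LDAP://$container,$pkiBase"
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $ldapFilter)
    $s.FindAll()
}

# Templates whose name starts with SCMDM (ADConfig creates one set per instance).
$mdmTemplates = @(Find-PkiObjects 'CN=Certificate Templates' '(&(objectClass=pKICertificateTemplate)(cn=SCMDM*))' |
    ForEach-Object { $_.Properties['cn'][0] })
"SCMDM templates in AD: $($mdmTemplates -join ', ')"

# Every enterprise CA registered in the forest and what it publishes.
foreach ($ca in Find-PkiObjects 'CN=Enrollment Services' '(objectClass=pKIEnrollmentService)') {
    $caName    = $ca.Properties['cn'][0]
    $caHost    = $ca.Properties['dnshostname'][0]
    $published = @($ca.Properties['certificatetemplates'])
    ""
    "CA $caHost\$caName publishes $($published.Count) template(s)"
    foreach ($t in $mdmTemplates) {
        if ($published -contains $t) { "   enabled : $t" }
        else { "   missing : $t" }
    }
}
```

Any domain member with read access to the Configuration partition can run it. A template listed as missing on the CA that should issue MDM certificates is published from the Certification Authority console (Certificate Templates, New, Certificate Template to Issue) or with `certutil -config "host\CAName" -SetCATemplates +TemplateName`; a CA that is not meant to issue them will keep showing up as missing, which matches the warnings Espen sees for nor01dc01.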
More problems! I have added the gateway server and enabled VPN. The first thing I did was to enroll a TyTN II phone with build 19212. As expected, the phone enrolled fine, but the VPN could not start without the patch (KB951840). After I installed the patch (on the phone) the VPN connected fine right away. Then I tried to install the patch on the server and it refuses to install.
OK, no problem, the phone can connect anyway, I thought, until I tried to enroll a new phone, an HTC Diamond 2 with Windows Mobile 6.1.6, OS 5.2.21041 (Build 21042.1.6.1). I get the same connection error as I got on the TyTN. Then I tried to install KB951840, but it will not install, of course.
I guess the problem with the phones with 6.1.4 and newer is the missing patch on the gateway server?
I am running the MSDN version of SCMDM SP1. Why won't the patch install? PLEASE HELP!
The message I get from the installer is:
The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.
Marked as answer by Wayne Phillips, MVP, Moderator, Sunday, October 25, 2009 11:56 PM
Try a repair install of the gateway. Since the gateway doesn't contain any data, it might be worthwhile uninstalling the gateway and all related patches, cleaning up any residual files and re-installing. It is always prudent to follow backup and restore procedures prior to completing these steps.
Cheers, Wayne
Airloom

