Thursday, February 09, 2012 1:46 PM
I'm trying to install IBCM clients that are on branch. These clients will never touch the domain and I need to manage them. I built an SCCM server that has MP, DP, FSP installed and already migrated to Native Mode building PKI and certificates.
When I try to install an IBCM client, it installs successfully with the command:
ccmsetup.exe /native SMSSITECODE="ABC" CCMALWAYSINF=1 CCMHOSTNAME=sccm.contoso.com SMSMP=sccm.contoso.com SMSSIGNCERT="C:\ccmsetup\sitesigning.cer"
After installation completes, the client does not show in the Configuration Manager Console. When I search in the ClientIDManagerStartup.log, the message below is shown:
RegTask: Failed to send registration request. Error: 0x80040231
I already recreated the SCCM certificates but no success.
Can somebody help me?
Thursday, February 09, 2012 3:44 PM Moderator
Have you verified connectivity and proper DNS resolution from the client to the specified MP?
Also, I don't think SMSMP is valid for internet-only clients; that's what CCMHOSTNAME is for.
Jason | http://myitforum.com/myitforumwp/community/members/jasonsandys/ | Twitter @JasonSandys
Thursday, February 09, 2012 3:56 PM
Hello Jason, thanks for the answer.
From the client I already did some tests browsing these SCCM URLs and the tests go smoothly:
I got the installation parameters from this post:
Thursday, February 09, 2012 5:00 PM
Reinstalled the SCCM agent without the SMSMP parameter but the error on ClientIDManagerStartup.log persists.
Thursday, February 09, 2012 5:23 PM
Is your MP set up to respond to both intranet and internet clients? Go to your Site Settings -> Site Systems, double-click your ConfigMgr management point and make sure the dropdown says 'Allow both intranet and internet client connections'.
Also, if you right-click your site system server and select New Roles, is there a tickbox in internet-based fully qualified domain name for this site system? If the name is the same then fill it in the same and you can use the same site-signing certificate; if it is a different FQDN you will need a certificate that has both names on it.
If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer NetBIOS name) must be specified using the ampersand (&) symbol delimiter between the two names.
Thursday, February 09, 2012 6:04 PM
Hello Michael, thanks for your answer.
The MP is configured to Allow both intranet and internet connections.
When I right-click the MP and select New roles, the New site role wizard shows the FQDNs. Both intranet and internet FQDNs are different. Does it mean I need a certificate with both internet and intranet FQDN?
Friday, February 10, 2012 10:44 AM
Yes, as the client won't be able to authenticate with the site server. If you go in to IIS and look at the certificate attached to your https binding it will likely have only one name against it.
You can use this document to get a certificate with both names.
Make sure you import it into IIS once you have obtained the cert.
- Marked As Answer by Carol Bailey (Microsoft Employee, Moderator), Thursday, March 01, 2012 4:37 PM
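
A way to check the accepted answer's point on the site system, as an added example that is not part of the original thread: it lists the certificates with a private key in the local machine store and reports which required FQDNs each one is missing. The intranet name is a placeholder, and the script assumes English-language Windows, where the SAN extension formats its entries as "DNS Name=...".

```powershell
# Added example (not from the thread). Names the web server certificate must cover.
$RequiredNames = @(
    'sccm.contoso.com',     # Internet FQDN, the CCMHOSTNAME value used in the thread
    'sccm.corp.example'     # intranet FQDN: placeholder, replace with your own
)

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject Alternative Name extension, OID 2.5.29.17
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: English Windows renders entries as "DNS Name=host"
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    # With no DNS entries in the SAN, fall back to the subject's simple name (CN)
    if (-not $names) { $names += $Cert.GetNameInfo('SimpleName', $false) }
    $names
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert    = $_
        $dns     = @(Get-CertDnsNames $cert)
        # -notcontains is case-insensitive; wildcard names are not expanded here
        $missing = @($RequiredNames | Where-Object { $dns -notcontains $_ })
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DnsNames   = ($dns -join ', ')
            Missing    = ($missing -join ', ')
        }
    } |
    Select-Object Thumbprint, NotAfter, DnsNames, Missing |
    Format-List
```

Compare the thumbprint of a certificate with an empty Missing field against the one attached to the https binding in IIS; a certificate that lists only one of the two names matches the situation described in the answer.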