Internet based site server connection problem
- I hope this is a simple one (!).....
I'm doing internet based management which, I'm sure has been done by someone here nicely.
However, in my test environment, my MP, DP and SUP site server isn't working properly. The Primary server is in Domain "A" and the site system is, currently, in a workgroup - in my live environment, like my test environment, there will be no trust between the two as the internet facing component is in a DMZ and the firewall will allow the relevant traffic. The Site is also in Native mode and the certificates are, I believe, set up properly and placed on both the Primary and the site server (the site server has the certificates in the relevant stores for IIS and for the MP)
My site server is showing these errors in the MP_Retry log file:
MPDB ERROR - CONNECTION PARAMETERS
SQL Server Name : SCCM-ENT
SQL Database Name : SMS_SC0
Integrated Auth : True
MPDB ERROR - EXTENDED INFORMATION
MPDB Method : Init()
MPDB Method HRESULT : 0x80004005
Error Description : [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.
OLEDB IID : {0C733A8B-2A1C-11CE-ADE5-00AA0044773D}
ProgID : Microsoft OLE DB Provider for SQL Server
MPDB ERROR - INFORMATION FROM DRIVER
Native Error no. : 17
Error State : 1
Class (Severity) : 16
Which I would expect, as the site server does not, as yet, have rights back to the Primary server.
To complicate things, the Primary server (due to limited resources) is also a DC but I don't think that's the cause of the problem.
My question really is - How do I allow the Site system to talk back to the Primary?
Answer
- First things first - this statement worries me: "The Primary server is in Domain "A" and the site system is, currently, in a workgroup"
This is not supported. The Internet-based site systems must belong to a domain. The domain doesn't have to be the same domain as the site server's or even the same forest, but they must be domain-joined. From "Prerequisites for Internet-Based Client Management" (http://technet.microsoft.com/en-us/library/bb633122.aspx):
Site systems that will support Internet-based client management must be in an Active Directory domain, but can be in a different Active Directory forest from the forest that contains the site server.
Note
The Internet-based site systems do not require a trust relationship with the site server's Active Directory forest.
... And from "Configuration Manager 2007 General Supported Configurations" (http://technet.microsoft.com/en-us/library/dd547071.aspx):
Computers in Workgroups
All Configuration Manager 2007 site systems must be members of a Windows 2000, Windows Server 2003, or Windows Server 2008 Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network.
If you are running in an unsupported environment, then all bets are off. I think you need to address that first.
- Carol
This posting is provided “AS IS” with no warranties and confers no rights - Marked as answer by Carol BaileyMSFT, Moderator, Monday, 23 November, 2009 18:37
All replies
- Quick update...
I hadn't set up the MP to use a different account (one that exists on the Primary) to talk back to SQL - bit of an oversight there.... So I've done that, the MP has reinstalled itself and now I get a different error:
Raising event:
[SMS_CodePage(437), SMS_LocaleID(1033)]
instance of MpEvent_ConnectDatabaseFailed
{
ClientID = "GUID:4C8F107E-362C-4FA6-AB39-621187B73E39";
DatabaseName = "SMS_SC0";
DateTime = "20091104101728.906000+000";
ErrorCode = "0x80004005";
MachineName = "2K3INTERNET";
ProcessID = 2824;
ServerName = "SCCM-ENT";
SiteCode = "SC0";
ThreadID = 1712;
Win32ErrorCode = 0;
}
And this to follow:
Hinv Retry: IMPDBConnection::Init() for class failed.
Where MachineName is the internet facing server and ServerName is the Primary server
- The plot thickens. In the mpcontrol log, I had an error about certificates not being in the MY store. Resolved that, but now I get these. This suggests that the certificate and its name isn't right for the destination machine.... Is that the case?
The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' of 'Local Computer' store. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
The 'MY' of 'Local Computer' store has 2 certificate(s).~Using custom selection criteria based on the machine name. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Machine name is '2k3internet'. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
There are no certificate(s) that meet the criteria. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Performing machine FQDN to SAN2 search. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Certificate doesn't have SAN2 extension. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Found a certificate with subject name as ‘sccm-ent.SCCM_ENT.local’, but will continue to look for the certificate with subject name as ‘2k3internet’. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Using custom selection criteria based on the machine NetBIOS name. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Machine name is '2K3INTERNET'. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
There are no certificate(s) that meet the criteria. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Call to HttpSendRequestSync failed for port 443 with an error code. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
Initialization still in progress. SMS_MP_CONTROL_MANAGER 04/11/2009 11:01:18 4012 (0x0FAC)
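The mpcontrol log above shows the selection rule the MP control manager applies: it scans the Local Computer 'MY' store for a certificate whose subject name (or a SAN DNS entry) matches the machine's FQDN or NetBIOS name, and in this case it only found one issued to 'sccm-ent.SCCM_ENT.local' on a machine called '2k3internet'. The script below is an added diagnostic, not code from the thread or from Configuration Manager, that reproduces that check on the site system itself so the name mismatch is visible before the MP reports it. It assumes Windows PowerShell on the site system and that the SAN extension formats in English ("DNS Name=..."); the EKU, private-key and expiry columns are extra checks a Native mode web server certificate also has to pass.

```powershell
# Added example (not from the thread): list every certificate in the Local Computer
# 'MY' store and show which ones would satisfy the MP's name-based selection logic.
# Assumptions: Windows PowerShell 5.x on the site system; English SAN formatting.

$netbios = $env:COMPUTERNAME
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Get-SanDnsNames {
    # Returns the DNS names carried in the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) produces one entry per line, e.g. "DNS Name=host.example.local"
    # (English locale assumed for the "DNS Name=" prefix).
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

function Test-MpCertificateCandidates {
    # Evaluates each certificate the way the MP log describes: subject CN first,
    # then SAN DNS names, against the FQDN and the NetBIOS name.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My
    Write-Host "The 'MY' of 'Local Computer' store has $($certs.Count) certificate(s)."
    Write-Host "Machine FQDN is '$fqdn', NetBIOS name is '$netbios'."

    foreach ($c in $certs) {
        $cn    = $c.GetNameInfo('SimpleName', $false)      # subject CN
        $san   = @(Get-SanDnsNames -Cert $c)
        $names = @($cn) + $san
        $ekuExt = $c.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # -contains on strings is case-insensitive, matching the log's '2k3internet' vs '2K3INTERNET'
        [pscustomobject]@{
            Thumbprint     = $c.Thumbprint
            SubjectCN      = $cn
            SanDns         = ($san -join ', ')
            MatchesFqdn    = ($names -contains $fqdn)
            MatchesNetBIOS = ($names -contains $netbios)
            ServerAuthEKU  = ($ekus -contains $serverAuthOid)
            HasPrivateKey  = $c.HasPrivateKey
            Expired        = ($c.NotAfter -lt (Get-Date))
        }
    }
}

$results = @(Test-MpCertificateCandidates)
$results | Format-Table -AutoSize

$usable = $results | Where-Object {
    ($_.MatchesFqdn -or $_.MatchesNetBIOS) -and $_.ServerAuthEKU -and $_.HasPrivateKey -and -not $_.Expired
}
if (-not $usable) {
    Write-Warning "There are no certificate(s) that meet the criteria: no cert in 'MY' names this machine ('$fqdn' / '$netbios')."
} else {
    Write-Host "Candidate certificate(s) for the MP:"
    $usable | Select-Object Thumbprint, SubjectCN, SanDns | Format-Table -AutoSize
}
```

Run it in an elevated prompt on the Internet-facing site system. A row whose SubjectCN is the Primary's name with both Matches columns False is exactly the situation in the log above: the certificate was issued for the wrong host and needs to be requested for the site system's own FQDN (or with that name in the SAN) before the MP will select it.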
- Any update on this?
- This has been open for a couple of weeks now with no further updates so marking as answered.