Clients in Secondary secured zone problem.

    Question

  • Hi,

    I have a problem with all the systems in a secondary secured environment. One domain, one forest, all boundaries are protected.

    I am able to push the client out just fine, but none of them are registering in SCCM.

    The install of the client was performed via discovery and client push, all from the primary.

    The secondary site server is publishing data to AD, I’ve verified with ADSIedit. I have configured the Management Point Component for the secondary site server to be the default management point.

    All the agents are trying to communicate with the PRIMARY SITE SERVER, which they are blocked from, and not the SECONDARY SITE SERVER.

     

    All the agents have errors like this in the ccmexec.log :

    [CCMHTTP] HTTP ERROR: URL=http://PRIMARY_SITE_SERVER/ccm_system_windowsauth/request, Port=80, Protocol=http, SSLOptions=0, Code=12029, Text=ERROR_WINHTTP_CANNOT_CONNECT CCMEXEC 10/13/2009 11:31:20 AM 2440 (0x0988)
    Raising event:

    instance of CCM_CcmHttp_Status
    {
     ClientID = "GUID:87DE25C9-CC7C-43F8-848E-EB4CEAF4A89F";
     DateTime = "20091013173120.337000+000";
     HostName = "PRIMARY_SITE_SERVER";
     HRESULT = "0x80072efd";
     ProcessID = 580;
     StatusCode = 0;
     ThreadID = 2440;
    };
     CCMEXEC 10/13/2009 11:31:20 AM 2440 (0x0988)
    HandleRemoteSyncSend failed (0x80040231). CCMEXEC 10/13/2009 11:31:20 AM 2440 (0x0988)
    CForwarder_Sync::Send failed (0x80040231). CCMEXEC 10/13/2009 11:31:20 AM 2440 (0x0988)
    CForwarder_Base::Send failed (0x80040231). CCMEXEC 10/13/2009 11:31:20 AM 2440 (0x0988)

    and in the clientidmanagerstartup.log this:

     

    RegTask: Client is not registered. Sending registration request...   ClientIDManagerStartup  10/13/2009 11:47:20 AM 2440 (0x0988)

    RegTask: Failed to send registration request message. Error: 0x80040231 ClientIDManagerStartup  10/13/2009 11:47:41 AM 2440 (0x0988)

    RegTask: Failed to send registration request. Error: 0x80040231    ClientIDManagerStartup  10/13/2009 11:47:41 AM 2440 (0x0988)

    Is there something I am missing in the setup of SCCM?

     

    Tuesday, October 13, 2009 5:59 PM

Answers

  • I know you cannot assign to a secondary, but apparently that is what I may have been doing. :)

    No worries, Thanks for helping. This forum is great.

    I was trying to manage systems in a highly secure zone with a secondary site server, but it appears that I may not be able to do that given that communication between the secondary zone and the primary zone is exclusive to the site servers

    • Marked as answer by Yog Li Tuesday, October 27, 2009 10:09 AM
    Tuesday, October 13, 2009 8:09 PM

All replies

  • When you want to install the clients from the Secondary Site you need to enable the automated Client Push Installation method at the Secondary Site and run Active Directory System discovery FROM the secondary site. And of course you have to ensure that your Boundaries are set correctly.
    My Blog: http://www.petervanderwoude.nl/
    Tuesday, October 13, 2009 6:18 PM
  • That is how I have it setup now, but the damage appears to be done.

    If I delete all the systems from the SCCM database, performed another discovery initiated by the secondary, would that then initiate a reinstall on all these affected clients? 

     

    Tuesday, October 13, 2009 6:30 PM
  • That's indeed the first step, also check if there are still any Client Configuration Request (CCR) -Records for the machines. See for that, this link: http://blog.coretech.dk/confmgr07/client-installation/how-to-stop-a-client-push-installation-in-configuration-manager/ 
    My Blog: http://www.petervanderwoude.nl/
    Tuesday, October 13, 2009 6:56 PM
  • No, the client would not be reinstalled. The only thing you would achieve is that clients installed later by automatic push will be installed from the secondary site.
    What properties, if any, did you configure when pushing the clients?
    Tuesday, October 13, 2009 6:57 PM
  • Sorry, I didn't read that last part well... It doesn't reinstall; it only works for the clients that still have to be done.
    My Blog: http://www.petervanderwoude.nl/
    Tuesday, October 13, 2009 7:03 PM
  • Still stuck. There are no CCRs, so I was good there.

    The client install again is occurring fine. The binaries are downloaded from the secondary MP, but once installed the ccmexec.log shows the client trying to connect to the primary site server which it is blocked from, and not attempting the secondary:

    Is this by design? The client should be looking at AD, seeing its default MP. Why is it not? I'm only dealing with one AD site here for this location, and it is not overlapping.

    Locationservices.log

    Attempting to retrieve default management point from AD  LocationServices            10/13/2009 1:17:05 PM  3076 (0x0C04)

    Retrieved Default Management Point from AD: PRIMARY  LocationServices            10/13/2009 1:17:06 PM  3076 (0x0C04)

    Persisting the default management point in WMI   LocationServices            10/13/2009 1:17:06 PM  3076 (0x0C04)

    Persisted Default Management Point Location locally        LocationServices            10/13/2009 1:17:06 PM  3076 (0x0C04)

    Attempting to retrieve local MP from AD   LocationServices            10/13/2009 1:17:06 PM  3076 (0x0C04)

    DhcpGetOriginalSubnetMask entry point not supported.    LocationServices            10/13/2009 1:17:06 PM  3076 (0x0C04)

    Current AD site of machine is MonroeBridge-Gateway       LocationServices            10/13/2009 1:17:06 PM  3076 (0x0C04)

    Retrieved local Management Point from AD: SECONDARY            LocationServices            10/13/2009 1:17:06 PM  3076 (0x0C04)

    The 'Certificate Store' is empty in the registry, using default store name 'MY'.          LocationServices            10/13/2009 1:17:06 PM       3076 (0x0C04)

    Refreshing client operational settings over AD       LocationServices            10/13/2009 1:17:06 PM  3076 (0x0C04)

    Refreshed security settings over AD        LocationServices            10/13/2009 1:17:07 PM  3076 (0x0C04)

    No security settings update detected.      LocationServices            10/13/2009 1:17:07 PM  3076 (0x0C04)

     

    Tuesday, October 13, 2009 7:22 PM
  • Clients need to first talk once to the management point at the primary site to be told where their proxy management point is (and validate the identity of that proxy MP).
    You can't assign clients to a secondary site, so you can't force it to use a secondary site as its assigned MP.
    Open up the connection to the primary site mp and all will work fine.
    "Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm
    Tuesday, October 13, 2009 7:27 PM
    Moderator
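
The split described in the reply above (the assigned management point at the primary site versus the local proxy management point at the secondary) is visible in the client logs themselves. The following is an added example, not part of the original thread: a PowerShell function (`Get-MpLogSummary` is a hypothetical name) that summarises log lines in the column layout quoted on this page; it assumes that layout and does not parse any other log file format.

```powershell
# Added example: summarise management point (MP) selection and HTTP failures
# from SCCM client log text in the layout quoted in this thread.
# Sample lines are copied from the posts above; host names are the poster's placeholders.
$sample = @'
Retrieved Default Management Point from AD: PRIMARY  LocationServices  10/13/2009 1:17:06 PM  3076 (0x0C04)
Retrieved local Management Point from AD: SECONDARY  LocationServices  10/13/2009 1:17:06 PM  3076 (0x0C04)
[CCMHTTP] HTTP ERROR: URL=http://PRIMARY_SITE_SERVER/ccm_system_windowsauth/request, Port=80, Protocol=http, SSLOptions=0, Code=12029, Text=ERROR_WINHTTP_CANNOT_CONNECT CCMEXEC 10/13/2009 11:31:20 AM 2440 (0x0988)
RegTask: Failed to send registration request. Error: 0x80040231  ClientIDManagerStartup  10/13/2009 11:47:41 AM 2440 (0x0988)
'@

function Get-MpLogSummary {
    param([Parameter(Mandatory)][string[]]$Line)

    $summary = [ordered]@{
        DefaultMP         = $null   # assigned MP published in AD (primary site)
        LocalMP           = $null   # proxy MP for the client's AD site (secondary site)
        HttpFailures      = @{}     # "host:port text (code)" -> count
        RegistrationFails = 0
    }
    foreach ($l in $Line) {
        switch -Regex ($l) {
            'Retrieved Default Management Point from AD:\s*(\S+)' {
                $summary.DefaultMP = $Matches[1]
            }
            'Retrieved local Management Point from AD:\s*(\S+)' {
                $summary.LocalMP = $Matches[1]
            }
            'HTTP ERROR: URL=https?://([^/:]+).*?Port=(\d+).*?Code=(\d+), Text=(\S+)' {
                $key = '{0}:{1} {2} ({3})' -f $Matches[1], $Matches[2], $Matches[4], $Matches[3]
                $summary.HttpFailures[$key] = 1 + [int]$summary.HttpFailures[$key]
            }
            'RegTask: Failed to send registration request\.' {
                $summary.RegistrationFails++
            }
        }
    }
    [pscustomobject]$summary
}

$s = Get-MpLogSummary -Line ($sample -split "`r?`n")
$s | Format-List DefaultMP, LocalMP, RegistrationFails
$s.HttpFailures.GetEnumerator() | ForEach-Object { '{0}  x{1}' -f $_.Key, $_.Value }
```

When the host in the HTTP failures is the default MP rather than the local MP, and registration failures accompany it, the client is in the state this thread describes: registration goes to the primary site's management point, which the firewall blocks.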
  • So if I cannot open up communication between the clients in the secondary and the primary, does that require a Primary server in place of the secondary? This would be port 80

    Tuesday, October 13, 2009 8:02 PM
  • If your initial question was if you could assign a client to a Secondary Site, then I am sorry because then I misguided you.... Like Kim said, a client can only be assigned to a Primary Site.
    I thought your initial question was how to install a client via the Secondary Site...
    My Blog: http://www.petervanderwoude.nl/
    Tuesday, October 13, 2009 8:03 PM