SUP Assignment not correct

  • Question

  • I have one Primary Site (2012 R2) with two SUP servers. They are in two different forests, which are untrusted. Between them is a firewall, and the clients can't connect to the SUP, MP, DP in the other forest.

    Now I have a growing number of clients which switch to the other SUP after they couldn't locate the local one during a maintenance window. That is OK for me, but they don't switch back to the correct one. I found out that there are two different classes of errors (retry and non-retry --> http://technet.microsoft.com/en-us/library/gg712696.aspx#BKMK_SUPSwitching ). If it's a retry exit code it would switch back after 4 x 30min, but I think it's a non-retry error code.

    The software change returned error code 0x80072EE2(-2147012894).

    After some investigation we found out that when we create a hosts file entry for the server and point it to a web server (without WSUS), the client gets a retry error code and switches back after two hours.

    I can't do this workaround on all these clients. Is there another way to specify the correct SUP for a Client? Or is it possible to define the above exit code as retry exit code?

    According to http://technet.microsoft.com/en-us/library/gg712696.aspx#BKMK_SUP_CrossForest the SUP in the same forest should be contacted first, so the clients should normally be assigned to the correct SUP after a switching is initialized...

    Thank you for your help


    Cheers,

    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, June 4, 2014 10:57 AM

Answers

  • Ok, I found another workaround :) (I don't know if it is supported)...

    I can add the exit code 0x80072EE2 to the list of retry exit codes with the following script. Then the servers switch back to the correct SUP after two hours...

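    # Read the client's software update source settings from the local policy.
    $updateConfig = Get-WmiObject -Namespace Root\ccm\Policy\Machine\ActualConfig -Class CCM_UpdateSource
    # 2147954402 is 0x80072EE2 as an unsigned 32-bit value; add it to the retry codes.
    $updateConfig.ScanFailureRetryErrorCodes += 2147954402
    $updateConfig.Put()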


    Cheers,

    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog

    Thursday, June 5, 2014 8:07 AM
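
An idempotent version of the workaround in the answer above, as an added example that is not part of the original post: it accepts the code in signed or unsigned form, skips the write when the code is already listed, and re-reads the list afterwards. The function names are hypothetical; the WMI namespace, class and property are the ones used in the post.

```powershell
# Added example, not from the original post. Function names are hypothetical;
# the namespace, class and property are the ones used in the post above.

function ConvertTo-UnsignedHResult {
    # The post stores the code as an unsigned 32-bit value, while logs show
    # the hex or signed form: 0x80072EE2 = -2147012894 = 2147954402.
    param([Parameter(Mandatory = $true)][long]$Code)
    [uint32]($Code -band 4294967295)
}

function Add-ScanRetryErrorCode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][long]$Code)

    $ns    = 'Root\ccm\Policy\Machine\ActualConfig'
    $value = ConvertTo-UnsignedHResult -Code $Code
    $sources = @(Get-WmiObject -Namespace $ns -Class CCM_UpdateSource -ErrorAction Stop)
    if ($sources.Count -eq 0) {
        Write-Warning 'No CCM_UpdateSource instance found; nothing changed.'
        return
    }
    foreach ($src in $sources) {
        if ($src.ScanFailureRetryErrorCodes -contains $value) {
            Write-Verbose "$value is already a retry code."
            continue
        }
        if ($PSCmdlet.ShouldProcess($src.__PATH, "add retry code $value")) {
            $src.ScanFailureRetryErrorCodes += $value
            [void]$src.Put()
        }
    }
    # Re-read from WMI so the caller sees what is actually stored now.
    Get-WmiObject -Namespace $ns -Class CCM_UpdateSource |
        Select-Object -ExpandProperty ScanFailureRetryErrorCodes
}

# -2147012894 is the signed form quoted in the question (0x80072EE2).
# -WhatIf reports the change without writing it; drop it to apply.
Add-ScanRetryErrorCode -Code (-2147012894) -WhatIf
```

Running the function again after a client policy refresh shows whether the added code is still in the list.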

All replies

  • OK, first of all, I don't have an answer to your question. I had a similar problem with multiple MPs in an untrusted forest, and the clients were facing an MP rotation issue.

    When you look at the TechNet documentation, the client should ideally connect to the MP/SUP in its local forest. This is not going to happen every time in the scenario when you've multiple SUPs/MPs; the client should give first priority (as per TechNet docs) to the local SUP/MP. We can't be sure it will always give first preference to the local MP/SUP.

    For the MP rotation issue, we found some workarounds; probably we can use the 2nd option (Redirect the foreign forest MPs to local forest MP) which I mentioned in the following post for your SUP issue. But it's not an ideal workaround ;)

    http://anoopcnair.com/2014/04/11/workaround-sccm-2012-clients-mp-selection-rotation-issue-untrusted-dmz-forests/

    There would be some other better options (which I'm not aware of or never thought about) to cater for this issue. Probably you may need to wait for others to comment.


    Anoop C Nair (My Blog www.AnoopCNair.com) - Twitter @anoopmannur - FaceBook Forum For SCCM

    Wednesday, June 4, 2014 1:01 PM
  • MP selection and use and SUP selection and use are two very different things. This blog covers it pretty well including a possible solution: http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/group-policy-preferences-and-software-updates-in-cm2012sp1.aspx

    Jason | http://blog.configmgrftw.com

    Wednesday, June 4, 2014 2:37 PM
  • Yes, that's correct, the MP selection is OK at the moment. Only the SUP is not switched. Perhaps the use of a DNS alias or hosts file entry is the only way to get the clients to the correct SUP.

    Cheers,

    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog

    Wednesday, June 4, 2014 3:28 PM
  • BTW, I never said MP and SUP selections are the same ;) I know they're different :-D What I was trying to say is that similar kinds of workarounds (#2 and #3) I've mentioned in the post can be used in your scenario as well.

    Anoop C Nair (My Blog www.AnoopCNair.com) - Twitter @anoopmannur - FaceBook Forum For SCCM

    Wednesday, June 4, 2014 3:44 PM