MP keeps rotating to wrong site

  • Question

  • Hello

    We have a CAS + 2 Primary Site setup with 2 MPs in each site. The CAS and SiteA are located in DomainA, and SiteB is located in DomainB.

    All the clients in both sites/domains somehow connect to the MP in site A, even though the SiteB clients have the Assigned Management Point set to the MP in SiteB. The Resident Management Point, however, is the MP in SiteA for all clients in SiteB.

    The 2 domains have separate subnets, and separate boundaries with their own boundary groups, no overlapping.

    Both sites publish information to their respective domains, and also publish their MPs to their DNS.

    When restarting the SMS Agent host service on a client in DomainB, the ClientLocation.log shows the following:

    Rotating assigned management point, new management point [1] is: MP.domainB.org
    Assigned MP changed from <MP.domainB.org> to <MP.domainB.org>
    Rotating assigned management point, new management point [1] is: MP.domainB.org
    Assigned MP changed from <MP.domainB.org> to <MP.domainB.org>
    Rotating local management point, new management point [1] is: MP.domainA.org

    So obviously it gets the correct MP at first, but suddenly it is forced over to the wrong MP, why is this?

    (The reason this is an issue is that internal firewalls prevent most subnets in SiteB from reaching SiteA, hence the agents in SiteB do not work since they want to connect to the SiteA MP!)

    Thanks in advance.







    • Edited by Ola Holtberget Friday, June 14, 2013 9:01 AM Updated with amount of MPs per site
    Thursday, June 13, 2013 3:50 PM

All replies

  • The 2 domains have separate subnets, and separate boundaries with their own boundary groups, no overlapping.
    Locating a management point is controlled by boundaries (this statement is not true when it comes to multiple MPs per site though!) so you should double-check the configuration! What do the boundaries + groups look like? Are the boundary groups set up as site assignment and/or content location boundaries?

    Torsten Meringer | http://www.mssccmfaq.de

    Friday, June 14, 2013 7:20 AM
  • Hi, and thanks for the reply!

    We do indeed have 2 MPs per site, are you saying that we cannot control the MPs through boundaries if we have more than one MP in the site? If we cut down to 1 MP in SiteB, could that make a difference?

    Clients in both sites connect only to the two MPs in SiteA.

    Our boundaries are a combination of IP ranges and IP subnets, no AD sites.

    The boundary groups are set up for both site assignment AND content location.

    Friday, June 14, 2013 7:51 AM
  • We have a CAS + 2 Primary Site setup with 1 MP in each site.
    [...]
    We do indeed have 2 MPs per site,


    So this is conflicting information then.
    So you would have to update the information on which MP is picked by what client.
    MP location within the same domain (if there are multiple MPs) cannot be controlled.

    Torsten Meringer | http://www.mssccmfaq.de

    Friday, June 14, 2013 8:49 AM
  • We do indeed have 2 MPs per site, are you saying that we cannot control the MPs through boundaries if we have more than one MP in the site? 

    Yes, that is a correct statement. If you've two MPs then it's random selection by clients (I assume that you don't have two forest clients). We can't control.

    Anoop C Nair - @anoopmannur :: MY Site:  www.AnoopCNair.com :: FaceBook:  ConfigMgr(SCCM) Page :: Linkedin:  Linkedin

    Friday, June 14, 2013 8:51 AM
  • We have a CAS + 2 Primary Site setup with 1 MP in each site.
    [...]
    We do indeed have 2 MPs per site,


    So this is conflicting information then.
    So you would have to update the information on which MP is picked by what client.
    MP location within the same domain (if there are multiple MPs) cannot be controlled.

    Torsten Meringer | http://www.mssccmfaq.de

    I was mistakenly keeping that info out so as not to complicate things unnecessarily. Unfortunately I didn't know it made a difference.

    To make things more clear:

    2 different forests with two-way trust

    CAS + SiteA in DomainA, SiteB in DomainB

    2 MPs in each site (4 MPs all in all)

    I understand that several MPs will make the selection random for the client, but I would think that it would choose random MPs _within_ its own site and domain, not go to the other domain/site's MPs?

    In the different Active Directory and DNS, there is only information about the MPs in the respective domains. (DomainB does not have records for MPs in DomainA)

    So the only way the clients can get information about the MPs in the other domain, is that the local MP (which they connect to first, before rotating) informs the clients about all the MPs?

    I would like to try to remove 1 of the MPs in SiteB to see if I can control the clients there to only use the remaining MP in that site.

    Thanks for the followup

    Friday, June 14, 2013 9:15 AM
  • We do indeed have 2 MPs per site, are you saying that we cannot control the MPs through boundaries if we have more than one MP in the site? 

    Yes, that is a correct statement. If you've two MPs then it's random selection by clients (I assume that you don't have two forest clients). We can't control.

    Anoop C Nair - @anoopmannur :: MY Site:  www.AnoopCNair.com :: FaceBook:  ConfigMgr(SCCM) Page :: Linkedin:  Linkedin

    Thanks for the reply!

    As I said to Torsten: I would think that the client would choose random MPs _within_ its own site and domain, not go to the other domain/site's MPs?

    Friday, June 14, 2013 9:16 AM
  • Are you certain that the site servers are publishing their MP data only into their own domains?  What does the System Management OU show you in each Domain?  Do you have entries in each DNS system that show each MP or does that all look good?

    My Personal Blog: http://madluka.wordpress.com

    Friday, June 14, 2013 9:34 AM
  • I would like you to check 2 things

    1. CM 12 console Active Directory Forests Node

    Check whether the Domain Suffix, Publishing Site and "Specify a domain or server" (last one is optional) options are selected and all are correct?

    2. Client log locationservices.log

    Check whether the client is able to find both MPs with the same settings?

    I mean to say, are you able to see the same settings (https:'N' ForestTrust:'Y') for both MPs in the log file?


    Anoop C Nair - @anoopmannur :: MY Site:  www.AnoopCNair.com :: FaceBook:  ConfigMgr(SCCM) Page :: Linkedin:  Linkedin


    Friday, June 14, 2013 10:25 AM
  • I would like you to check 2 things

    1. CM 12 console Active Directory Forests Node

    Check whether the Domain Suffix, Publishing Site and "Specify a domain or server" (last one is optional) options are selected and all are correct?

    2. Client log locationservices.log

    Check whether the client is able to find both MPs with the same settings?

    I mean to say, are you able to see the same settings (https:'N' ForestTrust:'Y') for both MPs in the log file?


    Anoop C Nair - @anoopmannur :: MY Site:  www.AnoopCNair.com :: FaceBook:  ConfigMgr(SCCM) Page :: Linkedin:  Linkedin


    Under Active Directory Forests:
    DomainA has the correct suffix, and has only the A00 site (SiteA) enabled
    DomainB also has the correct suffix, and has only the E00 site (SiteB) enabled

    From Locationservices.log:

    Current AD forest name is domainB.org, domain name is domainB.org
    The MP name retrieved is 'MP1.domainB.org' with version '7804'
    MP 'MP1.domainB.org' is compatible
    The MP name retrieved is 'MP2.domainB.org' with version '7804'
    MP 'MP2.domainB.org' is compatible
    Refreshed security settings over AD
    No security settings update detected.
    Refreshed Site Signing Certificate over AD
    Retrieved lookup MP [MP1.domainB.org] from Registry
    Attempting to retrieve lookup MP(s) from AD
    Lookup Management Points from AD:
    Name: 'MP2.domainB.org' HTTPS: 'N' ForestTrust: 'N'
    Name: 'MP1.domainB.org' HTTPS: 'N' ForestTrust: 'N'
    Retrieved lookup MP(s) from AD
    Default Management Points from AD:
    Name: 'MP2.domainB.org' HTTPS: 'N' ForestTrust: 'N'
    Name: 'MP1.domainB.org' HTTPS: 'N' ForestTrust: 'N'
    Persisting the default management points in WMI
    Current AD site of machine is AppSite
    Default Management Points from MP:
    Name: 'MP1.domainB.org' HTTPS: 'N' ForestTrust: 'Y'
    Name: 'MP2.domainB.org' HTTPS: 'N' ForestTrust: 'Y'
    Persisted Default Management Point Locations locally
    Current AD site of machine is AppSite
    Attempting to retrieve local MPs from the assigned MP
    Current AD site of machine is AppSite
    Local Management Points from assigned MP:
    Name: 'MP1.domainA.org' HTTPS: 'N' ForestTrust: 'Y'
    Name: 'MP2.domainA.org' HTTPS: 'N' ForestTrust: 'Y'
    Current AD site of machine is AppSite
    Retrieved management point encryption info from AD.
    Current AD site of machine is AppSite
    Raising event:
    instance of CCM_CcmHttp_Status

    Friday, June 14, 2013 11:00 AM
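
An added example, not part of the thread or of ConfigMgr itself: a small Python parser over the LocationServices.log excerpt posted above that groups MP entries by the list they came from and reports any MP outside the client's own domain. The sample is constructed (abridged from the posted lines), the function names are hypothetical, and the input is assumed to be message text as pasted here, without CMTrace line wrappers.

```python
import re

# Constructed sample: abridged from the LocationServices.log lines in the post above.
SAMPLE_LOG = """\
Current AD forest name is domainB.org, domain name is domainB.org
Lookup Management Points from AD:
Name: 'MP2.domainB.org' HTTPS: 'N' ForestTrust: 'N'
Name: 'MP1.domainB.org' HTTPS: 'N' ForestTrust: 'N'
Retrieved lookup MP(s) from AD
Default Management Points from MP:
Name: 'MP1.domainB.org' HTTPS: 'N' ForestTrust: 'Y'
Name: 'MP2.domainB.org' HTTPS: 'N' ForestTrust: 'Y'
Persisted Default Management Point Locations locally
Local Management Points from assigned MP:
Name: 'MP1.domainA.org' HTTPS: 'N' ForestTrust: 'Y'
Name: 'MP2.domainA.org' HTTPS: 'N' ForestTrust: 'Y'
Current AD site of machine is AppSite
"""

DOMAIN_RE = re.compile(r"domain name is (\S+)")
HEADER_RE = re.compile(r"^(.*Management Points from .+):$")
MP_RE = re.compile(r"Name: '([^']+)' HTTPS: '([YN])' ForestTrust: '([YN])'")

def parse_mp_lists(text):
    """Return (client_domain, {list header: [(name, https, forest_trust), ...]})."""
    domain, sections, current = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DOMAIN_RE.search(line)
        if m:
            domain = m.group(1).lower()
        header = HEADER_RE.match(line)
        mp = MP_RE.search(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif mp and current is not None:
            current.append(mp.groups())
        else:
            current = None  # any other line ends the current MP list
    return domain, sections

def foreign_mps(text):
    """List (header, mp_name, forest_trust) for MPs not in the client's domain."""
    domain, sections = parse_mp_lists(text)
    if domain is None:
        raise ValueError("no 'domain name is ...' line found in log text")
    return [(header, name, trust)
            for header, mps in sections.items()
            for name, _https, trust in mps
            if not name.lower().endswith("." + domain)]
```

On the sample, only the "Local Management Points from assigned MP" list contains MPs from the other domain, which matches where the rotation in ClientLocation.log goes wrong.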
  • One thing I came across that might be an issue is that we have 2 AD sites named the same in the different domains. The AD site "AppSite" exists in both DomainA and DomainB, and they are linked to different subnets in ADSitesAndServices. Can this play a role perhaps?
    Friday, June 14, 2013 11:03 AM
  • It's a bit confusing for me :( sorry....if you look at the log file the ForestTrust was changing between Y and N.....

    Have you tried to change something in the "Specify a domain or server" option in the publishing tab....


    Anoop C Nair - @anoopmannur :: MY Site:  www.AnoopCNair.com :: FaceBook:  ConfigMgr(SCCM) Page :: Linkedin:  Linkedin

    Friday, June 14, 2013 11:07 AM
  • We have specified a specific DC in each domain in the publishing tab, so the sites can publish their information, and that works fine.

    Here is another clue:

    When installing the CCM client on a new machine, this is what ccmsetup.log shows:
    (The MP servers also have the Distribution Point role installed)

    Found remote location 'http://MP1.DomainA.org/SMS_DP_SMSPKG$/CAS00002'
    Found remote location 'http://MP2.DomainB.org/SMS_DP_SMSPKG$/CAS00002'
    Found local location 'http://MP2.DomainA.org/SMS_DP_SMSPKG$/CAS00002'
    Found local location 'http://MP1.DomainB.org/SMS_DP_SMSPKG$/CAS00002'
    Discovered 2 local DP locations.

    First of all, why would the DPs from SiteA/DomainA show up here in the first place?
    Second, why is 1 of the MPs from SiteA remote and 1 local, and the same with SiteB?
    The discovered "local" DPs are now: MP1.DomainB.org and MP2.DomainA.org
    For a client in SiteB the connections against MP2.DomainA.org will fail because Port 80 is blocked between the domains.
    Friday, June 14, 2013 1:21 PM