SCE 2010 Disaster Recovery - Questions


  • SCE 2010 with SQL 2008 SP1 server (a VM) got hosed. Have a backup of certificate pfx (exported from certificate store per SCE How to backup article), certificates folder, encryption key, and all databases from before mess. Was going to follow How to Restore in Single-server Deployment. Need more disk space anyway for SCE updates storage so deleted vm, created new vm, installed W2K8r2, gave same IP and same name. Was just going to join domain, and so -- important note -- reset computer account in AD.

    But just picked up on statement "If you could not correctly uninstall Essentials 2010 after the failure, then you must delete the computer container for the Essentials management server before re-joining the server to the domain." What exactly does "computer container" refer to? The computer account? If so, does this mean I can't simply reset the computer account and reuse it? SCE being hosed did not affect AD or SCE group policies; everything SCE related *not* on SCE server is intact. If I delete the computer account won't this prevent SCE reinstall unless I delete the Service Connection Point?

    At this point, what is best way to proceed? (We do have a backup of the SCE server but we just wanted to start clean)



    Wednesday, May 21, 2014 10:45 PM

All replies

  • Hi,

    I think the System Container is the SCE remnants including the System Managed Computer accounts. You also need to remove SCP information from AD.

    Juke Chou

    TechNet Community Support

    Monday, May 26, 2014 9:35 AM
  • Late reply, was out last week.

    I wouldn't translate computer container to "system container".  And the TechNet article said to ensure the two group policies exist. Regardless, I am first going to try reset computer account and reinstall using article. If I get message can't install because an SCE server already exists in domain, I will delete all including SCP from AD then install new. Pain having to reinstall agents.

    Will report back results.


    Monday, June 02, 2014 4:54 PM
  • Ok, here's results for others in same mess.

    Decided to start with fresh SCE install (boss preferred, so skipped trying TechNet article). Ergo, deleted AD stuff (GPOs, SCE Managed Computers Group, and SCP (using adsiedit)). Joined computer to domain (had reset computer account in AD, thus, reused it, no problem encountered.) Installed SQL Server 2008, then SQL 2008 SP3, rebooted. Installed SCE 2010; ran into three issues:

    1. Forgot to make SCE account local admin, was prompted, did on the fly, got past issue.
    2. WSUS invalid date - ignored it since SCE bits contained WSUS SP2 (latest) and OS is 2008 R2 SP1; after some searching online, assumed error due to R2 being at SP1 which was after SCE RTM release.
    3. IIS not installed. Oh yes it was, including ASP.Net service, along with .NET 3.5.1, and a reboot for good measure after. SCE install log indicated failed on no IIS Admin service and sure enough the service was not installed. Well, the service is not installed on IIS 7 or later unless IIS 6 stuff also installed. So, installed that, any other IIS role service I thought might be needed and, jic, Application Server role. And rebooted. Reran setup, issue resolved.

    Ran wizard to set up GPOs, etc... Ran Discovery, pushed agent to several servers and my computer over existing agent (from defunct SCE). Ran into issues:

    1. Computers were showing up in SCE management console but were not added to SCE Managed Computers Group. Found blog post on SCE install that said a reboot of SCE server fixed issue, and thankfully after reboot all computers appeared in the group.
    2. Windows Update registry settings for WUserver and WUStatusServer were missing on the computers. However, remnants left over from defunct SCE for TargetGroup and TargetGroupEnabled were there. But of course those groups no longer existed. I recreated them and repopulated them as before.
    3. SCE Managed Computers Group Policy was not being applied, even well after computers were in SCE Managed Computers group. So that explained #2. gpupdate did nothing. gpresult showed (variously) Access Denied, Inaccessible Data, and Unknown Reason as causes. Even after removing agent, rebooting, reinstalling agent on one server and my computer as a test. GP looked good in GPMC - scope was correct and the SCE server and SCE Managed Computers Group had Read and Apply Group Policy permissions. No network issues, etc.

    I noticed that in the policy's Delegation tab, Advanced, when viewing Advanced Settings, the SCE server and the SCE Managed Computers group had the permissions on "This object only". Whereas the other groups/user (except Creator owner) had "This object and all descendant objects". That seemed to explain Access Denied and Inaccessible Data. So I changed the setting to latter. After that change the policy got applied. Not sure if that is the correct solution (can't find documentation on what setting should be) but it worked. GP got applied and the registry settings got added. Hoping everything sticks.


    Wednesday, June 04, 2014 9:51 PM
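
The client-side state described in the post above (WUServer and WUStatusServer missing while TargetGroup and TargetGroupEnabled remain from the old server) can be checked per machine with a short script. This is an added example, not part of the original thread; the key path is the standard Windows Update policy location, and the server name and group name are hypothetical.

```powershell
# Added example, not from the thread. The key path is the standard Windows Update
# policy location; the four value names are the ones named in the post.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WuValueNames = 'WUServer', 'WUStatusServer', 'TargetGroup', 'TargetGroupEnabled'

function Get-WuPolicyState {
    # Read the four values from the registry; a missing value is reported as $null.
    param([string]$Key = $WuPolicyKey)
    $state = @{}
    $props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $WuValueNames) {
        $p = if ($props) { $props.PSObject.Properties[$name] } else { $null }
        $state[$name] = if ($p) { $p.Value } else { $null }
    }
    $state
}

function Test-WuPolicyState {
    # Return one finding per problem; an empty result means the client looks consistent.
    param([hashtable]$State, [string]$ExpectedServer)
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $State[$name]) {
            $findings += "$name missing: update-server policy has not been applied"
        } elseif ($ExpectedServer -and $State[$name] -notlike "*$ExpectedServer*") {
            $findings += "$name is '$($State[$name])', expected $ExpectedServer"
        }
    }
    if ($State['TargetGroup'] -and -not $State['WUServer']) {
        $findings += "TargetGroup '$($State['TargetGroup'])' set without WUServer: leftover from an earlier server"
    }
    if ($State['TargetGroup'] -and $State['TargetGroupEnabled'] -ne 1) {
        $findings += 'TargetGroup set but TargetGroupEnabled is not 1'
    }
    $findings
}

# Constructed sample: the state described in item 2 of the post (hypothetical group name).
$sample = @{ WUServer = $null; WUStatusServer = $null; TargetGroup = 'Pilot Servers'; TargetGroupEnabled = 1 }
Test-WuPolicyState -State $sample -ExpectedServer 'sce01.example.local'

# Live check on the local machine (hypothetical server name).
Test-WuPolicyState -State (Get-WuPolicyState) -ExpectedServer 'sce01.example.local'
```

A client that reports the missing-server findings is not receiving updates from the managed server, which matches the Group Policy failure described in item 3 of the post.
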
  • And installed which is a later update than 2720211 and per posts here. To fix agent build mismatch. (Symptoms - Event Log errors 1001 Windows Error Reporting, WindowsUpdate Failure and WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\ are not trusted: Error 0x800B0001 in client WindowsUpdate.log.)

    Thursday, June 05, 2014 4:02 PM