SCCM clients not registering for DMZ workgroup servers


  • Hi everyone, hopefully someone will be able to assist with this problem. My knowledge of SCCM is limited so please accept my apologies for lack of knowledge.

    We have an SCCM environment which is functioning fine for clients inside the network, with pretty much all clients on the same domain. We also have a couple of other domains and workgroup systems inside the network which, again, are fine. The issue appears to be workgroup servers in the DMZ which are not registering. We did get a third party in to assist with the deployment of our SCCM server for DMZ clients, and they mostly work fine. Some servers in the DMZ are members of another domain, and these all register correctly; it is only the workgroup servers that have a problem.

    Now, with my limited knowledge of SCCM, at a high level it appears to be DNS related. After all, domain-joined servers all need DNS and can resolve records in the internal DNS zone. All workgroup servers have no DNS settings at all, only hosts files (all entries have been added to the hosts files).

    Also, the DMZ clients all use client auth certs to authenticate with SCCM; we have tested this successfully from the clients by connecting to the SCCM server IIS web pages using HTTPS, both to the root IIS web page (we get the standard Windows IIS page) and to the SCCM virtual directories (which are set up to require client authentication). When we import the certificate into IE and connect, we can view the XML file. So, at that level at least, the certificate appears fine.

    The domain joined servers in the DMZ also use client certs to authenticate with SCCM. These are all fine and have no problems.

    We also have a boundary defined for the IP range which the DMZ clients affected reside on, and a boundary group to point them to use HTTPS to register with the new MP server.

    The clients are Windows 2008 R2, and we see the following in the various logs (I've selected entries from the log files that appear to be the most useful at this point).

    #########################

    Attempting to retrieve lookup MP(s) from DNS LocationServices 20/04/2016 17:51:00 5412 (0x1524)
    Attempting to retrieve default management points from DNS LocationServices 20/04/2016 17:51:00 5412 (0x1524)
    Failed to retrieve DNS service record using _mssms_mp_xxx._tcp.domain.fqdn lookup. DNS returned error 10060 LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    No lookup MP(s) from DNS LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Policy prevents failover to WINS for lookup LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Attempting to retrieve site information from lookup MP(s) via HTTPS LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Failed to verify message. Sending MP [MPsvr.fqdn] not in cached MPLIST. LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    MPLIST requests are throttled for 00:09:59 LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Failed to verify message. Sending MP [SMPSvr] not in cached MPLIST. LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    MPLIST requests are throttled for 00:09:59 LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Failed to send site information Location Request Message to MPsvr.fqdn LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Retrieved MP [MPsvr.fqdn] from Registry LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Attempting to retrieve lookup MP(s) from DNS LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Attempting to retrieve default management points from DNS LocationServices 20/04/2016 17:51:21 5412 (0x1524)
    Failed to retrieve DNS service record using _mssms_mp_xxx._tcp.domain.fqdn lookup. DNS returned error 10060 LocationServices 20/04/2016 17:51:42 5412 (0x1524)
    No lookup MP(s) from DNS LocationServices 20/04/2016 17:51:42 5412 (0x1524)
    Policy prevents failover to WINS for lookup LocationServices 20/04/2016 17:51:42 5412 (0x1524)
    Attempting to retrieve site information from lookup MP(s) via HTTP LocationServices 20/04/2016 17:51:42 5412 (0x1524)
    LSIsSiteCompatible : Failed to get Site Version from all directories LocationServices 20/04/2016 17:51:42 5412 (0x1524)
    Won't send a client assignment fallback status point message because the last assignment error matches this one. LocationServices 20/04/2016 17:51:42 5412 (0x1524)

    ######################################

    Some further logs from ClientIDManagerStartup:

    Client PKI cert is available. ClientIDManagerStartup 20/04/2016 18:07:40 8024 (0x1F58)
    Initializing registration renewal for potential PKI issued certificate changes. ClientIDManagerStartup 20/04/2016 18:07:42 6136 (0x17F8)
    Succesfully intialized registration renewal. ClientIDManagerStartup 20/04/2016 18:07:42 6136 (0x17F8)
    [RegTask] - Executing registration task synchronously. ClientIDManagerStartup 20/04/2016 18:07:42 6136 (0x17F8)
    Read SMBIOS (encoded): 4B00440039005400350034003400 ClientIDManagerStartup 20/04/2016 18:07:42 6136 (0x17F8)
    Evaluated SMBIOS (encoded): 4B00440039005400350034003400 ClientIDManagerStartup 20/04/2016 18:07:42 6136 (0x17F8)
    No SMBIOS Changed ClientIDManagerStartup 20/04/2016 18:07:42 6136 (0x17F8)
    SMBIOS unchanged ClientIDManagerStartup 20/04/2016 18:07:42 6136 (0x17F8)
    SID unchanged ClientIDManagerStartup 20/04/2016 18:07:42 6136 (0x17F8)
    HWID unchanged ClientIDManagerStartup 20/04/2016 18:07:43 6136 (0x17F8)
    RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 20/04/2016 18:08:27 6136 (0x17F8)
    Sleeping for 255 seconds before refreshing location services. ClientIDManagerStartup 20/04/2016 18:08:29 6136 (0x17F8)

    ##################

    The correct certificate is being selected (I've confirmed the thumbprints); we just seem to get the above error (0x8000ffff) logged every 5 minutes or so.

    Various parameters have been defined in the client installation to point it to the correct MP and also so that it uses the correct cert. This same command works fine for the other DMZ servers (which are domain joined). I keep falling back to DNS, but I've been informed this isn't a requirement for all installations. It seems odd that it's mentioned so often in the logs, though.

    Any help appreciated.

    regards


    bc
    Wednesday, April 20, 2016 5:20 PM
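The post above describes a workgroup client that has no DNS servers configured, resolves the MP only through a hosts file, and presents a PKI client-authentication certificate over HTTPS, yet logs a timed-out SRV lookup (Winsock error 10060 is WSAETIMEDOUT) and "Sending MP [...] not in cached MPLIST" for both the MP's FQDN and its short name. The following script is an added diagnostic, not code from the original post or from Microsoft, that walks those same layers from the client side: DNS server configuration, hosts-file resolution of both names the MP is seen using, TCP 443 reachability, the client certificate's EKU and chain, and an authenticated HTTPS request to the MP's MPLIST endpoint. It is written for Windows PowerShell 2.0 (Server 2008 R2) and so uses .NET and WMI rather than Resolve-DnsName or Test-NetConnection. The MP name `MPsvr.fqdn` is the placeholder from the post, the thumbprint is a placeholder you must replace, and `https://<MP>/SMS_MP/.sms_aut?MPLIST` is the management point's list endpoint; the string match against the returned XML is an assumption about how the MP names itself in that list, not a documented check.

```powershell
# Added diagnostic for a workgroup ConfigMgr client that relies on a hosts file and a
# PKI client-auth certificate. Windows PowerShell 2.0 compatible (no Resolve-DnsName,
# no Test-NetConnection). $MpFqdn and $ClientCertThumbprint are placeholders (assumed).
param(
    [string]$MpFqdn = "MPsvr.fqdn",
    [string]$ClientCertThumbprint = "0000000000000000000000000000000000000000"
)

$shortName = $MpFqdn.Split('.')[0]

Write-Host "== 1. DNS servers configured on IP-enabled adapters =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | ForEach-Object {
    $dns = if ($_.DNSServerSearchOrder) { $_.DNSServerSearchOrder -join ', ' } else { '<none>' }
    Write-Host ("{0}: DNS={1} Suffix={2}" -f $_.Description, $dns, $_.DNSDomain)
}
# With no DNS server reachable, the SRV query for _mssms_mp_<site>._tcp.<domain> cannot be
# answered; the resolver times out and LocationServices.log reports 10060 (WSAETIMEDOUT).

Write-Host "`n== 2. Name resolution (hosts file / NetBIOS) for both names the MP uses =="
foreach ($name in @($MpFqdn, $shortName)) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0} -> {1}" -f $name, ($addrs -join ', '))
    } catch {
        Write-Host ("{0} -> FAILED: {1}" -f $name, $_.Exception.Message)
    }
}

Write-Host "`n== 3. TCP 443 reachability =="
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($MpFqdn, 443)
    Write-Host "TCP 443 to $MpFqdn is open"
} catch {
    Write-Host ("TCP 443 to {0} failed: {1}" -f $MpFqdn, $_.Exception.Message)
} finally {
    $tcp.Close()
}

Write-Host "`n== 4. Client authentication certificate in LocalMachine\My =="
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ClientCertThumbprint }
if (-not $cert) { Write-Host "No certificate with thumbprint $ClientCertThumbprint"; return }
# 2.5.29.37 = Extended Key Usage; 1.3.6.1.5.5.7.3.2 = Client Authentication.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasClientAuth = $false
if ($eku) {
    $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}
# Verify() builds and validates the chain with this machine's trust store, which is what a
# workgroup box lacks if the issuing CA was never imported.
Write-Host ("Subject={0} NotAfter={1} HasPrivateKey={2} ClientAuthEKU={3} ChainValid={4}" -f `
    $cert.Subject, $cert.NotAfter, $cert.HasPrivateKey, $hasClientAuth, $cert.Verify())

Write-Host "`n== 5. HTTPS request to the MP's MPLIST using the client certificate =="
$url = "https://$MpFqdn/SMS_MP/.sms_aut?MPLIST"
$req = [System.Net.HttpWebRequest]::Create($url)
$req.ClientCertificates.Add($cert) | Out-Null
$req.Timeout = 15000
try {
    $resp   = $req.GetResponse()
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body   = $reader.ReadToEnd()
    $resp.Close()
    Write-Host ("HTTP {0}; MP server cert issuer: {1}" -f [int]$resp.StatusCode, $req.ServicePoint.Certificate.Issuer)
    Write-Host $body
    # The log rejects replies because the sending MP is "not in cached MPLIST"; see which of the
    # two names the MP advertises for itself (assumed: the name appears verbatim in the XML).
    foreach ($name in @($MpFqdn, $shortName)) {
        Write-Host ("MPLIST body contains '{0}': {1}" -f $name, ($body -match [regex]::Escape($name)))
    }
} catch [System.Net.WebException] {
    # Status TrustFailure means this machine does not trust the MP's server certificate chain;
    # a 403 means IIS accepted the TLS session but rejected the client certificate.
    Write-Host ("Request failed: {0} (status {1})" -f $_.Exception.Message, $_.Exception.Status)
}
```

Run it in an elevated PowerShell session on the affected server, since the client certificate lives in the machine store. Section 2 is the one worth reading against the log: the MP replies as both `MPsvr.fqdn` and `SMPSvr`, so a hosts file that carries only one of the two spellings leaves the other unresolvable on a box with no DNS.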
