MP Deployment to an untrusted forest returns an error about not being able to write to the primary site's forest

  • Question

  • I have the following configuration:

    • INT forest is on the intranet
    • DMZ forest is in the DMZ
    • No trust between the forests
    • Primary Site server is in INT
    • Already have an MP in the INT forest on a separate server
    • Installing role server with MP in DMZ

    The DMZ MP has been configured with:

    • Require the site server to initiate connections to this site system
    • Use another account for installing this site system and that account is a local administrator
    • Use the site database
    • Specify the account that connects the management point to the SQL Server database

    All accounts have been checked to make sure they work.

    I'm getting the following issues when the MP is deployed:

    1. The MP Control Manager is raising an error that the DMZ server can't be added to SMS_SiteSystemToSiteServerConnection_MP_Site.  Which is correct, it can't because they are in untrusted forests.  I suspect this can be ignored.  Looking through the mpcontrol.log there isn't anything showing as a problem.
    2. The MP.MSI isn't installing, the error code is 1603 (it failed) and digging through the MPSetup.log has nothing of value in it, and the mpMSI.log doesn't have much more.  Just an error in rollback and operation failed with error 8007041d. 

    I've kept this as simple as possible to avoid anything that might complicate it.  It's only using HTTP, the connection between the primary and the DMZ MP is through an IPSEC tunnel that has everything open.  I'll tighten down when I get everything working.

    Any suggestions on where to look?


    Bob

    Monday, February 11, 2013 10:56 PM

Answers

  • I think I found an answer, I think it was from trying to install all of the roles at the same time.  Why it's an answer, who knows.  I removed all the roles and deleted the server.  I then added the roles one at a time in the following order, waiting for each to be successful before moving to the next.  Yeah, I know I could probably combine some of them, but I'm guessing that the MP vs. DP interaction caused the problem.  Particularly the part where "install IIS" was checked on the DP.

    1. MP
    2. FSP
    3. DP
    4. SUP

    I'll mark this as answered tomorrow if it stays stable.


    Bob

    • Marked as answer by Bob Panick Wednesday, February 20, 2013 2:21 PM
    Wednesday, February 20, 2013 12:48 AM

All replies

  • mpmsi.log can usually be used to troubleshoot a failed installation. Do you see "return value 3" in the log? The cause of the error should be listed a few lines above it.

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, February 12, 2013 7:53 AM
  • I checked it and there isn't anything more than what I have above. 


    Bob

    Tuesday, February 12, 2013 12:17 PM
  • Excuse me if I missed any info.  I am just trying to provide what I know as I have the same setup myself without any problems. :)

    If you're trying to use the DB in your intranet from the DMZ, you will need to open port 1433 between the DMZ MP and the DB server.  This is the only port you should need to open.

    Are you installing the MP role with a DMZ domain account?

    Shawn

    Tuesday, February 12, 2013 2:00 PM
  • I am using an account in the DMZ to install, and another account in INT that has access to the SQL server.

    The ports to the SQL server are open.  I have another MP in the local INT domain that can access everything just fine, so it's probably not firewall issues.  Right now the IPSEC tunnel is wide open, so nothing is being restricted.

    I might have found the problem, I'm used to SCCM setting the SQL Access rights for the MP, it appears it didn't do that for the SQL access account I'm using for the MP.  That might explain it.  I'm going to try it and I'll post if I get it working.


    Bob

    Tuesday, February 12, 2013 3:17 PM
  • Unfortunately, this didn't fix the problem.  Here are the entries from the mpMSI.log:

    [11:02:48] WARNING: Failed to delete setup in progress time-stamp with error 0x80070002
    [11:02:48] Starting ccmexec
    MSI (s) (58:F8) [11:02:48:893]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
    MSI (s) (58:F8) [11:02:48:893]: Error in rollback skipped. Return: 5
    [11:02:48] WARNING: Operation failed with error 8007041d
    MSI (s) (58:F8) [11:02:48:920]: Note: 1: 2318 2: 
    MSI (s) (58:F8) [11:02:48:922]: No System Restore sequence number for this installation.
    MSI (s) (58:F8) [11:02:48:922]: Unlocking Server
    MSI (s) (58:F8) [11:02:48:927]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
    Action ended 11:02:48: INSTALL. Return value 3.


    Bob

    Tuesday, February 12, 2013 4:06 PM
  • I found another problem, this one I think is probably the root cause.  The SCCM 2007 agent was still running on the server, but I didn't know it was there.  I tried removing all the roles and then uninstalling the agent.  But no change in how things are working. I'm going to try running the CCMSETUP /uninstall from the SCCM 2012 version and see if it cleans things up.  If it doesn't I'll end up wiping and reloading it.

    Bob

    Tuesday, February 12, 2013 7:00 PM
  • Well, turns out that wasn't causing the problem either.  After a fresh install, I'm still getting the problem.  Unfortunately the logs are useless, so I'm down to poking around at things trying to guess why it's failing.  I'm guessing it's some security restriction that's causing the problem.

    The only one that I've seen that makes any sense is a warning that the MP in the DMZ can't write to the inbox on the site server.  Which makes sense, but since the server is set up to require that the Primary initiate the conversation, I'm not sure why I'm seeing that.


    Bob

    Tuesday, February 19, 2013 7:12 PM
  • Much farther up the log file from the value 3 error is an error about being able to access the IIS configuration.  Likely a permissions issue.  I'm doing some checks to make sure the service account has the rights it needs.


    Bob

    Tuesday, February 19, 2013 8:05 PM
  • Here is the error I'm getting, which doesn't make much sense.  The service account set for the MP has full admin rights, and I even checked the local system account in case it was a problem with the bootstrapper.  Everything is good.  The funny part is the DP installed just fine.  I even tried removing the DP.

    MSI (s) (34:34) [17:19:05:322]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF530.tmp, Entrypoint: CcmCreateIISVirtualDirectories
    [17:22:05] ERROR: Timed out trying to acquire lock.
    [17:22:05] ERROR: Failed to acquire the port lock '0x80004005'.
    [17:22:05] ERROR: Failed to configure sms ports '0x80004005'.
    [17:22:05] ERROR: Failed to process port information.
    [17:22:05] @@ERR:25011
    MSI (s) (34!04) [17:22:05:425]: Product: ConfigMgr Management Point -- Error 25011. Setup was unable to process the IIS port settings for SMS
    The error code is 80004005
    Error 25011. Setup was unable to process the IIS port settings for SMS
    The error code is 80004005
    CustomAction CcmCreateIISVirtualDirectories returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (34:30) [17:22:05:447]: User policy value 'DisableRollback' is 0
    MSI (s) (34:30) [17:22:05:447]: Machine policy value 'DisableRollback' is 0
    Action ended 17:22:05: InstallFinalize. Return value 3.


    Bob

    Tuesday, February 19, 2013 10:26 PM
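Torsten's advice earlier in the thread (search mpMSI.log for "Return value 3" and read upward from it) and the log excerpt Bob posted can be turned into a small triage script. The following is an added example, not code from this thread or from Microsoft: the sample log is constructed from the lines quoted above, the field names (`action`, `custom_action`, `hresults`, `msi_errors`) are this example's own, and the Win32 error names in the lookup table are standard Windows codes rather than anything the thread states. It also decodes `0x8007xxxx`-style HRESULTs into their Win32 error number, which is more general than the single failure shown here.

```python
import re
from typing import Dict, List

# Sample mpMSI.log tail, constructed from the lines quoted in this thread.
# Only the region around the failing custom action is included.
SAMPLE_MPMSI_LOG = """\
MSI (s) (34:34) [17:19:05:322]: Invoking remote custom action. DLL: C:\\Windows\\Installer\\MSIF530.tmp, Entrypoint: CcmCreateIISVirtualDirectories
[17:22:05] ERROR: Timed out trying to acquire lock.
[17:22:05] ERROR: Failed to acquire the port lock '0x80004005'.
[17:22:05] ERROR: Failed to configure sms ports '0x80004005'.
[17:22:05] ERROR: Failed to process port information.
[17:22:05] @@ERR:25011
MSI (s) (34!04) [17:22:05:425]: Product: ConfigMgr Management Point -- Error 25011. Setup was unable to process the IIS port settings for SMS
The error code is 80004005
Error 25011. Setup was unable to process the IIS port settings for SMS
The error code is 80004005
CustomAction CcmCreateIISVirtualDirectories returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (34:30) [17:22:05:447]: User policy value 'DisableRollback' is 0
MSI (s) (34:30) [17:22:05:447]: Machine policy value 'DisableRollback' is 0
Action ended 17:22:05: InstallFinalize. Return value 3.
"""

# "Return value 3" is Windows Installer's generic "this action failed" marker.
RETURN_VALUE_3 = re.compile(r"^Action ended [\d:]+: (?P<action>\w+)\. Return value 3\.")
CUSTOM_ACTION = re.compile(r"CustomAction (?P<name>\w+) returned actual error code (?P<code>\d+)")
ENTRYPOINT = re.compile(r"Entrypoint: (?P<name>\w+)")
# HRESULT-looking values such as 0x80004005 or 8007041d, with or without the 0x prefix.
HRESULT = re.compile(r"\b(?:0x)?(8[0-9a-fA-F]{7})\b")
# Installer-level error numbers such as "Error 25011."
MSI_ERROR = re.compile(r"\bError (?P<num>\d{4,5})\.")

# Standard Win32 error codes (names are the Windows SDK constants, not from the thread).
WIN32_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
}


def find_failures(log_text: str, context: int = 20) -> List[Dict]:
    """Return one record per 'Return value 3' line, summarising the
    `context` lines that precede it: which custom action failed, which
    HRESULTs and installer error numbers were logged, and the ERROR lines."""
    lines = log_text.splitlines()
    failures = []
    for idx, line in enumerate(lines):
        m = RETURN_VALUE_3.match(line)
        if not m:
            continue
        window = lines[max(0, idx - context):idx]
        custom_action, custom_action_rc = None, None
        for w in window:
            ca = CUSTOM_ACTION.search(w)
            if ca:
                custom_action, custom_action_rc = ca.group("name"), int(ca.group("code"))
        if custom_action is None:
            # Fall back to the last custom action that was invoked in the window.
            for w in window:
                ep = ENTRYPOINT.search(w)
                if ep:
                    custom_action = ep.group("name")
        failures.append({
            "action": m.group("action"),
            "line_no": idx + 1,
            "custom_action": custom_action,
            "custom_action_rc": custom_action_rc,
            "hresults": sorted({h.lower() for w in window for h in HRESULT.findall(w)}),
            "msi_errors": sorted({int(e) for w in window for e in MSI_ERROR.findall(w)}),
            "error_lines": [w for w in window if "ERROR:" in w],
        })
    return failures


def decode_hresult(code: str) -> str:
    """Explain an 8-hex-digit HRESULT. Facility 7 wraps a Win32 error in the
    low 16 bits; 0x80004005 is the catch-all E_FAIL and carries no detail."""
    value = int(code, 16)
    facility = (value >> 16) & 0x7FF
    if facility == 7:  # FACILITY_WIN32
        win32 = value & 0xFFFF
        return f"{code}: Win32 error {win32} ({WIN32_NAMES.get(win32, 'unknown')})"
    if value == 0x80004005:
        return f"{code}: E_FAIL (generic failure; read the ERROR lines above it)"
    return f"{code}: HRESULT facility {facility}, code {value & 0xFFFF}"


if __name__ == "__main__":
    for f in find_failures(SAMPLE_MPMSI_LOG):
        print(f"{f['action']} failed at line {f['line_no']}: custom action "
              f"{f['custom_action']} rc={f['custom_action_rc']}, MSI errors {f['msi_errors']}")
        for h in f["hresults"]:
            print("  ", decode_hresult(h))
        for e in f["error_lines"]:
            print("  ", e)
```

Run against the excerpt above, this attributes the failure to the CcmCreateIISVirtualDirectories custom action and reports 0x80004005 as E_FAIL, which is why the four ERROR lines about the port lock, not the HRESULT itself, are the useful part. The 8007041d code from the earlier post decodes to Win32 error 1053, a service start/control request timeout, which is a different symptom from the IIS lock timeout here.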