I had forgotten to apply the Post SP1 CU2 client patch. Once I applied that to two clients, they talked to the MP correctly and are now happy as far as I can tell.
Mark Kent (MCP) Sr. Desktop Systems Engineer Computing & Technology Services - SUNY Buffalo State From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark Sent: Monday, July 15, 2013 11:08 AM To: mssms@lists.myitforum.com Subject: RE: [mssms] RE: Site assignment help OK, looking at the location services log, I see this one clients: Name:'Server.Name.Here' HTTPS: 'N' ForestTrust: 'N' Now on the server, where the client does install successfully and gets its site information correctly, the "ForestTrust" value is 'Y'. What does the client query to obtain this value? Mark Kent (MCP) Sr. Desktop Systems Engineer Computing & Technology Services - SUNY Buffalo State From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark Sent: Friday, July 12, 2013 11:46 AM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] RE: Site assignment help Yep, did that. Digging into the logs, it looks like it finds the management point from DNS like it should, but when it goes to get the certificate it fails. I compared logs with the server that installed the agent just fine, and the server gets the certificate but clients (on a different subnet) do not. Mark Kent (MCP) Sr. Desktop Systems Engineer Computing & Technology Services - SUNY Buffalo State From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Dzikowski, Michael Sent: Friday, July 12, 2013 11:43 AM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] RE: Site assignment help Have you tried this? RESETKEYINFORMATION=TRUE RESETKEYINFORMATION If a Configuration Manager 2007 client has the wrong Configuration Manager trusted root key and cannot contact a trusted management point to receive a valid copy of the new trusted root key, you must manually remove the old trusted root key by using this property. This situation commonly occurs when you move a client from one site hierarchy to another. This property applies to mixed mode and native mode. Example: CCMSetup.exe RESETKEYINFORMATION=TRUE http://technet.microsoft.com/en-us/library/bb680980.aspx From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark Sent: Friday, July 12, 2013 11:29 AM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] RE: Site assignment help OK so I installed the SCCM agent on the site server itself, and it came up just fine. The two test machines I have tried so far, that do not get the site, are on a different subnet. That subnet however, is in a boundary group (IP Range) and SCCM shows that those machines are in the correct site (shows the site code next to the device name). What would change across subnets that would make the certificate unhappy? Mark Kent (MCP) Sr. Desktop Systems Engineer Computing & Technology Services - SUNY Buffalo State From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark Sent: Friday, July 12, 2013 11:13 AM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] RE: Site assignment help I think there may be something to do with the MP certificate, because I see this in the log from the CertificateMaintenance component on the client: "Failed to verify signature of message received from MP using name 'ServerName'" Otherwise it seems it is talking to the correct server (MP wise) it just doesn't like the answer it gets from that server. Is there a way to generate a new cert? Mark Kent (MCP) Sr. Desktop Systems Engineer Computing & Technology Services - SUNY Buffalo State From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Trevor Sullivan Sent: Thursday, July 11, 2013 12:52 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] RE: Site assignment help Have you tried the MPLIST and MPCERT test URLs? http://technet.microsoft.com/en-us/library/bb932118.aspx Also, have you tried specifying RESTKEYINFORMATION=TRUE in your client install command line? Cheers, Trevor Sullivan [cid:image001.gif@01CE815B.FEB89600]<http://trevorsullivan.net/> [cid:image002.gif@01CE815B.FEB89600] <http://twitter.com/pcgeek86> [cid:image003.gif@01CE815B.FEB89600] <http://facebook.com/trevor.sullivan> [cid:image004.gif@01CE815B.FEB89600] <https://plus.google.com/106658223083457664096> From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark Sent: Wednesday, July 10, 2013 3:02 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: [mssms] RE: Site assignment help Yep, used the one you have specified. I also get the message "Failed to verify signature of message received from MP using name 'FullServerFQDN' from the certificate maintenance log. Mark Kent (MCP) Sr. Desktop Systems Engineer Computing & Technology Services - SUNY Buffalo State From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys Sent: Wednesday, July 10, 2013 3:58 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: [mssms] RE: Site assignment help How did you specify the MP? Specifically, did you use /mp? If so, that does *not* specify the MP for the client agent to initial use during installation. Use the SMSMP property instead. J From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark Sent: Wednesday, July 10, 2013 2:45 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: [mssms] Site assignment help I have set up SCCM2012, SP1, CU2 and am beginning to test out client management. We are still on SCCM2007 so I have not given the CM12 server access to publish site information into AD. I set up the CM12 server to publish to DNS for MP information (so it can get the site code from the MP). I have done both client push and manual client installs on a PC to test out an agent and it fails at site assignment. In both client installs, I have specified the management point and site code. In looking at the client logs it shows that it cannot find the site info in AD (which it shouldn't) and it then goes to find the MP from DNS (which it is successful at doing). However, it then tries to look at AD again as it comes up with the error "Failed to retrieve MP certificate encryption info from AD". And then immediately after that "HandleFSPCcmHttpStatus - Failed to retrieve internet, proxy or assigned MP. Assuming 'ServerNameHere' is not a relevant MP." I am confused by this part, because this seems to cripple site assignment and I can't go any further. I don't want to enable any AD publishing as we are not ready to migrate over. Is there something I am overlooking here? I can reach the MP thru a web browser, and there is nothing wrong with the MP according to SCCM status information. Thanks! Mark Kent (MCP) Sr. Desktop Systems Engineer Computing & Technology Services - SUNY Buffalo State
<<inline: image001.gif>>
<<inline: image002.gif>>
<<inline: image003.gif>>
<<inline: image004.gif>>