I guess it is odd.  Looking in location services now, when it does get the MP 
from DNS, it now trusts the "Forest".  And so it downloads the cert just fine.  
What will be interesting to see is when we move into production and publish the 
2012 site into AD.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Trevor Sullivan
Sent: Monday, July 15, 2013 1:10 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] RE: Site assignment help - FIXED

Does that seem weird to anyone, or is it just me? I would think that a 
ConfigMgr SP1 client, without the Cumulative Update 2, should be able to talk 
to ConfigMgr SP1 CU2 management point, right?

Cheers,
Trevor Sullivan
[cid:image001.gif@01CE815F.873D49A0]<http://trevorsullivan.net/>   
[cid:image002.gif@01CE815F.873D49A0] <http://twitter.com/pcgeek86>    
[cid:image003.gif@01CE815F.873D49A0] <http://facebook.com/trevor.sullivan>     
[cid:image004.gif@01CE815F.873D49A0] 
<https://plus.google.com/106658223083457664096>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Monday, July 15, 2013 12:06 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] RE: Site assignment help - FIXED

I had forgotten to apply the Post SP1 CU2 client patch.  Once I applied that to 
two clients, they talked to the MP correctly and are now happy as far as I can 
tell.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Monday, July 15, 2013 11:08 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] RE: Site assignment help

OK, looking at the location services log, I see this one clients:
Name:'Server.Name.Here' HTTPS: 'N' ForestTrust: 'N'

Now on the server, where the client does install successfully and gets its site 
information correctly, the "ForestTrust" value is 'Y'.

What does the client query to obtain this value?

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Friday, July 12, 2013 11:46 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] RE: Site assignment help

Yep, did that.  Digging into the logs, it looks like it finds the management 
point from DNS like it should, but when it goes to get the certificate it 
fails.  I compared logs with the server that installed the agent just fine, and 
the server gets the certificate but clients (on a different subnet) do not.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dzikowski, Michael
Sent: Friday, July 12, 2013 11:43 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] RE: Site assignment help

Have you tried this?

RESETKEYINFORMATION=TRUE

RESETKEYINFORMATION

If a Configuration Manager 2007 client has the wrong Configuration Manager 
trusted root key and cannot contact a trusted management point to receive a 
valid copy of the new trusted root key, you must manually remove the old 
trusted root key by using this property. This situation commonly occurs when 
you move a client from one site hierarchy to another. This property applies to 
mixed mode and native mode.
Example: CCMSetup.exe RESETKEYINFORMATION=TRUE



http://technet.microsoft.com/en-us/library/bb680980.aspx

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Friday, July 12, 2013 11:29 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] RE: Site assignment help

OK so I installed the SCCM agent on the site server itself, and it came up just 
fine.  The two test machines I have tried so far, that do not get the site, are 
on a different subnet.  That subnet however, is in a boundary group (IP Range) 
and SCCM shows that those machines are in the correct site (shows the site code 
next to the device name).

What would change across subnets that would make the certificate unhappy?

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Friday, July 12, 2013 11:13 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] RE: Site assignment help

I think there may be something to do with the MP certificate, because I see 
this in the log from the CertificateMaintenance component on the client:

"Failed to verify signature of message received from MP using name 'ServerName'"

Otherwise it seems it is talking to the correct server (MP wise) it just 
doesn't like the answer it gets from that server.  Is there a way to generate a 
new cert?

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Trevor Sullivan
Sent: Thursday, July 11, 2013 12:52 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] RE: Site assignment help

Have you tried the MPLIST and MPCERT test URLs?

http://technet.microsoft.com/en-us/library/bb932118.aspx

Also, have you tried specifying RESTKEYINFORMATION=TRUE in your client install 
command line?

Cheers,
Trevor Sullivan
[cid:image001.gif@01CE815F.873D49A0]<http://trevorsullivan.net/>   
[cid:image002.gif@01CE815F.873D49A0] <http://twitter.com/pcgeek86>    
[cid:image003.gif@01CE815F.873D49A0] <http://facebook.com/trevor.sullivan>     
[cid:image004.gif@01CE815F.873D49A0] 
<https://plus.google.com/106658223083457664096>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Wednesday, July 10, 2013 3:02 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Site assignment help

Yep, used the one you have specified.  I also get the message "Failed to verify 
signature of message received from MP using name 'FullServerFQDN' from the 
certificate maintenance log.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Wednesday, July 10, 2013 3:58 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Site assignment help

How did you specify the MP?

Specifically, did you use /mp? If so, that does *not* specify the MP for the 
client agent to initial use during installation. Use the SMSMP property instead.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Wednesday, July 10, 2013 2:45 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] Site assignment help

I have set up SCCM2012, SP1, CU2 and am beginning to test out client 
management.  We are still on SCCM2007 so I have not given the CM12 server 
access to publish site information into AD.  I set up the CM12 server to 
publish to DNS for MP information (so it can get the site code from the MP).  I 
have done both client push and manual client installs on a PC to test out an 
agent and it fails at site assignment.  In both client installs, I have 
specified the management point and site code.  In looking at the client logs it 
shows that it cannot find the site info in AD (which it shouldn't) and it then 
goes to find the MP from DNS (which it is successful at doing).  However, it 
then tries to look at AD again as it comes up with the error "Failed to 
retrieve MP certificate encryption info from AD".  And then immediately after 
that "HandleFSPCcmHttpStatus - Failed to retrieve internet, proxy or assigned 
MP. Assuming 'ServerNameHere' is not a relevant MP."  I am confused by this 
part, because this seems to cripple site assignment and I can't go any further. 
 I don't want to enable any AD publishing as we are not ready to migrate over.  
Is there something I am overlooking here?

I can reach the MP thru a web browser, and there is nothing wrong with the MP 
according to SCCM status information.

Thanks!

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State















<<inline: image001.gif>>

<<inline: image002.gif>>

<<inline: image003.gif>>

<<inline: image004.gif>>

Reply via email to