Category: SCCM


WSUS admin console unable to connect using SSL

When you try to connect to WSUS with the admin console, you run into the following problem:

Cannot connect to "mydomain.com". The server may be using another port or different Secure Sockets Layer setting.

The problem was easy: the proxy was not configured correctly, so we just deactivated the automatic proxy setting on that server and rebooted. After that everything should be fine.

Today I thought I was going crazy. I was successfully booting with PXE, but ran into one error. I fixed that, but afterwards I was not able to boot with PXE again.


If you come from SCCM 2007 you would now know what to do, but I needed a couple of hours to see and fix the problem.

In the collection All Desktops and Server Clients, find the device(s) named Unknown. Right-click and delete them, and you are done and able to boot with PXE again.


Another thing was our SCCM 2012 environment. The easiest way to upgrade is to do an in-place upgrade. If you are using multiple languages in your SCCM, you have to remove them before you upgrade. Once that is done you can start the upgrade process, beginning with the central site. I am not sure whether you have to begin with the primary site or not, but I don't think it makes a big difference, and we had no problems going central site first and then primary site.


If everything went well you will have an error in the upgrade log file, which you can safely ignore.


Bye.

Today we found the final version of System Center 2012 in our VL and TechNet subscription. So we will upgrade our full environment as soon as possible!

Great job Microsoft.

Today I got the following error when I wanted to try out Remote Assistance in SCCM 2012 RC2 in a lab:

[Screenshot: error message]

The problem was easy to solve. You need to set “Manage solicited Remote Assistance settings” to True. Otherwise Remote Assistance will only work if your customer is sending you a Remote Assistance offer.

Good luck.

Expand SSL tunnel range for FFTMG (SCCM, FEP)

If your FEP 2010 clients are trying to download an update from the SCCM server, you will notice a denied connection from the client through the Forefront Threat Management Gateway 2010. You have to allow secure connections on port 8531 on the FFTMG. You can do this with an extra tool from http://www.isatools.org/ : go to “TMG Tools” and download the “ISA Tunnel Port tool”.

Then run the following commands from an administrator command line:

    cscript isa_tpr.js /del SSL

    cscript isa_tpr.js /add SSL 442 8531
    (or whatever you have defined as the secure connection for WSUS)

    cscript isa_tpr.js /show SSL
    (just for confirmation)

Now just restart the Microsoft Firewall service and that’s it! Have fun downloading virus definitions from SCCM/WSUS.

Today we were confronted with a very strange problem. We have one AD with 4 different sites. Every SCCM boundary is configured correctly.

I was advertising a software package to some clients. The policy was OK and the client also tried to download the content.

However, it kept running and never got further than:

“Execution Request for package xxxxxxxx program xxxxxxxx Silent Install state change from WaitingDependency to WaitingContent”

The fix was very easy, but very strange. The SCCM server on the other site had been shut down. I started the machine and everything was OK.

Strange thing.

Our SCCM environment consists of a central site and a few primary child sites, one for each country. The built-in collections are only provided from our central site, so they are protected on each child site and cannot be modified there.

Today we created a new collection on a child site and linked an inherited collection (All Windows 7 Systems) to this new collection:

[Screenshot: link to the protected collection]

As you can see, the collection is protected even if it’s only an instance, as in our case. If you now want to delete this instance, you are not able to.

We searched the web and found no solution for this bug, and we believe that it is one. So we had to dig into the SCCM collection management and found a solution.

Please be very careful if you try our solution, because wrong handling may lead to an inconsistent SCCM database. We don’t give any guarantee.

  1. Download the WMI Administrative Tools and install them on a client computer. We used a Windows XP computer.

  2. Start the WMI Object Browser, which is part of the WMI Administrative Tools. The object browser starts in an Internet Explorer window and tries to connect to the default WMI namespace on the client computer:
     [Screenshot: WMI Object Browser connect dialog]

  3. Connect to the WMI namespace on the site server of the child site. To do so, click on the small icon beside the selected namespace to browse to the SCCM site server that holds the linked collection to be deleted, enter the site server name and use “root\sms” as the starting namespace, as shown:
     [Screenshots: browsing to the site server and entering the starting namespace]
     Click on Connect and enter appropriate credentials to connect to your site server's WMI. Select the namespace corresponding to your site code and click OK. Now you have to specify the browse criteria, which is the SMS_Collection class. Add it and continue with OK:
     [Screenshot: selecting the SMS_Collection class]
     You get another window where you have to choose the collection which holds the collection link to be deleted.
     [Screenshot: collection containing the link]
     In our case it was the collection “Manage” with the ID “BCG0004F”, and if you continue with OK you can see all the properties of your collection.

  4. Temporarily unset the protected flag for the collection to be deleted. To do that, open the object tree as shown in the following picture and select the troublemaking collection. In our case it was the collection with the ID “ABC00048”:
     [Screenshot: editing the collection in the object tree]
     After choosing this collection you can see the properties for this collection on the site server! This is important to keep in mind!

     Change the property “OwnedByThisSite” from false to true, save your change with the disk icon (marked with the arrow) and refresh the collection tree in your Configuration Manager console. Now you are able to delete the instance of this collection, as with any other collection that is not inherited.

     Once it is deleted, you should set the property back to false so that you do not get into trouble with the central site.

Again remember, the change we’ve made here was only for the child site, regarding a collection inherited from the central site!!!

So please be very careful of what you are doing.
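
The same flag change can be scripted so that the property is always set back to false afterwards. This is an added example for Windows PowerShell, not part of the original post; the server name, site code and collection ID are placeholders, and it assumes the current account may write to the child site's SMS provider.

```powershell
# Added example: all parameter defaults are placeholders, not values from the post.
param(
    [string]$SiteServer   = 'CHILD-SITE-SERVER',  # placeholder: child site server
    [string]$SiteCode     = 'XXX',                # placeholder: child site code
    [string]$CollectionID = 'XXX00000'            # placeholder: inherited collection
)

$ns     = "root\sms\site_$SiteCode"
$filter = "CollectionID='$CollectionID'"

function Get-Collection {
    # Reads the SMS_Collection instance from the child site's SMS provider.
    Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
                  -Class SMS_Collection -Filter $filter
}

$coll = Get-Collection
if (-not $coll) {
    throw "Collection $CollectionID not found in $ns on $SiteServer"
}
if ($coll.OwnedByThisSite) {
    # Only inherited (protected) collections need this workaround.
    throw "$CollectionID is already owned by this site; nothing to change."
}

Write-Host "Unprotecting '$($coll.Name)' ($CollectionID) on site $SiteCode"
$coll.OwnedByThisSite = $true
$null = $coll.Put()

try {
    # The deletion of the linked instance itself is still done in the console.
    $null = Read-Host 'Refresh the console, delete the linked instance, then press Enter'
}
finally {
    # Restore the flag even if the wait above is interrupted.
    $coll = Get-Collection
    if ($coll) {
        $coll.OwnedByThisSite = $false
        $null = $coll.Put()
        Write-Host "OwnedByThisSite is now $((Get-Collection).OwnedByThisSite)"
    }
}
```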

SMS Distribution Manager failed to process package

I set up a new protected distribution point for a remote site and everything seemed fine until I tried to distribute a package to that DP, which put the SMS_DISTRIBUTION_MANAGER status to critical with the following two error messages:

    1. Failed to create virtual directory on the defined share or volume on distribution point
      Message ID 2344
       
    2. SMS Distribution Manager failed to process package
      Message ID 2342

The first error message told me that the IIS base components needed to be installed, which I had already done before installing the DP.

But it is also necessary that “IIS 6 WMI Compatibility” is installed to get it working, and that the “WebDAV server extension” is installed so that clients get BITS support for this DP.

Two error messages in the distmgr.log showed me the way to the solution above:

    1. CWmi::Connect(): ConnectServer(Namespace) failed. – 0x800706ba
    2. CWmi::Connect() failed to connect to \\%hostname%\root\MicrosoftIISv2. error = The RPC server is unavailable

It cost me only 5 hours today to solve a really annoying problem. Everything was wonderful, because I was configuring SSL for WSUS-IIS on port 8531. The WSUS console could also connect successfully; the only problem was that SCCM SMS_WSUS_CONTROL_MANAGER was writing errors 7000 and 7003.

If you run wsusutil.exe checkhealth, you get the following event IDs: 12002, 12052, 12042, 12022, 12032, 12012.

The only solution was to execute:

wsusutil.exe configuressl (server name to which the certificate was issued; capitalization is essential)


It had to be exactly the same name as the one in the “Issued to” field of the web server certificate.

Hope that will help somebody.
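
To see which spelling the certificate actually carries before running configuressl, the “Issued to” name can be read from the WSUS SSL port and compared case-sensitively. This is an added example in Windows PowerShell, not part of the original post; the server name is a placeholder, and port 8531 is the one used above.

```powershell
# Added example: $ServerName is a placeholder, not a value from the post.
param(
    [string]$ServerName = 'WSUS01.example.com',  # placeholder: name you intend to pass
    [int]$Port = 8531                            # WSUS SSL port used in the post
)

function Get-TlsCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    try {
        # Validation is skipped on purpose: the certificate is only read for
        # inspection here, and no application data is sent over the session.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $accept
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        $tcp.Close()
    }
}

$cert     = Get-TlsCertificate -HostName $ServerName -Port $Port
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$issuedTo = $cert.GetNameInfo($nameType, $false)   # subject name, i.e. "Issued to"

if ($issuedTo -ceq $ServerName) {
    Write-Host "Exact match. Run: wsusutil.exe configuressl $issuedTo"
}
elseif ($issuedTo -ieq $ServerName) {
    # Same name, different capitalization: the case described in the post.
    Write-Warning "Name differs only in case. Certificate says '$issuedTo'."
    Write-Host "Run: wsusutil.exe configuressl $issuedTo"
}
else {
    Write-Warning "Certificate is issued to '$issuedTo', not '$ServerName'."
}
Write-Host "Certificate valid until $($cert.NotAfter)"
```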