

Ocelaris

Established Members
  • Posts: 71
  • Days Won: 6

Everything posted by Ocelaris

  1. So we're about 80% complete with our migration of clients from 2007 to 2012. We discovered about 40 machines out of 2300 that have managed to be rebooted in the middle of the client update. The problem is that our WSUS point was the 2007 environment, once you uninstall the 2007 client they are free agents, and can go do updates to update.microsoft.com and download Internet Explorer 10 etc... and we have strict rules about which updates get pushed, particularly for the browser. We confirmed on a handful of these machines that they dropped the old WSUS SCUP point, and got interrupted, and the CM 2012 server didn't pick them up until a few hours later and completed the client upgrade. We've pushed an ADM "don't install IE 10" GPO, and are in the midst of doing a DNS blackhole for update.microsoft.com so clients at least on our network can't reach out to the web for updates. Eventually we'll roll back the DNS Blackhole, but just a warning to people out there if they manage their updates very carefully that you can get some rogue clients if you're doing client push.
  2. Are you getting ANY Packages to that DP? I was having an issue where I missed Client Certificate Authentication in IIS, I added that, uninstalled/reinstalled the DP and all the packages started coming in.
  3. That helped me as well, after SP1, CU1, the Software Summarization was set to run every hour, and had my SQL pegged. We went from 4 to 6 cores, same thing, bumped it to 8, same thing... If you're looking for where summarization is, right click on "All Software Updates" under Software Updates in Software Library, and you'll see summarization. It was set to every hour, so I changed that to 1 day, and it's much happier now.
  4. Did you ever get this resolved, I'm having the exact same issue, I can't delete any records. I also found a ton of DDR records in the same folder, and basically we keep getting the Error...I can create new ones fine, but then I can't delete them. CDiscoverySource_SQL::DecommissionDiscoveryItem - Error decommissioning resource data. Also where did you find that SQL Log? I don't see that anywhere on the SQL Server... Thanks
  5. Apparently (so my coworker tells me) if you delete that shortcut, it comes back... so unless you're doing some logon script check every time, it seems that may not be a complete solution. Still looking for a better solution. I find it hard to believe Microsoft made such nefarious links without a way to move them. In 2007 it was well integrated into the control panel!
  6. This is exactly the same problem I have, although I even have AD publishing enabled. If I use the ccmhostname=ICBM.domain.com inside a task sequence for the "Install Configuration Manager" application the task sequence fails. My Computer client certificate is passed out through AD, and I can't rely on it to be installed prior to client installation, although I may see if I can programmatically request the certificate AND use the ccmhostname=ICBM.domain.com . But that's exactly what happens, if you use the ccmhostname command property the SCCM client believes it's on the internet and fails to find a management point, presumably because the management point only talks https and the client doesn't have a cert yet. We do have a http Management point which is what we prefer to build out the desktops/laptops with because we don't want to bother with certificates in the PXE environment. So not sure if there is a way to say "this is your ICBM, but don't use it at the moment, just keep it in case you need it later, find your MP from AD". Where I already have a working operating system (built from 2007) and I install the 2012 client, everything works fine, it will roam between MPs fine. I'll let you know if I succeed, but I think I'm going to try and repair the SCCM client at the very end with the CCMhostname command.
  7. Only 443 is required to be open, and I would suspect that if you're proxying SSL connections, you would have issues as the proxy would have to broker that SSL Connection as a man in the middle. I would remove the proxy and confirm/deny that fixes the issue first. I would look at execmgr logs on the client to see what requests are going on, and possibly IIS from the Internet facing DP to see if the requests are getting through.
  8. Ditto, stupid mistake on my part... I had the limiting group set as "All Desktop and Server Clients" so since it had never been imaged, it didn't show up... put it under "All Systems" and that fixed it.
  9. Thanks, that's what I thought, but getting SYSADMIN rights on a SQL box is like pulling teeth. I opened up a case with Microsoft because sometimes to get permissions "they" have to hear it from someone else to believe it. I just submitted the case this morning so hopefully will hear back, and I'll follow up when I've gotten their answer hopefully officially.
  10. I'm pretty sure you can't, because you would have to specify 2 instances of WDS, which would be listening on different interfaces... SCCM hijacks WDS for its PXE references... You'd have to have a service smart enough to only listen on one interface adapter basically, and I don't think WDS has that option? and I don't see how you could hack it to have two instances of WDS running... sorry that wasn't more helpful!
  11. So my SCCM 2007 environment backups started failing, and all suspects were the NT-Authority\system and SERVER$ accounts not having sysadmin privileges. So I talked to our SQL guy, and he wasn't aware that we were doing VSS snapshots with the built in SCCM 2007 environment, and wants me to NOT use them. Basically he has DB backups (which I'm confident in), but it's the rest of the backup that I'm worried about. It seems like going through the restore/repair procedure looks at a whole swath of stuff in the backup, and I'm not confident that SQL Backup + VMware Snapshot (vranger) will restore me to a full working SCCM environment. Plus the built in SCCM backup fails completely when just the SQL VSS Writer portion fails. So I can't even just rely on the SQL guy to do the DB backups, and then use the file/registry data from the built-in backups. What is everyone else doing where they have another team responsible for backups? Are you still doing your own SCCM/CM backups or are you letting them handle that, and have you run through that backup procedure? I'm opening a ticket with Microsoft, mostly for some answers to what the actual backup procedure is doing, because at this point it seems very opaque to me. If I could use the GUI backup, then that would be fine, but our server team is balking at me doing the backups. Thanks
  12. I have that set up somewhat like you're talking about, but the problem is the broadcast address will only go to one place, i.e. the client sees the first responder and then ignores any others. So it's like a light switch, you EITHER have 2007 or 2012, not both. On my test Vlan I have 2012 and 2007 and if I mess around with the delays I can swap between 2012 and 2007, but on our production network, it's unaffected because it only broadcasts to the 2007 server. Basically the client will grab onto whichever server first responds, so you basically have to limit the ip helper statement in the switch to limit the broadcasts. If you can set up a subnet for imaging 2007 machines, that's what I'd do.
  13. Yeah, that's what my team lead was saying. I guess I'll just write a VBScript that checks for the CM 2012 client, and if it is installed, delete the shortcut and move it to our " - Utilities" folder where it can live happily. We've already done a transform for the Silverlight so it moves the shortcut to its appropriate place (nowhere!) but I'll have to check on that shortcut as well. I'd rather not have a scheduled task run, but I suppose I can run it after the client install package. I'm just wondering about when I do client rollout, if I'm targeting it via SUP, how that works... but that's more my ignorance of SUP custom packages than anything else. Thanks, when I finish the script I'll post back.
  14. So I'm not quite happy that SCCM installs a shortcut in the start menu for "Microsoft System Center 2012/Configuration Manager/Software Center" as well as "Silverlight"... I normally maintain a pretty strict start menu folder structure for my environment, and with the automated installation it seems the only way to fix this is to modify the package on the site server... Has anyone had any luck with this? I opened up the Client.msi package with Wise Package Editor on the site system, but I can't see in the msi any shortcuts...
  15. To troubleshoot, remove any WMI queries in case that's the issue, and just have it run unconditionally. You also ought to double check the PCI Device ID to verify that it is indeed the correct driver. Open up the .inf file and look for the line that says something like this: "PCI\VEN_8086&DEV_2A42&SUBSYS_30DB103C" compare that to device manager, hardware IDs... to confirm at LEAST VEN_####&DEV_#### match. Also checking "Do Attended installation of unsigned drivers on versions of Windows where this is allowed" helps a lot.
  16. In CM, go into administration/Security and add the smsadmin (AD account) to the Full Administrator's group. There are a number of places where you'll have to add that account in, but that should allow you to at least load the console. You probably need to make that account a member of the local admin's group on that box as well.
  17. So I've gotten our new CM 2012 SUP environment set up and am working on migrating what I can from our old 2007 environment. During the migration phase, I'm getting a "Could not find the specified instance". It's particularly difficult to search on "SUP" because the 3 letter search (Google site search didn't help much). A little background, our 2007 environment ponied up to a separate WSUS server which served as our only SUP, now I have 2 SUPs with 2012 SP1. One is our Stand alone Primary server, and the other is our DMZ Internet facing IBCM server. Both point at a shared separate SQL server installed on the default instance (which worked quite well may I add after I added SP1). Anyone have any experience with migrating the Approvals and groups? Our security engineer runs the software updates, so I'm not so knowledgeable about the inner workings of the SUP approval and collections process at this point (although I maintain the SCCM/CM infrastructure), so I'm basically just trying to not have the security guy reapprove all his updates. I assume the computers will be able to scan against the database. I had thought about trying the WSUTIL program, but I know CM doesn't like people messing directly with the WSUS DB... Thanks
  18. So the install seemed to go fine, I'll let you know if I have any issues, but basically on the WSUS install on the 2nd site (DMZ) I just pointed it at the default instance of the server and it found the database, and I said "reuse existing database" then I did the KB updates, and I'm waiting for it to all synchronize now.
  19. Thanks, I'm going to look more at that reverse proxy method, because the way it looks from the KBs, is that it takes 4x 30 minutes to fail over to the "other" SUP, and once it's moved, it will stay on that server indefinitely. So basically laptops which roam outside will stay on the DMZ based server as long as they can reach it from the inside as well... which I don't care for. But I may try just installing the wsus 3.0 sp2 on the DMZ server today and point it at the shared DB (while the other one is up and running) and see if it plays nicely... I can't imagine it would, but stranger things have happened.
  20. Thanks, I'm about to do the SP1 upgrade today or tomorrow. Thanks for the heads up on those updates. It seems the documentation is a bit better these days (links below). Did you have to open up 8530 and 8531 to the internet for internet based clients to be able to scan against the remote server? I'd rather just keep 80/443 open, but MS recommends using a custom website (per best practices). Again, I'm still a bit confused whether I even need a remote SUP, i.e. if I have my Primary site inside, and I allow internet based clients on that, I assume I would have to open 8530/8531 to the internet; which is the whole point of my DMZ server. I'm just not sure how the CM client works, i.e. if I have the Remote site handling Internet clients fine, do I even need a SUP sitting out on the DMZ or would the CM client somehow pass the packages/data through to the inside SUP. Planning for Software Updates in CM 2012: "Use a Shared WSUS Database for Software Update Points. For Configuration Manager SP1 only: When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. By sharing the same database you can significantly mitigate the client and network performance impact that can occur when clients switch to a new software update point. When a client switches to a new software update point that shares a database with the old software update point, a delta scan still occurs, but this scan is much smaller than it would be if the WSUS server had its own database." This is good that they're now saying that you can use a shared DB, and I assume those KBs you mentioned are for the SUSDB sharing capability.
  21. Have you upgraded to SP1 yet? I'm deploying an internet facing SUP for the same reason. I guess my question is, is there any problem with having 2 databases as long as they are all speaking the same language? I just mean, if you push out a patch from the CM console, I expect whichever SUP to push it, and not worry about whether my client is inside or outside. I'm pretty sure you need to make your internet site an "active" SUP, as that means clients will scan against that SUP. Passive being a site which clients don't scan against. I saw this good link about moving a database once it's set up... http://scug.be/sccm/2012/10/03/configmgr-2012-sp1-installing-multiple-software-update-points-per-single-primary-site-and-use-a-single-shared-wsus-database-on-your-sql-cluster/ But I'm not convinced that's the right path, if I just have to have a small SQL DB on a server, I'd rather do that until MS officially supports it.
  22. I'm in the same quandary, I'm extending our CM 2012 environment into the internet, and from my reading I believe you need to have an active software update point in the DMZ. i.e. Active SUP = scanning, whereas a not active SUP is not able to scan... But I'd like an answer as well.
  23. Ok, so I've gotten further, I redid the certificate, although pretty sure I had it right the first time. I discovered that you should test the management point by exporting the computer's personal ConfigMgr client certificate (including private key!) and import it into IE to test. I did that, and it looks somewhat ok. But on the internet client, it only lists the primary site, not the distribution point in the DMZ. This site explained very well how to test... http://technet.microsoft.com/en-us/library/bb932118(TechNet.10).aspx Testing shows I get the certificate fine but the mplist only gives me the list of the Internal Management point, not the Internet point which is called "cmsec.external.com" (not really external.com, I just am blanking it out). Any ideas? http://<ServerName>/sms_mp/.sms_aut?mpcert http://<ServerName>/sms_mp/.sms_aut?mplist
  24. Well, the client is finding the site, but in ccmMessaging.log I am getting errors: Post to https://cmsec.EXTERNAL.com/ccm_system/request failed with 0x8000000a.
  25. hmm... I may have it working... How would you test other than pushing a job? Here's a great walk through of the Certificates, now that I look at it, it seems to be for 2007, but I can't remember if I had another link... http://technet.micro...y/cc872789.aspx ClientLocation.log: Current Internet Management Point is cmsec.EXTERNAL.com with Version 0 and Capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities> Raising event (#1 of 1): instance of CCM_CcmHttp_Status { ClientID = "GUID:84A86C42-ADA3-4C30-9670-87BDBC3B16D8"; DateTime = "20120817203014.250000+000"; HostName = "cmsec.EXTERNAL.com"; HRESULT = "0x00000000"; ProcessID = 2376; StatusCode = 0; ThreadID = 3792; };