Its Matt - Posted October 12, 2012

I've got a new installation of SCCM 2012 that is going mostly well. This was a clean install, but I believe this environment may have tried SCCM 2007 at some point in the past, though unsuccessfully. I have a couple clients that are failing installation. They are all Windows XP. Here is a snippet of the ccmsetup.log.

    Current AD site of machine is HQ
    Local Machine is joined to an AD domain
    Current AD forest name is domain.local, domain name is domain.local
    DHCP entry points already initialized.
    Begin checking Alternate Network Configuration
    Finished checking Alternate Network Configuration
    Adapter {5A85755B-F909-4D9C-A46E-0BE51D804DD6} is DHCP enabled. Checking quarantine status.
    Sending message body '<ContentLocationRequest SchemaVersion="1.00">
      <AssignedSite SiteCode="AHI"/>
      <ClientPackage/>
      <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseInternetDP="0">
        <ADSite Name="HQ"/>
        <Forest Name="domain.local"/>
        <Domain Name="domain.local"/>
        <IPAddresses>
          <IPAddress SubnetAddress="10.0.1.0" Address="10.0.1.77"/>
        </IPAddresses>
      </ClientLocationInfo>
    </ContentLocationRequest>
    '
    Sending message header '<Msg SchemaVersion="1.1"><ID>{81019CDF-2B74-4089-93D1-A4C32BCA8C5E}</ID><SourceHost>CLIENTXP</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:CLIENTXP:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://SCCMserver.domain.local</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2012-10-12T15:06:44Z</SentTime><Body Type="ByteRange" Offset="0" Length="1082"/><Hooks><Hook3 Name="zlib-compress"/></Hooks><Payload Type="inline"/></Msg>'
    CCM_POST 'https://SCCMserver.domain.local/ccm_system/request'
    Begin searching client certificates based on Certificate Issuers
    Completed searching client certificates based on Certificate Issuers
    Begin to select client certificate
    The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.
    1 certificate(s) found in the 'MY' certificate store.
    Only one certificate present in the certificate store.
    Begin validation of Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local'
    Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local' doesn't have private key or caller doesn't have access to private key.
    Completed validation of Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local'
    GetSSLCertificateContext failed with error 0x87d00283
    GetHttpRequestObjects failed for verb: 'CCM_POST', url: 'https://SCCMserver.domain.local/ccm_system/request'
    GetDPLocations failed with error 0x87d00283
    Failed to find DP locations with error 0x87d00283, status code 200. Check next MP.
    Only one MP https://SCCMserver.domain.local is specified. Use it.
    Have already tried all MPs. Couldn't find DP locations.
    GET 'https://SCCMserver.domain.local/CCM_Client/ccmsetup.cab'
    Begin searching client certificates based on Certificate Issuers
    Completed searching client certificates based on Certificate Issuers
    Begin to select client certificate
    The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.
    1 certificate(s) found in the 'MY' certificate store.
    Only one certificate present in the certificate store.
    Begin validation of Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local'
    Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local' doesn't have private key or caller doesn't have access to private key.
    Completed validation of Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local'
    GetSSLCertificateContext failed with error 0x87d00283
    GetHttpRequestObjects failed for verb: 'GET', url: 'https://SCCMserver.domain.local/CCM_Client/ccmsetup.cab'
    DownloadFileByWinHTTP failed with error 0x87d00283
    CcmSetup failed with error code 0x87d00283

This should not be a boundary issue. I have defined all of my subnets as boundaries and joined them to a boundary group. This client is on the same subnet as many other clients that are working fine. The certificate is issued and the root CA is trusted. I have removed and rejoined this client to the domain. I have run winmgmt /resetrepository on this client.

I looked up the 0x87d00283 with net helpmsg and it returns:

    This version of Windows is not compatible with the behavior version of directory forest, domain or domain controller

This doesn't make any sense to me. My forest and domain function level is Windows 2008. These particular clients are Windows XP Professional SP3. I have many other WinXP SP3 clients working fine.

I've pretty well run out of ideas and would welcome any discussion on the subject that might help me in any way. Thanks for listening!

Tay - Posted October 12, 2012

Get rid of subnet boundaries and switch to IP.

Its Matt - Posted October 15, 2012

Is there a reason to switch to IP ranges vs subnets?

anyweb - Posted October 15, 2012

"Is there a reason to switch to IP ranges vs subnets?"

How about this - http://blog.configmgrftw.com/?p=343

Its Matt - Posted October 15, 2012

Ok that makes sense. I've made the changes to my boundaries. All subnets recreated as IP ranges and added to the same boundary groups that previously existed. I tried the install again and got the same failure code.

Rocket Man - Posted October 15, 2012

Have you tried basic troubleshooting like checking that you can browse to the admin shares of the problematic systems \\PCname\admin$ from the SCCM server, and also run wbemtest.exe to see if you can connect to the system's namespace this way?

Prior to setting up this installation of SCCM... did these systems already exist on the network? If they did, what you can try to do is delete the DNS record of these systems and reboot them to get a new fresh DNS record and then try the client install again.

Its Matt - Posted October 22, 2012

Rocket Man, thanks for the reply. I did not perform those checks before, but just did and am able to connect to Admin$ and query WMI of the client machine from the SCCM Management Point server. Yes, these machines did predate this implementation of SCCM.

alynch30 - Posted January 19, 2016

Hello! After 24 hours of headbanging trying to figure out this issue we finally found the fix, so I thought I'd share it. Note that only a handful of our Windows 2003 were having that issue.

The relevant line in your log is the following...

    Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local' doesn't have private key or caller doesn't have access to private key.

The local certificate store ACLs were set up incorrectly for some reason... Here is where they are located...

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

The private key for the certificate had no ACL whatsoever... Added full control for System and read for local administrators. After that CCMSetup ran successfully on our 3 problematic servers.

Thanks
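
The permission check described in the last post, as an added example that is not part of the original thread: a read-only PowerShell audit that lists key files under the MachineKeys path quoted there which lack Full Control for SYSTEM or Read for local Administrators. The parameter name, the helper function and the output columns are hypothetical, and the expected permissions are simply the ones the post reports applying.

```powershell
# Added example: read-only audit of machine RSA key-file ACLs.
# Default path is the Windows XP / Server 2003 location quoted in the thread.
param(
    [string]$KeyDir = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
)

# Well-known SIDs, so the check does not depend on localized account names.
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

# Hypothetical helper: true if an Allow rule grants $Sid every bit in $Needed.
function Test-Granted($Rules, [string]$Sid, [int]$Needed) {
    foreach ($r in $Rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $r.IdentityReference.Value -eq $Sid -and
            (([int]$r.FileSystemRights) -band $Needed) -eq $Needed) { return $true }
    }
    return $false
}

$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$read = [int][System.Security.AccessControl.FileSystemRights]::Read

Get-ChildItem -Path $KeyDir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $row = New-Object PSObject -Property @{
        KeyFile = $_.Name; Rules = $null; SystemFull = $false; AdminsRead = $false; Note = ''
    }
    try {
        $acl   = Get-Acl -Path $_.FullName -ErrorAction Stop
        # Resolve identities to SIDs; include explicit and inherited entries.
        $rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
        $row.Rules      = $rules.Count
        $row.SystemFull = Test-Granted $rules $SystemSid $full
        $row.AdminsRead = Test-Granted $rules $AdminsSid $read
        if ($rules.Count -eq 0) { $row.Note = 'empty ACL' }
    } catch {
        $row.Note = 'ACL not readable by this account'
    }
    $row
} | Where-Object { -not ($_.SystemFull -and $_.AdminsRead) } |   # keep only files missing a grant
    Select-Object KeyFile, Rules, SystemFull, AdminsRead, Note
```

Run it as a local administrator on the affected client; it changes nothing, and a flagged file is a candidate to compare with the failing certificate's key rather than proof of a fault.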