Multiple Site Issue - Seems Related, But Can't Find Solution

[BzowK]

Good Morning All / Niall -

 

About 2 weeks ago, I started at a new company as their primary for SCCM 2012. A couple of weeks prior, they had someone start installing 2012. Since I arrived, it hasn't worked properly and I've spent all of my time trying to fix it instead of building on it.

 

I've researched a ton, Googled all kinds of stuff, and had a couple of Microsoft calls. The worst part about fixing it is that it's a large company so I must submit tickets to get AD objects made / created as so forth. I can view it all, though. I truly think most of the issues we are having are related so am going to list the environment details as issues and hopefully get some suggestions.

 

Environment

• SCCM 2012 SP1 CU1
• x1 CAS Server - Running on Windows Server 2008 R2
• x1 Primary SCCM Server - Running on Windows Server 2012 / SQL 2012 (Upgraded to SP1 Post install)
• x20 Secondary Sites (Once done will be ~50) - Running Windows Server 2012 - Each at different physical locations with 500 -1500 clients each

Important Notes

• Prior to 2012 installation, 2007 was and still is being used. 2012 is being installed as a clean install - not a migration site by site. This makes me nervous since I don't know if 2007 and 2012 can coexist on same domain and share System Management container. Last weekend, a deployment was performed with 3/4 of the clients being deployed to by the 2007 and the rest the 2012 server - all on the same domain - supported config?
• The primary was originally installed onto 08R2 with SQL 08R2. The 2nd day I got here, it wouldn't boot. They ended up wiping it, then had me restore the site / site database backups to the new OS install in which they wanted to use Server 2012 / SQL 2012. No noticible errors during restore, though. They had many issues prior to this, though...

Accounts

There are two accounts that 2012 primarially uses:

• svcsmsadmin2012 - Full SQL Access / Heard it has all permissions needed
• svcclientinstall - Domain Admin Rights (i'm told) / Full SQL Access / Think this is also Network Access Account

 

Things Fixed Already

• Secondary Sites didn't have all pre-requisites installed. Don't know how they installed without them, but some didn't have BITS and others didn't even have Windows Authentication. Possible the roles were removed post install, but wouldn't know how
• Many minor things I can list if needed

 

Current Issues

Secondary Sites

I currently have 4 secondary sites which are failing to install. It's a combination of errors from the sites which appear often - not just a single server failure. Many of the errors appear on all of the failed servers. When creating a secondary, I install prereqs (except sql) and let SCCM push the rest. The service account and primary hostnames are local admins on the servers. Below is a list of these errors:

 

From Local Pre-Req Check

• ERROR: The logon account for the SQL Server service cannot be a local user account, NT SERVICE\<sql service name> or LOCAL SERVICE. You must configure the SQL Server service to use a valid domain account, NETWORK SERVICE, or LOCAL SYSTEM.

• WARNING: The installed SQL Server Express version on the secondary site is earlier than SQL Server 2008 R2 Service Pack 1 (version 10.51.2500.0). Upgrade SQL Server Express for the CONFIGMGRSEC instance and try again.· ERROR: Current SUM configuration uses virtual locations for some of the active SUPs. Please remove any virtual locations from the existing SUM configuration.

• ERROR: Either the user account running Configuration Manager Setup does not have sysadmin SQL Server role permissions on the SQL Server instance selected for site database installation, or the SQL Server instance could not be contacted to verify permissions. Setup cannot continue.

From Console

• [Failed]:Unable to complete secondary site server installation - check ConfigMgrSetup.log in the root of the secondary site server system drive

• [Failed]:Prerequisite checks complete with failure - check ConfigMgrPrereq.log in the root of the primary site server system drive

From Console Monitoring

The below error seems to be common on all of them - Checked System Management container and server hostname has full rights delegated. Strange thing is that this error appears on two secondary sites which are listed as fully active and at first glance seem to have no issues in console

• Configuration Manager cannot update the already existing object "cn=SMS-MP-L77-SECONDARYHOSTNAME.ABC.DOMAIN.COM" in Active Directory (abc.domain.com).

From ConfigMgrSetup.log in Root of Secondary

• ERROR: Failed to connect SQL Server SECONDARYHOSTNAME.ABC.DOMAIN.COM, Database CONFIGMGRSEC\master.
• Failed to connect HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL registry key for reading on SQL Server [sECONDARYHOSTNAME.ABC.DOMAIN.COM].
• WARNING: failed to retrieve port number for SECONDARYHOSTNAME.ABC.DOMAIN.COM\CONFIGMGRSEC
• Setup failed to install SQL Server Express. Secondary site installation cannot be completed. Refer to the SQL Server installation log at %Program Files%\Microsoft SQL Server\100\Setup Bootstrap\Log. (I looked and path didn't even exist)
• INFO: SQL Connection failed. Connection: SECONDARYHOSTNAME.ABC.DOMAIN.COM CONFIGMGRSEC\MASTER, Type: Unsecure

• WARN: DropSCCMOldLogins: Failed to get sql connection.

• ERROR: SQL Server error: [01000][53][Microsoft][ODBC SQL Server Driver][DBMSLPCN]ConnectionOpen (Connect()).

• From Smstsvc.log in Root

 

SQL Database Issue The Cause?

Yesterday, I also tried to install the Application Compatibility Toolkit as they want to run an assessment for an upcoming Windows 7 migration. During the configuration, I was prompted for the CM SQL Database info which runs on the primary server. I entered in the hostname, database name (CM_ABC), and credentials which I verified had sysadmin rights. Whenever I verified just those steps, it always returned "The database is not a calid ConfigMgr database."

 

Small Additional Question

I'm currently pushing clients to the secondaries (the ones which seem to be working.) In the site's client installation push properties, the SMSSITECODE is set to the primary's site code by default. I've been changing it to the site code of the secondary site. Which should it be set to or does it really matter as long as the client is getting policy?

 

I guess that should be enough info to hopefully give some clues as to what I've got going on (or not going on.) I personally belive it to be permissions related or maybe conflicting within the Systems Management container / schema. I welcome any suggestions.

 

Thanks All / Niall!

 

[anyweb]

hi ben,

have you tried deleting everything in the system management container in AD and see what get's re-populated ? (it should auto populate within an hour, or if you reboot the servers even quicker)

 

try that and see what happens