ConfigMgr 2012 R2 and managing clients in untrusted forest

I have read the documentation and I'm still not 100% sure what the possible limitations are in my situation. I have 2 AD forests without any trusts between them. I'm planning to deploy ConfigMgr 2012 R2 in forest A. I also have clients in forest B.
I need to deploy operating systems via PXE, applications, and Windows updates to clients in the untrusted forest. I'm also planning to support internet clients.

You can manage clients in untrusted forests. This blog is a good place to start:
http://blogs.technet.com/b/manageabilityguys/archive/2012/09/05/system-center-2012-configuration-manager-and-untrusted-forests.aspx
Managing internet clients is called IBCM (Internet Based Client Management). You can read about it here:
http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx
Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

Similar Messages

  • Scenario – Multi Tenant ConfigMgr 2012 R2 and Same IP Address range for multiple customer

    The service provider plans on managing customers' workstations/desktops via ConfigMgr 2012 R2 CU3, which is hosted at the service provider's network; however, the secondary site (MP/DP role) is hosted at the customer's physical location and on their network but
    not joined to the customer's domain. The service provider plans to have a one-way trust with each customer, initiated from the service provider to each customer, and to have a copy of the customer's DNS by way of an ADC hosted at the service provider's network.
    Now the challenge is that we might end up having plenty of customers who will have the same IP/subnet range, such as 192.168.1.x, and we wanted to know the impact/issues around deployment. We may have challenges defining boundaries/boundary groups for the same IP range
    or subnet for each customer because you can't have two boundaries with the same IP range or subnet. Also, since we have a one-way trust, we don't get the option to view the customer's AD Sites and Services...
    We are testing a scenario where we've defined the DNSSUFFIX on the CM client so the client knows which MP to talk to and the MP presents it with the nearest DP. This works out quite well where you've defined an IP boundary, but we haven't tested anything with two or more customers
    with the same IP range, hence we're not sure how the same IP/subnet range would work.
    We are wondering: if we DO NOT define any boundary or boundary group, so the client assumes it's on a slow or unreliable network, and we set the application's
    Deployment Option to "Download content from DP and run locally", will it still receive the application? I know this works in a workgroup scenario, but will this be a feasible option when dealing with multiple customers with the same IP range?
    Please note that we are not planning on publishing the MP or AD schema on the customer network, but since we have a one-way trust, we can do a discovery of the customer's AD forest.
    Thoughts?

    Wondering if we DO NOT define any boundary or boundary group so the client assumes it's on a slow or unreliable network and set the application's
    Deployment Option to "Download content from DP and run locally" and still receives the application – I know this works in a workgroup scenario but will this be a feasible option when dealing with multiple customers with the same IP range?
    This is a complex scenario which requires a lot of planning and even testing. Having no boundaries will work, but all DPs are treated as slow/remote then, and it's not possible to define which one will be used.
    Torsten Meringer | http://www.mssccmfaq.de

  • SCCM 2012 R2 Configuration Manager Client Package - stuck "In Progress"

    Hi Team, I'm having 2 issues with SCCM 2012 R2:
    Issue 1: I'm having a strange issue with the default XXX00002 package, "Configuration Manager Client Package":
    it will not deploy to the secondary site DP. The console is saying "In Progress"; below is the output from the
    distmgr.log file.
    ~Package BDC00002 does not have a preferred sender. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.443+240><thread=6032 (0x1790)>
    ~CDistributionSrcSQL::UpdateAvailableVersion PackageID=BDC00002, Version=1, Status=2301 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.444+240><thread=6032 (0x1790)>
    ~StoredPkgVersion (1) of package BDC00002. StoredPkgVersion in database is 1. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.462+240><thread=6032 (0x1790)>
    ~SourceVersion (1) of package BDC00002. SourceVersion in database is 1. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.462+240><thread=6032 (0x1790)>
    ~Package BDC00003 does not have a preferred sender. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.443+240><thread=6092 (0x17CC)>
    ~CDistributionSrcSQL::UpdateAvailableVersion PackageID=BDC00003, Version=1, Status=2301 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.464+240><thread=6092 (0x17CC)>
    STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=BBK-SCCM-PRI.bbk2310.com SITE=PRI PID=2768 TID=6032 GMTDATE=Mon Mar 17 20:00:23.476 2014
    ISTR0="Configuration Manager Client Package" ISTR1="BDC00002" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="BDC00002" 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.477+240><thread=6032 (0x1790)>
    StateTable::CState::Handle - (2301:1 2014-03-17 20:00:23.476+00:00) >> (0:0 2014-02-28 16:33:45.383+00:00) 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.484+240><thread=6032 (0x1790)>
    CStateMsgReporter::DeliverMessages - Queued message: TT=1401 TIDT=0 TID='8ACCAE01-5079-4FCD-A988-C1CD3004B698' SID=2301 MUF=0 PCNT=2, P1='PRI' P2='2014-03-17 20:00:23.476+00:00' P3='' P4=''
    P5=''  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.495+240><thread=6032 (0x1790)>
    ~StoredPkgVersion (1) of package BDC00003. StoredPkgVersion in database is 1. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.496+240><thread=6092 (0x17CC)>
    ~SourceVersion (1) of package BDC00003. SourceVersion in database is 1. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.497+240><thread=6092 (0x17CC)>
    STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=BBK-SCCM-PRI.bbk2310.com SITE=PRI PID=2768 TID=6092 GMTDATE=Mon Mar 17 20:00:23.510 2014
    ISTR0="Configuration Manager Client Upgrade Package" ISTR1="BDC00003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400
    AVAL0="BDC00003"  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.510+240><thread=6092 (0x17CC)>
    StateTable::CState::Handle - (2301:1 2014-03-17 20:00:23.510+00:00) >> (0:0 2014-02-28 16:33:45.383+00:00)
     $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.515+240><thread=6092 (0x17CC)>
    CStateMsgReporter::DeliverMessages - Queued message: TT=1401 TIDT=0 TID='8ACCAE01-5079-4FCD-A988-C1CD3004B698' SID=2301 MUF=0 PCNT=2, P1='PRI' P2='2014-03-17 20:00:23.510+00:00' P3='' P4=''
    P5=''  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.526+240><thread=6092 (0x17CC)>
    CStateMsgReporter::DeliverMessages - Created state message file: D:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\1sfb1dbj.SMX  
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.571+240><thread=6032 (0x1790)>
    Successfully send state change notification 8ACCAE01-5079-4FCD-A988-C1CD3004B698 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.572+240><thread=6032 (0x1790)>
    ~Exiting package processing thread. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.574+240><thread=6032 (0x1790)>
    CStateMsgReporter::DeliverMessages - Created state message file: D:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\abaibh8y.SMX  
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.637+240><thread=6092 (0x17CC)>
    Successfully send state change notification 8ACCAE01-5079-4FCD-A988-C1CD3004B698 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.683+240><thread=6092 (0x17CC)>
    ~Exiting package processing thread. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.685+240><thread=6092 (0x17CC)>
    Sleep 30 minutes... 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:26.886+240><thread=2936 (0xB78)>
    ~Used 0 out of 3 allowed processing threads. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:27.948+240><thread=4900 (0x1324)>
    ~Sleep 3600 seconds... 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:27.950+240><thread=4900 (0x1324)>
    Sleep 30 minutes... 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:31.934+240><thread=2936 (0xB78)>
    ~Used 0 out of 3 allowed processing threads. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:33.021+240><thread=4900 (0x1324)>
    ~Sleep 3600 seconds... 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:33.023+240><thread=4900 (0x1324)>
    ~Used 0 out of 3 allowed processing threads. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:38.108+240><thread=4900 (0x1324)>
    ~Sleep 3600 seconds... 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:38.111+240><thread=4900 (0x1324)>
    Sleeping for 60 minutes before content cleanup task starts.~ 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:06:28.094+240><thread=4968 (0x1368)>
    Sleep 30 minutes... 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:30:52.271+240><thread=2936 (0xB78)>
    Sleep 30 minutes... 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 17:01:10.002+240><thread=2936 (0xB78)>
    ~Used 0 out of 3 allowed processing threads. 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 17:01:10.977+240><thread=4900 (0x1324)>
    ~Sleep 3600 seconds... 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 17:01:10.979+240><thread=4900 (0x1324)>
    Sleeping for 60 minutes before content cleanup task starts.~ 
    $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 17:06:55.337+240><thread=4968 (0x1368)>
    Issue 2: I'm trying to deploy a couple of packages/applications using SCCM 2012 R2 running on Win2K8 R2 with no luck. I could install the packages
    on a test VM in the DataCenter site, but when trying to deploy the packages to a production PC in the Office site,
    the package deployment compliance status is stuck at 0%.
    Infrastructure:
    3 SCCM servers: CAS, PRI & SEC. Both CAS and PRI are in the DataCenter site, and SEC is in the Office site. The Office site has several IP subnets.
    Boundaries are configured through Forest Discovery ("IP Ranges and AD Sites"), since the AD site should contain all of its IP subnets. Boundary groups are also configured, and a site reference
    server is configured for each group respectively.
    An OU-based collection has been configured that contains the 13 PCs on which the packages should be installed.
    The packages/applications are configured correctly, since I could successfully deploy them to the test VM, which is on the same subnet as the CAS and PRI servers (the DataCenter subnet). The issue
    is that I can't deploy the packages to production PCs in the Office subnet!
    Firewall rules are configured and applied via GP, and I even turned Windows Firewall off, and still nothing! I tried to manually initiate a computer policy download via the SCCM GUI and via a script, still no luck!
    I tried configuring IP subnet boundaries, still no luck!!
    Here are the last 2 lines in the LocationServices.log of a client PC at the Office site:
    <![LOG[MPLIST requests are throttled for 00:00:44]LOG]!><time="14:47:00.766+240" date="03-17-2014" component="LocationServices" context="" type="2" thread="5776"
    file="lssecurity.cpp:4528"> <![LOG[Current AD site of machine is Default-First-Site-Name]LOG]!><time="14:47:00.777+240" date="03-17-2014" component="LocationServices" context="" type="1"
    thread="4884" file="lsad.cpp:770">
    And here are the last 4 lines in the ClientLocation.log:
    <![LOG[Rotating assigned management point, new management point [1] is: BBK-SCCM-PRI.bbk2310.com (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState"
    Value="0"/></Capabilities>]LOG]!><time="14:49:04.880+240" date="03-17-2014" component="ClientLocation" context="" type="1" thread="3600" file="lsad.cpp:6311">
    <![LOG[Assigned MP changed from <BBK-SCCM-PRI.bbk2310.com> to <BBK-SCCM-PRI.bbk2310.com>.]LOG]!><time="14:49:04.891+240" date="03-17-2014" component="ClientLocation" context="" type="1"
    thread="3600" file="lsad.cpp:1532"> <![LOG[Rotating proxy management point, new management point [1] is: BBK-SCCM-SEC.bbk2310.com (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState"
    Value="0"/></Capabilities>]LOG]!><time="14:49:05.345+240" date="03-17-2014" component="ClientLocation" context="" type="1" thread="3600" file="lsad.cpp:6374">
    <![LOG[Rotating local management point, new management point [1] is: BBK-SCCM-SEC.bbk2310.com (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="14:49:05.786+240"
    date="03-17-2014" component="ClientLocation" context="" type="1" thread="3600" file="lsad.cpp:6436">
    It looks like clients in the Office site can't connect to the DP/MP of the secondary site server, which is also a DP.
    While on the PC that the application was installed on, I see the following in the LocationServices.log:
    <![LOG[Distribution Point='http://BBK-SCCM-PRI.bbk2310.com/SMS_DP_SMSPKG$/Content_69547d2a-339f-4ac4-9523-238c79ff8a52.1', Locality='LOCAL', DPType='SERVER', Version='7958', Capabilities='<Capabilities SchemaVersion="1.0"><Property
    Name="SSLState" Value="0"/></Capabilities>', Signature='http://BBK-SCCM-PRI.bbk2310.com/SMS_DP_SMSSIG$/Content_69547d2a-339f-4ac4-9523-238c79ff8a52.1.tar', ForestTrust='TRUE',]LOG]!><time="14:42:59.506+240"
    date="03-17-2014" component="LocationServices" context="" type="1" thread="224" file="lsutils.cpp:415"> <![LOG[Calling back with locations for location request {144620BC-4BF0-4878-9554-F67D305ECCF8}]LOG]!><time="14:42:59.522+240"
    date="03-17-2014" component="LocationServices" context="" type="1" thread="224" file="replylocationsendpoint.cpp:220">
    Is there something wrong with the Distribution point on the Secondary Site server?
    Please help…
    Thanks..

    Update:
    I fixed the issue with the default XXX00002 package, "Configuration Manager Client Package", which would not deploy to the secondary site DP. I did that through the "Update Distribution Points" option, and after a while the status was 100%.
    However, the second issue is still unsolved...
    Please help..
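As an added, stand-alone example (not from the poster and not a Microsoft tool), here is a Python parser for the two ConfigMgr log formats quoted in this thread: the CMTrace `<![LOG[...]LOG]!>` entries from the client logs and the `$$<COMPONENT><date time><thread=...>` trailer used by site-server logs such as distmgr.log. Besides parsing, it flags warning/error entries and any management point the client selects whose advertised SSLState is 0 (plain HTTP, as in the ClientLocation.log lines above), which is worth seeing when reviewing a client that cannot reach its MP. The log lines embedded in the block are constructed for the example and the hostnames are made up.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Client-side CMTrace format (LocationServices.log, ClientLocation.log, ...):
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">
# DOTALL lets a message span line breaks, which happens when long entries are wrapped on copy/paste.
CLIENT_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)
# Site-server format (distmgr.log and friends): one entry per line, trailer after "$$".
#   message  $$<COMPONENT><MM-DD-YYYY HH:MM:SS.mmm+zzz><thread=N (0xHEX)>
SITE_RE = re.compile(
    r'(?P<msg>[^\n]*?)\s*\$\$<(?P<component>[^>]+)>'
    r'<(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>[^>]+)><thread=(?P<thread>\d+)[^>]*>'
)
TYPE_NAMES = {"1": "info", "2": "warning", "3": "error"}   # CMTrace "type" attribute
MP_RE = re.compile(r'new management point \[\d+\] is: (?P<host>\S+) \(\d+\)')
SSL_RE = re.compile(r'Property Name="SSLState"\s+Value="(?P<state>\d+)"')


@dataclass
class Entry:
    date: str
    time: str
    component: str
    level: str        # info/warning/error for client logs; site-server logs carry no type field
    thread: str
    message: str


def parse_cm_log(text: str) -> list[Entry]:
    """Parse every entry in either ConfigMgr log format, returned in file order."""
    found = []
    for m in CLIENT_RE.finditer(text):
        found.append((m.start(), Entry(m["date"], m["time"], m["component"],
                                        TYPE_NAMES.get(m["type"], "unknown"), m["thread"],
                                        " ".join(m["msg"].split()))))
    for m in SITE_RE.finditer(text):
        # Site logs mark line ends with "~"; strip it along with surrounding whitespace.
        found.append((m.start(), Entry(m["date"], m["time"], m["component"], "info",
                                        m["thread"], m["msg"].strip().strip("~").strip())))
    return [e for _, e in sorted(found, key=lambda t: t[0])]


def findings(entries: list[Entry]) -> list[str]:
    """Surface what a reviewer wants: warnings/errors, and MP selections where the
    advertised SSLState is 0, i.e. the client is talking plain HTTP to that MP."""
    out = []
    for e in entries:
        if e.level in ("warning", "error"):
            out.append(f"{e.level}: [{e.component}] {e.message}")
        mp, ssl = MP_RE.search(e.message), SSL_RE.search(e.message)
        if mp and ssl and ssl["state"] == "0":
            out.append(f"plain-http-mp: {mp['host']} advertises SSLState=0")
    return out


# Constructed sample (hostnames and package IDs invented), modeled on distmgr.log,
# LocationServices.log and ClientLocation.log output; one client entry is wrapped mid-message.
SAMPLE = '''~Package ABC00002 does not have a preferred sender.  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.443+240><thread=6032 (0x1790)>
Sleeping for 60 minutes before content cleanup task starts.~  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:06:28.094+240><thread=4968 (0x1368)>
<![LOG[MPLIST requests are throttled for 00:00:44]LOG]!><time="14:47:00.766+240" date="03-17-2014" component="LocationServices" context="" type="2" thread="5776" file="lssecurity.cpp:4528">
<![LOG[Current AD site of machine is Default-First-Site-Name]LOG]!><time="14:47:00.777+240" date="03-17-2014" component="LocationServices" context="" type="1" thread="4884" file="lsad.cpp:770">
<![LOG[Rotating assigned management point, new management point [1] is: mp01.corp.example (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState"
Value="0"/></Capabilities>]LOG]!><time="14:49:04.880+240" date="03-17-2014" component="ClientLocation" context="" type="1" thread="3600" file="lsad.cpp:6311">
<![LOG[Rotating proxy management point, new management point [1] is: mp02.corp.example (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="31"/></Capabilities>]LOG]!><time="14:49:05.345+240" date="03-17-2014" component="ClientLocation" context="" type="1" thread="3600" file="lsad.cpp:6374">
'''

if __name__ == "__main__":
    for line in findings(parse_cm_log(SAMPLE)):
        print(line)
```

Feed `parse_cm_log()` the text of a real log and run `findings()` on the result; entries that were wrapped across lines when pasted, as in the logs above, are still matched because the message group is allowed to span newlines.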

  • SCCM 2012 Design and Management

    I'll preface this by saying I don't have much experience beyond setting up a stand-alone primary site for SCCM 2012.
    Here's the situation:
    1. Central office in LA, CA with smaller offices in Texas and in SF (totaling about 4k clients)
    a. Fast 10G link to TX
    b. Slow link to SF
    2. Korea office with 500 clients (slow link)
    3. Europe office with 1500 clients (slow link)
    4. Local IT staff managing systems and software deployment in each location.
    5. Central office would like oversight and management of other regions.
    If anyone could provide suggestions on hierarchy design, that would be appreciated.
    Originally I was going to set up a CAS and a primary site in the US (DPs for SF and TX), and 2 other primary sites for the KR and EU regions (remote DPs and whatnot for the smaller branches within). IT staff for each region would manage their own primary. But this
    apparently isn't ideal.
    My question is how a stand-alone primary design would work in this instance. And if the primary resides in the US, would administrative users have to use the console to access the primary over the slow WAN link?
    I think my confusion in design comes from whether the regional admins need direct access to the primary site or not.
    Thanks, and please excuse my ignorance.

    I'm not sure what the internet cloud is there for. Your LA primary should be in that spot; remember those servers all need to be able to communicate with the primary, usually on the same domain. If what you meant by that "internet" cloud
    was really "our internal company WAN links", then OK. By that I mean... I presume in SF, KR, EU... there are domain controllers servicing those locations? Then it's sorta similar to CM12.
    If you really *do* mean the internet is how those locations are linked, with no domain trusts, then what you may be looking at is PKI certificates and internet-based client management. And/or possibly consider leveraging Intune for those clients.
    Regarding console usage: either publish the console via Citrix, or publish the console as a TS app. I.e., publish the console from Citrix via a Citrix server in the same datacenter as the LA primary, and everyone uses that console (if they need to
    use the console).
    FYI/off topic... my opinion: "helpdesk" type personnel have no need to be in the console, nor does anyone who simply needs to run reports.
    Standardize. Simplify. Automate.
    Correct, internal WAN links, all computers are domain joined. We will eventually move to internet management too, but that seems to be something we'll tackle later down the road.
    I will need to check with the other admins to see what kind of VDI we have in place.
    Console access is for other admins to create/modify collections for their region, deploy software, etc. The console itself won't be made available to helpdesk/service desk.
    Response to edit:
    - Correct, TX will only have a DP on a "site server" (not a secondary site).
    - The link to SF would be 1GB, and change to 10GB once they move into a permanent location. In my diagram they would also just receive a DP.
    Edit 2: OK, my vocab is off; when I put "site server" in the diagram I really mean "site system server".

  • ConfigMgr 2012 R2 and SQL Collation

    I am planning to install a new ConfigMgr 2012 R2 server and use SQL Server 2012 SP2.
    Does ConfigMgr 2012 R2 already support other SQL Collations than "SQL_Latin1_General_CP1_CI_AS"?
    In other System Center 2012 R2 products "SQL_* collations are being deprecated for their Windows equivalents" according to
    http://technet.microsoft.com/library/dn281933.aspx

    Generally speaking, no. There are two exceptions for use in China, see also:
    http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLSrvReq
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Identifying and managing clients in nonblocking NIO socket programming

    Here's my beef. When I write a server using a thread for every new connection that comes in, I can remember everything for each client in its respective thread. I can have a table entry in a MySQL database for each client, which each thread can look up by a remembered id. I can direct packets from a different application to a specific client by passing a message to the thread associated with the client. But, in this implementation, the client-server setup will need to have a master-slave relationship where one is always reading, and can talk on the network only in response.
    I like the NIO selector way of doing things, but I do not get a memory method to deal with specific clients. How do I, for example,
    direct packets to a specific client?
    recognize incoming packet info and make sense of its context in relation to past messages to and from the same client?
    maintain a one-to-one correspondence between a MySQL database table entry and a specific client?
    Could somebody explain to me how I can maintain a client environment, and a client state machine with memory?
    Thanks
    Anil

    cloud9ine wrote:
    Here's my beef. When I write a server using a thread for every new connection that comes in, I can remember everything for each client in its respective thread. I can have a table entry in a MySQL database for each client, which each thread can look up by a remembered id. I can direct packets from a different application to a specific client by passing a message to the thread associated with the client. But, in this implementation, the client-server setup will need to have a master-slave relationship where one is always reading, and can talk on the network only in response.
    I like the NIO selector way of doing things, but I do not get a memory method to deal with specific clients. How do I, for example,
    direct packets to a specific client?
    recognize incoming packet info and make sense of its context in relation to past messages to and from the same client?
    maintain a one-to-one correspondence between a MySQL database table entry and a specific client?
    Could somebody explain to me how I can maintain a client environment, and a client state machine with memory?
    Thanks
    Anil
    You will use select() and SelectionKey when you deal with NIO. The SelectionKey has an attach method that you can use to associate the client with something, e.g. a session. Your Session class can contain all that you now have in your thread.
    Kaj
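To make the attach() idea concrete, here is an added example in Python (not Anil's or Kaj's code) built on the standard `selectors` module, whose `register(fileobj, events, data=...)` plays the role of `SelectionKey.attach()`: the `data` object comes back with the key every time that socket is ready. The `Session` class is a constructed stand-in for the state the thread-per-client design kept (a database row id, a receive buffer, message history), `by_id` gives directed sends to one chosen client, and a cap on the unterminated buffer stops a single client from growing the server's memory without bound. The demo drives two clients through `socket.socketpair()` so it runs offline.

```python
from __future__ import annotations
import selectors
import socket
from dataclasses import dataclass, field

MAX_PENDING = 64 * 1024   # bytes a client may buffer without a newline before it is dropped


@dataclass
class Session:
    """Per-client state attached to the selector key (what SelectionKey.attach() holds in Java).
    db_id stands in for the client's row id in a database table (constructed for the example)."""
    client_id: int
    db_id: int
    inbuf: bytes = b""
    messages_seen: int = 0
    history: list = field(default_factory=list)


class SelectorServer:
    def __init__(self) -> None:
        self.sel = selectors.DefaultSelector()
        self.by_id: dict[int, selectors.SelectorKey] = {}   # client_id -> key, for directed sends
        self._next_id = 1

    def accept(self, conn: socket.socket, db_id: int) -> int:
        """Register an accepted connection and attach a fresh Session to it."""
        conn.setblocking(False)
        cid, self._next_id = self._next_id, self._next_id + 1
        self.by_id[cid] = self.sel.register(conn, selectors.EVENT_READ, data=Session(cid, db_id))
        return cid

    def service_once(self, timeout: float = 0.1) -> list[tuple[int, bytes]]:
        """One pass over readable sockets; returns (client_id, line) for each complete line."""
        delivered = []
        for key, _events in self.sel.select(timeout):
            sess: Session = key.data                  # the attachment tells us who this is
            try:
                chunk = key.fileobj.recv(4096)
            except BlockingIOError:
                continue
            if not chunk:                             # peer closed
                self.close(sess.client_id)
                continue
            sess.inbuf += chunk
            while b"\n" in sess.inbuf:
                line, sess.inbuf = sess.inbuf.split(b"\n", 1)
                sess.messages_seen += 1
                sess.history.append(line)             # context for interpreting later packets
                delivered.append((sess.client_id, line))
            if len(sess.inbuf) > MAX_PENDING:         # never let one client hold unbounded buffer
                self.close(sess.client_id)
        return delivered

    def send_to(self, client_id: int, payload: bytes) -> bool:
        """Directed send: look the client up by id and write to its socket."""
        key = self.by_id.get(client_id)
        if key is None:
            return False
        key.fileobj.sendall(payload)
        return True

    def session(self, client_id: int) -> Session:
        return self.by_id[client_id].data

    def close(self, client_id: int) -> None:
        key = self.by_id.pop(client_id, None)
        if key is not None:
            self.sel.unregister(key.fileobj)
            key.fileobj.close()


def demo() -> dict:
    """Two in-process clients over socketpair (constructed input; no network needed)."""
    srv = SelectorServer()
    a_cli, a_srv = socket.socketpair()
    b_cli, b_srv = socket.socketpair()
    ida = srv.accept(a_srv, db_id=101)
    idb = srv.accept(b_srv, db_id=202)
    a_cli.sendall(b"hello\nsecond\n")
    b_cli.sendall(b"ping\n")
    got = srv.service_once()
    srv.send_to(idb, b"pong\n")                       # the reply reaches client B only
    reply = b_cli.recv(64)
    result = {
        "received": sorted(got),
        "a_seen": srv.session(ida).messages_seen,
        "b_seen": srv.session(idb).messages_seen,
        "a_db": srv.session(ida).db_id,
        "b_reply": reply,
        "unknown_send": srv.send_to(999, b"x"),
    }
    for s in (a_cli, b_cli):
        s.close()
    srv.close(ida)
    srv.close(idb)
    return result


if __name__ == "__main__":
    print(demo())
```

The Java shape is the same: keep the `Session` as the key's attachment, keep a `Map<Integer, SelectionKey>` for directed writes, and make the accept loop the only place a new attachment is created.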

  • SCCM 2012 R2 - Install MP in the Untrust forest How to???

    Hello, my customer wants to install an MP in an untrusted forest...
    1- I have added the forest in the Add Forest menu
    2- I have set the client push installation option
    3- The sccmadmin account was created in the untrusted forest with the same password
    4- But the AD says connection error with the untrusted forest.
    5- What are the right steps to accomplish this installation?

    Extending the AD schema is not a requirement, unless you are using Network Access Protection; see also:
    http://technet.microsoft.com/en-us/library/gg712272.aspx
    I don't know what errors you get, but also make sure that the site is not trying to publish information to that AD. That could cause errors if the AD schema is not extended.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • ConfigMgr 2012 R2 and DMZ Questions

    I am working with a client whose security team has been a challenge. They do not want to open any of the RPC dynamic range ports needed for communication between certain roles on the primary site server and a server they want set up in one of their
    DMZs.
    They have a domain in the DMZ and all devices are members of that domain. We successfully set up a management point but can't publish since the ports from the primary site server to a DC in the DMZ are not open. We placed a DNS service locator
    record in the DMZ, and when we manually install the clients we add the DNSSUFFIX and point to the MP in the DMZ. The clients are reporting at this point. However, they are not getting any software updates since the DP can't install and we don't allow
    failover to any other DP.
    The client has said that there have to be other solutions. The solution we are using isn't best practice, I know that.
    I guess there are three solutions here, correct?
    1. Open DMZ site ports for clients to communicate only to the ConfigMgr server. (Not secure)
    2. Keep the current design of MP/DP/SUP in the DMZ?
    3. Put a secondary site in the DMZ?
    I have two questions about 2 and 3. Why should we add the SUP? Shouldn't the client talk to the management point, and the management point send the request to the SUP on the ConfigMgr server? So can't we ditch that extra SUP?
    Also, even if we put a secondary site in the DMZ, we will still run into port issues since the client is refusing to open RPC dynamic port ranges?
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

    Yes, 3 is out ConfigMgr-wise.
    I would not call 1 insecure though. Open ports are not insecure; that's a myth perpetuated by those who don't know what a port is. Network security is about controlling the traffic and securing the endpoints. Ultimately, that may be a battle you won't win
    though, because of political reasons and the perpetuation of myths in network security and the purpose of DMZs.
    Option 2 is what most/nearly all folks go with. If one port is open, you may as well open them all, because security-wise there is no true difference, so any resistance here is ignorance. As long as the traffic is confined to a single endpoint, the port it's
    using makes no difference, and the level of security comes down to, as mentioned, the security posture and controls in place on that endpoint itself -- who cares that the traffic has a data field set to 80 or 443 or 1024 as long as the target is well controlled, "secured", and
    monitored.
    There ultimately aren't any other ways (besides 1 and 2) to accomplish this using only ConfigMgr proper. The ports required are well documented on TechNet, so there's no magic to make these go away.
    Another architectural solution, however, is to use a reverse proxy. This is a twist on choice 1, except that all client traffic passes through the reverse proxy instead to reach the internal site systems.
    Jason | http://blog.configmgrftw.com

  • SCCM 2012, WMI, and SCCM Clients

    I have SCCM 2012 R2 CU2. I know that WMI has to be working for SCCM to be fully functional. I've done some reading on what I'm about to ask, but I'd like to get some clarification on these points as I'm not totally clear on a few things:
    1) If, when using wbemtest, you discover there is no WMI connectivity between the DCs and site server to/from a client, including a non-domain-member client, will the SCCM client install on that client machine?
    2) After the SCCM client is installed on a client machine, how essential is WMI connectivity to that SCCM client functioning?
    3) What parts of SCCM use WMI?
    4) What permissions, including within DCOM, are needed for WMI to work with SCCM?
    Thanks.
    Ben Johnson WY

    <...>
    I'm now back to getting that 0x80070427 error. That error code is also on another server (with the same software and main functionality) that's on another domain, but for now we'll stick with the server we've been talking about.
    <...>
    So the root question is, what is causing that 0x80070427? There's almost zilch on that error code on the internet.
    cmtrace is your friend :)
    Open cmtrace, press CTRL+L and paste in the error/HRESULT:
    Lookup: 0x80070427
    Result: The service process could not connect to the service controller.
    Source: Windows
    Note that ConfigMgr relies heavily on non-ConfigMgr components, i.e. Windows base services/features. If those base services/features are misconfigured / disabled / broken, ConfigMgr *will* be impacted.
    In this case, the "Source: Windows" tells us that a Windows component is throwing the error.
    There should be additional/further detail/information available for this event in the log. Research that.
    The logs on the client will probably need to be examined, including the Windows event logs, to see why the service and service controller are throwing this error. If it's happening on two servers, and those servers both have "the same software
    and main functionality", I'd be immediately suspicious of that software/function; perhaps that software is the cause of the service/controller issue.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
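The CMTrace lookup above is decoding an HRESULT. As an added example (not Don's, and not how CMTrace itself is implemented), the following Python splits an HRESULT into its severity bit, facility and code fields, maps facility 7 (FACILITY_WIN32) back to the Win32 error code, and converts the other way with the HRESULT_FROM_WIN32 rule, so a code from a Windows event log can be matched against one seen in a ConfigMgr log. The message table is a small constructed subset of the Win32 system error text; on a Windows host `ctypes.FormatError(code)` returns the full text for any code.

```python
# HRESULT layout: bit 31 = severity (1 = failure), bits 16-26 = facility (11 bits), bits 0-15 = code.
# Only a few well-known facility numbers are listed here.
FACILITIES = {
    0: "NULL", 1: "RPC", 2: "DISPATCH", 3: "STORAGE", 4: "ITF",
    7: "WIN32", 8: "WINDOWS", 9: "SECURITY",
}
FACILITY_WIN32 = 7

# Partial, constructed table of Win32 system error codes (CMTrace shows these as "Source: Windows").
WIN32_MESSAGES = {
    5: "Access is denied.",
    1053: "The service did not respond to the start or control request in a timely fashion.",
    1060: "The specified service does not exist as an installed service.",
    1063: "The service process could not connect to the service controller.",
}


def parse_hresult(value) -> int:
    """Accept an unsigned int, a signed .NET/COM-style int, or a '0x...' string; return it as uint32."""
    if isinstance(value, str):
        value = value.strip()
        value = int(value, 16) if value.lower().startswith("0x") else int(value)
    return value & 0xFFFFFFFF


def decode_hresult(value) -> dict:
    """Break an HRESULT into its fields and, for FACILITY_WIN32, look up the Win32 message."""
    hr = parse_hresult(value)
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    info = {
        "hresult": f"0x{hr:08X}",
        "failed": bool(hr & 0x80000000),
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "UNKNOWN"),
        "code": code,
        "message": None,
    }
    if facility == FACILITY_WIN32:
        info["message"] = WIN32_MESSAGES.get(code, f"Win32 error {code} (not in local table)")
    return info


def hresult_from_win32(code: int) -> int:
    """The HRESULT_FROM_WIN32 macro: non-positive values are already HRESULTs, else wrap as a
    failure in FACILITY_WIN32. Lets an event-log code be compared with a ConfigMgr log HRESULT."""
    if code <= 0:
        return code & 0xFFFFFFFF
    return (code & 0xFFFF) | (FACILITY_WIN32 << 16) | 0x80000000


def describe(value) -> str:
    """One-line summary in the same spirit as the CMTrace lookup window."""
    d = decode_hresult(value)
    status = "failure" if d["failed"] else "success"
    msg = d["message"] or "no message for this facility in the local table"
    return f'{d["hresult"]} ({status}, facility {d["facility_name"]}, code {d["code"]}): {msg}'


if __name__ == "__main__":
    print(describe("0x80070427"))
```

A signed value such as -2147023833, which is how .NET and COM report the same error, decodes to the same 0x80070427, so the decoder accepts both forms.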

  • Question on Untrusted Forest and Roles Required.

    Hi, I need some help understanding untrusted forests and system roles.
    All my untrusted forests are well connected to each other; they are all in the same data center, for that matter.
    Is at least 1 site system role (MP?) required in an untrusted forest to manage the clients in each untrusted forest from the primary?
    I read this blog here:
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/
    But one of the readers posted at the bottom of the blog that it is not supported, referencing TechNet.

    More info:
    Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation
    http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx 

  • Managed Clients Printers and wrong Printernames

    Hi,
    We have managed clients and assign printers through the WGM.
    If, for example, the client uses the "ad dept" printer, the printer name in the Dock while it is printing says "finance dept", but it prints to the correct printer.
    I have spoken with other admins that also use WGM and managed clients/printers, and they have the same situation.
    Again: the destination is right, but the name of the printer in the Dock is wrong.
    I looked in the detail view in WGM and found nothing irregular.
    Is there a way to handle this?
    Regards,
    Oliver

    We had a weird problem with HP printers giving the wrong names... we had to change the printer's mDNS name. Dunno if this helps.

  • Managing untrusted forest

    Hi All,
    We currently have the following configuration with SCCM 2012 R2 CU4:
    Same forest, same domain (2 x 2 DCs + AD DNS)
     + Primary site server with 300 clients (MP, DP, SUP, SDB, SS, FSP, RSP)
     + Secondary site server with 300 clients (MP, DP, SUP, SDB, SS)
    Distinct untrusted forest (2 DCs + AD DNS)
     + 15 clients
    What's the best configuration to manage the untrusted forest? I already checked the following link (http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx).
    What are the communication port requirements? clients + site system <-> primary site
    Can we prevent the untrusted clients from accessing the primary/secondary site servers?
    We plan to add a site system to the primary site in the remote untrusted forest with MP, DP, SUP roles.
    (AFAIK a secondary site needs trusts, which is not permitted.)
    We need inventory, software distribution, and Windows updates features in the untrusted forest.
    Link between primary and secondary site is ~16Mb/s
    Link between primary and untrusted forest is about ~16Mb/s
    Link between secondary site and untrusted forest is about ~1Gb/s
    Thanks a lot!

    The ports used by ConfigMgr are well explained here:
    https://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_CommunicationPorts
    In addition, be aware that for discovering computers in an untrusted forest you need to open port 53 (DNS) between the SCCM server and the remote DC (in the untrusted forest) OR create a secondary DNS zone for the untrusted forest in your DNS.
    Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

  • Untrusted forest and right click tools

    I just installed Right Click Tools and it's really a great tool. We manage clients in an untrusted AD forest, and Right Click Tools doesn't work for them because of authentication problems. Does anyone know whether there is something that can be done to bypass
    this limitation?

    Remember, the right-click tools are simply scripts that run in the context of the current user logged into the console and connect directly to the clients to perform their work. They are not part of ConfigMgr and do not use the ConfigMgr infrastructure
    to communicate (because the ConfigMgr infrastructure never ever connects to client agents). Thus, everything the right-click tools do is subject to the normal restrictions for connecting to a remote system, including authentication and authorization. And thus,
    the account you are using must have the proper privileges and permissions on the target client system.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Domain Join to a specific OU based on Computer Name - ConfigMgr 2012 R2 / MDT 2013

    Hi all,
    I need to build an OS deployment task sequence with ConfigMgr 2012 R2 and MDT 2013. My requirement is to be able to join a computer based on its computer name. There are three types of computers: Sales, Marketing and Technical. Based on the prefix of the
    computer name I need to place them in 3 different OUs. Computer names would be SAL1100, MKT1100 or TEC1100; I would like to refer to the first three characters of the computer name and then decide which OU they need to be allocated to.
    I would appreciate it if someone could tell me how I can do this within my task sequence.

    I don't think you can accomplish this by using conditions. Instead I'd use the script that Jörgen provided. Here's an edit of that so that it would suit your environment requirements of the first 3 characters of the OSDComputerName:
    ' Read the task sequence environment and the computer name set earlier in the TS
    Set env = CreateObject("Microsoft.SMS.TSEnvironment")
    sComputerName = env("OSDComputerName")
    ' Decide the OU from the upper-cased first three characters of the name
    threeChars = UCase(Left(sComputerName,3))
    sBuiltOU = "NOT_set!"
    If threeChars = "ABC" Then
        sBuiltOU = "LDAP://OU=ABC,OU=Computers,DC=DOMAIN,DC=COM"
    ElseIf threeChars = "DEF" Then
        sBuiltOU = "LDAP://OU=DEF,OU=Computers,DC=DOMAIN,DC=COM"
    ElseIf threeChars = "GHI" Then
        sBuiltOU = "LDAP://OU=GHI,OU=Computers,DC=DOMAIN,DC=COM"
    End If
    ' Apply Windows Settings reads OSDDomainOUName when it joins the domain
    env("OSDDomainOUName") = sBuiltOU
    WScript.Quit
    Save this as 'SetOU.vbs' and create a package in ConfigMgr where you specify the source content to the location where you placed the script file. As Jason described, put a Run Command Line step right before Apply Windows Settings, use 'cscript.exe SetOU.vbs'
    as the command line and point to the package you created. This script assumes that the OSDComputerName variable is already properly populated with the correct computer name.
    Regards,
    Nickolaj Andersen | www.scconfigmgr.com | @Nickolaja
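    The same prefix-to-OU step written as a table-driven PowerShell script, as an added example that is not Nickolaj's or Jörgen's code. It generalizes the approach above: the mapping is a hashtable, so adding a fourth prefix is one line, and a name that matches no prefix goes to an explicit fallback OU instead of an unset variable. The OU distinguished names, the prefixes SAL/MKT/TEC from the question and the fallback OU are assumptions; the Microsoft.SMS.TSEnvironment COM object and the OSDComputerName / OSDDomainOUName variables are the ones the post above already uses.

```powershell
# Added example (not from the original post): table-driven OU selection for an
# MDT/ConfigMgr task sequence. The prefix-to-OU mapping, the OU DNs and the
# fallback OU are assumptions; replace them with your own values.

$PrefixToOU = @{
    'SAL' = 'LDAP://OU=Sales,OU=Computers,DC=DOMAIN,DC=COM'
    'MKT' = 'LDAP://OU=Marketing,OU=Computers,DC=DOMAIN,DC=COM'
    'TEC' = 'LDAP://OU=Technical,OU=Computers,DC=DOMAIN,DC=COM'
}

# Where a machine lands when no prefix matches (assumed). A dedicated OU with
# restrictive GPOs is safer than silently using the domain default container.
$FallbackOU = 'LDAP://OU=Unclassified,OU=Computers,DC=DOMAIN,DC=COM'

function Get-OUForComputerName {
    param([Parameter(Mandatory)][string]$ComputerName)
    if ($ComputerName.Length -lt 3) { return $FallbackOU }
    $prefix = $ComputerName.Substring(0, 3).ToUpperInvariant()
    if ($PrefixToOU.ContainsKey($prefix)) { return $PrefixToOU[$prefix] }
    return $FallbackOU
}

# The COM object only exists while a task sequence is running.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
} catch {
    Write-Error "Not running inside a task sequence: $_"
    exit 1
}

$name = $tsenv.Value('OSDComputerName')
if ([string]::IsNullOrWhiteSpace($name)) {
    Write-Error 'OSDComputerName is empty; run this step after the name has been populated.'
    exit 1
}

$ou = Get-OUForComputerName -ComputerName $name
# Apply Windows Settings reads OSDDomainOUName when it performs the domain join.
$tsenv.Value('OSDDomainOUName') = $ou
Write-Output "Computer '$name' -> OU '$ou'"
exit 0
```

    Run it from a Run Command Line step placed before Apply Windows Settings, with a command line such as `powershell.exe -ExecutionPolicy Bypass -File SetOU.ps1` and the package that holds the script; the boot image needs the Windows PowerShell optional component for this to work in WinPE. Returning a non-zero exit code when the name is missing makes the task sequence fail at this step rather than joining the machine to the wrong OU.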

  • Installing and Managing SCCM 2012 R2 client in workgroup

    Hi,
    I'm trying to install the SCCM 2012 R2 client on a workgroup workstation, but I can't manage to get the client working.
    Already tried these solutions
    http://blogs.technet.com/b/anilm/archive/2012/05/06/managing-workgroup-clients-in-configuration-manager-2012.aspx
    http://eskonr.com/2013/08/sccm-configmgr-2012-manage-workgroup-computers-for-deploymentremote-tools-etc/
    If I use this command to install the client, the client doesn't install.
    ccmsetup.exe /source:C:\client SMSSITECODE=PRI SMSMP=sgcmcen.cm12lab.com DNSSUFFIX=cm12lab.com
    If I use this one, the same happens
    Ccmsetup.exe /mp:sccmserver SMSSITECODE=XXX FSP=sccmserver DNSSUFFIX=dnssuffix
    If I use this one the client gets installed and the site code assigned, but nothing more. It shows in the SCCM console, but doesn't receive information from SCCM, I think
    Ccmsetup.exe /mp:sccmserver SMSSITECODE=XXX SMSSLP=sccmserver DNSSUFFIX=dnssuffix
    On the client, clicking the Site tab and Configure Settings, the site code is there; clicking Find Site returns an error saying that it can't find the site. In the LocationServices log I'm getting
    Policy prevents failover to WINS for lookup
    Unable to retrieve AD Site membership
    No Location reply received from xxxxxx.domain.xxx
    No location reply received from xxxxxx
    Thanks in advance

    It should work just by:
    Copy the client files (the whole directory) to the workgroup computer (c:\tmp\Client)
    Run ccmsetup.exe /source:c:\tmp\Client SMSSITECODE=PRI SMSMP=sgcmcen.cm12lab.com DNSSUFFIX=CM12LAB.COM
    Examine %windir%\ccmsetup\logs\ccmsetup.log for more information if the client doesn't install at all; possible causes might be corrupted WMI or lack of BITS (if running Windows 2003 server). In these cases you could run WMIDiag (http://www.microsoft.com/en-us/download/details.aspx?id=7684)
    to get more info on the errors and how to fix them.
    A couple of checks:
    Is DNS working correctly both ways? Can the workgroup machine find the ConfigMgr server and can the ConfigMgr server find the workgroup machine by name? You can test this by running
    nslookup <target.fqdn> on both
    Is the workgroup computer in a boundary / boundary group that has a site server assigned?
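    The name-resolution and port checks above, plus the port 53 / untrusted-forest DNS point from the earlier thread on managing an untrusted forest, as one added PowerShell script that is not from either answer's author. Run the first and third parts on the workgroup or untrusted-forest client, and the second part on the site server. The host names, the remote forest name and the port list are assumptions; the ports are the commonly used client-to-site-system ports (80/443 for MP and DP over HTTP/HTTPS, 8530/8531 for the SUP, 10123 for client notification, 445 for DP content over SMB), and the Microsoft port reference linked above is authoritative for your own role layout.

```powershell
# Added example (not from the original posts): prerequisite checks for a client
# in a workgroup or untrusted forest reaching a ConfigMgr site system, and for
# the site server reaching the untrusted forest's DNS. Host names, the remote
# forest name and the port list are assumptions; adjust them to your environment.

$SiteSystem   = 'sgcmcen.cm12lab.com'   # MP/DP/SUP host (assumed)
$RemoteDns    = 'dc01.forestb.local'    # a DC/DNS server in the untrusted forest (assumed)
$RemoteDomain = 'forestb.local'         # the untrusted forest's DNS name (assumed)
$ClientPorts  = 80, 443, 8530, 8531, 10123, 445

# Forward lookup of a name, then a reverse lookup of every address it returned,
# so a missing or wrong PTR record shows up next to the forward result.
function Test-NameResolution {
    param([string]$Name, [string]$Server)
    try {
        $p = @{ Name = $Name; ErrorAction = 'Stop' }
        if ($Server) { $p.Server = $Server }
        $records = Resolve-DnsName @p | Where-Object { $_.Type -in 'A', 'AAAA' }
        foreach ($r in $records) {
            $ptr = Resolve-DnsName -Name $r.IPAddress -Type PTR -ErrorAction SilentlyContinue
            [pscustomobject]@{ Name = $Name; IP = $r.IPAddress; Reverse = $ptr.NameHost }
        }
    } catch {
        [pscustomobject]@{ Name = $Name; IP = $null; Reverse = "FAILED: $($_.Exception.Message)" }
    }
}

# TCP reachability of each site-system port from this machine. Test-NetConnection
# only exercises TCP, so a firewall that blocks UDP 53 or UDP-based traffic will
# not be detected here.
function Test-SiteSystemPorts {
    param([string]$HostName, [int[]]$Ports)
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $HostName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $HostName; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

# 1. On the client: can the site system be resolved forward and reverse?
#    (Equivalent to "nslookup <target.fqdn>" on the client, with the PTR check added.)
Test-NameResolution -Name $SiteSystem | Format-Table -AutoSize

# 2. On the site server: is TCP 53 open to the untrusted forest's DNS, and does
#    that server answer the DC locator SRV query forest discovery relies on? If
#    this fails, the alternative from the answer above is a secondary zone for
#    the untrusted forest on your own DNS.
Test-NetConnection -ComputerName $RemoteDns -Port 53 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -Server $RemoteDns -ErrorAction SilentlyContinue |
    Select-Object Name, NameTarget, Port

# 3. On the client: which site-system ports are reachable over TCP?
Test-SiteSystemPorts -HostName $SiteSystem -Ports $ClientPorts | Format-Table -AutoSize
```

    A site system that resolves but has no PTR record, or a port that reports `Open = False`, points at the DNS or firewall prerequisite to fix before looking further at ccmsetup.log or LocationServices.log. Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later.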
