RODC clients in DMZ query

Similar Messages

• How to safely upgrade the OS on a RODC in a DMZ

  Hello,
  We have a Server 2008 R2 RODC in a DMZ.  I need to upgrade to Server 2012 while retaining the computer account.  I need to retain the computer account cause there a number of groups populated with users accounts in the 'Allowed RODC Password
  Replication Group' and by retaining the computer account, I wont force the user accounts who authenticated on this RODC to reset their password, correct?  If I deleted the computer account during the upgrade, I'd force the users accounts who authenticated
  on this RODC to reset their password due to the fact that the computer account's metadata is gone, correct?
  Thanks for your help! SdeDot

  Thanks for the response Christoffer
  1. Based on the following TechNet article, is the way to preserve the passwords one of the following methods?
  If you remove an RODC by using the Active Directory Domain Services Installation Wizard, you do not specify whether to retain domain controller metadata, and you are using a delegated RODC administrator account that is not a member of the Domain Admins
  or Enterprise Admins groups, you can click Yes to remove AD DS without removing metadata when you are prompted to do so......
  http://technet.microsoft.com/en-us/library/cc835490(v=ws.10).aspx
  2. Because of Firewall rules, I will use the same IP/FQDN as the current RODC which has 2008 R2 installed, however I re'IP/Rename another freshly built Server 2012 R2 Server with the current.  I DCPromo the current RODC to a member server and rename
  it to a temp IP/Name so I can use it on the new Server 2012 R2 server.
  3. Based on 2, Im not doing an In-place, but after I DCPromo down the current RODC, I reIP/rename the current to a temp, then re'IP/rename a new Server 2012 R2 server with the current, then DCpromo up.
  My main concern in this process is the user passwords are retained and Im not going to force a reset of user passwords. 
  Thanks in advance for your help here.
  Thanks for your help! SdeDot

• SCEP definition updates for clients in DMZ via UNC is not working.

  Hello,
  I have configured SCEP definition updates via UNC method for my Win 8.1 clients in DMZ and its not working.
  Script is properly associated with task scheduler and downloading definition to shared folder properly.
  Even running the mpcmdrun.exe -SignatureUpdate, gives the below error:
  C:\Program Files\Microsoft Security Client>mpcmdrun.exe -SignatureUpdate
  Signature update started . . .
  ERROR: Signature Update failed with hr=80070002
  CmdTool: Failed with hr = 0x80070002. 
  MpCmdRun: Command Line: mpcmdrun.exe  -SignatureUpdate
   Start Time: ‎Sun ‎Jul ‎06 ‎2014 11:05:09
  Start: MpSignatureUpdate()
  Update started 
  Search Started (UNC share) (Path: \\sccm\SCEP_UNC_DEFS\Updates\x64)...
  Search Completed 
  Download Started...
  Download Completed 
  Installation Started...
  Installation Completed 
  Update completed with hr: 0x80070002
  ERROR: Signature Update failed with hr=80070002
  MpCmdRun: End Time: ‎Sun ‎Jul ‎06 ‎2014 11:05:17

  Hi,
  Please check logs on the client to see whether there are any helpful information.(ScanAgent.log, Windowsupdate.log and UpdatesHandler.log)
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SCEP definition updates for clients in DMZ

  Hello,
  I do want to enable SCEP definition updates for small group of clients in DMZ (apprx 30 -40)
  I have created a separate  AD OU and SCCM collection for such computers.
  Google shows me different ways like using Definition Update Automation Tool, WSUS, scripts, shares etc, and I am quite confused for which way to adopt.
  can any one suggest me which is the best automated way?
  I do have SCCM 2012 sp1 and all win 8 cleints.
  Thanks in Advance

  You can use whathever method you prefer. All will most likely work. As there's already Configmgr in place I'd use it to do this job. ADRs (automatic deployment rules) can be used to automate this process.
  Torsten Meringer | http://www.mssccmfaq.de

• Manage SCCM 2012 clients in DMZ (OS Deploy, Windows updates) via DP/MP

  Hi,
  We ’d like to manage (=OS Deploy, Packages,Windows updates) Windows clients (Windows 2008/2012 R2 servers for now, about 20 of them) in a DMZ (= different domain).
  There is this article
  https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which explains what to do … in 2011. Since then lots of things are changed I guess
  Before I dive in, I’d need to have an overview + do some administrative tasks (like asking for firewall accesses).
  Current setup DMZ:
  Our SCCM 2012 R2 server is on a Windows 2008 R2 OS
  Client communication is done via HTTP (not HTTPS)
  An extra physical Distribution point is setup (only DP, nothing more) in our current domain
  A new Windows 2012 server is setup in the DMZ which should host the DP and probably management point (since it should manage the clients over there)
  There are clients in DMZ that are currenlty managed by SCCM 2007 but 
  this server will be phased out, these client have:
  Correct sccm functionality
  Correct DNS resolution
  My steps/questions, please comment:
  Add the DMZ ip range to SCCM 2012 boundary as “DMZ”
  Add the network access account to be able to deploy as well clients as distribution point in DMZ
  In the DMZ accesses on firewall for server VLAN have to be asked
  When we have a distribution point and communication is “HTTP only” then http (port 80) from DMZ to sccm server should suffice, correct? Or are
   extra firewall openings needed for management point access/packages and windows updates sync?
  Now the sccm clients will be deployed to the servers in DMZ: deploy SCCM clients to hosts in DMZ, how this should be done: we connect a console to the SCCM-server in the DMZ then deploy the discovered clients?
  OS Deploy should be made available, but no dhcp is available in DMZ and it is not an option either, therefore we would boot from an ISO then enter an ip (or pre-enter it so there is already filled in an ip?). So tasksequences/deployments
  for servers in DMZ, where are they configured/deployed then? Via console access on DMZ management point or can we deploy on our domain SCCM management point (not in DMZ) and it will be synced to the DMZ management point? Not clear
  Selective sync of software to this distribution point (howto? not sure), we don’t need any Windows 8 software/drivers to be synced.
  Thanks for your input!
  J.
  Jan Hoedt

  No comment;
  I think you mean the client push installation account and the site system installation account;
  More ports are required, see site server > distribution point and distribution point > management point from the provided link;
  The console will always be connected to your primary site server. The client will be pushed from the primary site server and it will provide the initial files. The other files will be downloaded from the local distribution point;
  The task sequence deployment will be just like a normal taks sequence deployment. The only difference is the location of the server;
  Only the content that's distributed to the distribution point in the DMZ will be available on that distribution point.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• MP/DP + SCCM clients in DMZ

  Hi,
  I have this MP/DP in DMZ. Firewall openings are documented inedeed here
  https://technet.microsoft.com/en-us/library/hh427328.aspx?f=255&MSPPError=-2147217396 but I'd need some extra info.
  The MP/DP: to which site server do you point the SCCM client on this server (to itself or to the "main" site server)
  => if to itself, this would also mean the clients in DMZ point to to the DMZ MP/DP and won't need any firewall openings, iow is there still communication needed from sccm clients to "main" site server or does everything go to MP/DP in DMZ?
  Please advise.
  J.
  Please see
  https://social.technet.microsoft.com/Forums/systemcenter/en-US/6cbc9ab0-3e4e-4f14-a14d-a7d3f1c17cfc/install-sccm-client-to-server-in-dmz-mp-does-not-exist?forum=configmanagergeneral for more backgroundinfo on this question.
  Note: firewall ports to open:
  *DP => MP: TCP 80 and 443
  *MP => SQL: TCp 1433
  *site server <=> certificate registration point (sccm "main" server?) TCP 445 and 135, UDP 135
  *SUP => Internet: TCP 80
  Jan Hoedt

  The MP/DP will need an sccm client.
  No. Wrong assumption. Not needed from a ConfigMgr point of view (but required if you want to patch those systems and get inventory etc)
  Torsten Meringer | http://www.mssccmfaq.de

• Web Intelligence Rich Client Not Cancel Query

  Hi all
  When i do a query in Web Intelligence Rich Client and CANCEL that query appears 3 options, but whit any option nothing happend and the laptop is block and i have to use the commands CTRL + ALT + DEL and finish the process.
  What is the problem and the solution please.
  Thanks

  Does it happen with all users and on all machine and with all reports?
  Bashir Awan

• Management point location for workgroup clients in DMZ

  Hi All,
  I am trying to install the SCCM 2012 client to some servers that are located in a workgroup and in a DMZ at our organization.
  I have read up about the config for this and I think that we have everything in place but the clients themselves are not locating a management point which I think is due to the setup of the IIS on the management points.
  Firstly, I ammended the local hosts file on the system to ensure that the server could resolve the SCCM site server and 2 management points by using NetBIOS and FQDN. I also checked that the ports are opened from the client to the
  management point.
  I then ran ccmsetup using the following switches /noservice /mp=smsmp SMSSITECODE=XXX SMSSLP=SMSMP FSP=SMSSITESERVER CCMHTTPPORT=24555 CCMHTTPSPORT=24556 RESETKEYINFORMATION=TRUE which appers to have sucessfully installed the client
  but is now failing to communicate with the MP specified. I am seeing on the client the following repeated in the locationservices.log
  <![LOG[Raising event:
  instance of CCM_CcmHttp_Status
              DateTime = "20141127153834.775000+000";
              HostName = "SMSMP";
              HRESULT = "0x87d0027e";
              ProcessID = 4004;
              StatusCode = 401;
              ThreadID = 5184;
  ]LOG]!><time="15:38:34.775+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184" file="event.cpp:715">
  <![LOG[Successfully sent location services HTTP failure message.]LOG]!><time="15:38:34.962+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184"
  file="ccmhttperror.cpp:396">
  <![LOG[Error sending HEAD request. HTTP code 401, status 'Unauthorized']LOG]!><time="15:38:34.962+00" date="11-27-2014" component="LocationServices" context="" type="3"
  thread="5184" file="util.cpp:2568">
  <![LOG[Workgroup client is in Unknown location]LOG]!><time="15:38:34.962+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184"
  file="lsad.cpp:1078">
  <![LOG[[CCMHTTP] ERROR: URL=http://SMSMP, Port=24555, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="15:38:34.993+00" date="11-27-2014"
  component="LocationServices" context="" type="1" thread="5184" file="ccmhttperror.cpp:297">
  And on the management point I am seeing the following repeated in the IIS logs
  x.x.x.x HEAD / - 24555 - x.x.x.x SMS+CCM+5.0 - 401 2 5 216 0
  I understand that this points to the IIS authentication issue so I have tried browsing to http://smsmp.domainname.com/sms_mp/.sms_aut?mplist and
  I do get a list of management points returned so I'm a little confused now. The other thing that confuses me is that we also have another domain we manage clients
  in and these systems have all registered with the MP fine even though there is no trust relationship in place between the 2 domains.
  I have checked anonymous authentication has been enabled on the SMS_MP virtual directory but I can see that it is set to use a user account of IUSR, but this is not a local user on the MP nor an AD user from what I can see.
  Is anybody able to point me in the correct direction of either what I am doing wrong or which settings I should be checking?
  Thanks in advance for any help
  Andrew

  You mention in your ccmsetup install properties: CCMHTTPPORT=24555 CCMHTTPSPORT=24556
  While the MPList test you provided shows:
  http://smsmp.domainname.com/sms_mp/.sms_aut?mplist
  This is on port 80
  Where is your MP? Port 80 or 24555 ?

• Installation sccm client on workgroup client in DMZ

  Hi Guys,
  i tried to install the sccm client on workgroup clients in a DMZ environment.
  First I created a client certifikate for the workgroup client on the sccm server and installed the certifikate on the workgroup computer with certutil.exe.
  commandline for installation:
  ccmsetup.exe /usePKICert /NOCRLCheck SMSMP=servername.bla.com SMSSITECODE=BLA
  i get this errors in the ccmsetup.log:
  Unexpected row count (0) retrieved from AD.
  Failed to get site version from AD with error 0x80004005
  thanks for your support,
  Chris

  Refer these Pls
  http://eskonr.com/2013/08/sccm-configmgr-2012-manage-workgroup-computers-for-deploymentremote-tools-etc/  (An Excellent article)
  Client installation in DMZ step by step :
  http://myitforum.com/cs2/blogs/cstauffer/archive/2009/02/06/sccm-client-install-in-a-dmz.aspx
  http://blogs.technet.com/b/keithmayer/archive/2012/07/30/planning-system-center-configuration-manager-across-dmz-and-protected-subnets-sysctr-configmgr.aspx
  http://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/
  Thanks, Prabha G

• Managing Clients in DMZ

  We have 30 servers in DMZ which we plan to manage with SCCM 2012 R2 for Endpoint Protection, Windows Updates
  I have a SCCM 2012 Server installed in my internal (intranet) domain will all the roles installed in the same server and currently using this for updating Microsoft Security patch updates to the all the 1500 SCCM clients in the internal domain.
  We are in process of transitioning to HTTPS communications using PKI certificates.
  I am trying to come up with a solution on how I can use the same SCCM 2012 R2 server to update security patches and reporting in the 30 DMZ machines that is in the different domain and has firewall rules setup.
  I did go through the entire posted forum but could not come up with the exact list of tasks that I need to do in order to archive this.
  Here are my questions?
  1. With the current SCCM 2012 R2 intranet Server , can I extend and mange clients in the separate DMZ domain?
  2. What SCCM 2012 R2 roles are required to install in the DMZ domain?
  3. What is the best way I can install SCCM client in the DMZ?
  4. What other configuration is required in the DMZ domain in order to communicate with the SCCM Server in the intranet?
  5. What configuration is required in the SCCM Server in the intranet domain?
  6. What ports needs to be open between the DMZ client and the SCCM Server in the intranet domain for Security updates and Central Site reporting?

  You should take a look at this blog post. It's really useful:
  http://blogs.technet.com/b/manageabilityguys/archive/2012/09/05/system-center-2012-configuration-manager-and-untrusted-forests.aspx

• EZ VPN client in DMZ and a router-on-a-stick

  Does anyone know if it is possible to use a Cisco 1811 as an EZVPN client
  while the router is setup with only one interface? I have a customer that
  requested their VPN router to us be setup in their DMZ with no public facing
  interface on the 1811 (VPN device). I usually configure our VPN
  configurations with an internet facing interface and a DMZ facing interface.

  I don't think it is possible with only one *logical* interface. Router as a EZVPN Client requires two interfaces to do PAT for traffic going to the Internet. So far as I know, this is autoconfigured in both Client and NEM modes and cannot be disabled. However you *can* use 802.1q trunk to create two *logical* interfaces and configure EZVPN Client, or just configure Site-to-Site on a stick.
  HTH

• ASA5510 configuration to end VPN L2L and remote client in DMZ interface

  Hi,
  we have a Cisco ASA5510 with 3 interfaces.
  - Internet Interface with private addressing
  - DMZ Interface with public IP address
  - Internal interface.
  Our ISP route our public IP range to our Internet interface (with a 192.168.x.x).
  I'm trying to configure ASA5510 for L2L VPN and for Cisco VPN client server listening in the public IP@ assigned to the DMZ interface, but for the moment without success.
  Is it possible?. Any consideration to have into account?.
  I attach a diagram.
  I see packets UDP500 arriving to the Internet interface but there is no replies:
  172: 17:07:25.164115 81.223.31.240.50763 > X.X.X.X.500:  udp 1160
  (X.X.X.X is a public IP@ configured in the DMZ interface)
  Thanks a lot.

  I don't think it is possible with only one *logical* interface. Router as a EZVPN Client requires two interfaces to do PAT for traffic going to the Internet. So far as I know, this is autoconfigured in both Client and NEM modes and cannot be disabled. However you *can* use 802.1q trunk to create two *logical* interfaces and configure EZVPN Client, or just configure Site-to-Site on a stick.
  HTH

• Not able to get data in production client in BEX query

  Hi Experts,
                     I have an SD related query which is working fine in development.
  in production while i run the query iam not getting data for three fields "ship to party" , "Bill to party" and "sold to party.
  I am able to see the data at the cube level but it is not reflecting in the query. Transportation of this query also
  did not throw any errors. Please provide a solution.
  Regards,
  susheeth.
  Edited by: Susheeth on Aug 4, 2011 1:26 PM

  Hi,
  Check if the characteristics used in query are direct objects from cube or navigation attributes of any other characteristics. In case of navigation attributes you need to have master data maintained.
  And as mentioned by Vamsi, check the text data maintained for 0CUSTOMER. And for checking data you can mark Key and Text option.
  Regards,
  Durgesh.

• CLIENT EXIT Variable Query designer.

  Hi Experts,
  I need some information about this.
  Does anybody have any tutorial about this or know where can i get it? Saphelp would be ok too, but i can't find anything about this there.
  Thank-you!

  OK, let's try if [this|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/59069d90-0201-0010-fd81-d5e11994d8b5] will help you.
  There are additional directions to other documents in this PDF.
  Sample code can be found in [BW Expert|http://www.bwexpertonline.com/downloads/Hong-Bitra%20User%20Exit%20Code%20Download.doc] which I found [here|http://www.bwexpertonline.com/downloads.cfm?session=]

• Installing SQL 2008 / SQL 2012 in a DMZ covered by RODCs

  Hello guys,
  I'm trying to install SQL 2008 (tried also SQL 2012) in a W2008R2 server that lives in a DMZ site covered by a couple of RODCs.
  The RODCs have full access to the RWDCs, but the traffic is blocked from the rest of computers in the DMZ to the RWDCs.
  Every time I run the wizard to install SQL server, it fails when trying to setup a domain user to run SQL services
  (“Server configuration >> Service Account” step). When I temporary allow the communication from that SQL Server to one of the RWDCs, it works.
  I have obviously cached and prepopulated passwords in the RODCs and I am using Domain Admins and non-domain admins accounts.
  We have more than 30 windows member servers authenticating against those RODCs in the DMZ and everything works fine.
  Any ideas why the SQL installation wizard cannot authenticate against a RODC? I have been googling and I didn’t find anything!
  Btw, I have already posted a similar thread in the SQL forum. They suggested to "install SQL Server with a local Windows
  account and then change the SQL Server service account with to the Domain account". That actually works, but I'd like to find out what is wrong my RO AD setup or this is a just an expected
  behavior in SQL installations covered by RODCs.
  Thanks.

  Any update about the issue?
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?