Software Updates in an Untrusted Forest

Similar Messages

• Software Update Point Switching is not working for some Clients

  Hi there,
  I found nothing similar here and I hope this is the right section.
  I´m running ConfigMgr 2012 R2 where one of the Site Systems from one of the Primaries is located in an untrusted Forest in a perimeter Network. The Site System there has the MP, SUP and DB Roles. In general it works great. The Systems in that untrusted Forest
  get the SCCM Agent pushed, see and can install published Software packages and receive Windows Updates. But there are a few systems where everything works, except Windows Updates.
  So I had a deeper look at what is happening and found out that the SUP switching is not working for them. They always try to contact the SUP from the Primary, which they cannot reach (this is intended).
  From how I understand SUP switching as described here
  http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/software-update-points-in-cm2012sp1.aspx#pi140062=1
  the Windows Update Agent tries to connect to a SUP every 30 minutes and after 4 failed attempts he will try to connect to the next one until he finds one which works.
  As I said before, this seems to work for most systems in the untrusted forest, but some do not make any intentions to switch the SUP.
  So my next step was to find out from where the Update Agent can get the information of the available SUPs. I think they either don´t receive the information that other SUPs exist, or if the Information is there, they don´t realize that there´s an error and
  make no attempt to switch.
  I used the System Center Support Center to gather all Information from some of the systems with that problems (Log Files, WMI information, registry information, policies etc.) but I cannot find where SCCM or the Update Agent store the information which SUPs
  are available in my environment.
  I´m sure the problem is on the Systems which fail to connect to the right SUP and not in the SCCM infrastructure itself, because for most of the systems everything is working just perfect. Unfortunately in the Blog Post above there´s also no information
  where this information is stored and how it is obtained by the clients. In the comments there´s even one post which describes the same problem I have here, but there was no answer. I hope someone can point me into the right direction, because I´m stuck currently.
  Things I tried additionally to all the log file / WMI / registry sniffing:
  Removing the Software Distribution Folder and restarting the Windows Update Agent
  Removing the WindowsUpdate Registry folder in the HKLM\SOFTWARE\Policies\Windows section in the Registry and restarting the Windows Update Agent.
  Tried to reset the WUAgent with wuauclt /Resetauthorization additionally to the steps above.
  I also tried to manually set the WUServer and WUStatusServer Keys in the registry to the new Server, but as soon as the next Update Scan cycle runs, the value is set back to the URL of the Primary Sites SUP
  Is someone having additional ideas? It seems to me older systems are more affected (which were configured for a standard WSUS before SCCM 2012 was deployed) than newer ones which were installed when SCCM was in place already. But I don´t know what else to
  "reset" on those machines without reinstalling them.

  Thank you very much for your response. I must have missed that one by looking through numerous Logfiles. In this, there´s indeed a list of all available SUPs. So according to the LocationServices.log the machine should have a choice.
  The WMI Key however, contains just one entry and this is the URL of the Primaries SUP which is not reachable in the untrusted forest. Is it OK that the WMI entry includes only one entry? If yes, what process is putting the results from the LocationServices
  into WMI? It seems like the Windows Update Agent is feeded from the WMI Key then. If this is the case my problems seems to be the "communication path" between these two components.
  Is this the job from the SCCM Agent, the Windows Update Agent or maybe some third component I´m not aware of? I wonder how I can fix this.

• Managing untrusted forest

  Hi All,
  We have actually the following configuration with SCCM 2012 R2 CU4 :
  Same Forest, same Domain (2 x 2 DCs + AD DNS)
   + Primary Site Server with 300 clients  (MP,DP,SUP,SDB,SS,FSP,RSP)
   + Secondary site Server with 300 clients  (MP,DP,SUP,SDB,SS)
  distinct Untrusted Forest (2 DC + AD DNS)
   + 15 clients
  What's the best configuration to manage the untrusted forest ? I already checked the following link (http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx)
  what's the comm ports requirements ? clients + site system <-> primary site 
  Can we avoid the untrusted clients to access to the pri/sec site servers.
  We plan to add a site System to the primary site in the remote untrusted forest with MP,DP,SUP Roles)
  (afaik a secondary site need trusts which is not permitted)
  We need Inventory, Software Distribution, Windows Updates features on the untrusted forest
  Link between primary and secondary site is ~16Mb/s
  Link between primary and untrusted forest is about ~16Mb/s
  Link between secondary site and untrusted forest is about ~1Gb/s
  Thanks a lot !

  Port used by ConfigMgr is well explained here:
  https://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_CommunicationPorts
  In addition, be aware that for discovering computers in untrusted forest you need to open port 53 (DNS) between the SCCM server and remote DC (in untrusted forest) OR create a secondary DNS zone for the untrusted forest in your DNS.
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

• SUP in untrusted forest using SCCM 2012 SP1

  Hi, I have a single primary site in a single domain/AD forest. I also have a single site system in an untrusted forest behind a firewall.
  I have installed a DP and an MP onto this server in the untrusted forest and have now installed WSUS and added the SUP role. The SUP role has been installed, however the SUP in the untrusted forest isnt synching its catalog from the SUP in the primary
  site.
  In the Software Update Point Synchronisation Status, its source is specified as Microsoft Update, rather than the name of the Priamry Site server with the SUP role.
  The relevant ports 80/443/8530/8531 are open between the two forests, but it doesnt appear to attempt to sync from the primary site.
  How do I get this SUP to sync from the Primary site? I've tried setting a WSUS Server Connection Account, but this doesnt appear to make any difference.
  Thanks for your help.
  Carl

  I had to remove the use of the proxy server at the primary SUP so that it downloads directly from the internet without the use of a proxy.
  As soon as this was removed the untrusted SUP synchronised successfully. Even though the proxy isnt specified in the SUP properties of the untrusted site system, it still appears to use this when performing a sync.
  Do you want to file this on Connect as feedback to the Product Group?
  https://connect.microsoft.com/ConfigurationManagervnext/Feedback
  Rob Marshall | UK | My Blog |
  WMUG |
  File CM12 Feedback |
  CM12 Docs |
  CM12 Release Notes

• Install Software Updates in a WIndows 7 build and capture shooses wrong SUP

  Hi,
  My environment is the following.
  One SCCM 2012 R2 Primary site server in a trusted domain, MP, DP and SUP. This site is reachable from the clients on the internal  network.
  One SCCM 2012 R2 server in an untrusted forest, MP, DP and SUP. This server is NOT reachable from clients on the internal nrowotk.
  I am doing a build and capture of Windows 7 using a SCCM TS on a VM on the internal network.
  When the Install Updates task Is running the SCCM client is trying to use the SUP in the untrusted forest instead of the one in the local trusted forest.
  How do I force the SCCM client to use the local SUP instead of the one in the untrusted forest.
  According to
  http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/software-update-points-in-cm2012sp1.aspx it should prioritize the one in the local forest, but the build and capture PC is not member of the AD so it looks like it just uses the SUP that is
  first in the list from the MP.
  The blog also states that the SUP will not be shifted to the next one in the list before 4 failed scans at 30 minutes intervals so it will take more than 4 hours before the SCCM client will try the next SUP. At that time the TS has long finished the
  Software Update task.
  I thought about creating an entry in the hosts file on the capture PC with the name of the untrusted SUP and the IP of the trusted SUP to redirect the client to use the trusted SUP. I solution that might work but that I find very ugly.
  What can I do to force the SCCM client on the build and capture PC to us the internal trusted SUP?
  Thomas Forsmark Soerensen

  The SUP info cannot be got from the Internal MP. Please review the Smsts.log file.
  Juke Chou
  TechNet Community Support

• Software Updates in DMZ BITS download hangs

  Hi guys,
  i am running into a strange problem when deploying software updates to a DMZ system without internet access.
  Here are some facts about the environment:
  1 Primary Site: W2k8 R2 / SCCM 2012
  1 DMZ system (mgmt Point, sup, dp)  W2k8R2 (SQL replication, manual wsus replication) SSL Must be used
  The DMZ mgmt Point is not able to download Software Updates. They are listed in the Software Center but they persist with downloading at 0%. Application packages are working fine. Just the SW Update get stuck.
  The Boundaries are OK, there are no "IIS request filtering files" inside the updates (e.g just scep definitions), the DP ist up to date, iis bindings are correct (if i install the client certificate in the internet explorer i am able to access the DP.
  I already reinstalled the client and created new deployments.
  It would be really great if you have some ideas what the problem could be?
  Here are some parts of the logs:
  it is very strange that "internetproxy.log" looks for a proxy even if the server is the DP itself.
  CAS.log:
  Download location found 0 - net:http://download.windowsupdate.com/msdownload/update/software/defu/2012/09/am_delta_b319532d42a9440ba2ffbd7b1b5ff56f155dc06b.exe ContentAccess 27.09.2012 21:47:47 2220 (0x08AC)
  Download location found 1 -
  http://Myserver/SMS_DP_SMSPKG$/c47daa52-7427-454d-b42d-07ee1ca0234e ContentAccess 27.09.2012 21:47:47 2220 (0x08AC)
  Download request only, ignoring location update ContentAccess 27.09.2012 21:47:47 2220 (0x08AC)
  Download started for content 660dae26-926c-4e87-90e3-b9f412b6ce9a.1 ContentAccess 27.09.2012 21:47:47 4692 (0x1254)
  Download started for content 28e4ad5a-f152-49c3-9341-6a0672f5fb2c.1 ContentAccess 27.09.2012 21:47:47 3376 (0x0D30)
  Download started for content c47daa52-7427-454d-b42d-07ee1ca0234e.1 ContentAccess 27.09.2012 21:47:48 2220 (0x08AC)
  Setting download timeout options for content request {55E8400B-B684-425F-BDB7-896ADB84C51D}: LocationTimeout = 604800, DownloadTimeout = 864000, PerDPInactivityTimeout = 0, TotalInactivityTimeout = 0 ContentAccess 27.09.2012 21:48:34 2220 (0x08AC)
  No need to change timeout settings ContentAccess 27.09.2012 21:48:34 2220 (0x08AC)
  Setting download timeout options for content request {19D068E1-C310-4963-9400-FA3F451B4968}: LocationTimeout = 604800, DownloadTimeout = 864000, PerDPInactivityTimeout = 0, TotalInactivityTimeout = 0 ContentAccess 27.09.2012 21:48:34 2220 (0x08AC)
  No need to change timeout settings ContentAccess 27.09.2012 21:48:34 2220 (0x08AC)
  Setting download timeout options for content request {334EAFEC-D2A7-4453-AFA2-CF4B441BC590}: LocationTimeout = 604800, DownloadTimeout = 864000, PerDPInactivityTimeout = 0, TotalInactivityTimeout = 0 ContentAccess 27.09.2012 21:48:34 2220 (0x08AC)
  No need to change timeout settings ContentAccess 27.09.2012 21:48:34 2220 (0x08AC)
  Contenttransfermanager.log:
  CTM job {230A8EF2-A26C-481C-B261-0A1A9AC532DC} switched to location 'http://Myserver/SMS_DP_SMSPKG$/c47daa52-7427-454d-b42d-07ee1ca0234e' ContentTransferManager 27.09.2012 22:05:21 3764 (0x0EB4)
  CTM job {230A8EF2-A26C-481C-B261-0A1A9AC532DC} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 27.09.2012 22:05:21 3764 (0x0EB4)
  CTM job {230A8EF2-A26C-481C-B261-0A1A9AC532DC} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 27.09.2012 22:05:22 2536 (0x09E8)
  CTM job {230A8EF2-A26C-481C-B261-0A1A9AC532DC} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 27.09.2012 22:05:22 2536 (0x09E8)
  internetproxy.log:
  Failed to get proxy for url 'https://MYserver:443/SMS_DP_SMSPKG$/c47daa52-7427-454d-b42d-07ee1ca0234e'. Error 0x87d00215 NetworkProxy 27.09.2012 22:05:22 5788 (0x169C)
  locationservices:
  Calling back with locations for location request {DABBE0DD-F0DF-42BF-AC38-69D53CBE52E2} LocationServices 27.09.2012 21:47:47 2220 (0x08AC)
  Current AD site of machine is Default-First-Site-Name LocationServices 27.09.2012 21:47:47 2420 (0x0974)
  Begin checking Alternate Network Configuration LocationServices 27.09.2012 21:47:47 2420 (0x0974)
  Finished checking Alternate Network Configuration LocationServices 27.09.2012 21:47:47 2420 (0x0974)
  Calling back with the following distribution points LocationServices 27.09.2012 21:47:47 2420 (0x0974)
  Distribution Point='net:http://download.windowsupdate.com/msdownload/update/software/defu/2012/09/am_delta_b319532d42a9440ba2ffbd7b1b5ff56f155dc06b.exe', Locality='LOCAL', DPType='SERVER', Version='0', Capabilities='<Capabilities/>', Signature='', ForestTrust='FALSE' LocationServices 27.09.2012
  21:47:47 2420 (0x0974)
  Distribution Point='http://Myserver/SMS_DP_SMSPKG$/c47daa52-7427-454d-b42d-07ee1ca0234e', Locality='LOCAL', DPType='SERVER', Version='7711', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1"/><Property Name="SSLState"
  Value="63"/></Capabilities>', Signature='http://Myserver/SMS_DP_SMSSIG$/c47daa52-7427-454d-b42d-07ee1ca0234e.1.tar', ForestTrust='TRUE' LocationServices 27.09.2012 21:47:47 2420 (0x0974)
  iis log:
  2012-09-27 20:00:53 x.x.x.x PROPFIND /SMS_DP_SMSPKG$/489bf668-564c-4255-9619-cdadfd9fc405 - 443 - 10.8.1.2 SMS+CCM+5.0 207 0 0 277
  2012-09-27 20:02:00 x.x.x.x PROPFIND /SMS_DP_SMSPKG$/19ff6196-1e32-4035-bc59-1b6c0faad309 - 443 - 10.8.1.2 SMS+CCM+5.0 207 0 0 60
  2012-09-27 20:03:07 x.x.x.x PROPFIND /SMS_DP_SMSPKG$/660dae26-926c-4e87-90e3-b9f412b6ce9a - 443 - 10.8.1.2 SMS+CCM+5.0 207 0 0 20
  2012-09-27 20:04:14 x.x.x.xPROPFIND /SMS_DP_SMSPKG$/28e4ad5a-f152-49c3-9341-6a0672f5fb2c - 443 - 10.8.1.2 SMS+CCM+5.0 207 0 0 26
  2012-09-27 20:05:19 x.x.x.x GET /SMS_MP/.sms_aut MPLIST 443 - 10.8.1.2 SMS_MP_CONTROL_MANAGER 200 0 0 29
  2012-09-27 20:05:21 x.x.x.x PROPFIND /SMS_DP_SMSPKG$/c47daa52-7427-454d-b42d-07ee1ca0234e - 443 - 10.8.1.2 SMS+CCM+5.0 207 0 0 22
  2012-09-27 20:10:33 x.x.x.x GET /SMS_MP/.sms_aut MPLIST 443 - 10.8.1.2 SMS_MP_CONTROL_MANAGER 200 0 0 47
  2012-09-27 20:15:19 x.x.x.x GET /SMS_MP/.sms_aut MPLIST 443 - 10.8.1.2 SMS_MP_CONTROL_MANAGER 200 0 0 30
  thank you very much for your help!!
  best regards
  Philipp

  Hi Philipp,
  I am having this same problem...software updates are stuck at downloading 0% for "internet" DMZ/Workgroup SCCM 2012 clients that communicate with DP/MP in an untrusted forest (no internet access). Normal software packages/programs/task sequences can
  download and install successfully.
  SCCM 2012 SP1 with CU1 running on Windows Server 2012 on all site servers and site system servers. SQL 2012 SP1 on site servers. Clients using PKI certs. MP and DP using HTTPS with PKI certs.
  Similarities are that there is a 207 in the IIS log file when the client attempts to download the update. The rest of the logs aren't very useful because they just stop logging and the client sits in a "downloading 0%" state.
  Did you ever resolve the problem? Is anyone else having this problem?
  Thanks, appreciate any help I can get.
  Darren
  UpdatesHandler.log
  Successfully initiated scan. UpdatesHandler 6/05/2013 8:45:57 AM 10236 (0x27FC)
  Updates scan completion received, result = 0x0. UpdatesHandler 6/05/2013 8:46:00 AM 5916 (0x171C)
  Method (Apply) called from SDM. UpdatesHandler 6/05/2013 8:46:01 AM 5916 (0x171C)
  Starting job with id = {F728823C-C086-44AD-A746-1F0FD90413D7} UpdatesHandler 6/05/2013 8:46:01 AM 5916 (0x171C)
  Initiating Scan. Forced = (0) UpdatesHandler 6/05/2013 8:46:01 AM 5916 (0x171C)
  Successfully initiated scan for job ({F728823C-C086-44AD-A746-1F0FD90413D7}). UpdatesHandler 6/05/2013 8:46:01 AM 5916 (0x171C)
  Scan completion received for job ({F728823C-C086-44AD-A746-1F0FD90413D7}). UpdatesHandler 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Evaluating status of the updates for the job ({F728823C-C086-44AD-A746-1F0FD90413D7}). UpdatesHandler 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Initiating download for the job ({F728823C-C086-44AD-A746-1F0FD90413D7}). UpdatesHandler 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Check contents availability. UpdatesHandler 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Bundle update (b85d7b05-87dc-4d24-b01b-a933ad99f6a8) is requesting download from child updates for action (INSTALL) UpdatesHandler 6/05/2013 8:46:01 AM 6592 (0x19C0)
  CUpdate::CheckLocations - Checking locations on action (INSTALL) for Update (b2a8acf6-1950-4412-ac54-a90ae5d0bbb4) UpdatesHandler 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Ignoring update state (DOWNLOAD_READY) change in job state (2) UpdatesHandler 6/05/2013 8:46:01 AM 10236 (0x27FC)
  Starting download on action (INSTALL) for Update (b2a8acf6-1950-4412-ac54-a90ae5d0bbb4) UpdatesHandler 6/05/2013 8:46:01 AM 6592 (0x19C0)
  ContentTransferManager.log
  Starting CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292}. ContentTransferManager 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Created CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} for user S-1-5-18 ContentTransferManager 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Created and Sent Location Request '{58D13D96-F31D-47CD-AD9B-0A98EB9759F9}' for package b2a8acf6-1950-4412-ac54-a90ae5d0bbb4 ContentTransferManager 6/05/2013 8:46:01 AM 8248 (0x2038)
  CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 6/05/2013 8:46:01 AM 8248 (0x2038)
  Queued location request '{58D13D96-F31D-47CD-AD9B-0A98EB9759F9}' for CTM job '{BE124BCE-2027-4DFF-BF50-9014C5F4B292}'. ContentTransferManager 6/05/2013 8:46:01 AM 8248 (0x2038)
  Persisted locations for CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292}:
   (LOCAL) net:http://wsus.ds.download.windowsupdate.com/msdownload/update/software/crup/2012/11/windows8-rt-kb2771431-x64_e427432cc210b801dcebb5b859da118d1f1bc789.cab
   (LOCAL)
  http://xxxxxxxxxxxxxxx/SMS_DP_SMSPKG$/b2a8acf6-1950-4412-ac54-a90ae5d0bbb4 ContentTransferManager 6/05/2013 8:46:01 AM 5916 (0x171C)
  CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} (corresponding DTS job {42140637-5F9C-4E6B-8016-D3D70B1B1D5C}) started download from 'http://wsus.ds.download.windowsupdate.com/msdownload/update/software/crup/2012/11/windows8-rt-kb2771431-x64_e427432cc210b801dcebb5b859da118d1f1bc789.cab'
  for full content download. ContentTransferManager 6/05/2013 8:46:01 AM 5916 (0x171C)
  CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 6/05/2013 8:46:01 AM 10236 (0x27FC)
  CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 6/05/2013 8:46:01 AM 3812 (0x0EE4)
  CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} switched to location 'http://NS02CM0V003D1.dmz.tmbank.com.au/SMS_DP_SMSPKG$/b2a8acf6-1950-4412-ac54-a90ae5d0bbb4' ContentTransferManager 6/05/2013 8:49:15 AM 3812 (0x0EE4)
  CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 6/05/2013 8:49:15 AM 8292 (0x2064)
  CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 6/05/2013 8:49:15 AM 4496 (0x1190)
  CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 6/05/2013 8:49:15 AM 4224 (0x1080)
  CAS.log
  Requesting locations synchronously for content b2a8acf6-1950-4412-ac54-a90ae5d0bbb4.1 with priority Foreground ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  The number of discovered DPs(including Branch DP and Multicast) is 2 ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Calling back with the following distribution points ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Distribution Point='net:http://wsus.ds.download.windowsupdate.com/msdownload/update/software/crup/2012/11/windows8-rt-kb2771431-x64_e427432cc210b801dcebb5b859da118d1f1bc789.cab', Locality='LOCAL' ContentAccess 6/05/2013 8:46:01 AM 6592
  (0x19C0)
  Distribution Point='http://xxxxxxxxxxxxxxxxxxx/SMS_DP_SMSPKG$/b2a8acf6-1950-4412-ac54-a90ae5d0bbb4', Locality='LOCAL' ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Requesting content b2a8acf6-1950-4412-ac54-a90ae5d0bbb4.1, size(KB) 0, under context System with priority Foreground ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  User policy requested with no user credentials. ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Invalid user. ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Submitted CTM job {BE124BCE-2027-4DFF-BF50-9014C5F4B292} to download Content b2a8acf6-1950-4412-ac54-a90ae5d0bbb4.1 under context System ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Successfully created download  request {A78034D7-202F-480B-B189-057C1FA6B654} for content b2a8acf6-1950-4412-ac54-a90ae5d0bbb4.1 ContentAccess 6/05/2013 8:46:01 AM 6592 (0x19C0)
  Location update from CTM for content b2a8acf6-1950-4412-ac54-a90ae5d0bbb4.1 and request {A78034D7-202F-480B-B189-057C1FA6B654} ContentAccess 6/05/2013 8:46:01 AM 3812 (0x0EE4)
  Download location found 0 - net:http://wsus.ds.download.windowsupdate.com/msdownload/update/software/crup/2012/11/windows8-rt-kb2771431-x64_e427432cc210b801dcebb5b859da118d1f1bc789.cab ContentAccess 6/05/2013 8:46:01 AM 3812 (0x0EE4)
  Download location found 1 -
  http://xxxxxxxxxxxxxxxxx/SMS_DP_SMSPKG$/b2a8acf6-1950-4412-ac54-a90ae5d0bbb4 ContentAccess 6/05/2013 8:46:01 AM 3812 (0x0EE4)
  Download request only, ignoring location update ContentAccess 6/05/2013 8:46:01 AM 3812 (0x0EE4)
  Download started for content b2a8acf6-1950-4412-ac54-a90ae5d0bbb4.1 ContentAccess 6/05/2013 8:46:01 AM 8248 (0x2038)
  IIS Log from DP/MP
  2013-05-05 22:47:16 ::1 GET /SMS_MP/.sms_aut MPLIST 443 - ::1 SMS_MP_CONTROL_MANAGER - 200 0 0 46
  2013-05-05 22:47:26 <IP of MP/DP> CCM_POST /bgb/handler.ashx RequestType=Continue 443 - xxxxxxxxxxxx3
  2013-05-05 22:48:56 <IP of MP/DP> CCM_POST /bgb/handler.ashx RequestType=Continue 443 - <IP of client attempting software update download> ccmhttp - 200 0 0 309976
  2013-05-05 22:49:15 <IP of MP/DP> PROPFIND /SMS_DP_SMSPKG$/b2a8acf6-1950-4412-ac54-a90ae5d0bbb4 - 443 -
  <IP of client attempting software update download> SMS+CCM+5.0 - 207 0 0 26
  2013-05-05 22:50:28 ::1 CCM_POST /ccm_system_windowsauth/request - 443 - ::1 ccmhttp - 401 2 5 29
  2013-05-05 22:50:28 ::1 CCM_POST /ccm_system_windowsauth/request - 443 <username> ::1 ccmhttp - 200 0 0 48
  2013-05-05 22:50:36 <IP of MP/DP> CCM_POST /bgb/handler.ashx RequestType=Continue 443 - xxxxxxxx5

• Software Update Scan Cycle automatically changes the WUServer value

  We have 2 forests, Forest A and Forest B that are untrusted. We have a Primary Site installed on Server A in Forest A with a Software Update Point. 
  We got the Software Update Point Role installed successfully on a server B in Forest B (its a Replica of Upstream server) by opening the firewalls between Server A & Server B. WSUS Sync is working fine between Server A & Server B, no errors in the logs.
  We are now trying to patch the clients in Forest B, every time we run a Software Update Scan Cycle on the clients, the Windows Update Server setting in the Local Policy (Specify intranet Microsoft Update Service Location) changes the value from http://serverB:80
  to http://serverA:80. Since the firewall rules are blocked between clients in Forest B to site Server in Forest A, the patching fails with the following error - "OnSearchComplete - Failed to end search job. Error = 0x80072ee2."
  Manually changing the value in Local Policy to http://serverB:80 does not work, on the next scan cycle, this gets changed to http://serverA:80 automatically.
  We tried to set a Domain GPO to avoid changing the value, but that results in a different failure - "Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://ServerB:80 and Policy ENABLED Failed to Add Update Source
  for WUAgent of type (2) and id Error = 0x87d00692."
  It looks like a bug where the client is trying to auto assign the primary site server as a WSUS Server Location. If the client needs to access the Server A directly for a Scan cycle, what's the point in installing Software Update Point in Forest B? From a security
  standpoint, this absolutely does not make any sense. Any ideas what might be happening?

  Thank you Jason!
  I think I was a little unclear.. the SUP that I installed in Forest B is a replica of the SUP installed on Primary Site (Forest A). You're right, both the SUP's are syncing without issues. (The Upstream server that I mentioned above is the one on Primary
  Site)
  We do have a MP & DP on the server B (Forest B) that has a replica SUP, and all the client communication is restricted to Server B (Forest B) for Software distribution, Policy assignments, PXE. Could you tell me the purpose of the client to directly
  talk to SUP in a different forest when there's already a SUP within the same forest (even though it's a replica). 

• Has anyone else noticed that Software Update is not requiring a password to install updates?

  I noticed this started after the 10.6.6 update on all my Macs.  Anyone else experiencing this?

  Thomas A Reed wrote:
  The whole point of the password is to prevent software from installing without the user or admin definitively accepting that it is ok to do so.
  Actually, it is to give access to areas that you don't normally have access to, and in the case of updates coming straight from Apple and installed from an admin account, it has been deemed safe not to request a password.  I believe those updates are verified by the system somehow, so they cannot be malicious unless someone hacks Apple, and then you'd still think nothing of giving your password anyway.  There's no reason to ask for a password in this case.
  I understand this.  It protects the "protected" parts of the system.  But I still think that you should have the last say even if Apple is as trusted as they are.  At the end of the day it is still your computer.  I deal with hardware that requires firmware and software on a regular basis, and just because the company says it is ok to do an update, does not always make it appropriate to do so.  A lot of times it causes more harm then good.  There have been several cases (like iPhoto) recently where you may want to hold off on an update, and allowing all the packages to install in a bundle without a password opens you up for potential issues.
  Thomas A Reed wrote:
  anyone can come along in your house and run updates without your knowledge
  If you've got untrusted people using your admin account, you have bigger problems than someone installing an Apple software update without your knowledge.  If you are security-minded, you don't do that, and thus this issue becomes moot, and if you're not security-minded, then the issue is moot because you don't care enough to secure your computer.
  Perhaps that read different from how it was intended to sound.  My intention for that statement was not to suggest that I do not fully trust my family, but rather that they may not know what they are doing.  Surely you have someone in your family that comes to you for computer advice?  The password was an added security feature that gave me piece of mind from one of those "I don't know what just happened all I did was..." moments.  If I wasn't security minded, do you think I would waste my time expressing an opinion about a security issue?
  Thomas A Reed wrote:
  this opens a door for OSX to automatically add these updates in the future without your consent as long as Apple deems them appropriate
  Don't you think that's a little paranoid?  Why would Apple do that?  Microsoft tries to copy Apple, not the other way around.
  Actually no I don't think it is paranoid.  I do agree that Microsoft copies Apple in every which way they can, and I am a 100% non-Windows household.  I simply see this as a potential pitfall that Apple has opened up.  Even though I do love, admire, and trust Apple, at the end of the day they are a business, and in such a decision could be made to "protect" its user base by allowing OSX to automatically add any updates they deem necessary whenever they want in order to "protect" the perception of their product.  As I stated above, not all updates are wanted right away.

• User-based deployment to untrusted forest

  Case:
  Domain A has ConfigMgr 2012 server with all roles (MP, DP, SUP...)
  Domain B is untrusted and hasn't got any ConfigMgr site server roles installed
  ConfigMgr site has been introduced to Domain B also, so all the resources can be discovered (systems, users)
  I can deploy software to systems in the untrusted forest
  I cannot deploy software to users in the untrusted forest
  Is this normal behavior? Do I need MP to untrusted forest so that I can get my user deployment's working? When I deploy software to users in the untrusted domain, they don't even show up in the AppDiscovery.log and deployment status on the console doesn't
  show the device for the user.

  See the Support for users in untrusted forests section at http://blogs.technet.com/b/configmgrteam/archive/2012/07/05/tips-and-tricks-for-deploying-the-application-catalog-in-system-center-2012-configuration-manager.aspx
  Jason | http://blog.configmgrftw.com

• Domain is not discovered in untrusted forest

  I have the following Setup.
  Domain A in forest A. ASCCM2012 Primary Server  with SCCM 2012 SP1 CU1 server installed with MP,DP and SUP. Domain A i a 2008 R2 domain.
  Domain B in Forest B, MP and DP and SUP installed on BSCCM2012. Domain B is a 2012 domain.
  There is no trust between forest A and forest B. For the testing the firewalls on the SCCM servers are disabled. There is full network connectivity between the servers. I have setup a forest discover account SCCMADDiscover that is created in domain B as a normal
  user.
  Problem.
  I have setup forest discovery (and thereby forest publishing) of the Forest B on the Primary SCCM server.
  In the console on the "Active Directory Forests" it says that both the discover and the publishing have been successfully.
  But when I look at the "Domains" tab for the Forest B it says “No Items Found”.
  When I look in the ADForestDisc.log file I see the following errors:
  Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:20 7988 (0x1F34)
  ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException. Discovery will be attempted on next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Entering function ReportForestDiscoverySuccessStatusMessage() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Raising discovery success status message for forest B, in which we discovered 1 site(s) and 0 subnet(s). SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=ASCCM2012 SITE=P01 PID=2344 TID=7988 GMTDATE=to maj 16 11:07:21.315 2013 ISTR0="AssensOpen.dk" ISTR1="" ISTR2="" ISTR3=""
  ISTR4="0" ISTR5="1" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Trying to update forest fqdn for all site systems associated with site P01 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Trying to discover forest name for server BSCCM2012. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Failed to get the domain basic info for machine BSCCM2012. Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Trying to discover forest name for server BSCCM2012 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  Failed to get the domain basic info for machine BSCCM2012 Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
  As it can be seen in the log file it fails to get forest name and domain name for the server BSCCM2012 in the untrusted domain. It gets an error 5 that I assume is a Access Denied.
  I have tried to give the SCCMADDiscover account domain and enterprise admin rights but that did not help. I have also tried to add the SCCMADDiscover to the local admin group on BSCCM2012 server but that didn’t help either.
  It also seems that the data is not saved correct.
  ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException
  Where is it the SCCMADDiscover account have insufficient rights?
  Thomas Forsmark Soerensen

  Thanks for letting me know. This means that this is not the root cause, so I can focus on other things.
  There´s also another problem I´m not sure if it related to the Forest Discovery and I wonder if it´s the same for you. I will create a separate topic if it´s not related, but maybe you can confirm from your side. For the Computers which have been discovered
  in the untrusted Forest, when I go to the properties of a system, the property "System OU Name" changes from time to time. When I look at the property throughout the day for different systems it´s sometimes empty, sometimes shows the complete OU paths and
  sometimes just the single OU Containers. For example when a System is located in EU\COMPUTERS\SERVERS, sometimes the whole path is shown (like for all systems in the trusted Forest) and sometimes it just shows "EU";"COMPUTERS";"SERVERS" or it´s just empty.
  All for the same system during different times throughout the day. Like it´s not able to grab the complete OU paths. I have no error in the AD System discovery log, so I wonder if this is related to the Forest Discovery too.
  This makes it impossible to build collections based on System OUs, so I am using the DN currently (which is populated properly).

• SCCM 2012 R2 - Software Update Point

  I have two domains, one where the site server (SCCM) will be installed home office,  and then another untrusted domain Management.  This server will have site roles, SUP, and some others.
  I want to create a site system server with DP, MP in the untrusted domain.    In order to push out updates to clients in the untrusted domain,  what do I need, in the untrusted domain, to make this work.

  Hi,
  For the SUP in the untrusted domain the SCCM Site Server you need the proper patch level of the installed WSUS, the correct ports open on Firewall and an account from the Domain where the SCCM Site is installed which has rights on the WSUS on the primary
  site. This account has to be configured during the installation of the SUP on the Site System Server.
  May this post also give you some hints:
  http://social.technet.microsoft.com/Forums/en-US/c3fbf3ab-ca70-48da-90b1-e7322783140c/sup-in-untrusted-forest-using-sccm-2012-sp1?forum=configmanagerdeployment
  Cheers
  Christoph
  PS: Could somebody please move this thread to the correct Configuration Manager Forum :)

• ConfigMgr 2012 R2 and managing clients in untrusted forest

  I have read documentations and I'm still not 100% sure what are the possible limitations in my situation. I have 2 AD forests without any trusts between them. I'm planning to deploy ConfigMgr 2012 R2 in forest A. I also have clients in forest B.
  I need to install operating systems via PXE, applications and windows updates to clients in untrusted forest. I'm also planning to support internet clients. 

  You can manage clients in un-trusted forests. This blog is a good place to start.
  http://blogs.technet.com/b/manageabilityguys/archive/2012/09/05/system-center-2012-configuration-manager-and-untrusted-forests.aspx
  Managing internet clients is called IBCM (Internet Based Client Management). You can read about it here
  http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx
  Gerry Hampson | Blog:
  www.gerryhampsoncm.blogspot.ie | LinkedIn:
  Gerry Hampson | Twitter:
  @gerryhampson

• Software Update Scan Cycle not found on Client computer.

  Hi,
  In my organization in some of the client PC's (Windows 7), Software update scan cycle is not found.
  When i checked the UpdateDeployment.log file on client computer it saying
  "Software Updates client configuration policy has not been received."
  "Software updates functionality will not be enabled until the configuration policy has been received. If this issue persists please check client/server policy communication."
  "Software Updates feature is disabled"
  Please help me to solve the issue. Let me know the solution if anyone faced the same problem.
  Thanks in Advance
  Shreyas

  ClientLocation.log
  <![LOG[Assigning client to site 'PP1']LOG]!><time="13:10:54.638-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7844" file="smsclientclass.cpp:501">
  <![LOG[Getting Assigned Site]LOG]!><time="13:10:54.669-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7844" file="smsclientclass.cpp:989">
  <![LOG[Client is currently not assigned to any site]LOG]!><time="13:10:54.669-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7844" file="smsclientclass.cpp:603">
  <![LOG[Removing client site assignments]LOG]!><time="13:10:54.669-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7844" file="smsclientclass.cpp:734">
  <![LOG[Removed pending site assignment to 'PP1']LOG]!><time="13:10:54.669-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7844" file="smsclientclass.cpp:353">
  <![LOG[Raising event:
  instance of CCM_RemoteClient_Reassigned
  DateTime = "20140414074054.763000+000";
  LastAssignedSite = "";
  NewAssignedSite = "PP1";
  ProcessID = 6500;
  ThreadID = 7844;
  ]LOG]!><time="13:10:54.763-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7844" file="event.cpp:706">
  <![LOG[Client is now successfully assigned to site 'PP1']LOG]!><time="13:10:54.779-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7844" file="smsclientclass.cpp:684">
  <![LOG[Setting current Management Point as PUNSCCMPS01.*****.com]LOG]!><time="13:10:54.888-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7844" file="smsclientclass.cpp:923">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:11:00.098-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="8076" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:11:00.098-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="8076" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:11:00.114-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="8076" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:11:00.114-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="8076" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:11:01.143-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="8076" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:11:01.143-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="8076" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:11:06.619-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6324" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:11:06.619-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6324" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:11:06.635-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="6324" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:11:06.635-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6324" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:11:06.713-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="6324" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:11:06.728-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6324" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:11:22.843-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7688" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:11:22.843-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7688" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:11:22.905-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="7688" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:11:22.921-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7688" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:11:23.139-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="7688" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:11:23.139-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7688" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:14:39.276-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7152" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:14:39.276-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7152" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:14:39.292-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="7152" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:14:39.307-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7152" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:14:39.354-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="7152" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:14:39.370-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7152" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:14:50.555-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6520" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:14:50.555-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6520" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:14:50.586-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="6520" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:14:50.586-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6520" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:14:50.633-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="6520" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:14:50.633-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6520" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:18:06.954-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="1784" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:18:06.954-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="1784" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:18:06.969-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="1784" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:18:06.969-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="1784" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:18:07.032-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="1784" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:18:07.032-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="1784" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:18:18.341-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7116" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:18:18.341-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7116" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:18:18.388-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="7116" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:18:18.388-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7116" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:18:18.684-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="7116" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:18:18.700-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="7116" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:21:35.739-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4344" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:21:35.739-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4344" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:21:35.754-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="4344" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:21:35.770-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4344" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:21:35.817-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="4344" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:21:35.832-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4344" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:21:47.423-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:21:47.423-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:21:47.485-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:21:47.501-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:21:47.610-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:21:47.625-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="13:25:47.094-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="13:25:47.094-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:25:47.141-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:25:47.141-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="13:25:47.359-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="13:25:47.359-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="6664" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="15:43:44.652-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4748" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="15:43:44.655-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4748" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="15:43:44.673-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="4748" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="15:43:44.676-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4748" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="15:43:44.838-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="4748" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="15:43:44.843-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4748" file="lsad.cpp:1364">
  <![LOG[Current AD forest name is *****.com, domain name is *****.com]LOG]!><time="15:43:52.799-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4944" file="lsad.cpp:818">
  <![LOG[Domain joined client is in Intranet]LOG]!><time="15:43:52.799-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4944" file="lsad.cpp:896">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="15:43:53.116-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="4944" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="15:43:53.122-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4944" file="lsad.cpp:1364">
  <![LOG[Rotating assigned management point, new management point [1] is: PUNSCCMPS01.*****.com (7804) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="15:43:53.207-330"
  date="04-14-2014" component="ClientLocation" context="" type="1" thread="4944" file="lsad.cpp:5909">
  <![LOG[Assigned MP changed from <PUNSCCMPS01.*****.com> to <PUNSCCMPS01.*****.com>.]LOG]!><time="15:43:53.209-330" date="04-14-2014" component="ClientLocation" context="" type="1" thread="4944" file="lsad.cpp:1364">

• Constant failed software update - current software now corrupted

  I am receiving constant messages regarding the software update that is due (10.2.0.424 - 1GB) however when trying to update it fails constantly. I have been battling for 2 weeks straight, every single day to try and sort it out however it will not work. It fails via link, web and wifi. I have triple checked our wifi at home and it is working perfectly fine. I am able to download any other files via the same net on my laptop so my internet is clearly not the problem. All these failed attempts to upgrade has clearly corrupt my current software as I am now getting notifications to state that my gmail is untrusted and it will not work. Everytime I reboot my phone or turn it on, I receive error messages to say that gmail is untrusted?? I am very frustrated and rather annoyed with the endless problems I am having. Is someone able to give me some form of guidance please?? I have tried everyhing I could think of... reloading to factory settings installing an old back up etc. Nothing is working.

  Well  seems you tried all you should. maybe just put the update out of mind for a while and see if you can get your email working. Remove your email, power off, wait a while, power on and add your email back.

• HT5381 i did a software update and now mail wont open at all

  Help......my mail app is coming up with an error "You can't use this version of Mail with this version of Mac OS X".  Can I uninstall the update?

  !! WARNING !!
  about the September 2012
  "Security Update 2012-004"
  If you've got "Mail.app" in a folder OTHER THAN the root "Applications" folder,
  MOVE "MAIL.APP" TO THE APPLICATIONS FOLDER
  **BEFORE** INSTALLING THE "004" UPDATE!!
  Because *IF* you use OSX's integrated Software Update app from the Apple menu to do the "004" updating, and *IF* your Mail.app is NOT in the Applications folder, then buddy, you've got some sitdown fixit time ahead of ya and/or some internet tie-up time downloading the "004" update file itself.
  Been through it all, already.  In fact, just got done getting my Mail back up & running. And I tried everything short of attempting to unpacking my "Mail.pkg" receipt file using... whatever... even Pacifist couldn't get it out. So that fixit "Plan D" died quick. And I'm not savvy enough to use Terminal commands to do "Plan E," so that SUDO stuff was my brick wall.
  So I compressed my entire "Mail" subdirectory that contain all my emails, for safekeeping during the required surgery, or whatever would work, leaving the original Mail directory where it was. In case something bad happened in all my fixit whatevers, the one thing I *didn't* want to cross paths with was a hosed Library -> Mail folder. Then I'd be pssd. But I can wipe out that ZIP now 'cause all's well now. After 6 hrs of downloading thru a mobile broadband hotspot running at only 14KB/sec speed due to my having gone over my T-Mobile hotspot plan's bandwidth amount (throttled-down after reaching the limit, tho not cut off completely. Kinda nice, but it's a huge speed drop).
  I tried moving the two Mail.app versions around, compressing them & then trashing the original so they wouldn't be recognized, blabla, even booted my Mac in Safe Mode & reinstalled the "MacOSX 10.6.8 (Snow Leopard) Update Combo.dmg" update file, which in the past has fixed many problems. But after restarting, not this one.
  Like a dummy who ignored knowing better, I had my Mail.app in a folder other than the Applications folder, with only an alias to that being in the Applications folder. NOT GOOD ENOUGH. The updater don't see that as nuthin special or useful.
  So if you've got, like I've got, "old" icons for Mail.app (v4.5) in your Finder toolbar & in your Dock that all point to "Mail.app v4.5" in whatever folder you've got that in, other than in the Applications folder (where Apple apparently REQUIRES that it be located, and ONLY there, at least for OSX updating purposes), then after you download & autorun that "004" updater using Software Update, NONE of your pre-existing Mail icons will work. And MOST aggravatingly, **NOR** will your brand-new "Mail.app v4.6" work that came out of the "004" updating installation.  So basically, your Mail.app's... all of 'em.... are hosed. But only if you run the "004" update without your "Mail.app v4.5" being located in your Applications folder and ONLY in your Applications folder. And duplicates of Mail.app, scattered around your HDD??  Always a problem with many Apple apps.... The Apple software engineers apparently like 'em to be in the Applications folder, and in ONLY there, and ONLY the latest version, and ONLY 1 single copy of each on your entire HDD. They just don't seem to stress that enough, it appears. Kind of an oversight for them to not emphasize that, IMO...
  My recommendation for this particular September 2012 "004" update:
  If you run Software Update, and if you see the "Security Update 2012-004" listed as available for download, UNCHECKMARK IT.  DO NOT DOWNLOAD IT USING SOFTWARE UPDATE !  Instead, download the actual update file itself.
  Same thing, only a different way of doing it. Most importantly, you'll be skipping the auto-installation that Software Update performs.
  AND you'll have that update file on your HDD for future fixits, should a nasty "unfixable" problem come up.
  First, #1. Do a filename search for "Mail" (Option-Command-Spacebar). Scroll down to where the "Apps" are located in the list under the "Kind" column heading. First, find your Mail.app that's v4.5. Get that bugger into your Applications folder if it's not already there. Next, Trash all other "Mail.app" apps you see in that same list that you may have elsewhere on your HDD.
  #2. Go here: https://support.apple.com/kb/DL1586
  And download the actual "004" DMG update file: "SecUpd2012-004.dmg"
  And of course, it's a biggie.... 270MB... so watching grass grow may be involved here if you've got a slow connection (go to a MacDonalds & do it, like I shoulda done).
  3. After downloading, I'd recommend closing down all apps, emptying the Trash, and restarting.
  Then, after restarting, run Disk Utility's "Repair Disk Permissions."
  Then, doublecheck that the Mail.app version 4.5 is in your Applications folder.
  THEN fire up & install "SecUpd2012-004.dmg."
  Reboot.
  After the reboot, your Mail.app version 4.5 in the Applications folder will have become Mail.app version 4.6 in the Applications folder, and all will be well again.
  And you can dump that zipped-up "Username -> Library -> Mail" folder then, too.
  Happy Mac'in!
  Kevin Kendall
  Macbook 7,1
  (Apple's very last all-white Macbook model)
  2.4GHz - 256GB Crucial SSD - 8GB Crucial RAM
  OS 10.6.8 Build 10K549 + Win 7 Ultimate thru VMWare Fusion v5.0.1