July 2009 - Posts
This story happened at one of my customers , but lucky it happenend into an acceptance environment instead of production
After discovering that a reboot happened in our acceptance environment around the 19th of july 2009 , we saw that the management point did not communicate anymore with their clients.
After some investigation , we decided to uninstall the mgmt point and reinstall it. This should always go smooth and without issues.
Guess what , at my client it didn’t. Below you will find the detailed log files of the installation failing.
These errors didn’t worry me to much as the mgmt point was not existing anymore . Below you will find the rest of the log and that was really worrying me .
![Devil]( "clip_image002<img src=")
" border="0" alt="clip_image002
" src="http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/sccm/clip_5F00_image0026_5F00_thumb_5F00_4D28F5D0.jpg" width="429" height="202" />
As you can see it says : “Cannot create the internet virtual directory CCM_Incoming. The error code is 8007005” ==> This means somewhere access denied .
After checking the default permissions on the following accounts (IUSR,IWAM,IIS_WPG), I checked if the accounts did not give any Failure audits in the security log of the eventvwr to see if the account wasn’t locked out.
Guess what , it wasn’t the case.
So after that I started to dig any further to see if any patches where installed / deinstalled on the server ( remember the reboot ) . Well it seemed that the 18/07/09 the following hot fix KB923845 was uninstalled for whatever reason . Unlucky this was a BITS 2.5 hotfix …
![Music]( "clip_image002<img src=")
" border="0" alt="clip_image002
" src="http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/sccm/clip_5F00_image0028_5F00_thumb_5F00_38C33045.jpg" width="346" height="226" />
![clip_image002[10]](http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/sccm/clip_5F00_image00210_5F00_thumb_5F00_5B37BF00.jpg "clip_image002[10]")
I downloaded the hot fix and reinstalled it on the server . Same issue . It could just be a coincidence . After that I tried to see in IIS if Bits would still work and I tried to apply the bits into the default website and got the following error message : “Task scheduler could not be started . Cleanup cannot be scheduled now…” .
This triggerd me thinking it thru and I verified the service was running . The service was up and running . So the only one place to look further into ….GPO’s !
![clip_image002[12]](http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/sccm/clip_5F00_image00212_5F00_thumb_5F00_2EAE8F1A.jpg "clip_image002[12]")
I saw directly something strange . A GPO applied into the root of the forest doing the following as shown below :
![clip_image002[14]](http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/sccm/clip_5F00_image00214_5F00_thumb_5F00_3E01F129.jpg "clip_image002[14]")
Here is the problem ! They are killing the TASKS service by reducing security . Well , they killed BITS in one go as well as the MP and DP are using this feature !
So my next step was to create a separate OU , block inheritance of existing GPO’s and create and apply a UNDO_KB958644 to reset permission.
The server team at my customer implemented this for fighting the Conficker Virus , witch is recommended by Microsoft …but they didn’t do the last part in the article.
Well they (Customer server team) killed my Mgmt Point on my SCCM server ….
*******************************************************************************************************
If you are experiencing this kind of issues and it worked before , make sure to check your GPO’s for security add-ons !
(Thanks to Kim Oppalfens to put me on track for looking into GPO security add-ons)
*******************************************************************************************************
Hope it Helps ,
Kenny Buntinx
There is a new Knowledge Base articles published for System Center Configuration Manager 2007.The issue is when the time changes to or from Daylight Saving Time, the SMS_Inbox_Monitor or SMS_Outbox_Monitor components may not poll for new content in Microsoft System Center Configuration Manager 2007.
KB972400 - The SMS_Inbox_Monitor or SMS_Outbox_Monitor components may not poll for new content in System Center Configuration Manager 2007
Hope it helps ,
Kenny Buntinx
Just for those who didn’t believe our story about the filet Mignon at the sushi place being so BIG that Kurt just ordered 2 of them at 32 $ each !
Here’s the proof : ( look at the Blackbarry next to it )
Hope it Helps ,
Kenny
DISCLAIMER : This posting is provided AS IS with no warranties ! Test it first into a TEST environment unless like me you have no other option ! The first part may not even be supported !
At a customer I was struggling already for weeks with WSUS issues onto my SCCM environment.
A few weeks ago WSUS 3.1 for some reason disappeared from my SCCM Primary site box. Wsus 3.1 was installed on the SCCM primary site box , but with a offsite (separate) SQL 2005 SP2 box , so the DB of the WSUS and SCCM where offloaded to that SQL server.
Wsus was working fine for months and now i just logged on to the system to see that the System Status was there as critical, a quick check showed all three WSUS components critical and sync failing.I opened up IIS and WSUS wasn’t there any more, the c:\assembly folder is also now there... backup is configured to kick off every saturday and just after that it seemed to happen.
In the event viewer I see two warnings after the restart :
- Event ID 1004, source MSIinstaller
Detection of product '{77846B52-14C9-4FC4-BE63-FE06AF501442}', feature 'WSUSApiFeature', component '{067AEA00-5C0B-444C-8961-313ACF4C3C75}' failed. The resource '' does not exist. - Event ID 1001
Detection of product '{77846B52-14C9-4FC4-BE63-FE06AF501442}', feature 'WSUSApiFeature' failed during request for component '{8691403E-727C-4E5E-BA2D-0608341F1BBF}'
After that and searching on the technet forums, it seemed to be a kind of bug …. The only workaround that was known where this isn’t happening is the scenario to split of the WSUS from the SCCM site server !
I also noticed something that was very awkward , was that my IIS server went into trouble … After searching a lot into log files and error tracing , I found that the “network service” was REMOVED from the DCOM Components …?? After adding it back , My ISS server turned in healthy state again. The only thing I do not know is if this has anything to do with the uninstall from WSUS itself ….
After installing the WSUS server onto another box , and added the SUP role onto the new seperate SQL/WSUS box we got some funky messages into the console. Our new WSUS 3.1 is installed into a custom website with port 8530 and SSL on port 8531
The Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync
The SMS Wsus Configuration Manager failed to configure upstream server settings on wsus server “xxx” as shown in the status messages .
Further in my WCM.log , you see the following weird message that he is trying to connect on port SSL 8531 , witch he should not do ! He should connect to port 8530 !!
Well , if you look into the Software Update Point Component Properties you see that the “Enable SSL for This WSUS server” is greyed out .
Now I have to say that the Site was previously migrated to native mode , but due a mistake from the customer and that they have formatted the Subordinate certificate authority , we went back to mixed mode . It ran for a year without issue after the roll-back .So is this really an Security mode issue ? I don’t know for sure .
So how did we solve the issue ?
Well we modified the SiteControl file. BEFORE EDITING THIS FILE , STOP ALL SCCM SERVICES AND TAKE A BACKUP !!!!
DISCLAIMER : This posting is provided AS IS with no warranties ! Test it first into a TEST environment unless like me you have no other option ! This is not even supported !
BEGIN_COMPONENT
<SMS_WSUS_CONFIGURATION_MANAGER>
<6>
<SCHZ43075>
PROPERTY <DefaultWSUS><><SCHZ45067><0>
PROPERTY <DefaultWSUSType><><><1>
PROPERTY <DefaultPublicVIP><><><0>
PROPERTY <DefaultWSUSIISPort><><><8530>
PROPERTY <DefaultWSUSIISSSLPort><><><8531>
PROPERTY <DefaultWSUSAccessAccount><><><0>
PROPERTY <SSLDefaultWSUS><><><1> <------------------------------------------------------------------- change this value to Zero ! PROPERTY <SSLDefaultWSUS><><><0>
PROPERTY <DefaultUseParentWSUS><><><0>
PROPERTY <DefaultIsAlsoINF><><><1>
PROPERTY <INFWSUS><><><0>
PROPERTY <INFWSUSType><><><0>
PROPERTY <INFPublicVIP><><><0>
PROPERTY <INFWSUSIISPort><><><80>
PROPERTY <INFWSUSIISSSLPort><><><443>
PROPERTY <INFWSUSAccessAccount><><><0>
PROPERTY <SSLINFWSUS><><><1>
PROPERTY <INFUseParentWSUS><><><1>
PROPERTY <ParentWSUS><><><0>
PROPERTY <ParentWSUSPort><><><80>
PROPERTY <SSLToParentWSUS><><><0>
PROPERTY <Number of Retries><><><100>
PROPERTY <Retry Delay><><><60>
PROPERTY <SupportedTitleLanguages><><nl,en><0>
PROPERTY <SupportedUpdateLanguages><><nl,en><0>
PROPERTY <SMSClientDeployment><Enabled><><1>
PROPERTY <RequestedClientVersion><4.00.6221.1000><><0>
PROPERTY <MaxClientsPublished><><><2>
PROPERTY <HostBinariesOnMicrosoftUpdate><><><0>
PROPERTY <ClientReportingLevel><><><2>
PROPERTY <MaximumAllowedComputers><><><100000>
END_COMPONENT
DISCLAIMER : This posting is provided AS IS with no warranties ! Test it first into a TEST environment unless like me you have no other option ! This is not even supported !
After starting the services again , the option was still greyed out , but into the WCM.log , you see that everything runs fine and that SSL is Disabled !
Here is the WCM.Log file outcome :
Now you see he is connecting fine onto port 8530 and SSL is Disabled !
Hope it helps ,
Kenny Buntinx
I am happy to inform you that I have received the 2009 Microsoft Most Valuable Professional (MVP) Award for System Center Configuration Manager. This is certainly a great honor for me.
Thank you Microsoft, blog readers and all the community members that helped me out!
Thanks for the recognition. I am delighted.
Hope it helps ,
Kenny Buntinx
