You are browsing the archive for 2009 July.

SCCM 2007 MP horror : “Cannot create the internet virtual directory CCM_Incoming. The error code is 8007005”.

4:39 pm in Conficker, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, MP, sccm, SCCM 2007, SCCM 2007 R2 by Kenny Buntinx [MVP]

This story happened at one of my customers , but lucky it happenend into an acceptance environment instead of production

After discovering that a reboot happened in our acceptance environment around the 19th of july 2009 , we saw that the management point did not communicate anymore with their clients.

After some investigation , we decided to uninstall the mgmt point and reinstall it. This should always go smooth and without issues.

Guess what , at my client it didn’t. Below you will find the detailed log files of the installation failing.

clip_image002

These errors didn’t worry me to much as the mgmt point was not existing anymore . Below you will find the rest of the log and that was really worrying me .

 

clip_image002[6]

 

As you can see it says : “Cannot create the internet virtual directory CCM_Incoming. The error code is 8007005” ==> This means somewhere access denied .

After checking the default permissions on the following accounts (IUSR,IWAM,IIS_WPG), I checked if the accounts did not give any Failure audits in the security log of the eventvwr to see if the account wasn’t locked out.

Guess what , it wasn’t the case.

So after that I started to dig any further to see if any patches where installed / deinstalled on the server ( remember the reboot ) . Well it seemed that the 18/07/09 the following hot fix KB923845 was uninstalled for whatever reason . Unlucky this was a BITS 2.5 hotfix …

clip_image002[8]

 

clip_image002[10]

I downloaded the hot fix and reinstalled it on the server . Same issue . It could just be a coincidence . After that I tried to see in IIS if Bits would still work and I tried to apply the bits into the default website and got the following error message : “Task scheduler could not be started . Cleanup cannot be scheduled now…” .

This triggerd me thinking it thru and I verified the service was running . The service was up and running . So the only one place to look further into ….GPO’s !

clip_image002[12]

I saw directly something strange . A GPO applied into the root of the forest doing the following as shown below :

clip_image002[14]

Here is the problem ! They are killing the TASKS service by reducing security . Well , they killed BITS in one go as well as the MP and DP are using this feature !

So my next step was to create a separate OU , block inheritance of existing GPO’s and create and apply a UNDO_KB958644 to reset permission.

The server team at my customer implemented this for fighting the Conficker Virus , witch is recommended by Microsoft …but they didn’t do the last part in the article.

Well they (Customer server team)  killed my Mgmt Point on my SCCM server ….

 

*******************************************************************************************************

If you are experiencing this kind of issues and it worked before , make sure to check your GPO’s for security add-ons !

(Thanks to Kim Oppalfens to put me on track for looking into GPO security add-ons)

*******************************************************************************************************

 

Hope it Helps ,

 

Kenny Buntinx

A new Configuration Manager KB hot fix for Daylight saving time .

8:09 am in Uncategorized by Kenny Buntinx [MVP]

There is a new Knowledge Base articles published for System Center Configuration Manager 2007.The issue is when the time changes to or from Daylight Saving Time, the SMS_Inbox_Monitor or SMS_Outbox_Monitor components may not poll for new content in Microsoft System Center Configuration Manager 2007.

KB972400 – The SMS_Inbox_Monitor or SMS_Outbox_Monitor components may not poll for new content in System Center Configuration Manager 2007

 

Hope it helps ,

Kenny Buntinx

MMS 2009 : Filet Mignon

1:37 pm in mms by Kenny Buntinx [MVP]

Just for those who didn’t believe our story about the filet Mignon at the sushi place being so BIG that Kurt just ordered 2 of them at 32 $ each !

Here’s the proof : ( look at the Blackbarry next to it )

lapvlees

Hope it Helps ,

Kenny

SCCM 2007 : WSUS issues , Configuration manager failed to configure upstream settings on Wsus Server “xxxx”

1:27 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, sccm, SCCM 2007, SCCM 2007 R2 by Kenny Buntinx [MVP]

DISCLAIMER : This posting is provided AS IS with no warranties ! Test it first into a TEST environment unless like me you have no other option ! The first part may not even be supported !

 

At a customer I was struggling already for weeks with WSUS  issues onto my SCCM environment.

A few weeks ago WSUS 3.1 for some reason disappeared from my SCCM Primary site box. Wsus 3.1 was installed on the SCCM primary site box , but with a offsite (separate) SQL 2005 SP2 box , so the DB of the WSUS and SCCM where offloaded to that SQL server.

Wsus was working fine for months and now i just logged on to the system to see that the System Status was there as critical, a quick check showed all three WSUS components critical and sync failing.I opened up IIS and WSUS  wasn’t there any more, the c:\assembly folder is also now there… backup is configured to kick off every saturday and just after that it seemed to happen.

In the event viewer I see two warnings after the restart :

  • Event ID 1004, source MSIinstaller
    Detection of product ‘{77846B52-14C9-4FC4-BE63-FE06AF501442}’, feature ‘WSUSApiFeature’, component ‘{067AEA00-5C0B-444C-8961-313ACF4C3C75}’ failed. The resource ” does not exist.
  • Event ID 1001
    Detection of product ‘{77846B52-14C9-4FC4-BE63-FE06AF501442}’, feature ‘WSUSApiFeature’ failed during request for component ‘{8691403E-727C-4E5E-BA2D-0608341F1BBF}’

After that and searching on the technet forums, it seemed to be a kind of bug …. The only workaround that was known where this isn’t happening is the scenario to split of the WSUS from the SCCM site server !

I also noticed something that was very awkward , was that my IIS server went into trouble … After searching a lot into log files and error tracing , I found that the “network service” was REMOVED from the DCOM Components …?? After adding it back , My ISS server turned in healthy state again. The only thing I do not know is if this has anything to do with the uninstall from WSUS itself ….

After  installing the WSUS server onto another box , and added the SUP role onto the new seperate SQL/WSUS box we got some funky messages into the console. Our new WSUS 3.1 is installed into a custom website with port 8530 and SSL on port 8531

The Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync

The SMS Wsus Configuration Manager failed to configure upstream server settings on wsus server “xxx” as shown in the status messages .

image

Further in my WCM.log , you see the following weird message that he is trying to connect on port SSL 8531 ,  witch he should not do ! He should connect to port 8530 !!

 

image

Well , if you look into the Software Update Point Component Properties you see that the “Enable SSL for This WSUS server” is greyed out .

 

image 

Now I have to say that the Site was previously migrated to native mode , but due a mistake from the customer and that they have formatted the Subordinate certificate authority , we went back to mixed mode . It ran for a year without issue after the roll-back .So is this really an Security mode issue ? I don’t know for sure .

So how did we solve the issue ?

Well we modified the SiteControl file. BEFORE EDITING THIS FILE , STOP ALL SCCM SERVICES AND TAKE A BACKUP !!!!

DISCLAIMER : This posting is provided AS IS with no warranties ! Test it first into a TEST environment unless like me you have no other option ! This is not even supported !

BEGIN_COMPONENT
    <SMS_WSUS_CONFIGURATION_MANAGER>
    <6>
    <SCHZ43075>
    PROPERTY <DefaultWSUS><><SCHZ45067><0>
    PROPERTY <DefaultWSUSType><><><1>
    PROPERTY <DefaultPublicVIP><><><0>
    PROPERTY <DefaultWSUSIISPort><><><8530>
    PROPERTY <DefaultWSUSIISSSLPort><><><8531>
    PROPERTY <DefaultWSUSAccessAccount><><><0>
    PROPERTY <SSLDefaultWSUS><><><1>  <——————————————————————- change this value to Zero ! PROPERTY <SSLDefaultWSUS><><><0>
    PROPERTY <DefaultUseParentWSUS><><><0>
    PROPERTY <DefaultIsAlsoINF><><><1>
    PROPERTY <INFWSUS><><><0>
    PROPERTY <INFWSUSType><><><0>
    PROPERTY <INFPublicVIP><><><0>
    PROPERTY <INFWSUSIISPort><><><80>
    PROPERTY <INFWSUSIISSSLPort><><><443>
    PROPERTY <INFWSUSAccessAccount><><><0>
    PROPERTY <SSLINFWSUS><><><1>
    PROPERTY <INFUseParentWSUS><><><1>
    PROPERTY <ParentWSUS><><><0>
    PROPERTY <ParentWSUSPort><><><80>
    PROPERTY <SSLToParentWSUS><><><0>
    PROPERTY <Number of Retries><><><100>
    PROPERTY <Retry Delay><><><60>
    PROPERTY <SupportedTitleLanguages><><nl,en><0>
    PROPERTY <SupportedUpdateLanguages><><nl,en><0>
    PROPERTY <SMSClientDeployment><Enabled><><1>
    PROPERTY <RequestedClientVersion><4.00.6221.1000><><0>
    PROPERTY <MaxClientsPublished><><><2>
    PROPERTY <HostBinariesOnMicrosoftUpdate><><><0>
    PROPERTY <ClientReportingLevel><><><2>
    PROPERTY <MaximumAllowedComputers><><><100000>
END_COMPONENT

DISCLAIMER : This posting is provided AS IS with no warranties ! Test it first into a TEST environment unless like me you have no other option ! This is not even supported !

After starting the services again , the option was still greyed out , but into the WCM.log , you see that everything runs fine and that SSL is Disabled ! 

Here is the WCM.Log file outcome :

image

Now you see he is connecting fine onto port 8530 and SSL is Disabled !

Hope it helps ,

Kenny Buntinx

MVP Award : System Center Configuration Manager

7:44 am in Uncategorized by Kenny Buntinx [MVP]

I am happy to inform you that I have received the 2009 Microsoft Most Valuable Professional (MVP) Award for System Center Configuration Manager. This is certainly a great honor for me.

Thank you Microsoft, blog readers and all the community members that helped me out!

Thanks for the recognition. I am delighted.

Hope it helps ,

Kenny Buntinx

kenny