SCCM : Upgrading secondary sites to SP2 via Software Distribution on Windows 2008 could generate some issues

December 7, 2009 at 2:39 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, IIS, sccm, SCCM 2007, SCCM 2007 SP2 by Kenny Buntinx [MVP]

Scenario : Your Primary site server has been upgrade from SCCM 2007 SP1 R2 towards SCCM 2007 SP2.You want to upgrade all your secondary site server with are running on Windows Server 2008 to Service pack 2 on an automated way with Software distribution. The Secondary site server have the Proxy MP , State migration point and PXE service point role installed.

You will create a package with the source files and create a program that runs unattended with the following parameters: setup.exe /upgrade <path to SP2 prereqs>

Issue :

After the Client receives the advertisement , the secondary site will search for a distribution point . He will find it locally (same server) and will start the BITS transfer.

At that point in time , he will give a HTTP 404.8 error.He will also give you the same error when browsing manually in IE to the URL where the source files are stored.When looking this error 404.8 up , you will see that it will say :”hidden namespace of hidden segment error”.Into the request filtering module from IIS 7 , there are some directories excluded by default where no files could be transfered from. One of those excluded folders is the “bin” folder.

Within the source of SCCM Service Pack 2 , there are folders with the name “bin” , with will lead that the tranfer of the source files will be blocked.Only after removal of the exclude on the “bin”folder within IIS7 request filtering module, the files and folders with the name “bin” are available.

Solution :

Only after removal of the exclude on the “bin”folder within IIS7 request filtering module, the files and folders with the name “bin” are available for download.

The configuration file where the excludes are written down %windir%\system32\inetsrv\config\applicationhost.config (Also to be modified with appcmd).
The log files to be checked : DataTransferServices.log of the SCCM client, and the u_exdate.log in c:\inetpub\logs\logfiles\w3svc1 folder.
An example of the folder that was blocked : /smssetup/adminui/bin/">/smssetup/adminui/bin/">/smssetup/adminui/bin/">http://server/sms_dp_smspkgd$/<packageID>/smssetup/adminui/bin/

************* Update **************

Microsoft has foreseen a nice section to specifically address our concern, as they document how to configure Windows Server 2008 (and above) for site systems here:

http://technet.microsoft.com/en-us/library/cc431377.aspx

While they don’t explicitly call out this specific scenario (They can’t possibly anticipate everything), this general “problem” is covered by the following text…

To modify the requestFiltering section on BITS-enabled distribution point computers

If package source files distributed to BITS-enabled distribution points contain file extensions that are blocked by default in IIS 7.0, the requestFiltering section of the applicationHost.config file must be modified to allow required extensions.

~b727336Important

Enabling WebDAV and modifying the requestFiltering section of the applicationHost.config file for the Web site increases the attack surface of the computer. Enable WebDAV only when required for management points and BITS-enabled distribution points. If you enable WebDAV on the default Web site, it is enabled for all applications using the default Web site. If you modify the requestFiltering section, it is modified for all Web sites on that server. The security best practice is to run Configuration Manager 2007 on a dedicated Web server. If you must run other applications on the Web server, use a custom Web site for Configuration Manager 2007. For more information, see Best Practices for Securing Site Systems.

************* Update **************

 

Thanks to my colleague Merlijn for helping me figuring this out.

 

Hope it helps ,

 

Kenny Buntinx

Tweet about this on TwitterShare on FacebookShare on Google+Share on LinkedInPin on Pinterest