Clients not communicating with MP after in-place OS upgrade – Configuration Manager 1602

After an in-place OS upgrade from Windows Server 2008 R2 to Windows Server 2012 R2, communication between the Configuration Manager management point (MP) and its clients stopped working.

A site reset did not resolve the issue.

Useful errors 

During the OS upgrade the SMS folder in the certificate store is removed. It is recreated once the ConfigMgr services are restarted, and over time some of the certificates come back, but not all of them.

This is how the cert store looked before the OS upgrade. After it, the Site Server, Site System Identification and SMS Provider certs were recreated, but the others were not.

[screenshot: certs]

MP logs

MP_Policy.log

CHandlePolicyAssignmentRequest::CreatePolicyRequestStagingFile: cannot create or find policy request file        MP_PolicyManager        7/12/2016 10:08:22 PM        8772 (0x2244)

CHandlePolicyAssignmentRequest::Execute(): CreatePolicyRequestStagingFile() failed with error: 0x80070020.        MP_PolicyManager        7/12/2016 10:08:22 PM        8772 (0x2244)

CPolicyManagerHandler::HandleMessage(): SetComplete(DISCARD) called.        MP_PolicyManager        7/12/2016 10:08:22 PM        8772 (0x2244)

Client logs

LocationServices.log

Failed to verify message. Sending MP [MP server] not in cached MPLIST.        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

MPLIST requests are throttled for 00:26:05        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

Failed to send web service info Location Request Message        LocationServices        12/07/2016 13:10:38        18512 (0x4850)

Failed to verify message. Could not retrieve certificate from MPCERT.        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

MPCERT requests are throttled for 00:04:50        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

Failed to verify message. Sending MP [MP server] not in cached MPLIST.        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

MPLIST requests are throttled for 00:26:05        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

Failed to send web service info Location Request Message        LocationServices        12/07/2016 13:10:38        18512 (0x4850)

LocationServices::CCMVerifyServiceSignature: Unable to refresh Web Service MP server certificate        LocationServices        12/07/2016 13:10:38        18512 (0x4850)

LocationServices::VerifyDataSignature: Overall signature verification failed – 0x87D00309; checking if status message should be sent.        LocationServices        12/07/2016 13:10:38        18512 (0x4850)

Failed to verify message. Could not retrieve certificate from MPCERT.        LocationServices        12/07/2016 13:11:19        24232 (0x5EA8)

Attempting to refresh certificate information from AD LocationServices 12/07/2016 13:41:19 17684 (0x4514)
Failed to refresh certificate information from AD LocationServices 12/07/2016 13:41:19 17684 (0x4514)
Failed to verify Certificate with error 0x80070057. LocationServices 12/07/2016 13:41:19 17684 (0x4514)
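To triage a client quickly instead of reading the whole log, the following is an added example (not code from the original post) that parses lines in the plain whitespace-separated layout shown above for both MP_Policy.log and LocationServices.log, pulls out the HRESULTs, and groups the failures. It assumes that layout (message, component, date, time, thread id) rather than the CMTrace `<![LOG[...]LOG]!>` format, and the sample lines below are constructed copies of the ones quoted on this page.

```powershell
# Added example, not part of the original post.
# Assumes the plain log layout shown on this page:
#   <message> <component> <date> <time>[ AM|PM] <thread id> (<thread id hex>)
# The CMTrace <![LOG[...]LOG]!> layout needs a different parser.

# HRESULTs that appear on this page. The first two are the documented Win32/COM meanings;
# 0x87D00309 is described only the way LocationServices.log itself describes it.
$KnownCodes = @{
    '0x80070020' = 'ERROR_SHARING_VIOLATION (file is in use by another process)'
    '0x80070057' = 'E_INVALIDARG (one or more arguments are invalid)'
    '0x87D00309' = 'overall signature verification failed (per LocationServices.log)'
}

function ConvertFrom-CcmLogLine {
    # Turns one log line into an object; lines that do not fit the layout are dropped.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        $re = '^(?<msg>.+?)\s+(?<comp>\S+)\s+(?<date>\S+)\s+(?<time>\S+(?:\s+[AP]M)?)\s+(?<tid>\d+)\s+\((?<tidhex>0x[0-9A-Fa-f]+)\)\s*$'
        if ($Line -match $re) { $m = $Matches } else { return }
        # First HRESULT inside the message text (the thread id in parentheses is not part of it)
        $code = $null
        if ($m.msg -match '0x[0-9A-Fa-f]{8}') { $code = $Matches[0] }
        [pscustomobject]@{
            Time      = "$($m.date) $($m.time)"
            Component = $m.comp
            Thread    = [int]$m.tid
            Message   = $m.msg
            ErrorCode = $code
            Meaning   = if ($code -and $KnownCodes.ContainsKey($code)) { $KnownCodes[$code] } else { $null }
        }
    }
}

function Get-CcmLogFailure {
    # Summarises failure lines: how often each distinct message occurs, when first seen, and its code.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $Lines | ConvertFrom-CcmLogLine |
        Where-Object { $_.Message -match 'failed|unable|cannot' } |
        Group-Object -Property Message |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count     = $_.Count
                FirstSeen = $_.Group[0].Time
                Component = $_.Group[0].Component
                ErrorCode = $_.Group[0].ErrorCode
                Meaning   = $_.Group[0].Meaning
                Message   = $_.Name
            }
        }
}

# Constructed sample: lines quoted on this page, plus one healthy line that must be ignored.
$sample = @(
    'CHandlePolicyAssignmentRequest::Execute(): CreatePolicyRequestStagingFile() failed with error: 0x80070020.        MP_PolicyManager        7/12/2016 10:08:22 PM        8772 (0x2244)'
    'Failed to verify message. Sending MP [MP server] not in cached MPLIST.        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)'
    'Failed to verify message. Could not retrieve certificate from MPCERT.        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)'
    'LocationServices::VerifyDataSignature: Overall signature verification failed - 0x87D00309; checking if status message should be sent.        LocationServices        12/07/2016 13:10:38        18512 (0x4850)'
    'Failed to verify Certificate with error 0x80070057. LocationServices 12/07/2016 13:41:19 17684 (0x4514)'
    'Refreshed Site Signing Certificate over AD LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)'
)
Get-CcmLogFailure -Lines $sample | Format-Table -AutoSize

# Against a real client:
#   Get-CcmLogFailure -Lines (Get-Content 'C:\Windows\CCM\Logs\LocationServices.log')
```

The message filter is deliberately broad (`failed|unable|cannot`); the grouping is what makes it useful, because a client in this state repeats the same two or three messages every MPLIST/MPCERT throttle window and the counts make that obvious.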

Cause

After the OS upgrade, some of the site server certificates were missing from the SMS store:

SMS Signing Certificate

SMS SMP Encryption Certificate

SMS Encryption Certificate

Resolution

Restore the certificates from backup, reboot the server, and wait 1-2 hours! 🙂

You should then see the following in the client-side LocationServices.log:

Attempting to refresh certificate information from AD LocationServices 12/07/2016 14:01:19 22964 (0x59B4)
Refreshed Certificate Information from AD LocationServices 12/07/2016 14:01:19 22964 (0x59B4)
Retrieved thumbprints from AD LocationServices 12/07/2016 14:01:19 22964 (0x59B4)
Successfully stored new Site Server Signing Certificate… LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Name : Site Server LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Thumbprint : D9B1FFFA03C94CB5BAE4A94E16D8A4E523826918 LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Valid From: 2016-07-05, 15:21 LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Valid To : 2116-06-12, 15:21 LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Refreshed Site Signing Certificate over AD LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
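The fix depends on having a backup of the SMS store to restore from, so the following is an added example (not code from the original post) that audits the store for the certificates named in the Cause section, exports them before an upgrade, and imports them afterwards. It assumes the store is the one the PowerShell certificate provider exposes as `Cert:\LocalMachine\SMS`, that the certificates carry the friendly names the post lists (the three "recreated" ones are written as the post names them), and that the private keys are exportable; `Export-PfxCertificate` fails on any that are not, and the script reports those.

```powershell
# Added example, not part of the original post.
# Assumptions: the SMS store is Cert:\LocalMachine\SMS; friendly names are as the post lists them;
# private keys are exportable (Export-PfxCertificate throws otherwise and we warn on it).

$SmsStore = 'Cert:\LocalMachine\SMS'

# Names the post reports as missing after the upgrade ...
$MissingAfterUpgrade   = 'SMS Signing Certificate', 'SMS SMP Encryption Certificate', 'SMS Encryption Certificate'
# ... and the ones it reports as recreated (written as the post names them)
$RecreatedAfterUpgrade = 'Site Server', 'Site System Identification', 'SMS Provider'

function Test-SmsCertStore {
    # For each expected certificate: is it present, does it have a private key, which thumbprint.
    param([string] $StorePath = $SmsStore)
    $store = @(Get-ChildItem -Path $StorePath -ErrorAction Stop)
    foreach ($name in $MissingAfterUpgrade + $RecreatedAfterUpgrade) {
        $cert = $store | Where-Object { $_.FriendlyName -eq $name } | Select-Object -First 1
        [pscustomobject]@{
            Certificate   = $name
            Present       = [bool]$cert
            HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
            Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
        }
    }
}

function Backup-SmsCertStore {
    # Exports every certificate that has a private key to <thumbprint>.pfx. Run BEFORE the upgrade.
    param(
        [Parameter(Mandatory)] [string] $Destination,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $StorePath = $SmsStore
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }       # nothing worth restoring without the key
        $file = Join-Path $Destination "$($cert.Thumbprint).pfx"
        try {
            Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password -ChainOption EndEntityCertOnly | Out-Null
            Write-Verbose "Exported '$($cert.FriendlyName)' to $file"
        } catch {
            Write-Warning "Could not export '$($cert.FriendlyName)' ($($cert.Thumbprint)): $_"
        }
    }
}

function Restore-SmsCertStore {
    # Imports each backed-up PFX whose thumbprint is not already in the store, keeping the key
    # exportable so the next backup still works, then re-runs the audit.
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $StorePath = $SmsStore
    )
    foreach ($file in Get-ChildItem -Path $Source -Filter '*.pfx') {
        if (Test-Path -Path (Join-Path $StorePath $file.BaseName)) {
            Write-Verbose "$($file.BaseName) already present, skipping"
            continue
        }
        Import-PfxCertificate -FilePath $file.FullName -CertStoreLocation $StorePath -Password $Password -Exportable | Out-Null
    }
    Test-SmsCertStore -StorePath $StorePath
}

# Usage (elevated PowerShell on the site server):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Backup-SmsCertStore -Destination 'D:\SMSCertBackup' -Password $pw    # before the in-place upgrade
#   Test-SmsCertStore | Where-Object { -not $_.Present }                  # after it: what went missing?
#   Restore-SmsCertStore -Source 'D:\SMSCertBackup' -Password $pw         # then reboot and wait, as above
```

Treat the exported PFX files as site-wide secrets: the signing certificate's thumbprint is what clients pull from AD (see the "Retrieved thumbprints from AD" lines above) and use to verify policy, so anyone holding that key can sign policy every client in the site will accept. Keep the backup offline with a strong password and delete it once the restore is verified. After the import, check that `Test-SmsCertStore` still shows the friendly names, since that is how ConfigMgr tells the certificates apart.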

 


Client Push requirements

Client Push is the feature responsible for repairing broken SCCM clients that are on the domain but not reporting to their assigned site, and for installing the client on machines that have never received it.

There are several prerequisites to meet before you can successfully push a client to a remote computer:

One of the specified client push installation accounts must be a member of the local Administrators group on the destination computer. Alternatively, you can make the site server's computer account a member of that group; client push falls back to it when none of the listed accounts can connect.

The computer must have the ADMIN$ share enabled.
The computer must be found by the site server and vice versa, using DNS name resolution.
Client Push Installation Firewall Exceptions
In order to successfully use client push to install the client, you must add the following as exceptions to the Windows Firewall or any other firewall between the site server and the client machine:

File and Printer Sharing
Windows Management Instrumentation (WMI)

Ports:

Traffic                                                                   UDP   TCP
Server Message Block (SMB) between the site server and client computer    --    445
RPC endpoint mapper between the site server and the client computer       135   135
RPC dynamic ports between the site server and the client computer         --    dynamic
HTTP from the client computer to a mixed mode management point            --    80 (see note 1, alternate port available)
HTTPS from the client computer to a native mode management point          --    443 (see note 1, alternate port available)

In the client push installation method, the server makes an initial connection to the admin$ share on the prospective client computer using Windows file-sharing protocols. Administrative access to the client is required to connect to the admin$ share.

The site server uses these connections to copy the required setup files to the client and then installs and starts the ccmsetup service.
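The prerequisites above can be checked from the site server before you start a push. The following is an added example (not code from the original post) that tests name resolution, the SMB and RPC endpoint mapper ports, access to the ADMIN$ share and WMI for one prospective client. It needs PowerShell 4.0 / Windows Server 2012 R2 or later for `Resolve-DnsName` and `Test-NetConnection`, should be run as one of the client push installation accounts so the ADMIN$ and WMI results reflect the access client push itself will get, and it approximates the "vice versa" DNS requirement with a reverse (PTR) lookup from the site server; whether the client can resolve the site server can only be tested on the client.

```powershell
# Added example, not part of the original post.
# Assumptions: PowerShell 4.0+ (Resolve-DnsName, Test-NetConnection); run as a client push account.

function Test-ClientPushPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $r = [ordered]@{
        Computer = $ComputerName
        RanAs    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }

    # 1. DNS: forward lookup of the client, then a reverse lookup of the address it returned
    #    (stands in for the client-side half of "and vice versa").
    try {
        $a = Resolve-DnsName -Name $ComputerName -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
        $r['DnsForward'] = [bool]$a
        $r['DnsReverse'] = if ($a) {
            [bool](Resolve-DnsName -Name $a.IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue)
        } else { $false }
    } catch {
        $r['DnsForward'] = $false
        $r['DnsReverse'] = $false
    }

    # 2. Firewall: SMB (TCP 445) and RPC endpoint mapper (TCP 135). The RPC dynamic range cannot be
    #    probed with one port; if 135 is open but the WMI check below fails, suspect that range.
    foreach ($port in 445, 135) {
        $r["Tcp$port"] = (Test-NetConnection -ComputerName $ComputerName -Port $port `
                          -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 3. ADMIN$ reachable with the current credentials. This is the share client push copies
    #    ccmsetup to; success implies the account is a local administrator on the target.
    $r['AdminShare'] = [bool](Test-Path -Path "\\$ComputerName\ADMIN$" -ErrorAction SilentlyContinue)

    # 4. WMI (DCOM over RPC): exercises the endpoint mapper plus a dynamic port.
    try {
        $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $r['Wmi'] = $true
    } catch {
        $r['Wmi'] = $false
    }

    # Everything client push needs from the server side; DnsReverse is informational only.
    $r['ReadyForPush'] = $r['DnsForward'] -and $r['Tcp445'] -and $r['Tcp135'] -and $r['AdminShare'] -and $r['Wmi']
    [pscustomobject]$r
}

# Usage (hypothetical host name):
#   Test-ClientPushPrerequisite -ComputerName 'client01.contoso.local' | Format-List
```

`RanAs` is included on purpose: the most common false negative is running the check as a domain admin, which passes every test, while the configured push account is not in the target's local Administrators group.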

Client Push Installation change in Configuration Manager 2012 and how to take advantage of this change for troubleshooting purposes

Client push installation starts and tracks the installation of the client by using the Configuration Manager database and no longer creates individual .CCR files. When you enable client push installation for a site, all discovered resources that are assigned to the site and that do not have a client installed are immediately added to the database, and client installation begins.

What about the new data? There is a new view in the database named v_CP_Machine (found in a primary site database where client push installation is enabled or has been run manually). It holds information about the client push installation process for resources that are not yet clients: when the initial installation request was submitted, when the last attempt was made, how many attempts have been made, and the last error code.
