Configuration Manager Post In-place OS upgrade, CreateMedia.exe finished with error code 80004005

Another short post to highlight an issue after performing an In-place OS upgrade from Windows Server 2008 R2 to Windows Server 2012 R2 – Configuration Manager 1602

When attempting to create standalone media on a remote console, the error below was displayed in CreateTsMedia.log:

Retrieving info for package H0100143.4

Content library is on remote system ‘SiteServer’
Cannot connect to remote registry on ‘SiteServer’ (frequent cause is remote registry service is not running) 
Trying to use WMI to read from the remote registry.
Failed to open to WMI namespace ‘SiteServer\root\default’ (80041003)
Unable to open WMI namespace ‘SiteServer\root\default’ (0x80041003)
Failed to connect to namespace ‘root\default’ needed to read remote registry values. The user who creates media has to be local administrator on remote DP on ‘SiteServer’ which contains media content.
Content library location could not be found.
Omitting package source ‘SiteServer’ because content library location or its usable drives cannot be read from registry of ‘SiteServer’
CreateMedia.exe finished with error code 80004005 

As you can see, the process is unable to read the content library location from the registry.

Content library location could not be found.
Omitting package source ‘SiteServer’ because content library location or its usable drives cannot be read from registry of ‘SiteServer’

After a while of troubleshooting, I discovered that remote registry access had been removed from the registry string shown below; this entry bypasses the restrictions that apply to remote services.

[screenshot: remote-registry]

Once I restored this entry the process was able to complete on a remote console.

Further information about access to the remote registry is available here.
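The two lookups CreateMedia.exe attempts (remote registry first, then the StdRegProv class in root\default over WMI) can be reproduced from the console machine to pin down which step fails. This is an added diagnostic, not code from the original post; the server name and the registry path of the content library value are assumptions.

```powershell
# Added diagnostic (not from the original post): reproduces the two lookups
# CreateMedia.exe performs against the DP/site server so the failing step can
# be identified before the wizard is run again.
# Server name and registry path are assumptions; adjust them for your site.
param([string]$SiteServer = 'SiteServer')

# Assumed location of the content library path value on the DP
$regPath  = 'SOFTWARE\Microsoft\SMS\DP'
$regValue = 'ContentLibraryPath'

# Step 1: remote registry (needs the Remote Registry service and winreg access)
try {
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $SiteServer)
    $key  = $base.OpenSubKey($regPath)
    $path = $key.GetValue($regValue)
    Write-Host "Remote registry OK: $regValue = $path"
    return
} catch {
    Write-Warning "Remote registry failed: $($_.Exception.Message)"
}

# Step 2: fall back to StdRegProv in root\default, as CreateMedia does.
# This needs Remote Enable on root\default plus local admin on the DP.
try {
    $reg  = Get-WmiObject -Namespace 'root\default' -Class StdRegProv -List -ComputerName $SiteServer
    $HKLM = [uint32]2147483650
    $res  = $reg.GetStringValue($HKLM, $regPath, $regValue)
    if ($res.ReturnValue -eq 0) {
        Write-Host "WMI fallback OK: $regValue = $($res.sValue)"
    } else {
        Write-Warning "WMI connected but the value read failed (Win32 error $($res.ReturnValue))"
    }
} catch {
    # 0x80041003 here is WBEM_E_ACCESS_DENIED: the user creating the media
    # lacks rights on root\default / local admin on the DP
    Write-Warning "WMI root\default failed: $($_.Exception.Message)"
}
```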

Error opening remote console after Configuration Manager in-place OS upgrade

Quick post about issues connecting to the site with a remote console after upgrading the server OS from Windows Server 2008 R2 to Windows Server 2012 R2.

After the upgrade, all remote consoles were unable to connect to the site.

[screenshot: console-error]

After reviewing the SMSAdminUI.log on one of the remote devices, there were access denied errors:

System.Management.ManagementException
Access denied
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)

I granted one user local admin rights on the SCCM server hosting the SMS Provider, and console access was restored.

I reviewed the DCOM permissions which were fine, however, the WMI permissions for the SMS Admins group were missing!

I checked the WMI permissions using wmimgmt.msc and added the required permissions:

[screenshot: wmi.PNG]

[screenshot: wmi1.PNG]

I removed the local admin permissions and tested again; console access was working again.

More detail

In order to access a local or remote SMS Administrator console, users must be members of the SMS Admins local group. The SMS Admins group is explicitly granted Enable Account and Remote Enable on the Root\SMS namespace. The SMS Admins group provides its members with access to the SMS Provider, through WMI. Add users to the SMS Admins group when they need to access the SMS Administrator console but do not have to be local administrators.

Console access troubleshooting

https://support.microsoft.com/en-us/kb/317872
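The Enable Account and Remote Enable rights described above can be verified from a script instead of by clicking through wmimgmt.msc. This is an added check, not code from the original post; the provider host name and the trustee name are assumptions.

```powershell
# Added check (not from the original post): reads the security descriptor of
# the root\SMS namespace on the SMS Provider host and reports whether a trustee
# holds Enable Account and Remote Enable, the two rights SMS Admins needs.
# Provider host and group name are assumptions.
param(
    [string]$Provider = 'SiteServer',
    [string]$Trustee  = 'SMS Admins'
)

# Access-mask bits used by WMI namespace security
$WBEM_ENABLE        = 0x1    # Enable Account
$WBEM_REMOTE_ACCESS = 0x20   # Remote Enable

$sec = Get-WmiObject -Namespace 'root\SMS' -Class '__SystemSecurity' -ComputerName $Provider
$sd  = $sec.GetSecurityDescriptor()
if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sd.ReturnValue)" }

$found = $false
foreach ($ace in $sd.Descriptor.DACL) {
    if ($ace.Trustee.Name -ne $Trustee) { continue }
    $found = $true
    if ($ace.AceType -ne 0) {            # 0 = allow, 1 = deny
        Write-Warning "Deny ACE present for '$Trustee' on root\SMS"
        continue
    }
    $hasEnable = ($ace.AccessMask -band $WBEM_ENABLE) -ne 0
    $hasRemote = ($ace.AccessMask -band $WBEM_REMOTE_ACCESS) -ne 0
    "{0}\{1}: EnableAccount={2} RemoteEnable={3} (mask 0x{4:X})" -f `
        $ace.Trustee.Domain, $ace.Trustee.Name, $hasEnable, $hasRemote, $ace.AccessMask
    if (-not ($hasEnable -and $hasRemote)) {
        Write-Warning "Rights missing on root\SMS; expect 'Access denied' in SMSAdminUI.log"
    }
}
if (-not $found) { Write-Warning "No ACE for '$Trustee' on root\SMS on $Provider" }
```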


Configuration Manager Assessment

Things to consider when doing a Configuration Manager assessment:

Network environment:

What does your network topology look like?

What are the WAN link speeds, network latency and bandwidth?

What network infrastructure and security devices are in place?

What ports and protocols are allowed through these devices?

What are the usage patterns for network resources, network utilization?

At which locations will you provide services?

What client systems are at each location?

How many devices are to be managed in total?

What users are at each location?

How do external/remote users connect to the corporate network?

Is support for 802.1X authentication required?

Is there a PKI implementation?

Is a POC environment available?

How are change requests handled?

Active Directory environment:

Do you have multiple AD forests?

If so, what are the trust relationships?

Will you support computers in workgroups?

SCCM Operators:

Who will use the system?

What tasks will they be required to do?

Server and Data Center infrastructure:

Is server infrastructure centralized in a few large data centers or is it distributed?

Are some data centers better connected than are others?

What are the hardware standards?

Is virtualization preferred?

Installed client base and hardware refresh cycle:

What is the hardware and operating system (OS) mix for the installed PC base?

How are new systems imaged?

Is PXE booting to install images required?

What mobile devices are in use?

Is there a need to support embedded systems?

How often are systems replaced?

Are users allowed to bring their own systems?

Is there a planned OS upgrade?

Who are you deploying Windows to or for?

What OS are you deploying?

What applications do you want to deploy with the OS?

Will this be different for different user or system roles?

To which hardware models are you deploying the OS?

Will you support mobile device clients such as smartphones, or Internet-only clients?

Will App-V be enabled for deploying virtualised applications?

How are clients being updated with Windows patches?

Are third party update patches required?

Existing SQL Server deployment:

Will you be using existing SQL servers?

Do these systems meet ConfigMgr requirements?

Are SQL servers clustered?

Are SQL reporting services deployed?

Storage and backup infrastructure:

What storage technologies are in use?

How is data replicated between storage systems?

Details of the design, such as optimum server placement, hardware configuration and client installation methods, depend on the IT infrastructure and services you have in place.

How to verify if site maintenance tasks are running successfully

If you would like to know whether the site maintenance tasks are running successfully, you can either check the site status for errors or use the SQL query below:

select *,
floor(DATEDIFF(ss,laststarttime,lastcompletiontime)/3600) as Hours,
floor(DATEDIFF(ss,laststarttime,lastcompletiontime)/60)- floor(DATEDIFF(ss,laststarttime,lastcompletiontime)/3600)*60 as Minutes,
floor(DATEDIFF(ss,laststarttime,lastcompletiontime))- floor(DATEDIFF(ss,laststarttime,lastcompletiontime)/60)*60 as TotalSeconds
from SQLTaskStatus

CompletionStatus 0 = success.

Clients not communicating with MP after in-place OS upgrade – Configuration Manager 1602

After an in-place OS upgrade from Windows Server 2008 R2 to Windows Server 2012 R2, communication between the Configuration Manager MP and the clients was not working.

A site reset did not resolve this issue.

Useful errors

During the OS upgrade the SMS folder in the certificate store is removed; it is recreated once the ConfigMgr services are restarted, and after some time some of the certificates come back, but not all of them.

This is how the cert store looked before the OS upgrade. The Site Server, Site System Identification and SMS Provider certs were recreated, but the others were not.

[screenshot: certs]

MP logs

MP_Policy.log

CHandlePolicyAssignmentRequest::CreatePolicyRequestStagingFile: cannot create or find policy request file        MP_PolicyManager        7/12/2016 10:08:22 PM        8772 (0x2244)

CHandlePolicyAssignmentRequest::Execute(): CreatePolicyRequestStagingFile() failed with error: 0x80070020.        MP_PolicyManager        7/12/2016 10:08:22 PM        8772 (0x2244)

CPolicyManagerHandler::HandleMessage(): SetComplete(DISCARD) called.        MP_PolicyManager        7/12/2016 10:08:22 PM        8772 (0x2244)

Client logs

LocationServices.log

Failed to verify message. Sending MP [MP server] not in cached MPLIST.        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

MPLIST requests are throttled for 00:26:05        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

Failed to send web service info Location Request Message        LocationServices        12/07/2016 13:10:38        18512 (0x4850)

Failed to verify message. Could not retrieve certificate from MPCERT.        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

MPCERT requests are throttled for 00:04:50        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

Failed to verify message. Sending MP [MP server] not in cached MPLIST.        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

MPLIST requests are throttled for 00:26:05        LocationServices        12/07/2016 13:10:38        24440 (0x5F78)

Failed to send web service info Location Request Message        LocationServices        12/07/2016 13:10:38        18512 (0x4850)

LocationServices::CCMVerifyServiceSignature: Unable to refresh Web Service MP server certificate        LocationServices        12/07/2016 13:10:38        18512 (0x4850)

LocationServices::VerifyDataSignature: Overall signature verification failed – 0x87D00309; checking if status message should be sent.        LocationServices        12/07/2016 13:10:38        18512 (0x4850)

Failed to verify message. Could not retrieve certificate from MPCERT.        LocationServices        12/07/2016 13:11:19        24232 (0x5EA8)

Attempting to refresh certificate information from AD LocationServices 12/07/2016 13:41:19 17684 (0x4514)
Failed to refresh certificate information from AD LocationServices 12/07/2016 13:41:19 17684 (0x4514)
Failed to verify Certificate with error 0x80070057. LocationServices 12/07/2016 13:41:19 17684 (0x4514)

Cause

After the OS upgrade, some of the site server certificates were missing:

SMS Signing Certificate

SMS SMP Encryption Certificate

SMS Encryption Certificate

Resolution

Restore the certs from backup, reboot the server and wait for 1-2 hours! 🙂

You should then see the following in the client-side LocationServices.log:

Attempting to refresh certificate information from AD LocationServices 12/07/2016 14:01:19 22964 (0x59B4)
Refreshed Certificate Information from AD LocationServices 12/07/2016 14:01:19 22964 (0x59B4)
Retrieved thumbprints from AD LocationServices 12/07/2016 14:01:19 22964 (0x59B4)
Successfully stored new Site Server Signing Certificate… LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Name : Site Server LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Thumbprint : D9B1FFFA03C94CB5BAE4A94E16D8A4E523826918 LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Valid From: 2016-07-05, 15:21 LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Valid To : 2116-06-12, 15:21 LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
Refreshed Site Signing Certificate over AD LocationServices 12/07/2016 14:01:20 20400 (0x4FB0)
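A quick way to confirm the site server's SMS store still holds the certificates this post found missing is to list the store and compare it with that list. This is an added check, not code from the original post; it assumes the certificates can be recognised by friendly name or subject.

```powershell
# Added check (not from the original post): compares the local machine's SMS
# certificate store against the certificates that went missing in this post.
# The expected names come from the post; matching them by friendly name or
# subject is an assumption about how the store labels them.
$expected = @(
    'SMS Signing Certificate',
    'SMS SMP Encryption Certificate',
    'SMS Encryption Certificate'
)

$store = @(Get-ChildItem -Path 'Cert:\LocalMachine\SMS' -ErrorAction Stop)
Write-Host "SMS store holds $($store.Count) certificate(s):"
$store | ForEach-Object {
    "{0,-35} {1}  {2:yyyy-MM-dd} -> {3:yyyy-MM-dd}" -f `
        $_.FriendlyName, $_.Thumbprint, $_.NotBefore, $_.NotAfter
}

$missing = $expected | Where-Object {
    $name = $_
    -not ($store | Where-Object { $_.FriendlyName -eq $name -or $_.Subject -like "*$name*" })
}
if ($missing) {
    Write-Warning ("Missing from Cert:\LocalMachine\SMS: " + ($missing -join ', '))
    Write-Warning "Clients will log 'Could not retrieve certificate from MPCERT' until these are restored"
} else {
    Write-Host 'All expected site server certificates are present'
}
```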


SCCM Cross Forest support

Here are some points about cross-forest support.

A two-way trust is mainly needed for adding a child primary or secondary site in a remote forest.

To consolidate devices in a remote forest into an existing site, no trust is required.

To allow remote forest support in an existing primary site, everything is configurable from the console and a specific account can be used to connect to the remote forest (so a trust is not actually required); the required network traffic obviously needs to be allowed.

To summarise, the goal is to:

• Discover the forest and publish Configuration Manager Site information into the forest.
• Configure AD System Discovery to run against the forest.
• Configure Client Push Installation to work in the forest.
• PXE boot clients for OSD

Configuration Overview –

• Add the forest to the Active Directory Forest Hierarchy Configuration Node in the ConfigMgr console. This will discover information about the forest such as sites and subnets and also allow us to further configure publishing to this forest.
• Publish the ConfigMgr 2012 site information into the remote AD forest. The Active Directory of the forest will require the CM 2007/2012 schema extensions, and the System Management container will need to exist prior to publishing.
• Configure System Discovery for the remote forest.
• Ensure that boundaries have been created that will represent each client in the remote forest and that these boundaries have been added to a configured boundary group.
• Configure Client Push Installation with an account suitable for client installation in the remote forest.
• Deploy clients
• For PXE, use IP helpers, which is the preferred method to allow clients to find the PXE server.
• Deploy PXE DP in remote forest

Points to consider:

The Application Catalog web service point must be installed in the same forest as the site server.

Firewalls must allow the network traffic even when the site server initiates the transfer of data.

Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must allow applicable traffic from the untrusted forest to the site's SQL Server:

• Asset Intelligence synchronization point
• Endpoint Protection point
• Enrollment point
• Management point
• Reporting service point
• State migration point

The management point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must configure the site system role connection account to enable the site system role to obtain information from the database.

If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site:

• Management point: Management Point Database Connection Account
• Enrollment point: Enrollment Point Connection Account

Links
https://technet.microsoft.com/en-us/library/gg712701.aspx?f=255&MSPPError=-2147217396#Plan_Com_X-Forest

http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx

Client Push requirements

Client Push is a feature that repairs defective SCCM clients that are on the domain but not reporting to their assigned site. Additionally, machines that have never received the SCCM client will have it installed.

There are several prerequisites to meet before you can successfully push a client to a remote computer:

One of the specified client push installation accounts must be a member of the local Administrators group on the destination computer. Alternatively, you can add the machine account of the SCCM site server as a local administrator.

The computer must have the ADMIN$ share enabled.
The computer must be found by the site server and vice versa, using DNS name resolution.
Client Push Installation Firewall Exceptions –
In order to successfully use client push to install clients, you must add the following as exceptions to the Windows Firewall or any other firewall between the site server and the client machine:

File and Printer Sharing
Windows Management Instrumentation (WMI)

Ports:

Traffic                                                                       UDP   TCP
Server Message Block (SMB) between the site server and client computer        —     445
RPC endpoint mapper between the site server and the client computer           135   135
RPC dynamic ports between the site server and the client computer             —     DYNAMIC
Hypertext Transfer Protocol (HTTP) from the client computer to a mixed
mode management point (see note 1, alternate port available)                  —     80
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a
native mode management point (see note 1, alternate port available)           —     443

In the client push installation method, the server makes an initial connection to the admin$ share on the prospective client computer using Windows file-sharing protocols. Administrative access to the client is required to connect to the admin$ share.

The site server uses these connections to copy the required setup files to the client and then installs and starts the ccmsetup service.
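The prerequisites above (name resolution, ports 135 and 445, the ADMIN$ share and local admin rights for the push account or the site server computer account) can be tested from the site server before a push is attempted. This is an added check, not code from the original post; the target computer and push account names are assumptions, and dynamic RPC ports are not tested because they cannot be known in advance.

```powershell
# Added check (not from the original post): tests the client push
# prerequisites listed above from the site server against one target.
# Target name and push account are assumptions.
param(
    [string]$Target      = 'CLIENT01',
    [string]$PushAccount = 'DOMAIN\svc-ccmpush'
)
$ok = $true

# 1. Name resolution in both directions
try {
    $ip      = [System.Net.Dns]::GetHostAddresses($Target)[0].IPAddressToString
    $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName
    Write-Host "DNS: $Target -> $ip -> $reverse"
} catch { Write-Warning "DNS lookup failed: $($_.Exception.Message)"; $ok = $false }

# 2. Firewall: RPC endpoint mapper (135) and SMB (445); dynamic RPC ports are not testable here
foreach ($port in 135, 445) {
    $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { Write-Host "TCP $port open" }
    else { Write-Warning "TCP $port blocked"; $ok = $false }
}

# 3. ADMIN$ share reachable with the current credentials
if (Test-Path "\\$Target\ADMIN$") { Write-Host 'ADMIN$ reachable' }
else { Write-Warning 'ADMIN$ not reachable'; $ok = $false }

# 4. Push account or the site server computer account is a local administrator
try {
    $group   = [ADSI]"WinNT://$Target/Administrators,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)) -replace '^WinNT://', '' -replace '/', '\'
    }
    $wanted = @($PushAccount, "$env:USERDOMAIN\$env:COMPUTERNAME$")
    $hit = $members | Where-Object { $wanted -contains $_ }
    if ($hit) { Write-Host "Local admin present: $($hit -join ', ')" }
    else { Write-Warning "Neither $PushAccount nor the site server computer account is in Administrators"; $ok = $false }
} catch { Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"; $ok = $false }

if ($ok) { 'All client push prerequisites met' } else { 'One or more client push prerequisites failed' }
```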