IT Consultant Everyday Notes

Just some problems/solutions storage

Monthly Archives: August 2012

Lync 2010: Federated contact state: Updating

I am migrating OCS 2007 RTM infrastructure to Lync 2010 Enterprise Edition. As per Microsoft documentation I added my Front-End server names to Internal tab on OCS 2007 Access Edge server.

Problem: Federated contacts are in “Updating…” state when use Lync 2013 client and “Unknown” when use Lync 2010 client.

Resolution: I ran logging on Access Edge and see the following in Snooper:


I added my pool name to Internal tab


and now I can see status of my federated contacts.

SCCM 2012: How to manage servers in DMZ

(in progress…)

I decided to figure out how to get DMZ servers managed using SCCM 2012.

  • Draft design: MP, DP and SUP are on Internal network. We are panning to manage servers in DMZ. The server belongs to a different domain. I am planning to publish ports 443 and 80 (if necessary) on my reverse proxy and hope it will work.Smile. Update: it does not work via proxy since a Client Certificate is used and proxy (at least TMG) cannot pass it to the MP located on Intranet. So I need to either configure firewall to allow TCP 443 from the Server in DMZ to MP on Intranet or (less secure) create a server publishing rule on TMG (keeping the source IP unchanged) and create a static route on MP so the traffic back to DMZ server pass via TMG, not default gateway (if TMG is not dg of course). 
  • I added dedicated MP/DP to Intranet and configure both of them to answer to Intranet and Internet requests. Important: add Internet name during installation, there is no way to add it later.
  • The server name for Internet and Intranet are different, so I have to add SAN to certificates.
  • Certificates:
Site settings As per Microsoft document I need set my site to serve both HTT and HTTPS and add CA root certificate to the site (in Site Properties). I am using Two level CA in a different forest, so I added both Root CA and Issuing CA certificates.
MP certificate It must be certificate with “Client Authentication” EKU. I created a duplicate from “Workstation” template with exportable private key and issued a certificate for the server Internet name as CN and Intranet name as SAN
ConfigMgr Web certificate I created a duplicate of “Web Server” template with exportable private key and issued a certificate for Internet name as CN and Intranet name as SAN
DP certificate This is a “Client Authentication” certificate again, so I decided to try to use the same I used for MP
  • Firewall: open 80 and 443 from server in DMZ to SCCM servers
  • Add Internet names to a hosts file on managed nodes (for test, planning to move the manes to DMZ DNS in future)
  • Install SCCM Client on a managed machine using: ccmsetup /usePKICert /NOCRLCheck /mp: SMSSITECODE=TOR  (where is Internet name for my MP/DP designated for DMZ management)



1. It is better to install IIS and assign ConfigMgr WEB certificate to  default web site before MP and DP installation.

2. After I installed MP it should grab a proper certificate from Local Store. It did it, but for some reasons setup could not verify connection to this new MP. it failed with error: Failed to send http request /SMS_MP/.sms_aut?MPLIST. Error 12175. I tried to restart SMS services, but it did not help. Reboot the new server fixed the issue.

3. Ideally you should have CRL available for clients. If this is not the case and you do not want to fix it – Disable CRL check


Finally the Client connected to SCCM:


4. Updates: Client should receive both update locations (Windows Updates site and SP).


BITS will try Microsoft site first – (it fails since I do not have Internet access from my DMZ systems):


CDTSJob::HandleErrors: DTS Job ‘{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}’ BITS Job ‘{AA69D14E-270B-4EF2-BA03-D91288D37D95}’ under user ‘S-1-5-18’ OldErrorCount 2440 NewErrorCount 2441 ErrorCode 0x80072EFD

CDTSJob::HandleErrors: DTS Job ID='{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}’ URL=’′ ProtType=1

and it switches to a Distribution point after that:

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} switched to location ‘:443/SMS_DP_SMSPKG">https://sccm.lab.<my domain here>:443/SMS_DP_SMSPKG$/0257c940-6d4b-4278-9b5e-a6d88c06e10f’.


DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state ‘RetrievedData’.

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} successfully completed download.

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state ‘NotifiedComplete’.

DTS job {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} has completed:
    Status : SUCCESS
    Start time : 08/28/2012 19:53:27
    Completion time : 08/30/2012 16:17:53
    Elapsed time : 92 seconds

SCCM 2012: HA for Admin Console–not possible

I tried to set up HA for SCCM 2012 Admin Console some time ago. Following Microsoft Instructions for HA I install the second SMS_Provider to my backup server and raised a MP there.

Unfortunately when I tried to connect to the server using Admin Console, I got:


After digging around I found I am not alone: – apparently HA is not supported for Admin Console; it works for Client load only…Ok, good to know what to promise to future Clients…

SCCM 2012: Local content cache failed for Workgroup machine

I have an SCCM 2012 single primary site infrastructure with two DPs configured for HTTP. Test clients are not joined to the domain. Network Access Account is properly configured.

All deployments configured to run directly from DP work fine.

Issue: Deployments configured to “Download content from distribution point and run locally” including all Windows Updates fail.

Errors (example – a windows update):


UpdatesHandler.log CAS failed to download update (4dfda4a4-f124-4589-bd1b-a6f45b71db16). Error = 0x80070005. Releasing content request.
DataTransfer.log Error sending DAV request. HTTP code 401, status ‘Unauthorized’
CAS.log Download failed for content 0e47d69c-240c-44e1-89c5-12333cd5fcf9.1 under context System, error 0x80070005

I am not sure why Network Access Account was not used. But it looks like it tried to use Local System Account for the Workgroup machine and failed with “Access Denied”.

Resolution: I enabled Anonymous Authentication for SMS_DP_SMSPKG$ folder in IIS and verified it set for IUSR user (I am using Server 2008 R2)


Note: the settings periodically flipped back to “Disabled” Sad smile  I finally found a KB explaining the behaviour. .  You basically need to enable anonymous connection in properties of DP:





SCCM 2012: Site Backup failed

Issue: I was trying to configure site backup Maintenance Task to put backup to a hidden share on my SCCM server. I am using a SQL Cluster as a backend. The backup failed with the error:

Error: Backup folder <My BackupFolder> does not exist or backup service does not have permission to access the folder.


Error: SQL Server could not prepare for the Backup. 

Resolution: Максимов Алексей pointed me to a fresh Microsoft link:

It turned out to be a known bug with SCCM 2012 (probably will be fixed with SP1).

There are several workarounds suggested – I used one recommended to create a Backup Share on SQL, not on ConfigMgr.

WDS configuration failed: Access Denied

Theoretically SCCM 2012 should install/configure WDS when you enable PXE for a Distribution Point. It did not happen in my case, so I needed to install WDS manually.

Problem: When you try to configure WDS option you get “Access Denied” error.

Resolution: I ran WDS mmc as a Domain Admin. That allowed to save configuration changes. The matter in fact it is documented here: – good to know.

SCCM 2012: PXE boot fails with: PXE-53: No boot filename received

I recently work on a case when we need to configure PXE boot –enabled Distribution Point for SCCM 2012 clients. Server holding DP and clients are in different subnets, so the router should be configured with IP Helpers (aka DHCP relays) to forward BOOTP requests from bare-metal clients to the PXE DP.

Problem: We configured IP helper on the router, but  PXE clients got an error: PXE-E53: No boot filename received. Everything was working if we configured options 66 and 67 (PXE server IP and boot image name) on the Corp DHCP, but this way is not recommended by Microsoft.

Resolution: In addition to IP Helper we needed to configure bootp-gateway option on the router and set it with IP address of the router for desktop VLAN.

Lync 2010: Database Update failed

One of requirements for Lync 2010 Update deployments (since CU4) is an upgrade of back-end database.

Here is my environment:

FE01.domain.tld – front-end

Cluster.domain.tld – back-end SQL cluster

Lync-Pool.domain.tld – FQDN of my Lync Pool


According the we need the following command (if Monitoring/Archiving databases are not collocated):

Install-CsDatabase -Update -ConfiguredDatabases –Cluster.domain.tld –UseDefaultSqlPaths


Unfortunately that command failed for me with an error saying Cluster.domain.tld pool cannot be found!


Resolution – I used NETBIOS name of my cluster instead of FQDN like this

Install-CsDatabase -Update -ConfiguredDatabases –Cluster –UseDefaultSqlPaths

These command passed successfully.