IT Consultant Everyday Notes

Just some problems/solutions storage

Category Archives: Upgrade

SCCM: Installation on hardened server

One of my Customers asked me to migrate an existing SCCM 2012 R2 to SCCM CB. They preferred side-by-side migration.

Everything looked good until I figured out that the server they gave me for the new SCCM was hardened. I guess the security team did it for good reasons, but as a result I had some fun with a trivial SCCM installation.

1. They used a third-party tool to remove TLS 1.0-1.1 and old SSL, leaving only TLS 1.2 available. 3DES was killed too.

As a result, when I ran prereqchk.exe /Local before the SCCM installation I received errors about SQL indexing, collation (which I knew I had set correctly), sysadmin membership etc… SQL looked good, but in the prereqchk log I saw: “Failed to connect to the SQL Server, connection type: SMS Master”

and in the event log I observed: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

I removed the fresh machine keys from Programdata\microsoft\crypto\RSA – it did not help.

I set “Use FIPS compliant algorithms for encryption”; after that the error in the event log changed to say that the TLS 1.0 protocol is being used (I never knew it is FIPS compliant), but it is not configured.

So, at this point I ran IISCrypto and learnt that the protocols were disabled.

As soon as I enabled the old, obsolete TLS 1.0, prereqchk.exe passed smoothly and I started the SCCM installation.

Microsoft says only SSL 3.0 should be disabled and clearly requires both TLS 1.1 and 1.2 enabled. But in my case I still needed TLS 1.0 enabled too. So it looks like a work in progress to me.

There is another article from Microsoft. It talks about TLS 1.2 configuration for SCCM CB 1610+. But it looks like it is about post-installation TLS 1.2 support, and I had an issue during installation. In addition, I tried my best to understand what I should configure on Windows Server 2016 with .Net 4.7 and SQL 2016 SP1, and as far as I understood I should do nothing, it is supposed to just work :). I would prefer Microsoft present the information in some kind of matrix for different .Net versions, OS versions and SQL…

2. Everything was fine until the installer tried to set up a Management Point.

This time an error in ConfigMgrsetup.log said:

Unable to find an existing certificate in the store.  Creating a new self-signed certificate…    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a cryptographic key (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a CSP or key container (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to create the certificate (0x8009000f)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
ERROR: Failed to find or create SQL Server certificate.    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)

This time I spent more time troubleshooting and finally opened a case with Microsoft. The tech found that the local Administrators group had been removed from the permissions on Programdata\microsoft\crypto\RSA and Setup could not create a private key there. We granted Full Control to the local Administrators group, re-installed the MP and this time it was set up.
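A pre-flight check for the two hardening effects described in points 1 and 2, as an added example; this is my own PowerShell, not the post's or Microsoft's code. It assumes it runs elevated on the site server, reads the standard SCHANNEL and FipsAlgorithmPolicy registry keys and the MachineKeys folder ACL, and the output strings are my own.

```powershell
# Added check script (not from the original post). Assumes an elevated PowerShell on the
# SCCM site server; registry paths are the standard SCHANNEL / FIPS locations.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    param([string]$Key)   # e.g. 'Protocols\TLS 1.0\Server' or 'Ciphers\Triple DES 168'
    $path = Join-Path $schannel $Key
    if (-not (Test-Path $path)) { return 'not configured (OS default)' }
    $p = Get-ItemProperty -Path $path
    if ($p.Enabled -eq 0)           { return 'DISABLED' }
    if ($p.DisabledByDefault -eq 1) { return 'disabled by default' }
    return 'enabled'
}

# 1. Protocol and cipher state: in the post prereqchk only passed once TLS 1.0 was re-enabled,
#    and the hardening tool had also removed 3DES.
foreach ($k in 'Protocols\TLS 1.0\Server', 'Protocols\TLS 1.0\Client',
               'Protocols\TLS 1.1\Server', 'Protocols\TLS 1.2\Server',
               'Ciphers\Triple DES 168') {
    '{0,-28} {1}' -f $k, (Get-SchannelState $k)
}

# FIPS policy ("Use FIPS compliant algorithms for encryption"), which changed the error text.
$fips = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
            -ErrorAction SilentlyContinue).Enabled
"FipsAlgorithmPolicy Enabled = $fips"

# 2. Setup creates the SQL certificate's private key under MachineKeys; the local
#    Administrators group needs Full Control there (the permission the hardening removed).
$mk   = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl -Path $mk
$adminRule = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $full) -eq $full)
}
if ($adminRule) {
    "MachineKeys: BUILTIN\Administrators has Full Control"
} else {
    "MachineKeys: BUILTIN\Administrators is MISSING Full Control - expect 0x80070057 / 0x8009000f when the MP is set up"
}
```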

3. Set up, but not properly running – both standard tests (https://technet.microsoft.com/en-us/library/bb932118.aspx?f=255&MSPPError=-2147217396) from a web browser gave me Internal Server Error (HTTP Error 500.19).

Fortunately I found Heinrich’s article (http://heinrichandsccm.blogspot.ca/2013/05/http-error-50019-internal-server-error.html). I re-installed WSUS and the MP started to work. After that I ran wsusutil for the post-install configuration and it finished successfully.

And after all the changes above I succeeded in installing SCM 4.0; before, it had failed with a generic 1603 error.


SCCM: Side-by-side migration. Changing Site for Clients.

I do site migrations for my Customers from time to time. Most often SCCM 2007/2012 to SCCM CB. The procedure is well documented and generally works well. But the last step – moving SCCM Clients from the old site to the new site – is not very clear.

What I normally did is use Jason Sandys’ startup script (https://home.configmgrftw.com/configmgr-client-startup-script/) to re-install an SCCM Client with the new site code. But that always looked like a bit too much for me.

These days I am participating in the IT/DEV Connection conference and raised this scenario for the panel of SCCM experts we have here. Here are the main points of the discussion:

1. Do not use the SCCM ADMX template in GPO to change the SCCM code only. Sometimes it does not work and just breaks the client.

2. Jason’s script is probably the best way to re-point the client for today.

3. Wally also mentioned we can create a package for a NEW client with the new site code on the OLD SCCM and deploy it. That will update the Client binaries and re-point it at the same time.

4. Some people recommended managing site assignment via site Boundaries (in this case we should have separate boundaries for the old and new SCCM). But as far as I remember it is not recommended even by MS itself.

So the bottom line is: after a side-by-side migration we need to reinstall the Client using either Jason’s script above or the method recommended by Wally.

SCCM: What NOT to do when upgrading SCCM CB

Gerry published a piece of wisdom from the Prod Team:

  1. Do NOT manually clean up EasySetupPayload folder for CM update that is being downloaded/processed.
  2. Do NOT manually clean up CMU without confirming the correct state and content library for the Easy Setup package.
  3. Do NOT restore the CM database/CM site server if there is an error with CM update (fix the issue and “retry installation”).
  4. Do NOT reinstall the Service Connection Point if an update is in progress.
  5. Do NOT use 1602 cd.latest to install a standalone primary site (Note: you can use this method to install a child primary to a 1602 CAS).
  6. Do NOT use 1602 cd.latest to upgrade a 1511 site or R2 SP1 (or earlier) site.
  7. Do NOT manually clean up any CM_Update* tables.
  8. Do NOT restart CMU service during installation.
  9. Do NOT keep the CMUStaging\<Guid> folder open during installation.
  10. Do NOT copy files in CMUStaging.
  11. Do NOT restart SMSEXEC during payload download (dmpdownloader.log shows if the package content is downloading). The Notification can get lost in that scenario.

SCCM: Prerequisites check for new SCCM build fails. Why?

I am in the process of upgrading my SCCM TP to TP 1601. As the first step I need to check prerequisites. For that I right-click the downloaded update and select Check Prerequisites.


After some time it failed. Where can we find out why? Here:

[screenshot]

SCCM: SCCM 1511 does not download 1512, 1601 TP

I decided to test the auto update technology introduced with SCCM CB (currently 1511). So, I enabled the Service Connector, set it to online and restarted SMS_DMP_Downloader. I checked the dmpdownloader log and figured out that updates could not be found even though two builds, 1512 and 1601, were available at this time…

After some head scratching I decided to install SCCM TP4 instead of the RTM version of 1511 (the idea behind it was: 1512 and 1601 are Technical Previews, so maybe they cannot be downloaded by the RTM version?).

And it looks like that is right – in dmpdownloader.log I found an interesting line:

[screenshot]

and after that SCCM TP4 downloaded the latest SCCM update (in my case 1601).


So I guess you should have a Preview version to download/install/test Preview Builds :)

SCCM 2012 R2: Migration from SCCM 2007 SP2

Wally Mead on SCCM migration video: http://vimeo.com/101353581

SCCM 2012 R2: OSD fails after upgrade


I upgraded SCCM 2012 SP1 CU2 to SCCM 2012 R2 CU2 and after that my OSD TS started to fail with:

401 – Unsuccessful with context credentials. Retrying with supplied credentials.   …
Network access account credentials not supplied.

401 – Unsuccessful on all retries.


I tried to delete/re-create the Network access account – no go.

Added a new account to the NAA list (SCCM 2012 R2 supports multiple NAAs) – no go.

Made minor changes to my boot image to force a boot image rebuild – after redistribution to the DP the TS successfully started.

NOTE: if you use CD/USB media you need to recreate it!