IT Consultant Everyday Notes

Just some problems/solutions storage


SCCM 2012: Software Update Download failed with ERROR: There was an error downloading the software update. (12029)

Issue: I tried to download updates creating a new Software Update Package using a remote SCCM console. SCCM created a folder for the first update under the Package Source folder, but could not download content – failed with ERROR: There was an error downloading the software update. (12029)

Resolution: I checked PatchDownloader.log located in the %UserProfile%\AppData\Local\Temp\3 folder and found the error saying the content cannot be downloaded from the Microsoft Update site.

There is a proxy in the environment. I set proxy settings in IE and content was downloaded successfully.

Note: There is a Proxy Settings tab in the properties of the Software Update Point in SCCM. Do not forget to set it up if there is no direct connection to the Microsoft Update sites from your SCCM SUP. This setting affects the SUP/Microsoft synchronization process only!

To download Software Update Content you have to have the proxy configured in IE on the machine you use to run the SCCM console. At least that solved the issue for me.


SCCM 2012: How to manage servers in DMZ

(in progress…)

I decided to figure out how to get DMZ servers managed using SCCM 2012.

  • Draft design: MP, DP and SUP are on the Internal network. We are planning to manage servers in DMZ. The server belongs to a different domain. I am planning to publish ports 443 and 80 (if necessary) on my reverse proxy and hope it will work. Update: it does not work via proxy since a Client Certificate is used and the proxy (at least TMG) cannot pass it to the MP located on the Intranet. So I need to either configure the firewall to allow TCP 443 from the Server in DMZ to the MP on the Intranet or (less secure) create a server publishing rule on TMG (keeping the source IP unchanged) and create a static route on the MP so the traffic back to the DMZ server passes via TMG, not the default gateway (if TMG is not the default gateway, of course).
  • I added a dedicated MP/DP to the Intranet and configured both of them to answer to Intranet and Internet requests. Important: add the Internet name during installation, there is no way to add it later.
  • The server names for Internet and Intranet are different, so I have to add a SAN to the certificates.
  • Certificates:
      • Site settings: As per the Microsoft document I need to set my site to serve both HTTP and HTTPS and add the CA root certificate to the site (in Site Properties). I am using a two-level CA in a different forest, so I added both Root CA and Issuing CA certificates.
      • MP certificate: It must be a certificate with the “Client Authentication” EKU. I created a duplicate of the “Workstation” template with exportable private key and issued a certificate with the server Internet name as CN and Intranet name as SAN.
      • ConfigMgr Web certificate: I created a duplicate of the “Web Server” template with exportable private key and issued a certificate with the Internet name as CN and Intranet name as SAN.
      • DP certificate: This is a “Client Authentication” certificate again, so I decided to try to use the same one I used for the MP.
  • Firewall: open 80 and 443 from the server in DMZ to the SCCM servers.
  • Add the Internet names to the hosts file on managed nodes (for test, planning to move the names to the DMZ DNS in future).
  • Install the SCCM Client on a managed machine using: ccmsetup /usePKICert /NOCRLCheck /mp:https://SCCM.internet.com SMSSITECODE=TOR CCMHOSTNAME=SCCM.internet.com (where SCCM.internet.com is the Internet name of my MP/DP designated for DMZ management).
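The steps above can be checked from the DMZ server itself before running ccmsetup. The script below is an added example, not code from the original post: SCCM.internet.com is the Internet name used in the post, the Intranet name is a placeholder, and the checks (name resolution, ports 80/443, a Client Authentication certificate with a private key, CRL reachability, and the CN/SAN names on the MP certificate) follow the list above.

```powershell
# Added example (not from the original post). Run on the DMZ server before ccmsetup.
# SCCM.internet.com is the post's Internet name; the Intranet name is a placeholder.
param(
    [string]$MpInternetName = 'SCCM.internet.com',
    [string]$MpIntranetName = 'sccm.intranet.example'
)
$problems = New-Object System.Collections.Generic.List[string]
# 1. Name resolution (DNS or the hosts file entry the post adds for testing).
try { $null = [Net.Dns]::GetHostAddresses($MpInternetName) }
catch { $problems.Add("$MpInternetName does not resolve: add it to DNS or the hosts file") }
# 2. Firewall: TCP 80 and 443 from the DMZ server to the MP/DP.
foreach ($port in 80, 443) {
    $tnc = Test-NetConnection -ComputerName $MpInternetName -Port $port -WarningAction SilentlyContinue
    if (-not $tnc.TcpTestSucceeded) { $problems.Add("TCP $port to $MpInternetName is blocked") }
}
# 3. A client certificate with the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and a private key.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Select-Object -First 1
if (-not $clientCert) { $problems.Add('No Client Authentication certificate with a private key in LocalMachine\My') }
# 4. CRL reachability: if the CRL is not reachable, ccmsetup needs /NOCRLCheck (note 3 below).
$cdp = $clientCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    foreach ($m in [regex]::Matches($cdp.Format($false), 'URL=(http[^\s,\]]+)')) {
        try { $null = Invoke-WebRequest -Uri $m.Groups[1].Value -UseBasicParsing -TimeoutSec 10 }
        catch { $problems.Add("CRL $($m.Groups[1].Value) unreachable: publish it or install with /NOCRLCheck") }
    }
}
# 5. MP certificate names: CN = Internet name, Intranet name in the SAN (as issued in the post).
try {
    $tcp = New-Object Net.Sockets.TcpClient($MpInternetName, 443)
    $cb  = { $true } -as [Net.Security.RemoteCertificateValidationCallback]   # names are checked below
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($MpInternetName)
    $srv = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $cn  = $srv.GetNameInfo('SimpleName', $false)
    if ($cn -ne $MpInternetName) { $problems.Add("MP certificate CN is '$cn', expected $MpInternetName") }
    $sanExt = $srv.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($san -notmatch [regex]::Escape($MpIntranetName)) { $problems.Add("MP certificate SAN lacks $MpIntranetName") }
    $tcp.Close()
} catch { $problems.Add("TLS handshake with ${MpInternetName}:443 failed: $($_.Exception.Message)") }
if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"All prerequisites met; ccmsetup /usePKICert /mp:https://$MpInternetName can be run."
```

A non-zero exit with warnings tells you which of the post's steps (hosts entry, firewall rule, certificate template, CRL) is still missing.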


Notes:

1. It is better to install IIS and assign the ConfigMgr Web certificate to the Default Web Site before MP and DP installation.

2. After I installed the MP it should grab a proper certificate from the Local Store. It did, but for some reason setup could not verify the connection to this new MP. It failed with error: Failed to send http request /SMS_MP/.sms_aut?MPLIST. Error 12175. I tried to restart the SMS services, but it did not help. Rebooting the new server fixed the issue.

3. Ideally you should have the CRL available to clients. If this is not the case and you do not want to fix it, disable the CRL check (the /NOCRLCheck switch in the ccmsetup command above).

Finally the Client connected to SCCM:


4. Updates: the Client should receive both update locations (Windows Update site and SP).

BITS will try the Microsoft site first (it fails since I do not have Internet access from my DMZ systems):

DataTransferService.log:

CDTSJob::HandleErrors: DTS Job '{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}' BITS Job '{AA69D14E-270B-4EF2-BA03-D91288D37D95}' under user 'S-1-5-18' OldErrorCount 2440 NewErrorCount 2441 ErrorCode 0x80072EFD

CDTSJob::HandleErrors: DTS Job ID='{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}' URL='http://download.windowsupdate.com:80/msdownload/update/software/secu/2012/04' ProtType=1

and it switches to a Distribution Point after that:

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} switched to location 'https://sccm.lab.<my domain here>:443/SMS_DP_SMSPKG$/0257c940-6d4b-4278-9b5e-a6d88c06e10f'.

<……>

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state ‘RetrievedData’.

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} successfully completed download.

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state ‘NotifiedComplete’.

DTS job {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} has completed:
    Status : SUCCESS
    Start time : 08/28/2012 19:53:27
    Completion time : 08/30/2012 16:17:53
    Elapsed time : 92 seconds
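When several packages are in flight the per-line view above gets hard to follow. The script below is an added example, not part of the original post: it summarises DataTransferService.log per DTS job (error count, last WinHTTP error code, the URL that failed, the DP it fell back to and the final state). The embedded sample lines are constructed from the excerpt above; point -Path at a real log to use it.

```powershell
# Added example (not from the original post): per-job summary of DataTransferService.log.
param([string]$Path)
# Constructed sample built from the excerpt above (straight quotes, placeholder DP name).
$sample = @'
CDTSJob::HandleErrors: DTS Job '{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}' BITS Job '{AA69D14E-270B-4EF2-BA03-D91288D37D95}' under user 'S-1-5-18' OldErrorCount 2440 NewErrorCount 2441 ErrorCode 0x80072EFD
CDTSJob::HandleErrors: DTS Job ID='{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}' URL='http://download.windowsupdate.com:80/msdownload/update/software/secu/2012/04' ProtType=1
DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} switched to location 'https://sccm.lab.example:443/SMS_DP_SMSPKG$/0257c940-6d4b-4278-9b5e-a6d88c06e10f'.
DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} successfully completed download.
'@ -split "`r?`n"
$lines = if ($Path) { Get-Content -Path $Path } else { $sample }
$jobs = @{}
foreach ($line in $lines) {
    # The DTS job GUID in braces comes first on every line we care about.
    if ($line -notmatch '\{(?<id>[0-9A-F-]{36})\}') { continue }
    $id = $Matches.id
    if (-not $jobs.ContainsKey($id)) {
        $jobs[$id] = [pscustomobject]@{ Job = $id; Errors = 0; LastError = $null
                                        FailedUrl = $null; FallbackDP = $null; Result = 'in progress' }
    }
    $j = $jobs[$id]
    if     ($line -match 'ErrorCode (0x[0-9A-F]+)')              { $j.Errors++; $j.LastError = $Matches[1] }
    elseif ($line -match "HandleErrors:.*URL='([^']+)'")          { $j.FailedUrl = $Matches[1] }
    elseif ($line -match "switched to location '([^']+)'")        { $j.FallbackDP = $Matches[1] }
    elseif ($line -match 'successfully completed download')       { $j.Result = 'SUCCESS' }
}
# WinHTTP codes seen on hosts without Internet access; 0x80072EFD is WinHTTP 12029
# (ERROR_WINHTTP_CANNOT_CONNECT), the same number the first post's download error shows.
$known = @{ '0x80072EFD' = 'cannot connect (no route or proxy to Microsoft Update)'
            '0x80072EE7' = 'name not resolved' }
$jobs.Values | Select-Object Job, Errors, LastError,
    @{ n = 'Hint'; e = { $known[$_.LastError] } }, FailedUrl, FallbackDP, Result
```

A job with a FallbackDP and Result SUCCESS is the healthy DMZ pattern shown above; a high Errors count with no FallbackDP means the client never received the DP location.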