SCCM IBCM

Question

I have an IBCM setup in my DMZ. I have all the roles installed, but I am noticing that I am getting an error in the wsusctrl.log file on the DMZ server.

Cannot open database "SUSDB" requested by the login. The login failed.~~Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.~

I have a separate SQL server, and in my MP I have it set up to use a domain account to connect to the SQL database. Does anyone have any recommendation on what I might have missed?

Solved. Asked by Joe Terracciano, 7 months ago. 12 answers, 410 views.

Answers (12)

  1. I was able to get this working. It turned out that IIS was doing a CRL check. I disabled the CRL checking and now internet clients are checking in properly.

    Best answer
  2. I seem to have my MP up now, but the clients aren't talking to the IBCM. SCCM sees it's on the internet, but the location logs are showing this. I have it bound with the cert for HTTPS, but the clients seem to be having a cert issue for some reason. Being PKI, if I switch back to the network the client works fine, so I don't think it's an issue on the client side.

    Unable to retrieve AD forest + domain membership. Error 0x8007054b LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7 LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    [CCMHTTP] ERROR: URL=https://PRI02.domain.net/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=31, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    [CCMHTTP] ERROR INFO: StatusCode= StatusText= LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    Raising event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = “GUID:DB7DE699-398A-4BCD-BCEA-7BF6FE91A52F”;
    DateTime = “20200505143844.073000+000”;
    HostName = “PRI02.domain.net”;
    HRESULT = “0x80072ee7”;
    ProcessID = 3636;
    StatusCode = 0;
    ThreadID = 5188;
    };
    LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    Successfully queued event on HTTP/HTTPS failure for server ‘PRI02.domain.net’. LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    [CCMHTTP] ERROR: URL=https://ibcm.xxxx.com/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=31, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    [CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    Raising event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = “GUID:DB7DE699-398A-4BCD-BCEA-7BF6FE91A52F”;
    DateTime = “20200505143844.331000+000”;
    HostName = “ibcm.xxxx.com”;
    HRESULT = “0x87d0027e”;
    ProcessID = 3636;
    StatusCode = 403;
    ThreadID = 5188;
    };
    LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    Successfully queued RefreshSecuritySettingsEvent event. LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    Successfully queued event on HTTP/HTTPS failure for server ‘ibcm.xxxx.com’. LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    Domain joined client is in Unknown location LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
    1 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 5/5/2020 10:38:44 AM 6792 (0x1A88)
    Already refreshed security settings within the last 60 minutes, not refreshing. LocationServices 5/5/2020 10:38:44 AM 7636 (0x1DD4)
    No security settings update detected. LocationServices 5/5/2020 10:38:44 AM 7636 (0x1DD4)
    Already refreshed security settings within the last 60 minutes, not refreshing. LocationServices 5/5/2020 10:38:44 AM 7636 (0x1DD4)
    No security settings update detected. LocationServices 5/5/2020 10:38:44 AM 7636 (0x1DD4)
    2 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 5/5/2020 10:38:44 AM 4636 (0x121C)
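    As an added example (not code from the thread), a small Python triage script that parses the plain-text CMTrace lines quoted in the answer above, pairs each [CCMHTTP] ERROR with the ERROR INFO line that follows it, and labels the two failures the way the thread ends up reading them: the internal MP name not resolving from the internet is expected, while the 403 from the internet-facing MP means IIS refused the request before the MP ever saw it (client certificate, CRL reachability or SSL settings). The sample lines are copied from the post; the IBCM hostname ibcm.xxxx.com is taken from the log and passed in as a parameter.

```python
import re

# Constructed sample: LocationServices.log lines quoted in the post above (plain CMTrace text).
SAMPLE_LOG = """\
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7 LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
[CCMHTTP] ERROR: URL=https://PRI02.domain.net/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=31, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
[CCMHTTP] ERROR INFO: StatusCode= StatusText= LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
[CCMHTTP] ERROR: URL=https://ibcm.xxxx.com/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=31, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden LocationServices 5/5/2020 10:38:44 AM 5188 (0x1444)
"""

# Every CMTrace plain-text line ends with: component date time thread (0xthread).
LINE_RE = re.compile(r"^(?P<msg>.*?) (?P<component>\S+) \d+/\d+/\d+ \d+:\d+:\d+ [AP]M (?P<tid>\d+) \(0x[0-9A-Fa-f]+\)$")
ERR_RE = re.compile(r"\[CCMHTTP\] ERROR: URL=(?P<url>\S+), Port=(?P<port>\d+), Options=\d+, Code=(?P<code>\d+), Text=(?P<text>\S+)")
INFO_RE = re.compile(r"\[CCMHTTP\] ERROR INFO: StatusCode=(?P<status>\d*) StatusText=(?P<stext>.*)")


def parse_ccmhttp_errors(log_text):
    """One record per [CCMHTTP] ERROR line, joined with the ERROR INFO line that follows it."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a CMTrace-formatted line, skip it
        msg = m.group("msg")
        e = ERR_RE.match(msg)
        if e:
            pending = {"host": e.group("url").split("/")[2], "code": int(e.group("code")),
                       "text": e.group("text"), "status": None, "thread": m.group("tid")}
            findings.append(pending)
        elif pending is not None and (i := INFO_RE.match(msg)):
            pending["status"] = int(i.group("status")) if i.group("status") else None
            pending = None
    return findings


def classify(finding, internet_mp_host):
    """Label a failure the way the thread triages it: internal MP unreachable vs. IBCM MP refusing."""
    on_ibcm = finding["host"].lower() == internet_mp_host.lower()
    if not on_ibcm and finding["text"] == "ERROR_WINHTTP_NAME_NOT_RESOLVED":
        return "internal-mp-unresolvable"   # expected while the client is on the internet
    if on_ibcm and finding["status"] == 403:
        return "ibcm-403-forbidden"         # IIS refused it: client cert, CRL reachability or SSL settings
    return "other"


if __name__ == "__main__":
    for f in parse_ccmhttp_errors(SAMPLE_LOG):
        print(f"{f['host']}: {f['text']} status={f['status']} -> {classify(f, 'ibcm.xxxx.com')}")
```

    Feeding a real LocationServices.log to parse_ccmhttp_errors gives the same per-request records, so the "ibcm-403-forbidden" label is a quick way to tell an IIS-side rejection from a plain connectivity problem.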

  3. Is the DMZ-to-DB port 1433 opened?
    Use "Site system initiates connection" while installing the role.
    During role installation, use a local account, something like DMZServername\localaccount.
    Grant SQL permissions to this account.

  4. On your IBCM server, is the MP working fine?
    If your intranet domain and DMZ domain don't have a trust, you may have to configure custom local accounts for the site roles like MP and SUP.
    Assuming all the required ports are open, based on this confirmation we can drill further to nail down the issue.
    Also, please make sure to enable the "Site Server Initiates the connection" option.

    • I am reinstalling the MP now, and it looks to be having issues with the SQL also. When setting up the MP I selected "Specify the account that connects the management point to the SQL Server DB". For that I am selecting the domain account from the domain that the SQL database is in.

      *** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

  5. Can you connect to the DB using Management Studio from the DMZ?
    If using PKI and running a different version of the OS, having upgraded the server to the latest OS creates a HASH mismatch.
    Can you check if you have a "Client and Server" Auth certificate on the new DMZ box? Did you enroll a new certificate for this new server where you are trying to install the role?
    I learned from your earlier comments that you used the same HOSTNAME (can you check if both the hostname and NETBIOS name are the same?). How about the host entry related to the WSUS box at this location: C:\Windows\System32\drivers\etc? Was it there before? Can you check that the certificate store named SMS has 2 SMS-related certificates under that tab?
    Did you install the SCCM agent on that DMZ box which you are trying to promote to SUSDB? Also, you said you have a remote SQL DB. Do you have the required ports opened? As you said you used the same IP, was this configuration the same, or was it on WID and now you are setting it up to go to SQL? How about ports between the SQL DB and the DMZ SQL box? Is 1433 open?
    Can you find the default website under IIS? It should be something like WSUS Administrator under the default site option.
    Did you give rights to the computer account (including your Network Service account) on the normal WSUS box from where the DMZ box will sync? And vice versa.
    Are you using cert select?
    Did the AD container update the new server information? Of course not. Could you please remove it and add it back from the AD container?
    Did you give permission to the share folder which gets utilized in the sync process?

    Did you try this one already?

    Step 1: Download the KB2720211 from Microsoft: http://support.microsoft.com/kb/2720211

    Step 2: Open Regedit, and change the value of this DWORD to 0: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\wYukonInstalled"

    Step 3: Install KB2720211

    Step 4: Change the DWORD value back to 1

    Step 5: Stop the SQL database service (I used Windows Internal Database, so it is MSSQL$MICROSOFT##SSEE)

    Step 6: Delete the DB files in *:\WSUS\UpdateServicesDbFiles (SUSDB.mdf & SUSDB_log.ldf)

    Step 7: Restore the SUSDB.mdf & SUSDB_log.ldf from backup

    Step 8: Start the SQL database service

    Step 9: Start the "Update Services" service

    If even after this you are on the same page, then we need to have a call and do some live troubleshooting to drill down. I am generally available after 4:00 PM IST on weekends.

    • So I got things almost working. I found the issue was I had to edit the hosts file. My old server must have had entries in there. Now that I have done that, I got my MP and DP installed and talking to SQL. But my internet clients are still trying to connect to the internal URL for the internet. Any ideas what I have to do? I tried connecting to the internet-facing site and it's up and working; from the web I get to the IIS page.

      Also, when I want to install WSUS, should I install just the WSUS role and keep WID and SQL unchecked, let that install, then add the role in SCCM so it configures the rest? Or do I have to set everything up through WSUS on the server first and then add the role through the SCCM primary?

  6. IBCM has been a very controversial technology from the beginning, but useful too.

    Let's see how we can get the solution for your issue. To understand better, may I know the below:

    1. CB version.
    2. Hierarchy setup. Total servers.
    3. Has it ever worked before, or is it just a new setup? If it worked, then what was changed recently? If it never worked, then we will troubleshoot.
    4. From the log what I can say is "You are trying to SYNC the DMZ WSUS to the normal WSUS."
    5. All necessary ports are open.
    6. This DMZ server is hosting the software update point; is it upstream or downstream?
    7. Did you try enabling proxy and sync?
    8. If HTTPS contains information that is interpreted as blocked content.
    9. How is the DNS?
    10. Hope you are not behind a Palo Alto firewall with 2-factor authentication.
    11. What is the catalog version of the DMZ and normal WSUS server?
    12. Is the WSUS DB WID (Windows Internal Database) or SQL?
    13. You are not setting it up newly.

    • I am on 1902: 1 primary (DP, MP, SUP), 2 internal DPs, 1 SQL server, 1 DMZ (MP, DP, SUP downstream). This was working before my old server got corrupt. Instead of trying to fix a 2012 R2 server, I decided to get a 2019 and use that with the same name and IP so that I didn't have to request all the firewall changes again. The old server was working fine, and it took me a while to get it working. I am also a full PKI environment, so I set up HTTPS. I am trying to set it up using a separate SQL server. So I built the 2019 server and added the IIS and WSUS roles, but when doing WSUS I can't connect it to my DB; it's giving me an error on that step. When I try to add the role through SCCM, I didn't see the WSUS role get installed on the server, so I was trying to install it manually prior. I have uninstalled all the roles through SCCM except the component and site system and tried reinstalling the DP, MP and SUP.

  7. This problem may appear because the NT AUTHORITY\NETWORK SERVICE account does not have login permissions to the master database in the SQL instance. Add the NT AUTHORITY\NETWORK SERVICE account to the master database permissions list, restart the SQL server, restart the IIS service, and then restart the Update Services service. Also, check the same on the SUSDB database.

    • Should I install the WSUS role on my IBCM server first, or just let the role install it? I am having issues connecting to the DB when I try to install the role manually. It's odd, because when my original server died I spun up a new one with the same name and IP because of firewall rules, so the connection shouldn't be blocked.
