~ Buz Brodin | Senior Support Escalation Engineer
Hi everyone Buz Brodin here with a Configuration Manager client install tip for you. If you install your Configuration Manager clients via the command line, you may encounter a problem where the clients fail to register in a cross-forest domain after the install is complete. If you look through the logs files trying to figure out why, you’ll see errors similar to the following:
Ccmmessaging.log:
Failed to decode message '{40B79D99-AF54-4DB8-93F4-C5337573D3E0}'. Hook authenticate. Error 0x87d00309
InvokeDecodingHooks failed (0x87d00309). CcmMessaging 7/1/2015 9:11:02 PM 5484 (0x156C)
HandleRemoteSyncSend failed (0x87d00309). CcmMessaging 7/1/2015 9:11:02 PM 5484 (0x156C)
CForwarder_Sync::Send failed (0x87d00309). CcmMessaging 7/1/2015 9:11:02 PM 5484 (0x156C)
CForwarder_Base::Send failed (0x87d00309). CcmMessaging 7/1/2015 9:11:02 PM 5484 (0x156C)
CertMain.log:
Failed to verify signature of message received from MP using name 'server.domain.com' CertificateMaintenance 7/1/2015 8:52:59 PM 5940 (0x1734)
CCMverifymessage 87d00309
LocationServices.log:
Persisting lookup management point 'server.domain.com' LocationServices 7/1/2015 8:52:59 PM 5940 (0x1734)
StatusAgent: HandleFSPCcmHttpStatus - Failed to retrieve internet, proxy or assigned MP. Assuming 'server.domain.com' is not a relevant MP. StatusAgent 7/1/2015 9:11:02 PM 4408 (0x1138)
ClientIDManagerStartup.log:
CCM::LocationServices::CcmRefreshSiteCode(), HRESULT=8000ffff (e:\nts_sccm_release\sms\framework\ccmid\regtask.cpp,218) ClientIDManagerStartup 7/1/2015 9:11:02 PM 5484 (0x156C)
RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 7/1/2015 9:11:02 PM 5484 (0x156C)
This problem occurs when Active Directory is not extended and you are also using the SMSDIRECTORYLOOKUP=NoWINS argument on the installation command line.
When you use SMSDIRECTORYLOOKUP=NoWINS in the command line, setup not only foregoes querying WINS, but it will not try to lookup the Management Point (MP) using HTTP either. While the most secure option for client configuration is in fact to use SMSDIRECTORYLOOKUP=NoWINS, it can be used only if your clients can query the global catalog, thus it should not be used for clients in remote forests or workgroups, or if the Active Directory schema has not been extended. If clients must use WINS for service location and SMSDIRECTORYLOOKUP=NoWINS is specified on the installation command line, service location will fail.
For more information please see the following:
- Configuration Manager and Service Location (Site Information and Management Points)
- Best Practices for Securing Clients
Note that if no properties are specified, the client installs in Secure WINS mode. The Any WINS mode is not secure and is not recommended. For more information, see About Configuration Manager Client Installation Properties.
Buz Brodin | Senior Support Escalation Engineer | Microsoft GBS Management and Security Division
Get the latest System Center news onFacebookandTwitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/
Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
ConfigMgr 2012 r2 system center 2012 configuration manager system center 2012 r2 configuration manager