Certificate Issue with Add-CMDistributionPoint CmdLet

Hi,

We are trying to automate the provisioning of our DistributionPoints using Orchestrator - no worries here.

The issue we have is with the Add-CMDistributionPoint cmdlet in a PKI environment.
Using this code snippet:

$site = Get-CMSite
$ssPXEPwd = 'pxepassword' | ConvertTo-SecureString -AsPlainText -Force
$ssCERTPwd = 'strongcertpassword' | ConvertTo-SecureString -AsPlainText -Force
$DPCertPath = 'localpathtocertificate'
$DPServer = 'DP_FQDN'
$siteCode = $site.SiteCode
$NewDP = Add-CMDistributionPoint -SiteSystemServerName $DPServer -SiteCode $siteCode -CertificatePath $DPCertPath -CertificatePassword $ssCERTPwd -MinimumFreeSpaceMB 5000 -AllowPreStaging -PrimaryContentLibraryLocation "M" -PrimaryPackageShareLocation "M" -EnablePXESupport -AllowRespondIncomingPxeRequest -EnableUnknownComputerSupport -ComputersUsePxePassword $ssPXEPwd -EnableMulticast -EnableValidateContent

We can deploy the first Distribution Point fine, but subsequent DPs fail with this error:

WARNING: The certificate you specified is already in use. Are you sure you want to use this certificate?
Add-CMDistributionPoint : Validation of input parameters failed. Cannot continue.
At line:1 char:1
+ Add-CMDistributionPoint -SiteSystemServerName $DPServer -SiteCode $siteCode -Cer ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Confi...ionPointCommand:AddDistributionPointCommand) [Add-CMDistributionPoint], InvalidOperationException
    + FullyQualifiedErrorId : ValidationError,Microsoft.ConfigurationManagement.Cmdlets.HS.Commands.AddDistributionPointCommand

If you perform the same operation in the console, you also get prompted, but at least you can continue past the dialog.

Is there a way to do this with the cmdlet? I don't want to have to create 250 certificates for the DPs! If we delete the cert from the console (DB) then we can re-run the command no worries.

Thanks

June 21st, 2013 1:43am

Make sure to file a feedback item on connect.microsoft
June 21st, 2013 10:24am

Thanks Torsten,

I thought this might be the case.  I have filed a feedback item as suggested.  We may need to log a support call for it as well as this issue will hold up our production deployment.

Regards,

David

June 21st, 2013 12:02pm

Hi,

There are other issues also with this cmdlet and it's better not to use that.

Best,

Kaido Järvemets

CM12SDK.net


June 21st, 2013 9:51pm

Thanks for the heads up Kaido,

I know of 2 issues with this cmdlet now:
- When using PKI Certificates, unable to re-use certificate that has already been added to the console
- Incorrectly setting the ServerRemoteName to the first server deployed in the Hierarchy
(http://support.microsoft.com/kb/2860244)

Are there more issues with this CmdLet that I have not come across yet?

Reason I ask is that we are about to deploy ~230 Distribution Points, and want to use a supported Microsoft method of doing so, without having to deploy each one manually from the console.

Thanks,

David

June 24th, 2013 1:58am

I received a response to my feedback item on connect.microsoft today.

The response was that this is 'by design'.

We also worked with MSPS on the issue a few weeks ago, and came up with a workaround - which involved generating a certificate per distribution point at deployment time.
We used the following PowerShell script as a reference:

# Request a certificate for this DP from the ConfigMgrSMSPXEDP template
Set-Location -Path cert:\LocalMachine\My
Get-Certificate -Template ConfigMgrSMSPXEDP -Url ldap: -SubjectName CN=FQDNOFDP
# Export it, with its private key, to a password-protected PFX
$secure_string_pwd = ConvertTo-SecureString -String "SomeStrongPassword!" -AsPlainText -Force
Get-ChildItem cert:\localmachine\my | where {$_.Subject -match "CN=FQDNOFDP"} | Export-PfxCertificate -FilePath C:\windows\temp\FQDNOFP.pfx -Password $secure_string_pwd
# Remove the certificate and its private key from the local store
Set-Location -Path cert:\
Get-ChildItem cert:\localmachine\my | where {$_.Subject -match "CN=FQDNOFDP"} | Remove-Item -DeleteKey

Upon review, this works out to be a better solution anyway :)

Thanks all :)

July 3rd, 2013 11:46pm
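
The per-DP certificate workaround described in the last post, combined with the Add-CMDistributionPoint call from the first post, as an added example that is not part of the original thread. The function name, the $PfxDir default and the site-drive Set-Location are assumptions (it presumes the ConfigurationManager module is already imported); it uses a random one-time PFX password, selects the certificate by thumbprint instead of a subject match, and always removes the local key and the PFX file. Append the remaining DP switches from the original command as needed.

```powershell
# Added example, not from the thread. Function name and $PfxDir are hypothetical.
function New-DPWithOwnCertificate {
    param(
        [Parameter(Mandatory)] [string] $DPServer,   # FQDN of the new DP
        [Parameter(Mandatory)] [string] $SiteCode,
        [string] $Template = 'ConfigMgrSMSPXEDP',    # template name used in the thread
        [string] $PfxDir   = $env:TEMP               # assumption: an ACL-restricted directory
    )
    # Random one-time PFX password, built directly as a SecureString
    # so no plaintext password has to be stored in the runbook.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes); $rng.Dispose()
    $pfxPwd = New-Object System.Security.SecureString
    foreach ($c in [Convert]::ToBase64String($bytes).ToCharArray()) { $pfxPwd.AppendChar($c) }
    $pfxPwd.MakeReadOnly()

    $pfxPath  = Join-Path $PfxDir "$DPServer.pfx"
    $certPath = $null
    $origin   = Get-Location
    try {
        # Enroll one certificate for this DP and track it by thumbprint.
        $enroll = Get-Certificate -Template $Template -Url ldap: `
                    -SubjectName "CN=$DPServer" -CertStoreLocation Cert:\LocalMachine\My
        if ($enroll.Status -ne 'Issued') {
            throw "Enrollment for $DPServer returned status $($enroll.Status)"
        }
        $certPath = "Cert:\LocalMachine\My\$($enroll.Certificate.Thumbprint)"
        Export-PfxCertificate -Cert $certPath -FilePath $pfxPath -Password $pfxPwd | Out-Null

        # Assumption: ConfigMgr cmdlets are run from the site drive.
        Set-Location "$($SiteCode):"
        Add-CMDistributionPoint -SiteSystemServerName $DPServer -SiteCode $SiteCode `
            -CertificatePath $pfxPath -CertificatePassword $pfxPwd
    }
    finally {
        # Clean up even on failure: the private key must not linger in the
        # local store or as a PFX file on disk.
        Set-Location $origin
        if ($certPath -and (Test-Path $certPath)) { Remove-Item $certPath -DeleteKey }
        if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }
    }
}
```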
