SCCM 2012 clients choose a random MP

hi guys

I've been breaking my head for days trying to understand why my clients choose to connect to whatever DP they want, randomly...

I have one site with three MP/DPs.

I have boundaries configured correctly, I'm sure.

Boundaries are configured by subnets.

I checked the System Management OU in AD for any leftovers from the old SCCM 2007.

I tried removing the Management Point role from all servers and adding the roles again...

I tried removing subnets from boundaries and using a fallback status point, but still the client chooses a random management point.

Here is the last part of the locationservices.log of one of the machines:

Default Management Points from MP: LocationServices 5/12/2013 8:58:49 PM 1020 (0x03FC)
Name: 'BRANCH-MP.Domain.com' HTTPS: 'N' ForestTrust: 'Y' LocationServices 5/12/2013 8:58:49 PM 1020 (0x03FC)
Name: 'MAIN-MP.Domain.com' HTTPS: 'N' ForestTrust: 'Y' LocationServices 5/12/2013 8:58:49 PM 1020 (0x03FC)
Name: 'SECONDARY-MP.Domain.com' HTTPS: 'N' ForestTrust: 'Y' LocationServices 5/12/2013 8:58:49 PM 1020 (0x03FC)
Persisted Default Management Point Locations locally LocationServices 5/12/2013 8:58:49 PM 1020 (0x03FC)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 8:58:49 PM 1020 (0x03FC)
Calling back with the following distribution points LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
Distribution Point='http://MAIN-MP.Domain.com/SMS_DP_SMSPKG$/NEW00182', Locality='LOCAL', DPType='SERVER', Version='7804', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>', Signature='http://MAIN-MP.Domain.com/SMS_DP_SMSSIG$/NEW00182', ForestTrust='TRUE', LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
Distribution Point='\\MAIN-MP.Domain.com\SMSPKGD$\NEW00182\', Locality='LOCAL', DPType='SERVER', Version='7804', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>', Signature='', ForestTrust='TRUE', LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
Distribution Point='http://SECONDARY-MP.Domain.com/SMS_DP_SMSPKG$/NEW00182', Locality='REMOTE', DPType='SERVER', Version='7804', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>', Signature='http://SECONDARY-MP.Domain.com/SMS_DP_SMSSIG$/NEW00182', ForestTrust='TRUE', LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
Distribution Point='\\SECONDARY-MP.Domain.com\SMSPKGD$\NEW00182\', Locality='REMOTE', DPType='SERVER', Version='7804', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>', Signature='', ForestTrust='TRUE', LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
Calling back with locations for location request {06634153-EAAA-4877-A749-1976DDE37599} LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
Failed to send request to /SMS_MP/.sms_aut?MPCERT2 at host BRANCH-MP.Domain.com, error 0x2ee2 LocationServices 5/12/2013 8:58:58 PM 2256 (0x08D0)
[CCMHTTP] ERROR: URL=http://BRANCH-MP.Domain.com/SMS_MP/.sms_aut?MPCERT2, Port=80, Options=224, Code=12002, Text=ERROR_WINHTTP_TIMEOUT LocationServices 5/12/2013 8:58:58 PM 2256 (0x08D0)
Raising event:
instance of CCM_CcmHttp_Status
{
 ClientID = "GUID:04B87CCF-5575-4689-A8FA-14D25B733DCA";
 DateTime = "20130512175858.328000+000";
 HostName = "BRANCH-MP.Domain.com";
 HRESULT = "0x80072ee2";
 ProcessID = 3648;
 StatusCode = 600;
 ThreadID = 2256;
};
 LocationServices 5/12/2013 8:58:58 PM 2256 (0x08D0)
Successfully sent location services HTTP failure message. LocationServices 5/12/2013 8:58:58 PM 2256 (0x08D0)
Failed to refresh Encryption certificate information over HTTP(0x80072ee2) LocationServices 5/12/2013 8:58:58 PM 2256 (0x08D0)
Failed to refresh encryption cert info for BRANCH-MP.Domain.com. LocationServices 5/12/2013 8:58:58 PM 2256 (0x08D0)
Executing Task LSSiteRoleCycleTask LocationServices 5/12/2013 8:58:58 PM 1536 (0x0600)
1 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices 5/12/2013 8:58:58 PM 1536 (0x0600)
Failed to send management point list Location Request Message to BRANCH-MP.Domain.com LocationServices 5/12/2013 8:59:10 PM 1020 (0x03FC)
Executing Task LSSiteRoleCycleTask LocationServices 5/12/2013 8:59:10 PM 1536 (0x0600)
2 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices 5/12/2013 8:59:10 PM 1536 (0x0600)
Attempting to retrieve local MPs from the assigned MP LocationServices 5/12/2013 8:59:10 PM 1020 (0x03FC)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 8:59:10 PM 1020 (0x03FC)
Failed to send management point list Location Request Message to BRANCH-MP.Domain.com LocationServices 5/12/2013 8:59:31 PM 1020 (0x03FC)
Executing Task LSSiteRoleCycleTask LocationServices 5/12/2013 8:59:31 PM 2256 (0x08D0)
3 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices 5/12/2013 8:59:31 PM 2256 (0x08D0)
Refreshing the Management Point List for site TLV LocationServices 5/12/2013 8:59:31 PM 1020 (0x03FC)
Retrieved management point encryption info from AD. LocationServices 5/12/2013 8:59:31 PM 1020 (0x03FC)
Executing Task LSSiteRoleCycleTask LocationServices 5/12/2013 8:59:45 PM 1536 (0x0600)
Failed to send request to /SMS_MP/.sms_aut?MPLIST at host BRANCH-MP.Domain.com, error 0x2ee2 LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
[CCMHTTP] ERROR: URL=http://BRANCH-MP.Domain.com/SMS_MP/.sms_aut?MPLIST, Port=80, Options=224, Code=12002, Text=ERROR_WINHTTP_TIMEOUT LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
Raising event:
instance of CCM_CcmHttp_Status
{
 ClientID = "GUID:04B87CCF-5575-4689-A8FA-14D25B733DCA";
 DateTime = "20130512175952.670000+000";
 HostName = "BRANCH-MP.Domain.com";
 HRESULT = "0x80072ee2";
 ProcessID = 3648;
 StatusCode = 600;
 ThreadID = 1020;
};
 LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
Successfully sent location services HTTP failure message. LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
Failed to retrieve MP certificate authentication information over http. LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
Executing Task LSSiteRoleCycleTask LocationServices 5/12/2013 8:59:52 PM 544 (0x0220)
Refreshing trusted key information LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
Refreshed Root Site Code from AD LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
Attempting to refresh TRK from AD LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
Refreshed TRK from AD LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
Failed to send request to /SMS_MP/.sms_aut?MPKEYINFORMATIONEX at host BRANCH-MP.Domain.com, error 0x2ee2 LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
[CCMHTTP] ERROR: URL=http://BRANCH-MP.Domain.com/SMS_MP/.sms_aut?MPKEYINFORMATIONEX, Port=80, Options=224, Code=12002, Text=ERROR_WINHTTP_TIMEOUT LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
Raising event:
instance of CCM_CcmHttp_Status
{
 ClientID = "GUID:04B87CCF-5575-4689-A8FA-14D25B733DCA";
 DateTime = "20130512180013.779000+000";
 HostName = "BRANCH-MP.Domain.com";
 HRESULT = "0x80072ee2";
 ProcessID = 3648;
 StatusCode = 600;
 ThreadID = 1020;
};
 LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
Successfully sent location services HTTP failure message. LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
Executing Task LSSiteRoleCycleTask LocationServices 5/12/2013 9:00:13 PM 4072 (0x0FE8)
Failed to verify Certificate with error 0x80070057. LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
Failed to refresh trusted key information while refreshing mp list. LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
Persisting the management point authentication information in WMI LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
Persisted Management Point Authentication Information locally LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
4 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices 5/12/2013 9:00:13 PM 1536 (0x0600)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 9:00:13 PM 2712 (0x0A98)
Assigned MP error threshold reached, moving to next MP. LocationServices 5/12/2013 9:00:13 PM 544 (0x0220)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
MPLIST requests are throttled for 00:03:23 LocationServices 5/12/2013 9:00:13 PM 3964 (0x0F7C)
Ignoring MP error during post-rotation flush period of 20 seconds. LocationServices 5/12/2013 9:00:13 PM 4072 (0x0FE8)
0 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices 5/12/2013 9:00:13 PM 4072 (0x0FE8)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
Updated FSP 'MAIN-MP.Domain.com' from AD to local. LocationServices 5/12/2013 9:00:13 PM 1020 (0x03FC)
Failed to send Location Request Message LocationServices 5/12/2013 9:00:34 PM 2712 (0x0A98)
Failed to create Location Request Message body LocationServices 5/12/2013 9:00:34 PM 2712 (0x0A98)
Executing Task LSSiteRoleCycleTask LocationServices 5/12/2013 9:00:34 PM 1020 (0x03FC)
Executing Task LSSiteRoleCycleTask LocationServices 5/12/2013 9:00:34 PM 4072 (0x0FE8)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 9:01:35 PM 2712 (0x0A98)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 9:01:36 PM 2712 (0x0A98)
The number of discovered DPs(including Branch DP and Multicast) is 2 LocationServices 5/12/2013 9:01:36 PM 2712 (0x0A98)
Calling back with the following distribution points LocationServices 5/12/2013 9:01:36 PM 2712 (0x0A98)
Distribution Point='http://MAIN-MP.Domain.com/SMS_DP_SMSPKG$/TLV0002A', Locality='LOCAL' LocationServices 5/12/2013 9:01:36 PM 2712 (0x0A98)
Distribution Point='\\MAIN-MP.Domain.com\SMSPKGD$\TLV0002A\', Locality='LOCAL' LocationServices 5/12/2013 9:01:36 PM 2712 (0x0A98)
Received reply of type PortalCertificateReply LocationServices 5/12/2013 9:01:38 PM 544 (0x0220)
The reply from location manager contains 0 certificates LocationServices 5/12/2013 9:01:38 PM 544 (0x0220)
Updating portal certificates LocationServices 5/12/2013 9:01:38 PM 544 (0x0220)
There are no certificates available to install LocationServices 5/12/2013 9:01:38 PM 544 (0x0220)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 9:03:36 PM 1020 (0x03FC)
Current AD site of machine is MAIN-AD-SITE LocationServices 5/12/2013 9:03:36 PM 1020 (0x03FC)
Received reply of type PortalCertificateReply LocationServices 5/12/2013 9:03:36 PM 916 (0x0394)
The reply from location manager contains 0 certificates LocationServices 5/12/2013 9:03:36 PM 916 (0x0394)
Updating portal certificates LocationServices 5/12/2013 9:03:36 PM 916 (0x0394)
There are no certificates available to install LocationServices 5/12/2013 9:03:36 PM 916 (0x0394)

Thank you!

May 12th, 2013 6:44pm
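As an added example (not from the original post, and not a Microsoft tool), here is a small Python parser for the CMTrace-style locationservices.log lines quoted above. It pulls out the MP list the client received, the LOCAL/REMOTE tag on each DP, the HTTP failures per MP host, and the point where the client rotates to the next MP after the "assigned MP errors" counter hits its threshold. The sample lines are constructed from the excerpt above; the hostnames are the poster's placeholders.

```python
import re
from collections import Counter

# Constructed sample, modelled on the locationservices.log excerpt in the post above;
# hostnames are the poster's placeholders. Each line keeps the CMTrace trailer.
SAMPLE_LOG = """\
Name: 'BRANCH-MP.Domain.com' HTTPS: 'N' ForestTrust: 'Y' LocationServices 5/12/2013 8:58:49 PM 1020 (0x03FC)
Name: 'MAIN-MP.Domain.com' HTTPS: 'N' ForestTrust: 'Y' LocationServices 5/12/2013 8:58:49 PM 1020 (0x03FC)
Distribution Point='http://MAIN-MP.Domain.com/SMS_DP_SMSPKG$/NEW00182', Locality='LOCAL', DPType='SERVER' LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
Distribution Point='http://SECONDARY-MP.Domain.com/SMS_DP_SMSPKG$/NEW00182', Locality='REMOTE', DPType='SERVER' LocationServices 5/12/2013 8:58:49 PM 1536 (0x0600)
[CCMHTTP] ERROR: URL=http://BRANCH-MP.Domain.com/SMS_MP/.sms_aut?MPCERT2, Port=80, Options=224, Code=12002, Text=ERROR_WINHTTP_TIMEOUT LocationServices 5/12/2013 8:58:58 PM 2256 (0x08D0)
1 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices 5/12/2013 8:58:58 PM 1536 (0x0600)
[CCMHTTP] ERROR: URL=http://BRANCH-MP.Domain.com/SMS_MP/.sms_aut?MPLIST, Port=80, Options=224, Code=12002, Text=ERROR_WINHTTP_TIMEOUT LocationServices 5/12/2013 8:59:52 PM 1020 (0x03FC)
4 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices 5/12/2013 9:00:13 PM 1536 (0x0600)
Assigned MP error threshold reached, moving to next MP. LocationServices 5/12/2013 9:00:13 PM 544 (0x0220)
"""

# Every CMTrace line ends with "<component> <date> <time> <AM|PM> <thread> (0x...)".
TRAILER = re.compile(r"\s+LocationServices\s+(\S+ \S+ [AP]M)\s+\d+ \(0x[0-9A-Fa-f]+\)\s*$")
MP_NAME = re.compile(r"^Name: '([^']+)' HTTPS: '[YN]'")
DP_LINE = re.compile(r"^Distribution Point='([^']+)', Locality='([A-Z]+)'")
HTTP_ERR = re.compile(r"^\[CCMHTTP\] ERROR: URL=https?://([^/]+)/\S*?, .*?Code=(\d+), Text=(\w+)")
MP_ERRS = re.compile(r"^(\d+) assigned MP errors in the last 10 minutes, threshold is (\d+)\.")
ROTATE = "Assigned MP error threshold reached, moving to next MP."


def dp_host(location):
    """Host part of a DP location, for both http://host/... and UNC \\\\host\\share forms."""
    if "://" in location:
        return location.split("/")[2]
    return location.strip("\\").split("\\")[0]


def analyze(log_text):
    """Summarise one client's view: the site-wide MP list (not boundary-filtered), the
    LOCAL/REMOTE locality per DP host (this IS boundary-driven), HTTP failures per MP
    host, the last 'assigned MP errors' counter/threshold, and MP rotation timestamps."""
    summary = {"mps": [], "dps": {}, "http_errors": Counter(),
               "last_error_count": None, "threshold": None, "rotations": []}
    for raw in log_text.splitlines():
        m = TRAILER.search(raw)
        if not m:
            continue  # not a CMTrace line (e.g. the body of a CCM_CcmHttp_Status event)
        ts, msg = m.group(1), raw[:m.start()]
        if (n := MP_NAME.match(msg)):
            summary["mps"].append(n.group(1))
        elif (d := DP_LINE.match(msg)):
            summary["dps"][dp_host(d.group(1))] = d.group(2)
        elif (e := HTTP_ERR.match(msg)):
            summary["http_errors"][(e.group(1), e.group(3))] += 1
        elif (c := MP_ERRS.match(msg)):
            summary["last_error_count"], summary["threshold"] = int(c.group(1)), int(c.group(2))
        elif msg.strip() == ROTATE:
            summary["rotations"].append(ts)
    return summary
```

Run `analyze()` over a full log to see which MP host accumulates the timeouts and when the client rotated away from it; a rotation with no boundary change is exactly the behaviour the replies in this thread describe.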

Management point selection is not governed by site boundaries. Client systems will arbitrarily choose an available MP from within the site. Distribution point selection IS controllable by boundaries.

If you need client systems at remote sites to talk to a specific local MP then you need to look at implementing a Secondary site - and this sparks a debate about actual need.

May 12th, 2013 7:40pm


Thank you for replying.

So you are saying that the boundaries have no meaning (regarding management points)?

So how can I control management points?

May 13th, 2013 5:39am

So you are saying that the boundaries have no meaning (regarding management points)?

So how can I control management points?

Yes.
This cannot be done within the same domain.
May 13th, 2013 6:51am

As mentioned, you can control which MP a client uses by deploying secondary sites (nothing has changed here since 2007). Boundaries are used for 3 things and 3 things only: content location, auto-site assignment, secondary site location.

Client to MP traffic is generally quite small and trivial though so you may be over thinking where you need to have MPs. Without knowing the details of the clients you are wishing to force to a specific MP including count, bandwidth, and communication restrictions, no specific recommendations can be given.

May 13th, 2013 11:36am

Hi,

thanks again.

OK.

I'm dealing with this issue because it IS influencing my software distribution all across my site.

When a client is connected to the correct MP, everything is working fine.

When a client is connected to the wrong MP, software deployments and updates are not available (it can be that the list is empty, or that the applications are stuck on "waiting")....

So you are saying that:

1. Only one MP is required for my whole site?

2. I need to monitor the DP? How do I do that?

May 13th, 2013 12:32pm

What do you mean by correct MP or wrong MP? Do you have multiple MPs deployed for a single primary site?

When applications are stuck "waiting" that is a content lookup issue and has nothing to do with the MP generally. Have you reviewed CAS.log and ContentTransferManager.log? Have you verified the health of the MPs and that the clients are successfully connecting to and communicating with *all* of them?

1. No, not necessarily; however, the use of multiple MPs in a single primary site is for availability and cross-forest scenarios only.

2. Please define what you mean by monitor?

May 13th, 2013 12:53pm

In Configuration Manager (client), on the first tab, the first row is "assigned management point".

That is my problem.

It IS related to boundaries.

The CAS.log and ContentTransferManager.log look fine (almost no errors).

2.

You say that MPs cannot be monitored/controlled.

And DPs?

How can I change the currently assigned distribution point...?

May 13th, 2013 2:12pm

In Configuration Manager (client), on the first tab, the first row is "assigned management point".

That is my problem.

It IS related to boundaries.


No, it's not related.
#2: DPs are not assigned. They are looked up dynamically based on boundaries/boundary groups.
May 13th, 2013 2:35pm

The assigned MP refers to the fact that if a client "roams" into another primary site's boundaries or is within the boundaries of a secondary site, it will use the MP at that site to look up some information -- this is called its resident MP (if memory serves) but does not change its assigned MP, which comes from the primary site that it is a member of.
May 13th, 2013 2:39pm

I'm confused....

I have 1 site called ABC.

I have 3 management points (and distribution points) in different subnets (in different cities).

Each time the SMS_AGENT_HOST service starts, it picks up a random "assigned management point".

If it is outside the subnet, the client performs badly.

If it connects to the in-subnet server, the client performs OK.

I have no control over the "assigned MPs", but I am trying to control the boundaries.

Whenever a client has more than one option, it chooses the farthest point to connect to.

I have overlapping subnets in my domain, so I am defining the subnets manually and not by AD.

Still, although boundaries are limited, clients still connect to MPs outside boundaries.

I can't understand it.

Every time a client is acting weird, I look into the "assigned MP" and see it is outside boundaries.

Restarting the SMS_HOST_AGENT service causes the client to choose a different MP every time.

How can I control that?

May 13th, 2013 3:11pm

As mentioned above, MP location within a primary site has *nothing* to do with boundaries.

And, once again, as mentioned above, you can't control that without the use of secondary sites.

Finally, explicitly describe "performs badly" (generalities don't help us help you).

May 13th, 2013 3:20pm

Hi guys.

We had a holiday, I'm sorry for not responding.

The "badly" means that the apps/updates do not start installing; they are stuck on "waiting",

or that there are no programs available for installation.

May 16th, 2013 10:44am

OK, well as mentioned, that has nothing to do with the MP. If the MP communication were having issues, the client wouldn't have the deployment at all.

You need to review the log files (execmgr.log for packages and AppIntentEval.log, AppDiscovery.log, and AppEnforce.log for apps) along with the normal content download logs like CAS.log and ContentTransferManager.log.

If this is a content download issue, which I'm thinking it is, then it all comes down to your boundaries and fallback.

May 16th, 2013 12:56pm

I will look into that.

Thank you guys!

May 16th, 2013 4:22pm

I have a similar issue: I have a primary site and a secondary site. Boundaries are defined so that a group of clients grabs updates from the secondary site and also uses the management point in the secondary site.

Question 1) Do the clients need a connection back to the primary site MP before they know where to grab the updates? The reason I'm asking is because I want to control my clients to only take policy from my secondary site MP.

Question 2) What can I use to control or define my clients to only go to my secondary site MP to take instructions?

For your advice please.

September 3rd, 2015 3:27am

1. The exact times when a client needs to communicate with an MP in the primary are undefined. The only statement from Microsoft on this is that it must. There are a few times that we know it does, but that list is not necessarily comprehensive. For your question explicitly, no it shouldn't have to but that's not guaranteed so basing a design upon that premise would/could be bad. It's simply not what a secondary site is for.

2. You can't. This is by design behavior as a secondary site is *not* meant for isolation or segregation. There is a possible work-around but it involves setting up an additional MP for the primary site and forcing the clients at the location to use that MP.

September 3rd, 2015 12:40pm

Hi Jason, thanks for your advice. I'm having difficulty because I cut off access to the primary server using a NAC solution. Only when clients are patched with the latest patch does the NAC solution allow them to connect back to the primary; if not, they can only connect to the secondary MP and DP.

What's your take on this?

September 4th, 2015 3:33am

As I've mentioned multiple times, you are trying to do something that is not by design of the product and will cause you issues. This simply is *not* what secondary sites are for. If you truly want to achieve this, you will need to set up an additional site system hosting the needed site roles (MP, DP, SUP). Forcing the client to use these is non-trivial though as there's nothing really built in for this unless you are using Microsoft's NAP (which is deprecated).

Also note that clients *never* communicate with the primary site server. They may communicate with site roles (like the MP) that happen to be co-located on the primary site server, but there's no reason these roles need to be on the primary site server.

I understand your goal here, but is it truly a huge deal to have the clients communicate with this single system in order to remediate themselves?

September 4th, 2015 10:03am
