SCCM 2007 secondary site not communicating with primary?
I am having issues getting my secondary site to communicate with my primary site.
My layout is a single primary site, with two servers: one for the FSP, and one for everything else, including SQL. There is one secondary site, with one server for all roles. This is a completely fresh deployment in a fresh domain. The AD schema is extended, and SCCM is published to AD.
I have performed a push install from the primary to the secondary, and there were no issues during the install, no errors reported. The services are started on the new secondary server, and the SCCM console shows the secondary site listed under the primary site, but it does not display any of the items that should appear nested below the secondary site. The secondary site icon has a small hourglass over it, and no meaningful options when I right click. The "properties" especially is missing.
The only thing I can attempt is "transfer site settings," and when I try to transfer primary site settings to the secondary site, the secondary site does not even appear in the list of available sites. I checked the database, and the dbo.Sites table lists both my primary and my secondary site. I've already installed Hotfix 845989, and while that did fix my status reporting issues, it hasn't done anything for this issue. From within the SCCM console, status messages are not available for the secondary site.
I can ping, telnet on 80, 443, 1433, etc from my secondary to my primary, with no issues. All SCCM site server computer accounts are local administrators on all SCCM site servers, so permissions should be fine. These permissions have been in place since before the initial server install. I don't see any glaring errors in any logs, but I don't really know what logs would be the best to search through.
Does anyone have any suggestions?
Thanks in advance,
Andrew
January 17th, 2008 12:56am
Hopefully you meant 945898 as the hotfix you applied :-)
My guess would be that the keys have not gotten exchanged yet. But to ensure, here's what I'd do:
* On the primary site, verify that the secondary site server computer account is a member of the SMS_SiteToSiteConnection_primarysitecode group. If you are using a user account for the site address, then the user account needs to be a member of the group instead of the site server computer account.
* On the secondary site, verify that the primary site server computer account is a member of the SMS_SiteToSiteConnection_secondarysitecode group. If you are using a user account for the site address, then the user account needs to be a member of the group instead of the site server computer account.
Assuming those are correct, then:
* On the secondary site, check the sender.log for any valid sends to the primary site. You should see some entries like "Sucessfully sent 1024 bytes".
If you see errors, then the error code will be something like error 53 (can't find the server), or error 5 (access denied - the site address account is not a member of the remote group above).
If that is good, then check the Despoolr.log on the parent site. It may be reporting that it is still waiting for keys. We would try to publish the keys to AD and retrieve them from there. That can take a while, so usually I manually transfer the keys using preinst.exe.
January 17th, 2008 1:24am
8s...9s...what's the difference! ;-)
So, yes, I did apply the proper hotfix.
* On the primary site server (site code "PGP"), the group "SCCM 2007 Servers" is a member of the Administrators, SMS_SiteSystemToSiteServerConnection_PGP, and SMS_SiteToSiteConnection_PGP groups. The "SCCM 2007 Servers" group contains the computer accounts for all my SCCM servers. My site address is not using a user account, it uses a site server computer account.
* On the secondary site server (site code "SAC"), the group "SCCM 2007 Servers" is a member of the Administrators, SMS_SiteSystemToSiteServerConnection_SAC, and SMS_SiteToSiteConnection_SAC groups. The "SCCM 2007 Servers" group contains the computer accounts for all my SCCM servers. My site address is not using a user account, it uses a site server computer account.
* My sender.log would appear to be indicating successful sends:
~Sending Started [C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\schedule.box\tosend\000000F3.Icq] $$<SMS_LAN_SENDER><Wed Jan 16 14:46:27.064 2008 Pacific Standard Time><thread=876 (0x36C)>
~Attempt to write 396 bytes to \\ABSVSCCM1.plygempw.local\SMS_SITE\2006RSAC.TMP at position 0 $$<SMS_LAN_SENDER><Wed Jan 16 14:46:27.064 2008 Pacific Standard Time><thread=876 (0x36C)>
~Wrote 396 bytes to \\ABSVSCCM1.plygempw.local\SMS_SITE\2006RSAC.TMP at position 0 $$<SMS_LAN_SENDER><Wed Jan 16 14:46:27.126 2008 Pacific Standard Time><thread=876 (0x36C)>
~Sending completed [C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\schedule.box\tosend\000000F3.Icq] $$<SMS_LAN_SENDER><Wed Jan 16 14:46:27.126 2008 Pacific Standard Time><thread=876 (0x36C)>
* The Despoolr.log seems to show an error:
~Waiting for ready instruction file.... $$<SMS_DESPOOLER><Wed Jan 16 14:32:13.671 2008 Pacific Standard Time><thread=5552 (0x15B0)>
~Cannot find a public key for instruction C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\despoolr.box\receive\ds_t5it3.ist coming from site SAC, retry it later $$<SMS_DESPOOLER><Wed Jan 16 14:32:13.656 2008 Pacific Standard Time><thread=5760 (0x1680)>
~Will retry instruction C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\despoolr.box\receive\ds_t5it3.ist 80 more times, the next retry is in about 60 minutes $$<SMS_DESPOOLER><Wed Jan 16 14:32:13.687 2008 Pacific Standard Time><thread=5760 (0x1680)>
So I will attempt to use preinst.exe to manually transfer the keys. I assume I need to transfer from primary to secondary and from secondary to primary, correct?
Thanks,
Andrew
January 17th, 2008 1:59am
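The log checks suggested earlier in the thread (successful sends, error 5, error 53, a missing public key) can be run over sender.log, Despoolr.log and hman.log text in the format quoted above. This is an added example, not part of the original posts or of Configuration Manager; the function names, the sample host `PRIMARY.example.test` and the sample file names are assumptions made for illustration.

```python
import re

# One entry in the log format quoted in this thread:
#   <text> $$<COMPONENT><timestamp><thread=N (0xHEX)>
ENTRY = re.compile(
    r"(?P<msg>.*?)\s*\$\$<(?P<comp>[^>]+)><(?P<ts>[^>]+)>"
    r"<thread=(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)>",
    re.DOTALL,
)
ERROR_CODE = re.compile(r"(?:Win32 error|error code) = (\d+)")
# The two Win32 codes named in the thread.
WIN32 = {5: "access denied", 53: "network path not found"}

def parse(text):
    """Split a raw log dump into entries, even when they run together."""
    return [
        {"msg": m["msg"].strip(" ~\r\n\t"), "comp": m["comp"], "ts": m["ts"]}
        for m in ENTRY.finditer(text)
    ]

def triage(text):
    """Return (component, finding) for the entries worth a second look."""
    findings = []
    for entry in parse(text):
        msg = entry["msg"]
        code = ERROR_CODE.search(msg)
        if "Cannot find a public key" in msg:
            kind = "missing public key"  # site keys not exchanged yet
        elif code:
            n = int(code.group(1))
            kind = f"error {n}: {WIN32.get(n, 'unmapped code')}"
        elif re.match(r"Wrote \d+ bytes", msg):
            kind = "send ok"
        else:
            continue  # e.g. "Waiting for ready instruction file"
        findings.append((entry["comp"], kind))
    return findings

# Constructed sample: host, file names and timestamps are placeholders.
STAMP = "<Wed Jan 16 14:46:27.126 2008 Pacific Standard Time><thread=876 (0x36C)>"
SAMPLE = "".join(f"~{msg} $$<{comp}>{STAMP}" for comp, msg in [
    ("SMS_LAN_SENDER", r"Wrote 396 bytes to \\PRIMARY.example.test\SMS_SITE\TEST.TMP at position 0"),
    ("SMS_DESPOOLER", "Waiting for ready instruction file...."),
    ("SMS_DESPOOLER", "Cannot find a public key for instruction ds_test.ist coming from site SAC, retry it later"),
    ("SMS_LAN_SENDER", "There is no existing connection, Win32 error = 5"),
    ("SMS_LAN_SENDER", "There is no existing connection, Win32 error = 53"),
])

print(triage(SAMPLE))
```

A "missing public key" finding on the parent's Despoolr.log alongside "send ok" on the child's sender.log matches the situation described in this thread, where the transport works but the site keys have not been exchanged.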
At the secondary site, you would run:
preinst /keyforparent
And then copy the file to the Inboxes\Hman.box on the parent site.
Then, on the parent site, you would run:
preinst /keyforchild
And then copy the file to the Inboxes\Hman.box folder on the secondary site.
Wait a couple of minutes, then the files in Inboxes\Despoolr.box\Receive should be processed.
January 17th, 2008 2:06am
OK, so keys are transferred. I am now seeing this type of error in my hman.log on the secondary server:
Active Directory DS RootC=plygempw,DC=local~ $$<SMS_HIERARCHY_MANAGER><Mon Jan 14 16:36:00.542 2008 Pacific Standard Time><thread=660 (0x294)>
Searching for the System Management Container.~ $$<SMS_HIERARCHY_MANAGER><Mon Jan 14 16:36:00.542 2008 Pacific Standard Time><thread=660 (0x294)>
System Management container exists.~ $$<SMS_HIERARCHY_MANAGER><Mon Jan 14 16:36:00.542 2008 Pacific Standard Time><thread=660 (0x294)>
Searching for SMS-Site-SAC Site Object.~ $$<SMS_HIERARCHY_MANAGER><Mon Jan 14 16:36:00.542 2008 Pacific Standard Time><thread=660 (0x294)>
SMS-Site-SAC doesn't exist, creating it.~ $$<SMS_HIERARCHY_MANAGER><Mon Jan 14 16:36:00.542 2008 Pacific Standard Time><thread=660 (0x294)>
SMS-Site-SAC could not be created, error code = 5.~ $$<SMS_HIERARCHY_MANAGER><Mon Jan 14 16:36:00.542 2008 Pacific Standard Time><thread=660 (0x294)>
STATMSG: ID=4913 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_HIERARCHY_MANAGER" SYS=SCSVSCCM1 SITE=SAC PID=2464 TID=660 GMTDATE=Tue Jan 15 00:36:00.542 2008 ISTR0="SMS-Site-SAC" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_HIERARCHY_MANAGER><Mon Jan 14 16:36:00.542 2008 Pacific Standard Time><thread=660 (0x294)>
Time to verify that the public key of current site server in the site control file is still valid. $$<SMS_HIERARCHY_MANAGER><Mon Jan 14 16:36:00.542 2008 Pacific Standard Time><thread=660 (0x294)>
I have assigned the "SCCM 2007 Servers" group full control on the AD System Management container and all child objects, but it appears I'm still getting access denied. I restarted the SMS_EXECUTIVE service on the secondary server to try and force it to write to AD, but no such luck.
Any more ideas?
Thanks,
Andrew
January 17th, 2008 3:09am
I've heard of others with issues using groups, but individual servers work. Maybe the server needs rebooted after being added to the group to get the token updated? By the way, this is a different question, so if you need a followup, I'd recommend creating a new thread so it can be tracked by the subject name, which is off topic now.
January 17th, 2008 3:24am
Hmm...so I lied. The object it said it couldn't create has been created...but no success was logged to hman.log.
So, the console is now showing the site properly, and I can configure it. Thanks for all the help!
Andrew
January 17th, 2008 3:31am
Hi there,
just got the same problem but after using preinst /keyforparent & /keyforchild nothing happens, it still shows:
~waiting for ready intraction file... $$<SMS_DESPOOLER>
When running preinst /keyforchild on the Parent Site Server I got a PC5 key instead of the already existing PC4 that I had in hman.box\pubkey
February 15th, 2008 1:21pm
"Waiting for ready instruction file" is normal, that just means there are no files to process.
When you run preinst /keyforchild, you do a .CT5 file. That is normal. You then drop this file in the hman.box folder on the child site.
February 15th, 2008 10:52pm
There was a problem with the public key. Parent site was expecting a .pkp file from the secondary site, while secondary site received (really fast) a same one from its parent site. So I manually create the pkp file and it works.
It was not enough to copy the .CT5 and .CT4 files to hman.box folders, it needed an extra help
Thanks for your help
February 18th, 2008 1:05pm
Wally [MSFT] wrote:
I've heard of others with issues using groups, but individual servers work. Maybe the server needs rebooted after being added to the group to get the token updated? By the way, this is a different question, so if you need a followup, I'd recommend creating a new thread so it can be tracked by the subject name, which is off topic now.
YES ! This was the problem in my case.... and now is OK.
March 11th, 2008 6:49pm
When running the command "preinst /keyforchild" on the secondary site server I get an error message that says "You can only run this utility on an SMS site server and you must be a local administrator on the site server". Any ideas are appreciated.
February 4th, 2009 5:57pm
This fixed my issue. Thanks a lot :)
May 10th, 2009 2:59pm
Can someone put some light on how to solve this issue?
Message Details
Timestamp: 6/10/2009 4:42:16 PM
Message Type: Milestone
Site Code: CP1
Message ID: 11423
System: 2UA8320QD9
Process ID: 1648
Source: SMS Client
Thread ID: 2948
Component: Software Updates Scan Agent
Severity: Error
Description
Scan component (type=Microsoft Update) failed. A failure code of 5 was returned.
Properties
Client SMS Unique ID: GUID:15A43CB1-8569-4AA5-A47A-1DF947322F4D
UpdateSourceUniqueID: {66388233-D225-4697-8697-B48CC0C2FF56}
June 11th, 2009 12:11am
I am having a similar issue where the secondary site seems to not communicate with parent site. However, the site servers are already members of the SMS_SiteToSiteConnection_ groups, the despool.log is able to find the key and yet the sender.log continues to show error 5.
SECONDARY SITE SERVER
DESPOOL.LOG entry
CPublicKeyLookup::GetNextKey() Found Key: 0602000000A400005253413100040000010001006F7AE86B9BB5AF8B156CB5AAE507C949EEACF85F67FC7A814CA6B05DB18EF3E342B8C730967BBE1130929D5279E196FB8C84C6C5CA1137AF601D81C1F48A47346D01970A57FD19E49D47702236A22EC37905517C23680572A96ED624C81CF892CAD4D207D6DBF10CB2BE4FC3D2B9872C77B32484B773C886B58C79477684B4AD  SMS_DESPOOLER  8/25/2009 7:24:20 PM  8116 (0x1FB4)
SENDER.LOG entry
FQDN for server TORSCCMP1 is TORSCCMP1.parentdomain.com.in  SMS_LAN_SENDER  8/25/2009 7:59:25 PM  9948 (0x26DC) ****
There is no existing connection, Win32 error = 5  SMS_LAN_SENDER  8/25/2009 7:59:28 PM  9948 (0x26DC)
There is no existing connection, Win32 error = 5  SMS_LAN_SENDER  8/25/2009 7:59:28 PM  9948 (0x26DC)
Error during connection to \\TORSCCMP1.parentdomain.com.in\SMS_SITE (5).  SMS_LAN_SENDER  8/25/2009 7:59:28 PM  9948 (0x26DC)
Error is considered fatal.  SMS_LAN_SENDER  8/25/2009 7:59:28 PM  9948 (0x26DC)
**** note that this entry in the log should read as follows: the FQDN should be TORSCCMP1.parentdomain.com - however, all other components are working ok, the ConfigMgr shares are available by using either name
PRIMARY SITE SERVER
SENDER.LOG
Wrote 1024 bytes to \\BANG-SCCM-01.parentdomain.com.in\SMS_SITE\210NRSIG.PCK at position 0  SMS_LAN_SENDER  08/25/09 9:54:17 AM  8364 (0x20AC)
Attempt to write 299 bytes to \\BANG-SCCM-01.parentdomain.com.in\SMS_SITE\210NRSIG.PCK at position 1024  SMS_LAN_SENDER  08/25/09 9:54:17 AM  8364 (0x20AC)
Wrote 299 bytes to \\BANG-SCCM-01.parentdomain.com.in\SMS_SITE\210NRSIG.PCK at position 1024  SMS_LAN_SENDER  08/25/09 9:54:18 AM  8364 (0x20AC)
Sending completed [Q:\Program Files\Microsoft Configuration Manager\inboxes\schedule.box\tosend\0000B987.P61]  SMS_LAN_SENDER  08/25/09 9:54:18 AM  8364 (0x20AC)
DESPOOL.LOG
Verified package signature from site IND  SMS_DESPOOLER  08/25/09 8:42:10 AM  10756 (0x2A04)
CPublicKeyLookup::CPublicKeyLookup("IND")  SMS_DESPOOLER  08/25/09 8:42:10 AM  10756 (0x2A04)
Signature checked out OK for instruction coming from site IND, proceed with the instruction execution.  SMS_DESPOOLER  08/25/09 8:42:10 AM  10756 (0x2A04)
What could be my problem?
August 25th, 2009 9:14pm
My issue is now resolved. It was a DNS/WINS setup issue. Thanks for the opportunity to ask questions in these forums.
Ramon
August 28th, 2009 10:27pm
There was a problem with the public key. Parent site was expecting a .pkp file from the secondary site, while secondary site received (really fast) a same one from its parent site. So I manually create the pkp file and it works.
It was not enough to copy the .CT5 and .CT4 files to hman.box folders, it needed an extra help
Thanks for your help
Hi Alex, welcome to the 3 years ago! I get the very same, some messages are now being read but a lot of them are not and I see it's looking for the pkp file.
How did you "manually create" it? Just create an empty file?
Edit: No need, I had to copy it to the root dir NOT the pubkey... the tool even says so. The spooler processes the CT4 file and creates a pkc file in the pubkey folder.
January 11th, 2011 2:15pm