Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2916 Discussions

DCOM 10009 - problem during client web cert provisioning

MEdwa5
Beginner
1,857 Views

Our Enterprise team did some work on our Enterprise CA environment last month, and it appears to have broken vPro in-band provisioning.

system is SCCM 2007 SP2 R2

Provisioning was working fine until they moved CA Issuing from one set of Servers (Server1,Server2 - both Server 2003) to another set of servers (ServerA,ServerB - both Server 2008 R2).

The provisioning process works fine up until the point where the OOB Mgt point is expected to retrieve the AMT client Web server cert... it times out after 5 RETRYs. (this is step 10c here: http://technet.microsoft.com/en-us/library/cc431371.aspx http://technet.microsoft.com/en-us/library/cc431371.aspx)

We've recreated the template on the new CAs, made sure to choose Server 2003 as the type. If I open the Certificates MMC on the OOB Mgmt Point, I can successfully enroll a cert from the template. Certutil command on the OOB Mgmt Point shows the two new Issuing CA servers (ServerA,ServerB). The interesting* thing is that I get DCOM errors in the SYSTEM log that correlate exactly to the times in the amtopmgr.log when it is trying to enroll the AMT client web certs on the clients:

DCOM was unable to communicate with the computer SERVER1.domain.org using any of the configured protocols.

Why is it apparently trying to retrieve the cert from the old Issuing CA (Server1)? My only thought is that SCCM hardcodes this into WMI or something at the time the OOB Mgmt Point is installed...which would really suck.

Any ideas out there?

thanks

Mark

*it's not really that interesting

0 Kudos
2 Replies
idata
Employee
808 Views

Did you reconfigure your SCCM out-of-band settings to point to ServerA as instead of Server1? If you use the WS-MAN translator, you will need to update the setting in there as well. Finally, you will want to make sure that you have the updated and full cert chain for your new CA environment in your SCCM server's computer account trusted root cert store.

-Dan

0 Kudos
Bruno_Domignues
Employee
808 Views

Mark,

Can you send the amtopmgr.log in order that I can see what's going on?

Have you restarted the SMS Execute after you changed the CA appointment? As far you changed the server, did you granted SCCM computer account permission on new server template?

Possibles causes on top of my head.

My two cents!

--Bruno Domingues

0 Kudos
Reply