Re: Provisioning stopped after CA Rebuild

idata · ‎10-08-2009

Good Morning,

I've gotten to provision approximately 200 vPro clients using SCCM SP1. The process was running nice and smoothly for months now. However, do to unforeseen circumstances, our Network group had to rebuild our CA. Supposedly, everything has been restored to the way it once was, however, I am seeing a consistent break in the process.

Going to our OOB MP and looking at the amtproxymgr.log file, I see: "ERROR: ICertRequest2->Submit failed: 0x80070005."

I've seen this error early on when first building out our infrastructure. We have a multi-domain hierarchy and our CA sits in our top level "Domain1.com" and the OOB Management point sits in "Domain2.com". Refering to Microsoft's guidance here http://technet.microsoft.com/en-us/library/cc161803.aspx http://technet.microsoft.com/en-us/library/cc161803.aspx, we needed to add SCCM.Domain2.com to CERTSRV_DOM_ACCESS sitting in Domain1.com.

In the past, this resolved our issue and we were able to begin provisioning. Now, hoever, with the assurances that were given about the environment being restored, we are seeing the same issue where the chain is not being validated due to a block in rights.

My question is this, do we need to remove and then rebuild the OOB Mgmt Role on our Management Point for the provisioning process to be restored? Or could it be that there is still an oversite in that our OOB was not actually added to the correct Security group to manage the provisioning certificate?

Any help would be GREATLY appreciated.

Best Regards,

Johnny Cadavid

Matthew_R_Intel · ‎10-08-2009

Johnny,

The submit failure usually cased by... Not being able to find the Issuing CA or the SCCM Site Server not having sufficent permission to request the certificate. I would recommend checking the following...

Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Servers has the appropriate permission. SCCM SP1 Help File Article: "[Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management|http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx]"; Section: "Preparing the Web Server Certificates for AMT-Based Computers".
Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "[How to Configure AMT Provisioning|http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx]"; Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.

--Matt Royer

idata · ‎10-08-2009

Matt,

Like I said, the environment was happily chugging along until the CA was rebuilt. I really don't want to rebuild the OOB Role from scratch if I don't have to because nothing was touched. Is it a matter of a GUID changing or something that would cause this to happen? I'm just trying to get an understanding of why.

Matthew_R_Intel · ‎10-08-2009

If they rebuilt the CA infrastructure... i would make sure the CA template that you are explecting to use is still there and you still have the appropriate permissions to that template.

--Matt Royer

idata · ‎10-19-2009

Matt,

Thanks for the pointer. It ended up being that the OOB MP wasn't actually placed in the CERTSRV_DCOM_ACCESS Security Group for the CA in our top domain. After a reboot, the provisioning started working. It's brought up another interesting problem, but I am going to start a new thread for that.

Thanks Matt!