Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

sccm primary site provisioning problem

idata
Employee
3,635 Views

Hi, I have installed my provisioning certificate on my parent SCCM server and I am able to provision clients that have their site settings pointing to this server.

We have quite a few branch offices that point to this parent SCCM server for its site settings and they are provisioning as well. However, one of our branch offices has its own primary child SCCM server on which none of the clients are getting provisioned.

They all have this error in the oobmgmt.log file:

<![LOG[Failed to Call CheckCertificate provider method, 80041001]LOG]!>

 

<![LOG[END]LOG]!>

Does anyone have documentation on how to set this up?

0 Kudos
16 Replies
Bruno_Domignues
Employee
2,518 Views

Stéphane,

Is your branch that is facing this provisioning problem using a different FQDN? See if this is not a case of a disjoint namespace: http://technet.microsoft.com/en-us/library/cc161803.aspx

Best Regards!

--Bruno Domingues

0 Kudos
idata
Employee
2,518 Views

Hey Bruno,

My parent SCCM server, which has the certificate installed on it, has a different FQDN than the branch server:

parent sccm server = serverA.ab.cde.fghi.ca

primary child sccm server = serverB.ab.cde.fghi.ca

My certificate was generated with an alias of = intelvpro.ab.cde.fghi.ca

The alias is pointing to serverA.

All branches are on the same domain, including serverB.

The fully qualified domain name string is the same but the host name is different.

Is that what you are asking??

Thanks

0 Kudos
idata
Employee
2,518 Views

Can someone help me with my previous question please?

0 Kudos
Bruno_Domignues
Employee
2,518 Views

Stéphane,

I'm not sure that I understand your case. Based on your last post, does this diagram represent your environment?

It means that you have a single forest, a single domain with multiple sites, correct? In this case, there is no reason for provisioning to fail, and we should look at other options... Please let me know if I understood correctly.

Best Regards!

--Bruno Domingues

0 Kudos
idata
Employee
2,518 Views

Yes, you got it. Single domain, single forest with multiple sites.

SCCM serverA is set up as primary parent, and the failing clients are on serverB, the SCCM primary child.

On serverA I noticed that, looking at the SCCM console site settings for serverB, the OOB component configuration options are there as well. Does it need to be configured there as well? You can set every option that you can on serverA under component configuration, then OOB console options, but the provisioning certificate and certificate template part is not available... In both boxes it says "not available on parent site", but my parent site is serverA.

Thanks for your help.

Stéphane

0 Kudos
Bruno_Domignues
Employee
2,518 Views

Stéphane,

I believe that the problem is because you are managing the child primary from the primary site.

Configuration Manager prevents you from configuring the AMT provisioning certificate in this case because it would result in overwriting the AMT provisioning certificate in the parent site.

Try configuring it directly from the child site.

Best Regards!

--Bruno Domingues

0 Kudos
idata
Employee
2,518 Views

OK, I just looked at the settings for this from the primary child. It looks like I need another provisioning certificate on my primary child SCCM server... right?

I tried pointing it to the primary parent prov cert but it brought up a certificate error??

Let me know.

Thanks

Stéphane

0 Kudos
Bruno_Domignues
Employee
2,518 Views

Stéphane,

As long as the child is part of the same DNS domain, there is no reason to use another certificate. Can you send me the error message and amtopmgr.log to make it easier to figure out what is going on?

Best Regards!

--Bruno Domingues

0 Kudos
idata
Employee
2,518 Views

Hi Bruno, sorry for the late reply.

Here are both the parent and primary child logs.

See attachment.

Please help me!!! :O)

Thanks

Stéphane

0 Kudos
Bruno_Domignues
Employee
2,518 Views

Stéphane,

Looking into your logs, I just found there are some vPro 2.2 versions trying to be provisioned, as shown in this piece of log:

Have you installed the Intel WS-Translator (http://software.intel.com/en-us/articles/intel-ws-management-translator/) in your SCCM? It's required to provision machines with ME firmware 3.2.1 and older.

About the certificate issue, can you send me the print screen of the OOB component directly from the primary child (using RDP), not from the parent? I can see this message in your logs:

Can you confirm vPro versions and also which certificate did you issue?

Best Regards!

--Bruno Domingues

0 Kudos
idata
Employee
2,518 Views

Hi Bruno,

The AMT versions 2.2 I am neglecting for now, as they will be getting life cycled shortly.

The versions I have in the child location are a mix of 3.2.1 up to 7.14 and pretty much everything in between.

These versions are provisioning fine in all other locations where their site settings point to the primary parent.

I am using a VeriSign cert.

As you can see in the screenshot below, there is partial info entered in the general tab on the component for the primary child. That is because when I configured the primary parent and all locations except the child started provisioning, I figured that the child needed the same configuration as the parent, so I put it in for a test. It did not seem to change anything, so I removed the info but could not remove the top 2 entries. Should the configuration be in the child as well? The cert I got from VeriSign was done based on the parent FQDN.

Please see attachment below.

Also, here is an oobmgmt log entry from one of those clients under the child location. All clients at the child location have these entries in the log:

<![LOG[Successfully submitted event to the Status Agent.]LOG]!>

 

<![LOG[Failed to Call CheckCertificate provider method, 80041001]LOG]!>

 

<![LOG[END]LOG]!>

Please advise, and thanks for your help.

Stéphane

0 Kudos
idata
Employee
2,518 Views

Hi Bruno, I have not gotten a reply to my last post yet.

I just thought of something that might help you help me.

When I got the VeriSign cert created, one of the questions was "How many servers is this cert for?" I picked one....

Should I have picked 2, since I have a primary parent and a primary child???

0 Kudos
Bruno_Domignues
Employee
2,518 Views

No, one certificate is fine.

0 Kudos
Bruno_Domignues
Employee
2,518 Views

Stéphane,

Yes, you must also configure the OOB component in the primary child; however, you should see that there is an appointment to the parent SCCM in the certificate configuration, since both are part of the same namespace. Did you see it?

The oobmgmt.log error is expected since you don't have any provisioning certificate in the child primary nor an appointment to the primary parent.

Can you compare what you see in the OOB configuration between the site that is working fine and this problematic one? What is the difference in the certificate configuration? Is the SCCM computer account of this child included in the AD group that has permission in the certificate template and also in the SCCM parent?

Best Regards!

--Bruno Domingues

0 Kudos
idata
Employee
2,518 Views

OK, so I remotely connected to my primary child and went into the OOB component configuration, and as you can see in my previous post I had attached oob component.png. The certificate part on the bottom asks you to browse to your certificate. Well, that certificate sits on my primary parent; I do not see that this is an appointment to the parent SCCM server from my child SCCM server.

You ask to look at the difference between parent and child. The only difference is that the parent has the certificate installed in IIS and the child does not. All the rest is the same.

I cannot pick the cert from the child SCCM server.

And yes, the child SCCM is in the same security groups as my parent, and that group is applied at the right locations.

Thanks

0 Kudos
idata
Employee
2,518 Views

I ended up calling MS SCCM support for this and they advised me to purchase a second certificate for my child SCCM and Bingo... it worked.

So in my environment a second provisioning certificate was required to be installed in the OOB management component configuration in SCCM on my child SCCM server as well.

0 Kudos