Certificates needed for Native Mode

The biggest problem, for me, with Native Mode were all the certificates that were needed. That’s why I created an table for myself with the basic certificates that are needed for Native Mode and where to add them. The “Where to add” column is based on Windows Server 2008.

ConfigMgr Component Use Where to add
Primary Site Server Document Signing ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode
Management Point, Proxy Management Point, Distribution Point, Software Update Point en (State Migration Point) Server Authentication (Web Server Template) IIS > -Right-click- Sites > Edit Bindings > HTTPS -Edit-
Client computers Client Authentication (Computer Template) GPO > Policies > Computer Configuration > Windows Settings > Security Settings > Public Key Policies > -Right-click- Certificate Services Client –Auto-enrollment
Operating System Deployment/PXE Client Authentication (Workstation Template) Don’t forget the option: Allow Private Key to be exported ConfigMgr > Site Management > Site Database > Primary Site > Site Settings > Site Systems > Properties ConfigMgr PXE Service Point > Tab Database
Root CA for OSD Root ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode > Specify Root CA Certificates…


For more detailed information: http://technet.microsoft.com/en-us/library/bb680733.aspx

Rename your ConfigMgr Primary Site

Once you have installed your ConfigMgr Primary Site it is not possible to change the name of your Primary Site. At least not through the console… But what if you made a mistake or your company changes it’s naming conventions?? Well there is one way to change it. First off all stop the SMS_EXECUTIVE Service. After that open the site control file (<Installation directory>\Microsoft Configuration Manager\inboxes\sitectrl.box\Sitectrl.ct0) and search for BEGIN_SITE_DEFINITION. Close to that you will find your Primary Site name and you can change it (do not change anything else!!). After this save the file and start the SMS_EXECUTIVE Service again. Then after a few site refreshes your Primary Site name wil be changed.

In some cases it could be possible that you also have to change the value of the regkey: HKLM\Software\Microsoft\SMS\Identification.

Update: Keep in mind that editing the sitectrl.ct0 is not supported by Microsoft!

ConfigMgr Backup in combination with WSUS

I noticed that the scheduled backup of ConfigMgr can conflict with the installation of WSUS. When you have WSUS 3.0 SP1 installed on the same machine as your ConfigMgr Site you can, at random occassions, get problems with your WSUS installation. This is what happens: During the execution of the ConfigMgr Backup it does some kind of a healthcheck. When it then notices that the SUP/WSUS is not responding good it will try to do an repair action of WSUS. At this point the problem starts, bacause the installer of WSUS 3.0 SP1 doesn’t have a repair function, so WSUS will get uninstalled… After this has happened you can get errors like “Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync SMS_WSUS_SYNC_MANAGER” in the ConfigMgr Site Status.

There are two ways to workarround this:

  • Disable the backup of ConfigMgr (not really an option).
  • Make sure that the ConfigMgr Backup can’t find the WSUS 3.0 SP1 installer. You can do this by editting (just change the name or the location of the MSI) the following registrykey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\<Random number>\InstallProperties] “LocalPackage”=”C:\\WINDOWS\\Installer\\<Random number>.msi” “DisplayName”=”Microsoft Windows Server Update Services 3.0”

They say it is getting solved in WSUS 3.0 SP2. When your interested in that you can join the RC Program on: https://connect.microsoft.com/site/sitehome.aspx?SiteID=110.

App-V future ready???

Let’s start my first post about App-V being future ready (or not). When I was trying to deploy an App-V Sequence on a Windows 7 Client (with App-V Client 4.5 CU1) the application didn’t seem to work… At first I thouhgt it was just me, so I recreated everything from scratch, but still no luck. The next step was to search on Google and here I found a very helpfull link: http://www.softgridblog.com/?p=126.

The solution is this: During the proces of making a sequence with the App-V Sequencer you get to tab Deployment. In this tab you can specify the Operating System (OS) on which this sequence can run. Before the App-V 4.5 CU1 version you didn’t have the option to select Windows 7. This means that the sequence will not be able to run on Windows 7. The sequence can only run on the OS that is selected on the Deployment tab (it is possible to change the OS directly in the OSD-file, for this you have to add an extra line like: <OS VALUE=”Win7″>).

After all this you can say that App-V is future ready, because by adding Windows 7 to the Deployment tab it was possible to deploy the sequence on Windows 7. Just a shame that you have to make changes to already excisting sequences…