Support Tip: ConfigMgr 2012 client fails to register cross-forest when installed using the command line

~ Buz Brodin | Senior Support Escalation Engineer

FIXHi everyone Buz Brodin here with a Configuration Manager client install tip for you. If you install your Configuration Manager clients via the command line, you may encounter a problem where the clients fail to register in a cross-forest domain after the install is complete. If you look through the logs files trying to figure out why, you’ll see errors similar to the following:

Ccmmessaging.log:

Failed to decode message '{40B79D99-AF54-4DB8-93F4-C5337573D3E0}'. Hook authenticate. Error 0x87d00309
InvokeDecodingHooks failed (0x87d00309). CcmMessaging 7/1/2015 9:11:02 PM 5484 (0x156C)
HandleRemoteSyncSend failed (0x87d00309). CcmMessaging 7/1/2015 9:11:02 PM 5484 (0x156C)
CForwarder_Sync::Send failed (0x87d00309). CcmMessaging 7/1/2015 9:11:02 PM 5484 (0x156C)
CForwarder_Base::Send failed (0x87d00309). CcmMessaging 7/1/2015 9:11:02 PM 5484 (0x156C)

CertMain.log:

Failed to verify signature of message received from MP using name 'server.domain.com' CertificateMaintenance 7/1/2015 8:52:59 PM 5940 (0x1734)
CCMverifymessage 87d00309

LocationServices.log:

Persisting lookup management point 'server.domain.com' LocationServices 7/1/2015 8:52:59 PM 5940 (0x1734)
StatusAgent: HandleFSPCcmHttpStatus – Failed to retrieve internet, proxy or assigned MP. Assuming 'server.domain.com' is not a relevant MP. StatusAgent 7/1/2015 9:11:02 PM 4408 (0x1138)

ClientIDManagerStartup.log:
CCM::LocationServices::CcmRefreshSiteCode(), HRESULT=8000ffff (e:\nts_sccm_release\sms\framework\ccmid\regtask.cpp,218) ClientIDManagerStartup 7/1/2015 9:11:02 PM 5484 (0x156C)
RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 7/1/2015 9:11:02 PM 5484 (0x156C)

This problem occurs when Active Directory is not extended and you are also using the SMSDIRECTORYLOOKUP=NoWINS argument on the installation command line.

When you use SMSDIRECTORYLOOKUP=NoWINS in the command line, setup not only foregoes querying WINS, but it will not try to lookup the Management Point (MP) using HTTP either. While the most secure option for client configuration is in fact to use SMSDIRECTORYLOOKUP=NoWINS, it can be used only if your clients can query the global catalog, thus it should not be used for clients in remote forests or workgroups, or if the Active Directory schema has not been extended. If clients must use WINS for service location and SMSDIRECTORYLOOKUP=NoWINS is specified on the installation command line, service location will fail.

For more information please see the following:

Note that if no properties are specified, the client installs in Secure WINS mode. The Any WINS mode is not secure and is not recommended. For more information, see About Configuration Manager Client Installation Properties.

Buz Brodin | Senior Support Escalation Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

ConfigMgr 2012 r2 system center 2012 configuration manager system center 2012 r2 configuration manager