Updates from the TechNet Forums – Internet-Based Client Management

I’ve recently been involved with some interesting issues reported on the TechNet forums that relate to Internet-based client management. Two resulted in KBs and the third is a confirmation of a change in behavior in SP1. All three resulted in revisions to the March documentation update that is going out with the RC release of Configuration Manager 2007 SP1.

The TechNet System Center Configuration Manager forums (https://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=488&SiteID=17) are a great way to report problems and learn from other people’s experience – as well as help other customers. The writers on my team monitor these forums not just to help out with customer problems, but also as a cross-check with the documentation to make sure that what customers report matches the documented behavior. When it doesn’t, we investigate the disparity to see if we need to make revisions to the documentation. If we’ve documented the expected behavior but it doesn’t match what customers report seeing, we often work with the product group and Customer Support Services (CSS) to identify the problem and file bugs for a fix.

As these examples show, the forums are a great resource to help drive customer feedback into the documentation and the product, as well as resolving problems. However, the forums are not designed to address urgent issues. If you cannot find the answer to your urgent problem in the product documentation, available KBs, or by searching the community resources, use the regular support channels such as CSS or your Technical Account Manager.

KB 950023: Internet-based clients in System Center Configuration Manager 2007 may be unable to run software distribution advertisements on the Internet

Boundaries are an intranet-only concept. They are used for auto-site assignment, for finding the closest distribution points when clients request content, and for conserving bandwidth on the corporate network. None of these apply when clients are on the Internet:

  • You cannot use auto-site assignment when clients are on the Internet because domain controllers and a server locator point are not available to clients when they are on the Internet. One of these must be available for clients to automatically locate their site.
  • There is no concept of finding the closest distribution point or roaming when clients are on the Internet. When a client on the Internet requests content from its Internet-based management point, all the Internet-based distribution points from the client’s assigned site will be returned to the client without any regard to location or bandwidth.

Because boundaries do not apply to Internet-based clients, content that is available on Internet-based distribution points is expected to always download and run when it is requested by clients on the Internet, regardless of the boundary configuration for the software update deployment or software distribution advertisement. So we were perplexed when customers reported different behavior on the forum, telling us that an advertisement would run only when the fast boundary was changed from “run from the distribution point” to “download and run”.

Sometimes on the forums, it can seem like nothing is happening with reported problems because there is no response. But often this can mean that people are investigating but there isn’t yet a conclusive answer to post – and this is what happened in this case. Behind the scenes, a lot of people got involved with tracking this issue down to eventually confirm a very complicated bug. In particular, I would like to thank Stan White, and our two testers - Adam Meltzer (for confirming the software distribution advertisement behavior) and Eric Mowery (for confirming software update deployment behavior). Thanks also to our CSS contacts, Brent Dunsire and Jack Hou, for helping to get the resulting KB published quickly.

Unfortunately, this problem will not be fixed in SP1 so you must follow the workaround instructions in the KB. We were just in time to add this to the troubleshooting content in the March documentation update – it appears under both Troubleshooting Software Distribution Issues and Configuration Manager Client Native Mode and Internet-Based Client Management Issues.

KB 950024: You experience issues in the Configuration Manager console when you try to configure connections for Internet clients in System Center Configuration Manager 2007

This one is a good example of why you need to clue up on the documented product and feature dependencies rather than expecting the product to do it for you (see October 2007 blog entry: Getting To Know Your Dependencies).

Secondary sites do not support Internet-based client management, but there’s nothing to stop you from configuring a secondary site system with an Internet FQDN. In addition to this configuration not working (site systems in secondary sites will never be returned to clients on the Internet), the Configuration Manager console behavior is inconsistent, ranging from not showing the options for Internet connections (distribution points), to showing them although they will never work (management point and software update point), to console errors and a crash (fallback status point).

Particularly in the case of the fallback status point, it can be difficult to work out that the console unloads when you try to configure the fallback status point properties because of a setting in the site system properties – the Internet FQDN.

We’ve revised the March documentation to help make this dependency clearer, and the KB provides more details and workarounds if you find yourself in this situation. But I’m sure that there are more examples where unexpected things happen if you try to configure an unsupported scenario. We can’t test and document all possible ramifications of configuring an unsupported scenario, so it really pays to check the prerequisites first. Search for “Prerequisites for” in the Configuration Manager library. For more information, see the above referenced blog posting for getting to know your dependencies.

Running an unscheduled advertisement on the Internet for a low-rights user – fixed in SP1 Beta 1 onwards

There was a limitation in Configuration Manager at RTM that only a user with admin rights could interactively run an advertisement when the client computer was on the Internet. For users without admin rights (low-rights users) you had to configure the advertisement to be scheduled for it to run on the Internet. This behavior and configuration might not be obvious, but it was well documented in the following topics:

This limitation is fixed in SP1, from Beta 1 onwards. However, the fix is client-side and not server-side so don’t expect it to be fixed as soon as you upgrade your site – you need to upgrade the client as well. So if this RTM limitation affects you, it makes sense to prioritize upgrading Internet-based clients when SP1 is released.

An interesting observation that our tester, Tony Meng, passed on to me was that in this scenario, you might notice an initial delay that you won’t see with a user with admin rights. This is because the client first tries to access the native mode certificate in the current user context, which will fail because a low-rights user doesn’t have rights to the computer certificate store. It retries to make sure it wasn’t a transient error. Then it accesses the computer certificate in the system context, which succeeds. So when you’re testing this, you might see an initial delay when a low-rights user tries to download an advertisement on the Internet using the SP1 client in comparison to when an admin runs the same advertisement. Tony's useful tip is that this difference is expected and the initial delay doesn’t mean that there’s a problem. Outside the testing environment, a user is unlikely to notice anything because it is not unusual to experience small delays on the Internet.

We’ve revised the March documentation to include this SP1 change in behavior, and it also fixes a text error in the flowchart that we initially missed. The last decision point in the flowchart is supposed to display: “Program set to run with admin rights?”.

 

Finally, I would like to say a "hello" and thank you to Jason Scovill, who reported two of these three issues in the forum and patiently worked with us. Other customers will thank you, Jason!

- Carol Bailey

This posting is provided “AS IS” with no warranties and confers no rights.