Hello SCCM Experts,
The complex situation is as follows:
* SCCM CB - Primary Site PR1 in my normal domain Mydomain.Contoso.CA with servers:
SERVER02 (SUP)
SERVER03 (MP-DP-FSP-SUP)
SERVER04 (DP)
SERVER07
In my DMZ (=PAZ) domain DMZdomain.Contoso.CA, I have 2 new servers that communicate with my Primary Site PR1:
DMZSERVER01 (MP-DP)
DMZSERVER02 (SUP)
The goal is to support SCCM clients (servers 2016 and 2012r2) in the DMZ through these 2 new servers.
There are of course firewall rules between the domains, and we have already troubleshot and opened the SCCM required ports there.
We configured a new Boundary IPSubnet 192.168.26.0 (for DMZ SCCM clients) with site systems DMZSERVER01.DMZdomain.Contoso.CA and DMZSERVER02.DMZdomain.Contoso.CA, part of a new BoundaryGroup called 'BG_PAZ' with References DMZSERVER01.DMZdomain.Contoso.CA and DMZSERVER02.DMZdomain.Contoso.CA (and the fallback relationships are empty).
There is an Active Directory site Boundary called 'Site-HQ' linked to AD Site Name 'Site-HQ' (which is used in our current domain Mydomain.Contoso.CA) with site systems SERVER02.Mydomain.Contoso.CA, SERVER03.Mydomain.Contoso.CA, SERVER04.Mydomain.Contoso.CA and SERVER07.Mydomain.Contoso.CA, part of a BoundaryGroup called 'BG_HQ' with References to the 4 servers (and the fallback relationships are empty).
BUT what I found out is that there is also the same AD Site Name 'Site-HQ' in the DMZ domain DMZdomain.Contoso.CA, and as indicated in the SCCM client log LocationServices.log ("Current AD site of machine is Site-HQ") it would probably mean overlapping boundaries?
Problem: I cannot change this AD Site Name in the DMZ domain for now.
Anyway, coming back to the main concern: my SCCM clients in the DMZ are not working with the correct SUP. Because I was unable to switch to my expected SUP DMZSERVER02 by using the client notification 'switch to next SUP' on a few clients, I decided to take another client as a concrete example of my general issue. Here I forced the 'switch to next SUP' multiple times through the console:
--> At this point, this SCCM client had the correct SUP values in the registry and in the registry.pol file = http://DMZSERVER02.DMZdomain.Contoso.CA:8530
- extract from the LocationServices.log (shows my 3 SUPs):
Calling back with the following WSUS locations
WSUS Path='http://DMZSERVER02.DMZdomain.Contoso.CA:8530', Server='DMZSERVER02.DMZdomain.Contoso.CA', Version='213', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'
WSUS Path='http://SERVER02.Mydomain.Contoso.CA:8530', Server='SERVER02.Mydomain.Contoso.CA', Version='213', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'
WSUS Path='http://SERVER03.Mydomain.Contoso.CA:8530', Server='SERVER03.Mydomain.Contoso.CA', Version='213', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'
see attached logs ScanAgent.log and WUAHandler.log
--> [STEP 1] from console switch to next SUP + force cycle on client 10/06/2019 1:48:23 PM
==> registry values and registry.pol SUP = http://SERVER02.Mydomain.Contoso.CA:8530
==> NO errors. Access to SERVER02 is OK (probably because of some open FW rules towards this server)
--> [STEP 2] from console switch to next SUP + force cycle on client 10/06/2019 1:52:24 PM
==> registry values and registry.pol SUP = http://SERVER03.Mydomain.Contoso.CA:8530
==> ERRORS! Access to SERVER03 is NOT OK! (because FW rules block access outside the DMZ)
--> [STEP 3] from console switch to next SUP + force cycle on client 10/06/2019 1:56:25 PM
==> registry values and registry.pol SUP = http://SERVER02.Mydomain.Contoso.CA:8530 !!!!!
==> No more switching to the original http://DMZSERVER02.DMZdomain.Contoso.CA:8530 ???!!!
==> NO errors. Access to SERVER02 is OK (probably because of some open FW rules towards this server)
--> [STEP 4] from console switch to next SUP + force cycle on client 10/06/2019 2:00:25 PM
==> registry values and registry.pol SUP = http://SERVER03.Mydomain.Contoso.CA:8530 !!!!!
==> No more switching to the original http://DMZSERVER02.DMZdomain.Contoso.CA:8530 ???!!!
==> ERRORS! Access to SERVER03 is NOT OK! (because FW rules block access outside the DMZ)
So, I did not figure out why it is no longer switching to the original SUP = http://DMZSERVER02.DMZdomain.Contoso.CA:8530 ???!!!
It stays looping between SERVER02 and SERVER03 only!
Can you please help understanding what's going on?
We even tried on a client to force-push a domain GPO for SU pointing to http://DMZSERVER02.DMZdomain.Contoso.CA:8530, but it still gives errors in the scan/wuahandler logs.
I hope you can give me some help with this.
Thank you in advance
Vincent
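As an added check that is not part of the original post: a PowerShell script to run on one of the DMZ clients. It reports the AD site the client resolves (the name an AD-site boundary matches on, so an identical 'Site-HQ' in both domains looks the same to the client), the SUP currently in effect (the WUServer value the ConfigMgr client writes as local policy from registry.pol), and every SUP the MP returned in LocationServices.log, each with a TCP connect probe on its port so a firewall block is visible before the next scan cycle fails. With the three entries quoted above, the expected picture is one reachable DMZ SUP and two HQ SUPs of which SERVER03 times out; all three carrying LocalityEx='BOUNDARYGROUP' rather than a fallback locality is consistent with the client being matched into both boundary groups. The log path and the constructed sample lines used when no log is present are assumptions.

```powershell
# Added example, not part of the original post: on a DMZ client, list the SUPs the MP
# handed back (from LocationServices.log), mark the one currently in effect
# (local policy written from registry.pol) and probe TCP reachability of each.
# Assumptions not in the post: the default client log path, and the constructed
# sample lines used when the log is absent (copied from the poster's extract).

param(
    [string]$LogPath   = "$env:SystemRoot\CCM\Logs\LocationServices.log",
    [int]   $TimeoutMs = 3000
)

# 1. AD site as the client sees it. An AD-site boundary matches on this name only,
#    so the same name in two domains is indistinguishable to the client.
try {
    $adSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
} catch {
    $adSite = "unknown ($($_.Exception.Message))"
}

# 2. SUP currently in effect: the ConfigMgr client writes it as local policy
#    (registry.pol), which surfaces under this key as WUServer.
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$current = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).WUServer

# 3. SUP candidates. The regex ignores the CMTrace <![LOG[...]LOG]!> wrapper,
#    so it works both on the raw file and on the plain lines quoted in the post.
$pattern = "WSUS Path='(?<path>[^']+)',\s*Server='(?<server>[^']+)'.*?LocalityEx='(?<locality>[^']+)'.*?SUPFallbackIn='(?<fallback>\d)'"

if (Test-Path -Path $LogPath) {
    $lines = Get-Content -Path $LogPath
} else {
    # Constructed sample: the three entries from the post, used only when no log is present.
    $lines = @(
        "WSUS Path='http://DMZSERVER02.DMZdomain.Contoso.CA:8530', Server='DMZSERVER02.DMZdomain.Contoso.CA', Version='213', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'",
        "WSUS Path='http://SERVER02.Mydomain.Contoso.CA:8530', Server='SERVER02.Mydomain.Contoso.CA', Version='213', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'",
        "WSUS Path='http://SERVER03.Mydomain.Contoso.CA:8530', Server='SERVER03.Mydomain.Contoso.CA', Version='213', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'"
    )
}

# The log repeats the callback on every location request; keep one entry per path.
$candidates = @{}
foreach ($line in $lines) {
    if ($line -match $pattern -and -not $candidates.ContainsKey($Matches.path)) {
        $candidates[$Matches.path] = [pscustomobject]@{
            Path     = $Matches.path
            Server   = $Matches.server
            Locality = $Matches.locality
            Fallback = $Matches.fallback
        }
    }
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; a firewall drop shows up as a timeout here.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$report = foreach ($c in $candidates.Values) {
    $uri = [Uri]$c.Path
    [pscustomobject]@{
        Server    = $c.Server
        Port      = $uri.Port
        Locality  = $c.Locality
        Fallback  = $c.Fallback
        Current   = ($null -ne $current -and $c.Path.TrimEnd('/') -eq $current.TrimEnd('/'))
        Reachable = Test-TcpPort -HostName $uri.Host -Port $uri.Port -TimeoutMs $TimeoutMs
    }
}

"Client AD site : $adSite"
"Current SUP    : $current"
$report | Sort-Object Server | Format-Table -AutoSize
```

Run it elevated on the affected client after each 'switch to next SUP' so the Current column tracks the change; the probe only proves the TCP port is open through the firewall, not that the WSUS scan itself will succeed, so pair a Reachable=False result with the matching failure in WUAHandler.log before concluding it is a firewall rule.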