RealityShift
Hello! I have read/watched a lot of your guides and found them very helpful. I'm having a very annoying problem that I have not been able to solve in the past 2 weeks, so I'm reaching out for help.
I'm working on implementing an IBCM system in our SCCM 2012 R2 SP1 environment. The IBCM server is to be a DP, MP, and SUP. In this context, the IBCM server will be called IBCM and the primary site server will be called SCCM.
Our layout:
In private layer - SCCM.company.local
DMZ layer - IBCM.company.local with external FQDN of IBCM.company.com (also configured on the site system)
Proper firewall ports are opened between SCCM and IBCM, as well as between IBCM and the internet client.
I got a functional PKI structure set up and configured the DP and MP on the IBCM server successfully. I am able to push applications and policy to our internet clients perfectly fine. This was tested by deploying an application that was only distributed to the IBCM server.
I installed the SUP role on ports 8530/8531 and set it to require SSL and set to internet-only clients (the SCCM SUP is set to 80/443 and intranet-only clients).
I have imported the SSL cert into the IIS HTTPS binding. I configured WSUS to require SSL on APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, SimpleAuthWebService followed by using the command `WsusUtil configuressl ibcm.company.local`. Lastly, I ran command `.\WsusUtil.exe usecustomwebsite true` and did a `WsusUtil checkhealth` which shows healthy and no errors in eventvwr.
On SCCM, in the WCM.log, I see that it lists 2 SUP servers:
```
Changes in active SUP list detected. New active SUP List is:
SUP0: SCCM.company.local, group = SCCM.company.local\MICROSOFT##WID, nlb =
SUP1: IBCM.COMPANY.LOCAL, group = IBCM.COMPANY.LOCAL\MICROSOFT##WID, nlb =
```
On the client, inside the WUAHandler log, I see:
`Existing WUA Managed server was already set (http://SCCM.company.local:8530), skipping Group Policy registration.` and `OnSearchComplete - Failed to end search job. Error = 0x8024402c.`
Within WindowsUpdate.log on the client, I see `Server URL = http://SCCM.company.local:8530/SimpleAuthWebService/SimpleAuth.asmx`
When using WMI Explorer, the namespace `ROOT\ccm\SoftwareUpdates\WUAHandler` has a class called CCM_UpdateSource which contains an instance whose content location is set to `http://SCCM.company.local:8530`
Now I feel like all these are incorrect and it should be pointing at `https://IBCM.company.com:8531`
I'm having an incredibly hard time tracking down why the client is either a) Not getting the policy to look at the ibcm server even though I'm 100% sure IBCM DP/MP works or b) Why the IBCM MP is not pushing the correct wsus configuration to the client.
Here are some other notes/facts about my situation:
- There is no GPO configuring WSUS
- The registry key `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer` is `http://SCCM.company.local:8530`
- The registry key `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer` is `http://SCCM.company.local:8530`
- I have removed and re-added both the SUP and WSUS individually
- Confirmed client's configuration manager indicates "Currently Internet"
- Wiped client's policy cache with `Invoke-WMIMethod -ComputerName localhost -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule "{00000000-0000-0000-0000-000000000040}"` and requested new policy
- Reinstalled client's configuration manager
- Confirmed client can navigate to `https://IBCM.com:8531/Selfupdate/wuident.cab` and `https://IBCM.com:8531/ClientWebService/wusserverversion.xml` which ensures connectivity to the WSUS administration site is working properly without certificate errors.
- When running "Software Update Scan Cycle" -> Nothing shows in WindowsUpdate.log or WUAHandler.log
- Rebuilt WMI repository on the client
- On SCCM, WCM.log shows successful connection to both SCCM.company.local and IBCM.company.local
- On IBCM, WsusCtrl.log shows `Successfully connected to local WSUS server`
- Have rebooted client and IBCM server multiple times
Any help would be GREATLY appreciated!
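
The client-side checks described in the post, gathered into one script so the three places that hold the update server URL can be compared side by side and any plain-HTTP value stands out. This is an added example, not part of the original post; the function names, the default expected URL (taken from the post) and the default log path are assumptions, and it targets Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Run on the affected client in an
# elevated Windows PowerShell session. Parameter defaults are assumptions.
function Test-SupUrl {
    param([string]$Source, [string]$Url, [string]$Expected)
    $uri = $null
    $ok  = [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)
    [pscustomobject]@{
        Source          = $Source
        Url             = $Url
        IsHttps         = ($ok -and $uri.Scheme -eq 'https')
        MatchesExpected = ($ok -and $Url.TrimEnd('/') -ieq $Expected.TrimEnd('/'))
    }
}

function Get-ClientSupState {
    param(
        [string]$ExpectedSup = 'https://IBCM.company.com:8531',   # URL the post expects
        [string]$LogPath = "$env:windir\CCM\Logs\WUAHandler.log"  # default client log path
    )
    # 1. Windows Update Agent policy values quoted in the post
    $wu = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = if ($wu) { $wu.$name } else { $null }
        Test-SupUrl -Source "Registry:$name" -Url $value -Expected $ExpectedSup
    }
    # 2. Update source the ConfigMgr client holds in WMI
    Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' -Class CCM_UpdateSource -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SupUrl -Source 'WMI:CCM_UpdateSource' -Url $_.ContentLocation -Expected $ExpectedSup }
    # 3. Most recent server that WUAHandler.log reports as already set
    $pattern = 'Existing WUA Managed server was already set \((?<url>[^)]+)\)'
    $hit = Select-String -Path $LogPath -Pattern $pattern -ErrorAction SilentlyContinue |
        Select-Object -Last 1
    if ($hit) {
        Test-SupUrl -Source 'Log:WUAHandler' -Url $hit.Matches[0].Groups['url'].Value -Expected $ExpectedSup
    }
}

Get-ClientSupState | Format-Table Source, Url, IsHttps, MatchesExpected -AutoSize
```

A row with `IsHttps` false shows the client would scan over unencrypted HTTP; a missing `WMI:CCM_UpdateSource` row means no update source instance is present in that namespace.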