SOLVED SCCM clients not downloading updates from remote site

[adispy]

Hi,
As the title says, my clients from the remote site cannot download updates from the DP. The story goes like this:
- Primary site where SCCM is installed (siteA.local)
- Remote site with a totally different AD forest (siteB.local)
- VPN line between the two forests, ports are opened. From the remote site I can open the SCCM shares if I authenticate with a primary siteA.local account. In SCCM I have added a network account from the primary site (where SCCM lives), thinking this way clients from the remote site can use this account to authenticate (just in case).
- Added the remote site forest in SCCM, extended the schema on the remote site. Discovery and automatic client installs are working great, on both forests.
- Clients from the remote site report to SCCM for updates. I can see them in the required column. Updates are downloaded and published to the necessary device collections.
On the remote site if I open the Software Center I can see the updates and if I click Install they get stuck at Downloading 0%. After it times out, if I hit the Retry button, nothing happens. I was thinking it is because they cannot reach the DP, but I cannot find anything the log files.
I have bee searching trough client logs and I have no errors so I ended up here thinking that someone has gone trough this before.

Thanks in advance
Adrian

 

[Youssef Saad]

Hi,

Which type of SCCM site do you have setup in your remote forest? Secondary site, child primary?
Do you have a trusted relationship between the both forest? If not, you have to setup Network Access Account in your SCCM to connect into the second forest devices.

Have you configured your boundary groups for the remote site? Check if the concerned Distribution Point is correctly listed in this boundary group as Site Server Systems.

To troubleshoot the Software Updates installation issue, check the following log files located in "%WINDIR%\CCM\Logs":

• ClientLocation.log
• LocationServices.log
• WUAHandler.log
• UpdateDeployment.log
• CAS.log

 

[adispy]

Which type of SCCM site do you have setup in your remote forest? Secondary site, child primary?
None. I don't need a system site in my remote location. There are just 20 servers or so and the bandwidth is enough.

Do you have a trusted relationship between the both forest?
No. Don't need one since users don't need resource access from one forest to the other.

If not, you have to setup Network Access Account in your SCCM to connect into the second forest devices.
As I've said, I have set up a Network Access Account on my in my SCCM server using an account from siteA.local/primary site. I'm thinking that since the remote site clients need to authenticate to the SCCM shares they need an account from the primary site.

Have you configured your boundary groups for the remote site?
Yes, but here is a bit of configuration I do not like. The remote site has two subnets (192.168.90.0 and 192.168.100.0). The problem is that the router on the remote site does not know how to route two subnets (I'm trying to change it but it's up to the client) trough a VPN IPSec connection, so I had to supernet the subnet. In SCCM I put 192.168.64.0/18 to cover both the remote subnets.
The problem is not from here since communication works, DNS resolution works, I can access shares and UNC paths from the remote site to the primary site.

Check if the concerned Distribution Point is correctly listed in this boundary group as Site Server Systems.
It is. This is the first thing I have checked.

To troubleshoot the Software Updates installation issue, check the following log files located in "%WINDIR%\CCM\Logs":
Nothing on log files. It prints that it finds updates, but nothing about the download or the error message.

 

[adispy]

In the end I made it work.
I changed the boundaries supernet to the ones I have on the remote site. Looks like SCCM needs the actual subnet the client is in. It does not calculate the subnets and stuff.

Thanks Youssef for the input, much apprech...