MP site code on server auth header does not match any known site code.

Hey all,

I'm having a heck of a time with my first deployment of secondary sites. My primary site works just fine, and all the clients there are completely happy and functioning perfectly. Now, my secondary sites (two at the moment) are both failing. I've followed all the steps to get the secondary site servers installed correctly. The clients, though, are having major issues. The sites are set up by AD site, which is polled and populated by forest discovery, and each site is added into a boundary group.

I'm seeing errors

"No Location Reply received from <FQDN of secondary site server>"

and

"Failed to retrieve Root Site Code from AD with error 0x87d00215".

I've opened up all the correct firewall ports on the host and network firewalls. I've even done a packet capture on the client and saw the LDAP queries go through okay.

I've also noticed in the CertificateMaintenance.Log there are repetitive errors "MP Site code <sitecode> on server auth header does not match any known site code".

Does anyone have any ideas? Both of my secondary sites' clients are the same way. They can all pull their local site code just fine and "show up" in the console, but they don't pull any policy and only have the two actions.

Thanks!

May 15th, 2015 4:04pm

What is the purpose of Secondary sites in your environment? Would a remote DP work?

With that being said, did you extend AD and manually create the System Management container?  Did you grant your primary site server full control over this container?

May 15th, 2015 4:18pm

This environment is extremely high security, and each site has a very small amount of bandwidth on often saturated and unreliable links so I've chosen secondary sites.

Yes, the AD Schema is extended and the system management container is created. All of my clients in the primary site work perfectly, they all pull policy, report back inventory, etc. The system management container has a security group that contains all of the site servers as full administrators to all objects and descendants as well as them listed individually for troubleshooting purposes.

May 15th, 2015 4:27pm

What does your mpcontrol.log on your secondary sites show? Any errors in the status messages in the console? Are these HTTP or HTTPS MPs?
May 15th, 2015 4:56pm

There are no errors in the mpcontrol.log, only 200 responses.

"STATMSG: ..."

"Successfully performance Management point availability check against local computer"

"SSL is not enabled"

"Call to HTTPSendRequestSync succeeded for port 80 with status code 200, text: OK."


These are all HTTP for the time being, I will roll into HTTPS eventually but for now they are all HTTP only.

There are also no errors in the Site Status or Component Status portions of the console.


May 15th, 2015 5:02pm


How are you installing the clients exactly?
May 17th, 2015 10:53am

Initially I just copied the group policy that I was using for the primary site (which works fine) and changed the sitecode to the secondary site code and the MP to the secondary site server in the ADM templates (also had the .msi installing in the same policy, just like normal).

I've now switched to command line while troubleshooting this using 

\\<smbshare>\ccmsetup.exe smssitecode=<sitecode> mp=<MP>

Since that works fine in the primary site with the correlative site and MP.

May 17th, 2015 1:13pm

That's why. Clients cannot report to a secondary site so setting the site code to the secondary site's code is invalid. Clients only belong to primary sites and thus you can only specify a primary site's site code for client installation. Based upon boundaries within your content location boundary groups, clients will use an MP, DP, and SUP that belong to a secondary site though.

For reference: http://blog.configmgrftw.com/secondary-sites-and-boundary-groups/

May 17th, 2015 10:00pm
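
The diagnosis in the answer above, as an added PowerShell example that is not part of the thread: it extracts the site code from a ccmsetup command line, checks it against a site inventory, and counts the client log symptoms quoted earlier. The site codes (P01, S01, S02), host names, the site table and the log lines are constructed sample data, and the function names are hypothetical.

```powershell
# Added example. Site inventory is constructed: only primary sites manage clients.
$Sites = @{ 'P01' = 'Primary'; 'S01' = 'Secondary'; 'S02' = 'Secondary' }

# Symptom messages quoted in this thread, used as regular expressions.
$Symptoms = @(
    'No Location Reply received from',
    'Failed to retrieve Root Site Code from AD with error 0x87d00215',
    'MP Site code \w{3} on server auth header does not match any known site code'
)

function Get-InstallSiteCode {
    param([string]$CommandLine)
    # Site codes are three alphanumeric characters; anything else returns $null.
    if ($CommandLine -match '(?i)\bsmssitecode=(?<code>\w{3})\b') {
        return $Matches['code'].ToUpper()
    }
    return $null
}

function Test-ClientAssignment {
    param([string]$CommandLine, [string[]]$LogLines, [hashtable]$SiteTable)

    $code = Get-InstallSiteCode -CommandLine $CommandLine
    # Emit one hit per log line that matches any known symptom.
    $hits = foreach ($line in $LogLines) {
        foreach ($pattern in $Symptoms) {
            if ($line -match $pattern) { $pattern; break }
        }
    }
    $siteType = if ($code -and $SiteTable.ContainsKey($code)) { $SiteTable[$code] } else { 'Unknown' }

    [pscustomobject]@{
        SiteCode     = $code
        SiteType     = $siteType
        SymptomCount = @($hits).Count
        Verdict      = if ($siteType -eq 'Primary') { 'OK: assigned to a primary site' }
                       elseif ($siteType -eq 'Secondary') { 'Misassigned: reinstall with the primary site code' }
                       else { 'Site code missing or not in the site table' }
    }
}

# Constructed input mirroring the install command and errors reported in the thread.
$cmd = '\\fileserver\share\ccmsetup.exe smssitecode=S01 mp=sec01.example.test'
$log = @(
    'No Location Reply received from sec01.example.test',
    'Failed to retrieve Root Site Code from AD with error 0x87d00215',
    'MP Site code S01 on server auth header does not match any known site code'
)
Test-ClientAssignment -CommandLine $cmd -LogLines $log -SiteTable $Sites | Format-List
```

With the sample input the result reports site code S01 as a secondary site with three matching symptoms; replacing S01 with P01 in the command line changes the verdict to OK.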

 I want my secondary site server to be the MP and DP for clients at that site. So, if I'm understanding correctly I need to take these steps? 

- Turn off site assignments on boundary groups, but keep the secondary site server as the resource in the site

- Install the clients using the Primary site code, not the secondary site code

- Install clients using Primary management server

Is that correct?

May 18th, 2015 2:44pm

Depends. For the second point above, yes absolutely. You can't specify a secondary site's code because it cannot and does not manage clients.

Site assignment boundary groups will dictate where ccmsetup actually pushes from so that depends upon your intent. Same with number 3.

May 18th, 2015 3:30pm

Thanks! This worked! 

Now I have one other side question. Do you know of any good reference for ports that need opened from secondary site clients <--> Primary Site Management Point?

Thanks! 

May 21st, 2015 8:24am

Here you go:

https://technet.microsoft.com/en-us/library/hh427328.aspx

May 21st, 2015 9:43am

Do you know of any good reference for ports that need opened from secondary site clients <--> Primary Site Management Point?

Same as any client since technically clients aren't "secondary site clients". They will in general always use the MP within the secondary site based on content location boundary groups, but do also need to be able to communicate with the MP in the primary site (exactly when is undocumented and potentially undefined). This communication is no different than any other client communication which is all port 80 (or 443) by default to MPs (and 1023 for client notification although clients will fall back to 80/443 if 1023 is unavailable -- this does cause additional load on the MP though and should be avoided unless necessary).
May 21st, 2015 10:21am
