Ok, here's results for others in same mess.
Decided to start with fresh SCE install (boss preferred, so skipped trying TechNet article). Ergo, deleted AD stuff (GPOs, SCE Managed Computers Group, and SCP (using adsiedit)). Joined computer to domain (had reset computer account in AD, thus, reused it, no problem encountered.) Installed SQL Server 2008, then SQL 2008 SP3, rebooted. Installed SCE 2010; ran into three issues:
- Forgot to make SCE account local admin, was prompted, did on the fly, got past issue.
- WSUS invalid date - ignored it since SCE bits contained WSUS SP2 (latest) and OS is 2008 R2 SP1; after some searching online, assumed error due to R2 being at SP1 which was after SCE RTM release.
- IIS not installed. Oh yes it was, including ASP.Net service, along with .NET 3.5.1, and a reboot for good measure after. SCE install log indicated failed on no IIS Admin service and sure enough the service was not installed. Well, the service is not installed on IIS 7 or later unless IIS 6 stuff also installed. So, installed that, any other IIS role service I thought might be needed and, jic, Application Server role. And rebooted. Reran setup, issue resolved.
Ran wizard to set up GPOs, etc... Ran Discovery, pushed agent to several servers and my computer over existing agent (from defunct SCE). Ran into issues:
- Computers were showing up in SCE management console but were not added to SCE Managed Computers Group. Found blog post on SCE install that said a reboot of SCE server fixed issue, and thankfully after reboot all computers appeared in the group.
- Windows Update registry settings for WUserver and WUStatusServer were missing on the computers. However, remnants left over from defunct SCE for TargetGroup and TargetGroupEnabled were there. But of course those groups no longer existed. I recreated them and repopulated them as before.
- SCE Managed Computers Group Policy was not being applied, even well after computers were in SCE Managed Computers group. So that explained #2. gpupdate did nothing. gpresult showed (variously) Access Denied, Inaccessible Data, and Unknown Reason as causes. Even after removing agent, rebooting, reinstalling agent on one server and my computer as a test. GP looked good in GPMC - scope was correct and the SCE server and SCE Managed Computers Group had Read and Apply Group Policy permissions. No network issues, etc.
I noticed that in the policy's Delegation tab, Advanced, when viewing Advanced Settings, the SCE server and the SCE Managed Computers group had the permissions on "This object only". Whereas the other groups/user (except Creator owner) had "This object and all descendant objects". That seemed to explain Access Denied and Inaccessible Data. So I changed the setting to the latter. After that change the policy got applied. Not sure if that is the correct solution (can't find documentation on what setting should be) but it worked. GP got applied and the registry settings got added. Hoping everything sticks.
Joan
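
The "applies to" scope of each GPO permission entry and the Windows Update policy values described in the post can be listed with a read-only check like this one (an added example, not part of the original post). The GPO display name is a placeholder to replace, and the registry path assumed is the standard Windows Update policy key, read on a managed client.

```powershell
# Added example: read-only audit, nothing is modified.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy, ActiveDirectory

# Assumption: placeholder, replace with the GPO display name shown in GPMC.
$GpoName = '<SCE managed computers GPO display name>'

# rightsGuid of the "Apply Group Policy" extended right.
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Get-GPO exposes the DN of the GPO's directory object in .Path.
$gpo = Get-GPO -Name $GpoName
$acl = Get-Acl -Path ("AD:\" + $gpo.Path)

# InheritanceType None = "This object only";
# InheritanceType All  = "This object and all descendant objects".
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ Name = 'AppliesTo'; Expression = {
            switch ($_.InheritanceType) {
                'None'  { 'This object only' }
                'All'   { 'This object and all descendant objects' }
                default { "$_" }   # inside switch, $_ is the InheritanceType value
            } } },
        @{ Name = 'ApplyGroupPolicy'; Expression = { $_.ObjectType -eq $ApplyGpoRight } } |
    Sort-Object AppliesTo, IdentityReference |
    Format-Table -AutoSize

# On a managed client: the Windows Update policy values the post mentions.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wuKey) {
    $wu = Get-ItemProperty -Path $wuKey
    foreach ($name in 'WUServer', 'WUStatusServer', 'TargetGroup', 'TargetGroupEnabled') {
        $value = $wu.$name
        if ($null -eq $value) { $value = '<missing>' }
        '{0,-20} {1}' -f $name, $value
    }
} else {
    "No Windows Update policy key at $wuKey"
}
```

Comparing the `AppliesTo` column for the SCE server and managed-computers group against the other trustees shows the difference the post describes without opening the Advanced Settings dialog.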