Software update catalog permissions
Hi
I have 2 domains, domain1.com and domain2.com. In domain1.com I have installed SCCM2012 SP1 and want to update machines from domain2.com. There is no trust relationship between these two domains.
I created the folder \\10.10.10.1\Updates on the SCCM2012 server, where all necessary updates were downloaded. I set the sharing and NTFS permissions on this folder to read & write for Everyone.
When I deploy the updates I see in Deployment Status an error for all servers from domain2.com with info Access Denied and error code 0x80070005 and last logon user as (SYSTEM).
I believe it's because these machines can't get access to the share in domain1.com where the updates and distribution point are located.
All clients on servers in domain2.com successfully communicate with the SCCM2012 server in domain1.com.
Manually I can get to the Updates share from domain2.com to domain1.com by typing the path, but it always asks for credentials.
What do I need to change to make the software update process work?
- Edited by bllitz 20 hours 6 minutes ago
September 13th, 2013 11:12am
The ConfigMgr client is going to try to download content from a distribution point over HTTP (or HTTPS), not over a file share.
Are the workstations in domain2 able to get to the Software Update Point to even do their scan? By default with Server 2012, this will be port 8530 (or 8531 if using SSL).
September 13th, 2013 11:24am
Also, do you have a network access account defined?
Are the clients Win7?
If so, do they have the hotfix from KB2522623 installed?
September 13th, 2013 11:36am
When I type http://10.10.10.1:8530 on one of the clients I get 403 forbidden: access denied. Yes, the workstations are able to communicate with the SUP; all functions of the client are working, reporting etc.
September 13th, 2013 11:38am
Thanks for checking on that.
So, you will want to move on through the log files for Software Update Management and for finding/downloading content.
I would start with C:\Windows\WindowsUpdate.log for obvious stuff (like Group Policy pushing those workstations to another WSUS server).
The ConfigMgr logs that have to do with software update management (like Update*.log) are described here:
http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_SU_NAPLog
Let us know what you find,
Nash
September 13th, 2013 11:43am
I enabled directory browsing on IIS on the SCCM2012 server and now I can list http://10.10.10.1:8530
The clients are Windows 2003.
Network access account?
September 13th, 2013 11:44am
Servers are reaching the correct update server, SCCM2012, where WSUS is also installed. I checked in WindowsUpdate. The rest of the update*.log files didn't show any errors. In CIDownloaded.log there is something like this:
CAS failed to download update (a38dae17-a65e-4663-9a0e-b8f7d5a883f3). Error = 0x80070005. Releasing content request.
September 13th, 2013 12:04pm
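Added example (not part of the thread and not Microsoft tooling): a small Python triage script for ConfigMgr client logs copied off a client, which pulls failure HRESULTs out of each entry and groups them by component and update ID. The `<![LOG[...]LOG]!>` wrapper layout, the component name and the sample entries are constructed assumptions; only the `CAS failed to download update` message is taken from the post above.

```python
import re
from collections import defaultdict

# Assumed CMTrace-style entry layout: <![LOG[message]LOG]!><... component="X" ...>
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><[^>]*?component="(?P<component>[^"]*)"', re.S)
# Failure HRESULTs have the top bit set, so the first hex digit is 8-F.
HRESULT = re.compile(r'\b0x[89A-Fa-f][0-9A-Fa-f]{7}\b')
GUID = re.compile(r'\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b')
KNOWN = {0x80070005: "E_ACCESSDENIED"}

# Constructed sample entries (timestamps, thread ids and file fields are made up).
SAMPLE = '''<![LOG[Download requested for update (a38dae17-a65e-4663-9a0e-b8f7d5a883f3)]LOG]!><time="12:03:58.120+000" date="09-13-2013" component="CIDownloader" context="" type="1" thread="2216" file="sample.cpp:1">
<![LOG[CAS failed to download update (a38dae17-a65e-4663-9a0e-b8f7d5a883f3). Error = 0x80070005. Releasing content request.]LOG]!><time="12:04:11.530+000" date="09-13-2013" component="CIDownloader" context="" type="3" thread="2216" file="sample.cpp:2">
<![LOG[CAS failed to download update (A38DAE17-A65E-4663-9A0E-B8F7D5A883F3). Error = 0x80070005. Releasing content request.]LOG]!><time="12:09:11.530+000" date="09-13-2013" component="CIDownloader" context="" type="3" thread="2216" file="sample.cpp:2">
'''

def decode(code):
    """Split an HRESULT into its facility (bits 16-26) and low 16-bit error code."""
    return {"facility": (code >> 16) & 0x7FF,
            "code": code & 0xFFFF,
            "name": KNOWN.get(code, "unknown")}

def failures(log_text):
    """Map (component, hresult) to the sorted, de-duplicated update IDs it affected."""
    hits = defaultdict(set)
    for entry in ENTRY.finditer(log_text):
        msg = entry["msg"]
        for code in HRESULT.findall(msg):
            key = (entry["component"], int(code, 16))
            hits[key].update(g.lower() for g in GUID.findall(msg))
    return {key: sorted(ids) for key, ids in hits.items()}

if __name__ == "__main__":
    for (component, code), ids in failures(SAMPLE).items():
        info = decode(code)
        # Facility 7 is Win32; code 5 is "access denied".
        print(f"{component}: 0x{code:08X} {info['name']} "
              f"(facility {info['facility']}, code {info['code']}) updates={ids}")
```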
>When i deploy the updates i see in Deployment Status error of all servers from domain2.com with info Access Denied and error code 0x80070005 and last logon user as (SYSTEM)
You should see some errors in the client logs that correspond to what you were seeing in the console.
Have you defined a Network Access Account for these devices? They will not have permissions to download using their computer account since they are not in a trusted forest.
September 13th, 2013 12:11pm
I see it is not; I will do it right away, but can you please explain? What account should I use as this Network Access Account: some account from domain2.com (server domain) or some account from domain1.com (SCCM server domain)? Also, what else will I need to change to make it work? Do I need to assign permission to some folder for this account?
PS.
I created the NAA as an account from domain1.com (SCCM2012 server domain) and this account has local admin rights on the SCCM2012 server. Is this the correct way? Do I also need to modify something on the client side to use this account for accessing updates?
- Edited by bllitz 18 hours 48 minutes ago
September 13th, 2013 12:20pm
You would need to use an account from domain1 as your network access account since there is not a full trust. Create an account specifically for this (and don't use it for anything else). The network access account is specified in Administration > Site Configuration > Sites > Select your site, and then under Configure Site Components > Software Distribution on the Network Access Account tab.
>Do i need to assign permission to some folder to this account?
No, ConfigMgr clients DO NOT access network folders to download content for software distribution or software update management; they download it over HTTP/HTTPS from a distribution point. Do NOT give access to any content source location folders to all users. It may be helpful for you to look at the Microsoft Virtual Academy course for ConfigMgr 2012, as well as the TechNet Virtual Labs for Content Management, Application Management, and Software Update Management.
I hope that helps,
Nash
September 13th, 2013 12:35pm
I created the account as you wrote. Should I now update something on the client side to let the servers know to use this account to download the update content?
September 13th, 2013 12:42pm
They will need to update machine policy to find out about this change.
September 13th, 2013 12:43pm