client in trusted domain not seeing site
I just installed a client in a trusted domain but the client is not connecting to the site. From the locationServices.log:

Processing pending site assignment.
Assigning to site 'A01'
LSVerifySiteVersion : Verifying Site Version for <A01>
LSGetSiteVersionFromAD : Failed to retrieve version for the site 'A01' (0x80004005)
Retrieved SLP [server.fqdn] from Registry
Attempting to retrieve SLPs from AD
Mixed-mode style request to http://fqdn/sms_slp/slp.dll?site&sc=A01 cannot be fulfilled since mixed-mode fallback is disallowed.
LSGetSiteVersionFromSLP : No site version returned from SLP for site <A01>
LSVerifySiteVersion: Failed to get Site Version from AD and SLP
Won't send a client assignment fallback status point message because the last assignment error matches this one.

site is in native mode, client has the client cert. Do I need to extend the schema in the trusted domain?

Rob Szarszewski
April 1st, 2011 4:24am

In ConfigMgr 2007, site information is only published to the domain in which the site server resides. Clients have no way of finding site information in any domain other than their own. Thus, it makes sense that clients, whether in a trusted domain or not, cannot find the info because it's not there for them to find.

You have two options, both involve installing an SLP:
- Configure the SLP (using the SMSSLP public property) on the command-line of ccmsetup (can be done in a variety of ways depending on your installation method)
- Publish the SLP in WINS so that clients can find it there

Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
April 1st, 2011 5:00am

Thanks Jason. I can just install the SLP role on a server right in the trusted domain? I don't need a secondary site, correct? Also, do I need to extend the schema for the trust domain?

Rob Szarszewski
April 1st, 2011 5:32am

Hi,

You should install the SLP role on the Primary Site Server, and then use the command-line as described above by Jason when installing the client. The clients in the trusted domain will not use the AD as they are in another domain, so NO, there is no reason for extending the schema.

Regards,
Jörgen
-- visit my System center blog at http://ccmexec.com --
April 1st, 2011 8:00am

Ah, I understand now. But I do have an SLP on the Primary and I did use SMSSLP=Server.FQDN in the client installation.

Rob Szarszewski
April 1st, 2011 4:38pm

I agree with Jorgen (sorry Jorgen, don't know how to type an umlaut). As for the secondary site, no you don't need one. Secondary Sites are for network traffic management and have nothing to do with authentication.

Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
April 1st, 2011 4:41pm

Verify that you put in the correct SLP, that it is reachable from the client and that your boundaries account for the client. This error message indicates an issue: "No site version returned from SLP for site <A01>"

Also, are you using the SMSSITECODE to assign a site code on the ccmsetup command-line? If not, add it with the appropriate site code (don't use AUTO).

Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
April 1st, 2011 5:13pm

"mixed-mode fallback is disallowed" This native mode client finds the server locator point but can't communicate with it over HTTP, which is the default behavior. To change this, see http://technet.microsoft.com/en-us/library/bb694220.aspx. More information: http://technet.microsoft.com/en-us/library/bb632728.aspx.
April 1st, 2011 10:35pm

Thanks, I'll review that document shortly and will report back my results.

Rob Szarszewski
April 1st, 2011 11:56pm

I got past that error, now another:

Current AD site of machine is RENWEGG LocationServices 4/3/2011 8:33:34 PM 4780 (0x12AC)
The 'Certificate Store' is empty in the registry, using default store name 'MY'. LocationServices 4/3/2011 8:33:35 PM 4780 (0x12AC)
Refreshing client operational settings over AD LocationServices 4/3/2011 8:33:35 PM 4780 (0x12AC)
Failed to update security settings over AD with error 0x80004005. LocationServices 4/3/2011 8:33:35 PM 4780 (0x12AC)
The 'Certificate Store' is empty in the registry, using default store name 'MY'. LocationServices 4/3/2011 8:33:35 PM 4780 (0x12AC)
No security settings update detected. LocationServices 4/3/2011 8:33:35 PM 4780 (0x12AC)
Attempting to retrieve default management point from AD LocationServices 4/3/2011 8:43:34 PM 4780 (0x12AC)
Retrieved SLP [SLP.fqdn.local] from Registry LocationServices 4/3/2011 8:43:34 PM 4780 (0x12AC)
Attempting to retrieve SLPs from AD LocationServices 4/3/2011 8:43:34 PM 4780 (0x12AC)
Retrieved SLPs from AD LocationServices 4/3/2011 8:43:34 PM 4780 (0x12AC)
Making mixed-mode style fallback request to SLP.fqdn.local. LocationServices 4/3/2011 8:43:34 PM 4780 (0x12AC)
Raising event: instance of CCM_CcmHttp_Status { DateTime = "20110403184335.349000+000"; HostName = "SLP.fqdn.local"; HRESULT = "0x00000000"; ProcessID = 2184; StatusCode = 0; ThreadID = 4780; }; LocationServices 4/3/2011 8:43:35 PM 4780 (0x12AC)
Retrieved Default Management Point from SLP: SLP.fqdn.local LocationServices 4/3/2011 8:43:35 PM 4780 (0x12AC)
Persisting the default management point in WMI LocationServices 4/3/2011 8:43:35 PM 4780 (0x12AC)
Persisted Default Management Point Location locally LocationServices 4/3/2011 8:43:35 PM 4780 (0x12AC)
Attempting to retrieve local MP from AD LocationServices 4/3/2011 8:43:35 PM 4780 (0x12AC)
Current AD site of machine is RENWEGG LocationServices 4/3/2011 8:53:35 PM 4780 (0x12AC)
The 'Certificate Store' is empty in the registry, using default store name 'MY'. LocationServices 4/3/2011 8:53:35 PM 4780 (0x12AC)
Refreshing client operational settings over AD LocationServices 4/3/2011 8:53:35 PM 4780 (0x12AC)
Failed to update security settings over AD with error 0x80004005. LocationServices 4/3/2011 8:53:35 PM 4780 (0x12AC)
The 'Certificate Store' is empty in the registry, using default store name 'MY'. LocationServices 4/3/2011 8:53:35 PM 4780 (0x12AC)
No security settings update detected. LocationServices 4/3/2011 8:53:35 PM 4780 (0x12AC)

Rob Szarszewski
April 4th, 2011 4:29am
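
Added example, not part of any post in this thread: a small Python triage of LocationServices.log text in the flattened layout pasted above (not the raw on-disk log format). It flags the messages quoted in the thread, including whether a native-mode client's HTTP request to the SLP was blocked or used. The label names, function names and sample host name are this example's own assumptions.

```python
import re

# Constructed sample in the flattened layout quoted in the thread; placeholder host name.
SAMPLE = (
    "Retrieved SLP [slp.example.local] from Registry LocationServices 4/3/2011 8:43:34 PM 4780 (0x12AC) "
    "Mixed-mode style request to http://slp.example.local/sms_slp/slp.dll?site&sc=A01 cannot be fulfilled "
    "since mixed-mode fallback is disallowed. LocationServices 4/3/2011 8:43:34 PM 4780 (0x12AC) "
    "LSGetSiteVersionFromSLP : No site version returned from SLP for site <A01> LocationServices 4/3/2011 8:43:34 PM 4780 (0x12AC) "
    "Making mixed-mode style fallback request to slp.example.local. LocationServices 4/3/2011 8:53:35 PM 4780 (0x12AC) "
    "Failed to update security settings over AD with error 0x80004005. LocationServices 4/3/2011 8:53:35 PM 4780 (0x12AC)"
)

# Trailer closing each entry: component, date, 12-hour time, thread id (decimal and hex).
TRAILER = re.compile(
    r"\s+(?P<component>\w+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+\d+ \(0x[0-9A-Fa-f]+\)\s*")

# Message fragments quoted in the thread, mapped to triage labels (labels are this example's own).
SIGNALS = {
    "mixed-mode fallback is disallowed": "http-slp-blocked",
    "Making mixed-mode style fallback request": "http-slp-used",
    "No site version returned from SLP": "slp-no-site-version",
    "Failed to retrieve version for the site": "ad-no-site-version",
    "Failed to update security settings over AD": "ad-security-refresh-failed",
}

def split_entries(text):
    """Split flattened log text into (message, component, date, time) tuples."""
    entries, pos = [], 0
    for m in TRAILER.finditer(text):
        entries.append((text[pos:m.start()].strip(), m["component"], m["date"], m["time"]))
        pos = m.end()
    return entries

def triage(text):
    """Return (date, time, label, message) for every entry matching a signal."""
    return [(date, time, label, msg)
            for msg, _comp, date, time in split_entries(text)
            for fragment, label in SIGNALS.items() if fragment in msg]

def http_fallback_state(text):
    """Report whether the most recent SLP request over HTTP was blocked or used."""
    labels = [hit[2] for hit in triage(text) if hit[2].startswith("http-slp-")]
    return labels[-1] if labels else "unknown"

if __name__ == "__main__":
    for date, time, label, msg in triage(SAMPLE):
        print(date, time, label, msg[:60], sep="  ")
    print("HTTP SLP state:", http_fallback_state(SAMPLE))
```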

I read this thread but got a bit confused. Did you extend the schema in any domain at all? If yes, take a look at the logfile extadsch.log on the root of the server where you ran the extension. Make sure it contains no errors. If you extended, is the System Management container in place, with the full control permissions for the site servers, even the secondary sites?

Follow me through my blog and Twitter!
April 4th, 2011 4:09pm

The schema is extended in the central site and we have been managing clients for a while now with no issues. A new domain has been set up with a trust and we are now trying to manage those clients. The client now installs but I receive the error in my last post from the locationservices.log. The client cert was not installed in the trusted domain; I'm trying that today, hopefully that's the issue.

Rob Szarszewski
April 4th, 2011 4:32pm

Hi Jason,

I have a new question regarding this discussion.

1. Can I assume that not seeing SCCM objects in the System Management container of trusted domains is correct?
2. I have an SLP and my clients have found its MP (clients are sending info to the MP). But the clients which are in a trusted domain are not being auto-approved (so MP_Control_Manager is rejecting them). What's the next step, or which direction should I research? I'm lost with this...

Thanks in advance
BMS
October 18th, 2011 4:06am

#1: yes. The System Management container will only be populated in the domain where a site server resides
#2: it depends on the approval settings of the site: http://technet.microsoft.com/en-us/library/bb694193.aspx

Torsten Meringer | http://www.mssccmfaq.de
October 18th, 2011 4:18am

1. OK
2. "Automatically approve computers in trusted domains" is configured... But it is not working, and there are no more errors than those about rejected clients. Is there any log where I could check the approval process?

Thanks
BMS
October 18th, 2011 4:26am

The approval process is documented here: http://blogs.technet.com/b/configurationmgr/archive/2010/01/20/how-it-works-automatic-client-approval-in-configuration-manager-2007.aspx

Torsten Meringer | http://www.mssccmfaq.de
October 18th, 2011 4:36am

MP_RegistrationManager.log and IIS log are both OK. There is a difference between the document scenario and my scenario. The document is related to a child domain, and my scenario is a different forest (trusted domain). I'll try to find out about network info. Any other suggestions?

BMS
October 18th, 2011 5:55am

Hi everybody!

I could solve the problem. That was a Kerberos issue. Our relationships between domain forests were made by domain instead of forest trust. We have corrected that and new clients are being auto approved automatically.

Environment: AD Forest Level 2003, Site Server WS2008 R2, SCCM 2007 R3, Mixed Mode

* Requirements for clients in a different trusted forest:
- Site must be able to resolve NetBIOS of clients (DNS suffix of different forest added to Site Server).
- Clients must have connection to MP FQDN (registered on DNS).
- SLP defined for clients (WINS and/or CCMSetup).

** Kerberos authentication between forests:
- Trust made between forests (not domain trust between different domain forests).

Hope this will be useful for others.

BMS
October 21st, 2011 3:55am

This topic is archived. No further replies will be accepted.
