clients do not retrieve policy in Secondary site
Primary site is SCCM 2007 R2 SP2 in mixed mode. Secondary site is in a branch office (same domain) with a protected management point installed. The borders are configured. Clients on this secondary site are installed via logon script. The clients get installed well and are assigned to the primary site. They don't receive the policy from the protected management point. In the client logs I get these error messages:

LocationServices.log:
    Failed to verify the mp thumbprint with error '0x80040304'. LocationServices 9/2/2010 8:05:43 PM 1324 (0x052C)
    Failed to validate thumbprint with error 0x80070057. LocationServices 9/2/2010 8:05:43 PM 1324 (0x052C)
    Failed to validate the certificate ... (from the protected management point).

The client communicates with the local MP, but the communication fails due to a verification error. Reinstallation of the management point/client doesn't help. In mixed mode, do I have to import a certificate into the secondary site?
September 2nd, 2010 9:50pm

You shouldn't have to import a certificate. John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
September 2nd, 2010 10:00pm

There's no such thing as a "protected" MP. Also, note, clients do require access to the primary site's MP: http://social.technet.microsoft.com/Forums/en-US/configmgrgeneral/thread/05b8f031-7515-4f35-80e9-c54d1f16a7a7/. How are you verifying that the client is being assigned correctly? What command line is your logon script running to install the client? Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
September 2nd, 2010 10:58pm

Hi, I would look in the ClientIDManagerStartup.log file for errors. Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
September 3rd, 2010 7:17am

Hi all, In the ClientIDManagerStartup.log the client is assigned to the primary site and gets registered. The install command line is:

    <Secondary site\client$>\ccmsetup.exe /logon /mp:<Primary Site> SMSSITECODE=<Primary Site Code> SMSMP=<Primary Site> smsslp=<Primary Site> FSP=<Primary Site> DNSSUFFIX=<domain suffix> DISABLESITEOPT=TRUE DISABLECACHEOPT=TRUE

The client location log also seems to be ok:

    GetCurrentManagementPointEx Current Management Point is <Primary site server> with version 6487 and capabilities: <Capabilities SchemaVersion="1.0"/>.
    GetCurrentManagementPointEx Current Management Point is <Secondary site server> with version 6487 and capabilities: <Capabilities SchemaVersion="1.0"/>.

So both MPs are known ... Can it have something to do with the AD schema that is not extended?
September 3rd, 2010 11:14am

I don't think it's an issue with AD not being extended. If that were the case the MPs wouldn't be listed in the logs. Does the MP at the secondary site pass MPList and MPCert? John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
September 4th, 2010 12:54am

Hello, That's what I don't understand, the Management Point Troubleshooter post installation test runs without errors. The clients don't trust data coming from the secondary MP. I copied the (cert) regkeys of the primary MP to the secondary MP, but that didn't help ...
September 4th, 2010 6:15pm

Try a manual key exchange.

    SCCMINSTALLDIR\bin\i386\0000409\preinst.exe /keyforparent
    SCCMINSTALLDIR\bin\i386\0000409\preinst.exe /keyforchild

Copy the keys that get dumped to the root of the drives to the parent/child servers' hman.box. John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
September 4th, 2010 11:36pm
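The key exchange John describes, as an added example that is not part of the thread: a PowerShell script that runs preinst.exe with the chosen switch, picks up only the key file that run wrote at the root of the install drive, copies it into the other site's hman.box and verifies the copy by hash. The install path, the peer share layout (\\<peer>\SMS_<sitecode>\inboxes\hman.box) and the locale folder 00000409 are assumptions to adjust to your sites; the .CT4/.CT5 extensions are the ones the ConfigMgr 2007 preinst.exe documentation gives for /keyforparent and /keyforchild, and the script assumes preinst.exe returns exit code 0 on success.

```powershell
# Added example, not code from the thread. Run on the site server whose key
# you want to hand to its parent (/keyforparent) or child (/keyforchild).
# Assumed: default ConfigMgr 2007 install path, locale folder 00000409, a
# peer hman.box reachable as \\<peer>\SMS_<sitecode>\inboxes\hman.box, and
# preinst.exe exiting with 0 on success.
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('keyforparent','keyforchild')]
    [string]$Direction,

    [Parameter(Mandatory=$true)]
    [string]$PeerHmanBox,       # e.g. \\primary.domain.com\SMS_P01\inboxes\hman.box (assumed layout)

    [string]$SmsInstallDir = 'C:\Program Files\Microsoft Configuration Manager'
)

$ErrorActionPreference = 'Stop'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so the script also runs on the PowerShell 2.0 hosts of the era.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$preinst = Join-Path $SmsInstallDir 'bin\i386\00000409\preinst.exe'
if (-not (Test-Path $preinst))     { throw "preinst.exe not found: $preinst" }
if (-not (Test-Path $PeerHmanBox)) { throw "peer hman.box not reachable: $PeerHmanBox" }

# /keyforparent writes <sitecode>.CT4, /keyforchild writes <sitecode>.CT5,
# both at the root of the drive the site is installed on.
$ext       = if ($Direction -eq 'keyforparent') { 'CT4' } else { 'CT5' }
$driveRoot = [System.IO.Path]::GetPathRoot($SmsInstallDir)
$started   = (Get-Date).AddSeconds(-2)   # small slack for timestamp granularity

& $preinst "/$Direction" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "preinst /$Direction exited with $LASTEXITCODE" }

# Take only a key file written by this run; a stale .CT4/.CT5 from an earlier
# attempt would otherwise be shipped to the peer.
$keyFile = Get-ChildItem -Path $driveRoot -Filter "*.$ext" |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $started } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $keyFile) { throw "no new *.$ext file at $driveRoot after preinst /$Direction" }

$dest = Join-Path $PeerHmanBox $keyFile.Name
Copy-Item -Path $keyFile.FullName -Destination $dest -Force

# hman on the peer consumes and deletes the file, so verify the copy immediately.
$srcHash = Get-Sha256Hex $keyFile.FullName
$dstHash = Get-Sha256Hex $dest
if ($srcHash -ne $dstHash) { throw "copy verification failed for $dest" }

Write-Output ("Delivered {0} (SHA-256 {1}) to {2}" -f $keyFile.Name, $srcHash, $PeerHmanBox)
```

Run it once per direction (on the child with /keyforparent, on the parent with /keyforchild) and then watch hman.log on the receiving site server for the key file being processed; the hash printed lets you confirm that what hman consumed is the file preinst produced.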

Hi, I used the manual key exchange to allow communication between both sites. Is this the only key used for authentication ?
September 5th, 2010 9:44pm

Hi, have you installed a server locator point? This role is not mandatory but helpful in your environment. I am currently installing an SCCM solution for a client: SCCM 2007 SP2 R2 in mixed mode and Active Directory not extended, and the client installation works correctly after having installed a "server locator point" and after having added the name of the SLP in the client registry: HKLM\software\Microsoft\CCM SMSSLP. I also think that the MP of the primary site has to be accessible over the network. So check that the secondary site clients can contact the primary site server. Régis
September 8th, 2010 9:15am

Hi, The SLP is installed and known by the clients. I uninstalled the secondary site and the clients of the secondary site got their policy from the primary site => everything ok. The certificate validation errors stopped appearing in the LocationServices log. After reinstallation of the secondary site (+ manual key exchange) the clients chose the MP at the secondary site and ... the problem is back!

    Attempting to refresh certificate information from AD LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Failed to update certificate information from AD LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Refreshing Certifcate Information over HTTP LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:9BE22CD5-06D5-4566-887A-96B103D64DB1"; DateTime = "20100908144658.578000+000"; HostName = "secondary.domain.com"; HRESULT = "0x00000000"; ProcessID = 552; StatusCode = 0; ThreadID = 3688; }; LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Failed to validate thumbprint with error 0x80070057. LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:9BE22CD5-06D5-4566-887A-96B103D64DB1"; DateTime = "20100908144658.688000+000"; HostName = "primary.domain.com"; HRESULT = "0x00000000"; ProcessID = 552; StatusCode = 0; ThreadID = 3688; }; LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Failed to validate thumbprint with error 0x80070057. LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Failed to verify the mp thumbprint with error '0x80040304'. LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Failed to validate the certificate '308201D830...' from management point 'secondarySite' LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
    Raising event: instance of CCM_LocationServices_ManagementPointCertificate_CrossVerificationFailure { ClientID = "GUID:9BE22CD5-06D5-4566-887A-96B103D64DB1"; DateTime = "20100908144658.703000+000"; ManagementPoint = "SecondarySIte"; ProcessID = 552; ThreadID = 3688; }; LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
September 8th, 2010 4:06pm
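An added example, not from the thread, for triaging excerpts like the one above: a PowerShell function that parses LocationServices.log lines in the flattened layout the posts use ("message Component date time thread (0x...)"), attributes each "Failed to validate thumbprint" line to the host named in the preceding CCM_CcmHttp_Status event on the same thread (the thumbprint line itself names no host), and reports the failed AD refresh separately from the management points whose certificate failed cross-verification. The sample lines are constructed from the pattern in the post with a dummy client GUID and example host names; the function name is my own.

```powershell
# Added example, not code from the thread. Parses LocationServices.log lines
# as reproduced in the posts above and summarises certificate failures.

# Constructed sample in the posts' flattened layout (dummy GUID, example hosts).
$sample = @'
Attempting to refresh certificate information from AD LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Failed to update certificate information from AD LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Refreshing Certificate Information over HTTP LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:00000000-0000-0000-0000-000000000001"; HostName = "secondary.example.com"; HRESULT = "0x00000000"; ProcessID = 552; StatusCode = 0; ThreadID = 3688; }; LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Failed to validate thumbprint with error 0x80070057. LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:00000000-0000-0000-0000-000000000001"; HostName = "primary.example.com"; HRESULT = "0x00000000"; ProcessID = 552; StatusCode = 0; ThreadID = 3688; }; LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Failed to validate thumbprint with error 0x80070057. LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Failed to verify the mp thumbprint with error '0x80040304'. LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Failed to validate the certificate '308201D830...' from management point 'secondary' LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
Raising event: instance of CCM_LocationServices_ManagementPointCertificate_CrossVerificationFailure { ClientID = "GUID:00000000-0000-0000-0000-000000000001"; ManagementPoint = "secondary"; ProcessID = 552; ThreadID = 3688; }; LocationServices 8/09/2010 16:46:58 3688 (0x0E68)
'@

function Get-MpCertFailureSummary {
    param([string[]]$Lines)

    # Trailing stamp "Component date time thread (0xhex)"; the message is everything before it.
    $stamp = '^(?<msg>.*?)\s+(?<comp>\S+)\s+(?<date>\d{1,2}/\d{1,2}/\d{4})\s+' +
             '(?<time>\d{1,2}:\d{2}:\d{2}(?:\s?[AP]M)?)\s+(?<tid>\d+)\s+\((?<hex>0x[0-9A-Fa-f]+)\)\s*$'

    $lastHost = @{}            # thread id -> HostName of the latest CCM_CcmHttp_Status on it
    $summary  = @{
        AdRefreshFailed      = $false
        ThumbprintFailures   = @{}    # host -> number of "Failed to validate thumbprint" lines
        RejectedCertPrefixes = @()
        CrossVerifyFailedMps = @()
    }

    foreach ($line in $Lines) {
        if (-not ($line -match $stamp)) { continue }
        $msg = $Matches['msg']
        $tid = $Matches['tid']

        if ($msg -match '^Failed to update certificate information from AD') {
            $summary.AdRefreshFailed = $true
        }
        elseif ($msg -match 'CCM_CcmHttp_Status .*HostName = "([^"]+)"') {
            $lastHost[$tid] = $Matches[1]
        }
        elseif ($msg -match '^Failed to validate thumbprint with error (0x[0-9A-Fa-f]+)') {
            # The thumbprint line names no host; the HTTP status event just before it on
            # the same thread says which MP was being checked.
            $h = '<unknown>'
            if ($lastHost.ContainsKey($tid)) { $h = $lastHost[$tid] }
            if (-not $summary.ThumbprintFailures.ContainsKey($h)) { $summary.ThumbprintFailures[$h] = 0 }
            $summary.ThumbprintFailures[$h]++
        }
        elseif ($msg -match "^Failed to validate the certificate '([^']+)' from management point '([^']+)'") {
            $summary.RejectedCertPrefixes += $Matches[1]
        }
        elseif ($msg -match 'CrossVerificationFailure .*ManagementPoint = "([^"]+)"') {
            $summary.CrossVerifyFailedMps += $Matches[1]
        }
    }
    New-Object PSObject -Property $summary
}

$r = Get-MpCertFailureSummary -Lines ($sample -split "`r?`n")
"AD certificate refresh failed : $($r.AdRefreshFailed)"
foreach ($h in $r.ThumbprintFailures.Keys) {
    "thumbprint validation failed : $h ($($r.ThumbprintFailures[$h]) times)"
}
"cross-verification failed MPs : $($r.CrossVerifyFailedMps -join ', ')"
"rejected certificate (prefix) : $($r.RejectedCertPrefixes -join ', ')"
```

On the constructed sample this reports the AD refresh as failed (consistent with the unextended schema mentioned earlier in the thread), one thumbprint failure against each of the two hosts, and the secondary MP as the one whose certificate failed cross-verification. A raw CMTrace-format file wraps each entry as <![LOG[...]LOG]!><time="..." date="..." component="..." thread="..."> rather than the flattened layout pasted here, so adapt $stamp before pointing the function at the log on disk.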

Since you reinstalled have you tested the MP using MPcert and MPList? John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
September 9th, 2010 1:48am

Yes, I ran the Management Point troubleshooter for the MP on the secondary site, all tests passed! On the secondary site, under HKLM\software\microsoft\SMS\MP, the TrustedRootKey & the SignedSirealizedKey are empty. Is this normal?
September 9th, 2010 11:10am

Hello, Can I remove the PMP and just use the distribution point for that site ?
September 15th, 2010 3:54pm

Sure you can remove it but I consider that a workaround. I'd rather resolve the problem. John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
September 16th, 2010 2:45am

I agree, what can I do next to get this working ?
September 19th, 2010 9:26pm
