System Center Configuration Manager (SCCM) can be a great endpoint management solution for your on-premises IT infrastructure. Yet as many SCCM admins can attest, the software is quite complex, and there are many subtle places where things can go wrong. In this blog we’ll explore some troubleshooting tips that can be used to diagnose and remediate challenges with the SCCM Distribution Point (DP) role.
It is highly recommended to use the Current Branch of SCCM. The new in-place servicing upgrades work well on the whole and make it much easier to keep the server up-to-date than with past 2012 versions, not to mention the additional cloud integration capabilities provided, such as Co-Management.
However, with recent builds such as 1806 and 1902, you may have encountered some issues with Distribution Points following the upgrade. During and after SCCM servicing, the Primary Site Server will notify all other Site Servers in the hierarchy that it is being serviced. It will then proceed to transmit the updated binaries for the roles and trigger a reinstall of them as necessary; some roles will always be reinstalled. You can follow along with what is happening during the upgrade by viewing the details of the patch progress in the console, or by watching the CMUpdate.log using CMTrace.exe.
With the subtle issue described here, the site upgrade completes successfully, and everything appears to have gone right. But afterwards, you notice the Distribution Point(s) are behaving strangely.
For example, when running a Task Sequence in WinPE, the “Use Toolkit Package” steps may first fail with 0x800700A1 (aka, the specified path is invalid) and then become 0x8007002 – access denied! In some circumstances, this can indicate when the client’s OS disk isn’t yet partitioned, and thus it can’t lay down binaries or temp files beyond those in the RAM Disk. But in this case, diskpart shows the OS disk is ready:
This can be symptomatic of an unhealthy distribution point. The issue will manifest if the IIS virtual directories are missing on the DP, which similarly results in “path is invalid”. It may occur even though the rest of the role appears healthy and content has replicated, etc. Yet it won’t be working 100% correct. In IIS, the App Pool “SMS Distribution Points Pool” should have the following 8 apps running:
If the App Pool shows less than 8 apps, then the DP IIS configuration is corrupted. In this example screenshot, there are only 2 apps, which means it won’t work right. Manual steps are needed to correct it.
Uninstall the DP role in the SCCM console as normal. Wait at least 30 minutes for this process to execute.
Uninstalling via removing the role reports success according to distmgr.log, but stuff may be left over. And if you just try reinstalling at this point, it still does not fully re-add all the IIS apps.
Manually cleanup the leftovers: remove the Apps, then delete the empty App Pool from IIS, reboot, then reinstall the DP role so everything gets recreated properly. If you don’t take the extra step of deleting the App Pool, it still won’t get recreated properly, because the pool itself is what’s corrupted.
You must first delete all the DP apps before it lets you remove the pool itself:
Now with IIS emptied of DP apps, reboot the DP, then re-add the role via the SCCM as usual.
The installer is supposed to run the DISM command below to add all the required IIS roles if you check the box to “Install and configure IIS”, but occasionally these steps can be skipped, for example if IIS has already been configured on the DP by some other application. You can manually run this to double-check:
#Command line to install IIS for SCCM DP (retrieved from the log):
dism.exe /online /norestart /enable-feature /ignorecheck /featurename:"IIS-WebServerRole" /featurename:"IIS-WebServer" /featurename:"IIS-CommonHttpFeatures" /featurename:"IIS-StaticContent" /featurename:"IIS-DefaultDocument" /featurename:"IIS-DirectoryBrowsing" /featurename:"IIS-HttpErrors" /featurename:"IIS-HttpRedirect" /featurename:"IIS-WebServerManagementTools" /featurename:"IIS-IIS6ManagementCompatibility" /featurename:"IIS-Metabase" /featurename:"IIS-WindowsAuthentication" /featurename:"IIS-WMICompatibility" /featurename:"IIS-ISAPIExtensions" /featurename:"IIS-ManagementScriptingTools" /featurename:"MSRDC-Infrastructure" /featurename:"IIS-ManagementService"
Wait another 30 minutes. A proper re-install should recreate the app pool and all 8 apps as shown below – a properly initialized Distribution Point:
Distmgr.log indicates that its indeed recreating/updating the app pool apps.
Also, note that the DP will not need to re-replicate its content, provided you did not delete the SCCMContentLib folder, so don’t be worried about a bandwidth flood. However, it will need to run through the Content Validation process to calculate hashes and inspect checksums to make sure everything it needs is present, and to pick up any changes that may have taken place while the DP was out-of-service. This can take a few hours if you have lots of content. Wait for the DP status icon to change from yellow to green. Then retry your deployments.
Hopefully this will enable you get your SCCM Distribution Points back on track! If you need more help with your System Center infrastructure, BDO Digital has a team of Microsoft Certified Engineers that can provide comprehensive support for all your on-premises and in-cloud Information Technology platforms.