7. Troubleshooting Secondary Site Installation
Several common deployment issues may occur with secondary sites, including the following:
Failure to exchange secure keys between parent/child and child/parent.
Secondary site status stays in pending state, with the site control file not making it up from the secondary site.
Establishing an address from the primary to the secondary but not having one from the secondary to the primary.
The next sections discuss these issues.
Secure Key Exchange
You can configure parent and child sites to
require secure key exchange for communication. When you’re installing a
secondary site configured to use secure key exchange to communicate with
its primary site, the key transfer may occasionally fail.
Although the secondary site installation will
be successful, communication between the sites will fail, because the
primary parent site will reject communication until there is a secure
key exchange. This is evidenced by entries in the despool.log file at
the parent site server, the despooler inbox folder at the parent, and
status messages regarding secure key exchange issues:
Despool.log— The despool.log file is located on the parent site server—the default location is %ProgramFiles%\Microsoft
Configuration Manager\Logs. The Despooler component is responsible for
all incoming and outgoing communications between sites. The despool.log
file logs all site-to-site communication, including communication
failures.
When site communications fail due to the missing secure key, despool.log will contain the following entries:
Cannot find a public key for instruction
%ProgramFiles%\Microsoft Configuration Manager\inboxes\despoolr.box\receive
incoming from site <secondary site code>, retry it later
Cannot find valid public key for key exchange instruction coming from
site <secondary site code>
Both entries state that Configuration Manager tries to locate the key. It
retries this every 5 minutes, for a maximum of 100 times.
Despooler inbox folder at the parent site—
Secure key exchange communication failures can also be identified when
the \inboxes\despoolr.box\receive folder becomes backlogged with files.
These files have extensions of .ins and contain site instructions. When
site communication is successful, these files are sent, processed, and
then deleted from the \receive folder. When the key is missing, those
files remain in the folder at the parent site.
Status messages— The SMS_Despooler will generate the following status messages for the receiving site:
Message ID 4404—
The Despooler component received an instruction and package file from a
site that will not be processed because the site does not allow
unsigned key exchange between sites.
Message ID 4405—
The site has received an instruction file containing intersite
replication data that will not be processed and retired because a valid
public key cannot be located for the sending site.
To resolve the public key exchange issue, you
must exchange the keys between the sites manually with the hierarchy
maintenance tool (preinst.exe). This tool is installed by default with
Configuration Manager 2007. The following procedure discusses the steps
to manually exchange the public keys using the hierarchy maintenance
tool.
Perform these steps at the child/secondary site:
1. Go to Start -> Run and then type CMD to open a command prompt.
2. At the command prompt, navigate to the location of the preinst.exe tool. The tool is located in the <ConfigMgrInstallPath>\bin\i386\<language code> folder on the site server.
3. Type preinst /keyforparent to export the public key of the child site server. The key file is <Site Code>.ct4, and is stored at the root of the system drive.
4. Move the <Site Code>.ct4 key to the <ConfigMgrInstallPath>\inboxes\hman.box folder at the parent site.
Perform these steps at the parent site:
1. Go to Start -> Run and then type CMD to open a command prompt.
2. At the command prompt, navigate to the location of the preinst.exe tool. The tool is located in the <ConfigMgrInstallPath>\bin\i386\<language code> folder on the site server.
3. Type the command preinst /keyforchild to export the public key of the parent site server. This key file is <Site Code>.ct5 and will be stored at the root of the system drive.
4. Move the <Site Code>.ct5 key to the <ConfigMgrInstallPath>\inboxes\hman.box folder at the child site.
Communication will start within 5 minutes once
the keys are exchanged. To monitor the process, check the contents of
the despool.log file.
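The following PowerShell sketch is an added example, not part of the original text or of Configuration Manager itself. It searches despool.log lines for the two key exchange entries quoted above, grouped by sending site, and counts the .ins backlog in the \receive folder. The function names, the site codes S01 and S02, and the sample lines are constructed for illustration.

```powershell
# Added example: triage for the secure key exchange failure described above.
# Message texts are the two despool.log entries quoted on this page; function
# names, site codes and sample lines are constructed for illustration.

function Get-KeyExchangeFailure {
    param([string[]]$LogLine)
    # Match on message text only; other fields on a real log line are ignored.
    $patterns = @(
        'Cannot find a public key for instruction .+ incoming from site (?<site>\w+), retry it later',
        'Cannot find valid public key for key exchange instruction coming from\s+site (?<site>\w+)'
    )
    $hits = foreach ($line in $LogLine) {
        foreach ($p in $patterns) {
            if ($line -match $p) { $Matches['site']; break }
        }
    }
    # One row per sending site, with the number of failed attempts logged.
    $hits | Group-Object | ForEach-Object {
        [pscustomobject]@{ SiteCode = $_.Name; Failures = $_.Count }
    }
}

function Get-DespoolerBacklog {
    param([string]$ReceivePath)
    # .ins files that remain in \receive are instructions the parent has not processed.
    if (-not (Test-Path -LiteralPath $ReceivePath)) { return $null }
    $files = @(Get-ChildItem -LiteralPath $ReceivePath -Filter '*.ins' -File)
    [pscustomobject]@{
        Count  = $files.Count
        Oldest = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    }
}

# Constructed sample lines (path, file name and site codes are made up).
$sample = @(
    'Cannot find a public key for instruction C:\inboxes\despoolr.box\receive\sample.ins incoming from site S01, retry it later',
    'Cannot find valid public key for key exchange instruction coming from site S01',
    'Cannot find valid public key for key exchange instruction coming from site S02',
    'Unrelated entry that should not match'
)
Get-KeyExchangeFailure -LogLine $sample | Format-Table -AutoSize

# On the parent site server, using the default location given above:
# $root = "$env:ProgramFiles\Microsoft Configuration Manager"
# Get-KeyExchangeFailure -LogLine (Get-Content "$root\Logs\despool.log")
# Get-DespoolerBacklog -ReceivePath "$root\inboxes\despoolr.box\receive"
```

After the keys are exchanged, a backlog count that falls toward zero and no new failure entries for the site indicate that the parent is processing instructions again.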
Secondary Site Status Remains in Pending State after Upgrade or Installation
If the site control file is not created successfully, the secondary site may remain in a pending status and never go active.
When you install or upgrade a secondary site,
the final installation step is for the Site Control Manager service at
the secondary site to copy the .ct2 control file to its parent. This
file contains the information that the installation or upgrade was a
success.
To force the Site Control Manager service to create the .ct2 control file, perform the following steps:
1. Verify that the secondary site server is indeed successfully installed, and that all services and components are up and running.
2. At the secondary site, browse to the <ConfigMgrInstallPath>\inboxes\sitectrl.box folder. Copy the SiteCtrl.ct0 file to a temporary location (for example, c:\temp).
3. At the temporary location, change the name of the earlier copied Sitectrl.ct0 file to 00000000.ct2.
4. Copy the 00000000.ct2 file to the <ConfigMgrInstallPath>\inboxes\hman.box at the parent site.
This procedure informs the parent site that there is an updated site control file, and it will process this file immediately.
Addresses
When you deploy a secondary site through the
console of the primary parent site, the Secondary Site Creation Wizard
enables you to configure the address for the primary and secondary
sites. However, the configuration of the sender address for the primary
site at the secondary site may occasionally fail. If the sender address
is missing, site communication fails and sender.log at the parent site
server will contain the following entries:
Cannot connect to server <secondary site server name> at remote site
<secondary site code>, won't try send requests going to site
<secondary site code>, for an hour or until there are no active send requests.
There is no existing connection
Could not establish connection
Attempt to connect failed
When this occurs, you can create the sender address manually. Use the
ConfigMgr console to configure the address. Because secondary sites do
not have a database, you must manage them through a console connected to
the primary site database.