Microsoft KB Archive/827887

= New secondary site installation may fail if data signing is turned on in SMS 2.0 SP5 or in SMS 2003 =

Article ID: 827887

Article Last Modified on 10/27/2006


APPLIES TO


 * Microsoft Systems Management Server 2.0 Service Pack 5
 * Microsoft Systems Management Server 2003

SYMPTOMS
When you try to create a new secondary site in Microsoft Systems Management Server (SMS) 2.0 Service Pack 5 (SP5) or in SMS 2003, the child site installation is not completed, and the child site status remains Pending in the SMS Administrator Console. If you have turned on logging for the SMS Despooler component, the following may appear in the Despool.log file on the parent SMS site server, where  is the site code for the child site:

<pre>
Waiting for ready instruction file....
Verifying signature for instruction C:\SMS\inboxes\despoolr.box\receive\ds_1vfda.ist of type MICROSOFT|SMS|MINIJOBINSTRUCTION|TRANSFER
CPublicKeyLookup::CPublicKeyLookup("xxx")
CPublicKeyLookup::CPublicKeyLookup("xxx") Initializing to file: C:\SMS\inboxes\hman.box\pubkey\xxx.pkc
CPublicKeyLookup::GetNextKey Getting Iteration: 2
CPublicKeyLookup::GetNextKey Checking C:\SMS\inboxes\hman.box\pubkey\xxx.pkc for Key0
CPublicKeyLookup::GetNextKey No Match Found, Trying C:\SMS\inboxes\hman.box\pubkey\xxx.pkp
CPublicKeyLookup::GetNextKey Found Key:
CPublicKeyLookup::CPublicKeyLookup("xxx")
Cannot find valid public key for key exchange instruction coming from site xxx
Retry the instruction (C:\SMS\inboxes\despoolr.box\receive\ds_1vfda.ist) because this site does not allow untrusted child sites.
Will retry instruction C:\SMS\inboxes\despoolr.box\receive\ds_1vfda.ist 100 more times, the next retry is in about 5 minutes
Instruction C:\SMS\inboxes\despoolr.box\receive\r_g1bzte.sni won't be processed till 07/29/2003 12:42:51 PM Eastern Daylight Time
Waiting for ready instruction file....
</pre>

The log entries appear for each .sni file from the secondary site that is processed by the parent site. The secondary site cannot report status to the parent site. You may also notice a backlog of files in the \SMS\Inboxes\Despool.box file on the parent site server computer.
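When several child sites are pending, the parent's Despool.log can be scanned in one pass for the rejection entries quoted above. The following Python script is an added example, not part of the original article or of SMS; it assumes the log contains the message text exactly as shown in this article, and the function name find_rejected_sites and the ABC sample entries are made up for illustration.

```python
import re
from collections import defaultdict

# Message texts taken from the Despool.log excerpt on this page.
NO_KEY = re.compile(r"Cannot find valid public key for key exchange "
                    r"instruction coming from site (\w+)")
RETRY = re.compile(r"Retry the instruction \((.+?)\) because this site "
                   r"does not allow untrusted child sites")
REMAINING = re.compile(r"Will retry instruction (.+?) (\d+) more times")

def find_rejected_sites(log_text):
    """Return {site_code: {instruction_file: retries_left}}."""
    rejected = defaultdict(dict)
    site = None  # site named by the latest "Cannot find valid public key" line
    for line in log_text.splitlines():
        if m := NO_KEY.search(line):
            site = m.group(1)
            rejected[site]  # record the site even if no retry line follows
        elif site and (m := RETRY.search(line)):
            rejected[site].setdefault(m.group(1), None)
        elif site and (m := REMAINING.search(line)):
            rejected[site][m.group(1)] = int(m.group(2))
            site = None  # this instruction's retry entries are complete
    return {s: dict(files) for s, files in rejected.items()}

# Constructed sample: the "xxx" entries are from the page's excerpt; the
# "ABC" entries (site code, file name, retry count) are made up.
SAMPLE_LOG = r"""Waiting for ready instruction file....
Cannot find valid public key for key exchange instruction coming from site xxx
Retry the instruction (C:\SMS\inboxes\despoolr.box\receive\ds_1vfda.ist) because this site does not allow untrusted child sites.
Will retry instruction C:\SMS\inboxes\despoolr.box\receive\ds_1vfda.ist 100 more times, the next retry is in about 5 minutes
Cannot find valid public key for key exchange instruction coming from site ABC
Retry the instruction (C:\SMS\inboxes\despoolr.box\receive\ds_9kq2m.ist) because this site does not allow untrusted child sites.
Will retry instruction C:\SMS\inboxes\despoolr.box\receive\ds_9kq2m.ist 97 more times, the next retry is in about 5 minutes
Waiting for ready instruction file...."""

if __name__ == "__main__":
    for site, files in find_rejected_sites(SAMPLE_LOG).items():
        print(f"child site {site}: parent has no trusted public key")
        for path, left in files.items():
            print(f"  held: {path} ({left} retries left)")
```

Each site code the script reports is a child site whose public key the parent does not yet trust.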



CAUSE
This problem occurs because of new security features that are available with SMS 2.0 SP5 and with SMS 2003. The security features allow an SMS administrator to reject communication from SMS sites that do not use signed data. The security features can prevent the installation of additional secondary sites in the SMS hierarchy that do not meet the security requirements.



RESOLUTION
To resolve this problem, follow these steps:
 * 1) On the secondary site computer, click Start, click Run, type cmd, and then click OK.
 * 2) At the command prompt, change to the \SMS\bin\i386\00000409 folder.
 * 3) Type preinst.exe /KEYFORPARENT, and then press ENTER.

Preinst.exe creates a .CT4 file in the root folder of the largest drive partition, where   is the site code of the secondary site.
 * 4) Copy the  .CT4 file to the \SMS\Inboxes\Hman.box folder on the parent site computer.

The SMS Hierarchy Manager component processes the .CT4 file and adds the security key to its list of accepted keys for data transfer. After the security key is added to the SMS parent site, the backlog of files on the parent site is processed by the SMS Despooler component.

When the new .CT4 file is processed, the following log entries appear in the Hman.log file, where  is the site code for the child site:

<pre>
Wait for site control changes...
Processing C:\SMS\inboxes\hman.box\xxx_7W21.CT4 file, containing 1 keys.
CPublicKeyLookup::UpdateCurrentKey("xxx", "0602000000A400005253413100020000010001008F581AE90DEF71C4F156B96D19CAD050C82F4D7E6FEDF516CE20335CB0E37D4A1BE164C8C8113CEFBF285BC88F84BF0E928AB054A86260868A955D5F292A29A4")
CPublicKeyLookup::UpdateCurrentKey Checking C:\SMS\inboxes\hman.box\pubkey\xxx.pkc for Key0
CPublicKeyLookup::UpdateCurrentKey Updating Key0
No parent site to forward CT4 file C:\SMS\inboxes\hman.box\xxx_7W21.CT4 to. Deleting.
Wait for site control changes...
</pre>

After the SMS Hierarchy Manager has processed the .CT4 file, the secondary site communications are accepted, and the secondary site appears as Active.



MORE INFORMATION
In SMS 2.0 SP5, the following options appear on the Site Connection tab in the Site Properties dialog box. In SMS 2003, the following options appear on the Advanced tab in the Site Properties dialog box:
 * Do not accept unsigned data from sites running SMS 2.0 SP4 and earlier.
 * Require secure key exchange between sites.

If these options are turned on, new SMS 2.0 child sites may not complete the installation process. A new secondary site may remain in a Pending state in the SMS Administrator Console of the parent site.

Keywords: kbtshoot kbserver kbsmsadmin kbsyssettings kbsetup kbsecurity kbprb KB827887


© Microsoft Corporation. All rights reserved.