2 Replies Latest reply on Aug 23, 2011 11:06 AM by brunodom

    DCOM 10009 - problem during client web cert provisioning


      Our Enterprise team did some work on our Enterprise CA environment last month, and it appears to have broken vPro in-band provisioning.


      system is SCCM 2007 SP2 R2


      Provisioning was working fine until they moved CA Issuing from one set of Servers (Server1,Server2 - both Server 2003) to another set of servers (ServerA,ServerB - both Server 2008 R2).


      The provisioning process works fine up until the point where the OOB Mgt point is expected to retrieve the AMT client Web server cert... it times out after 5 RETRYs. (this is step 10c here: http://technet.microsoft.com/en-us/library/cc431371.aspx)


      We've recreated the template on the new CAs, made sure to choose Server 2003 as the type.  If I open the Certificates MMC on the OOB Mgmt Point, I can successfully enroll a cert from the template.  Certutil command on the OOB Mgmt Point shows the two new Issuing CA servers (ServerA,ServerB).  The interesting* thing is that I get DCOM errors in the SYSTEM log that correlate exactly to the times in the amtopmgr.log when it is trying to enroll the AMT client web certs on the clients:


      DCOM was unable to communicate with the computer SERVER1.domain.org using any of the configured protocols.


      Why is it apparently trying to retrieve the cert from the old Issuing CA (Server1)?  My only thought is that SCCM hardcodes this into WMI or something at the time the OOB Mgmt Point is installed...which would really suck.


      Any ideas out there?







      *it's not really that interesting