ConfigMgr 2012 : PXE Distribution Point Certificate Issues – “No Items Found”

NoItems

I ran into an issue with a System Center Configuration Manager 2012 deployment recently where if I selected the Distribution Point to be PXE enabled and then imported a certificate from our PKI I was unable to view or configure any of the server roles anymore. I simply got “Not items Found” in the ConfigMgr console!

NoItems

Working with Microsoft Support it was identified that our Certificate size exceeded 32K, which is larger than the buffer used by ConfigMgr. The XML assocaited with the Distribution Point was then being truncated leading to the error in the ConfigMgr console, as above.

Note; if your issue is affecting a SECONDARY SITE then see note at the bottom of the article.

The following queries were used to identify that the Certificate was too big:

{code lang:sql showtitle:false lines:false hidden:false} — XML Size
SELECT ServerName, Props, DATALENGTH(Props) FROM vSMS_SC_SysResUse_SDK
WHERE SiteCode = ‘<site code>’ AND RoleName = ‘SMS Distribution Point'{/code}

The XML size when I had this problem was 36163, as you can see this is clearly larger than 32K.

The reason the XML was so larger was because of the certificate blob which had bloated the XML. Why was our certificate so large? Simply beause we had a three-tier AD CS environment; A root CA, policy CA and finally an issuing CA. The issues certificate included information about all of these CA’s.

At this point in time there is no fix, only a couple of work-arounds:

  1. Use HTTP instead of HTTPS
  2. Use a certificate from a CA higher up the chain – in our case from the Policy CA or even Root CA – not ideal!

How do you get management back? Use the following SQL query to set the Certificate blob to ”:

{code lang:sql showtitle:false lines:false hidden:false} –Set Certificate to Blank
UPDATE vSMS_SC_SysResUse_Properties SET Value1 = ” WHERE Name =
‘CertificatePFXData’ and ID = (select ID from vSMS_SC_SysResUse_SDK
where NALPath like ‘%<DP FQDN>%’ and RoleName = ‘SMS
Distribution Point’){/code}

Then you must remove and re-add the Distribution Point server role.

Secondary Site Issue

If your issue is affecting a secondary site then watch this space, I have replicated thi issue without exceeding the 32K limit, however on importing the certificate I ended up with a second Site Server with a similar name! The first query above presented the following output:

SRV1.d <Properties><Property Name=”AllowInternetClient… 10666
SRV1.domlocal.net <Properties><Property Name=”AllowInternetClient… 30389

So we need to cleanup the invalid server, then apply the fix from above gainst the Secondary SIte server. First get the ID of the invalid server:

{code lang:sql showtitle:false lines:false hidden:false}SELECT *, DATALENGTH(Props) FROM vSMS_SC_SysResUse_SDK
WHERE SiteCode = ‘<Secondary Site Code>’ AND RoleName = ‘SMS Distribution Point'{/code}

Remove the invalid server role (it doesn’t exist):

{code lang:sql showtitle:false lines:false hidden:false}DELETE FROM vSMS_SC_SysResUse WHERE ID =<ID Number>{/code}

Now use the above fix against this Distribution Point.

For now I’ll be using HTTP on my Secondary Site Distribution Points!