Tuesday, May 18, 2010

SCCM OSD/PXE Issues in Native Mode

There have been many posts out there trying to address the issue behind Native Mode and PXE and/or Boot Media problems.  This posting publishes information I found in the following article and additions which I have made to clarify some certificate configurations.

Step 1

In the site properties , check that you have imported your Root CA certificates. If you have subordinate CA servers , import them as well as I have seen issues arriving when not importing them .The picture below will give you the idea :



Step 2

Create your OSD PXE service point Certificate & export it . Go to your certificate authority and duplicate the Computer certificate , name it Configmgr OSD certificate and make sure that you could export the private key !

My Comments:  

MAKE SURE SUBJECT NAME TAB CONTAINS: SUPPLY IN REQUEST. When the request is made, give the certificate the following Attributes:

  • CommonName: <FQDN> (i.e. OSDpxeBootCert.<domain>.Com)
  • Alternate name: <Fqdn> OSDpxeBootCert.<domain>.com
  • Friendly name: Any descriptive name.

Note:  Because certificates are Required through out the native mode deployment.  FQDNs are also required for certificate Subject name and Alt Subject Names.


When you have created the certificate , export it to a DER format by going to MMC - Certificates - personal - Request new certificate . Select the Configmgr OSD certificate and install it on your machine . When done , right click on the certificate and select export . Export the certificate with private key and when exported , delete the certificate you have requested .

Step 3

Import you in the PXE role configuration pane .

Now we go to the SCCM console and go to Site systems - PXE Role , import the certificate you just exported . The picture below explains it :


You will get the following warning when you exported the certificate on the Site server itself . This is no problem and you should select "yes" to continue


Check the PXE Certificate in the SCCM console.  Verify that the Root CA is trusted.

Try opening the Certificates | PXE node in SCCM.  Find the certificate that is not "blocked" and right-click to Open it.  Check the status of the CA Certificate.  I found that it was "Not Trusted" in my environment. 

When I clicked the Install button and selected the Trusted Root CA Authorities, the certificate was then "valid" when I reopened the certificate.  My SMSPXE.log no longer reflected that the certificate was not set.


Step 4

Check that the following things below are set correctly

Network Access Account Not Set

Go into the Client Policy in SCCM and set a Network Access Account.  It sometimes "disappears" even after everything has been working fine. And then the OSD Task sequence cannot access the content on the Distribution point !

No comments:

Post a Comment