I’ve been seeing quite a few customer questions about not being able to select the branch distribution point option for a Configuration Manager site system – the option is disabled in the distribution point properties, but without any explanation. Most of the time it’s because the Configuration Manager client isn’t installed on the selected site system, which is a prerequisite for a branch distribution point. Another scenario that results in disabling this option is if the computer is a workgroup client rather than domain-joined. However, there have been a few occasions where the client has been installed on a domain computer, and on investigation they have been on native mode sites that are configured for Internet-based client management.
We clearly document that a branch distribution point is not supported on the Internet, and that clients on the Internet cannot connect to branch distribution points. The two configurations are mutually exclusive. However, some customers took this to be an operational support statement only, rather than a programmatic support statement. What I mean by this is, they installed the client and configured it with an Internet-based management point, but had no intention of moving the client from the intranet, and then attempted to configure it as a branch distribution point.
Why configure a client for Internet-based management when it would never leave the intranet? Ease of administration. Customers had added the CCMHOSTNAME command line property to the client push option so that all clients in the site were automatically configured for Internet-based client management. Unfortunately, the documentation actually says Configuration Manager will not prevent this configuration although it is not supported:
Do not create branch distribution points on Internet-based clients. Although Configuration Manager does not prevent you from doing so, creating any type of distribution point on an Internet-based client greatly increases your attack surface and should be avoided.
I remembered a request to block this combination in the Configuration Manager console, and that the request was not taken, with the mitigation being documentation. Hence the statement above that appears in multiple places in the Configuration Manager documentation library. So when I heard that customers were not able to create branch distribution points because the client was configured for Internet-based client management, I decided to look into this.
It seems that the option to block this combination was taken later in the product cycle, with the use of an InternetEnabled flag in the code, but the documentation team wasn’t informed – which is why we didn’t update the documentation. However, before revising the documentation I tried to reproduce it and couldn’t: my client was configured for Internet-based client management and I could select the option to enable it for a branch distribution point. This had me banging my head against the keyboard until I finally realized that I was testing it differently to how customers had reported it. They were installing the client with the CCMHOSTNAME option, whereas I already had my native mode clients installed and added the Internet-based management point in the client properties, on the Internet tab. So I reinstalled the client with the CCMHOSTNAME option, but still the option for a branch distribution point wasn’t blocked. I tried initiating hardware inventory, discovery data, and configured all my schedules to run with really low values and left it for a few days. Still the option for a branch distribution point wasn’t blocked in the distribution point properties.
Thanks to our test engineers Adam Meltzer and Tony Meng, we finally discovered that although the intent was to reset the InternetEnabled flag with a DDR and hardware inventory, it’s actually only set at registration. That’s why even reinstalling made no difference in my test, where I had configured the Internet-based management point after the initial installation and found that I could still select the option to enable the branch distribution point. However, what I hadn’t realized is that although the branch distribution point successfully installs with this unsupported combination, packages will not install and are stuck at “Install Pending”.
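The three conditions described above can be checked on a candidate computer before you try to enable it as a branch distribution point. The script below is an added example, not code from the Configuration Manager product or documentation; it assumes the client's Microsoft.SMS.Client automation object is registered, and the function name Get-BranchDpBlocker is made up for illustration.

```powershell
# Added example: local pre-check before designating a client as a branch
# distribution point. Get-BranchDpBlocker is a hypothetical helper name.
function Get-BranchDpBlocker {
    $blockers = @()

    # 1. The Configuration Manager client (service CcmExec) must be installed.
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    if (-not $svc) {
        $blockers += 'Configuration Manager client is not installed'
        return $blockers   # nothing else can be queried without the client
    }

    # 2. A workgroup computer cannot be a branch distribution point.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $blockers += 'Computer is a workgroup member, not domain-joined'
    }

    # 3. No Internet-based management point may be configured, whether it
    #    came from CCMHOSTNAME at install time or from the Internet tab.
    try {
        $client = New-Object -ComObject Microsoft.SMS.Client
        $imp = $client.GetInternetManagementPointFQDN()
        if ($imp) {
            $blockers += "Internet-based management point is set: $imp"
        }
    } catch {
        $blockers += "Could not query the client: $($_.Exception.Message)"
    }

    return $blockers
}

$found = @(Get-BranchDpBlocker)
if ($found.Count -eq 0) {
    'No local blockers found.'
} else {
    $found
}
```

An empty result only describes the client's current local configuration. Because the InternetEnabled flag is set at registration, a client that was originally installed with CCMHOSTNAME can still be blocked at the site even after the value has been removed locally.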
Typically, the product team does not test what happens if you configure something that isn’t supported. However, if you find yourself in either of these situations, how to recover is not obvious because simply reconfiguring the client or reinstalling is not sufficient.
If you cannot select the branch distribution point option because you have installed the client with the CCMHOSTNAME option:
At this point, you can manually update the collection membership and press F5 if you need to immediately manage the client through collections. Or you can wait for the client to automatically reappear, according to your collection membership update cycle.
Note that if you have installed the client with the CCMHOSTNAME property, you cannot reinstall the client and clear this value – this one also had me scratching my head for a while until it was confirmed that it couldn’t be done. You can't unset it or set it to a null value. Instead, you must uninstall first and then reinstall without the CCMHOSTNAME property, or delete the value in the client properties.
If you have selected the branch distribution point option for a client that is configured with an Internet-based management point:
I’m revising the documentation for this information and it will be published to the Web when Configuration Manager 2007 R2 releases, with the recovery steps in "Troubleshooting Software Distribution Issues". In the meantime I hope that posting this information early will help other customers who unknowingly run into this unsupported combination.
This posting is provided AS IS with no warranties and confers no rights.