How to add Configuration Manager Distribution Point Remotely with PowerShell

If you are trying to add a Configuration Manager Distribution Point remotely, you may end up with this issue:

WARNING: The self-signed certificate could not be created successfully

Validation of input parameters failed. Cannot Continue


Code example

Invoke-Command -ScriptBlock {
    #Step 1
    Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")
    #Step 2
    $SiteCode = Get-PSDrive -PSProvider CMSITE
    #Step 3
    Set-Location "$($SiteCode.Name):\"
    #Step 4
    Add-CMDistributionPoint -SiteSystemServerName TestServer.corp.viamonstra.com -SiteCode $SiteCode.Name `
        -ClientConnectionType Intranet -MinimumFreeSpaceMB 50 -PrimaryContentLibraryLocation Automatic `
        -SecondaryContentLibraryLocation Automatic -PrimaryPackageShareLocation Automatic -EnablePxeSupport `
        -SecondaryPackageShareLocation Automatic -CertificateExpirationTimeUtc ((Get-Date).AddYears(100)) -ErrorAction STOP
} -ComputerName CM01.corp.viamonstra.com

If you take the same code and run it locally on your Primary Site Server, it works correctly, so what is the problem? The problem is that you haven’t enabled CredSSP on your site server and your admin PC: the remote session on the site server cannot pass your credentials on to the new DP server. There are many posts on the internet that explain the second-hop scenario, so I will not explain it here, but you can read about it here.

To fix this problem you need to run this command on your admin PC. Please change the DelegateComputer parameter value to match your environment.

Enable-WSManCredSSP -Role Client -DelegateComputer *.corp.viamonstra.com -Force

And this command on your Primary Site Server

Enable-WSManCredSSP -Role Server -Force

To add the Distribution Point remotely and successfully, you need to execute Invoke-Command like this, passing explicit credentials and CredSSP authentication:

Invoke-Command -ScriptBlock {
    #Step 1
    Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")
    #Step 2
    $SiteCode = Get-PSDrive -PSProvider CMSITE
    #Step 3
    Set-Location "$($SiteCode.Name):\"
    #Step 4
    Add-CMDistributionPoint -SiteSystemServerName TestServer.corp.viamonstra.com -SiteCode $SiteCode.Name `
        -ClientConnectionType Intranet -MinimumFreeSpaceMB 50 -PrimaryContentLibraryLocation Automatic `
        -SecondaryContentLibraryLocation Automatic -PrimaryPackageShareLocation Automatic -EnablePxeSupport `
        -SecondaryPackageShareLocation Automatic -CertificateExpirationTimeUtc ((Get-Date).AddYears(100)) -ErrorAction STOP
} -ComputerName CM01.corp.viamonstra.com -Credential (Get-Credential) -Authentication Credssp
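The following is an added example (not code from the original post) that wraps the CredSSP setup and the Invoke-Command above into one function. It differs from the post's steps in three ways that matter for leaving the admin PC in a tighter state: it delegates credentials only to the named site server instead of a domain-wide wildcard, it checks what delegation is actually configured before connecting, and it removes the client-side delegation again in a finally block once the DP has been added. The function name, the parameter names, and the one-year certificate lifetime are assumptions of this example; the server names are placeholders in the style of the post.

```powershell
# Added example, not part of the original post. Assumes the Configuration Manager
# console is installed on the site server (SMS_ADMIN_UI_PATH) and that
# Enable-WSManCredSSP -Role Server has already been run there, as the post shows.
function Add-CMDistributionPointViaCredSsp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SiteServer,        # e.g. CM01.corp.viamonstra.com (placeholder)
        [Parameter(Mandatory)] [string] $NewDpServer,       # e.g. TestServer.corp.viamonstra.com (placeholder)
        [Parameter(Mandatory)] [pscredential] $Credential,  # account with the Full Administrator role
        [int] $CertificateYears = 1                         # assumption: shorter than the post's 100 years
    )

    # Prerequisite: WinRM on the site server must answer before CredSSP is touched.
    $null = Test-WSMan -ComputerName $SiteServer -ErrorAction Stop

    # Delegate only to this site server's FQDN, not to *.domain with a wildcard.
    Enable-WSManCredSSP -Role Client -DelegateComputer $SiteServer -Force | Out-Null

    # Show what the client is now allowed to delegate to (the output lists the entries).
    Write-Verbose ((Get-WSManCredSSP) -join "`n")

    try {
        Invoke-Command -ComputerName $SiteServer -Credential $Credential -Authentication Credssp -ScriptBlock {
            param($DpName, $Years)
            # Same four steps as the post, with the DP name and lifetime passed in as arguments.
            Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386", "\bin\configurationmanager.psd1") -ErrorAction Stop
            $site = Get-PSDrive -PSProvider CMSITE
            Set-Location "$($site.Name):\"
            Add-CMDistributionPoint -SiteSystemServerName $DpName -SiteCode $site.Name `
                -ClientConnectionType Intranet -MinimumFreeSpaceMB 50 `
                -PrimaryContentLibraryLocation Automatic -SecondaryContentLibraryLocation Automatic `
                -PrimaryPackageShareLocation Automatic -SecondaryPackageShareLocation Automatic `
                -CertificateExpirationTimeUtc ((Get-Date).AddYears($Years)) -ErrorAction Stop
        } -ArgumentList $NewDpServer, $CertificateYears
    }
    finally {
        # Remove the client-side delegation again; CredSSP forwards reusable credentials
        # to the target, so it should not stay enabled on the admin PC between tasks.
        Disable-WSManCredSSP -Role Client
    }
}

# Usage (placeholders):
# Add-CMDistributionPointViaCredSsp -SiteServer CM01.corp.viamonstra.com `
#     -NewDpServer TestServer.corp.viamonstra.com -Credential (Get-Credential) -Verbose
```

Get-WSManCredSSP is also the quickest check when the "A computer policy does not allow the delegation of the user credentials" error appears: if the site server's name (or a matching WSMAN/ pattern) is not listed under the allowed delegate computers on the machine running Invoke-Command, the client-side Enable-WSManCredSSP step has not taken effect there.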

Happy Scripting :)


Comments (2):

  1. Travis Knight says:

    Hello:

    Thanks for this valuable post. However, CredSSP is not solving “WARNING: The self-signed certificate could not be created successfully” for me. I can successfully execute with one account (mine), but not with a service account. It seems to be related to CM permission/Role (though is a Full Administrator) or something with the svc account Windows profile. Just can’t nail it down. Any additional insight would be appreciated.

    Cheers

  2. Jeff says:

    Very helpful post! Thank-you for sharing it.

    I am trying to install a DP using this method as a step as part of a Server Build Task Sequence. The TS installs the server and then has a section for installing a Pull DP by connecting to our CAS using CredSSP and then using the Add-CMDistributionPoint cmdlet. My script runs great using my account with CredSSP if I disable the InstallDP.ps1 script in the TS and then logon to the newly built server and run the script manually after the build but when running as part of the TS (using my account as the execution account for the step) I get the error:

    “Connecting to remote server failed with the following error message: The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name “myserver.domain.com”, the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information see the about_Remote_Troubleshooting Help topic.”

    I’ve run “Enable-WSManCredSSP -Role Server -Force” manually on the CAS and then in my TS I have a step that runs “Enable-WSManCredSSP -Role Client -DelegateComputer *..com -Force” on the new server being built. I then run a script similar to your example above but still get the error. Any ideas?
