OK, that’s it. I’ve had enough of IIS 7.5 (don’t be happy, IIS 7 too) and WebDAV already; this is the 100th time I’ve seen the problem and I still have no idea what causes it.

If you have installed SCCM before, you know what I’m talking about. WebDAV is now part of the IIS 7.5 Role Services, so you don’t have to download or install it separately as you did with IIS 7 in Server 2008.

A prerequisite for installing SCCM is having WebDAV installed and configured as follows:

  • A Rule that allows all users read access to all content

and a few settings tweaks:

  • Allow Anonymous Property Queries should be set to True
  • Allow Custom Properties should be False
  • Allow Property Queries with Infinite Depth should be set to True
  • Allow Hidden Files to be Listed should be set to True

How IIS 7/7.5 Configuration Works

Now, with IIS 7/7.5 things have changed tremendously: IIS server and website configurations are no longer written to a metabase like the IIS 6.0 Metabase, but to XML configuration files that can be found in C:\Windows\System32\InetSrv\Config

You will see a bunch of XML files there, like “Administration.xml”, where global security settings and administrative delegation are defined, and “ApplicationHost.xml”, where global application configuration settings can be found. If you dig a little deeper, into the Schema subfolder, you will find the IIS, ASP.NET and, of course, the WebDAV schema (WebDAV_Schema.xml); the configuration settings you define in the IIS Management Console will be replicated to those XML files.

In the IIS Management Console, some settings are server-wide (inherited by every single website) while others are per website, module, application pool, etc. For example, check this out: <sectionSchema name="system.webServer/webdav/globalSettings"> is a header for the elements and attributes that affect global server WebDAV settings.

Why has this been done? So you can scale out your IIS deployment to hundreds of servers in a couple of clicks: you can share the Configuration Store (where all the XML files are) and make lots and lots of IIS servers connect to it to retrieve their unified settings. So what if you need to change something? You guessed it, it can be done once, and all servers will reflect those changes.

This is cool…when it works.

Problem Details

The problem occurs when you change some settings from the IIS Management Console but, for some mysterious reason, the changes are not reflected in the Schema configuration file, causing inconsistency between the settings you see and the settings that are actually applied. As you can see below, these are my WebDAV settings in the Management Console and in the Schema file:

[Screenshot: WebDAV Settings in the IIS Management Console]

and this is how they appear in the WebDAV_Schema.xml file:

[Screenshot: WebDAV Settings in the WebDAV_Schema.xml file]

The screenshots above belong to the same server (not photoshopped) and the inconsistency is pretty clear.

SCCM Problem

Before we solve the IIS inconsistency, let’s examine what the above does to SCCM. Your configuration will go through the Prerequisites Checker and the SCCM installation will be smooth. However, when you open the System Status in SCCM’s Management Console, you will see errors reported by the SMS_MP_Control_Manager. Every time it retries to install the components, you will see the same error:

The WebDAV server extension is either not installed or not configured properly.
Solution: Make sure WebDAV is installed and enabled. Make sure there is an authoring rule that allow “All users” read access to “All content”. Make sure the WebDAV settings “Allow anonymous property queries” and “Allow property queries with infinite depth” are set to “true” and “Allow Custom Properties” is set to false.

Examining MPSetup.log, the log file for the Management Point, located in “C:\Program Files (x86)\Microsoft Configuration Manager\Logs” (the path may differ depending on your installation settings, you know better, right?), will also show the same error as above.

Solution

You need to configure the WebDAV_Schema.xml file to reflect the settings required by SCCM. A small obstacle you may face is the ownership of the file: if you simply open the file in Notepad and save it, you will receive an Access Denied error because you have no write permissions on the file. Even if you try to add yourself you won’t be able to, because TrustedInstaller is the owner of that file.

[Screenshot: security properties of WebDAV_Schema.xml]

So you first need to take ownership of the file, give yourself Write access, then save it under a different name (because the containing folder doesn’t give you access either). You then rename the old file (i.e. WebDAV_Schema.xml.old) and give your modified one the original name, with the following content:

<attribute name="allowAnonymousPropfind" type="bool" defaultValue="true" />
<attribute name="allowInfinitePropfindDepth" type="bool" defaultValue="true" />
<attribute name="allowCustomProperties" type="bool" defaultValue="false" />

Give the IIS and the SMS_SITE_COMPONENT_MANAGER services a restart and your server will be just fine. You can double-check the MPSetup.log and reset the error count for the SMS_MP_Control_Manager from the System Status (or else you need to wait quite a while for it to give you the green check).
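A read-only way to spot the mismatch before and after the edit, as an added example that is not part of the original post: it compares the three schema defaults with the values SCCM expects and shows the file's owner. The function name `Test-WebDavSchemaDefaults` and the sample XML are made up for illustration; the file path assumes the Schema subfolder mentioned above.

```powershell
# Added example (not from the original post). Read-only: nothing is modified.
# Values SCCM's management point expects, as listed in this post.
$Required = @{
    allowAnonymousPropfind     = 'true'
    allowInfinitePropfindDepth = 'true'
    allowCustomProperties      = 'false'
}

# Hypothetical helper: report each attribute's defaultValue against $Required.
function Test-WebDavSchemaDefaults {
    param([Parameter(Mandatory = $true)][string]$XmlText)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    foreach ($name in ($Required.Keys | Sort-Object)) {
        # Match by name anywhere in the file, so nesting does not matter.
        $nodes = $doc.SelectNodes("//attribute[@name='$name']")
        if ($nodes.Count -eq 0) {
            New-Object psobject -Property @{ Attribute = $name; Found = '(missing)'
                Expected = $Required[$name]; Ok = $false }
        }
        foreach ($n in $nodes) {
            $found = $n.GetAttribute('defaultValue')
            New-Object psobject -Property @{ Attribute = $name; Found = $found
                Expected = $Required[$name]; Ok = ($found -eq $Required[$name]) }
        }
    }
}
$columns = 'Attribute', 'Found', 'Expected', 'Ok'

# Constructed sample (not copied from a real server): two values disagree.
$sample = @'
<configSchema>
  <sectionSchema name="system.webServer/webdav/authoring">
    <attribute name="allowAnonymousPropfind" type="bool" defaultValue="false" />
    <attribute name="allowInfinitePropfindDepth" type="bool" defaultValue="true" />
    <attribute name="allowCustomProperties" type="bool" defaultValue="true" />
  </sectionSchema>
</configSchema>
'@
Test-WebDavSchemaDefaults -XmlText $sample | Select-Object $columns | Format-Table -AutoSize

# On the IIS server: run the same check on the real file and show its owner.
$path = "$env:windir\System32\inetsrv\config\schema\WebDAV_Schema.xml"
if (Test-Path $path) {
    Test-WebDavSchemaDefaults -XmlText ([IO.File]::ReadAllText($path)) |
        Select-Object $columns | Format-Table -AutoSize
    (Get-Acl $path).Owner   # shows who currently owns the file
}
```

Rows with `Ok` set to `False` are the settings that still disagree with what the SMS_MP_Control_Manager error message asks for.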

Side Problem: SMS Hierarchy Manager and Active Directory

The file security above reminded me of another problem thrown by the SMS Hierarchy Manager, telling you that it’s unable to update its objects in the “System Management” container in Active Directory.

“Systems Management Server cannot update the already existing object "SMS-Site-[SiteCode]" in Active Directory….”

This problem occurs from the moment you create the “System Management” container using ADSIEDIT and give the SCCM Server full access to it.

What ADSI Edit does is give the server access to “This Object Only”, which means that full access has only been given to the container itself, not the objects in it. To solve the issue, go back to the container’s Advanced Security Settings and set the “Apply To” option to “This Object and All Descendant Objects”:

[Screenshot: System Management container security settings]

Let me know if you have any thoughts! See ya.