If the Active Directory schema has not been extended for Configuration Manager 2007, or site information is not being published to Active Directory, the site’s public key is not available to other sites through Active Directory. Sites in different Active Directory forests also cannot query site information published by sites in another forest.
In any of these situations, the destination server checks its <install directory>\inboxes\hman.box directory for a public key for the sending site (not the <install directory>\inboxes\hman.box\pubkey directory).
If the sending site’s public key cannot be found in either Active Directory or the <install directory>\inboxes\hman.box directory, the received data is rejected and the sites are unable to communicate.
When you install a new secondary site under a primary site configured for secure key exchange and do not manually transfer the public key to the parent site, the secondary site installs successfully but cannot properly establish a connection to the parent site. The primary site retries its lookup for the secondary site’s public key about every five minutes, up to one hundred times. The parent site rejects secondary site communications until the keys are manually exchanged.
Until the public keys are manually exchanged, the following behaviors should be expected:
Parent Site Despooler Inbox
The <install directory>\inboxes\despoolr.box\receive directory (which stores data received from other sites) on the primary site begins to fill with secondary site communication files. Normally these files are processed and moved as soon as the site server receives the instruction files (.ins files), but in this situation they remain until the receiving site rejects and deletes them.
Parent Site Despool.log Log File
The Despool.log file on the receiving site (which records incoming site-to-site communication transfers) will have entries similar to the following:
- "Cannot find a public key for instruction incoming from site <secondary site code>, retry it
- "Cannot find valid public key for key exchange instruction coming from site <secondary site
Receiving Site SMS_Despooler Component Status Messages
You will receive the following status messages for the SMS_DESPOOLER component on the receiving site:
- Status message 4404, stating that the despooler component received an instruction and package file from a site that will not be processed because the site does not allow unsigned key exchange between sites.
- Status message 4405, stating that the site has received an instruction file containing inter-site replication data that will not be processed and retired because a valid public key cannot be located for the sending site.
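The following PowerShell is an added example, not code from the original article: it checks a parent site for the symptoms described above by matching the two Despool.log messages quoted earlier and counting files that linger in despoolr.box\receive. The function and parameter names, the Logs\despool.log location, and the sample log lines are assumptions constructed for illustration.

```powershell
# Added example (not from the original article). Paths follow the article; the log
# patterns are the two "Cannot find ... public key" messages quoted above.
function Find-KeyExchangeErrors {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string]$SiteCode
    )
    # Both article messages name the sending site; match either wording for that site.
    $pattern = "Cannot find (a|valid) public key for .*site $([regex]::Escape($SiteCode))"
    $LogLines | Where-Object { $_ -match $pattern }
}

function Get-StaleReceiveFiles {
    param(
        [Parameter(Mandatory)][string]$InstallDir,
        [int]$OlderThanMinutes = 10   # assumed threshold; normal processing is near-immediate
    )
    $receiveDir = Join-Path $InstallDir 'inboxes\despoolr.box\receive'
    if (-not (Test-Path $receiveDir)) { return @() }
    $cutoff = (Get-Date).AddMinutes(-$OlderThanMinutes)
    Get-ChildItem -Path $receiveDir -File | Where-Object { $_.LastWriteTime -lt $cutoff }
}

function Test-SecureKeyExchange {
    param(
        [Parameter(Mandatory)][string]$InstallDir,
        [Parameter(Mandatory)][string]$SiteCode
    )
    $logPath = Join-Path $InstallDir 'Logs\despool.log'   # assumed location of Despool.log
    $lines   = if (Test-Path $logPath) { Get-Content $logPath } else { @() }
    $errors  = @(Find-KeyExchangeErrors -LogLines $lines -SiteCode $SiteCode)
    $stale   = @(Get-StaleReceiveFiles -InstallDir $InstallDir)
    [pscustomobject]@{
        SiteCode         = $SiteCode
        KeyErrorCount    = $errors.Count
        StaleFileCount   = $stale.Count
        KeysNeedExchange = ($errors.Count -gt 0)   # manual key exchange still required
    }
}

# Constructed sample lines (not real log output) to exercise the parser offline.
$sample = @(
    'Cannot find a public key for instruction incoming from site S01, retry it',
    'Processed instruction file from site P01',
    'Cannot find valid public key for key exchange instruction coming from site S01'
)
Find-KeyExchangeErrors -LogLines $sample -SiteCode 'S01'
```

On a live parent site, run Test-SecureKeyExchange with the site server’s install directory and the secondary site code; a non-zero KeyErrorCount alongside lingering receive files matches the behavior described above.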