I was running ConfigMgr 1511 from an upgraded System Center 2012 Configuration Manager R2 SP1 infrastructure with a configured Intune Subscription without a problem for more than a month. But due to my Azure Tenant name selection more than two years ago, I wanted to change the Tenant name from uncoolname.onmicrosoft.com to hosebei.onmicrosoft.com, because, as you might already guess, of the SharePoint URL.
Exchange Hybrid and all the other services were not easy, but worked the way I planned. But unfortunately the Service Connector did not work after this change, even after changing the Intune Subscription to my new Tenant.
I encountered the following errors in the ConfigMgr log files. The DMPDownloader.log stated:
Certmgr has not installed certificate yet, sleep for 1 minutes.
and later on:
WARNING: Cannot find a suitable certificate. Included extensions: 1.2.840.113556.5.11,1.2.840.113556.5.4,1.2.840.113556.5.6. Excluded extensions: . AgentTypeId:
The DMPUploader.log contained the same message about the missing certificate and the following message:
ERROR: ERROR: Exception occured while calling REST UserAuth Location service The Dmp Connector failed to read the connector certificate.
And within the DMPDownloader.log there were much the same errors. Don’t be misled by the failure within the ConnectorSetup.log:
CTool::RegisterManagedBinary: Failed to register D:\Program Files\Microsoft Configuration Manager\bin\x64\IntuneContentManager\Microsoft.ConfigurationManager.IntuneContentManager.dll with .Net Fx 2.0
As outlined in this TechNet Forums post, the registration of the DLL will succeed with another .NET version, and this is also visible in the log file two lines below the error.
I removed the Intune Subscription again (I can remove the Subscription without an issue, due to the change of the Azure Tenant, but if you are in production, removing the Intune Subscription will lead to re-enrolling your devices, see comment from matt), and also the Service connection point role, and re-added them without success. As outlined in this TechNet article, at the bottom of the page, there is this important notice for remote server usage:
When the role installs on a computer that is remote from the site server:
You must configure the site system server that hosts the role with a Site System Installation Account
The Site System Installation Account is used by the distribution manager on the site server to transfer updates from the service connection point.
But even installing the role on the site server itself was not successful, or to say it right, the Service connection point was not able to do its work. I uninstalled the Service Connection Point again, and rebooted my primary site server. After adding the role again, it was able to create or receive (?) a new connector certificate, which is also written to the log file (dmpdownloader.log):
Found connector certificate with subject 'CN=
You can find the certificate within the normal Machine Store of the Server that hosts the Service connection Role:
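To check from the server itself whether a certificate carrying the extension OIDs named in the DMPDownloader.log warning is present, the following PowerShell can be used. It is an added example, not part of the original post or of ConfigMgr. It assumes "Machine Store" means the LocalMachine certificate stores and searches all of them; the log does not say whether all three OIDs are required, so the script only reports which ones each certificate carries.

```powershell
# OIDs copied from the "Included extensions" list in the DMPDownloader.log warning.
$wantedOids = '1.2.840.113556.5.11', '1.2.840.113556.5.4', '1.2.840.113556.5.6'

# Assumption: search every store under LocalMachine instead of guessing one store name.
$now = Get-Date
$hits = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        $cert = $_

        # Collect the wanted OIDs that appear among this certificate's extensions.
        $matched = @($cert.Extensions |
            ForEach-Object { $_.Oid.Value } |
            Where-Object { $wantedOids -contains $_ })

        if ($matched.Count -gt 0) {
            [pscustomobject]@{
                Store         = ($cert.PSParentPath -split '\\')[-1]
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                Expired       = ($cert.NotAfter -lt $now)
                HasPrivateKey = $cert.HasPrivateKey
                MatchedOids   = ($matched -join ',')
                MissingOids   = (@($wantedOids | Where-Object { $matched -notcontains $_ }) -join ',')
            }
        }
    }

if ($hits) {
    $hits | Sort-Object Store, NotAfter | Format-List
} else {
    # Same condition the log warning reports: nothing with these extensions is installed.
    Write-Warning 'No certificate in the LocalMachine stores carries any of the listed extension OIDs.'
}
```

An empty result matches the "Cannot find a suitable certificate" warning; a result that is expired or has no private key is worth comparing against the subject logged in the "Found connector certificate" line.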
The synchronization afterwards was working like before.
Hope this helps.