Planning a Configuration Manager Infrastructure - Mastering System Center 2012 R2 Configuration Manager (2014)


Chapter 2. Planning a Configuration Manager Infrastructure

Properly planning a Configuration Manager infrastructure is crucial to using the product to its full potential. This is even more the case with Microsoft System Center 2012 R2 Configuration Manager and its new and improved features.

The first step is to define a project plan with the phases described in the Microsoft Solutions Framework (MSF). MSF guides you in setting up a project plan with the following phases:

· Envision: Gather deployment intelligence.

· Plan: Plan and design the Configuration Manager environment.

· Develop: Build the proof-of-concept and the new environment.

· Stabilize: Perform a pilot with multiple key users.

· Deploy: Migrate the users to the new infrastructure.

More information about the Microsoft Solutions Framework can be found in the Microsoft TechNet documentation library.

In this chapter, you will learn to

· Plan and design a Central Administration Site

· Plan and design an effective Configuration Manager 2012 infrastructure

· Identify the enhancements to the distribution point site system role

· Prepare your current Configuration Manager 2007 environment for the migration to Configuration Manager 2012

Gathering Deployment Intelligence

When you want to implement a new Configuration Manager 2012 infrastructure in your environment or migrate from Configuration Manager 2007, you need to write a plan of approach. The installation of Configuration Manager 2012 looks like a Next, Next, Finish installation, but without a solid plan you will not get the most out of the product. It is crucial to describe your current environment, define the goal you want to reach, and make a business case for your project. The following sections describe the process in detail.

Three Pillars of Configuration Manager

Configuration Manager 2012 is built on three pillars:

· Empower Users

· Unify Infrastructure

· Simplify Administration

The Empower Users pillar means that Configuration Manager gives the users the ability to be productive from anywhere on whatever device they choose.

The Unify Infrastructure pillar means that Configuration Manager gives the IT department the ability to reduce the cost of the IT management infrastructure. This is achieved through the simplified Configuration Manager infrastructure and by integrating other technology into Configuration Manager 2012, for instance by embedding Forefront Endpoint Protection (as System Center 2012 Endpoint Protection) and most of the features of System Center Mobile Device Manager.

The Simplify Administration pillar means that Configuration Manager will give Configuration Manager administrators a less-complex infrastructure to manage and, with the role-based administration feature, more effectiveness.

Since the positioning of Configuration Manager in the IT environment has changed and has become more important, planning the Configuration Manager environment is essential for an effective implementation of Configuration Manager 2012.

Determining What You Need to Accomplish

Before installing Configuration Manager in your environment, it’s wise to define the business case and scope of your project. Ask yourself, “What do we need to accomplish with the implementation of Configuration Manager?” and try to answer this question with the help of your colleagues.

While planning a Configuration Manager environment, schedule a workshop to define the scope and expectations of your project; you want the results to be accepted by your colleagues or customer. You also need to think from the users’ perspective, since Configuration Manager 2012 places the user at the center. User-centric management is new, but it can be very powerful and is usually well adopted by an organization. During the workshop, try to answer the following questions:

· Does the Configuration Manager 2012 environment need to have high availability?

· How is your IT management organized? Do you need role-based administration, or are all the administrators allowed to perform every task?

· How is your organization organized?

· Do you need to implement or do you support a full application lifecycle model?

· What kind of devices are you going to support? Which level of support do you want to provide?

· Are there relationships between users and systems?

· Do you deploy operating systems? If so, where do you need to deploy them?

· Would you like to implement self-service for the end users?

· Are you going to use one set of client settings, or is there a need for client settings based on collections of users or devices?

· Will you need to use the remote management features of Configuration Manager? If so, for what devices?

· Is there a need to use hardware and software inventory and asset intelligence?

· Is there a service-level agreement available that must be met after the implementation?

Describing the Network

When planning a Configuration Manager infrastructure, you want to look at your current network design. Collect as much information as you can about your current Configuration Manager 2007 infrastructure, your Active Directory, and your network design; this can help you make the right design decisions.

Think about the following when describing the network:

· Make a diagram of your network. The diagram must include the following: LAN and WAN infrastructure, network size per location, available bandwidth, network latency, and the use of firewalls.

· Do Configuration Manager clients need to connect to the Configuration Manager site from the Internet?

· Are you allowed to extend Active Directory with the Configuration Manager schema?

· Document your IPv4 and IPv6 number plan.

· Describe your Active Directory forest structure and possible Active Directory trusts.

· Describe your Active Directory organizational unit structure; where are your assets?

· Describe your security demands. Does Configuration Manager need to support HTTP or HTTPS client connections on the intranet, or both? Is a public key infrastructure (PKI) available? HTTPS site systems need PKI server certificates and HTTPS clients need client authentication certificates, and Internet-based client management is only possible over HTTPS, so the answer to the PKI question constrains the answers to the first two.

· Describe your servers and roles; if you want to manage your servers with Configuration Manager 2012, it’s good to define different maintenance windows per groups of servers.

· Do you already use Windows Server Update Services in your environment? Can it be replaced by Configuration Manager 2012?
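Most of the facts this checklist asks for can be pulled straight out of the directory. The following PowerShell script is an added example for this edition (it is not from the book and not a Microsoft tool); it collects forest, trust, site and subnet, PKI and schema information from a domain-joined machine using the ActiveDirectory module that ships with RSAT on Windows 8 / Windows Server 2012 or later (the Get-ADReplication* cmdlets need that version). It only reads the directory, so an ordinary domain account is enough, and the output lines are a summary you can paste into the design document.

```powershell
# Added example (not from the book): gather the Active Directory facts the
# planning checklist asks for. Read-only; needs the ActiveDirectory module.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

"Forest:           $($forest.Name) (mode $($forest.ForestMode))"
"Domains:          $($forest.Domains -join ', ')"
"Global catalogs:  $($forest.GlobalCatalogs -join ', ')"

# Trusts decide whether clients in other forests can be discovered and managed.
"Trusts:"
foreach ($trust in (Get-ADTrust -Filter *)) {
    "  $($trust.Name)  direction=$($trust.Direction)  forest-transitive=$($trust.ForestTransitive)"
}

# AD sites and their IP subnets map directly onto Configuration Manager
# boundaries (AD site and IP subnet are boundary types), so list them per site.
"AD sites and subnets:"
$subnets = Get-ADReplicationSubnet -Filter *
foreach ($site in (Get-ADReplicationSite -Filter *)) {
    $names = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName } | ForEach-Object { $_.Name }
    "  $($site.Name): $(if ($names) { $names -join ', ' } else { '(no subnets)' })"
}

# PKI availability: every enterprise CA publishes a pKIEnrollmentService object
# in the configuration partition. None here means no AD-integrated CA exists.
$caContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas = Get-ADObject -SearchBase $caContainer -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName
if ($cas) {
    "Enterprise CAs:   " + (($cas | ForEach-Object { "$($_.Name) on $($_.dNSHostName)" }) -join '; ')
} else {
    "Enterprise CAs:   none found (HTTPS site systems and Internet clients need certificates from elsewhere)"
}

# Schema state: a Configuration Manager 2007 extension created the MS-SMS-Site
# class and the 2012 extension adds nothing new, so this tells you whether
# ExtADSch.exe still has to be run (and whether you need Schema Admins rights).
$smsClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=MS-SMS-Site)'
"Schema extended:  " + $(if ($smsClass) { 'yes (MS-SMS-Site class present)' } else { 'no' })

# Existing site publication: sites publish mSSMSSite objects under the
# System Management container of their domain.
$sysMgmt = "CN=System Management,CN=System,$($rootDse.defaultNamingContext)"
try {
    $published = Get-ADObject -SearchBase $sysMgmt -LDAPFilter '(objectClass=mSSMSSite)' `
        -Properties mSSMSSiteCode -ErrorAction Stop
    "Published sites:  $(if ($published) { ($published.mSSMSSiteCode | Sort-Object -Unique) -join ', ' } else { 'none' })"
} catch {
    "Published sites:  System Management container does not exist in this domain yet"
}
```

Run it once per forest. The System Management container check only covers the domain you are logged on to, so repeat that part in every domain where a site will publish.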

Describing Your Migration Needs

With the migration feature in Configuration Manager 2012, you need to think carefully about how you want to carry over the investments you made in Configuration Manager 2007.

There is only one supported migration scenario for Configuration Manager 2012: a side-by-side migration. An in-place upgrade of a Configuration Manager 2007 site is not supported. List which collections, applications, software update deployments, operating system images, and other objects you want to migrate.

Define up front how long you want to keep the two environments operational, since in the meantime you need to administer two Configuration Manager infrastructures and may need to re-migrate objects you migrated earlier in the process.

Planning the Configuration Manager Environment

To plan, design, and implement a Configuration Manager 2012 environment that fits your business, you need to take several steps. Configuration Manager 2012 can be installed and configured in many different ways, and you must make many design decisions along the way.

Plan a workshop with your Configuration Manager team to make decisions about the following subjects:

· System requirements

· Active Directory considerations

· Hierarchies and sites

· Site boundaries and boundary groups

· Site system roles

· Site communications

· Site security

· Discovery of your resources

· Client settings and client deployment

· Content management

· Role-based administration

· Migration

· Disaster recovery

System Requirements

When planning your Configuration Manager 2012 infrastructure, you need to define what kind of hardware and software your infrastructure will use and what kind of devices you want to manage via the Configuration Manager 2012 infrastructure. This section describes the hardware and software requirements for the Configuration Manager 2012 infrastructure.

Configuration Manager Client Requirements

Configuration Manager 2012 supports clients on a wide range of operating systems. In addition to Windows, Configuration Manager now also supports Mac OS X, Linux and Unix servers, and mobile device operating systems. In the tables in this section you will find the supported client operating systems.

Hardware

The minimum and recommended hardware requirements for the Configuration Manager 2012 clients are shown in Table 2.1. Refer to the processor and RAM requirements for the operating systems of the devices.

Table 2.1: Hardware requirements/recommended

Component                             Requirement                                                               Recommended
Free disk space for client            500 MB                                                                    An additional 5 GB of free space for the client cache
RAM for operating system deployment   384 MB                                                                    -
Software Center                       500 MHz processor                                                         -
Remote control                        -                                                                         Pentium 4 HT 3 GHz or higher and 1 GB of RAM for best experience
Out-of-band management                Intel vPro or Intel Centrino Pro with a supported version of Intel AMT    -

Operating System

Configuration Manager 2012 supports various operating systems for desktops, laptops, and mobile devices. Windows versions ranging from Windows XP to Windows 8.1, plus Windows Server, Windows Mobile, and Nokia Symbian are supported by Configuration Manager 2012. The exact versions and editions are found in the tables of this section.

Windows XP

Windows XP is still a very popular operating system and is widely used in a lot of environments. In addition to the regular editions, the tablet and embedded editions are supported. Extended support for Windows XP ends on April 8, 2014, so be sure to read Chapter 10, “Operating System Deployment,” to see how you can migrate your Windows XP SP3 computers to a later version of Windows. Table 2.2 lists the supported versions.

Table 2.2: Supported Windows XP versions

Windows XP version                                                       X86   X64
Professional Service Pack 3                                              Yes   -
Professional for 64-bit systems Service Pack 2                           -     Yes
Windows XP Tablet PC (SP3)                                               Yes   -
Windows Embedded Standard 2009 (based on Windows XP SP3)                 Yes   -
Windows XP Embedded SP3 (based on Windows XP SP3)                        Yes   -
Windows Fundamentals for Legacy PCs (WinFLP) (based on Windows XP SP3)   Yes   -
Windows Embedded POSReady 2009 (based on Windows XP SP3)                 Yes   -
WEPOS 1.1 SP3 (based on Windows XP SP3)                                  Yes   -

Windows Vista

Configuration Manager 2012 is able to manage Windows Vista versions as of Service Pack 2. If you still have the RTM version of Windows Vista or earlier Service Pack releases, you need to install Service Pack 2 before the Configuration Manager 2012 client can be installed. Table 2.3 shows the supported Windows Vista versions.

Table 2.3: Supported Windows Vista versions

Windows Vista version               X86   X64
Business Edition Service Pack 2     Yes   Yes
Enterprise Edition Service Pack 2   Yes   Yes
Ultimate Edition Service Pack 2     Yes   Yes

Windows 7

Table 2.4 shows you the Windows 7 editions that are supported by Configuration Manager 2012.

Table 2.4: Supported Windows 7 versions

Windows 7 version                     X86   X64
Enterprise Edition                    Yes   Yes
Ultimate Edition                      Yes   Yes
Professional Edition                  Yes   Yes
Enterprise Edition Service Pack 1     Yes   Yes
Ultimate Edition Service Pack 1       Yes   Yes
Professional Edition Service Pack 1   Yes   Yes
Windows Embedded Standard 7           Yes   Yes
Windows Embedded POSReady 7           Yes   Yes
Windows Thin PC                       Yes   Yes

Windows 8 and Windows 8.1

The market share of Windows 8.1 is growing. Table 2.5 shows which Windows 8 and Windows 8.1 editions are supported by Configuration Manager 2012 and on which architectures.

Table 2.5: Supported Windows 8 versions

[Table 2.5 appears only as an image in the source and could not be reproduced here.]

Windows Server 2003

Windows Server 2003 is also widely used in IT environments. Configuration Manager 2012 supports Windows Server 2003 as of Service Pack 2, including the R2 release. Table 2.6 shows the complete list of supported versions.

Table 2.6: Supported Windows Server 2003 versions

Windows Server 2003 version         X86   X64
Web Edition Service Pack 2          Yes   -
Enterprise Edition Service Pack 2   Yes   Yes
Datacenter Edition Service Pack 2   Yes   Yes
Standard Edition R2 SP2             Yes   Yes
Enterprise Edition R2 SP2           Yes   Yes
Datacenter Edition R2 SP2           Yes   Yes
Storage Server Edition R2 SP2       Yes   Yes

Windows Server 2008

Windows Server 2008 comes in different editions and for different platforms. Table 2.7 provides the complete list of supported versions and editions.

Table 2.7: Supported Windows Server 2008 versions

Windows Server 2008 version                            X86   X64
Standard Edition Service Pack 2                        Yes   Yes
Enterprise Edition Service Pack 2                      Yes   Yes
Datacenter Edition Service Pack 2                      Yes   Yes
R2 Standard Edition (core and full)                    -     Yes
R2 Enterprise Edition (core and full)                  -     Yes
R2 Datacenter Edition (core and full)                  -     Yes
R2 Standard Edition Service Pack 1 (core and full)     -     Yes
R2 Enterprise Edition Service Pack 1 (core and full)   -     Yes
R2 Datacenter Edition Service Pack 1 (core and full)   -     Yes

Windows Server 2012 (R2)

Windows Server 2012 and its successor, Windows Server 2012 R2, come in different editions. Table 2.8 shows which editions are supported by Configuration Manager 2012.

Table 2.8: Supported Windows Server 2012 R2 versions

Version                                    X64
Windows Server 2012 Standard               Yes
Windows Server 2012 Datacenter             Yes
Windows Server 2012 R2 Standard            Yes
Windows Server 2012 R2 Datacenter          Yes
Windows Server 2012 Core installation      Yes
Windows Server 2012 R2 Core installation   Yes

Datacenter Releases Are Supported But Not Certified

The Datacenter versions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 are supported but not certified for Configuration Manager 2012.

Apple Mac OS X

Configuration Manager 2012 R2 supports a broad range of Windows, Linux, and Mac devices. Table 2.9 lists the supported Mac OS X operating systems.

Table 2.9: Supported Mac OS X versions

Version         Supported
Mac OS X 10.6   Yes
Mac OS X 10.7   Yes
Mac OS X 10.8   Yes

Linux and Unix Operating Systems

Linux and Unix are the odd ones out among the operating systems supported by Configuration Manager 2012 R2: they are supported as server operating systems only, through a dedicated client that offers a subset of the Windows client features. Table 2.10 shows which versions are supported.

Table 2.10: Supported Linux and Unix versions

Operating system               Supported versions
Red Hat Enterprise Linux       4 (x86, x64), 5 (x86, x64), 6 (x86, x64)
Solaris                        9 (SPARC), 10 (x86, SPARC), 11 (x86, SPARC)
SUSE Linux Enterprise Server   9 (x86), 10 SP1 (x86, x64), 11 SP1 (x86, x64)
CentOS                         5 (x86, x64), 6 (x86, x64)
Debian                         5 (x86, x64), 6 (x86, x64), 7 (x86, x64)
Ubuntu                         10.04 LTS (x86, x64), 12.04 LTS (x86, x64)
Oracle Linux                   5 (x86, x64), 6 (x86, x64)
HP-UX                          11i v2 (IA64, PA-RISC), 11i v3 (IA64, PA-RISC)
AIX                            5.3, 6.1, 7.1 (Power)

Operating Systems for Mobile Phones and Handheld Devices

Configuration Manager 2012 supports management of several mobile phone and handheld device platforms. The level of support and the features vary per platform and client type, but each platform supports inventory, settings management, and software deployment. The support can be divided into two levels:

· Depth management

· Light management

Devices that are supported through depth management are enrolled in Configuration Manager 2012 and receive a Configuration Manager client, or they are enrolled through the Windows Intune connector. Light management requires connecting the Configuration Manager 2012 environment, through the Exchange Server connector, to a Microsoft Exchange Server 2010 SP1 or later on-premises or Exchange Online environment; devices are then managed through their Exchange ActiveSync connection. In Chapter 16, “Mobile Device Management,” you can find the supported features and the supported mobile devices and learn how to enroll mobile devices into Configuration Manager 2012 R2.

Configuration Manager Site Server Requirements

The Configuration Manager site server roles can be installed on different kinds of hardware and software platforms. This section will help you to identify the hardware and software options you have when planning your site servers.

Hardware

Table 2.11 lists the minimum and recommended hardware requirements for Configuration Manager site systems. Be sure that the hardware supports a 64-bit operating system; the only exception is the distribution point role, which can also be installed on a limited list of 32-bit operating systems. The requirements are based on those of Windows Server 2008 SP2 x64.

Table 2.11: Hardware requirements/recommended

Component         Requirement         Recommended
Processor         1.4 GHz processor   2.0 GHz or faster
RAM               4 GB                8 GB or more
Free disk space   10 GB               50 GB (if using operating system deployment)

In many cases you will need fewer servers than with earlier versions and have less resource waste.

Software Requirements for Site System Roles

To be able to install and configure Configuration Manager 2012 site system roles on your servers, the operating system must comply with some requirements. Site system roles are roles that can be installed and configured on Configuration Manager 2012 site systems. This section will describe the requirements for installing the different site system roles.

Operating Systems

Depending on the roles you want to install, you can choose which operating system to install the site system role on. Every site system role has requirements for the operating system it can be installed on. For instance, a management point can be installed only on a 64-bit Windows Server operating system, whereas the distribution point role is supported on a much larger list of operating systems. This section helps you identify the operating system requirements for the site system roles.

Site System Roles with the Same Operating System Requirements

Most site system roles require the same operating systems. The following site server roles have the same OS requirements:

· Central administration site

· Primary site server

· Secondary site server

· Site database server

· SMS provider

· Enrollment point

· Enrollment proxy point

· Fallback status point

· Management point

· Application Catalog web service point

· Application Catalog website point

· Asset Intelligence synchronization point

· Endpoint Protection point

· Out of band service point

· Reporting services point

· Software update point

· State migration point

· System health validator point

The operating system versions in Table 2.12 support installing the site roles mentioned here.

Table 2.12: Supported operating systems

Operating System                                    X86   X64
Windows Server 2008 Standard Edition (SP2)          -     Yes
Windows Server 2008 Enterprise Edition (SP2)        -     Yes
Windows Server 2008 Datacenter Edition (SP2)        -     Yes
Windows Server 2008 R2 Standard Edition             -     Yes
Windows Server 2008 R2 Enterprise Edition           -     Yes
Windows Server 2008 R2 Datacenter Edition           -     Yes
Windows Server 2008 R2 SP1 Standard Edition         -     Yes
Windows Server 2008 R2 SP1 Enterprise Edition       -     Yes
Windows Server 2008 R2 SP1 Datacenter Edition       -     Yes
Windows Server 2012 Standard                        -     Yes
Windows Server 2012 Datacenter                      -     Yes
Windows Server 2012 R2 Standard                     -     Yes
Windows Server 2012 R2 Datacenter                   -     Yes
Windows Server 2012 Foundation                      -     Yes
Windows Server 2012 R2 Foundation                   -     Yes

The site system roles are not supported on a Core installation of Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 Foundation, Windows Server 2008 R2 Foundation, Windows Server 2012, or Windows Server 2012 R2 editions.

Some of the site server roles can be installed on different operating systems than the ones required for the roles listed previously. The following site server roles can be installed and configured on many more operating systems:

· Distribution point

· Client status reporting host system

The operating systems that are supported for the distribution points are listed in Table 2.13. The support of distribution points on Windows Server 2003 has some feature limits. For instance, BranchCache will not work with Windows Server 2003.

Table 2.13: Supported operating systems for distribution points

Operating System                                       X86   X64
Windows Vista Business Edition 64-bit SP1              -     Yes
Windows Vista Enterprise Edition 64-bit SP1            -     Yes
Windows Vista Ultimate Edition 64-bit SP1              -     Yes
Windows Server 2003 Standard Edition R2                Yes   Yes
Windows Server 2003 Enterprise Edition R2              Yes   Yes
Windows Server 2003 Web Edition SP2                    Yes   -
Windows Server 2003 Standard Edition SP2               Yes   Yes
Windows Server 2003 Enterprise Edition SP2             Yes   Yes
Windows Server 2003 Datacenter Edition SP2             Yes   Yes
Windows Server 2003 Storage Server Edition SP2         *     *
Windows Server 2008 Standard Edition (SP2)             Yes   Yes
Windows Server 2008 Enterprise Edition (SP2)           Yes   Yes
Windows Server 2008 Datacenter Edition (SP2)           Yes   Yes
Windows Server 2008 R2 Standard Edition                -     Yes
Windows Server 2008 R2 Enterprise Edition              -     Yes
Windows Server 2008 R2 Datacenter Edition              -     Yes
Windows Server 2008 R2 SP1 Standard Edition            -     Yes
Windows Server 2008 R2 SP1 Enterprise Edition          -     Yes
Windows Server 2008 R2 SP1 Datacenter Edition          -     Yes
Windows Storage Server 2008 R2 Workgroup               -     Yes
Windows Storage Server 2008 R2 Standard                -     Yes
Windows Storage Server 2008 R2 Enterprise              -     Yes
Windows Server 2012 Standard                           -     Yes
Windows Server 2012 Datacenter                         -     Yes
Windows Server 2012 R2 Standard                        -     Yes
Windows Server 2012 R2 Datacenter                      -     Yes
Windows 7 Professional Edition (with or without SP1)   Yes   Yes
Windows 7 Enterprise Edition (with or without SP1)     Yes   Yes
Windows 7 Ultimate Edition (with or without SP1)       Yes   Yes
Windows 8 Professional                                 Yes   Yes
Windows 8 Enterprise                                   Yes   Yes
Windows 8.1 Professional                               Yes   Yes
Windows 8.1 Enterprise                                 Yes   Yes

* Supported on one architecture only; the source does not indicate which.

On Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows Server 2003 R2, only the standard distribution point is supported; enhanced features such as PXE and multicast are not available, because they depend on Windows Deployment Services. On Windows Server 2008 SP2, multicast on the distribution point is not supported.

Prerequisite Software Requirements

The following software must be installed and, where needed, configured before you can install Configuration Manager 2012 R2:

· Windows Server Update Services 3.0 SP2 (only on the server that will host the software update point; on Windows Server 2012 and later, install the built-in WSUS server role instead)

· Microsoft .NET Framework 3.5 SP1 (3.5.1)

· Microsoft .NET Framework 4 (on Windows Server 2008 and 2008 R2)

· Microsoft .NET Framework 4.5 (included with Windows Server 2012 and 2012 R2)

· Active Directory schema extended with the Configuration Manager 2012 classes (optional but recommended; see “Extending the Active Directory Schema” later in this chapter)

· Windows Assessment and Deployment Kit (ADK) 8.1, which provides the operating system deployment components

The following SQL Server versions are supported:

· SQL Server 2008 SP2 (Standard or Enterprise) with a minimum of Cumulative Update 9

· SQL Server 2008 SP3 (Standard or Enterprise) with a minimum of Cumulative Update 4

· SQL Server 2008 R2 (Standard or Enterprise) with SP1 with a minimum of Cumulative Update 6

· SQL Server 2008 R2 (Standard or Enterprise) with SP2

· SQL Server 2012 (Standard or Enterprise) with a minimum of Cumulative Update 2

· SQL Server 2012 (Standard or Enterprise) with SP1

· SQL Server Express 2008 R2 with SP1 with a minimum of Cumulative Update 6 (secondary sites only)

· SQL Server Express 2008 R2 with SP2 (secondary sites only)

· SQL Server Express 2012 and a minimum of Cumulative Update 2 (secondary sites only)

· SQL Server Express 2012 with SP1 (secondary sites only)

The collation of the SQL Server instance and of the site database must be SQL_Latin1_General_CP1_CI_AS before Configuration Manager 2012 R2 can be installed. Changing an instance’s collation later means rebuilding the system databases, so verify it before you commit to an existing instance.

As with Configuration Manager 2007, several roles and features of Windows Server need to be installed and configured:

· Background Intelligent Transfer Service (BITS)

· Remote Differential Compression

· IIS 7 or later (with IIS 6 Management Compatibility, ASP.NET, Static Content Compression, Windows Authentication, and the common IIS and security features)

We’ll discuss more on the installation of Configuration Manager 2012 in Chapter 4, “Installation and Site Role Configuration.”
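As an added example (not from the book), the PowerShell below installs the Windows Server 2012 / 2012 R2 roles and features listed above for a site server that will host the management point, distribution point and Application Catalog roles, confirms that .NET Framework 4.5 is present, and then checks the SQL Server collation requirement from the previous section against a named instance. The instance name CMSQL01 and database name CM_P01 are placeholders. Run it in an elevated PowerShell session with an account that can log on to the SQL instance. On Windows Server 2008 R2 use Add-WindowsFeature from the ServerManager module instead; the feature names differ slightly there.

```powershell
# Added example (not from the book): site server prerequisites on
# Windows Server 2012 / 2012 R2, plus the SQL collation check.

# Feature names as used by Install-WindowsFeature on Windows Server 2012 / 2012 R2.
$features = @(
    'BITS', 'BITS-IIS-Ext'                                 # Background Intelligent Transfer Service
    'RDC'                                                  # Remote Differential Compression
    'NET-Framework-Core'                                   # .NET 3.5 (add -Source if the payload was removed)
    'NET-Framework-45-Core', 'NET-WCF-HTTP-Activation45'   # .NET 4.5 and HTTP activation
    'Web-Server', 'Web-Default-Doc', 'Web-Static-Content'  # IIS with static content
    'Web-Stat-Compression'                                 # Static Content Compression
    'Web-Asp-Net', 'Web-Asp-Net45', 'Web-Net-Ext', 'Web-Net-Ext45'
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter'
    'Web-Windows-Auth'                                     # Windows Authentication (management/distribution point)
    'Web-Mgmt-Console', 'Web-Metabase', 'Web-WMI'          # IIS 6 Management Compatibility
    'Web-Lgcy-Scripting', 'Web-Lgcy-Mgmt-Console'
)

$install = Install-WindowsFeature -Name $features
"Install exit code: $($install.ExitCode); restart needed: $($install.RestartNeeded)"
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) { "Features still missing: $($missing.Name -join ', ')" }

# .NET Framework 4.5 or later is present when the v4 Full Release value is >= 378389.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
".NET Framework 4.5 or later: " + $(if ($ndp -and $ndp.Release -ge 378389) { "yes (Release $($ndp.Release))" } else { 'no' })

# Check the instance collation, and optionally that of an existing site database
# you intend to reuse. Both must be SQL_Latin1_General_CP1_CI_AS.
function Test-CmSqlCollation {
    param(
        [Parameter(Mandatory)][string]$Instance,   # 'HOST' or 'HOST\INSTANCE' (placeholder below)
        [string]$Database                          # optional existing site database
    )
    $required = 'SQL_Latin1_General_CP1_CI_AS'
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'))"
        $server = [string]$cmd.ExecuteScalar()
        $result = [ordered]@{ ServerCollation = $server; ServerOk = ($server -eq $required) }
        if ($Database) {
            # Parameterised: the database name is data, never part of the statement text.
            $cmd.CommandText = 'SELECT collation_name FROM sys.databases WHERE name = @name'
            $null = $cmd.Parameters.AddWithValue('@name', $Database)
            $db = [string]$cmd.ExecuteScalar()
            $result.DatabaseCollation = $db
            $result.DatabaseOk = ($db -eq $required)
        }
        [pscustomobject]$result
    } finally {
        $conn.Close()
    }
}

Test-CmSqlCollation -Instance 'CMSQL01' -Database 'CM_P01'
```

If ServerOk comes back false, fix the collation before installing anything: Configuration Manager setup will refuse the instance, and a site database created with the wrong collation cannot be corrected in place.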

Extending the Active Directory Schema

When you are migrating from Configuration Manager 2007 and have already extended the Active Directory schema, you do not have to extend it again: the schema extensions for Configuration Manager 2012 are unchanged from Configuration Manager 2007.

When planning the extension of the Active Directory schema for Configuration Manager 2012, you need to take into account that several site roles require the extension.

Extending the Active Directory schema is not part of the installation process; it is done by running a separate executable (ExtADSch.exe, found in the SMSSETUP\BIN\X64 folder of the installation media) with an account that is a member of the Schema Admins group. Once the schema is extended and the site servers have been granted permissions on the System Management container, each site can publish its site information to Active Directory automatically. You can find more about this procedure in Chapter 4.

Extending the Active Directory schema is optional, but for some features extending it is required. Table 2.14 provides the list of Configuration Manager 2012 features that require an extended Active Directory schema or need it optionally.

Table 2.14: Configuration Manager 2012 features that require an extended Active Directory schema

Feature: Client installation
Schema extension: Optional
Description: When a new Configuration Manager client is installed or pushed, it searches Active Directory by default for information about the Configuration Manager 2012 environment, such as where the management point resides and the site code. If you do not want to extend Active Directory, you can install the client with installation properties such as SMSMP, or you can publish the management point in DNS or WINS.

Feature: Automatic site assignment/global roaming
Schema extension: Optional
Description: If you do not extend Active Directory, you need to publish the management point in WINS or assign the site code explicitly with the SMSSITECODE installation property. Otherwise the Configuration Manager client cannot find a management point and cannot communicate with the site.

Feature: TCP port configuration for client-to-server communication
Schema extension: Optional
Description: When a Configuration Manager client is installed, it is configured with the TCP ports used to communicate with the site systems. If you change the ports after installation, clients that can read the site information from Active Directory pick up the new ports automatically; otherwise you must reconfigure them, for instance by reinstalling with the CCMHTTPPORT and CCMHTTPSPORT properties.

Feature: Network Access Protection
Schema extension: Required
Description: Configuration Manager publishes client health state references to Active Directory so that the system health validator point can validate whether a client is compliant.

Microsoft best practice is to extend Active Directory with the Configuration Manager schema. Also make sure that every site server (the CAS and each primary and secondary site server) has Full Control on the System Management container in Active Directory so that it can publish its site data. Grant this to the site server computer accounts only, not to a broad group such as Domain Computers: clients trust what is published in this container when they look up their site and management point.
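Granting the site servers access to the System Management container is where most publishing problems and most over-permissive setups originate. The PowerShell below is an added example (not from the book) that creates the container if it is missing, grants Full Control to the listed site server computer accounts only, and then audits the resulting ACL for broad principals. The server names CM-CAS01, CM-PRI01 and CM-SEC01 are placeholders; it assumes ExtADSch.exe has already been run, the ActiveDirectory module is available, and the account running it can modify the CN=System container (typically a Domain Admin). Repeat it in every domain where a site will publish.

```powershell
# Added example (not from the book): create the System Management container and
# give only the site server computer accounts Full Control on it.
Import-Module ActiveDirectory

# Placeholder names: CAS, primary and secondary site servers all publish to AD.
$siteServers = @('CM-CAS01', 'CM-PRI01', 'CM-SEC01')

$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"

# 1. Create the container. ExtADSch.exe extends the schema but never creates this object.
$container = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel -LDAPFilter '(cn=System Management)'
if (-not $container) {
    $container = New-ADObject -Name 'System Management' -Type container -Path $systemDN -PassThru
    "Created $containerDN"
}

# 2. Full Control for each site server computer account, inherited by everything the
#    sites create under the container (mSSMSSite, mSSMSManagementPoint, ... objects).
$acl = Get-Acl -Path "AD:\$containerDN"
foreach ($name in $siteServers) {
    $sid = (Get-ADComputer -Identity $name).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    "Granted Full Control to $name"
}
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 3. Audit: anyone who can write here can publish forged site or management point
#    records that clients will read, so flag broad principals with write rights.
$broad = 'Domain Computers|Domain Users|Authenticated Users|Everyone'
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broad -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|CreateChild'
    } |
    ForEach-Object { "WARNING: $($_.IdentityReference) has $($_.ActiveDirectoryRights) on System Management" }

# 4. Once the sites are up, confirm they actually published.
Get-ADObject -SearchBase $containerDN -LDAPFilter '(objectClass=mSSMSSite)' -Properties mSSMSSiteCode |
    ForEach-Object { "Published site: $($_.mSSMSSiteCode)" }
```

The audit step is the part worth keeping around: rerun it after the hierarchy is live, because later administrators tend to “fix” publishing failures by adding Domain Computers or Authenticated Users to the container instead of the missing site server account.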

Hierarchies and Sites

When planning for a Configuration Manager 2012 infrastructure, you need to have a clear understanding of what your global network infrastructure looks like; also, you need to take into account your business needs. The Configuration Manager 2012 architecture is simplified from earlier versions and consists of the following site types:

· Central Administration Site

· Primary site

· Secondary site

In addition to the site types, a distribution point can play an essential role in the Configuration Manager hierarchy. A Configuration Manager hierarchy consists of Configuration Manager sites that are linked directly or indirectly and have a parent-child relationship, as shown in Figure 2.1.

image

Figure 2.1 A Configuration Manager hierarchy

Central Administration Site

The Central Administration Site (CAS) is the top-level site in a Configuration Manager hierarchy and is the recommended location for all administration and reporting for a Configuration Manager 2012 hierarchy. It has limited site roles available, has no clients assigned, and doesn’t process client data.

The CAS supports only primary sites as child sites. When you plan for two or more primary sites, the CAS is the first site you should install. Since Configuration Manager 2012 SP1, an existing stand-alone primary site can also be expanded into a hierarchy by installing a new CAS above it, but a primary site that already belongs to a hierarchy cannot be moved to another CAS. The CAS needs a SQL Server for the data that is gathered from the hierarchy, such as inventory data and status messages. You configure the discovery of resources from the CAS by assigning discovery methods to run in individual sites in the hierarchy.

The following site roles can be configured for Central Administration Sites:

· System health validator point

· Software update point

· Asset Intelligence synchronization point

· Reporting Services point

· Endpoint Protection point

· Certificate Registration point

· Windows Intune connector

A Central Administration Site can support up to 25 child primary sites.

Primary Site

The primary site serves clients in well-connected networks. A primary site can have a CAS as its parent tier but cannot have another primary site as its parent. Because role-based administration is built in, separate primary sites are no longer needed for security, administrative, or data-segmentation purposes.

Extra primary sites can be added for the following reasons:

· Managing clients directly

· Providing a local point for administration

· Supporting more than 100,000 clients

The following are design rules for primary sites:

· Primary sites can be stand-alone or members of a hierarchy.

· A primary site cannot change its parent site relationship after the installation.

· A stand-alone primary site cannot be attached to an existing CAS after installation; the only way to bring it into a hierarchy is to install a new CAS above it (supported since Service Pack 1).

· Primary sites that are installed as children of a CAS will configure database replication to the parent site automatically.

· Primary sites use database replication for the communication to their child and parent sites.

· Primary sites can have only a Central Administration Site as a parent site.

· Primary sites can support one or more secondary sites as child sites.

· Primary sites process all client data from their assigned Configuration Manager clients.

· A primary site can support up to 10 management points for load balancing.

· A primary site can support up to 250 secondary sites.

The following site roles can be configured for primary site servers:

· Management point

· Distribution point

· Software update point

· System health validator point

· State migration point

· Fallback status point

· Out-of-band service point

· Asset Intelligence synchronization point (only on stand-alone primary site)

· Reporting Services point

· Application Catalog web service point

· Application Catalog website point

· Enrollment proxy point

· Enrollment point

· Certificate registration point

· Endpoint Protection point (only on stand-alone primary site)

· Windows Intune connector (only on a stand-alone primary site; in a hierarchy this role is installed at the CAS)

Secondary Site

A secondary site is installed from the Configuration Manager console. It serves clients in remote locations where you need to control the network traffic to and from those clients. You can use secondary sites to host site roles such as software update points, PXE-enabled distribution points, and state migration points close to the clients, and when you need tiered content routing for deep network topologies.

Reassigning a secondary site to another primary site is not possible; you need to delete the secondary site and reinstall it from the Configuration Manager console.

The following are design rules for secondary sites:

· When installing a secondary site, it will automatically install SQL Server Express if a local SQL Server is not available.

· Secondary sites that are installed as children of a primary site will configure database replication to the parent site automatically.

· Secondary sites use database replication for the communication to their parent sites and receive a subset of the Configuration Manager database.

· Secondary sites support the routing of file-based content between secondary sites.

· When installing secondary sites, a management point and a distribution point are installed automatically.

· A secondary site is appropriate where data must flow in both directions: client data upward to the primary site and content downward to the remote location.

The following site roles can be configured for secondary site servers:

· Management point

· Distribution point

· Software update point

· State migration point

Distribution Points

The distribution point is the Configuration Manager role that stages content (packages, applications, software updates, and operating system and boot images) for clients. The role has been enhanced considerably compared with earlier versions. In Configuration Manager 2012, the old standard, server share, and branch distribution points are merged into one distribution point role.

Consider a remote distribution point at a location where no primary site or secondary site server is present when the following conditions apply:

· The bandwidth of your network is sufficient for the clients' management traffic (client inventory, client policies, status reporting, and discovery information) to and from a management point at the site.

· Background Intelligent Transfer Service (BITS) provides sufficient bandwidth control for the client downloads at that location.

· You need to stream virtual applications to clients at the remote location.

· You need to use the multicast protocol for deploying operating systems to clients at the remote location.

· You need only a downward flow of data (content to the location); client data still travels to the management point of the site.

If these conditions apply and a primary site or secondary site is not needed for other reasons, a remote distribution point is the right choice for those clients.

A distribution point cannot be installed at the Central Administration Site; it is always attached to a primary site or a secondary site.

The distribution point role now supports the following:

· Scheduling and throttling of data synchronization

· PXE

· Multicast

· Content library

· Content validation

· State-based distribution point groups

· Prestaged content

· BranchCache

These are described in detail in the following sections.

Scheduling and Throttling

Whereas in Configuration Manager 2007 you needed a secondary site to be able to manage the synchronization of data on the distribution points, you are now able to control content distribution by using bandwidth, bandwidth throttling, and scheduling options. With scheduling you are able to define periods for restricting synchronization traffic to the distribution point. You can configure synchronizations per day, per hour, and by priority. With throttling you are able to configure options like the following:

1. Unlimited When Sending To This Destination When you choose this option, all available bandwidth will be used for distribution point synchronization traffic.

2. Limited To Specified Maximum Transfer Rates By Hour Configure per hour the percentage of the bandwidth that is allowed to be used for distribution point synchronization traffic.

3. Pulse Mode When you choose this option, you can define the block size of the data that needs to be synchronized and the time delay between each block that is sent to the distribution point.

Scheduling and throttling are available only for distribution points installed on a separate site system; they cannot be configured for a distribution point that runs on the site server itself.

PXE

To be able to install operating systems in your environment, you need to configure PXE support. PXE support allows a computer to boot into a boot image that initiates operating system deployment for Configuration Manager 2012 clients. In Configuration Manager 2012, there is no longer a separate PXE service point on the site server; you enable PXE on a distribution point, which requires Windows Deployment Services on that server. Per site, up to 250 PXE-enabled distribution points are supported.

Multicast

The multicast support is used to deploy operating systems while conserving network bandwidth by simultaneously sending data to multiple clients instead of sending data to each client using a separate session.

Best practice is that the same distribution point is not used for multicast and unicast distributions at the same time.

Content Library

The way data is stored on the distribution point has changed drastically. Where Configuration Manager 2007 stored a lot of duplicate content, Configuration Manager 2012 stores each file only once, in the content library (SCCMContentLib). This library is divided into three parts:

1. Data Library (DataLib) The data library holds, per package, INI files with metadata (such as the hash and size) for each file in that package.

2. File Library (FileLib) The file library holds the actual files, stored and named by their hash. It provides single-instance storage on the site server and on each distribution point: a file that is part of several packages is kept only once.

3. Package Library (PkgLib) The package library records which content belongs to each package.

The content library replaces the package copies on the Configuration Manager 2007 distribution points, including the SMSPKGx$ share (where x is the letter of the drive hosting the share) in which the package content was stored.

For content sent between sites, compressed copies of the content are still used; the compression method is new and achieves a higher compression rate. A new component, Package Transfer Manager (PkgXferMgr), sends content from the site server to its remote distribution points.

The content library can span several drives. Each drive is given a priority for file storage, instead of the drive with the most free space being selected as in earlier versions.

Content Validation

A new feature in Configuration Manager 2012 is the ability to validate the content on a distribution point (see Figure 2.2). When validating the content on a distribution point, the validation process will check to see if the content on the distribution point is the same as the content in the source of the application or package. Validating the content can be scheduled for the distribution point or done per package.

image

Figure 2.2 Managing the content on the distribution point

Per application on the distribution point, you are able to validate, redistribute, or remove the content. If the content is not valid, it will then be reported in the Content Status node in the Monitoring workspace of the Configuration Manager console.
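The single-instance storage described under Content Library and the hash check described under Content Validation are easiest to see with a small model. The following is an added example, not Configuration Manager's own code: it builds a simplified FileLib/DataLib/PkgLib layout in a temporary folder (the real library names FileLib entries by their hash and keeps metadata in INI files; the exact folder and INI layout here is an assumption for the demonstration), stores two packages that share one file, and then validates a package after one stored file has been corrupted. Package IDs, file names, and file contents are constructed.

```python
# Added example (not Configuration Manager's code): a simplified model of the
# content library's three parts and of content validation.  The real library
# names FileLib entries by hash and keeps metadata in INI files; package IDs,
# file names and file contents below are constructed for the demonstration.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


class ContentLibrary:
    def __init__(self, root: Path):
        self.root = Path(root)
        self.filelib = self.root / "FileLib"     # single-instance file store
        self.datalib = self.root / "DataLib"     # per-file metadata per package
        self.pkglib = self.root / "PkgLib"       # what belongs to each package
        for d in (self.filelib, self.datalib, self.pkglib):
            d.mkdir(parents=True, exist_ok=True)

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest().upper()

    def add_package(self, package_id: str, files: Dict[str, bytes]) -> Dict[str, str]:
        """Store the files of one package; identical bytes are written once."""
        manifest = {}
        for name, data in files.items():
            h = self.digest(data)
            blob = self.filelib / h[:4] / h          # bucket by first 4 hash chars
            blob.parent.mkdir(exist_ok=True)
            if not blob.exists():                    # de-duplication across packages
                blob.write_bytes(data)
            manifest[name] = h
        pkg_dir = self.datalib / package_id
        pkg_dir.mkdir(exist_ok=True)
        for name, h in manifest.items():             # DataLib: one INI per file
            (pkg_dir / f"{name}.INI").write_text(
                f"[File]\nHash={h}\nSize={len(files[name])}\n")
        (self.pkglib / f"{package_id}.INI").write_text(   # PkgLib: package contents
            "[Files]\n" + "".join(f"{n}={h}\n" for n, h in manifest.items()))
        return manifest

    def validate(self, package_id: str) -> List[str]:
        """Recompute the hash of every stored file of the package and return the
        names whose bytes no longer match the recorded hash (empty = valid)."""
        failures = []
        lines = (self.pkglib / f"{package_id}.INI").read_text().splitlines()[1:]
        for line in lines:
            name, recorded = line.split("=", 1)
            blob = self.filelib / recorded[:4] / recorded
            if not blob.exists() or self.digest(blob.read_bytes()) != recorded:
                failures.append(name)
        return failures

    def blob_count(self) -> int:
        return sum(1 for p in self.filelib.rglob("*") if p.is_file())


def demo(root: Optional[Path] = None) -> dict:
    """Two packages share one file; afterwards one stored file is corrupted."""
    lib = ContentLibrary(root or Path(tempfile.mkdtemp(prefix="SCCMContentLib-")))
    shared = b"vcredist payload shared by both packages (constructed)"
    lib.add_package("PS100001", {"setup.exe": b"app one installer", "vcredist.exe": shared})
    lib.add_package("PS100002", {"setup.exe": b"app two installer", "vcredist.exe": shared})
    result = {"blobs": lib.blob_count(),             # 3 files stored, not 4
              "valid_before": lib.validate("PS100001")}
    h = lib.digest(shared)                           # simulate bit rot or tampering
    (lib.filelib / h[:4] / h).write_bytes(b"corrupted on the distribution point")
    result["invalid_after"] = lib.validate("PS100002")
    return result


if __name__ == "__main__":
    print(demo())
```

The validation step is the same comparison the console performs on a schedule or on demand: recorded hash versus the hash of what is actually on disk. Because storage is single-instance, a corrupted shared file fails validation for every package that references it, which is why a validation failure should be treated as a distribution point problem rather than a problem with one package.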

State-Based Distribution Point Groups

In Configuration Manager 2007, distribution point groups were just for administrative purposes to easily target software, but in Configuration Manager 2012, the concept has changed. The distribution point groups are state based; this means that when you add a distribution point to a group, it will receive all the content that has previously been assigned to the distribution point group.

Content Prestaging

Prestaged content is a new feature that replaces the courier sender and the package preload tool used in earlier versions of Configuration Manager. Those were used to provide distribution points with content from physical media (DVD, tape, external disk, and so on) instead of synchronizing the content over the WAN. With prestaged content you export the content to an offline medium and import it locally on the remote distribution point, so you can also bring up a new remote distribution point without letting it synchronize with the site server over the WAN.

BranchCache

Since Configuration Manager 2007 SP2, distribution points also support BranchCache, a feature introduced with Windows Server 2008 R2 and Windows 7. BranchCache reduces WAN utilization and improves access from branch office locations to content hosted at the central office. When BranchCache is enabled, a copy of content retrieved from a server is cached in the branch office; when another client requests the same content, it is served from that cache instead of crossing the WAN again. BranchCache caches HTTP, HTTPS, BITS, and SMB-based content in one of two modes: in distributed cache mode, the cache is spread across the BranchCache-enabled client computers in the branch; in hosted cache mode, a server in the branch office holds the cache.

Configuration Manager 2012 has no dedicated BranchCache switch, because BranchCache is a Windows feature rather than a Configuration Manager feature. Install the BranchCache feature on the distribution point server, enable BranchCache on the clients (through Group Policy or netsh), and configure your deployments to download the content and run it locally; for applications, the deployment type's content option that allows clients to share content with other clients on the same subnet enables BranchCache for that content.

BranchCache is most useful in WAN environments with high latency and slow data links between the sites.

BranchCache requires Windows 7 or later clients and a distribution point running Windows Server 2008 R2 or later.

Site Boundaries and Boundary Groups

In Configuration Manager 2012 you can define one or more network locations called boundaries. A boundary in Configuration Manager 2012 can be based on the following types:

1. IP Subnet A boundary can be a subnet ID, which is automatically calculated while entering the IP subnet and subnet mask.

2. Active Directory Site When you are using Active Directory sites in your Active Directory domain, you can configure the boundary to use an Active Directory site.

3. IPv6 Prefix If you are configuring Configuration Manager 2012 in an IPv6 environment, you can configure a boundary to use an IPv6 prefix. An IPv6 prefix is a fixed part of the IPv6 address or the network ID.

4. IP Address Range Instead of using an IP subnet, you can configure the boundary to use an IP address range. The IP address range can be defined according to your needs.

Boundaries contain the devices you want to manage with Configuration Manager 2012. To take effect, a boundary must be added to one or more boundary groups, which are collections of boundaries. Boundaries are defined once for the whole Configuration Manager 2012 hierarchy, whereas boundaries in Configuration Manager 2007 were site specific.

Before a client can identify its assigned site or locate content on a distribution point, the boundary it falls into must be associated with a boundary group; a boundary on its own is not used. Boundary groups serve two purposes: site assignment, so that clients can find their assigned site, and content location. In a boundary group you associate site systems that host distribution points or state migration points, so that clients in those boundaries can find applications, operating system images, software updates, and a place to store user state. Boundary groups also help to keep boundaries organized in a logical way.

Boundary creation can be done by hand, but when you enable the Active Directory Forest Discovery feature, you can create Active Directory site boundaries and IP subnet boundaries automatically at the same time. This process can be configured to run periodically. When migrating from Configuration Manager 2007, boundaries and boundary groups are also automatically created during the migration process.

Configuring Network Speed

In Configuration Manager 2007, you configured the network connection speed (fast or slow) on each boundary. In Configuration Manager 2012, you configure it per distribution point referenced by a boundary group, in the boundary group's content location settings.

A boundary group can be assigned to a specific site and can reference one or more content locations. A distribution point can be referenced by more than one boundary group. When a client requests content, it receives the distribution points of every boundary group its current location falls into, together with the connection speed configured for each. The client prefers distribution points marked as fast; whether it may fall back to a slow distribution point is controlled by the deployment's settings for slow network boundaries.

Do Not Overlap Boundaries

When planning boundary groups, avoid overlapping the boundaries. This is allowed in Configuration Manager 2012 and earlier versions, but when you use automatic site assignment, the site that a client will be assigned to is unpredictable. So do not use overlapping in combination with automatic client assignment.
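The subnet ID calculation, the boundary group lookup, and the overlap problem above can be checked before you type anything into the console. The following is an added example, not from the book and not Configuration Manager code: it models the four boundary types with Python's ipaddress module, reports overlapping IP-based boundaries, and resolves a client address to its boundary groups, assigned sites, and content locations, flagging the case where automatic site assignment would be unpredictable. Boundary names, group names, site codes, and server names are constructed.

```python
# Added example (not from the book or from Configuration Manager itself):
# models the four boundary types with Python's ipaddress module, detects
# overlapping boundaries, and shows why an overlap makes automatic site
# assignment ambiguous.  Boundary names, groups, site codes and server names
# below are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Boundary:
    name: str
    kind: str    # "IPSubnet", "IPRange", "IPv6Prefix" or "ADSite"
    value: str


@dataclass
class BoundaryGroup:
    name: str
    boundaries: List[str]                  # names of member boundaries
    site_code: Optional[str] = None        # assigned site; None = content location only
    site_systems: List[str] = field(default_factory=list)   # DPs / SMPs


def subnet_id(host_and_mask: str) -> str:
    """Subnet ID the console derives when you enter an IP subnet boundary."""
    return str(ipaddress.ip_network(host_and_mask, strict=False).network_address)


def address_span(b: Boundary) -> Optional[Tuple[int, int, int]]:
    """(ip_version, first, last) as integers; None for an AD site boundary."""
    if b.kind in ("IPSubnet", "IPv6Prefix"):
        net = ipaddress.ip_network(b.value, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    if b.kind == "IPRange":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in b.value.split("-"))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range in boundary {b.name}: {b.value}")
        return lo.version, int(lo), int(hi)
    if b.kind == "ADSite":
        return None
    raise ValueError(f"unknown boundary type {b.kind!r}")


def find_overlaps(boundaries: List[Boundary]) -> List[Tuple[str, str]]:
    """Pairs of IP-based boundaries that share at least one address."""
    spans = [(b.name, address_span(b)) for b in boundaries]
    spans = [(n, s) for n, s in spans if s is not None]
    hits = []
    for i, (n1, (v1, lo1, hi1)) in enumerate(spans):
        for n2, (v2, lo2, hi2) in spans[i + 1:]:
            if v1 == v2 and max(lo1, lo2) <= min(hi1, hi2):
                hits.append((n1, n2))
    return hits


def boundary_matches(b: Boundary, ip: str, ad_site: Optional[str]) -> bool:
    span = address_span(b)
    if span is None:                       # AD site boundary: match by site name
        return ad_site is not None and b.value.lower() == ad_site.lower()
    addr = ipaddress.ip_address(ip)
    version, lo, hi = span
    return addr.version == version and lo <= int(addr) <= hi


def locate(ip: str, groups: List[BoundaryGroup], boundaries: List[Boundary],
           ad_site: Optional[str] = None) -> dict:
    """Boundary groups a client falls into, the sites they assign it to and the
    content locations they offer.  More than one site means automatic site
    assignment cannot be predicted."""
    by_name = {b.name: b for b in boundaries}
    hit = [g for g in groups
           if any(boundary_matches(by_name[n], ip, ad_site) for n in g.boundaries)]
    sites = sorted({g.site_code for g in hit if g.site_code})
    return {
        "groups": [g.name for g in hit],
        "sites": sites,
        "content_locations": sorted({s for g in hit for s in g.site_systems}),
        "ambiguous_site": len(sites) > 1,
    }


# Constructed sample design: the server range overlaps the HQ subnet boundary.
SAMPLE_BOUNDARIES = [
    Boundary("HQ-subnet", "IPSubnet", "10.1.0.0/255.255.0.0"),
    Boundary("HQ-servers", "IPRange", "10.1.10.1-10.1.10.254"),
    Boundary("Branch-A", "IPSubnet", "10.2.5.0/24"),
    Boundary("Lab-v6", "IPv6Prefix", "2001:db8:1::/48"),
    Boundary("AD-HQ", "ADSite", "Default-First-Site-Name"),
]
SAMPLE_GROUPS = [
    BoundaryGroup("HQ", ["HQ-subnet", "AD-HQ"], "P01", ["dp01.corp.example"]),
    BoundaryGroup("Servers", ["HQ-servers"], "P02", ["dp02.corp.example"]),
    BoundaryGroup("Branch-A", ["Branch-A"], "P01", ["dp03.corp.example"]),
]

if __name__ == "__main__":
    print("subnet ID for 10.1.5.77/255.255.255.0:", subnet_id("10.1.5.77/255.255.255.0"))
    print("overlapping boundaries:", find_overlaps(SAMPLE_BOUNDARIES))
    print("client 10.1.10.5:", locate("10.1.10.5", SAMPLE_GROUPS, SAMPLE_BOUNDARIES))
    print("client 10.2.5.20:", locate("10.2.5.20", SAMPLE_GROUPS, SAMPLE_BOUNDARIES))
```

In the sample, the server range sits inside the HQ subnet and the two boundary groups assign different sites, so a client at 10.1.10.5 is reported as ambiguous: exactly the situation the section warns against when automatic site assignment is enabled. Overlap between groups that only provide content locations is harmless, which is why the check keys on the set of assigned site codes rather than on the number of matching groups.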

Site System Roles

Site system roles are roles that can be installed on Configuration Manager 2012 site servers. Depending on the size of your site and hardware, you can assign multiple roles to one site system server. Some site system roles are installed while installing Configuration Manager 2012 or when adding a secondary site to the Configuration Manager 2012 infrastructure. Others can be installed in the Configuration Manager console.

The following list provides an overview (in alphabetical order) of all the site roles and what they are used for. More information about the site system roles can be found in Chapter 4.

1. Application Catalog Web Service Point The Application Catalog web service point publishes software information from the software library to the Application Catalog website. This site role is available hierarchy wide.

2. Application Catalog Website Point The Application Catalog website point publishes the software available to a user, depending on the user's rights. In the Application Catalog, users can request software that requires approval from the system administrator before it is installed, and users with mobile devices can remotely wipe their device. This site role is available hierarchy wide.

3. Asset Intelligence Synchronization Point The Asset Intelligence synchronization point synchronizes the Asset Intelligence Catalog information with the System Center online service. This site system role can only be installed on the Central Administration Site server in a hierarchy or a stand-alone primary site server. Synchronization of the Asset Intelligence information can be scheduled or run manually. This site role is available hierarchy wide.

4. Certificate Registration Point The certificate registration point communicates with the server that runs the Network Device Enrollment Service of Active Directory Certificate Services to manage device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP).

5. Component Server A component server is automatically installed with all site system roles except the distribution point and is used to run Configuration Manager services.

6. Distribution Point Distribution point is the Configuration Manager role that stages packages such as application content, software packages, software updates, operating system images, and boot images to clients. The distribution point role in Configuration Manager 2012 also supports PXE, scheduling, bandwidth throttling, multicast, and content validation. This site role is available only in the site.

7. Endpoint Protection Point The Endpoint Protection role integrates the former Forefront Endpoint Protection with Configuration Manager 2012. The role is configured at the Central Administration Site or a stand-alone primary site. With the System Center Endpoint Protection role you can secure your clients and servers from viruses and malware. To be able to use the Endpoint Protection point, you need to accept the license terms and configure the default membership for the Microsoft Active Protection Service.

8. Enrollment Point When implementing mobile device management or out-of-band management of AMT-based computers, an enrollment point is needed. It completes the enrollment of mobile devices, which requires public key infrastructure (PKI) certificates, and it provisions AMT-based computers. This site role is available only in the site.

9. Enrollment Proxy Point When implementing mobile device management, an enrollment proxy point is needed to manage enrollment requests from mobile devices. Mobile device enrollment will need a PKI to secure the over-the-air communication with the mobile devices. This site role is available only in the site.

10.Fallback Status Point Clients that cannot communicate with their management point, for example during or shortly after client installation, send state messages to the fallback status point instead. It helps you identify unmanaged clients and monitor the client installation. This site role is available hierarchy wide.

11.Management Point The management point provides policy and content location information to Configuration Manager clients and receives inventory, status, and other configuration data from them. The server locator point functionality known from Configuration Manager 2007 has been moved into the management point: if a client cannot retrieve site information from Active Directory or WINS, the management point provides it. This site role is available only in the site.

12.Out-of-Band Service Point The out-of-band service point is used for provisioning and configuring AMT-based computers for out-of-band management. This site role is available only in the site.

13.Reporting Services Point For reporting you need a Reporting Services point; this role integrates with SQL Server Reporting Services and lets you create and manage reports for Configuration Manager. This site role is available hierarchy wide.

14.Site Database Server The site database server hosts the Microsoft SQL Server database. This database stores the site data and the information about your assets.

15.SMS Provider The SMS Provider is installed automatically when you install a Central Administration Site or a primary site. It is the interface between the Configuration Manager 2012 console and the Configuration Manager 2012 database. Secondary sites do not install an SMS Provider.

16.Software Update Point The software update point integrates with Windows Server Update Services so that software updates can be deployed and managed with Configuration Manager. This site role is available only in the site.

17.State Migration Point When a computer receives a new operating system, its user state is stored on the state migration point. The state migration point receives the user state captured by the User State Migration Tool (USMT), which is executed in an operating system deployment task sequence. This site role is available only in the site.

18.System Health Validator Point When implementing Network Access Protection (NAP), a system health validator point validates the Configuration Manager NAP policies. The role must be installed on the NAP health policy server. This site role is available hierarchy wide.

19.Windows Intune Connector When managing mobile devices via Windows Intune, you install the Windows Intune connector to retrieve status messages and inventory from the mobile devices that are enrolled in Windows Intune. This site role is installed at the Central Administration Site or a stand-alone primary site.

Best Practices for Site System Design

When planning and designing a Configuration Manager 2012 site hierarchy, you also need to place each site system role on the right server. Depending on the role and the size of the site, a role can share a server with other roles or be spread over several site system servers. This section provides some best practices for capacity planning of Configuration Manager 2012.

Capacity Planning of Configuration Manager 2012

Table 2.15 lists the maximum supported numbers for planning and designing your Configuration Manager 2012 infrastructure. The figures you actually reach depend on your hardware, your network infrastructure, and your requirements.

Table 2.15: Site system planning figures

Site system | Number | Description
Clients | 400,000 | Maximum number of clients for the entire Configuration Manager 2012 hierarchy (requires SQL Server Enterprise edition at the CAS; see Table 2.16).
Primary site | 25 | A Central Administration Site supports up to 25 child primary sites.
Primary site | 100,000 | A primary site supports up to 100,000 clients.
Secondary site | 250 | A primary site supports up to 250 secondary sites.
Secondary site | 5,000 | A secondary site supports communications from up to 5,000 clients.
Management point | 10 | A primary site supports up to 10 management points.
Management point | 25,000 | One management point supports up to 25,000 clients.
Distribution point | 4,000 | One distribution point supports up to 4,000 clients.
Distribution point | 250 | A site supports up to 250 distribution points.
Pull distribution point | 2,000 | Each primary and secondary site supports up to 2,000 pull distribution points.
PXE-enabled distribution point | 250 | Up to 250 PXE-enabled distribution points are supported per primary site.
Software update point | 25,000 | When the WSUS server also hosts other site system roles, one software update point supports up to 25,000 clients.
Software update point | 100,000 | When WSUS runs on a dedicated site system with no other roles, one software update point supports up to 100,000 clients.
System health validator point | 100,000 | One system health validator point supports up to 100,000 clients.
Fallback status point | 100,000 | One fallback status point supports up to 100,000 clients.
Application Catalog website point | 400,000 | One Application Catalog website point supports up to 400,000 clients, but for better performance plan for 50,000 clients per point.
Application Catalog web service point | 400,000 | One Application Catalog web service point supports up to 400,000 clients. Best practice is to place the website point and the web service point on the same server.
Packages and applications per distribution point | 10,000 | One distribution point supports up to 10,000 packages and applications.

High Availability/Load Balancing

If there is a need for a highly available Configuration Manager 2012 infrastructure in your environment or you want to load balance some site system roles, there are some options that you can implement. The following high-availability options are offered:

1. Adding Extra Management Points When you add extra management points, you are providing load balancing for the management points but also a form of high availability. When one management point fails, the second management point will take over and provide connectivity.

2. Adding Extra Distribution Points When you add extra distribution points, you are providing load balancing for the distribution points but also a form of high availability. When one distribution point fails, the second distribution point will take over and provide access to the content.

3. Adding Extra SMS Providers When you add extra SMS providers, when one SMS provider is unavailable the Configuration Manager 2012 console can still access the Configuration Manager database.

4. Clustering Configuration Manager 2012 Database Per site you can place your Configuration Manager 2012 database on a Windows 2008 R2 or higher failover cluster.

When you place site system roles such as software update points or distribution points on dedicated servers, you spread the risks and load of the site system servers.

SQL Considerations

While planning the Configuration Manager 2012 infrastructure you also need to plan the SQL Server environment. The planning figures in Table 2.16 apply to your SQL Server environment.

Table 2.16: SQL Server planning figures

Edition | Number | Description
Standard | 50,000 | SQL Server Standard edition at the CAS limits the hierarchy to 50,000 clients, whether SQL Server is collocated with the CAS server or remote from it.
Standard | 50,000 | SQL Server Standard edition supports up to 50,000 clients in the site when it is collocated with the primary site server.
Standard | 100,000 | SQL Server Standard edition supports up to 100,000 clients in the site when it is remote from the primary site server.
Enterprise | 400,000 | SQL Server Enterprise edition at the CAS supports up to 400,000 clients in the hierarchy, whether SQL Server is collocated with the CAS server or remote from it.

Consider the following design rules for your SQL Server environment:

· If you use a remote database server, ensure that the network between the site server and the remote database server is a highly available, high-bandwidth connection.

· Each SMS Provider computer that connects to the site database increases the network bandwidth requirements. The exact bandwidth is unpredictable because of the many different site and client configurations.

· SQL Server must be located in a domain that has a two-way trust with the site server and with each SMS Provider. Best practice is to place SQL Server in the same domain as the SMS Provider and the site servers.

· Clustered SQL Server configurations are not supported when the site database is collocated with the site server.
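Checking a proposed design against Tables 2.15 and 2.16 by hand is error prone once there are several primary sites. The following is an added example, not from the book: it encodes the planning figures from both tables, computes the minimum number of management and distribution points for a site's client count, and lists every figure a design violates. The design dictionary layout, the site codes, and the sample numbers are constructed for the demonstration.

```python
# Added example (not from the book): checks a proposed design against the
# planning figures in Tables 2.15 and 2.16.  LIMITS mirrors those tables; the
# design structure and the sample values are constructed for the demonstration.
import math
from typing import Dict, List, Optional

LIMITS = {
    "clients_per_hierarchy": 400_000,
    "primary_sites_per_cas": 25,
    "clients_per_primary": 100_000,
    "secondary_sites_per_primary": 250,
    "mps_per_primary": 10,
    "clients_per_mp": 25_000,
    "clients_per_dp": 4_000,
    "dps_per_site": 250,
    "clients_per_sup_shared": 25_000,      # WSUS server also hosts other roles
    "clients_per_sup_dedicated": 100_000,  # WSUS on a dedicated site system
}
SQL_HIERARCHY = {"standard": 50_000, "enterprise": 400_000}   # edition at the CAS
SQL_PRIMARY = {"collocated": 50_000, "remote": 100_000}       # SQL placement at a primary


def minimum_roles(clients: int) -> Dict[str, int]:
    """Fewest management and distribution points for a site with `clients`."""
    return {
        "management_points": math.ceil(clients / LIMITS["clients_per_mp"]),
        "distribution_points": math.ceil(clients / LIMITS["clients_per_dp"]),
    }


def check_design(design: dict) -> List[str]:
    """One finding per violated planning figure (empty list = within limits)."""
    findings = []
    cas: Optional[dict] = design.get("cas")
    primaries = design["primaries"]
    total = sum(p["clients"] for p in primaries)

    if total > LIMITS["clients_per_hierarchy"]:
        findings.append(f"hierarchy: {total:,} clients exceeds {LIMITS['clients_per_hierarchy']:,}")
    if cas is None:                                  # stand-alone primary site
        if len(primaries) != 1:
            findings.append("hierarchy: more than one primary site requires a CAS")
        if total > LIMITS["clients_per_primary"]:
            findings.append("hierarchy: a stand-alone primary site is limited to "
                            f"{LIMITS['clients_per_primary']:,} clients; expand with a CAS")
    else:
        if len(primaries) > LIMITS["primary_sites_per_cas"]:
            findings.append(f"CAS: {len(primaries)} primary sites exceeds "
                            f"{LIMITS['primary_sites_per_cas']}")
        cap = SQL_HIERARCHY[cas["sql_edition"]]
        if total > cap:
            findings.append(f"CAS: SQL Server {cas['sql_edition']} edition supports "
                            f"{cap:,} clients, design has {total:,}")

    for p in primaries:
        code, clients = p["code"], p["clients"]
        need = minimum_roles(clients)
        if clients > LIMITS["clients_per_primary"]:
            findings.append(f"{code}: {clients:,} clients exceeds {LIMITS['clients_per_primary']:,}")
        if p["management_points"] > LIMITS["mps_per_primary"]:
            findings.append(f"{code}: more than {LIMITS['mps_per_primary']} management points")
        if p["management_points"] < need["management_points"]:
            findings.append(f"{code}: needs at least {need['management_points']} management points")
        if p["distribution_points"] > LIMITS["dps_per_site"]:
            findings.append(f"{code}: more than {LIMITS['dps_per_site']} distribution points")
        if p["distribution_points"] < need["distribution_points"]:
            findings.append(f"{code}: needs at least {need['distribution_points']} distribution points")
        if p.get("secondary_sites", 0) > LIMITS["secondary_sites_per_primary"]:
            findings.append(f"{code}: more than {LIMITS['secondary_sites_per_primary']} secondary sites")
        sql_cap = SQL_PRIMARY[p["sql_location"]]
        if clients > sql_cap:
            findings.append(f"{code}: {p['sql_location']} SQL Server supports "
                            f"{sql_cap:,} clients, site has {clients:,}")
        sup_key = "clients_per_sup_dedicated" if p.get("sup_dedicated") else "clients_per_sup_shared"
        if clients > LIMITS[sup_key]:
            findings.append(f"{code}: software update point supports {LIMITS[sup_key]:,} "
                            f"clients, site has {clients:,}")
    return findings


# Constructed sample: a CAS on SQL Server Standard with two child primary sites.
SAMPLE_DESIGN = {
    "cas": {"sql_edition": "standard"},
    "primaries": [
        {"code": "P01", "clients": 60_000, "management_points": 2, "distribution_points": 12,
         "sql_location": "collocated", "sup_dedicated": False, "secondary_sites": 3},
        {"code": "P02", "clients": 20_000, "management_points": 1, "distribution_points": 5,
         "sql_location": "remote", "sup_dedicated": True},
    ],
}

if __name__ == "__main__":
    for finding in check_design(SAMPLE_DESIGN):
        print(finding)
```

For the sample design the check reports five problems: the Standard edition at the CAS caps the hierarchy at 50,000 clients while the design has 80,000, and P01 is short of management points and distribution points, has SQL Server collocated with 60,000 clients, and shares its WSUS server with other roles. P02 passes every figure. Note that the figures are maximums, not targets; a design that sits exactly at a limit leaves no room for growth.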

Site Communications

The method of replicating data between sites has changed in Configuration Manager 2012. Synchronization of site information between sites is done by database replication, based on SQL Server Service Broker. The Data Replication Service is used to replicate the Configuration Manager 2012 database between the SQL Server databases of other sites in a Configuration Manager 2012 hierarchy. Global data and site data are replicated by database replication.

When you install a new site in the hierarchy, a snapshot of the parent site database is taken, transferred to the new site over Server Message Block (SMB), and inserted into the local database with the SQL Server bulk copy program (BCP).

For application or package content, file-based replication is still used, and it uses addresses and senders to transfer data between the sites in the hierarchy. The SMB protocol (TCP/IP port 445) is still used for file-based replication.

Table 2.17 lists the changes regarding the replication of Configuration Manager data.

Table 2.17: Site replication of Configuration Manager 2012 data

image

Site Security Mode

Configuration Manager 2007 had two security modes: mixed mode and Native mode. In Configuration Manager 2007, mixed mode was the default mode, which used port 80 to communicate with the clients. Configuration Manager 2007 in Native mode was the more secure mode, which integrated PKI to secure client/server communications. The security mode in Configuration Manager 2007 was site wide.

In Configuration Manager 2012, the concept of Native and mixed modes has been replaced and simplified. You are now able to decide per individual site system role whether clients can connect through HTTP or HTTPS. Instead of configuring a site as mixed or Native mode, you must configure the site role to use HTTP (port 80), HTTPS (port 443), or both. This way, you are more flexible if you want to implement a PKI to secure intranet client communications.

To allow secure communications between your clients and site servers, a PKI needs to be present in your environment, and certificate templates need to be created to be able to enroll certificates for the Configuration Manager 2012 site systems and the Configuration Manager 2012 clients. The following site roles can be configured in HTTP or HTTPS mode:

· Management point

· Distribution point

· Enrollment point

· Enrollment proxy point

· Out of band service point

· Application Catalog web service point

· Application Catalog website point

· Software update point (SSL)

Internet-based clients and mobile devices always use HTTPS. To support Internet-based clients, you install a site system server in a demilitarized zone (DMZ) and configure the Internet-facing site roles to accept HTTPS client communications and connections from the Internet. Once Configuration Manager 2012 is reachable from the Internet, you can manage your clients wherever they are, which matters if you have many mobile workers. Mobile devices communicate over the air, via the Internet, with your Configuration Manager 2012 environment, so that communication must be secured in the same way.

Discovery of Your Resources

The resource discovery methods are largely the same as in Configuration Manager 2007; Active Directory Forest Discovery is new in Configuration Manager 2012. You can use several methods to discover different types of resources on the network, and you define which resources you want to discover, how often, and within which scope. The following methods are available:

1. Heartbeat Discovery Used to send a discovery data record from the client to the site periodically; it’s a method to renew client data in the Configuration Manager database. Heartbeat discovery is available for primary sites.

2. Active Directory Forest Discovery Used to discover Active Directory forests from the Active Directory Domain Services. It discovers site server forests plus any trusted forests and supports boundary creation on demand and automatically. Active Directory forest discovery can be configured only on a CAS or a primary site.

3. Active Directory Group Discovery Used to discover group membership of computers and users from the Active Directory Domain Services. Active Directory group discovery is available for primary sites.

4. Active Directory System Discovery Used to discover computer accounts from the Active Directory Domain Services. Active Directory system discovery is available for primary sites.

5. Active Directory User Discovery Used to discover user accounts from the Active Directory Domain Services. Active Directory user discovery is available for primary sites.

6. Network Discovery Used to discover resources on the network such as subnets, SNMP-enabled devices, and DHCP clients. Network discovery is available for primary sites and secondary sites.

Be sure to plan resource discovery carefully. For instance, if there is no need to discover the whole Active Directory, configure discovery for only the organizational units you need. This keeps the Configuration Manager database free of unwanted objects. Discovered resources can be added to collections, which you can then use to deploy applications or compliance settings, for example. You will find more information about discovering your resources in Chapter 6, "Client Installation."

Client Settings and Client Deployment

With Configuration Manager you are able to create different client user and client device settings packages for different collections. Besides the default client agent settings that are available for the entire hierarchy, you can create custom client settings that you can assign to collections. Custom client settings override the default client settings. The resultant settings can be an aggregation of default and one or more custom settings.

Because client settings are targeted at collections, you no longer need separate primary sites for groups of clients that require different settings; this alone removes one of the main reasons for extra sites in Configuration Manager 2007.

Depending on the implementation or migration scenario, different ways of deploying the Configuration Manager client to the devices are supported. Configuration Manager 2012 still supports the client push mechanism and pushing clients via the WSUS infrastructure. Deploying the client with a third-party application deployment environment or Active Directory is of course also possible. Read more about installing Configuration Manager clients and client settings in Chapter 6.

Content Management

Managing content in Configuration Manager 2012 can be done on different levels and in different parts of the Configuration Manager 2012 console:

1. Distribution Points/Distribution Point Groups Per distribution point or distribution point group you are able to see, redistribute, validate, or remove content easily. Content validation can be done automatically based on a schedule. When adding a new distribution point to a distribution point group, all the applications or packages assigned to a distribution point group will be automatically copied to the new distribution point.

2. Content-Related Objects Objects that have content have a Content Locations tab where you can manage the content and see on which distribution point the content is available. From the object you are also able to validate, redistribute, and remove the content from the distribution points. Objects that have content are applications, packages, boot images, driver packages, operating system images, operating system installers, and software update deployment packages.

3. Monitoring In the monitoring workspace of the Configuration Manager console you can monitor your applications and packages in the Content Status node. You can also monitor the distribution point group status and distribution point configuration status.

Role-Based Administration

In Configuration Manager 2012, role-based administration is a feature that brings you “Show me what’s relevant for me” based on security roles and scopes. Configuration Manager 2012 comes with 15 standard roles, and you can also create custom roles.

Role-based administration is based on the following concepts:

1. Security Roles What types of objects can someone see, and what can they do to them?

2. Security Scope Which instances can someone see and interact with?

3. Collections Which resources can someone interact with?

As part of role-based administration you can limit collections; every collection is limited by another one. Assigning a collection to an administrator automatically assigns all collections that are limited by it, so the limiting collection you pick defines the outer boundary of what that administrator can ever reach.

While planning role-based administration, explore the 15 standard roles and assign the rights to your administrators depending on the part of Configuration Manager they need to manage.

The 15 different roles from which you can choose are these:

· Application administrator

· Application author

· Application deployment manager

· Asset manager

· Company resource access manager

· Compliance settings manager

· Endpoint protection manager

· Full administrator

· Infrastructure administrator

· Operating system deployment manager

· Operations administrator

· Read-only analyst

· Remote tools operator

· Security administrator

· Software updates manager

Role-based administration allows you to map organizational roles of administrators to security roles. Hierarchy-wide security management is done from a single management console.

You add Active Directory user accounts (or groups) to Configuration Manager 2012 in the Configuration Manager 2012 console. In the Administration workspace you will find Administrative Users under Security; here you add the accounts of the people who need access to Configuration Manager 2012 and assign each the proper role, security scope, and collections. The account that installed the site is a Full Administrator; keep the number of Full Administrators small, because that role is normally granted with the All scope and all collections. Remember also that role-based administration protects access through the console and the SMS Provider only: a local administrator on the site server or a sysadmin on the site database can change anything regardless of the roles assigned in the console.
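The following PowerShell, added here as an example and not taken from the book, uses the ConfigurationManager module that ships with the 2012 R2 console to create a scoped, least-privilege administrative user and to list the accounts holding Full Administrator. The site code, scope, collection, application and account names are placeholders, and the cmdlet parameter names are those of the 2012 R2 module as I know them.

```powershell
# Added example (not from the book): a scoped, least-privilege administrative
# user in Configuration Manager 2012 R2, plus an audit of Full Administrators.
# Assumes the console and its PowerShell module are installed on this machine;
# site code, scope, collection, application and account names are placeholders.

# Load the module shipped with the console and switch to the site drive.
$modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
Import-Module $modulePath
$siteCode = 'P01'                         # assumption: primary site code
Set-Location "$siteCode`:"

# 1. A security scope for the objects the Houston helpdesk may manage.
$scopeName = 'Houston'                    # assumption
if (-not (Get-CMSecurityScope -Name $scopeName)) {
    New-CMSecurityScope -Name $scopeName -Description 'Objects the Houston helpdesk may manage' | Out-Null
}

# 2. A limited collection: the helpdesk may act on devices in it (and in
#    collections limited to it) but never on 'All Systems'.
$collName = 'Houston Workstations'        # assumption
if (-not (Get-CMDeviceCollection -Name $collName)) {
    New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' | Out-Null
}

# 3. Tag an existing application with the scope so the helpdesk can see it.
$app = Get-CMApplication -Name 'Contoso Reader'   # assumption: existing application
if ($app) { Add-CMObjectSecurityScope -InputObject $app -Name $scopeName }

# 4. The administrative user: one narrow role, one scope, one collection.
#    Role, scope and collection together decide what the account sees and does.
$params = @{
    Name              = 'CONTOSO\houston-helpdesk'   # assumption: AD group or user
    RoleName          = 'Remote Tools Operator'
    SecurityScopeName = $scopeName
    CollectionName    = $collName
}
New-CMAdministrativeUser @params | Out-Null

# 5. Audit: every account holding Full Administrator. That role is normally
#    granted with the All scope and all collections, so keep this list short.
function Get-FullAdministrator {
    Get-CMAdministrativeUser |
        Where-Object { $_.RoleNames -contains 'Full Administrator' } |
        Select-Object LogonName, @{ Name = 'Roles'; Expression = { $_.RoleNames -join ', ' } }
}
Get-FullAdministrator
```

Run it from an account that already holds Full Administrator. Prefer an Active Directory group over individual users for the Name value so membership is managed in one place, and rerun Get-FullAdministrator as part of periodic access reviews.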

Migration

In Configuration Manager 2012 the migration feature is used to migrate your Configuration Manager 2007 (SP2) investments or investments made in another Configuration Manager 2012 environment to the new user-centric platform. With the migration feature you can migrate the following objects:

· Collections (mixed user and device collections from Configuration Manager 2007 are not migrated)

· Deployments

   · Software distribution deployments

   · Task sequence deployments

   · Application deployments (from Configuration Manager 2012 only)

   · Software update deployments

   · Software update list deployments

   · Baseline deployments

· Boundaries

· Boundary groups (from Configuration Manager 2012 only)

· Global conditions (from Configuration Manager 2012 only)

· Software distribution packages

· Applications (from Configuration Manager 2012 only)

· Virtual application packages (from Configuration Manager 2007 only)

· App-V virtual environments (from Configuration Manager 2012 only)

· Software updates

   · Deployments

   · Deployment packages

   · Deployment templates

   · Software update lists

   · Software update groups (from Configuration Manager 2012 only)

   · Automatic deployment rules (from Configuration Manager 2012 only)

· Operating system deployment

   · Boot images

   · Driver packages

   · Drivers

   · Images

   · Installers

   · Task sequences

· Settings management

   · Configuration baselines

   · Configuration items

· Asset Intelligence

   · Catalog

   · Hardware requirements

   · User-defined categorization list

· Software metering rules

· Saved searches (from Configuration Manager 2012 only)

How Can You Prepare Your Configuration Manager 2007 Environment?

Before planning for a migration of your Configuration Manager 2007 environment, prepare the environment so it is compliant on the following matters:

· Flatten your hierarchy where possible, for instance, by removing secondary sites or unnecessary primary sites in the Configuration Manager hierarchy.

· Plan for Windows Server 2008 R2, SQL 2008, and 64-bit by acquiring hardware that is compatible with 64-bit software.

· Start with the implementation of BranchCache with Configuration Manager 2007.

· Move from web reporting to SQL Reporting Services by configuring the reporting site role in Configuration Manager 2007.

· Avoid mixing user and device collection definitions; collections that contain both are not migrated.

· Use UNC paths for package sources instead of local paths, so that the Configuration Manager 2012 site can reach the source files after migration.

· Migrate your Windows XP branch distribution points to Windows 7.

Be sure to always plan your migration, and address the following subjects in your migration plan:

· Prepare the Configuration Manager 2007 environment to be able to migrate the objects to Configuration Manager 2012.

· Decide how often the data-gathering process needs to be run.

· Determine which objects you are going to migrate.

· Discover where the objects are that need to be migrated.

· Determine how to migrate the distribution point and whether you will use distribution point sharing.

· Plan the client migration.

· Decide how to remove the Configuration Manager 2007 environment.

You can read more about the migration feature in Chapter 3, “Migrating to Configuration Manager 2012.”

Disaster Recovery

When planning a new Configuration Manager 2012 infrastructure, be sure to also write a disaster recovery plan. Configuration Manager 2012 is an important part of your IT infrastructure, and because it can install software and operating systems on every managed device, a site server or site database that you cannot restore is both an availability and a security problem. Plan to be able to recover the site, not only to keep it running.

To reduce the chance of an outage, you can make your environment highly available. This can be done by implementing the following options:

· Installing more than one instance of a site system role (management point, distribution point, software update point) in a site; a site has exactly one site server, so the site server itself cannot be duplicated

· Placing the Configuration Manager site database on a SQL Server failover cluster

· Enabling the Backup Site Server maintenance task and keeping copies of the backup offsite, protected with the same care as the site server, since the backup contains the site database

It is recommended that you test your disaster recovery plan in a test environment so you can document the disaster recovery process and know what to expect while recovering your Configuration Manager 2012 environment.

You can read more about disaster recovery in Chapter 18, “Disaster Recovery.”

Designing Your Configuration Manager Environment

After you’ve gathered your information about the new Configuration Manager 2012 infrastructure, you can design the new infrastructure. When designing a new Configuration Manager 2012 infrastructure, you need to keep a couple things in mind. Whereas in SMS 2003 and Configuration Manager 2007 you could easily design an infrastructure based on bandwidth, languages, or administrative purposes, in Configuration Manager 2012 the hierarchy is simplified and modernized. For most cases you can do more with less. Of course, you still need to identify your network locations and the bandwidth between your locations. Keep in mind that Configuration Manager 2012 has the goal of simplifying your Configuration Manager infrastructure by flattening the hierarchy and by server consolidation.

Noncritical Design Issues

The design of Configuration Manager 2012 was changed; for this reason, the following items are no longer critical decision points for designing a site hierarchy:

· Support of multiple languages

· Different client settings per region

· Decentralized administration of your Configuration Manager infrastructure

· Logical data segmentation

· Content routing for deep hierarchies

When designing a Configuration Manager 2012 infrastructure, you will need to review your gathered intelligence and translate this into a design. Things you need to take in account are the following:

1. Physical Locations of Your Environment As we said, the first step is to translate your network infrastructure information into information that can be used for the design of the Configuration Manager infrastructure. Ask yourself the following questions:

· Where are my locations?

1. Are my locations in the same country? If so, larger locations often are well-connected sites, and smaller locations usually have less bandwidth available.

· Are my locations on the same continent?

1. If your locations are on the same continent, one primary site with its management point usually covers them, and you can create a secondary site for each location that needs one. If a location is not on the same continent, it is wise to create a primary site for that location.

· What is the available bandwidth?

1. For well-connected locations it is often unnecessary to create a Configuration Manager site for that location. If there is a need for local content, you can install a distribution point on such locations since the distribution point now has throttling and bandwidth control.

· How many users are working at the location?

1. One primary site can handle 100,000 clients. Depending on your hardware performance and bandwidth, you can implement one primary site for your entire Configuration Manager infrastructure. Consider using BranchCache for small locations or just a distribution point.

· What kind of traffic needs to flow down in the network?

1. Depending on the data that needs to flow down for administrative or political reasons, it might be necessary to implement a primary site at a location that should normally not be a primary site because of the size or available bandwidth.

2. Central Administration Site or Not? When you need more than one primary site in your Configuration Manager infrastructure, you also need a Central Administration Site. The placement of this CAS can be a design choice, but often you will place this site at the datacenter or the location where the IT department resides. Configuration Manager clients do not connect to a CAS. Since Service Pack 1 a stand-alone primary site can be expanded into a hierarchy by installing a CAS later, so when one primary site is enough today, start with that and add the CAS only when a second primary site becomes necessary.

3. High Availability Considerations If you need a highly available Configuration Manager site or infrastructure, you can install multiple instances of the same site system role (management point, SMS Provider, distribution point, and so on) in one site without the need for network load balancing. A Configuration Manager 2012 client that cannot reach its management point fails over to another management point in the site. You can also place the site database on a SQL Server cluster.

4. Client Settings As we said, client settings are no longer a reason to implement a primary site. Multiple client settings can be assigned to collections of users or computers. While designing, try to define different client settings for the groups of users or computers as needed. Otherwise, just use the default client settings.

5. Boundary Management Boundaries and boundary groups are fundamentals of your Configuration Manager infrastructure. Be sure to identify all the boundaries so that all the Configuration Manager clients can be managed.

6. Virtualization Microsoft supports the virtualization of Configuration Manager site servers. Before implementing, always check the Microsoft website for the latest versions and supported third-party virtualization software.

7. Managing Untrusted Environments In the past you could manage untrusted domains by supplying accounts with rights. In Configuration Manager 2012, child primary sites and secondary sites must be in a forest that has a two-way trust with the forest of their parent site.

8. Another way is to install site system roles in an untrusted forest by specifying a site system installation account when you add the site system; a site server itself (primary or secondary) cannot be placed there. Clients in the untrusted forest can be managed this way, but not every role and service is available to them.

9. Naming the Configuration Manager Sites After determining your sites in your Configuration Manager 2012 infrastructure, you need to name the Configuration Manager sites. Like in earlier versions, you use a three-character-length code. The site code can contain only standard characters (A–Z, a–z, 0–9, and the hyphen, “-”) and must be unique for your Configuration Manager infrastructure. In earlier versions of Configuration Manager you were not able to use Microsoft reserved names: SMS, CON, PRN, AUX, NUL, OSD, SRS, or FCS. This is still the case.

Planning the Configuration Manager Hierarchy

When designing your Configuration Manager hierarchy you need to create an implementation plan for where to install which server with what kind of roles. The deployment information you gathered in an earlier stage will provide the requirements for where you need to install the Central Administration Site, primary sites, secondary sites, and distribution points. To come up with the right design, follow these design steps:

1. Define a naming convention if one doesn’t already exist.

2. Determine whether a CAS is needed and where to place this site in your environment. The CAS is the topmost site in your Configuration Manager hierarchy.

3. Define the placement of the primary sites, secondary sites, or just distribution points; remember that tiering primary sites is no longer possible. Look at your WAN and keep the design rules in mind and which roles you need in a specific site.

4. Look at the logical and physical connections between your Configuration Manager sites so you can decide whether addresses need to be configured to manage the traffic between the sites.

5. Assign the boundaries that represent your Configuration Manager sites. Overlapping boundaries are supported for content location, but the boundaries in boundary groups used for site assignment must not overlap, because a client inside an overlap can be assigned to an unintended site.

6. Depending on the Configuration Manager sites, high-availability demands, and other requirements, you can place the site system roles where they are needed.
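As an added example (not from the book), the following PowerShell flags IP address range boundaries whose ranges overlap, which is the check to run before enabling boundary groups for site assignment. It runs on constructed sample objects shaped like Get-CMBoundary output; the property names DisplayName, BoundaryType and Value, and the type code 3 for an IP address range, are those of the SMS_Boundary class.

```powershell
# Added example (not from the book): detect overlapping IP address range
# boundaries before enabling them for site assignment. Input is constructed
# sample data shaped like Get-CMBoundary output (DisplayName, BoundaryType,
# Value); BoundaryType 3 is an IP address range whose Value is "start-end".
# On a live site replace the sample with:
#   Get-CMBoundary | Where-Object { $_.BoundaryType -eq 3 }

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)           # network byte order to host order for BitConverter
    [uint32][System.BitConverter]::ToUInt32($bytes, 0)
}

function Find-OverlappingBoundary {
    param([Parameter(Mandatory)][object[]]$Boundary)
    $ranges = foreach ($b in $Boundary | Where-Object { $_.BoundaryType -eq 3 }) {
        $start, $end = $b.Value -split '-', 2
        [pscustomobject]@{
            Name  = $b.DisplayName
            Start = ConvertTo-IPv4Int $start.Trim()
            End   = ConvertTo-IPv4Int $end.Trim()
        }
    }
    $ranges = @($ranges | Sort-Object Start)
    # After sorting by start address, a later range overlaps an earlier one
    # exactly when its start address is not beyond the earlier range's end.
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            if ($ranges[$j].Start -le $ranges[$i].End) {
                [pscustomobject]@{ First = $ranges[$i].Name; Second = $ranges[$j].Name }
            }
        }
    }
}

# Constructed sample boundaries (not a real site).
$sample = @(
    [pscustomobject]@{ DisplayName = 'Houston LAN';  BoundaryType = 3; Value = '10.10.0.1-10.10.3.254' }
    [pscustomobject]@{ DisplayName = 'Houston VPN';  BoundaryType = 3; Value = '10.10.3.1-10.10.3.254' }  # overlaps Houston LAN
    [pscustomobject]@{ DisplayName = 'Shanghai LAN'; BoundaryType = 3; Value = '10.20.0.1-10.20.7.254' }
    [pscustomobject]@{ DisplayName = 'Corp AD site'; BoundaryType = 1; Value = 'SF-HQ' }                  # not an IP range: skipped
)
Find-OverlappingBoundary -Boundary $sample
```

IP subnet and Active Directory site boundaries can also cover the same addresses as an IP range without being caught by this check, so resolve those to address ranges (or keep them out of site-assignment boundary groups) before trusting a clean result.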

Designing a good Configuration Manager hierarchy is a must for an effective and solid Configuration Manager infrastructure. Always check the proposed design, and if possible let someone else review the design.

Planning Configuration Manager Site Systems

After designing and planning the Configuration Manager hierarchy, the next step is to plan and design your site systems. This is done by analyzing your requirements per site, gathered during the deployment intelligence phase, described in the section “Gathering Deployment Intelligence.” Depending on the expected load and the number of connecting users, you can place roles on different servers or group them on one server.

When planning a highly available Configuration Manager infrastructure, you will need to plan several site roles on more than one server. Not all roles can be installed on every site, so be sure that you determine this while planning the hierarchy.

For detailed information on all the Configuration Manager 2012 site system roles and the installation of these roles, see Chapter 4.

Planning Configuration Manager Clients

The clients managed by Configuration Manager 2012 are an essential part of the Configuration Manager infrastructure. You need to plan the deployment of your Configuration Manager 2012 clients while migrating from Configuration Manager 2007 or while building a new Configuration Manager 2012 because the deployment can be carried out in different ways. Planning your Configuration Manager 2012 client agent settings is also essential. In Configuration Manager 2012 you can create more than one client settings package.

Client Installation Planning

Like in earlier versions, you are able to deploy the Configuration Manager 2012 client via different methods. Depending on your scenario, you can choose different ways to deploy the Configuration Manager client to clients:

· When clients are managed by a third-party desktop management tool, you can choose to install the client via the current desktop management tool or install it via the supported ways in Configuration Manager 2012, via client push and software updates. Or you can choose to deploy a new operating system to the clients with the operating system deployment feature of Configuration Manager.

· When clients are managed with Configuration Manager 2007, you can migrate the clients to the new Configuration Manager 2012 management point.

· Unmanaged clients can receive a client via the supported ways in Configuration Manager 2012, via client push and software updates. Or you can choose to deploy a new operating system to the clients with the operating system deployment feature of Configuration Manager.

Every solution has its pros and cons, so find out which method is best for your environment. For instance, installing a Configuration Manager client on an unmanaged client can bring lots of legacy and unmanaged software into your environment. Installing a new operating system on thousands of clients can be a lot of work and very expensive.

You can read more about client installation methods and best practices in Chapter 6.

Client Agent Planning

A Configuration Manager client consists of agents that support several Configuration Manager features. There is one default Client Settings package with settings for all manageable agents. With Configuration Manager 2012 you are able to create custom client settings and deploy them to clients on collection levels to users or devices.

Planning your client (agent) settings is more complex, because you have the ability to assign client settings to collections. For this reason it’s important to analyze the needs of groups of devices and the users. You can read more about client settings methods and best practices in Chapter 6.

Determining How to Deploy Configuration Manager

After you have verified your site design in your test lab, you should plan an initial pilot deployment of Configuration Manager on a small section of your network. Monitor the deployment progress and any potential client problems with your first-level support department.

With the lessons that you learn during your pilot deployment, you’ll be able to decide which method of Configuration Manager installation to use for your site deployment. Your goal will be to accomplish the deployment as efficiently as possible while preserving the functionality of any previous methods of system management that you already have in place for as long as needed. The deployment method you use will then help you decide whether you will need additional hardware or personnel resources to do that.

There are several starting points for an implementation of the new Configuration Manager 2012 infrastructure. When a Configuration Manager 2007 infrastructure is already in place, you will probably choose to migrate the environment via the side-by-side migration feature that is available in Configuration Manager 2012; the source site must be Configuration Manager 2007 SP2. If you have an older version, you have only two options, since direct migration of earlier versions is not supported:

· Build a greenfield (new) Configuration Manager 2012 infrastructure.

· Migrate first to Configuration Manager 2007 and then perform a side-by-side migration.

If you don’t have any Configuration Manager infrastructure in place, you of course build a new environment without migrating any assets. An in-place upgrade of the kind supported in earlier versions is not supported by Configuration Manager 2012.

In the next chapter you will read more about the migration options and the dos and the don’ts when migrating assets from Configuration Manager 2007.

Building a Proof-of-Concept Environment

After your plan and design phase is finished, you need to verify your design in a test or proof-of-concept (POC) environment. In this environment you can test your future Configuration Manager 2012 environment and create, if necessary, a detailed migration plan. The POC environment can also be used to train your Configuration Manager administrators so that they become familiar with the new environment and will accept the new Configuration Manager 2012 environment.

Be sure to create a test plan upfront as a guideline for your proof-of-concept phase of the project. A few test steps that you want to take are shown here; depending on your demands, you can shorten or lengthen the list:

· Deployment of the Configuration Manager 2012 clients

· Deployment of applications, software updates, and settings

· Deployment of operating systems

· Synchronization of data between sites

· Migration of objects from Configuration Manager 2007

If all tests are successful, you can start implementing the new Configuration Manager 2012 infrastructure in the production environment. Be sure to keep the POC environment so that you will have a test lab for testing future changes in the Configuration Manager 2012 environment or for testing your disaster-recovery plan.


Implementing a New Configuration Manager Infrastructure

Sports Clothes United Inc. develops and sells sportswear to retailers and their own shops all over the world. The head office is located in San Francisco. The company is growing fast, and they are now using a third-party deployment tool for applications and operating systems.

You as a consultant or Configuration Manager administrator are asked to develop a real desktop management environment where user experience is the key to the success of the project and acceptance.

Deployment Intelligence

As we said, Sports Clothes United is using a third-party deployment tool, and the packages and images built in that tool over the years cannot be migrated. The company has four locations with offices and factories spread over the United States and China, and they are planning to open offices in Europe soon. The proposed Configuration Manager environment must be scalable and support future expansion.

Currently Sports Clothes United has major offices and factories in San Francisco, Houston, Shanghai, and Suzhou. The corporate systems are available from a datacenter in Washington, D.C. The local stores in the United States connect through an MPLS network to the nearest office. In China the offices and plants are connected through a 2-Mbps fiber connection. The United States and China are connected through a 10-Mbps fiber connection.

The following locations serve local or remote clients:

· Washington, D.C.: no clients connecting

· Houston: 1,000 clients connecting

· Shanghai: 3,000 clients connecting

· Suzhou: 100 clients connecting


At this time Sports Clothes United isn’t able to support their users at the level they want. The corporate IT department is professionalizing their processes, and they currently cannot service their internal customers according to the service-level agreement. To be able to do this they want to have the following features in their new Configuration Manager 2012 infrastructure:

· Software inventory

· Hardware inventory

· Software distribution to any (mobile) workplaces

· Zero-Touch operating system deployment of Windows 7 Multi-Language

· Wake On LAN

· User self-service portal to request or install applications

· Deployment of software updates

· Compliance settings management to control the workplace

· Role-based administration for delegation of tasks

· Software metering to control licenses

· Remote administration to support internal customers

· Support for mobile device management

For software updates in the United States, a local software update point must be present in every major location.

One of the major requirements in managing applications is that the new environment must support people bringing their own devices to work. Supporting this new way of working is the key to success because it will promote internal customer satisfaction. The assets owned by Sports Clothes United must be able to receive a corporate image and applications installed as Windows Installer packages (MSI), and devices that are brought in or owned by the employees must be able to receive a virtualized version of the same applications. Support for Virtual Desktop Infrastructure (VDI) and Server Based Computing (SBC) environments is also a must-have.

Deployment Planning

With the information and requirements gathered during the deployment intelligence phase of your project, you now need to translate the information requirements to a design and a deployment plan.

One of the best practices is not to create a primary site that covers more than one continent. Since Sports Clothes United currently has locations in two continents and is planning one or more in Europe, you will need to place a primary site in North America and one in Asia.

Because the company needs two or more primary sites, a Central Administration Site is needed. The datacenter in Washington, D.C. can be used for the CAS. No clients will connect to this site.

The locations in San Francisco and Shanghai are chosen as primary sites because of the size of the location in Shanghai and the availability of the corporate IT department in San Francisco. The Houston site will be a secondary site: it satisfies the requirement that every major site in the United States has a local software update point and it lets the site control the traffic flowing up to the primary site. Note that since Service Pack 1 a primary site supports more than one software update point, so a local software update point alone no longer forces a secondary site. The site in Suzhou will receive a local distribution point with PXE, bandwidth control, and throttling enabled and configured.

The basic proposed Configuration Manager hierarchy is shown here.

[Figure: the basic proposed Configuration Manager hierarchy]

This Configuration Manager 2012 infrastructure can be a greenfield environment, and the transition will be done after a pilot phase has proven that the requirements have been met.

The Bottom Line

1. Plan and design a Central Administration Site. One of the first questions you will ask yourself while starting to design and plan a new Configuration Manager 2012 hierarchy is “Do I need a Central Administration Site?” The answer to this question is essential for your final design.

1. Master It Determine when a CAS is needed.

2. Plan and design an effective Configuration Manager 2012 infrastructure. When planning and designing a new Configuration Manager 2012 infrastructure, it is important to plan your site placement appropriately. The design rules for primary sites have changed from how they were in Configuration Manager 2007.

1. Master It Understand the reasons for not needing an additional primary site implementation.

3. Identify the enhancements to the distribution point site system role. Distribution points in older versions were used to provide local points for accessing content and later also for App-V streaming. In Configuration Manager 2012 distribution points do a lot more.

1. Master It Distribution points have been enhanced. What roles and components are merged with the new distribution point, and what’s new?

4. Prepare your current Configuration Manager 2007 environment for migration to Configuration Manager 2012 An in-place upgrade of Configuration Manager 2007 to Configuration Manager 2012 is not supported. Configuration Manager 2012 has a migration feature within the feature set to enable side-by-side migration.

1. Master It How can you as a Configuration Manager administrator or consultant prepare a current Configuration Manager 2007 environment for migration to Configuration Manager 2012?