SCCMinfo

SCCM 2012 distribute content vs update distribution points

 

People often get confused by the options shown on the properties of any package type in SCCM 2012 when it comes to distribution. Whenever they right-click a package to distribute its content, they see the two options below, and this post tries to clear up the difference between them.

After right-clicking a Package we get:

  • Distribute content
  • Update Distribution points

 

 

Let us first look at Distribute Content:

Distribute Content, as the name suggests, distributes the contents of a package to distribution points on which it is not yet available for SCCM clients to use in deployments. That means whenever you create a package and put its content on a distribution point for the very first time, you should always use Distribute Content.

Here we must select the distribution points to which the package is to be added.

When we select Distribute Content, we get the list of distribution points to choose from, as shown in the screen below.

 

 

Now let us look at Update Distribution Points:

Update Distribution Points should be used to refresh content that is already available on distribution points. Say the source files of a package have to be modified for some reason; the package is already on the DPs and we want the updated source contents to reach them, so we use the Update Distribution Points option. On selecting it, the package is updated on every distribution point to which it has already been distributed.

In this case, rather than Distribute Content, we must select Update Distribution Points after right-clicking the package.

When we select Update Distribution Points we get the screen below; click OK to continue and update all distribution points on which the package is already present.

It is important to note that once you click OK on the dialog box above, the update of the package starts on every distribution point on which the package is already present.

So, in simple terms: whenever we create a package, use Distribute Content the first time to add it to distribution points; later, when for some reason we modify the source content of that same package, use Update Distribution Points.
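The same decision can be scripted with the Configuration Manager PowerShell module, which exposes the two right-click actions as Start-CMContentDistribution and Update-CMDistributionPoint. The script below is an added example and is not part of the original post; it assumes the Configuration Manager console (and its module) is installed where it runs, that the caller has rights on the site, and that the SMS Provider WMI namespace is reachable. The site code 'PS1', package ID 'PS100001' and the host names are placeholders.

```powershell
# Added example (not from the original post). Picks the right action for a
# package: Start-CMContentDistribution for DPs that do not hold it yet,
# Update-CMDistributionPoint when it is already distributed.
# Assumptions: the ConfigMgr console and its PowerShell module are installed
# here, the caller has rights on the site, and the SMS Provider namespace is
# reachable. Site code, package ID and host names are placeholders.
param(
    [string]$SiteCode    = 'PS1',
    [string]$SmsProvider = 'cm01.contoso.local',
    [string]$PackageId   = 'PS100001',
    [string[]]$DistributionPoint = @('dp01.contoso.local', 'dp02.contoso.local')
)

# Load the module shipped with the console and enter the site drive (named after the site code).
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):\"

# SMS_PackageStatusDistPointsSummarizer has one row per (package, DP); the DP's
# host name is embedded in ServerNALPath as \\host\ .
$holders = @(Get-CimInstance -ComputerName $SmsProvider -Namespace "root\SMS\site_$SiteCode" `
                 -ClassName SMS_PackageStatusDistPointsSummarizer -Filter "PackageID='$PackageId'" |
             ForEach-Object { if ($_.ServerNALPath -match '\\\\([^\\]+)\\') { $Matches[1].ToLower() } })

$present = @($DistributionPoint | Where-Object { $holders -contains $_.ToLower() })
$missing = @($DistributionPoint | Where-Object { $holders -notcontains $_.ToLower() })

if ($missing.Count -gt 0) {
    # First-time distribution: content goes only to the DPs we name.
    Write-Host "Distribute Content -> $($missing -join ', ')"
    Start-CMContentDistribution -PackageId $PackageId -DistributionPointName $missing
}
if ($present.Count -gt 0) {
    # Refresh: one call re-sends the updated source files to every DP that already holds the package.
    Write-Host "Update Distribution Points (package already on $($present -join ', '))"
    Update-CMDistributionPoint -PackageId $PackageId
}
```

Note that Update-CMDistributionPoint takes no distribution point name: exactly as in the console, it refreshes every DP that already holds the package, so the script calls it at most once regardless of how many DPs are listed.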

 

Please share feedback in the comment box.

SCCM Server Setup Wizard – List installation requirements

To save time and confusion and to have clarity, consider the inputs below and keep the information at hand before installing a Configuration Manager Central Administration Site or Primary Site.

  1. Decide which site to install: Central Administration Site or Primary Site.
  2. Have the product license key ready to enter.
  3. Have the setup files already downloaded with Setup Downloader. With these you do not need to download anything at the time of site installation; you can select the previously downloaded files by giving their path.
  4. Server language selection defaults to English and cannot be changed.
  5. Client language selection defaults to English and cannot be changed.
  6. Have the site code ready. Each site code must be unique.
  7. Have a friendly, easily identifiable site name ready, according to what you want the site to be known as.
  8. Decide on the installation folder path, as it cannot be changed later.
  9. Have the SQL Server FQDN (Fully Qualified Domain Name), instance name, database name and SSB port (4022 by default) ready.
  10. Have the paths for the SQL Server data file and log files ready.
  11. If you decide to install the SMS Provider on a remote server, have its FQDN ready; otherwise it defaults to the site server's name. Additional SMS Provider servers can be configured later.
  12. Decide whether clients communicate with the site server over HTTP or HTTPS; if you go for HTTPS for secure communication, the client computers must have a valid PKI certificate.
  13. Decide which servers will act as the Management Point and Distribution Point site systems, and have their FQDNs ready.
  14. The Service Connection Point is selected when installing a CAS or stand-alone Primary Site; when installing a child Primary Site this can be skipped.

 

Note: This information does not apply to installing a Secondary Site, since it does not support installation with the Setup Wizard or from the command line. A Secondary Site is installed from within the Configuration Manager Console.

 

Please share feedback in the comment box.

 

Key points to secure SCCM Site Server

Here are the key points to consider when securing Configuration Manager site administration:

  • Download the source files from a trusted location and secure the network share where the source files for site installation are saved.
  • Extending the Active Directory schema is not a requirement, but it provides a more secure environment for the SCCM infrastructure.
  • Communication between site system roles and the SQL Server is not secured by default; to secure it, either use IPsec or use SMB signing to make sure data is not tampered with before clients download and use it.
  • Site installation creates the security groups below; any changes to them should be prevented.
    • SMS_SiteSystemToSiteServerConnection_MP_<SiteCode>
    • SMS_SiteSystemToSiteServerConnection_SMSProv_<SiteCode>
    • SMS_SiteSystemToSiteServerConnection_Stat_<SiteCode>
  • In a non-Active Directory environment, the trusted root key must be managed properly by manual configuration to reduce the risk of clients contacting an untrusted management point.
  • Non-default ports can be used to advantage, as they make it harder for an attacker to attack the Configuration Manager environment. If you decide to use non-default ports, plan them properly and use them consistently throughout the hierarchy.
  • Avoid installing all, or most, site systems on one computer, as it becomes a single point of failure.
  • Configure static IP addresses, as they are easier to protect and harder to attack.
  • Do not allow installation of any application that is not needed, to reduce the risk of attack.
  • Enable the signing and encryption options on the site.
  • Allow only a limited set of users to manage the site, with the access they require, and monitor them periodically.
  • Secure the Configuration Manager backup files, as they hold sensitive information an attacker could exploit.
  • Secure the network locations where Configuration Manager data is kept, such as import/export objects, files and package repositories.
  • Remember to remove certificates manually whenever site system roles are not working properly, need uninstallation to fix issues, etc., as this removes the trust that was established. (The affected site system server's certificate should be removed from the Trusted People certificate store on the other site systems.)
  • Do not configure site systems that communicate with both the intranet and the perimeter network, as this removes the boundary between intranet and internet.
  • By default, site systems initiate connections to the site server; this is very risky when a site system is located on the perimeter network, which is an untrusted network. To avoid it, enable the option Require the site server to initiate connections to this site system.
  • When supporting internet-based clients through a web proxy server, use SSL bridging to SSL with termination and authentication. Configuring SSL with termination allows internet packets to be inspected before they are forwarded to the internal network.
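Several of the points above can be verified on a site server without changing anything. The script below is an added example, not part of the original post: it reports on SMB signing, on the membership of the setup-created SMS_SiteSystemToSiteServerConnection_* local groups, on certificates left in the Trusted People store, and on interfaces that still use DHCP instead of a static address. It assumes Windows Server with the built-in LocalAccounts and NetTCPIP modules and uses 'PS1' as a placeholder site code.

```powershell
# Added example (not from the original post): read-only checks for a few of
# the hardening points above, run locally on a site server or site system.
# Assumes Windows Server with the LocalAccounts and NetTCPIP modules;
# 'PS1' is a placeholder site code.
param([string]$SiteCode = 'PS1')

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMB signing: the server side should require signed SMB so data between
#    site systems and the site server cannot be tampered with in transit.
$smb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($smb.RequireSecuritySignature -ne 1) {
    $findings.Add('SMB server signing is not required (RequireSecuritySignature is not 1)')
}

# 2. Setup-created site-system groups: list members so an unexpected account
#    stands out; the groups themselves should exist and not be edited.
foreach ($role in 'MP', 'SMSProv', 'Stat') {
    $group = "SMS_SiteSystemToSiteServerConnection_${role}_$SiteCode"
    if (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue) {
        $members = (Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name }) -join ', '
        Write-Host "$group : $members"
    } else {
        $findings.Add("expected local group $group not found")
    }
}

# 3. Trusted People store: one certificate per site system that still exists.
#    Expired entries point at servers that were decommissioned or reinstalled
#    and whose trust should be removed by hand.
Get-ChildItem Cert:\LocalMachine\TrustedPeople | ForEach-Object {
    Write-Host ("TrustedPeople: {0} expires {1:d}" -f $_.Subject, $_.NotAfter)
    if ($_.NotAfter -lt (Get-Date)) { $findings.Add("expired TrustedPeople cert: $($_.Subject)") }
}

# 4. Static addressing: a connected IPv4 interface still on DHCP is a finding.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' } |
    ForEach-Object { $findings.Add("interface $($_.InterfaceAlias) uses DHCP, not a static IP") }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No findings' }
```

The script only reads state; fixing a finding (requiring SMB signing, removing a stale certificate, setting a static address) stays a deliberate change made through the usual configuration path so that site systems are not broken by an unplanned edit.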

Please share your comments in the comment box.

How data is transferred between sites in an SCCM hierarchy

Configuration Manager uses the types of replication below to transfer data between sites in the hierarchy.

 

  1. File-based replication
  2. Database replication

 

Let us talk about these two types of replication in brief.

 

File-Based replication

Configuration Manager uses this type of replication to transfer data such as the source content of packages and applications to distribution points in other sites. It also transfers unprocessed discovery data to primary sites.

It uses the SMB (Server Message Block) protocol on TCP/IP port 445 and has the settings below to control the transfer process:

  • File replication route
  • File replication account
  • Schedule
  • Rate limits
  • Sender
  • Routes between secondary sites
  • Maximum concurrent sendings
  • Retry settings

 

Database Replication

In this replication method, Configuration Manager uses SQL Server to transfer data from site to site; the data is merged with the data received from other sites so that all sites share the same data set, or copy.

Points on this method of replication:

  • Database replication is set up automatically when any site is installed in the hierarchy.
  • After site installation finishes, replication starts automatically.
  • It uses SSB (SQL Server Service Broker) on TCP port 4022 to replicate changes.

 

Database replication classifies data into the two categories below:

 

  1. Global Data
  2. Site Data

 

Global Data

This data includes objects created by administrators at either the Central Administration Site or a Primary Site, such as software updates, software deployments, collection definitions and role-based security scopes. Secondary sites receive only a subset of this.

Site Data

This data includes information generated by a Primary Site or its assigned clients, which is then replicated to the CAS. It includes hardware inventory, status messages, alerts and query-based collection results.

 

Database replication has the configuration settings below to control replication:

  • Database replication links
  • Distributed views – these can be used to choose replication links
  • Schedule transfer of data
  • Summarization of traffic
  • Database replication thresholds
  • Site database replication controls
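Both transports described above, SMB on TCP 445 for file-based replication and SQL Server Service Broker on the SSB port (4022 by default, the value the Setup Wizard requirements list earlier on this page asks you to have ready), must be reachable between a site and its peer before replication can work. The function below is an added example, not part of the original post: run on a site server, it resolves the peer site server and peer SQL host and tests the two ports. Host names are placeholders; Resolve-DnsName and Test-NetConnection need Windows 8 / Windows Server 2012 or later. Because each site sends to the other, run it on both sides of the link.

```powershell
# Added example (not from the original post). Run on a site server to confirm
# that the peer site is reachable over the two replication transports:
# SMB on TCP 445 (file-based replication) and SQL Server Service Broker on the
# SSB port (database replication, 4022 by default). Host names are placeholders.
function Test-CMReplicationPath {
    param(
        [Parameter(Mandatory)][string]$PeerSiteServer,  # FQDN of the parent or child site server
        [Parameter(Mandatory)][string]$PeerSqlServer,   # FQDN of the SQL host for the peer site database
        [int]$SsbPort = 4022                             # change if a non-default SSB port was chosen at setup
    )
    $checks = @(
        @{ Name = 'DNS site server';            Target = $PeerSiteServer; Port = $null },
        @{ Name = 'DNS SQL server';             Target = $PeerSqlServer;  Port = $null },
        @{ Name = 'SMB file-based replication'; Target = $PeerSiteServer; Port = 445 },
        @{ Name = 'SSB database replication';   Target = $PeerSqlServer;  Port = $SsbPort }
    )
    foreach ($c in $checks) {
        if ($null -eq $c.Port) {
            # Replication routes are configured by FQDN, so the name must resolve before anything else.
            try { $null = Resolve-DnsName -Name $c.Target -ErrorAction Stop; $ok = $true }
            catch { $ok = $false }
        } else {
            # Plain TCP connect test; a failure here usually means a firewall between the sites.
            $ok = (Test-NetConnection -ComputerName $c.Target -Port $c.Port `
                       -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{ Check = $c.Name; Target = $c.Target; Port = $c.Port; Reachable = [bool]$ok }
    }
}

# Example: from a child primary site server towards its CAS (placeholder names).
Test-CMReplicationPath -PeerSiteServer 'cas01.contoso.local' -PeerSqlServer 'sqlcas01.contoso.local' |
    Format-Table -AutoSize
```

A successful TCP connect only shows that the port is open; it does not prove that the SSB endpoint or the file replication account is configured correctly, which the site's replication status in the console still has to confirm.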

 

Please leave your comments in the comment box.

Planning and Designing SCCM Hierarchy

Before we install the first site of an SCCM hierarchy, there are a few things to consider in the planning and design phase of the SCCM infrastructure.

Let's talk about them in brief:

  1. The topology to be used.
  2. The types of sites and the relationships between them.
  3. Each site's functionality and management scope.
  4. Content management options that avoid an overly complex infrastructure.

 

Topology

For any organization, the very first and most important point is to decide which topology to go with: either simple or complex.

  • Simple consists of a single Primary Site.
  • Complex consists of a Central Administration Site, multiple primary sites, and under those primary sites multiple secondary sites.

Note: The choice of topology is based on the number and type of devices to be supported across the organization.

 

Standalone Primary Site:

One can go with a Standalone Primary Site when it supports all of the organization's current devices and users. This site can be even more useful if it supports all users and devices across all of the organization's locations globally, as it provides benefits such as:

  • Less administrative overhead from managing multiple sites, which simplifies administration.
  • Being the single primary site in the topology, client site assignment and resource discovery become easy.
  • It removes delays in getting information, as no database replication is involved.
  • The option remains to expand later and make this Primary Site a child primary site of a Central Administration Site.

 

One or more Primary Sites under a Central Administration Site:

This option is used when you need to support a larger number of devices and users than one primary site can support.

A CAS supports up to 25 primary sites, which you can scale up to the organization's needs.

Once a CAS and a primary site under it are installed, this cannot be reversed; a child Primary Site cannot be converted back to a standalone Primary Site, as the change is permanent.

 

Choose when to use a Central Administration Site

This is the site from which all Primary Sites, Secondary Sites and all objects across the organization are managed. Clients cannot be directly managed by, or assigned to, the Central Administration Site. The points below can be considered when choosing a CAS.

  • This is the top site in the hierarchy, and all primary sites come below it as child sites.
  • When there is a need to manage more than one Primary Site, a CAS needs to be installed.
  • It supports only Primary Sites as child sites.
  • Clients cannot be assigned to the CAS.
  • The CAS does not support site systems such as the management point or other site systems that communicate directly with clients.
  • From the Central Administration Site we can manage all clients and perform all administrative tasks, such as installing and configuring roles and site systems on Primary and Secondary Sites.
  • This is the only site in the topology where you can see all data, such as inventory, client-processed data and deployment status, for all Primary and Secondary Sites in the hierarchy.
  • Configure discovery options on all Primary Sites.
  • Control data flows from site to site by configuring the replication between sites.
  • Manage security by using different scopes and roles throughout the

 

Choose when to use a Primary Site

Clients can only be assigned to a Primary Site. So, if the requirement is to support more devices than a Standalone Primary Site supports, you need to install more than one primary site under a Central Administration Site.

The points below need to be considered when deciding on a Primary Site:

  • Database replication replicates the data when the Primary Site is configured as a child Primary Site under a Central Administration Site.
  • Multiple secondary sites are supported as child sites under a Primary Site.
  • A Primary Site is a child site under the Central Administration Site.
  • All of the assigned clients' data is processed at the Primary Site.

 

Choose when to use a Secondary Site

Placing a secondary site in the hierarchy is needed when replication of content to remote locations has to be managed over low network bandwidth. A secondary site can only be attached to a primary site, and it can be managed either from the Central Administration Site or from its parent primary site. A secondary site uses file-based replication to transfer client-processed data to the Primary Site and uses database replication to communicate with its parent primary site.

A secondary site would be considered in the scenarios below:

  • There is a requirement to transfer deployment content to remote sites that are connected to the main office over low bandwidth, and bandwidth utilization needs to be managed.
  • There is a requirement to send client data to the top-level sites in the hierarchy.

If you decide not to go with a secondary site, you have the two options below, which can help in the scenarios above as well:

  • Take advantage of BranchCache.
  • Take advantage of bandwidth throttling in the Distribution Point properties.

 

Content Management

Content management is one of the important aspects of planning and designing an SCCM hierarchy. The content management options available are:

  • BranchCache
  • Bandwidth throttling on the Distribution Point
  • Copying content manually to the distribution point and then pre-staging it with the tool

The methods above can be used for content management when:

  • There is enough network bandwidth for clients to talk to the Management Point and send discovery information, inventory, status messages, policy, etc.
  • BITS (Background Intelligent Transfer Service) is not providing sufficient bandwidth control.

 

Please share your valuable comments on this information so that we can improve.

SCCM Infrastructure

Here we are going to understand the fundamentals of the SCCM infrastructure, which will help anyone working on this product at every stage.

The sites in an SCCM infrastructure are as below:

  • Central Administration Site
  • Primary Site
  • Secondary Site
  • Standalone Primary Site

Let's talk about each of these sites in brief.

Central Administration Site

The Central Administration Site, also known as the CAS, is the topmost site in the hierarchy of an SCCM infrastructure. This site manages all primary sites, secondary sites and all objects across all locations of the organization.

Primary Site

This is the site to which all clients are assigned and from which they are managed. It is a child site of the Central Administration Site, and it supports secondary sites as child sites. Multiple secondary sites can report to a primary site, and multiple primary sites can report to the Central Administration Site.

Secondary Site

A secondary site is mainly used to manage the distribution of deployment content and the transfer of client data across low-bandwidth networks. Multiple secondary sites can report to a primary site.

Standalone Primary Site

A Standalone Primary Site can be used when the number of devices the organization needs to support is less than the number of clients this site supports.