SCCMinfo

List SCCM installation requirements

Here is the top information, in list form, to give you an idea of what to consider before installing an SCCM site in a production environment.

  1. Before starting to install a site, make sure you have decided on the topology.
  2. The choice of installation method depends on the type of site you want to install.
  3. The first site you install is always either a stand-alone primary site or a central administration site (CAS).
  4. When installing the first site, always use a baseline version.
  5. After installing the baseline version, it can be updated to the latest version through in-console updates.
  6. The installation method can be either the Configuration Manager Setup Wizard or the scripted command line tool.
  7. After the first site is installed, one or more further sites can be added at any time.
  8. To install a secondary site, use the Configuration Manager console; the installation methods used for a CAS or primary site are not supported for secondary sites.
  9. Make sure the basic tasks are completed before the site installation: update the computer with the latest patches, install and configure SQL Server for the database, harden the server OS and prepare the network environment.
  10. Decide on the site names and site codes.
  11. Be aware of the limits and restrictions after a site is installed: you cannot change the site code, site description or installation directory, and you cannot move a primary site out of the hierarchy.
  12. Setup Downloader can be used to pre-download the content before the site is installed.
  13. Run the prerequisite checker to identify and fix issues before starting the site installation.
  14. Optionally, identify the ports to be used to secure communication between Configuration Manager sites and clients.

Please share feedback in the comment section.

Securing SCCM IIS Configuration and SCCM Management Point Configuration

Key points on securing IIS

Some roles in SCCM require IIS, and configuring IIS correctly is one of the important tasks for any SCCM implementer: enabling IIS components that are not required at all puts the SCCM infrastructure at risk of attack.

Here are the key points to consider while configuring IIS for SCCM roles:

  • Install and enable only the IIS components that are required.
  • Enable HTTPS on the site system roles for their communication.
  • Set up a CTL (Certificate Trust List) in IIS.
  • Add to the CTL only the CAs (Certificate Authorities) that Configuration Manager uses to accept client communications.
  • Do not install IIS on the computer running the site server: the site server's computer account has local admin rights on every computer that hosts a site system role.
  • Do not host any other web-based application on an IIS server used for Configuration Manager, because a poorly configured application opens a path for attackers to gain access to the Configuration Manager environment.
  • If other web applications must run on the server, use a custom website (this is a site-wide setting).
  • When using a custom website, delete the default virtual directories.
  • Configure a custom header to disable MIME sniffing.
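As an added example (not part of the original post), the following Python script audits an IIS applicationHost.config for two of the points above: site bindings that are not HTTPS, and the absence of the X-Content-Type-Options: nosniff custom header that disables MIME sniffing. The config fragment, the site names and the header values are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample applicationHost.config fragment (not from a real server):
# the default site still answers on plain HTTP and no nosniff header is set.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="https" bindingInformation="*:443:" />
        </bindings>
      </site>
      <site name="SMSWEB" id="2">
        <bindings>
          <binding protocol="https" bindingInformation="*:8443:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Powered-By" value="ASP.NET" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

def find_http_bindings(root):
    """Return (site name, binding) for every binding that is not HTTPS."""
    found = []
    for site in root.iter("site"):
        for binding in site.iter("binding"):
            if binding.get("protocol", "").lower() != "https":
                found.append((site.get("name"), binding.get("bindingInformation")))
    return found

def has_nosniff_header(root):
    """True if X-Content-Type-Options: nosniff is set as a custom header."""
    for headers in root.iter("customHeaders"):
        for add in headers.findall("add"):
            if add.get("name", "").lower() == "x-content-type-options":
                return add.get("value", "").strip().lower() == "nosniff"
    return False

def audit_iis_config(xml_text):
    """Parse an applicationHost.config and report both checks."""
    root = ET.fromstring(xml_text)
    http = find_http_bindings(root)
    nosniff = has_nosniff_header(root)
    findings = [f"site '{s}' has a non-HTTPS binding {b}" for s, b in http]
    if not nosniff:
        findings.append("X-Content-Type-Options: nosniff custom header is missing")
    return {"http_bindings": http, "nosniff": nosniff, "findings": findings}

if __name__ == "__main__":
    for line in audit_iis_config(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", line)
```

On a real server the file lives under %SystemRoot%\System32\inetsrv\config and the per-site web.config can add headers too, so read both before trusting a clean result.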

Key points on securing the Management Point

Securing the management point is very important, because it is the site system through which clients and site servers communicate.

  • As a best practice, assign clients to a management point of the same site rather than to a management point of another site.
  • When migrating from an earlier site to current branch, move the clients on the management point to the new site as soon as possible.

Please leave a comment for any suggestions or corrections.

MPList for Configuration Manager Client

MPList

The MP list is simply the list of management points, ordered by the priority the Configuration Manager client worked out earlier. The client uses this list as its preferred source for service location when it looks for a management point. The list is built on the basis of the network location in which the client resides, and it is stored in WMI on the local computer.

There are two kinds of MP list, described below.

Building the initial MP list: this list is built in the following order.

  • It first includes the management point found at the time of client installation.
  • The client then looks in AD DS (Active Directory Domain Services) for published management points.
  • If the client does not get an MP from the two approaches above, it checks DNS and WINS.
  • Some other management points may not be present in this list.

Organising the MP list: this list is prioritised in the following order.

  • Proxy: the management point at a secondary site.
  • Local: a management point defined by the boundary group or by the assigned site.
  • Assigned: any management point among the site systems of the client's assigned site.

Selecting the management point to use

For general purposes, clients commonly use management points in the order below, according to the network location they currently fall into.

  1. Proxy management point
  2. Local management point
  3. Assigned management point

For management point registration and certain policy messages, however, the client uses only the assigned management point; other communication is sent to the proxy and local management points.

A client always tries to connect over a secure HTTPS connection if the client is enabled for HTTPS.

Key note: once the client has found an MP it continues to use the same one until:
  • 25 hours have passed, or
  • the client is unable to connect to the MP for five tries over a period of 10 minutes.

Please give your feedback on the information in the comment box.

SCCM Management Point

Key information on how the Configuration Manager client looks for a Management Point (MP)

  • The very first time a Configuration Manager client is assigned to a primary site, it selects a default management point.
  • The client selects the preferred management point on the basis of the configured boundary group and its current network location.
  • This default management point becomes the preferred management point. At client installation time, a command line option can be added to set the preferred management point.
  • If the preferred management point setting is enabled for the hierarchy, the client always uses the preferred management point before any other management point.
  • Management point affinity can be used to allow clients to use one or more management points in preference to the preferred management point.
  • At installation time the client stores the initial MP list in WMI.
  • Whenever the client needs to contact a management point, it checks the MP list first.
  • The MP list is updated periodically.
  • When the client does not find a valid MP, it searches in this order: management point, AD DS, DNS, WINS.
  • When the client finds a valid management point through this process, it updates the local MP list.
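As an added example (not code from the original posts), this Python model reproduces the MP list behaviour described in this post and in the MPList post above: ordering the list proxy, local, assigned with HTTPS-capable MPs preferred, routing registration and policy messages to the assigned MP only, and re-selecting an MP only after 25 hours or after five failed connections within 10 minutes. The MP names, the source labels and the clock values are constructed.

```python
from dataclasses import dataclass, field

# Priority used by the organised MP list: proxy (secondary-site MP) first,
# then local (boundary group / assigned site), then any assigned-site MP.
TYPE_RANK = {"proxy": 0, "local": 1, "assigned": 2}
MP_TTL_SECONDS = 25 * 3600      # client re-evaluates its MP after 25 hours
FAILURE_WINDOW_SECONDS = 600    # ... or after five failed tries in 10 minutes
FAILURE_LIMIT = 5

@dataclass(frozen=True)
class ManagementPoint:
    fqdn: str
    mp_type: str   # "proxy", "local" or "assigned"
    https: bool    # MP accepts HTTPS client communication
    source: str    # where the entry came from: install, adds, dns or wins

# Constructed sample of an initial MP list, in the order the sources were
# consulted (install-time MP, then AD DS, then DNS/WINS). Names are made up.
SAMPLE_MPS = [
    ManagementPoint("mp-assigned.corp.example", "assigned", True, "install"),
    ManagementPoint("mp-local-http.corp.example", "local", False, "adds"),
    ManagementPoint("mp-local.corp.example", "local", True, "adds"),
    ManagementPoint("mp-proxy.corp.example", "proxy", True, "dns"),
]

def organise_mp_list(mps, client_https):
    """Order the initial list the way the organised MP list prioritises it.
    An HTTPS-enabled client prefers HTTPS-capable MPs within each type."""
    def key(mp):
        prefer_https = 0 if (mp.https or not client_https) else 1
        return (TYPE_RANK[mp.mp_type], prefer_https)
    return sorted(mps, key=key)

def select_mp(mp_list, message_kind):
    """Registration and policy messages go to the assigned MP only; all
    other traffic walks the organised list proxy -> local -> assigned."""
    if message_kind in ("registration", "policy"):
        mp_list = [mp for mp in mp_list if mp.mp_type == "assigned"]
    return mp_list[0] if mp_list else None

@dataclass
class MpAffinity:
    """The MP a client settled on, and when it must look for one again."""
    mp: ManagementPoint
    found_at: float                   # seconds on a constructed clock
    failures: list = field(default_factory=list)

    def record_failure(self, when):
        self.failures.append(when)

    def must_reselect(self, now):
        if now - self.found_at >= MP_TTL_SECONDS:
            return True
        recent = [t for t in self.failures if now - t <= FAILURE_WINDOW_SECONDS]
        return len(recent) >= FAILURE_LIMIT
```

Call organise_mp_list(SAMPLE_MPS, client_https=True) and then select_mp(...) with "registration" versus "inventory" to see the assigned-only rule in action.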

Let us know in the comment box whether this information was useful.

Understanding service location information in Configuration Manager

Here are the key points on how clients find their site, resources and services.
  • Clients use a process called service location to find the site systems they communicate with.
  • Through this service location process they find the core and other site systems for the services and resources they will use.
  • A site system could be a management point, software update point or distribution point.
  • Service location uses the current network location, protocol preference and assigned site to get the management point assigned to the client.
  • Clients communicate with the management point to get the list of available MPs (the MP list) and to upload inventory and status data.
  • They download policies, which carry the deployment schedules for applications and software updates.
  • Clients also request information from the management point about other site systems, such as the distribution point and software update point for the respective services.
  • Clients make a service location request every 25 hours.
  • If there is any change in the network, the client makes a service location request.
  • When the ccmexec.exe service starts or restarts on the client computer, it also sends a service location request.
  • A request is also sent whenever the client must find the site system for a particular service.

Please provide your input in the comment section on whether this information was useful.

How data is transferred between sites in an SCCM hierarchy

Configuration Manager uses the following types of replication to transfer data between sites in the hierarchy.

  1. File-based replication
  2. Database replication

Let us look at these two types of replication in brief.

File-Based replication

Configuration Manager uses this type of replication to transfer data such as the source content of packages and applications to distribution points in other sites. It also transfers unprocessed discovery data to primary sites.

It uses the SMB (Server Message Block) protocol on TCP/IP port 445 and has the following settings to control the transfer process:

  • File replication route
  • File replication account
  • Schedule
  • Rate limits
  • Sender
  • Routes between secondary sites
  • Maximum concurrent settings
  • Retry settings

Database Replication

With this replication method, SQL Server transfers the data from site to site; the data is merged with the data received from other sites so that all sites share the same data set or copy.

Points on this method of replication:

  • Database replication is set up automatically when any site is installed in the hierarchy.
  • Replication starts automatically once the site installation has finished.
  • It uses SSB (SQL Server Service Broker) on TCP port 4022 to replicate changes.

Database replication classifies data into the following two categories:

  1. Global Data
  2. Site Data

Global Data

This data includes objects created by administrators at either the central administration site or a primary site, such as software updates, software deployments, collection definitions and role-based security scopes. Secondary sites receive only a subset of this data.

Site Data

This data includes information generated by a primary site or its assigned clients, which is then replicated to the CAS. It includes hardware inventory, status messages, alerts and query-based collection results.

Database replication has the following configuration settings to control replication:

  • Database replication links
  • Distributed views: these can be used to choose replication links
  • Scheduled transfer of data
  • Summarisation of traffic
  • Database replication thresholds
  • Site database replication controls

Please leave your comments in the comment box.

Understanding basic fundamentals of content management in SCCM

Managing content and its distribution or replication in Configuration Manager is an important factor: deployments of software such as operating systems, applications and software updates carry content that needs to be distributed or replicated across the LAN and WAN locations of the organisation. That content can be large, so its distribution and replication put a burden on network bandwidth and, for many organisations, cause an impact during production hours. For this reason it is very important to understand the basic concepts and fundamentals of content management.

Here is a list of the options that help optimise content distribution; some of them are then explained in brief.

  • Bandwidth throttling and scheduling
  • Binary differential replication
  • Delta replication
  • Peer cache technology
    • Branch Cache
    • Delivery Optimization
    • Configuration Manager peer cache
    • Microsoft connected cache
    • Peer cache
    • Windows PE peer cache
  • Windows LEDBAT
  • Client Locations
  • Content Source priority
  • Content Library
  • Distribution Points
  • Distribution Point Group
  • On-demand content distribution
  • Package transfer manager
  • Prestaged content
  • Fallback
  • Network Bandwidth

Bandwidth throttling and scheduling

Both of these built-in options help control network bandwidth when a large amount of content is being transferred over the network. The settings are available on the distribution point, where you can configure when and how content should be transferred.

Binary differential replication

This method looks only for the changes within a file and transfers only those changes, which saves time and network bandwidth. It works at the block level within the file. It is always enabled for applications but optional for legacy packages. If the file is already available on the distribution point and only the changes need to be transferred, this option should be used.

Delta replication

This works at the file level. If new files are added to a package, only those files are transferred by delta replication. This option is on by default and is not configurable.
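As an added example (not from the original post), the following Python snippet contrasts the two mechanisms on a constructed package: delta replication skips unchanged files and sends new files whole, while binary differential replication cuts a changed file down to its changed blocks. The 16-byte block size, the file names and the file contents are made up so that the byte counts are easy to follow.

```python
import hashlib

BLOCK_SIZE = 16  # constructed, tiny block size so the sample is easy to follow

# Constructed package contents: the copy already on the distribution point
# and the updated source. setup.exe changes 4 bytes, patch.cab is new.
OLD_PACKAGE = {"setup.exe": b"A" * 64, "readme.txt": b"hello world"}
NEW_PACKAGE = {
    "setup.exe": b"A" * 20 + b"B" * 4 + b"A" * 40,
    "readme.txt": b"hello world",
    "patch.cab": b"P" * 30,
}

def block_hashes(data, block_size=BLOCK_SIZE):
    """Hash each fixed-size block so changed blocks can be spotted."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]

def changed_blocks(old, new, block_size=BLOCK_SIZE):
    """Block-level comparison (binary differential replication): indexes of
    blocks in `new` that differ from, or extend past, the old copy."""
    old_h = block_hashes(old, block_size)
    new_h = block_hashes(new, block_size)
    return [i for i, h in enumerate(new_h) if i >= len(old_h) or h != old_h[i]]

def transfer_plan(old_pkg, new_pkg, bdr_enabled, block_size=BLOCK_SIZE):
    """Decide what goes over the wire to the distribution point.
    Delta replication (always on) skips unchanged files and sends new files
    whole; with binary differential replication enabled, a changed file is
    reduced to just its changed blocks. Deleted files are not modelled."""
    files, total = {}, 0
    for name, data in new_pkg.items():
        old = old_pkg.get(name)
        if old == data:
            continue  # unchanged file: nothing to send
        if old is None or not bdr_enabled:
            detail = {"mode": "whole", "blocks": None, "bytes": len(data)}
        else:
            blocks = changed_blocks(old, data, block_size)
            nbytes = sum(len(data[i * block_size:(i + 1) * block_size]) for i in blocks)
            detail = {"mode": "blocks", "blocks": blocks, "bytes": nbytes}
        files[name] = detail
        total += detail["bytes"]
    return {"files": files, "bytes_to_send": total}

if __name__ == "__main__":
    for flag in (False, True):
        plan = transfer_plan(OLD_PACKAGE, NEW_PACKAGE, flag)
        print("BDR on " if flag else "BDR off", plan["bytes_to_send"], "bytes")
```

With the sample package the plan sends 46 bytes with binary differential replication enabled (one 16-byte block of setup.exe plus the new 30-byte patch.cab) against 94 bytes without it.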

 

Branch Cache

This is a built-in Windows feature available from Windows Server 2012 onwards. When it is enabled, the first BranchCache-enabled client that gets content from a BranchCache-enabled server downloads the content and caches it. Later, when any other client on the same subnet requests the same content, it contacts that first BranchCache-enabled client and gets the content from it instead of from the distribution point. In this way the content is distributed across multiple clients on that subnet.

Delivery Optimization

This is a cloud-based peer-to-peer service for sharing content between Windows 10 devices, and it is recommended for optimising the delivery of Windows 10 updates.

Microsoft connected cache

A distribution point can be enabled as a Microsoft Connected Cache to cache content for Delivery Optimization. Instead of downloading content from the internet service endpoint, clients enabled for Delivery Optimization download the same content from the local distribution point that has it cached, saving WAN bandwidth.

Peer cache

Enabling peer cache for clients helps clients at remote sites that are connected over low network bandwidth. After peer cache is enabled on a collection, clients cache content and then share it with other clients in the same boundary group or the same subnet.

Windows PE peer cache

This helps clients that are receiving a new operating system via a task sequence: they get the required content from a peer cache source instead of downloading it from the distribution point, which reduces WAN traffic.

Please share your comments on this topic.

Quick points on Site Database for Configuration Manager

Placing the database for each site in the Configuration Manager hierarchy is one of the most important tasks of the planning and design phase.

Quick points to consider:

  • The site database is a server running a supported version of SQL Server that hosts the database in which Configuration Manager stores its information.
  • The site database can be on the site server, or it can be hosted on a remote server.
  • On the central administration site and on primary sites the full version of SQL Server should be installed.
  • On a secondary site, SQL Server Express can be installed instead of the full version.
  • Make sure there is high bandwidth, high availability and speed between the site server and any remote server chosen to host the database, because the site server and some site systems talk to the database server constantly.
  • For a SQL Server Always On availability group database, the recovery model must be set to full.
  • For a database that is not in an availability group, the recovery model must be set to simple.
  • The default instance of SQL Server can be used.
  • The SQL Server must be in a domain that has a two-way trust with the site servers and the computers running the SMS Provider.
  • A SQL Server failover cluster cannot be used when the database is on the site server.

Please share your valuable comments.

Understanding role of SMS Provider in Configuration Manager

The SMS Provider is a WMI (Windows Management Instrumentation) provider that gives SCCM administrators access to the site database. To manage resources on the network we use the Configuration Manager console, which in the backend connects to an instance of the SMS Provider for the site database.

Quick points on the SMS Provider:

  • It is installed automatically when a central administration site or a primary site is installed in the SCCM hierarchy.
  • More than one SMS Provider can be installed in the hierarchy.
  • The SMS Provider cannot be installed on a secondary site.
  • The SMS Provider does not communicate with Configuration Manager clients.
  • Each SMS Provider supports simultaneous connections from multiple requests, limited by the number of server connections that Windows allows.
  • The SMS Provider can be installed on a computer other than the site server.
  • The SMS Provider helps with security, as it provides information to users who are authenticated via the Configuration Manager console.
  • From version 1810 the authentication level can be specified, so that an administrator who wants to access data must be signed in with the required authentication level. The authentication levels are Windows authentication, certificate authentication and Windows Hello for Business.
  • Multiple SMS Providers can be used for high availability.
  • Multiple SMS Providers can also be used when many administrators need to connect to the database through the Configuration Manager console at the same time.

Please share your valuable comments.

SCCM Client Management Solutions

Here we discuss in brief the currently available client management solutions:

  • Configuration Manager client
  • On-premises MDM with Configuration Manager
  • Co-management with Microsoft Intune
  • Microsoft Exchange

One of the above solutions can be used on its own, or a combination of them can be useful, for example when some clients always reside on-premises while others roam over the internet because their job requires it. The on-premises Configuration Manager infrastructure can then manage the on-premises clients and co-management can support the internet clients, so that all devices are managed.

Configuration Manager client

This client is installed on the organisation's devices and makes it possible to take full advantage of all Configuration Manager features, such as collecting hardware and software inventory, installing software, installing updates and so on.

Methods to install the client:

  • Client push installation
  • Software update point-based installation
  • Group policy installation
  • Logon script installation
  • Manual installation
  • MS Intune MDM installation

On-premises MDM with Configuration Manager

On-premises MDM is based on Open Mobile Alliance Device Management (OMA DM). It uses the on-premises Configuration Manager infrastructure together with an Intune licence to manage devices, but does not require a cloud connection.

The advantages of using on-premises infrastructure are that it is easy to set up and maintain and all data stays within the organisation's infrastructure; the disadvantage is that it has less functionality. It does not support task sequences or Software Center.

Co-management with Microsoft Intune

This is a new capability added by Microsoft with the aim of managing devices from on-premises as well as from the MS Office 365 cloud: it gives the ability to enrol a device in Intune, making it a so-called co-managed device. Once a device is co-managed, it can take advantage of the other features available in Intune.

Microsoft Exchange

A connector called the MS Exchange connector connects Configuration Manager to Exchange ActiveSync. The Exchange mobile device management feature can be configured in the Configuration Manager console, after which we are able to wipe devices and control their settings.

Please share comments in the comment section.