Tuesday, 26 April 2016

Content Management

Managing content in Configuration Manager 2012 can be done on different levels and in different parts of the Configuration Manager 2012 console: 
Distribution Points/Distribution Point Groups Per distribution point or distribution point group you are able to see, redistribute, validate, or remove content easily. Content validation can be done automatically based on a schedule. When adding a new distribution point to a distribution point group, all the applications or packages assigned to a distribution point group will be automatically copied to the new distribution point.
Content-Related Objects Objects that have content have a Content Locations tab where you can manage the content and see on which distribution point the content is available. From the object you are also able to validate, redistribute, and remove the content from the distribution points. Objects that have content are applications, packages, boot images, driver packages, operating system images, operating system installers, and software update deployment packages.
Monitoring In the monitoring workspace of the Configuration Manager console you can monitor your applications and packages in the Content Status node. You can also monitor the distribution point group status and distribution point configuration status.

Planning the Configuration Manager Hierarchy

When designing your Configuration Manager hierarchy you need to create an implementation plan for where to install which server with what kind of roles. The deployment information you gathered in an earlier stage will provide the requirements for where you need to install the Central Administration Site, primary sites, secondary sites, and distribution points. To come up with the right design, follow these design steps:
  1.  Define a naming convention if one doesn’t already exist.
  2.  Determine whether a CAS is needed and where to place this site in your environment. The CAS is the topmost site in your Configuration Manager hierarchy.
  3.  Define the placement of the primary sites, secondary sites, or just distribution points; remember that tiering primary sites is no longer possible. Look at your WAN and keep the design rules in mind, together with which roles you need in a specific site.
  4. Look at the logical and physical connections between your Configuration Manager sites so you can decide whether addresses need to be configured to manage the traffic between the sites.
  5. Assign the boundaries that represent your Configuration Manager sites, and be sure that no boundaries overlap each other.
  6.  Depending on the Configuration Manager sites, high-availability demands, and other requirements, you can place the site system roles where they are needed. Designing a good Configuration Manager hierarchy is a must for an effective and solid Configuration Manager infrastructure. Always check the proposed design, and if possible let someone else review the design.
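Step 5 asks for boundaries that do not overlap. The script below is an added example (not part of the original text) that checks a planned boundary list for overlap before it is entered into the console: IP subnet and IP address range boundaries are compared numerically, and Active Directory site boundaries are flagged only when the same AD site is entered twice. The boundary list and the function names are this example's own constructed sample data.

```python
"""Overlap check for a planned set of Configuration Manager boundaries.

Added example, not from the original text. The boundary list is constructed
sample data and the function names are this example's own. IP subnet and
IP address range boundaries are compared numerically; Active Directory site
boundaries can only collide by naming the same AD site twice.
"""
import ipaddress
from itertools import combinations


def boundary_to_interval(kind, value):
    """Normalise a subnet or address range to (ip_version, first, last) as integers."""
    if kind == "subnet":
        net = ipaddress.ip_network(value, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    if kind == "range":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if first.version != last.version or int(first) > int(last):
            raise ValueError(f"invalid address range: {value}")
        return first.version, int(first), int(last)
    raise ValueError(f"unsupported boundary kind: {kind}")


def find_overlaps(boundaries):
    """Return the (name_a, name_b) pairs that share at least one address or AD site."""
    normalised = []
    for name, kind, value in boundaries:
        if kind == "adsite":
            normalised.append((name, ("adsite", value.lower()), None, None))
        else:
            version, lo, hi = boundary_to_interval(kind, value)
            normalised.append((name, version, lo, hi))
    overlaps = []
    for (na, ka, loa, hia), (nb, kb, lob, hib) in combinations(normalised, 2):
        if ka != kb:
            continue  # different address family or boundary type: cannot overlap
        # two identical AD sites, or two closed intervals that intersect
        if loa is None or (loa <= hib and lob <= hia):
            overlaps.append((na, nb))
    return overlaps


# constructed sample plan: two overlap pairs are deliberately present
PLANNED_BOUNDARIES = [
    ("HQ-LAN", "subnet", "10.10.0.0/16"),
    ("HQ-Servers", "range", "10.10.50.1-10.10.50.254"),  # lies inside HQ-LAN
    ("Branch-A", "subnet", "10.20.0.0/24"),
    ("Branch-B", "range", "10.20.1.1-10.20.1.100"),  # next to Branch-A, no overlap
    ("EU-Site", "adsite", "EU-Amsterdam"),
    ("EU-Site-Dup", "adsite", "eu-amsterdam"),  # same AD site entered twice
]

if __name__ == "__main__":
    for a, b in find_overlaps(PLANNED_BOUNDARIES):
        print(f"overlap: {a} <-> {b}")
```

Run it against the exported boundary list of a design before the boundaries are created; every pair it prints is one that violates step 5.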

Designing Your Configuration Manager Environment

After you’ve gathered your information about the new Configuration Manager 2012 infrastructure, you can design the new infrastructure. When designing a new Configuration Manager 2012 infrastructure, you need to keep a couple things in mind. Whereas in SMS 2003 and Configuration Manager 2007 you could easily design an infrastructure based on bandwidth, languages, or administrative purposes, in Configuration Manager 2012 the hierarchy is simplified and modernized. For most cases you can do more with less. Of course, you still need to identify your network locations and the bandwidth between your locations. Keep in mind that Configuration Manager 2012 has the goal of simplifying your Configuration Manager infrastructure by flattening the hierarchy and by server consolidation.

When designing a Configuration Manager 2012 infrastructure, you will need to review your gathered intelligence and translate this into a design. Things you need to take in account are the following:
Physical Locations of Your Environment As we said, the first step is to translate your network infrastructure information into information that can be used for the design of the Configuration Manager infrastructure. 
Ask yourself the following questions:
Where are my locations?
Are my locations in the same country? If so, larger locations often are well-connected sites, and smaller locations usually have less bandwidth available.
Are my locations on the same continent?
If your locations are on the same continent, you need to place a management point at your site, and you can create a secondary site for each location. If a location is not on the same continent, it is wise to create a primary site for that location. 
What is the available bandwidth?
For well-connected locations it is often unnecessary to create a Configuration Manager site for that location. If there is a need for local content, you can install a distribution point on such locations since the distribution point now has throttling and bandwidth control.
How many users are working at the location?
One primary site can handle 100,000 clients. Depending on your hardware performance and bandwidth, you can implement one primary site for your entire Configuration Manager infrastructure. Consider using BranchCache for small locations or just a distribution point.
What kind of traffic needs to flow down in the network?
Depending on the data that needs to flow down for administrative or political reasons, it might be necessary to implement a primary site at a location that should normally not be a primary site because of the size or available bandwidth.

Central Administration Site or Not? When you need more than one primary site in your Configuration Manager infrastructure, you also need a Central Administration Site. The placement of this CAS can be a design choice, but often you will place this site at the datacenter or the location where the IT department resides. Configuration Manager clients do not connect to a CAS.
High Availability Considerations If you need a highly available Configuration Manager site or infrastructure, you can install multiple roles (management point, provider, and so on) of the same role in one site without the need for network load balancing. The Configuration Manager 2012 client automatically finds the right management point if one is offline. You also can cluster the SQL database.
Client Settings As we said, client settings are no longer a reason to implement a primary site. Multiple client settings can be assigned to collections of users or computers. While designing, try to define different client settings for the groups of users or computers as needed. Otherwise, just use the default client settings.
Boundary Management Boundaries and boundary groups are fundamentals of your Configuration Manager infrastructure. Be sure to identify all the boundaries so that all the Configuration Manager clients can be managed.
Virtualization Microsoft supports the virtualization of Configuration Manager site servers. Before implementing, always check the Microsoft website for the latest versions and supported third-party virtualization software.
Managing Untrusted Environments In the past you could manage untrusted domains by supplying accounts with rights. With Configuration Manager 2012 you can manage other forests only via two-way trusts. Another way is to install site roles in an untrusted domain, but it cannot be a primary site role. You can provide some services but not all of them.
Naming the Configuration Manager Sites After determining your sites in your Configuration Manager 2012 infrastructure, you need to name the Configuration Manager sites. Like in earlier versions, you use a three-character site code. The site code can contain only standard characters (A–Z, a–z, 0–9, and the hyphen, “-”) and must be unique for your Configuration Manager infrastructure. In earlier versions of Configuration Manager you were not able to use Microsoft reserved names: SMS, CON, PRN, AUX, NUL, OSD, SRS, or FCS. This is still the case.
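The site-code rules above (three characters, the permitted character set, the reserved names, uniqueness) are easy to check mechanically for a whole batch of proposed codes. The following is an added example, not from the original text: the reserved names and the character rule are the ones stated above; treating uniqueness as case-insensitive, and the sample codes, are this example's own assumptions.

```python
"""Site-code checks for a planned Configuration Manager hierarchy.

Added example, not from the original text. The reserved names and the
character rule are the ones stated in the text; treating uniqueness as
case-insensitive, and the sample codes below, are this example's assumptions.
"""
import re

SITE_CODE_PATTERN = re.compile(r"[A-Za-z0-9-]{3}")
RESERVED_SITE_CODES = {"SMS", "CON", "PRN", "AUX", "NUL", "OSD", "SRS", "FCS"}


def validate_site_code(code, existing_codes=()):
    """Return a list of problems with `code`; an empty list means it is acceptable."""
    problems = []
    if SITE_CODE_PATTERN.fullmatch(code) is None:
        problems.append("must be exactly three characters from A-Z, a-z, 0-9 or '-'")
    if code.upper() in RESERVED_SITE_CODES:
        problems.append(f"'{code.upper()}' is a reserved name")
    if code.upper() in {c.upper() for c in existing_codes}:
        problems.append(f"'{code}' is already used in the hierarchy")
    return problems


def plan_site_codes(requested, existing=()):
    """Validate a batch of proposed codes against the hierarchy and against each other."""
    report = {}
    seen = [c.upper() for c in existing]
    for code in requested:
        report[code] = validate_site_code(code, seen)
        seen.append(code.upper())  # later duplicates within the batch are reported too
    return report


# constructed sample: one existing site, six proposals
EXISTING_SITES = ["P01"]
PROPOSED_SITES = ["CAS", "PS1", "SMS", "P-2", "ps1", "TOOLONG"]

if __name__ == "__main__":
    for code, problems in plan_site_codes(PROPOSED_SITES, EXISTING_SITES).items():
        print(code, "OK" if not problems else "; ".join(problems))
```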

Disaster Recovery

When planning a new Configuration Manager 2012 infrastructure, be sure to also make a disaster recovery plan. Since Configuration Manager 2012 is an important part of your IT infrastructure, you will need to be sure that when a disaster occurs, your Configuration Manager 2012 infrastructure will not be affected. To protect yourself from failure, you can make your environment highly available. This can be done by implementing the following options:
◆ Installing more than one primary site server in a site
◆ Placing the Configuration Manager databases on a SQL cluster
◆ Installing more than one site role per site
It is recommended that you test your disaster recovery plan in a test environment so you can document the disaster recovery process and know what to expect while recovering your Configuration Manager 2012 environment.

How Can You Prepare Your Configuration Manager 2007 Environment?

Before planning for a migration of your Configuration Manager 2007 environment, prepare the environment so it is compliant on the following matters:
◆ Flatten your hierarchy where possible, for instance, by removing secondary sites or unnecessary primary sites in the Configuration Manager hierarchy.
◆ Plan for Windows Server 2008 R2, SQL 2008, and 64-bit by acquiring hardware that is compatible with 64-bit software.
◆ Start with the implementation of BranchCache with Configuration Manager 2007.
◆ Move from web reporting to SQL Reporting Services by configuring the reporting site role in Configuration Manager 2007.
◆ Avoid mixing user and device-collection definitions.
◆ Use UNC paths in your packages instead of local paths.
◆ Migrate your Windows XP branch distribution points to Windows 7.

Migration

In Configuration Manager 2012 the migration feature is used to migrate your Configuration Manager 2007 investments or investments made in another Configuration Manager 2012 environment to the new user-centric platform. With the migration feature you can migrate the following objects:

◆ Collections (from Configuration Manager 2012 only)
◆ Deployments (from Configuration Manager 2012 only)
◆ Software distribution deployments
◆ Task sequence deployments
◆ Application deployments
◆ Software update deployments
◆ Software update list deployments
◆ Baseline deployments
◆ Boundaries
◆ Boundary groups (from Configuration Manager 2012 only)
◆ Global conditions (from Configuration Manager 2012 only)
◆ Software distribution packages
◆ Applications (from Configuration Manager 2012 only)
◆ Virtual application packages (from Configuration Manager 2007 only)
◆ App-V virtual environments (from Configuration Manager 2012 only)
◆ Software updates
◆ Deployments
◆ Deployment packages
◆ Deployment templates
◆ Software update lists
◆ Software update groups (from Configuration Manager 2012 only)
◆ Automatic deployment rules (from Configuration Manager 2012 only)
◆ Operating system deployment
◆ Boot images
◆ Driver packages
◆ Drivers
◆ Images
◆ Installer
◆ Task sequences
◆ Settings management
◆ Configuration baselines
◆ Configuration items
◆ Asset Intelligence
◆ Catalog
◆ Hardware requirements
◆ User-defined categorization list
◆ Software metering rules
◆ Saved searches (from Configuration Manager 2012 only)

Role-Based Administration

In Configuration Manager 2012, role-based administration is a feature that brings you “Show me what’s relevant for me” based on security roles and scopes. Configuration Manager 2012 comes with 15 standard roles, and you can also create custom roles.

Role-based administration is based on the following concepts:
Security Roles What types of objects can someone see, and what can they do to them?
Security Scope Which instances can someone see and interact with?
Collections Which resources can someone interact with?
 
As part of role-based administration you are able to limit collections; every collection is limited by another. Assigning a collection to an administrator will automatically assign all limited collections.
While planning role-based administration, explore the 15 standard roles and assign the rights to your administrators depending on the part of Configuration Manager they need to manage.
 
The 15 different roles from which you can choose are these:
  1. Application administrator
  2.  Application author
  3.  Application deployment manager
  4.  Asset manager
  5.  Company resource access manager
  6.  Compliance settings manager
  7.  Endpoint protection manager
  8.  Full administrator
  9.  Infrastructure administrator
  10.  Operating system deployment manager
  11.  Operations administrator
  12.  Read-only analyst
  13.  Remote tools operator
  14.  Security administrator
  15.  Software updates manager
Role-based administration allows you to map organizational roles of administrators to security roles. Hierarchy-wide security management is done from a single management console.

You can add Active Directory user accounts to Configuration Manager 2012 in the Configuration Manager 2012 console. In the Administration workspace you will find Administrative Users under Security; here you can add the user accounts from your users who need to have access to Configuration Manager 2012. After adding the user accounts you can assign them the proper role.
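To make the three concepts concrete, here is an added example (not from the original text, and not Configuration Manager's own evaluation logic) that models an access check as the conjunction of a security role (what can be done to which object type), a security scope (which instances) and the administrator's collections, expanded through the limiting-collection tree as described above. The role names come from the list on the page; the rights they carry, the collections and the administrator are constructed sample data.

```python
"""Toy model of how security roles, security scopes and collections combine.

Added example, not from the original text and not Configuration Manager's
own evaluation logic. The role names are taken from the list on the page; the
permissions they carry, the collections and the administrator are constructed.
"""

# constructed collections: each collection is limited by its parent (None = root)
LIMITING = {
    "All Systems": None,
    "All Workstations": "All Systems",
    "EU Workstations": "All Workstations",
    "US Workstations": "All Workstations",
    "All Servers": "All Systems",
}

# constructed rights per role: object type -> permissions granted
ROLES = {
    "Application deployment manager": {"Application": {"Read", "Deploy"}, "Collection": {"Read"}},
    "Read-only analyst": {"Application": {"Read"}, "Collection": {"Read"}, "Package": {"Read"}},
}


def collections_under(assigned, limiting=LIMITING):
    """Expand the assigned collections to all collections limited by them, transitively."""
    result = set()
    for name in limiting:
        current = name
        while current is not None:
            if current in assigned:
                result.add(name)
                break
            current = limiting.get(current)
    return result


def can_perform(admin, permission, obj, roles=ROLES, limiting=LIMITING):
    """True only when the role, the scope and the collection checks all pass."""
    # Security role: does any held role grant this permission on this object type?
    if not any(permission in roles[r].get(obj["type"], set()) for r in admin["roles"]):
        return False
    # Security scope: is this instance in one of the administrator's scopes?
    if obj.get("scope") is not None and obj["scope"] not in admin["scopes"]:
        return False
    # Collections: is the targeted collection inside the administrator's collection tree?
    target = obj.get("collection")
    if target is not None and target not in collections_under(admin["collections"], limiting):
        return False
    return True


# constructed administrator: may deploy EU applications to EU workstations only
EU_DEPLOYER = {
    "roles": {"Application deployment manager"},
    "scopes": {"EU"},
    "collections": {"EU Workstations"},
}

if __name__ == "__main__":
    ok = can_perform(EU_DEPLOYER, "Deploy",
                     {"type": "Application", "scope": "EU", "collection": "EU Workstations"})
    print("EU deploy to EU Workstations:", ok)
```

The point of the model is that a denial in any one of the three checks is enough: holding the deployment role does not help when the application sits in another scope or the target collection is outside the administrator's assigned tree.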

Client Settings and Client Deployment

With Configuration Manager you are able to create different client user and client device settings packages for different collections. Besides the default client agent settings that are available for the entire hierarchy, you can create custom client settings that you can assign to collections. Custom client settings override the default client settings. The resultant settings can be an aggregation of default and one or more custom settings.

Implementing client settings is the easiest step to reduce the infrastructure; there is no need for primary sites for different client settings.

Depending on the implementation or migration scenario, different ways of deploying the Configuration Manager client to the devices are supported. Configuration Manager 2012 still supports the client push mechanism and pushing clients via the WSUS infrastructure. Deploying the client with a third-party application deployment environment or Active Directory is of course also possible.

Discovery of Your Resources

The methods of resource discovery have not changed since Configuration Manager 2007. You can use multiple ways to discover different types of resources in the network. You define which resources you want to discover, how often, and using which scope. The following methods are available:
Heartbeat Discovery Used to send a discovery data record from the client to the site periodically; it’s a method to renew client data in the Configuration Manager database. Heartbeat discovery is available for primary sites.
Active Directory Forest Discovery Used to discover Active Directory forests from the Active Directory Domain Services. It discovers site server forests plus any trusted forests and supports boundary creation on demand and automatically. Active Directory forest discovery can be configured only on a CAS or a primary site.
Active Directory Group Discovery Used to discover group membership of computers and users from the Active Directory Domain Services. Active Directory group discovery is available for primary sites.
Active Directory System Discovery Used to discover computer accounts from the Active Directory Domain Services. Active Directory system discovery is available for primary sites.
Active Directory User Discovery Used to discover user accounts from the Active Directory Domain Services. Active Directory user discovery is available for primary sites.
Network Discovery Used to discover resources on the network such as subnets, SNMP-enabled devices, and DHCP clients. Network discovery is available for primary sites and secondary sites.

Be sure to plan the resource discovery well. For instance, if there is no need to discover the whole Active Directory, plan the resource discovery to discover only resources in dedicated Active Directory organizational units. This way you keep the Configuration Manager environment free of unwanted objects. Discovered resources can be added to collections, which can be used to deploy applications or compliancy settings to the resources.

Site Security Mode

Configuration Manager 2007 had two security modes: mixed mode and Native mode. In Configuration Manager 2007, mixed mode was the default mode, which used port 80 to communicate with the clients. Configuration Manager 2007 in Native mode was the more secure mode, which integrated PKI to secure client/server communications. The security mode in Configuration Manager 2007 was site wide.

In Configuration Manager 2012, the concept of Native and mixed modes has been replaced and simplified. You are now able to decide per individual site system role whether clients can connect through HTTP or HTTPS. Instead of configuring a site as mixed or Native mode, you must configure the site role to use HTTP (port 80), HTTPS (port 443), or both. This way, you are more flexible if you want to implement a PKI to secure intranet client communications.

To allow secure communications between your clients and site servers, a PKI needs to be present in your environment, and certificate templates need to be created to be able to enroll certificates for the Configuration Manager 2012 site systems and the Configuration Manager 2012 clients.
The following site roles can be configured in HTTP or HTTPS mode:

◆ Management point
◆ Distribution point
◆ Enrollment point
◆ Enrollment proxy point
◆ Out of band service point
◆ Application Catalog web service point
◆ Application Catalog website point
◆ Software update point (SSL)
 
Internet-based clients and mobile devices always use secure HTTPS connections. For Internet-based clients, you need to install a site system server in a demilitarized zone (DMZ) and configure the Internet-facing site roles to accept HTTPS client communications and connections from the Internet. When you configure Configuration Manager 2012 to be accessible from the Internet, you can support your clients from the Internet. If you have a lot of mobile workers, managing your Configuration Manager 2012 clients is essential. Mobile devices communicate over the air via the Internet to your Configuration Manager 2012 environment. For this reason, the communication between the Configuration Manager 2012 environment and mobile devices must be secure.
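The rules in this section (only the listed roles take an HTTP/HTTPS setting, Internet-facing roles accept HTTPS only, HTTPS requires a PKI-issued site system certificate) can be reviewed from a simple inventory of role settings. The following is an added example, not from the original text: the role list is the one given above, while the sample configuration, its field names and the finding texts are this example's own. The "Reporting services point" entry is a real site role used here only to show how a role outside the list is handled.

```python
"""Review of site system role protocol settings against the rules on the page.

Added example, not from the original text. The list of roles that can be set
to HTTP or HTTPS is the one given above; the sample configuration, the field
names and the finding texts are this example's own.
"""

HTTP_HTTPS_ROLES = {
    "Management point",
    "Distribution point",
    "Enrollment point",
    "Enrollment proxy point",
    "Out of band service point",
    "Application Catalog web service point",
    "Application Catalog website point",
    "Software update point",
}


def review_roles(roles_config):
    """Return (role, finding) pairs for each configured role that violates a rule."""
    findings = []
    for entry in roles_config:
        role, protocols = entry["role"], set(entry["protocols"])
        if role not in HTTP_HTTPS_ROLES:
            findings.append((role, "not an HTTP/HTTPS-configurable role; review separately"))
            continue
        unknown = protocols - {"HTTP", "HTTPS"}
        if unknown:
            findings.append((role, f"unknown protocol setting {sorted(unknown)}"))
        # Internet-based clients and mobile devices always use HTTPS
        if entry.get("internet_facing") and protocols != {"HTTPS"}:
            findings.append((role, "Internet-facing role must accept HTTPS only"))
        # HTTPS on a site system needs a certificate enrolled from the PKI
        if "HTTPS" in protocols and not entry.get("pki_cert_present"):
            findings.append((role, "HTTPS enabled but no PKI-issued site system certificate"))
    return findings


# constructed sample: an intranet site server plus one role in the DMZ
SAMPLE_CONFIG = [
    {"role": "Management point", "protocols": ["HTTP", "HTTPS"],
     "internet_facing": False, "pki_cert_present": True},
    {"role": "Management point", "protocols": ["HTTP", "HTTPS"],
     "internet_facing": True, "pki_cert_present": True},    # DMZ server, still allows HTTP
    {"role": "Distribution point", "protocols": ["HTTPS"],
     "internet_facing": False, "pki_cert_present": False},  # HTTPS chosen, no certificate yet
    {"role": "Reporting services point", "protocols": ["HTTP"]},  # real role, not in the list
]

if __name__ == "__main__":
    for role, finding in review_roles(SAMPLE_CONFIG):
        print(f"{role}: {finding}")
```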

Site Communications

The method of replicating data between sites has changed in Configuration Manager 2012. Synchronization of site information between sites is done by database replication, based on SQL Server Service Broker. The Data Replication Service is used to replicate the Configuration Manager 2012 database between the SQL Server databases of other sites in a Configuration Manager 2012 hierarchy. Global data and site data are replicated by database replication.

When you install a new site in the hierarchy, a snapshot of the parent site database is taken. The snapshot is transferred by server message blocks (SMB) to the new site, where it is inserted into the local database by bulk copy procedure (BCP). 

For application or package content, file-based replication is still used, and it uses addresses and senders to transfer data between the sites in the hierarchy. The SMB protocol (TCP/IP port 445) is still used for file-based replication.

| Data | Examples | Replication Type | Data Location |
| --- | --- | --- | --- |
| Global data | Collection rules, package metadata, software update metadata, deployments; anything created by administrators or scripts | SQL | Central Administration Site, all primary sites, subsets on secondary sites |
| Site data | Collection membership, inventory, alert messages; any data created by clients in normal operations | SQL | Central Administration Site and originating primary site |
| Content | Software package installation sources, software update sources, boot images | File based | Primary sites, secondary sites, and distribution points |

SQL Considerations

While planning the Configuration Manager 2012 infrastructure you also need to plan the SQL environment. 

Consider the following design rules for your SQL environment:
◆ If you use a remote database server, ensure that the network between the site server and the remote database server is a high-available and high-bandwidth network connection.
◆ Each SMS provider computer that connects to the site database increases network bandwidth requirements. The exact bandwidth is unpredictable because of the many different site and client configurations.
◆ SQL Server must be located in a domain that has a two-way trust with the site server and each SMS provider. Best practice is to place SQL Server in the same domain as the SMS provider and SMS site servers.
◆ Clustered SQL Server configurations for the site database server when the site database is collocated with the site server are not supported.


Best Practices for Site System Design

When planning and designing a Configuration Manager 2012 site hierarchy, you also need to place your site system roles on the right server. Depending on the role and the size of the site, the role can consist of other roles on one or more site servers. This section will provide information about some best practices for capacity planning of Configuration Manager 2012. 

Capacity Planning of Configuration Manager 2012

The following table lists the maximum recommendations for planning and designing your Configuration Manager 2012 infrastructure. The actual figures depend on your available hardware, your network infrastructure, and also on your demands.

| Site System | Number | Description |
| --- | --- | --- |
| Clients | 400,000 | This is the maximum number of clients supported for the entire Configuration Manager 2012 hierarchy. |
| Primary site | 25 | A Central Administration Site supports up to 25 child primary sites. |
| Primary site | 100,000 | A primary site supports up to 100,000 clients. |
| Secondary site | 250 | There is a maximum of 250 secondary sites per primary site. |
| Secondary site | 5,000 | A secondary site can support communications from up to 5,000 clients. |
| Management point | 10 | A primary site can support up to 10 management points. |
| Management point | 25,000 | One management point can support up to 25,000 clients. |
| Distribution point | 4,000 | A distribution point is capable of supporting up to 4,000 clients. |
| Distribution point | 250 | A site can hold up to 250 distribution points. |
| Pull distribution point | 2,000 | Each primary and secondary site supports up to 2,000 pull distribution points. |
| PXE-enabled distribution points | 250 | Up to 250 PXE-enabled distribution points are supported per primary site. |
| Software update point | 25,000 | If the software update point runs on the WSUS server and other site roles coexist, the software update point supports up to 25,000 clients. |
| Software update point | 100,000 | If the software update point runs on the WSUS server and no other site roles coexist, the software update point supports up to 100,000 clients. |
| System health validator point | 100,000 | The system health validator point in Configuration Manager 2012 supports up to 100,000 clients or one per hierarchy if fewer than 100,000 clients. |
| Fallback status point | 100,000 | The fallback status point in Configuration Manager 2012 supports up to 100,000 clients or one per site. |
| Application Catalog website point | 400,000 | One Application Catalog website point supports up to 400,000 clients, but for better performance, plan for 50,000 clients per point. |
| Application Catalog web service point | 400,000 | One Application Catalog web service point supports up to 400,000 clients. Best practice is to place the website point and web service point on the same server. |
| Packages and applications per distribution point | 10,000 | A distribution point supports up to 10,000 packages and applications. |
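The table is easiest to apply as a set of arithmetic checks on a proposed site list. The script below is an added example, not from the original text: the limits are the figures from the table and the CAS rule is the one given earlier (more than one primary site requires a CAS); the derivation (one management point per 25,000 clients, one distribution point per 4,000, a dedicated WSUS server once a primary site exceeds 25,000 clients) and the sample site list are this example's own simplifications.

```python
"""Capacity planning helper built on the maximum figures in the table above.

Added example, not from the original text. The limits come from the table;
the derivation (one management point per 25,000 clients, one distribution
point per 4,000, a CAS as soon as there is more than one primary site) and
the sample site list are this example's own.
"""

LIMITS = {
    "clients_per_hierarchy": 400_000,
    "primary_sites_per_cas": 25,
    "clients_per_primary_site": 100_000,
    "management_points_per_primary": 10,
    "clients_per_management_point": 25_000,
    "clients_per_distribution_point": 4_000,
    "distribution_points_per_site": 250,
    "clients_per_sup_shared": 25_000,         # SUP sharing its server with other roles
    "clients_per_sup_dedicated": 100_000,     # SUP alone on the WSUS server
    "clients_per_app_catalog_point": 50_000,  # recommended figure, not the 400,000 maximum
}


def ceil_div(a, b):
    """Integer division rounded up."""
    return -(-a // b)


def plan_capacity(clients_per_primary):
    """clients_per_primary: {site_code: client_count}. Returns the derived plan plus violations."""
    total = sum(clients_per_primary.values())
    plan = {
        "total_clients": total,
        "cas_required": len(clients_per_primary) > 1,
        "app_catalog_points": max(1, ceil_div(total, LIMITS["clients_per_app_catalog_point"])),
        "sites": {},
        "violations": [],
    }
    if total > LIMITS["clients_per_hierarchy"]:
        plan["violations"].append(f"hierarchy: {total} clients exceeds 400,000")
    if len(clients_per_primary) > LIMITS["primary_sites_per_cas"]:
        plan["violations"].append("hierarchy: more than 25 primary sites under the CAS")
    for code, n in clients_per_primary.items():
        site = {
            "clients": n,
            "management_points": ceil_div(n, LIMITS["clients_per_management_point"]),
            "distribution_points": ceil_div(n, LIMITS["clients_per_distribution_point"]),
            "sup_needs_dedicated_wsus": n > LIMITS["clients_per_sup_shared"],
        }
        if n > LIMITS["clients_per_primary_site"]:
            plan["violations"].append(f"{code}: {n} clients exceeds 100,000 per primary site")
        if site["management_points"] > LIMITS["management_points_per_primary"]:
            plan["violations"].append(f"{code}: needs more than 10 management points")
        if site["distribution_points"] > LIMITS["distribution_points_per_site"]:
            plan["violations"].append(f"{code}: needs more than 250 distribution points")
        if n > LIMITS["clients_per_sup_dedicated"]:
            plan["violations"].append(f"{code}: exceeds what one software update point supports")
        plan["sites"][code] = site
    return plan


# constructed sample: two primary sites, so a CAS is required
SAMPLE_SITES = {"P01": 90_000, "P02": 30_000}

if __name__ == "__main__":
    plan = plan_capacity(SAMPLE_SITES)
    print("CAS required:", plan["cas_required"])
    for code, site in plan["sites"].items():
        print(code, site)
    print("violations:", plan["violations"] or "none")
```

The distribution point count it produces is a floor derived from the per-client limit only; local content needs at branch locations, as discussed under the design questions earlier, usually push the real number higher.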