Thursday, 30 June 2016

Installing Site System Roles

The process just discussed results in a hierarchy with three sites: a Central Administration Site, a primary site, and a secondary site. But just installing the sites doesn’t mean that installation is complete. In order to provide service to clients that will be interacting with these sites, you must first decide what services will be provided and then configure the additional site components that facilitate providing the needed services. These site components are also known as site system roles. The ones available for a given site will depend on the site type:

Central Administration Site
◆ Asset Intelligence synchronization point
◆ Certificate registration point
◆ Endpoint protection point
◆ Reporting Services point
◆ Software update point
◆ System Health Validator point
◆ Windows Intune Connector
 
Primary site
◆ Application Catalog web service point
◆ Application Catalog website point
◆ Certificate registration point
◆ Enrollment point
◆ Enrollment proxy point
◆ Fallback status point
◆ Out of band service point
◆ Reporting Services point
◆ State migration point
◆ System Health Validator point
 
Secondary site
◆ Software update point
◆ State migration point

Notice that the term interacting was used in regard to clients and site servers. Administrators familiar with Configuration Manager may have expected the term assigned to be used instead. This term was used on purpose because in Configuration Manager clients can only be assigned to primary sites but are able to interact with any site their boundaries match. This concept is known as roaming and describes how clients are able to interact with secondary sites and other primary sites if they’re within defined boundaries for those sites. Roaming is beyond the scope of discussion for this section.

A common element in installing all site system roles is the Add Site System Roles Wizard. Before launching the wizard to add the role, you must first decide whether the role will be added to an existing server or a new server. In the example hierarchy just built, that means a choice of adding the new role to a site server itself or creating a new server on which to add the role (both are shown in Figure).


◆ If you’re adding to an existing server, simply right-click that server under the Servers and Site System Roles node of the console, and choose Add Site System Roles.
◆ If you’re adding a new server to host a site system role, that process is initiated by selecting the Create Site System Server action from the Home tab of the ribbon.

A single remote site system server cannot host roles from multiple sites!
Both methods will result in the Create Site System Server Wizard being launched. The only difference is that when you add to an existing server, the server name field is populated and grayed out, and there is no option to specify the site code that the server should support, since it is already part of a site. For the example, site system roles are being added to the primary site, which already exists. The first page of the wizard is shown in Figure
 


On this page of the wizard you have the opportunity to provide a server name. This option will be available only if you’re creating a new site system server. In addition, options are available to supply the FQDN of the server if it will be addressable from the Web. This option was also available in Configuration Manager 2007, but this brings up an interesting point of discussion. Configuration Manager 2007 supported two security modes: standard security and native mode security. Native mode security was required when specific functions were to be used, such as Internet-based client management and mobile device management. Native mode as a security option in Configuration Manager 2012 is gone and has been replaced by the ability to designate site system servers as those that will participate on the Internet or serve other functions that require certificate-based security. In this way the additional security afforded by certificates can be applied just where it’s needed: to the site system itself.

The option Require The Site Server To Initiate Connections To This Site System appears to be new but is actually just a relabeling of the Configuration Manager 2007 option that was on this page: Allow Only Site Server Initiated Data Transfers From This Site System. The goal of this option, as the wizard states in Configuration Manager 2012, is to designate that communication to site systems should be initiated from the site server itself rather than the site system pushing data back to the site server. This adds security and also accommodates scenarios where trusts aren’t in place to support cross-forest authentication.
  
Administrators accustomed to previous versions of Configuration Manager may note that the option to set the site system as a protected site system is no longer available on the first page of the Create Site System Server Wizard. Site system protection only ever applied to distribution points and state migration points. Because distribution points and state migration points are protected by default in the new design of Configuration Manager 2012 R2 (more on that shortly), the option was not needed in the Create Site System Server Wizard. Clicking Next in the wizard moves you to the page where you select which site system roles should be added to the target server. Once you select the roles and continue moving through the wizard, you must configure the various options on the role-specific pages that will be displayed. Those pages will be discussed shortly for each type of site system. As previously stated, the available site system roles for a given server depend on the type of server being configured. Each available site system role is described next.
