For some time now I have been occupied with my little book project; it has taken a lot of time from my blogging since it has been completely new territory for my part. But it has been a unique learning experience and I think that I’ve never been this good at using Word… Ever!
A while back a publisher contacted me and asked if I was interested in writing a book for them. At first I thought nah… don’t have the time and capacity to finish this in time.. But after thinking about it a couple of days I thought, when am I going to get this opportunity again? Therefore I said yes! Fast forward a couple of months and here I am with the finished product.
So allow me to introduce my little book
Configuration Manager 2012 High-availability and Performance Tuning
This is the first time I’ve ever written anything that was over 10 pages (yes, including school as well) and it has been a unique experience, and I wish to thank the publisher Packt www.packtpub.com who has given me this opportunity.
I also wish to thank my reviewers
Marius Skovli and Dragos Madarasan for good feedback in the review process.
Another fancy feature from within Configuration Manager is the ability to create VHDs directly from the console by using a task sequence. Think of the possibilities of creating golden images by building a VHD file and then importing this directly into SCVMM.
In order to do this process there are a couple of requirements.
* You need a physical computer which runs Hyper-V (Windows 8 or 2012 +) (NOTE: Had some trouble running the R2 ConfigMgr on Hyper-V 2012 R2 so I used 2012 for this guide.)
* You need the Configuration Manager console installed on the physical computer
* Should not be the site server
Now the first thing we do after installing the R2 console is to go into Software Library –> Operating Systems –> Task Sequences.
Then right-click and choose “Create a new task sequence” –> “Install an existing image package to a virtual hard disk”
Next we follow the procedures here and enter the information.
Now after we are done with creating the task sequence we can continue on with creating the VHD. We go into Software Library –> Operating Systems –> Virtual Hard disks, right-click and choose “Create Virtual harddisk”
First it builds an ISO file with the task sequence and creates a VM in Hyper-V.
You can see a random VM name appears.
Note: you can view the smsts.log for any errors that might occur while the task sequence runs inside the VM (before formatting, this log is placed on the X: drive).
To troubleshoot on the Hyper-V server you can view CreateTSMedia.log and DeployToVHD.log, which are located under %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminConsole
Remember that this process creates a local VM instance on that Hyper-V server, which it spins up to run the particular task sequence (when it is done it shuts down the VM and removes it from Hyper-V), and you are left with the VHD.
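To pull only the warnings and errors out of those logs, here is an added example (not part of the original post). It assumes the logs use the CMTrace entry layout shown in the first comment; the function name and the sample entries are made up for illustration.

```powershell
# Added example. Assumption: the logs use the CMTrace entry layout
#   <![LOG[message]LOG]!><time=".." date=".." component=".." context="" type="N" thread=".." file="..">
# with type 2 = warning and type 3 = error.
function Get-CmLogProblem {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Text,
        [string]$Source = 'inline',
        [ValidateRange(1, 3)][int]$MinimumType = 2
    )
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"' +
               '\s+component="(?<comp>[^"]*)"[^>]*?\stype="(?<type>\d)"'
    # Singleline lets a message span several physical lines.
    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        $type = [int]$m.Groups['type'].Value
        if ($type -lt $MinimumType) { continue }
        [pscustomobject]@{
            Source    = $Source
            When      = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $(if ($type -eq 3) { 'Error' } else { 'Warning' })
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries (not taken from a real run).
$sample = @'
<![LOG[Starting VHD creation]LOG]!><time="10:01:02.100+-60" date="01-15-2014" component="DeployToVhd" context="" type="1" thread="4" file="sample.cs:10">
<![LOG[Constructed warning: retrying operation]LOG]!><time="10:01:05.200+-60" date="01-15-2014" component="DeployToVhd" context="" type="2" thread="4" file="sample.cs:20">
<![LOG[Constructed error: operation failed
second line of the same message]LOG]!><time="10:01:09.300+-60" date="01-15-2014" component="CreateTsMedia" context="" type="3" thread="7" file="sample.cpp:30">
'@
Get-CmLogProblem -Text $sample | Format-List

# Real logs: search below the AdminConsole folder named in the post.
$root = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Configuration Manager\AdminConsole'
if (Test-Path $root) {
    Get-ChildItem $root -Recurse -Include 'CreateTSMedia.log', 'DeployToVHD.log' | ForEach-Object {
        Get-CmLogProblem -Text ([string](Get-Content $_.FullName -Raw)) -Source $_.Name
    }
}
```

On the constructed sample this returns two entries, the warning and the two-line error; the informational entry is filtered out.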
Well, a long time since I’ve managed to blog! But I’ll give a quick update about the book I’m writing. I’m writing a book about Configuration Manager which is going to cover high-availability and performance tuning, really exciting times! It takes up a lot of my time, therefore my lack of blogging lately.
Anyway, this is something I’ve postponed for some while now, which is cloud-based distribution points!
Cloud-based distribution points are something that came with Service Pack 1 in System Center. Cloud-based DPs are really much like a regular DP except for the following:
* You cannot use a cloud-based distribution point to host software updates
* You cannot use a cloud-based distribution point for PXE or multi-cast deployments
* You cannot use a cloud-based distribution point during a task sequence that requires a task to Download content locally when needed by running task sequence.
* You cannot use a cloud-based distribution point to offer packages that are set up with run from Distribution Point
* You cannot use a cloud-based distribution point to host virtualized applications
* You cannot set a cloud-based distribution point as pull-based or as source distribution point.
Content that is sent from Configuration Manager to Azure is copied in encrypted form. In order to set up a Cloud DP you need a couple of things.
First off, you need a management certificate which you can use against Azure; you can follow my recipe from my previous post.
You also need to generate a certificate which should be created using the same PKI structure as for the regular Configuration Manager solution. This certificate should be created using the web server template. This certificate should contain a FQDN which your clients should be able to resolve using DNS.
You can read more about the certificate here –> http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_clouddp2008_cm2012
Here we have to enter the subscription ID, which we can get from Azure, and the management certificate.
Next we choose what region and what site this DP should be associated with, as well as add a certificate generated by our internal PKI for the DP.
Next we configure alerts and thresholds. After this is done we have to change the client policy to allow access to cloud DP
And we can see in the monitoring pane that the cloud DP is functional.
Under the FQDN enter a name for the server (which resembles the certificate name). This record has to be added to the DNS zone, either internally (if only for internal clients) or on the external zone. The IP address of the distribution point in Azure is found under cloud services.
After this is done, we also have to modify the client policy settings to allow clients access to the distribution point. If you go into the storage blob and look under containers you can see the different packages that have been distributed to the cloud DP.
After I have distributed content I can see the package ID under the container in the storage pane.
And there we go, will try to write up a follow-up which covers multi cloud DP points.
One of the awesome features in Configuration Manager SP1 is the ability to define a distribution point as pull based. In essence what it does is that instead of pushing content from a site server to all the distribution points within a site, you define a pull DP and a source DP.
Then, when you distribute content from a site server to a group of source DPs, the pull-based DPs will get the content from the source DPs. This way you reduce the load on the site server itself, and you might also distribute data more efficiently. Think of it: what if the site server has a low-bandwidth connection to DP2 in the branch office but DP1 has a high-bandwidth connection to DP2?
This way it allows for more efficient data distribution.
And please note:
You can’t use a site server DP as pull-based
You can’t use a cloud-based DP as pull-based or as a source
A distribution point set with rate limiting which is then configured as pull-based distribution point will ignore any rate limiting configuration set.
Another nice feature on the DP which I’m going to cover in another post is cloud-based distribution point, and of course rate limiting.
This allows you to define a schedule and bandwidth in % when sending content from a site server to a DP. (Remember that these settings are only visible for DPs that are not on the site server.) When you define rate limiting you have three options.
Uses all the available bandwidth (no restrictions)
2: Pulse Mode
Allows you to define that the content is to be split up in chunks in terms of KBs and how often they should be transmitted (with a delay between blocks)
3: Limited to specified maximum transfer rates by hour
It is important to note that this option does not register how much bandwidth is available to Configuration Manager. For instance, if you set this to 50% for 0 to 1 hours, ConfigMgr will send data the first 30 mins then stop sending data the next 30 mins.
Now Citrix released a beta build of Excalibur a couple of months ago, which shows the next generation of XenDesktop and XenApp architecture. (Well actually just XenDesktop, since the XenApp architecture is disappearing)
In addition, with this release we have some fancy choices for how to manage the machines within XenDesktop.
Excalibur will add additional WMI classes to all its desktops.
Which are listed here –>
This allows you to create collections based upon if it’s VDI or Session host based, and even if it is assigned to a user or not.
Now in order to make these attributes available in Configuration Manager we have to add some WMI classes.
Go into Client Settings -> and alter the clients policy -> Go into hardware inventory and choose add classes. And from the list choose Add Hardware inventory class. From there you can browse to a remote computer that is installed as a VDA and in the namespace you can type \root\citrix\desktopinformation
And choose «Citrix_VirtualDesktopInfo»
Then Press OK
This will give you some more attributes on that WMI class
Which you can again use to create collections based on the variables.
Since Excalibur does not have any direct integration with for instance App-V you can now create user-based assignments to delivery groups.
So the user has multiple options of application deliveries.
Either via Software Portal and Configuration or Storefront with Citrix.
Had some trouble with a case today that the application catalog would not start. When we opened the catalog they could not connect to the catalog service and got this error message. According to the error message it could not connect to the application service.
When we checked the service in the ConfigMgr console we could see that the Application Catalog Web Point had status Critical.
So we checked the latest events for that component.
As we can see here WCF is not activated, so make sure that WCF is installed.
After the component is installed, try to reinstall the Application Portal Catalog point and it should work.
And now you can connect your on-premise ConfigMgr instance with Intune for more broad device management.
Here you have a list of the fully supported mobile devices.
Still missing the direct support for Android based phones but I’m guessing that is on the horizon as well
For Windows 8 users, they will get a new Self-service portal in order to get their apps, which is going to be a fully blown “new-gui” app.
You can read more about what’s new here –> http://bit.ly/ZBOdcs
With Service Pack 1 there are a lot of new features available for instant actions. ConfigMgr is not happening “real-time”, so when you deploy software to a computer it needs to wait for the computer to update its policy before it realizes that new software is available. With Service Pack 1 you have more options to “speed things up”; for instance you can do a remote computer policy update from within ConfigMgr.
This is pretty similar to what you can do in Windows Server 2012 and Group Policy management, where you can do a remote force update of policy.
So as you can see we have
“Client Notification –> from here we can choose Update Computer Policy”
“Endpoint Protection –> Update definition and full scan on the collection”
You can also do this at computer level; the options available will reflect what components are installed. So if Endpoint Protection is not installed you cannot force update the definitions or run a full scan.
So in this case Endpoint Protection is not installed on this computer, so we cannot update the endpoint. But these new features will allow administrators to more quickly deploy updates / applications / endpoint definitions to computers.
Just remember that running updates on a large collection might result in a CPU spike on the Management Servers.
Now on the other hand we also have the ability to automate jobs from Orchestrator against Configuration Manager.
Now why would we do this ?
Just pretend we have a runbook that creates multiple virtual machines for a customer. We would want to have a custom computer collection created for that customer where we place all these new computers, and where we would deploy baselines based upon what applications that customer wants as well. It might also be that a superuser wishes to deploy a new application that he purchased for his users. I’ll give some better examples as we go through here.
Now let’s take a look at the activities we have available in Orchestrator.
* Deploy program
* Add Collection Rule
* Create Collection
* Perform Client Action
* Get Deployment Status
* Get Collection
* Deploy Task Sequence
* Query ConfigMgr
* Deploy Software Update
* Delete Collection
* Delete Collection rule
* Update Collection Membership
* Deploy Software
* Deploy Application
* Deploy Configuration Baseline
These actions can be used to deploy a runbook for a customer. For instance a superuser can issue an application deployment for its users after the software has been ordered.
Or a new customer can get a new computer collection created for its computers (or for instance a new VMM deployment can get a computer collection created in ConfigMgr and get baselines attached to it)
There are endless options here for deployment. You can also use this to do an instant “update” on the client using the Perform Client Action activity.
With the major release of System Center 2012, and soon to be Service Pack 1, Microsoft has updated the end-of-life of its former System Center 2007 products.
Operations Manager 2007
Data Protection Manager 2007
System Center Virtual Machine Manager
And with the release of Windows Server 2012, System Center 2012 with SP1 is the only viable option.
Now Configuration Manager is a complex beast. When designing a ConfigMgr site you have to plan your network carefully, because there is going to be a lot of traffic going back and forth from your servers to your clients, and from your servers to your other servers. So you have to consider how many clients and how many distribution points you are going to have for your site, also depending on what kind of features you are going to use.
Now before we start with the networking part, let’s review the supported configuration and hardware requirements.
25 child primary sites.
250 secondary sites.
10,000 devices running windows embedded
10 Management Points
250 Distribution Point
1 Fallback Status Point
Multiple Application Catalog Website Point
1 Management Point
Fallback Status Point:
Software Update Point:
Application Catalog Website Point:
Application Catalog Web Service Point:
And as you can see this can lead to a VERY complex setup if you have a large environment. Microsoft has also deployed Configuration Manager on their own computers.
And Microsoft has also made a good hardware requirements list.
You can read more about it here –> http://bit.ly/S3fRJB
Clients search for a management point by using the following options in the order specified:
- Management point (If specified by agent installation)
- Active Directory Domain Services
Now when an agent connects to an MP it makes a list of all the management points which are within the boundary, and if the client has a PKI certificate installed it makes a priority list of all MPs that have HTTPS enabled.
Now let’s start with the client communication to the servers. There are 3 ports that are commonly used
Port 443 HTTPS = Used to communicate with a management point over HTTPS
Port 445 SMB = Used to communicate
Port 80 = Used to contact the Fallback status point
New with SP1! Port 10123 = Client Notification, to start or initiate a malware or policy update/scan
Port 9 UDP = Wake on Lan
You can see more about the port requirements for ConfigMgr here –> http://technet.microsoft.com/en-us/library/hh427328.aspx
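To confirm that firewalls between a client subnet and the site systems actually allow the TCP ports listed above, here is an added example (not part of the original post) to run from a client. The function name and the host names are placeholders, and because the post does not say which role port 445 goes to, the SMB target is a parameter.

```powershell
# Added example. Host names are placeholders; the port list is the one from the post.
# UDP 9 (Wake on LAN) is left out because a connectionless port cannot be probed this way.
function Test-CmClientPort {
    param(
        [Parameter(Mandatory)][string]$ManagementPoint,
        [Parameter(Mandatory)][string]$FallbackStatusPoint,
        [string]$SmbServer = $ManagementPoint,   # assumption: the post does not name the 445 target
        [int]$TimeoutMs = 3000
    )
    $checks = @(
        @{ Target = $ManagementPoint;     Port = 443;   Purpose = 'Management point over HTTPS' }
        @{ Target = $SmbServer;           Port = 445;   Purpose = 'SMB' }
        @{ Target = $FallbackStatusPoint; Port = 80;    Purpose = 'Fallback status point' }
        @{ Target = $ManagementPoint;     Port = 10123; Purpose = 'Client notification (SP1)' }
    )
    foreach ($c in $checks) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Asynchronous connect so a silently dropped packet does not hang the check.
            $async = $client.BeginConnect($c.Target, $c.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)
                $open = $client.Connected
            }
        } catch {
            $open = $false   # name resolution failure or connection refused
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Target = $c.Target; Port = $c.Port; Purpose = $c.Purpose; Reachable = $open }
    }
}

# Placeholder names; replace with your own site systems.
Test-CmClientPort -ManagementPoint 'mp01.example.test' -FallbackStatusPoint 'fsp01.example.test' |
    Format-Table -AutoSize
```

A row with Reachable = False for a port the client needs points at a firewall rule or a stopped role rather than at the client agent.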
Now clients connect to a distribution point either via HTTP or HTTPS using BITS. In order to limit network usage you have to specify a client setting for BITS.
Here we can define the bandwidth usage and throttling time.
You can also specify BITS settings in Group Policy. You need to remember that you have to plan which features you are going to use.
If you are using Software Metering, Software Inventory, Baselines & Compliance, Hardware Inventory etc., there are a lot of features that can generate a lot of traffic.