For some time now I have been occupied with my little book project. It has taken a lot of time from my blogging, since it has been completely new territory for my part. But! It has been a unique learning experience and I think that I’ve never been this good at using Word… Ever!
A while back a publisher contacted me and asked if I was interested in writing a book for them. At first I thought nah… I don’t have the time and capacity to finish this in time. But after thinking about it for a couple of days I thought, when am I going to get this opportunity again? Therefore I said yes! Fast forward a couple of months and here I am with the finished product.
So allow me to introduce my little book
Configuration Manager 2012 High-availability and Performance Tuning
This is the first time I’ve ever written anything that was over 10 pages (yes, including school as well) and it has been a unique experience. I wish to thank the publisher Packt (www.packtpub.com) who has given me this opportunity.
I also wish to thank my reviewers, Marius Skovli and Dragos Madarasan, for good feedback in the review process.
Now Citrix released a beta build of Excalibur a couple of months ago, which shows the next generation of the XenDesktop and XenApp architecture (well, actually just XenDesktop, since the XenApp architecture is disappearing).
In addition, with this release we have some fancy choices for how to manage the machines within XenDesktop.
Excalibur adds additional WMI classes to all its desktops, which are listed here:
This allows you to create collections based upon whether a machine is VDI or session host based, and even whether it is assigned to a user or not.
Now in order to make these attributes available in Configuration Manager we have to add some WMI classes.
Go into Client Settings, alter the client policy, go into Hardware Inventory and choose Set Classes. From the list choose Add Hardware inventory class. From there you can browse to a remote computer that has the VDA installed, and in the namespace field you type root\citrix\desktopinformation
and choose Citrix_VirtualDesktopInfo.
Then press OK.
This will give you some more attributes on that WMI class, which you can again use to create collections based on the variables.
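Before adding the class to hardware inventory it is worth checking, from a management workstation, that the VDA actually exposes it and which attributes it carries. The PowerShell below is an added example, not from the original post; the VDA computer name is a parameter you supply, and it assumes your account has remote WMI rights on that machine.

```powershell
# Added example (not from the original post): inspect the Citrix_VirtualDesktopInfo
# class on a VDA before adding it to ConfigMgr hardware inventory, so you know
# which attributes your collection queries will be able to use.
param(
    [Parameter(Mandatory = $true)]
    [string]$VdaComputerName        # hypothetical name of a machine with the VDA installed
)

$namespace = 'root\citrix\desktopinformation'   # namespace from the post
$className = 'Citrix_VirtualDesktopInfo'         # class from the post

# 1. List every (non-system) class the VDA exposes in the Citrix namespace.
Write-Host ('Classes in {0} on {1}:' -f $namespace, $VdaComputerName)
Get-WmiObject -ComputerName $VdaComputerName -Namespace $namespace -List |
    Where-Object { $_.Name -notlike '__*' } |
    Select-Object -ExpandProperty Name

# 2. Show the attributes (and current values) of the class you are about to inventory.
$info = Get-WmiObject -ComputerName $VdaComputerName -Namespace $namespace -Class $className
if (-not $info) {
    Write-Warning ('{0} not found; is the VDA installed on {1}?' -f $className, $VdaComputerName)
    return
}
Write-Host ("`nAttributes of {0} that will appear in hardware inventory:" -f $className)
$info | Get-Member -MemberType Property |
    Where-Object { $_.Name -notlike '__*' } |
    ForEach-Object { '{0,-32} = {1}' -f $_.Name, $info.($_.Name) }
```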
Since Excalibur does not have any direct integration with, for instance, App-V, you can now create user-based assignments to delivery groups, so the user has multiple options for application delivery: either via the Configuration Manager software portal or via Citrix StoreFront.
With the 2012 release of System Center Configuration Manager, planning and designing a hierarchy became a bit more difficult.
Not because of the limitations, but because of the huge mix of different possibilities you have.
For instance, with the introduction of the CAS role (which sits at the top of the hierarchy and is used for managing many primary sites) you have even more options for how to manage your infrastructure.
In addition, with SP1 you have even more options. For instance, you can now have more than one SUP for a primary site (which you could not have before SP1), and the CAS SUP no longer needs to sync directly with Windows Update. So this post is about which factors you need to think of in terms of planning, and how to manage the devices. In addition, many have multiple domains, trusted and untrusted, in different forests, and depending on how you want the flow of traffic to go it takes a lot of planning!
This post is meant as a guideline and might not always present the best options; it just shows some possible examples of how you can deploy Configuration Manager 2012 SP1.
Now first I am going to define what the hierarchy in Configuration Manager looks like.
In the first picture we have a stand-alone site (primary site); in the second picture we have a primary site with two secondary sites.
In addition, in the last picture we have the CAS with three primary sites and their secondary sites.
First I’m going to specify the limits of each hierarchy role:
CAS (does not process client data, and does not support client assignment):
- 400,000 clients (if you use SQL Enterprise), 50,000 if you use Standard
- 25 child primary sites
- Asset Intelligence synchronization point (can only be one in the hierarchy)
- Endpoint Protection point (can only be one in the hierarchy)
- Reporting services point
- Software update point
- System Health Validator point
- Windows Intune connector
Primary Site:
- 250 secondary sites
- 100,000 clients (50,000 clients if SQL is installed on the same computer as the site server)
- 10,000 WES clients
- Application Catalog web service point
- Application Catalog website point
- Asset Intelligence synchronization point (not if it’s a child primary site)
- Fallback status point
- Endpoint Protection point (not if it’s a child primary site)
- Enrollment proxy point
- Out of band service point
- Reporting services point
- Software update point
- State migration point
- System Health Validator point
- Windows Intune connector (not if it’s a child primary site)
Secondary Site (must be linked to a primary site; MP and DP are installed automatically; installs SQL Express if nothing else is available):
- Software update point
- State migration point
Software Update Point:
- 25,000 clients if it is installed on the same server as the site server, 100,000 otherwise
- After SP1: supports multiple SUPs per site
Other limits:
- 250 DPs per primary site
- 250 DPs per secondary site
- 10,000 packages and applications
- 10,000 Mac computers
- 10 MPs per primary site
Now there are some roles that cannot be deployed in an untrusted domain: these are the out of band service point and the Application Catalog web service point.
But always think simplicity, so avoid the CAS role wherever that is possible and logical.
(1 domain) (1 location): 1 primary site
Depending on how many clients you have in your infrastructure, with one location and one domain this is the only and easiest way to go. For high-availability purposes you should have 2 of each site system role and a clustered SQL server for the site server.
(1 domain) (2 locations): 1 primary site, 1 secondary site (slow link)
Let’s say, for the purpose of this post, that you have one location where you have most of your infrastructure, and one remote site with 200 clients which has a limited connection to the primary site. One secondary site at the remote location would be the best approach. Clients there would talk directly to the management point and the distribution point of the secondary site.
(1 domain) (2 locations): 1 primary site and 1 distribution point (fast link to the remote site)
In this case we also have a remote location, but we have a fast WAN link, so we don’t need a secondary site with its own agents, applications and packages. Therefore we have a distribution point at the remote location and clients communicate with an MP in the central location.
(1 domain) (2 locations) (one small branch office)
I would recommend using BranchCache on a distribution point and for the clients: when the first client requests content from the DP it will download it and cache it for other clients on the same subnet. This requires a DP installed with BranchCache.
NOTE: Remember that for a remote domain installation to work properly you need to install the management point with an account that has access to the Configuration Manager database. You configure this during the installation of the management point.
(2 domains, untrusted forest) (1 location): 1 primary site in the primary domain (1 management point, 1 distribution point)
Now we cannot install a primary or secondary site in an untrusted domain; we can only install user-facing site system roles in an untrusted domain. So therefore we install a management point and a distribution point in the untrusted domain.
We can also publish the site in AD for the untrusted domain as well.
(2 domains, trusted forest) (1 location)
This depends on the number of clients, but again a solution with a distribution point and a management point in the other domain could be a solution. In case there are too many clients, you would need to expand the hierarchy with a CAS and a primary site in each forest.
(Multiple domains, untrusted) (multiple domains)
Primary site, or more depending on how many clients. Use a primary site in one domain (preferably the largest one) and deploy a distribution point and a management point in the other domains.
Here I will also link to some example hierarchy scenarios from Microsoft:
Identify requirements to plan for a hierarchy
I would also recommend that you read about Microsoft’s own hierarchy for their internal Configuration Manager solution.
Had some trouble with a case today where the Application Catalog would not start. When the users opened the catalog they could not connect to the catalog service and got this error message. According to the error message it could not connect to the application service.
If we checked the role in the ConfigMgr console we could see that the Application Catalog web service point had status Critical.
So we checked the latest events for that component.
As we can see here, WCF is not activated, so make sure that WCF (HTTP activation) is installed.
After the component is installed, reinstall the Application Catalog roles and it should work.
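A quick way to confirm the cause before touching the role is to check the WCF activation features on the site system itself. The PowerShell below is an added example, not from the original post; it assumes Windows Server 2012, where the relevant feature names are NET-HTTP-Activation (the .NET 3.5 WCF stack) and NET-WCF-HTTP-Activation45 (.NET 4.5).

```powershell
# Added example (not from the original post): verify that the WCF HTTP activation
# features the Application Catalog depends on are present on the site system, and
# add the ones that are missing. Feature names assume Windows Server 2012.
Import-Module ServerManager

$required = @('NET-HTTP-Activation', 'NET-WCF-HTTP-Activation45')

$missing = Get-WindowsFeature -Name $required |
    Where-Object { -not $_.Installed } |
    Select-Object -ExpandProperty Name

if (-not $missing) {
    Write-Host 'WCF HTTP activation is already installed; look elsewhere for the catalog failure.'
}
else {
    Write-Host ('Installing missing features: {0}' -f ($missing -join ', '))
    $result = Install-WindowsFeature -Name $missing
    if ($result.Success) {
        Write-Host 'Installed. Now reinstall the Application Catalog roles from the console.'
        if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required first.' }
    }
    else {
        Write-Warning ('Feature installation failed, exit code {0}' -f $result.ExitCode)
    }
}
```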
Now Configuration Manager is a complex beast. When designing a ConfigMgr site you have to plan your network carefully, because there is going to be a lot of traffic going back and forth from your servers to your clients, and from your servers to your other servers. So you have to consider how many clients and how many distribution points you are going to have for your site, also depending on what kind of features you are going to use.
Now before we start with the networking part, let’s review the supported configuration and hardware requirements.
- 25 child primary sites
- 250 secondary sites
- 10,000 devices running Windows Embedded
- 10 management points
- 250 distribution points
- 1 fallback status point
- multiple Application Catalog website points
- 1 management point
Fallback Status Point:
Software Update Point:
Application Catalog Website Point:
Application Catalog Web Service Point:
As you can see, this can lead to a VERY complex setup if you have a large environment. Microsoft has also deployed Configuration Manager on their own computers,
and Microsoft has also published a good hardware requirements list.
You can read more about it here –> http://bit.ly/S3fRJB
Clients search for a management point by using the following options, in the order specified:
- Management point (if specified at agent installation)
- Active Directory Domain Services
Now when an agent connects to an MP it makes a list of all the management points within its boundary, and if the client has a PKI certificate installed it makes a priority list of all MPs that have HTTPS enabled.
Now let’s start with the client communication to the servers. These are the most commonly used ports:
- Port 443 HTTPS = used to communicate with a management point over HTTPS
- Port 445 SMB = used to communicate
- Port 80 HTTP = used to contact the fallback status point
- New with SP1! Port 10123 = client notification, to start or initiate a malware or policy update/scan
- Port 9 UDP = Wake on LAN
You can see more about the port requirements for ConfigMgr here –> http://technet.microsoft.com/en-us/library/hh427328.aspx
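When a client cannot reach its site systems, the first thing to rule out is the firewall path for the ports above. The PowerShell below is an added example, not from the original post, that a client admin can run from a managed workstation; the server names are constructed placeholders, and UDP 9 is left out because a Wake-on-LAN magic packet gets no reply to test for.

```powershell
# Added example (not from the original post): probe the TCP ports from the port
# list above against the site systems a client talks to. Host names are placeholders.
function Test-CMPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )
    # Plain TcpClient connect with a timeout, so it works on any Windows client
    # without relying on Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($ok -and $client.Connected) { $client.EndConnect($async); return $true }
        return $false
    }
    catch { return $false }
    finally { $client.Close() }
}

# Constructed check list built from the port table in the post. Port 10123 is the
# SP1 client notification channel; the client opens it towards the management point.
$checks = @(
    @{ Role = 'Management point (HTTPS)';        Server = 'mp01.contoso.local';  Port = 443   },
    @{ Role = 'Management point (HTTP)';         Server = 'mp01.contoso.local';  Port = 80    },
    @{ Role = 'Management point (notification)'; Server = 'mp01.contoso.local';  Port = 10123 },
    @{ Role = 'Distribution point (SMB)';        Server = 'dp01.contoso.local';  Port = 445   },
    @{ Role = 'Fallback status point (HTTP)';    Server = 'fsp01.contoso.local'; Port = 80    }
)

foreach ($c in $checks) {
    $state = if (Test-CMPort -ComputerName $c.Server -Port $c.Port) { 'open' } else { 'BLOCKED' }
    '{0,-36} {1}:{2,-6} {3}' -f $c.Role, $c.Server, $c.Port, $state
}
```

A BLOCKED line on 80/443 towards the MP explains missing policy; a BLOCKED 445 or 80 towards a DP only matters if that DP is the one the client's boundary group points at.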
Now clients connect to a distribution point either via HTTP or HTTPS using BITS. In order to limit network usage you can specify a client setting for BITS.
Here we can define the bandwidth usage and the throttling window.
You can also specify BITS settings in Group Policy. You also need to remember to plan which features you are going to use:
Software Metering, Software Inventory, Baselines & Compliance, Hardware Inventory etc. There are a lot of features that can generate a lot of traffic.
To run the Setup Downloader from the command prompt:
- /VERIFY: Use this option to verify the files in the download folder, which include language files. Review the ConfigMgrSetup.log file in the root of the C drive for a list of files that are outdated. No files are downloaded when you use this option.
- /VERIFYLANG: Use this option to verify the language files in the download folder. Review the ConfigMgrSetup.log file in the root of the C drive for a list of language files that are outdated.
- /LANG: Use this option to download only the language files to the download folder.
- /NOUI: Use this option to start Setup Downloader without displaying the user interface. When you use this option, you must specify the download path as part of the command-line.
Setup Downloader starts, verifies the files in the \\MyServer\MyShare\ConfigMgrUpdates folder, and downloads only the files that are missing or newer than the existing files.
To run the Prerequisite Checker from the command prompt:
Open a command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
Type prereqchk.exe /LOCAL to open Prerequisite Checker and run all prerequisite checks on the server.
To install the ConfigMgr 2012 console unattended from the command prompt:
consolesetup.exe /q TargetDir="D:\Program Files\ConfigMgr" EnableSQM=0 DefaultSiteServerName=MyServer.Contoso.com
To install a ConfigMgr 2012 primary site:
First you need to create a setup.ini file where you define a number of variables. For a primary site these are the ones you need.
After you have created this file you start setup with the following command: setup.exe /script <scriptpathandname>
Content of the setup.ini file:
SMSInstallDir=<ConfigMgr install folder path>
SDKServer=<FQDN for SDKServer>
PrerequisitePath=<Prereqs folder path>
ManagementPoint=<FQDN MP server>
DistributionPoint=<FQDN DP server>
AdminConsole=1 (0 if you don’t want to install the console)
SQLServerName=<FQDN SQL server machine>
DatabaseName=<SQLServerName\InstanceName> (leave blank for the default instance)
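As an added example, not from the original post, here is a complete setup.ini for a stand-alone primary site written out and launched from PowerShell. All host names, paths, the site code and the product ID are constructed placeholders; the keys beyond those listed above ([Identification]/Action, ProductID, SiteCode, SiteName, PrerequisiteComp, JoinCEIP, the *Protocol keys, DistributionPointInstallIIS and SQLSSBPort) are the ones I know from Microsoft's unattended-setup documentation for 2012 SP1, so verify them against ConfigMgrSetup.log on the first run.

```powershell
# Added example (not from the original post): generate an unattended setup script
# for a stand-alone primary site and start setup.exe with it. Every value below is
# a constructed placeholder; adjust to your environment.
$iniPath = 'C:\Setup\primary.ini'
$media   = 'D:\SMSSETUP\BIN\X64'     # ConfigMgr installation media (placeholder)

$ini = @"
[Identification]
Action=InstallPrimarySite

[Options]
ProductID=EVAL
SiteCode=P01
SiteName=Contoso Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=cm01.contoso.local
PrerequisiteComp=1
PrerequisitePath=C:\Setup\Prereqs
AdminConsole=1
JoinCEIP=0
ManagementPoint=cm01.contoso.local
ManagementPointProtocol=HTTP
DistributionPoint=cm01.contoso.local
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1

[SQLConfigOptions]
SQLServerName=sql01.contoso.local
DatabaseName=SCCM\CM_P01
SQLSSBPort=4022

[HierarchyExpansionOption]
"@
# PrerequisiteComp=1 means the prerequisites were already downloaded to
# PrerequisitePath with Setup Downloader (see above). DatabaseName uses the
# named instance SCCM from the SQL example below; for the default instance
# just give the database name.

New-Item -ItemType Directory -Path (Split-Path $iniPath) -Force | Out-Null
Set-Content -Path $iniPath -Value $ini -Encoding ASCII

# Run setup unattended; progress is written to C:\ConfigMgrSetup.log.
Start-Process -FilePath (Join-Path $media 'setup.exe') `
    -ArgumentList ('/script "{0}"' -f $iniPath) -Wait -NoNewWindow
```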
Now last but not least, an unattended install of SQL Server 2012. Note that ConfigMgr requires the case-insensitive collation SQL_Latin1_General_CP1_CI_AS, so that is the one to pass to setup:
setup.exe /ACTION=install /QS /INSTANCENAME="SCCM" /IACCEPTSQLSERVERLICENSETERMS=1 /FEATURES=SQLENGINE,SSMS /SQLSYSADMINACCOUNTS="test\administrator" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
So next time I will start with PowerShell automation with ConfigMgr.
Updated with the ADK install, since you need this for SP1.
Install Windows ADK silently. The feature IDs are:
- Application Compatibility Toolkit (ACT): OptionId.ApplicationCompatibilityToolkit
- Deployment Tools: OptionId.DeploymentTools
- Windows Preinstallation Environment (Windows PE): OptionId.WindowsPreinstallationEnvironment
- User State Migration Tool: OptionId.UserStateMigrationTool
Syntax: adksetup /quiet /installpath <path> /features <featureID1> <featureID2>
Example: adksetup /quiet /installpath C:\programfiles\adk /features OptionId.ApplicationCompatibilityToolkit OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool
I see a lot of searches towards the blog regarding boundaries and boundary groups, so I thought that I should post a bit more about how these settings work and how they affect your site.
A boundary is a network location in your infrastructure that contains one or more devices that you want to manage. A boundary can be an IP subnet, an Active Directory site, an IPv6 prefix or an IP address range, and a ConfigMgr 2012 hierarchy can include any combination of these boundary types. Remember that to use a boundary you need to put it into a boundary group. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates and operating system images.
When clients are connecting from the internet, they do not use boundary group information. They download from any distribution point of their site, provided the distribution point is configured to allow client connections from the internet.
When you have created a boundary group, you must configure it to specify an assigned site for clients to use during automatic site assignment.
You can associate one or more distribution points with each boundary group, and you can also add a single distribution point to multiple boundary groups. The default behavior is to choose the closest server to transfer the content from. Remember that ConfigMgr 2012 allows a client to be a member of multiple boundary groups for content location, but not for automatic site assignment.
What is important when planning your SCCM deployment? Plan for high availability! (among other things)
SCCM can span from a simple to a very complex solution, and it can also be in a complex hierarchy as well. So it is important to know: where do I need to deploy multiple servers in order to have HA in SCCM?
* ConfigMgr clients can use any of the available servers. If you have multiple management points the clients will try to contact one of them; if the one they try to contact is offline they will try the other one. If both servers are offline, the client will cache the data until an MP server is back up. The same goes for distribution points (if the content the client is looking for is located on that DP).
If a client fails to submit data, the site can generate an alert in the console.
* ConfigMgr database: use a SQL cluster for the primary site or at the CAS (if you have one). Secondary sites do not support SQL clusters; to recover one you would need to reinstall the secondary site. You also need to remember that you can set up a maintenance task to take a backup of the ConfigMgr site.
* ConfigMgr sites: you can use a CAS (central administration site) with primary child sites (this can provide you with fault tolerance if you have a deployment that requires a CAS), but do NOT deploy a CAS server if you aren’t sure that you need it.
* ConfigMgr roles: you can install multiple instances of roles such as management points and distribution points to provide redundancy for the clients. Remember that if you deploy multiple distribution points and you want a client to fail over to another distribution point, they must be within the same boundary group.
* Active Directory: if you are using AD publishing (and most are), remember that the client will query AD to find its MP and site, so you will need multiple domain controllers (not only to load balance the queries but to provide HA). This goes for DNS as well, unless you are running another DNS server like BIND.
* PKI: ConfigMgr is very much reliant on certificates for securing traffic; remember that you should have 2 subordinate CAs that can issue certificates.
Just some last notes: if you are using ConfigMgr you should have OpsMgr as well; use it to monitor your ConfigMgr, AD and ADCS solution!
There is a management pack available to monitor ConfigMgr within OpsMgr; you can find it here –>
NOTE: There are some roles that aren’t meant for HA. This includes:
- Endpoint Protection point
- Asset Intelligence synchronization point
- Enrollment point & enrollment proxy point
- Fallback status point
- Out of band service point
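Whether clients actually have a second distribution point to fail over to comes down to boundary group membership, which is easy to lose track of in a larger site. The PowerShell below is an added example, not from the original post, that runs on the site server and lists every boundary group with its boundaries and assigned site systems, warning where a group has fewer than two; the site code P01 is a placeholder, and the SMS_Boundary* class and property names are assumed from the SMS Provider schema.

```powershell
# Added example (not from the original post): audit boundary groups for content
# redundancy. Run on the site server (SMS Provider); site code is a placeholder.
$siteCode = 'P01'
$ns = "root\sms\site_$siteCode"

# SMS_Boundary.BoundaryType values as assumed from the SMS Provider schema.
$boundaryType = @{ 0 = 'IP subnet'; 1 = 'AD site'; 2 = 'IPv6 prefix'; 3 = 'IP range' }

$groups     = Get-WmiObject -Namespace $ns -Class SMS_BoundaryGroup
$members    = Get-WmiObject -Namespace $ns -Class SMS_BoundaryGroupMembers
$siteSys    = Get-WmiObject -Namespace $ns -Class SMS_BoundaryGroupSiteSystems
$boundaries = Get-WmiObject -Namespace $ns -Class SMS_Boundary

foreach ($g in $groups) {
    $bIds = $members | Where-Object { $_.GroupID -eq $g.GroupID } | ForEach-Object { $_.BoundaryID }
    $b    = $boundaries | Where-Object { $bIds -contains $_.BoundaryID }
    $dps  = $siteSys | Where-Object { $_.GroupID -eq $g.GroupID } | ForEach-Object {
        # ServerNALPath looks like ["Display=\\dp01.contoso.local\"]MSWNET:["SMS_SITE=P01"]\\dp01.contoso.local\
        # so pull the first \\server\ out of it; fall back to the raw path if the pattern changes.
        if ($_.ServerNALPath -match '\\\\([^\\\]]+)\\') { $Matches[1] } else { $_.ServerNALPath }
    }
    $dps = @($dps | Sort-Object -Unique)

    Write-Host ('Boundary group: {0}  (assigned site: {1})' -f $g.Name, $g.DefaultSiteCode)
    foreach ($x in $b) {
        '  boundary     {0,-12} {1}' -f $boundaryType[[int]$x.BoundaryType], $x.Value
    }
    foreach ($d in $dps) { '  site system  {0}' -f $d }
    if ($dps.Count -lt 2) {
        Write-Warning ('{0}: fewer than two site systems; clients here have no content failover.' -f $g.Name)
    }
}
```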
A bit hidden in SCCM 2012 is the ability to back up site servers in Configuration Manager on a schedule. Open the console and go to Administration –> Site Configuration –> Sites –> Settings –> Site Maintenance.
From there you choose “Backup Site Server”, and now you choose a backup location and set a schedule –>
If you enable an alert for the backup task, it will appear in the Monitoring tab.
So if an error should occur during the backup, you can see it in the Overview tab in the Monitoring pane. You can also view the log for further info, found in smsbkup.log.
This backup includes the database, the logs and the inboxes.