Blog archive
Excalibur and Configuration Manager
Citrix released a beta build of Excalibur a couple of months ago, which shows the next generation of the XenDesktop and XenApp architecture. (Well, actually just XenDesktop, since the XenApp architecture is disappearing.)
In addition, with this release we get some useful choices for how to manage the machines within XenDesktop.
Excalibur adds additional WMI classes to all of its desktops. They are listed here:
http://support.citrix.com/proddocs/topic/xendesktop-ibi/cds-manage-sccm-ibi.html
This lets you create collections based on whether a machine is VDI or session-host based, and even on whether it is assigned to a user or not.
To make these attributes available in Configuration Manager we have to add the WMI class to hardware inventory.
Go to Administration -> Client Settings, edit the client policy, open Hardware Inventory and click Set Classes, then Add. In the Add Hardware Inventory Class dialog, connect to a remote computer that has the VDA installed, and in the namespace field type root\citrix\desktopinformation

Choose "Citrix_VirtualDesktopInfo" and press OK.
This adds the attributes of that WMI class to hardware inventory,

which you can then use in collection query rules based on those values.
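The steps above, as an added PowerShell example (not code from the original post or from Citrix): inspect the class on one VDA, confirm it has arrived through hardware inventory, and build a query-based collection from it. Host names, the site code PS1, the inventoried class name (Configuration Manager exposes inventoried classes as SMS_G_System_<CLASSNAME>, so the name below follows that convention) and the IsAssigned/IsVirtualMachine property names are assumptions; check them with Get-Member before relying on them.

```powershell
# Added example, not from the original post. Assumptions: host names, site code,
# the SMS_G_System_* class name and the property names used in the WQL.
param(
    [string]$Vda      = 'vda01.contoso.com',   # a machine with the Excalibur VDA installed (assumed)
    [string]$Provider = 'cm01.contoso.com',    # SMS Provider / site server (assumed)
    [string]$SiteCode = 'PS1'                  # assumed site code
)

# 1. The class as it exists on the VDA: the same namespace you browse to under
#    Client Settings -> Hardware Inventory -> Set Classes -> Add.
$info = Get-WmiObject -ComputerName $Vda -Namespace 'root\citrix\desktopinformation' `
                      -Class 'Citrix_VirtualDesktopInfo'
$info | Get-Member -MemberType Property | Where-Object { $_.Name -notlike '__*' }
$info | Format-List *

# 2. After the next hardware inventory cycle the data is exposed by the SMS
#    Provider under this (assumed) name. An empty result means inventory has not
#    reported yet, or the class was not enabled in the client settings.
$invClass = 'SMS_G_System_CITRIX_VIRTUALDESKTOPINFO'
$ns = "root\sms\site_$SiteCode"
Get-WmiObject -ComputerName $Provider -Namespace $ns -Class $invClass |
    Select-Object ResourceID, IsAssigned, IsVirtualMachine

# 3. WQL for a query-based collection: virtual desktops that are assigned to a
#    user (unassigned desktops and non-VM session hosts are left out).
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join $invClass on $invClass.ResourceID = SMS_R_System.ResourceId
where $invClass.IsVirtualMachine = 1 and $invClass.IsAssigned = 1
"@

# 4. Create the collection with the SP1 cmdlets. Run this part on a machine with
#    the console installed; the module lives next to the console binaries.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"
$coll = New-CMDeviceCollection -Name 'Citrix assigned VDI' -LimitingCollectionName 'All Systems'
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $coll.Name `
                                          -RuleName 'Assigned VDI' -QueryExpression $wql
```

Step 2 is the check worth doing first: if the SMS_G_System_* class is missing from the provider namespace, the class was never enabled in the client settings that apply to the VDAs, and no collection query will ever match.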

Since Excalibur does not have any direct integration with, for instance, App-V, you can instead create user-based application assignments in Configuration Manager for the same users you target with delivery groups.
The user then has multiple options for application delivery:
either the Configuration Manager Application Catalog (the software portal) or Citrix StoreFront.
Configuration Manager and hierarchy planning
With the 2012 release of System Center Configuration Manager, planning and designing a hierarchy became a bit more difficult.
Not because of limitations, but because of the huge mix of possibilities you have.
For instance, with the introduction of the CAS role (which sits at the top of the hierarchy and is used to manage many primary sites) you have even more options for how to manage your infrastructure.
SP1 adds even more: you can now have more than one SUP per primary site (which you could not before SP1), and the SUP on the CAS no longer needs to sync directly with Windows Update. So this post is about the factors you need to think of when planning, and how to manage the devices. For those with multiple domains, trusted and untrusted, in different forests, and with opinions about how traffic should flow, this takes a lot of planning!
This post is meant as a guideline; it might not always present the best option, but it shows some possible ways to deploy Configuration Manager 2012 SP1.
First I am going to define what a hierarchy in Configuration Manager looks like.
In the first picture we have a stand-alone site (a single primary site); in the second picture we have a primary site with two secondary sites.
In the last picture we have a CAS with three primary sites, each with their own secondary sites.

Source: http://i.technet.microsoft.com/dynimg/IC638818.gif
First I am going to specify the limits of each hierarchy role:
CAS: does not process client data and does not support client assignment.
400,000 clients (with SQL Server Enterprise), 50,000 with SQL Server Standard.
25 child primary sites
Roles:
Asset Intelligence synchronization point (Can only be one in the hierarchy)
Endpoint Protection point (Can only be one in the hierarchy)
Reporting services point
Software update point
System Health Validator point
Windows Intune connector
Primary Site:
250 secondary sites
100,000 clients (50,000 clients if the SQL is installed on the same computer as the site server)
10,000 Windows Embedded (WES) clients
50,000 Mac computers
Roles:
Application Catalog web service point
Application Catalog website point
Asset Intelligence synchronization point (not if it’s a child primary site)
Distribution point
Fallback status point
Management point
Endpoint Protection point (not if it’s a child primary site)
Enrollment point
Enrollment proxy point
Out of band service point
Reporting services point
Software update point
State migration point
System Health Validator point
Windows Intune connector (not if it’s a child primary site)
Secondary Site: must be linked to a primary site; the MP and DP are installed automatically; installs SQL Server Express if no existing SQL instance is specified.
5,000 clients
Distribution point
Management point
Software update point
State migration point
Software Update Point:
25,000 clients when the SUP is installed on the site server, 100,000 when it is on a remote site system
After SP1: multiple SUPs per site are supported
Distribution Point:
4,000 clients
250 DP per Primary Site
250 DP per secondary site
10,000 packages and applications
Management Point:
25,000 clients
10,000 Mac computers
10 MP per primary site
Some roles cannot be deployed in an untrusted domain:
these are the out of band service point and the Application Catalog web service point.
Always think simplicity, so avoid the CAS role wherever that is the logical choice.
(1 domain) (1 location): 1 primary site
This depends on how many clients you have, but with one location and one domain this is the simplest way to go. For high availability you should have two of each site system role and a clustered SQL Server for the site database.
(1 domain) (2 locations): 1 primary site, 1 secondary site (slow link)
Let's say, for the purposes of this post, that you have one location with most of your infrastructure and one remote site with 200 clients that has a limited connection to the primary site. One secondary site at the remote location would be the best approach: clients there talk to the management point and distribution point of the secondary site.
(1 domain) (2 locations): 1 primary site and 1 distribution point (fast link, no secondary site)
In this case we also have a remote location, but with a fast WAN link, so we don't need a secondary site (which holds its own management point and its own copy of applications and packages). Instead we place a distribution point at the remote location, and clients communicate with an MP in the central location.
(1 domain) (2 locations) (one small branch office)
I would recommend enabling BranchCache on a distribution point and on the clients: when the first client requests content from the DP it downloads and caches it for the other clients on the same subnet. This requires a DP with BranchCache enabled.
NOTE: for a management point in a remote domain to work properly you need to specify a management point database connection account that has access to the site database. You configure this during the installation of the management point role.
(2 domains, untrusted forests) (1 location): 1 primary site in the main domain (1 management point and 1 distribution point in the other)
We cannot install a primary or secondary site in an untrusted domain; we can only install client-facing site system roles there. So we install a management point and a distribution point in the untrusted domain,
and we can also publish the site to Active Directory in the untrusted forest.
(2 domains, trusted forests) (1 location)
This depends on the number of clients, but again a distribution point and a management point in the other domain could be the solution. If there are too many clients, you would need to expand the hierarchy with a CAS and a primary site in each forest.
(Multiple domains, untrusted) (multiple domains)
Use a primary site in one domain (preferably the largest one) and deploy a distribution point and a management point in the other domains; add more sites depending on how many clients you have.
Here are some example hierarchy scenarios from Microsoft:
http://technet.microsoft.com/en-us/library/gg712989.aspx
Identify requirements to plan for a hierarchy
http://technet.microsoft.com/en-us/library/gg712310.aspx
I would also recommend reading about Microsoft's own hierarchy for their internal Configuration Manager deployment:
http://blogs.msdn.com/b/shitanshu/archive/2011/10/16/configuration-manager-2012-deployment-real-world-experience-part-1.aspx
Trouble with Application Catalog
Had some trouble with a case today where the Application Catalog would not start. When we opened the catalog it could not connect to the catalog service and gave an error message saying it could not connect to the application service.
When we checked the role in the ConfigMgr console we could see that the Application Catalog web service point had status Critical,
so we looked at the latest status messages for that component.
As we can see there, WCF is not activated, so make sure that WCF HTTP Activation is installed.
After the component is installed, reinstall the Application Catalog web service point and it should work.
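An added PowerShell check for the situation above (not code from the original post): it verifies the two WCF HTTP Activation features the Application Catalog web service point needs, installs whatever is missing, and then reads the component status from the SMS Provider instead of clicking through the console. The site code and provider name are assumptions; the component names are the ones the 2012 console uses (SMS_AWEBSVC_CONTROL_MANAGER for the web service point, SMS_PORTALWEB_CONTROL_MANAGER for the website point), and the TallyInterval value is the "since site installation" interval as I know it, so treat both as things to verify on your own site.

```powershell
# Added example, not from the original post. Assumed: site code, provider name,
# component names and the TallyInterval value (verify against your site).
param([string]$SiteCode = 'PS1', [string]$Provider = 'cm01.contoso.com')

Import-Module ServerManager
$required = @('NET-HTTP-Activation',          # .NET 3.5.1 WCF HTTP Activation (2008 R2 and 2012)
              'NET-WCF-HTTP-Activation45')    # .NET 4.5 WCF HTTP Activation (Server 2012 only)
# -ErrorAction because the 4.5 feature name does not exist on 2008 R2.
$state = Get-WindowsFeature -Name $required -ErrorAction SilentlyContinue
$state | Select-Object Name, Installed

$missing = @($state | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    # Add-WindowsFeature is the 2008 R2 name; on Server 2012 it is an alias of Install-WindowsFeature.
    Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
}

# Component status as shown under Monitoring -> System Status -> Component Status.
# SMS_ComponentSummarizer.Status: 0 = OK, 1 = Warning, 2 = Critical.
$filter = "TallyInterval='0001128000100008' and " +
          "(ComponentName='SMS_AWEBSVC_CONTROL_MANAGER' or ComponentName='SMS_PORTALWEB_CONTROL_MANAGER')"
Get-WmiObject -ComputerName $Provider -Namespace "root\sms\site_$SiteCode" `
              -Class SMS_ComponentSummarizer -Filter $filter |
    Select-Object ComponentName, MachineName,
                  @{ n = 'Status'; e = { @('OK', 'Warning', 'Critical')[$_.Status] } },
                  Errors, Warnings
```

Run the feature part on the server hosting the role and the status query from anywhere that can reach the SMS Provider; a Critical status that survives the feature install usually means the role needs the reinstall mentioned above.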
Configuration Manager 2012 Client Communication & Hardware Planning
Configuration Manager is a complex beast. When designing a ConfigMgr site you have to plan your network carefully, because there is going to be a lot of traffic going back and forth between your servers and your clients, and between your servers. So you have to consider how many clients and how many distribution points you are going to have in your site, and which features you are going to use.
Before we start with the networking part, let's review the supported configurations and hardware requirements.
CAS:
25 child primary sites.
400,000 clients
Primary Site:
250 secondary sites.
100,000 clients
10,000 devices running windows embedded
10 Management Points
250 Distribution Point
1 Fallback Status Point
Multiple Application Catalog Website Point
Secondary Site:
5,000 clients
1 Management Point
Management Point:
25,000 clients
Fallback Status Point:
100,000 clients
Distribution Point:
4,000 clients
Software Update Point:
25,000 clients
Application Catalog Website Point:
400,000 clients
Application Catalog Web Service Point:
400,000 clients
As you can see, this can lead to a VERY complex setup if you have a large environment. Microsoft has also deployed Configuration Manager on their own computers,
and Microsoft has published a good hardware requirements list.
You can read more about it here –> http://bit.ly/S3fRJB
Clients search for a management point using the following options, in the order specified:
- Management point (if specified during agent installation)
- Active Directory Domain Services
- DNS
When a client connects to an MP it builds a list of all management points for its assigned site, and if the client has a PKI certificate installed it prioritizes the MPs that have HTTPS enabled.
Now let's start with the client communication to the servers. These are the commonly used ports:
Port 80 TCP (HTTP) = management points and distribution points in HTTP mode, and the fallback status point (which is HTTP only)
Port 443 TCP (HTTPS) = management points and distribution points in HTTPS mode
Port 445 TCP (SMB) = client push installation, and distribution points accessed as a file share
New with SP1! Port 10123 TCP = client notification, used to start a policy retrieval or a malware scan/definition update from the console
Port 9 UDP = Wake on LAN
You can see more about the port requirements for ConfigMgr here –> http://technet.microsoft.com/en-us/library/hh427328.aspx
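An added PowerShell example (not code from the original post) that does what the client does in the "Active Directory Domain Services" step above, reading the management points published for a site, and then checks the client-to-server ports from the list against each of them. The site code PS1 is an assumption; run it from a domain-joined client in the forest the site publishes to. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection because the latter only exists from Windows 8 / Server 2012 R2 onwards.

```powershell
# Added example, not from the original post. Assumed: site code 'PS1'.
param([string]$SiteCode = 'PS1')

# 1. Published MPs live under CN=System Management,CN=System,<domain> as
#    mSSMSManagementPoint objects (mSSMSMPName, mSSMSSiteCode, mSSMSDefaultMP).
$rootDse   = [ADSI]'LDAP://RootDSE'
$container = "LDAP://CN=System Management,CN=System,$($rootDse.defaultNamingContext)"
$searcher  = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$container
$searcher.Filter     = "(&(objectClass=mSSMSManagementPoint)(mSSMSSiteCode=$SiteCode))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('mSSMSMPName', 'mSSMSDefaultMP'))

$mps = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Name      = [string]$r.Properties['mssmsmpname'][0]
        DefaultMP = if ($r.Properties['mssmsdefaultmp'].Count) { [bool]$r.Properties['mssmsdefaultmp'][0] } else { $false }
    }
}
if (-not $mps) {
    throw "No management point published in AD for site $SiteCode (AD publishing off, or this forest is not trusted by the site)"
}

# 2. TCP connect with a timeout, so a firewalled port does not hang the script.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 3. The client-to-server ports from the list above (Wake on LAN is UDP and
#    server-to-client, so it is not something the client can test this way).
$ports = [ordered]@{
    80    = 'HTTP  (MP/DP in HTTP mode, fallback status point)'
    443   = 'HTTPS (MP/DP in HTTPS mode)'
    445   = 'SMB   (client push, file-share DP)'
    10123 = 'Client notification (SP1)'
}
foreach ($mp in $mps) {
    foreach ($port in $ports.Keys) {
        [pscustomobject]@{
            ManagementPoint = $mp.Name
            DefaultMP       = $mp.DefaultMP
            Port            = $port
            Use             = $ports[$port]
            Open            = Test-TcpPort -ComputerName $mp.Name -Port $port
        }
    }
}
```

If the AD query returns nothing but the client still finds its MP, it is using the SMSMP= value from installation or DNS, the other two entries in the lookup order; that is worth knowing before you touch firewall rules.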
Clients download content from a distribution point over HTTP or HTTPS using BITS. To limit network usage you configure BITS throttling in client settings,
where you define the bandwidth limit and the throttling window.
You can also specify BITS settings in Group Policy. Remember to plan for the features you are going to use:
software metering, software inventory, compliance baselines, hardware inventory and so on can all generate a lot of traffic.
Configuration Manager 2012 silent install
To run the Setup Downloader from the command prompt:
setupdl \\MyServer\MyShare\ConfigMgrUpdates
- /VERIFY: Use this option to verify the files in the download folder, which include language files. Review the ConfigMgrSetup.log file in the root of the C drive for a list of files that are outdated. No files are downloaded when you use this option.
- /VERIFYLANG: Use this option to verify the language files in the download folder. Review the ConfigMgrSetup.log file in the root of the C drive for a list of language files that are outdated.
- /LANG: Use this option to download only the language files to the download folder.
- /NOUI: Use this option to start Setup Downloader without displaying the user interface. When you use this option, you must specify the download path as part of the command-line.
Setup Downloader starts, verifies the files in the \\MyServer\MyShare\ConfigMgrUpdates folder, and downloads only the files that are missing or newer than the existing files.
To run the Prerequisite Checker from the command prompt:
- Open a command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
- Type prereqchk.exe /LOCAL to open the Prerequisite Checker and run all prerequisite checks on the local server.
To install the ConfigMgr 2012 console unattended from the command prompt:
consolesetup.exe /q TargetDir="D:\Program Files\ConfigMgr" EnableSQM=0 DefaultSiteServerName=MyServer.Contoso.com
To install a ConfigMgr 2012 primary site
First you need to create a setup.ini file in which you define a number of variables. For a primary site these are the ones you need.
After you have created this file, start setup with the following command: setup.exe /script <path to setup.ini>
Content of the setup.ini file:
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
SiteCode=<Site Code>
SiteName=<Site Name>
SMSInstallDir=<ConfigMgr install folder path>
SDKServer=<FQDN for SDKServer>
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=0
PrerequisitePath=<Prereqs folder path>
MobileDeviceLanguage=0
ManagementPoint=<FQDN MP server>
ManagementPointProtocol=HTTP
DistributionPoint=<FQDN DP server>
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
AdminConsole=1 (0 if you don't want to install the console)
[SQLConfigOptions]
SQLServerName=<FQDN SQL server machine>
DatabaseName=<InstanceName>\<DatabaseName> (omit the instance prefix for the default instance, e.g. CM_<SiteCode>)
SQLSSBPort=4022
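The procedure above as one added PowerShell script (not code from the original post): it renders the setup.ini from a hashtable, optionally runs the prerequisite checker first, and then starts setup.exe /script. Every host name, path and the site code PS1 are assumptions, and ProductID is left for you to fill in. It needs PowerShell 3.0 for [ordered] and [pscustomobject], which Server 2012 ships with.

```powershell
# Added example, not from the original post. All names, paths and the site code
# are assumed; ProductID must be filled in.
param(
    [string]$Media   = 'D:',                        # ConfigMgr 2012 SP1 media root (assumed)
    [string]$IniPath = 'C:\Setup\primary.ini',
    [string]$Prereqs = '\\fs01\cmprereqs',          # folder filled earlier with setupdl (assumed)
    [switch]$RunPrereqCheck                          # prereqchk /LOCAL shows a window; skip for fully unattended runs
)

$config = [ordered]@{
    Identification = [ordered]@{ Action = 'InstallPrimarySite' }
    Options = [ordered]@{
        ProductID                   = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
        SiteCode                    = 'PS1'
        SiteName                    = 'Contoso primary site'
        SMSInstallDir               = 'D:\Program Files\Microsoft Configuration Manager'
        SDKServer                   = 'cm01.contoso.com'
        RoleCommunicationProtocol   = 'HTTPorHTTPS'
        ClientsUsePKICertificate    = 0
        PrerequisiteComp            = 1               # 1 = prerequisite files already downloaded with setupdl
        PrerequisitePath            = $Prereqs
        MobileDeviceLanguage        = 0
        ManagementPoint             = 'cm01.contoso.com'
        ManagementPointProtocol     = 'HTTP'
        DistributionPoint           = 'cm01.contoso.com'
        DistributionPointProtocol   = 'HTTP'
        DistributionPointInstallIIS = 1
        AdminConsole                = 1
    }
    SQLConfigOptions = [ordered]@{
        SQLServerName = 'sql01.contoso.com'
        DatabaseName  = 'SCCM\CM_PS1'                 # <instance>\<database>; plain CM_PS1 for the default instance
        SQLSSBPort    = 4022
    }
}

# Render: [Section] header followed by key=value lines, plain ASCII with no BOM.
$lines = foreach ($section in $config.Keys) {
    "[$section]"
    foreach ($key in $config[$section].Keys) { "$key=$($config[$section][$key])" }
    ''
}
$null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $IniPath)
Set-Content -Path $IniPath -Value $lines -Encoding ASCII

if ($RunPrereqCheck) {
    Start-Process -FilePath "$Media\SMSSETUP\BIN\X64\prereqchk.exe" -ArgumentList '/LOCAL' -Wait
    # Rough filter: show what the checker flagged as an error before committing to the install.
    Select-String -Path 'C:\ConfigMgrPrereq.log' -Pattern 'Error' | Select-Object -Last 10
}

$setup = Start-Process -FilePath "$Media\SMSSETUP\BIN\X64\setup.exe" `
                       -ArgumentList "/script `"$IniPath`"" -Wait -PassThru
"setup.exe finished with exit code $($setup.ExitCode); follow C:\ConfigMgrSetup.log for the result"
```

The ini contains no secrets, so it can live in source control; what should not is the SQL service account password from the SQL Server setup line further down, which is why that one is better passed from a prompt than pasted into a script.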
Last but not least, an unattended install of SQL Server 2012:
setup.exe /ACTION=install /QS /INSTANCENAME="SCCM" /IACCEPTSQLSERVERLICENSETERMS=1
/FEATURES=SQLENGINE,SSMS /SQLSYSADMINACCOUNTS="test\administrator" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
/SQLSVCACCOUNT="<DomainName\UserName>" /SQLSVCPASSWORD="xxxxxxxxxxx"
Note that Configuration Manager requires the case-insensitive collation SQL_Latin1_General_CP1_CI_AS for the site database, and that a password given on the command line is visible to anyone who can list processes on that server while setup runs.
So next time I will start with PowerShell automation with ConfigMgr
NOTE:
Updated with the ADK install, since you need it for SP1.
Install the Windows ADK silently
Feature                                            Identifier
Application Compatibility Toolkit (ACT)            OptionId.ApplicationCompatibilityToolkit
Deployment Tools                                   OptionId.DeploymentTools
Windows Preinstallation Environment (Windows PE)   OptionId.WindowsPreinstallationEnvironment
User State Migration Tool                          OptionId.UserStateMigrationTool
adksetup /quiet /installpath <path> /features <featureID1> <featureID2>
adksetup /quiet /installpath C:\programfiles\adk /features OptionId.ApplicationCompatibilityToolkit OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool
Boundaries and Boundary Groups
I see a lot of searches reaching the blog regarding boundaries and boundary groups, so I thought I should post a bit more about how these settings work and how they affect your site.
A boundary is a network location in your infrastructure that contains one or more devices you want to manage. A boundary can be an IP subnet, an Active Directory site, an IPv6 prefix or an IP address range, and a ConfigMgr 2012 hierarchy can include any combination of these boundary types. Remember that a boundary is not used until you put it into a boundary group. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates and operating system images.
When clients connect from the internet they do not use boundary group information; they download from any distribution point of their site that is configured to allow client connections from the internet.
When you have created a boundary group, you must configure it with an assigned site for clients to use during automatic site assignment.
You can associate one or more distribution points with each boundary group, and you can add a single distribution point to multiple boundary groups. Clients prefer the distribution points marked as fast in their boundary group when choosing where to transfer content from. Remember that ConfigMgr 2012 supports a client being a member of multiple boundary groups for content location, but not for automatic site assignment: overlapping boundaries that point to different assigned sites are not supported.
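An added PowerShell example (not code from the original post) that works out which boundaries and boundary groups a given client falls in, from its IP address, subnet mask and AD site, using the SMS Provider classes SMS_Boundary, SMS_BoundaryGroup and SMS_BoundaryGroupMembers. The provider name, site code and the sample client values are assumptions. It flags the two problems the text warns about: a boundary that sits in no group, and overlapping groups with different assigned sites.

```powershell
# Added example, not from the original post. Assumed: provider name, site code
# and the sample client values below.
param(
    [string]$Provider = 'cm01.contoso.com',
    [string]$SiteCode = 'PS1',
    [string]$ClientIP = '10.20.30.40',
    [string]$Mask     = '255.255.255.0',
    [string]$ADSite   = 'Default-First-Site-Name'
)
$ns = "root\sms\site_$SiteCode"

function ConvertTo-IPNumber([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                          # network order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}
function ConvertFrom-IPNumber([uint32]$Number) {
    $bytes = [BitConverter]::GetBytes($Number)
    [Array]::Reverse($bytes)
    (New-Object -TypeName System.Net.IPAddress -ArgumentList (,$bytes)).IPAddressToString
}

$ipNumber = ConvertTo-IPNumber $ClientIP
# An IP subnet boundary stores only the subnet ID. The client derives the same
# value from its own IP and mask, so a client with the wrong mask lands in no
# boundary even though it "is on that subnet".
$subnetId = ConvertFrom-IPNumber ($ipNumber -band (ConvertTo-IPNumber $Mask))

# SMS_Boundary.BoundaryType: 0 = IP subnet, 1 = AD site, 2 = IPv6 prefix, 3 = IP range.
$boundaries = Get-WmiObject -ComputerName $Provider -Namespace $ns -Class SMS_Boundary
$matched = foreach ($b in $boundaries) {
    $hit = switch ($b.BoundaryType) {
        0 { $b.Value -eq $subnetId }
        1 { $b.Value -eq $ADSite }
        3 { $low, $high = $b.Value -split '-'
            (ConvertTo-IPNumber $low) -le $ipNumber -and $ipNumber -le (ConvertTo-IPNumber $high) }
        default { $false }                            # IPv6 prefixes are not evaluated here
    }
    if ($hit) { $b }
}

$members = Get-WmiObject -ComputerName $Provider -Namespace $ns -Class SMS_BoundaryGroupMembers
$groups  = Get-WmiObject -ComputerName $Provider -Namespace $ns -Class SMS_BoundaryGroup

$result = foreach ($b in $matched) {
    $groupIds = @($members | Where-Object { $_.BoundaryID -eq $b.BoundaryID } | ForEach-Object { $_.GroupID })
    if ($groupIds.Count -eq 0) {
        # A boundary outside every group is ignored by clients entirely.
        [pscustomobject]@{ Boundary = $b.DisplayName; Value = $b.Value; Group = '(none)'; AssignedSite = '' }
        continue
    }
    foreach ($g in ($groups | Where-Object { $groupIds -contains $_.GroupID })) {
        [pscustomobject]@{ Boundary = $b.DisplayName; Value = $b.Value; Group = $g.Name; AssignedSite = $g.DefaultSiteCode }
    }
}
$result | Format-Table -AutoSize

# More than one assigned site across the matched groups makes automatic site
# assignment ambiguous; overlap is only fine for content location.
$sites = @($result | Where-Object { $_.AssignedSite } | Select-Object -ExpandProperty AssignedSite -Unique)
if ($sites.Count -gt 1) {
    Write-Warning "Client matches boundary groups with different assigned sites: $($sites -join ', ')"
}
```

Run it with the IP, mask and AD site of a client that "cannot find content" or "cannot auto-assign"; an empty result table, or a boundary listed with Group = (none), explains most such cases.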
SCCM 2012 and High Availability
Short post!
What is important when planning your SCCM deployment? Plan for high availability (among other things)!
SCCM can span from a simple to a very complex solution, and it can sit in a complex hierarchy as well. So it is important to know where you need to deploy multiple servers in order to have HA in SCCM.
* ConfigMgr clients can use any available server. If you have multiple management points the client tries one of them; if it is offline the client tries the next. If all are offline the client caches its data until an MP is back up. The same goes for distribution points (as long as the content the client is looking for is on that DP).
If a client fails to submit data, the site can generate an alert in the console.
* ConfigMgr database: use a SQL Server cluster for the primary site or for the CAS (if you have one). Secondary sites do not support SQL clusters; to recover one you reinstall the secondary site. Also remember that you can set up a maintenance task to back up the ConfigMgr site.
* ConfigMgr sites: you can use a CAS (Central Administration Site) with child primary sites (this provides fault tolerance if you have a deployment that requires a CAS), but do NOT deploy a CAS if you aren't sure that you need it.
* ConfigMgr roles: you can install multiple instances of roles such as management points and distribution points to provide redundancy for clients. Remember that if you want a client to fail over between distribution points, those distribution points must be in the client's boundary group.
* Active Directory: if you are using AD publishing (and most are), remember that the client queries AD to find its MP and site, so you need multiple domain controllers (not only to load balance the queries but to provide HA). The same goes for DNS, unless you run another DNS server such as BIND.
* PKI: ConfigMgr relies heavily on certificates to secure traffic, so you should have two subordinate CAs that can issue certificates.
Some last notes: if you are using ConfigMgr you should have OpsMgr as well; use it to monitor your ConfigMgr, AD and AD CS solution!
There is a management pack available to monitor ConfigMgr within OpsMgr you can find it here –>
http://systemcenter.pinpoint.microsoft.com/en-US/applications/monitoring-pack-for-system-center-2012-configuration-manager-12884938509
NOTE: some roles are not designed for HA (only one instance per site or hierarchy); these include:
Endpoint Protection Point
Site Server
Asset Intelligence synchronization point
Enrollment point & enrollment proxy point
Fallback status point
Out of band service point
Backup site servers in SCCM 2012
A bit hidden in SCCM 2012 is the ability to back up site servers on a schedule. Open the console and go to Administration -> Site Configuration -> Sites -> Settings -> Site Maintenance.
From there choose "Backup Site Server", then set a backup location and a schedule.
If you enable an alert for the backup task, it appears under Alerts in the Monitoring workspace,
so if an error occurs during the backup you can see it in the Overview of the Monitoring pane. For further information look at the log, smsbkup.log.
This backup includes the site database, the registry keys and the installation directory, including the logs and inboxes.
Configuration Manager 2012 SP1 what’s new
Since the release in April, Microsoft has been working hard to finish Service Pack 1 for System Center 2012. This is needed because the original System Center 2012 release does not support Server 2012, so Microsoft has to move fast to release SP1 so customers can start building Server 2012 + SC 2012 infrastructure.
Service Pack 1 for System Center 2012 brings loads of new functionality, especially for ConfigMgr 2012.
* Support for Windows 8 (including Windows To Go), deployment of AppX applications (and links to the Windows Store), and OS deployment in UEFI mode.
* Support for Windows Server 2012 and SQL Server 2012
* Support for Mac computers and for Linux / UNIX servers (I'll go into more detail on that later)
* PowerShell cmdlets
-> get-command -module ConfigurationManager
* More flexible hierarchy management: you can now join a stand-alone primary site to a new CAS.
* Support for multiple SUPs for redundancy
* App-V 5 support
* Endpoint Protection support for Windows Embedded.
Regarding the Mac & Linux/UNIX support:
For Mac you have the following capabilities
* Hardware Inventory
* Compliance Settings
* Application Management (Deployment)
- Apple Disk Image (.DMG)
- Meta Package File (.MPKG)
- Mac OS X Installer Package (.PKG)
- Mac OS X Application (.APP)
* Software Updates
And remember that the client only works on OS X 10.6 & 10.7.
For Linux/UNIX you have the following capabilities:
* Hardware Inventory
* Compliance Settings
* Application Management (Deployment)
It is supported on recent RHEL, Solaris and SUSE distributions.
Something I didn't find in the new documentation is any news about Endpoint Protection for Mac & Linux/UNIX in SP1. Microsoft stated that this would be available in the SP1 release; it remains to be seen.
You can read more about SP1 on TechNet –> http://technet.microsoft.com/en-us/library/jj591552.aspx