slice16

Established Members
  • Content Count

    49
Community Reputation

0 Neutral

About slice16

  • Rank
    Advanced Member

Contact Methods

  • Website URL
    http://tameyourcloud.com

Profile Information

  • Gender
    Male
  • Location
    Manchester, UK
  1. Afternoon all!

     Please can someone point me in the right direction with an SCCM design I am currently contemplating?

     We are currently running a project where we are automating the deployment and configuration of servers within our on-premise and Azure subscription. There will be significant automation workflows being called from a dedicated Orchestrator instance, whose primary job will be to deploy servers (physical/virtual) and hand over to SCCM for day-to-day management.

     This would be a pretty easy design if it was standalone; however, we already have a significant investment in SCCM for our desktop estate, with dedicated teams of packagers and admins. I am recommending we utilise existing investments and build out the hierarchy, but there are some interesting questions that have come out of scoping:

     1) Would it make sense to build out a new primary site dedicated to the server estate, and have both the desktop and server primary sites report into a CAS?
     2) Does it make sense to have a dedicated packaging team/admin that is applied at the CAS layer... or do we split within each site?
     3) How do we manage things like SCCM Updates (not wsus, but the infrastructure)... Desktops are pretty agile and moving quickly. With the level of automation and criticality of some servers, we need to be sure upgrades does effect the other.

     Has anyone got any thoughts on the above?

     Thanks
     Paul
  2. Thanks Peter. That is an interesting PowerPoint.

     We have two key teams within the organisation that will be managing the Compliance within the datacentre, and each have a very different outlook on what tool is best. We have a Support Team (who manage up to the OS) and an Application Team who take it from IIS upwards. The latter are programmers by heart and love tools like Puppet, which is why DSC is so exciting.

     I suppose to future-proof ourselves, would it make sense to use Config Baselines that use DSC style scripts to report back compliance? Or is that overcomplicating matters?
  3. Morning All,

     Happy New Year, I trust you have all had a good one?

     I am wondering if anyone has any experience with utilising the new PowerShell DSC stuff into SCCM, and which route people would recommend. The way I see it, we have two ways that we can manage client compliance:

     1) Using 'Configuration Baselines', that has a nice GUI and built-in reporting. We can do advanced queries using PowerShell scripts for any custom components we need.
     2) We create PowerShell Manifests and use DSC. We could then use task sequences, packages/applications to actually deploy them and enforce. I imagine monitoring these could be a little more complex (custom report, mof files etc).

     Thanks,
     Paul
  4. Hi Anthony,

     My personal recommendation would be to install new servers into the same site. You can then install the various roles and start to decommission the current box.

     I am guessing you have SQL installed on your main server? If so, guidance can be found on the TechNet blogs: http://blogs.technet.com/b/configurationmgr/archive/2013/04/02/how-to-move-the-configmgr-2012-site-database-to-a-new-sql-server.aspx

     All configuration data will be stored in the database, so you shouldn't need to export/reimport.

     Thanks
     Paul
  5. After some research, it doesn't look as though this is possible :(

     http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_WhatsNew

     Reading that, all my clients will need access to Windows Update to be able to use the SUP. As my clients aren't 'true internet' based clients (they are being managed over SSL on 443 for multi-tenancy) and may not have true internet access. I can't think of a way round this issue.
  6. Morning All,

     Where can I force my clients to use my Internet Based DP that contains my SCCM updates?

     I have a large number of internet based machines (members of various untrusted domains) that have the client installed. They connect to SCCM, but when attempting to install updates they automatically go to Windows Update rather than the SCCM DP. SCCM does show up at a second location, but it seems to drop out before trying that.

     Thanks
     Paul
  7. Here is my fix: http://tameyourcloud.com/?p=117

     I had to create the routes manually in the relevant SQL instances by running the following:

         CREATE ROUTE ConfigMgrBGBRoute_Local
             AUTHORIZATION dbo
             WITH SERVICE_NAME = 'ConfigMgrBGB_SitePOC',
                  ADDRESS = 'LOCAL';
  8. Sorted. Turns out the Service Brokers weren't created. I am writing up the fix now and will get it over here.
  9. Has anyone got any ideas as to what this may be?

     I have looked a little more into the SQL configuration and can see that there is a route called ConfigMgrBGBRoute_Local, which is configured for the service ConfigMgrBGB_SitePOC and is set to local:

     From what I can see, everything is set up correctly?

     Thanks
     Paul
  10. Ok, after some more research, the broker service relies on Broker routes to manage replication traffic between the various instances. In this case, adding the newly created instance has upset the balance. It appears to have the [LOCAL] route within the POC instance.

      Is there a way I can view all the routes?

      Thanks
  11. Afternoon All,

      I was hoping you guys could point me in the right direction, as I am hitting a bit of a brick wall. I am in the process of building a multiple forest SCCM hierarchy that will have two primary sites that report into a CAS. The setup will be the following:

      SCCM SITE CODES:
      CAS - Central Administration Site
      POC - Primary Site in AD.local
      DEV - Primary in MS.local

      SCCM Servers:
      SCCMCAS.ad.local (Central Administration Site)
      SCCM01.ad.local (First Primary Site)
      SCCM01.ms.local (Second Primary Site)

      Database Configuration:
      SCCMCAS and SCCM01 both sit within ad.local and have a dedicated SQL instance on an SQL 2008 R2 SP1 cluster. SCCM01.ms.local sits within ms.local which is a trust domain with ad.local. This machine has its own dedicated SQL instance.

      Issue

      I have successfully added SCCM01.ad.local to the hierarchy and replication shows as healthy. The SSB ports are set to 4022 on sccmcas01.ad.local and 4023 on sccm01.ad.local. This also passes the Replication Link Analyser without any issues.

      When I add SCCM01.ms.local it sets itself to Initializing, which seems to start counting up through the %'s. However, this then fails the CAS to POC replication link.

      When I check the Link Analyser log file, I get the following error message:

          </DoesBrokerConfigurationExist>
          <DoesBrokerConfigurationExist ssbPort="4023" SqlInstanceName="ms-sql01.ms.local\SCCM" SiteCode="POC">
            <Result HasRun="True" HasPassed="False" />
            <Description>
              <Detail Name="isValidEndpointCertificateExists" Value="True" />
              <Detail Name="isServiceBrokerConfigCorrect" Value="True" />
              <Detail Name="isServiceBrokerRouteConfigCorrect" Value="False" />
              <Detail Name="isServiceBrokerLoginConfigCorrect" Value="True" />
              <Detail Name="result" Value="Service broker route [ConfigMgrBGBRoute_Local] is missing or has incorrect address [] for service [ConfigMgrBGB_SitePOC]. Expected address [LOCAL]." />
              <Detail Name="isServiceBrokerLoginCertificateCorrect" Value="True" />
            </Description>

      As soon as I uninstall the DEV site, everything starts working again. The only thing I can think of is a port conflict on the Service Broker connection. I didn't think this would be an issue as the POC and DEV primary sites use different SQL Servers.

      Is there a best practice available when configuring multiple sites?

      Thanks in advance,
      Paul
  12. Ahh, turns out I am being daft! As per Niall's guide:

      e: The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can set EndPoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site.

      When all else fails, read the manual haha.
  13. Hi All,

      I think I may be losing the plot a little, but I am unable to find the EndPoint Protection site service role. When I go to add a site System Role, I only see the roles in the attached .png. I am running SCCM SP1 CTP2 and have a CAS and Primary site.

      Thanks
      Paul
  14. Right, think I have sussed it now. This article explains it pretty well: http://technet.microsoft.com/en-us/library/bb680334.aspx Basically, if a client is not in the same forest as the site, it will need to contact the SLP. The SLP will be configured during client installation. If they move to another site at the same level within the hierarchy, it will be unable to locate any content sources within the separate site.
  15. Hi Eswar,

      Sorry, I was adding another reply when you posted. My site boundaries won't be overlapping, but I will have a number of duplicate subnets configured from AD Users and Computers between the forests. My post above should go into a little more detail into my configuration. It isn't the easiest of setups due to the corporate structure.

      Thanks,
      Paul
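
For the Service Broker route failure discussed in posts 7 to 11 above (the Link Analyser result for ConfigMgrBGBRoute_Local and the question about viewing all routes), the following T-SQL is an added example, not code from the original posts or from Microsoft. It assumes it is run in the POC site database by a login permitted to read the catalog views and alter routes; the route and service names are the ones quoted in the posts.

```sql
-- Added example. Run in the site database of the affected primary site
-- (site code POC in the posts), not in master.

-- 1) View every Service Broker route defined in this database.
SELECT name,
       remote_service_name,
       broker_instance,
       address,
       mirror_address,
       lifetime
FROM sys.routes
ORDER BY name;

-- 2) Review the instance's Service Broker endpoint: listening port, state,
--    and how peers authenticate (ConfigMgr uses certificate authentication,
--    which is what the Link Analyser's certificate checks verify).
SELECT e.name,
       t.port,
       e.state_desc,
       e.connection_auth_desc,
       e.encryption_algorithm_desc
FROM sys.service_broker_endpoints AS e
JOIN sys.tcp_endpoints AS t
  ON t.endpoint_id = e.endpoint_id;

-- 3) Recreate the local route only if it is missing or does not match what
--    the Link Analyser expects (service ConfigMgrBGB_SitePOC, address LOCAL).
IF NOT EXISTS (
    SELECT 1
    FROM sys.routes
    WHERE name = N'ConfigMgrBGBRoute_Local'
      AND remote_service_name = N'ConfigMgrBGB_SitePOC'
      AND address = N'LOCAL'
)
BEGIN
    -- A route with the right name but wrong target must be dropped first.
    IF EXISTS (SELECT 1 FROM sys.routes WHERE name = N'ConfigMgrBGBRoute_Local')
        DROP ROUTE ConfigMgrBGBRoute_Local;

    CREATE ROUTE ConfigMgrBGBRoute_Local
        AUTHORIZATION dbo
        WITH SERVICE_NAME = N'ConfigMgrBGB_SitePOC',
             ADDRESS = N'LOCAL';
END;
```

Saving the output of the first two queries before and after adding a site gives a baseline for spotting routes or endpoint settings that changed unexpectedly.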