How can I configure boundaries in System Center Configuration Manager (Current Branch) ?



anyweb    399

Introduction
In an earlier post you installed System Center Configuration Manager (Current Branch), then you learned about configuring discovery. In this post you’ll take a look at configuring Boundaries to understand how automatic site assignment and content location work.

What is a Boundary ?
In System Center Configuration Manager, a boundary is a network location on the intranet that can contain one or more devices that you want to manage. Boundaries can be based on any of the following and the hierarchy can include any combination of these boundary types:

  • IP subnet
  • Active Directory site name
  • IPv6 Prefix
  • IP address range

To use a boundary, you must add the boundary to one or more boundary groups.

  • Boundaries are no longer site specific, but defined once for the hierarchy, and they are available at all sites in the hierarchy.
  • Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point.
  • You no longer configure the network connection speed of each boundary. Instead, in a boundary group you specify the network connection speed for each site system server associated to the boundary group as a content location server.

What is a Boundary Group ?
Boundary groups are collections of boundaries. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images.

What about Internet based clients ?
When clients are on the Internet, or they are configured as Internet-only clients, they do not use boundary information. These clients cannot use automatic site assignment and always download content from any distribution point in their assigned site when the distribution point is configured to allow client connections from the Internet.

Should I use automatic or manual boundary creation methods ?
ConfigMgr can automatically create IP Address range and Active Directory Site based boundaries depending on your discovery preferences. This is useful in scenarios where you may have several subnets or Active Directory Sites defined in Active Directory Sites and Services. If the number of subnets and sites in Active Directory Sites and Services is comparatively small, adding boundaries manually would be more suitable; however, keep in mind that entering anything manually is prone to error.

 

Ok now that you understand what boundaries and boundary groups are, let's continue.

Step 1. Review AD Sites and Subnets in Active Directory Sites and Services
Note: Perform the following on the Active Directory Domain Controller server (AD1) as Local Administrator

To identify where ConfigMgr gets the information it needs to automatically create boundaries (depending on your discovery preferences) you can open Active Directory Sites and Services on the Active Directory Domain Controller. This tool allows you to edit, create, or delete Subnets or Active Directory sites or to change Forest or Domain Controller.

 

To learn how to add new Sites or Subnets in Active Directory Sites and Services please review the following post on Technet: https://technet.microsoft.com/en-us/library/cc732761.aspx

 

Note: A forest or domain consisting of a single site can be very efficient for a single location network connected completely by high-speed bandwidth. If your forest or domain contains multiple geographic locations that communicate over low-speed wide area network (WAN) connections, establishing multiple sites gives you more detailed control of Active Directory replication behavior, reduces authentication latency, and reduces network traffic on the WAN.

 

adds.png

 

In this sample setup I've already created 3 Active Directory Sites, and then I created 3 subnets and associated each of those subnets with an active directory site as listed below:

  • NewYork - 192.168.5.0/24
  • London - 192.168.4.0/24
  • Stockholm - 192.168.3.0/24

active directory sites and services.png

 

Note: You will want to configure your Sites and Subnets according to your preferences as this is only an example configuration in a lab.

 

Step 2. Review automatically discovered boundaries
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

 

When you enabled Active Directory Forest Discovery in this guide, ConfigMgr automatically created boundaries for you based on the settings you selected. You can review those boundaries it created in the ConfigMgr console.

 

To do so, start the console and browse to the Administration workspace, select Hierarchy Configuration and then select Boundaries. The three Active Directory subnets detected by the discovery method are created as IP address range boundaries because you selected to automatically create IP address range boundaries for IP subnets when they are discovered in Active Directory Forest Discovery.

 

boundaries already discovered.png

 

Note: If you had configured Active Directory Forest Discovery to automatically create Active Directory Site boundaries when they are discovered, then the Active Directory site names would be listed as boundaries also. If you change any subnets or sites within Active Directory Sites and Services, they will not be shown until the Active Directory Forest Discovery method detects them as defined in its schedule. In addition, the discovery method will not remove previously detected subnets or sites.

 

In addition to reviewing what boundaries are listed in the ConfigMgr console, you can use CMTrace to open the ADForestDisc.log file. The log file will be located in the <InstallationPath>\LOGS folder.

 

verbosity level 2.png

 

Tip: You can change the verbosity level of the logging engine for this discovery component by changing the Verbose Logs reg key found in HKLM\Software\Microsoft\SMS\Components\SMS_AD_FOREST_DISCOVERY_MANAGER from the default value of 0 to 2 for verbose logging. Thanks to my buddy Rob for reminding me. Once you've enabled the change, trigger Active Directory Forest Discovery by right-clicking on the method and choosing Run Forest Discovery Now.

 

Step 3. Create a boundary group
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

 

Start the ConfigMgr console and browse to the Administration workspace, select Hierarchy Configuration and then select Boundary Groups. Right-click and choose Create Boundary Group.

 

create boundary group.png

 

When the Create Boundary Group wizard appears, fill in some useful details about the boundary group you are creating. In this example you will name the Boundary Group as NewYork, USA.

 

Tip: To make it easier to visualize what location your boundary groups deal with you could make the name descriptive of the Geographical location. For example for a boundary group that contains servers located in Sweden enter the name of the boundary group as Sweden, Europe. Another boundary group that contains servers in France could be called France, Europe and so on.

 

creating a boundary group.png

 

Click OK when done. The newly created boundary group appears in the console.

 

newly created boundary group.png

Step 4. Adding one or more boundaries to the boundary group
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

 

To add one or more boundaries to a boundary group, start the ConfigMgr console and browse to the Administration workspace, select Hierarchy Configuration and then select Boundary Groups. Right-click the previously created NewYork Boundary Group and choose Properties.

 

boundary group properties.png

 

The boundary group properties are shown.

 

boundary group properties shown.png

 

In this example you will add one IP Address Range boundary to this boundary group. Click on Add to add a boundary to the boundary group. Select the IP Address Range boundary that matches NewYork in the description.

 

adding ip address range boundary.png

 

Alternatively if you have many boundaries, simply enter NewYork into the search field provided and select the available result.

 

searching for a boundary.png

 

After clicking OK, the newly added boundary appears in the boundary group.

 

boundary is added to boundary group.png

 

Click OK to close the wizard. Note that the member count in the boundary group has increased.

 

member count 1.png

 

Step 5. Enabling Automatic Site Assignment for the boundary group
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

 

Site assignment is used by clients that use automatic site assignment to find an appropriate site to join, based on the client's current network location. After a client assigns to a site, the client will not change that site assignment. For example, if the client roams to a new network location that is represented by a boundary in a boundary group with a different site assignment, the client’s assigned site will remain unchanged. Source: Technet.

 

To enable automatic site assignment for a boundary group, start the ConfigMgr console and browse to the Administration workspace, select Hierarchy Configuration and then select Boundary Groups. Right-click the previously created NewYork Boundary Group and choose Properties. Click on the References tab.

 

references tab.png

 

Place a check mark in Use this boundary group for site assignment and using the drop down menu, select the site you wish to assign clients to.

 

use this boundary for site assignment.png

 

Click Apply and close the window by clicking on OK. Back in the console right click anywhere in the column view and choose Site from the list of available options as shown below. By default, the Site column is not selected.

 

select site in column view.png

 

Once done, you'll see the site listed in that column provided that Automatic Site Assignment is enabled for that Boundary Group otherwise it will appear blank.

 

site listed for boundary group.png

 

Note: When you plan for boundary groups, to help avoid overlapping boundaries for site assignment, consider using one set of boundary groups for site assignment, and a second set of boundary groups for content location.

 

Step 6. Adding servers for Content and Policy retrieval for the boundary group
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

 

In System Center Configuration Manager Current Branch you can add site servers to a boundary group for the following options:

  • Content Location
  • State Migration Points
  • Preferred Management Point

Note: If you intend to use preferred management points, you must enable this option for the hierarchy. To do so, in the Configuration Manager console, click Administration > Site Configuration > Sites > Hierarchy Settings. Then, on the General tab of the Hierarchy Settings, select Clients prefer to use management points specified in boundary groups as shown in the screenshot below.

 

Clients prefer to use management points in boundary groups.png

 

To add site system servers to a boundary group, start the ConfigMgr console and browse to the Administration workspace, select Hierarchy Configuration and then select Boundary Groups. Right-click the previously created NewYork Boundary Group and choose Properties. Click on the References tab.

 

In the Site system servers section click on Add and place a check mark for each site system server you want added to this boundary group.

 

Add site system servers.png

 

Click OK when done and the selected site system servers will be listed.

 

Note: If you want to change a Site System Server's connection speed from Fast (the default) to Slow, select the server name and click on Change Connection. Clients prefer Fast to Slow connections.

 

site system servers listed.png

 

Click Apply and then OK and you can now see that the Site System Count has increased.

 

site system count.png

 

Step 8. Automate the above using PowerShell

Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

 

The above steps show how you can configure boundaries and boundary groups using the ConfigMgr console, however you could script it all using PowerShell. The ConfigMgr PowerShell cmdlets for Boundaries alone can be listed with the below command once you've connected to PowerShell in ConfigMgr.

 

connect via powershell.png

Get-Command -Module configurationmanager -Noun *boundary*

boundary powershell cmdlets.png

 

To automate Boundary Group creation using Windows PowerShell, either write your own script or take a look at this one I wrote. It will automate the above nicely and you can extend it to do multiple boundaries/boundary groups.

 

Download the Create Boundary Groups.ps1 script in the Downloads section at the bottom of this guide and extract it to C:\Temp.

 

Open it with Windows PowerShell ISE by starting that as Administrator. Edit the variables in the script to match your environment, most are shown below in the Green box.

 

edit these variables.png

 

When you are happy with the variables, Run the script by pressing F5 or clicking on the Green arrow. The following output will be observed.

 

script has run.png

 

cool !

 

Summary

Creating and configuring Boundaries and Boundary Groups helps Configuration Manager clients to locate content, use automatic site assignment and policy retrieval from preferred management points. Automating the process using Windows PowerShell is fun :-).

 

Thanks for reading my guides !

 

until next time, adios.

 

Downloads

You can download a Microsoft Word copy of this guide dated 2015/12/28 here.

 

How can I configure boundaries.zip

 

The PowerShell script used in this guide is located here.

 

Create Boundary Group.zip

 

Note: There was a bug in the script up until Jan/14/2016. I've corrected it and uploaded the fixed script.

 

 

Next Post > Updates and Servicing Offline mode
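
The console work in Steps 3 to 6, scripted with the ConfigurationManager cmdlets. This is an added example, not the Create Boundary Groups.ps1 script from the Downloads section. The site code, the site system server name and the IP range are assumptions for a lab, and it assumes a module version recent enough to include the -AddSiteSystemServerName parameter.

```powershell
# Added example. Assumed lab values, edit to match your environment.
$SiteCode   = 'P01'                        # assumption: your primary site code
$SiteSystem = 'cm01.sccmlab.com'           # assumption: hypothetical site system server FQDN
$GroupName  = 'NewYork, USA'               # boundary group name used in Step 3
$RangeName  = 'NewYork'                    # display name, used only if the boundary must be created
$RangeValue = '192.168.5.1-192.168.5.254'  # constructed range for the 192.168.5.0/24 lab subnet

# Load the cmdlets from the console installation and switch to the site drive.
# Until the module is imported, no boundary cmdlets exist in the session.
# Assumes the console has connected to the site before, so the site drive exists.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Reuse a boundary that Active Directory Forest Discovery already created for
# this range; create one only if none exists, so reruns add no duplicate boundary.
$boundary = Get-CMBoundary |
    Where-Object { $_.Value -eq $RangeValue } |
    Select-Object -First 1
if (-not $boundary) {
    $boundary = New-CMBoundary -Name $RangeName -Type IPRange -Value $RangeValue
}

# Step 3: create the boundary group if it is missing.
if (-not (Get-CMBoundaryGroup -Name $GroupName)) {
    New-CMBoundaryGroup -Name $GroupName -Description 'Clients in the NewYork AD site' | Out-Null
}

# Step 4: add the boundary to the boundary group.
Add-CMBoundaryToGroup -BoundaryId $boundary.BoundaryID -BoundaryGroupName $GroupName

# Step 5 (site assignment) and Step 6 (site system server for content location).
Set-CMBoundaryGroup -Name $GroupName -DefaultSiteCode $SiteCode `
    -AddSiteSystemServerName $SiteSystem

# Review the result: these are the same columns the console shows.
Get-CMBoundaryGroup -Name $GroupName |
    Select-Object Name, DefaultSiteCode, MemberCount, SiteSystemCount
```

A boundary group that shows an empty DefaultSiteCode in the final output is not used for automatic site assignment, which matches the blank Site column described in Step 5.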



ogeccut    2

One more question here....

Why in PS Get-Command -Module configurationmanager -Noun *boundary*

I am not getting anything? My test VM does not have an internet connection.

 

What's next? :)

Thank you.

anyweb    399

what do you get ?

anyweb    399

sure attach them, but did you launch PowerShell from the ConfigMgr console before doing this ?

ogeccut    2

I have created boundaries on AD1, and now trying to check from the console but getting the following errors in the log:

ERROR: [ForestDiscoveryAgent]: Discovered subnet 192.168.5.0/24 in AD site NewYork in forest sccmlab.com was not saved in the database. Return value was -1. Discovery will be attempted on the next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 10/13/2016 10:00:42 AM 4788 (0x12B4)
ERROR: [ForestDiscoveryAgent]: Discovered subnet 192.168.4.0/24 in AD site London in forest sccmlab.com was not saved in the database. Return value was -1. Discovery will be attempted on the next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 10/13/2016 10:00:42 AM 4788 (0x12B4)
ERROR: [ForestDiscoveryAgent]: Discovered subnet 192.168.3.0/24 in AD site Stockholm in forest sccmlab.com was not saved in the database. Return value was -1. Discovery will be attempted on the next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 10/13/2016 10:00:42 AM 4788 (0x12B4)
Sorry, just took a little time. Ran it again with no issues
