0
© 2012 Microsoft Corporation. All rights reserved.
Microsoft Confidential © 2012 Microsoft Corporation Microsoft Confidential
1
System Center 2012 Configuration Manager
Deploying System Center 2012 Configuration Manager
3
Overview
- Deploying System Center 2012 Configuration Manager Site Servers
- Deploying System Center 2012 Configuration Manager Site Systems
4
Objective
After completing this lesson, you will:
- Understand how to deploy a System Center 2012 Configuration Manager hierarchy:
  - Central Administration Site
  - Primary site(s)
  - Secondary site(s)
  - Site System Roles
- Understand how to install the Configuration Manager console
- Understand how to perform Configuration Manager unattended setup

Introduction
This module provides key information required to deploy a System Center 2012 Configuration Manager hierarchy.

Objectives
After completing this lesson, you will be able to:
- Identify the prerequisites for deploying System Center 2012 Configuration Manager
- Understand Active Directory and PKI certificate dependencies
- Understand System Center 2012 Configuration Manager deployment methods
5
System Center 2012 Configuration Manager Hierarchy Overview
- System Center 2012 Configuration Manager hierarchy types
- Active Directory and PKI certificate requirements
- Extending AD Schema

There are many things that you must consider before you run Setup and install your site:
- Network infrastructure and business requirements
- Supported configurations
- PKI certificate requirements
- Site hierarchy planning
- Windows environment preparation
- Site database planning
6
System Center 2012 Configuration Manager Hierarchy Types
Standalone site
- One Primary Site server
- One or more site system servers
- Can support up to 100,000 clients

If your network bandwidth is sufficient for client computers at the remote location to communicate with a Management Point to download client policy, and send inventory, reporting status, and discovery information, then no Secondary sites are required.

Consider installing a local Distribution Point for:
- Managing deployment content traffic over the WAN
- Using Multicast for Operating System Deployment
- Using App-V streaming

No local Distribution Point is required if:
- BITS provides enough control for WAN traffic
- BranchCache™ is deployed
7
System Center 2012 Configuration Manager Hierarchy Types
Hierarchy of sites – without CAS
- Single Primary Site server
- Can support up to 250 Secondary Sites
- Can support up to 100,000 clients

Consider adding secondary sites if:
- No local administration is required
- Tiered file-based content routing to other secondary sites that have a common parent primary site is required
- You have to manage client information that is sent to sites higher in the hierarchy
8
System Center 2012 Configuration Manager Hierarchy Types
Hierarchy of sites – with CAS

Central Administration Site (CAS)
- Can support up to 25 child Primary Sites
- Can support up to 400,000 clients using an Enterprise edition of SQL Server

Consider adding primary sites to:
- Scale managed clients (more than 100,000 clients)
- Scale child secondary sites (more than 250 secondary sites)
- Load balancing
- Local point of connectivity for administration
- Content regulation

For more information, please see Planning for Configuration Manager Sites and Hierarchy.
9
Expanding a Stand-Alone Primary Site into a Hierarchy by adding CAS
Prerequisites
- The stand-alone primary site and the new CAS must run the same version of Configuration Manager.
- The stand-alone primary site cannot be configured to migrate data from another Configuration Manager hierarchy.
- The computer account of the new CAS site server must be a member of the Administrators group on the stand-alone primary site. (Note: the account will be removed after site expansion completes.)
- Remove the Asset Intelligence synchronization point and the Endpoint Protection point from the stand-alone primary site before you expand the site.
- When the stand-alone primary site is configured for migration, you must stop all active data gathering before you expand the site.
10
Expanding a Stand-Alone Primary Site into a Hierarchy by adding CAS
Considerations and details

Software update points
- Install a SUP on the CAS as soon as possible after the expansion. Until a SUP is configured on the CAS, the SUP at the Primary site cannot synchronize new software updates.
- After the expansion, the stand-alone Primary site automatically reconfigures to synchronize with the SUP at the new CAS site.
- Pre-existing configuration at the primary site automatically applies at the CAS. This includes sync schedules, supersedence configurations and additional related settings.

Packages for software deployment
- Packages that were created at the stand-alone primary site before you expand the site continue to be managed by the primary site. However, these packages replicate as global data to all sites in the hierarchy, and you can manage these packages from the central administration site. The only exception to this is the client installation package.
11
Expanding a Stand-Alone Primary Site into a Hierarchy by adding CAS
Client installation package
- After expansion, ownership of the client installation package transfers to the CAS. As the CAS manages this package, it modifies the package to support only the client operating system languages that are selected at that site. Ensure that the CAS site supports the same client languages that are selected at your primary site.

Client policy
- After you expand a primary site, you must restart the SMS_POLICY_PROVIDER or SMS Executive; otherwise clients will not get new policies.

Default Boot WIM
- The CAS creates and deploys a new default boot WIM after expansion, which becomes the new default WIM for use in the hierarchy. The boot WIM from the stand-alone primary site remains unmodified, and objects for operating system deployment that are based on this WIM continue to function.
12
Hierarchy Expansion: Process
- Existing standalone Primary
- Deploy a new CAS
- Choose to expand an existing hierarchy and enter the standalone primary
- Default settings from the CAS are written to the Primary site
- Global data is then re-initialized from the Primary to the new CAS
- Admin can now deploy another new primary in the hierarchy
13
Hierarchy Expansion vs. Site Attach
Configuration Manager 2007 Configuration Manager 2012 Join site to a hierarchy New Site setup Mergers & Acquisitions Built-in migration feature Hierarchy changes Redeploy – Less of an issue with simplified hierarchies
14
Upgrade paths

From | To | Supported/Possible?
2012 RTM | 2012 SP1 | Yes
2012 RTM | 2012 SP1 Beta | No (support for TAP customers only)
2012 SP1 Beta | 2012 SP1 |
2007 | 2012 RTM | No (fresh install and use migration feature to migrate data)
2007 | 2012 SP1 |
15
Upgrade considerations
- Upgrade must be done using a top-down approach.
- Configuration Manager 2012 SP1 clients cannot be assigned to RTM sites.
- Always run “testDBUpgrade” against a copy of your database prior to upgrading in the production environment.
- Review the Notes section for the best practices of the upgrade process.

Configuration Manager 2012 SP1 upgrade best practices

Prepare for upgrade (perform before onsite):
- Download System Center 2012 Configuration Manager SP1 from TechNet, MSDN, or the VL site.
- Download the Windows ADK.
- Download PowerShell 3.0.
- Download WSUS 3.0 SP2 Update KB
- Download Setup prerequisite files using the SP1 media. Once you have downloaded SP1, extract the contents to a source location, then find the file <InstallMedia>\SMSSETUP\BIN\x64\setupdl.exe and run it. It will ask you to save the files to a source location; we will use this during the install.
- Download the optional tools below.
- Install the WSUS KB on all WSUS servers used by Configuration Manager.
- Uninstall Windows Automated Installation Kit on all site servers.
- Install Windows ADK on all site servers. Select the following options only: WINPE, USMT, Deployment Tools.
- Reboot servers to validate there are no pending reboots.
- If there are multiple System Center products installed, here is the recommended install order:

Upgrade:
- Disable antivirus
- Install Configuration Manager SP1 on the CAS
- Install Configuration Manager SP1 on Primary Sites
- Install PowerShell 3.0 on site servers
- Enable antivirus
- Install new tools (optional)
- Update the Task Sequence for the SP1 client
- Create an Application for the SP1 client
- Update clients
16
Known Issues:
- Client Push install fails with Authenticode error. See for fix.
- Changes to built-in Collections are overwritten: See . This is by design.
- The Configuration Manager 2012 SP1 prerequisite checker will end up with numerous warnings if your primary server has remote site systems (MP, DP and SUP) in a different domain without trust (like a DMZ). The warnings will be related to BITS, IIS and the Server service. You may safely ignore those warnings. They appear because the account which runs the prerequisite checker doesn’t have proper access on the remote site systems.
- SUP doesn’t work after upgrade. To avoid this, please ensure that the CAS, Primary and remote SUP site systems are patched with WSUS patches KB and KB (see Release Notes).
- SUP/WSUS ports are changed to the default ports (80/443) when the customer has specified custom ports. The ports will need to be changed back to the custom ports (8530/8531) on the SUP site server.
- Boot images corrupted with certain AV software. Disabling the AV software during the install avoids the issue.
- Boot images not updating after upgrade:
- Permissions issues on remote MP bgb.box folders. describes the issue. Manually set permissions for the local groups (SMS_SiteSystemToSiteServerConnection_SMSProv_xyz, SMS_SiteSystemToSiteServerConnection_MP_xyz, and SMS_SiteSystemToSiteServerConnection_Stat_xyz).
- Prerequisite Checker fails during installation of Configuration Manager 2012 SP1 with an 'Active Replica MP' error. Looking at the SQL Server configuration, there were no Publications or Subscriptions configured. Look at the properties of the Distributor and check whether a Distribution Publisher location is configured. Workaround: right-click the Replication folder in SQL and select Disable Publishing and Distribution.
- Other issues here:
17
New Tools:
- Configuration Manager 2012 SP1 Toolkit
- Configuration Manager 2012 SP1 SDK
- Package Conversion Manager 2.0

Information Reading:
- What is new in SP1
- How to Upgrade Configuration Manager 2012 to SP1
- Configuration Manager 2012 SP1 Release Notes
- List of public KB articles and major fixes that are included in System Center 2012 Configuration Manager SP1
18
Upgrade: Interoperability
- User upgrades the CAS to SP1
- Schema is replicated throughout the hierarchy
- Hierarchy is now in Interoperability Mode (Interop: On)
  - When a hierarchy is not fully upgraded to SP1, some SP1 features will not be available
  - Functionality that cannot be used will be marked
- First Primary site is upgraded to SP1 (Interop: On)
- Last Primary site is upgraded to SP1 (Interop: Off), assuming this is the last Primary site in the hierarchy
- All Primaries must be upgraded to get out of interoperability mode (Interop: Off)
- Once the hierarchy has been upgraded to SP1, all features will be available
19
Changes to Site System Roles
- Reporting Point -> Reporting services point
- PXE service point -> Distribution point
- Server locator point -> Management Point
- Branch distribution point -> Standard DP & BranchCache
- NLB Management Point -> Multiple Management Points

- Each Primary Site can support up to 10 Management Points and each MP can support up to 25,000 clients.
- Default Management Point: the client will automatically select one of multiple MPs in a site based on network location and capability (HTTPS or HTTP).
- Proxy management point: MP installed at a Secondary site. The Secondary Site Management Point can support up to 5,000 computer clients.

The following site system roles are removed:
- The Reporting Point - All reports are generated by the Reporting Services Point.
- The PXE Service Point - This functionality is moved to the Distribution Point.
- The Server Locator Point - This functionality is moved to the Management Point.
- The Branch Distribution Point - Distribution Points can be installed on servers or workstations that are in an Active Directory domain. The functionality of the branch distribution point is now a BranchCache setting for an application deployment type and the package deployment.

In addition, Network Load Balanced (NLB) Management Points are no longer supported. This configuration is removed from the Management Point component properties. Instead, this functionality is automatically provided when you install more than one Management Point in the site.

The following site system roles are new:
- The Application Catalog website point and the Application Catalog web services point - These site system roles require IIS and support the new client application, Software Center.
- The enrollment proxy point, which manages enrollment requests from mobile devices, and the enrollment point, which completes mobile device enrollment and provisions AMT-based computers. Both site system roles require IIS.
20
Secondary Site or Distribution Point?
Attribute\Capability Configuration Manager 2007 Secondary Site Configuration Manager 2012 Secondary Site Configuration Manager 2012 Distribution Point Complexity Moderate Low Control over package replication Best Support for (Proxy) Management Point Yes No BITS Support for Clients Pre-staging of content (Software Packages) No** PXE Service Point Multi-cast Operating System Deployment Virtualized Application Streaming Licensing Cost None

**These are all properties of the Distribution Point in 2012

Consider deploying a Distribution Point instead of installing another site if any of the following conditions apply:
- Your network bandwidth is sufficient for client computers at the remote location to communicate with a Management Point to download client policy, and send inventory, reporting status, and discovery information.
- Background Intelligent Transfer Service (BITS) does not provide sufficient bandwidth control for your network requirements.

Consider installing a Secondary Site if any of the following conditions apply:
- You do not require a local administrative user for the site.
- You have to manage the transfer of deployment content to sites lower in the hierarchy.
- You have to manage client information that is sent to sites higher in the hierarchy.

For more information, please see Determine Whether to Install a Secondary Site.
21
Replicated Data Types

Global Data (database replication)
- Alert rules
- Client discovery
- Collections rules and count
- Configuration Items metadata
- Deployments
- Operating system images (boot images and driver packages)
- Package metadata
- Program metadata
- Site control file
- Site security objects (security roles and security scopes)
- Software updates metadata
- System Resource List (site system servers)

Site Data
- Alert messages
- Asset Intelligence client access license (CAL) tracking data
- Client Health data
- Client Health history
- Collection membership results
- Component and Site Status Summarizers
- Hardware inventory
- Software distribution status details
- Software inventory and metering
- Software updates site data
- Status messages
- Status summary data

File content (file-based replication)
- Package files used by deployments
- Data from secondary sites
- Fallback Status Point state messages
- Discovery data records

System Center 2012 Configuration Manager transfers data between sites by using database replication and file-based replication. Additionally, the data that is replicated is grouped into the following classifications:
- Global data that replicates by using database replication
- Site data that replicates by using database replication
- File content that replicates by using file-based replication

Global Data: Global data refers to administrator-created objects that replicate to all sites throughout the hierarchy, although secondary sites receive only a subset of global data, as global proxy data. Examples of global data include software deployments, software updates, collections, and role-based administration security scopes. Administrators can create global data at central administration sites and primary sites.

Site Data: Site data refers to operational information that Configuration Manager Primary Sites and the clients that report to Primary Sites create. Site data replicates to the Central Administration Site but not to other Primary Sites. Examples of site data include hardware inventory data, status messages, alerts, and the results from query-based collections. Site data is only viewable at the Central Administration Site and the Primary Site where the data originates. You can modify site data only at the Primary Site where it was created. All site data replicates to the Central Administration Site; therefore, the Central Administration Site can perform administration and reporting for the whole hierarchy.
22
Replication Model
- Global Data
  - Available at: CAS & Primary Sites
  - Ex.: Collections, Packages, Deployments, Security Scopes
- Content
  - Available where content has been distributed to a DP
- Site Data
  - Available at: CAS, Replicating Primary
  - Ex.: HINV, Status, Collection Membership Results
- Global Data subset
  - Ex.: Packages (metadata), Programs
- Content routing between Secondaries
- Sites shown in the diagram: Central Site (Berlin), Germany (Berlin), Spain (Madrid), Cordoba, Sevilla
- Slide date: 2/15/2012

Database replication: Database replication in System Center 2012 Configuration Manager uses Configuration Manager database replication. Configuration Manager database replication uses the SQL Server Service Broker to transfer data between the SQL Server databases of different sites in a hierarchy. By default, the SQL Server Service Broker installs with SQL Server, and uses port 4022. Data, represented as objects, can include different types of information such as configuration settings or client inventory or status information. When a new site installs, a snapshot of the parent site's database is taken by bulk copy (BCP) and transferred by Server Message Block (SMB) to the new site, where it is inserted by BCP into the local database.

File-based replication: File-based replication in System Center 2012 Configuration Manager transfers data in file format between System Center 2012 Configuration Manager sites. This is accomplished by use of a sender and address combination that defines how and when a network connection to a parent or child site can be established. In a change from past versions of Configuration Manager, System Center 2012 Configuration Manager supports a single type of sender, and it uses the Server Message Block protocol.

Data replication considerations:
- If you require reports that contain site data for multiple sites in a hierarchy, consider installing the reporting services point on a site system at the Central Administration Site and use the Central Administration Site database as the reporting data source.
- If you require reports that contain site data for a specific primary site or global data, but you do not want the report user to have access to site data from other Primary Sites, install a Reporting Services Point on a site system at the Primary Site and use the Primary Site’s database as the reporting data source.
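The replication notes above name two transports between sites: Service Broker on port 4022 for database replication, and SMB for file-based replication and the initial snapshot copy. The following PowerShell is an added example, not part of the training deck; it expands a hierarchy into the TCP flows a firewall must permit and tests the ones that start at the local server. The host names are constructed placeholders, and TCP 445 for SMB is an assumption the slides do not state.

```powershell
# Added example. Host names are constructed placeholders; replace them with your site servers.
# Requires PowerShell 3.0 or later ([pscustomobject]).
# Ports: 4022 is the SQL Server Service Broker default named in the notes above;
#        445 is SMB over TCP (assumption: the deck names SMB but not the port).

# Parent/child links of the hierarchy (constructed sample).
$Links = @(
    @{ Child = 'pri01.corp.example'; Parent = 'cas01.corp.example' },
    @{ Child = 'pri02.corp.example'; Parent = 'cas01.corp.example' },
    @{ Child = 'sec01.corp.example'; Parent = 'pri02.corp.example' },
    @{ Child = 'sec02.corp.example'; Parent = 'pri02.corp.example' }
)

function Get-ReplicationFlow {
    # Expands each parent/child link into the TCP flows replication needs, in both directions.
    param(
        [Parameter(Mandatory = $true)][hashtable[]]$Links,
        [int]$BrokerPort = 4022,   # change if the Service Broker port was customised (SP1)
        [int]$SmbPort = 445
    )
    foreach ($link in $Links) {
        $directions = @(
            @{ Source = $link.Child;  Destination = $link.Parent },
            @{ Source = $link.Parent; Destination = $link.Child }
        )
        foreach ($d in $directions) {
            [pscustomobject]@{ Source = $d.Source; Destination = $d.Destination
                               Port = $BrokerPort; Purpose = 'Database replication (Service Broker)' }
            [pscustomobject]@{ Source = $d.Source; Destination = $d.Destination
                               Port = $SmbPort; Purpose = 'File-based replication (SMB)' }
        }
    }
}

function Test-TcpPort {
    # Returns $true when a TCP connection to the port completes within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $client.Connected
    }
    catch { return $false }        # refused, unreachable, or name not resolved
    finally { $client.Close() }
}

function Test-ReplicationFlow {
    # Tests only the flows that originate from this computer; run it on each site server in turn.
    param(
        [object[]]$Flows,
        [string]$LocalName = [System.Net.Dns]::GetHostEntry('').HostName
    )
    foreach ($flow in $Flows) {
        if ($flow.Source -ne $LocalName) { $state = 'not tested from this host' }
        elseif (Test-TcpPort -ComputerName $flow.Destination -Port $flow.Port) { $state = 'open' }
        else { $state = 'blocked or unreachable' }
        [pscustomobject]@{ Source = $flow.Source; Destination = $flow.Destination
                           Port = $flow.Port; Purpose = $flow.Purpose; State = $state }
    }
}

Test-ReplicationFlow -Flows (Get-ReplicationFlow -Links $Links) | Format-Table -AutoSize
```

The output of Get-ReplicationFlow on its own doubles as the list of site-to-site rules to request from the firewall team; anything broader than these source/destination pairs is not needed for replication.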
23
Replication Improvement in SP1

Replication Link
- Replication traffic compression
  - Decrease CAS traffic size ~>70%
  - Increase SQL CPU ~< 11%
  - Default on for all links
- Change SQL Server Service Broker ports
  - Ease management for security
- Configure replication retention threshold
  - Allow for extended outages
  - Configure for problematic networks

Active Directory Schema Extension: All System Center 2012 Configuration Manager site systems must be members of a Windows Active Directory domain. Configuration Manager Active Directory schema extensions provide many benefits for Configuration Manager sites, but they are not required for all Configuration Manager functions. If you have extended your Active Directory schema for Configuration Manager 2007, you do not have to update your schema for System Center 2012 Configuration Manager. You can update the Active Directory schema before or after you install Configuration Manager. Schema updates do not interfere with an existing Configuration Manager 2007 site or clients. For more information about extending the Active Directory schema for System Center 2012 Configuration Manager, see:
- Determine Whether to Extend the Active Directory Schema for Configuration Manager
- Prepare Active Directory for Configuration Manager

Disjoint Namespaces: With the exception of out of band management, Configuration Manager supports installing site systems and clients in a domain that has a disjoint namespace. To allow a computer to access domain controllers that are disjoint, you must modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. You must add both of the DNS suffixes to the attribute. In addition, to ensure that the DNS suffix search list contains all DNS namespaces that are deployed within the organization, you must configure the search list for each computer in the domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain controller, the DNS domain name, and any additional namespaces for other servers with which Configuration Manager might interoperate. You can use the Group Policy Management console to configure the Domain Name System (DNS) suffix search list.

Single Label Domains: Configuration Manager does not support single label domains (SLD). For more information, see Article in the Microsoft Knowledge base.
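The disjoint-namespace note above sets two requirements: both DNS suffixes in msDS-AllowedDNSSuffixes on the domain object, and a complete DNS suffix search list on each computer. The following read-only PowerShell check is an added example, not part of the training deck. It assumes the ActiveDirectory module (RSAT) is installed; the disjoint suffix and the additional namespace are hypothetical values.

```powershell
# Added example; read-only, changes nothing in Active Directory or the registry.
# Requires PowerShell 3.0 or later and the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical values: the primary DNS suffix used by computers in the disjoint namespace,
# and any further namespaces of servers that Configuration Manager interoperates with.
$DisjointSuffix       = 'servers.corp.example'
$AdditionalNamespaces = @('dmz.corp.example')

function Get-MissingSuffix {
    # Returns the entries of $Required that are absent from $Present (case-insensitive).
    param([string[]]$Required, [string[]]$Present)
    $have = @($Present | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLowerInvariant() })
    @($Required | Where-Object { $have -notcontains $_.Trim().ToLowerInvariant() })
}

function Get-DnsSuffixSearchList {
    # The value set by Group Policy takes precedence over the locally configured one.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name SearchList -ErrorAction SilentlyContinue).SearchList
        if ($value) { return @($value -split ',') }
    }
    return @()
}

# 1. msDS-AllowedDNSSuffixes on the domain object must hold both suffixes:
#    the Active Directory DNS domain name and the disjoint primary DNS suffix.
$domain    = Get-ADDomain
$domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-AllowedDNSSuffixes'
$allowed   = @($domainObj.'msDS-AllowedDNSSuffixes')
$missingInDirectory = Get-MissingSuffix -Required @($domain.DNSRoot, $DisjointSuffix) -Present $allowed

# 2. The suffix search list on this computer must cover every namespace in use.
$searchList          = @(Get-DnsSuffixSearchList)
$requiredNamespaces  = @($domain.DNSRoot, $DisjointSuffix) + $AdditionalNamespaces
$missingInSearchList = Get-MissingSuffix -Required $requiredNamespaces -Present $searchList

[pscustomobject]@{
    Domain                 = $domain.DNSRoot
    AllowedDnsSuffixes     = $allowed -join ', '
    MissingFromAttribute   = $missingInDirectory -join ', '
    SuffixSearchList       = $searchList -join ', '
    MissingFromSearchList  = $missingInSearchList -join ', '
    Compliant              = ($missingInDirectory.Count -eq 0 -and $missingInSearchList.Count -eq 0)
} | Format-List
```

Run the first check once per domain and the second on each site system and client in the disjoint namespace, since the search list is a per-computer setting.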
24
Replication Improvement in SP1

Distributed Views
- Distributed Views are set up under Link properties between CAS and Primary Sites.
- CAS and Primary should be well connected
- It reduces site data replication and SQL Server replication loads
- Improve SQL Server performance

Notes:
- Single provider supported at the CAS
- Single SSRS at the CAS
- Distributed Views and Scheduling are mutually exclusive
25
Replication Improvement in SP1

Schedule Site Data
- Schedule Site Data is set up under Link properties between CAS and Primary Sites.
- CAS and Primary should be well connected.
- It reduces site data replication and SQL Server replication loads.
- Improve SQL Server performance
- Protect business critical network applications
- Use excess bandwidth

Notes:
- Distributed Views and Scheduling are mutually exclusive
26
Replication Improvement in SP1

Reporting
- There are 10 new reports for Replication traffic
27
Active Directory requirements
All site systems must be members of Active Directory domain
Changing domain membership or computer name of a site system after installation is not supported
Sites and hierarchies can span Active Directory forests
Configuration Manager supports the Exchange Server connector in a different forest from the site server
DNS forwarding might be required
Extending Active Directory schema is optional but highly recommended
If you extended the schema for SCCM 2007 SP1 you do not need to extend the schema again
Configuration Manager can publish site data to trusted forests

Active Directory Schema Extension: All System Center 2012 Configuration Manager site systems must be members of a Windows Active Directory domain. Configuration Manager Active Directory schema extensions provide many benefits for Configuration Manager sites, but they are not required for all Configuration Manager functions. If you have extended your Active Directory schema for Configuration Manager 2007, you do not have to update your schema for System Center 2012 Configuration Manager. You can update the Active Directory schema before or after you install Configuration Manager. Schema updates do not interfere with an existing Configuration Manager 2007 site or clients. For more information about extending the Active Directory schema for System Center 2012 Configuration Manager, see Determine Whether to Extend the Active Directory Schema for Configuration Manager and Prepare Active Directory for Configuration Manager.

Disjoint Namespaces: With the exception of out of band management, Configuration Manager supports installing site systems and clients in a domain that has a disjoint namespace. To allow a computer to access domain controllers that are disjoint, you must modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. You must add both of the DNS suffixes to the attribute. In addition, to ensure that the DNS suffix search list contains all DNS namespaces that are deployed within the organization, you must configure the search list for each computer in the domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain controller, the DNS domain name, and any additional namespaces for other servers with which Configuration Manager might interoperate. You can use the Group Policy Management console to configure the Domain Name System (DNS) suffix search list.

Single Label Domains: Configuration Manager does not support single label domains (SLD). For more information, see Article in the Microsoft Knowledge base.
28
Cross-forest Communication
Site <-> Site
Two-way forest trust: Required
Actions required: Firewall configuration, Name resolution

Site <-> Site System
Two-way forest trust: Not Required
Actions required:
User policies are supported only when the Internet-based management point trusts the forest that contains the user accounts
Out of band service point must be installed in the same forest as the site server
Grant appropriate access to the SQL Server database to: Management Point Database Connection Account, Enrollment Point Connection Account

Client <-> Site System
Clients that are not in the same forest as their site’s site server*: Two way trust required or the site system must be in the same forest as the client.
The site system role server is located in the same forest as the client
The client is on a domain computer that does not have a two-way trust with site server and site system role are not installed in the client’s forest
Clients must be able to locate:
Site system servers
Site resources, such as Management Points and deployment content
Client can use AD when their site is published to their AD Forest. To publish site information to another AD Forest, you must first specify the forest and then enable publishing to that forest in the AD Forests node of the Administration workspace.
For clients that cannot use AD for service location, you can use DNS/WINS or the client’s assigned MP.
*Cannot manage AMT-based computers out of band when these computers are in a different forest from the site server.

More detail info on cross forest:

System Center 2012 Configuration Manager supports sites and hierarchies that span Active Directory forests. Configuration Manager also supports clients that are not in the same Active Directory forest as the site server. To support clients in a forest that is not trusted by your site server’s forest, install site system roles in that untrusted forest. To manage internet-based clients, site system roles can be installed on your perimeter network. For example, a perimeter network can include locations that do not have a two-way trust with the site server’s forest.

Configuration Manager supports the Exchange Server connector in a different forest from the site server. To support this scenario, ensure that name resolution works across the forests (for example, configure DNS forwards), and specify the intranet FQDN of the Exchange Server when you configure the Exchange Server connector. For more information, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.

The Management Point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must configure the site system role connection account to enable the site system role to obtain information from the database. If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site:
Management point: Management Point Database Connection Account
Enrollment point: Enrollment Point Connection Account
29
AD Schema Extension
Extending the Active Directory schema is a forest-wide irreversible action and can only be done one time per forest
Member of the Schema Admins Group
You can extend the schema before or after setup

There are no changes in AD Schema extensions in Configuration Manager 2012 Sp1 from RTM version. If you have extended schema for Configuration Manager 2007 or Configuration Manager 2012 RTM, you do not have to extend the schema again for Configuration Manager 2012 Sp1.

Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup.

Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
Extend the Active Directory schema.
Create the System Management container.
Set security permissions on the System Management container.
Enable Active Directory publishing for the Configuration Manager site.

For a complete list of all classes and attributes added to Active Directory Domain Services, review the ConfigMgr_ad_schema.LDF file that is located in the \SMSSETUP\BIN\x64 folder of the System Center 2012 Configuration Manager installation media.
For information about extending the schema, creating the System Management container, and on setting security permissions on the container, see Prepare Active Directory for Configuration Manager in the Prepare the Windows Environment for Configuration Manager topic.
For information about enabling publishing for Configuration Manager sites, see Planning for Publishing of Site Data to Active Directory Domain Services.
30
Why should I extend AD Schema?
Functionality: Client computer installation and site assignment
AD Schema Extended: Clients can search Active Directory Domain Services for installation properties.

Functionality: Port configuration for client-to-server communication
AD Schema Extended: Client can obtain this new port setting from Active Directory Domain Services.

Functionality: Network Access Protection
AD Schema Extended: Required

Functionality: Content deployment scenarios
AD Schema Extended: Site’s public key is made available to all sites in the hierarchy.

When you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish site information to Active Directory Domain Services. Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead.
NAP: Configuration Manager publishes health state references to Active Directory Domain Services so that the System Health Validator point can validate a client’s statement of health.
Important: Extend AD Schema for each forest managed by Configuration Manager
31
Actions Required if AD Schema is not Extended
Functionality: Client computer installation and site assignment
Required actions: You must use one of the following workarounds to provide configuration details that computers require to install:
Use client push installation
Install clients manually and provide client installation properties by using CCMSetup installation command-line properties. This must include the following:
/mp:<Management Point name computer name> or /source:<path to client source files>
SMSMP (Specify a list of initial Management Points for the client to use)
Publish the Management Point in DNS or WINS and configure clients to use this service location method

Functionality: Port configuration for client-to-server communication
Required actions: You must use one of the following workarounds to provide this new port configuration to existing clients:
Reinstall clients and configure them to use the new port information.
Deploy a script to clients to update the port information. If clients cannot communicate with a site because of the port change, you must deploy this script externally to Configuration Manager. For example, you could use Group Policy.

Functionality: Network Access Protection
Required actions: Not available

Functionality: Content deployment scenarios
Required actions: Use the hierarchy maintenance tool, preinst.exe, to exchange the secure key information between sites directly
32
How to Prepare Active Directory for Configuration Manager
Extend the Active Directory schema
By running the extadsch.exe
By using the ConfigMgr_ad_schema.ldf file
Create the System Management container in Active Directory Domain Services
Set security permissions on the System Management container
All site server computer accounts must be granted Full Control permissions to the System Management container and all its child objects
Enable Active Directory publishing for the Configuration Manager site

Three actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
Extend the Active Directory schema.
Create the System Management container.
Set security permissions on the System Management container.
33
PKI Requirements
Sites are no longer configured for mixed mode or native mode
Individual site system roles can be configured to support client connections over HTTPS or HTTP
Mobile devices and client connections over the Internet must use HTTPS
Most of the PKI certificate requirements from Configuration Manager 2007 remain the same for HTTPS site systems roles
Many certificates now support SHA-2 in addition to SHA-1

With the exception of the client certificates that Configuration Manager enrolls on mobile devices, and the certificates that Configuration Manager installs on AMT-based computers, you can use any PKI to create, deploy, and manage the following certificates. However, when you use Active Directory Certificate Services and certificate templates, this Microsoft PKI solution can ease the management of the certificates. Use the "Microsoft certificate template to use" column to identify the certificate template that most closely matches the certificate requirements. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or Datacenter Edition of the server operating system, such as Windows Server 2008 Enterprise and Windows Server 2008 Datacenter.

For sites that use HTTPS client connections: No PKI certificate for document signing is required (the site server signing certificate in Configuration Manager 2007) because System Center 2012 Configuration Manager automatically creates this certificate (self-signed).

Important: When you use an enterprise certification authority and certificate templates, do not use the version 3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create certificates that are incompatible with Configuration Manager.

For step-by-step guidance for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority.
For more information about Active Directory Certificate Services, see Active Directory Certificate Services in Windows Server.
34
PKI Certificates for Servers
Configuration Manager component: Certificate purpose / Microsoft certificate template to use
Site systems that run IIS and HTTPS client connections (Management Point, Distribution Point, Software Update Point, State Migration Point, Enrollment point, Enrollment proxy point, Application Catalog web service point, Application Catalog website point): Server authentication / Web Server
Network Load Balancing (NLB) cluster for a Software Update Point
Site system servers and servers that run Microsoft SQL Server
Site system monitoring for:
Client authentication / Workstation Authentication
Site systems that have a Distribution Point installed
Out of band service point: AMT Provisioning / Web Server (modified)

Network infrastructure component: Certificate purpose / Microsoft certificate template to use
Proxy web server accepting client connections over the Internet: Server authentication and client authentication / Web Server, Workstation Authentication
35
PKI Certificates for Clients
Configuration Manager component: Certificate purpose / Microsoft certificate template to use
Client computers: Client authentication / Workstation Authentication
Mobile device clients: Authenticated Session
Boot images for deploying operating systems
Root certification authority (CA) certificates for the following scenarios (Operating system deployment, Mobile device enrollment, RADIUS server authentication for Intel AMT-based computers, Client certificate authentication): Certificate chain to a trusted source / N/A
Intel AMT-based computers: Server authentication / Web Server (modified) *
Intel AMT 802.1X client certificate: Workstation Authentication **

For more details, please see PKI Certificate Requirements for Configuration Manager

Note: * You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format. You must grant Read and Enroll permissions to the universal security group that you specify in the out of band management component properties.

Note: ** You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format, clear the DNS name and select the User Principal Name (UPN) for the alternative subject name. You must grant the universal security group that you specify in the out of band management component properties Read and Enroll permissions to this certificate template.
36
Extending Active Directory schema
To extend the Active Directory schema by using Extadsch.exe
1. Create a backup of the schema master domain controller’s system state.
2. Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group.
3. Run extadsch.exe, located at \SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema.
4. Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.
5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.

Important: You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the extadsch.exe file by using the Run As command to attempt to extend the schema using alternate credentials will fail.

For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.

Note: To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode.
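The checks in steps 2 and 4 can be scripted. The following is an added example, not part of the original slides or of the Configuration Manager media. It assumes the ActiveDirectory RSAT module is installed, and it assumes the Configuration Manager schema objects use the CN prefix MS-SMS- (confirm the names against ConfigMgr_ad_schema.LDF); the function names are hypothetical.

```powershell
# Added example (not from the deck). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Test-SchemaExtensionPreflight {
    # Step 2: are we on the schema master, logged on with Schema Admins in the token?
    $forest       = Get-ADForest
    $schemaMaster = $forest.SchemaMaster   # FQDN of the schema master role holder
    $localFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Schema Admins is the well-known RID 518 in the forest root domain.
    $rootSid        = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
    $schemaAdminSid = "$rootSid-518"

    # Group SIDs carried by the current logon token. Run this from an elevated
    # session: a UAC-filtered token may not list the group as enabled.
    $tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }

    [pscustomobject]@{
        SchemaMaster        = $schemaMaster
        OnSchemaMaster      = ($localFqdn -ieq $schemaMaster)
        SchemaAdminsInToken = ($tokenSids -contains $schemaAdminSid)
    }
}

function Get-ConfigMgrSchemaObjects {
    # Step 4 (directory side): list the classes and attributes present in the schema.
    # Assumption: the ConfigMgr objects share the CN prefix 'MS-SMS-'.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=MS-SMS-*)' -Properties whenCreated |
        Sort-Object ObjectClass, Name |
        Select-Object Name, ObjectClass, whenCreated
}

function Show-ExtadschLog {
    # Step 4 (log side): extadsch.log is written to the root of the system drive.
    $log = Join-Path "$env:SystemDrive\" 'extadsch.log'
    if (Test-Path $log) { Get-Content -Path $log -Tail 20 }
    else { Write-Warning "No extadsch.log found at $log" }
}

# Usage: run the preflight before extadsch.exe, the other two afterwards.
# Test-SchemaExtensionPreflight
# Get-ConfigMgrSchemaObjects
# Show-ExtadschLog
```

An empty result from Get-ConfigMgrSchemaObjects after extadsch.exe has run means the extension did not reach the schema partition, regardless of what the log tail shows.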
37
New Text-Only Slide (Hidden)
To manually create the System Management container
1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
2. Run ADSI Edit, and connect to the domain in which the site server resides.
3. Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object.
4. In the Create Object dialog box, select Container, and then click Next.
5. In the Value box, type System Management, and then click Next.
6. Click Finish to complete the procedure.

To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool
1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.
2. Click View, and then click Advanced Features.
3. Expand the System container, right-click System Management, and then click Properties.
4. In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
5. Click Advanced, select the site server’s computer account, and then click Edit.
6. In the Apply onto list, select This object and all child objects.
7. Click OK to close the Active Directory Users and Computers administrative tool and complete the procedure.
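The two GUI procedures above can also be done, and afterwards audited, from PowerShell. This is an added example, not part of the original slides. It assumes the ActiveDirectory RSAT module and an account with the rights the procedures require; the function names and the sample computer name CM01 are hypothetical.

```powershell
# Added example (not from the deck). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Grant-SiteServerSystemManagement {
    param(
        # Computer name of the site server, e.g. 'CM01' (hypothetical sample value)
        [Parameter(Mandatory)] [string] $SiteServerName
    )
    $systemDN    = "CN=System,$((Get-ADDomain).DistinguishedName)"
    $containerDN = "CN=System Management,$systemDN"

    # Create the container only when it is not already there.
    $found = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=container)(cn=System Management))'
    if (-not $found) {
        New-ADObject -Name 'System Management' -Type 'container' -Path $systemDN
    }

    # Full Control (GenericAll), applied to this object and all child objects.
    $sid  = (Get-ADComputer -Identity $SiteServerName).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl = Get-Acl -Path "AD:\$containerDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$containerDN" -AclObject $acl
}

function Get-SystemManagementFullControl {
    # Audit: every Allow ACE that carries Full Control on the container, so that
    # principals other than the expected site server accounts stand out.
    $containerDN = "CN=System Management,CN=System,$((Get-ADDomain).DistinguishedName)"
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$containerDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($fullControl)
        } |
        Select-Object IdentityReference, IsInherited, InheritanceType
}

# Usage:
# Grant-SiteServerSystemManagement -SiteServerName 'CM01'
# Get-SystemManagementFullControl
```

Because the site server publishes the records clients use to locate site resources into this container, the audit output is worth reviewing whenever a site server is added or retired.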
38
Lesson Review
Can a single site span multiple forests? Yes
How can you verify if AD Schema extension is completed successfully? See C:\Extadsch.log.
39
Deploying a Central Administration Site
Configuration Manager supported configurations
Central Administration Site prerequisites
Central Administration Site setup options
Demo: Central Administration Site setup
40
Configuration Manager Supported Configurations
Must be 64-bit operating system
Windows Server 2008/2008 R2 Standard/Enterprise/Data Center Edition
Windows Server 2012 (for Configuration Manager 2012 Sp1)
Server Core installation is not supported
Windows Server cluster is supported only for the site database server
Secondary sites and site database servers are not supported on a computer running Windows Server 2008 or Windows Server 2008 R2 that uses a read-only domain controller (RODC)
For more information please see: Supported Configurations for Configuration Manager
Requirements for Windows Server 2012:
41
Support for Virtualized Environments
All site server roles are supported in the following virtualization environments:
Windows Server 2008
Microsoft Hyper-V Server 2008
Windows Server 2008 R2
Microsoft Hyper-V Server 2008 R2

Note: You can validate that your virtualization environment is supported for Configuration Manager by using the Server Virtualization Validation Program (SVVP) and its online Virtualization Program Support Policy Wizard. For more information about the Server Virtualization Validation Program, see Windows Server Virtualization Validation Program.

Additional Info - Virtualization Considerations:
Configuration Manager does not support Virtual PC or Virtual Server guest operating systems running on Macintosh.
Configuration Manager cannot manage offline virtual machines. Configuration Manager cannot manage virtual machines unless they are running. An offline virtual machine image cannot be updated nor can inventory be collected by using the Configuration Manager client on the host computer.
No special consideration is given to virtual machines. For example, Configuration Manager might not determine that an update has to be re-applied to a virtual machine image if it is stopped and restarted without saving the state of the virtual machine to which the update was applied.
42
SQL Server Supported Configurations
Configuration Manager 2012 RTM or Sp1 (SQL Server Enterprise/Standard Edition):
SQL Server 2008 SP2 with Cumulative Update 9
SQL Server 2008 SP3 with Cumulative Update 4
SQL Server 2008 R2* with SP1 and Cumulative Update 6
SQL Server 2008 R2* with Sp2 (no CU)
Secondary Site ONLY:
SQL Server Express 2008 R2 with SP1 and Cumulative Update 6
SQL Server Express 2008 R2 with Sp2 and no CU

Configuration Manager 2012 Sp1 only
SQL Server 2012 Standard/Enterprise with no SP and minimum of CU2
SQL Server 2012 Std./Enterprise with SP1
Secondary Site SQL Server 2012 Express (no SP) and min. of CU2
Secondary site SQL Server 2012 Sp1 or SQL Server Express 2012 Sp1.

Important: * Configuration Manager with no service pack does not support the site database on any version of a SQL Server 2008 R2 cluster. This includes any service pack version or cumulative update version of SQL Server 2008 R2. With Configuration Manager SP1, the site database is supported on a SQL Server 2008 R2 cluster.

Updated on 2/11/2013 for SQL Server 2012 Sp1 support

More info on SQL Server Supported Configurations:
Configuration Manager database replication does not require the SQL Server replication feature.
SQL Server Ports: Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022. Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles by default use port TCP
The following site system roles communicate directly with the SQL Server database:
Management Point
SMS Provider computer
Reporting Services Point
Site server
When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports.
Important: Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication.
43
SQL Server Supported Configurations
Each site must use SQL_Latin1_General_CP1_CI_AS collation
Only Database Engine Services feature* is required for each site server
Windows authentication
Dedicated instance of SQL Server for each site on a shared SQL Server
Active/Passive cluster and multiple instance configuration is supported
* ConfigMgr database replication does not require the SQL Server replication feature.
44
SQL Server Memory Configuration
Maximum SQL Server memory:
Co-Located database server: 50% of the available memory
Dedicated SQL Server: 80% of the available memory
Minimum SQL Server memory:
8 GB for CAS and primary site servers
4 GB for secondary site servers

When you use a database server that is co-located with the site server, dedicate 50 percent of the available addressable system memory for SQL Server. When you use a dedicated SQL Server, dedicate 80 percent of the available addressable system memory for SQL Server.

Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory in the buffer pool used by an instance of SQL Server for the Central Administration Site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio).
45
CAS Supported Configuration
Required for hierarchies with more than one primary site
Supports only primary sites as child sites (Up to 25 child sites)
The hierarchy supports up to:
50,000 clients when using SQL Server Standard (co-located or remote from the site server)
400,000 clients when using SQL Server Enterprise (co-located or remote from the site server)
Supports only the following site system roles:
Asset Intelligence Synchronization Point
Endpoint Protection Point
Reporting Services Point
Software Update Point
System Health Validator Point

Determine Whether to Install a Central Administration Site:
Install a Central Administration Site if you plan to install multiple primary sites. Use a Central Administration Site to configure hierarchy-wide settings and to monitor all sites and objects in the hierarchy. This site type does not manage clients directly but it does coordinate inter-site data replication, which includes the configuration of sites and clients throughout the hierarchy.

Use the following information to help you plan for a Central Administration Site:
The Central Administration Site is the top-level site in a hierarchy.
When you configure a hierarchy that has more than one primary site, you must install a Central Administration Site.
The Central Administration Site supports only primary sites as child sites.
The Central Administration Site cannot have clients assigned to it.
The Central Administration Site does not support all site system roles.
You can manage all clients in the hierarchy and perform site management tasks for any primary site when you use a Configuration Manager console that is connected to the Central Administration Site.
The Central Administration Site is the only place where you can see site data from all sites. This data includes information such as inventory data and status messages.
You can configure discovery operations throughout the hierarchy from the Central Administration Site by assigning discovery methods to run at individual sites.
You can manage security throughout the hierarchy by assigning different security roles, security scopes, and collections to different administrative users. These configurations apply at each site in the hierarchy.
You can configure addresses that control communication between sites in the hierarchy. This includes settings that manage the schedule and bandwidth for transferring file-based data between sites.
CAS does not process data submitted by clients, except for the Heartbeat Discovery DDR.
Information flows up to CAS and down to other sites

Migration Consideration: The Central Administration Site must always be installed on new hardware
46
Pre-installation Applications
Setup Downloader (setupdl.exe)
A stand-alone* application that verifies and downloads required prerequisite redistributables, language packs, and the latest product updates for Setup
You must have Full Control NTFS file system permissions to the download folder
Log file: ConfigMgrSetup.log file in the root of the C: drive
Example: <ConfigMgrSourceFiles>\SMSSETUP\BIN\X64\setupdl /NOUI \\MyServer\ConfigMgrUpdates

Command line: Description
/VERIFY: Verify the files in the download folder, which include language files.
/VERIFYLANG: Verify the language files in the download folder.
/LANG: Download only the language files
/NOUI: Start Setup Downloader without displaying the user interface. You must specify the download path
<DownloadPath>: Specify the path to the download folder

*setupdl.exe requires other dll files located under x64 folder so you cannot really use setupdl.exe completely stand-alone.

Setup Downloader
Configuration Manager Setup Downloader is a stand-alone application that verifies and downloads required prerequisite redistributables, language packs, and the latest product updates for Setup. When you install a Configuration Manager site, you can specify a folder that contains required files or Setup can automatically start the Setup Downloader to download the latest files from the Internet. You might choose to run Setup Downloader before you run Setup and store the files on a network shared folder or removable hard drive. This is necessary when the planned site server computer does not have Internet access or a firewall prevents the files from downloading. After you download the latest files, you can use the same path to the download folder to install multiple sites. When you install sites, always verify that the path to the download folder contains the most recent version of the files.

You can open Setup Downloader and specify a path to the folder that will host the downloaded files, or you can run Setup Downloader from a command prompt and specify command-line options. Use the following procedures to start Setup Downloader and download the latest Configuration Manager files that are required by Setup.
47
Pre-installation Applications
Prerequisite Checker (prereqchk.exe)
A standalone application that verifies server readiness for a site server or specific site system roles.
You must have Administrator rights on the server.
Required files (<ConfigMgrSourceFiles>\SMSSETUP\BIN\X64): prereqchk.exe, prereqcore.dll, basesql.dll, basesvr.dll, baseutil.dll
Log file: ConfigMgrPrereq.log in the root of the C: drive.

Before site installation, Setup runs the Prerequisite Checker. You might choose to manually run the Prerequisite Checker on potential site servers or site systems to verify server readiness. This allows you to remediate any issues that you find before you run Setup. When you run Prerequisite Checker without command-line options, the local computer is scanned for an existing site server and only the checks that are applicable to the site are run. If no existing sites are detected, all prerequisite rules are run. You can run Prerequisite Checker from a command prompt and specify command-line options to perform only the checks associated with the site server or site systems specified in the command line. When you specify another server to check, you must have Administrator rights on that server for Prerequisite Checker to complete the checks. For more information about the prerequisite checks that are performed by Prerequisite Checker, see Technical Reference for the Prerequisite Checker in Configuration Manager.
48
Prereqchk.exe Command-line for CAS
Command-line option (Required?): Description
/NOUI (No): Start Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line.
/CAS (Yes): Verifies that the local computer meets the requirements for the Central Administration Site.
/SQL <FQDN of SQL Server>: Verifies that the specified computer meets the requirements for SQL Server to host the Configuration Manager site database.
/SDK <FQDN of SMS Provider>: Verifies that the specified computer meets the requirements for the SMS Provider.
/Ssbport: Verifies that a firewall exception is in effect to allow communication on the SSB port. The default port number is 4022.
InstallDir <ConfigMgrInstallationPath>: Verifies minimum disk space requirements for site installation.

To start Prerequisite Checker from a command prompt and run Central Administration Site checks:
1. Open a command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or ConfigMgrInstallationPath\SMSSETUP\BIN\X64
2. Type prereqchk.exe with command-line options to check requirements for a Central Administration Site installation

Usage examples (optional options are displayed in brackets):
prereqchk.exe /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider> /Ssbport 4022
prereqchk.exe /NOUI /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider>

When you run the command line, unless you use the NOUI option, Prerequisite Checker opens and starts scanning the specified servers using the prerequisite checks applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems found. Click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the C: drive to review the Prerequisite Checker results.

Prereqchk.exe /CAS /SQL sqlsrv.contoso.com /sdk sdksrv.contoso.com /Ssbport InstallDir D:\ConfigMgr12
49
CAS - Prerequisites Checker
Level Site Type Administrator rights on Central Administration Site Error Primary site Administrative rights on site system CAS Secondary site Connection to SQL Server on Central Administration Site Site server computer account administrative rights SQL Server Site System to SQL Server Communication Warning Management Point SQL Server sysadmin rights
We also check for Management Point dependencies.
Technical Reference for the Prerequisite Checker in Configuration Manager
50
CAS Setup Options
Configuration Manager Setup Wizard
Unattended install
New in Configuration Manager 2012 SP1: You have the option to install the CAS as the first site of a new hierarchy, or install the central administration site to expand a stand-alone primary site into a hierarchy with the new central administration site.
You can upgrade from the RTM version of Configuration Manager 2012 to SP1.
51
Installing Central Administration Site (Screen shots)
For step by step screen shot refer to One Note - Concepts_Admin_Module_02 Deploying Configuration Manager 2012_v2.0 - Screen shots Installing Central Administration Site page
52
WAIK Recommendations
It’s recommended to first uninstall the WAIK (Windows Automated Installation Kit) and then install the Windows Assessment and Deployment Kit (ADK) for Windows 8 before installing Configuration Manager 2012 SP1. Windows does not support WAIK and ADK being on the same box at the same time.
If your system does not have Internet access, then use the steps defined in this article to install ADK.
53
Site System Roles
Table columns: Site system role; CAS; Child primary site; Secondary site; Site specific or hierarchy wide
Application Catalog web service point  Hierarchy
Application Catalog website point
Asset Intelligence synchronization point
Distribution Point  Site
Fallback status point
Management Point
Endpoint Protection point
Enrollment point
Enrollment proxy point
Out of band service point
Reporting services point
Software update point
State migration point
System Health Validator point
For Stand-alone primary site all site system roles are supported

New Site Systems
The Application Catalog website point and the Application Catalog web services point: support the new client application, Software Center (requires IIS).
The enrollment proxy point: manages enrollment requests from mobile devices, and the enrollment point, which completes mobile device enrollment and provisions AMT-based computers (requires IIS).
54
Lesson Review
What is a CAS?
Which sites can report to a CAS?
Which site systems roles are supported on a CAS?
1. CAS is a Central Administration Site, which is installed at the top of the hierarchy.
2. Primary Sites can report to a CAS.
3. The following roles are supported on a CAS: Asset Intelligence Synchronization Point, Endpoint Protection Point, Reporting Services Point, Software Update Point, System Health Validator Point
55
Deploying a Primary Site
Primary site supported configurations
Primary site prerequisites
Primary site setup options
Demo: Primary site setup
56
Primary Site Supported Configurations
Supports only Secondary sites as child sites (up to 250 secondary sites)
Supports up to:
  50,000 clients when using SQL Server that is co-located with the site server
  100,000 clients when using a SQL Server that is remote from the site server
Uses database replication to communicate directly to the Central Administration Site
Cannot change its parent site relationship after installation
When a Primary site is installed, it automatically configures database replication with its designated Central Administration Site

Determine Whether to Install a Primary Site
To manage clients directly
To increase the number of clients to manage. Each primary site can support up to 100,000 clients
To provide a local point of connectivity for administration
To meet organizational management requirements

Use the following information to help you plan for primary sites:
A primary site can be a stand-alone primary site or a member of a hierarchy.
A primary site only supports a Central Administration Site as a parent site.
A primary site only supports secondary sites as child sites and can support one or more secondary child sites.
A primary site cannot change its parent site relationship after installation.
Primary sites are responsible for processing all client data from their assigned clients.
When a primary site is installed, it automatically configures database replication with its designated Central Administration Site.
Primary sites use database replication to communicate directly to their Central Administration Site.
You can install typically used site system roles when you install a primary site.
For a list of site system roles that are supported on primary sites, see Planning Where to Install Sites System Roles in the Hierarchy.
57
Pre-installation Applications
Setup Downloader
Prerequisite Checker
58
Prereqchk.exe Command-line for Primary Child Site
Command-line option (Required?): Description
/NOUI (No): Use this option to start Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line.
/PRI (Yes): Verifies that the local computer meets the requirements for the primary site.
/SQL <FQDN of SQL Server>: Verifies that the specified computer meets the requirements for SQL Server to host the Configuration Manager site database.
/SDK <FQDN of SMS Provider>: Verifies that the specified computer meets the requirements for the SMS Provider.
/JOIN <FQDN of central administration site>: Verifies that the local computer meets the requirements for connecting to the central administration server.
/MP <FQDN of management point>: Verifies that the specified computer meets the requirements for the management point site system role. This option is only supported when you use the /PRI option.
/DP <FQDN of distribution point>: Verifies that the specified computer meets the requirements for the distribution point site system role. This option is only supported when you use the /PRI option.
/Ssbport: Verifies that a firewall exception is in effect to allow communication for the SQL Server Service Broker (SSB) port. The default port number is 4022.
InstallDir <ConfigMgrInstallationPath>: Verifies minimum disk space requirements for site installation.
59
Primary child site - Prerequisites Check
Level Site Type Administrator rights on central administration site Error Primary Child Administrative rights on site system Connection to SQL Server on central administration site
60
Primary Site Setup Options
Configuration Manager Setup Wizard
Unattended installation by using the scripted installation method
61
Installing Primary Site (Screen shots)
For step by step screen shot refer to One Note - Concepts_Admin_Module_02 Deploying Configuration Manager 2012_v2.0 - Screen shots “Installing Primary Site” page
62
Lesson Review
Which sites can report to a Primary site?
Which site systems roles are not supported on a child Primary site?
Can a child Primary site in a hierarchy be installed before installing the CAS?
1. Secondary site
2. Asset Intelligence Synchronization Point, Endpoint Protection Point, Windows Intune connector
3. No
63
Deploying a Secondary Site
Secondary site supported configurations
Secondary site prerequisites
Secondary site setup options
Demo: Secondary site setup
64
Secondary Site Supported Configurations
Can support communications up to 5,000 clients
Has a SQL Server database
Uses file-based replication as well as database replication
Console initiated installation only
Automatically deploys a Management Point and Distribution Point that are located on the secondary site server
Cannot change parent site without reinstalling the site
When a secondary site is installed, it automatically configures database replication with its parent primary site
Windows Server 2008 or Windows Server 2008 R2 that uses a Read-Only Domain Controller (RODC) is not supported

Determine Whether to Install a Secondary Site
You do not require a local administrative user for the site.
You have to manage the transfer of deployment content to sites lower in the hierarchy.
You have to manage client information that is sent to sites higher in the hierarchy.

Use the following details to help you plan for secondary sites:
Secondary sites automatically install SQL Server Express during site installation if a local instance of SQL Server is not available.
Secondary site installation is initiated from the Configuration Manager console when it is connected to the Central Administration Site or a primary site.
When a secondary site is installed, it automatically configures database replication with its parent primary site.
Secondary sites use database replication to communicate directly to their parent primary site and to obtain a subset of the shared Configuration Manager database.
Secondary sites support the routing of file-based content to other secondary sites that have a common parent primary site.
Secondary site installations automatically deploy a Management Point and Distribution Point that are located on the secondary site server.

Consider deploying a Distribution Point instead of installing another site if any of the following conditions apply:
Your network bandwidth is sufficient for client computers at the remote location to communicate with a Management Point to download client policy, and send inventory, reporting status, and discovery information.
Background Intelligent Transfer Service (BITS) does not provide sufficient bandwidth control for your network requirements.
65
Prereqchk.exe Command-line for Secondary Site
Command-line option (Required?): Description
/NOUI (No): Use this option to start Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line.
/SEC <FQDN of secondary site server> (Yes): Verifies that the specified computer meets the requirements for the secondary site.
/INSTALLSQLEXPRESS: Verifies that SQL Express can be installed on the specified computer.
/Ssbport: Verifies that a firewall exception is in effect to allow communication for the SQL Server Service Broker (SSB) port. The default port number is 4022.
/Sqlport: Verifies that a firewall exception is in effect to allow communication for the SQL Server service port and that the port is not in use by another SQL Server named instance. The default port is 1433.
InstallDir <ConfigMgrInstallationPath>: Verifies minimum disk space requirements for site installation.
SourceDir: Verifies that the computer account of the secondary site can access the folder hosting the source files for Setup.
66
Secondary Site Setup Options
Console initiated installation only
Source files can be pre-staged on a network share
If no local instance of SQL Server is available, Setup automatically installs SQL Server Express
Setup configures database replication with its parent primary site
Setup automatically installs the following site system roles: Management Point, Distribution Point

You must take additional steps to ensure that secondary sites that use SQL Server Express have the latest software updates. When you install a primary site, Configuration Manager downloads SQL Server Express from the Microsoft Download Center and copies the files to the primary site server. When you install a secondary site and select the option that installs SQL Server Express, Configuration Manager installs the previously downloaded version and does not check whether new versions are available. To ensure that the secondary site has the latest versions, perform one of the following:
After the secondary site is installed, run Windows Update on the secondary site server.
Before you install the secondary site, manually install SQL Server Express on the computer that will run the secondary site server and ensure that you install the latest version and any software updates. Then install the secondary site and select the option to use an existing SQL Server instance.
Periodically run Windows Update for these sites and all installed versions of SQL Server to make sure that they have the latest software updates.
67
Installing Secondary Site (Screen shots)
For step by step screen shot refer to One Note - Concepts_Admin_Module_02 Deploying Configuration Manager 2012_v2.0 - Screen shots “Installing Secondary Site” page
68
Lesson Review
How can you install a Secondary site?
Which SQL Server Edition will be installed during setup?
How do you monitor installation of Secondary site?
1. Console initiated install
2. SQL Express
3. Right click on Secondary Site and select “Show Install Status”
69
Deploying Site System Roles
Site system roles supported configurations
Site system roles prerequisites
Site systems setup options
Demo: Site systems setup
70
Management Points
Each primary site can support up to 10 Management Points
Each primary site Management Point can support up to 25,000 computer clients
Each secondary site can support a single Management Point that must be co-located on the Secondary site server
The secondary site Management Point can support up to 5,000 computer clients
Prerequisites: IIS, BITS

When you increase the number of management points at a primary site, you do not increase the maximum number of clients that the site can support. Instead, additional management points provide redundancy for communications from clients. Do not place management points across a slow link from their primary site server or from the site database server.
71
Distribution Points
Each Primary site supports a combined total of up to 5,000 DPs*.
Individually, each Primary site and Secondary site supports up to 250 Distribution Points.
Each Distribution Point can support up to 4,000 clients**.
Each DP supports a combined total of up to 10,000 packages and applications.
Supported operating systems:
Client OS:
  Windows Vista (x86)/Windows 7 (x86/x64)
  PXE and Multicast not supported
  Windows 8 (Pro/Enterprise – x86/x64) with Configuration Manager 2012 SP1
Server OS:
  Windows Server 2003 /R2 (x86/x64)
  Multicast not supported
  Windows Server 2008 /R2 (x64)
  Windows Server 2012 Standard/Datacenter (x64) with Configuration Manager 2012 SP1
Prerequisites: Remote Differential Compression, IIS, BITS, Windows Deployment Services (to support PXE or multicast)

*Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary site’s child secondary sites.
**The number of clients that one distribution point can support depends on the speed of your network, the disk performance of the distribution point computer, and the application or package size.

For more information on DP supports -
BranchCache™ deployed
Distribution point on Windows Server 2008 R2
Clients running compatible operating system
Vista SP2 with KB installed
Windows 7
One distribution point type
Role can be installed on clients and servers
Clients - Windows Vista SP2 and later
Servers - Windows Server 2003 SP2 and later
Ability to configure throttling and scheduling
PXE service and multicast properties
Specify drives for content storage
IIS feature is required on all distribution points
Co-exist on secondary site server or remotely connected
72
Distribution Points Upgrade/Sharing
Standalone Co-located with other site roles Co-located with secondary site server Standard DP Y N DP on Server Shares *Branch DP
* Important: Admin must uninstall Configuration Manager 2007 client before upgrading Branch DP, otherwise the upgrading will fail and the content will be removed.
* The client OS must meet the OS requirement of Configuration Manager 2012 DP
73
Distribution Points on Server Shares
If the server shared DP is co-located with secondary site:
Enable the standard DP on the Secondary site server
Redistribute the content to that standard DP
Redistribution does not cause network traffic
Remove the distribution point on server share
Upgrade the standard DP on the secondary site server
74
Distribution Points Disk space requirements
Remove unwanted data before upgrading.
It requires double disk space when upgrading DP from Configuration Manager 2007 to 2012 RTM.
Configuration Manager 2012 SP1 improvement – Now the original content will be removed right after successful conversion.
75
Cloud-based Distribution Points
New Site System role in Configuration Manager SP1: Distribution Points that run as a cloud service in Windows Azure (requires a subscription to Windows Azure).
Clients can use the cloud-based DP as a standard content location or as a fallback location.
You have to specify within Client Settings whether you want to allow clients to access cloud-based DPs.

About Cloud Services for Site System Roles
With Configuration Manager SP1, you can use a cloud service in Windows Azure to host the following site system roles:
Distribution point - For information about how to use cloud-based distribution points, see the Planning for Cloud-Based Distribution Points section in the Planning for Content Management in Configuration Manager topic.
Site system roles that Windows Azure hosts are named site system cloud services. These cloud services are in contrast to site system servers, which refer to on-premises computers that you manage in your network environment.
Before you can use a cloud service to host a site system role, you must have a subscription to Windows Azure, and configure Windows Azure to support the site system roles. To use Windows Azure for site system roles, you must obtain a management certificate that you upload to Windows Azure. The management certificate enables Configuration Manager to communicate with the cloud service. For additional requirements, see the planning topic that is specific to the site system role that you install as a cloud service.
When you use a cloud service to host a site system role, you do not have to plan for the hardware that the site system role is installed on. The cloud service in Windows Azure replaces the hardware. For example, for a distribution point, you define the amount of storage that you want the distribution point to use, and specify when Configuration Manager generates alerts that are based on data transfer thresholds. You also specify the Windows Azure region that each cloud-based distribution point serves. For example, you might deploy one cloud-based distribution point to the North America region, and a second distribution point to Asia.
Typically, the primary concern for a site system role that is installed as a cloud service is cost management for the Windows Azure account that hosts the cloud service. Therefore, plan to monitor each cloud service that you use for ongoing costs that are associated with the storage of data in the cloud, and for data transfers from site system cloud services that you use with Configuration Manager. For more information, see Costs of Using a Cloud Service with Configuration Manager, and review the details for your Windows Azure subscription.
76
New Text-Only Slide (Hidden)
Costs of Using a Cloud Service with Configuration Manager
When you use a cloud service, plan for the cost of data storage and transfers that Configuration Manager clients perform. System Center 2012 Configuration Manager does not control charges for using a cloud service, nor does Configuration Manager add additional costs to access a cloud service. Instead, your Windows Azure account and subscription details, and the volume of data that you store and allow clients to download, determine all costs. For more information about Windows Azure, see Windows Azure in the MSDN Library.

Limitation of Cloud-based DP:
Limitations because of the nature of the beast:
  Operating System Deployment (you can’t PXE boot a computer over the cloud)
Limitations because this is the first version of this feature and we wanted to make sure the basics work perfectly before tackling more advanced features:
  Task sequences (for operating system deployment and application deployment)
  App-V streaming over a distribution point on Windows Azure
  Using cloud-based distribution points as source distribution points for pull distribution points
77
Pull Distribution Points
New option in Configuration Manager SP1: You are able to define the Pull Distribution Point option when setting up the Distribution Point so that the DP can download the content from another DP rather than going back to the original source.
Similar to the “Distribute the content from the nearest site in the hierarchy” feature.

For Configuration Manager SP1 only: Enable the pull-distribution point option on a distribution point to change the behavior of how that computer obtains the content that you distribute to the distribution point. When you configure a distribution point to be a pull-distribution point, you must specify one or more source distribution points from which the pull-distribution point obtains the content.
Important: Although a pull-distribution point supports communications over HTTP and HTTPS, source distribution points must be configured for HTTP. You cannot specify a source distribution point that is configured for HTTPS.
78
Software Update Points (SUP)
The SUP can support up to 25,000 clients when WSUS 3.0 SP2 runs on the SUP computer and the SUP co-exists with another site system role.
The SUP can support up to 100,000 clients when WSUS 3.0 SP2 runs on the SUP and it does not co-exist with another site system role.
Prerequisites: IIS, WSUS, WSUS Admin Console

To support more than 25,000 clients, the software update point can be configured to use Network Load Balancing (NLB). To support up to 100,000 clients, the software update point must meet the WSUS. For more information, see Determine WSUS Capacity Requirements.
The WSUS Administration Console is required on the Configuration Manager site server when the software update point is on a remote site system server and WSUS is not already installed on the site server.
Important - The WSUS version on the site server must be the same as the WSUS version running on the software update points.
Important - Do not use the WSUS Administration Console to configure WSUS settings. Configuration Manager connects to WSUS that is running on the software update point and configures the appropriate settings.
For Configuration Manager SP1 only: When you have multiple software update points at a site, ensure that they are all running the same version of WSUS.
79
Software Update Points (SUP) – (Configuration Manager 2012 SP1)
You can create one or more SUPs at a site to support clients in an untrusted forest.
When there are multiple SUPs at a site, and one fails or becomes unavailable, clients will connect to a different SUP*.

Suppose you have an active software update point (SUP01) in a Configuration Manager RTM (no SP) site, upgrade the site to Configuration Manager SP1, and then add a second software update point (SUP02). The existing clients will switch to SUP02 only after a failed scan. All new clients are randomly assigned to SUP01 or SUP02 after you upgrade your site to Configuration Manager SP1.

* The client uses the following process when it fails to scan for software updates:
1. The client scans for software updates at its scheduled time, or when it is initiated through the control panel on the client, or by using the SDK.
2. If the scan fails, the client waits 30 minutes to retry the scan, and it uses the same software update point.
3. The client retries a minimum of four times at 30 minute intervals. After the fourth failure, and after it waits an additional two minutes, the client will move to the next software update point in the software update point list.
4. After a successful scan, the client will continue to connect to the software update point.

The following list provides additional information that you can consider for software update point retry and switching scenarios:
- If a client is disconnected from the corporate intranet and fails to scan for software updates, it will not switch to another software update point. This is an expected failure, because the client cannot reach the corporate network or the software update point that allows connection from the intranet. The Configuration Manager client determines the availability of the intranet software update point.
- If Internet-based client management is enabled, and there are multiple software update points that are configured to accept communication from clients on the Internet, the switching process will follow the standard retry process that is described in the previous scenario.
- If the scan process started, but the client was powered down before the scan completed, it is not considered a scan failure and it does not count as one of the four retries.

More info: look under the “Software Update Point Switching” section.
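The retry and switching rules above can be traced with a small model, added here as an illustration (it is not Configuration Manager code and not part of the original slides). The function name and outcome labels are hypothetical, and the model assumes that the fourth consecutive failure triggers the switch, that scans failed while disconnected are not counted, and that the list wraps around at its end.

```powershell
# Added example: model of the client-side SUP retry/switch rules on this slide.
# Get-SupScanTimeline and the outcome names are hypothetical, not ConfigMgr APIs.
function Get-SupScanTimeline {
    param(
        [string[]]$SupList,    # ordered software update point list
        [string[]]$Outcomes    # per scan attempt: Success | Fail | PoweredDown | Offline
    )
    $index = 0       # position in the SUP list
    $failures = 0    # consecutive counted failures on the current SUP
    $clock = 0       # minutes since the first scan; only waits stated on the slide are added
    foreach ($outcome in $Outcomes) {
        $row = [ordered]@{ Minute = $clock; Sup = $SupList[$index]; Outcome = $outcome; Action = '' }
        switch ($outcome) {
            'Success' {
                $failures = 0
                $row.Action = 'keep using this SUP'
            }
            'PoweredDown' {
                # Interrupted scan: not a scan failure, does not use up a retry.
                $row.Action = 'not counted as a failure'
            }
            'Offline' {
                # Disconnected from the intranet: expected failure, never causes a switch.
                $row.Action = 'no switch while disconnected'
                $clock += 30
            }
            'Fail' {
                $failures++
                if ($failures -lt 4) {
                    $row.Action = "retry same SUP in 30 min (failure $failures of 4)"
                    $clock += 30
                } else {
                    # Fourth failure: wait two more minutes, then move down the list.
                    $index = ($index + 1) % $SupList.Count   # wrap-around is an assumption
                    $failures = 0
                    $clock += 2
                    $row.Action = "wait 2 min, then switch to $($SupList[$index])"
                }
            }
            default { throw "Unknown outcome '$outcome'" }
        }
        [pscustomobject]$row
    }
}

# Constructed scenario: SUP01 keeps failing, with one interrupted scan in between.
Get-SupScanTimeline -SupList 'SUP01', 'SUP02' `
    -Outcomes 'Fail', 'Fail', 'PoweredDown', 'Fail', 'Fail', 'Success' |
    Format-Table -AutoSize
```

Under these assumptions a client that starts failing against SUP01 reaches SUP02 about 92 minutes after the first failed scan, which is the window to account for when a software update point is taken offline.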
80
Proxy Server (new in Configuration Manager 2012 SP1)
You can configure a proxy server on each site system server for use by all site system roles installed on that system. This is not a new site system role but a configuration for site system servers.

You can use the Configuration Manager console to configure each site system server to use a proxy server. This configuration is used by each applicable site system role that is installed on that computer.

Example: the software update point connects to the Microsoft Update site through the proxy server to download updates.

More information - Example:
- Use a proxy server when synchronizing software updates
- Use a proxy server when downloading content by using automatic deployment rules
81
Site System Roles Prerequisites
.NET Framework WCF activation IIS Additional prerequisites Application Catalog web service point 3.5 SP1 4.0 Required ASP.NET IIS 6 Metabase Compatibility Windows Authentication Application Catalog website point Not applicable Static Content Default Document Asset Intelligence synchronization point Endpoint Protection point Enrollment point Enrollment proxy point WCF Activation - Windows Process Activation Service (also known as WAS)
82
Site System Roles Prerequisites
.NET Framework WCF activation IIS Additional prerequisites Fallback status point Not applicable Required Out of band service point 4.0 Reporting services point SQL Server Reporting Services. Software update point 3.5 SP1 WSUS 3.0 SP2 State migration point System Health Validator point This site system role is supported only on a NAP health policy server.
83
Site System Roles Setup Options
- Add Site System Roles wizard
- Create Site System Server Wizard

Configuration Manager does not support site system roles for multiple sites on a single site system server.
To prevent Configuration Manager from installing on specific drives, create an empty file named no_sms_on_drive.sms and copy it to the root folder of the drive before you install the site system server.
84
Create a Site System Server
To install site system roles on an existing site system server:
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for the new site system roles.
3. On the Home tab, in the Server group, click Add Site System Roles.
4. On the General page, review the settings, and then click Next.
5. On the System Role Selection page, select the site system roles that you want to add, and then click Next.
6. Complete the wizard.

To install site system roles on a new site system server:
1. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles.
2. On the Home tab, in the Create group, click Create Site System Server.
3. On the General page, specify the general settings for the site system, and then click Next.
85
Select Roles To Install
86
Installing the Configuration Manager Console
- Configuration Manager console supported configurations
- Configuration Manager console prerequisites
- Configuration Manager console setup options
- Demo: Configuration Manager console setup
87
Configuration Manager Console
- Connects to either a Central Administration Site or a Primary site
- Can connect to other sites after the initial connection is made
- Cannot connect to a Secondary site
- No limit to the number of simultaneous Configuration Manager console connections to a Primary site or Central Administration Site
- Can be installed on the same computer with the Configuration Manager 2007 console
- Can be installed during setup or after setup by using the Configuration Manager console Windows Installer package (consolesetup.exe)
- No ICP (International Client Pack) required for multiple language support
- .NET Framework 4 is required

There is a new console for System Center 2012 Configuration Manager, which provides the following benefits:
- Logical grouping of operations into the following workspaces: Assets and Compliance, Software Library, Monitoring, and Administration. To change the default order of the workspaces and which ones are displayed, click the down arrow on the navigation pane above the status bar, and then select one of the options: Show More Buttons, Show Fewer Buttons, or Navigation Pane Options.
- A ribbon to help you more efficiently use the console.
- An administrative user sees only the objects that they are allowed to see, as defined by role-based administration.
- Search capabilities throughout the console, to help you find your data more quickly.
- Browse and verify capability for many accounts that you configure in the console, which helps to eliminate misconfiguration and can be useful for troubleshooting scenarios. For example, this design applies to the Client Push Installation Account and the Network Access Account.
- Use of temporary nodes in the navigation pane that are automatically created and selected as a result of actions that you take and that do not display after you close the console. Examples of temporary nodes include the following:
  - In the Assets and Compliance workspace, click the Device Collections node, and then select the All Systems collection. In the Collection group, click Show Members and the temporary node named All Systems is created and automatically selected in the navigation pane.
  - In the Monitoring workspace, click Client Status, and in the Statistics section, browse to the All Systems collection, and then click Active clients that passed client check or no results. The temporary node named Active clients that passed client check or no results from “All Systems” is created and automatically selected in the Assets and Compliance workspace.
88
Read-only Mode Admin Console
A read-only console session is established if:
- The primary site did not complete site installation yet.
- The primary site has inter-site replication problems.
- The primary site is running a site restoration.
- The primary site is initializing global data.

You must close and reconnect the Configuration Manager console to establish a normal session.
89
Configuration Manager Console Supported Configurations
Operating system System architecture Windows XP Professional (SP3) x86 Windows XP Professional for 64-bit Systems (SP2) x64 Windows Vista Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2) x86, x64 Windows Server 2003 R2 SP2 Standard Edition Enterprise Edition Datacenter Edition Windows Server 2008 Windows 7 Professional Editions (without service pack, SP1) Enterprise Editions (without service pack, SP1) Ultimate Editions (without service pack, SP1) Windows Server 2008 R2 Standard Edition (without service pack, SP1) Enterprise Edition (without service pack, SP1) Datacenter Edition (without service pack, SP1)
90
Configuration Manager Console Supported Configurations
Operating system System architecture CM12 Version Windows 8 Pro/Enterprise x86, x64 Configuration Manager with SP1 Windows Server 2012 Standard Edition Datacenter Edition x64
91
Pre-installation Applications
Prerequisite Checker: run prereqchk.exe /Adminui to check requirements for Configuration Manager console installation on the local computer.
92
Administrator Console Setup Options
- Configuration Manager Console setup wizard
- consolesetup.exe command-line options

Command-line option: Description
- /q: Unattended setup. The EnableSQM and DefaultSiteServerName options are required.
- /uninstall: Uninstall the Configuration Manager console. You must specify this option first when used with the /q option.
- LangPackDir: Specify the path to the folder that contains the language files.
- TargetDir: Specify the installation folder. This option is required when used with the /q option.
- EnableSQM: Specify whether to join the Customer Experience Improvement Program (CEIP). This option is required when used with the /q option.
- DefaultSiteServerName: Specify the FQDN of the site server to which the console will connect when it opens. This option is required

Always install the Configuration Manager console by using ConsoleSetup.exe. The Configuration Manager console Setup can be initiated by running the AdminConsole.msi, but there are no prerequisite or dependency checks and the installation will likely not install correctly.
93
Installing Admin Console (Screen shots)
For step-by-step screen shots, refer to One Note - Concepts_Admin_Module_02 Deploying Configuration Manager 2012_v2.0 - Screen shots, “Installing Admin Console” page.
94
Lesson Review
1. Can System Center 2012 Admin Console and Configuration Manager 2007 Admin Console co-exist on the same computer?
2. What’s the name of the program used to install the Administrator Console?

Answers:
1. Yes
2. Consolesetup.exe
95
Unattended Configuration Manager setup
- Configuration Manager setup command line options
- Configuration Manager Console unattended setup
96
Unattended installation
To perform a scripted installation, follow these steps:
1. The Configuration Manager installation process generates a file called ConfigMgrAutoSave.ini and stores it under the %temp% folder. This file can be used to perform an unattended installation.
2. Save ConfigMgrAutoSave.ini (you can also create it) to another location.
3. From a CMD window, go to <ConfigMgr install source>\SMSSetup\Bin\X64
4. Type setup.exe /script <the script path> (you can also use setupwpf.exe)

Note that setup.exe will not check components (.NET, manifest file, SQL Express …). They should be present (or downloaded using setupDL.exe /NoUI <Path>).
To monitor the installation, you can refer to ConfigMgrSetup.log and sitecomp.log.
97
Configuration Manager Setup Command Line Options
Option: Description
- /NODISKCHECK: Disable the verification of disk space requirements during prerequisite checking.
- /UPGRADE <ProductKey> <PathToSetupPrerequisiteFiles>: Perform an unattended Use a command-line for the /UPGRADE option similar to the following: Setup /UPGRADE xxxxx-xxxxx-xxxxx-xxxxx-xxxxx <PathToSetupPrerequisiteFiles>
- /DEINSTALL: Uninstall the site. You must run Setup from the site server computer.
- /NOUSERINPUT: Disable user input during Setup, but display the Setup Wizard interface. This option must be used in conjunction with the /SCRIPT option.
- /RESETSITE: Perform a site reset that resets the database and service accounts for the site.
- /TESTDBUPGRADE <InstanceName\DatabaseName>: Perform a test on the site database to ensure that it is capable of an upgrade. As a best practice, run this command-line option on a backup of the site database instead of on your production site database.
- /SCRIPT <SetupScriptPath>: Perform unattended installations. A setup initialization file is required when you use the /SCRIPT option.
- SDKINST <FQDN>: Install the SMS Provider on the specified computer. You must provide the FQDN for the SMS Provider computer.
- SDKDEINST <FQDN>: Uninstall the SMS Provider on the specified computer. You must provide the FQDN for the SMS Provider computer.
- MANAGELANGS <SetupScriptPath>: Manage the languages that are installed at the selected site.
98
Unattended Install -ConfigMgrAutoSave.ini
CAS

[Identification]
Action=InstallCAS
[Options]
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
SiteCode=<Site Code>
SiteName=<Site Name>
SMSInstallDir=<ConfigMgr install folder path>
SDKServer=<FQDN for SDKServer>
PrerequisiteComp=1
PrerequisitePath=<Prereqs folder path>
MobileDeviceLanguage=0
AdminConsole=1 (0 if you don’t want to install the console)
[SQLConfigOptions]
SQLServerName=<FQDN of the SQL Server machine>
DatabaseName=<SQLServerName\InstanceName> (leave blank for the default instance)
SQLSSBPort=4022
[HierarchyExpansionOption]

Primary site

Action=InstallPrimarySite
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=0
ManagementPoint=<FQDN MP server>
ManagementPointProtocol=HTTP
DistributionPoint=<FQDN DP server>
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
SQLServerName=<FQDN SQL server machine>
CCARSiteServer=<FQDN CAS server> (This line is only to install a child site; it’s not needed for a PS server)
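A pre-flight review of the script file before it is handed to setup.exe /script, written in PowerShell as an added example (it is not Microsoft tooling and not code from the deck). The function name, finding messages and sample values are assumptions; the key names are the ones in the template above, and the sample places them under [Options] as an assumption.

```powershell
# Added example: review an unattended setup script file before running
# "setup.exe /script". Function name, messages and sample values are this example's own.
function Test-SetupScript {
    param(
        [string[]]$Lines,    # content of the .ini file, one element per line
        [string]$Path = ''   # where the file is stored (optional)
    )
    # Collect Key=Value pairs from every section into one case-insensitive table.
    $values = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=\[;]+?)\s*=\s*(.*?)\s*$') { $values[$Matches[1]] = $Matches[2] }
    }
    $findings = @()
    if ($values['Action'] -notin 'InstallCAS', 'InstallPrimarySite') {
        $findings += "Action '$($values['Action'])' is not one of the two values shown on the slide"
    }
    foreach ($key in $values.Keys) {
        # Template text that was never filled in: <...> or an all-X product key.
        if ($values[$key] -match '^<.*>$|^(X{5}-){4}X{5}$') {
            $findings += "$key still holds a placeholder: $($values[$key])"
        }
    }
    foreach ($key in 'ManagementPointProtocol', 'DistributionPointProtocol') {
        if ($values[$key] -eq 'HTTP') { $findings += "$key=HTTP: this role will be installed for HTTP" }
    }
    if ($values['ClientsUsePKICertificate'] -eq '0') {
        $findings += 'ClientsUsePKICertificate=0: clients will not use PKI certificates'
    }
    # The file carries the product key, and setup stores its copy under %TEMP%.
    if ($values['ProductID'] -and $env:TEMP -and $Path.StartsWith($env:TEMP, 'OrdinalIgnoreCase')) {
        $findings += 'File with ProductID is still under %TEMP%; save it to another location'
    }
    $findings
}

# Constructed sample using key names from the primary-site template.
$sample = @'
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
SiteCode=P01
ManagementPoint=<FQDN MP server>
ManagementPointProtocol=HTTP
DistributionPointProtocol=HTTP
ClientsUsePKICertificate=0
'@ -split "`r?`n"

Test-SetupScript -Lines $sample -Path "$env:TEMP\ConfigMgrAutoSave.ini"
```

Because the finished file holds the product key in clear text, keep the saved copy in a folder that only the installing administrators can read.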
99
Lesson Review
1. What is the option within the unattended setup “ConfigMgrAutoSave.ini” file to install the Admin console together with a CAS or Primary Site installation?
2. What’s the name of the script created by setup?

Answers:
1. AdminConsole=1 (0 if you don’t want to install the console)
2. ConfigMgrAutoSave.ini
100
Lesson summary

In this lesson, you learned:
- How to deploy a Central Administration Site
- How to deploy a Primary child site
- How to deploy a Secondary site
- How to install site system roles
- How to install the Administration Console
- How to perform an unattended site installation