Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Arrow up icon
GO TO TOP
Microsoft System Center Configuration Manager Cookbook

You're reading from   Microsoft System Center Configuration Manager Cookbook Over 60 applicable recipes to administer and manage System Center Configuration Manager Current Branch

Arrow left icon
Product type Paperback
Published in Nov 2016
Publisher
ISBN-13 9781785881206
Length 354 pages
Edition 2nd Edition
Arrow right icon
Authors (5):
Arrow left icon
Samir Hammoudi Samir Hammoudi
Author Profile Icon Samir Hammoudi
Samir Hammoudi
Brian Mason Brian Mason
Author Profile Icon Brian Mason
Brian Mason
Greg Ramsey Greg Ramsey
Author Profile Icon Greg Ramsey
Greg Ramsey
Chuluunsuren Damdinsuren Chuluunsuren Damdinsuren
Author Profile Icon Chuluunsuren Damdinsuren
Chuluunsuren Damdinsuren
Matthew Hudson Matthew Hudson
Author Profile Icon Matthew Hudson
Matthew Hudson
+1 more Show less
Arrow right icon
View More author details
Toc

Table of Contents (10) Chapters Close

Preface 1. Designing a System Center Configuration Manager Infrastructure 2. Deploying Windows 10 with Operating System Deployment FREE CHAPTER 3. Deploying Applications and Software Updates 4. Managing Compliance Settings 5. Managing Mobile Devices using Configuration Manager with Microsoft Intune 6. Managing Sites 7. Managing Clients 8. Managing Inventory 9. Managing Reports and Queries

Dividing up site system roles

It is likely that most installations of CM consist of a single primary site with all roles loaded locally on the same server. Depending on the hardware used (RAM and disk IO chief among them), this will suffice for many organizations. As companies grow and the workload of CM starts to stress the hardware of a single server, administrators need to offload roles to other servers.

Note

While it was a best practice to offload SQL in CM07, we now advise keeping SQL on box in CM as SQL replication has replaced much of the file-based replication of CM07. CM is native x64 code, so there is no performance hit for a WOW64 translation like there was with CM07 on x64 servers. Underpowered VMs, however, might benefit from offloading SQL to more powerful servers.

Getting ready

Admins should move roles off as described in the following How to do it... section until the primary site starts to perform as expected. We will start with both Distribution Point (DP) and Management Point (MP). Unlike CM07, CM allows for more than one MP with no default MP to define. Offloading these two roles will do more to alleviate stress than any other steps. For this step, have another server ready where you can move these roles to.

How to do it...

  1. Add the machine account of the primary site to the local admin's group of the server taking on the MP and DP role.
  2. If you need to prevent content from copying to any particular drive on the new server, drop a file on the root of the drive named no_sms_on_drive.sms.
  3. Navigate to Administration | Site Configuration | Servers and Site System Roles. From the Home tab on the ribbon, click on Create a Site System Server.
  4. Enter the name of the new server, select the primary site code, and enter the FQDN of the new server.
  5. Check the boxes for both Distribution Point and Management Point.
  6. Check the box to allow CM to install the IIS role on the new server.
  7. CM now gives the ability to force content on a DP to drive letters of your preference. Choose as needed.
  8. CM has moved the PXE service point to the DP. Select this option only if you plan to image devices with an F12 boot. Enable multicast only if needed; the rule of thumb in security is less is better; you reduce the surface area of attack and reduce the odds you have something to patch down the road.
  9. CM can now verify the content of your packages on a DP, which reduces the chance of clients failing to install an application due to corrupt files. CM now allows you to associate DPs to boundary groups. Use this feature only if you're trying to protect the network, otherwise leave this alone as it introduces another possible point of failure in a distribution you may have to troubleshoot one day.
  10. For the MP settings, use the defaults for now; you can always set up SQL replication to the MP at a later time to reduce additional load.
  11. Complete the wizard and then read sitecomp.log and distmgrr.log on the primary server and MPSetup.log on the new server to verify a successful installation.
  12. Test the new MP by stopping the SMSAgentHost service on the primary, and then verify that clients are contacting the new MP (check mpfdm.log on the new MP).
  13. Test the new DP by distributing content to it.

With a working MP and DP on another server, these roles can now be removed from the primary site. Follow these steps to remove the roles:

  1. Navigate to Administration | Site Configuration | Servers and Site System Roles and select your primary site in the right-hand pane.
  2. In the bottom pane, select both Management Point and Distribution Point (use Ctrl + click) and then click on Remove Role from the ribbon.
  3. If you see a warning that this is the last management point for the site, click on No and go back to testing the new MP as the site is not aware that it is working.

How it works...

Once all IIS roles have been offloaded, IIS can be removed from the primary site. This strengthens security of the server and frees up resources for the remaining duties of the site. As you offload roles, the server has less to do as resources are freed up.

There's more...

Beyond IIS-based roles, there are still several items that can cause stress to the primary site server, which you can offload to other servers.

Offloading the SUP

With the MP and DP offloaded, the bulk of the client traffic to the primary site has been removed. The SUP role should be offloaded next as it's another point where clients can directly hit your primary site. To do this simply follow these steps:

  1. Install the latest version of WSUS on the MP/DP server (that already has IIS installed) and be sure to cancel the configuration wizard when it starts (CM will configure it instead). Also, be sure to select the option Use this server as the active software update point.
  2. Navigate to Administration | Site Configuration | Servers and Site System Roles, select the MP/DP server, and add the software update point role. Verify that the setup encountered no errors by checking SUPSetup.log, then look out for errors in WSUSCtrl.log and wcm.log.
  3. With the new SUP working, that role can now be removed from the primary site. From the admin console, select the Primary server and remove the Software update role.
  4. Uninstall WSUS from the primary site server, but be sure to leave the WSUS admin console installed as its files are needed to manage the SUP.

Offloading Endpoint Protection

If you are using Endpoint Protection in your company, you can move this role next, but note that there will be no change to the server load. To do this simply follow these steps:

  1. Select the MP/DP/SUP server in the admin console and add the Endpoint Protection Point role.
  2. Verify that the setup encountered no errors by checking EPSetup.log, then watch for errors in EPCtlMgr.log. Often, this server will have to be rebooted before it can become functional and that will show in EPSetup.log.
  3. From the admin console, select the primary server and remove the Endpoint Protection Point role.

Offloading SQL Reporting Services

The SQL Reporting Service Point can cause stress if people are repeatedly running reports that are hard for your primary to query. The smart move there is to simply set such reports to cache for a certain amount of time (an hour, a day, and so on) so that no matter how often the report is run, the cached data is used instead of fresh queries to the primary site's database. Additionally, reporting services for SQL 2008 and above no longer require IIS, so offloading the role doesn't help towards the ability to remove IIS. Should you still wish to offload that role anyway, (perhaps just as a rule you might decide that no other roles be allowed on a primary) select a server with SQL Reporting Services installed (IIS is not necessary).

Follow these steps to offload SQL Reporting Services Point role:

  1. Navigate to Administration | Site Configuration | Servers and Site System Roles, select the Create Site System Server from the Home tab in the ribbon. Enter the FQDN of the server and choose the CAS if you have one or choose the primary server.
  2. Select the Reporting services point as the role, verify the settings by clicking on the Verify button, and enter a domain account that you have granted the smsschm_users role in SSMS (generally, the same account used when SRS was created on the primary site).
  3. Complete the wizard and verify that the new site is working by running a report from the Monitoring | Reporting node in the console and choosing the new server (not the primary site).
  4. Navigate to Administration | Site Configuration | Servers and Site System Roles, choose your primary site and remove the Reporting services point role.
  5. Log on to the primary site, click on the Start button and type SQL Server Installation Center (64-bit) and hit Enter. Run the installation wizard and remove the reporting services role by unchecking it, thereby completing the wizard.

The remaining roles should cause no discernible stress to the primary. But there is one additional step you can take to reduce the impact of the MP role on your server and that is to create a transnational replica between the primary site and the MP. With such a replica, the MP can answer all client requests without querying the primary site. This also allows clients to remain functional if the primary site is down for maintenance or patching (assuming you've offloaded other roles needed like DP, SUP, and so on).

By creating this replica, there is a benefit in that if other roles are offloaded from the primary site, the primary site could go down for patching or maintenance while software distribution and patching could continue.

See also

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image