SCCM Training book

Microsoft Official Learning Product
10748C
MCT USE ONLY. STUDENT USE PROHIBITED
Planning and Deploying System Center 2012 Configuration Manager
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx
are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.
Product Number: 10748C
Part Number: X19-17689
Released: 04/2014
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer.
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party content are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses
in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered “as is”. Any
use of this licensed content is at your sole risk. Microsoft grants no other express
warranty. You may have additional rights under local consumer protection law, which this
agreement cannot change. Where permitted by local law, the implied warranties of
merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR
DAMAGES. You can obtain from Microsoft and its suppliers compensation for direct damages
only, up to US$5.00. You cannot claim any compensation for other
damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the licensed content, services or content (including code)
on third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict
liability, negligence or other tort, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If
your country does not allow the exclusion or limitation of liability for indirect, incidental
or other damages of any kind, the above limitation or exclusion may not apply to
you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights
under the laws of your country. This agreement does not change the rights you have under the laws of your
country if those laws do not permit it to do so.
Revised July 2013
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution in developing
this title. Their effort at various developmental stages has ensured that you have a good classroom
experience.
Conan Kezema: Content Developer
Conan Kezema, Bachelor of Education (B.Ed), Microsoft Certified Solutions Expert (MCSE), Microsoft
Certified Trainer (MCT), is an educator, consultant, architect of network systems, and author who
specializes in Microsoft® technologies. As an associate of S.R. Technical Services, Conan has been a
subject-matter expert, instructional designer, and author on numerous Microsoft courseware
development projects.
David Susemiehl: Content Developer
David Susemiehl has worked as consultant, trainer, and courseware developer since 1996. David has
extensive experience consulting on Microsoft Systems Management Server and Microsoft System Center
Configuration Manager 2012, as well as Active Directory® products, Microsoft Exchange Server, and
Terminal Server and Citrix deployments. David has developed courseware for Microsoft and Hewlett-Packard, and delivered those courses successfully in Europe, Central America, and across North America.
For the last several years, David has been writing courseware for Microsoft Learning, and has been
managing the Microsoft System Center and Exchange Server deployments for a nationwide insurance
company.
Orin Thomas: Content Developer
Orin Thomas is a Microsoft Most Valuable Professional (MVP), an MCT and has a string of Microsoft MCSE
and Microsoft Certified IT Professional (MCITP) certifications. He is the author of more than 20 books for
Microsoft Press®, and is a contributing editor at Windows IT Pro magazine. He has been working in IT
since the early 1990s. He is a regular speaker at events such as TechEd in Australia and around the world
on the topics of Windows Server®, Windows® Client, System Center, and security topics. Orin founded and
runs the Melbourne System Center Users Group.
Telmo Sampaio: Content Developer
Telmo Sampaio, who has a Bachelor of Science (B.S.) degree, also is an MCT, MCSE, Microsoft Certified
Solutions Developer (MCSD), and an MCT Regional Lead. He is the “Chief Geek” for MCTrainer.NET and
TechKnowLogical. Telmo specializes in System Center, Microsoft SharePoint®, Microsoft SQL Server®, and
.NET, and has worked for IBM, Microsoft, and several start-ups during the past 20 years. He is very active
in the MCT community, and travels the world providing consulting services and attending training
engagements. His home base is Miami, Florida. Telmo has passed more than 80 Microsoft exams since his
first certification in 1996.
Bob Lawler: Technical Reviewer
Bob Lawler, B.S., is an MCITP, MCSE, and MCT, and in 2012 was selected as a charter member of the MCT
Regional Lead program. He is the owner and president of XPO-NET Corporation, and has more than 20
years of IT experience. As a professional technical writer, he has authored, contributed to, and edited a
variety of training software and videos, books, magazine articles, and courseware for multiple Microsoft
and third-party technologies. As a consultant and trainer, Bob has provided expertise and guidance on
several technologies, including Exchange Server, Microsoft Internet and Security Acceleration (ISA) Server,
and System Center Configuration Manager for many organizations, including some of the most
recognizable names in American business.
Contents
Module 1: Overview of System Center 2012 R2 Configuration Manager
Lesson 1: Introduction to System Center 2012 R2 Configuration Manager
Lesson 2: Overview of the Configuration Manager Site System Roles
Lesson 3: Overview of the Configuration Manager Optional Site System Roles
Lesson 4: Overview of Configuration Manager Deployment Scenarios
Lesson 5: Overview of the Configuration Manager Client
Module 2: Planning and Deploying a Stand-Alone Primary Site
Lesson 1: Planning a Configuration Manager Stand-Alone Primary Site Deployment
Lesson 2: Preparing to Deploy a Configuration Manager Primary Site
Lesson 3: Installing a Configuration Manager Site Server
Lab A: Installing a Configuration Manager Primary Site
Lesson 4: Performing Post-Setup Configuration Tasks
Lesson 5: Tools for Monitoring and Troubleshooting a Configuration Manager Site
Lab B: Performing Post-Setup Configuration Tasks
Module 3: Planning and Configuring Role-Based Administration
Lesson 1: Overview of Role-Based Administration
Lesson 2: Identifying IT Roles in Your Organization
Lesson 3: Configuring Role-Based Administration
Lab: Planning and Configuring Role-Based Administration
Module 4: Planning and Deploying a Multiple-Site Hierarchy
Lesson 1: Planning a Configuration Manager 2012 Multiple-Site Hierarchy
Lesson 2: Deploying a Configuration Manager 2012 Site
Lesson 3: Deploying the Central Administration Site
Lab A: Installing a Site Hierarchy
Lesson 4: Deploying Primary Sites in a Hierarchy
Lab B: Verifying a Site Hierarchy
Lesson 5: Deploying Secondary Sites
Lab C: Installing a Secondary Site
Module 5: Replicating Data and Managing Content in Configuration Manager 2012
Lesson 1: Introduction to Data Types and Replication
Lesson 2: Managing Data Replication
Lab A: Configuring, Monitoring, and Troubleshooting Data Replication
Lesson 3: Planning Content Management
Lab B: Planning and Configuring Content Management
Module 6: Planning Resource Discovery and Client Deployment
Lesson 1: Identifying Resources by Using Configuration Manager Discovery Methods
Lesson 2: Client Deployment in Configuration Manager
Lesson 3: Deploying Windows-Based Configuration Manager Clients
Lab: Implementing Configuration Manager Client Deployment
Lesson 4: Managing Configuration Manager Clients
Lesson 5: Monitoring Client Status in Configuration Manager
Module 7: Configuring Internet and Cloud-Based Client Management
Lesson 1: Managing Remote Clients by Using System Center 2012 R2 Configuration Manager
Lesson 2: Managing Internet-Based Configuration Manager Clients
Lab A: Configuring PKI for Configuration Manager
Lesson 3: Configuring Cloud Services in System Center 2012 R2 Configuration Manager
Lab B: Configuring Windows Intune Integration with System Center 2012 R2 Configuration Manager
Module 8: Maintaining and Monitoring System Center 2012 Configuration Manager
Lesson 1: Overview of Configuration Manager 2012 Site Maintenance
Lesson 2: Performing Backup and Recovery of a Configuration Manager Site
Lesson 3: Monitoring Configuration Manager 2012 Site Systems
Lab: Maintaining System Center 2012 Configuration Manager
Module 9: Migrating to System Center 2012 R2 Configuration Manager
Lesson 1: Overview of the Migration Process
Lesson 2: Preparing Configuration Manager 2007 Sites for Migration
Lesson 3: Configuring Migration Settings
Lesson 4: Migrating Objects
Lesson 5: Upgrading Configuration Manager 2012 to Configuration Manager 2012 with SP1 and then to System Center 2012 R2 Configuration Manager
Lab: Migrating from System Center Configuration Manager 2007 to System Center 2012 Configuration Manager
Lab Answer Keys
Module 2 Lab A: Installing a Configuration Manager Primary Site
Module 2 Lab B: Performing Post-Setup Configuration Tasks
Module 3 Lab: Planning and Configuring Role-Based Administration
Module 4 Lab A: Installing a Site Hierarchy
Module 4 Lab B: Verifying a Site Hierarchy
Module 4 Lab C: Installing a Secondary Site
Module 5 Lab A: Configuring, Monitoring, and Troubleshooting Data Replication
Module 5 Lab B: Planning and Configuring Content Management
Module 6 Lab: Implementing Configuration Manager Client Deployment
Module 7 Lab A: Configuring PKI for Configuration Manager
Module 7 Lab B: Configuring Windows Intune Integration with System Center 2012 R2 Configuration Manager
Module 8 Lab: Maintaining System Center 2012 Configuration Manager
Module 9 Lab: Migrating from System Center Configuration Manager 2007 to System Center 2012 Configuration Manager
About This Course
This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.
Course Description
This three-day course describes how to design and deploy a System Center 2012 R2 Configuration
Manager hierarchy, including a central administration site; one or more primary sites and secondary
sites; and all associated site systems. The course also covers migrating to a System Center 2012 R2
Configuration Manager hierarchy from System Center Configuration Manager 2007 and from the initial
release of System Center 2012 Configuration Manager.
Audience
This course is intended for Information Technology (IT) professionals who are responsible for designing
and deploying one or more System Center 2012 R2 Configuration Manager sites and all supporting
systems. They should have three to five years of experience in medium to large enterprise organizations,
in a role in which they are supporting multiple desktop and server computers that run Windows®-based
operating systems.
This course is also for individuals who are interested in taking exam 70-243 TS: Administering and
Deploying System Center 2012 Configuration Manager.
Both 10747D: Administering System Center 2012 Configuration Manager and 10748C: Planning and
Deploying System Center 2012 Configuration Manager are necessary to prepare for this exam.
Student Prerequisites
Before attending this course, students must have a working knowledge at the system-administrator level
of:
• Networking fundamentals, including TCP/IP and Domain Name System (DNS).
• Active Directory® Domain Services (AD DS) principles and management.
• Windows Server management, including managing Windows Server 2008 R2 and Windows
Server 2012.
• Windows Client fundamentals.
• Deployment, configuration, and troubleshooting for Windows-based personal computers.
• Basic public key infrastructure (PKI) concepts.
• Configuration Manager features and administrative tasks including:
  • Working with the System Center 2012 Configuration Manager or newer administrator console.
  • Installing clients.
  • Maintaining hardware and software inventory.
  • Working with collections.
  • Reporting.
  • Deploying applications.
  • Managing software updates.
  • Deploying operating systems.
  • Settings management.
Students who attend this training can meet the prerequisites by obtaining equivalent knowledge and skills
or by attending the following courses:
• Course 6419: Configuring, Managing, and Maintaining Windows Server® 2008–based Servers
• Course 20411: Administering Windows Server® 2012
• Course 20687: Configuring Windows® 8.1
And EITHER:
o Course 10747: Administering System Center 2012 Configuration Manager
o Course 6451: Planning, Deploying, and Managing Microsoft System Center Configuration
Manager 2007
OR:
AND
o Six months of hands-on experience with System Center 2012 Configuration Manager or newer
Course Objectives
After completing this course, students will be able to:
• Describe the System Center 2012 R2 Configuration Manager infrastructure.
• Plan and deploy a stand-alone primary site.
• Plan and configure role-based administration.
• Plan and deploy a multiple site hierarchy.
• Replicate data and manage content in Configuration Manager.
• Plan resource discovery and client deployment.
• Configure Internet and cloud-based client management.
• Maintain and monitor System Center 2012 R2 Configuration Manager.
• Migrate to System Center 2012 R2 Configuration Manager.
Course Outline
The course outline is as follows:
Module 1, Overview of System Center 2012 R2 Configuration Manager
This module explains the System Center 2012 R2 Configuration Manager infrastructure and the
typical deployment scenarios.
Module 2, Planning and Deploying a Stand-Alone Primary Site
This module explains how to plan and deploy a stand-alone primary site.
Module 3, Planning and Configuring Role-Based Administration
This module explains how to plan and configure Configuration Manager administrative users
and access.
Module 4, Planning and Deploying a Multiple Site Hierarchy
This module explains how to plan and deploy a multiple site hierarchy including a central
administration site, primary sites, and a secondary site.
Module 5, Replicating Data and Managing Content in Configuration Manager 2012
This module explains how to plan, configure, and monitor data types, intersite communication,
replication, and content.
Module 6, Planning Resource Discovery and Client Deployment
This module explains how to plan and use various methods to discover resources and deploy
the Configuration Manager client.
Module 7, Configuring Internet and Cloud-Based Client Management
This module explains how to plan and configure Internet and cloud-based client management.
Module 8, Maintaining and Monitoring System Center 2012 R2 Configuration Manager
This module explains how to perform maintenance tasks and monitor the Configuration
Manager site systems.
Module 9, Migrating to System Center 2012 R2 Configuration Manager
This module explains how to perform migration tasks from Configuration Manager 2007 and
upgrade Configuration Manager 2012 to Configuration Manager 2012 SP1 and then to System
Center 2012 R2 Configuration Manager.
Exam/Course Mapping
This course, 10748C: Deploying System Center 2012 Configuration Manager, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-243: Administering and Deploying System
Center 2012 Configuration Manager.
The following table is provided as a study aid that will assist you in preparation for taking this exam and
to show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination and will utilize the unique experience and skills of your qualified Microsoft
Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en-us/exam-70-243.aspx, under Skills Measured.
Exam Objective Domain: 70-243: Administering and Deploying System Center 2012 Configuration Manager (left columns), mapped to Course Content (Module, Lesson, Lab columns)

| Exam objective | Objective details | Module | Lesson | Lab |
|---|---|---|---|---|
| 1. Design and Plan System Center Configuration Manager Infrastructure (10 - 15%) | | | | |
| 1.1. Plan System Center Configuration Manager hierarchy and site system roles. | This objective may include but is not limited to: pre-installation requirements, examining the current computing environment, CAS, primary and secondary sites, branch cache, designing and recommending System Center Configuration Manager server architecture, extending the Active Directory schema (DNS service records, WINS), managed providers, discovery methods, and planning migration | Mod 2 | Lessons 1/2/3/4/5 | Mod 2 Labs A/B |
| | | Mod 4 | Lessons 1/2/3/4 | Mod 4 Labs A/B/C |
| 1.2. Plan and configure security. | This objective may include but is not limited to: PKI or self-signed certificates, HTTP or HTTPS implementation, NAP, FEP, and planning role-based security | Mod 3 | Lessons 1/2/3 | Mod 3 Lab |
| 1.3. Define the Business Continuity Plan (BCP). | This objective may include but is not limited to: disaster recovery and site maintenance | Mod 8 | Lessons 1/2/3 | Mod 8 Lab |
| 5. Manage Sites (10 - 15%) | | | | |
| 5.2. Monitor site health. | This objective may include but is not limited to: SSRS, log files, In Console Monitoring, Toolkit | Mod 8 | Lessons 1/2/3 | Mod 8 Lab |
| 5.4. Manage site communications. | This objective may include but is not limited to: configuring bandwidth settings for a site address, configuring senders, secondary sites (file-based replication, SQL replication paths), resolving DP connections | Mod 5 | Lessons 1/2/3 | Mod 5 Labs A/B |
| 5.6. Manage role-based security. | This objective may include but is not limited to: security scopes, custom roles, cloned security roles and permissions | Mod 3 | Lessons 1/2/3 | Mod 3 Lab |
| 6. Manage Clients (10 - 15%) | | | | |
| 6.1. Deploy clients. | This objective may include but is not limited to: GPO, WSUS, logon scripts, manual, client push, OSD task sequence, monitoring client health | Mod 6 | Lessons 1/2/3/4/5 | Mod 6 Lab |
Note: Attending this course in itself will not successfully prepare you to pass any associated
certification exams.
There may also be additional study and preparation resources, such as practice tests, available
for you to prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en-us/exam-70-243.aspx, under Preparation options.
You should also check out the Microsoft Virtual Academy, http://www.microsoftvirtualAcademy.com to
view further additional study resources and online courses which are available to assist you with exam
preparation and career development.
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam
is available at the following URL: http://www.microsoft.com/learning/en-us/course.aspx?ID=10748C,
under Overview, Audience Profile.
The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject
to change at any time, and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:
• Course Handbook: A succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
• Module Reviews and Takeaways: Provide on-the-job reference material to boost knowledge
and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site:
Searchable, easy-to-browse digital content with integrated premium online resources that
supplement the Course Handbook.
• Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers, and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, Microsoft Developer Network (MSDN®), or Microsoft
Press®.
Student Course files: on the http://www.microsoft.com/learning/companionmoc site.
• Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
Virtual Machine Environment
This section provides the information about the lab scenario that is used in this course.
Virtual Machine Configuration
In this course, you will use Microsoft Hyper-V® to perform the labs.
Important: At the end of each lab, you must revert the virtual machines to a snapshot.
You can find the instructions for this procedure at the end of each lab.
The following table shows the role of each virtual machine that is used in this course:
| Virtual machine | Role |
|---|---|
| 10748C-LON-DC1 (A,B,C) | Domain controller for the Adatum.com domain |
| 10748C-LON-CFG (A,B,C) | Configuration Manager primary site server |
| 10748C-LON-CAS-(B,C) | Central administration site server |
| 10748C-LON-SVR1-C | Server in the adatum.com domain |
| 10748C-LON-CM7-C | Configuration Manager 2007 installation used for migration |
| 10748C-TOR-CFG-(B,C) | Secondary site server for the Toronto branch office |
| 10748C-NYC-CFG-(B,C) | Primary site server for New York |
Software Configuration
The following software is installed on each virtual machine:
• Windows Server 2012 R2
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
You may be accessing the lab virtual machines either in a hosted online environment with a web
browser or by using Hyper-V on a local machine. The labs and virtual machines are the same in both
scenarios; however, there may be some slight variations because of hosting requirements. Any
discrepancies will be called out in the Lab Notes on the hosted lab platform.
Your Microsoft Certified Trainer will provide details about your specific lab environment.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
• The minimum equipment configuration for this course is hardware level 7 with 16 gigabytes (GB) of
random access memory (RAM).
Hardware Level 7
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 gigabyte (GB) hard disks 7200 RPM SATA or better. The hard disks should be configured with
a separate volume (Drive C: and Drive D:) on each hard disk.
• 16 GB random access memory (RAM) or higher
• DVD drive
• Network adapter
• Super VGA (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers
Module 1
Overview of System Center 2012 R2 Configuration Manager
Contents:
Module Overview
Lesson 1: Introduction to System Center 2012 R2 Configuration Manager
Lesson 2: Overview of the Configuration Manager Site System Roles
Lesson 3: Overview of the Configuration Manager Optional Site System Roles
Lesson 4: Overview of Configuration Manager Deployment Scenarios
Lesson 5: Overview of the Configuration Manager Client
Module Review and Takeaways
Module Overview
By using the features of Microsoft® System Center 2012 Configuration Manager and System Center 2012
R2 Configuration Manager, you can perform complex management tasks, including the following:
• Hardware and software inventory.
• Application management.
• Operating-system deployment.
• Settings management.
• Software update management.
• Remote client troubleshooting.
• Protection from malware.
Knowledge of these features helps you design and deploy a Configuration Manager infrastructure. Other
areas of knowledge that can help you in your design and deployment tasks include:
• An understanding of Configuration Manager components and functionality.
• Knowledge of site system roles.
• An understanding of the architecture of the Configuration Manager client.
Objectives
After completing this module, you will be able to:
• Describe the System Center 2012 R2 products.
• Describe Configuration Manager and the new functionality in System Center 2012 Configuration
Manager with Service Pack 1 (SP1) and in System Center 2012 R2 Configuration Manager.
• Describe the Configuration Manager server infrastructure.
• Describe typical Configuration Manager deployment scenarios.
• Describe the Configuration Manager console.
Lesson 1
Introduction to System Center 2012 R2 Configuration Manager
Configuration Manager is a management solution with many useful features. In this lesson, you will
discover how to design a Configuration Manager hierarchy that helps you use these features more
efficiently. You will examine the role of Configuration Manager in the System Center 2012 R2 family of
products and determine whether Configuration Manager is the appropriate product to use in your
organization.
You will also examine how the changes between Configuration Manager 2007, System Center 2012
Configuration Manager, and System Center 2012 R2 Configuration Manager affect your overall site
hierarchy design.
In Configuration Manager 2007, data is transferred between sites by using file-based replication.
Although System Center 2012 R2 Configuration Manager still uses file-based replication for content, it
uses database replication to replicate operational data. In this lesson, you will examine what global data
and site data are and how data is replicated throughout the hierarchy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of Configuration Manager.
• Explain how Configuration Manager is positioned in the System Center 2012 R2 family of products.
• Describe site and hierarchy differences between Configuration Manager 2007, System Center 2012
Configuration Manager, and System Center 2012 R2 Configuration Manager.
• Understand the layout and functionality of the Configuration Manager console.
Overview of the System Center 2012 R2 Set of Products
System Center solutions help you manage
the physical and virtual information technology
(IT) environments across data centers, client
computers, and mobile devices. You can improve
your productivity by using the integrated and
automated solutions of System Center.
The following table lists the System Center
products.
| Product | Details |
|---|---|
| System Center 2012 R2 App Controller | You can use the System Center 2012 R2 App Controller to provide self-service access for application administrators. Then administrators can create and manage virtual machines and services based on templates, and manage private cloud resources and public cloud Windows Azure™ subscriptions from a single web interface. |
| System Center 2012 R2 Configuration Manager | You can use the change and configuration management capabilities of System Center 2012 R2 Configuration Manager to perform tasks such as: • Deploying operating systems, software applications, and software updates. • Monitoring and remediating computers for compliance settings. • Collecting hardware and software inventory. • Remote administration. |
| System Center 2012 R2 Data Protection Manager | You can use the System Center 2012 R2 Data Protection Manager (DPM) to perform disk-based and tape-based continuous data protection and recovery for file servers, Active Directory® Domain Services (AD DS) and application servers such as Microsoft SQL Server®, Exchange Server, Microsoft SharePoint®, and Microsoft Hyper-V®–based virtualization hosts. You can use DPM to protect the data on Windows® desktops and laptops. |
| System Center 2012 R2 Endpoint Protection | You can use System Center 2012 R2 Endpoint Protection to provide malware protection for your client systems. System Center 2012 R2 Endpoint Protection is built into Configuration Manager, creating a single infrastructure for deploying and managing Endpoint Protection. |
| System Center 2012 R2 Operations Manager | You can use System Center 2012 R2 Operations Manager to monitor services, devices, and applications on multiple computers in a single console. System Center 2012 R2 Operations Manager enables you to view the state of the information technology environment and services running across different systems. You can view state, health, and performance information in addition to real-time alerts generated for availability, performance, configuration, and security incidents. |
| System Center 2012 R2 Orchestrator | You can use the System Center 2012 R2 Orchestrator to orchestrate, integrate, and automate the IT processes in an organization. Orchestrator enables you to define and automate processes from a central point and integrate with existing management solutions, from both the System Center family and third-party management platforms. |
| System Center 2012 R2 Service Manager | You can use the System Center 2012 R2 Service Manager for automating and adapting the organization’s processes to IT service management best practices, such as those found in Microsoft Operations Framework and Information Technology Infrastructure Library. System Center 2012 R2 Service Manager also provides built-in processes for incident and problem management, change management, release management, and risk and compliance management. |
| System Center 2012 R2 Virtual Machine Manager | You can use the System Center 2012 R2 Virtual Machine Manager to configure and manage virtualization hosts, networking, and storage resources. This management solution for the virtualized datacenter also helps you create and deploy virtual machines and services to private clouds. |
Note: For System Center 2012 licensing information, please visit Microsoft Server and
Cloud Platform Pricing and Licensing at http://go.microsoft.com/fwlink/?LinkId=253177.
Question: Which of the System Center family of products, including the previous versions, are you using
in your organization?
Licensing for System Center 2012 R2 Server Management
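There are two editions of the System Center 2012 R2 suite—Standard and Datacenter—which the following
table details.

| Server license | Products | Virtual machines per license |
|---|---|---|
| System Center 2012 R2 Standard Edition | App Controller, Configuration Manager, Data Protection Manager, Endpoint Protection, Operations Manager, Orchestrator, Service Manager, Virtual Machine Manager | Two |
| System Center 2012 R2 Datacenter Edition | App Controller, Configuration Manager, Data Protection Manager, Endpoint Protection, Operations Manager, Orchestrator, Service Manager, Virtual Machine Manager | Unlimited |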
The Standard and the Datacenter editions are limited to two physical processors. If you deploy these
editions on a server with four processors, you need to purchase an additional suite license. You can
purchase System Center 2012 R2 licensing for client management in a variety of packages. System Center
2012 R2 includes licensing for a version of SQL Server Standard edition that supports System Center 2012
and System Center 2012 R2.
Overview of Configuration Manager 2012
The following table outlines the features of
System Center 2012 Configuration Manager.
Feature
Asset management
Feature usage
Hardware and Software
Inventory
You can use the tools and resources provided in the Hardware and
Software Inventory feature to maintain a record of hardware and software
in your organization.
Asset Intelligence
You can use the Asset Intelligence feature to obtain more insight from the
inventory data that the Hardware and Software Inventory feature records.
Asset Intelligence uses a catalog that contains software and imported
license information to identify the inventoried software.
MCT USE ONLY. STUDENT USE PROHIBITED
Planning and Deploying System Center 2012 Configuration Manager
Feature
Software Metering
Feature usage
1-5
You can use the Software Metering feature to monitor and collect software
usage data and generate reports to determine how your organization uses
applications.
Change Management
Application
management
You can use the tools and resources in the Application Management
feature to create, manage, deploy, and monitor applications in your
organization.
Software Updates
Management
You can use the tools and resources in the Software Updates Management
feature to manage, deploy, and monitor software updates in your
organization.
Operating System
Deployment
You can use the Operating System Deployment feature to plan and deploy
operating systems by using images.
Content Management
You can use the tools and resources in the Content Management feature to
manage content files for applications, packages, software updates, and
operating-system deployment.
Compliance Settings
You can use the tools and resources of the Compliance Settings feature to
help you assess, track, and remediate the configuration compliance of
client computers in the organization.
Power Management
You can use the tools and resources of the Power Management feature to
manage and monitor the power consumption of client computers in the
organization.
Client Health
You can use the tools and resources of the Client Health feature to manage
and monitor the health of the Configuration Manager client software.
Network Access
Protection (NAP)
You can use the Network Access Protection feature as a health validator.
This feature works in conjunction with Network Access Protection in
Microsoft Windows Server® 2008, Windows Server 2012, and Windows
Server 2012 R2.
Endpoint Protection
You can use this new functionality in Configuration Manager 2012 to
protect clients against malware. This functionality was available previously
in Microsoft Forefront® Endpoint Protection.
Administrative Features
Reporting
You can use the SQL Reporting Services in Configuration Manager 2012
for report generation. Administrators can create subscriptions so that SQL
Reporting Services generates reports on a schedule and distributes them in
various formats by email.
Monitoring
You can use the Monitoring feature to supervise site systems and client
health. It also provides automatic remediation for specific client errors.
Remote Management
You can use the Remote Management feature to assist users by remotely
accessing any client computer in the hierarchy. You can use the remote
control to troubleshoot hardware and software configuration problems on
client computers and to provide help-desk support when access to a user’s
computer is necessary.
Role-Based Administration
You can use role-based administration to assign roles and permissions to
the administrators, to allow them to access and use Configuration Manager
and its various features.
New Functionality in the System Center 2012 R2 Configuration Manager
Release
System Center 2012 Configuration Manager SP1
introduced new features that were not available
in the original Release to Manufacturing (RTM)
version. The release of System Center 2012 R2
Configuration Manager builds on the SP1 release
and introduces additional features.
New Features in System Center 2012
Configuration Manager SP1
System Center 2012 Configuration Manager SP1
introduces support for the following significant
features:
•
The Configuration Manager client on computers that are running Windows® 8 and Windows
Server 2012.
•
The ability to use Configuration Manager to deploy Windows 8 or to upgrade computers that are
running Windows 7 to Windows 8.
•
Support for Windows To Go deployment and clients.
•
User data and profiles configurations that enable Configuration Manager to manage folder
redirection, offline files, and roaming profiles.
•
Deployment of Windows Store apps (.appx files) to clients running Windows 8, through sideloading
or links to the Windows Store.
•
Use of a metered Internet connection and the Always On, Always Connected Windows 8 features.
•
The ability to use Windows Server 2012 for site systems and as client devices.
•
The ability to use SQL Server 2012 to host the Configuration Manager database.
•
The ability to use computers running Mac OS X, Linux, or UNIX as Configuration Manager client
devices.
•
The ability to use mobile devices that are running Windows Phone 8, Windows RT, iOS, or Android
through a Windows Intune™ organizational account.
•
Windows PowerShell® cmdlets that you can use to automate Configuration Manager operations
through Windows PowerShell scripts.
•
Windows Azure-based distribution points.
•
The ability to expand a stand-alone primary site into a hierarchy by adding a new central
administration site.
•
Migrating a Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy.
•
More than one software update point in a site.
•
The ability to trigger some client operations, such as downloading policy and malware scans, from the
Configuration Manager console.
•
Microsoft Application Virtualization (App-V) virtual environments that make it possible for App-V
applications to share data from file systems and registries.
•
Increased email alert subscriptions.
New Features in System Center 2012 R2 Configuration Manager
In addition to the features discussed above, System Center 2012 R2 Configuration Manager supports the
following new features:
•
Windows Server 2012 R2 and Windows 8.1.
•
Boot images that you create by using Windows Automated Installation Kit (AIK) for Windows 7 SP1.
•
The new site system role for certificate registration points. This role enables deployment to, and
management of, certificates to Configuration Manager client devices.
•
Certificate profiles that support user and device certificates to managed devices that are running the
iOS, Windows 8.1, Windows 8.1 RT, and Android operating systems.
•
The merging of System Center 2012 R2 Configuration Manager hierarchies.
•
The migration of data from a System Center 2012 Configuration Manager test environment to a
System Center 2012 R2 Configuration Manager production environment.
•
The enrollment of Mac OS X computers and deployment of client certificates through an enrollment
wizard.
•
The ability to reassign Configuration Manager client devices (including managed mobile devices) to a
different site in the Configuration Manager hierarchy, either individually or through bulk
reassignment.
•
The enrollment of Android devices by using the Company Portal app that is available through the
Google Play store. The Company Portal app includes the Configuration Manager Management agent
that enables management capabilities, such as password settings, encryption settings, and a camera.
•
The enrollment of iOS devices by using the Company Portal app available through the App Store. The
Company Portal app enables users to change or reset passwords; download and install apps that the
organization owns; and enroll, unenroll, or remove organizational content from their iOS devices.
•
Devices that run the Windows RT, iOS, and Android mobile operating systems and that support the
required deployment purpose.
•
The Wipe and Retire function, which enables administrators to remove organizational content from
mobile devices, while leaving the user’s personal information on the device.
•
Windows Intune, which you can use to manage Windows 8.1 devices that are not domain-joined and
that do not have the Configuration Manager client installed.
•
Additional compliance settings that relate to mobile devices.
•
The deployment of web applications through a new deployment type.
•
Windows 8.1 app bundles (.appxbundle) to optimize the deployment of Windows Store apps and
resource packages.
•
Featured applications that display prominently in the Company Portal.
•
The configuration of per-application virtual private network (VPN) profiles that enable an application
to open a VPN connection.
•
Remote connection profiles, which enable users to connect remotely to their work computers from
the company portal.
•
VPN profiles, which enable you to deploy VPN settings to devices that are running iOS, Windows RT,
and Windows RT 8.1.
•
Wi-Fi profiles that enable you to deploy Wi-Fi connection settings to devices that are running iOS,
Windows 8, Windows 8.1, Windows RT, and Windows RT 8.1.
•
Support for Windows 8 and Windows 8.1 distribution points.
•
Software updates for specific maintenance windows.
•
Previews of software updates in an automatic deployment rule.
•
The alteration of deployment packages for existing deployment rules, so that you can add new
software updates more efficiently.
•
The ability to view resultant client settings, so that you can see effective client settings that are
applied to specific devices.
•
Nondefault locations for site database files during setup.
•
The creation of prestaged content files for task sequence content.
•
Virtual hard-disk management.
•
New task-sequence steps that include Run PowerShell Script, Check Readiness, and Set Dynamic
Variables.
•
Pull distribution points that enable administrators to configure priorities for source distribution points.
•
The pushing of status information about completed actions by pull distribution points to the site
server.
•
Summary reports of distribution point usage, which enable administrators to view details that
compare individual distribution-point utilization.
•
Configuration Manager reporting filters reports’ data based on the permissions of the user who runs
the report.
Sites and Hierarchies
You can implement Configuration Manager as:
•
A single primary site with optional secondary
sites.
•
Multiple sites in a hierarchical relationship,
including a central administration site,
multiple primary sites, and secondary sites.
Unlike Configuration Manager 2007, sites in
Configuration Manager are no longer security
boundaries and do not limit the administrative
scope. You use multiple primary sites for scale-out
operations to accommodate a larger number of
clients.
Changes to Site Types
Configuration Manager introduces changes to site types including:
•
Central administration site. In Configuration Manager 2007 and previous versions, the top-level
primary site was called a central site. Configuration Manager introduces a new site type—the central
administration site—that:
o
Is required only when implementing multiple primary sites.
o
Provides centralized management of primary sites in the hierarchy.
o
Is used to generate reports that contain data from the entire hierarchy.
o
Supports a subset of site system roles.
o
Does not have directly assigned clients or process client data. It receives client data from the
other primary sites in the hierarchy. The central administration site does not support roaming
clients. With System Center 2012 Configuration Manager, if you wanted to use a central
administration site, you needed to install it first, and then install other primary sites that would be
part of the hierarchy under the central administration site. However, with System Center 2012
SP1 Configuration Manager and System Center 2012 R2 Configuration Manager, you can deploy
a primary site. If you need additional primary sites, you can join that primary site to a central site.
•
Primary sites. Prior to Configuration Manager 2012, you could tier primary sites below other primary
sites, and use them to enable decentralized administration, define custom configurations for client
agents, or serve as a security scope. In Configuration Manager, you no longer use primary sites to
provide those functions. Configuration Manager primary sites:
o
Are used to increase scalability by supporting a larger number of clients when you add another
primary site.
o
Manage the clients assigned to them and perform client data processing.
o
Cannot be linked to another primary site in a parent-child relationship. Only secondary sites can
be a child site of a primary site.
o
Are installed either as a stand-alone site or as the child to an existing central administration site
when you install it in a hierarchy. After installation, you can change the parent-child association
only by uninstalling and reinstalling the primary site or by joining a primary site to a central
administration site.
o
Do not limit the administrative scope. Configurations that administrative users perform at any of
the sites replicate throughout the hierarchy. You can restrict administrative access by using
security roles.
•
Secondary sites. In Configuration Manager 2007, you could use secondary sites to manage the
network bandwidth for sending client data and content to remote locations. In Configuration
Manager, you use secondary sites to control the flow of client data in the hierarchy. Secondary sites:
o
Use a SQL Server database, which is on a SQL Server Express instance and installed locally on the
secondary site server.
o
Always include a management point and distribution point.
o
Participate in database replication with their parent primary site.
o
Must be a child of a primary site.
o
Support the routing of file-based content to other secondary sites.
Question: If you have an existing Configuration Manager 2007 implementation, what is your current
architecture?
Using the Configuration Manager Console
The System Center 2012 R2 Configuration
Manager console has a ribbon design similar to that of
Microsoft Office 2010. The console is context
sensitive and organized into multiple panes.
The five panes in the System Center 2012 R2
Configuration Manager console are the:
•
Ribbon. The ribbon contains the actions that
you can perform on the currently selected
object. These actions also are available by
right-clicking the object.
•
Workspaces. The workspaces are the navigation tools that help you navigate quickly through the
different management areas.
•
Navigation pane. The Navigation pane is the main navigation area, and it contains the nodes that
make up the selected workspace. When you perform certain tasks, such as searches or queries,
Configuration Manager creates temporary nodes that display the task results.
•
Results pane. The Results pane shows the objects available under the currently selected workspace or
node.
•
Preview pane. The Preview pane is a tabbed pane that appears as the bottom part of the Results
pane. The Preview pane may or may not appear, depending on the object currently selected in the
Results pane.
Assets and Compliance Workspace
You can use the Assets and Compliance workspace to manage the compliance of your environment’s
objects. The Assets and Compliance workspace provides different nodes, through which you can manage
objects, including the following:
•
Users. Use this node to manage Configuration Manager users and groups.
•
Devices. Use this node to manage Configuration Manager computers and mobile devices.
•
User Collections. Use this node to manage user collections.
•
Device Collections. Use this node to manage device collections.
•
User State Migration. Use this node to manage the user state during operating system deployments.
•
Asset Intelligence. This folder contains the Catalog, the Inventoried Software, and the Hardware
Requirements nodes, which you can use to manage the objects that you use for Asset Intelligence.
•
Software Metering. Use this node to manage rules for monitoring software usage.
•
Compliance Settings. This folder contains the Configuration Items, the Configuration Baselines, User
Data and Profiles, Remote Connection Profiles, and Company Resource Access nodes, which you can
use to manage the objects that you use for assessing and remediating compliance of settings on
devices.
•
Endpoint Protection. This folder contains nodes for antimalware and firewall policies.
Software Library Workspace
You can use the Software Library workspace to manage software that you are deploying in your System
Center 2012 R2 Configuration Manager environment. The Software Library workspace is organized into
the following nodes:
•
Application Management. This folder contains the Applications, Packages, Approval Requests, and
Global Conditions nodes.
•
Software Updates. This folder contains the All Software Updates, Software Updates Groups,
Deployment Packages, and Automatic Deployment Rules nodes.
•
Operating Systems. This folder contains the Drivers, Driver Packages, Operating Systems Images,
Operating System Installers, Boot Images, Task Sequences, and Virtual Hard Disks nodes.
Monitoring Workspace
You can use the Monitoring workspace to manage the alerts, queries, reports, status messages, and other
components that allow you to monitor your environment. The Monitoring workspace includes the
following nodes:
•
Alerts. Use this node to view and manage alerts. This node contains the Subscriptions subnode, which
enables you to create subscriptions to alerts.
•
Queries. Use this node to run, view, and manage Configuration Manager queries.
•
Reporting. This folder contains the Reports and Report Subscriptions nodes.
•
Site Hierarchy. Use this node to view and manage the status of all sites in the hierarchy, by using a
hierarchy view or geographical view.
•
System Status. This folder contains the following nodes: Site Status, Component Status, Conflicting
Records, and Status Message Queries.
•
Deployments. Use this node to view the status of software deployments.
•
Client Operations. Use this node to get details on client operations.
•
Client Status. Use this folder to view Client Health and Client Activity nodes.
•
Database Replication. Use this node to view site-to-site link status for SQL Server based replication.
•
Distribution Status. This folder contains the Content Status, Distribution Point Group Status, and
Distribution Point Configuration Status nodes.
•
Software Update Point Synchronization Status. Use this node to view the status of the synchronization
process for the software update points.
•
Endpoint Protection Status. Use this node for security and operational states, and to view the status of
the site’s Endpoint Protection.
Administration Workspace
You can use the Administration workspace to manage your System Center 2012 R2 Configuration
Manager environment. The Administration workspace includes the following nodes:
•
Hierarchy Configuration. This folder contains the Discovery Methods, Boundaries, Boundary Groups,
Exchange Server Connectors, Addresses, and the Active Directory Forests nodes.
•
Cloud Services. This contains the Windows Intune Subscriptions and Cloud Distribution Points nodes.
•
Site Configuration. This folder contains the Sites and Servers node and the Site System Roles node.
•
Client Settings. Use this node to manage client settings.
•
Security. This folder contains the Administrative Users, Security Roles, Security Scopes, Accounts, and
Certificates nodes.
•
Distribution Points. Use this node to manage individual distribution points.
•
Distribution Points Groups. Use this node to manage distribution points groups.
•
Migration. This folder contains the Active Source Hierarchy, Migration Jobs, and Distribution Point
Updates nodes, which you can use to manage data migration from Configuration Manager 2007.
Lesson 2
Overview of the Configuration Manager Site System Roles
Configuration Manager has multiple site roles that you can install on the same computer or, for scalability,
on multiple servers. Default site roles are installed in every Configuration Manager implementation.
Optional site roles provide additional functionality, and you can install them, as necessary.
By understanding the functionality of the site roles, you can make design decisions regarding the
configuration and placement of each role in your Configuration Manager implementation.
Lesson Objectives
After completing this lesson, you will be able to:
•
Describe the functionality of the default site system roles.
•
Identify the site roles you need to install in your implementation.
•
Describe planning and design considerations for the default site system roles.
Overview of the Configuration Manager Site System Roles
When you install a Configuration Manager site,
several site system roles are installed by default.
The roles installed are required for the core
operations of each site. You can move some
of these roles to other servers, but you cannot
remove them from the site. When you install
additional site servers for optional roles, some
default site system roles are also installed.
Configuration Manager no longer supports the
concept of a site mode. Instead, you configure
each appropriate individual site role to use either
HTTP or HTTPS.
Default Site System Roles
When you install a site server, the default system roles are installed automatically. The SMS Provider role
is the only role that does not have an object exposed in the Configuration Manager console. You can
configure two optional roles—the management point and distribution point roles—for automatic
installation when you install a primary or secondary site server.
The following table lists the default site system roles.
Site system role
Description
Site server
A site server is the computer on which you run Configuration Manager
Setup. The site server provides the core functionality for the site.
Component server
A component server runs the Configuration Manager services and installs
automatically with all site systems, except the distribution point.
SMS Provider
An SMS Provider is the interface between the Configuration Manager
console and the site database. This role installs automatically when
you install a central administration site or primary site. Installation of a
secondary site does not install the SMS Provider. You can install the SMS
Provider on the site server, the site database server (unless the site database
is hosted on a clustered instance of SQL Server), or on another computer.
You can also move the SMS Provider to another computer after the site
installs, or you can install multiple SMS Providers on additional computers.
Site system
A site system is any computer that hosts one or more site system roles for a
Configuration Manager site.
Site database server
A site database server hosts the SQL Server database to store information
about assets and site data.
Management point
A management point provides policy and content location information to
clients. It also receives data from clients. You cannot install a management
point in a central administration site.
Distribution point
A distribution point contains source files for clients to download, such as
application content, software packages, software updates, operating system
images, and boot images. You can control content distribution by using
bandwidth, throttling, and scheduling options. You cannot install a
distribution point on a central administration site.
Optional Site System Roles
Optional site roles provide additional functionality to your Configuration Manager implementation. Some
of the roles, such as Windows Server roles, have external prerequisites and features that you must install
on that server first.
The following table provides some examples of optional site roles.
Site system role
Description
Application Catalog web service point
An Application Catalog web service point provides software information to the
Application Catalog website from the Software Library. This is a role introduced in
Configuration Manager 2012.
Application Catalog website point
An Application Catalog website point provides users with a list of available
software. This is a role introduced in Configuration Manager 2012.
Asset Intelligence synchronization point
An Asset Intelligence synchronization point connects to System Center Online to
download Asset Intelligence catalog information. It can also upload uncategorized
titles that the administrator selected previously for inclusion in the catalog.
Certificate registration point
A certificate registration point connects to a server running Network Device
Enrollment Service and manages certificate requests from devices that use the
Simple Certificate Enrollment Protocol (SCEP).
Endpoint Protection point
An Endpoint Protection point provides the ability to manage malware and
Windows Firewall remediation for System Center 2012 Endpoint Protection.
Enrollment point
An enrollment point uses public key infrastructure (PKI) certificates to complete
mobile device enrollment and provision computers that are running Active
Management Technology (AMT). This is a role introduced in Configuration
Manager 2012.
Enrollment proxy point
An enrollment proxy point manages enrollment requests from mobile devices so
that Configuration Manager can manage them. This is a role introduced in
Configuration Manager 2012.
Fallback status point
A fallback status point helps you monitor client installation and identify the clients
that are unmanaged because they cannot communicate with their management
point.
Out of band service point
An out of band service point provisions and configures AMT-based computers for
out-of-band management.
Reporting services point
A reporting services point integrates with SQL Server Reporting Services to create
and run reports for Configuration Manager.
Software update point
A software update point manages Windows Server Update Services (WSUS) in
order to synchronize the software update metadata from a configured source,
such as Microsoft Update, and make the data available to Configuration Manager.
State migration point
A state migration point stores user state data when a computer is migrated to a
new operating system.
System Health Validator point
A System Health Validator point validates Configuration Manager Network Access
Protection (NAP) policies. You must install this site system role on a NAP health
policy server.
Windows Intune connector
A Windows Intune connector manages mobile devices through a Windows Intune
subscription.
Planning the Site Database
The site database role hosts the Configuration
Manager database.
Planning Considerations for the Site
Database
When you are planning your site database role,
you should consider that:
•
The site database server must be running one
of the following:
o
SQL Server 2008 Service Pack 2 (SP2) with
Cumulative Update 9 or newer
o
SQL Server 2008 Service Pack 3 (SP3) with Cumulative Update 4 or newer
o
SQL Server 2008 R2 SP1 and Cumulative Update 6 or newer
o
SQL Server 2008 R2 SP2 or newer
o
SQL Server 2012 or newer
o
SQL Server 2012 SP1 or newer
•
The site database server can use the Standard or Enterprise version of SQL Server 2008, SQL Server
2008 R2, or SQL Server 2012. When planning the site database, the relevant differences between the
Enterprise edition of SQL Server and the Standard edition include that the Enterprise edition:
o
Supports up to 400,000 clients in the hierarchy. The Standard edition supports a maximum of
50,000 in the hierarchy.
o
Supports more than four sockets or 16 processor cores.
o
Supports more than 64 gigabytes (GB) random access memory (RAM).
o
Supports more than two AlwaysOn Failover Cluster instances.
o
Supports AlwaysOn Availability Groups.
•
Secondary sites use SQL Server Express 2008 R2 with SP1 and Cumulative Update 4 by default, but
you can configure them to use Standard or Enterprise editions, as well.
•
The site database role can use a default instance or a named instance of SQL Server. It is possible to
use the same SQL Server to host databases for multiple sites. However, each Configuration Manager
site requires a unique instance of SQL Server.
•
You can configure the SQL Server service by using a domain user account or the local system account
of the computer that is running SQL Server. Using a domain user account as the SQL Server service
account is a best practice. However, you must manually register the service principal name (SPN) for
the account.
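Registering the SPNs for a domain service account, as an added example that is not part of the course material: it builds the port-based MSSQLSvc SPNs for the short and fully qualified server names, checks the domain for an existing holder, and only then registers them. The server name, account name, port and both function names are constructed for illustration; setspn.exe and its -Q, -S and -L switches are the standard Windows tool.

```powershell
# Constructed values: sql01.contoso.local, CONTOSO\svc-cmsql and port 1433 are placeholders.
# Run from an elevated session with rights to write servicePrincipalName on the account.

function Get-ExpectedSqlSpn {
    # Returns the port-based SPNs that Kerberos clients request for this SQL Server,
    # one for the FQDN and one for the short (NetBIOS) name.
    param(
        [Parameter(Mandatory)][string]$ServerFqdn,
        [int]$TcpPort = 1433   # a named instance uses its own static port here
    )
    $shortName = $ServerFqdn.Split('.')[0]
    foreach ($hostName in @($ServerFqdn, $shortName) | Select-Object -Unique) {
        "MSSQLSvc/${hostName}:$TcpPort"
    }
}

function Register-SqlServiceSpn {
    # Registers each SPN on the service account unless it is already held somewhere
    # in the domain. A duplicate SPN on another account breaks Kerberos for the
    # service and clients fall back to NTLM or fail to connect.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Spn,
        [Parameter(Mandatory)][string]$ServiceAccount
    )
    foreach ($name in $Spn) {
        # -Q is read-only: it searches the domain for an existing registration.
        $lookup = (& setspn.exe -Q $name 2>&1) -join "`n"
        if ($lookup -match 'Existing SPN found') {
            # Show the holder so an SPN left on the computer account or on an old
            # service account is noticed and removed before continuing.
            Write-Warning "SPN $name is already registered:`n$lookup"
            continue
        }
        if ($PSCmdlet.ShouldProcess($ServiceAccount, "setspn -S $name")) {
            # -S re-checks for duplicates before it writes the SPN.
            & setspn.exe -S $name $ServiceAccount
            if ($LASTEXITCODE -ne 0) {
                throw "setspn failed for $name (exit code $LASTEXITCODE)"
            }
        }
    }
    # -L lists what the account now holds, for the change record.
    & setspn.exe -L $ServiceAccount
}

# Dry run first: -WhatIf performs the duplicate check and the listing but writes nothing.
$spns = Get-ExpectedSqlSpn -ServerFqdn 'sql01.contoso.local' -TcpPort 1433
Register-SqlServiceSpn -Spn $spns -ServiceAccount 'CONTOSO\svc-cmsql' -WhatIf
```

Re-run without -WhatIf once the dry run shows no conflicting holder.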
Site Database Placement
At a central administration site and at primary sites, you can collocate the database server on the site
server or place it on a remote server. At secondary sites, the database server is always collocated on the
secondary site server.
If you use a remote database-server computer, ensure that the network connection between the site
server and site database is a high-availability, high-bandwidth network connection. This is necessary
because the site server and some site system roles must constantly communicate with the SQL Server
that is hosting the site database.
When you are planning to install the site database on a remote server, you should consider that:
•
The amount of bandwidth required for communications to the database server depends upon a
combination of many different site and client configurations. Therefore, the actual bandwidth
required cannot be predicted accurately.
•
Each computer that runs the SMS Provider and that connects to the site database increases network
bandwidth requirements.
•
The computer that runs SQL Server must be in a domain that has a two-way trust with the site server
and all computers that are running the SMS Provider.
•
You cannot use a clustered SQL Server for the site database server when the site database is
collocated with the site server.
Planning the Site Server Role
When you install a Configuration Manager site,
several roles are installed by default, and they
provide the site’s core functionality.
The Configuration Manager roles installed on a
server during the Configuration Manager Setup
process are:
•
Site server. The site server role provides core
functionality for a Configuration Manager
site. When you install Configuration Manager
on the first server in a site, the site server
role installs automatically. There are no
configurable properties for the site server
role.
•
Component server. You can install the component server role on any site system that runs the SMS
Executive service. All Configuration Manager components, except the distribution point role, use the
SMS Executive service. There are no configurable properties for the component server role.
•
Site system. You can install the site system role on any server that hosts a Configuration Manager
role. When you install a site role on a server from the Configuration Manager console, the site server
connects remotely to that computer, configures it as a site system, and then installs the site role that
you requested. The site system role includes the following configuration options:
o
Specify an FQDN for this site system for use on the Internet. If the roles that this server supports
are going to be accessible from the Internet, you must configure an Internet fully qualified
domain name (FQDN). However, the intranet FQDN is configured automatically during the
installation of the Configuration Manager server.
o
Require the site server to initiate connections to this site system. When you choose this option,
you also must configure the site system installation account. This option is useful when the site
system is in a perimeter network and security policies will not allow it to initiate communication
with the internal network.
o
Site System Installation Account. This setting allows you to configure the account that the site
server uses to install this site system role. By default, the site server computer account is used.
o
Active Directory membership. This setting allows you to configure the Active Directory forest and
domain FQDNs that the site system is a member of.
Design Considerations
The site server role installs automatically when you install a central administration site or primary site. It
installs on the server from which you run Configuration Manager Setup. When you install a secondary site
by using the Configuration Manager console, the site server role is installed on the server that you specify
as the secondary site server. You cannot move the site server role to another server without reinstalling
the site.
Because the site server is a critical component in a Configuration Manager implementation, you must
ensure that you can recover your site server configuration if a server loss or malfunction occurs. You
achieve this by configuring the site backup task to back up the site server. For more information and
details about how to configure site maintenance tasks, including the backup task, refer to Module 7.
Planning the SMS Provider Role
The SMS Provider manages read and write access
to the Configuration Manager databases in
primary and central administration sites.
Design Considerations
There must be at least one SMS Provider in each
primary site and at least one SMS Provider in
the central administration site. When you install a
site, an SMS Provider for that site also installs by
default. You can deploy multiple SMS Providers
in a site. If there is only one SMS Provider at a
site and the server that hosts the SMS Provider
is offline, you will be unable to access the site
database by using the Configuration Manager console. However, you can view the locations of all SMS
Providers installed at a site, on the General tab of the Site Properties dialog box in the Configuration
Manager console.
The server that hosts the SMS Provider must meet the following prerequisites:
•
The server must be part of the same Active Directory forest as the servers that host the site server and
site system roles for the site database.
•
The server cannot host site system roles from different sites or an existing SMS Provider.
•
The server must have enough free space to support the installation of Windows Assessment and
Deployment Kit (Windows ADK) components if you are deploying System Center 2012 Configuration
Manager with Service Pack 1 or System Center 2012 R2 Configuration Manager. If you are deploying
System Center 2012 Configuration Manager, there must be sufficient space for deployment of
Windows AIK components.
•
The Configuration Manager console and any site systems that interact with the site database access
the database through the SMS Provider.
•
You specify the SMS Provider location during site installation. By default, the SMS provider is located
on the Configuration Manager site server.
•
You can relocate the SMS provider by using the Configuration Manager site maintenance action from
the Configuration Manager Setup program.
Beyond ensuring that the role is highly available, you should deploy multiple SMS Providers to a site
under the following conditions:
• The site has a large number of administrative users who use the Configuration Manager console
concurrently.
• Your organization is using the Configuration Manager Software Development Kit (SDK) or any other
products that perform frequent calls to the SMS Provider.
SMS Provider Placement
When you install a site, the installation automatically installs the first SMS Provider for the site. You can
specify any of the following supported locations for the SMS Provider:
• The site server computer.
• The site database computer.
• Any other computer that does not hold an SMS Provider.
Planning the Management Point Role
The management point provides policy and
content location information to Configuration
Manager clients. Each client that you assign to a
site locates the management point for that site,
connects to it to download policy, and then sends
the collected information, such as hardware
inventory, and task results to the site server. The
management point is implemented as a web
service, which Internet Information Services (IIS)
hosts.
Note: In Configuration Manager 2007, you
can configure management points to use network load balancing (NLB) for high availability.
Management points in Configuration Manager 2012 do not support the use of NLB.
Design Considerations
When planning for management points, consider the following:
• Each primary and secondary site must contain at least one management point.
• Secondary sites do not support more than one management point, and you install them on the site
server. You cannot move them to another server. Secondary site management points cannot support
mobile devices that are enrolled by Configuration Manager.
• To ensure high availability of the management point, you can install multiple management points in
the same primary site.
• You can configure each management point to use either HTTP or HTTPS for client communications.
To use HTTPS, you need to request and install PKI-based certificates.
• By default, clients use the most secure method available for communication. If both are available, a
client will use an HTTPS-configured management point before it will use an HTTP-configured one.
• To manage clients on the Internet, you will need at least one management point that you configure
to use HTTPS. This management point must be accessible from the Internet to manage remote clients.
Planning the Distribution Point Role
You can use the distribution point role to
provide the content necessary for features such
as deployment of applications, software updates,
and operating systems to the Configuration
Manager clients.
The distribution point is implemented as a web
service that IIS hosts. The clients access the
distribution point to download package files,
operating-system images, applications, or
updates.
Configuration Manager Features
Configuration Manager 2012 has several features that you can use to implement the distribution point,
including the following:
• Distribution points can be configured individually to use HTTP or HTTPS depending on the
capabilities of the clients. If you are managing clients over the Internet, you need at least one
distribution point configured to use HTTPS.
• Distribution points now include the functionality of the PXE service point. To enable this functionality,
you need to install Windows Deployment Services (Windows DS) on the same computer that hosts
the distribution point.
• To control the content distribution, you can create distribution point groups which enable you to
manage content on multiple distribution points as a single entity.
• Distribution points now include the option to perform content validation to verify the status of the
content replicated from the site server or from other distribution points. This option is not enabled by
default.
• Distribution points can be associated with one or more boundary groups, so you can configure which
clients can access content from the distribution point.
• Distribution points that are not site servers have settings for bandwidth throttling and scheduling the
transfer of content so you can control network traffic.
• Distribution points now use a single instance store, and they put into effect the concept of a content
library.
Design Considerations
When you are planning distribution points, consider these factors:
• Place a distribution point close to the clients it will serve. For example, place one on the same
high-speed network segment.
• Deploy multiple distribution points if you frequently use features such as software distribution,
software update management, and operating-system deployment.
• Install distribution points on desktop operating systems and on 32-bit systems.
System Center 2012 R2 Configuration Manager supports distribution points that Windows Azure hosts.
Windows Azure distribution points simplify the deployment of content to clients that may not be located
on the organizational network, because these clients can connect to the cloud-hosted distribution point.
You must have a Windows Azure account to deploy a Windows Azure distribution point.
You will learn more about distribution points in Module 5.
Lesson 3
Overview of the Configuration Manager Optional Site System Roles
Configuration Manager optional site roles provide additional functionality to the site, and you can install
them as necessary.
During the planning and design phase of your Configuration Manager implementation, you need to
identify the necessary roles, functionality, and capacity requirements. This lesson describes the basic
functionality of the optional site system roles, as well as planning and design considerations for these
optional roles.
Lesson Objectives
After completing this lesson, you will be able to plan the placement of the following optional site roles:
• Application Catalog web service point
• Application Catalog website point
• Asset Intelligence synchronization point
• Certificate registration point
• Endpoint protection point
• Enrollment point
• Enrollment proxy point
• Fallback status point
• Out of band service point
• Reporting services point
• Software update point
• State migration point
• System Health Validator point
• Windows Intune connector
Planning for Reporting Services
The reporting services point is a site system that
you install on a server that is running Microsoft
SQL Server Reporting Services (SSRS), which
provides advanced reporting capabilities and
rich authoring tools for building reports.
You can run reports from the Configuration
Manager console or directly from the reporting
services point website, and then you can save
them in a variety of formats. In addition to
running reports manually, the reporting services
point supports report subscriptions, which are
recurring requests to deliver reports at specific times or in response to events. In the subscription, you can
specify the application file format of the report.
Design Considerations
When you are planning for the reporting services points, consider the following:
• You must install the reporting services point on a computer that is running SQL Server Reporting
Services that is the same version as the site database.
• Each SSRS instance can support one site only.
• You can install multiple reporting services points in your hierarchy.
• If you install a reporting services point in a primary site, the reports show the data collected from that
site. However, reports that you run in the central administration site, on a reporting services point in
the central administration site, return data collected from the entire hierarchy.
Planning Roles for Client Management
Performing client management requires a number
of roles. The roles that you deploy for client
management include the:
• Fallback status point
• Enrollment point
• Enrollment proxy point
• Windows Intune connector
• Out of band service point
Fallback Status Point
A fallback status point is a hierarchy-wide role that monitors client deployment activity and identifies
clients that are unmanaged because they cannot communicate with a management point. Mobile devices
do not use a fallback status point.
When planning for a fallback status point, consider the following:
• You need to install a fallback status point if you want client computers to report installation failures,
particularly when they cannot communicate with a management point.
• You need to install a fallback status point if you want to use the client deployment reports. These
reports depend on information sent to the fallback status point.
• You can use a dedicated server to host the fallback status point and have additional security measures
in place to help protect against attack.
Enrollment Point and Enrollment Proxy Point
You can use Configuration Manager to manage mobile devices. There are multiple methods for managing
mobile devices. You can use:
• Exchange Connector to manage mobile devices through the Exchange ActiveSync® protocol.
• The Configuration Manager mobile client to provide richer hardware inventory, settings
management, and software deployment. Configuration Manager uses the enrollment point and the
enrollment proxy point to provide depth management for supported mobile devices. Configuration
Manager can use in-depth management to manage mobile devices that are running a supported
Windows Mobile operating system or Nokia Symbian devices. The enrollment point roles also support
AMT devices.
• The Windows Intune connector through a Windows Intune subscription to manage devices running
iOS, Android, Windows Phone 8, or Mac OS X.
The enrollment point roles work together to provide the depth-management functionality through the
use of an:
• Enrollment point. This role uses PKI certificates to complete the enrollment of mobile devices and
AMT-capable computers (for out-of-band management) by Configuration Manager.
• Enrollment proxy point. Mobile devices connect to this role to submit client-installation requests and
download the client. Enrollment requests are sent to the enrollment point for completion.
When planning for mobile device management, consider the following:
• The enrollment point role is a site-wide role. Additionally, the enrollment proxy point is typically
accessed from the Internet, so you should place it in a perimeter network or publish it through a
firewall.
• Light management provides basic management functionality and uses the Exchange connector.
• Depth management installs a client and provides additional management features.
• You must use depth management if you require:
    o Customizable mobile device hardware inventory.
    o The ability to specify mobile device settings.
    o The ability to deploy software.
Windows Intune Connector
The Windows Intune connector is a site system role that you can use to connect the Configuration
Manager infrastructure and a Windows Intune subscription. You must deploy this role in conjunction
with a connection to an existing Windows Intune subscription that you configure to synchronize with
on-premises AD DS.
Out of Band Service Point
Out of band management lets an administrative user connect to a supported computer's AMT
management controller when the computer is turned off or is in hibernation, or the operating system is
otherwise unresponsive. In these situations, administrative users can manage these computers without
requiring local access to the computer.
Typical out of band management tasks include:
• Powering on one or more computers.
• Powering off unresponsive computers.
• Enabling and disabling AMT audit logging.
When planning for the out of band service point, consider the following:
• Client systems must have the Intel vPro chipset and a supported version of the AMT.
• You must use the following certificates for out of band management:
    o An AMT provisioning certificate on the out of band service point. This allows configuration of
    computers for out of band management.
    o A web server certificate on the enrollment point. This provides secure communication with the
    out of band service point during the provisioning process.
    o Client certificates. This is necessary when you use 802.1X authentication.
You can use an audit log on the AMT-based computers to record out of band activity and to make it
auditable.
Planning Roles for Software Updates
The central administration site and all primary
child sites must have an active software update
point for you to deploy software updates to all
clients. When planning the infrastructure for
software update points, you need to determine
which server should be the active software update
point for the site. You also need to decide if the
software update point will be collocated with
the site server or installed on a remote server.
Additionally, you need to determine which sites
require an Internet-based software update point.
Finally, you need to decide if you need an active
software update point in any secondary sites.
When planning the infrastructure for software update points, you should consider that:
• You must install the software update point on a server that is hosting WSUS 3.0.
• You can install a software update point in every site.
• By default, the software update point at the central administration site (or at the stand-alone primary
site) synchronizes with Microsoft Update.
• By default, the software update points installed in child sites synchronize with their parent site.
• You should schedule the synchronizations for a time frame that is suitable for your environment.
Planning Roles for Endpoint Protection
The Endpoint Protection point role is required
before you can enable Endpoint Protection in
Configuration Manager. The Endpoint Protection
point sends information collected by the Endpoint
Protection clients to the Microsoft Active
Protection Service. This information is used to
update the definitions that identify harmful
software. During the installation of the Endpoint
Protection point, you must accept a separate
license agreement.
Design Considerations
When planning for the Endpoint Protection point,
consider the following:
• You can install the Endpoint Protection point in the central administration site or in a stand-alone
primary site.
• You must install an Endpoint Protection point before you can begin to use and manage System
Center Endpoint Protection.
• You can choose one of three levels of membership with the Microsoft Active Protection Service:
    o Nonparticipating. The Endpoint Protection point sends no information to Microsoft. Users will be
    alerted only about unclassified software.
    o Basic membership. The Endpoint Protection point sends basic information about detected
    software to the Microsoft Active Protection Service.
    o Full membership. Endpoint protection will alert users about unclassified software. In addition
    to the basic information, the Endpoint Protection point sends more detailed information to the
    Microsoft Active Protection Service about software that the Endpoint Protection client detects.
Planning Roles for Application Management
The Application Catalog enables users to select
and install applications automatically by placing
requests in a portal. These requests can be
approved for installation or, if specially
configured, can allow installation to occur.
You can implement the Application Catalog by
using the following two site roles:
• Application Catalog web service point. This role provides software information from the software
library. As an administrator, you configure this information for each application that is published in
the catalog.
• Application Catalog website point. This role is the web interface for end users. Users can use this
portal to see the list of available applications, as well as to request and install applications.
When planning for the Application Catalog, you should consider that:
• The Application Catalog is a hierarchy-wide role. Typically, in a hierarchy with multiple primary sites,
you install one instance of each role, although multiple instances are supported.
• You cannot install the Application Catalog in a secondary site or on a central administration site.
• The Application Catalog allows users to install deployed applications or to request available
applications, which will deploy after approval.
• The Application Catalog allows users to configure some preferences and wipe their mobile devices
that are being managed through Configuration Manager.
• The Application Catalog supports integration with Microsoft SharePoint®.
Asset Intelligence Synchronization Point
You can use the Asset Intelligence synchronization point to connect to System Center Online (over HTTPS)
to download updates to Asset Intelligence catalog information. Configuration Manager supports only a
single instance of this site system role at the top-level site in a hierarchy. Asset Intelligence catalog
information is replicated to all primary sites.
When planning for the Asset Intelligence synchronization point, you should consider that:
• You can install the Asset Intelligence synchronization point only at the top-level site in the hierarchy.
• The Asset Intelligence synchronization point must be able to make an Internet connection over HTTPS
to System Center Online.
• Microsoft treats unidentified software title information that uploads to System Center Online for
categorization as public information.
Planning Roles for Operating System Deployment
The state migration point stores user state
data remotely when performing certain types
of operating-system deployments by using
Configuration Manager. You must store the user
state data remotely on the state migration point
when you use a side-by-side deployment.
However, when you are using the same computer,
such as an update deployment where you are
updating the operating system on the destination
computer, you can store the data locally or on
the state migration point. For some computer
deployments, when you create the state store,
Configuration Manager automatically creates an association between the state store and the destination
computer.
The state migration point requires that IIS.
Design Considerations
When planning for the state migration point, you should consider:
• User state size. You need to plan for enough storage space to store the migration data.
• Retention policy. You need to determine how long you will retain the migration data.
• Drives. You can use one or more drives on the site system for storing migration data.
Planning Roles for Securing the Configuration Manager Infrastructure
You deploy the Certificate registration point
when you want to allow devices to request
and receive certificates from an organizational
certification authority. The Certificate registration
point role communicates with a server that has
the Network Device Enrollment Service installed.
The Network Device Enrollment Service is a special
service that communicates with a certification
authority and allows devices that support SCEP to
request and receive certificates. When you deploy
the Certificate registration point, this site service
mediates device certificate requests and
deployment to devices that support SCEP.
Overview of Role Placement
Depending on the site type, you can install
only certain site system roles in a site. In a single
primary site hierarchy, you can install all roles on
the primary site server. When using a multiple
primary site hierarchy, there are some limits to
where you can place roles and the number of
instances of each role.
For example, a central administration site does
not have any assigned clients. Because of this, you
cannot install any of the roles involved in client
management, such as the management point and
distribution point, in a central administration site.
If you are planning a complex hierarchy with a central administration site and multiple primary and
secondary sites, you should consider that:
• Some roles provide functionality for their local site only.
• Some roles provide functionality for the entire hierarchy.
• When installing software update points in a multiple primary site hierarchy, install the software
update point in the central administration site first.
• In a secondary site, only the distribution point is supported on a remote system.
The following table shows the site system roles that you can install in the different site types.
| Site system role | Central administration site | Child primary site | Secondary site | Site-specific or hierarchy-wide functionality |
|---|---|---|---|---|
| Application Catalog web service point | No | Yes | No | Hierarchy |
| Application Catalog website point | No | Yes | No | Hierarchy |
| Asset Intelligence synchronization point | Yes | No | No | Hierarchy, only one instance per hierarchy |
| Certificate registration point | Yes | Yes | No | Hierarchy |
| Distribution point | No | Yes | Yes | Site, multiple instances supported per site and hierarchy |
| Endpoint Protection point | Yes | No | No | Hierarchy |
| Enrollment point | No | Yes | No | Site |
| Enrollment proxy point | No | Yes | No | Site |
| Fallback status point | No | Yes | No | Hierarchy |
| Management point | No | No | Yes | Yes |
| Out of band service point | No | Yes | No | Site |
| Reporting services point | Yes | Yes | Yes | Hierarchy, multiple instances supported per site and hierarchy |
| Software update point | Yes | Yes | Yes | Site, one per site, multiple in hierarchy |
| State migration point | No | Yes | No | Site, multiple instances supported per site and hierarchy |
| System Health Validator point | Yes | Yes | No | Hierarchy, multiple instances supported per site and hierarchy |
| Windows Intune connector | Yes | No | No | Hierarchy |
Lesson 4
Overview of Configuration Manager Deployment Scenarios
One of the first questions you may ask yourself when you design a Configuration Manager
implementation is whether to use a single primary site or multiple sites in a hierarchy.
To help you answer this question, in this lesson you will examine different implementation scenarios and
compare the advantages and disadvantages of each. You will also develop a set of design criteria that you
can use to choose the most appropriate implementation model for your organization.
Lesson Objectives
After completing this lesson, you will be able to:
• Identify the deployment scenario most appropriate to your organization.
• Determine when to use a single primary site.
• Determine when to use a central administration site and multiple primary sites.
• Identify the need to use secondary sites or a distribution point instead of a site in a remote location.
• Describe a typical implementation scenario of Configuration Manager for a small-to-medium size
organization, for a medium-to-large size organization, and for a global organization.
Determining When to Use a Primary Site
You need to install at least one Configuration
Manager primary site to be able to manage any
clients. Primary sites provide core functionality to
your Configuration Manager implementation.
The following are some of the reasons for
installing a primary site:
• To directly manage clients. Only a primary site can have clients assigned to it.
• To scale up the number of clients to manage. Each primary site can support up to 50,000
clients if SQL Server is collocated with Configuration Manager, or 100,000 clients if SQL Server and
Configuration Manager are on separate servers.
• To reduce the effect of failure of a single primary site. This prevents all clients from being affected
while the site is recovered.
• To provide a local point of connectivity for administration. The Configuration Manager console can
connect only to a primary site or central administration site. When using the Configuration Manager
console from a computer that is running a client operating system, ensure that the client computer
has reliable high speed access to a primary or central administration site.
• To manage content independently and meet organizational management requirements. For example,
the organization may have a specific requirement that a different team of administrators manage
clients from a given location, such as management occurring within national borders. To meet this
requirement, you can install another primary site and offer a local point of connectivity.
The following are some of the characteristics of a primary site:
• A primary site can be either a stand-alone primary site or a member of a hierarchy.
• A primary site supports a central administration site as a parent site. Primary sites cannot have
another primary site as a parent, as was the case in Configuration Manager 2007 and older versions.
• A primary site supports secondary sites as child sites.
• With System Center 2012 Configuration Manager, a primary site cannot change its parent site
relationship after installation. With System Center 2012 Configuration Manager with SP1, you can join
a primary site to a new central administration site after deployment.
• The client-originated data processing occurs only at the primary site to which the clients are assigned.
If the primary site is the child of a central administration site, the data will then be replicated to the
central administration site.
• When you install a primary site in a hierarchy, database replication is automatically configured with its
designated central administration site.
• You can install all site system roles on a stand-alone primary site, but not on all primary sites that are
part of a hierarchy.
Determining When to Use a Central Administration Site
A central administration site is necessary if you
need to install multiple primary sites and perform
consolidated management and reporting of data
from all sites. You can use a central administration
site to configure hierarchy-wide settings and to
monitor all sites and objects in the hierarchy.
This site type does not manage clients directly.
However, you can use it to perform hierarchy-wide
management, which includes the
configuration of site and client settings
throughout the hierarchy.
Planning a Central Administration Site
Use the following information to help you plan for a central administration site:
• The central administration site is the top-level site in a hierarchy. If your initial plans are for a
hierarchy that has more than one primary site, you must install a central administration site.
• When using a central administration site with SQL Server Enterprise edition, the hierarchy can contain
up to 400,000 clients.
• When you use SQL Server Standard edition for the site database at the central administration site, the
shared database and hierarchy support up to 50,000 clients. This is due to the partitioning of the
database. After you install Configuration Manager, if you upgrade the edition of SQL Server at the
central administration site from Standard to Enterprise, the database does not repartition and this
limitation remains.
• The central administration site:
    o Supports up to 25 primary sites as child sites.
    o Cannot have clients assigned to it.
    o Does not support all site system roles.
    o Is the only place where you can see site data from all sites. This data includes information such as
    inventory data and status messages.
    o Enables you to connect with the Configuration Manager console to manage all clients in the
    hierarchy and perform site management tasks for any primary site.
    o Enables you to configure discovery method options for each site in the hierarchy.
Determining When to Use a Secondary Site
You can use secondary sites to manage multiple
clients in remote locations. You can manage a
secondary site from a central administration site
or from the secondary site’s parent primary site.
Consider using a secondary site:
• When the location does not have a local administrator.
• To manage the transfer of upward-flowing client data across low-bandwidth networks.
The following are some of the characteristics of
secondary sites:
• Secondary sites are installed from a primary site. The primary site is the secondary site’s parent. You
cannot change the parent of a secondary site without uninstalling and reinstalling the site.
• They use SQL Server Express by default; however, they can use a local instance of SQL Server if one is
available.
• They use file-based replication to receive deployment content transferred from a primary site.
• They use database replication to receive a subset of global data from the parent primary site.
• They use file-based replication to transfer client information to the parent primary site.
• They can route content between peer secondary sites to help manage the replication of deployment
content if the two secondary sites have the same parent site.
• Installation automatically deploys a management point and distribution point that are located on the
secondary site server.
• A primary site can support up to 250 secondary sites as child sites.
• A secondary site can support up to 5,000 clients.
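The capacity limits stated in this lesson, together with the Lesson 2 requirement for HTTPS management points and distribution points when clients are managed over the Internet, can be checked against a planned hierarchy before deployment. The following Python code is an added example, not part of the courseware or of Configuration Manager; the class names, the validate function, and the sample plan are hypothetical, and it assumes that clients behind a secondary site count against the parent primary site.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Limits as stated in this module (not queried from a live site).
MAX_PRIMARIES_PER_CAS = 25
MAX_SECONDARIES_PER_PRIMARY = 250
MAX_CLIENTS_PER_SECONDARY = 5_000
MAX_CLIENTS_PER_PRIMARY = {True: 50_000, False: 100_000}  # key: SQL Server collocated?
MAX_CLIENTS_PER_HIERARCHY = {"Enterprise": 400_000, "Standard": 50_000}  # key: CAS SQL edition


@dataclass
class SecondarySite:
    code: str
    clients: int
    management_points: int = 1


@dataclass
class PrimarySite:
    code: str
    direct_clients: int
    sql_collocated: bool
    mp_protocols: List[str]  # one entry per management point: "HTTP" or "HTTPS"
    dp_protocols: List[str]  # one entry per distribution point
    internet_clients: bool = False
    secondaries: List[SecondarySite] = field(default_factory=list)

    def total_clients(self) -> int:
        # Assumption: clients behind a secondary site count against the parent primary site.
        return self.direct_clients + sum(s.clients for s in self.secondaries)


@dataclass
class Hierarchy:
    primaries: List[PrimarySite]
    cas_sql_edition: Optional[str] = None  # None = no central administration site


def validate(plan: Hierarchy) -> List[str]:
    """Return one finding per rule from this module that the plan breaks."""
    findings = []
    if not plan.primaries:
        findings.append("hierarchy: at least one primary site is needed to manage clients")
    if len(plan.primaries) > 1 and plan.cas_sql_edition is None:
        findings.append("hierarchy: multiple primary sites require a central administration site")
    if plan.cas_sql_edition is not None:
        total = sum(p.total_clients() for p in plan.primaries)
        limit = MAX_CLIENTS_PER_HIERARCHY.get(plan.cas_sql_edition)
        if limit is None:
            findings.append(f"CAS: unknown SQL Server edition {plan.cas_sql_edition!r}")
        elif total > limit:
            findings.append(f"CAS: {total} clients exceeds {limit} for SQL Server {plan.cas_sql_edition}")
        if len(plan.primaries) > MAX_PRIMARIES_PER_CAS:
            findings.append(f"CAS: {len(plan.primaries)} primary sites exceeds {MAX_PRIMARIES_PER_CAS}")
    for p in plan.primaries:
        limit = MAX_CLIENTS_PER_PRIMARY[p.sql_collocated]
        if p.total_clients() > limit:
            findings.append(f"{p.code}: {p.total_clients()} clients exceeds {limit}")
        if not p.mp_protocols:
            findings.append(f"{p.code}: a primary site needs at least one management point")
        if len(p.secondaries) > MAX_SECONDARIES_PER_PRIMARY:
            findings.append(f"{p.code}: more than {MAX_SECONDARIES_PER_PRIMARY} secondary sites")
        if p.internet_clients:
            # Internet-based clients need an HTTPS management point and distribution point.
            if "HTTPS" not in p.mp_protocols:
                findings.append(f"{p.code}: Internet clients but no HTTPS management point")
            if "HTTPS" not in p.dp_protocols:
                findings.append(f"{p.code}: Internet clients but no HTTPS distribution point")
        for s in p.secondaries:
            if s.clients > MAX_CLIENTS_PER_SECONDARY:
                findings.append(f"{s.code}: {s.clients} clients exceeds {MAX_CLIENTS_PER_SECONDARY}")
            if s.management_points != 1:
                findings.append(f"{s.code}: a secondary site has exactly one management point")
    return findings


# Constructed sample plan: a CAS on SQL Server Standard with two primary sites.
SAMPLE_PLAN = Hierarchy(
    cas_sql_edition="Standard",
    primaries=[
        PrimarySite("P01", 40_000, sql_collocated=True, mp_protocols=["HTTP"],
                    dp_protocols=["HTTP", "HTTPS"], internet_clients=True,
                    secondaries=[SecondarySite("S01", 6_000), SecondarySite("S02", 3_000)]),
        PrimarySite("P02", 20_000, sql_collocated=False, mp_protocols=["HTTPS"],
                    dp_protocols=["HTTPS"]),
    ],
)

if __name__ == "__main__":
    for finding in validate(SAMPLE_PLAN):
        print(finding)
```

The sample plan is built to trip three rules: the SQL Server Standard hierarchy limit, the missing HTTPS management point for Internet clients, and an oversized secondary site.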
Implementing Configuration Manager 2012 for a Small-to-Medium Organization
The single primary site implementation scenario is
most appropriate for organizations that:
• Have a centralized administration approach in which a single team administers all systems
from a single location and where political and regulatory requirements do not necessitate
multiple primary sites.
• Have fewer than 100,000 clients.
Note: A single Configuration Manager
primary site can accommodate up to 50,000
clients, or up to 100,000 clients if the SQL Server and Configuration Manager server are not
collocated. To reach this capacity, you probably need to install additional management points or
secondary sites.
Primary Site Roles
Usually, the following site system roles deploy to a primary site, and you can install them on a single
server or distribute them across multiple servers for scalability. Mandatory roles include:
•
Site server. The site server is the first server installed. In a small-to-medium organization scenario, the
site server typically is the only server on which site system roles are installed by the Configuration
Manager Setup Wizard.
•
Site database. A site database is installed on the same server as the site server, or you can install it on
a separate server to increase the site scalability.
•
Management point. The management point serves as a point of communication between the
Configuration Manager clients and the site server. Primary sites must have at least one management
point deployed to manage clients.
•
Distribution point. Distribution points distribute content and prerequisites needed for deployments.
You can deploy other roles, depending on the features that you require. Typical roles may include:
•
Reporting services point. This role provides you with the ability to generate reports and export them
in various formats.
•
Software update point. This role provides you with the ability to synchronize the software update
metadata from Microsoft Update and make it available to Configuration Manager.
•
Fallback status point. This role allows clients to send state messages to the fallback status point, which
forwards them to the site server. For example, this would occur if they cannot connect to a
management point.
Other roles commonly installed in a single primary site include the:
•
Application Catalog web service point
•
Application Catalog website point
•
Asset Intelligence synchronization point
•
Endpoint Protection point
Question: What other roles do you typically use in your organization?
Implementing Configuration Manager 2012 for a Medium-to-Large Organization
In larger organizations with multiple remote
locations and a large number of users, you may
need to scale out the Configuration Manager
deployment without necessarily adding additional
primary sites. You may need to scale out if:
•
You have fewer than 100,000 clients but more
than 50,000 clients. Your SQL database must
be located on a dedicated server other than
the Configuration Manager server.
•
Your client count grows. You then must
consider that each management point can
support approximately 25,000 clients, and you
can use multiple management points in a single site for scalability.
•
You need to manage the bandwidth between the primary site location and remote locations. In this
scenario, you can install secondary sites or remote distribution points.
Secondary Site
A secondary site includes a management point and distribution point. You can use a secondary site to:
•
Offload the client communication from the primary site when clients are in a remote location and
network connections are slow.
•
Provide tiered content routing for deep network topologies.
Distribution Point
You can choose to install only a distribution point instead of a secondary site when:
•
You have a small number of clients in the remote location.
•
You do not have a server available in the remote location. A computer running a 64-bit version of
Windows Server 2008, 2008 R2, 2012, or 2012 R2 is required to run the secondary site, whereas you
can install a distribution point on 32-bit servers and workstations that can support the IIS role.
•
You do not need to control client-to-management point traffic from the remote location to the
primary site.
Implementing Configuration Manager 2012 for a Global Organization
Global organizations have a large number of
clients distributed across multiple locations
worldwide, with multiple administration teams
and different administrative requirements. To
accommodate these types of scenarios, you can
implement Configuration Manager 2012 by using
multiple primary sites in a hierarchy.
Multiple Sites in a Hierarchy
Using multiple sites in a hierarchy is a more
complex model to implement and it requires
additional servers to host the site systems
roles. Before deciding to use multiple sites in a
hierarchy, you need to analyze your environment and determine if a single primary site can meet your
requirements.
You should use this implementation scenario if you have:
•
More clients than you can manage by using a single primary site. A single primary site can support up
to 100,000 clients, while a hierarchy can accommodate up to 400,000 clients.
•
Multiple administrative teams that need to manage their own locations.
•
More than 250 remote locations requiring secondary sites, or remote locations with more than
5,000 clients.
•
Export regulations on content.
Question: What type of organizations would use the multiple sites in a hierarchy model?
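The client and site limits quoted in the three implementation scenarios above can be combined into a single planning check. The following PowerShell is an added example, not part of the course material or of Configuration Manager; the function and parameter names are hypothetical, and the sample inputs are constructed.

```powershell
# Added example: planning arithmetic over the limits quoted in the text.
# Get-CMSiteDesignEstimate is a hypothetical name, not a Configuration Manager cmdlet.
function Get-CMSiteDesignEstimate {
    [CmdletBinding()]
    param(
        # Total number of clients to manage
        [Parameter(Mandatory)][int]$ClientCount,
        # Client count at each remote location that would need its own secondary site
        [int[]]$SecondarySiteLocationClients = @()
    )

    # Limits as stated in the course text
    $maxCollocated       = 50000    # site server and SQL Server on the same server
    $maxPrimary          = 100000   # site database on a dedicated server
    $maxHierarchy        = 400000   # all clients in one hierarchy
    $clientsPerMp        = 25000    # approximate capacity of one management point
    $maxSecondaryPerSite = 250      # secondary sites per primary site
    $maxSecondaryClients = 5000     # clients per secondary site

    if ($ClientCount -lt 1 -or $ClientCount -gt $maxHierarchy) {
        throw "ClientCount must be between 1 and $maxHierarchy."
    }

    # Numeric triggers for a hierarchy. Separate administrative teams and export
    # regulations are business decisions and are not modelled here.
    $reasons = @()
    if ($ClientCount -gt $maxPrimary) {
        $reasons += "More than $maxPrimary clients"
    }
    if ($SecondarySiteLocationClients.Count -gt $maxSecondaryPerSite) {
        $reasons += "More than $maxSecondaryPerSite remote locations need secondary sites"
    }
    $oversized = @($SecondarySiteLocationClients | Where-Object { $_ -gt $maxSecondaryClients })
    if ($oversized.Count -gt 0) {
        $reasons += "$($oversized.Count) remote location(s) exceed $maxSecondaryClients clients"
    }

    if ($reasons.Count -eq 0) {
        # A single primary site is enough; decide database placement and MP count.
        $database = if ($ClientCount -gt $maxCollocated) {
            'Dedicated SQL Server required'
        } else {
            'Can be collocated with the site server'
        }
        [pscustomobject]@{
            Model               = 'Stand-alone primary site'
            SiteDatabase        = $database
            MinManagementPoints = [int][math]::Ceiling($ClientCount / $clientsPerMp)
            MinPrimarySites     = 1
            HierarchyReasons    = $reasons
        }
    }
    else {
        # Lower bound only: real designs also depend on geography and administration.
        $byClients   = [int][math]::Ceiling($ClientCount / $maxPrimary)
        $byLocations = [int][math]::Ceiling($SecondarySiteLocationClients.Count / $maxSecondaryPerSite)
        [pscustomobject]@{
            Model               = 'Multiple primary sites in a hierarchy'
            SiteDatabase        = 'Decide per primary site'
            MinManagementPoints = $null
            MinPrimarySites     = [math]::Max(2, [math]::Max($byClients, $byLocations))
            HierarchyReasons    = $reasons
        }
    }
}

# Constructed sample inputs
Get-CMSiteDesignEstimate -ClientCount 60000
Get-CMSiteDesignEstimate -ClientCount 30000 -SecondarySiteLocationClients 1200, 6500
```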
Discussion: Determining When to Use a Stand-Alone Primary Site or a Hierarchy
Use these discussion questions to help you plan
a Configuration Manager installation, including
when to use a single primary site or a complex
hierarchy.
Discussion Questions
•
How many clients do you need to manage?
•
How will the existing network infrastructure
influence your Configuration Manager
design?
•
What are your business requirements for
using Configuration Manager?
•
How many locations do you need to support?
•
Do you need to manage the clients locally?
•
Are restrictions in place that control how client information transfers across borders?
Lesson 5
Overview of the Configuration Manager Client
To perform management tasks on client computers, the Configuration Manager client application
is installed on client computers. The term client is often used to refer to either of the following:
•
The computer that Configuration Manager manages.
•
The Configuration Manager client software.
Understanding Configuration Manager client architecture and prerequisites helps you design your
Configuration Manager implementation.
Lesson Objectives
After completing this lesson, you will be able to:
•
Describe the Configuration Manager client functionality.
•
Describe the types of clients supported in System Center 2012 R2 Configuration Manager.
•
Describe the Configuration Manager client architecture.
•
Explain how Configuration Manager clients locate site systems.
Role of the Configuration Manager Client
The Configuration Manager client has multiple
features, corresponding to the Configuration
Manager functionalities that are implemented
by using client components. For example, the
hardware inventory agent collects hardware
data according to a scheduled interval and then
sends data to the site database through the
management point. The administrator enables
or disables each client component individually
by using client settings.
The Configuration Manager client:
•
Connects to the management point
according to a scheduled interval (the default is 60 minutes) and on demand, and then downloads
and processes any policies applicable to the client.
•
Performs hardware and software inventory and metering according to a scheduled interval and on
demand, and then sends the collected data through the management point to the site server.
•
Downloads the content of packages and applications from the distribution point, and then installs
software and updates.
•
Executes the task sequences that the administrator assigns to that computer by using the Operating
System Deployment feature.
•
Collects compliance results data specified in configuration baselines and sends the results to the
site server through the management point. If the computer is not compliant, depending on the
configuration item, the client can also execute remediation actions to make it compliant, as long as
content is not required to bring the client into compliance.
•
Allows administrators to connect to remote computers by using remote tools or the Remote
Assistance feature, to support end users.
•
Performs health validation that is used in conjunction with NAP.
•
Installs the Endpoint Protection client when Endpoint Protection is enabled and an Endpoint
Protection role is installed in the hierarchy.
Client Types Supported by System Center 2012 R2 Configuration Manager
You can deploy the System Center 2012 R2
Configuration Manager client to operating
systems other than Windows and Windows Server.
You can install the System Center 2012 R2
Configuration Manager client on the following
operating systems:
•
Windows XP (not supported after April 2014)
•
Windows Vista®
•
Windows 7
•
Windows 8
•
Windows 8.1
•
Windows Server 2003
•
Windows Server 2003 R2
•
Windows Server 2008
•
Windows Server 2008 R2
•
Windows Server 2012
•
Windows Server 2012 R2
•
Mac OS X 10.6
•
Mac OS X 10.7
•
Mac OS X 10.8
•
AIX Version 7.1, 6.1, 5.3
•
Solaris Version 11, 10, 9
•
HP-UX Version 11iv2
•
HP-UX Version 11iv3
•
RHEL Version 4, 5, 6
•
SLES 9, 10, 11
•
CentOS 5, 6
•
Debian 5, 6
•
Ubuntu 10.4, 12.4
•
Oracle Linux 5, 6
As new revisions of these operating systems become available, new versions of the Configuration
Manager client will likely become available to support them.
Configuration Manager Client Architecture
The Configuration Manager client consists of
many components that together provide all the
functionality in Configuration Manager. Although
the client installs most of the components during
the initial installation, the installed components
are not all enabled by default; only the Endpoint
Protection client is not installed by default.
When planning your Configuration Manager
deployment you must consider the functionality
that you need and configure the client settings
appropriately.
The Configuration Manager client uses some
built-in Windows components and some additional run-time components. In addition to the specific
Configuration Manager components, the Configuration Manager client for computers running Windows
will also use the components in the following table.
| Windows component or run-time module | Use |
|---|---|
| Windows Management Instrumentation (WMI) | WMI is the infrastructure for management data and operations on Windows-based operating systems. |
| Windows Installer | Supports the use of Windows Installer (.msi) and Windows Installer update files (.msp) for installing and updating applications. |
| Windows Update Agent | Supports update detection and deployment. |
| Microsoft Core XML Services (MSXML) | Supports the use of Windows Installer (.msi) and Windows Installer update files (.msp) for installing and updating applications. |
| Microsoft Remote Differential Compression (RDC) | Used to optimize data transmission over the network. |
| Microsoft Visual C++® 2008 Redistributable | Supports client operations. |
| Microsoft Visual C++ 2005 Redistributable | Supports Microsoft SQL Server Compact operations. |
| Windows Imaging APIs | Allows Configuration Manager to manage Windows image (.wim) files. |
| Microsoft Policy Platform | Allows clients to evaluate compliance settings. |
| Microsoft Silverlight® | Supports the Application Catalog website. |
| Microsoft .NET Framework 4 | Supports client operations. |
| Microsoft SQL Server Compact 3.5 SP2 components | Stores information related to client operations. |
| Microsoft Background Intelligent Transfer Service (BITS) version 2.5 | Allows throttled data transfers between the client computer and the Configuration Manager site systems. |
You can view the client components and their status on the Components tab in the Configuration
Manager client for computers running Windows. The following table describes the components that are
installed when the client is installed.
| Component | Overview |
|---|---|
| Core Configuration Manager Components | Several different components that are used for core functionality and that show only a status of installed or not installed: CCM Framework; CCM Policy Agent; CCM Status and Eventing Agent; Core Components, Maintenance Task Coordinator; Operating System Deployment Components; Shared Components and Task Sequence Components |
| Compliance and Settings Management | Performs compliance and settings tasks. |
| Hardware Inventory Agent | Uses WMI to collect inventory information as configured in the client settings. |
| Out of Band Management Agent | Allows out of band management for AMT-based computers. |
| Power Management Agent | Applies power management settings configured for collections in Configuration Manager. |
| Remote Tools Agent | Manages the Remote Control and Remote Assistance settings for the client computers. |
| Software Distribution Agent | Manages the deployment of programs and applications to client devices. |
| Software Inventory Agent | Performs the software inventory as configured in the client settings. |
| Software Metering Agent | Tracks software usage on the client computer. |
| Software Updates Agent | Interacts with the software update point to detect which software updates are needed on the client computer and interacts with the management point and distribution point to install those updates. |
| Source List Update Agent | Contacts a management point and retrieves the location for downloading deployed content. |
The Configuration Manager client for Mac OS X computers has components that support the following
features:
•
Hardware inventory. You can use hardware inventory data collected from Mac computers to create
collections, reports, and queries. You can also use Resource Explorer to view hardware inventory data
for Mac OS X computers.
•
Software deployment. You can use Configuration Manager to deploy software packaged in the
following formats to Mac computers:
o
Mac OS Installer Package (.PKG)
o
Mac OS X Application (.APP)
o
Apple Disk Image (.DMG)
o
Meta Package File (.MPKG)
•
Compliance settings. Configuration Manager supports the use of Mac OS X Preference settings (.plist
files) to enforce the configuration of different elements on Mac computers, or shell scripts to monitor
and remediate settings.
The Configuration Manager client for Linux-based and UNIX-based computers has components that
support the following features:
•
Hardware inventory. You can use hardware inventory data collected from Linux and UNIX computers
to create collections, reports, and queries. You can also use Resource Explorer to view hardware
inventory data for Linux-based and UNIX-based computers.
•
Software deployment. You can use Configuration Manager to deploy software to Linux-based and
UNIX-based computers by using packages and programs. Software deployment on Linux-based and
UNIX-based computers by using Configuration Manager does not support any kind of user
interaction.
How Clients Locate Site Systems
Client systems communicate to Configuration
Manager through one of two types of
management points: Internet-based management
points or intranet management points. If clients
are unable to communicate with a management
point, they send a message to a fallback status
point, if configured. However, they cannot
retrieve policy without communicating with a
management point.
Because of this, it is imperative that clients
locate and communicate with a management
point for the site that they are assigned to. Clients
communicate to the management point through either HTTP or HTTPS; therefore, any intervening
firewalls must allow the traffic. There are several methods for the client to locate a management point. It
is preferable to use AD DS because, besides providing the location of the management point, AD DS can
also update the communication settings for the clients. For example, if the communication ports change,
the client could retrieve this information from AD DS before attempting to communicate. Clients use the
following methods, in the order listed, to locate site systems.
AD DS
AD DS is the preferred method for clients to locate site systems. To use this method, you must ensure that
you meet the following prerequisites:
•
You must extend the Active Directory schema for Configuration Manager.
•
The Configuration Manager site(s) must publish information to AD DS.
•
The client computer must be a member of the Active Directory forest where the information is
published and must have access to a Global Catalog server.
DNS
Clients can use DNS to locate a management point. However, this method has some specific DNS system
requirements. Additionally, if you use this as your primary method for locating management points, the
client will not update automatically if you make changes to the communication ports.
You can use this method for locating site systems if:
•
The AD DS schema is not extended to support Configuration Manager.
•
Clients on the intranet are located in a forest that is not enabled for Configuration Manager
publishing.
•
Clients are on workgroup computers and are not configured for Internet-only client management.
To use this method, the following prerequisites must be met:
•
You must assign the clients to a specific site rather than use automatic site assignment.
•
You must configure a client property that specifies the domain suffix of the management point.
•
Your DNS servers must support service location resource records, by using a version of Berkeley
Internet Name Domain (BIND) that is at least 8.1.2.
•
The intranet FQDNs for the Configuration Manager site systems have corresponding host entries
in DNS.
When your DNS servers support automatic updates, you can configure Configuration Manager to
automatically publish management points on the intranet to DNS.
Windows Internet Name Service (WINS)
When other service location mechanisms fail, clients can find an initial management point by checking
WINS.
•
The first management point in the primary site that is configured to accept HTTP client connections is
automatically published to WINS.
•
When the clients connect to this management point, they download a list of other management
points and can use them for subsequent connections.
If you do not want clients to locate a management point using WINS, configure clients with the
CCMSetup.exe Client.msi property SMSDIRECTORYLOOKUP=NOWINS.
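The lookup order and prerequisites above determine which installation properties a client needs. The following PowerShell is an added example, not taken from the course or from Configuration Manager; the function and its switches are hypothetical, SMSSITECODE and DNSSUFFIX are the Client.msi properties for explicit site assignment and the management point domain suffix (the text names only SMSDIRECTORYLOOKUP), and the sample values are constructed.

```powershell
# Added example: works out which location methods a client can use and builds
# the matching CCMSetup.exe command line. Get-CMClientLocationPlan is hypothetical.
function Get-CMClientLocationPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [string]$DnsSuffix,
        [switch]$SchemaExtended,            # Active Directory schema extended for Configuration Manager
        [switch]$SitePublishesToAdDs,       # site publishes its information to AD DS
        [switch]$ClientInPublishingForest,  # client is a forest member with Global Catalog access
        [switch]$DnsSupportsSrvRecords,     # DNS servers support service location resource records
        [switch]$DisableWins                # do not let the client fall back to WINS
    )

    # Strict, case-sensitive validation also stops a crafted value from smuggling
    # extra properties (spaces, quotes) into the installer command line.
    if ($SiteCode -cnotmatch '\A[A-Za-z0-9]{3}\z') {
        throw "Site code '$SiteCode' is not a three-character alphanumeric code."
    }
    $dnsLabel = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    if ($DnsSuffix -and $DnsSuffix -cnotmatch "\A${dnsLabel}(\.${dnsLabel})*\z") {
        throw "DNS suffix '$DnsSuffix' is not a valid domain name."
    }

    # Methods are listed in the order the client tries them.
    $methods = @()
    if ($SchemaExtended -and $SitePublishesToAdDs -and $ClientInPublishingForest) {
        $methods += 'AD DS'
    }
    $useDns = [bool]$DnsSuffix -and $DnsSupportsSrvRecords
    if ($useDns) { $methods += 'DNS' }
    if (-not $DisableWins) { $methods += 'WINS' }

    # DNS-based location requires explicit site assignment plus the domain suffix.
    $properties = @("SMSSITECODE=$($SiteCode.ToUpper())")
    if ($useDns)      { $properties += "DNSSUFFIX=$DnsSuffix" }
    if ($DisableWins) { $properties += 'SMSDIRECTORYLOOKUP=NOWINS' }

    $notes = @()
    if ($useDns -and $methods -notcontains 'AD DS') {
        $notes += 'DNS is the primary method: clients do not pick up communication port changes automatically.'
    }
    if ($methods.Count -eq 0) {
        $notes += 'No location method is available: the client cannot find a management point.'
    }
    elseif ($methods.Count -eq 1 -and $methods[0] -eq 'WINS') {
        $notes += 'Only WINS is available: it publishes only the first HTTP management point of the primary site.'
    }

    [pscustomobject]@{
        LookupOrder = $methods
        CommandLine = 'CCMSetup.exe ' + ($properties -join ' ')
        Notes       = $notes
    }
}

# Constructed sample: workgroup client located through DNS, WINS lookup disabled
Get-CMClientLocationPlan -SiteCode 'P01' -DnsSuffix 'corp.example' -DnsSupportsSrvRecords -DisableWins |
    Format-List
```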
Module Review and Takeaways
Review Questions
Question: What are the major features of Configuration Manager 2012?
Question: What are the three types of sites in Configuration Manager 2012?
Question: What are the new site roles introduced in Configuration Manager 2012?
Module 2
Planning and Deploying a Stand-Alone Primary Site
Contents:
Module Overview
Lesson 1: Planning a Configuration Manager Stand-Alone Primary Site Deployment
Lesson 2: Preparing to Deploy a Configuration Manager Primary Site
Lesson 3: Installing a Configuration Manager Site Server
Lab A: Installing a Configuration Manager Primary Site
Lesson 4: Performing Post-Setup Configuration Tasks
Lesson 5: Tools for Monitoring and Troubleshooting a Configuration Manager Site
Lab B: Performing Post-Setup Configuration Tasks
Module Review and Takeaways
Module Overview
Planning a Microsoft® System Center 2012 Configuration Manager site deployment is a complex process
that requires numerous inputs, such as:
•
Network topology.
•
Number of managed clients.
•
Desired features.
•
Capacity requirements.
Scalability improvements in Configuration Manager 2012 enable a stand-alone primary site to
accommodate infrastructures that have up to 100,000 clients.
In this module, you will review the planning process, inputs, and typical planning activities for deploying
a stand-alone primary site. You also will review prerequisites for installing a site server and related
components, perform and validate the installation of a stand-alone primary site, and perform the initial
site configuration. Finally, you will review the requirements for managing Internet-based clients.
Objectives
After completing this module, you will be able to:
•
Describe the planning tasks for a Configuration Manager 2012 primary site deployment.
•
Identify the preparation steps for deploying Configuration Manager 2012.
•
Install a Configuration Manager 2012 primary site.
•
Perform post-setup configuration tasks.
•
Describe the tools that you can use to monitor and troubleshoot a Configuration Manager 2012
installation.
•
Describe processes that you can use to manage Internet-based clients.
Lesson 1
Planning a Configuration Manager Stand-Alone Primary Site Deployment
The design of a System Center 2012 Configuration Manager stand-alone primary site deployment can
vary from a stand-alone server with all required site roles, to more-complex deployments with site roles
that you distribute on multiple servers.
In this lesson, you will review the tasks that the planning process typically involves when you are
deploying a stand-alone primary site. These tasks include determining the site system roles that you
need to deploy, the number of servers necessary for deployment, and your deployment’s prerequisites.
Additionally, you will review Configuration Manager Setup options, examine site code and naming
conventions, and examine the requirements for configuring client communication modes.
Lesson Objectives
After completing this lesson, you will be able to:
•
Describe the planning tasks for a Configuration Manager 2012 primary site deployment.
•
Describe planning a Configuration Manager 2012 stand-alone primary site deployment.
•
Describe naming conventions for sites.
•
Describe the client communication modes.
•
Discuss planning a Configuration Manager 2012 stand-alone primary-site deployment.
Planning Tasks for a Configuration Manager Deployment
Before deploying Configuration Manager, you
must plan for an architecture that supports your
environment’s technical and business needs. No
matter how simple or complex your environment
is, you can use the following process to plan for a
Configuration Manager deployment:
•
Identify your network infrastructure, including
the number of physical locations, subnets,
network connections between locations,
and link speeds. This information helps you
determine the number of primary sites,
secondary sites, and site system roles that you
need to deploy, and the locations for each server and site system role. Work together with your
organization’s Active Directory® administrators to view how many Active Directory sites and subnets
your environment has.
•
Determine the number of devices that you must manage, and their locations. A single primary site
can support up to 100,000 client devices. If you need to manage more devices, you will need more
than one primary site.
•
Identify the business requirements for Configuration Manager. Business requirements map to
the different features available in Configuration Manager, which include hardware and software
inventory, software metering, software updates, and operating-system deployment. Review the
business requirements with key stakeholders to get their input as to what features your environment
requires. Depending on the features that you require, you will need different site system roles.
•
Identify the structure of your organization’s information technology (IT) department. Some larger
global corporations maintain a very rigid separation of IT groups among geographical locations.
Therefore, you may need to have a different primary site for each of these individual geographies.
Keep in mind that this is a business requirement, not a technical requirement.
•
Determine your migration requirements, in case you are moving from Configuration Manager
2007 to Configuration Manager 2012. If your organization has a Configuration Manager 2007
environment, you need to consider whether you need a hierarchy restructure. You also need to
consider migrating each site and its clients to Configuration Manager 2012, along with objects such
as packages, operating-system images, and collections.
Planning a Stand-Alone Primary Site Deployment
Site System Roles
While you can deploy a primary site on a single
server, you also can move roles or install new roles
onto different servers. When deploying a stand-alone primary site, the Configuration Manager
setup installs the following site system roles by
default:
•
Site server. This is the main system role for
Configuration Manager.
•
Site System. This includes any server that
hosts one or more Configuration Manager roles.
•
Site database server. This is the Microsoft SQL Server® Database server for Configuration Manager.
•
Component server. This is any server that is running the SMS_EXECUTIVE service.
•
SMS Provider. This is the interface between the Configuration Manager console and the site database.
•
Management point. This is the main communication point for clients.
•
Distribution point. This stores content for deployment to clients.
You can install additional roles as necessary. However, before deploying clients, you should install the
fallback status point to help monitor client-deployment issues. You also should install the Reporting
services point so that you can review reports about the site and client-installation progress.
The number of clients that you can manage using a stand-alone primary site depends on the following
site configuration and role placement:
•
If the site server and site database roles are collocated on the same server, you can manage up to
50,000 Configuration Manager clients.
•
If the site server and site database roles are on different servers, you can manage up to 100,000
Configuration Manager clients.
Multiple Physical Locations
A stand-alone primary site can span multiple physical locations while managing clients across your entire
infrastructure. To get the maximum benefit from your Configuration Manager deployment, while still
using a stand-alone primary site, you can perform the following implementation tasks:
•
Install distribution points in locations that have a larger number of clients to reduce wide area
network (WAN) traffic and increase the efficiency of features such as software distribution, software
update management, or operating-system deployment.
•
Use role-based administration and security scopes to implement your desired security model, rather
than deploying multiple primary sites to define administrative roles and permissions.
•
Place site system roles on separate servers for additional scalability with respect to how many clients
you can manage.
•
Configure multiple management points to improve scalability.
Site Naming Conventions
You use site codes and site names to identify sites
in a System Center 2012 Configuration Manager
hierarchy. You configure the site code and site
name when you install Configuration Manager,
and you cannot change them after installation.
Even if you are installing a stand-alone primary
site, you should choose the site code and site
name carefully to avoid future conflicts, such as
in migration scenarios. Consider the following
naming convention guidelines.
A site code:
•
Must be a three-character alphanumeric code that uses letters A through Z, numbers 0 through 9, or
combinations of the two.
•
Must be unique in a Configuration Manager hierarchy.
•
Should not use Microsoft Windows®-reserved names such as AUX, CON, NUL, PRN, or SMS.
A site name:
•
Is a friendly name identifier for the site.
•
Must be unique in a Configuration Manager hierarchy.
•
Uses the standard alphanumeric characters A through Z and a through z, numbers 0 through 9,
spaces, and the hyphen (-).
You use site codes for client assignment, and if you extend your schema, the site servers can publish site
codes in AD DS. This enables clients to determine the site assignment, and then locate the management
point.
If you perform a migration from Configuration Manager 2007 to Configuration Manager 2012 R2, you
cannot reuse site codes because they must be unique in the source and destination hierarchies. For
more details, please review the migration topics in “Module 9: Migrating to System Center 2012 R2
Configuration Manager.”
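Because site codes and site names cannot be changed after installation, it is worth checking candidates against the guidelines above before running Setup. The following PowerShell is an added example, not part of the course or of Configuration Manager; the function name, parameters and sample values are hypothetical.

```powershell
# Added example: checks a proposed site code and site name against the naming
# guidelines in the text. Test-CMSiteIdentity is a hypothetical name.
function Test-CMSiteIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$SiteName,
        # Codes and names already used in this hierarchy. For a migration, also
        # include the site codes of the Configuration Manager 2007 source hierarchy.
        [string[]]$ExistingSiteCodes = @(),
        [string[]]$ExistingSiteNames = @()
    )

    $reserved = 'AUX', 'CON', 'NUL', 'PRN', 'SMS'
    $problems = @()

    # Case-sensitive match with explicit ranges, so look-alike Unicode letters
    # are rejected; \A and \z anchor the whole string, including a trailing newline.
    if ($SiteCode -cnotmatch '\A[A-Za-z0-9]{3}\z') {
        $problems += 'Site code must be exactly three characters from A-Z and 0-9.'
    }
    elseif ($reserved -contains $SiteCode) {
        $problems += "Site code '$SiteCode' is a reserved name."
    }
    if ($ExistingSiteCodes -contains $SiteCode) {
        $problems += "Site code '$SiteCode' is already used in the source or destination hierarchy."
    }

    if ($SiteName -cnotmatch '\A[A-Za-z0-9 -]+\z') {
        $problems += 'Site name may contain only A-Z, a-z, 0-9, spaces, and hyphens.'
    }
    if ($ExistingSiteNames -contains $SiteName) {
        $problems += "Site name '$SiteName' is already used in the hierarchy."
    }

    [pscustomobject]@{
        SiteCode = $SiteCode.ToUpper()
        SiteName = $SiteName
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample candidates checked against a constructed list of existing codes
$existingCodes = 'S07', 'LON'
$candidates = @(
    @{ SiteCode = 'P01'; SiteName = 'Head Office - Primary' },
    @{ SiteCode = 'CON'; SiteName = 'Contoso Primary' },
    @{ SiteCode = 'LON'; SiteName = 'London_Site' }
)
foreach ($candidate in $candidates) {
    Test-CMSiteIdentity @candidate -ExistingSiteCodes $existingCodes
}
```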
Client Communication Modes
In System Center Configuration Manager 2007,
you can configure a site to work in either mixed
mode or native mode. In mixed mode, all site
systems use HTTP for client communication, and
sites perform mutual authentication by using
Kerberos version 5 protocol in the Active Directory
forest. In native mode, all site systems use HTTPS
and public key infrastructure (PKI)-issued
certificates to perform mutual authentication.
One of the most important changes in
Configuration Manager 2012 is that you configure
communication for site system roles independent
of the site. You can configure site system roles that use Internet Information Services (IIS), such as
management point or distribution point, to use either HTTP or HTTPS individually. You can use site system
roles that you configure for HTTP only with client computers that are on the intranet. To support clients
on the Internet, the site system roles that you expose to the Internet must use HTTPS. To use HTTPS, a
server requires an X.509 server certificate issued by a PKI that both the servers and clients trust.
When an administrator installs the Configuration Manager client on a client computer, the client
creates a self-signed certificate. For client computers to communicate by using HTTPS, they must have an
X.509 client certificate issued by a PKI that both the client and servers trust. This certificate authenticates
the Configuration Manager client with the site system role. By default, Configuration Manager clients
communicate by using the most secure protocol available. If you configure them with an X.509 certificate
and they can find a site system role by using HTTPS, they connect with that site system by using HTTPS. If
they cannot find a site system role by using HTTPS, they connect by using HTTP.
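The per-role protocol rules above can be checked against a planned role layout before deployment. The following PowerShell is an added example, not part of the course or of Configuration Manager; the functions, the role object shape (Name, Protocol, InternetFacing) and the sample roles are hypothetical, and it assumes intranet clients use only roles that are not Internet-facing.

```powershell
# Added example: models the protocol a client ends up using and flags role
# settings that conflict with the rules in the text. All names are hypothetical.
function Get-CMClientProtocol {
    param(
        [Parameter(Mandatory)][object[]]$SiteSystemRoles,
        [bool]$ClientHasPkiCertificate,
        [bool]$ClientOnInternet
    )
    # Assumption: Internet clients reach only Internet-facing roles, and
    # intranet clients reach only intranet roles.
    $reachable = @($SiteSystemRoles | Where-Object { $_.InternetFacing -eq $ClientOnInternet })
    $https = @($reachable | Where-Object { $_.Protocol -eq 'HTTPS' })
    $http  = @($reachable | Where-Object { $_.Protocol -eq 'HTTP' })

    # Most secure protocol first: HTTPS needs a PKI-issued client certificate.
    if ($ClientHasPkiCertificate -and $https.Count -gt 0) { return 'HTTPS' }
    # HTTP is usable only by clients on the intranet.
    if (-not $ClientOnInternet -and $http.Count -gt 0) { return 'HTTP' }
    return 'None'
}

function Test-CMRoleCommunication {
    param([Parameter(Mandatory)][object[]]$SiteSystemRoles)
    foreach ($role in $SiteSystemRoles) {
        if ($role.InternetFacing -and $role.Protocol -ne 'HTTPS') {
            [pscustomobject]@{
                Role     = $role.Name
                Severity = 'Error'
                Finding  = 'Role exposed to the Internet must use HTTPS.'
            }
        }
        elseif (-not $role.InternetFacing -and $role.Protocol -eq 'HTTP') {
            [pscustomobject]@{
                Role     = $role.Name
                Severity = 'Info'
                Finding  = 'Intranet clients that cannot use HTTPS will connect here over HTTP.'
            }
        }
    }
}

# Constructed sample layout
$roles = @(
    [pscustomobject]@{ Name = 'MP1 (management point)';     Protocol = 'HTTP';  InternetFacing = $false },
    [pscustomobject]@{ Name = 'MP2 (management point)';     Protocol = 'HTTPS'; InternetFacing = $false },
    [pscustomobject]@{ Name = 'DP-DMZ (distribution point)'; Protocol = 'HTTP';  InternetFacing = $true }
)

Test-CMRoleCommunication -SiteSystemRoles $roles
Get-CMClientProtocol -SiteSystemRoles $roles -ClientHasPkiCertificate $true  -ClientOnInternet $false
Get-CMClientProtocol -SiteSystemRoles $roles -ClientHasPkiCertificate $false -ClientOnInternet $false
Get-CMClientProtocol -SiteSystemRoles $roles -ClientHasPkiCertificate $true  -ClientOnInternet $true
```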
Discussion: Planning a Configuration Manager 2012 Stand-Alone Primary Site Deployment
You can use the following questions as a guideline
to determine the configuration of your System
Center 2012 Configuration Manager deployment.
Question: How can you use a stand-alone
primary site to manage clients in multiple network
locations?
Question: How can you implement different
administrative requirements for multiple
administrative teams in a stand-alone primary
site?
Question: What site system roles would you
deploy in a stand-alone primary site?
Question: What communication modes can client and site system roles use?
Lesson 2
Preparing to Deploy a Configuration Manager Primary Site
When preparing for a Configuration Manager primary site deployment, you must determine the site
system’s hardware and software requirements. You can use prerequisite checker to determine whether a
server meets the prerequisites for hosting site system roles that you select during the setup process.
As part of your preparation, you also can extend the Active Directory schema to enable the site server to
publish information in AD DS. Clients can use this information to determine their assigned site and locate
the management point.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the purpose of extending the Active Directory schema.
• Describe extending the Active Directory schema.
• Describe site server and site database requirements for a Configuration Manager primary site
deployment.
• Describe the site system roles requirements for a Configuration Manager primary site deployment.
• Identify, install, and configure the prerequisites for site system deployment.
• Explain the functionality of prerequisite checker.
• Describe the installation and configuration of operating-system prerequisites.
Extending the Active Directory Schema
System Center 2012 Configuration Manager uses the same schema extensions as System Center
Configuration Manager 2007. If you extended the schema for System Center Configuration Manager
2007, you do not need to extend the schema again. When installing subsequent versions or service
packs, read the release notes for that specific version to determine whether you need to extend the
schema again to allow for the associated update’s changes.
Extending the Active Directory schema is optional unless you are implementing network
access protection (NAP). However, extending the Active Directory schema helps ease the management of
the Configuration Manager site. When you extend the Active Directory schema, the site server publishes
information to AD DS to help with:
• Client computer installation and site assignment. During Configuration Manager client installation,
the client searches AD DS to find a management point from which to download the client software
and a site for site assignment.
• Port configuration for client-to-server communication. During installation, the client obtains the IIS
port information for the client-to-server communications from AD DS. If you change the
client-to-server port information after you install clients, the clients can obtain the updated port
information from AD DS.
• NAP. Configuration Manager publishes health state references to AD DS so that the System Health
Validator point can validate a client’s statement of health.
You can extend the schema by running the following program:
<installation source>\smssetup\bin\x64\extadsch.exe
Optionally, you can extend the schema by using the LDAP Data Interchange Format Data Exchange
(LDIFDE) tool to import the <installation source>\smssetup\bin\x64\ConfigMgr_ad_schema.ldf file. You need
to edit the .ldf file to include the forest name before you can use it.
For example, the following command line imports the schema extensions into AD DS, turns on verbose
logging, and creates a log file during the import process:
ldifde -i -f ConfigMgr_ad_schema.ldf -v -j <location to store log file>
The System Management Container
Configuration Manager publishes its information to the Root\System\System Management
container in AD DS. Extending the Active Directory schema does not create this container automatically.
You must create the container in each domain that includes a Configuration Manager central
administration site, a primary site server, or secondary site server that publishes site information to AD DS.
You can create the System Management container manually by using the ADSIEdit.msc tool. When you
are creating the System Management container manually, you have to assign the Configuration Manager
site server full control permissions for the System Management container and all descendant objects.
Optionally, you can grant the Configuration Manager site server full control permissions to the System
container in AD DS, and then the System Management container is created automatically when the
Configuration Manager site server first publishes information to AD DS.
If you have additional AD DS forests that contain clients, and allow your site to publish site data to
additional forests, you also need to extend the Active Directory schema and grant the site server rights to
publish to the remote forests.
Workarounds for Client Installation and Settings
If you decide not to extend the Active Directory schema, you have to use workarounds for the client
installation and maintenance settings that the client otherwise receives from AD DS. You can use the
following workarounds:
• Client computer installation and site assignment:
o Use client push installation, and configure installation properties for the site in the Client Push
Installation Properties window.
o Install clients manually and provide client installation properties by using CCMSetup installation
command-line options.
o Publish the management point in Domain Name System (DNS) or Windows Internet Naming
Service (WINS).
• Port configuration for client-to-server communication:
o Reinstall clients and configure them to use the new port information.
o Deploy a script to clients to update the port information through an external method, such as by
using Group Policy.
Demonstration: Extending the Active Directory Schema
In this demonstration, you will see how to extend the Active Directory schema, verify that the schema was
extended successfully, create the System Management container in AD DS, and configure permissions on
the System Management container.
Demonstration Steps
1. On LON-DC1, start File Explorer, and then browse to \\LON-CFG\E$\ConfigMgr2012R2\SMSSETUP\BIN\X64.
Locate and then run the ExtADSch.exe file.
2. Browse to drive C, open the ExtADSch.log file, and then verify the success of the operation by
observing the classes and attributes added to Active Directory® Domain Services (AD DS) and the
message that confirms the schema’s successful extension.
3. In the Run dialog box, type adsiedit.msc, and then click OK.
4. In the ADSI Edit console, connect to the default naming context.
5. In the ADSI Edit console, expand Default naming context [LON-DC1.Adatum.com], expand the
DC=Adatum,DC=Com container, and then select the CN=System container.
6. Create an object under CN=System with the type container and the name System Management.
7. In the ADSI Edit console, verify that the CN=System Management container appears in the results
pane, and then close the console.
8. In the Active Directory Users and Computers console, from the View menu, enable Advanced
Features.
9. Locate the System Management container, and then access its Properties.
10. On the Security tab, assign Full Control permission to the LON-CFG computer, and then click
Advanced.
11. In the Advanced Security Settings for System Management dialog box, edit the entry for the
LON-CFG computer so Full Control permission will apply to This object and all descendant
objects, and then click OK.
12. Click OK on each dialog box to close them.
13. Close the Active Directory Users and Computers console.
Note: After the installation, the Configuration Manager 2012 site server will publish
information in the System Management container. It enables clients to determine their assigned
site and locate the management point.
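Steps 3 through 13 of the demonstration can also be scripted. The following PowerShell is an added example, not part of the original courseware; it assumes Windows PowerShell 3.0 or later with the ActiveDirectory module, an account that may modify CN=System, and the lab's LON-CFG site server. It also reads the container's explicit access entries back, because clients rely on what is published there to find their site and management point.

```powershell
# Added example: scripted form of demonstration steps 3-13 (not from the courseware).
# Assumptions: ActiveDirectory module (RSAT) is installed, the session runs with rights
# to modify CN=System, and LON-CFG is the site server as in the demonstration.
Import-Module ActiveDirectory

$siteServerName = 'LON-CFG'
$domainDn       = (Get-ADDomain).DistinguishedName   # DC=Adatum,DC=com in the lab
$systemDn       = "CN=System,$domainDn"
$containerDn    = "CN=System Management,$systemDn"

# Steps 4-7: create CN=System Management under CN=System only if it is missing.
$container = Get-ADObject -SearchBase $systemDn -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=container)(cn=System Management))'
if (-not $container) {
    New-ADObject -Name 'System Management' -Type 'container' -Path $systemDn
}

# Steps 9-11: Full Control for the site server's computer account, applied to
# "This object and all descendant objects" (inheritance type All).
$siteServerSid = (Get-ADComputer -Identity $siteServerName).SID
$rights      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $siteServerSid, $rights, $allow, $inheritance

$adPath = "AD:\$containerDn"
$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Verification: list every explicit (non-inherited) Allow entry on the container.
# Only the site server should hold Full Control here; review any other principal
# that appears with write-capable rights.
$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]
$report = foreach ($ace in (Get-Acl -Path $adPath).GetAccessRules($true, $false, $sidType)) {
    if ($ace.AccessControlType -ne $allow) { continue }
    # Resolve the SID to a name where possible; keep the raw SID otherwise.
    $name = $ace.IdentityReference.Value
    try { $name = $ace.IdentityReference.Translate($ntType).Value } catch { }
    [pscustomobject]@{
        Principal    = $name
        Rights       = $ace.ActiveDirectoryRights
        Inheritance  = $ace.InheritanceType
        IsSiteServer = ($ace.IdentityReference.Value -eq $siteServerSid.Value)
    }
}
$report | Format-Table -AutoSize
```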
Site Server and Site Database Requirements
Hardware Requirements
To install a stand-alone Configuration Manager 2012 primary site in an environment that has up
to 100 clients, and that supports all of the features of Configuration Manager 2012, you need to
ensure that you meet the minimum hardware requirements that the following table lists.
Hardware component | Minimum
Processor | AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support. Minimum: 1.4 gigahertz (GHz)
RAM | 2 gigabytes (GB) of random access memory (RAM)
Free disk space | Available: 10 GB. Total, including the operating system: 50 GB
Network adapter | Site system computers must have network connectivity to other Configuration Manager site systems and to the clients that they manage.
This hardware configuration is suitable only for testing environments. If you want to install Configuration
Manager 2012 in a production environment, the minimum hardware requirements are not sufficient.
The following table lists the recommended hardware requirements for a stand-alone System Center 2012
Configuration Manager primary site server that has SQL Server installed on the site server computer.
Hardware component | Recommended
Processor | 8 cores (Intel Xeon 1.4 GHz or comparable central processing unit [CPU])
RAM | 32 GB of RAM
Free disk space | 550-GB hard-disk space for the operating system, SQL Server, and all database files
Network adapter | Site system computers must have network connectivity to other Configuration Manager site systems and to the clients that they manage.
When you use an instance of SQL Server that is installed on the same computer as the site server, the
primary site can support up to 50,000 clients. When you use an instance of SQL Server that is installed on
a computer that is remote from the site server, the primary site can support up to 100,000 clients.
Operating-System Requirements
In System Center 2012 Configuration Manager, all site systems, with the exception of distribution points,
require 64-bit server systems that are running one of the following operating systems:
• Windows Server® 2008 Service Pack 2 (SP2) Standard, Enterprise, or Datacenter
o System Center 2012 Configuration Manager
o System Center 2012 Configuration Manager Service Pack 1 (SP1)
o System Center 2012 Configuration Manager R2
• Windows Server 2008 R2 (no service pack or SP1) Standard, Enterprise, or Datacenter
o System Center 2012 Configuration Manager
o System Center 2012 Configuration Manager SP1
o System Center 2012 Configuration Manager R2
• Windows Server 2012 Standard or Datacenter
o System Center 2012 Configuration Manager SP1
o System Center 2012 Configuration Manager R2
• Windows Server 2012 R2 Standard or Datacenter
o System Center 2012 Configuration Manager
o System Center 2012 Configuration Manager SP1
o System Center 2012 Configuration Manager R2
A computer configured as a read-only domain controller (RODC) will not support secondary sites and site
database servers.
SQL Server Requirements
The following table lists the server requirements for the different versions of SQL Server that
Configuration Manager 2012 can use.
SQL Server version | Edition | Central administration site | Primary site | Secondary site | Notes
SQL Server 2008 with SP2 and Cumulative Update 9 | Standard, Enterprise | Supported | Supported | Supported | Using Standard Edition at the central administration site limits the total number of clients to 50,000.
SQL Server 2008 with Service Pack 3 (SP3) and Cumulative Update 4 | Standard, Enterprise | Supported | Supported | Supported | Using Standard Edition at the central administration site limits the total number of clients to 50,000.
SQL Server 2008 R2 with SP1 and Cumulative Update 6 | Standard, Enterprise | Supported | Supported | Supported | Using Standard Edition at the central administration site limits the total number of clients to 50,000.
SQL Server 2012 | Standard, Enterprise | Supported | Supported | Supported | Using Standard Edition at the central administration site limits the total number of clients to 50,000.
SQL Server 2012 SP1 | Standard, Enterprise | Supported | Supported | Supported | Using Standard Edition at the central administration site limits the total number of clients to 50,000.
SQL Server Express 2008 R2 with SP1 and Cumulative Update 6 | Not applicable | Not supported | Not supported | Supported | None
SQL Server 2012 Express | Not applicable | Not supported | Not supported | Supported | None
SQL Server 2012 Express SP1 | Not applicable | Not supported | Not supported | Supported | None
Additionally, you need to ensure that you apply the following settings to SQL Server:
• Database collation. Configuration Manager requires that the collation for both the database instance
and the Configuration Manager database itself be set to SQL_Latin1_General_CP1_CI_AS.
• Authentication. Configuration Manager can use only Windows authentication to communicate with
SQL Server.
• SQL Server instance. Each Configuration Manager site must have a dedicated SQL Server instance.
• Reporting Services. You must install SQL Server Reporting Services on a database server to provide
reporting capabilities in Configuration Manager.
Requirements for Site System Roles
The management point and the distribution point are two common site system roles that you can
install during the Configuration Manager setup. You can provide scalability by installing additional
instances of these site system roles in a primary site or secondary site.
Requirements for Management Points
Each primary site management point can support up to 25,000 computer clients. For example, to
support 100,000 clients, you would need at least four management points.
Each primary site can support up to 10 management points. If you install additional management points
in a stand-alone primary site, note the hardware requirements that the following table lists.
Hardware component | Recommended
Processor | 4 cores (Intel Xeon 2.0 GHz or comparable CPU)
RAM | 8 GB of RAM
Free disk space | 50 GB of disk space for the operating system and Configuration Manager
Memory and processor capacity are the primary influences on management point performance.
Requirements for Distribution Points
Each primary site supports up to 250 distribution points, and each distribution point can support up to
4,000 clients.
You also can increase scalability by installing a secondary site. By default, a secondary site includes a
management point and a distribution point, both of which you install on the secondary site server. Each
secondary site supports up to 250 distribution points. Each distribution point can support up to the same
number of clients that the hardware configuration of the secondary site server supports, to a maximum of
4,000 clients.
Each primary site supports a combined total of up to 5,000 distribution points, which includes:
• All distribution points at the primary site
• All distribution points that belong to the primary site’s child secondary sites
If you install additional distribution points, note the hardware requirements that the following table lists.
Hardware component | Recommended
Processor | 2 cores (Intel Xeon 2.0 GHz or comparable CPU)
RAM | 8 GB of RAM
Free disk space | Disk space, as required for the operating system and content that you deploy to the distribution point.
Network and disk input/output (I/O) are the primary influences on distribution point performance.
In addition to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server
2012 R2, you can deploy distribution points to the operating systems that the following table lists.
Operating system | Architecture | Edition | Notes
Windows Vista® | x64 | Business Edition (SP1); Enterprise Edition (SP1); Ultimate Edition (no service pack or SP1) | Can only host the standard distribution point
Windows® 7 | x86 or x64 | Professional (no service pack or SP1); Enterprise Edition (no service pack or SP1); Ultimate Edition (no service pack or SP1) | Can only host the standard distribution point
Windows 8 | x86 or x64 | Pro; Enterprise | Can only host the standard distribution point
Windows 8.1 | x86 or x64 | Pro; Enterprise | Can only host the standard distribution point
Windows Server 2003 | x86 or x64 | Standard Edition (SP2); Enterprise Edition (SP2); Datacenter Edition (SP2) | Does not support multicast
Windows Server 2003 | x86 | Web Edition (SP2); Storage Server Edition (SP2) | Does not support multicast
Windows Server 2003 R2 | x86 or x64 | Standard Edition; Enterprise Edition | Does not support multicast
Some 32-bit operating systems support distribution points, unlike other site system roles. However, only
specific operating systems support additional distribution-point features, such as Pre-Boot EXecution
Environment (PXE) and multicast.
Note: You can install the site server or any site system role on virtual machines. When using
virtual machines, you need to ensure that the Hyper-V® host meets the hardware requirements
for all virtual machines that it is hosting.
Prerequisites for Installing and Configuring Configuration Manager
There are many prerequisites for Configuration Manager. Some roles require specific
operating-system components or settings, while other roles use functionality from other programs.
The following table lists the prerequisites and roles that need them.
Prerequisite | Role or feature | Notes
Microsoft .NET Framework 3.5 Features | All web-based roles | Install both .NET 3.5 and Windows Communication Foundation (WCF) activation.
Internet Information Server | All web-based roles | This is a Windows feature that installs with the Windows Server Manager. When you install the .NET Framework 3.5 features, you receive a prompt to add required roles and services. IIS then installs with the required features: Common HTTP features (Static content, Default document, Directory browsing, HTTP errors, HTTP redirection); Application development (ASP.NET, .NET extensibility, ISAPI extensions, ISAPI filters); Health and diagnostics (HTTP logging, Logging tools, Request monitor, Tracing); Security (Windows authentication, Request filtering); Performance (Static content compression); Management tools (IIS Management Console, IIS management scripts and tools, IIS 6 management compatibility, IIS 6 metabase compatibility, IIS 6 Windows Management Instrumentation (WMI) compatibility).
.NET Framework 4.5 | Application Catalog web service point; Application Catalog website point; Software update point; Asset Intelligence synchronization point; Reporting Services point; Enrollment point; Enrollment proxy point | Windows Server 2008 R2: Download .NET Framework 4.5 from Microsoft’s website, and then install it. Windows Server 2012: Install the .NET Framework 4.5 feature.
BITS | Management point; Distribution point | The Background Intelligent Transfer Service (BITS) is a Windows feature that installs through the Windows Server Manager.
Remote Differential Compression | Site Servers | Remote Differential Compression is a Windows feature that installs through the Windows Server Manager.
WDS | PXE-enabled distribution point | You can install the Windows Deployment Services (WDS) Role by using Windows Server Manager, and it is a prerequisite if you want to use PXE or multicast.
Windows Automated Installation Kit | Operating System Deployment | The Windows Automated Installation Kit installs automatically when the Configuration Manager 2012 Setup Wizard runs. This prerequisite is for the operating-system deployment feature.
Windows ADK | Operating System Deployment | The Windows Assessment and Deployment Kit (Windows ADK) replaces Windows Automated Installation Kit for Windows Server 2012 and Windows 8 and newer operating systems, and you must install it on the site server. You can install WAIK or Windows ADK, but both kits cannot coexist on the same server.
Depending on the site system role that you want to implement, you must configure one or more of the
following prerequisites:
• IIS with ASP.NET and .NET Framework 3.5.1. Most site system roles use HTTP or HTTPS to
communicate with clients, so you should install the Web Server (IIS) server role on the majority of
servers that are hosting site system roles.
• BITS. Site system roles, such as management and distribution points, use BITS for bandwidth
throttling.
• .NET Framework 4.5. This is required when you install any of the following:
o Application catalog
o Software update point
o Asset Intelligence synchronization point
o Reporting Services point
o Enrollment point
o Enrollment proxy point
• WSUS. The software update point role uses Windows Server Update Services (WSUS).
• WDS. WDS is required when you use PXE-initiated deployments of operating systems or if you wish to
use multicast deployment of operating-system images.
Configuration Manager Setup Downloader
Configuration Manager Setup Downloader (SetupDL.exe) is a stand-alone application that you can use to
download the Configuration Manager client prerequisites, language packs, and SQL Server Express 2008
R2 SP1. These prerequisites are requested during the System Center 2012 Configuration Manager Setup
Wizard, and you can download them from the Microsoft web site during setup.
If the site server does not have a direct connection to the Internet, you can use the Configuration
Manager Setup Downloader (SetupDL.exe). You can find this on the Configuration Manager installation
media in the \SMSSETUP\BIN\X64 folder, and it enables you to download the prerequisites on another
computer that has Internet connectivity. You then can copy the prerequisites to the server on
which you plan to install Configuration Manager.
SQL Server Configuration
When you install and configure the SQL Server that Configuration Manager 2012 uses, refer to the
settings that the following table describes.
Configuration | More information
Database collation | The instance of SQL Server in use at each site must use the following collation: SQL_Latin1_General_CP1_CI_AS.
SQL Server features | Only the Database Engine Services feature is required for each site server. You also can install SQL Server Reporting Services to support the Reporting Services point role. Note: Configuration Manager replication does not require the SQL Server replication feature.
Windows authentication | Configuration Manager requires Windows authentication to validate connections to the database.
SQL Server instance | You must use a dedicated instance of SQL Server for each site.
SQL Server memory | When you use a database server that is co-located with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory reserved for SQL Server to 80 to 90 percent of the available addressable system memory. Configuration Manager requires SQL Server to reserve a minimum of 8 GB of memory in the buffer pool that an instance of SQL Server uses for the central administration and primary sites.
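The collation, authentication mode, and memory settings in the table can be read back from a running instance before setup. The following PowerShell is an added example, not part of the original courseware; the function name is hypothetical, and it assumes Windows PowerShell 3.0 or later, a Windows-authenticated login on the instance, and that the 8 GB reservation is expressed through the min server memory (MB) setting.

```powershell
# Added example, not from the courseware: compare a SQL Server instance with the
# settings in the table above. Function and parameter names are hypothetical.
# Assumptions: Windows PowerShell 3.0+, Windows authentication, WMI access to the
# SQL Server computer, and 'min server memory (MB)' carries the 8 GB reservation.
function Test-ConfigMgrSqlSettings {
    param(
        [Parameter(Mandatory = $true)][string]$SqlInstance,  # host or host\instance
        [Parameter(Mandatory = $true)][string]$SqlHost,      # computer running SQL Server
        [switch]$CoLocated                                   # SQL Server is on the site server
    )

    $query = @"
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS Collation,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsAuthOnly,
       (SELECT CAST(value_in_use AS bigint) FROM sys.configurations
         WHERE name = 'max server memory (MB)') AS MaxMemoryMB,
       (SELECT CAST(value_in_use AS bigint) FROM sys.configurations
         WHERE name = 'min server memory (MB)') AS MinMemoryMB;
"@

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $collation = [string]$reader['Collation']
        $winOnly   = ([int]$reader['WindowsAuthOnly']) -eq 1
        $maxMB     = [long]$reader['MaxMemoryMB']
        $minMB     = [long]$reader['MinMemoryMB']
        $reader.Close()
    }
    finally {
        $conn.Close()
    }

    # Physical memory of the SQL Server computer, in MB.
    $computer = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $SqlHost
    $totalMB  = [math]::Round($computer.TotalPhysicalMemory / 1MB)

    # Co-located database: 50 to 80 percent. Dedicated SQL Server: 80 to 90 percent.
    if ($CoLocated) { $low = 50; $high = 80 } else { $low = 80; $high = 90 }
    $maxPct = [math]::Round(100 * $maxMB / $totalMB, 1)

    [pscustomobject]@{
        Collation          = $collation
        CollationOk        = ($collation -eq 'SQL_Latin1_General_CP1_CI_AS')
        # Informational: the table requires Windows authentication for Configuration
        # Manager connections; this reports whether the instance accepts nothing else.
        WindowsAuthOnly    = $winOnly
        MaxMemoryPercent   = $maxPct      # an unconfigured instance reports far above 100
        MaxMemoryInRange   = ($maxPct -ge $low -and $maxPct -le $high)
        MinMemoryMB        = $minMB
        MinMemoryAtLeast8G = ($minMB -ge 8192)
    }
}

# Lab usage (LON-CFG hosts both the site server and SQL Server):
# Test-ConfigMgrSqlSettings -SqlInstance 'LON-CFG' -SqlHost 'LON-CFG' -CoLocated
```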
What Is Prerequisite Checker?
Prerequisite checker (ConfigMgrSourceFiles\SMSSETUP\BIN\x64\prereqchk.exe) is a stand-alone
application included with the System Center 2012 installation media. Use the prerequisite
checker application to verify that a server is ready for a site server installation or the installation of
specific site system roles. The prerequisite checker application performs tests in the following
categories:
• Security rights. Prerequisite checker performs validation for the security rights of
the administrative user who is performing the setup. It verifies administrative permissions on the
central administration site, if a central administration site exists; local administrator permissions on
the computer where Configuration Manager is installed; and permissions on the SQL Server that was
used for the installation.
• Configuration Manager dependencies. Prerequisite checker tests for Configuration Manager
dependencies, such as:
o Verifying that BITS is enabled.
o Checking the SQL Server configuration.
o Checking the Windows Firewall settings.
o Checking the IIS configuration.
o Checking publishing to AD DS permissions.
o Checking for the installation of the required Configuration Manager prerequisites.
• System requirements. Prerequisite checker validates the hardware and operating-system
configuration, AD DS functional level, Active Directory schema extensions, domain membership,
and the free disk space on the server on which you perform the installation.
You can run prerequisite checker manually when preparing a server for Configuration Manager, but it
is not a requirement. If you choose to run prerequisite checker manually, you can remediate any issues
that you find before you run the Configuration Manager Setup program. The Configuration Manager
Setup program runs it as the last step in the Setup Wizard, because installation cannot begin until all
prerequisites for the chosen roles are met.
Prerequisite Checker notifies you of any warnings or errors that it encounters. Tests that result in a
warning do not prevent you from installing System Center 2012 Configuration Manager successfully.
However, you should resolve the condition that generated the warning before running the Configuration
Manager 2012 Setup Wizard. Tests that result in an error prevent you from completing the Configuration
Manager setup process. Additionally, you can avoid interrupting the setup process by remediating any
prerequisite errors before running Configuration Manager 2012 Setup Wizard.
The following table lists the available options to use when you run Prerequisite Checker from a command
line.
Command-line option | Description
/NOUI | Use this option to start Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line.
/PRI or /CAS | Verifies that the local computer meets the requirements for the primary site or central administration site. You can specify only one option. You cannot combine this option with the /SEC option.
/SEC <FQDN of secondary site> | Verifies that the specified computer meets the requirements for the secondary site. This option cannot be combined with the /PRI or /CAS option.
[/INSTALLSQLEXPRESS] | Verifies SQL Express on the specified computer. You can use this option only after the /SEC option.
/SQL <FQDN of SQL Server> | Verifies that the specified computer meets the requirements for SQL Server to host the Configuration Manager site database. This option is required when you use the /PRI or /CAS option.
/SDK <FQDN of SMS Provider> | Verifies that the specified computer meets the requirements for the SMS Provider. This option is required when you use the /PRI or /CAS option.
/JOIN <FQDN of central administration site> | Verifies that the local computer meets the requirements for connecting to the central administration server. This option is only valid when you use the /PRI option.
/MP <FQDN of management point> | Verifies that the specified computer meets the requirements for the management point site system role. This option is only supported when you use the /PRI option.
/DP <FQDN of distribution point> | Verifies that the specified computer meets the requirements for the distribution point site system role. This option is only supported when you use the /PRI option.
/ADMINUI | Verifies that the local computer meets the prerequisites for the Configuration Manager console. This option cannot be combined with any other option.
Prerequisite Checker verifies that the site server computer account has permissions to write in AD DS, but
it does not check permissions for any groups of which the site server is a member.
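The option rules in the table are easy to violate when the command line is assembled by hand. The following PowerShell is an added example, not part of the original courseware; the function name is hypothetical, the media path is the lab's E:\ConfigMgr2012R2 share, and the ConfigMgrPrereq.log location and its Error and Warning keywords are assumptions about the checker's default log.

```powershell
# Added example, not from the courseware: build a prereqchk.exe argument list that obeys
# the option rules in the table above. Function and parameter names are hypothetical.
function Get-PrereqChkArguments {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PRI', 'CAS', 'SEC', 'ADMINUI')][string]$Check,
        [switch]$NoUI,
        [string]$SecondaryFqdn, [switch]$InstallSqlExpress,
        [string]$SqlFqdn, [string]$SdkFqdn,
        [string]$JoinFqdn, [string]$MpFqdn, [string]$DpFqdn
    )
    $list = New-Object System.Collections.Generic.List[string]

    if ($Check -eq 'ADMINUI') {
        # /ADMINUI cannot be combined with any other option.
        $others = @($PSBoundParameters.Keys | Where-Object { $_ -ne 'Check' })
        if ($others.Count -gt 0) { throw '/ADMINUI cannot be combined with any other option.' }
        return @('/ADMINUI')
    }

    if ($NoUI) { $list.Add('/NOUI') }            # must precede every other option

    if ($Check -eq 'SEC') {
        if (-not $SecondaryFqdn) { throw '/SEC needs the FQDN of the secondary site.' }
        # Conservative choice of this example: reject options the table ties to /PRI or /CAS.
        if ($SqlFqdn -or $SdkFqdn -or $JoinFqdn -or $MpFqdn -or $DpFqdn) {
            throw '/SQL, /SDK, /JOIN, /MP and /DP are described only for /PRI or /CAS.'
        }
        $list.Add('/SEC'); $list.Add($SecondaryFqdn)
        if ($InstallSqlExpress) { $list.Add('/INSTALLSQLEXPRESS') }   # only after /SEC
        return $list.ToArray()
    }

    # /PRI or /CAS: exactly one of them, and /SQL plus /SDK are required.
    if ($SecondaryFqdn -or $InstallSqlExpress) {
        throw '/SEC and /INSTALLSQLEXPRESS cannot be combined with /PRI or /CAS.'
    }
    if (-not $SqlFqdn -or -not $SdkFqdn) {
        throw "/SQL and /SDK are required with /$Check."
    }
    if ($Check -eq 'CAS' -and ($JoinFqdn -or $MpFqdn -or $DpFqdn)) {
        throw '/JOIN, /MP and /DP are valid only with /PRI.'
    }
    $list.Add("/$Check")
    $list.Add('/SQL'); $list.Add($SqlFqdn)
    $list.Add('/SDK'); $list.Add($SdkFqdn)
    if ($JoinFqdn) { $list.Add('/JOIN'); $list.Add($JoinFqdn) }
    if ($MpFqdn)   { $list.Add('/MP');   $list.Add($MpFqdn) }
    if ($DpFqdn)   { $list.Add('/DP');   $list.Add($DpFqdn) }
    return $list.ToArray()
}

# Lab usage: check LON-CFG as a stand-alone primary site that also hosts SQL Server,
# the SMS Provider, a management point and a distribution point.
$fqdn = 'LON-CFG.Adatum.com'
$prereqArgs = @(Get-PrereqChkArguments -Check PRI -NoUI -SqlFqdn $fqdn -SdkFqdn $fqdn `
    -MpFqdn $fqdn -DpFqdn $fqdn)
"prereqchk.exe $($prereqArgs -join ' ')"

$prereqChk = 'E:\ConfigMgr2012R2\SMSSETUP\BIN\X64\prereqchk.exe'   # lab media path
if (Test-Path $prereqChk) {
    Start-Process -FilePath $prereqChk -ArgumentList $prereqArgs -Wait
    # Assumption: with /NOUI the results go to ConfigMgrPrereq.log in the root of the
    # system drive; this is a plain text match for lines that need attention.
    $log = Join-Path "$env:SystemDrive\" 'ConfigMgrPrereq.log'
    if (Test-Path $log) { Select-String -Path $log -Pattern 'Error|Warning' }
}
```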
Demonstration: Installing and Configuring Operating-System Prerequisites
In this demonstration, you will see what Windows Server 2012 R2 roles and features are necessary to
support the Configuration Manager installation.
Demonstration Steps
1. On LON-CFG, start the Server Manager console.
2. In the Server Manager console, verify that the following roles and features are installed:
o .NET Framework 3.5 Features
o .NET Framework 4.5 Features
o Background Intelligent Transfer Service (BITS)
o Remote Differential Compression
o Web Server
Lesson 3
Installing a Configuration Manager Site Server
After preparing the environment, your next step is to install the Configuration Manager 2012 site server.
You can use the System Center 2012 Configuration Manager Setup Wizard to:
• Install a primary site, either as a stand-alone site or as part of a hierarchy.
• Install a central administration site.
• Recover a site server.
• Perform site maintenance.
• Uninstall the site.
You can select additional configuration options for site systems during setup.
You will review the available setup options, and then determine the most appropriate settings for your
implementation.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Configuration Manager 2012 setup process.
• Explain the Configuration Manager 2012 setup options.
• Describe the installation of a Configuration Manager 2012 primary site.
The Configuration Manager 2012 Setup Process
The following table lists the steps of the System
Center 2012 Configuration Manager Setup
Wizard, and information that you input for each
step.
Wizard step
Input required
Getting Started
Choose: Install a Configuration Manager primary site server.
Optionally, you can check: Use typical installation options for a stand-alone
primary site.
Product Key
Enter the product key or select Install this product as an evaluation.
Microsoft Software
License Terms
Accept the license terms in this step to continue with the setup.
Prerequisite
In this step, you must accept the licenses for Microsoft SQL Server 2008 R2
Wizard step
Input required
MCT USE ONLY. STUDENT USE PROHIBITED
2-22 Planning and Deploying a Stand-Alone Primary Site
Licenses
Express, Microsoft SQL Server 2008 Native Client, and Microsoft Silverlight® 4
to continue with the setup.
Prerequisite
Downloads
In this step, you can download the Configuration Manager prerequisites or
specify a folder where you downloaded them previously.
Server Language Selection: This option enables you to specify additional language packs to download and install for the admin console and reports.
Client Language Selection: This option enables you to specify additional language packs to download and install for the Configuration Manager client.
Site and Installation Settings: Configure the site code and site name. You cannot change these settings once you configure them. You also can choose whether to install the Configuration Manager console.
Primary Site Installation: If you selected Install a Configuration Manager primary site in the first step, you can indicate whether the site is a stand-alone site or is part of a hierarchy.
Database Information: Input the fully qualified domain name (FQDN) of the SQL server, the name of the Configuration Manager database, and the port to use for the SQL Server Service Broker.
SMS Provider Settings: Input the FQDN of the server that hosts the SMS Provider. By default, this installs on the site server. We recommend installing this role on the database server, unless the database is clustered.
Client Computer Communication Settings: In this step, you can choose either of the following:
• All site systems roles accept only HTTPS communication from clients
• Configure the communication method on each site system role
If you choose to configure site system roles separately, you can select the Clients use HTTPS when they have a valid PKI certificate and HTTPS-enabled site roles are available check box.
Site System Roles: In this step, you can choose to install a management point and/or a distribution point, and specify the FQDNs for the roles. By default, both roles are installed by using the server’s FQDN.
Option: All site systems roles accept only HTTPS communication from clients.
Role configuration: Both roles are configured for HTTPS and you cannot modify them during setup.
Option: Configure the communication method on each site system role.
Role configuration: Both roles are configured for HTTP and you cannot modify them during setup.
Option: Configure the communication method on each site system role, and you check Clients will use HTTPS when they have a valid PKI certificate and HTTPS-enabled site roles are available.
Role configuration: Both roles are configured for HTTPS. You can modify them during setup.
Customer Experience Improvement Program Configuration: In this step, you can choose to participate in the Customer Experience Improvement Program.
Settings Summary: Review your selections to determine whether you need to make changes.
Prerequisite Check: The Setup Wizard launches the prerequisite checker application to evaluate the server readiness for hosting selected roles.
Begin install: Select the option to start the installation. Alternatively, you can go back and make additional changes, or you can install missing prerequisites.
If you want to install the console on an administrative user’s workstation, you can use the
ConsoleSetup.exe in SMSSETUP/BIN/i386. The Configuration Manager console is a 32-bit application
that you can install on 32-bit and 64-bit operating systems.
Setup Options for Configuration Manager 2012
You can use the options in the first step of the System Center 2012 Configuration Manager Setup Wizard to:
• Install a Configuration Manager primary site. Select this option to install a primary site. You have the opportunity later to select whether it is a stand-alone site or part of a hierarchy.
• Install a Configuration Manager central administration site. If you are installing a hierarchy, you must install the central administration site first.
• Upgrade an existing Configuration Manager 2012 installation. This option enables you to upgrade the current Configuration Manager 2012 site to a newer version, such as SP1.
• Recover a site. Use this option to perform the first step in recovering a failed site server. Module 7 provides more details on site-server recovery.
• Perform site maintenance or reset this site. Use this option to modify the SQL server configuration, manage the SMS Provider, or perform a site reset after restoring from a backup.
• Uninstall a Configuration Manager site. We recommend this approach to remove a site server from a hierarchy.
Note: The option to install a secondary site is not available in the Setup Wizard. You can install the secondary sites by using the Configuration Manager console connected to an existing primary site.
The Configuration Manager setup differs from the Configuration Manager 2007 setup in the following ways:
• With the exception of the management point and distribution point site roles, you cannot install any of the optional roles during the setup process.
• Setup Downloader (SetupDL.exe) and Prerequisite Checker (prereqchk.exe) now are separate applications that you can launch without starting the Configuration Manager Setup Wizard.
Demonstration: Installing a Configuration Manager Primary Site
In this demonstration, you will see how to install a Configuration Manager primary site.
Demonstration Steps
1. On LON-CFG, open File Explorer, and then navigate to the E:\ConfigMgr2012R2\ folder.
2. Double-click splash.hta.
3. In the System Center 2012 R2 Configuration Manager Setup dialog box, click Install.
4. The Microsoft System Center 2012 R2 Configuration Manager Setup Wizard starts. Use the following settings to install a stand-alone primary site.
   a. On the Getting Started page, select Install a Configuration Manager primary site.
   b. On the Product Key page, select Install the evaluation edition of this product.
   c. On the Microsoft Software License Terms page, accept the license terms.
   d. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept these License Terms. Under Microsoft SQL Server 2012 Native Client, select I accept these License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms and automatic updates of Silverlight.
   e. On the Prerequisite Downloads page, select Use previously downloaded files, and then specify the E:\ConfigMgr2012R2\Redist as the location.
   f. On the Server Language Selection and Client Language Selection pages, click Next.
   g. On the Site and Installation Settings page, configure the following options.
      • Site code: LON
      • Site name: Adatum Site
      • Install the Configuration Manager console: selected
   h. On the Primary Site Installation page, select Install the primary site as a stand-alone site.
   i. On the Database Information page, accept the default settings.
   j. On the SMS Provider Settings page, accept the default settings.
   k. On the Client Computer Communication Settings page, select Configure the communication method on each site system role.
   l. On the Site System Roles page, verify that both Install a management point and Install a distribution point check boxes are selected. Additionally, verify that LON-CFG.Adatum.com appears in both FQDN text boxes.
   m. On the Customer Experience Improvement Program Configuration page, select I don’t want to join the program at this time.
   n. On the Settings Summary page, click Next.
   o. On the Prerequisite Check page, wait for the prerequisite checking to finish, review the results, and then click Begin Install.
Lab A: Installing a Configuration Manager Primary Site
Scenario
You are the network administrator for A. Datum Corporation. Adatum wants to deploy System Center 2012 Configuration Manager as a stand-alone primary site.
You need to test the deployment by:
1. Configuring prerequisites for the Configuration Manager 2012 deployment.
2. Extending the Active Directory schema.
3. Installing a System Center 2012 Configuration Manager stand-alone primary site.
Objectives
At the end of this lab, you will be able to:
• Configure the prerequisites for a System Center 2012 R2 Configuration Manager deployment.
• Extend the Active Directory schema, and configure permissions for the Configuration Manager site server.
• Install a Configuration Manager 2012 stand-alone primary site.
Lab Setup
Estimated Time: 30 minutes
Virtual Machines: 10748C-LON-DC1-A, 10748C-LON-CFG-A
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, from the Start screen, click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-A, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 10748C-LON-CFG-A.
Exercise 1: Configuring the Prerequisites for Configuration Manager 2012 Deployment
Scenario
You have received your virtual environment to use for testing. The virtual machines are configured with the Windows Server 2012 R2 operating systems. Additionally, IIS, the required prerequisites, and SQL Server 2012 SP1 are installed.
You need to verify the configuration of prerequisites for the Configuration Manager deployment.
The main tasks for this exercise are as follows:
1. Start Server Manager.
2. Verify the installation of the Web Server (IIS) role.
3. Verify the required features.
4. Verify that Windows ADK for Windows 8.1 is installed.
Task 1: Start Server Manager
• On 10748C-LON-CFG-A, start the Server Manager console, and then click the Local Server node.
Task 2: Verify the installation of the Web Server (IIS) role
• In the Server Manager console, scroll to the Roles and Features section, and verify that the Web Server (IIS) role is installed.
Task 3: Verify the required features
1. In the Server Manager console, verify that the following features are installed:
   o Background Intelligent Transfer Service (BITS)
   o Remote Differential Compression
2. Close the Server Manager console.
Task 4: Verify that Windows ADK for Windows 8.1 is installed
• Open File Explorer, and then browse to C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit. Verify that the following components have been installed:
   o Deployment Tools
   o Windows Preinstallation Environment
   o User State Migration Tool
Results: After this exercise, you should have validated the prerequisites for installing System Center 2012 Configuration Manager.
Exercise 2: Extending the Active Directory Schema
Scenario
The virtual environment includes a domain controller with AD DS that is configured in the Adatum.com domain.
You need to prepare AD DS for Configuration Manager 2012 by extending the AD DS schema, and then by creating the System Management container manually in which the Configuration Manager 2012 server will publish information.
The main tasks for this exercise are as follows:
1. Run EXTADSCH on the domain controller.
2. Create a System Management container by using ADSI Edit.
3. Assign Full Control permissions to the site server for the System Management container.
Task 1: Run EXTADSCH on the domain controller
1. On LON-DC1, open File Explorer, navigate to the \\LON-CFG\E$\ConfigMgr2012R2\SMSSETUP\BIN\X64 folder, and then locate and run extadsch.exe.
2. Browse to drive C, open the ExtADSch.log file created in the root of drive C, and then verify the success of the operation by observing the classes and attributes added to AD DS and the message that confirms the schema’s successful extension.
Task 2: Create a System Management container by using ADSI Edit
1. On LON-DC1, in the Run dialog box, type adsiedit.msc, and then click OK.
2. In the Active Directory Service Interfaces (ADSI) Edit console, connect to the default naming context.
3. In the ADSI Edit console, expand Default naming context [LON-DC1.Adatum.com], expand the DC=Adatum,DC=Com container, and then select the CN=System container.
4. Create an object under CN=System with the type container and the name System Management.
5. In the ADSI Edit console, verify that CN=System Management container appears in the results pane, and then close the console.
Task 3: Assign Full Control permissions to the site server for the System Management container
1. Open the Active Directory Users and Computers console, and then from the View menu, verify that Advanced Features is selected.
2. Under the System container, browse to the System Management container, and then access its Properties.
3. On the Security tab, assign Full Control permission to the LON-CFG server, and then click Advanced.
4. In the Advanced Security Settings for System Management dialog box, edit the entry for the LON-CFG computer so Full Control permission will apply to This object and all descendant objects, and then click OK.
5. Close all dialog boxes with OK.
6. Close the Active Directory Users and Computers console.
Note: After the installation, the Configuration Manager 2012 site server will publish information in the System Management container. This enables clients to determine their assigned site and locate their management point.
Results: At the end of this exercise, you should have extended the Active Directory schema, created the
System Management container, and assigned permissions to the Configuration Manager server.
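The permission assigned in Task 3 can be checked from PowerShell instead of the console. The following is an added example, not part of the course material: the function name Test-SystemManagementAcl is hypothetical, the defaults are the lab values from this page (Adatum.com, LON-CFG), and it assumes the ActiveDirectory module is available on the computer where it runs.

```powershell
# Added example: audit the ACL on CN=System Management for the site server.
# Assumptions: ActiveDirectory module (RSAT) is installed; the default values
# are the lab names used on this page.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Test-SystemManagementAcl {
    param(
        [string]$DomainDN   = 'DC=Adatum,DC=com',
        [string]$SiteServer = 'LON-CFG'
    )

    $containerDN = "CN=System Management,CN=System,$DomainDN"
    try {
        Get-ADObject -Identity $containerDN -ErrorAction Stop | Out-Null
    } catch {
        throw "Container not found: $containerDN"
    }

    # Computer accounts appear in ACLs as DOMAIN\NAME$.
    $netbios = (Get-ADDomain -Identity $DomainDN).NetBIOSName
    $trustee = "$netbios\$SiteServer`$"

    # Full Control is GenericAll; the second mask covers rights that allow
    # creating, changing or re-permissioning objects in the container.
    $fullControl = [int]([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    $writeMask   = [int]([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner')

    # Only entries set directly on the container, not inherited ones.
    $acl      = Get-Acl -Path "AD:\$containerDN"
    $explicit = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
    })

    # The entry the lab creates for the site server computer account.
    $siteServerAce = @($explicit | Where-Object {
        $_.IdentityReference.Value -eq $trustee -and
        (([int]$_.ActiveDirectoryRights) -band $fullControl) -eq $fullControl
    })

    # "This object and all descendant objects" is InheritanceType 'All'.
    $coversDescendants = @($siteServerAce | Where-Object {
        $_.InheritanceType -eq 'All'
    }).Count -gt 0

    # Every other principal with explicit write-type rights, for review.
    $otherWriters = @($explicit | Where-Object {
        $_.IdentityReference.Value -ne $trustee -and
        (([int]$_.ActiveDirectoryRights) -band $writeMask) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]@{
        Container            = $containerDN
        Trustee              = $trustee
        HasFullControl       = ($siteServerAce.Count -gt 0)
        AppliesToDescendants = $coversDescendants
        OtherExplicitWriters = $otherWriters
    }
}

Test-SystemManagementAcl | Format-List
```

If step 4 of Task 3 was skipped, HasFullControl is True while AppliesToDescendants is False, because the entry then applies to the container only. OtherExplicitWriters lists the remaining accounts that can write to the container, which is the data clients read to find their site and management point.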
Exercise 3: Installing a Configuration Manager 2012 Stand-Alone Primary Site
Scenario
After you verify that you have installed all prerequisites, and you have extended the AD DS schema, you need to install Configuration Manager 2012 in a stand-alone primary site.
The main tasks for this exercise are as follows:
1. Run the setup for Configuration Manager 2012.
2. Install a Configuration Manager 2012 stand-alone primary site.
3. To prepare for the next lab.
Task 1: Run the setup for Configuration Manager 2012
1. On LON-CFG, open File Explorer, and then navigate to the E:\ConfigMgr2012R2\ folder.
2. Double-click splash.hta, and then click Microsoft (R) HTML Application host.
Task 2: Install a Configuration Manager 2012 stand-alone primary site
1. On the System Center 2012 R2 Configuration Manager Setup window, click Install. The Microsoft System Center 2012 Configuration Manager Setup Wizard starts.
2. Use the following settings to install a stand-alone primary site:
   a. On the Getting Started page, select Install a Configuration Manager primary site.
   b. On the Product Key page, select Install the evaluation edition of this product.
   c. On the Microsoft Software License Terms page, accept the license terms.
   d. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept these License Terms. Under Microsoft SQL Server 2012 Native Client, select I accept these License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms and automatic updates of Silverlight.
   e. On the Prerequisite Downloads page, select Use previously downloaded files, and then specify the E:\ConfigMgr2012R2\Redist as the location.
   f. On the Server Language Selection and Client Language Selection pages, verify that English is selected.
   g. On the Site and Installation Settings page, configure the following options:
      • Site code: LON
      • Site name: Adatum Site
      • Install the Configuration Manager console: selected
   h. On the Primary Site Installation page, select Install the primary site as a stand-alone site.
   i. On the Database Information page, accept the default settings.
   j. On the SMS Provider Settings page, accept the default settings.
   k. On the Client Computer Communication Settings page, select Configure the communication method on each site system role.
   l. On the Site System Roles page, verify that a management point and a distribution point will be installed on LON-CFG.Adatum.com.
   m. On the Customer Experience Improvement Program Configuration page, select I don’t want to join the program at this time.
   n. On the Settings Summary page, click Next.
   o. On the Prerequisite Check page, wait for the prerequisite check to finish, and then click Begin Install.
3. Wait for the installation to finish, and then close the wizard.
Note: The installation may take up to 30 minutes.
Task 3: To prepare for the next lab
• When you finish the lab, leave the virtual machines running.
Results: At the end of this exercise, you should have installed System Center 2012 Configuration Manager in a stand-alone primary site.
Question: What prerequisites are required for installing a stand-alone Configuration
Manager primary site?
Question: To validate server readiness for installation, Prerequisite Checker verifies
prerequisites for which components?
Question: What user rights are required to extend the Active Directory schema?
Question: What setup options are available in the Configuration Manager 2012 Setup
Wizard?
Lesson 4
Performing Post-Setup Configuration Tasks
You can verify the successful installation of System Center 2012 Configuration Manager by starting the Configuration Manager console, reviewing the installation logs, and then reading the status messages. Additionally, you need to perform initial site configuration by defining the boundaries and boundary groups, and by installing optional, additional site roles.
Lesson Objectives
After completing this lesson, you will be able to:
• Verify a Configuration Manager 2012 primary site installation.
• View and interpret status messages.
• Configure status summarizers.
• Configure boundaries and boundary groups.
• Configure Active Directory Forest Discovery.
• Install additional site system roles.
• Describe performing post-configuration tasks.
Verifying the Configuration Manager 2012 Installation
You can perform the following actions to verify the Configuration Manager 2012 installation:
1. Use the Services console to verify that the SMS Executive and related services have started.
2. Start the Configuration Manager console. This verifies that the default site components are functioning correctly. If the console cannot connect, verify that you are logged on with the same account that you used for Setup.
3. View the installation logs:
   o ConfigMgrPrereq.log. Prerequisite checker generates this log, regardless of whether you run it stand-alone or as part of Setup.
   o ConfigMgrSetup.log. Configuration Manager Setup Wizard generates this log, which is the primary setup log. Look here to identify any abnormal errors that the wizard encountered during Setup. For example, when you run Setup, the wizard attempts to connect to the database. Since the database does not exist at this point, this action generates an error.
   o ConfigMgrSetupWizard.log. The Setup Wizard generates this log.
   o ConfigMgrAdminUI.log. The console setup generates this log. Because installing the console is not mandatory, this is a separate log.
4. View the Status Messages in the Monitoring section.
Viewing Status Messages
All major Configuration Manager components generate status messages.
One way to use status messages is to validate a Configuration Manager installation and its core component functionality. You can find status messages in the Monitoring workspace at the following nodes:
• Site Status
• Component Status
After selecting a site system or component, use the Status Messages Viewer to view the associated status messages. Start this application by clicking Show Messages in the ribbon.
Status messages can also be viewed using status message reports.
Overview of Status Summarizers
Status messages help you track data flow through the Configuration Manager components. State messages represent a client’s point-in-time condition. You can use the status message viewer to read status messages, but there is no such equivalent for state messages. State messages are seen largely in reports, various data in the console (such as number of systems needing an update), or the client logs themselves.
Browsing through all status messages can be a tedious task. Configuration Manager aggregates status messages by using status summarizers that determine the overall health of each component.
There are four status summarizers:
• Application Deployment Summarizer, which aggregates state messages that clients generate when involved in deploying applications.
• Application Statistics Summarizer, which aggregates information about status messages for application deployment.
• Component Status Summarizer, which aggregates status messages that site-system components generate.
• Site System Status Summarizer, which aggregates status messages that site systems generate.
Additional tools for working with status messages are:
• Status filter rules, which control the processing of status messages based on both built-in rules that you can modify and on rules that you create.
Configuring Boundaries and Boundary Groups
A boundary is an intranet network location that can contain one or more devices that you want to manage. There are multiple ways to define boundaries, and a hierarchy can have boundaries that you define by using any combination of the available methods. Boundary information is stored as global data and, as such, replicates throughout the hierarchy. To use boundaries for Configuration Manager operations, you must add them to boundary groups.
Internet-based clients or clients that you configure as Internet-only clients do not use boundary information. Because these clients cannot use automatic site assignment, when you configure the distribution point to allow client connections from the Internet, they download content from any distribution point in their assigned site.
Boundaries
Each boundary represents a network location in your hierarchy. A boundary does not enable you to manage clients at the network location. You can use it to identify available network locations. To manage a client, the boundary must be a member of a boundary group.
You can define a boundary by using an:
• IP subnet. You can specify an IP address and subnet mask, and then Configuration Manager calculates the subnet ID or you can provide the subnet ID.
  Note: Configuration Manager does not support the use of supernetworks for boundaries. If you try to use a supernetwork address, Configuration Manager changes it to a class A, class B, or class C subnet.
• Active Directory site name. You can specify any sites that you define in your AD DS environment.
• IPv6 Prefix. You can use an IPv6 prefix for a boundary if you are using IPv6 in your environment.
• IP address range. You can specify a range of IP addresses if you want to limit your boundaries.
An administrator can create boundaries manually, or Configuration Manager 2012 can create IP address range boundaries automatically by using the Active Directory Forest Discovery method. We recommend that you use IP address ranges to define boundaries instead of using IP subnets, because IP address ranges do not rely on the subnet mask’s configuration being correct at the client.
Boundary Groups
Boundary groups contain one or more boundaries. They enable clients on the intranet to find an assigned
site and locate content.
Boundary groups are functionally equivalent to Configuration Manager 2007 boundaries, and are
associated with sites. Clients use them to identify the site to which they are assigned, and use them to
locate content.
Site Assignment
A client can use boundary groups for automatic site assignment by finding an appropriate site to join, based on the client’s current network location. You must enable the Use this boundary group for site assignment setting to enable automatic site assignment to use a particular boundary. This setting is in the boundary group’s Properties dialog box on the References tab. When you enable a boundary group for automatic site assignment, you also can configure the site to which you want to assign the clients.
Configuration Manager publishes boundary group information to AD DS, and the client queries them after installation. After a client receives a site assignment, the client does not change that site assignment automatically. For example, a client’s site assignment does not change if that client roams to a network location represented by a boundary in the boundary group of a site other than the client’s assigned site.
Content Location
Clients also use boundary groups to identify available distribution points or state migration points,
based upon the client’s current network location. When configuring a boundary group, you specify the
distribution points and state migration points that clients use within one of the boundary group’s
boundaries.
When a client requests content, it retrieves a list of all distribution points that contain the content from
all the boundary groups of which the client is a member. The client then downloads the content from the
distribution point that is the best choice, based on the boundary and its speed.
Overlapping Boundary Groups
There might be situations where you want a boundary to be in multiple boundary groups. While this
configuration works well with content location, you might get unpredictable results if you overlap
boundaries in boundary groups that you are using for site assignment. Therefore, Configuration Manager
2012 does not support overlapping boundary groups for site assignment.
Depending on your environment’s complexity, you might decide to create two sets of boundary groups—
one for site assignment and one for content location. This enables you to configure the boundary groups
for content location to contain overlapping boundaries and not affect site assignment.
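The overlap rule above can be checked before boundary groups are enabled for site assignment. The following is an added example, not part of the course material: the function names, the boundary and group names other than London Clients, and the second site code XYZ are hypothetical, and the address ranges are constructed sample data. It reports IP address range boundaries that overlap across groups used for site assignment and ignores groups used only for content location.

```powershell
# Added example: find IP address range boundaries that overlap across boundary
# groups enabled for site assignment. All sample data below is constructed.

function ConvertTo-UInt32 ([string]$Ip) {
    # Assumes a little-endian host, which holds for Windows on x86/x64.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 ([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Find-SiteAssignmentOverlap {
    param([hashtable]$Boundaries, [object[]]$Groups)

    # One row per (group, boundary) pair, limited to site-assignment groups.
    $rows = @(foreach ($g in ($Groups | Where-Object { $_.SiteAssignment })) {
        foreach ($name in $g.Members) {
            $b = $Boundaries[$name]
            [pscustomobject]@{
                Group    = $g.Name
                Site     = $g.Site
                Boundary = $name
                Lo       = (ConvertTo-UInt32 $b.Start)
                Hi       = (ConvertTo-UInt32 $b.End)
            }
        }
    })

    for ($i = 0; $i -lt $rows.Count; $i++) {
        for ($j = $i + 1; $j -lt $rows.Count; $j++) {
            $a = $rows[$i]; $b = $rows[$j]
            if ($a.Group -eq $b.Group) { continue }   # same group is fine
            # Two ranges overlap when each starts before the other ends.
            # A boundary placed in two groups overlaps itself and is reported.
            if ($a.Lo -le $b.Hi -and $b.Lo -le $a.Hi) {
                [pscustomobject]@{
                    GroupA    = "$($a.Group) [$($a.Site)]"
                    BoundaryA = $a.Boundary
                    GroupB    = "$($b.Group) [$($b.Site)]"
                    BoundaryB = $b.Boundary
                    From      = ConvertFrom-UInt32 ([Math]::Max($a.Lo, $b.Lo))
                    To        = ConvertFrom-UInt32 ([Math]::Min($a.Hi, $b.Hi))
                }
            }
        }
    }
}

# Constructed sample data: three range boundaries and three boundary groups.
$boundaries = @{
    'London-LAN'  = @{ Start = '10.10.0.1';   End = '10.10.0.254' }
    'London-WiFi' = @{ Start = '10.10.0.200'; End = '10.10.1.50'  }
    'Branch-LAN'  = @{ Start = '10.10.2.1';   End = '10.10.2.254' }
}
$groups = @(
    [pscustomobject]@{ Name = 'London Clients';   SiteAssignment = $true;  Site = 'LON'; Members = @('London-LAN') }
    [pscustomobject]@{ Name = 'Wireless Clients'; SiteAssignment = $true;  Site = 'XYZ'; Members = @('London-WiFi', 'Branch-LAN') }
    [pscustomobject]@{ Name = 'London Content';   SiteAssignment = $false; Site = $null; Members = @('London-LAN', 'London-WiFi') }
)

Find-SiteAssignmentOverlap -Boundaries $boundaries -Groups $groups | Format-Table -AutoSize
```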
Network Connection Speed
When you add a distribution point to a boundary group, you specify whether it is Fast or Slow for the
boundary group to which you are adding it. By default, distribution points are Fast. Clients use this value
when determining the distribution point to which to connect. The network connection speed and the
deployment configuration determine whether a client can download content from a distribution point
when the client is in an associated boundary group.
Question: After defining a boundary, what should you do next?
What Is Active Directory Forest Discovery?
Active Directory Forest Discovery discovers IP
subnets and Active Directory sites from AD DS,
and can add them to the Configuration Manager
hierarchy as IP address-range boundaries or
Active Directory site boundaries. You can use
these boundaries in boundary groups, which
Configuration Manager clients use for site
assignment or for content location.
Unlike other discovery methods, Active Directory
Forest Discovery does not discover resources that
you can manage, such as computers, users, or
groups.
Active Directory Forest Discovery configuration options are in the System Center 2012 Configuration Manager console’s Administration workspace under the Hierarchy Configuration node, and include:
• Discovery Methods. You can enable Active Directory Forest Discovery in the hierarchy. You also can configure a simple schedule to run discovery, and specify whether it should create boundaries automatically from the IP subnets and Active Directory sites that Configuration Manager discovers in the Active Directory Forest(s). You cannot run Active Directory Forest Discovery at a secondary site, but you can trigger a discovery cycle on demand.
• Active Directory Forests. Here you configure the additional Active Directory forests that you want to discover, specify the account to use as the Active Directory Forest Account for each forest, and configure publishing to each forest. Additionally, you can specify the discovery of IP subnets and Active Directory sites.
The following information is published to AD DS when you enable publishing for an Active Directory forest if the schema was previously extended and configured for Configuration Manager publishing:
• SMS-Site-<site code>
• SMS-MP-<site code>-<site system server name>
• SMS-<site code>-<Active Directory site name or subnet>
To publish data into AD DS, each site server must have full permissions on the System Management
container and all descendant objects. Secondary sites always use the computer account of the secondary
site server to publish to AD DS. Therefore, you must ensure that secondary site servers have full
permissions.
You can configure Active Directory Forest Discovery at the central administration site or any primary site
in the hierarchy. To avoid conflicts with discovery data, you should not configure multiple sites to discover
the same Active Directory Forest.
Active Directory Forest Discovery actions are recorded in the following logs, which reside in the site server’s <InstallationPath>\Logs folder:
• All actions, with the exception of actions related to publishing, are in the ADForestDisc.log.
• Active Directory Forest Discovery publishing actions are in the hman.log.
Question: How does Configuration Manager use IP subnets that Active Directory Forest Discovery
locates?
Installing Site System Roles
To provide flexibility when determining the site role installation, you can install only management and distribution points during setup. You install other roles from the Configuration Manager console after performing a setup.
You will need to determine whether the roles are installed:
• On an existing site system, by using the Add Site System Roles Wizard.
• On a new site system, by using the Create Site System Server Wizard.
The two wizards are the same, except that you need to select an existing server and designate it as a new site system in the Configuration Manager site in the Create Site System Server Wizard. Conversely, you do not need to reconfigure the Add Site System Roles Wizard information on the General page. Please note that the Add Site System Roles Wizard does not list roles that are installed already on the site systems.
Demonstration: Performing Post-Configuration Tasks
In this demonstration, you will see how to configure Active Directory Forest Discovery to create boundaries based on AD DS sites, create a boundary group, and assign the new boundary. You also will see how to configure site system roles and install additional roles, and how to configure a management and distribution point.
Demonstration Steps
1. On LON-DC1, start the Active Directory Sites and Services console.
2. In the Active Directory Sites and Services console, under the Sites node, rename Default-First-Site-Name to London.
3. Under the Subnets node, create a subnet for 10.10.0.0/24, and then assign it to the London site.
4. Close the Active Directory Sites and Services console.
5. On LON-CFG, open the Configuration Manager console, in the Administration workspace, expand Hierarchy Configuration, and then select Discovery Methods.
6. In the results pane, access the properties for Active Directory Forest Discovery, and then select the Enable Active Directory Forest Discovery and Automatically create Active Directory site boundaries when they are discovered check boxes.
7. In the Configuration Manager console, in the Active Directory Forests node, access the Properties of Adatum.com. Review the settings, and then close the dialog box.
8. Under the Boundaries node, access the Properties of the created boundary. Review the settings, and then close the dialog box.
9. In the Configuration Manager console, select the Boundary Groups node, and then on the ribbon, click Create Boundary Group.
10. Create a boundary group with the following settings:
   o Name of the boundary group: London Clients
   o Add the London boundary.
   o On the References tab, select the option Use this boundary group for site assignment.
   o Add \\LON-CFG.Adatum.com as the site system server.
11. In the Configuration Manager console, under Site Configuration, select the Servers and Site System Roles node.
12. Select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and then click Add Site System Roles.
13. In the Add Site System Roles Wizard, use the following settings to install the site system roles:
   o On the General page, verify that the Name for the site server is LON-CFG.Adatum.com.
   o On the System Role Selection page, select Fallback status point and Reporting services point.
   o On the Fallback Status Point page, accept the default settings.
   o On the Reporting services point page, use the Verify button to validate access to the database.
   o Under User name click Set, New Account, and then specify the following credentials:
      • User name: ADATUM\Administrator
      • Password: Pa$$w0rd
      • Confirm password: Pa$$w0rd
14. Complete the wizard by accepting the default settings.
15. In the Configuration Manager console, select \\LON-CFG.Adatum.com.
16. In the preview pane, access the Properties for the Management point.
17. Select the option Generate alert when the management point is not healthy, and then close the dialog box.
18. In the preview pane, access the Properties for the Distribution point.
19. On the Boundary Groups tab, verify that the London Clients boundary group you have created previously appears in the list, and then close the dialog box.
Note: The association between the distribution point and the boundary group was created when you added the site system to the boundary group in a previous task.
Lesson 5
Tools for Monitoring and Troubleshooting a Configuration Manager Site
You were introduced to the status messages feature when you validated the installation of the System
Center 2012 Configuration Manager primary site. All major Configuration Manager components generate
status messages that you can use to monitor and troubleshoot your installations.
In this lesson, you will review additional features that pertain to status messages, such as status
summarizers, status filter rules, and status reports.
Configuration Manager site systems and components also generate detailed logs. In this lesson, you will
review the logs, and then identify the most appropriate log to use when troubleshooting a specific
feature.
You will also examine the Configuration Manager console, which includes features that you can use
for monitoring and alerting.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe using the Configuration Manager 2012 logs for troubleshooting.
• Describe using the monitoring features in the Configuration Manager 2012 console.
• Configure alerts and subscriptions for site system processes.
Using Configuration Manager Logs for Troubleshooting a Configuration Manager Site
System Center 2012 Configuration Manager site systems and clients generate logs that you can use for troubleshooting your deployment.
There are three types of logs:
• Setup logs. The Setup Wizard generates setup logs in the root of the %SystemDrive%.
• Site server logs. Site systems and components generate site server logs in the InstallationPath\LOGS folder. On computers that serve as management points or Fallback Status Points, some log files are located in the %ProgramFiles%\SMS_CCM\Logs folder.
• IIS logs. Several roles, such as the management point and distribution point, use IIS. The IIS log file is in the %Windir%\System32\logfiles\W3SVC1 folder on the IIS server.
The Configuration Manager Trace Log Tool (CMTrace.exe) is an add-on tool that you can use to view
logs, quickly locate warnings and errors, and view the latest real-time updates to logs. The Configuration
Manager Trace Log Tool is a stand-alone executable file in the installation media\SMSSETUP\TOOLS folder
or in the installation path\TOOLS folder.
You can use this tool to view and monitor log files, including:
• Log files in all Configuration Manager versions.
• Plain ASCII or Unicode text files, such as Windows Installer logs.
Log files
Most processes and roles generate their own log files. The following table lists the log files that pertain to
installation and default roles, including the management and distribution points.
Log file | Description
--- | ---
compmon.log | Located in the InstallationPath\LOGS folder. This log file records the status of the component threads.
compsumm.log | Located in the InstallationPath\LOGS folder. This log file records Component Status Summarizer tasks.
ComRegSetup.log | Located in the InstallationPath\LOGS folder. This log file records the initial installation of COM registration results.
ConfigMgrAdminUISetup.log | Located in the root of the %SystemDrive%. This log file records the installation of the Configuration Manager console.
ConfigMgrPrereq.log | Located in the root of the %SystemDrive%. This log file records the results of the prerequisites checker.
ConfigMgrSetup.log | Located in the root of the %SystemDrive%. This log file records the installation of the Configuration Manager server.
ConfigMgrSetupWizard.log | Located in the root of the %SystemDrive%. This log file records the progress of the Configuration Manager Setup Wizard.
distmgr.log | Located in the InstallationPath\LOGS folder. This log file records package creation, compression, delta replication, and information updates.
hman.log | Located in the InstallationPath\LOGS folder. This log file records site configuration changes and publishing of site information in AD DS.
mpcontrol.log | Located in the InstallationPath\LOGS folder. This log file records the availability of the management point every 10 minutes.
mpfdm.log | Located in the InstallationPath\LOGS folder. This log file records the activity of the management point component that moves client files to the corresponding INBOXES folder on the site server.
mpMSI.log | Located in the InstallationPath\LOGS folder. This log file records details about the management point installation.
MPSetup.log | Located in the InstallationPath\LOGS folder. This log file records the management point installation wrapper process.
PerfSetup.log | Located in the InstallationPath\LOGS folder. This log file records the results of the installation of performance counters.
sitecomp.log | Located in the InstallationPath\LOGS folder. This log file records the installation of site system roles, as well as maintenance of the installed site components.
sitectrl.log | Located in the InstallationPath\LOGS folder. This log file records site setting changes made to site control objects in the database.
sitestat.log | Located in the InstallationPath\LOGS folder. This log file records the availability and disk space monitoring activity for all site systems.
smsdbmon.log | Located in the InstallationPath\LOGS folder. This log file records database changes.
smsexec.log | Located in the InstallationPath\LOGS folder. This log file records the processing of all site server component threads.
SMSProv.log | Located in the InstallationPath\LOGS folder. This log file records WMI provider access to the site database.
statesys.log | Located in the InstallationPath\LOGS folder. This log file records the processing of system state messages.
statmgr.log | Located in the InstallationPath\LOGS folder. This log file records the writing of all status messages to the database.
Note: For a full list of logs that the Configuration Manager site server and site system roles
generate, refer to the Additional Reading link in the Course Companion Content at
http://www.microsoft.com/learning/companionmoc/.
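An added example, not part of the course material: a Python script that does offline the triage described above for the Configuration Manager Trace Log Tool, pulling warnings and errors out of a log and counting them per component. The two line layouts, the keyword heuristic for lines that carry no severity field, and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines, not taken from a real site. Both line layouts are
# assumptions about how Configuration Manager components write their logs:
#   legacy : message  $$<component><date time><thread=N (0xHEX)>
#   tagged : <![LOG[message]LOG]!><time=".." date=".." component=".." type="N" ..>
SAMPLE_LOG = """\
INFO: Constructed sample: prerequisite check started  $$<Configuration Manager Setup><03-04-2014 09:00:00.000+000><thread=2000 (0x7D0)>
WARN: Constructed sample: free disk space is low  $$<Configuration Manager Setup><03-04-2014 09:00:02.250+000><thread=2000 (0x7D0)>
Constructed sample: HTTP test request succeeded, status code 200  $$<SMS_MP_CONTROL_MANAGER><03-04-2014 10:00:01.120+000><thread=4312 (0x10D8)>
Constructed sample: HTTP test request failed, status code 500  $$<SMS_MP_CONTROL_MANAGER><03-04-2014 10:10:01.377+000><thread=4312 (0x10D8)>
this line matches neither layout and is skipped
<![LOG[Constructed sample: state message processed]LOG]!><time="10:12:40.002+000" date="03-04-2014" component="SampleComponent" context="" type="1" thread="2210" file="sample.cpp:10">
<![LOG[Constructed sample: request rejected,
detail continues on a second line]LOG]!><time="10:12:44.101+000" date="03-04-2014" component="SampleComponent" context="" type="3" thread="2210" file="sample.cpp:42">
"""

# DOTALL lets a tagged message span several physical lines.
TAGGED_RE = re.compile(
    r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
LEGACY_RE = re.compile(
    r"^(?P<msg>.*?)[ \t]*\$\$<(?P<component>[^>]*)><(?P<when>[^>]*)>"
    r"<thread=[^>]*>[ \t]*$", re.MULTILINE)

# Tagged lines carry an explicit type field (assumed 1/2/3 = info/warning/error).
TYPE_SEVERITY = {"1": "info", "2": "warning", "3": "error"}
# Legacy lines have no severity field, so fall back to keywords (a heuristic).
ERROR_WORDS = re.compile(r"\b(errors?|fail(?:ed|ure|s)?)\b", re.IGNORECASE)
WARN_WORDS = re.compile(r"\bwarn(?:ing|ings)?\b", re.IGNORECASE)


def keyword_severity(message):
    """Classify a legacy-layout message by keyword; errors win over warnings."""
    if ERROR_WORDS.search(message):
        return "error"
    if WARN_WORDS.search(message):
        return "warning"
    return "info"


def parse_log(text):
    """Return one dict per recognised record, in the order they appear."""
    found = []
    for m in TAGGED_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        found.append((m.start(), {
            "component": attrs.get("component", ""),
            "when": f'{attrs.get("date", "")} {attrs.get("time", "")}'.strip(),
            "severity": TYPE_SEVERITY.get(attrs.get("type"), "info"),
            # Collapse embedded newlines so each record prints on one line.
            "message": " ".join(m.group("msg").split()),
        }))
    for m in LEGACY_RE.finditer(text):
        message = m.group("msg").strip()
        found.append((m.start(), {
            "component": m.group("component"),
            "when": m.group("when"),
            "severity": keyword_severity(message),
            "message": message,
        }))
    return [record for _, record in sorted(found, key=lambda pair: pair[0])]


def triage(text):
    """Return (records that are not informational, counts per component/severity)."""
    flagged = [r for r in parse_log(text) if r["severity"] != "info"]
    counts = Counter((r["component"], r["severity"]) for r in flagged)
    return flagged, counts


if __name__ == "__main__":
    flagged, counts = triage(SAMPLE_LOG)
    for r in flagged:
        print(f'{r["when"]}  {r["severity"].upper():7}  {r["component"]}: {r["message"]}')
    for (component, severity), n in sorted(counts.items()):
        print(f"{component}: {n} {severity}")
```

To run it against a real file, pass the file's text to `triage()` instead of `SAMPLE_LOG`, after confirming the layout assumptions against a few lines of that log.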
Monitoring Features in the Configuration Manager Console
You can use the Configuration Manager
console to view aggregated information about
the health state of your Configuration Manager
infrastructure. This information is available in the
console’s Monitoring section.
You can use the Configuration Manager console
to:
• Configure the generation of alerts if site systems are not functioning.
• Create status message queries.
• Access the reports.
• View the diagram of your Configuration Manager hierarchy.
• View the aggregated health status of the site systems, site components, and deployments.
• View the health status of Configuration Manager clients.
• View the status of database replication between the sites in a hierarchy.
• View the content distribution status.
“Module 8: Maintaining and Monitoring System Center 2012 R2 Configuration Manager” provides more
detail about monitoring features.
Configuring Alerts and Subscriptions for Site System Processes
Configuration Manager generates alerts based on
predefined conditions. Typically, Configuration
Manager generates alerts when errors occur to
inform administrators of the error, which enables
them to fix it. You can configure alerts for client
status and Endpoint Protection operations per
collection. You also can use the following default
alerts that are available in Configuration Manager:
• Database replication component failed to run. Occurs when the database replication component is unable to replicate data between sites.
• Low sideloading activations. Occurs when there are fewer than 10 activations available for a sideloading key.
• Warning low free space alert for database on site. Occurs when the amount of free space in the database is less than 10 GB.
• Critical low free space alert for database on site. Occurs when the amount of free space in the database is less than 5 GB.
Note: You can change the thresholds for existing alerts.
The following table lists the events for which you can create alerts.
Alert | Events
--- | ---
Client health alerts | • Client check pass or no results for active clients falls below the threshold • Client remediation success falls below the threshold • Client activity falls below the threshold
Endpoint protection alerts | • Malware is detected • The same type of malware is detected on a number of computers • The same type of malware is repeatedly detected within the specified interval on a computer • Multiple types of malware are detected on the same computer within the specified interval
Site server alerts | • Deployments • Database replication • Database (drive capacity) • Low sideloading activations (Windows 8)
Site system alerts | • Software update point • Management point
You can view alerts in the Configuration Manager console, or you can subscribe to alerts, so that you can
receive them by email. To receive alerts by email, you must:
1. Configure alert email settings.
2. Configure alerts.
3. Subscribe to existing alerts.
Demonstration: View and Monitor Site Status
In this demonstration, you will see how to:
• View site status.
• Configure email settings for alerts.
• Configure collection alerts.
• Subscribe to alerts.
Demonstration Steps
1. Find all status messages with an ID of 5103 for the management point component.
2. Configure the site to use LON-CFG as a Simple Mail Transfer Protocol (SMTP) server for alert subscriptions.
3. Configure an alert to generate when client activity falls below 70 percent for the All Systems device collection.
4. Subscribe to the newly created alert.
Lab B: Performing Post-Setup Configuration Tasks
Scenario
You have installed a System Center 2012 Configuration Manager stand-alone primary site in the lab
environment.
You need to validate the installation and perform the initial site configuration.
Objectives
After completing this lab, you will be able to:
• Validate the installation of the Configuration Manager primary site.
• Perform the initial configuration of the primary site.
Lab Setup
Estimated Time: 15 minutes
Virtual Machines: 10748C-LON-DC1-A, 10748C-LON-CFG-A
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you use the available virtual machine environment. Before you begin the lab, you must ensure
the following virtual machines are still running:
• 10748C-LON-DC1-A
• 10748C-LON-CFG-A
Exercise 1: Validating the Installation of the Primary Site
Scenario
You need to examine the Site Status and Component Status nodes and review any error messages related
to the installations. You also need to view the installation logs that the Prerequisite Checker and
Configuration Manager setup create.
The main tasks for this exercise are as follows:
1. View the Site Status and Component Status.
2. View the status messages that pertain to the Configuration Manager 2012 installation.
3. View the installation logs.
Task 1: View the Site Status and Component Status
1. On LON-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Monitoring workspace, under the System Status\Site Status node, view the status of each site system role.
3. In the Component Status node, view the status of each component.
Task 2: View the status messages that pertain to the Configuration Manager 2012 installation
1. Select the Site Status node, and then in the results pane, select Site server.
2. On the ribbon, click the Show Messages button, and then click All.
3. In the Status Messages: Set Viewing Period dialog box, accept the defaults, and then click OK.
4. In the Configuration Manager Status Message Viewer for <LON> <Adatum Site>, double-click any message, and then review the details of the status message. Use the Next and Previous buttons to view additional status messages, and then close the Status Message Details dialog box.
5. Close the Configuration Manager Status Message Viewer window.
Task 3: View the installation logs
1. On LON-CFG, open File Explorer.
2. Navigate to drive C, and then open the ConfigMgrPrereq.log file located in the root folder. Review the file, note any errors or warnings reported by Prerequisite Checker, and then close the log file.
3. Open the ConfigMgrSetup.log file. Review the file, note any errors or warnings reported by Setup, and then close the log file.
Note: The root folder also stores the ConfigMgrSetupWizard.log. If you installed the
console, you should see ConfigMgrAdminUISetup.log.
Results: At the end of this exercise, you will have validated the installation of System Center 2012
Configuration Manager.
Exercise 2: Performing the Initial Configuration of the Primary Site
Scenario
You need to configure Active Directory Forest Discovery to create boundaries from the AD DS sites. Begin
by creating a new AD DS site in Active Directory Sites and Services, and then configure Active Directory
Forest Discovery in the Configuration Manager console.
Next, you will install new site system roles, such as Fallback Status Point and Reporting Services Point, and
then configure the management and distribution points.
The main tasks for this exercise are as follows:
1. Configure the London Active Directory site.
2. Configure Active Directory Forest Discovery to create a new boundary from the Active Directory site.
3. Configure a boundary group, and include the new boundary.
4. Install additional site system roles: the Fallback Status Point and Reporting Services Point.
5. Configure the management and distribution points.
6. To prepare for the next module.
Task 1: Configure the London Active Directory site
1. On LON-DC1, start the Active Directory Sites and Services console.
2. In the Active Directory Sites and Services console, under the Sites node, rename the Default-First-Site-Name site to London (without a space).
3. Under the Subnets node, create a subnet for 172.16.0.0/16, and then assign it to the London site.
4. Close the Active Directory Sites and Services console.
Task 2: Configure Active Directory Forest Discovery to create a new boundary from the Active Directory site
1. On LON-CFG, in the Configuration Manager console, in the Administration workspace, expand Hierarchy Configuration, and then select Discovery Methods.
2. In the results pane, access the properties for Active Directory Forest Discovery, and then select the Enable Active Directory Forest Discovery and Automatically create Active Directory site boundaries when they are discovered check boxes.
3. In the Configuration Manager console, under the Active Directory Forests node, access the Properties of Adatum.com. Review the settings, and then close the dialog box.
4. Under the Boundaries node, access the Properties of the London boundary. Review the settings, and then close the dialog box. You may need to refresh the console to see the London boundary.
Task 3: Configure a boundary group, and include the new boundary
1. In the Configuration Manager console, select the Boundary Groups node, and then on the ribbon, click Create Boundary Group.
2. Create a boundary group with the following settings:
   o Name of the boundary group: London Clients
   o Add the London boundary imported by Active Directory Forest Discovery.
   o On the References tab, select the option Use this boundary group for site assignment.
   o Add \\LON-CFG.Adatum.com as the site system server for content location.
Task 4: Install additional site system roles: the Fallback Status Point and Reporting Services Point
1. In the Configuration Manager console, under Site Configuration, select the Servers and Site System Roles node.
2. Select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and then click Add Site System Roles.
3. In the Add Site System Roles Wizard, use the following settings to install the site system roles:
   o On the General page, verify that the Name for the site server is LON-CFG.Adatum.com.
   o On the System Role Selection page, select Fallback status point and Reporting services point.
   o On the Fallback Status Point page, accept the default settings.
   o On the Reporting Services Point page, use the Verify button to validate access to the database.
   o Under User name, click Set, New Account, and then specify the following credentials:
      ▪ User name: ADATUM\Administrator
      ▪ Password: Pa$$w0rd
      ▪ Confirm password: Pa$$w0rd
4. Complete the wizard by accepting the default settings.
Task 5: Configure the management and distribution points
1. In the Configuration Manager console, select \\LON-CFG.Adatum.com.
2. In the preview pane, access the Properties for the Management point.
3. Select the option Generate alert when the management point is not healthy, and then close the dialog box.
4. In the preview pane, access the Properties for the Distribution point.
5. On the Boundary Groups tab, verify that the London Clients boundary group you created previously appears in the list, and then close the dialog box.
Note: The association between the distribution point and the boundary group was created
when you added the site system to the boundary group in a previous task.
Task 6: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-A, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CFG-A.
Results: At the end of this exercise, you will have performed the initial configuration of a System Center
2012 Configuration Manager stand-alone primary site.
Question: Which logs can you use to validate an installation?
Question: What are status summarizers?
Question: When can you have overlapping boundaries for multiple boundary groups?
Module Review and Takeaways
Review Questions
Question: What site system roles can you configure during setup of a stand-alone primary
site?
Question: What tools can you use to troubleshoot Configuration Manager?
Tools
The tools in the following table are useful during the Configuration Manager 2012 deployment process.
Tool | Use for | Where to find it
--- | --- | ---
Prerequisite Checker | Validating the prerequisites for the Configuration Manager site server and roles installation | On the installation media
Setup Downloader | Downloading the client prerequisites | On the installation media
Configuration Manager Trace | Viewing the logs in an interactive mode, searching and filtering | On the installation media
Module 3
Planning and Configuring Role-Based Administration
Contents:
Module Overview
Lesson 1: Overview of Role-Based Administration
Lesson 2: Identifying IT Roles in Your Organization
Lesson 3: Configuring Role-Based Administration
Lab: Planning and Configuring Role-Based Administration
Module Review and Takeaways
Module Overview
Microsoft® System Center 2012 Configuration Manager and System Center 2012 R2 Configuration
Manager implement role-based access control (RBAC). With RBAC, you can use security roles, security
scopes, and collections to define access permissions for your administrative users.
This module shows you how to customize the security roles and scopes to match your specific
organizational requirements.
Objectives
After completing this module, you will be able to:
• Describe role-based administration concepts.
• Describe the process of identifying a typical information technology (IT) department’s job roles and identify its responsibilities and activities.
• Describe the process for creating new security roles and configuring scopes in Configuration Manager 2012 and System Center 2012 R2 Configuration Manager.
Lesson 1
Overview of Role-Based Administration
You can use role-based administration in Configuration Manager to centrally define security settings
and to delegate administrative tasks to users or groups. You can assign an administrative user one or
more security roles that represent a set of administration tasks. The security role includes all permissions
necessary to complete the tasks that relate to the role. For example, you can assign the Application
Deployment Manager security role to a user who will manage application deployments. This role
automatically grants permissions to deploy applications to computer devices or users.
You can further define the objects that a security role can administer, thereby limiting administrative
access to specific collections and security scopes. You can use a security scope to associate specific objects
with one or more administrative users. For example, you can give an administrator permission to deploy
only specific applications by associating those applications with a security scope, instead of permissions to
deploy all applications.
Administrative users can see only the objects that they have permission to manage, which the security
role, security scope, and collection define.
You can use the built-in security roles and scopes, or you can create your own custom security settings to
use throughout the hierarchy. When you create administrative users, you configure and replicate security
assignments throughout the central administration site and the hierarchy’s primary sites.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the benefits of role-based administration.
• Describe the functionality of security roles.
• Describe Configuration Manager’s built-in roles.
• Describe security scopes.
• Describe collections.
• Describe planning role-based administration.
Benefits of Role-Based Administration
The benefit of role-based administration is
that it allows organizations to be specific when
granting privileges to users who need to perform
tasks. Rather than assign a general role that
allows a user to perform many tasks across the
Configuration Manager deployment, you can use
role-based administration to grant users specific
privileges over specific securable objects. For
example, you can give a user the ability to deploy
specific apps to specific device collections, rather
than a more general permission to deploy any
app to any device collection.
In Configuration Manager, you manage role-based administration by creating administrative users. An
administrative user includes an Active Directory® Domain Services (AD DS) user or group account, one or
more security roles, one or more security scopes, and collections as necessary. The best practice is to
create an administrative user by specifying an AD DS security group. Then you can assign AD DS user
accounts to the security group by adding the accounts to the associated AD DS security group. Security roles
are collections of permissions to perform administrative tasks. Security scopes are groups of securable
objects.
Role-based administration helps ensure that a user who connects by using the Configuration Manager
console or Windows PowerShell® can view and modify only those Configuration Manager objects that the
user has permission to manage. This reduces the chance that a user can perform unauthorized actions.
Role-based administration also simplifies the auditing of administrative actions, making it easier to
determine who performed a particular administrative task.
Security Roles
A security role is a group of permissions that are
necessary for performing specific administrative
tasks. The role consists of individual permissions
for each object type that an administrative user is
allowed to manage.
For example, the Application Administrator role
has a cumulative set of permissions that define
its security role. This role consists of a set of
individual permissions to manage a variety of
objects, including the following permissions for
application objects:
• Approve
• Create
• Delete
• Modify
• Modify Folder
• Move Object
• Read
• Modify Report
• Set Security Scope
You can use scopes and collections to limit access by administrative users to individual object instances
because the roles themselves do not specify user permissions for individual objects.
Configuration Manager includes 15 built-in roles that include permissions for executing typical tasks on
different types of objects.
You cannot modify or delete the built-in roles, but you can create custom roles to match special
administrative requirements.
Question: What are security roles?
Built-In Roles
Configuration Manager includes the 15 built-in
security roles that the following table lists. Each
role gives specific permissions to an administrative
user to perform actions on certain types of
objects.
Security role | Description
--- | ---
Application Administrator | Grants permissions: • That both the Application Author and Application Deployment Manager roles include. • To manage queries, read site settings, manage collections, and manage settings for user device affinity. • To manage Microsoft Application Virtualization (App-V) virtual environments.
Application Author | Grants permissions to: • Create, modify, and retire applications. • Manage packages and programs, and manage alerts for the applications. • Manage App-V virtual environments.
Application Deployment Manager | Grants permissions to: • View applications and manage deployments, alerts, templates, packages, and programs. • View collections and their members, status messages, queries, and conditional delivery rules.
Asset Manager | Grants permissions to manage hardware and software inventory, software metering, the Asset Intelligence sync point, and the Asset Intelligence reporting classes.
Company Resource Access Manager | Grants permissions to create, deploy, and manage company resource access profiles such as virtual private network (VPN), Wi-Fi, and certificate profiles to users and devices.
Compliance Settings Manager | Grants permissions to: • Create, modify, and delete configuration items and configuration baselines. • Deploy configuration baselines to collections, initiate compliance evaluation, and initiate remediation.
Endpoint Protection Manager | Grants permissions to perform tasks that are necessary to administer Endpoint Protection in Configuration Manager, including creating and deploying Endpoint Protection policies, alerts, and reports.
Full Administrator | Grants all permissions in Configuration Manager. The user who creates a new Configuration Manager installation is associated with this security role automatically.
Infrastructure Administrator | Grants permissions to: • Create, delete, and modify the Configuration Manager server infrastructure. • Perform migration tasks.
Operating System Deployment Manager | Grants permissions to: • Manage operating-system installation packages, images, task sequences, drivers, boot images, and state migration settings. • Create and deploy operating-system images to computers.
Operations Administrator | Grants permissions for all actions in Configuration Manager, with the exception of managing security of administrative users, security roles, security scopes, and collections.
Read-only Analyst | Grants Read permissions to all Configuration Manager objects.
Remote Tools Operator | Grants permissions to run the out-of-band management console, remote control, Windows Remote Assistance, and Remote Desktop Services.
Security Administrator | Grants permissions to add and remove administrative users and to associate those administrative users with security roles, security scopes, and collections.
Software Update Manager | Grants permissions to manage collections, software update groups, deployments, and templates.
Custom Security Roles
If a user performs tasks that relate to multiple roles, you can do one of the following:
• Add multiple security roles to the administrative user, as necessary.
• Create a custom security role that specifies the required permissions.
To create a custom security role, right-click an existing role, and then click Copy. Provide a new name, and
customize the permissions for the new security role.
Question: Which security role does Configuration Manager assign to you when you first install it?
Security Scopes
You can assign a securable object to one or more
security scopes, and then assign appropriate
security scopes to administrative users. This
enables you to specify the objects that the users
can view and manage within the Configuration
Manager console. When you create an
administrative user, you must assign at least one
security scope to provide administrative access to
objects. Configuration Manager contains two
built-in security scopes:
• All. Contains all securable objects. You cannot modify or delete this scope.
• Default. Enables you to associate securable objects.
Security scopes determine the securable objects that an administrative user can view and manage.
Securable objects include:
• Boundary groups
• Applications, packages, and deployments
• Boot images and operating-system images
• Task sequences
• Queries
• Sites
• Custom client settings
• Distribution points and distribution-point groups
• Software-update groups
• Software-metering rules
• Configuration items and configuration baselines
Creating Security Scopes
You can create custom security scopes to help control access to specific instances of securable objects. For
example, you can create one security scope for desktop administrators and another security scope for
server administrators. You then can associate specific applications with the appropriate security scope,
based on administrative requirements. This enables desktop administrators to view and manage only
applications that relate to their administrative role. Additionally, server administrators can view and
manage only applications that relate to their tasks.
To create a custom security scope, perform the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. Expand the Security node, and then click Security Scopes. The results pane displays all of the scopes
created for the hierarchy.
3. Right-click Security Scopes, and then click Create Security Scope.
4. Type a security scope name, and then assign administrative users as necessary.
To associate a security scope with an object, right-click one or more securable objects, and then click Set
Security Scopes. You then can select the security scopes that you want to associate with the specific
object.
Note: Computer and user objects are not assigned to scopes. Collections limit
administrative permissions to sets of computer or user objects. However, you can assign
collection objects to scopes.
Question: What is the purpose of the All security scope?
Collections
You can use collections to implement security
for user and computer objects separately from
other securable objects in Configuration Manager.
Administrative users must have collections
assigned to them to be able to manage the user
or device objects that those collections include.
The security roles that you assign to administrative
users limit the level of management that those
users have over those objects.
Collection rules determine membership in each
collection. There are four types of collection rules:
• Direct. Members are specified directly.
• Query. Members are determined by running a query against the Configuration Manager database.
The query is evaluated at each site.
• Include. Members are determined by specifying members of other collections to include.
• Exclude. Members are determined by specifying members of other collections to exclude.
If you assign either of the following built-in, read-only root collections to an administrative user, they
have administrative rights to all users and devices in the hierarchy:
• All Systems. This collection contains all devices discovered in a Configuration Manager hierarchy.
• All Users and User Groups. This collection contains all discovered users and user groups.
For example, consider the following scenario:
• The All Users and User Groups collection has 1,000 users.
• The All Systems collection has 1,000 computers.
• The Toronto Users collection contains only 20 users.
• The Toronto Systems collection contains only 20 systems.
You assign only the Toronto-based collections to a user. When the user opens the Configuration Manager
console, the following are visible:
• The 20 users from the Toronto Users collection
• The 20 systems from the Toronto Systems collection
• The Toronto-based collections assigned to the user
If you assign a user a security role that allows creating collections, the user can create new collections
where the limiting collection is one of the Toronto-based collections. The members of the new collections,
therefore, are a subset of one of the Toronto-based collections to which the user has been assigned a
security role.
Planning Role-Based Administration
Configuring role-based administration requires
careful consideration. When you plan to add an
administrative user, you must consider the security
roles, security scopes, and collections.
When planning security configuration, consider
the following factors:
• Security roles control what you allow an administrative user to do.
• Security scopes control the securable Configuration Manager objects that the administrative user
can administer.
• Collections control the users and devices that an administrative user can manage.
• You must assign an administrative user to at least one security scope.
• You can map each administrative user to separate security scopes and collections.
Question: How would you plan security roles, security scopes, and collections for a scenario in which you
are managing a remote location with local administrative users who:
• Need to be able to deploy applications, create collections for their users and devices, and run queries
and reports about their users.
• Should not be able to manage software updates for their location.
• Must be limited to managing users and devices in their location.
Discussion: Planning Role-Based Administration
Consider the following scenario: You are the
administrator for A. Datum Corporation. You need
to plan administrative permissions for application
administrators who are in London and Toronto.
London application administrators should be
able to:
• Configure applications used in London and Toronto.
• Deploy applications to desktop computers and users who are based in London and Toronto.
Toronto application administrators should be able to:
• Deploy applications to desktop computers and users based in Toronto.
You need to plan for security roles, security scopes, and collections. Assume that corresponding security
groups in AD DS exist.
Activity: Describe Roles, Security Scopes, and Collections
Use the following table or a separate piece of notepaper to describe the roles you would use and the
security scopes and collections that you need to create.
Security group | London Admins | Toronto Admins
Security role | |
Security scopes | |
Collections | |
Lesson 2
Identifying IT Roles in Your Organization
Organizations can have a variety of IT department structures with diverse sets of roles and responsibilities.
Role-based administration accommodates the various security models that organizations might use.
This lesson examines the process of identifying the roles and responsibilities in an IT department, and it
explores the process of matching those roles and responsibilities to the security roles that Configuration
Manager includes.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a typical IT department’s structure.
• Identify IT roles and responsibilities.
• Identify administrative scopes.
• Identify the need for custom collections.
• Match job roles to the existing built-in roles in Configuration Manager.
• Identify the need for additional roles.
• Discuss identifying roles, activities, and scopes.
Identifying an IT Department’s Structure
The first step in designing the security model for
your Configuration Manager implementation is to
identify the specific job roles and responsibilities
in your organization’s IT department and how
those job roles are structured.
For example, IT roles might include, but are not
limited to, the following:
• An IT manager, who manages the enterprise’s IT operations activities.
• Application administrators, who create application packages, perform and monitor
the application deployments, and configure content distribution on the infrastructure.
• Server administrators, who manage the server infrastructure of a Configuration Manager site.
• Desktop administrators and server administrators, who administer the desktops, deploy software
updates, and deploy operating systems.
• Helpdesk personnel, who provide support to users.
• Security and audit personnel, who administer security and perform audits, such as software-update
compliance audits.
• Asset management personnel, who perform asset inventory for hardware and software.
Note: The roles in the list above are examples only. The actual roles that your organization
uses may vary.
Question: Who is responsible for performing the software updates on desktops?
Question: Who is responsible for tracking the use of administrative privileges?
Question: Who is responsible for managing hardware and software inventory?
Identifying Job Roles and Responsibilities
What tasks do you want administrative users to
perform? This is the primary question that you
should ask yourself when you are determining
your organization’s roles and responsibilities.
After identifying the job roles in your IT
organization, you need to determine how the
built-in roles in Configuration Manager map
to the specific tasks that each job role in your
organization performs. These tasks might relate
to one or more groups of management activities,
including the following:
• Deploying applications and packages.
• Deploying operating systems.
• Deploying settings for compliance.
• Configuring sites and security.
• Auditing.
• Remotely controlling computers.
• Analyzing the inventory data and creating reports.
When designing your model of security roles, you must:
• Determine whether the Configuration Manager built-in roles allow you to perform the actions on
specific objects that each job role requires.
• Determine whether your organization has any regulatory or policy requirements.
• Discover any internal processes that might affect actions that each role needs. To do this, you can
adapt the security model to comply with your processes, or you can use the Configuration Manager
implementation as an opportunity to re-engineer and rationalize your internal processes.
Question: What is the next step you should take after identifying your organization’s roles?
Identifying Administrative Scopes
What is the best way to limit access to object
instances? You should answer this primary
question when you are determining whether
you need to create scopes. You can determine
whether to use security scopes by examining:
• The size of your organization.
• How your organization manages resources.
• The number of administrative teams your organization has.
Some small-to-medium organizations may not
require security scopes. Administrative users then
have access to all objects, dependent only on the permissions included in the associated roles. This is
more important in single primary-site implementation scenarios than in multiple-site hierarchies.
Typically, enterprise organizations that decide to implement a complex hierarchy are interested in
defining security scopes to limit administrative access.
To determine whether you need to use security scopes in your organization, first determine whether you
need to:
• Make some objects available to select administrative users.
• Manage some objects individually, but manage other objects in groups.
• Implement approval or deployment processes that your organization uses.
• Specify which administrative users will manage individual instances of objects.
Question: How can you determine whether you need to create custom scopes?
Identifying the Need for Custom Collections
You can use custom collections to limit
administrative access to specific instances of user
and device objects. When you determine which
custom collections to create, consider which user
and computer resources each administrative user
should manage.
When determining the custom collections that
you need to create to limit administrative scope,
you can identify existing segmentation criteria for
your organization’s users and devices, including
the:
• Internal structure of your organization, such as departments.
• Users and devices in the same geographic area as your organization.
• Numbers of servers versus desktops that your organization has.
• Unique characteristics of managed devices or users.
• Groups with special security requirements.
• Business processes that require different resource collections.
If different administrative users need to manage users and devices in each of these segments, then you
should create custom collections.
Note: Collections are discussed in more detail in Module 2, “Discovering and Organizing
Resources” in course 10747D: Administering System Center 2012 R2 Configuration Manager.
Question: How can you determine whether you need to create custom collections?
Mapping to Existing Built-in Roles in Configuration Manager
To better adapt the Configuration Manager
security model to your organization, compare the
job roles and responsibilities in your organization
with the built-in Configuration Manager security
roles. You then can match your IT functions with
the Configuration Manager security roles as
closely as possible.
You can analyze tasks that each administrative
user performs to help identify the corresponding
security role in Configuration Manager.
If some administrative users perform tasks that
multiple Configuration Manager security roles
define, you should directly assign these multiple security roles to these administrative users, rather than
create a new security role that combines all of the tasks. If instead you create a new security role that
combines all tasks, you could inadvertently grant some administrative users additional permissions to
perform tasks that you do not want them to perform.
If different administrative users are performing tasks that the same built-in Configuration Manager role
includes, then you may consider:
• Segregating the tasks by creating separate custom security roles.
• Using one built-in role for users, and using scopes or collections to limit user access to objects.
For example, say one administrative user in your organization performs application deployments on
desktops, while another administrative user performs application deployments on servers. You can assign
the Application Deployment Manager role to both users, and then limit their access to objects by:
• Placing different objects in scopes to which you give the administrative users permission.
• Using collections to limit their access to desktops and servers, respectively.
For example, you might try to map the typical IT department to the built-in Configuration Manager
security roles, which the following table describes.
IT role | Possible Configuration Manager security role mappings
IT Manager | Full Administrator | None
Application Administrators | Application Administrator | None
Server Administrators | Infrastructure Administrator | Operations Administrator
Desktop Administrators | OS Deployment Manager | Software Update Manager
Helpdesk | Endpoint Protection Manager | Remote Tools Operator
Security and Audit | Security Administrator | Compliance Settings Manager
Asset Management | Asset Manager | Read-only Analyst
Note: In some organizations, a desktop administrator may perform the same tasks that
the Endpoint Protection Manager role performs. However, in other organizations, a security
administrator may perform these tasks.
Question: Which job role in your organization is performing the tasks that the Endpoint Protection
Manager role specifies?
Identifying the Need for Additional Roles
In most cases, the built-in Configuration Manager roles satisfy an organization’s needs
with respect to security roles. If the tasks of the organizational roles that you identify do not
map to the actions of the built-in security roles, you need to create new security roles.
You do not need to create new security roles if you only need to limit some administrative
users’ access to specific resources. Instead, you can create custom scopes and custom
collections to address that issue.
Test any new security role by running the console
as the new administrative user that you have assigned to that role. This enables you to verify that the user
has access to the appropriate objects and corresponding permissions.
Each administrative user in Configuration Manager is associated with one or more of the following:
• Security roles that provide permissions to perform specific tasks on various types of objects.
• Security scopes that might limit administrative access to specific object instances.
• User or device collections that might limit administrative access to specific user or device resources.
Note: When you associate an administrative user with multiple security scopes, you
are granting that administrative user access to all object instances from each assigned scope. That
administrative user can perform all actions that their associated roles permit on all the object
instances associated with the assigned scopes. In other words, scopes are cumulative.
Discussion: Planning for Custom Roles, Scopes, and Collections
Consider the following scenario: You are the
administrator for A. Datum. You need to plan
for custom roles, scopes, and collections for the
administrative users who are based in London and
Toronto.
The administrative users in London must be
able to:
• Create and deploy applications to London users, desktops, and servers.
• Manage software updates on servers and desktops in all locations.
• Manage anti-malware protection on servers and desktops in all locations.
• Manage content on the distribution points in all locations.
The administrative users in Toronto must be able to:
• Create and deploy applications to Toronto users and desktops.
• Manage content on the Toronto distribution points.
Activity: Create Custom Roles, Scopes, and Collections
Fill in the following table (or use notepaper), providing the names and details (such as permissions) of
the custom roles, scopes, and collections that you need to create to fulfill the criteria that you listed
previously. Assume that the corresponding security groups in AD DS exist.
 | Names of new roles, scopes, and collections | Details
Custom roles | |
Custom scopes | |
Custom collections | |
Activity: Describe the Proposed Configuration
Fill in the following table with descriptions of your proposed configuration for roles, security scopes, and
collections.
Security group | Security roles | Security scopes | Collections
London Admins | | |
Toronto Admins | | |
Review Questions
Question: When would you need to create custom roles in a Configuration Manager implementation?
Question: When would you need to create custom scopes in a Configuration Manager implementation?
Question: When would you need to create custom collections in a Configuration Manager
implementation?
Lesson 3
Configuring Role-Based Administration
After determining the security roles that your organization uses, the next step in securing your
Configuration Manager environment is to implement those roles in Configuration Manager. Depending
on your requirements, you may need to create custom security roles and scopes.
This lesson examines the process of creating custom security roles and scopes. Additionally, this lesson
covers how to associate administrative users with roles, scopes, and collections.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the process for creating custom security roles.
• Describe the process for creating custom security scopes.
• Describe the process for adding administrative users to the security roles.
Creating Custom Security Roles
To create a custom security role in System Center
2012 Configuration Manager or System Center
2012 R2 Configuration Manager, you should make
a copy of an existing role that is the closest match
to your desired set of actions. You then must
modify the copy to meet your specific
requirements.
To create a custom security role, perform the
following procedure:
1. Select an existing role and click Copy on the ribbon.
2. Specify the name and description for the new security role.
3. You can specify individual permissions in the Customize the permissions for this copy of the security
role area by expanding each object type and then clicking Yes or No next to each individual
permission.
Because security roles are global data, any custom security roles that you create will be replicated to all of
the sites in your Configuration Manager hierarchy.
You can export your custom security role configurations by clicking the Export Security Role button on
the ribbon. Then the role definition is saved as an XML file that you can import into another Configuration
Manager environment or use to restore permissions after a site recovery.
Question: How can you create a custom security role?
Creating Custom Security Scopes
To limit access for administrative users to specific
instances of objects, you need to create a custom
security scope. You then can associate objects
with the new scope.
Create a Custom Security Scope
To create a custom security scope in
Configuration Manager, perform the following
procedure:
1. In the Configuration Manager console, select the Administration workspace.
2. In the navigation pane, expand the Security node, and then click the Security Scopes node.
3. Click the Create Security Scope button on the ribbon.
4. Type a name and a description, and then click OK.
Associate Objects with the Scope
After you create the custom security scope, you can associate objects with the scope by selecting the
objects, and then clicking the Set Security Scope button on the ribbon.
Because you can associate objects with multiple security scopes, administrative users may also obtain
permissions to manage specific objects when you assign them multiple security scopes. The effective
permissions they have on the objects depend on their associated security roles.
Question: How can you associate an object with a security scope?
Adding Administrative Users
The last step in configuring role-based
administration is to associate administrative users
and groups to the Configuration Manager security
roles, scopes, and collections.
To add an administrative user or group, perform
the following procedure:
1. In the Configuration Manager console, select the Administration workspace.
2. In the navigation pane, expand the Security node, and then click Administrative Users.
3. On the ribbon, click the Add User or Group button.
4. Next to User or group name, click the Browse button to select the user or group from AD DS.
5. To associate one or more Configuration Manager roles with the administrative user or group, under
Assigned security roles, click the Add button, and then select the role.
6. In the Assigned security scopes and collections area, select one of the following options:
   o All instances of the objects that are related to the assigned security roles. This option
     associates the administrative user with:
     ▪ The All security scope.
     ▪ The root-level built-in collections for All Systems, and All Users and User Groups.
     ▪ Choosing the All instances of the objects that are related to the assigned security roles
       option defines access to objects only by the security roles assigned to the user. Use this
       approach sparingly because it enables users to manage all objects. You can use the principle
       of least privilege by limiting users’ access to objects with security scopes and collections.
   o Only the instances of objects that are assigned to the specified security scopes or
     collections. Use this option to associate individual scopes and collections with the administrative
     user or group.
A best practice is to use groups when you need to assign the same security roles, scopes, and collections
to multiple administrative users, rather than adding each administrative user to a role individually.
All securable objects in Configuration Manager are associated by design with the All built-in security
scope. Administrative users whom you associate with this scope can manage all objects in Configuration
Manager; they are limited only by the permissions assigned to their associated security
roles. You can limit administrative users’ access to specific instances of objects by removing the All scope
and adding more specific scopes. Similarly, if you want to limit administrative users’ access to specific user
and group resources, you must remove the All Systems and All Users and User Groups collections from
the list, and then add more restrictive collections.
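The following sketch is an added illustration, not part of the course material or of Configuration Manager itself. It models how roles, scopes, and collections combine as described above, including the Toronto collection scenario and the limiting-collection rule from Lesson 1, and flags the unrestricted assignment that this section says to use sparingly. The permission actions (Read, Deploy), the Desktop and Server scope names, the sample objects and users, and all class and function names are assumptions made for the example.

```python
from dataclasses import dataclass

ALL_SCOPE = "All"  # built-in scope that contains every securable object
ROOT_COLLECTIONS = {"All Systems", "All Users and User Groups"}


@dataclass(frozen=True)
class Role:
    """Security role: the actions allowed per object type (simplified)."""
    name: str
    permissions: frozenset  # {(object_type, action), ...}


@dataclass(frozen=True)
class SecurableObject:
    """One object instance and the security scopes it is associated with."""
    name: str
    object_type: str
    scopes: frozenset


@dataclass(frozen=True)
class AdminUser:
    name: str
    roles: tuple
    scopes: frozenset
    collections: frozenset


def can_act(user, action, obj):
    """A role must grant the action AND an assigned scope must cover the instance."""
    role_allows = any((obj.object_type, action) in r.permissions for r in user.roles)
    # Scopes are cumulative: any one assigned scope that holds the object is enough.
    scope_covers = ALL_SCOPE in user.scopes or bool(user.scopes & obj.scopes)
    return role_allows and scope_covers


def visible_resources(user, collections):
    """Users and devices reachable through the collections assigned to the user."""
    members = set()
    for name in user.collections:
        members |= collections[name]
    return members


def create_collection(user, collections, name, limiting, wanted):
    """A new collection can only hold members of a limiting collection the user has."""
    if limiting not in user.collections:
        raise PermissionError(f"{user.name} is not assigned {limiting!r}")
    collections[name] = set(wanted) & collections[limiting]
    return collections[name]


def least_privilege_findings(user):
    """Flag assignments where only the security roles restrict the user."""
    findings = []
    if ALL_SCOPE in user.scopes:
        findings.append("All scope: every object instance is in reach")
    for root in sorted(ROOT_COLLECTIONS & user.collections):
        findings.append(f"{root}: every member of the hierarchy is in reach")
    return findings


# --- Constructed sample data (not taken from a real site) ---
APP_DEPLOY = Role("Application Deployment Manager",
                  frozenset({("Application", "Read"), ("Application", "Deploy")}))
DESKTOP_APP = SecurableObject("Desktop app", "Application", frozenset({"Desktop"}))
SERVER_APP = SecurableObject("Server app", "Application", frozenset({"Server"}))
UPDATE_GROUP = SecurableObject("Update group", "Software Update Group",
                               frozenset({"Desktop"}))
COLLECTIONS = {
    "All Systems": {f"PC{i:04d}" for i in range(1000)},
    "All Users and User Groups": {f"user{i:04d}" for i in range(1000)},
    "Toronto Systems": {f"PC{i:04d}" for i in range(20)},
    "Toronto Users": {f"user{i:04d}" for i in range(20)},
}
TORONTO = frozenset({"Toronto Systems", "Toronto Users"})
DESKTOP_ADMIN = AdminUser("desktop-admin", (APP_DEPLOY,),
                          frozenset({"Desktop"}), TORONTO)
TWO_SCOPE_ADMIN = AdminUser("two-scope-admin", (APP_DEPLOY,),
                            frozenset({"Desktop", "Server"}), TORONTO)
UNRESTRICTED = AdminUser("unrestricted-admin", (APP_DEPLOY,),
                         frozenset({ALL_SCOPE}), frozenset(ROOT_COLLECTIONS))

if __name__ == "__main__":
    for admin in (DESKTOP_ADMIN, TWO_SCOPE_ADMIN, UNRESTRICTED):
        reach = [o.name for o in (DESKTOP_APP, SERVER_APP, UPDATE_GROUP)
                 if can_act(admin, "Deploy", o)]
        print(admin.name, reach, len(visible_resources(admin, COLLECTIONS)),
              least_privilege_findings(admin))
```

Even the unrestricted user cannot deploy the update group, because the role grants nothing on that object type; scopes and collections narrow reach but never add permissions.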
Question: How do administrative users obtain permissions to individual object instances in Configuration
Manager?
Demonstration: Creating New Roles and Scopes
In this demonstration, you will see how to create a custom security role and a custom security scope.
Demonstration Steps
1. In the Configuration Manager console, in the Administration workspace, under the Security node,
select Security Roles.
2. Select an existing security role, such as the Application Administrator, to use as the source for the
new security role, and then on the ribbon, click Copy.
3. In the Copy Security Role dialog box, perform the following configurations:
   o In the Name box, type a name for the new custom security role.
   o Under Permissions, expand each node to display the existing permission settings, click the drop-down list next to the setting, and then select either Yes or No.
4. To save the new security role, click OK.
5. In the Configuration Manager console, in the Administration workspace, under the Security node,
select Security Scopes.
6. On the ribbon, click Create Security Scope.
7. In the Create Security Scope dialog box, type a name for the new security scope.
8. To save the new security scope, click OK.
Lab: Planning and Configuring Role-Based Administration
Scenario
You are the network administrator for A. Datum. You are reviewing role-based administration, and you
want to limit the scope of tasks that application administrators from different branch offices can perform.
Objectives
Objectives covered in the lab:
• Review built-in roles.
• Create new roles and scopes.
• Test the new roles by using a different user account.
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 10748C-LON-DC1-B, 10748C-LON-CFG-B
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-B, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 10748C-LON-CFG-B.
Exercise 1: Reviewing Built-in Security Roles and Scopes
Scenario
As the network administrator for A. Datum, you have completed the proof-of-concept deployment in
your lab environment. Now, you must evaluate the role-based administration features by reviewing the
built-in Configuration Manager security roles and scopes.
The main tasks for this exercise are as follows:
1. Review the default security roles and scopes.
2. Review the default permissions for a security role.
Task 1: Review the default security roles and scopes
1. On LON-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, expand the Security node,
and then click the Security Roles node.
3. Review the list of roles available in the results pane. Note that there are 15 built-in roles.
4. Under the Security Scopes node, review the list of scopes available in the results pane. Note there
are two built-in scopes: All and Default.
5. Under the Administrative Users node, select ADATUM\Administrator, and then review the
information in the preview pane. By default, the user who performed the Configuration Manager
setup is assigned the Full Administrator role, the All security scope, and the All Systems and All
Users and User Groups collections.
Task 2: Review the default permissions for a security role
1. In the Configuration Manager console, under the Security Roles node, access the Properties for the
Application Administrator role.
2. In the Application Administrator Properties dialog box:
   • On the General tab, examine the role description.
   • On the Administrative Users tab, note there are no users associated with this role. Additionally,
     note that you cannot add users from this property window.
   • On the Permissions tab, examine the permissions associated with this role. Expand each
     category, and then review the individual permissions. Note that you cannot modify the
     permissions for built-in roles.
3. Close the Application Administrator Properties dialog box.
Results: By the end of this exercise, you should have reviewed the built-in roles, including their associated
permissions, and the built-in security scopes.
Exercise 2: Creating Custom Security Roles and Scopes
Scenario
You have reviewed the built-in security roles, and you need to create custom security roles, security
scopes, and custom collections. Additionally, you need to test the functionality in the lab.
The main tasks for this exercise are as follows:
1. Create a new user and group for application administrators, and then add the user to the group.
2. Create a custom scope for the London application administrators.
3. Create a custom collection.
4. Create a custom security role for application administrators.
5. Add a new group of administrative users, and then assign a custom role and a custom scope.
Task 1: Create a new user and group for application administrators, and then add the user to the group
1. On LON-DC1, start the Active Directory Users and Computers console.
2. In the Active Directory Users and Computers console, create a new user in the Users container, with
the following attributes:
   o First name and User logon name: LondonAdmin
   o Password and Confirm password: Pa$$w0rd
   o Clear the User must change password at next logon check box.
3. In the Active Directory Users and Computers console, create a new group in the Users container,
named London Application Admins.
4. Access the properties of the London Application Admins group, and add the LondonAdmin user
account as a member.
5. Close the Active Directory Users and Computers console.
Task 2: Create a custom scope for the London application administrators
1. On LON-CFG, in the Configuration Manager console, in the Administration workspace, expand the
Security node, and then click the Security Scopes node.
2. On the ribbon, click Create Security Scope, and then create a security scope named London.
3. Under the Distribution Points node, select LON-CFG.ADATUM.COM, and then on the ribbon, click
Set Security Scopes.
4. Assign the London security scope to the distribution point.
Note: Do not remove the Default scope from the distribution point.
Task 3: Create a custom collection
1.
In the Configuration Manager console, in the Assets and Compliance workspace, click the Device
Collections node.
2.
On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts. Create a
device collection with the following attributes:
o
Name: London Servers
o
Limiting collection: All Systems
o
Create a Direct Rule and search for System Resources with a name like LON%.
o
Select LON-CFG as a direct member.
Task 4: Create a custom security role for application administrators
1. In the Configuration Manager console, in the Administration workspace, expand the Security node, and then click the Security Roles node.
2. Select Application Administrator, and then on the ribbon, click Copy.
3. In the Copy Security Role dialog box, use the following settings to create a new role:
   o Name: Application and Update Administrator
   o In the Permissions box, configure the following permissions by expanding each permission group and selecting Yes next to each individual permission:
      ▪ All permissions under Software Update Group
      ▪ All permissions under Software Update Package
      ▪ All permissions under Software Updates
Task 5: Add a new group of administrative users, and then assign a custom role and a custom scope
1. In the Configuration Manager console, under the Security node, click the Administrative Users node.
2. On the ribbon, click Add User or Group. Use the following information to configure the new administrative group:
   o Click Browse to select the London Application Admins group.
   o Assign the Application and Update Administrator security role.
   o Verify that the Only the instances of objects that are assigned to the specified scopes or collections option is selected.
   o Remove the existing collections and security scope.
   o Add the London security scope.
   o Add the London Servers collection by selecting Device Collections in the Select Collections dialog box.
3. In the Configuration Manager console, click Adatum\London Application Admins, and then review the information from the preview pane.
4. Close the Configuration Manager console.
Note: The users added to the London Application Admins group will have access only to
the Configuration Manager objects associated with the London scope and resources in the
London Servers collection.
Results: By the end of this exercise, you should have created a custom security scope, a custom collection,
and a custom security role.
Exercise 3: Testing the Permissions of the New Role
Scenario
You have created a custom security role, a security scope, and a custom collection, and you have assigned
them to an administrative user. You need to test the assigned permissions by logging in with the
administrative user.
The main tasks for this exercise are as follows:
1. Start the Configuration Manager console by using the London application administrator account.
2. Verify the permissions assigned to the new security role.
3. To prepare for the next module.
Task 1: Start the Configuration Manager console by using the London application administrator account
1. On LON-CFG, press the Shift key, and in the Start menu, right-click Configuration Manager Console, and then select Run as a different user.
2. Use LondonAdmin with the password Pa$$w0rd as credentials for the Configuration Manager console.
Task 2: Verify the permissions assigned to the new security role
1. In the Configuration Manager console, in the Assets and Compliance workspace, under the Device Collections node, verify that you can see only the London Servers collection.
2. Under the Devices node, verify that you can see only the resources associated to your collection.
3. In the Administration workspace, under the Distribution Points node, verify that you can see the LON-CFG.ADATUM.COM server.
4. Under the Security node, verify that you do not have access to the Administrative Users, Security Roles, or Security Scopes nodes.
5. Close the Configuration Manager console.
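The results that Task 2 checks follow from how the role, the security scope, and the collection combine. The following Python model is an added example, not part of the course material or of Configuration Manager. It assumes this evaluation rule: the role must cover the object type, and an object that can be scoped must share a security scope with the administrator. The role's object-type list is abbreviated, and NYC-DP.ADATUM.COM, LON-DC1 and NYC-PC1 as collection members, and Adatum\DefaultScopeAdmins are hypothetical additions to the lab's own objects.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set

# Object types that cannot be placed in a security scope: only the role decides access.
ROLE_ONLY_TYPES = {"Administrative User", "Security Role", "Security Scope"}


@dataclass(frozen=True)
class SecuredObject:
    name: str
    obj_type: str
    scopes: FrozenSet[str] = frozenset()


@dataclass
class AdminUser:
    name: str
    role_types: Set[str]   # object types on which the assigned role grants permissions
    scopes: Set[str]       # security scopes assigned to the administrative user
    collections: Set[str]  # collections assigned to the administrative user


def visible_objects(admin: AdminUser, objects: List[SecuredObject]) -> List[str]:
    """Names of the objects this administrative user can see."""
    names = []
    for obj in objects:
        if obj.obj_type not in admin.role_types:
            continue  # the role grants nothing on this object type
        if obj.obj_type not in ROLE_ONLY_TYPES and not (obj.scopes & admin.scopes):
            continue  # scoped object without a scope in common
        names.append(obj.name)
    return sorted(names)


def visible_devices(admin: AdminUser, membership: Dict[str, Set[str]]) -> List[str]:
    """Devices that are members of at least one collection assigned to the user."""
    seen: Set[str] = set()
    for collection in admin.collections:
        seen |= membership.get(collection, set())
    return sorted(seen)


def remove_scope(objects: List[SecuredObject], name: str, scope: str) -> List[SecuredObject]:
    """Copy of the object list with one scope removed from the named object."""
    return [replace(o, scopes=o.scopes - {scope}) if o.name == name else o for o in objects]


# Abbreviated, assumed list of object types covered by the copied role.
APP_AND_UPDATE_ADMIN = {"Application", "Collection", "Distribution Point",
                        "Software Update Group", "Software Update Package", "Software Updates"}

LONDON_ADMINS = AdminUser("Adatum\\London Application Admins", APP_AND_UPDATE_ADMIN,
                          {"London"}, {"London Servers"})
# Hypothetical second group that is limited to the built-in Default scope.
DEFAULT_ONLY_ADMIN = AdminUser("Adatum\\DefaultScopeAdmins", APP_AND_UPDATE_ADMIN,
                               {"Default"}, {"All Systems"})

OBJECTS = [
    SecuredObject("LON-CFG.ADATUM.COM", "Distribution Point", frozenset({"Default", "London"})),
    SecuredObject("NYC-DP.ADATUM.COM", "Distribution Point", frozenset({"Default"})),  # hypothetical
    SecuredObject("Application and Update Administrator", "Security Role"),
    SecuredObject("London", "Security Scope"),
    SecuredObject("Adatum\\London Application Admins", "Administrative User"),
]
# Constructed membership; only LON-CFG as a member of London Servers comes from the lab.
MEMBERSHIP = {"All Systems": {"LON-CFG", "LON-DC1", "NYC-PC1"}, "London Servers": {"LON-CFG"}}

if __name__ == "__main__":
    print(visible_objects(LONDON_ADMINS, OBJECTS))
    print(visible_devices(LONDON_ADMINS, MEMBERSHIP))
```

Calling visible_objects(DEFAULT_ONLY_ADMIN, remove_scope(OBJECTS, "LON-CFG.ADATUM.COM", "Default")) returns only the hypothetical NYC-DP.ADATUM.COM: removing the Default scope from the distribution point would hide it from administrators who are limited to that scope.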
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-B, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CFG-B.
Results: By the end of this exercise, you should have tested the new role permissions.
Question: What are the differences between the Application Administrator role and the
Software Update Manager role?
Question: What was the purpose of creating the Applications and Updates Administrator
custom role?
Question: What was the purpose of creating the London security scope?
Question: How did you assign permissions to administrators in London?
Module Review and Takeaways
Review Questions
Question: Which built-in role is able to perform software updates?
Question: How can you assign multiple security permissions to an administrative user?
Question: How can you limit an administrative user’s access to specific instances of objects
and resources?
Module 4
Planning and Deploying a Multiple-Site Hierarchy
Contents:
Module Overview
Lesson 1: Planning a Configuration Manager 2012 Multiple-Site Hierarchy
Lesson 2: Deploying a Configuration Manager 2012 Site
Lesson 3: Deploying the Central Administration Site
Lab A: Installing a Site Hierarchy
Lesson 4: Deploying Primary Sites in a Hierarchy
Lab B: Verifying a Site Hierarchy
Lesson 5: Deploying Secondary Sites
Lab C: Installing a Secondary Site
Module Review and Takeaways
Module Overview
You can implement a Microsoft® System Center 2012 Configuration Manager to accommodate the
requirements of a multiple-site hierarchy. For example, you can deploy to larger numbers of clients and
distributed administrative teams, and regulate the distribution of content.
In this module, you will review the criteria for installing a multiple-site hierarchy and learn about the
characteristics of the central administration site. You will also perform an installation of a multiple-site
hierarchy including the central administration site, multiple primary sites, and a secondary site.
Objectives
After completing this module, you will be able to:
• Describe the Configuration Manager 2012 hierarchy model, types of sites, and when to use each site type.
• Describe the role of the central administration site in a hierarchy.
• Install the central administration site.
• Install a primary site in an existing hierarchy.
• Install a secondary site.
Lesson 1
Planning a Configuration Manager 2012 Multiple-Site
Hierarchy
The System Center 2012 Configuration Manager hierarchy model accommodates a large variety of
deployment scenarios. In addition, it is a simpler hierarchy model than the one presented in Configuration
Manager 2007.
In this lesson, you will review the following types of sites, which you can implement in Configuration
Manager:
• Central administration sites
• Multiple primary sites
• Multiple secondary sites
You will examine the criteria you will use to decide whether to implement a multiple-site hierarchy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Configuration Manager 2012 hierarchy model.
• Describe the functionality of Configuration Manager 2012 sites, including the central administration site, primary sites, and secondary sites.
• Describe alternatives to using secondary sites.
• Explain the typical considerations for implementing a multiple-site hierarchy.
• Plan a Configuration Manager hierarchy for a specific scenario.
Overview of the Configuration Manager 2012 Hierarchy Model
Global organizations can have multiple
administrative teams, varying administrative
requirements, and a large number of clients
distributed across multiple locations worldwide.
To accommodate these factors, you can
implement Configuration Manager 2012 in a
multiple-site hierarchy.
The Configuration Manager 2012 hierarchy model
has only three tiers:
• Central administration site. The central administration site is located at the top of the hierarchy. You use it to centralize administration and reporting for the entire hierarchy. You can implement only one central administration site in a hierarchy. Unlike primary sites, a Configuration Manager 2012 central administration site cannot have clients assigned to it. In addition, a central administration site can have only primary sites as child sites. Once installed, the central administration site name, site code, and role cannot be changed.
• Primary site. Primary sites are located in the middle tier of the hierarchy. You use them to manage clients directly. Primary sites in the Configuration Manager 2012 hierarchy serve the same purpose as they do in Configuration Manager 2007. The major difference between primary sites in Configuration Manager 2007 and Configuration Manager 2012 is the relationships they can have with other sites. Unlike primary sites in Configuration Manager 2007, a primary site in Configuration Manager 2012 cannot be a child of another primary site; it can be a child of only the central administration site. A primary site can have only secondary sites as child sites. Once you install them in a hierarchy, you cannot change them to stand-alone primary sites.
• Secondary site. Secondary sites are located at the bottom tier of the hierarchy. Secondary sites are optional and you can use them to manage the transfer of client data and deployments across low bandwidth networks. A management point and a distribution point are installed automatically with each secondary site. A secondary site can be a child site of only a primary site, not a central administration site.
Administrators in the central administration site can view and manage all the objects in the hierarchy and
can configure hierarchy-wide settings.
Beginning with System Center 2012 Configuration Manager Service Pack 1 (SP1), you can join an
existing stand-alone primary site to a hierarchy at the time when you install the central administration
site. You can migrate additional existing stand-alone primary sites into the new hierarchy. The central
administration site must be the first site in the hierarchy in System Center 2012 Configuration Manager
and older versions.
Overview of Configuration Manager Sites
Each type of Configuration Manager site brings
different functionality to a hierarchy.
Central Administration Site
A central administration site provides the
following functionality in a hierarchy:
• The ability to create a multisite hierarchy
• Centralized administration for all the sites in the hierarchy
• Centralized reporting for all the sites in the hierarchy
Primary Site
Primary sites provide the following functionality in a hierarchy:
• Increased number of clients that Configuration Manager 2012 can manage in the hierarchy
• Independent content management
• Traffic management for software deployments
Secondary Site
Secondary sites provide the following functionality:
• Management of the transfer of client data up the hierarchy across low bandwidth networks, without the overhead of a primary site
• Management of the transfer of content down the hierarchy across low bandwidth networks, without the overhead of a primary site
Alternatives to Using a Secondary Site
When you have clients in remote network
locations, rather than installing a secondary
site, you might want to consider more efficient
alternatives. Often, you can eliminate the need
for another site by configuring a distribution
point in the remote location or using Windows
BranchCache®.
Secondary Site
If you want to control upward network traffic
from remote clients to the primary site, you must
install a secondary site in the remote location.
When planning for installing a secondary site, you
should consider the following:
• You must use a computer running a supported version of a server operating system, such as Windows Server® 2008 R2. You cannot install the secondary site role on desktop operating systems.
• You must locate the site database on the same server as the secondary site server. You can install any supported Microsoft SQL Server® version. If you do not install SQL Server in advance, the setup process installs Microsoft SQL Server 2012 Express.
• When you install a secondary site, the setup process automatically installs a management point and distribution point on the site server.
• Secondary sites support only a limited number of Configuration Manager roles. The following roles are supported:
   o Distribution point. You can install additional distribution points in a secondary site. Each secondary site supports up to 250 distribution points and each distribution point can support up to 4,000 clients.
   o Management point. You can have only a single management point in a secondary site and you must install it on the secondary site server.
   o Software update point. When data transfer across the network is slow, you can install a software update point in a secondary site if you want to perform software update management in the remote site.
   o State migration point. When data transfer across the network is slow, you can install a state migration point in a secondary site if you want to perform user state migration during operating system deployment in the remote site.
Distribution Point
Depending on the number of clients and the available bandwidth for the network connection to a remote
physical location, you might find it more efficient to use a distribution point to support clients in a remote
location, instead of a secondary site. If any of the following conditions apply, you may want to consider
using a local distribution point:
• There is sufficient network bandwidth between locations to support management point communications but insufficient network bandwidth to allow clients to download content. The client uses Background Intelligent Transfer Service (BITS) when downloading content from distribution points. However, even if the client uses BITS, the bandwidth may not be sufficient for the clients to download content across a wide area network (WAN) link. In terms of content delivery, a distribution point alone can be as effective as a secondary site with a distribution point.
• You want to use multicast to deploy operating systems to computers at the remote location. Multicast functionality is built into the distribution point role. When planning to use multicast for deployment, you only need to consider using a distribution point.
• You want to stream virtual applications to computers at the remote location. You can stream applications from a distribution point.
BranchCache
BranchCache is a feature included in Windows Server 2008 R2 and newer operating systems. You use
BranchCache to distribute content using peer-to-peer technology. Typically, you use BranchCache with
clients that are connected to the distribution points via a high latency WAN connection. When one client
finishes downloading all of the content, the remaining clients in the remote location will copy the content
from a peer client. You can configure BranchCache settings on a deployment type, for applications, and
on the deployment, for a package.
To use BranchCache, the following requirements must be in place:
• You must configure at least one distribution point on a computer running Windows Server 2008 R2 or a newer version in BranchCache distributed cache mode.
• Clients must run one of the following compatible operating systems configured in BranchCache distributed cache mode:
   o Windows Vista® Service Pack 2 (SP2) with KB960568 installed
   o Windows® 7
   o Windows Server 2008 with KB960568 installed
   o Windows Server 2008 R2
   o Windows 8
   o Windows 8.1
   o Windows Server 2012
   o Windows Server 2012 R2
Considerations for Implementing Configuration Manager Sites
When deciding which implementation scenario
is most appropriate for your organization, you
need to consider a variety of factors. These factors
include the number and locations of clients, the
planned administration approach, availability of
bandwidth between locations, and server and
other infrastructure limitations.
Stand-Alone Primary Site
The stand-alone primary site implementation
scenario is most appropriate for your organization
if:
• There are no requirements for local administration of content.
• You have 100,000 clients or fewer.
Additional Secondary Sites
A secondary site includes a management point and a distribution point. You can install additional
secondary sites to:
• Offload the client communication from the primary site when clients are in a remote location and you need to control network traffic both to and from the remote location. However, secondary sites do not increase the number of clients that a primary site can support.
• Provide tiered content routing between secondary sites that have the same parent.
Alternative Content Management
You can use a distribution point or BranchCache configuration for a remote site to:
• Provide content locally in a remote location when you do not need to control the traffic from the remote location to the parent location.
Multiple-Site Hierarchy
A multiple-site hierarchy is a more complex model to implement due to the additional servers and roles
included. Before deciding to create a multiple-site hierarchy, you must analyze your environment and
determine whether a stand-alone primary site can meet your requirements.
You should use the multiple-site hierarchy scenario if:
• You have more clients than a stand-alone primary site can manage. A stand-alone primary site can support up to 100,000 clients. A multiple site hierarchy can support up to 400,000 clients.
• You have remote administrative teams that require local administration of their Configuration Manager environment.
• You have 5,000 or more remote locations that you cannot accommodate by using a stand-alone primary site and secondary sites.
• You are subject to export regulations on content.
Discussion: Planning Multiple Configuration Manager Sites
You are an infrastructure architect working for
A. Datum Corporation, an international financial
company with headquarters in New York. The
New York headquarters provides financial services
for customers in North America and Europe.
A. Datum has 150,000 workstations, distributed as
follows across North America and Europe:
• The central office is located in New York and contains 50,000 clients.
• The regional office is located in Toronto and contains 20,000 clients.
• A. Datum has 500 office locations across North America with a total of 50,000 clients. Each office contains between 50 and 1,000 clients.
• There are international offices in London and Paris with a total of 30,000 clients.
Office                  Location                             Number of workstations   Network bandwidth
Headquarters            New York                             50,000                   Local Gigabyte
Regional office         Toronto                              20,000                   T1
United Kingdom office   London                               15,000                   E1
France office           Paris                                15,000                   E1
Office locations        500 locations across North America   50,000 in total          T1
A. Datum wants to implement System Center 2012 Configuration Manager to administer its workstations
in a centralized way.
A team of 40 full-time administrators manages the company data center in New York. The administrators
in New York are providing support for all the locations in North America, including Toronto. A small data
center is located in Toronto and is administered remotely from New York. The data center for Europe is
located in London and has a dedicated team of 15 administrators. They manage all of the resources in the
London and Paris offices.
You need to choose which hierarchy model to implement. Use the following questions to help you choose
the most appropriate implementation model.
Use the table below to record your proposed scenario.
Location    Site type    Managing clients from    Administered by
Distribution point
Lesson 2
Deploying a Configuration Manager 2012 Site
When planning for a Configuration Manager deployment, you should take into consideration the
supported number of sites and site systems and the maximum number of supported clients. You should
also consider the existing network environment and the Configuration Manager 2012 design you will
implement to accommodate multiple domains or forests.
When deploying a multiple-site Configuration Manager 2012 hierarchy, you should install the sites in
a specific order, starting with the central administration site, and then continuing with the primary and
secondary sites. In Configuration Manager 2012 SP1 and later versions, you can install a single primary
site before installing the central administration site. You can also install a central administration site and
expand one primary site into the hierarchy. You can install additional site systems at any time after you
install the site servers.
You must select the appropriate setup options when installing the sites in an existing hierarchy, and use
the appropriate resources to validate a successful installation.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the maximum limits for a Configuration Manager 2012 hierarchy.
• Describe the implementation of Configuration Manager 2012 in an environment with multiple domains or forests.
• Describe the deployment process for a multiple-site hierarchy.
• Describe the Configuration Manager setup options.
• Explain how to verify a successful site system installation.
Planning a Multiple-Site Hierarchy
Central Administration Site
The maximum number of supported clients per
hierarchy depends on the central administration
site’s SQL Server edition, but not on the SQL
Server edition that is installed on the primary or
secondary sites. A central administration site will:
• Support up to 25 child primary sites.
• Not support any client management roles. You cannot assign clients to the central administration site, only to primary sites.
• Support up to 400,000 clients in the hierarchy when using SQL Server Enterprise Edition for the site database.
• Support up to 50,000 clients in the hierarchy when using SQL Server Standard Edition for the site database.
These limitations are due to the partitioning of the site database. If you install the central administration
site by using SQL Server Standard Edition, and then upgrade to SQL Server Enterprise Edition, the
database is not repartitioned and these limitations remain in effect.
Primary Sites
You use primary sites to manage clients. Each primary site can accommodate up to 50,000 or 100,000
clients, depending on whether SQL Server is co-located on the site server or is installed on a separate
computer. However, the number of clients that a primary site supports is still limited to 50,000 if the
central administration site uses SQL Server Standard Edition. A primary site will:
• Support up to 250 secondary sites.
• Support up to 250 distribution points. Each distribution point can support up to 4,000 clients, depending on the type of content you are distributing.
• Support up to 5,000 distribution points. This total includes all distribution points at the primary site and all distribution points that belong to the primary site’s child secondary sites.
• Support up to ten management points. Each primary site management point can support up to 25,000 computer clients. To support 100,000 clients you must have at least four management points. When you have more than four management points in a primary site, the supported client count of the primary site does not increase beyond 100,000. Instead, any additional management points provide redundancy for communications from the clients.
• Support up to 50,000 clients when SQL Server is co-located on the site server.
• Support up to 100,000 clients when SQL Server is installed on a separate computer from the site server.
Secondary Sites
You can use secondary sites to manage the upward traffic from the clients in a remote location to the
primary site server. You can also use a secondary site to increase the total number of distribution points
that can be installed on a primary site. A secondary site will:
• Support up to 250 distribution points. Each distribution point can support up to 4,000 clients, depending on the type of content you are distributing.
• Support a single management point located on the site server.
• Support SQL Server Express 2012 in addition to the other supported SQL Server versions for the site database. You can install SQL Server on the same computer as the secondary site server if you do not want to use SQL Server Express.
• Support communications for up to 5,000 clients.
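The tier rules from Lesson 1 and the limits listed above for the central administration site, primary sites, and secondary sites can be checked against a proposed design before any site is installed. The following Python validator is an added example, not part of the course material. The Site fields, the site codes, and the three plans are constructed; the plans use the client counts from the A. Datum discussion scenario and are candidates for illustration, not the course's answer.

```python
from dataclasses import dataclass
from typing import List, Optional

# Limits as stated in the lesson text.
HIERARCHY_CLIENTS = {"enterprise": 400_000, "standard": 50_000}  # by CAS SQL Server edition
MAX_CHILD_PRIMARIES = 25
PRIMARY_CLIENTS = {True: 100_000, False: 50_000}  # key: SQL Server on a separate computer
MAX_SECONDARIES = 250
MAX_MPS, CLIENTS_PER_MP = 10, 25_000
MAX_DPS_PER_SITE, MAX_DPS_PRIMARY_TOTAL, CLIENTS_PER_DP = 250, 5_000, 4_000
SECONDARY_CLIENTS = 5_000


@dataclass
class Site:
    code: str
    kind: str                        # "cas", "primary" or "secondary"
    parent: Optional[str] = None
    clients: int = 0                 # clients that use this site's own site systems
    sql_edition: str = "enterprise"  # "enterprise" or "standard"; evaluated for the CAS only
    sql_remote: bool = False         # primary only: SQL Server on a separate computer
    mps: int = 1                     # management points
    dps: int = 1                     # distribution points


def validate(sites: List[Site]) -> List[str]:
    """Return one finding per violated rule; an empty list means the plan fits."""
    out: List[str] = []
    by_code = {s.code: s for s in sites}
    kids = {s.code: [c for c in sites if c.parent == s.code] for s in sites}
    if sum(s.kind == "cas" for s in sites) > 1:
        out.append("hierarchy: only one central administration site is allowed")
    for s in sites:
        parent = by_code.get(s.parent) if s.parent else None
        if s.parent and parent is None:
            out.append(f"{s.code}: parent {s.parent} is not in the plan")
        if s.kind == "cas":
            if s.parent:
                out.append(f"{s.code}: the central administration site has no parent")
            if s.clients:
                out.append(f"{s.code}: clients cannot be assigned to the CAS")
            if any(k.kind != "primary" for k in kids[s.code]):
                out.append(f"{s.code}: only primary sites can be children of the CAS")
            if len(kids[s.code]) > MAX_CHILD_PRIMARIES:
                out.append(f"{s.code}: more than {MAX_CHILD_PRIMARIES} child primary sites")
            total = sum(x.clients for x in sites)
            cap = HIERARCHY_CLIENTS[s.sql_edition]
            if total > cap:
                out.append(f"{s.code}: {total} clients exceed the hierarchy limit of {cap}")
            continue
        if s.kind == "primary":
            if parent and parent.kind != "cas":
                out.append(f"{s.code}: a primary site can be a child of the CAS only")
            if any(k.kind != "secondary" for k in kids[s.code]):
                out.append(f"{s.code}: only secondary sites can be children of a primary")
            if len(kids[s.code]) > MAX_SECONDARIES:
                out.append(f"{s.code}: more than {MAX_SECONDARIES} secondary sites")
            # Secondary sites do not raise the primary's client limit, so count their clients.
            assigned = s.clients + sum(k.clients for k in kids[s.code])
            cap = PRIMARY_CLIENTS[s.sql_remote]
            if assigned > cap:
                out.append(f"{s.code}: {assigned} clients exceed the primary site limit of {cap}")
            if s.mps > MAX_MPS or s.clients > s.mps * CLIENTS_PER_MP:
                out.append(f"{s.code}: management points do not fit ({s.mps} for {s.clients} clients)")
            if s.dps + sum(k.dps for k in kids[s.code]) > MAX_DPS_PRIMARY_TOTAL:
                out.append(f"{s.code}: more than {MAX_DPS_PRIMARY_TOTAL} distribution points in total")
        elif s.kind == "secondary":
            if parent is None or parent.kind != "primary":
                out.append(f"{s.code}: a secondary site must be a child of a primary site")
            if s.clients > SECONDARY_CLIENTS:
                out.append(f"{s.code}: {s.clients} clients exceed the secondary site limit of {SECONDARY_CLIENTS}")
        else:
            out.append(f"{s.code}: unknown site type {s.kind!r}")
            continue
        if s.dps > MAX_DPS_PER_SITE or s.clients > s.dps * CLIENTS_PER_DP:
            out.append(f"{s.code}: distribution points do not fit ({s.dps} for {s.clients} clients)")
    return out


# Constructed plans; client counts come from the A. Datum discussion scenario.
STANDALONE = [Site("NYC", "primary", clients=150_000, sql_remote=True, mps=6, dps=38)]
WITH_PARIS_SECONDARY = [
    Site("CAS", "cas"),
    Site("NYC", "primary", "CAS", clients=50_000, sql_remote=True, mps=2, dps=13),
    Site("NAM", "primary", "CAS", clients=70_000, sql_remote=True, mps=3, dps=18),
    Site("LON", "primary", "CAS", clients=15_000, dps=4),
    Site("PAR", "secondary", "LON", clients=15_000, dps=4),
]
# Paris served from distribution points of the London primary instead of a secondary site.
WITH_PARIS_DPS = WITH_PARIS_SECONDARY[:3] + [
    Site("LON", "primary", "CAS", clients=30_000, mps=2, dps=8),
]

if __name__ == "__main__":
    for name, plan in [("stand-alone", STANDALONE), ("Paris secondary", WITH_PARIS_SECONDARY),
                       ("Paris DPs", WITH_PARIS_DPS)]:
        print(name, validate(plan) or "fits")
```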
Software Update Point
Each site supports one active software update point for use on the intranet and, optionally, one
software update point for use on the Internet. You can configure each of these software update points
as a Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB
cluster. A software update point that is installed on the site server can support up to 25,000 clients. A
software update point that is installed on a computer that is remote from the site server can support up to
100,000 clients. Configuration Manager 2012 SP1 introduced software update point switching. If a client’s
scan for software updates fails, it will automatically attempt to use a different software update point.
Note: Before upgrading from Configuration Manager with no service pack to Configuration
Manager SP1, you must remove NLB from your active software update point. After the upgrade is
complete, you can reconfigure NLB by using Windows PowerShell®.
Fallback Status Point
You can install a fallback status point to enable clients to send state messages to the site, and enable
CCMSetup to report deployment issues. Each primary site supports one fallback status point and each
fallback status point can support up to 100,000 clients.
Application Catalog Website Point and Application Catalog Web Service Point
Each instance of this site system role supports up to 400,000 clients, providing service for the entire
hierarchy. You can install multiple instances of the Application Catalog website point at the primary sites.
For improved performance, you should plan to support up to 50,000 clients per instance.
System Health Validator Point
You can install a System Health Validator point in each site to integrate with the Windows Server Network
Access Protection functionality. Each System Health Validator point can support up to 100,000 clients.
Planning for Multiple Domains and Forests
System Center 2012 Configuration Manager
supports sites and hierarchies that span Active
Directory® Domain Services (AD DS) forests.
Configuration Manager also supports domain
computers that are not in the same Active
Directory forest as the site server, and computers
that are in workgroups.
To support domain computers in a trusted
forest, you can install a child site in a remote
forest that has a required two-way trust with the
forest of the parent site. For example, you can
place a secondary site in a different forest from its
primary parent site if a two-way forest trust that supports Kerberos authentication exists. If you do not
have a two-way forest trust that supports Kerberos authentication, you cannot install a Configuration
Manager child site in the remote forest.
To support domain computers in a forest that your site server’s forest does not trust, you can install the
appropriate site system roles in that untrusted forest. In addition, you have the option to publish site
information to that Active Directory forest. When you install site system servers in the client’s forest, the
client-to-server communication takes place within the client’s forest and the remote site system role can
authenticate the computer using Kerberos. When planning to deploy to an untrusted forest, consider the
following:
• When you publish site information to the client’s forest, clients can retrieve site information, such as a list of available management points, from their Active Directory forest rather than downloading this information from their assigned management point. You cannot install the out of band service point and the Application Catalog web service point in an untrusted forest. You can install them only in the same forest as the site server. The same restriction applies for the site database, which you must install in the same forest as the site server.
• When you specify a computer to be a site system server, you must specify the Site System Installation Account. This account must have local administrative credentials to systems that it connects to, so that it can then install the site system roles on the specified computer.
• When you install a site system role in an untrusted forest, you must select the Require the site server to initiate connections to this site system option. This configuration enables the site server to establish connections to the site system server to transfer data to and from the site system server. This prevents the site system server in the untrusted location from initiating contact with the site server in your trusted network. The connection uses the Site System Installation Account that you use to install the site system server.
• The management point and enrollment point site system roles connect to the site database. By default, when you install these site system roles, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted forest, you must configure the site system role connection account to enable the site system role to obtain information from the database. If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database for that site. The following roles are supported and require that you configure the associated database connection account:
   o Management point: Management Point Connection Account
   o Enrollment point: Enrollment Point Connection Account
To support computers in a workgroup that use HTTP client connection to site system roles, you must
approve them manually. This is because Configuration Manager cannot authenticate these computers
by using Kerberos. In addition, you must configure the Network Access Account, regardless of the HTTP
or HTTPS configuration, so that these computers can retrieve content from distribution points. Because
workgroup clients cannot retrieve site information from AD DS, you must provide an alternative
mechanism for these clients to find the management points. You can use Domain Name System (DNS)
publishing or Windows Internet Name Service (WINS), or assign a management point directly. You can
also use Internet-based client management and public key infrastructure–issued (PKI-issued) certificates to
enable management of clients in an untrusted forest or in a workgroup.
Deploying a Multiple-Site Hierarchy
You must follow this process when you deploy a
multiple-site hierarchy if no site exists yet.
Deploying the Central Administration Site
•
Extend the Active Directory schema. You must
decide whether you will extend the Active
Directory schema to enable site servers and
site systems to publish information to AD DS.
If you extend the schema, you need to grant
the site server accounts permission to publish
to the system management container.
•
Install Configuration Manager 2012 as a central administration site first, before installing any sites that
will join the hierarchy.
Deploying Primary Sites
•
Install Configuration Manager 2012 as a primary site in the existing hierarchy. Run Setup to install
Configuration Manager 2012. Specify the central administration site that you want to use as a parent
site.
Deploying Secondary Sites
•
Add the primary site server computer account to the local Administrators group on the target
secondary site server.
•
Run the Secondary Site Installation Wizard from the primary site. You can select whether to use an
existing instance of SQL Server on the secondary site server or install SQL Server Express.
Deploying Additional Site System Roles
•
Run the Add Site System Roles Wizard for each site. You can select which roles to install for each
particular site:
o
When they are part of a hierarchy, some roles cannot be installed in all sites. You will learn which
roles are available later in this module.
o
For specific roles, you may be able to install only a single instance of the role. For example, there
can be only a single instance of the Asset Intelligence synchronization point, and you must install
this role at the top-level site in the hierarchy.
Beginning with Configuration Manager 2012 SP1, you can expand an existing primary site into a
hierarchy after you install the primary site. For example, if you have deployed a single primary site and
your organization later enlarges, you can expand the primary site into a hierarchy without losing any data.
The process for doing this is similar to the process for deploying a multisite hierarchy as described above.
Deploying the Central Administration Site
•
Extend the Active Directory schema. If you did not perform this operation when you installed the
initial primary site, you must perform it now.
•
Install Configuration Manager 2012 as a central administration site. During the installation process,
you specify the site that you are expanding into the hierarchy.
Deploying Additional Sites and Roles
•
The creation of the rest of the hierarchy is similar to the process described above.
Configuration Manager 2012 Setup Options
To install a central administration site or a
primary site, you use the setup program from the
installation media. Generally, we recommend that
you run the Prerequisite Checker (prereqchk.exe)
before starting the installation process so that you
can address any problems quickly. If you do not
run the Prerequisite Checker prior to running
setup, the setup process will automatically run
it later. If you are planning to use HTTPS
communication, you should acquire an
appropriate certificate before beginning Setup.
The Prerequisite Checker will not check for a
certificate because installation does not require one. We recommend that you run the Setup Downloader
(SetupDL.exe) prior to starting the installation. This tool downloads the required installation updates. Like
the Prerequisite Checker, this tool will be run later in the setup process. Running it manually allows you to
save time during the process.
Before running the System Center 2012 R2 Configuration Manager Setup Wizard, you must spend time
planning the process. You will need to make the following decisions:
•
Will you install a Configuration Manager primary site or a Configuration Manager central
administration site? Typically, when you install a multisite hierarchy, you start with the central
administration site. Once you have installed the central administration site, you can continue
building the hierarchy by installing the primary sites. Alternatively, you can start with a primary site
and expand it into a new hierarchy later. However, you can only expand a single stand-alone site into
a hierarchy.
•
Will you choose Prerequisite downloads, Download required files, or Use previously downloaded
files? You will see these options after you advance through the licensing pages in the System Center
2012 R2 Configuration Manager Setup Wizard. If you have not downloaded the prerequisite files
previously, you must do so at this time. When you deploy multiple sites, the files should be stored in a
central location available to each server where you are deploying Configuration Manager 2012.
•
Are you supporting additional languages? You can install language support for both the server and
clients separately. If you need to support additional client languages, you specify them during the site
installation, or you can specify additional languages later. If you are expanding an existing primary
site into a hierarchy, during the central administration site installation, you should specify the same
client languages supported in the existing primary site. If you do not install client language support
for a language supported in the existing primary site, Setup will remove support for that language.
•
What will you choose for the Site code, Site name, and Installation folder? The next decision point is on
the Site and Installation settings page of the wizard. The site code and site names must be unique and
cannot be changed without reinstalling.
•
Will you install a central administration site as the first site in a new hierarchy, or expand an existing
stand-alone primary into a hierarchy? When you install a central administration site, you have the
following options:
o
Start a new hierarchy.
o
Expand an existing primary site into a hierarchy as a child of the central administration site that
you are installing.
•
Will you join the primary site to an existing hierarchy or install the primary site as a stand-alone site?
When you install a primary site, you have the following options:
o
Start a new hierarchy.
o
Join an existing hierarchy as a child of the central administration site.
•
Will you use a local or remote SQL Server? System Center 2012 R2 Configuration Manager requires
a SQL Server to host the databases that the site uses. The SQL Server installation can be on the same
server as the Configuration Manager server or on a remote server. Additionally, during the installation
process you can specify the location for the SQL Server database files.
•
Where will the SMS Provider be located? The SMS Provider provides a communication layer between
the management tools and the databases. Typically, the Configuration Manager server is also the SMS
Provider. However, you can choose to install the SMS Provider on a separate server.
•
What communications methods will you use? When you install a primary site, you must decide
whether the clients will communicate using HTTP or HTTPS. If you are going to use HTTPS, you
should have installed the appropriate certificate already. If you have not installed an appropriate
certificate, you should install the primary site by using HTTP communication and configure HTTPS
communication as soon as you acquire an appropriate certificate. This setup option is not available
for a central administration site since it does not support clients directly.
Verifying a Configuration Manager 2012 Site Installation
You can perform the following steps to verify the
success of a Configuration Manager 2012 site
installation:
1.
In the Configuration Manager console, in the
Monitoring workspace, under System Status,
there are two status nodes:
o
System Status node. Displays the status
for the installed roles.
o
Component Status nodes. Displays the
status for all the components on each site
server.
A status of OK verifies that the site and the site components are functioning normally. If the status
displays as warning or critical, you will need to review the messages and troubleshoot the issues you
find.
2.
Verify that the SMS_EXECUTIVE and SMS_SITE_COMPONENT_MANAGER services, and any other listed
Configuration Manager services, except for the SMS_SITE_BACKUP service, are listed as automatic and
started in the Services console.
3.
View the installation logs:
o
ConfigMgrPrereq.log. Prerequisite Checker generates this log, whether you run it as stand-alone
or as part of Setup.
o
ConfigMgrSetup.log. This is the primary setup log. View this log to identify whether any abnormal
errors were encountered during Setup.
o
ConfigMgrSetupWizard.log. The Configuration Manager Setup Wizard generates this log.
o
ConfigMgrAdminUI.log. The console installation generates this log. This is a separate log because
installing the console is not mandatory.
o
SMS_BOOTSTRAP.log. This log is located on the intended secondary site server. It records
information about the progress of launching the secondary site installation process.
ConfigMgrSetup.log contains details of the actual setup process.
4.
View the status messages in the Monitoring workspace.
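Steps 2 and 3 of the verification above can be scripted and run on the new site server. The following PowerShell is an added example, not part of the course material. It assumes that the setup logs are in the root of the system drive, that services whose names start with SMS_ are the Configuration Manager services, and that a log line containing the word "error" is worth reviewing.

```powershell
# Added example, not part of the course material.
# Assumptions: setup logs are in the root of the system drive; services whose
# names start with "SMS_" are the Configuration Manager services; a log line
# containing the word "error" deserves review (keyword match, not a verdict).
param(
    [string]$LogFolder = "$env:SystemDrive\",
    [string[]]$LogNames = @('ConfigMgrPrereq.log', 'ConfigMgrSetup.log',
                            'ConfigMgrSetupWizard.log', 'ConfigMgrAdminUI.log'),
    [string]$Pattern = '\berror\b'
)

function Get-SiteServiceState {
    # Step 2: every Configuration Manager service except SMS_SITE_BACKUP
    # must be set to Automatic and be running.
    $found = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like 'SMS_*' -and $_.Name -ne 'SMS_SITE_BACKUP' })

    # Report the two core services explicitly if they are absent altogether.
    foreach ($required in 'SMS_EXECUTIVE', 'SMS_SITE_COMPONENT_MANAGER') {
        if ($found.Name -notcontains $required) {
            [pscustomobject]@{ Service = $required; StartMode = '-'; State = 'Missing'; Ok = $false }
        }
    }
    foreach ($svc in $found) {
        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Ok        = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
        }
    }
}

function Get-SetupLogFinding {
    param([string]$Folder, [string[]]$Names, [string]$Regex)
    # Step 3: scan each installation log. A missing log is reported, not skipped
    # (ConfigMgrAdminUI.log exists only if the console was installed).
    foreach ($name in $Names) {
        $path = Join-Path -Path $Folder -ChildPath $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Log = $name; Line = $null; Text = '(log not found)' }
            continue
        }
        Select-String -LiteralPath $path -Pattern $Regex | ForEach-Object {
            [pscustomobject]@{ Log = $name; Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
    }
}

$services = @(Get-SiteServiceState)
$findings = @(Get-SetupLogFinding -Folder $LogFolder -Names $LogNames -Regex $Pattern)

$services | Sort-Object Ok, Service | Format-Table -AutoSize
$findings | Format-Table -AutoSize -Wrap

$badServices = @($services | Where-Object { -not $_.Ok }).Count
$logHits     = @($findings | Where-Object { $_.Line }).Count
"{0} service(s) not Automatic/Running, {1} log line(s) to review" -f $badServices, $logHits
```

SMS_BOOTSTRAP.log is left out because it is written on the intended secondary site server, not on the server where this script runs.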
Lesson 3
Deploying the Central Administration Site
Typically, when implementing a hierarchy of multiple primary sites, the central administration site is the
first site you install. The central administration site is the hub of the entire hierarchy. You join primary sites
to it to build your hierarchy.
In this lesson, you will review the role of the central administration site in a multiple site hierarchy.
Lesson Objectives
After completing this lesson, you will be able to:
•
Describe the characteristics of the central administration site.
•
Determine whether to install a central administration site.
•
Describe how to install a central administration site.
•
Describe installing site system roles and configuring security roles and scopes in the central
administration site.
What Is the Central Administration Site?
The central administration site is the top-level
site in a hierarchy. Frequently, it is the first site
that you install in the hierarchy. You can use the
central administration site to manage all objects
and perform site management tasks for all sites
in the hierarchy. From the central administration
site, you can view global data and site data from
all primary sites in the hierarchy. The central
administration site is the only location where you
can access this site data in a consolidated view.
The central administration site:
•
Supports only primary sites as child sites. You
must specify the central administration site’s site server during the installation of a primary site that
joins the same hierarchy.
•
Can be used to expand a primary site into a multisite hierarchy. When expanding a single stand-alone
primary site into a multisite hierarchy, you install the central administration site and specify the
primary site that you want to expand during installation.
•
Cannot have clients assigned to it. You must have at least one primary site in the central
administration site’s hierarchy to manage clients.
•
Does not process client data. Site data from clients is processed at primary sites, and then replicated
to the central administration site.
•
Does not support all site system roles. You cannot install any of the roles related to client
management in the central administration site.
•
Offloads administration and reporting from the primary sites. You can run reports that contain
consolidated information from all sites in the hierarchy.
•
Participates in database replication with primary sites. The database replication is configured
automatically when installing a primary site as a child of the central administration site.
•
Contains site data replicated from all the sites in the hierarchy. The central administration site
consolidates site data from all sites in the hierarchy.
Determining When to Install a Central Administration Site
You must install a central administration site if
you are going to have multiple primary sites in
a hierarchy. You use the central administration
site to configure hierarchy-wide settings and to
monitor all sites and objects in the hierarchy.
The central administration site does not manage
clients directly. However, it does coordinate
inter-site data replication, which includes the
configuration of sites and clients throughout the
hierarchy.
Use the following information to help you plan for
the central administration site installation:
•
If you need to support more than 100,000 clients, you must have the central administration site and
multiple primary sites in the hierarchy. The central administration site can support up to 25 primary
sites.
•
You can manage all clients in the hierarchy and perform site management tasks for any primary site
when you use a Configuration Manager console that is connected to the central administration site.
•
The central administration site is the only place where you can view site data from all sites. This data
includes information such as inventory data and status messages.
•
You can configure discovery operations throughout the hierarchy from the central administration site
by assigning discovery methods to run at individual sites.
•
Although the central administration site does not support the distribution point role, you can create
content in the central administration site and distribute it to all sites in the hierarchy.
You do not need to install a central administration site to:
•
Manage fewer than 100,000 clients. You can use a stand-alone primary site and install additional
secondary sites or additional distribution points as necessary.
•
Support multiple locations. A stand-alone primary site with remote distribution points or secondary
sites can span multiple locations.
•
Manage clients. You can assign clients to only primary sites, not the central administration site.
Additionally, primary sites support the site system roles related to client management and the central
administration site does not.
•
Decentralize administration for a primary site. You can use security roles and scopes to limit
administrative permissions to a subset of objects. The central administration site does not limit the
administrative permissions. Instead, it centralizes administration across multiple sites.
•
Perform content routing. If you are using a stand-alone primary site, you can implement distribution
points or secondary sites to perform content routing.
In a merger or acquisition scenario, installing a central administration site will not offer an advantage over
a stand-alone primary site:
•
If the second organization has deployed Configuration Manager 2007, you can use the migration
feature to migrate objects to the Configuration Manager 2012 hierarchy.
•
If the second organization has deployed Configuration Manager 2007, you can use the Export and
Import functionality to copy objects between hierarchies.
•
Beginning with Configuration Manager 2012 SP1, you can merge data from hierarchies that are on
the same version and service pack of Configuration Manager.
Installing the Central Administration Site
After deciding to install a Configuration Manager
central administration site, you must run the
Setup program. When planning the central
administration site, choose the site code and site
name carefully because you cannot change them
after installation without reinstalling the site. In
the case of a central administration site, that
would mean reinstalling the entire hierarchy.
Beginning with System Center Configuration
Manager 2012 with SP1, if you have an existing
stand-alone primary site, you can expand the
stand-alone primary site into a new hierarchy.
During the installation of a central administration site, you are able to expand one primary site into the
site hierarchy. The primary site must be online and available or the expansion will fail. You must merge
any additional primary sites with the new hierarchy if you want to save the data. After you merge any
data, you must uninstall and then reinstall the additional primary sites.
The following table lists the steps that the System Center 2012 Configuration Manager Setup Wizard
performs when installing the central administration site. The table also includes the information that you
supply for each step.
| Wizard page | Input required |
|---|---|
| Getting Started | Choose to install a central administration site. |
| Product Key | Choose whether you want to install an evaluation version or provide a product key. |
| Microsoft Software License Terms | Read and accept the license terms to continue with the setup. |
| Prerequisite Licenses | Accept the licenses for the various prerequisite components to continue with the setup. |
| Prerequisite Downloads | You can specify whether to download the Configuration Manager prerequisite files now or to use the files from a folder where you have downloaded them previously. |
| Server Language Selection | This page allows you to specify additional language packs to be downloaded and installed for the administration console and site servers. |
| Client Language Selection | Specify the additional language packs to be downloaded and installed for the Configuration Manager client. |
| Site and Installation Settings | There are several required settings on this page: site code, site name, and Installation folder. You cannot change these settings later. Additionally, you can choose whether to install the Configuration Manager console on this page. |
| Central Administration Site Installation | You must choose between creating a new hierarchy and expanding an existing stand-alone primary site into a hierarchy. If you choose to expand an existing stand-alone primary site, you must specify the fully qualified domain name (FQDN) of the primary site. |
| Database Information | If necessary, enter the FQDN for the instance name of the SQL Server, the name of the Configuration Manager database, and the port you will use for SQL Server Service Broker. |
| Database Information | The wizard contains two database information pages. You must specify the installation paths for the SQL Server files on this page. |
| SMS Provider Settings | Enter the FQDN of the server that will host the SMS Provider. By default, this is installed on the site server. |
| Customer Experience Improvement Program Configuration | Select this option if you want to join the Customer Experience Improvement Program. |
| Settings Summary | Review your selections to determine whether you need to go back to make any changes. |
| Prerequisite Check | The Configuration Manager Setup Wizard launches Prerequisite Checker to evaluate the server readiness for hosting the selected roles. Once all the checks have finished, you can begin the installation. |
Configuring the Central Administration Site
After you install the central administration site,
you perform several configuration steps, such
as installing additional site system roles and
configuring security roles and scopes. You can
install only the following subset of site system
roles in the central administration site:
•
Asset Intelligence synchronization point.
Configuration Manager can inventory all
the applications that are in use in your
environment. Then, you can use this
information through the Asset Intelligence
catalog to manage license usage in your
environment. The Asset Intelligence synchronization point synchronizes the Asset Intelligence catalog
with System Center Online.
•
Endpoint Protection point. The Endpoint Protection point manages Endpoint Protection in your
hierarchy. Note that Endpoint Protection is a separate installation.
•
Reporting services point. The reporting services point provides a location for running and viewing
reports. A reporting services point in the central administration site allows you to view reports
pertaining to all sites in the hierarchy.
•
Software update point. You install a software update point at the top of the hierarchy to synchronize
with Microsoft updates. The software update points at primary sites will synchronize with the software
update point deployed in the central administration site.
•
System Health Validator point. Network Access Protection (NAP) integrates with a Windows Network
Policy server to validate Configuration Manager NAP policies.
Note: You can install only one Asset Intelligence synchronization point and one Endpoint
Protection point in a hierarchy. You can install only these two roles in the top-level site in the
hierarchy.
Role-Based Administration
Role-based administration allows you to define the management security in Configuration Manager 2012.
You define role-based administration in the Administration workspace, under the Security node. You
apply role-based administration configurations at each site in a hierarchy. Role-based administration is
composed of three components–roles, scopes, and collections–that allow you to define management
rights for your hierarchy:
•
Security roles. There are several built-in security roles, and you can create custom roles. Security roles
define what can be done to the various object classes defined in Configuration Manager.
•
Security scopes. There are two built-in security scopes, and you can create custom scopes. The
security scope defines which objects an administrator can manage.
•
Collections. You use collections to limit the users or computers that an administrative user can
manage.
When defining permissions for administrative users, you define their security roles and the objects
and collections that they will be able to access. By default, the user that installed the Configuration
manager site has the Full Administrator role for all objects and collections. You add a user or group
in the Administrative Users node in the Security folder. When you add a user or group, you can assign
one or more roles, one or more defined security scopes, and one or more collections that you want to
manage.
Expanding a Stand-Alone Primary Site into a Hierarchy with a New Central Administration Site
Prior to System Center 2012 Configuration
Manager SP1, if you decided to transition from
a single site hierarchy to a multi-site hierarchy,
you had to uninstall the site and start over.
System Center Configuration Manager 2012
with SP1 introduced the ability to install a central
administration site as a parent site of an existing
stand-alone primary site. You can do this with
only one stand-alone primary site. If you have
several stand-alone sites, you must uninstall and
then reinstall any additional sites that you want to
join to the multisite hierarchy.
Expanding a stand-alone primary site into a multisite hierarchy adds one step to the central
administration site installation. During the installation process, you specify the stand-alone site that you
are expanding into the hierarchy.
Prerequisites for Expanding a Stand-Alone Site
Before you can expand a stand-alone site into a multisite hierarchy, the stand-alone site must meet the
following requirements.
| Prerequisite | Additional information |
|---|---|
| The stand-alone primary site must be on the same version of Configuration Manager that you will use to install the central administration site. | Before you install the central administration site, upgrade the primary site to the same version of Configuration Manager that you will use to install the central administration site. You must use either Configuration Manager 2012 with SP1 or System Center 2012 R2 Configuration Manager. |
| You must not configure the stand-alone primary site to migrate data from another Configuration Manager hierarchy. | You always perform site migrations from the top-level site. Once the expansion is complete, you can perform any site migrations using the central administration site. You can migrate data to the central administration site or any primary site in the hierarchy. |
| When you configure the stand-alone primary site for migration, you must stop all active data gathering before starting the expansion process. | If you migrate data from another site using data gathering, you must stop all active data gathering processes. After completing the expansion process, you can restart any data gathering processes. |
| The computer account for the computer that will host the central administration site must be in the local Administrators group on the stand-alone primary site’s computer. | This is required only during the expansion process and you can remove it once the process is complete. |
| The user performing the expansion must be an administrator of the site that he or she is expanding. | The user performing the expansion must be defined in role-based administration as either a Full Administrator or an Infrastructure Administrator at the site that he or she is expanding. |
| You must uninstall any roles that are not supported in a child primary site from the stand-alone primary site that is being expanded. | If you install the Asset Intelligence synchronization point, Endpoint Protection point, and Windows Intune™ connector roles, they must be located in the central administration site of a multisite hierarchy. |
| The SQL Server Service Broker must be able to transfer data between the central administration site and the child primary sites. | The Prerequisite Checker does not verify that the SQL Server Service Broker port is open. |
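Two of the prerequisites above can be checked before you start Setup: the local Administrators membership, and the Service Broker port that the Prerequisite Checker does not test. The following PowerShell is an added example, not part of the course material. It assumes the lab's server names and that the site uses port 4022, the default SQL Server Service Broker port for Configuration Manager. It tests only the direction from the future central administration site to the primary site.

```powershell
# Added example, not part of the course material. Run on the server that will
# host the central administration site, before starting Setup.
# Assumptions: server and domain names are the lab's; 4022 is the default
# SQL Server Service Broker port, so pass -BrokerPort if your site differs.
param(
    [string]$PrimaryFqdn = 'LON-CFG.Adatum.com',
    [string]$CasAccount  = 'ADATUM/LON-CAS$',   # domain/computer account, WinNT form
    [int]$BrokerPort     = 4022,
    [int]$TimeoutMs      = 3000
)

function Get-LocalAdministrator {
    param([string]$Computer)
    # Enumerate the direct members of the remote local Administrators group.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $type = $_.GetType()
        [pscustomobject]@{
            Path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            Class = $type.InvokeMember('Class',   'GetProperty', $null, $_, $null)
        }
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    # Plain TCP connect with a timeout; $false for refused, filtered or timed out.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $client.Connected
    }
    catch { return $false }
    finally { $client.Close() }
}

# The WinNT provider is addressed with the short computer name.
$hostName = ($PrimaryFqdn -split '\.')[0]
$admins   = @(Get-LocalAdministrator -Computer $hostName)

# Direct membership only: groups nested in Administrators are listed for review.
$isMember = @($admins | Where-Object { $_.Path -eq "WinNT://$CasAccount" }).Count -gt 0
$groups   = @($admins | Where-Object { $_.Class -eq 'Group' } | ForEach-Object { $_.Path })

[pscustomobject]@{
    PrimarySite          = $PrimaryFqdn
    CasInLocalAdmins     = $isMember
    NestedGroupsToReview = $groups -join ', '
    BrokerPortReachable  = Test-TcpPort -HostName $PrimaryFqdn -Port $BrokerPort -TimeoutMs $TimeoutMs
} | Format-List
```

Because the Administrators membership is required only during the expansion, run the script again afterward to confirm that CasInLocalAdmins reports False once you have removed the account.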
Considerations When Expanding a Stand-Alone Primary Site
When you expand a stand-alone primary site into a multisite hierarchy, many objects and configuration
settings in the primary site database are shared with the new central administration site. You need to
address several of these objects and settings after the expansion is complete.
| Considerations | Additional information |
|---|---|
| Software update point | In a multisite hierarchy, a software update point at the primary site will reconfigure automatically to synchronize with the software update point in the central administration site. You should install a new software update point in the central administration site as soon as possible. |
| Software deployment packages | Software deployment packages that you created previously in the stand-alone primary site will replicate to the central administration site as global data. Then you can manage the packages at either the primary site or the central administration site. The default client installation package is the only exception to this process. |
| Client installation package | Ownership of the client installation package transfers to the central administration site. The client installation package maintains the same package number; however, Setup reconfigures it to support only the languages that the central administration site supports. |
| Client settings | Once the expansion is complete, you must restart the SMS_POLICY_PROVIDER component on the primary site. Until the component is restarted, the primary site will not provide any new or updated client settings to the clients. |
| Default Boot WIM | The central administration site creates and deploys a new default boot Windows image file (WIM) that will be used throughout the hierarchy. The boot WIM at the primary site is not modified and existing operating system deployments will continue to function. |
Lab A: Installing a Site Hierarchy
Scenario
You are the network administrator for A. Datum Corporation. A. Datum wants to expand its System Center
2012 R2 Configuration Manager stand-alone primary site installation into a complex hierarchy with a
central administration site, two primary sites, and a secondary site.
A. Datum has already deployed the primary site as a stand-alone site.
Objectives
You must perform the installation of a System Center 2012 R2 Configuration Manager central
administration site by using hierarchy expansion.
Lab Setup
Estimated Time: 80 minutes
Virtual machines: 10748C-LON-DC1-B, 10748C-LON-CFG-B, 10748C-LON-CAS-B, 10748C-NYC-CFG-B
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
1.
On the host computer, start Hyper-V Manager.
2.
In Hyper-V® Manager, click 10748C-LON-DC1-B, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Sign in using the following credentials:
o
User name: Administrator
o
Password: Pa$$w0rd
o
Domain: Adatum
5.
Repeat steps 2 to 4 for 10748C-LON-CFG-B.
6.
Do not start 10748C-LON-CAS-B or 10748C-NYC-CFG-B until instructed by the lab.
Exercise 1: Using Hierarchy Expansion to Install the Central Administration Site
Scenario
You need to install a Configuration Manager 2012 central administration site in London with the site code
CAS on the LON-CAS.Adatum.com server. You will expand the primary site on LON-CFG as a child site of
the new central administration site.
The main tasks for this exercise are as follows:
1.
Prepare the environment for the hierarchy expansion.
2.
Start additional lab servers.
3.
Run Installation Prerequisite Check, and verify that the expansion prerequisites are met.
4.
Run the splash screen for Configuration Manager 2012.
5.
Run Setup to install a Configuration Manager 2012 R2 central administration site and expand an
existing primary site into the hierarchy.
Task 1: Prepare the environment for the hierarchy expansion
1.
On LON-CFG, open Computer Management, and then add LON-CAS to the local Administrators
group.
2.
Switch to LON-DC1.
3.
Open Active Directory Users and Computers, and then add LON-CAS and NYC-CFG to the
ConfigMgrServers security group.
Task 2: Start additional lab servers
1.
Start 10748C-LON-CAS-B, and then sign in as Adatum\Administrator.
2.
Start 10748C-NYC-CFG-B, and then sign in as Adatum\Administrator.
Task 3: Run Installation Prerequisite Check, and verify that the expansion prerequisites are met
1.
On LON-CAS, open an Administrator: Command Prompt.
2.
In the Administrator: Command Prompt, navigate to E:\ConfigMgr2012R2\SMSSetup\BIN\X64.
3.
Run the following command in the Administrator: Command Prompt:
Prereqchk.exe /CAS /SQL LON-CAS.Adatum.com /SDK LON-CAS.Adatum.com /Expand LON-CFG.Adatum.com
4.
In the Installation Prerequisite Check window, verify that there are no errors (you may receive several
warnings), and then click OK.
5.
Close the Administrator: Command Prompt.
Task 4: Run the splash screen for Configuration Manager 2012
1.
On LON-CAS, navigate to the E:\ConfigMgr2012R2\ folder.
2.
Double-click splash.hta.
3.
Open the .hta file with the Microsoft (R) HTML Application host.
Task 5: Run Setup to install a Configuration Manager 2012 R2 central administration site and expand an existing primary site into the hierarchy
1.
In the System Center 2012 R2 Configuration Manager Setup screen, click Install.
2.
The Microsoft System Center 2012 R2 Configuration Manager Setup Wizard starts. Use the following
settings to install a central administration site:
a.
On the Getting Started page, select Install a Configuration Manager central administration
site.
4-25
b.
On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
c.
On the Microsoft Software License Terms page, accept the license terms.
d.
On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight, and then click Next.
e.
On the Prerequisite Downloads page, select Use previously downloaded files, and then
specify the E:\ConfigMgr2012R2\Redist as the location.
f.
On the Server Language Selection and Client Language Selection pages, click Next.
g.
On the Site and Installation Settings page, configure the following options:

Site code: CAS

Site name: London Central Administration Site

Install the Configuration Manager console: selected
h.
On the Central Administration Site Installation page, select Expand an existing stand-alone
primary into a hierarchy, and then in the Stand-alone primary site server (FQDN) field, type
LON-CFG.Adatum.com.
i.
On the Database Information page, accept the default settings.
j.
On the second Database Information page, accept the default settings.
k.
On the SMS Provider Settings page, accept the default settings.
l.
On the Customer Experience Improvement Program Configuration page, select I don’t want
to join the program at this time.
m. On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click
Begin Install.
3.
MCT USE ONLY. STUDENT USE PROHIBITED
Planning and Deploying System Center 2012 Configuration Manager
Wait for the installation to finish, and then close the Setup Wizard and the System Center 2012 R2
Configuration Manager Setup screen.
Note: When the System Center R2 Configuration Manager Setup Wizard displays
Core setup has completed, the setup is not complete. Do not continue with the lab until the
Applying the snapshot data task has completed. The installation process may take up to 45
minutes.
Results: At the end of this exercise, you should have installed a Microsoft® System Center 2012 R2
Configuration Manager central administration site and a primary site in a hierarchy.
Question: How do you install a primary site in an existing hierarchy?
Lesson 4
Deploying Primary Sites in a Hierarchy
After installing the central administration site, you can install additional primary sites in your hierarchy.
Primary sites support clients in a Configuration Manager hierarchy. You must install primary sites
before you can deploy clients.
In this lesson, you will discuss the primary site role, the factors that determine when to install a primary
site, and the roles that you can install on a primary site.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a primary site.
• Determine if it is appropriate to install a primary site in a hierarchy.
• Describe the installation of a primary site in a hierarchy.
• Describe various site installation methods.
• Describe the configuration of a primary site in a hierarchy.
Primary Sites in a Configuration Manager Hierarchy
A primary site is the middle tier in a multisite
hierarchy and is required to manage clients. You
can use a primary site to manage all objects and
perform site management tasks for the primary
site and any child secondary sites that report to
the primary site. From a primary site, you can view
global data, site data from the local primary site,
and information about any child secondary sites in
the primary site’s branch of the hierarchy.
A primary site:
• Can be a stand-alone primary site or a member of a hierarchy.
• Supports most of the Configuration Manager roles.
• Supports only the central administration site as a parent site.
• Supports only secondary sites as child sites.
• Can support up to 250 secondary child sites, up to 250 distribution points, and 2000 pull distribution points.
• Cannot change its parent site relationship after installation.
• Is responsible for processing all client data from its assigned clients.
• Uses database replication, which is configured automatically, to communicate to its central administration site.
• Can support the distribution point and management point roles, if you choose to install them during site installation.
Determining Whether to Install a Primary Site
You must install at least one primary site in your
hierarchy to support clients. You cannot assign
clients to the central administration site or a
secondary site.
Consider adding a primary site to your hierarchy
when you need to:
• Increase the number of clients you are managing. Each primary site can support up to 100,000 clients.
• Reduce the effect of failure of a stand-alone primary site. If a primary site fails, you cannot manage any clients assigned to that site until the site is restored. Activity on the client, such as inventory collection, continues and the results are stored locally as usual. However, reporting of this activity is delayed until the site is restored. When you have multiple primary sites in a hierarchy, a site failure affects only the clients assigned to that primary site.
• Provide a local point of connectivity for a large business unit so that you can perform administration tasks for the clients in the business unit.
• Meet organizational management requirements. Different locations may be under different regulations for the storage of data or the use of encryption. Using a separate primary site may help you meet these requirements.
You do not need additional primary sites in your hierarchy if you are:
• Providing decentralized administration. You can use role-based administration to segregate the administration of resources.
• Performing logical data segmentation. All data that exists in a hierarchy is replicated to the central administration site. If you are required to maintain client data separation and want to use Configuration Manager to manage clients, consider using a separate stand-alone installation.
• Configuring different client settings. You can configure custom client settings individually or by collection; these settings are replicated throughout the entire hierarchy.
• Supporting a different site language. You can configure multiple languages for the same site.
• Performing content routing. You can configure content routing between two distribution points located in two secondary sites that have the same parent. This can reduce the network traffic associated with the WAN links.
Installing a Primary Site in a Hierarchy
Installing a Configuration Manager primary site
requires some additional preplanning before
you run Setup. Since you will use the primary
site to support clients, you should decide how
clients would connect to the primary site before
performing the installation. If you plan to use
HTTPS communications, you should acquire the
appropriate certificate before installation. Unlike
client communication settings, you cannot change
the following after installation without reinstalling
the site:
• The parent central administration site to which the primary site is assigned
• The site code
• The site name
The following table lists the steps in the Configuration Manager Setup Wizard that you use to install a
primary site, and the information that you supply for each step.
| Wizard page | Input required |
| --- | --- |
| Getting Started | Select the option for installing a primary site. To speed up the process, you can install a primary site with typical settings. |
| Product Key | Choose between installing an evaluation version and providing a product key. |
| Microsoft Software License Terms | Read and accept the license terms. |
| Prerequisite Licenses | Accept the licenses for the various prerequisite components. |
| Prerequisite Downloads | You can specify to download the Configuration Manager prerequisites files now, or to use the files from a folder where you have downloaded them previously. |
| Server Language Selection | This page allows you to specify additional language packs you want to download and install for the Administration console and the site servers. |
| Client Language Selection | Specify the additional language packs you want to download and install for the Configuration Manager client. |
| Site and Installation Settings | There are several required settings on this page: site code, site name, and Installation folder. You cannot change these settings later. Additionally, you can choose if you want to install the Configuration Manager console. |
| Primary Site Installation | You can choose if the primary site you are installing is stand-alone or a part of the hierarchy. |
| Database Information | Enter the FQDN of the computer running SQL Server, the name of the Configuration Manager database, and the port to use for the SQL Server Service Broker. |
| Database Information | The wizard contains two database information pages. On this page, you must specify the installation paths for the SQL Server files. |
| SMS Provider Settings | Enter the FQDN name of the server that hosts the SMS Provider. By default, this is installed on the site server. |
| Client Computer Communication Settings | You can choose either to configure HTTPS communication or to configure communication requirements for each role individually. If you choose to configure HTTPS communication, you need to have the appropriate certificate installed. |
| Site System Roles | You can choose to install both a management point and a distribution point, or just one of the two. You must specify the FQDNs for these roles. By default, both roles will be installed using the FQDN of the server. Depending on what you configured on the previous page, you can also choose the client communication method, either HTTP or HTTPS. |
| Customer Experience Improvement Program Configuration | Select this option if you want to join the Customer Experience Improvement Program. |
| Settings Summary | Review your selections to determine if you need to go back to make any changes. |
| Prerequisite Check | The Configuration Manager Setup Wizard launches Prerequisite Checker to evaluate the server readiness for hosting the selected roles. Once all the checks have finished, you can begin the installation. |
Site Installation Methods
To install a new primary site, you can either use
the Configuration Manager 2012 Setup Wizard or
perform an unattended installation by using the
scripted installation method.
You can perform an unattended installation for
a new primary site using a setup command-line
option and an unattended installation file,
which is stored in an initialization file (.ini file).
You can create the file manually or use the
%TEMP%\ConfigMgrAutoSave.ini file that Setup
generated during the installation of another
primary site, such as in a test environment. You
can also create the unattended installation .ini file by running the Configuration Manager 2012 Setup
Wizard until you reach the Prerequisite Check page. You can give the file any name, but it
must have an .ini extension.
To perform the unattended installation, run the following command:
Setup /script path\filename.ini
For example, if you created an installation .ini file named InstPrimSite.ini and stored it in the root of drive
C:, the command would be:
Setup /script C:\InstPrimSite.ini
Note: When using an unattended installation .ini file, the Setup program uses only the
values in the .ini file. You must specify all required setup options, or the installation will fail;
however, you can leave the ServerLanguages and ClientLanguages options blank.
This example illustrates a typical script used for installing a primary site in a hierarchy:
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=
SiteCode=LON
SiteName=London Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=LON-CFG.ADATUM.COM
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath= E:\ConfigMgr2012\Redist
MobileDeviceLanguage=0
ManagementPoint=LON-CFG.ADATUM.COM
ManagementPointProtocol=HTTP
DistributionPoint=LON-CFG.ADATUM.COM
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1
AdminConsole=1
[SQLConfigOptions]
SQLServerName=LON-CFG.ADATUM.COM
DatabaseName=CM_LON
SQLSSBPort=4022
[HierarchyExpansionOption]
CCARSiteServer=NYC-CAS.ADATUM.COM
Configuring a Primary Site
When you install a primary site as part of a
hierarchy, there are certain site system roles that
you cannot install in the primary site. These roles
are:
• Asset Intelligence synchronization point. Synchronizes the Asset Intelligence catalog for the entire hierarchy.
• Endpoint Protection point. Provides the configuration for Endpoint Protection for the entire hierarchy.
• Intune Connector. Provides mobile device management through Windows Intune.
A primary site in a hierarchy supports all other optional Configuration Manager roles. You decide how to
distribute roles throughout your hierarchy based on your business requirements and on the functionality
that you need to provide.
For example, although you can install multiple reporting points in a hierarchy, only a reporting services
point that you install in the central administration site can provide reports on all objects in the hierarchy.
You might decide to install only a single reporting services point and run all reports in the central
administration site. Alternatively, you might decide to install a reporting services point in each site so
local administrators can run their own reports. With either option, you can run both standard and custom
reports.
The following table shows the optional roles that you can install in a child primary site and whether they
provide site-only functionality or hierarchy-wide functionality.
| Site system role | Scope | Notes |
| --- | --- | --- |
| Application Catalog web service point | Site or hierarchy | An Application Catalog web service point provides application information for one or more Application Catalog website points. Because this type of information is replicated as global data, all Application Catalog web service points provide the same information. Therefore, you can install this role in a single site or in multiple sites for load balancing. |
| Application Catalog website point | Site or hierarchy | An Application Catalog website point displays global data retrieved from an Application Catalog web service point. Because this is global data, all Application Catalog website points provide the same information. Therefore, you can install this role in a single site or in multiple sites for load balancing. |
| Distribution point | Site | A distribution point provides support based on the site boundary groups to which it belongs. You can install multiple distribution points in a single site to provide load balancing or to provide intranet and Internet support from separate servers. |
| Fallback status point | Site or hierarchy | A fallback status point allows clients that cannot communicate with a management point to send state messages to the site. The fallback status point will forward any messages received from the clients to the appropriate primary site. This information is replicated as site data and is available in reports at the central administration site. |
| Management point | Site | Clients use a management point to communicate with their assigned site. You can install multiple management points in a single site to provide load balancing or to provide intranet and Internet support from separate servers. |
| Enrollment point | Site | Clients use an enrollment point to create mobile device and Intel Active Management Technology (AMT) device objects in a site. You can configure one enrollment point per site. |
| Enrollment proxy point | Site | An enrollment proxy point allows mobile devices and AMT devices to join a site. You can configure one enrollment proxy point per site. |
| Out of band service point | Site | An out of band service point allows you to manage AMT devices that are offline by using out of band management. There can be only one out of band service point per primary site and you must install it in a primary site that also contains the enrollment point role. |
| Reporting services point | Site or hierarchy | A reporting services point installed in a primary site rather than the central administration site can display data from only that primary site and any child secondary sites. That includes global data replicated to the site in addition to the site data. |
| Software update point | Site | You use a software update point to synchronize the metadata about software update information. You install a software update point in the central administration site to synchronize with Windows Server Update Services and in all primary sites that will use the software updates feature. |
| State migration point | Site | A state migration point temporarily stores user data during certain operating system deployment processes. You can configure multiple state migration points in a site to support a large-scale operating system migration. |
| System Health Validator point | Site or hierarchy | You use a System Health Validator point with network access protection. Only one System Health Validator point is required in the hierarchy; however, you can install multiple System Health Validator points for load balancing. |
Lab B: Verifying a Site Hierarchy
Scenario
You are the network administrator for A. Datum Corporation. A. Datum wants to expand its System Center
2012 R2 Configuration Manager stand-alone primary site installation into a complex hierarchy with a
central administration site, two primary sites, and a secondary site.
A. Datum has already deployed the primary site as a stand-alone site.
Objectives
You must verify that the System Center 2012 R2 Configuration Manager central administration site
expansion was successful. Then you must add an additional primary site and automate the installation of a
second primary site.
Lab Setup
Estimated Time: 50 minutes
Virtual machines: 10748C-LON-DC1-B, 10748C-LON-CFG-B, 10748C-LON-CAS-B, 10748C-NYC-CFG-B
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the previous lab, and the Configuration Manager installation must be complete on LON-CAS-B.
Exercise 1: Validating the Installation
Scenario
You installed the central administration site and expanded the A. Datum System Center 2012 R2
Configuration Manager stand-alone site into the hierarchy.
You need to validate the installation of the System Center 2012 R2 Configuration Manager central
administration site.
The main tasks for this exercise are as follows:
1. View the site status and component status.
2. View the status messages for the Configuration Manager 2012 installation.
3. View the database replication status.
4. View the installation logs.
5. Review the available site system roles.
Task 1: View the site status and component status
1. On LON-CAS, start the Configuration Manager console.
2. In the Configuration Manager console, in the Monitoring workspace, under the Site Status node, view the status of each site system and site system role.
3. Under the Component Status node, view the status of the site system and each component.
Task 2: View the status messages for the Configuration Manager 2012 installation
1. Click the Site Status node, and then in the results pane, for \\LON-CAS.Adatum.com, select Site server.
2. On the ribbon, click Show Messages, and then click All.
3. In the Status Messages: Set Viewing Period dialog box, accept the defaults, and then click OK.
4. In the Configuration Manager Status Message Viewer, double-click any message, and then review the details of the status message. Use the Next and Previous buttons to view additional status messages, and then close the Status Message Details dialog box.
5. Close the Configuration Manager Status Message Viewer window.
Task 3: View the database replication status
1. Select the Database Replication node.
2. View the status of the database replication link between CAS and S01.
Note: If the Link State is Link Failed, you must reinitialize the replication. To reinitialize the
replication, perform the following steps:
1. On LON-CFG, create and move a file named configuration data.pub to C:\Program Files\Microsoft Configuration Manager\inboxes\rcm.box.
2. After the configuration data.pub file is removed, switch to LON-CAS, and after 10 minutes, in Database Replication, refresh the replication link for Parent Site CAS and Child Site S01. The link should now display Link Active.
Task 4: View the installation logs
1. Navigate to drive C, and then open the ConfigMgrPrereq.log file. By default, it will open with Notepad. Review the file, note any errors or warnings reported by Prerequisite Checker, and then close Notepad.
2. Open the ConfigMgrSetup.log file. By default, it will open with Notepad. Review the file, note any errors or warnings reported by Setup, and then close Notepad.
Note: When a log file reaches a certain size, which varies depending on the process, a new
log file is created and the old log file is renamed with a .lo_ extension. The ConfigMgrSetup.log
might have only a few entries, and you might need to review the ConfigMgrSetup.lo_ file.
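The log review in Task 4 can also be scripted. The following PowerShell is an added example, not part of the course material: it reads each log together with its rolled-over .lo_ file, oldest first, and lists the lines that mention an error or warning. The function name, the match pattern and the sample log lines are assumptions made for this example.

```powershell
# Added example, not Microsoft's code: list error and warning lines from the
# setup logs named in Task 4, including the rolled-over .lo_ copies.

function Get-SetupLogIssue {
    param(
        [string]$Directory = 'C:\',
        [string[]]$BaseName = @('ConfigMgrPrereq', 'ConfigMgrSetup'),
        # Assumption: lines of interest contain ERROR, WARN or WARNING as a whole word.
        [string]$Pattern = '\b(ERROR|WARN(ING)?)\b'
    )
    foreach ($base in $BaseName) {
        # The .lo_ file holds the older entries, so it is read before the current .log.
        foreach ($ext in '.lo_', '.log') {
            $path = Join-Path $Directory "$base$ext"
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
            Select-String -Path $path -Pattern $Pattern | ForEach-Object {
                [pscustomobject]@{
                    File     = $_.Filename
                    Line     = $_.LineNumber
                    Severity = if ($_.Line -match '\bERROR\b') { 'Error' } else { 'Warning' }
                    Text     = $_.Line.Trim()
                }
            }
        }
    }
}

# Constructed sample files (not real Setup output) so the function can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'cm-setup-log-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'ConfigMgrSetup.lo_') -Value @(
    'INFO: Setup started (constructed line)',
    'WARN: Sample warning from the rolled-over file (constructed line)')
Set-Content -Path (Join-Path $demo 'ConfigMgrSetup.log') -Value @(
    'INFO: Sample progress entry (constructed line)',
    'ERROR: Sample error from the current file (constructed line)')

Get-SetupLogIssue -Directory $demo | Format-Table -AutoSize
```

On the lab server, run Get-SetupLogIssue with no arguments to read the logs from drive C.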
Task 5: Review the available site system roles
1. In the Configuration Manager console, in the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.
2. In the results pane, click LON-CAS.Adatum.com, and then in the preview pane, review the roles installed on the server.
3. In the results pane, right-click LON-CAS.Adatum.com, and then click Add Site System Roles. The Add Site System Roles Wizard starts.
4. On the System Role Selection page, review the roles available for install.
Note: When you install certain site system roles as part of a hierarchy, including the Asset
Intelligence synchronization point, software update point, and Endpoint Protection point, you
cannot install them in a primary site but must install them at the central administration site.
5. Cancel the Add Site System Roles Wizard.
Results: At the end of this exercise, you will have validated the installation of System Center 2012 R2
Configuration Manager.
Exercise 2: Automating the Installation of a Primary Site
Scenario
You have installed the central administration site and a primary child site in the A. Datum network
environment. Now you need to install a second System Center 2012 R2 Configuration Manager primary
child site by using the automated method, which performs a scripted installation. The site will be installed
in New York City with the site code NYC on the NYC-CFG.Adatum.com server.
The main tasks for this exercise are as follows:
1. Review the contents of the installation script.
2. Run Setup for Configuration Manager 2012 and use the script option.
Task 1: Review the contents of the installation script
1. On LON-CAS, in Windows Explorer, navigate to E:\ConfigMgr2012R2\NYC, and then open the ConfigMgrAutoSave_NYC.ini file.
2. Review the contents of the file, and then close the viewer:
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=EVAL
SiteCode=NYC
SiteName=New York City Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=NYC-CFG.Adatum.com
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath=\\LON-CAS\E$\ConfigMgr2012R2\Redist
MobileDeviceLanguage=0
ManagementPoint= NYC-CFG.Adatum.com
ManagementPointProtocol=HTTP
DistributionPoint= NYC-CFG.Adatum.com
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
SQLServerName= NYC-CFG.Adatum.com
DatabaseName=CM_NYC
SQLSSBPort=4022
SQLDataFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
SQLLogFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
[HierarchyExpansionOption]
CCARSiteServer=LON-CAS.Adatum.COM
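The lesson notes that Setup uses only the values in the .ini file and that the site code, site name and parent site cannot be changed afterwards, so the script is worth checking before Task 2 runs it. The following PowerShell is an added example, not Microsoft's code and not part of the course: it parses the script shown above, reports missing or empty keys, and flags the communication and path settings a reviewer would want to confirm. The function names and the list of keys treated as required are assumptions made for this example.

```powershell
# Added example, not Microsoft's code: review an unattended setup .ini before "setup /script".

function Read-SetupIni {
    param([string[]]$Lines)
    $ini = [ordered]@{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $ini[$section] = [ordered]@{}
        }
        elseif ($null -ne $section -and $line -match '^([^=]+)=(.*)$') {
            # Trim both sides: the course file contains "ManagementPoint= NYC-CFG.Adatum.com".
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-SetupIni {
    param($Ini)
    $findings = New-Object 'System.Collections.Generic.List[string]'
    # Assumption: keys that appear in both of the page's sample scripts are treated as required.
    $required = [ordered]@{
        Identification           = @('Action')
        Options                  = @('ProductID', 'SiteCode', 'SiteName', 'SMSInstallDir', 'SDKServer',
            'RoleCommunicationProtocol', 'ClientsUsePKICertificate', 'PrerequisiteComp', 'PrerequisitePath',
            'ManagementPoint', 'ManagementPointProtocol', 'DistributionPoint', 'DistributionPointProtocol')
        SQLConfigOptions         = @('SQLServerName', 'DatabaseName', 'SQLSSBPort')
        HierarchyExpansionOption = @('CCARSiteServer')
    }
    foreach ($sec in $required.Keys) {
        if (-not $Ini.Contains($sec)) { $findings.Add("MISSING section [$sec]"); continue }
        foreach ($key in $required[$sec]) {
            if (-not $Ini[$sec].Contains($key)) { $findings.Add("MISSING [$sec] $key") }
            elseif ($Ini[$sec][$key] -eq '') { $findings.Add("EMPTY [$sec] $key") }
        }
    }
    $opt = if ($Ini.Contains('Options')) { $Ini['Options'] } else { @{} }
    # Site codes are three alphanumeric characters (product rule, not stated on this page).
    if ($opt['SiteCode'] -and $opt['SiteCode'] -notmatch '^[A-Za-z0-9]{3}$') {
        $findings.Add("INVALID SiteCode '$($opt['SiteCode'])'")
    }
    foreach ($key in 'ManagementPointProtocol', 'DistributionPointProtocol') {
        if ($opt[$key] -eq 'HTTP') { $findings.Add("REVIEW $key=HTTP; HTTPS needs the certificate before setup") }
    }
    if ($opt['ClientsUsePKICertificate'] -eq '0') { $findings.Add('REVIEW ClientsUsePKICertificate=0') }
    foreach ($key in @($opt.Keys)) {
        # \\server\X$ is an administrative share, readable only by administrators of that server.
        if ($opt[$key] -match '^\\\\[^\\]+\\[A-Za-z]\$(\\|$)') { $findings.Add("REVIEW $key uses an administrative share") }
    }
    $parent = if ($Ini.Contains('HierarchyExpansionOption')) { $Ini['HierarchyExpansionOption']['CCARSiteServer'] }
    # Per the page, these three cannot be changed after installation without reinstalling the site.
    [pscustomobject]@{
        Findings  = $findings.ToArray()
        Immutable = [pscustomobject]@{ SiteCode = $opt['SiteCode']; SiteName = $opt['SiteName']; ParentCAS = $parent }
    }
}

# Sample input: the ConfigMgrAutoSave_NYC.ini contents shown on this page.
$sample = @'
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=EVAL
SiteCode=NYC
SiteName=New York City Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=NYC-CFG.Adatum.com
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath=\\LON-CAS\E$\ConfigMgr2012R2\Redist
MobileDeviceLanguage=0
ManagementPoint= NYC-CFG.Adatum.com
ManagementPointProtocol=HTTP
DistributionPoint= NYC-CFG.Adatum.com
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
SQLServerName= NYC-CFG.Adatum.com
DatabaseName=CM_NYC
SQLSSBPort=4022
SQLDataFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
SQLLogFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
[HierarchyExpansionOption]
CCARSiteServer=LON-CAS.Adatum.COM
'@ -split '\r?\n'
$result = Test-SetupIni -Ini (Read-SetupIni -Lines $sample)
$result.Immutable | Format-List
$result.Findings
```

To check a file on disk, pass `(Get-Content -LiteralPath <path to the .ini file>)` as the -Lines argument instead of the embedded sample.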
Task 2: Run Setup for Configuration Manager 2012 and use the script option
1. On NYC-CFG, open an Administrator: Command Prompt window.
2. At the command prompt, type the following commands. Press Enter after each command line:
Net Use I: \\LON-CAS\E$\ConfigMgr2012R2
I:
cd smssetup\bin\X64
setup /script I:\NYC\ConfigMgrAutoSave_NYC.ini
Note: The Configuration Manager Setup will run in unattended mode. The installation
process may take up to 30 minutes. You can use Task Manager to monitor the Setup progress.
On the Details tab, when you see CcmExec.exe as a running process, the setup is complete.
Results: At the end of this exercise, you should have installed a System Center 2012 R2 Configuration
Manager primary site in an existing hierarchy by using the automated setup method.
Question: Which roles cannot be installed in a primary site if it is a member of a hierarchy?
Question: Which primary site roles, when installed in a multisite hierarchy, can support the
entire hierarchy with a single instance?
Lesson 5
Deploying Secondary Sites
If you have remote locations that connect to the primary site server’s location by using low bandwidth
network links, you may want to install secondary sites to manage the transfer of client data and
deployments. In this lesson, you will review the installation process for a secondary site.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the characteristics of a secondary site.
• Determine when you need to install a secondary site.
• Describe the process for installing a secondary site.
• Describe the site system roles that you can install in a secondary site.
What Is a Secondary Site?
If you have clients in remote locations and you
want to manage client-to-server communication
across slow network links, you have the option to
install a secondary site.
A secondary site:
• Cannot perform local administration tasks. A secondary site does not provide connectivity for the Configuration Manager console.
• Uses SQL Server Express or a local instance of SQL Server to store information. If a local SQL Server instance is not already installed, the secondary site installation process will install SQL Server Express.
• Uses SQL Server replication to replicate a subset of global data from the primary site.
• Replicates information to its primary site using file-based replication.
• Supports routing of file-based content to other secondary sites.
• By design, includes a management point and a distribution point on the site server. The secondary site and all its components are managed from its parent primary site.
Each primary site can support up to 250 secondary sites. Each secondary site can support communications
from up to 5,000 clients. However, the total number of clients assigned to a primary site with multiple
child secondary sites still cannot exceed 100,000 clients.
Determining Whether to Install a Secondary Site
You should install a secondary site only if you
need to manage client data and content across
low bandwidth networks. Managing client data
transfer includes managing the download of
policies from the management point to the client.
Additionally, client data transfer includes the
upload of hardware and software inventory and
other types of client data from the client to the
primary site. It is possible to manage client data
transfers for clients within the boundaries of a
secondary site because the secondary site’s
management point acts as a proxy for the parent
primary site’s management point.
Because a secondary site also includes a distribution point on its site server, you can control the transfer
of deployment-related files, including applications, packages, software updates, and operating system
images.
A secondary site does not provide local connectivity for the Configuration Manager consoles. You need to
manage the secondary site by using a console that is connected to the parent primary site.
Installing a Secondary Site
You install secondary sites from the primary site
that will be the secondary site’s parent. After
installation, you cannot change the parent of a
secondary site without removing the secondary
site and reinstalling it from a different parent.
Before installing the secondary site, you should
complete the following preparation steps:
• Prepare the intended secondary site server with the appropriate prerequisites.
• Decide whether to use SQL Server or SQL Server Express. If you use SQL Server, you must preinstall SQL Server on the intended secondary site server.
• Add the primary site server computer account to the local Administrators group of the new secondary site server.
• Ensure that the user performing the installation has:
   o Local Administrator rights on the intended secondary site computer.
   o Local Administrator rights on the remote site database server for the primary site.
   o The Infrastructure Administrator or Full Administrator security role on the parent primary site.
• Choose the account you want to use for site-to-site communications. The account you use for site-to-site communications must have local administrator rights on the parent site. The default is the parent site computer account.
After you prepare the server, you start the secondary site installation from within the Configuration
Manager console by using the Create Secondary Site Wizard. After completing the wizard, you can
monitor the progress of the installation in the Configuration Manager console. After selecting the
secondary site, click Show Install Status on the ribbon to monitor the installation progress.
The following table lists the steps in the Create Secondary Site Wizard, and the information that you enter
for each step.
| Wizard page | Input required |
| --- | --- |
| Before You Begin | This page briefly describes the Create Secondary Site Wizard, and lists the site that will be the parent for this secondary site. There is no input on this page; however, you should verify that the correct parent site displays before continuing. |
| General | Configure the site code, the FQDN of the intended secondary site server, the site name, and the installation directory. |
| Installation Source Files | You need to specify the source of the files. You can copy the files from the parent site to the secondary site, use source files from a network location, or use source files that are already available locally on the secondary site server. |
| SQL Server Settings | You have the option to install and configure SQL Server Express or to use an existing instance of SQL Server. SQL Server Express options include the SQL Server service port and SQL Server Service Broker port. When using an existing SQL Server instance, you need to specify the FQDN of the SQL Server, an instance name if applicable, the database name, and the SQL Server Service Broker port. |
| Distribution Point | This page contains the distribution point settings. If necessary, you can install Internet Information Services (IIS) on the secondary site server. Additionally, you configure the client communication settings and you can configure the distribution point for prestaged content. |
| Drive Settings | You configure the drive space reserve, the minimum free space Configuration Manager will leave on a drive. Additionally, you can configure the drives to locate the content. |
| Content Validation | You can set a schedule to validate the content of the distribution point with the source. |
| Boundary Groups | You should identify the boundary groups on which this distribution point will be available. |
Windows PowerShell
System Center 2012 Configuration Manager SP1 introduced support for additional Windows PowerShell
Configuration Manager cmdlets, including a cmdlet for installing a secondary site. You can use the
New-CMSecondarySite cmdlet to install a secondary site. For more information about the options
available with this cmdlet, see: http://technet.microsoft.com/en-us/library/jj850174(v=sc.10).aspx.
Configuring a Secondary Site
A secondary site can support a limited number
of the optional Configuration Manager roles. The
following table shows the optional roles that you
can install in a secondary site and whether they
provide site-only functionality or hierarchy-wide
functionality.
| Site system role | Scope | Notes |
|---|---|---|
| Distribution point | Site | By default, Setup installs a distribution point when a secondary site is installed. |
| Management point | Site | By default, Setup installs a management point when a secondary site is installed. |
| Software update point | Site | You can install a software update point in a secondary site so that clients will not have to access a software update point across a low bandwidth WAN link. |
| State migration point | Site | You can install a state migration point in a secondary site to support operating system deployment operations in a remote location. |
| System Health Validator point | Hierarchy | You can install a System Health Validator point in a secondary site to support Network Access Protection (NAP) operations in a remote location. |
Lab C: Installing a Secondary Site
Scenario
You are a network administrator for A. Datum Corporation. A. Datum wants to deploy System Center 2012
Configuration Manager in a complex hierarchy with a central administration site, two primary sites, and a
secondary site.
Previously, you installed the central administration site and two primary sites.
Objectives
You must install a secondary site under the existing New York primary site by:
1. Configuring prerequisites.
2. Installing a secondary site from a primary site.
3. Validating the installation.
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 10748C-LON-DC1-B, 10748C-LON-CFG-B, 10748C-LON-CAS-B, 10748C-NYC-CFG-B, 10748C-TOR-CFG-B
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
1. On the host computer, if it is not already started, start Hyper-V Manager.
2. In Hyper-V Manager, verify that 10748C-LON-DC1-B, 10748C-LON-CAS-B, and 10748C-NYC-CFG-B are still running and connected, and that you are signed in as Adatum\Administrator.
3. Do not start 10748C-TOR-CFG-B until the lab instructs you to.
Exercise 1: Configuring Prerequisites
Scenario
You need to validate that the prerequisites required for the secondary site installation are configured
correctly on the server.
The main tasks for this exercise are as follows:
1. Prepare the environment for the TOR-CFG secondary site.
2. Start TOR-CFG and launch Server Manager.
3. Verify that Web Server (IIS) and related role services are installed.
4. Verify that the BITS and remote differential compression features are installed.
 Task 1: Prepare the environment for the TOR-CFG secondary site
• On LON-DC1, add TOR-CFG to the ConfigMgrServers security group.
 Task 2: Start TOR-CFG and launch Server Manager
1. Start 10748C-TOR-CFG-B, and then sign in as Adatum\Administrator.
2. Start Server Manager.
3. On TOR-CFG, from Server Manager, open Computer Management.
4. Expand Local Users and Groups, and then click the Groups node.
5. Add the computer account of the primary site server NYC-CFG to the local Administrators group.
6. Close the Computer Management console.
 Task 3: Verify that Web Server (IIS) and related role services are installed
• In the Server Manager console, click Local Server, and then under the Roles and Features section, verify that the following Role Services are installed:
  o Common HTTP Features
    ▪ Default Document
  o Security
    ▪ Windows Authentication
  o Application Development
    ▪ ASP.NET 3.5
    ▪ ASP.NET 4.5
    ▪ .NET Extensibility 3.5
    ▪ .NET Extensibility 4.5
  o IIS 6 Management Compatibility
    ▪ IIS 6 Metabase Compatibility
    ▪ IIS 6 WMI Compatibility
 Task 4: Verify that the BITS and remote differential compression features are
installed
• In the Server Manager console, under the Roles And Features section, verify that the following features are installed:
  o .NET Framework 3.5 Features
  o .NET Framework 4.5 Features
  o Background Intelligent Transfer Service (BITS)
  o Remote differential compression
Results: At the end of this exercise, you should have validated the prerequisites for installing a System
Center 2012 Configuration Manager secondary site.
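The checks in Exercise 1 can also be scripted. The following Windows PowerShell script is an added example, not part of the course material. The feature names are the Windows Server 2012 names for the role services and features listed in Tasks 3 and 4; the parent server name NYC-CFG and the English group name Administrators come from the lab and are assumptions for any other environment.

```powershell
# Added example (not from the course): verifies the Exercise 1 prerequisites on the
# local server. Run in an elevated Windows PowerShell 3.0+ session on TOR-CFG.
param(
    # Assumption: parent primary site server, as named in the lab.
    [string]$ParentSiteServer = 'NYC-CFG'
)

Import-Module ServerManager

# Display name used in the lab -> Windows Server 2012 feature name.
$required = [ordered]@{
    'Common HTTP Features'                           = 'Web-Common-Http'
    'Default Document'                               = 'Web-Default-Doc'
    'Security'                                       = 'Web-Security'
    'Windows Authentication'                         = 'Web-Windows-Auth'
    'Application Development'                        = 'Web-App-Dev'
    'ASP.NET 3.5'                                    = 'Web-Asp-Net'
    'ASP.NET 4.5'                                    = 'Web-Asp-Net45'
    '.NET Extensibility 3.5'                         = 'Web-Net-Ext'
    '.NET Extensibility 4.5'                         = 'Web-Net-Ext45'
    'IIS 6 Management Compatibility'                 = 'Web-Mgmt-Compat'
    'IIS 6 Metabase Compatibility'                   = 'Web-Metabase'
    'IIS 6 WMI Compatibility'                        = 'Web-WMI'
    '.NET Framework 3.5 Features'                    = 'NET-Framework-Features'
    '.NET Framework 4.5 Features'                    = 'NET-Framework-45-Features'
    'Background Intelligent Transfer Service (BITS)' = 'BITS'
    'Remote differential compression'                = 'RDC'
}

# Query all required features in one call and index the install state by name.
$state = @{}
Get-WindowsFeature -Name @($required.Values) -ErrorAction SilentlyContinue |
    ForEach-Object { $state[$_.Name] = $_.Installed }

$report = New-Object System.Collections.Generic.List[object]
foreach ($item in $required.GetEnumerator()) {
    $report.Add([pscustomobject]@{
        Check  = $item.Key
        Detail = $item.Value
        Passed = [bool]$state[$item.Value]   # missing or unknown feature -> $false
    })
}

# Task 2, step 5: the parent site server's computer account must be a member of
# the local Administrators group. Computer accounts are listed with a trailing '$'.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$account = $ParentSiteServer + '$'
$report.Add([pscustomobject]@{
    Check  = 'Parent site server is a local administrator'
    Detail = $account
    Passed = ($members -contains $account)
})

$report | Format-Table -AutoSize

$failed = @($report | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning ('{0} prerequisite check(s) failed.' -f $failed.Count)
    exit 1
}
Write-Output 'All secondary site prerequisites verified.'
```

The script only reads state; it does not install features or change group membership, so it is safe to rerun after each correction.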
Exercise 2: Installing a Secondary Site from a Primary Site
Scenario
You need to perform the installation of the secondary site in the Toronto branch office with the site code
TOR on the TOR-CFG.adatum.com server by running the Secondary Site Installation Wizard from the New
York primary site.
The main task for this exercise is as follows:
1. Run the Secondary Site Installation Wizard.
 Task 1: Run the Secondary Site Installation Wizard
1. On NYC-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, under Site Configuration, click the Sites node.
3. In the results pane, select NYC – New York City Primary Site, and then, on the ribbon, click Create Secondary Site.
4. In the Create Secondary Site Wizard, use the following settings to install a secondary site:
   a. On the General page, configure the following options:
      ▪ Site code: TOR
      ▪ Site server name: TOR-CFG.Adatum.com
      ▪ Site Name: Toronto Secondary Site
   b. On the Installation Source Files page, click Copy installation source files over the network from the parent site server.
   c. On the SQL Server Settings page, click Install and configure a local copy of SQL Server Express on the secondary site computer, and then verify that the following information is specified:
      ▪ SQL Server service port: 1433
      ▪ SQL Server Service Broker Port: 4022
   d. On the Distribution Point page, accept the default settings.
   e. On the Drive Settings page, accept the default settings.
   f. On the Content Validation page, accept the default settings.
   g. On the Boundary Groups page, accept the default settings.
   h. Finalize and close the wizard.
   Note: When the Create Secondary Site Wizard finishes, the installation will continue in the background on the target server. To validate the installation, verify the installation logs in the next exercise.
5. In the Configuration Manager console, select TOR – Toronto Secondary Site, and then, on the ribbon, click Show Install Status. Review the progress of the installation actions, click Refresh to monitor the status, and then close the dialog box. It takes approximately 15-20 minutes for the installation to complete.
Results: At the end of this exercise, you should have installed the System Center 2012 Configuration
Manager secondary site.
Exercise 3: Validating the Installation
Scenario
You need to validate the installation of the secondary site. You will review the setup log found on the
secondary site server after installation and view the system status of the secondary site by using the
Configuration Manager console that is connected to the parent primary site.
The main tasks for this exercise are as follows:
1. View the setup logs.
2. View the system status for the new secondary site.
3. To prepare for the next module.
 Task 1: View the setup logs
• On TOR-CFG, open Windows Explorer, navigate to drive C, and then open the ConfigMgrSetup.log file in Notepad. Review the file, note any errors or warnings reported by Setup, and then close Notepad.
 Task 2: View the system status for the new secondary site
1. On NYC-CFG, in the Configuration Manager console, in the Monitoring workspace, under the Site Status node, view the status of the site systems for TOR-CFG.
   Note: You can view the secondary site status at the parent primary site and at the central administration site. It may take several minutes until the installation finishes and the secondary site status appears in the console.
2. Under the Component Status node, view the status of the components for TOR-CFG.
3. Under the Database Replication node, view the status of the replication link between NYC and TOR. It should show that the link is active.
4. Under the Site Hierarchy node, view the site hierarchy diagram. On the NYC icon, click the plus sign to view TOR.
   Note: The line between NYC and TOR represents the state of the database replication between the sites. This line can have several different symbols depending on the replication status.
   • ? in a white circle is shown when the status has not yet been reported.
   • X in a red circle is shown when the status has been reported and the initial replication is incomplete or there is an error during ongoing replication.
   • √ in a green circle is shown when the initial replication has completed successfully and there are no errors in the ongoing replication.
 Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-B, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CAS-B, 10748C-NYC-CFG-B, 10748C-LON-CFG-B, and 10748C-TOR-CFG-B.
Results: At the end of this exercise, you should have validated the installation of a System Center 2012
Configuration Manager secondary site.
Question: How do you install a secondary site?
Question: What site roles are installed in a secondary site?
Question: When can you use a distribution point instead of a secondary site?
Module Review and Takeaways
Review Questions
Question: Which roles cannot be installed in the central administration site?
Question: Which roles cannot be installed in a child primary site?
Question: How can you install a secondary site?
Tools
The tools in the following table are useful during the Configuration Manager deployment process.
| Tool | Use | Where to find it |
|---|---|---|
| Extadsch.exe | To extend the Active Directory® Domain Services schema | Configuration Manager installation media in the \smssetup\bin\x64\ folder |
| Ldifde.exe | As an alternative method for extending the Active Directory schema | Built-in Windows tool |
| SetupDL.exe | To predownload updated components required for Configuration Manager installation | Configuration Manager installation media in the \smssetup\bin\x64\ folder |
| Prereqchk.exe | To verify that a system is ready for Configuration Manager installation | Configuration Manager installation media in the \smssetup\bin\x64\ folder |
Module 5
Replicating Data and Managing Content in Configuration Manager 2012
Contents:
Module Overview
Lesson 1: Introduction to Data Types and Replication
Lesson 2: Managing Data Replication
Lab A: Configuring, Monitoring, and Troubleshooting Data Replication
Lesson 3: Planning Content Management
Lab B: Planning and Configuring Content Management
Module Review and Takeaways
Module Overview
In a Microsoft® System Center 2012 R2 Configuration Manager multiple-site hierarchy, data is transferred
between sites to allow for centralized administration and reporting. Understanding how data transfer
works helps you monitor the data flow in your Configuration Manager hierarchy and troubleshoot
replication issues.
Configuration Manager 2012 uses database replication and file-based transfer to transfer data between
sites. The data transfer method that Configuration Manager 2012 uses depends on the type of data it is
transferring.
In this module, you will review the data types, including global data, site data, and content. You will also
examine the location of the data and the replication process of the data to other sites in a Configuration
Manager hierarchy. Additionally, you will use the features in the Configuration Manager console to
monitor and troubleshoot replication.
Configuration Manager 2012 relies on the distribution point infrastructure to provide content
management functionality. In this module, you will review the content management features, plan the
configuration of distribution points, and distribute and monitor content. You will also perform content
validation and content prestaging.
Objectives
After completing this module, you will be able to:
• Describe site and global data types and how data is replicated throughout the hierarchy.
• Manage data replication.
• Plan for content management.
Lesson 1
Introduction to Data Types and Replication
Configuration Manager 2012 data that is transferred between sites is categorized in three data types:
global data, site data, and content. Depending on its type, some data is copied to all sites; other data is
copied to only some sites in the hierarchy. By understanding each data type—where it is created, how it is
transferred, and where it is used—you can monitor and troubleshoot Configuration Manager inter-site
communication efficiently.
In this lesson, you will review where each of these types of data is created and used in a Configuration
Manager hierarchy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the different types of data that Configuration Manager 2012 uses.
• Describe the types of global data.
• Describe the types of site data.
• Describe the content types.
• Describe database replication and file-based replication.
• Describe how global data is replicated in a hierarchy.
• Describe how site data is replicated in a hierarchy.
• Describe how content is transferred between sites and within the same site.
Data Types in Configuration Manager 2012
System Center 2012 Configuration Manager uses site-to-site communications to transfer the following types of data between sites:
• Global data, which consists of objects that an administrator creates at the central administration site or at primary sites.
• Site data, which is operational information that site systems in a primary site and the clients assigned to them generate automatically.
• Content, such as packages, application files, and software updates that deployments use.
Depending on its type, data can be used in the local site only or can be replicated to other sites in the
hierarchy. The administrator determines where content is transferred by configuring content distribution.
Configuration Manager 2012 uses different replication methods, depending on the data type being
replicated.
The following table summarizes the three data types, where they are created, and the replication methods
used.
| Data type | Where it is created | Where it is transferred | Replication method |
|---|---|---|---|
| Global data | At the central administration site and at primary sites | To the central administration site and all primary sites; a subset of global data is transferred to secondary sites | Database replication |
| Site data | At primary sites | To the central administration site | Database replication |
| | At secondary sites | To the parent primary site | File-based replication |
| Content | At primary sites and at the central administration site | To distribution points in the same site or child sites in a hierarchy | File-based replication |
Note: You will learn about database replication and file-based replication in more detail in
Lesson 2.
Types of Global Data
Global data consists of objects that administrators
create at the central administration site or at
primary sites. Administrators can create global
data by using the Configuration Manager console
connected to the central administration site or to
primary sites.
An example of global data is collection
membership rules. The administrator creates
the collection membership rules that define
each collection. Collection rules’ definitions
are replicated throughout the hierarchy and
evaluated at each site to determine the list of
collection members.
In contrast, the list of collection members is site data. You will see an explanation of collection members in
the next topic.
Global data is replicated automatically from the primary site where it is created to the central
administration site and to all the other primary sites; global data created at the central administration
site is also replicated to all primary sites. A subset of global data is replicated to secondary sites. Because
of this, an administrator sees global data in the same way regardless of the site database to which he or
she connects with the Configuration Manager console. For example, a collection definition that an
administrator creates at one of the sites is replicated to the central administration site and all primary
sites in the hierarchy.
The following table lists some examples of global data.
| Global data types | Usage |
|---|---|
| Alert rules | Alert rules determine when to notify the administrators for specific events by specifying the events that will raise alerts and the recipients who will receive the alerts. |
| Collection rules | Collection rules determine the membership of each collection. Four types of collection rules exist: direct, query, include, or exclude. The collection rules are evaluated independently at each primary site. |
| Deployments | Deployment definitions describe the objects associated in a deployment, including the content to be deployed and the collection to which it is deployed. |
| Package metadata | Package metadata contains information about the software and the source files used in a deployment, platforms on which the software can be deployed, and other information necessary to perform the deployment. |
| Program metadata | Program metadata contains information about the command line and parameters that Configuration Manager uses to perform a deployment. |
| Software update deployments | Software update deployment definitions contain information about the objects used in a software update deployment, including the updates to be deployed and the collection to which they are deployed. |
| Software update metadata | Software update metadata contains information about the executable files included in software updates, platforms to which the updates apply, and other useful software update information, such as language, name, date released, and sensitivity. |
| Configuration item metadata | Configuration item metadata contains the definition of configuration items used to determine the compliance of managed systems with configuration settings that the administrator defines. |
| Task sequence metadata | Task sequence metadata defines the task sequence as individual steps to be executed. |
| Site control definition | The site control definition contains information about the site configuration. |
| Site servers list | The site servers list contains the list of servers and corresponding site system roles installed in each site. |
| Role-based administration security roles, security scopes, and administrative users | Security roles are assigned to administrative users to grant permissions on object types in the Configuration Manager hierarchy. Security scopes limit administrative permissions to specific objects in the hierarchy. Administrative users associate roles, scopes, and collections to the Active Directory® Domain Services (AD DS) users and groups. |
Types of Site Data
Site data is operational information that
Configuration Manager sites and clients generate
automatically. After site data is generated at the
originating primary site or secondary site, it
replicates to the central administration site but
not to other primary or secondary sites.
For example, primary sites use collection rules to
determine collection membership, resulting in the
list of members. The list of members is an example
of site data. The list contains clients assigned to a
primary site, and clients that meet the collection’s
membership criteria.
Another example of site data is client inventory. Clients generate hardware and software inventory, which
is then added to each primary site’s database, which in turn replicates to the central administration site.
The following table lists some examples of site data.
| Site data types | Description |
|---|---|
| Alert messages | Site systems at each site generate alert messages. |
| Collection membership lists | Collection membership lists contain the objects that are members of the collection after evaluating the collection rules at each primary site. |
| Hardware inventory data | The hardware inventory client agent collects hardware inventory data from the Configuration Manager clients. |
| Software inventory data | The software inventory client agent collects software inventory data from the Configuration Manager clients. |
| Software metering data | The software metering client agent collects software metering data from the Configuration Manager clients. |
| Asset Intelligence data | Asset Intelligence data adds additional classes and attributes to the data collected by the hardware inventory agent at the Configuration Manager clients. |
| Status messages and alerts | Site systems and clients generate status messages to report status information to the site server. The site server generates alerts when it encounters specific error conditions that administrators have configured. |
| Software distribution status details | Clients generate software distribution status details that report the status of a particular deployment. |
| Component and site status summarizers | Component and site status summarizers aggregate status messages to determine the overall health status of the site systems and components. |
| Client health data | Configuration Manager determines client health data by using information such as last connection time, hardware inventory, and software inventory. |
| Client health history | Client health history contains aggregated information about client health. You can use client health history to obtain reports about client health over a specific period. |
| Wake On LAN data | Wake On LAN data contains the history of all Wake On LAN operations performed. |
| Quarantine client restriction history | Quarantine client restriction history contains the list of clients that are restricted by Network Access Protection. |
If the Configuration Manager console is connected to a primary site, you will see the global data and only
the site data that has originated from that site or any child secondary site. To see site data from all sites
and to perform administration and reporting for the entire hierarchy, you must use a Configuration
Manager console at the central administration site. You can modify site data only at the primary site
where it was created.
Content Types
Configuration Manager administrators create
content at the central administration site or at
primary sites. Content is transferred down the
hierarchy to site servers and distribution points
according to distribution settings that
administrators configure.
Configuration Manager 2012 uses the same Server
Message Block–based (SMB-based), file-based
replication mechanism as Configuration Manager
2007 to transfer content, such as packages,
between sites.
| Content | Description |
|---|---|
| Applications | Applications contain all objects used to deploy software. The application metadata, definitions for deployment types, requirements, supersedence, and other application settings for deploying software are replicated by using the new application model; however, only the source files are replicated by using file-based replication. |
| Software packages | Software packages contain source files and definitions used to deploy software by using the classic software deployment model. |
| Software update packages | Software update packages contain software update metadata and update files used to perform update management. |
| Driver packages | Driver packages contain driver metadata and driver files. Driver packages are used for operating system deployments. Only the driver files are replicated by using file-based replication. |
| Operating system images | Operating system images contain preconfigured operating system installations. These images are used for operating system deployments. |
| Operating system installers | Operating system installers contain installation files imported from the installation media. Operating system deployments utilize these installers. |
| Boot images | Boot images contain the Windows Preinstallation Environment (Windows PE) that is used to boot computers and initiate the operating system deployment process. |
Intersite Communication in Configuration Manager 2012
Within a hierarchy, the sites communicate
with each other by exchanging data. The
communications occur by using either
database replication or file-based replication.
Database Replication
Configuration Manager 2012 database replication
is a custom replication method. Configuration
Manager 2012 does not use the older replication
methods included in Microsoft SQL Server®, such
as transactional replication. You do not need to
install SQL Server–based replication components.
Configuration Manager database replication uses SQL Server Service Broker to transfer data between
SQL Server databases installed in different sites in a hierarchy.
By default, the Configuration Manager database replication mechanism uses the following ports to
transfer data:
• Port 1433 for the SQL Server instance
• Port 4022 for the SQL Server Service Broker
If you have configured the SQL Server instance to use different ports, the SQL Server Service port will
be detected automatically and you will have to specify a non-default SQL Server Service Broker port.
File-Based Replication
File-based replication between Configuration Manager 2012 sites uses the same mechanism as
Configuration Manager 2007 replication. This mechanism is based on senders and the SMB protocol.
The SMB protocol uses TCP port 445.
Note: A sender is the communication mechanism implemented in Configuration Manager
to transmit data between sites and control bandwidth usage. The sender uses SMB as the
underlying communication protocol. Unlike Configuration Manager 2007, Configuration
Manager 2012 supports only a single type of sender.
Configuration Manager 2012 secondary sites use file-based replication to transfer site data to their parent
primary site. File-based replication is also used to transfer fallback status point state messages to the
assigned site when a client’s assigned site does not have a fallback status point. In addition, the initial
transfer of discovery data records to the assigned site requires the use of file-based replication.
The following table summarizes data types that are transferred by using file-based replication between
sites.
| Data | Destination |
|---|---|
| Package files used by deployments | Sent to distribution points located in primary and secondary sites. |
| Secondary site data | Sent to the parent primary site of the secondary site. |
| Fallback status point state messages | Forwarded to the assigned site when only a single fallback status point is in use in a hierarchy. |
| Discovery data records | Forwarded to the assigned site when clients are not assigned to the site that discovered them. The discovery data record is processed locally at the assigned site and the information is replicated to other sites in the hierarchy by using database replication. |
| Data collected from clients at secondary sites | Transferred to the parent primary site by using file-based replication. |
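When database or file-based replication does not start, a firewall between the sites is a common cause, so it helps to confirm that only the ports named above need to be open and that they are reachable. The following Windows PowerShell script is an added example, not part of the course material. It assumes that it runs on a secondary site server, that the parent site database is hosted on the parent site server, and that NYC-CFG.adatum.com (a name assumed from the lab hierarchy) is that server.

```powershell
# Added example (not from the course): run on a secondary site server to confirm that
# the parent primary site is reachable on the intersite replication ports.
param(
    # Assumption: FQDN of the parent primary site server, which also hosts the site database.
    [string]$ParentSiteServer = 'NYC-CFG.adatum.com',
    [int]$SqlPort    = 1433,   # default SQL Server instance port
    [int]$BrokerPort = 4022,   # default Service Broker port; change if you configured a non-default port
    [int]$TimeoutMs  = 3000
)

function Test-TcpPort {
    # Returns $true when a TCP connection to the port succeeds within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false            # filtered or dropped: no answer before the timeout
        }
        $client.EndConnect($pending) # throws when the connection was refused
        return $client.Connected
    }
    catch {
        return $false                # refused, unreachable, or name resolution failure
    }
    finally {
        $client.Close()
    }
}

# One entry per port, tagged with the replication method that depends on it.
$checks = @(
    @{ Port = $SqlPort;    Method = 'Database replication';   Use = 'SQL Server instance' },
    @{ Port = $BrokerPort; Method = 'Database replication';   Use = 'SQL Server Service Broker' },
    @{ Port = 445;         Method = 'File-based replication'; Use = 'SMB (sender)' }
)

$results = foreach ($check in $checks) {
    [pscustomobject]@{
        Target    = $ParentSiteServer
        Port      = $check.Port
        Use       = $check.Use
        Method    = $check.Method
        Reachable = Test-TcpPort -ComputerName $ParentSiteServer -Port $check.Port -TimeoutMs $TimeoutMs
    }
}

$results | Format-Table -AutoSize

# Summarize which replication method is affected by each unreachable port.
$blocked = @($results | Where-Object { -not $_.Reachable })
foreach ($group in ($blocked | Group-Object -Property Method)) {
    $ports = ($group.Group | ForEach-Object { $_.Port }) -join ', '
    Write-Warning ('{0} to {1} is blocked on TCP port(s): {2}' -f $group.Name, $ParentSiteServer, $ports)
}
if ($blocked.Count -eq 0) {
    Write-Output 'All intersite replication ports are reachable.'
}
```

A successful connection shows only that the port is open on the path; the replication link status itself is still read from the Database Replication node in the Monitoring workspace.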
How Global Data Is Replicated in a Hierarchy
Global data consists of configuration information
that administrators create. Global data is
replicated to all sites in the hierarchy.
Creation of Global Data
Administrators can create global data by using the
Configuration Manager console connected at the
central administration site or at any primary site.
The types of global data that an administrator can
create depend on the security roles assigned to
that administrator:
• Typically, the hierarchy administrator can create global data in any site in the hierarchy.
• Security scopes usually limit the primary site administrators’ permissions. This allows primary site administrators to manage objects from only their primary site. Any objects that they create are global data and will be replicated to the central administration site and all other primary sites.
Replication of Global Data
Global data is replicated to the central administration site and all primary sites in the hierarchy by using
database replication. A subset of global data is replicated to secondary sites by using database replication.
For example, consider a Configuration Manager hierarchy that consists of a central administration site and
two primary sites, Site A and Site B. An administrator creates a collection in primary Site A. The collection
definition, which includes membership rules, is replicated to the central administration site and to primary
Site B. The collection membership rules are evaluated at both primary sites; both Site A and Site B
determine the list of collection members for their respective sites based on collection membership rules.
Collection membership, however, is site data.
Multiple Edits of Global Data
Different administrators who are in different locations can attempt to edit the same global object at the
same time. To prevent multiple administrators from editing the same data, when the first administrator
opens an object for editing, this action places a lock on the object. When other administrators attempt to
open the object, they will receive a message indicating that the object is in use and is available as read-only. After the first administrator closes the object, other administrators can edit the object.
How Site Data Is Replicated in a Hierarchy
Site data is generated automatically as a
result of site activity. Configuration Manager
administrators can review and delete site data,
but depending on how it was created, it may
be generated again.
Creation of Site Data
Both Configuration Manager clients and site
systems in each site can generate site data. For
example:
• A site server can generate an alert if the replication between sites is not functioning correctly.
• A client collects hardware and software inventory and sends it to its assigned primary site.
• A client sends status messages related to a deployment to the primary site.
Replication of Site Data
Site data is located at the originating primary site and is replicated to only the central administration site
by using database replication. Secondary sites use file-based replication to transfer site data to their
parent primary site.
Accessing Site Data
Site data is available in the Configuration Manager console and through reports. When using reports,
administrators can access site data from a primary site or from the entire hierarchy, depending on the
location from which the reports are run. Hierarchy administrators can access site data from all sites in
the hierarchy by connecting the Configuration Manager console to the central administration site or
by running reports on a reporting services point in the central administration site. Administrators who
connect the Configuration Manager console to a primary site or run reports from a reporting point in a
primary site generate reports that contain site data from only the local site.
For example, consider a hierarchy that contains a central administration site, primary sites named Site A
and Site B, and a secondary site, Site C, which is a child of Site B. In this scenario, the site administrator
from Site A can access site data from only Site A and the site administrator from Site B can access site data
from only primary Site B and its secondary Site C. The administrator from the central administration site
can access site data from all the sites in the hierarchy.
How Content Is Replicated in a Hierarchy
Content, such as files that will be used for a
deployment, is distributed by using file-based
replication to site servers and distribution points
according to distribution settings that
administrators configure.
When planning for distributing content in a
Configuration Manager hierarchy, you must follow
your organization’s content lifecycle. You should
be able to answer the following questions:
• Where is content created?
• Where is content distributed?
• Where is content deployed?
By answering the questions above, you will be able to design your distribution infrastructure to fit your
organization’s needs. You will learn more about planning for content management in Lesson 3, later in
this module.
Content Creation
Configuration Manager administrators can create content at any primary site or central administration
site.
Initially, content is placed in the content library located on the site server in the originating site. Content
library, a new feature included in Configuration Manager 2012, implements single-instance storage for
content.
Content Distribution
After creating content, the administrator can distribute the content to distribution points—that the site
is aware of—located throughout the hierarchy. One method administrators can use to distribute content
simultaneously to multiple distribution points is to implement distribution point groups. When an
administrator assigns a package to a distribution point group, the package will be transferred to all
distribution points that are part of that group. When an administrator adds a new distribution point to
the distribution point group, the content is distributed automatically to the new distribution point.
Content is transferred between sites by using senders that use the SMB protocol. Content is transferred
within the same site between the site server and distribution points by using Package Transfer Manager,
which also uses file-based replication and the SMB protocol. For this reason, any firewalls located between
sites, and between the site servers and distribution points, must allow SMB traffic.
The administrator can configure content routing between two secondary sites by configuring the content
to be copied from a secondary site to another secondary site instead of directly from the primary site
server. This process can reduce the network traffic on the link between a secondary site and parent
primary site if the secondary sites have a better connection among themselves than with the parent site.
Content Deployment
Because deployment definitions are global data and are replicated to all sites in the hierarchy, an
administrator from a primary site can deploy content that an administrator creates in a different primary
site. However, to perform the deployment successfully, and so that clients can access the content locally,
the content should first be distributed to distribution points in the local primary site.
Configuration Manager clients connect by using HTTP or HTTPS to a distribution point in their assigned
site that has the content available, download the content, and install it on the local system, according to
the deployment settings received in the policy. Because the transfer from the distribution point to the
local system uses HTTP or HTTPS, the traffic can usually pass through any firewalls.
Lesson 2
Managing Data Replication
When you install a primary site or a secondary site in an existing Configuration Manager hierarchy,
database replication is configured automatically with the parent site. Additionally, when expanding a
Configuration Manager 2012 stand-alone site into a hierarchy with a central administration site, database
replication is automatically configured. However, you can configure some settings for use by the new site,
such as the SQL Server ports and the SQL Server instance. After upgrading to Configuration Manager R2
or Configuration Manager SP1, you benefit from the additional configuration options, including defining
on-demand data replication.
In the Configuration Manager console, you can monitor Configuration Manager database replication. You
can use tools, such as Replication Link Analyzer, to troubleshoot the replication process.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to manage file-based replication.
• Describe how to manage database replication.
• Describe the tools for monitoring replication.
• Manage and monitor replication.
• Describe the reports for monitoring replication traffic.
• Describe how to troubleshoot replication.
Managing File-Based Replication
When you create a parent-child relationship in a
Configuration Manager hierarchy, replication is
configured automatically between the parent and
child sites. Later, you can create routes manually,
if you want to customize the connection
configuration. You can view the file-based
connections in the File Replication node,
under the Hierarchy Configuration folder in the
Administration workspace. For each parent-child
relationship that you create, a corresponding file
replication route is also created.
File-based replication used to communicate
between site servers uses a file replication account to connect to the SMS_SITE share on the destination
server; each file replication route can define a separate file replication account. When a site server is
installed, a local group named SMS_SiteToSiteConnection_xxx (where xxx is the site code) is created.
The SMS_SiteToSiteConnection_xxx group is granted change permissions to the SMS_SITE share and
modify permissions to the underlying folder. When a new file replication route is created, the destination
computer’s Active Directory computer account is added to the SMS_SiteToSiteConnection_xxx group.
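Because membership of SMS_SiteToSiteConnection_xxx carries write access to the SMS_SITE share, it is worth auditing on each site server. The following PowerShell is an added example, not part of the course material: the function name is hypothetical, the site code and account in the usage line are taken from the lab names used later in this module, and it assumes Windows PowerShell 5.1 with the LocalAccounts and SmbShare modules.

```powershell
# Added example: audit who can write to the SMS_SITE share on a site server.
# Run in an elevated session on the destination site server.

function Get-FileReplicationAccessReport {
    [CmdletBinding()]
    param(
        # Three-character site code of the local site (the xxx in the group name).
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9]{3}$')]
        [string]$SiteCode,

        # Accounts you expect in the group, as DOMAIN\name (computer accounts end in $).
        [Parameter(Mandatory)]
        [string[]]$ExpectedMembers
    )

    $groupName = "SMS_SiteToSiteConnection_$SiteCode"
    $report    = New-Object System.Collections.Generic.List[object]

    # 1. Every member of the group inherits write access to the SMS_SITE share.
    $members = @(Get-LocalGroupMember -Group $groupName -ErrorAction Stop)
    foreach ($member in $members) {
        $report.Add([pscustomobject]@{
            Check    = 'GroupMember'
            Identity = $member.Name
            Detail   = "$($member.ObjectClass) from $($member.PrincipalSource)"
            Status   = if ($ExpectedMembers -contains $member.Name) { 'Expected' } else { 'Review' }
        })
    }

    # 2. An expected sender that is missing cannot deliver files to this site.
    foreach ($name in $ExpectedMembers) {
        if ($members.Name -notcontains $name) {
            $report.Add([pscustomobject]@{
                Check    = 'GroupMember'
                Identity = $name
                Detail   = 'Not a member of the group'
                Status   = 'Missing'
            })
        }
    }

    # 3. Share-level entries on SMS_SITE. Any write-capable entry other than the
    #    site-to-site group is flagged for review rather than assumed to be wrong.
    foreach ($ace in Get-SmbShareAccess -Name 'SMS_SITE' -ErrorAction Stop) {
        $right    = "$($ace.AccessRight)"
        $canWrite = ("$($ace.AccessControlType)" -eq 'Allow') -and ($right -in 'Full', 'Change')
        $isGroup  = $ace.AccountName -like "*\$groupName"
        $status   = 'Expected'
        if ($canWrite -and -not $isGroup) { $status = 'Review' }
        $report.Add([pscustomobject]@{
            Check    = 'ShareAccess'
            Identity = $ace.AccountName
            Detail   = "$($ace.AccessControlType) $right"
            Status   = $status
        })
    }

    $report
}

# Constructed usage with the lab's names: on LON-CAS (site CAS), the expected
# sender is assumed to be the computer account of the S01 site server LON-CFG.
Get-FileReplicationAccessReport -SiteCode 'CAS' -ExpectedMembers 'ADATUM\LON-CFG$' |
    Sort-Object Status |
    Format-Table -AutoSize
```

The report covers share-level permissions only; the modify permission on the underlying folder is a separate NTFS ACL and is not read here.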
Note: Configuration Manager 2012 SP1 introduced name changes to the file-based
replication components for naming consistency with database replication. The following table
lists the name changes.
Prior to Configuration Manager 2012 SP1 | Configuration Manager 2012 SP1 and newer versions
Site Address Account | File replication account
Address | File replication route
Addresses node in the Configuration Manager console | File Replication node in the Configuration Manager console
You can configure a file replication route to support the connection to the remote site and to control the
bandwidth that the file replication route can use. A file replication route’s properties dialog box has three
tabs that you use to configure file-based replication:
• General tab. The General tab displays general information that you cannot change without recreating
the route. This includes the Source site code and site name, the Destination site code and site name,
and the destination server’s name. The configurable option on the General tab is the File Replication
Account. By default, the file replication route uses the source computer’s Active Directory account.
You can change the account that a primary site will use to any Active Directory account. Secondary
sites always use the computer account of the secondary site server as the File Replication Account.
The File Replication Account needs permissions to write to the destination site server’s SMS_SITE share.
• Schedule tab. You can use the Schedule tab to limit the amount of communication traffic during
configured time periods by restricting when data can be sent to the destination site. By default, the
file replication route is open to all priorities at all times. The following table describes the options for
configuring the schedule.
  Time | Priorities
  The minimum unit of time that you can schedule is one hour. You can choose any one-hour block, multiple one-hour blocks, entire days, or a block of time across all days. | For the selected blocks of time, you can choose: • Open for all priorities • Allow medium and high priority • Allow high priority only • Closed
• Rate Limits tab. The Rate Limits tab has configuration options to prevent Configuration Manager from
consuming all available bandwidth on the connection. The options for configuring the rate limits are:
  o Unlimited when sending to this destination. There are no limits on the bandwidth usage.
  o Pulse mode. You can specify the amount of data to send at one time, in kilobytes (KB), and how
    long to wait between transmissions, in seconds.
  o Limited to specified maximum transfer rates by hour. By using this setting, you can specify the
    maximum percentage of bandwidth that can be used during each hour of the day.
    ▪ You can configure how the data will be transmitted based on one-hour increments through
      the day.
    ▪ All days share the same schedule.
The file replication route relies on the sender process to transmit the data. The sender is the Configuration
Manager component that transmits the data from one site to another. You can control some behavior of
the sender by using the configuration options on the Sender tab in the site properties dialog box.
You can use the Maximum concurrent sendings option to specify the maximum number of simultaneous
communications. The following table describes the settings in this option.
Setting | Description
All sites | By default, the site will have a combined maximum number of five simultaneous communications to all sites.
Per site | By default, the site will have a maximum of three simultaneous communications to a single site.
You can use the Retry Settings option to specify what actions to take when a communication fails. The
following table describes the settings in this option.
Setting | Description
Number of retries | By default, a failed communication will be retried two times.
Delay before retrying (minutes) | By default, retries will be tried one minute apart.
Managing Database Replication
Configuration Manager database replication is
performed by using a custom replication method
based on SQL Server Service Broker that is built
into Configuration Manager.
Because Configuration Manager does not use
older SQL Server–based replication methods, such
as transactional replication, configuration settings
for Configuration Manager database replication
are not accessible in the SQL Management Studio
console. Therefore, Configuration Manager 2012
RTM database administrators had no ability to
manage the replication of Configuration Manager
data between sites. Administrators can monitor Configuration Manager database replication only in the
Configuration Manager console.
When you install a primary site in a hierarchy, or expand a primary site into a hierarchy when installing
a central administration site, replication is configured automatically between the primary site and the
central administration site. Similarly, replication is configured automatically between each secondary site
and the parent primary site.
Beginning with Configuration Manager 2012 SP1, a Configuration Manager administrator can configure
some database replication settings. There are several configuration options for managing the database
replication link:
• Distributed views. You can configure this option on the General tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can enable distributed views for
any or all of the following: Hardware inventory, Software inventory and software metering, and Status
messages. When you enable distributed views, the primary site does not replicate the selected
information to the central administration site. By default, these settings are not enabled. Distributed
views are only available for primary site to central administration site replication.
• Replication data summary. You can find this option on the General tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can use the Replication data
summary setting to configure how often Configuration Manager summarizes reporting data for
database replication traffic. By default, this interval is 15 minutes.
• Scheduling. You can schedule database replication on the Schedule tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can configure when replication
will be available throughout the week. Additionally, you can control which data will replicate during
those times, either All site data or any or all of the following:
  o Hardware inventory
  o Software inventory and software metering
  o Status messages
Additional database replication configuration options are available by right-clicking the
<ParentSiteCode><ChildSiteCode> Replication Link and selecting either Child Database Properties or
Parent Database Properties. On the Database tab of the <Site> Database Properties, you can configure
the following options:
• SQL Server Service Broker port. By default, the SQL Server Service Broker uses port 4022.
• Data compression. By default, compression is enabled. This setting applies to all the data replication
links.
• Data retention. Data retention can be set between 1 and 14 days, and is set to 5 days by default. If
replication is interrupted for longer than the data retention period, the global data will be reinitialized
from the parent site after replication is restored.
By default, database replication takes place over ports 1433 and 4022. These ports need to be open at
firewalls before installing the new Configuration Manager sites to allow replication between sites. Because
ports are configurable, you can change their settings during or after installation of the new sites. You also
need to ensure that the site server can communicate with the site database if the site database is hosted
on a separate server.
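To confirm that firewalls pass the replication traffic described in this lesson before a site is installed, you can test the paths from the server that will originate them. The following PowerShell is an added example, not part of the course material: the function name is hypothetical, the server names in the usage comment are placeholders, and TCP port 445 for SMB is an assumption because the text names the protocol but not the port.

```powershell
# Added example: test the TCP paths that file-based and database replication need.
# Run it on the site server and, if the site database is hosted on a separate
# server, on the SQL Server host as well, because both originate connections.

function Test-SiteReplicationPorts {
    [CmdletBinding()]
    param(
        # Site server of the parent or child site (target of file-based replication).
        [Parameter(Mandatory)][string]$RemoteSiteServer,

        # Server hosting the remote site's database.
        [Parameter(Mandatory)][string]$RemoteSqlServer,

        # Optional: this site's own database server, when it is not the site server.
        [string]$LocalSqlServer,

        # Defaults from the text; both are configurable per site.
        [ValidateRange(1, 65535)][int]$SqlPort = 1433,
        [ValidateRange(1, 65535)][int]$ServiceBrokerPort = 4022
    )

    $smbPort = 445   # assumption: standard TCP port for SMB

    $targets = @(
        [pscustomobject]@{ Purpose = 'File-based replication (SMB)';          Target = $RemoteSiteServer; Port = $smbPort }
        [pscustomobject]@{ Purpose = 'Database replication (SQL Server)';     Target = $RemoteSqlServer;  Port = $SqlPort }
        [pscustomobject]@{ Purpose = 'Database replication (Service Broker)'; Target = $RemoteSqlServer;  Port = $ServiceBrokerPort }
    )
    if ($LocalSqlServer) {
        $targets += [pscustomobject]@{ Purpose = 'Site server to its own site database'; Target = $LocalSqlServer; Port = $SqlPort }
    }

    foreach ($t in $targets) {
        # Test-NetConnection warns on failure; the result object carries the outcome.
        $result = Test-NetConnection -ComputerName $t.Target -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Purpose       = $t.Purpose
            Target        = $t.Target
            Port          = $t.Port
            Reachable     = $result.TcpTestSucceeded
            RemoteAddress = $result.RemoteAddress
        }
    }
}

# Usage (placeholder names):
# Test-SiteReplicationPorts -RemoteSiteServer '<remote site server>' `
#     -RemoteSqlServer '<remote SQL Server>' | Format-Table -AutoSize
```

A successful connection shows only that the port is reachable from this host; it does not validate the Service Broker certificate or account.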
Monitoring Replication
You can monitor replication in the Configuration
Manager console, in the Monitoring workspace,
in the Database Replication node. You can review
the link statuses for all replication connections. A
replication link will have one of the following
statuses:
• Link Active. No problems have been detected and communication across the link is current.
• Link Degraded. Replication is functional, but at least one replication object has been
delayed. You should monitor links in this state and review information from both sites
involved for indications that the link might fail.
• Link Failed. Replication is not functional. It is possible that a replication link will recover without
further action. Consider using Replication Link Analyzer to investigate and remediate replication on
this link.
When you select a replication connection in the results pane, you can view detailed information in the
preview pane, including:
• A summary of the replication status between the parent and child site.
• Detailed replication information about the parent site.
• Detailed information about the child site.
• Detailed information about each replication group.
• Detailed information about the replication process.
You can obtain additional information by saving a diagnostic file. You need to select the replication
connection and then click the Save Diagnostic File button on the ribbon. The diagnostic file is a text file
containing detailed information about the replication and link statuses.
For further troubleshooting, you can use Replication Link Analyzer to perform a series of tests for the
replication link:
• Checking the SMS_EXECUTIVE on the parent site server
• Checking the SMS_EXECUTIVE on the child site server
• Checking network connectivity between sites
• Checking replication queues on the local SQL Server instance
• Checking replication queues on the remote SQL Server instance
• Checking connectivity between the local site server and the remote SQL Server instance
• Checking connectivity between the local SQL Server instance and remote SQL Server instance
• Checking replication initialization on sites
• Checking computer clock synchronization between site servers
• Checking for a valid SQL Server Service Broker certificate on site servers
• Checking for a valid SQL Server Service Broker account on site servers
• Checking for free disk space on the system running SQL Server
You can save the test results as an XML file by clicking the Replication Link Analyzer Report link on the
Troubleshooting Report page.
You also can configure alerts to be generated when the replication link is inactive for a specified interval
of time (the default interval is 30 minutes) in the <ParentSiteCode><ChildSiteCode>Replication Link
Properties dialog box.
The console displays alerts if the replication link is inactive for the specified period.
Demonstration: Managing and Monitoring Replication
In this demonstration, you will see how to:
• Configure a file replication link.
• Configure a database replication link.
• Configure sender properties.
• Monitor replication.
Demonstration Steps
Configure file-based replication
1. On LON-CAS, start the Configuration Manager console, and then click the Administration
   workspace.
2. Open the Hierarchy Configuration folder, and then click the File Replication node.
3. Configure the Adatum Site S01 London Central Administration Site CAS with the following
   settings:
   o For Sunday midnight availability, select Closed
   o For 0 to 4, set Limit available bandwidth (%) to 50%.
Configure database replication
1. Click the Database Replication node.
2. Review the CAS Central administration site S01 Primary site database replication link, and then
   click Child Database Properties.
3. Configure the Link Properties of the CAS Central administration site S01 Primary site database
   replication link, with the following settings:
   o Summarization interval (minutes): 5
4. Review the settings on the Schedule and Alerts tabs.
Configure sender properties
1. Expand the Site Configuration node and navigate to S01 – Adatum Site.
2. Open the Software Distribution settings for S01 – Adatum Site.
3. Configure the General tab with the following settings:
   o Maximum number of packages: 5
   o Maximum threads per package: 8
   o Number of retries: 5
   o Delay before retrying (minutes): 5
Monitor replication
1. Open the Monitoring workspace.
2. In the Database Replication node, select the CAS to S01 replication link. Verify that the Link State
   shows Link Active. If it does not, refresh the results pane.
3. Review the information available in the preview pane, under Replication Status. Verify that, in the
   Site Replication Status section, both Parent Site State and Child Site State display a status of
   Replication Active.
4. In the Global Data Replication Status section, verify that both Parent Site to Child Site Global
   State and Child Site to Parent Site Global State display a status of Link Active and that the Last
   Synchronization Time reflects today’s date.
5. In the preview pane, on the Parent Site tab, review the information available in the Replication
   Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
6. In the preview pane, on the Child Site tab, review the information available in the Replication Status
   area.
Reports for Monitoring Replication Traffic
By default, Configuration Manager summarizes
reporting of data for database replication every 15
minutes. This data is used in reports that you can
use to monitor the data replication environment.
The following table describes the replication
traffic reports.
Report name | Description
Global Data Replication Traffic Per Link (line chart) | This report contains a line chart that displays total global data replication traffic on a specific link for a specified number of days.
Global Data Replication Traffic Per Link (pie chart) | This report contains a pie chart that displays total global data replication traffic on a specific link for a specified number of days.
Hierarchy Replication Traffic By Link | This report contains a pie chart report that displays total replication traffic for each link in the hierarchy for a specified number of days.
Hierarchy Top Ten Replication Group’s Traffic Per Link (pie chart) | This report contains a pie chart report that displays the replication traffic for the top ten replication groups across the entire hierarchy by link.
Link Replication Traffic | This report contains a line chart that displays total replication traffic for all data for a specified number of days.
Replication group traffic link | This report contains a line chart that displays the replication group network traffic over a specific database replication link for a specified number of days.
Site Data Replication Traffic Per Link (line chart) | This report contains a line chart that displays total site data replication traffic on a specific link for a specified number of days.
Site Data Replication Traffic Per Link (pie chart) | This report contains a pie chart report that displays total site data replication traffic on a specific link for a specified number of days.
Total Hierarchy Replication Traffic (line chart) | This report contains a line chart that displays hierarchy aggregate global and site data replication for each direction of every link for a specified number of days.
Total Hierarchy Replication Traffic (pie chart) | This report contains a pie chart report that displays hierarchy aggregate global and site data replication for each direction of every link for a specified number of days.
Troubleshooting Replication
Multiple Configuration Manager components
are involved in a database replication. The
troubleshooting actions that you perform depend
on the components that fail. Troubleshooting the
replication process is similar to troubleshooting
other aspects of Configuration Manager; that is,
you use the available tools and log files. Perform
the following steps to troubleshoot replication
errors:
1. Use the Replication Link Analyzer. The Replication Link Analyzer will identify most
   issues with the replication link.
2. Check replication log files. If you cannot find the issue in the Replication Link Analyzer, check the
   rcmctrl.log and replmgr.log files. You can adjust the logging level with the following registry key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_REPLICATION_CONFIGURATION_MONITOR\Verbose logging
   The values that you can use are:
   o Value 0. Errors and key messages (default value)
   o Value 1. All information in value 0 and warnings and more general information
   o Value 2. Verbose (all information)
3. Run a stored procedure on SQL Server. On the SQL Server instance, you can run the spDiagDRS
   stored procedure to view detailed information about the database replication process.
4. Check the SQL Server Service Broker log. By default, the SQL Service Broker log file is located at
   C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\ErrorLog.
5. Reinitiate the data. You can use the spDrsSendSubscriptionInvalid stored procedure to reinitiate
   the data. You should consider this step as a last resort because it will cause all the data to be
   rereplicated between the sites.
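Steps 2 and 3 can be scripted so that the logging level is raised, the two logs and spDiagDRS are read, and the level is put back afterwards. The following PowerShell is an added example, not part of the course material: the function names are hypothetical, the log directory, SQL Server instance and database name are placeholders you must supply, the registry value is assumed to be a DWORD, and Invoke-Sqlcmd requires the SqlServer (or SQLPS) module.

```powershell
# Added example: collect replication diagnostics on a site server (elevated session).
# The registry key and value name are the ones given in step 2 above.
$ReplKey       = 'HKLM:\Software\Microsoft\SMS\Components\SMS_REPLICATION_CONFIGURATION_MONITOR'
$ReplValueName = 'Verbose logging'

function Get-ReplicationLogLevel {
    $prop = Get-ItemProperty -Path $ReplKey -Name $ReplValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }   # assumption: an absent value means the default, 0
    [int]$prop.$ReplValueName
}

function Set-ReplicationLogLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0 = errors and key messages, 1 = plus warnings, 2 = verbose
        [Parameter(Mandatory)][ValidateRange(0, 2)][int]$Level
    )
    $previous = Get-ReplicationLogLevel
    if ($PSCmdlet.ShouldProcess("$ReplKey\$ReplValueName", "Set to $Level (was $previous)")) {
        # Assumption: the value is stored as a DWORD.
        New-ItemProperty -Path $ReplKey -Name $ReplValueName -PropertyType DWord `
            -Value $Level -Force | Out-Null
    }
    $previous   # return the old level so the caller can restore it
}

function Find-ReplicationLogProblems {
    param(
        # Directory that holds rcmctrl.log and replmgr.log (placeholder, site-specific).
        [Parameter(Mandatory)][string]$LogDirectory,
        [int]$LastLines = 2000
    )
    foreach ($file in 'rcmctrl.log', 'replmgr.log') {
        $path = Join-Path $LogDirectory $file
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "$path not found"
            continue
        }
        # A plain keyword match; no particular log line format is assumed.
        Get-Content -LiteralPath $path -Tail $LastLines |
            Select-String -Pattern 'error|fail|exception' |
            ForEach-Object { [pscustomobject]@{ Log = $file; Line = $_.Line.Trim() } }
    }
}

function Get-ReplicationDiagnostics {
    param(
        [Parameter(Mandatory)][string]$SqlInstance,   # placeholder
        [Parameter(Mandatory)][string]$Database       # placeholder: the site database
    )
    # spDiagDRS is the stored procedure named in step 3; it only reports state.
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
        -Query 'EXEC spDiagDRS' -QueryTimeout 120
}

# Usage (placeholders in angle brackets):
# $old = Set-ReplicationLogLevel -Level 2
# Find-ReplicationLogProblems -LogDirectory '<ConfigMgr log directory>'
# Get-ReplicationDiagnostics -SqlInstance '<SQL Server instance>' -Database '<site database>'
# Set-ReplicationLogLevel -Level $old | Out-Null
```

The example stops before step 5: spDrsSendSubscriptionInvalid is not called, because reinitiating data is a deliberate last-resort decision rather than a diagnostic.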
The following table lists typical remediation actions that you can perform.
Issue | Corrective action
SMSExec service stopped on sending or target site | • If SMSExec stops responding, restart it on the sending or target site server.
Network communication down | • Verify network adapter and drivers. • Call network support/external help.
Connection with SQL Server cannot be established | • Restart SQL Server Service.
Site server clocks are not in sync | • Verify that domain controllers are configured to use a Network Time Protocol (NTP) server.
Service accounts or certificate issues | • Reset the password for service accounts and reissue certificates. • Restart SQL Server Service Broker.
Replication Best Practices
When content is created, the site at which it is created becomes the owner of the content. The source
files are copied from the specified path to the content library on the site that owns the content. When you
start an Update Content or Update Distribution Point action, the files are recopied from the source path
to the content library of the site that owns the package. When creating packages, consider the network
connection between the source file location and the site that will own the package.
Question: What troubleshooting steps can you perform if Replication Link Analyzer reports SQL Server
connectivity issues?
Lab A: Configuring, Monitoring, and Troubleshooting
Data Replication
Scenario
You are the network administrator for A. Datum Corporation. A. Datum has deployed System Center 2012
Configuration Manager in a complex hierarchy that includes the central administration site, two primary
sites, and a secondary site. You need to use the Configuration Manager console to monitor data
replication between a primary site and the central administration site and to troubleshoot the replication.
Objectives
After completing this lab, you will be able to:
• Verify and configure replication settings.
• Monitor replication.
• Troubleshoot replication.
Lab Setup
Estimated Time: 40 minutes
Virtual machines: 10748C-LON-DC1-C, 10748C-LON-CAS-C, 10748C-LON-CFG-C
User name: Adatum\administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps two through four for the following virtual machines:
   o 10748C-LON-CAS-C
   o 10748C-LON-CFG-C
Exercise 1: Verifying and Configuring Replication Settings
Scenario
You need to configure the replication settings between the London primary site and the A. Datum central
administration site.
The main tasks for this exercise are as follows:
1. Configuring file replication settings.
2. Configuring database replication settings.
3. Configuring sender properties.
Task 1: Configuring file replication settings
1. On LON-CAS, start the Configuration Manager console, and then open the Administration
   workspace.
2. Open Hierarchy Configuration, and then click the File Replication node.
3. Configure the Adatum Site S01 London Central Administration Site CAS file replication link with
   the following settings:
   o Sunday midnight availability: Closed
   o Midnight to 4 A.M.: Limit available bandwidth (%) to 50%.
Task 2: Configuring database replication settings
1. Click the Database Replication node.
2. Configure the CAS Central administration site S01 Primary site database replication link with the
   Summarization interval (minutes) as 5 under Link Properties.
3. Review the settings on the Schedule and Alerts tabs.
Task 3: Configuring sender properties
1. Expand the Site Configuration node and navigate to S01 – Adatum Site.
2. Open the Software Distribution settings for S01 – Adatum Site.
3. Configure the General tab with the following settings:
   o Maximum number of packages: 5
   o Maximum Threads per package: 8
   o Number of Retries: 5
   o Delay before Retrying (Minutes): 5
Results: At the end of this exercise, you should have configured the replication settings between the A.
Datum central administration site and the London primary site.
Exercise 2: Monitoring Replication
Scenario
You need to use the Configuration Manager console to monitor replication between the London primary
site and the A. Datum central administration site.
The main tasks for this exercise are as follows:
1.
Review the replication information and configuration settings.
2.
Create a custom collection.
3.
Monitor the replication of the collection to the primary site.
 Task 1: Review the replication information and configuration settings
1.
On LON-CAS, open the Monitoring workspace.
2.
In the Database Replication node, select the CAS to S01 replication link. Verify that the Link State
shows Link Active. If it does not, refresh the results pane.
3.
Review the information available in the preview pane, under Replication Status. Verify that, in the
Site Replication Status section, both Parent Site State and Child Site State display a status of
Replication Active.
4.
In the Global Data Replication Status section, verify that both Parent Site to Child Site Global
State and Child Site to Parent Site Global State display Link Active status and that the Last
Synchronization Time reflects today’s date.
Note: If the status of Parent Site to Child Site Global State and Child Site to Parent Site
Global State is Link Inactive, verify that both LON-CAS and LON-CFG have started. To refresh
the status, click the CAS to S01 replication link, and then press F5.
5.
In the preview pane, on the Parent Site tab, review the information available in the Replication
Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
6.
In the preview pane, on the Child Site tab, review the information available in the Replication Status
area.
Task 2: Create a custom collection
1.
In the Configuration Manager console, click the Assets and Compliance workspace, and then click
the Device Collections node.
2.
On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts. Create a
device collection with the following attributes:
o
Name: London Computers
o
Limiting collection: All Systems
o
Create a Direct Rule and search for System Resources with the name LON%.
o
Select LON-CAS and LON-CFG as direct members.
Task 3: Monitor the replication of the collection to the primary site
1.
On LON-CFG, start the Configuration Manager console.
2.
In the Configuration Manager console, in the Assets and Compliance workspace, click the Device
Collections node.
3.
Verify that the London Computers collection appears in the list of device collections.
4.
Right-click the London Computers collection, and then click Show Members. Notice that a new
node appears in the navigation pane under Devices. Notice also that the members of the collection
appear in the results pane.
Results: At the end of this exercise, you should have verified the replication between the A. Datum central
administration site and the London primary site.
Exercise 3: Troubleshooting Replication
Scenario
You need to use the Configuration Manager console to troubleshoot the replication between a primary
site and the central administration site.
The main tasks for this exercise are as follows:
1.
Configure in-console alerts for monitoring replication.
2.
Stop the SMS_EXECUTIVE service on LON-CFG.
3.
Troubleshoot the replication issue.
4.
Resolve the issue and verify that replication is functioning correctly.
Task 1: Configure in-console alerts for monitoring replication
1.
On LON-CAS, in the Configuration Manager console, in the Monitoring workspace, click the
Database Replication node.
2.
Access the Properties of the CAS to S01 replication link.
3.
In the CAS <-> Replication Link Properties dialog box, on the Alerts tab, verify that Generate an
alert when this replication link is not working for a specified period of time is selected.
4.
Change the value of the Number of minutes to 3 minutes.
Task 2: Stop the SMS_EXECUTIVE service on LON-CFG
1.
On LON-CFG, on the Start screen, click Administrative Tools, and then open the Services console.
2.
In the Services console, stop the SMS_EXECUTIVE service.
3.
In the Service Control window, wait for the service to stop. Wait at least three minutes before
continuing to the next task.
Task 3: Troubleshoot the replication issue
1.
On LON-CAS, browse to C:\Program Files\Microsoft Configuration Manager\tools\, and then
start CMTRACE.exe. Associate CMTRACE.exe with all log files, and then close the tool.
2.
On LON-CAS, in the Configuration Manager console, in the Alerts node, click All Alerts, click the
alert named Replication link down between parent site and S01, and then on the ribbon, click
Configure.
3.
In the Replication link down between parent site and S01 Properties dialog box, verify that
Minutes replication link connectivity down greater than has a value of 3.
4.
In the Assets and Compliance workspace, click the Device Collections node.
5.
Access the Properties of the London Computers collection, and change the name of the collection
to London Servers.
6.
In the Monitoring workspace, in the Database Replication node, select the CAS to S01 replication
connection.
7.
Verify that the status of the replication link is either Link Failed or Link Degraded. Press F5, if
required, to refresh the status.
8.
Right-click the CAS to S01 replication link, and then click Save Diagnostics Files.
9.
Save the file with the name Replication Diagnostics in drive C.
10. In Windows Explorer, browse to drive C, and then open the file Replication Diagnostics in Notepad.
11. Review the content of the file. Note that the Child Site to Parent Site Global State shows the status
of Link Failed or Link Degraded. Close Notepad.
Task 4: Resolve the issue and verify that replication is functioning correctly
1.
On LON-CAS, right-click the CAS to S01 replication link, and then click Replication Link Analyzer.
Replication Link Analyzer starts detecting problems.
2.
In the CAS <-> S01 Replication Link Analyzer window, on the Restart the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Restart the SMS_EXECUTIVE service. Wait for the operation
to finish.
3.
In the Replication Link Analyzer window, on the Successfully restarted the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Continue.
Note: Based on timing, there may still be issues that are detected. If issues are detected,
first click the Check to see if the problem is fixed link.
4.
Wait for the operation to finish, and then on the Troubleshooting Report page, click View Report.
The content of ReplicationAnalysis.xml opens in Internet Explorer®.
5.
Review the content of the file, and then close Internet Explorer.
6.
In the Replication Link Analyzer window, click View Log. The content of
ReplicationLinkAnalysis.log opens in Configuration Manager Trace Log Tool.
7.
Review the content of the file, and then close Configuration Manager Trace Log Tool.
8.
In the Replication Link Analyzer window, click Close.
Results: At the end of this exercise, you should have troubleshot replication between the primary site and
the central administration site.
Task 5: To prepare for the next lab
•
When you finish this lab, leave the virtual machines running.
Lesson 3
Planning Content Management
System Center 2012 Configuration Manager provides content management functionality that you can use
to create, distribute, and monitor content. The content management feature relies on distribution points
as the core components of the distribution infrastructure. Distribution points in Configuration Manager
2012 include new features such as content validation and content prestaging. In this lesson, you will
review these new features and learn about planning a content management infrastructure, including the
prerequisites you may need to consider. In addition, you will learn how to plan for managing network
bandwidth.
Lesson Objectives
After completing this lesson, you will be able to:
•
Describe the considerations for implementing preferred and fallback distribution points.
•
Describe the network bandwidth considerations for distribution points.
•
Describe how to configure pull-distribution points.
•
Describe the considerations for content prestaging.
•
Describe how to plan and configure a cloud-based distribution point.
•
Describe how clients use cloud-based distribution points.
•
Describe how to monitor distribution point distributions.
•
Describe how to implement BranchCache® integration.
Considerations for Implementing Preferred and Fallback Distribution
Points
When creating a distribution point, you can
associate one or more boundary groups with
the distribution point. Optionally, you can add
boundary groups to the distribution point’s list
after creating a distribution point. Clients will
use preferred distribution points, which are
distribution points assigned to their boundary
group. Regardless of the boundary settings, you
can also configure a distribution point to be
available as a fallback distribution point. Fallback
distribution points are distribution points that a
client uses when no preferred distribution points
are available for the client.
When a client device needs to download deployed content, the client sends a content source location
request to a management point. The management point compiles a list of available distribution points
that are preferred distribution points for the client’s boundary group. The client then chooses one of the
listed distribution points to contact for the content.
You can configure content for a deployment type or package to allow the client to use a fallback
distribution point if the content is not available on a preferred distribution point. When a client needs to
download content, and this setting is enabled for the content, the content source location request asks for
fallback distribution points. The management point response will include preferred distribution points and
fallback distribution points.
Network Connection Speed
Additionally, you can specify whether to treat the connection between the clients and a distribution point
as fast or slow. When a client connects to a fallback distribution point, the connection to the distribution
point is considered slow. For connections to distribution points in a slow boundary, or fallback distribution
points, you can choose any of the following options:
•
Do not download content
•
Download content from distribution point and run locally
On-Demand Content Distribution
If you set the Distribute the content for this package to preferred distribution points property for an
application or package, on-demand content distribution is enabled. If this setting is enabled and a client
tries to download content that is not available on any preferred distribution points, the content will be
distributed to all the preferred distribution points for that client.
Content Source Location Scenarios
When you deploy applications or packages to clients, the following settings influence the content source
location process:
•
Allow fallback source location for content. By selecting this setting, you ensure that clients can
download content from distribution points that are designated as fallback distribution points when
content is unavailable on a preferred distribution point.
•
Deployment behavior for slow network. You can configure whether clients will download content
from slow distribution points.
•
Distribute the content for this package to preferred distribution points. By selecting this setting, you
enable on-demand content distribution for the application or package.
Question: In Scenario A, from where will Client A and Client B download content?
Question: In Scenario B, from where will Client A and Client B download content?
Question: In Scenario C, from where will Client A and Client B download content?
Question: In Scenario D, from where will Client A and Client B download content?
Network Bandwidth Considerations for Distribution Points
Distributing content in a Configuration Manager
2012 infrastructure generates network traffic at
various points in the distribution process:
•
When content files are copied from the
source path to the site server, if the source
path is on a different server than the site
server. In this case, file transfers use the
SMB protocol. The effect of this traffic on the
network is usually negligible because it occurs
over a high-speed network.
•
When content files are copied from the site
server to remote distribution points. In this
situation, file transfers use the SMB protocol. This traffic can have a significant impact on network
utilization, especially over low-speed network connections. You can manage this traffic by using
content throttling and distribution scheduling, except for distribution points located on site servers.
Consider the following when configuring content throttling and scheduling:
•
Content distribution detects updated files so that only the new or updated files are distributed when
content source files are updated.
•
You can configure scheduling and set specific throttling settings that determine when and how much
bandwidth is consumed during content distribution to remote distribution points. You can configure
the throttling settings on the Rate Limits tab and the scheduling settings on the Schedule tab. The
Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not
installed on a site server.
•
You can configure remote distribution points with different settings based on the network bandwidth
limitations from the site server to the remote distribution point. Each remote distribution point
configured as a pull-distribution point will use its own throttling settings and schedule to transfer
content.
Distribution Point Priority
Beginning with System Center 2012 R2 Configuration Manager, Configuration Manager assigns a priority
to each distribution point, depending on how long content distribution has taken in prior distributions, on
average. This priority is evaluated constantly as you distribute content. When you distribute content to
multiple distribution points at the same time, the highest priority distribution point will receive content
first. The Configuration Manager console does not include any options for managing the distribution
point priority settings.
Distribution point priority is not related to package priority. Package priority still determines the order of
package distribution and the time at which package distribution is permitted.
Planning for Network Bandwidth Management
When planning for network bandwidth management in Configuration Manager 2012, you need to
consider how you can reduce the content distribution network traffic:
•
Configure scheduling and bandwidth throttling settings on distribution points and senders.
•
Use content prestaging to transfer the content offline.
•
Place distribution points on the same high-speed networks as clients.
•
Install standard applications as part of the operating system images.
•
Include standard application installer files in the operating system image and use custom task
sequence commands to install those applications from the local source files.
Both senders and Package Transfer Manager use file-based replication and the SMB protocol. Any
firewalls placed between sites or between the site server and distribution points must allow SMB traffic.
Configuring Pull-Distribution Points
Beginning with Configuration Manager 2012 SP1,
you can configure non-site server distribution
points as pull-distribution points. When content
is assigned to a pull-distribution point, the pull-distribution point copies the content files from the
specified distribution point. When distributing
content to a large number of distribution points,
this reduces the processing utilization of the site
server. Pull-distribution points support the same
configurations and functionality as typical
Configuration Manager distribution points with
the following exceptions:
•
You cannot configure a cloud-based distribution point as a pull-distribution point or as a source
server for pull distributions.
•
You cannot configure a distribution point on a site server as a pull-distribution point.
•
Prestaged content distribution settings override pull distribution. If content is configured for
prestaging, then a pull-distribution point will not pull it.
•
Rate limit configurations do not apply to pull-distribution points.
•
Retry settings do not apply to pull-distribution points. The Package Transfer Manager service on the
site server does not notify the pull-distribution point to start downloading the content until it has
verified the pull-distribution point as available on a source server.
•
If the pull-distribution point is in a remote forest, the Configuration Manager client must be installed
on the distribution point and the Network Access Account must be able to access the source
distribution point.
You can configure a distribution point as a pull-distribution point during the creation of the distribution
point or any time thereafter. When configuring a distribution point as a pull-distribution point, you must
also specify one or more source distribution points. You can use only distribution points that support
HTTP as source distribution points when using the Configuration Manager console. Beginning with
System Center 2012 R2 Configuration Manager, you can configure the source distribution points with
priorities.
Note: The Configuration Manager Software Development Kit (SDK) includes information
and tools for configuring a pull-distribution source by using HTTPS.
Considerations for Content Prestaging
Content prestaging allows you to transfer and
preload content by using an offline method,
such as shipping media from a site server to a
distribution point. You can use this method
instead of file-based replication, to reduce
network traffic between the site server and the
distribution point. Content prestaging:
•
Works with all content types.
•
Works with content libraries and package
shares.
•
Registers content availability automatically
with the site server upon content extraction on the distribution point.
•
Uses a compressed prestaged content file with the extension .pkgx.
•
Can be used to prestage multiple content files in a single operation.
•
Offers a conflict detection mechanism as part of the extraction tool to prevent earlier versions of
content from being prestaged on a distribution point.
Planning for Content Prestaging
Consider using prestaging content for applications and packages when:
•
There is limited network bandwidth from the site server to distribution point. While distributing
content over the network to a remote distribution point, consider prestaging the content on the
distribution point when scheduling and throttling do not reduce network traffic sufficiently.
•
You need to restore the content library on a site server. When a site server fails, information about
packages and applications in the content library is restored to the site database as part of the restore
process. However, the site backup does not include content library files by default. If you do not have
a file system backup to restore the content library, you can create a prestaged content file from
another site that contains the packages and applications you need, and then extract the prestaged
content file on the recovered site server.
Planning and Configuring a Cloud-Based Distribution Point
Beginning with Configuration Manager 2012 SP1,
you can host a distribution point in Windows Azure™
as a cloud-based distribution point.
You configure cloud-based distribution points
in the Cloud services node in the Administration
workspace. Additionally, you must configure a
client settings policy to allow clients to use cloud-based
distribution points. Finally, to help control
the costs associated with a cloud-based
distribution point, you can configure thresholds
for the amount of storage that the distribution
point uses and the amount of client traffic to the
distribution point.
Cloud-based distribution points include the following distribution point features:
•
Supports individual or group-based management.
•
Can be a fallback distribution point.
•
Supports intranet and Internet-based clients.
•
Supports BranchCache-configured systems to download content from the cloud-based distribution
point.
There are additional features specific to using a cloud-based distribution point in Windows Azure. When
content is sent to a Windows Azure–based distribution point, the content is encrypted while traversing the
Internet. Additionally, you can quickly scale the size of your distribution points as necessary without
investing in additional hardware.
However, you also need to consider the limitations of a cloud-based distribution point:
•
Cloud-based distribution points cannot host software update packages.
•
Cloud-based distribution points cannot be configured for Pre-Boot EXecution Environment (PXE) or
multicast deployments.
•
Cloud-based distribution points cannot be used with task sequences that use the deployment option
Download content locally when needed by running task sequence.
•
Cloud-based distribution points do not support packages that run from the distribution point.
•
Cloud-based distribution points do not support streaming packages.
•
Cloud-based distribution points cannot be configured for prestaged content.
•
Cloud-based distribution points cannot be configured as pull-distribution points.
Additional Considerations
There are other factors to consider before using a cloud-based distribution point, such as:
•
Availability. Cloud-based storage may not be accessible in certain countries or locations.
•
Cost. Several factors determine the cost of using Windows Azure, including the number of virtual
machines that are running, the amount of storage used, and the amount of data that is transferred
each month.
Additional Reading: For current information on Windows Azure
pricing and availability, visit the Windows Azure pricing at-a-glance website:
http://go.microsoft.com/fwlink/?LinkID=391480&clcid=0x409
Windows Intune
Windows Azure is a cloud-based service that primarily provides infrastructure as a service (IaaS),
whereas Windows Intune™ is a cloud-based client management service. Windows Intune provides client
management including application deployment, software and hardware inventory, anti-malware, and
policy control. You can deploy Windows Intune as a stand-alone product or integrate it with your System
Center 2012 R2 Configuration Manager environment.
How Clients Use Cloud-Based Distribution Points
Client devices cannot use cloud-based distribution
points unless configured to do so. Cloud-based
distribution points are always considered remote
distribution points. Clients on an intranet will use
a cloud-based distribution point only if no on-premises distribution points have the desired
content and are available. Clients on the Internet
will not use cloud-based distribution points if
they are configured to use an Internet-based
distribution point. An Internet-based distribution
point is a distribution point that is part of one of
your on-premises Configuration Manager sites
and configured to accept connections from the Internet.
You can place cloud-based distribution points in any region in Windows Azure. Client devices are not
aware of Windows Azure regions and clients using cloud-based distribution points will not necessarily use
the closest region.
The process that clients use for choosing a cloud-based distribution point is:
1.
Clients always attempt to use a preferred distribution point first.
2.
If a preferred distribution point is not available, clients will attempt to use remote (fallback) on-premises distribution points.
3.
If no preferred distribution points or fallback distribution points are available, the client will use a
cloud-based distribution point.
When a client connects to a cloud-based distribution point, the cloud-based distribution point must
authenticate the client by using a Configuration Manager access token. If the client trusts the cloud-based
distribution point certificate, the client will download the requested content.
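The content source location order described in this lesson (preferred, then fallback, then cloud-based distribution points), as an added Python model that is not part of the courseware or of Configuration Manager. All class, field, and distribution point names are hypothetical; the model assumes the client takes the first listed source and that cloud-based distribution points are gated by the same fallback and slow-network settings as other remote sources.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class SlowBehavior(Enum):
    # The two options the lesson lists for slow-boundary or fallback connections.
    DO_NOT_DOWNLOAD = "Do not download content"
    DOWNLOAD_AND_RUN_LOCALLY = "Download content from distribution point and run locally"


@dataclass(frozen=True)
class DistributionPoint:          # hypothetical model, not a Configuration Manager type
    name: str
    kind: str                     # "preferred", "fallback" or "cloud", relative to this client
    has_content: bool = True
    available: bool = True
    slow_boundary: bool = False   # preferred DP reached through a boundary marked slow
    cert_trusted: bool = True     # cloud only: the client trusts the DP certificate


@dataclass(frozen=True)
class Deployment:
    allow_fallback: bool                # "Allow fallback source location for content"
    slow_behavior: SlowBehavior         # "Deployment behavior for slow network"
    distribute_on_demand: bool = False  # on-demand distribution to preferred DPs


@dataclass(frozen=True)
class Client:
    cloud_dp_allowed: bool = False  # client settings policy that permits cloud-based DPs
    has_access_token: bool = False  # Configuration Manager access token for the cloud DP


@dataclass
class Result:
    source: Optional[str]
    speed: Optional[str]
    reason: str
    on_demand_targets: List[str]


def locate_content(client: Client, deployment: Deployment,
                   dps: List[DistributionPoint]) -> Result:
    """Pick a content source in the order the lesson gives: preferred, fallback, cloud."""
    preferred = [dp for dp in dps if dp.kind == "preferred"]
    # On-demand distribution triggers when no preferred DP holds the content.
    on_demand: List[str] = []
    if deployment.distribute_on_demand and not any(dp.has_content for dp in preferred):
        on_demand = [dp.name for dp in preferred]

    def usable(kind: str) -> List[DistributionPoint]:
        return [dp for dp in dps if dp.kind == kind and dp.available and dp.has_content]

    slow_ok = deployment.slow_behavior is SlowBehavior.DOWNLOAD_AND_RUN_LOCALLY
    # 1. Preferred distribution points for the client's boundary group.
    ready = usable("preferred")
    fast = [dp for dp in ready if not dp.slow_boundary]
    if fast:
        return Result(fast[0].name, "fast", "preferred distribution point", on_demand)
    # Every remaining source is a slow connection.
    if not slow_ok:
        return Result(None, None, "no fast preferred source; slow download disabled", on_demand)
    if ready:
        return Result(ready[0].name, "slow", "preferred distribution point, slow boundary", on_demand)
    # 2. Fallback distribution points are listed only if the content allows fallback.
    if not deployment.allow_fallback:
        return Result(None, None, "fallback not allowed for this content", on_demand)
    fallback = usable("fallback")
    if fallback:
        return Result(fallback[0].name, "slow", "fallback distribution point", on_demand)
    # 3. Cloud-based DP: needs the client setting, an access token, and a trusted certificate.
    for dp in usable("cloud"):
        if client.cloud_dp_allowed and client.has_access_token and dp.cert_trusted:
            return Result(dp.name, "slow", "cloud-based distribution point", on_demand)
    return Result(None, None, "no usable content source", on_demand)


def scenarios():
    """Constructed inputs; the DP names are placeholders, not the lab's servers."""
    slow_ok = SlowBehavior.DOWNLOAD_AND_RUN_LOCALLY
    pref = DistributionPoint("DP-PREF", "preferred")
    empty_pref = DistributionPoint("DP-PREF", "preferred", has_content=False)
    fb = DistributionPoint("DP-FALLBACK", "fallback")
    cloud = DistributionPoint("DP-CLOUD", "cloud")
    bad_cloud = DistributionPoint("DP-CLOUD", "cloud", cert_trusted=False)
    cloud_client = Client(cloud_dp_allowed=True, has_access_token=True)
    return {
        "preferred": locate_content(Client(), Deployment(False, slow_ok), [pref, fb]),
        "fallback": locate_content(Client(), Deployment(True, slow_ok, True), [empty_pref, fb, cloud]),
        "no_fallback": locate_content(Client(), Deployment(False, slow_ok), [empty_pref, fb]),
        "slow_blocked": locate_content(Client(), Deployment(True, SlowBehavior.DO_NOT_DOWNLOAD), [empty_pref, fb]),
        "cloud": locate_content(cloud_client, Deployment(True, slow_ok), [empty_pref, cloud]),
        "cloud_untrusted": locate_content(cloud_client, Deployment(True, slow_ok), [empty_pref, bad_cloud]),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(label, "->", result.source, result.speed, "|", result.reason)
```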
Monitoring Distribution Point Distributions
You can use the Distribution Status folder in the
Monitoring workspace of the Configuration
Manager console to perform monitoring for:
•
Content status, which includes the status of
individual packages, applications and driver
packages in relation to their distribution
points. When viewing the content status, you
can cancel an in-progress distribution.
•
Distribution point group status, which
includes the aggregate status of content
assigned to a specific distribution point
group.
•
Distribution point configuration status, which includes the aggregate status of the content assigned
to a distribution point and status of the optional components (PXE and multicast).
To troubleshoot content distribution, you can also use:
•
Configuration Manager reports.
•
Configuration Manager status messages.
•
Configuration Manager logs.
To troubleshoot issues with content management, you can use the following Configuration Manager logs:
•
SMSProv.log. You can use this log to troubleshoot actions started from the UI or the SDK.
•
DistMgr.log. You can use this log to troubleshoot content creation, update, deletion, and start of
distribution. You can use this log on the site server from the source site, to verify that Distribution
Manager processes the content.
•
Scheduler.log. You can use this log to see the current status of the sender job. You can use this log on
the site server from the source site to verify that the content was queued for the sender.
•
Sender.log. You can use this log to troubleshoot the copy of the compressed content to the
destination site. You can use this log on the site server from the source site, to determine whether the
sender has transferred the content to a different site.
•
Despooler.log. You can use this log to troubleshoot the extraction of the compressed copy to the
content library on the destination site. You can use this log file on the site server from the destination
site to verify that the despooler received and processed the content.
•
PkgXferMgr.log. You can use this log to troubleshoot the distribution of content from the site server
to the distribution point. You can use this log on the site server to determine whether the content was
processed by Package Transfer Manager and transferred to a distribution point located in the same
site as the site server.
•
SMSDPProv.log. You can use this log to troubleshoot the addition of content to the content library on
the distribution point. You can use this log on a distribution point to verify that content was added to
the content library.
•
SMSPXE.log. You can use this log to troubleshoot the PXE provider. You can find this log on a
distribution point that is configured to use PXE.
You can use the following Windows logs to troubleshoot distribution point configuration:
•
u_exYYMMDD.log (where YYMMDD is the year, month, and day). You can use these IIS logs for
troubleshooting issues related to Internet Information Services (IIS). You can find the IIS logs on the
distribution point in the C:\Inetpub\Logs\LogFiles\W3SVC1\ folder.
•
WDS.log. You can use the Windows Deployment Services (Windows DS) log for troubleshooting issues
related to Windows DS.
Implementing BranchCache Integration for Content Distribution
BranchCache is included in the Windows® 7 and
Windows Server® 2008 R2 and newer operating
systems. It enables content from file and web
servers on a wide area network (WAN) to be
cached on computers at a local branch office.
BranchCache can improve application response
time and reduce WAN traffic.
You can configure BranchCache in Windows Server 2008 R2 to work in two modes:
•
Distributed cache mode. Cached content is distributed across peer client computers.
•
Hosted cache mode. A server hosts cached content. Configuration Manager does not support this
mode.
BranchCache Support in Configuration Manager
To support BranchCache on a site server, install the Windows BranchCache feature to a site system server
that is configured as a distribution point. No additional configuration is necessary.
Configuration Manager supports BranchCache with the following operating systems configured in
BranchCache distributed cache mode:
•
Windows 8.1
•
Windows 8
•
Windows 7 with SP1
•
Windows Server 2012 R2
•
Windows Server 2012
•
Windows Server 2008 R2 with no service pack, with SP1, or with SP2
Clients running a supported version of Windows Vista® SP2 and Windows Server 2008 SP2 can also use
BranchCache by using the Background Intelligent Transfer Service (BITS) 4.0 release, but only for
BITS-transferred content. These operating systems do not support the BranchCache client functionality for:
•
Software deployments that are configured to run from the network.
•
SMB file transfers.
•
Content copied from cloud-based distribution points.
You can install the BITS 4.0 release on Configuration Manager clients by using software updates or
software deployment.
BranchCache management is integrated in the Configuration Manager console. For applications, you can
configure BranchCache on a deployment type. For programs and software updates, you can configure the
BranchCache settings on the deployment.
Planning to Use BranchCache
When you plan to use BranchCache for content distribution, consider whether:
•
Windows Server 2008 R2 or a later version is in a central location and is configured in BranchCache
distributed mode.
•
Workstations situated in remote locations are running a supported operating system for
BranchCache, such as Windows 8 or Windows 7 with SP1.
Lab B: Planning and Configuring Content Management
Scenario
You are the network administrator for A. Datum Corporation. A. Datum has deployed System Center 2012
Configuration Manager in a distributed environment that includes multiple locations with WAN
connections to the central campus location.
You need to configure your content management infrastructure by installing and configuring an
additional distribution point for a remote office, creating a distribution point group, and adding the
distribution points to the groups. You will also distribute content and perform content validation. You
will use content prestaging for transferring packages to the remote distribution point.
Objectives
After completing this lab, you will be able to:
•
Plan content distribution.
•
Implement distribution points.
•
Implement content prestaging.
•
Implement BranchCache to support content management.
Lab Setup
Estimated Time: 40 minutes
Virtual machines: 10748C-LON-DC1-C, 10748C-LON-CAS-C, 10748C-LON-CFG-C, 10748C-LON-SVR1-C
User name: Adatum\administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
In Hyper-V Manager, verify that the following virtual machines are running:
o
10748C-LON-DC1-C
o
10748C-LON-CAS-C
o
10748C-LON-CFG-C
o
10748C-LON-SVR1-C
2.
Log on, if necessary, by using the following credentials:
o
User name: Administrator
o
Password: Pa$$w0rd
o
Domain: Adatum
Exercise 1: Planning Content Distribution
Scenario
Read the following scenario and plan for configuring content distribution.
A. Datum is an international organization that includes a central campus location in London with three
buildings and approximately 4,000 users. There are six remote offices in the European continent, several
of which have local information technology (IT) staff. New York is the central location for North American
operations. The New York offices are largely autonomous. They support a user base that is similar in size
to the London user base. The Toronto office is the central location for Canadian operations, and although
there is a small IT staff in Toronto, it is managed by the New York office. There are eight additional remote
offices in North America. The remote offices each support between 50 and 1,000 users. In addition, there
are more than 1,000 field agents with laptops requiring management and connectivity. The office in New
York communicates with the London central office through a satellite connection. The Toronto office is
connected directly to the New York office via high-speed connections.
The remote locations are connected through Multiprotocol Label Switching (MPLS) connections to the
main offices in their respective continents; these connections can be 80 percent utilized at peak times. You
need to plan for software distribution that affects the corporate network minimally during business hours.
You are planning to build a central administration site and one primary site in London and one primary
site in New York. You plan to create a secondary site in the Toronto office. The remaining remote offices
will be managed from the primary site in their respective continents. You can recommend any additional
distribution components that you think are necessary.
The main task for this exercise is to plan the deployment.
Task: Planning the deployment
• Discuss a deployment plan with the class.
Results: At the end of this exercise, you will have planned distribution architecture for the company.
Exercise 2: Implementing Distribution Points
Scenario
You need to install a new distribution point in a remote location on a server named LON-SVR1. You will
configure the distribution point for content prestaging. Then you will create a distribution point group
and include all distribution points in the London area in the group.
The main tasks for this exercise are as follows:
1. Add the primary site server computer account to the local Administrators group.
2. Create a distribution point.
3. Create and populate a distribution point group.
Task 1: Add the primary site server computer account to the local Administrators group
1. On LON-SVR1, from Server Manager, start Computer Management.
2. In the Computer Management console, under Local Users and Groups, select Groups.
3. Add LON-CFG as a member of the Administrators local group.
4. Close the Computer Management console and Server Manager.
Task 2: Create a distribution point
1. On LON-CAS, in the Configuration Manager console, in the Administration workspace, expand Site
   Configuration, and then click Servers and Site System Roles.
2. On the ribbon, on the Home tab, click Create Site System Server. The Create Site System Server
   Wizard starts. Use the following settings to create the new distribution point (use default settings for
   pages that are not specified):
   o On the General page, browse to select LON-SVR1 as the new site system server, and then in the
     Site Code drop-down list, select S01 – Adatum Site.
   o On the System Role Selection page, select Distribution Point.
   o On the Distribution Point page, select Install and configure IIS if required by Configuration
     Manager and Enable this distribution point for prestaged content.
   o On the Content Validation page, select Validate content on a schedule.
   o Complete the wizard.
3. In the Configuration Manager console, verify that \\LON-SVR1.Adatum.com appears in the results
   pane.
Task 3: Create and populate a distribution point group
1. Navigate to the Distribution Points node.
2. Select LON-CFG.ADATUM.COM, NYC-CFG.ADATUM.COM and TOR-CFG.ADATUM.COM.
3. On the ribbon, select Add Selected Items to New Distribution Point Group.
4. Create a new distribution point group named Primary and Secondary Site Distribution Points.
Results: At the end of this exercise, you should have created a distribution point, created a distribution
point group, and added distribution points to the group.
Exercise 3: Implementing Content Prestaging
Scenario
Previously, you configured the LON-SVR1 distribution point to use content prestaging. You need to
prestage the content of the package you distributed. You will create the prestage content file, copy it to
the remote server, extract the file on the remote distribution point by using the Extractcontent.exe tool,
and then monitor the prestaged content status.
The main tasks for this exercise are as follows:
1. Create and distribute a package.
2. Create a prestaged content file.
3. Extract a prestaged content file on a distribution point.
4. Monitor the prestaged content status.
Task 1: Create and distribute a package
1. On LON-CFG, in the Configuration Manager console, in the Software Library workspace, expand
   Application Management, and then click the Applications node.
2. On the ribbon, click Create Application. The Create Application Wizard starts. Use the following
   settings to create an application:
   o On the General page, verify that in the Type box, Windows Installer (*.msi) is selected, in the
     Location text box, type \\LON-CFG\E$\Software\MSI_Files\PPTViewer, and then select
     ppviewer.msi.
   o Accept the default settings for all other pages, and then complete the wizard.
3. In the Configuration Manager console, in the results pane, select the Microsoft PowerPoint Viewer
   application, and then on the ribbon, click Distribute Content. The Distribute Content Wizard starts.
   Use the following settings to distribute content:
   o On the Content Destination page, add the LON-CFG.ADATUM.COM distribution point.
   o Accept the default settings for all other pages, and then complete the wizard.
Task 2: Create a prestaged content file
1. On LON-CFG, in the Configuration Manager console, in the Software Library workspace, under the
   Application node, select Microsoft PowerPoint Viewer, and then on the ribbon, click Create
   Prestaged Content File. The Create Prestaged Content File Wizard starts. Use the following settings
   to create the prestaged content file:
   o On the General page, browse to drive E, and then save the file with the name
     PowerPointViewer.
   o On the Content Locations page, add LON-CFG.Adatum.com as a source of content.
   o Accept the default settings for all other pages, and then complete the wizard.
2. In Windows Explorer, browse to drive E, and then copy PowerPointViewer.pkgx to \\LON-SVR1\C$.
Task 3: Extract a prestaged content file on a distribution point
1. On LON-SVR1, open a command prompt.
2. At the command prompt, type the following commands, pressing Enter after each line:
   CD C:\SMS_DP$\sms\Tools
   extractcontent.exe /P:C:\PowerPointViewer.pkgx /S
Task 4: Monitor the prestaged content status
1. On LON-CFG, in the Configuration Manager console, in the Monitoring workspace, expand
   Distribution Status, and then click the Content Status node.
2. In the results pane, click Microsoft PowerPoint Viewer, and then review the information in the
   preview pane. Notice that two distribution points were targeted and Success is now listed as 2.
Results: At the end of this exercise, you should have performed content prestaging.
Exercise 4: Implementing BranchCache to Support Content Management
Scenario
The planning exercise helped you determine that you wanted to use BranchCache for the remote
locations without a distribution point. In this exercise, you need to enable support for BranchCache on the
LON-SVR1 server.
The main tasks for this exercise are as follows:
1. Configure LON-SVR1 to support BranchCache.
2. Verify that an application is ready for BranchCache.
Task 1: Configure LON-SVR1 to support BranchCache
1. On LON-SVR1, open Server Manager.
2. Click Add roles and features, and then use the Add Roles and Features Wizard to install the
   BranchCache feature.
Task 2: Verify that an application is ready for BranchCache
1. On LON-CFG, in the Configuration Manager console, navigate to the Software Library workspace.
2. In the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) Properties dialog box, on
   the Content tab, verify that the Microsoft PowerPoint Viewer – Windows Installer (*.msi file)
   deployment type has the Allow clients to share content with other clients on the same subnet
   check box selected.
Results: At the end of this exercise, you will have enabled BranchCache support on LON-SVR1.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for the following virtual machines:
   o 10748C-LON-CAS-C
   o 10748C-LON-CFG-C
   o 10748C-LON-SVR1-C
Module Review and Takeaways
Review Questions
Question: What are the two methods that Configuration Manager 2012 uses to replicate
data between sites? What types of data does each method replicate?
Question: How is hardware inventory transferred from a secondary site to the central
administration site?
Question: How can you create a file that contains diagnostics information for replication
links?
Module 6
Planning Resource Discovery and Client Deployment
Contents:
Module Overview
Lesson 1: Identifying Resources by Using Configuration Manager Discovery Methods
Lesson 2: Client Deployment in Configuration Manager
Lesson 3: Deploying Windows-Based Configuration Manager Clients
Lab: Implementing Configuration Manager Client Deployment
Lesson 4: Managing Configuration Manager Clients
Lesson 5: Monitoring Client Status in Configuration Manager
Module Review and Takeaways
Module Overview
You can configure the Configuration Manager resource-discovery methods to locate resources in your
network environment. In this module, you will examine the discovery methods available in Configuration
Manager and consider which of these discovery methods to use based on the resources you need to
manage.
You can use Configuration Manager to manage computer resources by installing the Configuration
Manager client on the computers that you want to manage.
Configuration Manager provides several methods for installing the Configuration Manager client on
computer resources. This module covers various client-installation methods, and then examines the
advantages and disadvantages of each method. You will examine how to choose the most appropriate
client-installation methods to use in your organization’s environment.
Depending on the client-installation methods that you decide to use, you may be able to configure client
installation properties that are applied during installation. You can configure site servers to publish client
installation properties in Active Directory® Domain Services (AD DS). Configuration Manager clients use
these properties after installation to identify the assigned site and locate appropriate site systems. This
module discusses how to configure client-installation properties when using the client push and Group
Policy installation methods.
This module also covers the Client Health feature that you can use for monitoring Configuration Manager
clients. This feature can perform automatic remediation for certain client configuration issues.
Objectives
After completing this module, you will be able to:
• Describe processes and methods for resource discovery.
• Describe the client-installation process and client-deployment methods.
• Plan and complete a typical client deployment.
• Describe managing Configuration Manager clients after installation.
• Deploy the Configuration Manager client.
• Describe the new Client Health feature in Configuration Manager.
Lesson 1
Identifying Resources by Using Configuration Manager Discovery Methods
Resource discovery is the process that Configuration Manager uses to discover an infrastructure’s
manageable resources, such as computers, groups, user accounts, sites, and IP subnets. Configuration
Manager uses multiple discovery methods to discover resources.
The primary source of information for discovering resources is AD DS. Configuration Manager has several
discovery methods that use AD DS as a source of information.
Configuration Manager also can search the network to discover network topology and devices that have
an IP address.
This lesson covers discovery methods, the advantages and the disadvantages of each method, and how to
decide which methods are the most appropriate to use to discover resources in your environment.
To detect which installed clients are still active in the network, Configuration Manager uses Heartbeat
Discovery, which is a special discovery method. This method does not discover new computers. Instead, it
rediscovers existing clients that are active in the network.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the role of discovery methods for resource discovery.
• Describe the available discovery methods.
• Describe the Active Directory discovery methods for systems, users, and groups.
• Describe the Active Directory Forest Discovery method.
• Describe Network Discovery.
• Describe the role of Heartbeat Discovery.
Overview of Resource Discovery
In a multiple-site Configuration Manager environment, you can configure discovery methods at different
levels in the hierarchy. The following table describes the discovery methods available in Configuration
Manager and where you can configure them in a Configuration Manager hierarchy.
Discovery method: Supported locations
• Active Directory Forest Discovery: Central administration site, Primary site
• Active Directory System Discovery: Primary site
• Active Directory Group Discovery: Primary site
• Active Directory User Discovery: Primary site
• Network Discovery: Primary site, Secondary site
• Heartbeat Discovery: Primary site
When a discovery method successfully discovers a resource, it creates a file that is a discovery data record
(DDR). In a single primary site environment, the site server processes DDRs and enters them into the
Configuration Manager database. In a multiple-site hierarchy, DDRs that are created at primary and
secondary sites for the newly discovered resources are forwarded to the central administration site for
processing. Then, database replication replicates the information about the discovered computers to
primary sites, making the discovery data available at each site in the hierarchy, regardless of where it was
discovered or processed. Subsequent discoveries for the existing resources, such as DDRs that Heartbeat
Discovery creates, are processed at the primary sites.
Consider the following for resource discovery in Configuration Manager:
• A DDR is processed only once, and then it is entered into the database at a primary site or central
  administration site. After processing, the DDR file is deleted.
• Discovery information entered into the database at one site is replicated to all primary sites in the
  hierarchy by using the Configuration Manager database replication feature.
• Active Directory Forest Discovery is not used to discover resources, but rather is used to discover
  subnets and Active Directory sites, and then add them as boundaries for the hierarchy.
• When a primary site is in a different AD DS forest, you can enable and configure Active Directory
  Forest Discovery at the central administration site, or at primary sites, to accommodate deployment
  scenarios.
• Active Directory Group Discovery in System Center 2012 Configuration Manager discovers groups
  and their membership, and is the replacement for the Configuration Manager 2007 discovery
  method, Active Directory Security Group Discovery.
• Active Directory System Discovery and Active Directory Group Discovery both support options to
  filter the discovery of stale computer records based on the timestamp of the last logon or the last
  password change.
• Active Directory System Discovery, Active Directory User Discovery, and Active Directory Group
  Discovery all support delta discovery, which detects changes in AD DS more frequently than by using
  the default discovery schedule. Delta discovery differs from the Configuration Manager 2007 R3
  version, because it can detect the addition or removal of computers or users from a group.
You will learn about each of these discovery methods and their available configuration settings in
upcoming topics, enabling you to choose the discovery methods that are most appropriate for your
environment.
Discovery Methods
You can use a variety of resource discovery methods with Configuration Manager to discover resources in
your infrastructure, such as computers, groups, user accounts, and network infrastructure topology.
The following table describes the resource discovery methods that are available and how you use them.
Discovery method: Usage
• Active Directory Forest Discovery: Introduced in Configuration Manager, this method discovers Active
  Directory sites and subnets, and it can create Configuration Manager boundaries for each site and IP
  subnet that it discovers.
• Active Directory System Discovery: Discovers computer systems from AD DS. Additionally, it can discover
  Active Directory container names, as does the Configuration Manager 2007 Active Directory System
  Group Discovery.
• Active Directory Group Discovery: Discovers local, global, and universal groups and their membership
  from AD DS.
• Active Directory User Discovery: Discovers users from the specified locations in AD DS.
• Network Discovery: Discovers the network topology and devices.
• Heartbeat Discovery: Updates existing Configuration Manager client-discovery records in the database.
When you choose which discovery methods to implement, consider what types of resources that you
need to discover, such as computers, users, or groups. The following table lists various types of resources
in a typical corporate infrastructure, and the discovery methods that you can use to discover each type of
resource.
Resources: Discovery methods
Computers
• Active Directory System Discovery. Active Directory System Discovery discovers computer resources
  from AD DS, and it provides additional information about the computer resources, such as the
  organizational units (OUs) in which the computer resources are located.
• Network Discovery. Network Discovery provides information about your network topology that you
  cannot acquire with other discovery methods.
  Note: You must ensure discovery of computer resources before you install the Configuration Manager
  client by using the client-push installation method. You can use Active Directory System Discovery
  and Network Discovery to discover computer resources before client installation.
• Heartbeat Discovery. If you install the Configuration Manager client by using a different method than
  client push, Heartbeat Discovery forces the discovery of active clients and then creates records in the
  database. Heartbeat Discovery collects only limited information about computer resources, which may
  not be detailed enough to build complex queries or collections.
Users
• Active Directory User Discovery. You can discover user resources by using Active Directory User
  Discovery. This method discovers users from AD DS, and it includes basic information about users,
  such as username and email address. You can use this information to build queries and collections
  similar to those for computers. You can configure User Discovery to retrieve other attributes from
  Active Directory, such as manager, office, and phone number.
Groups and their membership
• Active Directory Group Discovery. You can discover groups and group memberships by using Active
  Directory Group Discovery. This discovery method creates resource records for security groups.
  Additionally, it identifies the members of each group, and optionally any nested groups within that
  group. Active Directory Group Discovery also discovers limited information about group members.
  This does not replace Active Directory System or User Discovery, and typically it is insufficient to use
  to build complex queries and collections, or to serve as the base of a client-push installation.
Infrastructure
• Active Directory Forest Discovery. You can use Active Directory Forest Discovery to search an Active
  Directory forest for information about subnets and Active Directory sites. You then can use these
  objects to configure your Configuration Manager boundaries.
• Network Discovery. You also can use Network Discovery to discover your network topology. Network
  Discovery can discover subnets and router topology of your network, in addition to computer
  resources.
Question: What discovery methods can you use to discover computer resources?
Active Directory Discovery Methods for Systems, Users, and Groups
You can use the following three Active Directory discovery methods in Configuration Manager:
• Active Directory System Discovery
• Active Directory User Discovery
• Active Directory Group Discovery
These discovery methods are similar in configuration and operation, but they retrieve different types of
information. You can configure each of these discovery methods to search one or more Active Directory
locations in the local forest or in remote forests. If you configure multiple instances of these Active
Directory discovery methods on multiple primary sites in a Configuration Manager hierarchy, you should
configure the source location for each discovery method, so that the same resources are not discovered
more than once. In smaller environments, you should consider configuring all Active Directory discovery
methods from the same location. You can configure each method to perform a full discovery and a delta
discovery based on a specified schedule. The default schedule for a full discovery is once a week, and the
default schedule for a delta discovery is every five minutes. Because delta discovery discovers only new
resources, the impact on AD DS and network traffic decreases.
Active Directory System Discovery
Active Directory System Discovery searches for computer resources in the administrator-specified AD DS
locations. Active Directory System Discovery has the ability to filter obsolete computer records based on
the lastLogonTimeStamp and pwdLastSet attributes in AD DS. If you want to improve the quality of
discovery, you should identify old computer records in AD DS by using a dsquery command. You then
can disable them before configuring discovery. For a computer resource to be discovered by using Active
Directory System Discovery, it must have the following:
• An enabled computer account in AD DS. Active Directory System Discovery filters out disabled
  computers, by default.
• A computer record in Domain Name System (DNS). Active Directory System Discovery tries to resolve
  the name of each computer resource to an IP address. If the DNS contains obsolete records, it might
  cause the discovery of computers that are no longer active on the network. To avoid this, you should
  remove obsolete records in DNS by activating DNS scavenging.
If the computer resource meets the preceding conditions, the discovery method generates a DDR for the
computer and populates the DDR with information that identifies the computer resource.
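The stale-record filter described above relies on the lastLogonTimeStamp and pwdLastSet attributes, which AD DS stores as Windows FILETIME integers. The following PowerShell functions are an added example and are not part of the course material; the function names, the 90-day thresholds, and the sample computer records are assumptions constructed for illustration.

```powershell
# Added example, not part of the course material. Function names, thresholds,
# and the sample records below are assumptions constructed for illustration.

function ConvertFrom-AdFileTime {
    # AD DS stores both attributes as FILETIME values: 100-nanosecond ticks
    # since 1601-01-01 UTC. A missing value or 0 means "never set".
    param($Value)
    if ($null -eq $Value -or [int64]$Value -le 0) { return $null }
    [datetime]::FromFileTimeUtc([int64]$Value)
}

function Get-StaleComputerRecord {
    [CmdletBinding()]
    param(
        # Objects exposing Name, Enabled, lastLogonTimestamp and pwdLastSet,
        # the shape Get-ADComputer returns when those properties are requested.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$Computer,

        [int]$LogonAgeDays = 90,      # assumed threshold
        [int]$PasswordAgeDays = 90,   # assumed threshold

        # Reference time, parameterised so a review can be reproduced later.
        [datetime]$Now = [datetime]::UtcNow
    )
    begin {
        # lastLogonTimestamp is replicated lazily and can lag the real last
        # logon by up to about 14 days by default, so keep the logon threshold
        # comfortably larger than that.
        $logonCutoff = $Now.AddDays(-$LogonAgeDays)
        $pwdCutoff   = $Now.AddDays(-$PasswordAgeDays)
    }
    process {
        foreach ($c in $Computer) {
            # Disabled accounts are already excluded by System Discovery by default.
            if (-not $c.Enabled) { continue }

            $lastLogon = ConvertFrom-AdFileTime $c.lastLogonTimestamp
            $pwdSet    = ConvertFrom-AdFileTime $c.pwdLastSet
            $reasons   = @()

            if ($null -eq $lastLogon) {
                $reasons += 'no logon recorded'
            } elseif ($lastLogon -lt $logonCutoff) {
                $reasons += "last logon older than $LogonAgeDays days"
            }

            if ($null -eq $pwdSet) {
                $reasons += 'password never set'
            } elseif ($pwdSet -lt $pwdCutoff) {
                $reasons += "password older than $PasswordAgeDays days"
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Name          = $c.Name
                    LastLogonUtc  = $lastLogon
                    PwdLastSetUtc = $pwdSet
                    Reasons       = $reasons -join '; '
                }
            }
        }
    }
}

# Constructed sample records (hypothetical names), evaluated at a fixed time.
$now = [datetime]::SpecifyKind([datetime]'2024-06-01', [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'WS-ACTIVE';   Enabled = $true
        lastLogonTimestamp = $now.AddDays(-5).ToFileTimeUtc()
        pwdLastSet         = $now.AddDays(-20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-OLD';      Enabled = $true
        lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc()
        pwdLastSet         = $now.AddDays(-230).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-NEVER';    Enabled = $true
        lastLogonTimestamp = $null
        pwdLastSet         = 0 }
    [pscustomobject]@{ Name = 'WS-DISABLED'; Enabled = $false
        lastLogonTimestamp = $now.AddDays(-400).ToFileTimeUtc()
        pwdLastSet         = $now.AddDays(-400).ToFileTimeUtc() }
)
$sample | Get-StaleComputerRecord -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADComputer -Filter * -Properties lastLogonTimestamp, pwdLastSet |
#       Get-StaleComputerRecord
# Comparable dsquery checks (weeks inactive / days since password change):
#   dsquery computer -inactive 13 -limit 0
#   dsquery computer -stalepwd 90 -limit 0
```

Review the reported accounts before disabling them; a recent logon combined with an old password usually points to a machine with password changes turned off rather than an abandoned account.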
Active Directory System Discovery discovers basic information about a computer, including the:
• Computer name
• Operating system and version
• Active Directory container name
• IP address
• Active Directory site
• Last Logon Time Stamp: Universal Time Coordinate (UTC)
Additionally, you can configure the discovery of extended attributes from AD DS in the Active Directory
System Discovery Properties dialog box on the Active Directory Attributes tab.
Active Directory System Discovery includes functionality to discover Active Directory container names,
such as Organizational Units, which is available in Configuration Manager 2007 in Active Directory System
Group Discovery.
Active Directory User Discovery
Active Directory User Discovery searches the specified AD DS location to identify user accounts and
their associated attributes.
Active Directory User Discovery discovers basic information about the user account, including the
following:
• User name
• Unique user name (includes the domain name)
• Domain
• Active Directory container names
In addition to this basic information, you can configure the discovery of extended attributes from AD DS
in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab.
Active Directory Group Discovery
Active Directory Group Discovery discovers basic information about the groups and their membership,
including the following:
• Groups
• Group membership
• Limited information about a group's member computers and users
By default, Active Directory Group Discovery discovers only security groups. To discover the membership
of distribution groups, you must select the check box for the option Discover the membership of
distribution groups in the Active Directory Group Discovery Properties dialog box on the Option tab.
There are two options when configuring Active Directory Group Discovery searches:
• Location. You can search one or more Active Directory containers, such as a forest, domain, container
  or OU. You can use a recursive search of the specified Active Directory container, so that the search
  includes all child containers under the container that you specify. This process continues until Active
  Directory Group Discovery does not find any more child containers.
• Groups. You can specify one or more Active Directory groups. When configuring this option, you can
  use the default domain and forest for the site or limit the search to an individual domain controller. If
  you do not specify at least one group, this method performs a location search of the location that you
  specify.
You can use both of these options more than once and at the same time. For example, you might want
to find all the members of all groups in a particular location (forest, domain, container or OU) plus all the
members of one particular group in a different location.
Active Directory Discovery Log Files
The following logs record Active Directory Discovery actions. These logs are in the InstallationPath\Logs
folder on the site server, and they include the following:
• Active Directory System Discovery actions are in the adsysdis.log.
• Active Directory User Discovery actions are in the adusrdis.log.
• Active Directory Group Discovery actions are in the adsgdis.log.
What Is Network Discovery?
Network Discovery discovers the topology of your network and devices on your network by searching for
devices that have IP addresses. Network Discovery searches your network for IP-enabled resources by
querying:
• The Windows® browse list for Active Directory domains.
• Servers that run a Microsoft® implementation of the Dynamic Host Configuration Protocol (DHCP).
• Address Resolution Protocol (ARP) caches in routers.
• Devices enabled with Simple Network Management Protocol (SNMP).
Network Discovery must identify the IP address and the subnet mask to successfully discover a resource.
Network Discovery can discover resources that cannot support the Configuration Manager client software,
such as printers, routers, and bridges. Network Discovery creates discovery records that include the
following information, as appropriate:
• NetBIOS name
• IP addresses
• Resource domain
• System roles
• SNMP community name
• Media access control (MAC) addresses
Network Discovery and Heartbeat Discovery are the only discovery methods that can discover computers
in workgroups.
To configure Network Discovery, you must specify the level of discovery, which the following table
outlines.
Level of discovery: Details
• Topology: This level discovers routers and subnets, but it does not identify a subnet mask for objects.
• Topology and client: This level discovers topology and potential clients, such as computers, and
  resources, such as printers and routers. This level of discovery attempts to identify the subnet mask of
  objects that it finds.
• Topology, client, and client operating system: In addition to topology and potential clients, this level
  attempts to discover the computer operating-system name and version. This level uses Windows
  Browser service and Windows Networking calls.
For Network Discovery to discover an object, it must identify the object IP address and then identify
its subnet mask or Active Directory site membership. It then creates a DDR for that object. If Network
Discovery cannot determine the subnet mask or Active Directory site membership of an object, it does
not create a DDR.
To discover computer resources, you must configure at least the Topology and client discovery level. You
can configure Network Discovery to use the following sources of information:
• Domains. Network Discovery discovers any computer from the domain that you specify. This
  information must be visible when browsing the network. Network Discovery retrieves the IP address
  and then uses an Internet Control Message Protocol (ICMP) echo request to ping each device that it
  finds to determine which computers are currently active. It then initiates Windows networking
  application programming interface (API) calls to the resource to discover its operating-system
  information.
• SNMP. Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that
  responds to the query. The ipNetToMediaTable value returns arrays of IP addresses that are client
  computers or other resources, such as printers, routers, or other IP-addressable devices.
• DHCP. Network Discovery queries Microsoft DHCP servers for a list of devices that are registered with
  each server. Network Discovery retrieves information by using remote procedure calls to the database
  on the DHCP server. Network Discovery supports only DHCP servers that run the Microsoft
  implementation of DHCP.
You can limit Network Discovery by specifying the following options:
• Subnets. You can configure the subnets that Network Discovery queries when it uses the SNMP and
  DHCP options. These two options search only the subnets that you enable.
• SNMP community names. You can specify SNMP community names that Network Discovery uses to
  query SNMP devices.
• Maximum hops. You can limit the number of network segments and routers that Network Discovery
  can query by using SNMP.
To identify the subnet mask, Network Discovery uses the following methods:
• Router ARP cache. Network Discovery queries the ARP cache of a router to find subnet information.
• DHCP. Network Discovery queries each administrator-specified DHCP server to discover the devices
  for which the DHCP server has provided a lease.
• SNMP device. Network Discovery directly queries an SNMP device, and then makes an additional call
  to obtain the subnet mask information.
Question: What level of Network Discovery must you configure to discover computers?
What Is Heartbeat Discovery?
Heartbeat Discovery is a Configuration
Manager discovery method. It rediscovers
existing computers that have the Configuration
Manager client installed and that are active
in the network. Configuration Manager uses it
to maintain the records of active clients in the
database and to force discovery of active clients
that were removed from the database, or installed
but not discovered by another discovery method.
The following list describes the functions of Heartbeat Discovery:
• Heartbeat Discovery is enabled by default, and it runs on a schedule on each computer client to
  create a Heartbeat Discovery DDR. To send the Heartbeat Discovery record, the client computer must
  be able to contact a management point.
• For mobile device clients, the management point that the mobile device client uses creates the DDR.
• The default schedule for Heartbeat Discovery is set to run every seven days.
• Heartbeat Discovery provides details about the client installation status by updating a
  system-resource client attribute to active status.
• The following maintenance tasks use discovery information. If you adjust the heartbeat interval, you
  should adjust these tasks:
  o Clear Install Flag. This maintenance task is not enabled by default. If you enable this task, the
    default schedule is 00:00 and 05:00 every Sunday. This task clears the install flag of any client that
    has not submitted a Heartbeat DDR within the past 21 days. This forces a client reinstallation if
    you enable the client push installation method.
  o Delete Aged Discovery Data. By default, this maintenance task is enabled and runs between 00:00
    and 05:00 every Saturday. By default, this task removes any discovery data that is more than 90
    days old. If a DDR for the resource has not been added in the past 90 days, this task deletes
    everything relevant to that resource from the Configuration Manager database.
    ▪ This task affects all types of resources: systems, users, and groups. This task removes database
      records about discovered computers that have not had the Configuration Manager client
      installed during the last 90 days.
  o Delete Inactive Client Discovery Data. By default, this maintenance task is not enabled. If you
    enable this task, the default schedule is 00:00 to 05:00 every Saturday. The Delete Inactive Client
    Discovery Data task is similar to the Delete Aged Discovery Data task. However, this task operates
    only on resources that are Configuration Manager clients. When you enable this task, it removes
    records for inactive clients that have not sent a heartbeat during the last 90 days.
You cannot configure Heartbeat Discovery on secondary sites, but secondary sites can receive the
Heartbeat DDR from a client, and forward it to the primary site.
Question: If you change the default schedule for Heartbeat Discovery, you should ensure that Heartbeat
Discovery runs more frequently than which site-maintenance tasks?
Discussion: Planning Discovery
Only the Heartbeat Discovery method is enabled
by default. You can modify this method, but you
should not disable it. Depending on what you
plan to manage, you can enable any or all of the
Heartbeat Discovery methods.
The following table summarizes the discovery methods.
| Discovery method | Default schedule | Description |
| --- | --- | --- |
| Active Directory System Discovery | Once a week after you enable it, and delta discovery every five minutes. | Discovers computers in AD DS from the specified forests, domains, and containers. Discovers basic Active Directory attributes for the computers. |
| Active Directory User Discovery | Once a week after you enable it, and delta discovery every five minutes. | Discovers users in AD DS from the specified forests, domains, and containers. Discovers basic Active Directory attributes for the users. |
| Active Directory Group Discovery | Once a week after you enable it, and delta discovery every five minutes. | Discovers groups and group memberships in AD DS from the specified forests, domains, and containers. Discovers minimal information about the group members. |
| Active Directory Forest Discovery | Once a week after you enable it. | Discovers groups and group memberships in AD DS from the specified forests, domains, and containers. Discovers minimal information about the group members. |
| Network Discovery | Once, running for two hours when you enable it. | Discovers Network Devices that respond to the configured Network Discovery method. |
| Heartbeat Discovery | Once a week after you install the client. | Client systems generate a new DDR to keep their data active in the Configuration Manager database. |
Considering your environment, discuss the following questions with the rest of the class:
Question: Which discovery methods might you enable, and why?
Question: For the discovery methods that you would enable, how do you think you would schedule
them?
Question: If you intended to enable Active Directory System Discovery or Active Directory User Discovery,
would you enable additional attributes as well?
Lesson 2
Client Deployment in Configuration Manager
You can install Configuration Manager clients by using a variety of methods. Regardless of the method
that you choose, you should start by using either CCMSetup.exe or CCMSetup.msi, which is a bootstrap
for CCMSetup.exe.
This lesson covers the client-installation process and the CCMSetup parameters that you can use with
CCMSetup.exe to control the deployment process.
You will examine typical Configuration Manager client-installation methods and Configuration Manager
site systems that are involved in client deployment. This lesson also discusses the role of AD DS in client
deployment.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the importance and the role of AD DS in the client-deployment process.
• Describe the site systems that Configuration Manager uses during the client-deployment process.
• Describe how to use Configuration Manager boundaries and boundary groups for client assignment
  and content location.
• Describe how Configuration Manager clients find Configuration Manager site systems.
• Describe the requirements for client installation.
• Describe the Configuration Manager client-installation process for Mac computers.
• Describe the Configuration Manager client-installation process for UNIX and Linux computers.
• Describe typical client-deployment methods.
The Role of AD DS in Client Deployment
Although not mandatory, you can extend AD DS
to simplify the management of your Configuration
Manager site. Extending the AD DS schema and
publishing Configuration Manager information
to AD DS simplifies the client-installation process
by automatically providing the installation
parameters that you configure. You can use
AD DS publishing with any installation method
to allow for automatic site assignment. AD DS
publishing also enables you to provide the client
with the name of a management point to
communicate with.
Configuration Manager publishes client-installation properties to AD DS, including:
• The management point to be used for downloading content for client installation.
• The Configuration Manager site code.
• The Hypertext Transfer Protocol (HTTP) port used for client communications.
• The Hypertext Transfer Protocol Secure (HTTPS) port that is used for client communication.
• A setting to indicate that the client must communicate by using HTTPS.
• The fallback status point. If the site has multiple fallback status points, only the first one installed is
  published to AD DS.
• The criteria for certificate selection. This might be required when the client has more than one valid
  certificate.
• Installation properties specified in the Installation Properties tab of the Client Push Installation
  Properties dialog box.
Additionally, if you use alternate ports for your site systems, clients are automatically updated when you
make a change.
Extending the Active Directory schema is an irreversible forest-wide action that you need to perform only
once per forest. When deploying Configuration Manager in a multiple-forest environment, you need to
extend the schema in each forest to which you want to publish information.
If you previously extended the schema for Configuration Manager 2007, you do not need to extend it
again for System Center 2012 R2 Configuration Manager. Only a member of the Schema Admins group or
an administrator that has sufficient permissions to modify the schema can extend it.
If you extend the schema before installation, Configuration Manager automatically configures the site to
publish site information during installation and publishes site information to AD DS at the completion of
installation. However, you can extend the schema after the Configuration Manager installation and then
manually configure the site to publish to AD DS.
Note: For more information about extending the Active Directory schema for
Configuration Manager, refer to “Module 2, Planning and Deploying a Stand-Alone
Environment.”
Question: How do Group Policy initiated deployments use AD DS during Group Policy installation?
Question: Are you planning to extend the Active Directory schema in your environment?
Site Systems That Client Deployment Uses
The process for installing the Configuration
Manager client involves several different site
systems. In addition to the site systems that play
a direct role in client deployment, there are a few
site systems that you might find useful during a
deployment.
The following site system roles are directly
involved when you install client devices.
Management Point
A management point is required to complete the
client-installation process, although you can install
the client components successfully without one. The installation process is complete when the client
registers with a primary site, is assigned its initial policy, and retrieves the policy. This initial policy sets
the components to their desired state. For standard installation methods, the client downloads a copy of
CCMSetup.exe from a management point. All other files are downloaded from a distribution point. After
the installation program is complete, the client contacts the management point to register itself and
obtain its site assignment. It then reports the state of the installation. If the client cannot contact the
management point, all client components appear as installed rather than enabled or disabled.
The client software has several methods that it can use to locate the management point, and it uses them
in the following order:
1. Setup Parameters. As part of the installation command, you can specify a management point.
2. AD DS. The client software queries AD DS for an appropriate management point.
3. DNS. The client searches for a service (SRV) record for a management point. To find the
   right SRV record in DNS, you must configure the clients with their site code.
4. Windows Internet Name Service (WINS). A management point automatically updates its WINS record
   with the appropriate information.
Automatic client assignment is based on boundaries, which are members of a boundary group for
which you enable automatic assignment. In previous Configuration Manager versions, if clients fall outside
of all boundaries, automatic site assignment fails and clients are not managed. However, Configuration
Manager enables you to configure a fallback site for client assignment at the hierarchy level. If you install
a client that is outside of any configured boundary groups, the automatic site-assignment process uses
this site, and the installation process completes successfully.
Fallback Status Point
The fallback status point is an optional site system that is used during the client-installation process.
A fallback status point monitors client deployment and identifies unmanaged clients that cannot
communicate with a management point. The fallback status point uses unauthenticated connections from
clients over HTTP. To reduce exposure to security risks due to use of unauthenticated connections, you
should use a dedicated system for the fallback status point. Furthermore, in a production environment,
you should not install other site system roles on the fallback status point server.
Additionally, Configuration Manager client deployment reports use data sent by clients through the
fallback status point.
Mobile devices that Configuration Manager enrolls, and mobile devices that the Exchange Server
connector manages, do not use a fallback status point.
Software Update Point
You can install the Configuration Manager client by using software update-point push installations. If you
choose to use this method, you need to configure the software update point on a Windows Server Update
Services (WSUS) server. This installs the client when computers scan for applicable software updates.
Enrollment Point and Enrollment Proxy Point
Mobile devices and the Mac OS X use the enrollment point for Configuration Manager enrollment. The
enrollment proxy point manages the enrollment requests from mobile devices. These site system roles are
not required if you plan to manage mobile devices by using the Exchange connector, Windows Intune, or
if you install the Configuration Manager client for Windows CE.
Distribution Point
The distribution point is used to copy all client installation files, except for CCMSetup.exe, unless
CCMSetup has been invoked by using the /source: parameter and points to a folder with all files and
prerequisites. When you deploy an operating system by using the Configuration Manager
operating-system deployment feature, CCMSetup is downloaded from a distribution point to the client’s local
cache. A standard installation is then invoked, including the download of a copy of CCMSetup from the
management point to the %WINDIR%\ccmsetup folder and the download of client.msi and prerequisite
files from a distribution point.
When you upgrade the client by using software deployment, the installation package downloads from a
distribution point. The installation of the Windows CE client also uses a distribution point.
Reporting Services Point
In addition to the required and optional roles that client installation uses directly, you might find it useful
to install a reporting services point. This enables you to view any reports about the client installation
process or the status of clients.
Planning for Windows-Based Client Installation
Before deploying the Configuration Manager
client for Windows-based computers, you need
to understand the client requirements and the
different methods that you can use to deploy
the client, based on how you will manage it.
Prerequisites
Some of the prerequisites for client deployment
install automatically on client computers during
the deployment process. You must install other
prerequisites before you deploy the client, and
those prerequisites vary depending on the client
version that you are deploying. The following list
contains all prerequisites that you need to successfully deploy the Configuration Manager client to
Windows-based computers:
• External dependencies. You must install these prerequisites before you deploy the client:
  o Client Bridge ActiveX® Control. The client uses this control for computers that run a
    version of the client prior to System Center 2012 Configuration Manager Service Pack 1
    (SP1). For those computers, you must exclude the
    Microsoft.ConfigurationManager.SoftwareCatalog.Website.ClientBridgeControl.dll control from
    ActiveX filtering in Windows Internet Explorer®. This control installs automatically with the
    client for versions prior to System Center 2012 Configuration Manager SP1.
  o Windows Installer version 3.1.4000.2435. This is the minimum version of the installer that is
    necessary for software updates and .msp files in packages.
  o KB2552033. This update is necessary for servers that are running Windows Server® 2008 R2, if
    you use client push to deploy the Windows-based client.
  o Background Intelligent Transfer Service (BITS) 2.5. BITS throttles communication between client
    and servers. BITS does not install automatically on all Windows versions, so you need to
    determine whether it is installed. If it is not, you need to install it.
• Dependencies that install automatically during deployment. CCMSetup.exe downloads these
  prerequisites from a distribution point and, if necessary, installs them during deployment:
  o Microsoft .NET Framework 4 Client Profile. The Configuration Manager client is a .NET
    application, so it needs .NET Framework. Download this component only if none of the following
    are installed on the client:
    ▪ Microsoft .NET Framework 3.0
    ▪ Microsoft .NET Framework 3.5
    ▪ Microsoft .NET Framework 4.0
  o Microsoft Core XML Services (MSXML) 6.20.5002. Processes XML documents in Windows.
  o Microsoft Policy Platform 1.2.3514.0. Evaluates compliance settings on the client.
  o Microsoft remote differential compression (RDC). Compresses data for transmission over a
    network.
  o Microsoft Silverlight 4.0.50524.0. Used by the Application Catalog website on computers that are
    running versions of the Configuration Manager client prior to System Center 2012 Configuration
    Manager SP1.
  o Microsoft Silverlight 5.1.10411.0. Used by the Application Catalog website on computers that are
    running the System Center 2012 Configuration Manager SP1 and older versions of the
    Configuration Manager client.
  o Microsoft SQL Server Compact 3.5 SP2 components. Stores information that client operations
    require.
  o Microsoft Visual C++ 2005 Redistributable version 8.0.50727.42. Used by SQL Server®
    Compact 3.5.
  o Microsoft Visual C++ 2008 Redistributable version 9.0.30729.4148. Used by the client to execute
    various client operations.
  o Microsoft Windows Imaging Components. Used by the .NET Framework for computers that are
    running Windows Server 2003 or Windows XP SP2 for 64-bit.
  o Windows Imaging APIs 6.0.6001.18000. Manages .WIM files.
  o Windows Update Agent version 7.0.6000.363. Supports software updates.
• Communication ports. Client deployment uses these ports:
  o TCP 80. Used in all client deployment methods for communication with a fallback status point.
    Also used for communication with the management point and distribution point.
  o TCP 443. Used in all client deployment methods for communication between the client and a
    management point and distribution point, if you configure the management point and
    distribution point to use HTTPS instead of HTTP.
  o TCP 445. Used by Server Message Block (SMB) messages when downloading the client files
    in a client push installation or in any installation that uses the /source property for CCMSetup.
  o UDP/TCP 135. Used with dynamic ports on the client to support remote procedure call (RPC)
    communication between client and site servers during a client-push installation.
  o TCP 8530. Used for HTTP communication with a software update point when you install the client
    by using software updates.
  o TCP 8531. Used for HTTPS communication with a software update point when you install the
    client by using software updates.
Note: These ports are the default ports that Configuration Manager uses. You can modify
them. For more information about ports that client deployment uses and alternative ports, refer
to “Windows Firewall and Port Settings for Client Computers in Configuration Manager” at
http://go.microsoft.com/fwlink/?LinkID=391457.
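The port list above can drive a least-privilege firewall review. The following PowerShell is an added example, not part of the course material: it derives the default ports that a deployment method needs and compares them with a permitted-port list. The function names, method labels, parameter names and the sample policy are constructed for illustration.

```powershell
# Added example. Port numbers are the defaults from the list above; every
# function, parameter and method label here is chosen for this example only.

function New-PortRequirement {
    param([string]$Protocol, [int]$Port, [string]$Peer, [string]$Reason)
    [pscustomobject]@{
        Key      = '{0}/{1}' -f $Protocol, $Port
        Protocol = $Protocol
        Port     = $Port
        Peer     = $Peer
        Reason   = $Reason
    }
}

function Get-ClientDeploymentPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ClientPush', 'SoftwareUpdatePoint', 'Manual')]
        [string]$Method,
        [switch]$UsesSourceSwitch,              # CCMSetup is started with /source
        [switch]$SiteSystemsUseHttps,           # management and distribution points use HTTPS
        [switch]$SoftwareUpdatePointUsesHttps,
        [switch]$UsesFallbackStatusPoint
    )

    $required = @()
    if ($UsesFallbackStatusPoint) {
        # TCP 80 is listed for the fallback status point in every deployment method.
        $required += New-PortRequirement 'TCP' 80 'Fallback status point' 'Unauthenticated HTTP from clients'
    }
    if ($SiteSystemsUseHttps) {
        $required += New-PortRequirement 'TCP' 443 'Management point, distribution point' 'HTTPS client communication'
    } else {
        $required += New-PortRequirement 'TCP' 80 'Management point, distribution point' 'HTTP client communication'
    }
    if ($Method -eq 'ClientPush' -or $UsesSourceSwitch) {
        $required += New-PortRequirement 'TCP' 445 'Source share or site server' 'SMB download of client files'
    }
    if ($Method -eq 'ClientPush') {
        # Dynamic RPC ports on the client also apply and are not enumerated here.
        $required += New-PortRequirement 'TCP' 135 'Site server' 'RPC during client push'
        $required += New-PortRequirement 'UDP' 135 'Site server' 'RPC during client push'
    }
    if ($Method -eq 'SoftwareUpdatePoint') {
        if ($SoftwareUpdatePointUsesHttps) {
            $required += New-PortRequirement 'TCP' 8531 'Software update point' 'HTTPS to the software update point'
        } else {
            $required += New-PortRequirement 'TCP' 8530 'Software update point' 'HTTP to the software update point'
        }
    }
    $required
}

function Compare-DeploymentPortPlan {
    param(
        [Parameter(Mandatory)]
        [object[]]$Required,
        # Entries such as 'TCP/80' describing what the firewall policy permits.
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$Permitted
    )
    $needed = @($Required.Key | Select-Object -Unique)
    [pscustomobject]@{
        Missing = @($needed | Where-Object { $_ -notin $Permitted })
        Excess  = @($Permitted | Where-Object { $_ -notin $needed })
    }
}

# Constructed scenario: client push to HTTPS site systems with a fallback status point.
$plan = Get-ClientDeploymentPort -Method ClientPush -SiteSystemsUseHttps -UsesFallbackStatusPoint
$plan | Format-Table Protocol, Port, Peer, Reason -AutoSize

# Constructed firewall policy for a pilot subnet.
$permitted = 'TCP/80', 'TCP/443', 'TCP/445', 'TCP/8530'
$result = Compare-DeploymentPortPlan -Required $plan -Permitted $permitted
"Missing: $($result.Missing -join ', ')"
"Excess:  $($result.Excess -join ', ')"
```

Ports reported as excess are candidates for closing; if the site uses alternative ports, change the numbers in the function to match.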
Overview of the Windows Client-Installation Process
Depending on the client-installation method
that you use, the complexity of configuration can
vary significantly. However, all of the installation
methods use the same files, and they finish the
installation essentially in the same way.
The installation process for the Configuration
Manager client uses the following files.
CCMSetup.exe
CCMSetup.exe generally begins the client-installation process and runs in all client-installation methods. CCMSetup performs the
following actions:
• Determines the location from which to download client prerequisites and installation files. If you start
  CCMSetup without command-line options and if you extend the AD DS schema for Configuration
  Manager, the setup process reads the client-installation properties from AD DS to find an appropriate
  management point. If you do not extend the Active Directory schema, CCMSetup searches DNS or
  WINS for a management point to contact. Alternatively, you can specify a management point by
  providing the /mp:ComputerName switch or a specific UNC location by using the /source:path
  switch.
• Downloads a copy of itself from the management point or specified source folder to the
  %windir%\ccmsetup folder.
• Downloads the client prerequisite files. Files include the Client.msi file and any prerequisite files that
  are missing, which this module discussed previously.
• Invokes the startup of the Client.msi file. The Client.msi file installs the Configuration Manager client
  software on the client.
CCMSetup copies all of the files that it needs to %systemroot%\CCMSetup, and it creates the
ccmsetup.log file, which is stored in the %systemroot%\CCMSetup\logs folder. Numerous switches are
available for modifying the behavior of CCMSetup.exe, which the following topic discusses.
Client.msi
After CCMSetup installs the prerequisites on the client that you specify, it invokes Client.msi. This
Windows Installer file installs the client on the system.
Client.msi creates the client.msi.log log file in the %systemroot%\CCMSetup folder.
You can modify the Client.msi installation behavior by providing specific properties on the CCMSetup.exe
command line. Alternatively, you can specify the properties on the Installation Properties tab of the Client
Push Installation Properties dialog box. These settings then publish to AD DS, and the various installation
methods use these settings.
CCMSetup.msi
The Configuration Manager installation process uses the CCMSetup.msi Windows installer file when using
an AD DS Group Policy to publish or assign the Configuration Manager client to computers. This file is in
the installation directory\bin\i386 folder on the Configuration Manager site server.
Client Assignment
After the client installation is complete, the client is assigned to a site to allow for client management.
Client devices can be assigned to any primary site. However, client devices cannot be assigned to either a
secondary site or a central administration site.
Most clients reside within site-assignment boundary groups and are automatically assigned based on the
boundary definition. You can configure a site in the hierarchy settings as a fallback site, so that when you
select a client, the client is assigned to the site if the client is outside the configured boundary groups of
all defined sites. You also can assign a client to a site through a client.msi option, either directly or
through the Client tab of the Client Push Installation Properties dialog box.
If you do not extend the AD DS schema, you have the following options for site assignment:
• You can specify a site code by using the client.msi property SMSSITECODE=sitecode.
• You can manually assign a group of clients to a site by using Group Policy.
You also can choose to install a client offline and not immediately assign it to a site. However,
Configuration Manager cannot manage a client until it is assigned to a site.
After the client is assigned to a site, the client remains assigned to that site, even if the client changes its
IP address and roams to another site. Under normal circumstances, only an administrator can manually
assign the client to another site.
If the client auto-assignment fails, the client software remains installed, but Configuration Manager does
not manage it until it locates a site. If the client remains unassigned, every time that the CCMExec process
starts, it attempts to perform auto-assignment.
Question: How does the client-deployment process use the management point?
Question: Which executable determines the location of the source files and then downloads them to start
the Configuration Manager client-installation process?
CCMSetup Installation Properties
CCMSetup.exe switches allow you to specify
the installation properties of the Configuration
Manager client. You can type these switches at a
command line when using the manual installation
or logon installation methods, or they can be read
from AD DS. You also can use CCMSetup.exe to
provide properties for client.msi when you are
using these methods.
The CCMSetup.exe command line uses the
following format:
CCMSetup.exe /[CCMSetup switch] [client.msi setup properties]
The following table lists a few of the switches that CCMSetup.exe supports. For a complete list of the
available settings, refer to “About Configuration Manager Client Installation Properties” at
http://go.microsoft.com/fwlink/?LinkID=391458.
| CCMSetup switch | Purpose |
| --- | --- |
| /source:Path | Specifies the location to download installation files from. You can use a local or UNC installation path. Files are downloaded by using the SMB protocol. The Windows user account that you use for client installation must have Read permissions to the installation location. |
| /mp:Computer | Specifies the source management point for downloading installation files. Files are downloaded over an HTTP or HTTPS connection, depending on how the management point is configured for client connections. This download uses BITS throttling, if you configure it. If you configure the management point for HTTPS client connections only, you must verify that the client computer has a valid public key infrastructure (PKI) client certificate. |
| /skipprereq:filename | Specifies to skip prerequisite software that installs automatically. |
| /forceinstall | Specifies the uninstallation of any existing client and the installation of a new client. |
Client.msi Properties
You can combine client.msi properties with CCMSetup switches when you perform an installation by using
CCMSetup. You can specify these properties manually or by changing Client Push Installation Properties in
the Configuration Manager console. The following list shows the properties that are used most commonly:
• CCMHOSTNAME. Use for Internet-based clients. Points to the management point that the client will
  use.
• SMSCACHESIZE. Use to specify the size, in megabytes (MB), of the local cache that the client uses
  when downloading files and packages from a distribution point.
• SMSMP. Use to specify the management point that the client will use.
• SMSSITECODE. Use to specify the site that you will assign the client to.
• FSP. Use to specify the fallback status point that the client will use.
Note: For more information about CCMSetup.exe switches and Client.msi properties, refer
to “About Client Installation Properties in Configuration Manager” at
http://go.microsoft.com/fwlink/?LinkID=391458.
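Before a CCMSetup command line goes into a logon script or deployment package, it can be reviewed against the switches and properties described in this lesson. The following PowerShell is an added example, not part of the course material: it parses a command line in the format shown above and reports the checks this lesson implies. The function name, its parameters and the sample command line are constructed for illustration.

```powershell
# Added example. It recognizes only the switches and properties that this
# lesson lists; anything else is reported for a look-up in the full reference.

function Test-CcmSetupCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$CommandLine,
        [switch]$SitePublishesToAdDs,        # schema extended and site publishing to AD DS
        [switch]$ManagementPointHttpsOnly    # management point accepts HTTPS clients only
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Severity, $Item, $Message)
        $findings.Add([pscustomobject]@{ Severity = $Severity; Item = $Item; Message = $Message })
    }

    # Split on whitespace but keep quoted values, such as paths with spaces, together.
    $tokens = [regex]::Matches($CommandLine, '(?:[^\s"]+|"[^"]*")+') |
        ForEach-Object { $_.Value -replace '"', '' }

    $switches   = @{}
    $properties = @{}
    foreach ($token in ($tokens | Select-Object -Skip 1)) {   # first token is CCMSetup.exe
        if ($token -match '^/(?<name>[^:]+)(?::(?<value>.*))?$') {
            $switches[$Matches.name.ToLowerInvariant()] = $Matches.value
        } elseif ($token -match '^(?<name>[^=]+)=(?<value>.*)$') {
            $properties[$Matches.name.ToUpperInvariant()] = $Matches.value
        } else {
            & $add 'Warning' $token 'Token is neither a /switch nor a PROPERTY=value pair.'
        }
    }

    $listedSwitches   = 'source', 'mp', 'skipprereq', 'forceinstall'
    $listedProperties = 'CCMHOSTNAME', 'SMSCACHESIZE', 'SMSMP', 'SMSSITECODE', 'FSP'
    foreach ($name in $switches.Keys) {
        if ($name -notin $listedSwitches) {
            & $add 'Info' "/$name" 'Switch is not among those listed in this lesson; check the full reference.'
        }
    }
    foreach ($name in $properties.Keys) {
        if ($name -notin $listedProperties) {
            & $add 'Info' $name 'Property is not among those listed in this lesson; check the full reference.'
        }
    }

    if ($switches.ContainsKey('source')) {
        & $add 'Info' '/source' "Files arrive over SMB; the installing account needs Read permission on '$($switches.source)'."
    }
    if ($switches.ContainsKey('mp') -and $ManagementPointHttpsOnly) {
        & $add 'Warning' '/mp' 'Management point is HTTPS only: verify that the computer has a valid PKI client certificate.'
    }
    if (-not $switches.ContainsKey('mp') -and -not $switches.ContainsKey('source') -and -not $SitePublishesToAdDs) {
        & $add 'Warning' 'location' 'No /mp or /source and no AD DS publishing: CCMSetup searches DNS or WINS for a management point.'
    }
    if (-not $properties.ContainsKey('SMSSITECODE') -and -not $SitePublishesToAdDs) {
        & $add 'Warning' 'SMSSITECODE' 'Without AD DS publishing, assign the site with SMSSITECODE or Group Policy; the DNS SRV lookup also needs the site code.'
    }
    if ($properties.ContainsKey('FSP')) {
        & $add 'Info' 'FSP' "Fallback status point '$($properties.FSP)' accepts unauthenticated HTTP; keep it on a dedicated server."
    }
    if ($properties.ContainsKey('SMSCACHESIZE') -and $properties.SMSCACHESIZE -notmatch '^\d+$') {
        & $add 'Error' 'SMSCACHESIZE' 'Cache size must be a whole number of megabytes.'
    }
    if ($switches.ContainsKey('forceinstall')) {
        & $add 'Info' '/forceinstall' 'Any existing client is uninstalled before the new client is installed.'
    }
    if ($switches.ContainsKey('skipprereq')) {
        & $add 'Warning' '/skipprereq' "Prerequisite '$($switches.skipprereq)' is skipped; confirm that it is already installed."
    }
    $findings
}

# Constructed command line; the server names, share and site code are placeholders.
$sample = 'CCMSetup.exe /source:"\\fileserver.example.test\Client Files" /forceinstall ' +
          'SMSSITECODE=ABC SMSMP=mp01.example.test FSP=fsp01.example.test SMSCACHESIZE=10GB'
Test-CcmSetupCommandLine -CommandLine $sample | Format-Table -AutoSize -Wrap
```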
Question: What should you type at a command prompt to install the Configuration Manager client from
a network share, and to specify that the client should use the LON site code and LON-CFG.adatum.com as
the management point after installation?
Planning for Installing the Configuration Manager Client on Mac
Computers
System Center 2012 Configuration Manager SP1
introduces support for Mac computers. However,
you cannot use all Configuration Manager
features on Mac computers, and Configuration
Manager does not support all versions of the Mac
operating system.
Supported Operating Systems
Configuration Manager supports the following
Mac operating systems:
• Mac OS X 10.6 (Snow Leopard): Supported on System Center 2012 Configuration Manager
  SP1 and newer versions.
• Mac OS X 10.7 (Lion): Supported on System Center 2012 Configuration Manager SP1 and newer
  versions.
• Mac OS X 10.8 (Mountain Lion): Supported on System Center 2012 Configuration Manager SP1 with
  Cumulative Update 1 and newer versions.
Deployment
Configuration Manager client installation and management for Mac computers require the use of PKI
certificates. The Configuration Manager client for Mac computers always performs a certificate revocation
check, and you cannot disable this check. If a Mac computer cannot perform the check, it does not
connect to Configuration Manager site systems.
Mac computers communicate with Configuration Manager site systems as if they were Internet-based
clients. This means that all communication happens by using HTTPS. You must configure management
points and distribution points to support Mac computers.
Features Supported
The Configuration Manager client for Mac supports only three features: hardware inventory, software
deployment, and compliance settings.
Note: Compliance settings use .plist files and shell scripts for remediation.
Planning for Installing the Configuration Manager Client on Linux and
UNIX Computers
System Center 2012 Configuration Manager SP1
introduces support for Linux and UNIX computers.
However, you cannot use all features of
Configuration Manager on Linux and UNIX
machines, and some versions of Linux and UNIX
operating systems require an individual client
agent.
Microsoft introduced a universal client with
Cumulative Update 1 for
System Center 2012 Configuration Manager SP1
Client for Linux and UNIX. You can use the
universal agent for both the SP1 and R2 versions
of Configuration Manager, and it consists of two files:
• ccm-Universalx86.build.tar. Used for 32-bit implementations.
• ccm-Universalx64.build.tar. Used for 64-bit implementations.
You must ensure that the operating system and version of your Linux or UNIX implementation support
the universal installer before using it. The following implementations of Linux and UNIX support the
universal agent:
• Red Hat Enterprise Linux (RHEL)
  o Version 5, x86
  o Version 5, x64
  o Version 6, x86
  o Version 6, x64
• SUSE Linux Enterprise Server (SLES)
  o Version 10 SP1, x86
  o Version 10 SP1, x64
  o Version 11 SP1, x86
  o Version 11 SP1, x64
• CentOS
  o Version 5, x86
  o Version 5, x64
  o Version 6, x86
  o Version 6, x64
• Debian
  o Version 5, x86
  o Version 5, x64
  o Version 6, x86
  o Version 6, x64
  o Version 7, x86
  o Version 7, x64
• Ubuntu
  o Version 10.4 LTS, x86
  o Version 10.4 LTS, x64
  o Version 12.4 LTS, x86
  o Version 12.4 LTS, x64
• Oracle Linux
  o Version 5, x86
  o Version 5, x64
  o Version 6, x86
  o Version 6, x64
Configuration Manager can also manage computers that are running other versions of Linux or UNIX.
However, for those versions, you need a specific installer. The following list shows the installers for each
version:
• AIX
  o Version 5.3 (Power): ccm-Aix53ppc.build.tar
  o Version 6.1 (Power): ccm-Aix61ppc.build.tar
  o Version 7.1 (Power): ccm-Aix71ppc.build.tar
• HP-UX
  o Version 11iv2 IA64: ccm-HpuxB.11.23i64.build.tar
  o Version 11iv2 PA-RISC: ccm-HpuxB.11.23PA.build.tar
  o Version 11iv3 IA64: ccm-HpuxB.11.31i64.build.tar
  o Version 11iv3 PA-RISC: ccm-HpuxB.11.31PA.build.tar
• SUSE Linux Enterprise Server (SLES)
  o Version 9, x86: ccm-SLES9x86.build.tar
• Solaris
  o Version 9 SPARC: ccm-Sol9sparc.build.tar
  o Version 10 x86: ccm-Sol10x86.build.tar
  o Version 10 SPARC: ccm-Sol10sparc.build.tar
  o Version 11 x86: ccm-Sol11x86.build.tar
  o Version 11 SPARC: ccm-Sol11sparc.build.tar
• Red Hat Enterprise Linux (RHEL)
  o Version 4, x86: ccm-RHEL4x86.build.tar
  o Version 4, x64: ccm-RHEL4x64.build.tar
Note: There are external dependencies that you must ensure are met if you want a client to
work on computers that are running Linux or UNIX. For a list of dependencies, refer to “Planning
for Client Deployment for Linux and UNIX Servers” at
http://go.microsoft.com/fwlink/?LinkID=391459.
SHA-256 Support
The Configuration Manager client uses SHA-256 to validate data coming from site systems. Specifically,
SHA-256 validation verifies the site server signature for management points when downloading policies,
and it validates the hash for packages that download from a distribution point. However, some Linux and
UNIX operating systems do not support SHA-256. If you have computers that are running any of the
following operating systems, you must use the ignoreSHA256validation switch during installation:
• HP-UX Version 11iv2 (PA-RISC/IA64)
• Red Hat Enterprise Linux Version 4 (x86/x64)
• Solaris Version 9 (SPARC) and Solaris Version 10 (SPARC/x86)
• SUSE Linux Enterprise Server Version 9 (x86)
Deployment
You must deploy the Configuration Manager client on a computer that is running a supported Linux or
UNIX operating system in the same way that you deploy the client on workgroup-based computers. This
means that you must configure a Network Access Account to allow these clients to access resources in the
AD DS domain that is hosting the site systems. You must initiate the installation manually.
Supported Features
The Configuration Manager client for Linux and UNIX supports only two features: hardware inventory and
software deployment.
Lesson 3
Deploying Windows-Based Configuration Manager Clients
To install the Configuration Manager client, the target systems must meet certain prerequisites. Some of
the prerequisites download and install automatically during client setup. However, you must install other
prerequisites manually on the target system before you install the Configuration Manager client.
This lesson discusses how to deploy clients by using the following client-deployment methods:
• Client push
• Software update point
• Group Policy
• Login script
• Manual installation
• Client upgrade
Additionally, this lesson covers installation prerequisites, and the advantages and disadvantages for each
installation method.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the system requirements for installing Configuration Manager clients.
• Describe using silent push to install Configuration Manager clients.
• Describe using a software update point to install Configuration Manager clients.
• Describe using Group Policy to install Configuration Manager clients.
Overview of Client Deployment Methods
To efficiently deploy the Configuration Manager
client components to potential resources, you
need to decide which deployment method to
use. You should consider the details of each
installation method, and decide which is best for
your environment.
The client deployment methods are:
• Client-push installation. This method pushes the Configuration Manager client software to client computers. You can automate this deployment method, so that client installation occurs on systems that are assigned to the site. Or you can manually initiate a client push installation to any discovered system that Configuration Manager supports for client installation.
• Group Policy installation. This method uses Group Policy to publish or assign the Configuration Manager client to computers when the GPO runs on the computer.
• Software update-point installation. You can use this method to publish the Configuration Manager client installation program (CCMSetup.exe) as a software update to a software update point. This is useful if your environment uses WSUS, especially if the Windows firewall is enabled but not configured to support other installation methods.
• Manual installation. This method manually installs the Configuration Manager client software on computers by using CCMSetup.exe. Use this method if you need to install the client on a small number of workstations. If the Configuration Manager information publishes to AD DS, and you run CCMSetup.exe without any command-line parameters, the client-installation process retrieves the published client-installation parameters from AD DS.
• Logon script installation. This method uses CCMSetup.exe in a logon script to trigger the client installation. This method ensures that the Configuration Manager client installs on all computers to which the user has local administrator permissions.
• Upgrade installation (software deployment). You can use this method to upgrade existing client software on computers to newer Configuration Manager versions.
• Operating-system deployment. When using operating system deployment to deploy a new operating system, or upgrade an existing one, you include the Configuration Manager client as part of the operating system deployment process.
• Computer imaging. You can use this method to preinstall the Configuration Manager client software on a master image computer that builds your organization’s computers.
The following table outlines the advantages and disadvantages for the various client-deployment
methods.
| Client-deployment method | Advantages | Disadvantages |
| --- | --- | --- |
| Client push installation | Using the Client push installation wizard, you can use this method to push to a single computer, a collection, or to the results from a query. Using site-wide client push, you can use this method to install the client automatically on discovered computers. Uses client-installation properties defined on the Installation Properties tab of the Client Push Installation Properties dialog box. | Can cause high network traffic when pushing to large collections. You can use this only on computers that Configuration Manager discovers. You must specify a client-push installation account, which has administrative rights to the intended client computer. If you do not configure an account, Configuration Manager tries to use the site system’s computer account, which must have administrative rights on the target client. You must configure the Windows firewall on client computers and all firewalls between the clients and site server, with exceptions to allow client-push installation to finish. |
| Group Policy installation | Does not require you to discover computers before you can install the client. You can use this method for new client installations or for upgrades. If you extend the Active Directory schema, computers can read installation properties that publish to AD DS. Does not require administrative rights on client computers. Does not require firewall exceptions. | Can cause high network traffic if you are installing a large number of clients. If you do not extend the Active Directory schema for Configuration Manager or if the site does not publish to AD DS, you must use Group Policy to add client-installation properties to computers in your site. Works only for systems that belong to an Active Directory domain. Applies Group Policy settings to computers at reboot only, which can delay installation. |
| Software update-based client installation | Uses your existing software updates infrastructure to manage the client software. Installs the client software automatically on new computers if WSUS is configured correctly. Does not require Configuration Manager to discover computers before you can install the client. Reads installation properties in AD DS. Reinstalls the client software if it is removed. Does not require administrative rights on client computers. Does not require firewall exceptions. | Requires a WSUS infrastructure that the systems are currently using. Must use the same server for client installation and software updates, and this server must reside in a primary site. If you do not extend the Active Directory schema for Configuration Manager or if the site does not publish to AD DS, you must use a GPO to add client installation properties to your site’s computers. |
| Manual installation | Does not require Configuration Manager to discover computers before you can install the client. Can be useful for testing purposes. Supports using command-line properties for CCMSetup. Allows you to retrieve configuration properties from AD DS. | No automation. Therefore, this can be time-consuming. Works only for users who are local administrators. |
| Logon script installation | Does not require Configuration Manager to discover computers before you can install the client. Supports using command-line properties for CCMSetup. Does not require firewall exceptions. | Can cause high network traffic if you are installing a large number of clients over a short period of time. Requires that the logged-on user be a local administrator for the computer. |
| Upgrade installation (software deployment) | Can leverage the Configuration Manager features to upgrade clients by collections, at a time that you specify. Supports using command-line properties for CCMSetup. Does not require administrative rights on client computers. Does not require firewall exceptions. | Can cause high network traffic when distributing the client to large collections. You can use this only to upgrade the client software on computers that have been discovered and assigned to the site. |
| Operating-system deployment | Deploys Configuration Manager as part of the image. Site assignment is automatic. Can use Client.msi options. | Can cause high network traffic if you are deploying a large number of clients over a short period of time. Requires that an operating-system deployment infrastructure be in place. |
| Computer imaging | The image may preinstall Configuration Manager, and it does not require a separate deployment task. Communication to the Configuration Manager site can begin almost immediately after the image is deployed. | Requires specific infrastructure considerations for storing and deploying the computer images. If the reference computer is not properly prepared and is allowed to register with a site, all clients that are deployed from that image have the same globally unique identifier (GUID). |
Installing Clients by Using Client Push
You can use client push installation to deploy
the Configuration Manager client to supported
computer systems that Configuration Manager discovers
and for which it registers a DDR in the site database.
You can use client push to install the client on
domain-based computers discovered by using
Active Discovery methods, or on workgroup
computers discovered by using Network
Discovery. You must provide local administrator
credentials by configuring the client push
installation method to use an account that has
local administrator permissions on the target
computers.
You can automate the client push installation for the entire site by enabling site-wide client push
installation. Additionally, you can manually initiate this installation for individual systems or for entire
collections by using the Client Push Installation Wizard. The primary difference between the automatic
and manual methods occurs when installation is initiated:
• When you configure automatic push installation, the installation starts as soon as Configuration Manager discovers a system and the system is placed within a site-assignment boundary group.
• When you configure manual push installation, you decide when and on which systems to install the client.
Whether you use only one of these methods or both, you must configure certain properties for client
push installation.
When you perform a client push installation, if the site server cannot contact the client computer or start
the setup process, it automatically repeats the installation attempt every hour for up to seven days, until it
succeeds. To help track the client installation process, install a fallback status-point site system before you
install clients, which clients automatically use when client push installs them.
Automatic Client Push Installation
You can configure client push installation at the site level so that client installation occurs automatically
on devices that Configuration Manager discovers and assigns within the site’s configured site-assignment
boundary group. If a device is assigned to the site and you enable the site setting for client push
installation, the site server generates a Client Configuration Request for the discovered resource. If the
discovered resource matches the configuration criteria that you established for the client push installation
method, Configuration Manager processes the Client Configuration Request, and starts the client
installation.
You configure automatic client push installation on the General tab of the Client Push Installation
Properties dialog box. After enabling the automatic client push installation, you can choose what types
of systems install automatically. You can configure the following options:
• Enable automatic site-wide client push installation. You can use this check box to enable or disable automatic client push installation. It includes the following options:
  o Servers. This check box allows you to enable or disable automatic push installation to server systems.
  o Workstations. You can use this check box to enable or disable automatic push installation to workstation systems.
  o Configuration Manager site system servers. You can use this check box to enable or disable automatic push installation to Configuration Manager site system servers.
• Always install the Configuration Manager client on domain controllers. You can use this option to enable or disable client installation on domain controllers.
• Never install the Configuration Manager client on domain controllers, unless the Client Push Installation Wizard specifies it. You can use this option to specify that the client installs on domain controllers only when you manually start a push installation and specify during that installation that the client can be installed on domain controllers.
Common Settings for Client Push Installation
Both the automatic push and manual push methods involve pushing the client from the site server. The
Client Push Installation Properties dialog box affects both methods. The dialog box is available on the
ribbon in the Settings section when you select a site, or from a site’s right-click menu. You must configure
two tabs to use either of the client push-installation methods.
Accounts Tab
You can use the Accounts tab to list the accounts that are used to attempt a client push installation. The
installation must use an account with Administrative rights on the client system that you are targeting. If
more than one account is listed, installation is attempted by using each account starting at the top and
working down the list until the installation finishes or until all accounts are tried. If you do not specify at
least one client push-installation account, Configuration Manager tries to use the site system’s computer
account.
Note: The password for the client push-installation account is limited to 38 characters
or less.
Installation Properties Tab
You can use the Installation Properties tab to configure the client.msi settings that you want to use for
your site. If you extend the schema for Configuration Manager, client-installation properties that this tab
specifies publish to AD DS. They are read by client installations where CCMSetup.exe runs without
installation properties.
Install Client Wizard
You can launch the Install Client Wizard by selecting one or more discovered devices under the Devices
node of the Assets and Compliance workspace, and then clicking Install Clients in the ribbon. You also can
use the Install Client Wizard from the Device Collections node.
After you launch the Install Client Wizard, you have the following options:
• Allow the Client software to be installed on domain controllers. You can use this check box to enable the push installation to domain controllers.
• Always install the client software. You can use this check box to cause the client software, if it is present, to be reinstalled, repaired, or upgraded. You also have an option to uninstall any existing client software before the client is reinstalled.
• Install the client software from a specified site. You can use this check box to specify an alternate site to use for installing the client software. This does not change the client site assignment.
Firewall Settings for Client Push Installation
Client push installation can fail if the client is running a firewall that is blocking the ports that the
installation process is using. To help ensure the success of the installation, you should configure the
settings in the following table for Windows Firewall or any other intervening firewalls.
To successfully use client push to install the Configuration Manager client, you must add the following
exceptions to the Windows Firewall:
• File and Printer Sharing
• Windows Management Instrumentation (WMI)
The client push-installation method uses the ports that the following table lists. Additionally, the method
uses ICMP echo request messages (the PING protocol) from the site server to the client computer to
confirm whether the client computer is available on the network.
| Description | UDP | TCP |
| --- | --- | --- |
| HTTP from the client computer to a fallback status point. | Not applicable | 80 |
| SMB between the site server and client computer. | Not applicable | 445 |
| RPC endpoint mapper between the site server and the client computer. | 135 | 135 |
| RPC dynamic ports between the site server and the client computer. | Not applicable | Dynamic |
| HTTP from the client computer to an intranet-only management point. | Not applicable | 80 |
| HTTPS from the client computer to an Internet-capable management point. | Not applicable | 443 |
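The following pre-flight check is an added example, not part of the course material. Run from the site server, it probes the ICMP, RPC endpoint mapper and SMB paths that client push depends on, and a second function, run on the client, reports whether the two required Windows Firewall exception groups are enabled. The function names and host names are hypothetical, and the firewall query assumes English display names and Windows 8 / Windows Server 2012 or later.

```powershell
# Added example (not from the course material).
# Test-TcpPort, Test-ClientPushPath and Get-ClientPushFirewallGroup are hypothetical helper names.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer inside the timeout usually means a firewall dropped the connection attempt.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws when the port actively refuses the connection
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-ClientPushPath {
    # Run on the site server: checks ICMP echo, the RPC endpoint mapper (135) and SMB (445).
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][string[]]$ComputerName
    )
    process {
        foreach ($name in $ComputerName) {
            $ping = [bool](Test-Connection -ComputerName $name -Count 1 -Quiet)
            $rpc  = Test-TcpPort -ComputerName $name -Port 135
            $smb  = Test-TcpPort -ComputerName $name -Port 445
            [pscustomobject]@{
                ComputerName = $name
                IcmpEcho     = $ping
                Tcp135Rpc    = $rpc
                Tcp445Smb    = $smb
                # RPC dynamic ports are negotiated per session and are not probed here.
                ReadyForPush = ($ping -and $rpc -and $smb)
            }
        }
    }
}

function Get-ClientPushFirewallGroup {
    # Run on the client: reports the state of the two exception groups client push requires.
    # Assumes the NetSecurity module and English display names.
    foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
                   Where-Object { $_.Direction -eq 'Inbound' })
        $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' })
        [pscustomobject]@{
            Group        = $group
            InboundRules = $rules.Count
            EnabledRules = $enabled.Count
        }
    }
}

# Constructed host names, for illustration only.
'LON-CL1.adatum.com', 'LON-CL2.adatum.com' | Test-ClientPushPath | Format-Table -AutoSize
```

A target that answers the ping but fails on 135 or 445 points to a missing firewall exception rather than an offline computer, which is the case the hourly retry described earlier will not resolve on its own.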
Installing Clients by Using Software Updates
If you use WSUS to deploy software updates
to client computers, you can use the same
procedures for deploying the Configuration
Manager client as if it were a software update.
You can use software update-based client
installation to install new clients or to upgrade
existing Configuration Manager clients to newer
versions.
One important advantage of using this method is
that it does not require administrative permissions
on target computers. With this method, you can
install the client on computers when a firewall
prevents you from using alternate automated methods, and you cannot configure the firewall exceptions
for alternate installation methods.
The following are some of the prerequisite configurations that you must perform before using the
software updates method:
• If a client system has a previous version of the Configuration Manager client installed and is using the software update point, you do not need to do additional configuration.
• If a client system does not have the Configuration Manager client installed, you must configure and assign a GPO in AD DS. This GPO specifies the WSUS server that you configure as a software update point from which the computer obtains software updates.
• The software update method uses the configuration information that is published in AD DS, if available. If no configuration information is published, you should create a GPO by using the ConfigMgrInstallation.adm template to provide client installation settings for your site’s computers.
Use the Software Update-Based Client Installation dialog box to publish the Configuration Manager
client-installation program (CCMSetup.exe) to a software update point as an additional software update.
To access the dialog box, navigate to the Administration workspace, expand Site Configuration, click Sites,
click a site in the results pane, on the ribbon in the Settings group click Client Installation Settings, and
then click Software-Update Based Client Installation.
When you use this installation method, the client is installed during the next software update cycle on the
target computers.
Firewall Settings for Software Update-Based Client Installation
Software Update-Based Client Installation can fail if the client is running a firewall that is blocking ports
that the installation process is using. To help ensure the success of the installation, configure Windows
Firewall or any intervening firewalls with the port settings listed in the following table.
| Processes used in client deployment | UDP | TCP |
| --- | --- | --- |
| HTTP from the client computer to a fallback status point. | Not applicable | 80 |
| HTTP from the client computer to the software update point. | Not applicable | 80 or 8530 |
| HTTPS from the client computer to the software update point. | Not applicable | 443 or 8531 |
Question: What are some of the benefits of using the software update-point installation method?
Demonstration: Installing Clients by Using Software Updates
In this demonstration, you will see how to:
• Configure a GPO to connect to a software update point.
• Publish the Configuration Manager client to a software update point.
Demonstration Steps
1. Create a GPO named CMClientInstall that is linked to the Adatum.com domain.
2. Configure the GPO to use http://lon-cas.adatum.com:8530 as the Windows update server.
3. Set up Software Update-Based Client Installation.
When you finish the demo, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CAS-C.
Installing Clients by Using Group Policy
You can use Group Policy to deploy the
Configuration Manager client when you want to
use an automated method for client installation,
but still want to control when the deployment
occurs. By using Group Policy, you can plan a
client roll out that mirrors your AD DS OU
structure. To use Group Policy for this purpose,
consider the following requirements:
• You can use the Group Policy installation method only for systems that are members of the Active Directory domain.
• You must use the CCMSetup.msi file that the <Configuration Manager installation directory>\bin\I386 folder on the site server provides. You cannot modify the command line that you use to launch the CCMSetup.msi. To supply installation properties, you must use other methods, such as using the ConfigMgrInstallation.adm Group Policy template or publishing properties to AD DS with the Client Push Installation Properties on the Installation Properties tab.
• You should extend the AD DS schema to support Configuration Manager and ensure that the site is publishing to AD DS. This ensures that all Group Policy-based clients find installation properties that the client push-installation properties publish in AD DS when you install the Configuration Manager client. Additionally, if you later change settings, such as ports, clients update when they perform AD DS lookups for Configuration Manager systems.
There are two Group Policy administrative templates on the Configuration Manager installation media
located in TOOLS\ConfigMgrADMTemplates: ConfigMgrInstallation.adm and ConfigMgrAssignment.adm.
The ConfigMgrInstallation.adm template provides installation properties to client computers, including
the site code needed for site assignment.
Group Policy provides the following option for deploying software to network clients:
• Assign. You can assign the CCMSetup.msi file, which means that the Configuration Manager client installs when you start the computer after the policy has been applied.
Firewall Settings for Group Policy Client Installation
Group Policy installation can fail if the client is running a firewall that is blocking the ports that the
installation process is using. To help ensure the success of the installation, you should configure the
following settings for Windows Firewall or any intervening firewalls.
To use Group Policy to install the Configuration Manager client, you must add the File and
Printer Sharing exception to Windows Firewall.
Group Policy installation uses the ports that the following table lists.
| Description | UDP | TCP |
| --- | --- | --- |
| HTTP from the client computer to a fallback status point. | Not applicable | 80 |
| HTTP from the client computer to an intranet-only management point. | Not applicable | 80 |
| HTTPS from the client computer to an Internet-capable management point. | Not applicable | 443 |
| SMB between the source server and client computer if you specify an alternate source server with CCMSetup using /source:<Path>. | Not applicable | 445 |
Question: Why would you want to assign the Configuration Manager client to a computer through a
GPO?
Question: When do you need to provision the client installation properties in AD DS by using Group
Policy?
Additional Client-Installation Methods
Configuration Manager supports several
additional installation methods that you can
use to deploy the Configuration Manager client
components. The following sections discuss
considerations for each of these additional
methods.
Manual or Logon Script-Based
Installations
Even though the manual installation method
has the most administrative overhead of all
methods, it is useful for troubleshooting. To
use this method, the logged-on user must have
administrative rights to the client computer. If the user running CCMSetup.exe does not have
administrative privileges, the installation does not start.
CCMSetup.exe is in the <Configuration Manager installation location>\Client folder on the site server, which
is also shared as \\<site server name>\SMS_<site code>\Client.
You can specify command-line properties for both CCMSetup.exe and Client.msi to modify this client
installation’s behavior. Consider the following command-line example:
CCMSetup.exe /mp:MP01.ADATUM.COM SMSSITECODE=AUTO FSP=FP01.ADATUM.COM
In the previous example, the client installation uses the properties in the following table.
| Property | Description |
| --- | --- |
| /mp:MP01.ADATUM.COM | Specifies the management point, MP01, from which to download the necessary client installation files. |
| SMSSITECODE=AUTO | Specifies that the client should use AD DS or the management point to determine the Configuration Manager site code to use. |
| FSP=FP01.ADATUM.COM | Specifies that the fallback status point named FP01 receives state messages sent from the client computer related to client deployment, and is the daily management point check. |
Note: For a full list of properties that you can use with CCMSetup.exe, refer to “About
Configuration Manager Client Installation Properties” at http://go.microsoft.com/fwlink/?LinkID=247706.
The logon script-based installation method is a manual method that uses the /logon command-line
switch and that launches from a script. When you specify the /logon installation property for
CCMSetup.exe, client installation does not occur if any version of the client already exists on the
computer. This prevents the client’s reinstallation each time the logon script runs.
Logon script installation uses the same methods as manual client installation. Therefore, you can use the
same command-line switches for logon script-based installations. It also means that the user running the
logon script requires administrative rights. For example, you could modify the preceding command-line
example as shown in the following example to use it in a logon script:
CCMSetup.exe /mp:MP01.ADATUM.COM /logon SMSSITECODE=AUTO FSP=FP01.ADATUM.COM
When CCMSetup.exe runs, it copies all necessary installation prerequisites to the client computer, and calls
the Windows Installer package (Client.msi) to perform the client installation. You cannot perform the
installation by directly invoking the Client.msi installation file.
Software Deployment-Based Installations
You cannot upgrade Configuration Manager 2007 clients to Configuration Manager by using
Application Management. Instead, you must uninstall the Configuration Manager 2007 client, and install
the Configuration Manager client by using one of the other client-deployment methods. You can create
a package in Configuration Manager 2007 to uninstall the Configuration Manager 2007 client, and then
start a Configuration Manager client installation.
Operating-System Deployment
As part of an operating-system deployment task sequence, the Configuration Manager client installs.
Including the Configuration Manager Client in System Images
You can preinstall the Configuration Manager client software on a reference computer image and then
deploy that image throughout your network environment.
To prepare the reference computer for imaging, complete the following steps:
1. Manually install the Configuration Manager client software on the reference system computer in an isolated network segment, so that automatic site assignment does not occur. Do not specify the client’s site code in the CCMSetup.exe command-line properties.
2. Ensure that the SMS Agent Host service (CCMExec.exe) is not running on the reference computer, by typing net stop ccmexec at a command prompt and then pressing Enter.
3. Remove any certificates that the reference computer is storing.
4. If you plan to install the clients in a Configuration Manager hierarchy different from the master image computer, remove the Trusted Root Key from the master image computer.
5. Run sysprep.exe on the reference computer, and use your imaging software to capture the reference system computer’s image.
6. Deploy the image to target computers.
Note: Failure to follow this procedure results in duplicate Configuration Manager unique
IDs on clients and, thus, clients missing from the Configuration Manager database.
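The following check for steps 2 and 3 is an added example, not part of the course material. Run in an elevated session on the reference computer before sysprep, it reports a running SMS Agent Host service and any leftover certificates. The function name is hypothetical, and the script assumes the client keeps its self-signed certificates in the local computer's SMS certificate store and that PKI client certificates sit in the Personal store.

```powershell
# Added example (not from the course material).
# Test-ReferenceImageReadiness is a hypothetical helper name.
# Assumption: the client's self-signed certificates are in Cert:\LocalMachine\SMS.

function Test-ReferenceImageReadiness {
    $findings = @()

    # Step 2: the SMS Agent Host service must be stopped before the image is captured.
    $service = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    if (-not $service) {
        $findings += 'CcmExec service not found: the client is not installed on this computer.'
    }
    elseif ($service.Status -ne 'Stopped') {
        $findings += "SMS Agent Host is $($service.Status); run 'net stop ccmexec'."
    }

    # Step 3: certificates left in the image are cloned to every computer deployed from it.
    if (Test-Path -Path Cert:\LocalMachine\SMS) {
        foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\SMS) {
            $findings += "Certificate still in SMS store: $($cert.Thumbprint) ($($cert.Subject))"
        }
    }

    # PKI client-authentication certificates in the Personal store are per-computer identities too.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
            $findings += "Client authentication certificate in Personal store: $($cert.Thumbprint)"
        }
    }

    [pscustomobject]@{
        ReadyForSysprep = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

$result = Test-ReferenceImageReadiness
$result.Findings
if (-not $result.ReadyForSysprep) {
    Write-Warning 'Resolve the findings above before running sysprep.exe.'
}
```

The script only reports; it does not delete certificates or stop the service, so the removal itself stays a deliberate manual step.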
Question: How would you install the Configuration Manager client on computers for remote workers?
Discussion: Planning Client Deployment
When planning client deployment in your
organization, you can choose between all of the
deployment methods. You do not need to use a
single deployment method for all of your clients.
Therefore, you should evaluate each situation, and
then determine the best deployment method to
use.
Considering your environment, discuss the
following questions with the class:
Question: Do you have potential clients in remote
locations? If so, how would you deploy these
clients?
Question: Do you have workers who infrequently visit an office? If so, how would you deploy clients to
their systems?
Question: Are you going to deploy clients to the servers in your data center? If yes, what method will you
use?
Question: Are there systems on which you do not want to install the client?
Lab: Implementing Configuration Manager Client Deployment
Scenario
You are the network administrator for A. Datum Corporation. A. Datum has deployed Configuration
Manager in a complex hierarchy. There is a central administration site, two primary sites, and a secondary
site. You need to configure discovery methods and install the Configuration Manager clients by using
various installation methods.
Objectives
In this lab, you will:
1. Configure Active Directory resource discovery methods.
2. Use client push to install the Configuration Manager client.
3. Use Group Policy to install the Configuration Manager client.
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 10748C-LON-DC1-C, 10748C-LON-CAS-C, 10748C-LON-CFG-C
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Adatum
5. Repeat steps 2 through 4 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Exercise 1: Configuring Active Directory Discovery Methods
Scenario
In this exercise, you use the Configuration Manager console to configure Active Directory System
Discovery, Active Directory User Discovery, and Active Directory Group Discovery.
The main tasks for this exercise are as follows:
1. Configure Active Directory System Discovery.
2. Configure Active Directory User Discovery.
3. Configure Active Directory Group Discovery.
4. Verify that the discovered computers appear in the All Systems collection and are assigned to the site correctly.
Task 1: Configure Active Directory System Discovery
1. On LON-CFG, open the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods.
3. In the results pane, access the properties for Active Directory System Discovery. In the Active Directory System Discovery Properties dialog box, use the following settings to configure System Discovery, and then click OK:
   o At the General tab, click Enable Active Directory System Discovery, and then click New.
   o In the Active Directory Container dialog box, browse to and click the Adatum domain, and then close the dialog box.
   o At the Polling Schedule tab, review the settings.
   o At the Active Directory Attributes tab, review the settings.
   o At the Options tab, review the settings.
Task 2: Configure Active Directory User Discovery
• In the results pane, access the properties for Active Directory User Discovery. In the Active Directory User Discovery Properties dialog box, use the following settings to configure User Discovery:
   o At the General tab, click Enable Active Directory User Discovery, and then click New.
   o In the Active Directory Container dialog box, browse to and click the Adatum domain, and then close the dialog box.
   o At the Polling Schedule tab, review the settings.
   o At the Active Directory Attributes tab, review the settings.
Task 3: Configure Active Directory Group Discovery
• In the results pane, access the properties for Active Directory Group Discovery. In the Active Directory Group Discovery Properties dialog box, use the following settings to configure Group Discovery:
   o At the General tab, click Enable Active Directory Group Discovery, click Add, and then click Location.
   o In the Add Active Directory Location dialog box, in the Name box, type Adatum domain, and then browse to and click the Adatum domain. Close the dialog box.
   o At the Polling Schedule tab, review the settings.
   o At the Options tab, review the settings.
Task 4: Verify that the discovered computers appear in the All Systems collection and are assigned to the site correctly
1. In the Configuration Manager console, click the Assets and Compliance workspace, and then click the Device Collections node.
2. Click the All Systems collection, and then on the ribbon, click the Show Members button.
3. A new node called All Systems appears in the navigation pane, under the Devices node. In the results pane, observe the systems that are members of the All Systems collection and their assigned site. In the Site Code column, you should see S01 for most systems.
Results: At the end of this exercise, you should have configured the Active Directory discovery methods.
Exercise 2: Using Client Push to Install the Configuration Manager Client
Scenario
You need to use the Configuration Manager console to configure the client push installation method, and
install the client on systems by using client push.
The main tasks for this exercise are as follows:
1. Create a client push installation account.
2. Configure the client push installation method.
3. Install the client by using client push.
4. Verify the client installation.
Task 1: Create a client push installation account
1. On LON-DC1, start the Active Directory Users and Computers console.
2. In the Active Directory Users and Computers console, in the Users container, create a new user account with the following settings:
   o In the First name and User logon name text boxes, type ConfigMgrClientPush.
   o In the Password and Confirm password text boxes, type Pa$$w0rd.
   o Clear the User must change password at next logon box.
   o Select the User cannot change password and Password never expires check boxes.
3. In the Active Directory Users and Computers console, access the Properties of the ConfigMgrClientPush user account, and then add the user to the Domain Admins group.
4. Close the Active Directory Users and Computers console.
Task 2: Configure the client push installation method
1. On LON-CFG, in the Configuration Manager console, in the Administration workspace, expand Site Configuration, and then click the Sites node.
2. Right-click S01 – Adatum Site, click Client Installation Settings, and then click Client Push Installation.
3. In the Client Push Installation Properties dialog box, use the following settings to configure the client push installation method:
   o At the Accounts tab, click the New button, and then click New Account.
   o In the Windows User Account dialog box, click the Browse button.
   o In the Select User dialog box, type ConfigMgrClientPush, click the Check Names button, and then close the dialog box.
   o In the Windows User Account dialog box, in both the Password and Confirm password boxes, type Pa$$w0rd and then click Verify. The Windows User Account dialog box expands.
   o In the Windows User Account dialog box, in the Network Share box, type \\LON-DC1\C$, and then click Test connection. Close the dialog box.
   o In the Client Push Installation Properties dialog box, at the Installation Properties tab, in the Installation properties box, after the text SMSSITECODE=S01 type a space, and then type FSP=LON-CFG.adatum.com.
Note: The entire line should read SMSSITECODE=S01 FSP=LON-CFG.adatum.com.
Task 3: Install the client by using client push
1. On LON-CFG, in the Configuration Manager console, in the Assets and Compliance workspace, under Device Collections, click the All Systems node.
2. In the results pane, right-click LON-CFG, and then click Install Client.
3. The Install Configuration Manager Client Wizard starts. Use the following settings to install the client on LON-CFG:
   o On the Installation Options page, check the Install the client software from a specified site box, and then verify that S01 – Adatum Site appears in the Site list.
   o Complete the wizard by using the default settings.
4. In the results pane, right-click LON-DC1, and then click Install Client.
5. The Install Configuration Manager Client Wizard starts. Use the following settings to install the client on LON-DC1:
   o On the Installation Options page, check the Allow the client software to be installed on domain controllers box.
   o Complete the wizard by using the default settings.
Task 4: Verify the client installation
1. Switch to LON-DC1.
2. In Control Panel, start Configuration Manager.
3. In the Configuration Manager Properties dialog box:
   o On the General tab, review the information.
   o On the Components tab, verify the status of the agents: some of the agents should have the Status of Installed.
   o On the Actions tab, in the Actions list, click Machine Policy Retrieval & Evaluation Cycle, and then click Run Now. This initiates the connection of the Configuration Manager client to the management point.
Note: When the Configuration Manager client is running inside a virtual machine, it uses
randomization for the initial time interval of connection to the management point. Manually
running the Machine Policy Retrieval & Evaluation Cycle helps ensure that all components are
updated, as necessary.
Results: At the end of this exercise, you should have started the installation of the Configuration Manager
client by using the client push installation method.
Exercise 3: Using Group Policy to Install the Configuration Manager Client
Scenario
You have client computers in a remote office that you want to install automatically. To help ensure that
the Configuration Manager client installs on the computers as they come online, you have decided to use
Group Policy to deploy the Configuration Manager client. However, you need to do some additional
configuration to support the remote office.
The main tasks for this exercise are as follows:
1. Import the configmgrinstallation.adm file.
2. Configure client-installation properties within a GPO.
3. Import CCMSetup.msi, and then deploy the Configuration Manager client by using Group Policy.
4. Verify client installation.
5. Prepare for the next module.
Task 1: Import the configmgrinstallation.adm file
1. From LON-DC1, create a new Group Policy Object (GPO) in the Group Policy Management console, named SCCM Client Install, which is linked to the Adatum.com domain.
2. Import the configmgrinstallation.adm template to the GPO.
Task 2: Configure client-installation properties within a GPO
• Configure the Configure Configuration Manager 2012 Client Deployment Settings GPO as follows:
   o State: Enabled
   o CCMSetup options: SMSSITECODE=S01 FSP=LON-CFG.adatum.com
Task 3: Import CCMSetup.msi, and then deploy the Configuration Manager client by using Group Policy
1. Create a share on LON-DC1 with the following settings:
   o Folder: C:\SCCMClient
   o Share: SCCMClient
   o Permissions: Read for everyone
2. Copy the ccmsetup.msi file from LON-CFG to the SCCMClient share on LON-DC1.
3. Create a new software installation package in the SCCM Client Install GPO with the following settings:
   o MSI file: \\LON-DC1\SCCMClient\ccmsetup.msi
   o Deployment type: assigned
4. In Hyper-V® Manager, start the 10748C-LON-SVR1-C virtual machine.
Task 4: Verify client installation
1. Sign in to LON-SVR1 by using the following credentials:
   o Username: ADATUM\Administrator
   o Password: Pa$$w0rd
2. Verify that ccmsetup.msi or ccmsetup.exe is running.
Task 5: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for the following virtual machines:
   o 10748C-LON-CAS-C
   o 10748C-LON-CFG-C
   o 10748C-LON-SVR1-C
Results: At the end of this exercise, you should have installed the Configuration Manager client by using a
GPO.
Question: How do you discover computers?
Question: What are the prerequisites for installing clients by using client push?
Question: How do you validate a client installation?
Lesson 4
Managing Configuration Manager Clients
After installing the Configuration Manager client, you can begin managing the computer systems in the
site. You can perform several tasks for the client systems from within the Configuration Manager console.
Additionally, you can configure the client settings to control how the client behaves, both by default and
by collection.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the available client-management tasks.
• Explain how to configure client settings.
• Reassign clients.
• Use certificate profiles.
Managing Clients
When Configuration Manager discovers a
system, it displays in the Assets and Compliance
workspace in the Devices node. You can also add
the systems to collections. The All Systems and
All Desktop and Server Clients collections in the
Device Collections node populate automatically.
No significant client management can take place
until after you install the Configuration Manager
client. When you select a device or collection
that contains devices with the Configuration
Manager client installed, you can select various
management operations. Additionally, there are
management tasks that involve other workspaces in the console, such as client settings, which the next
topic discusses. Additionally, there are some tasks that do not use the Configuration Manager console.
Managing Clients from the Assets and Compliance Workspace
You perform management tasks for individual clients in the Devices node. From the Devices node, you
can perform the following actions, per client:
• Add a device to a collection.
• Install a client on a device.
• Start Resource Explorer for the device.
• Start Remote Control, Remote Assistance, or Remote Desktop for the device.
• Approve the device for management.
• Block the device from management.
• Unblock the device for management.
• Perform out-of-band management.
• Perform a malware scan on the device.
• Edit primary users for the device.
• View device discovery data.
• Delete the device from Configuration Manager.
• Wipe mobile devices.
Managing Clients from the Device Collections Node
At the collection level, you can perform many of the client-management tasks that you can perform on
a single device. This has the advantage of automatically applying the management task to all eligible
devices in the collection. Although this can be a convenient method to manage multiple clients at once,
it can also generate increased network packets. This increases central processing unit (CPU) usage on the
site server. Additionally, you can perform some tasks only against collections.
Before you perform collection-level client management tasks, consider how many devices are in the
collection, whether they are connected by low-bandwidth network connections, and how long the task
will take to complete for all the devices. When you perform a client management task, you cannot stop it
from the console.
Management tasks for collections are performed in the Device Collections node. From the Device
Collections node, you can perform the following actions, per collection:
• View collection members.
• Add collection members to other collections.
• Install the client.
• Manage affinity requests.
• Manage out-of-band features.
• Perform malware scans on devices.
• Export a collection definition.
• Copy a collection.
• Simulate a deployment.
• Deploy applications.
• Move a collection.
• Change collection properties.
Additional Tasks for Managing the Client
You can perform additional client-management actions. These management actions include:
• Change the client cache configuration. An administrator can do this from the Configuration Manager properties on the client itself.
• Uninstall the client. You can do this from the client or from the console.
• Manage conflicting records. This typically occurs automatically. However, if Configuration Manager cannot resolve the conflict, it uses a hierarchy setting that either merges the records automatically when it detects duplicate hardware IDs (the default setting) or allows you to decide when to merge, block, or create new client records. If you decide to manually manage duplicate records, you must manually resolve the conflicting records by using the Configuration Manager console.
• Initiate a policy retrieval cycle. You can do this from the client or from the console.
Configuring Client Settings
You can manage Configuration Manager client
settings in the Configuration Manager console,
in the Administration workspace from the Client
Settings node. When you install Configuration
Manager, a default client settings object is
created. You can modify the default client
settings. However, you cannot delete them,
because these settings are applied to all clients
in the hierarchy. You also can configure custom
client settings that override the default client
settings when you assign them to collections.
You can create multiple custom client settings
that are applied, in order, based on the priorities assigned to the client settings. The default client settings
have a priority of 10,000 and are always applied first. Custom policies have priorities beginning at one and
increasing incrementally as they are created. You can change the priority of custom settings to change the
order in which they are applied. When multiple custom settings adjust the same setting value, the last
value applied is the effective value.
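The precedence rule above can be worked through for a device that belongs to two collections with conflicting custom settings. This is an added example, not code from the course or from Configuration Manager: the setting names, collection names and objects are constructed, and it assumes the application order runs from the highest priority number (the default, 10,000) down to 1, so the custom object with priority 1 is applied last.

```powershell
# Added example (not from the course): resolve the effective client settings
# for one device. All objects below are constructed sample data.
function Resolve-EffectiveClientSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $ClientSettings,
        # Collections the device is a member of.
        [string[]] $MemberOf = @()
    )

    # The default object applies to every client; a custom object applies only
    # when it is deployed to a collection that contains the device.
    $applicable = $ClientSettings | Where-Object {
        $cs = $_
        $cs.IsDefault -or
            (@($cs.Collections | Where-Object { $MemberOf -contains $_ }).Count -gt 0)
    }

    # Apply in order: 10,000 first, then descending to 1. A later object
    # overwrites any value it also defines, so the last one applied wins.
    $effective = [ordered]@{}
    foreach ($cs in ($applicable | Sort-Object -Property Priority -Descending)) {
        foreach ($name in $cs.Settings.Keys) {
            $effective[$name] = [pscustomobject]@{
                Setting  = $name
                Value    = $cs.Settings[$name]
                Source   = $cs.Name
                Priority = $cs.Priority
            }
        }
    }
    $effective.Values
}

# Constructed sample data; the setting names are hypothetical labels.
$constructed = @(
    [pscustomobject]@{
        Name = 'Default Client Settings'; Priority = 10000; IsDefault = $true
        Collections = @()
        Settings = @{ PolicyPollingMinutes = 60; RemoteToolsEnabled = $false; HardwareInventoryDays = 7 }
    }
    [pscustomobject]@{
        Name = 'Helpdesk Remote Tools'; Priority = 2; IsDefault = $false
        Collections = @('All Workstations')
        Settings = @{ RemoteToolsEnabled = $true }
    }
    [pscustomobject]@{
        Name = 'Server Settings'; Priority = 1; IsDefault = $false
        Collections = @('All Servers')
        Settings = @{ PolicyPollingMinutes = 15; RemoteToolsEnabled = $false }
    }
)

# A device that is in both collections receives both custom objects.
Resolve-EffectiveClientSetting -ClientSettings $constructed `
        -MemberOf 'All Workstations', 'All Servers' |
    Format-Table Setting, Value, Source, Priority -AutoSize
```

The Source column shows which settings object supplied each effective value, which is the quickest way to see why a device ended up with, for example, remote tools enabled or disabled.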
Many of the client settings are self-explanatory. Refer to the following tables for more information about
the client settings.
Client Settings for Devices
The Administration workspace groups client settings by feature, which include:
• Background Intelligent Transfer. You can specify whether to use BITS and schedule times for throttling.
• Client Policy. You can specify the schedule for retrieving policies.
• Compliance Settings. Allows you to enable compliance settings for clients, and schedule evaluation.
• Computer Agent. Allows you to configure general client settings, such as notification for application deployments, and Windows PowerShell® execution policy.
• Computer Restart. Allows you to configure user notifications to be displayed when the device is about to be restarted by Configuration Manager.
• Endpoint Protection. Allows you to manage Endpoint Protection settings.
• Hardware Inventory. Allows you to configure hardware inventory settings.
• Network Access Protection. Allows you to manage NAP settings from Configuration Manager.
• Power Management. Allows you to configure Power Management profiles for client devices.
• Remote Tools. Allows you to configure remote tools, remote assistance, and remote-desktop settings.
• Software Deployment. Allows you to schedule reevaluation for deployments.
• Software Inventory. Allows you to configure software-inventory frequency and other settings.
• Software Metering. Allows you to configure software-metering scheduling.
• Software Updates. Allows you to schedule update cycles, and other update settings.
• State Messaging. Allows you to configure the frequency for sending status messages to the server.
• User and Device Affinity. Allows you to configure whether users can change their affinity settings.
Question: How do you configure classes so that the hardware inventory collects them?
Client Reassignment
Configuration Manager clients are always
assigned to a primary site. However, a
Configuration Manager hierarchy can consist of
several primary sites. Usually, a primary site links
to a physical location or to a collection of physical
locations. For example, a company may have
operations in several countries in North America,
Europe, and South America. In its System Center
2012 Configuration Manager hierarchy, it may
create an individual primary site for each country.
In environments like this, you need to consider
what happens as computers move from one
physical location to another, and consequently, move from one primary site to another. There are two
ways to classify these moves: roaming or reassignment.
Roaming
After the Configuration Manager client installs, the client is assigned to a site. Even if the assignment
occurs automatically, based on boundaries, the actual assignment does not change after installation.
Therefore, even in a scenario where users travel with their laptops between locations, and connect from
different boundaries that belong to different primary sites, the computers remain assigned to their
original site.
Usually, when a client starts, it requests a list of management points for its site. This process repeats every
25 hours and any time the computer receives a new IP address. When a client receives an IP address that
is not within the boundary of its assigned site, the client is roaming. If the client detects that its IP address
is within the boundary of a secondary site, the client connects to the management point for the secondary
site. This enables it to avoid using a potentially slow connection to the primary site. However, if the client
is roaming to a different primary site or to a secondary site for another primary site, the client connects to
a management point for its assigned site to retrieve policies and upload data.
Client Reassignment
In larger organizations that have multiple primary sites, there are always clients that roam from one site
to another. However, sometimes a client actually is moving permanently from one physical location to
another. In this scenario, you should reassign the client to the new site. There are three ways to reassign a
client: reinstall the client, manually reassign the client, and use a GPO.
Reinstall the client
You can use a client push install at any time to reinstall the client on a computer that moves from one site
boundary to another. During client push, if the client resides within the boundary of a new site, and you
configure the client push to automatically assign a site, the client is assigned to the new site. The same
process works for manual installations, scripted installations, and installations where you manually specify
the actual site code. To use this process, you must be able to identify which computers need their site
reassigned.
Manually reassign the client
As the name suggests, in a manual reassignment, you must enter the new site for the computer by using
the Configuration Manager setting in Control Panel for the client. This process is best for re-assigning one
client, or a very small number of clients, because it does not require you to force an install. However, you
still need to identify the computers that need reassignment, because you need to connect to them locally.
Additionally, you must use a local administrator account on the computers to make the change. To
reassign a computer to a new site, follow this procedure:
1. Log on to the computer by using an account that has local administrator permissions.
2. Open the Configuration Manager settings in Control Panel.
3. Click the Site tab, and then click Configure Settings.
4. Reassign the client by doing the following:
   a. Type the site code in the Currently assigned to site code box.
   b. Click Find Site to automatically assign the client by using boundaries.
5. Click OK.
Use a GPO
You can also reassign clients to a site by using a GPO. Microsoft provides an administrative template
named configmgrassignment.adm, which you can use to assign clients to a site. Be aware that if you
choose this option, all computers that have the GPO applied to them will be reassigned to the site that
the GPO specifies. To assign a client by using a GPO, follow this procedure:
1. Create a new GPO.
2. Import the configmgrassignment.adm template to the GPO.
3. Configure the Configure Configuration Manager 2012 Site Assignment setting, as follows:
   a. Click Enabled to enable the setting.
   b. In the Assigned Site textbox, type the site code that you want to assign the clients to.
   c. In the Site Assignment Retry Interval (Mins) numeric textbox, specify how frequently the client will start a reassignment process.
   d. In the Site Assignment Retry Duration (Hours) numeric box, type how long the client will keep trying to reassign itself before failing.
4. Link the GPO to the domain or OU that contains the computer accounts for the systems that you want to reassign.
The main advantage of this process is that you do not need to identify each individual computer that
you need to reassign. This also reassigns computers for which the computer account has moved from
one OU or site to another due to physical relocation. However, if you are linking the OU to sites, you may
incorrectly reassign computers that are simply roaming.
Securing Clients by Using Certificate Profiles
The assignment of certificate profiles is a new
feature in System Center 2012 R2 Configuration
Manager. Certificates can be issued automatically
to clients that Configuration Manager manages in
the following scenarios:
• User and device certificates that support Wi-Fi and VPN connections.
• Root certification authority (CA) and intermediate CA certificates that are used to create a chain of trust for server authentication.
To provide certificates for managed clients, you must install a certificate registration point, and you must
install the Configuration Manager Policy Module on a server running Windows Server 2012 R2 with the
Active Directory Certificate Services and the Network Device Enrollment service roles installed.
Supported Clients
Configuration Manager supports the deployment of certificates to devices that are running one of the
following operating systems:
• Windows RT 8.1
• Windows 8.1
• Android
• iOS
Types of Certificate Profiles
You can manage two types of certificate profiles in Configuration Manager:
• Simple Certificate Enrollment Protocol (SCEP) settings. This profile allows devices to request a certificate for a user or a device from a server that is running Windows Server 2012 R2 and the Network Device Enrollment Service by using SCEP. You can use user and device certificates for authentication on Wi-Fi networks and VPNs.
• Trusted CA certificate. You can use this certificate profile to deploy a trusted root CA or intermediate CA certificates to devices. You can use trusted root CA and intermediate CA certificates to establish a chain of trust for server authentication.
Configuring Certificate Profiles
To configure your Configuration Manager environment to use certificate profiles, perform the following
procedure:
1. Install the Network Device Enrollment Service (NDES) on a computer that is running Windows Server 2012 R2.
Note: For detailed information about how to install NDES, refer to “Network Device
Enrollment Service Guidance” at http://go.microsoft.com/fwlink/?LinkID=391461.
2. Modify the certificate template permissions for the certificates that you intend to enroll for by using certificate profiles, as follows:
   o Add Read permission to the accounts that run the Configuration Manager console.
   o Add Read and Enroll permission to the account that the NDES application pool uses.
Note: For detailed information about how to deploy certificate templates, refer to “Deploy
Client Computer Certificates” at http://go.microsoft.com/fwlink/?LinkID=391463.
3. Deploy a web server PKI certificate to the server that is running NDES.
Note: For detailed information about how to deploy a web server certificate
for the NDES server, refer to “Deploying the Client Certificate for Distribution Points” at
http://go.microsoft.com/fwlink/?LinkID=391467. The content targets Windows Server 2008
computers, but it works in the same manner for Windows Server 2012 R2.
4. Export the root CA certificate to a .cer file. You will need this file later when you configure the site system role for the certificate registration point.
5. On the NDES server, change the following registry values in the HKEY_LOCAL_MACHINE\CurrentControlSet\Services\HTTP\Parameters key:
   o MaxFieldLength. Use the maximum value for this parameter, which is 65534.
   o MaxRequestBytes. Use the maximum value for this parameter, which is 16777216.
6. On the NDES server, in Internet Information Services (IIS) Manager, configure the request-filtering settings for the /certsrv/mscep application by specifying the following values in the Edit Request Filtering Settings dialog box:
   o Maximum allowed content length (Bytes): 30000000
   o Maximum URL length (Bytes): 65534
   o Maximum query string (Bytes): 65534
Note: You need to restart IIS for these settings to take effect.
7. Install and configure the site system role for the certificate registration point in a server in the primary site or the central administration site. You need the URL for the NDES web application and the .cer file for the root CA that you exported earlier. The URL for the NDES application typically is https://computer/certsrv/mscep/mscep.dll.
8. Copy the PolicyModule.msi and PolicyModuleSetup.exe files from ConfigMgrInstallationMedia\SMSSETUP\POLICYMODULE\X64 to the NDES server, and then run PolicyModuleSetup.exe to install the System Center Policy Module. You need to specify the URL for the certificate registration point during the setup, which typically is https://serverh/CMCertificateRegistration, and the certificate that you deployed in step 3 above, along with the root CA certificate that you exported to a .cer file.
Note: For detailed information about how to set up certificate profiles, refer to
“Configuring Certificate Profiles in Configuration Manager” at http://go.microsoft.com/fwlink/?LinkID=391469.
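The limits set in steps 5 and 6 are easy to leave half-applied, so the following read-only audit compares the live values on the NDES server with the ones the procedure specifies. It is an added example and not part of the course material. It assumes the NDES application is hosted under the IIS site named Default Web Site, that the WebAdministration module is installed, and it writes the HTTP parameters key with its full path under HKLM:\SYSTEM; the function name is hypothetical.

```powershell
# Added example (not from the course): audit the HTTP.sys and IIS request
# limits from steps 5 and 6 on the NDES server. Read-only; run elevated.
Import-Module WebAdministration

function Test-NdesRequestLimit {
    [CmdletBinding()]
    param(
        # Assumption: NDES runs under the default IIS site name.
        [string]$SiteName = 'Default Web Site'
    )

    # Expected values exactly as given in steps 5 and 6.
    $expectedRegistry = [ordered]@{
        MaxFieldLength  = 65534
        MaxRequestBytes = 16777216
    }
    $expectedIis = [ordered]@{
        maxAllowedContentLength = 30000000   # Maximum allowed content length (Bytes)
        maxUrl                  = 65534      # Maximum URL length (Bytes)
        maxQueryString          = 65534      # Maximum query string (Bytes)
    }

    # Step 5: HTTP.sys parameters (full registry path, written out here).
    $httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    foreach ($name in $expectedRegistry.Keys) {
        $actual = (Get-ItemProperty -Path $httpKey -Name $name `
                      -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Source    = 'HTTP.sys registry'
            Setting   = $name
            Expected  = $expectedRegistry[$name]
            Actual    = $actual
            Compliant = ($actual -eq $expectedRegistry[$name])
        }
    }

    # Step 6: request filtering limits on the /certsrv/mscep application.
    $appPath = "IIS:\Sites\$SiteName\certsrv\mscep"
    $filter  = 'system.webServer/security/requestFiltering/requestLimits'
    foreach ($name in $expectedIis.Keys) {
        $prop = Get-WebConfigurationProperty -PSPath $appPath -Filter $filter `
                    -Name $name -ErrorAction SilentlyContinue
        # The cmdlet may return an attribute object or the bare value.
        $actual = if ($null -ne $prop.Value) { $prop.Value } else { $prop }
        [pscustomobject]@{
            Source    = 'IIS request filtering'
            Setting   = $name
            Expected  = $expectedIis[$name]
            Actual    = $actual
            Compliant = ($actual -eq $expectedIis[$name])
        }
    }
}

# Rows with Compliant = False still need the change (and the IIS restart).
Test-NdesRequestLimit | Format-Table -AutoSize
```

The two registry values are HTTP.sys parameters, so they raise the request size limits for every site on the server and not only for NDES.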
Creating and Deploying Certificate Profiles
After you configure a certificate registration point, you can create, deploy, and monitor Certificate Profiles.
Before you can create a SCEP profile, you need to configure at least one Trusted CA certificate profile. To
create a Trusted CA certificate profile, perform the following procedure:
1. From the Configuration Manager console, in the Assets and Compliance workspace, expand
Compliance Settings, expand Company Resource Access, and then click Certificate Profiles.
2. Right-click Certificate Profiles, and then click Create Certificate Profile.
3. In the Create Certificate Profile Wizard, on the General page, in the Name box, type a name for the
profile.
4. Click Trusted CA certificate, and then click Next.
5. On the Configure a trusted CA certificate page, click the Import button to locate the .cer file that
you created initially for the root CA or an intermediate CA, and then click OK.
6. Click the appropriate Destination store based on the type of certificate that you selected in step 5
above, and where the certificate should be stored (user certificate store, or computer certificate store),
and then click Next.
7. On the Supported Platforms page, click the type of devices that can use the profile, and then click
Next.
8. On the Summary page, click Finish, and then on the Completion page, click Close.
9. Right-click the certificate profile you just created, and then click Deploy.
10. In the Deploy Certificate Profile dialog box, click Browse, click the collection for deployment, and
then click OK.
11. Click Generate an alert to generate an alert if the certificate profile compliance is less than a given
percentage after a specified time.
12. Specify the schedule for the compliance setting, and then click OK.
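Steps 5 and 6 above depend on knowing whether the .cer file holds a root or an intermediate CA certificate, and whether it is still valid. The following PowerShell check is an added example, not part of the original course material; the function name Get-CaCertificateSummary and the in-memory sample certificate are constructed for illustration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example (not from the courseware): summarize a CA certificate file
# before importing it into a Trusted CA certificate profile.
# Get-CaCertificateSummary is a hypothetical helper name.
function Get-CaCertificateSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        [datetime]$Now = (Get-Date)
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [X509Certificate2]::new($fullPath)

    # Basic Constraints (OID 2.5.29.19) states whether the certificate may act as a CA.
    $basic = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' } | Select-Object -First 1
    $isCa = ($basic -is [X509BasicConstraintsExtension]) -and $basic.CertificateAuthority

    # A root CA certificate is self-issued: subject and issuer names are identical.
    $subjectDn = [Convert]::ToBase64String($cert.SubjectName.RawData)
    $issuerDn = [Convert]::ToBase64String($cert.IssuerName.RawData)
    $selfIssued = $subjectDn -ceq $issuerDn

    if (-not $isCa) { $kind = 'Not a CA certificate' }
    elseif ($selfIssued) { $kind = 'Root CA' }
    else { $kind = 'Intermediate CA' }

    # Collect findings that should stop the import until they are understood.
    $warnings = @()
    if ($Now -lt $cert.NotBefore) { $warnings += 'Not yet valid' }
    if ($Now -gt $cert.NotAfter) { $warnings += 'Expired' }
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt 2048) { $warnings += "RSA key is only $($rsa.KeySize) bits" }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Kind       = $kind
        Warnings   = $warnings
    }
}

# Constructed sample input: an in-memory self-signed CA certificate written to a
# temporary .cer file (needs .NET Framework 4.7.2 or later, or PowerShell 7).
$key = [RSA]::Create(2048)
$request = [CertificateRequest]::new('CN=Constructed Example Root CA', $key,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$request.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$utcNow = [DateTimeOffset]::UtcNow
$sample = $request.CreateSelfSigned($utcNow.AddDays(-1), $utcNow.AddYears(5))
$cerFile = Join-Path ([IO.Path]::GetTempPath()) 'constructed-root-ca.cer'
[IO.File]::WriteAllBytes($cerFile, $sample.Export([X509ContentType]::Cert))

Get-CaCertificateSummary -Path $cerFile
Remove-Item -LiteralPath $cerFile
```

Compare the reported thumbprint with the value published by the CA owner before importing the file, because every device that receives the profile will trust that certificate.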
Lesson 5
Monitoring Client Status in Configuration Manager
Client Health is a feature that Configuration Manager introduces. Administrators can use Client Health to
determine the overall health status of clients and to identify individual client issues, such as missing
prerequisites, WMI issues, and clients that are not functioning.
Client Health builds on the Client Status Reporting feature included in Configuration Manager 2007 by
offering client status monitoring and automatic remediation for client issues.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Client Health feature in Configuration Manager.
• Describe the Configuration Manager Health Evaluation Task.
• Monitor client activity.
• Use Client Check to monitor Configuration Manager clients.
• Use reports to monitor client status.
Overview of Client Status
In previous Configuration Manager versions,
assessing client health could present a challenge
to administrators. However, identifying and
remediating unhealthy clients is crucial to
ensuring the success of Configuration
Management operations. Thus, administrators
often need to answer the following questions:
• How many clients in my hierarchy are healthy?
• How many clients in my hierarchy are inactive because they have been powered off for an extended
period or because the Configuration Manager client is uninstalled?
• What is the primary cause of unhealthy clients in my hierarchy?
From the perspective of Configuration Manager, an active client is healthy when it connects to
management points to download policies and upload data, such as hardware and software inventory.
However, whether a client is active might not adequately explain its health. To get an accurate
determination of the client’s health, the client must perform several additional local checks.
If a client is inactive, it might be because it has been powered off for an extended period, or because
the Configuration Manager client is uninstalled or is not functioning. When the client is inactive, the site
systems cannot evaluate the client’s health status because the client is not connecting to the management
point. The only way to evaluate the client’s health is to perform validation checks directly on the client
computer to determine that:
• The necessary prerequisites and dependencies are present.
• The Configuration Manager client is installed correctly.
The Configuration Manager client runs a scheduled task to evaluate its client health status, and then sends
the evaluation results to the site’s management point as a state message. If the evaluation result has
changed since the most recent state message, the client sends the health status by using a state
message. By default, the task runs between midnight and 1:00 A.M.
Similar to the initial installation process, if the client fails to send its state message to a management
point, it then sends the state message to a fallback status point, if one exists in your hierarchy. If a fallback
status point is not installed in your hierarchy, the site server might not receive some evaluation results.
The site server summarizes the client health-evaluation results and activities, and then displays these in
the Configuration Manager console, in the Client Status folder located in the Monitoring workspace.
The following items are new or have changed for client status reporting (now Client Status) since
Configuration Manager 2007 Client Status Reporting:
• Client health and client activity information are integrated into the Configuration Manager console.
• Configuration Manager automatically remediates typical client problems that reporting detects.
• Configuration Manager does not use the Ping tool from Configuration Manager 2007 R2 Client Status
Reporting.
When you click the Client Status node, the results pane displays a dashboard that shows a summary of
the Client Activity and Client Check nodes. The information available is organized differently than in either
the Client Activity or Client Check nodes, because it displays results that are based on both monitors. The
following links are available in the Client Status dashboard:
• Active clients that passed client check or no results
• Active clients that failed client check
• Inactive clients that failed client check
• Inactive clients that passed client check or no results
• No Configuration Manager Client Installed
Additionally, there is a graph showing the Most Frequent Client Check Errors. If you click the links
available, a sticky node is created under the Devices node in the Assets and Compliance workspace,
and the console changes automatically to the newly created sticky node. Sticky nodes remain in the
Configuration Manager console until you manually remove them or until you close the console. For
example, when you click the Active clients that failed client check link, which denotes the clients that
failed the Client Health checks, this action creates a sticky node for these unhealthy clients and selects it
automatically.
Note: By default, client status information is updated once a day. You can modify this
interval in the Schedule Client Status Update dialog box or force summarization on demand.
Question: What are some of the causes of an unhealthy and active client?
Question: How does Client Status improve client monitoring compared with previous Configuration
Manager versions?
Overview of the Configuration Manager Health Evaluation Task
Client Status in the Configuration Manager
console receives its information from the Client
Health evaluation engine running on each client.
The Client Health evaluation engine is the
executable file CCMEval.exe. CCMEval.exe is
installed with the Configuration Manager client,
and it runs on computers. It is not part of the
mobile device client. When you install the
Configuration Manager client, the installation
process creates the scheduled task Configuration
Manager Health Evaluation. This task runs
CCMEval.exe between midnight and 01:00. The
results are reported as a state message to the clients’ management point or to a fallback status point, if
the management point is unavailable. You can run the Configuration Manager Health Evaluation process
on demand, as required, by running CCMEval.exe.
To view the client health rules that the Client Health evaluator engine is using, you can look in the
client location\ccmeval.xml file. However, you cannot make changes to this file.
If the computer is not running when the scheduled Configuration Manager Health Evaluation task is due
to run, the task runs automatically as soon as possible, such as when the operating system is loaded or is
brought out of sleep mode.
The following table lists the health evaluation rules and remediation actions.
Health check | Remediation
Verify WMI service exists | No automatic remediation
Verify/Remediate WMI service startup type | Set service startup to automatic
Verify/Remediate WMI service status | Start service
WMI Repository Integrity Test | Reinstall Client
Reset WMI Repository and Reinstall Client | No automatic remediation
Automatic remediation might not be desirable on all systems, such as for mission-critical servers where
the remediation activities might be disruptive. You can disable automatic remediation by installing the
Configuration Manager client with the client.msi property NotifyOnly=True or by changing the
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval\NotifyOnly registry value to True.
Question: Why would you disable automatic remediation on servers?
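To see how a given computer is configured before relying on automatic remediation, you can read the NotifyOnly value and the state of the Configuration Manager Health Evaluation task. The following PowerShell is an added example, not part of the original course material; the function names are hypothetical, and storing the value as the string True or False is an assumption based on how the text above writes it.

```powershell
# Added example (not from the courseware): report and set the NotifyOnly value
# that controls automatic remediation by CCMEval.exe. Function names are hypothetical.
$CcmEvalKey = 'HKLM:\Software\Microsoft\CCM\CcmEval'
$CcmEvalTask = 'Configuration Manager Health Evaluation'

function Get-CcmEvalRemediationState {
    [CmdletBinding()]
    param()

    # The key exists only where the Configuration Manager client is installed.
    $keyPresent = Test-Path -LiteralPath $CcmEvalKey
    $value = if ($keyPresent) { (Get-ItemProperty -LiteralPath $CcmEvalKey).NotifyOnly }
    $autoRemediation = if ($keyPresent) { "$value" -ne 'True' }

    # Get-ScheduledTask needs Windows 8 / Windows Server 2012 or later.
    $task = Get-ScheduledTask -TaskName $CcmEvalTask -ErrorAction SilentlyContinue
    $info = if ($task) { $task | Get-ScheduledTaskInfo }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        ClientKeyPresent     = $keyPresent
        NotifyOnly           = $value
        AutomaticRemediation = $autoRemediation
        EvaluationTaskFound  = [bool]$task
        LastEvaluationRun    = if ($info) { $info.LastRunTime }
    }
}

function Set-CcmEvalNotifyOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [bool]$NotifyOnly
    )

    if (-not (Test-Path -LiteralPath $CcmEvalKey)) {
        throw "Registry key $CcmEvalKey not found; is the Configuration Manager client installed?"
    }

    # Assumption: the value is stored as a string, and False restores remediation.
    $text = if ($NotifyOnly) { 'True' } else { 'False' }
    if ($PSCmdlet.ShouldProcess($CcmEvalKey, "Set NotifyOnly to $text")) {
        Set-ItemProperty -LiteralPath $CcmEvalKey -Name NotifyOnly -Value $text -Type String
    }
}

# Report the current state, then preview the change without writing anything.
$state = Get-CcmEvalRemediationState
$state
if ($state.ClientKeyPresent) {
    Set-CcmEvalNotifyOnly -NotifyOnly $true -WhatIf
}
```

Run it from an elevated session; remove -WhatIf only on the servers where remediation should be reported but not performed.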
Monitoring Client Activity
On the server side, the administrator can define
the frequency of client-server communications
that determine whether the client has an active or
inactive status.
You can configure the client communication
thresholds in the Client Status Settings Properties
dialog box. The following table lists the settings
and their default values.
Setting | Default value
Client policy requests during the following days | 7 days
Heartbeat Discovery during the following days | 7 days
Hardware inventory during the following days | 7 days
Software inventory during the following days | 7 days
Status messages during the following days | 7 days
Retain client status history for the following number of days | 31 days
You can use the Configuration Manager console to view interactions between the client and the
management system, which helps the administrator distinguish between unhealthy clients and clients that
are offline. Configuration Manager retrieves information from AD DS to identify the inactive clients based
on the LastLogonTimeStamp.
When you click the Client Activity node, the results pane divides into two sections that show information
based on the client activity monitors that you configure, including:
• Client activity for all devices. Displays a chart showing active computers, inactive computers, and
computers with no Configuration Manager client installed. Click a section of the pie chart to create a
sticky node that shows a list of computers with the status that you select. You can view activity detail
for each of the node’s clients to determine their displayed status.
• Client activity trend for all devices. Displays a graph showing client activity over a specified period.
You can configure the time period that you want to view from five to 90 days from the Client activity
period drop-down list.
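The activity thresholds in the table above and the client check result together decide which Client Status dashboard link a computer appears under. The following PowerShell is an added example, not part of the original course material; the property names and client records are constructed, and treating a client as active when any one activity falls inside its threshold is an assumption, because the text does not say how the five thresholds combine.

```powershell
# Added example (not from the courseware): sort clients into the Client Status
# dashboard categories. Property names and sample records are constructed.
$DefaultThresholdDays = [ordered]@{
    LastPolicyRequest     = 7   # Client policy requests
    LastHeartbeat         = 7   # Heartbeat Discovery
    LastHardwareInventory = 7   # Hardware inventory
    LastSoftwareInventory = 7   # Software inventory
    LastStatusMessage     = 7   # Status messages
}

function Get-ClientStatusBucket {
    param(
        [Parameter(Mandatory)]
        [psobject]$Client,
        [System.Collections.IDictionary]$ThresholdDays = $DefaultThresholdDays,
        [datetime]$Now = (Get-Date)
    )

    if (-not $Client.ClientInstalled) {
        return 'No Configuration Manager client installed'
    }

    # Assumption: one activity inside its threshold is enough to count as active.
    $active = $false
    foreach ($activity in $ThresholdDays.Keys) {
        $last = $Client.$activity
        if ($null -ne $last -and ($Now - [datetime]$last).TotalDays -le $ThresholdDays[$activity]) {
            $active = $true
            break
        }
    }

    # Activity and health are separate axes: an active client can still fail client check.
    $state = if ($active) { 'Active' } else { 'Inactive' }
    $result = if ($Client.ClientCheck -eq 'Failed') { 'failed client check' } else { 'passed client check or no results' }
    "$state clients that $result"
}

# Constructed sample records, evaluated against a fixed date so the result is repeatable.
$now = [datetime]'2014-03-15'
$clients = @(
    [pscustomobject]@{ Name = 'PC-001'; ClientInstalled = $true; ClientCheck = 'Passed'
        LastPolicyRequest = [datetime]'2014-03-14'; LastHeartbeat = [datetime]'2014-03-12' }
    [pscustomobject]@{ Name = 'PC-002'; ClientInstalled = $true; ClientCheck = 'Failed'
        LastPolicyRequest = [datetime]'2014-03-13'; LastHardwareInventory = [datetime]'2014-02-20' }
    [pscustomobject]@{ Name = 'LAP-003'; ClientInstalled = $true; ClientCheck = 'Failed'
        LastPolicyRequest = [datetime]'2014-02-01'; LastHeartbeat = [datetime]'2014-02-01' }
    [pscustomobject]@{ Name = 'LAP-004'; ClientInstalled = $true; ClientCheck = $null
        LastHeartbeat = [datetime]'2014-01-20' }
    [pscustomobject]@{ Name = 'SRV-005'; ClientInstalled = $false }
)

$clients |
    ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Bucket = Get-ClientStatusBucket -Client $_ -Now $now }
    } |
    Group-Object -Property Bucket |
    Select-Object Count, Name, @{ n = 'Clients'; e = { $_.Group.Name -join ', ' } }
```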
Using Client Check to Monitor Configuration Manager Clients
When you click the Client Check node, the results
pane becomes divided into the following two
separate sections that display information based
on the Configuration Manager Health Evaluation
task:
• Client check results for all devices displays a chart showing computers that passed client check,
computers that failed client check, computers that have not reported results, and computers with no
Configuration Manager client installed. Click a section of the pie chart to create a sticky node showing
a list of computers with the status you selected. You can click the Client Check Detail tab in the results
for individual systems to discover any remediation actions that Configuration Manager took.
• Client check trend for all active clients displays a graph showing client computers that passed client
check over a specified period. You can configure the time (from five to 90 days) that you want to view
from the Client activity period drop-down list.
Using Reports to View Client Status
In addition to the Client Check and Client
Activity information in the Configuration Manager
console, you also can use the Client Status reports.
After you install and configure a reporting services
point role, the Client Status reports become
available in the Client Status folder in the
Configuration Manager console or in the
“ConfigMgr_site code\Client Status” path in the
reporting website. The following table lists the
available reports.
Report | Description
Client Remediation Details | This report provides client remediation details for a given collection.
Client Remediation Summary | This report provides remediation summary information for a given collection.
Client Status History | This report provides a historical view of the overall client status in the environment.
Client Status Summary | This report provides administrators with the current percentages of healthy and active clients for a given Collection.
Client Time to Request Policy | This report shows the percentage of clients that have requested policy at least once in the last 30 days. Each day represents a percentage of the total clients that have requested policy since Day 1 in the cycle. This information is useful to help determine the time it takes to distribute a policy update to your client population. Client deployments or changes in client count can affect the accuracy of the report.
Clients with Failed Client Check Details | This report displays details about clients that failed client check for a specified collection.
Inactive Clients Details | This report provides a detailed list of inactive clients for a given Collection.
Question: Which reports can you use to view information about client status?
Module Review and Takeaways
Review Questions
Question: What discovery method can you use to create boundaries in Configuration
Manager, and how are the boundaries determined?
Question: In what situation would you need to provision client properties by using Group
Policy?
Question: In what situation would you need to configure DNS for locating site systems?
Question: What is the difference between an inactive client and an unhealthy client?
Module 7
Configuring Internet and Cloud-Based Client Management
Contents:
Module Overview
Lesson 1: Managing Remote Clients by Using System Center 2012 R2 Configuration Manager
Lesson 2: Managing Internet-Based Configuration Manager Clients
Lab A: Configuring PKI for Configuration Manager
Lesson 3: Configuring Cloud Services in System Center 2012 R2 Configuration Manager
Lab B: Configuring Windows Intune Integration with System Center 2012 R2 Configuration Manager
Module Review and Takeaways
Module Overview
In an increasing number of organizations, direct connections between workers’ computers and the
organizational network are becoming rare. Workers are either bringing their own devices (BYOD) or using
devices that the organization provides, such as laptop computers and tablets. They use these devices at
home, in coffee shops, or in other remote locations. The cloud management functionality of Microsoft®
System Center 2012 R2 Configuration Manager allows you to support and manage the increasing number
of clients that perform organizational tasks in locations far from organizational networks.
Objectives
After completing this module, students will be able to:
• Manage remote clients by using System Center 2012 R2 Configuration Manager.
• Manage Internet-based Configuration Manager clients.
• Configure cloud services in System Center 2012 R2 Configuration Manager.
Lesson 1
Managing Remote Clients by Using System Center 2012
R2 Configuration Manager
You can use System Center 2012 R2 Configuration Manager to manage clients that can connect to the
Internet from outside the organizational network. By using Configuration Manager, you can manage a
variety of remote clients, including those that make connections by using technologies such as a virtual
private network (VPN) or DirectAccess. You can also allow mobile devices and Internet-connected
computers to be managed by integrating Configuration Manager with a Windows Intune™ subscription.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the challenges in managing remote Configuration Manager clients.
• Describe the methods used to provide local area network (LAN) connections for remote clients.
• Describe how to support remote clients with Configuration Manager.
• Describe when to deploy the profile types.
• Describe how Windows Intune supports remote clients.
Challenges in Managing Remote Configuration Manager Clients
An increasing number of computers used
for organizational work reside outside the
organizational network permanently or for
extended periods. Workers use these computers
in their home offices, in hotel rooms, and in
coffee shops. As the nature of work changes,
people are working in locations outside of the
traditional business office. People may even
connect to the Internet while travelling by plane.
It is now practical to work online regardless of
location, but this poses new management
challenges.
This change in work habits presents challenges when you are trying to perform configuration
management tasks by using System Center 2012 R2 Configuration Manager. It is far simpler to manage
a desktop computer connected to a wired network in your organization’s office than it is to manage a
roaming laptop computer.
When managing remote clients, a Configuration Manager administrator faces these challenges:
• Heartbeat issues. You may find it difficult to determine whether a client is still active. When a client
connected to an internal network is not active for 60 days, it is considered no longer active. When a
remote client is not active for 60 days, that determination is harder to make.
• Software updates. You may find it difficult to determine if the client is up-to-date and has installed
the most recent software updates.
• Software deployment. It is challenging to deploy large applications and packages to clients that
connect infrequently. Therefore, remote clients may be running older software than other clients in
the organization.
• Inventory collection. You may find it difficult to determine whether hardware and software
configuration information is current. Remote clients may return data infrequently to the
Configuration Manager organization.
• Endpoint Protection. It is challenging to keep definitions up to date. Outdated definitions present a
security risk.
Methods Used to Provide LAN Connections for Remote Clients
One way you can manage Configuration
Manager clients on the Internet is to configure
them to be able to access your organization’s
internal network infrastructure through remote
access technologies. You can accomplish this by
using two methods: DirectAccess or VPN.
DirectAccess is a technology introduced with
Windows Server® 2008 R2 and Windows® 7,
available in editions of the Windows client
operating system that can be volume-licensed.
DirectAccess is a computer-authenticated remote
access solution that initiates an automatic remote
access connection to the internal organizational network when an Internet connection is detected.
DirectAccess requires that the client be a member of an Active Directory® Domain Services (AD DS)
domain.
Client computers running the Windows 7 and Windows 8 operating systems support the following VPN
protocols, which can be deployed on Windows Server 2012 R2, Windows Server 2012, and Windows
Server 2008 R2 remote access servers:
• Internet Key Exchange version 2 (IKEv2). This protocol supports VPN reconnect, which allows a
VPN connection to be reestablished automatically after a disruption that lasts up to eight hours.
Reconnections can also occur when Internet connections are switched, such as when a user switches
from connecting through a mobile broadband device to using a coffee shop’s free Wi-Fi.
• Layer Two Tunneling Protocol/Internet Protocol Security (L2TP/IPsec). L2TP/IPsec uses IPsec for
transport encryption. L2TP/IPsec requires a public key infrastructure (PKI) deployment.
• Point-to-Point Tunneling Protocol (PPTP). A large number of vendors support this older protocol, but
it is not as secure as newer protocols such as L2TP/IPsec.
• Secure Socket Tunneling Protocol (SSTP). This protocol tunnels the VPN connection over HTTPS. The
benefit of this technology is that while some public Internet connections block VPN protocols like
L2TP/IPsec and PPTP, they rarely block port 443 used by HTTPS, because this would also block secure
web browsing.
Windows-based clients may also use third-party VPN server solutions that support all or some of the
VPN protocols listed above. Users can initiate remote access connections by using a VPN even when their
computers are not members of an AD DS domain. A substantial disadvantage of VPN technologies is that
they require the user to initiate the VPN connection and perform authentication.
Supporting Remote Clients with Configuration Manager
Configuration Manager supports management of
clients through Internet-based client management
and Windows Intune. Administrators using
Internet-based client management have options
for supporting remote clients, but they must
publish certain site system roles through the
organizational firewall.
When Configuration Manager is integrated with
Windows Intune, you can manage clients running
mobile device operating systems. This integration
does not require the publication of site system
roles through the organizational firewall.
You can use a Windows Intune subscription to manage remote clients without integrating Windows
Intune with Configuration Manager. A managed client cannot contain both the Windows Intune agents
and the Configuration Manager client. If you manage some clients through Windows Intune and others
through Configuration Manager, you must use the different management interfaces associated with
each management platform. When Windows Intune is integrated with Configuration Manager, you can
perform mobile device management tasks by using either the Configuration Manager console or the
Configuration Manager Windows PowerShell® module. If you integrate your Windows Intune subscription
with Configuration Manager, computers under the Windows Intune subscription are still managed
through the Windows Intune management interfaces unless you retire them from Windows Intune and
then install the Configuration Manager client.
You can manage clients that are connected through DirectAccess connections as you would manage
clients connected to a branch office network. You can configure these clients to use cloud-based
distribution points.
Planning for the Deployment of Profiles
You can use System Center 2012 R2 Configuration
Manager to deploy four profile types to clients to
assist with networking, certificates, and remote
access. These profile types are the VPN, Wi-Fi,
remote connection, and certificate profiles.
VPN Profiles
You can use VPN profiles to deploy VPN
connection configuration information to System
Center 2012 R2 Configuration Manager clients
that are running Windows RT 8.1, Windows RT,
Windows 8.1, or Windows 8, or to Apple iPhone
and Apple iPad devices that are running iOS 5 and
iOS 6. You can use VPN profiles to deploy VPN connections that use the following connection types:
• Cisco AnyConnect
• Juniper Pulse
• F5 Edge Client
• Dell SonicWALL Mobile Connect
• Check Point Mobile VPN
• Microsoft Secure Socket Tunneling Protocol (SSTP)
• IKEv2
• PPTP
• L2TP
Wi-Fi Profiles
You can use Wi-Fi profiles to deploy wireless network settings to users so that the users can connect
automatically to preconfigured wireless networks. You can use Wi-Fi profiles with devices running the
following:
• Windows 8.1 (x86 and x64)
• Windows RT 8.1
• iOS 5
• iOS 6
• Android version 4
Remote Connection Profiles
You can use remote connection profiles to configure System Center 2012 R2 Configuration Manager
clients to allow users to make remote connections across the Internet to their work computers. For
example, you can use remote connection profiles to configure a collection of computers so that, when
users use their personal computers at home, they can establish a remote desktop connection to their work
computers. Through this connection, they can interact with files stored on those computers and access
resources, such as printers, that are configured to work with their work computers.
You can configure remote connection profiles to:
• Use a Remote Desktop Gateway server address. This is the address of the Remote Desktop Gateway
server that makes the connection. Remote clients can connect across the Internet only through a
Remote Desktop Gateway server.
• Allow users who are listed as primary users of a work computer to make remote connections to that
computer from remote hosts. Users can make connections to computers only if they are primary
users.
• Configure Windows Firewall with Advanced Security rules to allow connections when the computer
connects to a domain or private network.
Certificate Profiles
You can use certificate profiles to deploy certificates to System Center 2012 R2 Configuration Manager
clients for the purposes of authentication and authorization. You can configure automatic certificate
deployment to clients that are not members of the organization’s AD DS domain and therefore, cannot
participate in the Active Directory Certificate Services (AD CS) autoenrollment process. These clients could
be running the Windows RT 8.1, Windows 8.1, iOS, and Android operating systems. Certificate profiles support the
following capabilities:
• Certificate enrollment and renewal from enterprise or stand-alone certification authorities (CAs).
• Deployment of trusted CA certificates to compatible System Center 2012 R2 Configuration Manager
clients.
• Monitoring and reporting on installed certificates.
To use certificate profiles, you must deploy the certificate registration point on a site system server in the
central administration site or in a primary site. You cannot deploy this role in a secondary site. This role is
new in System Center 2012 R2 Configuration Manager.
Supporting Remote Clients with Windows Intune
Windows Intune provides an alternate method
of managing remote clients that do not often
connect to the organizational network by using
DirectAccess or a VPN. You can use Windows
Intune to manage clients separately or you can
integrate Windows Intune with Configuration
Manager.
Windows Intune supports managing clients that
run on the following operating systems:
• Windows 8 (x86, x64), Windows 7, Windows Vista®, Windows XP
• Windows RT
• Windows Phone® 8
• Apple iOS
• Android (requires Exchange ActiveSync®)
Windows Intune supports managing mobile devices directly or through Exchange ActiveSync. It also
supports direct management for mobile devices that are running Windows RT, Windows Phone 8, and
iOS.
To deploy applications directly to mobile devices that are running Windows RT, you must obtain
sideloading keys, and you must have a code-signing certificate to sign the applications. The device
running Windows RT or Windows Phone 8 must trust this code-signing certificate. Additionally, you can
use deep linking to deploy an application from the appropriate Windows App store directly to mobile
devices that are running the Windows RT or Windows Phone 8 mobile operating systems.
You can use Windows Intune to deploy applications to iOS devices by deep linking to the Apple store
or by sideloading apps, which means you are installing them by using direct access to the source files. To
deploy applications to iOS devices, you must obtain the appropriate mobile device management
certificates from Apple.
The following table details the mobile device–management tasks that you can perform when you
configure the Windows Intune connector for Configuration Manager.
Management task | Windows RT 8.1/Windows RT/Windows 8.1/Windows 8 | Windows Phone 8 | iOS | Android
Device life-cycle management | Yes | Yes | Yes | No
Compliance settings | Yes | Yes | Yes | No
Line-of-business app management | Yes | Yes | Yes | Yes
Deep-linked app deployment | Yes | Yes | Yes | Yes
Hardware inventory | Yes | Yes | Yes | No
Lesson 2
Managing Internet-Based Configuration Manager Clients
To be able to manage Internet-based clients, you need to configure site systems to support Internet-based
clients and publish those site systems through the firewall. You must configure these site systems
with certificates issued by a certification authority (CA) trusted by the clients. In addition, all Internet-based
clients must have computer certificates issued by the same certification authority. Data transmitted
between these computers and the site systems is encrypted by using Secure Sockets Layer (SSL).
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the site system roles involved in Internet-based client management.
• Describe how to configure certificates in Internet-based client management.
• Prepare certificates for Configuration Manager.
• Describe how to publish site system roles through a firewall.
Site System Roles Involved in Internet-Based Client Management
Internet-based client management utilizes the
following site system roles:
• Management point
• Distribution point
• Software update point
• Fallback status point
• Application Catalog website point
• Enrollment proxy point
In contrast with previous versions, System Center
2012 R2 Configuration Manager sites no longer rely on a single default management point. You can
install multiple management points in the same site and the client selects one automatically based on
network location and capability (HTTPS or HTTP).
You can configure some management points in a site to support HTTPS client connections and others
to support HTTP client connections. Using this approach, you can configure separate management points
for Internet-based client management. You must configure these management points to use certificates
from a PKI solution trusted by the clients and the servers. Additionally, your Internet-based Configuration
Manager clients need a valid PKI certificate from a PKI solution trusted by both the client and server for
authentication with the site systems.
The fallback status point always uses HTTP because this role provides an alternate method of
communication when clients cannot communicate with site system roles, even when SSL traffic might
fail for some reason.
All site systems must reside in an Active Directory domain; however, you can install site systems for
Internet-based client management in an untrusted forest. This scenario might be appropriate for a
perimeter network that requires high security.
When you plan to manage client computers over the Internet, you must decide whether to configure
them for management on the intranet and the Internet, or for Internet-only client management:
Note: You can configure the client management option only during the installation of a
client. If you change your mind later, you must reinstall the client.
• Client computers that you configure for Internet-only client management communicate with only
those site systems that are configured for client connections from the Internet. Mobile device clients
are configured automatically as Internet-only when they are configured to use an Internet-based
management point.
• Client computers that you configure for Internet-based and intranet client management can switch
automatically between the two when they detect a change of network. If these clients can find and
connect to a management point that is configured for client connections on the intranet, these clients
are managed as intranet clients that have full Configuration Manager management functionality. If
the clients cannot find or connect to a management point that is configured for client connections
on the intranet, they attempt to connect to an Internet-based management point. If this is successful,
these clients are then managed by the Internet-based site systems in their assigned site.
Not all client management functionality is available when using Internet-based client management.
Features that rely on AD DS, or features that are not appropriate for a public network (such as operating
system deployments), are not supported for Internet management. The following features are not
supported when clients are managed on the Internet:
•
Client deployment. For example, Client Push and software update–based client deployment. You must
use manual client installation to install the Configuration Manager client on these computers.
•
Auto-site assignment. Clients must be configured with an assigned site at installation. Clients try to
locate the site systems by using Domain Name System (DNS). The Internet fully qualified domain
name (FQDN) of site systems that support Internet-based client management must be registered as
host entries on public DNS servers. Clients select one of the Internet-based site systems, regardless of
bandwidth or physical location.
•
Network Access Protection (NAP). NAP relies on AD DS and cannot function on the Internet.
•
Wake On LAN wake-up packets.
•
Operating system deployments. You cannot perform these deployments on the Internet, but you
can perform task sequences that do not deploy an operating system, such as task sequences that run
scripts and maintenance tasks on clients.
•
The remote control feature. This feature is not available for Internet-based clients because these
computers cannot be located by using public DNS.
•
Out of band management by using Intel Active Management Technology (AMT).
•
Software deployments to users. You cannot deploy software to users unless the Internet-based
management point can authenticate the user in AD DS by using Windows authentication (Kerberos or
NTLM). This is possible when the Internet-based management point trusts the forest where the user
account resides.
Configuring Certificates in Internet-Based Client Management
When clients connect to the site systems located
on the internal network, the computers perform
mutual authentication by using Kerberos. This is
possible because clients and site systems can
access the Active Directory infrastructure. For
Internet-based client management, you must
assign and install certificates to enable mutual
authentication.
When you configure certificates for Internet-based client management, keep in mind that you
must configure each client and each site system
involved in Internet-based client management
with certificates to perform mutual authentication on the Internet. You can perform this configuration by
following this process:
1.
Configuration Manager site system roles that communicate by using HTTPS use certificates to
verify that their server name is the same as the server to which the clients are trying to connect. The
Enhanced Key Usage field in this type of certificate includes Server Authentication (1.3.6.1.5.5.7.3.1).
When using an AD CS Enterprise CA, you should create a template based on the existing Web Server
template in the template store. Secure Hash Algorithm 1 (SHA-1) and Secure Hash Algorithm 2
(SHA-2) are supported. There is no limit for the maximum supported key length for this certificate.
o
If the site system accepts connections from the Internet, the Subject Name or Subject Alternative
Name must contain the Internet FQDN.
o
If the site system accepts connections from both the Internet and the intranet, you must specify
both the Internet FQDN and the intranet FQDN (or computer name) by using the ampersand (&)
symbol delimiter between the two names.
2.
Configuration Manager site systems that are hosting the distribution point role use certificates
configured for client authentication. The Enhanced Key Usage field in this type of certificate includes
Client Authentication (1.3.6.1.5.5.7.3.2). When using an AD CS Enterprise CA, you should create a
template based on the existing Workstation Authentication template in the template store. The
private key must be exportable. SHA-1 and SHA-2 hash algorithms are supported. The maximum
supported key length is 2,048 bits.
The certificate:
o
Is used to authenticate the distribution point to an HTTPS-enabled management point before the
distribution point sends status messages.
o
Is sent to computers when the Enable PXE support for clients distribution point option is selected.
This ensures that the client computers can connect to an HTTPS-enabled management point
during the deployment of the operating system if task sequences in the operating system
deployment process include client actions such as client policy retrieval or sending inventory
information.
Note: The private key must be exportable because you must import the certificate as a
file on the distribution point properties, rather than select it from the certificate store. You need
to export the issued certificate in the Public Key Cryptography Standard (PKCS #12) format (.pfx
file).
3.
Internet-based clients can use those certificates generated by the PKI solution for authentication
when connecting to a Configuration Manager site system. The Enhanced Key Usage field in this type
of certificate includes Client Authentication (1.3.6.1.5.5.7.3.2). When using an AD CS Enterprise CA,
you should create a template based on the existing Workstation Authentication template in the
template store. Client computers must have a unique value in the Subject Name field or in the
Subject Alternative Name field. The maximum supported key length is 2,048 bits.
Template-based certificates can be issued by an Enterprise CA running on a supported edition of the
server operating system, such as Windows Server 2012 Datacenter or Standard.
Note: When you use Enterprise CA and certificate templates, do not use the version
3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create
certificates that are incompatible with Configuration Manager. When prompted for the version
of the template, select version 2 (Windows Server 2003).
Ensure that clients trust the CA that issues both the client certificates and the management point certificate.
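The certificate requirements above can be checked against the certificates installed on a site system or client. The following PowerShell is an added example, not code from this course or from Configuration Manager; the function name Test-CmPkiCertificate, its parameters, and the placeholder FQDNs are assumptions. It does not test private key exportability or Subject Name uniqueness across clients.

```powershell
# Added example. Function and parameter names are illustrative, not Configuration Manager cmdlets.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-CmPkiCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        [Parameter(Mandatory = $true)]
        [ValidateSet('WebServer', 'DistributionPoint', 'Client')]
        [string]$Role,

        # FQDNs that must appear in the Subject Name or SAN (checked for WebServer only)
        [string[]]$ExpectedFqdn = @()
    )
    process {
        $problems = @()

        # 1. Enhanced Key Usage must include the OID required for the role
        $ekuOids = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $requiredOid = if ($Role -eq 'WebServer') { $ServerAuthOid } else { $ClientAuthOid }
        if ($ekuOids -notcontains $requiredOid) {
            $problems += "EKU does not include $requiredOid"
        }

        # 2. Key length: 2,048-bit maximum for distribution point and client certificates
        $keySize = $Certificate.PublicKey.Key.KeySize
        if ($Role -ne 'WebServer' -and $keySize -gt 2048) {
            $problems += "Key length $keySize exceeds 2048 bits"
        }

        # 3. The private key must be present on the machine that uses the certificate
        if (-not $Certificate.HasPrivateKey) {
            $problems += 'No private key in this store'
        }

        # 4. Validity period
        $now = Get-Date
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems += "Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
        }

        # 5. The chain must end at a CA this machine trusts.
        #    Revocation checking is skipped so that the audit also runs offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($Certificate)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "Chain not trusted: $status"
        }

        # 6. Web server certificates: every expected FQDN must be in the Subject Name or SAN
        if ($Role -eq 'WebServer') {
            $names = @($Certificate.GetNameInfo('SimpleName', $false))
            $names += @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
            foreach ($fqdn in $ExpectedFqdn) {
                if ($names -notcontains $fqdn) {
                    $problems += "Name '$fqdn' missing from Subject Name and SAN"
                }
            }
        }

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Thumbprint         = $Certificate.Thumbprint
            Role               = $Role
            KeySize            = $keySize
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
            Compliant          = ($problems.Count -eq 0)
            Problems           = $problems -join '; '
        }
    }
}

# Client authentication certificates on an Internet-based client
Get-ChildItem Cert:\LocalMachine\My | Test-CmPkiCertificate -Role Client

# Web server certificates on a site system; both FQDNs are placeholders
Get-ChildItem Cert:\LocalMachine\My |
    Test-CmPkiCertificate -Role WebServer -ExpectedFqdn 'cm.example.com', 'cm.corp.example.local'
```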
Configuring Server and Client Certificates for Internet-Based Client Management
The configuration of server and client certificates required for Internet-based client management typically
involves the following steps:
1.
Deploying the Web Server certificate for site systems that run Internet Information Services (IIS). This
includes the following procedures:
a.
Creating and issuing the Web Server certificate template on the certification authority.
b.
Requesting a Web Server certificate from each of the site systems.
c.
Configuring IIS to use the Web Server certificate on each site system.
2.
Deploying the distribution point certificate for site systems that are hosting the distribution point role.
This includes the following procedures:
a.
Creating and issuing the distribution point certificate template on the certification authority.
b.
Requesting a distribution point certificate from each distribution point and exporting the
certificate in a .pfx file.
c.
Configuring the distribution point to use the certificate.
3.
Deploying the client certificate for computers. If the computers are also connecting to the intranet
and can authenticate to AD DS, the certificate deployment includes the following procedures:
a.
Creating and issuing the Workstation Authentication certificate template on the certification
authority.
b.
Configuring autoenrollment of the Workstation Authentication template by using Group Policy.
c.
Enrolling the Workstation Authentication certificate automatically and verifying its installation on
computers.
4.
If the computers are not connecting to AD DS, issuing and installing the client certificates manually.
Demonstration: Preparing Certificates for Configuration Manager
In this demonstration, you will see how to configure a client certificate template and a client distribution
point certificate template.
Demonstration Steps
1.
On LON-DC1, start the Certification Authority console.
2.
In the Certification Authority console, right-click the Certificate Templates folder, and then click
Manage. The Certificate Templates console opens.
3.
Duplicate the Workstation Authentication template, and then click the Windows Server 2003
compatibility option.
4.
In the Properties of New Template dialog box, configure the following settings:
o
On the General tab, name the template Configuration Manager Client Certificate.
o
On the Security tab, click the Domain Computers group, and then add the Read and
Autoenroll permissions.
5.
Duplicate the Workstation Authentication template, and then click the Windows Server 2003
option.
6.
In the Properties of New Template dialog box, configure the following settings:
o
On the General tab, name the template Configuration Manager Client Site System
Certificate.
o
On the Request Handling tab, select Allow private key to be exported.
o
On the Security tab, remove the Enroll permission from the security groups Domain Admins
and Enterprise Admins. Add the ConfigMgrServers group, and then grant the
ConfigMgrServers group the Enroll permission.
Note: This certificate template is based on the Workstation Authentication template,
which is the same template that the Configuration Manager client certificate uses. However, this
template requires the private key to be exportable, because you must import the certificate as a
file, rather than select it from the certificate store.
Publishing Site System Roles Through a Firewall
You must publish the site systems configured to
support Internet-based client management on the
Internet. You can do this by using one of the
following methods:
•
Place the site systems configured to support
Internet-based client management on a
perimeter network. This method is more
secure but more difficult to implement. To
follow this method, configure your firewalls as
follows:
1.
Configure the external firewall to allow
HTTPS communications from the Internet
to site systems. The clients communicate with the fallback status point by using HTTP.
2.
Configure the internal firewall to allow communications between the perimeter network site
systems and the internal servers. You can adjust port values for any customization in your
environment. However, the following communications must be allowed:
▪
Management point. Communicates with the computer running Microsoft SQL Server®
through the SMS Provider to read policy, and communicates directly with the site server to
report state messages.
▪
Distribution point. Communicates with the site server to read configuration information and
replicate content by using file-based replication.
▪
Software update point. Communicates with an upstream software update point or directly
with Microsoft Update.
▪
Fallback status point. Communicates with the site server.
•
Configure the internal site systems to support Internet-based client management and publish
them through a firewall. This method is less secure but easier to implement. To follow this method,
configure your firewall to allow direct HTTPS access from the Internet to the site systems (also known
as tunneling or pass-through). If you are using a proxy web server without SSL termination (tunneling),
no additional certificates are required on the proxy web server. However, the clients are connecting
directly to the site systems, and the firewall cannot inspect the traffic, which can pose additional
security risks. If you are using a proxy web server with SSL termination (bridging) for incoming
Internet connections, the proxy web server has the following certificate requirements:
o
Certificates are installed on the proxy web server with Enhanced Key Usage configured for server
and client authentication. You can use the Web Server and Workstation Authentication
templates.
o
The Subject Name field or Subject Alternative Name field includes the Internet FQDN. If you are
using Microsoft certificate templates, the Subject Alternative Name is available only with the
workstation template.
o
A server authentication certificate is used to authenticate servers to Internet clients and to
encrypt all the data transferred between the client and servers by using SSL.
o
Client authentication is used to bridge client connections between clients running System Center
2012 Configuration Manager and newer versions and the Internet-based site systems located on
the intranet.
Lab A: Configuring PKI for Configuration Manager
Scenario
You have installed System Center 2012 R2 Configuration Manager in the lab environment.
You must configure a Microsoft PKI solution to use with Configuration Manager as a method of
improving security. To do this, you will create templates for Configuration Manager, and then deploy the
certificates to your Configuration Manager infrastructure.
Objectives
After completing this lab, you will be able to:
•
Create certificate templates for Configuration Manager.
•
Deploy certificates for Configuration Manager.
Lab Setup
Estimated Time: 35 minutes
Virtual machines
10748C-LON-DC1-C
10748C-LON-CAS-C
10748C-LON-CFG-C
User name
Adatum\Administrator
Password
Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, open Hyper-V Manager.
2.
In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Log on using the following credentials:
o
User name: Administrator
o
Password: Pa$$w0rd
o
Domain: Adatum
5.
Repeat steps 2 through 4 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Exercise 1: Creating Certificate Templates for Configuration Manager
Scenario
In this exercise, you will create a group for the Configuration Manager servers and then create certificate
templates for Configuration Manager certificates.
The main tasks for this exercise are as follows:
1.
Create a Configuration Manager IIS servers group.
2.
Create a Configuration Manager Web Server certificate template.
3.
Create a Configuration Manager client certificate template.
4.
Create a Configuration Manager client distribution point certificate template.
5.
Create a Configuration Manager mobile device client certificate template.
6.
Enable the Configuration Manager certificate templates.
Task 1: Create a Configuration Manager IIS servers group
1.
On LON-DC1, from Server Manager, start Active Directory Users and Computers.
2.
In the Active Directory Users and Computers console, in the Users container, create a new group
named Configuration Manager IIS Servers.
3.
Add LON-CFG to the Configuration Manager IIS Servers group.
4.
Close Active Directory Users and Computers.
Task 2: Create a Configuration Manager Web Server certificate template
1.
On LON-DC1, from Server Manager, start the Certification Authority console.
2.
In the Certification Authority console, right-click the Certificate Templates folder, and then click
Manage. The Certificate Templates console opens.
3.
Duplicate the Web Server template, and then on the Compatibility tab, ensure that the Windows
Server 2003 option is selected.
4.
In the Properties of New Template dialog box:
o
On the General tab, name the template Configuration Manager Web Server Certificate.
o
On the Subject Name tab, ensure that the Supply in the request option is selected.
o
On the Security tab, remove the Enroll permission from the security groups Domain Admins
and Enterprise Admins. Add the Configuration Manager IIS Servers group, and then grant the
Configuration Manager IIS Servers group the Enroll permission.
Task 3: Create a Configuration Manager client certificate template
1.
Duplicate the Workstation Authentication template, and then on the Compatibility tab, ensure
that the Windows Server 2003 option is selected.
2.
In the Properties of New Template dialog box:
o
On the General tab, name the template Configuration Manager Client Certificate.
o
On the Security tab, select the Domain Computers group, and then add the Read and
Autoenroll permissions.
Task 4: Create a Configuration Manager client distribution point certificate template
1.
Duplicate the Workstation Authentication template, and then on the Compatibility tab, ensure
that the Windows Server 2003 option is selected.
2.
In the Properties of New Template dialog box:
o
On the General tab, name the template Configuration Manager Client Distribution Point
Certificate.
o
On the Request Handling tab, select Allow private key to be exported.
o
On the Security tab, remove the Enroll permission from the security groups Domain Admins
and Enterprise Admins. Add the Configuration Manager IIS Servers group, and then grant the
Configuration Manager IIS Servers group the Enroll permission.
Note: This certificate template is based on the Workstation Authentication template,
which is the same template that the Configuration Manager client certificate uses. However, this
template requires the private key to be exportable, because you must import the certificate as a
file, rather than select it from the certificate store.
Task 5: Create a Configuration Manager mobile device client certificate template
1.
Duplicate the Authenticated Session template, and then on the Compatibility tab, ensure that the
Windows Server 2003 option is selected.
2.
In the Properties of New Template dialog box:
o
On the General tab, name the template Configuration Manager Mobile Device Certificate.
o
On the Subject Name tab, ensure that the Build from this Active Directory information
option is selected, and in the Subject name format list, select Common name, and then clear
the User principal name (UPN) check box.
3.
Close the Certificate Templates console.
Task 6: Enable the Configuration Manager certificate templates
1.
If necessary, in the navigation pane of the Certification Authority console, expand the AdatumCA
node, and then click Certificate Templates.
2.
Enable the following certificates:
o
Configuration Manager Client Certificate
o
Configuration Manager Client Distribution Point Certificate
o
Configuration Manager Mobile Device Certificate
o
Configuration Manager Web Server Certificate
3.
Close the Certification Authority console.
Results: After this exercise, you should have created a group for the Microsoft® System Center 2012 R2
Configuration Manager servers and created the templates for Configuration Manager certificates.
Exercise 2: Deploying Certificates for Configuration Manager
Scenario
You are going to deploy the certificates to the Configuration Manager infrastructure by using the
templates you created. You will deploy the workstation certificates through a Group Policy Object (GPO)
to take advantage of autoenrollment. You will request the web certificate and distribution point certificate
for the Configuration Manager web-based services. Then you will configure the site system roles to use
HTTPS.
The main tasks for this exercise are as follows:
1.
Create an autoenrollment GPO.
2.
Request a Configuration Manager IIS certificate on the management point.
3.
Request a Configuration Manager client distribution point certificate.
4.
Assign the Configuration Manager IIS certificate to Web Services.
5.
Configure HTTPS for the Configuration Manager roles.
6.
Deploy certificate profiles to clients.
Task 1: Create an autoenrollment GPO
1.
On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2.
At the root of the domain, create a GPO named Enable Autoenrollment of Certificates.
3.
Edit the Enable Autoenrollment of Certificates GPO.
4.
Navigate to the Computer Configuration/Policies/Windows Settings/Security Settings
/Public Key Policies/Certificate Services Client – Auto-Enrollment object.
5.
Configure the following values for the Certificate Services Client – Auto-Enrollment object:
o
In the Configuration Model list, select Enabled.
o
Select the Renew expired certificates, update pending certificates, and remove revoked
certificates check box.
o
Select the Update certificates that use certificate templates check box.
Task 2: Request a Configuration Manager IIS certificate on the management point
1.
On LON-CFG, restart the server.
2.
Wait for the machine to restart, and then sign in as Adatum\Administrator with the password of
Pa$$w0rd.
3.
Start a Microsoft Management Console (MMC), and then add the Certificates snap-in for the Local
computer: (the computer this console is running on).
4.
In the MMC window, expand Certificates (Local Computer), and click Personal. Right-click
Personal, and then select the option Request New Certificate.
5.
In the Certificate Enrollment wizard, request a new certificate by using the following information:
o
On the Request Certificates page, select the Configuration Manager Web Server Certificate
check box, and then click More information is required to enroll for this certificate. Click
here to configure settings.
o
On the Subject tab, in the Alternative name area, in the Type list, select DNS, in the Value box,
type LON-CFG.Adatum.com, and then click Add.
o
On the General tab, in the Friendly name box, type Configuration Manager Web Services.
o
Complete the request, wait until the certificate is installed, and then click Finish.
Task 3: Request a Configuration Manager client distribution point certificate
1.
In the MMC window, under the Personal folder, right-click Certificates, and then select the option
Request New Certificate.
2.
In the Certificate Enrollment Wizard, request a new certificate by using the following information:
o
On the Request Certificates page, select the Configuration Manager Client Distribution
Point Certificate check box, and then click Enroll.
o
Complete the request, wait until the certificate is installed, and then click Finish.
3.
In the MMC window, expand Personal, and then select Certificates.
4.
Select the certificate that has Configuration Manager Client Distribution Point Certificate on the
Certificate Template column, right-click the certificate, and then select Export. The Certificate
Export Wizard opens.
5.
In the Certificate Export Wizard, use the following information to export the certificate:
o
On the Export Private Key page, select Yes, export the private key.
o
On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12
(.PFX) option is selected.
o
On the Security page, type Pa$$w0rd in both the Password and Confirm password text boxes.
o
On the File to Export page, in the File name text box, type
C:\ConfigMgrClientDPCertificate.pfx.
o
Complete the export of the certificate.
6.
Close the MMC window.
Task 4: Assign the Configuration Manager IIS certificate to Web Services
1.
On LON-CFG, from Server Manager, open Internet Information Services (IIS) Manager.
2.
Expand LON-CFG (ADATUM\Administrator), dismiss the dialog box, expand Sites, right-click
Default Web Site, and then click Edit Bindings.
3.
In the Site Bindings dialog box, edit the https entry, in the SSL certificate list, select the
Configuration Manager Web Services certificate, click OK, and then close all open windows.
Task 5: Configure HTTPS for the Configuration Manager roles
1.
On LON-CFG, from the task bar, start the Configuration Manager console.
2.
In the Administration workspace, expand Site Configuration, and then click Servers and Site
System Roles.
3.
In the results pane, select \\LON-CFG.Adatum.com, and then, in the preview pane, access the
Properties for the Site system.
4.
In Site system Properties, configure the following:
•
Select Specify an FQDN for this site system for use on the Internet.
•
In the Internet FQDN text box, type LON-CFG.Adatum.com, and then close the dialog box.
5.
In the preview pane, access the Properties for Distribution point.
6.
In the Distribution point Properties dialog box:
•
On the General tab, select Import certificate, and then browse to and click the
C:\ConfigMgrClientDPCertificate.pfx certificate file.
•
In the Password text box, type Pa$$w0rd.
•
Select HTTPS, under Requires computers to have a valid PKI client certificate, select Allow
intranet and Internet connections, and then close the dialog box.
7.
In the preview pane, access the Properties for the Management point.
8.
In the Management point Properties dialog box:
o
On the General tab, click HTTPS, and then under This option requires client computers to
have a valid PKI client certificate for client authentication, select Allow intranet and
Internet connections.
o
Select the Allow mobile devices to use this management point check box, and then close the
dialog box.
Task 6: Deploy certificate profiles to clients
1.
On LON-CFG, open File Explorer.
2.
Copy the \\LON-DC1\CertEnroll\LON-DC1.Adatum.com_AdatumCA.crt file to the desktop.
3.
In the Assets and Compliance workspace, navigate to Certificate Profiles, and then create a
certificate profile.
4.
Name the profile AdatumEnterpriseRootCA, and then set the profile type to Trusted CA
certificate.
5.
Import the certificate that you copied to the desktop and ensure that it will be placed in the
Computer certificate store – Root location.
6.
Configure the profile for all supported platforms.
7.
Deploy the certificate profile to the All Desktop and Server Clients collection.
Results: After this exercise, you should have issued the Configuration Manager certificates and configured
HTTPS communication for Configuration Manager roles.
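To confirm the outcome of Tasks 2, 4, and 5, you can compare the certificate that IIS presents on port 443 with the certificate requested in Task 2. The following PowerShell is an added example, not part of the lab or of Configuration Manager; the function name Test-CmHttpsBinding is an assumption, and the default values are the names used in this lab. Run it on LON-CFG.

```powershell
# Added example for the lab environment. The function name is illustrative.
function Test-CmHttpsBinding {
    [CmdletBinding()]
    param(
        [string]$HostName     = 'LON-CFG.Adatum.com',                  # FQDN typed in Tasks 2 and 5
        [string]$FriendlyName = 'Configuration Manager Web Services',  # friendly name typed in Task 2
        [int]$Port            = 443
    )

    $result = [pscustomobject]@{
        HostName                    = $HostName
        Port                        = $Port
        ServedSubject               = $null
        ServedThumbprint            = $null
        TrustedAndNameMatches       = $false
        MatchesRequestedCertificate = $false
        HasServerAuthEku            = $false
        DaysUntilExpiry             = $null
        Error                       = $null
    }

    # Certificate requested in Task 2, identified by its friendly name
    $requested = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        ForEach-Object { $_.Thumbprint })

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)

        # No validation callback is passed, so Windows applies its default checks:
        # the chain must end at a trusted root and the name must match $HostName.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)   # throws if either check fails
            $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            $ekuOids = @($served.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value })

            $result.ServedSubject               = $served.Subject
            $result.ServedThumbprint            = $served.Thumbprint
            $result.TrustedAndNameMatches       = $true
            $result.MatchesRequestedCertificate = ($requested -contains $served.Thumbprint)
            $result.HasServerAuthEku            = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
            $result.DaysUntilExpiry             = [math]::Floor(($served.NotAfter - (Get-Date)).TotalDays)
        }
        finally {
            $ssl.Dispose()
        }
    }
    catch {
        # Connection refused, untrusted chain, or name mismatch all end up here
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $tcp.Close()
    }

    $result
}

Test-CmHttpsBinding
```

A value of False for MatchesRequestedCertificate means the https binding edited in Task 4 points at a different certificate than the one requested in Task 2.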
Lesson 3
Configuring Cloud Services in System Center 2012 R2
Configuration Manager
By integrating cloud services into a Configuration Manager deployment, you can extend your
organization’s ability to distribute content and manage mobile devices. Cloud-based distribution
points allow you to deploy distribution points hosted in a public Windows Azure™ cloud. You can deploy
a scalable distribution point rapidly to clients on both the Internet and internal networks without
provisioning a virtual machine or physical server to host it. You can also integrate Windows Intune with
System Center 2012 R2 Configuration Manager, thereby allowing you to manage mobile devices running
the iOS, Android, Windows Phone, and Windows RT operating systems.
Lesson Objectives
After completing this lesson, you will be able to:
•
Describe the benefits and limitations of cloud-based distribution points.
•
List the prerequisites for implementing cloud-based management.
•
Describe Windows Intune and its functionality.
•
Explain the preparatory steps for implementing Windows Intune integration.
•
Explain how to configure the Windows Intune connector site system role.
•
List the certificate requirements for mobile devices.
Cloud-Based Distribution Points in System Center 2012 R2 Configuration
Manager
In Windows Azure, you can distribute content by
using cloud-hosted distribution points. This means
that you can make content accessible to clients on
the Internet and clients on the internal network
without deploying additional distribution points
on internal networks. For example, if you are
planning content distribution to very small branch
offices, you can use a cloud-based distribution
point instead of using physical hardware or a
virtual machine to deploy a distribution point at
the branch office locations.
You can manage cloud-based distribution points
individually or as part of distribution point groups. This feature offers the following benefits:
•
Provides encryption. Configuration Manager encrypts content transmitted to a cloud-based
distribution point before transmission to Windows Azure.
•
Can scale as necessary. You can scale the cloud-based distribution point up or down to meet the
changing demands for content. For example, you can scale it up when you require more deployment
capacity, and scale it down when you require less deployment capacity. By doing so, you will find it
less necessary to deploy additional distribution points within the organization.
•
Can be used by both intranet and Internet-based clients.
•
Supports Windows BranchCache®.
•
Can be used as a fallback content location.
Cloud-based distribution points have the following limitations:
•
Cannot host software update packages.
•
Cannot be used for Pre-Boot eXecution Environment (PXE) or multicast-enabled deployment.
•
Does not support packages that run from the distribution point; content must be downloaded from
the distribution point and run locally.
•
Does not support streaming applications by using Microsoft Application Virtualization (App-V).
•
Does not support prestaged content.
•
Cannot be configured as pull-distribution points.
When you use Windows Intune with Configuration Manager, a cloud-based distribution point is created
automatically for distributing content through Windows Intune. This distribution point distributes content
for clients that are managed through the Windows Intune connector.
Prerequisites for Implementing Cloud-Based Management
You can implement a cloud-based distribution
point by using two methods: Windows Azure and
Windows Intune. Each method has its own
prerequisites.
Cloud-based distribution points in Windows Azure
must meet the following prerequisites:
•
A Windows Azure subscription
•
A management certificate (either self-signed or issued from a CA) that is used for
communication between the primary site
server and Windows Azure
•
A service certificate that Configuration Manager clients use to connect to Windows Azure cloud-based distribution points to retrieve content by using the HTTP protocol
•
The Allow access to cloud distribution points client setting set to Yes for the Configuration Manager
device or user
•
The client attempting to access the cloud-based distribution point is able to access the Internet
•
The client attempting to access the cloud-based distribution point is able to resolve the name of the
cloud service; this will require a canonical name (CNAME) record in the local DNS namespace mapped
to the name of the cloud-based distribution point
The only prerequisite for a Windows Intune cloud-based distribution point is that Windows Intune
integration must be configured. This requires a Windows Intune subscription, the Windows Intune
connector site system role, and configuration of directory synchronization.
You can use the Directory Synchronization tool, also known as DirSync, to synchronize AD DS user
accounts and passwords with Windows Azure Active Directory. Windows Azure Active Directory stores
user accounts and passwords for Windows Intune, Windows Azure, and other services such as Microsoft
Office 365™.
Versions of DirSync after 6382.000 support password synchronization. Because you no longer have to
deploy Active Directory Federation Services (AD FS), it is simpler to integrate an on-site Configuration
Manager deployment with Windows Azure and Windows Intune.
Overview of Windows Intune
You can use Windows Intune, a cloud-based
management service, to perform the following
management tasks on client computers and
mobile devices:
• Software updates
• Software deployments
• Hardware and software inventory
• Endpoint Protection
• Remote assistance
• Mobile device management
• Software licensing
• Windows Firewall policy
You can use Windows Intune to perform these management tasks on computers that rarely connect to an
organizational network and that might not be joined to an Active Directory domain. Additionally, you can
use Windows Intune to manage software deployment for computers that are running Windows, Android,
and Apple iOS operating systems.
Computers that you manage through Windows Intune require Windows Intune client software. You can
download the client software from the Windows Intune company portal. The client software includes an
account certificate that binds the client to a specific Windows Intune deployment. If your organization
chooses to use Windows Intune to manage client devices, you must develop a strategy to install the client
software on all end-user computers. After you install the client software on a device, the Windows Intune
administrator can manage that device remotely.
Note: You cannot deploy the Windows Intune client software on a computer that has the
System Center 2012 Configuration Manager SP1 agent or the System Center 2012 R2
Configuration Manager agent installed.
Prerequisites for Implementing Windows Intune Integration
Before configuring the Windows Intune
connector, you should perform the following
tasks:
• Sign up for a Windows Intune organizational account. Before you can configure the connector, you must have Windows Intune administrator credentials for the organizationname.onmicrosoft.com (where organizationname.com is your organization’s DNS suffix) domain. Do not use the account that you used to sign up for Windows Intune (the Outlook.com, Hotmail.com, or live.com Microsoft account) to configure the connector.
• Add a public company domain to Windows Intune. You must have a public company domain for which you can create DNS resource records, and you must configure this domain within Windows Intune.
• Configure user account, or User Principal Name (UPN), suffixes. You must configure user accounts with UPNs for the public company domain.
• Configure directory synchronization. You must configure Active Directory synchronization between your on-premises AD DS and the Windows Azure Active Directory that you are using with the Windows Intune organizationname.onmicrosoft.com domain.
• Configure DNS alias. Create a CNAME record in DNS that maps enterpriseenrollment.organizationname.com to manage.microsoft.com.
• Obtain relevant certificates or keys. The certificates or keys that you need depend on the mobile devices that you will be managing through Windows Intune. You will learn more about these in a later topic in this lesson.
The Windows Intune Connector Site System Role
The Windows Intune connector is a site system
role that you use to connect the Configuration
Manager infrastructure with a Windows Intune
subscription. You must deploy this role in
conjunction with a connection to an existing
Windows Intune subscription that is configured
to synchronize with on-premises AD DS. The
Windows Intune connector will use the proxy
server configuration of the site system server on
which you install the role. You configure the proxy
server configuration for a site system server when
you install a site system role. You can edit the
proxy server by editing the properties of the site system server. All site system roles on a site system server
use the same proxy server configuration.
To create the Windows Intune connector, perform the following procedure:
1. In the Administration workspace, expand the Hierarchy Configuration folder, and then click Windows Intune Subscriptions.
2. On the ribbon, click Add Windows Intune Subscription.
3. On the Introduction page, click Next.
4. On the Subscription page, sign in by using an account configured as an administrator for your Windows Intune organization. Select the Allow the Configuration Manager console to manage this subscription check box.
5. Review the privacy links.
6. On the General page, specify the following settings:
   o Specify the user collection whose members will be able to enroll their devices for management. Browse to the appropriate collection.
   o Company name. Specify your organization name.
   o URL to company privacy information. Provide privacy information (optional).
   o Color scheme for company portal. Change the color of the company portal, or accept the default color.
   o Configuration Manager site code. Specify the primary site for mobile devices.
7. On the Platforms page, choose the device types you want to manage (devices running Android, iOS, Windows, or Windows Phone 8), and then review the platform requirements. For each device type that you choose, you need to configure additional settings. You can configure these settings on a per-device type basis when necessary.
When you enable the Allow the Configuration Manager console to manage this subscription option,
Configuration Manager takes control of the Windows Intune subscription for mobile device management.
You cannot undo this step. If you later decide that you do not want to manage Windows Intune by using
Configuration Manager, you must create a new Windows Intune subscription.
To deploy the site system role for the Windows Intune connector, perform the following procedure on a
site system server that will communicate with the Windows Intune servers on the Internet:
1. In the Administration workspace, expand the Site Configuration folder, and then click Servers and Site System Roles.
2. Select the site system server, and then on the ribbon, click Add Site System Roles.
3. On the System Role Selection page, select Windows Intune Connector, and then click Next.
4. Complete the wizard.
Certificate Requirements for Supporting Devices
Depending on the mobile device operating
system, you will need certificates or keys to enroll
mobile devices through the Windows Intune
connector with Configuration Manager. The
following table details those specifications.
Mobile device operating system | Certificates or keys | Notes
Windows Phone 8 | Code-signing certificate (all sideloaded apps must be code-signed) | Purchase a code-signing certificate from Symantec
Windows RT | Sideloading keys to allow installation of sideloaded apps. All apps that you sideload must be code-signed | Obtain sideloading keys from Microsoft. Sign apps by using a code-signing certificate that an internal or third-party trusted CA issues
iOS | Apple Push Notification service certificate | Obtain from Apple
Android | Not required | Not applicable
Lab B: Configuring Windows Intune Integration with
System Center 2012 R2 Configuration Manager
Scenario
You are responsible for managing apps at A. Datum Corporation’s Melbourne office. An increasing
number of users at the Melbourne office need to use mobile devices to interact with sensitive
organizational content. With this in mind, your job is to manage mobile devices through the
organization’s existing Configuration Manager infrastructure. You need to configure the infrastructure
so that users are able to self-enroll their devices, such as mobile phones. You should also configure the
infrastructure so that users are able to self-enroll user-owned computers by visiting a website on the
Internet.
Objectives
After completing this lab, you will be able to:
• Sign up for a Windows Intune trial account and configure directory synchronization.
• Configure the Windows Intune connector role.
Lab Setup
Estimated Time: 130 minutes
Virtual machines: 10748C-LON-DC1-C, 10748C-LON-CAS-C, 10748C-LON-CFG-C
User name: Adatum\Administrator
Password: Pa$$w0rd

Virtual machines: MSL-TMG1
User name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, open Hyper-V Manager.
2. In Hyper-V Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
6. Repeat steps 2 and 3 for MSL-TMG1. This is a gateway server that allows connections to the Internet.
Exercise 1: Signing Up for a Windows Intune Trial Account and Configuring
Directory Synchronization
Scenario
Before setting up a connection between Windows Intune and System Center 2012 R2 Configuration
Manager, you must configure an organizational Windows Intune subscription. When setting up a
Windows Intune subscription, you want to ensure that you do not have to configure a set of parallel user
accounts. You will configure directory synchronization that enables users to use one set of credentials to
authenticate against both Windows Server Active Directory Domain Services (AD DS) and Windows Azure
Active Directory.
The main tasks for this exercise are as follows:
1. Create a temporary email account name.
2. Create a Windows Intune account.
3. Configure a UPN suffix.
4. Configure directory synchronization.
Task 1: Create a temporary email account name
• Create a temporary email account name, not an actual email account, by using the following scheme:
   o The first part of the email address should be your first name, the first letter of your last name, 10748C, and the date in the format used in your region (mm/dd/yy or dd/mm/yy). For example, JoeS10748C010114 if it is the first of January 2014.
   o The domain (the portion of the address after the @ symbol) should be Adatum.com. For example, joeS10748C010114@adatum.com.
Task 2: Create a Windows Intune account
1. On LON-CAS, edit the properties of Internet Explorer® and set the security level for the trusted sites zone to Low.
2. Remove the requirement for https, and then add *.microsoft.com to the list of trusted sites.
3. In Internet Explorer, navigate to the following URL: http://www.microsoft.com/intune.
4. In Internet Explorer, click the Try option, and then click Sign up for a Windows Intune free 30-day trial.
5. On the Windows Intune Sign up page, provide the required information to sign up for the trial account. Enter data for the following required fields, and then click Check Availability:
   o Country or region: Select your country or region
   o Organizational language: Choose your organizational language
   o First name: Don
   o Last Name: Funk
   o Organization Name: Type the first three letters of the city in which you are attending the course; the course number; the month, day, and year; and the number of your computer, counting from the front left side of the classroom. For example, type MEL10748C02041405 to indicate that you are attending the course in Melbourne; the course number is 10748C; the date is February 4, 2014; and you are using the fifth computer from the front left side of the classroom
   o Address 1: Street address of the location in which you are attending the course
   o City: City in which you are attending the course
   o State: State in which you are attending the course
   o ZIP code: ZIP code in which you are attending the course
   o Phone Number: 555-555-1212
   o Email address: The fake email address that you created in the first task of this exercise.
   o New Domain Name: Type the first three letters of the city in which you are attending the course; the course number; the month, day, and year; and the number of your computer, counting from the front left side of the classroom. For example, type MEL10748C02041405 to indicate that you are attending the course in Melbourne; the course number is 10748C; the date is February 4, 2014; and you are using the fifth computer from the front left side of the classroom
6. After the domain name is verified, enter the following information:
   o New User ID: Student
   o Create new password: Pa$$w0rd
   o Confirm new password: Pa$$w0rd
7. In the Verification field, type the text that is shown as a graphic. Note that the text is not case-sensitive.
8. Click I Accept and continue.
9. In the Windows Intune form, click Continue.
10. In the Don’t lose access to your account dialog box, click Remind me later.
11. Close Internet Explorer.
Task 3: Configure a UPN suffix
1. On LON-DC1, use the Active Directory Domains and Trusts console to add the organizationname.onmicrosoft.com UPN suffix, where organizationname is your Windows Intune organization name.
2. Run Windows PowerShell ISE as Administrator, type the following, replacing organizationname.onmicrosoft.com with your Windows Intune organization’s name, and then press Enter:

    # Rewrite the UPN suffix of every user under DC=adatum,DC=com whose UPN ends in @adatum.com.
    Get-ADUser -Filter {UserPrincipalName -like "*@adatum.com"} -SearchBase "DC=adatum,DC=com" |
        ForEach-Object {
            # String.Replace() is case-sensitive; type the suffix exactly as it is stored.
            $UPN = $_.UserPrincipalName.Replace("adatum.com","organizationname.onmicrosoft.com")
            Set-ADUser $_ -UserPrincipalName $UPN
        }

3. In the script pane, type the following, and then press Enter:

    # Create the CNAME record EnterpriseEnrollment.Adatum.com that points to manage.microsoft.com.
    Add-DnsServerResourceRecordCname -HostNameAlias manage.microsoft.com -Name EnterpriseEnrollment -ZoneName Adatum.com

4. Use Active Directory Administrative Center to verify that the new UPN has been applied to April Reagan’s account.
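A read-only check that can be run on LON-DC1 after Task 3, added here as an example (it is not part of the course material): it confirms that the UPN suffix is registered, lists accounts still on the old suffix, flags UPNs that the case-sensitive String.Replace() call would leave unchanged or that would collide after the rename, and confirms the EnterpriseEnrollment CNAME. The parameter names are chosen for this example, the defaults reuse the lab's names, and organizationname remains a placeholder.

```powershell
#requires -Modules ActiveDirectory
# Added example: read-only verification of the Task 3 changes. Nothing is modified.
# Parameter defaults are the lab's names; organizationname is a placeholder.
param(
    [string]$OldSuffix      = 'adatum.com',
    [string]$NewSuffix      = 'organizationname.onmicrosoft.com',
    [string]$SearchBase     = 'DC=adatum,DC=com',
    [string]$EnrollmentName = 'EnterpriseEnrollment.adatum.com',
    [string]$ExpectedTarget = 'manage.microsoft.com'
)

# 1. The new suffix must be registered in the forest (Task 3, step 1).
$suffixRegistered = (Get-ADForest).UPNSuffixes -contains $NewSuffix

# 2. Accounts that still carry the old suffix. The -like filter is case-insensitive.
$users = @(Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase)

# 3. String.Replace() is case-sensitive, so a UPN such as user@Adatum.com matches
#    the filter above but would be written back unchanged by the rename.
$caseMismatch = @($users | Where-Object { $_.UserPrincipalName -cnotlike "*@$OldSuffix" })

# 4. UPNs should be unique: flag renames that would collide with an existing UPN.
$existing = @{}
Get-ADUser -Filter "UserPrincipalName -like '*@$NewSuffix'" |
    ForEach-Object { $existing[$_.UserPrincipalName.ToLowerInvariant()] = $_.SamAccountName }
$collisions = @(foreach ($u in $users) {
    $upn       = $u.UserPrincipalName
    $localPart = $upn.Substring(0, $upn.LastIndexOf('@'))
    $proposed  = ($localPart + '@' + $NewSuffix).ToLowerInvariant()
    if ($existing.ContainsKey($proposed)) {
        [pscustomobject]@{
            User     = $u.SamAccountName
            Proposed = $proposed
            HeldBy   = $existing[$proposed]
        }
    }
})

# 5. The enrollment alias must be a CNAME that points at the expected target (Task 3, step 3).
$cname = Resolve-DnsName -Name $EnrollmentName -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'CNAME' } |
    Select-Object -First 1
$cnameOk = ($null -ne $cname) -and ($cname.NameHost.TrimEnd('.') -eq $ExpectedTarget)

# Summary object: every field should look healthy before directory synchronization is enabled.
[pscustomobject]@{
    SuffixRegistered  = $suffixRegistered
    UsersOnOldSuffix  = $users.Count
    MissedByReplace   = $caseMismatch.UserPrincipalName
    UpnCollisions     = $collisions
    EnrollmentCname   = if ($cname) { $cname.NameHost } else { 'not found' }
    EnrollmentCnameOk = $cnameOk
}
```

Run before the rename, UsersOnOldSuffix shows how many accounts will change; run afterwards, it should be 0 with SuffixRegistered and EnrollmentCnameOk both True.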
Task 4: Configure directory synchronization
1. On LON-CAS, open Internet Explorer.
2. Navigate to account.manage.microsoft.com in Internet Explorer, and then sign in as student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune organization name, with the password Pa$$w0rd.
3. In the Users section, activate Active Directory synchronization.
4. Download and install the 64-bit version of the Active Directory synchronization tool by using the default settings.
5. Sign out from LON-CAS, and then sign in as Adatum\administrator with the password Pa$$w0rd.
6. Run the Active Directory Sync tool Configuration Wizard with the following settings:
   o Windows Azure Active Directory user name: student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune organization name
   o Windows Azure Active Directory password: Pa$$w0rd
   o Active Directory username: administrator@adatum.com
   o Active Directory password: Pa$$w0rd
   o Enable Hybrid Deployment: Enabled
   o Enable Password Sync: Enabled
   o Synchronize your directories now: Selected
7. Wait five minutes, return to the Windows Intune Admin page, click Users, and then verify that the list of users in Windows Intune is now populated with users from AD DS.
8. In the User list, click Alex Darrow.
9. Select the Windows Intune check box, and then click Save.
10. On the Assign role page, leave the default settings, and then select United States as the location.
11. Click Save.
Results: After this exercise, you will have created a Windows Intune™ account, and configured directory
synchronization between the local Windows Server® Active Directory® Domain Services (AD DS) instance
and Windows Azure™ Active Directory.
Exercise 2: Configuring the Windows Intune Connector Role
Scenario
Users at A. Datum use a variety of mobile platforms. You need to integrate Windows Intune so that you
can manage mobile devices.
The main tasks for this exercise are as follows:
1. Configure the Windows Intune connector.
2. Deploy the Windows Intune site system role.
3. Configure client access to the cloud-based distribution point.
Task 1: Configure the Windows Intune connector
• On LON-CAS, in the Configuration Manager console, create a Windows Intune subscription through the Windows Intune Subscriptions node, under the Cloud Services folder, by using the following settings:
   o Set the mobile device management authority to: Configuration Manager
   o Username: student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune organization name
   o Password: Pa$$w0rd
   o Collection: All Users
   o Company Name: Adatum
   o Configuration Manager site code: S01
   o Platforms: Do not select any platforms
Task 2: Deploy the Windows Intune site system role
• Use the Configuration Manager console to add the site system role for the Windows Intune connector to LON-CAS.
Task 3: Configure client access to the cloud-based distribution point
• Edit the properties of the Default Client Settings to allow access to cloud-based distribution points.
Results: After this exercise, you will have integrated Configuration Manager with Windows Intune.
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Module Review and Takeaways
Review Questions
Question: Your organization has users with devices running Windows RT 8.1 and iOS 6.
These devices are Configuration Manager clients. What technology would you use to
provision these devices with VPN connection information?
Question: What are the limitations of cloud-based distribution points over distribution
points deployed on-premises?
Module 8
Maintaining and Monitoring System Center 2012 Configuration Manager
Contents:
Module Overview
Lesson 1: Overview of Configuration Manager 2012 Site Maintenance
Lesson 2: Performing Backup and Recovery of a Configuration Manager Site
Lesson 3: Monitoring Configuration Manager 2012 Site Systems
Lab: Maintaining System Center 2012 Configuration Manager
Module Review and Takeaways
Module Overview
System Center 2012 Configuration Manager architecture includes multiple components on the site
server, site systems, and client devices. Although you can design your solution’s architecture to be
resilient to failures by implementing multiple site systems, using database clustering, and implementing
multiple primary sites to benefit from global-data replication, you must configure and perform regular
site-maintenance tasks to ensure that the solution that you implement is functional and effective.
Performing regular backups is an important maintenance activity that you implement in your
Configuration Manager environment. Performing regular backups is even more important if you have
a stand-alone primary site, so that you can recover the site configuration or the site database if failure
occurs.
If you have a multiple-site environment, data replicates to other sites in the hierarchy. However, we still
recommend that you perform backups of the site servers and databases in the central administration site
and the primary sites to protect your implementation in case your operating system or site fails. The
database-replication mechanism helps you in the recovery process by replicating the most recent global data from
other sites in the hierarchy.
In addition to regular site backups, you should perform regular monitoring activities to determine
the health of your Configuration Manager implementation. You use the monitoring capabilities that
the Configuration Manager console includes to monitor the status of the site systems and replication.
Additionally, you can use external monitoring tools, such as System Center 2012 Operations Manager,
to automate monitoring and alerting.
Objectives
After completing this module, you will be able to:
• Describe Configuration Manager site-maintenance tasks.
• Back up and recover a Configuration Manager site.
• Monitor Configuration Manager site systems.
Lesson 1
Overview of Configuration Manager 2012 Site Maintenance
Configuration Manager 2012 includes built-in maintenance tasks that you can enable and then configure
to run on a schedule. After installing your Configuration Manager environment, you must review the
built-in maintenance tasks, so that you can determine which ones to enable and when they should run.
A crucial part of your site-maintenance setup that you should make a part of every Configuration
Manager design is a site-maintenance plan. When you create a site-maintenance plan, you should include
configuration details for the following:
• Built-in site maintenance tasks.
• Maintenance activities that you need to perform manually on a daily, weekly, or monthly schedule.
• Configuration of the status alert and status-monitoring systems that you can access from the Configuration Manager console.
• External monitoring tools that you can use in the site, such as System Center 2012 Operations Manager.
Lesson Objectives
After completing this lesson, you will be able to:
• Provide an overview of Configuration Manager 2012 site maintenance.
• Describe typical tasks that you can use to maintain a Configuration Manager 2012 site.
• Maintain a Configuration Manager 2012 site.
• Describe the purpose and content of a site-maintenance plan.
Overview of Configuration Manager 2012 Site Maintenance
Site maintenance and monitoring for Configuration Manager 2012 includes the following types of activities:
• Performing site-maintenance tasks. You can configure the built-in site maintenance tasks, such as the Backup Site Server maintenance task, and perform other regular maintenance activities.
• Monitoring the site systems and replication. You can use the monitoring features that the Configuration Manager console includes to view site-system status, evaluate client health, and monitor site replication.
• Monitoring by using System Center 2012 Operations Manager. You can monitor the Configuration Manager 2012 environment by using System Center 2012 Operations Manager to import the Configuration Manager 2012 management pack, and then configuring the alerts and performance-collection rules.
Configuring the Backup Site Server maintenance task, and ensuring that the backup occurs correctly, is
the most important action you perform in your Configuration Manager 2012 environment. By ensuring
these two factors, you can recover the site server and the database if an operating-system or site failure
occurs. The next lesson, “Performing Backup and Recovery of a Configuration Manager 2012 Site”, covers
backup and recovery in greater detail.
Question: Describe the tools that you can use to monitor the health of Configuration Manager 2012 site
systems.
Site Maintenance Tasks
Configuration Manager 2012 includes built-in maintenance tasks that you can enable and configure to run on a schedule. Configuration Manager 2012 enables some of these tasks by default, and they perform required clean-up activities, including deleting aged information from the database, ensuring removal of obsolete information, and ensuring that reports show up-to-date information.
You can view the site maintenance tasks by performing the following procedure:
1. Open the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, expand Site Configuration, and then click the Sites node.
3. Select the site for which you want to view the tasks, and then on the ribbon, click Settings, and then click the Site Maintenance Tasks button.
4. In the Site Maintenance dialog box, click the maintenance task that you want to configure, and then click Edit.
The following table lists the site-maintenance tasks and their purposes.
Site-maintenance task | Purpose
Backup Site Server | Backs up a Configuration Manager 2012 site, including the site database, files, registry keys, and system-configuration information.
Rebuild Indexes | Rebuilds the site database-table indexes to speed up data retrieval.
Monitor Keys | Monitors the primary keys from the site database tables.
Delete Aged Inventory History | Deletes aged inventory history from the site database.
Delete Aged Status Messages | Deletes aged status-message data from the site database.
Delete Aged Discovery Data | Deletes aged client-discovery data from the site database.
Delete Aged Collected Files | Deletes aged data regarding collected files from the site database and from the site-server folder structure.
Delete Aged Software Metering Data | Deletes aged software-metering data from the site database.
Delete Aged Software Metering Summary Data | Deletes aged software-metering summary data from the site database.
Summarize Software Metering File Usage Data | Summarizes software-metering file-usage data from multiple, highly granular records into fewer, more generalized records.
Summarize Software Metering Monthly Usage Data | Summarizes monthly software-metering usage data from multiple, highly granular records into fewer, more generalized records.
Clear Install Flag | Clears the install flag in the database for clients whose Heartbeat Discovery data records have not been updated in the specified interval, so that the Configuration Manager client reinstalls automatically by using Client Push.
Delete Inactive Client Discovery Data | Deletes inactive client-discovery data from the site database.
Delete Obsolete Client Discovery Data | Deletes obsolete client-discovery data from the site database.
Delete Aged Computer Association Data | Deletes aged user-device affinity data from the site database.
Evaluate Provisioned AMT Computer Certificates | Evaluates provisioned Active Management Technology (AMT) computer certificates.
Delete Obsolete Alerts | Deletes alerts that have been closed for a specific period.
Delete unused application revisions | Deletes unreferenced application revisions.
Delete aged log data | Deletes aged data from the replication logs, and cleans up object lock requests.
Delete aged replication tracking data | Deletes aged replication-tracking data.
Delete aged application request data | Deletes cancelled or denied application requests that are older than the specified period.
Delete Aged Devices managed by the Exchange Server Connector | Deletes all obsolete records in the Exchange partnership properties table that have a LastSuccessSyncTimeUTC earlier than the specified period. It also deletes the system records that correspond to the obsolete partnership entries if they are managed solely by Exchange.
Delete aged device wipe record | Deletes aged device-wipe records from the site database.
Delete Obsolete Forest Discovery Sites and Subnets | Deletes obsolete discovery data that the Active Directory® Forest Discovery method creates by trying to find, and then remove, sites and subnets that forest discovery has not discovered for a specific period.
Check Application Title with Inventory Information | Determines whether the correct application title displays in the Asset Intelligence catalog. It does this by matching the installed software data with catalog data, which is determined by calculating the Software Properties Hash based on the Product Name, the Publisher, and the Product Version.
Summarize installed software data | Summarizes installed software data.
Delete aged enrolled devices | Deletes aged enrolled devices from the site database.
Delete aged threat data | Deletes aged Endpoint Protection threat data from the database.
Delete aged endpoint protection health status history data | Deletes aged Endpoint Protection health-status history data from the site database.
Delete aged client operations | Deletes aged Endpoint Protection-related client operation data, such as administrator-initiated scan and definition-download requests.
Evaluate collection members | Evaluates the collection members incrementally, every five minutes by default.
Update application catalog tables | Synchronizes the Application Catalog website database cache with the latest application information.
Delete aged delete detection data | Deletes old data-change information that external systems use when extracting data from the database.
Delete aged user device affinity data | Deletes aged information about user-device affinity.
Question: Why should you delete aged-inventory history data?
Maintaining a Configuration Manager Site
Site maintenance for Configuration Manager 2012
involves several types of activities that you need
to perform to ensure that your Configuration
Manager implementation is working properly, and
that you can recover if a hardware or software
failure occurs.
The first step that you can take to configure your installation’s site maintenance is to create a
site-maintenance plan. This plan lists the configuration of the built-in site-maintenance tasks, describes
additional maintenance activities such as monitoring of the site systems and clients, and describes
recovery procedures that you must follow if a site failure occurs.
Built-in site maintenance tasks include typical maintenance features, but you should complement them
with additional tools for end-to-end maintenance and monitoring of your Configuration Manager
implementation.
Typical activities for maintaining and monitoring a Configuration Manager 2012 environment include:
• Create a site-maintenance plan. In a site-maintenance plan, you describe the:
   o Configuration of the built-in site-maintenance tasks.
   o Daily, weekly, and periodic activities that you need to perform.
   o Required custom external-maintenance tasks.
   o Configuration of the status system.
   o Configuration of alerting features.
   o Recovery procedures to use if a site failure occurs.
• Create any necessary custom maintenance tasks that are external to Configuration Manager. Custom maintenance tasks perform activities that the built-in tasks do not include. You can implement these custom tasks as scripts that the Task Scheduler runs automatically. You can use batch files or a scripting language, such as Windows PowerShell®, to implement these tasks.
• Review, configure, and enable or disable site-maintenance tasks. Review the built-in site-maintenance tasks, and then configure them, and enable or disable them according to your site-maintenance plan.
• Configure the status summarizers. Configure the status summarizers to evaluate the health of your site systems and components, based on the number and importance of status messages.
• Use the monitoring features that the Configuration Manager console includes. Use the Configuration Manager console features to monitor replication and the status of the site systems.
• Configure alerts. Configure alerts that you want to generate for errors or specific thresholds.
• Consider using System Center 2012 Operations Manager. You can use System Center 2012 Operations Manager to monitor your Configuration Manager environment.
Creating a Site-Maintenance Plan
To ensure that you do not overlook important maintenance activities, you should create a
site-maintenance plan. Typically, you create a site-maintenance plan during the implementation
of your Configuration Manager environment. It should reflect your particular implementation
architecture and your organization’s specific information technology (IT) requirements with
respect to operations.
Your site-maintenance plan should be part of your Configuration Manager implementation
documentation, along with the implementation design, and procedures for installation, configuration, and
operations. Additionally, it should include recommendations for typical maintenance activities, such as:
• Configuring and verifying site backups.
• Checking for file backlog on site servers and site systems.
• Reviewing status messages for site systems and components.
• Configuring and reviewing alerts in the console.
• Checking for failed replication communication.
• Reviewing error and warning messages that System Center 2012 Operations Manager generates, if applicable.
Site-maintenance plans can contain activities that you perform on a schedule, either manually or through
an automatic configuration. You can schedule the tasks to happen daily, weekly, or over a longer period.
The following table lists typical maintenance tasks and the suggested frequency of the tasks.
Frequency: Daily maintenance tasks
Typical maintenance tasks:
• Verify that built-in daily maintenance tasks are running successfully.
• Check the status of the Configuration Manager site database.
• Check the status of the site server.
• Check Configuration Manager site-system inboxes for backlogs.
• Check the status of the site systems.
• Check client status and health.
• Check the operating-system event logs on site systems.
• Check the SQL Server® error log.
• Check system performance.
Frequency: Weekly maintenance tasks
Typical maintenance tasks:
• Verify that built-in weekly maintenance tasks are running successfully.
• Delete unnecessary files from site systems.
• Produce and distribute end-user reports, if necessary.
• Back up and then clear application, security, and system-event logs.
• Check the size of the site database, and then verify that the site database has enough available disk space to enable growth.
• Perform SQL Server database maintenance on the site database, according to your SQL Server maintenance plan.
• Check available disk space on all site systems.
• Run disk-defragmentation tools on all site systems.
Frequency: Periodic maintenance tasks
Typical maintenance tasks:
• Review the security plan for any required changes.
• Change accounts and passwords, if necessary, according to your security plan.
• Review the maintenance plan to verify that you have scheduled maintenance tasks properly and effectively, depending on the configuration of your site settings.
• Review the design of the Configuration Manager hierarchy.
• Check network performance to ensure changes have not been made that affect site operations.
• Verify that Active Directory Domain Services (AD DS) settings affecting site operations have not changed. For example, you should ensure that no changes have been made to subnets that are assigned to Active Directory sites, and that a Configuration Manager site is using the Active Directory Forest Discovery method to create site boundaries.
• Review the disaster-recovery plan for any required changes.
• Perform a site recovery in a test lab according to the disaster-recovery plan by using a backup copy of the most recent backup snapshot that the Backup Site Server maintenance task created.
• Check hardware for any available errors or hardware updates.
For each maintenance task in the site-maintenance plan, you should assign an owner who is responsible
for performing that task. Administrative users to whom you assign the Infrastructure Administrator or
Operations Administrator security roles can perform most daily or weekly maintenance tasks.
When configuring the built-in site maintenance tasks, you must ensure that you are not scheduling the
maintenance tasks too aggressively, which can create additional processing load on your site server and
database. Conversely, ensure your schedule is not too passive, which can result in obsolete information
not being deleted. In most implementations, you should use the default schedules for the built-in
maintenance tasks.
Lesson 2
Performing Backup and Recovery of a Configuration Manager Site
Configuring the Backup Site Server task and ensuring that backups occur regularly and successfully can
help ensure that you can recover your site configuration should your site server or site database fail.
The Backup Site Server task only backs up the site database, and certain folders and registry keys from
your site server. To recover your Configuration Manager implementation completely, you may need to
include additional data in your backup, such as custom reports, content files, and custom updates. You
also need to run the planned recovery procedures in a test environment, to ensure that you can recover
all necessary data from the site.
If the AfterBackup.bat batch file is present, the Backup Site Server task attempts to run it immediately
after performing the site backup. This lesson examines how to use the AfterBackup.bat file to perform
additional backup operations. This lesson also explains how to troubleshoot your backup procedure and
results, and how to perform a site recovery from your backup.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the backup and recovery processes for Configuration Manager 2012.
• Describe the resources that you need to back up.
• Configure the Backup Site Server task.
• Describe the resources that you can use to troubleshoot the backup.
• Perform site recovery.
• Recover a primary site.
Overview of Backup and Recovery
Planning the Configuration Manager backup and
recovery processes enables you to recover from
site failure. Backup and recovery processes must
be part of your site-maintenance plans to ensure
that you can recover sites and hierarchies quickly,
with minimal data loss.
Backup Site Server Maintenance Task
The Backup Site Server maintenance task runs
on a schedule, and backs up the site database,
specific registry keys, and specific folders and files.
It does not back up all files. However, you can create the AfterBackup.bat file to perform
post-backup actions automatically after the backup-maintenance task finishes. These tasks might include
copying additional files from your site server and archiving the backup snapshot to a secure location.
Recovery Features
In case of hardware or software failure, you need to restore the site with minimal or no data loss. Site
recovery includes potentially replacing failed hardware, reinstalling the operating system and
Configuration Manager 2012, and restoring the site database from a backup.
Configuration Manager 2012 has recovery features that differ from previous versions. For example, in
Configuration Manager 2012, the Configuration Manager Setup Wizard includes a recovery option. There
is support for multiple recovery options, which the following table outlines.
Recovery option for: The site server
Recovery option available:
• Recover the site server from a backup
• Reinstall the site server
Recovery option for: The site database
Recovery option available:
• Recover the site database from a backup
• Create a new site database
• Use a site database that you recover manually
• Skip database recovery
If you have a multiple-site implementation of Configuration Manager, you can benefit from data
replication, which can minimize data loss after recovery. When recovering a site that is part of a hierarchy,
Configuration Manager uses database replication to retrieve the most current global data that the failed
site created before failure. This process minimizes data loss even when no backup is available.
When you need to recover a site, you can initiate an unattended site recovery by configuring an
unattended installation script, and then using the Setup /script command.
Volume Shadow Copy Service
The Backup Site Server maintenance task uses the Volume Shadow Copy Service (VSS) to create the
backup snapshot. By using VSS shadow copies when you run the Backup Site Server maintenance task,
you can minimize the time that site servers are offline. VSS must be available on both the site server and
the database server for the Backup Site Server maintenance task to complete successfully.
Question: How do you perform a recovery of your entire site if your site server fails?
Backing Up a Configuration Manager 2012 Site
Configuration Manager 2012 stores data in the
Microsoft® SQL Server site database, in the files
on the site server computer, and in registry keys.
To ensure that you can recover your entire
Configuration Manager environment if a site
failure occurs, you should configure the Backup
Site Server maintenance task for the central
administration site and for every primary site in
your hierarchy.
The Backup Site Server maintenance task runs
automatically, on a schedule that you configure.
When it runs, it stops the Configuration Manager
services, and then performs a backup snapshot of your site. This snapshot contains all necessary data to
perform a complete recovery, including the site database, certain folders from your Configuration
Manager installation path, and the registry settings that relate to Configuration Manager.
Backup and Recovery Scenarios
Depending on your implementation, you might not need to have a site backup to avoid data loss. In
multiple-site implementations, you might recover a primary site successfully by reinstalling it, and then
using database replication to retrieve the configuration settings that you were using before the failure.
The need for a site backup depends on the site implementation scenario, such as the following:
• A stand-alone primary site. To avoid data loss when a stand-alone primary site fails, you must have a Configuration Manager backup.
• Secondary sites. You have no built-in features for the backup and recovery of secondary sites. When a secondary site fails, you must reinstall it from the primary site server.
• A central administration site with child primary sites. You can configure the Backup Site Server task, and perform recovery of the central administration site and all primary sites. Because your hierarchy uses database replication, you can retrieve the data necessary for recovery from another site in the hierarchy. This means that you can recover a primary site even when you do not have a site backup. The benefit of having a backup is that you can restore the data by using the most recent backup, and replication only needs to retrieve changes to the data since the last backup. This reduces the amount of data that you are transferring over your network.
Configuring the Backup Site Server Task
To back up Configuration Manager sites, you must configure the Backup Site Server maintenance task
to run on a specific schedule, or it will not run. You can configure the Backup Site Server task on
central administration and primary sites only. There is no backup support for secondary sites or site
system servers.
The Backup Site Server task is implemented as a Windows service called SMS_SITE_BACKUP, which is
configured for manual startup by default. You can configure this service to run on a schedule on the site
server and database server, and the Scheduler starts it at the time for which you configure a backup to
begin. You also can start the service manually to initiate an unscheduled backup.
When the backup service starts, it follows the instructions that have been predefined in the backup
control file, smsbkup.ctl, located in <ConfigMgrInstallationFolder>\Inboxes\smsbkup.box\. You can
modify the backup control file to change the behavior of the backup service. The changes that you can
make by modifying the smsbkup.ctl file include adding files and registry keys to the list of files
and registry keys backed up by default, stopping and starting additional Windows services, and running
external programs. The Backup Site Server task writes site backup-status information to the smsbkup.log
file. Configuration Manager creates this log file automatically in the folder that you specify in the
Backup Site Server maintenance task’s Properties window.
Using the AfterBackup.bat File
You use the AfterBackup.bat file to copy additional files from your site server, archive the backup
snapshot at the end of every backup operation, and perform other post-backup tasks that the Backup Site
Server maintenance task does not perform.
After successfully backing up the site, the Backup Site Server task attempts to run the AfterBackup.bat file
automatically. If an AfterBackup.bat file exists, and is in the correct folder, the file automatically runs after
the backup task completes. You need to create the AfterBackup.bat file manually in the
<ConfigMgrInstallationFolder>\Inboxes\smsbkup folder.
To verify that the site backup task ran the AfterBackup.bat file successfully, open the Configuration
Manager console, and then click the Component Status node in the Monitoring workspace. In the results
pane, review the status messages for SMS_SITE_BACKUP. If the task initiates the AfterBackup.bat batch file
successfully, the message ID 5040 appears.
Question: What tool can you use to configure the archival of backup files that begins automatically after
the site backup completes?
Configuring the Site Backup Task
The configuration options that you choose for
the Backup Site Server task depend on your
site architecture. You need to configure the
appropriate options in the Backup Site Server
dialog box.
To configure the Backup Site Server task, perform
the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. In the Administration workspace, expand Site Configuration, and then click the Sites node.
3. Select the site for which you are configuring the Backup Site Server task.
4. On the ribbon, in the Settings group, click the Site Maintenance Tasks button.
5. In the Site Maintenance dialog box, click Backup Site Server, and then click Edit.
6. Select Enable this task, and then click Set Paths to specify the backup destination. You have the following options:
  o Local drive on site server for site data and database. You specify a folder on the site server’s local drive that stores the backup files for the site and site database. You must create this local folder before the backup task runs, and the site server’s computer account must have write access to the folder.
  o Network path (UNC name) for site data and database. You specify a shared folder in the network by using the universal naming convention (UNC) path to the location that stores the site’s backup files and the site database. You must create this network-shared folder before the backup task runs, and the site server’s computer account must have write access to the share.
  o Local drives on site server and SQL Server. You specify a path on the site server’s local drive to the location that stores the backup files for the site server. You also specify a path on the site database server’s local drive to the location that stores the backup files for the site database. You must create these local folders before the backup task runs, and the site server’s computer account must have write access to both folders. This option is available only when the site database is on a remote site system server.
7. Configure an appropriate schedule for the site backup task. As a best practice, consider a backup schedule outside of active business hours.
8. Select the Enable alerts for backup task failures check box, click OK, and then click OK. When you select this check box, Configuration Manager creates a critical alert for the backup failure. You can view it from the Alerts node in the Monitoring workspace.
What is Backed Up?
The site backup includes the following files, by default:
• The Configuration Manager site database and registry keys
• The following Configuration Manager installation folders:
  o <ConfigMgrInstallationPath>\inboxes
  o <ConfigMgrInstallationPath>\Logs
  o <ConfigMgrInstallationPath>\data
  o <ConfigMgrInstallationPath>\srvacct
  o <ConfigMgrInstallationPath>\install.map file
• The ..\HKEY_LOCAL_MACHINE\Software\Microsoft\SMS registry key
What is Not Backed Up?
The Backup Site Server task does not back up all Configuration Manager files. The backup occurs only on
the site server and the site database, and not on other site system roles, such as:
• Configuration Manager site systems and secondary sites. There is no need to back up data from site systems, such as distribution points and management points. You can reinstall these site systems easily from the site server if they fail. There is no backup support for secondary sites. You must reinstall them from the parent primary site. There is also no backup of roles, such as the state migration point. We strongly recommend using a highly available disk storage configuration (RAID 5 or better) for this type of role.
• Custom Reporting Services reports. You must back up any custom reports that you create by using Reporting Services and the database files for the report server. This enables you to recover them if a site failure occurs. You should include the following in the report server backup:
  o Source files for reports and models
  o Encryption keys
  o Custom assemblies or extensions
  o Configuration files
  o Custom SQL Server views that custom reports use
  o Custom stored procedures
• Content library. You must back up the content library so that you can restore and redistribute content to distribution points. When you initiate content redistribution, Configuration Manager copies the files from the content library on the site server to the distribution points. The content library for the site server is in the SCCMContentLib folder that typically is on the drive that had the most free disk space when you installed the site.
• Package source files. You must maintain a copy of the package source files so that you can restore them after a site failure. You then must update the content on distribution points. When you initiate a content update, Configuration Manager copies new or modified files from the package source to the content library, which then copies the files to associated distribution points.
• Windows Server Update Services (WSUS) database. You need to back up the WSUS database if you want to recover the metadata about software updates. This provides an alternative if a failure occurs. You can reinstall the software update point on a new WSUS instance. However, you will need to reconfigure the synchronization settings.
• Backup custom software updates. You must include the System Center Updates Publisher 2011 database in your backup if you use System Center Updates Publisher 2011 to perform any of the following activities:
  o Publish custom software updates to WSUS
  o Synchronize the software updates to Configuration Manager
  o Assess software-updates compliance
  o Deploy the custom software updates to clients
Performing Unscheduled Backups
You should perform unscheduled backups whenever you make changes to your Configuration Manager
environment, such as when you add new sites or site system roles.
You can perform an unscheduled backup by starting the SMS_SITE_BACKUP service on the site server.
Demonstration: Backing Up a Primary Site
In this demonstration, you will see how to configure the Backup Site Server task, and how to trigger and
monitor a backup.
Demonstration Steps
1. On LON-CFG, start the Configuration Manager Console.
2. In the Configuration Manager console, click the Administration workspace, expand Site Configuration, and then select Sites.
3. Select S01 – Adatum Site, and on the ribbon, click Settings, and then click Site Maintenance.
4. In the Site Maintenance dialog box, edit the Backup Site Server task.
5. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then click Set Paths.
6. In the Set Backup Paths dialog box, verify the option Local drive on site server for site data and database is selected, and then browse to select a folder.
7. On drive E, create a folder called Backup, and then click Select Folder.
8. In the Set Backup Paths dialog box, verify that E:\Backup appears in the box, and then click OK.
9. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start three minutes from now, verify that the Latest start time is at least one hour from now, and then click OK.
10. In the Site Maintenance dialog box, verify that the Backup Site Server task is enabled.
11. From Administrative Tools, start the Services console.
12. In the Services console, start the SMS_SITE_BACKUP service.
13. Navigate to the C:\Program Files\Microsoft Configuration Manager\Logs, and then open the smsbkup.log file in Notepad.
14. If the backup completes successfully, at the end of the smsbkup.log file, the text Backup completed appears, and then on the next line, the text STATMSG: ID=5035 appears.
15. Navigate to the E:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the database files.
16. Navigate to the E:\Backup\S01Backup\SiteServer\SMSServer folder, double-click on the SMSServer folder to open it, and then note that it contains the data, inboxes, Logs, and srvacct folders.
17. In the Configuration Manager console, in the Monitoring workspace, expand System Status, and then select the Component Status node.
18. Select the SMS_SITE_BACKUP component, and, on the ribbon, click Show Messages, and then click All.
19. Accept the default of 1 day ago.
20. In Configuration Manager Status Message Viewer, search for a message with a Message ID of 5035.
Troubleshooting a Site Backup
You can use the logs and monitoring features
that Configuration Manager includes to ensure
that the Backup Site Server task started according
to the backup schedule and that the backup
operations occur successfully.
To verify that the Backup Site Server maintenance
task finishes successfully, you can:
• Review the smsbkup.log located in <ConfigMgrInstallationFolder>\Logs, or in your backup destination folder, for any warnings and errors. When the site backup completes successfully, you will see the message, Backup completed, with a timestamp, and STATMSG: ID=5035.
• Review the timestamp on the files in the backup destination folder that the Backup Site Server maintenance task creates. Verify that the timestamp is the same as the last scheduled Backup Site Server maintenance task run time.
• Navigate to the Component Status node in the Monitoring workspace, and then review the status messages for SMS_SITE_BACKUP. If the backup has started, you will see the message ID 5055. When the site backup completes successfully, message ID 5035 appears, indicating that the site backup completed without any errors.
• Configure the Backup Site Server maintenance task to create an alert when a backup fails. You can check the Alerts node in the Monitoring workspace for these backup failure alerts.
• Review the Event Viewer logs for account and access violations. Ensure that the service account for SMS_SITE_BACKUP can access any remote locations that you specify in the SMS Backup control file and that the service account has the appropriate privileges to perform the tasks in the Configuration Manager Backup control file in the [Tasks] section. By default, the SMS_SITE_BACKUP service runs under the local system account.
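The log check from the list above can be scripted so that it runs as one of the daily maintenance tasks. The following is an added example, not part of the course material; it assumes Windows PowerShell 4.0 or later, and the function names, the MaxAgeHours threshold, and the sample log lines are hypothetical (only the two success markers come from this lesson).

```powershell
# Added example: evaluate smsbkup.log for the success markers this lesson names.
function Find-LastMatch {
    # Returns the index of the last line before $Before that matches $Pattern, or -1.
    param([string[]] $Lines, [string] $Pattern, [int] $Before)
    for ($i = $Before - 1; $i -ge 0; $i--) {
        if ($Lines[$i] -match $Pattern) { return $i }
    }
    return -1
}

function Test-SiteBackupLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $LogPath,
        # Assumed threshold (daily schedule plus slack); align it with your site-maintenance plan.
        [int] $MaxAgeHours = 26
    )

    $result = [pscustomobject]@{ LogPath = $LogPath; Healthy = $false; Reason = ''; Findings = @() }

    if (-not (Test-Path -LiteralPath $LogPath -PathType Leaf)) {
        $result.Reason = 'smsbkup.log not found'
        return $result
    }

    $lines = @(Get-Content -LiteralPath $LogPath)
    $age   = (Get-Date) - (Get-Item -LiteralPath $LogPath).LastWriteTime

    # Last completion marker, and the one before it (start of the most recent completed run).
    $lastDone = Find-LastMatch -Lines $lines -Pattern 'Backup completed' -Before $lines.Count
    $prevDone = -1
    if ($lastDone -ge 0) {
        $prevDone = Find-LastMatch -Lines $lines -Pattern 'Backup completed' -Before $lastDone
    }

    # The lesson states that STATMSG: ID=5035 appears on the line after "Backup completed".
    $hasStatus = ($lastDone -ge 0) -and
                 (($lastDone + 1) -lt $lines.Count) -and
                 ($lines[$lastDone + 1] -match 'STATMSG: ID=5035')

    # Simple text heuristic for the "warnings and errors" review; reported, not part of the verdict.
    if ($lines.Count -gt 0) {
        $runStart = $prevDone + 1
        $result.Findings = @($lines[$runStart..($lines.Count - 1)] |
            Where-Object { $_ -match '\b(error|warning|failed)\b' })
    }

    if ($age.TotalHours -gt $MaxAgeHours) {
        $result.Reason = "Log not written for more than $MaxAgeHours hours; the task may not be running"
    }
    elseif ($lastDone -lt 0) {
        $result.Reason = 'No "Backup completed" entry found'
    }
    elseif (-not $hasStatus) {
        $result.Reason = '"Backup completed" is not followed by STATMSG: ID=5035'
    }
    else {
        $result.Healthy = $true
        $result.Reason  = 'Last run completed (STATMSG: ID=5035)'
    }
    return $result
}

# Constructed sample lines, not captured from a real site.
$good = Join-Path ([IO.Path]::GetTempPath()) 'smsbkup-sample-good.log'
@(
    'Constructed: backup run started',
    'Constructed: Warning - optional file could not be copied',
    'Backup completed - constructed timestamp',
    'STATMSG: ID=5035 constructed status line'
) | Set-Content -LiteralPath $good

$bad = Join-Path ([IO.Path]::GetTempPath()) 'smsbkup-sample-bad.log'
@(
    'Constructed: backup run started',
    'Constructed: Error - snapshot could not be created'
) | Set-Content -LiteralPath $bad

Test-SiteBackupLog -LogPath $good | Format-List
Test-SiteBackupLog -LogPath $bad  | Format-List
```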
Archiving Multiple Backup Snapshots
Every time the Backup Site Server maintenance task runs, it creates a backup snapshot, and overwrites any
previous snapshot. Only one backup snapshot—the most recent one—is in the backup destination folder
at any given time. As a mitigation measure, we recommend that you archive multiple versions of the
backup snapshot, so that you can use a previous version if the most recent version becomes corrupt.
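The archiving that this topic and the earlier AfterBackup.bat topic describe could be done by a script like the following. It is an added example, not part of the course material; it assumes Windows PowerShell 4.0 or later, and the function names, the retention count, and the .sha256 manifest file are hypothetical choices. The hash manifest lets you confirm that an archived copy is intact before you rely on it for recovery.

```powershell
# Added example: keep several timestamped copies of the snapshot that each backup run overwrites.
function Save-SiteBackupSnapshot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $SnapshotPath,  # the <SiteCode>Backup folder
        [Parameter(Mandatory = $true)] [string] $ArchiveRoot,   # secure archive location
        [int] $KeepCopies = 5                                   # assumed retention count
    )
    if (-not (Test-Path -LiteralPath $SnapshotPath -PathType Container)) {
        throw "Snapshot folder not found: $SnapshotPath"
    }
    if (-not (Test-Path -LiteralPath $ArchiveRoot)) {
        New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null
    }

    $name   = Split-Path -Path $SnapshotPath -Leaf
    $target = Join-Path $ArchiveRoot ('{0}-{1}' -f $name, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    if (Test-Path -LiteralPath $target) { throw "Archive folder already exists: $target" }

    Copy-Item -LiteralPath $SnapshotPath -Destination $target -Recurse -ErrorAction Stop
    $root = (Get-Item -LiteralPath $target).FullName

    # Write a SHA-256 manifest beside the copy: "<hash>  <relative path>" per file.
    $entries = @(Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        '{0}  {1}' -f $hash, $_.FullName.Substring($root.Length + 1)
    })
    Set-Content -LiteralPath "$root.sha256" -Value $entries -Encoding UTF8

    # Prune: the timestamp format sorts by name, so everything past the newest N is removed.
    Get-ChildItem -LiteralPath $ArchiveRoot -Directory -Filter "${name}-*" |
        Sort-Object -Property Name -Descending |
        Select-Object -Skip $KeepCopies |
        ForEach-Object {
            Remove-Item -LiteralPath $_.FullName -Recurse -Force
            Remove-Item -LiteralPath "$($_.FullName).sha256" -Force -ErrorAction SilentlyContinue
        }
    return $root
}

function Test-SiteBackupArchive {
    # Recomputes hashes for one archived copy and returns a list of problems (empty when intact).
    param([Parameter(Mandatory = $true)] [string] $ArchivePath)

    $root     = (Get-Item -LiteralPath $ArchivePath).FullName
    $problems = @()
    $listed   = @{}

    foreach ($line in Get-Content -LiteralPath "$root.sha256") {
        if (-not $line) { continue }
        $hash, $rel = $line -split '  ', 2
        $listed[$rel] = $true
        $file = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $problems += "Missing: $rel"
        }
        elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $hash) {
            $problems += "Changed: $rel"
        }
    }
    foreach ($item in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel = $item.FullName.Substring($root.Length + 1)
        if (-not $listed.ContainsKey($rel)) { $problems += "Unlisted: $rel" }
    }
    return ,$problems
}

# Demo on constructed data in the temp folder; no real site files are touched.
$work = Join-Path ([IO.Path]::GetTempPath()) ('cmbackup-demo-' + [guid]::NewGuid().ToString('N'))
$snap = Join-Path $work 'S01Backup\SiteServer'
New-Item -ItemType Directory -Path $snap -Force | Out-Null
Set-Content -LiteralPath (Join-Path $snap 'constructed.txt') -Value 'constructed sample content'

$copy = Save-SiteBackupSnapshot -SnapshotPath (Join-Path $work 'S01Backup') -ArchiveRoot (Join-Path $work 'Archive')
Test-SiteBackupArchive -ArchivePath $copy     # intact copy

Add-Content -LiteralPath (Join-Path $copy 'SiteServer\constructed.txt') -Value 'modified after archiving'
Test-SiteBackupArchive -ArchivePath $copy     # modified copy

Remove-Item -LiteralPath $work -Recurse -Force
```

AfterBackup.bat can start a script like this with `powershell.exe -NoProfile -File` followed by the script path you choose. Because SMS_SITE_BACKUP runs under the local system account by default, the archive location must be writable by the site server's computer account.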
Question: What tasks can you perform to verify that the backup was successful?
Site Recovery
You must recover a System Center 2012
Configuration Manager site whenever the site
fails or data loss occurs in the site database.
You can initiate the site recovery by running the
System Center 2012 Configuration Manager Setup
Wizard or by using an unattended installation
script with the Setup /script command. Your
recovery options depend on whether you have a
backup of the System Center 2012 Configuration
Manager site and the site database.
To start the site recovery process, perform the
following procedure:
1. Start the Microsoft System Center 2012 Configuration Manager Setup Wizard by running <Configuration Manager 2012 Installation Source Path>\SMSSETUP\BIN\X64\setup.exe.
2. On the Before You Begin page, click Next.
3. On the Getting Started page, select Recover a site, and then click Next.
When performing the site recovery in System Center 2012 Configuration Manager, you must recover the
site server and the site database. If you simply want to perform site maintenance or a site reset, start the
setup from the installation path.
Site Server Recovery Options
You have the following recovery options for the failed site server:
• Recover the site server by using an existing backup. Use this option when you have a backup of the Configuration Manager site server that you created before the site failure. You can reinstall the site and reconfigure the site settings to match what they were when you backed up the site.
• Reinstall this site server. Use this option when you do not have a backup of the site server. You can reinstall the site server, and then you must specify the site settings. You must use the same site name, site code, and configurations as the failed site, if you want to recover your site successfully.
Note: When Setup detects an existing System Center 2012 Configuration Manager site on
the server, it disables the recovery options for the site server, and uses the existing Configuration
Manager site files and registry keys.
Site Database Recovery Options
At various steps during the Site Recovery Wizard, you can use the following recovery options for the site
database:
• Recover the site database by using the backup set at the following location. Use this option when you have a backup of the Configuration Manager site database that you created before the site database failure. When you have a hierarchy, Configuration Manager uses replication to retrieve from other sites the changes made to the site database after the last site database backup. When you recover the site database for a stand-alone primary site, you lose any changes made to the site since the last backup.
Note: If you select to restore the site database by using a backup set, and the site database already exists, the recovery will fail. You must delete the existing database files manually before attempting recovery.
• Create a new database for this site. Use this option when you do not have a backup of the Configuration Manager site database. When you have a hierarchy, you can create a new site database, and then use replication to recover data from other sites in the hierarchy. This recovery option is not available when you are recovering a stand-alone primary site or a central administration site that has no primary sites.
• Use a site database that you recover manually. Use this option when you recover the Configuration Manager site database by using a method other than the Backup Site Server maintenance task. When you have a hierarchy, you can create a new site database, and then use replication to recover data from other sites in the hierarchy. When you recover the site database for a stand-alone primary site, you lose any changes made to the site since the last backup.
• Skip database recovery. Use this option when the site failure did not cause data loss in the Configuration Manager site database, and you recover only the site server.
Post-Recovery Tasks
There are several post-recovery tasks that you may need to perform to complete the site recovery process:
• Reenter user account passwords. You must reenter user account passwords for the user accounts that the site specifies, because all passwords are reset during the site recovery. The accounts for which you must reset passwords are listed on the Finished page of the Setup Wizard after site recovery completes, and are saved on the recovered site server in the C:\ConfigMgrPostRecoveryActions.html file.
• Reinstall hotfixes on the recovered site server. You must reinstall any hotfixes that were applied to the site server. A list of hotfixes installed previously is on the Finished page of the Setup Wizard after the site recovery completes, and is saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
• Recover custom reports. You must reimport any custom reports that you created on Reporting Services.
• Recover content files. You must restore the content library and package source files to their original locations. The site database contains information about the content files’ storage locations on the site server, but the backup and recovery process does not back up or restore content files. You can restore these files from a file system backup of the site server.
Question: How do you recover a stand-alone primary site when the database becomes corrupt?
Demonstration: Recovering a Primary Site
Demonstration Steps
1. Run E:\ConfigMgr2012\SMSSETUP\BIN\X64\setup.exe. The System Center 2012 Configuration Manager Setup Wizard starts.
Note: To perform site recovery, you need to start the setup program from the installation media. If you want to perform a site reset only, you need to start the setup from the installation path.
2. In the Microsoft System Center 2012 Configuration Manager Setup Wizard, use the following settings to restore the site:
  o On the Getting Started page, at Available Setup Options, click Recover a site.
  o On the Site Server and Database Recovery Options page, click Recover the site database using the backup set at the following location, and then browse to the folder where the backup is stored.
  o On the Site Recovery Information page, verify that the option Recover primary site is selected.
  o On the Product Key page, select Install the evaluation edition of this product.
  o On the Microsoft Software License Terms page, select the I accept the license terms check box.
  o On the Prerequisite Licenses page, accept all prerequisite components.
  o On the Prerequisite Downloads page, select Use previously downloaded files, and then in the path box, type E:\ConfigMgr2012\Redist.
  o In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite validation to finish.
  o On the Site and Installation Settings page, click Next.
  o On the Database Information page, click Next twice.
  o On the Customer Experience Improvement Program configuration page, select I don’t want to join the program at this time, and then click Next.
  o On the Settings Summary page, click Next.
  o On the Prerequisite Check page, click Cancel. For a real system recovery, you would click Begin Install. However, for the purposes of this demonstration, you cancel the wizard.
Lesson 3
Monitoring Configuration Manager 2012 Site Systems
Configuration Manager 2012 includes monitoring and alerting features that you can use to detect and
troubleshoot critical conditions that pertain to site systems and clients. You can configure the status
system to determine the overall health of your Configuration Manager environment, based on status
messages.
For further monitoring capabilities, you can implement System Center 2012 Operations Manager, which
provides proactive server and applications monitoring and alerting. You then can use the information that
these features provide to detect and resolve critical issues.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure alerts.
• Configure the status system and summarizers.
• Describe the features of System Center 2012 R2 Operations Manager that you can use to monitor
Configuration Manager 2012 site systems.
Configuring Alerts
Configuration Manager 2012 includes an alerting
system that generates alerts in the Configuration
Manager console when it encounters specific
conditions.
You can configure alerts for:
• Endpoint Protection events for a collection. You can manually configure alerts that are generated
for different Endpoint Protection events for collections.
• Client status events for a collection. You can manually configure alerts that are generated for
different client status events for collections.
• Site System role health. You can manually configure some site system roles, such as management
points, to generate alerts when they are not healthy.
• Database replication. Configuration Manager provides an alert automatically for database replication
issues.
• Database disk space usage. Configuration Manager provides alerts automatically regarding free
database space.
• Low Sideloading activations. Configuration Manager provides alerts automatically for sideloading
activations.
• Deployments. You can manually configure alerts for deployment of applications and compliance
settings.
Alerts generate every 30 minutes by default if conditions that the alert rules include evaluate to true. You
can view all configured alert rules in the Configuration Manager console in the Monitoring workspace
under the Alerts node. Additionally, you can change the frequency with which the alerts generate.
In System Center 2012 Configuration Manager, you could create alert subscriptions only for Endpoint
Protection. Beginning with Configuration Manager 2012 SP1, you can create subscriptions for any alert.
To create a subscription, you must specify:
1. The subscription name.
2. The email addresses.
3. The alert rules for which you want to receive email messages.
Configuring the Status System
Configuration Manager 2012 generates status
messages about actions that various Configuration
Manager components perform, and about site
systems and client status. All Configuration
Manager components generate status messages.
The Configuration Manager database stores
status messages, which you can view individually
by using the Configuration Manager Status
Message Viewer. You also can aggregate status
messages by using summarizers to determine the
health of the Configuration Manager site system
or components, and to obtain statistics about
application deployment. There are four types of summarizers:
• Application Deployment Summarizer. Summarizes the status messages that pertain to application
deployments.
• Application Statistics Summarizer. Summarizes information about the installed deployment process,
so that you can create statistics.
• Component Status Summarizer. Summarizes the status messages that pertain to Configuration
Manager components, to determine their health.
• Site System Status Summarizer. Summarizes the status messages that pertain to Configuration
Manager site systems, to determine their health.
To configure the status summarizers, perform the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, select
the site.
3. On the ribbon, in the Settings group, click Status Summarizers.
4. In the Status Summarizers dialog box, select the summarizer that you want to configure, and then
click Edit.
You can use the Configuration Manager console to view the aggregated health information for site
systems and components that summarizers calculate. This information is in the Monitoring workspace,
under the System Status node. At this location, you can find the aggregated health status under the Site
Status and Component Status nodes.
You can configure status filter rules to detect critical conditions based on specific status messages, and
perform automated actions based on the conditions detected. The built-in status filter rules create events
in the Windows event logs when they detect specific status messages. You also can create custom
status-filter rules to control the processing of status messages.
To configure the status filter rules, you must perform the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, select
the site.
3. On the ribbon, in the Settings group, click Status Filter Rules.
4. In the Status Filter Rules dialog box, select the rule that you want to configure, and then click Edit.
You also can create new status-filter rules in this dialog box.
Status Reporting
By configuring status reporting, you can modify how the server and client components report status
messages to the Configuration Manager status system. You then can configure the location to which the
components send status messages. By default, the components send all status messages for All Milestones
without details to Configuration Manager, and Configuration Manager does not write the information to
event logs.
To configure the status reporting, perform the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, select the
site.
3. On the ribbon, in the Settings group, click Configure Site Components, and then click Status
Reporting.
4. In the Status Reporting Component Properties dialog box, select the level of details for Server
component status reporting and for Client component status reporting.
Note: The default reporting settings are appropriate for most environments, and you
should use caution when changing them. When you increase the level of status reporting by
choosing to report all status details, you can increase the number of status messages that are processed.
This increases the processing load on the site server and site database.
Monitoring by Using System Center 2012 R2 Operations Manager
System Center 2012 R2 Operations Manager
provides proactive server and applications
monitoring that you can use to identify the
conditions that lead to potential issues before they
affect your environment. Additionally, it provides
troubleshooting information that is specific to
detected issues. This information can help you
resolve issues more quickly.
System Center 2012 R2 Operations Manager uses
agents that you install on servers that you want to
monitor. These agents evaluate the health of
applications and services, and monitor performance. The management packs include the rules that
describe those components that agents are monitoring.
The Configuration Manager 2012 Management Pack for Operations Manager helps administrators
manage and administer Configuration Manager 2012 servers, computers, databases, services, disks,
applications, and other objects that require monitoring.
This release of the Management Pack improves Configuration Manager 2012 monitoring, and includes
the following improvements:
• Monitoring the availability status of all server roles.
• Monitoring the health status of key services.
• Monitoring SQL replication health status.
• Monitoring general central processing unit (CPU), memory, and disk-system resource usage.
• Providing a topology diagram of the Configuration Manager 2012 site hierarchy.
• Monitoring the performance trends of some Configuration Manager performance counters.
By using System Center 2012 Operations Manager, you can monitor physical hardware, operating-system
components, and core network services, such as Domain Name System (DNS), Dynamic Host
Configuration Protocol (DHCP), and AD DS. Additional management packs for monitoring applications are
available in the management-pack catalog on the Microsoft website.
Lab: Maintaining System Center 2012 Configuration Manager
Scenario
You are the network administrator for A. Datum Corporation. A. Datum has deployed System Center 2012
R2 Configuration Manager in a complex hierarchy with a central administration site, two primary sites, and
a secondary site.
You need to configure site-maintenance tasks to reduce the space that the Configuration Manager
database uses, and configure the Backup Site Server task to back up and recover a primary site.
Objectives
At the end of this lab, you will be able to:
• Configure site-maintenance tasks.
• Configure the Site Backup Task.
• Recover the site from a backup.
Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10748C-LON-DC1-C, 10748C-LON-CAS-C, 10748C-LON-CFG-C
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps two through four for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Exercise 1: Configuring maintenance tasks in Configuration Manager
Scenario
You need to configure maintenance tasks to delete aged software metering and inventory data.
The main tasks for this exercise are as follows:
1. Verify the default settings for maintenance tasks.
2. Configure the Delete Aged Inventory History task.
3. Configure the Delete Aged Software Metering Data tasks.
Task 1: Verify the default settings for maintenance tasks
1. On LON-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, click the Administration workspace, expand Site
Configuration, click Sites, and then click the S01 – Adatum Site.
3. On the ribbon, in the Settings group, click Site Maintenance.
4. In the Site Maintenance dialog box, review the tasks that are enabled by default. Notice that most
tasks pertain to database cleaning.
5. Verify the settings for the Delete Aged Discovery Data task.
Task 2: Configure the Delete Aged Inventory History task
• Configure the Delete Aged Inventory History by using the following settings:
o Delete data that has been inactive for: 365 days.
o Schedule: every Sunday between 1 AM and 3 AM.
Task 3: Configure the Delete Aged Software Metering Data tasks
1. Configure the Delete Aged Software Metering Data tasks by using the following settings:
o Delete data that has been inactive for: 7 days.
o Schedule: every day between 1 AM and 3 AM.
2. Configure the Delete Aged Software Metering Summary Data by using the following settings:
o Delete data that has been inactive for: 120 days.
o Schedule: every Saturday between 1 AM and 3 AM.
Results: At the end of this exercise, you will have configured maintenance tasks in Configuration
Manager.
Exercise 2: Configuring the Site Backup Task
Scenario
You need to configure the Backup Site Server task, trigger the backup, and then verify that the backup
completes successfully.
The main tasks for this exercise are as follows:
1. Configure the Site Backup task.
2. Trigger the backup of the site, and verify its completion.
Task 1: Configure the Site Backup task
1. On LON-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, click the Administration workspace, expand Site
Configuration, and then select Sites.
3. Select S01 – Adatum Site, and on the ribbon, click Settings, and then click Site Maintenance.
4. In the Site Maintenance dialog box, edit the Backup Site Server task.
5. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then
click Set Paths.
6. In the Set Backup Paths dialog box, verify that the option Local drive on site server for site data
and database is selected, and then browse to select a folder.
Note: In practice, you should use either Network path (UNC name) for site data and
database to save the backup on a network share, or Local drives on site server and
SQL Server if the database is installed on a separate server.
7. Create a new folder called Backup in the Local Disk (C:) drive, and then click Select Folder.
8. In the Set Backup Paths dialog box, verify that C:\Backup appears in the box, and then click OK.
9. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start three
minutes from now, and then click OK.
10. In the Site Maintenance dialog box, verify that the Backup Site Server task is enabled.
Task 2: Trigger the backup of the site, and verify its completion
1. From Server Manager, start the Services console.
2. In the Services console, start the SMS_SITE_BACKUP service.
3. Navigate to the C:\Program Files\Microsoft Configuration Manager\Logs, and then open the
smsbkup.log file in Notepad.
4. If the backup occurs successfully, in the smsbkup.log file, the text Backup completed appears, and
then, on the next line, the text STATMSG: ID=5035 appears.
5. Navigate to the C:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the
database files.
6. Navigate to the C:\Backup\S01Backup\SiteServer folder, double-click on the SMSServer folder to
open it, and then note that it contains the data, inboxes, Logs, and srvacct folders.
7. In the Configuration Manager console, in the Monitoring workspace, expand System Status, and
then select the Component Status node.
8. Select the SMS_SITE_BACKUP component, and, on the ribbon, click Show Messages, and then click
All.
9. Accept the default of 1 day ago.
10. In the Configuration Manager Status Message Viewer, search for a message with a Message ID of
5035.
Note: When site backup completes successfully, message ID 5035 appears. This indicates
that the site backup completed without any errors.
11. Close the Configuration Manager Status Message Viewer.
12. Close the Configuration Manager console.
Results: At the end of this exercise, you should have performed a backup for the Configuration Manager
site.
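The manual checks in Task 2 (the two lines in smsbkup.log and the contents of the backup folders) can be scripted so that every scheduled backup is verified before it is needed for a recovery. The following PowerShell is an added example, not part of the course material: the function name Test-SiteBackup, the -MaxAgeHours threshold and the demo files are assumptions, while the default paths and log strings are the ones used in the lab.

```powershell
# Added example, not part of the course material. Test-SiteBackup and -MaxAgeHours are
# assumed names; the default paths and the log strings are the ones used in the lab.
function Test-SiteBackup {
    [CmdletBinding()]
    param(
        [string]$LogPath    = 'C:\Program Files\Microsoft Configuration Manager\Logs\smsbkup.log',
        [string]$BackupRoot = 'C:\Backup\S01Backup',
        [int]$MaxAgeHours   = 24    # assumption: oldest backup that is still acceptable
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # 1. The most recent "Backup completed" line must be followed by STATMSG: ID=5035.
    if (-not (Test-Path -LiteralPath $LogPath -PathType Leaf)) {
        $problems.Add("Log file not found: $LogPath")
    } else {
        $lines = @(Get-Content -LiteralPath $LogPath)
        $last = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match 'Backup completed') { $last = $i }
        }
        if ($last -lt 0) {
            $problems.Add('smsbkup.log has no "Backup completed" entry')
        } elseif (($last + 1) -ge $lines.Count -or $lines[$last + 1] -notmatch 'STATMSG: ID=5035\b') {
            $problems.Add('"Backup completed" is not followed by STATMSG: ID=5035')
        }
    }

    # 2. SiteDBServer must hold non-empty, recent database files. The age check catches
    #    the case where an old success is still in the log but later backups stopped.
    $dbDir = Join-Path $BackupRoot 'SiteDBServer'
    if (-not (Test-Path -LiteralPath $dbDir -PathType Container)) {
        $problems.Add("Missing folder: $dbDir")
    } else {
        $dbFiles = @(Get-ChildItem -LiteralPath $dbDir -File)
        if ($dbFiles.Count -eq 0) {
            $problems.Add("No database files in $dbDir")
        } else {
            foreach ($f in $dbFiles) {
                if ($f.Length -eq 0) { $problems.Add("Zero-length file: $($f.FullName)") }
            }
            $newest = $dbFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if ($newest.LastWriteTime -lt (Get-Date).AddHours(-$MaxAgeHours)) {
                $problems.Add("Newest database file is older than $MaxAgeHours hours")
            }
        }
    }

    # 3. SiteServer\SMSServer must contain the four folders that the lab lists.
    $smsDir = Join-Path (Join-Path $BackupRoot 'SiteServer') 'SMSServer'
    foreach ($name in 'data', 'inboxes', 'Logs', 'srvacct') {
        $path = Join-Path $smsDir $name
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            $problems.Add("Missing folder: $path")
        }
    }

    [pscustomobject]@{ Healthy = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed demo data so the check runs anywhere: a temp folder laid out like the lab backup.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('S01Backup-demo-' + [guid]::NewGuid())
foreach ($sub in 'SiteDBServer', 'SiteServer\SMSServer\data', 'SiteServer\SMSServer\inboxes',
                 'SiteServer\SMSServer\Logs', 'SiteServer\SMSServer\srvacct') {
    New-Item -ItemType Directory -Path (Join-Path $demo $sub) -Force | Out-Null
}
Set-Content -LiteralPath (Join-Path $demo 'SiteDBServer\demo.mdf') -Value 'constructed placeholder'
$log = Join-Path $demo 'smsbkup.log'
Set-Content -LiteralPath $log -Value @('Backup completed', 'STATMSG: ID=5035')   # constructed lines

# Complete backup: Healthy is reported and Problems is empty.
Test-SiteBackup -LogPath $log -BackupRoot $demo

# Incomplete backup: remove one required folder and list what the check reports.
Remove-Item -LiteralPath (Join-Path $demo 'SiteServer\SMSServer\srvacct') -Recurse -Force
(Test-SiteBackup -LogPath $log -BackupRoot $demo).Problems

Remove-Item -LiteralPath $demo -Recurse -Force
```

Run without parameters on the site server, the function checks the lab's real log and C:\Backup\S01Backup; a scheduled task can alert on Healthy being false.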
Exercise 3: Recovering a Site from a Backup
Scenario
You need to use the Site Recovery Wizard to recover the site from a backup.
The main tasks for this exercise are as follows:
1. Use the Site Recovery wizard to recover a site from backup.
2. To prepare for the next module.
Task 1: Use the Site Recovery wizard to recover a site from backup
1. On LON-CFG, run E:\ConfigMgr2012R2\SMSSETUP\BIN\X64\setup.exe. The System Center 2012
R2 Configuration Manager Setup Wizard starts.
2. In the Microsoft System Center 2012 R2 Configuration Manager Setup Wizard, use the following
settings to restore the site:
o On the Getting Started page at Available Setup Options, click Recover a site.
o On the Site Server and Database Recovery Options page, click Recover the site database
using the backup set at the following location, and then browse to select the
C:\Backup\S01Backup folder. This folder stores the backup that you performed in the previous
exercise.
o On the Site Recovery Information page, verify that the option Recover primary site is
selected.
o On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
o On the Microsoft Software License Terms page, click the I accept these license terms check
box, and then click Next.
o On the Prerequisite Licenses page, accept all prerequisite components.
o On the Prerequisite Downloads page, select Use previously downloaded files, and then
specify E:\ConfigMgr2012R2\Redist as the location.
o On the Site and Installation Settings page, click Next.
o On the Database Information page, accept the default settings.
o On the Customer Experience Improvement Program configuration page, select I don’t want
to join the program at this time, and then click Next.
o Complete the wizard by using the default options. At the Prerequisite Check step, click Cancel,
and then click Yes.
Note: It takes time to restore the site. Therefore, for expediency in this lab, you cancel the
restoration process.
Task 2: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Results: At the end of this exercise, you should have recovered the Configuration Manager 2012 R2
primary site.
Question: How do you configure a site backup?
Question: How do you perform site recovery?
Question: What can you do to keep your Configuration Manager database as small as
possible?
Module Review and Takeaways
Review Questions
Question: For what purposes do you use the AfterBackup.Bat file?
Question: What factors determine how frequently you should perform a backup?
Question: Under what circumstances should you perform unscheduled backups?
Question: How can you minimize data loss when you do not perform backups?
Module 9
Migrating to System Center 2012 R2 Configuration Manager
Contents:
Module Overview
Lesson 1: Overview of the Migration Process
Lesson 2: Preparing Configuration Manager 2007 Sites for Migration
Lesson 3: Configuring Migration Settings
Lesson 4: Migrating Objects
Lesson 5: Upgrading Configuration Manager 2012 to Configuration Manager 2012 with SP1 and then to System Center 2012 R2 Configuration Manager
Lab: Migrating from System Center Configuration Manager 2007 to System Center 2012 Configuration Manager
Module Review and Takeaways
Course Evaluation
Module Overview
Microsoft® System Center 2012 Configuration Manager provides a rich feature set that you can use to
migrate objects from Microsoft® System Center Configuration Manager 2007 through Configuration
Manager 2012 to System Center 2012 R2 Configuration Manager. In addition, it provides the necessary
tools for restructuring your site hierarchy during migration.
Differences between Configuration Manager 2007 site architecture and Configuration Manager 2012 site
architecture may require you to perform site consolidation when performing migration. Using the built-in
migration functionality, you can migrate objects from any source site in the Configuration Manager 2007
hierarchy to the central administration site in the Configuration Manager 2012 hierarchy. From the central
administration site, the migrated objects are replicated as global data to all sites in the hierarchy.
Using the Migration Job Wizard, you can migrate different types of objects such as collections,
advertisements, software packages, software updates, Asset Intelligence customizations, operating system
deployment objects, desired configuration management objects, and software metering rules.
Objectives
After completing this module, you will be able to:
• Describe the migration process from Configuration Manager 2007 to Configuration Manager 2012.
• Prepare Configuration Manager 2007 sites for migration.
• Configure migration settings.
• Migrate objects.
• Upgrade a Configuration Manager site to System Center 2012 R2 Configuration Manager.
Lesson 1
Overview of the Migration Process
The migration process from Configuration Manager 2007 to Configuration Manager 2012 includes
configuring the source hierarchy, configuring additional source sites, configuring shared distribution
points, migrating collections, migrating objects by type, monitoring the migration process, and migrating
Configuration Manager clients. When the migration process is completed, you perform migration data
cleanup by removing the configuration of the source hierarchy.
In this lesson, you will review the migration process, review the types of objects that can be migrated,
discuss the restrictions for migrating collections, and analyze consolidation requirements for migrating
primary sites.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the migration process.
• Describe the types of objects that can be migrated.
• Describe the restrictions imposed on collections.
• Describe the need for consolidating primary sites.
Overview of the Migration Process
There are two ways to move your existing
Configuration Manager environment to System
Center 2012 R2 Configuration Manager: you can
perform an upgrade or a migration. The upgrade
option applies only to versions of Configuration
Manager 2012. You can upgrade System Center
2012 Configuration Manager without a service
pack to System Center 2012 Configuration
Manager with SP1, which you can then upgrade
to System Center 2012 R2 Configuration Manager.
You cannot perform an in-place upgrade from
System Center 2012 Configuration Manager
without a service pack to System Center 2012 R2 Configuration Manager directly.
When you migrate a Configuration Manager 2007 hierarchy to a Configuration Manager 2012 hierarchy,
you always perform a side-by-side migration. You install a fully functional Configuration Manager 2012
hierarchy in the same network environment as the Configuration Manager 2007 hierarchy, select and
migrate objects in batches, and lastly, migrate clients. By using the migration approach, you minimize the
risks associated with an in-place upgrade. Additionally, if the Configuration Manager 2012 installation
fails, you can discard the new installation easily and revert to the previous source hierarchy.
By performing a side-by-side migration, you also have the opportunity to consolidate sites. This is because
the Configuration Manager 2012 hierarchy can have a maximum of three site levels made up of the
central administration site, one level of primary sites below that, and a level of secondary sites below the
primary sites. If you have primary sites that are child sites of primary sites in the Configuration Manager
2007 hierarchy, you need to restructure your hierarchy when migrating to Configuration Manager 2012.
Primary sites cannot be the child sites of other primary sites in Configuration Manager 2012. This is a
significant change from all prior versions of Configuration Manager.
You cannot migrate secondary sites in-place. If you want to reuse the same server hardware, you must
first uninstall secondary sites from Configuration Manager 2007 before installing them in Configuration
Manager 2012. You can also convert secondary sites from Configuration Manager 2007 to distribution
points in Configuration Manager 2012. This provides the advantages of hierarchical simplification in cases
of reasonable bandwidth with fewer than a thousand clients at the former secondary site locations.
You can upgrade clients by using any of the client installation methods, including Client Push, Group
Policy installation, logon script, or manual installation. After you upgrade, the Configuration Manager
clients maintain the execution history for advertisements.
The migration process has two uses: migrating from an existing Configuration Manager 2007 site and
consolidating existing Configuration Manager 2012 hierarchies. The following table lists the source
hierarchies that you can migrate and the hierarchy version to which you can migrate them. Permitted
migrations to and from Configuration Manager 2012 with SP1 and newer can be very useful when you
are moving from a lab or staging environment into production. It is also useful in hierarchy simplification
through merger scenarios. This migration capability was added in System Center Configuration Manager
2012 with SP1.
Source hierarchy | Destination hierarchy
Configuration Manager 2007 SP2 or R3 | System Center 2012 Configuration Manager with no service pack
Configuration Manager 2007 SP2 or R3; System Center 2012 Configuration Manager with SP1 | System Center 2012 Configuration Manager with SP1
Configuration Manager 2007 SP2 or R3; System Center 2012 R2 Configuration Manager | System Center 2012 R2 Configuration Manager
You perform the following steps for a typical migration process:
1. Configure the source hierarchy. In the first step of the migration process, you configure the source
hierarchy by specifying the top-level site in the Configuration Manager 2007 implementation. This
site also becomes a source site for migrating Configuration Manager objects.
2. Configure additional source sites. You can specify additional source sites that contain objects you
want to migrate. You can configure only source sites that are under the top-level site that you
configured in the previous step. When migrating a Configuration Manager 2012 site to a new
Configuration Manager 2012 site, you do not need to configure additional source sites for child
sites, since the Client Access server site database contains all of the objects that you can replicate.
3. Configure distribution point sharing. In this optional step, you configure a Configuration Manager
2007 distribution point so that it is visible to Configuration Manager 2012 clients after migration.
You use this approach to make packages available to Configuration Manager 2012 clients without
distributing the content to the Configuration Manager 2012 distribution points.
4. Migrate collections and associated objects. You create a migration job to migrate collections and
associated objects, such as advertisements or packages.
5. Migrate objects by type. You select the types of objects to migrate, including boundaries, Asset
Intelligence customizations, software updates, operating system deployment objects, desired
configuration management baselines and configuration items, and software metering rules.
6. Migrate Configuration Manager clients. You can use any of the client installation methods to upgrade
the client to the Configuration Manager 2012 version in place. This process maintains the client
execution history.
7. Convert secondary sites to distribution points. In this optional step, you can convert Configuration
Manager 2007 secondary sites to Configuration Manager 2012 distribution points. The Upgrade
Shared Distribution Point Wizard uninstalls the secondary site and then configures the server as a
distribution point in Configuration Manager 2012, while maintaining the content on the distribution
point.
After migration, you should:
1. Remove distribution point sharing. After you migrate all Configuration Manager clients to the
Configuration Manager 2012 version, you can remove the distribution point sharing.
2. Remove the source hierarchy configuration and decommission the old hierarchy. This is the last
step in the migration process. After you ensure that you have migrated all of the necessary objects,
remove the source hierarchy configuration and then decommission the Configuration Manager 2007
hierarchy.
Note: You cannot reuse any site codes in a migration. You must provide unique site codes
across Configuration Manager 2007 and Configuration Manager 2012 hierarchies.
Types of Objects You Can Migrate
The majority of object types are supported for
migration from Configuration Manager 2007 to
Configuration Manager 2012. When you create a
migration job, you can select which objects you
want to migrate. The following table lists the types
of objects that you can migrate.
Object | What you can migrate
Collections | You can migrate query-based or direct membership collections with the following restrictions:
• You cannot migrate mixed collections (which contain both users and devices).
• You migrate collections that have the membership limited to other collections as individual collections with additional inclusion rules.
Advertisements | You can migrate existing advertisements for packages, software updates, or task sequences so that the Configuration Manager 2012 clients receive them. Advertisements migrated from Configuration Manager 2007 become deployments in Configuration Manager 2012.
Boundaries | You can migrate the existing boundaries to Configuration Manager 2012. You need to assign the boundaries to boundary groups to use them for client assignment or content lookup in Configuration Manager 2012.
Software distribution packages | You can migrate software distribution packages. We recommend that you configure the package source using a Universal Naming Convention (UNC) path to minimize the need for reconfiguring the package source after migration.
Virtual application packages | You can migrate the virtual application packages to Configuration Manager 2012 applications. Any existing advertisements of virtual application packages are not migrated.
Software updates | To migrate objects related to software updates, first you need to configure a software update point in Configuration Manager 2012, and then you synchronize software update metadata with the same sync source as the source hierarchy uses. After you do this, you can migrate the following types of objects:
• Deployments
• Deployment packages
• Templates
• Software update lists
Asset Intelligence customizations | You can migrate any customizations you made to the Asset Intelligence catalog, including custom categories, software families, labels, hardware requirements, and software lists.
Operating system deployment | You can migrate the following types of objects that you use in operating system deployment:
• Boot images
• Driver packages
• Drivers
• Images
• Packages
• Task sequences
Desired configuration management | You can migrate configuration baselines and configuration items you have created previously in Configuration Manager 2007.
Software metering rules | You can migrate software metering rules, but not the metering history.
The following types of objects cannot be migrated using the included Configuration Manager migration
tools:
• Queries
• Security rights and instances for the site and objects
• Configuration Manager 2007 web reports or Microsoft SQL Server® Reporting Services (SSRS) reports
• Client inventory and history data (from the site database); however, clients maintain execution history
• Intel Active Management Technology (AMT) client provisioning information
• Files in the client cache
SSRS reports can be migrated outside of the Configuration Manager migration process. If there are
reports that you want to migrate you can export the Report Definition Language (.RDL) files from the SSRS
in your Configuration Manager 2007 environment and import them into the SSRS in your new
environment.
Collection Restrictions
When you migrate collections that are linked
to other collections or that have subcollections,
Configuration Manager 2012 creates multiple
objects in either the User Collections node or the
Device Collections node:
• In the root of the appropriate node,
Configuration Manager 2012 creates a
collection named after the parent collection.
This collection is populated by any members
from the parent collection only.
• In the root of the appropriate node,
Configuration Manager 2012 creates a
collection named Migrated Collection <parent collection name> and subcollections. The membership
rules include the parent and subcollections that were migrated.
• In the root of the appropriate node, Configuration Manager 2012 creates a folder with the parent
collection’s name. Located under this folder are the migrated subcollections of the migrated parent
folder.
You cannot migrate collections that contain a reference to a collection of a different resource type.
In Configuration Manager 2007, empty collections (collections that have no associated resources) are used
to organize other collections. When you migrate an empty collection, it converts to an organizational
folder that contains no users or devices.
You cannot migrate mixed collections that contain both users and devices because Configuration
Manager 2012 does not support them. To migrate mixed collections, you must create individual
collections that contain only users or only devices.
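One way to find mixed collections before you create migration jobs, shown as an added PowerShell example that is not part of the course material. The function names, the site code XYZ, and the collection IDs are constructed placeholders. The check uses current membership from the SMS Provider class SMS_FullCollectionMembership, so a collection whose rules target both users and devices but that currently has no members is not reported.

```powershell
# Added example: report Configuration Manager 2007 collections whose current
# membership contains both device and user resources (mixed collections).

# ResourceType values returned by the SMS Provider:
#   5 = system (device), 4 = user, 3 = user group
function Find-MixedCollection {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Membership   # objects exposing CollectionID and ResourceType
    )
    $Membership | Group-Object -Property CollectionID | ForEach-Object {
        # Distinct resource types present in this collection
        $types = @($_.Group | ForEach-Object { [int]$_.ResourceType } | Sort-Object -Unique)
        $hasDevice = $types -contains 5
        $hasUser   = ($types -contains 4) -or ($types -contains 3)
        if ($hasDevice -and $hasUser) {
            New-Object PSObject -Property @{
                CollectionID  = $_.Name
                ResourceTypes = ($types -join ',')
                Members       = $_.Count
            }
        }
    }
}

# Reads membership rows from the source site through the SMS Provider.
# The account running this needs Read permission to the source site objects.
function Get-SourceCollectionMembership {
    param(
        [Parameter(Mandatory = $true)][string]$SiteServer,
        [Parameter(Mandatory = $true)][string]$SiteCode
    )
    Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" `
        -Query 'SELECT CollectionID, ResourceType FROM SMS_FullCollectionMembership'
}

# Constructed sample rows (not real data) so the logic can be tried offline.
$sample = @(
    New-Object PSObject -Property @{ CollectionID = 'XYZ00011'; ResourceType = 5 }
    New-Object PSObject -Property @{ CollectionID = 'XYZ00011'; ResourceType = 5 }
    New-Object PSObject -Property @{ CollectionID = 'XYZ00012'; ResourceType = 4 }
    New-Object PSObject -Property @{ CollectionID = 'XYZ00012'; ResourceType = 3 }
    New-Object PSObject -Property @{ CollectionID = 'XYZ00013'; ResourceType = 5 }
    New-Object PSObject -Property @{ CollectionID = 'XYZ00013'; ResourceType = 4 }
    New-Object PSObject -Property @{ CollectionID = 'XYZ00014'; ResourceType = 3 }
    New-Object PSObject -Property @{ CollectionID = 'XYZ00014'; ResourceType = 5 }
)

Find-MixedCollection -Membership $sample |
    Format-Table CollectionID, ResourceTypes, Members -AutoSize

# Against a live source site (server name and site code are placeholders):
# $rows = Get-SourceCollectionMembership -SiteServer 'LON-CM7.Adatum.com' -SiteCode 'XYZ'
# Find-MixedCollection -Membership $rows
```

Each collection reported needs to be split into a user-only and a device-only collection before it can be selected in a migration job.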
Typically, Configuration Manager 2007 used empty collections with no rules to organize other collections.
In Configuration Manager 2012, you can migrate empty collections as folders.
The collections must be independent of one another in Configuration Manager 2012 to avoid circular
references, because collections are evaluated at all primary sites in the hierarchy. For example, if you have
a collection called New York, containing all clients from New York, with two subcollections called Servers
and Desktops, and you migrate all of them to Configuration Manager 2012, the result is three
independent collections.
You can add additional inclusion rules to the Servers and Desktops collections to ensure that they have
the same membership after migration. If the top-level collection has no membership rules or targeted
advertisements, the New York collection will migrate to a folder in Configuration Manager 2012. The
subcollections Servers and Desktops will migrate as collections with additional inclusion rules in the New
York folder.
Consolidation Requirements for Primary Sites
In Configuration Manager 2012, a primary site
cannot be the child of another primary site; it can
only be a child of the central administration site.
Similarly, a secondary site must have a primary site
as its parent site. Due to these restrictions, the
hierarchy model in Configuration Manager 2012
can have a maximum of three levels:
• Central administration site. Situated
at the top level of the hierarchy, the
central administration site maintains the
configuration for the entire hierarchy.
• Primary sites. You use primary sites to
manage clients.
• Secondary sites. You use secondary sites to manage client communication traffic on slow wide area
network (WAN) links.
A Configuration Manager 2007 hierarchy can have more than three levels. For instance, a primary site can
have another primary site as its parent. When you migrate to Configuration Manager 2012, you need to
consolidate any primary site that is a child of another primary site.
You cannot assign clients that you assigned to central primary sites in Configuration Manager 2007 to the
central administration site in Configuration Manager 2012. This is because the central administration site
cannot have assigned clients. You need to reassign the clients that were assigned to the central site in
Configuration Manager 2007 to another primary site in the Configuration Manager 2012 hierarchy.
You cannot migrate secondary sites directly to Configuration Manager 2012. For any existing secondary
sites in the Configuration Manager 2007 hierarchy, you need to perform one of the following actions:
• Uninstall the sites, and then reinstall them as new secondary sites in Configuration Manager 2012.
• Convert the sites to distribution points in the new Configuration Manager 2012 installation.
Lesson 2
Preparing Configuration Manager 2007 Sites for Migration
To migrate objects from Configuration Manager 2007 to Configuration Manager 2012, you need to
ensure that both the source and destination hierarchies meet certain prerequisites.
In this lesson, you will review the preparation steps that you must perform on Configuration Manager
2007 sites to ensure successful migration of objects. You will also review the prerequisites for configuring
source sites and running migration jobs.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the steps for preparing Configuration Manager 2007 sites for migration.
• Describe the prerequisites for migration from Configuration Manager 2007 to Configuration Manager
2012.
Preparing Configuration Manager 2007 Sites for Migration
To ensure a successful migration, you should
review your Configuration Manager 2007
hierarchy settings and make changes as required.
Not all of the changes described below are
required to perform the migration; however,
they help streamline the migration process.
Consider the following points when reviewing
your Configuration Manager 2007 hierarchy
settings:
• You must install Configuration Manager 2007
with SP2 or Configuration Manager 2007 R3
for all source sites. You need to upgrade all
Configuration Manager 2007 sites in the source hierarchy to Configuration Manager 2007 SP2.
Additionally, if you installed Configuration Manager 2007 R2 or R3, you can migrate Microsoft
Application Virtualization (App-V) packages.
• Migration is an opportunity to restructure the hierarchy configuration, because a Configuration
Manager 2012 hierarchy can have a maximum of three levels. Primary sites cannot have other primary
sites as child sites in Configuration Manager 2012. Therefore, you must migrate all of the objects in
your Configuration Manager 2007 hierarchy from the multiple primary sites that are in a parent-child
relationship to a single primary site in your new Configuration Manager 2012 hierarchy.
• Configuration Manager 2012 requires Windows Server® 2008 or newer, SQL Server 2008 or newer,
and 64-bit systems. While it is not necessary to upgrade the source hierarchy to use these versions,
you should test them to ensure that your organization environment supports them before installing
the new Configuration Manager 2012 hierarchy.
• Consider implementing Microsoft BranchCache® in Configuration Manager 2007 R2 as an alternative
to using distribution points. You can use BranchCache after migrating to Configuration Manager
2012.
• In some organizations, it can take a long time to acquire additional server hardware to implement
your Configuration Manager 2012 hierarchy. You can speed up the migration process by using server
virtualization technologies, which enable the rapid creation of new virtual servers.
• Mixed collections and subcollections may require changes to their collection definitions to enable
migration to Configuration Manager 2012.
• You should configure all software packages with a UNC path to reduce the need for reconfiguration
after you migrate them.
• All site codes need to be unique throughout the source and destination hierarchies.
• You should remove any references to SMSSITECODE=AUTO. All site codes should be explicitly stated.
The use of SMSSITECODE=AUTO was encouraged in earlier versions of Configuration Manager, but
this practice can cause the loss of a client’s management point when migrating.
Configuration Manager 2007 Prerequisites for Migration
To perform migration, prepare Configuration
Manager 2007 sites to meet prerequisites by:
• Updating Configuration Manager 2007
at all source sites with Service Pack 2 or
Configuration Manager 2007 R3.
• Configuring the following two user
accounts in Configuration Manager 2012 with
permissions in each source site that you want
to migrate:
  o The Source Site SMS Provider Account.
    This account requires Read permission to
    all source site objects.
  o The Source Site SQL Server Account. This account requires Read and Execute permissions to the
    source site database.
Note: Use the computer account for the Source Site SMS Provider Account and the Source
Site SQL Server Account rather than a user account.
• Opening the following network protocols and ports in the firewalls between the Configuration
Manager 2007 site and the Configuration Manager 2012 site:
  o NetBIOS/Server Message Block (SMB), 445 (TCP)
  o Remote Procedure Call (RPC) (WMI), 135 (TCP)
  o SQL Server, 1433 (TCP)
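A reachability check for the three ports listed above, meant to be run from the Configuration Manager 2012 top-level site server; this is an added PowerShell example, not part of the course material. The function names are hypothetical, and LON-CM7.Adatum.com is the source site server name used in this course's demonstration. A successful connect shows only that the firewall passes the port, not that the migration accounts have the required permissions.

```powershell
# Added example: verify that the firewall between the Configuration Manager 2012
# site and the Configuration Manager 2007 source site passes the listed TCP ports.
# Uses System.Net.Sockets.TcpClient so it also runs on older Windows PowerShell hosts.

function Test-MigrationPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false            # no answer in time: filtered or host down
        }
        $client.EndConnect($async)   # throws when the connection was refused
        return $true
    }
    catch {
        return $false                # refused, unreachable, or name not resolved
    }
    finally {
        $client.Close()
    }
}

function Get-MigrationPortStatus {
    param(
        [Parameter(Mandatory = $true)][string]$SourceSiteServer
    )
    # Ports and protocols exactly as listed in the prerequisites
    $requiredPorts = @(
        @{ Port = 445;  Purpose = 'NetBIOS/SMB' },
        @{ Port = 135;  Purpose = 'RPC (WMI)' },
        @{ Port = 1433; Purpose = 'SQL Server' }
    )
    foreach ($entry in $requiredPorts) {
        New-Object PSObject -Property @{
            Server    = $SourceSiteServer
            Port      = $entry.Port
            Purpose   = $entry.Purpose
            Reachable = (Test-MigrationPort -ComputerName $SourceSiteServer -Port $entry.Port)
        }
    }
}

# Source site server name taken from the course demonstration
Get-MigrationPortStatus -SourceSiteServer 'LON-CM7.Adatum.com' |
    Select-Object Server, Port, Purpose, Reachable |
    Format-Table -AutoSize
```

Limit the firewall rule to the two site servers involved; any row with Reachable set to False identifies the rule that is still missing.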
Configuration Manager 2012 Prerequisites for Migration
You cannot perform an in-place upgrade
of an existing Configuration Manager 2007
infrastructure to System Center 2012
Configuration Manager. Instead, you must
perform a side-by-side migration by installing
a Configuration Manager 2012 hierarchy on
different systems than the Configuration Manager
2007 site installation.
Before you begin migration, you need to install
and configure your Configuration Manager 2012
hierarchy in the same network environment as
your existing Configuration Manager 2007
implementation. The new hierarchy can be one of the following:
• Multiple-site. Install a central administration site and then install at least one primary site in the
hierarchy.
• Stand-alone primary site. Install a single primary site, which will be the only primary site in the
hierarchy.
Before migrating, ensure that the following Configuration Manager 2012 migration prerequisites are
complete:
• Use an account in the Configuration Manager 2012 hierarchy that has the Full Administrator security
role, so that you can create objects in any site in the Configuration Manager 2012 hierarchy.
• Configure a software update point in your Configuration Manager 2012 hierarchy. Synchronize the
software update metadata using the same source as the existing software update point in your
Configuration Manager 2007 hierarchy. This enables you to migrate software updates.
• Configure at least one Configuration Manager 2012 primary site, or the central administration site, to
use the same port numbers as the original Configuration Manager 2007 source site. In this way, client
requests are directed properly. In addition, client requests can use shared distribution points from the
Configuration Manager 2007 site.
• Assign Site Delete permissions to the Source Site Access Account on the source site to remove the
distribution points automatically from the Configuration Manager 2007 site during migration.
Lesson 3
Configuring Migration Settings
Your first step in the migration process is to configure the source hierarchy by specifying the top-level site
in your Configuration Manager 2007 hierarchy.
After you have configured the source hierarchy, the migration data gathering process begins. It collects
information about sites, and objects within those sites, in the Configuration Manager 2007 hierarchy
starting from the top-level site that you specified. The top-level site is configured as a source site
containing objects to be migrated.
You can configure additional sites from the Configuration Manager 2007 hierarchy as source sites, which
makes it possible to migrate objects from these sites to Configuration Manager 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the process of configuring a source hierarchy.
• Describe the data gathering process.
• Describe how you can use multiple-source hierarchies in the migration process.
• Describe the process for configuring distribution point sharing.
• Describe how you can migrate secondary sites to distribution points in the Configuration Manager
2012 hierarchy.
Process of Configuring the Source Hierarchy
The source hierarchy is the set of Configuration
Manager 2007 sites that contain objects that you
want to migrate to Configuration Manager 2012.
To configure the source hierarchy, you must input
the following information in the Specify Source
Hierarchy dialog box:
• The fully qualified domain name (FQDN) of
the top-level Configuration Manager 2007
site server.
• The Source Site Account you use to connect
to the SMS Provider of the source site.
• The Source Site Database Account you use to connect to the site database of the source site.
When you configure a Configuration Manager 2007 site as the top-level site, you can migrate objects
from it and from any child primary sites. You can migrate objects from only the site that you selected, in
addition to sites that are under the source site, so we recommend selecting the site located at the top of
the Configuration Manager 2007 hierarchy. This is called a central site.
Configuration Manager 2012 uses these settings to retrieve information about objects and distribution
points from the source site. During the data gathering process, child sites in the Configuration Manager
2007 hierarchy are identified. Then you can configure these sites as source sites for migration.
You can configure multiple instances of source hierarchies. However, only one source hierarchy can be
active at a given time. If you configure an additional source hierarchy before you complete migration
from the active source hierarchy, it cancels any active migration jobs and postpones any scheduled
migration jobs. The newly configured source hierarchy becomes the active source hierarchy. You can
configure connection credentials, source sites, and migration jobs for the current active source hierarchy.
To configure a source hierarchy, perform the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand Migration, and then click the Source Hierarchy node.
3. On the ribbon, click Specify Source Hierarchy.
4. In the Specify Source Hierarchy dialog box:
  o Select New source hierarchy for the active source hierarchy.
  o Type the name of the top-level Configuration Manager 2007 site server.
  o Configure the Source Site Account.
  o Configure the Source Site Database Account.
Demonstration: Configuring the Source Hierarchy
In this demonstration, you will see how to configure the source hierarchy.
Demonstration Steps
1. On LON-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, under the Migration node,
click the Source Hierarchy node, and then on the ribbon, click Specify Source Hierarchy.
3. In the Specify Source Hierarchy dialog box, use the following settings to configure the source
hierarchy:
  o In the Top-level Configuration Manager site server box, type LON-CM7.Adatum.com.
  o Under Specify the Source Site Account to use to access the SMS Provider for the source site
    server. This account requires Read permissions to all source site objects, verify that User
    Account is selected, and then use Set to configure a new account with the following information:
    ▪ In the User name box, type Adatum\Administrator.
    ▪ In the Password and Confirm password boxes, type Pa$$w0rd.
    ▪ Use Verify and Test connection to validate the credentials and connection to source site.
  o Under Specify the Source Site Database Account to use to access the SQL Server for the
    source site server. This account requires Read and Execute permissions to the source site
    database, verify that Use the same account as the Source Site SMS Provider Account is
    selected.
  o Select the Enable distribution-point sharing for the source site server check box, and then
    click OK.
4. After you have configured the source hierarchy, the Data Gathering Status process will start. Wait
for the data collection to complete, and then click Close.
Migration Data Gathering
The migration data gathering process collects
information about the source hierarchy
configuration and objects that you can migrate
from source sites.
The migration data gathering process starts after:
• You specify an active source hierarchy.
• You configure credentials for an additional
source site in an active source hierarchy.
• You share the distribution points for a source
site with Configuration Manager 2012.
The migration data gathering process then repeats on a simple schedule to maintain synchronization with
any changes to data in the source sites. By default, the process repeats every four hours. You can modify
the schedule for this cycle by editing the properties of the source site in the Configuration Manager
console. The initial data gathering process must review all objects in the Configuration Manager 2007
database. It may take longer to finish than subsequent data gathering processes that identify only
changes to the data.
To gather data, the Configuration Manager 2012 top-level site connects to the SMS Provider and to the
site database of the source site, and then retrieves a list of objects and distribution points.
You can use the Gather Data Now action in the Configuration Manager console to start the migration
data gathering process immediately and to reset the start time of the next cycle. Data gathering runs on
the configured schedule until you change the active source hierarchy or until you use the Stop Gathering
Data action to end the data gathering process for that site. You can use the Stop Gathering Data action to
end the data gathering process for a source site when you no longer want Configuration Manager 2012
to identify new or changed objects from that site.
Note: Regardless of where you configure the source hierarchy, the migration jobs,
including the initial data gathering, are run from the top-level site. In a multisite hierarchy, to
troubleshoot migration issues, review the migmctrl.log on the central administration site server.
Configuring Additional Source Sites
Source sites are sites in the active source hierarchy
that have data that you migrate to Configuration
Manager 2012. When you configure a source
hierarchy, you must specify the top-level site of
the hierarchy first, which is configured as the first
source site for that source hierarchy.
After Configuration Manager gathers the initial
data for the top-level site of the source hierarchy,
any child sites of that site are visible in the
Configuration Manager console. You must
configure the child sites as source sites to migrate
objects from those sites. You must specify
credentials for each additional source site for migration. When you configure additional source sites, you
must configure source sites from the top down, and configure the bottom-tier sites last.
You do not have to configure additional source sites before creating migration jobs. However, you can
only migrate data from source sites that you have configured, and the migration data gathering process
must have gathered data from these sites successfully.
To configure additional source sites in the active source hierarchy, perform the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand Migration, and then click Source Hierarchy.
3. In the results pane, click the site that you want to configure as a source site.
4. On the ribbon, in the Source Site group, click Configure Credentials.
5. In the Source Site Credentials dialog box, for the Source Site Access Accounts, specify accounts that
have Read permission to the SMS Provider and to the SQL Server database in the specified site, and
then click OK.
Configuring Distribution Point Sharing
You can share Configuration Manager 2007
distribution points with Configuration Manager
2012. This makes the content that is distributed
to Configuration Manager 2007 distribution
points immediately available to the clients in the
Configuration Manager 2012 hierarchy. By using
this approach, you can ensure that the same
content remains available for clients in both
hierarchies. You can maintain this content until
you stop gathering data and complete the
migration.
Distribution point sharing is a site-wide setting
that, when enabled, configures all eligible distribution points in a Configuration Manager 2007 primary
site and its secondary sites as shared distribution points. You cannot select individual distribution points to
share when you enable distribution point sharing.
Prerequisites
When planning for distribution point sharing, consider the following prerequisites:
• You must configure distribution points with a FQDN to be eligible for sharing.
• At least one Configuration Manager 2012 primary site or the central administration site must use the
same port numbers for client requests that the Configuration Manager 2007 site uses.
• Configuration Manager 2012 clients can receive content location information for packages that are
installed on shared distribution points in the Configuration Manager 2007 hierarchy, including branch
distribution points, distribution points on server shares, and standard distribution points.
• When you share a protected distribution point, Configuration Manager 2012 creates a boundary
group that includes the protected network locations of the Configuration Manager 2007 distribution
point.
• You need to ensure that the package version for packages that you migrate is the same in the source
hierarchy and in Configuration Manager 2012. Then Configuration Manager 2012 clients will be able
to retrieve the content from the shared distribution point.
• You cannot use shared distribution points to host packages for App-V. You must migrate and convert
the App-V packages for Configuration Manager 2012 clients.
Reassigning Shared Distribution Points
You can reassign shared distribution points in place to Configuration Manager 2012 distribution points,
thereby preserving their content. Distribution points can be one of the following:
• Stand-alone distribution points, which you can upgrade in place to Configuration Manager 2012
• Secondary site servers, which you can convert to stand-alone distribution points in Configuration
Manager 2012
When you no longer have to support clients in your Configuration Manager 2007 environment, you can
reassign a shared distribution point in your Configuration Manager 2012 hierarchy. When you reassign
the distribution points in place, you do not have to redeploy content to new distribution points.
To reassign a distribution point, the Configuration Manager 2007 site system server must meet the
following conditions:
• The Configuration Manager 2007 site system server must have only the distribution point role
assigned to it. You cannot upgrade a Configuration Manager 2007 distribution point that has any
additional site system roles.
• You must configure the Configuration Manager 2007 site system with an intranet FQDN.
• The site system server must have sufficient disk space to convert the content from the Configuration
Manager 2007 content storage format to the single instance store format. This requires available free
space equal to two times the existing data on the distribution point.
• The site system server must run an operating system version that Configuration Manager 2012
supports as a distribution point.
Note: Prior to System Center 2012 R2 Configuration Manager, distribution point
reassignment was referred to as upgrading. The Upgrade Distribution Point migration job is now
referred to as Reassign Distribution Point migration point.
Uninstalling Distribution Points
You can also choose to uninstall the existing distribution points from the Configuration Manager 2007
hierarchy and reuse the same hardware by installing the servers as distribution points in the Configuration
Manager 2012 hierarchy. In this case, you need to redeploy the content to the new distribution points.
Migrating Secondary Sites to Distribution Points
You can convert secondary sites in
Configuration Manager 2007 to distribution
points in Configuration Manager 2012. There
are several advantages to using a distribution
point instead of a secondary site. Configuration
Manager 2012 distribution points have more
features than their Configuration Manager 2007
counterparts, such as single instance store and
better management of data transfers. Unless you
need the management point functionality from
the Configuration Manager 2007 secondary site,
typically you will migrate your Configuration
Manager 2007 secondary sites to distribution points.
The conversion process is the same as the distribution point reassignment process, with the additional
step of uninstalling the secondary site.
The reassignment process first uninstalls the Configuration Manager 2007 secondary site, and then waits
until the next data gathering cycle to upgrade the distribution point in place to a Configuration Manager
2012 distribution point. If you use the default settings for the data gathering cycle, the wait time may be
up to four hours. This step ensures that the secondary site was uninstalled successfully before the
distribution point reassignment starts.
When converting a secondary site to a distribution point, consider the following restrictions:
• To be able to reassign, the secondary site must not have any Configuration Manager site system roles
assigned to the server, except for the management point.
• You must configure the Configuration Manager 2007 site system with an intranet FQDN.
• Any content that is present on the distribution point will be converted to a Configuration Manager
2012 single instance store. Because of this, you must ensure that available free space is equal to two
times the size of existing content on the distribution point. In Configuration Manager 2012 with SP1
and newer versions, the old content is removed once the migration is complete.
• Before reassigning a secondary site to a distribution point, ensure that you have upgraded all existing
remote distribution points at that site. After the secondary site is uninstalled during the distribution
point upgrade, the remaining remote distribution points will become orphan files and will not be
eligible for upgrade.
Lesson 4
Migrating Objects
To migrate objects from Configuration Manager 2007 sites to Configuration Manager 2012, you need to
create migration jobs. You can use these jobs to migrate collections and associated objects or to migrate
objects by type. You can choose to migrate objects that were migrated previously if they have changed
after migration to Configuration Manager 2012.
In this lesson, you will learn about the steps required to create migration jobs, review the migrated
objects, and use the migration reports.
Lesson Objectives
After completing this lesson, you will be able to:
• Create migration jobs.
• Describe the steps used to migrate collections.
• Describe the steps used to migrate objects by object type.
• Review migrated objects in the console.
• Use the migration reports to validate the migration.
Migration Jobs
You must create migration jobs to migrate
objects from Configuration Manager 2007 sites
to Configuration Manager 2012. A migration job
lists the objects that are migrated and includes
migration settings. You can schedule migration
jobs to run at a specific time. You can create
migration jobs to perform the following types of
migrations:
• Collection migration
  o With this type of migration, you can
    migrate collections and objects that are
    related to selected collections, such as
    advertisements and software packages.
  o By default, all objects associated with members of the collection are selected for migration. You
    can deselect the objects that you do not want to migrate.
  o You can exclude individual object instances from migration. You might do this because you want
    to migrate them at a later time using object migration, for example.
• Object migration
  o With this type of migration, you can select individual object types and object instances to
    migrate.
  o By default, object types and instances are not selected. You need to select the specific data that
    you want to migrate.
• Objects modified after migration
  o With this type of migration, you can remigrate any objects that were migrated previously, but
    have since been updated in the source hierarchy.
Migrating Collections
You can migrate collection definitions and
associated objects, such as packages and
advertisements, from Configuration Manager
2007 to Configuration Manager 2012.
To migrate collections, use the Create Migration
Job Wizard and select the following options:
• General. Type a name for the migration job and select the Collection migration option.
• Select Collections. Select individual collections to migrate.
• Select Objects. Select packages, advertisements, and other objects that are associated with collections to migrate.
• Content Ownership. Select the Configuration Manager 2012 site that will get the ownership for the migrated objects’ content.
• Security Scope. Associate the migrated objects with an existing security scope or create a new scope. This helps limit the administrative permissions to the migrated objects.
• Collection Limiting. You can configure how collection limiting settings from Configuration Manager 2007 are translated to inclusion rules in Configuration Manager 2012.
• Site Code Replacement. On this page, you can configure site code replacement in the collection queries. This is required if you have query rules that are based on the Configuration Manager site code, because you are migrating to a new site with a new site code.
• Review Information. You can review the objects included in the migration job and information about the migration of those objects.
• Settings. You can run the migration job immediately or schedule it for a later time. Also, you can:
   o Configure whether previously migrated objects can be overwritten.
   o Transfer the organization folder structure for objects to the destination site.
   o Enable programs for deployments after advertisements are migrated.
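The following PowerShell audit is an added example, not part of the course material or of Configuration Manager itself. It shows which collection query rules compare a site-code attribute with the source site code, which are the rules that need an entry on the Site Code Replacement page. Assumptions: CM7 and S01 are the source and destination site codes, the three rules are constructed samples, Find-SiteCodeDependency is a hypothetical helper name, and only the SMSAssignedSites and SMSInstalledSites attributes of SMS_R_System are checked.

```powershell
# Added example: audit collection query rules for site-code dependencies
# before a collection migration job is created.
# Assumptions: CM7 = source site code, S01 = destination site code.

# A site-code attribute of SMS_R_System compared with a quoted literal.
$SiteCodeComparison = @'
(?i)\b(?<attr>SMSAssignedSites|SMSInstalledSites)\s*(?<op>=|!=|<>|\blike\b)\s*(?<q>["'])(?<val>[^"']*)\k<q>
'@

# Any quoted literal in a WQL query.
$QuotedLiteral = @'
(?<q>["'])(?<val>[^"']*)\k<q>
'@

function Find-SiteCodeDependency {
    param(
        [Parameter(Mandatory = $true)] [string] $QueryExpression,
        [Parameter(Mandatory = $true)] [string] $SourceSiteCode,
        [Parameter(Mandatory = $true)] [string] $DestSiteCode
    )

    $rewritten = $QueryExpression
    $replaced  = 0
    $hits = [regex]::Matches($QueryExpression, $SiteCodeComparison)

    # Walk the matches right to left so earlier indexes stay valid while
    # each literal is swapped in place.
    for ($i = $hits.Count - 1; $i -ge 0; $i--) {
        $val = $hits[$i].Groups['val']
        if ($val.Value -eq $SourceSiteCode) {
            $rewritten = $rewritten.Remove($val.Index, $val.Length).Insert($val.Index, $DestSiteCode)
            $replaced++
        }
    }

    # Literals that still contain the source site code were not an exact
    # site-code comparison (a computer name, or a wildcard pattern).
    # A blind search-and-replace would have corrupted them; list them for
    # manual review instead.
    $untouched = @(
        [regex]::Matches($rewritten, $QuotedLiteral) |
            ForEach-Object { $_.Groups['val'].Value } |
            Where-Object { $_.IndexOf($SourceSiteCode, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
    )

    [pscustomobject]@{
        NeedsReplacement = ($replaced -gt 0)
        LeftUntouched    = ($untouched -join ', ')
        Rewritten        = $rewritten
    }
}

# Constructed sample rules (collection name + WQL query expression).
$rules = @(
    [pscustomobject]@{
        Collection = 'London Servers'
        Query      = 'select * from SMS_R_System where SMS_R_System.Name like "LON%"'
    }
    [pscustomobject]@{
        Collection = 'Constructed: clients assigned to source site'
        Query      = 'select * from SMS_R_System where SMS_R_System.SMSAssignedSites = "CM7"'
    }
    [pscustomobject]@{
        Collection = 'Constructed: source site server'
        Query      = 'select * from SMS_R_System where SMS_R_System.Name = "LON-CM7" and SMS_R_System.SMSInstalledSites = "CM7"'
    }
)

$report = foreach ($rule in $rules) {
    $result = Find-SiteCodeDependency -QueryExpression $rule.Query -SourceSiteCode 'CM7' -DestSiteCode 'S01'
    [pscustomobject]@{
        Collection       = $rule.Collection
        NeedsReplacement = $result.NeedsReplacement
        LeftUntouched    = $result.LeftUntouched
        Rewritten        = $result.Rewritten
    }
}

$report | Format-List
```

On a live Configuration Manager 2007 site, the same function can be fed the QueryExpression of each SMS_CollectionRuleQuery rule read from the SMS Provider.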
Migrating Objects by Type
You can migrate objects of different types from
Configuration Manager 2007 to Configuration
Manager 2012, including:
• Boundaries
• Software distribution packages
• Virtual application packages
• Software update objects
• Operating system deployment objects
• Desired configuration management configuration items
• Configuration baselines
• Asset Intelligence customizations
• Software metering rules
To migrate objects by type, use the Create Migration Job Wizard and select the following options:
• General. Type a name for the migration job and select the Object migration option.
• Select Objects. Select object types and individual objects to migrate.
• Content Ownership. Select the Configuration Manager 2012 site that will get the ownership for the migrated objects’ content.
• Security Scope. Associate the migrated objects with an existing security scope or create a new scope. This helps limit the administrative permissions to the migrated objects.
• Review Information. You can review the objects included in the migration job and information about the migration of those objects.
• Settings. You can run the migration job immediately or schedule it for a later time. You can also configure whether previously migrated objects can be overwritten, and whether to transfer the organization folder structure for objects to the destination site.
Demonstration: Creating Migration Jobs
In this demonstration, you will see how to migrate collections and migrate objects by type.
Demonstration Steps
1. On LON-CFG, in the Configuration Manager console, click the Migration Jobs node.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the following settings to configure the migration job:
   o On the General page, configure the following options:
      ▪ Name: Collections and associated objects
      ▪ Description (optional): Migrate collections and associated objects
      ▪ In the Job type box, select Collection migration
   o On the Select Collections page, select Adatum Servers (this also selects London Servers and ConfigMgr Servers), and then verify that the Migrate objects that are associated with the specified collections option is selected.
   o On the Select Objects page:
      ▪ Select Software Distribution Deployments, and then clear the KB977384 check box.
      ▪ Select Software Distribution Packages, clear the KB977384 – Advanced Client Hotfix – CM7 check box, and then click Next.
   o On the Content Ownership page, set the Destination Site to S01 – Adatum Site.
   o On the Security Scope page, select Default.
   o Complete the wizard by choosing the default settings. Select the Run the migration job now option so that the migration job will run automatically after the wizard completes.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, click Refresh.
4. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the following settings to configure the migration job:
   o On the General page, configure the following options:
      ▪ Name: Migrate objects by type
      ▪ Description (optional): Migration of specific objects
      ▪ In the Job type box, select Object migration
   o On the Select Objects page, under Object types, select the following types of objects:
      ▪ Boundaries
      ▪ Configuration Baselines. In the Included Objects dialog box, confirm the inclusion of configuration items.
      ▪ Asset Intelligence Catalog
   o On the Content Ownership page, click Next.
   o On the Security Scope page, select Default, and then click Next.
   o Complete the wizard and choose the default settings. Select the Run the migration job now option so that the migration job will run automatically after the wizard completes.
5. In the results pane, verify that the status of the migration job is Completed. If necessary, click Refresh.
Reviewing Migrated Objects
You can review the progress of Configuration
Manager 2012 migration actions in the
Configuration Manager console, in the
Administration workspace, under the Migration
node. You can view summary information for
each migration job, including objects that have
and have not migrated, the number of objects
excluded from the migration, and details about
any migration problems.
To view the progress of object migration for a
migration job, select a migration job, and then in
the Objects in Job tab, select the objects for which
you want to view the summary information.
Migration actions are recorded in the migmctrl.log file in the <InstallationPath>\Logs folder on the site
server.
After you perform the migration, the administrator can review migrated objects and their properties, and
compare them with the objects in the source site.
Viewing Migration Reports
Configuration Manager 2012 includes several
reports that you can use to review migration jobs,
objects included in migration jobs, objects that
failed to migrate, collections that used collection
limiting, and Configuration Manager 2007 clients
excluded from the upgrade to Configuration
Manager 2012.
To view the migration reports, perform the
following procedure:
1. In the Configuration Manager console, click the Monitoring workspace.
2. In the navigation pane, expand Reporting, expand Reports, and then click the Migration folder.
3. In the results pane, click Migration Job properties, and then on the ribbon, click Run.
4. After Migration Job Name, click Values.
5. Under Migration Job Name, click a migration job, and then click OK.
6. Click View Report.
7. Close the Migration Job properties window.
8. In the results pane, click Migration jobs, and then on the ribbon, click Run.
9. Close the Migration jobs window.
Migrating Clients
You can use any supported client deployment
method to migrate clients. When CCMSetup
detects a Configuration Manager 2007 client
on the target computer, it uninstalls the existing
client software and installs the new client software.
Before migrating the clients, you must ensure that
you have migrated all objects the clients will use
in the new environment, such as collections or
packages.
You can migrate clients in any order. However,
we recommend that you migrate them in phases
to limit the impact on network bandwidth. This
distributes the traffic associated with the client installation and initial inventory cycle across a longer
period.
The following information is retained on the client:
• The globally unique identifier (GUID). The GUID associates a client with its information in the Configuration Manager database.
• The advertisement history. The advertisement history prevents clients from rerunning advertisements unnecessarily.
The following information is not retained:
• The files in the client cache. If these files are necessary to install a package, the client downloads them again from a distribution point.
• Information about any advertisements that have not yet run. If the advertisements have not run, they are deleted. You must migrate or re-create the advertisements in the new Configuration Manager 2012 hierarchy.
• Inventory data. Clients perform an inventory cycle after upgrading, and then send the new data to the management point.
• Compliance data. Clients evaluate compliance against the baselines assigned in the new environment, and then send the compliance data to the management point.
Lesson 5
Upgrading Configuration Manager 2012 to Configuration
Manager 2012 with SP1 and then to System Center 2012
R2 Configuration Manager
You cannot upgrade Configuration Manager 2012 without a service pack directly to System Center 2012
R2 Configuration Manager. When performing an in-place upgrade of Configuration Manager 2012
without a service pack to System Center 2012 R2 Configuration Manager, you must first upgrade to
Configuration Manager 2012 with SP1.
In this lesson, you will learn the steps required to upgrade Configuration Manager 2012 without a service
pack to System Center 2012 R2 Configuration Manager.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the requirements for upgrading to Configuration Manager 2012 with SP1.
• Describe the requirements for upgrading to System Center 2012 R2 Configuration Manager.
• Describe the upgrade considerations for Configuration Manager 2012.
• Configure automatic client upgrade.
Prerequisites for Upgrading to Configuration Manager 2012 with SP1
You must upgrade Configuration Manager
2012 to Configuration Manager 2012 with SP1
before upgrading further. When upgrading to
Configuration Manager 2012 with SP1 you must
upgrade the prerequisites first. When preparing to
upgrade to Configuration Manager 2012 with SP1,
you should review the following checklist, which
lists the configuration modifications necessary for
the upgrade.
Modification | Description
--- | ---
Ensure the environment meets the Configuration Manager 2012 with SP1 prerequisites | Configuration Manager 2012 uses the Windows Automated Installation Kit (Windows AIK) for operating system deployment. Configuration Manager 2012 with SP1 uses the Windows Assessment and Deployment Kit 8 (Windows ADK 8). You must uninstall the Windows AIK and then install Windows ADK 8.
Review the site hierarchy and resolve any issues | Before you perform the upgrade, ensure you resolve all operational issues.
Install all critical updates on the site server, database server, and any remote site systems | Apply all updates and perform all necessary restarts before you start the installation.
Review requirements for add-ins or extensions used | Before you upgrade, review the requirements for any add-ins or extensions to avoid any compatibility problems.
Disable any database replicas that management points use at primary sites | The Configuration Manager 2012 with SP1 upgrade will fail if a management point on a primary site is using a replica database.
Reconfigure any network load balancing (NLB) software update points | Software update points using NLB cannot be upgraded.
Back up the site database | Before upgrading, always back up the database in case you need to perform a disaster recovery.
Disable all site maintenance tasks | Tasks such as Backup Site Server can interrupt the upgrade process and you need to stop them for the duration of the upgrade.
Create a duplicate of any built-in collections you modified | Built-in collections in Configuration Manager 2012 with SP1 are read-only and you cannot modify them.
Run the Prerequisite Checker | The Configuration Manager 2012 with SP1 prerequisites are different from Configuration Manager 2012. Running the Prerequisite Checker allows you to find any missing prerequisites.
Download the prerequisite and redistributable files for Configuration Manager 2012 with SP1 | Use the Setup Downloader to download the additional files used during setup. These include prerequisite redistributables, language packs, and the latest product updates. Place them in a location that is accessible during setup.
Plan for server and client language support | If you have previously installed support for additional languages, you may need to download the appropriate files for the Configuration Manager 2012 with SP1 installation. If you do not download the language files for an installed language, the installation process will remove support for the missing language files.
Plan for site system role prerequisites | The Prerequisite Checker does not check prerequisites for site system roles on the site server or remote system servers.
Review the site upgrade considerations | Review the automatic changes and manual changes required for the upgrade to be complete.
Test the database upgrade process | Restore the site database to an additional computer running SQL Server and verify that you can upgrade the database without incident.
Restart all the servers in the hierarchy | Ensure that there are no pending processes before you begin the upgrade.
Install Configuration Manager 2012 with SP1 | Start at the top-level site. Once the top-level site is complete, upgrade any child sites.
Upgrade any stand-alone Configuration Manager console installations | Before managing a Configuration Manager 2012 with SP1 site, you must upgrade a management console to Configuration Manager with SP1.
Reconfigure any database replicas | If you use database replicas for management points, you can reconfigure them once the upgrade is complete.
Reconfigure any database maintenance tasks disabled previously | Once the upgrade is complete, you can reconfigure the maintenance tasks.
Upgrade clients | Although Configuration Manager 2012 with SP1 supports client communications from lower level clients, you should upgrade the clients as soon as possible. Systems using lower level clients cannot take advantage of the new functionality.
Prerequisites for Upgrading to System Center 2012 R2 Configuration
Manager
After upgrading to Configuration Manager
2012 with SP1, you can upgrade to System
Center 2012 R2 Configuration Manager. The
process for upgrading to System Center 2012 R2
Configuration Manager is similar to the process
for upgrading to Configuration Manager 2012
with SP1. Before installing System Center 2012 R2
Configuration Manager, you should review the
following checklist.
Modification | Description
--- | ---
Ensure you upgrade all the sites in the hierarchy to Configuration Manager 2012 with SP1 | You must upgrade to System Center 2012 R2 Configuration Manager from Configuration Manager 2012 with SP1.
Ensure that the environment meets the System Center 2012 R2 Configuration Manager prerequisites | System Center 2012 R2 Configuration Manager uses Windows ADK 8.1. You must uninstall the Windows ADK 8 and install the Windows ADK 8.1.
Review the site hierarchy and resolve any issues | Before you perform the upgrade, ensure that you resolve all operational issues.
Install all critical updates on the site server, database server, and any remote site systems | Apply all updates and perform all necessary restarts before you start the installation.
Review requirements for add-ins or extensions | Before you upgrade, review the requirements for any add-ins or extensions to avoid any compatibility problems.
Disable any database replicas that management points at primary sites are using | The Configuration Manager 2012 with SP1 upgrade will fail if a management point on a primary site is using a replica database.
Reconfigure any NLB software update points | You cannot upgrade software update points using NLB.
Back up the site database | Before upgrading, always back up the database in case you need to perform a disaster recovery.
Disable all site maintenance tasks | Tasks such as Backup Site Server can interrupt the upgrade process and you must stop them for the duration of the upgrade.
Create a duplicate of any built-in collections you modified | You cannot modify built-in collections in Configuration Manager 2012 with SP1.
Run the Prerequisite Checker | The Configuration Manager 2012 with SP1 prerequisites are different from Configuration Manager 2012. Running the Prerequisite Checker allows you to find any missing prerequisites.
Download the prerequisite and redistributable files for System Center 2012 R2 Configuration Manager | Use the Setup Downloader to download the additional files during setup. These include prerequisite redistributables, language packs, and the latest product updates. Place them in a location that is accessible during setup.
Prepare to upgrade secondary sites | System Center 2012 R2 Configuration Manager secondary sites use SQL Server 2012 Express Edition with cumulative update package 2. When attempting to upgrade a secondary site from an earlier version of SQL Server 2012 Express, the upgrade will fail.
Plan for server and client language support | If you have previously installed support for additional languages, you may need to download the appropriate files for the Configuration Manager 2012 with SP1 installation. If you do not download the language files for an installed language, the installation process will remove support for the missing language files.
Plan for site system role prerequisites | The Prerequisite Checker does not check prerequisites for site system roles on the site server or remote system servers.
Review the site upgrade considerations | Review the automatic changes and manual changes required for the upgrade to be complete.
Test the database upgrade process | Restore the site database to an additional computer running SQL Server and verify that you can upgrade the database without incident.
Restart all the servers in the hierarchy | Ensure that there are no pending processes before you begin the upgrade.
Install System Center 2012 R2 Configuration Manager | Start at the top-level site. Once the top-level site is complete, upgrade any child sites.
Upgrade any stand-alone Configuration Manager console installation | Before managing a Configuration Manager 2012 with SP1 site, you must upgrade a management console to Configuration Manager 2012 with SP1.
Reconfigure any database replicas | If you use database replicas for management points, you can reconfigure them once the upgrade is complete.
Reconfigure any database maintenance tasks you disabled previously | Once the upgrade is complete, you can reconfigure maintenance tasks.
Upgrade clients | While Configuration Manager 2012 with SP1 supports client communications from lower level clients, you should upgrade the clients as soon as possible. Systems using lower level clients cannot take advantage of the new functionality.
Considerations for Upgrading to System Center 2012 R2 Configuration
Manager
When planning to upgrade a Configuration Manager 2012 site to System Center 2012 R2 Configuration Manager, you must keep in mind certain considerations. You cannot upgrade directly from Configuration Manager 2012 without a service pack to System Center 2012 R2 Configuration Manager. You must first upgrade to Configuration Manager 2012 with SP1.
When upgrading to Configuration Manager 2012 with SP1, consider the following actions:
• Automatic actions. When you apply a service pack to Configuration Manager 2012, several actions will occur automatically:
   o A site reset will reinstall all site system roles automatically.
   o When upgrading the top-level site, the client installation package will be updated on each distribution point in the hierarchy. Additionally, the default boot images are upgraded to the Windows® 8 version of Windows Preinstallation Environment (Windows PE).
   o The client upgrade package will be updated on each primary site.
• Manual actions. Once the site upgrade is complete, you must complete the following steps manually:
   o Upgrade the clients to the latest client software.
   o Upgrade each Configuration Manager console installation.
   o Reconfigure database replicas that were used for management points.
• Other considerations. When upgrading a site to Configuration Manager 2012 with SP1, several settings are reset to their default values:
   o Software settings. Work information business hours are reset to 5:00 AM to 10:00 PM Monday through Friday. Computer maintenance is set to Suspend Software Center activities when my computer is in presentation mode. Remote Control is set to the value in the applicable client settings.
   o Custom summarization schedules for software updates are reset to the default value of one hour.
When upgrading from Configuration Manager 2012 with SP1 to System Center 2012 R2 Configuration
Manager, the considerations are identical, with the following exception:
• Automatic actions. The default boot images are upgraded to Windows PE 5.0, which is capable of deploying Windows 8.1 and Windows Server 2012 R2. Windows PE 5.0 is backward compatible with Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012. Windows PE 5.0 cannot deploy Windows Server 2008, Windows Vista®, or older operating systems.
Automatically Upgrading the Configuration Manager Client
You can configure the Configuration Manager
2012 client to upgrade to the latest version of the
client automatically. Two examples of scenarios
when you would enable automatic upgrade are:
• After you upgrade the site to a new version
• After you install a new language pack
Configuration Manager 2012 creates an upgrade
package by default and distributes it to all
distribution points automatically. If you modify
the client package at the central administration
site, such as by adding a new language pack,
Configuration Manager automatically updates and distributes the client upgrade package. If you enable
automatic client upgrade, Configuration Manager will attempt to upgrade every client.
Note: Configuration Manager does not upgrade cloud-based distribution points
automatically.
To configure automatic client upgrade for a Configuration Manager 2012 site, follow this procedure:
• On the Home tab, click Hierarchy Settings, and then click the Client Installation Settings tab. Note that in Configuration Manager 2012 with SP1 and later versions, the Client Installation Settings tab has been renamed Automatic Client Upgrade.
The availability of automatic upgrade options depends on the version of Configuration Manager 2012, as
illustrated in the following table.
Option | Notes
--- | ---
Upgrade client automatically when new client updates are available | You must select this check box to enable the automatic client upgrade.
Allow clients to use a fallback source location for content | This setting was removed in Configuration Manager 2012 with SP1.
Do not run program when a client is within a slow or unreliable network boundary or when the client uses a fallback source location for content | This setting was removed in Configuration Manager 2012 with SP1.
Automatically upgrade clients within days | Specifies the number of days, from the time the client receives the policy, within which the client will attempt to upgrade. To prevent network saturation, the client will attempt the upgrade at a random time interval within the number of days specified.
Automatically upgrade clients that are this version or earlier | This setting was removed in Configuration Manager 2012 with SP1.
Automatically distribute client installation package to distribution points that are enabled for prestaged content | This is a new setting in Configuration Manager 2012 with SP1.
Demonstration: Configuring Client Upgrades
In this demonstration, you will see how to configure automatic client upgrades.
Demonstration Steps
1. On LON-CFG, in the Configuration Manager console, in the Site Configuration folder, click the Sites node.
2. On the ribbon, click Hierarchy Settings. The Site Settings Properties dialog box is displayed.
3. On the Automatic Client Upgrade tab, select the Upgrade client automatically when new client updates are available check box.
4. Accept the changes.
Lab: Migrating from System Center Configuration
Manager 2007 to System Center 2012 Configuration
Manager
Scenario
You are the network administrator for the A. Datum Corporation. A. Datum has Configuration Manager
2007 and System Center 2012 Configuration Manager deployed as stand-alone primary sites.
You need to perform the migration of Configuration Manager objects by:
1. Configuring the source hierarchy.
2. Creating a migration job and performing migration.
Objectives
After completing this lab, you will be able to:
• Configure a source hierarchy.
• Migrate a Configuration Manager 2007 SP2 site to System Center 2012 R2 Configuration Manager.
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 10748C-LON-DC1-C, 10748C-LON-CM7-C, 10748C-LON-SVR1-C, 10748C-LON-CAS-C, 10748C-LON-CFG-C
User name: Adatum\administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps two through four for 10748C-LON-CM7-C, 10748C-LON-SVR1-C, 10748C-LON-CAS-C, and 10748C-LON-CFG-C. For LON-CM7, wait until the virtual machine starts and you sign in before starting the rest of the virtual machines. This is so that all services start as expected and do not time out.
Exercise 1: Configuring the Source Hierarchy
Scenario
You must examine the source hierarchy and review the objects that you will migrate. Then you will
configure the source hierarchy by specifying the name of the site server and credentials to connect
to the SMS Provider and site database. Because you will be migrating content, you must prepare the
Configuration Manager 2007 servers to allow the Configuration Manager 2012 site server to access the
content source shares.
The main tasks for this exercise are as follows:
1. Review the objects that must be migrated (Optional).
2. Prepare permissions on LON-CM7 and LON-SVR1.
3. Configure the source hierarchy.
Task 1: Review the objects that must be migrated (Optional)
1. On LON-CM7, start the Configuration Manager console.
2. In the Configuration Manager console, under Site Database, click the Site Management node, and verify that the version of the site is 4.00.6487.2000, which means the site is running Configuration Manager 2007 Service Pack 2.
3. Under Site Database, expand Site Management, expand CM7-London Configuration Manager 2007, expand Site Settings, click the Boundaries node, and then review the Properties of the existing IP subnet boundary.
4. Under Site Database, under Site Management, under CM7-London Configuration Manager 2007, expand FHM - Fulham Secondary Site, expand Site Settings, expand Site Systems, click \\LON-SVR1, and then verify the roles for LON-SVR1.
5. Under Computer Management, expand Collections, and then access the Properties of the Adatum Servers collection.
6. In the Adatum Servers Properties dialog box, under Membership Rules, observe that there are no membership rules defined.
Note: The Adatum Servers collection does not have any members and serves as a container for the other two collections.
7. Under Adatum Servers, access the Properties of the London Servers collection.
8. Review the Membership rules for the London Servers collection, and then examine the query used to determine the membership of the collection.
Note: The London Servers collection uses a query rule to include all computers with a name starting with LON.
9. Under Adatum Servers, access the Properties of the ConfigMgr Servers collection.
10. Review the Membership rules for the ConfigMgr Servers collection, and then observe the direct membership rule created for LON-CM7.
Note: The ConfigMgr Servers collection uses a direct membership rule to include LON-CM7 as a member.
11. Under Software Distribution, click the Packages node.
12. Access the Properties of the Microsoft Corporation Microsoft Office Word Viewer 2003 package, and then review its settings, including the distribution points to which it is distributed. Note that this is a Windows Installer package.
13. Access the Properties of the Excel Viewer 1 package, and then review its settings, including the distribution points to which it is distributed. Note that this is an App-V package.
14. Under the Advertisements node, review the existing advertisements.
15. Under Asset Intelligence, expand Customize Catalog, click the Software Categories node, and then review the Adatum Software custom category.
16. Under the Software Families node, review the Adatum LOB Applications custom family.
17. Under the Custom Labels node, review the Adatum Application custom label.
18. Under Desired Configuration Management, click the Configuration Items node.
19. Access the Properties of the Windows Firewall Enabled configuration item, review the properties, and then at the Settings tab, review the settings of the configuration item. Note that this configuration item is using a WMI query language (WQL) query to check the status of the Windows Firewall.
20. Under the Configuration Baselines node, access the Properties of the Adatum Security Policy Validation baseline, and then review the settings.
Task 2: Prepare permissions on LON-CM7 and LON-SVR1
1. Add LON-CAS and LON-CFG to the Administrators group on LON-CM7.
2. On LON-CM7, start the Configuration Manager console, if it is not already started.
3. Under Site Database, under Site Management, under CM7-London Configuration Manager 2007, expand FHM - Fulham Secondary Site, expand Site Settings, expand Site Systems, click \\LON-SVR1, and then open the properties for the ConfigMgr site system role. Configure LON-SVR1 with an intranet FQDN of LON-SVR1.Adatum.com.
4. Add LON-CAS and LON-CFG to the Administrators group on LON-SVR1.
Task 3: Configure the source hierarchy
1. On LON-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, under the Migration node, click the Source Hierarchy node, and then on the ribbon, click Specify Source Hierarchy.
3. In the Specify Source Hierarchy dialog box, use the following settings to configure the source hierarchy:
   o In the Top-level Configuration Manager site server box, type LON-CM7.Adatum.com.
   o Under Specify the Source Site Account to use to access the SMS Provider for the source site server. This account requires Read permissions to all source site objects, verify that User Account is selected, and then use Set to configure a new account with the following information:
      ▪ In the User name box, type Adatum\Administrator.
      ▪ In the Password and Confirm password boxes, type Pa$$w0rd.
      ▪ Use Verify and Test connection to validate the credentials and connection to the source site.
   o Under Specify the Source Site Database Account to use to access the SQL Server for the source site server. This account requires Read and Execute permissions to the source site database, verify that Use the same account as the Source Site SMS Provider Account is selected.
   o Select the Enable distribution-point sharing for the source site server check box.
4. After you have configured the source hierarchy, the Data Gathering Status process will start. Wait for the data collection to complete, and then click Close.
5. On the ribbon, click Refresh, and then on the Shared Distribution Points tab, verify that LON-CM7.ADATUM.COM and LON-SVR1.ADATUM.COM appear.
Note: By configuring the Shared Distribution Points option, both the Configuration
Manager 2007 clients and Configuration Manager 2012 clients will have access to the packages
during migration.
Results: At the end of this exercise, you should have reviewed the configuration of the Microsoft® System
Center Configuration Manager 2007 site and configured the source hierarchy in Configuration Manager
2012.
Exercise 2: Creating a Migration Job and Performing Migration
Scenario
You must create a collection migration job to migrate custom collections and associated advertisements
and packages. Then you will create another migration job and migrate objects by type. You will validate
the successful migration by running the migration reports.
The main tasks for this exercise are as follows:
1.
Create a collection migration job.
2.
Review migrated objects.
3.
Migrate objects by type.
4.
Review migrated objects.
5.
View migration reports.
 Task 1: Create a collection migration job
1.
On LON-CFG, in the Configuration Manager console, click the Migration Jobs node.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the following
   settings to configure the migration job:
   o On the General page, configure the following options:
      ▪ Name: Collections and associated objects
      ▪ Description (optional): Migrate collections and associated objects
      ▪ In the Job type box, select Collection migration
   o On the Select Collections page, select Adatum Servers (this also selects London Servers and
     ConfigMgr Servers), and then verify that the Migrate objects that are associated with the
     specified collections option is selected.
   o On the Select Objects page:
      ▪ Select Software Distribution Deployments, and then clear the KB977384 check box.
      ▪ Select Software Distribution Packages, and then clear the KB977384 – Advanced Client
        Hotfix – CM7 check box.
      ▪ Select Virtual Application Packages, verify that Excel Viewer is selected, and then click
        Next.
   o On the Content Ownership page, set the Destination Site to S01 – Adatum Site.
   o On the Security Scope page, select Default.
   o Continue the wizard and choose the default settings, and then on the Settings page, select the
     Run the migration job now option.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, click
   Refresh.
 Task 2: Review migrated objects
1.
In the Configuration Manager console, click the Collections and associated objects migration job,
and then review the objects included in the migration job.
2.
Close and then reopen the Configuration Manager console.
3.
In the Assets and Compliance workspace, under Device Collections, open the Adatum Servers
folder, and then observe the migrated ConfigMgr Servers and London Servers collections. If you do
not see the Adatum Servers folder, click the Overview node, and then press F5 on your keyboard to
refresh the navigation pane.
4.
Access the Properties of the London Servers collection, and then review the Membership rules.
5.
In the Software Library workspace, under Application Management, click the Packages node.
6.
Click the migrated Microsoft Office Word Viewer 2003 package, and then in the preview pane,
review the information in the Deployments tab.
7.
Under the Applications node, click the migrated Excel Viewer virtual application package, and then
in the preview pane, review the information in the Deployment Types tab.
 Task 3: Migrate objects by type
1. In the Configuration Manager console, in the Administration workspace, under the Migration node,
   click the Migration Jobs node.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the following
   settings to configure the migration job:
   o On the General page, configure the following options:
      ▪ Name: Migrate objects by type
      ▪ Description (optional): Migration of specific objects
      ▪ In the Job type box, select Object migration
   o On the Select Objects page, under Object types, select the following types of objects:
      ▪ Boundaries
      ▪ Configuration Baselines. In the Included Objects dialog box, confirm the inclusion of
        configuration items.
      ▪ Asset Intelligence Catalog
   o On the Content Ownership page, use the default settings.
   o On the Security Scope page, select Default, and then continue through the wizard.
   o Continue the wizard by choosing the default settings, and then on the Settings page, select the
     Run the migration job now option.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, select the
   Migrate objects by type object, and then click Refresh.
 Task 4: Review migrated objects
1.
In the Configuration Manager console, in the Assets and Compliance workspace, under the Asset
Intelligence node, click the Catalog node, and then review the User Defined objects.
2.
Under the Compliance Settings node, click the Configuration Items node, and then review the
migrated configuration items.
3.
Click the Configuration Baselines node, and then review the migrated baseline.
4.
In the Administration workspace, under the Hierarchy Configuration node, click the Boundaries
node, and then review the migrated boundary.
5.
Click the Boundary Groups node, and then review the boundary groups created for the
Configuration Manager 2007 site and for the distribution points.
 Task 5: View migration reports
1.
In the Configuration Manager console, in the Monitoring workspace, under the Reporting node,
expand the Reports node.
2.
Click the Migration folder.
3.
From the results pane, run the Migration Job properties report.
4.
In the report window, select the first migration job as a parameter, and then click View Report.
Review the results, and then close the report window.
5.
Close the Migration Job properties window.
6.
In the results pane, run the Migration jobs report. Review the results, and then close the report
window.
Results: At the end of this exercise, you should have created migration jobs, performed object migration,
and viewed the migration reports.
Exercise 3: Migrate a Secondary Site to a Distribution Point
Scenario
You must create a distribution point migration job to migrate the LON-SVR Configuration Manager 2007
secondary site and its associated content. You will validate the successful migration by verifying that the
content is still present.
The main tasks for this exercise are as follows:
1.
Reassign a secondary site as a distribution point.
2.
Review migrated objects.
3.
Decommission the source hierarchy.
4.
To prepare for the course finish.
 Task 1: Reassign a secondary site as a distribution point
1.
On LON-CFG, in the Configuration Manager console, navigate to the Administration workspace,
Migration folder, Distribution Point Migration node.
2.
On the ribbon, click Reassign Distribution Point. The Reassign Shared Distribution Point Wizard
starts. Use the following settings to configure the migration job. Use the default settings for the pages
that are not listed below:
o
On the General page, configure the following options:

Name: LON-SVR1.ADATUM.COM

Site code: S01 – Adatum Site
o
On the Distribution point page, select the Install and configure IIS if required by
Configuration Manager check box.
o
On the Boundary Groups page, add the CM7 (London Configuration Manager 2007)
boundary.
3.
Once the Reassign Shared Distribution Point Wizard completes, monitor the status until the status
changes to Pending on secondary site uninstallation. To update the results pane, press F5.
4.
Open the \\LON-SVR1\C$\ConfigMgrSetup.log in the Configuration Manager Trace Log tool.
5.
Monitor the ConfigMgrSetup.log until the Completed the deinstall of the ConfigMgr site
message appears.
Note: The uninstallation of the secondary site should take about five minutes.
6.
Close the Configuration Manager Trace Log tool.
7.
Start a data gathering process on the CM7 source hierarchy.
8.
Once the process is complete, click the Distribution Point Migration node and monitor the status of
the LON-SVR1.Adatum.com distribution point migration. Once the process completes, the status
Completed reassign distribution point appears. Click Refresh as necessary.
Note: The distribution point installation should take about five minutes.
 Task 2: Review migrated objects
1.
In the Distribution Points node, verify that the CM7 (London Configuration Manager 2007)
boundary was added to LON-SVR1.ADATUM.COM.
2.
In the Monitoring workspace, verify that the Excel Viewer application is distributed to
LON-SVR1.ADATUM.COM.
 Task 3: Decommission the source hierarchy
1.
In the Configuration Manager console, in the Administration workspace, expand the Migration
node, and then click the Source Hierarchy node.
2.
In the results pane, click CM7, and then on the ribbon, click Stop Gathering Data. Click Yes in the
Configuration Manager dialog box.
3.
In the results pane, verify that CM7 has the status Have not gathered data, and then on the ribbon,
click Clean Up Migration Data.
4.
In the Clean Up Migration Data dialog box, verify that CM7 (LON-CM7.Adatum.com) appears in
the Source hierarchy box, and then click OK. Click Yes in the Configuration Manager dialog box.
5.
In the results pane, note that the source hierarchy has been removed.
 Task 4: To prepare for the course finish
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1.
On the host computer, start Hyper-V® Manager.
2.
In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3.
In the Revert Virtual Machine dialog box, click Revert.
4.
Repeat steps 2 and 3 for 10748C-LON-CAS-C, 10748C-LON-CFG-C, 10748C-LON-CM7-C, and
10748C-LON-SVR1-C.
Results: At the end of this exercise, you will have reassigned a secondary site.
Question: How do you configure the source hierarchy?
Question: How can you migrate collections?
Question: How can you migrate desired configuration management objects?
Module Review and Takeaways
Review Questions
Question: What are the restrictions for migrating collections?
Question: Why would you need to consolidate primary sites?
Question: What are the restrictions for site codes during migration?
Question: What additional configurations do you need to perform when migrating objects
related to software updates?
Course Evaluation
Your evaluation of this course will help Microsoft
understand the quality of your learning
experience.
Please work with your training provider to access
the course evaluation form.
Microsoft will keep your answers to this survey
private and confidential and will use your
responses to improve your future learning
experience. Your open and honest feedback is
valuable and appreciated.
Module 2: Planning and Deploying a Stand-Alone Primary
Site
Lab A: Installing a Configuration Manager
Primary Site
Exercise 1: Configuring the Prerequisites for Configuration Manager 2012
Deployment
 Task 1: Start Server Manager
1.
On 10748C-LON-CFG-A, from the task bar, click Server Manager.
2.
In the navigation pane of the Server Manager console, click Local Server.
 Task 2: Verify the installation of the Web Server (IIS) role
•
In the Server Manager console, scroll to the Roles and Features section, and verify that the Web
Server (IIS) role is installed.
 Task 3: Verify the required features
1.
In the Server Manager console, scroll to the Roles and Features section, and verify that the Remote
Differential Compression and Background Intelligent Transfer Service (BITS) features are
installed.
2.
Close the Server Manager console.
 Task 4: Verify that Windows ADK for Windows 8.1 is installed
1.
From the task bar, click File Explorer, and then navigate to C:\Program Files (x86)\Windows Kits
\8.1\Assessment and Deployment Kit.
2. Verify the following have been installed:
   o Deployment Tools
   o Windows Preinstallation Environment
   o User State Migration Tool
3. Close File Explorer.
Results: After this exercise, you should have validated the prerequisites for installing System Center 2012
Configuration Manager.
Exercise 2: Extending the Active Directory Schema
 Task 1: Run EXTADSCH on the domain controller
1.
On LON-DC1, open File Explorer, navigate to the \\LON-CFG\E$\ConfigMgr2012R2
\SMSSETUP\BIN\X64 folder, and then locate extadsch.exe.
2.
Double-click extadsch.exe.
3.
Browse to the drive C, open the ExtADSch.log file created in the root of drive C, and then verify the
success of the operation by observing the classes and attributes added to AD DS and the message
that confirms the schema’s successful extension.
4.
Close Notepad and the Local Disk (C:) window.
 Task 2: Create a System Management container by using ADSI Edit
1.
On LON-DC1, from the Start screen, type Run, and then press Enter.
2.
In the Run dialog box, type adsiedit.msc, and then click OK.
3.
In the ADSI Edit console, right-click ADSI Edit, and then click Connect to.
4.
In the Connection Settings dialog box, accept the defaults, and then click OK.
5.
In the ADSI Edit console tree, expand Default naming context [LON-DC1.Adatum.com], expand
the DC=Adatum,DC=Com container, right-click the CN=System container, click New, and then click
Object.
6.
In the Create Object page, select container, and then click Next.
7.
In the Create Object page, in the Value text box, type System Management, click Next, and then
click Finish.
8.
In the ADSI Edit console, click the CN=System container, verify that CN=System Management
container appears in the results pane, and then close the console.
 Task 3: Assign Full Control permissions to the site server for the System Management
container
1.
On LON-DC1, from the Start screen, click Administrative Tools, and then double-click Active
Directory Users and Computers.
2.
In the Active Directory Users and Computers console, from the View menu, select Advanced
Features.
3.
In the navigation pane, expand Adatum.com, expand the System container, right-click the System
Management container, and then select Properties.
4.
In the System Management Properties dialog box, select the Security tab, and then click Add.
5.
In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
6.
In the Object Types dialog box, select Computers, and then click OK.
7.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select text box, type LON-CFG, click Check Names, and then click OK.
8.
In the System Management Properties dialog box, select LON-CFG (Adatum\LON-CFG$), and in
the Allow column, select the Full Control permission check box (all checkboxes are selected). Click
Advanced.
9.
In the Advanced Security Settings for System Management dialog box, select
LON-CFG (Adatum\LON-CFG$) from the permission entry list, and then click Edit.
10. In the Permission Entry for System Management dialog box, in the Apply to drop-down list, select
This object and all descendant objects, and then click OK.
11. In the Advanced Security Settings for System Management dialog box, click OK.
12. In the System Management Properties dialog box, click OK.
13. Close the Active Directory Users and Computers console.
Note: After installation, the Configuration Manager 2012 site server publishes information
in this container. This enables clients to determine their assigned site and locate their
management point.
Results: At the end of this exercise, you should have extended the Active Directory schema, created the
System Management container, and assigned permissions to the Configuration Manager server.
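The container creation and permission assignment from Tasks 2 and 3 can also be scripted and then reviewed. The following PowerShell is an added example, not part of the course material; it assumes the ActiveDirectory module (RSAT) is available, that it runs with domain administrator rights, and that LON-CFG is the site server as in this lab.

```powershell
# Added example: scripted equivalent of Tasks 2 and 3, followed by an ACL review.
# Assumptions: run on LON-DC1 (or any host with RSAT) as a domain administrator;
# LON-CFG is the site server computer account used in this lab.
Import-Module ActiveDirectory

$siteServerName = 'LON-CFG'
$domainDn    = (Get-ADDomain).DistinguishedName     # DC=Adatum,DC=com in the lab
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"

# Task 2: create the container only if it does not exist yet.
$existing = Get-ADObject -SearchBase $systemDn -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=container)(cn=System Management))'
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# Task 3: Full Control for the site server computer account, applied to
# "This object and all descendant objects" (inheritance type All).
$siteServerSid = (Get-ADComputer -Identity $siteServerName).SID
$fullControl   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow         = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $siteServerSid, $fullControl, $allow, $inheritAll

$acl = Get-Acl -Path "AD:\$containerDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# Review: list every explicit (non-inherited) Allow entry that grants Full Control
# on the container. Only the site server account(s) that publish to it should
# appear in addition to the expected administrative groups.
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

The final listing is worth rerunning whenever site servers are added or retired, because each Full Control entry on this container controls what clients read when they locate their site and management point.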
Exercise 3: Installing a Configuration Manager 2012 Stand-Alone Primary
Site
 Task 1: Run the setup for Configuration Manager 2012
1.
On LON-CFG, from the task bar, click File Explorer, and then navigate to the E:\ConfigMgr2012R2\
folder.
2.
Double-click splash.hta, and then click Microsoft (R) HTML Application host.
 Task 2: Install a Configuration Manager 2012 stand-alone primary site
1.
On the System Center 2012 R2 Configuration Manager Setup window, click Install.
2.
The Microsoft System Center 2012 Configuration Manager Setup Wizard starts. On the Before You
Begin page, click Next.
3.
On the Getting Started page, under Available Setup Options, select Install a Configuration
Manager primary site, and then click Next.
4.
On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
5.
On the Microsoft Software License Terms page, select the I accept these license terms check box,
and then click Next.
6.
On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, and then under Microsoft SQL Server 2012 Native Client, select I accept
these License Terms. Under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight, and then click Next.
7.
On the Prerequisite Downloads page, select Use previously downloaded files, and then click
Browse.
8.
In the Browse For Folder dialog box, select the E:\ConfigMgr2012R2\Redist folder, and then
click OK.
9.
On the Prerequisite Downloads page, click Next.
10. In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite validation to
finish.
11. On the Server Language Selection page, click Next.
12. On the Client Language Selection page, click Next.
13. On the Site and Installation Settings page, type the following information, and then click Next:
o
Site code: LON
o
Site name: Adatum Site
o
Install the Configuration Manager console check box: selected
14. On the Primary Site Installation page, select Install the primary site as a stand-alone site, and
then click Next.
15. In the Configuration Manager dialog box, click Yes.
16. On the Database Information page, verify that the SQL Server® name is LON-CFG.Adatum.com
and the database name is CM_LON, and then click Next twice.
17. On the SMS Provider Settings page, verify that the server name is LON-CFG.Adatum.com, and
then click Next.
18. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role, and then click Next.
19. On the Site System Roles page, verify that the Install a management point and Install a
distribution point check boxes are selected, verify that LON-CFG.Adatum.com appears in both
FQDN text boxes, and then click Next.
20. On the Customer Experience Improvement Program Configuration page, select I don’t want to
join the program at this time, and then click Next.
21. On the Settings Summary page, review your selected settings, and then click Next.
22. On the Prerequisite Check page, wait until Prerequisite Check validates the server readiness to host
the selected roles, and then click Begin Install.
Note: The installation may take up to 30 minutes.
23. In the Install window, wait for the installation to finish, and then click Close.
24. In the System Center 2012 Configuration Manager Setup screen, click Exit.
25. Close all open windows on LON-CFG.
 Task 3: To prepare for the next lab
•
When you finish the lab, leave the virtual machines running.
Results: At the end of this exercise, you should have installed System Center 2012 Configuration Manager
in a stand-alone primary site.
Lab B: Performing Post-Setup Configuration
Tasks
Exercise 1: Validating the Installation of the Primary Site
 Task 1: View the Site Status and Component Status
1.
On LON-CFG, on the Start screen, click the down arrow, and then click Configuration Manager
Console.
2.
In the Configuration Manager console, click the Monitoring workspace.
3.
In the navigation pane, expand System Status, and then click Site Status.
4.
View the status of each site system.
5.
In the navigation pane, click Component Status.
6.
View the status of each component.
 Task 2: View the status messages that pertain to the Configuration Manager 2012
installation
1.
In the navigation pane, click Site Status.
2.
In the results pane, select Site server.
3.
On the ribbon, click the Show Messages button, and then click All.
4.
In the Status Messages: Set Viewing Period dialog box, verify that in the Select date and time
drop-down list, 1 day ago is selected, and then click OK. The Configuration Manager Status
Message Viewer for <LON> <Adatum Site> dialog box opens.
5.
Double-click on any message, and then in the Status Message Details dialog box that appears,
review the details of the status message. Use the Next and Previous buttons to view additional status
messages.
6.
Click OK to close the Status Message Details dialog box.
7.
Close the Configuration Manager Status Message Viewer window.
 Task 3: View the installation logs
1.
Open File Explorer, and then navigate to drive C.
2.
In the root folder, double-click the ConfigMgrPrereq.log file. Review the file, and then note any
errors or warnings reported by Prerequisite Checker.
3.
Close the log file.
4.
In the root folder, double-click the ConfigMgrSetup.log file. Review the file, and then note any
errors or warnings reported by Setup.
5.
Close the log file, and then close File Explorer.
Note: The root folder also stores the ConfigMgrSetupWizard.log. If you installed the
console, you should see ConfigMgrAdminUISetup.log.
Results: At the end of this exercise, you will have validated the installation of System Center 2012
Configuration Manager.
Exercise 2: Performing the Initial Configuration of the Primary Site
 Task 1: Configure the London Active Directory site
1.
On LON-DC1, from Server Manager, click Tools, and then click Active Directory Sites and Services.
2.
In the Active Directory Sites and Services console tree, expand the Sites folder, and then select
Default-First-Site-Name.
3.
Right-click Default-First-Site-Name, and then click Rename.
4.
Type London, and then press Enter.
5.
In the Active Directory Sites and Services console tree, expand Sites, right-click the Subnets folder,
and then select New Subnet.
6.
In the New Object – Subnet dialog box, in the Prefix text box, type 172.16.0.0/16.
7.
In the Select a site object for this prefix list, select the London site, and then click OK.
8.
Close the Active Directory Sites and Services console.
 Task 2: Configure Active Directory Forest Discovery to create a new boundary from
the Active Directory site
1.
On LON-CFG, in the Configuration Manager console, select the Administration workspace.
2.
In the navigation pane, expand Hierarchy Configuration, and then select Discovery Methods.
3.
In the results pane, select the Active Directory Forest Discovery, and then on the ribbon, click
Properties.
4.
In the Active Directory Forest Discovery Properties dialog box, select Enable Active Directory
Forest Discovery, select the Automatically create Active Directory site boundaries when they
are discovered check box, and then click OK.
5.
In the Configuration Manager dialog box, to initiate full discovery, click Yes.
6.
In the navigation pane, click Active Directory Forests.
7.
In the results pane, select Adatum.com, and then on the ribbon, click Properties.
8.
In the Adatum.com Properties dialog box, review the settings, and then click the Publishing tab.
9.
On the Publishing tab, review the settings, and then click Cancel.
10. In the navigation pane, click Boundaries. Refresh the console.
11. In the results pane, select London, and then on the ribbon, click Properties.
12. In the London Properties dialog box, review the settings, and then click Cancel.
 Task 3: Configure a boundary group, and include the new boundary
1.
In the navigation pane, click Boundary Groups.
2.
On the ribbon, click Create Boundary Group.
3.
In the Create Boundary Group dialog box, on the General tab, in the Name text box, type London
Clients, and then click Add.
4.
In the Add Boundaries dialog box, select the London boundary, and then click OK.
5.
In the Create Boundary Group dialog box, click the References tab, and then select the Use this
boundary group for site assignment check box.
6.
Under the Site system servers section, click Add.
7.
In the Add Site Systems dialog box, select the \\LON-CFG.Adatum.com check box, and then
click OK.
8.
In the Create Boundary Group dialog box, click OK.
 Task 4: Install additional site system roles: the Fallback Status Point and Reporting
Services Point
1.
In the Configuration Manager console, in the navigation pane, expand Site Configuration, and then
click Servers and Site System Roles.
2.
In the results pane, select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and
then click Add Site System Roles.
3.
The Add Site System Roles Wizard starts. On the General page, verify that the Name for the site
server is LON-CFG.Adatum.com, and then click Next.
4.
On the Proxy page, click Next.
5.
On the System Role Selection page, select Fallback status point and Reporting services point,
and then click Next.
6.
On the Fallback Status Point page, review the settings, and then click Next.
7.
On the Reporting Services Point page, verify that the Site database server name is
LON-CFG.Adatum.com and the Database name is CM_LON, and then click Verify. Wait for the
message Successfully verified to appear.
8.
Click the Set button next to User name, and then click New Account.
9.
In the Windows User Account dialog box, specify the following credentials, and then click OK:
o
User name: ADATUM\Administrator
o
Password: Pa$$w0rd
o
Confirm password: Pa$$w0rd
10. On the Reporting Services Point page, click Next.
11. On the Summary page, review the settings, and then click Next.
12. On the Completion page, click Close.
 Task 5: Configure the management and distribution points
1.
In the Configuration Manager console, in the results pane, select \\LON-CFG.Adatum.com.
2.
In the preview pane, right-click the Management point, and then click Properties.
3.
In the Management point Properties dialog box, review the settings, select the Generate alert
when the management point is not healthy check box, and then click OK.
4.
In the preview pane, right-click the Distribution point, and then click Properties.
5.
In the Distribution point Properties dialog box, review the settings on each of the following tabs:
o
General
o
PXE
o
Multicast
o
Content Validation
6.
In the Distribution point Properties window, click the Boundary Groups tab, verify that the London
Clients boundary group you have created previously appears in the list, and then click Cancel.
Note: The association between the distribution point and the boundary group was created
when you added the site system to the boundary group in a previous task.
 Task 6: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1.
On the host computer, start Hyper-V Manager.
2.
In the Virtual Machines list, right-click 10748C-LON-DC1-A, and then click Revert.
3.
In the Revert Virtual Machine dialog box, click Revert.
4.
Repeat steps 2 and 3 for 10748C-LON-CFG-A.
Results: At the end of this exercise, you will have performed the initial configuration of a System Center
2012 Configuration Manager stand-alone primary site.
Module 3: Planning and Configuring Role-Based
Administration
Lab: Planning and Configuring Role-Based
Administration
Exercise 1: Reviewing Built-in Security Roles and Scopes
 Task 1: Review the default security roles and scopes
1.
On LON-CFG, click Configuration Manager Console on the taskbar.
2.
In the Configuration Manager console, click the Administration workspace.
3.
In the navigation pane, expand the Security node, and then click Security Roles.
4.
Review the list of roles available in the results pane. Note that there are 15 built-in roles.
5.
In the navigation pane, click Security Scopes.
6.
Review the list of scopes available in the results pane. Note there are two built-in scopes: All and
Default.
7.
In the navigation pane, click Administrative Users.
8.
In the results pane, select ADATUM\Administrator, and then review the information in the preview
pane. By default, the user who performed the Microsoft® System Center 2012 R2 Configuration
Manager setup is assigned the Full Administrator role, the All security scope, and the All Systems
and All Users and User Groups collections.
 Task 2: Review the default permissions for a security role
1.
In the Configuration Manager console, in the navigation pane, click the Security Roles node.
2.
In the results pane, select Application Administrator, and then, on the ribbon, click Properties.
3.
In the Application Administrator Properties dialog box, on the General tab, examine the role
description.
4.
Click the Administrative Users tab, and then note that there are no users associated with this role.
Additionally, note that you cannot add users from this property window.
5.
Click the Permissions tab, and then examine the permissions associated with this role. Expand each
category, and then review the individual permissions. Note that you cannot modify the permissions
for built-in roles.
6.
Click Cancel to close the Application Administrator Properties dialog box.
Results: By the end of this exercise, you should have reviewed the built-in roles, including their associated
permissions, and the built-in security scopes.
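The same review of roles, scopes, and administrative users can be run from PowerShell, which makes it repeatable as an access audit. This is an added example, not part of the course material; it assumes the Configuration Manager console (and its PowerShell module) is installed on the machine, and that the site code is LON and the site server is LON-CFG.Adatum.com as in the Module 2 lab.

```powershell
# Added example: read-only review of role-based administration assignments.
# Assumptions: Configuration Manager console installed locally; site code LON and
# site server LON-CFG.Adatum.com (values from the Module 2 lab, change as needed).
$siteCode   = 'LON'
$siteServer = 'LON-CFG.Adatum.com'

# The module ships with the console, one folder above the path in SMS_ADMIN_UI_PATH.
$modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
Import-Module $modulePath

# The module normally maps a drive named after the site code; create it if missing.
if (-not (Get-PSDrive -Name $siteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $siteCode -PSProvider CMSite -Root $siteServer | Out-Null
}

Push-Location "${siteCode}:"
try {
    # Task 1, steps 3-6: built-in versus custom roles and scopes.
    Get-CMSecurityRole |
        Sort-Object RoleName |
        Select-Object RoleName, IsBuiltIn |
        Format-Table -AutoSize

    Get-CMSecurityScope |
        Select-Object CategoryName, IsBuiltIn |
        Format-Table -AutoSize

    # Task 1, steps 7-8: who holds which role, scope, and collection.
    $admins = Get-CMAdministrativeUser | ForEach-Object {
        [pscustomobject]@{
            LogonName    = $_.LogonName
            IsGroup      = $_.IsGroup
            Roles        = $_.RoleNames -join '; '
            Scopes       = $_.CategoryNames -join '; '
            Collections  = $_.CollectionNames -join '; '
            # Full Administrator combined with the All scope is unrestricted access.
            Unrestricted = ($_.RoleNames -contains 'Full Administrator') -and
                           ($_.CategoryNames -contains 'All')
        }
    }
    $admins | Format-List

    # Accounts to justify individually: every unrestricted administrator.
    $admins | Where-Object { $_.Unrestricted } | Select-Object LogonName, IsGroup
}
finally {
    Pop-Location
}
```

In a fresh lab the last command returns only ADATUM\Administrator, the account that ran setup; any further entry after custom roles and scopes are introduced indicates an assignment that bypasses them.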
Exercise 2: Creating Custom Security Roles and Scopes
 Task 1: Create a new user and group for application administrators, and then add the
user to the group
1.
On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2.
In the Active Directory Users and Computers console, expand Adatum.com, right-click the Users
container, point to New, and then select User.
3.
In the New Object – User dialog box, in both the First name and User logon name text boxes, type
LondonAdmin, and then click Next.
4.
In the New Object – User dialog box, in both the Password and Confirm password text boxes, type
Pa$$w0rd, clear the User must change password at next logon check box, and then click Next.
5.
In the New Object – User dialog box, click Finish.
6.
In the Active Directory Users and Computers console, right-click the Users container, point to New,
and then click Group.
7.
In the New Object – Group dialog box, in the Group name text box, type London Application
Admins as the group name, and then click OK.
8.
Click the Users container, in the details pane, right-click the newly created London Application
Admins group, and then click Properties.
9.
In the London Application Admins Properties dialog box, click the Members tab, and then
click Add.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select field, type LondonAdmin, click Check Names, and then click OK.
11. In the London Application Admins Properties dialog box, click OK.
12. Close the Active Directory Users and Computers console.
Task 2: Create a custom scope for the London application administrators
1.
On LON-CFG, in the Configuration Manager console, verify that you are still in the Administration
workspace.
2.
In the navigation pane, expand the Security node, and then click Security Scopes.
3.
On the ribbon, click Create Security Scope.
4.
In the Create Security Scope dialog box, in the Security scope name text box, type London, and
then click OK.
5.
In the Configuration Manager console, in the navigation pane, click Distribution Points.
6.
In the results pane, select LON-CFG.ADATUM.COM, and then on the ribbon, click Set Security
Scopes.
7.
In the Set Security Scopes dialog box, leave the Default scope selected, select London, and then
click OK.
Task 3: Create a custom collection
1.
In the Configuration Manager console, click the Assets and Compliance workspace.
2.
In the navigation pane, expand the Overview node, and then click Device Collections.
3.
On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts.
4.
On the General page, in the Name box, type London Servers, and then next to Limiting collection,
click Browse.
5.
In the Select Collection dialog box, select All Systems, and then click OK.
6.
On the General page, click Next.
7.
On the Membership Rules page, click Add Rule, and then click Direct Rule. The Create Direct
Membership Rule Wizard starts.
8.
On the Welcome page, click Next.
9.
On the Search for Resources page, in the Resource class list, verify that System Resource is
selected, in the Value text box, type LON%, and then click Next.
10. On the Select Resources page, select LON-CFG, and then click Next.
11. On the Summary page, click Next.
12. On the Completion page, click Close.
13. In the Create Device Collection Wizard, on the Membership Rules page, verify that LON-CFG was
added to the list, and then click Next.
14. On the Summary page, click Next.
15. On the Completion page, click Close.
Task 4: Create a custom security role for application administrators
1.
In the Configuration Manager console, click the Administration workspace.
2.
In the navigation pane, expand the Security node, and then select Security Roles.
3.
In the results pane, select Application Administrator, and then on the ribbon, click Copy.
4.
In the Copy Security Role dialog box, in the Name text box, type Application and Update
Administrator.
5.
In the Copy Security Role dialog box, in the Customize the permissions for this copy of the
security role area, in the Permissions box, configure the following permissions by expanding each
permission group, and then selecting Yes next to each individual permission:
o All permissions under Software Update Group
o All permissions under Software Update Package
o All permissions under Software Updates
6. In the Copy Security Role dialog box, click OK.
Task 5: Add a new group of administrative users, and then assign a custom role and a custom scope
1.
In the Configuration Manager console, in the navigation pane, under the Security node, click
Administrative Users.
2.
On the ribbon, click Add User or Group.
3.
In the Add User or Group dialog box, next to User or group name, click Browse.
4.
In the Select User, Computer, or Group dialog box, in the Enter the object name to select text
box, type London Application Admins, click Check Names, and then click OK.
5.
In the Add User or Group dialog box, next to the Assigned security roles list box, click Add.
6.
In the Add Security Role dialog box, select the Application and Update Administrator role, and
then click OK.
7.
In the Add User or Group dialog box, under Assigned security scopes and collections, verify that
the Only the instances of objects that are assigned to the specified scopes or collections option
is selected. In the list box, select each collection and security scope, and then click Remove.
8.
In the Add User or Group dialog box, in the Security scopes and collections area, click Add, and
then click Security Scope.
9.
In the Add Security Scope dialog box, select London, and then click OK.
10. In the Add User or Group dialog box, in the Security scopes and collections area, click Add, and
then select Collection.
11. In the Select Collections dialog box, select Device Collections, select London Servers, and then
click OK.
12. In the Add User or Group dialog box, click OK.
13. In the Configuration Manager console in the results pane, click Adatum\London Application
Admins, and then review the information from the preview pane.
14. Close the Configuration Manager console.
Note: The users added to the London Application Admins group will have access only to
the Configuration Manager objects associated with the London scope and resources in the
London Servers collection.
Results: By the end of this exercise, you should have created a custom security scope, a custom collection,
and a custom security role.
Exercise 3: Testing the Permissions of the New Role
Task 1: Start the Configuration Manager console by using the London application administrator account
1.
On LON-CFG, hold the Shift key and right-click Configuration Manager on the taskbar, and then
click Run as a different user.
2.
In the Windows Security dialog box, in the Username box, type LondonAdmin, and then in the
Password box, type Pa$$w0rd. Click OK.
3.
The Configuration Manager console starts.
Task 2: Verify the permissions assigned to the new security role
1.
In the Configuration Manager console, click the Assets and Compliance workspace.
2.
In the navigation pane, under the Overview node, click Device Collections.
3.
In the results pane, verify that you can see only the London Servers collection.
4.
In the navigation pane, click on the Devices node.
5.
In the results pane, verify that you can see only the resources associated with your collection.
6.
In the Configuration Manager console, click the Administration workspace.
7.
In the navigation pane, under the Overview node, click Distribution Points.
8.
In the results pane, verify that you can see the LON-CFG.ADATUM.COM server.
9.
In the navigation pane, expand the Security node.
10. Verify that you do not have access to the Administrative Users, Security Roles, or Security Scopes
nodes.
11. Close the Configuration Manager console.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1.
On the host computer, start Hyper-V® Manager.
2.
In the Virtual Machines list, right-click 10748C-LON-DC1-B, and then click Revert.
3.
In the Revert Virtual Machine dialog box, click Revert.
4.
Repeat steps 2 and 3 for 10748C-LON-CFG-B.
Results: By the end of this exercise, you should have tested the new role permissions.
Module 4: Planning and Deploying a Multiple-Site Hierarchy
Lab A: Installing a Site Hierarchy
Exercise 1: Using Hierarchy Expansion to Install the Central Administration Site
Task 1: Prepare the environment for the hierarchy expansion
1.
On LON-CFG, open Server Manager.
2.
Click the Tools menu, and then click Computer Management.
3.
In the Computer Management window, expand Local Users and Groups, and then click Groups.
4.
Double-click Administrators.
5.
In the Administrators Properties dialog box, click Add.
6.
In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types.
7.
In the Object Types dialog box, select the Computers check box, and then click OK.
8.
In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type
LON-CAS, and then click Check Names.
9.
In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click OK.
10. In the Administrators Properties dialog box, click OK.
11. Close Computer Management and Server Manager.
12. Switch to LON-DC1.
13. In Server Manager, click the Tools menu, and then click Active Directory Users and Computers.
14. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click the Users container.
15. Double-click ConfigMgrServers.
16. In the ConfigMgrServers Properties dialog box, click the Members tab, and then click Add.
17. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types.
18. In the Object Types dialog box, select the Computers check box, and then click OK.
19. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type
LON-CAS; NYC-CFG, and then click Check Names.
20. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click OK.
21. In the ConfigMgrServers Properties dialog box, click OK.
22. Close Active Directory Users and Computers and Server Manager.
Task 2: Start additional lab servers
1.
On the host computer, start Hyper-V Manager.
2.
In Hyper-V® Manager, click 10748C-LON-CAS-B, and then in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Sign in using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 1 through 4 for 10748C-NYC-CFG-B.
Task 3: Run Installation Prerequisite Check, and verify that the expansion prerequisites are met
1.
On LON-CAS, go to the Start screen, and then type cmd. Right-click Command Prompt, and then
click Run as administrator.
2.
In the Administrator: Command Prompt, type the following and then press Enter:
E:
3.
In the Administrator: Command Prompt, type the following and then press Enter:
CD E:\ConfigMgr2012R2\SMSSetup\BIN\X64
4.
In the Administrator: Command Prompt, type the following and then press Enter:
Prereqchk.exe /CAS /SQL LON-CAS.Adatum.com /SDK LON-CAS.Adatum.com /Expand LON-CFG.Adatum.com
5.
The Installation Prerequisite Check starts and evaluates the server for installed prerequisites.
6.
In the Installation Prerequisite Check window, verify that there are no errors (you may receive several
warnings), and then click OK.
7.
Close the Administrator: Command Prompt.
Task 4: Run the splash screen for Configuration Manager 2012
1.
On LON-CAS, click Start, and then click This PC.
2.
In File Explorer, navigate to the E:\ConfigMgr2012R2\ folder.
3.
Double-click splash.hta.
4.
In the How do you want to open this type of file (.hta)? dialog box, click Microsoft (R) HTML
Application host.
Task 5: Run Setup to install a Configuration Manager 2012 R2 central administration site and expand an existing primary site into the hierarchy
1.
On the System Center 2012 R2 Configuration Manager Setup screen, click Install.
2.
The System Center 2012 R2 Configuration Manager Setup Wizard starts. On the Before You Begin
page, click Next.
3.
On the Getting Started page, in Available Setup Options, select Install a Configuration Manager
central administration site, and then click Next.
4.
On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
5.
On the Microsoft Software License Terms page, select I accept these license terms, and then click
Next.
6.
On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, under Microsoft Silverlight 5, select I accept these License Terms and automatic
updates of Silverlight, and then click Next.
7.
On the Prerequisite Downloads page, select Use previously downloaded files, and then click
Browse.
8.
In the Browse For Folder dialog box, select E:\ConfigMgr2012R2\Redist, and then click OK.
9.
On the Prerequisite Downloads page, click Next.
10. Configuration Manager Setup Downloader starts to verify the prerequisites. Wait for the operation to
finish.
11. On the Server Language Selection page, click Next.
12. On the Client Language Selection page, click Next.
13. On the Site and Installation Settings page, enter the following settings, and then click Next:
o
Site code: CAS
o
Site name: London Central Administration Site
o
Install the Configuration Manager console: selected
14. On the Central Administration Site Installation page, select Expand an existing standalone primary into a hierarchy, in the Stand-alone primary site server (FQDN) field, type
LON-CFG.Adatum.com, and then click Next.
15. On the Database Information page, verify that the SQL Server name is LON-CAS.Adatum.com and
that the database name is CM_CAS, and then click Next.
16. On the second Database Information page, verify that the Path to the SQL Server data file is
configured as C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
17. On the second Database Information page, verify that the Path to the SQL Server log file is
configured as C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA,
and then click Next.
18. On the SMS Provider Settings page, verify that the server name is LON-CAS.Adatum.com, and
then click Next.
19. On the Customer Experience Improvement Program Configuration page, select I don’t want to
join the program at this time, and then click Next.
20. On the Settings Summary page, review your selected settings, and then click Next.
21. On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click Begin
Install.
22. In the Install window, wait for the installation to complete, and then click Close.
Note: When the System Center 2012 R2 Configuration Manager Setup Wizard displays Core
setup has completed, the setup is not complete. Do not continue with the lab until the
Applying the snapshot data task has completed. The installation process may take up to 45
minutes.
23. In the System Center 2012 R2 Configuration Manager Setup screen, click Exit.
24. Close the File Explorer window.
Results: At the end of this exercise, you should have installed a Microsoft® System Center 2012 R2
Configuration Manager central administration site and a primary site in a hierarchy.
Lab B: Verifying a Site Hierarchy
Exercise 1: Validating the Installation
Task 1: View the site status and component status
1.
On LON-CAS, click Start, expand the start screen to show all applications, and then in the Microsoft
System Center 2012 R2 section, click Configuration Manager Console.
Note: If a Configuration Manager dialog box appears stating that your Configuration
Manager console is in read-only mode, click OK to continue.
2.
In the Configuration Manager console, click the Monitoring workspace.
3.
In the navigation pane, expand System Status, and then click Site Status.
4.
View the status of each site system and site system roles.
5.
In the navigation pane, select Component Status.
6.
View the status of each component.
Task 2: View the status messages for the Configuration Manager 2012 installation
1.
In the navigation pane, click Site Status.
2.
In the results pane, for \\LON-CAS.Adatum.com, select Site server.
3.
On the ribbon, click Show Messages, and then select All.
4.
In the Status Messages: Set Viewing Period dialog box, verify that Select date and time is selected
and that in the corresponding drop-down list, 1 day ago is selected, and then click OK.
5.
In the Configuration Manager Status Message Viewer for <CAS> <London Central Administration
Site> window, double-click any status message, and then review the details. Click OK to close the
Status Message Details box.
6.
Close the Configuration Manager Status Message Viewer for <CAS> <London Central Administration
Site> window.
Task 3: View the database replication status
1.
In the navigation pane, click Database Replication.
2.
View the status of the database replication between Parent Site CAS and Child Site S01.
Note: If the Link State is Link Failed, you must reinitialize the replication. To reinitialize the
replication, perform the following steps:
1.
Switch to LON-CFG.
2.
On the Desktop, create a file named configuration data.pub.
3.
Open File Explorer and move configuration data.pub to C:\Program Files\Microsoft
Configuration Manager\inboxes\rcm.box.
4.
Wait for the file to move.
5.
After 10 minutes, switch to LON-CAS and in Database Replication, refresh the replication link for
Parent Site CAS and Child Site S01. The link should now display Link Active.
Task 4: View the installation logs
1.
In Windows Explorer, navigate to drive C.
2.
In the root folder, open the ConfigMgrPrereq.log file. The file is displayed in Notepad.
3.
Note any errors and warnings reported by Prerequisite Checker. Close Notepad.
4.
In the root folder, open the ConfigMgrSetup.log file. The file is displayed in Notepad.
5.
Note any errors and warnings reported by Setup. Close Notepad.
Note: When a log file reaches a certain size, which varies depending on the process, a new
log file is created and the old log file is renamed with a .lo_ extension. The ConfigMgrSetup.log
might have only a few entries and you might need to review the ConfigMgrSetup.lo_ file.
Task 5: Review the available site system roles
1.
In the Configuration Manager console, click the Administration workspace.
2.
In the navigation pane, expand Site Configuration, and then click Servers and Site System Roles.
3.
In the results pane, click LON-CAS.Adatum.com, and then in the preview pane, note the roles
installed on the server, including:
o
Component server
o
Site database server
o
Site server
o
Site system
4.
In the results pane, right-click LON-CAS.Adatum.com, and then click Add Site System Roles. The
Add Site System Roles Wizard starts.
5.
On the General page, click Next.
6.
On the Proxy page, click Next.
7.
On the System Role Selection page, note the available roles, including:
o
Asset Intelligence synchronization point
o
Certificate registration point
o
Endpoint Protection point
o
Reporting services point
o
Software update point
o
System Health Validator point
8.
In the System Role Selection window, click Cancel.
9.
In the Configuration Manager message box, click Yes.
Note: When you install certain site system roles as part of a hierarchy, you cannot install
them in a primary site. Instead, you must install these roles at the central administration site.
These roles include:
•
Asset Intelligence synchronization point
•
Endpoint Protection point
•
Software update point
Results: At the end of this exercise, you will have validated the installation of System Center 2012 R2
Configuration Manager.
Exercise 2: Automating the Installation of a Primary Site
Task 1: Review the contents of the installation script
1.
On LON-CAS, in Windows Explorer, navigate to E:\ConfigMgr2012R2\NYC, and then open the
ConfigMgrAutoSave_NYC.ini file.
2.
Review the contents of the file, and then close the viewer:
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=EVAL
SiteCode=NYC
SiteName=New York City Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=NYC-CFG.Adatum.com
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath=\\LON-CAS\E$\ConfigMgr2012R2\Redist
MobileDeviceLanguage=0
ManagementPoint=NYC-CFG.Adatum.com
ManagementPointProtocol=HTTP
DistributionPoint=NYC-CFG.Adatum.com
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
SQLServerName=NYC-CFG.Adatum.com
DatabaseName=CM_NYC
SQLSSBPort=4022
SQLDataFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
SQLLogFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
[HierarchyExpansionOption]
CCARSiteServer=LON-CAS.Adatum.COM
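The unattended script fixes the new site's transport settings at install time, so it can be reviewed before Setup runs. The following Python check is an added example, not part of the course material: it flags the HTTP and non-PKI settings, malformed server names, and an administrative-share source path. The hardened variant assumes PKI certificates are already deployed, and the share name \\LON-CAS\CMRedist is hypothetical.

```python
import configparser
import re

# Constructed sample: the transport-related keys of the lab's
# ConfigMgrAutoSave_NYC.ini, with the values shown on the page.
LAB_SCRIPT = r"""
[Identification]
Action=InstallPrimarySite
[Options]
SiteCode=NYC
SDKServer=NYC-CFG.Adatum.com
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisitePath=\\LON-CAS\E$\ConfigMgr2012R2\Redist
ManagementPoint=NYC-CFG.Adatum.com
ManagementPointProtocol=HTTP
DistributionPoint=NYC-CFG.Adatum.com
DistributionPointProtocol=HTTP
[SQLConfigOptions]
SQLServerName=NYC-CFG.Adatum.com
[HierarchyExpansionOption]
CCARSiteServer=LON-CAS.Adatum.COM
"""

# Constructed hardened variant. Assumes PKI certificates are deployed and that
# \\LON-CAS\CMRedist is a dedicated read-only share (hypothetical name).
HARDENED_SCRIPT = (
    LAB_SCRIPT
    .replace("RoleCommunicationProtocol=HTTPorHTTPS",
             "RoleCommunicationProtocol=EnforceHTTPS")
    .replace("ClientsUsePKICertificate=0", "ClientsUsePKICertificate=1")
    .replace("Protocol=HTTP\n", "Protocol=HTTPS\n")
    .replace(r"\E$\ConfigMgr2012R2\Redist", r"\CMRedist")
)

# (section, key) -> (value the check expects, why it matters)
EXPECTED = {
    ("Options", "RoleCommunicationProtocol"):
        ("EnforceHTTPS", "site system roles still accept plain HTTP"),
    ("Options", "ClientsUsePKICertificate"):
        ("1", "clients are not told to use a PKI client certificate"),
    ("Options", "ManagementPointProtocol"):
        ("HTTPS", "client to management point traffic is not TLS protected"),
    ("Options", "DistributionPointProtocol"):
        ("HTTPS", "content download from the distribution point is not TLS protected"),
}

# Keys whose value must be a server FQDN.
HOST_KEYS = [
    ("Options", "SDKServer"),
    ("Options", "ManagementPoint"),
    ("Options", "DistributionPoint"),
    ("SQLConfigOptions", "SQLServerName"),
    ("HierarchyExpansionOption", "CCARSiteServer"),
]

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})+")
# \\server\C$ or \\server\ADMIN$ style paths
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?:[A-Za-z]|ADMIN)\$(?:\\|$)", re.IGNORECASE)


def audit_setup_script(text):
    """Return a list of (section, key, value, message) findings."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key names exactly as written
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        # Duplicate keys or sections make the effective value ambiguous.
        return [("-", "-", "", f"script rejected: {exc.__class__.__name__}")]

    findings = []
    for (section, key), (wanted, reason) in EXPECTED.items():
        value = parser.get(section, key, fallback=None)
        if value is None:
            findings.append((section, key, "", "key absent, setting cannot be verified"))
        elif value.strip().lower() != wanted.lower():
            findings.append((section, key, value, f"expected {wanted}: {reason}"))

    for section, key in HOST_KEYS:
        value = parser.get(section, key, fallback=None)
        if value is not None and not FQDN_RE.fullmatch(value):
            findings.append((section, key, value, "not a well-formed FQDN"))

    path = parser.get("Options", "PrerequisitePath", fallback="")
    if ADMIN_SHARE_RE.match(path):
        findings.append(("Options", "PrerequisitePath", path,
                         "administrative share: only reachable with "
                         "administrative rights on the source server"))
    return findings


if __name__ == "__main__":
    for name, script in (("lab", LAB_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(f"== {name} ==")
        for section, key, value, message in audit_setup_script(script):
            print(f"[{section}] {key}={value}: {message}")
```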
Task 2: Run Setup for Configuration Manager 2012 and use the script option
1.
On NYC-CFG, click the Start menu, then on the Start screen, type cmd. Right-click Command
Prompt, and then click Run as Administrator.
2.
At the command prompt, type the following commands. Press Enter after each command line:
Net Use I: \\LON-CAS\E$\ConfigMgr2012R2
I:
cd smssetup\bin\X64
setup /script I:\NYC\ConfigMgrAutoSave_NYC.ini
Note: The Configuration Manager Setup will run in unattended mode. The installation
process may take up to 30 minutes. You can use Task Manager to monitor the Setup progress.
On the Details tab, when you see CcmExec.exe as a running process, the setup is complete.
Results: At the end of this exercise, you should have installed a System Center 2012 R2 Configuration
Manager primary site in an existing hierarchy by using the automated setup method.
Lab C: Installing a Secondary Site
Exercise 1: Configuring Prerequisites
Task 1: Prepare the environment for the TOR-CFG secondary site
1.
On LON-DC1, in the Server Manager console, click the Tools menu, and then click Active Directory
Users and Computers.
2.
In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click the Users container.
3.
Double-click ConfigMgrServers.
4.
In the ConfigMgrServers Properties dialog box, click the Members tab, and then click Add.
5.
In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types.
6.
In the Object Types dialog box, select the Computers check box, and then click OK.
7.
In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type TOR-CFG,
and then click Check Names.
8.
In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click OK.
9.
In the ConfigMgrServers Properties dialog box, click OK.
10. Close Active Directory Users and Computers and Server Manager.
Task 2: Start TOR-CFG and launch Server Manager
1.
On the host computer, start Hyper-V Manager.
2.
In Hyper-V Manager, click 10748C-TOR-CFG-B, and then in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Sign in using the following credentials:
o
User name: Administrator
o
Password: Pa$$w0rd
o
Domain: Adatum
5.
On the task bar, click Server Manager.
6.
On TOR-CFG, in Server Manager, click Tools, and then click Computer Management.
7.
In the navigation pane, expand Local Users and Groups, and then click Groups.
8.
In the results pane, double-click the Administrators group.
9.
In the Administrators Properties dialog box, click Add.
10. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box, click Object
Types.
11. In the Object Types dialog box, select Computers, and then click OK.
12. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box, in the Enter
the object names to select text box, type NYC-CFG, click Check Names, and then click OK.
13. In the Administrators Properties dialog box, click OK.
14. Close the Computer Management console.
Task 3: Verify that Web Server (IIS) and related role services are installed
• In the Server Manager console, click Local Server, scroll to the Roles and Features section, and then
verify that the following Role Services are installed:
o Common HTTP Features
   ▪ Default Document
o Security
   ▪ Windows Authentication
o Application Development
   ▪ ASP.NET 3.5
   ▪ ASP.NET 4.5
   ▪ .NET Extensibility 3.5
   ▪ .NET Extensibility 4.5
o IIS 6 Management Compatibility
   ▪ IIS 6 Metabase Compatibility
   ▪ IIS 6 WMI Compatibility
Task 4: Verify that the BITS and remote differential compression features are installed
1.
In the navigation pane in Server Manager, scroll to the Roles and Features section.
2.
In the results pane, verify that the following features are installed:
o
.NET Framework 3.5 Features
o
.NET Framework 4.5 Features
o
Background Intelligent Transfer Service (BITS)
o
Remote differential compression
Results: At the end of this exercise, you should have validated the prerequisites for installing a System
Center 2012 Configuration Manager secondary site.
Exercise 2: Installing a Secondary Site from a Primary Site
Task 1: Run the Secondary Site Installation Wizard
1.
On NYC-CFG, click Start, expand the Start screen, and then click Configuration Manager Console.
2.
In the Configuration Manager console, click the Administration workspace.
3.
In the navigation pane, expand Site Configuration, and then select Sites.
4.
In the results pane, select NYC – New York City Primary Site, and then on the ribbon, click Create
Secondary Site. The Create Secondary Site Wizard starts.
5.
On the Before You Begin page, click Next.
6.
On the General page, configure the following options, and then click Next:
o
Site code: TOR
o
Site server name: TOR-CFG.Adatum.com
o
Site Name: Toronto Secondary Site
7.
On the Installation Source Files page, click Copy installation source files over the network from
the parent site server, and then click Next.
8.
On the SQL Server Settings page, click Install and configure a local copy of SQL Server Express
on the secondary site computer, verify that the following information has been specified, and then
click Next:
o SQL Server service port: 1433
o SQL Server Service Broker Port: 4022
9. On the Distribution Point page, accept the default settings, and then click Next.
10. On the Drive Settings page, accept the default settings, and then click Next.
11. On the Content Validation page, click Next.
12. On the Boundary Groups page, click Next.
13. In the Summary page, review your selected settings, and then click Next.
14. In the Completion page, click Close.
Note: When the Create Secondary Site Wizard finishes, the installation continues in the
background on the target server. To validate the installation, verify the installation logs in the
next exercise.
15. In the Configuration Manager console, in the results pane, select TOR – Toronto Secondary Site,
and then on the ribbon, click Show Install Status.
16. In the Secondary Site Installation Status dialog box, review the progress of the installation actions,
click Refresh to monitor the status, and then click OK. It takes approximately 15-20 minutes for the
installation to complete.
Results: At the end of this exercise, you should have installed the System Center 2012 Configuration
Manager secondary site.
Exercise 3: Validating the Installation
Task 1: View the setup logs
1.
On TOR-CFG, open Windows Explorer, and then navigate to drive C.
2.
In the root folder, open the ConfigMgrSetup.log file. In the Open with box, select Notepad, and
then click OK.
3.
Note any errors and warnings reported by Setup. Close Notepad.
Task 2: View the system status for the new secondary site
1.
On NYC-CFG, in the Configuration Manager console, in the navigation pane, click the Monitoring
workspace.
2.
In the navigation pane, expand System Status, and then click Site Status.
3.
View the status of the site systems for TOR-CFG.
Note: You can view the secondary site status at the parent primary site or at the central
administration site. It may take several minutes until the installation finishes and the secondary
site status appears in the console.
4.
In the navigation pane, click the Component Status node.
5.
In the results pane, view the status of the components for TOR-CFG.
6.
In the navigation pane, click the Database Replication node.
7.
In the results pane, view the status of the replication link between NYC and TOR. It should show that
the link is active.
8.
In the navigation pane, click the Site Hierarchy node.
9.
In the results pane, view the site hierarchy diagram. On the NYC icon, click the plus sign to view TOR.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1.
On the host computer, start Hyper-V Manager.
2.
In the Virtual Machines list, right-click 10748C-LON-DC1-B, and then click Revert.
3.
In the Revert Virtual Machine dialog box, click Revert.
4.
Repeat steps 2 and 3 for 10748C-LON-CAS-B, 10748C-NYC-CFG-B, 10748C-LON-CFG-B, and
10748C-TOR-CFG-B.
Note: The line between NYC and TOR in the site hierarchy diagram represents the state of the database
replication between the sites. This line can have several different symbols depending on the replication
status.
• ? in a white circle is shown when the status has not yet been reported.
• X in a red circle is shown when the status has been reported and the initial replication is incomplete
or there is an error during ongoing replication.
• √ in a green circle is shown when the initial replication has completed successfully and there are no
errors in the ongoing replication.
Results: At the end of this exercise, you should have validated the installation of a System Center 2012
Configuration Manager secondary site.
Module 5: Replicating Data and Managing Content in Configuration Manager 2012
Lab A: Configuring, Monitoring, and Troubleshooting Data Replication
Exercise 1: Verifying and Configuring Replication Settings
Task 1: Configuring file replication settings
1.
On LON-CAS, on the taskbar, click Configuration Manager Console.
2.
In the Configuration Manager console, click the Administration workspace.
3.
Expand the Hierarchy Configuration folder, and then click File Replication.
4.
Right-click the Adatum Site S01 London Central Administration Site CAS file replication link, and
then click Properties.
5.
On the Schedule tab, click the Sunday 0 hour.
6.
In the Availability drop-down list, select Closed.
7.
On the Rate Limits tab, click Limited to specified maximum transfer rates by hour.
8.
Click the 0 hour that is on the left, hold the Shift key, and then click 4.
9.
In the Limit available bandwidth (%) box, select 50.
10. In the Adatum Site Properties dialog box, click OK.
 Task 2: Configuring database replication settings
1.
Click the Database Replication node.
2.
Right-click the CAS Central administration site S01 Primary site database replication link, and then
click Link Properties.
3.
On the General tab, in the Summarization interval (minutes) box, select 5, and then click Apply.
4.
Review the settings on the Schedule tab.
5.
Review the settings on the Alerts tab.
6.
In the CAS <-> S01 Replication Link Properties dialog box, click OK.
 Task 3: Configuring sender properties
1.
Expand Site Configuration, and then click the Sites node.
2.
Select S01 – Adatum Site.
3.
On the ribbon, click Settings, click Configure Site Components, and then click Software
Distribution.
4.
On the General tab, in the Maximum number of packages box, select 5.
5.
In the Maximum threads per package box, select 8.
6.
Under Retry settings, in the Number of retries box, select 5, and in the Delay before retrying
(minutes) box, select 5.
7.
In the Software Distribution Component Properties dialog box, click OK.
Results: At the end of this exercise, you should have configured the replication settings between the A. Datum central administration site and the London primary site.
Exercise 2: Monitoring Replication
Task 1: Review the replication information and configuration settings
1. On LON-CAS, open the Monitoring workspace.
2. In the navigation pane, click the Database Replication node, and then in the results pane, select the CAS to S01 replication link. Verify that Link State shows Link Active. If it does not, refresh the results pane.
3. Review the information available in the preview pane under the Replication Status area. In the Site Replication Status section, verify that both Parent Site State and Child Site State display a status of Replication Active.
4. In the Global Data Replication Status section, verify that both Parent Site to Child Site Global State and Child Site to Parent Site Global State display the Link Active status and that the Last Synchronization Time reflects today’s date.
Note: If the status of Parent Site to Child Site Global State and Child Site to Parent Site Global State are Link Inactive, verify that both LON-CAS and LON-CFG have started. To refresh the status, click the CAS to S01 replication link, and then press F5.
5. In the preview pane, click the Parent Site tab. Review the information available in the Replication Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
6. In the preview pane, click the Child Site tab. Review the information available in the Replication Status area.
Task 2: Create a custom collection
1. In the Configuration Manager console, click the Assets and Compliance workspace.
2. In the navigation pane, click the Device Collections node.
3. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts.
4. On the General page, in the Name text box, type London Computers, and then click Browse.
5. In the Select Collection dialog box, click All Systems, and then click OK.
6. On the General page, click Next.
7. On the Membership Rules page, click Add Rule, and then click Direct Rule. The Create Direct Membership Rule Wizard starts.
8. On the Welcome page, click Next.
9. On the Search for Resources page, in the Resource Class drop-down list, verify that System Resource is selected. In the Value text box, type LON%, and then click Next.
10. On the Select Resources page, select both the LON-CAS and LON-CFG check boxes, and then click Next.
11. On the Summary page, click Next.
12. On the Completion page, click Close.
13. In the Create Device Collection Wizard, on the Membership Rules page, verify that both LON-CAS and LON-CFG were added to the list, and then click Next.
14. On the Summary page, click Next.
15. On the Completion page, click Close.
Task 3: Monitor the replication of the collection to the primary site
1. On LON-CFG, on the taskbar, click Configuration Manager Console.
2. In the Configuration Manager console, verify that you are in the Assets and Compliance workspace.
3. In the navigation pane, click the Device Collections node.
4. In the results pane, verify that the London Computers collection appears in the list of device collections.
5. Right-click the London Computers collection, and then click Show Members. Notice that a new node appears in the navigation pane under Devices. Notice also that the members of the collection appear in the results pane.
Results: At the end of this exercise, you should have verified the replication between the A. Datum central administration site and the London primary site.
Exercise 3: Troubleshooting Replication
Task 1: Configure in-console alerts for monitoring replication
1. On LON-CAS, in the Configuration Manager console, click the Monitoring workspace.
2. In the navigation pane, click the Database Replication node, and then in the results pane, click the CAS to S01 replication link.
3. Right-click the CAS to S01 replication link, and then click Link Properties.
4. In the CAS <-> S01 Replication Link Properties dialog box, on the Alerts tab, verify that the Generate an alert when this replication link is not working for a specified period of time check box is selected.
5. On the Alerts tab, in the Number of minutes box, change the value to 3 minutes, and then click OK.
Task 2: Stop the SMS_EXECUTIVE service on LON-CFG
1. On LON-CFG, on the Start screen, click Administrative Tools, and then in the Administrative Tools folder, double-click Services.
2. In the Services console, click the SMS_EXECUTIVE service, and then on the ribbon, click the Stop Service button.
3. In the Service Control window, wait for the service to stop. Wait at least three minutes before continuing to the next task.
Task 3: Troubleshoot the replication issue
1. On LON-CAS, browse to C:\Program Files\Microsoft Configuration Manager\tools\, and then double-click CMTRACE.exe.
2. In the Configuration Manager Trace Log Tool dialog box, click Yes to make the program the default viewer for all log files, and then close the tool.
3. In the Configuration Manager console, in the navigation pane, click the Alerts node, and then click All Alerts.
4. In the results pane, click the alert named Replication link down between parent site and S01, and then on the ribbon, click Configure.
5. In the Replication link down between parent site and S01 Properties dialog box, verify that Minutes replication link connectivity down greater than has a value of 3, and then click OK.
6. In the navigation pane, click the Assets and Compliance workspace, and then click the Device Collections node.
7. Right-click the London Computers collection, and then click Properties.
8. In the London Computers Properties dialog box, in the Name text box, change the name of the collection to London Servers, and then click OK.
9. In the navigation pane, click the Monitoring workspace.
10. In the navigation pane, click the Database Replication node, and then in the results pane, click the CAS to S01 replication connection.
11. Verify that the status of the replication link is either Link Failed or Link Degraded. Press F5, if necessary, to refresh the status.
12. Right-click the CAS to S01 replication link, and then click Save Diagnostic Files.
13. In the Save As dialog box, in the File name box, type Replication Diagnostics. In the navigation pane, click Local Disk (C:), and then click Save.
14. From the taskbar, start Windows Explorer.
15. In Windows Explorer, navigate to the C: drive, and then open the file Replication Diagnostics in Notepad.
16. Review the content of the file. Note that the Child Site to Parent Site Global State displays a status of Link Failed or Link Degraded. Close Notepad.
Task 4: Resolve the issue and verify that replication is functioning correctly
1. On LON-CAS, right-click the CAS to S01 replication link, and then click Replication Link Analyzer. Replication Link Analyzer starts detecting problems. Wait for the operation to finish.
2. In the CAS <-> S01 Replication Link Analyzer window, on the Restart the SMS_EXECUTIVE service on LON-CFG.Adatum.com page, click Restart the SMS_EXECUTIVE service. Wait for the operation to finish.
3. In the Replication Link Analyzer window, on the Successfully restarted the SMS_EXECUTIVE service on LON-CFG.Adatum.com page, click Continue.
4. In the Replication Link Analyzer window, click OK.
5. In the CAS <-> S01 Replication Link Analyzer window, click Reinitialize replicated tables.
6. In the CAS <-> S01 Replication Link Analyzer window, click Continue.
7. In the Replication Link Analyzer window, click OK.
8. In the CAS <-> S01 Replication Link Analyzer window, click Check to see if the problem is fixed.
Note: Based on timing, there may still be issues that are detected. If issues are detected, first click the Check to see if the problem is fixed link.
9. In the CAS <-> S01 Replication Link Analyzer window, on the Troubleshooting Report page, click View Report.
10. In the How do you want to open this type of file (.htm)? dialog box, click Internet Explorer. The content of ReplicationAnalysis.xml opens in Internet Explorer®.
11. Review the content of the file, and then close Internet Explorer.
12. In the Replication Link Analyzer window, click View Log. The content of ReplicationLinkAnalysis.log opens in Configuration Manager Trace Log Tool.
13. Review the content of the file, and then close Configuration Manager Trace Log Tool.
14. In the CAS <-> S01 Replication Link Analyzer window, click Close.
Results: At the end of this exercise, you should have troubleshot replication between the primary site and the central administration site.
Task 5: To prepare for the next lab
• When you finish this lab, leave the virtual machines running.
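The failure staged in Exercise 3 (SMS_EXECUTIVE stopped on LON-CFG) and the ports noted in Exercise 2 (SQL Server 1433, SQL Server service broker 4022) can also be checked from a Windows PowerShell prompt before opening Replication Link Analyzer. The following script is an added example, not part of the course material. The function names are hypothetical, and it assumes that each site server hosts its own site database and that the account running it can query services remotely.

```powershell
# Added example: pre-check for the CAS <-> S01 replication link used in this lab.
# Written for Windows PowerShell 3.0 or later; Get-Service -ComputerName is not
# available in PowerShell 6+. Test-TcpPort and Get-ReplicationPrecheck are
# hypothetical helper names, not Configuration Manager cmdlets.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so that a filtered port does not block for long.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false                  # timed out: host down or port filtered
        }
        $client.EndConnect($pending)       # throws if the connection was refused
        return $true
    }
    catch {
        return $false                      # refused, or the name did not resolve
    }
    finally {
        $client.Close()
    }
}

function Get-ReplicationPrecheck {
    param(
        # Site servers and ports as shown in the lab; assumption: SQL Server is
        # installed on each site server.
        [string[]]$SiteServers = @('LON-CAS', 'LON-CFG'),
        [hashtable]$Ports = @{ 1433 = 'SQL Server'; 4022 = 'SQL Server service broker' },
        [string]$ServiceName = 'SMS_EXECUTIVE'
    )
    foreach ($server in $SiteServers) {
        # 1. State of the service that the lab stops to break replication.
        $svc = Get-Service -ComputerName $server -Name $ServiceName -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        [pscustomobject]@{
            Server  = $server
            Check   = "$ServiceName service"
            Result  = $state
            Healthy = ($state -eq 'Running')
        }

        # 2. Reachability of the two ports listed on the Parent Site tab.
        foreach ($port in ($Ports.Keys | Sort-Object)) {
            $open = Test-TcpPort -ComputerName $server -Port $port
            $result = if ($open) { 'Open' } else { 'Unreachable' }
            [pscustomobject]@{
                Server  = $server
                Check   = "TCP $port ($($Ports[$port]))"
                Result  = $result
                Healthy = $open
            }
        }
    }
}

$results = @(Get-ReplicationPrecheck)
$results | Format-Table Server, Check, Result, Healthy -AutoSize

$failed = @($results | Where-Object { -not $_.Healthy })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} check(s) failed; compare with the link state shown under Database Replication." -f $failed.Count)
}
```

With SMS_EXECUTIVE stopped on LON-CFG as in Exercise 3, Task 2, the service row for LON-CFG reports Stopped while the port rows can still report Open, which separates a stopped site component from a network or SQL Server problem.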
Lab B: Planning and Configuring Content Management
Exercise 1: Planning Content Distribution
Task 1: Planning the deployment
There is not one correct answer for this scenario. Possible recommendations include:
• Create boundaries for each location.
• Create additional distribution points in the remote offices at the central location. For the lab, build an additional distribution point on LON-SVR1.
• Prestage content to the locations with information technology (IT) staff. For the lab, prestage content to LON-SVR1.
• Use BranchCache® in the remote offices without sites or distribution points. For the lab, enable BranchCache support on LON-CFG.
• Restrict replication during business hours to high priority traffic only.
• Create cloud-based distribution points for the field staff instead of Internet-based distribution points.
• Use the cloud-based distribution point for content fallback.
• Do not allow fallback to the central location.
Results: At the end of this exercise, you will have planned distribution architecture for the company.
Exercise 2: Implementing Distribution Points
Task 1: Add the primary site server computer account to the local Administrators group
1. On LON-SVR1, in Server Manager, click Tools, and then click Computer Management.
2. In the navigation pane of the Computer Management console, expand Local Users and Groups, and then click Groups.
3. In the results pane, double-click the Administrators group.
4. In the Administrators Properties dialog box, click Add.
5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select Computers, and then click OK.
7. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select text box, type LON-CFG, click Check Names, and then click OK.
8. In the Administrators Properties dialog box, click OK.
9. Close the Computer Management console and Server Manager.
Task 2: Create a distribution point
1. On LON-CAS, in the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand Site Configuration, and then click Servers and Site System Roles.
3. On the ribbon, click the Home tab, and then click Create Site System Server. The Create Site System Server Wizard starts.
4. On the General page, click Browse.
5. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1. Click Check Names, and then click OK.
6. On the General page, in the Site Code drop-down list, select S01 – Adatum Site, and then click Next.
7. On the Proxy page, click Next.
8. On the System Role Selection page, select Distribution point, and then click Next.
9. On the Distribution Point page, select Install and configure IIS if required by Configuration Manager and Enable this distribution point for prestaged content, and then click Next.
10. On the Drive Settings page, review the default settings, and then click Next.
11. On the Pull Distribution Point page, click Next.
12. On the PXE Settings page, click Next.
13. On the Multicast page, click Next.
14. On the Content Validation page, select Validate content on a schedule, and then click Next.
15. On the Boundary Groups page, click Next.
16. On the Summary page, review the settings, and then click Next.
17. On the Completion page, click Close.
18. In the Configuration Manager console, verify that \\LON-SVR1.Adatum.com appears in the results pane.
Task 3: Create and populate a distribution point group
1. In the navigation pane, click Distribution Points.
2. In the results pane, click LON-CFG.ADATUM.COM, hold the Ctrl key, and then click NYC-CFG.ADATUM.COM and TOR-CFG.ADATUM.COM.
3. On the ribbon, click Add Selected Items, and then click Add Selected Items to New Distribution Point Group.
4. In the Create New Distribution Point Group dialog box, in the Name text box, type Primary and Secondary Site Distribution Points, and then click OK.
5. In the navigation pane, click Distribution Point Groups.
6. Verify that the Primary and Secondary Site Distribution Points group has been created and that the Member Count is 3.
Results: At the end of this exercise, you should have created a distribution point, created a distribution point group, and added distribution points to the group.
Exercise 3: Implementing Content Prestaging
Task 1: Create and distribute a package
1. On LON-CFG, in the Configuration Manager console, click the Software Library workspace.
2. In the navigation pane, expand Application Management, and then click the Applications node.
3. On the ribbon, click Create Application. The Create Application Wizard starts.
4. On the General page, verify that in the Type box, Windows Installer (*.msi) is selected.
5. In the Location text box, type \\LON-CFG\E$\Software\MSI_Files\PPTViewer, select ppviewer.msi, and then click Open.
6. On the General page, click Next.
7. On the Import Information page, click Next.
8. On the General Information page, click Next.
9. On the Summary page, click Next.
10. On the Completion page, click Close.
11. In the Configuration Manager console, in the results pane, click the Microsoft PowerPoint Viewer application, and on the ribbon, click Distribute Content. The Distribute Content Wizard starts.
12. On the General page, click Next.
13. On the Content page, click Next.
14. On the Content Destination page, click Add, and then click Distribution Point.
15. In the Add Distribution Points dialog box, select LON-CFG.ADATUM.COM, and then click OK.
16. On the Content Destination page, click Next.
17. On the Summary page, click Next.
18. On the Completion page, click Close.
Task 2: Create a prestaged content file
1. On LON-CFG, in the Configuration Manager console, click the Software Library workspace, and then verify that you are in the Applications node.
2. In the results pane, click Microsoft PowerPoint Viewer, and then on the ribbon, click Create Prestaged Content File. The Create Prestaged Content File Wizard starts.
3. On the General page, click Browse.
4. In the Prestaged content file dialog box, navigate to the Allfiles (E:) drive, in the File name box, type PowerPointViewer, and then click Save.
5. On the General page, click Next.
6. On the Content page, click Next.
7. On the Content Locations page, click Add.
8. In the Add Distribution Points dialog box, select LON-CFG.Adatum.com, and then click OK.
9. On the Content Locations page, click Next.
10. On the Summary page, click Next.
11. On the Completion page, click Close.
12. On the taskbar, click Windows Explorer.
13. Browse to the Allfiles (E:) drive, right-click PowerPointViewer.pkgx, and then click Copy.
14. In the address bar, type \\LON-SVR1\C$, and then press Enter.
15. Right-click in the results pane, and then click Paste.
Task 3: Extract a prestaged content file on a distribution point
1. On LON-SVR1, click Start, type CMD, and then click Command Prompt.
2. At the command prompt, type the following commands, pressing Enter after each line:
CD C:\SMS_DP$\sms\Tools
extractcontent.exe /P:C:\PowerPointViewer.pkgx /S
Task 4: Monitor the prestaged content status
1. On LON-CFG, in the Configuration Manager console, click the Monitoring workspace.
2. In the navigation pane, expand Distribution Status, and then click the Content Status node.
3. In the results pane, click Microsoft PowerPoint Viewer, and then review the information in the preview pane. Notice that two distribution points were targeted, and Success is now listed as 2.
Results: At the end of this exercise, you should have performed content prestaging.
Exercise 4: Implementing BranchCache to Support Content Management
Task 1: Configure LON-SVR1 to support BranchCache
1. On LON-SVR1, open Server Manager.
2. In Server Manager, click Add roles and features.
3. On the Before you begin page of the Add Roles and Features Wizard, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, select the BranchCache check box, and then click Next.
7. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then in the message box, click Yes.
8. On the Confirm installation selections page, click Install.
9. On the Installation progress page, click Close.
Task 2: Verify that an application is ready for BranchCache
1. On LON-CFG, in the Configuration Manager console, click the Software Library workspace.
2. In the navigation pane, expand Application Management, and then click the Applications node.
3. Select the Microsoft PowerPoint Viewer application.
4. In the results pane, click the Deployment Types tab.
5. Right-click the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) deployment type, and then click Properties.
6. In the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) Properties dialog box, click the Content tab.
7. Verify that the Allow clients to share content with other clients on the same subnet check box is selected.
8. In the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) Properties dialog box, click OK.
Results: At the end of this exercise, you will have enabled BranchCache support on LON-SVR1.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for the following virtual machines:
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
Module 6: Planning Resource Discovery and Client Deployment
Lab: Implementing Configuration Manager Client Deployment
Exercise 1: Configuring Active Directory Discovery Methods
Task 1: Configure Active Directory System Discovery
1. On LON-CFG, on the taskbar, click Configuration Manager Console.
2. In the Configuration Manager Console, click the Administration workspace.
3. In the navigation pane, expand Hierarchy Configuration, and then click Discovery Methods.
4. In the results pane, click Active Directory System Discovery, and then on the ribbon, click Properties.
5. In the Active Directory System Discovery Properties dialog box, click Enable Active Directory System Discovery, and then click New.
6. In the Active Directory Container dialog box, click Browse.
7. In the Select New Container dialog box, click Adatum, and then click OK.
8. In the Active Directory Container dialog box, click OK.
9. In the Active Directory System Discovery Properties dialog box, click the Polling Schedule tab, and then review the settings.
10. In the Active Directory System Discovery Properties dialog box, click the Active Directory Attributes tab, and then review the settings.
11. In the Active Directory System Discovery Properties dialog box, click the Options tab, review the settings, and then click OK.
12. In the Configuration Manager message box, click Yes.
Task 2: Configure Active Directory User Discovery
1. In the results pane, click Active Directory User Discovery, and then on the ribbon, click Properties.
2. In the Active Directory User Discovery Properties dialog box, click Enable Active Directory User Discovery, and then click New.
3. In the Active Directory Container dialog box, click Browse.
4. In the Select New Container dialog box, click Adatum, and then click OK.
5. In the Active Directory Container dialog box, click OK.
6. In the Active Directory User Discovery Properties dialog box, click the Polling Schedule tab, and then review the settings.
7. In the Active Directory User Discovery Properties dialog box, click the Active Directory Attributes tab, review the settings, and then click OK.
8. In the Configuration Manager message box, click Yes.
Task 3: Configure Active Directory Group Discovery
1. In the results pane, click Active Directory Group Discovery, and then on the ribbon, click Properties.
2. In the Active Directory Group Discovery Properties dialog box, click Enable Active Directory Group Discovery, click Add, and then click Location.
3. In the Add Active Directory Location dialog box, in the Name box, type Adatum domain, and then click Browse.
4. In the Select New Container dialog box, click Adatum, and then click OK.
5. In the Add Active Directory Location dialog box, click OK.
6. In the Active Directory Group Discovery Properties dialog box, click the Polling Schedule tab, and then review the settings.
7. In the Active Directory Group Discovery Properties dialog box, click the Options tab, review the settings, and then click OK.
8. In the Configuration Manager message box, click Yes.
Task 4: Verify that the discovered computers appear in the All Systems collection and are assigned to the site correctly.
1. In the Configuration Manager Console, click the Assets and Compliance workspace.
2. In the navigation pane, click the Device Collections node.
3. In the results pane, click the All Systems collection, and then on the ribbon, click the Show Members button.
4. A new sticky node called All Systems appears in the navigation pane, under the Devices node. In the results pane, observe the systems that are members of the All Systems collection and their assigned site. In the Site Code column, you should see S01 for most systems.
Results: At the end of this exercise, you should have configured the Active Directory discovery methods.
Exercise 2: Using Client Push to Install the Configuration Manager Client
Task 1: Create a client push installation account
1. On the LON-DC1 server, from Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the navigation pane, expand Adatum.com, right-click the Users container, go to New, and then click User.
3. In the New Object – User window, in both the First name and User logon name text boxes, type ConfigMgrClientPush, and then click Next.
4. In the New Object – User window, in both the Password and Confirm password text boxes, type Pa$$w0rd, clear the User must change password at next logon box, select the User cannot change password and Password never expires check boxes, and then click Next.
5. In the New Object – User window, click Finish.
6. In the Active Directory Users and Computers console, right-click the newly created ConfigMgrClientPush user, and then click Properties.
7. In the ConfigMgrClientPush Properties dialog box, click the Member Of tab.
8. On the Member Of tab, click the Add button.
9. In the Select Groups dialog box, in the Enter the object names to select text box, type Domain Admins, click the Check Names button, and then click OK.
10. In the ConfigMgrClientPush Properties dialog box, click OK.
11. Close the Active Directory Users and Computers console.
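The account created in this task is a member of Domain Admins and has a password that never expires, so it belongs in any privileged-account review of the domain. The following Windows PowerShell script is an added example, not part of the course material; it reports those properties for ConfigMgrClientPush by using the ActiveDirectory module. The function names, the list of groups treated as privileged, and the 90-day password-age threshold are assumptions.

```powershell
# Added example: review the client push account created in this task.
# Requires the ActiveDirectory module (available on LON-DC1 or any host with RSAT).
# ConvertTo-LdapFilterValue and Get-ClientPushAccountReview are hypothetical names.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP search filter.
    param([Parameter(Mandatory = $true)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ClientPushAccountReview {
    param(
        [string]$SamAccountName = 'ConfigMgrClientPush',
        # Assumption: groups treated as privileged for this review.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators'),
        # Assumption: password age (in days) above which the account is listed.
        [int]$MaxPasswordAgeDays = 90
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires,
        CannotChangePassword, PasswordLastSet, PrimaryGroup, Enabled

    # Direct and nested memberships: the matching-rule-in-chain OID makes the
    # domain controller walk the group nesting on our behalf.
    $dn = ConvertTo-LdapFilterValue -Value $user.DistinguishedName
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty Name)
    # The primary group is not stored in the member attribute, so add it explicitly.
    $groups += (Get-ADGroup -Identity $user.PrimaryGroup).Name

    $privileged = @($groups | Where-Object { $PrivilegedGroups -contains $_ } |
        Sort-Object -Unique)

    $ageDays = $null
    if ($user.PasswordLastSet) {
        $age = (Get-Date) - $user.PasswordLastSet
        $ageDays = [int]$age.TotalDays
    }

    # Collect the items a reviewer would want to see for this account.
    $items = @()
    if ($privileged.Count -gt 0) { $items += "Member of: $($privileged -join ', ')" }
    if ($user.PasswordNeverExpires) { $items += 'Password never expires' }
    if ($user.CannotChangePassword) { $items += 'User cannot change password' }
    if ($ageDays -ne $null -and $ageDays -gt $MaxPasswordAgeDays) {
        $items += "Password is $ageDays days old"
    }

    [pscustomobject]@{
        Account          = $user.SamAccountName
        Enabled          = $user.Enabled
        PrivilegedGroups = $privileged
        PasswordAgeDays  = $ageDays
        ReviewItems      = $items
    }
}

$review = Get-ClientPushAccountReview
$review | Format-List Account, Enabled, PasswordAgeDays
$review.ReviewItems | ForEach-Object { Write-Output " - $_" }
```

Because Domain Admins is itself a member of the built-in Administrators group, an account configured as in this task is listed under both groups.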
Task 2: Configure the client push installation method
1. On LON-CFG, in the Configuration Manager Console, verify that you are in the Administration workspace.
2. In the navigation pane, expand Site Configuration, and then click the Sites node.
3. In the results pane, right-click S01 – Adatum Site, click Client Installation Settings, and then click Client Push Installation.
4. In the Client Push Installation Properties dialog box, click the Accounts tab.
5. On the Accounts tab, click the New button, and then click New Account.
6. In the Windows User Account dialog box, click the Browse button.
7. In the Select User dialog box, in the Enter the object name to select text box, type ConfigMgrClientPush, click the Check Names button, and then click OK.
8. In the Windows User Account dialog box, in both the Password and Confirm password boxes, type Pa$$w0rd, and then click Verify. The Windows User Account dialog box expands.
9. In the Windows User Account dialog box, in the Network Share box, type \\LON-DC1\C$, and then click Test connection.
10. In the Configuration Manager message box, click OK.
11. In the Windows User Account dialog box, click OK.
12. In the Client Push Installation Properties dialog box, click the Installation Properties tab.
13. On the Installation Properties tab, in the Installation properties box, after the text SMSSITECODE=S01, type a space, and then type FSP=LON-CFG.Adatum.com.
Note: The entire line should read SMSSITECODE=S01 FSP=LON-CFG.adatum.com.
14. In the Client Push Installation Properties dialog box, click OK.
Task 3: Install the client by using client push
1. On LON-CFG, in the Configuration Manager Console, click the Assets and Compliance workspace.
2. In the navigation pane, under Device Collections, click the All Systems node.
3. In the results pane, right-click LON-CFG, and then click Install Client. The Install Configuration Manager Client Wizard starts.
4. On the Before You Begin page, click Next.
5. On the Installation Options page, check the Install the client software from a specified site box, verify that S01 – Adatum Site appears in the Site list, and then click Next.
6. On the Summary page, click Next.
7. On the Completion page, click Close.
8. In the results pane, right-click LON-DC1, and then click Install Client. The Install Configuration Manager Client Wizard starts.
9. On the Before You Begin page, click Next.
10. On the Installation Options page, check the Allow the client software to be installed on domain controllers box, and then click Next.
11. On the Summary page, click Next.
12. On the Completion page, click Close.
Task 4: Verify the client installation
1. Switch to LON-DC1.
2. From the Start screen, click Control Panel.
3. In the Control Panel window, next to View by, click Large icons.
4. In the Control Panel window, click Configuration Manager.
5. In the Configuration Manager Properties dialog box, on the General tab, review the information.
6. In the Configuration Manager Properties dialog box, click the Components tab, and then verify the status of the agents. Some of the agents should have the Status of Installed.
7. In the Configuration Manager Properties dialog box, click the Actions tab.
8. In the Actions list, click Machine Policy Retrieval & Evaluation Cycle, and then click Run Now to initiate the connection of the Configuration Manager client to the management point.
Note: When the Configuration Manager client is running inside a virtual machine, it uses randomization for the initial time interval of connection to the management point. Manually running the Machine Policy Retrieval & Evaluation Cycle helps ensure that all components are updated, as necessary.
9. In the Machine Policy Retrieval & Evaluation Cycle message box, click OK.
10. In the Configuration Manager Properties dialog box, click OK.
Results: At the end of this exercise, you should have started the installation of the Configuration Manager client by using the client push installation method.
Exercise 3: Using Group Policy to Install the Configuration Manager Client
Task 1: Import the configmgrinstallation.adm file
1. On LON-DC1, on the taskbar, click the Server Manager icon.
2. From Server Manager, click Tools, and then click Group Policy Management.
3. From the Group Policy Management console, expand Forest: Adatum.com, and then expand Domains.
4. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
5.
In the New GPO dialog box, in the Name textbox, type SCCM Client Install, and then click OK.
6.
From the navigation pane, right-click the SCCM Client Install, and then click Edit.
7.
In the Group Policy Editor window, in Computer Configuration, expand Policies.
8.
Right-click Administrative Templates, and then click Add/Remove Templates.
9.
In the Add/Remove Templates dialog box, click Add.
10. In the Policy Templates dialog box, navigate to \\LON-CFG\SMS_S01\tools
\ConfigMgrADMTemplates, click confgmgrinstallation.adm, and then click Open.
11. In the Add/Remove Templates dialog box, click Close.
12. In the navigation pane, expand Administrative Templates: Policy Definitions (ADMX files)
retrieved from the local computer, and then expand Classic Administrative Templates (ADM).
Task 2: Configure client-installation properties within a GPO
1. From Group Policy Management Editor, expand Configuration Manager 2012, and then click Configuration Manager 2012 Client.
2. From the details pane, double-click Configure Configuration Manager 2012 Client Deployment Settings.
3. In the Configure Configuration Manager 2012 Client Deployment Settings dialog box, click Enabled.
4. In the CCMSetup textbox, type SMSSITECODE=S01 FSP=LON-CFG.adatum.com, and then click OK.
Task 3: Import CCMSetup.msi, and then deploy the Configuration Manager client by using Group Policy
1. From LON-DC1, click the File Explorer button on the task bar.
2. Navigate to Local Disk (C:).
3. In the details pane, right-click in the open area, navigate to New, and then click Folder.
4. Type SCCMClient, and then press Enter.
5. Right-click the SCCMClient folder, and then click Properties.
6. In the Properties dialog box, on the Sharing tab, click Share.
7. In the File Sharing dialog box, in the Type a name and then click Add, or click the arrow to find someone drop-down list, click Everyone, click Add, click Share, and then click Done.
8. In the SCCMClient Properties dialog box, click Close.
9. From the Start screen, type Run, and then press Enter.
10. In the Run dialog box, in the Open textbox, type \\LON-CFG\SMS_S01\bin\i386, and then click OK.
11. In the new File Explorer window, right-click ccmsetup.msi, and then click Copy.
12. Close the i386 window.
13. In the Local Disk (C:) window, double-click the SCCMClient folder.
14. Right-click the empty area in the details pane, and then click Paste.
15. Close the SCCMClient window.
16. Switch to Group Policy Management Editor.
17. In the navigation pane, expand Computer Configuration, Software Settings.
18. Right-click Software Installations, navigate to New, and then click Package.
19. In the Open dialog box, in the File name text box, type \\LON-DC1\SCCMClient\ccmsetup.msi, and then click Open.
20. In the Deploy Software dialog box, click Assigned, and then click OK.
21. Close the Group Policy Management Editor.
22. On the host computer, from the Start screen, click Hyper-V Manager.
23. In Hyper-V® Manager, click 10748C-LON-SVR1-C, and then in the Actions pane, click Start.
Task 4: Verify client installation
1. Switch to LON-SVR1, and then sign in by using the following credentials:
   o Username: ADATUM\Administrator
   o Password: Pa$$w0rd
2. From the desktop, right-click the Task bar, and then click Task Manager.
3. In the Task Manager window, click More Details, and then click the Details tab.
4. Verify that ccmsetup.msi or ccmsetup.exe is running.
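The check in Task 4 can also be made from PowerShell, together with a check of who can modify the package source created in Task 3 (a package assigned through Group Policy is installed in the computer's security context, so the source should be writable by administrators only). This is an added example, not part of the course material; it assumes the default ccmsetup log location, and the list of accounts expected to hold write access is an assumption for this lab.

```powershell
# Added example, not from the course material.
# Run in an elevated PowerShell session on LON-SVR1, signed in as ADATUM\Administrator.

# --- 1. Installer and client state (the same question as the Task Manager check) ---
$setup = Get-Process -Name ccmsetup -ErrorAction SilentlyContinue
$agent = Get-Service -Name CcmExec -ErrorAction SilentlyContinue   # SMS Agent Host service
if ($setup) { 'ccmsetup is running, PID ' + ($setup.Id -join ', ') }
else        { 'ccmsetup is not running (finished, or not started yet)' }
if ($agent) { "CcmExec service: $($agent.Status)" }
else        { 'CcmExec service is not installed yet' }

# Default ccmsetup log location (assumption). The last "return code" line is the result.
$log = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'CcmSetup is exiting with return code' |
        Select-Object -Last 1 | ForEach-Object { $_.Line }
}

# --- 2. Who can modify the package source that the GPO points at? ---
$source  = '\\LON-DC1\SCCMClient'
# Accounts expected to hold write access (assumption for this lab).
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
           'ADATUM\Administrator', 'ADATUM\Domain Admins'

# Rights that allow a file to be changed or replaced, plus the generic write/all bits.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

# Check the folder itself and every file in it (ccmsetup.msi in this lab).
$targets = @($source) + @(Get-ChildItem -Path $source -File | ForEach-Object { $_.FullName })
$findings = foreach ($path in $targets) {
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $writeBits) -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path     = $path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else           { "No unexpected write access on $source" }
```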
Task 5: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for the following virtual machines:
   o 10748C-LON-CAS-C
   o 10748C-LON-CFG-C
   o 10748C-LON-SVR1-C
Results: At the end of this exercise, you should have installed the Configuration Manager client by using a
GPO.
Module 7: Configuring Internet and Cloud-Based Client Management
Lab A: Configuring PKI for Configuration Manager
Exercise 1: Creating Certificate Templates for Configuration Manager
Task 1: Create a Configuration Manager IIS servers group
1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the navigation pane, expand Adatum.com, and then select the Users container.
3. Right-click the Users container, point to New, and then click Group.
4. In the New Object – Group dialog box, in the Group name box, type Configuration Manager IIS Servers, and then click OK.
5. Double-click Configuration Manager IIS Servers.
6. In the Configuration Manager IIS Servers Properties dialog box, on the Members tab, click Add.
7. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, in the Object Types dialog box, select the Computers check box, and then click OK.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-CFG, click Check Names, and then click OK.
9. In the Configuration Manager IIS Servers Properties dialog box, click OK.
10. Close Active Directory Users and Computers.
Task 2: Create a Configuration Manager Web Server certificate template
1. On LON-DC1, from Server Manager, click Tools, and then click Certification Authority.
2. In the Certification Authority console, expand AdatumCA, and then click Certificate Templates.
3. Right-click the Certificate Templates folder, and then click Manage. The Certificate Templates console opens.
4. In the results pane, right-click Web Server, and then click Duplicate Template.
5. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
6. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type Configuration Manager Web Server Certificate.
7. Click the Subject Name tab, and then ensure that the Supply in the request option is selected.
8. On the Security tab, under Group or user names, click Domain Admins, and under Permissions for Domain Admins, clear the Enroll check box, click Enterprise Admins, and then clear the Enroll check box.
9. On the Security tab, click Add. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type Configuration Manager IIS Servers, click Check Names, and then click OK.
10. Click Configuration Manager IIS Servers, select the Enroll check box, and then click OK.
Task 3: Create a Configuration Manager client certificate template
1. In the Certificate Templates console, in the results pane, right-click Workstation Authentication, and then click Duplicate Template.
2. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type Configuration Manager Client Certificate.
4. On the Security tab, click Domain Computers, select the Read check box, select the Autoenroll check box, and then click OK. Do not clear the Enroll check box.
Task 4: Create a Configuration Manager client distribution point certificate template
1. In the Certificate Templates console, in the results pane, right-click Workstation Authentication, and then click Duplicate Template.
2. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type Configuration Manager Client Distribution Point Certificate.
4. On the Request Handling tab, select Allow private key to be exported.
5. On the Security tab, under Group or user names, click Domain Admins, and under Permissions for Domain Admins, clear the Enroll check box, click Enterprise Admins, and then clear the Enroll check box.
6. On the Security tab, click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type Configuration Manager IIS Servers, click Check Names, and then click OK.
7. Click Configuration Manager IIS Servers, select the Enroll check box, and then click OK. Do not clear the Read permission.
Note: This certificate template is based on the Workstation Authentication template,
which is the same template that the Configuration Manager client certificate uses. However, this
template requires the private key to be exportable, because you must import the certificate as a
file, rather than select it from the certificate store.
Task 5: Create a Configuration Manager mobile device client certificate template
1. In the Certificate Templates console, in the results pane, right-click Authenticated Session, and then click Duplicate Template.
2. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type Configuration Manager Mobile Device Certificate.
4. Click the Subject Name tab, and then ensure that the Build from this Active Directory information option is selected.
5. In the Subject name format list, select Common name, under Include this information in alternate subject name, clear the User principal name (UPN) check box, and then click OK.
6. Close the Certificate Templates console.
Task 6: Enable the Configuration Manager certificate templates
1. In the Certification Authority console, in the navigation pane, verify that you are still in the Certificate Templates folder.
2. Right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue.
3. In the Enable Certificate Templates dialog box, click Configuration Manager Client Certificate, hold the Ctrl key, and then click Configuration Manager Client Distribution Point Certificate, Configuration Manager Mobile Device Certificate, and Configuration Manager Web Server Certificate.
4. In the Enable Certificate Templates dialog box, click OK, and then close the Certification Authority console.
Results: After this exercise, you should have created a group for the Microsoft® System Center 2012 R2
Configuration Manager servers and created the templates for Configuration Manager certificates.
Exercise 2: Deploying Certificates for Configuration Manager
Task 1: Create an autoenrollment GPO
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest:Adatum.com, expand Domains, right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO dialog box, in the Name box, type Enable Autoenrollment of Certificates, and then click OK.
4. Right-click Enable Autoenrollment of Certificates, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Public Key Policies.
6. Right-click Certificate Services Client – Auto-Enrollment, and then click Properties.
7. In the Configuration Model list, select Enabled, select the Renew expired certificates, update pending certificates, and remove revoked certificates check box, select the Update certificates that use certificate templates check box, and then click OK.
8. Close the Group Policy Management Editor window and the Group Policy Management console.
Task 2: Request a Configuration Manager IIS certificate on the management point
1. On LON-CFG, restart the server.
2. Wait for the machine to restart, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
3. On LON-CFG, go to the Start screen, type mmc.exe, and then click mmc.exe.
4. In the Console 1 - [Console Root] console, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
6. In the Certificates Snap-in Wizard, click Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) option is selected, and then click Finish.
8. In the Add or Remove Snap-ins dialog box, click OK.
9. In the Console 1 - [Console Root] console, expand Certificates (Local Computer), and then click Personal.
10. Under Object Type, right-click Certificates, point to All Tasks, and then click Request New Certificate.
11. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
12. On the Select Certificate Enrollment Policy page, click Next.
13. On the Request Certificates page, select the Configuration Manager Web Server Certificate check box, and then click the More information is required to enroll for this certificate. Click here to configure settings link.
14. In the Certificate Properties dialog box, on the Subject tab, under the Alternative name area, in the Type list, select DNS.
15. In the Value box, type LON-CFG.Adatum.com, and then click Add.
16. Click the General tab, in the Friendly name box, type Configuration Manager Web Services, and then click OK.
17. On the Request Certificates page, click Enroll.
18. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
Task 3: Request a Configuration Manager client distribution point certificate
1. In the Console 1 - [Console Root] console, expand Certificates (Local Computer), and then click Personal.
2. Under Object Type, right-click Certificates, point to All Tasks, and then click Request New Certificate.
3. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
4. On the Select Certificate Enrollment Policy page, click Next.
5. On the Request Certificates page, select the Configuration Manager Client Distribution Point Certificate check box, and then click Enroll.
6. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
7. In the Console 1 - [Console Root] console, expand Personal, and then click Certificates.
8. In the results pane, right-click the certificate that has Configuration Manager Client Distribution Point Certificate in the Certificate Template column, point to All Tasks, and then click Export. The Certificate Export Wizard opens.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, select Yes, export the private key, and then click Next.
11. On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) option is selected, and then click Next.
12. On the Security page, select the Password checkbox and in both the Password and Confirm password text boxes, type Pa$$w0rd, and then click Next.
13. On the File to Export page, in the File name text box, type C:\ConfigMgrClientDPCertificate.pfx, and then click Next.
14. On the Completing the Certificate Export Wizard page, click Finish.
15. In the Certificate Export Wizard dialog box, click OK.
16. Close the Console 1 – [Console Root] console, and then in the Microsoft Management Console dialog box, click No.
Task 4: Assign the Configuration Manager IIS certificate to Web Services
1. On LON-CFG, open Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
2. Expand LON-CFG (ADATUM\Administrator), on the Internet Information Services (IIS) Manager dialog box, click No, expand Sites, right-click Default Web Site, and then click Edit Bindings.
3. In the Site Bindings dialog box, click https, and then click Edit.
4. In the Edit Site Binding dialog box, in the SSL certificate list, select Configuration Manager Web Services, and then click OK.
5. In the Site Bindings dialog box, click Close.
6. Close Internet Information Services (IIS) Manager.
Task 5: Configure HTTPS for the Configuration Manager roles
1. On LON-CFG, on the task bar, click Configuration Manager Console.
2. In the Configuration Manager console, click the Administration workspace.
3. In the navigation pane, expand Site Configuration, and then click Servers and Site System Roles.
4. In the results pane, click \\LON-CFG.Adatum.com, in the preview pane, right-click Site system, and then click Properties.
5. In the Site system Properties dialog box, select Specify an FQDN for this site system for use on the Internet.
6. In the Internet FQDN text box, type LON-CFG.Adatum.com, and then click OK.
7. In the preview pane, right-click Distribution point, and then click Properties.
8. In the Distribution point Properties dialog box, on the General tab, select Import certificate, and then click Browse.
9. In the Open dialog box, browse to and click the C:\ConfigMgrClientDPCertificate.pfx certificate file, and then click Open.
10. On the General tab, in the Password text box, type Pa$$w0rd.
11. On the General tab, click HTTPS, under Requires computers to have a valid PKI client certificate, select Allow intranet and Internet connections, and then click OK.
12. In the preview pane, click Management point, and then click Properties.
13. In the Management point Properties dialog box, on the General tab, click HTTPS, and then under This option requires client computers to have a valid PKI client certificate for client authentication, select Allow intranet and Internet connections.
14. Select the Allow mobile devices to use this management point check box, and then click OK.
Task 6: Deploy certificate profiles to clients
1. On LON-CFG, on the taskbar, click File Explorer.
2. In the navigation bar, type \\LON-DC1\CertEnroll, and then press Enter.
3. Right-click LON-DC1.Adatum.com_AdatumCA.crt, and then click Copy.
4. Right-click the desktop, and then click Paste.
5. Click the Configuration Manager icon on the taskbar.
6. In the Assets and Compliance workspace, expand Compliance Settings, and then expand Company Resource Access.
7. Click Certificate Profiles, and then on the ribbon, click Create Certificate Profile.
8. On the General page of the Create Certificate Profile Wizard, in the Name box, type AdatumEnterpriseRootCA, and then ensure that Trusted CA certificate is selected. Click Next.
9. On the Trusted CA Certificate page, click Import.
10. In the Open dialog box, click Desktop, click LON-DC1.Adatum.com_AdatumCA.crt, and then click Open.
11. On the Trusted CA Certificate page, ensure that Computer certificate store – Root is selected, and then click Next.
12. On the Supported Platforms page, click Select All, and then click Next.
13. On the Summary page, click Next.
14. On the Completion page, click Close.
15. While the Certificate Profiles node is selected, click AdatumEnterpriseRootCA, and then on the ribbon, click Deploy.
16. In the Deploy Trusted CA Certificate Profile dialog box, click Browse.
17. In the Select Collection dialog box, click User Collections, and then click Device Collections.
18. Click All Desktop and Server Clients, and then click OK.
19. Click OK to close the Deploy Trusted CA Certificate Profile dialog box.
Results: After this exercise, you should have issued the Configuration Manager certificates and configured
HTTPS communication for Configuration Manager roles.
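The certificates issued in this exercise can be checked from PowerShell on LON-CFG: that the web server certificate carries the Server Authentication usage and the management point's FQDN, that it is the certificate bound in IIS, and that the exported PFX holds a Client Authentication certificate. This is an added example, not part of the course material; Get-CertFacts is a hypothetical helper name, and the example assumes the WebAdministration and PKI modules that ship with the IIS role and Windows Server 2012 R2.

```powershell
# Added example, not from the course material. Run elevated on LON-CFG.
$fqdn       = 'LON-CFG.Adatum.com'
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-CertFacts {            # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Eku        = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        San        = if ($sanExt) { $sanExt.Format($false) } else { '' }
        Expired    = $Cert.NotAfter -lt (Get-Date)
    }
}

# 1. Web server certificate requested in Task 2 (found by its friendly name).
$web = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'Configuration Manager Web Services' }
if (-not $web) { Write-Warning 'No certificate named Configuration Manager Web Services found' }
foreach ($cert in $web) {
    $facts = Get-CertFacts $cert
    [pscustomobject]@{
        Check         = 'Web server certificate'
        Thumbprint    = $facts.Thumbprint
        HasServerAuth = $facts.Eku -contains $serverAuth
        SanHasFqdn    = $facts.San -match [regex]::Escape($fqdn)
        Expired       = $facts.Expired
    }
}

# 2. Is that certificate the one bound to HTTPS in IIS (Task 4)?
Import-Module WebAdministration
Get-ChildItem IIS:\SslBindings | ForEach-Object {
    [pscustomobject]@{
        Check              = 'IIS SSL binding'
        Port               = $_.Port
        Thumbprint         = $_.Thumbprint
        IsConfigMgrWebCert = @($web | ForEach-Object { $_.Thumbprint }) -contains $_.Thumbprint
    }
}

# 3. The distribution point certificate exported in Task 3.
$pfxPath = 'C:\ConfigMgrClientDPCertificate.pfx'
$pfxPass = Read-Host -AsSecureString "Password for $pfxPath"
$pfx     = Get-PfxData -FilePath $pfxPath -Password $pfxPass
foreach ($cert in $pfx.EndEntityCertificates) {
    $facts = Get-CertFacts $cert
    [pscustomobject]@{
        Check         = 'Distribution point certificate (PFX)'
        Thumbprint    = $facts.Thumbprint
        HasClientAuth = $facts.Eku -contains $clientAuth
        Expired       = $facts.Expired
    }
}

# The PFX carries the private key, so list who can read the file.
(Get-Acl -Path $pfxPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

After the distribution point has imported the PFX in Task 5, the file under C:\ is only a spare copy of the private key, protected by its password and the file permissions listed by the last command.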
Lab B: Configuring Windows Intune Integration with System Center 2012 R2 Configuration Manager
Exercise 1: Signing Up for a Windows Intune Trial Account and Configuring Directory Synchronization
Task 1: Create a temporary email account name
• Create a temporary email account name (not an actual email account) by using the following scheme:
   o The first part of the email address should be your first name, the first letter of your last name, 10748C, and the date in the format used in your region (mm/dd/yy or dd/mm/yy). For example, JoeS10748C010114 if it is the first of January 2014.
   o The domain (the portion of the address after the @ symbol) should be Adatum.com. For example, joeS10748C0110114@adatum.com.
Task 2: Create a Windows Intune account
1. On LON-CAS, click the Start button, and then click Internet Explorer.
2. On the taskbar of Internet Explorer®, click the Gear icon, and then click Internet options.
3. In the Internet Options dialog box, click the Security tab.
4. On the Security tab, click Trusted Sites, and then move the Security level for this zone slider to Low.
5. Click Sites. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box.
6. In the Add this website to the zone: text box, type *.microsoft.com, and then click Add.
7. To close the Trusted sites dialog box, click Close.
8. To close the Internet Options dialog box, click OK.
9. In the address bar, type the following URL, and then press Enter: http://www.microsoft.com/intune
10. In Internet Explorer, click No thanks to close the Please help us improve dialog box. Click the Try option, and then click Sign up for a Windows Intune free 30-day trial.
11. On the Windows Intune Sign up page, provide the required information to sign up for the trial account. Enter data for the following required fields:
   o Country or region: Select your country or region
   o Organizational language: Choose your organizational language
   o First name: Don
   o Last Name: Funk
   o Organization Name: Type the first three letters of the city in which you are attending the course, the course number, the month, day, and year and the number of your computer counting from the front left side of the classroom. For example, type MEL10748C02041405 to indicate that you are attending the course in Melbourne; the course number is 10748C; the date is February 4, 2014; and you are using the fifth computer from the front left side of the classroom.
   o Address 1: Street address of the location where the course is being held
   o City: City where the course is being held
   o State: State where the course is being held
   o ZIP code: Zip code where the course is being held
   o Phone Number: 555-555-1212
   o Email address: The fake email address that you created in the first task of this exercise.
   o New Domain Name: Type the first three letters of the city in which you are attending the course; the course number; the month, day, and year; and the number of your computer, counting from the front left side of the classroom. For example, type MEL10748C02041405 to indicate that you are attending the course in Melbourne; the course number is 10748C; the date is February 4, 2014; and you are using the fifth computer from the front left side of the classroom.
12. Click Check Availability. After the domain name is verified, enter the following information:
   o New User ID: Student
   o Create new password: Pa$$w0rd
   o Confirm new password: Pa$$w0rd
13. In the Verification field, type the text that is shown as a graphic. Note that the text is not case-sensitive.
14. Click I accept and continue.
15. In the Security Warning dialog box, click Yes.
16. In the Windows Intune form, click Continue.
17. In the Don’t lose access to your account dialog box, click Remind me later.
18. Close Internet Explorer.
Task 3: Configure a UPN suffix
1. On LON-DC1, on the Tools menu of the Server Manager console, click Active Directory Domains and Trusts.
2. In the Active Directory Domains and Trust console, right-click Active Directory Domains and Trusts, and then click Properties.
3. On the UPN Suffixes tab of the Active Directory Domains and Trusts dialog box, enter the organization name in the form organizationname.onmicrosoft.com. For example, type MEL10748C02041405.onmicrosoft.com for Melbourne, course 10748C, February 4, 2014 where you are using the fifth computer from the front left side of the classroom. Click Add, and then click OK to close the Active Directory Domains and Trusts dialog box.
4. On the taskbar, right-click the Windows PowerShell icon, and then click Run ISE as Administrator.
5. On the View menu of the Administrator: Windows PowerShell ISE window, click Show Script Pane.
6. In the script pane, type the following script, replacing organizationname.onmicrosoft.com with your Windows Intune organization’s name:
   Get-ADUser -Filter {UserPrincipalName -like "*@adatum.com"} -SearchBase "DC=adatum,DC=com" |
   ForEach-Object {
       $UPN = $_.UserPrincipalName.Replace("adatum.com","organizationname.onmicrosoft.com")
       Set-ADUser $_ -UserPrincipalName $UPN
   }
7. On the File menu, click Run.
8. On the File menu, click New.
9. In the script pane, type the following:
   Add-DnsServerResourceRecordCName -HostNameAlias manage.microsoft.com -Name EnterpriseEnrollment -ZoneName Adatum.com
10. On the File menu, click Run.
11. On the Tools menu of the Server Manager console, click Active Directory Administrative Center.
12. In the Active Directory Administrative Center console, click Adatum (local), and then double-click IT.
13. Double-click April Reagan, and then verify that the user principal name (UPN) logon is set to april@organizationname.onmicrosoft.com, where organizationname is your Windows Intune organization’s name.
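The script in step 6 changes every matching account at once and keeps no record of the old values. The following added example (not part of the course material) performs the same suffix change with a backup file, a collision check and a -WhatIf preview. It rewrites only the part after the last @, so a UPN stored as user@Adatum.com is handled as well. The function name Set-UpnSuffix and the backup path are assumptions, and organizationname.onmicrosoft.com is the placeholder from the lab text.

```powershell
# Added example, not from the course material. Run on LON-DC1 in an elevated session.
Import-Module ActiveDirectory

function Set-UpnSuffix {                       # hypothetical function name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OldSuffix,
        [Parameter(Mandatory = $true)][string]$NewSuffix,
        [string]$SearchBase = 'DC=adatum,DC=com',
        [string]$BackupPath = (Join-Path $env:TEMP 'upn-before.csv')   # assumed location
    )

    # Every UPN that already exists, so that a rename cannot create a duplicate.
    # PowerShell hashtable keys are case-insensitive, which matches UPN comparison.
    $taken = @{}
    Get-ADUser -Filter 'UserPrincipalName -like "*"' |
        ForEach-Object { $taken[$_.UserPrincipalName] = $true }

    $users = @(Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase)

    # Record the current values first; written even when the function runs with -WhatIf.
    $users | Select-Object DistinguishedName, SamAccountName, UserPrincipalName |
        Export-Csv -Path $BackupPath -NoTypeInformation -WhatIf:$false

    foreach ($user in $users) {
        $oldUpn = $user.UserPrincipalName
        $name   = $oldUpn.Substring(0, $oldUpn.LastIndexOf('@'))
        $newUpn = '{0}@{1}' -f $name, $NewSuffix

        if ($taken.ContainsKey($newUpn)) {
            Write-Warning "Skipping $oldUpn because $newUpn is already in use"
            continue
        }
        if ($PSCmdlet.ShouldProcess($oldUpn, "Change UPN to $newUpn")) {
            Set-ADUser -Identity $user -UserPrincipalName $newUpn
            $taken[$newUpn] = $true
        }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            OldUpn         = $oldUpn
            NewUpn         = $newUpn
        }
    }
}

# Preview only: lists what would change and writes the backup file, but changes nothing.
Set-UpnSuffix -OldSuffix 'adatum.com' -NewSuffix 'organizationname.onmicrosoft.com' -WhatIf

# To apply the change, run the same command without -WhatIf.
```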
Task 4: Configure directory synchronization
1. On LON-CAS, open Internet Explorer.
2. In the address bar, type account.manage.microsoft.com, and then press Enter.
3. When prompted, sign in as student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune organization name, with the password Pa$$w0rd.
4. In the Security Warning dialog box, click Yes.
5. In the Don’t lose access to your account dialog box, click Remind me later.
6. On the Windows Intune page, under Management, click Users.
7. Next to Active Directory synchronization, click Set up.
8. Under step 3, click Activate.
9. In the Do you want to activate Active Directory synchronization dialog box, click Activate.
10. Under step 4, install and configure the directory synchronization tool, click Windows 64-bit version, and then click Download.
11. Click Save As, and then save dirsync.exe to the Downloads folder.
12. When the download completes, click Open folder, and then double-click dirsync.exe.
13. On the Welcome page of the Windows Azure Active Directory Sync Setup Wizard, click Next.
14. On the Microsoft Software License Terms page, click I accept, and then click Next.
15. On the Select Installation Folder page, click Next. Installation of the DirSync tool takes approximately 10 minutes to complete.
16. When the installation completes, click Next.
17. Clear the Start Configuration Wizard check box, and then click Finish.
18. Click Start, click Administrator, and then click Sign out.
19. Sign in to LON-CAS as Adatum\Administrator with the password Pa$$w0rd.
20. Double-click the Directory Sync Configuration icon on the desktop.
21. On the Welcome page of the Windows Azure Active Directory Sync tool Configuration Wizard, click Next.
22. On the Windows Azure Active Directory Credentials page, enter the user name as student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune organization name. In the Password box, type Pa$$w0rd, and then click Next.
23. On the Active Directory Credentials page, in the Username box, type administrator@adatum.com, in the Password box, type Pa$$w0rd, and then click Next.
24. On the Hybrid Deployment page, select Enable Hybrid Deployment, and then click Next.
25. On the Password Synchronization page, select Enable Password Sync, and then click Next.
26. On the Configuration page, click Next.
27. On the Finished page, ensure that Synchronize your directories now is selected, and then click Finish.
28. In the Windows Azure Active Directory Sync Tool Configuration Wizard dialog box, click OK.
29. Wait for five minutes. Repeat steps 1-5 to return to the Windows Intune Admin page. Click Users.
30. If prompted to sign in again, in the Password box, type Pa$$w0rd, and then click Sign in.
31. Verify that the list of users in Windows Intune is now populated with users from AD DS.
32. In the User list, click Alex Darrow.
33. Select the Windows Intune check box, and then click Save.
34. On the Assign role page, leave default settings, and then in the Location box, select United States.
35. Click Save.
Results: After this exercise, you will have created a Windows Intune™ account, and configured directory
synchronization between the local Windows Server® Active Directory® Domain Services (AD DS) instance
and Windows Azure™ Active Directory.
Exercise 2: Configuring the Windows Intune Connector Role
Task 1: Configure the Windows Intune connector
1. On LON-CAS, on the taskbar, click the Configuration Manager icon.
2. In the Administration workspace, expand the Cloud Services folder, and then click Windows Intune Subscriptions.
3. On the ribbon, click Add Windows Intune Subscription.
4. On the Introduction page of the Create Windows Intune Subscription Wizard, click Next.
5. On the Subscription page, click Sign In.
6. If prompted in the Set the Mobile Device Management Authority dialog box, select I understand that after I complete the sign-in process, the mobile device management authority is permanently set to Configuration Manager and cannot be changed, and then click OK.
7. In the Subscription dialog box, in the Username box, type student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune organization name, and in the Password box, type Pa$$w0rd. Select Keep me signed in, and then click Sign in.
8. If prompted by the Configuration Manager dialog box, click Yes.
9. On the Subscription page of the Create Windows Intune Subscription Wizard, click Next.
10. On the General page, click Browse.
11. In the Select Collection dialog box, click All Users, and then click OK.
12. On the General page, enter the following information, and then click Next:
   o Company Name: Adatum
   o Configuration Manager site code: S01
13. On the Platforms page, click Next.
14. On the Company Contact Information page, click Next.
15. On the Company Logo page, click Next.
16. On the Summary page, click Next.
17. On the Completion page, click Close.
Task 2: Deploy the Windows Intune site system role
1. Open the Configuration Manager console, and then click the Administration workspace.
2. In the Configuration Manager console, under the Site Configuration folder, click Sites.
3. On the ribbon, click Add Site System Roles.
4. On the General page of the Add Site System Roles Wizard, click Browse.
5. On the Select a Site System Server page, click \\LON-CAS, and then click OK.
6. On the General page, click Next.
7. On the Proxy page, click Next.
8. On the System Role Selection page, click Windows Intune Connector, and then click Next.
9. On the Summary page, click Next.
10. On the Completion page, click Close.
Task 3: Configure client access to the cloud-based distribution point
1. In the Configuration Manager console, click the Administration workspace, and then click Client Settings.
2. Click Default Client Settings, and then on the ribbon, click Properties.
3. In the Default Settings dialog box, click Cloud Services. Next to allow access to cloud distribution point, select Yes.
4. To close the Default Settings dialog box, click OK.
Results: After this exercise, you will have integrated Configuration Manager with Windows Intune.
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Module 8: Maintaining and Monitoring System Center 2012 Configuration Manager
Lab: Maintaining System Center 2012 Configuration Manager
Exercise 1: Configuring maintenance tasks in Configuration Manager
Task 1: Verify the default settings for maintenance tasks
1. On LON-CFG, from the taskbar, click Configuration Manager Console.
2. In the Configuration Manager Console, click the Administration workspace.
3. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, click S01 – Adatum Site.
4. On the ribbon, in the Settings group, click Site Maintenance.
5. In the Site Maintenance dialog box, verify the tasks that are enabled. Notice that most tasks pertain to deleting data from the database. This keeps your database from growing without control.
6. Double-click the Delete Aged Discovery Data task.
7. In the Delete Aged Discovery Data Properties dialog box, notice that the task’s configuration is to delete data older than 90 days, and to run once a week, every Saturday.
8. Click OK.
Note: You may need to change the aged period for some tasks, depending on your
company’s need for data retention.
Task 2: Configure the Delete Aged Inventory History task
1. In the Configuration Manager console, double-click the Delete Aged Inventory History task.
2. In the Delete Aged Inventory History Properties dialog box, in the Delete data that has been inactive for (days) numeric textbox, type 365.
3. In the Start after box, select 1:00 AM.
4. In the Latest start time box, select 3:00 AM.
5. In the list of days, select Sunday, clear the Saturday check box, and then click OK.
Task 3: Configure the Delete Aged Software Metering Data tasks
1. In the Configuration Manager console, double-click the Delete Aged Software Metering Data task.
2. In the Delete Aged Software Metering Data Properties dialog box, in the Delete data that has been inactive for (days) numeric textbox, type 7.
3. In the Start after box, select 1:00 AM.
4. In the Latest start time box, select 3:00 AM.
5. In the list of days, ensure that all days are selected, and then click OK.
6. In the Configuration Manager console, double-click Delete Aged Software Metering Summary Data.
7. In the Delete Aged Software Metering Summary Data Properties dialog box, in the Delete data that has been inactive for (days) numeric textbox, type 120.
8. In the Start after box, select 1:00 AM.
9. In the Latest start time box, select 3:00 AM.
10. In the list of days, clear the Sunday check box, select the Saturday check box, click OK, and then click
OK again.
Results: At the end of this exercise, you will have configured maintenance tasks in Configuration
Manager.
Exercise 2: Configuring the Site Backup Task
Task 1: Configure the Site Backup task
1. On the LON-CFG server, from the Start menu, click Configuration Manager Console.
2. In the Configuration Manager Console, click the Administration workspace.
3. In the navigation pane, expand Site Configuration, and then click Sites.
4. In the results pane, click S01 – Adatum Site.
5. On the ribbon, click Settings, and then click Site Maintenance.
6. In the Site Maintenance dialog box, click Backup Site Server, and then click Edit.
7. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then click Set Paths.
8. In the Set Backup Paths dialog box, verify the option Local drive on site server for site data and database is selected, and then click Browse.
Note: In practice, you should use either Network path (UNC name) for site data and
database to save backup on a network share, or, if the database is installed on a separate server,
use Local drives on site server and SQL Server.
9. In the Select Folder dialog box, navigate to drive C, create a new folder called Backup, and then click Select Folder.
10. In the Set Backup Paths dialog box, verify that C:\Backup appears in the box, and then click OK.
11. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start three
minutes from now, and then click OK. You may need to adjust the Latest start time, so it is at least
one hour after the time that you enter in the Start after box.
12. In the Site Maintenance dialog box, on the Enabled column, next to the Backup Site Server task,
verify that the word Yes is displayed. Click OK.
Task 2: Trigger the backup of the site, and verify its completion
1. From the Start screen, click Server Manager.
2. In the Server Manager window, click Tools, and then click Services.
3. In the Services console, in the details pane, click the SMS_SITE_BACKUP service, and then on the toolbar, click the Start Service button. Close the Services window.
4. Navigate to the C:\Program Files\Microsoft Configuration Manager\Logs folder, and then open the smsbkup.log file in Notepad.
5. If the backup occurs successfully, towards the end of the smsbkup.log file, the text Backup completed appears, and then on the next line, the text STATMSG: ID=5035 appears.
6. Navigate to the C:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the database files.
7. Navigate to the C:\Backup\S01Backup\SiteServer folder, double-click the SMSServer folder to open it, and then note that it contains the data, inboxes, Logs, and srvacct folders.
8. In the Configuration Manager console, click the Monitoring workspace.
9. In the navigation pane, expand System Status, and then click the Component Status node.
10. In the results pane, click the SMS_SITE_BACKUP component.
11. On the ribbon, click Show Messages, and then click All.
12. In the Status Messages: Set Viewing Period dialog box, accept the default of 1 day ago, and then
click OK.
13. In Configuration Manager Status Message Viewer, search for a message with a Message ID of 5035.
Note: When site backup completes successfully, message ID 5035 appears. This indicates
that the site backup completed without any errors.
14. Close Configuration Manager Status Message Viewer.
15. Close the Configuration Manager console.
Results: At the end of this exercise, you should have performed a backup for the Configuration Manager
site.
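Steps 3 to 7 of Task 2 can also be scripted. The following PowerShell is an added example, not part of the course material: it starts SMS_SITE_BACKUP, reads only the log lines written after the start, looks for the Backup completed / STATMSG: ID=5035 pair, and then checks the backup folders. The function names, timeout, polling interval and sample log lines are assumptions; the service name, paths and message ID are the ones the lab uses.

```powershell
# Added example, not course code. Service name, paths, folder names and the
# message ID come from the lab steps; function names, the timeout and the
# sample log lines are assumptions made for this sketch.
$LogPath    = 'C:\Program Files\Microsoft Configuration Manager\Logs\smsbkup.log'
$BackupRoot = 'C:\Backup\S01Backup'

function Test-SiteBackupLog {
    # True when the last "Backup completed" line is immediately followed by
    # a line containing STATMSG: ID=5035 (the pairing step 5 describes).
    param([string[]]$Lines = @())
    $last = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Backup completed') { $last = $i }
    }
    if ($last -lt 0 -or ($last + 1) -ge $Lines.Count) { return $false }
    return [bool]($Lines[$last + 1] -match 'STATMSG: ID=5035\b')
}

function Get-MissingBackupItems {
    # Lists what steps 6 and 7 expect to find but is absent under $Root.
    param([string]$Root)
    $missing = @()
    $db = Join-Path $Root 'SiteDBServer'
    $dbFiles = @(Get-ChildItem -Path $db -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer })
    if ($dbFiles.Count -eq 0) { $missing += 'SiteDBServer (no database files)' }
    foreach ($name in 'data', 'inboxes', 'Logs', 'srvacct') {
        $path = Join-Path $Root (Join-Path 'SiteServer\SMSServer' $name)
        if (-not (Test-Path -Path $path -PathType Container)) { $missing += $path }
    }
    return ,$missing
}

function Invoke-SiteBackupCheck {
    param([int]$TimeoutMinutes = 60, [int]$PollSeconds = 30)
    # Remember how long the log was, so an earlier successful run that is
    # still in smsbkup.log cannot satisfy the check for this run.
    $before = @(Get-Content -Path $LogPath -ErrorAction SilentlyContinue).Count
    Start-Service -Name 'SMS_SITE_BACKUP'
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $all = @(Get-Content -Path $LogPath -ErrorAction SilentlyContinue)
        if ($all.Count -lt $before) { $before = 0 }   # log was rolled over
        $new = @($all | Select-Object -Skip $before)
        if (Test-SiteBackupLog -Lines $new) {
            $missing = Get-MissingBackupItems -Root $BackupRoot
            if ($missing.Count -eq 0) { return 'Backup verified' }
            return 'Log reports success, but missing: ' + ($missing -join '; ')
        }
    }
    return "No completion message within $TimeoutMinutes minutes"
}

# Constructed sample lines (not real smsbkup.log output): an earlier
# successful run followed by the start of a run that has not finished.
$sample = @(
    'Backup completed',
    'STATMSG: ID=5035',
    'Starting backup of site S01'
)
Test-SiteBackupLog -Lines $sample                              # whole log, old run included
Test-SiteBackupLog -Lines @($sample | Select-Object -Skip 2)   # only the lines after the new start

# On the site server itself, run: Invoke-SiteBackupCheck
```

Reading only the appended lines matters because smsbkup.log keeps earlier runs, so a stale success would otherwise mask a backup that did not complete this time.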
Exercise 3: Recovering a Site from a Backup
Task 1: Use the Site Recovery wizard to recover a site from backup
1. On LON-CFG, run E:\ConfigMgr2012R2\SMSSETUP\BIN\X64\setup.exe.
2. The Microsoft System Center 2012 R2 Configuration Manager Setup Wizard starts. On the Before You Begin page, click Next.
3. On the Getting Started page at Available Setup Options, click Recover a site, and then click Next.
4. On the Site Server and Database Recovery Options page, click Recover the site database using the backup set at the following location, and then click Browse.
5. In the Browse For Folder dialog box, select the C:\Backup\S01Backup folder, and then click OK.
6. On the Site Server and Database Recovery Options page, click Next.
7. On the Site Recovery Information page, verify that the option Recover primary site is selected, and then click Next.
8. On the Product Key page, select Install the evaluation edition of this product, and then click Next.
9. On the Microsoft Software License Terms page, select I accept these license terms, and then click Next.
10. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight. Click Next.
11. On the Prerequisite Downloads page, select Use previously downloaded files, and then click
Browse.
12. In the Browse For Folder dialog box, select the E:\ConfigMgr2012R2\Redist folder, and then
click OK.
13. On the Prerequisite Downloads page, click Next.
14. In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite validation to
finish.
15. On the Site and Installation Settings page, click Next.
16. On the Database Information page, click Next twice.
17. On the Customer Experience Improvement Program configuration page, select I don’t want to
join the program at this time, click Next, and then click Next again.
18. On the Settings Summary page, click Next.
19. In the Prerequisite Check dialog box, click Cancel, and then click Yes.
Note: It takes time to restore the site. Therefore, for expediency in this lab, you cancel the
restoration process.
Task 2: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Results: At the end of this exercise, you should have recovered the Configuration Manager 2012 R2
primary site.
Module 9: Migrating to System Center 2012 R2 Configuration Manager
Lab: Migrating from System Center Configuration Manager 2007 to System Center 2012 Configuration Manager
Exercise 1: Configuring the Source Hierarchy
Task 1: Review the objects that must be migrated (Optional)
1. On LON-CM7, on the task bar, click Configuration Manager Console.
2. In the navigation pane, expand Site Database, and then click Site Management. In the results pane, verify that 4.00.6487.2000 appears in the Version column, which means the site is running Configuration Manager 2007 Service Pack 2.
3. In the navigation pane under Site Database, expand Site Management, expand CM7-London Configuration Manager 2007, expand Site Settings, and then click Boundaries.
4. In the results pane, right-click the IP subnet boundary, and then click Properties.
5. In the Properties dialog box, review the configuration of the boundary, and then click Cancel.
6. In the navigation pane, under Site Database, under Site Management, under CM7-London Configuration Manager 2007, expand FHM - Fulham Secondary Site, expand Site Settings, expand Site Systems, and then click \\LON-SVR1.
7. In the results pane, verify that the \\LON-SVR1 site system includes the following roles:
   - ConfigMgr component server
   - ConfigMgr distribution point
   - ConfigMgr site server
   - ConfigMgr site system
8. In the navigation pane, expand Computer Management, expand Collections, right-click the Adatum Servers collection, and then click Properties.
9. In the Adatum Servers Properties dialog box, click the Membership Rules tab. Observe that there are no membership rules defined, and then click OK.
Note: The Adatum Servers collection does not have any members and serves as a container
for the other two collections.
10. In the navigation pane, expand Adatum Servers, click the London Servers collection, and then in
the results pane, observe that LON-CM7 and LON-SVR1 are the only members of the collection.
11. In the navigation pane, right-click the London Servers collection, and then click Properties.
12. In the London Servers Properties dialog box, click the Membership Rules tab.
13. Under Membership Rules, click London Servers, and then click the Properties button.
14. In the Query Rule Properties dialog box, click Edit Query Statement.
15. In the London Servers Query Statement Properties dialog box, click Show Query Language.
16. In the London Servers Query Statement Properties dialog box, examine the query, and then click
Cancel.
17. In the Query Rule Properties dialog box, click Cancel.
18. In the London Servers Properties dialog box, click Cancel.
19. In the navigation pane, click the ConfigMgr Servers collection, and then in the results pane, observe
that LON-CM7 is the only member of the collection.
Note: The London Servers collection uses a query rule to include all computers with a name
starting with LON.
20. In the navigation pane, right-click the ConfigMgr Servers collection, and then click Properties.
21. In the ConfigMgr Servers Properties dialog box, click the Membership Rules tab.
22. Under Membership rules, observe the direct membership rule created for LON-CM7.
23. In the ConfigMgr Servers Properties dialog box, click Cancel.
Note: The ConfigMgr Servers collection uses a direct membership rule to include LON-CM7
as a member.
24. In the navigation pane, expand Software Distribution, and then click Packages.
25. In the results pane, right-click the Microsoft Office Word Viewer 2003 package, and then click
Properties. Note that this is a Windows Installer package.
26. Review the properties of the package, and then click Cancel.
27. Expand the Microsoft Corporation Microsoft Office Word Viewer 2003 package, and then click
Distribution Points. Note that the package is distributed to both \\LON-CM7 and \\LON-SVR1.
28. In the navigation pane, right-click the Excel Viewer 1 package, and then click Properties. Note that
this is a Microsoft Application Virtualization (App-V) package.
29. Review the properties of the package, and then click Cancel.
30. Expand the Excel Viewer 1 package, and then click Distribution Points. Note that the package is
distributed to both \\LON-CM7 and \\LON-SVR1.
31. In the navigation pane, click Advertisements.
32. In the results pane, review the existing advertisements.
33. In the navigation pane, expand Asset Intelligence, expand Customize Catalog, and then click
Software Categories. Review the Adatum Software custom category.
34. In the navigation pane, click Software Families. Review the Adatum LOB Applications custom
family.
35. In the navigation pane, click Custom Labels. Review the Adatum Application custom label.
36. In the navigation pane, expand Desired Configuration Management, and then click Configuration
Items.
37. In the results pane, right-click the Windows Firewall Enabled configuration item, and then click
Properties.
38. In the Windows Firewall Enabled Properties dialog box, on the General tab, review the properties,
and then click the Settings tab.
39. On the Settings tab, in the Name column, click the Windows Firewall is running setting, and then
click Edit.
40. In the Windows Firewall is running Properties dialog box, review the settings, and then click
Cancel. Note that this configuration item is using a WMI query language (WQL) query to check the
status of the Windows Firewall.
41. In the Windows Firewall Enabled Properties dialog box, click Cancel.
42. In the navigation pane, click Configuration Baselines.
43. In the results pane, right-click the Adatum Security Policy Validation baseline, and then click
Properties.
44. In the Adatum Security Policy Validation Properties dialog box, review the settings, and then click
Cancel.
Task 2: Prepare permissions on LON-CM7 and LON-SVR1
1. On LON-CM7, open Server Manager from the taskbar. In the Server Manager dashboard, click Tools, and then click Computer Management.
2. In Computer Management, expand Local Users and Groups, and then click the Groups folder.
3. Double-click the Administrators group.
4. In the Administrators Properties dialog box, click Add.
5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
6. In the Enter the object names to select field, type LON-CAS; LON-CFG, and then click OK.
7. In the Administrators Properties dialog box, click OK.
8. On LON-CM7, start the Configuration Manager console, if it is not already started.
9. In the navigation pane, under Site Database, under Site Management, under CM7-London Configuration Manager 2007, expand FHM - Fulham Secondary Site, expand Site Settings, expand Site Systems, and then click \\LON-SVR1.
10. Right-click ConfigMgr site system, and then select Properties.
11. Select the Specify a fully qualified domain name (FQDN) for this site system on the intranet
check box.
12. In the Intranet FQDN field, type LON-SVR1.Adatum.com, and then click OK.
13. Repeat steps 1 through 7 on LON-SVR1.
Task 3: Configure the source hierarchy
1. On the LON-CFG server, on the task bar, click Configuration Manager Console.
2. In the Configuration Manager console, click the Administration workspace.
3. In the navigation pane, expand the Migration node, and then click Source Hierarchy.
4. On the ribbon, click Specify Source Hierarchy.
5. In the Top-level Configuration Manager site server box, type LON-CM7.Adatum.com.
6. In the Specify Source Hierarchy dialog box, under Specify the Source Site Account to use to access the SMS Provider for the source site server. This account requires Read permissions to all source site objects, verify that User Account is selected, click Set, and then click New Account.
7. In the Windows User Account dialog box, in the User name box, type Adatum\Administrator.
8. In the Windows User Account dialog box, in the Password and Confirm password boxes, type Pa$$w0rd, and then click Verify.
9. In the Windows User Account dialog box, click Test connection.
10. In the Configuration Manager message box, click OK.
11. In the Windows User Account dialog box, click OK.
12. In the Specify Source Hierarchy dialog box, under Specify the Source Site Database Account to
use to access the SQL Server for the source site server. This account requires Read and Execute
permissions to the source site database, verify that Use the same account as the Source Site
SMS Provider Account is selected.
13. Select the Enable distribution-point sharing for the source site server check box, and then
click OK.
14. In the Data Gathering Status dialog box, wait for the data collection to complete, and then click
Close.
15. On the ribbon, click Refresh, and then verify that LON-CM7.ADATUM.COM and
LON-SVR1.ADATUM.COM appear in the preview pane on the Shared Distribution Points tab.
Note: By configuring the Shared Distribution Points option, both the Configuration
Manager 2007 clients and Configuration Manager 2012 clients will have access to the packages
during migration.
Results: At the end of this exercise, you should have reviewed the configuration of the Microsoft® System
Center Configuration Manager 2007 site and configured the source hierarchy in Configuration Manager
2012.
Exercise 2: Creating a Migration Job and Performing Migration
Task 1: Create a collection migration job
1. On LON-CFG, in the navigation pane, click Migration Jobs.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts.
3. On the General page, in the Name box, type Collections and associated objects, and then in the Description (optional) box, type Migrate collections and associated objects.
4. On the General page, in the Job type drop-down box, select Collection migration, and then click Next.
5. On the Select Collections page, select the Adatum Servers check box (this also selects London Servers and ConfigMgr Servers), verify that the Migrate objects that are associated with the specified collections check box is selected, and then click Next.
6. On the Select Objects page, under Object types, verify that Software Distribution Deployments is selected.
7. Under Available objects, clear the KB977384 check box.
8. Under Object types, select Software Distribution Packages.
9. Under Available objects, clear the KB977384 – Advanced Client Hotfix – CM7 check box.
10. Under Object types, select Virtual Application Packages.
11. Under Available objects, verify that Excel Viewer 1 is selected, and then click Next.
12. On the Content Ownership page, select S01 – Adatum Site from the Destination Site drop-down
list, and then click Next.
13. On the Security Scope page, select the Default check box, and then click Next.
14. On the Collection Limiting page, click Next.
15. On the Site Code Replacement page, click Next.
16. On the Review Information page, review the objects to be migrated, and then click Next.
17. On the Settings page, verify that Run the migration job now is selected, review the other settings,
and then click Next.
18. On the Summary page, click Next.
19. On the Completion page, click Close.
20. On the ribbon, click Refresh.
21. In the results pane, verify that the status of the migration job is Completed. If necessary, click
Refresh.
Task 2: Review migrated objects
1. In the results pane, click the Collections and associated objects migration job.
2. In the preview pane, click the Objects in Job tab, and then review the objects included in the migration job.
3. Close and then reopen the Configuration Manager console.
4. In the Configuration Manager console, click the Assets and Compliance workspace.
5. In the navigation pane, expand Device Collections, and then open the Adatum Servers folder. If you do not see the Adatum Servers folder, click the Overview node, and then press F5 on your keyboard to refresh the navigation pane.
6. In the results pane, observe the ConfigMgr Servers and London Servers collections.
7. Right-click the London Servers collection, and then click Properties.
8. In the London Servers Properties dialog box, click the Membership Rules tab.
9. Under Membership rules, select the London Servers rule, and then click Edit.
10. In the Query Rule Properties dialog box, review the query, and then click Cancel.
11. In the London Servers Properties dialog box, click Cancel.
12. In the Configuration Manager console, click the Software Library workspace.
13. In the navigation pane, expand Application Management, and then click the Packages node.
14. In the results pane, select Microsoft Office Word Viewer 2003, and then in the preview pane, click
the Deployments tab. Note the migrated deployment.
15. In the navigation pane, click the Applications node.
16. In the results pane, select the migrated Excel Viewer virtual application package, and then in the
preview pane, click the Deployment Types tab. Note the Microsoft Application Virtualization 4
deployment type.
Task 3: Migrate objects by type
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand the Migration node, and then click the Migration Jobs node.
3. On the ribbon, click Create Migration Job.
4. In the Name box, type Migrate objects by type, and then in the Description (optional) box, type Migration of specific objects.
5. On the General page, in the Job type drop-down box, select Object migration, and then click Next.
6. On the Select Objects page, under Object types, click to select the Boundaries check box.
7. Under Object types, select the Configuration Baselines check box.
8. In the Included Objects dialog box, click Continue.
9. Under Object types, select the Asset Intelligence Catalog check box.
10. On the Select Objects page, click Next.
11. On the Content Ownership page, click Next.
12. On the Security Scope page, click Default, and then click Next.
13. On the Review Information page, review the objects to be migrated, and then click Next.
14. On the Settings page, verify that Run the migration job now is selected, review the other settings,
and then click Next.
15. On the Summary page, click Next.
16. On the Completion page, click Close.
17. On the ribbon, click Refresh.
18. In the results pane, verify that the status of the migration job is Completed. If necessary, select the
Migrate objects by type object, and then click Refresh.
Task 4: Review migrated objects
1. In the Configuration Manager console, click the Assets and Compliance workspace.
2. In the navigation pane, expand Asset Intelligence, and then click Catalog.
3. In the results pane, click the Validation State column until the following User Defined objects appear at the top of the list: Adatum LOB Applications, Adatum Software, and Adatum Application.
4. In the navigation pane, expand Compliance Settings, and then click Configuration Items.
5. In the results pane, review the Windows Firewall Enabled and Windows Version is Windows 7 migrated configuration items.
6. In the navigation pane, click Configuration Baselines.
7. In the results pane, review the Adatum Security Policy Validation migrated baseline.
8. In the Configuration Manager console, click the Administration workspace.
9. In the navigation pane, expand Hierarchy Configuration, and then click Boundaries.
10. In the results pane, review the migrated boundary.
11. In the navigation pane, click Boundary Groups.
12. In the results pane, review the CM7 (London Configuration Manager 2007) boundary group
created from the Configuration Manager 2007 site.
Task 5: View migration reports
1. In the Configuration Manager console, click the Monitoring workspace.
2. In the navigation pane, expand Reporting, and then expand Reports.
3. Click the Migration folder.
4. In the results pane, click Migration Job properties, and then on the ribbon, click Run.
5. After Migration Job Name, click Values.
6. Under Migration Job Name, click the Collections and associated objects migration job, and then click OK.
7. Click View Report.
8. Close the Migration Job properties window.
9. In the results pane, click Migration jobs, and then on the ribbon, click Run.
10. After reviewing the Migration jobs report, close the Migration jobs window.
Results: At the end of this exercise, you should have created migration jobs, performed object migration,
and viewed the migration reports.
Exercise 3: Migrate a Secondary Site to a Distribution Point
Task 1: Reassign a secondary site as a distribution point
1. On LON-CFG, in the navigation pane, click the Administration workspace, expand Migration, and then click Distribution Point Migration.
2. On the ribbon, click Reassign Distribution Point. The Reassign Shared Distribution Point Wizard starts.
3. On the General page, next to the Name box, click Browse.
4. In the Select Distribution Point dialog box, click LON-SVR1.ADATUM.COM, and then click OK.
5. On the General page, in the Site code drop-down box, select S01 – Adatum Site, and then click Next.
6. On the Distribution point page, select the Install and configure IIS if required by Configuration Manager check box, and then click Next.
7. On the Drive Settings page, click Next.
8. On the Pull Distribution Point page, click Next.
9. On the PXE Settings page, click Next.
10. On the Content Validation page, click Next.
11. On the Boundary Groups page, click Add, select the CM7 (London Configuration Manager 2007)
check box, and then click OK.
12. On the Boundary Groups page, click Next.
13. Review the Content Conversion page, and then click Next.
14. On the Summary page, click Next.
15. On the Completion page, click Close.
16. Press the F5 key.
17. In the results pane, monitor the status of the migration job until it is Pending on secondary site
uninstallation. Click Refresh to update the status column as necessary.
18. Open File Explorer, and connect to \\LON-SVR1\C$.
19. Double-click ConfigMgrSetup.log. The ConfigMgrSetup.log opens in CMTrace.
20. Monitor the ConfigMgrSetup.log file until the Completed the deinstall of the ConfigMgr site
message appears.
Note: The uninstallation of the secondary site should take about five minutes.
21. Close CMTrace and File Explorer.
22. In the Configuration Manager console, click the Source Hierarchy node.
23. Click CM7, and then on the ribbon, click Gather Data Now.
24. In the Data Gathering Status dialog box, after the data gathering process completes, click Close.
25. Click the Distribution Point Migration node.
26. Select LON-SVR1.ADATUM.COM, and then click Refresh. The status should change to Reassigning
distribution point.
27. Monitor the status until Completed reassign distribution point appears. Click Refresh as necessary.
Note: The distribution point installation should take about five minutes.
Task 2: Review migrated objects
1. In the Configuration Manager console, in the Administration workspace, click Distribution Points.
2. Click LON-SVR1.ADATUM.COM, and then on the ribbon, click Properties.
3. In the LON-SVR1.ADATUM.COM Properties dialog box, click the Boundary Groups tab. Verify that the CM7 (London Configuration Manager 2007) boundary is listed.
4. In the LON-SVR1.ADATUM.COM Properties dialog box, click Cancel.
5. Click the Monitoring workspace, expand the Distribution Status folder, and then click the Content Status node.
6. Click the Excel Viewer application, and then in the completion statistics, click View Status.
7. LON-SVR1.ADATUM.COM should be listed in the Asset Details pane.
Task 3: Decommission the source hierarchy
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand the Migration node, and then click the Source Hierarchy node.
3. In the results pane, click CM7, and then on the ribbon, click Stop Gathering Data.
4. In the Configuration Manager dialog box, click Yes.
5. In the results pane, verify that CM7 has the status Have not gathered data, and then on the ribbon, click Clean Up Migration Data.
6. In the Clean Up Migration Data dialog box, verify that CM7 (LON-CM7.Adatum.com) appears in the Source hierarchy box, and then click OK.
7. In the Configuration Manager dialog box, click Yes.
8. In the results pane, note that the source hierarchy has been removed.
Task 4: To prepare for the course finish
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CAS-C, 10748C-LON-CFG-C, 10748C-LON-CM7-C, and 10748C-LON-SVR1-C.
Results: At the end of this exercise, you will have reassigned a secondary site.