10748C
Planning and Deploying System Center 2012
Configuration Manager
MCT USE ONLY. STUDENT USE PROHIBITED
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
Released: 04/2014
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code content are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses
in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content is offered "as is". Any use of this licensed content
is at your own risk. Microsoft gives no other express warranty. You may have additional rights
under local consumer protection law, which this agreement cannot change. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights
under the laws of your country. This agreement does not change the rights that the laws of your
country give you if those laws do not permit it to do so.
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution in developing
this title. Their effort at various developmental stages has ensured that you have a good classroom
experience.
Contents
Module 1: Overview of System Center 2012 R2 Configuration Manager
Lesson 1: Introduction to System Center 2012 R2 Configuration Manager
Lesson 2: Overview of the Configuration Manager Site System Roles
Lesson 3: Overview of the Configuration Manager Optional Site System Roles
Lesson 4: Overview of Configuration Manager Deployment Scenarios
Lesson 5: Overview of the Configuration Manager Client
Course Description
This three-day course describes how to design and deploy a System Center 2012 R2 Configuration
Manager hierarchy, including a central administration site; one or more primary sites and secondary
sites; and all associated site systems. The course also covers migrating to a System Center 2012 R2
Configuration Manager hierarchy from System Center Configuration Manager 2007 and from the initial
release of System Center 2012 Configuration Manager.
Audience
This course is intended for Information Technology (IT) professionals who are responsible for designing
and deploying one or more System Center 2012 R2 Configuration Manager sites and all supporting
systems. They should have three to five years of experience in medium to large enterprise organizations,
in a role in which they are supporting multiple desktop and server computers that run Windows®-based
operating systems.
This course is also for individuals who are interested in taking exam 70-243 TS: Administering and
Deploying System Center 2012 Configuration Manager.
Both 10747D: Administering System Center 2012 Configuration Manager and 10748C: Planning and
Deploying System Center 2012 Configuration Manager are necessary to prepare for this exam.
Student Prerequisites
Before attending this course, students must have a working knowledge at the system-administrator level
of:
• Networking fundamentals, including TCP/IP and Domain Name System (DNS).
• Windows Server management, including managing Windows Server 2008 R2 and Windows
Server 2012.
• Windows Client fundamentals.
• Working with the System Center 2012 Configuration Manager or newer administrator console.
• Installing clients.
• Maintaining hardware and software inventory.
• Reporting.
• Deploying applications.
• Settings management.
Students who attend this training can meet the prerequisites by obtaining equivalent knowledge and skills
or by attending the following courses:
• Course 6419: Configuring, Managing, and Maintaining Windows Server® 2008–based Servers
And EITHER:
OR:
o Course 6451: Planning, Deploying, and Managing Microsoft System Center Configuration
Manager 2007
AND
o Six months of hands-on experience with System Center 2012 Configuration Manager or newer
Course Objectives
After completing this course, students will be able to:
Course Outline
The course outline is as follows:
This module explains the System Center 2012 R2 Configuration Manager infrastructure and the
typical deployment scenarios.
This module explains how to plan and deploy a stand-alone primary site.
This module explains how to plan and configure Configuration Manager administrative users
and access.
This module explains how to plan and deploy a multiple site hierarchy including a central
administration site, primary sites, and a secondary site.
Module 5, Replicating Data and Managing Content in Configuration Manager 2012
This module explains how to plan, configure, and monitor data types, intersite communication,
replication, and content.
This module explains how to plan and configure Internet and cloud-based client management.
This module explains how to perform maintenance tasks and monitor the Configuration
Manager site systems.
Exam/Course Mapping
This course, 10748C: Deploying System Center 2012 Configuration Manager, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-243: Administering and Deploying System
Center 2012 Configuration Manager.
The following table is provided as a study aid that will assist you in preparation for taking this exam and
to show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination and will utilize the unique experience and skills of your qualified Microsoft
Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en-us/exam-70-243.aspx, under Skills Measured.
5.4. Manage site communications.
This objective may include but is not limited to: configuring bandwidth settings for a site address,
configuring senders, secondary sites (file-based replication, SQL replication paths), resolving DP
connections
Mod 5 Lessons 1/2/3; Mod 5 Labs A/B
5.6. Manage role-based security.
This objective may include but is not limited to: security scopes, custom roles, cloned security roles
and permissions
Mod 3 Lessons 1/2/3; Mod 3 Lab
Note: Attending this course in itself will not successfully prepare you to pass any associated
certification exams.
There may also be additional study and preparation resources, such as practice tests, available
for you to prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en-us/exam-70-243.aspx, under Preparation options.
You should also check out the Microsoft Virtual Academy, http://www.microsoftvirtualAcademy.com to
view further additional study resources and online courses which are available to assist you with exam
preparation and career development.
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam
is available at the following URL: http://www.microsoft.com/learning/en-us/course.aspx?ID=10748C,
under Overview, Audience Profile.
The exam/course mapping table outlined above is accurate at the time of printing, however it is subject
to change at any time and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:
• Course Handbook: A succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
• Module Reviews and Takeaways: Provide on-the-job reference material to boost knowledge
and skills retention.
• Resources: Include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, Microsoft Developer Network (MSDN®), or Microsoft
Press®.
• Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
Important: At the end of each lab, you must revert the virtual machines to a snapshot.
You can find the instructions for this procedure at the end of each lab.
The following table shows the role of each virtual machine that is used in this course:
Software Configuration
The following software is installed on each virtual machine:
• Windows Server 2012 R2
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
You may be accessing the lab virtual machines either in a hosted online environment with a web
browser or by using Hyper-V on a local machine. The labs and virtual machines are the same in both
scenarios however there may be some slight variations because of hosting requirements. Any
discrepancies will be called out in the Lab Notes on the hosted lab platform.
Your Microsoft Certified Trainer will provide details about your specific lab environment.
• The minimum equipment configuration for this course is hardware level 7 with 16 gigabytes (GB) of
random access memory (RAM)
Hardware Level 7
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 gigabyte (GB) hard disks 7200 RPM SATA or better. The hard disks should be configured with
a separate volume (Drive C: and Drive D:) on each hard disk.
• 16 GB random access memory (RAM) or higher
• DVD drive
• Network adapter
• Super VGA (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers
Module 1
Overview of System Center 2012 R2 Configuration Manager
Contents:
Module Overview
Module Overview
By using the features of Microsoft® System Center 2012 Configuration Manager and System Center 2012
R2 Configuration Manager, you can perform complex management tasks, including the following:
• Hardware and software inventory.
• Application management.
• Operating-system deployment.
• Settings management.
• Software update management.
• Remote client troubleshooting.
• Protection from malware.
Knowledge of these features helps you design and deploy a Configuration Manager infrastructure. Other
areas of knowledge that can help you in your design and deployment tasks include:
• An understanding of Configuration Manager components and functionality.
• Knowledge of site system roles.
• An understanding of the architecture of the Configuration Manager client.
Objectives
After completing this module, you will be able to:
• Describe the System Center 2012 R2 products.
• Describe Configuration Manager and the new functionality in System Center 2012 Configuration
Manager with Service Pack 1 (SP1) and in System Center 2012 R2 Configuration Manager.
• Describe the Configuration Manager server infrastructure.
• Describe typical Configuration Manager deployment scenarios.
• Describe the Configuration Manager console.
Lesson 1
Introduction to System Center 2012 R2 Configuration
Manager
Configuration Manager is a management solution with many useful features. In this lesson, you will
discover how to design a Configuration Manager hierarchy that helps you use these features more
efficiently. You will examine the role of Configuration Manager in the System Center 2012 R2 family of
products and determine whether Configuration Manager is the appropriate product to use in your
organization.
You will also examine how the changes between Configuration Manager 2007, System Center 2012
Configuration Manager, and System Center 2012 R2 Configuration Manager affect your overall site
hierarchy design.
In Configuration Manager 2007, data is transferred between sites by using file-based replication.
Although System Center 2012 R2 Configuration Manager still uses file-based replication for content, it
uses database replication to replicate operational data. In this lesson, you will examine what global data
and site data are and how data is replicated throughout the hierarchy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of Configuration Manager.
• Explain how Configuration Manager is positioned in the System Center 2012 R2 family of products.
• Describe site and hierarchy differences between Configuration Manager 2007, System Center 2012
Configuration Manager, and System Center 2012 R2 Configuration Manager.
Product: Details
System Center 2012 R2 App Controller: You can use the System Center 2012 R2 App Controller to
provide self-service access for application administrators. Then administrators can create and
manage virtual machines and services based on templates, and manage private cloud resources and
public cloud Windows Azure™ subscriptions from a single web interface.
System Center 2012 R2 Configuration Manager: You can use the change and configuration management
capabilities of System Center 2012 R2 Configuration Manager to perform tasks such as:
• Deploying operating systems, software applications, and software updates.
• Monitoring and remediating computers for compliance settings.
• Collecting hardware and software inventory.
• Remote administration.
System Center 2012 R2 Data Protection Manager: You can use the System Center 2012 R2 Data
Protection Manager (DPM) to perform disk-based and tape-based continuous data protection and
recovery for file servers, Active Directory® Domain Services (AD DS) and application servers such
as Microsoft SQL Server®, Exchange Server, Microsoft SharePoint®, and Microsoft Hyper-V®–based
virtualization hosts. You can use DPM to protect the data on Windows® desktops and laptops.
System Center 2012 R2 Endpoint Protection: You can use System Center 2012 R2 Endpoint Protection
to provide malware protection for your client systems. System Center 2012 R2 Endpoint Protection
is built into Configuration Manager, creating a single infrastructure for deploying and managing
Endpoint Protection.
System Center 2012 R2 Operations Manager: You can use System Center 2012 R2 Operations Manager to
monitor services, devices, and applications on multiple computers in a single console. System
Center 2012 R2 Operations Manager enables you to view the state of the information technology
environment and services running across different systems. You can view state, health, and
performance information in addition to real-time alerts generated for availability, performance,
configuration, and security incidents.
System Center 2012 R2 Orchestrator: You can use the System Center 2012 R2 Orchestrator to
orchestrate, integrate, and automate the IT processes in an organization. Orchestrator enables you
to define and automate processes from a central point and integrate with existing management
solutions, from both the System Center family and third-party management platforms.
System Center 2012 R2 Service Manager: You can use the System Center 2012 R2 Service Manager for
automating and adapting the organization’s processes to IT service management best practices, such
as those found in Microsoft Operations Framework and Information Technology Infrastructure
Library. System Center 2012 R2 Service Manager also provides built-in processes for incident and
problem management, change management, release management, and risk and compliance management.
System Center 2012 R2 Virtual Machine Manager: You can use the System Center 2012 R2 Virtual
Machine Manager to configure and manage virtualization hosts, networking, and storage resources.
This management solution for the virtualized datacenter also helps you create and deploy virtual
machines and services to private clouds.
Note: For System Center 2012 licensing information, please visit Microsoft Server and
Cloud Platform Pricing and Licensing at http://go.microsoft.com/fwlink/?LinkId=253177.
Question: Which of the System Center family of products, including the previous versions, are you using
in your organization?
The Standard and the Datacenter editions are limited to two physical processors. If you deploy these
editions on a server with four processors, you need to purchase an additional suite license. You can
purchase System Center 2012 R2 licensing for client management in a variety of packages. System Center
2012 R2 includes licensing for a version of SQL Server Standard edition that supports System Center 2012
and System Center 2012 R2.
Asset Management
• Hardware and Software Inventory. You can use the tools and resources provided in the Hardware and
Software Inventory feature to maintain a record of hardware and software in your organization.
• Asset Intelligence. You can use the Asset Intelligence feature to obtain more insight from the
inventory data that the Hardware and Software Inventory feature records. Asset Intelligence uses a
catalog that contains software and imported license information to identify the inventoried
software.
• Software Metering. You can use the Software Metering feature to monitor and collect software
usage data and generate reports to determine how your organization uses applications.
Change Management
• Application management. You can use the tools and resources in the Application Management
feature to create, manage, deploy, and monitor applications in your organization.
• Software Updates Management. You can use the tools and resources in the Software Updates
Management feature to manage, deploy, and monitor software updates in your organization.
• Operating System Deployment. You can use the Operating System Deployment feature to plan and
deploy operating systems by using images.
• Content Management. You can use the tools and resources in the Content Management feature to
manage content files for applications, packages, software updates, and operating-system deployment.
• Compliance Settings. You can use the tools and resources of the Compliance Settings feature to
help you assess, track, and remediate the configuration compliance of client computers in the
organization.
• Power Management. You can use the tools and resources of the Power Management feature to manage
and monitor the power consumption of client computers in the organization.
• Client Health. You can use the tools and resources of the Client Health feature to manage and
monitor the health of the Configuration Manager client software.
• Network Access Protection (NAP). You can use the Network Access Protection feature as a health
validator. This feature works in conjunction with Network Access Protection in Microsoft Windows
Server® 2008, Windows Server 2012, and Windows Server 2012 R2.
• Endpoint Protection. You can use this new functionality in Configuration Manager 2012 to protect
clients against malware. This functionality was available previously in Microsoft Forefront®
Endpoint Protection.
Administrative Features
• Reporting. You can use the SQL Reporting Services in Configuration Manager 2012 for report
generation. Administrators can create subscriptions so that SQL Reporting Services generates reports
on a schedule and distributes them in various formats by email.
• Monitoring. You can use the Monitoring feature to supervise site systems and client health. It
also provides automatic remediation for specific client errors.
• Remote Management. You can use the Remote Management feature to assist users by remotely
accessing any client computer in the hierarchy. You can use the remote control to troubleshoot
hardware and software configuration problems on client computers and to provide help-desk support
when access to a user’s computer is necessary.
• Role-Based Administration. You can use role-based administration to assign roles and permissions
to the administrators, to allow them to access and use Configuration Manager and its various
features.
• The Configuration Manager client on computers that are running Windows® 8 and Windows
Server 2012.
• The ability to use Configuration Manager to deploy Windows 8 or to upgrade computers that are
running Windows 7 to Windows 8.
• Deployment of Windows Store apps (.appx files) to clients running Windows 8, through sideloading
or links to the Windows Store.
• Use of a metered Internet connection and the Always On, Always Connected Windows 8 features.
• The ability to use Windows Server 2012 for site systems and as client devices.
• The ability to use SQL Server 2012 to host the Configuration Manager database.
• The ability to use computers running Mac OS X, Linux, or UNIX as Configuration Manager client
devices.
• The ability to use mobile devices that are running Windows Phone 8, Windows RT, iOS, or Android
through a Windows Intune™ organizational account.
• Windows PowerShell® cmdlets that you can use to automate Configuration Manager operations
through Windows PowerShell scripts.
• Migrating a Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy.
• The ability to trigger some client operations, such as downloading policy and malware scans, from the
Configuration Manager console.
• Microsoft Application Virtualization (App-V) virtual environments that make it possible for App-V
applications to share data from file systems and registries.
• Increased email alert subscriptions.
• The new site system role for certificate registration points. This role enables deployment to, and
management of, certificates to Configuration Manager client devices.
• Certificate profiles that support user and device certificates to managed devices that are running the
iOS, Windows 8.1, Windows 8.1 RT, and Android operating systems.
• The migration of data from a System Center 2012 Configuration Manager test environment to a
System Center 2012 R2 Configuration Manager production environment.
• The enrollment of Mac OS X computers and deployment of client certificates through an enrollment
wizard.
• The ability to reassign Configuration Manager client devices (including managed mobile devices) to a
different site in the Configuration Manager hierarchy, either individually or through bulk
reassignment.
• The enrollment of Android devices by using the Company Portal app that is available through the
Google Play store. The Company Portal app includes the Configuration Manager Management agent
that enables management capabilities, such as password settings, encryption settings, and a camera.
• The enrollment of iOS devices by using the Company Portal app available through the App Store. The
Company Portal app enables users to change or reset passwords; download and install apps that the
organization owns; and enroll, unenroll, or remove organizational content from their iOS devices.
• Devices that run the Windows RT, iOS, and Android mobile operating systems and that support the
required deployment purpose.
• The Wipe and Retire function, which enables administrators to remove organizational content from
mobile devices, while leaving the user’s personal information on the device.
• Windows Intune, which you can use to manage Windows 8.1 devices that are not domain-joined and
that do not have the Configuration Manager client installed.
• Windows 8.1 app bundles (.appxbundle) to optimize the deployment of Windows Store apps and
resource packages.
• The configuration of per-application virtual private network (VPN) profiles that enable an application
to open a VPN connection.
• Remote connection profiles, which enable users to connect remotely to their work computers from
the company portal.
• VPN profiles, which enable you to deploy VPN settings to devices that are running iOS, Windows RT,
and Windows RT 8.1.
• Wi-Fi profiles that enable you to deploy Wi-Fi connection settings to devices that are running iOS,
Windows 8, Windows 8.1, Windows RT, and Windows RT 8.1.
• The alteration of deployment packages for existing deployment rules, so that you can add new
software updates more efficiently.
• The ability to view resultant client settings, so that you can see effective client settings that are
applied to specific devices.
• New task-sequence steps that include Run PowerShell Script, Check Readiness, and Set Dynamic
Variables.
• Pull distribution points that enable administrators to configure priorities for source distribution points.
• The pushing of status information about completed actions by pull distribution points to the site
server.
• Summary reports of distribution point usage, which enable administrators to view details that
compare individual distribution-point utilization.
• Configuration Manager reporting filters reports’ data based on the permissions of the user who runs
the report.
• Central administration site. In Configuration Manager 2007 and previous versions, the top-level
primary site was called a central site. Configuration Manager introduces a new site type—the central
administration site—that:
o Is used to generate reports that contain data from the entire hierarchy.
o Does not have directly assigned clients or process client data. It receives client data from the
other primary sites in the hierarchy. The central administration site does not support roaming
clients. With System Center 2012 Configuration Manager, if you wanted to use a central
administration site, you needed to install it first, and then install other primary sites that would be
part of the hierarchy under the central administration site. However, with System Center 2012
SP1 Configuration Manager and System Center 2012 R2 Configuration Manager, you can deploy
a primary site. If you need additional primary sites, you can join that primary site to a central site.
• Primary sites. Prior to Configuration Manager 2012, you could tier primary sites below other primary
sites, and use them to enable decentralized administration, define custom configurations for client
agents, or serve as a security scope. In Configuration Manager, you no longer use primary sites to
provide those functions. Configuration Manager primary sites:
o Are used to increase scalability by supporting a larger number of clients when you add another
primary site.
o Manage the clients assigned to them and perform client data processing.
o Cannot be linked to another primary site in a parent-child relationship. Only secondary sites can
be a child site of a primary site.
o Are installed either as a stand-alone site or as the child to an existing central administration site
when you install it in a hierarchy. After installation, you can change the parent-child association
only by uninstalling and reinstalling the primary site or by joining a primary site to a central
administration site.
o Do not limit the administrative scope. Configurations that administrative users perform at any of
the sites replicate throughout the hierarchy. You can restrict administrative access by using
security roles.
• Secondary sites. In Configuration Manager 2007, you could use secondary sites to manage the
network bandwidth for sending client data and content to remote locations. In Configuration
Manager, you use secondary sites to control the flow of client data in the hierarchy. Secondary sites:
o Use a SQL Server database, which is on a SQL Server Express instance and installed locally on the
secondary site server.
Question: If you have an existing Configuration Manager 2007 implementation, what is your current
architecture?
• Workspaces. The workspaces are the navigation tools that help you navigate quickly through the
different management areas.
• Navigation pane. The Navigation pane is the main navigation area, and it contains the nodes that
make up the selected workspace. When you perform certain tasks, such as searches or queries,
Configuration Manager creates temporary nodes that display the task results.
• Results pane. The Results pane shows the objects available under the currently selected workspace or
node.
• Preview pane. The Preview pane is a tabbed pane that appears as the bottom part of the Results
pane. The Preview pane may or may not appear, depending on the object currently selected in the
Results pane.
• Devices. Use this node to manage Configuration Manager computers and mobile devices.
• User State Migration. Use this node to manage the user state during operating system deployments.
• Asset Intelligence. This folder contains the Catalog, the Inventoried Software, and the Hardware
Requirements nodes, which you can use to manage the objects that you use for Asset Intelligence.
• Software Metering. Use this node to manage rules for monitoring software usage.
• Compliance Settings. This folder contains the Configuration Items, the Configuration Baselines, User
Data and Profiles, Remote Connection Profiles, and Company Resource Access nodes, which you can
use to manage the objects that you use for assessing and remediating compliance of settings on
devices.
• Endpoint Protection. This folder contains nodes for antimalware and firewall policies.
• Application Management. This folder contains the Applications, Packages, Approval Requests, and
Global Conditions nodes.
• Software Updates. This folder contains the All Software Updates, Software Updates Groups,
Deployment Packages, and Automatic Deployment Rules nodes.
• Operating Systems. This folder contains the Drivers, Driver Packages, Operating Systems Images,
Operating System Installers, Boot Images, Task Sequences, and Virtual Hard Disks nodes.
Monitoring Workspace
You can use the Monitoring workspace to manage the alerts, queries, reports, status messages, and other
components that allow you to monitor your environment. The Monitoring workspace includes the
following nodes:
• Alerts. Use this node to view and manage alerts. This node contains the Subscriptions subnode, which
enables you to create subscriptions to alerts.
• Queries. Use this node to run, view, and manage Configuration Manager queries.
• Reporting. This folder contains the Reports and Report Subscriptions nodes.
• Site Hierarchy. Use this node to view and manage the status of all sites in the hierarchy, by using a
hierarchy view or geographical view.
• System Status. This folder contains the following nodes: Site Status, Component Status, Conflicting
Records, and Status Message Queries.
• Database Replication. Use this node to view site-to-site link status for SQL Server based replication.
• Distribution Status. This folder contains the Content Status, Distribution Point Group Status, and
Distribution Point Configuration Status nodes.
• Software Update Point Synchronization Status. Use this node to view the status of the synchronization
process for the software update points.
• Endpoint Protection Status. Use this node for security and operational states, and to view the status of
the site’s Endpoint Protection.
Administration Workspace
You can use the Administration workspace to manage your System Center 2012 R2 Configuration
Manager environment. The Administration workspace includes the following nodes:
• Hierarchy Configuration. This folder contains the Discovery Methods, Boundaries, Boundary Groups,
Exchange Server Connectors, Addresses, and the Active Directory Forests nodes.
• Cloud Services. This contains the Windows Intune Subscriptions and Cloud Distribution Points nodes.
• Site Configuration. This folder contains the Sites and Servers node and the Site System Roles node.
• Security. This folder contains the Administrative Users, Security Roles, Security Scopes, Accounts, and
Certificates nodes.
• Migration. This folder contains the Active Source Hierarchy, Migration Jobs, and Distribution Point
Updates nodes, which you can use to manage data migration from Configuration Manager 2007.
Lesson 2
Overview of the Configuration Manager Site System Roles
Configuration Manager has multiple site roles that you can install on the same computer or, for scalability,
on multiple servers. Default site roles are installed in every Configuration Manager implementation.
Optional site roles provide additional functionality, and you can install them, as necessary.
By understanding the functionality of the site roles, you can make design decisions regarding the
configuration and placement of each role in your Configuration Manager implementation.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe planning and design considerations for the default site system roles.
• Site server. A site server is the computer on which you run Configuration Manager Setup. The site
server provides the core functionality for the site.
• Component server. A component server runs the Configuration Manager services and installs
automatically with all site systems, except the distribution point.
• SMS Provider. An SMS Provider is the interface between the Configuration Manager console and the
site database. This role installs automatically when you install a central administration site or
primary site. Installation of a secondary site does not install the SMS Provider. You can install
the SMS Provider on the site server, the site database server (unless the site database is hosted on
a clustered instance of SQL Server), or on another computer. You can also move the SMS Provider to
another computer after the site installs, or you can install multiple SMS Providers on additional
computers.
• Site system. A site system is any computer that hosts one or more site system roles for a
Configuration Manager site.
• Site database server. A site database server hosts the SQL Server database to store information
about assets and site data.
• Management point. A management point provides policy and content location information to clients.
It also receives data from clients. You cannot install a management point in a central
administration site.
• Distribution point. A distribution point contains source files for clients to download, such as
application content, software packages, software updates, operating system images, and boot images.
You can control content distribution by using bandwidth, throttling, and scheduling options. You
cannot install a distribution point on a central administration site.
• Application Catalog web service point. An Application Catalog web service point provides software
information to the Application Catalog website from the Software Library. This is a role introduced
in Configuration Manager 2012.
• Application Catalog website point. An Application Catalog website point provides users with a
list of available software. This is a role introduced in Configuration Manager 2012.
• Asset Intelligence synchronization point. An Asset Intelligence synchronization point connects to
System Center Online to download Asset Intelligence catalog information. It can also upload
uncategorized titles that the administrator selected previously for inclusion in the catalog.
• Endpoint Protection point. An Endpoint Protection point provides the ability to manage malware
and Windows Firewall remediation for System Center 2012 Endpoint Protection.
• Enrollment point. An enrollment point uses public key infrastructure (PKI) certificates to
complete mobile device enrollment and provision computers that are running Active Management
Technology (AMT). This is a role introduced in Configuration Manager 2012.
• Enrollment proxy point. An enrollment proxy point manages enrollment requests from mobile devices
so that Configuration Manager can manage them. This is a role introduced in Configuration Manager
2012.
• Fallback status point. A fallback status point helps you monitor client installation and identify
the clients that are unmanaged because they cannot communicate with their management point.
• Out of band service point. An out of band service point provisions and configures AMT-based
computers for out-of-band management.
• Reporting services point. A reporting services point integrates with SQL Server Reporting
Services to create and run reports for Configuration Manager.
• Software update point. A software update point manages Windows Server Update Services (WSUS) in
order to synchronize the software update metadata from a configured source, such as Microsoft
Update, and make the data available to Configuration Manager.
• State migration point. A state migration point stores user state data when a computer is migrated
to a new operating system.
• System Health Validator point. A System Health Validator point validates Configuration Manager
Network Access Protection (NAP) policies. You must install this site system role on a NAP health
policy server.
• Windows Intune connector. A Windows Intune connector manages mobile devices through a Windows
Intune subscription.
• The site database server can use the Standard or Enterprise version of SQL Server 2008, SQL Server
2008 R2, or SQL Server 2012. When planning the site database, the relevant differences between the
Enterprise edition of SQL Server and the Standard edition include that the Enterprise edition:
o Supports up to 400,000 clients in the hierarchy. The Standard edition supports a maximum of
50,000 in the hierarchy.
• Secondary sites use SQL Server Express 2008 R2 with SP1 and Cumulative Update 4 by default, but
you can configure them to use Standard or Enterprise editions, as well.
• The site database role can use a default instance or a named instance of SQL Server. It is possible to
use the same SQL Server to host databases for multiple sites. However, each Configuration Manager
site requires a unique instance of SQL Server.
• You can configure the SQL Server service by using a domain user account or the local system account
of the computer that is running SQL Server. Using a domain user account as the SQL Server service
account is a best practice. However, you must manually register the service principal name (SPN) for
the account.
When you are planning to install the site database on a remote server, you should consider that:
• The amount of bandwidth required for communications to the database server depends upon a
combination of many different site and client configurations. Therefore, the actual bandwidth
required cannot be predicted accurately.
• Each computer that runs the SMS Provider and that connects to the site database increases network
bandwidth requirements.
• The computer that runs SQL Server must be in a domain that has a two-way trust with the site server
and all computers that are running the SMS Provider.
• You cannot use a clustered SQL Server for the site database server when the site database is
collocated with the site server.
• Site system. You can install the site system role on any server that hosts a Configuration Manager
role. When you install a site role on a server from the Configuration Manager console, the site server
connects remotely to that computer, configures it as a site system, and then installs the site role that
you requested. The site system role includes the following configuration options:
o Specify an FQDN for this site system for use on the Internet. If the roles that this server supports
are going to be accessible from the Internet, you must configure an Internet fully qualified
domain name (FQDN). However, the intranet FQDN is configured automatically during the
installation of the Configuration Manager server.
o Require the site server to initiate connections to this site system. When you choose this option,
you also must configure the site system installation account. This option is useful when the site
system is in a perimeter network and security policies will not allow it to initiate communication
with the internal network.
o Site System Installation Account. This setting allows you to configure the account that the site
server uses to install this site system role. By default, the site server computer account is used.
o Active Directory membership. This setting allows you to configure the Active Directory forest and
domain FQDNs that the site system is a member of.
Design Considerations
The site server role installs automatically when you install a central administration site or primary site. It
installs on the server from which you run Configuration Manager Setup. When you install a secondary site
by using the Configuration Manager console, the site server role is installed on the server that you specify
as the secondary site server. You cannot move the site server role to another server without reinstalling
the site.
Because the site server is a critical component in a Configuration Manager implementation, you must
ensure that you can recover your site server configuration if a server loss or malfunction occurs. You
achieve this by configuring the site backup task to back up the site server. For more information and
details about how to configure site maintenance tasks, including the backup task, refer to Module 7.
Design Considerations
There must be at least one SMS Provider in each
primary site and at least one SMS Provider in
the central administration site. When you install a
site, an SMS Provider for that site also installs by
default. You can deploy multiple SMS Providers
in a site. If there is only one SMS Provider at a
site and the server that hosts the SMS Provider
is offline, you will be unable to access the site
database by using the Configuration Manager console. However, you can view the locations of all SMS
Providers installed at a site, on the General tab of the Site Properties dialog box in the Configuration
Manager console.
The server that hosts the SMS Provider must meet the following prerequisites:
• The server must be part of the same Active Directory forest as the servers that host the site server and
site system roles for the site database.
• The server cannot host site system roles from different sites or an existing SMS Provider.
• The server must have enough free space to support the installation of Windows Assessment and
Deployment Kit (Windows ADK) components if you are deploying System Center 2012 Configuration
Manager with Service Pack 1 or System Center 2012 R2 Configuration Manager. If you are deploying
System Center 2012 Configuration Manager, there must be sufficient space for deployment of
Windows AIK components.
• The Configuration Manager console and any site systems that interact with the site database access
the database through the SMS Provider.
• You specify the SMS Provider location during site installation. By default, the SMS provider is located
on the Configuration Manager site server.
• You can relocate the SMS provider by using the Configuration Manager site maintenance action from
the Configuration Manager Setup program.
Beyond ensuring that the role is highly available, you should deploy multiple SMS Providers to a site
under the following conditions:
• The site has a large number of administrative users who use the Configuration Manager console
concurrently.
• Your organization is using the Configuration Manager Software Development Kit (SDK) or any other
products that perform frequent calls to the SMS provider.
Design Considerations
When planning for management points, consider the following:
• Each primary and secondary site must contain at least one management point.
• Secondary sites do not support more than one management point, and you install them on the site
server. You cannot move them to another server. Secondary site management points cannot support
mobile devices that are enrolled by Configuration Manager.
• To ensure high availability of the management point, you can install multiple management points in
the same primary site.
• You can configure each management point to use either HTTP or HTTPS for client communications.
To use HTTPS, you need to request and install PKI-based certificates.
• By default, clients use the most secure method available for communication. If both are available, a
client will use an HTTPS-configured management point before it will use an HTTP-configured one.
• To manage clients on the Internet, you will need at least one management point that you configure
to use HTTPS. This management point must be accessible from the Internet to manage remote clients.
• Distribution points can be configured individually to use HTTP or HTTPS depending on the
capabilities of the clients. If you are managing clients over the Internet, you need at least one
distribution point configured to use HTTPS.
• Distribution points now include the functionality of the PXE service point. To enable this functionality,
you need to install Windows Deployment Services (Windows DS) on the same computer that hosts
the distribution point.
• To control the content distribution, you can create distribution point groups which enable you to
manage content on multiple distribution points as a single entity.
• Distribution points now include the option to perform content validation to verify the status of the
content replicated from the site server or from other distribution points. This option is not enabled by
default.
• Distribution points can be associated with one or more boundary groups, so you can configure which
clients can access content from the distribution point.
• Distribution points that are not site servers have settings for bandwidth throttling and scheduling the
transfer of content so you can control network traffic.
• Distribution points now use a single instance store, and they put into effect the concept of a content
library.
Design Considerations
When you are planning distribution points, consider these factors:
• Place a distribution point close to the clients it will serve. For example, place one on the same
high-speed network segment.
• Deploy multiple distribution points if you frequently use features such as software distribution,
software update management, and operating-system deployment.
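The placement rules this module states for the central administration site, management points, distribution points, SMS Providers, and the site database can be checked against a draft hierarchy plan before deployment. The following is an added example, not part of the courseware or of Configuration Manager; the rule IDs, class names, host names, instance names, and the sample plan are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Role:
    kind: str              # "management_point", "distribution_point" or "sms_provider"
    server: str            # host name that carries the role
    https: bool = False    # client communication mode (management/distribution points)


@dataclass
class Site:
    code: str
    site_type: str         # "cas", "primary" or "secondary"
    site_server: str
    sql_server: str
    sql_instance: str = "MSSQLSERVER"
    sql_clustered: bool = False
    roles: list = field(default_factory=list)

    def of_kind(self, kind):
        return [r for r in self.roles if r.kind == kind]


def validate(sites, internet_clients=False):
    """Return sorted (site_code, rule_id) pairs; "*" marks a hierarchy-wide finding."""
    found = set()   # rule IDs are hypothetical labels, not product identifiers
    for s in sites:
        mps = s.of_kind("management_point")
        dps = s.of_kind("distribution_point")
        providers = s.of_kind("sms_provider")
        if s.site_type == "cas":
            # A central administration site cannot host these client-facing roles.
            if mps:
                found.add((s.code, "CAS-NO-MP"))
            if dps:
                found.add((s.code, "CAS-NO-DP"))
        elif not mps:
            # Every primary and secondary site needs at least one management point.
            found.add((s.code, "MP-REQUIRED"))
        if s.site_type == "secondary":
            # One management point only, and it is installed on the site server.
            if len(mps) > 1:
                found.add((s.code, "SEC-SINGLE-MP"))
            if any(m.server.lower() != s.site_server.lower() for m in mps):
                found.add((s.code, "SEC-MP-ON-SITE-SERVER"))
        elif not providers:
            # Central administration and primary sites need an SMS Provider.
            found.add((s.code, "PROVIDER-REQUIRED"))
        if s.sql_clustered:
            # A clustered SQL Server cannot be collocated with the site server
            # and cannot host the SMS Provider.
            if s.sql_server.lower() == s.site_server.lower():
                found.add((s.code, "SQL-CLUSTER-COLLOCATED"))
            if any(p.server.lower() == s.sql_server.lower() for p in providers):
                found.add((s.code, "PROVIDER-ON-CLUSTER"))

    # Each site requires its own SQL Server instance.
    usage = Counter((s.sql_server.lower(), s.sql_instance.lower()) for s in sites)
    for s in sites:
        if usage[(s.sql_server.lower(), s.sql_instance.lower())] > 1:
            found.add((s.code, "SQL-INSTANCE-SHARED"))

    if internet_clients:
        # Internet-based clients need at least one HTTPS management point and
        # one HTTPS distribution point (neither can sit on the CAS).
        usable = [r for s in sites if s.site_type != "cas" for r in s.roles]
        if not any(r.kind == "management_point" and r.https for r in usable):
            found.add(("*", "INTERNET-HTTPS-MP"))
        if not any(r.kind == "distribution_point" and r.https for r in usable):
            found.add(("*", "INTERNET-HTTPS-DP"))
    return sorted(found)


def sample_plan():
    """Constructed draft plan containing deliberate placement mistakes."""
    return [
        Site("CAS", "cas", "cas01", "sql01", roles=[
            Role("sms_provider", "cas01"),
            Role("management_point", "cas01"),
        ]),
        Site("PR1", "primary", "pr1", "sql01", roles=[
            Role("management_point", "pr1-mp"),
            Role("distribution_point", "pr1-dp"),
        ]),
        Site("SC1", "secondary", "sc1", "sc1", "CONFIGMGRSEC", roles=[
            Role("management_point", "sc1-mp"),
            Role("distribution_point", "sc1"),
        ]),
    ]


if __name__ == "__main__":
    for site_code, rule_id in validate(sample_plan(), internet_clients=True):
        print(f"{site_code}: {rule_id}")
```

The sample plan breaks seven rules, including the shared SQL Server instance between CAS and PR1 and the absence of any HTTPS endpoint for Internet-based clients.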
Lesson 3
Overview of the Configuration Manager Optional Site
System Roles
Configuration Manager optional site roles provide additional functionality to the site, and you can install
them as necessary.
During the planning and design phase of your Configuration Manager implementation, you need to
identify the necessary roles, functionality, and capacity requirements. This lesson describes the basic
functionality of the optional site system roles, as well as planning and design considerations for these
optional roles.
Lesson Objectives
After completing this lesson, you will be able to plan the placement of the following optional site roles:
• Enrollment point
recurring requests to deliver reports at specific times or in response to events. In the subscription, you can
specify the application file format of the report.
Design Considerations
When you are planning for the reporting services points, consider the following:
• You must install the reporting services point on a computer that is running SQL Server Reporting
Services that is the same version as the site database.
• Each SSRS instance can support one site only.
• If you install a reporting services point in a primary site, the reports show the data collected from that
site. However, reports that you run in the central administration site, on a reporting services point in
the central administration site, return data collected from the entire hierarchy.
• Enrollment point
• You need to install a fallback status point if you want client computers to report installation failures,
particularly when they cannot communicate with a management point.
• You need to install a fallback status point if you want to use the client deployment reports. These
reports depend on information sent to the fallback status point.
• You can use a dedicated server to host the fallback status point and have additional security measures
in place to help protect against attack.
• Exchange Connector to manage mobile devices through the Exchange ActiveSync® protocol.
• The Configuration Manager mobile client to provide richer hardware inventory, settings
management, and software deployment. Configuration Manager uses the enrollment point and the
enrollment proxy point to provide depth management for supported mobile devices. Configuration
Manager can use in-depth management to manage mobile devices that are running a supported
Windows Mobile operating system or Nokia Symbian devices. The enrollment point roles also support
AMT devices.
• The Windows Intune connector through a Windows Intune subscription to manage devices running
iOS, Android, Windows Phone 8, or Mac OS X.
The enrollment point roles work together to provide the depth-management functionality through the
use of an:
• Enrollment point. This role uses PKI certificates to complete the enrollment of mobile devices and
AMT-capable computers (for out-of-band management) by Configuration Manager.
• Enrollment proxy point. Mobile devices connect to this role to submit client-installation requests and
download the client. Enrollment requests are sent to the Enrollment point for completion.
• The enrollment point role is a site-wide role. Additionally, the enrollment proxy point is typically
accessed from the Internet, so you should place it in a perimeter network or publish it through a
firewall.
• Light management provides basic management functionality and uses the Exchange connector.
• Depth management installs a client and provides additional management features.
When planning for the out of band service point, consider the following:
• Client systems must have the Intel vPro chipset and a supported version of the AMT.
• You must use the following certificates for out of band management:
o An AMT provisioning certificate on the out of band service point. This allows configuration of
computers for out of band management.
o A web server certificate on the enrollment point. This provides secure communication with the
out of band service point during the provisioning process.
You can use an audit log on the AMT-based computers to record out of band activity and to make it
auditable.
When planning the infrastructure for software update points, you should consider that:
• You must install the software update point on a server that is hosting WSUS 3.0.
• By default, the software update point at the central administration site (or at the stand-alone primary
site) synchronizes with Microsoft Update.
• By default, the software update points installed in child sites synchronize with their parent site.
• You should schedule the synchronizations for a time frame that is suitable for your environment.
Design Considerations
When planning for the Endpoint Protection point, consider the following:
• You can install the Endpoint Protection point in the Central Administration site or in a stand-alone
primary site.
• You must install an Endpoint Protection point before you can begin to use and manage System
Center Endpoint Protection.
• You can choose one of three levels of membership with the Microsoft Active Protection Service:
o Nonparticipating. The Endpoint Protection point sends no information to Microsoft. Users will be
alerted only about unclassified software.
o Basic membership. The Endpoint Protection point sends basic information about detected
software to the Microsoft Active Protection Service.
o Full membership. Endpoint protection will alert users about unclassified software. In addition
to the basic information, the Endpoint Protection point sends more detailed information to the
Microsoft Active Protection Service about software that the Endpoint Protection client detects.
When planning for the Application Catalog, you should consider that:
• The Application Catalog is a hierarchy-wide role. Typically, in a hierarchy with multiple primary sites,
you install one instance of each role, although multiple instances are supported.
• You cannot install the Application Catalog in a secondary site or on a central administration site.
• The Application Catalog allows users to install deployed applications or to request available
applications, which will deploy after approval.
• The Application Catalog allows users to configure some preferences and wipe their mobile devices
that are being managed through Configuration Manager.
• The Application Catalog supports integration with Microsoft SharePoint®.
When planning for the Asset Intelligence synchronization point, you should consider that:
• You can install the Asset Intelligence synchronization point only at the top-level site in the hierarchy.
• The Asset Intelligence synchronization point must be able to make an Internet connection over HTTPS
to System Center Online.
• Microsoft treats unidentified software title information that uploads to System Center Online for
categorization as public information.
Design Considerations
When planning for the state migration point, you should consider:
• User state size. You need to plan for enough storage space to store the migration data.
• Retention policy. You need to determine how long you will retain the migration data.
• Drives. You can use one or more drives on the site system for storing migration data.
If you are planning a complex hierarchy with a central administration site and multiple primary and
secondary sites, you should consider that:
• Some roles provide functionality for their local site only.
• When installing software update points in a multiple primary site hierarchy, install the software
update point in the central administration site first.
| Site system role | Central administration site | Child primary site | Secondary site | Site-specific or hierarchy-wide functionality |
| --- | --- | --- | --- | --- |
| Software update point | Yes | Yes | Yes | Site, one per site, multiple in hierarchy |
Lesson 4
Overview of Configuration Manager Deployment Scenarios
One of the first questions you may ask yourself when you design a Configuration Manager
implementation is whether to use a single primary site or multiple sites in a hierarchy.
To help you answer this question, in this lesson you will examine different implementation scenarios and
compare the advantages and disadvantages of each. You will also develop a set of design criteria that you
can use to choose the most appropriate implementation model for your organization.
Lesson Objectives
After completing this lesson, you will be able to:
• Determine when to use a central administration site and multiple primary sites.
• Identify the need to use secondary sites or a distribution point instead of a site in a remote location.
• To provide a local point of connectivity for administration. The Configuration Manager console can
connect only to a primary site or central administration site. When using the Configuration Manager
console from a computer that is running a client operating system, ensure that the client computer
has reliable high speed access to a primary or central administration site.
• To manage content independently and meet organizational management requirements. For example,
the organization may have a specific requirement that a different team of administrators manage
clients from a given location, such as management occurring within national borders. To meet this
requirement, you can install another primary site and offer a local point of connectivity.
• A primary site supports a central administration site as a parent site. Primary sites cannot have
another primary site as a parent, as was the case in Configuration Manager 2007 and older versions.
• With System Center 2012 Configuration Manager, a primary site cannot change its parent site
relationship after installation. With System Center 2012 Configuration Manager with SP1, you can join
a primary site to a new central administration site after deployment.
• The client-originated data processing occurs only at the primary site to which the clients are assigned.
If the primary site is the child of a central administration site, the data will then be replicated to the
central administration site.
• When you install a primary site in a hierarchy, database replication is automatically configured with its
designated central administration site.
• You can install all site system roles on a stand-alone primary site, but not on all primary sites that are
part of a hierarchy.
• The central administration site is the top-level site in a hierarchy. If your initial plans call for a hierarchy
that has more than one primary site, you must install a central administration site.
• When using a central administration site with SQL Server Enterprise edition, the hierarchy can contain
up to 400,000 clients.
• When you use SQL Server Standard edition for the site database at the central administration site, the
shared database and hierarchy support up to 50,000 clients. This is due to the partitioning of the
database. After you install Configuration Manager, if you upgrade the edition of SQL Server at the
central administration site from Standard to Enterprise, the database does not repartition and this
limitation remains.
o Is the only place where you can see site data from all sites. This data includes information such as
inventory data and status messages.
o Enables you to connect with the Configuration Manager console to manage all clients in the
hierarchy and perform site management tasks for any primary site.
o Enables you to configure discovery method options for each site in the hierarchy.
• They use SQL Server Express by default; however, they can use a local instance of SQL Server if one is
available.
• They use file-based replication to receive deployment content transferred from a primary site.
• They use database replication to receive a subset of global data from the parent primary site.
• They use file-based replication to transfer client information to the parent primary site.
• They can route content between peer secondary sites to help manage the replication of deployment
content if the two secondary sites have the same parent site.
• Installation automatically deploys a management point and distribution point that are located on the
secondary site server.
• A primary site can support up to 250 secondary sites as child sites.
• Site database. A site database is installed on the same server as the site server, or you can install it on
a separate server to increase the site scalability.
• Management point. The management point serves as a point of communication between the
Configuration Manager clients and the site server. Primary sites must have at least one management
point deployed to manage clients.
• Distribution point. Distribution points distribute content and prerequisites needed for deployments.
You can deploy other roles, depending on the features that you require. Typical roles may include:
• Reporting services point. This role provides you with the ability to generate reports and export them
in various formats.
• Software update point. This role provides you with the ability to synchronize the software update
metadata from Microsoft Update and make it available to Configuration Manager.
• Fallback status point. This role allows clients to send state messages to the fallback status point, which
forwards them to the site server. For example, this would occur if they cannot connect to a
management point.
Secondary Site
A secondary site includes a management point and distribution point. You can use a secondary site to:
• Offload the client communication from the primary site when clients are in a remote location and
network connections are slow.
Distribution Point
You can choose to install only a distribution point instead of a secondary site when:
• You have a small number of clients in the remote location.
• You do not have a server available in the remote location. A computer running a 64-bit version of
Windows Server 2008, 2008 R2, 2012, or 2012 R2 is required to run the secondary site, while you
can also install a distribution point on 32-bit servers and workstations that can support the IIS role.
• You do not need to control client-to-management point traffic from the remote location to the
primary site.
• More clients than you can manage by using a single primary site. A single primary site can support up
to 100,000 clients, while a hierarchy can accommodate up to 400,000 clients.
• More than 250 remote locations requiring secondary sites, or remote locations with more than
5,000 clients.
• Export regulations on content.
Question: What type of organizations would use the multiple sites in a hierarchy model?
Discussion Questions
• How many clients do you need to manage?
• How will the existing network infrastructure influence your Configuration Manager design?
• Are restrictions in place that control how client information transfers across borders?
Lesson 5
Overview of the Configuration Manager Client
To perform management tasks on client computers, the Configuration Manager client application
is installed on client computers. The term client is often used to refer to either of the following:
Understanding Configuration Manager client architecture and prerequisites helps you design your
Configuration Manager implementation.
Lesson Objectives
After completing this lesson, you will be able to:
• Performs hardware and software inventory and metering according to a scheduled interval and on
demand, and then sends the collected data through the management point to the site server.
• Downloads the content of packages and applications from the distribution point, and then installs
software and updates.
• Executes the task sequences that the administrator assigns to that computer by using the Operating
System Deployment feature.
• Collects compliance results data specified in configuration baselines and sends the results to the
site server through the management point. If the computer is not compliant, depending on the
configuration item, the client can also execute remediation actions to make it compliant, as long as
content is not required to bring the client into compliance.
• Allows administrators to connect to remote computers by using remote tools or the Remote
Assistance feature, to support end users.
| Windows component or run-time module | Use |
| --- | --- |
| Windows Management Instrumentation (WMI) | WMI is the infrastructure for management data and operations on Windows-based operating systems. |
| Windows Installer | Supports the use of Windows Installer (.msi) and Windows Installer update files (.msp) for installing and updating applications. |
| Microsoft Core XML Services (MSXML) | Supports the use of Windows Installer (.msi) and Windows Installer update files (.msp) for installing and updating applications. |
| Microsoft Remote Differential Compression (RDC) | Used to optimize data transmission over the network. |
| Microsoft Visual C++ 2005 Redistributable | Supports Microsoft SQL Server Compact operations. |
| Windows Imaging APIs | Allows Configuration Manager to manage Windows image (.wim) files. |
| Microsoft Background Intelligent Transfer Service (BITS) version 2.5 | Allows throttled data transfers between the client computer and the Configuration Manager site systems. |
You can view the client components and their status on the Components tab in the Configuration
Manager client for computers running Windows. The following table describes the components that are
installed when the client is installed.
| Component | Overview |
| --- | --- |
| Core Configuration Manager Components | Several different components that are used for core functionality and that show only a status of installed or not installed: CCM Framework; CCM Policy Agent; CCM Status and Eventing Agent; Core Components, Maintenance Task Coordinator; Operating System Deployment Components; Shared Components and Task Sequence Components |
| Hardware Inventory Agent | Uses WMI to collect inventory information as configured in the client settings. |
| Out of Band Management Agent | Allows out of band management for AMT-based computers. |
| Power Management Agent | Applies power management settings configured for collections in Configuration Manager. |
| Remote Tools Agent | Manages the Remote Control and Remote Assistance settings for the client computers. |
| Software Distribution Agent | Manages the deployment of programs and applications to client devices. |
| Software Inventory Agent | Performs the software inventory as configured in the client settings. |
| Software Updates Agent | Interacts with the software update point to detect which software updates are needed on the client computer and interacts with the management point and distribution point to install those updates. |
| Source List Update Agent | Contacts a management point and retrieves the location for downloading deployed content. |
The Configuration Manager client for Mac OS X computers has components that support the following
features:
• Hardware inventory. You can use hardware inventory data collected from Mac computers to create
collections, reports, and queries. You can also use Resource Explorer to view hardware inventory data
for Mac OS X computers.
• Software deployment. You can use Configuration Manager to deploy software packaged in the
following formats to Mac computers:
• Compliance settings. Configuration Manager supports the use of Mac OS X Preference settings (.plist
files) to enforce the configuration of different elements on Mac computers, or shell scripts to monitor
and remediate settings.
The Configuration Manager client for Linux-based and UNIX-based computers has components that
support the following features:
• Hardware inventory. You can use hardware inventory data collected from Linux and UNIX computers
to create collections, reports, and queries. You can also use Resource Explorer to view hardware
inventory data for Linux-based and UNIX-based computers.
• Software deployment. You can use Configuration Manager to deploy software to Linux-based and
UNIX-based computers by using packages and programs. Software deployment on Linux-based and
UNIX-based computers by using Configuration Manager does not support any kind of user
interaction.
AD DS
AD DS is the preferred method for clients to locate site systems. To use this method, you must ensure that
you meet the following prerequisites:
• You must extend the Active Directory schema for Configuration Manager.
DNS
Clients can use DNS to locate a management point. However, this method has some specific DNS system
requirements. Additionally, if you use this as your primary method for locating management points, the
client will not update automatically if you make changes to the communication ports.
You can use this method for locating site systems if:
• Clients on the intranet are located in a forest that is not enabled for Configuration Manager
publishing.
• Clients are on workgroup computers and are not configured for Internet-only client management.
To use this method, the following prerequisites must be met:
• You must assign the clients to a specific site rather than use automatic site assignment.
• You must configure a client property that specifies the domain suffix of the management point.
• Your DNS servers must support service location resource records, by using a version of Berkeley
Internet Name Domain (BIND) that is at least 8.1.2.
• The intranet FQDNs for the Configuration Manager site systems have corresponding host entries
in DNS.
When your DNS servers support automatic updates, you can configure Configuration Manager to
automatically publish management points on the intranet to DNS.
• When the clients connect to this management point, they download a list of other management
points and can use them for subsequent connections.
If you do not want clients to locate a management point using WINS, configure clients with the
CCMSetup.exe Client.msi property SMSDIRECTORYLOOKUP=NOWINS.
Question: What are the three types of sites in Configuration Manager 2012?
Question: What are the new site roles introduced in Configuration Manager 2012?
Module 2
Planning and Deploying a Stand-Alone Primary Site
Contents:
Module Overview
Module Overview
Planning a Microsoft® System Center 2012 Configuration Manager site deployment is a complex process
that requires numerous inputs, such as:
• Network topology.
In this module, you will review the planning process, inputs, and typical planning activities for deploying
a stand-alone primary site. You also will review prerequisites for installing a site server and related
components, perform and validate the installation of a stand-alone primary site, and perform the initial
site configuration. Finally, you will review the requirements for managing Internet-based clients.
Objectives
After completing this module, you will be able to:
• Describe the planning tasks for a Configuration Manager 2012 primary site deployment.
• Describe the tools that you can use to monitor and troubleshoot a Configuration Manager 2012
installation.
Lesson 1
Planning a Configuration Manager Stand-Alone Primary Site Deployment
The design of a System Center 2012 Configuration Manager stand-alone primary site deployment can
vary from a stand-alone server with all required site roles, to more-complex deployments with site roles
that you distribute on multiple servers.
In this lesson, you will review the tasks that the planning process typically involves when you are
deploying a stand-alone primary site. These tasks include determining the site system roles that you
need to deploy, the number of servers necessary for deployment, and your deployment’s prerequisites.
Additionally, you will review Configuration Manager Setup options, examine site code and naming
conventions, and examine the requirements for configuring client communication modes.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the planning tasks for a Configuration Manager 2012 primary site deployment.
• Determine the number of devices that you must manage, and their locations. A single primary site
can support up to 100,000 client devices. If you need to manage more devices, you will need more
than one primary site.
• Identify the business requirements for Configuration Manager. Business requirements map to
the different features available in Configuration Manager, which include hardware and software
inventory, software metering, software updates, and operating-system deployment. Review the
business requirements with key stakeholders to get their input as to what features your environment
requires. Depending on the features that you require, you will need different site system roles.
• Identify the structure of your organization’s information technology (IT) department. Some larger
global corporations maintain a very rigid separation of IT groups among geographical locations.
Therefore, you may need to have a different primary site for each of these individual geographies.
Keep in mind that this is a business requirement, not a technical requirement.
• Determine your migration requirements if you are moving from Configuration Manager
2007 to Configuration Manager 2012. If your organization has a Configuration Manager 2007
environment, you need to consider whether you need a hierarchy restructure. You also need to
consider migrating each site and its clients to Configuration Manager 2012, along with different
objects, such as packages, operating-system images, and collections.
• Component server. This is any server that is running the SMS_EXECUTIVE service.
• SMS Provider. This is the interface between the Configuration Manager console and the site database.
You can install additional roles as necessary. However, before deploying clients, you should install the
fallback status point to help monitor client-deployment issues. You also should install the Reporting
services point so that you can review reports about the site and client-installation progress.
The number of clients that you can manage using a stand-alone primary site depends on the following
site configuration and role placement:
• If the site server and site database roles are collocated on the same server, you can manage up to
50,000 Configuration Manager clients.
• If the site server and site database roles are on different servers, you can manage up to 100,000
Configuration Manager clients.
• Install distribution points in locations that have a larger number of clients to reduce wide area
network (WAN) traffic and increase the efficiency of features such as software distribution, software
update management, or operating-system deployment.
• Use role-based administration and security scopes to implement your desired security model, rather
than deploying multiple primary sites to define administrative roles and permissions.
• Place site system roles on separate servers for additional scalability with respect to how many clients
you can manage.
A site code:
• Must be a three-character alphanumeric code that uses letters A through Z, numbers 0 through 9, or
combinations of the two.
• Should not use Microsoft Windows®-reserved names such as AUX, CON, NUL, PRN, or SMS.
A site name:
• Uses the standard alphanumeric characters A through Z and a through z, numbers 0 through 9,
spaces, and the hyphen (-).
You use site codes for client assignment, and if you extend your schema, the site servers can publish site
codes in AD DS. This enables clients to determine the site assignment, and then locate the management
point.
If you perform a migration from Configuration Manager 2007 to Configuration Manager 2012 R2, you
cannot reuse site codes because they must be unique in the source and destination hierarchies. For
more details, please review the migration topics in “Module 9: Migrating to System Center 2012 R2
Configuration Manager.”
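The site code and site name rules above, together with the rule that a migration cannot reuse site codes, can be checked before Setup is run. The following PowerShell is an added example, not part of the course material; the function name Test-SitePlan, the sample plan, and the case-insensitive comparison of codes are assumptions.

```powershell
# Added example: validate planned site codes and names against the rules listed above.
# Test-SitePlan, its parameters and the sample data are hypothetical names for this example.

function Test-SitePlan {
    [CmdletBinding()]
    param(
        # One hashtable per planned site: @{ Code = 'LON'; Name = 'London Primary Site' }
        [Parameter(Mandatory = $true)] [hashtable[]] $PlannedSite,
        # Site codes already used in the Configuration Manager 2007 source hierarchy
        [string[]] $SourceHierarchyCode = @()
    )

    # Reserved names as listed in the text ("such as AUX, CON, NUL, PRN, or SMS")
    $reserved = 'AUX', 'CON', 'NUL', 'PRN', 'SMS'
    $seen = @{}   # PowerShell hashtable keys compare case-insensitively

    foreach ($site in $PlannedSite) {
        $code = [string]$site.Code
        $name = [string]$site.Name
        $problems = @()

        # -match / -notmatch are case-insensitive, so 'lon' and 'LON' are treated alike (assumption)
        if ($code -notmatch '^[A-Z0-9]{3}\z') {
            $problems += 'site code must be exactly three characters from A-Z and 0-9'
        }
        if ($reserved -contains $code) {
            $problems += 'site code is a reserved name'
        }
        if ($seen.ContainsKey($code)) {
            $problems += 'site code is used more than once in this plan'
        }
        if ($SourceHierarchyCode -contains $code) {
            $problems += 'site code already exists in the source hierarchy and cannot be reused'
        }
        if ($name -notmatch '^[A-Za-z0-9 -]+\z') {
            $problems += 'site name may contain only letters, digits, spaces and hyphens'
        }

        $seen[$code] = $true
        [pscustomobject]@{
            Code     = $code
            Name     = $name
            Valid    = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# Constructed sample plan (not from the course): one clean entry and four rule violations
$plan = @(
    @{ Code = 'LON';   Name = 'London Primary Site' }
    @{ Code = 'CON';   Name = 'Contoso Lab' }
    @{ Code = 'NY1';   Name = 'New York - Primary' }
    @{ Code = 'PARIS'; Name = 'Paris Site' }
    @{ Code = 'TOR';   Name = 'Toronto_Site' }
)

# 'NY1' and 'S01' stand in for codes found in an existing 2007 hierarchy (constructed)
Test-SitePlan -PlannedSite $plan -SourceHierarchyCode 'NY1', 'S01' |
    Format-Table -AutoSize -Wrap
```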
Question: What communication modes can client and site system roles use?
Lesson 2
Preparing to Deploy a Configuration Manager Primary Site
When preparing for a Configuration Manager primary site deployment, you must determine the site
system’s hardware and software requirements. You can use the Prerequisite Checker to determine whether a
server meets the prerequisites for hosting site system roles that you select during the setup process.
As part of your preparation, you also can extend the Active Directory schema to enable the site server to
publish information in AD DS. Clients can use this information to determine their assigned site and locate
the management point.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe site server and site database requirements for a Configuration Manager primary site
deployment.
• Describe the site system roles requirements for a Configuration Manager primary site deployment.
• Identify, install, and configure the prerequisites for site system deployment.
• Client computer installation and site assignment. During Configuration Manager client installation,
the client searches AD DS to find a management point from which to download the client software
and a site for site assignment.
• Port configuration for client-to-server communication. During installation, the client obtains the IIS
port information for the client-to-server communications from AD DS. If you change the client-to-
server port information after you install clients, the clients can obtain the updated port information
from AD DS.
• NAP. Configuration Manager publishes health state references to AD DS so that the System Health
Validator point can validate a client’s statement of health.
You can extend the schema by running the following program:
<installation source>\smssetup\bin\x64\extadsch.exe
Optionally, you can extend the schema by using the LDAP Data Interchange Format Data Exchange
(LDIFDE) tool to import the <installation source>\smssetup\bin\x64\ConfigMgr_ad_schema.ldf file. You
need to edit the .ldf file to include the forest name before you can use it.
For example, the following command line imports the schema extensions into AD DS, turns on verbose
logging, and creates a log file during the import process:
If you have additional AD DS forests that contain clients, and you allow your site to publish site data to
those forests, you also need to extend the Active Directory schema in those forests and grant the site
server rights to publish to them.
o Use client push installation, and configure installation properties for the site in the Client Push
Installation Properties window.
o Install clients manually and provide client installation properties by using CCMSetup installation
command-line options.
o Publish the management point in Domain Name System (DNS) or Windows Internet Naming
Service (WINS).
• Port configuration for client-to-server communication:
o Reinstall clients and configure them to use the new port information.
o Deploy a script to clients to update the port information through an external method, such as by
using Group Policy.
Demonstration Steps
1. On LON-DC1, start File Explorer, and then browse to \\LON-CFG\E$\ConfigMgr2012R2\SMSSETUP\BIN\X64.
Locate and then run the ExtADSch.exe file.
2. Browse to drive C, open the ExtADSch.log file, and then verify the success of the operation by
observing the classes and attributes added to Active Directory® Domain Services (AD DS) and the
message that confirms the schema’s successful extension.
3. In the Run dialog box, type adsiedit.msc, and then click OK.
4. In the ADSI Edit console, connect to the default naming context.
5. In the ADSI Edit console, expand Default naming context [LON-DC1.Adatum.com], expand the
DC=Adatum,DC=Com container, and then select the CN=System container.
6. Create an object under CN=System with the type container and the name System Management.
7. In the ADSI Edit console, verify that the CN=System Management container appears in the results
pane, and then close the console.
8. In the Active Directory Users and Computers console, from the View menu, enable Advanced
Features.
9. Locate the System Management container, and then access its Properties.
10. On the Security tab, assign Full Control permission to the LON-CFG computer, and then click
Advanced.
11. In the Advanced Security Settings for System Management dialog box, edit the entry for the
LON-CFG computer so Full Control permission will apply to This object and all descendant
objects, and then click OK.
Note: After the installation, the Configuration Manager 2012 site server will publish
information in the System Management container. It enables clients to determine their assigned
site and locate the management point.
Hardware Requirements
To install a stand-alone Configuration Manager 2012 primary site in an environment that has up to 100
clients, and that supports all of the features of Configuration Manager 2012, you need to ensure that you
meet the minimum hardware requirements that the following table lists.
Processor: AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with
EM64T support. Minimum: 1.4 gigahertz (GHz)
Network adapter: Site system computers must have network connectivity to other Configuration Manager
site systems, and they must have clients to manage them.
This hardware configuration is suitable only for testing environments. If you want to install Configuration
Manager 2012 in a production environment, the minimum hardware requirements are not sufficient.
The following table lists the recommended hardware requirements for a stand-alone System Center 2012
Configuration Manager primary site server that has SQL Server installed on the site server computer.
Processor: 8 cores (Intel Xeon 1.4GHz or comparable central processing unit [CPU])
RAM: 32 GB of RAM
Free disk space: 550-GB hard-disk space for the operating system, SQL Server, and all database files
Network adapter: Site system computers must have network connectivity to other Configuration Manager
site systems, and they must have clients to manage them.
When you use an instance of SQL Server that is installed on the same computer as the site server, the
primary site can support up to 50,000 clients. When you use an instance of SQL Server that is installed on
a computer that is remote from the site server, the primary site can support up to 100,000 clients.
Operating-System Requirements
In System Center 2012 Configuration Manager, all site systems, with the exception of distribution points,
require 64-bit server systems that are running one of the following operating systems:
• Windows Server 2008 R2 (no service pack or SP1) Standard, Enterprise, or Datacenter
Additionally, you need to ensure that you apply the following settings to SQL Server:
• Database collation. Configuration Manager requires the collation for both the database instance and
the Configuration Manager itself be set to SQL_Latin1_General_CP1_CI_AS.
• Authentication. Configuration Manager can use only Windows authentication to communicate with
SQL Server.
• SQL Server instance. Each Configuration Manager site must have a dedicated SQL Server instance.
• Reporting Services. You must install SQL Server Reporting on a database server to provide reporting
capabilities in Configuration Manager.
Each primary site can support up to 10 management points. If you install additional management points
in a stand-alone primary site, note the hardware requirements that the following table lists.
RAM: 8 GB of RAM
Free disk space: 50 GB of disk space for the operating system and Configuration Manager
Memory and processor capacity are the primary influences on management point performance.
Each primary site supports a combined total of up to 5,000 distribution points, which includes:
• All distribution points at the primary site
• All distribution points that belong to the primary site’s child secondary sites
If you install additional distribution points, note the hardware requirements that the following table lists.
RAM: 8 GB of RAM
Free disk space: Disk space, as required for the operating system and content that you deploy to the
distribution point.
Network and disk input/output (I/O) are the primary influences on distribution point performance.
In addition to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server
2012 R2, you can deploy distribution points to the operating systems that the following table lists.
• Windows Vista® (x64): Business Edition (SP1), Enterprise Edition (SP1), Ultimate Edition (no service
pack or SP1). Can only host the standard distribution point.
• Windows® 7 (x86 or x64): Professional (no service pack or SP1), Enterprise Edition (no service pack or
SP1), Ultimate Edition (no service pack or SP1). Can only host the standard distribution point.
• Windows Server 2003 (x86 or x64): Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition
(SP2). Does not support multicast.
Some 32-bit operating systems support distribution points, unlike other site system roles. However, only
specific operating systems support additional distribution-point features, such as Pre-Boot EXecution
Environment (PXE) and multicast.
Note: You can install the site server or any site system role on virtual machines. When using
virtual machines, you need to ensure that the Hyper-V® host meets the hardware requirements
for all virtual machines that it is hosting.
Microsoft .NET Framework 3.5 Features (All web-based roles): Install both .NET 3.5 and Windows
Communication Foundation (WCF) activation. This is a Windows feature that installs with the Windows
Server Manager. When you install the .NET Framework 3.5 features, you receive a prompt to add required
roles and services. IIS then installs with the required features.
Windows ADK (Operating System Deployment): The Windows Assessment and Deployment Kit (Windows ADK)
replaces Windows Automated Installation Kit for Windows Server 2012 and Windows 8 and newer operating
systems, and you must install it on the site server. You can install WAIK or Windows ADK, but both kits
cannot coexist on the same server.
Depending on the site system role that you want to implement, you must configure one or more of the
following prerequisites:
• IIS with ASP.NET and .NET Framework 3.5.1. Most site system roles use HTTP or HTTPS to
communicate with clients, so you should install the Web Server (IIS) server role on the majority of
servers that are hosting site system roles.
• BITS. Site system roles, such as management and distribution points, use BITS for bandwidth
throttling.
• .NET Framework 4.5. This is required when you install any of the following:
o Application catalog
o Software update point
o Enrollment point
• WSUS. The software update point role uses Windows Server Update Services (WSUS).
• WDS. WDS is required when you use PXE-initiated deployments of operating systems or if you wish to
use multicast deployment of operating-system images.
Database collation: The instance of SQL Server in use at each site must use the following collation:
SQL_Latin1_General_CP1_CI_AS.
SQL Server features: Only the Database Engine Services feature is required for each site server. You also
can install SQL Server Reporting Services to support the Reporting Services point role.
SQL Server instance: You must use a dedicated instance of SQL Server for each site.
SQL Server memory: When you use a database server that is co-located with the site server, limit the
memory for SQL Server to 50 to 80 percent of the available addressable system memory.
When you use a dedicated SQL Server, limit the memory reserved for SQL Server to 80 to 90 percent of the
available addressable system memory.
Configuration Manager requires SQL Server to reserve a minimum of 8 GB of memory in the buffer pool
that an instance of SQL Server uses for the central administration and primary sites.
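A read-only check of the SQL Server settings listed above (collation and memory limits), as an added example that is not part of the course material. It assumes a default instance on the lab server LON-CFG.Adatum.com, SQL Server 2012 or later (for the physical_memory_kb column), a login with VIEW SERVER STATE, and that the 8 GB buffer pool reservation corresponds to the "min server memory (MB)" setting.

```powershell
# Added example, not course code. Assumed: default SQL instance on the lab server,
# SQL Server 2012 or later, and SQL Server co-located with the site server.
$sqlServer = 'LON-CFG.Adatum.com'
$coLocated = $true      # set to $false when SQL Server runs on a dedicated computer

$query = @'
SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation')) AS Collation,
       (SELECT CONVERT(bigint, value_in_use) FROM sys.configurations
         WHERE name = 'min server memory (MB)') AS MinMemoryMB,
       (SELECT CONVERT(bigint, value_in_use) FROM sys.configurations
         WHERE name = 'max server memory (MB)') AS MaxMemoryMB,
       (SELECT physical_memory_kb / 1024 FROM sys.dm_os_sys_info) AS PhysicalMB;
'@

# Connect with Windows authentication only, matching the requirement on this page.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$sqlServer;Database=master;Integrated Security=SSPI"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    if (-not $reader.Read()) { throw 'No row returned from SQL Server.' }
    $collation  = [string]$reader['Collation']
    $minMB      = [long]$reader['MinMemoryMB']
    $maxMB      = [long]$reader['MaxMemoryMB']
    $physicalMB = [long]$reader['PhysicalMB']
    $reader.Close()
}
finally {
    $conn.Close()
}

# Allowed max-memory window from the table: 50-80 percent when co-located,
# 80-90 percent on a dedicated SQL Server computer.
if ($coLocated) { $low, $high = 50, 80 } else { $low, $high = 80, 90 }
$maxPct = [math]::Round(100 * $maxMB / $physicalMB, 1)

@(
    [pscustomobject]@{
        Check = 'Database collation'
        Value = $collation
        Pass  = ($collation -eq 'SQL_Latin1_General_CP1_CI_AS')
    }
    [pscustomobject]@{
        Check = 'Minimum memory reserved (MB), assumed to be min server memory'
        Value = $minMB
        Pass  = ($minMB -ge 8192)
    }
    [pscustomobject]@{
        Check = "Max server memory as percent of physical memory ($low-$high expected)"
        Value = $maxPct
        Pass  = ($maxPct -ge $low -and $maxPct -le $high)
    }
) | Format-Table -AutoSize
```

An instance left at the default max server memory value reports a percentage far above 100 and fails the third check, which is the unbounded configuration the table tells you to limit.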
You can run prerequisite checker manually when preparing a server for Configuration Manager, but it
is not a requirement. If you choose to run prerequisite checker manually, you can remediate any issues
that you find before you run the Configuration Manager Setup program. The Configuration Manager
Setup program runs it as the last step in the Setup Wizard, because installation cannot begin until all
prerequisites for the chosen roles are met.
Prerequisite Checker notifies you of any warnings or errors that it encounters. Tests that result in a
warning do not prevent you from installing System Center 2012 Configuration Manager successfully.
However, you should resolve the condition that generated the warning before running the Configuration
Manager 2012 Setup Wizard. Tests that result in an error prevent you from completing the Configuration
Manager setup process. Additionally, you can avoid interrupting the setup process by remediating any
prerequisite errors before running Configuration Manager 2012 Setup Wizard.
The following table lists the available options to use when you run Prerequisite Checker from a command
line.
/NOUI: Use this option to start Prerequisite Checker without displaying the user interface. You must
specify this option before any other option in the command-line.
/PRI or /CAS: Verifies that the local computer meets the requirements for the primary site or central
administration site. You can specify only one option. You cannot combine this option with the /SEC
option.
/SEC <FQDN of secondary site>: Verifies that the specified computer meets the requirements for the
secondary site. This option cannot be combined with the /PRI or /CAS option.
[/INSTALLSQLEXPRESS]: Verifies SQL Express on the specified computer. You can use this option only after
the /SEC option.
/SQL <FQDN of SQL Server>: Verifies that the specified computer meets the requirements for SQL Server to
host the Configuration Manager site database. This option is required when you use the /PRI or /CAS
option.
/SDK <FQDN of SMS Provider>: Verifies that the specified computer meets the requirements for the SMS
Provider. This option is required when you use the /PRI or /CAS option.
/JOIN <FQDN of central administration site>: Verifies that the local computer meets the requirements for
connecting to the central administration server. This option is only valid when you use the /PRI option.
/MP <FQDN of management point>: Verifies that the specified computer meets the requirements for the
management point site system role. This option is only supported when you use the /PRI option.
/DP <FQDN of distribution point>: Verifies that the specified computer meets the requirements for the
distribution point site system role. This option is only supported when you use the /PRI option.
/ADMINUI: Verifies that the local computer meets the prerequisites for the Configuration Manager console.
This option cannot be combined with any other option.
Prerequisite Checker verifies that the site server computer account has permissions to write in AD DS, but
it does not check permissions for any groups of which the site server is a member.
Demonstration Steps
1. On LON-CFG, start the Server Manager console.
2. In the Server Manager console, verify that the following roles and features are installed:
o .NET Framework 3.5 Features
o Web Server
Lesson 3
Installing a Configuration Manager Site Server
After preparing the environment, your next step is to install the Configuration Manager 2012 site server.
You can use the System Center 2012 Configuration Manager Setup Wizard to:
You can select additional configuration options for site systems during setup.
You will review the available setup options, and then determine the most appropriate settings for your
implementation.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Configuration Manager 2012 setup process.
Product Key: Enter the product key or select Install this product as an evaluation.
Microsoft Software License Terms: Accept the license terms in this step to continue with the setup.
Prerequisite: In this step, you must accept the licenses for Microsoft SQL Server 2008 R2
Prerequisite Downloads: In this step, you can download the Configuration Manager prerequisites or specify
a folder where you downloaded them previously.
Server Language Selection: This option enables you to specify additional language packs to download and
install for the admin console and reports.
Client Language Selection: This option enables you to specify additional language packs to download and
install for the Configuration Manager client.
Site and Installation Settings: Configure the site code and site name. You cannot change these settings
once you configure them. You also can choose whether to install the Configuration Manager console.
Primary Site Installation: If you selected Install a Configuration Manager primary site in the first step,
you can indicate whether the site is a stand-alone site or is part of a hierarchy.
Database Information: Input the fully qualified domain name (FQDN) of the SQL server, the name of the
Configuration Manager database, and the port to use for the SQL Server Service Broker.
SMS Provider Settings: Input the FQDN of the server that hosts the SMS Provider. By default, this installs
on the site server. We recommend installing this role on the database server, unless the database is
clustered.
Client Computer Communication Settings: In this step, you can choose either of the following:
• All site systems roles accept only HTTPS communication from clients
• Configure the communication method on each site system role
If you choose to configure site system roles separately, you can select the Clients use HTTPS when they
have a valid PKI certificate and HTTPS-enabled site roles are available check box.
Site System Roles: In this step, you can choose to install a management point and/or a distribution
point, and specify the FQDNs for the roles. By default, both roles are installed by using the server’s
FQDN.
All site systems roles accept only HTTPS communication from clients: Both roles are configured for HTTPS
and you cannot modify them during setup.
Customer Experience Improvement Program Configuration: In this step, you can choose to participate in the
Customer Experience Improvement Program.
Settings Summary: Review your selections to determine whether you need to make changes.
Prerequisite Check: The Setup Wizard launches the prerequisite checker application to evaluate the server
readiness for hosting selected roles.
Begin install: Select the option to start the installation. Alternatively, you can go back and make
additional changes, or you can install missing prerequisites.
If you want to install the console on an administrative user’s workstation, you can use the
ConsoleSetup.exe in SMSSETUP/BIN/i386. The Configuration Manager console is a 32-bit application
that you can install on 32-bit and 64-bit operating systems.
• Recover a site. Use this option to perform the first step in recovering a failed site server. Module 7
provides more details on site-server recovery.
• Perform site maintenance or reset this site. Use this option to modify the SQL server configuration,
manage the SMS Provider, or perform a site reset after restoring from a backup.
• Uninstall a Configuration Manager site. We recommend this approach to remove a site server from a
hierarchy.
Note: The option to install a secondary site is not available in the Setup Wizard. You can
install the secondary sites by using the Configuration Manager console connected to an existing
primary site.
The Configuration Manager setup differs from the Configuration Manager 2007 setup in the following
ways:
• With the exception of the management point and distribution point site roles, you cannot install any
of the optional roles during the setup process.
• Setup Downloader (SetupDL.exe) and Prerequisite Checker (prereqchk.exe) now are separate
applications that you can launch without starting the Configuration Manager Setup Wizard.
Demonstration Steps
1. On LON-CFG, open File Explorer, and then navigate to the E:\ConfigMgr2012R2\ folder.
2. Double-click splash.hta.
3. In the System Center 2012 R2 Configuration Manager Setup dialog box, click Install.
4. The Microsoft System Center 2012 R2 Configuration Manager Setup Wizard starts. Use the following
settings to install a stand-alone primary site.
a. On the Getting Started page, select Install a Configuration Manager primary site.
b. On the Product Key page, select Install the evaluation edition of this product.
c. On the Microsoft Software License Terms page, accept the license terms.
d. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms. Under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms
and automatic updates of Silverlight.
e. On the Prerequisite Downloads page, select Use previously downloaded files, and then
specify E:\ConfigMgr2012R2\Redist as the location.
f. On the Server Language Selection and Client Language Selection pages, click Next.
g. On the Site and Installation Settings page, configure the following options.
Site code: LON
Site name: Adatum Site
Install the Configuration Manager console: selected
h. On the Primary Site Installation page, select Install the primary site as a stand-alone site.
k. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role.
l. On the Site System Roles page, verify that both Install a management point and Install a
distribution point check boxes are selected. Additionally, verify that LON-CFG.Adatum.com
appears in both FQDN text boxes.
Objectives
At the end of this lab, you will be able to:
• Configure the prerequisites for a System Center 2012 R2 Configuration Manager deployment.
• Extend the Active Directory schema, and configure permissions for the Configuration Manager site
server.
Lab Setup
Estimated Time: 30 minutes
Password Pa$$w0rd
For this lab, you use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, from the Start screen, click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-A, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
You need to verify the configuration of prerequisites for the Configuration Manager deployment.
The main tasks for this exercise are as follows:
o Deployment Tools
Results: After this exercise, you should have validated the prerequisites for installing System Center 2012
Configuration Manager.
You need to prepare AD DS for Configuration Manager 2012 by extending the AD DS schema, and then
by manually creating the System Management container, in which the Configuration Manager 2012 server
will publish information.
3. Assign Full Control permissions to the site server for the System Management container.
2. Browse to drive C, open the ExtADSch.log file created in the root of drive C, and then verify the
success of the operation by observing the classes and attributes added to AD DS and the message
that confirms the schema’s successful extension.
3. In the ADSI Edit console, expand Default naming context [LON-DC1.Adatum.com], expand the
DC=Adatum,DC=Com container, and then select the CN=System container.
4. Create an object under CN=System with the type container and the name System Management.
5. In the ADSI Edit console, verify that the CN=System Management container appears in the results pane,
and then close the console.
Task 3: Assign Full Control permissions to the site server for the System Management
container
1. Open the Active Directory Users and Computers console, and then from the View menu, verify that
Advanced Features is selected.
2. Under the System container, browse to the System Management container, and then access its
Properties.
3. On the Security tab, assign Full Control permission to the LON-CFG server, and then click
Advanced.
4. In the Advanced Security Settings for System Management dialog box, edit the entry for the
LON-CFG computer so Full Control permission will apply to This object and all descendant
objects, and then click OK.
Note: After the installation, the Configuration Manager 2012 site server will publish
information in the System Management container. This enables clients to determine their
assigned site and locate their management point.
Results: At the end of this exercise, you should have extended the Active Directory schema, created the
System Management container, and assigned permissions to the Configuration Manager server.
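A scripted equivalent of the container and permission steps from the demonstration and from lab Tasks 2 and 3, followed by an audit of the resulting ACL, as an added example that is not part of the course material. It assumes the RSAT ActiveDirectory module, the lab names used on this page (domain Adatum.com, site server LON-CFG), and an account that is allowed to create objects under CN=System.

```powershell
# Added example, not course code. Lab names (Adatum.com, LON-CFG) come from this page;
# the ActiveDirectory module and sufficient rights on CN=System are assumed.
Import-Module ActiveDirectory

$systemDn    = 'CN=System,DC=Adatum,DC=com'
$containerDn = "CN=System Management,$systemDn"
$siteServer  = 'LON-CFG'

# 1. Create the System Management container only if it does not exist yet.
$existing = Get-ADObject -SearchBase $systemDn -SearchScope OneLevel `
                -LDAPFilter '(&(objectClass=container)(cn=System Management))'
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# 2. Grant the site server's computer account Full Control on
#    "This object and all descendant objects" (inheritance type All).
$sid  = (Get-ADComputer -Identity $siteServer).SID
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$path = "AD:\$containerDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Audit: read back only the explicit (non-inherited) ACEs, identified by SID.
$explicit = (Get-Acl -Path $path).GetAccessRules(
                $true, $false, [System.Security.Principal.SecurityIdentifier])

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$siteAce = $explicit | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl -and
    $_.InheritanceType -eq 'All' -and
    $_.ObjectType -eq [guid]::Empty
}

# Rights that let a principal change the container, its children, or its ACL.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree'

$otherWriters = $explicit | Where-Object {
    $_.IdentityReference.Value -ne $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    [int]($_.ActiveDirectoryRights -band $writeMask) -ne 0
} | ForEach-Object {
    # Resolve the SID to a name where possible; keep the SID if it cannot be resolved.
    $name = $_.IdentityReference.Value
    try   { $name = $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { }
    [pscustomobject]@{
        Identity    = $name
        Rights      = $_.ActiveDirectoryRights
        Inheritance = $_.InheritanceType
    }
}

"Site server ACE present with Full Control on this object and all descendants: $([bool]$siteAce)"
$otherWriters | Format-Table -AutoSize
```

The second table lists every other principal with explicit write-level access to the container; entries beyond the default administrative ones are worth reviewing, because clients read site assignment and management point data from this location.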
a. On the Getting Started page, select Install a Configuration Manager primary site.
b. On the Product Key page, select Install the evaluation edition of this product.
c. On the Microsoft Software License Terms page, accept the license terms.
d. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms. Under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms
and automatic updates of Silverlight.
e. On the Prerequisite Downloads page, select Use previously downloaded files, and then
specify E:\ConfigMgr2012R2\Redist as the location.
f. On the Server Language Selection and Client Language Selection pages, verify that English is
selected.
g. On the Site and Installation Settings page, configure the following options:
Site code: LON
Site name: Adatum Site
Install the Configuration Manager console: selected
h. On the Primary Site Installation page, select Install the primary site as a stand-alone site.
k. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role.
l. On the Site System Roles page, verify that a management point and a distribution point will be
installed on LON-CFG.Adatum.com.
m. On the Customer Experience Improvement Program Configuration page, select I don’t want
to join the program at this time.
o. On the Prerequisite Check page, wait for the prerequisite check to finish, and then click Begin
Install.
3. Wait for the installation to finish, and then close the wizard.
Results: At the end of this exercise, you should have installed System Center 2012 Configuration Manager
in a stand-alone primary site.
Question: What user rights are required to extend the Active Directory schema?
Question: What setup options are available in the Configuration Manager 2012 Setup
Wizard?
Lesson 4
Performing Post-Setup Configuration Tasks
You can verify the successful installation of System Center 2012 Configuration Manager by starting
the Configuration Manager console, reviewing the installation logs, and then reading the status messages.
Additionally, you need to perform initial site configuration by defining the boundaries and boundary
groups, and by installing optional, additional site roles.
Lesson Objectives
After completing this lesson, you will be able to:
o ConfigMgrPrereq.log. Prerequisite checker generates this log, regardless of whether you run it
stand-alone or as part of Setup.
o ConfigMgrSetup.log. The Configuration Manager Setup Wizard generates this log, which is the primary
setup log. Look here to identify any abnormal errors that the wizard encountered during Setup.
For example, when you run Setup, the wizard attempts to connect to the database. Since the
database does not exist at this point, this action generates an error.
o ConfigMgrSetupWizard.log. The Setup Wizard generates this log.
o ConfigMgrAdminUI.log. The console setup generates this log. Because installing the console is
not mandatory, this is a separate log.
• Component Status
• Application Deployment Summarizer, which aggregates state messages that clients generate when
involved in deploying applications.
• Application Statistics Summarizer, which aggregates information about status messages for
application deployment.
• Component Status Summarizer, which aggregates status messages that site-system components
generate.
• Site System Status Summarizer, which aggregates status messages that site systems generate.
• Status filter rules, which control the processing of status messages based on both built-in rules that
you can modify and on rules that you create.
Boundaries
Each boundary represents a network location in your hierarchy. A boundary does not enable you to
manage clients at the network location. You can use it to identify available network locations. To manage
a client, the boundary must be a member of a boundary group.
You can define a boundary by using an:
• IP subnet. You can specify an IP address and subnet mask, and then Configuration Manager calculates
the subnet ID or you can provide the subnet ID.
Note: Configuration Manager does not support the use of supernetworks for boundaries. If
you try to use a supernetwork address, Configuration Manager changes it to a class A, class B, or
class C subnet.
• Active Directory site name. You can specify any sites that you define in your AD DS environment.
• IPv6 Prefix. You can use an IPv6 prefix for a boundary if you are using IPv6 in your environment.
• IP address range. You can specify a range of IP addresses if you want to limit your boundaries.
An administrator can create boundaries manually, or Configuration Manager 2012 can create IP address
range boundaries automatically by using the Active Directory Forest Discovery method. We recommend
that you use IP address ranges to define boundaries instead of using IP subnets, because IP address
ranges do not rely on the subnet mask’s configuration being correct at the client.
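The recommendation above can be seen by computing what a client would report, shown here as an added example that is not part of the course material. The values are constructed: the 10.10.0.0/24 subnet used in this module's demonstration, a hypothetical client at 10.10.0.200, and a range boundary of 10.10.0.1 to 10.10.0.254.

```powershell
# Added example, not course code. All addresses below are constructed sample values.

function ConvertTo-UInt32 {
    # Dotted-quad IPv4 address -> unsigned 32-bit number, for range comparisons.
    param([Parameter(Mandatory = $true)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)              # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-SubnetId {
    # Subnet ID = address AND mask, computed per octet.
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        [Parameter(Mandatory = $true)][string]$Mask
    )
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $octets = for ($i = 0; $i -lt 4; $i++) { $a[$i] -band $m[$i] }
    $octets -join '.'
}

function Test-ClientBoundary {
    param(
        [string]$ClientAddress,
        [string]$ClientMask,        # mask as configured on the client, possibly wrong
        [string]$BoundarySubnetId,  # IP subnet boundary defined in the console
        [string]$RangeStart,        # IP address range boundary
        [string]$RangeEnd
    )
    $reported = Get-SubnetId -Address $ClientAddress -Mask $ClientMask
    $ip       = ConvertTo-UInt32 $ClientAddress
    [pscustomobject]@{
        ClientMask          = $ClientMask
        ReportedSubnetId    = $reported
        MatchesSubnet       = ($reported -eq $BoundarySubnetId)
        MatchesAddressRange = ($ip -ge (ConvertTo-UInt32 $RangeStart) -and
                               $ip -le (ConvertTo-UInt32 $RangeEnd))
    }
}

# Same client address, once with the intended /24 mask and once with a
# mistyped mask (255.255.255.128) on the client's network adapter.
'255.255.255.0', '255.255.255.128' | ForEach-Object {
    Test-ClientBoundary -ClientAddress '10.10.0.200' -ClientMask $_ `
        -BoundarySubnetId '10.10.0.0' -RangeStart '10.10.0.1' -RangeEnd '10.10.0.254'
} | Format-Table -AutoSize
```

With the mistyped mask the client computes a different subnet ID and no longer matches the IP subnet boundary, while the address range comparison is unaffected because it never uses the mask.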
Boundary Groups
Boundary groups contain one or more boundaries. They enable clients on the intranet to find an assigned
site and locate content.
Boundary groups are functionally equivalent to Configuration Manager 2007 boundaries, and are
associated with sites. Clients use them to identify the site to which they are assigned, and use them to
locate content.
Site Assignment
A client can use boundary groups for automatic site assignment by finding an appropriate site to join,
based on the client’s current network location. You must enable the Use this boundary group for site
assignment setting to enable automatic site assignment to use a particular boundary. This setting is in
the boundary group’s Properties dialog box on the References tab. When you enable a boundary group
for automatic site assignment, you also can configure the site to which you want to assign the clients.
Configuration Manager publishes boundary group information to AD DS, and the client queries it
after installation. After a client receives a site assignment, the client does not change that site assignment
automatically. For example, a client’s site assignment does not change if that client roams to a network
location that is represented by a boundary in the boundary group of a site other than the client’s assigned site.
Content Location
Clients also use boundary groups to identify available distribution points or state migration points,
based upon the client’s current network location. When configuring a boundary group, you specify the
distribution points and state migration points that clients use within one of the boundary group’s
boundaries.
When a client requests content, it retrieves a list of all distribution points that contain the content from
all the boundary groups of which the client is a member. The client then downloads the content from the
distribution point that is the best choice, based on the boundary and its speed.
Depending on your environment’s complexity, you might decide to create two sets of boundary groups—
one for site assignment and one for content location. This enables you to configure the boundary groups
for content location to contain overlapping boundaries and not affect site assignment.
Active Directory Forest Discovery configuration options are in the System Center 2012 Configuration
Manager console’s Administration workspace under the Hierarchy Configuration node, and include:
• Discovery Methods. You can enable Active Directory Forest Discovery in the hierarchy. You also
can configure a simple schedule to run discovery, and specify whether it should create boundaries
automatically from the IP subnets and Active Directory sites that Configuration Manager discovers in
the Active Directory Forest(s). You cannot run Active Directory Forest Discovery at a secondary site,
but you can trigger a discovery cycle on demand.
• Active Directory Forests. Here you configure the additional Active Directory forests that you want
to discover, specify the account to use as the Active Directory Forest Account for each forest, and
configure publishing to each forest. Additionally, you can specify the discovery of IP subnets and
Active Directory sites.
The following information is published to AD DS when you enable publishing for an Active Directory
forest if the schema was previously extended and configured for Configuration Manager publishing:
• SMS-Site-<site code>
To publish data into AD DS, each site server must have full permissions on the System Management
container and all descendant objects. Secondary sites always use the computer account of the secondary
site server to publish to AD DS. Therefore, you must ensure that secondary site servers have full
permissions.
You can configure Active Directory Forest Discovery at the central administration site or any primary site
in the hierarchy. To avoid conflicts with discovery data, you should not configure multiple sites to discover
the same Active Directory Forest.
Active Directory Forest Discovery actions are recorded in the following logs, which reside in the site
server’s <InstallationPath>\Logs folder:
• All actions, with the exception of actions related to publishing, are in the ADForestDisc.log.
Question: How does Configuration Manager use IP subnets that Active Directory Forest Discovery
locates?
The two wizards are the same, except that you need to select an existing server and designate it as a new
site system in the Configuration Manager site in the Create Site System Server Wizard. Conversely, you do
not need to reconfigure the Add Site System Roles Wizard information on the General page. Please note
that the Add Site System Roles Wizard does not list roles that are installed already on the site systems.
Demonstration Steps
1. On LON-DC1, start the Active Directory Sites and Services console.
2. In the Active Directory Sites and Services console, under the Sites node, rename Default-First-Site-
Name to London.
3. Under the Subnets node, create a subnet for 10.10.0.0/24, and then assign it to the London site.
4. Close the Active Directory Sites and Services console.
5. On LON-CFG, open the Configuration Manager console. In the Administration workspace, expand
Hierarchy Configuration, and then select Discovery Methods.
6. In the results pane, access the properties for Active Directory Forest Discovery, and then select
the Enable Active Directory Forest Discovery and Automatically create Active Directory site
boundaries when they are discovered check boxes.
7. In the Configuration Manager console, in the Active Directory Forests node, access the Properties
of Adatum.com. Review the settings, and then close the dialog box.
8. Under the Boundaries node, access the Properties of the created boundary. Review the settings, and
then close the dialog box.
9. In the Configuration Manager console, select the Boundary Groups node, and then on the ribbon,
click Create Boundary Group.
o On the References tab, select the option Use this boundary group for site assignment.
o Add \\LON-CFG.Adatum.com as the site system server.
11. In the Configuration Manager console, under Site Configuration, select the Servers and Site
System Roles node.
12. Select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and then click Add Site
System Roles.
13. In the Add Site System Roles Wizard, use the following settings to install the site system roles:
o On the General page, verify that the Name for the site server is LON-CFG.Adatum.com.
o On the System Role Selection page, select Fallback status point and Reporting services
point.
o On the Reporting services point page, use the Verify button to validate access to the database.
o Under User name click Set, New Account, and then specify the following credentials:
User name: ADATUM\Administrator
Password: Pa$$w0rd
Confirm password: Pa$$w0rd
14. Complete the wizard by accepting the default settings.
16. In the preview pane, access the Properties for the Management point.
17. Select the option Generate alert when the management point is not healthy, and then close the
dialog box.
18. In the preview pane, access the Properties for the Distribution point.
19. On the Boundary Groups tab, verify that the London Clients boundary group you have created
previously appears in the list, and then close the dialog box.
Note: The association between the distribution point and the boundary group was created
when you added the site system to the boundary group in a previous task.
Lesson 5
Tools for Monitoring and Troubleshooting a
Configuration Manager Site
You were introduced to the status messages feature when you validated the installation of the System
Center 2012 Configuration Manager primary site. All major Configuration Manager components generate
status messages that you can use to monitor and troubleshoot your installations.
In this lesson, you will review additional features that pertain to status messages, such as status
summarizers, status filter rules, and status reports.
Configuration Manager site systems and components also generate detailed logs. In this lesson, you will
review the logs, and then identify the most appropriate log to use when troubleshooting a specific
feature.
You will also examine the Configuration Manager console, which includes features that you can use
for monitoring and alerting.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe using the Configuration Manager 2012 logs for troubleshooting.
• Describe using the monitoring features in the Configuration Manager 2012 console.
• Several roles, such as the management point and distribution point, use IIS. The IIS log file is in the
%Windir%\System32\logfiles\W3SVC1 folder on the IIS server.
The Configuration Manager Trace Log Tool (CMTrace.exe) is an add-on tool that you can use to view
logs, quickly locate warnings and errors, and view the latest real-time updates to logs. The Configuration
Manager Trace Log Tool is a stand-alone executable file in the installation media\SMSSETUP\TOOLS folder
or in the installation path\TOOLS folder.
You can use this tool to view and monitor log files, including:
Log files
Most processes and roles generate their own log files. The following table lists the log files that pertain to
installation and default roles, including the management and distribution points.
• ConfigMgrAdminUISetup.log. Located in the root of the %SystemDrive%. This log file records
the installation of the Configuration Manager console.
• ConfigMgrPrereq.log. Located in the root of the %SystemDrive%. This log file records
the results of the prerequisites checker.
• ConfigMgrSetup.log. Located in the root of the %SystemDrive%. This log file records
the installation of the Configuration Manager server.
• ConfigMgrSetupWizard.log. Located in the root of the %SystemDrive%. This log file records
the progress of the Configuration Manager Setup Wizard.
Note: For a full list of logs that the Configuration Manager site server and site system roles
generate, refer to the Additional Reading link in the Course Companion Content at
http://www.microsoft.com/learning/companionmoc/.
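As an added example (not part of the course material and not a Microsoft tool), the script below scans log lines for warnings and errors, which is the review the lab steps ask you to do by eye in CMTrace. The two line layouts it parses, the INFO:/WARNING:/ERROR: prefix convention, and every sample line are assumptions or constructed data, not taken from this page.

```python
import re
from collections import Counter

# Assumed layout 1: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
TYPED = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)"', re.S)
# Assumed layout 2: message  $$<component><MM-dd-yyyy HH:mm:ss.fff+off><thread=N (0xH)>
LEGACY = re.compile(
    r'^(?P<msg>.*?)\s*\$\$<(?P<component>[^>]*)><(?P<date>\S+) (?P<time>[^>]+)><thread=', re.S)
PREFIX = re.compile(r'^(INFO|WARNING|ERROR):', re.I)
TYPE_TO_SEVERITY = {"1": "info", "2": "warning", "3": "error"}


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = TYPED.search(line)
    if m:
        severity = TYPE_TO_SEVERITY.get(m["type"], "info")
    else:
        m = LEGACY.match(line)
        if not m:
            return None
        # Layout 2 carries no type field, so fall back to the message prefix.
        p = PREFIX.match(m["msg"].strip())
        severity = p.group(1).lower() if p else "info"
    return {"severity": severity, "component": m["component"],
            "when": f'{m["date"]} {m["time"]}', "message": m["msg"].strip()}


def triage(lines):
    """Count entries per severity and collect warnings and errors in file order."""
    counts, findings = Counter(), []
    for number, line in enumerate(lines, start=1):
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1  # e.g. the continuation of a multi-line message
            continue
        counts[entry["severity"]] += 1
        if entry["severity"] != "info":
            findings.append((number, entry["severity"], entry["component"], entry["message"]))
    return counts, findings


# Constructed sample lines; not copied from a real site server.
SAMPLE = [
    'INFO: Setup started.  $$<Configuration Manager Setup><02-14-2013 10:15:30.101+000><thread=2040 (0x7F8)>',
    'WARNING: Free disk space is low.  $$<Configuration Manager Setup><02-14-2013 10:15:31.007+000><thread=2040 (0x7F8)>',
    'ERROR: Could not connect to the site database.  $$<Configuration Manager Setup><02-14-2013 10:15:32.123+000><thread=2040 (0x7F8)>',
    '<![LOG[Role installation finished]LOG]!><time="10:20:01.000+000" date="02-14-2013" '
    'component="SampleComponent" context="" type="1" thread="3120" file="sample.cpp:10">',
    '<![LOG[Health check failed for the sample role]LOG]!><time="10:21:44.310+000" date="02-14-2013" '
    'component="SampleComponent" context="" type="3" thread="3120" file="sample.cpp:42">',
    'a continuation line with no header',
]

if __name__ == "__main__":
    counts, findings = triage(SAMPLE)
    print(dict(counts))
    for finding in findings:
        print(finding)
```

Lines that match neither layout are counted as unparsed rather than dropped, so a log in an unexpected layout shows up in the totals.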
• View the aggregated health status of the site systems, site components, and deployments.
• View the health status of Configuration Manager clients.
“Module 8: Maintaining and Monitoring System Center 2012 R2 Configuration Manager” provides more
detail about monitoring features.
• Low sideloading activations. Occurs when there are fewer than 10 activations available for a sideloading
key.
• Warning low free space alert for database on site. Occurs when the amount of free space in the
database is less than 10 GB.
• Critical low free space alert for database on site. Occurs when the amount of free space in the
database is less than 5 GB.
The following table lists the events for which you can create alerts.
Alert: Client health alerts
Events:
• Client check pass or no results for active clients falls below threshold
• Client remediation success falls below the threshold
• Client activity falls below threshold
You can view alerts in the Configuration Manager console, or you can subscribe to alerts, so that you can
receive them by email. To receive alerts by email, you must:
Demonstration Steps
1. Find all status messages with an ID of 5103 for the management point component.
2. Configure the site to use LON-CFG as a Simple Mail Transfer Protocol (SMTP) server for alert
subscriptions.
3. Configure an alert to generate when client activity falls below 70 percent for the All Systems device
collection.
You need to validate the installation and perform the initial site configuration.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Password Pa$$w0rd
For this lab, you use the available virtual machine environment. Before you begin the lab, you must ensure
the following virtual machines are still running:
• 10748C-LON-DC1-A
• 10748C-LON-CFG-A
2. In the Configuration Manager console, in the Monitoring workspace, under the System Status\Site
Status node, view the status of each site system role.
Task 2: View the status messages that pertain to the Configuration Manager 2012
installation
1. Select the Site Status node, and then in the results pane, select Site server.
2. On the ribbon, click the Show Messages button, and then click All.
3. In the Status Messages: Set Viewing Period dialog box, accept the defaults, and then click OK.
4. In the Configuration Manager Status Message Viewer for <LON> <Adatum Site>, double-click
on any message, and then review the details of the status message. Use the Next and Previous
buttons to view additional status messages, and then close the Status Message Details dialog box.
2. Navigate to drive C, and then open the ConfigMgrPrereq.log file located in the root folder. Review
the file, note any errors or warnings reported by Prerequisite Checker, and then close the log file.
3. Open the ConfigMgrSetup.log file. Review the file, note any errors or warnings reported by Setup,
and then close the log file.
Note: The root folder also stores the ConfigMgrSetupWizard.log. If you installed the
console, you should see ConfigMgrAdminUISetup.log.
Results: At the end of this exercise, you will have validated the installation of System Center 2012
Configuration Manager.
Next, you will install new site system roles, such as Fallback Status Point and Reporting Services Point, and
then configure the management and distribution points.
2. Configure Active Directory Forest Discovery to create a new boundary from the Active Directory site.
4. Install additional site system roles: the Fallback Status Point and Reporting Services Point.
2. In the Active Directory Sites and Services console, under the Sites node, rename the Default-First-
Site-Name site to London (without a space).
3. Under the Subnets node, create a subnet for 172.16.0.0/16, and then assign it to the London site.
Task 2: Configure Active Directory Forest Discovery to create a new boundary from
the Active Directory site
1. On LON-CFG, in the Configuration Manager console, in the Administration workspace, expand
Hierarchy Configuration, and then select Discovery Methods.
2. In the results pane, access the properties for Active Directory Forest Discovery, and then select
the Enable Active Directory Forest Discovery and Automatically create Active Directory site
boundaries when they are discovered check boxes.
3. In the Configuration Manager console, under the Active Directory Forests node, access the
Properties of Adatum.com. Review the settings, and then close the dialog box.
4. Under the Boundaries node, access the Properties of the London boundary. Review the settings,
and then close the dialog box. You may need to refresh the console to see the London boundary.
Task 4: Install additional site system roles: the Fallback Status Point and Reporting
Services Point
1. In the Configuration Manager console, under Site Configuration, select the Servers and Site
System Roles node.
2. Select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and then click Add Site
System Roles.
3. In the Add Site System Roles Wizard, use the following settings to install the site system roles:
o On the General page, verify that the Name for the site server is LON-CFG.Adatum.com.
o On the System Role Selection page, select Fallback status point and Reporting services
point.
o On the Reporting Services Point page, use the Verify button to validate access to the database.
o Under User name click Set, New Account, and then specify the following credentials:
User name: ADATUM\Administrator
Password: Pa$$w0rd
Confirm password: Pa$$w0rd
4. Complete the wizard by accepting the default settings.
2. In the preview pane, access the Properties for the Management point.
3. Select the option Generate alert when the management point is not healthy, and then close the
dialog box.
4. In the preview pane, access the Properties for the Distribution point.
5. On the Boundary Groups tab, verify that the London Clients boundary group you created
previously appears in the list, and then close the dialog box.
Note: The association between the distribution point and the boundary group was created
when you added the site system to the boundary group in a previous task.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-A, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: At the end of this exercise, you will have performed the initial configuration of a System Center
2012 Configuration Manager stand-alone primary site.
Question: When can you have overlapping boundaries for multiple boundary groups?
Tools
The tools in the following table are useful during the Configuration Manager 2012 deployment process.
• Prerequisite Checker. Used for validating the prerequisites for the Configuration Manager site server
and roles installation. Located on the installation media.
Module 3
Planning and Configuring Role-Based Administration
Module Overview
Microsoft® System Center 2012 Configuration Manager and System Center 2012 R2 Configuration
Manager implement role-based access control (RBAC). With RBAC, you can use security roles, security
scopes, and collections to define access permissions for your administrative users.
This module shows you how to customize the security roles and scopes to match your specific
organizational requirements.
Objectives
After completing this module, you will be able to:
• Describe role-based administration concepts.
• Describe the process of identifying a typical information technology (IT) department’s job roles and
identify its responsibilities and activities.
• Describe the process for creating new security roles and configuring scopes in Configuration Manager
2012 and System Center 2012 R2 Configuration Manager.
Lesson 1
Overview of Role-Based Administration
You can use role-based administration in Configuration Manager to centrally define security settings
and to delegate administrative tasks to users or groups. You can assign an administrative user one or
more security roles that represent a set of administration tasks. The security role includes all permissions
necessary to complete the tasks that relate to the role. For example, you can assign the Application
Deployment Manager security role to a user who will manage application deployments. This role
automatically grants permissions to deploy applications to computer devices or users.
You can further define the objects that a security role can administer, thereby limiting administrative
access to specific collections and security scopes. You can use a security scope to associate specific objects
with one or more administrative users. For example, you can give an administrator permission to deploy
only specific applications by associating those applications with a security scope, instead of permissions to
deploy all applications.
Administrative users can see only the objects that they have permission to manage, which the security
role, security scope, and collection define.
You can use the built-in security roles and scopes, or you can create your own custom security settings to
use throughout the hierarchy. When you create administrative users, you configure and replicate security
assignments throughout the central administration site and the hierarchy’s primary sites.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the benefits of role-based administration.
• Describe collections.
• Describe planning role-based administration.
more security roles, one or more security scopes, and collections as necessary. The best practice is to
create an administrative user by specifying an AD DS security group. Then you can assign AD DS user
accounts to the security group by adding the accounts to the associated AD DS security group. Security roles
are collections of permissions to perform administrative tasks. Security scopes are groups of securable
objects.
Role-based administration helps ensure that a user who connects by using the Configuration Manager
console or Windows PowerShell® can view and modify only those Configuration Manager objects that the
user has permission to manage. This reduces the chance that a user can perform unauthorized actions.
Role-based administration also simplifies the auditing of administrative actions, making it easier to
determine who performed a particular administrative task.
Security Roles
A security role is a group of permissions that are
necessary for performing specific administrative
tasks. The role consists of individual permissions
for each object type that an administrative user is
allowed to manage.
• Approve
• Create
• Delete
• Modify
• Modify Folder
• Move Object
• Read
• Modify Report
You can use scopes and collections to limit access by administrative users to individual object instances
because the roles themselves do not specify user permissions for individual objects.
Configuration Manager includes 15 built-in roles that include permissions for executing typical tasks on
different types of objects.
You cannot modify or delete the built-in roles, but you can create custom roles to match special
administrative requirements.
Built-In Roles
Configuration Manager includes the 15 built-in
security roles that the following table lists. Each
role gives specific permissions to an administrative
user to perform actions on certain types of
objects.
• Asset Manager. Grants permissions to manage hardware and software inventory, software
metering, the Asset Intelligence sync point, and the Asset Intelligence reporting classes.
• Company Resource Access Manager. Grants permissions to create, deploy, and manage company
resource access profiles such as virtual private network (VPN), Wi-Fi, and certificate profiles to
users and devices.
• Endpoint Protection Manager. Grants permissions to perform tasks that are necessary to administer
Endpoint Protection in Configuration Manager, including creating and deploying Endpoint Protection
policies, alerts, and reports.
• Full Administrator. Grants all permissions in Configuration Manager. The user who creates a
new Configuration Manager installation is associated with this security role automatically.
• Operations Administrator. Grants permissions for all actions in Configuration Manager, with the
exception of managing security of administrative users, security roles, security scopes, and
collections.
• Remote Tools Operator. Grants permissions to run the out-of-band management console, remote
control, Windows Remote Assistance, and Remote Desktop Services.
• Security Administrator. Grants permissions to add and remove administrative users and to
associate those administrative users with security roles, security scopes, and collections.
Question: Which security role does Configuration Manager assign to you when you first install it?
Security Scopes
You can assign a securable object to one or more
security scopes, and then assign appropriate
security scopes to administrative users. This
enables you to specify the objects that the users
can view and manage within the Configuration
Manager console. When you create an
administrative user, you must assign at least one
security scope to provide administrative access to
objects. Configuration Manager contains two
built-in security scopes:
• Boundary groups
• Task sequences
• Queries
• Sites
• Software-metering rules
• Configuration items and configuration baselines
2. Expand the Security node, and then click Security Scopes. The results pane displays all of the scopes
created for the hierarchy.
To associate a security scope with an object, right-click one or more securable objects, and then click Set
Security Scopes. You then can select the security scopes that you want to associate with the specific
object.
Note: Computer and user objects are not assigned to scopes. Collections limit
administrative permissions to sets of computer or user objects. However, you can assign
collection objects to scopes.
Collections
You can use collections to implement security
for user and computer objects separately from
other securable objects in Configuration Manager.
Administrative users must have collections
assigned to them to be able to manage the user
or device objects that those collections include.
If you assign either of the following built-in, read-only root collections to an administrative user, they
have administrative rights to all users and devices in the hierarchy:
• All Systems. This collection contains all devices discovered in a Configuration Manager hierarchy.
• All Users and User Groups. This collection contains all discovered users and user groups.
• The All Users and User Groups collection has 1,000 users.
• The All Systems collection has 1,000 computers.
If you assign a user a security role that allows creating collections, the user can create new collections
where the limiting collection is one of the Toronto-based collections. The members of the new collections,
therefore, are a subset of one of the Toronto-based collections to which the user has been assigned a
security role.
• Collections control the users and devices that an administrative user can manage.
• You must assign an administrative user to at least one security scope.
• You can map each administrative user to separate security scopes and collections.
Question: How would you plan security roles, security scopes, and collections for a scenario in which you
are managing a remote location with local administrative users who:
• Need to be able to deploy applications, create collections for their users and devices, and run queries
and reports about their users.
You need to plan for security roles, security scopes, and collections. Assume that corresponding security
groups in AD DS exist.
London Admins
Toronto Admins
Lesson 2
Identifying IT Roles in Your Organization
Organizations can have a variety of IT department structures with diverse sets of roles and responsibilities.
Role-based administration accommodates the various security models that organizations might use.
This lesson examines the process of identifying the roles and responsibilities in an IT department, and it
explores the process of matching those roles and responsibilities to the security roles that Configuration
Manager includes.
Lesson Objectives
After completing this lesson, you will be able to:
• Server administrators, who manage the server infrastructure of a Configuration Manager site.
• Desktop administrators and server administrators, who administer the desktops, deploy software
updates, and deploy operating systems.
• Security and audit personnel, who administer security and perform audits, such as software-update
compliance audits.
• Asset management personnel, who perform asset inventory for hardware and software.
Note: The roles in the list above are examples only. The actual roles that your organization
uses may vary.
• Determine whether the Configuration Manager built-in roles allow you to perform the actions on
specific objects that each job role requires.
Question: What is the next step you should take after identifying your organization’s roles?
To determine whether you need to use security scopes in your organization, first determine whether you
need to:
Question: How can you determine whether you need to create custom scopes?
If different administrative users need to manage users and devices in each of these segments, then you
should create custom collections.
Note: Collections are discussed in more detail in Module 2, “Discovering and Organizing
Resources” in course 10747D: Administering System Center 2012 R2 Configuration Manager.
Question: How can you determine whether you need to create custom collections?
• Using one built-in role for users, and using scopes or collections to limit user access to objects.
For example, say one administrative user in your organization performs application deployments on
desktops, while another administrative user performs application deployments on servers. You can assign
the Application Deployment Manager role to both users, and then limit their access to objects by:
• Placing different objects in scopes to which you give the administrative users permission.
For example, you might try to map the typical IT department to the built-in Configuration Manager
security roles, which the following table describes.
Note: In some organizations, a desktop administrator may perform the same tasks that
the Endpoint Protection Manager role performs. However, in other organizations, a security
administrator may perform these tasks.
Question: Which job role in your organization is performing the tasks that the Endpoint Protection
Manager role specifies?
• Security roles that provide permissions to perform specific tasks on various types of objects.
• Security scopes that might limit administrative access to specific object instances.
• User or device collections that might limit administrative access to specific user or device resources.
Note: When you associate an administrative user with multiple security scopes, you
are granting that administrative user access to all object instances from each assigned scope. That
administrative user can perform all actions that their associated roles permit on all the object
instances associated with the assigned scopes. In other words, scopes are cumulative.
Custom roles
Custom scopes
Custom collections
London Admins
Toronto Admins
Review Questions
Question: When would you need to create custom roles in a Configuration Manager implementation?
Question: When would you need to create custom scopes in a Configuration Manager implementation?
Question: When would you need to create custom collections in a Configuration Manager
implementation?
Lesson 3
Configuring Role-Based Administration
After determining the security roles that your organization uses, the next step in securing your
Configuration Manager environment is to implement those roles in Configuration Manager. Depending
on your requirements, you may need to create custom security roles and scopes.
This lesson examines the process of creating custom security roles and scopes. Additionally, this lesson
covers how to associate administrative users with roles, scopes, and collections.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the process for adding administrative users to the security roles.
3. You can specify individual permissions in the Customize the permissions for this copy of the security
role area by expanding each object type and then clicking Yes or No next to each individual
permission.
Because security roles are global data, any custom security roles that you create will be replicated to all of
the sites in your Configuration Manager hierarchy.
You can export your custom security role configurations by clicking the Export Security Role button on
the ribbon. Then the role definition is saved as an XML file that you can import into another Configuration
Manager environment or use to restore permissions after a site recovery.
Question: How can you create a custom security role?
4. Next to User or group name, click the Browse button to select the user or group from AD DS.
5. To associate one or more Configuration Manager roles with the administrative user or group, under
Assigned security roles, click the Add button, and then select the role.
6. In the Assigned security scopes and collections area, select one of the following options:
o All instances of the objects that are related to the assigned security roles. This option
associates the administrative user with:
The All security scope.
The root-level built-in collections for All Systems, and All Users and User Groups.
Choosing the All instances of the objects that are related to the assigned security roles
option defines access to objects only by the security roles assigned to the user. Use this
approach sparingly because it enables users to manage all objects. You can use the principle
of least privilege by limiting users’ access to objects with security scopes and collections.
o Only the instances of objects that are assigned to the specified security scopes or
collections. Use this option to associate individual scopes and collections with the administrative
user or group.
A best practice is to use groups when you need to assign the same security roles, scopes, and collections
to multiple administrative users, rather than adding each administrative user to a role individually.
All securable objects in Configuration Manager are associated by design with the All built-in security
scope. Administrative users whom you associate with this scope can manage all objects in Configuration
Manager, limited only by the permissions assigned to their associated security
roles. You can limit administrative users’ access to specific instances of objects by removing the All scope
and adding more specific scopes. Similarly, if you want to limit administrative users’ access to specific user
and group resources, you must remove the All Systems and All Users and User Groups collections from
the list, and then add more restrictive collections.
Question: How do administrative users obtain permissions to individual object instances in Configuration
Manager?
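The following added example (not from the course and not Configuration Manager code) models how security roles, security scopes, and collections combine, including the cumulative-scope behavior and the reach of the All scope and the root collections described above. The role definitions, object names, device names, and the audit function are constructed for illustration.

```python
from dataclasses import dataclass

ALL_SCOPE = "All"
ROOT_COLLECTIONS = {"All Systems", "All Users and User Groups"}
# Permission names as listed on this page.
PERMISSIONS = {"Approve", "Create", "Delete", "Modify", "Modify Folder",
               "Move Object", "Read", "Modify Report"}

# Constructed roles: object type -> permissions granted on that type.
ROLES = {
    "London App Author": {"Application": {"Read", "Create", "Modify", "Delete"}},
    "Boundary Reader": {"Boundary group": {"Read"}},
    # Simplified stand-in for a role that grants everything on the modelled types.
    "Full Administrator (stand-in)": {"Application": PERMISSIONS, "Boundary group": PERMISSIONS},
}


@dataclass(frozen=True)
class SecurableObject:
    name: str
    obj_type: str
    scopes: frozenset

    def effective_scopes(self):
        # Every securable object is also associated with the built-in All scope.
        return self.scopes | {ALL_SCOPE}


@dataclass
class AdminUser:
    name: str
    is_group: bool
    roles: list
    scopes: set
    collections: set


def permissions_for(admin, obj_type):
    """Union of what all assigned roles grant on one object type."""
    granted = set()
    for role in admin.roles:
        granted |= ROLES[role].get(obj_type, set())
    return granted


def can_act(admin, permission, obj):
    """A role must grant the permission AND the object must be in an assigned scope."""
    in_scope = bool(obj.effective_scopes() & admin.scopes)
    return in_scope and permission in permissions_for(admin, obj.obj_type)


def can_manage_resource(admin, resource, membership):
    """Users and devices are not scoped; access comes from assigned collections."""
    return any(resource in membership.get(c, set()) for c in admin.collections)


def effective_grants(admin, objects):
    """Every (permission, object) pair actually held: all roles across all scopes."""
    return {(p, o.name) for o in objects
            for p in permissions_for(admin, o.obj_type) if can_act(admin, p, o)}


def audit(admins):
    """Flag assignments that bypass scope or collection limits."""
    findings = []
    for a in admins:
        if ALL_SCOPE in a.scopes:
            findings.append((a.name, "All scope assigned: every object instance is in reach"))
        roots = sorted(a.collections & ROOT_COLLECTIONS)
        if roots:
            findings.append((a.name, "root collection(s) assigned: " + ", ".join(roots)))
        if not a.is_group:
            findings.append((a.name, "individual account rather than an AD DS security group"))
    return findings


# Constructed sample data.
OBJECTS = [
    SecurableObject("London Office App", "Application", frozenset({"London"})),
    SecurableObject("Toronto Office App", "Application", frozenset({"Toronto"})),
    SecurableObject("Toronto Clients", "Boundary group", frozenset({"Toronto"})),
    SecurableObject("Payroll App", "Application", frozenset({"Default"})),
]
MEMBERSHIP = {"All Systems": {"LON-CL1", "TOR-CL1"}, "London Devices": {"LON-CL1"}}

london = AdminUser("ADATUM\\London Application Admins", True,
                   ["London App Author", "Boundary Reader"],
                   {"London", "Toronto"}, {"London Devices"})
full_admin = AdminUser("ADATUM\\Administrator", False,
                       ["Full Administrator (stand-in)"],
                       {ALL_SCOPE}, set(ROOT_COLLECTIONS))

if __name__ == "__main__":
    for grant in sorted(effective_grants(london, OBJECTS)):
        print(grant)
    for finding in audit([london, full_admin]):
        print(finding)
```

The Toronto scope may have been added to the London group only so that it could read boundary groups, yet the group can also delete Toronto applications, because each role applies in every assigned scope.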
Demonstration Steps
1. In the Configuration Manager console, in the Administration workspace, under the Security node,
select Security Roles.
2. Select an existing security role, such as the Application Administrator, to use as the source for the
new security role, and then on the ribbon, click Copy.
3. In the Copy Security Role dialog box, perform the following configurations:
o In the Name box, type a name for the new custom security role.
o Under Permissions, expand each node to display the existing permission settings, click the drop-
down list next to the setting, and then select either Yes or No.
5. In the Configuration Manager console, in the Administration workspace, under the Security node,
select Security Scopes.
7. In the Create Security Scope dialog box, type a name for the new security scope.
Objectives
Objectives covered in the lab:
Lab Setup
Estimated Time: 20 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-B, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
2. In the Configuration Manager console, in the Administration workspace, expand the Security node,
and then click the Security Roles node.
3. Review the list of roles available in the results pane. Note that there are 15 built-in roles.
4. Under the Security Scopes node, review the list of scopes available in the results pane. Note there
are two built-in scopes: All and Default.
5. Under the Administrative Users node, select ADATUM\Administrator, and then review the
information in the preview pane. By default, the user who performed the Configuration Manager
setup is assigned the Full Administrator role, the All security scope, and the All Systems and All
Users and User Groups collections.
• On the Administrative Users tab, note there are no users associated with this role. Additionally,
note that you cannot add users from this property window.
• On the Permissions tab, examine the permissions associated with this role. Expand each
category, and then review the individual permissions. Note that you cannot modify the
permissions for built-in roles.
3. Close the Application Administrator Properties dialog box.
Results: By the end of this exercise, you should have reviewed the built-in roles, including their associated
permissions, and the built-in security scopes.
5. Add a new group of administrative users, and then assign a custom role and a custom scope.
Task 1: Create a new user and group for application administrators, and then add the
user to the group
1. On LON-DC1, start the Active Directory Users and Computers console.
2. In the Active Directory Users and Computers console, create a new user in the Users container, with
the following attributes:
o First name and User logon name: LondonAdmin
o Clear the User must change password at next logon check box.
3. In the Active Directory Users and Computers console, create a new group in the Users container,
named London Application Admins.
4. Access the properties of the London Application Admins group, and add the LondonAdmin user
account as a member.
3. Under the Distribution Points node, select LON-CFG.ADATUM.COM, and then on the ribbon, click
Set Security Scopes.
4. Assign the London security scope to the distribution point.
Note: Do not remove the Default scope from the distribution point.
o Create a Direct Rule and search for System Resources with a name like LON%.
3. In the Copy Security Role dialog box, use the following settings to create a new role:
o In the Permissions box, configure the following permissions by expanding each permission
group and selecting Yes next to each individual permission:
All permissions under Software Update Group
All permissions under Software Update Package
All permissions under Software Updates
Task 5: Add a new group of administrative users, and then assign a custom role and a
custom scope
1. In the Configuration Manager console, under the Security node, click the Administrative Users
node.
2. On the ribbon, click Add User or Group. Use the following information to configure the new
administrative group:
o Click Browse to select the London Application Admins group.
o Verify that the Only the instances of objects that are assigned to the specified scopes or
collections option is selected.
o Remove the existing collections and security scope.
o Add the London Servers collection by selecting Device Collections in the Select Collections
dialog box.
3. In the Configuration Manager console, click Adatum\London Application Admins, and then review
the information from the preview pane.
4. Close the Configuration Manager console.
Note: The users added to the London Application Admins group will have access only to
the Configuration Manager objects associated with the London scope and resources in the
London Servers collection.
Results: By the end of this exercise, you should have created a custom security scope, a custom collection,
and a custom security role.
1. Start the Configuration Manager console by using the London application administrator account.
Task 1: Start the Configuration Manager console by using the London application
administrator account
1. On LON-CFG, press the Shift key, and in the Start menu, right-click Configuration Manager
Console, and then select Run as a different user.
2. Use LondonAdmin with the password Pa$$w0rd as credentials for the Configuration Manager
console.
2. Under the Devices node, verify that you can see only the resources associated with your collection.
3. In the Administration workspace, under the Distribution Points node, verify that you can see the
LON-CFG.ADATUM.COM server.
4. Under the Security node, verify that you do not have access to the Administrative Users, Security
Roles, or Security Scopes nodes.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-B, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: By the end of this exercise, you should have tested the new role permissions.
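The checks that Exercise 3 performs by hand follow from how a role, a security scope and a collection combine for an administrative user. The following Python model is an added example, not part of the course material or of Configuration Manager itself; it assumes a reduced permission map (Read and Modify per object type), and the NYC objects and the Default-scope administrator are constructed for illustration. It also shows what the Default scope on LON-CFG.ADATUM.COM provides to administrators who hold only that scope.

```python
from dataclasses import dataclass, replace

# Object types that carry no security scope: the role alone decides access.
UNSCOPED_KINDS = {"Security Roles", "Security Scopes", "Administrative Users"}
# Resources are limited by collection membership rather than by security scope.
RESOURCE_KINDS = {"Device", "User"}


@dataclass(frozen=True)
class Obj:
    name: str
    kind: str
    scopes: frozenset = frozenset()        # scopes set on a securable object
    collections: frozenset = frozenset()   # collections a resource belongs to


@dataclass(frozen=True)
class Admin:
    name: str
    permissions: dict                      # object type -> operations granted by the role
    scopes: frozenset
    collections: frozenset


def allowed(admin, operation, obj):
    """True only when role, scope and collection all admit the operation."""
    if operation not in admin.permissions.get(obj.kind, ()):
        return False                       # the role does not grant it at all
    if obj.kind in UNSCOPED_KINDS:
        return True
    if obj.kind in RESOURCE_KINDS:
        return bool(admin.collections & obj.collections)
    # A securable object is reachable through any one of the scopes set on it.
    return "All" in admin.scopes or bool(admin.scopes & obj.scopes)


def visible(admin, objects):
    """Names of the objects the administrative user can read, sorted."""
    return sorted(o.name for o in objects if allowed(admin, "Read", o))


def without_scope(obj, scope):
    """Copy of obj with one security scope removed."""
    return replace(obj, scopes=obj.scopes - {scope})


# Assumed permission maps (not the product's full permission list).
FULL_ADMINISTRATOR = {kind: {"Read", "Modify"} for kind in (
    "Application", "Distribution Point", "Device", "Software Updates",
    "Security Roles", "Security Scopes", "Administrative Users")}
# Copy of Application Administrator plus the software update permissions from the lab.
APPS_AND_UPDATES_ADMIN = {
    "Application": {"Read", "Modify"},
    "Software Updates": {"Read", "Modify"},
    "Distribution Point": {"Read"},
    "Device": {"Read"},
}

OBJECTS = [
    Obj("LON-CFG.ADATUM.COM", "Distribution Point", scopes=frozenset({"Default", "London"})),
    Obj("NYC-DP1 (constructed)", "Distribution Point", scopes=frozenset({"Default"})),
    Obj("LON-CFG", "Device", collections=frozenset({"All Systems", "London Servers"})),
    Obj("NYC-CL1 (constructed)", "Device", collections=frozenset({"All Systems"})),
    Obj("Security Roles node", "Security Roles"),
]

ADMINISTRATOR = Admin("ADATUM\\Administrator", FULL_ADMINISTRATOR,
                      frozenset({"All"}),
                      frozenset({"All Systems", "All Users and User Groups"}))
LONDON_ADMINS = Admin("ADATUM\\London Application Admins", APPS_AND_UPDATES_ADMIN,
                      frozenset({"London"}), frozenset({"London Servers"}))
# Hypothetical administrator limited to the Default scope (not in the lab).
DEFAULT_SCOPE_ADMIN = Admin("Default-scope admin (constructed)", APPS_AND_UPDATES_ADMIN,
                            frozenset({"Default"}), frozenset({"All Systems"}))

if __name__ == "__main__":
    for admin in (ADMINISTRATOR, LONDON_ADMINS, DEFAULT_SCOPE_ADMIN):
        print(f"{admin.name}: {visible(admin, OBJECTS)}")
    dp_london_only = without_scope(OBJECTS[0], "Default")
    print("Default-scope admin still sees the DP after Default is removed:",
          allowed(DEFAULT_SCOPE_ADMIN, "Read", dp_london_only))
```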
Question: What are the differences between the Application Administrator role and the
Software Update Manager role?
Question: What was the purpose of creating the Applications and Updates Administrator
custom role?
Question: What was the purpose of creating the London security scope?
Question: How can you assign multiple security permissions to an administrative user?
Question: How can you limit an administrative user’s access to specific instances of objects
and resources?
Module 4
Planning and Deploying a Multiple-Site Hierarchy
Contents:
Module Overview
Module Overview
You can implement Microsoft® System Center 2012 Configuration Manager to accommodate the
requirements of a multiple-site hierarchy. For example, you can deploy to larger numbers of clients and
distributed administrative teams, and regulate the distribution of content.
In this module, you will review the criteria for installing a multiple-site hierarchy and learn about the
characteristics of the central administration site. You will also perform an installation of a multiple-site
hierarchy including the central administration site, multiple primary sites, and a secondary site.
Objectives
After completing this module, you will be able to:
• Describe the Configuration Manager 2012 hierarchy model, types of sites, and when to use each site
type.
Lesson 1
Planning a Configuration Manager 2012 Multiple-Site
Hierarchy
The System Center 2012 Configuration Manager hierarchy model accommodates a large variety of
deployment scenarios. In addition, it is a simpler hierarchy model than the one presented in Configuration
Manager 2007.
In this lesson, you will review the following types of sites, which you can implement in Configuration
Manager:
Lesson Objectives
After completing this lesson, you will be able to:
• Primary site. Primary sites are located in the middle tier of the hierarchy. You use them to manage
clients directly. Primary sites in the Configuration Manager 2012 hierarchy serve the same purpose as
they do in Configuration Manager 2007. The major difference between primary sites in Configuration
Manager 2007 and Configuration Manager 2012 is the relationships they can have with other sites.
Unlike primary sites in Configuration Manager 2007, a primary site in Configuration Manager 2012
cannot be a child of another primary site; it can be a child of only the central administration site. A
primary site can have only secondary sites as child sites. Once you install them in a hierarchy, you
cannot change them to stand-alone primary sites.
• Secondary site. Secondary sites are located at the bottom tier of the hierarchy. Secondary sites are
optional and you can use them to manage the transfer of client data and deployments across low
bandwidth networks. A management point and a distribution point are installed automatically with
each secondary site. A secondary site can be a child site of only a primary site, not a central
administration site.
Administrators in the central administration site can view and manage all the objects in the hierarchy and
can configure hierarchy-wide settings.
Beginning with System Center 2012 Configuration Manager Service Pack 1 (SP1), you can join an
existing stand-alone primary site to a hierarchy at the time when you install the central administration
site. You can migrate additional existing stand-alone primary sites into the new hierarchy. The central
administration site must be the first site in the hierarchy in System Center 2012 Configuration Manager
and older versions.
Primary Site
Primary sites provide the following functionality in a hierarchy:
• Increased number of clients that Configuration Manager 2012 can manage in the hierarchy
Secondary Site
Secondary sites provide the following functionality:
• Management of the transfer of client data up the hierarchy across low bandwidth networks, without
the overhead of a primary site
• Management of the transfer of content down the hierarchy across low bandwidth networks, without
the overhead of a primary site
Secondary Site
If you want to control upward network traffic
from remote clients to the primary site, you must
install a secondary site in the remote location.
When planning for installing a secondary site, you
should consider the following:
• You must use a computer running a supported version of a server operating system, such as Windows
Server® 2008 R2. You cannot install the secondary site role on desktop operating systems.
• You must locate the site database on the same server as the secondary site server. You can install any
supported Microsoft SQL Server® version. If you do not install SQL Server in advance, the setup
process installs Microsoft SQL Server 2012 Express.
• When you install a secondary site, the setup process automatically installs a management point and
distribution point on the site server.
• Secondary sites support only a limited number of Configuration Manager roles. The following roles
are supported:
o Distribution point. You can install additional distribution points in a secondary site. Each
secondary site supports up to 250 distribution points and each distribution point can support up
to 4,000 clients.
o Management point. You can have only a single management point in a secondary site and you
must install it on the secondary site server.
o Software update point. When data transfer across the network is slow, you can install a software
update point in a secondary site if you want to perform software update management in the
remote site.
o State migration point. When data transfer across the network is slow, you can install a state
migration point in a secondary site if you want to perform user state migration during operating
system deployment in the remote site.
Distribution Point
Depending on the number of clients and the available bandwidth for the network connection to a remote
physical location, you might find it more efficient to use a distribution point to support clients in a remote
location, instead of a secondary site. If any of the following conditions apply, you may want to consider
using a local distribution point:
• You want to use multicast to deploy operating systems to computers at the remote location. Multicast
functionality is built into the distribution point role. When planning to use multicast for deployment,
you only need to consider using a distribution point.
• You want to stream virtual applications to computers at the remote location. You can stream
applications from a distribution point.
BranchCache
BranchCache is a feature included in Windows Server 2008 R2 and newer operating systems. You use
BranchCache to distribute content using peer-to-peer technology. Typically, you use BranchCache with
clients that are connected to the distribution points via a high latency WAN connection. When one client
finishes downloading all of the content, the remaining clients in the remote location will copy the content
from a peer client. You can configure BranchCache settings on a deployment type, for applications, and
on the deployment, for a package.
• Clients must run one of the following compatible operating systems configured in BranchCache
distributed cache mode:
o Windows® 7
o Windows Server 2008 with KB960568 installed
o Windows 8
o Windows 8.1
Multiple-Site Hierarchy
A multiple-site hierarchy is a more complex model to implement due to the additional servers and roles
included. Before deciding to create a multiple-site hierarchy, you must analyze your environment and
determine whether a stand-alone primary site can meet your requirements.
• You have more clients than a stand-alone primary site can manage. A stand-alone primary site can
support up to 100,000 clients. A multiple site hierarchy can support up to 400,000 clients.
• You have remote administrative teams that require local administration of their Configuration
Manager environment.
• You have 5,000 or more remote locations that you cannot accommodate by using a stand-alone
primary site and secondary sites.
• A. Datum has 500 office locations across North America with a total of 50,000 clients. Each office
contains between 50 and 1,000 clients.
• There are international offices in London and Paris with a total of 30,000 clients.
Office Location | Number of workstations | Network bandwidth
A. Datum wants to implement System Center 2012 Configuration Manager to administer its workstations
in a centralized way.
A team of 40 full-time administrators manages the company data center in New York. The administrators
in New York are providing support for all the locations in North America, including Toronto. A small data
center is located in Toronto and is administered remotely from New York. The data center for Europe is
located in London and has a dedicated team of 15 administrators. They manage all of the resources in the
London and Paris offices.
You need to choose which hierarchy model to implement. Use the following questions to help you choose
the most appropriate implementation model.
Location | Site type | Administered by | Managing clients from | Distribution point
Lesson 2
Deploying a Configuration Manager 2012 Site
When planning for a Configuration Manager deployment, you should take into consideration the
supported number of sites and site systems and the maximum number of supported clients. You should
also consider the existing network environment and the Configuration Manager 2012 design you will
implement to accommodate multiple domains or forests.
When deploying a multiple-site Configuration Manager 2012 hierarchy, you should install the sites in
a specific order, starting with the central administration site, and then continuing with the primary and
secondary sites. In Configuration Manager 2012 SP1 and later versions, you can install a single primary
site before installing the central administration site. You can also install a central administration site and
expand one primary site into the hierarchy. You can install additional site systems at any time after you
install the site servers.
You must select the appropriate setup options when installing the sites in an existing hierarchy, and use
the appropriate resources to validate a successful installation.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the maximum limits for a Configuration Manager 2012 hierarchy.
• Support up to 400,000 clients in the hierarchy when using SQL Server Enterprise Edition for the site
database.
• Support up to 50,000 clients in the hierarchy when using SQL Server Standard Edition for the site
database.
These limitations are due to the partitioning of the site database. If you install the central administration
site by using SQL Server Standard Edition, and then upgrade to SQL Server Enterprise Edition, the
database is not repartitioned and these limitations remain in effect.
Primary Sites
You use primary sites to manage clients. Each primary site can accommodate up to 50,000 or 100,000
clients, depending on whether SQL Server is co-located on the site server or is installed on a separate
computer. However, the number of clients that a primary site supports is still limited to 50,000 if the
central administration site uses SQL Server Standard Edition. A primary site will:
• Support up to 5,000 distribution points. This total includes all distribution points at the primary site
and all distribution points that belong to the primary site’s child secondary sites.
• Support up to ten management points. Each primary site management point can support up to
25,000 computer clients. To support 100,000 clients you must have at least four management points.
When you have more than four management points in a primary site, the supported client count of
the primary site does not increase beyond 100,000. Instead, any additional management points
provide redundancy for communications from the clients.
• Support up to 50,000 clients when SQL Server is co-located on the site server.
• Support up to 100,000 clients when SQL Server is installed on a separate computer from the site
server.
Secondary Sites
You can use secondary sites to manage the upward traffic from the clients in a remote location to the
primary site server. You can also use a secondary site to increase the total number of distribution points
that can be installed on a primary site. A secondary site will:
• Support up to 250 distribution points. Each distribution point can support up to 4,000 clients,
depending on the type of content you are distributing.
• Support a single management point located on the site server.
• Support SQL Server Express 2012 in addition to the other supported SQL Server versions for the site
database. You can install SQL Server on the same computer as the secondary site server if you do not
want to use SQL Server Express.
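The limits and parent-child rules in this module can be applied to a proposed design as a set of checks. The following Python validator is an added example, not part of the course material; the site codes and counts in DESIGN are constructed to exercise the checks and are not the course's answer to the A. Datum scenario.

```python
from dataclasses import dataclass
from typing import Optional

# Limits as stated in this module.
MP_CLIENTS = 25_000                                # clients per primary-site management point
PRIMARY_MAX_MPS = 10
PRIMARY_MAX_DPS = 5_000                            # includes DPs at child secondary sites
PRIMARY_CLIENTS = {False: 50_000, True: 100_000}   # key: SQL Server on a separate computer?
SECONDARY_MAX_DPS = 250
HIERARCHY_CLIENTS = {"enterprise": 400_000, "standard": 50_000}  # key: CAS SQL edition
ALLOWED_PARENT = {"cas": {None}, "primary": {None, "cas"}, "secondary": {"primary"}}


@dataclass
class Site:
    code: str
    kind: str                       # "cas", "primary" or "secondary"
    parent: Optional[str] = None
    clients: int = 0                # clients assigned to the site (primary sites only)
    mps: int = 0                    # management points
    dps: int = 0                    # distribution points
    sql_remote: bool = False
    sql_edition: str = "standard"   # only read for the central administration site


def validate(sites):
    """Return a list of violations; an empty list means the design fits the limits."""
    by_code = {s.code: s for s in sites}
    cas = next((s for s in sites if s.kind == "cas"), None)
    problems = []
    for s in sites:
        parent = by_code.get(s.parent) if s.parent else None
        if s.parent and parent is None:
            problems.append(f"{s.code}: unknown parent {s.parent}")
            continue
        parent_kind = parent.kind if parent else None
        if parent_kind not in ALLOWED_PARENT[s.kind]:
            problems.append(f"{s.code}: a {s.kind} site cannot have parent type {parent_kind}")
        if s.kind == "primary":
            cap = PRIMARY_CLIENTS[s.sql_remote]
            if cas and cas.sql_edition == "standard":
                cap = min(cap, HIERARCHY_CLIENTS["standard"])
            if s.clients > cap:
                problems.append(f"{s.code}: {s.clients} clients exceeds the primary site limit of {cap}")
            if s.mps > PRIMARY_MAX_MPS:
                problems.append(f"{s.code}: {s.mps} management points exceeds {PRIMARY_MAX_MPS}")
            if s.clients > s.mps * MP_CLIENTS:
                problems.append(f"{s.code}: {s.mps} management points support at most "
                                f"{s.mps * MP_CLIENTS} clients")
            total_dps = s.dps + sum(c.dps for c in sites
                                    if c.kind == "secondary" and c.parent == s.code)
            if total_dps > PRIMARY_MAX_DPS:
                problems.append(f"{s.code}: {total_dps} distribution points exceeds {PRIMARY_MAX_DPS}")
        elif s.kind == "secondary":
            if s.mps != 1:
                problems.append(f"{s.code}: a secondary site has a single management point")
            if s.dps > SECONDARY_MAX_DPS:
                problems.append(f"{s.code}: {s.dps} distribution points exceeds {SECONDARY_MAX_DPS}")
        elif s.kind == "cas" and s.clients:
            problems.append(f"{s.code}: clients cannot be assigned to the central administration site")
    if cas:
        total = sum(s.clients for s in sites if s.kind == "primary")
        limit = HIERARCHY_CLIENTS[cas.sql_edition]
        if total > limit:
            problems.append(f"hierarchy: {total} clients exceeds {limit} for a "
                            f"{cas.sql_edition} edition central administration site database")
    return problems


# Constructed design: 50,000 clients under one primary, 30,000 under another.
DESIGN = [
    Site("CAS", "cas", sql_edition="enterprise"),
    Site("NYC", "primary", parent="CAS", clients=50_000, mps=2, dps=400, sql_remote=True),
    Site("LON", "primary", parent="CAS", clients=30_000, mps=2, dps=20),
    Site("TOR", "secondary", parent="NYC", mps=1, dps=5),
]

if __name__ == "__main__":
    for line in validate(DESIGN) or ["design fits the documented limits"]:
        print(line)
```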
Note: Before upgrading from Configuration Manager with no service pack to Configuration
Manager SP1, you must remove NLB from your active software update point. After the upgrade is
complete, you can reconfigure NLB by using Windows PowerShell®.
Application Catalog Website Point and Application Catalog Web Service Point
Each instance of this site system role supports up to 400,000 clients, providing service for the entire
hierarchy. You can install multiple instances of the Application Catalog website point at the primary sites.
For improved performance, you should plan to support up to 50,000 clients per instance.
To support domain computers in a forest that your site server’s forest does not trust, you can install the
appropriate site system roles in that untrusted forest. In addition, you have the option to publish site
information to that Active Directory forest. When you install site system servers in the client’s forest, the
client-to-server communication takes place within the client’s forest and the remote site system role can
authenticate the computer using Kerberos. When planning to deploy to an untrusted forest, consider the
following:
• When you publish site information to the client’s forest, clients can retrieve site information, such as
a list of available management points, from their Active Directory forest rather than downloading this
information from their assigned management point. You cannot install the out of band service point
and the Application Catalog web service point in an untrusted forest. You can install them only in the
same forest as the site server. The same restriction applies for the site database, which you must install
in the same forest as the site server.
• When you specify a computer to be a site system server, you must specify the Site System Installation
Account. This account must have local administrative credentials to systems that it connects to, so
that it can then install the site system roles on the specified computer.
• When you install a site system role in an untrusted forest, you must select the Require the site server
to initiate connections to this site system option. This configuration enables the site server to establish
connections to the site system server to transfer data to and from the site system server. This prevents
the site system server in the untrusted location from initiating contact with the site server in your
trusted network. The connection uses the Site System Installation Account that you use to install the
site system server.
• The management point and enrollment point site system roles connect to the site database. By
default, when you install these site system roles, Configuration Manager configures the computer
account of the new site system server as the connection account and adds the account to the
appropriate SQL Server database role. When you install these site system roles in an untrusted
forest, you must configure the site system role connection account to enable the site system role to
obtain information from the database. If you configure a domain user account for these connection
accounts, ensure that the account has appropriate access to the SQL Server database for that site.
The following roles are supported and require that you configure the associated database connection
account:
o Management point: Management Point Connection Account
To support computers in a workgroup that use HTTP client connection to site system roles, you must
approve them manually. This is because Configuration Manager cannot authenticate these computers
by using Kerberos. In addition, you must configure the Network Access Account, regardless of the HTTP
or HTTPS configuration, so that these computers can retrieve content from distribution points. Because
workgroup clients cannot retrieve site information from AD DS, you must provide an alternative
mechanism for these clients to find the management points. You can use Domain Name System (DNS)
publishing or Windows Internet Name Service (WINS), or assign a management point directly. You can
also use Internet-based client management and public key infrastructure–issued (PKI-issued) certificates to
enable management of clients in an untrusted forest or in a workgroup.
• Run the Secondary Site Installation Wizard from the primary site. You can select whether to use an
existing instance of SQL Server on the secondary site server or install SQL Server Express.
o When they are part of a hierarchy, some roles cannot be installed in all sites. You will learn which
roles are available later in this module.
o For specific roles, you may be able to install only a single instance of the role. For example, there
can be only a single instance of the Asset Intelligence synchronization point, and you must install
this role at the top-level site in the hierarchy.
Beginning with Configuration Manager 2012 SP1, you can expand an existing primary site into a
hierarchy after you install the primary site. For example, if you have deployed a single primary site and
your organization later enlarges, you can expand the primary site into a hierarchy without losing any data.
The process for doing this is similar to the process for deploying a multisite hierarchy as described above.
• Install Configuration Manager 2012 as a central administration site. During the installation process,
you specify the site that you are expanding into the hierarchy.
Before running the System Center 2012 R2 Configuration Manager Setup Wizard, you must spend time
planning the process. You will need to make the following decisions:
• Will you install a Configuration Manager primary site or a Configuration Manager central
administration site? Typically, when you install a multisite hierarchy, you start with the central
administration site. Once you have installed the central administration site, you can continue
building the hierarchy by installing the primary sites. Alternatively, you can start with a primary site
and expand it into a new hierarchy later. However, you can only expand a single stand-alone site into
a hierarchy.
• Will you choose Prerequisite downloads, Download required files, or Use previously downloaded
files? You will see these options after you advance through the licensing pages in the System Center
2012 R2 Configuration Manager Setup Wizard. If you have not downloaded the prerequisite files
previously, you must do so at this time. When you deploy multiple sites, the files should be stored in a
central location available to each server where you are deploying Configuration Manager 2012.
• Are you supporting additional languages? You can install language support for both the server and
clients separately. If you need to support additional client languages, you specify them during the site
installation, or you can specify additional languages later. If you are expanding an existing primary
site into a hierarchy, during the central administration site installation, you should specify the same
client languages supported in the existing primary site. If you do not install client language support
for a language supported in the existing primary site, Setup will remove support for that language.
• What will you choose for the Site code, Site name, and Installation folder? The next decision point is on
the Site and Installation settings page of the wizard. The site code and site names must be unique and
cannot be changed without reinstalling.
• Will you install a central administration site as the first site in a new hierarchy, or expand an existing
stand-alone primary into a hierarchy? When you install a central administration site, you have the
following options:
o Expand an existing primary site into a hierarchy as a child of the central administration site that
you are installing.
• Will you join the primary site to an existing hierarchy or install the primary site as a stand-alone site?
When you install a primary site, you have the following options:
• Will you use a local or remote SQL Server? System Center 2012 R2 Configuration Manager requires
a SQL Server to host the databases that the site uses. The SQL Server installation can be on the same
server as the Configuration Manager server or on a remote server. Additionally, during the installation
process you can specify the location for the SQL Server database files.
• Where will the SMS Provider be located? The SMS Provider provides a communication layer between
the management tools and the databases. Typically, the Configuration Manager server is also the SMS
Provider. However, you can choose to install the SMS Provider on a separate server.
• What communications methods will you use? When you install a primary site, you must decide
whether the clients will communicate using HTTP or HTTPS. If you are going to use HTTPS, you
should have installed the appropriate certificate already. If you have not installed an appropriate
certificate, you should install the primary site by using HTTP communication and configure HTTPS
communication as soon as you acquire an appropriate certificate. This setup option is not available
for a central administration site since it does not support clients directly.
A status of OK verifies that the site and the site components are functioning normally. If the status
displays as warning or critical, you will need to review the messages and troubleshoot the issues you
find.
2. Verify that the SMS_EXECUTIVE and SMS_SITE_COMPONENT_MANAGER services, and any other listed
Configuration Manager services except for the SMS_SITE_BACKUP service, are set to Automatic and
started in the Services console.
o ConfigMgrPrereq.log. Prerequisite Checker generates this log, whether you run it as stand-alone
or as part of Setup.
o ConfigMgrSetup.log. This is the primary setup log. View this log to identify whether any abnormal errors
were encountered during Setup.
o ConfigMgrSetupWizard.log. The Configuration Manager Setup Wizard generates this log.
o ConfigMgrAdminUI.log. The console installation generates this log. This is a separate log because
installing the console is not mandatory.
o SMS_BOOTSTRAP.log. This log is located on the intended secondary site server. It records
information about the progress of launching the secondary site installation process.
ConfigMgrSetup.log contains details of the actual setup process.
Lesson 3
Deploying the Central Administration Site
Typically, when implementing a hierarchy of multiple primary sites, the central administration site is the
first site you install. The central administration site is the hub of the entire hierarchy. You join primary sites
to it to build your hierarchy.
In this lesson, you will review the role of the central administration site in a multiple site hierarchy.
Lesson Objectives
After completing this lesson, you will be able to:
• Can be used to expand a primary site into a multisite hierarchy. When expanding a single stand-alone
primary site into a multisite hierarchy, you install the central administration site and specify the
primary site that you want to expand during installation.
• Cannot have clients assigned to it. You must have at least one primary site in the central
administration site’s hierarchy to manage clients.
• Does not process client data. Site data from clients is processed at primary sites, and then replicated
to the central administration site.
• Does not support all site system roles. You cannot install any of the roles related to client
management in the central administration site.
• Offloads administration and reporting from the primary sites. You can run reports that contain
consolidated information from all sites in the hierarchy.
• Participates in database replication with primary sites. The database replication is configured
automatically when installing a primary site as a child of the central administration site.
• Contains site data replicated from all the sites in the hierarchy. The central administration site
consolidates site data from all sites in the hierarchy.
• If you need to support more than 100,000 clients, you must have the central administration site and
multiple primary sites in the hierarchy. The central administration site can support up to 25 primary
sites.
• You can manage all clients in the hierarchy and perform site management tasks for any primary site
when you use a Configuration Manager console that is connected to the central administration site.
• The central administration site is the only place where you can view site data from all sites. This data
includes information such as inventory data and status messages.
• You can configure discovery operations throughout the hierarchy from the central administration site
by assigning discovery methods to run at individual sites.
• Although the central administration site does not support the distribution point role, you can create
content in the central administration site and distribute it to all sites in the hierarchy.
• Support multiple locations. A stand-alone primary site with remote distribution points or secondary
sites can span multiple locations.
• Manage clients. You can assign clients to only primary sites, not the central administration site.
Additionally, primary sites support the site system roles related to client management and the central
administration site does not.
• Decentralize administration for a primary site. You can use security roles and scopes to limit
administrative permissions to a subset of objects. The central administration site does not limit the
administrative permissions. Instead, it centralizes administration across multiple sites.
• Perform content routing. If you are using a stand-alone primary site, you can implement distribution
points or secondary sites to perform content routing.
In a merger or acquisition scenario, installing a central administration site will not offer an advantage over
a stand-alone primary site:
• If the second organization has deployed Configuration Manager 2007, you can use the migration
feature to migrate objects to the Configuration Manager 2012 hierarchy.
• If the second organization has deployed Configuration Manager 2007, you can use the Export and
Import functionality to copy objects between hierarchies.
• Beginning with Configuration Manager 2012 SP1, you can merge data from hierarchies that are on
the same version and service pack of Configuration Manager.
The following table lists the steps that the System Center 2012 Configuration Manager Setup Wizard
performs when installing the central administration site. The table also includes the information that you
supply for each step.
Product Key: Choose whether you want to install an evaluation version or provide a product key.
Microsoft Software License Terms: Read and accept the license terms to continue with the setup.
Prerequisite Licenses: Accept the licenses for the various prerequisite components to continue with the setup.
Server Language Selection: This page allows you to specify additional language packs to be downloaded and installed for the administration console and site servers.
Client Language Selection: Specify the additional language packs to be downloaded and installed for the Configuration Manager client.
Site and Installation Settings: There are several required settings on this page: site code, site name, and installation folder. You cannot change these settings later. Additionally, you can choose whether to install the Configuration Manager console on this page.
Central Administration Site Installation: You must choose between creating a new hierarchy and expanding an existing stand-alone primary site into a hierarchy. If you choose to expand an existing stand-alone primary site, you must specify the fully qualified domain name (FQDN) of the primary site.
Database Information: If necessary, enter the FQDN for the instance name of the SQL Server, the name of the Configuration Manager database, and the port you will use for SQL Server Service Broker.
Database Information: The wizard contains two database information pages. You must specify the installation paths for the SQL Server files on this page.
SMS Provider Settings: Enter the FQDN of the server that will host the SMS Provider. By default, this is installed on the site server.
Customer Experience Improvement Program Configuration: Select this option if you want to join the Customer Experience Improvement Program.
Settings Summary: Review your selections to determine whether you need to go back to make any changes.
Prerequisite Check: The Configuration Manager Setup Wizard launches Prerequisite Checker to evaluate the server readiness for hosting the selected roles. Once all the checks have finished, you can begin the installation.
• Endpoint Protection point. The Endpoint Protection point manages Endpoint Protection in your
hierarchy. Note that Endpoint Protection is a separate installation.
• Reporting services point. The reporting services point provides a location for running and viewing
reports. A reporting services point in the central administration site allows you to view reports
pertaining to all sites in the hierarchy.
• Software update point. You install a software update point at the top of the hierarchy to synchronize
with Microsoft updates. The software update points at primary sites will synchronize with the software
update point deployed in the central administration site.
• System Health Validator point. Network Access Protection (NAP) integrates with a Windows Network
Policy server to validate Configuration Manager NAP policies.
Note: You can install only one Asset Intelligence synchronization point and one Endpoint
Protection point in a hierarchy. You can install only these two roles in the top-level site in the
hierarchy.
Role-Based Administration
Role-based administration allows you to define the management security in Configuration Manager 2012.
You define role-based administration in the Administration workspace, under the Security node. You
apply role-based administration configurations at each site in a hierarchy. Role-based administration is
composed of three components–roles, scopes, and collections–that allow you to define management
rights for your hierarchy:
• Security roles. There are several built-in security roles, and you can create custom roles. Security roles
define what can be done to the various object classes defined in Configuration Manager.
• Security scopes. There are two built-in security scopes, and you can create custom scopes. The
security scope defines which objects an administrator can manage.
• Collections. You use collections to limit the users or computers that an administrative user can
manage.
When defining permissions for administrative users, you define their security roles and the objects
and collections that they will be able to access. By default, the user who installed the Configuration
Manager site has the Full Administrator role for all objects and collections. You add a user or group
in the Administrative Users node in the Security folder. When you add a user or group, you can assign
one or more roles, one or more defined security scopes, and one or more collections that the user or
group can manage.
Expanding a stand-alone primary site into a multisite hierarchy adds one step to the central
administration site installation. During the installation process, you specify the stand-alone site that you
are expanding into the hierarchy.
• The stand-alone primary site must be on the same version of Configuration Manager that you will use to install the central administration site. Before you install the central administration site, upgrade the primary site to the same version of Configuration Manager that you will use to install the central administration site. You must use either Configuration Manager 2012 with SP1 or System Center 2012 R2 Configuration Manager.
• You must not configure the stand-alone primary site to migrate data from another Configuration Manager hierarchy. You always perform site migrations from the top-level site. Once the expansion is complete, you can perform any site migrations using the central administration site. You can migrate data to the central administration site or any primary site in the hierarchy.
• When you configure the stand-alone primary site for migration, you must stop all active data gathering before starting the expansion process. If you migrate data from another site using data gathering, you must stop all active data gathering processes. After completing the expansion process, you can restart any data gathering processes.
• The computer account for the computer that will host the central administration site must be in the local Administrators group on the stand-alone primary site’s computer. This is required only during the expansion process and you can remove it once the process is complete.
• The user performing the expansion must be an administrator of the site that he or she is expanding. The user performing the expansion must be defined in role-based administration as either a Full Administrator or an Infrastructure Administrator at the site that he or she is expanding.
• You must uninstall any roles that are not supported in a child primary site from the stand-alone primary site that is being expanded. If you install the Asset Intelligence synchronization point, Endpoint Protection point, and Windows Intune™ connector roles, they must be located in the central administration site of a multisite hierarchy.
• The SQL Server Service Broker must be able to transfer data between the central administration site and the child primary sites. The Prerequisite Checker does not verify that the SQL Server Service Broker port is open.
Software update point: In a multisite hierarchy, a software update point at the primary site will reconfigure automatically to synchronize with the software update point in the central administration site. You should install a new software update point in the central administration site as soon as possible.
Software deployment packages: Software deployment packages that you created previously in the stand-alone primary site will replicate to the central administration site as global data. Then you can manage the packages at either the primary site or the central administration site. The default client installation package is the only exception to this process.
Client installation package: Ownership of the client installation package transfers to the central administration site. The client installation package maintains the same package number; however, Setup reconfigures it to support only the languages that the central administration site supports.
Client settings: Once the expansion is complete, you must restart the SMS_POLICY_PROVIDER component on the primary site. Until the component is restarted, the primary site will not provide any new or updated client settings to the clients.
Default Boot WIM: The central administration site creates and deploys a new default boot Windows image file (WIM) that will be used throughout the hierarchy. The boot WIM at the primary site is not modified and existing operating system deployments will continue to function.
Objectives
You must perform the installation of a System Center 2012 R2 Configuration Manager central
administration site by using hierarchy expansion.
Lab Setup
Estimated Time: 80 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-B, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o Password: Pa$$w0rd
o Domain: Adatum
3. Run Installation Prerequisite Check, and verify that the expansion prerequisites are met.
5. Run Setup to install a Configuration Manager 2012 R2 central administration site and expand an
existing primary site into the hierarchy.
2. Switch to LON-DC1.
3. Open Active Directory Users and Computers, and then add LON-CAS and NYC-CFG to the
ConfigMgrServers security group.
Task 3: Run Installation Prerequisite Check, and verify that the expansion
prerequisites are met
1. On LON-CAS, open an Administrator: Command Prompt.
2. In the Administrator: Command Prompt, navigate to E:\ConfigMgr2012R2\SMSSetup\BIN\X64.
4. In the Installation Prerequisite Check window, verify that there are no errors (you may receive several
warnings), and then click OK.
3. Open the .hta file with the Microsoft (R) HTML Application host.
a. On the Getting Started page, select Install a Configuration Manager central administration
site.
b. On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
c. On the Microsoft Software License Terms page, accept the license terms.
d. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight, and then click Next.
e. On the Prerequisite Downloads page, select Use previously downloaded files, and then
specify E:\ConfigMgr2012R2\Redist as the location.
f. On the Server Language Selection and Client Language Selection pages, click Next.
g. On the Site and Installation Settings page, configure the following options:
Site code: CAS
Site name: London Central Administration Site
Install the Configuration Manager console: selected
h. On the Central Administration Site Installation page, select Expand an existing stand-alone
primary into a hierarchy, and then in the Stand-alone primary site server (FQDN) field, type
LON-CFG.Adatum.com.
l. On the Customer Experience Improvement Program Configuration page, select I don’t want
to join the program at this time.
m. On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click
Begin Install.
3. Wait for the installation to finish, and then close the Setup Wizard and the System Center 2012 R2
Configuration Manager Setup screen.
Note: When the System Center 2012 R2 Configuration Manager Setup Wizard displays
Core setup has completed, the setup is not complete. Do not continue with the lab until the
Applying the snapshot data task has completed. The installation process may take up to 45
minutes.
Results: At the end of this exercise, you should have installed a Microsoft® System Center 2012 R2
Configuration Manager central administration site and a primary site in a hierarchy.
Lesson 4
Deploying Primary Sites in a Hierarchy
After installing the central administration site, you can install additional primary sites in your hierarchy.
Primary sites support clients in a Configuration Manager hierarchy. You must install primary sites
before you can deploy clients.
In this lesson, you will discuss the primary site role, the factors that determine when to install a primary
site, and the roles that you can install on a primary site.
Lesson Objectives
After completing this lesson, you will be able to:
• Can support up to 250 secondary child sites, up to 250 distribution points, and 2000 pull distribution
points.
• Provide a local point of connectivity for a large business unit so that you can perform administration
tasks for the clients in the business unit.
You do not need additional primary sites in your hierarchy if you are:
• Providing decentralized administration. You can use role-based administration to segregate the
administration of resources.
• Performing logical data segmentation. All data that exists in a hierarchy is replicated to the
central administration site. If you are required to maintain client data separation and want to use
Configuration Manager to manage clients, consider using a separate stand-alone installation.
• Configuring different client settings. You can configure custom client settings individually or by
collection; these settings are replicated throughout the entire hierarchy.
• Supporting a different site language. You can configure multiple languages for the same site.
• Performing content routing. You can configure content routing between two distribution points
located in two secondary sites that have the same parent. This can reduce the network traffic
associated with the WAN links.
The following table lists the steps in the Configuration Manager Setup Wizard that you use to install a
primary site, and the information that you supply for each step.
Getting Started: Select the option for installing a primary site. To speed up the process, you can install a primary site with typical settings.
Product Key: Choose between installing an evaluation version and providing a product key.
Prerequisite Licenses: Accept the licenses for the various prerequisite components.
Prerequisite Downloads: You can specify to download the Configuration Manager prerequisites files now, or to use the files from a folder where you have downloaded them previously.
Server Language Selection: This page allows you to specify additional language packs you want to download and install for the Administration console and the site servers.
Client Language Selection: Specify the additional language packs you want to download and install for the Configuration Manager client.
Site and Installation Settings: There are several required settings on this page: site code, site name, and installation folder. You cannot change these settings later. Additionally, you can choose if you want to install the Configuration Manager console.
Primary Site Installation: You can choose if the primary site you are installing is stand-alone or a part of the hierarchy.
Database Information: Enter the FQDN of the computer running SQL Server, the name of the Configuration Manager database, and the port to use for the SQL Server Service Broker.
Database Information: The wizard contains two database information pages. On this page, you must specify the installation paths for the SQL Server files.
SMS Provider Settings: Enter the FQDN of the server that hosts the SMS Provider. By default, this is installed on the site server.
Site System Roles: You can choose to install both a management point and a distribution point, or just one of the two. You must specify the FQDNs for these roles. By default, both roles will be installed using the FQDN of the server. Depending on what you configured on the previous page, you can also choose the client communication method, either HTTP or HTTPS.
Customer Experience Improvement Program Configuration: Select this option if you want to join the Customer Experience Improvement Program.
Settings Summary: Review your selections to determine if you need to go back to make any changes.
Prerequisite Check: The Configuration Manager Setup Wizard launches Prerequisite Checker to evaluate the server readiness for hosting the selected roles. Once all the checks have finished, you can begin the installation.
For example, if you created an installation .ini file named InstPrimSite.ini and stored it in the root of drive
C:, the command would be:
Setup /script C:\InstPrimSite.ini
Note: When using an unattended installation .ini file, the Setup program uses only the
values in the .ini file. You must specify all required setup options, or the installation will fail;
however, you can leave the ServerLanguages and ClientLanguages options blank.
This example illustrates a typical script used for installing a primary site in a hierarchy:
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=
SiteCode=LON
SiteName=London Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=LON-CFG.ADATUM.COM
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath= E:\ConfigMgr2012\Redist
MobileDeviceLanguage=0
ManagementPoint=LON-CFG.ADATUM.COM
ManagementPointProtocol=HTTP
DistributionPoint=LON-CFG.ADATUM.COM
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1
AdminConsole=1
[SQLConfigOptions]
SQLServerName=LON-CFG.ADATUM.COM
DatabaseName=CM_LON
SQLSSBPort=4022
[HierarchyExpansionOption]
CCARSiteServer=NYC-CAS.ADATUM.COM
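Because Setup reads only the values in the .ini file, it is worth checking the script before running Setup /script. The following Python pre-flight check is an added example, not part of the courseware or of Configuration Manager: it treats the keys used in the sample scripts on this page as the required set (an assumption) and flags the settings that weaken transport security or widen access. The function name, the findings format and the embedded sample script are constructed for illustration.

```python
import configparser
import re

# Keys that appear in the sample scripts on this page. Treating them as the
# required set is an assumption of this example, not an authoritative list.
REQUIRED = {
    "identification": ["action"],
    "options": [
        "productid", "sitecode", "sitename", "smsinstalldir", "sdkserver",
        "rolecommunicationprotocol", "clientsusepkicertificate",
        "prerequisitecomp", "prerequisitepath", "managementpoint",
        "managementpointprotocol", "distributionpoint",
        "distributionpointprotocol",
    ],
    "sqlconfigoptions": ["sqlservername", "databasename", "sqlssbport"],
    "hierarchyexpansionoption": ["ccarsiteserver"],
}

# \\server\E$ or \\server\ADMIN$ paths require administrator rights on that server.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[A-Za-z]+\$(\\|$)")

# Constructed sample, modelled on the lab script shown on this page.
SAMPLE = r"""
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=EVAL
SiteCode=NYC
SiteName=New York City Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=NYC-CFG.Adatum.com
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath=\\LON-CAS\E$\ConfigMgr2012R2\Redist
ManagementPoint= NYC-CFG.Adatum.com
ManagementPointProtocol=HTTP
DistributionPoint= NYC-CFG.Adatum.com
DistributionPointProtocol=HTTP
[SQLConfigOptions]
SQLServerName= NYC-CFG.Adatum.com
DatabaseName=CM_NYC
SQLSSBPort=4022
[HierarchyExpansionOption]
CCARSiteServer=LON-CAS.Adatum.COM
"""


def lint_setup_script(text):
    """Return (severity, message) findings for an unattended Setup script."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [("ERROR", f"script does not parse: {exc}")]

    # Section names are compared case-insensitively; configparser already
    # lower-cases key names.
    sections = {name.lower(): parser[name] for name in parser.sections()}
    findings = []

    def value(section, key):
        if section not in sections:
            return ""
        return (sections[section].get(key) or "").strip()

    # Completeness: Setup fails if a required option is absent.
    for section, keys in REQUIRED.items():
        if section not in sections:
            findings.append(("ERROR", f"[{section}] section is missing"))
            continue
        for key in keys:
            if sections[section].get(key) is None:
                findings.append(("ERROR", f"{section}.{key} is missing"))
            elif not value(section, key):
                findings.append(("ERROR", f"{section}.{key} is blank"))

    port = value("sqlconfigoptions", "sqlssbport")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(("ERROR", f"sqlssbport={port!r} is not a valid TCP port"))

    # Security-relevant choices that deserve a deliberate decision.
    for key in ("managementpointprotocol", "distributionpointprotocol"):
        if value("options", key).upper() == "HTTP":
            findings.append(("WARN", f"{key}=HTTP: clients reach this role without TLS"))
    if value("options", "rolecommunicationprotocol").upper() == "HTTPORHTTPS":
        findings.append(("WARN", "rolecommunicationprotocol=HTTPorHTTPS: HTTP remains allowed"))
    if value("options", "clientsusepkicertificate") == "0":
        findings.append(("WARN", "clientsusepkicertificate=0: clients do not use PKI certificates"))
    if ADMIN_SHARE.match(value("options", "prerequisitepath")):
        findings.append(("WARN", "prerequisitepath uses an administrative share"))
    product_id = value("options", "productid")
    if product_id and product_id.upper() != "EVAL":
        findings.append(("WARN", "productid holds a product key in clear text; restrict access to the file"))
    return findings
```

Run against the first sample script above, the check reports options.productid as blank, because that script is printed without a product key or EVAL.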
For example, although you can install multiple reporting points in a hierarchy, only a reporting services
point that you install in the central administration site can provide reports on all objects in the hierarchy.
You might decide to install only a single reporting services point and run all reports in the central
administration site. Alternatively, you might decide to install a reporting services point in each site so
local administrators can run their own reports. With either option, you can run both standard and custom
reports.
The following table shows the optional roles that you can install in a child primary site and whether they
provide site-only functionality or hierarchy-wide functionality.
Distribution point (Site): A distribution point provides support based on the site boundary groups to which it belongs. You can install multiple distribution points in a single site to provide load balancing or to provide intranet and Internet support from separate servers.
Fallback status point (Site or hierarchy): A fallback status point allows clients that cannot communicate with a management point to send state messages to the site. The fallback status point will forward any messages received from the clients to the appropriate primary site. This information is replicated as site data and is available in reports at the central administration site.
Enrollment point (Site): Clients use an enrollment point to create mobile device and Intel Active Management Technology (AMT) device objects in a site. You can configure one enrollment point per site.
Enrollment proxy point (Site): An enrollment proxy point allows mobile devices and AMT devices to join a site. You can configure one enrollment proxy point per site.
Out of band service point (Site): An out of band service point allows you to manage AMT devices that are offline by using out of band management. There can be only one out of band service point per primary site, and you must install it in a primary site that also contains the enrollment point role.
Reporting services point (Site or hierarchy): A reporting services point installed in a primary site rather than the central administration site can display data from only that primary site and any child secondary sites. That includes global data replicated to the site in addition to the site data.
Software update point (Site): You use a software update point to synchronize the metadata about software update information. You install a software update point in the central administration site to synchronize with Windows Server Update Services and in all primary sites that will use the software updates feature.
State migration point (Site): A state migration point temporarily stores user data during certain operating system deployment processes. You can configure multiple state migration points in a site to support a large-scale operating system migration.
System Health Validator point (Site or hierarchy): You use a System Health Validator point with network access protection. Only one System Health Validator point is required in the hierarchy; however, you can install multiple System Health Validator points for load balancing.
Objectives
You must verify that the System Center 2012 R2 Configuration Manager central administration site
expansion was successful. Then you must add an additional primary site and automate the installation of a
second primary site.
Lab Setup
Estimated Time: 50 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the previous lab, and the Configuration Manager installation must be complete on LON-CAS-B.
You need to validate the installation of the System Center 2012 R2 Configuration Manager central
administration site.
2. In the Configuration Manager console, in the Monitoring workspace, under the Site Status node,
view the status of each site system and site system role.
3. Under the Component Status node, view the status of site system and each component.
Task 2: View the status messages for the Configuration Manager 2012 installation
1. Click the Site Status node, and then in the results pane, for \\LON-CAS.Adatum.com, select Site
server.
4. In the Configuration Manager Status Message Viewer, double-click any message, and then review
the details of the status message. Use the Next and Previous buttons to view additional status
messages, and then close the Status Message Details dialog box.
Note: If the Link State is Link Failed, you must reinitialize the replication. To reinitialize the
replication, perform the following steps:
1. On LON-CFG, create and move a file named configuration data.pub to
C:\Program Files\Microsoft Configuration Manager\inboxes\rcm.box.
2. After the configuration data.pub file is removed, switch to LON-CAS, and after 10 minutes, in
Database Replication, refresh the replication link for Parent Site CAS and Child Site S01. The link
should now display Link Active.
2. Open the ConfigMgrSetup.log file. By default, it will open with Notepad. Review the file, note any
errors or warnings reported by Setup, and then close Notepad.
Note: When a log file reaches a certain size, which varies depending on the process, a new
log file is created and the old log file is renamed with a .lo_ extension. The ConfigMgrSetup.log
might have only a few entries, and you might need to review the ConfigMgrSetup.lo_ file.
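Because of this rollover, a review that opens only ConfigMgrSetup.log can miss errors that were written earlier in the installation. The following Python sketch is an added example, not part of the courseware: it reads the .lo_ file before the .log file and returns only the ERROR and WARN entries. It assumes the `text $$<component><date time+bias><thread=...>` line layout and the INFO/WARN/ERROR prefixes; the log lines in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed line layout: "<text> $$<component><MM-DD-YYYY HH:MM:SS.mmm+bias><thread=...>"
TRAILER = re.compile(
    r"^(?P<text>.*?)\s*\$\$<(?P<component>[^>]*)>"
    r"<(?P<stamp>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)[+-]\d+>"
)
# Also matches a "WARNING:" prefix, which is reported as WARN.
SEVERITY = re.compile(r"^(ERROR|WARN)", re.IGNORECASE)


def setup_problems(log_dir, stem="ConfigMgrSetup"):
    """Return (file, timestamp, severity, text) for ERROR/WARN entries, oldest file first."""
    problems = []
    # The rolled-over .lo_ file holds the older entries, so read it before the .log.
    for suffix in (".lo_", ".log"):
        path = Path(log_dir) / (stem + suffix)
        if not path.is_file():
            continue
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            match = TRAILER.match(line)
            # Lines without the trailer (continuations) are classified by prefix only.
            text = match.group("text") if match else line.strip()
            stamp = match.group("stamp") if match else None
            level = SEVERITY.match(text)
            if level:
                problems.append((path.name, stamp, level.group(1).upper(), text))
    return problems


def demo():
    """Build a constructed .lo_/.log pair in a temporary directory and scan it."""
    tail = "$$<Configuration Manager Setup><01-15-2014 {}+000><thread=2280 (0x8E8)>\n"
    older = (
        "INFO: Constructed example: setup started. " + tail.format("09:00:01.120")
        + "ERROR: Constructed example: prerequisite failed. " + tail.format("09:05:10.500")
    )
    newer = (
        "WARN: Constructed example: retrying operation. " + tail.format("09:40:00.000")
        + "INFO: Constructed example: setup finished. " + tail.format("09:45:30.250")
    )
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "ConfigMgrSetup.lo_").write_text(older, encoding="utf-8")
        Path(tmp, "ConfigMgrSetup.log").write_text(newer, encoding="utf-8")
        return setup_problems(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```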
2. In the results pane, click LON-CAS.Adatum.com, and then in the preview pane, review the roles
installed on the server.
3. In the results pane, right-click LON-CAS.Adatum.com, and then click Add Site System Roles. The
Add Site System Roles Wizard starts.
4. On the System Role Selection page, review the roles available for install.
Note: When you install certain site system roles as part of a hierarchy, including the Asset
Intelligence synchronization point, software update point, and Endpoint Protection point, you
cannot install them in a primary site but must install them at the central administration site.
Results: At the end of this exercise, you will have validated the installation of System Center 2012 R2
Configuration Manager.
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=EVAL
SiteCode=NYC
SiteName=New York City Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=NYC-CFG.Adatum.com
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath=\\LON-CAS\E$\ConfigMgr2012R2\Redist
MobileDeviceLanguage=0
ManagementPoint= NYC-CFG.Adatum.com
ManagementPointProtocol=HTTP
DistributionPoint= NYC-CFG.Adatum.com
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
SQLServerName= NYC-CFG.Adatum.com
DatabaseName=CM_NYC
SQLSSBPort=4022
SQLDataFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
SQLLogFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
[HierarchyExpansionOption]
CCARSiteServer=LON-CAS.Adatum.COM
Task 2: Run Setup for Configuration Manager 2012 and use the script option
1. On NYC-CFG, open an Administrator: Command Prompt window.
2. At the command prompt, type the following commands. Press Enter after each command line:
Note: The Configuration Manager Setup will run in unattended mode. The installation
process may take up to 30 minutes. You can use Task Manager to monitor the Setup progress.
On the Details tab, when you see CcmExec.exe as a running process, the setup is complete.
Results: At the end of this exercise, you should have installed a System Center 2012 R2 Configuration
Manager primary site in an existing hierarchy by using the automated setup method.
Lesson 5
Deploying Secondary Sites
If you have remote locations that connect to the primary site server’s location by using low bandwidth
network links, you may want to install secondary sites to manage the transfer of client data and
deployments. In this lesson, you will review the installation process for a secondary site.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the site system roles that you can install in a secondary site.
• By design, includes a management point and a distribution point on the site server. The secondary
site and all its components are managed from its parent primary site.
Each primary site can support up to 250 secondary sites. Each secondary site can support communications
from up to 5,000 clients. However, the total number of clients assigned to a primary site with multiple
child secondary sites still cannot exceed 100,000 clients.
Because a secondary site also includes a distribution point on its site server, you can control the transfer
of deployment-related files, including applications, packages, software updates, and operating system
images.
A secondary site does not provide local connectivity for the Configuration Manager consoles. You need to
manage the secondary site by using a console that is connected to the parent primary site.
• Add the primary site server computer account to the local Administrators group of the new secondary
site server.
o Local Administrator rights on the remote site database server for the primary site.
o The Infrastructure Administrator or Full Administrator security role on the parent primary site.
• Choose the account you want to use for site-to-site communications. The account you use for site-to-
site communications must have local administrator rights on the parent site. The default is the parent
site computer account.
After you prepare the server, you start the secondary site installation from within the Configuration
Manager console by using the Create Secondary Site Wizard. After completing the wizard, you can
monitor the progress of the installation in the Configuration Manager console. After selecting the
secondary site, click Show Install Status on the ribbon to monitor the installation progress.
The following table lists the steps in the Create Secondary Site Wizard, and the information that you enter
for each step.
Before You Begin: This page briefly describes the Create Secondary Site Wizard, and lists the site that will be the parent for this secondary site. There is no input on this page; however, you should verify that the correct parent site displays before continuing.
General: Configure the site code, the FQDN of the intended secondary site server, the site name, and the installation directory.
Installation Source Files: You need to specify the source of the files. You can copy the files from the parent site to the secondary site, use source files from a network location, or use source files that are already available locally on the secondary site server.
SQL Server Settings: You have the option to install and configure SQL Server Express or to use an existing instance of SQL Server. SQL Server Express options include the SQL Server service port and SQL Server Service Broker port. When using an existing SQL Server instance, you need to specify the FQDN of the SQL Server, an instance name if applicable, the database name, and the SQL Server Service Broker port.
Distribution Point: This page contains the distribution point settings. If necessary, you can install Internet Information Services (IIS) on the secondary site server. Additionally, you configure the client communication settings and you can configure the distribution point for prestaged content.
Drive Settings: You configure the drive space reserve, the minimum free space Configuration Manager will leave on a drive. Additionally, you can configure the drives to locate the content.
Content Validation: You can set a schedule to validate the content of the distribution point with the source.
Boundary Groups: You should identify the boundary groups on which this distribution point will be available.
Windows PowerShell
System Center 2012 Configuration Manager SP1 introduced support for additional Windows PowerShell
Configuration Manager cmdlets, including a cmdlet for installing a secondary site. You can use the
New-CMSecondarySite cmdlet to install a secondary site. For more information about the options
available with this cmdlet, see: http://technet.microsoft.com/en-us/library/jj850174(v=sc.10).aspx.
Software update point | Site | You can install a software update point in a secondary site so that clients will not have to access a software update point across a low bandwidth WAN link.
State migration point | Site | You can install a state migration point in a secondary site to support operating system deployment operations in a remote location.
System Health Validator point | Hierarchy | You can install a System Health Validator point in a secondary site to support Network Access Protection (NAP) operations in a remote location.
Previously, you installed the central administration site and two primary sites.
Objectives
You must install a secondary site under the existing New York primary site by:
1. Configuring prerequisites.
2. Installing a secondary site from a primary site.
Lab Setup
Estimated Time: 60 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
1. On the host computer, if it is not already started, start Hyper-V Manager.
4. Verify that the BITS and remote differential compression features are installed.
4. Expand Local Users and Groups, and then click the Groups node.
5. Add the computer account of the primary site server NYC-CFG to the local Administrators group.
6. Close the Computer Management console.
Task 3: Verify that Web Server (IIS) and related role services are installed
• In the Server Manager console, click Local Server, and then under the Roles and Features section,
verify that the following Role Services are installed:
o Common HTTP Features
Default Document
o Security
Windows Authentication
o Application Development
ASP.NET 3.5
ASP.NET 4.5
.NET Extensibility 3.5
.NET Extensibility 4.5
o IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
Task 4: Verify that the BITS and remote differential compression features are
installed
• In the Server Manager console, under the Roles And Features section, verify that the following
features are installed:
Results: At the end of this exercise, you should have validated the prerequisites for installing a System
Center 2012 Configuration Manager secondary site.
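The checks in Tasks 3 and 4, and the local Administrators membership added earlier in this exercise, can also be audited from an elevated PowerShell session on the intended secondary site server. The following script is an added example, not part of the lab steps; the function names are hypothetical, the feature names are the Get-WindowsFeature names for the role services and features listed above, and NYC-CFG is the lab's primary site server.

```powershell
# Added example: audits the secondary site prerequisites from this exercise.
# Function names are hypothetical; run elevated on the intended secondary
# site server.
Import-Module ServerManager

# Role services and features from Tasks 3 and 4, keyed by Get-WindowsFeature name.
$RequiredFeatures = [ordered]@{
    'Web-Default-Doc'  = 'Default Document'
    'Web-Windows-Auth' = 'Windows Authentication'
    'Web-Asp-Net'      = 'ASP.NET 3.5'
    'Web-Asp-Net45'    = 'ASP.NET 4.5'
    'Web-Net-Ext'      = '.NET Extensibility 3.5'
    'Web-Net-Ext45'    = '.NET Extensibility 4.5'
    'Web-Metabase'     = 'IIS 6 Metabase Compatibility'
    'Web-WMI'          = 'IIS 6 WMI Compatibility'
    'BITS'             = 'Background Intelligent Transfer Service (BITS)'
    'RDC'              = 'Remote Differential Compression'
}

function Get-PrerequisiteFeatureStatus {
    foreach ($name in $RequiredFeatures.Keys) {
        $feature = Get-WindowsFeature -Name $name
        [pscustomobject]@{
            Name        = $name
            Description = $RequiredFeatures[$name]
            Installed   = [bool]($feature -and $feature.Installed)
        }
    }
}

function Get-LocalAdministratorsMember {
    # ADSI is used so the check also works where Get-LocalGroupMember
    # is not available. Returns one ADsPath per member, for example
    # WinNT://DOMAIN/NYC-CFG$ for a domain computer account.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

$PrimarySiteServer = 'NYC-CFG'   # primary site server in this lab

$features = @(Get-PrerequisiteFeatureStatus)
$features | Format-Table -AutoSize

$missing = @($features | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing prerequisites: " + (($missing | ForEach-Object { $_.Name }) -join ', '))
}

# Computer accounts end in '$'; match the last path segment exactly.
$members = @(Get-LocalAdministratorsMember)
$pattern = '*/{0}$' -f $PrimarySiteServer
if (-not ($members | Where-Object { $_ -like $pattern })) {
    Write-Warning "Computer account $PrimarySiteServer`$ is not in the local Administrators group."
}

# List every member so the group can be reviewed as a whole.
"Local Administrators members:"
$members
```

Listing every member, not only the NYC-CFG computer account, lets you confirm that the group holds no accounts beyond those the installation needs.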
2. In the Configuration Manager console, in the Administration workspace, under Site Configuration,
click the Sites node.
3. In the results pane, select NYC – New York City Primary Site, and then, on the ribbon, click Create
Secondary Site.
4. In the Create Secondary Site Wizard, use the following settings to install a secondary site:
c. On the SQL Server Settings page, click Install and configure a local copy of SQL Server
Express on the secondary site computer, and then verify that the following information is
specified:
SQL Server service port: 1433
SQL Server Service Broker Port: 4022
d. On the Distribution Point page, accept the default settings.
Note: When the Create Secondary Site Wizard finishes, the installation will continue in the
background on the target server. To validate the installation, verify the installation logs in the
next exercise.
5. In the Configuration Manager console, select TOR – Toronto Secondary Site, and then, on the
ribbon, click Show Install Status. Review the progress of the installation actions, click Refresh to
monitor the status, and then close the dialog box. It takes approximately 15-20 minutes for the
installation to complete.
Results: At the end of this exercise, you should have installed the System Center 2012 Configuration
Manager secondary site.
Task 2: View the system status for the new secondary site
1. On NYC-CFG, in the Configuration Manager console, in the Monitoring workspace, under the Site
Status node, view the status of the site systems for TOR-CFG.
Note: You can view the secondary site status at the parent primary site and at the central
administration site. It may take several minutes until the installation finishes and the secondary
site status appears in the console.
2. Under the Component Status node, view the status of the components for TOR-CFG.
3. Under the Database Replication node, view the status of the replication link between NYC and TOR.
It should show that the link is active.
4. Under the Site Hierarchy node, view the site hierarchy diagram. On the NYC icon, click the plus sign
to view TOR.
Note: The line between NYC and TOR represents the state of the database replication
between the sites. This line can have several different symbols depending on the replication
status.
• ? in a white circle is shown when the status has not yet been reported.
• X in a red circle is shown when the status has been reported and the initial replication is incomplete
or there is an error during ongoing replication.
• √ in a green circle is shown when the initial replication has completed successfully and there are no
errors in the ongoing replication.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-B, and then click Revert.
Results: At the end of this exercise, you should have validated the installation of a System Center 2012
Configuration Manager secondary site.
Tools
The tools in the following table are useful during the Configuration Manager deployment process.
Module 5
Replicating Data and Managing Content in Configuration
Manager 2012
Contents:
Module Overview 5-1
Module Overview
In a Microsoft® System Center 2012 R2 Configuration Manager multiple-site hierarchy, data is transferred
between sites to allow for centralized administration and reporting. Understanding how data transfer
works helps you monitor the data flow in your Configuration Manager hierarchy and troubleshoot
replication issues.
Configuration Manager 2012 uses database replication and file-based transfer to transfer data between
sites. The data transfer method that Configuration Manager 2012 uses depends on the type of data it is
transferring.
In this module, you will review the data types, including global data, site data, and content. You will also
examine the location of the data and the replication process of the data to other sites in a Configuration
Manager hierarchy. Additionally, you will use the features in the Configuration Manager console to
monitor and troubleshoot replication.
Configuration Manager 2012 relies on the distribution point infrastructure to provide content
management functionality. In this module, you will review the content management features, plan the
configuration of distribution points, and distribute and monitor content. You will also perform content
validation and content prestaging.
Objectives
After completing this module, you will be able to:
• Describe site and global data types and how data is replicated throughout the hierarchy.
Lesson 1
Introduction to Data Types and Replication
Configuration Manager 2012 data that is transferred between sites is categorized in three data types:
global data, site data, and content. Depending on its type, some data is copied to all sites; other data is
copied to only some sites in the hierarchy. By understanding each data type—where it is created, how it is
transferred, and where it is used—you can monitor and troubleshoot Configuration Manager inter-site
communication efficiently.
In this lesson, you will review where each of these types of data is created and used in a Configuration
Manager hierarchy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the different types of data that Configuration Manager 2012 uses.
• Describe how content is transferred between sites and within the same site.
Depending on its type, data can be used in the local site only or can be replicated to other sites in the
hierarchy. The administrator determines where content is transferred by configuring content distribution.
Configuration Manager 2012 uses different replication methods, depending on the data type being
replicated.
The following table summarizes the three data types, where they are created, and the replication methods
used.
Note: You will learn about database replication and file-based replication in more detail in
Lesson 2.
In contrast, the list of collection members is site data. You will see an explanation of collection members in
the next topic.
Global data is replicated automatically from the primary site where it is created to the central
administration site and to all the other primary sites; global data created at the central administration
site is also replicated to all primary sites. A subset of global data is replicated to secondary sites. Because
of this, an administrator sees global data in the same way regardless of the site database to which he or
she connects with the Configuration Manager console. For example, a collection definition that an
administrator creates at one of the sites is replicated to the central administration site and all primary
sites in the hierarchy.
Alert rules | Alert rules determine when to notify the administrators for specific events by specifying the events that will raise alerts and the recipients who will receive the alerts.
Collection rules | Collection rules determine the membership of each collection. Four types of collection rules exist: direct, query, include, or exclude. The collection rules are evaluated independently at each primary site.
Package metadata | Package metadata contains information about the software and the source files used in a deployment, platforms on which the software can be deployed, and other information necessary to perform the deployment.
Program metadata | Program metadata contains information about the command line and parameters that Configuration Manager uses to perform a deployment.
Software update deployments | Software update deployment definitions contain information about the objects used in a software update deployment, including the updates to be deployed and the collection to which they are deployed.
Software update metadata | Software update metadata contains information about the executable files included in software updates, platforms to which the updates apply, and other useful software update information, such as language, name, date released, and sensitivity.
Task sequence metadata | Task sequence metadata defines the task sequence as individual steps to be executed.
Site control definition | The site control definition contains information about the site configuration.
Site servers list | The site servers list contains the list of servers and corresponding site system roles installed in each site.
Role-based administration security roles, security scopes, and administrative users | Security roles are assigned to administrative users to grant permissions on object types in the Configuration Manager hierarchy. Security scopes limit administrative permissions to specific objects in the hierarchy. Administrative users associate roles, scopes, and collections to the Active Directory® Domain Services (AD DS) users and groups.
Another example of site data is client inventory. Clients generate hardware and software inventory, which
is then added to each primary site’s database, which in turn replicates to the central administration site.
The following table lists some examples of site data.
Collection membership lists | Collection membership lists contain the objects that are members of the collection after evaluating the collection rules at each primary site.
Hardware inventory data | The hardware inventory client agent collects hardware inventory data from the Configuration Manager clients.
Software inventory data | The software inventory client agent collects software inventory data from the Configuration Manager clients.
Software metering data | The software metering client agent collects software metering data from the Configuration Manager clients.
Asset Intelligence data | Asset Intelligence data adds additional classes and attributes to the data collected by the hardware inventory agent at the Configuration Manager clients.
Status messages and alerts | Site systems and clients generate status messages to report status information to the site server. The site server generates alerts when it encounters specific error conditions that administrators have configured.
Software distribution status details | Clients generate software distribution status details that report the status of a particular deployment.
Component and site status summarizers | Component and site status summarizers aggregate status messages to determine the overall health status of the site systems and components.
Client health data | Configuration Manager determines client health data by using information such as last connection time, hardware inventory, and software inventory.
Client health history | Client health history contains aggregated information about client health. You can use client health history to obtain reports about client health over a specific period.
Wake On LAN data | Wake On LAN data contains the history of all Wake On LAN operations performed.
Quarantine client restriction history | Quarantine client restriction history contains the list of clients that are restricted by Network Access Protection.
If the Configuration Manager console is connected to a primary site, you will see the global data and only
the site data that has originated from that site or any child secondary site. To see site data from all sites
and to perform administration and reporting for the entire hierarchy, you must use a Configuration
Manager console at the central administration site. You can modify site data only at the primary site
where it was created.
Content Types
Configuration Manager administrators create
content at the central administration site or at
primary sites. Content is transferred down the
hierarchy to site servers and distribution points
according to distribution settings that
administrators configure.
Content | Description
Applications | Applications contain all objects used to deploy software. The application metadata, definitions for deployment types, requirements, supersedence, and other application settings for deploying software are replicated by using the new application model; however, only the source files are replicated by using file-based replication.
Software packages | Software packages contain source files and definitions used to deploy software by using the classic software deployment model.
Software update packages | Software update packages contain software update metadata and update files used to perform update management.
Driver packages | Driver packages contain driver metadata and driver files. Driver packages are used for operating system deployments. Only the driver files are replicated by using file-based replication.
Operating System installers | Operating system installers contain installation files imported from the installation media. Operating system deployments utilize these installers.
Boot images | Boot images contain the Windows Preinstallation Environment (Windows PE) that is used to boot computers and initiate the operating system deployment process.
Database Replication
Configuration Manager 2012 database replication
is a custom replication method. Configuration
Manager 2012 does not use the older replication
methods included in Microsoft SQL Server®, such
as transactional replication. You do not need to
install SQL Server–based replication components.
Configuration Manager database replication uses SQL Server Service Broker to transfer data between
SQL Server databases installed in different sites in a hierarchy.
By default, the Configuration Manager database replication mechanism uses the following ports to
transfer data:
File-Based Replication
File-based replication between Configuration Manager 2012 sites uses the same mechanism as
Configuration Manager 2007 replication. This mechanism is based on senders and the SMB protocol.
The SMB protocol uses TCP port 445.
Configuration Manager 2012 secondary sites use file-based replication to transfer site data to their parent
primary site. File-based replication is also used to transfer fallback status point state messages to the
assigned site when a client’s assigned site does not have a fallback status point. In addition, the initial
transfer of discovery data records to the assigned site requires the use of file-based replication.
The following table summarizes data types that are transferred by using file-based replication between
sites.
Data | Destination
Package files used by deployments | Sent to distribution points located in primary and secondary sites.
Secondary site data | Sent to the parent primary site of the secondary site.
Fallback status point state messages | Forwarded to the assigned site when only a single fallback status point is in use in a hierarchy.
Discovery data records | Forwarded to the assigned site when clients are not assigned to the site that discovered them. The discovery data record is processed locally at the assigned site and the information is replicated to other sites in the hierarchy by using database replication.
Data collected from clients at secondary sites | Transferred to the parent primary site by using file-based replication.
• Security scopes usually limit the primary site administrators’ permissions. This allows primary site
administrators to manage objects from only their primary site. Any objects that they create are global
data and will be replicated to the central administration site and all other primary sites.
For example, consider a Configuration Manager hierarchy that consists of a central administration site and
two primary sites, Site A and Site B. An administrator creates a collection in primary Site A. The collection
definition, which includes membership rules, is replicated to the central administration site and to primary
Site B. The collection membership rules are evaluated at both primary sites; both Site A and Site B
determine the list of collection members for their respective sites based on collection membership rules.
Collection membership, however, is site data.
• A client collects hardware and software inventory and sends it to its assigned primary site.
By answering the questions above, you will be able to design your distribution infrastructure to fit your
organization’s needs. You will learn more about planning for content management in Lesson 3, later in
this module.
Content Creation
Configuration Manager administrators can create content at any primary site or central administration
site.
Initially, content is placed in the content library located on the site server in the originating site. Content
library, a new feature included in Configuration Manager 2012, implements single-instance storage for
content.
Content Distribution
After creating content, the administrator can distribute the content to distribution points—that the site
is aware of—located throughout the hierarchy. One method administrators can use to distribute content
simultaneously to multiple distribution points is to implement distribution point groups. When an
administrator assigns a package to a distribution point group, the package will be transferred to all
distribution points that are part of that group. When an administrator adds a new distribution point to
the distribution point group, the content is distributed automatically to the new distribution point.
Content is transferred between sites by using senders that use the SMB protocol. Content is transferred
within the same site between the site server and distribution points by using Package Transfer Manager,
which also uses file-based replication and the SMB protocol. For this reason, any firewalls located between
sites, and between the site servers and distribution points, must allow SMB traffic.
The administrator can configure content routing between two secondary sites by configuring the content
to be copied from a secondary site to another secondary site instead of directly from the primary site
server. This process can reduce the network traffic on the link between a secondary site and parent
primary site if the secondary sites have a better connection among themselves than with the parent site.
Content Deployment
Because deployment definitions are global data and are replicated to all sites in the hierarchy, an
administrator from a primary site can deploy content that an administrator creates in a different primary
site. However, to perform the deployment successfully, and so that clients can access the content locally,
the content should first be distributed to distribution points in the local primary site.
Configuration Manager clients connect by using HTTP or HTTPS to a distribution point in their assigned
site that has the content available, download the content, and install it on the local system, according to
the deployment settings received in the policy. Because the transfer from the distribution point to the
local system uses HTTP or HTTPS, the traffic can usually pass through any firewalls.
Lesson 2
Managing Data Replication
When you install a primary site or a secondary site in an existing Configuration Manager hierarchy,
database replication is configured automatically with the parent site. Additionally, when expanding a
Configuration Manager 2012 stand-alone site into a hierarchy with a central administration site, database
replication is automatically configured. However, you can configure some settings for use by the new site,
such as the SQL Server ports and the SQL Server instance. After upgrading to Configuration Manager R2
or Configuration Manager SP1, you benefit from the additional configuration options, including defining
on-demand data replication.
In the Configuration Manager console, you can monitor Configuration Manager database replication. You
can use tools, such as Replication Link Analyzer, to troubleshoot the replication process.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to manage file-based replication.
Note: Configuration Manager 2012 SP1 introduced name changes to the file-based
replication components for naming consistency with database replication. The following table
lists the name changes.
Addresses node in the Configuration Manager console | File Replication node in the Configuration Manager console
You can configure a file replication route to support the connection to the remote site and to control the
bandwidth that the file replication route can use. A file replication route’s properties dialog box has three
tabs that you use to configure file-based replication:
• General tab. The General tab displays general information that you cannot change without recreating
the route. This includes the Source site code and site name, the Destination site code and site name,
and the destination servers’ name. The configurable option on the General tab is the File Replication
Account. By default, the file replication route uses the source computer’s Active Directory account.
You can change the account that a primary site will use to any Active Directory account. Secondary
sites always use the computer account of the secondary site server as the File Replication Account.
The File Replication Account needs permissions to write to the destination site server's SMS_SITE share.
• Schedule tab. You can use the Schedule tab to limit the amount of communication traffic during
configured time periods by restricting when data can be sent to the destination site. By default, the
file replication route is open to all priorities at all times. The following table describes the options for
configuring the schedule.
Time: The minimum unit of time that you can schedule is one hour. You can choose any one-hour block, multiple one-hour blocks, entire days, or a block of time across all days.
Priorities: For the selected blocks of time, you can choose:
o Open for all priorities
o Allow medium and high priority
o Allow high priority only
o Closed
• Rate Limits tab. The Rate Limits tab has configuration options to prevent Configuration Manager from
consuming all available bandwidth on the connection. The options for configuring the rate limits are:
o Unlimited when sending to this destination. There are no limits on the bandwidth usage.
o Pulse mode. You can specify the amount of data to send at one time, in kilobytes (KB), and how
long to wait between transmissions, in seconds.
o Limited to specified maximum transfer rates by hour. By using this setting, you can specify the
maximum percentage of bandwidth that can be used during each hour of the day.
You can configure how the data will be transmitted based on one-hour increments through
the day.
All days share the same schedule.
The file replication route relies on the sender process to transmit the data. The sender is the Configuration
Manager component that transmits the data from one site to another. You can control some behavior of
the sender by using the configuration options on the Sender tab in the site properties dialog box.
You can use the Maximum concurrent sendings option to specify the maximum number of simultaneous
communications. The following table describes the settings in this option.
Setting | Description
All sites | By default, the site will have a combined maximum number of five simultaneous communications to all sites.
Per site | By default, the site will have a maximum of three simultaneous communications to a single site.
You can use the Retry Settings option to specify what actions to take when a communication fails. The
following table describes the settings in this option.
Setting | Description
Delay before retrying (minutes) | By default, retries will be tried one minute apart.
Beginning with Configuration Manager 2012 SP1, a Configuration Manager administrator can configure
some database replication settings. There are several configuration options for managing the database
replication link:
• Distributed views. You can configure this option on the General tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can enable distributed views for
any or all of the following: Hardware inventory, Software inventory and software metering, and Status
messages. When you enable distributed views, the primary site does not replicate the selected
information to the central administration site. By default, these settings are not enabled. Distributed
views are only available for primary site to central administration site replication.
• Replication data summary. You can find this option on the General tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can use the Replication data
summary setting to configure how often Configuration Manager summarizes reporting data for
database replication traffic. By default, this interval is 15 minutes.
• Scheduling. You can schedule database replication on the Schedule tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can configure when replication
will be available throughout the week. Additionally, you can control which data will replicate during
those times, either All site data or any or all of the following:
o Hardware inventory
o Status messages
Additional database replication configuration options are available by right-clicking the
<ParentSiteCode><ChildSiteCode> Replication Link and selecting either Child Database Properties or
Parent Database Properties. On the Database tab of the <Site> Database Properties, you can configure
the following options:
• SQL Server Service Broker port. By default, the SQL Server Service Broker uses port 4022.
• Data compression. By default, compression is enabled. This setting applies to all the data replication
links.
• Data retention. Data retention can be set between 1 and 14 days, and is set to 5 days by default. If
replication is interrupted for longer than the data retention period, the global data will be reinitialized
from the parent site after replication is restored.
By default, database replication takes place over ports 1433 and 4022. These ports need to be open at
firewalls before installing the new Configuration Manager sites to allow replication between sites. Because
ports are configurable, you can change their settings during or after installation of the new sites. You also
need to ensure that the site server can communicate with the site database if the site database is hosted
on a separate server.
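The default ports named in this module (1433 and 4022 for database replication, 445 for SMB-based file replication and content transfer) can be checked from a site server before a new site is installed. The following PowerShell is an added example, not part of the course material; the function names are hypothetical and TOR-CFG is the lab's secondary site server.

```powershell
# Added example: reachability check for the default replication ports this
# module names. Function names are hypothetical, not Configuration Manager
# cmdlets.

function Test-TcpPort {
    # Returns 'Open', 'Refused', 'Filtered' or 'Error' for one TCP port.
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [int]    $Port,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No answer in time: typically a firewall dropping the traffic,
            # or the host is down.
            return 'Filtered'
        }
        $client.EndConnect($pending)   # throws if the connection failed
        return 'Open'
    }
    catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException] -and
            $base.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # Host answered but nothing is listening. Expected for 1433 and
            # 4022 before SQL Server is installed on the target.
            return 'Refused'
        }
        return 'Error'                 # for example, name resolution failed
    }
    finally {
        $client.Close()
    }
}

function Test-CMReplicationPorts {
    param(
        [Parameter(Mandatory = $true)] [string] $RemoteSiteServer,
        # Set this when the site database is hosted on a separate server.
        [string] $RemoteSqlServer = $RemoteSiteServer,
        [int] $SqlPort    = 1433,      # default SQL Server service port
        [int] $BrokerPort = 4022       # default SQL Server Service Broker port
    )
    $checks = @(
        @{ Target = $RemoteSqlServer;  Port = $SqlPort;    Use = 'Database replication: SQL Server service' },
        @{ Target = $RemoteSqlServer;  Port = $BrokerPort; Use = 'Database replication: SQL Server Service Broker' },
        @{ Target = $RemoteSiteServer; Port = 445;         Use = 'File-based replication and content transfer: SMB' }
    )
    foreach ($check in $checks) {
        [pscustomobject]@{
            Target = $check.Target
            Port   = $check.Port
            Use    = $check.Use
            State  = (Test-TcpPort -ComputerName $check.Target -Port $check.Port)
        }
    }
}

# Run from the parent site server (NYC-CFG in the lab) against the new site.
$results = @(Test-CMReplicationPorts -RemoteSiteServer 'TOR-CFG')
$results | Format-Table -AutoSize

$filtered = @($results | Where-Object { $_.State -eq 'Filtered' })
if ($filtered.Count -gt 0) {
    Write-Warning ("No response on port(s): " + (($filtered | ForEach-Object { $_.Port }) -join ', '))
}
```

Replication is bidirectional, so run the same check from the other site server as well, and scope the firewall rules to the site servers and SQL Server hosts involved rather than opening these ports to the whole network.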
Monitoring Replication
You can monitor replication in the Configuration
Manager console, in the Monitoring workspace,
in the Database Replication node. You can review
the link statuses for all replication connections. A
replication link will have one of the following
statuses:
• Link Failed. Replication is not functional. It is possible that a replication link will recover without
further action. Consider using Replication Link Analyzer to investigate and remediate replication on
this link.
When you select a replication connection in the results pane, you can view detailed information in the
preview pane, including:
• A summary of the replication status between the parent and child site.
You can obtain additional information by saving a diagnostic file. You need to select the replication
connection and then click the Save Diagnostic File button on the ribbon. The diagnostic file is a text file
containing detailed information about the replication and link statuses.
For further troubleshooting, you can use Replication Link Analyzer to perform a series of tests for the
replication link:
• Checking connectivity between the local site server and the remote SQL Server instance
• Checking connectivity between the local SQL Server instance and remote SQL Server instance
• Checking replication initialization on sites
• Checking for a valid SQL Server Service Broker account on site servers
• Checking for free disk space on the system running SQL Server
You can save the test results as an XML file by clicking the Replication Link Analyzer Report link on the
Troubleshooting Report page.
You also can configure alerts to be generated when the replication link is inactive for a specified interval
of time (the default interval is 30 minutes) in the <ParentSiteCode><ChildSiteCode>Replication Link
Properties dialog box.
The console displays alerts if the replication link is inactive for the specified period.
• Monitor replication.
Demonstration Steps
Configure file-based replication
1. On LON-CAS, start the Configuration Manager console, and then click the Administration
workspace.
2. Open the Hierarchy Configuration folder, and then click the File Replication node.
3. Configure the Adatum Site S01 London Central Administration Site CAS with the following
settings:
3. Configure the Link Properties of the CAS Central administration site S01 Primary site database
replication link, with the following settings:
o Number of retries: 5
Monitor replication
1. Open the Monitoring workspace.
2. In the Database Replication node, select the CAS to S01 replication link. Verify that the Link State
shows Link Active. If it does not, refresh the results pane.
3. Review the information available in the preview pane, under Replication Status. Verify that, in the
Site Replication Status section, both Parent Site State and Child Site State display a status of
Replication Active.
4. In the Global Data Replication Status section, verify that both Parent Site to Child Site Global
State and Child Site to Parent Site Global State display a status of Link Active and that the Last
Synchronization Time reflects today’s date.
5. In the preview pane, on the Parent Site tab, review the information available in the Replication
Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
6. In the preview pane, on the Child Site tab, review the information available in the Replication Status
area.
• Global Data Replication Traffic Per Link (line chart). This report contains a line chart that displays
total global data replication traffic on a specific link for a specified number of days.
• Global Data Replication Traffic Per Link (pie chart). This report contains a pie chart that displays
total global data replication traffic on a specific link for a specified number of days.
• Hierarchy Replication Traffic By Link. This report contains a pie chart report that displays total
replication traffic for each link in the hierarchy for a specified number of days.
• Hierarchy Top Ten Replication Group’s Traffic Per Link (pie chart). This report contains a pie chart
report that displays the replication traffic for the top ten replication groups across the entire hierarchy
by link.
• Link Replication Traffic. This report contains a line chart that displays total replication traffic for all
data for a specified number of days.
• Replication group traffic link. This report contains a line chart that displays the replication group
network traffic over a specific database replication link for a specified number of days.
• Site Data Replication Traffic Per Link (line chart). This report contains a line chart that displays total
site data replication traffic on a specific link for a specified number of days.
• Site Data Replication Traffic Per Link (pie chart). This report contains a pie chart report that displays
total site data replication traffic on a specific link for a specified number of days.
• Total Hierarchy Replication Traffic (line chart). This report contains a line chart that displays hierarchy
aggregate global and site data replication for each direction of every link for a specified number of days.
• Total Hierarchy Replication Traffic (pie chart). This report contains a pie chart report that displays
hierarchy aggregate global and site data replication for each direction of every link for a specified
number of days.
Troubleshooting Replication
Multiple Configuration Manager components are involved in database replication. The troubleshooting
actions that you perform depend on the components that fail. Troubleshooting the replication process is
similar to troubleshooting other aspects of Configuration Manager; that is, you use the available tools and
log files. Perform the following steps to troubleshoot replication errors:
2. Check replication log files. If you cannot find the issue in the Replication Link Analyzer, check the
rcmctrl.log and replmgr.log files. You can adjust the logging level with the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_REPLICATION_CONFIGURATION_MONITOR\Verbose logging
o Value 1. All information in value 0 and warnings and more general information
o Value 2. Verbose (all information)
3. Run a stored procedure on SQL Server. On the SQL Server instance, you can run the spDiagDRS
stored procedure to view detailed information about the database replication process.
4. Check the SQL Server Service Broker log. By default, the SQL Service Broker log file is located at
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\ErrorLog.
5. Reinitiate the data. You can use the spDrsSendSubscriptionInvalid stored procedure to reinitiate
the data. You should consider this step as a last resort because it will cause all the data to be
rereplicated between the sites.
The following table lists typical remediation actions that you can perform.
SMSExec service stopped on sending or target site:
• If SMSExec stops responding, restart it on the sending or target site server.
Site server clocks are not in sync:
• Verify that domain controllers are configured to use a Network Time Protocol (NTP) server.
Service accounts or certificate issues:
• Reset the password for service accounts and reissue certificates.
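The manual checks described above (service state, the two SQL Server ports, the logging level, and spDiagDRS) can be run together from the site server. The following script is an added example, not part of the course material. The database name CM_S01 and the use of LON-CFG.Adatum.com as the remote SQL Server are assumptions taken from the lab naming, and the script assumes the account running it has rights on the site database.

```powershell
# Added example: manual equivalents of the replication troubleshooting steps.
# Assumptions (not from the course text): the site database is named CM_S01 and
# the remote SQL Server is LON-CFG.Adatum.com. Adjust both for your hierarchy.
param(
    [string]$RemoteSqlServer = 'LON-CFG.Adatum.com',
    [string]$LocalSqlServer  = 'localhost',
    [string]$SiteDatabase    = 'CM_S01',
    [int[]] $Ports           = @(1433, 4022)   # SQL Server and Service Broker ports
)

function Test-TcpPort {
    # Returns $true when a TCP connection to the port succeeds within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. SMS_EXECUTIVE must be running on both ends of the link (local check only).
$svc = Get-Service -Name 'SMS_EXECUTIVE' -ErrorAction SilentlyContinue
if ($svc) { Write-Host "SMS_EXECUTIVE on this server: $($svc.Status)" }
else      { Write-Host 'SMS_EXECUTIVE is not installed on this server.' }

# 2. Connectivity from this site server to the remote SQL Server instance.
foreach ($port in $Ports) {
    $ok = Test-TcpPort -ComputerName $RemoteSqlServer -Port $port
    Write-Host ("{0}:{1} reachable: {2}" -f $RemoteSqlServer, $port, $ok)
}

# 3. Current logging level for rcmctrl.log (registry value named on this page).
$key   = 'HKLM:\Software\Microsoft\SMS\Components\SMS_REPLICATION_CONFIGURATION_MONITOR'
$level = (Get-ItemProperty -Path $key -Name 'Verbose logging' -ErrorAction SilentlyContinue).'Verbose logging'
if ($null -eq $level) { Write-Host 'Verbose logging value not found.' }
else                  { Write-Host "Verbose logging level: $level" }

# 4. Run spDiagDRS against the local site database and print every result set.
$connString = "Server=$LocalSqlServer;Database=$SiteDatabase;Integrated Security=True;Connect Timeout=15"
$conn = New-Object System.Data.SqlClient.SqlConnection($connString)
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText    = 'EXEC spDiagDRS'
    $cmd.CommandTimeout = 120
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
    $results = New-Object System.Data.DataSet
    [void]$adapter.Fill($results)          # Fill opens and closes the connection
    $index = 0
    foreach ($table in $results.Tables) {
        $index++
        Write-Host "--- spDiagDRS result set $index ($($table.Rows.Count) rows) ---"
        $table.Rows | Format-Table -AutoSize | Out-String | Write-Host
    }
} catch {
    Write-Host "spDiagDRS could not be run: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

The script only reads state. It does not change the logging level and does not call spDrsSendSubscriptionInvalid.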
Question: What troubleshooting steps can you perform if Replication Link Analyzer reports SQL Server
connectivity issues?
Objectives
After completing this lab, you will be able to:
• Troubleshoot replication.
Lab Setup
Estimated Time: 40 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps two through four for the following virtual machines:
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
2. Open Hierarchy Configuration, and then click the File Replication node.
3. Configure the Adatum Site S01 London Central Administration Site CAS file replication link with
the following settings:
2. Configure the CAS Central administration site S01 Primary site database replication link with the
Summarization interval (minutes) as 5 under Link Properties.
o Number of Retries: 5
Results: At the end of this exercise, you should have configured the replication settings between the A.
Datum central administration site and the London primary site.
2. In the Database Replication node, select the CAS to S01 replication link. Verify that the Link State
shows Link Active. If it does not, refresh the results pane.
3. Review the information available in the preview pane, under Replication Status. Verify that, in the
Site Replication Status section, both Parent Site State and Child Site State display a status of
Replication Active.
4. In the Global Data Replication Status section, verify that both Parent Site to Child Site Global
State and Child Site to Parent Site Global State display Link Active status and that the Last
Synchronization Time reflects today’s date.
Note: If the status of Parent Site to Child Site Global State and Child Site to Parent Site
Global State is Link Inactive, verify that both LON-CAS and LON-CFG have started. To refresh
the status, click the CAS to S01 replication link, and then press F5.
5. In the preview pane, on the Parent Site tab, review the information available in the Replication
Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
6. In the preview pane, on the Child Site tab, review the information available in the Replication Status
area.
2. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts. Create a
device collection with the following attributes:
o Create a Direct Rule and search for System Resources with the name LON%.
3. Verify that the London Computers collection appears in the list of device collections.
4. Right-click the London Computers collection, and then click Show Members. Notice that a new
node appears in the navigation pane under Devices. Notice also that the members of the collection
appear in the results pane.
Results: At the end of this exercise, you should have verified the replication between the A. Datum central
administration site and the London primary site.
3. In the CAS <-> Replication Link Properties dialog box, on the Alerts tab, verify that Generate an
alert when this replication link is not working for a specified period of time is selected.
3. In the Service Control window, wait for the service to stop. Wait at least three minutes before
continuing to the next task.
4. In the Assets and Compliance workspace, click the Device Collections node.
5. Access the Properties of the London Computers collection, and change the name of the collection
to London Servers.
6. In the Monitoring workspace, in the Database Replication node, select the CAS to S01 replication
connection.
7. Verify that the status of the replication link is either Link Failed or Link Degraded. Press F5, if
required, to refresh the status.
8. Right-click the CAS to S01 replication link, and then click Save Diagnostics Files.
10. In Windows Explorer, browse to drive C, and then open the file Replication Diagnostics in Notepad.
11. Review the content of the file. Note that the Child Site to Parent Site Global State shows the status
of Link Failed or Link Degraded. Close Notepad.
Task 4: Resolve the issue and verify that replication is functioning correctly
1. On LON-CAS, right-click the CAS to S01 replication link, and then click Replication Link Analyzer.
Replication Link Analyzer starts detecting problems.
2. In the CAS <-> S01 Replication Link Analyzer window, on the Restart the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Restart the SMS_EXECUTIVE service. Wait for the operation
to finish.
3. In the Replication Link Analyzer window, on the Successfully restarted the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Continue.
Note: Based on timing, there may still be issues that are detected. If issues are detected,
first click the Check to see if the problem is fixed link.
4. Wait for the operation to finish, and then on the Troubleshooting Report page, click View Report.
The content of ReplicationAnalysis.xml opens in Internet Explorer®.
5. Review the content of the file, and then close Internet Explorer.
6. In the Replication Link Analyzer window, click View Log. The content of
ReplicationLinkAnalysis.log opens in Configuration Manager Trace Log Tool.
7. Review the content of the file, and then close Configuration Manager Trace Log Tool.
Results: At the end of this exercise, you should have troubleshot replication between the primary site and
the central administration site.
Lesson 3
Planning Content Management
System Center 2012 Configuration Manager provides content management functionality that you can use
to create, distribute, and monitor content. The content management feature relies on distribution points
as the core components of the distribution infrastructure. Distribution points in Configuration Manager
2012 include new features such as content validation and content prestaging. In this lesson, you will
review these new features and learn about planning a content management infrastructure, including the
prerequisites you may need to consider. In addition, you will learn how to plan for managing network
bandwidth.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the considerations for implementing preferred and fallback distribution points.
When a client device needs to download deployed content, the client sends a content source location
request to a management point. The management point compiles a list of available distribution points
that are preferred distribution points for the client’s boundary group. The client then chooses one of the
listed distribution points to contact for the content.
You can configure content for a deployment type or package to allow the client to use a fallback
distribution point if the content is not available on a preferred distribution point. When a client needs to
download content, and this setting is enabled for the content, the content source location request asks for
fallback distribution points. The management point response will include preferred distribution points and
fallback distribution points.
• Allow fallback source location for content. By selecting this setting, you ensure that clients can
download content from distribution points that are designated as fallback distribution points when
content is unavailable on a preferred distribution point.
• Deployment behavior for slow network. You can configure whether clients will download content
from slow distribution points.
• Distribute the content for this package to preferred distribution points. By selecting this setting, you
enable on-demand content distribution for the application or package.
Question: In Scenario A, from where will Client A and Client B download content?
Question: In Scenario B, from where will Client A and Client B download content?
Question: In Scenario C, from where will Client A and Client B download content?
Question: In Scenario D, from where will Client A and Client B download content?
situation, file transfers use the SMB protocol. This traffic can have a significant impact on network
utilization, especially over low-speed network connections. You can manage this traffic by using
content throttling and distribution scheduling, except for distribution points located on site servers.
• You can configure scheduling and set specific throttling settings that determine when and how much
bandwidth is consumed during content distribution to remote distribution points. You can configure
the throttling settings on the Rate Limits tab and the scheduling settings on the Schedule tab. The
Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not
installed on a site server.
• You can configure remote distribution points with different settings based on the network bandwidth
limitations from the site server to the remote distribution point. Each remote distribution point
configured as a pull-distribution point will use its own throttling settings and schedule to transfer
content.
Distribution point priority is not related to package priority. Package priority still determines the order of
package distribution and the time at which package distribution is permitted.
• Include standard application installer files in the operating system image and use custom task
sequence commands to install those applications from the local source files.
Both senders and Package Transfer Manager use file-based replication and the SMB protocol. Any
firewalls placed between sites or between the site server and distribution points must allow SMB traffic.
• Prestaged content distribution settings override pull distribution. If content is configured for
prestaging, then a pull-distribution point will not pull it.
• Retry settings do not apply to pull-distribution points. The Package Transfer Manager service on the
site server does not notify the pull-distribution point to start downloading the content until it has
verified the pull-distribution point as available on a source server.
• If the pull-distribution point is in a remote forest, the Configuration Manager client must be installed
on the distribution point and the Network Access Account must be able to access the source
distribution point.
You can configure a distribution point as a pull-distribution point during the creation of the distribution
point or any time thereafter. When configuring a distribution point as a pull-distribution point, you must
also specify one or more source distribution points. You can use only distribution points that support
HTTP as source distribution points when using the Configuration Manager console. Beginning with
System Center 2012 R2 Configuration Manager, you can configure the source distribution points with
priorities.
Note: The Configuration Manager Software Development Kit (SDK) includes information
and tools for configuring a pull-distribution source by using HTTPS.
• Offers a conflict detection mechanism as part of the extraction tool to prevent earlier versions of
content from being prestaged on a distribution point.
• There is limited network bandwidth from the site server to distribution point. While distributing
content over the network to a remote distribution point, consider prestaging the content on the
distribution point when scheduling and throttling do not reduce network traffic sufficiently.
• You need to restore the content library on a site server. When a site server fails, information about
packages and applications in the content library is restored to the site database as part of the restore
process. However, the site backup does not include content library files by default. If you do not have
a file system backup to restore the content library, you can create a prestaged content file from
another site that contains the packages and applications you need, and then extract the prestaged
content file on the recovered site server.
• Cloud-based distribution points cannot be used with task sequences that use the deployment option
Download content locally when needed by running task sequence.
• Cloud-based distribution points do not support packages that run from the distribution point.
Additional Considerations
There are other factors to consider before using a cloud-based distribution point, such as:
• Availability. Cloud-based storage may not be accessible in certain countries or locations.
• Cost. Several factors determine the cost of using Windows Azure, including the number of virtual
machines that are running, the amount of storage used, and the amount of data that is transferred
each month.
Windows Intune
Windows Azure is a cloud-based service that primarily provides infrastructure as a service (IaaS),
whereas Windows Intune™ is a cloud-based client management service. Windows Intune provides client
management including application deployment, software and hardware inventory, anti-malware, and
policy control. You can deploy Windows Intune as a stand-alone product or integrate it with your System
Center 2012 R2 Configuration Manager environment.
You can place cloud-based distribution points in any region in Windows Azure. Client devices are not
aware of Windows Azure regions and clients using cloud-based distribution points will not necessarily use
the closest region.
The process that clients use for choosing a cloud-based distribution point is:
2. If a preferred distribution point is not available, clients will attempt to use remote (fallback) on-
premises distribution points.
3. If no preferred distribution points or fallback distribution points are available, the client will use a
cloud-based distribution point.
When a client connects to a cloud-based distribution point, the cloud-based distribution point must
authenticate the client by using a Configuration Manager access token. If the client trusts the cloud-based
distribution point certificate, the client will download the requested content.
• Distribution point configuration status, which includes the aggregate status of the content assigned
to a distribution point and status of the optional components (PXE and multicast).
To troubleshoot content distribution, you can also use:
To troubleshoot issues with content management, you can use the following Configuration Manager logs:
• SMSProv.log. You can use this log to troubleshoot actions started from the UI or the SDK.
• DistMgr.log. You can use this log to troubleshoot content creation, update, deletion, and start of
distribution. You can use this log on the site server from the source site, to verify that Distribution
Manager processes the content.
• Scheduler.log. You can use this log to see the current status of the sender job. You can use this log on
the site server from the source site to verify that the content was queued for the sender.
• Sender.log. You can use this log to troubleshoot the copy of the compressed content to the
destination site. You can use this log on the site server from the source site, to determine whether the
sender has transferred the content to a different site.
• Despooler.log. You can use this log to troubleshoot the extraction of the compressed copy to the
content library on the destination site. You can use this log file on the site server from the destination
site to verify that the despooler received and processed the content.
• PkgXferMgr.log. You can use this log to troubleshoot the distribution of content from the site server
to the distribution point. You can use this log on the site server to determine whether the content was
processed by Package Transfer Manager and transferred to a distribution point located in the same
site as the site server.
• SMSDPProv.log. You can use this log to troubleshoot the addition of content to the content library on
the distribution point. You can use this log on a distribution point to verify that content was added to
the content library.
• SMSPXE.log. You can use this log to troubleshoot the PXE provider. You can find this log on a
distribution point that is configured to use PXE.
You can use the following Windows logs to troubleshoot distribution point configuration:
• u_exYYMMDD.log (where YYMMDD is the year, month, and day). You can use these IIS logs for
troubleshooting issues related to Internet Information Services (IIS). You can find the IIS logs on the
distribution point in the C:\Inetpub\Logs\LogFiles\W3SVC1\ folder.
• WDS.log. You can use the Windows Deployment Services (Windows DS) log for troubleshooting issues
related to Windows DS.
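Because each Configuration Manager log above covers one stage of content distribution, searching them in pipeline order for a single content ID shows where a distribution stopped. The following script is an added example, not part of the course material. The content ID S0100005 and all three folder paths are placeholder assumptions, and the error heuristic is a plain text match rather than a parser for the log format.

```powershell
# Added example: follow one content ID through the distribution logs in order.
# Assumptions (not from the course text): the content ID and the three log
# folder paths below are placeholders. Leave a folder empty to skip its stages.
param(
    [string]$ContentId      = 'S0100005',
    [string]$SourceSiteLogs = 'C:\Program Files\Microsoft Configuration Manager\Logs',
    [string]$DestSiteLogs   = '',
    [string]$DpLogs         = ''
)

# Stage order follows the log descriptions on this page.
$stages = @(
    @{ Log = 'DistMgr';    Folder = $SourceSiteLogs; Meaning = 'Distribution Manager processed the content' },
    @{ Log = 'Scheduler';  Folder = $SourceSiteLogs; Meaning = 'Content was queued for the sender' },
    @{ Log = 'Sender';     Folder = $SourceSiteLogs; Meaning = 'Sender copied content to the destination site' },
    @{ Log = 'Despooler';  Folder = $DestSiteLogs;   Meaning = 'Despooler extracted content at the destination site' },
    @{ Log = 'PkgXferMgr'; Folder = $SourceSiteLogs; Meaning = 'Package Transfer Manager sent content to a distribution point' },
    @{ Log = 'SMSDPProv';  Folder = $DpLogs;         Meaning = 'Content was added to the distribution point content library' }
)

$report = foreach ($stage in $stages) {
    if (-not $stage.Folder) { continue }              # stage not requested

    # "<name>.lo*" matches the active .log file and the rolled-over .lo_ file.
    $files = @(Get-ChildItem -Path $stage.Folder -Filter "$($stage.Log).lo*" `
                   -ErrorAction SilentlyContinue | Sort-Object LastWriteTime)

    $hits = @()
    if ($files.Count -gt 0) {
        $hits = @($files | Select-String -SimpleMatch -Pattern $ContentId)
    }

    # Heuristic only: lines that mention the ID together with an error keyword.
    $suspect = @($hits | Where-Object { $_.Line -match '(?i)\b(error|fail(ed|ure)?)\b' })

    $last = ''
    if ($hits.Count -gt 0) {
        $last = $hits[-1].Line.Trim()
        if ($last.Length -gt 160) { $last = $last.Substring(0, 160) + '...' }
    }

    [pscustomobject]@{
        Log        = "$($stage.Log).log"
        Meaning    = $stage.Meaning
        FilesFound = $files.Count
        Matches    = $hits.Count
        Suspect    = $suspect.Count
        LastLine   = $last
    }
}

$report | Format-List | Out-String | Write-Host

# Summarise: the last stage that saw the content, and the first one that did not.
$lastSeen     = $report | Where-Object { $_.Matches -gt 0 } | Select-Object -Last 1
$firstMissing = $report | Where-Object { $_.FilesFound -gt 0 -and $_.Matches -eq 0 } |
                    Select-Object -First 1

if ($lastSeen)     { Write-Host "Last stage with entries for ${ContentId}: $($lastSeen.Log)" }
else               { Write-Host "No log in the searched folders mentions $ContentId." }
if ($firstMissing) { Write-Host "First searched log with no entries: $($firstMissing.Log)" }
```

In a single-site distribution, Sender.log and Despooler.log are expected to have no entries, so read the summary against the path the content actually takes.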
You can configure BranchCache in Windows Server 2008 R2 to work in two modes:
• Distributed cache mode. Cached content is distributed across peer client computers.
• Hosted cache mode. A server hosts cached content. Configuration Manager does not support this
mode.
Configuration Manager supports BranchCache with the following operating systems configured in
BranchCache distributed cache mode:
• Windows 8.1
• Windows 8
• Windows Server 2008 R2 with no service pack, with SP1, or with SP2
Clients running a supported version of Windows Vista® SP2 and Windows Server 2008 SP2 with the
Background Intelligent Transfer Service (BITS) 4.0 release can also use BranchCache, but only for
content transferred by BITS. These operating systems do not support the BranchCache client functionality for:
• Software deployments that are configured to run from the network.
BranchCache management is integrated in the Configuration Manager console. For applications, you can
configure BranchCache on a deployment type. For programs and software updates, you can configure the
BranchCache settings on the deployment.
• Workstations situated in remote locations are running a supported operating system for
BranchCache, such as Windows 8 or Windows 7 with SP1.
You need to configure your content management infrastructure by installing and configuring an
additional distribution point for a remote office, creating a distribution point group, and adding the
distribution points to the groups. You will also distribute content and perform content validation. You
will use content prestaging for transferring packages to the remote distribution point.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 40 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. In Hyper-V Manager, verify that the following virtual machines are running:
o 10748C-LON-DC1-C
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
o Domain: Adatum
A. Datum is an international organization that includes a central campus location in London with three
buildings and approximately 4,000 users. There are six remote offices in the European continent, several
of which have local information technology (IT) staff. New York is the central location for North American
operations. The New York offices are largely autonomous. They support a user base that is similar in size
to the London user base. The Toronto office is the central location for Canadian operations, and although
there is a small IT staff in Toronto, it is managed by the New York office. There are eight additional remote
offices in North America. The remote offices each support between 50 and 1,000 users. In addition, there
are more than 1,000 field agents with laptops requiring management and connectivity. The office in New
York communicates with the London central office through a satellite connection. The Toronto office is
connected directly to the New York office via high-speed connections.
The remote locations are connected through Multiprotocol Label Switching (MPLS) connections to the
main offices in their respective continents; these connections can be 80 percent utilized at peak times. You
need to plan for software distribution that affects the corporate network minimally during business hours.
You are planning to build a central administration site and one primary site in London and one primary
site in New York. You plan to create a secondary site in the Toronto office. The remaining remote offices
will be managed from the primary site in their respective continents. You can recommend any additional
distribution components that you think are necessary.
Results: At the end of this exercise, you will have planned the distribution architecture for the company.
1. Add the primary site server computer account to the local Administrators group.
Task 1: Add the primary site server computer account to the local Administrators group
1. On LON-SVR1, from Server Manager, start Computer Management.
2. In the Computer Management console, under Local Users and Groups, select Groups.
2. On the ribbon, on the Home tab, click Create Site System Server. The Create Site System Server
Wizard starts. Use the following settings to create the new distribution point (use default settings for
pages that are not specified):
o On the General page, browse to select LON-SVR1 as the new site system server, and then in the
Site Code drop-down list, select S01 – Adatum Site.
o On the System Role Selection page, select Distribution Point.
o On the Distribution Point page, select Install and configure IIS if required by Configuration
Manager and Enable this distribution point for prestaged content.
o On the Content Validation page, select Validate content on a schedule.
o Complete the wizard.
3. In the Configuration Manager console, verify that \\LON-SVR1.Adatum.com appears in the results
pane.
4. Create a new distribution point group named Primary and Secondary Site Distribution Points.
Results: At the end of this exercise, you should have created a distribution point, created a distribution
point group, and added distribution points to the group.
2. On the ribbon, click Create Application. The Create Application Wizard starts. Use the following
settings to create an application:
o On the General page, verify that in the Type box, Windows Installer (*.msi) is selected, in the
Location text box, type \\LON-CFG\E$\Software\MSI_Files\PPTViewer, and then select
ppviewer.msi.
o Accept the default settings for all other pages, and then complete the wizard.
3. In the Configuration Manager console, in the results pane, select the Microsoft PowerPoint Viewer
application, and then on the ribbon, click Distribute Content. The Distribute Content Wizard starts.
Use the following settings to distribute content:
o Accept the default settings for all other pages, and then complete the wizard.
o On the General page, browse to drive E, and then save the file with the name
PowerPointViewer.
o On the Content Locations page, add LON-CFG.Adatum.com as a source of content.
o Accept the default settings for all other pages, and then complete the wizard.
2. In Windows Explorer, browse to drive E, and then copy PowerPointViewer.pkgx to \\LON-SVR1\C$.
2. At the command prompt, type the following commands, pressing Enter after each line:
CD C:\SMS_DP$\sms\Tools
extractcontent.exe /P:C:\PowerPointViewer.pkgx /S
2. In the results pane, click Microsoft PowerPoint Viewer, and then review the information in the
preview pane. Notice that two distribution points were targeted and Success is now listed as 2.
Results: At the end of this exercise, you should have performed content prestaging.
2. Click Add roles and features, and then use the Add Roles and Features Wizard to install the
BranchCache feature.
Results: At the end of this exercise, you will have enabled BranchCache support on LON-SVR1.
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
Question: How is hardware inventory transferred from a secondary site to the central
administration site?
Question: How can you create a file that contains diagnostics information for replication
links?
Module 6
Planning Resource Discovery and Client Deployment
Contents:
Module Overview
Module Overview
You can configure the Configuration Manager resource-discovery methods to locate resources in your
network environment. In this module, you will examine the discovery methods available in Configuration
Manager and consider which of these discovery methods to use based on the resources you need to
manage.
You can use Configuration Manager to manage computer resources by installing the Configuration
Manager client on the computers that you want to manage.
Configuration Manager provides several methods for installing the Configuration Manager client on
computer resources. This module covers various client-installation methods, and then examines the
advantages and disadvantages of each method. You will examine how to choose the most appropriate
client-installation methods to use in your organization’s environment.
Depending on the client-installation methods that you decide to use, you may be able to configure client
installation properties that are applied during installation. You can configure site servers to publish client
installation properties in Active Directory® Domain Services (AD DS). Configuration Manager clients use
these properties after installation to identify the assigned site and locate appropriate site systems. This
module discusses how to configure client-installation properties when using the client push and Group
Policy installation methods.
This module also covers the Client Health feature that you can use for monitoring Configuration Manager
clients. This feature can perform automatic remediation for certain client configuration issues.
Objectives
After completing this module, you will be able to:
Lesson 1
Identifying Resources by Using Configuration Manager Discovery Methods
Resource discovery is the process that Configuration Manager uses to discover an infrastructure’s
manageable resources, such as computers, groups, user accounts, sites, and IP subnets. Configuration
Manager uses multiple discovery methods to discover resources.
The primary source of information for discovering resources is AD DS. Configuration Manager has several
discovery methods that use AD DS as a source of information.
Configuration Manager also can search the network to discover network topology and devices that have
an IP address.
This lesson covers discovery methods, the advantages and the disadvantages of each method, and how to
decide which methods are the most appropriate to use to discover resources in your environment.
To detect which installed clients are still active in the network, Configuration Manager uses Heartbeat
Discovery, which is a special discovery method. This method does not discover new computers. Instead, it
rediscovers existing clients that are active in the network.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Active Directory discovery methods for systems, users, and groups.
When a discovery method successfully discovers a resource, it creates a file that is a discovery data record
(DDR). In a single primary site environment, the site server processes DDRs and enters them into the
Configuration Manager database. In a multiple-site hierarchy, DDRs that are created at primary and
secondary sites for the newly discovered resources are forwarded to the central administration site for
processing. Then, database replication replicates the information about the discovered computers to
primary sites, making the discovery data available at each site in the hierarchy, regardless of where it was
discovered or processed. Subsequent discoveries for the existing resources, such as DDRs that Heartbeat
Discovery creates, are processed at the primary sites.
• Discovery information entered into the database at one site is replicated to all primary sites in the
hierarchy by using the Configuration Manager database replication feature.
• Active Directory Forest Discovery is not used to discover resources, but rather is used to discover
subnets and Active Directory sites, and then add them as boundaries for the hierarchy.
• When a primary site is in a different AD DS forest, you can enable and configure Active Directory
Forest Discovery at the central administration site, or at primary sites, to accommodate deployment
scenarios.
• Active Directory Group Discovery in System Center 2012 Configuration Manager discovers groups
and their membership, and is the replacement for the Configuration Manager 2007 discovery
method, Active Directory Security Group Discovery.
• Active Directory System Discovery and Active Directory Group Discovery both support options to
filter the discovery of stale computer records based on the timestamp of the last logon or the last
password change.
• Active Directory System Discovery, Active Directory User Discovery, and Active Directory Group
Discovery all support delta discovery, which detects changes in AD DS more frequently than by using
the default discovery schedule. Delta discovery differs from the Configuration Manager 2007 R3
version, because it can detect the addition or removal of computers or users from a group.
You will learn about each of these discovery methods and their available configuration settings in
upcoming topics, enabling you to choose the discovery methods that are most appropriate for your
environment.
Discovery Methods
You can use a variety of resource discovery
methods with Configuration Manager to
discover resources in your infrastructure, such
as computers, groups, user accounts, and network
infrastructure topology.
• Active Directory Forest Discovery. Introduced in Configuration Manager, this method discovers Active
Directory sites and subnets, and it can create Configuration Manager boundaries for each site and IP
subnet that it discovers.
• Active Directory System Discovery. Discovers computer systems from AD DS. Additionally, it can discover
Active Directory container names, as does the Configuration Manager 2007 Active Directory System
Group Discovery.
• Active Directory Group Discovery. Discovers local, global, and universal groups and their membership
from AD DS.
• Active Directory User Discovery. Discovers users from the specified locations in AD DS.
When you choose which discovery methods to implement, consider what types of resources you
need to discover, such as computers, users, or groups. The following list shows various types of resources
in a typical corporate infrastructure, and the discovery methods that you can use to discover each type of
resource.
• Computers
o Active Directory System Discovery. Active Directory System Discovery discovers computer resources
from AD DS, and it provides additional information about the computer resources, such as the
organizational units (OUs) in which the computer resources are located.
o Network Discovery. Network Discovery provides information about your network topology that you
cannot acquire with other discovery methods.
Note: You must ensure discovery of computer resources before you install the Configuration Manager
client by using the client-push installation method. You can use Active Directory System Discovery and
Network Discovery to discover computer resources before client installation.
• Users
o Active Directory User Discovery. You can discover user resources by using Active Directory User
Discovery. This method discovers users from AD DS, and it includes basic information about users,
such as username and email address. You can use this information to build queries and collections
similar to those for computers. You can configure User Discovery to retrieve other attributes from
Active Directory, such as manager, office, and phone number.
• Groups and their membership
o Active Directory Group Discovery. You can discover groups and group memberships by using Active
Directory Group Discovery. This discovery method creates resource records for security groups.
Additionally, it identifies the members of each group, and optionally any nested groups within that
group. Active Directory Group Discovery also discovers limited information about group members.
This does not replace Active Directory System or User Discovery, and typically it is insufficient to
use to build complex queries and collections, or to serve as the base of a client-push installation.
• Infrastructure
o Active Directory Forest Discovery. You can use Active Directory Forest Discovery to search an Active
Directory forest for information about subnets and Active Directory sites. You then can use these
objects to configure your Configuration Manager boundaries.
o Network Discovery. You also can use Network Discovery to discover your network topology. Network
Discovery can discover subnets and router topology of your network, in addition to computer
resources.
Question: What discovery methods can you use to discover computer resources?
• An enabled computer account in AD DS. Active Directory System Discovery filters out disabled
computers, by default.
• A computer record in Domain Name System (DNS). Active Directory System Discovery tries to resolve
the name of each computer resource to an IP address. If the DNS contains obsolete records, it might
cause the discovery of computers that are no longer active on the network. To avoid this, you should
remove obsolete records in DNS by activating DNS scavenging.
If the computer resource meets the preceding conditions, the discovery method generates a DDR for the
computer and populates the DDR with information that identifies the computer resource.
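The two conditions above, together with the stale-record filters (last logon and last password change) mentioned earlier in this lesson, can be previewed against AD DS and DNS before you enable the discovery method. The following PowerShell function is an added example, not part of the course material or of Configuration Manager; the function name, the OU path, and the 90-day thresholds are assumptions, and it requires the ActiveDirectory module from the Remote Server Administration Tools. It only reads from AD DS and DNS.

```powershell
#Requires -Modules ActiveDirectory

function Get-DiscoveryPreview {
    [CmdletBinding()]
    param(
        # Hypothetical container; use the one you plan to configure for discovery.
        [string]$SearchBase = 'OU=Workstations,DC=contoso,DC=com',
        # Assumed thresholds; choose the same number of days you set in the discovery options.
        [int]$MaxLogonAgeDays = 90,
        [int]$MaxPasswordAgeDays = 90
    )

    $now = Get-Date
    $computers = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree -Filter * `
        -Properties Enabled, LastLogonDate, PasswordLastSet, DNSHostName

    foreach ($c in $computers) {
        $reasons = @()

        # Condition 1: disabled computer accounts are filtered out by default.
        if (-not $c.Enabled) { $reasons += 'account disabled' }

        # Optional stale-record filters. LastLogonDate is derived from the
        # replicated lastLogonTimestamp attribute, so it can lag by several days.
        $staleLogon = (-not $c.LastLogonDate) -or
            (($now - $c.LastLogonDate).TotalDays -gt $MaxLogonAgeDays)
        $stalePassword = (-not $c.PasswordLastSet) -or
            (($now - $c.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays)
        if ($staleLogon)    { $reasons += "no logon in $MaxLogonAgeDays days" }
        if ($stalePassword) { $reasons += "password older than $MaxPasswordAgeDays days" }

        # Condition 2: the computer name must resolve to an IP address in DNS.
        $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
        $ip = $null
        try {
            $ip = [System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                Select-Object -First 1
        } catch {
            # Resolution failed; $ip stays $null and is reported below.
        }
        if (-not $ip) { $reasons += 'no IPv4 address in DNS' }

        [pscustomobject]@{
            Computer        = $name
            IPAddress       = if ($ip) { $ip.IPAddressToString } else { $null }
            WouldDiscover   = ($reasons.Count -eq 0)
            # A stale account that still resolves is the obsolete-DNS-record case
            # that DNS scavenging is meant to clean up.
            ObsoleteDnsRisk = [bool]($ip -and $staleLogon -and $stalePassword)
            Reasons         = $reasons -join '; '
        }
    }
}

# Example call (hypothetical OU):
# Get-DiscoveryPreview -SearchBase 'OU=Workstations,DC=contoso,DC=com' |
#     Where-Object { -not $_.WouldDiscover } | Format-Table -AutoSize
```

Rows with ObsoleteDnsRisk set to True are candidates for review before you rely on discovery data for client push.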
Active Directory System Discovery discovers basic information about a computer, including the:
• Computer name
• IP address
Additionally, you can configure the discovery of extended attributes from AD DS in the Active Directory
System Discovery Properties dialog box on the Active Directory Attributes tab.
Active Directory System Discovery includes functionality to discover Active Directory container names,
such as organizational units. In Configuration Manager 2007, this functionality was available in Active
Directory System Group Discovery.
Active Directory User Discovery discovers basic information about the user account, including the
following:
• User name
• Unique user name (includes the domain name)
• Domain
• Active Directory container names
In addition to this basic information, you can configure the discovery of extended attributes from AD DS
in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab.
There are two options when configuring Active Directory Group Discovery searches:
• Location. You can search one or more Active Directory containers, such as a forest, domain, container
or OU. You can use a recursive search of the specified Active Directory container, so that the search
includes all child containers under the container that you specify. This process continues until Active
Directory Group Discovery does not find any more child containers.
• Groups. You can specify one or more Active Directory groups. When configuring this option, you can
use the default domain and forest for the site or limit the search to an individual domain controller. If
you do not specify at least one group, this method performs a location search of the location that you
specify.
You can use both of these options more than once and at the same time. For example, you might want
to find all the members of all groups in a particular location (forest, domain, container or OU) plus all the
members of one particular group in a different location.
Network Discovery must identify the IP address and the subnet mask to successfully discover a resource.
Network Discovery can discover resources that cannot support the Configuration Manager client software,
such as printers, routers, and bridges. Network Discovery creates discovery records that include the
following information, as appropriate:
• NetBIOS name
• IP addresses
• Resource domain
• System roles
Network Discovery and Heartbeat Discovery are the only discovery methods that can discover computers
in workgroups.
To configure Network Discovery, you must specify the level of discovery, which the following list
outlines.
• Topology. This level discovers routers and subnets, but it does not identify a subnet mask for objects.
• Topology and client. This level discovers topology and potential clients, such as computers, and
resources, such as printers and routers. This level of discovery attempts to identify the subnet mask of
objects that it finds.
• Topology, client, and client operating system. In addition to topology and potential clients, this level
attempts to discover the computer operating-system name and version. This level uses Windows
Browser service and Windows Networking calls.
For Network Discovery to discover an object, it must identify the object IP address and then identify
its subnet mask or Active Directory site membership. It then creates a DDR for that object. If Network
Discovery cannot determine the subnet mask or Active Directory site membership of an object, it does
not create a DDR.
To discover computer resources, you must configure at least the Topology and client discovery level. You
can configure Network Discovery to use the following sources of information:
• Domains. Network Discovery discovers any computer from the domain that you specify. This
information must be visible when browsing the network. Network Discovery retrieves the IP address
and then uses an Internet Control Message Protocol (ICMP) echo request to ping each device that it
finds to determine which computers are currently active. It then initiates Windows networking
application programming interface (API) calls to the resource to discover its operating-system
information.
• SNMP. Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that
responds to the query. The ipNetToMediaTable value returns arrays of IP addresses that are client
computers or other resources, such as printers, routers, or other IP-addressable devices.
• DHCP. Network Discovery queries Microsoft DHCP servers for a list of devices that are registered with
each server. Network Discovery retrieves information by using remote procedure calls to the database
on the DHCP server. Network Discovery supports only DHCP servers that run the Microsoft
implementation of DHCP.
• SNMP community names. You can specify SNMP community names that Network Discovery uses to
query SNMP devices.
• Maximum hops. You limit the number of network segments and routers that Network Discovery can
query by using SNMP.
To identify the subnet mask, Network Discovery uses the following methods:
• Router ARP cache. Network Discovery queries the ARP cache of a router to find subnet information.
• DHCP. Network Discovery queries each administrator-specified DHCP server to discover the devices
for which the DHCP server has provided a lease.
• SNMP device. Network Discovery directly queries an SNMP device, and then makes an additional call
to obtain the subnet mask information.
Question: What level of Network Discovery must you configure to discover computers?
• Heartbeat Discovery is enabled by default, and it runs on a schedule on each computer client to
create a Heartbeat Discovery DDR. To send the Heartbeat Discovery record, the client computer must
be able to contact a management point.
• For mobile device clients, the management point that the mobile device client uses creates the DDR.
• The default schedule for Heartbeat Discovery is set to run every seven days.
• Heartbeat Discovery provides details about the client installation status by updating a system-
resource client attribute to active status.
• The following maintenance tasks use discovery information. If you adjust the heartbeat interval, you
should adjust these tasks:
o Clear Install Flag. This maintenance task is not enabled by default. If you enable this task, the
default schedule is between 00:00 and 05:00 every Sunday. This task clears the install flag of any
client that has not submitted a Heartbeat DDR within the past 21 days. This forces a client
reinstallation if you enable the client push installation method.
o Delete Aged Discovery Data. By default, this maintenance task is enabled and runs between 00:00
and 05:00 every Saturday. By default, this task removes any discovery data that is more than 90
days old. If a DDR for the resource has not been added in the past 90 days, this task deletes
everything relevant to that resource from the Configuration Manager database. This task affects all
types of resources: systems, users, and groups. This task removes database records about
discovered computers that have not had the Configuration Manager client installed during the last
90 days.
o Delete Inactive Client Discovery Data. By default, this maintenance task is not enabled. If you
enable this task, the default schedule is 00:00 to 05:00 every Saturday. The Delete Inactive Client
Discovery Data task is similar to the Delete Aged Discovery Data task. However, this task operates
only on resources that are Configuration Manager clients. When you enable this task, it removes
records for inactive clients that have not sent a heartbeat during the last 90 days.
• You cannot configure Heartbeat Discovery on secondary sites, but secondary sites can receive the
Heartbeat DDR from a client, and forward it to the primary site.
Question: If you change the default schedule for Heartbeat Discovery, you should ensure that Heartbeat
Discovery runs more frequently than which site-maintenance tasks?
• Active Directory System Discovery. Schedule: once a week after you enable it, and delta discovery
every five minutes. Discovers computers in AD DS from the specified forests, domains, and containers.
Discovers basic Active Directory attributes for the computers.
• Active Directory User Discovery. Schedule: once a week after you enable it, and delta discovery every
five minutes. Discovers users in AD DS from the specified forests, domains, and containers. Discovers
basic Active Directory attributes for the users.
• Active Directory Group Discovery. Schedule: once a week after you enable it, and delta discovery
every five minutes. Discovers groups and group memberships in AD DS from the specified forests,
domains, and containers. Discovers minimal information about the group members.
• Active Directory Forest Discovery. Schedule: once a week after you enable it. Discovers groups and
group memberships in AD DS from the specified forests, domains, and containers. Discovers minimal
information about the group members.
• Network Discovery. Schedule: once, running for two hours when you enable it. Discovers Network
Devices that respond to the configured Network Discovery method.
• Heartbeat Discovery. Schedule: once a week after you install the client. Client systems generate a new
DDR to keep their data active in the Configuration Manager database.
Considering your environment, discuss the following questions with the rest of the class:
Question: For the discovery methods that you would enable, how do you think you would schedule
them?
Question: If you intended to enable Active Directory System Discovery or Active Directory User Discovery,
would you enable additional attributes as well?
Lesson 2
Client Deployment in Configuration Manager
You can install Configuration Manager clients by using a variety of methods. Regardless of the method
that you choose, you should start by using either CCMSetup.exe or CCMSetup.msi, which is a bootstrap
for CCMSetup.exe.
This lesson covers the client-installation process and the CCMSetup parameters that you can use with
CCMSetup.exe to control the deployment process.
You will examine typical Configuration Manager client-installation methods and Configuration Manager
site systems that are involved in client deployment. This lesson also discusses the role of AD DS in client
deployment.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to use Configuration Manager boundaries and boundary groups for client assignment
and content location.
• Describe how Configuration Manager clients find Configuration Manager site systems.
• Describe the Configuration Manager client-installation process for UNIX and Linux computers.
• Describe typical client-deployment methods.
• The management point to be used for downloading content for client installation.
• The Hypertext Transfer Protocol (HTTP) port used for client communications.
• The Hypertext Transfer Protocol Secure (HTTPS) port that is used for client communication.
• The fallback status point. If the site has multiple fallback status points, only the first one installed is
published to AD DS.
• The criteria for certificate selection. This might be required when the client has more than one valid
certificate.
• Installation properties specified in the Installation Properties tab of the Client Push Installation
Properties dialog box.
Additionally, if you use alternate ports for your site systems, clients are automatically updated when you
make a change.
Extending the Active Directory schema is an irreversible forest-wide action that you need to perform only
once per forest. When deploying Configuration Manager in a multiple-forest environment, you need to
extend the schema in each forest to which you want to publish information.
If you previously extended the schema for Configuration Manager 2007, you do not need to extend it
again for System Center 2012 R2 Configuration Manager. Only a member of the Schema Admins group or
an administrator that has sufficient permissions to modify the schema can extend it.
If you extend the schema before installation, Configuration Manager automatically configures the site to
publish site information during installation and publishes site information to AD DS at the completion of
installation. However, you can extend the schema after the Configuration Manager installation and then
manually configure the site to publish to AD DS.
Note: For more information about extending the Active Directory schema for
Configuration Manager, refer to “Module 2, Planning and Deploying a Stand-Alone
Environment.”
Question: How do Group Policy initiated deployments use AD DS during Group Policy installation?
Question: Are you planning to extend the Active Directory schema in your environment?
Management Point
A management point is required to complete the
client-installation process, although you can install
the client components successfully without one. The installation process is complete when the client
registers with a primary site, is assigned its initial policy, and retrieves the policy. This initial policy sets
the components to their desired state. For standard installation methods, the client downloads a copy of
CCMSetup.exe from a management point. All other files are downloaded from a distribution point. After
the installation program is complete, the client contacts the management point to register itself and
obtain its site assignment. It then reports the state of the installation. If the client cannot contact the
management point, all client components appear as installed rather than enabled or disabled.
The client software has several methods that it can use to locate the management point, and it uses them
in the following order:
1. Setup Parameters. As part of the installation command, you can specify a management point.
3. DNS. The client searches for a service (SRV) record for a management point. To find the
right SRV record in DNS, you must configure the clients with their site code.
4. Windows Internet Name Service (WINS). A management point automatically updates its WINS record
with the appropriate information.
Automatic client assignment is based on boundaries, which are members of a boundary group for
which you enable automatic assignment. In previous Configuration Manager versions, if clients fall outside
of all boundaries, automatic site assignment fails and clients are not managed. However, Configuration
Manager enables you to configure a fallback site for client assignment at the hierarchy level. If you install
a client that is outside of any configured boundary groups, the automatic site-assignment process uses
this site, and the installation process completes successfully.
Additionally, Configuration Manager client deployment reports use data sent by clients through the
fallback status point.
Mobile devices that Configuration Manager enrolls, and mobile devices that the Exchange Server
connector manages, do not use a fallback status point.
Distribution Point
The distribution point is used to copy all client installation files, except for CCMSetup.exe, unless
CCMSetup has been invoked by using the /source: parameter and points to a folder with all files and
prerequisites. When you deploy an operating system by using the Configuration Manager operating-
system deployment feature, CCMSetup is downloaded from a distribution point to the client’s local
cache. A standard installation is then invoked, including the download of a copy of CCMSetup from the
management point to the %WINDIR%\ccmsetup folder and the download of client.msi and prerequisite
files from a distribution point.
When you upgrade the client by using software deployment, the installation package downloads from a
distribution point. The installation of the Windows CE client also uses a distribution point.
Prerequisites
Some of the prerequisites for client deployment
install automatically on client computers during
the deployment process. You must install other
prerequisites before you deploy the client, and
those prerequisites vary depending on the client
version that you are deploying. The following list
contains all prerequisites that you need to successfully deploy the Configuration Manager client to
Windows-based computers:
• External dependencies. You must install these prerequisites before you deploy the client:
o Client Bridge ActiveX® Control. The client uses this control on computers that run a
version of the client prior to System Center 2012 Configuration Manager Service Pack 1
(SP1). For those computers, you must exclude the
Microsoft.ConfigurationManager.SoftwareCatalog.Website.ClientBridgeControl.dll control from
ActiveX filtering in Windows Internet Explorer®. This control installs automatically with the client
for versions prior to System Center 2012 Configuration Manager SP1.
o Windows Installer version 3.1.4000.2435. This is the minimum version of the installer that is
necessary for software updates and .msp files in packages.
o KB2552033. This update is necessary for servers that are running Windows Server® 2008 R2, if
you use client push to deploy the Windows-based client.
o Background Intelligent Transfer Service (BITS) 2.5. BITS throttles communication between client
and servers. BITS does not install automatically on all Windows versions, so you need to
determine whether it is installed. If it is not, you need to install it.
o Microsoft .NET Framework 4 Client Profile. The Configuration Manager client is a .NET
application, so it needs .NET Framework. Download this component only if none of the following
are installed on the client:
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.0
o Microsoft Core XML Services (MSXML) 6.20.5002. Processes XML documents in Windows.
o Microsoft remote differential compression (RDC). Compresses data for transmission over a
network.
o Microsoft Silverlight 4.0.50524.0. Used by the Application Catalog website on computers that are
running versions of the Configuration Manager client prior to System Center 2012 Configuration
Manager SP1.
o Microsoft Silverlight 5.1.10411.0. Used by the Application Catalog website on computers that are
running the System Center 2012 Configuration Manager SP1 and older versions of the
Configuration Manager client.
o Microsoft SQL Server Compact 3.5 SP2 components. Stores information that client operations
require.
o Microsoft Visual C++ 2005 Redistributable version 8.0.50727.42. Used by SQL Server®
Compact 3.5.
o Microsoft Visual C++ 2008 Redistributable version 9.0.30729.4148. Used by the client to execute
various client operations.
o Microsoft Windows Imaging Components. Used by the .NET Framework for computers that are
running Windows Server 2003 or Windows XP SP2 for 64-bit.
o Windows Imaging APIs 6.0.6001.18000. Manages .WIM files.
o TCP 80. Used in all client deployment methods for communication with a fallback status point.
Also used for communication with the management point and distribution point.
o TCP 443. Used in all client deployment methods for communication between the client and a
management point and distribution point, if you configure the management point and
distribution point to use HTTPS instead of HTTP.
o TCP 445. Used by Server Message Block (SMB) messages when downloading the client files
in a client push installation or in any installation that uses the /source property for CCMSetup.
o UDP/TCP 135. Used with dynamic ports on the client to support remote procedure call (RPC)
communication between client and site servers during a client-push installation.
o TCP 8530. Used for HTTP communication with a software update point when you install the client
by using software updates.
o TCP 8531. Used for HTTPS communication with a software update point when you install the
client by using software updates.
Note: These ports are the default ports that Configuration Manager uses. You can modify
them. For more information about ports that client deployment uses and alternative ports, refer
to “Windows Firewall and Port Settings for Client Computers in Configuration Manager” at
http://go.microsoft.com/fwlink/?LinkID=391457.
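Because each deployment method needs only some of the ports listed above, you can keep firewall rules narrow and confirm reachability before a rollout. The following PowerShell functions are an added example, not part of the course material or of Configuration Manager; the function names, role keys, and host names are assumptions. The example assumes that client-push checks run from the site server toward the client and that all other checks run from the client toward the site systems. It tests TCP only, so UDP 135 and the dynamic RPC ports are not covered.

```powershell
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false   # refused, filtered, or name not resolvable
    } finally {
        $client.Close()
    }
}

function Test-ClientDeploymentPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('ClientPush', 'SoftwareUpdate', 'Other')]
        [string]$Method,
        # Where this script is running (assumed direction of each check, see above).
        [Parameter(Mandatory)][ValidateSet('Client', 'SiteServer')]
        [string]$RunFrom,
        # Host name per role. Keys used here: FSP, MP, DP, SUP, Client.
        [Parameter(Mandatory)][hashtable]$Hosts,
        [switch]$Https,      # management point and distribution point use HTTPS
        [switch]$SupHttps    # software update point uses HTTPS
    )

    # Default ports from the list above; adjust if your site uses alternative ports.
    $webPort = if ($Https) { 443 } else { 80 }
    $supPort = if ($SupHttps) { 8531 } else { 8530 }

    $checks = @(
        @{ From = 'Client'; Role = 'FSP'; Port = 80 }        # all methods
        @{ From = 'Client'; Role = 'MP';  Port = $webPort }
        @{ From = 'Client'; Role = 'DP';  Port = $webPort }
    )
    if ($Method -eq 'SoftwareUpdate') {
        $checks += @{ From = 'Client'; Role = 'SUP'; Port = $supPort }
    }
    if ($Method -eq 'ClientPush') {
        $checks += @{ From = 'SiteServer'; Role = 'Client'; Port = 445 }   # SMB
        $checks += @{ From = 'SiteServer'; Role = 'Client'; Port = 135 }   # RPC endpoint mapper
    }

    $applicable = $checks | Where-Object { $_.From -eq $RunFrom }
    foreach ($check in $applicable) {
        $target = $Hosts[$check.Role]
        if (-not $target) {
            Write-Warning "No host supplied for role $($check.Role); skipping TCP $($check.Port)."
            continue
        }
        [pscustomobject]@{
            RunFrom   = $RunFrom
            Role      = $check.Role
            Target    = $target
            Port      = $check.Port
            Reachable = Test-TcpPort -ComputerName $target -Port $check.Port
        }
    }
}

# Example calls (host names are hypothetical):
# Test-ClientDeploymentPorts -Method SoftwareUpdate -RunFrom Client `
#     -Hosts @{ FSP = 'fsp01'; MP = 'mp01'; DP = 'dp01'; SUP = 'sup01' }
# Test-ClientDeploymentPorts -Method ClientPush -RunFrom SiteServer -Hosts @{ Client = 'pc042' }
```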
CCMSetup.exe
CCMSetup.exe generally begins the client-
installation process and runs in all client-
installation methods. CCMSetup performs the
following actions:
• Determines the location from which to download client prerequisites and installation files. If you start
CCMSetup without command-line options and if you extend the AD DS schema for Configuration
Manager, the setup process reads the client-installation properties from AD DS to find an appropriate
management point. If you do not extend the Active Directory schema, CCMSetup searches DNS or
WINS for a management point to contact. Alternatively, you can specify a management point by
providing the /mp:ComputerName switch or a specific UNC location by using the /source:path
switch.
• Downloads a copy of itself from the management point or specified source folder to the
%windir%\ccmsetup folder.
• Downloads the client prerequisite files. Files include the Client.msi file and any prerequisite files that
are missing, which this module discussed previously.
• Invokes the startup of the Client.msi file. The Client.msi file installs the Configuration Manager client
software on the client.
CCMSetup copies all of the files that it needs to %systemroot%\CCMSetup, and it creates the
ccmsetup.log file, which is stored in the %systemroot%\CCMSetup\logs folder. Numerous switches are
available for modifying the behavior of CCMSetup.exe, which the following topic discusses.
Client.msi
After CCMSetup installs the prerequisites on the client that you specify, it invokes Client.msi. This
Windows Installer file installs the client on the system.
CCMSetup.msi
The Configuration Manager installation process uses the CCMSetup.msi Windows installer file when using
an AD DS Group Policy to publish or assign the Configuration Manager client to computers. This file is in
the installation directory\bin\i386 folder on the Configuration Manager site server.
Client Assignment
After the client installation is complete, the client is assigned to a site to allow for client management.
Client devices can be assigned to any primary site. However, client devices cannot be assigned to either a
secondary site or a central administration site.
Most clients reside within site-assignment boundary groups and are automatically assigned based on the
boundary definition. You can configure a site in the hierarchy settings as a fallback site. When you do,
a client that is outside the configured boundary groups of all defined sites is assigned to the fallback
site. You also can assign a client to a site through a client.msi option, either directly or
through the Client tab of the Client Push Installation Properties dialog box.
If you do not extend the AD DS schema, you have the following options for site assignment:
• You can specify a site code by using the client.msi property SMSSITECODE=sitecode.
• You can manually assign a group of clients to a site by using Group Policy.
You also can choose to install a client offline and not immediately assign it to a site. However,
Configuration Manager cannot manage a client until it is assigned to a site.
After the client is assigned to a site, the client remains assigned to that site, even if the client changes its
IP address and roams to another site. Under normal circumstances, only an administrator can manually
assign the client to another site.
If the client auto-assignment fails, the client software remains installed, but Configuration Manager does
not manage it until it locates a site. If the client remains unassigned, every time that the CCMExec process
starts, it attempts to perform auto-assignment.
Question: How does the client-deployment process use the management point?
Question: Which executable determines the location of the source files and then downloads them to start
the Configuration Manager client-installation process?
The following list shows a few of the switches that CCMSetup.exe supports. For a complete list of the
available settings, refer to “About Configuration Manager Client Installation Properties” at
http://go.microsoft.com/fwlink/?LinkID=391458.
• /source:Path. Specifies the location to download installation files from. You can use a local or UNC
installation path. Files are downloaded by using the SMB protocol. The Windows user account that you
use for client installation must have Read permissions to the installation location.
• /mp:Computer. Specifies the source management point for downloading installation files. Files are
downloaded over an HTTP or HTTPS connection, depending on the management point configuration for
client connections. This download uses BITS throttling, if you configure it. If you configure the
management point for HTTPS client connections only, you must verify that the client computer has a
valid public key infrastructure (PKI) client certificate.
• /forceinstall. Specifies the uninstallation of any existing client and the installation of a new
client.
Client.msi Properties
You can combine client.msi properties with CCMSetup switches when you perform an installation by using
CCMSetup. You can specify these properties manually or by changing Client Push Installation Properties in
the Configuration Manager console. The following list shows the properties that are used most commonly:
• CCMHOSTNAME. Use for Internet-based clients. Points to the management point that the client will
use.
• SMSCACHESIZE. Use to specify the size, in megabytes (MB), of the local cache that the client uses
when downloading files and packages from a distribution point.
• SMSMP. Use to specify the management point that the client will use.
• SMSSITECODE. Use to specify the site that you will assign the client to.
• FSP. Use to specify the fallback status point that the client will use.
Note: For more information about CCMSetup.exe switches and Client.msi properties, refer
to “About Client Installation Properties in Configuration Manager” at
http://go.microsoft.com/fwlink/?LinkID=391458.
Question: What should you type at a command prompt to install the Configuration Manager client from
a network share, and to specify that the client should use the LON site code and LON-CFG.adatum.com as
the management point after installation?
• Mac OS X 10.7 (Lion): Supported on System Center 2012 Configuration Manager SP1 and newer
versions.
• Mac OS X 10.8 (Mountain Lion): Supported on System Center 2012 Configuration Manager SP1 with
Cumulative Update 1 and newer versions.
Deployment
Configuration Manager client installation and management for Mac computers require the use of PKI
certificates. The Configuration Manager client for Mac computers always performs a certificate revocation
check, and you cannot disable this check. If a Mac computer cannot perform the check, it does not
connect to Configuration Manager site systems.
Mac computers communicate with Configuration Manager site systems as if they were Internet-based
clients. This means that all communication happens by using HTTPS. You must configure management
points and distribution points to support Mac computers.
Features Supported
The Configuration Manager client for Mac supports only three features: hardware inventory, software
deployment, and compliance settings.
Note: Compliance settings use .plist files and shell scripts for remediation.
You must ensure that the operating system and version of your Linux or UNIX implementation support
the universal installer before using it. The following implementations of Linux and UNIX support the
universal agent:
• Red Hat Enterprise Linux (RHEL)
o Version 5, x86
o Version 5, x64
o Version 6, x86
o Version 6, x64
• SUSE Linux Enterprise Server (SLES)
o Version 10 SP1, x86
o Version 10 SP1, x64
o Version 11 SP1, x86
o Version 11 SP1, x64
• CentOS
o Version 5, x86
o Version 5, x64
o Version 6, x86
o Version 6, x64
• Debian
o Version 5, x86
o Version 5, x64
o Version 6, x86
o Version 6, x64
o Version 7, x86
o Version 7, x64
• Ubuntu
o Version 10.4 LTS, x86
o Version 10.4 LTS, x64
o Version 12.4 LTS, x86
o Version 12.4 LTS, x64
• Oracle Linux
o Version 5, x86
o Version 5, x64
o Version 6, x86
o Version 6, x64
Configuration Manager can also manage computers that are running other versions of Linux or UNIX.
However, for those versions, you need a specific installer. The following list shows the installers for each
version:
• AIX
o Version 5.3 (Power): ccm-Aix53ppc.build.tar
o Version 6.1 (Power): ccm-Aix61ppc.build.tar
o Version 7.1 (Power): ccm-Aix71ppc.build.tar
• HP-UX
o Version 11iv2 IA64: ccm-HpuxB.11.23i64.build.tar
o Version 11iv2 PA-RISC: ccm-HpuxB.11.23PA.build.tar
o Version 11iv3 IA64: ccm-HpuxB.11.31i64.build.tar
o Version 11iv3 PA-RISC: ccm-HpuxB.11.31PA.build.tar
• SUSE Linux Enterprise Server (SLES)
o Version 9, x86: ccm-SLES9x86.build.tar
• Solaris
o Version 9 SPARC: ccm-Sol9sparc.build.tar
o Version 10 x86: ccm-Sol10x86.build.tar
o Version 10 SPARC: ccm-Sol10sparc.build.tar
o Version 11 x86: ccm-Sol11x86.build.tar
o Version 11 SPARC: ccm-Sol11sparc.build.tar
• Red Hat Enterprise Linux (RHEL)
o Version 4, x86: ccm-RHEL4x86.build.tar
o Version 4, x64: ccm-RHEL4x64.build.tar
Note: There are external dependencies that you must ensure are met if you want a client to
work on computers that are running Linux or UNIX. For a list of dependencies, refer to “Planning
for Client Deployment for Linux and UNIX Servers” at
http://go.microsoft.com/fwlink/?LinkID=391459.
SHA-256 Support
The Configuration Manager client uses SHA-256 to validate data coming from site systems. Specifically,
SHA-256 validation verifies the site server signature for management points when downloading policies,
and it validates the hash for packages that download from a distribution point. However, some Linux and
UNIX operating systems do not support SHA-256. If you have computers that are running any of the
following operating systems, you must use the ignoreSHA256validation switch during installation:
Deployment
You must deploy the Configuration Manager client on a computer that is running a supported Linux or
UNIX operating system in the same way that you deploy the client on workgroup-based computers. This
means that you must configure a Network Access Account to allow these clients to access resources in the
AD DS domain that is hosting the site systems. You must initiate the installation manually.
Supported Features
The Configuration Manager client for Linux and UNIX supports only two features: hardware inventory and
software deployment.
Lesson 3
Deploying Windows-Based Configuration Manager Clients
To install the Configuration Manager client, the target systems must meet certain prerequisites. Some of
the prerequisites download and install automatically during client setup. However, you must install other
prerequisites manually on the target system before you install the Configuration Manager client.
This lesson discusses how to deploy clients by using the following client-deployment methods:
• Client push
• Group Policy
• Login script
• Manual installation
• Client upgrade
Additionally, this lesson covers installation prerequisites, and the advantages and disadvantages for each
installation method.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the system requirements for installing Configuration Manager clients.
• Group Policy installation. This method uses Group Policy to publish or assign the Configuration
Manager client to computers when the GPO runs on the computer.
• Software update-point installation. You can use this method to publish the Configuration Manager
client installation program (CCMSetup.exe) as a software update to a software update point. This is
useful if your environment uses WSUS, especially if the Windows firewall is enabled but not
configured to support other installation methods.
• Manual installation. This method manually installs the Configuration Manager client software on
computers by using CCMSetup.exe. Use this method if you need to install the client on a small
number of workstations. If the Configuration Manager information publishes to AD DS, and you run
CCMSetup.exe without any command-line parameters, the client-installation process retrieves the
published client-installation parameters from AD DS.
• Logon script installation. This method uses CCMSetup.exe in a logon script to trigger the client
installation. This method ensures that the Configuration Manager client installs on all computers to
which the user has local administrator permissions.
• Upgrade installation (software deployment). You can use this method to upgrade existing client
software on computers to newer Configuration Manager versions.
• Operating-system deployment. When using operating system deployment to deploy a new operating
system, or upgrade an existing one, you include the Configuration Manager client as part of the
operating system deployment process.
• Computer imaging. You can use this method to preinstall the Configuration Manager client software
on a master image computer that builds your organization’s computers.
The following lists outline the advantages and disadvantages for the various client-deployment
methods.
Client push installation
Advantages:
• Using the Client push installation wizard, you can use this method to push to a single computer, a
collection, or to the results from a query.
• Using site-wide client push, you can use this method to install the client automatically on
discovered computers.
• Uses client-installation properties defined on the Installation Properties tab of the Client Push
Installation Properties dialog box.
Disadvantages:
• Can cause high network traffic when pushing to large collections.
• You can use this only on computers that Configuration Manager discovers.
• You must specify a client-push installation account, which has administrative rights to the intended
client computer. If you do not configure an account, Configuration Manager tries to use the site
system’s computer account, which must have administrative rights on the target client.
• You must configure the Windows firewall on client computers and all firewalls between the clients
and site server, with exceptions to allow client-push installation to finish.
Group Policy installation
Advantages:
• Does not require you to discover computers before you can install the client.
• You can use this method for new client installations or for upgrades.
• If you extend the Active Directory schema, computers can read installation properties that publish
to AD DS.
• Does not require administrative rights on client computers.
• Does not require firewall exceptions.
Disadvantages:
• Can cause high network traffic if you are installing a large number of clients.
• If you do not extend the Active Directory schema for Configuration Manager or if the site does not
publish to AD DS, you must use Group Policy to add client-installation properties to computers in
your site.
• Works only for systems that belong to an Active Directory domain.
• Applies Group Policy settings to computers at reboot only, which can delay installation.
Software update-based client installation
Advantages:
• Uses your existing software updates infrastructure to manage the client software.
• Installs the client software automatically on new computers if WSUS is configured correctly.
• Does not require Configuration Manager to discover computers before you can install the client.
• Reads installation properties in AD DS.
• Reinstalls the client software if it is removed.
• Does not require administrative rights on client computers.
• Does not require firewall exceptions.
Disadvantages:
• Requires a WSUS infrastructure that the client systems are currently using.
• Must use the same server for client installation and software updates, and this server must reside
in a primary site.
• If you do not extend the Active Directory schema for Configuration Manager or if the site does not
publish to AD DS, you must use a GPO to add client installation properties to your site’s computers.
Manual installation
Advantages:
• Does not require Configuration Manager to discover computers before you can install the client.
• Can be useful for testing purposes.
• Supports using command-line properties for CCMSetup.
• Allows you to retrieve configuration properties from AD DS.
Disadvantages:
• No automation. Therefore, this can be time-consuming.
• Works only for users who are local administrators.
Logon script installation
Advantages:
• Does not require Configuration Manager to discover computers before you can install the client.
• Supports using command-line properties for CCMSetup.
• Does not require firewall exceptions.
Disadvantages:
• Can cause high network traffic if you are installing a large number of clients over a short period
of time.
• Requires that the logged-on user be a local administrator for the computer.
Upgrade installation (software deployment)
Advantages:
• Can leverage the Configuration Manager features to upgrade clients by collections, at a time that
you specify.
• Supports using command-line properties for CCMSetup.
• Does not require administrative rights on client computers.
• Does not require firewall exceptions.
Disadvantages:
• Can cause high network traffic when distributing the client to large collections.
• You can use this only to upgrade the client software on computers that have been discovered and
assigned to the site.
Operating-system deployment
Advantages:
• Deploys Configuration Manager as part of the image.
• Site assignment is automatic.
• Can use Client.msi options.
Disadvantages:
• Can cause high network traffic if you are deploying a large number of clients over a short period
of time.
• Requires that an operating-system deployment infrastructure be in place.
You can automate the client push installation for the entire site by enabling site-wide client push
installation. Additionally, you can manually initiate this installation for individual systems or for entire
collections by using the Client Push Installation Wizard. The primary difference between the automatic
and manual methods occurs when installation is initiated:
• When you configure automatic push installation, the installation starts as soon as Configuration
Manager discovers a system and the system is placed within a site-assignment boundary group.
• When you configure manual push installation, you decide when and on which systems to install the
client.
Whether you use only one of these methods or both, you must configure certain properties for client
push installation.
When you perform a client push installation, if the site server cannot contact the client computer or start
the setup process, it automatically repeats the installation attempt every hour for up to seven days, until it
succeeds. To help track the client installation process, install a fallback status point site system before you
install clients. Clients that client push installs use the fallback status point automatically.
discovered resource matches the configuration criteria that you established for the client push installation
method, Configuration Manager processes the Client Configuration Request, and starts the client
installation.
You configure automatic client push installation on the General tab of the Client Push Installation
Properties dialog box. After enabling the automatic client push installation, you can choose what types
of systems install automatically. You can configure the following options:
• Enable automatic site-wide client push installation. You can use this check box to enable or disable
automatic client push installation. It includes the following options:
o Servers. This check box allows you to enable or disable automatic push installation to server
systems.
o Workstations. You can use this check box to enable or disable automatic push installation to
workstation systems.
o Configuration Manager site system servers. You can use this check box to enable or disable
automatic push installation to Configuration Manager site system servers.
• Always install the Configuration Manager client on domain controllers. You can use this option to
enable or disable client installation on domain controllers.
• Never install the Configuration Manager client on domain controllers, unless the Client Push
Installation Wizard specifies it. You can use this option to specify that the client installs on
domain controllers only when you use push install and manually specify, during the push install,
that the client can be installed on domain controllers.
Accounts Tab
You can use the Accounts tab to list the accounts that are used to attempt a client push installation. The
installation must use an account with Administrative rights on the client system that you are targeting. If
more than one account is listed, installation is attempted by using each account starting at the top and
working down the list until the installation finishes or until all accounts are tried. If you do not specify at
least one client push-installation account, Configuration Manager tries to use the site system’s computer
account.
Note: The password for the client push-installation account is limited to 38 characters
or less.
After you launch the Install Client Wizard, you have the following options:
• Allow the Client software to be installed on domain controllers. You can use this check box to enable
the push installation to domain controllers.
• Always install the client software. You can use this check box to cause the client software, if it is
present, to be reinstalled, repaired, or upgraded. You also have an option to uninstall any existing
client software before the client is reinstalled.
• Install the client software from a specified site. You can use this check box to specify an alternate site
to use for installing the client software. This does not change the client site assignment.
To successfully use client push to install the Configuration Manager client, you must add the following
exceptions to the Windows Firewall:
• SMB between the site server and client computer. UDP: not applicable; TCP: 445.
• RPC endpoint mapper between the site server and the client computer. UDP: 135; TCP: 135.
• RPC dynamic ports between the site server and the client computer. UDP: not applicable; TCP: dynamic.
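A pre-flight check for the fixed TCP ports listed above, run from the site server before a push so that a blocked exception shows up before the hourly retries start. This is an added example, not part of the course material; the function names and the 3-second timeout are assumptions, and LON-DC1 and LON-CFG are the lab hosts named on this page.

```powershell
# Added example, not part of the course material.
# Run from the site server; target names are the lab hosts used on this page.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000            # assumption: 3 seconds per probe
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false                 # no answer in time: typically filtered
        }
        $client.EndConnect($pending)      # throws if the connection was refused
        return $true
    }
    catch   { return $false }             # refused, unreachable, or name not resolved
    finally { $client.Close() }
}

function Test-ClientPushPorts {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    # Fixed TCP ports from the list above. The RPC dynamic range has no single
    # port to probe, so a pass here does not prove that exception is in place.
    $required = @(
        @{ Service = 'SMB';                 Port = 445 },
        @{ Service = 'RPC endpoint mapper'; Port = 135 }
    )

    foreach ($computer in $ComputerName) {
        $blocked = @()
        foreach ($item in $required) {
            if (-not (Test-TcpPort -ComputerName $computer -Port $item.Port)) {
                $blocked += "$($item.Service) (TCP $($item.Port))"
            }
        }
        [pscustomobject]@{
            ComputerName = $computer
            ReadyForPush = ($blocked.Count -eq 0)
            Blocked      = $blocked -join ', '
        }
    }
}

Test-ClientPushPorts -ComputerName 'LON-DC1', 'LON-CFG' | Format-Table -AutoSize
```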
• If a client system has a previous version of the Configuration Manager client installed and is using the
software update point, you do not need to do additional configuration.
• If a client system does not have the Configuration Manager client installed, you must configure and
assign a GPO in AD DS. This GPO specifies the WSUS server that you configure as a software update
point from which the computer obtains software updates.
• The software update method uses the configuration information that is published in AD DS, if
available. If no configuration information is published, you should create a GPO by using the
ConfigMgrInstallation.adm template to provide client installation settings for your site’s computers.
Use the Software Update-Based Client Installation dialog box to publish the Configuration Manager
client-installation program (CCMSetup.exe) to a software update point as an additional software update.
To access the dialog box, navigate to the Administration workspace, expand Site Configuration, click Sites,
click a site in the results pane, on the ribbon in the Settings group click Client Installation Settings, and
then click Software-Update Based Client Installation.
When you use this installation method, the client is installed during the next software update cycle on the
target computers.
• HTTP from the client computer to a fallback status point. UDP: not applicable; TCP: 80.
• HTTP from the client computer to the software update point. UDP: not applicable; TCP: 80 or 8530.
• HTTPS from the client computer to the software update point. UDP: not applicable; TCP: 443 or 8531.
Question: What are some of the benefits of using the software update-point installation method?
Demonstration Steps
1. Create a GPO named CMClientInstall that is linked to the Adatum.com domain.
When you finish the demo, revert the virtual machines to their initial state. To do this, complete the
following steps:
• You should extend the AD DS schema to support Configuration Manager and ensure that the site is
publishing to AD DS. This ensures that all Group Policy-based clients find the installation properties
that are published to AD DS from the client push-installation properties when you install the
Configuration Manager client. Additionally, if you later change settings, such as ports, clients
update when they perform AD DS lookups for Configuration Manager systems.
There are two Group Policy administrative templates on the Configuration Manager installation media
located in TOOLS\ConfigMgrADMTemplates: ConfigMgrInstallation.adm and ConfigMgrAssignment.adm.
The ConfigMgrInstallation.adm template provides installation properties to client computers, including
the site code needed for site assignment.
Group Policy provides the following option for deploying software to network clients:
• Assign. You can assign the CCMSetup.msi file, which means that the Configuration Manager client
installs when you start the computer after the policy has been applied.
To use Group Policy to install the Configuration Manager client, you must add the following File and
Printer Sharing exception to Windows Firewall.
Group Policy installation uses the ports that the following list shows.
• HTTPS from the client computer to an Internet-capable management point. UDP: not applicable; TCP: 443.
• SMB between the source server and client computer if you specify an alternate source server with
CCMSetup using /source:<Path>. UDP: not applicable; TCP: 445.
Question: Why would you want to assign the Configuration Manager client to a computer through a
GPO?
Question: When do you need to provision the client installation properties in AD DS by using Group
Policy?
CCMSetup.exe is in the <Configuration Manager installation location>\Client folder on the site server,
which is also shared as \\<site server name>\SMS_<site code>\Client.
You can specify command-line properties for both CCMSetup.exe and Client.msi to modify this client
installation’s behavior. Consider the following command-line example:
In the previous example, the client installation uses the properties in the following list:
• /mp:MP01.ADATUM.COM. Specifies the management point, MP01, from which to download the necessary
client installation files.
• SMSSITECODE=AUTO. Specifies that the client should use AD DS or the management point to determine
the Configuration Manager site code to use.
• FSP=FP01.ADATUM.COM. Specifies that the fallback status point named FP01 receives state messages
sent from the client computer related to client deployment, and is the daily management point check.
Note: For a full list of properties that you can use with CCMSetup.exe, refer to “About
Configuration Manager Client Installation Properties” at
http://go.microsoft.com/fwlink/?LinkID=247706.
The logon script-based installation method is a manual method that uses the /logon command-line
switch and that launches from a script. When you specify the /logon installation property for
CCMSetup.exe, client installation does not occur if any version of the client already exists on the
computer. This prevents the client’s reinstallation each time the logon script runs.
Logon script installation uses the same methods as manual client installation. Therefore, you can use the
same command-line switches for logon script-based installations. It also means that the user running the
logon script requires administrative rights. For example, you could modify the preceding command-line
example as shown in the following example to use it in a logon script:
When CCMSetup.exe runs, it copies all necessary installation prerequisites to the client computer, and calls
the Windows Installer package (Client.msi) to perform the client installation. You cannot perform the
installation by directly invoking the Client.msi installation file.
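The manual and logon-script installations described above, together with the CCMSetup switches and Client.msi properties listed earlier in this lesson, assembled and checked in PowerShell. This is an added example, not the course's own command line; the function names, the 30-minute timeout and the log line matched on exit are assumptions, and the host names are the fictitious ADATUM servers from the property list.

```powershell
# Added example, not part of the course material.
# Builds a CCMSetup.exe argument list from the switches and properties on this
# page, runs it, and reports what ccmsetup.log and the agent service show.

function New-CcmSetupArgumentList {
    [CmdletBinding()]
    param(
        [string]$ManagementPoint,          # /mp:      download over HTTP or HTTPS
        [string]$SourcePath,               # /source:  download over SMB (local or UNC path)
        [switch]$Logon,                    # /logon:   do nothing if any client version exists
        [switch]$ForceInstall,             # /forceinstall: remove the existing client first
        [ValidatePattern('^(AUTO|[A-Za-z0-9]{3})$')]
        [string]$SiteCode,                 # SMSSITECODE: three-character code or AUTO
        [string]$AssignedManagementPoint,  # SMSMP
        [string]$FallbackStatusPoint,      # FSP
        [int]$CacheSizeMB                  # SMSCACHESIZE, in megabytes
    )
    if ($Logon -and $ForceInstall) {
        throw '/logon skips computers that already have a client; /forceinstall replaces it. Choose one.'
    }
    # CCMSetup switches (the "/" options) go first, Client.msi properties after them.
    $switches = @()
    if ($ManagementPoint) { $switches += "/mp:$ManagementPoint" }
    if ($SourcePath)      { $switches += "/source:`"$SourcePath`"" }
    if ($Logon)           { $switches += '/logon' }
    if ($ForceInstall)    { $switches += '/forceinstall' }

    $properties = @()
    if ($SiteCode)                { $properties += "SMSSITECODE=$($SiteCode.ToUpper())" }
    if ($AssignedManagementPoint) { $properties += "SMSMP=$AssignedManagementPoint" }
    if ($FallbackStatusPoint)     { $properties += "FSP=$FallbackStatusPoint" }
    if ($PSBoundParameters.ContainsKey('CacheSizeMB')) {
        if ($CacheSizeMB -lt 1) { throw 'SMSCACHESIZE must be a positive number of megabytes.' }
        $properties += "SMSCACHESIZE=$CacheSizeMB"
    }
    return @($switches + $properties)
}

function Invoke-CcmSetup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$SetupPath,   # full path to CCMSetup.exe
        [string[]]$ArgumentList = @(),
        [int]$TimeoutMinutes = 30                           # assumption: adjust to your network
    )
    # Manual and logon-script installation both need a local administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'CCMSetup needs local administrator rights on this computer.'
    }
    if (-not (Test-Path -LiteralPath $SetupPath)) { throw "CCMSetup.exe not found at $SetupPath" }

    $log     = Join-Path $env:SystemRoot 'ccmsetup\Logs\ccmsetup.log'
    # Assumption: the line CCMSetup writes when it finishes; adjust to what your log shows.
    $pattern = 'CcmSetup is exiting with return code (\d+)'
    $before  = 0
    if (Test-Path $log) { $before = @(Select-String -Path $log -Pattern $pattern).Count }

    $startArgs = @{ FilePath = $SetupPath; Wait = $true }
    if ($ArgumentList.Count -gt 0) { $startArgs.ArgumentList = $ArgumentList }
    Start-Process @startArgs

    # The work may continue after the launching process returns, so wait for a
    # new exit line in the log rather than trusting the process exit alone.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $exitLine = $null
    while (-not $exitLine -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
        if (Test-Path $log) {
            $hits = @(Select-String -Path $log -Pattern $pattern)
            if ($hits.Count -ne $before) { $exitLine = $hits[-1] }
        }
    }

    $service = Get-Service -Name CcmExec -ErrorAction SilentlyContinue   # SMS Agent Host
    [pscustomobject]@{
        ReturnCode   = if ($exitLine) { [int]$exitLine.Matches[0].Groups[1].Value } else { $null }
        AgentService = if ($service) { $service.Status } else { 'NotInstalled' }
        Log          = $log
    }
}

# Manual installation with the values from the property list above.
$manual = New-CcmSetupArgumentList -ManagementPoint 'MP01.ADATUM.COM' -SiteCode 'AUTO' `
    -FallbackStatusPoint 'FP01.ADATUM.COM'
# The same installation for a logon script: /logon leaves existing clients alone.
$logon = New-CcmSetupArgumentList -Logon -ManagementPoint 'MP01.ADATUM.COM' -SiteCode 'AUTO' `
    -FallbackStatusPoint 'FP01.ADATUM.COM'

"CCMSetup.exe $($manual -join ' ')"
"CCMSetup.exe $($logon -join ' ')"

# To install, pass one of the lists to Invoke-CcmSetup with the real share path:
# Invoke-CcmSetup -SetupPath '\\<site server name>\SMS_<site code>\Client\ccmsetup.exe' -ArgumentList $manual
```

A null ReturnCode means no new exit line appeared in ccmsetup.log before the timeout; read the log itself before retrying.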
Operating-System Deployment
As part of an operating-system deployment task sequence, the Configuration Manager client installs.
To prepare the reference computer for imaging, complete the following steps:
1. Manually install the Configuration Manager client software on the reference system computer in an
isolated network segment, so that automatic site assignment does not occur. Do not specify the
client’s site code in the CCMSetup.exe command-line properties.
2. Ensure that the SMS Agent Host service (CCMExec.exe) is not running on the reference computer, by
typing net stop ccmexec at a command prompt and then pressing Enter.
4. If you plan to install the clients in a Configuration Manager hierarchy different from the master image
computer, remove the Trusted Root Key from the master image computer.
5. Run sysprep.exe on the reference computer, and use your imaging software to capture the reference
system computer’s image.
Note: Failure to follow this procedure results in duplicate Configuration Manager unique
IDs on clients and, thus, clients missing from the Configuration Manager database.
Question: How would you install the Configuration Manager client on computers for remote workers?
Question: Do you have workers who infrequently visit an office? If so, how would you deploy clients to
their systems?
Question: Are you going to deploy clients to the servers in your data center? If yes, what method will you
use?
Question: Are there systems on which you do not want to install the client?
Objectives
In this lab, you will:
Lab Setup
Estimated Time: 45 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
• Password: Pa$$w0rd
• Domain: Adatum
3. In the results pane, access the properties for Active Directory System Discovery. In the Active
Directory System Discovery Properties dialog box, use the following settings to configure System
Discovery, and then click OK:
o At the General tab, click Enable Active Directory System Discovery, and then click New.
o In the Active Directory Container dialog box, browse to click the Adatum domain, and then
close the dialog box.
o At the General tab, click Enable Active Directory User Discovery, and then click New.
o In the Active Directory Container dialog box, browse to click the Adatum domain, and then
close the dialog box.
o At the General tab, click Enable Active Directory Group Discovery, click Add, and then click
Location.
o In the Add Active Directory Location dialog box, in the Name box, type Adatum domain, and
then browse to click the Adatum domain. Close the dialog box.
Task 4: Verify that the discovered computers appear in the All Systems collection and
are assigned to the site correctly
1. In the Configuration Manager console, click the Assets and Compliance workspace, and then click
the Device Collections node.
2. Click the All Systems collection, and then on the ribbon, click the Show Members button.
3. A new node called All Systems appears in the navigation pane, under the Devices node. In the
results pane, observe the systems that are members of the All Systems collection and their assigned
site. On the Site Code column, you should see S01 for most systems.
Results: At the end of this exercise, you should have configured the Active Directory discovery methods.
2. In the Active Directory Users and Computers console, in the Users container, create a new user
account with the following settings:
o In the First name and User logon name text boxes, type ConfigMgrClientPush.
o Select the User cannot change password and Password never expires check boxes.
3. In the Active Directory Users and Computers console, access the Properties of the
ConfigMgrClientPush user account, and then add the user to the Domain Admins group.
2. Right-click S01 – Adatum Site, click Client Installation Settings, and then click Client Push
Installation.
3. In the Client Push Installation Properties dialog box, use the following settings to configure the
client push installation method:
o At the Accounts tab, click the New button, and then click New Account.
o In the Windows User Account dialog box, click the Browse button.
o In the Select User dialog box, type ConfigMgrClientPush, click the Check Names button, and
then close the dialog box.
o In the Windows User Account dialog box, in both the Password and Confirm password boxes,
type Pa$$w0rd and then click Verify. The Windows User Account dialog box expands.
o In the Windows User Account dialog box, in the Network Share box, type \\LON-DC1\C$, and
then click Test connection. Close the dialog box.
o In the Client Push Installation Properties dialog box, at the Installation Properties tab, in the
Installation properties box, after the text SMSSITECODE=S01 type a space, and then type
FSP=LON-CFG.adatum.com.
3. The Install Configuration Manager Client Wizard starts. Use the following settings to install the client
on LON-CFG:
o On the Installation Options page, check the Install the client software from a specified site
box, and then verify that S01 – Adatum Site appears in the Site list.
4. In the results pane, right-click LON-DC1, and then click Install Client.
5. The Install Configuration Manager Client Wizard starts. Use the following settings to install the client
on LON-DC1:
o On the Installation Options page, check the Allow the client software to be installed on
domain controllers box.
o On the Components tab, verify the status of the agents: some of the agents should have the
Status of Installed.
o On the Actions tab, in the Actions list, click Machine Policy Retrieval & Evaluation Cycle, and
then click Run Now. This initiates the connection of the Configuration Manager client to the
management point.
Note: When the Configuration Manager client is running inside a virtual machine, it uses
randomization for the initial time interval of connection to the management point. Manually
running the Machine Policy Retrieval & Evaluation Cycle helps ensure that all components are
updated, as necessary.
Results: At the end of this exercise, you should have started the installation of the Configuration Manager
client by using the client push installation method.
3. Import CCMSetup.msi, and then deploy the Configuration Manager client by using Group Policy.
4. Verify client installation.
o State: Enabled
Task 3: Import CCMSetup.msi, and then deploy the Configuration Manager client by
using Group Policy
1. Create a share on LON-DC1 with the following settings:
o Folder: C:\SCCMClient
o Share: SCCMClient
3. Create a new software installation package in the SCCM Client Install GPO with the following
settings:
o Username: ADATUM\Administrator
o Password: Pa$$w0rd
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for the following virtual machines:
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
Results: At the end of this exercise, you should have installed the Configuration Manager client by using a
GPO.
Question: What are the prerequisites for installing clients by using client push?
Lesson 4
Managing Configuration Manager Clients
After installing the Configuration Manager client, you can begin managing the computer systems in the
site. You can perform several tasks for the client systems from within the Configuration Manager console.
Additionally, you can configure the client settings to control how the client behaves, both by default and
by collection.
Lesson Objectives
After completing this lesson, you will be able to:
• Reassign clients.
• Use certificate profiles.
Managing Clients
When Configuration Manager discovers a
system, it displays in the Assets and Compliance
workspace in the Devices node. You can also add
the systems to collections. The All Systems and
All Desktop and Server Clients collections in the
Device Collections node populate automatically.
No significant client management can take place
until after you install the Configuration Manager
client. When you select a device or collection
that contains devices with the Configuration
Manager client installed, you can select various
management operations. Additionally, there are
management tasks that involve other workspaces in the console, such as client settings, which the next
topic discusses. There are also some tasks that do not use the Configuration Manager console.
• Start Remote Control, Remote Assistance, or Remote Desktop for the device.
Before you perform collection-level client management tasks, consider how many devices are in the
collection, whether they are connected by low-bandwidth network connections, and how long the task
will take to complete for all the devices. When you perform a client management task, you cannot stop it
from the console.
Management tasks for collections are performed in the Device Collections node. From the Device
Collections node, you can perform the following actions, per collection:
• View collection members.
• Copy a collection.
• Simulate a deployment.
• Deploy applications.
• Move a collection.
• Change the client cache configuration. An administrator can do this from the Configuration Manager
properties on the client itself.
• Uninstall the client. You can do this from the client or from the console.
• Manage conflicting records. This typically occurs automatically. However, if Configuration Manager
cannot resolve the conflict, it uses a hierarchy setting that either merges the records automatically when it
detects duplicate hardware IDs (the default setting) or allows you to decide when to merge, block, or
create new client records. If you decide to manually manage duplicate records, you must manually
resolve the conflicting records by using the Configuration Manager console.
• Initiate a policy retrieval cycle. You can do this from the client or from the console.
• Background Intelligent Transfer. You can specify whether to use BITS and schedule times for
throttling.
• Client Policy. You can specify the schedule for retrieving policies.
• Compliance Settings. Allows you to enable compliance settings for clients, and schedule evaluation.
• Computer Agent. Allows you to configure general client settings, such as notification for application
deployments, and Windows PowerShell® execution policy.
• Computer Restart. Allows you to configure user notifications to be displayed when the device is about
to be restarted by Configuration Manager.
• Power Management. Allows you to configure Power Management profiles for client devices.
• Remote Tools. Allows you to configure remote tools, remote assistance, and remote-desktop settings.
• Software Updates. Allows you to schedule update cycles, and other update settings.
• State Messaging. Allows you to configure the frequency for sending status messages to the server.
• User and Device Affinity. Allows you to configure whether users can change their affinity settings.
Question: How do you configure classes so that the hardware inventory collects them?
Client Reassignment
Configuration Manager clients are always
assigned to a primary site. However, a
Configuration Manager hierarchy can consist of
several primary sites. Usually, a primary site links
to a physical location or to a collection of physical
locations. For example, a company may have
operations in several countries in North America,
Europe, and South America. In its System Center
2012 Configuration Manager hierarchy, it may
create an individual primary site for each country.
In environments like this, you need to consider
what happens as computers move from one
physical location to another, and consequently, move from one primary site to another. There are two
ways to classify these moves: roaming or reassignment.
Roaming
After the Configuration Manager client installs, the client is assigned to a site. Even if the assignment
occurs automatically, based on boundaries, the actual assignment does not change after installation.
Therefore, even in a scenario where users travel with their laptops between locations, and connect from
different boundaries that belong to different primary sites, the computers remain assigned to their
original site.
Usually, when a client starts, it requests a list of management points for its site. This process repeats every
25 hours and any time the computer receives a new IP address. When a client receives an IP address that
is not within the boundary of its assigned site, the client is roaming. If the client detects that its IP address
is within the boundary of a secondary site, the client connects to the management point for the secondary
site. This enables it to avoid using a potentially slow connection to the primary site. However, if the client
is roaming to a different primary site or to a secondary site for another primary site, the client connects to
a management point for its assigned site to retrieve policies and upload data.
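The management point choice described above, modelled as an added example (not code from the course or from Configuration Manager). The site codes S1A, S02 and S2A, the subnets, and the handling of an address outside every boundary are assumptions made for the illustration.

```python
"""Model of the roaming rules for Configuration Manager clients (added example).

Site codes other than S01, the subnets and the hierarchy are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Site:
    code: str
    kind: str               # "primary" or "secondary"
    parent: Optional[str]   # parent primary site code (secondary sites only)


# Constructed hierarchy: two primary sites, each with one secondary site.
SITES = {
    "S01": Site("S01", "primary", None),
    "S1A": Site("S1A", "secondary", "S01"),
    "S02": Site("S02", "primary", None),
    "S2A": Site("S2A", "secondary", "S02"),
}

# Constructed IP subnet boundaries, assumed not to overlap.
BOUNDARIES = [
    (ip_network("10.10.0.0/16"), "S01"),
    (ip_network("10.11.0.0/16"), "S1A"),
    (ip_network("10.20.0.0/16"), "S02"),
    (ip_network("10.21.0.0/16"), "S2A"),
]


@dataclass(frozen=True)
class Decision:
    roaming: bool
    management_point_site: str
    reason: str


def site_for_ip(ip: str) -> Optional[str]:
    """Return the site whose boundary contains ip, or None if no boundary matches."""
    addr = ip_address(ip)
    for network, code in BOUNDARIES:
        if addr in network:
            return code
    return None


def choose_management_point(assigned_site: str, ip: str) -> Decision:
    """Apply the roaming rules to a client with a fixed site assignment."""
    if SITES[assigned_site].kind != "primary":
        raise ValueError("clients are always assigned to a primary site")

    current = site_for_ip(ip)
    if current == assigned_site:
        return Decision(False, assigned_site, "address is inside the assigned site's boundary")

    if current is not None:
        here = SITES[current]
        if here.kind == "secondary" and here.parent == assigned_site:
            # Secondary site of the assigned primary: use the local management point.
            return Decision(True, current, "secondary site of the assigned primary site")
        # Another primary site, or a secondary site of another primary site.
        return Decision(True, assigned_site, "roaming in another primary site's hierarchy")

    # Assumption: an address outside every boundary is handled like any other
    # roaming case that has no local management point for the assigned site.
    return Decision(True, assigned_site, "address is outside every known boundary")


if __name__ == "__main__":
    for sample_ip in ("10.10.5.20", "10.11.3.4", "10.20.1.1", "10.21.1.1", "192.168.1.10"):
        d = choose_management_point("S01", sample_ip)
        print(f"{sample_ip:>13}  roaming={d.roaming!s:<5}  MP site={d.management_point_site}  ({d.reason})")
```

The site assignment never changes in any branch: only the management point that the client contacts differs, which is why a permanent move needs the reassignment procedures that follow.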
Client Reassignment
In larger organizations that have multiple primary sites, there are always clients that roam from one site
to another. However, sometimes a client actually is moving permanently from one physical location to
another. In this scenario, you should reassign the client to the new site. There are three ways to reassign a
client: reinstall the client, manually reassign the client, and use a GPO.
client, or a very small number of clients, because it does not require you to force an install. However, you
still need to identify the computers that need reassignment, because you need to connect to them locally.
Additionally, you must use a local administrator account on the computers to make the change. To
reassign a computer to a new site, follow this procedure:
1. Log on to the computer by using an account that has local administrator permissions.
a. Type the site code in the Currently assigned to site code box.
5. Click OK.
Use a GPO
You can also reassign clients to a site by using a GPO. Microsoft provides an administrative template
named configmgrassignment.adm, which you can use to assign clients to a site. Be aware that if you
choose this option, all computers that have the GPO applied to them will be reassigned to the site that
the GPO specifies. To assign a client by using a GPO, follow this procedure:
1. Create a new GPO.
b. In the Assigned Site textbox, type the site code that you want to assign the clients to.
c. In the Site Assignment Retry Interval (Mins) numeric textbox, specify how frequently the client
will start a reassignment process.
d. In the Site Assignment Retry Duration (Hours) numeric box, type how long the client will keep
trying to reassign itself before failing.
4. Link the GPO to the domain or OU that contains the computer accounts for the systems that you
want to reassign.
The main advantage of this process is that you do not need to identify each individual computer that
you need to reassign. This also reassigns computers for which the computer account has moved from
one OU or site to another due to physical relocation. However, if you are linking the OU to sites, you may
incorrectly reassign computers that are simply roaming.
To provide certificates for managed clients, you must install a certificate registration point, and you must
install the Configuration Manager Policy Module on a server running Windows Server 2012 R2 with the
Active Directory Certificate Services and the Network Device Enrollment service roles installed.
Supported Clients
Configuration Manager supports the deployment of certificates to devices that are running one of the
following operating systems:
• Windows RT 8.1
• Windows 8.1
• Android
• iOS
• Trusted CA certificate. You can use this certificate profile to deploy a trusted root CA or intermediate
CA certificates to devices. You can use trusted root CA and intermediate CA certificates to establish a
chain of trust for server authentication.
1. Install the Network Device Enrollment Service (NDES) on a computer that is running Windows Server
2012 R2.
Note: For detailed information about how to install NDES, refer to “Network Device
Enrollment Service Guidance” at http://go.microsoft.com/fwlink/?LinkID=391461.
2. Modify the certificate template permissions for the certificates that you intend to enroll for by using
certificate profiles, as follows:
o Add Read permission to the accounts that run the Configuration Manager console.
o Add Read and Enroll permission to the account that the NDES application pool uses.
Note: For detailed information about how to deploy certificate templates, refer to “Deploy
Client Computer Certificates” at http://go.microsoft.com/fwlink/?LinkID=391463.
3. Deploy a web server PKI certificate to the server that is running NDES.
Note: For detailed information about how to deploy a web server certificate
for the NDES server, refer to “Deploying the Client Certificate for Distribution Points” at
http://go.microsoft.com/fwlink/?LinkID=391467. The content targets Windows Server 2008
computers, but it works in the same manner for Windows Server 2012 R2.
4. Export the root CA certificate to a .cer file. You will need this file later when you configure the site
system role for the certificate registration point.
5. On the NDES server, change the following registry values in the
HKEY_LOCAL_MACHINE\CurrentControlSet\Services\HTTP\Parameters key:
o MaxFieldLength. Use the maximum value for this parameter, which is 65534.
o MaxRequestBytes. Use the maximum value for this parameter, which is 16777216.
6. On the NDES server, in Internet Information Services (IIS) Manager, configure the request-filtering
settings for the /certsrv/mscep application by specifying the following values in the Edit Request
Filtering Settings dialog box:
Note: You need to restart IIS for these settings to take effect.
7. Install and configure the site system role for the certificate registration point on a server in the primary
site or the central administration site. You need the URL for the NDES web application and the .cer file
for the root CA that you exported earlier. The URL for the NDES application typically is
https://computer/certsrv/mscep/mscep.dll.
8. Copy the PolicyModule.msi and PolicyModuleSetup.exe files from
ConfigMgrInstallationMedia\SMSSETUP\POLICYMODULE\X64 to the NDES server, and then run PolicyModuleSetup.exe to
install the System Center Policy Module. You need to specify the URL for the certificate registration
point during the setup, which typically is https://serverh/CMCertificateRegistration, and the
certificate that you deployed in step 3 above, along with the root CA certificate that you exported to
a .cer file.
Note: For detailed information about how to set up certificate profiles, refer to
“Configuring Certificate Profiles in Configuration Manager” at
http://go.microsoft.com/fwlink/?LinkID=391469.
1. From the Configuration Manager console, in the Assets and Compliance workspace, expand
Compliance Settings, expand Company Resource Access, and then click Certificate Profiles.
2. Right-click Certificate Profiles, and then click Create Certificate Profile.
3. In the Create Certificate Profile Wizard, on the General page, in the Name box, type a name for the
profile.
4. Click Trusted CA certificate, and then click Next.
5. On the Configure a trusted CA certificate page, click the Import button to locate the .cer file that
you created initially for the root CA or an intermediate CA, and then click OK.
6. Click the appropriate Destination store based on the type of certificate that you selected in step 5
above, and where the certificate should be stored (user certificate store, or computer certificate store),
and then click Next.
7. On the Supported Platforms page, click the type of devices that can use the profile, and then click
Next.
8. On the Summary page, click Finish, and then on the Completion page, click Close.
9. Right-click the certificate profile you just created, and then click Deploy.
10. In the Deploy Certificate Profile dialog box, click Browse, click the collection for deployment, and
then click OK.
11. Click Generate an alert to generate an alert if the certificate profile compliance is less than a given
percentage after a specified time.
12. Specify the schedule for the compliance setting, and then click OK.
Lesson 5
Monitoring Client Status in Configuration Manager
Client Health is a feature that Configuration Manager introduces. Administrators can use Client Health to
determine the overall health status of clients and to identify individual client issues, such as missing
prerequisites, WMI issues, and clients that are not functioning.
Client Health builds on the Client Status Reporting feature included in Configuration Manager 2007, by
offering client status monitoring and automatic remediation for client issues.
Lesson Objectives
After completing this lesson, you will be able to:
From the perspective of Configuration Manager, an active client is healthy when it connects to
management points to download policies and upload data, such as hardware and software inventory.
However, whether a client is active might not adequately explain its health. To get an accurate
determination of the client’s health, the client must perform several additional local checks.
If a client is inactive, it might be because it has been powered off for an extended period, or because
the Configuration Manager client is uninstalled or is not functioning. When the client is inactive, the site
systems cannot evaluate the client’s health status because the client is not connecting to the management
point. The only way to evaluate the client’s health is to perform validation checks directly on the client
computer to determine that:
The Configuration Manager client runs a scheduled task to evaluate its client health status, and then sends
the evaluation results to the site as a state message to the management point. If there is any change in
the evaluation result since the most recent state message, the health status is sent back by using a state
message. By default, the task runs between midnight and 1:00 A.M.
Similar to the initial installation process, if the client fails to send its state message to a management
point, it then sends the state message to a fallback status point, if one exists in your hierarchy. If a fallback
status point is not installed in your hierarchy, the site server might not receive some evaluation results.
The site server summarizes the client health-evaluation results and activities, and then displays these in
the Configuration Manager console, in the Client Status folder located in the Monitoring workspace.
The following items are new or have changed for client status reporting (now Client Status) since
Configuration Manager 2007 Client Status Reporting:
• Client health and client activity information are integrated into the Configuration Manager console.
• Configuration Manager automatically remediates typical client problems that reporting detects.
• Configuration Manager does not use the Ping tool from Configuration Manager 2007 R2 Client Status
Reporting.
When you click the Client Status node, the results pane displays a dashboard that shows a summary of
the Client Activity and Client Check nodes. The information available is organized differently than in either
the Client Activity or Client Check nodes, because it displays results that are based on both monitors. The
following links are available in the Client Status dashboard:
• Active clients that passed client check or no results
Note: By default, client status information is updated once a day. You can modify this
interval in the Schedule Client Status Update dialog box or force summarization on demand.
Question: What are some of the causes of an unhealthy and active client?
Question: How does Client Status improve client monitoring compared with previous Configuration
Manager versions?
To view the client health rules that the Client Health evaluator engine is using, you can look in the
client location\ccmeval.xml file. However, you cannot make changes to this file.
If the computer is not running when the scheduled Configuration Manager Health Evaluation task is due
to run, the task runs automatically as soon as possible, such as when the operating system is loaded or is
brought out of sleep mode.
The following table lists the health evaluation rules and remediation actions.
Automatic remediation might not be desirable on all systems, such as for mission-critical servers where
the remediation activities might be disruptive. By installing the Configuration Manager client with the
client.msi property NotifyOnly=True or by changing the
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval\NotifyOnly registry value to True, you can disable
automatic remediation.
Retain client status history for the following number of days: 31 days
You can use the Configuration Manager console to view interactions between the client and the
management system, which helps the administrator distinguish between unhealthy clients and clients that
are offline. Configuration Manager retrieves information from AD DS to identify the inactive clients based
on the LastLogonTimeStamp.
When you click the Client Activity node, the results pane divides into two sections that show information
based on the client activity monitors that you configure, including:
• Client activity for all devices. Displays a chart showing active computers, inactive computers, and
computers with no Configuration Manager client installed. Click a section of the pie chart to create a
sticky node that shows a list of computers with the status that you select. You can view activity detail
for each of the node’s clients to determine their displayed status.
• Client activity trend for all devices. Displays a graph showing client activity over a specified period.
You can configure the time period that you want to view from five to 90 days from the Client activity
period drop-down list.
• Client check trend for all active clients displays a graph showing client computers that passed client
check over a specified period. You can configure the time (from five to 90 days) that you want to view
from the Client activity period drop-down list.
Report | Description
Client Remediation Details | This report provides client remediation details for a given collection.
Client Remediation Summary | This report provides remediation summary information for a given collection.
Client Status History | This report provides a historical view of the overall client status in the environment.
Client Status Summary | This report provides administrators with the current percentages of healthy and active clients for a given collection.
Client Time to Request Policy | This report shows the percentage of clients that have requested policy at least once in the last 30 days. Each day represents a percentage of the total clients that have requested policy since Day 1 in the cycle. This information is useful to help determine the time it takes to distribute a policy update to your client population. Client deployments or changes in client count can affect the accuracy of the report.
Clients with Failed Client Check Details | This report displays details about clients that failed client check for a specified collection.
Inactive Clients Details | This report provides a detailed list of inactive clients for a given collection.
Question: Which reports can you use to view information about client status?
Question: In what situation would you need to provision client properties by using Group
Policy?
Question: In what situation would you need to configure DNS for locating site systems?
Question: What is the difference between an inactive client and an unhealthy client?
Module 7
Configuring Internet and Cloud-Based Client Management
Contents:
Module Overview
Module Overview
In an increasing number of organizations, direct connections between workers’ computers and the
organizational network are becoming rare. Workers are either bringing their own devices (BYOD) or using
devices that the organization provides, such as laptop computers and tablets. They use these devices at
home, in coffee shops, or in other remote locations. The cloud management functionality of Microsoft®
System Center 2012 R2 Configuration Manager allows you to support and manage the increasing number
of clients that perform organizational tasks in locations far from organizational networks.
Objectives
After completing this module, students will be able to:
Lesson 1
Managing Remote Clients by Using System Center 2012
R2 Configuration Manager
You can use System Center 2012 R2 Configuration Manager to manage clients that can connect to the
Internet from outside the organizational network. By using Configuration Manager, you can manage a
variety of remote clients, including those that make connections by using technologies such as a virtual
private network (VPN) or DirectAccess. You can also allow mobile devices and Internet-connected
computers to be managed by integrating Configuration Manager with a Windows Intune™ subscription.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the methods used to provide local area network (LAN) connections for remote clients.
This change in work habits presents challenges when you are trying to perform configuration
management tasks by using System Center 2012 R2 Configuration Manager. It is far simpler to manage
a desktop computer connected to a wired network in your organization’s office than it is to manage a
roaming laptop computer.
When managing remote clients, a Configuration Manager administrator faces these challenges:
• Heartbeat issues. You may find it difficult to determine whether a client is still active. When a client
connected to an internal network is not active for 60 days, it is considered no longer active. When a
remote client is not active for 60 days, that determination is harder to make.
• Software updates. You may find it difficult to determine if the client is up-to-date and has installed
the most recent software updates.
• Software deployment. It is challenging to deploy large applications and packages to clients that
connect infrequently. Therefore, remote clients may be running older software than other clients in
the organization.
• Inventory collection. You may find it difficult to determine whether hardware and software
configuration information is current. Remote clients may return data infrequently to the
Configuration Manager organization.
• Internet Key Exchange version 2 (IKEv2). This protocol supports VPN reconnect, which allows a
VPN connection to be reestablished automatically after a disruption that lasts up to eight hours.
Reconnections can also occur when Internet connections are switched, such as when a user switches
from connecting through a mobile broadband device to using a coffee shop’s free Wi-Fi.
• Layer Two Tunneling Protocol/Internet Protocol Security (L2TP/IPsec). L2TP/IPsec uses IPsec for
transport encryption. L2TP/IPsec requires a public key infrastructure (PKI) deployment.
• Point-to-Point Tunneling Protocol (PPTP). A large number of vendors support this older protocol, but
it is not as secure as newer protocols such as L2TP/IPsec.
• Secure Socket Tunneling Protocol (SSTP). This protocol tunnels the VPN connection over HTTPS. The
benefit of this technology is that while some public Internet connections block VPN protocols like
L2TP/IPsec and PPTP, they rarely block port 443 used by HTTPS, because this would also block secure
web browsing.
Windows-based clients may also use third-party VPN server solutions that support all or some of the
VPN protocols listed above. Users can initiate remote access connections by using a VPN even when their
computers are not members of an AD DS domain. A substantial disadvantage of VPN technologies is that
they require the user to initiate the VPN connection and perform authentication.
You can use a Windows Intune subscription to manage remote clients without integrating Windows
Intune with Configuration Manager. A managed client cannot contain both the Windows Intune agents
and the Configuration Manager client. If you manage some clients through Windows Intune and others
through Configuration Manager, you must use the different management interfaces associated with
each management platform. When Windows Intune is integrated with Configuration Manager, you can
perform mobile device management tasks by using either the Configuration Manager console or the
Configuration Manager Windows PowerShell® module. If you integrate your Windows Intune subscription
with Configuration Manager, computers under the Windows Intune subscription are still managed
through the Windows Intune management interfaces unless you retire them from Windows Intune and
then install the Configuration Manager client.
You can manage clients that are connected through DirectAccess connections as you would manage
clients connected to a branch office network. You can configure these clients to use cloud-based
distribution points.
VPN Profiles
You can use VPN profiles to deploy VPN
connection configuration information to System
Center 2012 R2 Configuration Manager clients
that are running Windows RT 8.1, Windows RT,
Windows 8.1, or Windows 8, or to Apple iPhone
and Apple iPad devices that are running iOS 5 and
iOS 6. You can use VPN profiles to deploy VPN connections that use the following connection types:
• Cisco AnyConnect
• Juniper Pulse
• F5 Edge Client
• IKEv2
• PPTP
• L2TP
Wi-Fi Profiles
You can use Wi-Fi profiles to deploy wireless network settings to users so that the users can connect
automatically to preconfigured wireless networks. You can use Wi-Fi profiles with devices running the
following:
• iOS 5
• iOS 6
• Android version 4
• Use a Remote Desktop Gateway server address. This is the address of the Remote Desktop Gateway
server that makes the connection. Remote clients can connect across the Internet only through a
Remote Desktop Gateway server.
• Allow users who are listed as primary users of a work computer to make remote connections to that
computer from remote hosts. Users can make connections to computers only if they are primary
users.
• Configure Windows Firewall with Advanced Security rules to allow connections when the computer
connects to a domain or private network.
Certificate Profiles
You can use certificate profiles to deploy certificates to System Center 2012 R2 Configuration Manager
clients for the purposes of authentication and authorization. You can configure automatic certificate
deployment to clients that are not members of the organization’s AD DS domain and therefore, cannot
participate in the Active Directory Certificate Services (AD CS) autoenrollment process. These clients could
be devices running the Windows RT 8.1, Windows 8.1, iOS, and Android operating systems. Certificate profiles support the
following capabilities:
• Certificate enrollment and renewal from enterprise or stand-alone certification authorities (CAs).
To use certificate profiles, you must deploy the certificate registration point on a site system server in the
central administration site or in a primary site. You cannot deploy this role in a secondary site. This role is
new in System Center 2012 R2 Configuration Manager.
• Windows Phone® 8
• Apple iOS
Windows Intune supports managing mobile devices directly or through Exchange ActiveSync. It also
supports direct management for mobile devices that are running Windows RT, Windows Phone 8, and
iOS.
To deploy applications directly to mobile devices that are running Windows RT, you must obtain
sideloading keys, and you must have a code-signing certificate to sign the applications. The device
running Windows RT or Windows Phone 8 must trust this code-signing certificate. Additionally, you can
use deep linking to deploy an application from the appropriate Windows App store directly to mobile
devices that are running the Windows RT or Windows Phone 8 mobile operating systems.
You can use Windows Intune to deploy applications to iOS devices by deep linking to the Apple store
or by sideloading apps, which means you are installing them by using direct access to the source files. To
deploy applications to iOS devices, you must obtain the appropriate mobile device management
certificates from Apple.
The following table details the mobile device–management tasks that you can perform when you
configure the Windows Intune connector for Configuration Manager.
Management task | Windows RT 8.1/Windows RT/Windows 8.1/Windows 8 | Windows Phone 8 | iOS | Android
Lesson 2
Managing Internet-Based Configuration Manager Clients
To be able to manage Internet-based clients, you need to configure site systems to support Internet-
based clients and publish those site systems through the firewall. You must configure these site systems
with certificates issued by a certification authority (CA) trusted by the clients. In addition, all Internet-
based clients must have computer certificates issued by the same certification authority. Data transmitted
between these computers and the site systems is encrypted by using Secure Sockets Layer (SSL).
Lesson Objectives
After completing this lesson, you will be able to:
• Distribution point
• Software update point
• Fallback status point
You can configure some management points in a site to support HTTPS client connections and others
to support HTTP client connections. Using this approach, you can configure separate management points
for Internet-based client management. You must configure these management points to use certificates
from a PKI solution trusted by the clients and the servers. Additionally, your Internet-based Configuration
Manager clients need a valid PKI certificate from a PKI solution trusted by both the client and server for
authentication with the site systems.
The fallback status point always uses HTTP because this role provides an alternate method of
communication when clients cannot communicate with site system roles, even when SSL traffic might
fail for some reason.
All site systems must reside in an Active Directory domain; however, you can install site systems for
Internet-based client management in an untrusted forest. This scenario might be appropriate for a
perimeter network that requires high security.
When you plan to manage client computers over the Internet, you must decide whether to configure
them for management on the intranet and the Internet, or for Internet-only client management:
Note: You can configure the client management option only during the installation of a
client. If you change your mind later, you must reinstall the client.
• Client computers that you configure for Internet-only client management communicate with only
those site systems that are configured for client connections from the Internet. Mobile device clients
are configured automatically as Internet-only when they are configured to use an Internet-based
management point.
• Client computers that you configure for Internet-based and intranet client management can switch
automatically between the two when they detect a change of network. If these clients can find and
connect to a management point that is configured for client connections on the intranet, these clients
are managed as intranet clients that have full Configuration Manager management functionality. If
the clients cannot find or connect to a management point that is configured for client connections
on the intranet, they attempt to connect to an Internet-based management point. If this is successful,
these clients are then managed by the Internet-based site systems in their assigned site.
Not all client management functionality is available when using Internet-based client management.
Features that rely on AD DS, or features that are not appropriate for a public network (such as operating
system deployments), are not supported for Internet management. The following features are not
supported when clients are managed on the Internet:
• Client deployment. For example, Client Push and software update–based client deployment. You must
use manual client installation to install the Configuration Manager client on these computers.
• Auto-site assignment. Clients must be configured with an assigned site at installation. Clients try to
locate the site systems by using Domain Name System (DNS). The Internet fully qualified domain
name (FQDN) of site systems that support Internet-based client management must be registered as
host entries on public DNS servers. Clients select one of the Internet-based site systems, regardless of
bandwidth or physical location.
• Network Access Protection (NAP). NAP relies on AD DS and cannot function on the Internet.
• The remote control feature. This feature is not available for Internet-based clients because these
computers cannot be located by using public DNS.
• Software deployments to users. You cannot deploy software to users unless the Internet-based
management point can authenticate the user in AD DS by using Windows authentication (Kerberos or
NTLM). This is possible when the Internet-based management point trusts the forest where the user
account resides.
o If the site system accepts connections from both the Internet and the intranet, you must specify
both the Internet FQDN and the intranet FQDN (or computer name) by using the ampersand (&)
symbol delimiter between the two names.
2. Configuration Manager site systems that are hosting the distribution point role use certificates
configured for client authentication. The Enhanced Key Usage field in this type of certificate includes
Client Authentication (1.3.6.1.5.5.7.3.2). When using an AD CS Enterprise CA, you should create a
template based on the existing Workstation Authentication template in the template store. The
private key must be exportable. SHA-1 and SHA-2 hash algorithms are supported. The maximum
supported key length is 2,048 bits.
The certificate:
o Is used to authenticate the distribution point to an HTTPS-enabled management point before the
distribution point sends status messages.
o Is sent to computers when the Enable PXE support for clients distribution point option is selected.
This ensures that the client computers can connect to an HTTPS-enabled management point
during the deployment of the operating system if task sequences in the operating system
deployment process include client actions such as client policy retrieval or sending inventory
information.
Note: The private key must be exportable because you must import the certificate as a
file on the distribution point properties, rather than select it from the certificate store. You need
to export the issued certificate in the Public Key Cryptography Standard (PKCS #12) format (.pfx
file).
3. Internet-based clients can use those certificates generated by the PKI solution for authentication
when connecting to a Configuration Manager site system. The Enhanced Key Usage field in this type
of certificate includes Client Authentication (1.3.6.1.5.5.7.3.2). When using an AD CS Enterprise CA,
you should create a template based on the existing Workstation Authentication template in the
template store. Client computers must have a unique value in the Subject Name field or in the
Subject Alternative Name field. The maximum supported key length is 2,048 bits.
Note: When you use Enterprise CA and certificate templates, do not use the version
3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create
certificates that are incompatible with Configuration Manager. When prompted for the version
of the template, select version 2 (Windows Server 2003).
Ensure that clients trust the CA that issues both the client certificates and the management point certificate.
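The client-certificate requirements above can be checked on a computer before it is moved to Internet-based management. The following PowerShell is an added example, not part of the course material or of Configuration Manager; the function name Test-ConfigMgrClientCertificate is hypothetical, and revocation is not checked so that the script runs offline.

```powershell
# Added example (not from the course): report which certificates in the local
# computer's Personal store meet the client-certificate requirements in the text.
# Test-ConfigMgrClientCertificate is a hypothetical helper name.

function Test-ConfigMgrClientCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Values taken from the text: the Client Authentication EKU and the
        # maximum supported key length.
        [string]$RequiredEkuOid = '1.3.6.1.5.5.7.3.2',
        [int]$MaxKeyBits = 2048
    )
    process {
        $problems = @()

        # Enhanced Key Usage must include Client Authentication.
        $ekuOids = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $RequiredEkuOid) {
            $problems += 'EKU does not include Client Authentication'
        }

        # Key length must not exceed the supported maximum.
        $keyBits = $null
        try { $keyBits = $Certificate.PublicKey.Key.KeySize } catch { }
        if ($null -eq $keyBits) {
            $problems += 'key length could not be read'
        } elseif ($keyBits -gt $MaxKeyBits) {
            $problems += "key length $keyBits exceeds $MaxKeyBits bits"
        }

        # The client must hold the private key to authenticate with the certificate.
        if (-not $Certificate.HasPrivateKey) {
            $problems += 'no private key in this store'
        }

        # The certificate must be inside its validity period.
        $now = Get-Date
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems += 'outside validity period'
        }

        # The issuing CA must be trusted by this computer.
        # Revocation is skipped here (assumption: offline check).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($Certificate)) {
            $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "chain not trusted ($status)"
        }

        # Subject or SAN must carry a value. Uniqueness across clients cannot be
        # judged locally, so both values are reported for comparison.
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        if (-not $Certificate.Subject -and -not $san) {
            $problems += 'Subject Name and Subject Alternative Name are both empty'
        }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            SAN        = $san
            KeyBits    = $keyBits
            NotAfter   = $Certificate.NotAfter
            Compliant  = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-ConfigMgrClientCertificate |
    Sort-Object -Property Compliant -Descending |
    Format-List
```

Collecting the Subject and SAN columns from several clients shows whether each computer has the unique value the text requires.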
1. Deploying the Web Server certificate for site systems that run Internet Information Services (IIS). This
includes the following procedures:
a. Creating and issuing the Web Server certificate template on the certification authority.
a. Creating and issuing the distribution point certificate template on the certification authority.
b. Requesting a distribution point certificate from each distribution point and exporting the
certificate in a .pfx file.
c. Configuring the distribution point to use the certificate.
3. Deploying the client certificate for computers. If the computers are also connecting to the intranet
and can authenticate to AD DS, the certificate deployment includes the following procedures:
a. Creating and issuing the Workstation Authentication certificate template on the certification
authority.
c. Enrolling the Workstation Authentication certificate automatically and verifying its installation on
computers.
4. If the computers are not connecting to AD DS, issuing and installing the client certificates manually.
Demonstration Steps
1. On LON-DC1, start the Certification Authority console.
2. In the Certification Authority console, right-click the Certificate Templates folder, and then click
Manage. The Certificate Templates console opens.
3. Duplicate the Workstation Authentication template, and then click the Windows Server 2003
compatibility option.
4. In the Properties of New Template dialog box, configure the following settings:
o On the General tab, name the template Configuration Manager Client Certificate.
o On the Security tab, click the Domain Computers group, and then add the Read and
Autoenroll permissions.
5. Duplicate the Workstation Authentication template, and then click the Windows Server 2003
option.
6. In the Properties of New Template dialog box, configure the following settings:
o On the General tab, name the template Configuration Manager Client Site System
Certificate.
o On the Request Handling tab, select Allow private key to be exported.
o On the Security tab, remove the Enroll permission from the security groups Domain Admins
and Enterprise Admins. Add the ConfigMgrServers group, and then grant the
ConfigMgrServers group the Enroll permission.
2. Configure the internal firewall to allow communications between the perimeter network site
systems and the internal servers. You can adjust port values for any customization in your
environment. However, the following communications must be allowed:
o Management point. Communicates with the computer running Microsoft SQL Server®
through the SMS Provider to read policy, and communicates directly with the site server to
report state messages.
o Distribution point. Communicates with the site server to read configuration information and
replicate content by using file-based replication.
o Software update point. Communicates with an upstream software update point or directly
with Microsoft Update.
o Fallback status point. Communicates with the site server.
• Configure the internal site systems to support Internet-based client management and publish
them through a firewall. This method is less secure but easier to implement. To follow this method,
configure your firewall to allow direct HTTPS access from the Internet to the site systems (also known
as tunneling or pass-through). If you are using a proxy web server without SSL termination (tunneling),
no additional certificates are required on the proxy web server. However, the clients are connecting
directly to the site systems, and the firewall cannot inspect the traffic, which can pose additional
security risks. If you are using a proxy web server with SSL termination (bridging) for incoming
Internet connections, the proxy web server has the following certificate requirements:
o Certificates are installed on the proxy web server with Enhanced Key Usage configured for server
and client authentication. You can use the Web Server and Workstation Authentication
templates.
o The Subject Name field or Subject Alternative Name field includes Internet FQDN. If you are
using Microsoft certificate templates, the Subject Alternative Name is available only with the
workstation template.
You must configure a Microsoft PKI solution to use with Configuration Manager as a method of
improving security. To do this, you will create templates for Configuration Manager, and then deploy the
certificates to your Configuration Manager infrastructure.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 35 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
2. In the Active Directory Users and Computers console, in the Users container, create a new group
named Configuration Manager IIS Servers.
3. Add LON-CFG to the Configuration Manager IIS Servers group.
3. Duplicate the Web Server template, and then on the Compatibility tab, ensure that the Windows
Server 2003 option is selected.
o On the Subject Name tab, ensure that the Supply in the request option is selected.
o On the Security tab, remove the Enroll permission from the security groups Domain Admins
and Enterprise Admins. Add the Configuration Manager IIS Servers group, and then grant the
Configuration Manager IIS Servers group the Enroll permission.
o On the General tab, name the template Configuration Manager Client Certificate.
o On the Security tab, select the Domain Computers group, and then add the Read and
Autoenroll permissions.
o On the General tab, name the template Configuration Manager Client Distribution Point
Certificate.
o On the Security tab, remove the Enroll permission from the security groups Domain Admins
and Enterprise Admins. Add the Configuration Manager IIS Servers group, and then grant the
Configuration Manager IIS Servers group the Enroll permission.
o On the General tab, name the template Configuration Manager Mobile Device Certificate.
o On the Subject Name tab, ensure that the Build from this Active Directory information
option is selected, and in the Subject name format list, select Common name, and then clear
the User principal name (UPN) check box.
Results: After this exercise, you should have created a group for the Microsoft® System Center 2012 R2
Configuration Manager servers and created the templates for Configuration Manager certificates.
2. At the root of the domain, create a GPO named Enable Autoenrollment of Certificates.
3. Edit the Enable Autoenrollment of Certificates GPO.
5. Configure the following values for the Certificate Services Client – Auto-Enrollment object:
o Select the Renew expired certificates, update pending certificates, and remove revoked
certificates check box.
o Select the Update certificates that use certificate templates check box.
3. Start a Microsoft Management Console (MMC), and then add the Certificates snap-in for the Local
computer: (the computer this console is running on).
4. In the MMC window, expand Certificates (Local Computer), and click Personal. Right-click
Personal, and then select the option Request New Certificate.
5. In the Certificate Enrollment wizard, request a new certificate by using the following information:
o On the Request Certificates page, select the Configuration Manager Web Server Certificate
check box, and then click More information is required to enroll for this certificate. Click
here to configure settings.
o On the Subject tab, in the Alternative name area, in the Type list, select DNS, in the Value box,
type LON-CFG.Adatum.com, and then click Add.
o On the General tab, in the Friendly name box, type Configuration Manager Web Services.
o Complete the request, wait until the certificate is installed, and then click Finish.
2. In the Certificate Enrollment Wizard, request a new certificate by using the following information:
o On the Request Certificates page, select the Configuration Manager Client Distribution
Point Certificate check box, and then click Enroll.
o Complete the request, wait until the certificate is installed, and then click Finish.
4. Select the certificate that has Configuration Manager Client Distribution Point Certificate on the
Certificate Template column, right-click the certificate, and then select Export. The Certificate
Export Wizard opens.
5. In the Certificate Export Wizard, use the following information to export the certificate:
o On the Export Private Key page, select Yes, export the private key.
o On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12
(.PFX) option is selected.
o On the Security page, type Pa$$w0rd in both the Password and Confirm password text boxes.
o On the File to Export page, in the File name text box, type
C:\ConfigMgrClientDPCertificate.pfx.
3. In the Site Bindings dialog box, edit the https entry, in the SSL certificate list, select the
Configuration Manager Web Services certificate, click OK, and then close all open windows.
3. In the results pane, select \\LON-CFG.Adatum.com, and then, in the preview pane, access the
Properties for the Site system.
4. In Site system Properties, configure the following:
• Select Specify an FQDN for this site system for use on the Internet.
• In the Internet FQDN text box, type LON-CFG.Adatum.com, and then close the dialog box.
• On the General tab, select Import certificate, and then browse to and click the
C:\ConfigMgrClientDPCertificate.pfx certificate file.
• Select HTTPS, under Requires computers to have a valid PKI client certificate, select Allow
intranet and Internet connections, and then close the dialog box.
7. In the preview pane, access the Properties for the Management point.
o On the General tab, click HTTPS, and then under This option requires client computers to
have a valid PKI client certificate for client authentication, select Allow intranet and
Internet connections.
o Select the Allow mobile devices to use this management point check box, and then close the
dialog box.
3. In the Assets and Compliance workspace, navigate to Certificate Profiles, and then create a
certificate profile.
4. Name the profile AdatumEnterpriseRootCA, and then set the profile type to Trusted CA
certificate.
5. Import the certificate that you copied to the desktop and ensure that it will be placed in the
Computer certificate store – Root location.
7. Deploy the certificate profile to the All Desktop and Server Clients collection.
Results: After this exercise, you should have issued the Configuration Manager certificates and configured
HTTPS communication for Configuration Manager roles.
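To confirm the result of this exercise from a client, the check below connects to the site system's Internet FQDN and reports whether the certificate bound in IIS carries that name, is valid for server authentication, and chains to a root the client trusts (for example, the root deployed by the AdatumEnterpriseRootCA profile). It is an added example, not part of the lab; the function names are hypothetical, and the Server Authentication OID 1.3.6.1.5.5.7.3.1 is supplied here rather than taken from the text.

```powershell
# Added example (not from the course): inspect the certificate that a site
# system presents on HTTPS. Function names are hypothetical.

function Get-TlsServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Complete the handshake unconditionally so that an untrusted or
        # mismatched certificate can still be retrieved and reported on.
        # No application data is sent over this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $policyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Close()
    }
}

function Test-SiteSystemHttpsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$InternetFqdn,
        [int]$Port = 443
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $cert = Get-TlsServerCertificate -HostName $InternetFqdn -Port $Port

    # DnsNameList is a property PowerShell adds to certificate objects; it holds
    # the DNS names derived from the subject CN and the SAN DNS entries.
    # Wildcard entries are listed but only exact names are matched.
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })

    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Trust is evaluated with this computer's own root store, which is what a
    # client does. Only the leaf certificate is supplied, so intermediate CAs
    # must be resolvable locally. Revocation is skipped (assumption).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Endpoint      = "${InternetFqdn}:$Port"
        Subject       = $cert.Subject
        DnsNames      = $dnsNames -join ', '
        NameMatches   = ($dnsNames -contains $InternetFqdn)   # case-insensitive
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        ChainTrusted  = $trusted
        ChainStatus   = $status
        NotAfter      = $cert.NotAfter
    }
}

# FQDN used in the lab above.
Test-SiteSystemHttpsCertificate -InternetFqdn 'LON-CFG.Adatum.com'
```

A result with NameMatches or ChainTrusted set to False points to the wrong certificate in the https binding or to a client that has not yet received the root CA certificate.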
Lesson 3
Configuring Cloud Services in System Center 2012 R2
Configuration Manager
By integrating cloud services into a Configuration Manager deployment, you can extend your
organization’s ability to distribute content and manage mobile devices. Cloud-based distribution
points allow you to deploy distribution points hosted in a public Windows Azure™ cloud. You can deploy
a scalable distribution point rapidly to clients on both the Internet and internal networks without
provisioning a virtual machine or physical server to host it. You can also integrate Windows Intune with
System Center 2012 R2 Configuration Manager, thereby allowing you to manage mobile devices running
the iOS, Android, Windows Phone, and Windows RT operating systems.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the benefits and limitations of cloud-based distribution points.
• Explain how to configure the Windows Intune connector site system role.
• Can scale as necessary. You can scale the cloud-based distribution point up or down to meet the
changing demands for content. For example, you can scale it up when you require more deployment
capacity, and scale it down when you require less deployment capacity. By doing so, you will find it
less necessary to deploy additional distribution points within the organization.
• Does not support packages that run from the distribution point; content must be downloaded from
the distribution point and run locally.
• Does not support streaming applications by using Microsoft Application Virtualization (App-V).
When you use Windows Intune with Configuration Manager, a cloud-based distribution point is created
automatically for distributing content through Windows Intune. This distribution point distributes content
for clients that are managed through the Windows Intune connector.
• A service certificate that Configuration Manager clients use to connect to Windows Azure cloud-
based distribution points to retrieve content by using the HTTP protocol
• The Allow access to cloud distribution points client setting set to Yes for the Configuration Manager
device or user
• The client attempting to access the cloud-based distribution point is able to access the Internet
• The client attempting to access the cloud-based distribution point is able to resolve the name of the
cloud service; this will require a canonical name (CNAME) record in the local DNS namespace mapped
to the name of the cloud-based distribution point
The only prerequisite for a Windows Intune cloud-based distribution point is that Windows Intune
integration must be configured. This requires a Windows Intune subscription, the Windows Intune
connector site system role, and configuration of directory synchronization.
You can use the Directory Synchronization tool, also known as DirSync, to synchronize AD DS user
accounts and passwords with Windows Azure Active Directory. Windows Azure Active Directory stores
user accounts and passwords for Windows Intune, Windows Azure, and other services such as Microsoft
Office 365™.
Versions of DirSync after 6382.000 support password synchronization. Because you no longer have to
deploy Active Directory Federation Services (AD FS), it is simpler to integrate an on-site Configuration
Manager deployment with Windows Azure and Windows Intune.
• Software updates
• Software deployments
• Endpoint Protection
• Remote assistance
• Software licensing
• Windows Firewall policy
You can use Windows Intune to perform these management tasks on computers that rarely connect to an
organizational network and that might not be joined to an Active Directory domain. Additionally, you can
use Windows Intune to manage software deployment for computers that are running Windows, Android,
and Apple iOS operating systems.
Computers that you manage through Windows Intune require Windows Intune client software. You can
download the client software from the Windows Intune company portal. The client software includes an
account certificate that binds the client to a specific Windows Intune deployment. If your organization
chooses to use Windows Intune to manage client devices, you must develop a strategy to install the client
software on all end-user computers. After you install the client software on a device, the Windows Intune
administrator can manage that device remotely.
Note: You cannot deploy the Windows Intune client software on a computer that has the
System Center 2012 Configuration Manager SP1 agent or the System Center 2012 R2
Configuration Manager agent installed.
• Configure directory synchronization. You must configure Active Directory synchronization between
your on-premises AD DS and the Windows Azure Active Directory that you are using with the
Windows Intune organizationname.onmicrosoft.com domain.
• Obtain relevant certificates or keys. Depending on the mobile devices that you will be managing
through Windows Intune, you need the corresponding certificates or keys. You will learn more about these
in a later topic in this lesson.
1. In the Administration workspace, expand the Hierarchy Configuration folder, and then click
Windows Intune Subscriptions.
2. On the ribbon, click Add Windows Intune Subscription.
4. On the Subscription page, sign in by using an account configured as an administrator for your
Windows Intune organization. Select the Allow the Configuration Manager console to manage
this subscription check box.
o Specify the user collection whose members will be able to enroll their devices for
management. Browse to the appropriate collection.
o Company name. Specify your organization name.
o Color scheme for company portal. Change the color of the company portal, or accept the
default color.
o Configuration Manager site code. Specify the primary site for mobile devices.
7. On the Platforms page, choose the device types you want to manage (devices running Android, iOS,
Windows, or Windows Phone 8), and then review the platform requirements. For each device type
that you choose, you need to configure additional settings. You can configure these settings on a
per-device type basis when necessary.
When you enable the Allow the Configuration Manager console to manage this subscription option,
Configuration Manager takes control of the Windows Intune subscription for mobile device management.
You cannot undo this step. If you later decide that you do not want to manage Windows Intune by using
Configuration Manager, you must create a new Windows Intune subscription.
To deploy the site system role for the Windows Intune connector, perform the following procedure on a
site system server that will communicate with the Windows Intune servers on the Internet:
1. In the Administration workspace, expand the Site Configuration folder, and then click Servers and
Site System Roles.
2. Select the site system server, and then on the ribbon, click Add Site System Roles.
3. On the System Role Selection page, select Windows Intune Connector, and then click Next.
4. Complete the wizard.
Mobile device operating system | Certificates or keys | Notes
Objectives
After completing this lab, you will be able to:
• Sign up for a Windows Intune trial account and configure directory synchronization.
• Configure the Windows Intune connector role.
Lab Setup
Estimated Time: 130 minutes
Password Pa$$w0rd
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
2. In Hyper-V Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Domain: Adatum
6. Repeat steps 2 and 3 for MSL-TMG1. This is a gateway server that allows connections to the Internet.
o The first part of the email address should be your first name, the first letter of your last name,
10748C, and the date in the format used in your region (mm/dd/yy or dd/mm/yy). For example,
JoeS10748C010114 if it is the first of January 2014.
o The domain (the portion of the address after the @ symbol) should be Adatum.com. For example,
joeS10748C0110114@adatum.com.
4. In Internet Explorer, click the Try option, and then click Sign up for a Windows Intune free 30-day
trial.
5. On the Windows Intune Sign up page, provide the required information to sign up for the trial
account. Enter data for the following required fields, and then click Check Availability:
o Country or region: Select your country or region
o Organization Name: Type the first three letters of the city in which you are attending the course;
the course number; the month, day, and year; and the number of your computer, counting from
the front left side of the classroom. For example, type MEL10748C02041405 to indicate that
you are attending the course in Melbourne; the course number is 10748C; the date is February 4,
2014; and you are using the fifth computer from the front left side of the classroom
o Address 1: Street address of the location in which you are attending the course
o City: City in which you are attending the course
o ZIP code: ZIP code in which you are attending the course
o Phone Number: 555-555-1212
o Email address: The fake email address that you created in the first task of this exercise.
o New Domain Name: Type the first three letters of the city in which you are attending the course;
the course number; the month, day, and year; and the number of your computer, counting from
the front left side of the classroom. For example, type MEL10748C02041405 to indicate that you
are attending the course in Melbourne; the course number is 10748C; the date is February 4,
2014; and you are using the fifth computer from the front left side of the classroom
6. After the domain name is verified, enter the following information:
7. In the Verification field, type the text that is shown as a graphic. Note that the text is not case-
sensitive.
3. In the script pane, type the following, and then press Enter:
4. Use Active Directory Administrative Center to verify that the new UPN has been applied to April
Reagan’s account.
4. Download and install the 64-bit version of the Active Directory synchronization tool by using the
default settings.
5. Sign out from LON-CAS, and then sign in as Adatum\administrator with the password Pa$$w0rd.
6. Run the Active Directory Sync tool Configuration Wizard with the following settings:
o Windows Azure Active Directory user name: student@organizationname.onmicrosoft.com,
where organizationname is your Windows Intune organization name
o Windows Azure Active Directory password: Pa$$w0rd
o Active Directory username: administrator@adatum.com
o Active Directory password: Pa$$w0rd
o Enable Hybrid Deployment: Enabled
o Enable Password Sync: Enabled
o Synchronize your directories now: Selected
7. Wait five minutes, return to the Windows Intune Admin page, click Users, and then verify that the
list of users in Windows Intune is now populated with users from AD DS.
Results: After this exercise, you will have created a Windows Intune™ account, and configured directory
synchronization between the local Windows Server® Active Directory® Domain Services (AD DS) instance
and Windows Azure™ Active Directory.
o Password: Pa$$w0rd
Results: After this exercise, you will have integrated Configuration Manager with Windows Intune.
Question: What are the limitations of cloud-based distribution points over distribution
points deployed on-premises?
Module 8
Maintaining and Monitoring System Center 2012
Configuration Manager
Module Overview
System Center 2012 Configuration Manager architecture includes multiple components on the site
server, site systems, and client devices. Although you can design your solution’s architecture to be
resilient to failures by implementing multiple site systems, using database clustering, and implementing
multiple primary sites to benefit from global-data replication, you must configure and perform regular
site-maintenance tasks to ensure that the solution that you implement is functional and effective.
Performing regular backups is an important maintenance activity that you implement in your
Configuration Manager environment. Performing regular backups is even more important if you have
a stand-alone primary site, so that you can recover the site configuration or the site database if failure
occurs.
If you have a multiple-site environment, data replicates to other sites in the hierarchy. However, we still
recommend that you perform backups of the site servers and databases in the central administration site
and the primary sites to protect your implementation in case your operating system or site fails. The
database-replication mechanism helps you in the recovery process by replicating the most recent global
data from other sites in the hierarchy.
In addition to regular site backups, you should perform regular monitoring activities to determine
the health of your Configuration Manager implementation. You use the monitoring capabilities that
the Configuration Manager console includes to monitor the status of the site systems and replication.
Additionally, you can use external monitoring tools, such as System Center 2012 Operations Manager,
to automate monitoring and alerting.
Objectives
After completing this module, you will be able to:
• Describe Configuration Manager site-maintenance tasks.
Lesson 1
Overview of Configuration Manager 2012 Site
Maintenance
Configuration Manager 2012 includes built-in maintenance tasks that you can enable and then configure
to run on a schedule. After installing your Configuration Manager environment, you must review the
built-in maintenance tasks, so that you can determine which ones to enable and when they should run.
A site-maintenance plan is a crucial part of every Configuration Manager design. When you create a
site-maintenance plan, you should include configuration details for the following:
• Maintenance activities that you need to perform manually on a daily, weekly, or monthly schedule.
• Configuration of the status alert and status-monitoring systems that you can access from the
Configuration Manager console.
• External monitoring tools that you can use in the site, such as System Center 2012 Operations
Manager.
Lesson Objectives
After completing this lesson, you will be able to:
Configuring the Backup Site Server maintenance task, and ensuring that the backup occurs correctly, is
the most important action you perform in your Configuration Manager 2012 environment. By ensuring
these two factors, you can recover the site server and the database if an operating-system or site failure
occurs. The next lesson, “Performing Backup and Recovery of a Configuration Manager 2012 Site”, covers
backup and recovery in greater detail.
Question: Describe the tools that you can use to monitor the health of Configuration Manager 2012 site
systems.
3. Select the site for which you want to view the tasks, and then on the ribbon, click Settings, and then
click the Site Maintenance Tasks button.
4. In the Site Maintenance dialog box, click the maintenance task that you want to configure, and then
click Edit.
The following table lists the site-maintenance tasks and their purposes.
Maintenance task | Purpose
Backup Site Server | Backs up a Configuration Manager 2012 site, including the site database, files, registry keys, and system-configuration information.
Rebuild Indexes | Rebuilds the site database-table indexes to speed up data retrieval.
Monitor Keys | Monitors the primary keys from the site database tables.
Delete Aged Inventory History | Deletes aged inventory history from the site database.
Delete Aged Status Messages | Deletes aged status-message data from the site database.
Delete Aged Discovery Data | Deletes aged client-discovery data from the site database.
Delete Aged Collected Files | Deletes aged data regarding collected files from the site database and from the site-server folder structure.
Delete Aged Software Metering Data | Deletes aged software-metering data from the site database.
Delete Aged Software Metering Summary Data | Deletes aged software-metering summary data from the site database.
Clear Install Flag | Clears the install flag in the database for clients whose Heartbeat Discovery data records have not been updated in the specified interval, so that the Configuration Manager client reinstalls automatically by using Client Push.
Delete Inactive Client Discovery Data | Deletes inactive client-discovery data from the site database.
Delete Obsolete Client Discovery Data | Deletes obsolete client-discovery data from the site database.
Delete Aged Computer Association Data | Deletes aged user-device affinity data from the site database.
Delete Obsolete Alerts | Deletes alerts that have been closed for a specific period.
Delete aged log data | Deletes aged data from the replication logs, and cleans up object lock requests.
Delete aged application request data | Deletes cancelled or denied application requests that are older than the specified period.
Delete Aged Devices managed by the Exchange Server Connector | Deletes all obsolete records in the Exchange partnership properties table that have a LastSuccessSyncTimeUTC earlier than the specified period. It also deletes the system records that correspond to the obsolete partnership entries if they are managed solely by Exchange.
Delete aged device wipe record | Deletes aged device-wipe records from the site database.
Delete Obsolete Forest Discovery Sites and Subnets | Deletes obsolete discovery data that the Active Directory® Forest Discovery method creates by trying to find, and then remove, sites and subnets that forest discovery has not discovered for a specific period.
Check Application Title with Inventory Information | Determines whether the correct application title displays in the Asset Intelligence catalog. It does this by matching the installed software data with catalog data, which is determined by calculating the Software Properties Hash based on the Product Name, the Publisher, and the Product Version.
Delete aged enrolled devices | Deletes aged enrolled devices from the site database.
Delete aged threat data | Deletes aged Endpoint Protection threat data from the database.
Delete aged endpoint protection health status history data | Deletes aged Endpoint Protection health-status history data from the site database.
Delete aged client operations | Deletes aged Endpoint Protection-related client operation data, such as administrator-initiated scan and definition-download requests.
Evaluate collection members | Evaluates the collection members incrementally, every five minutes by default.
Update application catalog tables | Synchronizes the Application Catalog website database cache with the latest application information.
Delete aged delete detection data | Deletes old data-change information that external systems use when extracting data from the database.
Delete aged user device affinity data | Deletes aged information about user-device affinity.
additional maintenance activities such as monitoring of the site systems and clients, and describes
recovery procedures that you must follow if a site failure occurs.
Built-in site maintenance tasks include typical maintenance features, but you should complement them
with additional tools for end-to-end maintenance and monitoring of your Configuration Manager
implementation.
Typical activities for maintaining and monitoring a Configuration Manager 2012 environment include:
• Review, configure, and enable or disable site-maintenance tasks. Review the built-in site-maintenance
tasks, and then configure them, and enable or disable according to your site-maintenance plan.
• Configure the status summarizers. Configure the status summarizers to evaluate the health of your
site systems and components, based on the number and importance of status messages.
• Use the monitoring features that the Configuration Manager console includes. Use the Configuration
Manager console features to monitor replication and the status of the site systems.
• Configure alerts. Configure alerts that you want to generate for errors or specific thresholds.
• Consider using System Center 2012 Operations Manager. You can use System Center 2012
Operations Manager to monitor your Configuration Manager environment.
• Review error and warning messages that System Center 2012 Operations Manager generates, if
applicable.
Site-maintenance plans can contain activities that you perform on a schedule, either manually or through
an automatic configuration. You can schedule the tasks to happen daily, weekly, or over a longer period.
The following table lists typical maintenance tasks and the suggested frequency of the tasks.
Daily maintenance tasks
• Verify that built-in daily maintenance tasks are running successfully.
• Check the status of the Configuration Manager site database.
• Check the status of the site server.
• Check Configuration Manager site-system inboxes for backlogs.
• Check the status of the site systems.
• Check client status and health.
• Check the operating-system event logs on site systems.
• Check the SQL Server® error log.
• Check system performance.
Weekly maintenance tasks
• Verify that built-in weekly maintenance tasks are running successfully.
• Delete unnecessary files from site systems.
• Produce and distribute end-user reports, if necessary.
• Back up and then clear application, security, and system-event logs.
• Check the size of the site database, and then verify that the site database has
enough available disk space to enable growth.
• Perform SQL Server database maintenance on the site database, according to
your SQL Server maintenance plan.
• Check available disk space on all site systems.
• Run disk-defragmentation tools on all site systems.
For each maintenance task in the site-maintenance plan, you should assign an owner who is responsible
for performing that task. Administrative users to whom you assign the Infrastructure Administrator or
Operations Administrator security roles can perform most daily or weekly maintenance tasks.
When configuring the built-in site maintenance tasks, you must ensure that you are not scheduling the
maintenance tasks too aggressively, which can create additional processing load on your site server and
database. Conversely, ensure your schedule is not too passive, which can result in obsolete information
not being deleted. In most implementations, you should use the default schedules for the built-in
maintenance tasks.
Lesson 2
Performing Backup and Recovery of a Configuration
Manager Site
Configuring the Backup Site Server task and ensuring that backups occur regularly and successfully can
help ensure that you can recover your site configuration should your site server or site database fail.
The Backup Site Server task only backs up the site database, and certain folders and registry keys from
your site server. To recover your Configuration Manager implementation completely, you may need to
include additional data in your backup, such as custom reports, content files, and custom updates. You
also need to run the planned recovery procedures in a test environment, to ensure that you can recover
all necessary data from the site.
If the AfterBackup.bat batch file is present, the Backup Site Server task attempts to run it immediately
after performing the site backup. This lesson examines how to use the AfterBackup.bat file to perform
additional backup operations. This lesson also explains how to troubleshoot your backup procedure and
results, and how to perform a site recovery from your backup.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the backup and recovery processes for Configuration Manager 2012.
Recovery Features
In case of hardware or software failure, you need to restore the site with minimal or no data loss. Site
recovery includes potentially replacing failed hardware, reinstalling the operating system and
Configuration Manager 2012, and restoring the site database from a backup.
Configuration Manager 2012 has recovery features that differ from previous versions. For example, in
Configuration Manager 2012, the Configuration Manager Setup Wizard includes a recovery option. There
is support for multiple recovery options, which the following table outlines.
If you have a multiple-site implementation of Configuration Manager, you can benefit from data
replication, which can minimize data loss after recovery. When recovering a site that is part of a hierarchy,
Configuration Manager uses database replication to retrieve the most current global data that the failed
site created before failure. This process minimizes data loss even when no backup is available.
When you need to recover a site, you can initiate an unattended site recovery by configuring an
unattended installation script, and then using the Setup /script command.
perform a complete recovery, including the site database, certain folders from your Configuration
Manager installation path, and the registry settings that relate to Configuration Manager.
The need for a site backup depends on the site implementation scenario, such as the following:
• A stand-alone primary site. To avoid data loss when a stand-alone primary site fails, you must have a
Configuration Manager backup.
• Secondary sites. You have no built-in features for the backup and recovery of secondary sites. When a
secondary site fails, you must reinstall it from the primary site server.
• A central administration site with child primary sites. You can configure the Backup Site Server task,
and perform recovery of the central administration site and all primary sites. Because your hierarchy
uses database replication, you can retrieve the data necessary for recovery from another site in the
hierarchy. This means that you can recover a primary site even when you do not have a site backup.
The benefit of having a backup is that you can restore the data by using the most recent backup, and
replication only needs to retrieve changes to the data since the last backup. This reduces the amount
of data that you are transferring over your network.
After successfully backing up the site, the Backup Site Server task attempts to run the AfterBackup.bat file
automatically. If an AfterBackup.bat file exists, and is in the correct folder, the file automatically runs after
the backup task completes. You need to create the AfterBackup.bat file manually in the
<ConfigMgrInstallationFolder>\Inboxes\smsbkup folder.
To verify that the site backup task ran the AfterBackup.bat file successfully, open the Configuration
Manager console, and then click the Component Status node in the Monitoring workspace. In the results
pane, review the status messages for SMS_SITE_BACKUP. If the task initiates the AfterBackup.bat batch file
successfully, the message ID 5040 appears.
Question: What tool can you use to configure the archival of backup files that begins automatically after
the site backup completes?
5. In the Site Maintenance dialog box, click Backup Site Server, and then click Edit.
6. Select Enable this task, and then click Set Paths to specify the backup destination. You have the
following options:
o Local drive on site server for site data and database. You specify a folder on the site server’s local
drive that stores the backup files for the site and site database. You must create this local folder
before the backup task runs, and the site server’s computer account must have write access to
the folder.
o Network path (UNC name) for site data and database. You specify a shared folder in the network
by using the universal naming convention (UNC) path to the location that stores the site’s backup
files and the site database. You must create this network-shared folder before the backup task
runs, and the site server’s computer account must have write access to the share.
o Local drives on site server and SQL Server. You specify a path on the site server’s local drive to
the location that stores the backup files for the site server. You also specify a path on the site
database server’s local drive to the location that stores the backup files for the site database.
You must create these local folders before the backup task runs, and the site server’s computer
account must have write access to both folders. This option is available only when the site
database is on a remote site system server.
7. Configure an appropriate schedule for the site backup task. As a best practice, consider a backup
schedule outside of active business hours.
8. Select the Enable alerts for backup task failures check box, click OK, and then click OK. When you
select this check box, Configuration Manager creates a critical alert for the backup failure. You can
view it from the Alerts node in the Monitoring workspace.
o <ConfigMgrInstallationPath>\inboxes
o <ConfigMgrInstallationPath>\Logs
o <ConfigMgrInstallationPath>\data
o <ConfigMgrInstallationPath>\srvacct
o <ConfigMgrInstallationPath>\install.map file
• The ..\HKEY_LOCAL_MACHINE\Software\Microsoft\SMS registry key
o Encryption keys
o Custom assemblies or extensions
o Configuration files
• Content library. You must back up the content library so that you can restore and redistribute content
to distribution points. When you initiate content redistribution, Configuration Manager copies the
files from the content library on the site server to the distribution points. The content library for the
site server is in the SCCMContentLib folder that typically is on the drive that had the most free disk
space when you installed the site.
• Package source files. You must maintain a copy of the package source files so that you can restore
them after a site failure. You then must update the content on distribution points. When you initiate a
content update, Configuration Manager copies new or modified files from the package source to the
content library, which then copies the files to associated distribution points.
• Windows Server Update Services (WSUS) database. You need to back up the WSUS database if you
want to recover the metadata about software updates. This provides an alternative if a failure occurs.
You can reinstall the software update point on a new WSUS instance. However, you will need to
reconfigure the synchronization settings.
• Backup custom software updates. You must include the System Center Updates Publisher 2011
database in your backup if you use System Center Updates Publisher 2011 to perform any of the
following activities:
You can perform an unscheduled backup by starting the SMS_SITE_BACKUP service on the site server.
Demonstration Steps
1. On LON-CFG, start the Configuration Manager Console.
2. In the Configuration Manager console, click the Administration workspace, expand Site
Configuration, and then select Sites.
3. Select S01 – Adatum Site, and on the ribbon, click Settings, and then click Site Maintenance.
4. In the Site Maintenance dialog box, edit the Backup Site Server task.
5. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then
click Set Paths.
6. In the Set Backup Paths dialog box, verify the option Local drive on site server for site data and
database is selected, and then browse to select a folder.
7. On drive E, create a folder called Backup, and then click Select Folder.
8. In the Set Backup Paths dialog box, verify that E:\Backup appears in the box, and then click OK.
9. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start three
minutes from now, verify that the Latest start time is at least one hour from now, and then click OK.
10. In the Site Maintenance dialog box, verify that the Backup Site Server task is enabled.
13. Navigate to the C:\Program Files\Microsoft Configuration Manager\Logs folder, and then open the
smsbkup.log file in Notepad.
14. If the backup completes successfully, at the end of the smsbkup.log file, the text Backup completed
appears, and then on the next line, the text STATMSG: ID=5035 appears.
15. Navigate to the E:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the
database files.
17. In the Configuration Manager console, in the Monitoring workspace, expand System Status, and
then select the Component Status node.
18. Select the SMS_SITE_BACKUP component, and, on the ribbon, click Show Messages, and then click
All.
20. In Configuration Manager Status Message Viewer, search for a message with a Message ID of 5035.
• Navigate to the Component Status node in the Monitoring workspace, and then review the status
messages for SMS_SITE_BACKUP. If the backup has started, you will see the message ID 5055. When
the site backup completes successfully, message ID 5035 appears, indicating that the site backup
completed without any errors.
• Configure the Backup Site Server maintenance task to create an alert when a backup fails. You can
check the Alerts node in the Monitoring workspace for these backup failure alerts.
• Review the Event Viewer logs for account and access violations. Ensure that the service account for
SMS_SITE_BACKUP can access any remote locations that you specify in the SMS Backup control file
and that the service account has the appropriate privileges to perform the tasks in the [Tasks] section
of the Configuration Manager Backup control file. By default, the SMS_SITE_BACKUP service runs under
the local system account.
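The log and status-message checks described above can be scripted so that an old successful run does not hide a newer failed one. The following PowerShell function is an added example, not part of the course material: the function name, its parameters and the sample lines are constructed, and it assumes that status messages 5055 and 5040 are written to smsbkup.log as STATMSG lines in the same way as the 5035 line.

```powershell
# Added example. Taken from the course text: the markers "Backup completed" and
# "STATMSG: ID=5035", and the message IDs 5055 (backup started) and 5040
# (AfterBackup.bat started). Assumption: 5055 and 5040 also appear in
# smsbkup.log as "STATMSG: ID=<n>" lines.

function Get-SiteBackupRunStatus {
    [CmdletBinding()]
    param(
        # Lines of smsbkup.log, oldest first (for example from Get-Content).
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line,

        # Set when an AfterBackup.bat file is deployed and is expected to run.
        [switch]$ExpectAfterBackup
    )

    # The most recent run starts at the last 5055 line. If the log contains
    # no 5055 line, the whole file is treated as a single run.
    $start = 0
    $sawStart = $false
    for ($i = 0; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match 'STATMSG:\s*ID=5055\b') {
            $start = $i
            $sawStart = $true
        }
    }

    $completed = $false
    $afterBackupRan = $false
    $otherIds = New-Object 'System.Collections.Generic.List[int]'

    for ($i = $start; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match 'STATMSG:\s*ID=(\d+)') {
            $id = [int]$Matches[1]
            switch ($id) {
                5035 {
                    # Success requires both markers on consecutive lines,
                    # and both must belong to the most recent run.
                    if ($i -gt $start -and $Line[$i - 1] -match 'Backup completed') {
                        $completed = $true
                    }
                }
                5040 { $afterBackupRan = $true }
                default {
                    # Keep any other status IDs for triage.
                    if ($id -ne 5055) { $otherIds.Add($id) }
                }
            }
        }
    }

    $healthy = $completed -and ($afterBackupRan -or -not $ExpectAfterBackup)

    [pscustomobject]@{
        RunStartSeen   = $sawStart
        Completed      = $completed
        AfterBackupRan = $afterBackupRan
        OtherStatusIds = $otherIds.ToArray()
        Healthy        = $healthy
    }
}

# Constructed sample: an older run that succeeded, followed by a newer run
# that started but never reached "Backup completed".
$sample = @(
    'Starting backup (constructed text)  STATMSG: ID=5055',
    'Backup completed',
    'STATMSG: ID=5035',
    'STATMSG: ID=5040',
    '',
    'Starting backup (constructed text)  STATMSG: ID=5055',
    'ERROR: backup destination is not writable (constructed text)'
)

Get-SiteBackupRunStatus -Line $sample -ExpectAfterBackup

# On a site server, using the log path from the demonstration steps:
# $log = 'C:\Program Files\Microsoft Configuration Manager\Logs\smsbkup.log'
# Get-SiteBackupRunStatus -Line (Get-Content -Path $log)
```

On the constructed sample the function reports the latest run as not completed, even though an earlier run in the same log succeeded; a plain text search for 5035 would have passed.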
Site Recovery
You must recover a System Center 2012 Configuration Manager site whenever the site fails or data loss
occurs in the site database. You can initiate the site recovery by running the System Center 2012
Configuration Manager Setup Wizard or by using an unattended installation script with the Setup /script
command. Your recovery options depend on whether you have a backup of the System Center 2012
Configuration Manager site and the site database.
1. Start the Microsoft System Center 2012 Configuration Manager Setup Wizard by running
<Configuration Manager 2012 Installation Source Path>\SMSSETUP\BIN\X64\setup.exe.
2. On the Before You Begin page, click Next.
3. On the Getting Started page, select Recover a site, and then click Next.
When performing the site recovery in System Center 2012 Configuration Manager, you must recover the
site server and the site database. If you simply want to perform site maintenance or a site reset, start the
setup from the installation path.
• Recover the site server by using an existing backup. Use this option when you have a backup of the
Configuration Manager site server that you created before the site failure. You can reinstall the site
and reconfigure the site settings to match what they were when you backed up the site.
• Reinstall this site server. Use this option when you do not have a backup of the site server. You can
reinstall the site server, and then you must specify the site settings. You must use the same site name,
site code, and configurations as the failed site, if you want to recover your site successfully.
Note: When Setup detects an existing System Center 2012 Configuration Manager site on
the server, it disables the recovery options for the site server, and uses the existing Configuration
Manager site files and registry keys.
• Recover the site database by using the backup set at the following location. Use this option when you
have a backup of the Configuration Manager site database that you created before the site database
failure. When you have a hierarchy, Configuration Manager uses replication to retrieve from other
sites the changes made to the site database after the last site database backup. When you recover
the site database for a stand-alone primary site, you lose any changes made to the site since the last
backup.
Note: If you choose to restore the site database by using a backup set, and the site database
already exists, the recovery will fail. You must delete the existing database files manually before
attempting recovery.
• Create a new database for this site. Use this option when you do not have a backup of the
Configuration Manager site database. When you have a hierarchy, you can create a new site
database, and then use replication to recover data from other sites in the hierarchy. This recovery
option is not available when you are recovering a stand-alone primary site or a central administration
site that has no primary sites.
• Use a site database that you recover manually. Use this option when you recover the Configuration
Manager site database by using a method other than the Backup Site Server maintenance task. When
you have a hierarchy, you can create a new site database, and then use replication to recover data
from other sites in the hierarchy. When you recover the site database for a stand-alone primary site,
you lose any changes made to the site since the last backup.
• Skip database recovery. Use this option when the site failure did not cause data loss in the
Configuration Manager site database, and you recover only the site server.
Post-Recovery Tasks
There are several post-recovery tasks that you may need to perform to complete the site recovery process:
• Reenter user account passwords. You must reenter user account passwords for the user accounts that
the site specifies, because all passwords are reset during the site recovery. The accounts for which you
must reset passwords are listed on the Finished page of the Setup Wizard after site recovery completes,
and are saved on the recovered site server in the C:\ConfigMgrPostRecoveryActions.html file.
• Reinstall hotfixes on the recovered site server. You must reinstall any hotfixes that were applied to the
site server. A list of hotfixes installed previously is on the Finished page of the Setup Wizard after the
site recovery completes, and is saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site
server.
• Recover custom reports. You must reimport any custom reports that you created on Reporting
Services.
• Recover content files. You must restore the content library and package source files to their original
locations. The site database contains information about the content files’ storage locations on the site
server, but the backup and recovery process does not back up or restore content files. You can restore
these files from a file system backup of the site server.
Question: How do you recover a stand-alone primary site when the database becomes corrupt?
Note: To perform site recovery, you need to start the setup program from the installation
media. If you want to perform a site reset only, you need to start the setup from the installation
path.
2. In the Microsoft System Center 2012 Configuration Manager Setup Wizard, use the following settings
to restore the site:
o On the Getting Started page, at Available Setup Options, click Recover a site.
o On the Site Server and Database Recovery Options page, click Recover the site database
using the backup set at the following location, and then browse to the folder where the
backup is stored.
o On the Site Recovery Information page, verify that the option Recover primary site is
selected.
o On the Product Key page, select Install the evaluation edition of this product.
o On the Microsoft Software License Terms page, select the I accept the license terms check
box.
o On the Prerequisite Licenses page, accept all prerequisite components.
o On the Prerequisite Downloads page, select Use previously downloaded files, and then in the
path box, type E:\ConfigMgr2012\Redist.
o In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite
validation to finish.
o On the Customer Experience Improvement Program configuration page, select I don’t want
to join the program at this time, and then click Next.
o On the Prerequisite Check page, click Cancel. For a real system recovery, you would click Begin
Install. However, for the purposes of this demonstration, you cancel the wizard.
Lesson 3
Monitoring Configuration Manager 2012 Site Systems
Configuration Manager 2012 includes monitoring and alerting features that you can use to detect and
troubleshoot critical conditions that pertain to site systems and clients. You can configure the status
system to determine the overall health of your Configuration Manager environment, based on status
messages.
For further monitoring capabilities, you can implement System Center 2012 Operations Manager, which
provides proactive server and applications monitoring and alerting. You then can use the information that
these features provide to detect and resolve critical issues.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure alerts.
• Describe the features of System Center 2012 R2 Operations Manager that you can use to monitor
Configuration Manager 2012 site systems.
Configuring Alerts
Configuration Manager 2012 includes an alerting system that generates alerts in the Configuration
Manager console when it encounters specific conditions.
• Site System role health. You can configure some site system roles manually, such as management
points, to generate alerts when they are not healthy.
• Database replication. Configuration Manager provides an alert automatically for database replication
issues.
• Database disk space usage. Configuration Manager provides alerts automatically regarding free
database space.
• Low Sideloading activations. Configuration Manager provides alerts automatically for sideloading
activations.
• Deployments. You can configure alerts manually for deployment of applications and compliance
settings.
By default, alerts are generated every 30 minutes if the conditions in the alert rules evaluate to true.
You can view all configured alert rules in the Configuration Manager console in the Monitoring workspace
under the Alerts node. Additionally, you can change the frequency with which the alerts are generated.
In System Center 2012 Configuration Manager, you could create alert subscriptions only for Endpoint
Protection. Beginning with Configuration Manager 2012 SP1, you can create subscriptions for any alert.
To create a subscription, you must specify:
1. The subscription name.
3. The alert rules for which you want to receive email messages.
• Application Statistics Summarizer. Summarizes information about the installed deployment process,
so that you can create statistics.
• Component Status Summarizer. Summarizes the status messages that pertain to Configuration
Manager components, to determine their health.
• Site System Status Summarizer. Summarizes the status messages that pertain to Configuration
Manager site systems, to determine their health.
2. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, select
the site.
You can configure status filter rules to detect critical conditions based on specific status messages, and
perform automated actions based on the conditions detected. The built-in status filter rules create events
in the Windows event logs when they detect specific status messages. You also can create custom status
filter rules to control the processing of status messages.
To configure the status filter rules, you must perform the following procedure:
2. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, select
the site.
Status Reporting
By configuring status reporting, you can modify how the server and client components report status
messages to the Configuration Manager status system. You then can configure the location to which the
components send status messages. By default, the components send all status messages for All Milestones
without details to Configuration Manager, and Configuration Manager does not write the information to
event logs.
4. In the Status Reporting Component Properties dialog box, select the level of details for Server
component status reporting and for Client component status reporting.
Note: The default reporting settings are appropriate for most environments, and you
should use caution when changing them. When you increase the level of status reporting by
choosing to report all status details, you can increase the number of status messages that are
processed. This increases the processing load on the site server and site database.
applications and services, and monitor performance. The management packs include the rules that
describe those components that agents are monitoring.
The Configuration Manager 2012 Management Pack for Operations Manager helps administrators
manage and administer Configuration Manager 2012 servers, computers, databases, services, disks,
applications, and other objects that require monitoring.
This release of this Management Pack improves Configuration Manager 2012 monitoring, and includes
the following improvements:
• Monitoring general central processing unit (CPU), memory, and disk-system resource usage.
By using System Center 2012 Operations Manager, you can monitor physical hardware, operating-system
components, and core network services, such as Domain Name System (DNS), Dynamic Host
Configuration Protocol (DHCP), and AD DS. Additional management packs for monitoring applications are
available in the management-pack catalog on the Microsoft website.
You need to configure site-maintenance tasks to reduce the space that the Configuration Manager
database uses, and configure the Backup Site Server task to back up and recover a primary site.
Objectives
At the end of this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
2. In the Configuration Manager console, click the Administration workspace, expand Site
Configuration, click Sites, and then click the S01 – Adatum Site.
5. Verify the settings for the Delete Aged Discovery Data task.
2. Configure the Delete Aged Software Metering Summary Data by using the following settings:
o Delete data that has been inactive for: 120 days.
Results: At the end of this exercise, you will have configured maintenance tasks in Configuration
Manager.
2. In the Configuration Manager console, click the Administration workspace, expand Site
Configuration, and then select Sites.
3. Select S01 – Adatum Site, and on the ribbon, click Settings, and then click Site Maintenance.
4. In the Site Maintenance dialog box, edit the Backup Site Server task.
5. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then
click Set Paths.
6. In the Set Backup Paths dialog box, verify that the option Local drive on site server for site data
and database is selected, and then browse to select a folder.
Note: In practice, you should use either Network path (UNC name) for site data and
database to save backup on a network share, or you should use Local drives on site server and
SQL Server if the database is installed on a separate server.
7. Create a new folder called Backup in the Local Disk (C:) drive, and then click Select Folder.
8. In the Set Backup Paths dialog box, verify that C:\Backup appears in the box, and then click OK.
9. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start three
minutes from now, and then click OK.
10. In the Site Maintenance dialog box, verify that the Backup Site Server task is enabled.
Task 2: Trigger the backup of the site, and verify its completion
1. From Server Manager, start the Services console.
4. If the backup occurs successfully, in the smsbkup.log file, the text Backup completed appears, and
then, on the next line, the text STATMSG: ID=5035 appears.
5. Navigate to the C:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the
database files.
6. Navigate to the C:\Backup\S01Backup\SiteServer folder, double-click on the SMSServer folder to
open it, and then note that it contains the data, inboxes, Logs, and srvacct folders.
7. In the Configuration Manager console, in the Monitoring workspace, expand System Status, and
then select the Component Status node.
8. Select the SMS_SITE_BACKUP component, and, on the ribbon, click Show Messages, and then click
All.
Note: When site backup completes successfully, message ID 5035 appears. This indicates
that the site backup completed without any errors.
Results: At the end of this exercise, you should have performed a backup for the Configuration Manager
site.
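The verification steps in Task 2 can be scripted so that a backup is checked the same way every time. The following is an added example, not part of the course material: the function name, its parameters and the age check are assumptions, and the demo at the end runs against a constructed log and folder tree in a temporary directory.

```powershell
# Added example (not from the course material).
function Test-SiteBackup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $LogPath,     # full path to smsbkup.log
        [Parameter(Mandatory = $true)] [string] $BackupRoot,  # in the lab: C:\Backup\S01Backup
        [int] $MaxAgeHours = 0                                # assumption: 0 disables the age check
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Log check: the most recent "Backup completed" line must be followed
    # directly by the STATMSG: ID=5035 line.
    if (-not (Test-Path -LiteralPath $LogPath -PathType Leaf)) {
        $problems.Add("Log file not found: $LogPath")
    } else {
        $lines = @(Get-Content -LiteralPath $LogPath)
        $last = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -like '*Backup completed*') { $last = $i }
        }
        if ($last -lt 0) {
            $problems.Add("No 'Backup completed' line in $LogPath")
        } elseif (($last + 1) -ge $lines.Count -or $lines[$last + 1] -notlike '*STATMSG: ID=5035*') {
            $problems.Add("'Backup completed' (line $($last + 1)) is not followed by STATMSG: ID=5035")
        }
    }

    # Database check: SiteDBServer must contain files, optionally recent ones.
    $dbDir = Join-Path $BackupRoot 'SiteDBServer'
    $dbFiles = @()
    if (Test-Path -LiteralPath $dbDir -PathType Container) {
        $dbFiles = @(Get-ChildItem -LiteralPath $dbDir -File)
    }
    if ($dbFiles.Count -eq 0) {
        $problems.Add("No database files in $dbDir")
    } elseif ($MaxAgeHours -gt 0) {
        $newest = ($dbFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        if ($newest -lt (Get-Date).AddHours(-$MaxAgeHours)) {
            $problems.Add("Newest database file is older than $MaxAgeHours hours ($newest)")
        }
    }

    # Site server check: the four folders the lab tells you to look for.
    $smsDir = Join-Path (Join-Path $BackupRoot 'SiteServer') 'SMSServer'
    foreach ($name in 'data', 'inboxes', 'Logs', 'srvacct') {
        $dir = Join-Path $smsDir $name
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $problems.Add("Missing folder: $dir")
        }
    }

    [pscustomobject]@{
        Succeeded = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# --- Demo on constructed data (temporary folder, not a real site backup) ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('bkdemo_' + [guid]::NewGuid().ToString('N'))
$root = Join-Path $demo 'S01Backup'
$db   = Join-Path $root 'SiteDBServer'
$sms  = Join-Path (Join-Path $root 'SiteServer') 'SMSServer'
New-Item -ItemType Directory -Path $db -Force | Out-Null
foreach ($name in 'data', 'inboxes', 'Logs', 'srvacct') {
    New-Item -ItemType Directory -Path (Join-Path $sms $name) -Force | Out-Null
}
Set-Content -LiteralPath (Join-Path $db 'demo.mdf') -Value 'constructed placeholder'

$log = Join-Path $demo 'smsbkup.log'
Set-Content -LiteralPath $log -Value @(
    'constructed line: backup task started',
    'Backup completed',
    'STATMSG: ID=5035'
)
Test-SiteBackup -LogPath $log -BackupRoot $root -MaxAgeHours 24

# Failure case: the completion line is present but the status message is not,
# and one of the expected folders has gone missing.
Set-Content -LiteralPath $log -Value @('constructed line: backup task started', 'Backup completed')
Remove-Item -LiteralPath (Join-Path $sms 'inboxes') -Recurse -Force
(Test-SiteBackup -LogPath $log -BackupRoot $root).Problems

Remove-Item -LiteralPath $demo -Recurse -Force
```

The script checks only the markers and folders named in the lab; a restore test with the Site Recovery wizard remains the real proof that a backup is usable.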
Task 1: Use the Site Recovery wizard to recover a site from backup
1. On LON-CFG, run E:\ConfigMgr2012R2\SMSSETUP\BIN\X64\setup.exe. The System Center 2012
R2 Configuration Manager Setup Wizard starts.
2. In the Microsoft System Center 2012 R2 Configuration Manager Setup Wizard, use the following
settings to restore the site:
o On the Getting Started page at Available Setup Options, click Recover a site.
o On the Site Server and Database Recovery Options page, click Recover the site database
using the backup set at the following location, and then browse to select the
C:\Backup\S01Backup folder. This folder stores the backup that you performed in the previous
exercise.
o On the Site Recovery Information page, verify that the option Recover primary site is
selected.
o On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
o On the Microsoft Software License Terms page, click the I accept these license terms check
box, and then click Next.
o On the Customer Experience Improvement Program configuration page, select I don’t want
to join the program at this time, and then click Next.
o Complete the wizard by using the default options. At the Prerequisite Check step, click Cancel,
and then click Yes.
Note: It takes time to restore the site. Therefore, for expediency in this lab, you cancel the
restoration process.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
Results: At the end of this exercise, you should have recovered the Configuration Manager 2012 R2
primary site.
Question: What can you do to keep your Configuration Manager database as small as
possible?
Question: What factors determine how frequently you should perform a backup?
Question: How can you minimize data loss when you do not perform backups?
Module 9
Migrating to System Center 2012 R2 Configuration Manager
Module Overview
Microsoft® System Center 2012 Configuration Manager provides a rich feature set that you can use to
migrate objects from Microsoft® System Center Configuration Manager 2007 through Configuration
Manager 2012 to System Center 2012 R2 Configuration Manager. In addition, it provides the necessary
tools for restructuring your site hierarchy during migration.
Differences between Configuration Manager 2007 site architecture and Configuration Manager 2012 site
architecture may require you to perform site consolidation when performing migration. Using the built-in
migration functionality, you can migrate objects from any source site in the Configuration Manager 2007
hierarchy to the central administration site in the Configuration Manager 2012 hierarchy. From the central
administration site, the migrated objects are replicated as global data to all sites in the hierarchy.
Using the Migration Job Wizard, you can migrate different types of objects such as collections,
advertisements, software packages, software updates, Asset Intelligence customizations, operating system
deployment objects, desired configuration management objects, and software metering rules.
Objectives
After completing this module, you will be able to:
• Describe the migration process from Configuration Manager 2007 to Configuration Manager 2012.
• Migrate objects.
Lesson 1
Overview of the Migration Process
The migration process from Configuration Manager 2007 to Configuration Manager 2012 includes
configuring the source hierarchy, configuring additional source sites, configuring shared distribution
points, migrating collections, migrating objects by type, monitoring the migration process, and migrating
Configuration Manager clients. When the migration process is completed, you perform migration data
cleanup by removing the configuration of the source hierarchy.
In this lesson, you will review the migration process, review the types of objects that can be migrated,
discuss the restrictions for migrating collections, and analyze consolidation requirements for migrating
primary sites.
Lesson Objectives
After completing this lesson, you will be able to:
When you migrate a Configuration Manager 2007 hierarchy to a Configuration Manager 2012 hierarchy,
you always perform a side-by-side migration. You install a fully functional Configuration Manager 2012
hierarchy in the same network environment as the Configuration Manager 2007 hierarchy, select and
migrate objects in batches, and lastly, migrate clients. By using the migration approach, you minimize the
risks associated with an in-place upgrade. Additionally, if the Configuration Manager 2012 installation
fails, you can discard the new installation easily and revert to the previous source hierarchy.
By performing a side-by-side migration, you also have the opportunity to consolidate sites. This is because
the Configuration Manager 2012 hierarchy can have a maximum of three site levels made up of the
central administration site, one level of primary sites below that, and a level of secondary sites below the
primary sites. If you have primary sites that are child sites of primary sites in the Configuration Manager
2007 hierarchy, you need to restructure your hierarchy when migrating to Configuration Manager 2012.
Primary sites cannot be the child sites of other primary sites in Configuration Manager 2012. This is a
significant change from all prior versions of Configuration Manager.
You cannot migrate secondary sites in-place. If you want to reuse the same server hardware, you must
first uninstall secondary sites from Configuration Manager 2007 before installing them in Configuration
Manager 2012. You can also convert secondary sites from Configuration Manager 2007 to distribution
points in Configuration Manager 2012. This provides the advantages of hierarchical simplification in cases
of reasonable bandwidth with fewer than a thousand clients at the former secondary site locations.
You can upgrade clients by using any of the client installation methods, including Client Push, Group
Policy installation, logon script, or manual installation. After you upgrade, the Configuration Manager
clients maintain the execution history for advertisements.
The migration process has two uses: migrating from an existing Configuration Manager 2007 site and
consolidating existing Configuration Manager 2012 hierarchies. The following table lists the source
hierarchies that you can migrate and the hierarchy version to which you can migrate them. Permitted
migrations to and from Configuration Manager 2012 with SP1 and newer can be very useful when you
are moving from a lab or staging environment into production. It is also useful in hierarchy simplification
through merger scenarios. This migration capability was added in System Center Configuration Manager
2012 with SP1.
1. Configure the source hierarchy. In the first step of the migration process, you configure the source
hierarchy by specifying the top-level site in the Configuration Manager 2007 implementation. This
site also becomes a source site for migrating Configuration Manager objects.
2. Configure additional source sites. You can specify additional source sites that contain objects you
want to migrate. You can configure only source sites that are under the top-level site that you
configured in the previous step. When migrating a Configuration Manager 2012 site to a new
Configuration Manager 2012 site, you do not need to configure additional source sites for child
sites, since the Client Access server site database contains all of the objects that you can replicate.
3. Configure distribution point sharing. In this optional step, you configure a Configuration Manager
2007 distribution point so that it is visible to Configuration Manager 2012 clients after migration.
You use this approach to make packages available to Configuration Manager 2012 clients without
distributing the content to the Configuration Manager 2012 distribution points.
4. Migrate collections and associated objects. You create a migration job to migrate collections and
associated objects, such as advertisements or packages.
5. Migrate objects by type. You select the types of objects to migrate, including boundaries, Asset
Intelligence customizations, software updates, operating system deployment objects, desired
configuration management baselines and configuration items, and software metering rules.
6. Migrate Configuration Manager clients. You can use any of the client installation methods to upgrade
the client to the Configuration Manager 2012 version in place. This process maintains the client
execution history.
7. Convert secondary sites to distribution points. In this optional step, you can convert Configuration
Manager 2007 secondary sites to Configuration Manager 2012 distribution points. The Upgrade
Shared Distribution Point Wizard uninstalls the secondary site and then configures the server as a
distribution point in Configuration Manager 2012, while maintaining the content on the distribution
point.
2. Remove the source hierarchy configuration and decommission the old hierarchy. This is the last
step in the migration process. After you ensure that you have migrated all of the necessary objects,
remove the source hierarchy configuration and then decommission the Configuration Manager 2007
hierarchy.
Note: You cannot reuse any site codes in a migration. You must provide unique site codes
across Configuration Manager 2007 and Configuration Manager 2012 hierarchies.
Collections: You can migrate query-based or direct membership collections with the following
restrictions:
• You cannot migrate mixed collections (which contain both users and devices).
• You migrate collections that have the membership limited to other collections as individual
collections with additional inclusion rules.
Advertisements: You can migrate existing advertisements for packages, software updates, or task
sequences so that the Configuration Manager 2012 clients receive them. Advertisements migrated from
Configuration Manager 2007 become deployments in Configuration Manager 2012.
Boundaries: You can migrate the existing boundaries to Configuration Manager 2012. You need to assign
the boundaries to boundary groups to use them for client assignment or content lookup in Configuration
Manager 2012.
Software distribution packages: You can migrate software distribution packages. We recommend that you
configure the package source using a Universal Naming Convention (UNC) path to minimize the need for
reconfiguring the package source after migration.
Virtual application packages: You can migrate the virtual application packages to Configuration Manager
2012 applications. Any existing advertisements of virtual application packages are not migrated.
Software updates: To migrate objects related to software updates, first you need to configure a software
update point in Configuration Manager 2012, and then you synchronize software update metadata with the
same sync source as the source hierarchy uses. After you do this, you can migrate the following types of
objects:
• Deployments
• Deployment packages
• Templates
• Software update lists
Asset Intelligence customizations: You can migrate any customizations you made to the Asset Intelligence
catalog, including custom categories, software families, labels, hardware requirements, and software lists.
Operating system deployment: You can migrate the following types of objects that you use in operating
system deployment:
• Boot images
• Driver packages
• Drivers
• Images
• Packages
• Task sequences
Desired configuration management: You can migrate configuration baselines and configuration items you
have created previously in Configuration Manager 2007.
Software metering rules: You can migrate software metering rules, but not the metering history.
The following types of objects cannot be migrated using the included Configuration Manager migration
tools:
• Queries
• Configuration Manager 2007 web reports or Microsoft SQL Server® Reporting Services (SSRS) reports
• Client inventory and history data (from the site database); however, clients maintain execution history
• Intel Active Management Technology (AMT) client provisioning information
SSRS reports can be migrated outside of the Configuration Manager migration process. If there are
reports that you want to migrate you can export the Report Definition Language (.RDL) files from the SSRS
in your Configuration Manager 2007 environment and import them into the SSRS in your new
environment.
Collection Restrictions
When you migrate collections that are linked
to other collections or that have subcollections,
Configuration Manager 2012 creates multiple
objects in either the User Collections node or the
Device Collections node:
• In the root of the appropriate node, Configuration Manager 2012 creates a folder with the parent
collection’s name. Located under this folder are the migrated subcollections of the migrated parent
folder.
You cannot migrate collections that contain a reference to a collection of a different resource type.
In Configuration Manager 2007, empty collections (collections that have no associated resources) are used
to organize other collections. When you migrate an empty collection, it converts to an organizational
folder that contains no users or devices.
You cannot migrate mixed collections that contain both users and devices because Configuration
Manager 2012 does not support them. To migrate mixed collections, you must create individual
collections that contain only users or only devices.
Typically, Configuration Manager 2007 used empty collections with no rules to organize other collections.
In Configuration Manager 2012, you can migrate empty collections as folders.
The collections must be independent of one another in Configuration Manager 2012 to avoid circular
references, because collections are evaluated at all primary sites in the hierarchy. For example, if you have
a collection called New York, containing all clients from New York, with two subcollections called Servers
and Desktops, and you migrate all of them to Configuration Manager 2012, the result is three
independent collections.
You can add additional inclusion rules to the Servers and Desktops collections to ensure that they have
the same membership after migration. If the top-level collection has no membership rules or targeted
advertisements, the New York collection will migrate to a folder in Configuration Manager 2012. The
subcollections Servers and Desktops will migrate as collections with additional inclusion rules in the New
York folder.
• Secondary sites. You use secondary sites to manage client communication traffic on slow wide area
network (WAN) links.
A Configuration Manager 2007 hierarchy can have more than three levels. For instance, a primary site can
have another primary site as its parent. When you migrate to Configuration Manager 2012, you need to
consolidate any primary site that is a child of another primary site.
You cannot assign clients that you assigned to central primary sites in Configuration Manager 2007 to the
central administration site in Configuration Manager 2012. This is because the central administration site
cannot have assigned clients. You need to reassign the clients that were assigned to the central site in
Configuration Manager 2007 to another primary site in the Configuration Manager 2012 hierarchy.
You cannot migrate secondary sites directly to Configuration Manager 2012. For any existing secondary
sites in the Configuration Manager 2007 hierarchy, you need to perform one of the following actions:
• Uninstall the sites, and then reinstall them as new secondary sites in Configuration Manager 2012.
• Convert the sites to distribution points in the new Configuration Manager 2012 installation.
Lesson 2
Preparing Configuration Manager 2007 Sites for
Migration
To migrate objects from Configuration Manager 2007 to Configuration Manager 2012, you need to
ensure that both the source and destination hierarchies meet certain prerequisites.
In this lesson, you will review the preparation steps that you must perform on Configuration Manager
2007 sites to ensure successful migration of objects. You will also review the prerequisites for configuring
source sites and running migration jobs.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the steps for preparing Configuration Manager 2007 sites for migration.
• Describe the prerequisites for migration from Configuration Manager 2007 to Configuration Manager
2012.
• Configuration Manager 2012 requires Windows Server® 2008 or newer, SQL Server 2008 or newer,
and 64-bit systems. While it is not necessary to upgrade the source hierarchy to use these versions,
you should test them to ensure that your organization environment supports them before installing
the new Configuration Manager 2012 hierarchy.
• In some organizations, it can take a long time to acquire additional server hardware to implement
your Configuration Manager 2012 hierarchy. You can speed up the migration process by using server
virtualization technologies, which enable the rapid creation of new virtual servers.
• Mixed collections and subcollections may require changes to their collection definitions to enable
migration to Configuration Manager 2012.
• You should configure all software packages with a UNC path to reduce the need for reconfiguration
after you migrate them.
• All site codes need to be unique throughout the source and destination hierarchies.
• You should remove any references to SMSSITECODE=AUTO. All site codes should be explicitly stated.
The use of SMSSITECODE=AUTO was encouraged in earlier versions of Configuration Manager, but
this practice can cause the loss of a client’s management point when migrating.
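A pre-migration audit for four of the preparation items listed above (mixed collections, package sources that are not UNC paths, reused site codes, and SMSSITECODE=AUTO), as an added example that is not part of the course material. The function name, parameter names, object properties, severity labels and the sample inventory are all hypothetical and constructed; feed the function whatever export of the source hierarchy you have.

```powershell
# Added example (not from the course material). All names below are hypothetical.
function Test-MigrationReadiness {
    [CmdletBinding()]
    param(
        [string[]] $SourceSiteCodes = @(),        # site codes in the 2007 hierarchy
        [string[]] $DestinationSiteCodes = @(),   # site codes in the 2012 hierarchy
        [object[]] $Packages = @(),               # objects with Name, SourcePath
        [object[]] $Collections = @(),            # objects with Name, ResourceTypes ('User' / 'Device')
        [string[]] $ClientInstallCommands = @()   # command lines from scripts, GPOs, push settings
    )

    # Site codes must be unique across both hierarchies (-contains ignores case).
    foreach ($code in $SourceSiteCodes) {
        if ($DestinationSiteCodes -contains $code) {
            [pscustomobject]@{
                Severity = 'Blocker'; Check = 'SiteCode'; Item = $code
                Detail   = 'Site code is used in both the source and destination hierarchy'
            }
        }
    }

    # Package sources should be UNC paths (\\server\share\...).
    foreach ($p in $Packages) {
        if ($p.SourcePath -notmatch '^\\\\[^\\]+\\[^\\]+') {
            [pscustomobject]@{
                Severity = 'Warning'; Check = 'PackageSource'; Item = $p.Name
                Detail   = "Source path is not a UNC path: $($p.SourcePath)"
            }
        }
    }

    # Mixed collections (users and devices together) cannot be migrated.
    foreach ($c in $Collections) {
        $types = @($c.ResourceTypes)
        if (($types -contains 'User') -and ($types -contains 'Device')) {
            [pscustomobject]@{
                Severity = 'Blocker'; Check = 'MixedCollection'; Item = $c.Name
                Detail   = 'Contains both users and devices; split into separate collections'
            }
        }
    }

    # SMSSITECODE=AUTO should be replaced by an explicit site code.
    foreach ($cmd in $ClientInstallCommands) {
        if ($cmd -match 'SMSSITECODE\s*=\s*"?AUTO\b') {
            [pscustomobject]@{
                Severity = 'Warning'; Check = 'SiteCodeAuto'; Item = $cmd
                Detail   = 'Uses SMSSITECODE=AUTO; state the site code explicitly'
            }
        }
    }
}

# --- Constructed sample inventory (not from a real environment) ---
$packages = @(
    [pscustomobject]@{ Name = 'Sample App A'; SourcePath = '\\FILESRV01\Source\AppA' },
    [pscustomobject]@{ Name = 'Sample App B'; SourcePath = 'D:\Source\AppB' }
)
$collections = @(
    [pscustomobject]@{ Name = 'New York';  ResourceTypes = @('User', 'Device') },
    [pscustomobject]@{ Name = 'Servers';   ResourceTypes = @('Device') },
    [pscustomobject]@{ Name = 'Help Desk'; ResourceTypes = @('User') }
)
$commands = @(
    'ccmsetup.exe SMSSITECODE=AUTO',
    'ccmsetup.exe SMSSITECODE=S01'
)

Test-MigrationReadiness -SourceSiteCodes 'S07', 'LON' -DestinationSiteCodes 'S01', 'lon' `
    -Packages $packages -Collections $collections -ClientInstallCommands $commands |
    Sort-Object Severity, Check |
    Format-Table Severity, Check, Item, Detail -AutoSize -Wrap
```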
Note: Use the computer account for the Source Site SMS Provider Account and the Source
Site SQL Server Account rather than a user account.
• Opening the following network protocols and ports in the firewalls between the Configuration
Manager 2007 site and the Configuration Manager 2012 site:
• Multiple-site. Install a central administration site and then install at least one primary site in the
hierarchy.
• Stand-alone primary site. Install a single primary site, which will be the only primary site in the
hierarchy.
Before migrating, ensure that the following Configuration Manager 2012 migration prerequisites are
complete:
• Use an account in the Configuration Manager 2012 hierarchy that has the Full Administrator security
role, so that you can create objects in any site in the Configuration Manager 2012 hierarchy.
• Configure a software update point in your Configuration Manager 2012 hierarchy. Synchronize the
software update metadata using the same source as the existing software update point in your
Configuration Manager 2007 hierarchy. This enables you to migrate software updates.
• Configure at least one Configuration Manager 2012 primary site, or the central administration site, to
use the same port numbers as the original Configuration Manager 2007 source site. In this way, client
requests are directed properly. In addition, client requests can use shared distribution points from the
Configuration Manager 2007 site.
• Assign Site Delete permissions to the Source Site Access Account on the source site to remove the
distribution points automatically from the Configuration Manager 2007 site during migration.
Lesson 3
Configuring Migration Settings
Your first step in the migration process is to configure the source hierarchy by specifying the top-level site
in your Configuration Manager 2007 hierarchy.
After you have configured the source hierarchy, the migration data gathering process begins. It collects
information about sites, and objects within those sites, in the Configuration Manager 2007 hierarchy
starting from the top-level site that you specified. The top-level site is configured as a source site
containing objects to be migrated.
You can configure additional sites from the Configuration Manager 2007 hierarchy as source sites, which
makes it possible to migrate objects from these sites to Configuration Manager 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how you can use multiple-source hierarchies in the migration process.
• The Source Site Database Account you use to connect to the site database of the source site.
When you configure a Configuration Manager 2007 site as the top-level site, you can migrate objects
from it and from any child primary sites. You can migrate objects only from the site that you selected
and from sites that are under it, so we recommend selecting the site located at the top of
the Configuration Manager 2007 hierarchy. This is called a central site.
Configuration Manager 2012 uses these settings to retrieve information about objects and distribution
points from the source site. During the data gathering process, child sites in the Configuration Manager
2007 hierarchy are identified. Then you can configure these sites as source sites for migration.
You can configure multiple instances of source hierarchies. However, only one source hierarchy can be
active at a given time. If you configure an additional source hierarchy before you complete migration
from the active source hierarchy, it cancels any active migration jobs and postpones any scheduled
migration jobs. The newly configured source hierarchy becomes the active source hierarchy. You can
configure connection credentials, source sites, and migration jobs for the current active source hierarchy.
2. In the navigation pane, expand Migration, and then click the Source Hierarchy node.
o Type the name of the top-level Configuration Manager 2007 site server.
Demonstration Steps
1. On LON-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, under the Migration node,
click the Source Hierarchy node, and then on the ribbon, click Specify Source Hierarchy.
3. In the Specify Source Hierarchy dialog box, use the following settings to configure the source
hierarchy:
o Select the Enable distribution-point sharing for the source site server check box, and then
click OK.
4. After you have configured the source hierarchy, the Data Gathering Status process will start. Wait
for the data collection to complete, and then click Close.
You can use the Gather Data Now action in the Configuration Manager console to start the migration
data gathering process immediately and to reset the start time of the next cycle. Data gathering runs on
the configured schedule until you change the active source hierarchy or until you use the Stop Gathering
Data action to end the data gathering process for that site. You can use the Stop Gathering Data action to
end the data gathering process for a source site when you no longer want Configuration Manager 2012
to identify new or changed objects from that site.
Note: Regardless of where you configure the source hierarchy, the migration jobs,
including the initial data gathering, are run from the top-level site. In a multisite hierarchy, to
troubleshoot migration issues, review the migmctrl.log on the central administration site server.
You do not have to configure additional source sites before creating migration jobs. However, you can
only migrate data from source sites that you have configured, and the migration data gathering process
must have gathered data from these sites successfully.
To configure additional source sites in the active source hierarchy, perform the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand Migration, and then click Source Hierarchy.
3. In the results pane, click the site that you want to configure as a source site.
4. On the ribbon, in the Source Site group, click Configure Credentials.
5. In the Source Site Credentials dialog box, for the Source Site Access Accounts, specify accounts that
have Read permission to the SMS Provider and to the SQL Server database in the specified site, and
then click OK.
Prerequisites
When planning for distribution point sharing, consider the following prerequisites:
• You must configure distribution points with a FQDN to be eligible for sharing.
• At least one Configuration Manager 2012 primary site or the central administration site must use the
same port numbers for client requests that the Configuration Manager 2007 site uses.
• Configuration Manager 2012 clients can receive content location information for packages that are
installed on shared distribution points in the Configuration Manager 2007 hierarchy, including branch
distribution points, distribution points on server shares, and standard distribution points.
• When you share a protected distribution point, Configuration Manager 2012 creates a boundary
group that includes the protected network locations of the Configuration Manager 2007 distribution
point.
• You need to ensure that the package version for packages that you migrate is the same in the source
hierarchy and in Configuration Manager 2012. Then Configuration Manager 2012 clients will be able
to retrieve the content from the shared distribution point.
• You cannot use shared distribution points to host packages for App-V. You must migrate and convert
the App-V packages for Configuration Manager 2012 clients.
• Stand-alone distribution points, which you can upgrade in place to Configuration Manager 2012
• Secondary site servers, which you can convert to stand-alone distribution points in Configuration
Manager 2012
When you no longer have to support clients in your Configuration Manager 2007 environment, you can
reassign a shared distribution point in your Configuration Manager 2012 hierarchy. When you reassign
the distribution points in place, you do not have to redeploy content to new distribution points.
To reassign a distribution point, the Configuration Manager 2007 site system server must meet the
following conditions:
• The Configuration Manager 2007 site system server must have only the distribution point role
assigned to it. You cannot upgrade a Configuration Manager 2007 distribution point that has any
additional site system roles.
• You must configure the Configuration Manager 2007 site system with an intranet FQDN.
• The site system server must have sufficient disk space to convert the content from the Configuration
Manager 2007 content storage format to the single instance store format. This requires available free
space equal to two times the existing data on the distribution point.
• The site system server must run an operating system version that Configuration Manager 2012
supports as a distribution point.
The conversion process is the same as the distribution point reassignment process, with the additional
step of uninstalling the secondary site.
The reassignment process first uninstalls the Configuration Manager 2007 secondary site, and then waits
until the next data gathering cycle to upgrade the distribution point in place to a Configuration Manager
2012 distribution point. If you use the default settings for the data gathering cycle, the wait time may be
up to four hours. This step ensures that the secondary site was uninstalled successfully before the
distribution point reassignment starts.
When converting a secondary site to a distribution point, consider the following restrictions:
• To be able to reassign, the secondary site must not have any Configuration Manager site system roles
assigned to the server, except for the management point.
• You must configure the Configuration Manager 2007 site system with an intranet FQDN.
• Any content that is present on the distribution point will be converted to a Configuration Manager
2012 single instance store. Because of this, you must ensure that available free space is equal to two
times the size of existing content on the distribution point. In Configuration Manager 2012 with SP1
and newer versions, the old content is removed once the migration is complete.
• Before reassigning a secondary site to a distribution point, ensure that you have upgraded all existing
remote distribution points at that site. After the secondary site is uninstalled during the distribution
point upgrade, any remaining remote distribution points are orphaned and are not
eligible for upgrade.
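The free-space condition stated above for both distribution point reassignment and secondary site conversion (free space equal to two times the existing content) can be checked on the site system before you start. The following PowerShell is an added example, not part of the course material; the function names, the content folder paths, and the drive letter are assumptions that you replace with your own values.

```powershell
# Added example: pre-flight free-space check for distribution point reassignment.
# Function names and parameters are hypothetical; the course does not name the
# content folders, so you pass them in yourself.

function Get-FolderSizeBytes {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Content folder not found: $Path"
    }

    # Sum file lengths only; directory entries carry no Length.
    $measure = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Measure-Object -Property Length -Sum

    if ($measure -and $measure.Sum) { return [int64]$measure.Sum }
    return [int64]0    # empty folder
}

function Test-DpReassignmentDiskSpace {
    param(
        # Folders that hold the existing package content (assumption: supplied by you).
        [Parameter(Mandatory = $true)][string[]]$ContentPath,
        # Single drive letter of the volume whose free space is tested (assumption).
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
        # The course states "two times the existing data".
        [int]$Multiplier = 2
    )

    $existing = [int64]0
    foreach ($p in $ContentPath) {
        $existing += Get-FolderSizeBytes -Path $p
    }

    $drive = New-Object System.IO.DriveInfo($DriveLetter)
    if (-not $drive.IsReady) { throw "Drive ${DriveLetter}: is not ready" }

    $required  = $existing * $Multiplier
    $free      = $drive.AvailableFreeSpace
    $shortfall = [math]::Max([int64]0, $required - $free)

    New-Object PSObject -Property @{
        ExistingContentGB = [math]::Round($existing / 1GB, 2)
        RequiredFreeGB    = [math]::Round($required / 1GB, 2)
        AvailableFreeGB   = [math]::Round($free / 1GB, 2)
        ShortfallGB       = [math]::Round($shortfall / 1GB, 2)
        Passed            = ($free -ge $required)
    }
}

# Constructed stand-in input so the script runs on any Windows host:
# the temp folder plays the role of the content folder.
$result = Test-DpReassignmentDiskSpace -ContentPath $env:TEMP `
                                       -DriveLetter ($env:SystemDrive.Substring(0, 1))
$result | Format-List

if (-not $result.Passed) {
    Write-Warning ("Free up {0} GB before reassigning this distribution point." -f $result.ShortfallGB)
}
```

The check covers only the disk-space condition; the role, FQDN, and operating system conditions still have to be confirmed in the Configuration Manager 2007 console.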
Lesson 4
Migrating Objects
To migrate objects from Configuration Manager 2007 sites to Configuration Manager 2012, you need to
create migration jobs. You can use these jobs to migrate collections and associated objects or to migrate
objects by type. You can choose to migrate objects that were migrated previously if they have changed
after migration to Configuration Manager 2012.
In this lesson, you will learn about the steps required to create migration jobs, review the migrated
objects, and use the migration reports.
Lesson Objectives
After completing this lesson, you will be able to:
Migration Jobs
You must create migration jobs to migrate
objects from Configuration Manager 2007 sites
to Configuration Manager 2012. A migration job
lists the objects that are migrated and includes
migration settings. You can schedule migration
jobs to run at a specific time. You can create
migration jobs to perform the following types of
migrations:
• Collection migration
o By default, all objects associated with members of the collection are selected for migration. You
can deselect the objects that you do not want to migrate.
o You can exclude individual object instances from migration. You might do this because you want
to migrate them at a later time using object migration, for example.
• Object migration
o With this type of migration, you can select individual object types and object instances to
migrate.
o By default, object types and instances are not selected. You need to select the specific data that
you want to migrate.
o With this type of migration, you can remigrate any objects that were migrated previously, but
have since been updated in the source hierarchy.
Migrating Collections
You can migrate collection definitions and
associated objects, such as packages and
advertisements, from Configuration Manager
2007 to Configuration Manager 2012.
• Content Ownership. Select the Configuration Manager 2012 site that will get the ownership for the
migrated object’s content.
• Security Scope. Associate the migrated objects with an existing security scope or create a new scope.
This helps limit the administrative permissions to the migrated objects.
• Collection Limiting. You can configure how collection limiting settings from Configuration Manager
2007 are translated to inclusion rules in Configuration Manager 2012.
• Site Code Replacement. On this page, you can configure site code replacement in the collection
queries. This is required if you have query rules that are based on the Configuration Manager site
code, because you are migrating to a new site with a new site code.
• Review Information. You can review the objects included in the migration job and information about
the migration of those objects.
• Settings. You can run the migration job immediately or schedule it for a later time. Also, you can:
• Boundaries
• Software distribution packages
• Configuration baselines
• Asset Intelligence customizations
• Content Ownership. Select the Configuration Manager 2012 site that will get the ownership for the
migrated objects’ content.
• Security Scope. Associate the migrated objects with an existing security scope or create a new scope.
This helps limit the administrative permissions to the migrated objects.
• Review Information. You can review the objects included in the migration job and information about
the migration of those objects.
• Settings. You can run the migration job immediately or schedule it for a later time. You can also
configure whether previously migrated objects can be overwritten, and whether to transfer the
organization folder structure for objects to the destination site.
Demonstration Steps
1. On LON-CFG, in the Configuration Manager console, click the Migration Jobs node.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the following
settings to configure the migration job:
o On the General page, configure the following options:
Name: Collections and associated objects
Description (optional): Migrate collections and associated objects
In the Job type box, select Collection migration
o On the Select Collections page, select Adatum Servers (this also selects London Servers and
ConfigMgr Servers), and then verify that the Migrate objects that are associated with the
specified collections option is selected.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, click
Refresh.
4. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the
following settings to configure the migration job:
o Complete the wizard and choose the default settings. Select the Run the migration job now
option so that the migration job will run automatically after the wizard completes.
5. In the results pane, verify that the status of the migration job is Completed. If necessary, click
Refresh.
Migration actions are recorded in the migmctrl.log file in the <InstallationPath>\Logs folder on the site
server.
After you perform the migration, the administrator can review migrated objects and their properties, and
compare them with the objects in the source site.
2. In the navigation pane, expand Reporting, expand Reports, and then click the Migration folder.
3. In the results pane, click Migration Job properties, and then on the ribbon, click Run.
5. Under Migration Job Name, click a migration job, and then click OK.
8. In the results pane, click Migration jobs, and then on the ribbon, click Run.
Migrating Clients
You can use any supported client deployment
method to migrate clients. When CCMSetup
detects a Configuration Manager 2007 client
on the target computer, it uninstalls the existing
client software and installs the new client software.
• The globally unique identifier (GUID). The GUID associates a client with its information in the
Configuration Manager database.
• The advertisement history. The advertisement history prevents clients from rerunning advertisements
unnecessarily.
• Information about any advertisements that have not yet run. If the advertisements have not run, they
are deleted. You must migrate or re-create the advertisements in the new Configuration Manager
2012 hierarchy.
• Inventory data. Clients perform an inventory cycle after upgrading, and then send the new data to the
management point.
• Compliance data. Clients evaluate compliance against the baselines assigned in the new environment,
and then send the compliance data to the management point.
Lesson 5
Upgrading Configuration Manager 2012 to Configuration
Manager 2012 with SP1 and then to System Center 2012
R2 Configuration Manager
You cannot upgrade Configuration Manager 2012 without a service pack directly to System Center 2012
R2 Configuration Manager. When performing an in-place upgrade of Configuration Manager 2012
without a service pack to System Center 2012 R2 Configuration Manager, you must first upgrade to
Configuration Manager 2012 with SP1.
In this lesson, you will learn the steps required to upgrade Configuration Manager 2012 without a service
pack to System Center 2012 R2 Configuration Manager.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the requirements for upgrading to Configuration Manager 2012 with SP1.
• Describe the requirements for upgrading to System Center 2012 R2 Configuration Manager.
• Describe the upgrade considerations for Configuration Manager 2012.
• Configure automatic client upgrade.
Modification | Description
Ensure the environment meets the Configuration Manager 2012 with SP1 prerequisites | Configuration Manager 2012 uses the Windows Automated Installation Kit (Windows AIK) for operating system deployment. Configuration Manager 2012 with SP1 uses the Windows Assessment and Deployment Kit 8 (Windows ADK 8). You must uninstall the Windows AIK and then install Windows ADK 8.
Review the site hierarchy and resolve any issues | Before you perform the upgrade, ensure you resolve all operational issues.
Install all critical updates on the site server, database server, and any remote site systems | Apply all updates and perform all necessary restarts before you start the installation.
Review requirements for add-ins or extensions used | Before you upgrade, review the requirements for any add-ins or extensions to avoid any compatibility problems.
Disable any database replicas that management points use at primary sites | The Configuration Manager 2012 with SP1 upgrade will fail if a management point on a primary site is using a replica database.
Reconfigure any network load balancing (NLB) software update points | Software update points using NLB cannot be upgraded.
Back up the site database | Before upgrading, always back up the database in case you need to perform a disaster recovery.
Disable all site maintenance tasks | Tasks such as Backup Site Server can interrupt the upgrade process and you need to stop them for the duration of the upgrade.
Create a duplicate of any built-in collections you modified | Built-in collections in Configuration Manager 2012 with SP1 are read-only and you cannot modify them.
Run the Prerequisite Checker | The Configuration Manager 2012 with SP1 prerequisites are different from Configuration Manager 2012. Running the Prerequisite Checker allows you to find any missing prerequisites.
Download the prerequisite and redistributable files for Configuration Manager 2012 with SP1 | Use the Setup Downloader to download the additional files used during setup. These include prerequisite redistributables, language packs, and the latest product updates. Place them in a location that is accessible during setup.
Plan for server and client language support | If you have previously installed support for additional languages, you may need to download the appropriate files for the Configuration Manager 2012 with SP1 installation. If you do not download the language files for an installed language, the installation process will remove support for the missing language files.
Plan for site system role prerequisites | The Prerequisite Checker does not check prerequisites for site system roles on the site server or remote system servers.
Review the site upgrade considerations | Review the automatic changes and manual changes required for the upgrade to be complete.
Test the database upgrade process | Restore the site database to an additional computer running SQL Server and verify that you can upgrade the database without incident.
Restart all the servers in the hierarchy | Ensure that there are no pending processes before you begin the upgrade.
Install Configuration Manager 2012 with SP1 | Start at the top-level site. Once the top-level site is complete, upgrade any child sites.
Upgrade any stand-alone Configuration Manager console installations | Before managing a Configuration Manager 2012 with SP1 site, you must upgrade a management console to Configuration Manager with SP1.
Reconfigure any database replicas | If you use database replicas for management points, you can reconfigure them once the upgrade is complete.
Reconfigure any database maintenance tasks disabled previously | Once the upgrade is complete, you can reconfigure the maintenance tasks.
Modification | Description
Ensure you upgrade all the sites in the hierarchy to Configuration Manager 2012 with SP1 | You must upgrade to System Center 2012 R2 Configuration Manager from Configuration Manager 2012 with SP1.
Ensure that the environment meets the System Center 2012 R2 Configuration Manager prerequisites | System Center 2012 R2 Configuration Manager uses Windows ADK 8.1. You must uninstall the Windows ADK 8 and install the Windows ADK 8.1.
Review the site hierarchy and resolve any issues | Before you perform the upgrade, ensure that you resolve all operational issues.
Install all critical updates on the site server, database server, and any remote site systems | Apply all updates and perform all necessary restarts before you start the installation.
Review requirements for add-ins or extensions | Before you upgrade, review the requirements for any add-ins or extensions to avoid any compatibility problems.
Disable any database replicas that management points at primary sites are using | The Configuration Manager 2012 with SP1 upgrade will fail if a management point on a primary site is using a replica database.
Reconfigure any NLB software update points | You cannot upgrade software update points using NLB.
Back up the site database | Before upgrading, always back up the database in case you need to perform a disaster recovery.
Disable all site maintenance tasks | Tasks such as Backup Site Server can interrupt the upgrade process and you must stop them for the duration of the upgrade.
Create a duplicate of any built-in collections you modified | You cannot modify built-in collections in Configuration Manager 2012 with SP1.
Run the Prerequisite Checker | The Configuration Manager 2012 with SP1 prerequisites are different from Configuration Manager 2012. Running the Prerequisite Checker allows you to find any missing prerequisites.
Download the prerequisite and redistributable files for System Center 2012 R2 Configuration Manager | Use the Setup Downloader to download the additional files during setup. These include prerequisite redistributables, language packs, and the latest product updates. Place them in a location that is accessible during setup.
Prepare to upgrade secondary sites | System Center 2012 R2 Configuration Manager secondary sites use SQL Server 2012 Express Edition with cumulative update package 2. When attempting to upgrade a secondary site from an earlier version of SQL Server 2012 Express, the upgrade will fail.
Plan for server and client language support | If you have previously installed support for additional languages, you may need to download the appropriate files for the Configuration Manager 2012 with SP1 installation. If you do not download the language files for an installed language, the installation process will remove support for the missing language files.
Plan for site system role prerequisites | The Prerequisite Checker does not check prerequisites for site system roles on the site server or remote system servers.
Review the site upgrade considerations | Review the automatic changes and manual changes required for the upgrade to be complete.
Test the database upgrade process | Restore the site database to an additional computer running SQL Server and verify that you can upgrade the database without incident.
Restart all the servers in the hierarchy | Ensure that there are no pending processes before you begin the upgrade.
Install System Center 2012 R2 Configuration Manager | Start at the top-level site. Once the top-level site is complete, upgrade any child sites.
Upgrade any stand-alone Configuration Manager console installation | Before managing a Configuration Manager 2012 with SP1 site, you must upgrade a management console to Configuration Manager 2012 with SP1.
Reconfigure any database replicas | If you use database replicas for management points, you can reconfigure them once the upgrade is complete.
Reconfigure any database maintenance tasks you disabled previously | Once the upgrade is complete, you can reconfigure maintenance tasks.
Upgrade clients | While Configuration Manager 2012 with SP1 supports client communications from lower level clients, you should upgrade the clients as soon as possible. Systems using lower level clients cannot take advantage of the new functionality.
• Other considerations. When upgrading a site to Configuration Manager 2012 with SP1, several
settings are reset to their default values:
o Software settings. Work information business hours are reset to 5:00 AM to 10:00 PM Monday
through Friday. Computer maintenance is set to Suspend Software Center activities when my
computer is in presentation mode. Remote Control is set to the value in the applicable client
settings.
o Custom summarization schedules for software updates are reset to the default value of one hour.
When upgrading from Configuration Manager 2012 with SP1 to System Center 2012 R2 Configuration
Manager, the considerations are identical, with the following exception:
• Automatic actions. The default boot images are upgraded to Windows PE 5.0, which is capable of
deploying Windows 8.1 and Windows Server 2012 R2. Windows PE 5.0 is backward compatible with
Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012. Windows PE 5.0 cannot
deploy Windows Server 2008, Windows Vista®, or older operating systems.
To configure a Configuration Manager 2012 site automatic client upgrade, follow this procedure:
• On the Home tab, click Hierarchy Settings, and then click the Client Installation Settings tab.
Note that in Configuration Manager 2012 with SP1 and later versions, the Client Installation Settings
tab has been renamed Automatic Client Upgrade.
The availability of automatic upgrade options depends on the version of Configuration Manager 2012, as
illustrated in the following table.
Option | Notes
Upgrade client automatically when new client updates are available | You must select this check box to enable the automatic client upgrade.
Allow clients to use a fallback source location for content | This setting was removed in Configuration Manager 2012 with SP1.
Do not run program when a client is within a slow or unreliable network boundary or when the client uses a fallback source location for content | This setting was removed in Configuration Manager 2012 with SP1.
Automatically upgrade clients within days | Specifies the number of days, from the time the client receives the policy, within which the client will attempt to upgrade. To prevent network saturation, the client will attempt the upgrade at a random time interval within the number of days specified.
Automatically upgrade clients that are this version or earlier | This setting was removed in Configuration Manager 2012 with SP1.
Demonstration Steps
1. On LON-CFG, in the Configuration Manager console, in the Site Configuration folder, click the Sites
node.
2. On the ribbon, click Hierarchy Settings. The Site Settings Properties dialog box is displayed.
3. On the Automatic Client Upgrade tab, select the Upgrade client automatically when new client
updates are available check box.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 45 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
o Password: Pa$$w0rd
o Domain: Adatum
3. Under Site Database, expand Site Management, expand CM7-London Configuration Manager
2007, expand Site Settings, click the Boundaries node, and then review the Properties of the
existing IP subnet boundary.
4. Under Site Database, under Site Management, under CM7-London Configuration Manager
2007, expand FHM - Fulham Secondary Site, expand Site Settings, expand Site Systems, click
\\LON-SVR1, and then verify the roles for LON-SVR1.
5. Under Computer Management, expand Collections, and then access the Properties of the Adatum
Servers collection.
6. In the Adatum Servers Properties dialog box, under Membership Rules, observe that there are no
membership rules defined.
Note: The Adatum Servers collection does not have any members and serves as a container
for the other two collections.
7. Under Adatum Servers, access the Properties of the London Servers collection.
8. Review the Membership rules for the London Servers collection, and then examine the query used
to determine the membership of the collection.
Note: The London Servers collection uses a query rule to include all computers with a name
starting with LON.
9. Under Adatum Servers, access the Properties of the ConfigMgr Servers collection.
10. Review the Membership rules for the ConfigMgr Servers collection, and then observe the direct
membership rule created for LON-CM7.
Note: The ConfigMgr Servers collection uses a direct membership rule to include
LON-CM7 as a member.
12. Access the Properties of the Microsoft Corporation Microsoft Office Word Viewer 2003 package,
and then review its settings, including the distribution points to which it is distributed. Note that this
is a Windows Installer package.
13. Access the Properties of the Excel Viewer 1 package, and then review its settings, including the
distribution points to which it is distributed. Note that this is an App-V package.
14. Under the Advertisements node, review the existing advertisements.
15. Under Asset Intelligence, expand Customize Catalog, click the Software Categories node, and
then review the Adatum Software custom category.
16. Under the Software Families node, review the Adatum LOB Applications custom family.
17. Under the Custom Labels node, review the Adatum Application custom label.
18. Under Desired Configuration Management, click the Configuration Items node.
19. Access the Properties of the Windows Firewall Enabled configuration item, review the
properties, and then at the Settings tab, review the settings of the configuration item. Note that this
configuration item is using a WMI query language (WQL) query to check the status of the Windows
Firewall.
20. Under the Configuration Baselines node, access the Properties of the Adatum Security Policy
Validation baseline, and then review the settings.
2. In the Configuration Manager console, in the Administration workspace, under the Migration node,
click the Source Hierarchy node, and then on the ribbon, click Specify Source Hierarchy.
3. In the Specify Source Hierarchy dialog box, use the following settings to configure the source
hierarchy:
o In the Top-level Configuration Manager site server box, type LON-CM7.Adatum.com.
o Under Specify the Source Site Account to use to access the SMS Provider for the source site
server. This account requires Read permissions to all source site objects, verify that User
Account is selected, and then use Set to configure a new account with the following information:
In the User name box, type Adatum\Administrator.
In the Password and Confirm password boxes, type Pa$$w0rd.
Use Verify and Test connection to validate the credentials and connection to the source
site.
o Under Specify the Source Site Database Account to use to access the SQL Server for the
source site server. This account requires Read and Execute permissions to the source site
database, verify that Use the same account as the Source Site SMS Provider Account is
selected.
o Select the Enable distribution-point sharing for the source site server check box.
4. After you have configured the source hierarchy, the Data Gathering Status process will start. Wait
for the data collection to complete, and then click Close.
5. On the ribbon, click Refresh, and then on the Shared Distribution Points tab, verify that
LON-CM7.ADATUM.COM and LON-SVR1.ADATUM.COM appear.
Note: By configuring the Shared Distribution Points option, both the Configuration
Manager 2007 clients and Configuration Manager 2012 clients will have access to the packages
during migration.
Results: At the end of this exercise, you should have reviewed the configuration of the Microsoft® System
Center Configuration Manager 2007 site and configured the source hierarchy in Configuration Manager
2012.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the following
settings to configure the migration job:
o On the Select Collections page, select Adatum Servers (this also selects London Servers and
ConfigMgr Servers), and then verify that the Migrate objects that are associated with the
specified collections option is selected.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, click
Refresh.
3. In the Assets and Compliance workspace, under Device Collections, open the Adatum Servers
folder, and then observe the migrated ConfigMgr Servers and London Servers collections. If you do
not see the Adatum Servers folder, click the Overview node, and then press F5 on your keyboard to
refresh the navigation pane.
4. Access the Properties of the London Servers collection, and then review the Membership rules.
5. In the Software Library workspace, under Application Management, click the Packages node.
6. Click the migrated Microsoft Office Word Viewer 2003 package, and then in the preview pane,
review the information in the Deployments tab.
7. Under the Applications node, click the migrated Excel Viewer virtual application package, and then
in the preview pane, review the information in the Deployment Types tab.
o On the Select Objects page, under Object types, select the following types of objects:
Boundaries
Configuration Baselines. In the Included Objects dialog box, confirm the inclusion of
configuration items.
Asset Intelligence Catalog
o On the Content Ownership page, use the default settings.
o On the Security Scope page, select Default, and then continue through the wizard.
o Continue the wizard by choosing the default settings, and then on the Settings page, select the
Run the migration job now option.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, select the
Migrate objects by type object, and then click Refresh.
3. Click the Configuration Baselines node, and then review the migrated baseline.
4. In the Administration workspace, under the Hierarchy Configuration node, click the Boundaries
node, and then review the migrated boundary.
5. Click the Boundary Groups node, and then review the boundary groups created for the
Configuration Manager 2007 site and for the distribution points.
3. From the results pane, run the Migration Job properties report.
4. In the report window, select the first migration job as a parameter, and then click View Report.
Review the results, and then close the report window.
6. In the results pane, run the Migration jobs report. Review the results, and then close the report
window.
Results: At the end of this exercise, you should have created migration jobs, performed object migration,
and viewed the migration reports.
3. Once the Reassign Shared Distribution Point Wizard completes, monitor the status until the status
changes to Pending on secondary site uninstallation. To update the results pane, press F5.
Note: The uninstallation of the secondary site should take about five minutes.
Note: The distribution point installation should take about five minutes.
2. In the Monitoring workspace, verify that the Excel Viewer application is distributed to
LON_SVR1.ADATUM.COM.
2. In the results pane, click CM7, and then on the ribbon, click Stop Gathering Data. Click Yes in the
Configuration Manager dialog box.
3. In the results pane, verify that CM7 has the status Have not gathered data, and then on the ribbon,
click Clean Up Migration Data.
4. In the Clean Up Migration Data dialog box, verify that CM7 (LON-CM7.Adatum.com) appears in
the Source hierarchy box, and then click OK. Click Yes in the Configuration Manager dialog box.
5. In the results pane, note that the source hierarchy has been removed.
Results: At the end of this exercise, you will have reassigned a secondary site.
Question: What are the restrictions for site codes during migration?
Question: What additional configurations do you need to perform when migrating objects
related to software updates?
Course Evaluation
Your evaluation of this course will help Microsoft
understand the quality of your learning
experience.
Please work with your training provider to access
the course evaluation form.
2. In the navigation pane of the Server Manager console, click Local Server.
o Deployment Tools
o Windows Preinstallation Environment
o User State Migration Tool
Results: After this exercise, you should have validated the prerequisites for installing System Center 2012
Configuration Manager.
2. Double-click extadsch.exe.
3. Browse to the drive C, open the ExtADSch.log file created in the root of drive C, and then verify the
success of the operation by observing the classes and attributes added to AD DS and the message
that confirms the schema’s successful extension.
2. In the Run dialog box, type adsiedit.msc, and then click OK.
3. In the ADSI Edit console, right-click ADSI Edit, and then click Connect to.
4. In the Connection Settings dialog box, accept the defaults, and then click OK.
5. In the ADSI Edit console tree, expand Default naming context [LON-DC1.Adatum.com], expand
the DC=Adatum,DC=Com container, right-click the CN=System container, click New, and then click
Object.
6. In the Create Object page, select container, and then click Next.
7. In the Create Object page, in the Value text box, type System Management, click Next, and then
click Finish.
8. In the ADSI Edit console, click the CN=System container, verify that CN=System Management
container appears in the results pane, and then close the console.
Task 3: Assign Full Control permissions to the site server for the System Management
container
1. On LON-DC1, from the Start screen, click Administrative Tools, and then double-click Active
Directory Users and Computers.
2. In the Active Directory Users and Computers console, from the View menu, select Advanced
Features.
3. In the navigation pane, expand Adatum.com, expand the System container, right-click the System
Management container, and then select Properties.
4. In the System Management Properties dialog box, select the Security tab, and then click Add.
5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select Computers, and then click OK.
7. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select text box, type LON-CFG, click Check Names, and then click OK.
8. In the System Management Properties dialog box, select LON-CFG (Adatum\LON-CFG$), and in
the Allow column, select the Full Control permission check box (all checkboxes are selected). Click
Advanced.
9. In the Advanced Security Settings for System Management dialog box, select
LON-CFG (Adatum\LON-CFG$) from the permission entry list, and then click Edit.
10. In the Permission Entry for System Management dialog box, in the Apply to drop-down list, select
This object and all descendant objects, and then click OK.
11. In the Advanced Security Settings for System Management dialog box, click OK.
Note: After installation, the Configuration Manager 2012 site server publishes information
in this container. This enables clients to determine their assigned site and locate their
management point.
Results: At the end of this exercise, you should have extended the Active Directory schema, created the
System Management container, and assigned permissions to the Configuration Manager server.
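The delegation from Task 3 can be checked after the fact. The following is an added example, not part of the courseware: it audits the access control entries on the System Management container and reports a site server entry that is missing, not Full Control, or still scoped to the container object only, plus any other principal with write access. The function names, finding labels and allow-list are assumptions, and the sample entries are constructed.

```powershell
# Added example, not part of the courseware. Function names, finding labels and the
# allow-list are assumptions; the sample ACEs at the bottom are constructed.
function New-AclFinding {
    param([string] $Identity, [string] $Issue, [string] $Detail)
    [pscustomobject]@{ Identity = $Identity; Issue = $Issue; Detail = $Detail }
}

function Test-SystemManagementAcl {
    param(
        # ACEs to audit. On a domain-joined host with the ActiveDirectory module:
        #   Import-Module ActiveDirectory
        #   (Get-Acl 'AD:\CN=System Management,CN=System,DC=Adatum,DC=Com').Access
        [Parameter(Mandatory)] [object[]] $Access,
        [Parameter(Mandatory)] [string] $SiteServerAccount,
        # Principals expected to hold write access (assumption: adjust per domain).
        [string[]] $ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                        'ADATUM\Domain Admins', 'ADATUM\Enterprise Admins')
    )
    # Rights that allow creating, changing or taking over objects in the container.
    $writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner',
                   'CreateChild', 'DeleteChild', 'WriteProperty'
    $findings = New-Object System.Collections.Generic.List[object]
    $siteServerSeen = $false

    foreach ($ace in $Access) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $identity = "$($ace.IdentityReference)"
        # Flag enums print as 'CreateChild, DeleteChild'; split into single right names.
        $rights = "$($ace.ActiveDirectoryRights)" -split ',\s*'
        $scope = "$($ace.InheritanceType)"

        if ($identity -eq $SiteServerAccount) {
            $siteServerSeen = $true
            if ($rights -notcontains 'GenericAll') {
                $findings.Add((New-AclFinding $identity 'NotFullControl' "Rights: $($rights -join ', ')"))
            }
            if ($scope -ne 'All') {
                # 'All' is what the GUI shows as "This object and all descendant objects".
                $findings.Add((New-AclFinding $identity 'WrongScope' "InheritanceType is $scope, expected All"))
            }
            if ($ace.IsInherited) {
                # The grant was made on a parent, so it covers more than this container.
                $findings.Add((New-AclFinding $identity 'InheritedFromParent' 'Grant it on the container itself'))
            }
            continue
        }

        $held = @($rights | Where-Object { $writeRights -contains $_ })
        if ($held.Count -gt 0 -and $ExpectedWriters -notcontains $identity) {
            $findings.Add((New-AclFinding $identity 'UnexpectedWriter' "Rights: $($held -join ', ')"))
        }
    }

    if (-not $siteServerSeen) {
        $findings.Add((New-AclFinding $SiteServerAccount 'MissingAce' 'No Allow entry for the site server'))
    }
    return $findings
}

# Constructed sample: the site server ACE applies to the container object only
# (as if step 10 had been skipped), and an extra group can create child objects.
$sampleAccess = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM'; ActiveDirectoryRights = 'GenericAll'
                       InheritanceType = 'None'; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'ADATUM\LON-CFG$'; ActiveDirectoryRights = 'GenericAll'
                       InheritanceType = 'None'; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'ADATUM\HelpDesk'; ActiveDirectoryRights = 'CreateChild, DeleteChild'
                       InheritanceType = 'All'; AccessControlType = 'Allow'; IsInherited = $false }
)

Test-SystemManagementAcl -Access $sampleAccess -SiteServerAccount 'ADATUM\LON-CFG$' |
    Format-Table -AutoSize
```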
2. The Microsoft System Center 2012 Configuration Manager Setup Wizard starts. On the Before You
Begin page, click Next.
3. On the Getting Started page, under Available Setup Options, select Install a Configuration
Manager primary site, and then click Next.
4. On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
5. On the Microsoft Software License Terms page, select the I accept these license terms check box,
and then click Next.
6. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, and then under Microsoft SQL Server 2012 Native Client, select I accept
these License Terms. Under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight, and then click Next.
7. On the Prerequisite Downloads page, select Use previously downloaded files, and then click
Browse.
8. In the Browse For Folder dialog box, select the E:\ConfigMgr2012R2\Redist folder, and then
click OK.
13. On the Site and Installation Settings page, type the following information, and then click Next:
14. On the Primary Site Installation page, select Install the primary site as a stand-alone site, and
then click Next.
15. In the Configuration Manager dialog box, click Yes.
16. On the Database Information page, verify that the SQL Server® name is LON-CFG.Adatum.com
and the database name is CM_LON, and then click Next twice.
17. On the SMS Provider Settings page, verify that the server name is LON-CFG.Adatum.com, and
then click Next.
18. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role, and then click Next.
19. On the Site System Roles page, verify that the Install a management point and Install a
distribution point check boxes are selected, verify that LON-CFG.Adatum.com appears in both
FQDN text boxes, and then click Next.
20. On the Customer Experience Improvement Program Configuration page, select I don’t want to
join the program at this time, and then click Next.
21. On the Settings Summary page, review your selected settings, and then click Next.
22. On the Prerequisite Check page, wait until Prerequisite Check validates the server readiness to host
the selected roles, and then click Begin Install.
23. In the Install window, wait for the installation to finish, and then click Close.
24. In the System Center 2012 Configuration Manager Setup screen, click Exit.
Results: At the end of this exercise, you should have installed System Center 2012 Configuration Manager
in a stand-alone primary site.
3. In the navigation pane, expand System Status, and then click Site Status.
Task 2: View the status messages that pertain to the Configuration Manager 2012
installation
1. In the navigation pane, click Site Status.
2. In the results pane, select Site server.
3. On the ribbon, click the Show Messages button, and then click All.
4. In the Status Messages: Set Viewing Period dialog box, verify that in the Select date and time
drop-down list, 1 day ago is selected, and then click OK. The Configuration Manager Status
Message Viewer for <LON> <Adatum Site> dialog box opens.
5. Double-click on any message, and then in the Status Message Details dialog box that appears,
review the details of the status message. Use the Next and Previous buttons to view additional status
messages.
2. In the root folder, double-click the ConfigMgrPrereq.log file. Review the file, and then note any
errors or warnings reported by Prerequisite Checker.
4. In the root folder, double-click the ConfigMgrSetup.log file. Review the file, and then note any
errors or warnings reported by Setup.
Note: The root folder also stores the ConfigMgrSetupWizard.log. If you installed the
console, you should see ConfigMgrAdminUISetup.log.
Results: At the end of this exercise, you will have validated the installation of System Center 2012
Configuration Manager.
2. In the Active Directory Sites and Services console tree, expand the Sites folder, and then select
Default-First-Site-Name.
5. In the Active Directory Sites and Services console tree, expand Sites, right-click the Subnets folder,
and then select New Subnet.
6. In the New Object – Subnet dialog box, in the Prefix text box, type 172.16.0.0/16.
7. In the Select a site object for this prefix list, select the London site, and then click OK.
Task 2: Configure Active Directory Forest Discovery to create a new boundary from
the Active Directory site
1. On LON-CFG, in the Configuration Manager console, select the Administration workspace.
2. In the navigation pane, expand Hierarchy Configuration, and then select Discovery Methods.
3. In the results pane, select the Active Directory Forest Discovery, and then on the ribbon, click
Properties.
4. In the Active Directory Forest Discovery Properties dialog box, select Enable Active Directory
Forest Discovery, select the Automatically create Active Directory site boundaries when they
are discovered check box, and then click OK.
5. In the Configuration Manager dialog box, to initiate full discovery, click Yes.
9. On the Publishing tab, review the settings, and then click Cancel.
10. In the navigation pane, click Boundaries. Refresh the console.
11. In the results pane, select London, and then on the ribbon, click Properties.
12. In the London Properties dialog box, review the settings, and then click Cancel.
3. In the Create Boundary Group dialog box, on the General tab, in the Name text box, type London
Clients, and then click Add.
4. In the Add Boundaries dialog box, select the London boundary, and then click OK.
5. In the Create Boundary Group dialog box, click the References tab, and then select the Use this
boundary group for site assignment check box.
7. In the Add Site Systems dialog box, select the \\LON-CFG.Adatum.com check box, and then
click OK.
Task 4: Install additional site system roles: the Fallback Status Point and Reporting
Services Point
1. In the Configuration Manager console, in the navigation pane, expand Site Configuration, and then
click Servers and Site System Roles.
2. In the results pane, select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and
then click Add Site System Roles.
3. The Add Site System Roles Wizard starts. On the General page, verify that the Name for the site
server is LON-CFG.Adatum.com, and then click Next.
5. On the System Role Selection page, select Fallback status point and Reporting services point,
and then click Next.
6. On the Fallback Status Point page, review the settings, and then click Next.
7. On the Reporting Services Point page, verify that the Site database server name is
LON-CFG.Adatum.com and the Database name is CM_LON, and then click Verify. Wait for the
message Successfully verified to appear.
8. Click the Set button next to User name, and then click New Account.
9. In the Windows User Account dialog box, specify the following credentials, and then click OK:
o User name: ADATUM\Administrator
o Password: Pa$$w0rd
3. In the Management point Properties dialog box, review the settings, select the Generate alert
when the management point is not healthy check box, and then click OK.
4. In the preview pane, right-click the Distribution point, and then click Properties.
5. In the Distribution point Properties dialog box, review the settings on each of the following tabs:
o General
o PXE
o Multicast
o Content Validation
6. In the Distribution point Properties window, click the Boundary Groups tab, verify that the London
Clients boundary group you have created previously appears in the list, and then click Cancel.
Note: The association between the distribution point and the boundary group was created
when you added the site system to the boundary group in a previous task.
Results: At the end of this exercise, you will have performed the initial configuration of a System Center
2012 Configuration Manager stand-alone primary site.
4. Review the list of roles available in the results pane. Note that there are 15 built-in roles.
8. In the results pane, select ADATUM\Administrator, and then review the information in the preview
pane. By default, the user who performed the Microsoft® System Center 2012 R2 Configuration
Manager setup is assigned the Full Administrator role, the All security scope, and the All Systems
and All Users and User Groups collections.
2. In the results pane, select Application Administrator, and then, on the ribbon, click Properties.
3. In the Application Administrator Properties dialog box, on the General tab, examine the role
description.
4. Click the Administrative Users tab, and then note that there are no users associated with this role.
Additionally, note that you cannot add users from this property window.
5. Click the Permissions tab, and then examine the permissions associated with this role. Expand each
category, and then review the individual permissions. Note that you cannot modify the permissions
for built-in roles.
6. Click Cancel to close the Application Administrator Properties dialog box.
Results: By the end of this exercise, you should have reviewed the built-in roles, including their associated
permissions, and the built-in security scopes.
2. In the Active Directory Users and Computers console, expand Adatum.com, right-click the Users
container, point to New, and then select User.
3. In the New Object – User dialog box, in both the First name and User logon name text boxes, type
LondonAdmin, and then click Next.
4. In the New Object – User dialog box, in both the Password and Confirm password text boxes, type
Pa$$w0rd, clear the User must change password at next logon check box, and then click Next.
6. In the Active Directory Users and Computers console, right-click the Users container, point to New,
and then click Group.
7. In the New Object – Group dialog box, in the Group name text box, type London Application
Admins as the group name, and then click OK.
8. Click the Users container, in the details pane, right-click the newly created London Application
Admins group, and then click Properties.
9. In the London Application Admins Properties dialog box, click the Members tab, and then
click Add.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select field, type LondonAdmin, click Check Names, and then click OK.
11. In the London Application Admins Properties dialog box, click OK.
12. Close the Active Directory Users and Computers console.
4. In the Create Security Scope dialog box, in the Security scope name text box, type London, and
then click OK.
5. In the Configuration Manager console, in the navigation pane, click Distribution Points.
6. In the results pane, select LON-CFG.ADATUM.COM, and then on the ribbon, click Set Security
Scopes.
7. In the Set Security Scopes dialog box, leave the Default scope selected, select London, and then
click OK.
3. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts.
4. On the General page, in the Name box, type London Servers, and then next to Limiting collection,
click Browse.
5. In the Select Collection dialog box, select All Systems, and then click OK.
6. On the General page, click Next.
7. On the Membership Rules page, click Add Rule, and then click Direct Rule. The Create Direct
Membership Rule Wizard starts.
10. On the Select Resources page, select LON-CFG, and then click Next.
13. In the Create Device Collection Wizard, on the Membership Rules page, verify that LON-CFG was
added to the list, and then click Next.
2. In the navigation pane, expand the Security node, and then select Security Roles.
3. In the results pane, select Application Administrator, and then on the ribbon, click Copy.
4. In the Copy Security Role dialog box, in the Name text box, type Application and Update
Administrator.
5. In the Copy Security Role dialog box, in the Customize the permissions for this copy of the
security role area, in the Permissions box, configure the following permissions by expanding each
permission group, and then selecting Yes next to each individual permission:
Task 5: Add a new group of administrative users, and then assign a custom role and a
custom scope
1. In the Configuration Manager console, in the navigation pane, under the Security node, click
Administrative Users.
4. In the Select User, Computer, or Group dialog box, in the Enter the object name to select text
box, type London Application Admins, click Check Names, and then click OK.
5. In the Add User or Group dialog box, next to the Assigned security roles list box, click Add.
6. In the Add Security Role dialog box, select the Application and Update Administrator role, and
then click OK.
7. In the Add User or Group dialog box, under Assigned security scopes and collections, verify that
the Only the instances of objects that are assigned to the specified scopes or collections option
is selected. In the list box, select each collection and security scope, and then click Remove.
8. In the Add User or Group dialog box, in the Security scopes and collections area, click Add, and
then click Security Scope.
9. In the Add Security Scope dialog box, select London, and then click OK.
10. In the Add User or Group dialog box, in the Security scopes and collections area, click Add, and
then select Collection.
11. In the Select Collections dialog box, select Device Collections, select London Servers, and then
click OK.
Note: The users added to the London Application Admins group will have access only to
the Configuration Manager objects associated with the London scope and resources in the
London Servers collection.
Results: By the end of this exercise, you should have created a custom security scope, a custom collection,
and a custom security role.
2. In the Windows Security dialog box, in the Username box, type LondonAdmin, and then in the
Password box, type Pa$$w0rd. Click OK.
2. In the navigation pane, under the Overview node, click Device Collections.
3. In the results pane, verify that you can see only the London Servers collection.
4. In the navigation pane, click on the Devices node.
5. In the results pane, verify that you can see only the resources associated with your collection.
7. In the navigation pane, under the Overview node, click Distribution Points.
8. In the results pane, verify that you can see the LON-CFG.ADATUM.COM server.
10. Verify that you do not have access to the Administrative Users, Security Roles, or Security Scopes
nodes.
Results: By the end of this exercise, you should have tested the new role permissions.
4. Double-click Administrators.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type
LON-CAS, and then click Check Names.
9. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click OK.
14. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click the Users container.
15. Double-click ConfigMgrServers.
16. In the ConfigMgrServers Properties dialog box, click the Members tab, and then click Add.
17. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types.
18. In the Object Types dialog box, select the Computers check box, and then click OK.
19. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type
LON-CAS; NYC-CFG, and then click Check Names.
20. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click OK.
21. In the ConfigMgrServers Properties dialog box, click OK.
22. Close Active Directory Users and Computers and Server Manager.
2. In Hyper-V® Manager, click 10748C-LON-CAS-B, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
Task 3: Run Installation Prerequisite Check, and verify that the expansion
prerequisites are met
1. On LON-CAS, go to the Start screen, and then type cmd. Right-click Command Prompt, and then
click Run as administrator.
2. In the Administrator: Command Prompt, type the following and then press Enter:
E:
3. In the Administrator: Command Prompt, type the following and then press Enter:
CD E:\ConfigMgr2012R2\SMSSetup\BIN\X64
4. In the Administrator: Command Prompt, type the following and then press Enter:
5. The Installation Prerequisite Check starts and evaluates the server for installed prerequisites.
6. In the Installation Prerequisite Check window, verify that there are no errors (you may receive several
warnings), and then click OK.
4. In the How do you want to open this type of file (.hta)? dialog box, click Microsoft (R) HTML
Application host.
3. On the Getting Started page, in Available Setup Options, select Install a Configuration Manager
central administration site, and then click Next.
4. On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
5. On the Microsoft Software License Terms page, select I accept these license terms, and then click
Next.
6. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, under Microsoft Silverlight 5, select I accept these License Terms and automatic
updates of Silverlight, and then click Next.
7. On the Prerequisite Downloads page, select Use previously downloaded files, and then click
Browse.
8. In the Browse For Folder dialog box, select E:\ConfigMgr2012R2\Redist, and then click OK.
10. Configuration Manager Setup Downloader starts to verify the prerequisites. Wait for the operation to
finish.
13. On the Site and Installation Settings page, enter the following settings, and then click Next:
14. On the Central Administration Site Installation page, select Expand an existing stand-
alone primary into a hierarchy, in the Stand-alone primary site server (FQDN) field, type
LON-CFG.Adatum.com, and then click Next.
15. On the Database Information page, verify that the SQL Server name is LON-CAS.Adatum.com and
that the database name is CM_CAS, and then click Next.
16. On the second Database Information page, verify that the Path to the SQL Server data file is
configured as C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
17. On the second Database Information page, verify that the Path to the SQL Server log file is
configured as C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA,
and then click Next.
18. On the SMS Provider Settings page, verify that the server name is LON-CAS.Adatum.com, and
then click Next.
19. On the Customer Experience Improvement Program Configuration page, select I don’t want to
join the program at this time, and then click Next.
20. On the Settings Summary page, review your selected settings, and then click Next.
21. On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click Begin
Install.
22. In the Install window, wait for the installation to complete, and then click Close.
Note: When the System Center R2 Configuration Manager Setup Wizard displays Core
setup has completed, the setup is not complete. Do not continue with the lab until the
Applying the snapshot data task has completed. The installation process may take up to 45
minutes.
23. In the System Center 2012 R2 Configuration Manager Setup screen, click Exit.
Results: At the end of this exercise, you should have installed a Microsoft® System Center 2012 R2
Configuration Manager central administration site and a primary site in a hierarchy.
Note: If a Configuration Manager dialog box appears stating that your Configuration
Manager console is in read-only mode, click OK to continue.
3. In the navigation pane, expand System Status, and then click Site Status.
4. View the status of each site system and site system roles.
Task 2: View the status messages for the Configuration Manager 2012 installation
1. In the navigation pane, click Site Status.
2. In the results pane, for \\LON-CAS.Adatum.com, select Site server.
4. In the Status Messages: Set Viewing Period dialog box, verify that Select date and time is selected
and that in the corresponding drop-down list, 1 day ago is selected, and then click OK.
5. In the Configuration Manager Status Message Viewer for <CAS> <London Central Administration
Site> window, double-click any status message, and then review the details. Click OK to close the
Status Message Details box.
6. Close the Configuration Manager Status Message Viewer for <CAS> <London Central Administration
Site> window.
2. View the status of the database replication between Parent Site CAS and Child Site S01.
Note: If the Link State is Link Failed, you must reinitialize the replication. To reinitialize the
replication, perform the following steps:
1. Switch to LON-CFG.
5. After 10 minutes, switch to LON-CAS and in Database Replication, refresh the replication link for
Parent Site CAS and Child Site S01. The link should now display Link Active.
2. In the root folder, open the ConfigMgrPrereq.log file. The file is displayed in Notepad.
3. Note any errors and warnings reported by Prerequisite Checker. Close Notepad.
4. In the root folder, open the ConfigMgrSetup.log file. The file is displayed in Notepad.
Note: When a log file reaches a certain size, which varies depending on the process, a new
log file is created and the old log file is renamed with a .lo_ extension. The ConfigMgrSetup.log
might have only a few entries and you might need to review the ConfigMgrSetup.lo_ file.
3. In the results pane, click LON-CAS.Adatum.com, and then in the preview pane, note the roles
installed on the server, including:
o Component server
o Site server
o Site system
4. In the results pane, right-click LON-CAS.Adatum.com, and then click Add Site System Roles. The
Add Site System Roles Wizard starts.
Note: When you install certain site system roles as part of a hierarchy, you cannot install
them in a primary site. Instead, you must install these roles at the central administration site.
These roles include:
Results: At the end of this exercise, you will have validated the installation of System Center 2012 R2
Configuration Manager.
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=EVAL
SiteCode=NYC
SiteName=New York City Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=NYC-CFG.Adatum.com
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath=\\LON-CAS\E$\ConfigMgr2012R2\Redist
MobileDeviceLanguage=0
ManagementPoint=NYC-CFG.Adatum.com
ManagementPointProtocol=HTTP
DistributionPoint=NYC-CFG.Adatum.com
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
SQLServerName=NYC-CFG.Adatum.com
DatabaseName=CM_NYC
SQLSSBPort=4022
SQLDataFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
SQLLogFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
[HierarchyExpansionOption]
CCARSiteServer=LON-CAS.Adatum.COM
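An unattended Setup script is applied without any wizard page to catch a mistake, so it is worth reviewing before it is run. The following is an added example, not part of the courseware: it parses a script in the format shown above and reports host names containing whitespace, roles set to plain HTTP, and a site that allows HTTP while clients are not set to use PKI certificates. The function names and finding labels are assumptions, and the sample script is constructed from the lab's keys.

```powershell
# Added example, not part of the courseware. Function names and finding labels are
# assumptions; the sample script at the bottom is constructed.
function ConvertFrom-SetupScript {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $sections = [ordered]@{}
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }
        if ($text -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = [ordered]@{}
        } elseif ($current -and $text -match '^([^=]+)=(.*)$') {
            # Keep the value as written so whitespace after '=' can be reported.
            $sections[$current][$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $sections
}

function Test-SetupScript {
    param([Parameter(Mandatory)] $Settings)
    # Keys whose value is a server name and must not contain any whitespace.
    $hostKeys = 'SDKServer', 'ManagementPoint', 'DistributionPoint', 'SQLServerName', 'CCARSiteServer'
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($section in $Settings.Keys) {
        foreach ($key in $Settings[$section].Keys) {
            $value = "$($Settings[$section][$key])"
            if ($value -ne $value.Trim()) {
                $findings.Add([pscustomobject]@{ Section = $section; Key = $key
                    Issue = 'PaddedValue'; Detail = "Value is written as '$value'" })
            }
            if ($hostKeys -contains $key -and $value.Trim() -match '\s') {
                $findings.Add([pscustomobject]@{ Section = $section; Key = $key
                    Issue = 'WhitespaceInHostName'; Detail = "'$($value.Trim())' is not a valid FQDN" })
            }
            if ($key -like '*Protocol' -and $value.Trim() -eq 'HTTP') {
                $findings.Add([pscustomobject]@{ Section = $section; Key = $key
                    Issue = 'PlainHttpRole'; Detail = 'Client traffic to this role is not protected by TLS' })
            }
        }
    }

    $options = $Settings['Options']
    if ($options -and
        "$($options['RoleCommunicationProtocol'])".Trim() -eq 'HTTPorHTTPS' -and
        "$($options['ClientsUsePKICertificate'])".Trim() -eq '0') {
        $findings.Add([pscustomobject]@{ Section = 'Options'; Key = 'ClientsUsePKICertificate'
            Issue = 'NoClientPki'; Detail = 'Site allows HTTP and clients are not set to use PKI certificates' })
    }
    return $findings
}

# Constructed sample: one server name contains a space and one value is padded.
$sample = @'
[Identification]
Action=InstallPrimarySite
[Options]
SiteCode=NYC
SDKServer=NYC-CFG. Adatum.com
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
ManagementPoint= NYC-CFG.Adatum.com
ManagementPointProtocol=HTTP
DistributionPoint=NYC-CFG.Adatum.com
DistributionPointProtocol=HTTP
[SQLConfigOptions]
SQLServerName=NYC-CFG.Adatum.com
'@ -split '\r?\n'

Test-SetupScript -Settings (ConvertFrom-SetupScript -Lines $sample) | Format-Table -AutoSize
```

To review a script on disk, pass `Get-Content` output for that file to `ConvertFrom-SetupScript -Lines`.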
Task 2: Run Setup for Configuration Manager 2012 and use the script option
1. On NYC-CFG, click the Start menu, then on the Start screen, type cmd. Right-click Command
Prompt, and then click Run as Administrator.
2. At the command prompt, type the following commands. Press Enter after each command line:
Note: The Configuration Manager Setup will run in unattended mode. The installation
process may take up to 30 minutes. You can use Task Manager to monitor the Setup progress.
On the Details tab, when you see CcmExec.exe as a running process, the setup is complete.
Results: At the end of this exercise, you should have installed a System Center 2012 R2 Configuration
Manager primary site in an existing hierarchy by using the automated setup method.
2. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click the Users container.
3. Double-click ConfigMgrServers.
4. In the ConfigMgrServers Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types.
6. In the Object Types dialog box, select the Computers check box, and then click OK.
7. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type TOR-CFG,
and then click Check Names.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click OK.
2. In Hyper-V Manager, click 10748C-TOR-CFG-B, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Domain: Adatum
7. In the navigation pane, expand Local Users and Groups, and then click Groups.
10. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box, click Object
Types.
11. In the Object Types dialog box, select Computers, and then click OK.
12. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box, in the Enter
the object names to select text box, type NYC-CFG, click Check Names, and then click OK.
Task 3: Verify that Web Server (IIS) and related role services are installed
• In the Server Manager console, click Local Server, scroll to the Roles and Features section, and then
verify that the following Role Services are installed:
Task 4: Verify that the BITS and remote differential compression features are
installed
1. In the navigation pane in Server Manager, scroll to the Roles and Features section.
2. In the results pane, verify that the following features are installed:
Results: At the end of this exercise, you should have validated the prerequisites for installing a System
Center 2012 Configuration Manager secondary site.
3. In the navigation pane, expand Site Configuration, and then select Sites.
4. In the results pane, select NYC – New York City Primary Site, and then on the ribbon, click Create
Secondary Site. The Create Secondary Site Wizard starts.
6. On the General page, configure the following options, and then click Next:
7. On the Installation Source Files page, click Copy installation source files over the network from
the parent site server, and then click Next.
8. On the SQL Server Settings page, click Install and configure a local copy of SQL Server Express
on the secondary site computer, verify that the following information has been specified, and then
click Next:
9. On the Distribution Point page, accept the default settings, and then click Next.
10. On the Drive Settings page, accept the default settings, and then click Next.
11. On the Content Validation page, click Next.
Note: When the Create Secondary Site Wizard finishes, the installation continues in the
background on the target server. To validate the installation, verify the installation logs in the
next exercise.
15. In the Configuration Manager console, in the results pane, select TOR – Toronto Secondary Site,
and then on the ribbon, click Show Install Status.
16. In the Secondary Site Installation Status dialog box, review the progress of the installation actions,
click Refresh to monitor the status, and then click OK. It takes approximately 15-20 minutes for the
installation to complete.
Results: At the end of this exercise, you should have installed the System Center 2012 Configuration
Manager secondary site.
2. In the root folder, open the ConfigMgrSetup.log file. In the Open with box, select Notepad, and
then click OK.
3. Note any errors and warnings reported by Setup. Close Notepad.
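As an added example (not part of the courseware), the following PowerShell function pulls the warning and error entries out of a Setup log instead of reading it by eye in Notepad. It assumes the log's `SEVERITY: message $$<component><timestamp><thread=...>` line layout; the function name, the `C:\ConfigMgrSetup.log` path in the final comment, and the sample lines are constructed for illustration.

```powershell
# Added example: list WARNING and ERROR entries from a ConfigMgrSetup.log-style file.
# Assumed entry layout (one entry per line):
#   SEVERITY: message  $$<component><MM-dd-yyyy HH:mm:ss.fff+offset><thread=id (0xhex)>
function Get-SetupLogFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        $pattern = '^(?<sev>INFO|WARNING|ERROR):\s*(?<msg>.*?)\s*\$\$<(?<comp>[^>]*)><(?<ts>[^>]*)><thread=(?<thread>[^>]*)>\s*$'
        $lineNo  = 0
    }
    process {
        foreach ($entry in $Line) {
            $lineNo++
            # -cmatch is case-sensitive, so only the upper-case severity prefixes count.
            # Lines that do not fit the assumed layout (blank lines, continuations) are skipped.
            if ($entry -cmatch $pattern -and $Matches['sev'] -ne 'INFO') {
                [pscustomobject]@{
                    LineNumber = $lineNo
                    Severity   = $Matches['sev']
                    Timestamp  = $Matches['ts']
                    Component  = $Matches['comp']
                    Message    = $Matches['msg']
                }
            }
        }
    }
}

# Constructed sample lines (not taken from a real installation).
$sample = @(
    'INFO: Setup has started.  $$<Configuration Manager Setup><01-15-2014 09:12:03.114+300><thread=2396 (0x95C)>'
    'WARNING: Prerequisite rule returned a warning.  $$<Configuration Manager Setup><01-15-2014 09:13:40.552+300><thread=2396 (0x95C)>'
    'INFO: Copying installation files.  $$<Configuration Manager Setup><01-15-2014 09:14:02.870+300><thread=2396 (0x95C)>'
    'ERROR: Failed to connect to the SQL Server instance.  $$<Configuration Manager Setup><01-15-2014 09:20:17.031+300><thread=2396 (0x95C)>'
    ''
)

$findings = @($sample | Get-SetupLogFinding)

# Per-entry detail, then a count per severity.
$findings | Format-Table LineNumber, Severity, Timestamp, Message -AutoSize
$findings | Group-Object Severity | Format-Table Name, Count -AutoSize

# Against the real file (path assumed to be the root of the system drive, as in the lab):
# Get-Content -Path 'C:\ConfigMgrSetup.log' | Get-SetupLogFinding
```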
L4-26 Planning and Deploying a Multiple-Site Hierarchy
Task 2: View the system status for the new secondary site
1. On NYC-CFG, in the Configuration Manager console, in the navigation pane, click the Monitoring
workspace.
2. In the navigation pane, expand System Status, and then click Site Status.
3. View the status of the site systems for TOR-CFG.
Note: You can view the secondary site status at the parent primary site or at the central
administration site. It may take several minutes until the installation finishes and the secondary
site status appears in the console.
5. In the results pane, view the status of the components for TOR-CFG.
7. In the results pane, view the status of the replication link between NYC and TOR. It should show that
the link is active.
8. In the navigation pane, click the Site Hierarchy node.
9. In the results pane, view the site hierarchy diagram. On the NYC icon, click the plus sign to view TOR.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-B, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Note: The line between NYC and TOR represents the state of the database replication
between the sites. This line can have several different symbols depending on the replication
status.
• ? in a white circle is shown when the status has not yet been reported.
• X in a red circle is shown when the status has been reported and the initial replication is incomplete
or there is an error during ongoing replication.
• √ in a green circle is shown when the initial replication has completed successfully and there are no
errors in the ongoing replication.
Results: At the end of this exercise, you should have validated the installation of a System Center 2012
Configuration Manager secondary site.
4. Right-click the Adatum Site S01 London Central Administration Site CAS file replication link, and
then click Properties.
5. On the Schedule tab, click the Sunday 0 hour.
7. On the Rate Limits tab, click Limited to specified maximum transfer rates by hour.
8. Click the 0 hour that is on the left, hold the Shift key, and then click 4.
9. In the Limit available bandwidth (%) box, select 50.
3. On the General tab, in the Summarization interval (minutes) box, select 5, and then click Apply.
4. Review the settings on the Schedule tab.
6. In the CAS <-> S01 Replication Link Properties dialog box, click OK.
3. On the ribbon, click Settings, click Configure Site Components, and then click Software
Distribution.
6. Under Retry settings, in the Number of retries box, select 5, and in the Delay before retrying
(minutes) box, select 5.
L5-28 Replicating Data and Managing Content in Configuration Manager 2012
Results: At the end of this exercise, you should have configured the replication settings between the A.
Datum central administration site and the London primary site.
2. In the navigation pane, click the Database Replication node, and then in the results pane, select the
CAS to S01 replication link. Verify that Link State shows Link Active. If it does not, refresh the results
pane.
3. Review the information available in the preview pane under the Replication Status area. In the Site
Replication Status section, verify that both Parent Site State and Child Site State display a status of
Replication Active.
4. In the Global Data Replication Status section, verify that both Parent Site to Child Site Global
State and Child Site to Parent Site Global State display the Link Active status and that the Last
Synchronization Time reflects today’s date.
Note: If the status of Parent Site to Child Site Global State and Child Site to Parent Site
Global State are Link Inactive, verify that both LON-CAS and LON-CFG have started. To refresh
the status, click the CAS to S01 replication link, and then press F5.
5. In the preview pane, click the Parent Site tab. Review the information available in the Replication
Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
6. In the preview pane, click the Child Site tab. Review the information available in the Replication
Status area.
3. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts.
4. On the General page, in the Name text box, type London Computers, and then click Browse.
5. In the Select Collection dialog box, click All Systems, and then click OK.
10. On the Select Resources page, select both the LON-CAS and LON-CFG check boxes, and then click
Next.
13. In the Create Device Collection Wizard, on the Membership Rules page, verify that both LON-CAS
and LON-CFG were added in the list, and then click Next.
2. In the Configuration Manager console, verify that you are in the Assets and Compliance workspace.
4. In the results pane, verify that the London Computers collection appears in the list of device
collections.
5. Right-click the London Computers collection, and then click Show Members. Notice that a new
node appears in the navigation pane under Devices. Notice also that the members of the collection
appear in the results pane.
Results: At the end of this exercise, you should have verified the replication between the A. Datum central
administration site and the London primary site.
3. Right-click the CAS to S01 replication link, and then click Link Properties.
4. In the CAS <-> S01 Replication Link Properties dialog box, on the Alerts tab, verify that the Generate
an alert when this replication link is not working for a specified period of time check box is
selected.
5. On the Alerts tab, in the Number of minutes box, change the value to 3 minutes, and then click OK.
3. In the Service Control window, wait for the service to stop. Wait at least three minutes before
continuing to the next task.
2. In the Configuration Manager Trace Log Tool dialog box, click Yes to make the program the
default viewer for all log files, and then close the tool.
3. In the Configuration Manager console, in the navigation pane, click the Alerts node, and then click
All Alerts.
4. In the results pane, click the alert named Replication link down between parent site and S01, and
then on the ribbon, click Configure.
5. In the Replication link down between parent site and S01 Properties dialog box, verify that
Minutes replication link connectivity down greater than has a value of 3, and then click OK.
6. In the navigation pane, click the Assets and Compliance workspace, and then click the Device
Collections node.
11. Verify that the status of the replication link is either Link Failed or Link Degraded. Press F5, if
necessary, to refresh the status.
12. Right-click the CAS to S01 replication link, and then click Save Diagnostic Files.
13. In the Save As dialog box, in the File name box, type Replication Diagnostics. In the navigation
pane, click Local Disk (C:), and then click Save.
16. Review the content of the file. Note that the Child Site to Parent Site Global State displays a status
of Link Failed or Link Degraded. Close Notepad.
Task 4: Resolve the issue and verify that replication is functioning correctly
1. On LON-CAS, right-click the CAS to S01 replication link, and then click Replication Link Analyzer.
Replication Link Analyzer starts detecting problems. Wait for the operation to finish.
2. In the CAS <-> S01 Replication Link Analyzer window, on the Restart the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Restart the SMS_EXECUTIVE service. Wait for the operation
to finish.
3. In the Replication Link Analyzer window, on the Successfully restarted the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Continue.
5. In the CAS <-> S01 Replication Link Analyzer window, click Reinitialize replicated tables.
6. In the CAS <-> S01 Replication Link Analyzer window, click Continue.
8. In the CAS <-> S01 Replication Link Analyzer window, click Check to see if the problem is fixed.
Note: Based on timing, there may still be issues that are detected. If issues are detected,
first click the Check to see if the problem is fixed link.
9. In the CAS <-> S01 Replication Link Analyzer window, on the Troubleshooting Report page, click
View Report.
10. In the How do you want to open this type of file (.htm)? dialog box, click Internet Explorer. The
content of ReplicationAnalysis.xml opens in Internet Explorer®.
11. Review the content of the file, and then close Internet Explorer.
12. In the Replication Link Analyzer window, click View Log. The content of ReplicationLinkAnalysis.log
opens in Configuration Manager Trace Log Tool.
13. Review the content of the file, and then close Configuration Manager Trace Log Tool.
14. In the CAS <-> S01 Replication Link Analyzer window, click Close.
Results: At the end of this exercise, you should have troubleshot replication between the primary site and
the central administration site.
• Prestage content to the locations with information technology (IT) staff. For the lab, prestage content
to LON-SVR1.
• Use BranchCache® in the remote offices without sites or distribution points. For the lab, enable
BranchCache support on LON-CFG.
• Restrict replication during business hours to high priority traffic only.
• Create cloud-based distribution points for the field staff instead of Internet-based distribution points.
• Use the cloud-based distribution point for content fallback.
• Do not allow fallback to the central location.
Results: At the end of this exercise, you will have planned the distribution architecture for the company.
2. In the navigation pane of the Computer Management console, expand Local Users and Groups, and
then click Groups.
6. In the Object Types dialog box, select Computers, and then click OK.
7. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select text box, type LON-CFG, click Check Names, and then click OK.
2. In the navigation pane, expand Site Configuration, and then click Servers and Site System Roles.
3. On the ribbon, click the Home tab, and then click Create Site System Server. The Create Site System
Server Wizard starts.
5. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1.
Click Check Names, and then click OK.
6. On the General page, in the Site Code drop-down list, select S01 – Adatum Site, and then click
Next.
8. On the System Role Selection page, select Distribution point, and then click Next.
9. On the Distribution Point page, select Install and configure IIS if required by Configuration
Manager and Enable this distribution point for prestaged content, and then click Next.
10. On the Drive Settings page, review the default settings, and then click Next.
14. On the Content Validation page, select Validate content on a schedule, and then click Next.
15. On the Boundary Groups page, click Next.
16. On the Summary page, review the settings, and then click Next.
2. In the results pane, click LON-CFG.ADATUM.COM, hold the Ctrl key, and then click
NYC-CFG.ADATUM.COM and TOR-CFG.ADATUM.COM.
3. On the ribbon, click Add Selected Items, and then click Add Selected Items to New Distribution
Point Group.
4. In the Create New Distribution Point Group dialog box, in the Name text box, type Primary and
Secondary Site Distribution Points, and then click OK.
6. Verify that the Primary and Secondary Site Distribution Points group has been created and that
the Member Count is 3.
Results: At the end of this exercise, you should have created a distribution point, created a distribution
point group, and added distribution points to the group.
2. In the navigation pane, expand Application Management, and then click the Applications node.
3. On the ribbon, click Create Application. The Create Application Wizard starts.
4. On the General page, verify that in the Type box, Windows Installer (*.msi) is selected.
14. On the Content Destination page, click Add, and then click Distribution Point.
15. In the Add Distribution Points dialog box, select LON-CFG.ADATUM.COM, and then click OK.
4. In the Prestaged content file dialog box, navigate to the Allfiles (E:) drive, in the File name box,
type PowerPointViewer, and then click Save.
8. In the Add Distribution Points dialog box, select LON-CFG.Adatum.com, and then click OK.
9. On the Content Locations page, click Next.
13. Browse to the Allfiles (E:) drive, right-click PowerPointViewer.pkgx, and then click Copy.
14. In the address bar, type \\LON-SVR1\C$, and then press Enter.
2. At the command prompt, type the following commands, pressing Enter after each line:
CD C:\SMS_DP$\sms\Tools
extractcontent.exe /P:C:\PowerPointViewer.pkgx /S
2. In the navigation pane, expand Distribution Status, and then click the Content Status node.
3. In the results pane, click Microsoft PowerPoint Viewer, and then review the information in the
preview pane. Notice that two distribution points were targeted, and Success is now listed as 2.
Results: At the end of this exercise, you should have performed content prestaging.
3. On the Before you begin page of the Add Roles and Features Wizard, click Next.
6. On the Select features page, select the BranchCache check box, and then click Next.
7. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then in the message box, click Yes.
6. In the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) Properties dialog box, click
the Content tab.
7. Verify that the Allow clients to share content with other clients on the same subnet check box is
selected.
8. In the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) Properties dialog box,
click OK.
Results: At the end of this exercise, you will have enabled BranchCache support on LON-SVR1.
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
4. In the results pane, click Active Directory System Discovery, and then on the ribbon, click
Properties.
5. In the Active Directory System Discovery Properties dialog box, click Enable Active Directory
System Discovery, and then click New.
9. In the Active Directory System Discovery Properties dialog box, click the Polling Schedule tab,
and then review the settings.
10. In the Active Directory System Discovery Properties dialog box, click the Active Directory
Attributes tab, and then review the settings.
11. In the Active Directory System Discovery Properties dialog box, click the Options tab, review the
settings, and then click OK.
6. In the Active Directory User Discovery Properties dialog box, click the Polling Schedule tab, and
then review the settings.
7. In the Active Directory User Discovery Properties dialog box, click the Active Directory
Attributes tab, review the settings, and then click OK.
8. In the Configuration Manager message box, click Yes.
L6-38 Planning Resource Discovery and Client Deployment
2. In the Active Directory Group Discovery Properties dialog box, click Enable Active Directory
Group Discovery, click Add, and then click Location.
3. In the Add Active Directory Location dialog box, in the Name box, type Adatum domain, and then
click Browse.
4. In the Select New Container dialog box, click Adatum, and then click OK.
6. In the Active Directory Group Discovery Properties dialog box, click the Polling Schedule tab, and
then review the settings.
7. In the Active Directory Group Discovery Properties dialog box, click the Options tab, review the
settings, and then click OK.
Task 4: Verify that the discovered computers appear in the All Systems collection and
are assigned to the site correctly
1. In the Configuration Manager Console, click the Assets and Compliance workspace.
4. A new sticky node called All Systems appears in the navigation pane, under the Devices node. In the
results pane, observe the systems that are members of the All Systems collection and their assigned
site. On the Site Code column, you should see S01 for most systems.
Results: At the end of this exercise, you should have configured the Active Directory discovery methods.
3. In the New Object – User window, in both the First name and User logon name text boxes, type
ConfigMgrClientPush, and then click Next.
4. In the New Object – User window, in both the Password and Confirm password text boxes, type
Pa$$w0rd, clear the User must change password at next logon box, select the User cannot
change password and Password never expires check boxes, and then click Next.
6. In the Active Directory Users and Computers console, right-click the newly created
ConfigMgrClientPush user, and then click Properties.
9. In the Select Groups dialog box, in the Enter the object names to select text box, type Domain
Admins, click the Check Names button, and then click OK.
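The account created above ends up in Domain Admins with a non-expiring password, while client push itself needs only local administrator rights on the target computers. The following added example (not part of the courseware) reports what such an account actually holds, including nested group membership; it assumes the ActiveDirectory module is installed, and the function name and the list of groups to flag are hypothetical.

```powershell
# Added example: report the privilege and password settings of a service account.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-ServiceAccountExposure {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Hypothetical default list of groups to flag; extend for your environment.
        [string[]]$FlaggedGroup = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet

    # Escape the distinguished name for use inside an LDAP filter (RFC 4515).
    # The backslash must be escaped first so later escapes are not doubled.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership,
    # so a group that is itself a member of Domain Admins is still reported.
    # The primary group (normally Domain Users) is not stored in "member" and is not listed.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Account              = $user.SamAccountName
        Enabled              = $user.Enabled
        PasswordNeverExpires = $user.PasswordNeverExpires
        CannotChangePassword = $user.CannotChangePassword
        PasswordLastSet      = $user.PasswordLastSet
        FlaggedGroups        = @($groups | Where-Object { $FlaggedGroup -contains $_ })
        AllGroups            = $groups
    }
}

# Account name as typed in the lab.
Get-ServiceAccountExposure -SamAccountName 'ConfigMgrClientPush' | Format-List
```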
2. In the navigation pane, expand Site Configuration, and then click the Sites node.
3. In the results pane, right-click S01 – Adatum Site, click Client Installation Settings, and then click
Client Push Installation.
4. In the Client Push Installation Properties dialog box, click the Accounts tab.
5. On the Accounts tab, click the New button, and then click New Account.
6. In the Windows User Account dialog box, click the Browse button.
7. In the Select User dialog box, in the Enter the object name to select text box, type
ConfigMgrClientPush, click the Check Names button, and then click OK.
8. In the Windows User Account dialog box, in both the Password and Confirm password boxes,
type Pa$$w0rd, and then click Verify. The Windows User Account dialog box expands.
9. In the Windows User Account dialog box, in the Network Share box, type \\LON-DC1\C$, and
then click Test connection.
13. On the Installation Properties tab, in the Installation properties box, after the text
SMSSITECODE=S01, type a space, and then type FSP=LON-CFG.Adatum.com.
14. In the Client Push Installation Properties dialog box, click OK.
2. In the navigation pane, under Device Collections, click the All Systems node.
3. In the results pane, right-click LON-CFG, and then click Install Client. The Install Configuration
Manager Client Wizard starts.
8. In the results pane, right-click LON-DC1, and then click Install Client. The Install Configuration
Manager Client Wizard starts.
9. On the Before You Begin page, click Next.
10. On the Installation Options page, select the Allow the client software to be installed on domain
controllers check box, and then click Next.
6. In the Configuration Manager Properties dialog box, click the Components tab, and then verify
the status of the agents. Some of the agents should have the Status of Installed.
7. In the Configuration Manager Properties dialog box, click the Actions tab.
8. In the Actions list, click Machine Policy Retrieval & Evaluation Cycle, and then click Run Now to
initiate the connection of the Configuration Manager client to the management point.
Note: When the Configuration Manager client is running inside a virtual machine, it uses
randomization for the initial time interval of connection to the management point. Manually
running the Machine Policy Retrieval & Evaluation Cycle helps ensure that all components are
updated, as necessary.
9. In the Machine Policy Retrieval & Evaluation Cycle message box, click OK.
Results: At the end of this exercise, you should have started the installation of the Configuration Manager
client by using the client push installation method.
2. From Server Manager, click Tools, and then click Group Policy Management.
3. From the Group Policy Management console, expand Forest: Adatum.com, and then expand
Domains.
4. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO dialog box, in the Name text box, type SCCM Client Install, and then click OK.
6. From the navigation pane, right-click the SCCM Client Install, and then click Edit.
12. In the navigation pane, expand Administrative Templates: Policy Definitions (ADMX files)
retrieved from the local computer, and then expand Classic Administrative Templates (ADM).
3. In the Configure Configuration Manager 2012 Client Deployment Settings dialog box, click
Enabled.
Task 3: Import CCMSetup.msi, and then deploy the Configuration Manager client by
using Group Policy
1. From LON-DC1, click the File Explorer button on the taskbar.
2. Navigate to Local Disk (C:).
3. In the details pane, right-click in the open area, navigate to New, and then click Folder.
4. Type SCCMClient, and then press Enter.
5. Right-click the SCCMClient folder, and then click Properties.
7. In the File Sharing dialog box, in the Type a name and then click Add, or click the arrow to find
someone drop-down list, click Everyone, click Add, click Share, and then click Done.
9. From the Start screen, type Run, and then press Enter.
10. In the Run dialog box, in the Open text box, type \\LON-CFG\SMS_S01\bin\i386, and then click OK.
11. In the new File Explorer window, right-click ccmsetup.msi, and then click Copy.
12. Close the i386 window.
13. In the Local Disk (C:) window, double-click the SCCMClient folder.
14. Right-click the empty area in the details pane, and then click Paste.
18. Right-click Software Installations, navigate to New, and then click Package.
19. In the Open dialog box, in the File name text box, type \\LON-DC1\SCCMClient\ccmsetup.msi,
and then click Open.
20. In the Deploy Software dialog box, click Assigned, and then click OK.
23. In Hyper-V® Manager, click 10748C-LON-SVR1-C, and then in the Actions pane, click Start.
o Username: ADATUM\Administrator
o Password: Pa$$w0rd
2. From the desktop, right-click the taskbar, and then click Task Manager.
3. In the Task Manager window, click More Details, and then click the Details tab.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for the following virtual machines:
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
Results: At the end of this exercise, you should have installed the Configuration Manager client by using a
GPO.
2. In the navigation pane, expand Adatum.com, and then select the Users container.
3. Right-click the Users container, point to New, and then click Group.
4. In the New Object – Group dialog box, in the Group name box, type Configuration Manager IIS
Servers, and then click OK.
5. Double-click Configuration Manager IIS Servers.
6. In the Configuration Manager IIS Servers Properties dialog box, on the Members tab, click Add.
7. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types, in the Object Types dialog box, select the Computers check box, and then click OK.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select box, type LON-CFG, click Check Names, and then click OK.
9. In the Configuration Manager IIS Servers Properties dialog box, click OK.
3. Right-click the Certificate Templates folder, and then click Manage. The Certificate Templates
console opens.
4. In the results pane, right-click Web Server, and then click Duplicate Template.
5. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
6. In the Properties of New Template dialog box, on the General tab, in the Template display name
box, type Configuration Manager Web Server Certificate.
7. Click the Subject Name tab, and then ensure that the Supply in the request option is selected.
8. On the Security tab, under Group or user names, click Domain Admins, and under Permissions
for Domain Admins, clear the Enroll check box, click Enterprise Admins, and then clear the Enroll
check box.
9. On the Security tab, click Add. In the Select Users, Computers, Service Accounts or Groups dialog
box, in the Enter the object names to select box, type Configuration Manager IIS Servers, click
Check Names, and then click OK.
10. Click Configuration Manager IIS Servers, select the Enroll check box, and then click OK.
L7-44 Configuring Internet and Cloud-Based Client Management
2. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name
box, type Configuration Manager Client Certificate.
4. On the Security tab, click Domain Computers, select the Read check box, select the Autoenroll
check box, and then click OK. Do not clear the Enroll check box.
2. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name
box, type Configuration Manager Client Distribution Point Certificate.
2. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name
box, type Configuration Manager Mobile Device Certificate.
4. Click the Subject Name tab, and then ensure that the Build from this Active Directory
information option is selected.
5. In the Subject name format list, select Common name, under Include this information in
alternate subject name, clear the User principal name (UPN) check box, and then click OK.
2. Right-click the Certificate Templates folder, point to New, and then click Certificate Template to
Issue.
3. In the Enable Certificate Templates dialog box, click Configuration Manager Client Certificate,
hold the Ctrl key, and then click Configuration Manager Client Distribution Point Certificate,
Configuration Manager Mobile Device Certificate, and Configuration Manager Web Server
Certificate.
4. In the Enable Certificate Templates dialog box, click OK, and then close the Certification Authority
console.
Results: After this exercise, you should have created a group for the Microsoft® System Center 2012 R2
Configuration Manager servers and created the templates for Configuration Manager certificates.
3. In the New GPO dialog box, in the Name box, type Enable Autoenrollment of Certificates, and
then click OK.
4. Right-click Enable Autoenrollment of Certificates, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, and then click Public Key Policies.
6. Right-click Certificate Services Client – Auto-Enrollment, and then click Properties.
7. In the Configuration Model list, select Enabled, select the Renew expired certificates, update
pending certificates, and remove revoked certificates check box, select the Update certificates
that use certificate templates check box, and then click OK.
8. Close the Group Policy Management Editor window and the Group Policy Management console.
3. On LON-CFG, go to the Start screen, type mmc.exe, and then click mmc.exe.
4. In the Console 1 - [Console Root] console, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and
then click Add.
6. In the Certificates Snap-in Wizard, click Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is
running on) option is selected, and then click Finish.
10. Under Object Type, right-click Certificates, point to All Tasks, and then click Request New
Certificate.
11. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
13. On the Request Certificates page, select the Configuration Manager Web Server Certificate
check box, and then click the More information is required to enroll for this certificate. Click
here to configure settings link.
14. In the Certificate Properties dialog box, on the Subject tab, under the Alternative name area, in
the Type list, select DNS.
15. In the Value box, type LON-CFG.Adatum.com, and then click Add.
16. Click the General tab, in the Friendly name box, type Configuration Manager Web Services, and
then click OK.
3. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
4. On the Select Certificate Enrollment Policy page, click Next.
5. On the Request Certificates page, select the Configuration Manager Client Distribution Point
Certificate check box, and then click Enroll.
6. On the Certificates Installation Results page, wait until the certificate is installed, and then click
Finish.
7. In the Console 1 - [Console Root] console, expand Personal, and then click Certificates.
8. In the results pane, right-click the certificate that has Configuration Manager Client Distribution
Point Certificate on the Certificate Template column, point to All Tasks, and then click Export.
The Certificate Export Wizard opens.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, select Yes, export the private key, and then click Next.
11. On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12
(.PFX) option is selected, and then click Next.
12. On the Security page, select the Password check box, and in both the Password and Confirm
password text boxes, type Pa$$w0rd, and then click Next.
13. On the File to Export page, in the File name text box, type C:\ConfigMgrClientDPCertificate.pfx,
and then click Next.
14. On the Completing the Certificate Export Wizard page, click Finish.
15. In the Certificate Export Wizard dialog box, click OK.
16. Close the Console 1 – [Console Root] console, and then in the Microsoft Management Console
dialog box, click No.
4. In the Edit Site Binding dialog box, in the SSL certificate list, select Configuration Manager Web
Services, and then click OK.
5. In the Site Bindings dialog box, click Close.
3. In the navigation pane, expand Site Configuration, and then click Servers and Site System Roles.
4. In the results pane, click \\LON-CFG.Adatum.com. In the preview pane, right-click Site system, and
then click Properties.
5. In the Site system Properties dialog box, select Specify an FQDN for this site system for use on
the Internet.
6. In the Internet FQDN text box, type LON-CFG.Adatum.com, and then click OK.
7. In the preview pane, right-click Distribution point, and then click Properties.
8. In the Distribution point Properties dialog box, on the General tab, select Import certificate, and
then click Browse.
9. In the Open dialog box, browse to and click the C:\ConfigMgrClientDPCertificate.pfx certificate
file, and then click Open.
10. On the General tab, in the Password text box, type Pa$$w0rd.
11. On the General tab, click HTTPS, under Requires computers to have a valid PKI client certificate,
select Allow intranet and Internet connections, and then click OK.
12. In the preview pane, click Management point, and then click Properties.
13. In the Management point Properties dialog box, on the General tab, click HTTPS, and then under
This option requires client computers to have a valid PKI client certificate for client
authentication, select Allow intranet and Internet connections.
14. Select the Allow mobile devices to use this management point check box, and then click OK.
L7-48 Configuring Internet and Cloud-Based Client Management
6. In the Assets and Compliance workspace, expand Compliance Settings, and then expand
Company Resource Access.
7. Click Certificate Profiles, and then on the ribbon, click Create Certificate Profile.
8. On the General page of the Create Certificate Profile Wizard, in the Name box, type
AdatumEnterpriseRootCA, and then ensure that Trusted CA certificate is selected. Click Next.
10. In the Open dialog box, click Desktop, click LON-DC1.Adatum.com_AdatumCA.crt, and then click
Open.
11. On the Trusted CA Certificate page, ensure that Computer certificate store – Root is selected, and
then click Next.
12. On the Supported Platforms page, click Select All, and then click Next.
13. On the Summary page, click Next.
16. In the Deploy Trusted CA Certificate Profile dialog box, click Browse.
17. In the Select Collection dialog box, click User Collections, and then click Device Collections.
18. Click All Desktop and Server Clients, and then click OK.
19. Click OK to close the Deploy Trusted CA Certificate Profile dialog box.
Results: After this exercise, you should have issued the Configuration Manager certificates and configured
HTTPS communication for Configuration Manager roles.
o The first part of the email address should be your first name, the first letter of your last name,
10748C, and the date in the format used in your region (mm/dd/yy or dd/mm/yy). For example,
JoeS10748C010114 if it is the first of January 2014.
o The domain (the portion of the address after the @ symbol) should be Adatum.com. For
example, JoeS10748C010114@adatum.com.
4. On the Security tab, click Trusted Sites, and then move the Security level for this zone slider to
Low.
5. Click Sites. In the Trusted sites dialog box, clear the Require server verification (https:) for all
sites in this zone check box.
6. In the Add this website to the zone: text box, type *.microsoft.com, and then click Add.
10. In Internet Explorer, click No thanks to close the Please help us improve dialog box. Click the Try
option, and then click Sign up for a Windows Intune free 30-day trial.
11. On the Windows Intune Sign up page, provide the required information to sign up for the trial
account. Enter data for the following required fields:
o Address 1: Street address of the location where the course is being held
o Email address: The fake email address that you created in the first task of this exercise.
o New Domain Name: Type the first three letters of the city in which you are attending the course;
the course number; the month, day, and year; and the number of your computer, counting from
the front left side of the classroom. For example, type MEL10748C02041405 to indicate that you
are attending the course in Melbourne; the course number is 10748C; the date is February 4,
2014; and you are using the fifth computer from the front left side of the classroom.
12. Click Check Availability. After the domain name is verified, enter the following information:
o New User ID: Student
o Create new password: Pa$$w0rd
17. In the Don’t lose access to your account dialog box, click Remind me later.
18. Close Internet Explorer.
3. On the UPN Suffixes tab of the Active Directory Domains and Trusts dialog box, enter
the organization name in the form organizationname.onmicrosoft.com. For example, type
MEL10748C02041405.onmicrosoft.com for Melbourne, course 10748C, February 4, 2014, where
you are using the fifth computer from the front left side of the classroom. Click Add, and then click
OK to close the Active Directory Domains and Trusts dialog box.
4. On the taskbar, right-click the Windows PowerShell icon, and then click Run ISE as Administrator.
5. On the View menu of the Administrator: Windows PowerShell ISE window, click Show Script Pane.
6. In the script pane, type the following script, replacing organizationname.onmicrosoft.com with your
Windows Intune organization’s name:
12. In the Active Directory Administrative Center console, click Adatum (local), and then double-click IT.
13. Double-click April Reagan, and then verify that the user principal name (UPN) logon is set to
april@organizationname.onmicrosoft.com, where organizationname is your Windows Intune
organization’s name.
5. In the Don’t lose access to your account dialog box, click Remind me later.
6. On the Windows Intune page, under Management, click Users.
10. Under step 4, install and configure the directory synchronization tool, click Windows 64-bit version,
and then click Download.
11. Click Save As, and then save dirsync.exe to the Downloads folder.
12. When the download completes, click Open folder, and then double-click dirsync.exe.
13. On the Welcome page of the Windows Azure Active Directory Sync Setup Wizard, click Next.
14. On the Microsoft Software License Terms page, click I accept, and then click Next.
15. On the Select Installation Folder page, click Next. Installation of the DirSync tool takes
approximately 10 minutes to complete.
17. Clear the Start Configuration Wizard check box, and then click Finish.
18. Click Start, click Administrator, and then click Sign out.
21. On the Welcome page of the Windows Azure Active Directory Sync tool Configuration Wizard, click
Next.
22. On the Windows Azure Active Directory Credentials page, enter the user name as
student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune
organization name. In the Password box, type Pa$$w0rd, and then click Next.
23. On the Active Directory Credentials page, in the Username box, type
administrator@adatum.com, in the Password box, type Pa$$w0rd, and then click Next.
24. On the Hybrid Deployment page, select Enable Hybrid Deployment, and then click Next.
25. On the Password Synchronization page, select Enable Password Sync, and then click Next.
26. On the Configuration page, click Next.
27. On the Finished page, ensure that Synchronize your directories now is selected, and then click
Finish.
28. In the Windows Azure Active Directory Sync Tool Configuration Wizard dialog box, click OK.
29. Wait for five minutes. Repeat steps 1-5 to return to the Windows Intune Admin page. Click Users.
30. If prompted to sign in again, in the Password box, type Pa$$w0rd, and then click Sign in.
31. Verify that the list of users in Windows Intune is now populated with users from AD DS.
34. On the Assign role page, leave the default settings, and then in the Location box, select United States.
Results: After this exercise, you will have created a Windows Intune™ account, and configured directory
synchronization between the local Windows Server® Active Directory® Domain Services (AD DS) instance
and Windows Azure™ Active Directory.
2. In the Administration workspace, expand the Cloud Services folder, and then click Windows
Intune Subscriptions.
4. On the Introduction page of the Create Windows Intune Subscription Wizard, click Next.
6. If prompted in the Set the Mobile Device Management Authority dialog box, select I understand
that after I complete the sign-in process, the mobile device management authority is
permanently set to Configuration Manager and cannot be changed, and then click OK.
7. In the Subscription dialog box, in the Username box, type
student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune
organization name, and in the Password box, type Pa$$w0rd. Select Keep me signed in, and then
click Sign in.
9. On the Subscription page of the Create Windows Intune Subscription Wizard, click Next.
10. On the General page, click Browse.
11. In the Select Collection dialog box, click All Users, and then click OK.
12. On the General page, enter the following information, and then click Next:
4. On the General page of the Add Site System Roles Wizard, click Browse.
5. On the Select a Site System Server page, click \\LON-CAS, and then click OK.
8. On the System Role Selection page, click Windows Intune Connector, and then click Next.
9. On the Summary page, click Next.
2. Click Default Client Settings, and then on the ribbon, click Properties.
3. In the Default Settings dialog box, click Cloud Services. Next to Allow access to cloud distribution
point, select Yes.
Results: After this exercise, you will have integrated Configuration Manager with Windows Intune.
8. Click OK.
Note: You may need to change the aged period for some tasks, depending on your
company’s need for data retention.
5. In the list of days, select Sunday, clear the Saturday check box, and then click OK.
6. In the Configuration Manager console, double-click Delete Aged Software Metering Summary
Data.
L8-56 Maintaining and Monitoring System Center 2012 Configuration Manager
7. In the Delete Aged Software Metering Summary Data Properties dialog box, in the Delete data
that has been inactive for (days) numeric textbox, type 120.
10. In the list of days, clear the Sunday check box, select the Saturday check box, click OK, and then click
OK again.
Results: At the end of this exercise, you will have configured maintenance tasks in Configuration
Manager.
7. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then
click Set Paths.
8. In the Set Backup Paths dialog box, verify the option Local drive on site server for site data and
database is selected, and then click Browse.
Note: In practice, you should use either Network path (UNC name) for site data and
database to save the backup on a network share or, if the database is installed on a separate server,
Local drives on site server and SQL Server.
9. In the Select Folder dialog box, navigate to drive C, create a new folder called Backup, and then click
Select Folder.
10. In the Set Backup Paths dialog box, verify that C:\Backup appears in the box, and then click OK.
11. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start three
minutes from now, and then click OK. You may need to adjust the Latest start time, so it is at least
one hour after the time that you enter in the Start after box.
12. In the Site Maintenance dialog box, on the Enabled column, next to the Backup Site Server task,
verify that the word Yes is displayed. Click OK.
Task 2: Trigger the backup of the site, and verify its completion
1. From the Start screen, click Server Manager.
2. In the Server Manager window, click Tools, and then click Services.
3. In the Services console, in the details pane, click the SMS_SITE_BACKUP service, and then on the
toolbar, click the Start Service button. Close the Services window.
4. Navigate to the C:\Program Files\Microsoft Configuration Manager\Logs folder, and then open the
smsbkup.log file in Notepad.
5. If the backup occurs successfully, towards the end of the smsbkup.log file, the text Backup
completed appears, and then on the next line, the text STATMSG: ID=5035 appears.
6. Navigate to the C:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the
database files.
9. In the navigation pane, expand System Status, and then click the Component Status node.
12. In the Status Messages: Set Viewing Period dialog box, accept the default of 1 day ago, and then
click OK.
13. In Configuration Manager Status Message Viewer, search for a message with a Message ID of 5035.
Note: When site backup completes successfully, message ID 5035 appears. This indicates
that the site backup completed without any errors.
Results: At the end of this exercise, you should have performed a backup for the Configuration Manager
site.
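Added example, not part of the course material: a PowerShell check for steps 4 to 6 of Task 2 above, which looks near the end of smsbkup.log for Backup completed followed on the next line by STATMSG: ID=5035, and confirms that the SiteDBServer folder holds database files. The function names, the 50-line tail window, the .mdf/.ldf extensions and the sample log lines are assumptions made for the example.

```powershell
# Added example (not from the course). Function names and defaults are assumptions.

function Test-SiteBackupLog {
    param(
        [string[]] $Lines = @(),
        [int] $TailLines = 50   # assumption: how many trailing lines count as "towards the end"
    )

    # Ignore blank lines so "next line" means the next line that has content.
    $content = @($Lines | Where-Object { $_ -and $_.Trim() })
    if ($content.Count -lt 2) { return $false }

    # Only the tail is inspected, so an old success followed by a lot of
    # later activity is not reported as the result of the latest run.
    $start = [Math]::Max(0, $content.Count - $TailLines)

    # Walk backwards so the most recent completion marker is evaluated first.
    for ($i = $content.Count - 2; $i -ge $start; $i--) {
        if ($content[$i] -match 'Backup completed') {
            return ($content[$i + 1] -match 'STATMSG: ID=5035\b')
        }
    }
    return $false
}

function Test-SiteBackupFiles {
    param([string] $Folder)

    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) { return $false }

    # Assumption: the "database files" are SQL Server data (.mdf) and log (.ldf) files.
    $files = @(Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $_.Length -gt 0 })
    $hasData = @($files | Where-Object { $_.Extension -eq '.mdf' }).Count -gt 0
    $hasLog  = @($files | Where-Object { $_.Extension -eq '.ldf' }).Count -gt 0
    return ($hasData -and $hasLog)
}

# --- Constructed sample lines; real smsbkup.log entries carry more fields ---
$freshSuccess = @(
    'Copying site database files (constructed line)',
    'Backup completed (constructed line)',
    'STATMSG: ID=5035 (constructed line)'
)
$wrongMessage = @(
    'Backup completed (constructed line)',
    'STATMSG: ID=9999 (constructed line)'
)
$staleSuccess = $freshSuccess + (1..60 | ForEach-Object { "Later activity $_ (constructed line)" })

"Fresh success : {0}" -f (Test-SiteBackupLog -Lines $freshSuccess)
"Wrong message : {0}" -f (Test-SiteBackupLog -Lines $wrongMessage)
"Stale success : {0}" -f (Test-SiteBackupLog -Lines $staleSuccess)

# --- On the lab site server: paths taken from steps 4 and 6 ---
$logPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\smsbkup.log'
if (Test-Path -LiteralPath $logPath) {
    "Log check  : {0}" -f (Test-SiteBackupLog -Lines (Get-Content -LiteralPath $logPath))
    "File check : {0}" -f (Test-SiteBackupFiles -Folder 'C:\Backup\S01Backup\SiteDBServer')
}
```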
2. The Microsoft System Center 2012 R2 Configuration Manager Setup Wizard starts. On the Before
You Begin page, click Next.
3. On the Getting Started page, under Available Setup Options, click Recover a site, and then click Next.
4. On the Site Server and Database Recovery Options page, click Recover the site database using
the backup set at the following location, and then click Browse.
5. In the Browse For Folder dialog box, select the C:\Backup\S01Backup folder, and then click OK.
6. On the Site Server and Database Recovery Options page, click Next.
7. On the Site Recovery Information page, verify that the option Recover primary site is selected,
and then click Next.
8. On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
9. On the Microsoft Software License Terms page, select I accept these license terms, and then click
Next.
10. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight. Click Next.
11. On the Prerequisite Downloads page, select Use previously downloaded files, and then click
Browse.
12. In the Browse For Folder dialog box, select the E:\ConfigMgr2012R2\Redist folder, and then
click OK.
13. On the Prerequisite Downloads page, click Next.
14. In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite validation to
finish.
15. On the Site and Installation Settings page, click Next.
16. On the Database Information page, click Next twice.
17. On the Customer Experience Improvement Program configuration page, select I don’t want to
join the program at this time, click Next, and then click Next again.
19. In the Prerequisite Check dialog box, click Cancel, and then click Yes.
Note: It takes time to restore the site. Therefore, for expediency in this lab, you cancel the
restoration process.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
Results: At the end of this exercise, you should have recovered the Configuration Manager 2012 R2
primary site.
2. In the navigation pane, expand Site Database, and then click Site Management. In the results pane,
verify that 4.00.6487.2000 appears in the Version column, which means the site is running
Configuration Manager 2007 Service Pack 2.
3. In the navigation pane under Site Database, expand Site Management, expand CM7-London
Configuration Manager 2007, expand Site Settings, and then click Boundaries.
4. In the results pane, right-click the IP subnet boundary, and then click Properties.
5. In the Properties dialog box, review the configuration of the boundary, and then click Cancel.
6. In the navigation pane, under Site Database, under Site Management, under CM7-London
Configuration Manager 2007, expand FHM - Fulham Secondary Site, expand Site Settings,
expand Site Systems, and then click \\LON-SVR1.
7. In the results pane, verify that the \\LON-SVR1 site system includes the following roles:
o ConfigMgr component server
8. In the navigation pane, expand Computer Management, expand Collections, right-click the
Adatum Servers collection, and then click Properties.
9. In the Adatum Servers Properties dialog box, click the Membership Rules tab. Observe that there
are no membership rules defined, and then click OK.
Note: The Adatum Servers collection does not have any members and serves as a container
for the other two collections.
10. In the navigation pane, expand Adatum Servers, click the London Servers collection, and then in
the results pane, observe that LON-CM7 and LON-SVR1 are the only members of the collection.
11. In the navigation pane, right-click the London Servers collection, and then click Properties.
12. In the London Servers Properties dialog box, click the Membership Rules tab.
13. Under Membership Rules, click London Servers, and then click the Properties button.
14. In the Query Rule Properties dialog box, click Edit Query Statement.
L9-60 Migrating to System Center 2012 R2 Configuration Manager
15. In the London Servers Query Statement Properties dialog box, click Show Query Language.
16. In the London Servers Query Statement Properties dialog box, examine the query, and then click
Cancel.
17. In the Query Rule Properties dialog box, click Cancel.
19. In the navigation pane, click the ConfigMgr Servers collection, and then in the results pane, observe
that LON-CM7 is the only member of the collection.
Note: The London Servers collection uses a query rule to include all computers with a name
starting with LON.
20. In the navigation pane, right-click the ConfigMgr Servers collection, and then click Properties.
21. In the ConfigMgr Servers Properties dialog box, click the Membership Rules tab.
22. Under Membership rules, observe the direct membership rule created for LON-CM7.
Note: The ConfigMgr Servers collection uses a direct membership rule to include LON-CM7
as a member.
24. In the navigation pane, expand Software Distribution, and then click Packages.
25. In the results pane, right-click the Microsoft Office Word Viewer 2003 package, and then click
Properties. Note that this is a Windows Installer package.
26. Review the properties of the package, and then click Cancel.
27. Expand the Microsoft Corporation Microsoft Office Word Viewer 2003 package, and then click
Distribution Points. Note that the package is distributed to both \\LON-CM7 and \\LON-SVR1.
28. In the navigation pane, right-click the Excel Viewer 1 package, and then click Properties. Note that
this is a Microsoft Application Virtualization (App-V) package.
29. Review the properties of the package, and then click Cancel.
30. Expand the Excel Viewer 1 package, and then click Distribution Points. Note that the package is
distributed to both \\LON-CM7 and \\LON-SVR1.
33. In the navigation pane, expand Asset Intelligence, expand Customize Catalog, and then click
Software Categories. Review the Adatum Software custom category.
34. In the navigation pane, click Software Families. Review the Adatum LOB Applications custom
family.
35. In the navigation pane, click Custom Labels. Review the Adatum Application custom label.
36. In the navigation pane, expand Desired Configuration Management, and then click Configuration
Items.
37. In the results pane, right-click the Windows Firewall Enabled configuration item, and then click
Properties.
38. In the Windows Firewall Enabled Properties dialog box, on the General tab, review the properties,
and then click the Settings tab.
39. On the Settings tab, in the Name column, click the Windows Firewall is running setting, and then
click Edit.
40. In the Windows Firewall is running Properties dialog box, review the settings, and then click
Cancel. Note that this configuration item is using a WMI query language (WQL) query to check the
status of the Windows Firewall.
41. In the Windows Firewall Enabled Properties dialog box, click Cancel.
44. In the Adatum Security Policy Validation Properties dialog box, review the settings, and then click
Cancel.
6. In the Enter the object names to select field, type LON-CAS; LON-CFG, and then click OK.
7. In the Administrators Properties dialog box, click OK.
9. In the navigation pane, under Site Database, under Site Management, under CM7-London
Configuration Manager 2007, expand FHM - Fulham Secondary Site, expand Site Settings,
expand Site Systems, and then click \\LON-SVR1.
11. Select the Specify a fully qualified domain name (FQDN) for this site system on the intranet
check box.
12. In the Intranet FQDN field, type LON-SVR1.Adatum.com, and then click OK.
3. In the navigation pane, expand the Migration node, and then click Source Hierarchy.
4. On the ribbon, click Specify Source Hierarchy.
6. In the Specify Source Hierarchy dialog box, under Specify the Source Site Account to use to
access the SMS Provider for the source site server. This account requires Read permissions to
all source site objects, verify that User Account is selected, click Set, and then click New Account.
7. In the Windows User Account dialog box, in the User name box, type Adatum\Administrator.
8. In the Windows User Account dialog box, in the Password and Confirm password boxes, type
Pa$$w0rd, and then click Verify.
12. In the Specify Source Hierarchy dialog box, under Specify the Source Site Database Account to
use to access the SQL Server for the source site server. This account requires Read and Execute
permissions to the source site database, verify that Use the same account as the Source Site
SMS Provider Account is selected.
13. Select the Enable distribution-point sharing for the source site server check box, and then
click OK.
14. In the Data Gathering Status dialog box, wait for the data collection to complete, and then click
Close.
15. On the ribbon, click Refresh, and then verify that LON-CM7.ADATUM.COM and
LON-SVR1.ADATUM.COM appear in the preview pane on the Shared Distribution Points tab.
Note: By configuring the Shared Distribution Points option, both the Configuration
Manager 2007 clients and Configuration Manager 2012 clients will have access to the packages
during migration.
Results: At the end of this exercise, you should have reviewed the configuration of the Microsoft® System
Center Configuration Manager 2007 site and configured the source hierarchy in Configuration Manager
2012.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts.
3. On the General page, in the Name box, type Collections and associated objects, and then in the
Description (optional) box, type Migrate collections and associated objects.
4. On the General page, in the Job type drop-down box, select Collection migration, and then click
Next.
5. On the Select Collections page, select the Adatum Servers check box (this also selects London
Servers and ConfigMgr Servers), verify that the Migrate objects that are associated with the
specified collections check box is selected, and then click Next.
6. On the Select Objects page, under Object types, verify that Software Distribution Deployments is
selected.
9. Under Available objects, clear the KB977384 – Advanced Client Hotfix – CM7 check box.
11. Under Available objects, verify that Excel Viewer 1 is selected, and then click Next.
12. On the Content Ownership page, select S01 – Adatum Site from the Destination Site drop-down
list, and then click Next.
13. On the Security Scope page, select the Default check box, and then click Next.
16. On the Review Information page, review the objects to be migrated, and then click Next.
17. On the Settings page, verify that Run the migration job now is selected, review the other settings,
and then click Next.
18. On the Summary page, click Next.
5. In the navigation pane, expand Device Collections, and then open the Adatum Servers folder. If
you do not see the Adatum Servers folder, click the Overview node, and then press F5 on your
keyboard to refresh the navigation pane.
6. In the results pane, observe the ConfigMgr Servers and London Servers collections.
9. Under Membership rules, select the London Servers rule, and then click Edit.
10. In the Query Rule Properties dialog box, review the query, and then click Cancel.
12. In the Configuration Manager console, click the Software Library workspace.
13. In the navigation pane, expand Application Management, and then click the Packages node.
14. In the results pane, select Microsoft Office Word Viewer 2003, and then in the preview pane, click
the Deployments tab. Note the migrated deployment.
16. In the results pane, select the migrated Excel Viewer virtual application package, and then in the
preview pane, click the Deployment Types tab. Note the Microsoft Application Virtualization 4
deployment type.
2. In the navigation pane, expand the Migration node, and then click the Migration Jobs node.
3. On the ribbon, click Create Migration Job.
4. In the Name box, type Migrate objects by type, and then in the Description (optional) box, type
Migration of specific objects.
5. On the General page, in the Job type drop-down box, select Object migration, and then click Next.
6. On the Select Objects page, under Object types, click to select the Boundaries check box.
9. Under Object types, select the Asset Intelligence Catalog check box.
12. On the Security Scope page, click Default, and then click Next.
13. On the Review Information page, review the objects to be migrated, and then click Next.
14. On the Settings page, verify that Run the migration job now is selected, review the other settings,
and then click Next.
18. In the results pane, verify that the status of the migration job is Completed. If necessary, select the
Migrate objects by type object, and then click Refresh.
2. In the navigation pane, expand Asset Intelligence, and then click Catalog.
3. In the results pane, click the Validation State column until the following User Defined objects
appear at the top of the list: Adatum LOB Applications, Adatum Software, and Adatum
Application.
4. In the navigation pane, expand Compliance Settings, and then click Configuration Items.
5. In the results pane, review the Windows Firewall Enabled and Windows Version is Windows 7
migrated configuration items.
9. In the navigation pane, expand Hierarchy Configuration, and then click Boundaries.
12. In the results pane, review the CM7 (London Configuration Manager 2007) boundary group
created from the Configuration Manager 2007 site.
4. In the results pane, click Migration Job properties, and then on the ribbon, click Run.
9. In the results pane, click Migration jobs, and then on the ribbon, click Run.
10. After reviewing the Migration jobs report, close the Migration jobs window.
Results: At the end of this exercise, you should have created migration jobs, performed object migration,
and viewed the migration reports.
2. On the ribbon, click Reassign Distribution Point. The Reassign Shared Distribution Point Wizard
starts.
4. In the Select Distribution Point dialog box, click LON-SVR1.ADATUM.COM, and then click OK.
5. On the General page, in the Site code drop-down box, select S01 – Adatum Site, and then click
Next.
6. On the Distribution point page, select the Install and configure IIS if required by Configuration
Manager check box, and then click Next.
11. On the Boundary Groups page, click Add, select the CM7 (London Configuration Manager 2007)
check box, and then click OK.
12. On the Boundary Groups page, click Next.
13. Review the Content Conversion page, and then click Next.
17. In the results pane, monitor the status of the migration job until it is Pending on secondary site
uninstallation. Click Refresh to update the status column as necessary.
20. Monitor the ConfigMgrSetup.log file until the Completed the deinstall of the ConfigMgr site
message appears.
Note: The uninstallation of the secondary site should take about five minutes.
23. Click CM7, and then on the ribbon, click Gather Data Now.
24. In the Data Gathering Status dialog box, after the data gathering process completes, click Close.
25. Click the Distribution Point Migration node.
26. Select LON-SVR1.ADATUM.COM, and then click Refresh. The status should change to Reassigning
distribution point.
27. Monitor the status until Completed reassign distribution point appears. Click Refresh as necessary.
Note: The distribution point installation should take about five minutes.
5. Click the Monitoring workspace, expand the Distribution Status folder, and then click the Content
Status node.
6. Click the Excel Viewer application, and then in the completion statistics, click View Status.
7. LON-SVR1.ADATUM.COM should be listed in the Asset Details pane.
2. In the navigation pane, expand the Migration node, and then click the Source Hierarchy node.
3. In the results pane, click CM7, and then on the ribbon, click Stop Gathering Data.
5. In the results pane, verify that CM7 has the status Have not gathered data, and then on the ribbon,
click Clean Up Migration Data.
6. In the Clean Up Migration Data dialog box, verify that CM7 (LON-CM7.Adatum.com) appears in
the Source hierarchy box, and then click OK.
8. In the results pane, note that the source hierarchy has been removed.
Results: At the end of this exercise, you will have reassigned a secondary site.