10748C TrainerHandbook PDF

MCT USE ONLY.
STUDENT USE PROHIBITED

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
10748C
Planning and Deploying System Center 2012
Configuration Manager
MCT USE ONLY. STUDENT USE PROHIBITED
ii Planning and Deploying System Center 2012 Configuration Manager
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2014 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty
/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.
Product Number: 10748C
Part Number: X19-17689
Released: 04/2014
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:

User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
iv. you will ensure that each End User attending an Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
vi. you will ensure that each Trainer teaching an Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User:

For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer.

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code tent that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code ntent are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject

matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to

o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en français.
EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute
utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie
expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES

DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages
directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres
dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
Cette limitation concerne:
• tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers; et.
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité
stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si
votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires
ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre
égard.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits
prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre
pays si celles-ci ne le permettent pas.
Revised July 2013

Planning and Deploying System Center 2012 Configuration Manager xi
xii Planning and Deploying System Center 2012 Configuration Manager
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution in developing
this title. Their effort at various developmental stages has ensured that you have a good classroom
experience.
Conan Kezema: Content Developer

Conan Kezema, Bachelor of Education (B.Ed), Microsoft Certified Solutions Expert (MCSE), Microsoft
Certified Trainer (MCT), is an educator, consultant, architect of network systems, and author who
specializes in Microsoft® technologies. As an associate of S.R. Technical Services, Conan has been a
subject-matter expert, instructional designer, and author on numerous Microsoft courseware
development projects.
David Susemiehl: Content Developer

David Susemiehl has worked as consultant, trainer, and courseware developer since 1996. David has
extensive experience consulting on Microsoft Systems Management Server and Microsoft System Center
Configuration Manager 2012, as well as Active Directory® products, Microsoft Exchange Server, and
Terminal Server and Citrix deployments. David has developed courseware for Microsoft and Hewlett-
Packard, and delivered those courses successfully in Europe, Central America, and across North America.
For the last several years, David has been writing courseware for Microsoft Learning, and has been
managing the Microsoft System Center and Exchange Server deployments for a nationwide insurance
company.
Orin Thomas: Content Developer

Orin Thomas is a Microsoft Most Valuable Professional (MVP), an MCT and has a string of Microsoft MCSE
and Microsoft Certified IT Professional (MCITP) certifications. He is the author of more than 20 books for
Microsoft Press®, and is a contributing editor at Windows IT Pro magazine. He has been working in IT
since the early 1990s. He is a regular speaker at events such as TechEd in Australia and around the world
on the topics of Windows Server®, Windows® Client, System Center, and security topics. Orin founded and
runs the Melbourne System Center Users Group.
Telmo Sampaio: Content Developer

Telmo Sampaio, who has a Bachelor of Science (B.S.) degree, also is an MCT, MCSE, Microsoft Certified
Solutions Developer (MCSD), and an MCT Regional Lead. He is the “Chief Geek” for MCTrainer.NET and
TechKnowLogical. Telmo specializes in System Center, Microsoft SharePoint®, Microsoft SQL Server®, and
.NET, and has worked for IBM, Microsoft, and several start-ups during the past 20 years. He is very active
in the MCT community, and travels the world providing consulting services and attending training
engagements. His home base is Miami, Florida. Telmo has passed more than 80 Microsoft exams since his
first certification in 1996.
Bob Lawler: Technical Reviewer

Bob Lawler, B.S., is an MCITP, MCSE, and MCT, and in 2012 was selected as a charter member of the MCT
Regional Lead program. He is the owner and president of XPO-NET Corporation, and has more than 20
years of IT experience. As a professional technical writer, he has authored, contributed to, and edited a
variety of training software and videos, books, magazine articles, and courseware for multiple Microsoft
and third-party technologies. As a consultant and trainer, Bob has provided expertise and guidance on
several technologies, including Exchange Server, Microsoft Internet and Security Acceleration (ISA) Server,
and System Center Configuration Manager for many organizations, including some of the most
recognizable names in American business.
Planning and Deploying System Center 2012 Configuration Manager xiii
Contents
Module 1: Overview of System Center 2012 R2 Configuration Manager
Lesson 1: Introduction to System Center 2012 R2 Configuration Manager 1-2
Lesson 2: Overview of the Configuration Manager Site System Roles 1-13
Lesson 3: Overview of the Configuration Manager Optional Site System
Roles 1-21
Lesson 4: Overview of Configuration Manager Deployment Scenarios 1-29
Lesson 5: Overview of the Configuration Manager Client 1-35
Module 2: Planning and Deploying a Stand-Alone Primary Site

Lesson 1: Planning a Configuration Manager Stand-Alone Primary Site
Deployment 2-3
Lesson 2: Preparing to Deploy a Configuration Manager Primary Site 2-7
Lesson 3: Installing a Configuration Manager Site Server 2-21
Lab A: Installing a Configuration Manager Primary Site 2-26
Lesson 4: Performing Post-Setup Configuration Tasks 2-31
Lesson 5: Tools for Monitoring and Troubleshooting a Configuration
Manager Site 2-38
Lab B: Performing Post-Setup Configuration Tasks 2-43
Module 3: Planning and Configuring Role-Based Administration

Lesson 1: Overview of Role-Based Administration 3-2
Lesson 2: Identifying IT Roles in Your Organization 3-10
Lesson 3: Configuring Role-Based Administration 3-16
Lab: Planning and Configuring Role-Based Administration 3-19
Module 4: Planning and Deploying a Multiple-Site Hierarchy

Lesson 1: Planning a Configuration Manager 2012 Multiple-Site
Hierarchy 4-2
Lesson 2: Deploying a Configuration Manager 2012 Site 4-9
Lesson 3: Deploying the Central Administration Site 4-16
Lab A: Installing a Site Hierarchy 4-23
Lesson 4: Deploying Primary Sites in a Hierarchy 4-26
Lab B: Verifying a Site Hierarchy 4-33
Lesson 5: Deploying Secondary Sites 4-37
Lab C: Installing a Secondary Site 4-41
xiv Planning and Deploying System Center 2012 Configuration Manager
Module 5: Replicating Data and Managing Content in Configuration Manager 2012

Lesson 1: Introduction to Data Types and Replication 5-2
Lesson 2: Managing Data Replication 5-12
Lab A: Configuring, Monitoring, and Troubleshooting Data Replication 5-21
Lesson 3: Planning Content Management 5-26
Lab B: Planning and Configuring Content Management 5-35
Module 6: Planning Resource Discovery and Client Deployment

Lesson 1: Identifying Resources by Using Configuration Manager
Discovery Methods 6-3
Lesson 2: Client Deployment in Configuration Manager 6-13
Lesson 3: Deploying Windows-Based Configuration Manager Clients 6-25
Lab: Implementing Configuration Manager Client Deployment 6-36
Lesson 4: Managing Configuration Manager Clients 6-42
Lesson 5: Monitoring Client Status in Configuration Manager 6-50
Module 7: Configuring Internet and Cloud-Based Client Management

Lesson 1: Managing Remote Clients by Using System Center 2012 R2
Configuration Manager 7-2
Lesson 2: Managing Internet-Based Configuration Manager Clients 7-8
Lab A: Configuring PKI for Configuration Manager 7-14
Lesson 3: Configuring Cloud Services in System Center 2012 R2
Lab B: Configuring Windows Intune Integration with System Center
2012 R2 Configuration Manager 7-26
Module 8: Maintaining and Monitoring System Center 2012 Configuration Manager

Lesson 1: Overview of Configuration Manager 2012 Site Maintenance 8-2
Lesson 2: Performing Backup and Recovery of a Configuration Manager
Site 8-9
Lesson 3: Monitoring Configuration Manager 2012 Site Systems 8-19
Lab: Maintaining System Center 2012 Configuration Manager 8-23
Module 9: Migrating to System Center 2012 R2 Configuration Manager

Lesson 1: Overview of the Migration Process 9-2
Lesson 2: Preparing Configuration Manager 2007 Sites for Migration 9-8
Lesson 3: Configuring Migration Settings 9-11
Lesson 4: Migrating Objects 9-17
Lesson 5: Upgrading Configuration Manager 2012 to Configuration
Manager 2012 with SP1 and then to System Center 2012 R2
Lab: Migrating from System Center Configuration Manager 2007 to
System Center 2012 Configuration Manager 9-30
Planning and Deploying System Center 2012 Configuration Manager xv
Lab Answer Keys

Module 2 Lab A: Installing a Configuration Manager Primary Site L2-1
Module 2 Lab B: Performing Post-Setup Configuration Tasks L2-5
Module 3 Lab: Planning and Configuring Role-Based Administration L3-9
Module 4 Lab A: Installing a Site Hierarchy L4-15
Module 4 Lab B: Verifying a Site Hierarchy L4-19
Module 4 Lab C: Installing a Secondary Site L4-23
Module 5 Lab A: Configuring, Monitoring, and Troubleshooting
Data Replication L5-27
Module 5 Lab B: Planning and Configuring Content Management L5-32
Module 6 Lab: Implementing Configuration Manager Client
Deployment L6-37
Module 7 Lab A: Configuring PKI for Configuration Manager L7-43
Module 7 Lab B: Configuring Windows Intune Integration with
System Center 2012 R2 Configuration Manager L7-49
Module 8 Lab: Maintaining System Center 2012 Configuration
Manager L8-55
Module 9 Lab: Migrating from System Center Configuration
Manager 2007 to System Center 2012 Configuration Manager L9-59
About This Course xvii
About This Course

This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.
Course Description
This three-day course describes how to design and deploy a System Center 2012 R2 Configuration
Manager hierarchy, including a central administration site; one or more primary sites and secondary
sites; and all associated site systems. The course also covers migrating to a System Center 2012 R2
Configuration Manager hierarchy from System Center Configuration Manager 2007 and from the initial
release of System Center 2012 Configuration Manager.
Audience
This course is intended for Information Technology (IT) professionals who are responsible for designing
and deploying one or more System Center 2012 R2 Configuration Manager sites and all supporting
systems. They should have three to five years of experience in medium to large enterprise organizations,
in a role in which they are supporting multiple desktop and server computers that run Windows®-based
operating systems.
This course is also for individuals who are interested in taking exam 70-243 TS: Administering and
Deploying System Center 2012 Configuration Manager.
Both 10747D: Administering System Center 2012 Configuration Manager and 10748C: Planning and
Deploying System Center 2012 Configuration Manager are necessary to prepare for this exam.
Student Prerequisites
Before attending this course, students must have a working knowledge at the system-administrator level
of:
• Networking fundamentals, including TCP/IP and Domain Name System (DNS).
• Active Directory® Domain Services (AD DS) principles and management.
• Windows Server management, including managing Windows Server 2008 R2 and Windows
Server 2012.
• Windows Client fundamentals.
• Deployment, configuration, and troubleshooting for Windows-based personal computers.

• Basic public key infrastructure (PKI) concepts.
• Configuration Manager features and administrative tasks including:
• Working with the System Center 2012 Configuration Manager or newer administrator console.
• Installing clients.
• Maintaining hardware and software inventory.
• Working with collections.
• Reporting.
• Deploying applications.
• Managing software updates.

xviii About This Course
• Deploying operating systems.
• Settings management.
Students who attend this training can meet the prerequisites by obtaining equivalent knowledge and skills
or by attending the following courses:
• Course 6419: Configuring, Managing, and Maintaining Windows Server® 2008–based Servers
• Course 20411: Administering Windows Server® 2012

• Course 20687: Configuring Windows® 8.1
And EITHER:
o Course 10747: Administering System Center 2012 Configuration Manager
OR:
o Course 6451: Planning, Deploying, and Managing Microsoft System Center Configuration
Manager 2007
AND
o Six months of hands-on experience with System Center 2012 Configuration Manager or newer
Course Objectives
After completing this course, students will be able to:
• Describe the System Center 2012 R2 Configuration Manager infrastructure.

• Plan and deploy a stand-alone primary site.
• Plan and configure role-based administration.
• Plan and deploy a multiple site hierarchy.

• Replicate data and manage content in Configuration Manager.
• Plan resource discovery and client deployment.
• Configure Internet and cloud-based client management.

• Maintain and monitor System Center 2012 R2 Configuration Manager.
• Migrate to System Center 2012 R2 Configuration Manager.
Course Outline
The course outline is as follows:
Module 1, Overview of System Center 2012 R2 Configuration Manager
This module explains the System Center 2012 R2 Configuration Manager infrastructure and the
typical deployment scenarios.
Module 2, Planning and Deploying a Stand-Alone Primary Site
This module explains how to plan and deploy a stand-alone primary site.
Module 3, Planning and Configuring Role-Based Administration
This module explains how to plan and configure Configuration Manager administrative users
and access.
About This Course xix
Module 4, Planning and Deploying a Multiple Site Hierarchy
This module explains how to plan and deploy a multiple site hierarchy including a central
administration site, primary sites, and a secondary site.
Module 5, Replicating Data and Managing Content in Configuration Manager 2012
This module explains how to plan, configure, and monitor data types, intersite communication,
replication, and content.
Module 6, Planning Resource Discovery and Client Deployment

This module explains how to plan and use various methods to discover resources and deploy
the Configuration Manager client.
Module 7, Configuring Internet and Cloud-Based Client Management
This module explains how to plan and configure Internet and cloud-based client management.
Module 8, Maintaining and Monitoring System Center 2012 R2 Configuration Manager
This module explains how to perform maintenance tasks and monitor the Configuration
Manager site systems.
Module 9, Migrating to System Center 2012 R2 Configuration Manager

This module explains how to perform migration tasks from Configuration Manager 2007 and
upgrade Configuration Manager 2012 to Configuration Manager 2012 SP1 and then to System
Center 2012 R2 Configuration Manager.
Exam/Course Mapping
This course, 10748C: Deploying System Center 2012 Configuration Manager, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-243: Administering and Deploying System
Center 2012 Configuration Manager.
The following table is provided as a study aid that will assist you in preparation for taking this exam and
to show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination and will utilize the unique experience and skills of your qualified Microsoft
Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en-us/exam-70-243.aspx, under Skills Measured.
xx About This Course
Exam Objective Domain: 70-243: Administering and Deploying

Course Content
System Center 2012 Configuration Manager
1. Design and Plan System Center Configuration Manager
Infrastructure (10 - 15%) Module Lesson Lab
1.1. Plan System This objective may include but is not limited to: pre- Mod 2 Lessons Mod 2 Labs
Center installation requirements, examining the current 1/2/3/4/5 A/B
Configuration computing environment, CAS, primary and secondary
Manager sites, branch cache, designing and recommending
hierarchy and System Center Configuration Manager server Mod 4 Lessons Mod 4 Labs
site system roles. architecture, extending the Active Directory schema 1/2/3/4 A/B/C
(DNS service records, WINS), managed providers,
discovery methods, and planning migration
1.2. Plan and This objective may include but is not limited to: PKI or Mod 3 Lessons Mod 3 Lab
configure self-signed certificates, HTTP or HTTPs 1/2/3
security. implementation, NAP, FEP, and planning role-based
security
1.3. Define the This objective may include but is not limited to: Mod 8 Lessons Mod 8 Lab
Business disaster recovery and site maintenance 1/2/3
Continuity Plan
(BCP).
5. Manage Sites (10 - 15%)
5.2. Monitor site This objective may include but is not limited to: SSRS, Mod 8 Lessons Mod 8 Lab
health. log files, In Console Monitoring, Toolkit 1/2/3
5.4. Manage site This objective may include but is not limited to: Mod 5 Lessons Mod 5 Labs
communications. configuring bandwidth settings for a site address, 1/2/3 A/B
configuring senders, secondary sites (file-based
replication, SQL replication paths), resolving DP
connections
5.6. Manage This objective may include but is not limited to: Mod 3 Lessons Mod 3 Lab
role-based security scopes, custom roles, cloned security roles 1/2/3
security. and permissions
6. Manage Clients (10 - 15%)

6.1. Deploy This objective may include but is not limited to: GPO, Mod 6 Lessons Mod 6 Lab
clients. WSUS, logon scripts, manual, client push, OSD task 1/2/3/4/5
sequence, monitoring client health
Note: Attending this course in itself will not successfully prepare you to pass any associated
certification exams.
There may also be additional study and preparation resources, such as practice tests, available
for you to prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en-us/exam-70-243.aspx, under Preparation options.
About This Course xxi
You should also check out the Microsoft Virtual Academy, http://www.microsoftvirtualAcademy.com to
view further additional study resources and online courses which are available to assist you with exam
preparation and career development.
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam
is available at the following URL: http://www.microsoft.com/learning/en-us/course.aspx?ID=10748C,
under Overview, Audience Profile.
The exam/course mapping table outlined above is accurate at the time of printing, however it is subject
to change at any time and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:
• Course Handbook: A succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
• Module Reviews and Takeaways: Provide on-the-job reference material to boost knowledge
and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site:

Searchable, easy-to-browse digital content with integrated premium online resources that
supplement the Course Handbook.
• Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers, and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, Microsoft Developer Network (MSDN®), or Microsoft
Press®.
Student Course files: on the http://www.microsoft.com/learning/companionmoc site.
• Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
xxii About This Course
Virtual Machine Environment

This section provides the information about the lab scenario that is used in this course.
Virtual Machine Configuration

In this course, you will use Microsoft Hyper-V® to perform the labs.
Important At the end of each lab, you must revert the virtual machines to a snapshot.
You can find the instructions for this procedure at the end of each lab.
The following table shows the role of each virtual machine that is used in this course:
Virtual machine Role

�
10748C-LON-DC1 (A,B,C) Domain controller for the Adatum.com domain
10748C-LON-CFG (A,B,C) Configuration Manager primary site server
10748C-LON-CAS-(B,C) Central administration site server
10748C-LON-SVR1-C Server in the adatum.com domain
10748C-LON-CM7-C Configuration Manager 2007 installation used for migration
10748C-TOR-CFG-(B,C) Secondary site server for the Toronto branch office
10748C-NYC-CFG-(B,C) Primary site server for New York
Software Configuration
The following software is installed on each virtual machine:
• Windows Server 2012 R2
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
You may be accessing the lab virtual machines in either in a hosted online environment with a web
browser or by using Hyper-V on a local machine. The labs and virtual machines are the same in both
scenarios however there may be some slight variations because of hosting requirements. Any
discrepancies will be called out in the Lab Notes on the hosted lab platform.
Your Microsoft Certified Trainer will provide details about your specific lab environment.
Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
• The minimum equipment configuration for this course is hardware level 7 with 16 gigabytes (GB) of
random access memory (RAM)
About This Course xxiii
Hardware Level 7
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 gigabyte (GB) hard disks 7200 RM SATA or better. The hard disks should be configured with
a separate volume (Drive C: and Drive D:) on each hard disk.
• 16 GB random access memory (RAM) or higher
• DVD drive
• Network adapter
• Super VGA (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers
1-1
Module 1
Overview of System Center 2012 R2 Configuration Manager
Contents:
Module Overview 1-1
Lesson 1: Introduction to System Center 2012 R2 Configuration Manager 1-2
Lesson 2: Overview of the Configuration Manager Site System Roles 1-13

Lesson 3: Overview of the Configuration Manager Optional Site System Roles 1-21
Lesson 4: Overview of Configuration Manager Deployment Scenarios 1-29

Lesson 5: Overview of the Configuration Manager Client 1-35
Module Review and Takeaways 1-41
Module Overview
By using the features of Microsoft® System Center 2012 Configuration Manager and System Center 2012
R2 Configuration Manager, you can perform complex management tasks, including the following:
• Hardware and software inventory.
• Application management.
• Operating-system deployment.
• Settings management.
• Software update management.
• Remote client troubleshooting.
• Protection from malware.
Knowledge of these features helps you design and deploy a Configuration Manager infrastructure. Other
areas of knowledge that can you in your design and deployment tasks include:
• An understanding of Configuration Manager components and functionality.
• Knowledge of site system roles.
• An understanding of the architecture of the Configuration Manager client.
Objectives
After completing this module, you will be able to:
• Describe the System Center 2012 R2 products.
• Describe Configuration Manager and the new functionality in System Center 2012 Configuration
Manager with Service Pack 1 (SP1) and in System Center 2012 R2 Configuration Manager.
• Describe the Configuration Manager server infrastructure.
• Describe typical Configuration Manager deployment scenarios.
• Describe the Configuration Manager console.
1-2 Overview of System Center 2012 R2 Configuration Manager
Lesson 1
Introduction to System Center 2012 R2 Configuration
Manager
Configuration Manager is a management solution with many useful features. In this lesson, you will
discover how to design a Configuration Manager hierarchy that helps you use these features more
efficiently. You will examine the role of Configuration Manager in the System Center 2012 R2 family of
products and determine whether Configuration Manager is the appropriate product to use in your
organization.
You will also examine how the changes introduced in the System Center 2012 R2 Configuration Manager
2007 and 2012 versions affect your overall site hierarchy design.
In Configuration Manager 2007, data is transferred between sites by using file-based replication.
Although System Center 2012 R2 Configuration Manager still uses file-based replication for content, it
uses database replication to replicate operational data. In this lesson, you will examine what global data
and site data are and how data is replicated throughout the hierarchy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of Configuration Manager.
• Explain how Configuration Manager is positioned in the System Center 2012 R2 family of products.
• Describe site and hierarchy differences between Configuration Manager 2007, System Center 2012
Configuration Manager, and System Center 2012 R2 Configuration Manager.
• Understand the layout and functionality of the Configuration Manager console.
Overview of the System Center 2012 R2 Set of Products

System Center solutions help you manage
the physical and virtual information technology
(IT) environments across data centers, client
computers, and mobile devices. You can improve
your productivity by using the integrated and
automated solutions of System Center.
The following table lists the System Center

products.
Product Details
System Center 2012 R2 You can use the System Center 2012 R2 App Controller to provide self-
App Controller service access for application administrators. Then administrators can
create and manage virtual machines and services based on templates,
and manage private cloud resources and public cloud Windows Azure™
subscriptions from a single web interface.
Planning and Deploying System Center 2012 Configuration Manager 1-3
Product Details
System Center 2012 R2 You can use the change and configuration management capabilities of
Configuration Manager System Center 2012 R2 Configuration Manager to perform tasks such as:
• Deploying operating systems, software applications, and software
updates.
• Monitoring and remediating computers for compliance settings.
• Collecting hardware and software inventory.
• Remote administration.
System Center 2012 R2 You can use the System Center 2012 R2 Data Protection Manager (DPM)
Data Protection Manager to perform disk-based and tape-based continuous data protection and
recovery for file servers, Active Directory® Domain Services (AD DS) and
application servers such as Microsoft SQL Server®, Exchange Server,
Microsoft SharePoint®, and Microsoft Hyper-V®–based virtualization
hosts. You can use DPM to protect the data on Windows® desktops and
laptops.
System Center 2012 R2 You can use System Center 2012 R2 Endpoint Protection to provide
Endpoint Protection malware protection for your client systems. System Center 2012 R2
Endpoint Protection is built into Configuration Manager, creating a
single infrastructure for deploying and managing Endpoint Protection.
System Center 2012 R2 You can use System Center 2012 R2 Operations Manager to monitor
Operations Manager services, devices, and applications on multiple computers in a single
console. System Center 2012 R2 Operations Manager enables you to
view the state of the information technology environment and services
running across different systems. You can view state, health, and
performance information in addition to real-time alerts generated for
availability, performance, configuration, and security incidents.
System Center 2012 R2 You can use the System Center 2012 R2 Orchestrator to orchestrate,
Orchestrator integrate, and automate the IT processes in an organization. Orchestrator
enables you to define and automate processes from a central point and
integrate with existing management solutions, from both the System
Center family and third-party management platforms.
System Center 2012 R2 You can use the System Center 2012 R2 Service Manager for automating
Service Manager and adapting the organization’s processes to IT service management best
practices, such as those found in Microsoft Operations Framework and
Information Technology Infrastructure Library. System Center 2012 R2
Service Manager also provides built-in processes for incident and
problem management, change management, release management,
and risk and compliance management.
System Center 2012 R2 You can use the System Center 2012 R2 Virtual Machine Manager to
Virtual Machine Manager configure and manage virtualization hosts, networking, and storage
resources. This management solution for the virtualized datacenter also
helps you create and deploy virtual machines and services to private
clouds.
Note: For System Center 2012 licensing information, please visit Microsoft Server and
Cloud Platform Pricing and Licensing at http://go.microsoft.com/fwlink/?LinkId=253177.
Question: Which of the System Center family of products, including the previous versions, are you using
in your organization?
Licensing for System Center 2012 R2 Server Management

There are two editions of the System Center 2012 R2 suite—Standard and Datacenter—which the follow
table details.
Server license Products Virtual machines per license
System Center 2012 R2 App Controller Two

Standard Edition Configuration Manager
Data Protection Manager
System Center 2012 R2 Unlimited
Datacenter Edition Endpoint Protection
Operations Manager
Orchestrator
Service Manager
Virtual Machine Manager
The Standard and the Datacenter editions are limited to two physical processors. If you deploy these
editions on a server with four processors, you need to purchase an additional suite license. You can
purchase System Center 2012 R2 licensing for client management in a variety of packages. System Center
2012 R2 includes licensing for a version of SQL Server Standard edition that supports System Center 2012
and System Center 2012 R2.
Overview of Configuration Manager 2012

The following table outlines the features of
System Center 2012 Configuration Manager.
Feature Feature usage
Asset management
Hardware and Software You can use the tools and resources provided in the Hardware and
Inventory Software Inventory feature to maintain a record of hardware and software
in your organization.
Asset Intelligence You can use the Asset Intelligence feature to obtain more insight from the
inventory data that the Hardware and Software Inventory feature records.
Asset Intelligence uses a catalog that contains software and imported
license information to identify the inventoried software.
Software Metering You can use the Software Metering feature to monitor and collect software
usage data and generate reports to determine how your organization uses
applications.
Change Management
Application You can use the tools and resources in the Application Management
management feature to create, manage, deploy, and monitor applications in your
organization.
Software Updates You can use the tools and resources in the Software Updates Management
Management feature to manage, deploy, and monitor software updates in your
organization.
Operating System You can use the Operating System Deployment feature to plan and deploy
Deployment operating systems by using images.
Content Management You can use the tools and resources in the Content Management feature to
manage content files for applications, packages, software updates, and
operating-system deployment.
Compliance Settings You can use the tools and resources of the Compliance Settings feature to
help you assess, track, and remediate the configuration compliance of
client computers in the organization.
Power Management You can use the tools and resources of the Power Management feature to
manage and monitor the power consumption of client computers in the
organization.
Client Health You can use the tools and resources of the Client Health feature to manage
and monitor the health of the Configuration Manager client software.
Network Access You can use the Network Access Protection feature as a health validator.
Protection (NAP) This feature works in conjunction with Network Access Protection in
Microsoft Windows Server® 2008, Windows Server 2012, and Windows
Server 2012 R2.
Endpoint Protection You can use this new functionality in Configuration Manager 2012 to
protect clients against malware. This functionality was available previously
in Microsoft Forefront® Endpoint Protection.
Administrative Features
Reporting You can use the SQL Reporting Services in Configuration Manager 2012
for report generation. Administrators can create subscriptions so that SQL
Reporting Services generates reports on a schedule and distributes them in
various formats by email.
Monitoring You can use the Monitoring feature to supervise site systems and client
health. It also provides automatic remediation for specific client errors.
Remote Management You can use the Remote Management feature to assist users by remotely
accessing any client computer in the hierarchy. You can use the remote
control to troubleshoot hardware and software configuration problems on
client computers and to provide help-desk support when access to a user’s
computer is necessary.
Role-Based You can use role-based administration to assign roles and permissions to
Administration the administrators, to allow them to access and use Configuration Manager
and its various features.
New Functionality in the System Center 2012 R2 Configuration Manager

Release
System Center 2012 Configuration Manager SP1
introduced new features that were not available
in the original Release to Manufacturing (RTM)
version. The release of System Center 2012 R2
Configuration Manager builds on the SP1 release
and introduces additional features.
New Features in System Center 2012

Configuration Manager SP1
introduces support for the following significant
features:
• The Configuration Manager client on computers that are running Windows® 8 and Windows
Server 2012.
• The ability to use Configuration Manager to deploy Windows 8 or to upgrade computers that are
running Windows 7 to Windows 8.
• Support for Windows To Go deployment and clients.

• User data and profiles configurations that enable Configuration Manager to manage folder
redirection, offline files, and roaming profiles.
• Deployment of Windows Store apps (.appx files) to clients running Windows 8, through sideloading
or links to the Windows Store.
• Use of a metered Internet connection and the Always On, Always Connected Windows 8 features.
• The ability to use Windows Server 2012 for site systems and as client devices.
• The ability to use SQL Server 2012 to host the Configuration Manager database.
• The ability to use computers running Mac OS X, Linux, or UNIX as Configuration Manager client
devices.
• The ability to use mobile devices that are running Windows Phone 8, Windows RT, iOS, or Android
through a Windows Intune™ organizational account.
• Windows PowerShell® cmdlets that you can use to automate Configuration Manager operations
through Windows PowerShell scripts.
• Windows Azure-based distribution points.

• The ability to expand a stand-alone primary site into a hierarchy by adding a new central
administration site.
• Migrating a Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy.
• More than one software update point in a site.

• The ability to trigger some client operations, such as downloading policy and malware scans, from the
Configuration Manager console.
• Microsoft Application Virtualization (App-V) virtual environments that make it possible for App-V
applications to share data from file systems and registries.
• Increased email alert subscriptions.
New Features in System Center 2012 R2 Configuration Manager

In addition to the features discussed above, System Center 2012 R2 Configuration Manager supports the
following new features:
• Windows Server 2012 R2 and Windows 8.1.

• Boot images that you create by using Windows Automated Installation Kit (AIK) for Windows 7 SP1.
• The new site system role for certificate registration points. This role enables deployment to, and
management of, certificates to Configuration Manager client devices.
• Certificate profiles that support user and device certificates to managed devices that are running the
iOS, Windows 8.1, Windows 8.1 RT, and Android operating systems.
• The merging of System Center 2012 R2 Configuration Manager hierarchies.
• The migration of data from a System Center 2012 Configuration Manager test environment to a
System Center 2012 R2 Configuration Manager production environment.
• The enrollment of Mac OS X computers and deployment of client certificates through an enrollment
wizard.
• The ability to reassign Configuration Manager client devices (including managed mobile devices) to a
different site in the Configuration Manager hierarchy, either individually or through bulk
reassignment.
• The enrollment of Android devices by using the Company Portal app that is available through the
Google Play store. The Company Portal app includes the Configuration Manager Management agent
that enables management capabilities, such as password settings, encryption settings, and a camera.
• The enrollment of iOS devices by using the Company Portal app available through the App Store. The
Company Portal app enables users to change or reset passwords; download and install apps that the
organization owns; and enroll, unenroll, or remove organizational content from their iOS devices.
• Devices that run the Windows RT, iOS, and Android mobile operating systems and that support the
required deployment purpose.
• The Wipe and Retire function, which enables administrators to remove organizational content from
mobile devices, while leaving the user’s personal information on the device.
• Windows Intune, which you can use to manage Windows 8.1 devices that are not domain-joined and
that do not have the Configuration Manager client installed.
• Additional compliance settings that relate to mobile devices.
• The deployment of web applications through a new deployment type.
• Windows 8.1 app bundles (.appxbundle) to optimize the deployment of Windows Store apps and
resource packages.
• Featured applications that display prominently in the Company Portal.
• The configuration of per-application virtual private network (VPN) profiles that enable an application
to open a VPN connection.
• Remote connection profiles, which enable users to connect remotely to their work computers from
the company portal.
• VPN profiles, which enable you to deploy VPN settings to devices that are running iOS, Windows RT,
and Windows RT 8.1.
• Wi-Fi profiles that enable you to deploy Wi-Fi connection settings to devices that are running iOS,
Windows 8, Windows 8.1, Windows RT, and Windows RT 8.1.
• Support for Windows 8 and Windows 8.1 distribution points.
• Software updates for specific maintenance windows.
• Previews of software updates in an automatic deployment rule.
• The alteration of deployment packages for existing deployment rules, so that you can add new
software updates more efficiently.
• The ability to view resultant client settings, so that you can see effective client settings that are
applied to specific devices.
• Nondefault locations for site database files during setup.
• The creation of prestaged content files for task sequence content.

• Virtual hard-disk management.
• New task-sequence steps that include Run PowerShell Script, Check Readiness, and Set Dynamic
Variables.
• Pull distribution points that enable administrators to configure priorities for source distribution points.
• The pushing of status information about completed actions by pull distribution points to the site
server.
• Summary reports of distribution point usage, which enable administrators to view details that
compare individual distribution-point utilization.
• Configuration Manager reporting filters reports’ data based on the permissions of the user who runs
the report.
Sites and Hierarchies

You can implement Configuration Manager as:
• A single primary site with optional secondary
sites.
• Multiple sites in a hierarchical relationship,

including a central administration site,
multiple primary sites, and secondary sites.
Unlike Configuration Manager 2007, sites in

Configuration Manager are no longer security
boundaries and do not limit the administrative
scope. You use multiple primary sites for scale-out
operations to accommodate a larger number of
clients.
Changes to Site Types

Configuration Manager introduces changes to site types including:
• Central administration site. In Configuration Manager 2007 and previous versions, the top-level
primary site was called a central site. Configuration Manager introduces a new site type—the central
administration site—that:
o Is required only when implementing multiple primary sites.
o Provides centralized management of primary sites in the hierarchy.
o Is used to generate reports that contain data from the entire hierarchy.
o Supports a subset of site system roles.
o Does not have directly assigned clients or process client data. It receives client data from the
other primary sites in the hierarchy. The central administration site does not support roaming
clients. With System Center 2012 Configuration Manager, if you wanted to use a central
administration site, you needed to install it first, and then install other primary sites that would be
part of the hierarchy under the central administration site. However, with System Center 2012
SP1 Configuration Manager and System Center 2012 R2 Configuration Manager, you can deploy
a primary site. If you need additional primary sites, you can join that primary site to a central site.
• Primary sites. Prior to Configuration Manager 2012, you could tier primary sites below other primary
sites, and use them to enable decentralized administration, define custom configurations for client
agents, or serve as a security scope. In Configuration Manager, you no longer use primary sites to
provide those functions. Configuration Manager primary sites:
o Are used to increase scalability by supporting a larger number of clients when you add another
primary site.
o Manage the clients assigned to them and perform client data processing.
o Cannot be linked to another primary site in a parent-child relationship. Only secondary sites can
be a child site of a primary site.
o Are installed either as a stand-alone site or as the child to an existing central administration site
when you install it in a hierarchy. After installation, you can change the parent-child association
only by uninstalling and reinstalling the primary site or by joining a primary site to a central
o Do not limit the administrative scope. Configurations that administrative users perform at any of
the sites replicate throughout the hierarchy. You can restrict administrative access by using
security roles.
• Secondary sites. In Configuration Manager 2007, you could use secondary sites to manage the
network bandwidth for sending client data and content to remote locations. In Configuration
Manager, you use secondary sites to control the flow of client data in the hierarchy. Secondary sites:
o Use a SQL Server database, which is on a SQL Server Express instance and installed locally on the
secondary site server.
o Always include a management point and distribution point.
o Participate in database replication with their parent primary site.
o Must be a child of a primary site.
o Support the routing of file-based content to other secondary sites.
Question: If you have an existing Configuration Manager 2007 implementation, what is your current
architecture?
Using the Configuration Manager Console

The System Center 2012 R2 Configuration
Manager console has the ribbon design similar to
Microsoft Office 2010. The System Center 2012 R2
Configuration Manager console is context
sensitive and organized into multiple panes.
The five panes in the System Center 2012 R2

Configuration Manager console are the:
• Ribbon. The ribbon contains the actions that
you can perform on the currently selected
object. These actions also are available by
right-clicking the object.
• Workspaces. The workspaces are the navigation tools that help you navigate quickly through the
different management areas.
• Navigation pane. The Navigation pane is the main navigation area, and it contains the nodes that
make up the selected workspace. When you perform certain tasks, such as searches or queries,
Configuration Manager creates temporary nodes that display the task results.
• Results pane. The Results pane shows the objects available under the currently selected workspace or
node.
• Preview pane. The Preview pane is a tabbed pane that appears as the bottom part of the Results
pane. The Preview pane may or may not appear, depending on the object currently selected in the
Results pane.
Assets and Compliance Workspace

You can use the Assets and Compliance workspace to manage the compliance of your environment’s
objects. The Assets and Compliance workspace provides different nodes, through which you can manage
objects, including the following:
• Users. Use this node to manage Configuration Manager users and groups.
• Devices. Use this node to manage Configuration Manager computers and mobile devices.
• User Collections. Use this node to manage user collections.
• Device Collections. Use this node to manage device collections.
• User State Migration. Use this node to manage the user state during operating system deployments.
• Asset Intelligence. This folder contains the Catalog, the Inventoried Software, and the Hardware
Requirements nodes, which you can use to manage the objects that you use for Asset Intelligence.
• Software Metering. Use this node to manage rules for monitoring software usage.
• Compliance Settings. This folder contains the Configuration Items, the Configuration Baselines, User
Data and Profiles, Remote Connection Profiles, and Company Resource Access nodes, which you can
use to manage the objects that you use for assessing and remediating compliance of settings on
devices.
• Endpoint Protection. This folder contains nodes for antimalware and firewall policies.
Software Library Workspace

You can use the Software Library workspace to manage software that you are deploying in your System
Center 2012 R2 Configuration Manager environment. The Software Library workspace is organized into
the following nodes:
• Application Management. This folder contains the Applications, Packages, Approval Requests, and
Global Conditions nodes.
• Software Updates. This folder contains the All Software Updates, Software Updates Groups,
Deployment Packages, and Automatic Deployment Rules nodes.
• Operating Systems. This folder contains the Drivers, Driver Packages, Operating Systems Images,
Operating System Installers, Boot Images, Task Sequences, and Virtual Hard Disks nodes.
Monitoring Workspace
You can use the Monitoring workspace to manage the alerts, queries, reports, status messages, and other
components that allow you to monitor your environment. The Monitoring workspace includes the
following nodes:
• Alerts. Use this node to view and manage alerts. This node contains the Subscriptions subnode, which
enables you to create subscriptions to alerts.
• Queries. Use this node to run, view, and manage Configuration Manager queries.
• Reporting. This folder contains the Reports and Report Subscriptions nodes.
• Site Hierarchy. Use this node to view and manage the status of all sites in the hierarchy, by using a
hierarchy view or geographical view.
• System Status. This folder contains the following nodes: Site Status, Component Status, Conflicting
Records, and Status Message Queries.
• Deployments. Use this node to view the status of software deployments.
• Client Operations. Use this node to get details on client operations.

• Client Status. Use this folder to view Client Health and Client Activity nodes.
• Database Replication. Use this node to view site-to-site link status for SQL Server based replication.
• Distribution Status. This folder contains the Content Status, Distribution Point Group Status, and
Distribution Point Configuration Status nodes.
• Software Update Point Synchronization Status. Use this node to view the status of the synchronization
process for the software update points.
• Endpoint Protection Status. Use this node for security and operational states, and to view the status of
the site’s Endpoint Protection.
Administration Workspace
You can use the Administration workspace to manage your System Center 2012 R2 Configuration
Manager environment. The Administration workspace includes the following nodes:
• Hierarchy Configuration. This folder contains the Discovery Methods, Boundaries, Boundary Groups,
Exchange Server Connectors, Addresses, and the Active Directory Forests nodes.
• Cloud Services. This contains the Windows Intune Subscriptions and Cloud Distribution Points nodes.
• Site Configuration. This folder contains the Sites and Servers node and the Site System Roles node.
• Client Settings. Use this node to manage client settings.

• Security. This folder contains the Administrative Users, Security Roles, Security Scopes, Accounts, and
Certificates nodes.
• Distribution Points. Use this node to manage individual distribution points.

• Distribution Points Groups. Use this node to manage distribution points groups.
• Migration. This folder contains the Active Source Hierarchy, Migration Jobs, and Distribution Point
Updates nodes, which you can use to manage data migration from Configuration Manager 2007.
Lesson 2
Overview of the Configuration Manager Site System Roles
Configuration Manager has multiple site roles that you can install on the same computer or, for scalability,
on multiple servers. Default site roles are installed in every Configuration Manager implementation.
Optional site roles provide additional functionality, and you can install them, as necessary.
By understanding the functionality of the site roles, you can make design decisions regarding the
configuration and placement of each role in your Configuration Manager implementation.
Lesson Objectives
• Describe the functionality of the default site system roles.

• Identify the site roles you need to install in your implementation.
• Describe planning and design considerations for the default site system roles.
Overview of the Configuration Manager Site System Roles

When you install a Configuration Manager site,
several site system roles are installed by default.
The roles installed are required for the core
operations of each site. You can move some
of these roles to other servers, but you cannot
remove them from the site. When you install
additional site servers for optional roles, some
default site system roles are also installed.
Configuration Manager no longer supports the
concept of a site mode. Instead, you configure
each appropriate individual site role to use either
HTTP or HTTPS.
Default Site System Roles

When you install a site server, the default system roles are installed automatically. The SMS Provider role
is the only role that does not have an object exposed in the Configuration Manager console. You can
configure two optional roles—the management point and distribution point roles—for automatic
installation when you install a primary or secondary site server.
The following table lists the default site system roles.
Site system role Description
Site server A site server is the computer on which you run Configuration Manager
Setup. The site server provides the core functionality for the site.
Component server A component server runs the Configuration Manager services and installs
automatically with all site systems, except the distribution point.
SMS Provider An SMS Provider is the interface between the Configuration Manager
console and the site database. This role installs automatically when
you install a central administration site or primary site. Installation of a
secondary site does not install the SMS Provider. You can install the SMS
Provider on the site server, the site database server (unless the site database
is hosted on a clustered instance of SQL Server), or on another computer.
You can also move the SMS Provider to another computer after the site
installs, or you can install multiple SMS Providers on additional computers.
Site system A site system is any computer that hosts one or more site system roles for a
Configuration Manager site.
Site database server A site database server hosts the SQL Server database to store information
about assets and site data.
Management point A management point provides policy and content location information to
clients. It also receives data from clients. You cannot install a management
point in a central administration site.
Distribution point A distribution point contains source files for clients to download, such as
application content, software packages, software updates, operating system
images, and boot images. You can control content distribution by using
bandwidth, throttling, and scheduling options. You cannot install a
distribution point on a central administration site.
Optional Site System Roles

Optional site roles provide additional functionality to your Configuration Manager implementation. Some
of the roles, such as Windows Server roles, have external prerequisites and features that you must install
on that server first.
The following table provides some examples of optional site roles.
Application An Application Catalog web service point provides software information to the
Catalog web Application Catalog website from the Software Library. This is a role introduced in
service point Configuration Manager 2012.
Application An Application Catalog website point provides users with a list of available
Catalog website software. This is a role introduced in Configuration Manager 2012.
point
Asset Intelligence An Asset Intelligence synchronization point connects to System Center Online to
synchronization download Asset Intelligence catalog information. It can also upload uncategorized
point titles that the administrator selected previously for inclusion in the catalog.
Certificate A certificate registration point connects to a server running Network Device

registration point Enrollment Service and manages certificate requests from devices that use the
Simple Certificate Enrollment Protocol (SCEP).
Endpoint An Endpoint Protection point provides the ability to manage malware and
Protection point Windows Firewall remediation for System Center 2012 Endpoint Protection.
Enrollment point An enrollment point uses public key infrastructure (PKI) certificates to complete
mobile device enrollment and provision computers that are running Active
Management Technology (AMT). This is a role introduced in Configuration
Manager 2012.
Enrollment proxy An enrollment proxy point manages enrollment requests from mobile devices so
point that Configuration Manager can manage them. This is a role introduced in
Configuration Manager 2012.
Fallback status A fallback status point helps you monitor client installation and identify the clients
point that are unmanaged because they cannot communicate with their management
point.
Out of band An out of band service point provisions and configures AMT-based computers for
service point out-of-band management.
Reporting A reporting services point integrates with SQL Server Reporting Services to create
services point and run reports for Configuration Manager.
Software update A software update point manages Windows Server Update Services (WSUS) in
point order to synchronize the software update metadata from a configured source,
such as Microsoft Update, and make the data available to Configuration Manager.
State migration A state migration point stores user state data when a computer is migrated to a
point new operating system.
System Health A System Health Validator point validates Configuration Manager Network Access
Validator point Protection (NAP) policies. You must install this site system role on a NAP health
policy server.
Windows Intune A Windows Intune connector manages mobile devices through a Windows Intune
connector subscription.
Planning the Site Database

The site database role hosts the Configuration
Manager database.
Planning Considerations for the Site

Database
When you are planning your site database role,
you should consider that:
• The site database server must be running one

of the following:
o SQL Server 2008 Service Pack 2 (SP2) with

Cumulative Update 9 or newer
o SQL Server 2008 Service Pack 3 (SP3) with Cumulative Update 4 or newer
o SQL Server 2008 R2 SP1 and Cumulative Update 6 or newer
o SQL Server 2008 R2 SP2 or newer

o SQL Server 2012 or newer
o SQL Server 2012 SP1 or newer
• The site database server can use the Standard or Enterprise version of SQL Server 2008, SQL Server
2008 R2, or SQL Server 2012. When planning the site database, the relevant differences between the
Enterprise edition of SQL Server and the Standard edition include that the Enterprise edition:
o Supports up to 400,000 clients in the hierarchy. The Standard edition supports a maximum of
50,000 in the hierarchy.
o Supports more than four sockets or 16 processor cores.
o Supports more than 64 gigabytes (GB) random access memory (RAM).
o Supports more than two AlwaysOn Failover Cluster instances.
o Supports AlwaysOn Availability Groups.
• Secondary sites use SQL Server Express 2008 R2 with SP1 and Cumulative Update 4 by default, but
you can configure them to use Standard or Enterprise editions, as well.
• The site database role can use a default instance or a named instance of SQL Server. It is possible to
use the same SQL Server to host databases for multiple sites. However, each Configuration Manager
site requires a unique instance of SQL Server.
• You can configure the SQL Server service by using a domain user account or the local system account
of the computer that is running SQL Server. Using a domain user account as the SQL Server service
account is a best practice. However, you must manually register the service principle name (SPN) for
the account.
Site Database Placement

At a central administration site and at primary sites, you can collocate the database server on the site
server or place it on a remote server. At secondary sites, the database server is always collocated on the
If you use a remote database-server computer, ensure that the network connection between the site
server and site database is a high-availability, high-bandwidth network connection. This is necessary
because the site server and some site system roles must constantly communicate with the SQL Server
that is hosting the site database.
When you are planning to install the site database on a remote server, you should consider that:
• The amount of bandwidth required for communications to the database server depends upon a
combination of many different site and client configurations. Therefore, the actual bandwidth
required cannot be predicted accurately.
• Each computer that runs the SMS Provider and that connects to the site database increases network
bandwidth requirements.
• The computer that runs SQL Server must be in a domain that has a two-way trust with the site server
and all computers that are running the SMS Provider.
• You cannot use a clustered SQL Server for the site database server when the site database is
collocated with the site server.
Planning the Site Server Role

When you install a Configuration Manager site,
several roles are installed by default, and they
provide the site’s core functionality.
The Configuration Manager roles installed on a

server during the Configuration Manager Setup
process are:
• Site server. The site server role provides core

functionality for a Configuration Manager
site. When you install Configuration Manager
on the first server in a site, the site server
role installs automatically. There are no
configurable properties for the site server
role.
• Component server. You can install the component server role on any site system that runs the SMS
Executive service. All Configuration Manager components, except the distribution point role, use the
SMS Executive service. There are no configurable properties for the component server role.
• Site system. You can install the site system role on any server that hosts a Configuration Manager
role. When you install a site role on a server from the Configuration Manager console, the site server
connects remotely to that computer, configures it as a site system, and then installs the site role that
you requested. The site system role includes the following configuration options:
o Specify an FQDN for this site system for use on the Internet. If the roles that this server supports
are going to be accessible from the Internet, you must configure an Internet fully qualified
domain Name (FQDN). However, the intranet FQDN is configured automatically during the
installation of the Configuration Manager server.
o Require the site server to initiate connections to this site system. When you choose this option,
you also must configure the site system installation account. This option is useful when the site
system is in a perimeter network and security policies will not allow it to initiate communication
with the internal network.
o Site System Installation Account. This setting allows you to configure the account that the site
server uses to install this site system role. By default, the site server computer account is used.
o Active Directory membership. This setting allows you to configure the Active Directory forest and
domain FQDNs that the site system is a member of.
Design Considerations
The site server role installs automatically when you install a central administration site or primary site. It
installs on the server from which you run Configuration Manager Setup. When you install a secondary site
by using the Configuration Manager console, the site server role is installed on the server that you specify
as the secondary site server. You cannot move the site server role to another server without reinstalling
the site.
Because the site server is a critical component in a Configuration Manager implementation, you must
ensure that you can recover your site server configuration if a server loss or malfunction occurs. You
achieve this by configuring the site backup task to back up the site server. For more information and
details about how to configure site maintenance tasks, including the backup task, refer to Module 7.
Planning the SMS Provider Role

The SMS Provider manages read and write access
to the Configuration Manager databases in
primary and central administration sites.
There must be at least one SMS Provider in each
primary site and at least one SMS Provider in
the central administration site. When you install a
site, an SMS Provider for that site also installs by
default. You can deploy multiple SMS Providers
in a site. If there is only one SMS Provider at a
site and the server that hosts the SMS Provider
is offline, you will be unable to access the site
database by using the Configuration Manager console. However, you can view the locations of all SMS
Providers installed at a site, on the General tab of the Site Properties dialog box in the Configuration
Manager console.
The server that hosts the SMS Provider must meet the following prerequisites:
• The server must be part of the same Active Directory forest as the servers that host the site server and
site system roles for the site database.
• The server cannot host site system roles from different sites or an existing SMS Provider.
• The server must have enough free space to support the installation of Windows Assessment and
Deployment Kit (Windows ADK) components if you are deploying System Center 2012 Configuration
Manager with Service Pack 1 or System Center 2012 R2 Configuration Manager. If you are deploying
System Center 2012 Configuration Manager, there must be sufficient space for deployment of
Windows AIK components.
• The Configuration Manager console and any site systems that interact with the site database access
the database through the SMS Provider.
• You specify the SMS Provider location during site installation. By default, the SMS provider is located
on the Configuration Manager site server.
• You can relocate the SMS provider by using the Configuration Manager site maintenance action from
the Configuration Manager Setup program.
Beyond ensuring that the role is highly available, you should deploy multiple SMS Providers to a site
under the following conditions:
• The site has a large number of administrative users who use the Configuration Manager console
concurrently.
• Your organization is using the Configuration Manager Software Development Kit (SDK) or any other
products that perform frequent calls to the SMS provider.
SMS Provider Placement

When you install a site, the installation automatically installs the first SMS Provider for the site. You can
specify any of the following supported locations for the SMS Provider:
• The site server computer.
• The site database computer.

• Any other computer that does not hold an SMS Provider.
Planning the Management Point Role

The management point provides policy and
content location information to Configuration
Manager clients. Each client that you assign to a
site locates the management point for that site,
connects to it to download policy, and then sends
the collected information, such as hardware
inventory, and task results to the site server. It
then implements the management point as a web
service, which Internet Information Services (IIS)
hosts.
Note: In Configuration Manager 2007, you

can configure management points to use network load balancing (NLB) for high availability.
Management points in Configuration Manager 2012 do not support the use of NLB.
When planning for management points, consider the following:
• Each primary and secondary site must contain at least one management point.
• Secondary sites do not support more than one management point, and you install them on the site
server. You cannot move them to another server. Secondary site management points cannot support
mobile devices that are enrolled by Configuration Manager.
• To ensure high availability of the management point, you can install multiple management points in
the same primary site.
• You can configure each management point to use either HTTP or HTTPS for client communications.
To use HTTPS, you need to request and install PKI-based certificates.
• By default, clients use the most secure method available for communication. If both are available, a
client will use an HTTPS-configured management point before it will use an HTTP-configured one.
• To manage clients on the Internet, you will need at least one management point that you configure
to use HTTPS. This management point must be accessible from the Internet to manage remote clients.
Planning the Distribution Point Role

You can use the distribution point role to
provide the content necessary for features such
as deployment of applications, software updates,
and operating systems to the Configuration
Manager clients.
The distribution point implements as a web

service that IIS hosts. The clients access the
distribution point to download package files,
operating-system images, applications, or
updates.
Configuration Manager Features

Configuration Manager 2012 has several features that you can use to implement the distribution point,
including the following:
• Distribution points can be configured individually to use HTTP or HTTPS depending on the
capabilities of the clients. If you are managing clients over the Internet, you need at least one
distribution point configured to use HTTPS.
• Distribution points now include the functionality of the PXE service point. To enable this functionality,
you need to install Windows Deployment Services (Windows DS) on the same computer that hosts
the distribution point.
• To control the content distribution, you can create distribution point groups which enable you to
manage content on multiple distribution points as a single entity.
• Distribution points now include the option to perform content validation to verify the status of the
content replicated from the site server or from other distribution points. This option is not enabled by
default.
• Distribution points can be associated with one or more boundary groups, so you can configure which
clients can access content from the distribution point.
• Distribution points that are not site servers have settings for bandwidth throttling and scheduling the
transfer of content so you can control network traffic.
• Distribution points now use a single instance store, and they put into effect the concept of a content
library.
When you are planning distribution points, consider these factors:
• Place a distribution point close to the clients it will serve. For example, place one on the same high-
speed network segment.
• Deploy multiple distribution points if you frequently use features such as software distribution,
software update management, and operating-system deployment.
• Install distribution points on desktop operating systems and on 32-bit systems.

System Center 2012 R2 Configuration Manager supports distribution points that Windows Azure hosts.
Windows Azure distribution points simplify the deployment of content to clients that may not be located
on the organizational network, because these clients can connect to the cloud-hosted distribution point.
You must have a Windows Azure account to deploy a Windows Azure distribution point.
You will learn more about distribution points in Module 5.

Lesson 3
Overview of the Configuration Manager Optional Site
System Roles
Configuration Manager optional site roles provide additional functionality to the site, and you can install
them as necessary.
During the planning and design phase of your Configuration Manager implementation, you need to
identify the necessary roles, functionality, and capacity requirements. This lesson describes the basic
functionality of the optional site system roles, as well as planning and design considerations for these
optional roles.
Lesson Objectives
After completing this lesson, you will be able to plan the placement of the following optional site roles:
• Application Catalog web service point

• Application Catalog website point
• Asset Intelligence synchronization point
• Certificate registration point

• Endpoint protection point
• Enrollment point
• Enrollment proxy point

• Fallback status point
• Out of band service point
• Reporting services point

• Software update point
• State migration point
• System Health Validator point
• Windows Intune connector
Planning for Reporting Services

The reporting services point is a site system that
you install on a server that is running Microsoft
SQL Server Reporting Services (SSRS), which
provides advanced reporting capabilities and
rich authoring tools for building reports.
You can run reports from the Configuration

Manager console or directly from the reporting
services point website, and then you can save
them in a variety of formats. In addition to
running reports manually, the reporting services
point supports report subscriptions, which are
recurring requests to deliver reports at specific times or in response to events. In the subscription, you can
specify the application file format of the report.
When you are planning for the reporting services points, consider the following:
• You must install the reporting services point on a computer that is running SQL Server Reporting
Services that is the same version as the site database.
• Each SSRS instance can support one site only.
• You can install multiple reporting services points in your hierarchy.
• If you install a reporting services point in a primary site, the reports show the data collected from that
site. However, reports that you run in the central administration site, on a reporting services point in
the central administration site, return data collected from the entire hierarchy.
Planning Roles for Client Management

Performing client management requires a number
of roles. The roles that you deploy for client
management include the:

• Windows Intune connector
• Out of band service point
Fallback Status Point

A fallback status point is a hierarchy-wide role that monitors client deployment activity and identifies
clients that are unmanaged because they cannot communicate with a management point. Mobile devices
do not use a fallback status point.
When planning for a fallback status point, consider the following:
• You need to install a fallback status point if you want client computers to report installation failures,
particularly when they cannot communicate with a management point.
• You need to install a fallback status point if you want to use the client deployment reports. These
reports depend on information sent to the fallback status point.
• You can use a dedicated server to host the fallback status point and have additional security measures
in place to help protect against attack.
Enrollment Point and Enrollment Proxy Point

You can use Configuration Manager to manage mobile devices. There are multiple methods you can use
for managing mobile devices, including that you can use:
• Exchange Connector to manage mobile devices through the Exchange ActiveSync® protocol.
• The Configuration Manager mobile client to provide richer hardware inventory, settings
management, and software deployment. Configuration Manager uses the enrollment point and the
enrollment proxy point to provide depth management for supported mobile devices. Configuration
Manager can use in-depth management to manage mobile devices that are running a supported
Windows Mobile operating system or Nokia Symbian devices. The enrollment point roles also support
AMT devices.
• The Windows Intune connector through a Windows Intune subscription to manage devices running
iOS, Android, Windows Phone 8, or Mac OS X.
The enrollment point roles work together to provide the depth-management functionality through the
use of an:
• Enrollment point. This role uses PKI certificates to complete the enrollment of mobile devices and
AMT-capable computers (for out-of-band management) by Configuration Manager.
• Enrollment proxy point. Mobile devices connect to this role to submit client-installation requests and
download the client. Enrollment requests are sent to the Enrollment point for completion.
When planning for mobile device management, consider the following:
• The enrollment point role is a site-wide role. Additionally, the enrollment proxy point is typically
accessed from the Internet, so you should place it in a perimeter network or publish it through a
firewall.
• Light management provides basic management functionality and uses the Exchange connector.
• Depth management installs a client and provides additional management features.
• You must use depth management if you require:
o Customizable mobile device hardware inventory.

o The ability to specify mobile device settings.
o The ability to deploy software.
Windows Intune Connector

The Windows Intune connector is a site system role that you can use to connect the Configuration
Manager infrastructure and a Windows Intune subscription. You must deploy this role in conjunction
with a connection to an existing Windows Intune subscription that you configure to synchronize with
on-premises AD DS.
Out of Band Service Point

Out of band management lets an administrative user connect to a supported computer's AMT
management controller when the computer is turned off or is in hibernation, or the operating system is
otherwise unresponsive. In these situations, administrative users can manage these computers without
requiring local access to the computer.
Typical out of band management tasks include:
• Powering on one or more computers.
• Powering off unresponsive computers.
• Enabling and disabling AMT audit logging.
When planning for the out of band service point, consider the following:
• Client systems must have the Intel vPro chipset and a supported version of the AMT.
• You must use the following certificates for out of band management:
o An AMT provisioning certificate on the out of band service point. This allows configuration of
computers for out of band management.
o A web servicer certificate on the enrollment point. This provides secure communication with the
out of band service point during the provisioning process.
o Client certificates. This is necessary when you use 802.1X authentication.
You can use an audit log on the AMT-based computers to record out of band activity and to make it
auditable.
Planning Roles for Software Updates

The central administration site and all primary
child sites must have an active software update
point for you to deploy software updates to all
clients. When planning the infrastructure for
software update points, you need to determine
which server should be the active software update
point for the site. You also need to decide if the
software update point will be collocated with
the site server or installed on a remote server.
Additionally, you need to determine which sites
require an Internet-based software update point.
Finally, you need to decide if you need an active
software update point in any secondary sites.
When planning the infrastructure for software update points, you should consider that:
• You must install the software update point on a server that is hosting WSUS 3.0.
• You can install a software update point in every site.
• By default, the software update point at the central administration site (or at the stand-alone primary
site) synchronizes with Microsoft Update.
• By default, the software update points installed in child sites synchronize with their parent site.
• You should schedule the synchronizations for a time frame that is suitable for your environment.
Planning Roles for Endpoint Protection

The Endpoint Protection point role is required
before you can enable Endpoint Protection in
Configuration Manager. The Endpoint Protection
point sends information collected by the Endpoint
Protection clients to the Microsoft Active
Protection Service. This information is used to
update the definitions that identify harmful
software. During the installation of the Endpoint
Protection point, you must accept a separate
license agreement.
When planning for the Endpoint Protection point,
consider the following:
• You can install the Endpoint Protection point in the Central Administration site or in a stand-alone
primary site.
• You must install an Endpoint Protection point before you can begin to use and manage System
Center Endpoint Protection.
• You can choose one of three levels of membership with the Microsoft Active Protection Service:
o Nonparticipating. The Endpoint Protection point sends no information to Microsoft. Users will be
alerted only about unclassified software.
o Basic membership. The Endpoint Protection point sends basic information about detected
software to the Microsoft Active Protection Service.
o Full membership. Endpoint protection will alert users about unclassified software. In addition
to the basic information, the Endpoint Protection point sends more detailed information to the
Microsoft Active Protection Service about software that the Endpoint Protection client detects.
Planning Roles for Application Management

The Application Catalog enables users to select
and install applications automatically by placing
requests in a portal, which can be approved for
installation, or if specially configured, allow
installation to occur.
You can implement the Application Catalog by

using the following two site roles:
• Application catalog web service point. This

role provides software information from
the software library. As an administrator,
you configure this information for each
application that publishes in the catalog.
• Application catalog website point. This role is the web interface for end users. Users can use this
portal to see the list of available applications, as well as to request and install applications.
When planning for the Application Catalog, you should consider that:
• The Application Catalog is a hierarchy-wide role. Typically, in a hierarchy with multiple primary sites,
you install one instance of each role, although multiple instances are supported.
• You cannot install the Application Catalog in a secondary site or on a central administration site.
• The Application Catalog allows users to install deployed applications or to request available
applications, which will deploy after approval.
• The Application Catalog allows users to configure some preferences and wipe their mobile devices
that are being managed through Configuration Manager.
• The Application Catalog supports integration with Microsoft SharePoint®.
Asset Intelligence Synchronization Point

You can use the Asset Intelligence synchronization point to connect to System Center Online (over HTTPS)
to download updates to Asset Intelligence catalog information. Configuration Manager supports only a
single instance of this site system role at the top-level site in a hierarchy. Asset Intelligence catalog
information is replicated to all primary sites.
When planning for the Asset intelligence Synchronization point, you should consider that:
• You can install the asset intelligence synchronization point only at the top-level site in the hierarchy.
• The asset intelligence synchronization point must be able to make an Internet connection over HTTPS
to System Center online.
• Microsoft treats unidentified software title information that uploads to System Center Online for
categorization as public information.
Planning Roles for Operating System Deployment

The state migration point stores user state
data remotely when performing certain types
of operating-system deployments by using
Configuration Manager. You must store the user
state data remotely on the state migration point
when you use a side-by-side deployment.
However, when you are using the same computer,
such as an update deployment where you are
updating the operating system on the destination
computer, you can store the data locally or on
the state migration point. For some computer
deployments, when you create the state store,
Configuration Manager automatically creates an association between the state store and the destination
computer.
The state migration point requires that IIS.
When planning for the state migration point, you should consider:
• User state size. You need to plan for enough storage space to store the migration data.
• Retention policy. You need to determine how long you will retain the migration data.
• Drives. You can use one or more drives on the site system for storing migration data.
Planning Roles for Securing the Configuration Manager Infrastructure

You deploy the Certificate registration point
when you want to allow devices to request
and receive certificates from an organizational
certification authority. The Certificate registration
point role communicates with a server that has
the Network Device Enrollment Service installed.
The Network Device Enrollment Service is a special
service that communicates with a certification
authority and allows devices that support SCEP to
request and receive certificates. When you deploy
the Certificate registration point, this site service
mediates device certificate requests and
deployment to devices that support SCEP.
Overview of Role Placement

Depending on the site type, you can install
only certain site system roles in a site. In a single
primary site hierarchy, you can install all roles on
the primary site server. When using a multiple
primary site hierarchy, there are some limits to
where you can place roles and the number of
instances of each role.
For example, a central administration site does

not have any assigned clients. Because of this, you
cannot install any of the roles involved in client
management, such as the management point and
distribution point, in a central administration site.
If you are planning a complex hierarchy with a central administration site and multiple primary and
secondary sites, you should consider that:
• Some roles provide functionality for their local site only.
• Some roles provide functionality for the entire hierarchy.
• When installing software update points in a multiple primary site hierarchy, install the software
update point in the central administration site first.
• In a secondary site, only the distribution point is supported on a remote system.

The following table shows the site system roles that you can install in the different site types.
Central Child
Secondary Site-specific or hierarchy-
Site system role administration primary
site wide functionality
site site
Application Catalog No Yes No Hierarchy

web service point
Application Catalog No Yes No Hierarchy

website point
Asset Intelligence Yes No No Hierarchy, only one

synchronization point instance per hierarchy
Certificate registration Yes Yes No Hierarchy

point
Distribution point No Yes Yes Site, multiple instances

supported per site and
hierarchy
Endpoint Protection Yes No No Hierarchy

point
Enrollment point No Yes No Site
Enrollment proxy point No Yes No Site
Fallback status point No Yes No Hierarchy

Central Child
Secondary Site-specific or hierarchy-
Site system role administration primary
site wide functionality
site site
Management point No No Yes Yes
Out of band service No Yes No Site

point
Reporting services Yes Yes Yes, Hierarchy, multiple

point instances supported per
site and hierarchy
Software update point Yes Yes Yes Site, one per site, multiple
in hierarchy
State migration point No Yes No Site, multiple instances

supported per site and
hierarchy
System Health Yes Yes No Hierarchy, multiple

Validator point instances supported per
site and hierarchy
Windows Intune Yes No No Hierarchy

connector
Lesson 4
Overview of Configuration Manager Deployment
Scenarios
One of the first questions you may ask yourself when you design a Configuration Manager
implementation is whether to use a single primary site or multiple sites in a hierarchy.
To help you answer this question, in this lesson you will examine different implementation scenarios and
compare the advantages and disadvantages of each. You will also develop a set of design criteria that you
can use to choose the most appropriate implementation model for your organization.
Lesson Objectives
• Identify the deployment scenario most appropriate to your organization.
• Determine when to use a single primary site.
• Determine when to use a central administration site and multiple primary sites.
• Identify the need to use secondary sites or a distribution point instead of a site in a remote location.
• Describe a typical implementation scenario of Configuration Manager for a small-to-medium size

organization, for a medium-to-large size organization, and for a global organization.
Determining When to Use a Primary Site

You need to install at least one Configuration
Manager primary site to be able to manage any
clients. Primary sites provide core functionality to
your Configuration Manager implementation.
The following are some of the reasons for
installing a primary site:
• To directly manage clients. Only a primary site

can have clients assigned to it.
• To scale up the number of clients to manage.

Each primary site can support up to 50,000
clients if SQL Server is collocated with
Configuration Manager, or 100,000 clients if SQL Server and Configuration Manager are on separate
servers.
• To reduce the effect of failure of a single primary site. This prevents all clients from being affected
while the site is recovered.
• To provide a local point of connectivity for administration. The Configuration Manager console can
connect only to a primary site or central administration site. When using the Configuration Manager
console from a computer that is running a client operating system, ensure that the client computer
has reliable high speed access to a primary or central administration site.
• To manage content independently and meet organizational management requirements. For example,
the organization may have a specific requirement that a different team of administrators manage
clients from a given location, such as management occurring within national borders. To meet this
requirement, you can install another primary site and offer a local point of connectivity.
The following are some of the characteristics of a primary site:
• A primary site can be either a stand-alone primary site or a member of a hierarchy.
• A primary site supports a central administration site as a parent site. Primary sites cannot have
another primary site as a parent, as was the case in Configuration Manager 2007 and older versions.
• A primary site supports secondary sites as child sites.
• With System Center 2012 Configuration Manager, a primary site cannot change its parent site
relationship after installation. With System Center 2012 Configuration Manager with SP1, you can join
a primary site to a new central administration site after deployment.
• The client-originated data processing occurs only at the primary site to which the clients are assigned.
If the primary site is the child of a central administration site, the data will then be replicated to the
central administration site.
• When you install a primary site in a hierarchy, database replication is automatically configured with its
designated central administration site.
• You can install all site system roles on a stand-alone primary site, but not on all primary sites that are
part of a hierarchy.
Determining When to Use a Central Administration Site

A central administration site is necessary if you
need to install multiple primary sites and perform
consolidated management and reporting of data
from all sites. You can use a central administration
site to configure hierarchy-wide settings and to
monitor all sites and objects in the hierarchy.
This site type does not manage clients directly.
However, you can use it to perform hierarchy-
wide management, which includes the
configuration of sites and clients settings
throughout the hierarchy.
Planning a Central Administration Site

Use the following information to help you plan for a central administration site:
• The central administration site is the top-level site in a hierarchy. If your initial plans for a hierarchy
that has more than one primary site, you must install a central administration site.
• When using a central administration site with SQL Server Enterprise edition, the hierarchy can contain
up to 400,000 clients.
• When you use SQL Server Standard edition for the site database at the central administration site, the
shared database and hierarchy support up to 50,000 clients. This is due to the partitioning of the
database. After you install Configuration Manager, if you upgrade the edition of SQL Server at the
central administration site from Standard to Enterprise, the database does not repartition and this
limitation remains.
• The central administration site:

o Supports up to 25 primary sites as child sites.
o Cannot have clients assigned to it.

o Does not support all site system roles.
o Is the only place where you can see site data from all sites. This data includes information such as
inventory data and status messages.
o Enables you to connect with the Configuration Manager console to manage all clients in the
hierarchy and perform site management tasks for any primary site.
o Enables you to configure discovery method options for each site in the hierarchy.
Determining When to Use a Secondary Site

You can use secondary sites to manage multiple
clients in remote locations. You can manage a
secondary site from a central administration site
or from the secondary site’s parent primary site.
Consider using a secondary site:
• When the location does not have a local

administrator.
• To manage the transfer of upward-flowing
client data across low-bandwidth networks.
The following are some of the characteristics of

secondary sites:
• Secondary sites are installed from a primary site. The primary site is the secondary site’s parent. You
cannot change the parent of a secondary site without uninstalling and reinstalling the site.
• They use SQL Server Express by default; however, they can use a local instance of SQL Server if one is
available.
• They use file-based replication to receive deployment content transferred from a primary site.
• They use database replication to receive a subset of global data from the parent primary site.
• They use file-based replication to transfer client information to the parent primary site.
• They can route content between peer secondary sites to help manage the replication of deployment
content if the two secondary sites have the same parent site.
• Installation automatically deploys a management point and distribution point that are located on the
• A primary site can support up to 250 secondary sites as child sites.
• A secondary site can support up to 5,000 clients.

Implementing Configuration Manager 2012 for a Small-to-Medium

Organization
The single primary site implementation scenario is
most appropriate for organizations that:
• Have a centralized administration approach in

which a single team administers all systems
from a single location and where political and
regulatory requirements do not necessitate
multiple primary sites.
• Have fewer than 100,000 clients.
Note: A single Configuration Manager

primary site can accommodate up to 50,000
clients, or up to 100,000 clients if the SQL Server and Configuration Manager server are not
collocated. To reach this capacity, you probably need to install additional management points or
secondary sites.
Primary Site Roles

Usually, the following site system roles deploy to a primary site, and you can install them on a single
server or distribute them across multiple servers for scalability. Mandatory roles include:
• Site server. The site server is the first server installed. In a small-to-medium organization scenario, the
site server typically is the only server on which site system roles are installed by the Configuration
Manager Setup Wizard.
• Site database. A site database is installed on the same server as the site server, or you can install it on
a separate server to increase the site scalability.
• Management point. The management point serves as a point of communication between the
Configuration Manager clients and the site server. Primary sites must have at least one management
point deployed to manage clients.
• Distribution point. Distribution points distribute content and prerequisites needed for deployments.
You can deploy other roles, depending on the features that you require. Typical roles may include:
• Reporting services point. This role provides you with the ability to generate reports and export them
in various formats.
• Software update point. This role provides you with the ability to synchronize the software update
metadata from Microsoft Update and make it available to Configuration Manager.
• Fallback status point. This role allows clients to send state messages to the fallback status point, which
forwards them to the site server. For example, this would occur if they cannot connect to a
management point.
Other roles commonly installed in a single primary site include the:
• Application Catalog web service point
• Endpoint Protection point

Question: What other roles do you typically use in your organization?
Implementing Configuration Manager 2012 for a Medium-to-Large

Organization
In larger organizations with multiple remote
locations and a large number of users, you may
need to scale out the Configuration Manager
deployment without necessarily adding additional
primary sites. You may need to scale out if:
• You have fewer than 100,000 clients but more

than 50,000 clients. Your SQL database must
be located on a dedicated server other than
the Configuration Manager server.
• Your client count grows. You then must

consider that each management point can
support approximately 25,000 clients, and you
can use multiple management points in a single site for scalability.
• You need to manage the bandwidth between the primary site location and remote locations. In this
scenario, you can install secondary sites or remote distribution points.
Secondary Site
A secondary site includes a management point and distribution point. You can use a secondary site to:
• Offload the client communication from the primary site when clients are in a remote location and
network connections are slow.
• Provide tiered content routing for deep network topologies.
Distribution Point
You can choose to install only a distribution point instead of a secondary site when:
• You have a small number of clients in the remote location.
• You do not have a server available in the remote location. A computer running 64-bit version of
Windows Server 2008, 2008 R2, 2012, or 2012 R2 is required to run the secondary site, while you also
can install a distribution point on 32-bit servers and workstations that can support the IIS role.
• You do not need to control client-to-management point traffic from the remote location to the
primary site.
Implementing Configuration Manager 2012 for a Global Organization

Global organizations have a large number of
clients distributed across multiple locations
worldwide, with multiple administration teams
and different administrative requirements. To
accommodate these types of scenarios, you can
implement Configuration Manager 2012 by using
multiple primary sites in a hierarchy.
Multiple Sites in a Hierarchy

Using multiple sites in a hierarchy is a more
complex model to implement and it requires
additional servers to host the site systems
roles. Before deciding to use multiple sites in a
hierarchy, you need to analyze your environment and determine if a single primary site can meet your
requirements.
You should use this implementation scenario if you have:
• More clients than you can manage by using a single primary site. A single primary site can support up
to 100,000 clients, while a hierarchy can accommodate up to 400,000 clients.
• Multiple administrative teams that need to manage their own locations.
• More than 250 of remote locations requiring secondary sites or remote locations with more than
5,000 clients.
• Export regulations on content.
Question: What type of organizations would use the multiple sites in a hierarchy model?
Discussion: Determining When to Use a Stand-Alone Primary Site or a

Hierarchy
Use these discussion questions to help you plan
a Configuration Manager installation, including
when to use a single primary site or a complex
hierarchy.
Discussion Questions
• How many clients do you need to manage?
• How will the existing network infrastructure
influence your Configuration Manager
design?
• What are your business requirements for

using Configuration Manager?
• How many locations do you need to support?

• Do you need to manage the clients locally?
• Are restrictions in place that control how client information transfers across borders?
Lesson 5
Overview of the Configuration Manager Client
To perform management tasks on client computers, the Configuration Manager client application
is installed on client computers. The term client is often used to refer to either of the following:
• The computer that Configuration Manager manages.

• The Configuration Manager client software.
Understanding Configuration Manager client architecture and prerequisites helps you design your
Configuration Manager implementation.
Lesson Objectives
• Describe the Configuration Manager client functionality.

• Describe the types of clients supported in System Center 2012 R2 Configuration Manager.
• Describe the Configuration Manager client architecture.

• Explain how Configuration Manager clients locate site systems.
Role of the Configuration Manager Client

The Configuration Manager client has multiple
features, corresponding to the Configuration
Manager functionalities that are implemented
by using client components. For example, the
hardware inventory agent collects hardware
data according to a scheduled interval and then
sends data to the site database through the
management point. The administrator enables
or disables each client component individually
by using client settings.
The Configuration Manager client:
• Connects to the management point

according to a scheduled interval (the default is 60 minutes) and on demand, and then downloads
and processes any policies applicable to the client.
• Performs hardware and software inventory and metering according to a scheduled interval and on
demand, and then sends the collected data through the management point to the site server.
• Downloads the content of packages and applications from the distribution point, and then installs
software and updates.
• Executes the task sequences that the administrator assigns to that computer by using the Operating
System Deployment feature.
• Collects compliance results data specified in configuration baselines and sends the results to the
site server through the management point. If the computer is not compliant, depending on the
configuration item, the client can also execute remediation actions to make it compliant, as long as
content is not required to bring the client into compliance.
• Allows administrators to connect to remote computers by using remote tools or the Remote
Assistance feature, to support end users.
• Performs health validation that is used in conjunction with NAP.

• Installs the Endpoint Protection client when Endpoint Protection is enabled and an Endpoint
Protection role is installed in the hierarchy.
Client Types Supported by System Center 2012 R2 Configuration Manager

You can deploy the System Center 2012 R2
Configuration Manager client to operating
systems other than Windows and Windows Server.
You can install the System Center 2012 R2
Configuration Manager client on the following
operating systems:
• Windows XP (not supported after April 2014)

• Windows Vista®
• Windows 7
• Windows 8
• Windows 8.1
• Windows Server 2003
• Mac OS X 10.6
• Mac OS X 10.7
• Mac OS X 10.8
• AIX Version 7.1, 6.1, 5.3
• Solaris Version 11, 10, 9
• HP-UX Version 11iv2
• HP-UX Version 11iv3
• RHEL Version 4, 5, 6
• SLES 9, 10, 11
• CentOS 5, 6
• Debian 5, 6
• Ubuntu 10.4, 12.4
• Oracle Linux 5, 6
As new revisions of these operating systems become available, new versions of the Configuration
Manager client will likely become available to support them.
Configuration Manager Client Architecture

The Configuration Manager client consists of
many components that together provide all the
functionality in Configuration Manager. Although
the client installs most of the components during
the initial installation, the installed components
are not all enabled by default; only the Endpoint
Protection client is not installed by default.
When planning your Configuration Manager
deployment you must consider the functionality
that you need and configure the client settings
appropriately.
The Configuration Manager client uses some

built-in Windows components and some additional run-time components. In addition to the specific
Configuration Manager components, the Configuration Manager client for computers running Windows
will also use the components in the following table.
Windows component or
Use
run-time module
Windows Management WMI is the infrastructure for management data and operations on
Instrumentation (WMI) Windows-based operating systems.
Windows Installer Supports the use of Windows Installer (.msi) and Windows Installer
update files (.msp) for installing and updating applications.
Windows Update Agent Supports update detection and deployment.
Microsoft Core XML Services Supports the use of Windows Installer (.msi) and Windows Installer
(MSXML) update files (.msp) for installing and updating applications.
Microsoft Remote Differential Used to optimize data transmission over the network.
Compression (RDC)
Microsoft Visual C++® 2008 Supports client operations.

Redistributable
Microsoft Visual C++ 2005 Supports Microsoft SQL Server Compact operations.
Redistributable
Windows Imaging APIs Allows Configuration Manager to manage Windows image (.wim)
files.
Microsoft Policy Platform Allows clients to evaluate compliance settings.
Microsoft Silverlight® Supports the Application Catalog website.
Microsoft .NET Framework 4 Supports client operations.
Microsoft SQL Server Compact Stores information related to client operations.

3.5 SP2 components
Microsoft Background Intelligent Allows throttled data transfers between the client computer and
Transfer Service (BITS) version 2.5 the Configuration Manager site systems.
You can view the client components and their status on the Components tab in the Configuration
Manager client for computers running Windows. The following table describes the components that are
installed when the client is installed.
Component Overview
Core Configuration Manager Several different components that are used for core functionality and
Components that show only a status of installed or not installed:
• CCM Framework
• CCM Policy Agent
• CCM Status and Eventing Agent
• Core Components, Maintenance Task Coordinator
• Operating System Deployment Components
• Shared Components and Task Sequence Components
Compliance and Settings Performs compliance and settings tasks.

Management
Hardware Inventory Agent Uses WMI to collect inventory information as configured in the client
settings.
Out of Band Management Allows out of band management for AMT-based computers.
Agent
Power Management Agent Applies power management settings configured for collections in
Configuration Manager.
Remote Tools Agent Manages the Remote Control and Remote Assistance settings for the
client computers.
Software Distribution Agent Manages the deployment of programs and applications to client
devices.
Software Inventory Agent Performs the software inventory as configured in the client settings.
Software Metering Agent Tracks software usage on the client computer.
Software Updates Agent Interacts with the software update point to detect which software
updates are needed on the client computer and interacts with the
management point and distribution point to install those updates.
Source List Update Agent Contacts a management point and retrieves the location for
downloading deployed content.
The Configuration Manager client for Mac OS X computers has components that support the following
features:
• Hardware inventory. You can use hardware inventory data collected from Mac computers to create
collections, reports, and queries. You can also use Resource Explorer to view hardware inventory data
for Mac OS X computers.
• Software deployment. You can use Configuration Manager to deploy software packaged in the
following formats to Mac computers:
o Mac OS Installer Package (.PKG)

o Mac OS X Application (.APP)
o Apple Disk Image (.DMG)
o Meta Package File (.MPKG)
• Compliance settings. Configuration Manager supports the use of Mac OS X Preference settings (.plist
files) to enforce the configuration of different elements on Mac computers, or shell scripts to monitor
and remediate settings.
The Configuration Manager client for Linux-based and UNIX-based computers has components that
support the following features:
• Hardware inventory. You can use hardware inventory data collected from Linux and UNIX computers
to create collections, reports, and queries. You can also use Resource Explorer to view hardware
inventory data for Linux-based and UNIX-based computers.
• Software deployment. You can use Configuration Manager to deploy software to Linux-based and
UNIX-based computers by using packages and programs. Software deployment on Linux-based and
UNIX-based computers by using Configuration Manager does not support any kind of user
interaction.
How Clients Locate Site Systems

Client systems communicate to Configuration
Manager through one of two types of
management points: Internet-based management
points or intranet management points. If clients
are unable to communicate with a management
point, they send a message to a fallback status
point, if configured. However, they cannot
retrieve policy without communicating with a
management point.
Because of this, it is imperative that clients

locate and communicate with a management
point for the site that they are assigned to. Clients
communicate to the management point through either HTTP or HTTPS; therefore, any intervening
firewalls must allow the traffic. There are several methods for the client to locate a management point. It
is preferable to use AD DS because, besides providing the location of the management point, AD DS can
also update the communication settings for the clients. For example, if the communication ports change,
the client could retrieve this information from AD DS before attempting to communicate. Clients use the
following methods, in the order listed, to locate site systems.
AD DS
AD DS is the preferred method for clients to locate site systems. To use this method, you must ensure that
you meet the following prerequisites:
• You must extend the Active Directory schema for Configuration Manager.
• The Configuration Manager site(s) must publish information to AD DS.

• The client computer must be a member of the Active Directory forest where the information is
published and must have access to a Global Catalog server.
DNS
Clients can use DNS to locate a management point. However, this method has some specific DNS system
requirements. Additionally, if you use this as your primary method for locating management points, the
client will not update automatically if you make changes to the communication ports.
You can use this method for locating site systems if:
• The AD DS schema is not extended to support Configuration Manager.
• Clients on the intranet are located in a forest that is not enabled for Configuration Manager
publishing.
• Clients are on workgroup computers and are not configured for Internet-only client management.
To use this method, the following prerequisites must be met:
• You must assign the clients to a specific site rather than use automatic site assignment.
• You must configure a client property that specifies the domain suffix of the management point.
• Your DNS servers must support service location resource records, by using a version of Berkeley
Internet Name Domain (BIND) that is at least 8.1.2.
• The intranet FQDNs for the Configuration Manager site systems have corresponding host entries
in DNS.
When your DNS servers support automatic updates, you can configure Configuration Manager to
automatically publish management points on the intranet to DNS.
Windows Internet Name Service (WINS)

When other service location mechanisms fail, clients can find an initial management point by checking
WINS.
• The first management point in the primary site that is configured to accept HTTP client connections is
automatically published to WINS.
• When the clients connect to this management point, they download a list of other management
points and can use them for subsequent connections.
If you do not want clients to locate a management point using WINS, configure clients with the
CCMSetup.exe Client.msi property SMSDIRECTORYLOOKUP=NOWINS.
Module Review and Takeaways

Review Questions
Question: What are the major features of Configuration Manager 2012?
Question: What are the three types of sites in Configuration Manager 2012?
Question: What are the new site roles introduced in Configuration Manager 2012?
2-1
Module 2
Planning and Deploying a Stand-Alone Primary Site
Contents:
Module Overview 2-1
Lesson 1: Planning a Configuration Manager Stand-Alone Primary Site

Deployment 2-3
Lesson 2: Preparing to Deploy a Configuration Manager Primary Site 2-7
Lesson 3: Installing a Configuration Manager Site Server 2-21

Lab A: Installing a Configuration Manager Primary Site 2-26
Lesson 4: Performing Post-Setup Configuration Tasks 2-31
Lesson 5: Tools for Monitoring and Troubleshooting a Configuration

ManagerSite 2-38
Lab B: Performing Post-Setup Configuration Tasks 2-43
Module Overview
Planning a Microsoft® System Center 2012 Configuration Manager site deployment is a complex process
that requires numerous inputs, such as:
• Network topology.
• Number of managed clients.

• Desired features.
• Capacity requirements.
Scalability improvements in Configuration Manager 2012 enable a stand-alone primary site to

accommodate infrastructures that have up to 100,000 clients.
In this module, you will review the planning process, inputs, and typical planning activities for deploying
a stand-alone primary site. You also will review prerequisites for installing a site server and related
components, perform and validate the installation of a stand-alone primary site, and perform the initial
site configuration. Finally, you will review the requirements for managing Internet-based clients.
Objectives
• Describe the planning tasks for a Configuration Manager 2012 primary site deployment.
• Identify the preparation steps for deploying Configuration Manager 2012.
• Install a Configuration Manager 2012 primary site.

• Perform post-setup configuration tasks.
2-2 Planning and Deploying a Stand-Alone Primary Site
• Describe the tools that you can use to monitor and troubleshoot a Configuration Manager 2012
installation.
• Describe processes that you can use to manage Internet-based clients.

Lesson 1
Planning a Configuration Manager Stand-Alone Primary
Site Deployment
The design of a System Center 2012 Configuration Manager stand-alone primary site deployment can
vary from a stand-alone server with all required site roles, to more-complex deployments with site roles
that you distribute on multiple servers.
In this lesson, you will review the tasks that the planning process typically involves when you are
deploying a stand-alone primary site. These tasks include determining the site system roles that you
need to deploy, the number of servers necessary for deployment, and your deployment’s prerequisites.
Additionally, you will review Configuration Manager Setup options, examine site code and naming
conventions, and examine the requirements for configuring client communication modes.
Lesson Objectives
• Describe the planning tasks for a Configuration Manager 2012 primary site deployment.
• Describe planning a Configuration Manager 2012 stand-alone primary site deployment.

• Describe naming conventions for sites.
• Describe the client communication modes.
• Discuss planning a Configuration Manager 2012 stand-alone primary-site deployment.
Planning Tasks for a Configuration Manager Deployment

Before deploying Configuration Manager, you
must plan for an architecture that supports your
environment’s technical and business needs. No
matter how simple or complex your environment
is, you can use the following process to plan for a
Configuration Manager deployment:
• Identify your network infrastructure, including

the number of physical locations, subnets,
network connections between locations,
and link speeds. This information helps you
determine the number of primary sites,
secondary sites, and site system roles that you
need to deploy, and the locations for each server and site system role. Work together with your
organization’s Active Directory® administrators to view how many Active Directory sites and subnets
your environment has.
• Determine the number of devices that you must manage, and their locations. A single primary site
can support up to 100,000 clients devices. If you need to manage more devices, you will need more
than one primary site.
• Identify the business requirements for Configuration Manager. Business requirements map to
the different features available in Configuration Manager, which include hardware and software
inventory, software metering, software updates, and operating-system deployment. Review the
business requirements with key stakeholders to get their input as to what features your environment
requires. Depending on the features that you require, you will need different site system roles.
• Identify the structure of your organization’s information technology (IT) department. Some larger
global corporations maintain a very rigid separation of IT groups among geographical locations.
Therefore, you may need to have a different primary site for each of these individual geographies.
Keep in mind that this is a business requirement, not a technical requirement.
• Determine your migration requirements, in case you are moving from Configuration Manager
2007 to Configuration Manager 2012. If your organization has a Configuration Manager 2007
environment, you need to consider whether you need a hierarchy restructure. You also need to
consider migrating each site, and clients to Configuration Manager 2012, and different objects, such
as packages, operating-system images, and collections.
Planning a Stand-Alone Primary Site Deployment
Site System Roles

While you can deploy a primary site on a single
server, you also can move roles or install new roles
onto different servers. When deploying a stand-
alone primary site, the Configuration Manager
setup installs the following site system roles by
default:
• Site server. This is the main system role for
• Site System. This includes any server that

hosts one or more Configuration Manager roles.
• Site database server. This is the Microsoft SQL Server® Database server for Configuration Manager.
• Component server. This is any server that is running the SMS_EXECUTIVE service.
• SMS Provider. This is the interface between the Configuration Manager console and the site database.
• Management point. This is the main communication point for clients.
• Distribution point. This stores content for deployment to clients.
You can install additional roles as necessary. However, before deploying clients, you should install the
fallback status point to help monitor client-deployment issues. You also should install the Reporting
services point so that you can review reports about the site and client-installation progress.
The number of clients that you can manage using a stand-alone primary site depends on the following
site configuration and role placement:
• If the site server and site database roles are collocated on the same server, you can manage up to
50,000 Configuration Manager clients.
• If the site server and site database roles are on different servers, you can manage up to 100,000
Configuration Manager clients.
Multiple Physical Locations

A stand-alone primary site can span multiple physical locations while managing clients across your entire
infrastructure. To get the maximum benefit from your Configuration Manager deployment, while still
using a stand-alone primary site, you can perform the following implementation tasks:
• Install distribution points in locations that have a larger number of clients to reduce wide area
network (WAN) traffic and increase the efficiency of features such as software distribution, software
update management, or operating-system deployment.
• Use role-based administration and security scopes to implement your desired security model, rather
than deploying multiple primary sites to define administrative roles and permissions.
• Place site system roles on separate servers for additional scalability with respect to how many clients
you can manage.
• Configure multiple management points to improve scalability.
Site Naming Conventions

You use site codes and site names to identify sites
in a System Center 2012 Configuration Manager
hierarchy. You configure the site code and site
name when you install Configuration Manager,
and you cannot change them after installation.
Even if you are installing a stand-alone primary

site, you should choose the site code and site
name carefully to avoid future conflicts, such as
in migration scenarios. Consider the following
naming convention guidelines.
A site code:
• Must be a three-character alphanumeric code that uses letters A through Z, numbers 0 through 9, or
combinations of the two.
• Must be unique in a Configuration Manager hierarchy.
• Should not use Microsoft Windows®-reserved names such as AUX, CON, NUL, PRN, or SMS.
A site name:
• Is a friendly name identifier for the site.

• Must be unique in a Configuration Manager hierarchy.
• Uses the standard alphanumeric characters A through Z and a through z, numbers 0 through 9,
spaces, and the hyphen (-).
You use site codes for client assignment, and if you extend your schema, the site servers can publish site
codes in AD DS. This enables clients to determine the site assignment, and then locate the management
point.
If you perform a migration from Configuration Manager 2007 to Configuration Manager 2012 R2, you
cannot reuse site codes because they must be unique in the source and destination hierarchies. For
more details, please review the migration topics in “Module 9: Migrating to System Center 2012 R2
Configuration Manager.”
Client Communication Modes

In System Center Configuration Manager 2007,
you can configure a site to work in either mixed
mode or native mode. In mixed mode, all site
systems use HTTP for client communication, and
sites perform mutual authentication by using
Kerberos version 5 protocol in the Active Directory
forest. In native mode, all site systems use HTTPS
and public key infrastructure (PKI)-issued
certificates to perform mutual authentication.
One of the most important changes in

Configuration Manager 2012 is that you configure
communication for site system roles independent
of the site. You can configure site system roles that use Internet Information Services (IIS), such as
management point or distribution point, to use either HTTP or HTTPS individually. You can use site system
roles that you configure for HTTP only with client computers that are on the intranet. To support clients
on the Internet, the site system roles that you expose to the Internet must use HTTPS. To use HTTPS, a
server requires an X.509 server certificate issued by a PKI that both the servers and clients trust.
When and administrator installs the Configuration Manager client on a client computer, the client
creates a self-signed certificate. For client computers to communicate by using HTTPs, they must have an
X.509 client certificate issued by a PKI that both the client and servers trust. This certificate authenticates
the Configuration Manager client with the site system role. By default, Configuration Manager clients
communicate by using the most secure protocol available. If you configure them with a X.509 certificate
and they can find a site system role by using HTTPS, they connect with that site system by using HTTPS. If
they cannot find a site system role by using HTTPS, they connect by using HTTP.
Discussion: Planning a Configuration Manager 2012 Stand-Alone Primary

Site Deployment
You can use the following questions as a guideline
to determine the configuration of your System
Center 2012 Configuration Manager deployment.
Question: How can you use a stand-alone

primary site to manage clients in multiple network
locations?
Question: How can you implement different

administrative requirements for multiple
administrative teams in a stand-alone primary
site?
Question: What site system roles would you
deploy in a stand-alone primary site?
Question: What communication modes can client and site system roles use?
Lesson 2
Preparing to Deploy a Configuration Manager Primary
Site
When preparing for a Configuration Manager primary site deployment, you must determine the site
system’s hardware and software requirements. You can use prerequisite checker to determine whether a
server meets the prerequisites for hosting site system roles that you select during the setup process.
As part of your preparation, you also can extend the Active Directory schema to enable the site server to
publish information in AD DS. Clients can use this information to determine their assigned site and locate
the management point.
Lesson Objectives
• Explain the purpose of extending the Active Directory schema.

• Describe extending the Active Directory schema.
• Describe site server and site database requirements for a Configuration Manager primary site
deployment.
• Describe the site system roles requirements for a Configuration Manager primary site deployment.
• Identify, install, and configure the prerequisites for site system deployment.
• Explain the functionality of prerequisite checker.
• Describe the installation and configuration of operating-system prerequisites.
Extending the Active Directory Schema

System Center 2012 Configuration Manager uses
the same schema extensions as System Center
Configuration Manager 2007. If you extended the
schema for System Center Configuration Manager
2007, you do not need to extend the schema
again. When installing subsequent versions or
service packs, you need to read a specific version’s
release notes to determine whether you need to
extend the schema’s time to allow for the
associated update’s changes.
Extending the Active Directory schema is
optional unless you are implementing network
access protection (NAP). However, extending the Active Directory schema helps ease the management of
the Configuration Manager site. When you extend the Active Directory schema, the site server publishes
information to AD DS to help with:
• Client computer installation and site assignment. During Configuration Manager client installation,
the client searches AD DS to find a management point from which to download the client software
and a site for site assignment.
• Port configuration for client-to-server communication. During installation, the client obtains the IIS
port information for the client-to-server communications from AD DS. If you change the client-to-
server port information after you install clients, the clients can obtain the updated port information
from AD DS.
• NAP. Configuration Manager publishes health state references to AD DS so that the System Health
Validator point can validate a client’s statement of health.
You can extend the schema by running the following program:
<installation source>\smssetup\bin\x64\extadsch.exe
Optionally, you can extend the schema by using the LDAP Data Interchange Format Data Exchange
(LDIFDE) tool to import the installation source \smssetup\bin\x64\ConfigMgr_ad_schema.ldf file. You need
to edit the .ldf file to include the forest name before you can use it.
For example, the following command line imports the schema extensions into AD DS, turns on verbose
logging, and creates a log file during the import process:
ldifde –i –f ConfigMgr_ad_schema.ldf –v –j <location to store log file>
The System Management Container

Configuration Manager publishes its information into the AD DS Root\System\System Management
container in AD DS. Extending the Active Directory schema does not create this container automatically.
You must create the container in each domain that includes a Configuration Manager central
administration site, a primary site server, or secondary site server that publishes site information to AD DS.
You can create the System Management container manually by using the ADSIEdit.msc tool. When you
are creating the System Management container manually, you have to assign the Configuration Manager
site server full control permissions for the System Management container and all descendant objects.
Optionally, you can grant the Configuration Manager site server full control permissions to the System
container in AD DS, and then the System Management container is created automatically when the
Configuration Manager site server first publishes information to AD DS.
If you have additional AD DS forests that contain clients, and allow your site to publish site data to
additional forests, you also need to extend the Active Directory schema and grant the site server rights to
publish to the remote forests.
Workarounds for Client Installation and Settings

If you decide not to extend the Active Directory schema, you have to use workarounds for the client
installation and maintenance settings that the client receives from AD DS, including that you can use the
following workarounds for:
• Client computer installation and site assignment:
o Use client push installation, and configure installation properties for the site in the Client Push
Installation Properties window.
o Install clients manually and provide client installation properties by using CCMSetup installation
command-line options.
o Publish the management point in Domain Name System (DNS) or Windows Internet Naming
Service (WINS).
• Port configuration for client-to-server communication:
o Reinstall clients and configure them to use the new port information.
o Deploy a script to clients to update the port information through an external method, such as by
using Group Policy.
Demonstration: Extending the Active Directory Schema

In this demonstration, you will see how to extend the Active Directory schema, verify that the schema was
extended successfully, create the System Management container in AD DS, and configure permissions on
the System Management container.
Demonstration Steps
1. On LON-DC1, start File Explorer, and then browse to \\LON-CFG\E$\ConfigMgr2012R2\SMSSETUP
\BIN\X64. Locate and then run the ExtADSch.exe file.
2. Browse to drive C, open the ExtADSch.log file, and then verify the success of the operation by
observing the classes and attributes added to Active Directory® Domain Services (AD DS) and the
message that confirms the schema’s successful extension.
3. In the Run dialog box, type adsiedit.msc, and then click OK.
4. In the ADSI Edit console, connect to the default naming context.
5. In the ADSI Edit console, expand Default naming context [LON-DC1.Adatum.com], expand the
DC=Adatum,DC=Com container, and then select the CN=System container.
6. Create an object under CN=System with the type container and the name System Management.
7. In the ADSI Edit console, verify that the CN=System Management container appears in the results
pane, and then close the console.
8. In the Active Directory Users and Computers console, from the View menu, enable Advanced
Features.
9. Locate the System Management container, and then access its Properties.
10. On the Security tab, assign Full Control permission to the LON-CFG computer, and then click
Advanced.
11. In the Advanced Security Settings for System Management dialog box, edit the entry for the
LON-CFG computer so Full Control permission will apply to This object and all descendant
objects, and then click OK.
12. Click OK on each dialog box to close them.
13. Close the Active Directory Users and Computers console.
Note: After the installation, the Configuration Manager 2012 site server will publish
information in the System Management container. It enables clients to determine their assigned
site and locate the management point.
Site Server and Site Database Requirements
Hardware Requirements
To install a stand-alone Configuration Manager
2012 primary site in an environment that has up
to 100 clients, and that supports all of the features
of Configuration Manager 2012, you need to
ensure that you meet the minimum hardware
requirements that the following table lists.
Hardware component Minimum
Processor AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support,
Intel Pentium IV with EM64T support. Minimum: 1.4 gigahertz (GHz)
RAM 2 gigabytes (GB) of random access memory (RAM)
Free disk space Available: 10 GB

Total, including the operating system: 50 GB
Network adapter Site system computers must have network connectivity to other
Configuration Manager site systems, and they must have clients to
manage them.
This hardware configuration is suitable only for testing environments. If you want to install Configuration
Manager 2012 in a production environment, the minimum hardware requirements are not sufficient.
The following table lists the recommended hardware requirements for a stand-alone System Center 2012
Configuration Manager primary site server that has SQL Server installed on the site server computer.
Hardware component Recommended
Processor 8 cores (Intel Xeon 1.4GHz or comparable central processing unit [CPU])
RAM 32 GB of RAM
Free disk space 550-GB hard-disk space for the operating system, SQL Server, and all
database files
Network adapter Site system computers must have network connectivity to other
Configuration Manager site systems, and they must have clients to
manage them.
When you use an instance of SQL Server that is installed on the same computer as the site server, the
primary site can support up to 50,000 clients. When you use an instance of SQL Server that is installed on
a computer that is remote from the site server, the primary site can support up to 100,000 clients.
Operating-System Requirements
In System Center 2012 Configuration Manager, all site systems, with the exception of distribution points,
require 64-bit server systems that are running one of the following operating systems:
• Windows Server® 2008 Service Pack 2 (SP2) Standard, Enterprise, or Datacenter

o System Center 2012 Configuration Manager
o System Center 2012 Configuration Manager Service Pack 1 (SP1)
o System Center 2012 Configuration Manager R2
• Windows Server 2008 R2 (no service pack or SP1) Standard, Enterprise, or Datacenter
o System Center 2012 Configuration Manager SP1
• Windows Server 2012 Standard or Datacenter
• Windows Server 2012 R2 Standard or Datacenter


A computer configured as a read-only domain controller (RODC) will not support secondary sites and site
database servers.
SQL Server Requirements

The following table lists the server requirements for the different versions of SQL Server that
Configuration Manager 2012 can use.
Central
SQL Server Primary Secondary
Edition administration Notes
version site site
site
SQL Server Standard, Supported Supported Supported Using Standard Edition at

2008 with Enterprise the central administration
SP2 and site limits the total number
Cumulative of clients to 50,000.
Update 9
SQL Server Standard, Supported Supported Supported Using Standard Edition at

2008 with Enterprise the central administration
Service site limits the total number
Pack 3 of clients to 50,000.
(SP3) and
Cumulative
Update 4
Central
SQL Server Primary Secondary
Edition administration Notes
version site site
site
SQL Server Standard, Supported Supported Supported Using Standard

2008 R2 Enterprise Edition at the central
with SP1 administration site limits
and the total number of
Cumulative clients to 50,000.
Update 6

2012 Enterprise Edition at the central
administration site limits
the total number of
clients to 50,000.

2012 SP1 Enterprise Edition at the central
administration site limits
the total number of
clients to 50,000.
SQL Server Not Not supported Not Supported None

Express applicable supported
2008 R2
with SP1
and
Cumulative
Update 6

2012 applicable supported
Express

2012 applicable supported
Express SP1
Additionally, you need to ensure that you apply the following settings to SQL Server:
• Database collation. Configuration Manager requires the collation for both the database instance and
the Configuration Manager itself be set to SQL_Latin1_General_CP1_CI_AS.
• Authentication. Configuration Manager can use only Windows authentication to communicate with
SQL Server.
• SQL Server instance. Each Configuration Manager site must have a dedicated SQL Server instance.
• Reporting Services. You must install SQL Server Reporting on a database server to provide reporting
capabilities in Configuration Manager.
Requirements for Site System Roles

The management point and the distribution point
are two common site system roles that you can
install during the Configuration Manager setup.
You can provide scalability by installing additional
instances of these site system roles in a primary
site or secondary site.
Requirements for Management Points

Each primary site-management point can support
up to 25,000 computer clients. For example, to
support 100,000 clients, you would need at least
four management points.
Each primary site can support up to 10 management points. If you install additional management points
in a stand-alone primary site, note the hardware requirements that the following table lists.
Processor 4 cores (Intel Xeon 2.0 GHz or comparable CPU)
RAM 8 GB of RAM
Free disk space 50 GB of disk space for the operating system and Configuration
Manager
Memory and processor capacity are the primary influences on management point performance.
Requirements for Distribution Points

Each primary site supports up to 250 distribution points, and each distribution point can support up to
4,000 clients.
You also can increase scalability by installing a secondary site. By default, a secondary site includes a
management point and a distribution point, both of which you install on the secondary site server. Each
secondary site supports up to 250 distribution points. Each distribution point can support up to the same
number of clients that the hardware configuration of the secondary site server supports, to a maximum of
4,000 clients.
Each primary site supports a combined total of up to 5,000 distribution points, which includes:
• All distribution points at the primary site
• All distribution points that belong to the primary site’s child secondary sites
If you install additional distribution points, note the hardware requirements that the following table lists.
Processor 2 cores (Intel Xeon 2.0 GHz or comparable CPU)
RAM 8 GB of RAM
Free disk space Disk space, as required for the operating system and content that you
deploy to the distribution point.
Network and disk input/output (I/O) are the primary influences on distribution point performance.
In addition to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server
2012 R2, you can deploy distribution points to the operating systems that the following table lists.
Operating system Architecture Edition Notes
Windows Vista® x64 • Business Edition (SP1) Can only host the
standard distribution
• Enterprise Edition (SP1)
point
• Ultimate Edition (no service pack
or SP1)
Windows® 7 x86 or x64 • Professional (no service pack or Can only host the
SP1) standard distribution
point
• Enterprise Edition (no service pack
or SP1)
• Ultimate Edition (no service pack
or SP1)
Windows 8 x86 or x64 • Pro Can only host the

• Enterprise
point
Windows 8.1 x86 or x64 • Pro Can only host the

• Enterprise
point
Windows Server x86 or x64 • Standard Edition (SP2) Does not support
2003 multicast
• Enterprise Edition (SP2)
• Datacenter Edition (SP2)
Windows Server x86 • Web Edition (SP2) Does not support

2003 multicast
• Storage Server Edition (SP2)
Windows Server x86 or x64 • Standard Edition Does not support

2003 R2 multicast
• Enterprise Edition
Some 32-bit operating systems support distribution points, unlike other site system roles. However, only
specific operating systems support additional distribution-point features, such as Pre-Boot EXecution
Environment (PXE) and multicast.
Note: You can install the site server or any site system role on virtual machines. When using
virtual machines, you need to ensure that the Hyper-V® host meets the hardware requirements
for all virtual machines that it is hosting.
Prerequisites for Installing and Configuring Configuration Manager

There are many prerequisites for Configuration
Manager. Some roles require specific operating-
system components or settings, while other roles
use functionality from other programs. The
following table lists the prerequisites and roles
that need them.
Prerequisite Role or feature Notes
Microsoft .NET All web-based roles Install both .NET 3.5 and Windows Communication
Framework 3.5 Foundation (WCF) activation.
Features This is a Windows feature that installs with the
Windows Server Manager. When you install the .NET
Framework 3.5 features, you receive a prompt to add
required roles and services. IIS then installs with the
required features.
Internet All web-based roles • Common HTTP features

Information
o Static content
Server
o Default document
o Directory browsing
o HTTP errors
o HTTP redirection
• Application development
o ASP.NET
o .NET extensibility
o ISAPI extensions
o ISAPI filters
• Health and diagnostics
o HTTP logging
o Logging tools
o Request monitor
o Tracing
• Security
o Windows authentication
o Request filtering
• Performance
o Static content compression
Prerequisite Role or feature Notes

• Management tools
o IIS Management Console
o IIS management scripts and tools
o IIS 6 management compatibility
o IIS 6 metabase compatibility
o IIS 6 Windows Management Instrumentation
(WMI) compatibility
Net Framework • Application Catalog • Windows Server 2008 R2

4.5 web service point
o Download .NET Framework 4.5 from Microsoft’s
• Application Catalog website, and then install it.
website point
o Install the .NET Framework 4.5 feature
• Asset Intelligence
synchronization point
• Reporting Services
point
• Enrollment proxy
point
BITS Management point The Background Intelligent Transfer Service (BITS) is a

Distribution point Windows feature that installs through the Windows
Server Manager.
Remote Site Servers Remote Differential Compression is a Windows feature

Differential that installs through the Windows Server Manager.
Compression
WDS PXE-enabled You can install the Windows Deployment Services

distribution point (WDS) Role by using Windows Server Manager, and it
is a prerequisite if you want to use PXE or multicast.
Windows Operating System The Windows Automated Installation Kit installs

Automated Deployment automatically when the Configuration Manager 2012
Installation Kit Setup Wizard runs. This prerequisite is for the
operating-system deployment feature.
Windows ADK Operating System The Windows Assessment and Deployment Kit
Deployment (Windows ADK) replaces Windows Automated
Installation Kit for Windows Server 2012 and Window
8 and newer operating systems, and you must install it
on the site server. You can install WAIK or Windows
ADK, but both kits cannot coexist on the same server.
Depending on the site system role that you want to implement, you must configure one or more of the
following prerequisites:
• IIS with ASP.NET and .NET Framework 3.5.1. Most site system roles use HTTP or HTTPS to
communicate with clients, so you should install the Web Server (IIS) server role on the majority of
servers that are hosting site system roles.
• BITS. Site system roles, such as management and distribution points, use BITS for bandwidth
throttling.
• .NET Framework 4.5. This is required when you install any of the following:
o Application catalog
o Software update point
o Asset Intelligence synchronization point
o Reporting Services point
o Enrollment point
o Enrollment proxy point
• WSUS. The software update point role uses Windows Server Update Services (WSUS).
• WDS. WDS is required when you use PXE-initiated deployments of operating systems or if you wish to
use multicast deployment of operating-system images.
Configuration Manager Setup Downloader

Configuration Manager Setup Downloader (SetupDL.exe) is a stand-alone application that you can use to
download the Configuration Manager client prerequisites, language packs, and SQL Server Express 2008
R2 SP1. These prerequisites are requested during the System Center 2012 Configuration Manager Setup
Wizard, and you can download them from the Microsoft web site during setup.
If the site server does not have a direct connection to the Internet, you can use the Configuration
Manager Setup Downloader (SetupDL.exe). You can find this on the Configuration Manager installation
media in the \\SMSSETUP\BIN\X64 folder, and it enables you to download the prerequisites on another
computer that does not have Internet connectivity. You then can copy the prerequisites to the server on
which you plan to install Configuration Manager.
SQL Server Configuration

When you install and configure the SQL Server that Configuration Manager 2012 uses, refer to the
settings that the following table describes.
Configuration More information
Database collation The instance of SQL Server in use at each site must use the following
collation: SQL_Latin1_General_CP1_CI_AS.
SQL Server features Only the Database Engine Services feature is required for each site
server. You also can install SQL Server Reporting Services to support the
Reporting Services point role.
Note: Configuration Manager replication does not require the

SQL Server replication feature.
Windows authentication Configuration Manager requires Windows authentication to validate

connections to the database.
Configuration More information
SQL Server instance You must use a dedicated instance of SQL Server for each site.
SQL Server memory When you use a database server that is co-located with the site server,
limit the memory for SQL Server to 50 to 80 percent of the available
addressable system memory.
When you use a dedicated SQL Server, limit the memory reserved for
SQL Server to 80 to 90 percent of the available addressable system
memory.
Configuration Manager requires SQL Server to reserve a minimum of 8
GB of memory in the buffer pool that an instance of SQL Server uses
for the central administration and primary sites.
What Is Prerequisite Checker?

Prerequisite checker (ConfigMgrSourceFiles
\SMSSETUP\BIN\x64\prereqchk.exe) is a stand-
alone application included with the System Center
2012 installation media. Use the prerequisite
checker application to verify that a server is ready
for a site server installation or the installation of
specific site system roles. The prerequisite checker
application performs tests in the following
categories:
• Security rights. Prerequisite checker

performs validation for the security rights of
the administrative user who is performing the
setup. It verifies administrative permissions on the central administration site, if a central
administration site exists; local administrator permissions on the computer where Configuration
Manager is installed; and permissions on the SQL Server that was used for the installation.
• Configuration Manager dependencies. Prerequisite checker tests for Configuration Manager

dependencies, such as:
o Verifying that BITS is enabled.
o Checking the SQL Server configuration.
o Checking the Windows Firewall settings.

o Checking the IIS configuration.
o Checking publishing to AD DS permissions.
o Checking for the installation of the required Configuration Manager prerequisites.

• System requirements. Prerequisite checker validates the hardware and operating-system
configuration, AD DS functional level, Active Directory schema extensions, domain membership,
and the free disk space on the server on which you perform the installation.
You can run prerequisite checker manually when preparing a server for Configuration Manager, but it
is not a requirement. If you choose to run prerequisite checker manually, you can remediate any issues
that you find before you run the Configuration Manager Setup program. The Configuration Manager
Setup program runs it as the last step in the Setup Wizard, because installation cannot begin until all
prerequisites for the chosen roles are met.
Prerequisite Checker notifies you of any warnings or errors that it encounters. Tests that result in a
warning do not prevent you from installing System Center 2012 Configuration Manager successfully.
However, you should resolve the condition that generated the warning before running the Configuration
Manager 2012 Setup Wizard. Tests that result in an error prevent you from completing the Configuration
Manager setup process. Additionally, you can avoid interrupting the setup process by remediating any
prerequisite errors before running Configuration Manager 2012 Setup Wizard.
The following table lists the available options to use when you run Prerequisite Checker from a command
line.
Command-line option Description
/NOUI Use this option to start Prerequisite Checker without displaying the
user interface. You must specify this option before any other option
in the command-line.
/PRI or /CAS Verifies that the local computer meets the requirements for the
primary site or central administration site. You can specify only one
option. You cannot combine this option with the /SEC option.
/SEC FQDN of secondary site Verifies that the specified computer meets the requirements for the
secondary site. This option cannot be combined with the /PRI or
/CAS option.
[/INSTALLSQLEXPRESS] Verifies SQL Express on the specified computer. You can use this
option only after the /SEC option.
/SQL FQDN of SQL Server Verifies that the specified computer meets the requirements for SQL
Server to host the Configuration Manager site database. This option
is required when you use the /PRI or /CAS option.
/SDK FQDN of SMS Provider Verifies that the specified computer meets the requirements for the
SMS Provider. This option is required when you use the /PRI or /CAS
option.
/JOIN FQDN of central Verifies that the local computer meets the requirements for
administration site connecting to the central administration server. This option is only
valid when you use the /PRI option.
/MP FQDN of management Verifies that the specified computer meets the requirements for the
point management point site system role. This option is only supported
when you use the /PRI option.
/DP FQDN of distribution Verifies that the specified computer meets the requirements for the
point distribution point site system role. This option is only supported
when you use the /PRI option.
/ADMINUI Verifies that the local computer meets the prerequisites for the
Configuration Manager console. This option cannot be combined
with any other option.
Prerequisite Checker verifies that the site server computer account has permissions to write in AD DS, but
it does not check permissions for any groups of which the site server is a member.
Demonstration: Installing and Configuring Operating-System Prerequisites

In this demonstration, you will see what Windows Server 2012 R2 roles and features are necessary to
support the Configuration Manager installation.
Demonstration Steps
1. On LON-CFG, start the Server Manager console.
2. In the Server Manager console, verify that the following roles and features are installed:
o .NET Framework 3.5 Features
o Background Intelligent Transfer Service (BITS)

o Remote Differential Compression
o Web Server
Lesson 3
Installing a Configuration Manager Site Server
After preparing the environment, your next step is to install the Configuration Manager 2012 site server.
You can use the System Center 2012 Configuration Manager Setup Wizard to:
• Install a primary site, either as a stand-alone site or as part of a hierarchy.

• Install a central administration site.
• Recover a site server.
• Perform site maintenance.

• Uninstall the site.
You can select additional configuration options for site systems during setup.
You will review the available setup options, and then determine the most appropriate settings for your
implementation.
Lesson Objectives
• Describe the Configuration Manager 2012 setup process.
• Explain the Configuration Manager 2012 setup options.

• Describe the installation of a Configuration Manager 2012 primary site.
The Configuration Manager 2012 Setup Process

The following table lists the steps of the System
Center 2012 Configuration Manager Setup
Wizard, and information that you input for each
step.
Wizard step Input required
Getting Started Choose: Install a Configuration Manager primary site server.

Optionally, you can check: Use typical installation options for a stand-alone
primary site.
Product Key Enter the product key or select Install this product as an evaluation.
Microsoft Software Accept the license terms in this step to continue with the setup.
License Terms
Prerequisite In this step, you must accept the licenses for Microsoft SQL Server 2008 R2

Licenses Express, Microsoft SQL Server 2008 Native Client, and Microsoft Silverlight® 4
to continue with the setup.
Prerequisite In this step, you can download the Configuration Manager prerequisites or
Downloads specify a folder where you downloaded them previously.
Server Language This option enables you to specify additional language packs to download and
Selection install for the admin console and reports.
Client Language This option enables you to specify additional language packs to download and
Selection install for the Configuration Manager client.
Site and Installation Configure the site code and site name. You cannot change these settings once
Settings you configure them. You also can choose whether to install the Configuration
Manager console.
Primary Site If you selected Install a Configuration Manager primary site in the first step,
Installation you can indicate whether the site is a stand-alone site or is part of a hierarchy.
Database Input the fully qualified domain name (FQDN) of the SQL server, the name of
Information the Configuration Manager database, and the port to use for the SQL Server
Service Broker.
SMS Provider Input the FQDN name of the server that hosts the SMS Provider. By default,
Settings this installs on the site server. We recommend installing this role on the
database server, unless the database is clustered.
Client Computer In this step, you can configure choose either of the following:
Communication • All site systems roles accept only HTTPS communication from clients
Settings
• Configure the communication method on each site system role
If you choose to configure site system roles separately, you can check the:
Clients use HTTPS when they have a valid PKI certificate and HTTPS-enabled
site roles are available check box.
Site System Roles In this step, you can choose to install a management point and/or a
distribution point, and specify the FQDNs for the roles. By default, both roles
are installed by using the server’s FQDN.
Option Role configuration
All site systems roles accept only HTTPS Both roles are configured for
communication from clients. HTTPS and you cannot modify
them during setup.
Configure the communication method Both roles are configured for

on each site system role. HTTP and you cannot modify
them during setup.
Configure the communication method Both roles are configured for

on each site system role, and you check HTTPS. You can modify them
Clients will use HTTPS when they have a during setup.
valid PKI certificate and HTTPS-enabled
site roles are available.
Customer In this step, you can choose to participate in the Customer Experience
Experience Improvement Program.
Improvement
Program
Configuration
Settings Summary Review your selections to determine whether you need to make changes.
Prerequisite Check The Setup Wizard launches the prerequisite checker application to evaluate
the server readiness for hosting selected roles.
Begin install Select the option to start the installation. Alternatively, you can go back and
make additional changes, or you can install missing prerequisites.
If you want to install the console on an administrative user’s workstation, you can use the
ConsoleSetup.exe in SMSSETUP/BIN/i386. The Configuration Manager console is a 32-bit application
that you can install on 32-bit and 64-bit operating systems.
Setup Options for Configuration Manager 2012

You can use the options in the first step of the
System Center 2012 Configuration Manager Setup
Wizard to:
• Install a Configuration Manager primary site.
Select this option to install a primary site. You
have the opportunity later to select whether it
is a stand-alone site or part of a hierarchy.
• Install a Configuration Manager central

administration site. If you are installing a
hierarchy, you must install the central
administration site first.
• Upgrade an existing Configuration Manager 2012 installation. This option enables you to upgrade the
current Configuration Manager 2012 site to a newer version, such as SP1.
• Recover a site. Use this option to perform the first step in recovering a failed site server. Module 7
provides more details on site-server recovery.
• Perform site maintenance or reset this site. Use this option to modify the SQL server configuration,
manage the SMS Provider, or perform a site reset after restoring from a backup.
• Uninstall a Configuration Manager site. We recommend this approach to remove a site server from a
hierarchy.
Note: The option to install a secondary site is not available in the Setup Wizard. You can
install the secondary sites by using the Configuration Manager console connected to an existing
primary site.
The Configuration Manager setup differs from the Configuration Manager 2007 setup in the following
ways:
• With the exception of the management point and distribution point site roles, you cannot install any
of the optional roles during the setup process.
• Setup Downloader (SetupDL.exe) and Prerequisite Checker (prereqchk.exe) now are separate
applications that you can launch without starting the Configuration Manager Setup Wizard.
Demonstration: Installing a Configuration Manager Primary Site

In this demonstration, you will see how to install a Configuration Manager primary site.
Demonstration Steps
1. On LON-CFG, open File Explorer, and then navigate to the E:\ConfigMgr2012R2\ folder.
2. Double-click splash.hta.
3. In the System Center 2012 R2 Configuration Manager Setup dialog box, click Install.
4. The Microsoft System Center 2012 R2 Configuration Manager Setup Wizard starts. Use the following
settings to install a stand-alone primary site.
a. On the Getting Started page, select Install a Configuration Manager primary site.
b. On the Product Key page, select Install the evaluation edition of this product.
c. On the Microsoft Software License Terms page, accept the license terms.
d. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms. Under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms
and automatic updates of Silverlight.
e. On the Prerequisite Downloads page, select Use previously downloaded files, and then
specify the E:\ConfigMgr2012R2\Redist as the location.
f. On the Server Language Selection and Client Language Selection pages, click Next.
g. On the Site and Installation Settings page, configure the following options.
 Site code: LON
 Site name: Adatum Site
 Install the Configuration Manager console: selected
h. On the Primary Site Installation page, select Install the primary site as a stand-alone site.
i. On the Database Information page, accept the default settings.

j. On the SMS Provider Settings page, accept the default settings.
k. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role.
l. On the Site System Roles page, verify that both Install a management point and Install a
distribution point check boxes are selected. Additionally, verify that LON-CFG.Adatum.com
appears in both FQDN text boxes.
m. On the Customer Experience Improvement Program Configuration, select I don’t want to

join the program at this time.
n. On the Settings Summary page, click Next.

o. On the Prerequisite Check page, wait for the prerequisite checking to finish, review the results,
and then click Begin Install.
Lab A: Installing a Configuration Manager Primary Site

Scenario
You are the network administrator for A. Datum Corporation. Adatum wants to deploy System Center
2012 Configuration Manager as a stand-alone primary site.
You need to test the deployment by:

1. Configuring prerequisites for the Configuration Manager 2012 deployment.
2. Extending the Active Directory schema.
3. Installing a System Center 2012 Configuration Manager stand-alone primary site.
Objectives
At the end of this lab, you will be able to:
• Configure the prerequisites for a System Center 2012 R2 Configuration Manager deployment.
• Extend the Active Directory schema, and configure permissions for the Configuration Manager site
server.
• Install a Configuration Manager 2012 stand-alone primary site.
Lab Setup
Estimated Time: 30 minutes
Virtual Machines 10748C-LON-DC1-A

10748C-LON-CFG-A
User Name Adatum\Administrator
Password Pa$$w0rd
For this lab, you use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, from the Start screen, click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-A, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 through 4 for 10748C-LON-CFG-A.

Exercise 1: Configuring the Prerequisites for Configuration Manager 2012

Deployment
Scenario
You have received your virtual environment to use for testing. The virtual machines are configured with
the Windows Server 2012 R2 operating systems. Additionally, IIS, the required prerequisites, and SQL
Server 2012 SP1 are installed.
You need to verify the configuration of prerequisites for the Configuration Manager deployment.
The main tasks for this exercise are as follows:
1. Start Server Manager.
2. Verify the installation of the Web Server (IIS) role.

3. Verify the required features.
4. Verify that Windows ADK for Windows 8.1 is installed.
 Task 1: Start Server Manager

• On 10748C-LON-CFG-A, start the Server Manager console, and then click to the Local Server node.
 Task 2: Verify the installation of the Web Server (IIS) role

• In the Server Manager console, scroll to the Roles and Features section, and verify that the Web
Server (IIS) role is installed.
 Task 3: Verify the required features

1. In the Server Manager console, verify that the following features are installed:
o Remote Differential Compression
2. Close the Server Manager console.
 Task 4: Verify that Windows ADK for Windows 8.1 is installed

• Open File Explorer, and then browse to C:\Program Files (x86)\Windows Kits\8.1\Assessment and
Deployment Kit. Verify that the following components have been installed:
o Deployment Tools
o Windows Preinstallation Environment

o User State Migration Tool
Results: After this exercise, you should have validated the prerequisites for installing System Center 2012
Exercise 2: Extending the Active Directory Schema

Scenario
The virtual environment includes a domain controller with AD DS that is configured in the Adatum.com
domain.
You need to prepare AD DS for Configuration Manager 2012 by extending the AD DS schema, and then
by creating the System Management container manually in which the Configuration Manager 2012 server
will publish information.
1. Run EXTADSCH on the domain controller.
2. Create a System Management container by using ADSI Edit.
3. Assign Full Control permissions to the site server for the System Management container.
 Task 1: Run EXTADSCH on the domain controller

1. On LON-DC1, open File Explorer, navigate to the \\LON-CFG\E$\ConfigMgr2012R2
\SMSSETUP\BIN\X64 folder, and then locate and run extadsch.exe.
2. Browse to drive C, open the ExtADSch.log file created in the root of drive C, and then verify the
success of the operation by observing the classes and attributes added to AD DS and the message
that confirms the schema’s successful extension.
 Task 2: Create a System Management container by using ADSI Edit

1. On LON-DC1, in the Run dialog box, type adsiedit.msc, and then click OK.
2. In the Active Directory Service Interfaces (ADSI) Edit console, connect to the default naming context.
3. In the ADSI Edit console, expand Default naming context [LON-DC1.Adatum.com], expand the
DC=Adatum,DC=Com container, and then select the CN=System container.
4. Create an object under CN=System with the type container and the name System Management.
5. In the ADSI Edit console, verify that CN=System Management container appears in the results pane,
and then close the console.
 Task 3: Assign Full Control permissions to the site server for the System Management
container
1. Open the Active Directory Users and Computers console, and then from the View menu, verify that
Advanced Features is selected.
2. Under the System container, browse to the System Management container, and then access its
Properties.
3. On the Security tab, assign Full Control permission to the LON-CFG server, and then click
Advanced.
4. In the Advanced Security Settings for System Management dialog box, edit the entry for the
LON-CFG computer so Full Control permission will apply to This object and all descendant
objects, and then click OK.
5. Close all dialog boxes with OK.

Note: After the installation, the Configuration Manager 2012 site server will publish
information in the System Management container. This enables clients to determine their
assigned site and locate their management point.
Results: At the end of this exercise, you should have extended the Active Directory schema, created the
System Management container, and assigned permissions to the Configuration Manager server.
Exercise 3: Installing a Configuration Manager 2012 Stand-Alone Primary

Site
Scenario
After you verify that you have installed all prerequisites, and you have extended the AD DS schema, you
need to install Configuration Manager 2012 in a stand-alone primary site.
1. Run the setup for Configuration Manager 2012.

2. Install a Configuration Manager 2012 stand-alone primary site.
3. To prepare for the next lab.
 Task 1: Run the setup for Configuration Manager 2012

1. On LON-CFG, open File Explorer, and then navigate to the E:\ConfigMgr2012R2\ folder.
2. Double-click splash.hta, and then click Microsoft (R) HTML Application host.
 Task 2: Install a Configuration Manager 2012 stand-alone primary site

1. On the System Center 2012 R2 Configuration Manager Setup window, click Install. The Microsoft
System Center 2012 Configuration Manager Setup Wizard starts.
2. Use the following settings to install a stand-alone primary site:
a. On the Getting Started page, select Install a Configuration Manager primary site.
b. On the Product Key page, select Install the evaluation edition of this product.
these License Terms. Under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms
and automatic updates of Silverlight.
f. On the Server Language Selection and Client Language Selection pages, verify that English is
selected.
g. On the Site and Installation Settings page, configure the following options:
 Site code: LON
 Site name: Adatum Site
h. On the Primary Site Installation page, select Install the primary site as a stand-alone site.
i. On the Database Information pages, accept the default settings.
j. On the SMS Provider Settings page, accept the default settings.
k. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role.
l. On the Site System Roles page, verify that a management point and a distribution point will be
installed on LON-CFG.Adatum.com.
m. On the Customer Experience Improvement Program Configuration page, select I don’t want
to join the program at this time.
n. On the Settings Summary page, click Next.
o. On the Prerequisite Check page, wait for the prerequisite check to finish, and then click Begin
Install.
3. Wait for the installation to finish, and then close the wizard.
Note: The installation may take up to 30 minutes
 Task 3: To prepare for the next lab

• When you finish the lab, leave the virtual machines running.
Results: At the end of this exercise, you should have installed System Center 2012 Configuration Manager
in a stand-alone primary site.
Question: What prerequisites are required for installing a stand-alone Configuration

Manager primary site?
Question: To validate server readiness for installation, Prerequisite Checker verifies
prerequisites for which components?
Question: What user rights are required to extend the Active Directory schema?
Question: What setup options are available in the Configuration Manager 2012 Setup
Wizard?
Lesson 4
Performing Post-Setup Configuration Tasks
You can verify that the successful installation of System Center 2012 Configuration Manager by starting
the Configuration Manager console, reviewing the installation logs, and then reading the status messages.
Additionally, you need to perform initial site configuration by defining the boundaries and boundary
groups, and by installing optional, additional site roles.
Lesson Objectives
• Verify a Configuration Manager 2012 primary site installation.
• View and interpret status messages.
• Configure status summarizers.

• Configure boundaries and boundary groups.
• Configure Active Directory Forest Discovery.
• Install additional site system roles.

• Describe performing post-configuration tasks.
Verifying the Configuration Manager 2012 Installation

You can perform the following actions to verify
the Configuration Manager 2012 installation:
1. Use the Services console to verify that the
SMS Executive and related services have
started.
2. Start the Configuration Manager console. This
verifies that the default site components are
functioning correctly. If the console cannot
connect, verify that you are logged on with
the same account that you used for Setup.
3. View the installation logs:
o ConfigMgrPrereq.log. Prerequisite checker generates this log, regardless of whether you run it
stand-alone or as part of Setup.
o ConfigMgrSetup.log. Configuration Manager Setup Wizard generates this log, and is the primary
setup log. Look here to identify any abnormal errors that the wizard encountered during Setup.
For example, when you run Setup, the wizard attempts to connect to the database. Since the
database does not exist at this point, this action generates an error.
o ConfigMgrSetupWizard.log. The Setup Wizard generates this log.
o ConfigMgrAdminUI.log. The console setup generates this log. Because installing the console is
not mandatory, this is a separate log.
4. View the Status Messages in the Monitoring section.

Viewing Status Messages

All major Configuration Manager components
generate status messages.
One way to use status messages is to validate a

Configuration Manager installation and its core
component functionality. You can find status
messages in the Monitoring workspace at the
following nodes:
• Site Status
• Component Status
After selecting a site system or component, use

the Status Messages Viewer to view the associated
status messages. Start this application by clicking Show Messages in the ribbon.
Status messages can also be viewed using status message reports.
Overview of Status Summarizers

Status messages help you track data flow through
the Configuration Manager components. State
messages represent a client’s point-in-time
condition. You can use the status message viewer
to read status messages, but there is no such
equivalent for state messages. State messages are
seen largely in reports, various data in the console
(such as number of systems needing an update),
or the client logs themselves.
Browsing through all status messages can be a

tedious task. Configuration Manager aggregates
status messages by using status summarizers that
determine the overall health of each component.
There are four status summarizers:
• Application Deployment Summarizer, which aggregates state messages that clients generate when
involved in deploying applications clients.
• Application Statistics Summarizer, which aggregates information about status messages for
application deployment.
• Component Status Summarizer, which aggregates status messages that site-system components
generate.
• Site System Status Summarizer, which aggregates status messages that site systems generate.
Additional tools for working with status messages are:
• Status filter rules, which control the processing of status messages based on both built-in rules that
you can modify and on rules that you create.
Configuring Boundaries and Boundary Groups

A boundary is an intranet network location that
can contain one or devices that more you want
to manage. There are multiple ways to define
boundaries, and a hierarchy can have boundaries
that you define by using any combination of the
available methods. Boundary information is stored
as global data and, as such, replicates throughout
the hierarchy. To use boundaries for Configuration
Manager operations, you must add them to
boundary groups.
Internet-based clients or clients that you configure

as Internet-only clients do not use boundary
information. Because these clients cannot use automatic site assignment, when you configure the
distribution point to allow client connections from the Internet, they download content from any
distribution point in their assigned site.
Boundaries
Each boundary represents a network location in your hierarchy. A boundary does not enable you to
manage clients at the network location. You can use it to identify available network locations. To manage
a client, the boundary must be a member of a boundary group.
You can define a boundary by using an:
• IP subnet. You can specify an IP address and subnet mask, and then Configuration Manager calculates
the subnet ID or you can provide the subnet ID.
Note: Configuration Manager does not support the use of supernetworks for boundaries. If
you try to use a supernetwork address, Configuration Manager changes it to a class A, class B, or
class C subnet.
• Active Directory site name. You can specify any sites that you define in your AD DS environment.
• IPv6 Prefix. You can use an IPv6 prefix for a boundary if you are using IPv6 in your environment.
• IP address range. You can specify a range of IP addresses if you want to limit your boundaries.
An administrator can create boundaries manually, or Configuration Manager 2012 can create IP address
range boundaries automatically by using the Active Directory Forest Discovery method. We recommend
that you use IP address ranges to define boundaries instead of using IP subnets, because IP address
ranges do not rely on the subnet mask’s configuration being correct at the client.
Boundary Groups
Boundary groups contain one or more boundaries. They enable clients on the intranet to find an assigned
site and locate content.
Boundary groups are functionally equivalent to Configuration Manager 2007 boundaries, and are
associated with sites. Clients use them to identify the site to which they are assigned, and use them to
locate content.
Site Assignment
A client can use boundary groups for automatic site assignment by finding an appropriate site to join,
based on the client’s current network location. You must enable the Use this boundary group for site
assignment setting to enable automatic site assignment to use a particular boundary. This setting is in
the boundary group’s Properties dialog box on the References tab. When you enable a boundary group
for automatic site assignment, you also can configure the site to which you want to assign the clients.
Configuration Manager publishes boundary group information to AD DS, and the client queries them
after installation. After a client receives a site assignment, the client does not change that site assignment
automatically. For example, a client’s site assignment does not change if that client roams to a different
network location that a boundary, in a site’s boundary group than the client’s assigned site, represents.
Content Location
Clients also use boundary groups to identify available distribution points or state migration points,
based upon the client’s current network location. When configuring a boundary group, you specify the
distribution points and state migration points that clients use within one of the boundary group’s
boundaries.
When a client requests content, it retrieves a list of all distribution points that contain the content from
all the boundary groups of which the client is a member. The client then downloads the content from the
distribution point that is the best choice, based on the boundary and its speed.
Overlapping Boundary Groups

There might be situations where you want a boundary to be in multiple boundary groups. While this
configuration works well with content location, you might get unpredictable results if you overlap
boundaries in boundary groups that you are using for site assignment. Therefore, Configuration Manager
2012 does not support overlapping boundary groups for site assignment.
Depending on your environment’s complexity, you might decide to create two sets of boundary groups—
one for site assignment and one for content location. This enables you to configure the boundary groups
for content location to contain overlapping boundaries and not affect site assignment.
Network Connection Speed

When you add a distribution point to a boundary group, you specify whether it is Fast or Slow for the
boundary group to which you are adding it. By default, distribution points are Fast. Clients use this value
when determining the distribution point to which to connect. The network connection speed and the
deployment configuration determine whether a client can download content from a distribution point
when the client is in an associated boundary group.
Question: After defining a boundary, what should you do next?
What Is Active Directory Forest Discovery?

Active Directory Forest Discovery discovers IP
subnets and Active Directory sites from AD DS,
and can add them to the Configuration Manager
hierarchy as IP address-range boundaries or
Active Directory site boundaries. You can use
these boundaries in boundary groups, which
Configuration Manager clients use for site
assignment or for content location.
Unlike other discovery methods, Active Directory
Forest Discovery does not discover resources that
you can manage, such as computers, users, or
groups.
Active Directory Forest Discovery configuration options are in the System Center 2012 Configuration
Manager console’s Administration workspace under the Hierarchy Configuration node, and include:
• Discovery Methods. You can enable Active Directory Forest Discovery in the hierarchy. You also
can configure a simple schedule to run discovery, and specify whether it should create boundaries
automatically from the IP subnets and Active Directory sites that Configuration Manager discovers in
the Active Directory Forest(s). You cannot run Active Directory Forest Discovery at a secondary site,
but you can trigger a discovery cycle on demand.
• Active Directory Forests. Here you configure the additional Active Directory forests that you want
to discover, specify the account to use as the Active Directory Forest Account for each forest, and
configure publishing to each forest. Additionally, you can specify the discovery of IP subnets and
Active Directory sites.
The following information is published to AD DS when you enable publishing for an Active Directory
forest if the schema was previously extended and configured for Configuration Manager publishing:
• SMS-Site-<site code>
• SMS-MP-<site code>-<site system server name>

• SMS-<site code>-<Active Directory site name or subnet>
To publish data into AD DS, each site server must have full permissions on the System Management
container and all descendant objects. Secondary sites always use the computer account of the secondary
site server to publish to AD DS. Therefore, you must ensure that secondary site servers have full
permissions.
You can configure Active Directory Forest Discovery at the central administration site or any primary site
in the hierarchy. To avoid conflicts with discovery data, you should not configure multiple sites to discover
the same Active Directory Forest.
Active Directory Forest Discovery actions are recorded in the following logs, which reside in the site
server’s <InstallationPath>\Logs folder:
• All actions, with the exception of actions related to publishing, are in the ADForestDisc.log.
• Active Directory Forest Discovery publishing actions are in the hman.log.
Question: How does Configuration Manager use IP subnets that Active Directory Forest Discovery
locates?
Installing Site System Roles

To provide flexibility when determining the site
role installation, you can install only management
and distribution points during setup. You install
other roles from the Configuration Manager
console after performing a setup.
You will need to determine whether the roles are

installed:
• On an existing site system, by using the Add

Site System Roles Wizard.
• On a new site system, by using the Create Site
System Server Wizard.
The two wizards are the same, except that you need to select an existing server and designate it as a new
site system in the Configuration Manager site in the Create Site System Server Wizard. Conversely, you do
not need to reconfigure the Add Site System Roles Wizard information on the General page. Please note
that the Add Site System Roles Wizard does not list roles that are installed already on the site systems.
Demonstration: Performing Post-Configuration Tasks

In this demonstration, you will see how to configure Active Directory Forest Discovery to create
boundaries based on AD DS sites, create a boundary group, and assign the new boundary. You also will
see how to configure site system roles and install additional roles, and how to configure a management
and distribution point.
Demonstration Steps
1. On LON-DC1, start the Active Directory Sites and Services console.
2. In the Active Directory Sites and Services console, under the Sites node, rename Default-First-Site-
Name to London.
3. Under the Subnets node, create a subnet for 10.10.0.0/24, and then assign it to the London site.
4. Close the Active Directory Sites and Services console.
5. On LON-CFG, open the Configuration Manager console, in the Administration workspace, expand
Hierarchy Configuration, and then select Discovery Methods.
6. In the results pane, access the properties for Active Directory Forest Discovery, and then select
the Enable Active Directory Forest Discovery and Automatically create Active Directory site
boundaries when they are discovered check boxes.
7. In the Configuration Manager console, in the Active Directory Forests node, access the Properties
of Adatum.com. Review the settings, and then close the dialog box.
8. Under the Boundaries node, access the Properties of the created boundary. Review the settings, and
then close the dialog box.
9. In the Configuration Manager console, select the Boundary Groups node, and then on the ribbon,
click Create Boundary Group.
10. Create a boundary group with the following settings:

o Name of the boundary group: London Clients
o Add the London boundary.
o On the References tab, select the option Use this boundary group for site assignment.
o Add \\LON-CFG.Adatum.com as the site system server.
11. In in the Configuration Manager console, under Site Configuration, select the Servers and Site
System Roles node.
12. Select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and then click Add Site
System Roles.
13. In the Add Site System Roles Wizard, use the following settings to install the site system roles:
o On the General page, verify that the Name for the site server is LON-CFG.Adatum.com.
o On the System Role Selection page, select Fallback status point and Reporting services
point.
o On the Fallback Status Point page, accept the default settings.
o On the Reporting services point page, use the Verify button to validate access to database.
o Under User name click Set, New Account, and then specify the following credentials:
 User name: ADATUM\Administrator
 Password: Pa$$w0rd
 Confirm password: Pa$$w0rd
14. Complete the wizard by accepting the default settings.
15. In the Configuration Manager console, select \\LON-CFG.Adatum.com.
16. In the preview pane, access the Properties for the Management point.
17. Select the option Generate alert when the management point is not healthy, and then close the
dialog box.
18. In the preview pane, access the Properties for the Distribution point.
19. On the Boundary Groups tab, verify that the London Clients boundary group you have created
previously appears in the list, and then close the dialog box.
Note: The association between the distribution point and the boundary group was created
when you added the site system to the boundary group in a previous task.
Lesson 5
Tools for Monitoring and Troubleshooting a
Configuration Manager Site
You were introduced to the status messages feature when you validated the installation of the System
Center 2012 Configuration Manager primary site. All major Configuration Manager components generate
status messages that you can use to monitor and troubleshoot your installations.
In this lesson, you will review additional features that pertain to status messages, such as status
summarizers, status filter rules, and status reports.
Configuration Manager site systems and components also generate detailed logs. In this lesson, you will
review the logs, and then identify the most appropriate log to use when troubleshooting a specific
feature.
You also will examine the Configuration Manager console, which also includes features that you can use
for monitoring and alerting.
Lesson Objectives
• Describe using the Configuration Manager 2012 logs for troubleshooting.
• Describe using the monitoring features in the in the Configuration Manager 2012 console.
• Configure alerts and subscriptions for site system processes.
Using Configuration Manager Logs for Troubleshooting a Configuration

Manager Site
System Center 2012 Configuration Manager site
systems and clients generate logs that you can
use for troubleshooting your deployment.
There are three types of logs:
• Setup logs. The Setup Wizard generates setup

logs in the root of the %SystemDrive%.
• Site server logs. Site systems and

components generate site server logs in the
InstallationPath\LOGS folder. On computers
that serve as management points or Fallback
Status Points, some log files are located in the
%ProgramFiles%\SMS_CCM\Logs folder.
• Several roles, such as the management point and distribution point, use IIS. The IIS log file is in the
%Windir%\System32\logfiles\W3SVC1 folder on the IIS server.
The Configuration Manager Trace Log Tool (CMTrace.exe) is an add-on tool that you can use to view
logs, quickly locate warning and errors, and view the latest real-time updates to logs. The Configuration
Manager Trace Log Tool is a stand-alone executable file in the installation media\SMSSETUP\TOOLS folder
or in the installation path\TOOLS folder.
You can use this tool to view and monitor log files, including:
• Log files in all Configuration Manager versions.
• Plain ASCII or Unicode text files, such as Windows Installer logs.
Log files
Most processes and roles generate their own log files. The following table lists the log files that pertain to
installation and default roles, including the management and distribution points.
Log file Description
compmon.log Located in the InstallationPath\LOGS folder. This log file records

the status of the component threads.
compsumm.log Located in the InstallationPath\LOGS folder. This log file records

Component Status Summarizer tasks.
ComRegSetup.log Located in the InstallationPath\LOGS folder. This log file records

the initial installation of COM registration results.
ConfigMgrAdminUISetup.log Located in the root of the %SystemDrive%. This log file records
the installation of the Configuration Manager console.
ConfigMgrPrereq.log Located in the root of the %SystemDrive%. This log file records
the results of the prerequisites checker.
ConfigMgrSetup.log Located in the root of the %SystemDrive%. This log file records
the installation of the Configuration Manager server.
ConfigMgrSetupWizard.log Located in the root of the %SystemDrive%. This log file records
the progress of the Configuration Manager Setup Wizard.
distmgr.log Located in the InstallationPath\LOGS folder. This log file records

package creation, compression, delta replication, and
information updates.
hman.log Located in the InstallationPath\LOGS folder. This log file records

site configuration changes and publishing of site information in
AD DS.
mpcontrol.log Located in the InstallationPath\LOGS folder. This log file records

the availability of the management point every 10 minutes.
mpfdm.log Located in the InstallationPath\LOGS folder. This log file records

the activity of the management point component that moves
client files to the corresponding INBOXES folder on the site
server.
mpMSI.log Located in the InstallationPath\LOGS folder. This log file records

details about the management point installation.
MPSetup.log Located in the InstallationPath\LOGS folder. This log file records

the management point installation wrapper process.
PerfSetup.log Located in the InstallationPath\LOGS folder. This log file records

the results of the installation of performance counters.
Log file Description
sitecomp.log Located in the InstallationPath\LOGS folder. This log file records

the installation of site system roles, as well as maintenance of the
installed site components.
sitectrl.log Located in the InstallationPath\LOGS folder. This log file records

site setting changes made to site control objects in the database.
sitestat.log Located in the InstallationPath\LOGS folder. This log file records

the availability and disk space monitoring activity for all site
systems.
smsdbmon.log Located in the InstallationPath\LOGS folder. This log file records

database changes.
smsexec.log Located in the InstallationPath\LOGS folder. This log file records

the processing of all site server component threads.
SMSProv.log Located in the InstallationPath\LOGS folder. This log file records

WMI provider access to the site database.
statesys.log Located in the InstallationPath\LOGS folder. This log file records

the processing of system state messages.
statmgr.log Located in the InstallationPath\LOGS folder. This log file records

the writing of all status messages to the database.
Note: For a full list of logs that the Configuration Manager site server and site system roles
generate, refer to the Additional Reading link in the Course Companion Content at
http://www.microsoft.com/learning/companionmoc/.
Monitoring Features in the Configuration Manager Console

You can use the Configuration Manager
console to view aggregated information about
the health state of your Configuration Manager
infrastructure. This information is available in the
console’s Monitoring section.
You can use the Configuration Manager console

to:
• Configure the generation of alerts if site

systems are not functioning.
• Create status message queries.
• Access the reports.
• View the diagram of your Configuration Manager hierarchy.
• View the aggregated health status of the site systems, site components, and deployments.
• View the health status of Configuration Manager clients.
• View the status of database replication between the sites in a hierarchy.
• View the content distribution status.
“Module 8: Maintaining and Monitoring System Center 2012 R2 Configuration Manager” provides more
detail about monitoring features.
Configuring Alerts and Subscriptions for Site System Processes

Configuration Manager generates alerts based on
predefined conditions. Typically, Configuration
Manager generates alerts when errors occur to
inform administrators of the error, which enables
them to fix it. You can configure alerts for client
status and Endpoint Protection operations per
collection. You also can use the following default
alerts that are available in Configuration Manager:
• Database replication component failed to run.

Occurs when the database replication
component is unable to replicate data
between sites.
• Low sideloading activations. Occurs when there are less than 10 activations available for a sideloading
key.
• Warning low free space alert for database on site. Occurs when the amount of free space in the
database is less than 10 GB.
• Critical low free space alert for database on site. Occurs when the amount of free space in the
database is less than 5 GB.
Note: You can change the thresholds for existing alerts.
The following table lists the events for which you can create alerts.
Alert Events
Client health alerts • Client check pass or no results for active clients falls below threshold
• Client remediation success falls below the threshold
• Client activity falls below threshold
Endpoint protection alerts • Malware is detected

• The same type of malware is detected on a number of computers
• The same type of malware is repeatedly detected within the
specified interval on a computer
• Multiple types of malware are detected on the same computer with
the specified interval
Alert Events
Site server alerts • Deployments

• Database replication
• Database (drive capacity)
• Low sideloading activations (Windows 8)
Site system alerts • Software update point

• Management point
You can view alerts in the Configuration Manager console, or you can subscribe to alerts, so that you can
receive them by email. To receive alerts by email, you must:
1. Configure alert email settings.

2. Configure alerts.
3. Subscribe to existing alerts.
Demonstration: View and Monitor Site Status

In this demonstration, you will see how to:
• View site status.
• Configure email settings for alerts.
• Configure collection alerts.

• Subscribe to alerts.
Demonstration Steps
1. Find all status messages with an ID of 5103 for the management point component.
2. Configure the site to use LON-CFG as a Simple Mail Transfer Protocol (SMTP) server for alert
subscriptions.
3. Configure an alert to generate when client activity falls below 70 percent for the All Systems device
collection.
4. Subscribe to the newly created alert.

Lab B: Performing Post-Setup Configuration Tasks

Scenario
You have installed a System Center 2012 Configuration Manager stand-alone primary site in the lab
environment.
You need to validate the installation and perform the initial site configuration.
Objectives
After completing this lab, you will be able to:
• Validate the installation of the Configuration Manager primary site.

• Perform the initial configuration of the primary site.
Lab Setup
Virtual Machines 10748C-LON-DC1-A

10748C-LON-CFG-A
Password Pa$$w0rd
For this lab, you use the available virtual machine environment. Before you begin the lab, you must ensure
the following virtual machines are still running:
• 10748C-LON-DC1-A
• 10748C-LON-CFG-A
Exercise 1: Validating the Installation of the Primary Site

Scenario
You need to examine the Site Status and Component Status nodes and review any error messages related
to the installations. You also need to view the installation logs that the Prerequisite Checker and
Configuration Manager setup create.
1. View the Site Status and Component Status.

2. View the status messages that pertain to the Configuration Manager 2012 installation.
3. View the installation logs.
 Task 1: View the Site Status and Component Status

1. On LON-CFG, start the Configuration Manager Console.
2. In the Configuration Manager console, in the Monitoring workspace, under the System Status
\Site Status node, view the status of each site system role.
3. In the Component Status node, view the status of each component.

 Task 2: View the status messages that pertain to the Configuration Manager 2012
installation
1. Select the Site Status node, and then in the results pane, select Site server.
2. On the ribbon, click the Show Messages button, and then click All.
3. In the Status Messages: Set Viewing Period dialog box, accept the defaults, and then click OK.
4. In the Configuration Manager Status Message Viewer for <LON> <Adatum Site>, double-click
on any message, and then review the details of the status message. Use the Next and Previous
buttons to view additional status messages, and then close the Status Message Details dialog box.
5. Close the Configuration Manager Status Message Viewer window.
 Task 3: View the installation logs

1. On LON-CFG, open File Explorer.
2. Navigate to drive C, and then open the ConfigMgrPrereq.log file located in the root folder. Review
the file, note any errors or warnings reported by Prerequisite Checker, and then close the log file.
3. Open the ConfigMgrSetup.log file. Review the file, note any errors or warnings reported by Setup,
and then close the log file.
Note: The root folder also stores the ConfigMgrSetupWizard.log. If you installed the
console, you should see ConfigMgrAdminUISetup.log.
Results: At the end of this exercise, you will have validated the installation of System Center 2012
Exercise 2: Performing the Initial Configuration of the Primary Site

Scenario
You need to configure Active Directory Forest Discovery to create boundaries from the AD DS sites. Begin
by creating a new AD DS site in Active Directory Sites and Services, and then configure Active Directory
Forest Discovery in the Configuration Manager console.
Next, you will install new site system roles, such as Fallback Status Point and Reporting Services Point, and
then configure the management and distribution points.
1. Configure the London Active Directory site.
2. Configure Active Directory Forest Discovery to create a new boundary from the Active Directory site.
3. Configure a boundary group, and include the new boundary.
4. Install additional site system roles: the Fallback Status Point and Reporting Services Point.
5. Configure the management and distribution points.
6. To prepare for the next module.

 Task 1: Configure the London Active Directory site

1. On LON-DC1, start the Active Directory Sites and Services console.
2. In the Active Directory Sites and Services console, under the Sites node, rename the Default-First-
Site-Name site to London (without a space).
3. Under the Subnets node, create a subnet for 172.16.0.0/16, and then assign it to the London site.
 Task 2: Configure Active Directory Forest Discovery to create a new boundary from
the Active Directory site
1. On LON-CFG, in the Configuration Manager console, in the Administration workspace, expand
Hierarchy Configuration, and then select Discovery Methods.
2. In the results pane, access the properties for Active Directory Forest Discovery and select the
Enable Active Directory Forest Discovery, and the Automatically create Active Directory site
boundaries when they are discovered check boxes.
3. In in the Configuration Manager console, under the Active Directory Forests node, access the
Properties of Adatum.com. Review the settings, and then close the dialog box.
4. Under the Boundaries node, access the Properties of the London boundary. Review the settings,
and then close the dialog box. You may need to refresh the console to see the London boundary.
 Task 3: Configure a boundary group, and include the new boundary

1. In the Configuration Manager console, select the Boundary Groups node, and then on the ribbon,
click Create Boundary Group.
2. Create a boundary group with the following settings:
o Name of the boundary group: London Clients

o Add the London boundary imported by Active Directory Forest Discovery.
o On the References tab, select the option Use this boundary group for site assignment.
o Add \\LON-CFG.Adatum.com as the site system server for content location.
 Task 4: Install additional site system roles: the Fallback Status Point and Reporting
Services Point
1. In in the Configuration Manager console, under Site Configuration, select the Servers and Site
System Roles node.
2. Select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and then click Add Site
System Roles.
3. In the Add Site System Roles Wizard, use the following settings to install the site system roles:
o On the General page, verify that the Name for the site server is LON-CFG.Adatum.com.
o On the System Role Selection page, select Fallback status point and Reporting services
point.
o On the Fallback Status Point page, accept the default settings.
o On the Reporting Services Point page, use the Verify button to validate access to database.
o Under User name click Set, New Account, and then specify the following credentials:
 User name: ADATUM\Administrator
 Password: Pa$$w0rd
 Confirm password: Pa$$w0rd
4. Complete the wizard, by accepting the default settings.
 Task 5: Configure the management and distribution points

1. In the Configuration Manager console, select \\LON-CFG.Adatum.com.
3. Select the option Generate alert when the management point is not healthy, and then close the
dialog box.
4. In the preview pane, access the Properties for the Distribution point.
5. On the Boundary Groups tab, verify that the London Clients boundary group you created
previously appears in the list, and then close the dialog box.
 Task 6: To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748C-LON-DC1-A, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CFG-A.
Results: At the end of this exercise, you will have performed the initial configuration of a System Center
2012 Configuration Manager stand-alone primary site.
Question: Which logs can you use to validate an installation?
Question: What are status summarizers?
Question: When you can have overlapping boundaries for multiple boundary groups?

Review Questions
Question: What site system roles can you configure during setup of a stand-alone primary
site?
Question: What tools can you use to troubleshoot Configuration Manager?
Tools
The tools in the following table are useful during the Configuration Manager 2012 deployment process.
Tool Use for Where to find it
Prerequisite Checker Validating the prerequisites for the On the installation media
Configuration Manager site server
and roles installation
Setup Downloader Downloading the client prerequisites On the installation media
Configuration Manager Viewing the logs in an interactive On the installation media

Trace mode, searching and filtering
3-1
Module 3
Planning and Configuring Role-Based Administration
Contents:
Module Overview 3-1
Lesson 1: Overview of Role-Based Administration 3-2
Lesson 2: Identifying IT Roles in Your Organization 3-10

Lesson 3: Configuring Role-Based Administration 3-16
Lab: Planning and Configuring Role-Based Administration 3-19

Module Overview
Microsoft® System Center 2012 Configuration Manager and System Center 2012 R2 Configuration
Manager implement role-based access control (RBAC). With RBAC, you can use security roles, security
scopes, and collections to define access permissions for your administrative users.
This module shows you how to customize the security roles and scopes to match your specific
organizational requirements.
Objectives
• Describe role-based administration concepts.
• Describe the process of identifying a typical information technology (IT) department’s job roles and
identify its responsibilities and activities.
• Describe the process for creating new security roles and configuring scopes in Configuration Manager
2012 and System Center 2012 R2 Configuration Manager.
3-2 Planning and Configuring Role-Based Administration
Lesson 1
Overview of Role-Based Administration
You can use role-based administration in Configuration Manager to centrally define security settings
and to delegate administrative tasks to users or groups. You can assign an administrative user one or
more security roles that represent a set of administration tasks. The security role includes all permissions
necessary to complete the tasks that relate to the role. For example, you can assign the Application
Deployment Manager security role to a user who will manage application deployments. This role
automatically grants permissions to deploy applications to computer devices or users.
You can further define the objects that a security role can administer, thereby limiting administrative
access to specific collections and security scopes. You can use a security scope to associate specific objects
with one or more administrative users. For example, you can give an administrator permission to deploy
only specific applications by associating those applications with a security scope, instead of permissions to
deploy all applications.
Administrative users can see only the objects that they have permission to manage, which the security
role, security scope, and collection define.
You can use the built-in security roles and scopes, or you can create your own custom security settings to
use throughout the hierarchy. When you create administrative users, you configure and replicate security
assignments throughout the central administration site and the hierarchy’s primary sites.
Lesson Objectives
• Explain the benefits of role-based administration.
• Describe the functionality of security roles.

• Describe Configuration Manager’s built-in roles.
• Describe security scopes.
• Describe collections.
• Describe planning role-based administration.
Benefits of Role-Based Administration

The benefit of role-based administration is
that it allows organizations to be specific when
granting privileges to users who need to perform
tasks. Rather than assign a general role that
allows a user to perform many tasks across the
Configuration Manager deployment, you can use
role-based administration to grant users specific
privileges over specific securable objects. For
example, you can give a user the ability to deploy
specific apps to specific device collections, rather
than a more general permission to deploy any
app to any device collection.
In Configuration Manager, you manage role-based administration by creating administrative users. An

administrative user includes an Active Directory® Domain Services (AD DS) user or group account, one or
more security roles, one or more security scopes, and collections as necessary. The best practice is to
create an administrative user by specifying an AD DS security group. Then you can assign AD DS user
accounts to security group by adding the accounts to the associated AD DS security group. Security roles
are collections of permissions to perform administrative tasks. Security scopes are groups of securable
objects.
Role-based administration helps ensure that a user who connects by using the Configuration Manager
console or Windows PowerShell® can view and modify only those Configuration Manager objects that the
user has permission to manage. This reduces the chance that a user can perform unauthorized actions.
Role-based administration also simplifies the auditing of administrative actions, making it easier to
determine who performed a particular administrative task.
Security Roles
A security role is a group of permissions that are
necessary for performing specific administrative
tasks. The role consists of individual permissions
for each object type that an administrative user is
allowed to manage.
For example, the Application Administrator role

has a cumulative set of permissions that define
its security role. This role consists of a set of
individual permissions to manage a variety of
objects, including the following permissions for
application objects:
• Approve
• Create
• Delete
• Modify
• Modify Folder
• Move Object
• Read
• Modify Report
• Set Security Scope
You can use scopes and collections to limit access by administrative users to individual object instances
because the roles themselves do not specify user permissions for individual objects.
Configuration Manager includes 15 built-in roles that include permissions for executing typical tasks on
different types of objects.
You cannot modify or delete the built-in roles, but you can create custom roles to match special
administrative requirements.
Question: What are security roles?

Built-In Roles
Configuration Manager includes the 15 built-in
security roles that the following table lists. Each
role gives specific permissions to an administrative
user to perform actions on certain types of
objects.
Security role Description
Application Grants permissions:

Administrator • That both the Application Author and Application Deployment Manager
roles include.
• To manage queries, read site settings, manage collections, and manage
settings for user device affinity.
• To manage Microsoft Application Virtualization (App-V) virtual
environments.
Application Author Grants permissions to:

• Create, modify, and retire applications.
• Manage packages and programs, and manage alerts for the
applications.
• Manage App-V virtual environments.
Application Deployment Grants permissions to:

Manager • View applications and manage deployments, alerts, templates,
packages, and programs.
• View collections and their members, status messages, queries, and
conditional delivery rules.
Asset Manager Grants permissions to manage hardware and software inventory, software
metering, the Asset Intelligence sync point, and the Asset Intelligence
reporting classes.
Company Resource Grants permissions to create, deploy, and manage company resource
Access Manager access profiles such as virtual private network (VPN), Wi-Fi, and certificate
profiles to users and devices.
Compliance Settings Grants permissions to:

Manager • Create, modify, and delete configuration items and configuration
baselines.
• Deploy configuration baselines to collections, initiate compliance
evaluation, and initiate remediation.
Security role Description
Endpoint Protection Grants permissions to perform tasks that are necessary to administer
Manager Endpoint Protection in Configuration Manager, including creating and
deploying Endpoint Protection policies, alerts, and reports.
Full Administrator Grants all permissions in Configuration Manager. The user who creates a
new Configuration Manager installation is associated with this security role
automatically.
Infrastructure Grants permissions to:

Administrator • Create, delete, and modify the Configuration Manager server
infrastructure.
• Perform migration tasks.
Operating System Grants permissions to:

Deployment Manager • Manage operating-system installation packages, images, task
sequences, drivers, boot images, and state migration settings.
• Create and deploy operating-system images to computers.
Operations Grants permissions for all actions in Configuration Manager, with the
Administrator exception of managing security of administrative users, security roles,
security scopes, and collections.
Read-only Analyst Grants Read permissions to all Configuration Manager objects.
Remote Tools Operator Grants permissions to run the out-of-band management console, remote
control, Windows Remote Assistance, and Remote Desktop Services.
Security Administrator Grants permissions to add and remove administrative users and to
associate those administrative users with security roles, security scopes,
and collections.
Software Update Grants permissions to manage collections, software update groups,

Manager deployments, and templates.
Custom Security Roles

If a user performs tasks that relate to multiple roles, you can perform one of the following options:
• Add multiple security roles to the administrative user, as necessary.
• Create a custom security role that specifies the required permissions.

To create a custom security role, right-click an existing role, and then click Copy. Provide a new name, and
customize the permissions for the new security role.
Question: Which security role does Configuration Manager assign to you when you first install it?
Security Scopes
You can assign a securable object to one or more
security scopes, and then assign appropriate
security scopes to administrative users. This
enables you to specify the objects that the users
can view and manage within the Configuration
Manager console. When you create an
administrative user, you must assign at least one
security scope to provide administrative access to
objects. Configuration Manager contains two
built-in security scopes:
• All. Contains all securable objects. You cannot

modify or delete this scope.
• Default. Enables you to associate securable objects.

Security scopes determine the securable objects that an administrative user can view and manage.
Securable objects include:
• Boundary groups
• Applications, packages, and deployments

• Boot images and operating-system images
• Task sequences
• Queries
• Sites
• Custom client settings
• Distribution points and distribution-point groups

• Software-update groups
• Software-metering rules
• Configuration items and configuration baselines
Creating Security Scopes

You can create custom security scopes to help control access to specific instances of securable objects. For
example, you can create one security scope for desktop administrators and another security scope for
server administrators. You then can associate specific applications with the appropriate security scope,
based on administrative requirements. This enables desktop administrators to view and manage only
applications that relate to their administrative role. Additionally, server administrators can view and
manage only applications that relate to their tasks.
To create a custom security scope, perform the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. Expand the Security node, and then click Security Scopes. The results pane displays all of the scopes
created for the hierarchy.
3. Right-click Security Scopes, and then click Create Security Scope.

4. Type a security scope name, and then assign administrative users as necessary.
To associate a security scope with an object, right-click one or more securable objects, and then click Set
Security Scopes. You then can select the security scopes that you want to associate with the specific
object.
Note: Computer and user objects are not assigned to scopes. Collections limit
administrative permissions to sets of computer or user objects. However, you can assign
collection objects to scopes.
Question: What is the purpose of the All security scope?
Collections
You can use collections to implement security
for user and computer objects separately from
other securable objects in Configuration Manager.
Administrative users must have collections
assigned to them to be able to manage the user
or device objects that those collections include.
The security roles that you assign to administrative

users limit the level of management that those
users have over those objects.
Collection rules determine membership in each
collection. There are four types of collection rules:
• Direct. Members are specified directly.

• Query. Members are determined by running a query against the Configuration Manager database.
The query is evaluated at each site.
• Include. Members are determined by specifying members of other collections to include.

• Exclude. Members are determined by specifying members of other collections to exclude.
If you assign either of the following built-in, read-only root collections to an administrative user, they
have administrative rights to all users and devices in the hierarchy:
• All Systems. This collection contains all devices discovered in a Configuration Manager hierarchy.
• All Users and User Groups. This collection contains all discovered users and user groups.
For example, consider the following scenario:
• The All Users and User Groups collection has 1,000 users.
• The All Systems collection has 1,000 computers.
• The Toronto Users collection contains only 20 users.
• The Toronto Systems collection contains only 20 systems.

You assign only the Toronto-based collections to a user. When the user opens the Configuration Manager
console, the following are visible:
• The 20 users from the Toronto Users collection

• The 20 systems from the Toronto Systems collection
• The Toronto-based collections assigned to the user

If you assign a user a security role that allows creating collections, the user can create new collections
where the limiting collection is one of the Toronto-based collections. The members of the new collections,
therefore, are a subset of one of the Toronto-based collections to which the user has been assigned a
security role.
Planning Role-Based Administration

Configuring role-based administration requires
careful consideration. When you plan to add an
administrative user, you must consider the security
roles, security scopes, and collections.
When planning security configuration, consider

the following factors:
• Security roles control what you allow an
administrative user to do.
• Security scopes control the securable

Configuration Manager objects that the
administrative user can administer.
• Collections control the users and devices that an administrative user can manage.
• You must assign an administrative user to at least one security scope.
• You can map each administrative user to separate security scopes and collections.
Question: How would you plan security roles, security scopes, and collections for a scenario in which you
are managing a remote location with local administrative users who:
• Need to be able to deploy applications, create collections for their users and devices, and run queries
and reports about their users.
• Should not be able to manage software updates for their location.

• Must be limited to managing users and devices in their location.
Discussion: Planning Role-Based Administration

Consider the following scenario: You are the
administrator for A. Datum Corporation. You need
to plan administrative permissions for application
administrators who are in London and Toronto.
London application administrators should be

able to:
• Configure applications used in London and
Toronto.
• Deploy applications to desktop computers
and users who are based in London and
Toronto.
Toronto application administrators should be able to:
• Deploy applications to desktop computers and users based in Toronto.
You need to plan for security roles, security scopes, and collections. Assume that corresponding security
groups in AD DS exist.
Activity: Describe Roles, Security Scopes, and Collections

Use the following table or a separate piece of notepaper to describe the roles you would use and the
security scopes and collections that you need to create.
Security group Security role Security scopes Collections
London Admins
Toronto Admins
Lesson 2
Identifying IT Roles in Your Organization
Organizations can have a variety of IT department structures with diverse sets of roles and responsibilities.
Role-based administration accommodates the various security models that organizations might use.
This lesson examines the process of identifying the roles and responsibilities in an IT department, and it
explores the process of matching those roles and responsibilities to the security roles that Configuration
Manager includes.
Lesson Objectives
• Describe a typical IT department’s structure.

• Identify IT roles and responsibilities.
• Identify administrative scopes.
• Identify the need for custom collections.

• Match to existing built-in roles in Configuration Manager.
• Identify the need for additional roles.
• Discuss identifying roles, activities, and scopes.
Identifying an IT Department’s Structure

The first step in designing the security model for
your Configuration Manager implementation is to
identify the specific job roles and responsibilities
in your organization’s IT department and how
those job roles are structured.
For example, IT roles might include, but are not

limited to, the following:
• An IT manager, who manages the enterprise’s
IT operations activities.
• Application administrators, who create

application packages, perform and monitor
the application deployments, and configure content distribution on the infrastructure.
• Server administrators, who manage the server infrastructure of a Configuration Manager site.
• Desktop administrators and server administrators, who administer the desktops, deploy software
updates, and deploy operating systems.
• Helpdesk personnel, who provide support to users.
• Security and audit personnel, who administer security and perform audits, such as software-update
compliance audits.
• Asset management personnel, who perform asset inventory for hardware and software.
Note: The roles in the list above are examples only. The actual roles that your organization
uses may vary.
Question: Who is responsible for performing the software updates on desktops?
Question: Who is responsible for tracking the use of administrative privileges?
Question: Who is responsible for managing hardware and software inventory?
Identifying Job Roles and Responsibilities

What tasks do you want administrative users to
perform? This is the primary question that you
should ask yourself when you are determining
your organization’s roles and responsibilities.
After identifying the job roles in your IT
organization, you need to determine how the
built-in roles in Configuration Manager map
to the specific tasks that each job role in your
organization performs. These tasks might relate
to one or more groups of management activities,
• Deploying applications and packages.

• Deploying operating systems.
• Deploying settings for compliance.
• Configuring sites and security.

• Auditing.
• Remotely controlling computers.
• Analyzing the inventory data and creating reports.

When designing your model of security roles, you must:
• Determine whether the Configuration Manager built-in roles allow you to perform the actions on
specific objects that each job role requires.
• Determine whether your organization has any regulatory or policy requirements.

• Discover any internal processes that might affect actions that each role needs. To do this, you can
adapt the security model to comply with your processes, or you can use the Configuration Manager
implementation as an opportunity to re-engineer and rationalize your internal processes.
Question: What is the next step you should take after identifying your organization’s roles?
Identifying Administrative Scopes

What is the best way to limit access to object
instances? You should answer this primary
question when you are determining whether
you need to create scopes. You can determine
whether to use security scopes by examining:
• The size of your organization.
• How your organization manages resources.
• The number of administrative teams your

organization has.
Some small-to-medium organizations may not

require security scopes. Administrative users then
have access to all objects, dependent only on the permissions included in the associated roles. This is
more important in single primary-site implementation scenarios than in multiple-site hierarchies.
Typically, enterprise organizations that decide to implement a complex hierarchy are interested in
defining security scopes to limit administrative access.
To determine whether you need to use security scopes in your organization, first determine whether you
need to:
• Make some objects available to select administrative users.
• Manage some objects individually, but manage other objects in groups.
• Implement approval or deployment processes that your organization uses.

• Specify which administrative users will manage individual instances of objects.
Question: How can you determine whether you need to create custom scopes?
Identifying the Need for Custom Collections

You can use custom collections to limit
administrative access to specific instances of user
and device objects. When you determine which
custom collections to create, consider which user
and computer resources each administrative user
should manage.
When determining the custom collections that

you need to create to limit administrative scope,
you can identify existing segmentation criteria for
your organization’s users and devices, including
the:
• Internal structure of your organization, such

as departments.
• Users and devices in the same geographic area as your organization.
• Numbers of servers versus desktops that your organization has.
• Unique characteristics of managed devices or users.

• Groups with special security requirements.
• Business processes that require different resource collections.
If different administrative users need to manage users and devices in each of these segments, then you
should create custom collections.
Note: Collections are discussed in more detail in Module 2, “Discovering and Organizing
Resources” in course 10747D: Administering System Center 2012 R2 Configuration Manager.
Question: How can you determine whether you need to create custom collections?
Mapping to Existing Built-in Roles in Configuration Manager

To better adapt the Configuration Manager
security model to your organization, compare the
job roles and responsibilities in your organization
with the built-in Configuration Manager security
roles. You then can match your IT functions with
the Configuration Manager security roles as
closely as possible.
You can analyze tasks that each administrative
user performs to help identify the corresponding
security role in Configuration Manager.
If some administrative users perform tasks that

multiple Configuration Manager security roles
define, you should directly assign these multiple security roles to these administrative users, rather than
create a new security role that combines all of the tasks. If instead you create a new security role that
combines all tasks, you could inadvertently grant some administrative users additional permissions to
perform tasks that you do not want them to perform.
If different administrative users are performing tasks that the same built-in Configuration Manager role
includes, then you may consider:
• Segregating the tasks by creating separate custom security roles.
• Using one built-in role for users, and using scopes or collections to limit user access to objects.
For example, say one administrative user in your organization performs application deployments on
desktops, while another administrative user performs application deployments on servers. You can assign
the Application Deployment Manager role to both users, and then limit their access to objects by:
• Placing different objects in scopes to which you give the administrative users permission.
• Using collections to limit their access to desktops and servers, respectively.
For example, you might try to map the typical IT department to the built-in Configuration Manager
security roles, which the following table describes.
IT role Possible Configuration Manager security role mappings
IT Manager Full Administrator None
Application Administrators Application Administrator None

IT role Possible Configuration Manager security role mappings
Server Administrators Infrastructure Administrator Operations Administrator
Desktop Administrators OS Deployment Manager Software Update Manager
Helpdesk Endpoint Protection Manager Remote Tools Operator
Security and Audit Security Administrator Compliance Settings Manager
Asset Management Asset Manager Read-only Analyst
Note: In some organizations, a desktop administrator may perform the same tasks that
the Endpoint Protection Manager role performs. However, in other organizations, a security
administrator may perform these tasks.
Question: Which job role in your organization is performing the tasks that the Endpoint Protection
Manager role specifies?
Identifying the Need for Additional Roles

In most cases, the built-in Configuration
Manager roles satisfy an organization’s needs
with respect to security roles. If the tasks that the
organizational roles you identify do not map to
the actions of the built-in security roles, you need
to create new security roles.
You do not need to create new security roles

if you need to limit access only for some
administrative users to specific resources. Instead,
you can create custom scopes and custom
collections to address that issue.
Test any new security role by running the console
as the new administrative user that you have assigned to that role. This enables you to verify that the user
has access to the appropriate objects and corresponding permissions.
Each administrative user in Configuration Manager is associated with one or more of the following:
• Security roles that provide permissions to perform specific tasks on various types of objects.
• Security scopes that might limit administrative access to specific object instances.
• User or device collections that might limit administrative access to specific user or device resources.
Note: When you associate multiple administrative users with multiple security scopes, you
are granting that administrative user access to all object instances from each assigned scope. That
administrative user can perform all actions that their associated roles permit, to all the object
instances associated with the assigned scopes. In other words, scopes are cumulative.
Discussion: Planning for Custom Roles, Scopes, and Collections

Consider the following scenario: You are the
administrator for A. Datum. You need to plan
for custom roles, scopes, and collections for the
administrative users who are based in London and
Toronto.
The administrative users in London must be

able to:
• Create and deploy applications to London
users, desktops, and servers.
• Manage software updates on servers and

desktops in all locations.
• Manage anti-malware protection on servers and desktops in all locations.
• Manage content on the distribution points in all locations.

The administrative users in Toronto must be able to:
• Create and deploy applications to Toronto users and desktops.
• Manage content on the Toronto distribution points.
Activity: Create Custom Roles, Scopes, and Collections

Fill in the following table (or use notepaper), providing the names and details (such as permissions) of
the custom roles, scopes, and collections that you need to create to fulfill the criteria that you listed
previously. Assume that the corresponding security groups in AD DS exist.
Names of new roles, scopes, and

Details
collections
Custom roles
Custom scopes
Custom collections
Activity: Describe the Proposed Configuration

Fill in the following table with descriptions of your proposed configuration for roles, security scopes, and
collections.
Security group Security roles Security scopes Collections
London Admins
Toronto Admins
Review Questions
Question: When would you need to create custom roles in a Configuration Manager implementation?
Question: When would you need to create custom scopes in a Configuration Manager implementation?
Question: When would you need to create custom collections in a Configuration Manager
implementation?
Lesson 3
Configuring Role-Based Administration
After determining the security roles that your organization uses, the next step in securing your
Configuration Manager environment is to implement those roles in Configuration Manager. Depending
on your requirements, you may need to create custom security roles and scopes.
This lesson examines the process of creating custom security roles and scopes. Additionally, this lesson
covers how to associate administrative users with roles, scopes, and collections.
Lesson Objectives
• Describe the process for creating custom security roles.

• Describe the process for creating custom security scopes.
• Describe the process for adding administrative users to the security roles.
Creating Custom Security Roles

To create a custom security role in System Center
2012 Configuration Manager or System Center
2012 R2 Configuration Manager, you should make
a copy of an existing role that is the closest match
to your desired set of actions. You then must
modify the copy to meet your specific
requirements.
To create a custom security role, perform the

following procedure:
1. Select an existing role and click Copy on the
ribbon.
2. Specify the name and description for the new security role.
3. You can specify individual permissions in the Customize the permissions for this copy of the security
role area by expanding each object type and then clicking Yes or No next to each individual
permission.
Because security roles are global data, any custom security roles that you create will be replicated to all of
the sites in your Configuration Manager hierarchy.
You can export your custom security role configurations by clicking the Export Security Role button on
the ribbon. Then the role definition is saved as an XML file that you can import into another Configuration
Manager environment or use to restore permissions after a site recovery.
Question: How can you create a custom security role?
Creating Custom Security Scopes

To limit access for administrative users to specific
instances of objects, you need to create a custom
security scope. You then can associate objects
with the new scope.
Create a Custom Security Scope

To create a custom security scope in
Configuration Manager, perform the following
procedure:
1. In the Configuration Manager console, select

the Administration workspace.
2. In the navigation pane, expand the Security
node, and then click the Security Scopes node.
3. Click the Create Security Scope button on the ribbon.

4. Type a name and a description, and then click OK.
Associate Objects with the Scope

After you create the custom security scope, you can associate objects with the scope by selecting the
objects, and then clicking the Set Security Scope button on the ribbon.
Because you can associate objects with multiple security scopes, administrative users may also obtain
permissions to manage specific objects when you assign them multiple security scopes. The effective
permissions they have on the objects depend on their associated security roles.
Question: How can you associate an object with a security scope?
Adding Administrative Users

The last step in configuring role-based
administration is to associate administrative users
and groups to the Configuration Manager security
roles, scopes, and collections.
To add an administrative user or group, perform

the following procedure:
1. In the Configuration Manager console, select

2. In the navigation pane, expand the Security

node, and then click Administrative Users.
3. On the ribbon, click the Add User or Group

button.
4. Next to User or group name, click the Browse button to select the user or group from AD DS.
5. To associate one or more Configuration Manager roles with the administrative user or group, under
Assigned security roles, click the Add button, and then select the role.
6. In the Assigned security scopes and collections area, select one of the following options:
o All instances of the objects that are related to the assigned security roles. This option
associates the administrative user with:
 The All security scope.
 The root-level built-in collections for All Systems, and All Users and User Groups.
 Choosing the All instances of the objects that are related to the assigned security roles
option defines access to objects only by the security roles assigned to the user. Use this
approach sparingly because it enables users to manage all objects. You can use the principle
of least privilege by limiting users’ access to objects with security scopes and collections.
o Only the instances of objects that are assigned to the specified security scopes or
collections. Use this option to associate individual scopes and collections with the administrative
user or group.
A best practice is to use groups when you need to assign the same security roles, scopes, and collections
to multiple administrative users, rather than adding each administrative user to a role individually.
All securable objects in Configuration Manager are associated by design with the All built-in security
scope. Administrative users who you associate with this scope can manage all objects in Configuration
Manager. Their only management limitations are by the permissions assigned to their associated security
roles. You can limit administrative users’ access to specific instances of objects by removing the All scope
and adding more specific scopes. Similarly, if you want to limit administrative users’ access to specific user
and group resources, you must remove the All Systems and All Users and User Groups collections from
the list, and then add more restrictive collections.
Question: How do administrative users obtain permissions to individual object instances in Configuration
Manager?
Demonstration: Creating New Roles and Scopes

In this demonstration, you will see how to create a custom security role and a custom security scope.
Demonstration Steps
1. In the Configuration Manager console, in the Administration workspace, under the Security node,
select Security Roles.
2. Select an existing security role, such as the Application Administrator, to use as the source for the
new security role, and then on the ribbon, click Copy.
3. In the Copy Security Role dialog box, perform the following configurations:
o In the Name box, type a name for the new custom security role.
o Under Permissions, expand each node to display the existing permission settings, click the drop-
down list next to the setting, and then select either Yes or No.
4. To save the new security role, click OK.
5. In the Configuration Manager console, in the Administration workspace, under the Security node,
select Security Scopes.
6. On the ribbon, click Create Security Scope.
7. In the Create Security Scope dialog box, type a name for the new security scope.
8. To save the new security scope, click OK.

Lab: Planning and Configuring Role-Based Administration

Scenario
You are the network administrator for A. Datum. You are reviewing role-based administration, and you
want to limit the scope of tasks that application administrators from different branch offices can perform.
Objectives
Objectives covered in the lab:
• Review built-in roles.
• Create new roles and scopes.
• Test the new roles by using a different user account.
Lab Setup
Virtual machines 10748C-LON-DC1-B

10748C-LON-CFG-B
User name Adatum\Administrator
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10748C-LON-DC1-B, and then in the Actions pane, click Start.
4. Sign in by using the following credentials:
o Domain: Adatum
5. Repeat steps 2 through 4 for 10748C-LON-CFG-B.
Exercise 1: Reviewing Built-in Security Roles and Scopes

Scenario
As the network administrator for A. Datum, you have completed the proof-of-concept deployment in
your lab environment. Now, you must evaluate the role-based administration features by reviewing the
built-in Configuration Manager security roles and scopes.
1. Review the default security roles and scopes.
2. Review the default permissions for a security role.

 Task 1: Review the default security roles and scopes

1. On LON-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, expand the Security node,
and then click the Security Roles node.
3. Review the list of roles available in the results pane. Note that there are 15 built-in roles.
4. Under the Security Scopes node, review the list of scopes available in the results pane. Note there
are two built-in scopes: All and Default.
5. Under the Administrative Users node, select ADATUM\Administrator, and then review the
information in the preview pane. By default, the user who performed the Configuration Manager
setup is assigned the Full Administrator role, the All security scope, and the All Systems and All
Users and User Groups collections.
 Task 2: Review the default permissions for a security role

1. In the Configuration Manager console, under the Security Roles node, access the Properties for the
Application Administrator role.
2. In the Application Administrator Properties dialog box:
• On the General tab, examine the role description.
• On the Administrative Users tab, note there are no users associated with this role. Additionally,
note that you cannot add users from this property window.
• On the Permissions tab, examine the permissions associated with this role. Expand each
category, and then review the individual permissions. Note that you cannot modify the
permissions for built-in roles.
3. Close the Application Administrator Properties dialog box.
Results: By the end of this exercise, you should have reviewed the built-in roles, including their associated
permissions, and the built-in security scopes.
Exercise 2: Creating Custom Security Roles and Scopes

Scenario
You have reviewed the built-in security roles, and you need to create custom security roles, security
scopes, and custom collections. Additionally, you need to test the functionality in the lab.

1. Create a new user and group for application administrators, and then add the user to the group.
2. Create a custom scope for the London application administrators.
3. Create a custom collection.
4. Create a custom security role for application administrators.
5. Add a new group of administrative users, and then assign a custom role and a custom scope.
 Task 1: Create a new user and group for application administrators, and then add the
user to the group
1. On LON-DC1, start the Active Directory Users and Computers console.
2. In the Active Directory Users and Computers console, create a new user in the Users container, with
the following attributes:
o First name and User logon name: LondonAdmin
o Password and Confirm password: Pa$$w0rd
o Clear the User must change password at next logon check box.
3. In the Active Directory Users and Computers console, create a new group in the Users container,
named London Application Admins.
4. Access the properties of the London Application Admins group, and add the LondonAdmin user
account as a member.
 Task 2: Create a custom scope for the London application administrators

1. On LON-CFG, in the Configuration Manager console, in the Administration workspace, expand the
Security node, and then click the Security Scopes node.
2. On the ribbon, click Create Security Scope, and then create a security scope named London.
3. Under the Distribution Points node, select LON-CFG.ADATUM.COM, and then on the ribbon, click
Set Security Scopes.
4. Assign the London security scope to the distribution point.
Note: Do not remove the Default scope from the distribution point.
 Task 3: Create a custom collection

1. In the Configuration Manager console, in the Assets and Compliance workspace, click the Device
Collections node.
2. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts. Create a
device collection with the following attributes:
o Name: London Servers

o Limiting collection: All Systems
o Create a Direct Rule and search for System Resources with a name like LON%.
o Select LON-CFG as a direct member.
 Task 4: Create a custom security role for application administrators

1. In the Configuration Manager console, in the Administration workspace, expand the Security node,
and then click the Security Roles node.
2. Select Application Administrator, and then on the ribbon, click Copy.
3. In the Copy Security Role dialog box, use the following settings to create a new role:
o Name: Application and Update Administrator

o In the Permissions box, configure the following permissions by expanding each permission
group and selecting Yes next to each individual permission:
 All permissions under Software Update Group
 All permissions under Software Update Package
 All permissions under Software Updates
 Task 5: Add a new group of administrative users, and then assign a custom role and a
custom scope
1. In the Configuration Manager console, under the Security node, click the Administrative Users
node.
2. On the ribbon, click Add User or Group. Use the following information to configure the new
administrative group:
o Click Browse to select the London Application Admins group.
o Assign the Application and Update Administrator security role.
o Verify that the Only the instances of objects that are assigned to the specified scopes or
collections option is selected.
o Remove the existing collections and security scope.
o Add the London security scope.
o Add the London Servers collection by selecting Device Collections in the Select Collections
dialog box.
3. In the Configuration Manager console, click Adatum\London Application Admins, and then review
the information from the preview pane.
4. Close the Configuration Manager console.
Note: The users added to the London Application Admins group will have access only to
the Configuration Manager objects associated with the London scope and resources in the
London Servers collection.
Results: By the end of this exercise, you should have created a custom security scope, a custom collection,
and a custom security role.
Exercise 3: Testing the Permissions of the New Role

Scenario
You have created a custom security role, a security scope, and a custom collection, and you have assigned
them to an administrative user. You need to test the assigned permissions by logging in with the
administrative user.
1. Start the Configuration Manager console by using the London application administrator account.
2. Verify the permissions assigned to the new security role.

 Task 1: Start the Configuration Manager console by using the London application
administrator account
1. On LON-CFG, press the Shift key, and in the Start menu, right-click Configuration Manager
Console, and then select Run as a different user.
2. Use LondonAdmin with the password Pa$$w0rd as credentials for the Configuration Manager
console.
 Task 2: Verify the permissions assigned to the new security role

1. In the Configuration Manager console, in the Assets and Compliance workspace, under the Device
Collections node, verify that you can see only the London Servers collection.
2. Under the Devices node, verify that you can see only the resources associated to your collection.
3. In the Administration workspace, under the Distribution Points node, verify that you can see the
LON-CFG.ADATUM.COM server.
4. Under the Security node, verify that you do not have access to the Administrative Users, Security
Roles, or Security Scopes nodes.

following steps:
2. In the Virtual Machines list, right-click 10748C-LON-DC1-B, and then click Revert.
4. Repeat steps 2 and 3 for 10748C-LON-CFG-B.
Results: By the end of this exercise, you should have tested the new role permissions.
Question: What are the differences between the Application Administrator role and the
Software Update Manager role?
Question: What was the purpose of creating the Applications and Updates Administrator
custom role?
Question: What was the purpose of creating the London security scope?
Question: How did you assign permissions to administrators in London?


Review Questions
Question: Which built-in role is able to perform software updates?
Question: How can you assign multiple security permissions to an administrative user?
Question: How can you limit an administrative user’s access to specific instances of objects
and resources?
4-1
Module 4
Planning and Deploying a Multiple-Site Hierarchy
Contents:
Module Overview 4-1
Lesson 1: Planning a Configuration Manager 2012 Multiple-Site Hierarchy 4-2
Lesson 2: Deploying a Configuration Manager 2012 Site 4-9

Lesson 3: Deploying the Central Administration Site 4-16
Lab A: Installing a Site Hierarchy 4-23

Lesson 4: Deploying Primary Sites in a Hierarchy 4-26
Lab B: Verifying a Site Hierarchy 4-33
Lesson 5: Deploying Secondary Sites 4-37
Lab C: Installing a Secondary Site 4-41

Module Overview
You can implement a Microsoft® System Center 2012 Configuration Manager to accommodate the
requirements of a multiple-site hierarchy. For example, you can deploy to larger numbers of clients and
distributed administrative teams, and regulate the distribution of content.
In this module, you will review the criteria for installing a multiple-site hierarchy and learn about the
characteristics of the central administration site. You will also perform an installation of a multiple-site
hierarchy including the central administration site, multiple primary sites, and a secondary site.
Objectives
• Describe the Configuration Manager 2012 hierarchy model, types of sites, and when to use each site
type.
• Describe the role of the central administration site in a hierarchy.
• Install the central administration site.

• Install a primary site in an existing hierarchy.
• Install a secondary site.

4-2 Planning and Deploying a Multiple-Site Hierarchy
Lesson 1
Planning a Configuration Manager 2012 Multiple-Site
Hierarchy
The System Center 2012 Configuration Manager hierarchy model accommodates a large variety of
deployment scenarios. In addition, it is a simpler hierarchy model than the one presented in Configuration
Manager 2007.
In this lesson, you will review the following types of sites, which you can implement in Configuration
Manager:
• Central administration sites
• Multiple primary sites
• Multiple secondary sites

You will examine the criteria you will use to decide whether to implement a multiple-site hierarchy.
Lesson Objectives
• Describe the Configuration Manager 2012 hierarchy model.

• Describe the functionality of Configuration Manager 2012 sites, including the central administration
site, primary sites, and secondary sites.
• Describe alternatives to using secondary sites.

• Explain the typical considerations for implementing a multiple-site hierarchy.
• Plan a Configuration Manager hierarchy for a specific scenario.
Overview of the Configuration Manager 2012 Hierarchy Model

Global organizations can have multiple
administrative teams, varying administrative
requirements, and a large number of clients
distributed across multiple locations worldwide.
To accommodate these factors, you can
implement Configuration Manager 2012 in a
multiple-site hierarchy.
The Configuration Manager 2012 hierarchy model

has only three tiers:
• Central administration site. The central

administration site is located at the top
of the hierarchy. You use it to centralize
administration and reporting for the entire hierarchy. You can implement only one central
administration site in a hierarchy. Unlike primary sites, a Configuration Manager 2012 central
administration site cannot have clients assigned to it. In addition, a central administration site can
have only primary sites as child sites. Once installed, the central administration site name, site code,
and role cannot be changed.
• Primary site. Primary sites are located in the middle tier of the hierarchy. You use them to manage
clients directly. Primary sites in the Configuration Manager 2012 hierarchy serve the same purpose as
they do in Configuration Manager 2007. The major difference between primary sites in Configuration
Manager 2007 and Configuration Manager 2012 is the relationships they can have with other sites.
Unlike primary sites in Configuration Manager 2007, a primary site in Configuration Manager 2012
cannot be a child of another primary site; it can be a child of only the central administration site. A
primary site can have only secondary sites as child sites. Once you install them in a hierarchy, you
cannot change them to stand-alone primary sites.
• Secondary site. Secondary sites are located at the bottom tier of the hierarchy. Secondary sites are
optional and you can use them to manage the transfer of client data and deployments across low
bandwidth networks. A management point and a distribution point are installed automatically with
each secondary site. A secondary site can be a child site of only a primary site, not a central
Administrators in the central administration site can view and manage all the objects in the hierarchy and
can configure hierarchy-wide settings.
Beginning with System Center 2012 Configuration Manager Service Pack 1 (SP1), you can join an
existing stand-alone primary site to a hierarchy at the time when you install the central administration
site. You can migrate additional existing stand-alone primary sites into the new hierarchy. The central
administration site must be the first site in the hierarchy in System Center 2012 Configuration Manager
and older versions.
Overview of Configuration Manager Sites

Each type of Configuration Manager site brings
different functionality to a hierarchy.
Central Administration Site

A central administration site provides the
following functionality in a hierarchy:
• The ability to create a multisite hierarchy
• Centralized administration for all the sites in
the hierarchy
• Centralized reporting for all the sites in the

hierarchy
Primary Site
Primary sites provide the following functionality in a hierarchy:
• Increased number of clients that Configuration Manager 2012 can manage in the hierarchy
• Independent content management
• Traffic management for software deployments

Secondary Site
Secondary sites provide the following functionality:
• Management of the transfer of client data up the hierarchy across low bandwidth networks, without
the overhead of a primary site
• Management of the transfer of content down the hierarchy across low bandwidth networks, without
the overhead of a primary site
Alternatives to Using a Secondary Site

When you have clients in remote network
locations, rather than installing a secondary
site, you might want to consider more efficient
alternatives. Often, you can eliminate the need
for another site by configuring a distribution
point in the remote location or using Windows
BranchCache®.
Secondary Site
If you want to control upward network traffic
from remote clients to the primary site, you must
install a secondary site in the remote location.
When planning for installing a secondary site, you
should consider the following:
• You must use a computer running a supported version of a server operating system, such as Windows
Server® 2008 R2. You cannot install the secondary site role on desktop operating systems.
• You must locate the site database on the same server as the secondary site server. You can install any
supported Microsoft SQL Server® version. If you do not install SQL Server in advance, the setup
process installs Microsoft SQL Server 2012 Express.
• When you install a secondary site, the setup process automatically installs a management point and
distribution point on the site server.
• Secondary sites support only a limited number of Configuration Manager roles. The following roles
are supported:
o Distribution point. You can install additional distribution points in a secondary site. Each
secondary site supports up to 250 distribution points and each distribution point can support up
to 4,000 clients.
o Management point. You can have only a single management point in a secondary site and you
must install it on the secondary site server.
o Software update point. When data transfer across the network is slow, you can install a software
update point in a secondary site if you want to perform software update management in the
remote site.
o State migration point. When data transfer across the network is slow, you can install a state
migration point in a secondary site if you want to perform user state migration during operating
system deployment in the remote site.
Distribution Point
Depending on the number of clients and the available bandwidth for the network connection to a remote
physical location, you might find it more efficient to use a distribution point to support clients in a remote
location, instead of a secondary site. If any of the following conditions apply, you may want to consider
using a local distribution point:
• There is sufficient network bandwidth between locations to support management point

communications but insufficient network bandwidth to allow clients to download content. The client
uses Background Intelligent Transfer Service (BITS) when downloading content from distribution
points. However, even if the client uses BITS, the bandwidth may not be sufficient for the clients to
download content across a wide area network (WAN) link. In terms of content delivery, a distribution
point alone can be as effective as a secondary site with a distribution point.
• You want to use multicast to deploy operating systems to computers at the remote location. Multicast
functionality is built into the distribution point role. When planning to use multicast for deployment,
you only need to consider using a distribution point.
• You want to stream virtual applications to computers at the remote location. You can stream
applications from a distribution point.
BranchCache
BranchCache is a feature included in Windows Server 2008 R2 and newer operating systems. You use
BranchCache to distribute content using peer-to-peer technology. Typically, you use BranchCache with
clients that are connected to the distribution points via a high latency WAN connection. When one client
finishes downloading all of the content, the remaining clients in the remote location will copy the content
from a peer client. You can configure BranchCache settings on a deployment type, for applications, and
on the deployment, for a package.
To use BranchCache, the following requirements must be in place:

• You must configure at least one distribution point on a computer running Windows Server 2008 R2 or
a newer version in BranchCache distributed cache mode.
• Clients must run one of the following compatible operating systems configured in BranchCache
distributed cache mode:
o Windows Vista® Service Pack 2 (SP2) with KB960568 installed
o Windows® 7
o Windows Server 2008 with KB960568 installed
o Windows Server 2008 R2
o Windows 8
o Windows 8.1
o Windows Server 2012
o Windows Server 2012 R2

Considerations for Implementing Configuration Manager Sites

When deciding which implementation scenario
is most appropriate for your organization, you
need to consider a variety of factors. These factors
include the number and locations of clients, the
planned administration approach, availability of
bandwidth between locations, and server and
other infrastructure limitations.
Stand-Alone Primary Site

The stand-alone primary site implementation
scenario is most appropriate for your organization
if:
• There are no requirements for local administration of content.
• You have 100,000 clients or fewer.
Additional Secondary Sites

A secondary site includes a management point and a distribution point. You can install additional
secondary sites to:
• Offload the client communication from the primary site when clients are in a remote location and you
need to control network traffic both to and from the remote location. However, secondary sites do
not increase the number of clients that a primary site can support.
• Provide tiered content routing between secondary sites that have the same parent.
Alternative Content Management

You can use a distribution point or BranchCache configuration for a remote site to:
• Provide content locally in a remote location when you do not need to control the traffic from the
remote location to the parent location.
Multiple-Site Hierarchy
A multiple-site hierarchy is a more complex model to implement due to the additional servers and roles
included. Before deciding to create a multiple-site hierarchy, you must analyze your environment and
determine whether a stand-alone primary site can meet your requirements.
You should use the multiple-site hierarchy scenario if:
• You have more clients than a stand-alone primary site can manage. A stand-alone primary site can
support up to 100,000 clients. A multiple site hierarchy can support up to 400,000 clients.
• You have remote administrative teams that require local administration of their Configuration
Manager environment.
• You have 5,000 or more remote locations that you cannot accommodate by using a stand-alone
primary site and secondary sites.
• You are subject to export regulations on content.

Discussion: Planning Multiple Configuration Manager Sites
You are an infrastructure architect working for

A. Datum Corporation, an international financial
company with headquarters in New York. The
New York headquarters provides financial services
for customers in North America and Europe.
A. Datum has 150,000 workstations, distributed as
follows across North America and Europe:
• The central office is located in New York and

contains 50,000 clients.
• The regional office is located in Toronto and

contains 20,000 clients.
• A. Datum has 500 office locations across North America with a total of 50,000 clients. Each office
contains between 50 and 1,000 clients.
• There are international offices in London and Paris with a total of 30,000 clients.
Number of
Office Location Network bandwidth
workstations
Headquarters New York 50,000 Local Gigabyte
Regional office Toronto 20,000 T1
United Kingdom office London 15,000 E1
France office Paris 15,000 E1
Office locations 500 locations across 50,000 in total T1

North America
A. Datum wants to implement System Center 2012 Configuration Manager to administer its workstations
in a centralized way.
A team of 40 full-time administrators manages the company data center in New York. The administrators
in New York are providing support for all the locations in North America, including Toronto. A small data
center is located in Toronto and is administered remotely from New York. The data center for Europe is
located in London and has a dedicated team of 15 administrators. They manage all of the resources in the
London and Paris offices.
You need to choose which hierarchy model to implement. Use the following questions to help you choose
the most appropriate implementation model.
Use the table below to record your proposed scenario.
Managing clients
Location Site type Administered by Distribution point
from
Lesson 2
Deploying a Configuration Manager 2012 Site
When planning for a Configuration Manager deployment, you should take into consideration the
supported number of sites and site systems and the maximum number of supported clients. You should
also consider the existing network environment and the Configuration Manager 2012 design you will
implement to accommodate multiple domains or forests.
When deploying a multiple-site Configuration Manager 2012 hierarchy, you should install the sites in
a specific order, starting with the central administration site, and then continuing with the primary and
secondary sites. In Configuration Manager 2012 SP1 and later versions, you can install a single primary
site before installing the central administration site. You can also install a central administration site and
expand one primary site into the hierarchy. You can install additional site systems at any time after you
install the site servers.
You must select the appropriate setup options when installing the sites in an existing hierarchy, and use
the appropriate resources to validate a successful installation.
Lesson Objectives
• Describe the maximum limits for a Configuration Manager 2012 hierarchy.
• Describe the implementation of Configuration Manager 2012 in an environment with multiple

domains or forests.
• Describe the deployment process for a multiple-site hierarchy.
• Describe the Configuration Manager setup options.
• Explain how to verify a successful site system installation.
Planning a Multiple-Site Hierarchy
Central Administration Site

The maximum number of supported clients per
hierarchy depends on the central administration
site’s SQL Server edition, but not on the SQL
Server edition that is installed on the primary or
secondary sites. A central administration site will:
• Support up to 25 child primary sites.

• Not support any client management roles.
You cannot assign clients to the central
administration site, only to primary sites.
• Support up to 400,000 clients in the hierarchy when using SQL Server Enterprise Edition for the site
database.
• Support up to 50,000 clients in the hierarchy when using SQL Server Standard Edition for the site
database.
These limitations are due to the partitioning of the site database. If you install the central administration
site by using SQL Server Standard Edition, and then upgrade to SQL Server Enterprise Edition, the
database is not repartitioned and these limitations remain in effect.
Primary Sites
You use primary sites to manage clients. Each primary site can accommodate up to 50.000 or 100,000
clients, depending on whether SQL Server is co-located on the site server or is installed on a separate
computer. However, the number of clients that a primary site supports is still limited to 50,000 if the
central administration site uses SQL Server Standard Edition. A primary site will:
• Support up to 250 secondary sites.

• Support up to 250 distribution points. Each distribution point can support up to 4,000 clients,
depending on the type of content you are distributing.
• Support up to 5,000 distribution points. This total includes all distribution points at the primary site
and all distribution points that belong to the primary site’s child secondary sites.
• Support up to ten management points. Each primary site management point can support up to
25,000 computer clients. To support 100,000 clients you must have at least four management points.
When you have more than four management points in a primary site, the supported client count of
the primary site does not increase beyond 100,000. Instead, any additional management points
provide redundancy for communications from the clients.
• Support up to 50,000 clients when SQL Server is co-located on the site server.
• Support up to 100,000 clients when SQL Server is installed on a separate computer from the site
server.
Secondary Sites
You can use secondary sites to manage the upward traffic from the clients in a remote location to the
primary site server. You can also use a secondary site to increase the total number of distribution points
that can be installed on a primary site. A secondary site will:
• Support up to 250 distribution points. Each distribution point can support up to 4,000 clients,
depending on the type of content you are distributing.
• Support a single management point located on the site server.
• Support SQL Server Express 2012 in addition to the other supported SQL Server versions for the site
database. You can install SQL Server on the same computer as the secondary site server if you do not
want to use SQL Server Express.
• Support communications for up to 5,000 clients.
Software Update Point

Each site supports one active software update point for use on the intranet and, optionally, one
software update point for use on the Internet. You can configure each of these software update points
as a Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB
cluster. A software update point that is installed on the site server can support up to 25,000 clients. A
software update point that is installed on a computer that is remote from the site server can support up to
100,000 clients. Configuration Manager 2012 SP1 introduced software update point switching. If a client’s
scan for software updates fails, it will automatically attempt to use a different software update point.
Note: Before upgrading from Configuration Manager with no service pack to Configuration
Manager SP1, you must remove NLB from your active software update point. After the upgrade is
complete, you can reconfigure NLB by using Windows PowerShell®.

You can install a fallback status point to enable clients to send state messages to the site, and enable
CCMSetup to report deployment issues. Each primary site supports one fallback status point and each
fallback status point can support up to 100,000 clients.
Application Catalog Website Point and Application Catalog Web Service Point
Each instance of this site system role supports up to 400,000 clients, providing service for the entire
hierarchy. You can install multiple instances of the Application Catalog website point at the primary sites.
For improved performance, you should plan to support up to 50,000 clients per instance.
System Health Validator Point

You can install a System Health Validator point in each site to integrate with the Windows Server Network
Access Protection functionality. Each System Health Validator point can support up to 100,000 clients.
Planning for Multiple Domains and Forests

supports sites and hierarchies that span Active
Directory® Domain Services (AD DS) forests.
Configuration Manager also supports domain
computers that are not in the same Active
Directory forest as the site server, and computers
that are in workgroups.
To support domain computers in a trusted

forest, you can install a child site in a remote
forest that has a required two-way trust with the
forest of the parent site. For example, you can
place a secondary site in a different forest from its
primary parent site if a two-way forest trust that supports Kerberos authentication exists. If you do not
have a two-way forest trust that supports Kerberos authentication, you cannot install a Configuration
Manager child site in the remote forest.
To support domain computers in a forest that your site server’s forest does not trust, you can install the
appropriate site system roles in that untrusted forest. In addition, you have the option to publish site
information to that Active Directory forest. When you install site system servers in the client’s forest, the
client-to-server communication takes place within the client’s forest and the remote site system role can
authenticate the computer using Kerberos. When planning to deploy to an untrusted forest, consider the
following:
• When you publish site information to the client’s forest, clients can retrieve site information, such as
a list of available management points, from their Active Directory forest rather than downloading this
information from their assigned management point. You cannot install the out of band service point
and the Application Catalog web service point in an untrusted forest. You can install them only in the
same forest as the site server. The same restriction applies for the site database, which you must install
in the same forest as the site server.
• When you specify a computer to be a site system server, you must specify the Site System Installation
Account. This account must have local administrative credentials to systems that it connects to, so
that it can then install the site system roles on the specified computer.
• When you install a site system role in an untrusted forest, you must select the Require the site server
to initiate connections to this site system option. This configuration enables the site server to establish
connections to the site system server to transfer data to and from the site system server. This prevents
the site system server in the untrusted location from initiating contact with the site server in your
trusted network. The connection uses the Site System Installation Account that you use to install the
site system server.
• The management point and enrollment point site system roles connect to the site database. By
default, when you install these site system roles, Configuration Manager configures the computer
account of the new site system server as the connection account and adds the account to the
appropriate SQL Server database role. When you install these site system roles in an untrusted
forest, you must configure the site system role connection account to enable the site system role to
obtain information from the database. If you configure a domain user account for these connection
accounts, ensure that the account has appropriate access to the SQL Server database for that site.
The following roles are supported and require that you configure the associated database connection
account:
o Management point: Management Point Connection Account
o Enrollment point: Enrollment Point Connection Account
To support computers in a workgroup that use HTTP client connection to site system roles, you must
approve them manually. This is because Configuration Manager cannot authenticate these computers
by using Kerberos. In addition, you must configure the Network Access Account, regardless of the HTTP
or HTTPS configuration, so that these computers can retrieve content from distribution points. Because
workgroup clients cannot retrieve site information from AD DS, you must provide an alternative
mechanism for these clients to find the management points. You can use Domain Name System (DNS)
publishing or Windows Internet Name Service (WINS), or assign a management point directly. You can
also use Internet-based client management and public key infrastructure–issued (PKI-issued) certificates to
enable management of clients in an untrusted forest or in a workgroup.
Deploying a Multiple-Site Hierarchy

You must follow this process when you deploy a
multiple-site hierarchy if no site exists yet.
Deploying the Central Administration

Site
• Extend the Active Directory schema. You must
decide whether you will extend the Active
Directory schema to enable site servers and
site systems to publish information to AD DS.
If you extend the schema, you need to grant
the site server accounts permission to publish
to the system management container.
• Install Configuration Manager 2012 as a central administration site first, before installing any sites that
will join the hierarchy.
Deploying Primary Sites

• Install Configuration Manager 2012 as a primary site in the existing hierarchy. Run Setup to install
Configuration Manager 2012. Specify the central administration site that you want to use as a parent
site.
Deploying Secondary Sites

• Add the primary site server computer account to the local Administrators group on the target
• Run the Secondary Site Installation Wizard from the primary site. You can select whether to use an
existing instance of SQL Server on the secondary site server or install SQL Server Express.
Deploying Additional Site System Roles

• Run the Add Site System Roles Wizard for each site. You can select which roles to install for each
particular site:
o When they are part of a hierarchy, some roles cannot be installed in all sites. You will learn which
roles are available later in this module.
o For specific roles, you may be able to install only a single instance of the role. For example, there
can be only a single instance of the Asset Intelligence synchronization point, and you must install
this role at the top-level site in the hierarchy.
Beginning with Configuration Manager 2012 SP1, you can expand an existing primary site into a
hierarchy after you install the primary site. For example, if you have deployed a single primary site and
your organization later enlarges, you can expand the primary site into a hierarchy without losing any data.
The process for doing this is similar to the process for deploying a multisite hierarchy as described above.
Deploying the Central Administration Site

• Extend the Active Directory schema. If you did not perform this operation when you installed the
initial primary site, you must perform it now.
• Install Configuration Manager 2012 as a central administration site. During the installation process,
you specify the site that you are expanding into the hierarchy.
Deploying Additional Sites and Roles

• The creation of the rest of the hierarchy is similar to the process described above.
Configuration Manager 2012 Setup Options

To install a central administration site or a
primary site, you use the setup program from the
installation media. Generally, we recommend that
you run the Prerequisite Checker (prereqchk.exe)
before starting the installation process so that you
can address any problems quickly. If you do not
run the Prerequisite Checker prior to running
setup, the setup process will automatically run
it later. If you are planning to use HTTPS
communication, you should acquire an
appropriate certificate before beginning Setup.
The Prerequisite Checker will not check for a
certificate because installation does not require one. We recommend that you run the Setup Downloader
(SetupDL.exe) prior to starting the installation. This tool downloads the required installation updates. Like
the Prerequisite Checker, this tool will be run later in the setup process. Running it manually allows you to
save time during the process.
Before running the System Center 2012 R2 Configuration Manager Setup Wizard, you must spend time
planning the process. You will need to make the following decisions:
• Will you install a Configuration Manager primary site or a Configuration Manager central
administration site? Typically, when you install a multisite hierarchy, you start with the central
administration site. Once you have installed the central administration site, you can continue
building the hierarchy by installing the primary sites. Alternatively, you can start with a primary site
and expand it into a new hierarchy later. However, you can only expand a single stand-alone site into
a hierarchy.
• Will you choose Prerequisite downloads, Download required files, or Use previously downloaded
files? You will see these options after you advance through the licensing pages in the System Center
2012 R2 Configuration Manager Setup Wizard. If you have not downloaded the prerequisite files
previously, you must do so at this time. When you deploy multiple sites, the files should be stored in a
central location available to each server where you are deploying Configuration Manager 2012.
• Are you supporting additional languages? You can install language support for both the server and
clients separately. If you need to support additional client languages, you specify them during the site
installation, or you can specify additional languages later. If you are expanding an existing primary
site into a hierarchy, during the central administration site installation, you should specify the same
client languages supported in the existing primary site. If you do not install client language support
for a language supported in the existing primary site, Setup will remove support for that language.
• What will you chose for the Site code, Site name, and Installation folder? The next decision point is on
the Site and Installation settings page of the wizard. The site code and site names must be unique and
cannot be changed without reinstalling.
• Will you install a central administration site as the first site in a new hierarchy, or expand an existing
stand-alone primary into a hierarchy? When you install a central administration site, you have the
following options:
o Start a new hierarchy.
o Expand an existing primary site into a hierarchy as a child of the central administration site that
you are installing.
• Will you join the primary site to an existing hierarchy or install the primary site as a stand-alone site?
When you install a primary administration site, you have the following options:
o Starting a new hierarchy.
o Join an existing hierarchy as a child of the central administration site.
• Will you use a local or remote SQL Server? System Center 2012 R2 Configuration Manager requires
a SQL Server to host the databases that the site uses. The SQL Server installation can be on the same
server as the Configuration Manager server or on a remote server. Additionally, during the installation
process you can specify the location for the SQL Server database files.
• Where will the SMS Provider be located? The SMS Provider provides a communication layer between
the management tools and the databases. Typically, the Configuration Manager server is also the SMS
Provider. However, you can choose to install the SMS Provider on a separate server.
• What communications methods will you use? When you install a primary site, you must decide
whether the clients will communicate using HTTP or HTTPS. If you are going to use HTTPS, you
should have installed the appropriate certificate already. If you have not installed an appropriate
certificate, you should install the primary site by using HTTP communication and configure HTTPS
communication as soon as you acquire an appropriate certificate. This setup option is not available
for a central administration site since it does not support clients directly.
Verifying a Configuration Manager 2012 Site Installation

You can perform the following steps to verify the
success of a Configuration Manager 2012 site
installation:
1. In the Configuration Manager console, in the

Monitoring workspace, under System Status,
there are two status nodes:
o System Status node. Displays the status

for the installed roles.
o Component Status nodes. Displays the

status for all the components on each site
server.
A status of OK verifies that the site and the site components are functioning normally. If the status
displays as warning or critical, you will need to review the messages and troubleshoot the issues you
find.
2. Verify that the SMS_EXECUTIVE, SMS_SITE_COMPONENT_MANAGER service, and any other listed
Configuration Manager services, except for the SMS_SITE_BACKUP service, are listed as automatic and
started in the Services console.
3. View the installation logs:
o ConfigMgrPrereq.log. Prerequisite Checker generates this log, whether you run it as stand-alone
or as part of Setup.
o ConfigMgrSetup.log. This is the primary setup log. View this log to identify any if abnormal errors
were encountered during Setup.
o ConfigMgrSetupWizard.log. The Configuration Manager Setup Wizard generates this log.
o ConfigMgrAdminUI.log. The console installation generates this log. This is a separate log because
installing the console is not mandatory.
o SMS_BOOTSTRAP.log. This log is located on the intended secondary site server. It records
information about the progress of launching the secondary site installation process.
ConfigMgrSetup.log contains details of the actual setup process.
4. View the status messages in the Monitoring workspace.

Lesson 3
Deploying the Central Administration Site
Typically, when implementing a hierarchy of multiple primary sites, the central administration site is the
first site you install. The central administration site is the hub of the entire hierarchy. You join primary sites
to it to build your hierarchy.
In this lesson, you will review the role of the central administration site in a multiple site hierarchy.
Lesson Objectives
• Describe the characteristics of the central administration site.
• Determine whether to install a central administration site.
• Describe how to install a central administration site.

• Describe installing site system roles and configuring security roles and scopes in the central
What Is the Central Administration Site?

The central administration site is the top-level
site in a hierarchy. Frequently, it is the first site
that you install in the hierarchy. You can use the
central administration site to manage all objects
and perform site management tasks for all sites
in the hierarchy. From the central administration
site, you can view global data and site data from
all primary sites in the hierarchy. The central
administration site is the only location where you
can access this site in a consolidated data view.
The central administration site:

• Supports only primary sites as child sites. You
must specify the central administration site’s site server during the installation of a primary site that
joins the same hierarchy.
• Can be used to expand a primary site into a multisite hierarchy. When expanding a single stand-alone
primary site into a multisite hierarchy, you install the central administration site and specify the
primary site that you want to expand during installation.
• Cannot have clients assigned to it. You must have at least one primary site in the central
administration site’s hierarchy to manage clients.
• Does not process client data. Site data from clients is processed at primary sites, and then replicated
to the central administration site.
• Does not support all site system roles. You cannot install any of the roles related to client
management in the central administration site.
• Offloads administration and reporting from the primary sites. You can run reports to contain
consolidated information from all sites in the hierarchy.
• Participates in database replication with primary sites. The database replication is configured
automatically when installing a primary site as a child of the central administration site.
• Contains site data replicated from all the sites in the hierarchy. The central administration site
consolidates site data from all sites in the hierarchy.
Determining When to Install a Central Administration Site

You must install a central administration site if
you are going to have multiple primary sites in
a hierarchy. You use the central administration
site to configure hierarchy-wide settings and to
monitor all sites and objects in the hierarchy.
The central administration site does not manage
clients directly. However, it does coordinate
inter-site data replication, which includes the
configuration of sites and clients throughout the
hierarchy.
Use the following information to help you plan for
the central administration site installation:
• If you need to support more than 100,000 clients, you must have the central administration site and
multiple primary sites in the hierarchy. The central administration site can support up to 25 primary
sites.
• You can manage all clients in the hierarchy and perform site management tasks for any primary site
when you use a Configuration Manager console that is connected to the central administration site.
• The central administration site is the only place where you can view site data from all sites. This data
includes information such as inventory data and status messages.
• You can configure discovery operations throughout the hierarchy from the central administration site
by assigning discovery methods to run at individual sites.
• Although the central administration site does not support the distribution point role, you can create
content in the central administration site and distribute it to all sites in the hierarchy.
You do not need to install a central administration site to:

• Manage fewer than 100,000 clients. You can use a stand-alone primary site and install additional
secondary sites or additional distribution points as necessary.
• Support multiple locations. A stand-alone primary site with remote distribution points or secondary
sites can span multiple locations.
• Manage clients. You can assign clients to only primary sites, not the central administration site.
Additionally, primary sites support the site system roles related to client management and the central
administration site does not.
• Decentralize administration for a primary site. You can use security roles and scopes to limit
administrative permissions to a subset of objects. The central administration site does not limit the
administrative permissions. Instead, it centralizes administration across multiple sites.
• Perform content routing. If you are using a stand-alone primary site, you can implement distribution
points or secondary sites to perform content routing.
In a merger or acquisition scenario, installing a central administration site will not offer an advantage over
a stand-alone primary site:
• If the second organization has deployed Configuration Manager 2007, you can use the migration
feature to migrate objects to the Configuration Manager 2012 hierarchy.
• If the second organization has deployed Configuration Manager 2007, you can use the Export and
Import functionality to copy objects between hierarchies.
• Beginning with Configuration Manager 2012 SP1, you can merge data from hierarchies that are on
the same version and service pack of Configuration Manager.
Installing the Central Administration Site

After deciding to install a Configuration Manager
central administration site, you must run the
Setup program. When planning the central
administration site, choose the site code and site
name carefully because you cannot change them
after installation without reinstalling the site. In
the case of a central administration site, that
would mean reinstalling the entire hierarchy.
Beginning with System Center Configuration
Manager 2012 with SP1, if you have an existing
stand-alone primary site, you can expand the
stand-alone primary site into a new hierarchy.
During the installation of a central administration site, you are able to expand one primary site into the
site hierarchy. The primary site must be online and available or the expansion will fail. You must merge
any additional primary sites with the new hierarchy if you want to save the data. After you merge any
data, you must uninstall and then reinstall the additional primary sites.
The following table lists the steps that the System Center 2012 Configuration Manager Setup Wizard
performs when installing the central administration site. The table also includes the information that you
supply for each step.
Wizard page Input required
Getting Started Choose to install a central administration site.
Product Key Choose whether you want to install an evaluation version or provide a
product key.
Microsoft Software Read and accept the license terms to continue with the setup.
License Terms
Prerequisite Licenses Accept the licenses for the various prerequisite components to continue with
the setup.
Prerequisite You can specify whether to download the Configuration Manager

Downloads prerequisite files now or to use the files from a folder where you have
downloaded them previously.
Server Language This page allows you to specify additional language packs to be downloaded
Selection and installed for the administration console and site servers.
Client Language Specify the additional language packs to be downloaded and installed for the
Selection Configuration Manager client.
Site and Installation There are several required settings on this page: site code, site name, and
Settings Installation folder. You cannot change these settings later. Additionally, you
can choose whether to install the Configuration Manager console on this
page.
Central You must choose between creating a new hierarchy and expanding an
Administration Site existing stand-alone primary site into a hierarchy. If you choose to expand an
Installation existing stand-alone primary site, you must specify the fully qualified domain
name (FQDN) of the primary site.
Database Information If necessary, enter the FQDN for the instance name of the SQL Server, the
name of the Configuration Manager database, and the port you will use for
SQL Server Service Broker.
Database Information The wizard contains two database information pages. You must specify the
installation paths for the SQL Server files on this page.
SMS Provider Settings Enter the FQDN of the server that will host the SMS Provider. By default, this
is installed on the site server.
Customer Experience Select this option if you want to join the Customer Experience Improvement
Improvement Program.
Program
Configuration
Settings Summary Review your selections to determine whether you need to go back to make
any changes.
Prerequisite Check The Configuration Manager Setup Wizard launches Prerequisite Checker to
evaluate the server readiness for hosting the selected roles. Once all the
checks have finished, you can begin the installation.
Configuring the Central Administration Site

After you install the central administration site,
you perform several configuration steps, such
as installing additional site system roles and
configuring security roles and scopes. You can
install only the following subset of site system
roles in the central administration site:
• Asset Intelligence synchronization point.

Configuration Manager can inventory all
the applications that are in use in your
environment. Then, you can use this
information through the Asset Intelligence
catalog to manage license usage in your
environment. The Asset Intelligence synchronization point synchronizes the Asset Intelligence catalog
with System Center Online.
• Endpoint Protection point. The Endpoint Protection point manages Endpoint Protection in your
hierarchy. Note that Endpoint Protection is a separate installation.
• Reporting services point. The reporting services point provides a location for running and viewing
reports. A reporting services point in the central administration site allows you to view reports
pertaining to all sites in the hierarchy.
• Software update point. You install a software update point at the top of the hierarchy to synchronize
with Microsoft updates. The software update points at primary sites will synchronize with the software
update point deployed in the central administration site.
• System Health Validator point. Network Access Protection (NAP) integrates with a Windows Network
Policy server to validate Configuration Manager NAP policies.
Note: You can install only one Asset Intelligence synchronization point and one Endpoint
Protection point in a hierarchy. You can install only these two roles in the top-level site in the
hierarchy.
Role-Based Administration
Role-based administration allows you to define the management security in Configuration Manager 2012.
You define role-based administration in the Administration workspace, under the Security node. You
apply role-based administration configurations at each site in a hierarchy. Role-based administration is
composed of three components–roles, scopes, and collections–that allow you to define management
rights for your hierarchy:
• Security roles. There are several built-in security roles, and you can create custom roles. Security roles
define what can be done to the various object classes defined in Configuration Manager.
• Security scopes. There are two built-in security scopes, and you can create custom scopes. The
security scope defines which objects an administrator can manage.
• Collections. You use collections to limit the users or computers that an administrative user can
manage.
When defining permissions for administrative users, you define their security roles and the objects
and collections that they will be able to access. By default, the user that installed the configuration
manager site has the Full Administrator role for all objects and collections. You add a user or group
in the Administrative Users node in the Security folder. When you add a user or group, you can assign
one or more roles, one or more defined security scopes, and one or more collections that you want to
manage.
Expanding a Stand-Alone Primary Site into a Hierarchy with a New Central

Administration Site
Prior to System Center 2012 Configuration
Manager SP1, if you decided to transition from
a single site hierarchy to a multi-site hierarchy,
you had to uninstall the site and start over.
System Center Configuration Manager 2012
with SP1 introduced the ability to install a central
administration site as a parent site of an existing
stand-alone primary site. You can do this with
only one stand-alone primary site. If you have
several stand-alone sites, you must uninstall and
then reinstall any additional sites that you want to
join to the multisite hierarchy.
Expanding a stand-alone primary site into a multisite hierarchy adds one step to the central
administration site installation. During the installation process, you specify the stand-alone site that you
are expanding into the hierarchy.
Prerequisites for Expanding a Stand-Alone Site

Before you can expand a stand-alone site into a multisite hierarchy, the stand-alone site must meet the
following requirements.
Prerequisite Additional information
The stand-alone primary site must be Before you install the central administration site,
on the same version of Configuration upgrade the primary site to the same version of
Manager that you will use to install the Configuration Manager that you will use to install
central administration site. the central administration site. You must use either
Configuration Manager 2012 with SP1 or System Center
2012 R2 Configuration Manager.
You must not configure the stand-alone You always perform site migrations from the top-level
primary site to migrate data from another site. Once the expansion is complete, you can perform
Configuration Manager hierarchy. any site migrations using the central administration site.
You can migrate data to the central administration site
or any primary site in the hierarchy.
When you configure the stand-alone If you migrate data from another site using data
primary site for migration, you must stop gathering, you must stop all active data gathering
all active data gathering before starting the processes. After completing the expansion process, you
expansion process. can restart any data gathering processes.
The computer account for the computer This is required only during the expansion process and
that will host the central administration site you can remove it once the process is complete.
must be in the local Administrators group
on the stand-alone primary site’s
computer.
The user performing the expansion must The user performing the expansion must be defined in
be an administrator of the site that he or role-based administration as either a Full Administrator
she is expanding. or an Infrastructure Administrator at the site that he or
she is expanding.
Prerequisite Additional information
You must uninstall any roles that are not If you install the Asset Intelligence synchronization
supported in a child primary site from the point, Endpoint Protection point, and Windows Intune™
stand-alone primary site that is being connector roles, they must be located in the central
expanded. administration site of a multisite hierarchy.
The SQL Server Service Broker must be The Prerequisite Checker does not verify that the SQL
able to transfer data between the central Server Service Broker port is open.
administration site and the child primary
sites.
Considerations When Expanding a Stand-Alone Primary Site

When you expand a stand-alone primary site into a multisite hierarchy, many objects and configuration
settings in the primary site database are shared with the new central administration site. You need to
address several of these objects and settings after the expansion is complete.
Considerations Additional information
Software update point In a multisite hierarchy, a software update point at the primary site will
reconfigure automatically to synchronize with the software update point
in the central administration site. You should install a new software
update point in the central administration site as soon as possible.
Software deployment Software deployment packages that you created previously in the
packages stand-alone primary site will replicate to the central administration site
as global data. Then you can manage the packages at either the primary
site or the central administration site. The default client installation
package is the only exception to this process.
Client installation package Ownership of the client installation package transfers to the central
administration site. The client installation package maintains the same
package number; however, Setup reconfigures it to support only the
languages that the central administration site supports.
Client settings Once the expansion is complete, you must restart the
SMS_POLICY_PROVIDER component on the primary site. Until the
component is restarted, the primary site will not provide any new or
updated client settings to the clients.
Default Boot WIM The central administration site creates and deploys a new default boot
Windows image file (WIM) that will be used throughout the hierarchy.
The boot WIM at the primary site is not modified and existing operating
system deployments will continue to function.
Lab A: Installing a Site Hierarchy

Scenario
You are the network administrator for A. Datum Corporation. A. Datum wants to expand its System Center
2012 R2 Configuration Manager stand-alone primary site installation into a complex hierarchy with a
central administration site, two primary sites, and a secondary site.
A. Datum has already deployed the primary site as a stand-alone site.
Objectives
You must perform the installation of a System Center 2012 R2 Configuration Manager central
administration site by using hierarchy expansion.
Lab Setup

10748C-LON-CFG-B
10748C-LON-CAS-B
10748C-NYC-CFG-B
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
2. In Hyper-V® Manager, click 10748C-LON-DC1-B, and in the Actions pane, click Start.
4. Sign in using the following credentials:
o Domain: Adatum
5. Repeat steps 2 to 4 for 10748C-LON-CFG-B.
6. Do not start 10748C-LON-CAS-B or 10748C-NYC-CFG-B until instructed by the lab.
Exercise 1: Using Hierarchy Expansion to Install the Central Administration

Site
Scenario
You need to install a Configuration Manager 2012 central administration site in London with the site code
CAS on the LON-CAS.Adatum.com server. You will expand the primary site on LON-CFG as a child site of
the new central administration site.
1. Prepare the environment for the hierarchy expansion.
2. Start additional lab servers.
3. Run Installation Prerequisite Check, and verify that the expansion prerequisites are met.
4. Run the splash screen for Configuration Manager 2012.
5. Run Setup to install a Configuration Manager 2012 R2 central administration site and expand an
existing primary site into the hierarchy.
 Task 1: Prepare the environment for the hierarchy expansion

1. On LON-CFG, open Computer Management, and then add LON-CAS to the local Administrators
group.
2. Switch to LON-DC1.
3. Open Active Directory Users and Computers, and then add LON-CAS and NYC-CFG to the
ConfigMgrServers security group.
 Task 2: Start additional lab servers

1. Start 10748C-LON-CAS-B, and then sign in as Adatum\Administrator.
2. Start 10748C-NYC-CFG-B, and then sign in as Adatum\Administrator.
 Task 3: Run Installation Prerequisite Check, and verify that the expansion
prerequisites are met
1. On LON-CAS, open an Administrator: Command Prompt.
2. In the Administrator: Command Prompt, navigate to E:\ConfigMgr2012R2\SMSSetup\BIN\X64.
3. Run the following command in the Administrator: Command Prompt:
Prereqchk.exe /CAS /SQL LON-CAS.Adatum.com /SDK LON-CAS.Adatum.com /Expand LON-

CFG.Adatum.com
4. In the Installation Prerequisite Check window, verify that there are no errors (you may receive several
warnings), and then click OK.
5. Close the Administrator: Command Prompt.
 Task 4: Run the splash screen for Configuration Manager 2012

1. On LON-CAS, navigate to the E:\ConfigMgr2012R2\ folder.
3. Open the .hta file with the Microsoft (R) HTML Application host.
 Task 5: Run Setup to install a Configuration Manager 2012 R2 central administration

site and expand an existing primary site into the hierarchy
1. In the System Center 2012 R2 Configuration Manager Setup screen, click Install.
2. The Microsoft System Center 2012 R2 Configuration Manager Setup Wizard starts. Use the following
settings to install a central administration site:
a. On the Getting Started page, select Install a Configuration Manager central administration
site.
b. On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
these License Terms, under Microsoft SQL Server 2012 Native Client, select I accept these
License Terms, under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight, and then click Next.
f. On the Server Language Selection and Client Language Selection pages, click Next.
g. On the Site and Installation Settings page, configure the following options:
 Site code: CAS
 Site name: London Central Administration Site
h. On the Central Administration Site Installation page, select Expand an existing stand-alone
primary into a hierarchy, and then in the Stand-alone primary site server (FQDN) field, type
LON-CFG.Adatum.com.
i. On the Database Information page, accept the default settings.

j. On the second Database Information page, accept the default settings.
k. On the SMS Provider Settings page, accept the default settings.
l. On the Customer Experience Improvement Program Configuration page, select I don’t want
to join the program at this time.
m. On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click
Begin Install.
3. Wait for the installation to finish, and then close the Setup Wizard and the System Center 2012 R2
Configuration Manager Setup screen.
Note: When the System Center R2 Configuration Manager Setup Wizard displays
Core setup has completed, the setup is not complete. Do not continue with the lab until the
Applying the snapshot data task has completed. The installation process may take up to 45
minutes.
Results: At the end of this exercise, you should have installed a Microsoft® System Center 2012 R2
Configuration Manager central administration site and a primary site in a hierarchy.
Question: How do you install a primary site in an existing hierarchy?

Lesson 4
Deploying Primary Sites in a Hierarchy
After installing the central administration site, you can install additional primary sites in your hierarchy.
Primary sites are support clients in a Configuration Manager hierarchy. You must install primary sites
before you can deploy clients.
In this lesson, you will discuss the primary site role, the factors that determine when to install a primary
site, and the roles that you can install on a primary site.
Lesson Objectives
• Describe a primary site.

• Determine if it is appropriate to install a primary site in a hierarchy.
• Describe the installation of a primary site in a hierarchy.
• Describe various site installation methods.

• Describe the configuration of a primary site in a hierarchy.
Primary Sites in a Configuration Manager Hierarchy

A primary site is the middle tier in a multisite
hierarchy and is required to manage clients. You
can use a primary site to manage all objects and
perform site management tasks for the primary
site and any child secondary sites that report to
the primary site. From a primary site, you can view
global data, site data from the local primary site,
and information about any child secondary sites in
the primary site’s branch of the hierarchy.
A primary site:
• Can be a stand-alone primary site or a

member of a hierarchy.
• Supports most of the Configuration Manager roles.

• Supports only the central administration site as a parent site.
• Supports only secondary sites as child sites.
• Can support up to 250 secondary child sites, up to 250 distribution points, and 2000 pull distribution
points.
• Cannot change its parent site relationship after installation.

• Is responsible for processing all client data from its assigned clients.
• Uses database replication, which is configured automatically, to communicate to its central

• Can support the distribution point and management point roles, if you choose to install them during
site installation.
Determining Whether to Install a Primary Site

You must install at least one primary site in your
hierarchy to support clients. You cannot assign
clients to the central administration site or a
secondary site.
Consider adding a primary site to your hierarchy

when you need to:
• Increase the number of clients you are

managing. Each primary site can support up
to 100,000 clients.
• Reduce the effect of failure of a stand-alone

primary site. If a primary site fails, you cannot
manage any clients assigned to that site until the site is restored. Activity on the client, such as
inventory collection, continues and the results are stored locally as usual. However, reporting of this
activity is delayed until the site is restored. When you have multiple primary sites in a hierarchy, a site
failure affects only the clients assigned to that primary site.
• Provide a local point of connectivity for a large business unit so that you can perform administration
tasks for the clients in the business unit.
• Meet organizational management requirements. Different locations may be under different

regulations for the storage of data or the use of encryption. Using a separate primary site may help
you meet these requirements.
You do not need additional primary sites in your hierarchy if you are:
• Providing decentralized administration. You can use role-based administration to segregate the
administration of resources.
• Performing logical data segmentation. All data that exists in a hierarchy is replicated to the
central administration site. If you are required to maintain client data separation and want to use
Configuration Manager to manage clients, consider using a separate stand-alone installation.
• Configuring different client settings. You can configure custom client settings individually or by
collection; these settings are replicated throughout the entire hierarchy.
• Supporting a different site language. You can configure multiple languages for the same site.
• Performing content routing. You can configure content routing between two distribution points
located in two secondary sites that have the same parent. This can reduce the network traffic
associated with the WAN links
Installing a Primary Site in a Hierarchy

Installing a Configuration Manager primary site
requires some additional preplanning before
you run Setup. Since you will use the primary
site to support clients, you should decide how
clients would connect to the primary site before
performing the installation. If you plan to use
HTTPS communications, you should acquire the
appropriate certificate before installation. Unlike
client communication settings, you cannot change
the following after installation without reinstalling
the site:
• The parent central administration site to

which the primary site is assigned
• The site code
• The site name
The following table lists the steps in the Configuration Manager Setup Wizard that you use to install a
primary site, and the information that you supply for each step.
Getting Started Select the option for installing a primary site. To speed up the process,
you can install a primary site with typical settings.
Product Key Choose between installing an evaluation version and providing a product
key.
Microsoft Software Read and accept the license terms.

License Terms
Prerequisite Licenses Accept the licenses for the various prerequisite components.
Prerequisite Downloads You can specify to download the Configuration Manager prerequisites
files now, or to use the files from a folder where you have downloaded
them previously.
Server Language Selection This page allows you to specify additional language packs you want to
download and install for the Administration console and the site servers.
Client Language Selection Specify the additional language packs you want to download and install
for the Configuration Manager client.
Site and Installation There are several required settings on this page: site code, site name, and
Settings Installation folder. You cannot change these settings later. Additionally,
you can choose if you want to install the Configuration Manager console.
Primary Site Installation You can choose if the primary site you are installing is stand-alone or a
part of the hierarchy.
Database Information Enter the FQDN of the computer running SQL Server, the name of the
Configuration Manager database, and the port to use for the SQL Server
Service Broker.
Database Information The wizard contains two database information pages. On this page, you
must specify the installation paths for the SQL Server files.
SMS Provider Settings Enter the FQDN name of the server that hosts the SMS Provider. By
default, this is installed on the site server.
Client Computer You can choose either to configure HTTPS communication or to

Communication Settings configure communication requirements for each role individually. If you
choose to configure HTTPS communication, you need to have the
appropriate certificate installed.
Site System Roles You can choose to install both a management point and a distribution
point, or just one of the two. You must specify the FQDNs for these roles.
By default, both roles will be installed using the FQDN of the server.
Depending on what you configured on the previous page, you can also
choose the client communication method, either HTTP or HTTPS.
Customer Experience Select this option if you want to join the Customer Experience
Improvement Program Improvement Program.
Configuration
Settings Summary Review your selections to determine if you need to go back to make any
changes.
Prerequisite Check The Configuration Manager Setup Wizard launches Prerequisite Checker
to evaluate the server readiness for hosting the selected roles. Once all
the checks have finished, you can begin the installation.
Site Installation Methods

To install a new primary site, you can either use
the Configuration Manager 2012 Setup Wizard or
perform an unattended installation by using the
scripted installation method.
You can perform an unattended installation for

a new primary site using a setup command-line
option and an unattended installation file,
which is stored in an initialization file (.ini file).
You can create the file manually or use the
%TEMP%\ConfigMgrAutoSave.ini file that Setup
generated during the installation of another
primary site, such as in a test environment. You
can also create the unattended installation .ini file by running the Configuration Manager 2012 Setup
Wizard until you reach the Prerequisite Check page. You can name or rename the actual file name, but it
must have an .ini extension.
To perform the unattended installation, run the following command:

Setup /script path\filename.ini
For example, if you created an installation .ini file named InstPrimSite.ini and stored it in the root of drive
C:, the command would be:
Setup /script C:\InstPrimSite.ini
Note: When using an unattended installation .ini file, the Setup program uses only the
values in the .ini file. You must specify all required setup options, or the installation will fail;
however, you can leave the ServerLanguages and ClientLanguages options blank.
This example illustrates a typical script used for installing a primary site in a hierarchy:
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=
SiteCode=LON
SiteName=London Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=LON-CFG.ADATUM.COM
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath= E:\ConfigMgr2012\Redist
MobileDeviceLanguage=0
ManagementPoint=LON-CFG.ADATUM.COM
ManagementPointProtocol=HTTP
DistributionPoint=LON-CFG.ADATUM.COM
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1
AdminConsole=1
[SQLConfigOptions]
SQLServerName=LON-CFG.ADATUM.COM
DatabaseName=CM_LON
SQLSSBPort=4022
[HierarchyExpansionOption]
CCARSiteServer=NYC-CAS.ADATUM.COM
Configuring a Primary Site

When you install a primary site as part of a
hierarchy, there are certain site system roles that
you cannot install in the primary site. These roles
are:
• Asset Intelligence synchronization point.

Synchronizes the Asset Intelligence catalog
for the entire hierarchy.
• Endpoint Protection point. Provides the

configuration for Endpoint Protection for the
entire hierarchy.
• Intune Connector. Provides mobile device

management through Windows Intune.
A primary site in a hierarchy supports all other optional Configuration Manager roles. You decide how to
distribute roles throughout your hierarchy based on your business requirements and on the functionality
that you need to provide.
For example, although you can install multiple reporting points in a hierarchy, only a reporting services
point that you install in the central administration site can provide reports on all objects in the hierarchy.
You might decide to install only a single reporting services point and run all reports in the central
administration site. Alternatively, you might decide to install a reporting services point in each site so
local administrators can run their own reports. With either option, you can run both standard and custom
reports.
The following table shows the optional roles that you can install in a child primary site and whether they
provide site-only functionality or hierarchy-wide functionality.
Site system role Scope Notes
Application Site or An Application Catalog web service point provides application

Catalog web hierarchy information for one or more Application Catalog website points.
service point Because this type of information is replicated as global data,
all Application Catalog web service points provide the same
information. Therefore, you can install this role in a single site
or in multiple sites for load balancing.
Application Site or An Application Catalog website point displays global data

Catalog website hierarchy retrieved from an Application Catalog web service point.
point Because this is global data, all Application Catalog website
points provide the same information. Therefore, you can install
this role in a single site or in multiple sites for load balancing.
Distribution point Site A distribution point provides support based on the site
boundary groups to which it belongs. You can install multiple
distribution points in a single site to provide load balancing or
to provide intranet and Internet support from separate servers.
Fallback status Site or A fallback status point allows clients that cannot communicate
point hierarchy with a management point to send state messages to the site.
The fallback status point will forward any messages received
from the clients to the appropriate primary site. This information
is replicated as site data and is available in reports at the central
Management Site Clients use a management point to communicate with their

point assigned site. You can install multiple management points in a
single site to provide load balancing or to provide intranet and
Internet support from separate servers.
Enrollment point Site Clients use an enrollment point to create mobile device and Intel
Active Management Technology (AMT) device objects in a site.
You can configure one enrollment point per site.
Enrollment proxy Site An enrollment proxy point allows mobile devices and AMT
point devices to join a site. You can configure one enrollment proxy
point per site.
Out of band Site An out of band service point allows you to manage AMT devices
service point that are offline by using out of band management. There can be
only one out of band service point per primary site and you
must install it in a primary site that it also contains the
enrollment point role.
Reporting services Site or A reporting services point installed in a primary site rather than
point hierarchy the central administration site can display data from only that
primary site and any child secondary sites. That includes global
data replicated to the site in addition to the site data.
Software update Site You use a software update point to synchronize the metadata
point about software update information. You install a software
update point in the central administration site to synchronize
with Windows Server Update Services and in all primary sites
that will use the software updates feature.
State migration Site A state migration point temporarily stores user data during
point certain operating system deployment processes. You can
configure multiple state migration points in a site to support
a large-scale operating system migration.
System Health Site or You use a System Health Validator point with network access
Validator point hierarchy protection. Only one System Health Validator point is required
in the hierarchy; however, you can install multiple System Health
Validator points for load balancing.
Lab B: Verifying a Site Hierarchy

Scenario
You are the network administrator for A. Datum Corporation. A. Datum wants to expand its System Center
2012 R2 Configuration Manager stand-alone primary site installation into a complex hierarchy with a
central administration site, two primary sites, and a secondary site.
A. Datum has already deployed the primary site as a stand-alone site.
Objectives
You must verify that the System Center 2012 R2 Configuration Manager central administration site
expansion was successful. Then you must add an additional primary site and automate the installation of a
second primary site.
Lab Setup

10748C-LON-CFG-B
10748C-LON-CAS-B
10748C-NYC-CFG-B
Password Pa$$w0rd
complete the previous lab, and the Configuration Manager installation must be complete on LON-CAS-B.
Exercise 1: Validating the Installation

Scenario
You installed the central administration site and expanded the A. Datum System Center 2012 R2
Configuration Manager stand-alone site into the hierarchy.
You need to validate the installation of the System Center 2012 R2 Configuration Manager central
1. View the site status and component status.

2. View the status messages for the Configuration Manager 2012 installation.
3. View the database replication status.
4. View the installation logs.

5. Review the available site system roles.
 Task 1: View the site status and component status

1. On LON-CAS, start the Configuration Manager console.
2. In the Configuration Manager console, in the Monitoring workspace, under the Site Status node,
view the status of each site system and site system role.
3. Under the Component Status node, view the status of site system and each component.
 Task 2: View the status messages for the Configuration Manager 2012 installation
1. Click the Site Status node, and then in the results pane, for \\LON-CAS.Adatum.com, select Site
server.
2. On the ribbon, click Show Messages, and then click All.

3. In the Status Messages: Set Viewing Period dialog box, accept the defaults, and then click OK.
4. In the Configuration Manager Status Message Viewer, double-click any message, and then review
the details of the status message. Use the Next and Previous buttons to view additional status
messages, and then close the Status Message Details dialog box.
 Task 3: View the database replication status

1. Select the Database Replication node.
2. View the status of the database replication link between CAS and S01.
Note: If the Link State is Link Failed, you must reinitialize the replication. To reinitialize the
replication, perform the following steps:
1. On LON-CFG, create and move a file named configuration data.pub to C:\Program Files
\Microsoft Configuration Manager\inboxes\rcm.box.
2. After the configuration data.pub file is removed, switch to LON-CAS, and after 10 minutes, in
Database Replication, refresh the replication link for Parent Site CAS and Child Site S01. The link
should now display Link Active.

1. Navigate to drive C, open the ConfigMgrPrereq.log file. By default, it will open with Notepad.
Review the file, note any errors or warnings reported by Prerequisite Checker, and then close
Notepad.
2. Open the ConfigMgrSetup.log file. By default, it will open with Notepad. Review the file, note any
errors or warnings reported by Setup, and then close Notepad.
Note: When a log file reaches a certain size, which varies depending on the process, a new
log file is created and the old log file is renamed with a .lo_ extension. The ConfigMgrSetup.log
might have only a few entries, and you might need to review the ConfigMgrSetup.lo_ file.
 Task 5: Review the available site system roles

1. In the Configuration Manager console, in the Administration workspace, expand Site
Configuration, and then click Servers and Site System Roles.
2. In the results pane, click LON-CAS.Adatum.com, and then in the preview pane, review the roles
installed on the server.
3. In the results pane, right-click LON-CAS.Adatum.com, and then click Add Site System Roles. The
Add Site System Roles Wizard starts.
4. On the System Role Selection page, review the roles available for install.
Note: When you install certain site system roles as part of a hierarchy, including the Asset
Intelligence synchronization point, software update point, and Endpoint Protection point, you
cannot install them in a primary site but must install them at the central administration site.
5. Cancel the Add Site System Roles Wizard.
Results: At the end of this exercise, you will have validated the installation of System Center 2012 R2
Exercise 2: Automating the Installation of a Primary Site

Scenario
You have installed the central administration site and a primary child site in the A. Datum network
environment. Now you need to install a second System Center 2012 R2 Configuration Manager primary
child site by using the automated method, which performs a scripted installation. The site will be installed
in New York City with the site code NYC on the NYC-CFG.Adatum.com server.
1. Review the contents of the installation script.

2. Run Setup for Configuration Manager 2012 and use the script option.
 Task 1: Review the contents of the installation script

1. On LON-CAS, in Windows Explorer, navigate to E:\ConfigMgr2012R2\NYC, and then open the
ConfigMgrAutoSave_NYC.ini file.
2. Review the contents of the file, and then close the viewer:
[Identification]
[Options]
ProductID=EVAL
SiteCode=NYC
SiteName=New York City Primary Site
SDKServer=NYC-CFG.Adatum.com
PrerequisiteComp=1
PrerequisitePath=\\LON-CAS\E$\ConfigMgr2012R2\Redist
ManagementPoint= NYC-CFG.Adatum.com
DistributionPoint= NYC-CFG.Adatum.com
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
SQLServerName= NYC-CFG.Adatum.com
DatabaseName=CM_NYC
SQLSSBPort=4022
SQLDataFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
SQLLogFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
CCARSiteServer=LON-CAS.Adatum.COM
 Task 2: Run Setup for Configuration Manager 2012 and use the script option
1. On NYC-CFG, open an Administrator: Command Prompt window.
2. At the command prompt, type the following commands. Press Enter after each command line:
Net Use I: \\LON-CAS\E$\ConfigMgr2012R2

I:
cd smssetup\bin\X64
setup /script I:\NYC\ConfigMgrAutoSave_NYC.ini
Note: The Configuration Manager Setup will run in unattended mode. The installation
process may take up to 30 minutes. You can use Task Manager to monitor the Setup progress.
On the Details tab, when you see CcmExec.exe as a running process, the setup is complete.
Results: At the end of this exercise, you should have installed a System Center 2012 R2 Configuration
Manager primary site in an existing hierarchy by using the automated setup method.
Question: Which roles cannot be installed in a primary site if it is a member of a hierarchy?

Question: Which primary site roles, when installed in a multisite hierarchy, can support the
entire hierarchy with a single instance?
Lesson 5
Deploying Secondary Sites
If you have remote locations that connect to the primary site server’s location by using low bandwidth
network links, you may want to install secondary sites to manage the transfer of client data and
deployments. In this lesson, you will review the installation process for a secondary site.
Lesson Objectives
• Describe the characteristics of a secondary site.

• Determine when you need to install a secondary site.
• Describe the process for installing a secondary site.
• Describe the site system roles that you can install in a secondary site.
What Is a Secondary Site?

If you have clients in remote locations and you
want to manage client-to-server communication
across slow network links, you have the option to
install a secondary site.
A secondary site:
• Cannot perform local administration tasks. A

secondary site does not provide connectivity
for the Configuration Manager console.
• Uses SQL Server Express or a local instance

of SQL Server to store information. If a local
SQL Server instance is not already installed,
the secondary site installation process will install SQL Server Express.
• Uses SQL Server replication to replicate a subset of global data from the primary site.
• Replicates information to its primary site using file-based replication.
• Supports routing of file-based content to other secondary sites.
• By design, includes a management point and a distribution point on the site server. The secondary
site and all its components are managed from its parent primary site.
Each primary site can support up to 250 secondary sites. Each secondary site can support communications
from up to 5,000 clients. However, the total number of clients assigned to a primary site with multiple
child secondary sites still cannot exceed 100,000 clients.
Determining Whether to Install a Secondary Site

You should install a secondary site only if you
need to manage client data and content across
low bandwidth networks. Managing client data
transfer includes managing the download of
policies from the management point to the client.
Additionally, client data transfer includes the
upload of hardware and software inventory and
other types of client data from the client to the
primary site. It is possible to manage client data
transfers for clients within the boundaries of a
secondary site because the secondary site’s
management point acts as a proxy for the parent
primary site’s management point.
Because a secondary site also includes a distribution point on its site server, you can control the transfer
of deployment-related files, including applications, packages, software updates, and operating system
images.
A secondary site does not provide local connectivity for the Configuration Manager consoles. You need to
manage the secondary site by using a console that is connected to the parent primary site.
Installing a Secondary Site

You install secondary sites from the primary site
that will be the secondary site’s parent. After
installation, you cannot change the parent of a
secondary site without removing the secondary
site and reinstalling it from a different parent.
Before installing the secondary site, you should
complete the following preparation steps:
• Prepare the intended secondary site server

with the appropriate prerequisites.
• Decide whether to use SQL Server or SQL

Server Express. If you use SQL Server, you
must preinstall SQL Server on the intended
• Add the primary site server computer account to the local Administrators group of the new secondary
site server.
• Ensure that the user performing the installation has:
o Local Administrator rights on the intended secondary site computer.
o Local Administrator rights on the remote site database server for the primary site.
o The Infrastructure Administrator or Full Administrator security role on the parent primary site.
• Choose the account you want to use for site-to-site communications. The account you use for site-to-
site communications must have local administrator rights on the parent site. The default is the parent
site computer account.
After you prepare the server, you start the secondary site installation from within the Configuration
Manager console by using the Create Secondary Site Wizard. After completing the wizard, you can
monitor the progress of the installation in the Configuration Manager console. After selecting the
secondary site, click Show Install Status on the ribbon to monitor the installation progress.
The following table lists the steps in the Create Secondary Site Wizard, and the information that you enter
for each step.
Before You Begin This page briefly describes the Create Secondary Site Wizard, and lists the
site that will be the parent for this secondary site. There is no input on
this page; however, you should verify that the correct parent site displays
before continuing.
General Configure the site code, the FQDN of the intended secondary site server,
the site name, and the installation directory.
Installation Source Files You need to specify the source of the files. You can copy the files from
the parent site to the secondary site, use source files from a network
location, or use source files that are already available locally on the
SQL Server Settings You have the option to install and configure SQL Server Express or to use
an existing instance of SQL Server. SQL Server Express options include the
SQL Server service port and SQL Server Service Broker port. When using
an existing SQL Service instance you need to specify the FQDN of the
SQL Server, an instance name if applicable, the database name, and the
SQL Server Service Broker port.
Distribution Point This page contains the distribution point settings. If necessary, you can
install Internet Information Services (IIS) on the secondary site server.
Additionally, you configure the client communication settings and you
can configure the distribution point for prestaged content.
Drive Settings You configure the drive space reserve, the minimum free space
Configuration Manager will leave on a drive. Additionally, you can
configure the drives to locate the content.
Content Validation You can set a schedule to validate the content of the distribution point
with the source.
Boundary Groups You should identify the boundary groups on which this distribution point
will be available.
Windows PowerShell
System Center 2012 Configuration Manager SP1 introduced support for additional Windows PowerShell
Configuration Manager cmdlets, including a cmdlet for installing a secondary site. You can use the
New-CMSecondarySite cmdlet to install a secondary site. For more information about the options
available with this cmdlet, see: http://technet.microsoft.com/en-us/library/jj850174(v=sc.10).aspx.
Configuring a Secondary Site

A secondary site can support a limited number
of the optional Configuration Manager roles. The
following table shows the optional roles that you
can install in a secondary site and whether they
provide site-only functionality or hierarchy-wide
functionality.
Distribution point Site By default, Setup installs a distribution point when a

secondary site is installed.
Management point Site By default, Setup installs a management point when a

secondary site is installed.
Software update point Site You can install a software update point in a secondary
site so that clients will not have to access a software
update point across a low bandwidth WAN link.
State migration point Site You can install a state migration point in a secondary
site to support operating system deployment
operations in a remote location.
System Health Validator Hierarchy You can install a System Health Validator point in a
point secondary site to support Network Access Protection
(NAP) operations in a remote location.
Lab C: Installing a Secondary Site

Scenario
You are a network administrator for A. Datum Corporation. A. Datum wants to deploy System Center 2012
Configuration Manager in a complex hierarchy with a central administration site, two primary sites, and a
secondary site.
Previously, you installed the central administration site and two primary sites.
Objectives
You must install a secondary site under the existing New York primary site by:
1. Configuring prerequisites.
2. Installing a secondary site from a primary site.
3. Validating the installation.
Lab Setup

10748C-LON-CFG-B
10748C-LON-CAS-B
10748C-NYC-CFG-B
10748C-TOR-CFG-B
Password Pa$$w0rd
1. On the host computer, if it is not already started, start Hyper-V Manager.
2. In Hyper-V Manager, verify that 10748C-LON-DC1-B, 10748C-LON-CAS-B, and 10748C-NYC-CFG-B

are still running and connected, and that you are signed in as Adatum\Administrator.
3. Do not start 10748C-TOR-CFG-B until the lab instructs you to.
Exercise 1: Configuring Prerequisites

Scenario
You need to validate that the prerequisites required for the secondary site installation are configured
correctly on the server.
1. Prepare the environment for the TOR-CFG secondary site.
2. Start TOR-CFG and launch Server Manager.

3. Verify that Web Server (IIS) and related role services are installed.
4. Verify that the BITS and remote differential compression features are installed.
 Task 1: Prepare the environment for the TOR-CFG secondary site

• On LON-DC1, add TOR-CFG to the ConfigMgrServers security group.
 Task 2: Start TOR-CFG and launch Server Manager

1. Start 10748C-TOR-CFG-B, and then sign in as Adatum\Administrator.
2. Start Server Manager.

3. On TOR-CFG, from Server Manager, open Computer Management.
4. Expand Local Users and Groups, and then click the Groups node.
5. Add the computer account of the primary site server NYC-CFG to the local Administrators group.
6. Close the Computer Management console.
 Task 3: Verify that Web Server (IIS) and related role services are installed
• In the Server Manager console, click Local Server, and then under the Roles and Features section,
verify that the following Role Services are installed:
o Common HTTP Features
 Default Document
o Security
 Windows Authentication
o Application Development
 ASP.NET 3.5
 ASP.NET 4.5
 .NET Extensibility 3.5
o IIS 6 Management Compatibility
 IIS 6 Metabase Compatibility
 IIS 6 WMI Compatibility
 Task 4: Verify that the BITS and remote differential compression features are
installed
• In the Server Manager console, under the Roles And Features section, verify that the following
features are installed:

o Remote differential compression
Results: At the end of this exercise, you should have validated the prerequisites for installing a System
Center 2012 Configuration Manager secondary site.
Exercise 2: Installing a Secondary Site from a Primary Site

Scenario
You need to perform the installation of the secondary site in the Toronto branch office with the site code
TOR on the TOR-CFG.adatum.com server by running the Secondary Site Installation Wizard from the New
York primary site.
The main task for this exercise is as follows:

1. Run the Secondary Site Installation Wizard.
 Task 1: Run the Secondary Site Installation Wizard

1. On NYC-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, under Site Configuration,
click the Sites node.
3. In the results pane, select NYC – New York City Primary Site, and then, on the ribbon, click Create
Secondary Site.
4. In the Create Secondary Site Wizard, use the following settings to install a secondary site:
a. On the General page, configure the following options:

 Site code: TOR
 Site server name: TOR-CFG.Adatum.com
 Site Name: Toronto Secondary Site
b. On the Installation Source Files page, click Copy installation source files over the network
from the parent site server.
c. On the SQL Server Settings page, click Install and configure a local copy of SQL Server
Express on the secondary site computer, and then verify that the following information is
specified:
 SQL Server service port: 1433
 SQL Server Service Broker Port: 4022
d. On the Distribution Point page, accept the default settings.
e. On the Drive Settings page, accept the default settings.

f. On the Content Validation page, accept the default settings.
g. On the Boundary Groups page, accept the default settings.
h. Finalize and close the wizard.
Note: When the Create Secondary Site Wizard finishes, the installation will continue in the
background on the target server. To validate the installation, verify the installation logs in the
next exercise.
5. In the Configuration Manager console, select TOR – Toronto Secondary Site, and then, on the
ribbon, click Show Install Status. Review the progress of the installation actions, click Refresh to
monitor the status, and then close the dialog box. It takes approximately 15-20 minutes for the
installation to complete.
Results: At the end of this exercise, you should have installed the System Center 2012 Configuration
Manager secondary site.

Scenario
You need to validate the installation of the secondary site. You will review the setup log found on the
secondary site server after installation and view the system status of the secondary site by using the
Configuration Manager console that is connected to the parent primary site.

1. View the setup logs.
2. View the system status for the new secondary site.
 Task 1: View the setup logs

• On TOR-CFG, open Windows Explorer, navigate to drive C, and then open the ConfigMgrSetup.log
file in Notepad. Review the file, note any errors or warnings reported by Setup, and then close
Notepad.
 Task 2: View the system status for the new secondary site
1. On NYC-CFG, in the Configuration Manager console, in the Monitoring workspace, under the Site
Status node, view the status of the site systems for TOR-CFG.
Note: You can view the secondary site status at the parent primary site and at the central
administration site. It may take several minutes until the installation finishes and the secondary
site status appears in the console.
2. Under the Component Status node, view the status of the components for TOR-CFG.
3. Under the Database Replication node, view the status of the replication link between NYC and TOR.
It should show that the link is active.
4. Under the Site Hierarchy node, view the site hierarchy diagram. On the NYC icon, click the plus sign
to view TOR.
Note: The line between NYC and TOR represents the state of the database replication
between the sites. This line can have several different symbols depending on the replication
status.
• ? in a white circle is shown when the status has not yet been reported.
• X in a red circle is shown when the status has been reported and the initial replication is incomplete
or there is an error during ongoing replication.
• √ in a green circle is shown when the initial replication has competed successfully and there are no
errors in the ongoing replication.

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
4. Repeat steps 2 and 3 for 10748C-LON-CAS-B, 10748C-NYC-CFG-B, 10748C-LON-CFG-B, and

10748C-TOR-CFG-B.
Results: At the end of this exercise, you should have validated the installation of a System Center 2012
Configuration Manager 2012 secondary site.
Question: How do you install a secondary site?
Question: What site roles are installed in a secondary site?

Question: When can you use a distribution point instead of a secondary site?

Review Questions
Question: Which roles cannot be installed in the central administration site?
Question: Which roles cannot be installed in a child primary site?
Question: How can you install a secondary site?
Tools
The tools in the following table are useful during the Configuration Manager deployment process.
Tool Use Where to find it
Extadsch.exe To extend the Active Directory® Configuration Manager installation

Domain Services schema media in the \smssetup\bin\x64\ folder
Ldifde.exe As an alternative method for extending Built-in Windows tool

the Active Directory schema
SetupDL.exe To predownload updated components Configuration Manager installation

required for Configuration Manager media in the \smssetup\bin\x64\ folder
installation
Prereqchk.exe To verify that a system is ready for Configuration Manager installation

Configuration Manager installation media in the \smssetup\bin\x64\ folder
5-1
Module 5
Replicating Data and Managing Content in Configuration
Manager 2012
Contents:
Module Overview 5-1
Lesson 1: Introduction to Data Types and Replication 5-2

Lesson 2: Managing Data Replication 5-12
Lab A: Configuring, Monitoring, and Troubleshooting Data Replication 5-21

Lesson 3: Planning Content Management 5-26
Lab B: Planning and Configuring Content Management 5-35
Module Overview
In a Microsoft® System Center 2012 R2 Configuration Manager multiple-site hierarchy, data is transferred
between sites to allow for centralized administration and reporting. Understanding how data transfer
works helps you monitor the data flow in your Configuration Manager hierarchy and troubleshoot
replication issues.
Configuration Manager 2012 uses database replication and file-based transfer to transfer data between
sites. The data transfer method that Configuration Manager 2012 uses depends on the type of data it is
transferring.
In this module, you will review the data types, including global data, site data, and content. You will also
examine the location of the data and the replication process of the data to other sites in a Configuration
Manager hierarchy. Additionally, you will use the features in the Configuration Manager console to
monitor and troubleshoot replication.
Configuration Manager 2012 relies on the distribution point infrastructure to provide content
management functionality. In this module, you will review the content management features, plan the
configuration of distribution points, and distribute and monitor content. You will also perform content
validation and content prestaging.
Objectives
• Describe site and global data types and how data is replicated throughout the hierarchy.
• Manage data replication.
• Plan for content management.

5-2 Replicating Data and Managing Content in Configuration Manager 2012
Lesson 1
Introduction to Data Types and Replication
Configuration Manager 2012 data that is transferred between sites is categorized in three data types:
global data, site data, and content. Depending on its type, some data is copied to all sites; other data is
copied to only some sites in the hierarchy. By understanding each data type—where it is created, how it is
transferred, and where it is used—you can monitor and troubleshoot Configuration Manager inter-site
communication efficiently.
In this lesson, you will review where each of these types of data is created and used in a Configuration
Manager hierarchy.
Lesson Objectives
• Describe the different types of data that Configuration Manager 2012 uses.
• Describe the types of global data.
• Describe the types of site data.

• Describe the content types.
• Describe database replication and file-based replication.
• Describe how global data is replicated in a hierarchy.

• Describe how site data is replicated in a hierarchy.
• Describe how content is transferred between sites and within the same site.
Data Types in Configuration Manager 2012

uses site-to-site communications to transfer
the following types of data between sites:
• Global data, which consists of objects that

an administrator creates at the central
administration site or at primary sites.
• Site data, which is operational information

that site systems in a primary site and the
clients assigned to them generate
automatically.
• Content, such as packages, application files,
and software updates that deployments use.
Depending on its type, data can be used in the local site only or can be replicated to other sites in the
hierarchy. The administrator determines where content is transferred by configuring content distribution.
Configuration Manager 2012 uses different replication methods, depending on the data type being
replicated.
The following table summarizes the three data types, where they are created, and the replication methods
used.
Data type Where it is created Where it is transferred Replication method
Global data At the central To the central administration Database replication

administration site and site and all primary sites; a
at primary sites subset of global data is
transferred to secondary sites
Site data At primary sites To the central administration Database replication

site
At secondary sites To the parent primary site File-based replication
Content At primary sites To distribution points in the File-based replication

and at the central same site or child sites in a
administration site hierarchy
Note: You will learn about database replication and file-based replication in more detail in
Lesson 2.
Types of Global Data

Global data consists of objects that administrators
create at the central administration site or at
primary sites. Administrators can create global
data by using the Configuration Manager console
connected to the central administration site or to
primary sites.
An example of global data is collection
membership rules. The administrator creates
the collection membership rules that define
each collection. Collection rules’ definitions
are replicated throughout the hierarchy and
evaluated at each site to determine the list of
collection members.
In contrast, the list of collection members is site data. You will see an explanation of collection members in
the next topic.
Global data is replicated automatically from the primary site where it is created to the central
administration site and to all the other primary sites; global data created at the central administration
site is also replicated to all primary sites. A subset of global data is replicated to secondary sites. Because
of this, administrators see global data in the same way regardless of the site database to which he or
she connects with the Configuration Manager console. For example, a collection definition that an
administrator creates at one of the sites is replicated to the central administration site and all primary
sites in the hierarchy.
The following table lists some examples of global data.
Global data types Usage
Alert rules Alert rules determine when to notify the administrators for specific
events by specifying the events that will raise alerts and the recipients
who will receive the alerts.
Collection rules Collection rules determine the membership of each collection. Four
types of collection rules exist: direct, query, include, or exclude. The
collection rules are evaluated independently at each primary site.
Deployments Deployment definitions describe the objects associated in a deployment,

including the content to be deployed and the collection to which it is
deployed.
Package metadata Package metadata contains information about the software and the
source files used in a deployment, platforms on which the software can
be deployed, and other information necessary to perform the
deployment.
Program metadata Program metadata contains information about the command line and
parameters that Configuration Manager uses to perform a deployment.
Software update Software update deployment definitions contain information about the
deployments objects used in a software update deployment, including the updates to
be deployed and the collection to which they are deployed.
Software update Software update metadata contains information about the executable
metadata files included in software updates, platforms to which the updates apply,
and other useful software update information, such as language, name,
date released, and sensitivity.
Configuration item Configuration item metadata contains the definition of configuration

metadata items used to determine the compliance of managed systems with
configuration settings that the administrator defines.
Task sequence metadata Task sequence metadata defines the task sequence as individual steps to
be executed.
Site control definition The site control definition contains information about the site
configuration.
Site servers list The site servers list contains the list of servers and corresponding site
system roles installed in each site.
Role-based administration Security roles are assigned to administrative users to grant permissions
security roles, security on object types in the Configuration Manager hierarchy. Security scopes
scopes, and administrative limit administrative permissions to specific objects in the hierarchy.
users Administrative users associate roles, scopes, and collections to the Active
Directory® Domain Services (AD DS) users and groups.
Types of Site Data

Site data is operational information that
Configuration Manager sites and clients generate
automatically. After site data is generated at the
originating primary site or secondary site, it
replicates to the central administration site but
not to other primary or secondary sites.
For example, primary sites use collection rules to

determine collection membership, resulting in the
list of members. The list of members is an example
of site data. The list contains clients assigned to a
primary site, and clients that meet the collection’s
membership criteria.
Another example of site data is client inventory. Clients generate hardware and software inventory, which
is then added to each primary site’s database, which in turn replicates to the central administration site.
The following table lists some examples of site data.
Site data types Description
Alert messages Site systems at each site generate alert messages.
Collection Collection membership lists contain the objects that are members of the
membership lists collection after evaluating the collection rules at each primary site.
Hardware inventory The hardware inventory client agent collects hardware inventory data from
data the Configuration Manager clients.
Software inventory The software inventory client agent collects software inventory data from the
data Configuration Manager clients.
Software metering The software metering client agent collects software metering data from the
data Configuration Manager clients.
Asset Intelligence Asset Intelligence data adds additional classes and attributes to the data
data collected by the hardware inventory agent at the Configuration Manager
clients.
Status messages and Site systems and clients generate status messages to report status
alerts information to the site server. The site server generates alerts when it
encounters specific error conditions that administrators have configured.
Software distribution Clients generate software distribution status details that report the status of a
status details particular deployment.
Component and site Component and site status summarizers aggregate status messages to
status summarizers determine the overall health status of the site systems and components.
Client health data Configuration Manager determines client health data by using information
such as last connection time, hardware inventory, and software inventory.
Client health history Client health history contains aggregated information about client health.
You can use client health history to obtain reports about client health over a
specific period.
Site data types Description
Wake On LAN data Wake On LAN data contains the history of all Wake On LAN operations
performed.
Quarantine client Quarantine client restriction history contains the list of clients that are
restriction history restricted by Network Access Protection.
If the Configuration Manager console is connected to a primary site, you will see the global data and only
the site data that has originated from that site or any child secondary site. To see site data from all sites
and to perform administration and reporting for the entire hierarchy, you must use a Configuration
Manager console at the central administration site. You can modify site data only at the primary site
where it was created.
Content Types
Configuration Manager administrators create
content at the central administration site or at
primary sites. Content is transferred down the
hierarchy to site servers and distribution points
according to distribution settings that
administrators configure.
Configuration Manager 2012 uses the same Server

Message Block–based (SMB-based), file-based
replication mechanism as Configuration Manager
2007 to transfer content, such as packages,
between sites.
Content Description
Applications Applications contain all objects used to deploy software. The application
metadata, definitions for deployment types, requirements, supersedence, and
other application settings for deploying software are replicated by using the new
application model; however, only the source files are replicated by using file-
based replication.
Software Software packages contain source files and definitions used to deploy software by
packages using the classic software deployment model.
Software update Software update packages contain software update metadata and update files
packages used to perform update management.
Driver packages Driver packages contain driver metadata and driver files. Driver packages are used
for operating system deployments. Only the driver files are replicated by using
file-based replication.
Operating Operating system images contain preconfigured operating system installations.

system images These images are used for operating system deployments.
Operating Operation system installers contain installation files imported from the installation
System installers media. Operating system deployments utilize these installers.
Boot images Boot images contain the Windows Preinstallation Environment (Windows PE) that
is used to boot computers and initiate the operating system deployment process.
Intersite Communication in Configuration Manager 2012

Within a hierarchy, the sites communicate
with each other by exchanging data. The
communications occur by using either
database replication or file-based replication.
Database Replication
Configuration Manager 2012 database replication
is a custom replication method. Configuration
Manager 2012 does not use the older replication
methods included in Microsoft SQL Server®, such
as transactional replication. You do not need to
install SQL Server–based replication components.
Configuration Manager database replication uses SQL Server Service Broker to transfer data between
SQL Server databases installed in different sites in a hierarchy.
By default, the Configuration Manager database replication mechanism uses the following ports to
transfer data:
• Port 1433 for the SQL Server instance

• Port 4022 for the SQL Server Service Broker
If you have configured the SQL Server instance to use different ports, the SQL Server Service port will
be detected automatically and you will have to specify a non-default SQL Server Service Broker port.
File-Based Replication
File-based replication between Configuration Manager 2012 sites uses the same mechanism as
Configuration Manager 2007 replication. This mechanism is based on senders and the SMB protocol.
The SMB protocol uses TCP port 445.
Note: A sender is the communication mechanism implemented in Configuration Manager

to transmit data between sites and control bandwidth usage. The sender uses SMB as the
underlying communication protocol. Unlike Configuration Manager 2007, Configuration
Manager 2012 supports only a single type of sender.
Configuration Manager 2012 secondary sites use file-based replication to transfer site data to their parent
primary site. File-based replication is also used to transfer fallback status point state messages to the
assigned site when a client’s assigned site does not have a fallback status point. In addition, the initial
transfer of discovery data records to the assigned site requires the use of file-based replication.
The following table summarizes data types that are transferred by using file-based replication between
sites.
Data Destination
Package files used by Sent to distribution points located in primary and secondary sites.
deployments
Secondary site data Sent to the parent primary site of the secondary site.
Fallback status point state Forwarded to the assigned site when only a single fallback status
messages point is in use in a hierarchy.
Data Destination
Discovery data records Forwarded to the assigned site when clients are not assigned to
the site that discovered them. The discovery data record is
processed locally at the assigned site and the information is
replicated to other sites in the hierarchy by using database
replication.
Data collected from clients at Transferred to the parent primary site by using file-based
secondary sites replication.
How Global Data Is Replicated in a Hierarchy

Global data consists of configuration information
that administrators create. Global data is
replicated to all sites in the hierarchy.
Creation of Global Data

Administrators can create global data by using the
Configuration Manager console connected at the
central administration site or at any primary site.
The types of global data that an administrator can
create depend on the security roles assigned to
that administrator:
• Typically, the hierarchy administrator can
create global data in any site in the hierarchy.
• Security scopes usually limit the primary site administrators’ permissions. This allows primary site
administrators to manage objects from only their primary site. Any objects that they create are global
data and will be replicated to the central administration site and all other primary sites.
Replication of Global Data

Global data is replicated to the central administration site and all primary sites in the hierarchy by using
database replication. A subset of global data is replicated to secondary sites by using database replication.
For example, consider a Configuration Manager hierarchy that consists of a central administration site and
two primary sites, Site A and Site B. An administrator creates a collection in primary Site A. The collection
definition, which includes membership rules, is replicated to the central administration site and to primary
Site B. The collection membership rules are evaluated at both primary sites; both Site A and Site B
determine the list of collection members for their respective sites based on collection membership rules.
Collection membership, however, is site data.
Multiple Edits of Global Data

Different administrators who are in different locations can attempt to edit the same global object at the
same time. To prevent multiple administrators from editing the same data, when the first administrator
opens an object for editing, this action places a lock on the object. When other administrators attempt to
open the object, they will receive a message indicating that the object is in use and is available as read-
only. After the first administrator closes the object, other administrators can edit the object.
How Site Data Is Replicated in a Hierarchy

Site data is generated automatically as a
result of site activity. Configuration Manager
administrators can review and delete site data,
but depending on how it was created, it may
be generated again.
Creation of Site Data

Both Configuration Manager clients and site
systems in each site can generate site data. For
example:
• A site server can generate an alert if the

replication between sites is not functioning
correctly.
• A client collects hardware and software inventory and sends it to its assigned primary site.
• A client sends status messages related to a deployment to the primary site.
Replication of Site Data

Site data is located at the originating primary site and is replicated to only the central administration site
by using database replication. Secondary sites use file-based replication to transfer site data to their
parent primary site.
Accessing Site Data

Site data is available in the Configuration Manager console and through reports. When using reports,
administrators can access site data from a primary site or from the entire hierarchy, depending on the
location from which the reports are run. Hierarchy administrators can access site data from all sites in
the hierarchy by connecting the Configuration Manager console to the central administration site or
by running reports on a reporting services point in the central administration site. Administrators who
connect the Configuration Manager console to a primary site or run reports from a reporting point in a
primary site generate reports that contain site data from only the local site.
For example, consider a hierarchy that contains a central administration site, primary sites named Site A
and Site B, and a secondary site, Site C, which is a child of Site B. In this scenario, the site administrator
from Site A can access site data from only Site A and the site administrator from Site B can access site data
from only primary Site B and its secondary Site C. The administrator from the central administration site
can access site data from all the sites in the hierarchy.
How Content Is Replicated in a Hierarchy

Content, such as files that will be used for a
deployment, is distributed by using file-based
replication to site servers and distribution points
according to distribution settings that
administrators configure.
When planning for distributing content in a

Configuration Manager hierarchy, you must follow
your organization’s content lifecycle. You should
be able to answer the following questions:
• Where is content created?

• Where is content distributed?
• Where is content deployed?
By answering the questions above, you will be able to design your distribution infrastructure to fit your
organization’s needs. You will learn more about planning for content management in Lesson 3, later in
this module.
Content Creation
Configuration Manager administrators can create content at any primary site or central administration
site.
Initially, content is placed in the content library located on the site server in the originating site. Content
library, a new feature included in Configuration Manager 2012, implements single-instance storage for
content.
Content Distribution
After creating content, the administrator can distribute the content to distribution points—that the site
is aware of—located throughout the hierarchy. One method administrators can use to distribute content
simultaneously to multiple distribution points is to implement distribution point groups. When an
administrator assigns a package to a distribution point group, the package will be transferred to all
distribution points that are part of that group. When an administrator adds a new distribution point to
the distribution point group, the content is distributed automatically to the new distribution point.
Content is transferred between sites by using senders that use the SMB protocol. Content is transferred
within the same site between the site server and distribution points by using Package Transfer Manager,
which also uses file-based replication and the SMB protocol. For this reason, any firewalls located between
sites, and between the site servers and distribution points, must allow SMB traffic.
The administrator can configure content routing between two secondary sites by configuring the content
to be copied from a secondary site to another secondary site instead of directly from the primary site
server. This process can reduce the network traffic on the link between a secondary site and parent
primary site if the secondary sites have a better connection among themselves than with the parent site.
Content Deployment
Because deployment definitions are global data and are replicated to all sites in the hierarchy, an
administrator from a primary site can deploy content that an administrator creates in a different primary
site. However, to perform the deployment successfully, and so that clients can access the content locally,
the content should first be distributed to distribution points in the local primary site.
Configuration Manager clients connect by using HTTP or HTTPS to a distribution point in their assigned
site that has the content available, download the content, and install it on the local system, according to
the deployment settings received in the policy. Because the transfer from the distribution point to the
local system uses HTTP or HTTPS, the traffic can usually pass through any firewalls.
Lesson 2
Managing Data Replication
When you install a primary site or a secondary site in an existing Configuration Manager hierarchy,
database replication is configured automatically with the parent site. Additionally, when expanding a
Configuration Manager 2012 stand-alone site into a hierarchy with a central administration site, database
replication is automatically configured. However, you can configure some settings for use by the new site,
such as the SQL Server ports and the SQL Server instance. After upgrading to Configuration Manager R2
or Configuration Manager SP1, you benefit from the additional configuration options, including defining
on-demand data replication.
In the Configuration Manager console, you can monitor Configuration Manager database replication. You
can use tools, such as Replication Link Analyzer, to troubleshoot the replication process.
Lesson Objectives
• Describe how to manage file-based replication.
• Describe how to manage database replication.
• Describe the tools for monitoring replication.

• Manage and monitor replication.
• Describe the reports for monitoring replication traffic.
• Describe how to troubleshoot replication.
Managing File-Based Replication

When you create a parent-child relationship in a
Configuration Manager hierarchy, replication is
configured automatically between the parent and
child sites. Later, you can create routes manually,
if you want to customize the connection
configuration. You can view the file-based
connections in the File Replication node,
under the Hierarchy Configuration folder in the
Administration workspace. For each parent-child
relationship that you create, a corresponding file
replication route is also created.
File-based replication used to communicate

between site servers uses a file replication account to connect to the SMS_SITE share on the destination
server; each file replication route can define a separate file replication account. When a site server is
installed, a local group named SMS_SiteToSiteConnection_xxx (where xxx is the site code) is created.
The SMS_SiteToSiteConnection_xxx group is granted change permissions to the SMS_SITE share and
modify permissions to the underlying folder. When a new file replication route is created, the destination
computer’s Active Directory computer account is added to the SMS_SiteToSiteConnection_xxx group.
Note: Configuration Manager 2012 SP1 introduced name changes to the file-based
replication components for naming consistency with database replication. The following table
lists the name changes.
Configuration Manager 2012 SP1 and newer

Prior to Configuration Manager 2012 SP1
versions
Site Address Account File replication account
Address File replication route
Addresses node in the Configuration Manager File Replication node in the Configuration
console Manager console
You can configure a file replication route to support the connection to the remote site and to control the
bandwidth that the file replication route can use. A file replication route’s properties dialog box has three
tabs that you use to configure file-based replication:
• General tab. The General tab displays general information that you cannot change without recreating
the route. This includes the Source site code and site name, the Destination site code and site name,
and the destination servers’ name. The configurable option on the General tab is the File Replication
Account. By default, the file replication route uses the source computer’s Active Directory account.
You can change the account that a primary site will use to any Active Directory account. Secondary
sites always use the computer account of the secondary site server as the File Replication Account.
The File Replication Account needs permissions to write to the destination site servers SMS_SITE share.
• Schedule tab. You can use the Schedule tab to limit the amount of communication traffic during
configured time periods by restricting when data can be sent to the destination site. By default, the
file replication route is open to all priorities at all times. The following table describes the options for
configuring the schedule.
Time Priorities
The minimum unit of time that you can For the selected blocks of time, you can choose:
schedule is one hour. You can choose any
• Open for all priorities
one-hour block, multiple one-hour blocks,
entire days, or a block of time across all • Allow medium and high priority
days.
• Allow high priority only
• Closed
• Rate Limits tab. The Rate Limits tab has configuration options to prevent Configuration Manager from
consuming all available bandwidth on the connection. The options for configuring the rate limits are:
o Unlimited when sending to this destination. There are no limits on the bandwidth usage.
o Pulse mode. You can specify the amount of data to send at one time, in kilobytes (KB), and how
long to wait between transmissions, in seconds.
o Limited to specified maximum transfer rates by hour. By using this setting, you can specify the
maximum percentage of bandwidth that can be used during each hour of the day.
 You can configure how the data will be transmitted based on one-hour increments through
the day.
 All days share the same schedule.
The file replication route relies on the sender process to transmit the data. The sender is the Configuration
Manager component that transmits the data from one site to another. You can control some behavior of
the sender by using the configuration options on the Sender tab in the site properties dialog box.
You can use the Maximum concurrent sendings option to specify the maximum number of simultaneous
communications. The following table describes the settings in this option.
Setting Description
All sites By default, the site will have a combined maximum number of five simultaneous
communications to all sites.
Per site By default, the site will have a maximum of three simultaneous communications to
a single site.
You can use the Retry Settings option to specify what actions to take when a communication fails. The
following table describes the settings in this option.
Setting Description
Number of retries By default, a failed communication will be retried two times.
Delay before retrying (minutes) By default, retries will be tried one minute apart.
Managing Database Replication

Configuration Manager database replication is
performed by using a custom replication method
based on SQL Server Service Broker that is built
into Configuration Manager.
Because Configuration Manager does not use
older SQL Server–based replication methods, such
as transactional replication, configuration settings
for Configuration Manager database replication
are not accessible in the SQL Management Studio
console. Therefore, Configuration Manager 2012
RTM database administrators had no ability to
manage the replication of Configuration Manager
data between sites. Administrators can monitor Configuration Manager database replication only in the
When you install a primary site in a hierarchy, or expand a primary site into a hierarchy when installing
a central administration site, replication is configured automatically between the primary site and the
central administration site. Similarly, replication is configured automatically between each secondary site
and the parent primary site.
Beginning with Configuration Manager 2012 SP1, a Configuration Manager administrator can configure
some database replication settings. There are several configuration options for managing the database
replication link:
• Distributed views. You can configure this option on the General tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can enable distributed views for
any or all of the following: Hardware inventory, Software inventory and software metering, and Status
messages. When you enable distributed views, the primary site does not replicate the selected
information to the central administration site. By default, these settings are not enabled. Distributed
views are only available for primary site to central administration site replication.
• Replication data summary. You can find this option on the General tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can use the Replication data
summary setting to configure how often Configuration Manager summarizes reporting data for
database replication traffic. By default, this interval is 15 minutes.
• Scheduling. You can schedule database replication on the Schedule tab of the
<ParentSiteCode><ChildSiteCode>Replication Link Properties. You can configure when replication
will be available throughout the week. Additionally, you can control which data will replicate during
those times, either All site data or any or all of the following:
o Hardware inventory
o Software inventory and software metering
o Status messages
Additional database replication configuration options are available by right-clicking the
<ParentSiteCode><ChildSiteCode> Replication Link and selecting either Child Database Properties or
Parent Database Properties. On the Database tab of the <Site> Database Properties, you can configure
the following options:
• SQL Server Service Broker port. By default, the SQL Server Service Broker uses port 4022.
• Data compression. By default, compression is enabled. This setting applies to all the data replication
links.
• Data retention. Data retention can be set between 1 and 14 days, and is set to 5 days by default. If
replication is interrupted for longer than the data retention period, the global data will be reinitialized
from the parent site after replication is restored.
By default, database replication takes place over ports 1433 and 4022. These ports need to be open at
firewalls before installing the new Configuration Manager sites to allow replication between sites. Because
ports are configurable, you can change their settings during or after installation of the new sites. You also
need to ensure that the site server can communicate with the site database if the site database is hosted
on a separate server.
Monitoring Replication
You can monitor replication in the Configuration
Manager console, in the Monitoring workspace,
in the Database Replication node. You can review
the link statuses for all replication connections. A
replication link will have one of the following
statuses:
• Link Active. No problems have been detected

and communication across the link is current.
• Link Degraded. Replication is functional,

but at least one replication object has been
delayed. You should monitor links in this
state and review information from both sites
involved for indications that the link might fail.
• Link Failed. Replication is not functional. It is possible that a replication link will recover without
further action. Consider using Replication Link Analyzer to investigate and remediate replication on
this link.
When you select a replication connection in the results pane, you can view detailed information in the
preview pane, including:
• A summary of the replication status between the parent and child site.
• Detailed replication information about the parent site.
• Detailed information about the child site.
• Detailed information about each replication group.
• Detailed information about the replication process.
You can obtain additional information by saving a diagnostic file. You need to select the replication
connection and then click the Save Diagnostic File button on the ribbon. The diagnostic file is a text file
containing detailed information about the replication and link statuses.
For further troubleshooting, you can use Replication Link Analyzer, to perform a series of tests for the
replication link:
• Checking the SMS_EXECUTIVE on the parent site server

• Checking the SMS_EXECUTIVE on the child site server
• Checking network connectivity between sites

• Checking replication queues on the local SQL Server instance
• Checking replication queues on the remote SQL Server instance
• Checking connectivity between the local site server and the remote SQL Server instance
• Checking connectivity between the local SQL Server instance and remote SQL Server instance
• Checking replication initialization on sites
• Checking computer clock synchronization between site servers

• Checking for a valid SQL Server Service Broker certificate on site servers
• Checking for a valid SQL Server Service Broker account on site servers
• Checking for free disk space on the system running SQL Server
You can save the test results as an XML file by clicking the Replication Link Analyzer Report link on the
Troubleshooting Report page.
You also can configure alerts to be generated when the replication link is inactive for a specified interval
of time (the default interval is 30 minutes) in the <ParentSiteCode><ChildSiteCode>Replication Link
Properties dialog box.
The console displays alerts if the replication link is inactive for the specified period.
Demonstration: Managing and Monitoring Replication

• Configure a file replication link.

• Configure a database replication link.
• Configure sender properties.
• Monitor replication.
Demonstration Steps
Configure file-based replication
1. On LON-CAS, start the Configuration Manager console, and then click the Administration
workspace.
2. Open the Hierarchy Configuration folder, and then click the File Replication node.
3. Configure the Adatum Site S01 London Central Administration Site CAS with the following
settings:
o For Sunday midnight availability, select Closed
o For 0 to 4, set Limit available bandwidth (%) to 50%.
Configure database replication

1. Click the Database Replication node.
2. Review the CAS Central administration site S01 Primary site database replication link, and then
click Child Database Properties.
3. Configure the Link Properties of the CAS Central administration site S01 Primary site database
replication link, with the following settings:
o Summarization interval (minutes): 5

4. Review the settings on the Schedule and Alerts tabs.
Configure sender properties

1. Expand the Site Configuration node and navigate to S01 – Adatum Site.
2. Open the Software Distribution settings for S01 – Adatum Site.
3. Configure the General tab with the following settings:
o Maximum number of packages: 5
o Maximum threads per package: 8
o Number of retries: 5
o Delay before retrying (minutes): 5
Monitor replication
1. Open the Monitoring workspace.
2. In the Database Replication node, select the CAS to S01 replication link. Verify that the Link State
shows Link Active. If it does not, refresh the results pane.
3. Review the information available in the preview pane, under Replication Status. Verify that, in the
Site Replication Status section, both Parent Site State and Child Site State display a status of
Replication Active.
4. In the Global Data Replication Status section, verify that both Parent Site to Child Site Global
State and Child Site to Parent Site Global State display a status of Link Active and that the Last
Synchronization Time reflects today’s date.
5. In the preview pane, at the Parent Site tab, review the information available in the Replication
Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
6. In the preview pane, on the Child Site tab, review the information available in the Replication Status
area.
Reports for Monitoring Replication Traffic

By default, Configuration Manager summarizes
reporting of data for database replication every 15
minutes. This data is used in reports that you can
use to monitor the data replication environment.
The following table describes the replication
traffic reports.
Report name Description
Global Data Replication Traffic This report contains a line chart that displays total global data
Per Link (line chart) replication traffic on a specific link for a specified number of days.
Global Data Replication Traffic This report contains a pie chart that displays total global data
Per Link (pie chart) replication traffic on a specific link for a specified number of days.
Hierarchy Replication Traffic By This report contains a pie chart report that displays total replication
Link traffic for each link in the hierarchy for a specified number of days.
Hierarchy Top Ten Replication This report contains a pie chart report that displays the replication
Group’s Traffic Per Link (pie traffic for the top ten replication groups across the entire hierarchy
chart) by link.
Link Replication Traffic This report contains a line chart that displays total replication traffic
for all data for a specified number of days.
Replication group traffic link This report contains a line chart that displays the replication group
network traffic over a specific database replication link for a
specified number of days.
Site Data Replication Traffic This report contains a line chart that displays total site data
Per Link (line chart) replication traffic on a specific link for a specified number of days.
Site Data Replication Traffic This report contains a pie chart report that displays total site data
Per Link (pie chart) replication traffic on a specific link for a specified number of days.
Total Hierarchy Replication This report contains a line chart that displays hierarchy aggregate
Traffic (line chart) global and site data replication for each direction of every link for a
specified number of days.
Total Hierarchy Replication This report contains a pie chart report that displays hierarchy
Traffic (pie chart) aggregate global and site data replication for each direction of
every link for a specified number of days.
Troubleshooting Replication
Multiple Configuration Manager components
are involved in a database replication. The
troubleshooting actions that you perform depend
on the components that fail. Troubleshooting the
replication process is similar to troubleshooting
other aspects of Configuration Manager; that is,
you use the available tools and log files. Perform
the following steps to troubleshoot replication
errors:
1. Use the Replication Link Analyzer. The

Replication Link Analyzer will identify most
issues with the replication link.
2. Check replication log files. If you cannot find the issue in the Replication Link Analyzer, check the
rcmctrl.log and replmgr.log files. You can adjust the logging level with the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components
\SMS_REPLICATION_CONFIGURATION_MONITOR\Verbose logging
The values that you can use are:

o Value 0. Errors and key messages (default value)
o Value 1. All information in value 0 and warnings and more general information
o Value 2. Verbose (all information)
3. Run a stored procedure on SQL Server. On the SQL Server instance, you can run the spDiagDRS
stored procedure to view detailed information about the database replication process.
4. Check the SQL Server Service Broker log. By default, the SQL Service Broker log file is located at
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\ErrorLog.
5. Reinitiate the data. You can use the spDrsSendSubscriptionInvalid stored procedure to reinitiate
the data. You should consider this step as a last resort because it will cause all the data to be
rereplicated between the sites.
The following table lists typical remediation actions that you can perform.
Issue Corrective action
SMSExec service stopped on • If SMSExec stops responding, restart it on the sending or target
sending or target site site server.
Network communication down • Verify network adapter and drivers.

• Call network support/external help.
Connection with SQL Server • Restart SQL Server Service.

cannot be established
• Restart SQL Server Service Broker.
Site server clocks are not in • Verify that domain controllers are configured to use a Network
sync Time Protocol (NTP) server.
Service accounts or certificate • Reset the password for service accounts and reissue certificates.
issues
Replication Best Practices

When content is created, the site at which it is created becomes the owner of the content. The source
files are copied from the specified path to the content library on the site that owns the content. When you
start an Update Content or Update Distribution Point action, the files are recopied from the source path
to the content library of the site that owns the package. When creating packages, consider the network
connection between the source file location and the site that will own the package.
Question: What troubleshooting steps can you perform if Replication Link Analyzer reports SQL Server
connectivity issues?
Lab A: Configuring, Monitoring, and Troubleshooting

Data Replication
Scenario
You are the network administrator for A. Datum Corporation. A. Datum has deployed System Center 2012
Configuration Manager in a complex hierarchy that includes the central administration site, two primary
sites, and a secondary site. You need to use the Configuration Manager console to monitor data
replication between a primary site and the central administration site and to troubleshoot the replication.
Objectives
• Verify and configure replication settings.

• Monitor replication.
• Troubleshoot replication.
Lab Setup
Virtual machines 10748C-LON-DC1-C

10748C-LON-CAS-C
10748C-LON-CFG-C
User name Adatum\administrator
Password Pa$$w0rd
2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.
4. Log on using the following credentials:
o Domain: Adatum
5. Repeat steps two through four for the following virtual machines:
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
Exercise 1: Verifying and Configuring Replication Settings

Scenario
You need to configure the replication settings between the London primary site and the A. Datum central

1. Configuring file replication settings.
2. Configuring database replication settings.
3. Configuring sender properties.
 Task 1: Configuring file replication settings

1. On LON-CAS, start the Configuration Manager console, and then open the Administration
workspace.
2. Open Hierarchy Configuration, and then click the File Replication node.
3. Configure the Adatum Site S01 London Central Administration Site CAS file replication link with
the following settings:
o Sunday midnight availability: Closed

o Midnight to 4 A.M.: Limit available bandwidth (%) to 50%.
 Task 2: Configuring database replication settings

2. Configure the CAS Central administration site S01 Primary site database replication link with the
Summarization interval (minutes) as 5 under Link Properties.
3. Review the settings on the Schedule and Alerts tabs.
 Task 3: Configuring sender properties

1. Expand the Site Configuration node and navigate to S01 – Adatum Site.
2. Open the Software Distribution settings for S01 – Adatum Site.
3. Configure the General tab with the following settings:
o Maximum number of packages: 5
o Maximum Threads per package: 8
o Number of Retries: 5
o Delay before Retrying (Minutes): 5
Results: At the end of this exercise, you should have configured the replication settings between the A.
Datum central administration site and the London primary site.
Exercise 2: Monitoring Replication

Scenario
You need to use the Configuration Manager console to monitor replication between the London primary
site and the A. Datum central administration site.

1. Review the replication information and configuration settings.
2. Create a custom collection.
3. Monitor the replication of the collection to the primary site.
 Task 1: Review the replication information and configuration settings

1. On LON-CAS, open the Monitoring workspace.
2. In the Database Replication node, select the CAS to S01 replication link. Verify that the Link State
shows Link Active. If it does not, refresh the results pane.
3. Review the information available in the preview pane, under Replication Status. Verify that, in the
Site Replication Status section, both Parent Site State and Child Site State display a status of
Replication Active.
State and Child Site to Parent Site Global State display Link Active status and that the Last
Note: If the status of Parent Site to Child Site Global State and Child Site to Parent Site
Global State is Link Inactive, verify that both LON-CAS and LON-CFG have started. To refresh
the status, click the CAS to S01 replication link, and then press F5.
5. In the preview pane, on the Parent Site tab, review the information available in the Replication
6. In the preview pane, on the Child Site tab, review the information available in the Replication Status
area.

1. In the Configuration Manager console, click the Assets and Compliance workspace, and then click
the Device Collections node.
2. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts. Create a
device collection with the following attributes:
o Name: London Computers
o Limiting collection: All Systems
o Create a Direct Rule and search for System Resources with the name LON%.
o Select LON-CAS and LON-CFG as direct members.
 Task 3: Monitor the replication of the collection to the primary site

2. In the Configuration Manager console, in the Assets and Compliance workspace, click the Device
Collections node.
3. Verify that the London Computers collection appears in the list of device collections.
4. Right-click the London Computers collection, and then click Show Members. Notice that a new
node appears in the navigation pane under Devices. Notice also that the members of the collection
appear in the results pane.
Results: At the end of this exercise, you should have verified the replication between the A. Datum central
administration site and the London primary site.
Exercise 3: Troubleshooting Replication

Scenario
You need to use the Configuration Manager console to troubleshoot the replication between a primary
site and the central administration site.
1. Configure in-console alerts for monitoring replication.

2. Stop the SMS_EXECUTIVE service on LON-CFG.
3. Troubleshoot the replication issue.
4. Resolve the issue and verify that replication is functioning correctly.
 Task 1: Configure in-console alerts for monitoring replication

1. On LON-CAS, in the Configuration Manager console, in the Monitoring workspace, click the
Database Replication node.
2. Access the Properties of the CAS to S01 replication link.
3. In the CAS <-> Replication Link Properties dialog box, on the Alerts tab, verify that Generate an
alert when this replication link is not working for a specified period of time is selected.
4. Change the value of the Number of minutes to 3 minutes.
 Task 2: Stop the SMS_EXECUTIVE service on LON-CFG

1. On LON-CFG, on the Start screen, click Administrative Tools, and then open the Services console.
2. In the Services console, stop the SMS_EXECUTIVE service.
3. In the Service Control window, wait for the service to stop. Wait at least three minutes before
continuing to the next task.
 Task 3: Troubleshoot the replication issue

1. On LON-CAS, browse to C:\Program Files\Microsoft Configuration Manager\tools\, and then
start CMTRACE.exe. Associate CMTRACE.exe with all log files, and then close the tool.
2. On LON-CAS, in the Configuration Manager console, in the Alerts node, click All Alerts, click the
alert named Replication link down between parent site and S01, and then on the ribbon, click
Configure.
3. In the Replication link down between parent site and S01 Properties dialog box, verify that
Minutes replication link connectivity down greater than has a value of 3.
4. In the Assets and Compliance workspace, click the Device Collections node.
5. Access the Properties of the London Computers collection, and change the name of the collection
to London Servers.
6. In the Monitoring workspace, in the Database Replication node, select the CAS to S01 replication
connection.
7. Verify that the status of the replication link is either Link Failed or Link Degraded. Press F5, if
required, to refresh the status.
8. Right-click the CAS to S01 replication link, and then click Save Diagnostics Files.
9. Save the file with the name Replication Diagnostics in drive C.
10. In Windows Explorer, browse to drive C, and then open the file Replication Diagnostics in Notepad.
11. Review the content of the file. Note that the Child Site to Parent Site Global State shows the status
of Link Failed or Link Degraded. Close Notepad.
 Task 4: Resolve the issue and verify that replication is functioning correctly
1. On LON-CAS, right-click the CAS to S01 replication link, and then click Replication Link Analyzer.
Replication Link Analyzer starts detecting problems.
2. In the CAS <-> S01 Replication Link Analyzer window, on the Restart the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Restart the SMS_EXECUTIVE service. Wait for the operation
to finish.
3. In the Replication Link Analyzer window, on the Successfully restarted the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Continue.
Note: Based on timing, there may still be issues that are detected. If issues are detected,
first click the Check to see if the problem is fixed link.
4. Wait for the operation to finish, and then on the Troubleshooting Report page, click View Report.
The content of ReplicationAnalysis.xml opens in Internet Explorer®.
5. Review the content of the file, and then close Internet Explorer.
6. In the Replication Link Analyzer window, click the View Log. The content of
ReplicationLinkAnalysis.log opens in Configuration Manager Trace Log Tool.
7. Review the content of the file, and then close Configuration Manager Trace Log Tool.
8. In the Replication Link Analyzer window, click Close.
Results: At the end of this exercise, you should have troubleshot replication between the primary site and
the central administration site.

• When you finish this lab, leave the virtual machines running.
Lesson 3
Planning Content Management
System Center 2012 Configuration Manager provides content management functionality that you can use
to create, distribute, and monitor content. The content management feature relies on distribution points
as the core components of the distribution infrastructure. Distribution points in Configuration Manager
2012 include new features such as content validation and content prestaging. In this lesson, you will
review these new features and learn about planning a content management infrastructure, including the
prerequisites you may need to consider. In addition, you will learn how to plan for managing network
bandwidth.
Lesson Objectives
• Describe the considerations for implementing preferred and fallback distribution points.
• Describe the network bandwidth considerations for distribution points.
• Describe how to configure pull-distribution points.

• Describe the considerations for content prestaging.
• Describe how to plan and configure a cloud-based distribution point.
• Describe how clients use cloud-based distribution points.

• Describe how to monitor distribution point distributions.
• Describe how to implement BranchCache® integration.
Considerations for Implementing Preferred and Fallback Distribution

Points
When creating a distribution point, you can
associate one or more boundary groups with
the distribution point. Optionally, you can add
boundary groups to the distribution point’s list
after creating a distribution point. Clients will
use preferred distribution points, which are
distribution points assigned to their boundary
group. Regardless of the boundary settings, you
can also configure a distribution point to be
available as a fallback distribution point. Fallback
distribution points are distribution points that a
client uses when no preferred distribution points
are available for the client.
When a client device needs to download deployed content, the client sends a content source location
request to a management point. The management point compiles a list of available distribution points
that are preferred distribution points for the client’s boundary group. The client then chooses one of the
listed distribution points to contact for the content.
You can configure content for a deployment type or package to allow the client to use a fallback
distribution point if the content is not available on a preferred distribution point. When a client needs to
download content, and this setting is enabled for the content, the content source location request asks for
fallback distribution points. The management point response will include preferred distribution points and
fallback distribution points.
Network Connection Speed

Additionally, you can specify whether to treat the connection between the clients and a distribution point
as fast or slow. When a client connects to a fallback distribution point, the connection to the distribution
point is considered slow. For connections to distribution points in a slow boundary, or fallback distribution
points, you can choose any of the following options:
• Do not download content
• Download content from distribution point and run locally
On-Demand Content Distribution

If you set the Distribute the content for this package to preferred distribution points property for an
application or package, on-demand content distribution is enabled. If this setting is enabled and a client
tries to download content that is not available on any preferred distribution points, the content will be
distributed to all the preferred distribution points for that client.
Content Source Location Scenarios

When you deploy applications or packages to clients, the following settings influence the content source
location process:
• Allow fallback source location for content. By selecting this setting, you ensure that clients can
download content from distribution points that are designated as fallback distribution points when
content is unavailable on a preferred distribution point.
• Deployment behavior for slow network. You can configure whether clients will download content
from slow distribution points.
• Distribute the content for this package to preferred distribution points. By selecting this setting, you
enable on-demand content distribution for the application or package.
Question: In Scenario A, from where will Client A and Client B download content?
Question: In Scenario B, from where will Client A and Client B download content?
Question: In Scenario C, from where will Client A and Client B download content?
Question: In Scenario D, from where will Client A and Client B download content?
Network Bandwidth Considerations for Distribution Points

Distributing content in a Configuration Manager
2012 infrastructure generates network traffic at
various points in the distribution process:
• When content files are copied from the

source path to the site server, if the source
path is on a different server than the site
server. In this case, files transfers use the
SMB protocol. The effect of this traffic on the
network is usually negligible because it occurs
over a high-speed network.
• When content files are copied from the site

server to remote distribution points. In this
situation, file transfers use the SMB protocol. This traffic can have a significant impact on network
utilization, especially over low-speed network connections. You can manage this traffic by using
content throttling and distribution scheduling, except for distribution points located on site servers.
Consider the following when configuring content throttling and scheduling:

• Content distribution detects updated files so that only the new or updated files are distributed when
content source files are updated.
• You can configure scheduling and set specific throttling settings that determine when and how much
bandwidth is consumed during content distribution to remote distribution points. You can configure
the throttling settings on the Rate Limits tab and the scheduling settings on the Schedule tab. The
Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not
installed on a site server.
• You can configure remote distribution points with different settings based on the network bandwidth
limitations from the site server to the remote distribution point. Each remote distribution point
configured as a pull-distribution point will use its own throttling settings and schedule to transfer
content.
Distribution Point Priority

Beginning with System Center 2012 R2 Configuration Manager, Configuration Manager assigns a priority
to each distribution point, depending on how long content distribution has taken in prior distributions, on
average. This priority is evaluated constantly as you distribute content. When you distribute content to
multiple distribution points at the same time, the highest priority distribution point will receive content
first. The Configuration Manager console does not include any options for managing the distribution
point priority settings.
Distribution point priority is not related to package priority. Package priority still determines the order of
package distribution and the time at which package distribution is permitted.
Planning for Network Bandwidth Management

When planning for network bandwidth management in Configuration Manager 2012, you need to
consider how you can reduce the content distribution network traffic:
• Configure scheduling and bandwidth throttling settings on distribution points and senders.
• Use content prestaging to transfer the content offline.
• Place distribution points on the same high-speed networks as clients.

• Install standard applications as part of the operating system images.
• Include standard application installer files in the operating system image and use custom task
sequence commands to install those applications from the local source files.
Both senders and Package Transfer Manager use file-based replication and the SMB protocol. Any
firewalls placed between sites or between the site server and distribution points must allow SMB traffic.
Configuring Pull-Distribution Points

Beginning with Configuration Manager 2012 SP1,
you can configure non-site server distribution
points as pull-distribution points. When content
is assigned to a pull-distribution point, the pull-
distribution point copies the content files from the
specified distribution point. When distributing
content to a large number of distribution points,
this reduces the processing utilization of the site
server. Pull-distribution points support the same
configurations and functionality as typical
Configuration Manager distribution points with
the following exceptions:
• You cannot configure a cloud-based distribution point as a pull-distribution point or as a source

server for pull distributions.
• You cannot configure a distribution point on a site server as a pull-distribution point.
• Prestaged content distribution settings override pull distribution. If content is configured for
prestaging, then a pull-distribution point will not pull it.
• Rate limit configurations do not apply to pull-distribution points.
• Retry settings do not apply to pull-distribution points. The Package Transfer Manager service on the
site server does not notify the pull-distribution point to start downloading the content until it has
verified the pull-distribution point as available on a source server.
• If the pull-distribution point is in a remote forest, the Configuration Manager client must be installed
on the distribution point and the Network Access Account must be able to access the source
distribution point.
You can configure a distribution point as a pull-distribution point during the creation of the distribution
point or any time thereafter. When configuring a distribution point as a pull-distribution point, you must
also specify one or more source distribution points. You can use only distribution points that support
HTTP as source distribution points when using the Configuration Manager console. Beginning with
System Center 2012 R2 Configuration Manager, you can configure the source distribution points with
priorities.
Note: The Configuration Manager Software Development Kit (SDK) includes information
and tools for configuring a pull-distribution source by using HTTPS.
Considerations for Content Prestaging

Content prestaging allows you to transfer and
preload content by using an offline method,
such as shipping media from a site server to a
distribution point. You can use this method
instead of file-based replication, to reduce
network traffic between the site server and the
distribution point. Content prestaging:
• Works with all content types.

• Works with content libraries and package
shares.
• Registers content availability automatically

with the site server upon content extraction on the distribution point.
• Uses a compressed prestaged content file with the extension .pkgx.

• Can be used to prestage multiple content files in a single operation.
• Offers a conflict detection mechanism as part of the extraction tool to prevent earlier versions of
content from being prestaged on a distribution point.
Planning for Content Prestaging

Consider using prestaging content for applications and packages when:
• There is limited network bandwidth from the site server to distribution point. While distributing
content over the network to a remote distribution point, consider prestaging the content on the
distribution point when scheduling and throttling do not reduce network traffic sufficiently.
• You need to restore the content library on a site server. When a site server fails, information about
packages and applications in the content library is restored to the site database as part of the restore
process. However, the site backup does not include content library files by default. If you do not have
a file system backup to restore the content library, you can create a prestaged content file from
another site that contains the packages and applications you need, and then extract the prestaged
content file on the recovered site server.
Planning and Configuring a Cloud-Based Distribution Point

Introduced in Configuration Manager 2012 SP1,
you can use cloud-based distribution points in
Windows Azure™ to host a distribution point.
You configure cloud-based distribution points
in the Cloud services node in the Administration
workspace. Additionally, you must configure a
client settings policy to allow clients to use cloud-
based distribution points. Finally, to help control
the costs associated with a cloud-based
distribution point, you can configure thresholds
for the amount of storage that the distribution
point uses and the amount of client traffic to the
distribution point.
Cloud-based distribution points include the following distribution point features:
• Supports individual or group-based management.
• Can be a fallback distribution point.
• Supports intranet and Internet-based clients.
• Supports BranchCache-configured systems to download content from the cloud-based distribution

point.
There are additional features specific to using a cloud-based distribution point in Windows Azure. When
content is sent to a Windows Azure–based distribution point, the content is encrypted while traversing the
Internet. Additionally, you can quickly scale the size of your distribution points as necessary without
investing in additional hardware.
However, you also need to consider the limitations of a cloud-based distribution point:
• Cloud-based distribution points cannot host software update packages.

• Cloud-based distribution points cannot be configured for Pre-Boot EXecution Environment (PXE) or
multicast deployments.
• Cloud-based distribution points cannot be used with task sequences that use the deployment option
Download content locally when needed by running task sequence.
• Cloud-based distribution points do not support packages that run from the distribution point.
• Cloud-based distribution points do not support streaming packages.

• Cloud-based distribution points cannot be configured for prestaged content.
• Cloud-based distribution points cannot be configured as pull-distribution points.
Additional Considerations
There are other factors to consider before using a cloud-based distribution point, such as:
• Availability. Cloud-based storage may not be accessible in certain countries or locations.
• Cost. Several factors determine the cost of using Windows Azure, including the number of virtual
machines that are running, the amount of storage used, and the amount of data that is transferred
each month.
Additional Reading: For a current information on Windows Azure

pricing and availability, visit the Windows Azure pricing at-a-glance website:
http://go.microsoft.com/fwlink/?LinkID=391480&clcid=0x409
Windows Intune
Windows Azure is a cloud-based service that primarily provides infrastructure as a service (IaaS),
whereas Windows Intune™ is a cloud-based client management service. Windows Intune provides client
management including application deployment, software and hardware inventory, anti-malware, and
policy control. You can deploy Windows Intune as a stand-alone product or integrate it with your System
Center 2012 R2 Configuration Manager environment.
How Clients Use Cloud-Based Distribution Points

Client devices cannot use cloud-based distribution
points unless configured to do so. Cloud-based
distribution points are always considered remote
distribution points. Clients on an intranet will use
a cloud-based distribution point only if no on-
premises distribution points have the desired
content and are available. Clients on the Internet
will not use cloud-based distribution points if
they are configured to use an Internet-based
distribution point. An Internet-based distribution
point is a distribution point that is part of one of
your on-premises Configuration Manager sites
and configured to accept connections from the Internet.
You can place cloud-based distribution points in any region in Windows Azure. Client devices are not
aware of Windows Azure regions and clients using cloud-based distribution points will not necessarily use
the closest region.
The process that clients use for choosing a cloud-based distribution point is:
1. Clients always attempt to use a preferred distribution point first.
2. If a preferred distribution point is not available, clients will attempt to use remote (fallback) on-
premises distribution points.
3. If no preferred distribution points or fallback distribution points are available, the client will use a
cloud-based distribution point.
When a client connects to a cloud-based distribution point, the cloud-based distribution point must
authenticate the client by using a Configuration Manager access token. If the client trusts the cloud-based
distribution point certificate, the client will download the requested content.
Monitoring Distribution Point Distributions

You can use the Distribution Status folder in the
Monitoring workspace of the Configuration
Manager console to perform monitoring for:
• Content status, which includes the status of

individual packages, applications and driver
packages in relation to their distribution
points. When viewing the content status, you
can cancel an in-progress distribution.
• Distribution point group status, which

includes the aggregate status of content
assigned to a specific distribution point
group.
• Distribution point configuration status, which includes the aggregate status of the content assigned
to a distribution point and status of the optional components (PXE and multicast).
To troubleshoot content distribution, you can also use:
• Configuration Manager reports.

• Configuration Manager status messages.
• Configuration Manager logs.
To troubleshoot issues with content management, you can use the following Configuration Manager logs:
• SMSProv.log. You can use this log to troubleshoot actions started from the UI or the SDK.
• DistMgr.log. You can use this log to troubleshoot content creation, update, deletion, and start of
distribution. You can use this log on the site server from the source site, to verify that Distribution
Manager processes the content.
• Scheduler.log. You can use this log to see the current status of the sender job. You can use this log on
the site server from the source site to verify that the content was queued for the sender.
• Sender.log. You can use this log to troubleshoot the copy of the compressed content to the
destination site. You can use this log on the site server from the source site, to determine whether the
sender has transferred the content to a different site.
• Despooler.log. You can use this log to troubleshoot the extraction of the compressed copy to the
content library on the destination site. You can use this log file on the site server from the destination
site to verify that the despooler received and processed the content.
• PkgXferMgr.log. You can use this log to troubleshoot the distribution of content from the site server
to the distribution point. You can use this log on the site server to determine whether the content was
processed by Package Transfer Manager and transferred to a distribution point located in the same
site as the site server.
• SMSDPProv.log. You can use this log to troubleshoot the addition of content to the content library on
the distribution point. You can use this log on a distribution point to verify that content was added to
the content library.
• SMSPXE.log. You can use this log to troubleshoot the PXE provider. You can find this log on a
distribution point that is configured to use PXE.
You can use the following Windows logs to troubleshoot distribution point configuration:
• u_exYYMMDD.log (where YYMMDD is the year, month, and day). You can use these IIS logs for
troubleshooting issues related to Internet Information Services (IIS). You can find the IIS logs on the
distribution point in the C:\Inetpub\Logs\LogFiles\W3SVC1\ folder.
• WDS.log. You can use the Windows Deployment Services (Windows DS) log for troubleshooting issues
related to Windows DS.
Implementing BranchCache Integration for Content Distribution

BranchCache is included in the Windows® 7 and
Windows Server® 2008 R2 and newer operating
systems. It enables content from file and web
servers on a wide area network (WAN) to be
cached on computers at a local branch office.
BranchCache can improve application response
time and reduce WAN traffic.
You can configure BranchCache in Windows Server 2008 R2 to work in two modes:
• Distributed cache mode. Cached content is distributed across peer client computers.
• Hosted cache mode. A server hosts cached content. Configuration Manager does not support this
mode.
BranchCache Support in Configuration Manager

To support BranchCache on a site server, install the Windows BranchCache feature to a site system server
that is configured as a distribution point. No additional configuration is necessary.
Configuration Manager supports BranchCache with the following operating systems configured in
BranchCache distributed cache mode:
• Windows 8.1
• Windows 8
• Windows 7 with SP1

• Windows Server 2008 R2 with no service pack, with SP1, or with SP2
Clients running a supported version of Windows Vista® SP2 and Windows Server 2008 SP2 by using
the Background Intelligent Transfer Service (BITS) 4.0 release also can use BranchCache BITS transferred
content only. These operating systems do not support the BranchCache client functionality for:
• Software deployments that are configured to run from the network.
• SMB file transfers.
• Content copied from cloud-based distribution points.

You can install the BITS 4.0 release on Configuration Manager clients by using software updates or
software deployment.
BranchCache management is integrated in the Configuration Manager console. For applications, you can
configure BranchCache on a deployment type. For programs and software updates, you can configure the
BranchCache settings on the deployment.
Planning to Use BranchCache

When you plan to use BranchCache for content distribution, consider whether:
• Windows Server 2008 R2 or a later version is in a central location and is configured in BranchCache
distributed mode.
• Workstations situated in remote locations are running a supported operating system for
BranchCache, such as Windows 8 or Windows 7 with SP1.
Lab B: Planning and Configuring Content Management

Scenario
Configuration Manager in a distributed environment that includes multiple locations with WAN
connections to the central campus location.
You need to configure your content management infrastructure by installing and configuring an
additional distribution point for a remote office, creating a distribution point group, and adding the
distribution points to the groups. You will also distribute content and perform content validation. You
will use content prestaging for transferring packages to the remote distribution point.
Objectives
• Plan content distribution.

• Implement distribution points.
• Implement content prestaging.

• Implement BranchCache to support content management.
Lab Setup

10748C-LON-CAS-C
10748C-LON-CFG-C
10748C-LON-SVR1-C
Password Pa$$w0rd
1. In Hyper-V Manager, verify that the following virtual machines are running:
o 10748C-LON-DC1-C
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
2. Log on, if necessary, by using the following credentials:

o Domain: Adatum
Exercise 1: Planning Content Distribution

Scenario
Read the following scenario and plan for configuring content distribution.
A. Datum is an international organization that includes a central campus location in London with three
buildings and approximately 4,000 users. There are six remote offices in the European continent, several
of which have local information technology (IT) staff. New York is the central location for North American
operations. The New York offices are largely autonomous. They support a user base that is similar in size
to the London user base. The Toronto office is the central location for Canadian operations, and although
there is a small IT staff in Toronto, it is managed by the New York office. There are eight additional remote
offices in North America. The remote offices each support between 50 and 1,000 users. In addition, there
are more than 1,000 field agents with laptops requiring management and connectivity. The office in New
York communicates with the London central office through a satellite connection. The Toronto office is
connected directly to the New York office via high-speed connections.
The remote locations are connected through Multiprotocol Label Switching (MPLS) connections to the
main offices in their respective continents; these connections can be 80 percent utilized at peak times. You
need to plan for software distribution that affects the corporate network minimally during business hours.
You are planning to build a central administration site and one primary site in London and one primary
site in New York. You plan to create a secondary site in the Toronto office. The remaining remote offices
will be managed from the primary site in their respective continents. You can recommend any additional
distribution components that you think are necessary.
The main task for this exercise is to plan the deployment.
 Task: Planning the deployment

• Discuss a deployment plan with the class.
Results: At the end of this exercise, you will have planned distribution architecture for the company.
Exercise 2: Implementing Distribution Points

Scenario
You need to install a new distribution point in a remote location on a server named LON-SRV1. You will
configure the distribution point for content prestaging. Then you will create a distribution point group
and include all distribution points in the London area in the group.
1. Add the primary site server computer account to the local Administrators group.
2. Create a distribution point.
3. Create and populate a distribution point group.
 Task 1: Add the primary site server computer account to the local Administrators
group
1. On LON-SVR1, from Server Manager, start Computer Management.
2. In the Computer Management console, under Local Users and Groups, select Groups.
3. Add LON-CFG as a member of the Administrators local group.
4. Close the Computer Management console and Server Manager.
 Task 2: Create a distribution point

1. On LON-CAS, in the Configuration Manager console, in the Administration workspace, expand Site
Configuration, and then click Servers and Site System Roles.
2. On the ribbon, on the Home tab, click Create Site System Server. The Create Site System Server
Wizard starts. Use the following settings to create the new distribution point (use default settings for
pages that are not specified):
o On the General page, browse to select LON-SVR1 as the new site system server, and then in the
Site Code drop-down list, select S01 – Adatum Site.
o On the System Role Selection page, select Distribution Point.
o On the Distribution Point page, select Install and configure IIS if required by Configuration
Manager and Enable this distribution point for prestaged content.
o On the Content Validation page, select Validate content on a schedule.
o Complete the wizard.
3. In the Configuration Manager console, verify that \\LON-SVR1.Adatum.com appears in the results
pane.
 Task 3: Create and populate a distribution point group

1. Navigate to the Distribution Points node.
2. Select LON-CFG.ADATUM.COM, NYC-CFG.ADATUM.COM and TOR-CFG.ADATUM.COM.

3. On the ribbon, select Add Selected Items to New Distribution Point Group.
4. Create a new distribution point group named Primary and Secondary Site Distribution Points.
Results: At the end of this exercise, you should have created a distribution point, created a distribution
point group, and added distribution points to the group.
Exercise 3: Implementing Content Prestaging

Scenario
Previously, you configured the LON-SRV1 distribution point to use content prestaging. You need to
prestage the content of the package you distributed. You will create the prestage content file, copy it to
the remote server, extract the file on the remote distribution point by using the Extractcontent.exe tool,
and then monitor the prestaged content status.
1. Create and distribute a package.

2. Create a prestaged content file.
3. Extract a prestaged content file on a distribution point.
4. Monitor the prestaged content status.

 Task 1: Create and distribute a package

1. On LON-CFG, in the Configuration Manager console, in the Software Library workspace, expand
Application Management, and then click the Applications node.
2. On the ribbon, click Create Application. The Create Application Wizard starts. Use the following
settings to create an application:
o On the General page, verify that in the Type box, Windows Installer (*.msi) is selected, in the
Location text box, type \\LON-CFG\E$\Software\MSI_Files\PPTViewer, and then select
ppviewer.msi.
o Accept the default settings for all other pages, and then complete the wizard.
3. In the Configuration Manager console, in the results pane, select the Microsoft PowerPoint Viewer
application, and then on the ribbon, click Distribute Content. The Distribute Content Wizard starts.
Use the following settings to distribute content:
o On the Content Destination page, add the LON-CFG.ADATUM.COM distribution point.
 Task 2: Create a prestaged content file

1. On LON-CFG, in the Configuration Manager console, in the Software Library workspace, under the
Application node, select Microsoft PowerPoint Viewer, and then on the ribbon, click Create
Prestaged Content File. The Create Prestaged Content File Wizard starts. Use the following settings
to create the prestaged content file:
o On the General page, browse to drive E, and then save the file with the name
PowerPointViewer.
o On the Content Locations page, add LON-CFG.Adatum.com as a source of content.
2. In Windows Explorer, browse to drive E, and then copy PowerPointViewer.pkgx to \\LON-SVR1\C$.
 Task 3: Extract a prestaged content file on a distribution point

1. On LON-SVR1, open a command prompt.
2. At the command prompt, type the following commands, pressing Enter after each line:
CD C:\SMS_DP$\sms\Tools
extractcontent.exe /P:C:\PowerPointViewer.pkgx /S
 Task 4: Monitor the prestaged content status

1. On LON-CFG, in the Configuration Manager console, in the Monitoring workspace, expand
Distribution Status, and then click the Content Status node.
2. In the results pane, click Microsoft PowerPoint Viewer, and then review the information in the
preview pane. Notice that two distribution points were targeted and Success is now listed as 2.
Results: At the end of this exercise, you should have performed content prestaging.
Exercise 4: Implementing BranchCache to Support Content Management

Scenario
The planning exercise helped you determine that you wanted to use BranchCache for the remote
locations without a distribution point. In this exercise, you need to enable support for BranchCache on the
LON-SVR1 server.

1. Configure LON-SVR1 to support BranchCache.
2. Verify that an application is ready for BranchCache.
 Task 1: Configure LON-SVR1 to support BranchCache

1. On LON-SVR1, open Server Manager.
2. Click Add roles and features, and then use the Add Roles and Features Wizard to install the
BranchCache feature.
 Task 2: Verify that an application is ready for BranchCache

1. On LON-CFG, in the Configuration Manager console, navigate to the Software Library workspace.
2. In the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) Properties dialog box, on
the Content tab, verify that the Microsoft PowerPoint Viewer – Windows Installer (*.msi file)
deployment type has the Allow clients to share content with other clients on the same subnet
check box selected.
Results: At the end of this exercise, you will have enabled BranchCache support on LON-SVR1.

following steps:
1. On the host computer, start Hyper-V® Manager.

2. In the Virtual Machines list, right-click 10748C-LON-DC1-C, and then click Revert.
4. Repeat steps 2 and 3 for the following virtual machines:
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C

Review Questions
Question: What are the two methods that Configuration Manager 2012 uses to replicate
data between sites? What types of data does each method replicate?
Question: How is hardware inventory transferred from a secondary site to the central
administration site?
Question: How can you create a file that contains diagnostics information for replication
links?
6-1
Module 6
Planning Resource Discovery and Client Deployment
Contents:
Module Overview 6-1
Lesson 1: Identifying Resources by Using Configuration Manager Discovery

Methods 6-3
Lesson 2: Client Deployment in Configuration Manager 6-13
Lesson 3: Deploying Windows-Based Configuration Manager Clients 6-25

Lab: Implementing Configuration Manager Client Deployment 6-36
Lesson 4: Managing Configuration Manager Clients 6-42
Lesson 5: Monitoring Client Status in Configuration Manager 6-50
Module Overview
You can configure the Configuration Manager resource-discovery methods to locate resources in your
network environment. In this module, you will examine the discovery methods available in Configuration
Manager and consider which of these discovery methods to use based on the resources you need to
manage.
You can use Configuration Manager to manage computer resources by installing the Configuration
Manager client on the computers that you want to manage.
Configuration Manager provides several methods for installing the Configuration Manager client on
computer resources. This module covers various client-installation methods, and then examines the
advantages and disadvantages of each method. You will examine how to choose the most appropriate
client-installation methods to use in your organization’s environment.
Depending on the client-installation methods that you decide to use, you may be able to configure client
installation properties that are applied during installation. You can configure site servers to publish client
installation properties in Active Directory® Domain Services (AD DS). Configuration Manager clients use
these properties after installation to identify the assigned site and locate appropriate site systems. This
module discusses how to configure client-installation properties when using the client push and Group
Policy installation methods.
This module also covers the Client Health feature that you can use for monitoring Configuration Manager
clients. This feature can perform automatic remediation for certain client configuration issues.
6-2 Planning Resource Discovery and Client Deployment
Objectives
• Describe processes and methods for resource discovery.

• Describe the client-installation process and client-deployment methods.
• Plan and complete a typical client deployment.
• Describe managing Configuration Manager clients after installation.

• Deploy the Configuration Manger client.
• Describe the new Client Health feature in Configuration Manager.

Lesson 1
Identifying Resources by Using Configuration Manager
Discovery Methods
Resource discovery is the process that Configuration Manager uses to discover an infrastructure’s
manageable resources, such as computers, groups, user accounts, sites, and IP subnets. Configuration
Manager uses multiple discovery methods to discover resources.
The primary source of information for discovering resources is AD DS. Configuration Manager has several
discovery methods that use AD DS as a source of information.
Configuration Manager also can search the network to discover network topology and devices that have
an IP address.
This lesson covers discovery methods, the advantages and the disadvantages of each method, and how to
decide which methods are the most appropriate to use to discover resources in your environment.
To detect which installed clients are still active in the network, Configuration Manager uses Heartbeat
Discovery, which is a special discovery method. This method does not discover new computers. Instead, it
rediscovers existing clients that are active in the network.
Lesson Objectives
• Describe the role of discovery methods for resource discovery.

• Describe the available discovery methods.
• Describe the Active Directory discovery methods for systems, users, and groups.
• Describe the Active Directory Forest Discovery method.

• Describe Network Discovery.
• Describe the role of Heartbeat Discovery.
Overview of Resource Discovery

In a multiple-site Configuration Manager
environment, you can configure discovery
methods at different levels in the hierarchy.
The following table describes the discovery
methods available in Configuration Manager
and where you can configure them in a
Configuration Manager hierarchy.
Discovery method Supported locations
Active Directory Forest Discovery Central administration site

Primary site
Active Directory System Discovery Primary site
Active Directory Group Discovery Primary site
Active Directory User Discovery Primary site
Network Discovery Primary site

Secondary site
Heartbeat Discovery Primary site
When a discovery method successfully discovers a resource, it creates a file that is a discovery data record
(DDR). In a single primary site environment, the site server processes DDRs and enters them into the
Configuration Manager database. In a multiple-site hierarchy, DDRs that are created at primary and
secondary sites for the newly discovered resources are forwarded to the central administration site for
processing. Then, database replication replicates the information about the discovered computers to
primary sites, making the discovery data available at each site in the hierarchy, regardless of where it was
discovered or processed. Subsequent discoveries for the existing resources, such as DDRs that Heartbeat
Discovery creates, are processed at the primary sites.
Consider the following for Resource discovery in Configuration Manager:

• A DDR is processed only once, and then it is entered into the database at a primary site or central
administration site. After processing, the DDR file is deleted.
• Discovery information entered into the database at one site is replicated to all primary sites in the
hierarchy by using the Configuration Manager database replication feature.
• Active Directory Forest Discovery is not used to discover resources, but rather is used to discover
subnets and Active Directory sites, and then add them as boundaries for the hierarchy.
• When a primary site is in a different AD DS forest, you can enable and configure Active Directory
Forest Discovery at the central administration site, or at primary sites, to accommodate deployment
scenarios.
• Active Directory Group Discovery in System Center 2012 Configuration Manager discovers groups
and their membership, and is the replacement for the Configuration Manager 2007 discovery
method, Active Directory Security Group Discovery.
• Active Directory System Discovery and Active Directory Group Discovery both support options to
filter the discovery of stale computer records based on the timestamp of the last logon or the last
password change.
• Active Directory System Discovery, Active Directory User Discovery, and Active Directory Group
Discovery all support delta discovery, which detects changes in AD DS more frequently than by using
the default discovery schedule. Delta discovery differs from the Configuration Manager 2007 R3
version, because it can detect the addition or removal of computers or users from a group.
You will learn about each of these discovery methods and their available configuration settings in
upcoming topics, enabling you to choose the discovery methods that are most appropriate for your
environment.
Discovery Methods
You can use a variety of resource discovery
methods with Configuration Manager to
discover resources in your infrastructure, such
as computers, groups, user accounts, and network
infrastructure topology.
The following table describes the resource

discovery methods that are available and how
you use them.
Discovery method Usage
Active Directory Forest Introduced in Configuration Manager, this method discovers Active
Discovery Directory sites and subnets, and it can create Configuration Manager
boundaries for each site and IP subnet that it discovers.
Active Directory System Discovers computer systems from AD DS. Additionally, it can discover
Discovery Active Directory container names, as does the Configuration Manager
2007 Active Directory System Group Discovery.
Active Directory Group Discovers local, global, and universal groups and their membership from
Discovery AD DS.
Active Directory User Discovers users from the specified locations in AD DS.
Discovery
Network Discovery Discovers the network topology and devices.
Heartbeat Discovery Updates existing Configuration Manager client-discovery records in the

database.
When you choose which discovery methods to implement, consider what types of resources that you
need to discover, such as computers, users, or groups. The following table lists various types of resources
in a typical corporate infrastructure, and the discovery methods that you can use to discover each type of
resource.
Resources Discovery methods
Computers Active Directory System Discovery. Active Directory System Discovery discovers
computer resources from AD DS, and it provides additional information about the
computer resources, such as the organizational units (OUs) in which the computer
resources are located.
Network Discovery. Network Discovery provides information about your network
topology that you cannot acquire with other discovery methods.
Note: You must ensure discovery of computer resources before you install
the Configuration Manager client by using the client-push installation method.
You can use Active Directory System Discovery and Network Discovery to discover
computer resources before client installation.
Heartbeat Discovery. If you install the Configuration Manager client by using a

different method than client push, Heartbeat Discovery forces the discovery of
active clients and then creates records in the database. Heartbeat Discovery
collects only limited information about computer resources, which may not be
detailed enough to build complex queries or collections.
Users Active Directory User Discovery. You can discover user resources by using Active
Directory User Discovery. This method discovers users from AD DS, and it includes
basic information about users, such as username and email address. You can use
this information to build queries and collections similar to those for computers.
You can configure User Discovery to retrieve other attributes from Active
Directory, such as manager, office, and phone number.
Groups and their Active Directory Group Discovery. You can discover groups and group
membership memberships by using Active Directory Group Discovery. This discovery
method creates resource records for security groups. Additionally, it identifies
the members of each group, and optionally any nested groups within that group.
Active Directory Group Discovery also discovers limited information about group
members. This does not replace Active Directory System or User Discovery, and
typically it is insufficient to use to build complex queries and collections, or to
serve as the base of a client-push installation.
Infrastructure Active Directory Forest Discovery. You can use Active Directory Forest Discovery
to search an Active Directory forest for information about subnets and Active
Directory sites. You then can use these objects to configure your Configuration
Manager boundaries.
Network Discovery. You also can use Network Discovery to discover your network
topology. Network Discovery can discover subnets and router topology of your
network, in addition to computer resources.
Question: What discovery methods can you use to discover computer resources?
Active Directory Discovery Methods for Systems, Users, and Groups

You can use the following three Active Directory
discovery methods in Configuration Manager:
• Active Directory System Discovery
• Active Directory User Discovery
• Active Directory Group Discovery
These discovery methods are similar in

configuration and operation, but they retrieve
different types of information. You can configure
each of these discovery methods to search one or
more Active Directory locations in the local forest
or in remote forests. If you configure multiple
instances of these Active Directory discovery methods on multiple primary sites in a Configuration
Manager hierarchy, you should configure the source location for each discovery method, so that the
same resources are not discovered more than once. In smaller environments, you should consider
configuring all Active Directory discovery methods from the same location. You can configure each
method to perform a full discovery and a delta discovery based on a specified schedule. The default
schedule for a full discovery is once a week, and the default schedule for a delta discovery is every five
minutes. Because delta discovery discovers only new resources, the impact on AD DS and network traffic
decreases.
Active Directory System Discovery

Active Directory System Discovery searches for computer resources in the administrator-specified AD DS
locations. Active Directory System Discovery has the ability to filter obsolete computer records based on
the lastLogonTimeStamp and pwdLastSet attributes in AD DS. If you want to improve the quality of
discovery, you should identify old computer records in AD DS by using a dsquery command. You then
can disable them before configuring discovery. For a computer resource to be discovered by using Active
Directory System Discovery, it must have the following:
• An enabled computer account in AD DS. Active Directory System Discovery filters out disabled
computers, by default.
• A computer record in Domain Name System (DNS). Active Directory System Discovery tries to resolve
the name of each computer resource to an IP address. If the DNS contains obsolete records, it might
cause the discovery of computers that are no longer active on the network. To avoid this, you should
remove obsolete records in DNS by activating DNS scavenging.
If the computer resource meets the preceding conditions, the discovery method generates a DDR for the
computer and populates the DDR with information that identifies the computer resource.
Active Directory System Discovery discovers basic information about a computer, including the:
• Computer name
• Operating system and version

• Active Directory container name
• IP address
• Active Directory site
• Last Logon Time Stamp: Universal Time Coordinate (UTC)

Additionally, you can configure the discovery of extended attributes from AD DS in the Active Directory
System Discovery Properties dialog box on the Active Directory Attributes tab.
Active Directory System Discovery includes functionality to discover Active Directory container names,
such as Organizational Units, which is available in Configuration Manager 2007 in Active Directory System
Group Discovery.
Active Directory User Discovery

Active Directory System Discovery searches the specified AD DS location to identify user accounts and
their associated attributes.
Active Directory User Discovery discovers basic information about the user account, including the
following:
• User name
• Unique user name (includes the domain name)
• Domain
• Active Directory container names
In addition to this basic information, you can configure the discovery of extended attributes from AD DS
in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab.
Active Directory Group Discovery

Active Directory Group Discovery discovers basic information about the groups and their membership,
• Groups
• Groups membership
• Limited information about a groups member computers and users
By default, Active Directory Group Discover only discovers security groups. To discover the membership of
distribution groups, you must select the check box for the option Discover the membership of distribution
groups in the Active Directory Group Discovery Properties dialog box on the Option tab.
There are two options when configuring Active Directory Group Discovery searches:
• Location. You can search one or more Active Directory containers, such as a forest, domain, container
or OU. You can use a recursive search of the specified Active Directory container, so that the search
includes all child containers under the container that you specify. This process continues until Active
Directory Group Discovery does not find any more child containers.
• Groups. You can specify one or more Active Directory groups. When configuring this option, you can
use the default domain and forest for the site or limit the search to an individual domain controller. If
you do not specify at least one group, this method performs a location search of the location that you
specify.
You can use both of these options more than once and at the same time. For example, you might want
to find all the members of all groups in a particular location (forest, domain, container or OU) plus all the
members of one particular group in a different location.
Active Directory Discovery Log Files

The following logs record Active Directory Discovery actions. These logs are in the InstallationPath\Logs
folder on the site server, and they include the following:
• Active Directory System Discovery actions are in the adsysdis.log.
• Active Directory User Discovery actions are in the adusrdis.log.
• Active Directory Group Discovery actions are in the adsgdis.log.
What Is Network Discovery?

Network Discovery discovers the topology of
your network and devices on your network by
searching for devices that have IP addresses.
Network Discovery searches your network for
IP-enabled resources by querying:
• The Windows® browse list for Active Directory

domains.
• Servers that run a Microsoft® implementation

of the Dynamic Host Configuration Protocol
(DHCP).
• Address Resolution Protocol (ARP) caches in

routers.
• Devices enabled with Simple Network Management Protocol (SNMP).
Network Discovery must identify the IP address and the subnet mask to successfully discover a resource.
Network Discovery can discover resources that cannot support the Configuration Manager client software,
such as printers, routers, and bridges. Network Discovery creates discovery records that include the
following information, as appropriate:
• NetBIOS name
• IP addresses
• Resource domain
• System roles
• SNMP community name

• Media access control (MAC) addresses
Network Discovery and Heartbeat Discovery are the only discovery methods that can discover computers
in workgroups.
To configure Network Discovery, you must specify the level of discovery, which the following table
outlines.
Level of discovery Details
Topology This level discovers routers and subnets, but it does not identify a subnet
mask for objects.
Topology and client This level discovers topology and potential clients, such as computers, and
resources, such as printers and routers. This level of discovery attempts to
identify the subnet mask of objects that it finds.
Topology, client, and In addition to topology and potential clients, this level attempts to discover
client operating the computer operating-system name and version. This level uses Windows
system Browser service and Windows Networking calls.
For Network Discovery to discover an object, it must identify the object IP address and then identify
its subnet mask or Active Directory site membership. It then creates a DDR for that object. If Network
Discovery cannot determine the subnet mask or Active Directory site membership of an object, it does
not create a DDR.
To discover computer resources, you must configure at least the Topology and client discovery level. You
can configure Network Discovery to use the following sources of information:
• Domains. Network Discovery discovers any computer from the domain that you specify. This
information must be visible when browsing the network. Network Discovery retrieves the IP address
and then uses an Internet Control Message Protocol (ICMP) echo request to ping each device that it
finds to determine which computers are currently active. It then initiates Windows networking
application programming interface (API) calls to the resource to discover its operating-system
information.
• SNMP. Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that
responds to the query. The ipNetToMediaTable value returns arrays of IP addresses that are client
computers or other resources, such as printers, routers, or other IP-addressable devices.
• DHCP. Network Discovery queries Microsoft DHCP servers for a list of devices that are registered with
each server. Network Discovery retrieves information by using remote procedure calls to the database
on the DHCP server. Network Discovery supports only DHCP servers that run the Microsoft
implementation of DHCP.
You can limit Network Discovery by specifying the following options:

• Subnets. You can configure the subnets that Network Discovery queries when it uses the SNMP and
DHCP options. These two options search only the subnets that you enable.
• SNMP community names. You can specify SNMP community names that Network Discovery uses to
query SNMP devices.
• Maximum hops. You limit the number of network segments and routers that Network Discovery can
query by using SNMP.
To identify the subnet mask, Network Discovery uses the following methods:
• Router ARP cache. Network Discovery queries the ARP cache of a router to find subnet information.
• DHCP. Network Discovery queries each administrator-specified DHCP server to discover the devices
for which the DHCP server has provided a lease.
• SNMP device. Network Discovery directly queries a SNMP device, and then makes an additional call
to obtain the subnet mask information.
Question: What level of Network Discovery must you configure to discover computers?
What Is Heartbeat Discovery?

Heartbeat Discovery is a Configuration
Manager discovery method. It rediscovers
existing computers that have the Configuration
Manager client installed and that are active
in the network. Configuration Manager uses it
to maintain the records of active clients in the
database and to force discovery of active clients
that were removed from the database, or installed
but not discovered by another discovery method.
The following list describes the functions of Heartbeat Discovery:
• Heartbeat Discovery is enabled by default, and it runs on a schedule on each computer client to
create a Heartbeat Discovery DDR. To send the Heartbeat Discovery record, the client computer must
be able to contact a management point.
• For mobile device clients, the management point that the mobile device client uses creates the DDR.
• The default schedule for Heartbeat Discovery is set to run every seven days.
• Heartbeat Discovery provides details about the client installation status by updating a system-
resource client attribute to active status.
• The following maintenance tasks use discovery information. If you adjust the heartbeat interval, you
should adjust these tasks:
• Clear Install Flag. This maintenance task is not enabled by default. If you enable this task, the
default schedule is 00:00 and 05:00 every Sunday. This task clears the install flag of any client that
has not submitted a Heartbeat DDR within the past 21 days. This forces a client reinstallation if
you enable the client push installation method.
• Delete Aged Discovery Data. By default, this maintenance task is enabled and runs between 00:00
and 05:00 every Saturday. By default, this task removes any discovery data that is more than 90
days old. If a DDR for the resource has not added in the past 90 days, this task deletes everything
relevant to that resource from the Configuration Manager database.
• This task affects all types of resources: systems, users, and groups. This task removes database
records about discovered computers that have not had the Configuration Manager client
installed during the last 90 days.
• Delete Inactive Client Discovery Data. By default, this maintenance task is not enabled. If you
enable this task, the default schedule is 00:00 to 05:00 every Saturday. The Delete Inactive Client
Discovery Data task is similar to the Delete Aged Discovery Data task. However, this task operates
only on resources that are Configuration Manager clients. When you enable this task, it removes
records for inactive clients that have not sent a heartbeat during the last 90 days.
• You cannot configure Heartbeat Discovery on secondary sites, but secondary sites can receive the
Heartbeat DDR from a client, and forward it to the primary site.
Question: If you change the default schedule for Heartbeat Discovery, you should ensure that Heartbeat
Discovery runs more frequently than which site-maintenance tasks?
Discussion: Planning Discovery

Only the Heartbeat Discovery method is enabled
by default. You can modify this method, but you
should not disable it. Depending on what you
plan to manage, you can enable any or all of the
Heartbeat Discovery methods.
The following table summarizes the discovery methods.
Discovery method Default schedule Description
Active Directory Once a week after you enable Discovers computers in AD DS from the
System Discovery it, and delta discovery every specified forests, domains, and containers.
five minutes. Discovers basic Active Directory attributes for
the computers.
Active Directory Once a week after you enable Discovers users in AD DS from the specified
User Discovery it, and delta discovery every forests, domains, and containers.
five minutes. Discovers basic Active Directory attributes for
the users.
Active Directory Once a week after you enable Discovers groups and group memberships in
Group Discovery it, and delta discovery every AD DS from the specified forests, domains,
five minutes. and containers.
Discovers minimal information about the
group members.
Active Directory Once a week after you enable Discovers groups and group memberships in
Forest Discovery it. AD DS from the specified forests, domains,
and containers.
Discovers minimal information about the
group members.
Network Discovery Once, running for two hours Discovers Network Devices that respond to
when you enable it. the configured Network Discovery method.
Heartbeat Once a week after you install Client systems generate a new DDR to keep
Discovery the client. their data active in the Configuration
Manager database.
Considering your environment, discuss the following questions with the rest of the class:
Question: Which discovery methods might you enable, and why?
Question: For the discovery methods that you would enable, how do you think you would schedule
them?
Question: If you intended to enable Active Directory System Discovery or Active Directory User Discovery,
would you enable additional attributes as well?
Lesson 2
Client Deployment in Configuration Manager
You can install Configuration Manager clients by using a variety of methods. Regardless of the method
that you choose, you should start by using either CCMSetup.exe or CCMSetup.msi, which is a bootstrap
for CCMSetup.exe.
This lesson covers the client-installation process and the CCMSetup parameters that you can use with
CCMSetup.exe to control the deployment process.
You will examine typical Configuration Manager client-installation methods and Configuration Manager
site systems that are involved in client deployment. This lesson also discusses the role of AD DS in client
deployment.
Lesson Objectives
• Explain the importance and the role of AD DS in the client-deployment process.

• Describe the site systems that Configuration Manager uses during the client-deployment process.
• Describe how to use Configuration Manager boundaries and boundary groups for client assignment
and content location.
• Describe how Configuration Manager clients find Configuration Manager site systems.
• Describe the requirements for client installation.
• Describe the Configuration Manager client-installation process for Mac computers.
• Describe the Configuration Manager client-installation process for UNIX and Linux computers.
• Describe typical client-deployment methods.
The Role of AD DS in Client Deployment

Although not mandatory, you can extend AD DS
to simplify the management of your Configuration
Manager site. Extending the AD DS schema and
publishing Configuration Manager information
to AD DS simplifies the client-installation process
by automatically providing the installation
parameters that you configure. You can use
AD DS publishing with any installation method
to allow for automatic site assignment. AD DS
publishing also enables you to provide the client
with the name of a management point to
communicate with.
Configuration Manager publishes client-installation properties to AD DS, including:
• The management point to be used for downloading content for client installation.
• The Configuration Manager site code.
• The Hypertext Transfer Protocol (HTTP) port used for client communications.
• The Hypertext Transfer Protocol Secure (HTTPS) port that is used for client communication.
• A setting to indicate that the client must communicate by using HTTPS.
• The fallback status point. If the site has multiple fallback status points, only the first one installed is
published to AD DS.
• The criteria for certificate selection. This might be required when the client has more than one valid
certificate.
• Installation properties specified in the Installation Properties tab of the Client Push Installation
Properties dialog box.
Additionally, if you use alternate ports for your site systems, clients are automatically updated when you
make a change.
Extending the Active Directory schema is an irreversible forest-wide action that you need to perform only
once per forest. When deploying Configuration Manager in a multiple-forest environment, you need to
extend the schema in each forest to which you want to publish information.
If you previously extended the schema for Configuration Manager 2007, you do not need to extend it
again for System Center 2012 R2 Configuration Manager. Only a member of the Schema Admins group or
an administrator that has sufficient permissions to modify the schema can extend it.
If you extend the schema before installation, Configuration Manager automatically configures the site to
publish site information during installation and publishes site information to AD DS at the completion of
installation. However, you can extend the schema after the Configuration Manager installation and then
manually configure the site to publish to AD DS.
Note: For more information about extending the Active Directory schema for
Configuration Manager, refer to “Module 2, Planning and Deploying a Stand-Alone
Environment.”
Question: How do Group Policy initiated deployments use AD DS during Group Policy installation?
Question: Are you planning to extend the Active Directory schema in your environment?
Site Systems That Client Deployment Uses

The process for installing the Configuration
Manager client involves several different site
systems. In addition to the site systems that play
a direct role in client deployment, there are a few
site systems that you might find useful during a
deployment.
The following site system roles are directly

involved when you install client devices.
Management Point
A management point is required to complete the
client-installation process, although you can install
the client components successfully without one. The installation process is complete when the client
registers with a primary site, is assigned its initial policy, and retrieves the policy. This initial policy sets
the components to their desired state. For standard installation methods, the client downloads a copy of
CCMSetup.exe from a management point. All other files are downloaded from a distribution point. After
the installation program is complete, the client contacts the management point to register itself and
obtain its site assignment. It then reports the state of the installation. If the client cannot contact the
management point, all client components appear as installed rather than enabled or disabled.
The client software has several methods that it can use to locate the management point, and it uses them
in the following order:
1. Setup Parameters. As part of the installation command, you can specify a management point.
2. AD DS. The client software queries AD DS for an appropriate management point.
3. DNS. The client searches for a service record (SRV) record type for a management point. To find the
right SRV record in DNS, you must configure the clients with their site code.
4. Windows Internet Name Service (WINS). A management point automatically updates its WINS record
with the appropriate information.
Automatic client assignment is based on boundaries, which are members of a boundary group for
which you enable automatic assignment. In previous Configuration Manager versions, if clients fall outside
of all boundaries, automatic site assignment fails and clients are not managed. However, Configuration
Manager enables you to configure a fallback site for client assignment at the hierarchy level. If you install
a client that is outside of any configured boundary groups, the automatic site-assignment process uses
this site, and the installation process completes successfully.

The fallback status point is an optional site system that is used during the client-installation process.
A fallback status point monitors client deployment and identifies unmanaged clients that cannot
communicate with a management point. The fallback status point uses unauthenticated connections from
clients over HTTP. To reduce exposure to security risks due to use of unauthenticated connections, you
should use a dedicated system for the fallback status point. Furthermore, in a production environment,
you should not install other site system roles on the fallback status point server.
Additionally, Configuration Manager client deployment reports use data sent by clients through the
fallback status point.
Mobile devices that Configuration Manager enrolls, and mobile devices that the Exchange Server
connector manages, do not use a fallback status point.
Software Update Point

You can install the Configuration Manager client by using software update-point push installations. If you
choose to use this method, you need to configure the software update point on a Windows Server Update
Services (WSUS) server. This installs the client when computers scan for applicable software updates.
Enrollment Point and Enrollment Proxy Point

Mobile devices and the Mac OS X use the enrollment point for Configuration Manager enrollment. The
enrollment proxy point manages the enrollment requests from mobile devices. These site system roles are
not required if you plan to manage mobile devices by using the Exchange connector, Windows Intune, or
if you install the Configuration Manager client for Windows CE.
Distribution Point
The distribution point is used to copy all client installation files, except for CCMSetup.exe, unless
CCMSetup has been invoked by using the /source: parameter and points to a folder with all files and
prerequisites. When you deploy an operating system by using the Configuration Manager operating-
system deployment feature, CCMSetup is downloaded from a distribution point to the client’s local
cache. A standard installation is then invoked, including the download of a copy of CCMSetup from the
management point to the %WINDIR%\ccmsetup folder and the download of client.msi and prerequisite
files from a distribution point.
When you upgrade the client by using software deployment, the installation package downloads from a
distribution point. The installation of the Window CE client also uses a distribution point.
Reporting Services Point

In addition to the required and optional roles that client installation uses directly, you might find it useful
to install a reporting services point. This enables you to view any reports about the client installation
process or the status of clients.
Planning for Windows-Based Client Installation

Before deploying the Configuration Manager
client for Windows-based computers, you need
to understand the client requirements and the
different methods that you can use to deploy
the client, based on how you will manage it.
Prerequisites
Some of the prerequisites for client deployment
install automatically on client computers during
the deployment process. You must install other
prerequisites before you deploy the client, and
those prerequisites vary depending on the client
version that you are deploying. The following list
contains all prerequisites that you need to successfully deploy the Configuration Manager client to
Windows-based computers:
• External dependencies. You must install these prerequisites before you deploy the client:
o Client Bridge ActiveX® Control. This client uses this control for computers that run a
version of the client prior to System Center 2012 Configuration Manager Service Pack 1
(SP1). For those computers, you must exclude the Microsoft.ConfigurationManager
.SoftwareCatalog.Website.ClientBridgeControl.dll control from ActiveX filtering in Windows
Internet Explorer®. This control installs automatically with the client for versions prior to System
Center 2012 Configuration Manager SP1.
o Windows Installer version 3.1.4000.2435. This is the minimum version of the installer that is
necessary for software updates and .msp files in packages.
o KB2552033. This update is necessary for servers that are running Windows Server® 2008 R2, if
you use client push to deploy the Windows-based client.
o Background Intelligent Transfer Service (BITS) 2.5. BITS throttles communication between client
and servers. BITS does not install automatically on all Windows versions, so you need to
determine whether it is installed. If it is not, you need to install it.
• Dependencies that install automatically during deployment. CCMSeup.exe downloads these

prerequisites from a distribution point and, if necessary, installs them during deployment:
o Microsoft .NET Framework 4 Client Profile. The Configuration Manager client is a .NET
application, so it needs .NET Framework. Download this component only if none of the following
are installed on the client:
 Microsoft .NET Framework 3.0
o Microsoft Core XML Services (MSXML) 6.20.5002. Processes XML documents in Windows.
o Microsoft Policy Platform 1.2.3514.0. Evaluates compliance settings on the client.
o Microsoft remote differential compression (RDC). Compresses data for transmission over a
network.
o Microsoft Silverlight 4.0.50524.0. Used by the Application Catalog website on computers that are
running versions of the Configuration Manager client prior to System Center 2012 Configuration
Manager SP1.
o Microsoft Silverlight 5.1.10411.0. Used by the Application Catalog website on computers that are
running the System Center 2012 Configuration Manager SP1 and older versions of the
Configuration Manager client.
o Microsoft SQL Server Compact 3.5 SP2 components. Stores information that client operations
require.
o Microsoft Visual C++ 2005 Redistributable version 8.0.50727.42. Used by SQL Server®
Compact 3.5.
o Microsoft Visual C++ 2008 Redistributable version 9.0.30729.4148. Used by the client to execute
various client operations.
o Microsoft Windows Imaging Components. Used by the .NET Framework for computers that are
running Windows Server 2003 or Windows XP SP2 for 64-bit.
o Windows Imaging APIs 6.0.6001.18000. Manages .WIM files.
o Windows Update Agent version 7.0.6000.363. Supports software updates.
• Communication ports. Client deployment uses these ports:
o TCP 80. Used in all client deployment methods for communication with a fallback status point.
Also used for communication with the management point and distribution point.
o TCP 443. Used in all client deployment methods for communication between the client and a
management point and distribution point, if you configure the management point and
distribution point to use HTTPS instead of HTTP.
o TCP 445. Used by Server Message Block (SMB) block messages when downloading the client files
in a client push installation or in any installation that uses the /source property for CCMSetup.
o UDP/TCP 135. Used with dynamic ports on the client to support Remote Procedure call (RPC)
communication between client and site servers during a client-push installation.
o TCP 8530. Used for HTTP communication with a software update point when you install the client
by using software updates.
o TCP 8531. Used for HTTPS communication with a software update point when you install the
client by using software updates.
Note: These ports are the default ports that Configuration Manager uses. You can modify
them. For more information about ports that client deployment uses and alternative ports, refer
to “Windows Firewall and Port Settings for Client Computers in Configuration Manager” at
http://go.microsoft.com/fwlink/?LinkID=391457.
Overview of the Windows Client-Installation Process

Depending on the client-installation method
that you use, the complexity of configuration can
vary significantly. However, all of the installation
methods use the same files, and they finish the
installation essentially in the same way.
The installation process for the Configuration

Manager client uses the following files.
CCMSetup.exe
CCMSetup.exe generally begins the client-
installation process and runs in all client-
installation methods. CCMSetup performs the
following actions:
• Determines the location from which to download client prerequisites and installation files. If you start
CCMSetup without command-line options and if you extend the AD DS schema for Configuration
Manager, the setup process reads the client-installation properties from AD DS to find an appropriate
management point. If you do not extend the Active Directory schema, CCMSetup searches DNS or
WINS for a management point to contact. Alternatively, you can specify a management point by
providing the /mp:ComputerName switch or a specific UNC location by using the /source:path
switch.
• Downloads a copy of itself from the management point or specified source folder to the
%windir%\ccmsetup folder.
• Downloads the client prerequisite files. Files include the Client.msi file and any prerequisite files that
are missing, which this module discussed previously.
• Invokes the startup of the Client.msi file. The Client.msi file installs the Configuration Manager client
software on the client.
CCMSetup copies all of the files that it needs to %systemroot%\CCMSetup, and it creates the
ccmsetup.log file, which is stored in the %systemroot%\CCMSetup\logs folder. Numerous switches are
available for modifying the behavior of CCMSetup.exe, which the following topic discusses.
Client.msi
After CCMSetup installs the prerequisites on the client that you specify, it invokes Client.msi. This
Windows Installer file installs the client on the system.
Client.msi creates the client.msi.log log file in the %systemroot%\CCMSetup folder.

You can modify the Client.msi installation behavior by providing specific properties on the CCMSetup.exe
command line. Alternatively, you can specify the properties on the Installation Properties tab of the Client
Push Installation Properties dialog box. These settings then publish to AD DS, and the various installation
methods use these settings.
CCMSetup.msi
The Configuration Manager installation process uses the CCMSetup.msi Windows installer file when using
an AD DS Group Policy to publish or assign the Configuration Manager client to computers. This file is in
the installation directory\bin\i386 folder on the Configuration Manager site server.
Client Assignment
After the client installation is complete, the client is assigned to a site to allow for client management.
Client devices can be assigned to any primary site. However, client devices cannot be assigned to either a
secondary site or a central administration site.
Most clients reside within site-assignment boundary groups and are automatically assigned based on the
boundary definition. You can configure a site in the hierarchy settings as a fallback site, so that when you
select a client, the client is assigned to the site if the client is outside the configured boundary groups of
all defined sites. You also can assign a client to a site through a client.msi option, either directly or
through the Client tab of the Client Push Installation Properties dialog box.
If you do not extend the AD DS schema, you have the following options for site assignment:
• You can specify a site code by using the client.msi property SMSSITECODE=sitecode.
• You can manually assign a group of clients to a site by using Group Policy.
You also can choose to install a client offline and not immediately assign it to a site. However,
Configuration Manager cannot manage a client until it is assigned to a site.
After the client is assigned to a site, the client remains assigned to that site, even if the client changes its
IP address and roams to another site. Under normal circumstances, only an administrator can manually
assign the client to another site.
If the client auto-assignment fails, the client software remains installed, but Configuration Manager does
not manage it until it locates a site. If the client remains unassigned, every time that the CCMExec process
starts, it attempts to perform autoassignment.
Question: How does the client-deployment process use the management point?
Question: Which executable determines the location of the source files and then downloads them to start
the Configuration Manager client-installation process?
CCMSetup Installation Properties

CCMSetup.exe switches allow you to specify
the installation properties of the Configuration
Manager client. You can type these switches at a
command line when using the manual installation
or logon installation methods, or they can be read
from AD DS. You also can use CCMSetup.exe to
provide properties for client.msi when you are
using these methods.
The CCMSetup.exe command line uses the
following format:
CCMSetup.exe /[CCMSetup switch] [client.msi setup properties]

The following table lists a few of the switches that CCMSetup.exe supports. For a complete list of the
available settings, refer to “About Configuration Manager Client Installation Properties” at
CCMSetup switch Purpose
/source:Path Specifies the location to download installation files from. You can use a
local or UNC installation path. Files are downloaded by using the SMB
protocol. The Windows user account that you use for client installation
must have Read permissions to the installation location.
/mp:Computer Specifies the source management point for downloading installation files.
Files are downloaded over an HTTP or HTTPS connection, depending on
the management configuration for client connections. This download
uses BITS throttling, if you configure it. If you configure the management
point for HTTPS client connections only, you must verify that the client
computer has a valid public key infrastructure (PKI) client certificate.
/skipprereq:filename Specifies to skip prerequisite software that installs automatically.
/forceinstall Specifies the uninstallation of any existing client and the installation of a
new client.
Client.msi Properties
You can combine client.msi properties with CCMSetup switches when you perform an installation by using
CCMSetup. You can specify these properties manually or by changing Client Push Installation Properties in
the Configuration Manager console. The following list shows the properties that are used most commonly:
• CCMHOSTNAME. Use for Internet-based clients. Points to the management point that the client will
use.
• SMSCACHESIZE. Use to specify the size, in megabytes (MB), of the local cache that the client uses
when downloading files and packages from a distribution point.
• SMSMP. Use to specify the management point that the client will use.
• SMSSITECODE. Use to specify the site that you will assign the client to.
• FSP. Use to specify the fallback status point that the client will use.
Note: For more information about CCMSetup.exe switches and Client.msi properties, refer
to “About Client Installation Properties in Configuration Manager” at http://go.microsoft.com
/fwlink/?LinkID=391458.
Question: What should you type at a command prompt to install the Configuration Manager client from
a network share, and to specify that the client should use the LON site code and LON-CFG.adatum.com as
the management point after installation?
Planning for Installing the Configuration Manager Client on Mac

Computers
introduces support for Mac computers. However,
you cannot use all Configuration Manager
features on Mac computers, and Configuration
Manager does not support all versions of the Mac
operating system.
Supported Operating Systems

Configuration Manager supports the following
Mac operating systems:
• Mac OS X 10.6 (Snow Leopard): Supported on

SP1 and newer versions.
• Mac OS X 10.7 (Lion): Supported on System Center 2012 Configuration Manager SP1 and newer
versions.
• Mac OS X 10.8 (Mountain Lion): Supported on System Center 2012 Configuration Manager SP1 with
Cumulative Update 1 and newer versions.
Deployment
Configuration Manager client installation and management for Mac computers require the use of PKI
certificates. The Configuration Manager client for Mac computers always performs a certificate revocation
check, and you cannot disable this check. If a Mac computer cannot perform the check, it does not
connect to Configuration Manager site systems.
Mac computers communicate with Configuration Manager site systems as if they were Internet-based
clients. This means that all communication happens by using HTTPS. You must configure management
points and distribution points to support Mac computers.
Features Supported
The Configuration Manager client for Mac supports only three features: hardware inventory, software
deployment, and compliance settings.
Note: Compliance settings use .plist files and shell scripts for remediation.
Planning for Installing the Configuration Manager Client on Linux and

UNIX Computers
introduces support for Linux and UNIX computers.
However, you cannot use all features of
Configuration Manager on Linux and UNIX
machines, and some versions of Linux and UNIX
operating systems require an individual client
agent.
Microsoft introduced a universal client with

Cumulative Update 1 for System Center for
Client for Linux and UNIX. You can use the
universal agent for both the SP1 and R2 versions
of Configuration Manager, and it consists of two files:
• ccm-Universalx86.build.tar. Used for 32-bit implementations.

• ccm-Universalx64.build.tar. Used for 64-bit implementations.
You must ensure that the operating system and version of your Linux or UNIX implementation support
the universal installer before using it. The following implementations of Linux and UNIX support the
universal agent:
• Red Hat Enterprise Linux (RHEL)
o Version 5, x86
o Version 5, x64
o Version 6, x86
o Version 6, x64
• SUSE Linux Enterprise Server (SLES)
o Version 10 SP1, x86
• CentOS
o Version 5, x86
o Version 5, x64
o Version 6, x86
o Version 6, x64
• Debian
o Version 5, x86
o Version 5, x64
o Version 6, x86
o Version 6, x64
o Version 7, x86
o Version 7, x64
• Ubuntu
o Version 10.4 LTS, x86
• Oracle Linux
o Version 5, x86
o Version 5, x64
o Version 6, x86
o Version 6, x64
Configuration Manager can also manage computers that are running other versions of Linux or UNIX.
However, for those versions, you need a specific installer. The following list shows the installers for each
version:
• AIX
o Version 5.3 (Power): ccm-Aix53ppc.build.tar
• HP-UX
• Version 11iv2 IA64: ccm-HpuxB.11.23i64.build.tar
o Version 11iv2 PA-RISC: ccm-HpuxB.11.23PA.build.tar
o Version 11iv3 IA64: ccm-HpuxB.11.31i64.build.tar
o Version 11iv3 PA-RISC: ccm-HpuxB.11.31PA.build.tar
• SUSE Linux Enterprise Server (SLES)
o Version 9, x86: ccm-SLES9x86.build.tar
• Solaris
o Version 9 SPARC: ccm-Sol9sparc.build.tar
o Version 10 x86: ccm-Sol10x86.build.tar
o Version 10 SPARC ccm-Sol10sparc.build.tar
o Version 11 x86: ccm-Sol11x86.build.tar
o Version 11 SPARC: ccm-Sol11sparc.build.tar
• Red Hat Enterprise Linux (RHEL)
o Version 4, x86: ccm-RHEL4x86.build.tar
o Version 4, x64: ccm-RHEL4x64.build.tar
Note: There are external dependencies that you must ensure are met if you want a client to
work on computers that are running Linux or UNIX. For a list of dependencies, refer to “Planning
for Client Deployment for Linux and UNIX Servers” at
SHA-256 Support
The Configuration Manager client uses SHA-256 to validate data coming from site systems. Specifically,
SHA-256 validation verifies the site server signature for management points when downloading policies,
and it validates the hash for packages that download from a distribution point. However, some Linux and
UNIX operating systems do not support SHA-256. If you have computers that are running any of the
following operating systems, you must use the ignoreSHA256validation switch during installation:
• HP-UX Version 11iv2 (PA-RISH/IA64)

• Red Hat Enterprise Linux Version 4 (x86/x64)
• Solaris Version 9 (SPARC) and Solaris Version 10 (SPARC/x86)

• SUSE Linux Enterprise Server Version 9 (x86)
Deployment
You must deploy the Configuration Manager client in a computer that is running a supported Linux or
UNIX operating system in the same way that you deploy the client on workgroup-based computers. This
means that you must configure a Network Access Account to allow these clients to access resources in the
AD DS domain that is hosting the site systems. You must initiate the installation manually.
Supported Features
The Configuration Manager client for Linux and UNIX supports only two features: hardware inventory and
software deployment.
Lesson 3
Deploying Windows-Based Configuration Manager Clients
To install the Configuration Manager client, the target systems must meet certain prerequisites. Some of
the prerequisites download and install automatically during client setup. However, you must install other
prerequisites manually on the target system before you install the Configuration Manager client.
This lesson discusses how to deploy clients by using the following client-deployment methods:
• Client push
• Group Policy
• Login script
• Manual installation
• Client upgrade
Additionally, this lesson covers installation prerequisites, and the advantages and disadvantages for each
installation method.
Lesson Objectives
• Describe the system requirements for installing Configuration Manager clients.
• Describe using silent push to install Configuration Manager clients.
• Describe using a software update point to install Configuration Manager clients.

• Describe using Group Policy to install Configuration Manager clients.
Overview of Client Deployment Methods

To efficiently deploy the Configuration Manager
client components to potential resources, you
need to decide which deployment method to
use. You should consider the details of each
installation method, and decide which is best for
your environment.
The client deployment methods are:
• Client-push installation. This method pushes

the Configuration Manager client software
to client computers. You can automate this
deployment method, so that client installation
occurs on systems that are assigned to the
site. Or you can manually initiate a client push installation to any discovered system that
Configuration Manager supports for client installation.
• Group Policy installation. This method uses Group Policy to publish or assign the Configuration
Manager client to computers when the GPO runs on the computer.
• Software update-point installation. You can use this method to publish the Configuration Manager
client installation program (CCMSetup.exe) as a software update to a software update point. This is
useful if your environment uses WSUS, especially if the Windows firewall is enabled but not
configured to support other installation methods.
• Manual installation. This method manually installs the Configuration Manager client software on
computers by using CCMSetup.exe. Use this method if you need to install the client on a small
number of workstations. If the Configuration Manager information publishes to AD DS, and you run
CCMSetup.exe without any command-line parameters, the client-installation process retrieves the
published client-installation parameters from AD DS.
• Logon script installation. This method uses CCMSetup.exe in a logon script to trigger the client
installation. This method ensures that the Configuration Manager client installs on all computers to
which the user has local administrator permissions.
• Upgrade installation (software deployment). You can use this method to upgrade existing client
software on computers to newer Configuration Manager versions.
• Operating-system deployment. When using operating system deployment to deploy a new operating
system, or upgrade an existing one, you include the Configuration Manager client as part of the
operating system deployment process.
• Computer imaging. You can use this method to preinstall the Configuration Manager client software
on a master image computer that builds your organization’s computers.
The following table outlines the advantages and disadvantages for the various client-deployment
methods.
Client-deployment
Advantages Disadvantages
method
Client push Using the Client push installation Can cause high network traffic when
installation wizard, you can use this method pushing to large collections.
to push to a single computer, a You can use this only on computers that
collection, or to the results from a Configuration Manager discovers.
query.
You must specify a client-push installation
Using site-wide client push, you can account, which has administrative rights
use this method to install the client to the intended client computer. If you do
automatically on discovered not configure an account, Configuration
computers. Manager tries to use the site system’s
Uses client-installation properties computer account, which must have
defined on the Installation administrative rights on the target client.
Properties tab of the Client Push You must configure the Windows firewall
Installation Properties dialog box. on client computers and all firewalls
between the clients and site server, with
exceptions to allow client-push
installation to finish.
Group Policy Does not require you to discover Can cause high network traffic if you are
installation computers before you can install the installing a large number of clients.
client. If you do not extend the Active Directory
You can use this method for new schema for Configuration Manager or if
client installations or for upgrades. the site does not publish to AD DS, you
If you extend the Active Directory must use Group Policy to add client-
schema, computers can read installation properties to computers in
installation properties that publish your site.
to AD DS. Works only for systems that belong to an
Does not require administrative Active Directory domain.
rights on client computers. Applies Group Policy settings to
Does not require firewall exceptions. computers at reboot only, which can
delay installation.
Client-deployment
method
Software update- Uses your existing software updates Requires a WSUS infrastructure that the
based client infrastructure to manage the client systems are currently using.
installation software. Must use the same server for client
Installs the client software installation and software updates, and
automatically on new computers if this server must reside in a primary site.
WSUS is configured correctly. If you do not extend the Active Directory
Does not require Configuration schema for Configuration Manager or if
Manager to discover computers the site does not publish to AD DS, you
before you can install the client. must use a GPO to add client installation
Reads installation properties in properties to your site’s computers.
AD DS.
Reinstalls the client software if it is
removed.
Does not require administrative
rights on client computers.
Does not require firewall exceptions.
Manual installation Does not require Configuration No automation. Therefore, this can be
Manager to discover computers time-consuming.
before you can install the client. Works only for users who are local
Can be useful for testing purposes. administrators.
Supports using command-line
properties for CCMSetup.
Allows you to retrieve configuration
properties from AD DS.
Logon script Does not require Configuration Can cause high network traffic if you are
installation Manager to discover computers installing a large number of clients over a
before you can install the client. short period of time.
Supports using command-line Requires that the logged-on user be a
properties for CCMSetup. local administrator for the computer.
Upgrade Can leverage the Configuration Can cause high network traffic when
installation Manager features to upgrade clients distributing the client to large collections.
(software by collections, at a time that you You can use this only to upgrade the
deployment) specify. client software on computers that have
Supports using command-line been discovered and assigned to the site.
properties for CCMSetup.
Does not require administrative
rights on client computers.
Operating-system Deploys Configuration Manager as Can cause high network traffic if you are
deployment part of the image. deploying a large number of clients over
Site assignment is automatic. a short period of time.
Can use Client.msi options. Requires that an operating-system
deployment infrastructure be in place.
Client-deployment
method
Computer imaging The image may preinstall Requires specific infrastructure

Configuration Manager, and it does considerations for storing and deploying
not require a separate deployment the computer images.
task. Communication to the If the reference computer is not properly
Configuration Manager site can prepared and is allowed to register with
begin almost immediately after the a site, all clients that are deployed from
image is deployed. that image have the same globally unique
identifier (GUID).
Installing Clients by Using Client Push

You can use client push installation to deploy
the Configuration Manager client to support
computer systems that it discovers and for which
it registers a DDR in the site database.
You can use client push to install the client on

domain-based computers discovered by using
Active Discovery methods, or on workgroup
computers discovered by using Network
Discovery. You must provide local administrator
credentials by configuring the client push
installation method to use an account that has
local administrator permissions on the target
computers.
You can automate the client push installation for the entire site by enabling site-wide client push
installation. Additionally, you can manually initiate this installation for individual systems or for entire
collections by using the Client Push Installation Wizard. The primary difference between the automatic
and manual methods occurs when installation is initiated:
• When you configure automatic push installation, the installation starts as soon as Configuration
Manager discovers a system and the system is placed within a site-assignment boundary group.
• When you configure manual push installation, you decide when and on which systems to install the
client.
Whether you use only one of these methods or both, you must configure certain properties for client
push installation.
When you perform a client push installation, if the site server cannot contact the client computer or start
the setup process, it automatically repeats the installation attempt every hour for up to seven days, until it
succeeds. To help track the client installation process, install a fallback status-point site system before you
install clients, which clients automatically use when client push installs them.
Automatic Client Push Installation

You can configure client push installation at the site level so that client installation occurs automatically
on devices that Configuration Manager discovers and assigns within the site’s configured site-assignment
boundary group. If a device is assigned to the site and you enable the site setting for client push
installation, the site server generates a Client Configuration Request for the discovered resource. If the
discovered resource matches the configuration criteria that you established for the client push installation
method, Configuration Manager processes the Client Configuration Request, and starts the client
installation.
You configure automatic client push installation on the General tab of the Client Push Installation
Properties dialog box. After enabling the automatic client push installation, you can choose what types
of systems install automatically. You can configure the following options:
• Enable automatic site-wide client push installation. You can use this check box to enable or disable
automatic client push installation. It includes the following options:
o Servers. This check box allows you to enable or disable automatic push installation to server
systems.
o Workstations. You can use this check box to enable or disable automatic push installation to
workstations systems.
o Configuration Manager site system servers. You can use this check box to enable or disable
automatic push installation to Configuration Manager site system servers.
• Always install the Configuration Manager client on domain controllers. You can use this option to
enable or disable client installation on domain controllers.
• Never install the Configuration Manager client on domain controllers, unless the Client Push
Installation Wizard specifies it. You can use this option to specify that the client installs only on
domain controllers when you use push install and that you want to manually specify during push
install that the client can be installed on domain controllers.
Common Settings for Client Push Installation

Both the automatic push and manual push methods involve pushing the client from the site server. The
Client Push Installation Properties dialog box affects both methods. The dialog box is available on the
ribbon in the Settings section when you select a site, or from a site’s right-click menu. You must configure
two tabs to use either of the client push-installation methods.
Accounts Tab
You can use the Accounts tab to list the accounts that are used to attempt a client push installation. The
installation must use an account with Administrative rights on the client system that you are targeting. If
more than one account is listed, installation is attempted by using each account starting at the top and
working down the list until the installation finishes or until all accounts are tried. If you do not specify at
least one client push-installation account, Configuration Manager tries to use the site system’s computer
account.
Note: The password for the client push-installation account is limited to 38 characters
or less.
Installation Properties Tab

You can use the Installation Properties tab to configure the client.msi settings that you want to use for
your site. If you extend the schema for Configuration Manager, client-installation properties that this tab
specifies publish to AD DS. They are read by client installations where CCMSetup.exe runs without
installation properties.
Install Client Wizard

You can launch the Install Client Wizard by selecting one or more discovered devices under the Devices
node of the Assets and Compliance workspace, and then clicking Install Clients in the ribbon. You also can
use the Install Client Wizard from the Device Collections node.
After you launch the Install Client Wizard, you have the following options:
• Allow the Client software to be installed on domain controllers. You can use this check box to enable
the push installation to domain controllers.
• Always install the client software. You can use this check box to cause the client software, if it is
present, to be reinstalled, repaired, or upgraded. You also have an option to uninstall any existing
client software before the client is reinstalled.
• Install the client software from a specified site. You can use this check box to specify an alternate site
to use for installing the client software. This does not change the client site assignment.
Firewall Settings for Client Push Installation

Client push installation can fail if the client is running a firewall that is blocking the ports that the
installation process is using. To help ensure the success of the installation, you should configure the
settings in the following table for Windows Firewall or any other intervening firewalls.
To successfully use client push to install the Configuration Manager client, you must add the following
exceptions to the Windows Firewall:
• File and Printer Sharing
• Windows Management Instrumentation (WMI)

The client push-installation method uses the ports that the following table lists. Additionally, the method
confirms whether the client computer is available on the network by using ICMP echo request messages,
or the PING protocol, from the site server to the client computer to confirm whether the client computer
is available.
Description UDP TCP
HTTP from the client computer to a fallback status point. Not 80

applicable
SMB between the site server and client computer. Not 445
applicable
RPC endpoint mapper between the site server and the client computer. 135 135
RPC dynamic ports between the site server and the client computer. Not Dynamic
applicable
HTTP from the client computer to an intranet-only management point. Not 80

applicable
HTTPS from the client computer to an Internet-capable management Not 443

point. applicable
Installing Clients by Using Software Updates

If you use WSUS to deploy software updates
to client computers, you can use the same
procedures for deploying the Configuration
Manager client as if it were a software update.
You can use software update-based client
installation to install new clients or to upgrade
existing Configuration Manager clients to newer
versions.
One important advantage of using this method is

that it does not require administrative permissions
on target computers. With this method, you can
install the client on computers when a firewall
prevents you from using alternate automated methods, and you cannot configure the firewall exceptions
for alternate installation methods.
The following are some of the prerequisite configurations that you must perform before using the
software updates method:
• If a client system has a previous version of the Configuration Manager client installed and is using the
software update point, you do not need to do additional configuration.
• If a client system does not have the Configuration Manager client installed, you must configure and
assign a GPO in AD DS. This GPO specifies the WSUS server that you configure as a software update
point from which the computer obtains software updates.
• The software update method uses the configuration information that is published in AD DS, if
available. If no configuration information is published, you should create a GPO by using the
ConfigMgrInstallation.adm template to provide client installation settings for your site’s computers.
Use the Software Update-Based Client Installation dialog box to publish the Configuration Manager
client-installation program (CCMSetup.exe) to a software update point as an additional software update.
To access the dialog box, navigate to the Administration workspace, expand Site Configuration, click Sites,
click a site in the results pane, on the ribbon in the Settings group click Client Installation Settings, and
then click Software-Update Based Client Installation.
When you use this installation method, the client is installed during the next software update cycle on the
target computers.
Firewall Settings for Software Update-Based Client Installation

Software Update-Based Client Installation can fail if the client is running a firewall that is blocking ports
that the installation process is using. To help ensure the success of the installation, configure the port
settings for Windows Firewall or any intervening firewalls listed in the following table.
Processes used in client deployment UDP TCP
HTTP from the client computer to a fallback status point. Not applicable 80
HTTP from the client computer to the software update point. Not applicable 80 or 8530
HTTPS from the client computer to the software update point. Not applicable 443 or 8531
Question: What are some of the benefits of using the software update-point installation method?
Demonstration: Installing Clients by Using Software Updates

• Configure a GPO to connect to a software update point.

• Publish the Configuration Manager client to a software update point.
Demonstration Steps
1. Create a GPO named CMClientInstall that is linked to the Adatum.com domain.
2. Configure the GPO to use http://lon-cas.adatum.com:8530 as the Windows update server.
3. Set up Software Update-Based Client Installation.
When you finish the demo, revert the virtual machines to their initial state. To do this, complete the
following steps:

4. Repeat steps 2 and 3 for 10748C-LON-CAS-C.
Installing Clients by Using Group Policy

You can use Group Policy to deploy the
Configuration Manager client when you want to
use an automated method for client installation,
but still want to control when the deployment
occurs. By using Group Policy, you can plan a
client roll out that mirrors your AD DS OU
structure. To use Group Policy for this purpose,
consider the following requirements:
• You can use the Group Policy installation
method only for systems that are members
of the Active Directory domain.
• You must use the CCMSetup.msi file that the
Configuration Manager installation directory\bin\I386 folder on the site server provides. You cannot
modify the command line that you use to launch the CCMSetup.msi. You must use other methods,
such as using the ConfigMgrInstallation.adm Group Policy template or publishing properties to
AD DS with the Client Push Installation Properties on the Installation Properties tab.
• You should extend the AD DS schema to support Configuration Manager and ensure that the site is
publishing to AD DS. This ensures that all Group Policy-based clients find installation properties that
the client push-installation properties publish in AD DS when you install the Configuration Manager
client. Additionally, if you later change settings, such as ports, clients update when they perform
AD DS lookups for Configuration Manager systems.
There are two Group Policy administrative templates on the Configuration Manager installation media
located in TOOLS\ConfigMgrADMTemplates: ConfigMgrInstallation.adm and ConfigMgrAssignment.adm.
The ConfigMgrInstallation.adm template provides installation properties to client computers, including
the site code needed for site assignment.
Group Policy provides the following option for deploying software to network clients:
• Assign. You can assign the CCMSetup.msi file, which means that the Configuration Manager client
installs when you start the computer after the policy has been applied.
Firewall Settings for Group Policy Client Installation

Group Policy installation can fail if the client is running a firewall that is blocking the ports that the
installation process is using. To help ensure the success of the installation, you should configure the
following settings for Windows Firewall or any intervening firewalls.
To use Group Policy to install the Configuration Manager client, you must add the following File and
Printer Sharing exception to Windows Firewall.
Group Policy installation uses the ports that the following table lists.
Description UDP TCP
HTTP from the client computer to a fallback status point. Not 80

applicable
HTTP from the client computer to an intranet-only management point. Not 80

applicable
HTTPS from the client computer to an Internet-capable management point. Not 443
applicable
SMB between the source server and client computer if you specify an Not 445
alternate source server with CCMSetup using /source:<Path>. applicable
Question: Why would you want to assign the Configuration Manager client to a computer through a
GPO?
Question: When do you need to provision the client installation properties in AD DS by using Group
Policy?
Additional Client-Installation Methods

Configuration Manager supports several
additional installation methods that you can
use to deploy the Configuration Manager client
components. The following sections discuss
considerations for each of these additional
methods.
Manual or Logon Script-Based

Installations
Even though the manual installation method
has the most administrative overhead of all
methods, it is useful for troubleshooting. To
use this method, the logged-on user must have
administrative rights to the client computer. If the user running CCMSetup.exe does not have
administrative privileges, the installation does not start.
CCMSetup.exe is in the Configuration Manager Installation location\Client folder on the site server, which
is also shared as site server name\SMS_site code\Client.
You can specify command-line properties for both CCMSetup.exe and Client.msi to modify this client
installation’s behavior. Consider the following command-line example:
CCMSetup.exe /mp:MP01.ADATUM.COM SMSSITECODE=AUTO FSP=FP01.ADATUM.COM
In the previous example, the client installation uses the properties in the following table.
Property Description
/mp:MP01.ADATUM.COM Specifies the management point, MP01, from which to download the
necessary client installation files.
SMSSITECODE=AUTO Specifies that the client should use AD DS or the management point
to determine the Configuration Manager site code to use.
FSP=FP01.ADATUM.COM Specifies that the fallback status point named FP01 receives state
messages sent from the client computer related to client deployment,
and is the daily management point check.
Note: For a full list of properties that you can use with CCMSetup.exe, refer to “About
Configuration Manager Client Installation Properties” at http://go.microsoft.com/fwlink
/?LinkID=247706.
The logon script-based installation method is a manual method that uses the /logon command-line
switch and that launches from a script. When you specify the /logon installation property for
CCMSetup.exe, client installation does not occur if any version of the client already exists on the
computer. This prevents the client’s reinstallation each time the logon script runs.
Logon script installation uses the same methods as manual client installation. Therefore, you can use the
same command-line switches for logon script-based installations. It also means that the user running the
logon script requires administrative rights. For example, you could modify the preceding command-line
example as shown in the following example to use it in a logon script:
CCMSetup.exe /mp:MP01.ADATUM.COM /logon SMSSITECODE=AUTO FSP=FP01.ADATUM.COM
When CCMSetup.exe runs, it copies all necessary installation prerequisites to the client computer, and calls
the Windows Installer package (Client.msi) to perform the client installation. You cannot perform the
installation by directly invoking the Client.msi installation file.
Software Deployment-Based Installations

You cannot upgrade Configuration Manager 2007 clients to Configuration Manager by using
Application Management. Instead, you must uninstall the Configuration Manager 2007 client, and install
the Configuration Manager client by using one of the other client-deployment methods. You can create
a package in Configuration Manager 2007 to uninstall the Configuration Manager 2007 client, and then
start a Configuration Manager client installation.
Operating-System Deployment
As part of an operating-system deployment task sequence, the Configuration Manager client installs.
Including the Configuration Manager Client in System Images

You can preinstall the Configuration Manager client software on a reference computer image and then
deploy that image throughout your network environment.
To prepare the reference computer for imaging, complete the following steps:
1. Manually install the Configuration Manager client software on the reference system computer in an
isolated network segment, so that automatic site assignment does not occur. Do not specify the
client’s site code in the CCMSetup.exe command-line properties.
2. Ensure that the SMS Agent Host service (CCMExec.exe) is not running on the reference computer, by
typing net stop ccmexec at a command prompt and then pressing Enter.
3. Remove any certificates that the reference computer is storing.
4. If you plan to install the clients in a Configuration Manager hierarchy different from the master image
computer, remove the Trusted Root Key from the master image computer.
5. Run sysprep.exe on the reference computer, and use your imaging software to capture the reference
system computer’s image.
6. Deploy the image to target computers.
Note: Failure to follow this procedure results in duplicate Configuration Manager unique
IDs on clients and, thus, clients missing from the Configuration Manager database.
Question: How would you install the Configuration Manager client on computers for remote workers?
Discussion: Planning Client Deployment

When planning client deployment in your
organization, you can choose between all of the
deployment methods. You do not need to use a
single deployment method for all of your clients.
Therefore, you should evaluate each situation, and
then determine the best deployment method to
use.
Considering your environment, discuss the

following questions with the class:
Question: Do you have potential clients in remote
locations? If so, how would you deploy these
clients?
Question: Do you have workers who infrequently visit an office? If so, how would you deploy clients to
their systems?
Question: Are you going to deploy clients to the servers in your data center? If yes, what method will you
use?
Question: Are there systems on which you do not want to install the client?
Lab: Implementing Configuration Manager Client

Deployment
Scenario
You are the network administrator for A. Datum Corporation. A. Datum has deployed Configuration
Manager in a complex hierarchy. There is a central administration site, two primary sites, and a secondary
site. You need to configure discovery methods and install the Configuration Manager clients by using
various installation methods.
Objectives
In this lab, you will:
1. Configure Active Directory resource discovery methods.

2. Use client push to install the Configuration Manager client.
3. Use Group Policy to install the Configuration Manager client.
Lab Setup
Virtual machines: 10748C-LON-DC1-C

10748C-LON-CAS-C
10748C-LON-CFG-C
User name: Adatum\Administrator
Password: Pa$$w0rd
• User name: Administrator
• Password: Pa$$w0rd
• Domain: Adatum
5. Repeat steps 2 through 4 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.

Exercise 1: Configuring Active Directory Discovery Methods

Scenario
In this exercise, you use the Configuration Manager console to configure Active Directory System
Discovery, Active Directory User Discovery, and Active Directory Group Discovery.

1. Configure Active Directory System Discovery.
2. Configure Active Directory User Discovery.
3. Configure Active Directory Group Discovery.

4. Verify that the discovered computers appear in the All Systems collection and are assigned to the site
correctly.
 Task 1: Configure Active Directory System Discovery

1. On LON-CFG, open the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, expand Hierarchy
Configuration, and then click Discovery Methods.
3. In the results pane, access the properties for Active Directory System Discovery. In the Active
Directory System Discovery Properties dialog box, use the following settings to configure System
Discovery, and then click OK:
o At the General tab, click Enable Active Directory System Discovery, and then click New.
o In the Active Directory Container dialog box, browse to click the Adatum domain, and then
close the dialog box.
o At the Polling Schedule tab, review the settings.
o At the Active Directory Attributes tab, review the settings.

o At the Options tab, review the settings.
 Task 2: Configure Active Directory User Discovery

• In the results pane, access the properties for Active Directory User Discovery. In the Active
Directory User Discovery Properties dialog box, use the following settings to configure User
Discovery:
o At the General tab, click Enable Active Directory User Discovery, and then click New.
o In the Active Directory Container dialog box, browse to click the Adatum domain, and then
close the dialog box.
o At the Active Directory Attributes tab, review the settings.
 Task 3: Configure Active Directory Group Discovery

• In the results pane, access the properties for Active Directory Group Discovery. In the Active
Directory Group Discovery Properties dialog box, use the following settings to configure System
Discovery:
o At the General tab, click Enable Active Directory Group Discovery, click Add, and then click
Location.
o In the Add Active Directory Location dialog box, in the Name box, type Adatum domain, and
then browse to click the Adatum domain. Close the dialog box.
o At the Options tab, review the settings.
 Task 4: Verify that the discovered computers appear in the All Systems collection and
are assigned to the site correctly
1. In the Configuration Manager console, click the Assets and Compliance workspace, and then click
the Device Collections node.
2. Click the All Systems collection, and then on the ribbon, click the Show Members button.
3. A new node called All Systems appears in the navigation pane, under the Devices node. In the
results pane, observe the systems that are members of the All Systems collection and their assigned
site. On the Site Code column, you should see S01 for most systems.
Results: At the end of this exercise, you should have configured the Active Directory discovery methods.
Exercise 2: Using Client Push to Install the Configuration Manager Client

Scenario
You need to use the Configuration Manager console to configure the client push installation method, and
install the client on systems by using client push.
1. Create a client push installation account.

2. Configure the client push installation method.
3. Install the client by using client push.
4. Verify the client installation.
 Task 1: Create a client push installation account

1. On LON-DC1, start the Active Directory Users and Computers console.
2. In the Active Directory Users and Computers console, in the Users container, create a new user
account with the following settings:
o In the First name and User logon name text boxes, type ConfigMgrClientPush.
o In the Password and Confirm password text boxes, type Pa$$w0rd.

o Clear the User must change password at next logon box.
o Select the User cannot change password and Password never expires check boxes.
3. In the Active Directory Users and Computers console, access the Properties of the
ConfigMgrClientPush user account, and then add the user to the Domain Admins group.

 Task 2: Configure the client push installation method

1. On LON-CFG, in the Configuration Manager console, in the Administration workspace, expand Site
Configuration, and then click the Sites node.
2. Right-click S01 – Adatum Site, click Client Installation Settings, and then click Client Push
Installation.
3. In the Client Push Installation Properties dialog box, use the following settings to configure the
client push installation method:
o At the Accounts tab, click the New button, and then click New Account.
o In the Windows User Account dialog box, click the Browse button.
o In the Select User dialog box, type ConfigMgrClientPush, click the Check Names button, and
then close the dialog box.
o In the Windows User Account dialog box, in both the Password and Confirm password boxes,
type Pa$$w0rd and then click Verify. The Windows User Account dialog box expands.
o In the Windows User Account dialog box, in the Network Share box, type \\LON-DC1\C$, and
then click Test connection. Close the dialog box.
o In the Client Push Installation Properties dialog box, at the Installation Properties tab, in the
Installation properties box, after the text SMSSITECODE=S01 type a space, and then type
FSP=LON-CFG.adatum.com.
Note: The entire line should read SMSSITECODE=S01 FSP=LON-CFG.adatum.com.
 Task 3: Install the client by using client push

1. On LON-CFG, in the Configuration Manager console, in the Assets and Compliance workspace,
under Device Collections, click the All Systems node.
2. In the results pane, right-click LON-CFG, and then click Install Client.
3. The Install Configuration Manager Client Wizard starts. Use the following settings to install the client
on LON-CFG:
o In the Installation Options page, check the Install the client software from a specified site
box, and then verify that in the Site list appears S01 – Adatum Site.
o Complete the wizard by using the default settings.
4. In the results pane, right-click LON-DC1, and then click Install Client.
5. The Install Configuration Manager Client Wizard starts. Use the following settings to install the client
on LON-DC1:
o In the Installation Options page, check the Allow the client software to be installed on
domain controllers box.
o Complete the wizard by using the default settings.
 Task 4: Verify the client installation

2. In Control Panel, start Configuration Manager.

3. In the Configuration Manager Properties dialog box:
o On the General tab, review the information.
o On the Components tab, verify the status of the agents: some of the agents should have the
Status of Installed.
o On the Actions tab, in the Actions list, click Machine Policy Retrieval & Evaluation Cycle, and
then click Run Now. This initiates the connection of the Configuration Manager client to the
management point.
Note: When the Configuration Manager client is running inside a virtual machine, it uses
randomization for the initial time interval of connection to the management point. Manually
running the Machine Policy Retrieval & Evaluation Cycle helps ensure that all components are
updated, as necessary.
Results: At the end of this exercise, you should have started the installation of the Configuration Manager
client by using the client push installation method.
Exercise 3: Using Group Policy to Install the Configuration Manager Client

Scenario
You have client computers in a remote office that you want to install automatically. To help ensure that
the Configuration Manager client installs on the computers as they come online, you have decided to use
Group Policy to deploy the Configuration Manager client. However, you need to do some additional
configuration to support the remote office.

1. Import the configmgrinstallation.adm file.
2. Configure client-installation properties within a GPO.
3. Import CCMSetup.msi, and then deploy the Configuration Manager client by using Group Policy.
4. Verify client installation.
 Task 1: Import the configmgrinstallation.adm file

1. From LON-DC1, create a new Group Policy Object (GPO) in the Group Policy Management console,
named SCCM Client Install, which is linked to the Adatum.com domain.
2. Import the configmgrinstallation.adm template to the GPO.
 Task 2: Configure client-installation properties within a GPO

• Configure the Configure Configuration Manager 2012 Client Deployment Settings GPO as follows:
o State: Enabled
o CCMSetup options: SMSSITECODE=S01 FSP=LON-CFG.adatum.com

 Task 3: Import CCMSetup.msi, and then deploy the Configuration Manager client by
using Group Policy
1. Create a share in LON-DC1 with the following settings:
o Folder: C:\SCCMClient
o Share: SCCMClient
o Permissions: Read for everyone
2. Copy the ccmsetup.msi file from LON-CFG to the SCCMClient in LON-DC1.
3. Create a new software installation package in the SCCM Client Install GPO with the following
settings:
o MSI file: \\LON-DC1\SCCMClient\ccmsetup.msi
o Deployment type: assigned

4. In Hyper-V® Manager, start the 10748C-LON-SVR1-C virtual machine.
 Task 4: Verify client installation

1. Sign in to LON-SVR1 by using the following credentials:
o Username: ADATUM\Administrator
2. Verify that ccmsetup.msi or ccmsetup.exe is running.

following steps:
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
Results: At the end of this exercise, you should have installed the Configuration Manager client by using a
GPO.
Question: How do you discover computers?
Question: What are the prerequisites for installing clients by using client push?
Question: How do you validate a client installation?

Lesson 4
Managing Configuration Manager Clients
After installing the Configuration Manager client, you can begin managing the computer systems in the
site. You can perform several tasks for the client systems from within the Configuration Manager console.
Additionally, you can configure the client settings to control how the client behaves by default in addition
to by collection.
Lesson Objectives
• Describe the available client-management tasks.
• Explain how to configure client settings.
• Reassign clients.
• Use certificate profiles.
Managing Clients
When Configuration Manager discovers a
system, it displays in the Assets and Compliance
workspace in the Devices node. You can also add
the systems to collections. The All Systems and
All Desktop and Server Clients collections in the
Device Collections node populate automatically.
No significant client management can take place
until after you install the Configuration Manager
client. When you select a device or collection
that contains devices with the Configuration
Manager client installed, you can select various
management operations. Additionally, there are
management tasks that involve other workspaces in the console, such as client settings, which the next
topic discusses. Additionally, there are some tasks that do not use the Configuration Manager console.
Managing Clients from the Assets and Compliance Workspace

You perform management tasks for individual clients in the Devices node. From the Devices node, you
can perform the following actions, per client:
• Add a device to a collection.

• Install a client on a device.
• Start Resource Explorer for the device.
• Start Remote Control, Remote Assistance, or Remote Desktop for the device.
• Approve the device for management.
• Block the device from management.
• Unblock the device for management.

• Perform out-of-band management.
• Perform a malware scan on the device.

• Edit primary users for the device.
• View device discovery data.
• Delete the device from Configuration Manager.
• Wipe mobile devices.
Managing Clients from the Device Collections Node

At the collection level, you can perform many of the client-management tasks that you can perform on
a single device. This has the advantage of automatically applying the management task to all eligible
devices in the collection. Although this can be a convenient method to manage multiple clients at once,
it can also generate increased network packets. This increases central processing unit (CPU) usage on the
site server. Additionally, you can perform some tasks only against collections.
Before you perform collection-level client management tasks, consider how many devices are in the
collection, whether they are connected by low-bandwidth network connections, and how long the task
will take to complete for all the devices. When you perform a client management task, you cannot stop it
from the console.
Management tasks for collections are performed in the Device Collections node. From the Device
Collections node, you can perform the following actions, per collection:
• View collection members.
• Add collection members to other collections.

• Install the client.
• Manage affinity requests.
• Manage out-of-band features.

• Perform malware scans on devices.
• Export a collection definition.
• Copy a collection.
• Simulate a deployment.
• Deploy applications.
• Move a collection.
• Change collection properties.
Additional Tasks for Managing the Client

You can perform additional client-management actions. These management actions include:
• Change the client cache configuration. An administrator can do this from the Configuration Manager
properties on the client itself.
• Uninstall the client. You can do this from the client or from the console.
• Manage conflicting records. This typically occurs automatically. However, if Configuration Manager
cannot resolve the conflict, it uses a hierarchy setting that merges the records automatically when it
detects duplicate hardware IDs (the default setting), allows you can decide when to merge, block, or
create new client records. If you decide to manually manage duplicate records, you must manually
resolve the conflicting records by using the Configuration Manager console.
• Initiate a policy retrieval cycle. You can do this from the client or from the console.
Configuring Client Settings

You can manage Configuration Manager client
settings in the Configuration Manager console,
in the Administration workspace from the Client
Settings node. When you install Configuration
Manager, a default client settings object is
created. You can modify the default client
settings. However, you cannot delete them,
because these settings are applied to all clients
in the hierarchy. You also can configure custom
client settings that override the default client
settings when you assign them to collections.
You can create multiple custom clients settings

that are applied, in order, based on the priorities assigned to the client settings. The default client settings
have a priority of 10,000 and are always applied first. Custom policies have priorities beginning at one and
increasing incrementally as they are created. You can change the priority of custom settings to change the
order in which they are applied. When multiple custom settings adjust the same setting value, the last
value applied is the effective value.
Many of the client settings are self-explanatory. Refer to the following tables for more information about
the client settings.
Client Settings for Devices

The Administration workspace groups client settings by feature, which include:
• Background Intelligent Transfer. You can specify whether to use BITS and schedule times for
throttling.
• Client Policy. You can specify the schedule for retrieving policies.
• Compliance Settings. Allows you to enable compliance settings for clients, and schedule evaluation.
• Computer Agent. Allows you to configure general client settings, such as notification for application
deployments, and Windows PowerShell® execution policy.
• Computer Restart. Allows you to configure user notifications to be displayed when the device is about
to be restarted by Configuration Manager.
• Endpoint Protection. Allows you to manage Endpoint Protection settings.
• Hardware Inventory. Allows you to configure hardware inventory settings.

• Network Access Protection. Allows you to manage NAP settings from Configuration Manager.
• Power Management. Allows you to configure Power Management profiles for client devices.
• Remote Tools. Allows you to configure remote tools, remote assistance, and remote-desktop settings.
• Software Deployment. Allows you to schedule reevaluation for deployments.

• Software Inventory. Allows you to configure software-inventory frequency and other settings.
• Software Metering. Allows you to configure software-metering scheduling.
• Software Updates. Allows you to schedule update cycles, and other update settings.
• State Messaging. Allows you to configure the frequency for sending status messages to the server.
• User and Device Affinity. Allows you to configure whether users can change their affinity settings.
Question: How do you configure classes so that the hardware inventory collects them?
Client Reassignment
Configuration Manager clients are always
assigned to a primary site. However, a
Configuration Manager hierarchy can consist of
several primary sites. Usually, a primary site links
to a physical location or to a collection of physical
locations. For example, a company may have
operations in several countries in North America,
Europe, and South America. In its System Center
2012 Configuration Manager hierarchy, it may
create an individual primary site for each country.
In environments like this, you need to consider
what happens as computers move from one
physical location to another, and consequently, move from one primary site to another. There are two
ways to classify these moves: roaming or reassignment.
Roaming
After the Configuration Manager client installs, the client is assigned to a site. Even if the assignment
occurs automatically, based on boundaries, the actual assignment does not change after installation.
Therefore, even in a scenario where users travel with their laptops between locations, and connect from
different boundaries that belong to different primary sites, the computers remain assigned to their
original site.
Usually, when a client starts, it requests a list of management points for its site. This process repeats every
25 hours and any time the computer receives a new IP address. When a client receives an IP address that
is not within the boundary of its assigned site, the client is roaming. If the client detects that its IP address
is within the boundary of a secondary site, the client connects to the management point for the secondary
site. This enables it to avoid using a potentially slow connection to the primary site. However, if the client
is roaming to a different primary site or to a secondary site for another primary site, the client connects to
a management point for its assigned site to retrieve policies and upload data.
Client Reassignment
In larger organizations that have multiple primary sites, there are always clients that roam from one site
to another. However, sometimes a client actually is moving permanently from one physical location to
another. In this scenario, you should reassign the client to the new site. There are three ways to reassign a
client: reinstall the client, manually reassign the client, and use a GPO.
Reinstall the client

You can use a client push install at any time to reinstall the client on a computer that moves from one site
boundary to another. During client push, if the client resides within the boundary of a new site, and you
configure the client push to automatically assign a site, the client is assigned to the new site. The same
process works for manual installations, scripted installations, and installations where you manually specify
the actual site code. To use this process, you must be able to identify which computers need their site
reassigned.
Manually reassign the client

As the name suggests, in a manual reassignment, you must enter the new site for the computer by using
the Configuration Manager setting in Control Panel for the client. This process is best for re-assigning one
client, or a very small number of clients, because it does not require you to force an install. However, you
still need to identify the computers that need reassignment, because you need to connect to them locally.
Additionally, you must use a local administrator account on the computers to make the change. To
reassign a computer to a new site, follow this procedure:
1. Log on to the computer by using an account that has local administrator permissions.
2. Open the Configuration Manager settings in Control Panel.
3. Click the Site tab, and then click Configure Settings.
4. Reassign the client by doing the following:
a. Type the site code in the Currently assigned to site code box.
b. Click Find Site to automatically assign the client by using boundaries.
5. Click OK.
Use a GPO
You can also reassign clients to a site by using a GPO. Microsoft provides an administrative template
named configmgrassignment.adm, which you can use to assign clients to a site. Be aware that if you
choose this option, all computers that have the GPO applied to them will be reassigned to the site that
the GPO specifies. To assign a client by using a GPO, follow this procedure:
1. Create a new GPO.
2. Import the configmgrassigment.adm template to the GPO.

3. Configure the Configure Configuration Manager 2012 Site Assignment setting, as follows:
a. Click Enabled to enable the setting.
b. In the Assigned Site textbox, type the site code that you want to assign the clients to.
c. In the Site Assignment Retry Interval (Mins) numeric textbox, specify how frequently the client
will start a reassignment process.
d. In the Site Assignment Retry Duration (Hours) numeric box, type how long the client will keep
trying to reassign itself before failing.
4. Link the GPO to the domain or OU that contains the computer accounts for the systems that you
want to reassign.
The main advantage of this process is that you do not need to identify each individual computer that
you need to reassign. This also reassigns computers for which the computer account has moved from
one OU or site to another due to physical relocation. However, if you are linking the OU to sites, you may
incorrectly reassign computers that are simply roaming.
Securing Clients by Using Certificate Profiles

The assignment of certificate profiles is a new
feature in System Center 2012 R2 Configuration
Manager. Certificates can be issued automatically
to clients that Configuration Manager manages in
the following scenarios:
• User and device certificates that support Wi-Fi

and VPN connections.
• Root certification authority (CA) and
intermediate CA certificates that are used
to create a chain of trust for server
authentication.
To provide certificates for managed clients, you must install a certificate registration point, and you must
install the Configuration Manager Policy Module on a server running Windows Server 2012 R2 with the
Active Directory Certificate Services and the Network Device Enrollment service roles installed.
Supported Clients
Configuration Manager supports the deployment of certificates to devices that are running one of the
following operating systems:
• Windows RT 8.1
• Windows 8.1
• Android
• iOS
Types of Certificate Profiles

You can manage two types of certificate profiles in Configuration Manager:
• Simple Certificate Enrollment Protocol (SCEP) settings. This profile allows devices to request a
certificate for a user or a device from a server that is running Windows Server 2012 R2 and the
Network Device Enrollment Service by using SCEP. You can use user and device certificates for
authentication on Wi-Fi networks and VPNs.
• Trusted CA certificate. You can use this certificate profile to deploy a trusted root CA or intermediate
CA certificates to devices. You can use trusted root CA and intermediate CA certificates to establish a
chain of trust for server authentication.
Configuring Certificate Profiles

To configure your Configuration Manager environment to use certificate profiles, perform the following
procedure:
1. Install the Network Device Enrollment Service (NDES) on a computer that is running Windows Server
2012 R2.
Note: For detailed information about how to install NDES, refer to “Network Device
Enrollment Service Guidance“ at http://go.microsoft.com/fwlink/?LinkID=391461.
2. Modify the certificate template permissions for the certificates that you intend to enroll for by using
certificate profiles, as follows:
o Add Read permission to the accounts that run the Configuration Manager console.
o Add Read and Enroll permission to the account that the NDES application pool uses.
Note: For detailed information about how to deploy certificate templates, refer to “Deploy
Client Computer Certificates” at http://go.microsoft.com/fwlink/?LinkID=391463.
3. Deploy a web server PKI certificate to the server that is running NDES.
Note: For detailed information about how to deploy a web server certificate
for the NDES server, refer to “Deploying the Client Certificate for Distribution Points” at
http://go.microsoft.com/fwlink/?LinkID=391467. The content targets Windows Server 2008
computers, but it works in the same manner for Windows Server 2012 R2.
4. Export the root CA certificate to a .cer file. You will need this file later when you configure the site
system role for the certificate registration point.
5. On the NDES server, change the following registry values in the HKEY_LOCAL_MACHINE
\CurrentControlSet\Services\HTTP\Parameters key:
o MaxFieldLength. Use the maximum value for this parameter, which is 65534.
o MaxRequestBytes. Use the maximum value for this parameter, which is 16777216.
6. On the NDES server, in Internet Information Services (IIS) Manager, configure the request-filtering
settings for the /certsrv/mscep application by specifying the following values in the Edit Request
Filtering Settings dialog box:
o Maximum allowed content length (Bytes). 30000000

o Maximum URL length (Bytes): 65534
o Maximum query string (Bytes): 65534
Note: You need to restart IIS for these settings to take effect.
7. Install and configure the site system role for the certificate registration point in a server in the primary
site or the central administration site. You need the URL for the NDES web application and the .cer file
for the root CA that you exported earlier. The URL for the NDES application typically is
https://computer/certsrv/mscep/mscep.dll.
8. Copy the PolicyModule.msi and PolicyModuleSetup.exe files from ConfigMgrInstallationMedia
\SMSSETUP\POLICYMODULE\X64 to the NDES server, and then run PolicyModuleSetup.exe to
install the System Center Policy Module. You need to specify the URL for the certificate registration
point during the setup, which typically is https://serverh/CMCertificateRegistration, and the
certificate that you deployed in step 3 above, along with the root CA certificate that you exported to
a .cer file.
Note: For detailed information about how to set up certificate profiles, refer to
“Configuring Certificate Profiles in Configuration Manager” at http://go.microsoft.com/fwlink
/?LinkID=391469.
Creating and Deploying Certificate Profiles

After you configure a certificate registration point, you can create, deploy, and monitor Certificate Profiles.
Before you can create a SCEP profile, you need to configure at least one Trusted CA certificate profile. To
create a Trusted CA certificate profile, perform the following procedure:
1. From the Configuration Manager console, in the Assets and Compliance workspace, expand
Compliance Settings, expand Company Resource Access, and then click Certificate Profiles.
2. Right-click Certificate Profiles, and then click Create Certificate Profile.
3. In the Create Certificate Profile Wizard, on the General page, in the Name box, type a name for the
profile.
4. Click Trusted CA certificate, and then click Next.
5. On the Configure a trusted CA certificate page, click the Import button to locate the .cer file that
you created initially for the root CA or an intermediate CA, and then click OK.
6. Click the appropriate Destination store based on the type of certificate that you selected in step 5
above, and where the certificate should be stored (user certificate store, or computer certificate store),
and then click Next.
7. On the Supported Platforms page, click the type of devices that can use the profile, and then click
Next.
8. On the Summary page, click Finish, and then on the Completion page, click Close.
9. Right-click the certificate profile you just created, and then click Deploy.
10. In the Deploy Certificate Profile dialog box, click Browse, click the collection for deployment, and
then click OK.
11. Click Generate an alert to generate an alert if the certificate profile compliance is less than a given
percentage after a specified time.
12. Specify the schedule for the compliance setting, and then click OK.
Lesson 5
Monitoring Client Status in Configuration Manager
Client Health is a feature that Configuration Manager introduces. Administrators can use Client Health to
determine the overall health status of clients and to identify individual client issues, such as missing
prerequisites, WMI issues, and clients that are not functioning.
Client Health builds on the Client Status Reporting feature included Configuration Manager 2007, by
offering client status monitoring and automatic remediation for client issues.
Lesson Objectives
• Describe the Client Health feature in Configuration Manager.

• Describe the Configuration Manager Health Evaluation Task.
• Monitor client activity.
• Use Client Check to monitor Configuration Manager clients.

• Use reports to monitor client status.
Overview of Client Status

In previous Configuration Manager versions,
assessing client health could present a challenge
to administrators. However, identifying and
remediating unhealthy clients is crucial to
ensuring the success of Configuration
Management operations. Thus, administrators
often need to answer the following questions:
• How many clients in my hierarchy are
healthy?
• How many clients in my hierarchy are

inactive because they have been powered
off for an extended period or because the
Configuration Manager client is uninstalled?
• What is the primary cause of unhealthy clients in my hierarchy?
From the perspective of Configuration Manager, an active client is healthy when it connects to
management points to download policies and upload data, such as hardware and software inventory.
However, whether a client is active might not adequately explain its health. To get an accurate
determination of the client’s health, the client must perform several additional local checks.
If a client is inactive, it might be because it has been powered off for an extended period, or because
the Configuration Manager client is uninstalled or is not functioning. When the client is inactive, the site
systems cannot evaluate the client’s health status because the client is not connecting to the management
point. The only way to evaluate the client’s health is to perform validation checks directly on the client
computer to determine that:
• The necessary prerequisites and dependencies are present.
• The Configuration Manager client is installed correctly.

The Configuration Manager client runs a scheduled task to evaluate its client health status, and then sends
the evaluation results to the site as a state message to the management point. If there is any change in
the evaluation result since the most recent state message, the health status is sent back by using a state
message. By default, the task runs between midnight and 1:00 A.M.
Similar to the initial installation process, if the client fails to send its state message to a management
point, it then sends the state message to a fallback status point, if one exists in your hierarchy. If a fallback
status point is not installed in your hierarchy, the site server might not receive some evaluation results.
The site server summarizes the client health-evaluation results and activities, and then displays these in
the Configuration Manager console, in the Client Status folder located in the Monitoring workspace.
The following items are new or have changed for client status reporting (now Client Status) since
Configuration Manager 2007 Client Status Reporting:
• Client health and client activity information are integrated into the Configuration Manager console.
• Configuration Manager automatically remediates typical client problems that reporting detects.
• Configuration Manager does not use the Ping tool from Configuration Manager 2007 R2 Client Status
Reporting.
When you click the Client Status node, the results pane displays a dashboard that shows a summary of
the Client Activity and Client Check nodes. The information available is organized differently than in either
the Client Activity or Client Check nodes, because it displays results that are based on both monitors. The
following links are available in the Client Status dashboard:
• Active clients that passed client check or no results
• Active clients that failed client check

• Inactive clients that failed client check
• Inactive clients that passed client check or no results
• No configuration Manager Client Installed

Additionally, there is a graph showing the Most Frequent Client Check Errors. If you click the links
available, a sticky node is created under the Devices node in the Assets and Compliance workspace,
and the console changes automatically to the newly created sticky node. Sticky nodes remain in the
Configuration Manager console until you manually remove them or until you close the console. For
example, when you click the Active clients that failed the client check link, which denotes the clients that
failed the Client Health checks, this action creates a sticky node for these unhealthy clients and selects it
automatically.
Note: By default, client status information is updated once a day. You can modify this
interval in the Schedule Client Status Update dialog box or force summarization on demand.
Question: What are some of the causes of an unhealthy and active client?
Question: How does Client Status improve client monitoring compared with previous Configuration
Manager versions?
Overview of the Configuration Manager Health Evaluation Task

Client Status in the Configuration manager
console receives its information from the Client
Health evaluation engine running on each client.
The Client Health evaluation engine is the
executable file CCMEval.exe. CCMEval.exe is
installed with the Configuration Manager client,
and it runs on computers. It is not part of the
mobile device client. When you install the
Configuration Manager client, the installation
process creates the scheduled task Configuration
Manager Health Evaluation. This task runs
CCMEval.exe between midnight and 01:00. The
results are reported as a state message to the clients’ management point or to a fallback status point, if
the management point is unavailable. You can run the Configuration Manager Health Evaluation process
on demand, as required by running CCMEval.exe.
To view the client health rules that the Client Health evaluator engine is using, you can look in the
client location\ccmeval.xml file. However, you cannot make changes to this file.
If the computer is not running when the scheduled Configuration Manager Health Evaluation task is due
to run, the task runs automatically as soon as possible, such as when the operating system is loaded or is
brought out of sleep mode.
The following table lists the health evaluation rules and remediation actions.
Health check Remediation
Verify WMI service exists No automatic remediation
Verify/Remediate WMI service startup type Set service startup to automatic
Verify/Remediate WMI service status Start service
WMI Repository Integrity Test Reinstall Client
Reset WMI Repository and Reinstall Client No automatic remediation
Automatic remediation might not be desirable on all systems, such as for mission critical servers where
the remediation activities might be disruptive. By installing the Configuration Manager client with the
client.msi property NotifyOnly=True or by changing the HKEY_LOCAL_MACHINE\Software\Microsoft
\CCM\CcmEval\NotifyOnly registry value to True, you can disable automatic remediation.
Question: Why would you disable automatic remediation on servers?

Monitoring Client Activity

On the server side, the administrator can define
the frequency of client-server communications
that determine whether the client has an active or
inactive status.
You can configure the client communication

thresholds in the Client Status Settings Properties
dialog box. The following table lists the settings
and their default values.
Setting Default value
Client policy requests during the following days 7 days
Heartbeat Discovery during the following days 7 days
Hardware inventory during the following days 7 days
Software inventory during the following days 7 days
Status messages during the following days 7 days
Retain client status history for the following number of days 31 days
You can use the Configuration Manager console to view interactions between the client and the
management system, which helps the administrator distinguish between unhealthy clients and clients that
are offline. Configuration Manager retrieves information from AD DS to identify the inactive clients based
on the LastLogonTimeStamp.
When you click the Client Activity node, the results pane divides into two sections that show information
based on the client activity monitors that you configure, including:
• Client activity for all devices. Displays a chart showing active computers, inactive computers, and
computers with no Configuration Manager client installed. Click a section of the pie chart to create a
sticky node that shows a list of computers with the status that you select. You can view activity detail
for each of the node’s clients to determine their displayed status.
• Client activity trend for all devices. Displays a graph showing client activity over a specified period.
You can configure the time period that you want to view from five to 90 days from the Client activity
period drop-down list.
Using Client Check to Monitor Configuration Manager Clients

When you click the Client Check node, the results
pane becomes divided into the following two
separate sections that display information based
on the Configuration Manager Health Evaluation
task:
• Client check results for all devices displays a

chart showing computers that passed client
check, computers that failed client check,
computers that have not reported results and
computers with no Configuration Manager
client installed. Click a section of the pie
chart to create a sticky node showing a list of
computers with the status you selected. You can click the Client Check Detail tab in the results for
individual systems to discover any remediation actions that Configuration Manager took.
• Client check trend for all active clients displays a graph showing client computers that passed client
check over a specified period. You can configure the time (from five to 90 days) that you want to view
from the Client activity period drop-down list.
Using Reports to View Client Status

In addition to the Client Check and Client
Activity information in the Configuration Manager
console, you also can use the Client Status reports.
After you install and configure a reporting services
point role, the Client Status reports become
available in the Client Status folder in the
Configuration Manager console or in the
“ConfigMgr_site code\Client Status” path in the
reporting website. The following table lists the
available reports.
Report Description
Client Remediation Details This report provides client remediation details for a given collection.
Client Remediation Summary This report provides remediation summary information for a given
collection.
Client Status History This report provides a historical view of the overall client status in the
environment.
Client Status Summary This report provides administrators with the current percentages of
healthy and active clients for a given Collection.
Report Description
Client Time to Request Policy This report shows the percentage of clients that have requested
policy as least once in the last 30 days. Each day represents a
percentage of the total clients that have requested policy since Day 1
in the cycle. This information is useful to help determine the time it
takes to distribute a policy update to your client population. Client
deployments or changes in client count can affect the accuracy of
the report.
Clients with Failed Client This report displays details about clients that client check failed for a
Check Details specified collection.
Inactive Clients Details This report provides a detailed list of inactive clients for a given
Collection.
Question: Which reports can you use to view information about client status?

Review Questions
Question: What discovery method can you use to create boundaries in Configuration
Manager, and how are the boundaries determined?
Question: In what situation would you need to provision client properties by using Group
Policy?
Question: In what situation would you need to configure DNS for locating site systems?
Question: What is the difference between an inactive client and an unhealthy client?
7-1
Module 7
Configuring Internet and Cloud-Based Client Management
Contents:
Module Overview 7-1
Lesson 1: Managing Remote Clients by Using System Center 2012 R2

Lesson 2: Managing Internet-Based Configuration Manager Clients 7-8
Lab A: Configuring PKI for Configuration Manager 7-14

Lesson 3: Configuring Cloud Services in System Center 2012 R2
Lab B: Configuring Windows Intune Integration with System Center

2012 R2 Configuration Manager 7-26
Module Overview
In an increasing number of organizations, direct connections between workers’ computers and the
organizational network are becoming rare. Workers are either bringing their own devices (BYOD) or using
devices that the organization provides, such as laptop computers and tablets. They use these devices at
home, in coffee shops, or in other remote locations. The cloud management functionality of Microsoft®
System Center 2012 R2 Configuration Manager allows you to support and manage the increasing number
of clients that perform organizational tasks in locations far from organizational networks.
Objectives
After completing this module, students will be able to:
• Manage remote clients by using System Center 2012 R2 Configuration Manager.
• Manage Internet-based Configuration Manager clients.
• Configure cloud services in System Center 2012 R2 Configuration Manager.

7-2 Configuring Internet and Cloud-Based Client Management
Lesson 1
Managing Remote Clients by Using System Center 2012
R2 Configuration Manager
You can use System Center 2012 R2 Configuration Manager to manage clients that can connect to the
Internet from outside the organizational network. By using Configuration Manager, you can manage a
variety of remote clients, including those that make connections by using technologies such as a virtual
private network (VPN) or DirectAccess. You can also allow mobile devices and Internet-connected
computers to be managed by integrating Configuration Manager with a Windows Intune™ subscription.
Lesson Objectives
• Describe the challenges in managing remote Configuration Manager clients.
• Describe the methods used to provide local area network (LAN) connections for remote clients.
• Describe how to support remote clients with Configuration Manager.

• Describe when to deploy the profile types.
• Describe how Windows Intune supports remote clients.
Challenges in Managing Remote Configuration Manager Clients

An increasing number of computers used
for organizational work reside outside the
organizational network permanently or for
extended periods. Workers use these computers
in their home offices, in hotel rooms, and in
coffee shops. As the nature of work changes,
people are working in locations outside of the
traditional business office. People may even
connect to the Internet while travelling by plane;
it is now practical to work online regardless of the
location, which, however, poses new management
challenges.
This change in work habits presents challenges when you are trying to perform configuration
management tasks by using System Center 2012 R2 Configuration Manager. It is far simpler to manage
a desktop computer connected to a wired network in your organization’s office than it is to manage a
roaming laptop computer.
When managing remote clients, a Configuration Manager administrator faces these challenges:
• Heartbeat issues. You may find it difficult to determine whether a client is still active. When a client
connected to an internal network is not active for 60 days, it is considered no longer active. When a
remote client is not active for 60 days, that determination is harder to make.
• Software updates. You may find it difficult to determine if the client is up-to-date and has installed
the most recent software updates.
• Software deployment. It is challenging to deploy large applications and packages to clients that
connect infrequently. Therefore, remote clients may be running older software than other clients in
the organization.
• Inventory collection. You may find it difficult to determine whether hardware and software
configuration information is current. Remote clients may return data infrequently to the
Configuration Manager organization.
• Endpoint Protection. It is challenging to keep definitions up to date. Outdated definitions present a

security risk.
Methods Used to Provide LAN Connections for Remote Clients

One way you can manage Configuration
Manager clients on the Internet is to configure
them to be able to access your organization’s
internal network infrastructure through remote
access technologies. You can accomplish this by
using two methods: DirectAccess or VPN.
DirectAccess is a technology introduced with

Windows Server® 2008 R2 and Windows® 7,
available in editions of the Windows client
operating system that can be volume-licensed.
DirectAccess is a computer-authenticated remote
access solution that initiates an automatic remote
access connection to the internal organizational network when an Internet connection is detected.
DirectAccess requires that the client be a member of an Active Directory® Domain Services (AD DS)
domain.
Client computers running the Windows 7 and Windows 8 operating systems support the following VPN
protocols, which can be deployed on Windows Server 2012 R2, Windows Server 2012, and Windows
Server 2008 R2 remote access servers:
• Internet Key Exchange version 2 (IKEv2). This protocol supports VPN reconnect, which allows a
VPN connection to be reestablished automatically after a disruption that lasts up to eight hours
Reconnections can also occur when Internet connections are switched, such as when a user switches
from connecting through a mobile broadband device to using a coffee shop’s free Wi-Fi.
• Layer Two Tunneling Protocol/Internet Protocol Security (L2TP/IPsec). L2TP/IPsec uses IPsec for
transport encryption. L2TP/IPsec requires a public key infrastructure (PKI) deployment.
• Point-to-Point Tunneling Protocol (PPTP). A large number of vendors support this older protocol, but
it is not as secure as newer protocols such as L2TP/IPsec.
• Secure Socket Tunneling Protocol (SSTP). This protocol tunnels the VPN connection over HTTPS. The
benefit of this technology is that while some public Internet connections block VPN protocols like
L2TP/IPsec and PPTP, they rarely block port 443 used by HTTPS, because this would also block secure
web browsing.
Windows-based clients may also use third-party VPN server solutions that support all or some of the
VPN protocols listed above. Users can initiate remote access connections by using a VPN even when their
computers are not members of an AD DS domain. A substantial disadvantage of VPN technologies is that
they require the user to initiate the VPN connection and perform authentication.
Supporting Remote Clients with Configuration Manager

Configuration Manager supports management of
clients through Internet-based client management
and Windows Intune. Administrators using
Internet-based client management have options
for supporting remote clients, but they must
publish certain site system roles through the
organizational firewall.
When Configuration Manager is integrated with

Windows Intune, you can manage clients running
mobile device operating systems. This integration
does not require the publication of site system
roles through the organizational firewall.
You can use a Windows Intune subscription to manage remote clients without integrating Windows
Intune with Configuration Manager. A managed client cannot contain both the Windows Intune agents
and the Configuration Manager client. If you manage some clients through Windows Intune and others
through Configuration Manager, you must use the different management interfaces associated with
each management platform. When Windows Intune is integrated with Configuration Manager, you can
perform mobile device management tasks by using either the Configuration Manager console or the
Configuration Manager Windows PowerShell® module. If you integrate your Windows Intune subscription
with Configuration Manager, computers under the Windows Intune subscription are still managed
through the Windows Intune management interfaces unless you retire them from Windows Intune and
then install the Configuration Manager client.
You can manage clients that are connected through DirectAccess connections as you would manage
clients connected to a branch office network. You can configure these clients to use cloud-based
distribution points.
Planning for the Deployment of Profiles

You can use System Center 2012 R2 Configuration
Manager to deploy four profile types to clients to
assist with networking, certificates, and remote
access. These profile types are the VPN, Wi-Fi,
remote connection, and certificate profiles.
VPN Profiles
You can use VPN profiles to deploy VPN
connection configuration information to System
Center 2012 R2 Configuration Manager clients
that are running Windows RT 8.1, Windows RT,
Windows 8.1, or Windows 8, or to Apple iPhone
and Apple iPad devices that are running iOS 5 and
iOS 6. You can use VPN profiles to deploy VPN connections that use the following connection types:
• Cisco AnyConnect
• Juniper Pulse
• F5 Edge Client
• Dell SonicWALL Mobile Connect

• Check Point Mobile VPN
• Microsoft Secure Socket Tunneling Protocol (SSTP)
• IKEv2
• PPTP
• L2TP
Wi-Fi Profiles
You can use Wi-Fi profiles to deploy wireless network settings to users so that the users can connect
automatically to preconfigured wireless networks. You can use Wi-Fi profiles with devices running the
following:
• Windows 8.1 (x86 and x64)

• Windows RT 8.1
• iOS 5
• iOS 6
• Android version 4
Remote Connection Profiles

You can use remote connection profiles to configure System Center 2012 R2 Configuration Manager
clients to allow users to make remote connections across the Internet to their work computers. For
example, you can use remote connection profiles to configure a collection of computers so that, when
users use their personal computers at home, they can establish a remote desktop connection to their work
computers. Through this connection, they can interact with files stored on those computers and access
resources, such as printers, that are configured to work with their work computers.
You can configure remote connection profiles to:
• Use a Remote Desktop Gateway server address. This is the address of the Remote Desktop Gateway
server that makes the connection. Remote clients can connect across the Internet only through a
Remote Desktop Gateway server.
• Allow users who are listed as primary users of a work computer to make remote connections to that
computer from remote hosts. Users can make connections to computers only if they are primary
users.
• Configure Windows Firewall with Advanced Security rules to allow connections when the computer
connects to a domain or private network.
Certificate Profiles
You can use certificate profiles to deploy certificates to System Center 2012 R2 Configuration Manager
clients for the purposes of authentication and authorization. You can configure automatic certificate
deployment to clients that are not members of the organization’s AD DS domain and therefore, cannot
participate in the Active Directory Certificate Services (AD CS) autoenrollment process. These clients could
be Windows RT 8.1, Windows 8.1, iOS, and Android operating systems. Certificate profiles support the
following capabilities:
• Certificate enrollment and renewal from enterprise or stand-alone certification authorities (CAs).
• Deployment of trusted CA certificates to compatible System Center 2012 R2 Configuration Manager

clients.
• Monitoring and reporting on installed certificates.
To use certificate profiles, you must deploy the certificate registration point on a site system server in the
central administration site or in a primary site. You cannot deploy this role in a secondary site. This role is
new in System Center 2012 R2 Configuration Manager.
Supporting Remote Clients with Windows Intune

Windows Intune provides an alternate method
of managing remote clients that do not often
connect to the organizational network by using
DirectAccess or a VPN. You can use Windows
Intune to manage clients separately or you can
integrate Windows Intune with Configuration
Manager.
Windows Intune supports managing clients that

run on the following operating systems:
• Windows 8 (x86, x64), Windows 7, Windows

Vista®, Windows XP
• Windows RT
• Windows Phone® 8
• Apple iOS
• Android (requires Exchange ActiveSync®)
Windows Intune supports managing mobile devices directly or through Exchange ActiveSync. It also
supports direct management for mobile devices that are running Windows RT, Windows Phone 8, and
iOS.
To deploy applications directly to mobile devices that are running Windows RT, you must obtain
sideloading keys, and you must have a code-signing certificate to sign the applications. The device
running Windows RT or Windows Phone 8 must trust this code-signing certificate. Additionally, you can
use deep linking to deploy an application from the appropriate Windows App store directly to mobile
devices that are running the Windows RT or Windows Phone 8 mobile operating systems.
You can use Windows Intune to deploy applications to iOS devices by deep linking to the Apple store
or by sideloading apps, which means you are installing them by using direct access to the source files. To
deploy applications to iOS devices, you must obtain the appropriate mobile device management
certificates from Apple.
The following table details the mobile device–management tasks that you can perform when you
configure the Windows Intune connector for Configuration Manager.
Windows RT 8.1/Windows RT
Management task Windows Phone 8 iOS Android
/Windows 8.1/Windows 8
Device life-cycle Yes Yes Yes No

management
Compliance Yes Yes Yes No

settings
Line-of-business Yes Yes Yes Yes

app management
Deep-linked app Yes Yes Yes Yes

deployment
Hardware Yes Yes Yes No

inventory
Lesson 2
Managing Internet-Based Configuration Manager Clients
To be able to manage Internet-based clients, you need to configure site systems to support Internet-
based clients and publish those site systems through the firewall. You must configure these site systems
with certificates issued by a certification authority (CA) trusted by the clients. In addition, all Internet-
based clients must have computer certificates issued by the same certification authority. Data transmitted
between these computers and the site systems is encrypted by using Secure Sockets Layer (SSL).
Lesson Objectives
• Describe the site system roles involved in Internet-based client management.

• Describe how to configure certificates in Internet-based client management.
• Prepare certificates for Configuration Manager.
• Describe how to publish site system roles through a firewall.
Site System Roles Involved in Internet-Based Client Management

Internet-based client management utilizes the
following site system roles:
• Management point
• Distribution point

In contrast with previous versions, System Center
2012 R2 Configuration Manager sites no longer rely on a single default management point. You can
install multiple management points in the same site and the client selects one automatically based on
network location and capability (HTTPS or HTTP).
You can configure some management points in a site to support HTTPS client connections and others
to support HTTP client connections. Using this approach, you can configure separate management points
for Internet-based client management. You must configure these management points to use certificates
from a PKI solution trusted by the clients and the servers. Additionally, your Internet-based Configuration
Manager clients need a valid PKI certificate from a PKI solution trusted by both the client and server for
authentication with the site systems.
The fallback status point always uses HTTP because this role provides an alternate method of
communication when clients cannot communicate with site system roles, even when SSL traffic might
fail for some reason.
All site systems must reside in an Active Directory domain; however, you can install site systems for
Internet-based client management in an untrusted forest. This scenario might be appropriate for a
perimeter network that requires high security.
When you plan to manage client computers over the Internet, you must decide whether to configure
them for management on the intranet and the Internet, or for Internet-only client management:
Note: You can configure the client management option only during the installation of a
client. If you change your mind later, you must reinstall the client.
• Client computers that you configure for Internet-only client management communicate with only
those site systems that are configured for client connections from the Internet. Mobile device clients
are configured automatically as Internet-only when they are configured to use an Internet-based
management point.
• Client computers that you configure for Internet-based and intranet client management can switch
automatically between the two when they detect a change of network. If these clients can find and
connect to a management point that is configured for client connections on the intranet, these clients
are managed as intranet clients that have full Configuration Manager management functionality. If
the clients cannot find or connect to a management point that is configured for client connections
on the intranet, they attempt to connect to an Internet-based management point. If this is successful,
these clients are then managed by the Internet-based site systems in their assigned site.
Not all client management functionality is available when using Internet-based client management.
Features that rely on AD DS, or features that are not appropriate for a public network (such as operating
system deployments), are not supported for Internet management. The following features are not
supported when clients are managed on the Internet:
• Client deployment. For example, Client Push and software update–based client deployment. You must
use manual client installation to install the Configuration Manager client on these computers.
• Auto-site assignment. Clients must be configured with an assigned site at installation. Clients try to
locate the site systems by using Domain Name System (DNS). The Internet fully qualified domain
name (FQDN) of site systems that support Internet-based client management must be registered as
host entries on public DNS servers. Clients select one of the Internet-based site systems, regardless of
bandwidth or physical location.
• Network Access Protection (NAP). NAP relies on AD DS and cannot function on the Internet.
• Wake On LAN wake-up packets.

• Operating system deployments. You cannot perform these deployments on the Internet, but you
can perform task sequences that do not deploy an operating system, such as task sequences that run
scripts and maintenance tasks on clients.
• The remote control feature. This feature is not available for Internet-based clients because these
computers cannot be located by using public DNS.
• Out of band management by using Intel Active Management Technology (AMT).
• Software deployments to users. You cannot deploy software to users unless the Internet-based
management point can authenticate the user in AD DS by using Windows authentication (Kerberos or
NTLM). This is possible when the Internet-based management point trusts the forest where the user
account resides.
Configuring Certificates in Internet-Based Client Management

When clients connect to the site systems located
on the internal network, the computers perform
mutual authentication by using Kerberos. This is
possible because clients and site systems can
access the Active Directory infrastructure. For
Internet-based client management, you must
assign and install certificates to enable mutual
authentication.
When you configure certificates for Internet-

based client management, keep in mind that you
must configure each client and each site system
involved in Internet-based client management
with certificates to perform mutual authentication on the Internet. You can perform this configuration by
following this process:
1. Configuration Manager site system roles that communicate by using HTTPS use certificates to
verify that their server name is the same as the server to which the clients are trying to connect. The
Enhanced Key Usage field in this type of certificate includes Server Authentication (1.3.6.1.5.5.7.3.1).
When using an AD CS Enterprise CA, you should create a template based on the existing Web Server
template in the template store. Secure Hash Algorithm 1 (SHA-1) and Secure Hash Algorithm 2
(SHA-2) are supported. There is no limit for the maximum supported key length for this certificate.
o If the site system accepts connections from the Internet, the Subject Name or Subject Alternative
Name must contain the Internet FQDN.
o If the site system accepts connections from both the Internet and the intranet, you must specify
both the Internet FQDN and the intranet FQDN (or computer name) by using the ampersand (&)
symbol delimiter between the two names.
2. Configuration Manager site systems that are hosting the distribution point role use certificates
configured for client authentication. The Enhanced Key Usage field in this type of certificate includes
Client Authentication (1.3.6.1.5.5.7.3.2). When using an AD CS Enterprise CA, you should create a
template based on the existing Workstation Authentication template in the template store. The
private key must be exportable. SHA-1 and SHA-2 hash algorithms are supported. The maximum
supported key length is 2,048 bits.
The certificate:
o Is used to authenticate the distribution point to an HTTPS-enabled management point before the
distribution point sends status messages.
o Is sent to computers when the Enable PXE support for clients distribution point option is selected.
This ensures that the client computers can connect to a HTTPS-enabled management point
during the deployment of the operating system if task sequences in the operating system
deployment process include client actions such as client policy retrieval or sending inventory
information.
Note: The private key must be exportable because you must import the certificate as a
file on the distribution point properties, rather than select it from the certificate store. You need
to export the issued certificate in the Public Key Cryptography Standard (PKCS #12) format (.pfx
file).
3. Internet-based clients can use those certificates generated by the PKI solution for authentication
when connecting to a Configuration Manager site system. The Enhanced Key Usage field in this type
of certificate includes Client Authentication (1.3.6.1.5.5.7.3.2). When using an AD CS Enterprise CA,
you should create a template based on the existing Workstation Authentication template in the
template store. Client computers must have a unique value in the Subject Name field or in the
Subject Alternative Name field. The maximum supported key length is 2,048 bits.
Template-based certificates can be issued by an Enterprise CA running on a supported edition of the

server operating system, such as Windows Server 2012 Datacenter or Standard.
Note: When you use Enterprise CA and certificate templates, do not use the version
3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create
certificates that are incompatible with Configuration Manager. When prompted for the version
of the template, select version 2 (Windows Server 2003).
Ensure that clients trust the CA that issues both the client certificates the management point certificate.
Configuring Server and Client Certificates for Internet-Based Client Management

The configuration of server and client certificates required for Internet-based client management typically
involves the following steps:
1. Deploying the Web Server certificate for site systems that run Internet Information Services (IIS). This
includes the following procedures:
a. Creating and issuing the Web Server certificate template on the certification authority.
b. Requesting a Web Server certificate from each of the site systems.

c. Configuring IIS to use the Web Server certificate on each site system.
2. Deploying the distribution point certificate for site systems that are hosting the distribution point role.
This includes the following procedures:
a. Creating and issuing the distribution point certificate template on the certification authority.
b. Requesting a distribution point certificate from each distribution point and exporting the
certificate in a .pfx file.
c. Configuring the distribution point to use the certificate.
3. Deploying the client certificate for computers. If the computers are also connecting to the intranet
and can authenticate to AD DS, the certificate deployment includes the following procedures:
a. Creating and issuing the Workstation Authentication certificate template on the certification
authority.
b. Configuring autoenrollment of the Workstation Authentication template by using Group Policy.
c. Enrolling the Workstation Authentication certificate automatically and verifying its installation on
computers.
4. If the computers are not connecting to AD DS, issuing and installing the client certificates manually.
Demonstration: Preparing Certificates for Configuration Manager

In this demonstration, you will see how to configure a client certificate template and a client distribution
point certificate template.
Demonstration Steps
1. On LON-DC1, start the Certification Authority console.
2. In the Certification Authority console, right-click the Certificate Templates folder, and then click
Manage. The Certificate Templates console opens.
3. Duplicate the Workstation Authentication template, and then click the Windows Server 2003
compatibility option.
4. In the Properties of New Template dialog box, configure the following settings:
o On the General tab, name the template Configuration Manager Client Certificate.
o On the Security tab, click the Domain Computers group, and then add the Read and
Autoenroll permissions.
5. Duplicate the Workstation Authentication template, and then click the Windows Server 2003
option.
6. In the Properties of New Template dialog box, configure the following settings:
o On the General tab, name the template Configuration Manager Client Site System
Certificate.
o On the Request Handling tab, select Allow private key to be exported.
o On the Security tab, remove the Enroll permission from the security groups Domain Admins
and Enterprise Admins. Add the ConfigMgrServers group, and then grant the
ConfigMgrServers group the Enroll permission.
Note: This certificate template is based on the Workstation Authentication template,

which is the same template that the Configuration Manager client certificate uses. However, this
template requires the private key to be exportable, because you must import the certificate as a
file, rather than select it from the certificate store.
Publishing Site System Roles Through a Firewall

You must publish the site systems configured to
support Internet-based client management on the
Internet. You can do this by using one of the
following methods:
• Place the site systems configured to support

Internet-based client management on a
perimeter network. This method is more
secure but more difficult to implement. To
follow this method, configure your firewalls as
follows:
1. Configure the external firewall to allow
HTTPS communications from the Internet
to site systems. The clients communicate to the fallback status point by using HTTP.
2. Configure the internal firewall to allow communications between the perimeter network site
systems and the internal servers. You can adjust port values for any customization in your
environment. However, the following communications must be allowed:
 Management point. Communicates with the computer running Microsoft SQL Server®
through the SMS Provider to read policy, and communicates directly with the site server to
report state messages.
 Distribution point. Communicates with the site server to read configuration information and
replicate content by using file-based replication.
 Software update point. Communicates with an upstream software update point or directly
with Microsoft Update.
 Fallback status point. Communicates with the site server.
• Configure the internal site systems to support Internet-based client management and publish
them through a firewall. This method is less secure but easier to implement. To follow this method,
configure your firewall to allow direct HTTPS access from the Internet to the site systems (also known
as tunneling or pass-through). If you are using a proxy web server without SSL termination (tunneling),
no additional certificates are required on the proxy web server. However, the clients are connecting
directly to the site systems, and the firewall cannot inspect the traffic, which can pose additional
security risks. If you are using a proxy web server with SSL termination (bridging) for incoming
Internet connections, the proxy web server has the following certificate requirements:
o Certificates are installed on the proxy web server with Enhanced Key Usage configured for server
and client authentication. You can use the Web Server and Workstation Authentication
templates.
o The Subject Name field or Subject Alternative Name field includes Internet FQDN. If you are
using Microsoft certificate templates, the Subject Alternative Name is available only with the
workstation template.
o A server authentication certificate is used to authenticate servers to Internet clients and to

encrypt all the data transferred between the client and servers by using SSL.
o Client authentication is used to bridge client connections between clients running System Center
2012 Configuration Manager and newer versions and the Internet-based site systems located on
the intranet.
Lab A: Configuring PKI for Configuration Manager

Scenario
You have installed System Center 2012 R2 Configuration Manager in the lab environment.
You must configure a Microsoft PKI solution to use with Configuration Manager as a method of
improving security. To do this, you will create templates for Configuration Manager, and then deploy the
certificates to your Configuration Manager infrastructure.
Objectives
• Create certificate templates for Configuration Manager.

• Deploy certificates for Configuration Manager.
Lab Setup

10748C-LON-CAS-C
10748C-LON-CFG-C
Password Pa$$w0rd
1. On the host computer, open Hyper-V Manager.
o Domain: Adatum
Exercise 1: Creating Certificate Templates for Configuration Manager

Scenario
In this exercise, you will create a group for the Configuration Manager servers and then create certificate
templates for Configuration Manager certificates.
1. Create a Configuration Manager IIS servers group.
2. Create a Configuration Manager Web Server certificate template.

3. Create a Configuration Manager client certificate template.
4. Create a Configuration Manager client distribution point certificate template.
5. Create a Configuration Manager mobile device client certificate template.
6. Enable the Configuration Manager certificate templates.
 Task 1: Create a Configuration Manager IIS servers group

1. On LON-DC1, from Server Manager, start Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the Users container, create a new group
named Configuration Manager IIS Servers.
3. Add LON-CFG to the Configuration Manager IIS Servers group.
4. Close Active Directory Users and Computers.
 Task 2: Create a Configuration Manager Web Server certificate template

1. On LON-DC1, from Server Manager, start the Certification Authority console.
2. In the Certification Authority console, right-click the Certificate Templates folder, and then click
Manage. The Certificate Templates console opens.
3. Duplicate the Web Server template, and then on the Compatibility tab, ensure that the Windows
Server 2003 option is selected.
4. In the Properties of New Template dialog box:

o On the General tab, name the template Configuration Manager Web Server Certificate.
o On the Subject Name tab, ensure that the Supply in the request option is selected.
and Enterprise Admins. Add the Configuration Manager IIS Servers group, and then grant the
Configuration Manager IIS Servers group the Enroll permission.
 Task 3: Create a Configuration Manager client certificate template

1. Duplicate the Workstation Authentication template, and then on the Compatibility tab, ensure
that the Windows Server 2003 option is selected.
o On the General tab, name the template Configuration Manager Client Certificate.
o On the Security tab, select the Domain Computers group, and then add the Read and
Autoenroll permissions.
 Task 4: Create a Configuration Manager client distribution point certificate template

1. Duplicate the Workstation Authentication template, and then on the Compatibility tab, ensure
that the Windows Server 2003 option is selected.
o On the General tab, name the template Configuration Manager Client Distribution Point
Certificate.
o On the Request Handling tab, select Allow private key to be exported.
and Enterprise Admins. Add the Configuration Manager IIS Servers group, and then grant the
Configuration Manager IIS Servers group the Enroll permission.

 Task 5: Create a Configuration Manager mobile device client certificate template

1. Duplicate the Authenticated Session template, and then on the Compatibility tab, ensure that the
Windows Server 2003 option is selected.
o On the General tab, name the template Configuration Manager Mobile Device Certificate.
o On the Subject Name tab, ensure that the Build from this Active Directory information
option is selected, and in the Subject name format list, select Common name, and then clear
the User principal name (UPN) check box.
3. Close the Certificate Templates console.
 Task 6: Enable the Configuration Manager certificate templates

1. If necessary, in the navigation pane of the Certification Authority console, expand the AdatumCA
node, and then click Certificates Templates.
2. Enable the following certificates:
o Configuration Manager Client Certificate
o Configuration Manager Client Distribution Point Certificate

o Configuration Manager Mobile Device Certificate
o Configuration Manager Web Server Certificate
3. Close the Certification Authority console.
Results: After this exercise, you should have created a group for the Microsoft® System Center 2012 R2
Configuration Manager servers and created the templates for Configuration Manager certificates.
Exercise 2: Deploying Certificates for Configuration Manager

Scenario
You are going to deploy the certificates to the Configuration Manager infrastructure by using the
templates you created. You will deploy the workstation certificates through a Group Policy Object (GPO)
to take advantage of autoenrollment. You will request the web certificate and distribution point certificate
for the Configuration Manager web-based services. Then you will configure the site system roles to use
HTTPS.
1. Create an autoenrollment GPO.

2. Request a Configuration Manager IIS certificate on the management point.
3. Request a Configuration Manager client distribution point certificate.
4. Assign the Configuration Manager IIS certificate to Web Services.

5. Configure HTTPS for the Configuration Manager roles.
6. Deploy certificate profiles to clients.
 Task 1: Create an autoenrollment GPO

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. At the root of the domain, create a GPO named Enable Autoenrollment of Certificates.
3. Edit the Enable Autoenrollment of Certificates GPO.
4. Navigate to the Computer Configuration/Policies/Windows Settings/Security Settings

/Public Key Policies/Certificate Services Client – Auto-Enrollment object.
5. Configure the following values for the Certificate Services Client – Auto-Enrollment object:
o In the Configuration Model list, select Enabled.
o Select the Renew expired certificates, update pending certificates, and remove revoked
certificates check box.
o Select the Update certificates that use certificate templates check box.
 Task 2: Request a Configuration Manager IIS certificate on the management point

1. On LON-CFG, restart the server.
2. Wait for the machine to restart, and then sign in as Adatum\Administrator with the password of
Pa$$w0rd.
3. Start a Microsoft Management Console (MMC), and then add the Certificates snap-in for the Local
computer: (the computer this console is running on).
4. In the MMC window, expand Certificates (Local Computer), and click Personal. Right-click
Personal, and then select the option Request New Certificate.
5. In the Certificate Enrollment wizard, request a new certificate by using the following information:
o On the Request Certificates page, select the Configuration Manager Web Server Certificate
check box, and then click More information is required to enroll for this certificate. Click
here to configure settings.
o On the Subject tab, in the Alternative name area, in the Type list, select DNS, in the Value box,
type LON-CFG.Adatum.com, and then click Add.
o On the General tab, in the Friendly name box, type Configuration Manager Web Services.
o Complete the request, wait until the certificate is installed, and then click Finish.
 Task 3: Request a Configuration Manager client distribution point certificate

1. In the MMC window, under the Personal folder, right-click Certificates, and then select the option
Request New Certificate.
2. In the Certificate Enrollment Wizard, request a new certificate by using the following information:
o On the Request Certificates page, select the Configuration Manager Client Distribution
Point Certificate check box, and then click Enroll.
o Complete the request, wait until the certificate is installed, and then click Finish.
3. In the MMC window, expand Personal, and then select Certificates.

4. Select the certificate that has Configuration Manager Client Distribution Point Certificate on the
Certificate Template column, right-click the certificate, and then select Export. The Certificate
Export Wizard opens.
5. In the Certificate Export Wizard, use the following information to export the certificate:
o On the Export Private Key page, select Yes, export the private key.
o On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12
(.PFX) option is selected.
o On the Security page, type Pa$$w0rd in both the Password and Confirm password text boxes.
o On the File to Export page, in the File name text box, type
C:\ConfigMgrClientDPCertificate.pfx.
o Complete the export of the certificate.
6. Close the MMC window.
 Task 4: Assign the Configuration Manager IIS certificate to Web Services

1. On LON-CFG, from Server Manager, open Internet Information Services (IIS) Manager.
2. Expand LON-CFG (ADATUM\Administrator), dismiss the dialog box, expand Sites, right-click
Default Web Site, and then click Edit Bindings.
3. In the Site Bindings dialog box, edit the https entry, in the SSL certificate list, select the
Configuration Manager Web Services certificate, click OK, and then close all open windows.
 Task 5: Configure HTTPS for the Configuration Manager roles

1. On LON-CFG, from the task bar, start the Configuration Manager console.
2. In the Administration workspace, expand Site Configuration, and then click Servers and Site
System Roles.
3. In the results pane, select \\LON-CFG.Adatum.com, and then, in the preview pane, access the
Properties for the Site system.
4. In Site system Properties, configure the following:
• Select Specify an FQDN for this site system for use on the Internet.
• In the Internet FQDN text box, type LON-CFG.Adatum.com, and then close the dialog box.
5. In the preview pane, access the Properties for Distribution point.
6. In the Distribution point Properties dialog box:
• On the General tab, select Import certificate, and then browse to and click the
C:\ConfigMgrClientDPCertificate.pfx certificate file.
• In the Password text box, type Pa$$w0rd.
• Select HTTPS, under Requires computers to have a valid PKI client certificate, select Allow
intranet and Internet connections, and then close the dialog box.
8. In the Management point Properties dialog box:
o On the General tab, click HTTPS, and then under This option requires client computers to
have a valid PKI client certificate for client authentication, select Allow intranet and
Internet connections.
o Select the Allow mobile devices to use this management point check box, and then close the
dialog box.
 Task 6: Deploy certificate profiles to clients

1. On LON-CFG, open File Explorer.
2. Copy the \\LON-DC1\CertEnroll\LON-DC1.Adatum.com_AdatumCA.crt file to the desktop.
3. In the Assets and Compliance workspace, navigate to Certificate Profiles, and then create a
certificate profile.
4. Name the profile AdatumEnterpriseRootCA, and then set the profile type to Trusted CA
certificate.
5. Import the certificate that you copied to the desktop and ensure that it will be placed in the
Computer certificate store – Root location.
6. Configure the profile for all supported platforms.
7. Deploy the certificate profile to the All Desktop and Server Clients collection.
Results: After this exercise, you should have issued the Configuration Manager certificates and configured
HTTPS communication for Configuration Manager roles.
Lesson 3
Configuring Cloud Services in System Center 2012 R2
By integrating cloud services into a Configuration Manager deployment, you can extend your
organization’s ability to distribute content and manage mobile devices. Cloud-based distribution
points allow you to deploy distribution points hosted in a public Windows Azure™ cloud. You can deploy
a scalable distribution point rapidly to clients on both the Internet and internal networks without
provisioning a virtual machine or physical server to host it. You can also integrate Windows Intune with
System Center 2012 R2 Configuration Manager, thereby allowing you to manage mobile devices running
the iOS, Android, Windows Phone, and Windows RT operating systems.
Lesson Objectives
• Describe the benefits and limitations of cloud-based distribution points.
• List the prerequisites for implementing cloud-based management.
• Describe Windows Intune and its functionality.

• Explain the preparatory steps for implementing Windows Intune integration.
• Explain how to configure the Windows Intune connector site system role.
• List the certificate requirements for mobile devices.
Cloud-Based Distribution Points in System Center 2012 R2 Configuration

Manager
In Windows Azure, you can distribute content by
using cloud-hosted distribution points. This means
that you can make content accessible to clients on
the Internet and clients on the internal network
without deploying additional distribution points
on internal networks. For example, if you are
planning content distribution to very small branch
offices, you can use a cloud-based distribution
point instead of using physical hardware or a
virtual machine to deploy a distribution point at
the branch office locations.
You can manage cloud-based distribution points

individually or as part of distribution point groups. This feature offers the following benefits:
• Provides encryption. Configuration Manager encrypts content transmitted to a cloud-based

distribution point before transmission to Windows Azure.
• Can scale as necessary. You can scale the cloud-based distribution point up or down to meet the
changing demands for content. For example, you can scale it up when you require more deployment
capacity, and scale it down when you require less deployment capacity. By doing so, you will find it
less necessary to deploy additional distribution points within the organization.
• Can be used by both intranet and Internet-based clients.

• Supports Windows BranchCache®.
• Can be used as a fallback content location.
Cloud-based distribution points have the following limitations:
• Cannot host software update packages.
• Cannot be used for Pre-Boot eXecution Environment (PXE) or multicast-enabled deployment.
• Does not support packages that run from the distribution point; content must be downloaded from
the distribution point and run locally.
• Does not support streaming applications by using Microsoft Application Virtualization (App-V).
• Does not support prestaged content.

• Cannot be configured as pull-distribution points.
When you use Windows Intune with Configuration Manager, a cloud-based distribution point is created
automatically for distributing content through Windows Intune. This distribution point distributes content
for clients that are managed through the Windows Intune connector.
Prerequisites for Implementing Cloud-Based Management

You can implement a cloud-based distribution
point by using two methods: Windows Azure and
Windows Intune. Each method has its own
prerequisites.
Cloud-based distribution points in Windows Azure
must meet the following prerequisites:
• A Windows Azure subscription

• A management certificate (either self-
signed or issued from a CA) that is used for
communication between the primary site
server and Windows Azure
• A service certificate that Configuration Manager clients use to connect to Windows Azure cloud-
based distribution points to retrieve content by using the HTTP protocol
• The Allow access to cloud distribution points client setting set to Yes for the Configuration Manager
device or user
• The client attempting to access the cloud-based distribution point is able to access the Internet
• The client attempting to access the cloud-based distribution point is able to resolve the name of the
cloud service; this will require a canonical name (CNAME) record in the local DNS namespace mapped
to the name of the cloud-based distribution point
The only prerequisite for a Windows Intune cloud-based distribution point is that Windows Intune
integration must be configured. This requires a Windows Intune subscription, the Windows Intune
connector site system role, and configuration of directory synchronization.
You can use the Directory Synchronization tool, also known as DirSync, to synchronize AD DS user
accounts and passwords with Windows Azure Active Directory. Windows Azure Active Directory stores
user accounts and passwords for Windows Intune, Windows Azure, and other services such as Microsoft
Office 365™.
Versions of DirSync after 6382.000 support password synchronization. Because you no longer have to
deploy Active Directory Federation Services (AD FS), it is simpler to integrate an on-site Configuration
Manager deployment with Windows Azure and Windows Intune.
Overview of Windows Intune

You can use Windows Intune, a cloud-based
management service, to perform the following
management tasks on client computers and
mobile devices:
• Software updates
• Software deployments
• Hardware and software inventory
• Endpoint Protection
• Remote assistance
• Mobile device management
• Software licensing
• Windows Firewall policy
You can use Windows Intune to perform these management tasks on computers that rarely connect to an
organizational network and that might not be joined to an Active Directory domain. Additionally, you can
use Windows Intune to manage software deployment for computers that are running Windows, Android,
and Apple iOS operating systems.
Computers that you manage through Windows Intune require Windows Intune client software. You can
download the client software from the Windows Intune company portal. The client software includes an
account certificate that binds the client to a specific Windows Intune deployment. If your organization
chooses to use Windows Intune to manage client devices, you must develop a strategy to install the client
software on all end-user computers. After you install the client software on a device, the Windows Intune
administrator can manage that device remotely.
Note: You cannot deploy the Windows Intune client software on a computer that has the
System Center 2012 Configuration Manager SP1 agent or the System Center 2012 R2
Configuration Manager agent installed.
Prerequisites for Implementing Windows Intune Integration

Before configuring the Windows Intune
connector, you should perform the following
tasks:
• Sign up for a Windows Intune organizational

account. Before you can configure the
connector, you must have Windows
Intune administrator credentials for the
organizationname.onmicrosoft.com (where
organizationname.com is your organization’s
DNS suffix) domain. Do not use the account
that you used to sign up for Windows Intune
(the Outlook.com, Hotmail.com, or live.com
Microsoft account) to configure the connector.
• Add a public company domain to Windows Intune. You must have a public company domain for
which you can create DNS resource records, and you must configure this domain within Windows
Intune.
• Configure user account, or User Principal Name (UPN), suffixes. You must configure user accounts
with UPNs for the public company domain.
• Configure directory synchronization. You must configure Active Directory synchronization between
your on-premises AD DS and the Windows Azure Active Directory that you are using with the
Windows Intune organizationname.onmicrosoft.com domain.
• Configure DNS alias. Create a CNAME record in DNS that maps

enterpriseenrollment.organizationname.com to manage.microsoft.com.
• Obtain relevant certificates or keys. Depending on the mobile devices that you will be managing
through Windows Intune, you need the certificates or keys. You will learn more about these in a later
topic in this lesson.
The Windows Intune Connector Site System Role

The Windows Intune connector is a site system
role that you use to connect the Configuration
Manager infrastructure with a Windows Intune
subscription. You must deploy this role in
conjunction with a connection to an existing
Windows Intune subscription that is configured
to synchronize with on-premises AD DS. The
Windows Intune connector will use the proxy
server configuration of the site system server on
which you install the role. You configure the proxy
server configuration for a site system server when
you install a site system role. You can edit the
proxy server by editing the properties of the site system server. All site system roles on a site system server
use the same proxy server configuration.
To create the Windows Intune connector, perform the following procedure:
1. In the Administration workspace, expand the Hierarchy Configuration folder, and then click
Windows Intune Subscriptions.
2. On the ribbon, click Add Windows Intune Subscription.
3. On the Introduction page, click Next.
4. On the Subscription page, sign in by using an account configured as an administrator for your
Windows Intune organization. Select the Allow the Configuration Manager console to manage
this subscription check box.
5. Review the privacy links.
6. On the General page, specify the following settings:
o Specify the user collection whose members will be able to enroll their devices for
management. Browse to the appropriate collection.
o Company name. Specify your organization name.
o URL to company privacy information. Provide privacy information (optional).
o Color scheme for company portal. Change the color of the company portal, or accept the
default color.
o Configuration Manager site code. Specify the primary site for mobile devices.
7. On the Platforms page, choose the device types you want to manage (devices running Android, iOS,
Windows, or Windows Phone 8), and then review the platform requirements. For each device type
that you choose, you need to configure additional settings. You can configure these settings on a
per-device type basis when necessary.
When you enable the Allow the Configuration Manager console to manage this subscription option,
Configuration Manager takes control of the Windows Intune subscription for mobile device management.
You cannot undo this step. If you later decide that you do not want to manage Windows Intune by using
Configuration Manager, you must create a new Windows Intune subscription.
To deploy the site system role for the Windows Intune connector, perform the following procedure on a
site system server that will communicate with the Windows Intune servers on the Internet:
1. In the Administration workspace, expand the Site Configuration folder, and then click Servers and
Site System Roles.
2. Select the site system server, and then on the ribbon, click Add Site System Roles.
3. On the System Role Selection page, select Windows Intune Connector, and then click Next.
4. Complete the wizard.
Certificate Requirements for Supporting Devices

Depending on the mobile device operating
system, you will need certificates or keys to enroll
mobile devices through the Windows Intune
connector with Configuration Manager. The
following table details those specifications.
Mobile device
Certificates or keys Notes
operating system
Windows Phone 8 Code-signing certificate (all Purchase a code-signing certificate

sideloaded apps must be code- from Symantec
signed)
Windows RT Sideloading keys to allow Obtain sideloading keys from

installation of sideloaded apps Microsoft
All apps that you sideload must be Sign apps by using a code-signing
code-signed certificate that an internal or third-
party trusted CA issues
iOS Apple Push Notification service Obtain from Apple

certificate
Android Not required Not applicable

Lab B: Configuring Windows Intune Integration with

System Center 2012 R2 Configuration Manager
Scenario
You are responsible for managing apps at A. Datum Corporation’s Melbourne office. An increasing
number of users at the Melbourne office need to use mobile devices to interact with sensitive
organizational content. With this in mind, your job is to manage mobile devices through the
organization’s existing Configuration Manager infrastructure. You need to configure the infrastructure
so that users are able to self-enroll their devices, such as mobile phones. You should also configure the
infrastructure so that users are able to self-enroll user-owned computers by visiting a website on the
Internet.
Objectives
• Sign up for a Windows Intune trial account and configure directory synchronization.
• Configure the Windows Intune connector role.
Lab Setup

10748C-LON-CAS-C
10748C-LON-CFG-C
Password Pa$$w0rd
Virtual machines MSL-TMG1
User name Administrator
Password Pa$$w0rd
1. On the host computer, open Hyper-V Manager.
2. In Hyper-V Manager, click 10748C-LON-DC1-C, and then in the Actions pane, click Start.

o Domain: Adatum
6. Repeat steps 2 and 3 for MSL-TMG1. This is a gateway server that allows connections to the Internet.
Exercise 1: Signing Up for a Windows Intune Trial Account and Configuring

Directory Synchronization
Scenario
Before setting up a connection between Windows Intune and System Center 2012 R2 Configuration
Manager, you must configure an organizational Windows Intune subscription. When setting up a
Windows Intune subscription, you want to ensure that you do not have to configure a set of parallel user
accounts. You will configure directory synchronization that enables users to use one set of credentials to
authenticate against both Windows Server Active Directory Domain Services (AD DS) and Windows Azure
Active Directory.
1. Create a temporary email account name.

2. Create a Windows Intune account.
3. Configure a UPN suffix.
4. Configure directory synchronization.
 Task 1: Create a temporary email account name

• Create a temporary email account name and not an actual e-mail account using the following
scheme:
o The first part of the email address should be your first name, the first letter of your last name,
10748C, and the date in the format used in your region (mm/dd/yy or dd/mm/yy). For example,
JoeS10748C010114 if it is the first of January 2014.
o The domain (the portion of the address after the @ symbol) should be Adatum.com. For example
joeS10748C0110114@adatum.com.
 Task 2: Create a Windows Intune account

1. On LON-CAS, edit the properties of Internet Explorer® and set the security level for the trusted sites
zone to Low.
2. Remove the requirement for https, and then add *.microsoft.com to the list of trusted sites.
3. In Internet Explorer, navigate to the following URL: http://www.microsoft.com/intune.
4. In Internet Explorer, click the Try option, and then click Sign up for a Windows Intune free 30-day
trial.
5. On the Windows Intune Sign up page, provide the required information to sign up for the trial
account. Enter data for the following required fields, and then click Check Availability:
o Country or region: Select your country or region
o Organizational language: Choose your organizational language
o First name: Don

o Last Name: Funk
o Organization Name: Type the first three letters of the city in which you are attending the course;
the course number; the month, day, and year; and the number of your computer, counting from
the front left side of the classroom. For example, type MEL10748C02041405 to indicate that
you are attending the course in Melbourne; the course number is 10748C; the date is February 4,
2014; and you are using the fifth computer from the front left side of the classroom
o Address 1: Street address of the location in which you are attending the course
o City: City in which you are attending the course
o State: State in which you are attending the course
o ZIP code: ZIP code in which you are attending the course
o Phone Number: 555-555-1212
o Email address: The fake email address that you created in the first task of this exercise.
o New Domain Name: Type the first three letters of the city in which you are attending the course;
the front left side of the classroom. For example, type MEL10748C02041405 to indicate that you
are attending the course in Melbourne; the course number is 10748C; the date is February 4,
2014; and you are using the fifth computer from the front left side of the classroom
6. After the domain name is verified, enter the following information:
o New User ID: Student
o Create new password: Pa$$w0rd

o Confirm new password: Pa$$w0rd
7. In the Verification field, type the text that is shown as a graphic. Note that the text is not case-
sensitive.
8. Click I Accept and continue.
9. In the Windows Intune form, click Continue.

10. In the Don’t lose access to your account dialog box, click Remind me later.
11. Close Internet Explorer.
 Task 3: Configure a UPN suffix

1. On LON-DC1, use the Active Directory Domains and Trusts console to add the
organizationname.onmicrosoft.com UPN suffix, where organizationname is your Windows Intune
organization name.
2. Run Windows PowerShell ISE as Administrator, type the following, replacing

organizationname.onmicrosoft.com with your Windows Intune organization’s name, and then press
Enter:
Get-ADUser -Filter {UserPrincipalName -like "*@adatum.com"} -SearchBase

"DC=adatum,DC=com" |
ForEach-Object {
$UPN =
$_.UserPrincipalName.Replace("adatum.com","organizationname.onmicrosoft.com")
Set-ADUser $_ -UserPrincipalName $UPN
}
3. In the script pane, type the following, and then press Enter:
Add-DnsServerResourceRecordCname –HostNameAlias manage.microsoft.com –Name

EnterpriseEnrollment –ZoneName Adatum.com
4. Use Active Directory Administrative Center to verify that the new UPN has been applied to April
Reagan’s account.
 Task 4: Configure directory synchronization

1. On LON-CAS, open Internet Explorer.
2. Navigate to account.manage.microsoft.com in Internet Explorer, and then sign in as

student@organizationname.onmicrosoft.com, where organizationname is your Windows Intune
organization name, with the password Pa$$w0rd.
3. In the Users section, activate Active Directory synchronization.
4. Download and install the 64-bit version of the Active Directory synchronization tool by using the
default settings.
5. Sign out from LON-CAS, and then sign in as Adatum\administrator with the password Pa$$w0rd.
6. Run the Active Directory Sync tool Configuration Wizard with the following settings:
o Windows Azure Active Directory user name: student@organizationname.onmicrosoft.com,
where organizationname is your Windows Intune organization name
o Windows Azure Active Directory password: Pa$$w0rd
o Active Directory username: administrator@adatum.com
o Active Directory password: Pa$$w0rd
o Enable Hybrid Deployment: Enabled
o Enable Password Sync: Enabled
o Synchronize your directories now: Selected
7. Wait five minutes, return to the Windows Intune Admin page, click Users, and then verify that the
list of users in Windows Intune is now populated with users from AD DS.
8. In the User list, click Alex Darrow.

9. Select the Windows Intune check box, and then click Save.
10. On the Assign role page, leave default settings, and then select United States as the location.
11. Click Save.
Results: After this exercise, you will have created a Windows Intune™ account, and configured directory
synchronization between the local Windows Server® Active Directory® Domain Services (AD DS) instance
and Windows Azure™ Active Directory.
Exercise 2: Configuring the Windows Intune Connector Role

Scenario
Users at A. Datum use a variety of mobile platforms. You need to integrate Windows Intune so that you
can manage mobile devices.

1. Configure the Windows Intune connector.
2. Deploy the Windows Intune site system role.
3. Configure client access to the cloud-based distribution point.
 Task 1: Configure the Windows Intune connector

• On LON-CAS, in the Configuration Manager console, create a Windows Intune subscription through
the Windows Intune Subscriptions node, under the Cloud Services folder, by using the following
settings:
o Set the mobile device management authority to: Configuration Manager
o Username: student@organizationname.onmicrosoft.com, where organizationname is your

Windows Intune organization name
o Collection: All Users

o Company Name: Adatum
o Configuration Manager site code: S01
o Platforms: Do not select any platforms
 Task 2: Deploy the Windows Intune site system role

• Use the Configuration Manager console to add the site system role for the Windows Intune connector
to LON-CAS.
 Task 3: Configure client access to the cloud-based distribution point

• Edit the properties of the Default Client Settings to allow access to cloud-based distribution point.
Results: After this exercise, you will have integrated Configuration Manager with Windows Intune.

following steps:

4. Repeat steps 2 to 3 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.


Review Questions
Question: Your organization has users with devices running Windows RT 8.1 and iOS 6.
These devices are Configuration Manager clients. What technology would you use to
provision these devices with VPN connection information?
Question: What are the limitations of cloud-based distribution points over distribution
points deployed on-premises?
8-1
Module 8
Maintaining and Monitoring System Center 2012
Contents:
Module Overview 8-1
Lesson 1: Overview of Configuration Manager 2012 Site Maintenance 8-2

Lesson 2: Performing Backup and Recovery of a Configuration Manager Site 8-9
Lesson 3: Monitoring Configuration Manager 2012 Site Systems 8-19

Lab: Maintaining System Center 2012 Configuration Manager 8-23
Module Overview
System Center 2012 Configuration Manager architecture includes multiple components on the site
server, site systems, and client devices. Although you can design your solution’s architecture to be
resilient to failures by implementing multiple site systems, using database clustering, and implementing
multiple primary sites to benefit from global-data replication, you must configure and perform regular
site-maintenance tasks to ensure that the solution that you implement is functional and effective.
Performing regular backups is an important maintenance activity that you implement in your
Configuration Manager environment. Performing regular backups is even more important if you have
a stand-alone primary site, so that you can recover the site configuration or the site database if failure
occurs.
If you have a multiple-site environment, data replicates to other sites in the hierarchy. However, we still
recommend that you perform backup for the site servers and databases in the central administration site
and the primary sites to protect your implementation in your operating system or site fails. The database-
replication mechanism helps you in the recovery process by replicating the most recent global data from
other sites in the hierarchy.
In addition to regular site backups, you should perform regular monitoring activities to determine
the health of your Configuration Manager implementation. You use the monitoring capabilities that
the Configuration Manager console includes to monitor the status of the site systems and replication.
Additionally, you can use external monitoring tools, such as System Center 2012 Operations Manager,
to automate monitoring and alerting.
Objectives
• Describe Configuration Manager site-maintenance tasks.
• Back up and recover a Configuration Manager site.

• Monitor Configuration Manager site systems.
8-2 Maintaining and Monitoring System Center 2012 Configuration Manager
Lesson 1
Overview of Configuration Manager 2012 Site
Maintenance
Configuration Manager 2012 includes built-in maintenance tasks that you can enable and then configure
to run on a schedule. After installing your Configuration Manager environment, you must review the
built-in maintenance tasks, so that you can determine which ones to enable and when they should run.
A crucial part of your site-maintenance setup that you should make a part of every Configuration
Manager design is a site-maintenance plan. When you create a site-maintenance plan, you should include
configuration details for the following:
• Built-in site maintenance tasks.
• Maintenance activities that you need to perform manually on a daily, weekly, or monthly schedule.
• Configuration of the status alert and status-monitoring systems that you can access from the
• External monitoring tools that you can use in the site, such as System Center 2012 Operations
Manager.
Lesson Objectives
• Provide an overview of Configuration Manager 2012 site maintenance.

• Describe typical tasks that you can use to maintain a Configuration Manager 2012 site.
• Maintain a Configuration Manager 2012 site.
• Describe the purpose and content of a site-maintenance plan.
Overview of Configuration Manager 2012 Site Maintenance

Site maintenance and monitoring for
Configuration Manager 2012 includes the
following types of activities:
• Performing site-maintenance tasks. You can

configure the built-in site maintenance tasks,
such as the Backup Site Server maintenance
task, and perform other regular maintenance
activities.
• Monitoring the site systems and replication.

You can use the monitoring features that the
Configuration Manager console includes to
view site-system status, evaluate client health,
and monitor site replication.
• Monitoring by using System Center 2012 Operations Manager. You can monitor the Configuration
Manager 2012 environment by using System Center 2012 Operations Manager to import the
Configuration Manager 2012 management pack, and then configuring the alerts and performance-
collection rules.
Configuring the Backup Site Server maintenance task, and ensuring that the backup occurs correctly, is
the most important action you perform in your Configuration Manager 2012 environment. By ensuring
these two factors, you can recover the site server and the database if an operating-system or site failure
occurs. The next lesson, “Performing Backup and Recovery of a Configuration Manager 2012 Site”, covers
backup and recovery in greater detail.
Question: Describe the tools that you can use to monitor the health of Configuration Manager 2012 site
systems.
Site Maintenance Tasks

Configuration Manager 2012 includes built-in
maintenance tasks that you can enable and
configure to run on a schedule. Configuration
Manager 2012 enables some of these tasks by
default, and they perform required clean-up
activities, including deleting aged information
from the database, ensuring removal of obsolete
information, and ensuring that reports show up-
to-date information.
You can view the site maintenance tasks by
performing the following procedure:
1. Open the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, expand Site

Configuration, and then click the Sites node.
3. Select the site for which you want to view the tasks, and then on the ribbon, click Settings, and then
click the Site Maintenance Tasks button.
4. In the Site Maintenance dialog box, click the maintenance task that you want to configure, and then
click Edit.
The following table lists the site-maintenance tasks and their purposes.
Site-maintenance task Purpose
Backup Site Server Backs up a Configuration Manager 2012 site, including the site
database, files, registry keys, and system-configuration information.
Rebuild Indexes Rebuilds the site database-table indexes to speed up data retrieval.
Monitor Keys Monitors the primary keys from the site database tables.
Delete Aged Inventory Deletes aged inventory history from the site database.
History
Delete Aged Status Messages Deletes aged status-message data from the site database.
Delete Aged Discovery Data Deletes aged client-discovery data from the site database.
Delete Aged Collected Files Deletes aged data regarding collected files from the site database
and from the site-server folder structure.
Delete Aged Software Deletes aged software-metering data from the site database.
Metering Data
Delete Aged Software Deletes aged software-metering summary data from the site
Metering Summary Data database.
Summarize Software Summarizes software-metering file-usage data from multiple, highly

Metering File Usage Data granular records into fewer, more generalized records.
Summarize Software Summarizes monthly software-metering usage data from multiple,

Metering Monthly Usage highly granular records into fewer, more generalized records.
Data
Clear Install Flag Clears the install flag in the database for clients whose Heartbeat
Discovery data records have not been updated in the specified
interval, so that the Configuration Manager client reinstalls
automatically by using Client Push.
Delete Inactive Client Deletes inactive client-discovery data from the site database.
Discovery Data
Delete Obsolete Client Deletes obsolete client-discovery data from the site database.
Discovery Data
Delete Aged Computer Deletes aged user-device affinity data from the site database.
Association Data
Evaluate Provisioned AMT Evaluates provisioned Active Management Technology (AMT)

Computer Certificates computer certificates.
Delete Obsolete Alerts Deletes alerts that have been closed for a specific period.
Delete unused application Deletes unreferenced application revisions.

revisions
Delete aged log data Deletes aged data from the replication logs, and cleans up object
lock requests.
Delete aged replication Deletes aged replication-tracking data.

tracking data
Delete aged application Deletes cancelled or denied application requests that are older than
request data the specified period.
Delete Aged Devices Deletes all obsolete records in the Exchange partnership properties
managed by the Exchange table that have a LastSuccessSyncTimeUTC earlier than the specified
Server Connector period. It also deletes the system records that correspond to the
obsolete partnership entries if they are managed solely by Exchange.
Delete aged device wipe Deletes aged device-wipe records from the site database.
record
Delete Obsolete Forest Deletes obsolete discovery data that the Active Directory® Forest
Discovery Sites and Subnets Discovery method creates by trying to find, and then remove, sites
and subnets that forest discovery has not discovered for a specific
period.
Check Application Title with Determines whether the correct application title displays in the Asset
Inventory Information Intelligence catalog. It does this by matching the installed software
data with catalog data, which is determined by calculating the
Software Properties Hash based on the Product Name, the Publisher,
and the Product Version.
Summarize installed software Summarizes installed software data.

data
Delete aged enrolled devices Deletes aged enrolled devices from the site database.
Delete aged threat data Deletes aged Endpoint Protection threat data from the database.
Delete aged endpoint Deletes aged Endpoint Protection health-status history data from the
protection health status site database.
history data
Delete aged client operations Deletes aged Endpoint Protection-related client operation data, such
as administrators-initiated scan and definition-download requests.
Evaluate collection members Evaluates the collection members incrementally, every five minutes
by default.
Update application catalog Synchronizes the Application Catalog website database cache with
tables the latest application information.
Delete aged delete detection Deletes old data-change information that external systems use when
data extracting data from database.
Delete aged user device Deletes aged information about user-device affinity.
affinity data
Question: Why should you delete aged-inventory history data?
Maintaining a Configuration Manager Site

Site maintenance for Configuration Manager 2012
involves several types of activities that you need
to perform to ensure that your Configuration
Manager implementation is working properly, and
that you can recover if a hardware or software
failure occurs.
The first step that you can take to configure your
installation’s site maintenance is to create a site-
maintenance plan. This plan lists the configuration
of the built-in site-maintenance tasks, describes
additional maintenance activities such as monitoring of the site systems and clients, and describes
recovery procedures that you must follow if a site failure occurs.
Built-in site maintenance tasks include typical maintenance features, but you should complement them
with additional tools for end-to-end maintenance and monitoring of your Configuration Manager
implementation.
Typical activities for maintaining and monitoring a Configuration Manager 2012 environment include:
• Create a site-maintenance plan. In a site -plan, you describe the:
o Configuration of the built-in site-maintenance tasks.
o Daily, weekly, and periodic activities that you need to perform.
o Required custom external-maintenance tasks.
o Configuration of the status system.
o Configuration of alerting features.
o Recovery procedures to use if a site failure occurs.

• Create any necessary custom maintenance tasks that are external to Configuration Manager. Custom
maintenance tasks perform activities that the built-in tasks do not include. You can implement these
custom tasks as scripts that the Task Scheduler runs automatically. You can use batch files or a
scripting language, such as Windows PowerShell®, to implement these tasks.
• Review, configure, and enable or disable site-maintenance tasks. Review the built-in site-maintenance
tasks, and then configure them, and enable or disable according to your site-maintenance plan.
• Configure the status summarizers. Configure the status summarizers to evaluate the health of your
site systems and components, based on the number and importance of status messages.
• Use the monitoring features that the Configuration Manager console includes. Use the Configuration
Manager console features to monitor replication and the status of the site systems.
• Configure alerts. Configure alerts that you want to generate for errors or specific thresholds.
• Consider using System Center 2012 Operations Manager. You can use System Center 2012
Operations Manager to monitor your Configuration Manager environment.
Creating a Site-Maintenance Plan

To ensure that you do not overlook important
maintenance activities, you should create a site-
maintenance plan. Typically, you create a site-
maintenance plan during the implementation
of your Configuration Manager environment. It
should reflect your particular implementation
architecture and your organization’s specific
information technology (IT) requirements with
respect to operations.
Your site-maintenance plan should be part of your Configuration Manager implementation

documentation, along with the implementation design, and procedures for installation, configuration, and
operations. Additionally, it should include recommendations for typical maintenance activities, such as:
• Configuring and verifying site backups.

• Checking for file backlog on site servers and site systems.
• Reviewing status messages for site systems and components.
• Configuring and reviewing alerts in the console.

• Checking for failed replication communication.
• Reviewing error and warning messages that System Center 2012 Operations Manager generates, if
applicable.
Site-maintenance plans can contain activities that you perform on a schedule, either manually or through
an automatic configuration. You can schedule the tasks to happen daily, weekly, or over a longer period.
The following table lists typical maintenance tasks and the suggested frequency of the tasks.
Frequency Typical maintenance tasks
Daily maintenance • Verify that built-in daily maintenance tasks are running successfully.
tasks
• Check the status of the Configuration Manager site database.
• Check the status of the site server.
• Check Configuration Manager site-system inboxes for backlogs.
• Check the status of the site systems.
• Check client status and health.
• Check the operating-system event logs on site systems.
• Check the SQL Server® error log.
• Check system performance.
Weekly • Verify that built-in weekly maintenance tasks are running successfully.
maintenance tasks
• Delete unnecessary files from site systems.
• Produce and distribute end-user reports, if necessary.
• Back up and then clear application, security, and system-event logs.
• Check the size of the site database, and then verify that the site database has
enough available disk space to enable growth.
• Perform SQL Server database maintenance on the site database, according to
your SQL Server maintenance plan.
• Check available disk space on all site systems.
• Run disk-defragmentation tools on all site systems.
Frequency Typical maintenance tasks
Periodic • Review the security plan for any required changes.

maintenance tasks
• Change accounts and passwords, if necessary, according to your security plan.
• Review the maintenance plan to verify that you have scheduled maintenance
tasks properly and effectively, depending on the configuration of your site
settings.
• Review the design of the Configuration Manager hierarchy.
• Check network performance to ensure changes have not been made that
affect site operations.
• Verify that Active Directory Domain Services (AD DS) settings affecting site
operations have not changed. For example, you should ensure that no
changes have been made to subnets that are assigned to Active Directory
sites, and that a Configuration Manager site is using the Active Directory
Forest Discovery method to create site boundaries.
• Review the disaster-recovery plan for any required changes.
• Perform a site recovery in a test lab according to the disaster-recovery plan
by using a backup copy of the most recent backup snapshot that the Backup
Site Server maintenance task created.
• Check hardware for any available errors or hardware updates.
For each maintenance task in the site-maintenance plan, you should assign an owner who is responsible
for performing that task. Administrative users to whom you assign the Infrastructure Administrator or
Operations Administrator security roles can perform most daily or weekly maintenance tasks.
When configuring the built-in site maintenance tasks, you must ensure that you are not scheduling the
maintenance tasks too aggressively, which can create additional processing load on your site server and
database. Conversely, ensure your schedule is not too passive, which can result in obsolete information
not being deleted. In most implementations, you should use the default schedules for the built-in
maintenance tasks.
Lesson 2
Performing Backup and Recovery of a Configuration
Manager Site
Configuring the Backup Site Server task and ensuring that backups occur regularly and successfully can
help ensure that you can recover your site configuration should your site server or site database fail.
The Backup Site Server task only backs up the site database, and certain folders and registry keys from
your site server. To recover your Configuration Manager implementation completely, you may need to
include additional data in your backup, such as custom reports, content files, and custom updates. You
also need to run the planned recovery procedures in a test environment, to ensure that you can recover
all necessary data from the site.
If the AfterBackup.bat batch file is present, the Backup Site Server task attempts to run it immediately
after performing the site backup. This lesson examines how to use the AfterBackup.bat to perform
additional backup operations. This lesson also explains how to troubleshoot your backup procedure and
results, and how to perform a site recovery from your backup.
Lesson Objectives
• Describe the backup and recovery processes for Configuration Manager 2012.
• Describe the resources that you need to back up.

• Configure the Backup Site Server task.
• Describe the resources that you can use to troubleshoot the backup.
• Perform site recovery.

• Recover a primary site.
Overview of Backup and Recovery

Planning the Configuration Manager backup and
recovery processes enables you to recover from
site failure. Backup and recovery processes must
be part of your site-maintenance plans to ensure
that you can recover sites and hierarchies quickly,
with minimal data loss.
Backup Site Server Maintenance Task

The Backup Site Server maintenance task runs
on a schedule, and backs up the site database,
specific registry keys, and specific folder and files.
It does not back up all files. However, you can
create the AfterBackup.bat file to perform post-
backup actions automatically after the backup-maintenance task finishes. These tasks might include
copying additional files from your site server and archiving the backup snapshot to a secure location.
Recovery Features
In case of hardware or software failure, you need to restore the site with minimal or no data loss. Site
recovery includes potentially replacing failed hardware, reinstalling the operating system and
Configuration Manager 2012, and restoring the site database from a backup.
Configuration Manager 2012 has recovery features that differ from previous versions. For example, in
Configuration Manager 2012, the Configuration Manager Setup Wizard includes a recovery option. There
is support for multiple recovery options, which the following table outlines.
Recovery option for: Recovery option available
The site server • Recover the site server from a backup

• Reinstall the site server
The site database • Recover the site database from a backup

• Create a new site database
• Use a site database that you recover manually
• Skip database recovery
If you have a multiple-site implementation of Configuration Manager, you can benefit from data
replication, which can minimize data loss after recovery. When recovering a site that is part of a hierarchy,
Configuration Manager uses database replication to retrieve the most current global data that the failed
site created before failure. This process minimizes data loss even when no backup is available.
When you need to recover a site, you can initiate an unattended site recovery by configuring an
unattended installation script, and then using the Setup /script command.
Volume Shadow Copy Service

The Backup Site Server maintenance task uses the Volume Shadow Copy Service (VSS) to create the
backup snapshot. By using VSS shadow copies when you run the Backup Site Server maintenance task,
you can minimize the time that site servers are offline. VSS must be available on both the site server and
the database server for the Backup Site Server maintenance task to complete successfully.
Question: How do you perform a recovery of your entire site if your site server fails?
Backing Up a Configuration Manager 2012 Site

Configuration Manager 2012 stores data in the
Microsoft® SQL Server site database, in the files
on the site server computer, and in registry keys.
To ensure that you can recover your entire
Configuration Manager environment if a site
failure occurs, you should configure the Backup
Site Server maintenance task for the central
administration site and for every primary site in
your hierarchy.
The Backup Site Server maintenance task runs

automatically, on a schedule that you configure.
When it runs, it stops the Configuration Manager
services, and then performs a backup snapshot of your site. This snapshot contains all necessary data to
perform a complete recovery, including the site database, certain folders from your Configuration
Manager installation path, and the registry settings that relate to Configuration Manager.
Backup and Recovery Scenarios

Depending on your implementation, you might not need to have a site backup to avoid data loss. In
multiple-site implementations, you might recover a primary site successfully by reinstalling it, and then
using database replication to retrieve the configuration settings that you were using before the failure.
The need for a site backup depends on the site implementation scenario, such as the following scenarios
for:
• A stand-alone primary site. To avoid data loss when a stand-alone primary site fails, you must have a
Configuration Manager backup.
• Secondary sites. You have no built-in features for the backup and recovery of secondary sites. When a
secondary site fails, you must reinstall it from the primary site server.
• A central administration site with child primary sites. You can configure the Backup Site Server task,
and perform recovery of the central administration site and all primary sites. Because your hierarchy
uses database replication, you can retrieve the data necessary for recovery from another site in the
hierarchy. This means that you can recover a primary site even when you do not have a site backup.
The benefit of having a backup is that you can restore the data by using the most recent backup, and
replication only needs to retrieve changes to the data since the last backup. This reduces the amount
of data that you are transferring over your network.
Configuring the Backup Site Server Task

To back up Configuration Manager sites, you must configure the Backup Site Server maintenance task
to run on a specific schedule, or it will not run. You can configure the Backup Site Server on central
administration and primary sites only. There is no backup support for secondary sites or site system
servers.
The Backup Site Server task implements as a Windows service called SMS_SITE_BACKUP, which is
configured for manual startup by default. You can configure this service to run on a schedule on the site
server and database server, and the Scheduler starts it at the time for which you configure a backup to
begin. You also can start the service manually to initiate an unscheduled backup.
When the backup service starts, it follows the instructions that have been predefined in the backup
control file, smsbkup.ctl, located in <ConfigMgrInstallationFolder>\Inboxes\smsbkup.box\. You can
modify the backup control file to change the behavior of the backup service. The changes that can be
incorporated by modifying the smsbkup.ctl file include adding files and/or registry keys to list of files
and registry keys backed up by default, stopping and starting additional Windows services, and running
external programs. The Backup Site Server tasks write site backup-status information to the smsbkup.log
file. Configuration Manager creates this log file automatically in the folder that you specify Backup Site
Server maintenance task’s Properties window.
Using the AfterBackup.bat File

You use the AfterBackup.bat file to copy additional files from your site server, archive the backup
snapshot at the end of every backup operation, and perform other post-backup tasks that the Backup Site
Server maintenance task does not perform.
After successfully backing up the site, the Backup Site Server task attempts to run the AfterBackup.bat file
automatically. If an AfterBackup.bat file exists, and is in the correct folder, the file automatically runs after
the backup task completes. You need to create the AfterBackup.bat file manually in the
<ConfigMgrInstallationFolder>\Inboxes\smsbkup folder.
To verify that the site backup task ran the AfterBackup.bat file successfully, open the Configuration
Manager console, and then click the Component Status node in the Monitoring workspace. In the results
pane, review the status messages for SMS_SITE_BACKUP. If the task initiates the AfterBackup.bat batch file
successfully, the message ID 5040 appears.
Question: What tool can you use to configure the archival of backup files that begins automatically after
the site backup completes?
Configuring the Site Backup Task

The configuration options that you choose for
the Backup Site Server task depend on your
site architecture. You need to configure the
appropriate options in the Backup Site Server
dialog box.
To configure the Backup Site Server task, perform

the following procedure:
1. In the Configuration Manager console, click
2. In the Administration workspace, expand
Site Configuration, and then click the Sites
node.
3. Select the site for which you are configuring the Backup Site Server task.
4. On the ribbon, in the Settings group, click the Site Maintenance Tasks button.
5. In the Site Maintenance dialog box, click Backup Site Server, and then click Edit.
6. Select Enable this task, and then click Set Paths to specify the backup destination. You have the
following options:
o Local drive on site server for site data and database. You specify a folder on the site server’s local
drive that stores the backup files for the site and site database. You must create this local folder
before the backup task runs, and the site server’s computer account must have write access to
the folder.
o Network path (UNC name) for site data and database. You specify a shared folder in the network
by using the universal naming convention (UNC) path to the location that stores the site’s backup
files and the site database. You must create this network-shared folder before the backup task
runs, and the site server’s computer account must have write access to the share.
o Local drives on site server and SQL Server. You specify a path on the site server’s local drive to
the location that stores the backup files for the site server. You also specify a path on the site
database server’s local drive to the location that stores the backup files for the site database.
You must create these local folders before the backup task runs, and the site server’s computer
account must have write access to both folders. This option is available only when the site
database is on a remote site system server.
7. Configure an appropriate schedule for the site backup task. As a best practice, consider a backup
schedule outside of active business hours.
8. Select the Enable alerts for backup task failures check box, click OK, and then click OK. When you
select this check box, Configuration Manager creates a critical alert for the backup failure. You can
view it from the Alerts node in the Monitoring workspace.
What is Backed Up?

The site backup includes the following files, by default:
• The Configuration Manager site database and registry keys

• The following Configuration Manager installation folders:
o <ConfigMgrInstallationPath>\inboxes
o <ConfigMgrInstallationPath>\Logs
o <ConfigMgrInstallationPath>\data
o <ConfigMgrInstallationPath>\srvacct
o <ConfigMgrInstallationPath>\install.map file
• The ..\HKEY_LOCAL_MACHINE\Software\Microsoft\SMS registry key
What is Not Backed Up?

The Backup Site Server task does not back up all Configuration Manager files. The backup occurs only on
the site server and the site database, and not on other site system roles, such as:
• Configuration Manager site systems and secondary sites. There is no need to back up data from site
systems, such as distribution points and management points. You can reinstall these site systems
easily by the site server if they fail. There is no backup support for secondary sites. You must reinstall
them from the parent primary site. There is also no backup of roles, such as the state migration point.
We strongly recommend using a highly available disk storage configuration (RAID 5 or better) for this
type of role.
• Custom Reporting Services reports. You must back up any custom reports that you create by using
Reporting Services and the database files for the report server. This enables you to recover them if a
site failure occurs. You should include the following in the report server backup:
o Source files for reports and models
o Encryption keys
o Custom assemblies or extensions
o Configuration files
o Custom SQL Server views that custom reports use
o Custom stored procedures
• Content library. You must back up the content library so that you can restore and redistribute content
to distribution points. When you initiate content redistribution, Configuration Manager copies the
files from the content library on the site server to the distribution points. The content library for the
site server is in the SCCMContentLib folder that typically is on the drive that had the most free disk
space when you installed the site.
• Package source files. You must maintain a copy of the package source files so that you can restore
them after a site failure. You then must update the content on distribution points. When you initiate a
content update, Configuration Manager copies new or modified files from the package source to the
content library, which then copies the files to associated distribution points.
• Windows Server Update Services (WSUS) database. You need to back up the WSUS database if you
want to recover the metadata about software updates. This provides an alternative if a failure occurs.
You can reinstall the software update point on a new WSUS instance. However, you will need to
reconfigure the synchronization settings.
• Backup custom software updates. You must include the System Center Updates Publisher 2011
database in your backup if you use System Center Updates Publisher 2011 to perform any of the
following activities:
o Publish custom software updates to WSUS

o Synchronize the software updates to Configuration Manager
o Assess software-updates compliance
o Deploy the custom software updates to clients
Performing Unscheduled Backups

You should perform unscheduled backups whenever you make changes to your Configuration Manager
environment, such as when you add new sites or site system roles.
You can perform an unscheduled backup by starting the SMS_SITE_BACKUP service on the site server.
Demonstration: Backing Up a Primary Site

In this demonstration, you will see how to configure the Backup Site Server task, and how to trigger and
monitor a backup.
Demonstration Steps
1. On LON-CFG, start the Configuration Manager Console.
2. In the Configuration Manager console, click the Administration workspace, expand Site
Configuration, and then select Sites.
3. Select S01 – Adatum Site, and on the ribbon, click Settings, and then click Site Maintenance.
4. In the Site Maintenance dialog box, edit the Backup Site Server task.
5. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then
click Set Paths.
6. In the Set Backup Paths dialog box, verify the option Local drive on site server for site data and
database is selected, and then browse to select a folder.
7. On drive E, create a folder called Backup, and then click Select Folder.
8. In the Set Backup Paths dialog box, verify that E:\Backup appears in the box, and then click OK.
9. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start three
minutes from now, verify that the Latest start time is at least one hour from now, and then click OK.
10. In the Site Maintenance dialog box, verify that the Backup Site Server task is enabled.
11. From Administrative Tools, start the Services console.

12. In the Services console, start the SMS_SITE_BACKUP service.
13. Navigate to the C:\Program Files\Microsoft Configuration Manager\Logs, and then open the
smsbkup.log file in Notepad.
14. If the backup completes successfully, at the end of the smsbkup.log file, the text Backup completed
appears, and then on the next line, the text STATMSG: ID=5035 appears.
15. Navigate to the E:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the
database files.
16. Navigate to the E:\Backup\S01Backup\SiteServer\SMSServer folder, double-click on the

SMSServer folder to open it, and then note that it contains the data, inboxes, Logs, and srvacct
folders.
17. In the Configuration Manager console, in the Monitoring workspace, expand System Status, and
then select the Component Status node.
18. Select the SMS_SITE_BACKUP component, and, on the ribbon, click Show Messages, and then click
All.
19. Accept the default of 1 day ago.
20. In Configuration Manager Status Message Viewer, search for a message with a Message ID of 5035.
Troubleshooting a Site Backup

You can use the logs and monitoring features
that Configuration Manager includes to ensure
that the Backup Site Server task started according
to the backup schedule and that the backup
operations occur successfully.
To verify that the Backup Site Server maintenance

task finishes successfully, you can:
• Review the smsbkup.log located in
<ConfigMgrInstallationFolder>\Logs, or in
your backup destination folder, for any
warnings and errors. When the site backup
completes successfully, you will see the
message, Backup completed, with a timestamp, and STATMSG: ID=5035.
• Review the timestamp on the files in the backup destination folder that the Backup Site Server
maintenance task creates. Verify that the timestamp is the same as the last scheduled Backup Site
Server maintenance task run time.
• Navigate to the Component Status node in the Monitoring workspace, and then review the status
messages for SMS_SITE_BACKUP. If the backup has started, you will see the message ID 5055. When
the site backup completes successfully, message ID 5035 appears, indicating that the site backup
completed without any errors.
• Configure the Backup Site Server maintenance task to create an alert when a backup fails. You can
check the Alerts node in the Monitoring workspace for these backup failure alerts.
• Review the Event Viewer logs for account and access violations. Ensure that the service account for
SMS_SITE_BACKUP can access any remote locations that you specify in the SMS Backup control file
and that the service account has the appropriate privileges to perform the tasks in the Configuration
Manager Backup control file in the [Tasks] section. By default, the SMS_SITE_BACKUP runs under the
local system account.
Archiving Multiple Backup Snapshots

Every time the Backup Site Server maintenance task runs, it creates a backup snapshot, and overwrites any
previous snapshot. Only one backup snapshot—the most recent one—is in the backup destination folder
at any given time. As a mitigation measure, we recommend that you archive multiple versions of the
backup snapshot, so that you can use a previous version if the most recent version becomes corrupt.
Question: What tasks can you perform to verify that the backup was successful?
Site Recovery
You must recover a System Center 2012
Configuration Manager site whenever the site
fails or data loss occurs in the site database.
You can initiate the site recovery by running the
System Center 2012 Configuration Manager Setup
Wizard or by using an unattended installation
script with the Setup /script command. Your
recovery options depend on whether you have a
backup of the System Center 2012 Configuration
Manager site and the site database.
To start the site recovery process, perform the

1. Start the Microsoft System Center 2012 Configuration Manager Setup Wizard by running
<Configuration Manager 2012 Installation Source Path>\SMSSETUP\BIN\X64\setup.exe.
2. On the Before You Begin page, click Next.
3. On the Getting Started page, select Recover a site, and then click Next.
When performing the site recovery in System Center 2012 Configuration Manager, you must recover the
site server and the site database. If you simply want to perform site maintenance or a site reset, start the
setup from the installation path.
Site Server Recovery Options

You have the following recovery options for the failed site server:
• Recover the site server by using an existing backup. Use this option when you have a backup of the
Configuration Manager site server that you created before the site failure. You can reinstall the site
and reconfigure the site settings to match what they were when you backed up the site.
• Reinstall this site server. Use this option when you do not have a backup of the site server. You can
reinstall the site server, and then you must specify the site settings. You must use the same site name,
site code, and configurations as the failed site, if you want to recover your site successfully.
Note: When Setup detects an existing System Center 2012 Configuration Manager site on
the server, it disables the recovery options for the site server, and uses the existing Configuration
Manager site files and registry keys.
Site Database Recovery Options

At various steps during the Site Recovery Wizard, you can use the following recovery options for the site
database:
• Recover the site database by using the backup set at the following location. Use this option when you
have a backup of the Configuration Manager site database that you created before the site database
failure. When you have a hierarchy, Configuration Manager uses replication to retrieve from other
sites the changes made to the site database after the last site database backup. When you recover
the site database for a stand-alone primary site, you lose any changes made to the site since the last
backup.
Note: If you select to restore the site database by using a backup set, and the site database
already exists, the recovery will fail. You must delete the existing database files manually before
attempting recovery.
• Create a new database for this site. Use this option when you do not have a backup of the
Configuration Manager site database. When you have a hierarchy, you can create a new site
database, and the use replication to recover data from other sites in the hierarchy. This recovery
option is not available when you are recovering a stand-alone primary site or a central administration
site that has no primary sites.
• Use a site database that you recover manually. Use this option when you recover the Configuration
Manager site database by using a method other than the Backup Site Server maintenance task. When
you have a hierarchy, you can create a new site database, and the use replication to recover data
from other sites in the hierarchy. When you recover the site database for a stand-alone primary site,
you lose any changes made to the site since the last backup.
• Skip database recovery. Use this option when the site failure did not cause data loss in the
Configuration Manager site database, and you recover only the site server.
Post-Recovery Tasks
There are several post-recovery tasks that you may need to perform to complete the site recovery process:
• Reenter user account passwords. You must reenter user account passwords for the user accounts that
the site specifies, because all passwords are reset during the site recovery. The accounts for which you
must reset passwords are on the Finished page of the Setup Wizard after site recovery completes, and
are saved on the recovered site server in the C:\ConfigMgrPostRecoveryActions.html file.
• Reinstall hotfixes on the recovered site server. You must reinstall any hotfixes that were applied to the
site server. A list of hotfixes installed previously is on the Finished page of the Setup Wizard after the
site recovery completes, and saves to C:\ConfigMgrPostRecoveryActions.html on the recovered site
server.
• Recover custom reports. You must reimport any custom reports that you created on Reporting
Services.
• Recover content files. You must restore the content library and package source files to their original
locations. The site database contains information about the content files’ storage locations on the site
server, but the backup and recovery process does not back up or restore content files. You can restore
these files from a file system backup of the site server.
Question: How do you recover a stand-alone primary site when the database becomes corrupt?
Demonstration: Recovering a Primary Site

Demonstration Steps
1. Run E:\ConfigMgr2012\SMSSETUP\BIN\X64\setup.exe. The System Center 2012 Configuration
Manager Setup Wizard starts.
Note: To perform site recovery, you need to start the setup program from the installation
media. If you want to perform a site reset only, you need to start the setup from the installation
path.
2. In the Microsoft System Center 2012 Configuration Manager Setup Wizard, use the following settings
to restore the site:
o On the Getting Started page, at Available Setup Options, click Recover a site.
o On the Site Server and Database Recovery Options page, click Recover the site database
using the backup set at the following location, and then browse to the folder where the
backup is stored.
o On the Site Recovery Information page, verify that the option Recover primary site is
selected.
o On the Product Key page, select Install the evaluation edition of this product.
o On the Microsoft Software License Terms page, select the I accept the license terms check
box.
o On the Prerequisite Licenses page, accept all prerequisite components.
o On the Prerequisite Downloads page, select Use previously downloaded files, and then in the
path box, type E:\ConfigMgr2012\Redist.
o In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite
validation to finish.
o On the Site and Installation Settings page, click Next.

o On the Database Information page, click Next twice.
o On the Customer Experience Improvement Program configuration page, select I don’t want
to join the program at this time, and then click Next.
o On the Settings Summary page, click Next.
o On the Prerequisite Check page, click Cancel. For a real system recovery, you would click Begin
Install. However, for the purposes of this demonstration, you cancel the wizard.
Lesson 3
Monitoring Configuration Manager 2012 Site Systems
Configuration Manager 2012 includes monitoring and alerting features that you can use to detect and
troubleshoot critical conditions that pertain to site systems and clients. You can configure the status
system to determine the overall health of your Configuration Manager environment, based on status
messages.
For further monitoring capabilities, you can implement System Center 2012 Operations Manager, which
provides proactive server and applications monitoring and alerting. You then can use the information that
these features provide to detect and resolve critical issues.
Lesson Objectives
• Configure alerts.
• Configure the status system and summarizers.
• Describe the features of System Center 2012 R2 Operations Manager that you can use to monitor
Configuration Manager 2012 site systems.
Configuring Alerts
Configuration Manager 2012 includes an alerting
system that generates alerts in the Configuration
Manager console when it encounters specific
conditions.
You can configure alerts for:

• Endpoint Protection events for a collection.
You can configure alerts manually that
generate for different endpoint protection
events for collections.
• Client status events for a collection. You can

configure alerts manually to generate for
different client status events for collections.
• Site System role health. You can configure some site system roles manually, such as management
points, to generate alerts when they are not healthy.
• Database replication. Configuration Manager provides an alert automatically for database replication
issues.
• Database disk space usage. Configuration Manager provides alerts automatically regarding free
database space.
• Low Sideloading activations. Configuration Manager provides alerts automatically for sideloading
activations.
• Deployments. You can configure alerts manually for deployment of applications and compliance
settings.
Alerts generate every 30 minutes by default if conditions that the alert rules include evaluate to true. You
can view all configured alert rules in the Configuration Manager console in the Monitoring workspace
under the Alerts node. Additionally, you can change the frequency with which the alerts generate.
In System Center 2012 Configuration Manager, you could create alert subscriptions only for Endpoint
Protection. Beginning with Configuration Manager 2012 SP1, you can create subscriptions for any alert.
To create a subscription, you must specify:
1. The subscription name.
2. The email addresses.
3. The alert rules for which you want to receive email messages.
Configuring the Status System

Configuration Manager 2012 generates status
messages about actions that various Configuration
Manager components perform, and about site
systems and client status. All Configuration
Manager components generate status messages.
The Configuration Manager database stores

status messages, which you can view individually
by using the Configuration Manager Status
Message Viewer. You also can aggregate status
messages by using summarizers to determine the
health of the Configuration Manager site system
or components, and to obtain statistics about
application deployment. There are four types of summarizers:
• Application Deployment Summarizer. Summarizes the status messages that pertain to application
deployments.
• Application Statistics Summarizer. Summarizes information about the installed deployment process,
so that you can create statistics.
• Component Status Summarizer. Summarizes the status messages that pertain to Configuration
Manager components, to determine their health.
• Site System Status Summarizer. Summarizes the status messages that pertain to Configuration
Manager site systems, to determine their health.
To configure the status summarizers, perform the following procedure:
2. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, select
the site.
3. On the ribbon, in the Settings group, click Status Summarizers.

4. In the Status Summarizers dialog box, select the summarizer that you want to configure, and then
click Edit.
You can use the Configuration Manager console to view the aggregated health information for site
systems and components that summarizers calculate. This information is in the Monitoring workspace,
under the System Status node. At this location, you can find the aggregated health status under the Site
Status and Component Status nodes.
You can configure status filter rules to detect critical conditions based on specific status messages, and
perform automated actions based on the conditions detected. The built-in status filter rules create events
in the Windows event logs when it detects specific status messages. You also can create custom status-
filter rules to control the processing of status messages.
To configure the status filter rules, you must perform the following procedure:
2. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, select
the site.
3. On the ribbon, in the Settings group, click Status Filter Rules.

4. In the Status Filter Rules dialog box, select the rule that you want to configure, and then click Edit.
You also can create new status-filter rules in this dialog box.
Status Reporting
By configuring status reporting, you can modify how the server and client components report status
messages to the Configuration Manager status system. You then can configure the location to which the
components send status messages. By default, the components send all status messages for All Milestones
without details to Configuration Manager, and Configuration Manager does not write the information to
event logs.
To configure the status reporting, perform the following procedure:

2. In the navigation pane expand Site Configuration, click Sites, and then in the results pane, select the
site.
3. On the ribbon, in the Settings group, click Configure Site Components, and then click Status
Reporting.
4. In the Status Reporting Component Properties dialog box, select the level of details for Server
component status reporting and for Client component status reporting.
Note: The default reporting settings are appropriate for most environments, and you
should use caution when changing them. When you increase the level of status reporting, by
choosing to report all status details, you can increase the amount of status messages that process.
This increases the processing load on the site server and site database.
Monitoring by Using System Center 2012 R2 Operations Manager

System Center 2012 R2 Operations Manager
provides proactive server and applications
monitoring that you can use to identify the
conditions that lead to potential issues before they
affect your environment. Additionally, it provides
troubleshooting information that is specific to
detected issues. This information can help you
resolve issues more quickly.
System Center 2012 R2 Operations Manager uses

agents that you install on servers that you want to
monitor. These agents evaluate the health of
applications and services, and monitor performance. The management packs include the rules that
describe those components that agents are monitoring.
The Configuration Manager 2012 Management Pack for Operations Manager helps administrators
manage and administer Configuration Manager 2012 servers, computers, databases, services, disks,
applications, and other objects that require monitoring.
This release of this Management Pack improves Configuration Manager 2012 monitoring, and includes
the following improvements:
• Monitoring the availability status of all server roles.
• Monitoring the health status of key services.

• Monitoring SQL replication health status.
• Monitoring general central processing unit (CPU), memory, and disk-system resource usage.
• Providing a topology diagram of the Configuration Manager 2012 site hierarchy.
• Monitoring the performance trends of some Configuration Manager performance counters.
By using System Center 2012 Operations Manager, you can monitor physical hardware, operating-system
components, and core network services, such as Domain Name System (DNS), Dynamic Host
Configuration Protocol (DHCP), and AD DS. Additional management packs for monitoring applications are
available in the management-pack catalog on the Microsoft website.
Lab: Maintaining System Center 2012 Configuration

Manager
Scenario
R2 Configuration Manager in a complex hierarchy with a central administration site, two primary sites, and
a secondary site.
You need to configure site-maintenance tasks to reduce the space that the Configuration Manager
database uses, and configure the Backup Site Server task to backup and recover a primary site.
Objectives
At the end of this lab, you will be able to:
• Configure site-maintenance tasks.

• Configure the Site Backup Task.
• Recover the site from a backup.
Lab Setup
Virtual Machines 10748C-LON-DC1-C

10748C-LON-CAS-C
10748C-LON-CFG-C
Password Pa$$w0rd
o Domain: Adatum
5. Repeat steps two through four for 10748C-LON-CAS-C and 10748C-LON-CFG-C.

Exercise 1: Configuring maintenance tasks in Configuration Manager

Scenario
You need to configure maintenance tasks to delete aged software metering and inventory data.
1. Verify the default settings for maintenance tasks.
2. Configure the Delete Aged Inventory History task.
3. Configure the Delete Aged Software Metering Data tasks.
 Task 1: Verify the default settings for maintenance tasks

Configuration, click Sites, and then click the S01 – Adatum Site.
3. On the ribbon, in the Settings group, click Site Maintenance.

4. In the Site Maintenance dialog box, review the tasks that are enabled by default. Notice that most
tasks pertain to database cleaning.
5. Verify the settings for the Delete Aged Discovery Data task.
 Task 2: Configure the Delete Aged Inventory History task

• Configure the Delete Aged Inventory History by using the following settings:
o Delete data that has been inactive for: 365 days.
o Schedule: every Sunday between 1 AM and 3 AM.
 Task 3: Configure the Delete Aged Software Metering Data tasks

1. Configure the Delete Aged Software Metering Data tasks by using the following settings:
o Delete data that has been inactive for: 7 days
o Schedule: every day between 1 AM and 3 AM.
2. Configure the Delete Aged Software Metering Summary Data by using the following settings:
o Delete data that has been inactive for: 120 days.
o Schedule: every Saturday between 1 AM and 3 AM.
Results: At the end of this exercise, you will have configured maintenance tasks in Configuration
Manager.
Exercise 2: Configuring the Site Backup Task

Scenario
You need to configure the Backup Site Server task, trigger the backup, and then verify that the backup
completes successfully.

1. Configure the Site Backup task.
2. Trigger the backup of the site, and verify its completion.
 Task 1: Configure the Site Backup task

Configuration, and then select Sites.
3. Select S01 – Adatum Site, and on the ribbon, click Settings, and then click Site Maintenance.
4. In the Site Maintenance dialog box, edit the Backup Site Server task.
click Set Paths.
6. In the Set Backup Paths dialog box, verify that the option Local drive on site server for site data
and database is selected, and then browse to select a folder.
Note: In practice, you should use either Network path (UNC name) for site data and
database to save backup on a network share, or you should use Local drives on site server and
SQL Server if the database is installed on a separate server.
7. Create a new folder called Backup in the Local Disk (C:) drive, and then click Select Folder.
8. In the Set Backup Paths dialog box, verify that C:\Backup appears in the box, and then click OK.
minutes from now, and then click OK.
10. In the Site Maintenance dialog box, verify that the Backup Site Server task is enabled.
 Task 2: Trigger the backup of the site, and verify its completion
1. From Server Manager, start the Services console.
2. In the Services console, start the SMS_SITE_BACKUP service.

4. If the backup occurs successfully, in the smsbkup.log file, the text Backup completed appears, and
then, on the next line, the text STATMSG: ID=5035 appears.
5. Navigate to the C:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the
database files.
6. Navigate to the C:\Backup\S01Backup\SiteServer folder, double-click on the SMSServer folder to
open it, and then note that it contains the data, inboxes, Logs, and srvacct folders.
7. In the Configuration Manager console, in the Monitoring workspace, expand System Status, and
then select the Component Status node.
8. Select the SMS_SITE_BACKUP component, and, on the ribbon, click Show Messages, and then click
All.
9. Accept the default of 1 day ago.

10. In the Configuration Manager Status Message Viewer, search for a message with a Message ID of
5035.
Note: When site backup completes successfully, message ID 5035 appears. This indicates
that the site backup completed without any errors.
11. Close the Configuration Manager Status Message Viewer.
Results: At the end of this exercise, you should have performed a backup for the Configuration Manager
site.
Exercise 3: Recovering a Site from a Backup

Scenario
You need to use the Site Recovery Wizard to recover the site from a backup.

1. Use the Site Recovery wizard to recover a site from backup.
 Task 1: Use the Site Recovery wizard to recover a site from backup
1. On LON-CFG, run E:\ConfigMgr2012R2\SMSSETUP\BIN\X64\setup.exe. The System Center 2012
R2 Configuration Manager Setup Wizard starts.
2. In the Microsoft System Center 2012 R2 Configuration Manager Setup Wizard, use the following
settings to restore the site:
o On the Getting Started page at Available Setup Options, click Recover a site.
o On the Site Server and Database Recovery Options page, click Recover the site database
using the backup set at the following location, and then browse to select the
C:\Backup\S01Backup folder. This folder stores the backup that you performed in the previous
exercise.
o On the Site Recovery Information page, verify that the option Recover primary site is
selected.
o On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
o On the Microsoft Software License Terms page, click the I accept these license terms check
box, and then click Next.
o On the Prerequisite Licenses page, accept all prerequisite components.

o On the Prerequisite Downloads page, select Use previously downloaded files, and then
specify E:\ConfigMgr2012R2\Redist as the location.
o On the Site and Installation Settings page, click Next.
o On the Database Information page, accept the default settings.
o On the Customer Experience Improvement Program configuration page, select I don’t want
to join the program at this time, and then click Next.
o Complete the wizard by using the default options. At the Prerequisite Check step, click Cancel,
and then click Yes.
Note: It takes time to restore the site. Therefore, for expediency in this lab, you cancel the
restoration process.

following steps:

4. Repeat steps 2 and 3 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Results: At the end of this exercise, you should have recovered the Configuration Manager 2012 R2
primary site.
Question: How do you configure a site backup?

Question: How do you perform site recovery?
Question: What can you do to maintain your Configuration Manager database as small as
possible?

Review Questions
Question: For what purposes do you use the AfterBackup.Bat file?
Question: What factors determine how frequently you should perform a backup?
Question: Under what circumstances should you perform unscheduled backups?
Question: How can you minimize data loss when you do not perform backups?
9-1
Module 9
Migrating to System Center 2012 R2 Configuration Manager
Contents:
Module Overview 9-1
Lesson 1: Overview of the Migration Process 9-2
Lesson 2: Preparing Configuration Manager 2007 Sites for Migration 9-8

Lesson 3: Configuring Migration Settings 9-11
Lesson 4: Migrating Objects 9-17

Lesson 5: Upgrading Configuration Manager 2012 to Configuration
Manager 2012 with SP1 and then to System Center 2012 R2
Lab: Migrating from System Center Configuration Manager 2007 to
System Center 2012 Configuration Manager 9-30

Course Evaluation 9-39
Module Overview
Microsoft® System Center 2012 Configuration Manager provides a rich feature set that you can use to
migrate objects from Microsoft® System Center Configuration Manager 2007 through Configuration
Manager 2012 to System Center 2012 R2 Configuration Manager. In addition, it provides the necessary
tools for restructuring your site hierarchy during migration.
Differences between Configuration Manager 2007 site architecture and Configuration Manager 2012 site
architecture may require you to perform site consolidation when performing migration. Using the built-in
migration functionality, you can migrate objects from any source site in the Configuration Manager 2007
hierarchy to the central administration site in the Configuration Manager 2012 hierarchy. From the central
administration site, the migrated objects are replicated as global data to all sites in the hierarchy.
Using the Migration Job Wizard, you can migrate different types of objects such as collections,
advertisements, software packages, software updates, Asset Intelligence customizations, operating system
deployment objects, desired configuration management objects, and software metering rules.
Objectives
• Describe the migration process from Configuration Manager 2007 to Configuration Manager 2012.
• Prepare Configuration Manager 2007 sites for migration.

• Configure migration settings.
• Migrate objects.
• Upgrade a Configuration Manager site to System Center 2012 R2 Configuration Manager.

9-2 Migrating to System Center 2012 R2 Configuration Manager
Lesson 1
Overview of the Migration Process
The migration process from Configuration Manager 2007 to Configuration Manager 2012 includes
configuring the source hierarchy, configuring additional source sites, configuring shared distribution
points, migrating collections, migrating objects by type, monitoring the migration process, and migrating
Configuration Manager clients. When the migration process is completed, you perform migration data
cleanup by removing the configuration of the source hierarchy.
In this lesson, you will review the migration process, review the types of objects that can be migrated,
discuss the restrictions for migrating collections, and analyze consolidation requirements for migrating
primary sites.
Lesson Objectives
• Describe the migration process.

• Describe the types of objects that can be migrated.
• Describe the restrictions imposed on collections.
• Describe the need for consolidating primary sites.
Overview of the Migration Process

There are two ways to move your existing
Configuration Manager environment to System
Center 2012 R2 Configuration Manager: you can
perform an upgrade or a migration. The upgrade
option applies only to versions of Configuration
Manager 2012. You can upgrade System Center
2012 Configuration Manager without a service
pack to System Center 2012 Configuration
Manager with SP1, which you can then upgrade
to System Center 2012 R2 Configuration Manager.
You cannot perform an in-place upgrade from
without a service pack to System Center 2012 R2 Configuration Manager directly.
When you migrate a Configuration Manager 2007 hierarchy to a Configuration Manager 2012 hierarchy,
you always perform a side-by-side migration. You install a fully functional Configuration Manager 2012
hierarchy in the same network environment as the Configuration Manager 2007 hierarchy, select and
migrate objects in batches, and lastly, migrate clients. By using the migration approach, you minimize the
risks associated with an in-place upgrade. Additionally, if the Configuration Manager 2012 installation
fails, you can discard the new installation easily and revert to the previous source hierarchy.
By performing a side-by-side migration, you also have the opportunity to consolidate sites. This is because
the Configuration Manager 2012 hierarchy can have a maximum of three site levels made up of the
central administration site, one level of primary sites below that, and a level of secondary sites below the
primary sites. If you have primary sites that are child sites of primary sites in the Configuration Manager
2007 hierarchy, you need to restructure your hierarchy when migrating to Configuration Manager 2012.
Primary sites cannot be the child sites of other primary sites in Configuration Manager 2012. This is a
significant change from all prior versions of Configuration Manager.
You cannot migrate secondary sites in-place. If you want to reuse the same server hardware, you must
first uninstall secondary sites from Configuration Manager 2007 before installing them in Configuration
Manager 2012. You can also convert secondary sites from Configuration Manager 2007 to distribution
points in Configuration Manager 2012. This provides the advantages of hierarchical simplification in cases
of reasonable bandwidth with fewer than a thousand clients at the former secondary site locations.
You can upgrade clients by using any of the client installation methods, including Client Push, Group
Policy installation, logon script, or manual installation. After you upgrade, the Configuration Manager
clients maintain the execution history for advertisements.
The migration process has two uses: migrating from an existing Configuration Manager 2007 site and
consolidating existing Configuration Manager 2012 hierarchies. The following table lists the source
hierarchies that you can migrate and the hierarchy version to which you can migrate them. Permitted
migrations to and from Configuration Manager 2012 with SP1 and newer can be very useful when you
are moving from a lab or staging environment into production. It is also useful in hierarchy simplification
through merger scenarios. This migration capability was added in System Center Configuration Manager
2012 with SP1.
Source hierarchy Destination hierarchy
Configuration Manager 2007 SP2 or R3 System Center 2012 Configuration Manager

with no service pack
Configuration Manager 2007 SP2 or R3 System Center 2012 Configuration Manager

System Center 2012 Configuration Manager with SP1 with SP1
Configuration Manager 2007 SP2 or R3 System Center 2012 R2 Configuration

System Center 2012 R2 Configuration Manager Manager
You perform the following steps for a typical migration process:
1. Configure the source hierarchy. In the first step of the migration process, you configure the source
hierarchy by specifying the top-level site in the Configuration Manager 2007 implementation. This
site also becomes a source site for migrating Configuration Manager objects.
2. Configure additional source sites. You can specify additional source sites that contain objects you
want to migrate. You can configure only source sites that are under the top-level site that you
configured in the previous step. When migrating a Configuration Manager 2012 site to a new
Configuration Manager 2012 site, you do not need to configure additional source sites for child
sites, since the Client Access server site database contains all of the objects that you can replicate.
3. Configure distribution point sharing. In this optional step, you configure a Configuration Manager
2007 distribution point so that it is visible to Configuration Manager 2012 clients after migration.
You use this approach to make packages available to Configuration Manager 2012 clients without
distributing the content to the Configuration Manager 2012 distribution points.
4. Migrate collections and associated objects. You create a migration job to migrate collections and
associated objects, such as advertisements or packages.
5. Migrate objects by type. You select the types of objects to migrate, including boundaries, Asset
Intelligence customizations, software updates, operating system deployment objects, desired
configuration management baselines and configuration items, and software metering rules.
6. Migrate Configuration Manager clients. You can use any of the client installation methods to upgrade
the client to the Configuration Manager 2012 version in place. This process maintains the client
execution history.
7. Convert secondary sites to distribution points. In this optional step, you can convert Configuration
Manager 2007 secondary sites to Configuration Manager 2012 distribution points. The Upgrade
Shared Distribution Point Wizard uninstalls the secondary site and then configures the server as a
distribution point in Configuration Manager 2012, while maintaining the content on the distribution
point.
After migration, you should:

1. Remove distribution point sharing. After you migrate all Configuration Manager clients to the
Configuration Manager 2012 version, you can remove the distribution point sharing.
2. Remove the source hierarchy configuration and decommission the old hierarchy. This is the last
step in the migration process. After you ensure that you have migrated all of the necessary objects,
remove the source hierarchy configuration and then decommission the Configuration Manager 2007
hierarchy.
Note: You cannot reuse any site codes in a migration. You must provide unique site codes
across Configuration Manager 2007 and Configuration Manager 2012 hierarchies.
Types of Objects You Can Migrate

The majority of object types are supported for
migration from Configuration Manager 2007 to
Configuration Manager 2012. When you create a
migration job, you can select which objects you
want to migrate. The following table lists the types
of objects that you can migrate.
Object What you can migrate
Collections You can migrate query-based or direct membership collections with the
following restrictions:
• You cannot migrate mixed collections (which contain both users and
devices).
• You migrate collections that have the membership limited to other
collections as individual collections with additional inclusion rules.
Advertisements You can migrate existing advertisements for packages, software updates, or
task sequences so that the Configuration Manager 2012 clients receive them.
Advertisements migrated from Configuration Manager 2007 become
deployments in Configuration Manager 2012.
Boundaries You can migrate the existing boundaries to Configuration Manager 2012. You
need to assign the boundaries to boundary groups to use them for client
assignment or content lookup in Configuration Manager 2012.
Object What you can migrate
Software You can migrate software distribution packages. We recommend that you
distribution configure the package source using a Universal Naming Convention (UNC)
packages path to minimize the need for reconfiguring the package source after
migration.
Virtual application You can migrate the virtual application packages to Configuration Manager
packages 2012 applications. Any existing advertisements of virtual application packages
are not migrated.
Software updates To migrate objects related to software updates, first you need to configure a
software update point in Configuration Manager 2012, and then you
synchronize software update metadata with the same sync source as the
source hierarchy uses. After you do this, you can migrate the following types of
objects:
• Deployments
• Deployment packages
• Templates
• Software update lists
Asset Intelligence You can migrate any customizations you made to the Asset Intelligence
customizations catalog, including custom categories, software families, labels, hardware
requirements, and software lists.
Operating system You can migrate the following types of objects that you use in operating
deployment system deployment:
• Boot images
• Driver packages
• Drivers
• Images
• Packages
• Task sequences
Desired You can migrate configuration baselines and configuration items you have
configuration created previously in Configuration Manager 2007.
management
Software metering You can migrate software metering rules, but not the metering history.
rules
The following types of objects cannot be migrated using the included Configuration Manager migration
tools:
• Queries
• Security rights and instances for the site and objects
• Configuration Manager 2007 web reports or Microsoft SQL Server® Reporting Services (SSRS) reports
• Client inventory and history data (from the site database); however, clients maintain execution history
• Intel Active Management Technology (AMT) client provisioning information
• Files in the client cache

SSRS reports can be migrated outside of the Configuration Manager migration process. If there are
reports that you want to migrate you can export the Report Definition Language (.RDL) files from the SSRS
in your Configuration Manager 2007 environment and import them into the SSRS in your new
environment.
Collection Restrictions
When you migrate collections that are linked
to other collections or that have subcollections,
Configuration Manager 2012 creates multiple
objects in either the User Collections node or the
Device Collections node:
• In the root of the appropriate node,

Configuration Manager 2012 creates a
collection named after the parent collection.
This collection is populated by any members
from the parent collection only.
• In the root of the appropriate node,
Configuration Manager 2012 creates a
collection named Migrated Collection <parent collection name> and subcollections. The membership
rules include the parent and subcollections that were migrated.
• In the root of the appropriate node, Configuration Manager 2012 creates a folder with the parent
collection’s name. Located under this folder are the migrated subcollections of the migrated parent
folder.
You cannot migrate collections that contain a reference to a collection of a different resource type.
In Configuration Manager 2007, empty collections (collections that have no associated resources) are used
to organize other collections. When you migrate an empty collection, it converts to an organizational
folder that contains no users or devices.
You cannot migrate mixed collections that contain both users and devices because Configuration
Manager 2012 does not support them. To migrate mixed collections, you must create individual
collections that contain only users or only devices.
Typically, Configuration Manager 2007 used empty collections with no rules to organize other collections.
In Configuration Manager 2012, you can migrate empty collections as folders.
The collections must be independent of one another in Configuration Manager 2012 to avoid circular
references, because collections are evaluated at all primary sites in the hierarchy. For example, if you have
a collection called New York, containing all clients from New York, with two subcollections called Servers
and Desktops, and you migrate all of them to Configuration Manager 2012, the result is three
independent collections.
You can add additional inclusion rules to the Servers and Desktops collections to ensure that they have
the same membership after migration. If the top-level collection has no membership rules or targeted
advertisements, the New York collection will migrate to a folder in Configuration Manager 2012. The
subcollections Servers and Desktops will migrate as collections with additional inclusion rules in the New
York folder.
Consolidation Requirements for Primary Sites

In Configuration Manager 2012, a primary site
cannot be the child of another primary site; it can
only be a child of the central administration site.
Similarly, a secondary site must have a primary site
as its parent site. Due to these restrictions, the
hierarchy model in Configuration Manager 2012
can have a maximum of three levels:
• Central administration site. Situated

at the top level of the hierarchy, the
central administration site maintains the
configuration for the entire hierarchy.
• Primary sites. You use primary sites to
manage clients.
• Secondary sites. You use secondary sites to manage client communication traffic on slow wide area
network (WAN) links.
A Configuration Manager 2007 hierarchy can have more than three levels. For instance, a primary site can
have another primary site as its parent. When you migrate to Configuration Manager 2012, you need to
consolidate any primary site that is a child of another primary site.
You cannot assign clients that you assigned to central primary sites in Configuration Manager 2007 to the
central administration site in Configuration Manager 2012. This is because the central administration site
cannot have assigned clients. You need to reassign the clients that were assigned to the central site in
Configuration Manager 2007 to another primary site in the Configuration Manager 2012 hierarchy.
You cannot migrate secondary sites directly to Configuration Manager 2012. For any existing secondary
sites in the Configuration Manager 2007 hierarchy, you need to perform one of the following actions:
• Uninstall the sites, and then reinstall them as new secondary sites in Configuration Manager 2012.
• Convert the sites to distribution points in the new Configuration Manager 2012 installation.
Lesson 2
Preparing Configuration Manager 2007 Sites for
Migration
To migrate objects from Configuration Manager 2007 to Configuration Manager 2012, you need to
ensure that both the source and destination hierarchies meet certain prerequisites.
In this lesson, you will review the preparation steps that you must perform on Configuration Manager
2007 sites to ensure successful migration of objects. You will also review the prerequisites for configuring
source sites and running migration jobs.
Lesson Objectives
• Describe the steps for preparing Configuration Manager 2007 sites for migration.
• Describe the prerequisites for migration from Configuration Manager 2007 to Configuration Manager
2012.
Preparing Configuration Manager 2007 Sites for Migration

To ensure a successful migration, you should
review your Configuration Manager 2007
hierarchy settings and make changes as required.
Not all of the changes described below are
required to perform the migration; however,
they help streamline the migration process.
Consider the following points when reviewing
your Configuration Manager 2007 hierarchy
settings:
• You must install Configuration Manager 2007
with SP2 or Configuration Manager 2007 R3
for all source sites. You need to upgrade all
Configuration Manager 2007 sites in the source hierarchy to Configuration Manager 2007 SP2.
Additionally, if you installed Configuration Manager 2007 R2 or R3, you can migrate Microsoft
Application Virtualization (App-V) packages.
• Migration is an opportunity to restructure the hierarchy configuration, because a Configuration

Manager 2012 hierarchy can have a maximum of three levels. Primary sites cannot have other primary
sites as child sites in Configuration Manager 2012. Therefore, you must migrate all of the objects in
your Configuration Manager 2007 hierarchy from the multiple primary sites that are in a parent-child
relationship to a single primary site in your new Configuration Manager 2012 hierarchy.
• Configuration Manager 2012 requires Windows Server® 2008 or newer, SQL Server 2008 or newer,
and 64-bit systems. While it is not necessary to upgrade the source hierarchy to use these versions,
you should test them to ensure that your organization environment supports them before installing
the new Configuration Manager 2012 hierarchy.
• Consider implementing Microsoft BranchCache® in Configuration Manager 2007 R2 as an alternative

to using distribution points. You can use BranchCache after migrating to Configuration Manager
2012.
• In some organizations, it can take a long time to acquire additional server hardware to implement
your Configuration Manager 2012 hierarchy. You can speed up the migration process by using server
virtualization technologies, which enable the rapid creation of new virtual servers.
• Mixed collections and subcollections may require changes to their collection definitions to enable
migration to Configuration Manager 2012.
• You should configure all software packages with a UNC path to reduce the need for reconfiguration
after you migrate them.
• All site codes need to be unique throughout the source and destination hierarchies.
• You should remove any references to SMSSITECODE=AUTO. All site codes should be explicitly stated.
The use of SMSSITECODE=AUTO was encouraged in earlier versions of Configuration Manager, but
this practice can cause the loss of a client’s management point when migrating.
Configuration Manager 2007 Prerequisites for Migration

To perform migration, prepare Configuration
Manager 2007 sites to meet prerequisites by:
• Updating Configuration Manager 2007
at all source sites with Service Pack 2 or
Configuration Manager 2007 R3.
• Configuring the following two user
accounts in Configuration Manager 2012 with
permissions in each source site that you want
to migrate:
o The Source Site SMS Provider Account.

This account requires Read permission to
all source site objects.
o The Source Site SQL Server Account. This account requires Read and Execute permissions to the
source site database.
Note: Use the computer account for the Source Site SMS Provider Account and the Source
Site SQL Server Account rather than a user account.
• Opening the following network protocols and ports in the firewalls between the Configuration
Manager 2007 site and the Configuration Manager 2012 site:
o NetBIOS/Server Message Block (SMB), 445 (TCP)
o Remote Procedure Call (RPC) (WMI), 135 (TCP)
o SQL Server, 1433 (TCP)

Configuration Manager 2012 Prerequisites for Migration

You cannot perform an in-place upgrade
of an existing Configuration Manager 2007
infrastructure to System Center 2012
Configuration Manager. Instead, you must
perform a side-by-side migration by installing
a Configuration Manager 2012 hierarchy on
different systems than the Configuration Manager
2007 site installation.
Before you begin migration, you need to install

and configure your Configuration Manager 2012
hierarchy in the same network environment as
your existing Configuration Manager 2007
implementation. The new hierarchy can be one of the following:
• Multiple-site. Install a central administration site and then install at least one primary site in the
hierarchy.
• Stand-alone primary site. Install a single primary site, which will be the only primary site in the
hierarchy.
Before migrating, ensure that the following Configuration Manager 2012 migration prerequisites are
complete:
• Use an account in the Configuration Manager 2012 hierarchy that has the Full Administrator security
role, so that you can create objects in any site in the Configuration Manager 2012 hierarchy.
• Configure a software update point in your Configuration Manager 2012 hierarchy. Synchronize the
software update metadata using the same source as the existing software update point in your
Configuration Manager 2007 hierarchy. This enables you to migrate software updates.
• Configure at least one Configuration Manager 2012 primary site, or the central administration site, to
use the same port numbers as the original Configuration Manager 2007 source site. In this way, client
requests are directed properly. In addition, client requests can use shared distribution points from the
Configuration Manager 2007 site.
• Assign Site Delete permissions to the Source Site Access Account on the source site to remove the
distribution points automatically from the Configuration Manager 2007 site during migration.
Lesson 3
Configuring Migration Settings
Your first step in the migration process is to configure the source hierarchy by specifying the top-level site
in your Configuration Manager 2007 hierarchy.
After you have configured the source hierarchy, the migration data gathering process begins. It collects
information about sites, and objects within those sites, in the Configuration Manager 2007 hierarchy
starting from the top-level site that you specified. The top-level site is configured as a source site
containing objects to be migrated.
You can configure additional sites from the Configuration Manager 2007 hierarchy as source sites, which
makes it possible to migrate objects from these sites to Configuration Manager 2012.
Lesson Objectives
• Describe the process of configuring a source hierarchy.

• Describe the data gathering process.
• Describe how you can use multiple-source hierarchies in the migration process.
• Describe the process for configuring distribution point sharing.

• Describe how you can migrate secondary sites to distribution points in the Configuration Manager
2012 hierarchy.
Process of Configuring the Source Hierarchy

The source hierarchy is the set of Configuration
Manager 2007 sites that contain objects that you
want to migrate to Configuration Manager 2012.
To configure the source hierarchy, you must input
the following information in the Specify Source
Hierarchy dialog box:
• The fully qualified domain name (FQDN) of

the top-level Configuration Manager 2007
site server.
• The Source Site Account you use to connect

to the SMS Provider of the source site.
• The Source Site Database Account you use to connect to the site database of the source site.
When you configure a Configuration Manager 2007 site as the top-level site, you can migrate objects
from it and from any child primary sites. You can migrate objects from only the site that you selected, in
addition to sites that are under the source site, so we recommend selecting the site located at the top of
the Configuration Manager 2007 hierarchy. This is called a central site.
Configuration Manager 2012 uses these settings to retrieve information about objects and distribution
points from the source site. During the data gathering process, child sites in the Configuration Manager
2007 hierarchy are identified. Then you can configure these sites as source sites for migration.
You can configure multiple instances of source hierarchies. However, only one source hierarchy can be
active at a given time. If you configure an additional source hierarchy before you complete migration
from the active source hierarchy, it cancels any active migration jobs and postpones any scheduled
migration jobs. The newly configured source hierarchy becomes the active source hierarchy. You can
configure connection credentials, source sites, and migration jobs for the current active source hierarchy.
To configure a source hierarchy, perform the following procedure:

2. In the navigation pane, expand Migration, and then click the Source Hierarchy node.
3. On the ribbon, click Specify Source Hierarchy.

4. In the Specify Source Hierarchy dialog box:
o Select New source hierarchy for the active source hierarchy.
o Type the name of the top-level Configuration Manager 2007 site server.
o Configure the Source Site Account.
o Configure the Source Site Database Account.
Demonstration: Configuring the Source Hierarchy

In this demonstration, you will see how to configure the source hierarchy.
Demonstration Steps
2. In the Configuration Manager console, in the Administration workspace, under the Migration node,
click the Source Hierarchy node, and then on the ribbon, click Specify Source Hierarchy.
3. In the Specify Source Hierarchy dialog box, use the following settings to configure the source
hierarchy:
o In the Top-level Configuration Manager site server box, type LON-CM7.Adatum.com.

o Under Specify the Source Site Account to use to access the SMS Provider for the source site
server. This account requires Read permissions to all source site objects, verify that User
Account is selected, and then use Set to configure a new account with the following information:
 In the User name box, type Adatum\Administrator.
 In the Password and Confirm password boxes, type Pa$$w0rd.
 Use Verify and Test connection to validate the credentials and connection to source site.
o Under Specify the Source Site Database Account to use to access the SQL Server for the
source site server. This account requires Read and Execute permissions to the source site
database, verify that Use the same account as the Source Site SMS Provider Account is
selected.
o Select the Enable distribution-point sharing for the source site server check box, and then
click OK.
4. After you have configured the source hierarchy, the Data Gathering Status process will start. Wait
for the data collection to complete, and then click Close.
Migration Data Gathering

The migration data gathering process collects
information about the source hierarchy
configuration and objects that you can migrate
from source sites.
The migration data gathering process starts after:
• You specify an active source hierarchy.
• You configure credentials for an additional

source site in an active source hierarchy.
• You share the distribution points for a source

site with Configuration Manager 2012.
The migration data gathering process then repeats on a simple schedule to maintain synchronization with
any changes to data in the source sites. By default, the process repeats every four hours. You can modify
the schedule for this cycle by editing the properties of the source site in the Configuration Manager
console. The initial data gathering process must review all objects in the Configuration Manager 2007
database. It may take longer to finish than subsequent data gathering processes that identify only
changes to the data.
To gather data, the Configuration Manager 2012 top-level site connects to the SMS Provider and to the
site database of the source site, and then retrieves a list of objects and distribution points.
You can use the Gather Data Now action in the Configuration Manager console to start the migration
data gathering process immediately and to reset the start time of the next cycle. Data gathering runs on
the configured schedule until you change the active source hierarchy or until you use the Stop Gathering
Data action to end the data gathering process for that site. You can use the Stop Gathering Data action to
end the data gathering process for a source site when you no longer want Configuration Manager 2012
to identify new or changed objects from that site.
Note: Regardless of where you configure the source hierarchy, the migration jobs,
including the initial data gathering, are run from the top-level site. In a multisite hierarchy, to
troubleshoot migration issues, review the migmctrl.log on the central administration site server.
Configuring Additional Source Sites

Source sites are sites in the active source hierarchy
that have data that you migrate to Configuration
Manager 2012. When you configure a source
hierarchy, you must specify the top-level site of
the hierarchy first, which is configured as the first
source site for that source hierarchy.
After Configuration Manager gathers the initial

data for the top-level site of the source hierarchy,
any child sites of that site are visible in the
Configuration Manager console. You must
configure the child sites as source sites to migrate
objects from those sites. You must specify
credentials for each additional source site for migration. When you configure additional source sites, you
must configure source sites from the top down, and configure the bottom-tier sites last.
You do not have to configure additional source sites before creating migration jobs. However, you can
only migrate data from source sites that you have configured, and the migration data gathering process
must have gathered data from these sites successfully.
To configure additional source sites in the active source hierarchy, perform the following procedure:
2. In the navigation pane, expand Migration, and then click Source Hierarchy.
3. In the results pane, click the site that you want to configure as a source site.
4. On the ribbon, in the Source Site group, click Configure Credentials.
5. In the Source Site Credentials dialog box, for the Source Site Access Accounts, specify accounts that
have Read permission to the SMS Provider and to the SQL Server database in the specified site, and
then click OK.
Configuring Distribution Point Sharing

You can share Configuration Manager 2007
distribution points with Configuration Manager
2012. This makes the content that is distributed
to Configuration Manager 2007 distribution
points immediately available to the clients in the
Configuration Manager 2012 hierarchy. By using
this approach, you can ensure that the same
content remains available for clients in both
hierarchies. You can maintain this content until
you stop gathering data and complete the
migration.
Distribution point sharing is a site-wide setting

that, when enabled, configures all eligible distribution points in a Configuration Manager 2007 primary
site and its secondary sites as shared distribution points. You cannot select individual distribution points to
share when you enable distribution point sharing.
Prerequisites
When planning for distribution point sharing, consider the following prerequisites:
• You must configure distribution points with a FQDN to be eligible for sharing.
• At least one Configuration Manager 2012 primary site or the central administration site must use the
same port numbers for client requests that the Configuration Manager 2007 site uses.
• Configuration Manager 2012 clients can receive content location information for packages that are
installed on shared distribution points in the Configuration Manager 2007 hierarchy, including branch
distribution points, distribution points on server shares, and standard distribution points.
• When you share a protected distribution point, Configuration Manager 2012 creates a boundary
group that includes the protected network locations of the Configuration Manager 2007 distribution
point.
• You need to ensure that the package version for packages that you migrate is the same in the source
hierarchy and in Configuration Manager 2012. Then Configuration Manager 2012 clients will be able
to retrieve the content from the shared distribution point.
• You cannot use shared distribution points to host packages for App-V. You must migrate and convert
the App-V packages for Configuration Manager 2012 clients.
Reassigning Shared Distribution Points

You can reassign shared distribution points in place to Configuration Manager 2012 distribution points,
thereby preserving their content. Distribution points can be one of the following:
• Stand-alone distribution points, which you can upgrade in place to Configuration Manager 2012
• Secondary site servers, which you can convert to stand-alone distribution points in Configuration
Manager 2012
When you no longer have to support clients in your Configuration Manager 2007 environment, you can
reassign a shared distribution point in your Configuration Manager 2012 hierarchy. When you reassign
the distribution points in place, you do not have to redeploy content to new distribution points.
To reassign a distribution point, the Configuration Manager 2007 site system server must meet the
following conditions:
• The Configuration Manager 2007 site system server must have only the distribution point role
assigned to it. You cannot upgrade a Configuration Manager 2007 distribution point that has any
additional site system roles.
• You must configure the Configuration Manager 2007 site system with an intranet FQDN.
• The site system server must have sufficient disk space to convert the content from the Configuration
Manager 2007 content storage format to the single instance store format. This requires available free
space equal to two times the existing data on the distribution point.
• The site system server must run an operating system version that Configuration Manager 2012
supports as a distribution point.
Note: Prior to System Center 2012 R2 Configuration Manager, distribution point

reassignment was referred to as upgrading. The Upgrade Distribution Point migration job is now
referred to as Reassign Distribution Point migration point.
Uninstalling Distribution Points

You can also choose to uninstall the existing distribution points from the Configuration Manager 2007
hierarchy and reuse the same hardware by installing the servers as distribution points in the Configuration
Manager 2012 hierarchy. In this case, you need to redeploy the content to the new distribution points.
Migrating Secondary Sites to Distribution Points

You can convert secondary sites in
Configuration Manager 2007 to distribution
points in Configuration Manager 2012. There
are several advantages to using a distribution
point instead of a secondary site. Configuration
Manager 2012 distribution points have more
features than their Configuration Manager 2007
counterparts, such as single instance store and
better management of data transfers. Unless you
need the management point functionality from
the Configuration Manager 2007 secondary site,
typically you will migrate your Configuration
Manager 2007 secondary sites to distribution points.
The conversion process is the same as the distribution point reassignment process, with the additional
step of uninstalling the secondary site.
The reassignment process first uninstalls the Configuration Manager 2007 secondary site, and then waits
until the next data gathering cycle to upgrade the distribution point in place to a Configuration Manager
2012 distribution point. If you use the default settings for the data gathering cycle, the wait time may be
up to four hours. This step ensures that the secondary site was uninstalled successfully before the
distribution point reassignment starts.
When converting a secondary site to a distribution point, consider the following restrictions:
• To be able to reassign, the secondary site must not have any Configuration Manager site system roles
assigned to the server, except for the management point.
• You must configure the Configuration Manager 2007 site system with an intranet FQDN.
• Any content that is present on the distribution point will be converted to a Configuration Manager
2012 single instance store. Because of this, you must ensure that available free space is equal to two
times the size of existing content on the distribution point. In Configuration Manager 2012 with SP1
and newer versions, the old content is removed once the migration is complete.
• Before reassigning a secondary site to a distribution point, ensure that you have upgraded all existing
remote distribution points at that site. After the secondary site is uninstalled during the distribution
point upgrade, the remaining remote distribution points will become orphan files and will not be
eligible for upgrade.
Lesson 4
Migrating Objects
To migrate objects from Configuration Manager 2007 sites to Configuration Manager 2012, you need to
create migration jobs. You can use these jobs to migrate collections and associated objects or to migrate
objects by type. You can choose to migrate objects that were migrated previously if they have changed
after migration to Configuration Manager 2012.
In this lesson, you will learn about the steps required to create migration jobs, review the migrated
objects, and use the migration reports.
Lesson Objectives
• Create migration jobs.

• Describe the steps used to migrate collections.
• Describe the steps used to migrate objects by object type.

• Review migrated objects in the console.
• Use the migration reports to validate the migration.
Migration Jobs
You must create migration jobs to migrate
objects from Configuration Manager 2007 sites
to Configuration Manager 2012. A migration job
lists the objects that are migrated and includes
migration settings. You can schedule migration
jobs to run at a specific time. You can create
migration jobs to perform the following types of
migrations:
• Collection migration
o With this type of migration, you can

migrate collections and objects that are
related to selected collections, such as
advertisements and software packages.
o By default, all objects associated with members of the collection are selected for migration. You
can deselect the objects that you do not want to migrate.
o You can exclude individual object instances from migration. You might do this because you want
to migrate them at a later time using object migration, for example.
• Object migration
o With this type of migration, you can select individual object types and object instances to
migrate.
o By default, object types and instances are not selected. You need to select the specific data that
you want to migrate.
• Objects modified after migration
o With this type of migration, you can remigrate any objects that were migrated previously, but
have since been updated in the source hierarchy.
Migrating Collections
You can migrate collection definitions and
associated objects, such as packages and
advertisements, from Configuration Manager
2007 to Configuration Manager 2012.
To migrate collections, use the Create Migration

Job Wizard and select the following options:
• General. Type a name for the migration job

and select the Collection migration option.
• Select Collections. Select individual collections
to migrate.
• Select Objects. Select packages,

advertisements, and other objects that are associated with collections to migrate.
• Content Ownership. Select the Configuration Manager 2012 site that will get the ownership for the
migrated object’s content.
• Security Scope. Associate the migrated objects with an existing security scope or create a new scope.
This helps limit the administrative permissions to the migrated objects.
• Collection Limiting. You can configure how collection limiting settings from Configuration Manager
2007 are translated to inclusion rules in Configuration Manager 2012.
• Site Code Replacement. On this page, you can configure site code replacement in the collection
queries. This is required if you have query rules that are based on the Configuration Manager site
code, because you are migrating to a new site with a new site code.
• Review Information. You can review the objects included in the migration job and information about
the migration of those objects.
• Settings. You can run the migration job immediately or schedule it for a later time. Also, you can:
o Configure whether previously migrated objects can be overwritten.

o Transfer the organization folder structure for objects to the destination site.
o Enable programs for deployments after advertisements are migrated.
Migrating Objects by Type

You can migrate objects of different types from
Configuration Manager 2007 to Configuration
Manager 2012, including:
• Boundaries
• Software distribution packages
• Virtual application packages
• Software update objects

• Operating system deployment objects
• Desired configuration management

configuration items
• Configuration baselines
• Asset Intelligence customizations
• Software metering rules

To migrate objects by type, use the Create Migration Job Wizard and select the following options:
• General. Type a name for the migration job and select the Object migration option.
• Select Objects. Select object types and individual objects to migrate.
• Content Ownership. Select the Configuration Manager 2012 site that will get the ownership for the
migrated objects’ content.
• Security Scope. Associate the migrated objects with an existing security scope or create a new scope.
This helps limit the administrative permissions to the migrated objects.
• Review Information. You can review the objects included in the migration job and information about
the migration of those objects.
• Settings. You can run the migration job immediately or schedule it for a later time. You can also
configure whether previously migrated objects can be overwritten, and whether to transfer the
organization folder structure for objects to the destination site.
Demonstration: Creating Migration Jobs

In this demonstration, you will see how to migrate collections and migrate objects by type.
Demonstration Steps
1. On LON-CFG, in the Configuration Manager console, click the Migration Jobs node.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the following
settings to configure the migration job:
o On the General page, configure the following options:
 Name: Collections and associated objects
 Description (optional): Migrate collections and associated objects
 In the Job type box, select Collection migration
o On the Select Collections page, select Adatum Servers (this also selects London Servers and
ConfigMgr Servers), and then verify that the Migrate objects that are associated with the
specified collections option is selected.
o On the Select Objects page:

 Select Software Distribution Deployments, and then clear the KB977384 check box.
 Select Software Distribution Packages, clear the KB977384 – Advanced Client Hotfix –
CM7 check box, and then click Next.
o On the Content Ownership page, set the Destination Site to S01 – Adatum Site.
o On the Security Scope page, select Default.

o Complete the wizard by choosing the default settings. Select the Run the migration job now
option so that the migration job will run automatically after the wizard completes.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, click
Refresh.
4. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the
following settings to configure the migration job:

 Name: Migrate objects by type
 Description (optional): Migration of specific objects
 In the Job type box, select Object migration
o On the Select Objects page, under Object types, select the following types of objects:
 Boundaries
 Configuration Baselines. In the Included Objects dialog box, confirm the inclusion of
configuration items.
 Asset Intelligence Catalog
o On the Content Ownership page, click Next.
o On the Security Scope page, select Default, and then click Next.
o Complete the wizard and choose the default settings. Select the Run the migration job now
option so that the migration job will run automatically after the wizard completes.
Refresh.
Reviewing Migrated Objects

You can review the progress of Configuration
Manager 2012 migration actions in the
Configuration Manager console, in the
Administration workspace, under the Migration
node. You can view summary information for
each migration job, including objects that have
and have not migrated, the number of objects
excluded from the migration, and details about
any migration problems.
To view the progress of object migration for a

migration job, select a migration job, and then in
the Objects in Job tab, select the objects for which
you want to view the summary information.
Migration actions are recorded in the migmctrl.log file in the <InstallationPath>\Logs folder on the site
server.
After you perform the migration, the administrator can review migrated objects and their properties, and
compare them with the objects in the source site.
Viewing Migration Reports

Configuration Manager 2012 includes several
reports that you can use to review migration jobs,
objects included in migration jobs, objects that
failed to migrate, collections that used collection
limiting, and Configuration Manager 2007 clients
excluded from the upgrade to Configuration
Manager 2012.
To view the migration reports, perform the
1. In the Configuration Manager console, click

the Monitoring workspace.
2. In the navigation pane, expand Reporting, expand Reports, and then click the Migration folder.
3. In the results pane, click Migration Job properties, and then on the ribbon, click Run.
4. After Migration Job Name, click Values.
5. Under Migration Job Name, click a migration job, and then click OK.
6. Click View Report.
7. Close the Migration Job properties window.
8. In the results pane, click Migration jobs, and then on the ribbon, click Run.
9. Close the Migration jobs window.

Migrating Clients
You can use any supported client deployment
method to migrate clients. When CCMSetup
detects a Configuration Manager 2007 client
on the target computer, it uninstalls the existing
client software and installs the new client software.
Before migrating the clients, you must ensure that

you have migrated all objects the clients will use
in the new environment, such as collections or
packages.
You can migrate clients in any order. However,

we recommend that you migrate them in phases
to limit the impact on network bandwidth. This
distributes the traffic associated with the client installation and initial inventory cycle across a longer
period.
The following information is retained on the client:
• The globally unique identifier (GUID). The GUID associates a client with its information in the
Configuration Manager database.
• The advertisement history. The advertisement history prevents clients from rerunning advertisements
unnecessarily.
The following information is not retained:

• The files in the client cache. If these files are necessary to install a package, the client downloads them
again from a distribution point.
• Information about any advertisements that have not yet run. If the advertisements have not run, they
are deleted. You must migrate or re-create the advertisements in the new Configuration Manager
2012 hierarchy.
• Inventory data. Clients perform an inventory cycle after upgrading, and then send the new data to the
management point.
• Compliance data. Clients evaluate compliance against the baselines assigned in the new environment,
and then send the compliance data to the management point.
Lesson 5
Upgrading Configuration Manager 2012 to Configuration
Manager 2012 with SP1 and then to System Center 2012
R2 Configuration Manager
You cannot upgrade Configuration Manager 2012 without a service pack directly to System Center 2012
R2 Configuration Manager. When performing an in-place upgrade of Configuration Manager 2012
without a service pack to System Center 2012 R2 Configuration Manager, you must first upgrade to
Configuration Manager 2012 with SP1.
In this lesson, you will learn the steps required to upgrade Configuration Manager 2012 without a service
pack to System Center 2012 R2 Configuration Manager.
Lesson Objectives
• Describe the requirements for upgrading to Configuration Manager 2012 with SP1.
• Describe the requirements for upgrading to System Center 2012 R2 Configuration Manager.
• Describe the upgrade considerations for Configuration Manager 2012.
• Configure automatic client upgrade.
Prerequisites for Upgrading to Configuration Manager 2012 with SP1

You must upgrade Configuration Manager
2012 to Configuration Manager 2012 with SP1
before upgrading further. When upgrading to
Configuration Manager 2012 with SP1 you must
upgrade the prerequisites first. When preparing to
upgrade to Configuration Manager 2012 with SP1,
you should review the following checklist, which
lists the configuration modifications necessary for
the upgrade.
Modification Description
Ensure the environment meets the Configuration Manager 2012 uses the Windows Automated
Configuration Manager 2012 with Installation Kit (Windows AIK) for operating system
SP1 prerequisites deployment. Configuration Manager 2012 with SP1 uses the
Windows Assessment and Deployment Kit 8 (Windows ADK
8). You must uninstall the Windows AIK and then install
Windows ADK 8.
Review the site hierarchy and resolve Before you perform the upgrade, ensure you resolve all
any issues operational issues.
Install all critical updates on the site Apply all updates and perform all necessary restarts before
server, database server, and any you start the installation.
remote site systems
Review requirements for add-ins or Before you upgrade, review the requirements for any add-ins
extensions used or extensions to avoid any compatibility problems.
Disable any database replicas that The Configuration Manager 2012 with SP1 upgrade will fail if
management points use at primary a management point on a primary site is using a replica
sites database.
Reconfigure any network load Software update points using NLB cannot be upgraded.
balancing (NLB) software update
points
Back up the site database Before upgrading, always back up the database in case you
need to perform a disaster recovery.
Disable all site maintenance tasks Tasks such as Backup Site Server can interrupt the upgrade
process and you need to stop them for the duration of the
upgrade.
Create a duplicate of any built-in Built-in collections in Configuration Manager 2012 with SP1
collections you modified are read-only and you cannot modify them.
Run the Prerequisite Checker The Configuration Manager 2012 with SP1 prerequisites are
different from Configuration Manager 2012. Running the
Prerequisite Checker allows you to find any missing
prerequisites.
Download the prerequisite and Use the Setup Downloader to download the additional files
redistributable files for Configuration used during setup. These include prerequisite redistributables,
Manager 2012 with SP1 language packs, and the latest product updates. Place them in
a location that is accessible during setup.
Plan for server and client language If you have previously installed support for additional
support languages, you may need to download the appropriate files
for the Configuration Manager 2012 with SP1 installation.
If you do not download the language files for an installed
language, the installation process will remove support for the
missing language files.
Plan for site system role The Prerequisite Checker does not check prerequisites for site
prerequisites system roles on the site server or remote system servers.
Review the site upgrade Review the automatic changes and manual changes required
considerations for the upgrade to be complete.
Test the database upgrade process Restore the site database to an additional computer running
SQL Server and verify that you can upgrade the database
without incident.
Restart all the servers in the Ensure that there are no pending processes before you begin
hierarchy the upgrade.
Install Configuration Manager 2012 Start at the top-level site. Once the top-level site is complete,
with SP1 upgrade any child sites.
Upgrade any stand-alone Before managing a Configuration Manager 2012 with SP1
Configuration Manager console site, you must upgrade a management console to
installations Configuration Manager with SP1.
Reconfigure any database replicas If you use database replicas for management points, you can
reconfigure them once the upgrade is complete.
Reconfigure any database Once the upgrade is complete, you can reconfigure the
maintenance tasks disabled maintenance tasks.
previously
Upgrade clients Although Configuration Manager 2012 with SP1 supports

client communications from lower level clients, you should
upgrade the clients as soon as possible. Systems using lower
level clients cannot take advantage of the new functionality.
Prerequisites for Upgrading to System Center 2012 R2 Configuration

Manager
After upgrading to Configuration Manager
2012 with SP1, you can upgrade to System
Center 2012 R2 Configuration Manager. The
process for upgrading to System Center 2012 R2
Configuration Manager is similar to the process
for upgrading to Configuration Manager 2012
with SP1. Before installing System Center 2012 R2
Configuration Manager, you should review the
following checklist.
Ensure you upgrade all the sites in You must upgrade to System Center 2012 R2 Configuration
the hierarchy to Configuration Manager from Configuration Manager 2012 with SP1.
Manager 2012 with SP1
Ensure that the environment meets System Center 2012 R2 Configuration Manager uses Windows
the System Center 2012 R2 ADK 8.1. You must uninstall the Windows ADK 8 and install
Configuration Manager prerequisites the Windows ADK 8.1.
Review the site hierarchy and resolve Before you perform the upgrade, ensure that you resolve all
any issues operational issues.
Install all critical updates on the site Apply all updates and perform all necessary restarts before
server, database server, and any you start the installation.
remote site systems
Review requirements for add-ins or Before you upgrade, review the requirements for any add-ins
extensions or extensions to avoid any compatibility problems.
Disable any database replicas that The Configuration Manager 2012 with SP1 upgrade will fail if
management points at primary sites a management point on a primary site is using a replica
are using database.
Reconfigure any NLB software You cannot upgrade software update points using NLB.
update points
Back up the site database Before upgrading, always back up the database in case you
need to perform a disaster recovery.
Disable all site maintenance tasks Tasks such as Backup Site Server can interrupt the upgrade
process and you must stop them for the duration of the
upgrade.
Create a duplicate of any built-in You cannot modify built-in collection in Configuration
collections you modified Manager 2012 with SP1.
Run the Prerequisite Checker The Configuration Manager 2012 with SP1 prerequisites are
different from Configuration Manager 2012. Running the
Prerequisite Checker allows you to find any missing
prerequisites.
Download the prerequisite and Use the Setup Downloader to download the additional files
redistributable files for System during setup. These include prerequisite redistributables,
Center 2012 R2 Configuration language packs, and the latest product updates. Place them
Manager in a location that is accessible during setup.
Prepare to upgrade secondary sites System Center 2012 R2 Configuration Manager secondary
sites use SQL Server 2012 Express Edition with cumulative
update package 2. When attempting to upgrade a secondary
site from an earlier version of SQL Server 2012 Express, the
upgrade will fail.
Plan for server and client language If you have previously installed support for additional
support languages, you may need to download the appropriate
files for the Configuration Manager 2012 with SP1 installation.
If you do not download the language files for an installed
language, the installation process will remove support for the
missing language files.
Plan for site system role The Prerequisite Checker does not check prerequisites for site
prerequisites system roles on the site server or remote system servers.
Review the site upgrade Review the automatic changes and manual changes required
considerations for the upgrade to be complete.
Test the database upgrade process Restore the site database to an additional computer running
SQL Server and verify that you can upgrade the database
without incident.
Restart all the servers in the Ensure that there are no pending processes before you begin
hierarchy the upgrade.
Install System Center 2012 R2 Start at the top-level site. Once the top-level site is complete,
Configuration Manager upgrade any child sites.
Upgrade any stand-alone Before managing a Configuration Manager 2012 with SP1
Configuration Manager console site, you must upgrade a management console to
installation Configuration Manager 2012 with SP1.
Reconfigure any database replicas If you use database replicas for management points, you can
reconfigure them once the upgrade is complete.
Reconfigure any database Once the upgrade is complete, you can reconfigure
maintenance tasks you disabled maintenance tasks.
previously
Upgrade clients While Configuration Manager 2012 with SP1 supports client
communications from lower level clients, you should upgrade
the clients as soon as possible. Systems using lower level
clients cannot take advantage of the new functionality.
Considerations for Upgrading to System Center 2012 R2 Configuration

Manager
When planning to upgrade a Configuration
Manager 2012 site to System Center 2012 R2
Configuration Manager, you must keep in mind
certain considerations. You cannot upgrade
directly from Configuration Manager 2012
without a service pack to System Center 2012 R2
Configuration Manager. You must first upgrade
to Configuration Manager 2012 with SP1.
When upgrading to Configuration Manager 2012
with SP1, consider the following actions:
• Automatic actions. When you apply a service

pack to Configuration Manager 2012, several
actions will occur automatically:
o A site reset will reinstall all site system roles automatically.

o When upgrading the top-level site, the client installation package will be updated on each
distribution point in the hierarchy. Additionally, the default boot images are upgraded to the
Windows® 8 version of Windows Preinstallation Environment (Windows PE).
o The client upgrade package will be updated on each primary site.
• Manual actions. Once the site upgrade is complete, you must complete the following steps manually:
o Upgrade the clients to the latest client software.

o Upgrade each Configuration Manager console installation.
o Reconfigure database replicas that were used for management points.
• Other considerations. When upgrading a site to Configuration Manager 2012 with SP1, several
settings are reset to their default values:
o Software settings. Work information business hours are reset to 5:00 AM to 10:00 PM Monday
through Friday. Computer maintenance is set to Suspend Software Center activities when my
computer is in presentation mode. Remote Control is set to the value in the applicable client
settings.
o Custom summarization schedules for software updates are reset to the default value of one hour.
When upgrading from Configuration Manager 2012 with SP1 to System Center 2012 R2 Configuration
Manager, the considerations are identical, with the following exception:
• Automatic actions. The default boot images are upgraded to Windows PE 5.0, which is capable of
deploying Windows 8.1 and Windows Server 2012 R2. Windows PE 5.0 is backward compatible with
Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012. Windows PE 5.0 cannot
deploy Windows Server 2008, Windows Vista®, or older operating systems.
Automatically Upgrading the Configuration Manager Client

You can configure the Configuration Manager
2012 client to upgrade to the latest version of the
client automatically. Two examples of scenarios
when you would enable automatic upgrade are:
• After you upgrade the site to a new version
• After you install a new language pack
Configuration Manager 2012 creates an upgrade

package by default and distributes it to all
distribution points automatically. If you modify
the client package at the central administration
site, such as by adding a new language pack,
Configuration Manager automatically updates and distributes the client upgrade package. If you enable
automatic client upgrade, Configuration Manager will attempt to upgrade every client.
Note: Configuration Manager does not upgrade cloud-based distribution points

automatically.
To configure a Configuration Manager 2012 site automatic client upgrade, follow this procedure:
• On the Home tab, click Hierarchy Settings, and then click the Client Installation Settings tab.
Note that in Configuration Manager 2012 with SP1 and later versions, the Client Installation Settings
tab has been renamed Automatic Client Upgrade.
The availability of automatic upgrade options depends on the version of Configuration Manager 2012, as
illustrated in the following table.
Option Notes
Upgrade client automatically when new client You must select this check box to enable the
updates are available automatic client upgrade.
Allow clients to use a fallback source location for This setting was removed in Configuration
content Manager 2012 with SP1.
Do not run program when a client is within a This setting was removed in Configuration
slow or unreliable network boundary or when Manager 2012 with SP1.
the client uses a fallback source location for
content
Automatically upgrade clients within days Specifies the number of days, from the time the
client receives the policy, within which the client
will attempt to upgrade. To prevent network
saturation, the client will attempt the upgrade at a
random time interval within the number of days
specified.
Automatically upgrade clients that are this This setting was removed in Configuration
version or earlier Manager 2012 with SP1.
Automatically distribute client installation This is a new setting in Configuration Manager

package to distribution points that are enabled 2012 with SP1.
for prestaged content
Demonstration: Configuring Client Upgrades

In this demonstration, you will see how to configure automatic client upgrades.
Demonstration Steps
1. On LON-CFG, in the Configuration Manager console, in the Site Configuration folder, click the Sites
node.
2. On the ribbon, click Hierarchy Settings. The Site Settings Properties dialog box is displayed.
3. On the Automatic Client Upgrade tab, select the Upgrade client automatically when new client
updates are available check box.
4. Accept the changes.

Lab: Migrating from System Center Configuration

Manager 2007 to System Center 2012 Configuration
Manager
Scenario
You are the network administrator for the A Datum Corporation. A. Datum has Configuration Manager
2007 and System Center 2012 Configuration Manager deployed as stand-alone primary sites.
You need to perform the migration of Configuration Manager objects by:

1. Configuring the source hierarchy.
2. Creating a migration job and performing migration.
Objectives
• Configure a source hierarchy.

• Migrate a Configuration Manager 2007 SP2 site to System Center 2012 R2 Configuration Manager.
Lab Setup
Virtual machines 10748C-LON- DC1-C

10748C-LON-CM7-C
10748C-LON-SVR1-C
10748C-LON-CAS-C
10748C-LON-CFG-C
Password Pa$$w0rd

2. In Hyper-V® Manager, click 10748C-LON-DC1-C, and in the Actions pane, click Start.
o Domain: Adatum
5. Repeat steps two through four for 10748C-LON-CM7-C, 10748C-LON-SVR1-C,

10748C-LON-CAS-C, and 10748C-LON-CFG-C. For LON-CM7, wait until the virtual machine starts
and you sign in before starting the rest of the virtual machines. This is so that all services start as
expected and do not time out.
Exercise 1: Configuring the Source Hierarchy

Scenario
You must examine the source hierarchy and review the objects that you will migrate. Then you will
configure the source hierarchy by specifying the name of the site server and credentials to connect
to the SMS Provider and site database. Because you will be migrating content, you must prepare the
Configuration Manager 2007 servers to allow the Configuration Manager 2012 site server to access the
content source shares.

1. Review the objects that must be migrated (Optional).
2. Prepare permissions on LON-CM7 and LON-SRV1.
3. Configure the source hierarchy.
 Task 1: Review the objects that must be migrated (Optional)

1. On LON-CM7, start the Configuration Manager console.
2. In the Configuration Manager console, under Site Database, click the Site Management node, and
verify that the version of the site is 4.00.6487.2000, which means the site is running Configuration
Manager 2007 Service Pack 2.
3. Under Site Database, expand Site Management, expand CM7-London Configuration Manager
2007, expand Site Settings, click the Boundaries node, and then review the Properties of the
existing IP subnet boundary.
4. Under Site Database, under Site Management, under CM7-London Configuration Manager
2007, expand FHM - Fulham Secondary Site, expand Site Settings, expand Site Systems, click
\\LON-SVR1, and then verify the roles for LON-SVR1.
5. Under Computer Management, expand Collections, and then access the Properties of the Adatum
Servers collection.
6. In the Adatum Servers Properties dialog box, under Membership Rules, observe that there are no
membership rules defined.
Note: The Adatum Servers collection does not have any members and serves as a container
for the other two collections.
7. Under Adatum Servers, access the Properties of the London Servers collection.
8. Review the Membership rules for the London Servers collection, and then examine the query used
to determine the membership of the collection.
Note: The London Servers collection uses a query rule to include all computers with a name
starting with LON.
9. Under Adatum Servers, access the Properties of the ConfigMgr Servers collection.
10. Review the Membership rules for the ConfigMgr Servers collection, and then observe the direct
membership rule created for LON-CM7.
Note: The ConfigMgr Servers collection uses a direct membership rule to include
LON-CM7 as a member.
11. Under Software Distribution, click the Packages node.
12. Access the Properties of the Microsoft Corporation Microsoft Office Word Viewer 2003 package,
and then review its settings, including the distribution points to which it is distributed. Note that this
is a Windows Installer package.
13. Access the Properties of the Excel Viewer 1 package, and then review its settings, including the
distribution points to which it is distributed. Note that this is an App-V package.
14. Under the Advertisements node, review the existing advertisements.
15. Under Asset Intelligence, expand Customize Catalog, click the Software Categories node, and
then review the Adatum Software custom category.
16. Under the Software Families node, review the Adatum LOB Applications custom family.
17. Under the Custom Labels node, review the Adatum Application custom label.
18. Under Desired Configuration Management, click the Configuration Items node.
19. Access the Properties of the Windows Firewall Enabled configuration item, review the
properties, and then at the Settings tab, review the settings of the configuration item. Note that this
configuration item is using a WMI query language (WQL) query to check the status of the Windows
Firewall.
20. Under the Configuration Baselines node, access the Properties of the Adatum Security Policy
Validation baseline, and then review the settings.
 Task 2: Prepare permissions on LON-CM7 and LON-SRV1

1. Add LON-CAS and LON-CFG to the Administrators group on LON-CM7.
2. On LON-CM7, start the Configuration Manager console, if it is not already started.

3. Under Site Database, under Site Management, under CM7-London Configuration Manager
2007, expand FHM - Fulham Secondary Site, expand Site Settings, expand Site Systems, click
\\LON-SVR1, and then open the properties for the ConfigMgr site system role. Configure
LON-SVR1 with an intranet FQDN of LON-SVR1.Adatum.com.
4. Add LON-CAS and LON-CFG to the Administrators group on LON-SVR1.
 Task 3: Configure the source hierarchy

2. In the Configuration Manager console, in the Administration workspace, under the Migration node,
click the Source Hierarchy node, and then on the ribbon, click Specify Source Hierarchy.
3. In the Specify Source Hierarchy dialog box, use the following settings to configure the source
hierarchy:
o In the Top-level Configuration Manager site server box, type LON-CM7.Adatum.com.
o Under Specify the Source Site Account to use to access the SMS Provider for the source site
server. This account requires Read permissions to all source site objects, verify that User
Account is selected, and then use Set to configure a new account with the following information:
 In the User name box, type Adatum\Administrator.
 In the Password and Confirm password boxes, type Pa$$w0rd.
 Use Verify and Test connection to validate the credentials and connection to the source
site.
o Under Specify the Source Site Database Account to use to access the SQL Server for the
source site server. This account requires Read and Execute permissions to the source site
database, verify that Use the same account as the Source Site SMS Provider Account is
selected.
o Select the Enable distribution-point sharing for the source site server check box.
4. After you have configured the source hierarchy, the Data Gathering Status process will start. Wait
for the data collection to complete, and then click Close.
5. On the ribbon, click Refresh, and then on the Shared Distribution Points tab, verify that
LON-CM7.ADATUM.COM and LON-SVR1.ADATUM.COM appear.
Note: By configuring the Shared Distribution Points option, both the Configuration
Manager 2007 clients and Configuration Manager 2012 clients will have access to the packages
during migration.
Results: At the end of this exercise, you should have reviewed the configuration of the Microsoft® System
Center Configuration Manager 2007 site and configured the source hierarchy in Configuration Manager
2012.
Exercise 2: Creating a Migration Job and Performing Migration

Scenario
You must create a collection migration job to migrate custom collections and associated advertisements
and packages. Then you will create another migration job and migrate objects by type. You will validate
the successful migration by running the migration reports.
1. Create a collection migration job.

2. Review migrated objects.
3. Migrate objects by type.

5. View migration reports.
 Task 1: Create a collection migration job

1. On LON-CFG, in the Configuration Manager console, click the Migration Jobs node.

 Name: Collections and associated objects
 Description (optional): Migrate collections and associated objects
 In the Job type box, select Collection migration
o On the Select Collections page, select Adatum Servers (this also selects London Servers and
ConfigMgr Servers), and then verify that the Migrate objects that are associated with the
specified collections option is selected.
o On the Select Objects page:

 Select Software Distribution Deployments, and then clear the KB977384 check box.
 Select Software Distribution Packages, and then clear the KB977384 – Advanced Client
Hotfix – CM7 check box.
 Select Virtual Application Packages, verify that Excel Viewer is selected, and then click
Next.
o On the Content Ownership page, set the Destination Site to S01 – Adatum Site.
o On the Security Scope page, select Default.

o Continue the wizard and choose the default settings, and then on the Settings page, select the
Run the migration job now option.
Refresh.
 Task 2: Review migrated objects

1. In the Configuration Manager console, click the Collections and associated objects migration job,
and then review the objects included in the migration job.
2. Close and then reopen the Configuration Manager console.
3. In the Assets and Compliance workspace, under Device Collections, open the Adatum Servers
folder, and then observe the migrated ConfigMgr Servers and London Servers collections. If you do
not see the Adatum Servers folder, click the Overview node, and then press F5 on your keyboard to
refresh the navigation pane.
4. Access the Properties of the London Servers collection, and then review the Membership rules.
5. In the Software Library workspace, under Application Management, click the Packages node.
6. Click the migrated Microsoft Office Word Viewer 2003 package, and then in the preview pane,
review the information in the Deployments tab.
7. Under the Applications node, click the migrated Excel Viewer virtual application package, and then
in the preview pane, review the information in the Deployment Types tab.
 Task 3: Migrate objects by type

1. In the Configuration Manager console, in the Administration workspace, under Migration node,
click the Migration Jobs node.

 Name: Migrate objects by type
 Description (optional): Migration of specific objects
 In the Job type box, select Object migration
o On the Select Objects page, under Object types, select the following types of objects:
 Boundaries
 Configuration Baselines. In the Included Objects dialog box, confirm the inclusion of
configuration items.
 Asset Intelligence Catalog
o On the Content Ownership page, use the default settings.
o On the Security Scope page, select Default, and then continue through the wizard.
o Continue the wizard by choosing the default settings, and then on the Settings page, select the
Run the migration job now option.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, select the
Migrate objects by type object, and then click Refresh.

1. In the Configuration Manager console, in the Assets and Compliance workspace, under the Asset
Intelligence node, click the Catalog node, and then review the User Defined objects.
2. Under the Compliance Settings node, click the Configuration Items node, and then review the
migrated configuration items.
3. Click the Configuration Baselines node, and then review the migrated baseline.
4. In the Administration workspace, under the Hierarchy Configuration node, click the Boundaries
node, and then review the migrated boundary.
5. Click the Boundary Groups node, and then review the boundary groups created for the
Configuration Manager 2007 site and for the distribution points.
 Task 5: View migration reports

1. In the Configuration Manager console, in the Monitoring workspace, under the Reporting node,
expand the Reports node.
2. Click the Migration folder.
3. From the results pane, run the Migration Job properties report.
4. In the report window, select the first migration job as a parameter, and then click View Report.
Review the results, and then close the report window.
6. In the results pane, run the Migration jobs report. Review the results, and then close the report
window.
Results: At the end of this exercise, you should have created migration jobs, performed object migration,
and viewed the migration reports.
Exercise 3: Migrate a Secondary Site to a Distribution Point

Scenario
You must create a distribution point migration job to migrate the LON-SVR Configuration Manager 2007
secondary site and its associated content. You will validate the successful migration by verifying that the
content is still present.

1. Reassign a secondary site as a distribution point.
3. Decommission the source hierarchy.

4. To prepare for the course finish.
 Task 1: Reassign a secondary site as a distribution point

1. On LON-CFG, in the Configuration Manager console, navigate to the Administration workspace,
Migration folder, Distribution Point Migration node.
2. On the ribbon, click Reassign Distribution Point. The Reassign Shared Distribution Point Wizard
starts. Use the following settings to configure the migration job. Use the default settings for the pages
that are not listed below:

 Name: LON-SVR1.ADATUM.COM
 Site code: S01 – Adatum Site
o On the Distribution point page, select the Install and configure IIS if required by
Configuration Manager check box.
o On the Boundary Groups page, add the CM7 (London Configuration Manager 2007)
boundary.
3. Once the Reassign Shared Distribution Point Wizard completes, monitor the status until the status
changes to Pending on secondary site uninstallation. To update the results pane, press F5.
4. Open the \\LON-SVR1\C$\ConfigMgrSetup.log in the Configuration Manager Trace Log tool.

5. Monitor the ConfigMgrSetup.log until the Completed the deinstall of the ConfigMgr site
message appears.
Note: The uninstallation of the secondary site should take about five minutes.
6. Close the Configuration Manager Trace Log tool.
7. Start a data gathering process on the CM7 source hierarchy.

8. Once the process is complete, click the Distribution Point Migration node and monitor the status of
the LON-SVR1.Adatum.com distribution point migration. Once the process completes, the status
Completed reassign distribution point appears. Click Refresh as necessary.
Note: The distribution point installation should take about five minutes.

1. In the Distribution Points node, verify that the CM7 (London Configuration Manager 2007)
boundary was added to LON_SVR1.ADATUM.COM.
2. In the Monitoring workspace, verify that the Excel Viewer application is distributed to
LON_SVR1.ADATUM.COM.
 Task 3: Decommission the source hierarchy

1. In the Configuration Manager console, in the Administration workspace, expand the Migration
node, and then click the Source Hierarchy node.
2. In the results pane, click CM7, and then on the ribbon, click Stop Gathering Data. Click Yes in the
Configuration Manager dialog box.
3. In the results pane, verify that CM7 has the status Have not gathered data, and then on the ribbon,
click Clean Up Migration Data.
4. In the Clean Up Migration Data dialog box, verify that CM7 (LON-CM7.Adatum.com) appears in
the Source hierarchy box, and then click OK. Click Yes in the Configuration Manager dialog box.
5. In the results pane, note that the source hierarchy has been removed.
 Task 4: To prepare for the course finish

following steps:

4. Repeat steps 2 and 3 for 10748C-LON-CAS-C, 10748C-LON-CFG-C, 10748C-LON-CM7-C, and
10748C-LON-SVR1-C.
Results: At the end of this exercise, you will have reassigned a secondary site.
Question: How do you configure the source hierarchy?

Question: How can you migrate collections?
Question: How can you migrate desired configuration management objects?


Review Questions
Question: What are the restrictions for migrating collections?
Question: Why would you need to consolidate primary sites?
Question: What are the restrictions for site codes during migration?
Question: What additional configurations do you need to perform when migrating objects
related to software updates?
Course Evaluation
Your evaluation of this course will help Microsoft
understand the quality of your learning
experience.
Please work with your training provider to access
the course evaluation form.
Microsoft will keep your answers to this survey

private and confidential and will use your
responses to improve your future learning
experience. Your open and honest feedback is
valuable and appreciated.
L2-1
Module 2: Planning and Deploying a Stand-Alone Primary

Site
Lab A: Installing a Configuration Manager
Primary Site
Exercise 1: Configuring the Prerequisites for Configuration Manager 2012
Deployment
 Task 1: Start Server Manager
1. On 10748C-LON-CFG-A, from the task bar, click Server Manager.
2. In the navigation pane of the Server Manager console, click Local Server.
 Task 2: Verify the installation of the Web Server (IIS) role

• In the Server Manager console, scroll to the Roles and Features section, and verify that the Web
Server (IIS) role is installed.
 Task 3: Verify the required features

1. In the Server Manager console, scroll to the Roles and Features section, and verify that the Remote
Differential Compression and Background Intelligent Transfer Service (BITS) features are
installed.
2. Close the Server Manager console.
 Task 4: Verify that Windows ADK for Windows 8.1 is installed

1. From the task bar, click File Explorer, and then navigate to C:\Program Files (x86)\Windows Kits
\8.1\Assessment and Deployment Kit.
2. Verify the following have been installed:
o Deployment Tools
o Windows Preinstallation Environment
o User State Migration Tool
3. Close File Explorer.
Results: After this exercise, you should have validated the prerequisites for installing System Center 2012
Exercise 2: Extending the Active Directory Schema

 Task 1: Run EXTADSCH on the domain controller
1. On LON-DC1, open File Explorer, navigate to the \\LON-CFG\E$\ConfigMgr2012R2
\SMSSETUP\BIN\X64 folder, and then locate extadsch.exe.
2. Double-click extadsch.exe.
L2-2 Planning and Deploying a Stand-Alone Primary Site
3. Browse to the drive C, open the ExtADSch.log file created in the root of drive C, and then verify the
success of the operation by observing the classes and attributes added to AD DS and the message
that confirms the schema’s successful extension.
4. Close Notepad and the Local Disk (C:) window.
 Task 2: Create a System Management container by using ADSI Edit

1. On LON-DC1, from the Start screen, type Run, and then press Enter.
2. In the Run dialog box, type adsiedit.msc, and then click OK.
3. In the ADSI Edit console, right-click ADSI Edit, and then click Connect to.
4. In the Connection Settings dialog box, accept the defaults, and then click OK.
5. In the ADSI Edit console tree, expand Default naming context [LON-DC1.Adatum.com], expand
the DC=Adatum,DC=Com container, right-click the CN=System container, click New, and then click
Object.
6. In the Create Object page, select container, and then click Next.
7. In the Create Object page, in the Value text box, type System Management, click Next, and then
click Finish.
8. In the ADSI Edit console, click the CN=System container, verify that CN=System Management
container appears in the results pane, and then close the console.
 Task 3: Assign Full Control permissions to the site server for the System Management
container
1. On LON-DC1, from the Start screen, click Administrative Tools, and then double-click Active
Directory Users and Computers.
2. In the Active Directory Users and Computers console, from the View menu, select Advanced
Features.
3. In the navigation pane, expand Adatum.com, expand the System container, right-click the System
Management container, and then select Properties.
4. In the System Management Properties dialog box, select the Security tab, and then click Add.
5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select Computers, and then click OK.
7. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select text box, type LON-CFG, click Check Names, and then click OK.
8. In the System Management Properties dialog box, select LON-CFG (Adatum\LON-CFG$), and in
the Allow column, select the Full Control permission check box (all checkboxes are selected). Click
Advanced.
9. In the Advanced Security Settings for System Management dialog box, select
LON-CFG (Adatum\LON-CFG$) from the permission entry list, and then click Edit.
10. In the Permission Entry for System Management dialog box, in the Apply to drop-down list, select
This object and all descendant objects, and then click OK.
11. In the Advanced Security Settings for System Management dialog box, click OK.
12. In the System Management Properties dialog box, click OK.

Planning and Deploying System Center 2012 Configuration Manager L2-3
Note: After installation, the Configuration Manager 2012 site server publishes information
in this container. This enables clients to determine their assigned site and locate their
management point.
Results: At the end of this exercise, you should have extended the Active Directory schema, created the
System Management container, and assigned permissions to the Configuration Manager server.
Exercise 3: Installing a Configuration Manager 2012 Stand-Alone Primary

Site
 Task 1: Run the setup for Configuration Manager 2012
1. On LON-CFG, from the task bar, click File Explorer, and then navigate to the E:\ConfigMgr2012R2\
folder.
2. Double-click splash.hta, and then click Microsoft (R) HTML Application host.
 Task 2: Install a Configuration Manager 2012 stand-alone primary site

1. On the System Center 2012 R2 Configuration Manager Setup window, click Install.
2. The Microsoft System Center 2012 Configuration Manager Setup Wizard starts. On the Before You
Begin page, click Next.
3. On the Getting Started page, under Available Setup Options, select Install a Configuration
Manager primary site, and then click Next.
4. On the Product Key page, select Install the evaluation edition of this product, and then click
Next.
5. On the Microsoft Software License Terms page, select the I accept these license terms check box,
6. On the Prerequisite Licenses page, under Microsoft SQL Server 2012 Express, select I accept
these License Terms, and then under Microsoft SQL Server 2012 Native Client, select I accept
these License Terms. Under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight, and then click Next.
7. On the Prerequisite Downloads page, select Use previously downloaded files, and then click
Browse.
8. In the Browse For Folder dialog box, select the E:\ConfigMgr2012R2\Redist folder, and then
click OK.
9. On the Prerequisite Downloads page, click Next.

10. In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite validation to
finish.
11. On the Server Language Selection page, click Next.
12. On the Client Language Selection page, click Next.

13. On the Site and Installation Settings page, type the following information, and then click Next:
o Site code: LON
o Site name: Adatum Site
o Install the Configuration Manager console check box: selected
14. On the Primary Site Installation page, select Install the primary site as a stand-alone site, and
then click Next.
15. In the Configuration Manager dialog box, click Yes.
16. On the Database Information page, verify that the SQL Server® name is LON-CFG.Adatum.com
and the database name is CM_LON, and then click Next twice.
17. On the SMS Provider Settings page, verify that the server name is LON-CFG.Adatum.com, and
then click Next.
18. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role, and then click Next.
19. On the Site System Roles page, verify that the Install a management point and Install a
distribution point check boxes are selected, verify that that LON-CFG.Adatum.com appears in both
FDQN text boxes, and then click Next.
20. On the Customer Experience Improvement Program Configuration page, select I don’t want to
join the program at this time, and then click Next.
21. On the Settings Summary page, review your selected settings, and then click Next.
22. On the Prerequisite Check page, wait until Prerequisite Check validates the server readiness to host
the selected roles, and then click Begin Install.
Note: The installation may take up to 30 minutes.
23. In the Install window, wait for the installation to finish, and then click Close.
24. In the System Center 2012 Configuration Manager Setup screen, click Exit.
25. Close all open windows on LON-CFG.

• When you finish the lab, leave the virtual machines running.
Results: At the end of this exercise, you should have installed System Center 2012 Configuration Manager
in a stand-alone primary site.
Lab B: Performing Post-Setup Configuration

Tasks
Exercise 1: Validating the Installation of the Primary Site
 Task 1: View the Site Status and Component Status
1. On LON-CFG, on the Start screen, click the down arrow, and then click Configuration Manager
Console.
2. In the Configuration Manager console, click the Monitoring workspace.
3. In the navigation pane, expand System Status, and then click Site Status.
4. View the status of each site system.
5. In the navigation pane, click Component Status.
6. View the status of each component.
 Task 2: View the status messages that pertain to the Configuration Manager 2012
installation
1. In the navigation pane, click Site Status.
2. In the results pane, select Site server.
3. On the ribbon, click the Show Messages button, and then click All.
4. In the Status Messages: Set Viewing Period dialog box, verify that in the Select date and time
drop-down list, 1 day ago is selected, and then click OK. The Configuration Manager Status
Message Viewer for <LON> <Adatum Site> dialog box opens.
5. Double-click on any message, and then in the Status Message Details dialog box that appears,
review the details of the status message. Use the Next and Previous buttons to view additional status
messages.
6. Click OK to close the Status Message Details dialog box.


1. Open File Explorer, and then navigate to drive C.
2. In the root folder, double-click the ConfigMgrPrereq.log file. Review the file, and then note any
errors or warnings reported by Prerequisite Checker.
3. Close the log file.
4. In the root folder, double-click the ConfigMgrSetup.log file. Review the file, and then note any
errors or warnings reported by Setup.
5. Close the log file, and then close File Explorer.
Note: The root folder also stores the ConfigMgrSetupWizard.log. If you installed the
console, you should see ConfigMgrAdminUISetup.log.
Results: At the end of this exercise, you will have validated the installation of System Center 2012
Exercise 2: Performing the Initial Configuration of the Primary Site

 Task 1: Configure the London Active Directory site
1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Sites and Services.
2. In the Active Directory Sites and Services console tree, expand the Sites folder, and then select
Default-First-Site-Name.
3. Right-click Default-First-Site-Name, and then click Rename.
4. Type London, and then press Enter.
5. In the Active Directory Sites and Services console tree, expand Sites, right-click the Subnets folder,
and then select New Subnet.
6. In the New Object – Subnet dialog box, in the Prefix text box, type 172.16.0.0/16.
7. In the Select a site object for this prefix list, select the London site, and then click OK.
 Task 2: Configure Active Directory Forest Discovery to create a new boundary from
the Active Directory site
1. On LON-CFG, in the Configuration Manager console, select the Administration workspace.
2. In the navigation pane, expand Hierarchy Configuration, and then select Discovery Methods.
3. In the results pane, select the Active Directory Forest Discovery, and then on the ribbon, click
Properties.
4. In the Active Directory Forest Discovery Properties dialog box, select Enable Active Directory
Forest Discovery, select the Automatically create Active Directory site boundaries when they
are discovered check box, and then click OK.
5. In the Configuration Manager dialog box, to initiate full discovery, click Yes.
6. In the navigation pane, click Active Directory Forests.

7. In the results pane, select Adatum.com, and then on the ribbon, click Properties.
8. In the Adatum.com Properties dialog box, review the settings, and then click the Publishing tab.
9. On the Publishing tab, review the settings, and then click Cancel.
10. In the navigation pane, click Boundaries. Refresh the console.
11. In the results pane, select London, and then on the ribbon, click Properties.
12. In the London Properties dialog box, review the settings, and then click Cancel.
 Task 3: Configure a boundary group, and include the new boundary

1. In the navigation pane, click Boundary Groups.
2. On the ribbon, click Create Boundary Group.
3. In the Create Boundary Group dialog box, on the General tab, in the Name text box, type London
Clients, and then click Add.
4. In the Add Boundaries dialog box, select the London boundary, and then click OK.
5. In the Create Boundary Group dialog box, click the References tab, and then select the Use this
boundary group for site assignment check box.
6. Under the Site system servers section, click Add.

7. In the Add Site Systems dialog box, select the \\LON-CFG.Adatum.com check box, and then
click OK.
8. In the Create Boundary Group dialog box, click OK.
 Task 4: Install additional site system roles: the Fallback Status Point and Reporting
Services Point
1. In the Configuration Manager console, in the navigation pane, expand Site Configuration, and then
click Servers and Site System Roles.
2. In the results pane, select \\LON-CFG.Adatum.com, and on the ribbon, select the Home tab, and
then click Add Site System Roles.
3. The Add Site System Roles Wizard starts. On the General page, verify that the Name for the site
server is LON-CFG.Adatum.com, and then click Next.
4. On the Proxy page, click Next.
5. On the System Role Selection page, select Fallback status point and Reporting services point,
6. On the Fallback Status Point page, review the settings, and then click Next.
7. On the Reporting Services Point page, verify that the Site database server name is
LON-CFG.Adatum.com and the Database name is CM_LON, and then click Verify. Wait for the
message Successfully verified to appear.
8. Click the Set button next to User name, and then click New Account.
9. In the Windows User Account dialog box, specify the following credentials, and then click OK:
o User name: ADATUM\Administrator
o Confirm password: Pa$$w0rd

10. On the Reporting Services Point page, click Next.
11. On the Summary page, review the settings, and then click Next.
12. On the Completion page, click Close.
 Task 5: Configure the management and distribution points

1. In the Configuration Manager console, in the results pane, select \\LON-CFG.Adatum.com.
2. In the preview pane, right-click the Management point, and then click Properties.
3. In the Management point Properties dialog box, review the settings, select the Generate alert
when the management point is not healthy check box, and then click OK.
4. In the preview pane, right-click the Distribution point, and then click Properties.
5. In the Distribution point Properties dialog box, review the settings on each of the following tabs:
o General
o PXE
o Multicast
o Content Validation
6. In the Distribution point Properties window, click the Boundary Groups tab, verify that the London
Clients boundary group you have created previously appears in the list, and then click Cancel.

following steps:

2. In the Virtual Machines list, right-click 10748C-LON-DC1-A, and then click Revert.

4. Repeat steps 2 and 3 for 10748C-LON-CFG-A.
Results: At the end of this exercise, you will have performed the initial configuration of a System Center
2012 Configuration Manager stand-alone primary site.
L3-9
Module 3: Planning and Configuring Role-Based

Administration
Lab: Planning and Configuring Role-Based
Administration
Exercise 1: Reviewing Built-in Security Roles and Scopes
 Task 1: Review the default security roles and scopes
1. On LON-CFG, click Configuration Manager Console on the taskbar.

3. In the navigation pane, expand the Security node, and then click Security Roles.
4. Review the list of roles available in the results pane. Note that there are 15 built-in roles.
5. In the navigation pane, click Security Scopes.

6. Review the list of scopes available in the results pane. Note there are two built-in scopes: All and
Default.
7. In the navigation pane, click Administrative Users.
8. In the results pane, select ADATUM\Administrator, and then review the information in the preview
pane. By default, the user who performed the Microsoft® System Center 2012 R2 Configuration
Manager setup is assigned the Full Administrator role, the All security scope, and the All Systems
and All Users and User Groups collections.
 Task 2: Review the default permissions for a security role

1. In the Configuration Manager console, in the navigation pane, click the Security Roles node.
2. In the results pane, select Application Administrator, and then, on the ribbon, click Properties.
3. In the Application Administrator Properties dialog box, on the General tab, examine the role
description.
4. Click the Administrative Users tab, and then note that there are no users associated with this role.
Additionally, note that you cannot add users from this property window.
5. Click the Permissions tab, and then examine the permissions associated with this role. Expand each
category, and then review the individual permissions. Note that you cannot modify the permissions
for built-in roles.
6. Click Cancel to close the Application Administrator Properties dialog box.
Results: By the end of this exercise, you should have reviewed the built-in roles, including their associated
permissions, and the built-in security scopes.
L3-10 Planning and Configuring Role-Based Administration
Exercise 2: Creating Custom Security Roles and Scopes

 Task 1: Create a new user and group for application administrators, and then add the
user to the group
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, expand Adatum.com, right-click the Users
container, point to New, and then select User.
3. In the New Object – User dialog box, in both the First name and User logon name text boxes, type
LondonAdmin, and then click Next.
4. In the New Object – User dialog box, in both the Password and Confirm password text boxes, type
Pa$$w0rd, clear the User must change password at next logon check box, and then click Next.
5. In the New Object – User dialog box, click Finish.
6. In the Active Directory Users and Computers console, right-click the Users container, point to New,
and then click Group.
7. In the New Object – Group dialog box, in the Group name text box, type London Application
Admins as the group name, and then click OK.
8. Click the Users container, in the details pane, right-click the newly created London Application
Admins group, and then click Properties.
9. In the London Application Admins Properties dialog box, click the Members tab, and then
click Add.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select field, type LondonAdmin, click Check Names, and then click OK.
11. In the London Application Admins Properties dialog box, click OK.
 Task 2: Create a custom scope for the London application administrators

1. On LON-CFG, in the Configuration Manager console, verify that you are still in the Administration
workspace.
2. In the navigation pane, expand the Security node, and then click Security Scopes.
3. On the ribbon, click Create Security Scope.
4. In the Create Security Scope dialog box, in the Security scope name text box, type London, and
then click OK.
5. In the Configuration Manager console, in the navigation pane, click Distribution Points.
6. In the results pane, select LON-CFG.ADATUM.COM, and then on the ribbon, click Set Security
Scopes.
7. In the Set Security Scopes dialog box, leave the Default scope selected, select London, and then
click OK.

1. In the Configuration Manager console, click the Assets and Compliance workspace.
2. In the navigation pane, expand the Overview node, and then click Device Collections.
3. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts.
4. On the General page, in the Name box, type London Servers, and then next to Limiting collection,
click Browse.
5. In the Select Collection dialog box, select All Systems, and then click OK.
6. On the General page, click Next.
7. On the Membership Rules page, click Add Rule, and then click Direct Rule. The Create Direct
Membership Rule Wizard starts.
8. On the Welcome page, click Next.

9. On the Search for Resources page, in the Resource class list, verify that System Resource is
selected, in the Value text box, type LON%, and then click Next.
10. On the Select Resources page, select LON-CFG, and then click Next.
11. On the Summary page, click Next.
13. In the Create Device Collection Wizard, on the Membership Rules page, verify that LON-CFG was
added to the list, and then click Next.

 Task 4: Create a custom security role for application administrators

2. In the navigation pane, expand the Security node, and then select Security Roles.
3. In the results pane, select Application Administrator, and then on the ribbon, click Copy.
4. In the Copy Security Role dialog box, in the Name text box, type Application and Update
Administrator.
5. In the Copy Security Role dialog box, in the Customize the permissions for this copy of the
security role area, in the Permissions box, configure the following permissions by expanding each
permission group, and then selecting Yes next to each individual permission:
o All permissions under Software Update Group

o All permissions under Software Update Package
o All permissions under Software Updates

6. In the Copy Security Role dialog box, click OK.
 Task 5: Add a new group of administrative users, and then assign a custom role and a
custom scope
1. In the Configuration Manager console, in the navigation pane, under the Security node, click
Administrative Users.
2. On the ribbon, click Add User or Group.

3. In the Add User or Group dialog box, next to User or group name, click Browse.
4. In the Select User, Computer, or Group dialog box, in the Enter the object name to select text
box, type London Application Admins, click Check Names, and then click OK.
5. In the Add User or Group dialog box, next to the Assigned security roles list box, click Add.
L3-12 Planning and Configuring Role-Based Administration
6. In the Add Security Role dialog box, select the Application and Update Administrator role, and
then click OK.
7. In the Add User or Group dialog box, under Assigned security scopes and collections, verify that
the Only the instances of objects that are assigned to the specified scopes or collections option
is selected. In the list box, select each collection and security scope, and then click Remove.
8. In the Add User or Group dialog box, in the Security scopes and collections area, click Add, and
then click Security Scope.
9. In the Add Security Scope dialog box, select London, and then click OK.
10. In the Add User or Group dialog box, in the Security scopes and collections area, click Add, and
then select Collection.
11. In the Select Collections dialog box, select Device Collections, select London Servers, and then
click OK.
12. In the Add User or Group dialog box, click OK.

13. In the Configuration Manager console in the results pane, click Adatum\London Application
Admins, and then review the information from the preview pane.
Note: The users added to the London Application Admins group will have access only to
the Configuration Manager objects associated with the London scope and resources in the
London Servers collection.
Results: By the end of this exercise, you should have created a custom security scope, a custom collection,
and a custom security role.
Exercise 3: Testing the Permissions of the New Role

 Task 1: Start the Configuration Manager console by using the London application
administrator account
1. On LON-CFG, hold the Shift key and right-click Configuration Manager on the taskbar, and then
click Run as a different user.
2. In the Windows Security dialog box, in the Username box, type LondonAdmin, and then in the
Password box, type Pa$$w0rd. Click OK.
3. The Configuration Manager console starts.
 Task 2: Verify the permissions assigned to the new security role

2. In the navigation pane, under the Overview node, click Device Collections.
3. In the results pane, verify that you can see only the London Servers collection.
4. In the navigation pane, click on the Devices node.
5. In the results pane, verify that you can see only the resources associated to your collection.

7. In the navigation pane, under the Overview node, click Distribution Points.
8. In the results pane, verify that you can see the LON-CFG.ADATUM.COM server.
9. In the navigation pane, expand the Security node.
10. Verify that you do not have access to the Administrative Users, Security Roles, or Security Scopes
nodes.

following steps:

4. Repeat steps 2 and 3 for 10748C-LON-CFG-B.
Results: By the end of this exercise, you should have tested the new role permissions.
L4-15
Module 4: Planning and Deploying a Multiple-Site Hierarchy

Lab A: Installing a Site Hierarchy
Exercise 1: Using Hierarchy Expansion to Install the Central Administration
Site
 Task 1: Prepare the environment for the hierarchy expansion
1. On LON-CFG, open Server Manager.
2. Click the Tools menu, and then click Computer Management.

3. In the Computer Management window, expand Local Users and Groups, and then click Groups.
4. Double-click Administrators.
5. In the Administrators Properties dialog box, click Add.

6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types.
7. In the Object Types dialog box, select the Computers check box, and then click OK.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type
LON-CAS, and then click Check Names.
9. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click OK.
10. In the Administrators Properties dialog box, click OK.
11. Close Computer Management and Server Manager.

13. In Server Manager, click the Tools menu, and then click Active Directory Users and Computers.
14. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click the Users container.
15. Double-click ConfigMgrServers.
16. In the ConfigMgrServers Properties dialog box, click the Members tab, and then click Add.
Types.
19. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type
LON-CAS; NYC-CFG, and then click Check Names.
21. In the ConfigMgrServers Properties dialog box, click OK.
22. Close Active Directory Users and Computers and Server Manager.
 Task 2: Start additional lab servers

2. In Hyper-V® Manager, click 10748C-LON-CAS-B, and then in the Actions pane, click Start.
L4-16 Planning and Deploying a Multiple-Site Hierarchy
o Domain: Adatum
5. Repeat steps 1 through 4 for 10748C-NYC-CFG-B.
 Task 3: Run Installation Prerequisite Check, and verify that the expansion
prerequisites are met
1. On LON-CAS, click to the Start screen, and then type cmd. Right-click Command Prompt, and then
click Run as administrator.
2. In the Administrator: Command Prompt, type the following and then press Enter:
E:
CD E:\ConfigMgr2012R2\SMSSetup\BIN\X64
Prereqchk.exe /CAS /SQL LON-CAS.Adatum.com /SDK LON-CAS.Adatum.com /Expand LON-

CFG.Adatum.com
5. The Installation Prerequisite Check starts and evaluates the server for installed prerequisites.
6. In the Installation Prerequisite Check window, verify that there are no errors (you may receive several
warnings), and then click OK.
7. Close the Administrator: Command Prompt.
 Task 4: Run the splash screen for Configuration Manager 2012

1. On LON-CAS, click Start, and then click This PC.
2. In File Explorer, navigate to the E:\ConfigMgr2012R2\ folder.

4. In the How do you want to open this type of file (.hta)? dialog box, click Microsoft (R) HTML
Application host.
 Task 5: Run Setup to install a Configuration Manager 2012 R2 central administration

site and expand an existing primary site into the hierarchy
1. On the System Center 2012 R2 Configuration Manager Setup screen, click Install.
2. The System Center 2012 R2 Configuration Manager Setup Wizard starts. On the Before You Begin
page, click Next.
3. On the Getting Started page, in Available Setup Options, select Install a Configuration Manager
central administration site, and then click Next.
Next.
5. On the Microsoft Software License Terms page, select I accept these license terms, and then click
Next.
License Terms, under Microsoft Silverlight 5, select I accept these License Terms and automatic
updates of Silverlight, and then click Next.
Browse.
8. In the Browse For Folder dialog box, select E:\ConfigMgr2012R2\Redist, and then click OK.
10. Configuration Manager Setup Downloader starts to verify the prerequisites. Wait for the operation to
finish.
11. On the Server Language Selection page, click Next.

12. On the Client Language Selection page, click Next.
13. On the Site and Installation Settings page, enter the following settings, and then click Next:
o Site code: CAS

o Site name: London Central Administration Site
o Install the Configuration Manager console: selected
14. On the Central Administration Site Installation page, select Expand an existing stand-
alone primary into a hierarchy, in the Stand-alone primary site server (FQDN) field, type
LON-CFG.Adatum.com, and then click Next.
15. On the Database Information page, verify that the SQL Server name is LON-CAS.Adatum.com and
that the database name is CM_CAS, and then click Next.
16. On the second Database Information page, verify that the Path to the SQL Server data file is
configured as C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
17. On the second Database Information page, verify that the Path to the SQL Server log file is
configured as C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA,
18. On the SMS Provider Settings page, verify that the server name is LON-CAS.Adatum.com, and
then click Next.
19. On the Customer Experience Improvement Program Configuration page, select I don’t want to
join the program at this time, and then click Next.
20. On the Settings Summary page, review your selected settings, and then click Next.
21. On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click Begin
Install.
22. In the Install window, wait for the installation to complete, and then click Close.
Note: When the System Center R2 Configuration Manager Setup Wizard displays Core
setup has completed, the setup is not complete. Do not continue with the lab until the
Applying the snapshot data task has completed. The installation process may take up to 45
minutes.
23. In the System Center 2012 R2 Configuration Manager Setup screen, click Exit.
24. Close the File Explorer window.
Results: At the end of this exercise, you should have installed a Microsoft® System Center 2012 R2
Configuration Manager central administration site and a primary site in a hierarchy.
Lab B: Verifying a Site Hierarchy

 Task 1: View the site status and component status
1. On LON-CAS, click Start, expand the start screen to show all applications, and then in the Microsoft
System Center 2012 R2 section, click Configuration Manager Console.
Note: If A Configuration Manager dialog box appears stating that your Configuration
Manager console is in read-only mode, click OK to continue.
4. View the status of each site system and site system roles.
5. In the navigation pane, select Component Status.
6. View the status of each component.
 Task 2: View the status messages for the Configuration Manager 2012 installation
1. In the navigation pane, click Site Status.
2. In the results pane, for \\LON-CAS.Adatum.com, select Site server.
3. On the ribbon, click Show Messages, and then select All.
4. In the Status Messages: Set Viewing Period dialog box, verify that Select date and time is selected
and that in the corresponding drop-down list, 1 day ago is selected, and then click OK.
5. In the Configuration Manager Status Message Viewer for <CAS> <London Central Administration
Site> window, double-click any status message, and then review the details. Click OK to close the
Status Message Details box.
6. Close the Configuration Manager Status Message Viewer for <CAS> <London Central Administration
Site> window.
 Task 3: View the database replication status

1. In the navigation pane, click Database Replication.
2. View the status of the database replication between Parent Site CAS and Child Site S01.
Note: If the Link State is Link Failed, you must reinitialize the replication. To reinitialize the
replication, perform the following steps:
1. Switch to LON-CFG.
2. On the Desktop, create a file named configuration data.pub.
3. Open File Explorer and move configuration data.pub to C:\Program Files\Microsoft

Configuration Manager\inboxes\rcm.box.
4. Wait for the file to move.
5. After 10 minutes, switch to LON-CAS and in Database Replication, refresh the replication link for
Parent Site CAS and Child Site S01. The link should now display Link Active.

1. In Windows Explorer, navigate to drive C.
2. In the root folder, open the ConfigMgrPrereq.log file. The file is displayed in Notepad.
3. Note any errors and warnings reported by Prerequisite Checker. Close Notepad.
4. In the root folder, open the ConfigMgrSetup.log file. The file is displayed in Notepad.
5. Note any errors and warnings reported by Setup. Close Notepad.
Note: When a log file reaches a certain size, which varies depending on the process, a new
log file is created and the old log file is renamed with a .lo_ extension. The ConfigMgrSetup.log
might have only a few entries and you might need to review the ConfigMgrSetup.lo_ file.
 Task 5: Review the available site system roles

2. In the navigation pane, expand Site Configuration, and then click Servers and Site System Roles.
3. In the results pane, click LON-CAS.Adatum.com, and then in the preview pane, note the roles
installed on the server, including:
o Component server
o Site database server
o Site server
o Site system
4. In the results pane, right-click LON-CAS.Adatum.com, and then click Add Site System Roles. The
Add Site System Roles Wizard starts.

7. On the System Role Selection page, note the available roles, including:
o Asset Intelligence synchronization point
o Certificate registration point
o Endpoint Protection point

o Reporting services point
o Software update point
o System Health Validator point

8. In the System Role Selection window, click Cancel.
9. In the Configuration Manager message box, click Yes.

Note: When you install certain site system roles as part of a hierarchy, you cannot install
them in a primary site. Instead, you must install these roles at the central administration site.
These roles include:
• Endpoint Protection point
Results: At the end of this exercise, you will have validated the installation of System Center 2012 R2
Exercise 2: Automating the Installation of a Primary Site

 Task 1: Review the contents of the installation script
1. On LON-CAS, in Windows Explorer, navigate to E:\ConfigMgr2012R2\NYC, and then open the
ConfigMgrAutoSave_NYC.ini file.
2. Review the contents of the file, and then close the viewer:
[Identification]
[Options]
ProductID=EVAL
SiteCode=NYC
SiteName= New York City Primary Site
SDKServer=NYC-CFG. Adatum.com
PrerequisiteComp=1
PrerequisitePath= \\LON-CAS\E$\ConfigMgr2012R2\Redist
ManagementPoint= NYC-CFG.Adatum.com
DistributionPoint= NYC-CFG.Adatum.com
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
SQLServerName= NYC-CFG.Adatum.com
DatabaseName=CM_NYC
SQLSSBPort=4022
SQLDataFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
SQLLogFilePath=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
CCARSiteServer=LON-CAS.Adatum.COM
 Task 2: Run Setup for Configuration Manager 2012 and use the script option
1. On NYC-CFG, click the Start menu, then on the Start screen, type cmd. Right–click Command
Prompt, and then click Run as Administrator.
2. At the command prompt, type the following commands. Press Enter after each command line:
Net Use I: \\LON-CAS\E$\ConfigMgr2012R2

I:
cd smssetup\bin\X64
setup /script I:\NYC\ConfigMgrAutoSave_NYC.ini
Note: The Configuration Manager Setup will run in unattended mode. The installation
process may take up to 30 minutes. You can use Task Manager to monitor the Setup progress.
On the Details tab, when you see CcmExec.exe as a running process, the setup is complete.
Results: At the end of this exercise, you should have installed a System Center 2012 R2 Configuration
Manager primary site in an existing hierarchy by using the automated setup method.
Lab C: Installing a Secondary Site

Exercise 1: Configuring Prerequisites
 Task 1: Prepare the environment for the TOR-CFG secondary site
1. On LON-DC1, in the Server Manager console, click the Tools menu, and then click Active Directory
Users and Computers.
2. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click the Users container.
3. Double-click ConfigMgrServers.
4. In the ConfigMgrServers Properties dialog box, click the Members tab, and then click Add.
Types.
7. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type TOR-CFG,
and then click Check Names.
9. In the ConfigMgrServers Properties dialog box, click OK.

10. Close Active Directory Users and Computers and Server Manager.
 Task 2: Start TOR-CFG and launch Server Manager

2. In Hyper-V Manager, click 10748C-TOR-CFG-B, and then in the Actions pane, click Start.

o Domain: Adatum
5. On the task bar, click Server Manager.

6. On TOR-CFG, in Server Manager, click Tools, and then click Computer Management.
7. In the navigation pane, expand Local Users and Groups, and then click Groups.
8. In the results pane, double-click the Administrators group.

10. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box, click Object
Types.
12. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box, in the Enter
the object names to select text box, type NYC-CFG, click Check Names, and then click OK.
14. Close the Computer Management console.

 Task 3: Verify that Web Server (IIS) and related role services are installed
• In the Server Manager console, click Local Server, scroll to the Roles and Features section, and then
verify that the following Role Services are installed:
o Common HTTP Features

 Default Document
o Security
 Windows Authentication
o Application Development
 ASP.NET 3.5
 ASP.NET 4.5
o IIS 6 Management Compatibility
 IIS 6 Metabase Compatibility
 IIS 6 WMI Compatibility
 Task 4: Verify that the BITS and remote differential compression features are
installed
1. In the navigation pane in Server Manager, scroll to the Roles and Features section.
2. In the results pane, verify that the following features are installed:

o Remote differential compression
Results: At the end of this exercise, you should have validated the prerequisites for installing a System
Center 2012 Configuration Manager secondary site.
Exercise 2: Installing a Secondary Site from a Primary Site

 Task 1: Run the Secondary Site Installation Wizard
1. On NYC-CFG, click Start, expand the Start screen, and then click Configuration Manager Console.
3. In the navigation pane, expand Site Configuration, and then select Sites.
4. In the results pane, select NYC – New York City Primary Site, and then on the ribbon, click Create
Secondary Site. The Create Secondary Site Wizard starts.
5. On the Before You Begin page, click Next.

6. On the General page, configure the following options, and then click Next:
o Site code: TOR
o Site server name: TOR-CFG.Adatum.com
o Site Name: Toronto Secondary Site
7. On the Installation Source Files page, click Copy installation source files over the network from
the parent site server, and then click Next.
8. On the SQL Server Settings page, click Install and configure a local copy of SQL Server Express
on the secondary site computer, verify that the following information has been specified, and then
click Next:
o SQL Server service port: 1433
o SQL Server Service Broker Port: 4022
9. On the Distribution Point page, accept the default settings, and then click Next.
10. On the Drive Settings page, accept the default settings, and then click Next.
11. On the Content Validation page, click Next.
12. On the Boundary Groups page, click Next.

13. In the Summary page, review your selected settings, and then click Next.
14. In the Completion page, click Close.
Note: When the Create Secondary Site Wizard finishes, the installation continues in the
background on the target server. To validate the installation, verify the installation logs in the
next exercise.
15. In the Configuration Manager console, in the results pane, select TOR – Toronto Secondary Site,
and then on the ribbon, click Show Install Status.
16. In the Secondary Site Installation Status dialog box, review the progress of the installation actions,
click Refresh to monitor the status, and then click OK. It takes approximately 15-20 minutes for the
installation to complete.
Results: At the end of this exercise, you should have installed the System Center 2012 Configuration
Manager secondary site.

 Task 1: View the setup logs
1. On TOR-CFG, open Windows Explorer, and then navigate to drive C.
2. In the root folder, open the ConfigMgrSetup.log file. In the Open with box, select Notepad, and
then click OK.
3. Note any errors and warnings reported by Setup. Close Notepad.
 Task 2: View the system status for the new secondary site
1. On NYC-CFG, in the Configuration Manager console, in the navigation pane, click the Monitoring
workspace.
3. View the status of the site systems for TOR-CFG.
Note: You can view the secondary site status at the parent primary site or at the central
administration site. It may take several minutes until the installation finishes and the secondary
site status appears in the console.
4. In the navigation pane, click the Component Status node.
5. In the results pane, view the status of the components for TOR-CFG.
6. In the navigation pane, click the Database Replication node.
7. In the results pane, view the status of the replication link between NYC and TOR. It should show that
the link is active.
8. In the navigation pane, click the Site Hierarchy node.
9. In the results pane, view the site hierarchy diagram. On the NYC icon, click the plus sign to view TOR.

following steps:
4. Repeat steps 2 and 3 for 10748C-LON-CAS-B, 10748C-NYC-CFG-B, 10748C-LON-CFG-B, and

10748C-TOR-CFG-B.
Note: The line between NYC and TOR represents the state of the database replication
between the sites. This line can have several different symbols depending on the replication
status.
• ? in a white circle is shown when the status has not yet been reported.
• X in a red circle is shown when the status has been reported and the initial replication is incomplete
or there is an error during ongoing replication.
• √ in a green circle is shown when the initial replication has competed successfully and there are no
errors in the ongoing replication.
Results: At the end of this exercise, you should have validated the installation of a System Center 2012
Configuration Manager 2012 secondary site.
L5-27
Module 5: Replicating Data and Managing Content in

Configuration Manager 2012
Lab A: Configuring, Monitoring, and
Troubleshooting Data Replication
Exercise 1: Verifying and Configuring Replication Settings
 Task 1: Configuring file replication settings
1. On LON-CAS, on the taskbar, click Configuration Manager Console.

3. Expand the Hierarchy Configuration folder, and then click File Replication.
4. Right-click the Adatum Site S01 London Central Administration Site CAS file replication link, and
then click Properties.
5. On the Schedule tab, click the Sunday 0 hour.
6. In the Availability drop-down list, select Closed.
7. On the Rate Limits tab, click Limited to specified maximum transfer rates by hour.
8. Click the 0 hour that is on the left, hold the Shift key, and then click 4.
9. In the Limit available bandwidth (%) box, select 50.
10. In the Adatum Site Properties dialog box, click OK.
 Task 2: Configuring database replication settings

2. Right-click the CAS Central administration site S01 Primary site database replication link, and then
click Link Properties.
3. On the General tab, in the Summarization interval (minutes) box, select 5, and then click Apply.
4. Review the settings on the Schedule tab.
5. Review the settings on the Alerts tab.
6. In the CAS <-> S01 Replication Link Properties dialog box, click OK.
 Task 3: Configuring sender properties

1. Expand Site Configuration, and then click the Sites node.
2. Select S01 – Adatum Site.
3. On the ribbon, click Settings, click Configure Site Components, and then click Software
Distribution.
4. On the General tab, in the Maximum number of packages box, select 5.
5. In the Maximum threads per package box, select 8.
6. Under Retry settings, in the Number of retries box, select 5, and in the Delay before retrying
(minutes) box, select 5.
L5-28 Replicating Data and Managing Content in Configuration Manager 2012
7. In the Software Distribution Component Properties dialog box, click OK.
Results: At the end of this exercise, you should have configured the replication settings between the A.
Datum central administration site and the London primary site.
Exercise 2: Monitoring Replication

 Task 1: Review the replication information and configuration settings
1. On LON-CAS, open the Monitoring workspace.
2. In the navigation pane, click the Database Replication node, and then in the results pane, select the
CAS to S01 replication link. Verify that Link State shows Link Active. If it does not, refresh the results
pane.
3. Review the information available in the preview pane under the Replication Status area. In the Site
Replication Status section, verify that both Parent Site State and Child Site State display a status of
Replication Active.
State and Child Site to Parent Site Global State display the Link Active status and that the Last
Note: If the status of Parent Site to Child Site Global State and Child Site to Parent Site
Global State are Link Inactive, verify that both LON-CAS and LON-CFG have started. To refresh
the status, click the CAS to S01 replication link, and then press F5.
5. In the preview pane, click the Parent Site tab. Review the information available in the Replication
6. In the preview pane, click the Child Site tab. Review the information available in the Replication
Status area.

2. In the navigation pane, click the Device Collections node.
3. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts.
4. On the General page, in the Name text box, type London Computers, and then click Browse.
5. In the Select Collection dialog box, click All Systems, and then click OK.

7. On the Membership Rules page, click Add Rule, and then click Direct Rule. The Create Direct
Membership Rule Wizard starts.
8. On the Welcome page, click Next.

9. On the Search for Resources page, in the Resource Class drop-down list, verify that System
Resource is selected. In the Value text box, type LON%, and then click Next.
10. On the Select Resources page, select both the LON-CAS and LON-CFG check boxes, and then click
Next.
13. In the Create Device Collection Wizard, on the Membership Rules page, verify that both LON-CAS
and LON-CFG were added in the list, and then click Next.
 Task 3: Monitor the replication of the collection to the primary site

1. On LON-CFG, on the task bar click Configuration Manager Console.
2. In the Configuration Manager console, verify that you are in the Assets and Compliance workspace.
4. In the results pane, verify that the London Computers collection appears in the list of device
collections.
5. Right-click the London Computers collection, and then click Show Members. Notice that a new
node appears in the navigation pane under Devices. Notice also that the members of the collection
appear in the results pane.
Results: At the end of this exercise, you should have verified the replication between the A. Datum central
administration site and the London primary site.
Exercise 3: Troubleshooting Replication

 Task 1: Configure in-console alerts for monitoring replication
1. On LON-CAS, in the Configuration Manager console, click the Monitoring workspace.
2. In the navigation pane, click the Database Replication node, and then in the results pane, click the
CAS to S01 replication link.
3. Right-click the CAS to S01 replication link, and then click Link Properties.
4. In the CAS <-> Replication Link Properties dialog box, on the Alerts tab, verify that the Generate
an alert when this replication link is not working for a specified period of time check box is
selected.
5. On the Alerts tab, in the Number of minutes box, change the value to 3 minutes, and then click OK.
 Task 2: Stop the SMS_EXECUTIVE service on LON-CFG

1. On LON-CFG, on the Start screen, click Administrative Tools, and then in the Administrative Tools
folder, double-click Services.
2. In the Services console, click the SMS_EXECUTIVE service, and then on the ribbon, click the Stop
Service button.
3. In the Service Control window, wait for the service to stop. Wait at least three minutes before
continuing to the next task.
 Task 3: Troubleshoot the replication issue

1. On LON-CAS, browse to C:\Program Files\Microsoft Configuration Manager\tools\, and then
double-click CMTRACE.exe.
2. In the Configuration Manager Trace Log Tool dialog box, click Yes to make the program the
default viewer for all log files, and then close the tool.
3. In the Configuration Manager console, in the navigation pane, click the Alerts node, and then click
All Alerts.
4. In the results pane, click the alert named Replication link down between parent site and S01, and
then on the ribbon, click Configure.
5. In the Replication link down between parent site and S01 Properties dialog box, verify that
Minutes replication link connectivity down greater than has a value of 3, and then click OK.
6. In the navigation pane, click the Assets and Compliance workspace, and then click the Device
Collections node.
7. Right-click the London Computers collection, and then click Properties.

8. In the London Computers Properties dialog box, in the Name text box, change the name of the
collection to London Servers, and then click OK.
9. In the navigation pane, click the Monitoring workspace.

10. In the navigation pane, click the Database Replication node, and then in the results pane, click the
CAS to S01 replication connection.
11. Verify that the status of the replication link is either Link Failed or Link Degraded. Press F5, if
necessary, to refresh the status.
12. Right-click the CAS to S01 replication link, and then click Save Diagnostic Files.
13. In the Save As dialog box, in the File name box, type Replication Diagnostics. In the navigation
pane, click Local Disk (C:), and then click Save.
14. From the taskbar, start Windows Explorer.

15. In Windows Explorer, navigate to the C: drive, and then open the file Replication Diagnostics in
Notepad.
16. Review the content of the file. Note that the Child Site to Parent Site Global State displays a status
of Link Failed or Link Degraded. Close Notepad.
 Task 4: Resolve the issue and verify that replication is functioning correctly
1. On LON-CAS, right-click the CAS to S01 replication link, and then click Replication Link Analyzer.
Replication Link Analyzer starts detecting problems. Wait for the operation to finish.
2. In the CAS <-> S01 Replication Link Analyzer window, on the Restart the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Restart the SMS_EXECUTIVE service. Wait for the operation
to finish.
3. In the Replication Link Analyzer window, on the Successfully restarted the SMS_EXECUTIVE service
on LON-CFG.Adatum.com page, click Continue.
4. In the Replication Link Analyzer window, click OK.
5. In the CAS <-> S01 Replication Link Analyzer window, click Reinitialize replicated tables.
6. In the CAS <-> S01 Replication Link Analyzer window, click Continue.
7. In the Replication Link Analyzer window, click OK.

8. In the CAS <-> S01 Replication Link Analyzer window, click Check to see if the problem is fixed.
Note: Based on timing, there may still be issues that are detected. If issues are detected,
first click the Check to see if the problem is fixed link.
9. In the CAS <-> S01 Replication Link Analyzer window, on the Troubleshooting Report page, click
View Report.
10. In the How do you want to open this type of file (.htm)? dialog box, click Internet Explorer. The
content of ReplicationAnalysis.xml opens in Internet Explorer®.
11. Review the content of the file, and then close Internet Explorer.
12. In the Replication Link Analyzer window, click View Log. The content of ReplicationLinkAnalysis.log
opens in Configuration Manager Trace Log Tool.
13. Review the content of the file, and then close Configuration Manager Trace Log Tool.
14. In the CAS <-> S01 Replication Link Analyzer window, click Close.
Results: At the end of this exercise, you should have troubleshot replication between the primary site and
the central administration site.

• When you finish this lab, leave the virtual machines running.
Lab B: Planning and Configuring Content

Management
Exercise 1: Planning Content Distribution
 Task 1: Planning the deployment
There is not one correct answer for this scenario. Possible recommendations include:
• Create boundaries for each location.

• Create additional distribution points in the remote offices at the central location. For the lab, build an
additional distribution point on LON-SRV1.
• Prestage content to the locations with information technology (IT) staff. For the lab, prestage content
to LON-SRV1.
• Use BranchCache® in the remote offices without sites or distribution points. For the lab, enable
BranchCache support on LON-CFG.
• Restrict replication during business hours to high priority traffic only.
• Create cloud-based distribution points for the field staff instead of Internet-based distribution points.
• Use the cloud-based distribution point for content fallback.
• Do not allow fallback to the central location.
Results: At the end of this exercise, you will have planned distribution architecture for the company.
Exercise 2: Implementing Distribution Points

 Task 1: Add the primary site server computer account to the local Administrators
group
1. On LON-SVR1, in Server Manager, click Tools, and then click Computer Management.
2. In the navigation pane of the Computer Management console, expand Local Users and Groups, and
then click Groups.
3. In the results pane, double-click the Administrators group.

5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
7. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select text box, type LON-CFG, click Check Names, and then click OK.
9. Close the Computer Management console and Server Manager.

 Task 2: Create a distribution point

1. On LON-CAS, in the Configuration Manager console, click the Administration workspace.
3. On the ribbon, click the Home tab, and then click Create Site System Server. The Create Site System
Server Wizard starts.
4. On the General page, click Browse.
5. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1.
Click Check Names, and then click OK.
6. On the General page, in the Site Code drop-down list, select S01 – Adatum Site, and then click
Next.
8. On the System Role Selection page, select Distribution point, and then click Next.
9. On the Distribution Point page, select Install and configure IIS if required by Configuration
Manager and Enable this distribution point for prestaged content, and then click Next.
10. On the Drive Settings page, review the default settings, and then click Next.
11. On the Pull Distribution Point page, click Next.

12. On the PXE Settings page, click Next.
13. On the Multicast page, click Next.
14. On the Content Validation page, select Validate content on a schedule, and then click Next.
16. On the Summary page, review the settings, and then click Next.

18. In the Configuration Manager console, verify that \\LON-SVR1.Adatum.com appears in the results
pane.
 Task 3: Create and populate a distribution point group

1. In the navigation pane, click Distribution Points.
2. In the results pane, click LON-CFG.ADATUM.COM, hold the Ctrl key, and then click
NYC-CFG.ADATUM.COM and TOR-CFG.ADATUM.COM.
3. On the ribbon, click Add Selected Items, and then click Add Selected Items to New Distribution
Point Group.
4. In the Create New Distribution Point Group dialog box, in the Name text box, type Primary and
Secondary Site Distribution Points, and then click OK.
5. In the navigation pane, click Distribution Point Groups.
6. Verify that the Primary and Secondary Site Distribution Points group has been created and that
the Member Count is 3.
Results: At the end of this exercise, you should have created a distribution point, created a distribution
point group, and added distribution points to the group.
Exercise 3: Implementing Content Prestaging

 Task 1: Create and distribute a package
1. On LON-CFG, in the Configuration Manager console, click the Software Library workspace.
2. In the navigation pane, expand Application Management, and then click the Applications node.
3. On the ribbon, click Create Application. The Create Application Wizard starts.
4. On the General page, verify that in the Type box, Windows Installer (*.msi) is selected.
5. In the Location text box, type \\LON-CFG\E$\Software\MSI_Files\PPTViewer, select

ppviewer.msi, and then click Open.
7. On the Import Information page, click Next.

8. On the General Information page, click Next.

11. In the Configuration Manager console, in the results pane, click the Microsoft PowerPoint Viewer
application, and on the ribbon, click Distribute Content. The Distribute Content Wizard starts.
13. On the Content page, click Next.
14. On the Content Destination page, click Add, and then click Distribution Point.
15. In the Add Distribution Points dialog box, select LON-CFG.ADATUM.COM, and then click OK.
16. On the Content Destination page, click Next.

 Task 2: Create a prestaged content file

1. On LON-CFG, in the Configuration Manager console, click the Software Library workspace, and then
verify that you are in the Applications node.
2. In the results pane, click Microsoft PowerPoint Viewer, and then on the ribbon, click Create
Prestaged Content File. The Create Prestaged Content File Wizard starts.
4. In the Prestaged content file dialog box, navigate to the Allfiles (E:) drive, in the File name box,
type PowerPointViewer, and then click Save.

6. On the Content page, click Next.
7. On the Content Locations page, click Add.
8. In the Add Distribution Points dialog box, select LON-CFG.Adatum.com, and then click OK.
9. On the Content Locations page, click Next.

12. On the taskbar, click Windows Explorer.
13. Browse to the Allfiles (E:) drive, right-click PowerPointViewer.pkgx, and then click Copy.
14. In the address bar, type \\LON-SVR1\C$, and then press Enter.
15. Right-click in the results pane, and then click Paste.
 Task 3: Extract a prestaged content file on a distribution point

1. On LON-SVR1, click Start, type CMD, and then click Command Prompt.
2. At the command prompt, type the following commands, pressing Enter after each line:
CD C:\SMS_DP$\sms\Tools
extractcontent.exe /P:C:\PowerPointViewer.pkgx /S
 Task 4: Monitor the prestaged content status

1. On LON-CFG, in the Configuration Manager console, click the Monitoring workspace.
2. In the navigation pane, expand Distribution Status, and then click the Content Status node.
3. In the results pane, click Microsoft PowerPoint Viewer, and then review the information in the
preview pane. Notice that two distribution points were targeted, and Success is now listed as 2.
Results: At the end of this exercise, you should have performed content prestaging.
Exercise 4: Implementing BranchCache to Support Content Management

 Task 1: Configure LON-SVR1 to support BranchCache
1. On LON-SVR1, open Server Manager.
2. In Server Manager, click Add roles and features.
3. On the Before you begin page of the Add Roles and Features Wizard, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, select the BranchCache check box, and then click Next.
7. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then in the message box, click Yes.
8. On the Confirm installation selections page, click Install.
9. On the Installation progress page, click Close.
 Task 2: Verify that an application is ready for BranchCache

1. On LON-CFG, in the Configuration Manager console, click the Software Library workspace.
2. In the navigation pane, expand Application Management, and then click the Applications node.
3. Select the Microsoft PowerPoint Viewer application.
4. In the results pane, click the Deployment Types tab.

5. Right-click the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) deployment type,
and then click Properties.
6. In the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) Properties dialog box, click
the Content tab.
7. Verify that the Allow clients to share content with other clients on the same subnet check box is
selected.
8. In the Microsoft PowerPoint Viewer – Windows Installer (*.msi file) Properties dialog box,
click OK.
Results: At the end of this exercise, you will have enabled BranchCache support on LON-SVR1.

following steps:


o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
L6-37
Module 6: Planning Resource Discovery and Client

Deployment
Lab: Implementing Configuration Manager
Client Deployment
Exercise 1: Configuring Active Directory Discovery Methods
 Task 1: Configure Active Directory System Discovery
1. On LON-CFG, on the task bar click Configuration Manager Console.
2. In the Configuration Manager Console, click the Administration workspace.

3. In the navigation pane, expand Hierarchy Configuration, and then click Discovery Methods.
4. In the results pane, click Active Directory System Discovery, and then on the ribbon, click
Properties.
5. In the Active Directory System Discovery Properties dialog box, click Enable Active Directory
System Discovery, and then click New.
6. In the Active Directory Container dialog box, click Browse.

7. In the Select New Container dialog box, click Adatum, and then click OK.
8. In the Active Directory Container dialog box, click OK.
9. In the Active Directory System Discovery Properties dialog box, click the Polling Schedule tab,
and then review the settings.
10. In the Active Directory System Discovery Properties dialog box, click the Active Directory
Attributes tab, and then review the settings.
11. In the Active Directory System Discovery Properties dialog box, click the Options tab, review the
settings, and then click OK.
 Task 2: Configure Active Directory User Discovery

1. In the results pane, click Active Directory User Discovery, and then on the ribbon, click Properties.
2. In the Active Directory User Discovery Properties dialog box, click Enable Active Directory User
Discovery, and then click New.
3. In the Active Directory Container dialog box, click Browse.

5. In the Active Directory Container dialog box, click OK.
6. In the Active Directory User Discovery Properties dialog box, click the Polling Schedule tab, and
then review the settings.
7. In the Active Directory User Discovery Properties dialog box, click the Active Directory
Attributes tab, review the settings, and then click OK.
L6-38 Planning Resource Discovery and Client Deployment
 Task 3: Configure Active Directory Group Discovery

1. In the results pane, click the Active Directory Group Discovery, and then on the ribbon, click
Properties.
2. In the Active Directory Group Discovery Properties dialog box, click Enable Active Directory
Group Discovery, click Add, and then click Location.
3. In the Add Active Directory Location dialog box, in the Name box, type Adatum domain, and then
click Browse.
5. In the Add Active Directory Location dialog box, click OK.
6. In the Active Directory Group Discovery Properties dialog box, click the Polling Schedule tab, and
then review the settings.
7. In the Active Directory Group Discovery Properties dialog box, click the Options tab, review the
settings, and then click OK.
 Task 4: Verify that the discovered computers appear in the All Systems collection and
are assigned to the site correctly.
1. In the Configuration Manager Console, click the Assets and Compliance workspace.

3. In the results pane, click the All Systems collection, and then on the ribbon, click the Show
Members button.
4. A new sticky node called All Systems appears in the navigation pane, under the Devices node. In the
results pane, observe the systems that are members of the All Systems collection and their assigned
site. On the Site Code column, you should see S01 for most systems.
Results: At the end of this exercise, you should have configured the Active Directory discovery methods.
Exercise 2: Using Client Push to Install the Configuration Manager Client

 Task 1: Create a client push installation account
1. On the LON-DC1 server, from Server Manager, click Tools, and then click Active Directory Users
and Computers.
2. In the Active Directory Users and Computers console, in the navigation pane, expand Adatum.com,
right-click the Users container, go to New, and then click User.
3. In the New Object – User window, in both the First name and User logon name text boxes, type
ConfigMgrClientPush, and then click Next.
4. In the New Object – User window, in both the Password and Confirm password text boxes, type
Pa$$w0rd, clear the User must change password at next logon box, select the User cannot
change password and Password never expires check boxes, and then click Next.
5. In the New Object – User window, click Finish.
6. In the Active Directory Users and Computers console, right-click the newly created
ConfigMgrClientPush user, and then click Properties.
7. In the ConfigMgrClientPush Properties dialog box, click the Member Of tab.
8. At the Member Of tab, click the Add button.
9. In the Select Groups dialog box, in the Enter the object names to select text box, type Domain
Admins, click the Check Names button, and then click OK.
10. In the ConfigMgrClientPush Properties dialog box, click OK.
 Task 2: Configure the client push installation method

1. On LON-CFG, in the Configuration Manager Console, verify that you are in the Administration
workspace.
2. In the navigation pane, expand Site Configuration, and then click the Sites node.
3. In the results pane, right-click S01 – Adatum Site, click Client Installation Settings, and then click
Client Push Installation.
4. In the Client Push Installation Properties dialog box, click the Accounts tab.
5. At the Accounts tab, click the New button, and then click New Account.
6. In the Windows User Account dialog box, click the Browse button.
7. In the Select User dialog box, in the Enter the object name to select text box, type
ConfigMgrClientPush, click the Check Names button, and then click OK.
8. In the Windows User Account dialog box, in both the Password and Confirm password boxes,
type Pa$$w0rd, and then click Verify. The Windows User Account dialog box expands.
9. In the Windows User Account dialog box, in the Network Share box, type \\LON-DC1\C$, and
then click Test connection.
10. In the Configuration Manager message box, click OK.

11. In the Windows User Account dialog box, click OK.
12. In the Client Push Installation Properties dialog box, click the Installation Properties tab.
13. At the Installation Properties tab, in the Installation properties box, after the text
SMSSITECODE=S01, type a space, and then type FSP=LON-CFG.Adatum.com.
Note: The entire line should read SMSSITECODE=S01 FSP=LON-CFG.adatum.com.
14. In the Client Push Installation Properties dialog box, click OK.
 Task 3: Install the client by using client push

1. On LON-CFG, in the Configuration Manager Console, click the Assets and Compliance workspace.
2. In the navigation pane, under Device Collections, click the All Systems node.
3. In the results pane, right-click LON-CFG, and then click Install Client. The Install Configuration
Manager Client Wizard starts.
4. In the Before You Begin page, click Next.

5. In the Installation Options page, check the Install the client software from a specified site box,
verify that in the Site list appears S01 – Adatum Site, and then click Next.
6. In the Summary page, click Next.

8. In the results pane, right-click LON-DC1, and then click Install Client. The Install Configuration
Manager Client Wizard starts.
9. In the Before You Begin page, click Next.
10. In the Installation Options page, check the Allow the client software to be installed on domain
controllers box, and then click Next.
11. In the Summary page, click Next.

 Task 4: Verify the client installation

2. From the Start screen, click Control Panel.

3. In the Control Panel window, next to View by, click Large icons.
4. In the Control Panel window, click Configuration Manager.

5. In the Configuration Manager Properties dialog box, on the General tab, review the information.
6. In the Configuration Manager Properties dialog box, click the Components tab, and then verify
the status of the agents. Some of the agents should have the Status of Installed.
7. In the Configuration Manager Properties dialog box, click the Actions tab.
8. In the Actions list, click Machine Policy Retrieval & Evaluation Cycle, and then click Run Now to
initiate the connection of the Configuration Manager client to the management point.
Note: When the Configuration Manager client is running inside a virtual machine, it uses
randomization for the initial time interval of connection to the management point. Manually
running the Machine Policy Retrieval & Evaluation Cycle helps ensure that all components are
updated, as necessary.
9. In the Machine Policy Retrieval & Evaluation Cycle message box, click OK.
10. In the Configuration Manager Properties dialog box, click OK.
Results: At the end of this exercise, you should have started the installation of the Configuration Manager
client by using the client push installation method.
Exercise 3: Using Group Policy to Install the Configuration Manager Client

 Task 1: Import the configmgrinstallation.adm file
1. On LON-DC1, from the Task bar, click the Server Manager icon.
2. From Server Manager, click Tools, and then click Group Policy Management.
3. From the Group Policy Management console, expand Forest: Adatum.com, and then expand
Domains.
4. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO dialog box, in the Name textbox, type SCCM Client Install, and then click OK.
6. From the navigation pane, right-click the SCCM Client Install, and then click Edit.
7. In the Group Policy Editor window, in Computer Configuration, expand Policies.
8. Right-click Administrative Templates, and then click Add/Remove Templates.
9. In the Add/Remove Templates dialog box, click Add.
10. In the Policy Templates dialog box, navigate to \\LON-CFG\SMS_S01\tools

\ConfigMgrADMTemplates, click confgmgrinstallation.adm, and then click Open.
11. In the Add/Remove Templates dialog box, click Close.
12. In the navigation pane, expand Administrative Templates: Policy Definitions (ADMX files)
retrieved from the local computer, and then expand Classic Administrative Templates (ADM).
 Task 2: Configure client-installation properties within a GPO

1. From Group Policy Management Editor, expand Configuration Manager 2012, and then click
Configuration Manager 2012 Client.
2. From the details pane, double-click Configure Configuration Manager 2012 Client Deployment
Settings.
3. In the Configure Configuration Manager 2012 Client Deployment Settings dialog box, click
Enabled.
4. In the CCMSetup textbox, type SMSSITECODE=S01 FSP=LON-CFG.adatum.com, and then

click OK.
 Task 3: Import CCMSetup.msi, and then deploy the Configuration Manager client by
using Group Policy
1. From LON-DC1, click the File Explorer button on the task bar.
2. Navigate to Local Disk (C:).
3. In the details pane, right-click in the open area, navigate to New, and then click Folder.
4. Type SCCMClient, and then press Enter.
5. Right-click the SCCMClient folder, and then click Properties.
6. In the Properties dialog box, on the Sharing tab, click Share.
7. In the File Sharing dialog box, in the Type a name and then click Add, or click the arrow to find
someone drop-down list, click Everyone, click Add, click Share, and then click Done.
8. In the SCCMClient Properties dialog box, click Close.
9. From the Start screen, type Run, and then press Enter.
10. In the Run dialog box, in the Open textbox, type \\LON-CFG\SMS_S01\bin\i386, and then click OK.
11. In the new File Explorer window, right-click ccmsetup.msi, and then click Copy.
12. Close the i386 window.
13. In the Local Disk (C:) window, double-click the SCCMClient folder.
14. Right-click the empty area in the details pane, and then click Paste.
15. Close the SCCMClient window.
16. Switch to Group Policy Management Editor.

17. In the navigation pane, expand Computer Configuration, Software Settings.
18. Right-click Software Installations, navigate to New, and then click Package.
19. In the Open dialog box, in the File name text box, type \\LON-DC1\SCCMClient\ccmsetup.msi,
and then click Open.
20. In the Deploy Software dialog box, click Assigned, and then click OK.
21. Close the Group Policy Management Editor.

22. On the host computer, from the Start screen, click Hyper-V Manager.
23. In Hyper-V® Manager, click 10748C-LON-SVR1-C, and then in the Actions pane, click Start.
 Task 4: Verify client installation

1. Switch to LON-SVR1, and then sign in by using the following credentials:
o Username: ADATUM\Administrator
2. From the desktop, right-click the Task bar, and then click Task Manager.
3. In the Task Manager window, click More Details, and then click the Details tab.
4. Verify that ccmsetup.msi or ccmsetup.exe is running.

following steps:
o 10748C-LON-CAS-C
o 10748C-LON-CFG-C
o 10748C-LON-SVR1-C
Results: At the end of this exercise, you should have installed the Configuration Manager client by using a
GPO.
L7-43
Module 7: Configuring Internet and Cloud-Based Client

Management
Lab A: Configuring PKI for Configuration
Manager
Exercise 1: Creating Certificate Templates for Configuration Manager
 Task 1: Create a Configuration Manager IIS servers group
1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and
Computers.
2. In the navigation pane, expand Adatum.com, and then select the Users container.
3. Right-click the Users container, point to New, and then click Group.
4. In the New Object – Group dialog box, in the Group name box, type Configuration Manager IIS
Servers, and then click OK.
5. Double-click Configuration Manager IIS Servers.
6. In the Configuration Manager IIS Servers Properties dialog box, on the Members tab, click Add.
Types, in the Object Types dialog box, select the Computers check box, and then click OK.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select box, type LON-CFG, click Check Names, and then click OK.
9. In the Configuration Manager IIS Servers Properties dialog box, click OK.
10. Close Active Directory Users and Computers.
 Task 2: Create a Configuration Manager Web Server certificate template

1. On LON-DC1, from Server Manager, click Tools, and then click Certification Authority.
2. In the Certification Authority console, expand AdatumCA, and then click Certificate Templates.
3. Right-click the Certificate Templates folder, and then click Manage. The Certificate Templates
console opens.
4. In the results pane, right-click Web Server, and then click Duplicate Template.
5. On the Compatibility tab, ensure that the Windows Server 2003 option is selected.
6. In the Properties of New Template dialog box, on the General tab, in the Template display name
box, type Configuration Manager Web Server Certificate.
7. Click the Subject Name tab, and then ensure that the Supply in the request option is selected.
8. On the Security tab, under Group or user names, click Domain Admins, and under Permissions
for Domain Admins, clear the Enroll check box, click Enterprise Admins, and then clear the Enroll
check box.
9. On the Security tab, click Add. In the Select Users, Computers, Service Accounts or Groups dialog
box, in the Enter the object names to select box, type Configuration Manager IIS Servers, click
Check Names, and then click OK.
10. Click Configuration Manager IIS Servers, select the Enroll check box, and then click OK.
L7-44 Configuring Internet and Cloud-Based Client Management
 Task 3: Create a Configuration Manager client certificate template

1. In the Certificate Templates console, in the results pane, right-click Workstation Authentication,
and then click Duplicate Template.
box, type Configuration Manager Client Certificate.
4. On the Security tab, click Domain Computers, select the Read check box, select the Autoenroll
check box, and then click OK. Do not clear the Enroll check box.
 Task 4: Create a Configuration Manager client distribution point certificate template

1. In the Certificate Templates console, in the results pane, right-click Workstation Authentication,
and then click Duplicate Template.
box, type Configuration Manager Client Distribution Point Certificate.
4. On the Request Handling tab, select Allow private key to be exported.

5. On the Security tab, under Group or user names, click Domain Admins, and under Permissions
for Domain Admins, clear the Enroll check box, click Enterprise Admins, and then clear the Enroll
check box.
6. On the Security tab, click Add, and in the Select Users, Computers, Service Accounts or Groups
dialog box, in the Enter the object names to select box, type Configuration Manager IIS Servers,
click Check Names, and then click OK.
7. Click Configuration Manager IIS Servers, select the Enroll check box, and then click OK. Do not
clear the Read permission.

 Task 5: Create a Configuration Manager mobile device client certificate template

1. In the Certificate Templates console, in the results pane, right-click Authenticated Session, and then
click Duplicate Template.
box, type Configuration Manager Mobile Device Certificate.
4. Click the Subject Name tab, and then ensure that the Build from this Active Directory
information option is selected.
5. In the Subject name format list, select Common name, under Include this information in
alternate subject name, clear the User principal name (UPN) check box, and then click OK.
6. Close the Certificate Templates console.

 Task 6: Enable the Configuration Manager certificate templates

1. In the Certification Authority console, in the navigation pane, verify that you are still in the Certificate
Templates folder.
2. Right-click the Certificate Templates folder, point to New, and then click Certificate Template to
Issue.
3. In the Enable Certificate Templates dialog box, click Configuration Manager Client Certificate,
hold the Ctrl key, and then click Configuration Manager Client Distribution Point Certificate,
Configuration Manager Mobile Device Certificate, and Configuration Manager Web Server
Certificate.
4. In the Enable Certificate Templates dialog box, click OK, and then close the Certification Authority
console.
Results: After this exercise, you should have created a group for the Microsoft® System Center 2012 R2
Configuration Manager servers and created the templates for Configuration Manager certificates.
Exercise 2: Deploying Certificates for Configuration Manager

 Task 1: Create an autoenrollment GPO
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest:Adatum.com, expand Domains, right-click
Adatum.com, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO dialog box, in the Name box, type Enable Autoenrollment of Certificates, and
then click OK.
4. Right-click Enable Autoenrollment of Certificates, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, and then click Public Key Policies.
6. Right-click Certificate Services Client – Auto-Enrollment, and then click Properties.
7. In the Configuration Model list, select Enabled, select the Renew expired certificates, update
pending certificates, and remove revoked certificates check box, select the Update certificates
that use certificate templates check box, and then click OK.
8. Close the Group Policy Management Editor window and the Group Policy Management console.
 Task 2: Request a Configuration Manager IIS certificate on the management point

1. On LON-CFG, restart the server.
2. Wait for the machine to restart, and then sign in as Adatum\Administrator with the password
Pa$$w0rd.
3. On LON-CFG, click to the Start screen, type mmc.exe, and then click mmc.exe.
4. In the Console 1 - [Console Root] console, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and
then click Add.
6. In the Certificates Snap-in Wizard, click Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is
running on) option is selected, and then click Finish.
8. In the Add or Remove Snap-ins dialog box, click OK.

9. In the Console 1 - [Console Root] console, expand Certificates (Local Computer), and then click
Personal.
10. Under Object Type, right-click Certificates, point to All Tasks, and then click Request New
Certificate.
11. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
12. On the Select Certificate Enrollment Policy page, click Next.
13. On the Request Certificates page, select the Configuration Manager Web Server Certificate
check box, and then click the More information is required to enroll for this certificate. Click
here to configure settings link.
14. In the Certificate Properties dialog box, on the Subject tab, under the Alternative name area, in
the Type list, select DNS.
15. In the Value box, type LON-CFG.Adatum.com, and then click Add.
16. Click the General tab, in the Friendly name box, type Configuration Manager Web Services, and
then click OK.
17. On the Request Certificates page, click Enroll.

18. On the Certificates Installation Results page, wait until the certificate is installed, and then click
Finish.
 Task 3: Request a Configuration Manager client distribution point certificate

1. In the Console 1 - [Console Root] console, expand Certificates (Local Computer), and then click
Personal.
2. Under Object Type, right-click Certificates, point to All Tasks, and then click Request New
Certificate.
3. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
4. On the Select Certificate Enrollment Policy page, click Next.
5. On the Request Certificates page, select the Configuration Manager Client Distribution Point
Certificate check box, and then click Enroll.
6. On the Certificates Installation Results page, wait until the certificate is installed, and then click
Finish.
7. In the Console 1 - [Console Root] console, expand Personal, and then click Certificates.
8. In the results pane, right-click the certificate that has Configuration Manager Client Distribution
Point Certificate on the Certificate Template column, point to All Tasks, and then click Export.
The Certificate Export Wizard opens.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, select Yes, export the private key, and then click Next.
11. On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12
(.PFX) option is selected, and then click Next.
12. On the Security page, select the Password checkbox and in both the Password and Confirm
password text boxes, type Pa$$w0rd, and then click Next.
13. On the File to Export page, in the File name text box, type C:\ConfigMgrClientDPCertificate.pfx,
14. On the Completing the Certificate Export Wizard page, click Finish.
15. In the Certificate Export Wizard dialog box, click OK.
16. Close the Console 1 – [Console Root] console, and then in the Microsoft Management Console
dialog box, click No.
 Task 4: Assign the Configuration Manager IIS certificate to Web Services

1. On LON-CFG, open Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.
2. Expand LON-CFG (ADATUM\Administrator), on the Internet Information Services (IIS) Manager

dialog box, click No, expand Sites, right-click Default Web Site, and then click Edit Bindings.
3. In the Site Bindings dialog box, click https, and then click Edit.
4. In the Edit Site Binding dialog box, in the SSL certificate list, select Configuration Manager Web
Services, and then click OK.
5. In the Site Bindings dialog box, click Close.
6. Close Internet Information Services (IIS) Manager.
 Task 5: Configure HTTPS for the Configuration Manager roles

1. On LON-CFG, on the task bar, click Configuration Manager Console.
4. In the results pane, click \\LON-CFG.Adatum.com, in the preview pane, right-click Site system, and
then click Properties.
5. In the Site system Properties dialog box, select Specify an FQDN for this site system for use on
the Internet.
6. In the Internet FQDN text box, type LON-CFG.Adatum.com, and then click OK.
7. In the preview pane, right-click Distribution point, and then click Properties.
8. In the Distribution point Properties dialog box, on the General tab, select Import certificate, and
then click Browse.
9. In the Open dialog box, browse to and click the C:\ConfigMgrClientDPCertificate.pfx certificate
file, and then click Open.
10. On the General tab, in the Password text box, type Pa$$w0rd.
11. On the General tab, click HTTPS, under Requires computers to have a valid PKI client certificate,
select Allow intranet and Internet connections, and then click OK.
12. In the preview pane, click Management point, and then click Properties.
13. In the Management point Properties dialog box, on the General tab, click HTTPS, and then under
This option requires client computers to have a valid PKI client certificate for client
authentication, select Allow intranet and Internet connections.
14. Select the Allow mobile devices to use this management point check box, and then click OK.
 Task 6: Deploy certificate profiles to clients

1. On LON-CFG, on the taskbar, click File Explorer.
2. In the navigation bar, type \\LON-DC1\CertEnroll, and then press Enter.
3. Right-click LON-DC1.Adatum.com_AdatumCA.crt, and then click Copy.
4. Right-click the desktop, and then click Paste.
5. Click the Configuration Manager icon on the taskbar.
6. In the Assets and Compliance workspace, expand Compliance Settings, and then expand
Company Resource Access.
7. Click Certificate Profiles, and then on the ribbon, click Create Certificate Profile.
8. On the General page of the Create Certificate Profile Wizard, in the Name box, type
AdatumEnterpriseRootCA, and then ensure that Trusted CA certificate is selected. Click Next.
9. On the Trusted CA Certificate page, click Import.
10. In the Open dialog box, click Desktop, click LON-DC1.Adatum.com_AdatumCA.crt, and then click
Open.
11. On the Trusted CA Certificate page, ensure that Computer certificate store – Root is selected, and
then click Next.
12. On the Supported Platforms page, click Select All, and then click Next.

15. While the Certificate Profiles node is selected, click AdatumEnterpriseRootCA, and then on the
ribbon, click Deploy.
16. In the Deploy Trusted CA Certificate Profile dialog box, click Browse.
17. In the Select Collection dialog box, click User Collections, and then click Device Collections.
18. Click All Desktop and Server Clients, and then click OK.
19. Click OK to close the Deploy Trusted CA Certificate Profile dialog box.
Results: After this exercise, you should have issued the Configuration Manager certificates and configured
HTTPS communication for Configuration Manager roles.
Lab B: Configuring Windows Intune

Integration with System Center 2012 R2
Exercise 1: Signing Up for a Windows Intune Trial Account and Configuring
Directory Synchronization
 Task 1: Create a temporary email account name
• Create a temporary email account name and not an actual e-mail account using the following
scheme:
o The first part of the email address should be your first name, the first letter of your last name,
10748C, and the date in the format used in your region (mm/dd/yy or dd/mm/yy). For example,
JoeS10748C010114 if it is the first of January 2014.
o The domain (the portion of the address after the @ symbol) should be Adatum.com. For
example joeS10748C0110114@adatum.com
 Task 2: Create a Windows Intune account

1. On LON-CAS, click the Start button, and then click Internet Explorer.
2. On the taskbar of Internet Explorer®, click the Gear icon, and then click Internet options.
3. In the Internet Options dialog box, click the Security tab.
4. On the Security tab, click Trusted Sites, and then move the Security level for this zone slider to
Low.
5. Click Sites. In the Trusted sites dialog box, clear the Require server verification (https:) for all
sites in this zone check box.
6. In the Add this website to the zone: text box, type *.microsoft.com, and then click Add.
7. To close the Trusted sites dialog box, click Close.
8. To close the Internet Options dialog box, click OK.

9. In the address bar, type the following URL, and then press Enter: http://www.microsoft.com/intune
10. In Internet Explorer, click No thanks to close the Please help us improve dialog box. Click the Try
option, and then click Sign up for a Windows Intune free 30-day trial.
11. On the Windows Intune Sign up page, provide the required information to sign up for the trial
account. Enter data for the following required fields:
o Country or region: Select your country or region
o Organizational language: Choose your organizational language

o First name: Don
o Last Name: Funk

o Organization Name: Type the first three letters of the city in which you are attending the course,
the course number, the month, day, and year and the number of your computer counting from
2014; and you are using the fifth computer from the front left side of the classroom.
o Address 1: Street address of the location where the course is being held
o City: City where the course is being held
o State: State where the course is being held
o ZIP code: Zip code where the course is being held
o Phone Number: 555-555-1212
o Email address: The fake email address that you created in the first task of this exercise.
o New Domain Name: Type the first three letters of the city in which you are attending the course;
2014; and you are using the fifth computer from the front left side of the classroom.
12. Click Check Availability. After the domain name is verified, enter the following information:
o New User ID: Student
o Create new password: Pa$$w0rd
o Confirm new password: Pa$$w0rd

13. In the Verification field, type the text that is shown as a graphic. Note that the text is not case-
sensitive.
14. Click I accept and continue.
15. In the Security Warning dialog box, click Yes.

16. In the Windows Intune form, click Continue.
18. Close Internet Explorer.
 Task 3: Configure a UPN suffix

1. On LON-DC1, on the Tools menu of the Server Manager console, click Active Directory Domains
and Trusts.
2. In the Active Directory Domains and Trust console, right-click Active Directory Domains and Trusts,
and then click Properties.
3. On the UPN Suffixes tab of the Active Directory Domains and Trusts dialog box, enter
the organization name in the form organizationname.onmicrosoft.com. For example, type
MEL10748C02041405.onmicrosoft.com for Melbourne, course 10748C, February 4, 2014 where
you are using the fifth computer from the front left side of the classroom. Click Add, and then click
OK to close the Active Directory Domains and Trusts dialog box.
4. On the taskbar, right-click the Windows PowerShell icon, and then click Run ISE as Administrator.
5. On the View menu of the Administrator: Windows PowerShell ISE window, click Show Script Pane.
6. In the script pane, type the following script, replacing organizationname.onmicrosoft.com with your
Windows Intune organization’s name:
Get-ADUser -Filter {UserPrincipalName -like "*@adatum.com"} -SearchBase

"DC=adatum,DC=com" |
ForEach-Object {
$UPN =
$_.UserPrincipalName.Replace("adatum.com","organizationname.onmicrosoft.com")
Set-ADUser $_ -UserPrincipalName $UPN
}
7. On the File menu, click Run
8. On the File menu, click New.

9. In the script pane, type the following:
Add-DnsServerResourceRecordCname –HostNameAlias manage.microsoft.com –Name

EnterpriseEnrollment –ZoneName Adatum.com
10. On the File menu, click Run.

11. On the Tools menu of the Server Manager console, click Active Directory Administrative Center.
12. In the Active Directory Administrative Center console, click Adatum (local), and then double-click IT.
13. Double-click April Reagan, and then verify that the user principal name (UPN) logon is set to
april@organizationname.onmicrosoft.com, where organizationname is your Windows Intune
organization’s name.
 Task 4: Configure directory synchronization

1. On LON-CAS, open Internet Explorer.
2. In the address bar, type account.manage.microsoft.com, and then press Enter.
3. When prompted, sign in as student@organizationname.onmicrosoft.com, where

organizationname is your Windows Intune organization name, with the password Pa$$w0rd.
4. In the Security Warning dialog box, click Yes.
6. On the Windows Intune page, under Management, click Users.
7. Next to Active Directory synchronization, click Set up.
8. Under step 3, click Activate.

9. In the Do you want to activate Active Directory synchronization dialog box, click Activate.
10. Under step 4, install and configure the directory synchronization tool, click Windows 64-bit version,
and then click Download.
11. Click Save As, and then save dirsync.exe to the Downloads folder.
12. When the download completes, click Open folder, and then double-click dirsync.exe.
13. On the Welcome page of the Windows Azure Active Directory Sync Setup Wizard, click Next.
14. On the Microsoft Software License Terms page, click I accept, and then click Next.
15. On the Select Installation Folder page, click Next. Installation of the DirSync tool takes
approximately 10 minutes to complete.
16. When the installation completes, click Next.

17. Clear the Start Configuration Wizard check box, and then click Finish.
18. Click Start, click Administrator, and then click Sign out.
19. Sign in to LON-CAS as Adatum\Administrator with the password Pa$$w0rd.
20. Double-click the Directory Sync Configuration icon on the desktop.
21. On the Welcome page of the Windows Azure Active Directory Sync tool Configuration Wizard, click
Next.
22. On the Windows Azure Active Directory Credentials page, enter the user name as
organization name. In the Password box, type Pa$$w0rd, and then click Next.
23. On the Active Directory Credentials page, in the Username box, type
administrator@adatum.com, in the Password box, type Pa$$w0rd, and then click Next.
24. On the Hybrid Deployment page, select Enable Hybrid Deployment, and then click Next.
25. On the Password Synchronization page, select Enable Password Sync, and then click Next.
26. On the Configuration page, click Next.
27. On the Finished page, ensure that Synchronize your directories now is selected, and then click
Finish.
28. In the Windows Azure Active Directory Sync Tool Configuration Wizard dialog box, click OK.
29. Wait for five minutes. Repeat steps 1-5 to return to the Windows Intune Admin page. Click Users.
30. If prompted to sign in again, in the Password box, type Pa$$w0rd, and then click Sign in.
31. Verify that the list of users in Windows Intune is now populated with users from AD DS.
32. In the User list, click Alex Darrow.

33. Select the Windows Intune check box, and then click Save.
34. On the Assign role page, leave default settings, and then in the Location box, select United States.
35. Click Save.
Results: After this exercise, you will have created a Windows Intune™ account, and configured directory
synchronization between the local Windows Server® Active Directory® Domain Services (AD DS) instance
and Windows Azure™ Active Directory.
Exercise 2: Configuring the Windows Intune Connector Role

 Task 1: Configure the Windows Intune connector
1. On LON-CAS, on the taskbar, click the Configuration Manager icon.
2. In the Administration workspace, expand the Cloud Services folder, and then click Windows
Intune Subscriptions.
3. On the ribbon, click Add Windows Intune Subscription.
4. On the Introduction page of the Create Windows Intune Subscription Wizard, click Next.
5. On the Subscription page, click Sign In.
6. If prompted in the Set the Mobile Device Management Authority dialog box, select I understand
that after I complete the sign-in process, the mobile device management authority is
permanently set to Configuration Manager and cannot be changed, and then click OK.
7. In the Subscription dialog box, in the Username box, type
organization name, and in the Password box, type Pa$$w0rd. Select Keep me signed in, and then
click Sign in.
8. If prompted by the Configuration Manager dialog box, click Yes.
9. On the Subscription page of the Create Windows Intune Subscription Wizard, click Next.
11. In the Select Collection dialog box, click All Users, and then click OK.
12. On the General page, enter the following information, and then click Next:
o Company Name: Adatum
o Configuration Manager site code: S01

13. On the Platforms page, click Next.
14. On the Company Contact Information page, click Next.
15. On the Company Logo page, click Next.

 Task 2: Deploy the Windows Intune site system role

1. Open the Configuration Manager console, and then click the Administration workspace.
2. In the Configuration Manager console, under the Site Configuration folder, click Sites.
3. On the ribbon, click Add Site System Roles.
4. On the General page of the Add Site System Roles Wizard, click Browse.
5. On the Select a Site System Server page, click \\LON-CAS, and then click OK.
8. On the System Role Selection page, click Windows Intune Connector, and then click Next.
 Task 3: Configure client access to the cloud-based distribution point

1. In the Configuration Manager console, click the Administration workspace, and then click Client
Settings.
2. Click Default Client Settings, and then on the ribbon, click Properties.
3. In the Default Settings dialog box, click Cloud Services. Next to allow access to cloud distribution
point, select Yes.
4. To close the Default Settings dialog box, click OK.
Results: After this exercise, you will have integrated Configuration Manager with Windows Intune.

following steps:

4. Repeat steps 2 to 3 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.

L8-55
Module 8: Maintaining and Monitoring System Center 2012

Lab: Maintaining System Center 2012
Exercise 1: Configuring maintenance tasks in Configuration Manager
 Task 1: Verify the default settings for maintenance tasks
1. On LON-CFG, from task bar, click Configuration Manager Console.

3. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, click
S01 – Adatum Site.
4. On the ribbon, in the Settings group, click Site Maintenance.

5. In the Site Maintenance dialog box, verify the tasks that are enabled. Notice that most tasks pertain
to deleting data from the database. This keeps your database from growing without control.
6. Double-click the Delete Aged Discovery Data task.

7. In the Delete Aged Discovery Data Properties dialog box, notice that the task’s configuration is to
delete data older than 90 days, and to run once a week, every Saturday.
8. Click OK.
Note: You may need to change the aged period for some tasks, depending on your
company’s need for data retention.
 Task 2: Configure the Delete Aged Inventory History task

1. In the Configuration Manager console, double-click the Delete Aged Inventory History task.
2. In the Delete Aged Inventory History Properties dialog box, in the Delete data that has been
inactive for (days) numeric textbox, type 365.
3. In the Start after box, select 1:00 AM.
4. In the Latest start time box, select 3:00 AM.
5. In the list of days, select Sunday, clear the Saturday check box, and then click OK.
 Task 3: Configure the Delete Aged Software Metering Data tasks

1. In the Configuration Manager console, double-click the Delete Aged Software Metering Data task.
2. In the Delete Aged Software Metering Data Properties dialog box, in the Delete data that has
been inactive for (days) numeric textbox, type 7.

5. In the list of days, ensure that all days are selected, and then click OK.
6. In the Configuration Manager console, double-click Delete Aged Software Metering Summary
Data.
L8-56 Maintaining and Monitoring System Center 2012 Configuration Manager
7. In the Delete Aged Software Metering Summary Data Properties dialog box, in the Delete data
that has been inactive for (days) numeric textbox, type 120.

10. In the list of days, clear the Sunday check box, select the Saturday check box, click OK, and then click
OK again.
Results: At the end of this exercise, you will have configured maintenance tasks in Configuration
Manager.
Exercise 2: Configuring the Site Backup Task

 Task 1: Configure the Site Backup task
1. On the LON-CFG server, from the Start menu, click Configuration Manager Console.

3. In the navigation pane, expand Site Configuration, and then click Sites.
4. In the results pane, click S01 – Adatum Site.
5. On the ribbon, click Settings, and then click Site Maintenance.

6. In the Site Maintenance dialog box, click Backup Site Server, and then click Edit.
click Set Paths.
8. In the Set Backup Paths dialog box, verify the option Local drive on site server for site data and
database is selected, and then click Browse.
Note: In practice, you should use either Network path (UNC name) for site data and
database to save backup on a network share, or, if the database is installed on a separate server,
use Local drives on site server and SQL Server.
9. In the Select Folder dialog box, navigate to drive C, create a new folder called Backup, and then click
Select Folder.
10. In the Set Backup Paths dialog box, verify that C:\Backup appears in the box, and then click OK.
minutes from now, and then click OK. You may need to adjust the Latest start time, so it is at least
one hour after the time that you enter in the Start after box.
12. In the Site Maintenance dialog box, on the Enabled column, next to the Backup Site Server task,
verify that the word Yes is displayed. Click OK.
 Task 2: Trigger the backup of the site, and verify its completion
1. From the Start screen, click Server Manager.
2. In the Server Manager windows, click Tools, and then click Services.
3. In the Services console, in the details pane, click the SMS_SITE_BACKUP service, and then on the
toolbar, click the Start Service button. Close the Services window.
5. If the backup occurs successfully, towards the end of the smsbkup.log file, the text Backup
completed appears, and then on the next line, the text STATMSG: ID=5035 appears.
6. Navigate to the C:\Backup\S01Backup\SiteDBServer folder, and then verify that it contains the
database files.
7. Navigate to the C:\Backup\S01Backup\SiteServer folder, double-click the SMSServer folder to

open it, and then note that it contains the data, inboxes, Logs, and srvacct folders.
9. In the navigation pane, expand System Status, and then click the Component Status node.
10. In the results pane, click the SMS_SITE_BACKUP component.

11. On the ribbon, click Show Messages, and then click All.
12. In the Status Messages: Set Viewing Period dialog box, accept the default of 1 day ago, and then
click OK.
13. In Configuration Manager Status Message Viewer, search for a message with a Message ID of 5035.
Note: When site backup completes successfully, message ID 5035 appears. This indicates
that the site backup completed without any errors.
14. Close Configuration Manager Status Message Viewer.
Results: At the end of this exercise, you should have performed a backup for the Configuration Manager
site.
Exercise 3: Recovering a Site from a Backup

 Task 1: Use the Site Recovery wizard to recover a site from backup
1. On LON-CFG, run E:\ConfigMgr2012R2\SMSSETUP\BIN\X64\setup.exe.
2. The Microsoft System Center 2012 R2 Configuration Manager Setup Wizard starts. On the Before
You Begin page, click Next.
3. On the Getting Started page at Available Setup Options, click Recover a site, and then click Next.
4. On the Site Server and Database Recovery Options page, click Recover the site database using
the backup set at the following location, and then click Browse.
5. In the Browse For Folder dialog box, select the C:\Backup\S01Backup folder, and then click OK.
6. On the Site Server and Database Recovery Options page, click Next.
7. On the Site Recovery Information page, verify that the option Recover primary site is selected,
L8-58 Maintaining and Monitoring System Center 2012 Configuration Manager
Next.
9. On the Microsoft Software License Terms page, select I accept these license terms, and then click
Next.
License Terms, and then under Microsoft Silverlight 5, select I accept these License Terms and
automatic updates of Silverlight. Click Next.
Browse.
12. In the Browse For Folder dialog box, select the E:\ConfigMgr2012R2\Redist folder, and then
click OK.
14. In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite validation to
finish.
15. On the Site and Installation Settings page, click Next.
16. On the Database Information page, click Next twice.
17. On the Customer Experience Improvement Program configuration page, select I don’t want to
join the program at this time, click Next, and then click Next again.
18. On the Settings Summary page, click Next.
19. In the Prerequisite Check dialog box, click Cancel, and then click Yes.
Note: It takes time to restore the site. Therefore, for expediency in this lab, you cancel the
restoration process.

following steps:
4. Repeat steps 2 and 3 for 10748C-LON-CAS-C and 10748C-LON-CFG-C.
Results: At the end of this exercise, you should have recovered the Configuration Manager 2012 R2
primary site.
L9-59
Module 9: Migrating to System Center 2012 R2

Lab: Migrating from System Center
Configuration Manager 2007 to System
Center 2012 Configuration Manager
Exercise 1: Configuring the Source Hierarchy
 Task 1: Review the objects that must be migrated (Optional)
1. On LON-CM7, on the task bar, click Configuration Manager Console.
2. In the navigation pane, expand Site Database, and then click Site Management. In the results pane,
verify that in the Version column appears 4.00.6487.2000, which means the site is running
Configuration Manager 2007 Service Pack 2.
3. In the navigation pane under Site Database, expand Site Management, expand CM7-London
Configuration Manager 2007, expand Site Settings, and then click Boundaries.
4. In the results pane, right-click the IP subnet boundary, and then click Properties.
5. In the Properties dialog box, review the configuration of the boundary, and then click Cancel.
6. In the navigation pane, under Site Database, under Site Management, under CM7-London
Configuration Manager 2007, expand FHM - Fulham Secondary Site, expand Site Settings,
expand Site Systems, and then click \\LON-SVR1.
7. In the results pane, verify that the \\LON-SVR1 site system includes the following roles:
o ConfigMgr component server
o ConfigMgr distribution point
o ConfigMgr site server

o ConfigMgr site system
8. In the navigation pane, expand Computer Management, expand Collections, right-click the
Adatum Servers collection, and then click Properties.
9. In the Adatum Servers Properties dialog box, click the Membership Rules tab. Observe that there
are no membership rules defined, and then click OK.
Note: The Adatum Servers collection does not have any members and serves as a container
for the other two collections.
10. In the navigation pane, expand Adatum Servers, click the London Servers collection, and then in
the results pane, observe that LON-CM7 and LON-SVR1 are the only members of the collection.
11. In the navigation pane, right-click the London Servers collection, and then click Properties.
12. In the London Servers Properties dialog box, click the Membership Rules tab.
13. Under Membership Rules, click London Servers, and then click the Properties button.
14. In the Query Rule Properties dialog box, click Edit Query Statement.
L9-60 Migrating to System Center 2012 R2 Configuration Manager
15. In the London Servers Query Statement Properties dialog box, click Show Query Language.
16. In the London Servers Query Statement Properties dialog box, examine the query, and then click
Cancel.
17. In the Query Rule Properties dialog box, click Cancel.
18. In the London Servers Properties dialog box, click Cancel.
19. In the navigation pane, click the ConfigMgr Servers collection, and then in the results pane, observe
that LON-CM7 is the only member of the collection.
Note: The London Servers collection uses a query rule to include all computers with a name
starting with LON.
20. In the navigation pane, right-click the ConfigMgr Servers collection, and then click Properties.
21. In the ConfigMgr Servers Properties dialog box, click the Membership Rules tab.
22. Under Membership rules, observe the direct membership rule created for LON-CM7.
23. In the ConfigMgr Servers Properties dialog box, click Cancel.
Note: The ConfigMgr Servers collection uses a direct membership rule to include LON-CM7
as a member.
24. In the navigation pane, expand Software Distribution, and then click Packages.
25. In the results pane, right-click the Microsoft Office Word Viewer 2003 package, and then click
Properties. Note that this is a Windows Installer package.
26. Review the properties of the package, and then click Cancel.
27. Expand the Microsoft Corporation Microsoft Office Word Viewer 2003 package, and then click
Distribution Points. Note that the package is distributed to both \\LON-CM7 and \\LON-SVR1.
28. In the navigation pane, right-click the Excel Viewer 1 package, and then click Properties. Note that
this is a Microsoft Application Virtualization (App-V) package.
29. Review the properties of the package, and then click Cancel.
30. Expand the Excel Viewer 1 package, and then click Distribution Points. Note that the package is
distributed to both \\LON-CM7 and \\LON-SVR1.
31. In the navigation pane, click Advertisements.

32. In the results pane, review the existing advertisements.
33. In the navigation pane, expand Asset Intelligence, expand Customize Catalog, and then click
Software Categories. Review the Adatum Software custom category.
34. In the navigation pane, click Software Families. Review the Adatum LOB Applications custom
family.
35. In the navigation pane, click Custom Labels. Review the Adatum Application custom label.
36. In the navigation pane, expand Desired Configuration Management, and then click Configuration
Items.
37. In the results pane, right-click the Windows Firewall Enabled configuration item, and then click
Properties.
38. In the Windows Firewall Enabled Properties dialog box, on the General tab, review the properties,
and then click the Settings tab.
39. On the Settings tab, in the Name column, click the Windows Firewall is running setting, and then
click Edit.
40. In the Windows Firewall is running Properties dialog box, review the settings, and then click
Cancel. Note that this configuration item is using a WMI query language (WQL) query to check the
status of the Windows Firewall.
41. In the Windows Firewall Enabled Properties dialog box, click Cancel.
42. In the navigation pane, click Configuration Baselines.

43. In the results pane, right-click the Adatum Security Policy Validation baseline, and then click
Properties.
44. In the Adatum Security Policy Validation Properties dialog box, review the settings, and then click
Cancel.
 Task 2: Prepare permissions on LON-CM7 and LON-SRV1

1. On LON-CM7, open the Server Manager from the taskbar, in the Server Manager dashboard, click
Tools, and then click Computer Management.
2. In Computer Management, expand Local Users and Groups, and then click the Groups folder.
3. Double-click the Administrators group.

5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, select
the Computers check box, and then click OK.
6. In the Enter the object names to select field, type LON-CAS; LON-CFG, and then click OK.
8. On LON-CM7, start the Configuration Manager console, if it is not already started.
9. In the navigation pane, under Site Database, under Site Management, under CM7-London
Configuration Manager 2007, expand FHM - Fulham Secondary Site, expand Site Settings,
expand Site Systems, and then click \\LON-SVR1.
10. Right-click ConfigMgr site system, and then select Properties.
11. Select the Specify a fully qualified domain name (FQDN) for this site system on the intranet
check box.
12. In the Intranet FQDN field, type LON-SVR1.Adatum.com, and then click OK.
13. Repeat steps 1 through 7 on LON-SVR1.
 Task 3: Configure the source hierarchy

1. On the LON-CFG server, on the task bar, click Configuration Manager Console.
3. In the navigation pane, expand the Migration node, and then click Source Hierarchy.
4. On the ribbon, click Specify Source Hierarchy.
5. In the Top-level Configuration Manager site server box, type LON-CM7.Adatum.com.

6. In the Specify Source Hierarchy dialog box, under Specify the Source Site Account to use to
access the SMS Provider for the source site server. This account requires Read permissions to
all source site objects, verify that User Account is selected, click Set, and then click New Account.
7. In the Windows User Account dialog box, in the User name box, type Adatum\Administrator.
8. In the Windows User Account dialog box, in the Password and Confirm password boxes, type
Pa$$w0rd, and then click Verify.
9. In the Windows User Account dialog box, click Test connection.
10. In the Configuration Manager message box, click OK.
11. In the Windows User Account dialog box, click OK.
12. In the Specify Source Hierarchy dialog box, under Specify the Source Site Database Account to
use to access the SQL Server for the source site server. This account requires Read and Execute
permissions to the source site database, verify that Use the same account as the Source Site
SMS Provider Account is selected.
13. Select the Enable distribution-point sharing for the source site server check box, and then
click OK.
14. In the Data Gathering Status dialog box, wait for the data collection to complete, and then click
Close.
15. On the ribbon, click Refresh, and then verify that LON-CM7.ADATUM.COM and
LON-SVR1.ADATUM.COM appear in the preview pane on the Shared Distribution Points tab.
Note: By configuring the Shared Distribution Points option, both the Configuration
Manager 2007 clients and Configuration Manager 2012 clients will have access to the packages
during migration.
Results: At the end of this exercise, you should have reviewed the configuration of the Microsoft® System
Center Configuration Manager 2007 site and configured the source hierarchy in Configuration Manager
2012.
Exercise 2: Creating a Migration Job and Performing Migration

 Task 1: Create a collection migration job
1. On LON-CFG, in the navigation pane, click Migration Jobs.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts.
3. On the General page, in the Name box, type Collections and associated objects, and then in the
Description (optional) box, type Migrate collections and associated objects.
4. On the General page, in the Job type drop-down box, select Collection migration, and then click
Next.
5. On the Select Collections page, select the Adatum Servers check box (this also selects London
Servers and ConfigMgr Servers), verify that the Migrate objects that are associated with the
specified collections check box is selected, and then click Next.
6. On the Select Objects page, under Object types, verify that Software Distribution Deployments is
selected.
7. Under Available objects, clear the KB977384 check box.
8. Under Object types, select Software Distribution Packages.
9. Under Available objects, clear the KB977384 – Advanced Client Hotfix – CM7 check box.
10. Under Object types, select Virtual Application Packages.
11. Under Available objects, verify that Excel Viewer 1 is selected, and then click Next.
12. On the Content Ownership page, select S01 – Adatum Site from the Destination Site drop-down
list, and then click Next.
13. On the Security Scope page, select the Default check box, and then click Next.
14. On the Collection Limiting page, click Next.

15. On the Site Code Replacement page, click Next.
16. On the Review Information page, review the objects to be migrated, and then click Next.
17. On the Settings page, verify that Run the migration job now is selected, review the other settings,

20. On the ribbon, click Refresh.
Refresh.

1. In the results pane, click the Collections and associated objects migration job.
2. In the preview pane, click the Objects in Job tab, and then review the objects included in the
migration job.
3. Close and then reopen the Configuration Manager console.

5. In the navigation pane, expand Device Collections, and then open the Adatum Servers folder. If
you do not see the Adatum Servers folder, click the Overview node, and then press F5 on your
keyboard to refresh the navigation pane.
6. In the results pane, observe the ConfigMgr Servers and London Servers collections.
7. Right-click the London Servers collection, and then click Properties.

8. In the London Servers Properties dialog box, click the Membership Rules tab.
9. Under Membership rules, select the London Servers rule, and then click Edit.
10. In the Query Rule Properties dialog box, review the query, and then click Cancel.
11. In the London Servers Properties dialog box, click Cancel.
12. In the Configuration Manager console, click the Software Library workspace.
13. In the navigation pane, expand Application Management, and then click the Packages node.
14. In the results pane, select Microsoft Office Word Viewer 2003, and then in the preview pane, click
the Deployments tab. Note the migrated deployment.
15. In the navigation pane, click the Applications node.
16. In the results pane, select the migrated Excel Viewer virtual application package, and then in the
preview pane, click the Deployment Types tab. Note the Microsoft Application Virtualization 4
deployment type.
 Task 3: Migrate objects by type

2. In the navigation pane, expand the Migration node, and then click the Migration Jobs node.
3. On the ribbon, click Create Migration Job.
4. In the Name box, type Migrate objects by type, and then in the Description (optional) box, type
Migration of specific objects.
5. On the General page, in the Job type drop-down box, select Object migration, and then click Next.
6. On the Select Objects page, under Object types, click to select the Boundaries check box.
7. Under Object types, select the Configuration Baselines check box.

8. In the Included Objects dialog box, click Continue.
9. Under Object types, select the Asset Intelligence Catalog check box.
10. On the Select Objects page, click Next.

11. On the Content Ownership page, click Next.
12. On the Security Scope page, click Default, and then click Next.
13. On the Review Information page, review the objects to be migrated, and then click Next.
14. On the Settings page, verify that Run the migration job now is selected, review the other settings,

17. On the ribbon, click Refresh.
18. In the results pane, verify that the status of the migration job is Completed. If necessary, select the
Migrate objects by type object, and then click Refresh.

2. In the navigation pane, expand Asset Intelligence, and then click Catalog.
3. In the results pane, click the Validation State column until the following User Defined objects
appear at the top of the list: Adatum LOB Applications, Adatum Software, and Adatum
Application.
4. In the navigation pane, expand Compliance Settings, and then click Configuration Items.
5. In the results pane, review the Windows Firewall Enabled and Windows Version is Windows 7
migrated configuration items.
6. In the navigation pane, click Configuration Baselines.

7. In the results pane, review the Adatum Security Policy Validation migrated baseline.

9. In the navigation pane, expand Hierarchy Configuration, and then click Boundaries.
10. In the results pane, review the migrated boundary.
11. In the navigation pane, click Boundary Groups.
12. In the results pane, review the CM7 (London Configuration Manager 2007) boundary group
created from the Configuration Manager 2007 site.
 Task 5: View migration reports

2. In the navigation pane, expand Reporting, and then expand Reports.

3. Click the Migration folder.
4. In the results pane, click Migration Job properties, and then on the ribbon, click Run.
5. After Migration Job Name, click Values.

6. Under Migration Job Name, click the Collections and associated objects migration job, and then
click OK.
7. Click View Report.
9. In the results pane, click Migration jobs, and then on the ribbon, click Run.
10. After reviewing the Migration jobs report, close the Migration jobs window.
Results: At the end of this exercise, you should have created migration jobs, performed object migration,
and viewed the migration reports.
Exercise 3: Migrate a Secondary Site to a Distribution Point

 Task 1: Reassign a secondary site as a distribution point
1. On LON-CFG, in the navigation pane, click the Administration workspace, expand Migration, and
then click Distribution Point Migration.
2. On the ribbon, click Reassign Distribution Point. The Reassign Shared Distribution Point Wizard
starts.
3. On the General page, next to the Name box, click Browse.
4. In the Select Distribution Point dialog box, click LON-SVR1.ADATUM.COM, and then click OK.
5. On the General page, in the Site code drop-down box, select S01 – Adatum Site, and then click
Next.
6. On the Distribution point page, select the Install and configure IIS if required by Configuration
Manager check box, and then click Next.
7. On the Drive Settings page, click Next.

8. On the Pull Distribution Point page, click Next.
9. On the PXE Settings page, click Next.

10. On the Content Validation page, click Next.
11. On the Boundary Groups page, click Add, select the CM7 (London Configuration Manager 2007)
check box, and then click OK.
13. Review the Content Conversion page, and then click Next.

16. Press the F5 key.
17. In the results pane, monitor the status of the migration job until it is Pending on secondary site
uninstallation. Click Refresh to update the status column as necessary.
18. Open File Explorer, and connect to \\LON-SVR1\C$.
19. Double-click ConfigMgrSetup.log. The ConfigMgrSetup.log opens in CMTrace.
20. Monitor the ConfigMgrSetup.log file until the Completed the deinstall of the ConfigMgr site
message appears.
Note: The uninstallation of the secondary site should take about five minutes.
21. Close CMTrace and File Explorer.

22. In the Configuration Manager console, click the Source Hierarchy node.
23. Click CM7, and then on the ribbon, click Gather Data Now.
24. In the Data Gathering Status dialog box, after the data gathering process completes, click Close.
25. Click the Distribution Point Migration node.
26. Select LON-SVR1.ADATUM.COM, and then click Refresh. The status should change to Reassigning
distribution point.
27. Monitor the status until Completed reassign distribution point appears. Click Refresh as necessary.
Note: The distribution point installation should take about five minutes.

1. In the Configuration Manager console, in the Administration workspace, click Distribution Points.
2. Click LON-SVR1.ADATUM.COM, and then on the ribbon, click Properties.

3. In the LON-SVR1.ADATUM.COM Properties dialog box, click the Boundary Groups tab. Verify that
the CM7 (London Configuration Manager 2007) boundary is listed.
4. In the LON-SVR1.ADATUM.Com Properties dialog box, click Cancel.
5. Click the Monitoring workspace, expand the Distribution Status folder, and then click the Content
Status node.
6. Click the Excel Viewer application, and then in the completion statistics, click View Status.
7. LON-SVR1.ADATUM.COM should be listed in the Asset Details pane.
 Task 3: Decommission the source hierarchy

2. In the navigation pane, expand the Migration node, and then click the Source Hierarchy node.
3. In the results pane, click CM7, and then on the ribbon, click Stop Gathering Data.
5. In the results pane, verify that CM7 has the status Have not gathered data, and then on the ribbon,
click Clean Up Migration Data.
6. In the Clean Up Migration Data dialog box, verify that CM7 (LON-CM7.Adatum.com) appears in
the Source hierarchy box, and then click OK.
8. In the results pane, note that the source hierarchy has been removed.
 Task 4: To prepare for the course finish

following steps:

4. Repeat steps 2 and 3 for 10748C-LON-CAS-C, 10748C-LON-CFG-C, 10748C-LON-CM7-C, and
10748C-LON-SVR1-C.
Results: At the end of this exercise, you will have reassigned a secondary site.

10748C TrainerHandbook PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

10748C TrainerHandbook PDF

Uploaded by

Copyright:

Available Formats

MCT USE ONLY.

STUDENT USE PROHIBITED

© 2014 Microsoft Corporation. All rights reserved.

Product Number: 10748C

Part Number: X19-17689

a. If you are a Microsoft IT Academy Program Member:

b. If you are a Microsoft Learning Competency Member:

d. If you are an End User:

e. If you are a Trainer.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject

11. APPLICABLE LAW.

This limitation applies to

LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES

Revised July 2013

Conan Kezema: Content Developer

David Susemiehl: Content Developer

Orin Thomas: Content Developer

Telmo Sampaio: Content Developer

Bob Lawler: Technical Reviewer

Module 2: Planning and Deploying a Stand-Alone Primary Site

Module 3: Planning and Configuring Role-Based Administration

Module 4: Planning and Deploying a Multiple-Site Hierarchy

Module 5: Replicating Data and Managing Content in Configuration Manager 2012

Module 6: Planning Resource Discovery and Client Deployment

Module 7: Configuring Internet and Cloud-Based Client Management

Module 8: Maintaining and Monitoring System Center 2012 Configuration Manager

Module 9: Migrating to System Center 2012 R2 Configuration Manager

Lab Answer Keys

About This Course

• Active Directory® Domain Services (AD DS) principles and management.

• Deployment, configuration, and troubleshooting for Windows-based personal computers.

• Configuration Manager features and administrative tasks including:

• Working with collections.

• Managing software updates.

• Deploying operating systems.

• Course 20411: Administering Windows Server® 2012

o Course 10747: Administering System Center 2012 Configuration Manager

• Describe the System Center 2012 R2 Configuration Manager infrastructure.

• Plan and configure role-based administration.

• Plan and deploy a multiple site hierarchy.

• Plan resource discovery and client deployment.

• Configure Internet and cloud-based client management.

• Migrate to System Center 2012 R2 Configuration Manager.

Module 1, Overview of System Center 2012 R2 Configuration Manager

Module 2, Planning and Deploying a Stand-Alone Primary Site

Module 3, Planning and Configuring Role-Based Administration

Module 4, Planning and Deploying a Multiple Site Hierarchy

Module 6, Planning Resource Discovery and Client Deployment

Module 7, Configuring Internet and Cloud-Based Client Management

Module 8, Maintaining and Monitoring System Center 2012 R2 Configuration Manager

Module 9, Migrating to System Center 2012 R2 Configuration Manager

Exam Objective Domain: 70-243: Administering and Deploying

6. Manage Clients (10 - 15%)

• Lab Answer Keys: Provide step-by-step lab solution guidance.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site:

Student Course files: on the http://www.microsoft.com/learning/companionmoc site.

Virtual Machine Environment

Virtual Machine Configuration

Virtual machine Role

10748C-LON-CFG (A,B,C) Configuration Manager primary site server

10748C-LON-CAS-(B,C) Central administration site server

10748C-LON-SVR1-C Server in the adatum.com domain

10748C-LON-CM7-C Configuration Manager 2007 installation used for migration