Saturday 10 August 2013

ConfigMgr 2012 / SCCM 2012 Design Considerations




Central Administration Site

  • A central administration site can support up to 25 child primary sites
  • When you use SQL Server Enterprise or Datacenter for the site database at the central administration site, the shared database and hierarchy supports up to 400,000 clients
  • In most cases a CAS is not required. You only need a CAS if:
    • you REQUIRE more than one Primary Site
    • you have over 100,000 clients

Primary Site
  • A stand-alone primary site always supports up to 100,000 clients
  • Each primary site management point can support up to 25,000 computer clients. To support 100,000 clients you must have at least four management points. Each primary site can support up to 10 management points
  • Each primary site can support up to 250 secondary sites

Primary Site Server (local or remote SQL)
 
  • Microsoft support both scenarios and do not care where SQL is installed. However most ConfigMgr consultants will tell you to install SQL locally. You have more control and your solution will be less problematic.
  • Also the ConfigMgr Primary Site Server computer account must be local administrator and Sysadmin for the SQL instance. This is a hard sell for most DBAs in a shared SQL environment.
 
Secondary Site
  • The number of secondary sites per primary site is based on continuously connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site
  • Each secondary site supports a single management point that must be installed on the secondary site server.
  • Maximum number of clients is 5,000

Distribution Point
  • Individually, each primary site supports up to 250 distribution points and each distribution point can support up to 4,000 clients.
  • Individually, each secondary site supports up to 250 distribution points and each distribution point can support up to the same number of clients as supported by the hardware configuration of the secondary site server, up to no more than 4,000 clients.
  • Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary site’s child secondary sites.
  • Each distribution point supports a combined total of up to 10,000 packages and applications.

Boundaries
Best practice is to use IP Ranges

High Availability
  • ConfigMgr is not a real-time service like Exchange or SharePoint. It has not been designed to be "highly available" (even though you can introduce a certain amount of redundancy by deploying additional management points). It is more useful that you implement a backup strategy (with regular test restores) so that you can recover a failed site in an acceptable time-frame.
  • Note that ConfigMgr 2012 supports full recovery via SQL backup alone.
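The limits listed above can be checked mechanically against a proposed hierarchy. The following is an added example, not code from this blog or from Microsoft: the `Location` and `Design` classes, the rule names and the sample design are constructed for illustration, and only the numeric limits come from the article.

```python
from dataclasses import dataclass, field
from math import ceil

# Limits exactly as stated in the article above (ConfigMgr 2012).
CLIENTS_PER_PRIMARY = 100_000    # stand-alone primary site
CLIENTS_PER_MP = 25_000          # per primary site management point
MAX_MPS_PER_PRIMARY = 10
MAX_SECONDARIES = 250            # secondary sites per primary
CLIENTS_PER_SECONDARY = 5_000
SECONDARY_MIN_CLIENTS = 500      # below this, consider a DP instead
MAX_DPS_PER_SITE = 250           # per primary or per secondary, individually
MAX_DPS_COMBINED = 5_000         # primary plus all child secondaries
CLIENTS_PER_DP = 4_000


@dataclass
class Location:                  # hypothetical model of one remote location
    name: str
    clients: int
    role: str = "none"           # "secondary", "dp" or "none"
    dps: int = 0                 # distribution points at this location


@dataclass
class Design:                    # hypothetical model of one primary site
    primary_clients: int         # clients at the primary site's own location
    primary_dps: int
    mps: int                     # management points at the primary site
    locations: list = field(default_factory=list)


def review(design):
    """Return (where, rule, detail) findings; an empty list means within limits."""
    out = []
    total = design.primary_clients + sum(l.clients for l in design.locations)

    if total > CLIENTS_PER_PRIMARY:
        out.append(("hierarchy", "exceeds-standalone-primary",
                    f"{total} clients; more than one primary, and so a CAS, is needed"))

    # Conservative simplification: every client counts against the primary's MPs.
    needed = ceil(total / CLIENTS_PER_MP)
    if design.mps < needed:
        out.append(("primary", "too-few-mps", f"{design.mps} MPs, need {needed}"))
    if design.mps > MAX_MPS_PER_PRIMARY:
        out.append(("primary", "too-many-mps", f"{design.mps} > {MAX_MPS_PER_PRIMARY}"))

    secondaries = [l for l in design.locations if l.role == "secondary"]
    if len(secondaries) > MAX_SECONDARIES:
        out.append(("hierarchy", "too-many-secondaries", str(len(secondaries))))
    for s in secondaries:
        if s.clients > CLIENTS_PER_SECONDARY:
            out.append((s.name, "secondary-over-capacity",
                        f"{s.clients} > {CLIENTS_PER_SECONDARY}"))
        elif s.clients < SECONDARY_MIN_CLIENTS:
            out.append((s.name, "secondary-too-small",
                        "consider a distribution point instead"))

    # DPs outside secondary sites belong to the primary; a secondary counts its own.
    primary_dps = design.primary_dps + sum(
        l.dps for l in design.locations if l.role != "secondary")
    per_site = [("primary", primary_dps)] + [(s.name, s.dps) for s in secondaries]
    for name, count in per_site:
        if count > MAX_DPS_PER_SITE:
            out.append((name, "too-many-dps", f"{count} > {MAX_DPS_PER_SITE}"))
    if sum(c for _, c in per_site) > MAX_DPS_COMBINED:
        out.append(("hierarchy", "too-many-dps-combined", f"> {MAX_DPS_COMBINED}"))

    # Per-location DP capacity, checked only where DPs are declared.
    spots = [("primary", design.primary_clients, design.primary_dps)]
    spots += [(l.name, l.clients, l.dps) for l in design.locations]
    for name, clients, dps in spots:
        if dps and clients > dps * CLIENTS_PER_DP:
            out.append((name, "dp-capacity",
                        f"{clients} clients on {dps} DP(s), {CLIENTS_PER_DP} each"))
    return out


# Constructed sample design, not taken from any comment below.
SAMPLE = Design(
    primary_clients=3000, primary_dps=1, mps=1,
    locations=[
        Location("branch-a", 1000, "dp", 1),
        Location("branch-b", 25, "secondary", 1),
        Location("branch-c", 6000, "secondary", 1),
    ],
)

if __name__ == "__main__":
    for where, rule, detail in review(SAMPLE):
        print(f"{where:10} {rule:26} {detail}")
```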


120 comments:

  1. Hi Gerry. I have read about the conveniences of installing a Distribution Point instead of a secondary site in some circumstances. I understood that if you have less than 500 clients in a remote site, the best option is to use a DP instead of a Secondary Site.

    In my case I have a central office with a WAN link speed of 6 MB and about 10 remote sites with WAN links speed of about 1 MB and less than 100 users in each Branch Office.

    What is your suggestion, should I install secondary sites or Distribution Point + management point in the remote sites?

  2. It's really impossible to say without knowing further information. However I would start with Distribution Points in each location and monitor the WAN links. You can use the inbuilt rate limits and scheduling to throttle the bandwidth. If you feel it is necessary you can then deploy secondary sites.

  3. Thanks Gerry. That's what I am planning to do.

  4. Hi Gerry - I am having a hard time finding HD size recommendations for OS, SCCM (SQL seems to be more talked about). I'm running a small environment - 500 devices/users, and I want to manage a few image deployments, push Windows updates and deliver some applications. I know this is not a lot of information, but I have no idea what kind of database requirements this might have, or how much space on a D: drive, for example, I would need when all roles are on a single server (eg. DP, WSUS, MP, etc.). Do you have any recommendations? Thank you

    Replies
    1. For a small site like that I would start with 3 partitions:

      C: OS - 80GB
      E: Apps - 80GB
      F: Distribution Point- 300GB

      These are only guidelines. It's impossible to be definitive. You should be in a position to extend the storage if you need to.

  5. Thanks Gerry, appreciate your input. For SQL, should you always separate TempDB and SQL primary data? Or for smaller environments, could I put everything on for example D: in this case? Great blog series, I have learned a lot.

    Replies
    1. You're right. It's not so important for small environments.

  6. Hello Gerry,
    Can I install SCCM 2012 on Windows 2008 R2 STD 64 BIT with SQL 2008?

    Replies
    1. All versions of ConfigMgr 2012 (RTM, SP1 & R2) can be installed on Windows 2008R2 Std x64. For the database, you will require a minimum of either:
      SQL Server 2008 SP2 CU9
      or
      SQL Server 2008 SP3 CU4

  7. Looking to install SCCM 2012 for about 600 devices. The issue is they are in multiple AD sites. Can I manage all from one primary server, or will I need distribution points at all the locations? And if so, can that distribution point be installed on the DC?

    Replies
    1. Did I just answer this question on the Technet forum?

    2. Hi Gerry,
      Which URL please?

      Tks
      Mark

    3. Sorry Mark. I can't remember. There isn't enough detail in the question above.

  8. Hi Gary,

    Excuse the stupid question but can I deploy a management point and a distribution point on the same 2008r2 box or do they have to be independent entities??

    Replies
    1. Yes, you can. All single server implementations have both.

    2. Thanks Gerry for the prompt reply and sorry for misspelling of your name.

      I am just starting planning our config manager setup. 1 main site (3000 devices) with standalone primary, multiple out centers (no more than 1000 devices) each with DPS and MPs. No point deploying central admin for the amount of devices we have and same goes for secondary site as all our links are 1gb min. Does this sound ok for a start??

    3. No bother. Yes, install a standalone Primary Site in your main site (3000 users). However be careful with the other locations. Installing the DP is OK and recommended. However deploying remote MPs does not make sense. Multiple MPs are deployed for load balancing and you cannot control which MP your clients will use. It's completely random. Therefore you could have a situation where clients in your main site will use a remote MP and vice versa.

      If you need remote clients to use a remote MP then you need to deploy a secondary site at that location.

  9. Gerry, We're thinking of implementing SCCM in our environment. We have about 400 laptops & 400 desktops and SCCM will be used mainly for OSD, Patching, App deployment, Asset management and Software metering. We have remote sites across Australia and the HQ is in Melbourne. We have implemented MPLS recently. Please let me know if the following site hierarchy suits our requirement
    1 Primary Site in Melbourne
    DP in Queensland, New South Wales and Western Australia - Do we need 3 VMs for DP??
    SQL will be installed locally on the Primary site server

    Can I install SCCM2012, SQL 2012, WSUS 4.0 and DP on a single VM?
    C: OS - 80GB
    E: Apps - 50GB
    F: Distribution Point- 300GB

    Let me know. Thanks in advance

    Replies
    1. It's difficult to say but it sounds reasonable. I would deploy a DP on all sites with more than 20 users. You should have decent RAM (perhaps 12GB) and at least 2 virtual processors. Also, why so little disk space? I would raise E: and F: (especially if you are doing OSD).

  10. Hi Gerry, Thanks for your great blog. I am installing SCCM and wondering if there will be any conflict installing SCCM2012, SQL2012 in my primary site in an environment where there is an existing SQL2008 in use by another application?

  11. I have 5000 clients in the same location. They are divided into 3 main branches in the OU and subnet. Will it be OK to install a primary site and 3 distribution points without a secondary site?

    Replies
    1. If all your clients are in the same location then you do not need a Secondary Site. You just need a Standalone Primary Site. The number of DPs you require will depend on how busy you will be with deployments. I've seen customers of that size with just one suitably resourced DP.

  12. Hi Gerry,

    In our environment, we are going to implement SCCM2012, we have a corporate office nearly 400 Servers and 8 locations have less than 100 servers, please let me know how to design?

    Replies
    1. You haven't given me enough information.

      Will you manage servers & workstations (you haven't quantified)?
      What are WAN links between offices?
      What ConfigMgr features will you be implementing?

  13. Gerry:

    We currently have a SCCM 2012 r2 environment, but we would like to have better controls over the servers and would like to separate them out from the 25,000+ desktops. Would it make more sense for us to have a secondary site for the 1500+ servers or should they be a standalone instance, and are there any gotchas either way that I should know about? I haven't been able to find much information online about this type of situation.

    Thanks for the great blog and appreciate the advice!

    Replies
    1. I couldn't give design advice without knowing more about your infrastructure.
      How many locations?
      No. of users in each location?
      WAN links between sites?

      I will say that you don't specifically need a Secondary Site (and certainly not another Primary) to manage your servers and logically separate them. You can do this with collections.

  14. Hi Gerry,

    Liked your blog and it's very interesting.

    We are planning to install SCCM 2012 R2, so my doubt is what are the things we need to consider while designing the SCCM 2012. Can you tell me the points? Please help me on SCCM design. Thanks

    Replies
    1. I will be able to advise you if you give me some details

      1. No. of users per site
      2. Quality of WAN links
      3. What features will you be implementing

  15. Hi Gerry,

    What's your advice in regards to installing SCCM 2012, SQL 2012 and WSUS all on one server? SCCM will be managing around 250 clients. Is this a good design or what will you propose in this case?

  16. Hi Gerry,

    You did not talk about the firewall consideration during planning and how to configure it?

    Replies
    1. You're right. I didn't. You can find the Technical Reference for Ports Used in Configuration Manager here

      http://technet.microsoft.com/en-us/library/hh427328.aspx

  17. IP address range is not a best practice, check it

    Replies
    1. It depends where you look. In reality you should use the solution that fits in your environment and works for you.

    2. I believe IP ranges are less taxing on resources. Most PFE & MCS that I have spoken with say that ranges are preferred.

  18. Hi Gerry

    I am planning to implement Configuration Manager 2012 on 3 different forests and domains (no trust between them)

    Each domain has 5000 clients. There are many ways to achieve that but one way I found is to install a primary site on each domain and manage all primaries with a CAS.
    What do you recommend?

    Replies
    1. Sorry for the late response. You don't need a CAS to manage 15,000 clients, regardless of their domain membership. Have a look at this good blog series for managing clients in untrusted domains.

      http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx

      http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx

      http://blogs.technet.com/b/neilp/archive/2012/08/24/cross-forest-support-in-configmgr-2012-part-3-deploying-site-server-site-systems-in-an-untrusted-forest.aspx

  19. Hi Gerry,

    Will it be possible for you to share which ports I need to open just to manage Windows update? I am planning to install SCCM as a stand alone and it seems I need to open so many ports, which I am worried about. Are there ports that need opening on the SCCM server but not on the clients?

    Replies
    1. You will find that information here

      http://technet.microsoft.com/en-us/library/bb632618.aspx

      http://technet.microsoft.com/en-us/library/gg682180.aspx

  20. Hi Gerry,

    We are a small organisation with about 250 clients/users looking to implement SCCM primarily to deploy OS, applications, updates, asset management and software metering. We have several remote sites with very few users. I have provided below the detailed information on the same.

    Site 1 - 150 clients
    Site 2 - 55 clients
    Site 3 - 15 clients
    All the three sites are connected by 1Gbps Fiber link.
    In addition we have two other sites
    Site 4 - 10 clients
    Site 5 - 10 clients
    These two sites are connected to site 1 via a 10Mbps link.


    I was wondering if we could just implement a Standalone Primary to service Sites 1, 2 and 3 and thinking of using Win 7 as BranchCache for Sites 4 and 5 (Can Win 7 Professional be used for BranchCache?).

    I was wondering if you would recommend this design or a different one?

    And also, regarding the SQL, we currently run SQL server 2008 R2. Should we create a separate instance for running SCCM database or use the current instance .

    Thanks,

    Replies
    1. 1. I would implement a standalone Primary Site in Site 1. Install SQL on the same server. You can also make this your MP and DP.
      2. I wouldn't do anything special with Sites 2 and 3 as they are well-connected with few clients
      3. It's a tough call as to what to do with Sites 4 and 5. It really depends on what you need to do. If you are going to be deploying a lot of software you may need local Distribution Points. You could use a Windows 7 computer for this. If you want to image computers via PXE you will need a server OS.

    2. Hi Gerry, Thank you for your recommendation. It was very helpful. To add to this I have a few more questions.
      1. Due to SQL license cost and budget constraints, procuring a new license is a no. Instead could we use our existing SQL DB Server or will this cause any critical issues?
      2. What would be your recommended hardware configuration on the standalone primary site (not running SQL locally and running SQL locally) for our environment?

      Thanks and Regards,

    3. There is no SQL cost when you install it locally. It is included in the cost for all System Center products.

  21. Hi Gerry,

    Thanks for the write up, good to see people helping out others. =)

    Was hoping you could check to see if the design consideration is worth deploying or do you recommend a different approach? Thanks in Advance!

    2 Forests- One way Trust. One way trust in place

    Looking to deploy a Primary with a remote SQL as we will have all the other SC packages in the near future. Secondary will host its local SQL instance with separate DPs at each site on different VLANs so if any major changes/updates need to occur on the primary/secondary we won't have any major disruptions.

    Any feedback would be great. =)

    Once again thanks for your time.

    Cheers,
    Blaz

    Replies
    1. I would keep SQL local on the Primary Site Server Blaz. It is not recommended to share the SQL instance with any other System Center product.

  22. hi Gerry,

    I was wondering if you can confirm my design idea.

    3 sites
    A - B - C
    a-b link is 1gig
    b-c is 300meg
    a has about 700 clients
    b has 1000 clients
    c has 1700 clients

    I was thinking of a primary at site b with local sql
    secondary at b and c

    Replies
    1. I'm presuming you mean Secondary Sites at Site A and Site C. That would certainly work. It's possible that you may not need a secondary site at Site A though. You could start off without it and monitor the WAN traffic for any problems.

    2. hi Gerry for right I meant A and C.
      Sorry, never worked with a secondary site before. Can I use the secondary site to deploy images and for capturing user profiles (USMT) as well?

  23. Hello Gerry

    After reading a lot of your comments on this blog it seems you always need information to give the correct advice.

    I have some questions for you and something I am having difficulty getting an answer for.

    I have read multiple articles and information regarding SCCM as I am quite new to the topic on how to design our Infrastructure.

    Active Directory:
    Each Town as below has a DC.
    AD has different sites set up for each of the Towns below.

    WSUS
    Hosting - Primary WSUS - each Town is a Downstream WSUS

    Current Environment currently SCCM 2012 R2:
    Hosting Centre: Primary site + 18 Secondary Sites - Managing about 20 Servers
    Town1 - 10mbps Fiber to Hosting Centre - Secondary site with DP & MP - 250 Computers and 10 Servers
    Town2 - 4mbps Fiber to Hosting Centre - Secondary site with DP & MP - 50 Computers
    Town3 - 4mbps Fiber to Hosting Centre - Secondary site with DP & MP - 50 Computers
    Town4 - 4mbps Fiber to Hosting Centre - Secondary site with DP & MP - 75 Computers
    Town5 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town6 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town7 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town8 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town9 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town10 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town11 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town12 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town13 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town14 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town15 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town16 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town17 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers
    Town18 - 2mbps DSL VPN Tunnel to Hosting Centre - Secondary site with DP & MP - 25 Computers

    Currently we are still using a WSUS infrastructure that is not deployed through SCCM but this is our goal to get it integrated.
    Also we want to integrate SCUP so that it deploys 3rd party application updates.

    The questions I have is as follows.

    Do I need to deploy a CAS or should SCCM Primary Site with Secondary sites do the job? Cannot find a definite answer for this so if you can clarify for me I would be very happy.

    Scenario 1 - If we do need a CAS "Currently no budget for another server."
    1. Would you recommend on the information above that I get rid of the Secondary Sites and run as 1 Stand Alone Primary Site.
    2. Would you recommend deploying WSUS updates through SCCM or should I stick with the current WSUS.

    Scenario 2 - If we do need a CAS and have the budget:
    1. Would you say I must deploy a CAS, Pri Site and Secondary Site to each town.
    2. Rather run WSUS and SCUP through SCCM.

    If you can answer these questions for me I would really appreciate the input.

  24. Hi Gerry,

    Bookmarked the moment I saw complete information on SCCM.....Your blog is just amazing....

    Could you guide me on this implementation plan ....
    SCOM & SCCM with DB on SQL Cluster with dedicated instance for SCOM & SCCM (That's how the client wants)

    For SUP Part, could I use the same SCCM dedicated instance for WSUS?

    For Reporting of SCOM & SCCM,
    I plan to use one node (default instance) of SQL cluster for SCOM Reporting &
    the other node (default instance) of SQL cluster for SCCM Reporting. (As SSRS is non cluster aware & also SCOM does not share SSRS feature).
    Your thoughts on this?

    Thank you.

    Replies
    1. I ALWAYS try to keep SQL local for SCCM (SCOM is different - you should NOT keep it local). You can use the local database for all System Center related products (WSUS for example).

  25. Hi Gerry,
    Thanks for your Blog, learning a lot.
    Hoping to ask what you would recommend for an enterprise site deployment strategy for our SCCM2012.
    We have one home site and three satellite sites with T1 links, but they will be upgraded soon to 5MBPS. We have about 250 server/clients at the home site and about 50 total at each of our satellite locations. Each satellite location has just one Domain Controller (2008R2) and we'll be using SCCM mainly for OSD, Patching, App deployment, Asset management, etc...
    Our home site has a pair of DC's (2008R2) and a separate server platform with SQL 2008R2 with instances for other applications/services. We are planning on installing SCCM on a new non-DC server. No virtualization yet. All under one domain.
    Should we at our home site install SCCM as the Primary Site and our satellite locations as Distribution/Management points, or keep the appropriate functions only at our home site? Or maybe you recommend something else? Is there an issue running the Distribution/Management points on a DC?
    Also, are there additional license requirements if we install Distribution Points at each of our satellite sites? We apparently have a Standard license which is good for a server with 2 processors. All our servers are running 2 processors.
    Thanks

    Replies
    1. I would use a single server in your home site and install SCCM and SQL to create a standalone primary site. You should also have a DP and MP on this server. I would deploy DPs to the remote sites. Deploying DPs on DCs is supported but not recommended.
      You should talk to your Microsoft License Reseller about licensing. It can get quite complicated and I'm not able to advise you on your benefits.

  26. Hi Gerry,

    I really like your blogs, well structured recommendations and great advice !!!!!

    I have a scenario here, need your advice :

    Planning to deploy Config Mgr 2012 & Service Manager 2012
    Brief about the environment
    ------------------------------------
    500 Clients
    Need Software Patching, App Deployment, OSD going forward

    Size Consideration so far
    SCCM 2012
    -----------------
    Standalone Primary Site :
    OS: 50 GB
    Apps/DP: 200

    Remote SQL 2012
    OS: 50 GB
    Database: 200 GB


    Just wanted to make sure that we don't have to change the configuration again n again, as it will be all physical environment.

    Please suggest, if this planning would be good enough ?
    I am not in favour of remote SQL server
    But, company wants a remote SQL server.
    ( ---------------It will be huge cost for its licensing, as it is per core :( --------------- )

    And, can we save the licensing cost by installing SQL locally ?????

    Much appreciate your help, Mate !!


    Thanks,

    Replies
    1. I have some comments:

      1. I think 50GB is too small for Windows Server 2012 (I use 80GB Minimum)
      2. I wouldn't use the same SQL instance for ConfigMgr and Service Manager
      3. I would install SQL locally. There is no licensing cost for this - it's included with the System Center license.
      4. You will have to get advice elsewhere about the licensing requirements for Service Manager.

  27. Thanks a lot for the reply ,

    SCCM
    Will be using 100 GB for Server
    With Local SQL = 200 GB

    But,,,
    200 GB for Apps/DP content....Is it enough ?.
    or
    You recommend ....
    Apps = 200 GB
    DP Content= 200 GB


    ******
    SCSM
    It will be remote SQL Server :))

    Replies
    1. 500 clients is not a very big environment. Therefore the SQL design is not as crucial as it would be on a larger site. In any case there are many things to consider with SQL design. You haven't specified whether you are using physical or virtual servers.

      The following should be located on different disk volumes (not partitions on the same volume)
      OS
      SQL installation
      Database
      Logs
      TempDB

      This makes sense when you are using physical servers. It doesn't make sense when you are using VMs (as the disks presented share the same SAN resources).

      You should also then consider creating several database files.

      Therefore the configuration you are proposing is not optimal but it will do for your small environment (I don't want to be seen approving a design that is not best practice).

      As for the disk sizes, that really depends. What will you be doing? Remember, if you are doing OSD and you have several 10GB images your drives will fill up pretty quickly. The important thing to ensure is that the drives can be extended if necessary.

  28. Thanks a lot Gerry,
    That answers all my questions ( Being Physical environment )

    Thanks Again ...........................keep Rocking !!!

    Cheers!!!!

  29. Is it possible to have two Standalone Primary Sites in the same domain?

    One site as a test environment and the other for production.

    Or would I have to setup a CAS and have the two Primary Sites under it.

    Replies
    1. Technically you can do that Troy. That's the way migrations are done for example. You just need to be aware of overlapping boundaries.

      However I am totally against the idea. Test is for test. Production is for Production. They should absolutely be independent.

    2. There is a place for production testing but I do not believe a site would be needed. Limiting collections/collection rules effectively fence clients as long as RBAC is implemented in such a manner to only allow test users and admins to access/deploy to "test clients" and production users/admins to access production. This is very useful when performing user acceptance testing for applications and packages. Test lab is where I test significant SCCM infrastructure changes. My $0.02 :-)

  30. Gerry,
    Great site and love the quick responses. Need recommendation:
    3500 devices, including servers
    2000 users
    Single physical site

    Planned Servers - virtual, with Server 2012, latest release:
    1. Primary site w\SQL installed - MP as well
    -- What would the partitions be (including size) and where to install SQL
    2. DP
    3. SUP
    4. WSUS

    Planned Feature Implementation:
    1. OSD - workstations
    2. Software Delivery
    3. Patching - workstations and servers
    4. Reporting
    5. Remote Control
    6. Software Metering

    Features we're looking at:
    1. OSD - servers
    2. Software Catalog
    3. Mac Management
    4. Mobile Device Management

    Will the planned server deployment meet the needs of the planned feature set implementation? Will additional servers be required to meet the needs of the features we are looking at?

    Thank you for your time!

    E

    Replies
    1. This is not a huge installation but I wouldn't like to hazard a guess at a design without knowing more about the environment. You are talking about implementing most of the ConfigMgr features. Look at MAC Management for example. This requires a PKI infrastructure so you would have to build additional MP and DP to be configured for https. There are too many unknowns here.

  31. Hello Gerry,

    I have a query on applications distributed to a DP.
    Is it possible to manage SCCM such that software could be distributed on a particular drive on DP and OS images to another drive on the same DP?
    Also, if this could be done, could the process be performed after DP is installed?
    Thank you for your help.

    Replies
    1. No, unfortunately I don't believe this is possible.

  32. Hi Gerry,

    There is a lot of information around the web on SCCM but many of the links are confusing about when to use CAS, Primary, Secondary and DP.
    However I find this blog to be well structured and live, thanks !!!

    Well, need to implement /deploy a DP on branch /remote location . Do you have a step by step guide or link that I can follow?
    Thanks in advance!

  33. Installing a remote DP

    http://www.gerryhampsoncm.blogspot.ie/2014/06/configmgr-2012-additional-distribution.html

  34. HI Gary,

    Great site and love the quick responses. Need recommendation:

    We have two forests trusting each other with multiple child domains.
    I'm going to install SCCM into the forest which doesn't have any child domains.


    Planned Servers - virtual, with Server 2012 R2 , SQL 2012 R2 Same Server?
    Number of Servers: 200
    Number of Wks/Laptop: 2000

    Planned Feature Implementation:
    1. OSD - workstations
    2. Software Delivery
    3. Patching - workstations and servers
    4. Reporting
    5. Remote Control
    6. Software Metering

    So how do I design this implementation?

    As

    Replies
    1. A single server will do for an environment of that size. See here for cross-forest support with ConfigMgr 2012

      http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx

  35. Gerry

    I have currently set up a virtual SCCM 2012 R2 environment in a VMware environment and have the following setup (currently in test mode).

    1. Windows 2012 R2 with SCCM 2012 R2 Server (All Roles with the exception of SQL Databases) (8 GB with 2 CPU)
    With C:\ 70 GB (OS Install)

    E:\ 200 GB (for all source images, DP, MP etc.)

    2. Windows 2012 R2 with SQL 2012 (Using this for Database and Reporting Databases) (4 GB memory with 1 CPU)
    With C:\ 70 GB (only no separation of Logs, TempDB etc.)

    3. Site setup - We have about 155 Users with 350 devices and 3 locations (Main Office 125 users, other 2 offices about 15 each)
    Most functions used will be deployment of software updates to desktops, windows patching, KMS (Microsoft Licensing),

    Questions:

    1. Do you think we are up to technical spec on the setup of the environment?

    2. We plan to migrate the SQL 2012 to SQL 2014 on a Windows 2012 R2 Server that is in Production. Can this be done as this is the company's policy to keep databases on a single server with encryption. Note: This is a shared SQL server with other databases.

    Your thoughts on all

    Thank you for your help.

    John

    Replies
    1. I think that your design is way over-specced John. You can easily manage 350 users with a single server. I always recommend to install SQL locally.

  36. Hi Gerry,

    Your blog is full of great information and has been extremely helpful.

    I have had more than a few server admins share with me some pretty bad horror stories regarding their unbearably slow SCCM implementations. If at all possible, I would very much like to avoid claiming membership to the "slow and sluggish" club.

    I believe I've given plenty of consideration to sizing and future growth thus far while still in the project's planning phase. However, I'm concerned that my plan may be a bit robust for our needs ... I was hoping to get your input on a couple of points, to help me dial the plan in where necessary.

    So, thank you in advance!

    My questions are related to SQL Server for SCCM 2012 R2 (given the following):

    SCCM will be used to manage all WSUS patching for all servers and workstations enterprise wide as well as Endpoint Protection. Total clients = approx 2500, all Microsoft.

    AD environment = Multi-forest (three forests, with 1 AD domain each), Single site (per forest/domain) all servers (for all forests) are centrally located in the same data center, all workstations are Win 7 joined to the production domain and are distributed across ~60 small office locations all within a single metropolitan area.

    We have multiple servers in various DMZs which need to be managed by SCCM as well; however, DMZ servers are either in a separate domain from either Production or Messaging, or are stand-alone.

    Questions:

    1.) Should I deploy SQL Server 2014 Standard (2 server active-passive cluster) separate from the "Stand-alone" Central Admin Site server? Or should I pile everything onto a single server?

    2.) If I go with a separate SQL cluster running SQL Server 2014 Standard (or a separate non-clustered SQL server), and the SQL server/cluster is dedicated to only SCCM 2012 R2 ... do I need to pay for SQL licensing? Or is SQL licensing free only if installed on the same server as the Primary site server (same OSE)?

    3.) Final question, If I place SCCM 2012 R2 in my Production environment/forest/domain, will I need to put any SCCM components (management, distribution, software update point, etc...) in my DMZs to manage those hosts there? And can I have those components joined to a domain/forest separate from Production?

    Note: (no firewall can be configured to allow a DMZ host to initiate communication inbound to a Production host, regardless of port.)

    Again, thank you very much for your time, any advice is very much appreciated!

  38. Hi Gerry,

    What about failover or HA? In this documentation Microsoft says "Deploy a hierarchy of sites with a central administration site, and one or more child primary sites" so if I have more than one primary site server, I need a CAS server to manage them, right? From this point, is a CAS server needed for HA?
    https://technet.microsoft.com/en-us/library/hh846246.aspx


    Actually all I want to know is: when one primary site goes down, do clients automatically assign or continue reporting to another primary site if I have more than one primary site server in my environment?

    Could you please describe all these considerations?

    Thanks

  39. Hi Gerry,

    Good Day,

    As we are moving our existing SCCM 2012 R2 (CAS and primary) servers to a new data center, at the same time we need to change the IP address with a new VLAN.

    1. Do we get any impact or issue?
    2. What is the procedure to change to the new IP address?

    Thanks & Regards.

    Replies
    1. ConfigMgr uses DNS to locate site systems so there should be no impact as long as DNS is functioning correctly.

  40. Hi Gerry, Great blog and so much helpful advice.

    I have a main site with about 100 PCs, and 3 other sites with about 50 PCs each. I plan on doing a primary site and secondary sites/subsites at the other locations in SCCM because I want to do imaging, software deployments, metering etc...

    I installed one subsite on a server at my other location. I then pushed the client to it, however the site code on the server now reads the main site, vs the subsite's site code. Boundary groups seem set up correctly, and other PCs in that site read the correct code, just the subsite server is different.

    Is this expected behavior, or a glitch I have to work out? I thought the client typically reports to itself (same server) in this case.

    Thanks in advance!
    -Dave

    Replies
    1. You really don't need secondary sites for 50 computers Dave. You should be using Distribution Points in those locations.

  41. I am very new to SCCM and looking for some advice here. Below is the scenario. Can you please advise what option I should go with?

    3 datacenters in 3 different countries [3 domains (1 domain spread across the 3 datacenters)]

    1000 computers per site.

    Requirement - Software and patches deployment, Software/Hardware Inventory, Infrastructure Monitoring.

    My proposal is to go with 1 Primary and 2 Secondary. Is this a good option to go with? Or can we go with just secondary sites without implementing a primary?


    Replies
    1. Difficult to say without more information but seems like a Primary Site and 2 Secondary Sites would be a good bet. You "may" get away with a single Primary site as you are not doing OSD (you didn't mention how good the WAN connections are).
      You cannot have a Secondary Site without a Primary.

  42. Hi there,

    I am looking at building a test SCCM environment at work.

    Instead of replicating the production environment (too much work!), could I add a secondary site as a test environment so I could test out SP releases as well as test out packages etc.?

    Replies
    1. No, that would make no sense. A Secondary Site performs totally different functions to a Primary Site and would not "mirror" your environment in any way.

  43. Hi Gerry,
    Do Distribution Point servers have to be dedicated, or could we install a DP on a server already hosting a print queue (and nothing else)?
    Thanks,
    Jacqui

    Replies
    1. Yes a DP could easily co-host with a print queue. You just need to ensure that you have enough disk space.

  44. Hi Gerry,

    Your suggestions have really helped in the past, grateful always :)

    I have a situation here:
    There is an existing SCCM environment in an organization
    But the setup is terrible.

    So, I decided to setup a new environment.
    Now, there are two SCCM in a single forest.
    System Management Container is generated.
    All Devices are discovered....Basic setup complete.

    But I am having HTTP errors when trying to add an MP
    (Error : Call to HttpSendRequestSync failed for port 80 with status code 404, text: Not Found)

    Also, when trying to access the Report Server, there is an error on port 80,

    indicating HTTP errors.

    So, my question is: can I run the setup like this,
    or
    do I have to uninstall roles from the old SCCM first and then configure the new environment?
    * Whole idea is to bring new SCCM environment in place, as there is no documentation around old environment.

    Please suggest, what is the best solution

  45. Hi Gerry,

    Presently I have 5 SCCM 2012 R2 Primary Sites (Stand-alone) on 5 sites.

    1) First HeadOffice site consists of 1000 users (Primary Stand-alone SCCM Server)
    2) Second HeadOffice site consists of 1200 users (Primary Stand-alone SCCM Server)
    3) First BranchOffice site consists of 3000 users (Primary Stand-alone SCCM Server)
    4) Second BranchOffice site consists of 350 users (Primary Stand-alone SCCM Server)
    5) Third BranchOffice site consists of 300 users (Primary Stand-alone SCCM Server)

    All offices are connected together with 10Mbps MPLS link.

    Now I was told to remove the stand-alone Primary Site from the 3 branch offices and install only a DP. For two offices (No. 4 & 5) it is okay as there are fewer users (350 & 300).

    -- But for the first branch office (No. 3) with 3000 users, is it recommended to have a DP, or do I have to go with a secondary site?
    -- Can I add a secondary site on the stand-alone Primary Site at one of my head offices?
    -- Also can I install a CAS to manage all sites from one place? Will there be a management issue with installing a CAS?

    Mohammed

    Replies
    1. All your questions are answered in this blog.
      Your sites are well connected. However the following would be a sensible approach:

      #1 Primary Site
      #2 Secondary Site (maybe)
      #3 Secondary Site
      #4 Distribution Point
      #5 Distribution Point

      You do NOT need a CAS (nor should you implement one).

  46. Good afternoon Gerry, we are starting the 2007 to 2012 migration project.
    Number of Clients - 40000
    Six sites (with heavy user base) - In the UK (well connected)
    I am thinking if we can do without the CAS?

  47. Excellent Blog, I was struggling a bit until I found this. I know you have done a tremendous job of trying to answer everyone's question, I hope you have enough will power for one more:

    2 Datacenters 1 NY (250 users) 1 BAHRAIN (700 users) WAN: 1GB.
    1 remote office in Abu Dhabi (10MB link to Bahrain DC) 50 users.
    PLAN: Asset Management, Software deployment, WSUS, reporting.

    I am thinking to do 1 PRIMARY in US, 1 DP in BAHRAIN. Will this support Abu Dhabi? Also if I do 2 PRIMARY, 1 in the US, 1 in Bahrain and 1 DP for Abu Dhabi, can they be centrally managed from 1 console / location instead of independently?

    In addition, after this is complete, I want to integrate SCCM with Microsoft INTUNE (Cloud), which I read is possible. Pointing this out there if needed for your advice.

    Lastly, any real benefit of using a CAS?

    Your reply would be extremely appreciated, thank you.

    Replies
    1. Thanks. Now, you have 1000 users. You do NOT need a CAS. It will give you no benefit and a lot of hassle. You need a Primary Site. Your only decision is where that should be deployed. Where is your IT? Will you be imaging? It's normally better to capture images on the Primary Site.
      Another thing to consider - if you choose NY as the Primary Site then you should probably deploy a Secondary Site in Bahrain.

  48. Thanks Gerry, we have IT spread across the US and Bahrain. I made a mistake: the WAN link between the US and Bahrain is 40MB. Will that be sufficient for 1 Primary in the US and perhaps a DP in Bahrain, or is the secondary site still the better way to go?

    Replies
    1. There is a chance that you will need a secondary site in Bahrain. You could just start with a DP and monitor the WAN traffic. You can add the secondary site afterwards.

  49. Hi Gerry, awesome post!

    We are looking to migrate from SCCM 2007 to 2012 (timescale wise, probably SCCM 2016)

    Our setup is countrywide, with approx 15000 clients based over 500 locations in a single AD forest.
    Most locations will have between 5 and 30 clients, with a few main areas having a few hundred clients within.
    The network connections vary between 10 and 100 mb to the smaller sites with the main sites having Gb connections.

    What hierarchical setup do you think would best suit this scenario?

    Many thanks.

    Replies
    1. Looks like you should use a single Primary Site with remote Distribution Points where required.

  50. Hi Gerry, I know you said it's not a good idea to have a test installation of SCCM alongside a production one, but can you tell me why? I've been asked to implement it but am looking for a valid reason to say no. Thanks

    Replies
    1. I'm not sure where you saw that Hussein. I think it's a great idea to have an SCCM lab environment for testing. However I would always try to keep it on an isolated network to avoid overlapping boundaries and any other interference.

    2. Hi Gerry, sorry I should have been more clear. I meant a test lab on the production LAN. Other than overlapping boundaries, what else could interfere?

  51. Hi Gerry,

    We have a requirement to deliver automation into a part of the business that has 255 desktops over 13 sites. This is a public environment and budget is low.
    The site link speeds are as follows:
    Site 1     100M/100M
    Site 2     10M/100M
    Site 3     100M/100M
    Site 4     10M/100M
    Site 5     10M/100M
    Site 6     10M/100M
    Site 7     10M/10M
    Site 8     10M/100M
    Site 9     10M/10M
    Site 10    10M/100M
    Site 11    100M/100M
    Site 12    100M/100M
    Site 13    10M/100M

    5 sites have over 20 machines

    Site 1
    Site 2
    Site 3
    Site 11
    Site 12

    We want to provide patching, application and OS deployments and monitoring.

    One of the sites that has over 20 machines is on a 10MB link.
    Can it be done without adding additional servers as DP servers to the remote sites?
    Can we use BranchCache on a Windows 7 desktop?
    Do we need a PXE server on each site to boot images if we want to deliver OS's?

    As I advised budget is very low and minimal infrastructure is the only option.

    What are your thoughts Gerry?

    Replies
    1. The short answer is it really depends on what you will be doing. OSD is the big one here. How often will you re-image computers? If it is infrequently then you may be able to tolerate the network traffic generated by a very large WIM file (out of hours). If it will be regular then you need to have the content files available locally.

      If you want to use PXE then you need a server OS (for WDS). Therefore you won't be able to use Windows 7 as a DP.

      You could also consider the option of re-imaging computers at the remote sites using removable media based task sequence (flash drive).

      Software Updates can also generate quite a bit of network traffic but you can use a Windows 7 DP for this.

  52. Hi Gerry,

    So would I need a PXE server on each site that we would like to boot and image Windows 7 machines at?
    Or could this be beside my SCCM server in the datacenter?

    Replies
    1. I can't answer that for you. If you use a remote WDS server then the boot image has to traverse the WAN every time you PXE boot a computer. This could be 300MB to 500MB depending on the number of drivers you inject. You should test and baseline to see if this traffic is acceptable on the network.

  53. Hi Gerry,

    To answer the question, it would be infrequently but I would still like optimal (taking into account my budget constraints) delivery.

    So, overview of solution (bearing in mind a PXE server in the datacenter is suitable):
    1 x SCCM Primary Site Server - Datacenter
    1 x PXE Server - Datacenter
    5 x Branch Cache machines at sites over 20 devices

  54. Hey Gerry,

    Your post has been most helpful. I’m new to SCCM and wanted to run a design by you since I’m unsure on the hierarchy design if you please have time to answer.

    We have 13 locations spanning across North America (US and Canada). Each site has about 300 users and devices and contains a DC, WSUS, and a VM environment with a good size SAN as well. The MPLS connection between each site is no less than 15Mbps with some at 50Mbps. We would like to use SCCM for OSD, WSUS, APP/Content deployment, hardware monitoring, Intune, and endpoint protection (AV). The WSUS server is managed at one location and all others are downstream servers.

    This year we are looking to move our primary servers to an offsite datacenter, but our current situation is that one of the 13 sites just hosts all those servers. There is an IT admin at each site.

    From what I’m reading, we can do this design with 1 primary site and all the other sites just set up as a DP and MP. What would be the benefit to have a secondary site vs DP/MP? Then when we get ready to move to an offsite datacenter, move the primary server and create a new DP/MP or secondary site to replace the primary site server? So for the project, would I have to stand up new VM servers or could I use the current downstream server already in place at each location? We have the budget to put in new if recommended. Thank you in advance for your response and thoughts.

  55. Hello Gary,
    If I want to deploy a CAS, do I need a license for it? Not the server OS, I mean a System Center license?

  56. Hi Gary,
    We are an organisation of about 10.000 devices (clients + servers), spread over 190+ sites around the globe.
    Our infrastructure consists of 5 different forests, all 2-way trusted with each other, connected with a top-level domain above them.
    The 5 different forests are also 5 different companies with different needs and different setups.
    I'm thinking to set up a CAS on the top-level domain with primary sites at every forest. It's not the amount of devices but my reason for using a CAS is the fact that all primary sites can administrate their own specific settings without this being replicated to the rest.
    Or is this possible with a stand-alone primary site on the top level and secondary sites with DPs beneath, using roles and security scopes?
    Roles need to be windows patching / software installations / software updates / OS deployment.

    Thanks a lot for the advice,

    Bert

  57. I am new to the design and implementation of SCCM 2012 R2. I have worked only with the functionality used in the SCCM console. Now I have been asked to design and implement SCCM 2012 for an IT organisation. What are the details I now need to ask them for to define the hierarchical structure? Please guide me.

    Replies
    1. The information on this page is a good starting point. In particular you need to understand the organization's goals, network topology and client counts in each location.

  58. Hi Gerry, We're thinking of implementing SCCM in our environment. SCCM will be used mainly for OSD, Patching, App deployment, Asset management and Software metering. We have remote sites across Australia (100 users each site) and the HQ is in Melbourne (650 users) and 250 users in Malaysia. We have implemented MPLS recently. Please let me know if the following site hierarchy suits our requirement
    1 Primary Site in Melbourne
    DP in Queensland, New South Wales and Western Australia and Malaysia - Do we need 4 VMs for DP?
    SQL will be installed locally on the Primary site server

    Can I install SCCM 2012, SQL 2012, WSUS 4.0 and DP on a single VM?
    C: OS - 100 GB
    E: Apps - 100 GB
    F: Distribution Point- 500GB

    Let me know. Thanks in advance

    Replies
    1. 1. I would deploy ConfigMgr Current Branch and SQL 2016 but yes, you could put them all on one server.
      2. I would use a DP in every location.

    2. Thanks Gerry, I really appreciate your quick response. I am new to SCCM designing and excuse me if I am asking stupid questions

      1) For SQL, should you always separate TempDB and SQL primary data?
      2) Do we need a Separate WSUS server?
      3) Do we need a PXE server on each site to boot images if we want to deliver OS's?
      4) Do Distribution Point servers have to be dedicated, or could we install a DP on a server already hosting few other things?

      Thanks

    3. 1. Theoretically yes, but you have a small site so perhaps it's not so important.
      2. No, not for 1300 users. Make sure that the Primary Site Server has suitable resources.
      3. Yes
      4. You could co-locate as long as there is enough disk space.

    4. Hi Gerry, Just got clarification on number of users. So we have only 650 users in Melbourne and 250 users in Malaysia to support.
      Planned Feature Implementation:
      1. OSD - workstations/servers
      2. Software Delivery
      3. Patching - workstations and servers
      4. Reporting
      5. Remote Control
      6. Software Metering
      7. Software Catalog
      8. Mac Management
      9. Mobile Device Management

      Do you think one primary site server in Melbourne and DP in Malaysia should be ok?
      - primary site server (virtual) in Melbourne will have SCCM CB, SQL 2016, WSUS, MP, DP etc
      - One DP in Malaysia

      When all roles are on a single server (e.g. DP, WSUS, MP, etc.), do you have any recommendations on the disk space and other resources?

      One more challenge is that Melbourne users use different models of laptops (Lenovo, Dell, MacBooks etc). How can that be managed for OSDs?

  59. Hello,

    I want to have a highly available architecture for my SCCM 2016 deployment project.

    My environment is:
    single domain with DR site
    users 20000
    Client OS: W7sp1 and W10
    Mobile: iOS android and windows phone

    How to achieve high availability from a client perspective and server side?
    How to replicate SCCM to the DR site in case the primary site fails?


    Please suggest any best practice

    Replies
    1. Have a look at this document for HA with ConfigMgr.
      https://docs.microsoft.com/en-us/sccm/protect/understand/high-availability-options
      Be careful though, implementing some of these techniques could cost you money and you'll have to manage it afterwards. What is your goal? ConfigMgr is not a real-time solution like Exchange so sometimes some down-time can be tolerated.
      Perhaps your money would be better spent in developing a robust backup solution.

  60. Hi Gerry,

    Since there is now support for SQL AlwaysOn Availability Groups, I have a question in regards to a hierarchy. Can you place the CAS and all child PMs in one AOAG? If so, I assume you have to use multiple named instances.

    If not, what is the best practice for this? I have not seen much written on this subject. Thank you!

  61. Hi Gerry, I'm stuck during SCCM installation; it shows the error message "setup cannot create the database on SQL Server". Please help me. I'm using the 2012 SQL and CM versions.

    Replies
    1. That's not much to go on but it sounds like a permissions issue.
