Sunday, December 21, 2014

SCCM Sites


SCCM Site:

  • A site consists of a site server, site system roles, clients, and resources.
  • There are several types of sites in SCCM 2012.
  • A site uses boundaries to determine which clients belong to which site.
  • Multiple sites can be configured into site hierarchies and connected such that you can manage bandwidth utilization between sites.
  • A site is identified by the three-character site code and the friendly site name configured during Setup.
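As an added example (my own code, not from the original post), the following Python resolves which site a client belongs to from constructed IP subnet and IP range boundaries, validates the three-character site codes, and refuses to answer when boundaries for different sites overlap at one address, since overlapping boundaries are not supported for automatic site assignment. The boundary values and site codes are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Site codes the Configuration Manager installer rejects (reserved names).
RESERVED_SITE_CODES = {"AUX", "CON", "NUL", "PRN", "SMS"}

@dataclass(frozen=True)
class Boundary:
    """One boundary in a boundary group enabled for site assignment."""
    kind: str       # "IPSubnet" or "IPRange" (AD site boundaries omitted here)
    value: str      # e.g. "10.1.0.0/16" or "10.2.5.1-10.2.5.200"
    site_code: str  # three-character code of the site clients are assigned to

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "IPSubnet":
            return addr in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "IPRange":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return lo <= addr <= hi
        raise ValueError("unsupported boundary type: " + self.kind)

# Constructed sample boundaries (hypothetical values, not from the post).
BOUNDARIES: List[Boundary] = [
    Boundary("IPSubnet", "10.1.0.0/16", "PR1"),          # head office, primary site
    Boundary("IPRange", "10.2.5.1-10.2.5.200", "SEC"),   # branch behind a secondary site
    Boundary("IPSubnet", "192.168.50.0/24", "PR1"),      # second subnet of the same site
]

def invalid_site_codes(boundaries: List[Boundary] = BOUNDARIES) -> List[str]:
    """Return site codes that are not exactly three alphanumeric characters
    or that collide with a reserved name."""
    bad = []
    for b in boundaries:
        code = b.site_code.upper()
        if len(code) != 3 or not code.isalnum() or code in RESERVED_SITE_CODES:
            bad.append(b.site_code)
    return bad

def assign_site(ip: str, boundaries: List[Boundary] = BOUNDARIES) -> Optional[str]:
    """Resolve the site a client at `ip` is assigned to.

    Returns None when no boundary matches (the client stays unassigned) and
    raises when boundaries for *different* sites overlap at this address,
    which Configuration Manager does not support for automatic site assignment."""
    codes = {b.site_code for b in boundaries if b.contains(ip)}
    if len(codes) > 1:
        raise ValueError("overlapping site-assignment boundaries for %s: %s"
                         % (ip, sorted(codes)))
    return codes.pop() if codes else None
```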

   
[Figure: SCCM Hierarchy]


The types of sites are as follows.

Central Administrative Site (CAS):

  • The central administration site coordinates intersite data replication across the hierarchy by using Configuration Manager database replication.
  • The CAS sits on top of the SCCM 2012 hierarchy.
  • The CAS cannot directly manage clients.
  • A CAS is used when multiple primary sites are needed, for example when you have over 100k clients.
  • The CAS can manage all SCCM 2012 site servers from one console.
  • CAS hardware requirement:-
        • Microsoft recommends 16 CPU cores
        • 64 GB of RAM
        • 1.5 TB of disk space for all the files
  • The CAS function is to replicate all data from every primary site; it also functions as a reporting server.
  • Data is replicated from the bottom up.
  • The CAS also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations.
  • You can only join one existing primary site to a CAS; after that you deploy your other primary sites.
  • A central administration site can support up to 25 child primary sites.
  • Only a limited set of site system roles can be installed on the CAS. The Management Point (MP) and Distribution Point (DP) roles can’t be installed on the CAS.
Planning for CAS:-

★ Use the following information to help you plan for a central administration site:

  • The central administration site is the top-level site in a hierarchy.
  • When you configure a hierarchy that has more than one primary site, you must install a central administration site, and it must be the first site that you install.
  • The central administration site supports only primary sites as child sites.
  • Central administration site cannot have clients assigned to it.
  • The central administration site does not support all site system roles.
  • You can manage all clients in the hierarchy and perform site management tasks for any primary site when you use a Configuration Manager console that is connected to the central administration site.
  • When you use a central administration site, the central administration site is the only place where you can see site data from all sites. This data includes information such as inventory data and status messages.
  • You can configure discovery operations throughout the hierarchy from the central administration site by assigning discovery methods to run at individual sites.
  • You can manage security throughout the hierarchy by assigning different security roles, security scopes, and collections to different administrative users. These configurations apply at each site in the hierarchy.
  • You can configure file replication and database replication to control communication between sites in the hierarchy. This includes scheduling database replication for site data, and managing the bandwidth for the transfer of file-based data between sites.

❖ Primary Site:

  • To manage clients directly.
  • Each primary site can support up to 100,000 clients.
  • To provide a local point of connectivity for administration.
  • To meet organizational management requirements. For example, you might install a primary site at a remote location to manage the transfer of deployment content across a low-bandwidth network.
  • A primary site only supports a central administration site as a parent site.
  • A primary site only supports secondary sites as child sites and can support one or more secondary child sites.
  • A primary site cannot change its parent site relationship after installation.
  • Primary sites are responsible for processing all client data from their assigned clients.
  • When a primary site is installed, it automatically configures database replication with its designated central administration site.
  • Primary sites use database replication to communicate directly to their central administration site.
  • Hardware requirement:-
      • Microsoft recommends 4 CPU cores
      • 8 GB of RAM
      • 200 GB of disk space for all the files
  • Supports 10 MPs, 250 secondary sites and 250 DPs.

★ Consider installing a primary site for any of the following reasons:

  • To manage clients directly.
  • To increase the number of clients and devices you can manage with a single hierarchy.
  • To provide a local point of connectivity for administration.
  • To meet organizational management requirements. For example, you might install a primary site at a remote location to manage the transfer of deployment content across a low-bandwidth network. However, with System Center 2012 Configuration Manager you can use options to throttle the network bandwidth used when transferring data to a distribution point, and this capability can replace the need to install additional sites.
  • A primary site can be a standalone primary site or a child primary site in a larger hierarchy. When a primary site is a member of a hierarchy with a central administration site, the sites use database replication to replicate data between the sites. Unless you need to support more clients and devices than a single primary site can support, consider installing a standalone primary site. Beginning with Configuration Manager SP1, you can convert a standalone primary site into a larger hierarchy when your deployment exceeds the capacity of a single primary site.
  • A primary site supports only a central administration site as a parent site.
  • A primary site supports only secondary sites as child sites and can support one or more secondary child sites.
  • When you use Configuration Manager with no service pack, a primary site cannot change its parent site relationship after installation. However, beginning with Configuration Manager SP1, you can install a new central administration site as a parent site of an existing standalone primary site.
  • Primary sites are responsible for processing all client data from their assigned clients.
  • When a primary site installs, it automatically configures database replication with its designated central administration site.
  • Primary sites use database replication to communicate directly to their central administration site.
❖ Secondary Site:


  • Manages clients in remote locations where network bandwidth control is required.
  • Use secondary sites to manage the transfer of deployment content and client data across low-bandwidth networks.
  • You manage a secondary site from a central administration site or the secondary site’s parent primary site.
  • Secondary sites must be attached to a primary site, and you cannot move them to a different parent site without uninstalling them, and then reinstalling them as a child site below the new primary site.
  • You can route content between peer secondary sites to help manage the file-based replication of deployment content. To transfer client data to a primary site, the secondary site uses file-based replication. However, a secondary site also uses database replication to communicate with its parent primary site.
  • You do not require a local administrative user for the site.
  • You have to manage the transfer of deployment content to sites lower in the hierarchy.
  • You have to manage client information that is sent to sites higher in the hierarchy.
  • If you do not want to install a secondary site and you have clients in remote locations, consider using Windows BranchCache or distribution points that are enabled for bandwidth control and scheduling. You can use these content management options with or without secondary sites, and they can help you to reduce the number of sites and servers that you have to install.

★ Use the following details to help you plan for secondary sites:

  • Secondary sites automatically install SQL Server Express during site installation if a local instance of SQL Server is not available.
  • Secondary site installation is initiated from the Configuration Manager console when it is connected to the central administration site or a primary site.
  • When a secondary site is installed, it automatically configures database replication with its parent primary site. 
  • Secondary sites use database replication to communicate directly to their parent primary site and to obtain a subset of the shared Configuration Manager database.
  • Secondary sites support the routing of file-based content to other secondary sites that have a common parent primary site.
  • Secondary site installations automatically deploy a management point and distribution point that are located on the secondary site server.

➢ Roles decommissioned in Configuration Manager 2012:-

  • The reporting point.
  • The PXE service point. This functionality is moved to the distribution point.
  • The server locator point. This functionality is moved to the management point.
  • The branch distribution point. Use a distribution point or BranchCache instead.


Which site system roles can be installed in which site:-

[Figure: SCCM 2012 roles]

Saturday, December 20, 2014

SCCM - Site Hierarchy

SCCM 2012 Hierarchy:-


CENTRAL ADMINISTRATIVE SITE (CAS):
  • Sits on top of the SCCM 2012 hierarchy.
  • Cannot directly manage clients.
  • Used when multiple primary sites are needed, such as when you have over 100k clients.
  • Can manage all SCCM 2012 site servers from one console.

PRIMARY SITE:
  • Works the same as in 2007, with these exceptions:
        • No ability to tier primary site servers – they are only peers in a hierarchy with a CAS.
        • No need to deploy a primary site server to support different settings, policy, and administrative control.
        • No need to tier for content routing.
        • Language neutral: you may install multiple languages per primary site.
        • Client settings are now applied at the collection level and not at the primary site.
        • Administration is logically segmented through role-based settings and scopes and not by using separate primary sites.

SECONDARY SITE:
  • Now has SQL Express to replicate and control the upward-flowing traffic.
  • Clients can be assigned a local management point (Note: all clients still have to register with a primary site first before they are assigned the secondary MP).
  • Can be used as a local SUP.
  • Still has to be managed from the primary site.

SITE SYSTEMS: Systems that hold an SCCM role.
What Do I Need?
With all the basic hierarchy information explained above, the question remains: what are the common deployment scenarios used with SCCM 2012? Do we use a CAS or not? Under what circumstances would you deploy multiple primary servers, creating the need for a CAS? When do we deploy a secondary site server versus just adding DP/MP roles to a site system?
Every SCCM deployment architecture needs to be designed around the customer's environment with the following in mind.
  • Clients – The total number of clients to be managed and amount of clients per location.
  • Security – Segmented Networks like PCI and DMZ environments
  • Political – Need for Segregating Administration geographically
  • Infrastructure – Forest, Domains, Sites, Firewalls, Workgroups, Internet Clients, Bandwidth
With this in mind I will give you a few scenarios that have the need for a different architecture.
Single Active Directory Forest
The most common scenario used to deploy SCCM 2012 is a single primary server with DPs/MPs strategically placed throughout the locations. Since each primary site supports up to 250 secondary sites, up to 250 DP/PXE points and up to 100k client machines, this can support most companies looking to deploy SCCM 2012. Always consider using distribution points versus secondary sites, and use multiple MPs for redundancy in client communication. You can also throttle data from each individual DP itself.

Keep in mind each primary site can have only 10 MPs, so if you need more without expanding to multiple primary sites you could use secondary site servers for additional MPs, but this adds SQL replication traffic and more points of failure to troubleshoot if there are issues. I have seen much improvement in using secondary sites where there is limited bandwidth and you need to control the client traffic. Placing a secondary site with MP, SUP and DP roles at a location creates very little WAN traffic coming from the clients at that location.

One more note on secondary sites is that the only way to guarantee traffic flow to the MP you want your clients to connect to is to have a secondary site, or another primary site with a CAS server. Just having MP roles spread out across the organization does not guarantee that clients local to those MPs will connect to them unless you use a primary or secondary site at the location. One thing to note is that MP traffic is very small; if there is no need to localize the SUP then I wouldn’t use a secondary site. With the new BITS functionality and site boundary assignments with logical DP assignments, I have yet to use secondary sites even in global deployments, but I am aware of a company that used over a hundred of them because they had small satellite links with big latency issues, and it worked great.
Segmented secure Networks with single point to manage (Multi-forest, Large DMZs, PCI)
Here is a very common scenario. Many companies have this kind of infrastructure in place, especially if you are dealing with an industry where compliance is regulated. These systems are highly secure and usually segmented from the corporate environment by firewalls and a separate Active Directory forest. The straightforward approach is to just have separate SCCM 2012 hierarchies for each segmented environment, but this adds a lot of extra administrative tasks, like manually duplicating all your configurations in each hierarchy. Another approach would be to manage these systems via SSL certificates, but this requires a PKI infrastructure and limits some functionality like OS deployments. This is a good choice for managing systems in a DMZ, and you can use a reverse proxy or open 443 internally to get this to work. SCCM 2012 no longer has Native mode, so it can manage internal clients via port 80 and Internet clients via 443 at the same time.
If you want to manage multiple segmented environments from one console, then you will need Kerberos authentication across the environments along with a list of open ports across the firewalls. Best practice for this would be a transitive forest trust for multi-forest environments, and to limit the opened ports to site server to site server communication. In this scenario you would need a CAS server, because the site server in the secure network would need to be a primary site so clients can register without opening the firewall to all clients. With this you can manage all the systems in the secure network.
Another method you can use, if a trust is available and you want to limit the ports open, would be to install a secondary site server. This would still require ports to be open from site server to site server, limiting the cheese grater effect on the firewall. With this approach you will still need to open a port for clients to initially register with the primary server (port 80/443), but this can be customized so clients use whatever port you want. After the clients register with the primary site you could then close the port, and the clients can use the secondary site as a local MP for all client management from that point. Even though the Proxy Management role is no longer an option, the secondary site server still acts like a proxy management server. Some features will still be unavailable because they require direct communication from the console to the client, like Remote Access functions, Wake on LAN, and third-party tools like Right Click Tools. They still need ports to be open to work, but this approach allows very secure networks with the ability to limit opening a bunch of ports, and the best part is you will not need a CAS server nor PKI, unless you use port 443, in which case you still need PKI.
If a trust is not an option but you can open firewall ports for clients to communicate with the primary site server, then you could manage the segmented systems as a workgroup, but you would need a way for the clients to locate the MP, so special install commands would be used and DNS would need to be configured for the clients to find the primary site. There is a list of ports that would need to be open, but some of them can be changed to custom ports.
The Central Administrative Server (CAS)
There is a lot of blogging going on about whether you should install a CAS in your SCCM Hierarchy or not. Most opinions are to not use a CAS unless:
  • You are installing multiple Primaries
  • Have over 100k Clients
Keep in mind the CAS server has to be a pretty beefy machine. Microsoft recommends 16 cores, 64 GB of RAM and 1.5 TB of disk space for all the files. The reasoning behind this is that the CAS function is to replicate all data from every primary site, and it also functions as a reporting server. This is how Microsoft could move away from the parent/child primary hierarchy, where data replicated from the bottom up; now it replicates horizontally via the CAS. So you can say it’s like a SQL proxy, taking data from one SCCM SQL instance and duplicating it on another. The CAS also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. When a CAS exists, use this site for all administration and reporting for the hierarchy. You can join a primary site to a CAS if you discover later that you need multiple primary sites. This does not mean you can deploy multiple hierarchies and then join them later with a CAS. You can only join one existing primary site to a CAS; after that you deploy your other primary sites.
With all this said, I could go on and on about the specs of all the features and functions of SCCM 2012, but I just wanted to give you an idea of which direction you should go rather than the specific configuration. I hope this gave you a good overview so you can have some clarity about how to get this going in your environment.