10748A-ENU-Deploying System Center 2012 Configuration Manager

MCT USE ONLY.
STUDENT USE PROHIBITED

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
10748A
Deploying System Center 2012
Configuration Manager
MCT USE ONLY. STUDENT USE PROHIBITED
ii 10748A: Deploying System Center 2012 Configuration Manager
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty

/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners
Product Number: 10748A
Part Number: X18-40576
Released: 06/2012
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.
g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy
Program.
h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-
led courseware that educates IT professionals or developers on Microsoft technologies.
j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner
Network program member in good standing.
k. Personal Device means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.
m. Trainer Content means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.
2.1 Below are four separate sets of installation and use rights. Only one set of rights apply to you.
a. If you are a Authorized Learning Center:

i. If the Licensed Content is in digital format for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure
server located on your premises where the Authorized Training Session is held for access and
use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching
the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom
Device for access and use by one (1) End User attending the Authorized Training Session, or by
one (1) MCT teaching the Authorized Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior to
their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their accessing
the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
b. If you are a MPN Member.

i. If the Licensed Content is in digital format for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1)
Classroom Device, or (B) one (1) dedicated, secure server located at your premises where
the training session is held for use by one (1) of your employees attending a training session
provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1)
Classroom Device for use by one (1) End User attending a Private Training Session, or one (1)
MCT that is teaching the Private Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior
to their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their
accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
c. If you are an End User:

You may use the Licensed Content solely for your personal training use. If the Licensed Content is in
digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in
the form provided to you on one (1) Personal Device and install another copy on another Personal
Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1)
copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device
you do not own or control.
d. If you are a MCT.
i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an
Authorized Training Session or Private Training Session. For each license you acquire, you may
install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal
Device and install one (1) additional copy on another Personal Device as a backup copy, which may
be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed
Content on a device you do not own or control.
ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of customize refers only to changing the order of slides and content, and/or
not using all the slides or content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.
2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable

installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion
thereof (including any permitted modifications) to any third parties without the express written permission
of Microsoft.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (beta term). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.
a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.
b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone elses use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
install more copies of the Licensed Content on devices than the number of licenses you acquired;
allow more individuals to access the Licensed Content than the number of licenses you acquired;
publicly display, or make the Licensed Content available for others to access or use;
install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement.
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is as is, we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievable delete and destroy all copies of the Licensed
Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.
13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.
This limitation applies to

o anything related to the Licensed Content, services made available through the Licensed Content, or
content (including code) on third party Internet sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses dans ce
contrat sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute
utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie
expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont exclues.
LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous

pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement
hauteur de 5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres dommages, y
compris les dommages spciaux, indirects ou accessoires et pertes de bnfices.
Cette limitation concerne:
tout ce qui est reli au le contenu sous licence , aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers ; et
les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit
stricte, de ngligence ou dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage.
Si votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects,
accessoires ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera
pas votre gard.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits prvus
par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre pays
si celles-ci ne le permettent pas.
Revised December 2011

x 10748A: Deploying System Center 2012 Configuration Manager
10748A: Deploying System Center 2012 Configuration Manager xi
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Adrian Stoian --- Subject Matter Expert

Adrian Stoian, MCSE, MCT, CISSP, CISA, is a trainer and consultant at TechReady, in Cluj-Napoca, Romania.
Adrian became a Microsoft Certified Trainer in 1998, when he began delivering Windows NT 4.0 courses.
Since then, he has delivered training sessions on Windows, Exchange Server, System Management Server,
System Center Configuration Manager, Microsoft Operations Manager, System Center Operations
Manager, and System Center Virtual Machine Manager. Adrian specializes in system management and
virtualization. He recently created and delivered seminars on building private cloud solutions using
Microsoft Hyper-V and System Center.
Conan Kezema --- Subject Matter Expert

Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems architect, and author who
specializes in Microsoft technologies. As an associate of S.R. Technical Services, Conan has been a subject
matter expert, instructional designer, and author on numerous Microsoft courseware development
projects.
David Susemiehl --- Content Developer

David Susemiehl has worked as consultant, trainer, and courseware developer since 1996. David has
extensive experience consulting on Microsoft Systems Management Server and System Center
Configuration Manager 2007, as well as Active Directory, Exchange Server, and Terminal Server/Citrix
deployments. David has developed courseware for Microsoft and Hewlett-Packard, and delivered those
courses successfully in Europe, Central America, and across North America. David has several years
experience developing courseware for Microsoft Learning, and consulting on infrastructure transitions in
Michigan. In 2009, David took a position managing the Exchange Server and System Center environments
for a nationwide company.
Bob Lawler --- Technical Reviewer

Bob Lawler, B.S., MCITP, MCSE, MCT, is the owner and president of XPO-NET Corporation. He has more
than 20 years of Information Technology (IT) experience. As a professional technical writer, he has
authored, contributed to, and edited a variety of training software and videos, books, magazine articles,
and courseware about many Microsoft and third-party technologies. As a consultant and trainer, Bob has
provided expertise and guidance on technologies such as Microsoft Exchange Server, Internet Security
and Acceleration (ISA) Server, and System Center Configuration Manager for many organizations,
including some of the most recognizable names in American business.
xii 10748A: Deploying System Center 2012 Configuration Manager
Contents
Module 1: Overview of System Center 2012 Configuration Manager
Lesson 1: Introduction to System Center 2012 Configuration Manager 1-4
Lesson 2: Overview of the Configuration Manager 2012 Server Default
Site System Roles 1-16
Lesson 3: Overview of the Configuration Manager 2012 Server Optional
Lesson 4: Overview of Configuration Manager 2012 Deployment
Scenarios 1-43
Lesson 5: Overview of the Configuration Manager 2012 Client 1-57
Module 2: Planning and Deploying a Stand-Alone Primary Site

Lesson 1: Planning a System Center 2012 Configuration Manager
Stand-Alone Primary Site Deployment 2-3
Lesson 2: Preparing to Deploy a Configuration Manager 2012
Primary Site 2-10
Lesson 3: Installing a Configuration Manager 2012 Site Server 2-28
Lab A: Installing a Configuration Manager 2012 Primary Site 2-36
Lesson 4: Performing Post-Setup Configuration Tasks 2-42
Lesson 5: Tools for Monitoring and Troubleshooting a Configuration
Manager 2012 Installation 2-52
Lab B: Performing Post-Setup Configuration Tasks 2-57
Lesson 6: Managing Internet-Based Clients 2-61
Lab C: Configuring PKI for Configuration Manager 2-69
Module 3: Planning and Configuring Role-Based Administration

Lesson 1: Overview of Role-Based Administration 3-3
Lesson 2: Identifying IT Roles in Your Organization 3-15
Lesson 3: Configuring Role-Based Administration 3-25
Lab: Planning and Configuring Role-Based Administration 3-31
Module 4: Planning and Deploying a Multiple-Site Hierarchy

Lesson 1: Planning a Configuration Manager 2012 Multi-Site Hierarchy 4-3
Lesson 2: Deploying a Configuration Manager 2012 Site 4-15
Lesson 3: Deploying the Central Administration Site 4-26
Lab A: Installing the Central Administration Site 4-34
Lesson 4: Deploying Primary Sites in a Hierarchy 4-41
Lab B: Installing a Primary Site in an Existing Hierarchy 4-53
Lesson 5: Deploying Secondary Sites 4-60
Lab C: Installing a Secondary Site 4-66
10748A: Deploying System Center 2012 Configuration Manager xiii
Module 5: Data Replication and Content Management

Lesson 1: Introduction to Data Types and Replication 5-3
Lesson 2: Monitoring and Troubleshooting Data Replication 5-17
Lab A: Monitoring and Troubleshooting Data Replication 5-23
Lesson 3: Planning for Content Management 5-28
Lesson 4: Configuring and Monitoring Content Management 5-49
Lab B: Configuring Content Management 5-65
Module 6: Planning and Completing System Center 2012

Configuration Manager Client Deployment
Lesson 1: Introduction to Discovery Methods 6-4
Lesson 2: Introduction to Configuration Manager 2012
Client Deployment 6-21
Lesson 3: Deploying Configuration Manager 2012 Clients 6-42
Lab: Planning and Completing Configuration Manager 2012
Client Deployment 6-56
Lesson 4: Managing Configuration Manager 2012 Clients 6-66
Lesson 5: Monitoring Configuration Manager 2012 Client Health 6-78
Module 7: Maintaining and Monitoring System Center 2012

Lesson 1: Overview of Configuration Manager 2012 Site Maintenance 7-3
Lesson 2: Performing Backup and Recovery of a Configuration
Manager 2012 Site 7-13
Lesson 3: Monitoring Configuration Manager 2012 Site Systems 7-30
Lab: Maintaining and Monitoring System Center 2012
Configuration Manager 7-36
Module 8: Migrating from System Center Configuration Manager 2007 to

System Center 2012 Configuration Manager
Lesson 1: Overview of the Migration Process 8-3
Lesson 2: Preparing Configuration Manager 2007 Sites for Migration 8-11
Lesson 3: Configuring Migration Settings 8-18
Lesson 4: Migrating Objects 8-27
Lab: Migrating from System Center Configuration Manager 2007
to System Center 2012 Configuration Manager 8-37
xiv 10748A: Deploying System Center 2012 Configuration Manager
Appendix: Lab Answer Keys

Module 2 Lab A: Installing a Configuration Manager 2012 Primary Site L2-1
Module 2 Lab B: Performing Post-Setup Configuration Tasks L2-6
Module 2 Lab C: Configuring PKI for Configuration Manager L2-11
Module 3 Lab: Planning and Configuring Role-Based Administration L3-19
Module 4 Lab A: Installing a Central Administration Site L4-25
Module 4 Lab B: Installing a Primary Site in an Existing Hierarchy L4-31
Module 4 Lab C: Installing a Secondary Site L4-37
Module 5 Lab A: Monitoring and Troubleshooting Data Replication L5-41
Module 5 Lab B: Configuring Content Management L5-45
Module 6 Lab: Planning and Completing Configuration Manager 2012
Client Deployment L6-51
Module 7 Lab: Maintaining and Monitoring System Center 2012
Configuration Manager L7-61
Module 8 Lab: Migrating from System Center Configuration
Manager 2007 to System Center 2012 Configuration Manager L8-67
About This Course xv
About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.
Course Description
This three-day course describes how to plan and deploy a Microsoft System Center 2012 Configuration
Manager hierarchy, including the central administration site, one or more primary sites and secondary
sites, and all associated site systems. This course also covers migration from Microsoft System Center
Configuration Manager 2007.
Audience
This course is intended for:
Systems Engineers who need to plan a System Center 2012 Configuration Manager deployment. They
have three to five years of experience in medium to large enterprise organizations supporting
multiple desktop and server computers that run Microsoft Windows.
Configuration Manager Administrators responsible for designing and deploying one or more System
Center 2012 Configuration Manager sites and all supporting systems. They have three to five years of
experience in medium to large enterprise organizations supporting multiple desktop and server
computers that run Microsoft Windows Server.
Individuals who are interested in taking exam 70-243 TS: Microsoft System Center 2012 Configuration
Manager, Configuring can also attend this course. Both Configuration Manager courses will be
necessary to prepare for the exam.
Student Prerequisites
This course requires that you meet the following prerequisites:
Networking fundamentals, including TCP/IP and Domain Name System (DNS)
Active Directory principles and management
Windows Server management including Windows Server 2008 and Windows Server 2008 R2
Microsoft Windows client fundamentals
Deployment, configuration, and troubleshooting for Windows-based personal computers
Microsoft SQL Server 2008 including Reporting Services
Basic Public Key Infrastructure (PKI) concepts
Desired: Have a base-level understanding of System Center Configuration Manager 2007

xvi About This Course
Course Objectives
After completing this course, students will be able to:
Describe the Configuration Manager 2012 infrastructure and describe typical deployment scenarios.
Plan and deploy a stand-alone primary site.

Plan and configure administrative roles.
Plan and deploy a multiple-site hierarchy including the central administration site, primary sites, and
secondary sites.
Describe replication and data types, and monitor the replication of data throughout the hierarchy.
Use various methods to plan and deploy Configuration Manager 2012 clients.
Perform maintenance tasks and monitor site systems.

Perform migration of objects from Configuration Manager 2007 to Configuration Manager 2012.
Course Outline
This section provides an outline of the course:
Module 1: Overview of System Center 2012 Configuration Manager
Module 2: Planning and Deploying a Stand-Alone Primary Site
Module 3: Planning and Configuring Role-Based Administration
Module 6: Planning and Completing System Center 2012 Configuration Manager Client Deployment
Module 7: Maintaining and Monitoring System Center 2012 Configuration Manager
Module 8: Migrating from System Center Configuration Manager 2007 to System Center 2012
About This Course xvii
Course Materials
The following materials are included with your kit:
Course Handbook A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when its
needed.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site:

Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to
supplement the Course Handbook.
Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most
up-to-date premium content on TechNet, MSDN, Microsoft Press.
Student Course Files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the

Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.
Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail
to mcphelp@microsoft.com.
xviii About This Course
Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Virtual Machine Configuration

In this course, you will use Microsoft Hyper-V deployed on Windows Server 2008 R2 SP1 to perform the
labs.
Important: At the end of each lab, you must revert the virtual machine back to the state the virtual
machine was in before the lab started. To revert a virtual machine, perform the following steps:
1. In Hyper-V Manager, right click the virtual machine name, and click Revert.
2. In the Revert dialog box, click Yes.
The following table shows the role of each virtual machine used in this course:
Virtual machine Role

10748A-NYC-DC1 Domain Controller for the Contoso.com domain. Contains the
(A,B,C) following:
Active Directory Domain Services (AD DS)
DNS
10748A-NYC-CFG Configuration Manager 2012 primary site in New York

(A,B,C)
10748A-NYC-CAS Configuration Manager 2012 central administration site

(A,C)
10748A-LON-CFG Configuration Manager 2012 primary site in London

(A,C)
10748A-TOR-CFG Configuration Manager 2012 secondary site

(A,C)
10748A-NYC-CM7-B Configuration Manager 2007 primary site
10748A-NYC-SVR1-C Member server in the Contoso domain
Software Configuration
The following software is installed in this course:
Windows Server 2008 R2 SP1

System Center 2012 Configuration Manager
About This Course xix
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All of the
aforementioned virtual machines are deployed in each student computer.
Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires the following minimum
equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning
Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught:
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 gigabyte (GB) hard disks 7200 revolutions per minute (RPM) SATA or better*
8 GB random access memory (RAM)
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
Microsoft mouse or compatible pointing device
Sound card with amplified speakers

*Striped
1-1
Module 1
Overview of System Center 2012 Configuration Manager
Contents:
Lesson 1: Introduction to System Center 2012 Configuration Manager 1-3
Lesson 2: Overview of the Configuration Manager 2012 Server Default

Lesson 3: Overview of the Configuration Manager 2012 Server Optional

Lesson 4: Overview of Configuration Manager 2012 Deployment Scenarios 1-43

Lesson 5: Overview of the Configuration Manager 2012 Client 1-57
1-2 Overview of
o System Center 2012 Configuration Mannager
Module Overrview
Microsoft System
m Center 2012 Configuration
n Manager pro ovides a set of features that enable you to
perfform complex management tasks includinng the followin
ng:
Hardware and
d software inventory
Application management
m
Operating sysstem deployment
Settings management
Software upd
date managem
ment
Remote clientt troubleshootting
Protection fro
om malware
Kno
owledge of theese features he
elps you design
n and deploy a Configuratio 012 infrastructure.
on Manager 20
Oth
her topics which help you in your design an
nd deploymen nt tasks includee:
An understan
nding of Config
guration Mana mponents and functionality.
ager 2012 com
The knowledg
ge of site syste
em roles.
An understan t Configurattion Manager 2012 client.
nding of the arrchitecture of the
Commpared with previous version ns, System Cen nter 2012 Connfiguration Manager introduces a number of
changes to the sitte architecture
e model which may affect ho ow you plan a Configuration n Manager
hierrarchy. This mo
odule providess an overview of the technollogies that willl be discussed throughout thhe
rest of the course. In this module, you will expplore these chaanges by exam
mining several typical deployyment
scennarios, which use
u a variety off site architecttures.
10748A: Deploying System Center 2012 Configuration Manager 1-3
After completing this module, you will be able to:
Describe the System Center 2012 Configuration Manager architecture.
Describe the Configuration Manager 2012 server infrastructure.
Describe typical Configuration Manager 2012 deployment scenarios.
Describe the Configuration Manager 2012 client.

1-4 Overview of
o System Center 2012 Configuration Mannager
Lesson 1
Introduction to
t Syste
em Center 201
12 Confiiguratio
on
Manag ger
Systtem Center 2012 Configuration Manager is a feature-ricch managemen nt solution. In this lesson, yo
ou
will discover how to design a Co onfiguration Manager
M hierarrchy that helpss you use thesse features mo ore
efficciently. You will examine the
e role of Config
guration Manaager in the Sysstem Center 20 012 family of
prod ducts and deteermine whethe er Configuratio
on Manager iss the appropriaate product to o use in your
orga anization.
You
u will also exam
mine how the changes
c introd
duced in Confiiguration Man
nager 2012 as ccompared with
h
prevvious versions affect your ovverall site hiera
archy design.
In Configuration
C Manager
M 20077, data is transfferred betwee n sites using fiile-based replication. Althou
ugh
Connfiguration Ma anager 2012 sttill uses file-based replication
n for content, database repliication is used to
repllicate operatio
onal data. In th
his lesson, you will examine w what global daata and site daata are, and hoow
dataa is replicated throughout thhe hierarchy.
Afte
er completing this lesson, yo
ou will be able to:
Describe the features of Co

onfiguration Manager
M 2012.
Explain how Configuration

C Manager 2012
2 is positioned
d in the System
m Center 2012 family of prod
ducts.
Describe site and hierarchy differences be

etween Config
guration Manaager 2007 and Configuration
n
Manager 201 12.
Describe the architecture and functionalitty of the Conffiguration Man

nager 2012 clie
ent.
Describe the differences be

etween global data and site d
data.
Explain how data
d replicatess throughout the hierarchy.
10748A: Deployingg System Center 2012 Configuration Mannager 1-5
Overview
O of
o Configuration Manager 201
12
Th
he following ta
able outlines the features of System Centeer 2012 Config
guration Manager.
Feature Feature usa

age
Asset
A manage
ement
Hardware and
d Software You can usse the tools an
nd resources p
provided in thee Hardware an
nd
Inventory Software Inventory featuure to maintain a record of h
hardware and
software in
n your organizzation.
Asset Intellige
ence You can usse the Asset In ntelligence feature to obtainn more insight from
the inventory data recorrded by the Haardware and SSoftware Inventory
feature. Assset Intelligencce uses a catalog that contains software an
nd
license info
ormation to id dentify the inveentoried softw
ware.
Software Mettering You can usse the Softwarre Metering feature to monitor and collectt
software usage
u data and
d generate repports to determ
mine how appllications
are used in
n your organizzation.
Remote Mana
agement You can usse the Remotee Management feature to re emotely access any
client com
mputer in the h
hierarchy to asssist a user. Youu can use the rremote
control to troubleshoot hardware and d software conffiguration problems
on client computers
c d to provide heelp-desk support when acce
and ess to a
users com
mputer is necesssary.
1-6 Overview of System Center 2012 Configuration Manager
(continued)
Feature Feature usage

Deployment
Application management You can use the tools and resources in the Application Management
feature to create, manage, deploy, and monitor applications in the
organization.
Software Updates You can use the tools and resources in the Software Updates
Management Management feature to manage, deploy, and monitor software updates
in the organization.
Operating System You can use the Operating System Deployment feature to plan and
Deployment deploy operating systems by using images.
Content Management You can use the tools and resources in the Content Management feature
to manage content files for applications, packages, software updates, and
operating system deployment.
Compliance management
Compliance Settings You can use the tools and resources of the Compliance Settings feature
to help you assess, track, and remediate the configuration compliance of
client computers in the organization.
Power Management You can use the tools and resources provided by the Power Management
feature to manage and monitor the power consumption of client
computers in the organization.
Client Health You can use the tools and resources provided by the Client Health
feature to manage and monitor the health of the Configuration Manager
client software.
Security
Role-based Administration You can use role-based administration to assign roles and permissions
for the administrators to allow them to access and use the features of
Configuration Manager.
Network Access Protection You can use the Network Access Protection feature as a health validator.
This feature works in conjunction with Network Access Protection in
Microsoft Windows Server 2008.
Endpoint Protection You can use this new functionality in Configuration Manager 2012 to
protect clients against malware. This functionality was available
previously in Forefront Endpoint Protection (FEP).
Common features
Reporting You can use the SQL Reporting Services in Configuration Manager 2012
for report generation. Administrators can create subscriptions so that
reports are generated on a schedule and distributed in various formats
by email.
Monitoring You can use the Monitoring feature to supervise site systems and client
health. It also provides automatic remediation for specific client errors.
Question: Summarize the functionality of Configuration Manager 2012.

Overview
O of
o the System Centerr 2012 Fam
mily of Pro
oducts
Syystem Center solutions

s help you manage the t physical annd virtual inforrmation techn
nology (IT)
ennvironments across data cennters, client computers, and mobile devicees. You can imp prove your
productivity by using the inte
egrated and au utomated solu tions of System
m Center.
Th
he following ta
able lists the Microsoft
M Syste
em Center prod
ducts.
Product Details
System Cente
er 2012 App You can use the
t System Cen nter 2012 App p Controller to provide self-sservice
Controller access for app
plication admi nistrators, to eenable them too create and mmanage
nes and servicees on the basiss of templatess, and manage private
virtual machin
cloud resourcces and public cloud Window ws Azure subscriptions fromma
single web intterface.
System Centeer 2012 You can use the

t change and d configuratio
on managemen nt capabilities of
Configuration
n Manager System Centeer 2012 Config uration Manag ger to performm tasks such ass
deploying operating systemms, software appplications, and software updates;
monitoring annd remediatin g computers ffor compliance e settings; colle
ecting
hardware andd software inveentory; and rem
mote administtration.
System Centeer 2012 Data You can use the

t System Cen nter 2012 Dataa Protection M
Manager to perform
Protection Maanager disk-based an nd tape-based continuous data protection n and recoveryy for file
e Directory D
servers, Active Domain Servicees (AD DS) and d application servers

such as SQL Server
S , Exchannge Server, SharePoint, and
d Hyper-V baased
virtualization hosts. You can n use Data Pro
otection Manager (DPM) to p protect

the data on Windows
W deskktops and lapttops.
(continued)
Product Details
System Center 2012 You can use System Center Endpoint Protection to provide malware
Endpoint Protection protection for your client systems. System Center Endpoint Protection is
built on Configuration Manager, creating a single infrastructure for
deploying and managing endpoint protection.
System Center 2012 You can use System Center 2012 Operations Manager to monitor services,
Operations Manager devices, and applications on multiple computers in a single console.
Operations Manager 2012 enables you to view the state of the Information
Technology (IT) environment and services running across different systems
using views that show state, health, and performance information in
addition to real-time alerts generated for availability, performance,
configuration, and security incidents.
System Center 2012 You can use the System Center 2012 Orchestrator to orchestrate, integrate,
Orchestrator and automate the IT processes in an organization. Orchestrator enables you
to define and automate processes from a central point and integrate with
existing management solutions, both from the System Center family and
third-party management platforms.
System Center 2012 You can use the System Center 2012 Service Manager for automating and
Service Manager adapting the organization processes to IT service management best
practices, such as those found in Microsoft Operations Framework (MOF)
and Information Technology Infrastructure Library (ITIL). System Center 2012
Service Manager also provides built-in processes for incident and problem
management, change management, release management, and risk and
compliance management.
System Center 2012 You can use the System Center 2012 Virtual Machine Manager to configure
Virtual Machine and manage virtualization hosts, networking, and storage resources. This
Manager management solution for the virtualized datacenter also helps you create
and deploy virtual machines and services to private clouds.
Note For System Center 2012 licensing information, please visit Microsoft Server and
Cloud Platform Pricing and Licensing at http://go.microsoft.com/fwlink/?LinkId=253177.
Question: Which of the System Center family of products, including the previous versions,
are you using in your organization?
Sites and Hierarchies

H s
Yo
ou can implem
ment the Configuration Manager 2012 as:
A single priimary site with

h optional seco
ondary sites.
Multiple sittes in a hierarcchical relationsship, including a central adm

ministration site
e, multiple prim
mary
sites, and se
econdary sitess.
Unlike Configurration Manage er 2007, sites in

n Configuratioon Manager 20012 are no longer security
bo
oundaries, andd do not limit the
t administra ative scope. Yo
ou use multiplee primary sitess for scale-out
op
perations to acccommodate a larger number of clients.
Changes
C to Site
S Types
M 2012 introduces ch
hanges to site ttypes including
g:
Central admministration sitte. In Configurration Manageer 2007 and prrevious version ns, the top-leve
el
primary site
e was called a central site. In n Manager 2012, a new site type called the
n Configuration
ministration sitee has been introduced. The ccentral admin istration site:
central adm
Is only required when ng multiple priimary sites.

n implementin
Provide
es centralized management of the other p
primary sites in
n the hierarchyy.
Is used to generate reports

r that co
ontain data fro m the entire h
hierarchy.
Supporrts a subset of site system ro

oles.
n have directtly-assigned clients or processs client data. It receives clie

Does not ent data from tthe
other primary
p sites in
n the hierarchyy. The central aadministration
n site does nott support roam
ming
clients.
If you decid
de to use a cenntral administrration site, you
u must install itt first, and the
en install otherr
primary site
es that will be part of the hie
erarchy under the central ad dministration site.
Primary sites. In Configuration Manager 2007, primary sites could be tiered below other primary sites,
and were often used to enable decentralized administration, define custom configurations for client
agents, or serve as a security scope. In Configuration Manager 2012, primary sites are no longer used
to provide those functions. Configuration Manager 2012 primary sites:
Are used to increase scalability by supporting a larger number of clients when you add another
primary site.
Manage the clients assigned to them and perform client data processing.
Cannot be linked to another primary site in a parent-child relationship. Only secondary sites can
be a child site of a primary site.
Are installed either as a stand-alone site or as the child to an existing central administration site
when you install it in a hierarchy. Once installed, the parent-child association can be changed
only by uninstalling and reinstalling the primary site.
Do not limit the administrative scope. Configurations performed by administrative users at any of
the sites are replicated throughout the hierarchy. You can restrict administrative access using
security roles.
Secondary sites. In Configuration Manager 2007, secondary sites were used to manage the network
bandwidth for sending client data and content to remote locations. In Configuration Manager 2012,
secondary sites are used mainly to control the upward flow of client data in the hierarchy.
Secondary sites:
Use a SQL Server database. Typically, this is located on a SQL Server Express instance and installed
locally on the secondary site server.
Always include a management point and distribution point.
Participate in database replication with their parent primary site.
Must be a child of a primary site.
Support the routing of file-based content to other secondary sites.
Question: If you have an existing Configuration Manager 2007 implementation, what is your
current architecture?
Question: If a company has a primary site that reports to another primary site, what needs to
happen when the primary site is moved to Configuration Manager 2012?
10748A: Deploying System Center 2012 Configuration Manaager 1-11
Configurat
C ion Manag
ger 2012 Client
C
Th
he Configuratiion Manager 2012
2 Client is the
t software innstalled on thee computers or mobile devicces you
want
w to manage nstall Configurration Manageer 2012 client software on a device such as a
e. When you in
workstation,
w po
ortable computter, server, or mobile
m device,, that device iss referred to ass a client.
Yo
ou can use Configuration Manager client software
s to au
utomate client managementt tasks such as::
Collecting hardware
h and software inven
ntory informattion and sendiing the data to
o the Configurration
Manager site.
Running deeployments of applications, applying
a softw
ware updates, rrunning scripts, and installin
ng
operating systems.
s The deployments ca an take place o
on a specific d
date and time, or when userss
request the
e installation of software usin
ng the Applicaation Catalog.
Monitoring g application usages by recording the appllication start aand stop times. This data is sent to
the site and
d made availabble for reports.
Defining cliient configurattion settings that will be evaaluated on all cclients and rem
mediating the client
configuratioon if they are out of complia ance.
Troublesho ooting computers by using Remote

R Contro
ol, or by using Active Managgement Technoologies
(AMT) operrations for AMT-based comp puters that do not have a Coonfiguration M
Manager client
installed.
Implementing power management setttings to manag

ge and monito
or the power cconsumption o
of
computers.
Protecting against malwa

are by using En
ndpoint Protecction.
1-12 Overview of System Center 20012 Configuration Maanager
Wh
hat Are Glo
obal and Site
S Data Types?
T
In Configuration
C Manager
M 20122, data is repliccated between n the sites in th
he hierarchy. D
Depending on the
typee of data being
g replicated, itt can be classiffied as either g
global data or site data. A thhird data type, called
loca
al data, does not replicate to
o other sites. Lo ocal data incluudes informatio on that is not required by otther
sitess.
Glo
obal Data
Globbal data consissts of administtrator-created objects that reeplicate to all primary sites, in addition to the
centtral administra
ation site, acro hy. Administra tors can createe global data using the conssole
oss the hierarch
connected at the central administration site or o at primary siites. Examples of global dataa include the
follo
owing:
Collection rulles
Software dep
ployment defin
nitions
Package meta
adata
Program mettadata
Software upd
dates deployment definitionss
Configuration
n item metada
ata
Software upd
date metadata
Task sequencce metadata
Site control fiile

Site servers list
Role-based administration security roles and security scopes
Alert rules
Site Data
Site data is operational information created by Configuration Manager primary sites, and by the clients
assigned to primary sites. Site data only replicates to the central administration site and is not replicated
to other primary sites. Examples of site data include:
Collection members from query-based collections
Hardware inventory data
Software inventory and metering data
Asset intelligence tracking data

Status messages and alerts
Software distribution status details
Component and site status summarizers
Client status data
Client status history
Wake On LAN
Quarantine client restriction history
You can only view the site data from all sites at the central administration site. This enables you to
perform administration and reporting for the entire hierarchy. A primary site only contains site data
originated from that site. You can modify site data only at the primary site where it was created.
Content
The actual content of the packages which is used to deploy software applications, updates, and operating
system images is not replicated using database replication, but with file-based replication, for example,
the Server Message Block (SMB) protocol.
In the same primary site, the content is transferred from the site server to distribution point using file-
based replication. Administrators can configure bandwidth throttling and scheduling for the file transfer.
File-based replication mechanisms are also used to transfer the content to distribution points in other sites
in the hierarchy. Administrators can control the distribution points to which content is replicated by using
distribution point groups.
Question: What type of data is a custom client agent setting?

Ho
ow Data Re
eplicates Throughou
T ut the Hierrarchy
Commmunications in Configuration Manager 2012 2 has signifficantly changeed compared tto earlier versiions
of Configuration
C Manager.
M In th
he earlier versions of Configu uration Manag ger, inter-site ccommunicatio
ons
are completed using file transfeers. Most inter--site communiications in Con nfiguration Maanager 2012 are
noww completed with
w database replication.
r File
e-based replic ation is still ussed for data suuch as package
e files
usedd by deploymeents and disco overy data reco ords.
File
e-Based Rep
plication
File--based replication in Configuration Manag ger 2012 uses senders and aaddresses to trransfer data
betwween sites in the hierarchy. Unlike
U earlier versions,
v Confiiguration Man nager supportss only the standard
sendder. Communiication betwee en sites uses th
he Server Messsage Block (SM by using TCP port
MB) protocol b
445. File-based reeplication is automatically coonfigured for cchild sites, but you must con
nfigure it for
addditional routes.
The two compone

ents required for
f file-based replication
r aree:
Senders. Sendders manage the network co
onnectivity to o
other sites. A sstandard sender is installed aand
available by default.
d
Addresses. Adddresses are used by senders to establish a network con nnection to the
e site server off a
destination site. Addresses for child sites are automaticcally configured when the sitte is installed.
Dattabase Repllication
Connfiguration Ma anager 2012 usses database replication to ttransfer data a nd merge chaanges it receive es so
thatt all sites share
e the same info ormation. Whe en you install a site, databas e replication iss automaticallyy
configured betwe een the new sitte and its desig
gnated parentt site. The defaault instance off SQL Server uuses
TCP
P ports 1433 an nd 4022 for da atabase replica
ation. Other SQ QL Server instaances may use e different portts.
Whe en the site insttallation finishes, database re
eplication autoomatically starrts.
As part of the setup, Configuration Manager uses publication groups to establish and synchronize
database replication between sites. After setup, the database replication service synchronizes data in the
publication groups between SQL Servers using the SQL Server Service Broker. The database replication
service uses SQL Server change tracking to monitor the local site database for changes and then replicates
the changes to other sites.
Data transferred through database replication is classified into two categories:
Global Data. Administrator-created objects that replicate to all sites throughout the hierarchy.
However, secondary sites receive only a subset of global data.
Site Data. Operational information created by a Configuration Manager primary site. Site data
replicates to the central administration site but not to other primary sites.
All site data replicates to the central administration site. This enables the central administration site to
perform administration and reporting for the entire hierarchy.
Client Communications
In Configuration Manager 2012, site systems that communicate with clients can be independently
configured to support intranet clients through the use of Hypertext Transfer Protocol (HTTP) or Hypertext
Transfer Protocol Secure (HTTPS) or Internet-based clients through the use of HTTPS. This is different than
Configuration Manager 2007, where sites are either configured to be mixed-mode, using HTTP only, or
native-mode using HTTPS only.
Lesson 2
Overviiew of the
t Con nfiguration Man
nager 2
2012 Server
Defaullt Site System Roles
R
Con
nfiguration Maanager 2012 ha as multiple sitee roles that yo
ou can install eeither on the saame computerr or
on multiple
m servers for scalabilitty. Default site
e roles are instaalled in every C
imp
plementation. Optional
O site roles provide additional
a funcctionality and yyou can installl them as need
ded.
By understanding
u the functiona
ality of the site
e roles, you can
n make design
n decisions reg
garding the
configuration and
d placement off each role in your
y Configuraation Manager implementattion.
Afte
ou will be able to:
Describe the functionality of s system rol es.

o the default site
Identify the site roles you need

n to install in your implem
mentation.
Describe plan
nning and desiign considerations for the deefault site systeem roles.
Overview
O of
o the Conffiguration Manager 2012 Site
e System R
Roles
When
W you instaall a Configurattion Manager 2012 site, seveeral site system
m roles are insttalled by defau ult. The
oles installed are required for the core ope
ro eration of each
h site. Some off these roles caan be moved tto other
se
ervers but cann not be remove ed from the sitte. When you iinstall addition
nal site serverss for optional rroles,
so
ome default sitte system roless are also insta
alled.
In
n Configuration n Manager 2012, the concep pt of site modee is discontinu
ued, and each appropriate
in
ndividual site ro
ole is configurred to use either HTTP or HTTTPS.
Default
D Site System Role
es
When
W you insta
all a site server,, the default syystem roles aree automaticallly installed. The SMS Provide
er role is
th
he only role that does not ha ave an object exposed
e in thee Configuratio n Manager co onsole. Two op
ptional
ro
oles, the management point,, and distribution point roless are also auto omatically instaalled when you u install
a primary or seccondary site se erver.
The following table lists the default site system roles.
Site system role Description
Site server A site server is the computer on which you run Configuration Manager 2012
Setup. The site server provides the core functionality for the site.
Component server A component server runs the Configuration Manager services and is
automatically installed with all site systems except the distribution point.
SMS Provider A SMS Provider is the interface between the Configuration Manager
console and the site database. This role is installed automatically when you
install a central administration site or primary site. Secondary sites do not
install the SMS Provider. You can install the SMS Provider on the site server,
the site database server (unless the site database is hosted on a clustered
instance of SQL Server), or on another computer. You can also move the
SMS Provider to another computer after the site is installed, or install
multiple SMS Providers on additional computers.
Site system A site system is any computer that hosts one or more site system roles for a
Configuration Manager site.
Site database server A site database server hosts the SQL Server database to store information
about assets and site data.
Management point A management point provides policy and content location information to
clients. It also receives data from clients. You cannot install a management
point on a central administration site.
Distribution point A distribution point contains source files for clients to download, such as
application content, software packages, software updates, operating system
images, and boot images. You can control content distribution by using
bandwidth, throttling, and scheduling options. You cannot install a
distribution point on a central administration site.
Optional Site System Roles

Optional site roles provide additional functionality to your Configuration Manager implementation. Some
of the roles (like Windows Server roles) have external prerequisites and features that need to be installed
first on that server.
The following table provides some examples of optional site roles.
Application Catalog An Application Catalog web service point provides software information to the
web service point Application Catalog website from the Software Library. This is a new role
introduced in Configuration Manager 2012.
Application Catalog An Application Catalog website point provides users with a list of available
website point software. This is a new role introduced in Configuration Manager 2012.
(continued)
Asset Intelligence An Asset Intelligence synchronization point connects to System Center Online to
synchronization point download Asset Intelligence catalog information. It can also upload
uncategorized titles that the administrator selected previously for inclusion in
the catalog.
Endpoint Protection An Endpoint Protection point provides the ability to manage malware and
point Windows Firewall remediation for System Center 2012 Endpoint Protection.
Enrollment point An enrollment point uses PKI certificates to complete mobile device enrollment
and provision AMT-based computers. This is a new role introduced in
Enrollment proxy An enrollment proxy point manages enrollment requests from mobile devices so
point that Configuration Manager can manage them. This is a new role introduced in
Fallback status point A fallback status point helps you monitor client installation and identify the
clients that are unmanaged because they cannot communicate with their
management point.
Out of band service An out of band service point provisions and configures AMT-based computers
point for out of band management.
Reporting services A reporting services point integrates with SQL Server Reporting Services to
point create and run reports for Configuration Manager.
Software update point A software update point manages Windows Server Update Services (WSUS) to
synchronize the software update metadata from a configured source, such as
Microsoft Update and make the data available to Configuration Manager.
State migration point A state migration point stores user state data when a computer is migrated to a
new operating system.
System Health A System Health Validator point validates Configuration Manager Network
Validator point Access Protection (NAP) policies. You must install this site system role on a NAP
health policy server.
Site System Role Changes

Several roles have changed from Configuration Manager 2007 and have been integrated with other roles
in Configuration Manager 2012.
The following table summarizes the Configuration Manager 2012 site system role integration.
Branch distribution point Branch distribution points have been retired. Configuration Manager 2012
supports only a single type of distribution point role, which can be installed
on servers or workstations running supported operating systems. Bandwidth
throttling settings are available on the distribution point properties.
PXE service point The PXE service point functionality has been integrated into the distribution
point role.
Reporting point The reporting point role has been retired. Configuration Manager leverages
SQL Server Reporting Services for running reports.
Server locator point The functionality of the server locator point has been integrated with the
management point role.
Site Server
When
W you instaall a Configurattion Manager site several ro
oles are installeed by default. T
These roles provide
th onality for the site.
he core functio
Th
he Configuratiion Manager roles
r installed on
o a server du
uring the Confiiguration Man
nager Setup are
e:
Site Server. The site serverr role providess core function
nality for a Connfiguration Maanager site. WWhen
you install Configuration
C Manager on the
t first server in a site, the ssite server role is automaticaally
installed. Th
here are no coonfigurable pro operties for thee site server ro
ole.
Componentt server. The coomponent servver role is instaalled on any sitte system thatt runs the SMSS
Executive se
ervice. All Con
nfiguration manager compon nents, except tthe distributio
on point role, u
use the
SME Executtive service. Th
here are no configurable pro operties for thee component sserver role.
alled on any seerver that host s a Configurattion Manager role.

Site system. The site systeem role is insta
When you install a site roole on a server from the Con nfiguration Manager console e, the site serve
er
connects reemotely to that computer, co onfigures it as a site system, and then installs the site role you
requested. The site system m role includes the following g configuratioon options:
Specifyy an FQDN for this site system

m for use on th
he Internet. If tthe roles suppo
orted on this sserver
are goiing to be accessible from thee Internet, an Internet FQDN N must be con nfigured. The inntranet
Fully Qualified
Q Domaain Name (FQD DN) is configu red automaticcally during the e installation o
of the
Configuration Manag ger server.
Requiree the site serveer to initiate co

onnections to th
his site system. When this op ption is chosen
n the
site sysstem installatio
on account mu ust also be con
nfigured. This o option is typiccally used when
n the
site sysstem is in a perimeter netwo ork and securityy policies will not allow it to
o initiate
commu unication with the internal network.
n
Site System Installation Account. This setting allows you to configure the account used by site
server to install this site system role. By default, the site server computer account is used.
Active Directory membership. This setting allows you to configure the Active Directory forest and
domain FQDNS that the site system is a member of.
Design Considerations
The site server role is automatically installed when you install a central administration site or primary site.
It is installed on the server from which you run Configuration Manager Setup. When you install a
secondary site by using the Configuration Manager console, the site server role is installed on the server
that you specify as the secondary site server. The site server role cannot be moved to another server
without reinstalling the site.
Because the site server is a critical component in a Configuration Manager implementation, you must
ensure that you can recover your site server configuration in the event of a server loss or malfunction. You
achieve this by configuring the site backup task to back up the site server. More details on how to
configure site maintenance tasks, including the backup task, are found in Module 7, Maintaining and
Monitoring System Center 2012 Configuration Manager.
Site Databa
ase
Th
here are two ro
oles associated
d with the dataabase used byy Configuration n Manager, the site database role
an
nd the SMS Provider role. Thhe site databasse role hosts th
2012 database e and
th
he SMS Provider role providees the interface between Co nfiguration Manager and th he site databasse.
Thhe SMS Provid der is a Windowws Manageme ent Instrumenttation (WMI) p provider that pprovides and coontrols
acccess to the Co
M site database. The SSMS Admins lo ocal group is p
provided full co
ontrol
acccess by defauult and Configu
uration Manag up on the site server
ger automaticaally creates thi s security grou
an
nd on each SM MS Provider co omputer. You mustm have at leeast one SMS Provider in each central
ad
dministration site
s and prima ary site. Second dary sites do n
not install the SSMS Provider.
Planning
P Con
nsiderations for the Sitte Database
e
So
ome planning considerations for the site database
d role i nclude:
The site dattabase must be SQL Server 2008

2 SP2 with cumulative U pdate 9 or late
er, or SQL Servver 2008
R2 with SP11 and Cumulattive Update 4 or later.
The site dattabase server can
c use the Sta
andard or Enteerprise version
n of SQL Serve
er 2008.
Secondary sites use SQL Server

S Express 2008 R2 with SP1 and cum ulative Update
e 4 by default, but can
be configurred to use Stan
ndard or Enterrprise editions as well.
The site dattabase role can use either a default instan ce or a named
d instance of SSQL Server. It iss
possible to use the same SQL Server to host the data bases for multtiple sites; howwever, each
s requires a unique instancce of SQL Servver.
Configuratiion Manager site
You can configure the SQ QL Server service by using a domain user aaccount or the e local system aaccount
of the computer running SQL Server. Using
U a domainn user accountt as the SQL Se erver service acccount
is a best pra
actice, howeve ed to manuallyy register the SService Principle Name (SPN) for the
er you will nee
account.
Site Database Placement

At a central administration site and at primary sites, you can co-locate the database server on the site
server, or place it on a remote server. At secondary sites, the database server is always co-located on the
secondary site server.
If you use a remote database server computer, ensure the network connection between the site server and
site database is a high-availability, high-bandwidth network connection. This is because the site server and
some site system roles must constantly communicate with the SQL Server that is hosting the site database.
Consider the following when you plan to install the site database on a remote server:
The amount of bandwidth required for communications to the database server depends upon a
combination of many different site and client configurations; therefore, the actual bandwidth
required cannot be adequately predicted.
Each computer that runs the SMS Provider and that connects to the site database increases network
bandwidth requirements.
The computer that runs SQL Server must be located in a domain that has a two-way trust with the site
server and all computers running the SMS Provider.
You cannot use a clustered SQL Server for the site database server when the site database is co-
located with the site server.
Planning Considerations for the SMS Provider

Some planning considerations for the SMS provider role include:
The Configuration Manager 2012 console and any site systems that interact with the site database are
accessing the database through the SMS Provider.
The SMS Provider is specified during site installation. By default the SMS provider is located on the
Configuration Manager site server.
You can relocate both the site database and the SMS provider by using the Configuration
Manager 2012 site maintenance action from the Configuration Manager 2012 Setup program.
To be able to host the SMS Provider role a computer system must be a member of a domain that has
two-way trust with the site server and site database systems.
To be able to host the SMS Provider role a computer must be running an operating system that is
supported as a site server.
A server hosting the SMS Provider role cannot host any Configuration Manager roles from any other
sites.
SMS Provider Placement

The Configuration Manager console, Resource Explorer, tools, and custom scripts use the SMS Provider so
that Configuration Manager administrative users can access information that is stored in the database.
The SMS Provider does not interact with Configuration Manager clients. The SMS Provider helps enforce
Configuration Manager security. It returns only the information that the administrative user who is
running the Configuration Manager console is authorized to view.
When all servers that hold a SMS Provider for a site are offline, Configuration Manager consoles cannot
connect to that sites database. You can install multiple SMS Providers in a central administration site or
primary site to provide high availability for the administrative users connecting with the Configuration
Manager consoles.
When you install a site, the installation automatically installs the first SMS Provider for the site. You can
specify any of the following supported locations for the SMS Provider:
The site server computer
The site database computer
Any other computer that does not hold an SMS Provider

Ma
anagemen
nt Point
The managementt point provide es policy and content

c locatio
on information
n to Configuration Manager 2012
clien
nts. Each clientt that is assign
ned to a site tries to locate th
he managemeent point for th
hat site and
connects to it to download
d policy and send th he collected innformation (such as hardwarre inventory) aand
taskk results to the
e site server. Th
he management point is imp plemented as a web service aand is hosted in
ernet Informatiion Services (IIS).
Inte
Note In Co onfiguration Manager

M 2007, managementt points could be configured d to use
network load
d balancing (N
NLB) for high availability.
a Maanagement po
oints in Configu
uration
Manager 2012 do not sup pport using NLB.
Dessign Consid
derations
Whe
en planning fo
or managemen
nt point(s), con
nsider the follo
owing:
Each primary and secondarry site must contain at least o

one managem
ment point. Seccondary sites d
do not
support more e than one management poiint. This mana gement point cannot suppo ort mobile devvices
that are enrolled by Configuration Managger.
To ensure hig
gh availability of
o the manage
ement point, yyou can install multiple manaagement poin
nts in
the same prim
mary site.
anagement point to use eith er HTTP or HTTTPS for client communicatio
You can configure each ma ons.
To use HTTPS
S, you need to request and in
nstall PKI-baseed certificates.
By default, cliients use the most

m secure me
ethod availablle for commun nication. If botth are available
e, a
client will use
e an HTTPS-configured mana agement pointt before it will use an HTTP--configured on ne.
To manage clients on the In w need at leasst one manageement point th

nternet, you will hat is configurred to
use HTTPS. Thhis managemeent points musst be accessiblee from the Inteernet, to be ab
ble to manage e
remote clientts.
Distributio
D n Point
Th
he distribution
n point role is used
u to provid
de the contentt used by featu
ures like appliccation deploym
ment,
so
oftware updatees deploymentt or operating system deplo yment to the C Configuration Manager 201 12
clients.
Th
he distributionn point is imple
emented as a web
w service an nd hosted in In nternet Inform
mation Servicess. The
clients access th
he distribution point to down
nload packagee files, operatin
ng system imaages, or updatees.
Configuratio
C on Managerr 2012 Featu
ures
M 2012 introduces ne
ew features wh
hen implementting the distrib
bution point,
in
ncluding the fo
ollowing:
Distribution
n points can be e configured individually to use HTTP or H HTTPS depend ding on the
anaging clientss over the Inteernet, you will need at least o
capabilities of the clients.. If you are ma one
distribution
n point configu ured to use HT TTPS.
Distribution
n points now include the fun nctionality of tthe Pre-Boot EExecution Envirronment (PXE)) service
nable this funcctionality, you need to installl Windows Deeployment Servvices (WDS) on
point. To en n the
same comp puter that hostts the distributtion point.
To control the
t content diistribution, you
u can create d istribution poiint groups whiich enable you
u to
manage content on multtiple distributio
on points as a single entity.
Distribution
n points now include the opttion to perform
m content valiidation to veriffy the status o
of the
content repplicated from the
t site server or from otherr distribution p
points. This opttion is not enaabled by
default.
Distribution
n points can be
e associated with
w one or mo ore boundary g
groups, so you e which
u can configure
clients can access content from the disttribution pointt.
Distribution points have settings for bandwidth throttling and scheduling the transfer of content so
you can control network traffic.
Distribution points now use a single instance store and implement the concept of content library.
When planning for the distribution point(s), consider the following:
Place a distribution point closer to the clients it will serve, for example on the same high-speed
network subnet.
Use protected site systems for servers hosting the distribution point role so that the servers accept
connections only from clients in the same boundary group.
Deploy multiple distribution points if you frequently use features like software distribution, software
update management and operating system deployment.
Distribution points can be installed on desktop operating systems and also can be installed on 32-bit
systems.
Distribution points are discussed in more detail in Module 5.

Lesson
n3
Overv
view of the Configuration Maanager 2012 Se
erver
Optio
onal Site
e System
m Roless
M 2012 optional site roles
r provide aadditional funcctionality to th
he site and you
u can
in
nstall them as needed.
n
During the plannning and design phase of yo our Configura tion Manager 2012 impleme entation, you need to
id
dentify the role
es needed, fun
nctionality, and
d capacity requ
uirements. Thiss lesson descriibes the basic
fu
unctionality of the optional site
s system role es in addition to planning an
nd design con nsiderations.
After completin y will be able to:

ng this lesson, you
Describe th
he functionalityy of each of th
he following op
ptional site rolles:
Applica
ation Catalog
Asset In
ntelligence syn
nchronization point
Endpoiint Protection point
Enrollm
ment point
Enrollm
ment proxy point
Fallbacck status point
Out of band service point
p
Reporting services po
oint
Software update point
State migration
m point
System
m Health Valida
ator point
Determine the number and placement of each site ro
ole.
Ap
pplication Catalog
C
The Application Catalog

C is a new
w feature in Configuration MManager 2012 that enables u
users to selectt and
install applications automatically by placing re ortal.
equests in a po
The Application Catalog

C is implemented using
g the following
g two site rolees:
Application caatalog web serrvice point. This role providess software info
ormation from
m the software
library. As an Administratorr, you configurre this informaation for each application pu
ublished in the
e
catalog.
Application ca
atalog website point. This rolle is the web in nterface for en
nd users. Using g this portal, users
can see the list of available applications, request
r appliccations, and insstall applicatio
ons.
Dessign Consid
derations
Whe
en planning fo
or the Applicattion catalog, co
onsider the fo
ollowing:
The Application Catalog is a hierarchy-wiide role. In a m

multiple primary site hierarch
hy you typicallly
install one insstance of each role, although
h multiple insttances are supported.
The Application Catalog cannot be installed on a secon
ndary site or o n a central administration siite.
The Application Catalog allows users to manage

m option
nal application o users or to allow
ns deployed to
users to request available applications.
The Application Catalog allows users to configure
c somee preferences and wipe their mobile devicces
that are being
g managed through Configu uration Managger.
The Application Catalog supports integra

ation with Micrrosoft SharePo
oint.
Asset
A Intelligence Synchronizattion Pointt
Thhe Asset Intelliigence synchro

onization poin nt is used to coonnect to Systeem Center Online (over HTT TPS) to
doownload catalog information updates. Configuration Maanager supports a single insstance of this ssite
syystem role in a hierarchy andd only at the toop-level site in
n the hierarchyy. Asset Intellig
gence catalog
in
nformation is replicated to alll primary sitess.
Thhe Asset Intelliigence synchroonization poinnt site role lets you schedule automatic syn
nchronization with
Syystem Center online,
o equests can bee performed o n demand. In addition to
or syncchronization re
doownloading ne ew asset intelligence catalogg information, the Asset inteelligence Synch
hronization po
oint can
uppload custom software title information to o System Cent er Online for ccategorization.
Asset intelligencce software reports provide information a bout softwaree families, categ gories, and specific
so
oftware titles that are installe
ed on compute ers in the orgaanization. The software repo orts present
in
nformation abo out browser he elper objects, software
s that sstarts automattically, and mo
ore. These repoorts can
be e used to iden
ntify adware, sppyware, and otther malware, and identify ssoftware redun ndancy to helpp
sttreamline softw
ware purchasin ng and supporrt.
Design
D Considerations
When
W planning for the Asset intelligence Syynchronization
n point, consid
der the following:
The asset in
ntelligence synnchronization point
p can onlyy be installed aat the top-leve
el site in the hierarchy
in the centrral administrattion site, or sta
and-alone prim
mary site.
The asset in
ntelligence syn
nchronization point
p must be able to make an Internet co
onnection over HTTPS
to System Center
C online.
Custom sofftware titles in at is uploaded to System Cen

nformation tha nter Online forr categorizatio
on is
treated by Microsoft as public
p informattion.
End
dpoint Pro
otection Point
The Endpoint Protection point role

r is required
d before endppoint protectio on can be enabbled in
Connfiguration Maanager 2012. The
T Endpoint Protection
P poinnt is used to seend informatio
on collected byy the
end
dpoint protection clients to the Microsoft Active
A Protectiion Service. Th n is used to update
his information
the definitions use
ed to identify harmful software. During th e installation o
of the endpoin
nt protection ppoint,
you must accept a separate license agreemen nt.
Dessign Consid
derations
Whe
en planning fo
or the endpoin
nt protection point,
p considerr the following
g:
The Endpointt Protection po

oint can only be
b installed in the Central Ad
dministration ssite, or stand-aalone
primary site.
You must insttall an Endpoin
nt Protection point
p before yyou can begin to use endpoint protection.
You can choo

ose one of thre
ee levels of me
embership with
h the Microsofft Active Prote
ection Service:
Non-partticipating --
- noo information sent
s to Microssoft. Users will only be alerte
ed about
unclassifiied software.
Basic membership --- ba

asic informatio
on about softw
ware that endp on detects will be
point protectio
sent to th
he Microsoft Active
A Protectio
on service.
Full mem
mbership --- Enddpoint protectiion will alert u
users about un classified softw
ware. In additio
on to
the basicc information, more detailed information iss sent to the M
Microsoft Activve Protection
Service about software that is detected by the end point protection client.
Enrollmentt Point and

d Enrollme
ent Proxy P
Point
Yo
ou can use Configuration Manager to man nage mobile d
devices. There are two distincct methods yo
ou can
usse for managin nagement and depth manag
ng mobile devvices: light man gement:
Light mana ovides basic maanagement feaatures through

agement is clientless and pro h the Exchange
connector, such as remotte wipe and a limited hardwaare inventory.
Depth management insta d provides a riccher hardwaree inventory, settings manage

alls a client and ement,
and software deployment. Configuratio on Manager 20012 uses the eenrollment point and the enrrollment
proxy pointt to provide de
epth managem ment for suppo orted mobile ddevices. Configguration Manaager
2012 can use depth mana agement to manage
m mobilee devices that aare running a supported Win ndows
Mobile opeerating system or Nokia Sym mbian devices. TThe enrollmen nt point roles aare also used tto
support AM
MT devices.
hese two enrollment point ro

Th oles work toge
ether to provid
de the depth m
management ffunctionality in
n the
fo
ollowing ways:
Enrollment point. This role
e uses PKI certtificates to com
mplete the enrrollment of mo
obile devices aand
AMT-capab ble computers so that they can
c be manageed by Configuration Manage er.
Enrollment proxy point. Mobile

M devices connect to th is role to subm
mit client installation requestts and
download the
t client. Enroollment requessts are sent to the Enrollmennt point for coompletion.
When planning for mobile device management, consider the following:
The enrollment point roles are site-wide roles; the enrollment proxy point is typically accessed from
the Internet and should be placed in a perimeter network, or published through a firewall.
Light management provides basic management functionality and uses the Exchange connector.
Depth management installs a client and provides additional management features.
You must use depth management if you require:
Customizable mobile device hardware inventory
The ability to specify mobile device settings
The ability to deploy software

Fallback Sta
atus Pointt
A fallback status point is a hie

erarchy-wide site role that is used to monitor client deplloyment activity and
id
dentify clients that
t are unmanaged because they cannott communicatee with a manag gement point. Mobile
deevices do not use a fallback status point.
Thhe fallback status point alwa

ays uses HTTP for client com munication; th hese are unautthenticated
coonnections witth data sent in clear text. Beccause of this, aand to help red
duce the attacck surface, the fallback
sttatus point sho
ould be placedd on a dedicate ed server.
If configured too use a fallback k status point, CCMSetup wi ll send state m

messages to the
e fallback statu us point
duuring installatiion. If a client is unable to co
ommunicate w
with a manage ment point, th hey will send sttate
messages
m to thee fallback statu c use these sstate messagees to help identtify clients that are
us point. You can
haaving commun nication failure es.
Design
D Consideration
When
W planning for a fallback status point, consider
c the fo
ollowing:
You need to install a fallb
back status poiint if you wantt client compu
uters to report any failures,
particularlyy when they caannot commun nicate with a m
management p point.
You need to install a fallb

back status poiint if you wantt to use the cliient deployme
ent reports; the
ese
reports dep
pend on inform mation sent to the fallback sttatus point.
You can use dditional security

e a dedicated server to host the fallback sttatus point and can have ad
measures in
n place to help
p protect again
nst attack.
Ou
ut of Band Service Po
oint
Outt of band mana agement lets ana administrattive user conneect to a compu uter's AMT maanagement
controller when thhe computer is turned off, in n hibernation, or otherwise u
unresponsive tthrough the
opeerating system.. In these situa
ations, adminisstrative users ccan manage th
hese computerrs without requ
uiring
loca
al access to the
e computer.
Typical out of ban

nd management tasks includ
de:
Powering on one or more computers

c
Powering off unresponsive computers
Dessign Consid
derations
Whe
en planning fo
or the out of band
b service po
oint, consider tthe following:
Client systems must have th

he Intel vPro chipset and a ssupported verssion of the Inte
el Active
Managementt Technology (Intel
( AMT).
You are requiired to use the

e following cerrtificates for ou
ut of band management:
An AMT provisioning certificate

c on the out of band
d service pointt. This allows ccomputers to b
be
configure
ed for out of band
b managem ment.
A web seervicer certifica

ate on the enro
ollment point. This provides secured comm
munication witth the
and service point during the provisioning p
out of ba process.
Client certificates, when entication is u sed.

n 802.1X authe
d and is auditable by using aan audit log on

Outt of band activvity is recorded n the AMT-bassed computerss.
Reporting
R Services
S Po
oint
Thhe reporting services point is a site system

m that is installeed on a serverr running Micro
osoft SQL Servver
Reeporting Services. SQL Serve er Reporting Seervices (SSRS) provides advaanced reporting capabilities, and
ricch authoring tools
t for buildiing reports.
Re
eports can be run from the Configuration
C Manager conssole, or directlly from the repporting service
es point
website
w and savved in a varietyy of formats. In
n addition to m
manually runn ing reports, thhe reporting seervices
po
oint supports report subscrip ptions. A report subscriptionn in Reporting Services is a re
ecurring requeest to
eliver a report at a specific time or in respo
de onse to an eveent, and in an application file format that you
sp
pecify in the su
ubscription.
Th
he reporting point
p functiona
ality in Configu
uration Managger 2007 that w
was based on Active Server Pages
(A
ASP) reports is no longer avaailable in Confiiguration Man
nager 2012.
Design
D Considerations
When
W planning for the reportting services point(s), consid er the followin
ng:
The reporting services pooint must be in
nstalled on a co
omputer runn
ning SQL Serve
er Reporting Se
ervices
that is the same
s version as
a the site data
abase.
The SQL Se
erver Reporting
g Services are configured au tomatically byy Configuration Manager.
ng Services insttance can onlyy support one site.

Each SQL Server Reportin
You can insstall multiple re

eporting servicces points in yyour hierarchy..
ng services point is installed in a primary ssite, the reportts show the data collected from that
If a reportin
site. Howevver, reports run
n in the centra al administratio
on site show d data collected ffrom the entire
hierarchy.
Sofftware Update Pointt
Softtware updates in System Cen nter 2012 Conffiguration Man nager provide a set of tools and resourcess that
can help you man nage the comp plex task of tracking and app plying softwaree updates to cclient compute ers in
your organization n. Software upddates synchron nize Configuraation Managerr with the softw ware updates
mettadata from Microsoft Updatte. The software updates meetadata is first synchronized with the WSU US
dataabase, and the en the data is synchronized
s with
w the Config guration Manaager site datab base. After the
e top-
leve
el site is synchrronized, the so
oftware update es metadata is replicated to all child sites aand stored in tthe
childd sites databa
ase.
The central admin a all primaryy child sites m ust have an acctive software update point for
nistration site and
you to deploy sofftware updatess to all clients. When plannin ng the softwarre update poin nt infrastructurre, you
need to determine which serverr should be the e active softwaare update po oint for the site
e. You also neeed to
decide if the softw
ware update point will be co ollocated with tthe site serverr or installed on a remote server.
Add
ditionally, you need to determine which sittes require an Internet-based d software upd date point. Fin
nally,
you need to decid de if you need an active software update p point at any seecondary sites..
Dessign Consid
derations
Whe
en planning th
he software up
pdate point inffrastructure, co
onsider the folllowing:
The software update point must be installled on a serveer hosting WSU

US 3.0.
You can insta

all one software update point per site.
he software update point at the

By default, th t central adm
ministration site (or at the sttand-alone priimary
site) synchron
nizes with Micrrosoft Update..
By default, th
he software update points insstalled in child
d sites synchro
onize with theirr parent site.
You should scchedule the syynchronization

ns for a time fraame suitable ffor your enviro
onment.
State Migra
ation Point
Thhe state migraation point is used

u to store user state data remotely wheen performing an operating system
deeployment using Configurattion Manager. You must storre the user sta te data remotely on the statte
migration
m pointt when you use de deploymentt; however, wh
e a side-by-sid hen you are ussing the same
co
omputer, such as an update deployment where w you are updating the operating systtem on the
de mputer, you can store the data locally or o n the state mi gration point. For some com
estination com mputer
deeployments, when
w ore, Configurattion Manager automaticallyy creates an
you creatte the state sto
asssociation betw
ween the state e store and thee destination ccomputer.
Th
he state migra
ation point req ernet Informatiion Services (IIIS) is installed.
quires that Inte
Design
D Considerations
When
W planning for the state migration
m poin
nt, consider th e following:
User state size.

s You need to plan for en
nough storagee space to storee the migratio
on data.
User state migration

m tool. You need to create a packaage for the useer state migrattion tool 4.0.
Retention policy.
p You nee
ed to determin ou will retain tthe migration data.
ne how long yo
Drives. You can use one or ng migration d

o more drivess on the site syystem for storin data.
Sysstem Healtth Validato

or Point
The system health h validator point works in co

onjunction with h a Windows SServer 2008 Ne etwork Access
Prottection (NAP) server to monitor the health h of client systeems. The NAP server is used
d to prevent cliients
thatt are not in compliance fromm accessing your network ressources.
Whe en non-compliant clients aree configured for NAP enforccement and reemediation on the Network P Policy
Servver, the System
m Health Valida
ator point mig
ght send instru
uctions to the cclient, depend
ding on the ressults
of the failed healtth check.
Dessign Consid
derations
Whe
en planning fo
or the system health
h validato
or point, consid
der the follow
wing:
You can have

e multiple syste
em health valid
dation points in a site or hieerarchy.
You configure
e the system health
h validato
or through the site componeents settings.
You can configure how ofte en the systems health validaator queries th
he network acccess protection
n
point for health state refere
ences.
Planning
P fo
or Role Pla
acement
Depending on the t site type, you

y can only in nstall certain siite system rolees in a site. In a single primary site
hiierarchy, all roles can be insttalled on the primary
p site serrver. When usiing a multiple primary site
hiierarchy, theree are some limits to where ro oles can be plaaced and the n number of insttances of each role.
Fo
or example:
A central addministration site

s does not have h any assig ned clients. Beecause of this, you cannot in
nstall
any of the roles
r involved in client mana agement, such
h as the manag gement point aand distributioon
point, in a central
c adminiistration site.
If you are plann

ning a complexx hierarchy witth a central ad
dministration s ite and multip
ple primary and
d
se
econdary sites,, consider thatt:
Some roles provide functtionality for their local site o nly.
Some roles provide functtionality for the entire hierarrchy.
When insta
alling software update pointss in a multiple primary site h
hierarchy, instaall the software
e
update point in the centrral administrattion site first.
In a second t distribution point is supp

dary site, only the ported on a reemote system.
The following table shows the site system roles that you can install in the different site types.
Central Child
administration primary Secondary Site-specific or hierarchy-wide
Site system role site site site Functionality
Application Catalog web No Yes No Hierarchy

service point
Application Catalog No Yes No Hierarchy

website point
Asset Intelligence Yes No No Hierarchy, only 1 instance per

synchronization point Hierarchy
Distribution point No Yes Yes Site, multiple instances supported

per site and hierarchy
Endpoint protection point Yes No No Hierarchy
Enrollment point No Yes No Site
Enrollment proxy point No Yes No Site
Fallback status point No Yes No Hierarchy
Management point No Yes Yes Site, multiple instances supported

Out of band service point No Yes No Site
Reporting services point Yes Yes Yes, Hierarchy, multiple instances

supported per site and hierarchy
Software update point Yes Yes Yes Site, one per site, multiple in
hierarchy
State migration point No Yes Yes Site, multiple instances supported

System Health Validator Yes Yes Yes Hierarchy, multiple instances

point supported per site and hierarchy
Lesson
n4
Overv
view of Configuration
n Manag
ger 2012 Deplo
oymentt
Scena
arios
One
O of the first questions you
u may ask yourrself when you
u design a Con nfiguration Maanager 2012
im
mplementation ou should use a single primaary site or use multiple sites in a hierarchy..
n is whether yo
Too help you learn how to answ wer this question, in this lessson you will exxamine differe
ent implementtation
sccenarios and compare the ad dvantages and d disadvantagees of each. You u also need to have a set of design
crriteria with which you can ch
hoose the mosst appropriate implementatio on model for yyour organizattion.

ng this lesson, you
e deployment scenario most appropriate tto your organizzation.
Identify the
Determine when to use a single primarry site.
Determine when to use a central admin

nistration site aand multiple p
primary sites.
Identify the
e need to use secondary
s sites or a distributtion point insttead of a site in
n a remote loccation.
Describe a typical implem

mentation scen
nario of Config
guration Manaager 2012 for a small-to-med
dium
organizatio
on.
Describe a typical implem
mentation scen guration Manaager 2012 for a medium-to-llarge
nario of Config
organizatio
on.
Describe a more complexx implementattion scenario o

of Configuratio 012 for a global
on Manager 20
organizatio
on.
Inttroduction
n to Deploy
yment Sce
enarios
Use the following process to he

elp determine the
t site design
n for your Configuration Manager 2012
imp
plementation.
Identify your network infrasstructure for Configuration

C M
Manager 2012 2, including thee number of
locations, sub
bnets, network
k connections between
b ocations and liink speeds. Based on this
the lo
information you
y will determmine the placement of site syystem roles.
Identify your business requirements for Configuration

C M
Manager 2012 2. Typical need
ds may includee
collecting invventory and geenerating repo
orts, deploying
g applications, software updaates and operaating
systems, and remote manag gement. You should
s discuss these requirements with the e stakeholderss to
identify which h Configuratio
on Manager 20012 features wwill be implemeented. Depend ding on these
requirementss, you can decide which addiitional site systtem roles are n
needed and thheir placementt.
Determine yo our migration requirements from

f Configurration Manageer 2007 to Con nfiguration Maanager
2012. If your organization has
h an existing g implementattion of Configu uration Manag ger 2007, you mmust
migrate existiing sites and clients
c to Confiiguration Man nager 2012. Thhis may include e restructuring
g the
site hierarchyy, migrating clients, migrating objects like collection defiinitions, softwaare packages aand
operating sysstem images.
Determine the number of clients
c that nee
ed to be manaaged and theirr locations. Thee number of clients
to manage is the most important criteria when decidin g to use a sing gle primary sitte or multiple ssites
in a hierarchyy. In addition, the
t number off clients influen
nces your desiign when decid ding the site roles
to be used annd their placem ment.
Determine the characteristics of your organization, for example, consider the following:
How is your AD DS forest structured? All sites in the hierarchy must be in the same forest or have
forest trusts in place.
How many physical locations do you have?
How are the network connections that connect your organization together? The physical
characteristics of your organization need to be considered when planning your site boundaries.
Where is your IT staff located? Is there anyone in a particular location who could manage that
location?
How many clients work remotely?
De
etermining
g When to Use a Prim
mary Site
Youu need to install at least one Configurationn Manager primmary site to bee able to manaage any clientss.
Prim
mary sites provvide core functtionality to you
ur Configuratio
on Manager im mplementation.
The following are some of the reasons

r for insttalling a primaary site:
To directly manage clients. Only a primarry site can havve clients assigned to it.
To scale-up the number of clients to man nage. Each prim

mary site can ssupport up to 50,000 clientss if
SQL Server is collocated witth Configuratio
on Manager oor 100,000 clie nts when SQL Server and
Configurationn Manager aree on separate servers.
s
To reduce the ure of a single primary site. TThis prevents aall clients from
e effect of failu m being affecte
ed
while the site is recovered.
To provide a local point of connectivity fo
or administrattion. The Confiiguration Manager 2012 con
nsole
can connect only
o to a primary site or central administraation site.
To manage co ontent indepeendently and meet

m organizattional manageement requirem ments. For exaample,
the organizattion may have a specific requ
uirement that clients from a given location n are managed d by a
different teamm of administrators. To meett this requirem
ment, you can iinstall anotherr primary site aand
offer a local point
p of conne
ectivity.
The following are some of the characteristics
c of a primary ssite:
A primary site
e can be either a stand-alone primary site or a member of a hierarchyy.
A primary site ministration sitte as a parent site. Primary ssites cannot haave
e only supportts a central adm
another primary site as a pa
arent, as it use
ed to be in Con
nfiguration Maanager 2007 aand previous
versions.
A primary site
e only supportts secondary siites as child sittes.
A primary site cannot change its parent site relationship after installation. If you decide to move from
a single primary site scenario to a hierarchy, you must first decommission the primary site and then
reinstall it as a new site.
The client-originated data processing is performed only at the primary site to which the clients are
assigned. If the primary site is the child of a central administration site, the data will then be
replicated to the central administration site.
When a primary site is installed in a hierarchy, database replication is automatically configured with
its designated central administration site.
All site system roles can be installed in a stand-alone primary site, but not on all primary sites that are
part of a hierarchy.
De
etermining
g When to Use a Cen
ntral Admiinistration Site
A ce
entral administtration site is required
r if you
u need to instaall multiple primary sites and d perform
consolidated man nagement and reporting of data d from all s ites. You can u
use a central administration site
to configure
c hiera
archy-wide settings and to monitor
m all sitees and objects in the hierarch
hy. This site typ
pe
doees not manage clients directly but it can be e used to perfo orm hierarchy-wide manage ement, which
includes the confiiguration of sittes and clients settings throu ughout the hieerarchy.
Pla
anning a Cen
ntral Admin
nistration Siite
Use the following information to help you pla
an for a centraal administratio
on site:
The central addministration site is the top--level site in a hierarchy. Wh or a hierarchy that
hen you plan fo
has more than one primaryy site, you musst install a centtral administraation site and it must be the first
site that you install for the hierarchy.
When using a central administration site with SQL Servver Enterprise eedition, the hie
erarchy can co
ontain
up to 400,000
0 clients.
When you use SQL Server Standard
S editio
on for the site database at th ministration site, the
he central adm
shared database and hierarrchy supports up u to 50,000 cclients. This is d
due to the parrtitioning of th
he
database. After you install Configuration
C Manager, if yo ou upgrade th he edition of SQ
QL Server at th he
central adminnistration site from
f Standardd to Enterprise,, the databasee does not repaartition and thhis
limitation rem
mains.
The central administration site:
Supports up to 25 primary sites as child sites.
Does not support secondary sites as child sites.
Cannot have clients assigned to it.
Does not support all site system roles.
Is the only place where you can see site data from all sites. This data includes information such as
inventory data and status messages.
Enables you to connect with the Configuration Manager 2012 console to manage all clients in
the hierarchy and perform site management tasks for any primary site.
Enables you to configure discovery method options for each site in the hierarchy.
De
etermining
g When to Use a Secondary Sitte
Use secondary site

es to manage multiple clientts in remote loocations. You ccan manage a secondary site
e
from
m a central adm
ministration site or from the
e secondary sittes parent prim
mary site.
Con
nsider using a secondary
s site
e:
ation does not have a local administrator.

Then the loca a
To manage th
he transfer of deployment
d co
ontent across low-bandwidtth networks.
To manage th
he transfer of upward-flowin
u ng client data aacross low-ba ndwidth networks.
The following are some of the characteristics
c of secondary ssites:
Secondary sittes:
Are installed from a priimary site. The

e primary site iis the secondaary sites parentt and you cann
not
change the parent of a secondary sitte without unin nstalling and rre-installing th
he site.
Use SQL Server Expresss by default; ho

owever, they ccan use a locall instance of SQ
QL Server if on
ne is
available.
Use file-b
based replication to receive deployment c ontent transfeerred from a primary site.
Use database replicatio obal data from the parent primary site.
on to receive a subset of glo
Use file-b
based replication to transfer client informaation to its parrent primary siite.
Can route content betwween peer secondary sites to

o help managee the replicatio
on of deploym
ment
content if the two seco
ondary sites ha
ave the same p
parent site.
Installation au
utomatically deploys a mana
agement pointt and distributtion point thatt are located o
on the
secondary site server.
A primary site
e can support up to 250 seco
ondary sites ass child sites.
A secondary site
s can suppo 0 clients in the site.
ort up to 5,000
Im
mplementting Config
guration Manager
M 2012 for a SSmall-to-M
Medium
Organizatio
O on
Th
he single primary site implem
mentation scenario is most aappropriate fo
or organization
ns that:
Have a centralized adminnistration apprroach. All systeems are admin

nistered from a single locatio
on by a
single team
m of administra
ators.
Have less th
han 100,000 cllients.
Note A single
s Configu
uration Manager 2012 primaary site can acccommodate up p to 50,000
clients, or up to 100,0000 clients if the SQL
S Server and
d Configuratio
on Manager se
erver are not
collocated d. To reach thiss capacity, add
ditional managgement points or secondary sites must be
installed.
Primary
P Site Roles
A primary site usually
u has the following site
e system roles d deployed. Theese can be insttalled on a sing
gle
se
erver or distrib
buted across multiple
m serverss for scalabilityy. Mandatory rroles include:
Site server. The site server is the first server installed aand, in this sceenario, is the o
only server insttalled
using the Configuration
C Manager
M Setupp Wizard.
Site databa
ase. A site database is installe
ed on the samee server as thee site server orr is installed on
na
separate se
erver to increasse the site scalability.
Manageme ent point. The management point serves a s a point of co ommunication between the
Configuratiion Manager 2012
2 nd the site servver. Primary sittes must have at least one
clients an
manageme ent point deplo
oyed to manag ge clients.
Distribution
n point. Distrib
bution points distribute
d conttent needed fo
or deploymentts.
Other roles may be deployed depending on the features needed. Typical roles may include:
Reporting Services point. This role, based on SQL Server 2008 Reporting Services, provides you with
the ability to generate reports and export them in various formats.
Software update point. This role provides you with the ability to synchronize the software update
metadata from Microsoft Update and make it available to the Configuration Manager.
Fallback status point. This role allows clients to send state messages to the site server; for example, if
they cannot connect to a management point.
Other roles commonly installed in a single primary site may include the following:
Application Catalog
Asset Intelligence synchronization point
Endpoint Protection point
Question: What other roles do you typically use in your organization?

Im
mplementting Config
guration Manager
M 2012 for a Medium-tto-Large
Organizatio
O on
In
n larger organizations with multiple
m remote locations an d a large num
mber of users sp
pread through
hout the
orrganization yo
ou may need to o scale put the
e Configuratio n Manager deeployment withhout necessariily
ad
dding additionnal primary site
es.
If you have fewer than 10

00,000 clients but more thann 50,000 clientts, your SQL Daatabase must be
located on a dedicated se
erver other thaan the Configu
uration Manag ger server.
As the clien
nt count growss, you must facctor in that eacch managemeent point can ssupport
approximattely 25,000 clie
ents. You can use
u multiple m management ppoints in a sing
gle site for scalability.
If you needd to manage th he bandwidth between the p primary site location and rem
mote location you can
install secondary sites or remote distrib
bution points.
Secondary Siite
A secondary site
e includes by default
d a mana
agement pointt and distributtion point, and
d can be used to:
Offload the
e client commuunication from
m the primary ssite when clien mote location and
nts are in a rem
network coonnections are slow.
Provide tierred content ro
outing for deep
p network top ologies.
Distribution Point
You can choose to install only a distribution point instead of a secondary site when:
You have a small number of clients in the remote location.
You do not have a server available in the remote location. A computer running 64-bit version of
Windows Server is required to run the secondary site, while a distribution point can be also installed
on 32-bit servers and workstations that can support the IIS role.
You do not need to control the upward client data from the remote location to the primary site.
Question: What is the minimum number of remote clients for which you would install a
secondary site?
Im
mplementting Config
guration Manager
M 2012 for a G
Global Org
ganization
n
Global organizaations have a la

arge number ofo clients distriibuted across multiple locations worldwide with
multiple
m administration teamss and differentt administrativve requiremen ts. To accomm modate these ttypes of
sccenarios, Confiiguration Manager 2012 can n be implemen nted using mu ltiple sites in a hierarchy.
Multiple
M Site
es in a Hiera
archy
Multiple
M sites in plex model to iimplement and requires add
n a hierarchy iss a more comp ditional serverss to
ho efore deciding to use multip le sites in a hieerarchy, you need to analyze
ost the site sysstems roles. Be e your
en
nvironment an nd determine if a single prim
mary site can m
meet your requ uirements.
ou should use this implemen

Yo ntation scenario if:
You have a larger numbe er of clients tha

an can be man naged using a single primaryy site. A single
e
primary site
e can support up to 100,000 0 clients while a hierarchy can accommodaate up to 400,0 000
clients.
You have multiple

m admin
nistrative teams that need to
o manage theirr own locations.
You have a large numberr of remote loccations.
You have export regulatio

ons on conten
nt.
Note Yo ou cannot switcch easily between the singlee primary site aand multiple sites in a
hierarchy model. If you implement a single
s primary site and then later decide too use a
multiple siite model, you
u must reinstall the primary ssite and then m
migrate all the
e clients. The
same is tru
ue if you start with a comple
ex hierarchy annd later decidee to use a single primary
site.
Question: What
W type of organizations
o would use thee multiple sitess in a hierarchyy model?
Disscussion: Determinin
D ng When to
t Use a Siingle Prim
mary Site orr a Comple
ex
Hieerarchy
Use these discussiion questions to

t help you th hink about the decisions youu need to make e when planning a
Connfiguration Ma
anager 2012 in nstallation, including when to
o use a single primary site or a complex
hierrarchy.
Disscussion Questions
1. How will the existing netwo
ork infrastructu
ure influence yyour Configuraation Managerr 2012 design??
2. What are you

ur business req
quirements for using Configu
uration Manag
ger?
3. What is the number of clien

nts you need to
t manage?
4. How many lo
ocations do you
u need to supp
port?
5. ents to locally manage the c lients?

Do you have the requireme
6. Are there resttrictions in place that contro

ol how client in
nformation is ttransferred acrross borders?
Lesson
n5
Overv
view of the Configuration Maanager 2012 C
Client
To
o perform the management tasks on the client
c computeers, the Config guration Manager 2012 clien nt
ap
pplication is in
nstalled on clie
ent computers.. The term clien
nt is often useed to refer to e
either of the fo
ollowing:
The compu
uter managed by Configuration Manager
The Configuration Manag

ger 2012 client software
Understanding Configuration
n Manager 201
12 client archittecture and preerequisites helps you design
n your
M 2012 implementation.

ng this lesson, you
Describe th
he Configuratio
on Manager 20
012 client funcctionality.
Describe th
he Configuratio
on Manager 20
012 client arch
hitecture.
Role of the Configurat

C tion Manager 2012 C
Client
The Configurationn Manager 201 12 client has multiple

m featur es, correspondding to the Coonfiguration
Man nager 2012 funnctionalities th
hat are implemmented by usinng client comp ponents. For exxample, the
harddware inventory agent colleccts hardware data
d according g to a scheduleed interval andd then sends d data
to the site database through the e managemen nt point. The a dministrator eenables or disaables each clien
nt
com
mponent individually by using client setting gs.
The Configuration
n Manager clie
ent:
Connects to the
t managemeent point acco
ording to a sch
heduled intervaal (the default is 60 minutes)), and
on demand, and
a then down
nloads and proocesses any poolicies applicab
ble to the clien
nt.
Performs harddware and sofftware inventory according tto a scheduledd interval and oon demand, an
nd
then sends th ata through the managemen
he collected da nt point to thee site server.
Downloads th
he content of the
t packages from
f the distriibution point, and then instaalls software an
nd
updates.
es assigned by the administraator to that co
Executes the task sequence omputer by using the Operating
System Deplooyment featuree.
Collects confiiguration data specified in co

onfiguration bbaselines and ssends the results to the site sserver,
through the management
m point.
p If the co
omputer is nott compliant, th
he client can allso execute
remediation actions
a to mak ontent is not reequired to bring the client into
ke it compliantt, as long as co
compliance.
Allows admin
nistrators to co
onnect to remo
ote computerss using remotee tools or Remo
ote Assistance
e to
provide support to end useers.
Performs health validation to be used in conjunction w

with NAP.
Installs the enndpoint protecction when end
dpoint protecttion is enabled
d and an endp
point protectio
on role
is installed in the hierarchy..
Configurat
C ion Manag
ger 2012 Client
C Arch
hitecture
Thhe Configuratiion Manager 2012 2 client con

nsists of many components tthat together provide all the e
fu
unctionality in Configuration n Manager. Although the clieent installs mo ost of the compponents during the
in
nitial installatio
on, all the insta
alled compone ents are not en
nabled by defaault; only the e
endpoint proteection
client is not insttalled by defau ult. When plan nning your Connfiguration Maanager deployyment you must
co
onsider the fun nctionality that you need and configure th he client settin
ngs to meet yoour needs.
Th
he Configuratiion Manager client
c uses som
me built-in win dows componnents in additio
on to some ad
dditional
ru
un-time compo onents. In add dition to the sp
pecific Configu
uration Manager componentts, the Configu
uration
Manager
M client will also use th
he componentts in the followwing table.
Windows
W com
mponent or
run-time mod
dule Use
Windows Management WMI is the

t infrastruct ure for manag
gement data and operationss on
Instrumentatiion (WMI) Windowws-based operaating systems.
Windows Insttaller Supportts the use of W

Windows Installer (.msi) and WWindows Instaaller
update files
f (.msp) forr installing and
d updating app
plications.
Windows Upd
date Agent Supportts Update deteection and dep
ployment.
Microsoft Corre XML Service

es Supportts the processi ng of XML doccuments in Wiindows.
(MSXML)
Microsoft Rem
mote Differenttial Used to optimize dataa transmission over the netw
work.
Compression (RDC)
(continued)
Windows component or
run-time module Use
Microsoft Visual C++ 2008 Supports client operations.

Redistributable
Microsoft Visual C++ 2005 Supports Microsoft SQL Server Compact operations.
Redistributable
Windows Imaging APIs Allows Configuration Manager to manage Windows image (.wim)
files.
Microsoft Policy Platform Allows clients to evaluate compliance settings.
Microsoft Silverlight Supports the Application Catalog website.
Microsoft .NET Framework 4 Supports client operations.
Microsoft SQL Server Compact Stores information related to client operations.

3.5 SP2 components
Microsoft Background Allows throttled data transfers between the client computer and the
Intelligent Transfer Service Configuration Manager site systems.
(BITS) version 2.5
The client components and their status can be viewed on the Components tab in the Configuration
Manager client. The components that are installed when the client is installed are in the following table.
Component Overview
Base Configuration Manager Several different components that are used for core functionality
Components and only show a status of installed or not installed:
CCM Framework, CCM Policy Agent, CCM Status and Eventing
Agent, Core Components, Maintenance Task Coordinator,
Operating System Deployment Components, Shared Components
and Task Sequence Components.
Compliance and Settings

Allows you to specify how client computers retrieve policy.
Management
Hardware Inventory Agent Uses WMI to collect inventory information as configured in the
client settings.
Out of Band Management

Allows Out of Band management for AMT based computers.
Agent
Power Management Agent Applies power management settings configured for collections in
Remote Tools Agent Manages the remote control and remote assistance settings for the
client computers.
(continued)
Component Overview
Software Distribution Agent Manages the deployment of packages and applications to client
devices.
Software Inventory Agent Performs the software inventory as configured in the client settings.
Software Metering Agent Tracks software usage on the client computer.
Software Updates Agent Interacts with the software update point to install appropriate
software updates to the client computer.
Source List Update Agent Responsible for contacting a management point and retrieving the
location for downloading deployed content.
Module Revie
ew and
d Takeaw
ways
Rev
view Questiions
1. What are the major feature
es of Configura
ation Managerr 2012?
2. What are the three types off sites in Configuration Man ager 2012?
3. What are the new site roless introduced in

n Configuratio n Manager 20
012?
2-1
Module 2
Planning and Deploying a Stand-Alone Primary Site
Contents:
Lesson 1: Planning a System Center 2012 Configuration Manager
Stand-Alone Primary Site Deployment 2-3
Lesson 2: Preparing to Deploy a Configuration Manager 2012 Primary Site 2-10
Lesson 3: Installing a Configuration Manager 2012 Site Server 2-28
Lab A: Installing a Configuration Manager 2012 Primary Site 2-36
Lesson 4: Performing Post-Setup Configuration Tasks 2-42

Lesson 5: Tools for Monitoring and Troubleshooting a Configuration
Manager 2012 Installation 2-52
Lab B: Performing Post-Setup Configuration Tasks 2-57
Lesson 6: Managing Internet-Based Clients 2-61
Lab C: Configuring PKI for Configuration Manager 2-69

2-2 Planning annd Deploying a Standd-Alone Environmentt
Module Overrview
nning a Microssoft System Center

Plan C 2012 Co
onfiguration M
Manager site deployment is a complex pro
ocess
thatt requires num
merous inputs such
s as:
Network topo
ology
Number of managed
m clientts
Desired featu
ures
Capacity requ
uirements
Scallability improvvements in Con

nfiguration Ma
anager 2012 eenable a stand--alone primaryy site to
acco
ommodate inffrastructures with
w up to 100,0 000 clients.
In th
his module, yo
ou will review the
t planning process,
p planning activities for deployying a
inputss, and typical p
stan
nd-alone prima ary site. You will
w also review prerequisites for installing a site server annd related
commponents, perfform and valid date the installa nd-alone primaary site, and perform the inittial
ation of a stan
site configuration. Finally, you will
w review the requirements for managing g Internet-base
ed clients.
Afte y will be able to:

er completing this module, you
Describe the planning taskss for a Configu

uration Manag
ger 2012 primaary site deployyment.
Identify the preparation

p ste
eps for deployiing Configurattion Manager 2012.
Install a Configuration Man

nager 2012 primary site.
Perform post-setup configu
uration tasks.
Describe the tools used to monitor

m and troubleshoot a Configuration
n Manager 201
12 installation.
Describe proccesses used to manage Interrnet-based clieents.

Lesson
n1
Plann
ning a System Center
C 2012
2 Co
onfigurration M
Manager
Stand
d-Alonee Primarry Site Deploym
D ment
Th
he design of a System Cente er 2012 Config guration Mana ger stand-alon ne primary site
e deployment can
va
ary from a stannd-alone serveer with all requ
uired site roless to more complex deployme ents with site rroles
diistributed on multiple
m serverrs.
In ou will review the tasks typiccally involved in the planning process to d

n this lesson, yo deploy a stand-alone
primary site, inccluding determmining the site system roles tthat you need to deploy, thee number of seervers
neecessary for deeployment, and the deploym ment prerequissites.
Additionally, yo
ou will review Configuration
C Manager Setuup options, exaamine site cod
de and naming
g
co
onventions, annd examine the e requirements for configuri ng client com munication modes.

ng this lesson, you
he planning tassks for a Configuration Manaager 2012 prim
Describe th mary site deployment.
Describe planning a Conffiguration Man

nager 2012 staand-alone prim
mary site deplo
oyment.
Describe sitte naming con

nventions.
Describe th
he client comm
munication modes.
Discuss planning a Config

guration Mana
ager 2012 stan
nd-alone primaary site deployyment.
Ov
verview of Planning Tasks for a Configurration Man
nager 2012 Primary Site
De
eploymentt
Typical planning tasks

t for a Systtem Center 20
012 Configurattion Manager installation incclude:
Documenting
g your network
k and computiing environmeent. You should
d identify:
Network locations and associated subnets.
Network connections and

a their speed
ds.
Number of clients that need to be managed
m in eacch location.
Identifying bu
usiness requireements. You ca an choose the features to usse in your enviironment and
identify administrative, user, and securityy requirementss.
Designing site
e architecture.. First, determine whether a stand-alone p
primary site sattisfies your
requirementss. If not, you must
m deploy a more
m complex hierarchy and
d then determiine the site rolles
and their con k factor to consider when determining tthe number off sites to config
nfiguration. A key gure
is the number of clients youu need to man nage.
Performing ca nd determine sserver hardwarre

apacity planning. You can esstimate the daatabase size an
configuration
n.
By following
f this planning
p proce
ess, you can determine the ssite configurattion, the site syystem roles thaat
need to be implem mented, and the server hard
dware configurration.
Question: What is the most important crriteria for dete rmining the n umber of sitess to
implement?
Planning
P a Configura
ation Mana
ager 2012 Stand-Alo
one Primaary Site
Deploymen
D nt
Site System Roles

R
While
W a primaryy site can be deployed on a single
s move roles or install new role
server, yyou can also m es onto
diifferent serverss. When deplooying a stand-a
alone primary site, the follow em roles are insstalled
wing site syste
byy default:
Site server. This is the ma

ain system role
e for Configuraation Managerr.
Site System
m. This includess any server that hosts one o
or more Config
guration Manaager roles.
Site databa oft SQL Databaase server for Configuration Manager.

ase server. Thiss is the Microso
Component server. This is any server ru MS_EXECUTIVE service.
unning the SM
SMS Provid ween the Confiiguration Man

der. This is the interface betw nager console and the site daatabase.
Manageme
ent point. This is the main po unication for cllients.
oint of commu
Distribution
n point. This sttores software for deploymeent to clients.
Additional roless are installed as needed; however, before deploying clieents, you shou uld install the FFallback
sttatus point to help
h monitor client
c deploymment issues. Yoou should also install the Rep
porting service es point
so
o that you can review reportts about the sitte and client in
nstallation pro
ogress.
Th
he number of clients that yo ou can manage d-alone prima ry site depend
e using a stand ds on the follow
wing
sitte configuratio
on and role pla
acement:
erver and site database roless are co-locateed on the sam e server, you ccan manage up to
If the site se
50,000 Con nfiguration Manager clients.
erver and site database roless are installed on different seervers, you can
If the site se n manage up tto
100,000 Co onfiguration Manager
M clientss.
2-6 Planning and Deploying a Stand-Alone Environment
Multiple Physical Locations

A stand-alone primary site can span multiple physical locations while managing clients across your entire
infrastructure. To get the maximum benefit from your Configuration Manager deployment while still
using a stand-alone primary site, you can perform the following implementation tasks:
Install distribution points in locations that have a larger number of clients to reduce wide area
network (WAN) traffic and increase the efficiency for features like software distribution, software
update management, or operating system deployment.
Use role-based administration and security scopes to implement your desired security model rather
than deploying multiple primary sites to define administrative roles and permissions.
Place site system roles on separate servers for additional scalability in the number of managed clients.
Configure multiple management points to improve scalability.
Question: What roles are required to manage clients?

Site Namin
ng Conventtions
Yo
ou use site coddes and site na
ames to identify sites in a Syystem Center 2
2012 Configuraation Manager
hiierarchy. Both the site code and site name
e are configureed at the time of installation and cannot b
be
ch
hanged after innstallation.
Evven if you are installing a sta

and-alone primmary site, you sshould always choose the sitte code and site name
ca
arefully to avoid future confllicts such as in migration sceenarios.
Consider the following namin

ng convention guidelines.
A site code:
Must be a three-letter
t alp
phanumeric co
ode comprising
g letters A thro bers 0 through 9, or
ough Z, numb
combinatio
ons of the two..
Must be un
nique in a Conffiguration Man
nager hierarch
hy.
e Microsoft Windows-reservved names succh as AUX, CON, NUL, PRN, or SMS.

Cannot use
A site name:
Is a friendlyy name identifier for the site.
Uses the sta

andard alphan
numeric characcters A throug h Z and a thro
ough z, numbe
ers 0 through 9
9,
spaces, and
d the hyphen (-).
Siite codes are used
u for client assignment. Iff the schema iss extended, the site servers ccan publish site codes
in
n AD DS. This enables
e clients to determine the site assignnment and loccate the manag gement point.
If you perform a migration froom Configurattion Manager 2007 to Confi guration Manaager 2012, you u
ca use they must be unique in b
annot reuse sitte codes becau both the sourcce and destinaation hierarchie
es. For
more
m details, please review th
he migration to
opics in Modu le 8: Migrating
g from System
m Center
M 2007 to System Cennter 2012 Con
nfiguration Maanager.
Client Comm
munication
n Modes
In System Center Configuration Manager 200 07, a site can b

be configured tto work in eithher mixed mod de
or native
n mode. In n mixed mode e, all site system
ms use HTTP fo or client commmunication, an nd mutual
authhentication is performed
p using Kerberos in n the Active D irectory foresst. In native moode, all site systems
use HTTPS and Pu ublic Key Infrasstructure (PKI)-issued certificcates to perforrm the mutuall authenticatio on.
One e of the most important changes in Config guration Manaager 2012 is th hat communicaation for
site system roles are
a configured d independently of the site. SSite system rolles that use IISS, such as
man nagement poin nt or distributiion point, can be configuredd to use either HTTP or HTTP PS individuallyy. Site
system roles that are configured d for HTTP can n be used onlyy with client coomputers that are located on n the
intra
anet. To suppoort clients on the
t Internet, th he site system roles exposed to the Interne et are requiredd to
use HTTPS. To use e HTTPS, a servver requires ann X.509 server certificate issu
ued by a PKI th hat is trusted b
by
both the servers and
a the clients.
Whe en the Configu uration Manag ger client is insstalled on a cli ent computer,, a self-signed certificate is
crea o communicate using HTTPss, they must haave an X.509 client certificate
ated. For clientt computers to e
issued by a PKI truusted by both the client and d servers. This ccertificate is ussed to authentticate the
Connfiguration Ma anager client with
w the site system role. By d default, Config guration Manaager clients
commmunicate usin ng the most seecure protocoll available. If th hey are config gured with a X..509 certificate
e
and can find a sitee system role using
u HTTPS, they
t connect wwith that site syystem using HHTTPS; if not, th
hey
connect with HTT TP.
Question: Do
o you need to implement a PKI
P to use HTTTPS for client ccommunications?
Discussion:
D Planning a Configu
uration Maanager 201
12 Stand-A
Alone Prim
mary
Site Deploy
yment
Yo
ou can use the
e following questions as a gu
uideline to dettermine the co
onfiguration off your System Center
012 Configuration Manager deployment.
20
Question: How can you use one primary siite to manage clients in multiple network
u a stand-alo
locations?
Question: How can you implement
i diffferent adminisstrative requireements for mu
ultiple
administrattive teams in a stand-alone primary
p site?
Question: What
W site syste
em roles would
d you deploy in a stand-alo ne primary site
e?
Question: What
W methodss can you use to deploy a st and-alone prim
mary site?
2-10 Planning and Deploying a Stannd-Alone Environmeent
Lesson 2
Preparring to Deploy a Configuratio
on Man
nager 20
012
Primarry Site
Wheen preparing for

f a Configuraation Manager primary site d deployment, aan important sstep is to deterrmine
the site systems hardware
h and software requirements. You can use Prereequisite Checke er to determin
ne
wheether a server meets
m the prerrequisites for hosting
h site sysstem roles seleected during SSetup.
As part
p of your prreparation, you u can also exte
end the Activee Directory schema to enable e the site serve
er to
pubblish informatio D Clients can use this inform
on in the AD DS. mation to deteermine their assigned site annd
loca
ate the management point.

Afte ou will be able to:
Explain the purpose of exte

ending the Acttive Directory sschema.
Describe exte
ending the Acttive Directory schema.
s
Describe site server and site quirements forr a Configurati on Manager p
e database req primary site
deployment.
Describe the site system roles requiremen

nts for a Confi guration Manaager primary ssite deployment.
Identify, insta ure the prerequisites for site system deplo yment.
all, and configu
unctionality of Prerequisite Checker.

Explain the fu C
Describe the installation an

nd configuratio
on of operating
g system prereequisites.
Extending the
t Active
e Directory
y Schema
Syystem Center 2012

2 Configurration Manage er uses the sam
me schema ext ensions as Sysstem Center
M ded the schem a for System C
2007. If you extend Center Configu
uration Managger
20007, you do no
ot need to extend the schem ma again. Wheen installing subsequent verssions or Servicee Packs,
yo
ou need to reaad the release notes associatted with that vversion to deteermine whetheer you need to
o extend
th
he schema an additional
a time for changes in the associatted update.
Exxtending the Active

A Directorry schema is op ptional unless implementing g network acce ess protection (NAP);
hoowever, extendding the Active Directory sch hema helps eaase the manag gement of the Configuration
Manager
M site. When
W the Activve Directory scchema is exten es information to the
nded, the site sserver publishe
Active Directoryy Domain Servvices (AD DS) to help with:
Client comp puter installatiion and site asssignment. Durring Configuraation Managerr client installaation,
the client seearches AD DS S to find a man nagement poi nt to downloaad the client so
oftware from aand a
site for site assignment.
Port configuration for clie

ent-to-server communicatio
c on. During installation, the cllient obtains th
he IIS
port inform
mation for the client-to-serve
c er communicattions from AD D DS. If you chaange the clientt-to-
server port information after clients are
e installed, thee clients can ob
btain the updaated port inforrmation
from AD DS S.
NAP. Configuration Mana ager publishess health state rreferences to A

AD DS so that the System He
ealth
Validator point can valida
ate a clients sttatement of heealth.
Yo
ou can extend the schema by
b running the following pro
ogram:
<installatio
on source>\sm
mssetup\bin\x
x64\extadsch.
.exe
Optionally, you can extend the schema by using the LDIFDE utility to import the installation source
\smssetup\bin\x64\ConfigMgr_ad_schema.ldf file. You need to edit the .ldf file to include the forest
name before you can use it.
For example, the following command line imports the schema extensions into AD DS, turns on verbose
logging, and creates a log file during the import process:
ldifde i f ConfigMgr_ad_schema.ldf v j <location to store log file>
The System Management Container

Configuration Manager publishes its information into the AD DS Root\System\System Management
container in AD DS. This container is not automatically created when the Active Directory schema is
extended. The container must be created in each domain that includes a Configuration Manager central
administration site, a primary site server or secondary site server that publishes site information to AD DS.
You can manually create the System Management container using the ADSIEdit.msc utility. When
manually creating the System Management container, you have to assign the Configuration Manager site
server full control permissions for the System Management container and all descendant objects.
Optionally, you can grant the Configuration Manager site server full control permissions to the System
container in AD DS, and the System Management container is created automatically when the
Configuration Manager site server first publishes information to AD DS.
If you have additional AD DS forests that contain clients, and allow your site to publish site data to
additional forests, you also need to extend the Active Directory schema and grant the site server rights to
publish to the remote forests.
Workarounds
If you decide not to extend the Active Directory schema, you have to use workarounds for the client
installation and maintenance settings that the client receives from AD DS.
Client computer installation and site assignment. The following workarounds can be used:
Use Client Push installation and configure installation properties for the site in the Client Push
Installation Properties window.
Manually install clients and provide client installation properties by using CCMSetup installation
command-line options.
Publish the management point in DNS or WINS.
Port configuration for client-to-server communication. The following workarounds can be used:
Reinstall clients and configure them to use the new port information.
Deploy a script to clients to update the port information through an external method such as
Group Policy.
Demonstra
D ation: Exten
nding the Active Dirrectory Schema
In
n this demonsttration, you will see how to extend
e the Acttive Directory sschema, verifyy that the schema was
su
uccessfully exte
ended, create the System Management co ontainer in AD D DS, and confiigure permissions on
th
he System Man nagement container.
Demonstrati
D ion Steps
Use EXTADSCH
H to extend th
he Active Dire
ectory schem
ma
1.. On NYC-DC
C1, start Windo a browse to \\NYC-CFG\E
ows Explorer and E$\ConfigMg
gr2012
\SMSSETUP\BIN\X64. Locate and then run the ExtA
ADSch.exe filee.
2.. Browse to drive

d C, open the
t ExtADSch.log file, and tthen verify thee success of the
e operation byy
observing the
t classes andd attributes added to AD DS and the messsage that confiirms the succeessful
extension of
o the schema.
ment container by using A

Create the Systtem Managem ADSIEDIT
1.. In the Run dialog box, tyype adsiedit.m

msc, and then cclick OK.
2.. e default nam ing context.

In the ADSII Edit console, connect to the
3.. In the ADSII Edit console, expand Defau

ult naming co
ontext, expand
d the DC=CON
NTOSO,DC=C
COM
container, and
a select the CN=System container.
c
4.. Create an object

o under CN=System
C ontainer, and the name Sysstem Management.
wiith the type co
5.. e CN=System Managemen

In the ADSII Edit console, verify that the nt container ap esults
ppears in the re
pane, and then
t close the console.
Assign Full Control permissions for the site server to the System Management container
1. In the Active Directory Users and Computers console, from the View menu enable Advanced
Features.
2. Locate the System Management container and access its Properties.
3. On the Security tab assign Full Control permission to the NYC-CFG computer, and then click
Advanced.
4. In the Advanced Security Settings for System Management dialog box edit the entry for the
NYC-CFG computer so Full Control permission will apply to This object and all descendant
objects, and then click OK.
5. Close all dialog boxes with OK.
6. Close the Active Directory Users and Computers console.
Note After the installation, the Configuration Manager 2012 site server will publish
information in the System Management container to enable clients to determine the
assigned site and locate the management point.
Site Server and Site Database

D Requireme
R ents
Hardware
H Re
equirements
To
o install a stand-alone Configuration Manager 2012 prim mary site in an
n environmentt that has up to
o 100
clients, and thatt supports all of
o the featuress of Configurattion Manager 2012, you neeed to ensure thhat the
minimum
m hardw
ware requirem ments listed in the
t following ttable are met.
Hardware com
mponent Minimum
Processor AMD Opterron, AMD Athllon 64, Intel Xeeon with Intel EM64T suppo
ort, Intel
Pentium IV with EM64T ssupport. Minim
mum: 1.4 GHz
RAM 2 gigabytess (GB) of RAM
Free disk spacce Available: 10

1 GB
Total (including the operaating system): 50 GB
Network adap
pter Site system computers m
must have netw work connectivvity to other
Configuration Manager ssite systems, an
nd they must hhave clients to
o
manage the em.
Th
his hardware configuration
c is only suitable
e for testing en
nvironments. Iff you want to install Configu
uration
Manager
M 2012 in a production environmen nt, the minimu m hardware reequirements are not sufficient.
The recommended hardware requirements for a stand-alone System Center 2012 Configuration Manager
primary site server that has SQL Server installed on the site server computer are listed in the following
table.
Hardware component Recommended
Processor 8 cores (Intel Xeon E5504 or comparable CPU)
RAM 32 GB of RAM
Free disk space 550-GB hard disk space for the operating system, SQL Server, and all
database files
Network adapter Site system computers must have network connectivity to other
Configuration Manager site systems, and they must have clients to
manage them.
When you use an instance of SQL Server that is installed on the same computer as the site server, the
primary site can support up to 50,000 clients. When you use an instance of SQL Server that is installed on
a computer that is remote from the site server, the primary site can support up to 100,000 clients.
Operating System Requirements

In Configuration Manager 2012, all site systems, with the exception of distribution points, require 64-bit
server systems running one of the following operating systems:
Windows Server 2008 (SP2) Standard, Enterprise, or Datacenter
Windows Server 2008 R2 (no SP or SP1) Standard, Enterprise, or Datacenter
Secondary sites and site database servers are not supported on a computer running Windows Server 2008
or Windows Server 2008 R2 that uses a read-only domain controller (RODC).
SQL Server Requirements

The following table lists the server requirements for the different versions of SQL Server that
Configuration Manager 2012 can use.
Central
SQL Server administration Primary Secondary
version Edition site (CAS) site site Notes
SQL Server 2008 Standard, Supported Supported Supported Using Standard Edition at
with SP2 and Enterprise the central administration
Cumulative site limits the total number
Update 9 of clients to 50,000.
with SP3 and Enterprise the central administration
R2 with SP1 and Enterprise the central administration
SQL Server Not Not Not Supported None

Express 2008 R2 applicable supported supported
with SP1 and
Cumulative
Update 6
Site System Roles

R Requ
uirements
Twoo common site e system roles are the manag gement point and the distrib bution point. T These roles can
n be
installed during thhe Configuration Manager Setup.
S Additionnal instances o
of these site syystem roles can
n be
installed in a prim
mary site or seccondary site fo
or scalability.
Ma
anagement Point Requiirements
Each
h primary site management point can sup pport up to 25,,000 computerr clients. For exxample, to sup
pport
100,000 clients yo
ou would need
d at least four management
m points.
Eachh primary site can support up

u to 10 manag gement pointss. If you install additional maanagement po
oints
in a stand-alone primary
p site, no
ote the hardware requiremeents listed in th
he following taable.
Ha
ardware comp
ponent Recommende
ed
Processor 4 cores (Intel Xeon 5140 orr comparable C

CPU)
RA
AM 8 GB of RAM
Frree disk space 50 GB of disk

k space for the operating sysstem and Conffiguration Man
nager
Man
nagement point performancce is influenced
d primarily by memory and processor capacity.
Disstribution Point Requirements

Each
h primary site supports up to
o 250 distributtion points and ution point can support up tto
d each distribu
4,00
00 clients.
You can also install a secondary site to increase scalability. By default, a secondary site includes a
management point and a distribution point, both of which are installed on the secondary site server. Each
secondary site supports up to 250 distribution points. Each distribution point can support up to the same
number of clients as supported by the hardware configuration of the secondary site server, to a maximum
of 4,000 clients.
Each primary site supports a combined total of up to 5,000 distribution points. This total includes:
All the distribution points at the primary site
All distribution points that belong to the primary sites child secondary sites
If you install additional distribution points, note the hardware requirements listed in the following table.
Hardware component Recommended
Processor 2 cores (Intel Xeon 5140 or comparable CPU)
RAM 8 GB of RAM
Free disk space Disk space as required for the operating system and content you deploy
to the distribution point.
Distribution point performance is influenced primarily by network I/O and disk I/O.
In addition to Windows Server 2008 and Windows Server 2008 R2, distribution points can be deployed to
the operating systems in the following table.
Operating system Architecture Edition Notes
Windows Vista x64 Business Edition (SP1) Can only host

Enterprise Edition (SP1) the standard
distribution
Ultimate Edition (no service pack or
point
SP1)
Windows 7 x86 or x64 Professional (no service pack or SP1) Can only host
Enterprise Edition (no service pack or the standard
SP1) distribution
point
Ultimate Edition (no service pack or
SP1)
Windows Server 2003 x86 or x64 Standard Edition (SP2) Does not
Enterprise Edition (SP2) support
multicast
Datacenter Edition (SP2)
Windows Server 2003 x86 Web Edition (SP2) Does not

Storage Server Edition (SP2) support
multicast
Windows Server 2003 R2 x86 or x64 Standard Edition Does not

Enterprise Edition support
multicast
Unlike other site system roles, distribution points are supported on some 32-bit operating systems.
Additional distribution point features, such as PXE and multicast, are only supported on specific operating
systems.
Insstalling and Configuring Prere

equisites
There are many prerequisites fo or Configuratio

on Manager. S ome roles require specific operating systeem
com
mponents or se ettings, while other
o e functionality from other prrograms. The following table
roles use e lists
the prerequisites and
a roles that need them.
Prerequisite Role or Fea

ature Notes
Microsoft
M .NET ased roles
All web ba Install both .NET 3.5.1 and WCF Activattion
Frramework 3.5.1 A windows feature that iss installed with h the Windowss
Fe
eatures Server Man nager. When in nstalling the .N
NET Frameworkk
3.5.1 Featurres, you are prrompted to ad dd required rolles
and servicees. IIS is then in equired features.
nstalled with re
In
nternet All web-ba
ased roles Commo on HTTP Featuures
In
nformation Staatic Content
Se
erver
Deefault Documeent
Dirrectory Browsiing
HTTTP Errors
HTTTP Redirection
Applicaation Developmment
ASSP.NET
.NEET Extensibilityy
ISA API Extensions
ISA API Filters
(continued)
Prerequisite Role or Feature Notes
Health and Diagnostics

HTTP Logging
Logging Tools
Request Monitor
Tracing
Security
Windows Authentication
Request Filtering
Performance
Static Content Compression
Management Tools
IIS Management Console
IIS Management Scripts and Tools
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
.Net Framework Application Catalog Download .NET Framework 4.0 from Microsofts website
4.0 web service point and then install it.
Application Catalog
website point
Asset Intelligence
synchronization point
Reporting Services point
Enrollment point
Enrollment proxy point
BITS Management point The Background Intelligent Transfer Service (BITS) is a

Distribution point Windows feature that is installed through the Windows
Server Manager.
Remote Site Servers Remote Differential Compression is a Windows feature

Differential that is installed through the Windows Server Manager.
Compression
WDS PXE-enabled The Windows Deployment Services Role (WDS) is installed

distribution point using Windows Server Manager and is a prerequisite if
you want to use PXE or multicast.
WAIK Operating System The Windows Automated Installation Kit (WAIK) is

Deployment installed automatically during Configuration Manager
2012 Setup Wizard. This prerequisite is needed for the
operating system deployment feature.
WSUS Software update point You can download Windows Software Update Services
(WSUS) from Microsofts website. WSUS is a prerequisite
to install the software update point.
Depending on the site system role you want to implement, you must configure one or more of the
following prerequisites:
IIS with ASP.NET and .NET Framework 3.5.1. Because most site system roles use HTTP or HTTPS to
communicate with clients, the Web Server (IIS) server role should be installed on the majority of
servers hosting site system roles.
BITS. Site system roles such as management point and distribution point use BITS for bandwidth
throttling.
.NET Framework 4.0. This is required when you install any of the following:
Application Catalog

Reporting Services point
Enrollment point

WSUS. The software update point role uses Windows Server Updates Services (WSUS).
WDS. Windows Deployment Services (WDS) is required when you use PXE-initiated deployments of
operating systems or if you wish to use multicast deployment of operating system images.
Configuration Manager Setup Downloader

Configuration Manager Setup Downloader (SetupDL.exe) is a stand-alone application that can be used to
download the Configuration Manager client prerequisites, language packs, and SQL Server Express 2008
R2 SP1. These prerequisites are requested during the Microsoft System Center 2012 Configuration
Manager Setup Wizard and can be downloaded directly from the Microsoft web site during Setup.
If the site server does not have a direct connection to the Internet, you can use the Configuration
Manager Setup Downloader (SetupDL.exe), which can be found on the Configuration Manager installation
media in the \\SMSSETUP\BIN\X64 folder, to download the prerequisites on another computer which
has Internet connectivity. Then you can copy the prerequisites on the server where you plan to install
SQL Server Configuration

When you install and configure the SQL Server that Configuration Manager 2012 will use, refer to the
settings described in the following table.
Configuration More information
Database collation The instance of SQL Server in use at each site must use the following
collation: SQL_Latin1_General_CP1_CI_AS.
SQL Server features Only the Database Engine Services feature is required for each site server.
You can also install SQL Server Reporting Services to support the Reporting
Services point role.
Note Configuration Manager database replication does

not require the SQL Server replication feature.
Windows Authentication Configuration Manager requires Windows authentication to validate

connections to the database.
SQL Server instance You must use a dedicated instance of SQL Server for each site.
SQL Server memory When you use a database server that is co-located with the site server, limit
the memory for SQL Server to 50 to 80 percent of the available addressable
system memory.
When you use a dedicated SQL Server, limit the memory reserved for SQL
Server to 80 to 90 percent of the available addressable system memory.
Configuration Manager requires SQL Server to reserve a minimum of 8 GB
of memory in the buffer pool used by an instance of SQL Server for the
central administration site and primary site.
Wh
hat Is Prerequisite Checker?
Prerrequisite Checker (ConfigMg grSourceFiles\SSMSSETUP\BIN N\x64\prereqch hk.exe) is a staand-alone

app
plication includ ded with the Syystem Center 2012
2 installatioon media. Usee Prerequisite C Checker to verrify
thatt a server is rea
ady for a site server
s installatiion or the insttallation of speecific site system roles.
Prerrequisite Checker performs a series of tests from the folllowing catego

ories:
Security rightts. Prerequisite

e Checker perfo orms validatio on for the security rights asso
ociated with th
he
administrative e user performming the Setup ministrative peermissions on the central
p. It verifies adm
dministrator peermissions on the computerr where
administration site (if appliccable), local ad
Configuration n Manager is installed, and permissions
p onn the SQL Servver that was ussed for the
installation.
Configuration
n Manager dep
pendencies. Prrerequisite Cheecker tests forr Configuration
n Manager
dependenciess, such as:
Verifying
g that BITS is enabled
Checking
g the SQL Server configuratio
on
Checking
g the Windowss Firewall settin
ngs
Checking
g the IIS config
guration
Checking
g publishing to
o AD DS permiissions
Checking
g for the installation of the re
equired Config
guration Manaager prerequissites
System requirrements. Prereequisite Checker validates thhe hardware an nd operating ssystem

configurationn, AD DS functional level, Acttive Directory schema extensions, domain membership, and
the free disk space
s on the server
s on which the installatiion is perform ed.
You can manually run Prerequisite Checker when preparing a server for Configuration Manager, but it is
not required. If you choose to manually run Prerequisite Checker, you can remediate any issues that you
find before you run the Configuration Manager Setup program. Regardless of your choice to manually
run Prerequisite Checker, the Configuration Manager Setup program runs it as the last step in the Setup
Wizard because installation cannot begin until all prerequisites for the chosen roles are met.
When you manually run Prerequisite Checker, you run it from a command prompt and specify specific
command-line options. Prerequisite Checker checks the specified servers for checks associated with the
site server or site systems specified in the command-line. You can also specify a remote server for
Prerequisite Checker to validate whether you have administrative rights on the remote system.
Prerequisite Checker notifies you of any warnings or errors encountered. Tests that result in a warning do
not prevent you from successfully installing System Center 2012 Configuration Manager; however, you
should resolve the condition that generated the warning before running the Configuration Manager 2012
Setup Wizard. Tests that result in an error prevent you from completing the Configuration Manager Setup
process. Additionally, you can avoid interrupting the setup process by remediating any prerequisite errors
before running Configuration Manager 2012 Setup Wizard.
The following options are available to use with Prerequisite Checker when run from a command line.
Command-line option Description
/NOUI Use this option to start Prerequisite Checker without displaying the user
interface. You must specify this option before any other option in the
command-line.
/PRI or /CAS Verifies that the local computer meets the requirements for the primary
site or central administration site. You can specify only one option, and
it cannot be combined with the SEC option.
/SEC FQDN of secondary site Verifies that the specified computer meets the requirements for the
secondary site. This option cannot be combined with the /PRI or /CAS
option.
[/INSTALLSQLEXPRESS] Verifies SQL Express on the specified computer. This option can only be
used after the /SEC option.
/SQL FQDN of SQL Server Verifies that the specified computer meets the requirements for SQL
Server to host the Configuration Manager site database. This option is
required when you use the /PRI or /CAS option.
/SDK FQDN of SMS Provider Verifies that the specified computer meets the requirements for the SMS
Provider. This option is required when you use the /PRI or /CAS option.
/JOIN FQDN of central Verifies that the local computer meets the requirements for connecting
administration site to the central administration server. This option is only valid when you
use the /PRI option.
(continued)
Command-line
option Description
/MP FQDN of Verifies that the specified computer meets the requirements for the
management point management point site system role. This option is only supported when you
use the /PRI option.
/DP FQDN of Verifies that the specified computer meets the requirements for the distribution
distribution point point site system role. This option is only supported when you use the /PRI
option.
/ADMINUI Verifies that the local computer meets the prerequisites for the Configuration
Manager console. This option cannot be combined with any other option.
Prerequisite Checker verifies that the site server computer account has permissions to write in AD DS, but
it does not check permissions for any groups of which the site server is a member.
Demonstra
D ation: Insta
alling and Configurin
ng Operatting System
m Prerequisites
In
n this demonsttration, you will see what Windows Server 2008 R2 roles and features aare required to
o
su
upport the Connfiguration Ma anager installa
ation.
Demonstrati
D ion Steps
Use Server Manager to review the prereq
quisites for in
nstalling Syste
em Center 20
012 Configura
ation
Manager
M
1.. On NYC-CFFG, start the Se

erver Managerr console.
2.. In the Serveer Manager co

onsole, under the
t Roles nod e, scroll to thee Web Server (IIS) section, aand
verify that the
t following features
f are installed:
Common HTTP featu

ures
ASP.NE
ET
Windows Authentica
ation
IIS 6 Metabase
M Comp
patibility
IIS 6 WMI
W Compatibiility
3.. In the Serve

er Manager co
onsole, under the
t Features n
node, verify that the followin
ng features are
e
installed:
Backgrround Intellige
ent Transfer Se
ervice (BITS)
Remote Differential Compression

C
.NET Frramework 3.5.1 Features
4.. In the Conttrol Panel at Prrograms and Features, veriify that Microsoft .NET Framework 4 Ex
xtended
and Microssoft SQL Serv 64-bit) are insttalled.
ver 2008 R2 (6
Lesson 3
Installiing a Co
M r 2012 SSite Serrver
Afte
er preparing th
he environmennt, your next sttep is to instal l the Configurration Manage
er 2012 site serrver.
You
u can use the System
S Center 2012 Configuration Manageer Setup Wizard to:
ary site, either stand-alone or

Install a prima o part of a hieerarchy.
Install a centrral administrattion site.
Recover a site
e server.
Perform site maintenance.
m
Uninstall the site.
Add
ditional configuration option
ns for the site systems
s can bee selected during setup.
You
u will review th nd determine tthe most appr opriate setting
he available settup options an gs for your
imp
plementation.
Afte
ou will be able to:
Describe the Configuration Manager 201

12 setup proceess.
Explain the Configuration Manager

M 2012 setup optionss.
Describe the installation of a Configuratio 012 primary siite.

on Manager 20
The
T Configuration Manager
M 20
012 Setup Process
Thhe following ta
able lists the stteps of the Sysstem Center 20012 Configuraation Managerr Setup Wizard
d, and
in
nformation thaat you input fo or each step.
Wizard
W step Input require
ed
Getting Starte
ed Choose: Instaall a Configurration Managger primary siite server.
Optionally, yo
ou can check: Use typical in
nstallation op
ptions for a sttand-
alone primary site.
Product Key Enter the pro

oduct key or seelect Install th
his product ass an evaluatio
on.
Microsoft Sofftware Accept the liccense terms in

n this step to c ontinue with tthe setup.
License Termss
Prerequisite Licenses
L In this step yo
ou must acceppt the licenses for Microsoft SQL Server 20
008 R2
Express, Micrrosoft SQL Servver 2008 Nativve Client and M
Microsoft
Silverlight 4 to continue w
with the setup.
Prerequisite Downloads
D In this step, you
y can downlload the Confi guration Manager prerequissites or
specify a foldder where you have previoussly downloade
ed them.
Server Langua
age With this opttion you can sp
pecify addition
nal language p
packs to be
Selection downloaded and installed for the admin console and rreports.
Client Langua
age With this opttion you can sp
pecify addition
nal language p
packs to be
Selection downloaded and installed for the Config guration Manager client.
(continued)
Wizard step Input required

Site and Installation Configure the site code and site name. These settings cannot be changed
Settings later. You can also choose whether to install the Configuration Manager
console.
Primary Site Installation If you selected Install a Configuration Manager primary site in the first
step, you can indicate whether the site is stand-alone or is part of a
hierarchy.
Database Information Input the fully qualified domain name (FQDN) of the SQL server, the name
of the Configuration Manager database, and the port to use for the SQL
Server Service Broker.
SMS Provider Settings Input the FQDN name of the server that hosts the SMS Provider. By default,
this is installed on the site server.
Client Computer In this step, you can configure choose either of the following:
Communication Settings All site systems roles accept only HTTPS communication from clients
Configure the communication method on each site system role
If you choose to configure site system roles separately, you can check the:
Clients will use HTTPS when they have a valid PKI certificate and
HTTPS-enabled site roles are available check box.
Site System Roles In this step, you can choose to install a management point and/or a
distribution point and specify the FQDNs for the roles. By default both
roles are installed using the FQDN of the server.
If you chose:
All site systems roles accept only HTTPS communication from
clients, both roles are configured for HTTPS and cannot be modified
during setup.
Configure the communication method on each site system role,
both roles are configured for HTTP and cannot be modified during
setup.
Configure the communication method on each site system role,
and you checked Clients will use HTTPS when they have a valid PKI
certificate and HTTPS-enabled site roles are available, both roles
are configured for HTTPs and can be modified during setup.
Customer Experience In this step, you can optionally choose to participate in the Customer
Improvement Program Experience Improvement Program.
Configuration
Settings Summary Review your selections to determine whether you need to go back to make
changes.
Prerequisite Check The Setup Wizard launches Prerequisite Checker to evaluate the server
readiness for hosting the selected roles.
Begin install Select the option to start the installation. Alternatively, you can go back and
make additional changes or install missing prerequisites.
If you want to install the console on an administrative users workstation, you can use the
ConsoleSetup.exe in SMSSETUP/BIN/i386. The Configuration Manager console is a 32-bit application and
can be installed on both 32-bit and 64-bit operating systems.
Question: Why should you run Prerequisite Checker before running the Setup Wizard?
Co
onfiguratio
on Manage
er 2012 Se
etup Optio
ons
Usin
ng the optionss provided in the first step off the System C
Center 2012 Co
onfiguration M
Manager Setup
p
Wizzard you can:
Install a Configuration Mannager primary site. Select thiss option to insstall a primary site. You have
e the
opportunity later to select if
i is stand-alon
ne site or part of a hierarchyy.
Install a Configuration Man

nager central administration
a site. If you aree installing a h
hierarchy, the ccentral
administration site needs to
o be installed first.
f
Upgrade an existing
e Config
guration Manager 2012 instaallation. This o
option allows yyou to upgrade
e the
current Configuration Manager 2012 site
e to a newer veersion (such ass Service Pack 1).
Recover a site
e. Use this option to performm the first step in recovering a failed site se
erver. Site servver
recovery is co
overed in detail later, in Mod
dule 7.
Perform site maintenance

m or
o reset this sitte. Use this opttion to modifyy the SQL serve
er configuratio
on,
manage the SMS
S Provider, or perform a site
s reset afterr restoring from m a backup.
Uninstall a Co
M site. This
T is the reco proach to rem
ommended app move a site servver
from a hierarchy.
Note The option to insta all a secondaryy site is not avaailable in the SSetup Wizard. You can
econdary sites by using the Configuration
install the se C Manager conssole connected d to an
existing primmary site.
The Configuration Manager 2012 setup differs from the Configuration Manager 2007 setup in the
following ways:
With the exception of the management point and distribution point site roles, you cannot install any
of the optional roles during the setup process.
Setup Downloader (SetupDL.exe) and Prerequisite Checker (prereqchk.exe) are now separate
applications and can be launched without starting the Configuration Manager 2012 Setup Wizard.
De
emonstration: Installing a Conffiguration Manager 2012 Prim
mary Site
In th
his demonstration, you will see
s how to install a Configurration Manageer primary site
e.
Dem
monstration
n Steps
Run
n Prerequisite
e Checker and
d verify that the prerequisiites are met ffor the installa
ation
1. On NYC-CFG, navigate to the E:\ConfigM
Mgr2012\ fold
der.
2. Double-click splash.hta.
3. In the System
m Center 2012
2 Configuration Manager SSetup screen, click Assess sserver readine
ess.
4. In the Installa
ation Prerequissite Check window, verify thaat there are no
o errors, and then click OK.
Runn the System Center 2012 Configuration

C n Manager Seetup Wizard a
and select the
e option to in
nstall
a Co
onfiguration Manager 20112 stand-alon
ne primary site
e
1. In the System
m Center 2012
2 Configuration Manager SSetup screen, click Install.
2. The Microsofft System Cen nter 2012 Con nfiguration M Manager Setup
p Wizard startts. Use the
following setttings to install a stand-alone
e primary site.
On the Getting
G Starte
ed page, selectt Install a Con
nfiguration M
Manager prima
ary site.
On the Product
P Key page, select Insstall this prod
duct as an eva
aluation.
On the Microsoft
M e Terms page, accept the license terms.
Softtware License
On the Prerequisite
P Liicenses page, under Microssoft SQL Serve er 2008 R2 Ex xpress, select
I accept these License
e Terms, undeer Microsoft SSQL Server 20 008 Native Client, select I acccept
these Liccense Terms, and then undeer Microsoft SSilverlight 4, sselect I acceptt these Licensse
Terms an nd automaticc updates of Silverlight.
S
On the Prerequisite Downloads page, select Use previously downloaded updates from the
following location, and specify the E:\ConfigMgr2012\Redist as the location.
On the Server Language Selection and Client Language Selection pages, click Next.
On the Site and Installation Settings page, configure the following options.
Site code: NYC

Site name: Contoso Primary Site
Install the Configuration Manager console: selected
On the Primary Site Installation page, select Install the primary site as a stand-alone site.
On the Database Information page, accept the default settings.
On the SMS Provider Settings page, accept the default settings.
On the Client Computer Communication Settings page, select Configure the communication
method on each site system role.
On the Site System Roles page, verify that both Install a management point and Install a
distribution point check boxes are selected. Also verify that NYC-CFG.Contoso.com appears in
both FQDN text boxes.
On the Customer Experience Improvement Program Configuration select I dont want to

join the program at this time.
On the Settings Summary page, click Next.
3. On the Prerequisite Check page, wait for the prerequisite checking to finish, review the results, and
then click Begin Install.
Lab A: Installing a Co
onfigura
ation M
Managerr 2012
Primarry Site
Lab
b Setup
For this lab, you use
u the availabble virtual mach
hine environm
ment. Before yo
ou begin the laab, you must
com
mplete the folloowing steps:
1. On the host computer,
c click
k Start, point to
t Administraative Tools, an
nd then click H
Hyper-V Manager.
2. In Hyper-V Manager,
M click
k 10748A-NYC
C-DC1-A, and in the Actionss pane, click Sttart.
3. In the Actionss pane, click Connect. Wait until the virtuaal machine staarts.
4. Log on using the following credentials:
User nam
me: Administra
ator
Password
d: Pa$$w0rd
Domain: Contoso
5. or 10748A-NY
Repeat steps 2 through 4 fo YC-CFG-A.
Lab
b Scenario
Youu are the netwoork administra
ator for Contosso, Ltd. Contosso wants to deeploy System C Center 2012
Connfiguration Maanager, but the
ey need to evaaluate the funcctionality first. Thus, they havve decided to
perfform a Proof-oof-Concept deeployment in a lab environm ment. The Prooff-of-Concept d deployment iss
limited to a stand-alone primary site.
u need to test the
You t deploymen
nt by:
1. Configuring prerequisites
p fo
or the Configu
uration Manag
ger 2012 deplo
oyment.
2. Extending the
e Active Directtory schema.
3. Installing a Syystem Center 2012
2 Configuration Manageer stand-alone primary site.
Exercise 1: Configuring the Prerequisites for Configuration Manager 2012

Deployment
Scenario
You have received your virtual environment to use for testing. Virtual machines are already configured
with the Windows Server 2008 R2 operating systems. IIS and required prerequisites are already installed,
as well as SQL Server 2008.
You need to verify the configuration of prerequisites for the Configuration Manager deployment.
The tasks for this exercise are as follows:
1. Start Server Manager.
2. Verify the installation of Web Server (IIS) and related role services.
3. Verify the installation of the required features.
4. Verify that .NET Framework 4.0 and SQL Server 2008 are installed.
X Task 1: Start Server Manager

On NYC-CFG, start the Server Manager console.
X Task 2: Verify the installation of Web Server (IIS) and related role services
In the Server Manager console, under the Roles node, scroll to the Web Server (IIS) section, and
verify that the following features are installed:
Common HTTP features
ASP.NET
X Task 3: Verify the installation of the required features

1. In the Server Manager console, under the Features node, verify that the following features are
installed:
Background Intelligent Transfer Service (BITS)
.NET Framework 3.5.1 Features
2. Close the Server Manager console.
X Task 4: Verify that .NET Framework 4.0 and SQL Server 2008 R2 are installed
In the Control Panel in the Programs and Features section, verify that Microsoft .NET Framework
4 Extended and Microsoft SQL Server 2008 R2 are installed.
Results: After this exercise, you should have validated the prerequisites for installing System Center 2012
Exercise 2: Extending the Active Directory Schema

Scenario
The virtual environment includes a domain controller with AD DS already configured in the contoso.com
domain.
You need to prepare AD DS for Configuration Manager 2012 by extending the AD DS schema and
manually creating the System Management container where Configuration Manager 2012 server will
publish information.
1. Run EXTADSCH on the domain controller.
2. Create the System Management container by using ADSIEDIT.

3. Assign Full Control permissions for the System Management container to the site server.
X Task 1: Run EXTADSCH on the domain controller

1. On NYC-DC1, open Windows Explorer, navigate to the \\NYC-CFG\E$\ConfigMgr2012
\SMSSETUP\BIN\X64 folder, and then locate and run extadsch.exe.
2. Browse to drive C, open the ExtADSch.log file created in the root of drive C, and then verify the
success of the operation by observing the classes and attributes added to AD DS and the message
that confirms the successful extension of the schema.
X Task 2: Create a System Management container by using ADSIEDIT

1. On NYC-DC1, in the Run dialog box, type adsiedit.msc, and then click OK.
2. In the ADSI Edit console, connect to the default naming context.
3. In the ADSI Edit console, expand Default naming context, expand the DC=CONTOSO,DC=COM
container, and select the CN=System container.
4. Create an object under CN=System with the type container, and the name System Management.
5. In the ADSI Edit console, verify that CN=System Management container appears in the results pane,
and then close the console.
X Task 3: Assign Full Control permissions for the System Management container to the
site server
1. Open the Active Directory Users and Computers console, and then from the View menu verify that
Advanced Features is selected.
2. Under the System container, browse to the System Management container and access its
Properties.
3. On the Security tab assign Full Control permission to the NYC-CFG server, and then click
Advanced.
4. In the Advanced Security Settings for System Management dialog box edit the entry for the
NYC-CFG computer so Full Control permission will apply to This object and all descendant
objects, and then click OK.
5. Close all dialog boxes with OK.
Note After the installation, the Configuration Manager 2012 site server will publish
information in the System Management container to enable clients to determine the
assigned site and locate the management point.
Results: At the end of this exercise, you should have extended the Active Directory schema, created the
System Management container, and assigned permissions to the Configuration Manager server.
Exercise 3: Installing a Configuration Manager 2012 Stand-Alone Primary

Site
Scenario
After you have verified that prerequisites are installed, and extended the AD DS schema, you need to test
the procedures for installing Configuration Manager 2012 in a stand-alone primary site.
The main tasks for this exercise are as follows:
1. Run the setup for Configuration Manager 2012.
2. Run Installation Prerequisite Check and verify that the prerequisites are met for the installation.
3. Run the System Center 2012 Configuration Manager Setup Wizard and select the option to install a
Configuration Manager 2012 stand-alone primary site.
X Task 1: Run the setup for Configuration Manager 2012

1. On NYC-CFG, navigate to the E:\ConfigMgr2012\ folder.
X Task 2: Run Installation Prerequisite Check and verify that the prerequisites are met
for the installation
1. In the System Center 2012 Configuration Manager Setup screen, select Assess server readiness.
2. In the Installation Prerequisite Check window, verify that there are no errors, and then click OK.
X Task 3: Run the System Center 2012 Configuration Manager Setup Wizard and select
the option to install a Configuration Manager 2012 stand-alone primary site
1. In the System Center 2012 Configuration Manager Setup screen, click Install.
2. The Microsoft System Center 2012 Configuration Manager Setup Wizard starts. Use the
following settings to install a stand-alone primary site.
On the Getting Started page, select Install a Configuration Manager primary site.
On the Product Key page, select Install this product as an evaluation.
On the Microsoft Software License Terms page, accept the license terms.
On the Prerequisite Licenses page, under Microsoft SQL Server 2008 R2 Express, select
I accept these License Terms, under Microsoft SQL Server 2008 Native Client, select I accept
these License Terms, and then under Microsoft Silverlight 4, select I accept these License
Terms and automatic updates of Silverlight.
On the Prerequisite Downloads page, select Use previously downloaded updates from the
following location, and specify the E:\ConfigMgr2012\Redist as the location.
On the Server Language Selection and Client Language Selection pages, verify that English is
selected.
Site code: NYC
Install the Configuration Manager console: selected
On the Primary Site Installation page, select Install the primary site as a stand-alone site.
On the Site System Roles page, verify that a management point and a distribution point will be
installed on NYC-CFG.Contoso.com.
On the Customer Experience Improvement Program Configuration select I dont want to

join the program at this time.
On the Prerequisite Check page, wait for the prerequisite check to finish, and then click Begin
Install.
3. Wait for the installation to finish, and then close the wizard.
Note The installation process may take up to 30 minutes.
Results: At the end of this exercise, you should have installed System Center 2012 Configuration Manager
in a stand-alone primary site.
X To prepare for the next lab

When you finish the lab, leave the virtual machines running.
Lesson 4
Performing Post-Setup Configuratiion Tasks
You
u can verify tha
at the installatiion of System Center 2012 CConfiguration Manager is successful by staarting
the Configurationn Manager con nsole, reviewing the installatiion logs, and rreading the staatus messagess.
You
u also need to perform the in oundaries and boundary groups
nitial site configuration by deefining the bo
and optionally byy installing add
ditional site roles.

Describe veriffying a Configuration Manag

ger 2012 prim
mary site installation.
Describe view preting status messages.

wing and interp
Describe the functionality of

o status summ
marizers.
Describe conffiguring bound
daries and bou
undary groupss.
Describe insta
alling addition
nal site system roles.
Describe perfforming post-cconfiguration tasks.

t
Verifying
V th
he Configu
uration Ma
anager 20
012 Installaation
Yo
ou can perform
m the following actions to ve
erify the Confiiguration Man
nager 2012 insttallation:
1.. Use the Serrvices console to verify that the

t SMS Execu
utive and related services are
e started.
2.. Start the Co

M consoole. This verifiees that the site default site co
omponents are e
functioning nnot connect, verify that you
g normally. If the console can u are logged o on with the sam
me
account thaat was used foor Setup.
3.. View the installation logss:
ConfigMgrPrereq.logg. This log is ge

enerated by P rerequisite Ch
hecker, whethe
er run stand-alone or
as partt of Setup.
ConfigMgrSetup.log.. This log is ge

enerated by thee Configuratio on Manager Se etup Wizard, aand is
the primary setup logg. Look here too identify any abnormal erro ors encountere ed during Setu up. For
example, when you runr Setup, the wizard attemp pts to connectt to the databaase. Since the
databaase at that poin
nt does not exxist, this action generates an error.
ConfigMgrSetupWiza
ard.log. This lo
og is generated
d by the Setup
p Wizard.
e installing the console

ConfigMgrAdminUI.llog. This log is generated byy the console ssetup. Because
is not mandatory,
m thiis is a separate
e log.
4.. View the Sttatus Messagess found in the Monitoring seection.
Question: What
W is the prrimary log for the
t Configurattion Manager setup?
Vie
ewing Stattus Messag
ges
All major
m Configuration Manage
er componentts generate staatus messages..
One
e way to use sttatus messages is to validate nstallation and
e a Configuratiion Manager in d its core
mponent functionality. You can
com c find status messages in t he Monitoring g workspace att the following
g
nod
des:
Site Status
Component Status
S
Afte
er selecting a site
s system or a component, use the Statuss Messages Vieewer to view the associated status
his application by clicking the Show Mess ages button in
messsages. Start th n the ribbon.
Stattus messages can ewed using status message r eports.

c also be vie
Overview
O of
o Status Summarizers
Sttatus messages help you tracck the flow of data through the Configuraation Managerr components. State
messages
m represent a point in on on a client. While you usee the status message viewer read
n time conditio
sttatus messagess. There is no such
s equivalennt for state meessages. The reesult of state m
messages is larg
gely
on nly seen in rep
ports, various data
d in the con
nsole (such as number of sysstems needing g an update), o
or the
client logs them mselves.
Brrowsing through all status messages

m can be
b a tedious taask. Configurattion Manager aggregates staatus
messages
m by using status summmarizers that determine thee overall healtth of each com
mponent.
Th
here are four status
s summarrizers:
n Deployment Summarizer, which

Application w aggregaates state messsages generate
ed by clients in
nvolved
in the deplo
oyment of app
plications clien
nts.
Application
n Statistics Sum
mmarizer, whicch aggregates information about the application deployyment
state messa
ages.
marizer, which aggregates staatus messagess generated byy components on site
Component Status Summ
systems.
Site System
m Status Summ
marizer, which aggregates
a staatus messages generated by site systems.
Additional toolss for working with
w status me
essages are:
Status filterr rules, which control

c ocessing of staatus messages based on both
the pro h built-in ruless that
you can mo odify and on ruules that you create.
c
Co
onfiguring Boundarie
es and Bou
undary Gro
oups
In System Center 2012 Configurration Manage er, clients use b

boundaries an
nd boundary groups to detecct
theiir assigned site
e or determine
e the closest co
ontent location n.
Bou
undaries repressent network locations wherre Configuratio on Manager cl ients are manaaged. Boundary
groups are logical groups of bo oundaries that are used durinng client installlation to dete
ermine the
Con
nfiguration Ma anager site that manages a client.
c ndary group configured for site assignmen
If a boun nt
doe
es not exist, the
e client installa
ation process uses
u gured fallback site for site asssignment.
the config
Addditionally, bounndary groups are points and statte migration points.

a used by cliients to locatee distribution p
Disttribution pointts and state miigration pointss are assigned by administraator to boundaary groups and d can
be members
m of multiple
m boundary groups. Att least one bou undary group is required forr clients to be able
to find content on n a distribution
n point. Bounddaries that are not memberss of a boundarry group are no ot
usedd for any purppose.
Bouundaries and boundary groups are global data,

d and theirr definitions arre replicated aacross the entirre
hierrarchy.
You
u can define bo
oundaries by using:
u
IP Subnet, byy specifying an IP subnet. Op

ptionally you caan specify an IIP address and
d subnet maskk and
the subnet ID
D that Configuration Manage er uses to calcuulate the IP su
ubnet.
An Active Directory site, byy selecting an Active

A Directorry site defined in the forest.
IPv6 prefix, byy specifying an

n IPv6 prefix.
IP address ran
nge, by specifyying a range of
o IPv4 addressses.
Wheen used for sitte assignment, boundary gro oups should noot have overla pping boundaaries. If a clientt is
loca
ated in an overrlapping bounndary, the site assignment
a prrocess is non-d
deterministic, w
which means tthat
the client can be assigned
a to an
ny of the sites.
When used to locate content, boundary groups can have overlapping boundaries. This means that a client
in a boundary that is part of multiple boundary groups can have access to multiple content locations.
As a best practice, you should use different boundary groups for site assignment and for content location.
Boundaries and boundary groups are discussed in more details in Module 6: Planning and Completing
System Center 2012 Configuration Manager Client Deployment.
Insstalling Site System Roles

R
To provide
p flexibility when dete
ermining the siite role installaation, only management poiint and distribu
ution
poin
nt can be insta
alled during se
etup. You install other roles ffrom the Confiiguration Man
nager console aafter
perfforming Setupp.
You
u will need to determine
d whe
ether the roless are installed:
On an existing site system using

u the Add Site System R oles Wizard.
On a new site
e system using the Create Sitte System Servver Wizard.
The two wizards are a the same with w the excepttion that you n need to select an existing se
erver and desig
gnate
it ass a new site sysstem in the Co onfiguration Manager
M site in
n the Create Sitte System Servver Wizard, wh
hereas
the Add Site Syste em Roles Wiza ard informationn on the Geneeral page does not need to b be reconfigureed.
Add ady installed on the site systeems are not lissted in the Add Site System Roles
ditionally, roless that are alrea
Wizzard.
Demonstra
D ation: Perfo
orming Po
ost-Configuration Taasks
In
n this demonsttration, you will see how to configure
c Activve Directory Foorest Discoverry to create
booundaries base ed on AD DS sites,
s create a boundary
b grouup, and assignn the new boun ndary. You also will
se nal roles, and how to configure a manage
ee how to conffigure site systtem roles and install addition ement
pooint and a disttribution pointt.
Demonstrati
D ion Steps
Create a new Active
A Directo
ory site
1.. C1, start the Active Directoryy Sites and Serrvices console.
On NYC-DC
2.. es console, un der the Sites n

In the Activve Directory Sittes and Service node, create a new site nam
med
NewYork (without
( a spacce), and assignn it to the DEFFAULTIPSITELLINK.
3.. Under the Subnets

S node
e, create a subn 0.0/24 and as sign it to the N
net for 10.10.0 NewYork site.
4.. Close the Active

A Directoryy Sites and Serrvices console..
Configure Actiive Directory Forest Discov

very to create
e a new boundary from the
e Active
Directory
D site
1.. On NYC-CFFG, in the Conffiguration Man

nager console,, in the Admin
nistration worrkspace, expan
nd
Hierarchy Configuration, and then seelect Discoveryy Methods.
2.. In the results pane, access the propertie

es for Active D
Directory Forest Discovery
y and select En
nable
Active Dire ectory Forest Discovery, annd Automaticcally create Acctive Directorry site boundaries
when they y are discovered check boxe es.
3. In in the Configuration Manager console, in the Active Directory Forests node, access the
Properties of Contoso.com. Review the settings, and then close the dialog box.
4. Under the Boundaries node access the Properties of the created boundary. Review the settings, and
then close the dialog box.
Configure a boundary group and include the new boundary
1. In the Configuration Manager console, select the Boundary Groups node, and on the ribbon, click
Create Boundary Group.
2. Create a boundary group with the following settings:

Name of the boundary group: New York Clients
Add the IP range boundary imported by Active Directory Forest Discovery.
On the References tab, select the option Use this boundary group for site assignment.
Add \\NYC-CFG.contoso.com as the site system server.
Install additional site system roles: Fallback Status Point and Reporting Services Point
1. In in the Configuration Manager console, under Site Configuration, select the Servers and Site
System Roles node.
2. Select \\NYC-CFG.Contoso.com, and on the ribbon select the Home tab, and then click Add Site
System Roles.
3. In the Add Site System Roles Wizard use the following settings to install the site system roles:
On the General page, verify that the Name for the site server is NYC-CFG.Contoso.com.
On the System Role Selection page, select Fallback status point and Reporting services
point.
On the Fallback Status Point page, accept the default settings.
On the Reporting Services Point page, use the Verify button to validate access to database.
Under User name click Set, New Account and specify the following credentials:
User name: CONTOSO\Administrator
Password: Pa$$w0rd
Confirm password: Pa$$w0rd
4. Complete the wizard accepting the default settings.
Configure the management point and the distribution point

1. In the Configuration Manager console, select \\NYC-CFG.Contoso.com.
2. In the preview pane, access the Properties for the Management point.
3. Select the option Generate alert when the management point is not healthy and then close the
dialog box.
4. In the preview pane, access the Properties for the Distribution point.
5. On the Boundary Groups tab, verify that the New York Clients boundary group you have created
previously appears in the list, and then close the dialog box.
Note The association between the distribution point and the boundary group was created
when you added the site system to the boundary group in a previous task.
Lesson 5
Tools for
f Mon nitoring
g and Trroublesshootingga
Config
guration
n Managger 20112 Installation
Youu were introduced to the stattus messages feature

f when yyou validated the installation of the System
m
Cennter 2012 Conffiguration Man nager primary site. Status meessages that yo
ou can use to monitor and
trou a generated by all major ccomponents of Configuratio
ubleshoot yourr installations are on Manager.
In th
his lesson, you dditional features related to status messag
u will review ad ges such as status summarize
ers,
status filter rules, and status rep
ports.
Connfiguration Maanager site systtems and com

mponents also ggenerate deta iled logs. In th
his lesson, you will
review the logs an ppropriate log to use when ttroubleshootin
nd then identiffy the most ap ng a specific fe
eature.
In addition to logs, you will examine the Conffiguration Man

nager console,, which also includes feature
es that
are used for moniitoring and aleerting.
Afte
ou will be able to:
Describe usin
ng the Configuration Manage
er 2012 logs fo
or troubleshoo
oting.
Describe usin
ng the monitorring features in
n the in the Co
onfiguration M
Manager 2012 console.
Using
U Conffiguration Manager Logs for T
Troublesho
ooting Site
e Server
In
nstallation
n
Syystem Center 2012

2 Configurration Manage
er site systems and clients geenerate logs th
hat you can use for
trroubleshooting
g your deploym
ment.
Th
here are three types of logs:
Setup logs. The Setup Wizzard generatess setup logs in the root of th
he %SystemDrrive%.
Site server logs.
l Site systems and compo onents generaate site server llogs in the InsttallationPath\LOGS
folder. On computers
c tha
at serve as man
nagement poin nts or Fallbackk Status Pointss, some log file
es are
located in the
t %Program mFiles%\SMS__CCM\Logs fo older.
Several role es such as the management point and disttribution pointt use Internet Information Se ervices
(IIS). The IIS
S log file is loca
ated in the %W
Windir%\Systtem32\logfile
es\W3SVC1 fo older on the IISS server.
Thhe Configuratiion Manager Trace

T Log Tooll (CMTrace.ex xe) is an add-o on tool that can be used to vview the
lo
ogs, quickly loccate warning and
a errors, and d view the late st updates to tthe logs in reaal time. The
M e Log Tool is a stand-alone eexecutable file.. and is found in the
Trace
in
nstallation meddia\SMSSETUP\\TOOLS folderr or in the instatallation path\TTOOLS folder.
Yo
ou can use this tool to view and monitor log files includ ing:
Log files in all versions off Configuration

n Manager.
Plain ASCII or Unicode te

ext files such ass Windows Insstaller logs.
Log files
Most processes and roles generate their own log files. The log files related to the installation and the
default roles including the management and distribution points are listed in the following table.
Log file Description
compmon.log Located in the InstallationPath\LOGS folder. This log file records the
status of the component threads.
compsumm.log Located in the InstallationPath\LOGS folder. This log file records

Component Status Summarizer tasks.
ComRegSetup.log Located in the InstallationPath\LOGS folder. This log file records the
initial installation of COM registration results.
ConfigMgrAdminUISetup.log Located in the root of the %SystemDrive%. This log file records the
installation of the Configuration Manager console.
ConfigMgrPrereq.log Located in the root of the %SystemDrive%. This log file records the
results of the prerequisites checker.
ConfigMgrSetup.log Located in the root of the %SystemDrive%. This log file records the
installation of the Configuration Manager server.
ConfigMgrSetupWizard.log Located in the root of the %SystemDrive%. This log file records the
progress of the Configuration Manager Setup Wizard.
distmgr.log Located in the InstallationPath\LOGS folder. This log file records

package creation, compression, delta replication, and information
updates.
hman.log Located in the InstallationPath\LOGS folder. This log file records site
configuration changes and publishing of site information in AD DS.
mpcontrol.log Located in the InstallationPath\LOGS folder. This log file records the
availability of the management point every 10 minutes.
mpfdm.log Located in the InstallationPath\LOGS folder. This log file records the
activity of the management point component that moves client files
to the corresponding INBOXES folder on the site server.
mpMSI.log Located in the InstallationPath\LOGS folder. This log file records

details about the management point installation.
MPSetup.log Located in the InstallationPath\LOGS folder. This log file records the
management point installation wrapper process.
PerfSetup.log Located in the InstallationPath\LOGS folder. This log file records the
results of the installation of performance counters.
sitecomp.log Located in the InstallationPath\LOGS folder. This log file records the
installation of site system roles, as well as maintenance of the
installed site components.
sitectrl.log Located in the InstallationPath\LOGS folder. This log file records site
setting changes made to site control objects in the database.
(continued)
Log file Description
sitestat.log Located in the InstallationPath\LOGS folder. This log file records the
availability and disk space monitoring activity for all site systems.
smsdbmon.log Located in the InstallationPath\LOGS folder. This log file records

database changes.
smsexec.log Located in the InstallationPath\LOGS folder. This log file records the
processing of all site server component threads.
SMSProv.log Located in the InstallationPath\LOGS folder. This log file records

WMI provider access to the site database.
statesys.log Located in the InstallationPath\LOGS folder. This log file records the
processing of system state messages.
statmgr.log Located in the InstallationPath\LOGS folder. This log file records the
writing of all status messages to the database.
Note For a full list of logs generated by Configuration Manager site server and site system
roles, refer to the Additional Reading link provided in the Course Companion Content on
the http://www.microsoft.com/learning/companionmoc/ site.
Mo
onitoring Features
F in
n the Conffiguration Manager Console
You
u can use the Configuration
C Manager
M conssole to view ag
ggregated info ormation abou ut the health sttate of
your Configuratio
on Manager inffrastructure. This informatio n is available iin the Monitorring section off the
console.
You
u can use the Configuration
C Manager
M conssole to:
Configure the
e generation of
o alerts if site systems
s are no
ot functioning.
Create status message querries.

Access the reports.
View the diag

gram of your Configuration
C Manager hieraarchy.
View the aggregated health

h status of the site systems, ssite componen
nts, and deplo
oyments.
View the health status of Co
M clientts.
View the status of database

e replication be
etween the sittes in a hierarcchy.
View the conttent distributio

on status.
Mon etail in Modulee 7: Maintaining and Monitoring System
nitoring featurres are discussed in more de
Cen
nter 2012 Conffiguration Man nager.
Lab B:
B Perforrming Post-Set
P tup Con
nfigurattion Tassks
Lab Setup
Fo
or this lab, you
u use the availa
able virtual maachine environ
nment. Before you begin the
e lab, you musst ensure
th
he following virtual machines are still runnning:
10748A-NY
YC-DC1-A
10748A-NY
YC-CFG-A
La
ab Scenario
o
Yo
ou have installled a System Center
C 2012 Co
onfiguration M
Manager stand
d-alone primarry site in the laab
en
nvironment.
Yo
ou need to vallidate the insta
allation and pe
erform the inittial site configu
uration.
Exercise 1: Validating the Installation of the Primary Site

Scenario
You need to examine the Site Status and Component Status nodes and review any error messages related
to the installations. You also need to view the installation logs created by Prerequisite Checker and
Configuration Manager setup.
1. View the Site Status node and the Component Status node.
2. View the status messages for the Configuration Manager 2012 installation.
3. View the installation logs.
X Task 1: View the Site Status and Component Status

1. On NYC-CFG, start the Configuration Manager Console.
2. In the Configuration Manager console, in the Monitoring workspace, under the System Status
\Site Status node, view the status of each site system role.
3. In the Component Status node, view the status of each component.
X Task 2: View the status messages related to the Configuration Manager 2012
installation
1. Select again the Site Status node and in the results pane select Site server.
2. On the ribbon, click the Show Messages button, and then click All.
3. In the Status Messages: Set Viewing Period dialog box accept the defaults, and then click OK.
4. In the Configuration Manager Status Message Viewer double-click on any message, and review
the details of the status message. Use the Next and Previous buttons to view additional status
messages, and then close the Status Message Details dialog box.
5. Close the Configuration Manager Status Message Viewer window.
X Task 3: View the installation logs

1. On NYC-CFG, open Windows Explorer.
2. Navigate to drive C and open the ConfigMgrPrereq.log file located in the root folder in Notepad.
Review the file and note any errors or warnings reported by Prerequisite Checker, and then close
Notepad.
3. Open the ConfigMgrSetup.log file in Notepad. Review the file and note any errors or warnings
reported by Setup, and then close Notepad.
Note Also in the root folder is ConfigMgrSetupWizard.log. If you installed the console
you should see ConfigMgrAdminUISetup.log.
Results: At the end of this exercise, you should have validated the installation of System Center 2012
Exercise 2: Performing the Initial Configuration of the Primary Site

Scenario
You need to test how Active Directory Forest Discovery can create boundaries from the AD DS sites. Begin
by creating a new AD DS site in Active Directory Sites and Services, and then configure Active Directory
Forest Discovery in the Configuration Manager console.
Next, you will install new site system roles, such as Fallback Status Point and Reporting Services Point, and
configure the management point and distribution point.
1. Create a new Active Directory site.
2. Configure Active Directory Forest Discovery to create a new boundary from the Active Directory site.
3. Configure a boundary group and include the new boundary.
4. Install additional site system roles: Fallback Status Point and Reporting Services Point.
5. Configure the management point and distribution point.
X Task 1: Create a new Active Directory site

1. On NYC-DC1, start the Active Directory Sites and Services console.
2. In the Active Directory Sites and Services console, under the Sites node, rename the Default-First-
Site-Name site to NewYork (without a space).
3. Under the Subnets node, create a subnet for 10.10.0.0/24 and assign it to the NewYork site.
4. Close the Active Directory Sites and Services console.
X Task 2: Configure Active Directory Forest Discovery to create a new boundary from
the Active Directory site
1. On NYC-CFG, in the Configuration Manager console, in the Administration workspace, expand
Hierarchy Configuration, and then select Discovery Methods.
2. In the results pane, access the properties for Active Directory Forest Discovery and select Enable
Active Directory Forest Discovery, and Automatically create Active Directory site boundaries
when they are discovered check boxes.
3. In in the Configuration Manager console, under the Active Directory Forests node, access the
4. Under the Boundaries node access the Properties of the NewYork boundary. Review the settings,
and then close the dialog box.
X Task 3: Configure a boundary group and include the new boundary

1. In the Configuration Manager console, select the Boundary Groups node, and on the ribbon, click
Create Boundary Group.
Name of the boundary group: New York Clients
Add the NewYork boundary imported by Active Directory Forest Discovery.

Add \\NYC-CFG.contoso.com as the site system server used for content location.
X Task 4: Install additional site system roles: Fallback Status Point and Reporting
Services Point
1. In in the Configuration Manager console, under Site Configuration, select the Servers and Site
System Roles node.
System Roles.
3. In the Add Site System Roles Wizard use the following settings to install the site system roles:
On the System Role Selection page, select Fallback status point and Reporting services
point.
On the Reporting Services Point page, use the Verify button to validate access to database.
Under User name click Set, New Account and specify the following credentials:
Password: Pa$$w0rd
4. Complete the wizard accepting the default settings.
X Task 5: Configure the management point and the distribution point

3. Select the option Generate alert when the management point is not healthy and then close the
dialog box.
4. In the preview pane, access the Properties for the Distribution point.
5. On the Boundary Groups tab, verify that the New York Clients boundary group you have created
previously appears in the list, and then close the dialog box.
Results: At the end of this exercise, you should have performed the initial configuration of a System
Center 2012 Configuration Manager stand-alone primary site.

Lesson
n6
Mana
aging In
nternet--Based Clients
C
To
o be able to manage
m Interneet-based clientts, you need to
o configure sitte systems to ssupport Interne
et-
ba
ased clients an
nd publish those site systemss through the firewall.
All the site systeems used in Internet-based client

c manageement must bee configured w with certificatess issued
byy a certification authority tru
usted by the cllients. In addittion, all Interneet-based clientts must have
co
omputer certifficates issued byb the same ce ertification autthority, and daata transmitted d between these
co
omputers and the site system ms must be encrypted by us ing Secure Socckets Layer (SSSL).

ng this lesson, you
Describe th
he site system roles
r involved in Internet-baased client ma nagement.
Describe ussing certificate based client m anagement.
es in Internet-b
Describe pu
ublishing site system
s roles th
hrough a firew
wall.
Site System Roles

R Invo
olved in Intternet-Bassed Client Managem
ment
The following site

e system roles are
a used for In
nternet-based client manageement:
Managementt point
Distribution point
p
Software upd
date point
Fallback statu
us point
Application Catalog
C website point
Enrollment prroxy point
Unliike previous ve
ersions, Config
guration Mana ager 2012 sitess no longer relly on a single llogical default
mannagement poin nt. You can insstall multiple management
m ppoints in the saame site and tthe client
auto
omatically seleects one on thee basis of netwwork location aand capability (HTTPS or HT TTP).
You
u can configure e some manag gement points in a site to su pport HTTPS cclient connectiions and configure
som
me management points to su upport HTTP cllient connectio ons. Using thiss approach, yo ou can configure
sepa
arate managem ment points foor Internet-bassed client mannagement. You u must configu ure these
mannagement poin nts to use certificates from a PKI solution ttrusted by botth the client an
nd server and
HTTTPS. Additionally, your Intern
net-based Con nfiguration Maanager clients nneed a valid PKI certificate ffrom a
PKI solution truste
ed by both thee client and server for authe ntication with the site systemms.
The fallback status point alwayss uses HTTP beecause this rolee is used as an
n alternate metthod of
com
mmunication when
w the clientts cannot communicate with h site system rooles, including
g when the clie
ent
doe
es not have a PKI-issued
P certificate.
All site systems must reside in an Active Directory domain; however, you can install site systems for
Internet-based client management in an untrusted forest. This scenario might be appropriate for a
perimeter network that requires high security.
You must decide whether the client computers that will be managed over the Internet will be configured
for management on the intranet and the Internet, or for Internet-only client management. You can only
configure the client management option during the installation of a client computer. If you change your
mind later, you must reinstall the client.
Client computers that are configured for Internet-only client management only communicate with
the site systems that are configured for client connections from the Internet. Mobile device clients are
automatically configured as Internet-only when they are configured to use an Internet-based
management point.
Client computers that are configured for Internet and intranet client management can automatically
switch between Internet-based client management and intranet client management when they detect
a change of network. If these clients can find and connect to a management point that is configured
for client connections on the intranet, these clients are managed as intranet clients that have full
Configuration Manager management functionality. If the clients cannot find or connect to a
management point that is configured for client connections on the intranet, they attempt to connect
to an Internet-based management point, and, if this is successful, these clients are then managed by
the Internet-based site systems in their assigned site.
Not all client management functionality is available when using Internet-based client management.
Features that rely on AD DS, or features that are not appropriate for a public network such as operating
system deployments, are not supported for Internet management. The following features are not
supported when clients are managed on the Internet:
Client deployment over the Internet is not possible, for example Client Push and software update-
based client deployment. You must use manual client installation to install the Configuration
Manager client on these computers.
Auto-site assignment will not work on the Internet. Clients need to be configured with an assigned
site at installation. Clients try to locate the site systems using DNS. The Internet FQDN of site systems
that support Internet-based client management must be registered as host entries on public DNS
servers. Clients non-deterministically select one of the Internet-based site systems, regardless of
bandwidth or physical location.
Network Access Protection (NAP). This feature relies on AD DS and cannot function on the Internet.
Wake-On-LAN magic packets cannot be sent on the Internet.
Operating system deployment cannot be performed on the Internet; however, you can deploy task
sequences that do not deploy an operating system, such as task sequences that run scripts and
maintenance tasks on clients.
The remote control feature is not available for Internet-based clients, since these computers cannot
be located using DNS.
Out of band management using Intel Active Management Technology (AMT) cannot be used for
Internet-based clients.
Software deployments to users, cannot be performed unless the Internet-based management point
can authenticate the user in AD DS by using Windows authentication (Kerberos or NTLM). This is
possible when the Internet-based management point trusts the forest where the user account resides.
Use of Certifficates in In
nternet-Ba
ased Clien t Management
Whe en clients conn

nect to the site
e systems located in the inteernal network, the computerrs perform mutual
auth
hentication using Kerberos. This
T is possible e because cliennts and site syystems can access the Active
Dire
ectory infrastru
ucture. For Inte
ernet-based client managem ment, certificattes must be asssigned and insstalled
to enable
e mutual authentication n.
Whe en you configu ure certificatess for Internet-b

based client mmanagement, kkeep in mind that each client and
eachh site system involved in Inte ernet-based cllient managem ment must be cconfigured witth certificates to
perfform mutual authentication on the Interne et as follows:
Configuration n Manager site e system roles that commun icate by using HTTPS use ce ertificates to ve
erify
that their servver name is the same as the server the clieents are trying to connect to o. The Enhance ed Key
Usage field in
n this type of certificate
c inclu
udes Server Au uthentication ((1.3.6.1.5.5.7.3..1). When using a
Microsoft Acttive Directory Certificate
C Servvices Enterprisse CA, you sho
ould create a te emplate based d on
the existing Web
W Server tem mplate in the template
t storee. SHA-1 and SSHA-2 hash alg gorithms are
supported. Th here is no limitt for the maximmum supporteed key length ffor this certificcate.
If the site
e system accep
pts connection bject Name or Subject Altern
ns from the Inteernet, the Subj native
Name must contain the e Internet FQD
DN.
If the site
e system acceppts connection
ns from both th
he Internet and
d the intranet,, both the Inte
ernet
FQDN an nd the intranett FQDN (or com
mputer name)) must be speccified by using the ampersan nd (&)
symbol delimiter
d betweeen the two na
ames.
Configuration Manager site systems that are hosting the distribution point role are using certificates
configured for client authentication. The Enhanced Key Usage field in this type of certificate includes
Client Authentication (1.3.6.1.5.5.7.3.2). When using a Microsoft Active Directory Certificate Services
Enterprise CA, you should create a template based on the existing Workstation Authentication
template in the template store. The private key must be exportable. SHA-1 and SHA-2 hash
algorithms are supported. The maximum supported key length is 2,048 bits.
The certificate:
Is used to authenticate the distribution point to an HTTPS-enabled management point before the
distribution point sends status messages.
Is sent to computers when the Enable PXE support for clients distribution point option is
selected. This ensures that the client computers can connect to a HTTPS-enabled management
point during the deployment of the operating system if task sequences in the operating system
deployment process include client actions such as client policy retrieval or sending inventory
information.
Note The private key must be exportable because you must import the certificate as a file
on the distribution point properties, rather than select it from the certificate store. You need
to export the issued certificate in the Public Key Certificate Standard (PKCS #12) format
(.PFX file).
Internet-based clients can only use certificates generated by the PKI solution for authentication when
connecting to a Configuration Manager site system. The Enhanced Key Usage field in this type of
certificate includes Client Authentication (1.3.6.1.5.5.7.3.2). When using a Microsoft Active Directory
Certificate Services Enterprise CA, you should create a template on the basis of the existing
Workstation Authentication template in the template store. Client computers must have a unique
value in the Subject Name field or in the Subject Alternative Name field. The maximum supported key
length is 2,048 bits.
Template-based certificates can be issued only by an enterprise certification authority running on the
Enterprise Edition or Datacenter Edition of the server operating system, such as Windows Server 2008
Enterprise and Windows Server 2008 Datacenter.
Note When you use an enterprise certification authority and certificate templates, do not
use the version 3 templates (Windows Server 2008, Enterprise Edition). These certificate
templates create certificates that are incompatible with Configuration Manager. When
prompted for the version of the template, select version 2 (Windows Server 2003).
If the client certificates are issued by a different CA hierarchy than the CA hierarchy that issued the
management point certificate, the root CA certificate must be provided for clients.
The configuration of server and client certificates required for Internet-based client management typically
involves the following steps:
Deploying the Web Server certificate for site systems that run IIS. This includes the following
procedures:
Creating and issuing the Web Server certificate template on the certification authority.
Requesting a Web Server certificate from each of the site systems.
Configuring IIS to use the Web Server certificate on each site system.
Deploying the distribution point certificate for site systems that are hosting the distribution point role.
This includes the following procedures:
Creating and issuing the distribution point certificate template on the certification authority.
Requesting a distribution point certificate from each distribution point and exporting the
certificate in a .PFX file.
Configuring the distribution point to use the certificate.
Deploying the client certificate for computers. If the computers are also connecting to the intranet
and can authenticate to Active Directory, the certificate deployment has the following procedures:
Creating and issuing the Workstation Authentication certificate template on the certification
authority.
Configuring auto-enrollment of the Workstation Authentication template by using Group Policy.
Automatically enrolling the Workstation Authentication certificate and verifying its installation on
computers.
If the computers are not connecting to Active Directory, you need to issue and install the client
certificates manually.
Publishing
P Site System Roles Through a Firewall
Th
he site systemss configured to
o support Inte
ernet-based cliient managemment must be ppublished on the
In
nternet. You ca
an accomplish this by implemmenting one oof the following
g scenarios:
1.. Place the siite systems con nfigured to support Internett-based client management in a perimeterr
network. Thhis scenario is more secure but
b more difficcult to implem ent. To implem
ment this scenario,
configure your
y firewalls as
a follows:
Configure the extern

nal firewall to allow
a HTTPS co
ommunication ns from the Intternet to site syystems.
The clie
ents communiicate to the Fallback Status P
Point using HTTTP.
Configure the interna

al firewall to allow commun ications betweeen the perime eter network ssite
systems and the internal servers. Yoou can adjust port values fo
or any customizzation in your
environ
nment, however the followin ng communicaations must bee allowed:
Maanagement pooint. Communiicates with thee SQL Server th hrough the SM MS Provider to read
po
olicy and comm
municates directly with the ssite server to reeport state me
essages.
Disstribution poin
nt. Communica ates with the ssite server to reead configurattion informatio
on and
rep
plicate content using file-based replicationn.
So
oftware update municates with an upstream ssoftware updaate point or dirrectly
e point. Comm
witth Microsoft Update.
U
Fallback Status Point.

P Commun
nicates with th
he site server.
2. Configure the internal site systems to support Internet-based client management and publish them
through a firewall. This scenario is less secure but easier to implement.
To implement this scenario, configure your firewall to allow direct HTTPS access from the Internet to
the site systems (also known as tunneling, or pass-through). If you are using a proxy web server
without SSL termination (tunneling), no additional certificates are required on the proxy web server;
however, the clients are connecting directly to the site systems, and the firewall cannot inspect the
traffic, which can pose additional security risks.
3. If you are using a proxy web server with SSL termination (bridging) for incoming Internet connections,
the proxy web server has the following certificate requirements:
Certificates are installed on the proxy web server with Enhanced Key Usage configured for server
and client authentication. You can use the Web Server and Workstation Authentication
templates.
Internet FQDN is included in the Subject Name field or in the Subject Alternative Name field. If
you are using Microsoft certificate templates, the Subject Alternative Name is only available with
the workstation template.
A server authentication certificate is used to authenticate servers to Internet clients and to

encrypt using SSL all the data transferred between the client and servers.
Client authentication is used to bridge client connections between the System Center 2012
Configuration Manager clients and the Internet-based site systems located on the intranet.
Lab C:
C Config
guring PKI for Configuration
n Manag
ger
Lab Setup
Fo
or this lab, you
u use the availa
able virtual maachine environ
nment. Before you begin the
e lab, you musst ensure
th
he following virtual machines are still runnning:
10748A-NY
YC-DC1-A
10748A-NY
YC-CFG-A
La
ab Scenario
o
Yo
ou have installled a System Center
C 2012 Co
onfiguration M
Manager stand
d-alone primarry site in the laab
en
nvironment.
Yo
ou have been asked to confiigure a Microssoft PKI solutioon for use with
h Configuration Manager. To o do
th
his, you will cre
eate templatess for use by Co
onfiguration M
Manager, and tthen deploy th
he certificates tto your
M infrasstructure.
Exercise 1: Creating Certificate Templates for Configuration Manager

Scenario
You are going to create the templates necessary for use with Configuration Manager. When creating a
custom certificate, you want to ensure that it is only used for enrollment by the intended systems.
Certificates for computer systems are generally distributed through auto-enrollment policies. The main
tasks for this exercise are as follows:
1. Create a Configuration Manager IIS servers group.
2. Create a Configuration Manager Web server certificate template.
3. Create a Configuration Manager client certificate template.
4. Create a Configuration Manager client distribution point certificate template.

5. Create a Configuration Manager mobile device certificate template.
6. Enable the Configuration Manager certificate templates.
X Task 1: Create a Configuration Manager IIS servers group

1. On NYC-DC1, start Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the Users container, create a new group
named Configuration Manager IIS Servers.
3. Add NYC-CFG to the Configuration Manager IIS Servers group.
X Task 2: Create a Configuration Manager Web server certificate template

1. On NYC-DC1, start the Certification Authority console.
2. In the Certification Authority console, right-click the Certificate Templates folder, and then click
Manage. The Certificate Templates Console opens.
3. Duplicate the Web Server template, and select the Windows Server 2003 Enterprise option.
4. In the Properties of New Template dialog box:
On the General tab, name the template as Configuration Manager Web Server Certificate.
On Subject Name tab, ensure that the Supply in the request option is selected.
On the Security tab, remove the Enroll permission from the security groups: Domain Admins
and Enterprise Admins. Add the Configuration Manager IIS Servers group, and grant the
Configuration Manager IIS Servers group the Enroll permission.
X Task 3: Create a Configuration Manager client certificate template

1. Duplicate the Workstation Authentication template, and select the Windows Server 2003
Enterprise option.
On the General tab, name the template as Configuration Manager Client Certificate.
On the Security tab, select the Domain Computers group, and add the Read and Autoenroll
permissions.
X Task 4: Create a Configuration Manager client distribution point certificate template

1. Duplicate the Workstation Authentication template, and select the Windows Server 2003
Enterprise option.
On the General tab, name the template as Configuration Manager Client Distribution Point
Certificate.
On the Request Handling tab, select Allow private key to be exported.
On the Security tab, remove the Enroll permission from the security groups: Domain Admins
and Enterprise Admins. Add the Configuration Manager IIS Servers group, and grant the
Configuration Manager IIS Servers group the Enroll permission.
Note This certificate template is based on Workstation Authentication template, the

same used by the Configuration Manager client certificate, but requires the private key to
be exportable, because you must import the certificate as a file, rather than select it from
the certificate store.
X Task 5: Create a Configuration Manager mobile device certificate template

1. Duplicate the Authenticated Session template, and select the Windows Server 2003 Enterprise
option.
On the General tab, name the template as Configuration Manager Mobile Device Certificate.
On the Subject Name tab, ensure the Build from this Active Directory information option is
selected, and in the Subject name format list, select Common name, and then clear the User
principal name (UPN) check box.
3. Close the Certificate Templates Console.
X Task 6: Enable the Configuration Manager certificate templates

1. In the navigation pane of the Certification Authority console, expand the ContosoCA node, and click
Certificates Templates.
2. Enable the following certificates:

Configuration Manager Client Certificate
Configuration Manager Client Distribution Point Certificate
Configuration Manager Mobile Device Certificate
Configuration Manager Web Server Certificate
3. Close the Certification Authority console.
Results: After this exercise, you should have created a group for the Configuration Manager servers and
created the templates for Configuration Manager certificates.
Exercise 2: Deploying Certificates for Configuration Manager

Scenario
You are going to deploy the certificates to the Configuration Manager systems by using the templates
you created. You will deploy the workstation certificates through a Group Policy Object (GPO) to take
advantage of autoenrollment. You will request the Web certificate and distribution point certificate for the
Configuration Manager Web---based services. Then you will configure the site system roles to use HTTPS.
1. Create an auto enrollment GPO.
2. Request a Configuration Manager IIS certificate on the site server.
3. Request a Configuration Manager client distribution point certificate.

4. Assign the Configuration Manager IIS certificate to Web services.
5. Configure HTTPS for Configuration Manager roles.
X Task 1: Create an autoenrollment GPO

1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. At the root of the domain, create a GPO named Enable Autoenrollment of Certificates.
3. Edit the Enable Autoenrollment of Certificates Group Policy.
4. Navigate to the Computer Configuration/Policies/Windows Settings/Security Settings

/Public Key Policies/Certificate Services Client --- Auto-enrollment object.
5. Configure the following values for the Certificate Services Client --- Auto-enrollment object:
In the Configuration Model list, select Enabled.
Select the Renew expired certificates, update pending certificates, and remove revoked
certificates check box.
Select the Update certificates that use certificate templates check box.
X Task 2: Request a Configuration Manager IIS certificate on the site server

1. On NYC-CFG, restart the server.
2. In the Shut Down Windows dialog box, under Option select Operating System: Reconfiguration
(Planned).
3. Wait for the virtual machine to restart and then logon as domain Administrator.
4. Start a Microsoft Management Console (MMC), and then add the Certificates snap-in for the Local
computer: (the computer this console is running on).
5. In the MMC window, expand Certificates (Local Computer), and then click Personal. Right-click
Personal and select the option Request New Certificate.
6. In the Certificate Enrollment Wizard, request a new certificate by using the following information:
On the Request Certificates page, select the Configuration Manager Web Server Certificate
check box, and then click More information is required to enroll for this certificate. Click
here to configure settings.
On the Subject tab, in the Alternative name area, in the Type list, select DNS, and in the Value
box, type NYC-CFG.Contoso.com, and then click Add.
On the General tab, in the Friendly name box, type Configuration Manager Web Services.
Complete the request, and wait until the certificate is installed, and then click Finish.
X Task 3: Request a Configuration Manager client distribution point certificate

1. In the Microsoft Management Console, right-click the Personal folder and select the option
Request New Certificate.
2. In the Certificate Enrollment Wizard, request a new certificate by using the following information:
On the Request Certificates page, select the Configuration Manager Client Distribution
Point Certificate check box and then click Enroll.
Complete the request, wait until the certificate is installed, and then click Finish.
3. In the Microsoft Management Console, expand Personal, and then select Certificates.
4. Select the certificate that has Configuration Manager Client Distribution Point Certificate on the
Certificate Template column, right click the certificate, and then select Export. The Certificate
Export Wizard opens.
5. In the Certificate Export Wizard page, use the following information to export the certificate:
On the Export Private Key page, select Yes, export the private key.
On the Export File Format page, ensure Personal Information Exchange --- PKCS #12 (.PFX)
option is selected.
On the Password page, type Pa$$w0rd in both Password and Type and confirm password
(mandatory) text boxes.
On the File to Export page, in the File name text box, type
C:\ConfigMgrClientDPCertificate.pfx.
Complete the export of the certificate.
6. Close the Microsoft Management Console.
X Task 4: Assign the Configuration Manager IIS certificate to Web services

1. On NYC-CFG, open Internet Information Services (IIS) Manager.
2. Expand NYC-CFG (CONTOSO\Administrator), expand Sites, right-click Default Web Site, and then
click Edit Bindings.
3. In the Site Bindings dialog box, edit the https entry, in the SSL certificate list, select the
Configuration Manager Web Services certificate, click OK, and then close all open windows.
X Task 5: Configure HTTPS for Configuration Manager roles

2. In the Administration workspace, expand Site Configuration, and then click Servers and Site
System Roles.
3. In the results pane select \\NYC-CFG.contoso.com, then, in the preview pane, access the Properties
for the Site system.
4. In Site system Properties:
Select Specify an FQDN for this site system for use on the Internet.
In the Internet FQDN text box, type NYC-CFG.contoso.com, and then close the dialog box.
5. In the preview pane, access the Properties for Distribution point.
6. In the Distribution point Properties dialog box:
On the General tab, select Import certificate, and then browse to select the
C:\ConfigMgrClientDPCertificate.pfx certificate file.
In the Password text box, type Pa$$w0rd.
Select HTTPS, and then under Requires computers to have a valid PKI client certificate, select
Allow intranet and Internet connections, and then close the dialog box.
8. In the Management point Properties dialog box:
On the General tab, click HTTPS, and then under This option requires client computers to
have a valid PKI client certificate for client authentication, select Allow intranet and
Internet connections.
Select the Allow mobile devices to use this management point check box, and then close the
dialog box.
Results: After this exercise, you should have issued the Configuration Manager certificates and configured
HTTPS communication for Configuration Manager roles.
X To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10748A-NYC-DC1-A, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10748A-NYC-CFG-A.

Modu
ule Reviiew and
d Takeaw
ways
Review
R Quesstions
1.. What site syystem roles ca
an you configu
ure during setu
up of a stand-aalone primary site?
2.. How can yo

ou download the
t prerequisittes when the ssite server is no
ot connected tto the Internett?
3.. What roles are involved in Internet-bassed client man

nagement?
Tools
Th
he tools in the
e following tab
ble are useful during
d the Con
nfiguration Maanager 2012 deployment pro
ocess.
Tool
T Use for Whe
ere to find it
Prerequisite Checker
C Validatinng the prerequ
uisites for the On the installation
n media
Configuration Manageer site server aand
roles insstallation
Setup Downlo
oader Downloa
ading the clien
nt prerequisitees On the installation
n media
Configuration
n Manager Tra
ace Viewing the logs in ann interactive m
mode, On the installation
n media
searchin
ng and filtering
g
3-1
Module 3
Planning and Configuring Role-Based Administration
Contents:
Lesson 1: Overview of Role-Based Administration 3-3
Lesson 2: Identifying IT Roles in Your Organization 3-15
Lesson 3: Configuring Role-Based Administration 3-25

Lab: Planning and Configuring Role-Based Administration 3-31
3-2 Planning annd Configuring Role--Based Administratioon
Module Overrview
Microsoft Systemm Center 2012 Configuration n Manager imp plements a mo odern security model based on
adm
ministrative roles. You can usse these roles to
t help define security perm ponding to your
missions corresp
anization-speccific roles and responsibilities.
orga
Thiss module prese ents role-based administration concepts aand how you can use securityy roles, securitty
scoppes, and collecctions to define access permissions for you
ur administratiive users.
Thiss module show ws you how to customize the

e security roless and scopes to
o match your specific
orgaanizational req
quirements.

Describe role-based administration conce

epts.
Describe the process of identifying a typical IT departm

ments job roles and identify their
responsibilitie
es and activitie
es.
Create new se
ecurity roles an
nd configure scopes
s in Conffiguration Man
nager 2012.
Lesson
n1
Overv
view of Role-Based Ad
dministration
Different organizations IT departments havve various rolee and responsib bility structure
es. For this reasson, it is
diifficult to creatte a security model
m that wou
uld work for th
he majority of organizations.
In
nstead of impoosing a rigid seecurity model, Configuration n Manager 201 12 provides a fflexible securitty
framework base ed on roles, sco opes, and colleections, which can be custommized for orgaanizations nee eds.
Th uilt-in security roles that include permissio ns for executin
here are 14 bu ng typical taskks; however, yo
ou can
crreate custom security
s roles and
a limit the sccope of securitty role assignm
ments to tailorr how administtrative
peermissions are
e assigned with hin your Config guration Manaager 2012 imp plementation.
In
n this lesson, yo
ou will examin
ne security models and built--in security rolles.
After completin
ng this lesson, you
y will be able to:
ole-based administration.
Explain the benefits of ro
Describe th
he functionalityy of security ro
oles.
Describe Co
onfiguration Managers
M builtt-in roles.
Describe se
ecurity scopes.
Describe co
ollections.
Describe planning role-based administration.
Benefits of Role-Based
R d Administtration
The primary objecctive of role-ba

ased administration is to sim
mplify the man
nagement of administrative
perm
missions acrosss multiple loca
ations, comple
ex hierarchies, and multiple aadministrative
e teams.
Sites in Configuration Manager 2012 are not security bound daries as they were in previo
ous versions.
Because administrative scopes area not limited
d by site, you ccan assign permmissions to ad
dministrative users
to manage
m objectts across the hierarchy.
Youu can easily implement securrity manageme ent concepts s uch as Segrega ation of Dutiess, which is inte
ended
to prevent
p a single person from
m executing a critical
c processs from beginni ng to end. Forr example, the e
persson who has th n Author role iss allowed to crreate the application and a d
he Application different perso on
whoo has the Application Deployyment Manage er role is allow
wed to perform
m the actual de eployment.
Connfiguration Maanager 2012 in ncludes built-in of predefined permissions an

n security roless that consist o nd
secu
urity scopes th
hat consist of securable objeccts. Administraative users assoociated with a security role ccan
use the assigned permissions
p to
o perform standard administtrative tasks. A Additionally, yo
ou can create
custtom roles to ad
ddress your orrganizations security model requirementss.
Admministrative use
ers do not obttain permissionns directly butt through theirr assigned secu urity roles and the
secu
urity scopes th
he user is assigned to. The prrocess of auditting administraative actions iss simplified be
ecause
you can track permissions throu ugh roles and scopes
s insteadd of tracking p
permissions thrrough each
individual user.
In th
he Configuratiion Manager console,
c adminnistrative userss can see only the objects they have
permmissions to ma
anage, thus reducing the risk
k of unauthoriized use.
Question: What is the prim

mary objective of role-based administration
n?
Security Ro
oles
A security role defines

d the acttions that an administrative user can perfo orm. The role cconsists of indiividual
pe
ermissions for each object tyype that an ad dministrative u ser is allowed to manage.
Fo
or example, the Application Administratorr role has a cum mulative set off permissions tthat define its security
ro
ole. This role co
onsists of a sett of individual permissions to
o manage a vaariety of objeccts, including thhe
fo
ollowing permissions for app plication objects:
Approve
Create
Delete
Modify
Modify Fold
der
Move Object
Read
port
Modify Rep
Set Securityy Scope
ou can use sco
Yo opes and collecctions to limit administrativee users access to individual object instancces
ecause the roles themselves do not specifyy user permisssions for individual objects.
be
M includ
des 14 built-in ons for executing typical tasks on
n roles that incclude permissio
diifferent types of
o objects.
ou cannot modify or delete the built-in ro

Yo om roles to match special
oles, but you caan create custo
ad
dministrative requirements.
r
Question: What
W are security roles?
Built-in Role
es
Con
nfiguration Ma anager include
es the 14 built--in security rolees listed in thee following tab
ble. Each role g
gives
speccific permissions to an administrative user to perform acctions on certaain types of ob bjects.
Ro
ole Pe
ermissions
Application Thhe Application Administratorr role grants p ermissions to perform both the
Administrator Application Dep ployment Man nager role and the Applicatio on Author role e.
Ad dministrative users
u associateed with this ro le also can maanage queries, view
sitte settings, ma
anage collectio er device affiniity.
ons, and edit ssettings for use
Application Autthor Th
he Application Author role g rants permissions to create, modify, and rretire
ap
pplications. Ad
dministrative u
users associate d with this role also can man
nage
ap
pplications and
d packages.
Application Dep
ployment Th
he Application Deployment M Manager role g grants permisssions to deployy
Manager
M ap
pplications. Ad
dministrative u
users associate d with this role can:
View the lisst of applicatio
ons.
Manage de eployments forr applications, alerts, templates packages, and
programs.
View collections and thei r members.
View statuss messages, qu

ueries, and con
nditional delive
ery rules.
(continued)
Role Permissions
Asset Manager The Asset Manager role grants permissions to manage the Asset Intelligence
Synchronization Point, Asset Intelligence reporting classes, software
inventory, hardware inventory, and metering rules.
Compliance Settings The Compliance Settings Manager role grants permissions to define and
Manager monitor Compliance Settings. Administrative users associated with this role
can create, modify, and delete configuration items and baselines. They also
can deploy configuration baselines to collections, initiate compliance
evaluation, and initiate remediation for non-compliant computers.
Endpoint Protection The Endpoint Protection Manager role grants permissions to define and
Manager monitor security policies. Administrative Users associated with this role can
create, modify and delete Endpoint Protection policies. They also can deploy
Endpoint Protection policies to collections, create and modify Alerts, and
monitor Endpoint Protection status.
Full Administrator The Full Administrator role grants all permissions in Configuration Manager
2012. The administrative user who creates a new Configuration Manager
installation is associated with this security role, all scopes, and all collections.
You must always have at least one Full Administrator. For this reason,
Configuration Manager 2012 does not allow you to delete the last Full
Administrator account.
Infrastructure The Infrastructure Administrator role grants permissions to create, delete,

Administrator and modify the Configuration Manager server infrastructure and perform
migration tasks.
Operating System The Operating System Deployment Manager role grants permissions to
Deployment Manager create operating system images and deploy them to computers.
Administrative users associated with this role can manage operating system
installation packages and images, task sequences, drivers, boot images, and
state migration settings.
Operations The Operations Administrator role grants permissions for all actions in
Administrator Configuration Manager except for the permissions required to manage
security, which includes managing administrative users, security roles, and
security scopes.
Read-only Analyst The Read-only Analyst role grants permissions to view all Configuration
Manager objects.
Remote Tools Operator The Remote Tools Operator role grants permissions to run and audit the
remote administration tools that help users resolve computer issues.
Administrative users associated with this role can run Remote Control,
Remote Assistance, and Remote Desktop from the Configuration Manager
console. In addition, they can run the Out Of Band Management console
and configure AMT power control options.
3-8 Planning and Configuring Role-Based Administration
(continued)
Role Permissions
Security Administrator The Security Administrator role grants permissions to add and remove
administrative users and to associate administrative users with security roles,
collections, and security scopes. In addition, administrative users associated
with this role can create, modify, and delete security roles and their assigned
security scopes and collections.
Software Update The Software Update Manager role grants permissions to define and deploy
Manager software updates. Administrative users associated with this role can manage
software update groups, deployments, and deployment templates. They also
can enable software updates for Network Access Protection (NAP).
Security Scopes
A security scopee is a named se

et of securable
e objects. Wheen a user or grooup is assigned a new security role,
th
hey must also be
b assigned a security scope e, which limits the instances of objects that can be manaaged by
th
hat user or gro
oup. A security scope can con more securablee objects and ccan contain securable
ntain one or m
ob
bjects of any type. For exam
mple, a securityy scope could ccontain an appplication, a que
ery, and a custtom
client agent settting.
A security scope
e does not pro ovide permissioons to the objeects that it con
ntains; it only g
groups the obbjects
to
ogether. Adminnistrative userss will receive permissions
p to the objects froom the associaated security rroles
when
w the securiity scope is asssigned to themm. The securityy scopes are ussed to limit thee instances of objects
on
n which the addministrative user
u he security roles.
can perforrm the actionss specified in th
To
o avoid circula
ar references, security
s scopess cannot be neested. In otherr words, a secu
urity scope can
nnot
co
ontain anotherr security scop
pe, just individu
ual objects. Ho
owever, you caan associate ann object with m
multiple
se
ecurity scopes.
M 2012 includes the following
f builtt-in security sc opes: All and D
Default.
All is a builtt-in security sccope that conttains all securaable objects. A Configuration
n Manager
administrattor associated with the All se ecurity scope w permissions of their role, or roles, for
will have the p
every objecct in the Config guration Mana ager environm ment. This security scope cannot be change ed or
deleted.
Default is a built-in security scope to which

w new objeects are autommatically assignned. All securab
ble
objects havve to be associated with a security scope; ttherefore, the securable obje ects created du
uring
the installattion of a site are
a assigned too the Default s ecurity scope, including site
e objects and ddefault
queries. This security scop pe cannot be deleted.
d
For example, you can create two security scopes:
Desktop applications. This scope contains applications that can be installed on desktop computers.
Server applications. This scope contains applications that can be installed on servers.
Using these scopes, you can limit administrative access for desktop applications only to desktop
administrators and limit access for server applications only for server administrators, thus preventing the
installation of applications on wrong systems.
There are a few objects that cannot be assigned in any scopes and have their security defined by the
various roles.
Modifiable security scope Included with a site scope Only affected by roles
Applications Default client settings Active Directory forests

Boot images Devices Administrative users
Boundary groups Discovery Methods Boundaries
Custom client settings Exchange Server connectors Security roles
Distribution points Site addresses Security scopes
Distribution point groups Site system roles
Packages Users
Queries
Sites
Software update groups
Note Computer and user objects are not assigned to scopes. Collections are used to limit
administrative permissions to sets of computer or user objects. However, collection objects
can be assigned to scopes.
Question: What is the purpose of the All security scope?

Collections
C s
Se
ecurity for user and compute
er objects is im
mplemented seeparately from m other securab ble objects in
M 2012 by using colleections. Adminnistrative userss must have co ollections assigned to
th
hem to be ablee to manage th
he user or devvice objects inccluded in thosee collections.
Thhe level of management tha

at administrativve users can peerform is limitted by the secu
urity roles thatt are
asssigned to them.
Membership
M in each collectio
on is determine
ed by the colleection rules. Th
here are four ccollection rule types:
Direct. Mem
mbers are speccified directly.
Query. Memmbers are deteermined by run

nning a query against the Configuration M
Manager datab
base.
The query is
i evaluated att each site.
Include. Me
embers are dettermined by sp
pecifying mem
mbers of other collections to include.
Exclude. Me
embers are determined by specifying mem
mbers of otherr collections to
o exclude.
If an administra
ative user is asssigned to eithe
er of the followwing built-in reead-only root collections, th
hey have
addministrative rights
r to all use
ers and devicees in the hierarrchy:
All Systems. This collectio

on contains all devices discovvered in a Con
nfiguration Maanager hierarch
hy.
All Users an
nd User Groupss. This collectio
on contains al l discovered users and user groups.
Fo
or example, co
onsider the folllowing scenariio:
The All Use on has 1,000 u sers.

ers and User Grroups collectio
The All Systtems collection

n has 1,000 co
omputers.
The Toronto Users collecttion contains only
o 20 users.
The Toronto Systems colllection contain

ns only 20 systtems.
You assign only the Toronto-based collections to a user. When the user opens the Configuration Manager
console, the following are visible:
The 20 users from the Toronto Users collection
The 20 systems from the Toronto Systems collection
The Toronto-based collections assigned to the user

Assuming that the user is assigned a security role that allows creating collections, the user can create new
collections where the limiting collection is one of the Toronto-based collections. The members of the new
collections, therefore, would represent a subset of one of the Toronto-based collections to which the user
has been assigned a security role.
Planning
P Role-Based Administrration
Configuring role-based admin nistration requ

uires careful co
onsideration. WWhen you plan n to add an
ad
dministrative user,
u you mustt consider the security roles, security scopees, and collections.
When
W planning security configuration, conssider the follow
wing factors:
Security roles control wha

at an administtrative user is aallowed to do.
Security sco
opes control th
he Configuration Manager o
objects the adm
ministrative usser is allowed tto
administer.
Collections control the ussers and device
es that an adm
ministrative useer is allowed to
o manage.
An Adminisstrative user must

m be assigne
ed to at least o
one security sccope or collecttion.
Each admin ed to separate security scopees and collections.

nistrative user can be mappe
Question: How would yo

ou plan securitty roles, securitty scopes, and collections fo
or the
following sccenario?
Scenario: Yo
ou are managing a remote location
l with l ocal administrrative users wh
ho:
Need to
t be able to deploy
d applicattions, create co
ollections for ttheir users and
d devices, and run
queriess and reports about
a their use
ers.
Should
d not be able to manage softtware updatess for their locattion.
Need to
t be limited to
o managing users and devicces in their locaation.
Disscussion: Planning
P Role-Based
R d Administtration
Con
nsider the follo
owing scenario
o: You are the administrator
a for Contoso Lttd. You need tto plan for
adm
ministrative permissions for application
a adm
ministrators baased in New Y
York and Toron nto.
New
w York application administrrators should be
b able to:
Configure only applicationss used in New York.
ktop computers and users baased in New Y

Deploy appliccations to desk York.
Toro
onto applicatio
on administrattors should be
e able to:
ktop computers and users baased in Torontto.

Deploy appliccations to desk
You
u need to plan for security ro
oles, security sccopes, and col lections. Assum
me that corressponding security
groups in AD DS are
a already cre eated.
Acttivity: Descrribe Roles, Security

S Sco
opes, and Co
ollections
Use the following table to descrribe the roles used,
u security scopes, and co
ollections you need to create
e.
Se
ecurity group Securitty role Security scop
pe(s) C
Collections
New
N York Admins
To
oronto Admins
Lesson
n2
Identifying IT Roles in Your Organ
nization
n
Organizations
O can
c have a variiety of IT depa artment structu
ures with diverrse sets of role
es and responssibilities.
Ro
ole-based admministration is designed
d to acccommodate vvarious securitty models used d by organizattions.
Thhis lesson exam bilities in an IT department and

mines the proccess of identifyying the roles aand responsib
exxplores the pro hing them to the security rolles included in
ocess of match n Configuration Manager.
After completin
ng this lesson, you
y will be able to:
Describe a typical IT depa
artments struccture.
Identify IT roles
r and respo
onsibilities.
ministrative scopes.
Identify adm
Identify the
e need for custtom collection
ns.
n roles in Configuration Man

Match to exxisting built-in nager.
Identify the
e need for add
ditional roles.
Discuss identifying roles, activities, and scopes.
Ide
entifying an
a IT Depa
artments Structure
S
The first step in de

esigning the security model for your Conffiguration Man nager implemeentation is to
iden
ntify the speciffic job roles an
nd responsibilitties in your org
ganizations ITT department aand how the
deppartments job roles are strucctured.
For example, IT ro
oles might include (but are not
n limited to) the following::
ges the IT operations activitiies

An IT Manageer, who manag
Application Administrators, who create ap

pplication packkages, perform m and monitorr the applicatio
on
deployments,, and configure the distributtion of contentt on the infrasstructure
Server Administrators, who manage the server infrastru

ucture of a Con
nfiguration Maanager site
Desktop Admministrators and

d Server Admin
nistrators, who
o administer th
he desktops, de
eploy software
e
updates, and deploy operatting systems
Helpdesk Perssonnel, who prrovide supportt to users
Security and Audit

A Personneel, who administer security aand perform a udits such as ssoftware updatte
compliance audits
Asset Manageement personn

nel, who perform asset inven
ntory for hardw
ware and softw
ware
Note The roles in the listt above are on

nly examples. TThe actual rolees used in your
organization
n may vary.
Question: Who is responsib

ble for perform
ming the softw
ware updates o
on desktops?
Id
dentifying Job Roless and Resp
ponsibilitiees
Th
he primary question you sho ould answer when you are d etermining the roles and ressponsibilities in your
orrganization is: What tasks do
d you want yoour administraative users to p
perform?
After identifying
g the job roless in your IT org
ganization, you
u need to deteermine how th he built-in roles in
M map to the specificc tasks performmed by each jo ob role in yourr organization. These
ta
asks might relaate to one or more
m groups of
o managemen nt activities, inccluding the folllowing:
Deploying applications and packages

Deploying operating systtems
Deploying settings for co

ompliance
Configuring
g sites and seccurity
Auditing
Remotely controlling com

mputers
Analyzing the
t inventory data
d and creatting reports
When
W designing
g your model of security role
es you must:
Determine whether the Configuration

C Manager
M w you to perforrm actions on specific
builtt-in roles allow
types of ob
bjects required by each job ro
ole.
Determine whether your organization has
h any regulaatory or policyy requirementss.
Discover an
ny internal pro
ocesses that miight affect actiions that each role needs. To
o do this, you can
adapt the security
s model to comply witth your processses or use thee Configuration Manager
implementa ation as an op
pportunity to re
e-engineer an d rationalize yyour internal p
processes.
Question: What
W is the ne
ext step after id
dentifying the roles in your o
organization?
Ide
entifying Administra
A ative Scope
es
The primary questtion you should answer whe en determining

g the need to ccreate scopes is: How do yo
ou
wan
nt to limit acce
ess to object in
nstances?
You ne whether to use security sccopes by exam

u can determin mining:
The size of th
he organization
n.
How resource
es are manage
ed.
o administrative teams.
The number of
Som
me small-to-me edium organizzations may de pes. Administraative users then
ecide not to crreate any scop
have access to all objects, dependent only on the permissio ons included in
n the associate
ed roles. This iss
morre important inn single primary site implem
mentation scen arios than in m
multiple-site hierarchies.
Typically, enterpriise organizatio

ons that decide
e to implemen nt a complex h
hierarchy are th
he most intere
ested
in defining
d securitty scopes to lim
mit administra
ative access.
To determine
d whe
ether you need
d to use securiity scopes in y our organizatiion, first determine whether you
need to:
Make some objects

o available to select administrative ussers.
Manage some objects indivvidually but ma

anage other o
objects in grou
ups.
Implement ap
pproval or dep
ployment proccesses used by your organizaation.
Specify which
h administrativve users will ma
anage individu
ual instances o
of objects.
Question: What methods can

c you use to
o determine wh
hether you neeed to create cu
ustom
scopes?
Id
dentifying the Need
d for Custo
om Collecttions
Yo
ou can use cusstom collection
ns to limit adm
ministrative acccess to specificc instances of user and devicce
ob
bjects. When you
y determine e which custom m collections to
o create, consiider which use er and computter
re
esources each administrative
e user should manage.
m
When
W determin ning the custom y need to crreate to limit aadministrative scope, you can
m collections you
id
dentify existing
g segmentationn criteria for your organizatiions users and
d devices, inclu
uding the follo
owing:
Your corpo
orations intern
nal structure su
uch as departm
ments
Users and devices
d in the same
s geograp
phic area as yo
our organizatio
on
Servers verssus desktops
Unique cha
aracteristics of managed devvices or users
Groups with special securrity requirements
Business prrocesses that re

equire differen
nt resource co llections
If different adm
ministrative users need to manage users an d devices in eaach of these se
egments, then
n you
sh
hould create cuustom collections.
Note Co ollections are discussed

d in moore detail in M
Module 2: Disccovering and O
Organizing
Resources in course 107
747A: Adminisstering System Center 2012 C Configuration M
Manager.
Question: How can you determine

d whe
ether you need
d to create custom collectio
ons?
Ma
apping to Existing Built-in Rolles in Conffiguration Manager
To better
b adapt thhe Configuration Manager security model to your organ nization, comp pare the job ro
oles
and responsibilitie anization with the built-in Co
es in your orga onfiguration MManager securrity roles and tthen
t match the IT functions with the Configu
try to uration Manag ger security rolles as closely aas possible.
Youu can analyze tasks

t performe
ed by each adm ntify the corresponding secu
ministrative us er to help iden urity
role
e in Configurattion Manager.
If so
ome administra ative users perrform tasks thaat are defined in multiple seecurity roles in Configuration n
Man nager, you shoould directly asssign these mu ultiple securityy roles to thesee administrativve users, ratherr than
creaate a new secuurity role that combines
c all th
he tasks. When n you create a new security role that comb bines
all the tasks, you run
r the risk of giving some administrative
a users addition nal permissions to perform ttasks
thatt they should not
n have.
ng tasks that arre all included in the same b

If diifferent administrative users are performin built-in
Con nfiguration Maanager role, then you may co onsider doing one of the following actionss:
Segregating the
t tasks by crreating separatte custom secu
urity roles.
Using one bu
uilt-in role for users
u and limitt users access to objects by using scopes o
or collections.
For example, one administrrative user in your

y organizat ion performs aapplication deeployments on
desktops andd another administrative userr performs appplication deplo
oyments on se ervers. You can
n
assign the Ap
pplication Deployment Mana ager role to bo
oth users and tthen limit their access to objjects
by:
Placing different
d o which you givve the adminisstrative users p
objectts in scopes to permission.
Using collections to lim

mit their accesss to desktops aand servers, reespectively.
For example, you might try to map the typical IT department to the build in security roles in Configuration
Manager, as described in the following table.
IT role Possible Configuration Manager security role mappings
IT Manager Full Administrator None
Application Administrators Application Administrator None
Server Administrators Infrastructure Administrator Operations Administrator
Desktop Administrators OS Deployment Manager Software Update Manager
Helpdesk Endpoint Protection Manager Remote Tools Operator
Security and Audit Security Administrator Compliance Settings Manager
Asset Management Asset Manager Read-only Analyst
Note In some organizations, tasks performed by the Endpoint Protection Manager role
might be performed by a Desktop Administrator, while in other organizations, they might
be performed by a Security Administrator.
Question: Which job role in your organization is performing the tasks specified by the
Endpoint Protection Manager role?
Ide
entifying the
t Need for
f Additio
onal Roles
In most
m cases, orgganizations security role nee
eds are satisfieed by the built--in security roles included in
n
Connfiguration Ma anager. You might need to create new sec urity roles wheen the tasks pe erformed by thhe
role
es you identifie
ed in your orgaanization do not
n map to thee actions includ ded in the built-in security roles.
Youu do not need to create new security roles if you need on nly to limit acccess for some administrative
e users
to specific resourcces. Instead, yo
ou can create custom
c scopess and custom collections to satisfy that neeed.
Testt any new secuurity role by ru

unning the connsole as the neew administrattive user that iss assigned to tthat
role
e to verify that the user has access
a to the appropriate obbjects and corrresponding permissions.
h administrativve user in Configuration Manager is assoc iated with onee or more of th

Each he following:
Security roless that provide permissions to

o perform speccific tasks on vvarious types o
of objects
Security scopes that might limit administrative access t o specific objeect instances
User or device collections that might limiit administrativve access to sp

pecific user or device resourcces
Note Whe en an administrative user is assigned

a to mu ultiple securityy scopes, the
administrativve user is gran
nted access to all object instaances from eacch assigned sccope. That
administrativve user can peerform all actio
ons permitted by their assoc iated roles to all the
object instan
nces associated d with the assiigned scopes. In other words, scopes are ccumulative.
Discussion:
D Planning for Custom Roles, SScopes, and
d Collectio
ons
Consider the following scenarrio: You are the administrato or for Contoso
o Ltd. You need
d to plan for custom
ro nd collections for the administrative users based in New
oles, scopes, an w York and Toronto.
Th
he administrattive users base
ed in New York
k must be ablee to:
w York users, deesktops, and sservers.

Create and deploy appliccations to New
Manage software update

es on servers an
nd desktops in
n both location
ns.
Manage an
nti-malware protection on se
ervers and deskktops in all loccations.
Manage co
ontent on the distribution
d po
oints in all locaations.
Th
he administrattive users base
ed in Toronto must
m be able tto:
Create and deploy appliccations to New

w York users an
nd desktops.
Manage co
d po
oints in Torontto.
Activity: Create Custom Roles, Scopes, and Collections

Fill in the following table with the names of and details (such as permissions) for the custom roles, scopes,
and collections you need to create to fulfill the previously-listed criteria. Assume that the corresponding
security groups in AD DS are already created.
Names of new role(s), scope(s), and

collection(s) Details
Custom role(s):
Custom scope(s):
Custom collection(s):
Activity: Describe the Proposed Configuration

Fill in the following table with descriptions of your proposed configuration for roles, security scopes, and
collections.
Security group Security roles Security scopes Collections
New York Admins
Toronto Admins
Review Questions
Question: When would you need to create custom roles?
Question: When would you need to create custom scopes in a Configuration Manager implementation?
Question: When would you need to create custom collections in a Configuration Manager
implementation?
Lesson
n3
Configuring Role-Based Ad
dministration
After determining the securityy roles used in

n your organizaation, the nextt step in securing your
M 2012 environment is to impleme nt those roles in Configuratiion Manager.
Depending on your
y requirements, you mayy need to creatte custom secu urity roles and scopes.
Th
his lesson exam
mines the proccess used to crreate custom ssecurity roles aand scopes. Ad
dditionally, thiss lesson
co
overs how to associate
a administrative userrs with roles, sccopes, and col lections.
After completin
ng this lesson, you
y will be able to:
Describe th
he process for creating
c om security rol es.
custo
Describe th
he process for creating
c custo
om security sco
opes.
Describe th
he process for adding
a administrative users to the securityy roles.
Cre
eating Cusstom Security Roles
To create
c a customm security rolee in System Ceenter 2012 Connfiguration Maanager, you must make a co opy of
an existing
e role th
hat is the close
est match to yo
our desired sett of actions an
nd then modifyy the copy to m
meet
your specific requuirements.
To create
c a custom
m security role
e, perform the following step
ps:
1. Select an exissting role and click

c Copy on the ribbon.
2. ame and descrription for the new security role.

Specify the na
3. You can specify individual permissions
p in the Customizze the permisssions for thiss copy of the
security role
e area by expannding each obbject type and then clicking Y
Yes or No nexxt to each indivvidual
permission.
Because security roles
r al data, any custom security roles you creaate will be replicated to all th
are globa he
sitess in your Configuration Mannager hierarchyy.
You
u can export yoour custom seccurity role connfigurations byy clicking the E
Export Securitty Role button
n on
the ribbon. The ro a an XML file tthat you can import into another Configuration
ole definition is then saved as
Mannager 2012 ennvironment or use to restore permissions aafter a site reco overy.
Question: Ho
ow can you cre
eate a custom security role?
Creating
C Cu
ustom Seccurity Scop
pes
Too limit access for

f administrattive users to sp
pecific instancees of object, yyou need to cre
eate a custom security
sccope, and thenn you can asso
ociate objects with
w the new sscope.
Create
C a Custom Securitty Scope
To
o create a custtom security sccope in Config
guration Manaager 2012, perfform the follow
wing steps:
1.. In the Conffiguration Man

nager console, select the Ad ministration workspace.
2.. gation pane, expand the Seccurity node, a nd then click tthe Security R
In the navig Roles node.
3.. y Scope button on the ribbo

Click the Crreate Security on.
4.. Type a nam

me and a descrription, and the
en click OK.
Associate
A Ob
bjects with the
t Scope
After you create
e the custom security
s scope, you can assocciate objects w
with the scope by selecting tthe
ob
bjects and pre
essing the Set Security
S Scop
pe button on t he ribbon.
ecause objectss can be associated with multiple security scopes, admin

Be nistrative userss may obtain
pe
ermissions to manage
m speciffic objects whe
en they are asssigned multiplle security scoppes. The effecttive
pe
ermissions the
ey have on the objects depen nd on their asssociated securrity roles.
Question: How can you associate

a an object with a seecurity scope?
Ad
dding Adm
ministrative
e Users
The last step in co

onfiguring role
e-based admin nistration is to associate adm
ministrative use
ers and groupss to
the Configuration n Manager security roles, sco
opes, and colleections.
To add
a an administrative user or
o group:
1. In the Configuration Manag elect the Adm inistration wo

ger console, se orkspace.
2. In the navigattion pane, exp

pand the Securrity node, and
d then click Ad
dministrative Users.
3. On the ribbon
n, click the Ad
dd User or Gro
oup button.
4. Next to the User
U he Browse bu tton to select the user or group from the
or group name, click th
Active Directo
ory Domain Seervices (AD DS).
5. To associate one
o or more Configuration
C Manager
M roless with the adm
ministrative use
er or group, un
nder
Assigned seccurity roles, click the Add button.
b
6. In the Assign
ned security scopes and co
ollections areaa, select one off the following
g options:
All instances of the objects that arre related to tthe assigned security roless. This option
associate
es the administtrative user witth:
The All
A security sco
ope.
The root-level built-in collection

ns for All System
ms, and All Ussers and User G
Groups.
Choosing g the All instances of the objects
o that arre related to tthe assigned security roless
option de efines access to
t objects onlyy by the securitty roles assign
ned to the userr. This approacch
should be used sparing gly because users can then m manage all objjects. You can use the princip ple of
least privvilege by limiting users access to objects w
with security sccopes and/or ccollections.
Only the instances of objects that are assigned to the specified security scopes or
collections. You can use this option to associate individual scopes and collections with the
administrative user or group.
A good working procedure is to use groups when you need to assign the same security roles, scopes, and
collections to multiple administrative users rather than individually adding each administrative user to a
role.
All objects in Configuration Manager are associated by default with the All built-in security scope.
Administrative users that are associated with this scope are able to manage all objects in Configuration
Manager, limited only by the permissions assigned to the associated security roles.
You can limit administrative users access to specific instances of objects by removing the All scope and
adding more specific scopes.
Similarly, if you want to limit administrative users access to specific user and group resources, you must
remove the All Systems and All Users and User Groups collections from the list and add more restrictive
collections.
Question: How do administrative users obtain permissions to individual instances of objects
in Configuration Manager?
De
emonstration: Creating New Roles and SScopes
In th
s how to cre
eate a custom security role aand a custom ssecurity scope..
Dem
monstration
n Steps
Create a new cusstom security
y role
1. In the Configuration Manag
ger console, in
n the Administtration worksspace, under th
he Security no
ode,
select Securitty Roles.
2. Select an exissting security role,

r such as th
he Application n Administrattor, to use as tthe source for the
new security role, and then on the ribbon n, click Copy.
3. In the Copy Security

S Role dialog box, pe
erform the folllowing configu
urations:
In the Na
ame box, type
e a name for th
he new custom
m security role..
Under Peermissions, exxpand each no ode to display tthe existing peermission settiings, click the drop-
down listt next to the se
etting, and the
en select eithe r Yes or No.
4. To save the new

n security ro
ole, click OK.
Create a new cusstom security
y scope

ger console, in
n the Administtration worksspace, under th
he Security no
ode,
select Securitty Scopes.
2. On the ribbon
n, click Create
e Security Sco
ope.
3. In the Create
e Security Scope dialog boxx, type a name for the new seecurity scope.
4. To save the new

n security scope, click OK.
Lab: Planning
P g and Configu
C ring Ro
ole-Base
ed Adm
ministrattion
Lab Setup
Fo
or this lab, you
u will use the available
a virtua
al machine envvironment. Beffore you begin
n the lab, you must
co
omplete the fo ollowing steps::
1.. On the host computer, click Start, poin

nt to Administtrative Tools, and then clickk Hyper-V Ma
anager.
2.. In Hyper-V Manager, cliick 10748A-NYC-DC1-B, an

nd then in the Actions pane, click Start.
3.. In the Actio

ons pane, click
k Connect. Wait until the virttual machine sstarts.
4.. Log on usin

ng the followin
ng credentials:
User na
ame: Adminisstrator
Passwo
ord: Pa$$w0rd
d
Domain: Contoso
5.. Repeat step

ps 2 through 4 for 10748A-N
NYC-CFG-B.
Scenario
Yoou are the network administtrator for Conttoso, Ltd. Conttoso wants to deploy System m Center 2012
M Theyy need to evalu
uate the functiionality firs, so
o they decide tto perform a P
Proof-of-
Concept in the lab environme ent. The Proof--of-Concept d deployment is limited to a staand-alone prim mary
sitte. You need to
t evaluate the
e role-based addministration features by peerforming the following taskks:
1.. t built-in seccurity roles and scopes.

Reviewing the
2.. Creating a custom securitty role, a custo

om security sco
ope, and a cusstom collection
n and associatte them
to a new ad
dministrative user.
u
3.. Testing the
e effective perm
missions as the
e new administtrative user.
Exercise 1: Reviewing Built-in Security Roles and Scopes

Scenario
As the network administrator for Contoso, Ltd, you have completed the Proof-of-Concept deployment in
your lab environment. Now, you must evaluate the role-based administration features by reviewing the
built-in security roles and scopes.
The tasks for this exercise are:
1. Review the default security roles and scopes.
2. Review the default permissions for a security role.
X Task 1: Review the default security roles and scopes

2. In the Configuration Manager console, in the Administration workspace, expand the Security node,
and then select the Security Roles node.
3. Review the list of roles available in the results pane. Note that there are 14 built-in roles.
4. Under the Security Scopes node, review the list of scopes available in the results pane. Note there
are two built-in scopes: All and Default.
5. Under the Administrative Users node, select CONTOSO\Administrator and review the information
presented in the preview pane. By default, the user who performed the Configuration Manager setup
is assigned the Full Administrator role, the All security scope, and the All Systems and All Users
and User Groups collections.
X Task 2: Review the default permissions for a security role

1. In the Configuration Manager console, under the Security Roles node, access the Properties for the
Application Administrator role.
2. In the Application Administrator Properties dialog box:
On the General tab, examine the role description.

On Administrative Users tab, note there are no users associated with this role. In addition, note
that you cannot add users from this property window.
On the Permissions tab, examine the permissions associated with this role. Expand each category
and review the individual permissions. Note that you cannot modify the permissions for built-in
roles.
3. Close the Application Administrator Properties dialog box.
Results: By the end of this exercise, you should have reviewed the built-in roles, including their associated
permissions, and the built-in security scopes.
Exercise 2: Creating Custom Security Roles and Scopes

Scenario
You have reviewed the built-in security roles and have decided that you need to create custom security
roles, security scopes, and custom collections. You need to test the functionality in the lab.
1. Create a new user and group for application administrators, and add the user to the group.
2. Create a custom scope for the New York application administrators.

3. Create a custom collection.
4. Create a custom security role for application administrators.
5. Add the new group of administrative users, and assign a custom role and a custom scope.
X Task 1: Create a new user and group for application administrators and add the user
to the group
1. On NYC-DC1, start the Active Directory Users and Computers console.
2. In the Active Directory Users and Computers console, create a new user in the Users container, with
the following attributes:
First name and User logon name: NewYorkAdmin
Password and Confirm password: Pa$$w0rd
Clear the User must change password at next logon box.
3. In the Active Directory Users and Computers console, create a new group in the Users container,
named New York Application Admins.
4. Access the properties of the New York Application Admins group, and add the NewYorkAdmin
user account as a member.
X Task 2: Create a custom scope for the New York application administrators
1. On NYC-CFG, in the Configuration Manager console, in the Administration workspace, expand the
Security node, and then select Security Scopes node.
2. On the ribbon, click Create Security Scope, and then create a security scope named New York.
3. Under the Distribution Points node, select \\NYC-CFG.Contoso.com, and then on the ribbon, click
Set Security Scopes.
4. Assign the New York security scope to the distribution point.
Note Do not remove the Default scope from the distribution point.
X Task 3: Create a custom collection

1. In the Configuration Manager console, in the Assets and Compliance workspace, select the Device
Collections node.
2. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts. Create a
device collection with the following attributes:
Name: New York Servers
Limiting collection: All Systems
Create a Direct Rule and search for System Resources with the name like NYC%.
Select NYC-CFG as a direct member.
X Task 4: Create a custom security role for application administrators

1. In the Configuration Manager console, in the Administration workspace, expand the Security node,
and then select the Security Roles node.
2. Select Application Administrator, and then on the ribbon, click Copy.
3. In the Copy Security Role dialog box, use the following settings to create a new role:
Name: Application and Update Administrator
In the Permissions box, configure the following permissions by expanding each permission
group and selecting Yes next to each individual permission:
All permissions under Software Update Group

All permissions under Software Update Package
All permissions under Software Updates
X Task 5: Add a new group of administrative users, and assign a custom role and a
custom scope
1. In the Configuration Manager console, under the Security node, select the Administrative Users
node.
2. On the ribbon, click Add User or Group. Use the following information to configure the new
administrative group:
Click Browse to select the New York Application Admins group.
Assign the Application and Update Administrator security role.
Verify that the Only the instances of objects that are assigned to the specified scopes or
collections option is selected.
Remove the existing collections and security scope.
Add the New York security scope.

Add the New York Servers collection by selecting Device Collections in the Select Collections
dialog box.
3. In the Configuration Manager console, select the Contoso\New York Application Admins, and then
review the information from the preview pane.
4. Close the Configuration Manager console.
Note The users added to the New York Application Admins group will have access to only
the Configuration Manager objects associated with the New York scope and resources in
the New York Servers collection.
Results: By the end of this exercise, you should have created a custom security scope, a custom collection,
and a custom security role.
Exercise 3: Testing the Permissions of the New Role

Scenario
You have created a custom security role, a security scope, and a custom collection, and you have assigned
them to an administrative user. You need to test the assigned permissions by logging in with the
administrative user.
1. Start the Configuration Manager console by using the application administrator account.
2. Verify the permissions assigned to the new security role.
X Task 1: Start the Configuration Manager console by using the application

administrator account
1. On NYC-CFG, press the Shift key, and then in the Start menu, right-click Configuration Manager
Console and select Run as a different user.
2. Use NewYorkAdmin with the password of Pa$$w0rd as credentials for the Configuration Manager
console.
X Task 2: Verify the permissions assigned to the new security role

1. In the Configuration Manager console, in the Assets and Compliance workspace, under the Device
Collections node, verify that you can see only the New York Servers collection.
2. Under the Devices node, verify that you can see only the resources associated to your collection.
3. In the Administration workspace, under the Distribution Points node, verify that you can see the
\\NYC-CFG.Contoso.com server.
4. Under the Security node, verify that you do not have access to Administrative Users, the Security
Roles, or the Security Scopes nodes.
Results: By the end of this exercise, you should have tested the new role permissions.

following steps:
2. In the Virtual Machines list, right-click 10748A-NYC-DC1-B, and then click Revert.
4. Repeat steps 2 to 3 for 10748A-NYC-CFG-B.

Modu
ule Reviiew and
d Takeaw
ways
Review
R Quesstions
1.. Which builtt-in role allowss administrativve users to perrform softwaree updates?
2.. How can yo

ou assign multtiple security permissions
p to an administraative user?
3.. How can yo ministrative ussers access to only specific in

ou limit an adm nstances of ob
bjects and reso
ources?
4-1
Module 4
Planning and Deploying a Multiple-Site Hierarchy
Contents:
Lesson 1: Planning a Configuration Manager 2012 Multiple-Site Hierarchy 4-3
Lesson 2: Deploying a Configuration Manager 2012 Site 4-15
Lesson 3: Deploying the Central Administration Site 4-26

Lab A: Installing the Central Administration Site 4-34
Lesson 4: Deploying Primary Sites in a Hierarchy 4-41
Lab B: Installing a Primary Site in an Existing Hierarchy 4-53
Lesson 5: Deploying Secondary Sites 4-60
Lab C: Installing a Secondary Site 4-66

4-2 Planning annd Deploying a Multiple-Site Hierarchy
Module Overrview
Youu can implement System Cen nter 2012 Conffiguration Man nager in a mulltiple-site hieraarchy to
accoommodate req quirements succh as larger nu
umbers of clien
nts, distributed
d administrativve teams, or re
egula
tion
ns on the distribution of conttent.
In th
his module, yoou will review the
t criteria forr installing a m
multiple-site hieerarchy as well as learn abou
ut the
t central administration site. You will alsso perform an installation off a multiple-sitte
characteristics of the
hierrarchy includin
ng the central administration
a n site, multiplee primary sites,, and a seconddary site.


12 hierarchy m
model, types of sites, and whe
en to use each
h
site type.
Describe the role of the cen

ntral administrration site in a hierarchy.
Install the cen

ntral administrration site.
Install a prima
ary site in an existing
e hierarcchy.
Install a secon
ndary site.
Lesson
n1
Plann
ning a Configu
C ration Manage
M er 2012 Multip
ple-Site
Hierarchy
he Microsoft System Center 2012 Configuration Manag

Th ger hierarchy m
model is desig
gned to accom
mmodate
a large variety of
o deploymentt scenarios while simplifying the hierarchy compared to Configuration
n
Manager
M 2007.
In
n this lesson yo
ou will review the
t types of sittes that can bee implemented
d in Configuraation Managerr by
exxamining:
The central administration site.
Multiple prrimary sites.
Multiple secondary sites.
Yo
ou will examin
ne the criteria used
u to decide
e whether to im
mplement a m
multiple-site hie
erarchy.
After completin
ng this lesson, you
y will be able to:
Describe th
he new Configu
uration Manag
ger 2012 hieraarchy model.
Describe thhe functionalityy of Configuration Manager 2012 sites inccluding the cen
ntral administrration
site, primarry sites, and secondary sites.
Describe altternatives to using

u secondarry sites.
Explain the typical consid

derations for im
mplementing a multiple-sitee hierarchy.
Plan a Conffiguration Man
nager hierarch
hy for a specificc scenario.
Ov
verview of the Config
guration Manager
M 2
2012 Hieraarchy Model
Global organizatio
ons can have multiple
m adminnistrative team
ms, different ad dministrative re
equirements, aand a
larg
ge number of clients
c distributed across mu
ultiple location s worldwide. TTo accommodate these facto ors,
you can implement Configuration Manager 20122 in a multiiple-site hierarrchy.
The Configuration
n Manager 201
12 hierarchy model
m has onlyy three tiers:
Central admin dministration ssite is located at the top of tthe hierarchy. It is

nistration site. The central ad
used to centrralize administration and rep porting for thee entire hierarcchy. Only one ccentral
administration site can be implemented in i a hierarchy. Unlike the cen ntral site in Co
onfiguration
Manager 200 07, a Configura ation Managerr 2012 central administration n site cannot h have clients
assigned to itt and can have e only primary sites as child ssites. Once installed, the cen ntral administraation
site name, site code and pu urpose cannot be changed.
Primary site. Primary

P sites are
a located in thet middle tierr of the hierarcchy and are ussed to directly
manage clien nts. Primary sitees in Configuraation Manageer 2012 hierarcchy serve the same purpose as in
Configuration n Manager 200 07; the primaryy difference is the relationshhips they can hhave with otheer
sites. Unlike in Configuratio on Manager 20 007, a primaryy site cannot bee a child of an
nother primaryy site;
it can be onlyy be a child of the central ad dministration s ite. A primary site can only hhave secondarry
sites as child sites. Once insstalled in a hierarchy, primarry sites cannot change position in the hieraarchy,
or cannot be changed to sttand-alone primary sites.
Secondary sitte. Secondary sites

s are locate
ed at the botto
om tier of the hierarchy. Seccondary sites are
optional and can be used to o manage the transfer of clieent data and d deployments aacross low-
bandwidth ne etworks. A management point and a distriibution point aare automaticaally installed w with
each secondaary site. A seco
ondary site can
n be only a chi ld site of a pri mary site.
You use the multiple-site hierarchy model to centralize administration. Administrators in the central
administration site can see and manage all the objects in the hierarchy and can configure hierarchy-wide
settings.
The administrators from each primary site can only see and manage only the site data from their primary
site and any secondary sites in their branch of the hierarchy. However, secondary sites do not allow local
connectivity for administrators. Secondary sites are managed through their parent primary site.
When you are implementing a multiple-site hierarchy, you must install the central administration site first.
Existing stand-alone primary sites cannot be joined to a hierarchy. You must decommission any existing
stand-alone primary sites and then reinstall them under the new hierarchy if you want to manage the
clients in the site as part of a hierarchy.
Ov
verview of Configura
ation Mana
ager Sites
Undderstanding the criteria used

d to determine e when to instaall each type o
of site helps yo
ou choose to either
install a stand-alo
one primary sitte or multiple sites
s in a hiera rchy.
Cen
ntral Admin
nistration Site
Install a central ad
dministration site
s if you need
d to:
Install multiple primary site

es in a hierarch
hy and centrali ze the administration and re
eporting for alll
sites.
Configure hieerarchy-wide settings that ap
pply to objectss in multiple siites, such as client settings o
or
collection rule
es.
Manage all sites and objectts in the hierarrchy but also liimit the permiissions of some
e administrativve
users by using
g security roles and scopes.
Primary Site
Install multiple primary sites in a hierarchy if you
y need to:
Increase the number
n of clie
ents that Configuration Manaager 2012 can
n manage.
Provide local connectivity for Configuration Manager cconsoles.
Manage conttent independe s if your org anization is su

ently in each site ent-distribution
ubject to conte
regulations.
Secondary Site
Install a secondary site if you need to:
Manage the transfer of client data up the hierarchy across low-bandwidth networks without the
overhead of a primary site.
Manage the transfer of content down the hierarchy across low-bandwidth networks without the
overhead of a primary site.
Provide some of the functionality of a site without requiring local administrators.

4-8 Planning and Deploying a Multiple-Site Hierarchy
Multiple Primary Sites in a Hierarchy, or Stand-Alone Primary Site with Secondaries?

You only need to install a central administration site if you plan to install multiple-primary sites. For most
organizations, the stand-alone primary site model, with optional secondary sites, may be sufficient. In this
case the Configuration Manager 2012 hierarchy model only has two tiers: primary site and secondary
sites.
Installing a central administration site with multiple primary sites does not add fault tolerance to your
hierarchy design. When a primary site fails, the clients assigned to that primary site remain unmanaged
until you restore the primary site. The clients will not fail-over to a different primary site; they are still
assigned to their original primary site.
Similarly, if the central administration site fails, you will not be able to perform centralized administration
or change configuration settings throughout the hierarchy. You need to restore the central administration
site from the backup to resume functionality of the hierarchy.
High Availability for Managing Clients

To implement high-availability for managing clients, you can install multiple management points inside a
primary site whether the primary site is stand-alone or part of a hierarchy. When a management point
fails, the clients communicate with any other management point available in the primary site.
In Configuration Manager 2012, there is no longer the notion of default management point for a primary
site, as it is the case in Configuration Manager 2007. You can install multiple management points in a
primary site. Also you cannot use Network Load Balancing (NLB) for management points, since clients will
fail-over automatically to any other management point available in the site.
Clients located in secondary sites will only communicate with the management point from that secondary
site, they will not fail-over to any management points located in the parent primary site. This preserves
the intent of using secondary sites to manage the transfer of client data up the hierarchy across low-
bandwidth networks.
Alternative
A es to Using
g a Second
dary Site
When
W you have
e clients in rem
mote network locations, you might contem mplate installing a secondaryy site;
hoowever, there are several altternatives to using secondaryy sites that yo u might want to consider. You can
offten remove th
he requiremen nt for another site when you configure a d distribution point in the remoote
ocation or use Windows Bra
lo anchCache.
Secondary Siite
If you want to control
c upward d network trafffic from the cl ients in the re mote location to the primarry site,
yoou need to insstall a secondary site in the remote locatio n. When plann ning for installing a secondaary site,
yoou need to con nsider the follo
owing:
u a computer running a supported versio

You must use on of a server operating systtem, such as W
Windows
Server 200
08 R2. Seconda ot be installed on desktop o perating systems.
ary sites canno
The site dattabase must be co-located on o the secondaary site server.. You can instaall any supportted
Microsoft SQL
S Server ve
ersion. If you do not install SQ
QL Server in a dvance, the Crreate Seconda ary Site
Wizard installs Microsoftt SQL Server Exxpress 2008 R R2.
When insta dary site, the Create Second ary Site Wiza
alling a second ard automaticaally installs a
manageme ent point and distribution
d po
oint on the sitee server.
You can insstall additionall site system ro
oles in a secon
ndary site. The following role
es are supporte
ed:
Distribution point. Yo
ou can install additional
a disttribution pointts in a secondaary site. Each
seconddary site suppoorts up to 250 distribution po oints and each
h distribution ppoint can supp port up
to the same number of clients as supported by t he hardware cconfiguration o of the secondaary site
server, up to a maximmum of 4,000 clients.
Management point. You can only have a single management point in a secondary site and it
must be installed on the secondary site server.
Software update point. You can install a software update point in a secondary site when you want
to perform patch management in the remote site and data transfer across the network is slow.
State migration point. You can install a state migration point in a secondary site when you want
to perform user state migration during operating system deployment in the remote site and data
transfer across the network is slow.
Distribution Point
Depending on the number of clients and the available bandwidth for the network connection to a remote
site, you may find it more efficient to use a distribution point to support clients instead of a secondary
site. There are several factors that can be used to help make this decision; if any of the following
conditions apply, you may want to consider using a local distribution point:
There is sufficient network bandwidth between locations to support management point

communications but insufficient network bandwidth to allow clients to download content.
Background Intelligent Transfer Service (BITS) is used when downloading content from distribution
points; even if you use BITS, the bandwidth may not be sufficient for the clients to download content
across a WAN link. When planning for content delivery, a distribution point by itself can be as
effective as a secondary site with a distribution point.
You want to use multicast to deploy operating systems to computers at the remote location. Multicast
functionality is built into the distribution point role. When planning to use multicast for deployment,
you only need to consider using a distribution point.
You want to stream virtual applications to computers at the remote location. When planning to
stream virtual applications to clients, these applications are streamed from a distribution point.
BranchCache
BranchCache is a feature included in Windows Server 2008 R2 and Windows 7 operating systems. With
BranchCache, you can distribute content using peer-to-peer technology. BranchCache settings are
configured on a deployment type for applications and on the deployment for a package.
To use BranchCache, the following requirements must be in place:
At least one distribution point on a Windows Server 2008 R2 computer must be configured in
BranchCache distributed cache mode.
Clients must run one of the following compatible operating systems configured in BranchCache
distributed cache mode:
Windows Vista Service Pack 2 (SP2) with KB960568 installed
Windows 7
Windows Server 2008 with KB960568 installed

Windows Server 2008 R2
Considerat
C ions for Im
mplementiing Config
guration M
Manager Sites
When
W deciding what impleme entation scena ario is most ap
ppropriate to yyour organization, you have to take
in
nto account a variety
v of facto
ors. These factoors include thee number and locations of cclients, the plan
nned
addministration approach,
a availability of ban
ndwidth betweeen locations, aand server andd other infrastrructure
lim
mitations.
Sttand-Alone
e Primary Sitte
Th
he stand-alone
e primary site implementatio organization if::
on scenario is most appropriate for your o
You have a centralized ad

dministration approach.
a All ssystems are ad
dministered fro
om a single loccation.
You have 100,000 clients or fewer.
Additional
A Secondary Siites
A secondary site
e includes, by default, a man
nagement poin
nt and distribu
ution point. Yo
ou can install
ad
dditional secon
ndary sites to:
Offload the
e client commuunication from m the primary ssite when clien mote location and you
nts are in a rem
need to con o and from thee remote locatiion; however, secondary site
ntrol network traffic both to es do
not increase the number of clients a prrimary site can support.
Provide tierred content ro n secondary si tes that have tthe same pare
outing between ent.
Alternative
A Content
C Management
Yo
ou can use a distribution
d point or BranchC
Cache configurration for a rem
mote site to:
Locally provvide content in

n a remote loccation when yo he traffic from the
ou do not neeed to control th
remote locaation to the paarent location..
Multiple-Site Hierarchy
Implementing a multiple-site hierarchy is a more complex model to implement due to the additional
servers and roles used. Before deciding to create a multiple-site hierarchy, you need to analyze your
environment and determine whether a stand-alone primary site can meet your requirements.
You should use the multiple-site hierarchy scenario if:
You have a larger number of clients than can be managed using a stand-alone primary site. A stand-
alone primary site can support up to 100,000 clients, while a multiple-site hierarchy can
accommodate up to 400,000 clients.
You have remote administrative teams that require local administration of their Configuration
Manager environment.
You have a large number of remote locations which you cannot accommodate using a stand-alone
primary site and secondary sites.
You are subject to export regulations on content.
Question: How many sites need to be implemented for 50,000 clients?

Discussion:
D Planning Multiple Configurat
C tion Manaager Sites
Scenario
Yo
ou are an infra
astructure arch
hitect working for Contoso LLtd., an internaational financiaal company wiith
he
eadquarters inn New York, whhich provides financial
f servicces for custom
mers in North AAmerica and Eu urope.
Contoso has 150,000 workstations, divided as follows, acrross North Am

merica and Euro
ope:
Office Location N umber of worrkstations N

Network bandw
width
Headquarterss New
N York 550,000 Local Gigaabit
Regional officce Toronto

T 220,000 T1
United Kingdom office London

L 115,000 E1
France office Paris

P 115,000 E1
Office locations 500

5 locations across
a 550,000 in total T1
North
N America
a
The central office is located in New Yorrk and contain

ns 50,000 clients.
Regional offfice is located in Toronto an

nd contains 200,000 clients.
Contoso ha ocations acrosss North Americca with a totall of 50,000 clie
as 500 office lo ents. Each officce
contains be
etween 50 and d 1,000 clients.
There are in
nternational offfices in Londo
on and Paris w
with a total of 3
30,000 clients.
Contoso wants to implement System Cente
er 2012 Config uration Manag
ger to adminisster its workstaations in
a centralized wa
ay.
The company datacenter is located in New York and is managed by a team of 40 full-time administrators.
The administrators in New York are providing support for all the locations in North America, including
Toronto. A small datacenter is located in Toronto and administered remotely from New York. The
datacenter for Europe is located in London and has a dedicated team of 15 administrators. They manage
all of the resources in the London and the Paris offices.
You need to choose what hierarchy model to implement. Use the following questions to help you choose
the most appropriate implementation model.
Question: Should you use a stand-alone primary site or a complex hierarchy?

Question: How many primary sites do you need to install?
Question: How many secondary sites do you need to install?
Question: In what location(s) should you install only distribution points?

Use the table below to record your proposed scenario.
Location Site type Managing clients from Administered by

Lesson
n2
Deplo
oying a Configuration
n Manag
ger 201
12 Site
When
W planning for a Configuration Manage er deploymentt, you need to
o take into con
nsideration the
e
upported number of sites, sitte systems and
su d the maximum
m number of ssupported clients. You also nneed to
co
onsider the existing network
k environment and design yoour Configurattion Manager 2012 impleme entation
o accommodatte multiple domains or foressts.
to
When
W deploying g a multiple-site Configuration Manager 22012 hierarchyy, you need to install the site es in a
pecific order, starting with th
sp he central admministration sitee, and continu
uing with primaary sites and
se
econdary sites.. You can instaall additional site systems at any time afterr you install the site servers.
Yo
ou also need to ppropriate setup options wh
t select the ap hen installing tthe sites in an existing hierarrchy,
an
nd use approp
priate resource
es to validate the successful iinstallation.

ng this lesson, you
he maximum limits for a Con

Describe th nfiguration Maanager 2012 hiierarchy.
Describe th
he implementa guration Mana ger 2012 in a multiple domaain or forest.
ation of Config
he deploymentt process for a multiple-site hierarchy.

Describe th
Describe th
he Configuratio
on Manager se
etup options.
Explain how uccessfully-insttalled site systeem.
w to verify a su
4-16 Planning and Deploying a Muultiple-Site Hierarchy
Pla
anning a Multiple-Si
M ite Hierarcchy
Cen
ntral Admin
nistration Site
The maximum number of suppo orted clients per
p hierarchy d depends on thee SQL Server e edition in the
centtral administra
ation site, and is independennt of the SQL SServer edition at primary or secondary sitees. A
centtral administra
ation site:
Supports up to
t 25 child primary sites.
Does not support any client management roles. Clientss cannot be as signed to the central
administration site, only to primary sites.
Supports up to ents in the hierrarchy when u sing SQL Serveer Enterprise ffor the site
t 400,000 clie
database.
Supports up to
t 50,000 clien archy when usiing SQL Serverr Standard for the site datab
nts in the hiera base.
The limitation is im
mposed by thee way the site database is paartitioned. If yo
ou install the ccentral
adm
ministration sitee using SQL Se
erver Standardd, and then uppgrade the edittion of SQL Se erver to Enterp
prise,
the database does not repartitioon and this lim
mitation remainns in effect.
Primary Sites
Prim
mary sites are used
u to manag ge clients. Eachh primary site can accommo odate up to 50 0.000 or 100,00 00
clien
nts, dependingg on whether the
t SQL Serverr is co-located d on the site seerver or is instaalled on a sepaarate
commputer. Howevver, the numbe er of clients supported in a pprimary site is still limited to 50,000 if the
ation site uses SQL Server Sta
centtral administra andard Editionn. A primary site:
Supports up to
t 250 secondary sites.
Supports up to
t 250 distribuution points. Ea
ach distributio
on point can su
upport up to 4
4,000 clients,
depending onn the type of content
c you arre distributing..
Supports a combined total of up to 5,000 distribution points. This total includes all the distribution
points at the primary site and all distribution points that belong to the primary sites child secondary
sites.
Supports up to 10 management points. Each primary site management point can support up to
25,000 computer clients. To support 100,000 clients you must have at least four management points.
When you have more than four management points in a primary site, the supported client count of
the primary site do not increase beyond 100,000. Instead, any additional management points provide
redundancy for communications from clients.
Supports up to 50,000 clients when SQL Server is co-located on the site server.
Supports up to 100,000 clients when SQL Server is installed on a separate computer from the site
server.
Secondary Site
Secondary sites can be used to manage the upward traffic from the clients in a remote location to the
primary site server. A secondary site can also be used to increase the total number of distribution points
that can be installed in a primary site. A secondary site:
Supports up to 250 distribution points. Each distribution point can support up to 4,000 clients,
depending on the type of content you are distributing.
Supports a single management point located on site server.
Supports SQL Server Express 2008 R2 in addition to the other supported SQL versions for the site
database. SQL Server must be installed on the same computer as the secondary site server.
Supports communications from up to 5,000 clients.
Software Update Point

Each site supports one active software update point for use on the intranet, and optionally, one software
update point for use on the Internet. You can configure each of these software update points as a
Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB cluster.
A software update point that is installed on the site server can support up to 25,000 clients.
A software update point that is installed on a computer that is remote from the site server can
support up to 100,000 clients.
Fallback Status Point

You can install a fallback status point to enable clients to send state messages to the site, and enable
CCMSetup to report deployment issues.
Each primary site supports one fallback status point.
Each fallback status point can support up to 100,000 clients.
Application Catalog Website Point and Application Catalog Web Service Point
Each instance of this site system role supports up to 400,000 clients, providing service for the entire
hierarchy.
You can install multiple instances of the Application Catalog website point at primary sites.
For improved performance, plan to support up to 50,000 clients per instance.

System Health Validator Point

You can install a System Health Validator point in each site to implement the Network Access Protection
functionality.
Each System Health Validator point can support up to 100,000 clients.
Question: What is the total number of distribution points that can be installed in a primary
site and its child secondary sites?
Planning
P fo
or Multiple
e Domainss and Foreests
Syystem Center 2012

2 Configurration Manage
er supports sitees and hierarch ory
hies that span Active Directo
fo
orests. Configuuration Manager also supporrts domain com mputers that aare not in the ssame Active D
Directory
fo
orest as the site
e server, and computers
c thatt are in workg roups.
To support domain comp puters in a trussted forest, yo u can install a child site in a remote forestt that
has a required two-way trust with the forest
f of the paarent site. For example: You can place a
secondary site
s in a differeent forest fromm its primary pparent site if a two-way foresst trust that supports
Kerberos auuthentication exists.
e If you do not have a ttwo-way forestt trust which supports Kerbe eros
authenticattion, then you cannot install a Configuratio on Manager child site in the e remote forestt.
To support domain comp est that is not trusted by you

puters in a fore ur site servers forest, you can install
appropriatee site system ro ntrusted forest,, with the optiion to publish site informatio
oles in that un on to
est. When you install site systtem servers in the clients fo
that Active Directory fore orest, the clientt-to-
server communication takes place within the clients forest and thee remote site ssystem role can n
authenticatte the computer using Kerbe eros.
When you publish site infformation to the t clients foreest, clients can
n retrieve site information, suuch as a
list of availa
able managem ment points, fro om their Activ e Directory fo rest rather thaan downloadin ng this
information n from their asssigned manag gement point. The out of ba nd service poiint and the
Application n Catalog web service point cannot
c be insttalled in an un
ntrusted forest;; they can onlyy be
installed in the same fore est as the site server.
s The samme restriction aapplies for the
e site databasee, which
must be insstalled in the same forest as the site serverr.
When youy specify a computer

c to be
b a site system
m server, you m
must specify th
he Site System
Installa
ation Account. This account must have locaal administrative credentialss to connect too, and
then innstall, site syste mputer.
em roles on the specified com
When you install a site system role in an untrusted forest, you must select the site system option
Require the site server to initiate connections to this site system. This configuration enables
the site server to establish connections to the site system server to transfer data. This prevents the
site system server that is in the untrusted location from initiating contact with the site server that
is inside your trusted network. The connection uses the Site System Installation Account that you
use to install the site system server.
The management point and enrollment point site system roles connect to the site database. By
default, when these site system roles are installed, Configuration Manager configures the
computer account of the new site system server as the connection account and adds the account
to the appropriate SQL Server database role. When you install these site system roles in an
untrusted forest, you must configure the site system role connection account to enable the site
system role to obtain information from the database. If you configure a domain user account for
these connection accounts, ensure that the account has appropriate access to the SQL Server
database at that site:
Management point: Management Point Database Connection Account
Enrollment point: Enrollment Point Connection Account
To support computers in a workgroup, you must manually approve these computers if they use HTTP
client connections to site system roles because Configuration Manager cannot authenticate these
computers by using Kerberos. In addition, you must configure the Network Access Account so that
these computers can retrieve content from distribution points. Because these clients cannot retrieve
site information from Active Directory Domain Services (AD DS), you must provide an alternative
mechanism for them to find management points. You can use DNS publishing, or WINS, or directly
assign a management point.
You can also use Internet-based client management (IBCM) and PKI-issued certificates to manage the
clients in an untrusted forest or clients in a workgroup.
Deploying
D a Multiple
e-Site Hierrarchy
Th
he process for deploying a multiple-site
m hierarchy includ
des the followiing steps.
Deploying
D th
he Central Administrat
A ion Site
Extend the Active Directo
ory schema. Yo ou need to deccide whether yyou will extend
d the Active Directory
schema to enable site serrvers and site systems
s to pub
blish informatiion into AD DSS.
Install Conffiguration Man nager 2012 as a central adm inistration sitee. Install the ce
entral administtration
site first, be
efore installing
g any sites thatt are to join th e hierarchy.
Deploying
D Primary Sitess
Install Conffiguration Mannager 2012 as a primary site in the existing g hierarchy. Ruun Setup for in
nstalling
2 and selecct the option to o Install a Co nfiguration MManager prim mary
e site is part off the hierarchyy, and then speecify the centrral administration site
site, indicatte whether the
to be used as a parent sitte.
Deploying
D Se
econdary Siites
Add the priimary site servver computer account
a to thee local Adminisstrators group on the target
secondary site
s server.
Run the Seccondary Site In

nstallation Wizzard from the primary site. Y
You can select whether to usse an
existing instance of SQL Server
S or install SQL Server EExpress.
Deploying Additional Site System Roles

Run the Add Site System Roles Wizard for each site. You can select which roles to install for each
particular site.
When part of a hierarchy, some roles cannot be installed in all sites. The available roles are
discussed later in this module.
For specific roles, only a single instance of the role may be installed. For example, the Asset
Intelligence synchronization point can only have a single instance of the role installed at the
central administration site or at a stand-alone primary site.
Configurat
C ion Manag
ger 2012 Setup
S Optiions
To
o install a centtral administration site or a primary
p site, yo
ou use the set up program frrom the installation
media.
m The setuup process runs Prerequisite Checker regarrdless of wheth her you have p previously run it. The
se
etup process prompts
p you too run Setup Do ownloader. If SSetup Downloaader was run p previously, youu can
po
oint the Setupp program to the location wh here you down nloaded the filles. After all off the prerequissite
ch
hecks complette and after all the updated components
c ddownload, the System Cente er 2012 Configuration
Manager
M Setup Wizard starts..
In ation Manager Setup Wizard

n the Configura d, the first step
p provides opttions that allow
w you to:
Install a Co
onfiguration Manager prim mary site serv ver. Select this option to insttall a primary ssite. You
have the op er to select if iss stand-alone or is part of a hierarchy.
pportunity late
You can choose the Use nstallation op tions for a sta

U typical in and-alone primary site option,
which:
Insstalls a Configu
uration Manag
ger primary sitte.
Usses default insttallation path.
onfigures local SQL Server wiith default setttings.

Co
Enables a local management

m point
p for Confiiguration Man
nager.
Enables common on Manager cliient agents.
n Configuratio
Install a Co
onfiguration Manager central administ ration site. If you are installling a hierarch
hy, the
central admministration site needs to be installed first.
Upgrade an existing Co onfiguration Manager
M 20122 installation. This option aallows you to u
upgrade
the current Configuration
n Manager 201 wer version (s uch as SP1).
12 site to a new
Recover a site. Use this option to perform the first step in recovering a failed site server. Site server
recovery is covered in detail in Module 7.
Perform site maintenance or reset this site. Use this option to modify the SQL server configuration,
manage SMS Provider, or perform a site reset after restoring the site from a backup.
Uninstall a Configuration Manager site. This is the recommended approach to remove a site server
from a hierarchy.
Note The option to install a secondary site is not available in the Configuration Manager
Setup Wizard. You can install a secondary site by using the Configuration Manager console
that is connected to an existing primary site.
The Configuration Manager 2012 setup differs from the Configuration Manager 2007 setup in the
following ways:
Besides the management point and distribution point site roles, you cannot install any of the optional
roles during the setup process.
Setup Downloader (SetupDL.exe) and Prerequisite Checker (prereqchk.exe) are now separate
applications and can be launched without starting the Configuration Manager Setup Wizard.
Question: Why should you run Prerequisite Checker before running Setup?
Verifying
V a Configura
ation Manager 2012
2 Site Instaallation
Yo
ou can perform
m the following actions to ve
erify the Confiiguration Man
nager 2012 insttallation:
1.. Start the Co

M consoole. This verifiees that the site default site co
omponents are e
functioning nnot connect, verify that you
g normally. If the console can u are logged o on with the samme
account thaat was used foor Setup. For a secondary sitee, the state chaanges from Pe ending to Activve.
2.. Verify that the SMS_EXEC CUTIVE, SMS_S SITE_COMPONNENT_MANAGER, and other Configuration n
Manager se SITE_BACKUP sservice, are staarted in the Se
ervices, exceptt for the SMS_S ervices console
e.
3.. View the installation logss:
ConfiggMgrPrereq.loog. This log is generated by Prerequisite C her run stand-alone or

Checker, wheth
as partt of Setup.
gMgrSetup.log. This is the primary

Config p setup log. Look heree to identify an
ny abnormal e
errors
encoun
ntered during Setup.
Config
gMgrSetupWiizard.log. Thiss log is genera ted by the Co nfiguration Manager Setup Wizard.
gMgrAdminUI.log. This log is generated b

Config by the consolee setup. Because installing th
he
console
e is not manda
atory, this is a separate log.
SMS_BBOOTSTRAP.lo og. This log is located on thee intended seccondary site se

erver. It record
ds
he progress of launching thee secondary sitte installation process. Details of the
information about th
actual setup process are containedd in ConfigMgrrSetup.log.
4.. View the status messagess found in the Monitoring seection.

Question: What
W is the prrimary log for the
t Configurattion Manager setup?
Lesson 3
Deploy
ying the
e Central Administration Site
e
Whe en implementing a hierarchyy of multiple primary

p sites, tthe first site yo
ou must install is the central
admministration site
e. The central administration
n site is the huub of the entiree hierarchy, an nd primary site es are
joined to it to build your hierarcchy.
In th
his lesson, you
u will review th
he role of the central
c adminisstration site in
n a multiple-sitte hierarchy.
Afte
ou will be able to:
Describe the characteristicss of the centrall administratio

on site.
Determine wh
hen to install a central administration site..
Describe how
w to install a ce
entral administtration site.
Describe insta
alling site syste
em roles and configuring
c seccurity roles an
nd scopes in th
he central
administration site.
What
W Is the
e Central Administra
A ation Site?
Th
he central adm ministration sitee is the top-levvel site in a hieerarchy and is the first site that you install in the
hiierarchy. You can
c use the central administration site to m manage all objjects and perfo orm site manaagement
ta
asks for all sites in the hierarcchy. From the central admin nistration site, yyou can see gllobal data andd site
daata from all prrimary sites in the hierarchy. The central ad dministration ssite is the onlyy place where yyou can
ee this site in a consolidated data view.
se
Th
he central adm
ministration site
e:
Supports only primary sittes as child sitees. You need too specify the ccentral administration site co
ode and
site server during
d the insttallation of a primary
p site in a hierarchy.
gned to it. You need to installl at least one primary site under the centrral
Cannot havve clients assig
administrattion site to manage clients.
Does not process client data.

d Site data from clients iss processed at primaries, the
en replicated to
o the
central adm
ministration site.
upport all site system roles. You
Does not su Y cannot insstall any of thee roles related to client
manageme ent in the centrral administrattion site.
Offloads ad a reporting from the prim

dministration and mary sites. You can run reportts to contain
consolidate
ed informationn from all sites in the hierarc hy.
Participatess in database replication

r with the primary sites. The dataabase replication is configured
automatica ally when installing a primaryy site as a child
d of the centraal administratio
on site.
Contains sitte data replica
ated from all th
he sites in the hierarchy. Thee central admin
nistration site
es site data from all sites in the hierarchy.
consolidate
Question: What
W data can
n the administrrator see with the console co
onnected at th
he central
administrattion site?
De
etermining
g When to Install a Central
C Ad ministratio
on Site
Youu must install a central admin nistration site if

i you plan on installing mulltiple primary ssites in a hieraarchy.
Youu use the centrral administration site to con nfigure hierarc hy-wide settin
ngs and to monitor all sites aand
objeects in the hierrarchy. The cenntral administrration site doees not managee clients directlly but does
coordinate inter-ssite data repliccation, which inncludes the coonfiguration off sites and clie
ents throughou ut the
hierrarchy.
Use the following information to help you pla

an for the centtral administraation site installation:
If you need to
o support morre than 100,000 clients, you have to have tthe central adm
ministration site
and multiple primary sites in hy. The central administration site can support up to 25
i the hierarch
primary sites.
You can manage all clients in the hierarch

hy and performm site manageement tasks fo or any primary site
when you use
e the Configurration Manage er console thatt is connected to the central administration site.
The central addministration site is the onlyy place where yyou can see site data from aall sites. This daata
includes inforrmation such as
a inventory da ata and status messages.
You can configure discoverry operations throughout

t thee hierarchy fro
om the central administratio
on site
by assigning discovery methods to run att individual sitees.
Although thee central admin

nistration site does
d not suppport the distrib bution point roole, you can cre
eate
content in the
e central admiinistration site and distributee it to all desired sites in the hierarchy.
You ntral administrration site in o rder to:

u do not need to install a cen
Manage up to o 100,000 cliennts. You can use a stand-alo

one primary sitte and install aadditional seco
ondary
sites or additiional distributiion points as necessary.
n
Support multtiple locations. A stand-alone

e primary site with remote d
distribution po
oints or second
dary
sites can span
n multiple loca
ations.
Manage clients. Only primary sites can have clients assigned to them; the central administration site
cannot. Additionally, primary sites support the site system roles related to client management, but the
central administration site does not.
Decentralize administration for a primary site. You can use security roles and scopes to limit
administrative permissions to a subset of objects. The central administration site does not limit the
administrative permissions but instead is used to centralize administration across multiple sites.
Perform content routing. If you are using a stand-alone primary site, you can implement distribution
points or secondary sites to perform content routing.
In the scenario of a merger or acquisition, installing a central administration site will not offer an
advantage over a stand-alone primary site:
If the second organization has Configuration Manager 2007 deployed, you can use the migration
feature to migrate objects to the Configuration manager 2012 hierarchy.
If the second organization has Configuration Manager 2007 deployed, you can use the Export and
Import functionality to copy objects between hierarchies.
Question: Do you need to install a multiple-site hierarchy to manage 150,000 clients?
Insstalling the
e Central Administra
A ation Site
Afteer deciding to install a Configguration Mana ager central ad dministration ssite, you must run the setup p
proggram. Since a central administration site does
d not suppo ort clients, there are not man ny decisions too be
mad de during the installation proocess. When planning
p the ceentral adminisstration site, caarefully choosee the
site code and site name because you cannot them t after insttallation witho
out reinstalling
g the site, whicch in
this case would mean
m the reinsttalling the entiire hierarchy.
The following table lists the stepps of the Syste

em Center 20112 Configuratio
on Manager Se etup Wizard w
when
installing the centtral administra
ation site, and the
t informatioon that you inp
put for each sttep.
Wizard
W step In
nput required
Getting Started Choose:

C Installl a Configurattion Managerr central adm
ministration sitte.
Microsoft
M Softw
ware Enter
E the produ
uct key and acccept the license terms in this step to conttinue
License Terms with
w the setup.
Updated Prereq
quisite In
n this step, you
u can downloaad the Configu
uration Managger prerequisites, or
Components you
y can specifyy a folder wherre you have prreviously downnloaded them.
Se
erver Language This
T option allo
ows you to speecify additionaal language paacks to be
Se
election downloaded
d an
nd installed fo r the admin co
onsole and sitee servers.
Client Language
e This
T option allo
ows you to speecify additionaal language paacks to be
election
Se downloaded
d an
nd installed fo r the Configurration Manageer client.
Siite and Installa

ation Configure
C the site
s code and ssite name. Theese settings cannot be chang
ged
Se
ettings la
ater.
(continued)
of the Configuration Manager database, and the port to use for SQL Server
Service Broker.
SMS Provider Settings Input the FQDN name of the server that hosts SMS Provider. By default, this
is installed on the site server.
Configuration
changes.
Prerequisite Check The Configuration Manager Setup Wizard launches Prerequisite Checker to
evaluate the server readiness for hosting the selected roles.
Question: There is no option in the Configuration Manager Setup Wizard to configure site
system roles when installing the central administration site. Why not?
Co
onfiguring the Central Adminisstration Site
Afte
er you install th
he central adm
ministration site, you typicallyy perform seveeral configuration steps suchh as
nal site system roles and con
installing addition nfiguring securrity roles and sscopes. When installing site
system roles in the central administration site, you can instaall only the following subset of site system
m
role
es:
Asset Intellige
ence synchron
nization point

Reporting serrvices point
Software upd
date point
System Health Validator po

oint
Note You can install only one Asset Intelligence syn chronization p
point and one Endpoint
Protection point
p in a hiera
archy.
Role
es involved in client manage nnot be installeed in the centrral administrattion site includ
ement that can de:
Application Catalog
C web se
ervice point
Application Catalog
C website point
Distribution point
p
Fallback statu
us point
Managementt point
Enrollment po
oint
State migration point
Question: Why would you install the software update point at the central administration
site?
Lab A: Installing the Centrall Admin

nistratio
on Site
Lab
b Setup
For this lab, you will
w use the avaailable virtual machine
m enviro
onment. Beforre you begin the lab, you mu
ust
com

c click
k Start, point to
t Administraative Tools, an Hyper-V Manager.
nd then click H
M click
k 10748A-NYC
C-DC1-A, and in the Actionss pane, click Sttart.
User nam
me: Administra
ator
Password
d: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 fo

or 10748A-NY
YC-CAS-A.
Lab
b Scenario
You
u are a network
k administratoor for Contoso,, Ltd. Contoso wants to deplloy System Cen nter 2012
Connfiguration Ma
anager in a com
mplex hierarch primary sites and a
hy with a centrral administrattion site, two p
seco
ondary site.
You
u need to perfo
orm the installation of the ce
entral administtration site byy:
1. Extending the
e Active Directtory schema.
2. Installing the central admin

nistration site.
3. Validating the
e Installation.

Scenario
You need to extend the Active Directory schema with the classes and attributes used by Configuration
Manager 2012. You use ADSIEDIT to create the System Management container where Configuration
Manager site servers publish information. You need to create a group in AD DS for the Configuration
Manager servers and then assign the group Full Control permission for the System Management container
so the servers are able to publish information.
1. Use EXTADSCH to extend the AD DS schema on the domain controller.
2. Use ADSIEDIT to create the System Management container in AD DS.
3. Use Active Directory Users and Computers to create a group for the Configuration Manager servers.
4. Assign Full Control permissions for the System Management container to the group.

1. On NYC-DC1, open Windows Explorer, navigate to the \\NYC-CAS\E$\ConfigMgr2012
\SMSSETUP\BIN\X64 folder, and then locate and run extadsch.exe.
2. Browse to drive C, open the ExtADSch.log file created in the root of drive C, and then verify the

1. On NYC-DC1, in the Run dialog box, type adsiedit.msc, and then click OK.
2. In the ADSI Edit console, connect to the default naming context.

3. In the ADSI Edit console, expand Default naming context, expand DC=CONTOSO,DC=COM
container, and select the CN=System container.
4. Create an object under CN=System with the type container and the value of System Management.
5. In the ADSI Edit console, verify that CN=System Management container appears in the results pane,
and then close the console.
X Task 3: Create a group for the Configuration Manager servers in Active Directory
Users and Computers
1. Start the Active Directory Users and Computers console.
2. Create a new group in the Users container named ConfigMgrServers.
3. Add the following computers to the ConfigMgrServers group:
NYC-CAS
NYC-CFG
LON-CFG
TOR-CFG.
X Task 4: Assign Full Control permissions for the System Management container to
the group
1. In the Active Directory Users and Computers console, from the View menu verify that Advanced
Features is selected.
2. Under the System container, browse to the System Management container and access its
Properties.
3. On the Security tab, assign Full control permission to the ConfigMgrServers group, and then click
Advanced.
4. In the Advanced Security Settings for System Management dialog box, edit the entry for the
ConfigMgrServers group so that the Full control permission applies to This object and all
descendant objects, and then click OK.
5. Close all dialog boxes by clicking OK.
Note After the installation, Configuration Manager 2012 site servers publish information
in the System Management container that enables clients to determine the assigned site
and locate the management point.
System Management container, and assigned permissions to the group of Configuration Manager servers.
Exercise 2: Installing the Central Administration Site

Scenario
You will use Prerequisite Checker to validate that the prerequisites for installing Configuration Manager
2012 are met.
You then will run the Configuration Manager Setup Wizard and select the option to install a central
administration site with the site code CAS on the NYC-CAS.contoso.com server.
1. Run the splash screen for Configuration Manager 2012.
2. Run Installation Prerequisite Check and verify that the installation prerequisites are met.
3. Run Setup to install a Configuration Manager 2012 central administration site.
X Task 1: Run the splash screen for Configuration Manager 2012

1. On NYC-CAS, navigate to the E:\ConfigMgr2012\ folder.
X Task 2: Run Installation Prerequisite Check and verify that the installation
prerequisites are met
2. In the Installation Prerequisite Check window, verify that there are no errors (you may receive several
warnings), and then click OK.
X Task 3: Run Setup to install a Configuration Manager 2012 central administration site
following settings to install a central administration site:
On the Getting Started page, select Install a Configuration Manager central administration
site.
On the Product Key page, select Install this product as an evaluation.

On the Prerequisite Licenses page, under Microsoft SQL Server 2008 R2 Express, select
I accept these License Terms, under Microsoft SQL Server 2008 Native Client, select I accept
these License Terms, under Microsoft Silverlight 4, select I accept these License Terms and
automatic updates of Silverlight, and then click Next.
On the Prerequisite Downloads page, select Use previously downloaded files, and then
specify E:\ConfigMgr2012\Redist as the location.
On the Site and Installation Settings page, configure the following options:
Site code: CAS
Site name: Contoso Central Administration Site
Install the Admin Configuration Manager console: checked
On the Customer Experience Improvement Program Configuration page, select I dont want
to join the program at this time.
On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click
Begin Install.
3. Wait for the installation to finish, and then close the Setup Wizard and the System Center 2012
Configuration Manager Setup screen.
in the central administration site.
Exercise 3: Validating the Installation

Scenario
You need to validate the successful installation of Configuration Manager 2012 in the central
administration site. You will review the Site Status and Component Status, view status messages related to
installation, view installation logs, and review what site system roles can be installed in the central
1. View the Site Status and Component Status.

4. Review the available site system roles.

1. On NYC-CAS, start the Configuration Manager Console.
2. In the Configuration Manager console, in the Monitoring workspace, under the Site Status node,
view the status of each site system role.
3. Under the Component Status node, view the status of each component.
X Task 2: View the status messages for the Configuration Manager 2012 installation
1. Select the Site Status node, and then, in the results pane, select Site server.
3. In the Status Messages: Set Viewing Period dialog box, accept the defaults, and then click OK.
4. In the Configuration Manager Status Message Viewer, double-click on any message, and then
review the details of the status message. Use the Next and Previous buttons to view additional status

1. Open Windows Explorer, navigate to drive C, and then in the root folder double-click the
ConfigMgrPrereq.log file. Review the file, note any errors or warnings reported by Prerequisite
Checker, and then close Notepad.
2. Open the ConfigMgrSetup.log file in Notepad. Review the file, note any errors or warnings reported
by Setup, and then close Notepad.
3. Close Windows Explorer.

X Task 4: Review the available site system roles

1. In the Configuration Manager console, click the Administration workspace, expand Site
Configuration, and then select Servers and Site System Roles.
2. In the results pane, select NYC-CAS.contoso.com, and then review the roles installed on the server.
3. In the results pane, right-click on NYC-CAS.contoso.com, and then select Add Site System Roles.
The Add Site System Roles Wizard starts.
4. On the System Role Selection page, review the roles that can be installed on the site system.
Note The site system roles that are directly related to client management cannot be
installed in the central administration site.
5. Cancel the Add Site System Roles Wizard.

Lesson
n4
Deplo
oying Primary Sites in a Hieraarchy
After installing the

t central administration site, you can th en proceed to
o install primarry sites in yourr
hiierarchy.
Prrimary sites are

e required to support
s clientss in a Configurration Manageer hierarchy an
nd need to be
in
nstalled beforee you can deplooy clients.
In ou will discuss the role of the primary site,, the factors th

n this lesson, yo hat determine when to install a
primary site, and the roles thaat you can insttall on a primaary site.
After completin
ng this lesson, you
y will be able to:
Describe a primary site.

Determine when it is app
propriate to insstall a primary site in a hierarchy.
Describe th
he installation of
o a primary siite in a hierarcchy.
Describe va
arious site insta
allation metho
ods.
Describe th
he configuratio
on of a primaryy site in a hieraarchy.
Wh
hat Is a Priimary Site?
A primary site is the middle tierr in a hierarchyy and is requireed to manage clients. You caan use a primaary
site to manage alll objects and perform
p site management
m taasks for the priimary site and any child
secoondary sites asssigned to the primary site. From
F a primaryy site, you can
n see global daata and the sitee data
m the local primary site and the informatio
from on about any cchild secondarry sites in the pprimary sites b
branch
of the hierarchy.
A primary site:
Can be a stan
nd-alone prima
ary site or a member of a hieerarchy.
Supports onlyy the central administration site as a paren

nt site.
Supports onlyy secondary sittes as child site

es.
Can support up ondary child sites and up to 250 distributio
u to 250 seco on points.
ge its parent site relationship

Cannot chang p after installattion.
Is responsible
e for processing all client datta from their aassigned clients.
Uses database replication to
o communicatte to its centraal administratio
on site.
Add
ditionally, when a primary sitte is installed in a hierarchy:
Replication with
w its designa
ated central ad
dministration ssite is configurred automaticaally.
ution point an d managemen
You have the option to insttall the distribu nt point roles d
during site
installation.
Question: What data can the administrattor see from th

he console wh
hen the console
e is
connected at the central ad
dministration site?
s
Determinin
D ng When to Install a Primary SSite
Yo
ou must install at least one primary
p site in your hierarch y to support cclients. Neitherr the central
ad
dministration site
s nor a seco ondary site cann have client syystems assigneed to them.
Consider adding
g a primary sitte to your hierarchy when yo
ou need to:
e number of clients to mana
Increase the age. Each prim
mary site can su
upport up to 1
100,000 clientss.
Reduce the
e effect of failu
ure from a stan
nd-alone primaary site.
If a prim
mary site fails, all clients assiigned to that ssite cannot be managed unttil the site is re
estored.
Activityy such as invenntory collection on the clientts continues and the results are stored loccally as
usual; however,
h repoorting of this acctivity is delayeed until the sitte is restored.
y have multtiple primary sites in a hierarrchy, a site failure only affectts the clients aassigned
When you
to that primary site.
Provide a loocal point of connectivity for a business un

nit so that you
u can perform administration
n tasks
nts in the business unit.
for the clien
Meet organ nizational man nagement requ uirements. Diffferent location
ns may be undder different
ge of data or the use of encrryption. Using a separate primary site mayy help
regulationss for the storag
you meet these requirem ments.
Additional prim
mary sites are not
n needed in your
y hierarchyy if you are just trying to:
Provide deccentralized administration. Role-based

R ministration caan be used to segregate the
adm e
administrattion of resourcces.
Perform loggical data segm mentation. All data that exis ts in a hierarch
hy is replicated
d to the centraal
u are required to maintain cllient data sepaaration and waant to use
administrattion site. If you
Configuratiion Manager to manage clie ents, consider u
using a separaate stand-alone e installation.
Configure different client settings. Custom client settings can be configured individually by collection
and are replicated in the entire hierarchy.
Support a different site language. Multiple languages can be configured for the same site.
Perform content routing. You can configure content routing between two distribution points located
in two secondary sites that have the same parent. This reduces the network traffic associated with the
WAN links.
In
nstalling a Primary Site
S in a Hiierarchy
In
nstalling a Configuration Manager primaryy site requires ssome addition nal pre-plannin ng before runn ning
Se
etup. Since the
e primary site is
i used to suppport clients, yo
ou should deciide how the clients will conn nect to
th
he primary site
e before perforrming the instaallation. Altho ugh client commmunication ssettings can be e
ch
hanged after innstallation, the
e following can
nnot be chang ged after insta llation withoutt reinstalling the site:
The parent central admin

nistration site to
t which the p
primary site is aassigned
The site cod

de
The site nam
me
Th
he following taable lists the stteps of the Configuration M anager Setup Wizard when you use it to install a
primary site, and the informattion that you input
i for each step.
Wizard
W step Input require
ed
Getting Starte
ed Choose: Instaall a Configurration Managger primary siite server.
Optionally, yo
ou can check: Use typical in
nstallation op
ptions for a sttand-
alone primary site.
Microsoft Sofftware Enter the pro

oduct key and accept the liceense terms in tthis step to co
ontinue
License Termss with the setup.
Updated Prerrequisite In this step, you

y can downlload the Confi guration Manager prerequissites or
Components specify a foldder where you have previoussly downloade
ed them.
(continued)
Server Language This option allows you to specify additional language packs to be
Selection downloaded and installed for the admin console and site servers.
Client Language This option allows you to specify additional language packs to be
Selection downloaded and installed for the Configuration Manager client.
Site and Installation Configure the site code and site name. These settings cannot be changed
Settings later.
Primary Site Installation If you selected Install a Configuration Manager primary site in the first
step, you can indicate whether the site is stand-alone or a part of the
hierarchy.
of the Configuration Manager database, and the port to use for the SQL
Server Service Broker.
SMS Provider Settings Input the FQDN name of the server that hosts the SMS Provider. By default,
this is installed on the site server.
Client Computer In this step, you can configure choose one of the following:
Communication Settings All site systems roles accept only HTTPS communication from
clients
Configure the communication method on each site system role
If you choose to separately configure site system roles, you can
check: Clients will use HTTPS when they have a valid PKI
certificate and HTTPS-enabled site roles are available.
Site System Roles In this step, you can choose to install a management point and/or a
distribution point and specify the FQDNs for the roles. By default, both roles
will be installed using the FQDN of the server.
If you choose All site systems roles accept only HTTPS
communication from clients, both roles will be configured for HTTPS
and cannot be modified during Setup.
If you choose Configure the communication method on each site
system role, both roles will be configured for HTTP and cannot be
modified during Setup.
If you choose Configure the communication method on each site
system role, and checked the Clients will use HTTPS when they have
a valid PKI certificate and HTTPS-enabled site roles are available
check boxes, both roles will be configured for HTTPs, and you can
modify them during Setup.
Configuration
changes.
(continued
Prerequisite Check The Configuration Manager Setup Wizard launches Prerequisite Checker to
evaluate the server readiness for hosting the selected roles.
Question: What is the step in the wizard where you can configure a primary site to become
part of a hierarchy?
Site Installation Metho

ods
To install a new primary site, yo

ou can either use the Configu uration Manag ger 2012 Setup
p Wizard or
perfform an unatteended installattion using the scripted insta llation method
d.
You
u can perform an unattended d installation for a new prim mary site using a setup comm mand
swittch and an una attended installation .ini file. You can man ually create thhe file or use th
he
%TE EMP%\Config gMgrAutoSav ve.ini file that was generated d during the in
nstallation of a primary site,
suchh as in a test environment.
e You
Y can also crreate the unatttended installaation .ini file b by running the
Con
nfiguration Ma anager 2012 Seetup Wizard until you reach the Prerequisite Check page e. The actual ffile
me does not matter, but it must have an .in
nam ni extension.
To perform
p the un
nattended insttallation, run the following ccommand:
Se
etup /script path\filenam
me.ini
For example, if yo
ou created an installation
i .inii file named In
nstPrimSite.ini and stored it in the root of d
drive
C:, the
t command would be:
Se
etup /script C:\InstPrimS
Site.ini
Note Whe en using an insstallation .ini file, the Setup p

program uses o only the value
es in the .ini
file. You musst specify all se
etup options, or
o the installattion will fail; ho
owever, you caan leave
the ServerLaanguages and d ClientLanguuages options blank.
This example illustrates a typical script used for installing a primary site in a hierarchy:
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=
SiteCode=LON
SiteName=London Primary Site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=LON-CFG.CONTOSO.COM
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
PrerequisiteComp=1
PrerequisitePath= E:\ConfigMgr2012\Redist
ServerLanguages=
ClientLanguages=
MobileDeviceLanguage=0
ManagementPoint=LON-CFG.CONTOSO.COM
ManagementPointProtocol=HTTP
DistributionPoint=LON-CFG.CONTOSO.COM
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1
AdminConsole=1
[SQLConfigOptions]
SQLServerName=LON-CFG.CONTOSO.COM
DatabaseName=CM_LON
SQLSSBPort=4022
[HierarchyExpansionOption]
CCARSiteServer=NYC-CAS.CONTOSO.COM
Co
onfiguring a Primary
y Site
Wheen a primary site

s is installed as a part of a hierarchy, certtain site system
m roles cannott be installed in the
prim
mary site. Thosse roles are:
Asset Intellige
ence synchron
nization point. This role is insstalled at the ccentral adminisstration site an
nd
synchronizes the Asset Intelligence catalo
og for the enti re hierarchy.
nd provides the
Endpoint Protection point. This role is insstalled at the ccentral adminisstration site an
configuration
n for Endpoint Protection forr the entire hieerarchy.
A primary site in a hierarchy sup
pports all othe nfiguration Maanager roles available. The
er optional Con
distribution of roles throughoutt your hierarch
hy depends on n your businesss requirements and on the
funcctionality that you need to provide.
p
For example, altho ough you can install multiple reporting po oints in a hieraarchy, only a re
eporting pointt
installed in the central administration site can n provide repo
orts on all objects in the hieraarchy. You theen
migght decide to innstall only a single reporting g point and runn all reports th
hrough the cen ntral administrration
site,, or you mightt decide to insttall a reporting
g point in each
h site so local aadministratorss can locally
man nage reports, both
b for their own
o site and custom
c reportss.
The following table shows the optional

o roles that
t you can in
nstall in a prim
mary site and w
whether they
provvide site-only functionality or
o hierarchy-w
wide functional ity.
Sitte System Role

e Scope
e No
otes
An
A Application Catalog web sservice point p provides appliccation
in
nformation forr one or more Application Caatalog website e
Application Cattalog Site or
o points. Since thhis type of info
ormation is rep plicated as glob bal
web
w service point hierarchy data so all App lication Cataloog web service e points provid de the
ame informatio
sa on, you can innstall this role iin a single site or in
multiple
m sites fo
or load balanc ing.
(continued)
Site System Role Scope Notes
Application Catalog Site or An Application Catalog website point displays global data
website point hierarchy retrieved from an Application Catalog web service point. Since
this is global data all Application Catalog website points
provide the same information, you can install this role in a
single site or in multiple sites for load balancing.
A distribution point provides support based on the site

boundary groups it belongs to. You can install multiple
Distribution point Site
distribution points in a single site for load balancing or to
provide intranet and Internet support from separate servers.
A fallback status point allows clients that cannot communicate

Site or with a management point to send state messages to the site.
Fallback status point
hierarchy This information is replicated as site data and is available in
reports at the central administration site.
A management point is used by the clients to communicate

with their assigned site. You can install multiple management
Management point Site
points in a single site to provide load balancing or to provide
intranet and Internet support from separate servers.
An enrollment point is used to create mobile device and Intel

Enrollment point Site Active Management Technology (AMT) device objects in a
site. One enrollment point can be configured per site.
An enrollment proxy point allows mobile devices and AMT

Enrollment proxy
Site devices to join a site. One enrollment proxy point can be
point
configured per site.
An out of band service point allows you to manage AMT

devices that are offline by using out of band management.
Out of band service
Site The out of band service point can be installed once per
point
primary site and must be installed in a primary site that also
contains the enrollment point role.
A reporting services point installed in a primary site rather

Reporting services Site or than the central administration site can display data from that
point hierarchy primary site only. That includes global data replicated to the
site as well as site data.
A software update point is used to synchronize the metadata

about software update information. Install a software update
Software update
Site point in the central administration site to synchronize with
point
Windows Software Update Services and in all primary sites
that will use the software updates feature.
A state migration point temporally stores user data during

State migration point Site certain OSD processes. You can configure multiple state
migration points in a site.
A System Health Validator point is used with network access

System Health Site or protection. Only one System Health Validator point is required
Validator point hierarchy in the hierarchy; however, multiple System Health Validator
points can be installed for load balancing.
Question: Why would you install a reporting services point in several primary sites and not
just one in the central administration site?
Lab B:
B Installling a Primary
P Site in aan Existting Hie
erarchy
La
ab Setup
Fo
or this lab, you
a virtua
n the lab, you must
co
1.. In Hyper-V Manager, verify that 10748
8A-NYC-DC1- A, and 10748A-NYC-CAS-A
A are still runn
ning.
2.. In Hyper-V Manager, click 10748A-NY

YC-CFG-A, and
d in the Action
ns pane, click S
Start.
3.. In the Actio

ons pane, click
4.. Log on usin

ng the followin
ng credentials:
User na
ame: Adminisstrator
Passwo
ord: Pa$$w0rd
d
Domain: Contoso
5.. Repeat step
ps 2 through 4 for 10748A-L
LON-CFG-A.
La
ab Scenario
o
ou are the network administtrator for Conttoso, Ltd. Conttoso wants to deploy System
Yo m Center 2012
M in a complex
c hierarrchy with a cen
ntral administrration site, two
o primary sitess, and a
econdary site.
se
Thhe central adm
ministration site
e has been already deployed d. You need to o perform the installation of a
Syystem Center 2012
2 Configurration Manage er primary site in the existing
g hierarchy by::
1.. Installing a primary site in

n an existing hierarchy.
h
2.. Validating the
t installation
n.
3.. g the installation of a primarry site.

Automating
Exercise 1: Installing a Primary Site in an Existing Hierarchy

Scenario
You need to install a Configuration Manager 2012 primary site in New York with the site code NYC on the
NYC-CFG.contoso.com server. The primary site will be installed as a child site of the existing central
1. Run the Setup for Configuration Manager 2012.
2. Run Installation Prerequisite Check, and verify that the prerequisites are met.
3. Run the Setup again, and select the option to install a Configuration Manager 2012 primary site in the
existing hierarchy.

1. On NYC-CFG, navigate to the E:\ConfigMgr2012\ folder.
X Task 2: Run Installation Prerequisite Check, and verify that the prerequisites are met
X Task 3: Run Setup to install a Configuration Manager 2012 primary site in the
existing hierarchy
following settings to install a primary site in the existing hierarchy.
On the Getting Started page, select Install a Configuration Manager primary site.
On the Product Key page, select Install this product as an evaluation, and then click Next.
On the Prerequisite Licenses page, under Microsoft SQL Server 2008 R2 Express select I
accept these License Terms, under Microsoft SQL Server 2008 Native Client select I accept
these License Terms, under Microsoft Silverlight 4 select I accept these License Terms and
automatic updates of Silverlight, and then click Next.
specify the E:\ConfigMgr2012\Redist as the location.
Site code: NYC
Site name: New York Primary Site

Install the Configuration Manager console: checked
On the Primary Site Installation page, select Join the primary site to an existing hierarchy,
and then type the name of the central administration site server NYC-CAS.Contoso.com.
On the Site System Roles page, verify that both Install a management point and Install
a distribution point options are selected, and then verify that in both FQDN text boxes,
NYC-CFG.Contoso.com appears.
to join the program at this time.
On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click
Begin Install.
3. Wait for the installation to finish, and then close the Setup Wizard and the System Center 2012
Configuration Manager Setup screen.
Results: At the end of this exercise, you should have installed a System Center 2012 Configuration
Manager primary site in an existing hierarchy.

Scenario
You installed the first primary site in the Contoso Configuration Manager 2012 hierarchy.
You need to validate the installation of the System Center 2012 Configuration Manager primary site
installation.
1. View the Site Status and Component Status.

4. Review the available site system roles.
X Task: View the Site Status and Component Status

2. In the Configuration Manager console, in the Monitoring workspace, under Site Status node, view
the status of each site system role.
3. Under the Component Status node, view the status of each component.
1. Select the Site Status node, and then, in the results pane, select Site server.
3. In the Status Messages: Set Viewing Period dialog box, accept the defaults, and then click OK.
4. In the Configuration Manager Status Message Viewer, double-click on any message, and then
review the details of the status message. Use the Next and Previous buttons to view additional status

1. Navigate to drive C, and then in the root folder in Notepad, open the ConfigMgrPrereq.log file.
Review the file, note any errors or warnings reported by Prerequisite Checker, and then close
Notepad.
2. Open the ConfigMgrSetup.log file in Notepad. Review the file, note any errors or warnings reported
by Setup, and then close Notepad.

1. In the Configuration Manager console, in the Administration workspace, expand Site
Configuration, and then select Servers and Site System Roles.
2. In the results pane, select NYC-CFG.contoso.com, and then in the preview pane, review the roles
installed on the server.
3. In the results pane, right-click on NYC-CFG.contoso.com, and then select Add Site System Roles.
4. On the System Role Selection page, review the roles available for install.
Note When you install certain site system roles, including Asset Intelligence
synchronization point, software update point, and Endpoint Protection point, as part of a
hierarchy, you cannot install them in a primary site but have to install them at the central
5. Cancel the Add Site System Roles Wizard.
Results: At the end of this exercise, you will have validated the installation of System Center 2012
Exercise 3: Automating the Installation of a Primary Site

Scenario
You installed the central administration site and the first primary child site in the Contoso network
environment. You now need to install a second Configuration Manager 2012 primary child site by using
the automated method, which is performing a scripted installation. The site will be installed in London
with the site code LON on the LON-CFG.contoso.com server.
1. Review the content of the installation script.
2. Run the Setup for Configuration Manager 2012, and use the script option.
X Task 1: Review the content of the installation script

1. On LON-CFG, in Windows Explorer navigate to E:\ConfigMgrSetup and open the
ConfigMgrAutoSave_LON.ini file.
2. Review the content of the file, and then close the viewer:
[Identification]
[Options]
ProductID=EVAL
SiteCode=LON
PrerequisiteComp=1
PrerequisitePath=E:\ConfigMgr2012\Redist
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
DatabaseName=CM_LON
SQLSSBPort=4022
X Task 2: Run the Setup for Configuration Manager 2012 and use the script option
1. On LON-CFG, open a Command Prompt window.
2. At the command prompt, type the following commands, pressing Enter after each line:
e:
cd ConfigMgr2012\smssetup\bin\X64
setup /script E:\ConfigMgrSetup\ConfigMgrAutoSave_LON.ini
Note The Configuration Manager Setup will run in unattended mode. The installation
process may take up to 30 minutes. You can use Windows Task Manager to keep track of
the progress. When you see CcmExec.exe as a running process, the setup is complete.
Manager primary site in an existing hierarchy using the automated setup method.

Lesson 5
Deploy
ying Secondary
y Sites
If yo
ou have clientss in remote loccations that arre connected t o the primary site servers lo
ocation by loww-
banndwidth netwo m decide to install secondaary sites to maanage the tran
ork links, you may nsfer of client d
data
and deployments. In this lesson, you will revie ew the installattion process fo
or a secondaryy site.

Describe the characteristicss of a secondarry site.
Determine wh
hen you need to install a seccondary site.
Describe the process for insstalling a secon

ndary site.
Describe the site system roles that can be

e installed in a secondary sitee.
What
W Is a Secondary
S Site?
When
W you have
e clients in rem
mote locations and you wantt to manage cl ient-to-server communicatio
on
accross slow netw
work links, you
u have the opttion to install a secondary sitte.
A secondary site
e:
Cannot perrform local adm
ministration ta
asks. A secondaary site does n
not provide connectivity for the
Configuratiion Manager console.
c
Uses SQL Se erver Express oro a local insta

ance of SQL Seerver. Seconda ry sites now use SQL Server to store
information n. If a local SQL Server instannce is not alreaady installed, tthe Create Seccondary Site W
Wizard
can install SQL
S Server Exp press as part of the secondarry site installattion.
Receives a subset
s of glob
bal data from the
t primary sit e using SQL reeplication.
Replicates information
i to
o its primary sitte using file-baased replicatio
on.
Routes file--based content to other seco

ondary sites.
Deploys a management
m point
p nt automaticallly that is manaaged from its parent
and a disstribution poin
primary site
e.
Ea
ach primary sitte can supportt up to 250 seccondary sites.
Ea
ach secondaryy site can support communiccations from up p to 2,500 clieents, however, the total number of
clients assigned
d to a primary site even with multiple child
d secondary sittes cannot be more than 100 0,000
clients.
De
etermining
g When to Install a Secondary
S Site
You
u should installl a secondary site
s only if you u need to man age the transffer of client daata and
dep
ployments bi-d directionally accross low banddwidth networkks. Managing client data transfer includes
mannaging the dow wnload of policies from the management point to the cclient in additio on to managin ng the
uplo
oad of hardwa are and software inventory and other type s of client-gen nerated data frrom the client to
the management point. Managing the client data transfers for clients witthin the bound daries of a
seco
ondary site is possible
p becauuse the management point in nstalled in thee secondary sitte acts as a pro
oxy for
the management point in the parent
p primary site.
Because a secondary site also inncludes a distriibution point o

on its site servver, you can co
ontrol the transsfer of
the deployment-rrelated files inccluding applicaations, packag
ges, software u updates, and ooperating syste
em
images.
A se
econdary site does
d not proviide local conneectivity for thee Configuration Manage con nsoles. You nee
ed to
mannage the seconndary site by connecting
c witth the console to the parent primary site.
In
nstalling a Secondarry Site
Se
econdary sites are installed from
f the prima
ary site that w ill be the secondary sites parent. Once installed,
he parent for a secondary sitte cannot be changed witho ut reinstalling the secondaryy site. Before installing
th
th
he secondary site,
s there are a few preparattion steps thatt need to be co ompleted:
Prepare the
e intended seccondary site se
erver with the aappropriate prrerequisites.
Decide whe ether to use SQ

QL server or SQ using SQL Express, you can p
QL Express. If u preinstall SQL Express
on the intended secondary site server.
Add the priimary site servver computer account
a to thee local Adminisstrators group of the new se
econdary
site server.
The user do
oing the installation requiress:
Local Administrator
A rights
r on the intended secon
ndary site com
mputer.
Local Administrator
A rights
r on the remote
r site dattabase server ffor the primarry site, if it is re
emote.
Infrastrructure Admin
nistrator or Full Administrato
or security role on the parentt primary site.
t account ussed for site to site communiccations. The acccount used fo
Decide on the or site to site
communica ations must haave local admin nt site. By default, the parentt site
nistrator rightss on the paren
computer account
a is used
d.
After the serverr is prepared, you

y start the se econdary site iinstallation fro
om within the C Configuration
Manager
M conso ole by using thee Create Seco ondary Site W
Wizard. After co ompleting the e wizard, you ccan
monitor
m the proogress of the in
nstallation in the
t Configurattion Manager cconsole. With the secondaryy site
se
elected, click on
o the Show In nstall Status button
b on the ribbon to mon nitor the installation progresss.
The following table lists the steps of the Create Secondary Site Wizard, and the information that you input
for each step.
Welcome This page briefly describes the Create Secondary Site Wizard, and lists the
site that will be the parent for this secondary site. There is no input on this
page; however, you should verify the correct parent site is displayed before
continuing.
Site Identity Configure the site code, the FQDN of the intended secondary site server,
the site name, and the installation directory.
Installation Source Files You need to specify where the files will be installed from. You have the
option to copy the files from the parent site to the secondary site, use the
source files from a network location, or use source files that are already
available locally on the secondary site server.
SQL Server Settings You have two choices:

Install and configure a local copy of SQL Express on the secondary site
computer. This choice has the following options:
SQL Server Service port: the default is TCP port 1433, but you can
configure another port.
SQL Server Broker port: the default is TCP port 4022, but you can
configure another port.
Use an existing SQL Server instance. This choice has the following
options:
SQL Server FQDN: the default is the intended secondary site server.
SQL Server instance: the SQL default instance is the default.
ConfigMgr site database name: the default is CM_<site code>.
SQL Server Broker port: the default is TCP port 4022. You must
specify the correct port, or data replication will fail between this
secondary site and the parent site.
Site to Site The default setting is Use this primary site server computer account. You
communication can specify a different user account.
Boundary Groups You should identify the boundary groups on which this distribution point
will be available.
Question: How can you accelerate the installation of a secondary site?

Configuring
C g a Second
dary Site
A secondary sitee in a hierarchy can support a limited num mber of the opptional configu uration manager roles
th
hat are available. The following table showws the optionall roles that youu can install in
n a secondary ssite and
whether
w they prrovide site only functionalityy or hierarchy--wide function
nality.
Site System Role Scope Notes

A distributio on point is insttalled by defau
ult when a seco
ondary
Distribution point
p Site
site is install ed.
A managemment point is in nstalled by default when a

Managementt point Site
secondary siite is installed.
A software u
update point ccan be installed
d in a secondaary site
Software update point Site
when data t ransfer across the network is slow.
A state migrration point caan be installed in a secondarry site to

State migratio
on point Site
support OSDD operations in n a remote loccation.
A System Heealth Validatorr point can be installed in a

System Healthh
Hierarchy secondary siite to support NAP operatioons in a remote e
Validator poin
nt
location.
Question: When
W would you
y install a sta
ate migration point in a seco
ondary site?
Lab C: Installing a Se
econdary
y Site
Lab
b Setup
m enviro
ust
com
M verifyy that 10748A-NYC-DC1-A, 10748A-NYC
C-CAS-A, and
10748A-NYC C-CFG-A are sttill running.
M click 10748A-TOR-
1 -CFG-A, and th
hen in the Acttions pane, clicck Start.
3. If you receive
e a message thhat not enough h memory is avvailable to starrt the virtual m
machine, shut d
down
10748A-LON N-CFG-A if it iss still running.
User nam
me: Administra
ator
Password
d: Pa$$w0rd
Domain: Contoso
Lab
b Scenario
You
u are a network
k administratoor for Contoso,, Ltd. Contoso wants to deplloy System Cen nter 2012
Connfiguration Ma
anager in a com
mplex hierarchhy with a centrral administrattion site, two p
primary sites, aand a
seco
ondary site.
Previously, you installed the central administration site and two primary sites. You need to install a
secondary site under existing New York primary site by:
1. Configuring prerequisites.
2. Installing a secondary site from a primary site.
3. Validating the installation.

Exercise 1: Configuring Prerequisites

Scenario
You need to validate that the prerequisites required for the installation of the secondary site are
configured correctly on the server.
1. Launch Server Manager.
2. Verify that Web Server (IIS) and related role services are installed.
3. Verify that the BITS and Remote Differential Compression features are installed.
4. Add the primary site server computer account to the local Administrators group.
5. Verify that .NET Framework 4.0 is installed.
X Task 1: Launch Server Manager

On TOR-CFG, start Server Manager.
X Task 2: Verify that Web Server (IIS) and related role services are installed
In the Server Manager console, under the Roles node, scroll to the Web Server (IIS) section, and
then verify that the following features are installed:
ASP.NET
X Task 3: Verify that the BITS and Remote Differential Compression features are
installed
In the Server Manager console, under the Features node, verify that the following features are
installed:

X Task 4: Add the primary site server computer account to the local Administrators
group
1. In the Server Manager console, expand Configuration, expand Local Users and Groups, and then
select the Groups node.
2. Add the computer account of the primary site server NYC-CFG to the local Administrators group.
Note During a secondary site installation, SQL Server Express can be installed as part of
the Create Secondary Site Wizard if a SQL instance is not already installed on the server.
Results: At the end of this exercise, you should have validated the prerequisites for installing a System
Center 2012 Configuration Manager secondary site.
Exercise 2: Installing a Secondary Site from a Primary Site

Scenario
You need to perform the installation of the secondary site in the Toronto branch office with the site code
TOR on the TOR-CFG.contoso.com server by running the Secondary Site Installation Wizard from the New
York primary site.
The task for this exercise is to run the Secondary Site Installation Wizard to install a secondary site from a
primary site.
X Task: Run the Secondary Site Installation Wizard

1. On NYC-CFG, start the Configuration Manager console.
2. In the Configuration Manager console, in the Administration workspace, under Site Configuration,
select the Sites node.
3. In the results pane, select NYC --- New York Primary Site, and then, on the ribbon, click Create
Secondary Site.
4. In the Create Secondary Site Wizard, use the following settings to install a secondary site.
On the General page, configure the following options:
Site code: TOR
Site server name: TOR-CFG.Contoso.com
Site Name: Toronto Secondary Site
On the Installation Source Files page, select the option Copy installation source files over the
network from the parent site server.
On the SQL Server Settings page, select the option Install and configure a local copy of SQL
Server Express on the secondary site computer, and then verify that the following information
is specified:
SQL Server service port: 1433
SQL Server Service Broker Port: 4022
On the Distribution Point page, accept the default settings.
On the Drive Settings page, accept the default settings.
On the Content Validation page, accept the default settings.
On the Boundary Groups page, accept the default settings.
Finalize and close the wizard.
Note When the Create Secondary Site Wizard completes, the installation will continue
in the background on the target server. To validate the installation, verify the installation
logs in the next exercise.
5. In the Configuration Manager console, select TOR --- Toronto Secondary Site, and then, on the
ribbon, click the Show Install Status button. Review the progress of installation actions, click Refresh
to monitor status, and then close the dialog box. It takes approximately 15-20 minutes for installation
to complete.
secondary site.

Scenario
You need to validate the installation of the secondary site. You will review the setup log found on the
secondary site server after installation and view the system status of the secondary site using the
Configuration Manager console connected to the parent primary site.
1. View the setup logs.
2. View the system status for the new secondary site.
X Task 1: View the setup logs

On TOR-CFG, open Windows Explorer and navigate to drive C, and then open the
ConfigMgrSetup.log file in Notepad. Review the file, note any errors or warnings reported by Setup,
and then close Notepad.
X Task 2: View the system status for the new secondary site
1. On NYC-CFG, in the Configuration Manager console, in the Monitoring workspace, under Site
Status node, view the status of the site systems for TOR-CFG.
2. Under the Component Status node, view the status of the components for TOR-CFG.
3. Under the Database Replication node, view the status of the replication link between NYC and TOR.
It should show that the link is active.
4. Under the Site Hierarchy node, view the site hierarchy diagram. On the NYC icon, click the plus sign
to view TOR.
Note The secondary site status can be viewed at the parent primary site and at the central
administration site. It may take some time until the installation finishes and the secondary
site status appears in the console.
Results: At the end of this exercise, you should have validated the installation of a System Center 2012
Configuration Manager 2012 secondary site.

following steps:
2. In the Virtual Machines list, right-click 10748A-NYC-DC1-A, and then click Revert.
4. Repeat steps 2 and 3 for 10748A-NYC-CAS-A, 10748A-NYC-CFG-A, 10748A-LON-CFG-A, and

10748A-TOR-CFG-A
Modulle Revie
ew and Takeaw
ways
Rev
view Questiions
1. What roles ca
annot be installed in the cen
ntral administraation site?
2. What roles ca ary site when t he primary site is part of a h

annot be installed in a prima hierarchy?
3. How can you install a secon
ndary site?
Too
ols
The tools in the fo
ollowing table are useful durring the Config
guration Manaager deployme
ent process.
To
ool Use Where to find it
Exxtadsch.exe To extend the Active Dire

ectory schema Configuraation Managerr installation m
media
in the \sm
mssetup\bin\x6
64\ folder
Ld
difde.exe As an altern
native method for extending
g Built in W
Windows tool
the Active Directory
D schem
ma
Se
etupDL.exe To pre-dow wnload updated componentss Configuraation Managerr installation m
media
required forr Configuration Manager in the \sm
mssetup\bin\x6
64\ folder
installation
Prereqchk.exe To verify a system

s is readyy to have Configuraation Managerr installation m
media
Configuratioon Manager in nstalled on it in the \sm
mssetup\bin\x6
64\ folder
5-1
Module 5
Data Replication and Content Management
Contents:
Lesson 1: Introduction to Data Types and Replication 5-3
Lesson 2: Monitoring and Troubleshooting Data Replication 5-17
Lab A: Monitoring and Troubleshooting Data Replication 5-23

Lesson 3: Planning for Content Management 5-28
Lesson 4: Configuring and Monitoring Content Management 5-49
Lab B: Configuring Content Management 5-65

5-2 Data Repliccation and Content Management
M
Module Overrview
In a multiple-site Microsoft Sysstem Center 2012 Configuraation Managerr environment,, data is transfferred
betwween sites to allow
a w data transfer
for centrralized adminisstration and reeporting. Undeerstanding how
worrks helps you monitor
m the daata flow in you
ur Configuratio on Manager hiierarchy and trroubleshoot
repllication issues.
Connfiguration Ma anager 2012 usses database replication and

d file-based traansfer to transffer data betwe
een
sitess. The data transfer method used dependss on the type oof data being ttransferred.
In th
his module, yo
ou will review the
t different tyypes of data trransferred betwween sites, inccluding global data,
site data, and con
ntent. You will also examine where
w data is ccreated and h ow it is replicaated to other ssites
in a Configuration
n Manager hie erarchy. Additio
onally, you willl use the featu
ures in the Con nfiguration
Man nager console to monitor an nd troubleshoo
ot replication.
Connfiguration Maanager 2012 re elies on the disstribution poin

nt infrastructurre to provide ccontent
man nagement funcctionality. In th
his module, yoou will review tthe content m anagement fe eatures, plan th
he
configuration of distribution
d po
oints, and distribute and mon nitor content. You will also pperform content
valid
dation and content prestaging.

Describe site and global data types and how

h data is rep
plicated throug
ghout the hierrarchy.
Monitor and troubleshoot data
d replicatio
on.
Plan for conte

ent manageme
ent.
Configure and monitor con

ntent managem
ment.
Lesson
n1
Introd
duction
n to Datta Typess and Re
eplicatiion
M 2012 data that is trransferred betwween sites is caategorized in tthree data typpes:
global data, site
e data, and con ntent. Dependding on its typee, some data iss copied to all sites; other daata is
coopied to only some
s sites in the
t hierarchy. By B understand ding each dataa type, where itt is created, ho
ow it is
trransferred, and
d where it is ussed, you can effficiently moniitor and troub
bleshoot Config guration Manaager
in
nter-site comm munication.
In
n this lesson, yo
ou will review where each off these types o each is used in a
of data is creatted and how e
M hierarchy.
After completin
ng this lesson, you
y will be able to:
Describe th
he different typ
pes of data use
ed by Configu ration Manageer 2012.
Describe th
he concept of global
g data an
nd how is repliccated through
hout the hierarrchy.
Describe th
he concept of site
s data and how
h is replicateed throughout the hierarchyy.
Describe th
he content type
es and how co
ontent is transfferred between sites and in tthe same site.
M
Ov
verview of Data Type
es
Systtem Center 2012 Configuration Manager uses

u the follow
wing types of d
data to commu
unicate between
sitess:
Global data, which
w consists of objects cre
eated by an ad
dministrator at the central ad
dministration ssite or
at primary sites
Site data, whiich is operational informatio
on automaticallly generated b
by primary site
es and by the cclients
assigned to primary
p sites
Content, whicch consists of content
c files used by deployyments
Deppending on its type, data can n be used in th
he local site on
nly or can be replicated to other sites in th
he
hierrarchy. The admministrator determines wherre content is trransferred by cconfiguring co
ontent distribu ution.
Connfiguration Ma anager 2012 usses different re
eplication metthods, depend ent on the datta type being
repllicated.
The following table summarizess the three datta types, wheree they are creaated, and the rreplication me
ethods
used
d.
Da
ata type Where
W it is cre
eated Where it iss transferred Rep
plication meth
hod
Global data At the central administration To the cen ntral administrration Daatabase replicaation
site and at priimary sites site and a ll primary sitess. A
subset of global data is
transferreed to secondarry sites
Siite data At primary sites To the cen

ntral administrration Daatabase replicaation
site
At secondary sites To the pa rent primary ssite File-based transffer
Content At primary sites and at the Distributioon points in th he same File-based transffer
central adminnistration site site or chiild sites in a hi erarchy
Database Replication
Configuration Manager 2012 database replication is a custom replication method implemented in
Configuration Manager 2012. Traditional replication methods included in SQL Server, such as
transactional replication, are not used in Configuration Manager 2012. You do not need to install
SQL Server replication components.
Configuration Manager database replication uses SQL Server Service Broker to transfer data between
SQL Server databases installed in different sites in a hierarchy.
By default, the Configuration Manager database replication mechanism uses the following ports to
transfer data:
Port 1433 for the SQL Server
Port 4022 for the SQL Server Service Broker
These ports can be changed during site installation in the System Center 2012 Configuration Manager
Setup Wizard.
File-based Replication
File-based replication between Configuration Manager 2012 sites uses the same mechanism as
Configuration Manager 2007 replication, which is based on the Server Message Block (SMB) protocol and
based on senders.
Note A sender is the communication mechanism implemented in Configuration Manager

used to transmit data between sites and control bandwidth usage. The sender uses Server
Message Block (SMB) as the underlying communication protocol. Unlike Configuration
Manager 2007, Configuration Manager 2012 supports only a single type of sender, the
standard sender.
Configuration Manager 2012 secondary sites use file-based replication to transfer site data to their parent
primary site. File-based replication is also used to transfer fallback status point state messages to the
assigned site when only a single fallback status point is in use in a hierarchy and for the initial transfer of
discovery data records to the assigned site.
The following table summarizes data types that are transferred using file-based replication between sites.
Data Destination
Package files used by Sent to distribution points located in primary and secondary sites.
deployments
Secondary site data Sent to the primary site (parent) of the secondary site.
Fallback status point state Forwarded to the assigned site when only a single fallback status
messages point is in use in a hierarchy.
Discovery data records Forwarded to the assigned site when clients are not assigned to the
site that discovered them. The discovery data record is processed
locally at the assigned site, and then the information is replicated
using database replication to other sites in the hierarchy.
Data collected from clients at Transferred via file-based replication to parent primary site.
secondary sites
M
Glo
obal Data
Globbal data consissts of objects created

c by adm ministrators att the central ad
dministration ssite or at primaary
sitess. Administrato
ors can create global data ussing the Config guration Manaager console cconnected to tthe
centtral administraation site or to
o primary sites.
An example
e of glo ollection rules. Collection rulees contain thee membership rules defined by
obal data is co
the administrator for each colle
ection. Collectio
on rules definnitions are repllicated throughout the hieraarchy
and evaluated at each site to deetermine the liist of collection
n members.
In contrast, the lisst of collection members is site data. You ccan see an exp
planation of co
ollection memb
bers
in th
he next topic.
Global data is repplicated automatically from the central adm ministration sitte to all primary sites. A subsset of
globbal data is replicated to secoondary sites. Global data is reeplicated betw ween all primary sites in the
hierrarchy in addittion to the cen
ntral administra ation site. Becaause of this, it is seen in the same way by the
admministrator regardless of the site where an administrator connects with h the Configuration Manage er
console. Using the e example abo ove, a collectio
on definition crreated by an aadministrator aat one of the ssites is
repllicated to and is available in all primary sites in the hieraarchy as well a s the central administration site.
The following table lists some examples of global data.
Global data types Usage
Alert rules Alert rules determine when the administrators will be notified for specific
events by specifying the events for which alerts will be raised and for the
recipients who will receive the alerts.
Collection rules Collection rules determine the membership of each collection. Four types
of collection rules exist: direct, query, include, or exclude. The collection
rules are evaluated independently at each primary site.
Deployments Deployment definitions describe the objects associated in a deployment,

including the application to be deployed and the collection to which it is
deployed.
Package metadata Package metadata contains information about the software and the source
files used in a deployment, platforms on which the software can be
deployed, as well as other information necessary to perform the
deployment.
Program metadata Program metadata contains information about the command line and
parameters used by Configuration Manager to perform a deployment.
Software update Software update deployment definitions contain information about the
deployments objects used in a software update deployment, including the updates to be
deployed, and the collection to which they are deployed.
Software update Software update metadata contains information about the executable files
metadata included in software updates, platforms to which the updates apply, as well
as language and other information about software updates that is useful
for administrators, like the name, date released and sensitivity.
Configuration item Configuration item metadata contain the definition of configuration items
metadata used to determine the compliance of managed systems with configuration
settings defined by the administrator.
Task sequence metadata Task sequence metadata contains the definition of the task sequence as
individual steps that need to be executed.
Site control definition The site control definition in the database contains information about the
site configuration.
Site servers list Site servers list contains the list of servers and corresponding site system
roles installed in each site.
Role-based Security roles are assigned to administrative users to grant permissions on

administration security object types in the Configuration Manager hierarchy. Security scopes limit
roles, security scopes, and administrative permissions to specific objects in the hierarchy.
administrative users Administrative users associate roles, scopes, and collections to the AD DS
users and groups.
Question: How are collection rules used in a Configuration Manager hierarchy, and how are
they replicated?
M
Site Data
Site data is operattional information automaticcally generateed by Configurration Manage er primary sitess and
by Configuration
C Manager clien nts. After site data
d ginating primary site or secondary
is generatted at the orig
site,, it is replicated
d to the centra
al administration site, but noot replicated too other primarry or secondarry
sitess.
For example, primmary sites use collection

c ruless to determinee collection meembership, the e result of which is
the list of membeers. The list of members
m is an ntains clients assigned to a
n example of siite data. It con
prim
mary site, and it replicates to
o the central ad
dministration ssite.
Hardware and sofftware invento ory is generated dded to each primary sites database, and then
d by clients, ad
repllicated to the central
c adminiistration site.
The following table lists some examples

e of site data.
Sitte data types Usag

ge
Alert messages Alerrt messages are generated b

by site systems at each site.
Collection Collection membe ership lists con

ntain the objeccts that are meembers of the
membership
m ressults colle
ection after evvaluating the ccollection ruless at each primaary site.
Hardware inven
ntory Harddware invento
ory data is colleected by hardw
ware inventoryy client agentss from
da
ata the Configuration Manager clie nts.
So
oftware inventtory Softtware inventorry and meterin
ng data is colleected by software inventory and
an
nd metering data
d softwware metering
g client agentss from the Con nfiguration Maanager clients.
(continued)
Site data types Usage
Asset Intelligence data Asset Intelligence data, which contains additional classes and attributes as
compared with the hardware inventory, is collected by the hardware inventory
client agents from Configuration Manager clients.
Status messages and Status messages are generated by site systems and clients to report status
alerts information to the site server. Alerts are generated by the site server when
specific error conditions, configured by administrators, are encountered.
Software distribution Software distribution status details are generated by clients that report the
status details status of a particular deployment.
Component and site Component and site status summarizers aggregate status messages to
status summarizers determine the overall health status of the site systems and components.
Client health data Client health data is determined by Configuration Manager by using
information such as last connection time, hardware inventory, and software
inventory.
Client health history Client health history contains aggregated information about client health. You
can use client health history to obtain reports about client health over a
specific period of time.
Wake On LAN data Wake On LAN data contains the history of all Wake On LAN operations
performed.
Quarantine client Quarantine client restriction history contains the list of clients that are
restriction history restricted by Network Access Protection.
If the Configuration Manager console is connected to a primary site, you will see only the site data that
has originated from that site or any child secondary site. To see site data from all sites and to perform
administration and reporting for the entire hierarchy, use a Configuration Manager console at the central
You can modify site data only at the primary site where it was created.
Question: To which site should an administrator connect the console in order to view
hardware inventory from all sites?
5-10 Data Replication and Content Management
Co
ontent
Conntent is created
d by Configura ation Managerr administratorrs at the centrral administration site or at
prim
mary sites. Conntent is transfe
erred to site servers and distrribution pointss in the hierarcchy according to
distribution settin
ngs that are configured by ad dministrators.
The file-based rep
plication mech hanism that Coonfiguration M
Manager 2007 u
uses to transfe
er content such
h as
packages between n sites is also used
u in Configuration Managger 2012.
Co
ontent Description
Applications Applicationss contain all ob

bjects used to deploy softwaare, including
application metadata,
m sou rce files, definitions for deplloyment types,
requirementts, superseden ce, and other application settings used to
ware using the new applicatiion model.
deploy softw
So
oftware packages Software pacckages containn source files aand definitionss used to deploy
ng the classic software distriibution model.
software usin
So
oftware update packages Software update packagess contain softwware update m
metadata and
update files used to perforrm update maanagement.
Driver
D packagess Driver packaages contain d river metadataa and driver files and are use
ed for
operating syystem deploymments.
Operating
O syste
em images Operating syystem images contain preco onfigured operrating system
installations and are used for operating system deployyments.
(continued)
Content Description
Operating System Installers Operation system installers contain installation files imported from the
installation media and are used for operating system deployments.
Boot Images Boot images contain the Windows PE environment used to boot
computers and initiate the operating system deployment process.
Question: How is content transferred in the Configuration Manager hierarchy?

Replication of
o Global Data
D
Global data consissts of configurration information created b

by administrato
ors and is replicated to all sittes in
the hierarchy.
Cre
eation of Global Data
Adm
ministrators can create globa al data by usin
ng the Configuuration Manager console con nnected at the
e
centtral administra
ation site or at any primary site.
s The types of global dataa that can be ccreated by anyy
speccific administra
ator depend ono the securityy roles and sco pes assigned tto that administrator:
The hierarchyy administrator can typically create global data in any sitte in the hierarchy.
The primary site

s administra ators usually ha
ave permission ns limited by ssecurity scopess, allowing the
em to
manage objects from only their
t primary site.
s Any objeccts created by primary site administrators are
global data and will replicate to the centrral administrattion site and all other primary sites.
Rep
plication of Global Datta
Global data is rep
plicated to the central administration site aand all primaryy sites in the hierarchy using
data
abase replication. A subset of
o global data is replicated too secondary siites using dataabase replicatioon.
For example: Consider a Configuration Manag ger hierarchy tthat consists o

of the central aadministration
site and two primary sites, Site A and Site B. AnA administrattor creates a co ollection in priimary Site A. T The
colle
ection definitioon, which inclu
udes membersship rules, is reeplicated to th he central admministration site e
and to all primaryy sites in the hiierarchy, includ
ding primary SSite B. The colllection membe ership rules are
evaluated at both h primary sites;; both Site A and Site B deteermine the list of collection mmembers for th heir
resp ased on collecttion membership rules. Colleection membeership, howeve
pective sites ba er, is site data.
Question: If an
a administrattor creates a se
ecurity baselin ns several configuration
ne that contain
items, how is this informatio
on replicated to
t other sites??
Replication
R n of Site Da
ata
Siite data is auto

omatically generated as a ressult of site act ivity. Configurration manage
er administrato
ors can
re
eview and dele b depending on how it wass created, it may be generated again.
ete site data, but
Creation
C of Site
S Data
erated by site systems in eacch site or by C
Siite data is gene Manager clients. For example:
Configuration M
A site serve
er can generate
e an alert if the replication b
between sites iis not function
ning correctly.
A client collects hardware

e and software d sends it to itts assigned primary site.
e inventory and
A client sen
nds status messages related to
t a deploymeent to the prim
mary site.
Replication
R of
o Site Data
Siite data can be
e found at the originating prrimary site andd is replicated only to the ce
entral administtration
sitte using datab
base replication
n. Secondary sites
s use file-baased replicatio
on to transfer ssite data to the
eir
paarent primary site.
Accessing
A Sitte Data
Siite data is available in the Co
M conso
ole and throug gh reports. The e administrator can
acccess site data from a primary site or from the entire hieerarchy, depennding on the lo ocation from wwhich
he reports are run. Hierarchyy administratorrs can access ssite data from all sites in the hierarchy by
th
co
onnecting with h the Configurration Manage er console or b
by running rep ports on a repo orting services point in
th
he central adm ministration site
e. Administrato
ors who conneect with the Co onfiguration M Manager conso ole, or
ru
un reports from m a reporting point in a prim hat contain sitte data from only the
mary site, geneerate reports th
lo
ocal site.
For example, consider a hierarchy that contains a central administration site, primary sites named Site A
and Site B, and a secondary site, Site C, which is a child of Site B. In this scenario, the administrator from
Site A can access only site data from Site A, and the administrator from Site B can access site data only
from primary Site B and its secondary Site C. The administrator from the central administration site can
see site data from all the sites in the hierarchy.
Question: If you need to generate reports that contain site data from all the sites in a
hierarchy, in which site in a Configuration Manager hierarchy do you need to install a
Reporting Services point?
Replication
R n of Content
Content is creatted by Configu uration Managger administrattors and distributed using file-based repliccation
to
o site servers and distribution
n points according to distrib
bution settingss configured byy administrato
ors.
When
W planning for distributin
ng content in a Configuratio n Manager hieerarchy, you need to follow your
orrganization co
ontent lifecycle
e and be able to
t answer the following queestions:
Where conttent is created

d?
Where conttent is distribu

uted?
Where conttent is deploye
ed?
Byy answering thhe questions above, you will be able to de sign your distrribution infrasttructure to best fit
yo
our organizatioon needs. Morre details abou
ut planning forr content man nagement are p presented in LLesson 3,
la
ater in this mod
dule.
Content
C Crea
ation
M administrators can create conten
nt at any primaary site or centtral administration
sitte.
ally placed in the content library located o n the site servver. Content lib
Content is initia brary is a new ffeature
in
ncluded in Con nfiguration Ma anager 2012, which
w implemeents single-insttance storage for content.
Content
C Disttribution
After creating content, the ad dministrator caan distribute th
he content to d distribution po
oints located in the
sa
ame site or othher primary sites and second dary sites. To d e distribution points
distribute conteent to multiple
att the same tim
me, administrators can use disstribution poin nt groups. Wh en a package is distributed to a
diistribution point group, the package will beb transferred to all distributtion points thaat are part of that
group. Using th his approach, administrators
a can make the content availaable in locations in the same e
neetwork locatioon as the clientts in which the
e content is de ployed.
Content is transferred between sites using the standard senders and uses the Server Message Block
protocol. Content is transferred in the same site between the site server and distribution points by using
Package Transfer Manager, which also uses file-based replication and the Server Message Block (SMB)
protocol. For this reason, any firewalls located between sites, and between the site servers and distribution
points, must allow SMB traffic.
The administrator can configure content routing between two secondary sites by configuring the content
to be copied from a secondary site to another secondary site instead of directly copying the content from
the primary site server. This process can reduce the network traffic on the link between a secondary site
and parent primary site if the secondary sites are directly connected using a high-speed network
connection.
Content Deployment
Because deployment definitions are global data and are replicated to all sites in the hierarchy, an
administrator from a primary site can reuse the deployments that an administrator creates in a different
primary site. However, to successfully perform the deployment, and so that the clients can locally access
the content, the content should first be distributed to distribution points in the local primary site.
Configuration Manager clients connect to the closest distribution point that has the content available
using HTTP or HTTPS protocol, download the content, and install it on the local system, according to the
deployment settings received in the policy. Because the transfer from the distribution point to the local
system is performed using HTTP or HTTPS, the traffic can usually pass through any firewalls.
Question: In what scenario is content routing used, and what type of connection between
secondary sites is required?
Lesson
n2
Monitoring and
a Tro
oubleshooting Data Re
eplication
When
W you insta
all a primary sitte or a secondary site in an eexisting Config
guration Manaager hierarchyy,
da
atabase replicaation is configured automatically with the parent site. H owever, you ccan configure ssome
se
ettings for use by the new sitte, such as the
e SQL Server po orts and the SQL Server instance.
Yo
ou can monito or Configuratioon Manager da atabase replicaation in the Coonfiguration M
Manager conso
ole. You
ca
an use tools, su
uch as Replication Link Analyyzer, to troublleshoot the rep
plication proce
ess.

ng this lesson, you
Describe avvailable replica

ation configura
ation settings.
Describe re
eplication mon
nitoring feature
es.
Monitor an
nd troubleshoo
ot replication.
Co
onfiguring Replicatio
on
Connfiguration Maanager replicattion is perform

med through D
Data Replication Service (DRSS). DRS is a cusstom
repllication metho
od based on SQQL Server Servvice Broker and
d is built-into C
Because Configuration Manage er does not use QL Server repliication methods, such as
e traditional SQ
tran
nsactional replication, configuration setting
gs for Configu uration Manager database reeplication are n
not
acce
essible in the SQL
S Managem ment Studio console. Becausee of this, databbase administrators have no
ability to see and, therefore, ma
anage the replication of Con nfiguration Maanager data be
etween sites.
Connfiguration Ma anager databasse replication can be monito ored only in th
he Configuratio
on Manager
console.
Wheen you install a primary site in a hierarchy,, replication is configured au

utomatically between the ne
ew
prim
mary site and the
t central adm ministration sitte.
Similarly, replication is configured automatica

ally between e ach secondaryy site and the p
parent primaryy site
usin
ng the followin ng replication mechanisms:
m
A subset of global data is trransferred from
m the primary site to the seccondary site ussing database
replication.
Site data is transferred betw

ween secondarry site and thee parent primary site using fiile-based
replication.
Content is tra
ansferred from m the parent prrimary site to tthe distribution point in the secondary site
e
using file-bassed replication.
By default,
d databaase replication takes place over ports 14333 and 4022. Th hese ports need to be open in
firew
walls before in
nstalling the ne
ew Configuratiion Manager ssites to allow rreplication betw ween sites. Because
portts are configurrable, you can change their settings
s duringg or after instaallation of the new sites. You
u also
need to ensure th hat the site servver can communicate with tthe site databaase if the site ddatabase is hossted
on a separate servver.
You also need to open ports for file-based replication taking place over SMB. In this case, you need to
configure firewalls to allow SMB traffic between site servers and distribution points.
Most database replication and file-based replication configuration is configured automatically. Unless you
decide to change the default ports for SQL Server and SQL Server Service Broker, you do not need to
perform any configuration for replication when you install a Configuration Manager hierarchy.
Mo
onitoring Replicatio
R n
Youu can monitor replication in the

t Configura ation Manage er console, in tthe Monitorin ng workspace, and
in th
he Database Replication
R noode. You can review
r the linkk statuses for aall replication cconnections. A
repllication link can have one off the following statuses:
Link Active. No
N problems have been dete
ected and com
mmunication accross the link iis current.
Link Degrade ed. Replication is functional, but at least on

ne replication object has beeen delayed. Monitor
links in this sttate, and review
w information
n from both sittes involved foor indications that the link might
fail.
Link Failed. Replication is not functional. It is possible th

hat a replicatio
on link will reccover without
further actionn. Consider using Replicationn Link Analyze r to investigatte and help rem mediate replication
on this link.
Whe en a replicatio
on connection is selected in the
t results pan
ne, detailed infformation is avvailable in the
prevview pane, including:
The configura
ation of the pa
arent and child
d site.
The replicatio
on status and link statuses off all replication
n connections..
Add
ditional inform
mation can be obtained
o by saaving a diagno need to select the replication
ostic file. You n n
connection and thhen click the Save
S Diagnosttic File button
n on the ribbon n. The diagnosstic file is a texxt file
containing detaile
ed informationn about the rep
plication and llinks status.
For further troubleshooting, you plication Link Analyzer, whiich performs a series of testss for
u can use Rep
the replication link:
Checking the SMS_EXECUTIVE on the parrent site serverr
Checking the SMS_EXECUTIVE on child site server

Checking network connectivity between sites
Checking replication queue on the local SQL Server
Checking replication queues on the remote SQL Server
Checking connectivity at site between the local site server to the remote SQL Server
Checking connectivity between the local SQL Server and remote SQL Server
Checking replication initialization on sites
Checking computer clock synchronization between site servers
Checking for a valid SQL Server Service Broker certificate on site servers
Checking for a valid SQL Server Service Broker account on site servers
Checking for free disk space on the SQL Server
You can save the test results as an XML file by clicking the Replication Link Analyzer Report link on the
Troubleshooting Report page.
You also can configure alerts to be generated when the replication link is inactive for a specified interval
of time (by default is set to 30 minutes) from the Replication Status Properties dialog box.
Alerts are displayed in the console if the replication link is inactive for the specified period.
Tro
oubleshoo
oting Repliication
Mulltiple Configurration Manage

er componentss are involved in a database replication. W
What
trou
ubleshooting action(s)
a you perform
p depends on the com mponent(s) thaat fails.
You
u can use troub
bleshooting to eplication Linkk Analyzer, to i dentify the isssue and then
ools, such as Re
perfform the appro
opriate actions to resolve the issue.
on actions that you can perfform are listed

Typical remediatio d in the following table.
Isssue Trouble
eshooting metthod
SM
MSExec servicee stopped on If SMSExec
S stopss responding, restart it on th
he sending or
se
ending or target site tarrget site serverr.
Network
N comm
munication dow
wn Ve
erify network aadapter and drrivers.
Ca
all network suppport/external help.
Connection with SQL Server Re

estart SQL Servvice.
ca
annot be estab
blished Re
estart SQL Servver Service Bro
oker.
Siite server clock

ks are not in syync Ve
erify that domaain controllerss are configure
ed to use a
Ne
etwork Time P rotocol (NTP) server.
Seervice accountts or certificate

e Re
eset the passwo
ord for servicee accounts and
d reissue
issues certificates.
Question: What troublesho ooting steps ca

an you perform
m if SQL conneectivity issues are
reported by Replication
R Lin
nk Analyzer?
Lab A:
A Monittoring and
a Tro
oublesho
ooting Data Re
eplicatio
on
La
ab Setup
Fo
or this lab, you
a virtua
n the lab, you must
co

anager.
2.. In Hyper-V Manager, cliick 10748A-NYC-DC1-C, an

nd then in the Actions pane, click Start.
3.. In the Actio

ons pane, click
4.. Log on usin

ng the followin
ng credentials:
User na
ame: Adminisstrator
Passwo
ord: Pa$$w0rd
d
Domain: Contoso
5.. Repeat step

ps two through
h four for the following
f virtu
ual machines:
10748A
A-NYC-CAS-C
C
10748A
A-NYC-CFG-C
C
La
ab Scenario
o
Yoou are the network administtrator for Conttoso, Ltd. Conttoso has deplo oyed System CCenter 2012
M in a complex
c hierarrchy that inclu des the centraal administratio
on site, two prrimary
sittes, and a seco
ondary site. Yo
ou need to usee the Configuraation Manager console to m monitor data
re
eplication betw ween a primaryy site and the central admin istration site aand to troublesshoot the replication.
Exercise 1: Monitoring Replication

Scenario
You need to use the Configuration Manager console to monitor replication between one primary site and
the central administration site.
1. Review the replication information and configuration settings at the central administration site.
2. Create a custom collection.

3. Monitor the replication of the collection to the primary site.
X Task 1: Review the replication information and configuration settings

1. On NYC-CAS, start the Configuration Manager Console, and then select the Monitoring
workspace.
2. In the Database Replication node, select the CAS to NYC replication link. Verify that the Link State
shows Link Active. If it does not, refresh the results pane.
3. Review the information available in the preview pane, under Replication Status area. Verify that, in
the Site Replication Status section, both Parent Site State and Child Site State have the statuses
display Replication Active.
4. In the Global Data Replication Status section, verify that both Parent Site to Child Site Global
State and Child Site to Parent Site Global State display Link Active status and that the Last
Synchronization Time reflects todays date.
Note If the status of Parent Site to Child Site Global State and Child Site to Parent
Site Global State is Link Inactive, verify that both NYC-CAS and NYC-CFG have started.
To refresh the status, click the CAS to NYC replication link and then press F5.
5. In the preview pane, at the Parent Site tab, review the information available in the Replication
Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
6. In the preview pane, at the Child Site tab, review the information available in the Replication Status
area.

1. In the Configuration Manager console, click the Assets and Compliance workspace, and then select
the Device Collections node.
2. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts. Create a
device collection with the following attributes:
Name: New York Computers.
Limiting collection: All Systems.

Create a Direct Rule and search for System Resources with the name like NYC%.
Select NYC-CAS and NYC-CFG as direct members.

X Task 3: Monitor the replication of the collection to the primary site

2. In the Configuration Manager console, in the Assets and Compliance workspace, select the Device
Collections node.
3. Verify that the New York Computers collection appears in the list of device collections.
4. Right-click the New York Computers collection and then click Show Members. Notice that a new
node appears in the navigation pane under Devices. Notice also that the members of the collection
appear in the results pane.
Results: At the end of this exercise, you should have verified the replication between the central
administration site and a primary site in a Configuration Manager hierarchy.
Exercise 2: Troubleshooting Replication

Scenario
You need use the Configuration Manager console to troubleshoot the replication between a primary site
and the central administration site.
1. Configure in-console alerts for monitoring replication.
2. Stop the SMS_EXECUTIVE service on NYC-CFG.

3. Troubleshoot the replication issue.
4. Resolve the issue and verify that replication is functioning correctly.
X Task 1: Configure in-console alerts for monitoring replication

1. On NYC-CAS, In the Configuration Manager console, in the Monitoring workspace, select the
Database Replication node.
2. Access the Properties of the CAS to NYC replication link.
3. In the Replication Status Properties dialog box, verify that Generate an alert when this
replication link is not working for a specified period of time is selected.
4. Change the value of the Number of minutes to 3 minutes.
X Task 2: Stop the SMS_EXECUTIVE service on NYC-CFG

1. On NYC-CFG, from Start, Administrative Tools, start the Services console.
2. In the Services console, stop the SMS_EXECUTIVE service.
3. In the Service Control window, wait for the service to stop. Wait at least 3 minutes before continuing
to the next task.
X Task 3: Troubleshoot the replication issue

1. On NYC-CAS, browse to C:\Program Files\Microsoft Configuration Manager\tools\ and then
start CMTRACE.exe. Associate CMTRACE.exe with all log files and then close the tool.
2. On NYC-CAS, in the Configuration Manager console, in the Alerts node, select the alert named
Replication link down between parent site and NYC and then on the ribbon, click Configure.
3. In the Replication link down between parent site and NYC Properties dialog box, verify that
Minutes replication link connectivity down greater than has a value of 3.
4. In the Assets and Compliance workspace, select the Device Collections node.
5. Access the Properties of the New York Computers collection, and change the name of the
collection to New York Servers.
6. In the Monitoring workspace, in the Database Replication node, select the CAS to NYC replication
connection.
7. Verify that the status of the replication link is either Link Degraded or Link Failed. Press F5 if
required to refresh the status.
8. Right-click the CAS to NYC replication link, and then click Save Diagnostics Files.
9. Save the file with the name Replication Diagnostics in drive C.
10. In Windows Explorer, browse to drive C, and then open the file Replication Diagnostics in
Notepad.
11. Review the content of the file. Note that the Parent Site to Child Site Global State shows the status
of Link Failed or Link Degraded. Close Notepad.
X Task 4: Resolve the issue and verify that replication is functioning correctly
1. On NYC-CAS, right-click the CAS to NYC replication link, and then click Replication Link Analyzer.
2. Replication Link Analyzer starts detecting problems.
3. In the Replication Link Analyzer window, on the Restart the SMS_EXECUTIVE service on
NYC-CFG.contoso.com page, click Restart the SMS_EXECUTIVE service. Wait for the operation to
finish.
4. In the Replication Link Analyzer window, on the Successfully restarted the SMS_EXECUTIVE service
on NYC-CFG.contoso.com page, click Continue.
5. Wait for the operation to finish, and then on the Troubleshooting Report page, click the link under
Replication Link Analysis Report. The content of ReplicationAnalysis.xml opens in Internet
Explorer. (Note: based upon timing you may still have issues detected, if issues are detected first click
the Check to see if the problem is fixed link).
6. Review the content of the file, and then close Internet Explorer.
7. In the Replication Link Analyzer window, click the link under Replication Link Analysis Log. The
content of ReplicationLinkAnalysis.log opens in Configuration Manager Trace Log Tool.
8. Review the content of the file, and then close Configuration Manager Trace Log Tool.
9. In the Replication Link Analyzer window, click Close.
Results: At the end of this exercise, you should have performed troubleshooting replication.

When you finish this lab, leave the virtual machines running.
Lesson 3
Planning for Content
C t Manag
gementt
Systtem Center 2012 Configuration Manager provides

p conteent managemeent functionaliity that you caan use
to create,
c distribute, and monito
or content.
Conntent managem ment feature relies on distrib

bution points aas the core commponents of tthe distribution
n
infra
astructure. Disstribution poin
nts in Configura
ation Manageer 2012 includee new featuress such as conte ent
valid
dation and content prestaging. In this lessson, you will reeview these neew features andd learn about
plannning a conten nt-management infrastructure.
You n how to plan for managing network band

u will also learn ou will discuss the prerequisiites
dwidth, and yo
for implementing your content management infrastructuree.
Afte
ou will be able to:
Describe Con
nfiguration Manager 2012 co
ontent manageement featurees.
Describe distrribution point features.

Cache integrattion.
Plan BranchC
Plan Distributtion Point grou

ups.

12 content libraary functionality.
Plan content distribution in ons.
n multiple-site implementatio
Plan content validation and

d content presttaging.
Plan distributtion point placcement and co

onfiguration.
Plan network bandwidth management.
Describe the prerequisites for

f content ma
anagement.
Configurat
C ion Manag
ger 2012 Content
C M
Managemen
nt Feature
es
Compared to previous version

ns, Configuration Manager 22012 includes new or improvved content
management
m fe
eatures that he m content ma nagement tasks more efficie
elp you perform ently.
Feature Use
Single Configuraation Managerr 2012 now haas a single distrribution point type, based o on
distribution Internet Information Se ervices (IIS).
point type on points can be installed o n supported o
Distributio operating syste ems including
workstatioons and serverrs.
Distributio
on points inclu ude new featu ures for schedu uling the file trransfer from sitte
server to distribution po oint and for baandwidth thro ottling.
on points inclu
Distributio ude the abilityy to prestage ccontent in remote locations
connected d by low-band dwidth networrk links.
Distributio
on points inclu ude the PXE seervice point features. Windo ows Deployment
Services (W
WDS) is a requ uired prerequi site.
The same e certificate is used
u for PXE aand distribution point, which h reduces the
configuraation effort.
Content library Content library is the ne

ew file store fo
or all content ffiles, implemen
nted in Config guration
Manager 2012.
Content library is locate
ed on the site server and eacch distributionn point.
Content library implements the singlee instance storre concept, wh here a file that is
included in multiple packages is storeed only once i n the file systeem.
(continued)
Feature Use
Content Distribution points have configuration settings that allow administrators to specify the
storage disk drive(s) to use for content storage.
placement
Content Configuration Manager 2012 distribution points include a content validation feature
validation that is used to verify the integrity of the packages located on the distribution point.
Content validation can be run on a schedule or can be initiated manually.
Pre-staging Content prestaging is used to transfer content form the site server to distribution
content point using an offline transport method to avoid the transfer of content over low-
bandwidth networks.
Administrators create prestaged content files that contain packages, operating system
images, or other types of content, all taken from the site server.
The prestaged content files are then transferred offline and imported on the remote
distribution points.
Content Configuration Manager 2012 includes new features for monitoring content.
monitoring When content is distributed to distribution points, the content status can be
monitored in the Configuration Manager console.
The status of distribution point groups and of distribution point configuration also can
be monitored in the Configuration Manager console.
Bandwidth Distribution points now have settings to control the bandwidth from the site server to
throttling and the distribution points.
scheduling Administrators have the ability to specify a transfer schedule for transferring content.
BranchCache BranchCache can be used as an alternative to distribution points for providing content
integration in remote locations with fewer clients.
Management of BranchCache is now integrated in the Configuration Manager 2012
console.
When distributing a package or an application, use of BranchCache can be configured
as an option on a deployment for the package or deployment type for the
application.
Distribution Distribution point groups are used to logically organize distribution points for
point groups performing content distribution.
When an administrator distributes content to a distribution point group, the content
is copied to all distribution points that are part of the group regardless the site where
they are located.
When an administrator adds a new distribution point to a distribution point group, all
content that is distributed to the group is copied to the new distribution point.
Management Content located on a distribution point is visible in the distribution point properties
of content files dialog box. An administrator can directly perform tasks on the content from
distribution point properties dialog box.
Question: What features can you use to distribute content in remote locations that contain
only workstations?
Distributio
D n Point Fe
eatures
M 2012 uses a single distribution
d pooint type. Configuration Manager 2007 usses
sttandard distrib
bution point, which
w nstalled on serrver operating systems, and branch distribution
can be in
po oint, which can
n be installed on client operrating systems.. Branch distrib bution points are not availab
ble in
M 2012,, which simpliffies distributio n point installaation and man
nagement.
Distribution
D Point Confiiguration Options
O
Yo
ou can configuure distribution point settinggs in Configuraation Manager 2012, includiing configuring
ba g settings, and settings to sc hedule conten
andwidth settiings, throttling nt distribution between the ssite
se
erver and distribution point.
Differing from previous

p versio
ons, the distrib
bution point ro ole in Configurration Manageer 2012 includees the
PX
XE service poinnt functionalityy. Windows De eployment Serrvices is a prerrequisite on the server that h
has the
diistribution point role if you want
w to use the PXE optionss. However, you can use the same certificate for
th
he distribution point and forr PXE, which sim mplifies site syystem role con
nfiguration.
Distribution poiints include coonfiguration se
ettings for mul ticast. You neeed to configurre your networrk
in
nfrastructure fo y want to use this featuree for distributin
or multicast if you ng content. Mu ulticast also re
equires
Windows
W Deplooyment Service es as a prerequ
uisite.
Administrators can specify the e drive(s) wherre content willl be stored, wh

hich was not ppossible in earlier
veersions of Configuration Manager. By defa with most ava ilable space is used. Operatiing
ault, the drive w
syystem reservess also can be co
onfigured.
Th
he distributionn point role is installed
i by de
efault on all Co
onfiguration M Manager 2012 secondary site es,
which
w always include a manag gement point and distributio on point. You need to decid de whether to use a
diistribution point to manage the content distribution for a remote locaation or to insttall a secondarry site to
manage
m upwardd network trafffic from Configuration Manaager clients to o the site serve
er. Secondary ssites are
su
upported only on server ope erating systems. When you d do not have a ccomputer runn ning a server
op
perating system in the remo ote location, yo
ou can only insstall a distributtion point.
Distribution Point Prerequisites

In Configuration Manager 2012, a distribution point can be installed on both client and server operating
systems. You need to install the following operating systems before installing a distribution point:
Windows Vista Service Pack 2 or later
Windows Server 2003 Service Pack 2 or later
Internet Information Services (IIS) is a prerequisite for installing distribution points. IIS can be installed and
configured automatically during the installation process by using the Add Site System Role Wizard
when you install the distribution point role for Windows Vista, Windows 7, or Windows Server 2008. If
you are using Windows Server 2003, you need to configure IIS manually.
Planning for Distribution Points

When you plan to implement distribution points in your infrastructure, take into account the following:
Distribution point placement
Supported operating systems
The need for managing network traffic used for content distribution
Whether you will use PXE for operating system deployments
Whether you will use multicast for content distribution
Disk drives used for content storage
IIS which is a prerequisite
Whether you will deploy distribution points or secondary sites in remote locations
These planning considerations are discussed in greater detail later in this module.
Question: You must decide whether to implement a distribution point or a secondary site in
a remote location. What are two important criteria to consider when making this decision?
BranchCach
B he Integra
ation
BrranchCache is included in th
he Windows 7 and Windows Server 2008 R R2 operating syystems and en
nables
co
ontent from fille and Web servers on a wid
de area networrk (WAN) to bee cached on co
omputers at a local
branch office. BranchCache
B ca
an improve ap
pplication resp
ponse time and
d reduce WAN N traffic.
BrranchCache in Windows Servver 2008 R2 ca
an be configurred to work in two modes:
Distributed cache mode. Cached
C nt is distribute d across peer client computters.
conten
Hosted cachhe mode. Cachhed content is hosted on a seerver. This mo

ode is not supp
ported by
Configuratiion Manager.
BranchCache
B e Support in
n Configuration Manag
ger
M suppo orts BranchCache with Wind dows Server 20 008 R2 and Wiindows 7 clients that
arre configured in BranchCach he distributed cache mode. C Clients runningg a supported version of Windows
Vista, Windows Server 2008 with w SP1, and Windows
W Serveer 2008 with S P2 by using th
he BITS 4.0 rele
ease
also can use Bra anchCache. Ho owever, on the ese operating ssystems, the B ranchCache client functionaality is
no ot supported for
f software diistribution thatt is configuredd to run from tthe network or for SMB file
trransfers. You caan install the BITS
B 4.0 release
e on Configuraation Manageer clients by using software uupdates
orr software disttribution.
BrranchCache management
m is integrated in the Configuraation Managerr console. You can configure
e the
BrranchCache se
ettings on a de
eployment type for applicati ons and softw
ware updates and on the
de
eployment forr a package.
Planning
P to Use BranchC
Cache
When
W you plan to use Branch
hCache for con
ntent distributiion, take into aaccount wheth
her:
Windows Server 2008 R2 is in a central location and is configured iin BranchCach mode.
he distributed m
Workstations situated in remote locatio
ons are runninng a supported d operating sysstem for
BranchCachhe, such as Windows 7, or Windows
W Vista w
with BITS 4.0.
Disstribution Point Gro

oups
Disttribution pointt groups are ussed to organizze distribution points in a log

gical way to simplify contentt
distribution to muultiple distribution points and to manage ccontent on mu ution points as a
ultiple distribu
sing
gle entity.
Admministrators can choose how w content is disstributed whenn performing ccontent distribbution: whethe er to
distribute contentt to individual distribution points or wheth
her to distributte content to a distribution point
group. When you configure con ntent distribution, keep in m
mind the followwing:
When contennt is targeted to a distributio

on point group
p, all distributio
on points that are members of
the group willl receive the content.
c
n point group can contain diistribution poi nts from multiple sites as members, which
A distribution h can
simplify conte
ent distribution to multiple sites.
s
A distribution
n point can be member of on ne or more disstribution poin
nt groups, meaaning the grou ups
can overlap. In this scenario
o, different con
ntent can be taargeted to diffferent distribu
ution point gro
oups.
A distribution
n point receive
es content from m all the group
ps it is a membber of.
When addingg a new distribution point to
o an existing grroup, all conteent targeted to
o the group is
copied autom
matically to the
e new distributtion points.
A distribution point group can beb associated with collection ns. The contennt deployed to o that collection is
copied automatically to all distrribution pointss that are mem
mbers of the grroup. You can use this feature to
perfform automatiic content disttribution whenn content is tarrgeted to a speecific collectio
on.
Planning to Use Distribution Point Groups

When planning your infrastructure to use distribution point groups, you should consider the following
points:
Distribution point groups can contain distribution points from multiple sites.
Distribution point groups cannot contain other distribution point groups, only individual distribution
points.
A distribution point can be a member of multiple distribution point groups.
You can use security roles to configure permissions to control content distribution to distribution
point groups.
You should create distribution point groups based on the content you need to distribute and the
locations to which you need to deploy the content.
Question: If you have a distribution point that is a member of Desktop Applications DP and
Server Applications DP distribution point groups, what content does the distribution point
receive?
Co
ontent Librrary
Con
ntent library is a new file repository for con
ntent used on site servers an
nd distribution points.
Conntent library im gle-instance fille storage, wh ich means that a file include
mplements sing ed in two or m
more
packages is only stored
s once. When
W a new paackage contain ning the same file is added to the content
libra
ary, the corresponding package folder conntains referencces to the existting file.
Con
ntent library ha
as three components:
Data library, which

w containss information about every si ngle file in thee library, such as hash value,,
name, and sizze of the file.
File library, which contains the actual filess included in p

packages. The files in the filee library are
renamed and d stored based on the hash of o the files. Thee file library is stored on the drive with the
e
highest prioriity and can spaan multiple voolumes.
ary, which conttains informatiion stored in .IINI files about the packages-----including th
Package libra he
name and GU UID of the package-----and file
es contained in n the packagee.
Con
ntent library re MSPKGx$ folderr on the site seerver and distrribution pointss and reduces the
eplaces the SM
spacce used for file
e storage by:
Eliminating multiple
m instancces of files and
d older data sttored on the seerver.
Taking a snap
pshot each tim
me a package version
v is updaated.
Con
ntent library re
eplaces the SMMSPKGx$ folderr as the defaullt package store on distributtion points. Yo
ou still
use the SMSPKG folder
f for gene
erating compressed copy an nd for sending content from site to site, bu
ut it is
not enabled by de efault. You can
n use it for mo
ost types of con
ntent except aapplications an
nd software
upd
dates.
Content
C Distribution
Content distribu ution is the pro

ocess for distriibuting conten
nt files from sitte servers to d
distribution points to
en
nable clients too access conteent from a distribution pointt located on th he same high-sspeed networkk.
Compared with previous versions of Config guration Mana ger, the Config guration Manaager 2012 con ntent
diistribution feattures have the
e following imp provements:
Content is distributed
d at a file level. Forr each file inclu
uded in a packkage, a hash iss generated an
nd
information
n about the filee is stored in the
t data libraryy in .INI files.
Drives receive a priority for
f distribution n. Each drive o n the site servver or distribution point rece
eives a
priority for storing contennt files. By default, the drive with the mostt available spaace at the timee when
distribution
n point was insstalled receivess the highest p priority.
Files are wrritten to the drrive with the highest priorityy that has free space. When a drive fills witth
es are written on the drive with
content, file w the next p priority.
Only files not present are

e distributed. Iff a file was inc luded in a preeviously distributed package,, it is
already preesent and doess not need to beb distributed again. In the p previous versioons, a file could have
been distrib e times if it was included in m
buted multiple multiple packaages.
Unique filess are stored on nce per contennt library. By im

mplementing tthe single instance store
functionalitty, a file is storred only once in
i a content lib brary.
Files within packages can T feature is useful for storring large files such as operaating
n span drives. This
system images.
Content is transsferred in a Co
onfiguration Manager 2012 eenvironment u
using the follow
wing methodss:
Using senders between siites
Using Package Transfer Manager

M betwe
een the site seerver and distribution pointss
Planning for Content Distribution

When planning for content distribution in a multiple-site implementation, you need to consider the
following:
The content source location. It is recommended that you configure a centralized content source and
place all content that needs to be distributed in the entire hierarchy in this location. A network share
can be used for this purpose.
Whether you want to distribute content on all distribution points or on a subset of distribution points,
in which case you can use distribution point groups.
Whether the same content is included in multiple packages. Single-instance storage can reduce the
space required for storage when the same files are included in multiple packages.
Whether you need to use content prestaging to avoid transferring content on low-bandwidth
network links.
Whether you need to configure bandwidth throttling and content transfer schedules.
Content
C Va
alidation and Conten
nt Prestaging
M 2012 includes two features
f for m
managing conteent that did noot exist in prevvious
ve
ersions: contennt validation and content pre estaging. You use content validation to vaalidate the inteegrity of
th
he content filess stored on disstribution poin
nts. You use co ging to avoid the transfer of content
ontent prestag
ovver low-bandwwidth network links.
Content
C Validation
Yo
ou can implem
ment content validation
v on any
a distribution
n point. Conteent validation:
Uses hashes to validate th

he content file
es located on d
distribution po
oints.
Can be scheeduled to run as a Windowss scheduled tassk or can be in

nitiated manuaally form the
Configuratiion Manager console.
c
Can use a lo
ower priority for on does not dissturb distribution
f the validatiion process so that validatio
point norm
mal activity.
Can be monitored for sta

atus in the Con
nfiguration Maanager consolee in the Monitoring workspaace.
Content
C Presstaging
ging is a method to transfer and preload ccontent using an offline metthod, such as sshipping
Content prestag
media,
m s server to a distribution point.
from a site p You can use this metho od instead of ffile-based repllication
to
o reduce netwoork traffic betw
ween site serve
er and distribu
ution point. Co
ontent prestagging:
Works with
h all content tyypes.
Works with
h content librarries and packa
age shares.
Registers co
ontent availability with the site
s server wheen you use it to
o extract conte
ent on a distrib
bution
point.
Uses a com
mpressed presta
aged content file
f with the exxtension .pkgxx.
Can be used to prestage multiple content files in a single operation.
Includes a conflict detection mechanism to prevent older versions of content from being prestaged
on a distribution point.
Planning for Content Validation

Consider using content validation when you need to:
Periodically validate the integrity of content on a distribution point. You can configure content
validation for all content on a distribution point to occur on a schedule that you configured
previously in the distribution point properties dialog box.
Troubleshoot the deployment of a package. If you have reason to believe that the integrity of a
package is compromised, you can manually initiate the content validation for all files contained in the
package by selecting the package on the Content tab of the distribution point properties dialog box
and then clicking the Validate button.
Planning for Content Prestaging

Consider using prestaging content for applications and packages when:
There is limited network bandwidth from the site server to distribution point. Consider prestaging the
content on the distribution point when scheduling and throttling do not meet your requirements for
reducing network traffic when distributing content over the network to a remote distribution point.
You need to restore the content library on a site server. When a site server fails, information about
packages and applications contained in the content library is restored to the site database as part of
the restore process; however, the content library files are not included by default in the site backup. If
you do not have a file system backup to restore the content library, you can create a prestaged
content file from another site that contains the packages and applications that you need and then
extract the prestaged content file on the recovered site server.
Planning
P fo
or Distribu
ution Pointts
As part of your planning for distribution

d po
oints, you shou
uld consider th
he placement o
of distribution points
an
nd the number of distributioon points you will
w need.
Determine
D Distribution
D Point Place
ement
At least one distribution point is required att each primaryy or secondaryy site in a Conffiguration Man
nager
hiierarchy. By de
efault, a secondary site serve
er is configured
d as a distributtion point.
When
W you have
e a large numb ber of clients, we
w recommend d that you ass ign this role to
o a remote site
e system
nd then removve it from the site server. Thiis reduces the resource requ
an uirements and improves
pe
erformance on
n the site serve
er.
A distribution point
p site system role is autom
matically conffigured on a seecondary site sserver at installation.
When
W you decid
de on the placcement of distrribution pointss, consider thee physical locattion, the numb
ber of
clients, and the network connnection speed between the d distribution po oint and the sitte server.
Determine
D th
he Number of Distribution Points
Yo u to 250 distrribution pointss per site and up to 5,000 diistribution points per primarry site
ou can install up
with
w secondary sites. Consider the following g inputs to hellp you determine the approp
priate numberr of
diistribution points to install in
n your infrastru
ucture:
The numbe
er of clients tha
at might accesss the distributtion point
The configu
uration of the distribution po
oint, such as P
PXE and multiccast
The networrk bandwidth that

t is available between clieents and distribution points
The size of the content th oint
hat clients retrieve from the distribution po
Whether yo
ou enable Bran
nchCache
Planning for Additional Distribution Point Configurations

When planning for distribution points in your Configuration Manager implementation, you must take into
account the following considerations:
Preferred distribution point. You can assign boundary groups to distribution points to configure them
as preferred for clients that are within the boundary group for the distribution point. The clients use
preferred distribution points as the source location for content. When the content is not available on
a preferred distribution point, the clients use another distribution point for the content source
location. You also can configure a distribution point to allow clients not included in the boundary
groups assigned to that distribution point to use it as a fallback location for content.
Implementing PXE. You can enable the PXE option on a distribution point to enable operating system
deployment for Configuration Manager clients. You can enable PXE only on a server with Windows
Deployment Services installed. When you enable PXE on a distribution point located on a computer
running Windows Server 2008, Configuration Manager automatically installs Windows Deployment
Services if it is not already installed. You need to manually install Windows Deployment Services on
computers running Windows Server 2003.
Implementing multicast. You can enable the multicast option on a distribution point so that it uses
multicast when you distribute operating systems. You can enable multicast only on a Windows
Server 2008 server with Windows Deployment Services installed.
Support for mobile devices. You must configure the distribution point to accept HTTPS
communications to support mobile devices.
Support for Internet-based clients. You must configure the distribution point to accept HTTPS
communications to support Internet-based clients.
Application Virtualization. By default, in Configuration Manager 2012 distribution points can

distribute Application Virtualization (App-V) content. You need to install the Application
Virtualization client on the computers on which you plan to use virtual applications.
Managing
M Network Bandwidth
B h
When
W distributing content in a Configuratio
on Manager 20012 infrastructture, network traffic is generrated:
When the files

f are copiedd from the sou he site server, if the source path is on a diffferent
urce path to th
server than the site server. This traffic can
c be ignored d because it ussually takes plaace on a high-speed
network.
When the files

f are copied
d from the site
e server to the distribution p oints. This trafffic can affect tthe
available ba
andwidth when takes place on o low-speed network links.. This traffic caan be managed d using
content thrrottling and distribution sche
edules.
When the files

f are downloaded by clien nts from the d distribution points. This traffic occurs over HTTP or
HTTPS and uses BITS to liimit the netwo ork traffic. Sincce distribution points are plaaced in the sam
me
location as the clients, this traffic takes place on a hig gh-speed netw work.
Consider the following when configuring co

ontent throttli ng and schedu
ules:
Content disstribution usess an algorithm to detect upd

dated files so t hat only the n
new or updated
d files
uted when content source files are updated
are distribu d.
You can configure a sche edule and set specific

s throttliing settings on
n remote distribution pointss that
determine when
w and howw content distrribution is perfformed. The th hrottling settin
ngs are configu ured on
the Rate Limmits tab, and the
t scheduling g settings are cconfigured on the Schedule tab. The Rate Limits
and Schedu ule tabs are dissplayed only in
n the propertiees for distributtion points thaat are not instaalled on
a site server.
You can configure remote distribution points with di fferent config urations depending on netw work
bandwidth limitations froom the site serrver to the rem
mote distributioon point. Each
h remote distrib
bution
point will use its own thro
ottling settings and schedulee to transfer co
ontent.
Methods Used for Transferring Content

Senders are used to transfer content between sites in a hierarchy. Throttling and scheduling settings
can be configured on the sender properties.
Package Transfer Manager distributes content from a site server to a distribution point installed on a
site system in the same site. The controls used for scheduling and throttling to the remote distribution
point are available on the distribution point properties dialog box and are similar to the settings for a
standard sender address.
Site Addresses and Senders

Configuration Manager uses site addresses to identify a destination site to which file-based data can be
transferred. Each site supports a single address to a specific destination site. Site addresses can be
configured in the Administration workspace, Hierarchy Configuration, Addresses node. For each site
address, you can configure the settings in each of the following tabs:
General. You can configure source site, destination site, and access credentials. Configuration
Manager assigns the site servers computer account as the Site Address Account at the new site and
at its parent site. This account is added to the SMS_SiteToSiteConnection_<Sitecode> group on the
destination site server. You can change this account with a Windows user account to accommodate
multiple AD DS forest scenarios. If you change the account, ensure that you add the new account to
the SMS_SiteToSiteConnection_<Sitecode> group on the destination site server. Secondary sites always
use the computer account of the secondary site server as the Site Address Account.
Schedule. You can configure a schedule to restrict the time when data can transfer to the destination
site. You also can configure priorities for each type of data.
Rate limits. You can configure rate limits for an address to control the network bandwidth that is
being used when transferring data to the destination site. You can configure the bandwith settings to
either: unlimited, pulse mode, or limited to a maximum transfer rate.
Configuration Manager uses a sender to manage the network connection from one site to a destination
site and can be used to establish connections to multiple sites at the same time. Each site has one sender.
The sender can be configured in the Administration workspace under the Hierarchy Configuration,
Sites node. On the Properties for the site, click the Sender tab to change the sender configuration.
Planning for Network Bandwidth Management

When planning for network bandwidth management in Configuration Manager 2012, you need to take
into consideration that network traffic can be reduced by:
Configuring a schedule and bandwidth throttling settings on distribution points and senders.
Using content prestaging to transfer the content offline.
Placing distribution points on the same high-speed networks with clients.
Installing standard applications as part of the operating system images.
Both senders and Package Transfer Manager use file-based replication and the Server Message Block
(SMB) protocol. Any firewalls placed between sites or between the site server and distribution points must
allow SMB traffic.
Prerequisit
P es for Con
ntent Mana
agement
To
o use content management in Configuratiion Manager 22012, you need
d to configure
e the following
g
prerequisites:
Distribution
n points. You need
n to install at least one d istribution poiint to perform
m content
manageme c install and configure a d
ent tasks. You can distribution pooint during thee installation off a
primary site
e, and one is in
nstalled autommatically when you install a ssecondary site..
Distribution
n point groupss. While it is no
ot required to use distributio
on point group
ps, they simplify the
manageme ent of content.
Package acccess accounts.. You can use package

p permissions for the
accesss accounts to set NTFS file p
users and user
u groups tha
at access a con
ntent folder on
n a distribution
n point to dowwnload contennt files.
By default, Configuration
n Manager grants access onlyy to the generric access accoounts Users andd
Administrattors.
Internet Infformation Servvices (IIS). Whe en you install a distribution p

point on a com mputer running g
Windows Server 2008 or Windows 7, Configuration M Manager can i nstall and configure IIS if it iis not
installed. If IIS is already installed, Configuration Man nager will conffigure it to sup
pport required
operations. You must manually install IIS on computeers that run W Windows Serverr 2003 with Service
Pack 2.
Background d Intelligent Trransfer Service nents are required for installing a

e (BITS). BITS seerver compon
distribution
n point and aree automaticallyy installed wheen you install a distribution point on a com
mputer
running Wiindows Server 2008 or Windows 7. You mu ust manually i nstall and configure BITS on
n
computers that run Wind dows Server 20 003 with Servicce Pack 2.
Windows Deployment
D ervices (WDS). When you insttall a distributtion point on a computer run
Se nning
Windows Server 2008, Windows Deployyment Servicees are installed configured au utomatically. Y
You
must manu
ually install WDDS on compute ers running W indows Serverr 2003 with Serrvice Pack 2. W Windows
Deploymen
nt Services are required onlyy if you plan to
o use PXE and multicast.
Certificate for authentication. When you add the distribution point site role to a server, you must
specify a certificate that authenticates the distribution point to management points. Computers use
the same certificate if they PXE boot from the distribution point. You can choose to have
Configuration Manager create a self-signed certificate, or you can import a PKI certificate that is
enabled for client authentication.
Distribution points can be installed on the following operating systems:
Operating system and version Platform Notes
Windows Server 2008 R2 x64 Supports distribution points and secondary

sites.
Windows Server 2008 SP2 x86 or x64 Supports distribution points and secondary
sites.
Windows Server 2003 SP2 x86 or x64 Supports distribution points.
Windows 7 x86 or x64 Supports distribution points without PXE and

multicast. Secondary sites cannot be installed
on this operating system.
Windows Vista SP2 x86 or x64 Supports distribution points without PXE and
multicast. Secondary sites cannot be installed
on this operating system.
Discussion:
D Planning for Distrib
bution Poiints
Scenario
Yo
ou are the admministrator for Contoso Ltd. Contoso has d deployed Systeem Center 201 12 Configuratioon
Manager
M in a coomplex hierarcchy that includ
des the centrall administratio
on site, two primary sites, and
da
se
econdary site.
Th
he current networking enviro des two dataceenters in New York and Lond
onment includ don and addittional
nd New Jersey, as described iin the followin
offfice locations in Toronto an ng table.
Location Sites N
Number of clie
ents Connection to NY
YC
New York CAS, centtral administration site 10,000

0 Lo
ocal Gigabit ne
etwork
NYC, prim
mary site
New Jersey Clients asssigned to NYC

C 1,000 256 kbps
Toronto TOR, seco

ondary site to NYC 3,000 T1
London LON, prim

mary site 5,000 E1
Due to a change in communication provide ers, New Jerseyy is connected d to New York with a slow lin
nk. You
would
w like to offfload the conttent-related trraffic for this n etwork link.
Yo
ou will use you deploy applicaations and softtware updatess to
ur content management infrrastructure to d
ussers and compputers in all the
e locations.
n the offices located in New York, New Jerssey, and Toron

In nto, you also p
plan to use Configuration Maanager
to
o deploy opera ating systems to
t desktop com
mputers.
Activity: Plan for the Placement and Configuration of Distribution Points
You need to plan for distribution points placement and configuration. You also need to decide the type of
operating system you will need to install to support your distribution point role.
In the following table, describe the locations where you would install distribution points and the
corresponding configuration settings.
Location OS type Use PXE Prestaged content
New York
New Jersey
Toronto
London
Lesson
n4
Configuring and Mo
onitorin
ng Conttent Maanagem
ment
Configuring con ntent management begins withw installing aand configurin ng the distribu
ution points. In
n this
le
esson, you will review the pro
ocess for installing a distribu
ution point and
d available con
nfiguration opptions.
Yo
ou can create distribution pooint groups an
nd add distribu
ution points to
o the groups to
o manage the
diistribution of content
c more easily.
e
ng the distribution point infrrastructure, yo u can distributte and manage content, perrform
After configurin
co
ontent validatiion, and use co
ontent prestagging to transfeer content to reemote distribu
ution points.
Yoou can use the e monitoring features availab

ble in the Con figuration Ma nager console
e to monitor co
ontent
sttatus, distribution point grou
up status, and distribution po
oint configuraation.
After completin
ng this lesson, you
y will be able to:
Install distribution points.
Configure distribution
d po
oints.
Create and use distributio
on point group
ps.
Distribute and
a update content.
Configure content
c presta
aging.
Perform content validatio
on.
Monitor co
ontent status.
Insstalling Disstribution Points
The first step in im

mplementing the
t distribution
n infrastructurre is installing tthe distributio
on points. You can
install a distributio
on point on:
A new site sysstem server. Yo

ou run the Creeate Site Syste m Server Wizaard, specify the
e name of the new
server, and th
hen select the distribution po
oint role.
An existing site system servver. You select an existing sitte system, run the Create Ro
oles Wizard, an
nd
then select th
he distribution point role.
With the exceptio
on of the first step
s in the wizard, configuraation options fo
or the distribu
ution point role
e are
the same regardle
ess of the wizaard you are using. The Createe Roles Wizard d has the followwing configuration
step
ps:
General. On this page, you can specify th

he general setttings for the siite system.
System Role Selection. On

n this page, select the distrib
bution point ro
ole.
Distribution Point. On thiss page, you ca

an configure d istribution poiint settings, inccluding:
Install an
nd configure IIS if required d by Configurration Manag ger. Select thiss box to
automatiically install an
nd configure IIS. This can be performed on
nly on Window ws Server 2008,
Windowss Vista, and Wiindows 7 operrating systems..
Configurre client communication and a certificate e. You specify whether clientts will commun nicate
with the distribution po oint using HTTTP or HTTPS. TTo use HTTPS, select the optiion so that
Configuration Manage er creates a selff-signed certifficate or select the option to
o import a PKI client
certificate
e from a file.
Enable this distributio

on point for pre-staged
p ontent. Select this option if yyou want to
co
transfer the
t content to distribution point
p using preestaging.
Drive Settings. On this page, specify the drive settings. These settings cannot be changed after
installation.
Drive space reserve (MB). Specify the amount of free space reserved for operating system.
Content Locations. Specify the drives to be used for content storage. By default, this setting is
configured to Automatic, which means the drive with the most available space is used.
PXE. On this page, enable and configure PXE for performing operating system deployment. Windows
Deployment Services must be installed as a prerequisite to configure this option.
Multicast. On this page, you enable and configure multicast for operating system deployment.
Content Validation. On this page, specify whether to validate the integrity of content files on the
distribution point on a schedule.
Boundary Group. On this page, associate boundary groups to this distribution point. Configuration
Manager clients located in the boundary groups will use the distribution point as the preferred
content location.
Co
onfiguring Distribution Points
Afte
er you install a distribution point,
p you can change the di stribution poin on by perform
nt configuratio ming
the following stepps:

ger console, click the Admin
nistration worrkspace.
2. In the navigattion pane, click the Distribu
ution Points n
node, and then
n select the disstribution poin
nt that
you want to configure.
c
3. On the ribbon
n, click Properrties.
In th n point properties dialog boxx, you can con
he distribution nfigure the setttings shown in
n the following
g
tablle.
Ta
ab Settings
General Configure e how client deevices commu nicate with thee distribution point. You can n
select eith
her HTTP or HT TTPS:
If you u select HTTP, by default, Coonfiguration M Manager create es a self-signed
d
certificate.
If you u select HTTPS, you must im port a PKI-issu ued server certtificate for
autheentication.
If you sele
ect the Enablee this distribu
ution point fo r prestaged ccontent option n,
content will
w not be tran nsferred to thiss distribution p
point using file
e-based replicaation
and will need
n to manuaally import preestaged conten nt on the distriibution point.
(continued)
Tab Settings
PXE Select Enable PXE support for clients to configure the following settings:
Allow this distribution point to respond to incoming PXE requests.
Specifies whether the PXE service point responds to computer requests.
Enable unknown computer support. Specifies whether to enable support for
unknown computers.
Require a password when computers use PXE. Specifies whether a password
is required for clients to start the PXE boot.
User device affinity. Specifies the user device affinity behavior by selecting one
of the following options:
Allow user device affinity with auto-approval. Select this setting if you
want to automatically associate users with the destination computer.
Allow user device affinity pending administrator approval. Select this
setting if you want to associate users with the destination computer only
after approval is granted by the administrator.
Do not allow user device affinity. Select this setting if you do not want to
associate users with the destination computer.
Network interfaces. Specify whether the distribution point responds to PXE
requests on all network interfaces or only on specific network interfaces.
Specify the PXE server response delay (seconds). Specify how long the delay
is for the distribution point before it responds to computer requests when
multiple PXE-enabled distribution points are used.
Multicast Select the Enable multicast to simultaneously send data to multiple clients
check box, and then configure the following settings:
Multicast Connection Account. Specify the account to use when you
configure the Configuration Manager database connections for multicast.
Multicast address settings. Specify the IP addresses that are used to send data
to the destination computers. By default, the IP address is obtained from a
DHCP server that is enabled to distribute multicast addresses.
UDP port range for multicast. Specify the range of the user datagram
protocol (UDP) ports that are used to send data to the destination computers.
Client transfer rate. Select the transfer rate used to download data to the
destination computers.
Maximum clients. Specify the maximum number of destination computers that
can download the operating system from this distribution point.
Enable scheduled multicast. Specifies how Configuration Manager controls
when to start deploying operating systems to destination computers. When
selected, configure the following options:
Session start delay (minutes). The number of minutes that Configuration
Manager waits before it responds to the first deployment request.
Minimum session size (clients). The number of requests that must be
received before Configuration Manager starts the multicast.
(continued)
Tab Settings
Group On this tab, you can manage the distribution point membership in distribution point
Relationships groups by:
Clicking Add to add the distribution point to an existing distribution point
group.
Selecting a distribution point group and then clicking Remove to remove the
distribution point from the distribution point group.
Content On this tab, you can manage the content that has been distributed to the
distribution point. You can initiate the following actions:
Validate. Initiates the process to validate the integrity of the content files in the
package.
Redistribute. Copies the content files in the application or package to the
distribution point.
Remove. Removes the content files from the distribution point for the
application or package.
Content Enable content validation and set a schedule to validate the integrity of content files
Validation on the distribution point.
When you enable content validation on a schedule, Configuration Manager starts
the process at the scheduled time and all content on the distribution point is
verified.
You also can configure the content validation priority. By default, the priority is set
to Lowest.
Boundary Groups Manage the boundary groups for which this distribution point is assigned.
By default, the distribution point is considered protected and can be accessed only
by the clients that are within the boundaries associated with the boundary groups.
To allow clients that are outside of the boundaries associated with the boundary
group to access content, you can select the Allow a client outside these boundary
groups to fall back and use this site system as a source location for content
check box.
Security Specify the administrative users that have permissions to manage the distribution
point.
For the distribution points located on a computer different than the site server, you also can configure the
settings in the following table.
Tab Settings
Schedule On this tab, you configure a schedule that restricts when Configuration Manager can
transfer data to the distribution point. To restrict data, select the time period and then
select one of the following Availability settings:
Open for all priorities. Specifies that Configuration Manager sends data to the
distribution point with no restrictions.
Allow medium and high priority. Specifies that Configuration Manager sends
only medium and high priority data to the distribution point.
Allow high priority only. Specifies that Configuration Manager sends only high-
priority data to the distribution point.
Closed. Specifies that Configuration Manager does not send any data to the
distribution point.
Rate Limits On this tab, you configure rate limits to control the network bandwidth that is used
when transferring content to the distribution point. You can choose from the following
options:
Unlimited when sending to this destination. When this option is chosen,
Configuration Manager sends content to the distribution point with no rate limit
restrictions.
Pulse mode. With this option, you can specify the size of the data blocks that are
sent to the distribution point. You also can specify a time delay between sending
each data block.
Limited to specified maximum transfer rates by hour. With this setting, a site
will send data to a distribution point by using only the percentage of bandwidth
that you configure.
Question: How can you manually initiate the validation of the content files for package
located on a distribution point?
Cre
eating and
d Using Distribution Point Gro
oups
Disttribution pointt groups provid

de a logical grrouping of disttribution pointts and collectio
ons for conten
nt
distribution:
You can add one or more distribution

d pooints from any site in the Con nfiguration Maanager hierarcchy to
the distributio
on point groupp. When you distribute
d conttent to a distrib
bution point g
group, all
distribution points
p that are members of the distribution
n point group receive the co ontent.
You also can add a distribution point to more

m than onee distribution p
point group. T
The distribution
n
point receivess content targeted to all disttribution grou ps.
You
u can perform the following management tasks on distri bution point g
groups:
Create and co
onfigure a new
w distribution point
p group.
d associate collections to an existing distrib
Add distribution points and bution point g
group.
Add selected distribution points

p to a new
w distribution p
point group.
Add selected distribution points

p to existin
ng distribution
n point groupss.
Question: Why would you add a distribu
ution point to m
multiple distrib
bution point g
groups?
Distributing
D g and Upd
dating Con
ntent
Yo
ou can use the e Distribute Content
C Wizarrd to configuree the distributtion of contentt to distributio
on
po
oints. The Disttribute Content Wizard has the
t following ssteps:
General. Ve
erify that the content you wa
ant to distributte is listed, and
d choose whetther to detect
associated content depen ndencies.
Content De
estination. Add
d collections, distribution
d po
oints, or distrib ution point grroups.
Summary. Review
R the setttings for the distribution.
d
Confirmatio
on. Verify that the content was
w successfullyy assigned to tthe points.
To
o update existing content on
n distribution points, you ca n perform thee following actions:
1.. ware Library workspace, select the conten

In the Softw nt you want to
o update.
2.. bon, click Update Distributiion Points.

On the ribb
o update content for applica

To ations:
1.. ware Library workspace, select the appliccation you wan

In the Softw nt to update.
2.. Click the Deployment Ty

ypes tab, click
k the deploymeent type, and tthen on the rib
bbon, click Up
pdate
Content.
Co
onfiguring Content Prestaging
P
Eachh distribution point has an Enable

E this disstribution pooint for presta
aged content setting that
you can configure e in the distribution point prroperties dialo g box. When yyou enable thiis option, the
distribution point is identified as a prestaged distribution p oint, and you can choose hoow to manage e the
content on a per--package basiss.
The following setttings are configurable in the

e property dial og boxes of th
he following:
Applications
Packages
Driver packag
ges
Boot images
Operating sysstem installers
Images
By adjusting
a these
e settings, you can configure
e how contentt distribution iss managed on
n remote
distribution points identified as prestaged. Th
he options ava ilable are as fo
ollows:
Automatically download content when n packages arre assigned too distribution n points. Use tthis
option when you have smaller packages where
w the sch eduling and th
hrottling settin
ngs provide en
nough
control for co
ontent distribution.
Download only content changes to the e distribution

n point. Use thhis option wheen you have an n
initial package that is poten
ntially large bu
ut you expect ffuture updatess to the content in the packaage
to be generallly smaller.
Manually copy the content in this package to the distribution point. Use this option when you
have large packages with content such as an operating system image and you do not want to use the
network to distribute the content to the distribution point. When you select this option, you must
prestage the content on the distribution point.
These options are applicable on a per-package basis and are used only when a distribution point is
identified as prestaged. Distribution points that have not been configured as prestaged will ignore these
settings, and content will always be distributed over the network from the site server to the distribution
points.
To configure content prestaging, you need to perform the following steps:
1. Use Create Prestage Content File to create prestaged content.
2. Configure the distribution points as prestaged distribution points.
3. Use the Distribute Content Wizard to distribute content.
4. Copy the prestaged content file to the target computer.
5. Use the ExtractContent command-line utility from C:\SMS_DP$\SMS\TOOLS on the target

distribution point to import the prestaged files:
To import a single file, type the following at a command prompt:
Cd C:\SMS_dp$\sms\tools
ExtractContent /P:<PrestagedFileLocation>\<PrestagedFileName> /S
To import all prestaged files in the specified folder, type the following at a command prompt:
Cd C:\SMS_dp$\sms\tools
ExtractContent /P:<PrestagedFileLocation> /S.
Performing Content
C Validation
V
The content validation process verifies

v the inttegrity of cont ent files on disstribution poin
nts.
You
u have the follo
owing options for using content validation
n:
e schedule for automatic con

Configure the ntent validatioon on a distrib ution point. In
n the distribution
point propertties dialog boxx, you can conffigure a differeent schedule o
on each distribbution point.
Manually initiate the content validation. You

Y can initiatte the content validation at aany time to ve
erify
the integrity of
o content.
Youu can manuallyy perform the content
c validation from the Configuration nsole by using the
n Manager con
follo
owing methodds:
Initiate content validation for

f all content on a distribut ion point. You
u can initiate th
he content
validation fro
om the distribuution point pro
operties dialog
g box.
f a package. You can initia te the contentt validation fro

Initiate content validation for om the packag
ge
properties.
Monitoring
M g Content Status
Yo
ou can use the
e Configuration Manager console to perfo
orm monitoring
g for:
atus, which inccludes the status of individuaal packages in relation to their distribution
Content Sta n points.
n Point Group Status, which includes the s tatus of conteent assigned to

Distribution o a specific
distribution
n point group.
n Point Configuration Statuss, which includ es the status o

Distribution of the content assigned to a
distribution
n point and sta
atus of the opttional componnents (PXE and d Multicast).
To
o troubleshoott content distrribution you allso can use:
Configuratiion Manager reports.

r
Configuratiion Manager status

s message
es.
Configuratiion Manager lo
ogs.
To
o troubleshoott issues with co
ontent manag
gement, you caan use the follo
owing Configu
uration Manag
ger logs:
SMSProv.lo
og, to troublesh
hoot actions sttarted from UII or SDK (provider).
DistMgr.logg, to troubleshhoot content creation, updatte, deletion, an nd start of distribution. You ccan use
this log on the site serverr from the source site, to val idate that the content is proocessed by
Distribution
n Manager.
og, to see the current statuss of the senderr job. You can use this log on
Scheduler.lo n the site serve
er from
the source site to verify that the conten
nt was queued d for the sendeer.
Sender.log, to troublesho oot the copy of the compresssed content to o the destination site. You caan use
this log on the site serverr from the source site, to dettermine wheth
her the sender has transferreed the
content to a different site
e.
Despooler.log, to troubleshoot the extraction of the compressed copy to the content library on the
destination site. You can use this log on the site server from the destination site to verify that the
content was received and processed by the despooler.
PkgXferMgr.log, to troubleshoot the actual distribution of content from the site server to the
distribution point. You can use this log on the site server to determine whether the content was
processed by Package Transfer Manager and transferred to a distribution point located in the same
site with the site server.
SMSDPProv.log, to troubleshoot addition of content to the content library on the distribution point.
You can use this log on a distribution point to verify that content was added to content library.
SMSPXE.log, to troubleshoot the PXE provider. You can find this log on a distribution point that is
configured to use PXE.
The following Windows logs can be used to troubleshoot distribution point configuration:
u_exYYMMDD.log (where YYMMDD is the year, month, and day). You can use these IIS logs for
troubleshooting issues related to IIS. You can find the IIS logs on the distribution point in the
C:\Inetpub\Logs\LogFiles\W3SVC1\ folder.
WDS.log. You can use the Windows Deployment Services (WDS) log for troubleshooting issues related
to the WDS service.
Demonstra
D ation: Perfo
orming Co
ontent Ma nagementt
In
n this demonsttration, you will see how to distribute
d conttent, monitor ccontent distrib
bution, and perform
co
ontent validatiion.
Demonstrati
D ion Steps
Distribute
D conttent
1.. On NYC-CFFG, start the Co

onfiguration Manager Con
nsole.

nager console, in the Softwaare Library wo
orkspace, expaand Applicatio
on
Manageme ent, and then select the App
plications nodde.
3.. On the ribbbon, click Crea

ate Applicatio
on. The Create wing
e Application Wizard starts. Use the follow
settings to create an application:
On the
e General page
e, verify that in
n the Type bo
ox Windows Innstaller (Nativve) is selected,
browse
e to \\NYC-CF
FG\E$\Software\PPTViewe er\Source, and
d then select p
ppviewer.msi.
Acceptt the default se

ettings for all other
o pages, a nd complete tthe wizard.
4.. In the Conffiguration Man he Microsoft Office PowerrPoint

nager console, in the results pane, select th
Viewer 200 07 (English) application,
a on
n the ribbon, cllick Deployme ent, and then click Distribute
Content. The Distribute Content Wizzard starts. Usee the following g settings to distribute conte
ent:
On the
e Content Desstination page
e, add the \\N YC-CFG.Conttoso.com distrribution point..
Acceptt the default se

ettings for all other
o pages, a nd complete tthe wizard.
Monitor content distribution and validate content
1. In the Configuration Manager console, select the Microsoft Office PowerPoint Viewer 2007
(English) application, and on the ribbon, click Properties.
2. In the Microsoft Office PowerPoint Viewer 2007 (English) Properties, at the Content Locations
tab, in the Distribution points or distribution point groups list, select \\NYC-CFG.Contoso.com,
and then click Validate. Accept all messages, and then close the properties window.
3. In the Configuration Manager console, in the Monitoring workspace, under Distribution Status,
select the Content Status node.
4. In the results pane, select Microsoft Office PowerPoint Viewer 2007 (English), and then review the
information in the preview pane.
5. In the preview pane, click the View Status link. A new node appears in the navigation pane, and in
the results pane, you should see the Content Status for the selected package.
6. In the Configuration Manager console, under the Distribution Point Configuration Status node,
select \\NYC-CFG.Contoso.com, and then in the preview pane, click the Details tab. Review the
status messages related to content distribution.
7. In the Configuration Manager console, in the Administration workspace, select the Distribution
Points node, and then access the Properties of \\NYC-CFG.Contoso.com.
8. In the \\NYC-CFG.Contoso.com Properties dialog box, at the Content tab, in the Deployment
packages list, click Microsoft Office PowerPoint Viewer 2007 (English), and then click Validate.
Accept all messages and close the properties window.
Lab B:
B Config
guring Conten
nt Manaagement
La
ab Setup
Fo
or this lab, you
a virtua
n the lab, you must
co
1.. In Hyper-V Manager, verify that the folllowing virtual machines aree running:
10748A
A-NYC-DC1-C
10748A
A-NYC-CAS-C
10748A
A-NYC-CFG-C
10748A
A-NYC-SVR1-C
C
2.. Log on if ne
ecessary by ussing the follow
wing credential s:
User na
ame: Adminisstrator
Passwo
ord: Pa$$w0rd
d
Domain: Contoso
Scenario
Yoou are the network administtrator for Conttoso, Ltd. Conttoso has deplo oyed System C Center 2012
M in a complex
c hierarrchy that inclu des the centraal administratio
on site, two prrimary
sittes, and a seco
ondary site.
ou need to configure your content

Yo c manag gement infrast ructure by insttalling and con
nfiguring an
ad
dditional distriibution point for
f a remote office,
o creating a distributionn point group aand adding the
a distribute content and p
diistribution points to the groups. You will also perform conten nt validation. Y
You will
usse content pre ansferring packages to the reemote distribu
estaging for tra ution point.
Exercise 1: Create a Distribution Point and a Distribution Point Group

Scenario
You need to install a new distribution point in a remote location on a server named NYC-SRV1. You will
configure the distribution point for content prestaging. Then you will create a distribution point group
and include all distribution points in the New York area in the group.
1. Add the primary site server computer account to the local Administrators group.
2. Create a distribution point.
3. Create a distribution point group, and assign the distribution points to the distribution point group.
X Task 1: Add the primary site server computer account to the local Administrators
group
1. On NYC-SVR1, start Server Manager.
2. In the Server Manager console, under Configuration, Local Users and Groups, select Groups.
3. Add NYC-CFG as a member of Administrators local group.
X Task 2: Create a distribution point

1. On NYC-CAS, start Configuration Manager Console.
2. In the Configuration Manager console, in the Administration workspace, expand Site

Configuration, and select Servers and Site System Roles.
3. On the ribbon, on the Home tab, click Create Site System Server. The Create Site System Server
Wizard starts. Use the following settings to create the new distribution point:
On the General page, browse to select NYC-SVR1 as the new site system server, and then in the
Site Code drop-down list, select NYC --- New York Primary Site.
On the System Role Selection page, select Distribution Point.
On the Distribution Point page, select the options Install and configure IIS if required by
Configuration Manager and Enable this distribution point for prestaged content.
On the Content Validation page, select Validate content on a schedule.
Use default settings for all other pages, and then complete the wizard.
4. In the Configuration Manager console, verify that \\NYC-SVR1.Contoso.com appears in the results
pane.
X Task 3: Create a distribution point group and assign the distribution points to the
distribution point group
1. In the Configuration Manager console, select the Distribution Point Groups node.
2. On the ribbon, click Create Group. In the Create New Distribution Point Group dialog box, use the
following settings:
In the Name box, type New York DP.

In the Description box, type New York Distribution Points.
On the Members tab, add both \\NYC-CFG.Contoso.com and \\NYC-SVR1.Contoso.com

distribution points to the group.
3. In the Configuration Manager console, double-click New York DP.
4. A new node named New York DP appears in the navigation pane. In the results pane, verify that you
see the distribution points that you added to the group.
Results: At the end of this exercise, you should have created a distribution point, created a distribution
point group, and added distribution points to the group.
Exercise 2: Distribute and Monitor Content

Scenario
You need to distribute an application to all users in the New York area. You will create and distribute the
application to the New York DP distribution point group and then monitor content distribution using the
monitoring features available in the Configuration Manager console.
1. Distribute content to the distribution point group.
2. Monitor and validate content distribution.
X Task 1: Distribute content to the distribution point group

2. In the Configuration Manager console, in the Software Library workspace, expand Application
Management, and then select the Applications node.
3. On the ribbon, click Create Application. The Create Application Wizard starts. Use the following
settings to create an application:
On the General page, verify that in the Type box, Windows Installer (Native) is selected,
browse to \\NYC-CFG\E$\Software\PPTViewer\Source, and then select ppviewer.msi.
Accept the default settings for all other pages, and then complete the wizard.
4. In the Configuration Manager console, in the results pane, select the Microsoft Office PowerPoint
Viewer 2007 (English) application, on the ribbon, click Deployment, and then click Distribute
Content. The Distribute Content Wizard starts. Use the following settings to distribute content:
On the Content Destination page, add the New York DP distribution point group.
X Task 2: Monitor and validate content distribution

1. In the Configuration Manager console, select the Microsoft Office PowerPoint Viewer 2007
(English) application, and then on the ribbon, click Properties.
2. In the Microsoft Office PowerPoint Viewer 2007 (English) Properties, at the Content Locations
tab, in the Distribution points or distribution point groups list, select \\NYC-CFG.Contoso.com,
and then click Validate. Accept all messages, and then close the properties window.
3. In the Configuration Manager console, in the Monitoring workspace, under Distribution Status,
select the Content Status node.
4. In the results pane, click Microsoft Office PowerPoint Viewer 2007 (English), and then review the
information in the preview pane. Observe that two distribution points were targeted, but Completion
Statistics show that 1 is reported as success and 1 is in progress.
5. In the preview pane, click the View Status link. A sticky node will appear in the navigation pane, and
in the results pane, you will see the Content Status for the selected package.
6. In the Configuration Manager console, under the Distribution Point Configuration Status node,
select \\NYC-CFG.Contoso.com, and then in the preview pane, click the Details tab. Review the
status messages related to content distribution.
7. In the Configuration Manager console, in the Administration workspace, select the Distribution
Points node, and then access the Properties of \\NYC-CFG.Contoso.com.
8. In the \\NYC-CFG.Contoso.com Properties dialog box, at the Content tab, in the Deployment
packages list, click Microsoft Office PowerPoint Viewer 2007 (English), and then click Validate.
Accept all messages, and then close the properties window.
Results: At the end of this exercise, you should have distributed content and monitored the distribution
process.
Exercise 3: Perform Content Prestaging

Scenario
You previously configured NYC-SRV1 distribution point to use content prestaging. You need to prestage
the content of the package you distributed. You will create the prestage content file, copy it to the remote
server, extract the file on the remote distribution point by using the Extractcontent.exe utility, and then
monitor the prestaged content status.
1. Create a prestaged content file.
2. Extract a prestaged content file on distribution point.
3. Monitor the prestaged content status.
X Task 1: Create a prestaged content file

1. On NYC-CFG, in the Configuration Manager console, in the Software Library workspace, under the
Application node, select Microsoft Office PowerPoint Viewer 2007 (English), and on the ribbon,
click Application, and then click Create Prestage Content File. The Create Prestaged Content File
Wizard starts. Use the following settings to create the prestaged content file:
On the General page, browse to drive C, and then save the file with the name
PowerPointViewer.
On the Content Locations page, add \\NYC-CFG.Contoso.com as a source of content.
2. In Windows Explorer, browse to drive C, and then copy PowerPointViewer.pkgx to

\\NYC-SVR1\C$.
X Task 2: Extract a prestaged content file on distribution point

1. On NYC-SVR1, open a command prompt.
2. At the command prompt, type the following, pressing Enter after each line:
CD C:\SMS_DP$\sms\Tools
extractcontent.exe /P:C:\PowerPointViewer.pkgx /S
X Task 3: Monitor the prestaged content status

1. On NYC-CFG, in the Configuration Manager console, in the Monitoring workspace, expand
Distribution Status, and then select the Content Status node.
information in the preview pane. Observe that two distribution points were targeted and Success is
now listed as 2.
Results: At the end of this exercise, you should have performed content prestaging.

following steps:
2. In the Virtual Machines list, right-click 10748A-NYC-DC1-C and then click Revert.

4. Repeat steps 2 to 3 for the following virtual machines:
10748A-NYC-CAS-C
10748A-NYC-CFG-C
10748A-NYC-SVR1-C
Modulle Revie
ew and Takeaw
ways
Rev
view Questiions
1. What are the two data replication metho ods used by Co onfiguration M
Manager 2012 tto replicate daata
between sitess, and what typ
pes of data are
e replicated byy each method
d?
2. How is hardw
ware inventory transferred fro
om a seconda ry site to the ccentral administration site?
3. How can you save a file tha

at contains diagnostics inform
mation for rep
plication links?
4. How can you use Configura ation Managerr 2012 to transsfer content crreated in a prim
mary site from
m one
location to an
nother within the
t same site or
o between tw wo sites?
6-1
Module 6
Planning and Completing System Center 2012 Configuration
Manager Client Deployment
Contents:
Lesson 1: Introduction to Discovery Methods 6-4
Lesson 2: Introduction to Configuration Manager 2012 Client Deployment 6-21

Lesson 3: Deploying Configuration Manager 2012 Clients 6-42
Lab: Planning and Completing Configuration Manager 2012 Client

Deployment 6-56
Lesson 4: Managing Configuration Manager 2012 Clients 6-66
Lesson 5: Monitoring Configuration Manager 2012 Client Status 6-78

6-2 Planning annd Completing System Center 2012 Configuration Manager Client
C Deployment
Module Overrview
Youu can configure

e the resource discovery metthods availabl e in Configuraation Managerr 2012 to locatte
ources in your network envirronment. In this module, you
reso u will examine the discoveryy methods avaiilable
in Configuration
C Manager
M 2012
2 and consider which of thesse discovery mmethods to use based on the
reso
ources you neeed to manage.
u can use Configuration Man

You nager 2012 to manage comp
puter resourcees by installing the Configuraation
Man
nager 2012 client on the com
mputers you want
w to manag
ge.
Connfiguration Ma anager 2012 prrovides several methods for installing the Configuration n Manager 20112
clien
nt on compute er resources. This
T module co overs various c lient installatio
on methods, and then examines
the advantages an nd disadvantag ges of each method. You wi ll examine how w to choose th
he most appro
opriate
clien
nt installation methods to usse in your orga
anizations envvironment.
Deppending on the e client installa

ation methodss you decide to ght be able to configure client
o use, you mig
installation properties that are applied
a duringg installation. Y gure site servers to publish client
You can config

installation properties in Active Directory Do omain Servicess (AD DS). Configuration Manager clients u use
thesse properties after
a installatio t assigned siite and locate appropriate siite systems. Th
on to identify the his
mod dule discusses how to config gure client insttallation propeerties when usiing the client p
push and Grouup
Policy installation methods.
Thiss module also covers the Clie
ent Health featture used for m
monitoring clients in Configuration Manag
ger
2012, which can perform
p autom
matic remediation for certain n client configu
uration issues.
After completing this module, you will be able to:
Describe resource discovery processes and methods.
Describe the client installation process and client deployment methods.
Plan and complete a typical client deployment.
Describe managing Configuration Manager 2012 clients after installation.
Describe the new Client Health feature in Configuration Manager 2012.

6-4 Planning annd Completing System Center 2012 Configuration Manager Client
C Deployment
Lesson 1
Introduction to
t Disco
overy Methods
M s
Resoource discoverry is the process used by Con

nfiguration Maanager 2012 tto discover maanageable reso ources
in an organization
n infrastructuree such as computers, groupss, user accountts, sites, and IP
P subnets.
Connfiguration Maanager 2012 usses multiple diiscovery methoods to discoveer resources.
The primary sourcce of information for discove

ering resourcees is AD DS. Co
onfiguration M
Manager has se
everal
disccovery method
ds that use AD DS as a sourcee of informatioon.
Connfiguration Maanager can sea

arch the netwo
ork to discoverr devices that h dress and also can
have an IP add
disccover network topology.
Thiss lesson coverss discovery me

ethods, the advvantages and tthe disadvantaages of each m
method, and ho
ow to
decide which metthods are the most
m appropriate to use to ddiscover resources in your en
nvironment.
To detect
d which innstalled clientss are still active ork, Configurattion Manager uses a special
e in the netwo
disccovery method d called Heartb
beat Discoveryy. This method does not disccover new com mputers; instead, it
ng clients that are active in the network.
rediiscovers existin

Describe the role of discove

ery methods fo
or resource disscovery.
Describe the available disco
overy methodss.
Describe the Active Directo

ory discovery methods
m for Syystems, Users aand Groups.
Describe the Active Directo

ory Forest Disco
overy method .
Describe Netw
work Discoverry.
Describe the role of Heartb

beat Discovery..
Overview
O of
o Resource Discoverry
In
n a multiple-sitte Configuratio
on Manager en nvironment, yoou can configu
ure discovery methods at different
le
evels in the hie
erarchy. The following table describes
d discovery met hods available
the d e in Configurattion
Manager
M 2012 and
a where you u can configurre them in a Co
onfiguration M
Manager hierarchy.
Discovery method Su pported locattions
Active Directo
ory Forest Disccovery Central admministration sitte
Primary sitee
Active Directo
ory System Disscovery Primary sitee
Active Directo
ory Group Disccovery Primary sitee
Active Directo
ory User Discovery Primary sitee
Network Disccovery Primary sitee

Secondary ssite
Heartbeat Disscovery Primary sitee
When
W a discoveery method succcessfully disco
overs a resourrce, it creates a file that is refferred to as a
diiscovery data record
r mary site envirronment, DDRss are processed by the site server
(DDR). In a single prim
an
nd entered intto the Configuration Manage er database. Inn a multiple-sitte hierarchy, D DDRs created aat
primary and seccondary sites for
f the newly-d discovered ressources are forrwarded to the e central
ad
dministration site
s for processing. Then, the e information about the disccovered computers is replicaated by
daatabase replica
ation to primaary sites, makin
ng the discove ry data availabble at each site e in the hierarcchy,
re
egardless of whhere it was discovered or proocessed. Subseequent discoveeries for the exxisting resourcces, such
ass DDRs createdd by Heartbeat Discovery, arre processed a t the primary sites.
6-6 Planning and Completing System Center 2012 Configuration Manager Client Deployment
Consider the following for Resource discovery in Configuration Manager 2012:
A DDR is processed only once and then entered into the database at a primary site or central
administration site. After processing, the discovery data record file is deleted.
Discovery information entered into the database at one site is replicated to all primary sites in the
hierarchy by using the Configuration Manager database replication feature.
You can use Active Directory Forest Discovery to discover subnets and Active Directory sites, and then
add them as boundaries for the hierarchy.
When a primary site is in a different AD DS forest, you can enable and configure Active Directory
Forest Discovery at the central administration site, or at primary sites, to accommodate deployment
scenarios.
The Configuration Manager 2007 discovery method Active Directory Security Group Discovery is
called Active Directory Group Discovery in Configuration Manager 2012. It discovers groups and their
membership.
Active Directory System Discovery and Active Directory Group Discovery both support options to filter
out stale computer records based on the timestamp of the last logon or the last password change.
Active Directory System Discovery, Active Directory User Discovery, and Active Directory Group
Discovery all support delta discovery to detect changes performed in AD DS more frequently than by
using the default discovery schedule. Delta discovery differs from the Configuration Manager 2007 R3
version: it can detect when computers or users are added or removed from a group.
You will learn about each of these discovery methods and their available configuration settings in
upcoming topics, enabling you to choose the discovery methods most appropriate for your environment.
Discovery
D Methods
M
Yo
ou can use a variety
v of resou
urce discovery methods withh Configuratio n Manager 20 012 to discoverr
re ur infrastructure, such as com
esources in you ps, user accou nts, and netwo
mputers, group ork infrastructure
to
opology.
Th
he following ta overy method s available and
able describes resource disco d how you use
e them.
Discovery method Usag

ge
Active Directo
ory Forest Disccovery Introduced in Con nfiguration Maanager 2012, tthis method diiscovers
Active Directory ssites and subneets, and can crreate Configurration
Man nager boundaaries for each ssite and IP subnet discovered d.
Active Directo
ory System Disscovery Disccovers computter systems froom AD DS. Add ditionally, it caan
disccover Active D irectory container names, likke the Configu uration
Man nager 2007 Acctive Directoryy System Group p Discovery do oes.
Active Directo
ory Group Disccovery Disccovers local, g lobal, and univversal groups and their
mem mbership from m AD DS.
Active Directo
ory User Discovery Disccovers users frrom the specifiied locations in AD DS.
Network Disccovery Disccovers the netw

work topologyy and devices on your netwo
ork.
Heartbeat Disscovery Upd dates existing C

Configuration Manager client discovery re
ecords
in th
he database.
When you choose which discovery methods to implement, consider what types of resources you need to
discover, such as computers, users, or groups. The following table lists various types of resources in a
typical corporate infrastructure, and the discovery methods that you can use to discover each type of
resource.
Resources Discovery methods
Computers Active Directory System Discovery. Active Directory System Discovery

discovers computer resources from AD DS and provides additional
information about the computer resources, such as the organizational units in
which the computer resources are located.
Network Discovery. Network Discovery provides information about your
network topology that cannot be acquired with other discovery methods.
Note Computer resources must be discovered before you install the
Configuration Manager client using the client push installation method.
You can use Active Directory System Discovery and Network Discovery to
discover computer resources before client installation.
Heartbeat Discovery. If you installed the Configuration Manager clients using
a different method than client push, Heartbeat Discovery forces the discovery
of active clients and creates records in the database. Heartbeat Discovery
collects only limited information about computer resources that might not be
enough to build complex queries or collections.
Users Active Directory User Discovery. User resources can be discovered using
Active Directory User Discovery. This method discovers users from AD DS and
includes basic information about users. You can use this information to build
queries and collections similar to those for computers.
Groups and their Active Directory Group Discovery. Groups and group memberships can be
membership discovered using Active Directory Group Discovery. This discovery method
creates resource records for security groups. Additionally, it identifies the
members of each group, and optionally any nested groups within that group.
Active Directory Group Discovery also discovers limited information about
group members. This does not replace Active Directory System or User
Discovery and is usually insufficient to build complex queries and collections
or serve as the base of a client push installation.
Infrastructure Active Directory Forest Discovery. You can use Active Directory Forest
Discovery to search an Active Directory forest for information about subnets
and Active Directory site configurations. These configurations can then be
automatically imported into Configuration Manager boundaries.
Network Discovery. To discover your network topology, you also can use
Network Discovery which can discover subnets and router topology of your
network in addition to computer resources.
Question: What discovery methods can you use to discover computer resources?
Active
A Dire
ectory Disccovery Metthods for Systems, U
Users, and Groups
Yo
ou can use the
e following thrree Active Dire
ectory discoverry methods in Configuration
n Manager 201
12:
Active Directory System Discovery

D
Active Directory User Disccovery

Active Directory Group Discovery
D
Thhese discoveryy methods are similar in conffiguration and d operation, thhe difference b
being the type of
in
nformation the ey retrieve. Youu can configurre each of thesse discovery m methods to search one or mo ore
Active Directoryy locations in the
t local forestt or in remote forests. If mulltiple instancess of these Activve
Directory discovvery methods are configured d on multiple primary sites i n a Configurattion Manager
hiierarchy, you should
s configuure the source location for eaach discovery method so that the same re esources
arre not discovered more than n once. In smalller environmeents you shoul d consider con nfiguring all A
Active
Directory discovvery methods from the same e location. You
u can configurre each method to perform a full
diiscovery and a delta discove ery, that is, disccover only cha nges, on a schhedule. The deefault schedule e for a
fu
ull discovery is once a week, and the defau ult schedule fo r a delta disco
overy is every ffive minutes. B
Because
deelta discovery only discoverss new resource es, the impact on AD DS and d network trafffic is reduced.
Active
A Directtory System
m Discovery
Active Directoryy System Disco overy searches for computerr resources in tthe administrator-specified A AD DS
lo
ocations. Active er records based on
e Directory Sysstem Discoveryy has the abilitty to filter obssolete compute
th
he lastLogonT TimeStamp an nd pwdLastSe et attributes in AD DS. To im prove the quaality of discove ery you
sh
hould identify old computer records in AD D DS by using a dsquery com mmand, and disable them be efore
coonfiguring disccovery. For a computer
c resource to be disccovered using Active Directo ory System Disscovery
it has to have th
he following:
An enabledd computer acccount in AD DS.

D Disabled co
omputers are ffiltered out by default during
g Active
Directory Syystem Discove
ery.
A computer record in DNS. Active Directory System Discovery tries to resolve the name of each
computer resource to an IP address. If the DNS contains obsolete records, it might cause the
discovery of computers that are no longer active on the network. To avoid this, you should remove
obsolete records in DNS by activating DNS scavenging.
If the computer resource meets the preceding conditions, a DDR is generated for the computer and
populated with information that is used to identify the computer resource.
Active Directory System Discovery discovers basic information about the computer including the
following:
Computer name
Operating system and version
Active Directory container name

IP address
Active Directory site
Last Logon Time Stamp (UTC)
In addition to the basic information, you can configure the discovery of extended attributes from AD DS
in the Active Directory System Discovery Properties dialog box on the Active Directory Attributes
tab.
Active Directory System Discovery includes functionality to discover Active Directory container names,
such as Organizational Units, which is available in Configuration Manager 2007 in Active Directory System
Group Discovery.
Active Directory User Discovery

Active Directory System Discovery searches the specified AD DS location to identify user accounts and
their associated attributes.
Active Directory User Discovery discovers basic information about the user account, including the
following:
User name
Unique user name (includes the domain name)
Domain
Active Directory container names

In addition to this basic information, you can configure the discovery of extended attributes from AD DS
in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab.
Active Directory Group Discovery

Active Directory Group Discovery discovers basic information about the groups and their membership
including the following:
Groups
Groups membership
Limited information about a groups member computers and users

By default, Active Directory Group Discover only discovers security groups. To discover the membership of
distribution groups, you must select the checkbox for the option Discover the membership of
distribution groups in the Active Directory Group Discovery Properties dialog box on the Option
tab.
There are two options when configuring Active Directory Group Discovery searches:
Location. You can search one or more Active Directory containers, that is, a forest, domain, container
or OU. You can use a recursive search of the specified Active Directory container so that all child
containers under the container you specify are searched as well. This process continues until no more
child containers are found.
Groups. You can specify one or more Active Directory groups. When configuring this option you can
use the default domain and forest for the site, or limit the search to an individual domain controller. If
you do not specify at least one group, this method performs a location search of the location
specified.
You can use both of these options more than once and at the same time. For example, you might want to
find all the members of all groups in a particular location (forest, domain, container or OU) plus all the
members of one particular group in a different location.
Active Directory Discovery Log Files

Active Directory Discovery actions are recorded in the following logs, found in the
<InstallationPath>\Logs folder on the site server:
Active Directory System Discovery actions are recorded in the adsysdis.log.

Active Directory User Discovery actions are recorded in the adusrdis.log.
Active Directory Group Discovery actions are recorded in the adsgdis.log.

6-12 Planning and Completing Systtem Center 2012 Connfiguration Manager Client Deployment
Active Directtory Forest Discoverry
Actiive Directory Forest

F Discoverry discovers IP
P subnets and AActive Directo ry sites from A
AD DS, and can n add
them
m to the Confiiguration Man nager hierarchyy as IP addresss range bounddaries or Activee Directory site
e
bou
undaries, respe ectively. You ca
an use these boundaries in bboundary grou ups, which Con nfiguration
Mannager clients use
u for site assiignment or forr content locattion.
Unliike other disco

overy methodss, Active Directtory Forest Disscovery does n
not discover re
esources that ccan be
man
naged, such ass computers, users,
u or groupps.
Actiive Directory Forest

F Discoverry configuratio
on options aree located in thee System Center 2012
Con
nfiguration Ma anager consolee in the Adminnistration workkspace under tthe Hierarchy C
Configuration node:
Discovery Meethods. Here yo ou can enablee Active Directo hierarchy. You also
ory Forest Disccovery in the h
can configuree a simple scheedule to run discovery, and sspecify whetheer it should au
utomatically crreate
boundaries frrom the IP subbnets and Activve Directory sittes discovered
d in the Active Directory Foreest(s).
Active Directo
ory Forest Disccovery cannot be run at a seecondary site. YYou also can trigger a discovvery
cycle on dem
mand.
Active Directo
ory Forests. Heere you configure the additio onal Active Directory forestss that you wannt to
discover, speccify the accounnt to use as the Active Direcctory Forest Acccount for each h forest, and
configure pub blishing to eacch forest. Additionally, you ccan specify thee discovery of IP subnets andd
Active Directo
ory sites.
The following infoormation is published to AD DS when you enable publisshing for an Acctive Directoryy
fore
est if the schem
ma was previouusly extended and configureed for Configu
uration Manager publishing:
SMS-Site-<sitte code>
SMS-MP-<sitte code>-<site system serverr name>

SMS-<site cod
de>-<Active Directory
D site name or subnett>
To publish data into AD DS, each site server must have full permissions on the System Management
container and all descendant objects. Secondary sites always use the secondary site server computer
account to publish to AD DS, so you must ensure that secondary site servers also have full permissions.
You can configure Active Directory Forest Discovery at the central administration site or any primary site
in the hierarchy. To avoid conflicts with discovery data you should not configure multiple sites to discover
the same Active Directory Forest.
Active Directory Forest Discovery actions are recorded in the following logs, found in the
<InstallationPath>\Logs folder on the site server:
All actions, with the exception of actions related to publishing, are recorded in the ADForestDisc.log.
Active Directory Forest Discovery publishing actions are recorded in the hman.log.
Question: How are IP subnets that are discovered by Active Directory Forest Discovery used
by Configuration Manager?
Wh
hat Is Netw
work Disco
overy?
Network Discoverry discovers the topology of your networkk and devices o

on your netwo
ork by searchin
ng for
devices that have IP addresses.
Network Discoverry searches you

ur network forr IP-enabled reesources by qu
uerying:
The Windowss browse list for

f Active Directory domainss.
r a Microsoft implementa
Servers that run ation of DHCP
P.
Address Reso
olution Protoco
ol (ARP) cachess in routers.
SNMP-enable
ed devices.
Network Discoverry must identiffy the IP addre

ess and the sub
bnet mask to ssuccessfully disscover a resou
urce.
Network Discoverry can discoverr resources tha
at cannot supp guration Manaager client softtware,
port the Config
such
h as printers, routers and briidges.
Network Discoverry creates disco

overy records that include th
he following in
nformation (ass appropriate)::
NetBIOS nam
me
IP addresses
Resource dom
main
System roles
SNMP community name
MAC addresses
Network Discoverry and Heartbe

eat discovery are
a the only diiscovery metho
ods that can d
discover compu
uters
in workgroups.
w
To configure Network Discovery, you must specify the level of discovery, as outlined in the following
table.
Level of discovery Details
Topology This level discovers routers and subnets but does not identify a subnet mask
for objects.
Topology and client In addition to topology, this level discovers potential clients such as
computers, and resources such as printers and routers. This level of discovery
attempts to identify the subnet mask of objects it finds.
Topology, client, and In addition to topology and potential clients, this level attempts to discover
client operating system the computer operating system name and version. This level uses Windows
Browser service and Windows Networking calls.
For Network Discovery to discover an object, it must identify the object IP address and then identify its
subnet mask or Active Directory site membership. It then creates a DDR for that object. If Network
Discovery cannot determine the subnet mask or Active Directory site membership of an object, it does not
create a DDR.
To discover computer resources, you must configure at least the Topology and client discovery level.
Network Discovery can be configured to use the following sources of information:
Domains. Network Discovery discovers any computer from the specified domain that is visible when
browsing the network. Network Discovery retrieves the IP address and then uses an Internet Control
Message Protocol echo request to ping each device that it finds to determine which computers are
currently active. It then initiates Windows networking API calls to the resource to discover its
operating system information.
SNMP. Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that
responds to the query. The ipNetToMediaTable value returns arrays of IP addresses that are client
computers or other resources, such as printers, routers, or other IP-addressable devices.
DHCP. Network Discovery queries Microsoft DHCP servers for a list of devices that are registered with
each server. Network Discovery retrieves information by using remote procedure calls to the database
on the DHCP server. Network Discovery supports only DHCP servers that run the Microsoft
implementation of DHCP.
You can limit Network Discovery by specifying the following options:
Subnets. You can configure the subnets that Network Discovery queries when it uses the SNMP and
DHCP options. Only the enabled subnets are searched by these two options.
SNMP community names. You can specify SNMP community names to be used by Network Discovery
to query SNMP devices.
Maximum hops. You limit the number of network segments and routers that Network Discovery can
query by using SNMP.
To identify the subnet mask, Network Discovery uses the following methods:
Router ARP cache. Network Discovery queries the ARP cache of a router to find subnet information.
DHCP. Network Discovery queries each administrator-specified DHCP server to discover the devices
for which the DHCP server has provided a lease.
SNMP device. Network Discovery directly queries a SNMP device, and then makes an additional call
to obtain the subnet mask information.
Question: What level of Network Discovery must you configure to discover computers?
What
W Is He
eartbeat Diiscovery?
Heartbeat Disco overy is a discoovery method included in Co onfiguration M Manager 2012 that rediscove ers
exxisting computters that have the Configura ation Managerr client installeed and are active in the netwwork. It is
ussed by Configu uration Manag ger to maintainn the records o
of active clientts in the datab
base, and to fo
orce
diiscovery of acttive clients that might have been
b removedd from the dataabase or that have been insttalled
an
nd not discove ered by anothe er discovery method.
m
Th
he following list describes th
he functions off Heartbeat Di scovery:
Heartbeat Discovery
D is en
nabled by defaault and runs o
on a schedule on each comp puter client to create a
DDR for He t Heartbeat Discovery reccord, the clientt computer mu
eartbeat Discovvery. To send the ust be
able to con
ntact a manageement point.
being used by the

For mobile device clients,, this DDR is crreated by the management point that is b
mobile devvice client.
The defaultt schedule for Heartbeat Disccovery is set to

o run every sevven days.
Heartbeat Discovery
D provvides details ab
bout the clientt installation sttatus by updatting a system
resource cliient attribute to
t active status.
The following maintenance tasks use discovery inform

mation. If you adjust the heaartbeat intervaal, you
should consider also adju
usting these tasks:
Clear In
nstall Flag. This maintenancee task is not en nabled by defaault. If you enaable this task, tthe
defaultt schedule is 000:00 and 05:00
0 every Sundayy. Any client th hat has not submitted a Heaartbeat
DDR within
w the past 21 days has th g cleared. This forces a reinsttall of the clien
heir install flag nt if the
client push
p installatio
on method is enabled.
e
Delete Aged Discovery Data. By default, this maintenance task is enabled and runs between 00:00
and 05:00 every Saturday. By default, any discovery data that is over 90 days old is removed. If a
DDR for the resource has not added in the past 90 days, everything relevant to that resource is
deleted from the Configuration Manager database.
This task affects all types of resources: systems, users and groups. This task removes from the
database records about discovered computers that have not had the Configuration Manager
client installed during the last 90 days.
Delete Inactive Client Discovery Data. By default, this maintenance task is not enabled. If you
enable this task, the default schedule is 00:00 to 05:00 every Saturday. The Delete Inactive Client
Discovery Data task is similar to the Delete Aged Discovery Data task; however, this task operates
only on resources that are Configuration Manager clients. When you enable this task, records for
inactive clients that have not sent a heartbeat during the last 90 days are removed from the
database.
You cannot configure Heartbeat Discovery on secondary sites, but secondary sites can receive the
Heartbeat DDR from a client and forward it to the primary site.
Question: If you change the default schedule for Heartbeat Discovery, you should ensure
that Heartbeat Discovery runs more frequently than what site maintenance tasks?
Discussion:
D Planning Discovery
y
Only
O the Heartbbeat discovery method is enabled by defauult. You can m
modify this metthod, but you should
no
ot disable it. Depending
D n to manage, yyou can enablee any or all of the Heartbeatt
on what you plan
diiscovery metho ods.
Th
he following ta
able provides a summary of the discovery methods.
Discovery Me
ethod Defa
ault Schedule Desccription
Active Directo
ory Oncce a week fromm when Disccovers computers in AD DS from the speccified
System Discovvery it is enabled and delta
d Forrest(s), Domain
n(s) and contaiiner(s).
discovery every fivve Active Directoryy attributes for the
Disccovers basic A
minutes. com
mputers.
Active Directo
ory Oncce a week fromm when Disccovers users in
n AD DS from the specified
User Discoverry it is enabled and delta
d Forrest(s), Domainn(s), and contaainer(s).
discovery every fivve Disccovers basic A
Active Directoryy attributes for the
minutes. useers.
Active Directo
ory Oncce a week fromm when Disccovers groupss and group memberships in n AD DS
Group Discovvery it is enabled and delta
d from
m the specifiedd Forest(s), Do
omain(s), and
discovery every fivve conntainer(s).
minutes. Disccovers minimaal information about the gro oup
me mbers.
Active Directo
ory Oncce a week from
m when Disccovers the IP SSubnets and A
Active Directoryy Sites
Forest Discovery it is enabled. deffined in a specified Active Diirectory Forestt.
(continued)
Discovery Method Default Schedule Description
Network Discovery Once, running for two Discovers Network Devices that respond to the
hours when it is enabled. configured network discovery method.
Heartbeat Discovery Once a week from when Client systems generate a new DDR to keep their
the client is installed. data active in the Configuration Manager database.
Considering your environment, discuss the following questions with the rest of the class:
Question: Which discovery methods might you enable and why?
Question: For the Discovery methods you would enable, how do you think you would
schedule them?
Question: If you are going to enable Active Directory System Discovery or Active Directory
User Discovery, would you enable additional attributes as well?
Lesson
n2
Introd
duction
n to Con
nfigurattion Maanager 2
2012 Client
Deplooymentt
Yo
ou can install Configuration
C Manager clien
nts by using a variety of metthods. Regardlless of the metthod
yo
ou choose, you u always start the
t installation
n of the Config
guration Manaager clients byy using either
CCMSetup.exe or o CCMSetup.msi, which is a bootstrap forr CCMSetup.exxe.
Th
his lesson cove
ers the client in
nstallation pro
ocess and the C
CCMSetup parrameters that yyou can use w
with
CCMSetup.exe tot control the deployment process.
p
Yoou will examinne typical Conffiguration Mannager client insstallation methhods and Configuration Manager
sitte systems involved in clientt deployment. This lesson alsso discusses th
he role of AD D
DS in client
deeployment.
After completin
ng this lesson, you
y will be able to:
Explain the importance and the role of AD DS in the client deploym
ment process.
Describe th
he site systems used during the
t client depl oyment proceess.
Describe ho ndary groups for client assign

ow to use Configuration Manager boundaaries and boun nment
and contennt location.
ow Configuration Manager clients

Describe ho c onfiguration Manager site systems.
find Co
Describe th
he requirementts for client insstallation.
Describe th on Manager client installatio
he Configuratio on process.
Describe tyypical client de

eployment metthods.
The Role of AD
A DS in Client
C Dep
ployment
Alth
hough it is not mandatory, you can extend d AD DS to sim mplify the man agement of yo our Configurattion
Mannager site. Exte ending the AD D DS schema and publishing Configuration n Manager info ormation in AD DS
nt installation process by auttomatically pro
simplifies the clien oviding the installation paraameters you
configured. You canc use AD DS publishing with any installa tion method tto allow for au utomatic site
assignment. AD DS D publishing also
a enables yo h the name of the managem
ou to provide tthe client with ment
poin
nt it communicates with, and d provide additional informaation to the client.
Con anager publishes client installlation propertties to AD DS iincluding:

nfiguration Ma
The managem
ment point use ad content for the client instaallation.
ed to downloa
The Configuration Manager site code asssigned at the cclient.

The HTTP port used for clie
ent communica
ations.
The HTTPS po
ort used for cliient communiccation.
A setting to in he client must communicatee using HTTPS.

ndicate that th
The fallback status
s point. If the site has multiple
m fallbacck status points, only the first one installed
d is
published to AD DS.
The selection criteria for certificate selection. This migh

ht be required when the clien
nt has more th
han
one valid certtificate.
Installation properties specified in the Insstallation Pro

operties tab off the Client Pu
ush Installatio
on
Properties dialog box.
Add
ditionally, if you use alternate
e ports for you
ur site systemss, clients are au
utomatically updated when you
mak
ke a change.
Extending the Active Directory schema is an irreversible forest-wide action that you only need to perform
once per forest. When deploying Configuration Manager 2012 in a multiple-forest environment, you need
to extend the schema in each forest to which you want to publish information.
If the schema has already been extended for Configuration Manager 2007, you do not need to extend it
again. A future service pack might extend the schema further which would require you to extend the
schema again. Only a member of the Schema Admins group or an administrator that has sufficient
permissions to modify the schema can extend it.
If you extend the schema before installation, Configuration Manager automatically configures the site to
publish site information during installation, and publishes site information to AD DS at the completion of
installation. However, you can extend the schema after installation of Configuration Manager, and then
manually configure the site to publish to AD DS.
Note Extending the Active Directory schema for Configuration Manager 2012 was
discussed in Module 2, Planning and Deploying a Stand-Alone Environment.
Question: How is AD DS used during Group Policy installation?
Question: Are you planning on extending the Active Directory schema in your environment?
Site Systems Used by Client

C Dep
ployment
The process for in

nstalling the Coonfiguration Manager
M clientt involves several different site systems. In
add
dition to the sitte systems that play a direct role in client ddeployment, there are a few w site systems tthat
you might find usseful during a deployment.
d
The following site
e system roles are
a directly invvolved when yyou install clien
nt devices.
Ma
anagement point
A management
m point is required to completee the client insttallation proceess, although yyou can install the
clien
nt componentts successfully without one. The T installation n process is co
ompleted when n the client haas
regiistered with a primary site, iss assigned its initial policy, a nd the client rretrieves the policy. This initiial
policy sets the com mponents to their
t desired sttate. In most innstallation metthods, the clieent downloads the
necessary files fro om a managem ment point; othher installationn methods utilize a distributiion point. Afte er the
installation progra am completes the client con ntacts the man agement poin nt to register ittself and obtain its
site assignment; itt then reports the state of thhe installation. If the client caannot contact the managem ment
poinnt, all the clien
nt componentss show as insta alled instead o of enabled or d disabled.
The client softwarre has several methods

m it can
n use to locatee the managem uses these methods
ment point. It u
in th
he following order:
o
1. Setup Parame
eters. As part of
o the installation command , you can speccify a managem
ment point.
2. AD DS. The client software queries AD DS

S for an appro priate manageement point.
3. DNS. The clie

ent searches fo
or an SRV recorrd type for a mmanagement p
point. To find tthe right SRV rrecord
in DNS, you must
m configure
e the clients with their site co
ode.
4. Windows Inte
ernet Name Se ervice (WINS). A managemen
nt point autom
matically updates its WINS re
ecord
with appropriate informatio
on.
Automatic client assignment is based on boundaries that are members of a boundary group that has
automatic assignment enabled. In previous versions of Configuration Manager, if clients were to fall
outside of all boundaries, automatic site assignment would fail and clients would not be managed. With
Configuration Manager 2012, you can configure a fallback site for client assignment at the hierarchy level.
If you install a client that is outside of any of the configured boundary groups, the automatic site
assignment process uses this site and the installation process completes successfully.

The fallback status point is an optional site system that is used during the client installation process. A
fallback status point is used to monitor client deployment and to identify unmanaged clients that cannot
communicate with a management point. The fallback status point uses unauthenticated connections from
clients over HTTP. To reduce exposure to security risks due to use of unauthenticated connections, you
should use a dedicated system for the fallback status point, and you should not install other site system
roles on the fallback status point server in a production environment.
Additionally, Configuration Manager client deployment reports use data sent by clients through the
fallback status point.
Mobile devices enrolled by Configuration Manager and mobile devices managed by using the Exchange
Server connector do not use a fallback status point.

You can install the Configuration Manager client by using software update point push installations. If you
choose to use this method, you need to configure the software update point on a Windows Server Update
Services (WSUS) server to install the client when computers scan for applicable software updates.
Enrollment point and enrollment proxy point

The enrollment point is used by mobile devices for enrollment with Configuration Manager and the
enrollment proxy point manages the enrollment requests from the mobile devices. These site system roles
are not required if you plan to manage mobile devices only by using the Exchange connector, or if you
install the Configuration Manager client for Windows CE.
Distribution point
Most client installation methods copy the necessary installation files from a management point. In certain
circumstances, the installation process uses a distribution point instead. When you deploy an operating
system by using the Configuration Manager operating system deployment feature, the task sequence
action that installs the client software downloads it from a distribution point. Additionally, if you use a
pre-boot execution environment (PXE) boot in conjunction with operating system deployment, the PXE
server is installed on the distribution point.
When you upgrade the client using software distribution, the installation package is downloaded from a
distribution point. The installation of the Window CE client also uses a distribution point.
Reporting services point

In addition to the required and optional roles that are directly used by client installation, you might find it
useful to install a reporting services point. This enables you to view any reports about the client
installation process or the status of the clients.
Bo
oundaries and
a Bound
dary Group
ps
A booundary is an intranet netwo ork location th

hat can contain
n one or moree devices that yyou want to
mannage. There are multiple wayys to define bo d a hierarchy ccan have boundaries defined
oundaries, and d
usin
ng any combin ods. Boundaryy information is stored as glo
nation of the avvailable metho obal data and, as
suchh, is replicated
d throughout the hierarchy. Boundaries
B muust be added tto boundary ggroups to be used
for Configuration
C Manager ope erations.
Inte
ernet-based clients or clientss that are confiigured as Interrnet-only clien
nts do not use boundary
info
ormation. Because these clien nts cannot usee automatic sitte assignment, when the disttribution pointt is
configured to allo
ow client conne ections from the Internet th ey always dow wnload content from any
distribution point in their assign
ned site.
Bou
undaries
Each
h boundary re epresents a nettwork location located within n your hierarchy. A boundarry does not en nable
you to manage clients at the neetwork location d to identify aavailable netwo
n; it is just used ork locations. T
To
mannage a client, the
t boundary must be a mem mber of a bou undary group.
A bo
oundary can be
b defined usin
ng an:
IP subnet. You can specify an
a IP address and
a subnet maask and Config
guration Manaager calculatess the
subnet ID, or you can proviide the subnett ID.
ory site name. You can speciify any sites deefined in your AD DS environment.
Active Directo
IPv6 Prefix. Yo
ou can use an IPv6 prefix forr a boundary i f you are using
g IPv6 in your environment.
IP address ran
nge. You can specify
s a range
e of IP addressses if you wantt to limit your boundaries.
An administrator
a can manually create bounda aries, or Config
guration Manaager 2012 can automaticallyy
ate IP address range bounda
crea aries by using the
t Active Direectory Forest D Discovery method. Using IP
adddress ranges to
o define bound daries is recom
mmended insteead of using IP P subnets, becaause IP address
rangges do not relyy on the subne
et mask being configured co orrectly at the client.
Boundary Groups
Boundary groups contain one or more boundaries. They allow clients on the intranet to find an assigned
site and locate content.
Boundary groups are functionally equivalent to Configuration Manager 2007 boundaries and are
associated with sites. Clients use them to identify the site to which they are assigned, and use them to
locate content.
Site Assignment
A client can use boundary groups for automatic site assignment by finding an appropriate site to join,
based on the clients current network location. You must enable the Use this boundary group for site
assignment setting to enable automatic site assignment to use a particular boundary. This setting is
located in the boundary groups Properties dialog box, on the References tab. At the same time you
enable a boundary group for automatic site assignment, you also configure the site the clients will be
assigned to. Boundary group information is published into AD DS and queried by the client after
installation. After a client is assigned to a site, the client does not automatically change that site
assignment. For example, if the client roams to a different network location that is represented by a
boundary in a boundary group for a site other than the clients assigned site, the clients assigned site
remains unchanged.
Content location
Clients also use boundary groups to identify available distribution points or state migration points, based
upon the clients current network location. When configuring a boundary group you specify the
distribution points, and state migration points that clients use within one of the boundaries of the
boundary group.
When a client requests content, it retrieves a list of all distribution points that contain the content from all
the boundary groups that the client is in. The client then downloads the content from the distribution
point that is determined to be the best choice, based on the boundary and the speed of the boundary.
Overlapping Boundary Groups

There might be situations where you want a boundary to be in multiple boundary groups. While this
configuration works well with content location you might get unpredictable results if you overlap
boundaries in boundary groups being used for site assignment; therefore, overlapping boundary groups
are not supported for site assignment.
Depending on the complexity of your environment, you might decide to create two sets of boundary
groups-----one for site assignment and one for content location-----so you can configure the boundary
groups used for content location to contain overlapping boundaries and not affect site assignment.
Network connection speed

When you add a distribution point to a boundary group, you specify whether it is considered Fast or
Slow for the boundary group it is being added to. By default, distribution points are designated as Fast.
Clients use this value when determining the distribution point to connect to. The network connection
speed and the deployment configuration determine whether a client can download content from a
distribution point when the client is in an associated boundary group.
Question: After defining a boundary, what should you do next?

Ho
ow Clients Locate Sitte Systemss
Client systems com mmunicate to Configuration n Manager thro ough manageement points: e either Internett-
baseed manageme ent points or in
ntranet manag gement points.. If clients are unable to com
mmunicate with ha
man nagement poin nt they send a message to a fallback statu
us point, if conffigured; howevver, they cann
not
retrieve policy witthout commun nicating with a managementt point.
Because of this, it is imperative that clients loccate and comm municate with a management point for th he site
thatt they are assig
gned to. Clientts communicatte to the manaagement point through eith her HTTP or HT TTPS;
therrefore, any inte
ervening firew
walls must allow w the traffic. T here are severral methods fo or the client
to lo
ocate a manag gement point. It is preferablee to use AD DSS because, bessides providing g the location of
the management point, AD DS also can update the commu unication settinngs for the clie
ents. For instannce, if
the communicatio on ports were changed, the client can retr ieve this inform mation from A AD DS before
atte
empting to com mmunicate. Th he following methods
m are ussed, in the ordeer listed, by th
he clients to loccate
site systems:
AD
D DS
AD DS is the prefeerred method for clients to locate site systtems. To use th
his method, th
he following
prerrequisites musst be met:
The Active Directory schem

ma must be exttended for Con
nfiguration Maanager.
The Configuration Manager site(s) must publish
p inform
mation to AD D
DS.
The client com

mputer must be
b a member of o the Active D Directory foresst where the in
nformation is
published andd have access to a Global Ca
atalog server.
DN
NS
DNS S can be used by clients to lo
ocate a manag gement point, however this method has so ome specific D
DNS
system requireme ally, if you use this as your prrimary method
ents. Additiona d for locating management
poin
nts, the client will
w not be auttomatically updated if you m make changes to the commu unication portss.
This method for locating site systems can be used if:
The AD DS schema is not extended to support Configuration Manager.
Clients on the intranet are located in a forest that is not enabled for Configuration Manager
publishing.
Clients are on workgroup computers and are not configured for Internet-only client management.
To use this method, the following prerequisites must be met:
You must assign the clients to a specific site rather than use automatic site assignment.
You must configure a client property that specifies the domain suffix of the management point.
Your DNS servers must support service location resource records, by using a version of BIND that is at
least 8.1.2.
The intranet FQDNs for the Configuration Manager site systems have corresponding host entries in
DNS.
When your DNS servers support automatic updates, you can configure Configuration Manager 2012 to
automatically publish management points on the intranet to DNS.
WINS
When other service location mechanisms fail, clients can find an initial management point by checking
WINS:
The first management point in the primary site that is configured to accept HTTP client connections is
automatically published to WINS.
When the clients connect to this management point, they download a list of other management
points and can use them for subsequent connections.
If you do not want clients to locate a management point using WINS, configure clients with the
CCMSetup.exe Client.msi property SMSDIRECTORYLOOKUP=NOWINS.
Note In Configuration Manager 2007, clients also used the Server Locator Point to locate
site systems. This method is not available in Configuration Manager 2012.
Question: Under what circumstances can you use DNS for service location?
Pre
erequisitess for Installling Clients
You
u should be fam
miliar with the client softwarre prerequisitees necessary fo
or a successful Configuration
n
nager client installation.
Man
Pre
erequisites for
f Computter Clients
Connfiguration Maanager 2012 suupports client computers run nning the Win dows XP Serviice Pack 3 or n
newer
(or Windows
W XP SP2
S or newer iff they are 64-bbit systems) fo r desktop opeerating systemss, or Windows
Servver 2003 SP2 or newer for server
s operatin
ng systems.
The following table lists the softtware prerequisites that musst be installed on the compu uters on which
h you
plan
n to install the Configurationn Manager clie
ent. These softw ware prerequi sites are includ
ded by defaultt in
the operating systtem on all Win ndows versionss supported foor client installation, providin
ng that the
opeerating system is updated to the latest servvice pack versi on. Because thhey are not doownloaded or
installed by CCMS Setup, you must ensure that they are preseent before you u attempt to innstall the
Connfiguration Ma anager client.
So
oftware prereq
quisites extern
nal to
Co
M Description
D
Microsoft
M Backgground Intelliggent Background I ntelligent Tran nsfer Service (B
BITS) is a
Trransfer Service
e (BITS) version
n 2.5 or prerequisite foor installing th
he Configuratioon Manager client.
neewer BITS is includeed by default o on all supported operating
system versio ns for client innstallation; you
u do not need to
download or install it. If BITTS is not presen
nt, you need to
verify the servvice pack version for the ope erating system
m.
Windows
W Installer version 3.1.4000.2435 Required to s upport the usee of Windows Installer update
or newer must be
b installed (.msp) files fo r packages an d software updates.
The following table lists the software prerequisites that are downloaded and installed automatically by
CCMSetup before client installation if they are not already installed on the client computer.
Software prerequisites automatically installed

before client installation Description
Windows Update Agent version 7.0.6000.363 Required by Windows to support update detection
and deployment.
Microsoft Core XML Services (MSXML) version Required to support the processing of XML
6.20.5002 or newer documents in Windows.
Microsoft Remote Differential Compression Required to optimize data transmission over the
network. This is a Windows feature.
Microsoft Visual C++ 2008 Redistributable Required to support client operations.

version 9.0.30729.4148
Microsoft Visual C++ 2005 Redistributable Required to support Microsoft SQL Server Compact
version 8.0.50727.42 operations.
Windows Imaging APIs 6.0.6001.18000 Required to allow Configuration Manager to manage

Windows image (.wim) files.
Microsoft Policy Platform 1.2.3514.0 Enables clients to evaluate compliance settings.
Microsoft Silverlight 4.0.50524.0 Required to support the Application Catalog website

user experience.
Microsoft .NET Framework 4 Client Profile Required to support client operations.
Microsoft SQL Server Compact 3.5 SP2 Required to store information related to client
components operations.
Microsoft Windows Imaging Components Required by Microsoft .NET Framework 4.0 for
Windows Server 2003 or Windows XP SP2 for 64-bit
computers.
To accelerate the Configuration Manager client deployment process, you can pre-deploy some of these
software prerequisites on the target computers before attempting to install the Configuration Manager
client. You can use alternate deployment methods, such as WSUS, or include the software prerequisites in
the images you use to deploy operating systems.
Question: If your environment contained computers that were running Windows XP SP1,
what do you need to be able to install the Configuration Manager client?
Ov
verview of the Clientt Installatio
on Processs
Deppending on the e client installa

ation method you
y use, the c omplexity of cconfiguration ccan vary
sign
nificantly. Howwever, all the in
nstallation metthods use the ssame files and
d essentially co
omplete the
installation in the same way.
The installation prrocess for the Configuration Manager clie nt uses the folllowing files.
CCM
MSetup.exe
e
CCM
MSetup.exe ge
enerally beginss the client insttallation proceess and is run iin all client insstallation meth
hods.
CCM
MSetup performs the followiing actions:
Determine the location from m which to do ownload client prerequisites and installatioon files. If you start
CCMSetup wiithout command-line option ns, and if you h
have extended d the AD DS scchema for
Configuration n Manager, thee setup processs reads the cliient installation properties frrom AD DS to find
an appropriatte management point. If you u have not exttended the Acttive Directory schema, CCMSSetup
searches DNS S or Windows Internet Naming Service (W INS) for a man nagement poin nt to contact.
Alternatively, you can speciify a specific management
m p
point by provid ding the /mp:< <ComputerNa ame>
switch, or a sp
pecific UNC lo
ocation using the /source:paath switch.
Download the e client prereq es include the Client.msi fil e and any of tthe prerequisitte files
quisite files. File
previously disscussed that arre missing.
artup of the Client.msi file. The Client.mssi file installs th

Invoke the sta he Configuration Manager cclient
software on the client.
CCM
MSetup copiess all the files it needs, and cre
eates the ccmssetup.log log ffile, to
%sy
ystemroot%\C CCMSetup.
There are numero ous switches avvailable for mo

odifying the beehavior of CCM
MSetup.exe wh
hich are discusssed
in th
he following to
opic.
Client.msi
After CCMSetup installs the required prerequisites on the intended client, CCMSetup invokes Client.msi.
This Windows Installer file installs the client on the system.
Client.msi creates the client.msi.log log file in the %systemroot%\CCMSetup folder.
You can modify the Client.msi installation behavior by providing specific properties on the CCMSetup.exe
command line. Alternatively, you can specify the properties on the Installation Properties tab of the
Client Push Installation Properties dialog box. These settings are then published to AD DS and used by
several installation methods.
CCMSetup.msi
The Configuration Manager installation process uses the CCMSetup.msi Windows installer file when using
an AD DS Group Policy to publish or assign the Configuration Manager client to computers. This file is
located in the <installation directory>\bin\i386 folder on the Configuration Manager site server.
Client Assignment
After client installation is complete, you must assign the client to a site so that the client can be managed.
You can assign client devices to any primary site; however, you cannot assign client devices to either a
secondary site or a central administration site.
Most clients reside within site assignment boundary groups and are automatically assigned based on the
boundary definition. You can configure a site in the hierarchy settings as a fallback site, so that when a site
is selected, the clients are assigned to it if they are outside the configured boundary groups of all defined
sites. You also can directly assign a client to a site through a client.msi option either directly or through
the Client tab of the Client Push Installation Properties dialog box.
If you have not extended AD DS then you have the following two options for site assignment:
You can specify a site code by using the client.msi property SMSSITECODE=<sitecode>.
You can manually assign a group of clients to a site by using Group Policy.
You also can choose to install a client offline and not immediately assign it to a site. The client cannot be
managed until it is assigned to a site.
After the client is assigned to a site, it remains assigned to that site, even if the client changes its IP
address and roams to another site. Only an administrator can manually assign the client to another site.
If the client auto-assignment fails, the client software remains installed, but it will not be managed by
Configuration Manager until Configuration Manager locates a site. If the client is unassigned, each time
the CCMExec process starts, it attempts to perform auto-assignment.
Question: How is the management point used during the client deployment process?
Question: Which executable determines the location of the source files and then downloads
them to start the Configuration Manager client installation process?
Client Installation Prop

perties
The two main insttaller program

ms used to insta
all the Configuuration Manag ger client are C
CCMSetup.exe and
Client.msi. Both of these progra
ams support multiple
m switchees for customizing their instaallation prope
erties.
If yo he Active Direcctory schema, you can publiish client installation propertties in AD DS. When
ou extended th
you run CCMSetu up.exe without parameters it will try to rea d these propeerties from AD DS.
CCM
MSetup.exe
e Switches
CCM MSetup.exe swwitches allow yoou to specify the n properties off the Configuraation Manager
t installation
clien
nt. These switcches can be supplied in a command line w when using thee manual installation or logo
on
installation methoods or read fro
om AD DS. CCM MSetup.exe alsso can be usedd to provide th
he properties ffor
clien
nt.msi when using these metthods.
The CCMSetup.exxe command line using the following form

mat:
CC
CMSetup.exe /[CCMSetup
/ sw
witch] [clien
nt.msi setup properties]
The following table lists a few ofo the switches supported byy ccmsetup.exee. For a comple ete list of the
avaiilable settings, refer to Abou
ut Configuratio
on Manager C on Properties at
Client Installatio
http
p://go.microso oft.com/fwlink//?LinkID=2477 706.
CC
CMSetup switcch Purposse
/ssource:<Path>
> Speciffies the location from which to download iinstallation filees. You can use
ea
local or
o UNC installa ation path. Filees are downloaaded by using the server
message block (SMB B) protocol. Thhe Windows usser account that is used for cclient
installa
ation must havve Read permiissions to the iinstallation loccation.
(continued)
CCMSetup switch Purpose
/mp:<Computer> Specifies the source management point for downloading installation files. Files
are downloaded over an HTTP or HTTPS connection, depending on the
management configuration for client connections. This download uses Microsoft
Background Intelligent Transfer Service (BITS) throttling, if BITS throttling is
configured. If the management point is configured for HTTPS client connections
only, you must verify that the client computer has a valid public key
infrastructure (PKI) client certificate.
/retry:<Minutes> Specifies the retry interval if CCMSetup.exe fails to download installation files.
The default value is 10 minutes. CCMSetup continues to retry until it reaches the
limit specified in the downloadtimeout installation property.
/forcereboot Specifies that CCMSetup.exe should force the client computer to restart if this is
necessary to complete the client installation. If this option is not specified,
CCMSetup.exe exits when a restart is necessary and then continues after the next
manual restart.
Client.msi Properties
The client.msi file supports options that control the installation behavior as well as the configuration of
the Configuration Manager client. You can specify the options on a command line or if you are using the
client push installation method, you specify the properties in the Client tab of the Client Push
Installation Properties dialog box.
The following table describes a few of the properties that can be used to modify the installation behavior
of client.msi. For a complete list of the available settings, refer to About Configuration Manager Client
Installation Properties at http://go.microsoft.com/fwlink/?LinkID=247706.
Client installation property Used for
SMSMP=<management point> Specifies an initial management point for the Configuration

Manager client to use.
You can specify multiple management points so that if the first one
fails, the next is tried, and so on. When you specify multiple
management points, separate the values by using commas.
SMSSITECODE=<site code> Specifies the Configuration Manager site to assign the Configuration
Manager client to.
This can either be a three-character site code or the word AUTO. If
AUTO is specified, or if this property is not specified, the client
attempts to determine its Configuration Manager site assignment
from AD DS or from a specified management point. Unless you are
using a stand-alone design, you should refrain from using the AUTO
option.
FSP=<fallback status point> Specifies the fallback status point that receives and processes state
messages sent by Configuration Manager client computers.
CCMADMINS Specifies one or more Windows user accounts or groups to be given

access to client settings and policies. This is useful where the System
Center 2012 Configuration Manager administrator does not have
local administrative credentials on the client computer. You can
specify a list of accounts that are separated by semi-colons.
Question: What should you type at a command prompt to install the Configuration
Manager client from a network share, and to specify that the client should use the NYC site
code and NYC-CFG.Contoso.com as the management point after installation?
Overview
O of
o Client Deploymen
nt Method s
To
o efficiently de
eploy the Conffiguration Mannager client co
omponents to potential reso ources, you nee ed to
de
ecide which de eployment me ethod to use. You
Y should con nsider the detaails of each insstallation meth
hod,
an
nd decide whicch is best for your
y environm
ment.
Th
he client deplo
oyment metho
ods are:
Client push
h installation. This
T method pu ushes the Con figuration Manager client so oftware to clie
ent
computers. You can auto omate this deployment meth hod so that clieent installationn occurs on sysstems
that are asssigned to the site,
s or you can
n manually inittiate a client p
push installatio
on to any disco
overed
system thatt is supported for client insta
allation.
Group Policcy installation. This method uses Group Poolicy to publish

h or assign the
e Configuration
Manager cllient to compu uters when the
e Group Policyy Object (GPO)) runs on the ccomputer.
Software up pdate point installation. Youu can use this m method to pub blish the Confiiguration Man nager
client installlation program
m (CCMSetup.exe) as a softw ware update to o a software update point. T This is
useful if WSSUS is already in use in the environment
e a nd especially iif the Window
ws firewall is en
nabled
and not configured to support the othe er installation methods.
Manual insttallation. This method manu ually installs th e Configuratio

on Manager client software o on
computers by using CCM MSetup.exe. Use e this method when there are a small num mber of worksttations
that need the client installed. If the Con
nfiguration Maanager information is publisshed to AD DS, and
you run CCCMSetup.exe without
w any commmand-line p parameters, thee client installaation process rretrieves
the published client instaallation parameeters from AD DS.
Logon scrip pt installation. This method uses

u on script to trigger the client
CCMSetu p.exe in a logo
installation. This method ensures that the Configurattion Manager cclient is installed on all compputers
to which thhe user has local administratoor permissionss.
Upgrade installation (software distribution). This method allows you to upgrade existing client
software on computers to newer versions of Configuration Manager.
Operating System Deployment. When using operating system deployment to deploy a new operating
system, or upgrade an existing one, you include the Configuration Manager client as part of the
operating system deployment process.
Computer imaging. This method allows you to preinstall the Configuration Manager client software
on a master image computer that is used to build your enterprises computers.
The following table outlines the advantages and disadvantages for the various client deployment
methods.
Client deployment
method Advantages Disadvantages
Client push You can use this method to Can cause high network traffic
installation push to a single computer, a when pushing to large
collection, or to the results collections.
from a query. You can use this only on
You can use this method to computers that Configuration
install the client automatically Manager has discovered.
on discovered computers. You must specify a client push
Uses client-installation installation account, which has
properties defined on the administrative rights to the
Installation Properties tab of intended client computer. If you
the Client Push Installation do not configure an account,
Properties dialog box. Configuration Manager tries to
use the site system computer
account, which would then need
to have administrative rights on
the target client.
You must configure the Windows
firewall on client computers and
all firewalls between the clients
and site server with exceptions to
allow client push installation to
complete.
Group Policy Does not require you to Can cause high network traffic if
installation discover computers before a large number of clients are
you can install the client. being installed.
You can use this method for If the Active Directory schema is
new client installations, or for not extended for Configuration
upgrades. Manager, or the site is not
If the Active Directory schema published to AD DS, you must
has been extended, use Group Policy to add client-
computers can read installation properties to
installation properties computers in your site.
published to AD DS. Works only for systems that
Does not require belong to an Active Directory
administrative rights on client domain.
computers. Group Policies are applied to
Does not require firewall computers at reboot only, so
exceptions to be configured. installation might be delayed.
(continued)
Client deployment
Software update- Uses your existing software Requires a WSUS infrastructure

based client updates infrastructure to that is currently being used by
installation manage the client software. the systems.
Installs the client software Must use the same server for
automatically on new client installation and software
computers if WSUS is updates, and this server must
configured correctly. reside in a primary site.
Does not require computers If the Active Directory schema is
to be discovered before you not extended for Configuration
can install the client. Manager, or if the site is not
Reads installation properties published to AD DS, you must
in AD DS. use a GPO to add client
installation properties to your
Reinstalls the client software if
sites computers.
it is removed.
Does not require
administrative rights on client
computers.
Does not require firewall
exceptions to be configured.
Manual installation Does not require computers No automation, therefore it can

to be discovered before the be time-consuming.
client can be installed. Works only for users who are
Can be useful for testing local admins.
purposes.
Supports using command-line
properties for CCMSetup.
Allows you to retrieve
configuration properties from
AD DS.
Logon script Does not require computers Can cause high network traffic if
installation to be discovered before the a large number of clients are
client can be installed. being installed over a short time
Supports using command-line period.
properties for CCMSetup. Requires the logged on user to
Does not require firewall be a local admin for the
exceptions to be configured. computer.
(continued)
Client deployment
Upgrade installation Can leverage the Can cause high network traffic
(software distribution) Configuration Manager when distributing the client to
features to, at a defined time, large collections.
upgrade clients organized by Can only be used to upgrade the
collections. client software on computers
Supports using command-line that have been discovered and
properties for CCMSetup. assigned to the site.
Does not require
administrative rights on client
computers.
Does not require firewall
exceptions to be configured.
Operating System Configuration Manager Can cause high network traffic if

Deployment deployed as part of the a large number of clients are
image. being installed over a short time
Site assignment is automatic. period.
Can use Client.msi options. Requires operating system
deployment infrastructure in
place.
Computer imaging Configuration Manager might Requires specific infrastructure

be preinstalled in the image, considerations for storing and
and does not require a deploying the computer images.
separate deployment task. If the image is not properly
Communication to the prepared and allowed to register
Configuration Manager site with a site, all clients deployed
can begin almost immediately from that image have the same
after the image is deployed. GUID.
Discussion:
D Planning for Client Deployment
Beefore deployinng clients, therre are several decisions

d you nneed to make in addition to o the deployme ent
method
m to use. You must deccide if you are going to exten nd AD DS or u methods for the client
use alternate m
in
nstallation proccess to find thee site systems used in client deployment. Y You also must decide which
su
upporting roles you are goin ng to use and configure
c m in your site. Additionally, yyou need to
them
co
onfigure the boundaries for your site.
Consider your environment

e and discuss the he other students in the classs:
e following queestions with th
Question: Are
A you planning on extending the Activee Directory sch
hema?
Question: Do you plan too use a fallbacck status point in your enviro
onment? If so, are you
going to co
onfigure multip
ple fallback sta
atus points?
Question: What
W w you use to plan your bou
criteria will undaries?
Question: Will
W you use se
eparate bound
daries for site aassignment an
nd content locaation?
Lesson 3
Deploy
ying Co
onfigura
ation Managerr 2012 C
Clients
To install the Configuration Manager client, the target systeems must meeet certain prere equisites. Some of
the prerequisites are
a downloade ed and installeed automatica lly during clien
nt setup, but o
others must bee
installed on the ta
arget system before
b installing the Configu ration Manageer client.
Thiss lesson discusses how to deploy clients byy using the folllowing client d
deployment m
methods:
Client push
Software upd
date point
Group Policy
Login script
Manual installlation
Client upgrad
de
Addditionally, this lesson covers installation

i pre
erequisites, an
nd the advantaages and disad
dvantages for e
each
installation metho od.

ements for installing Configu

Describe the system require uration Manag
ger 2012 clientts.
Describe usin
ng silent push to
t install Confiiguration Man
nager clients.
Describe usin
ng software update point to install Configu
uration Manag
ger clients.
ng Group Policy to install Configuration Maanager clients .

Describe usin
In
nstalling Clients
C by Using
U Client Push
Yo
ou can use thee client push in
nstallation metthod to deployy the Configurration Manageer client to sup
pport
co
omputer systems that have been
b discovere
ed and that haave a discoveryy data record (DDR) registerred in
th
he site databasse.
Yo ent push to insstall the client on domain-baased computers discovered using Active
ou can use clie
Discovery methods, or on workgroup comp puters discoverred using Netw work Discoveryy. You must provide
lo
ocal administraator credentials by configurin ng the client p on method to use an accoun
push installatio nt that
haas local admin
nistrator permissions on the target
t computters.
Yo
ou can automa ate the client push
p installatio ng client push installation site
on for the entiire site by usin
se
ettings. You alsso can manuallly initiate this installation foor individual syystems or for e
entire collectio
ons by
ussing the Clientt Push Installattion Wizard. Th he primary diffference betweeen the autom matic and manu ual
methods
m occurss at the time th he installation is initiated:
When the push

p installatio
on is configure
ed to be autom
matic, the instaallation starts aas soon as a syystem is
discovered and is within a site assignment boundary group.
When the push

p installatio
on is performe
ed manually, yo
ou decide wheen and on which systems the
e client
will be insta
alled.
Whether
W you usse only one of these method
ds or both, certtain client pussh installation properties mu
ust be
co
onfigured.
When
W you perfoorm a client puush installation
n, if the site seerver cannot co ontact the client computer o or start
th
he setup proce ess, it automatically repeats the
t installation n attempt everry hour for up to seven dayss, unless
it succeeds prioor to the seven-day period. To T help track th he client installlation processs, install a fallb
back
sttatus point site
e system before you install clients, which c lients automattically use whe en client push installs
th
hem.
Automatic client push installation

You can configure client push installation at the site level so that client installation occurs automatically
on devices that are discovered and assigned within the sites configured site-assignment boundary group.
If a device has been assigned to the site, and you have enabled the client push installation site setting, the
site server generates a Client Configuration Request for the discovered resource. As long as the discovered
resource matches the configuration criteria you have set for the client push installation method,
Configuration Manager processes the Client Configuration Request and starts the client installation.
You configure automatic client push installation on the General tab of the Client Push Installation
Properties dialog box. After enabling the automatic client push installation, you can choose what types of
systems will be automatically installed. You can configure the following options:
Enable automatic site-wide client push installation. This check box allows you to enable or disable
automatic client push installation.
Servers. This check box allows you to enable or disable automatic push installation to server
systems.
Workstations. This check box allows you to enable or disable automatic push installation to
workstations systems.
Configuration Manager site system servers. This check box allows you to enable or disable
automatic push installation to Configuration Manager site system servers.
You can control automatic installation to domain controllers by using the following options:
Always install the Configuration Manager client on Domain Controllers
Never install the Configuration Manager client on domain controllers unless specified in
the Client Push Installation Wizard
Common settings for client push installation

Both the automatic push and manual push methods involve pushing the client from the site server. The
Client Push Installation Properties dialog box affects both methods. The dialog box is available on the
ribbon in the Settings section when a site is selected, or from the right-click menu of a site. There are two
tabs that you need to configure to use either of the client push installation methods.
Accounts tab
You can use the Accounts tab to list the accounts that are used to attempt a client push installation. The
installation must use an account with Administrative rights on the client system that is targeted. If more
than one account is listed, installation is attempted by using each account starting at the top and working
down the list until the installation can be completed or until all accounts have been tried. If you do not
specify at least one client push installation account, Configuration Manager tries to use the site system
computer account.
Note The password for the client push installation account is limited to 38 characters
or less.
Installation Properties tab

You can use the Installation Properties tab to configure the client.msi settings that you want to use for
your site. If the schema is extended for Configuration Manager, client installation properties specified in
this tab are published to AD DS and read by client installations where CCMSetup.exe is run without
installation properties.
Install Client Wizard

You can launch the Install Client Wizard by selecting one or more discovered devices under the Devices
node of the Assets and Compliance workspace, and then clicking Install Clients in the ribbon. You also
can use the Install Client Wizard from the Device Collections node.
After you have launched the Install Client Wizard, you have the following options:
Allow the Client software to be installed on domain controllers. This check box allows you to
enable of disable the push installation to domain controllers.
Always install the client software. Checking this check box causes the client software, if it is already
present, to be reinstalled, repaired, or upgraded.
Install the client software from a specified site. This check box allows you to specify an alternate
site to use for installing the client software. This does not change the client site assignment.
Firewall settings for client push installation

Client push installation can fail if the client is running a firewall that is blocking the ports being used by
the installation process. To help ensure the success of the installation, you should configure the settings in
the following table for Windows Firewall or any other intervening firewalls.
To successfully use client push to install the Configuration Manager client, you must add the following
exceptions to the Windows Firewall:
File and Printer Sharing

Windows Management Instrumentation (WMI)
In addition to the ports listed in the following table, the client push installation method also uses Internet
Control Message Protocol (ICMP) echo request (PING) messages from the site server to the client
computer to confirm whether the client computer is available on the network.
Description UDP TCP

HTTP from the client computer to a fallback status point. not 80
applicable
Server Message Block (SMB) between the site server and client computer. not 445
applicable
RPC endpoint mapper between the site server and the client computer. 135 135
RPC dynamic ports between the site server and the client computer. not Dynamic
applicable
HTTP from the client computer to an intranet-only management point. not 80

applicable
HTTPS from the client computer to an Internet-capable management point. not 443
applicable
Insstalling Clients by Ussing Softw

ware Updatte Point
If yo
ou use WSUS tot deploy softw ware updates tot client comp puters, you cann then use the same procedu ures
for deploying
d the Configuration n Manager clie pdate. You can
ent as if it weree a software up n use software
e
upd date-based clie
ent installation
n to install new
w clients or to uupgrade existing Configurattion Manager cclients
to newer
n versions.
Onee important ad dvantage of ussing this methood is that it do

oes not requiree administrativve permissionss on
get computers.. With this metthod, you can install the clieent on computters when therre is a firewall iin
targ
placce that prevents you from ussing alternate automated meethods and yo ou cannot conffigure the firewwall
exceeptions for alte
ernate installattion methods.
The following are some of the prerequisite

p co
onfigurations tthat you must perform beforre using the
softtware updates method:
o the Configu ration Manageer client installed and is usin

If a client systtem has a prevvious version of ng the
software update point, no additional
a configuration is n
needed.
If a client systtem does not have
h the Configuration Mannager client insstalled, you mu
ust configure aand
assign a GPO in AD DS. This GPO specifie es the WSUS seerver that is co
onfigured as a software updaate
point from which the comp puter obtains software
s updattes.
You cannot add the CCMSe
etup.exe comm perties to a so
mand-line prop oftware update
e-based client
installation.
The software update metho od uses the co

onfiguration infformation pub blished in AD D
DS, if available
e. If no
configuration
n information is
i published, you should creaate a GPO by u using the
ConfigMgrInsstallation.adm template to provide
p client i nstallation setttings for comp
puters in your site.
Use the Software ed Client Installation dialog

e Update-Base g box to publiish the Configuration Manag ger
nt installation program (CCM
clien MSetup.exe) to o a software uppdate point ass an additionall software upd
date.
The dialog box is available when a site is seleccted on the rib
bbon in the Se
ettings sectionn.
When you use this method of installation, the client is installed during the next software update cycle on
the targeted computer(s).
Firewall Settings for Software Update-Based Client Installation

Software Update-Based Client Installation can fail if the client is running a firewall that is blocking ports
being used by the installation process. To help ensure the success of the installation, configure the port
settings for Windows Firewall or any intervening firewalls listed in the following table.
Processes used in Client Deployment UDP TCP

Hypertext Transfer Protocol (HTTP) from the client computer to a fallback not 80
status point. applicable
Hypertext Transfer Protocol (HTTP) from the client computer to the software not 80 or
update point. applicable 8530
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to the not 443 or
software update point. applicable 8531
Question: What are some of the benefits of using the software update point installation
method?
Insstalling Clients by Ussing Group

p Policy
You
u can use Group Policy to de eploy the Configuration Man nager client wh
hen you want to use an
auto
omated metho nstallation, but still want to ccontrol when the deploymen
od for client in nt occurs. By using
Group Policy, youu can plan a client roll-out th
hat mirrors thee structure of yyour AD DS organizational u unit
(OU
U) structure. To
o use Group Po olicy for this pu
urpose, consid der the followi ng requiremen
nts:
p Policy installation method for systems th

You can only use the Group hat are membe
ers of the Activve
Directory dom
main.
You must usee the CCMSetu up.msi file that is provided in
n the <Configu uration Managger installation
directory>\bin\I386 folder on
o the site servver. Note that you cannot m modify the commmand line used to
launch the CC Y must use other method
CMSetup.msi. You ds, such as usin
ng the ConfigM
MgrInstallation n.adm
Group Policy template, or by
b publishing properties
p to A
AD DS with thee Client Push Installation
Properties, Installation Prroperties tab.
You should exxtend the AD DS schema to support Confiiguration Man nager and ensu ure that the sitte is
publishing to AD DS. This ensures
e that alll Group Policyy-based clientss find installatio
on properties
published by the client push installation properties
p in AAD DS when th he Configuration Manager cclient
is installed. Additionally if settings such as ports are chaanged at a lateer time, clientss are updated when
they perform AD DS lookup ps for Configuration Manageer systems.
There are two Grooup Policy adm ministrative temmplates suppliied on the Connfiguration Maanager 2012
installation media
a located in TOOOLS\ConfigM MgrADMTempl ates: ConfigMgrInstallation.adm and
ConnfigMgrAssignment.adm. The e ConfigMgrIn nstallation.adm
m template is u
used to provid
de
installation properties to client computers
c if the AD DS scheema has not bbeen extended. The
ConnfigMgrAssignment.adm is used u to assign systems to a s pecific Configuration Manag ger site.
Group Policy provides the following two options for deploying software to network clients:
Assign. You can assign the CCMSetup.msi file, which means that the Configuration Manager client
installs when you start the computer after the policy has been applied.
Publish. If you publish the CCMSetup.msi file, the Configuration Manager client installation displays
when users click the Install a program from the network link in the Programs and Features
interface in Control Panel. Users can then install the client as needed.
Firewall Settings for Group Policy client installation

Group Policy installation can fail if the client is running a firewall that is blocking the ports being used by
the installation process. To help ensure the success of the installation, you should configure the following
settings for Windows firewall or any intervening firewalls.
To successfully use Group Policy to install the Configuration Manager client, you must add the following
exception to Windows Firewall:
File and Printer Sharing
Group Policy installation uses the ports listed in the following table.
Description UDP TCP

HTTP from the client computer to a fallback status point. not 80
applicable
HTTP from the client computer to an intranet-only management point. not 80

applicable
HTTPS from the client computer to an Internet-capable management point. not 443
applicable
SMB between the source server and client computer if you specify an not 445
alternate source server with CCMSetup using /source:<Path>. applicable
Question: Why would you want to assign the Configuration Manager client to a computer
through a GPO?
Question: When do you need to provision the client installation properties in AD DS using
Group Policy?
De
emonstration: Installing Clients by Using
g Group Po
olicy
In th
s how to pro ovision the clieent installation
n properties intto AD DS using
Group Policy, and
d how to assign n or publish th
he Configuratio on Manager client using sofftware installattion in
Group Policy.
Dem
monstration
n Steps
Con
nfigure client installation properties
p by using Group Policy
1. Copy the Con

nfigMgrInstalllation.adm file to the domaain controller.
Note You can find the ConfigMgrInst

C tallation.adm
m file on the Co
onfiguration M
Manager
ation folder in the TOOLS\ConfigMgrADM
2012 installa MTemplates folder.
2. Start the Group Policy Management Co onsole and immport the ConffigMgrInstalla
ation.adm
administrative
e template into a new or exiisting GPO.
3. Access the prroperties of the

e Configure Configuration
C n Manager 20 ployment Setttings,
012 Client Dep
and then clickk Enabled.
4. In the CCMSe
etup box, type
e the required CCMSetup.exxe command-liine switches, fo
or example:
/mp:NYC-CFG.CONTOSO.COM /logon SMS

SSITECODE=NYC
C FSP=NYC-CFG
G.CONTOSO.COM
M
Note For a list of all CCMMSetup.exe co

ommand-line sswitches and p
properties and examples
of their use, see the Config
guration Mana
ager documen
ntation.
5. Assign the GP PO to the com

mputers that yo
ou want to pro
ovision with Co
onfiguration M
Manager 2012 client
installation prroperties.
Install Configuration Manager clients by using Group Policy
1. On the domain controller, start the Group Policy Management Console, and then open a new or
existing GPO.
2. In the navigation pane expand Computer Configuration, expand Policies, and then expand
Software Settings.
3. Right-click Software installation, point to New, and then click Package.
4. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the installer
package, for example \\NYC-CFG\SMS_NYC\bin\i386\Ccmsetup.msi, and then click Open.
5. Click Assigned, and then click OK.
6. The package is listed in the details pane of the Group Policy Management Console window.
Note You must restart the target computers to initiate the installation.
Ad
dditional Client
C Insta
allation Me
ethods
Con anager supportts several addiitional installattion methods tthat you can u
nfiguration Ma use to deploy tthe
Con
nfiguration Ma
anager client components. The following ssections discusss considerations for each of these
add
ditional method
ds.
Ma
anual or Log
gon Script-B
Based Installlations
Even though the manual
m ation method has the most administrativee overhead of aall methods, itt is
installa
usedd frequently foor troubleshoo oting. To use th
his method, th
he logged on uuser must havee administrativve
righ
hts to the client computer. If the user running CCMSetup p.exe does nott have adminisstrative privileg
ges,
the installation wiill not start.
CCMMSetup.exe is located
l in the <Configuratioon Manager In stallation loca tion>\Client fo
older on the siite
servver, which is also shared as <site
< server nam
me>\SMS_<sitte code>\Clien nt.
Youu can specify coommand-line properties for both CCMSettup.exe and Client.msi to mo
odify the behavior
of the client installation. Consid
der the followin
ng command lline example:
CC
CMSetup.exe /mp:MP01.CONT
/ TOSO.COM SMSS
SITECODE=AUTO
O FSP=FP01.CO
ONTOSO.COM
In th
he previous exxample, the clie
ent installation
n uses the pro perties in the ffollowing table.
Property Description
D
/m
mp:MP01.CON
NTOSO.COM Specifies the management
m point MP01 to
o download th
he necessary client
installation files.
SM
MSSITECODE=
=AUTO Specifies that the client sho
ould determinee the Configurration Manage
er site
code to use by
b using AD DSS or the manag gement point..
FS
SP=FP01.CONTOSO.COM Specifies that the fallback sttatus point na med FP01 is u
used to receive
e state
messages sent from the clieent computer rrelated to clien nt deploymentt as
aily managemeent point check.
well as the da
Note For a full list of properties that you can use with CCMSetup.exe, go to About
Configuration Manager Client Installation Properties at
http://go.microsoft.com/fwlink/?LinkID=247706.
The logon script-based installation method is essentially a manual method that uses the /logon
command-line switch and is launched from a script. When you specify the /logon installation property for
CCMSetup.exe, client installation does not occur if any version of the client already exists on the
computer. This prevents the clients reinstallation each time the logon script runs.
Logon script installation uses the same methods as manual client installation and, therefore, you can use
the same command-line switches for logon script-based installations. It also means that the user running
the logon script requires administrative rights. For example, you could modify the preceding command-
line example as shown in the following example to use it in a logon script.
CCMSetup.exe /mp:MP01.CONTOSO.COM /logon SMSSITECODE=AUTO FSP=FP01.CONTOSO.COM
When CCMSetup.exe runs, it copies all necessary installation prerequisites to the client computer and calls
the Windows Installer package (Client.msi) to perform the client installation. You cannot perform the
installation by directly invoking the Client.msi installation file.
Software Distribution-Based Installations

You cannot upgrade Configuration Manager 2007 clients to Configuration Manager 2012 by using
Application Management. Instead, you must uninstall the Configuration Manager 2007 client and install
the Configuration Manager 2012 client by using one of the other client deployment methods. You can
create a package in Configuration Manager 2007 to uninstall the Configuration Manager 2007 client, and
then start a Configuration Manager 2012 client installation.
Operating System Deployment

As part of an operating system deployment task sequence, the Configuration manager client is installed.
This is covered in more detail in Module 11.
Including the Configuration Manager Client in System Images

You can preinstall the Configuration Manager client software on a reference computer image. You can
then deploy that image throughout your network environment.
To prepare the reference computer for imaging, complete the following steps:
1. Manually install the Configuration Manager client software on the reference system computer in an
isolated network segment so that automatic site assignment does not occur. Do not specify the
clients site code in the CCMSetup.exe command-line properties.
2. Ensure that the SMS Agent Host service (CCMExec.exe) is not running on the reference computer, by
typing net stop ccmexec at a command prompt.
3. Remove any certificates that are stored on the reference computer.
4. If you plan to install the clients in a Configuration Manager 2012 hierarchy different from the master
image computer, remove the Trusted Root Key from the master image computer.
5. Run sysprep.exe on the reference computer and use your imaging software to capture the reference
system computers image.
6. Deploy the image to target computers.
Note Failure to follow this procedure results in duplicate clients in the Configuration
Manager database.
Question: How would you install the Configuration Manager client on computers for remote
workers?
Discussion:
D Planning Client Deployment
When
W planning client deploymment in your organization
o yyou can choosee between anyy and all of the
e
de
eployment me ethods. You are not restricted to using a siingle deploym
ment method foor all your clients so
yo uation and determine the beest deploymen
ou should evalluate each situ nt method to u
use.
Considering you
ur environmen
nt, discuss the following queestions with thee class:
Question: Do you have potential

p clientts in remote lo
ocations? If so,, how would yo
ou deploy
these clientts?
Question: Do you have workers

w nfrequently vissit an office? Iff so, how would you deploy
who in
clients to th
heir systems?
Question: Are
A you going g to deploy clie
ents to the serv
rvers in your daatacenter? If yyes, what
method willl you use?
Question: Are
A there syste
ems on which you do not waant to install t he client?
Lab: Pllanning and Co

ompletiing Con
nfigurattion Ma
anager
2012 Client
C Deploym
D ment
Lab
b Setup
m enviro
ust
com

c click
k Start, point to
nd then click H
Hyper-V Manager.
M click
k 10748A-NYC
C-DC1-C, and in the Actionss pane, click Sttart.

User nam
me: Administra
ator
Password
d: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 fo
or 10748A-NY
YC-CAS-C and
d 10748A-NYC
C-CFG-C.
Lab
b Scenario
Youu are the netwoork administra
ator for Contosso, Ltd. Contosso has deployeed Configuratiion Manager 2 2012
in a complex hieraarchy with a ce
entral administration site, tw ndary site. You need
wo primary sitees and a secon
to configure
c the discovery
d methhods and insta
all the Configu ration Manageer clients usingg the client pu
ush
installation methood.
You need to configure the discovery methods and install the Configuration Manager clients by:
1. Configuring Active Directory discovery methods.
2. Using client push to install clients.
3. Verifying the Client Installation.

Exercise 1: Configuring Active Directory Discovery Methods

Scenario
In this exercise, you use the Configuration Manager console to configure Active Directory Forest Discovery
to create a boundary, create a new boundary group and associate the boundary, and configure Active
Directory System Discovery and Active Directory Group Discovery.
1. Create an Active Directory site.
2. Configure Active Directory Forest Discovery to create a new boundary from the Active Directory site.
3. Configure a boundary group and include the new boundary.
4. Configure Active Directory System Discovery.

5. Configure Active Directory User Discovery.
6. Configure Active Directory Group Discovery.
7. Verify that the discovered computers appear in the All Systems collection and are correctly assigned
to the site task.
X Task 1: Create an Active Directory site

1. On NYC-DC1, start the Active Directory Sites and Services console.
2. In the Active Directory Sites and Services console, under the Sites node, create a new site named
NewYork (without a space), and then assign it to the DEFAULTIPSITELINK.
3. Under the Subnets node, create a subnet for 10.10.0.0/24, and then assign it to the NewYork site.
4. Move NYC-DC1 to the NewYork site.
1. On NYC-CAS, open the Configuration Manager Console.
2. In the Configuration Manager console, in the Administration workspace, expand Hierarchy

Configuration, and then select Discovery Methods.
3. In the results pane, identify the Active Directory Forest Discovery methods. You should have three
entries available in the results pane: one for the CAS site, one for the NYC site, and one for the LON
site.
4. Access the properties for Active Directory Forest Discovery for the CAS site, select the Enable
Active Directory Forest Discovery and the Automatically create Active Directory site
boundaries when they are discovered check boxes.
5. In the Configuration Manager console, under the Active Directory Forests node, access the
6. Select Contoso.com and then, on the ribbon, click Show IP Subnets. A new sticky node named IP
Subnets of contoso.com appears in the navigation pane, and in the results pane the IP subnets
discovered from AD DS appears.
7. In the navigation pane, select Active Directory Forests, and in the results pane select Contoso.com
and then on the ribbon, click Show Active Directory Sites. A new node named Active Directory
Sites of Contoso.com appears in the navigation pane, and in the results pane you should see the
sites discovered from AD DS.
8. Under the Boundaries node access the Properties of the NewYork boundary.
On the General tab, review the settings.
On the Site Systems tab, note that you cannot add a site system using this dialog box.
On the Boundary Groups tab, note that the boundary is not yet assigned to a boundary group.

1. In the Configuration Manager console, select the Boundary Groups node, and then on the ribbon,
click Create Boundary Group.
Name of the boundary group: New York Systems
Boundaries: NewYork
Assigned site: NYC-New York Primary Site
Add \\NYC-CFG.contoso.com as the site system server.
Note You created the New York Systems boundary group at the central administration
site; however, you configured the assigned site to be NYC --- New York Primary Site. All
clients in this boundary group are installed and managed by the NYC-CFG.contoso.com site
server.
X Task 4: Configure Active Directory System Discovery

1. On NYC-CFG, open the Configuration Manager Console.
2. In the Configuration Manager console, in the Administration workspace, expand Hierarchy
Configuration, and then select Discovery Methods. Note that you can only see the discovery
methods that can be configured for NYC primary site and TOR secondary site.
3. In the results pane, access the properties for Active Directory System Discovery. In the Active
Directory System Discovery Properties dialog box, use the following settings to configure system
discovery, and then click OK:
At the General tab, select Enable Active Directory System Discovery, and then click the
New ( ) button.
In the Active Directory Container dialog box, browse to select the Contoso domain, and then
close the dialog box.
At the Polling Schedule tab, review the settings.
At the Active Directory Attributes tab, review the settings.

At the Option tab, review the settings.
X Task 5: Configure Active Directory User Discovery

In the results pane, access the properties for Active Directory User Discovery. In the Active
Directory User Discovery Properties dialog box use the following settings to configure user
discovery:
At the General tab, select Enable Active Directory User Discovery, and then click the
New ( ) button.
In the Active Directory Container dialog box, browse to select the Contoso domain, and then
close the dialog box.
At the Active Directory Attributes tab, review the settings.
X Task 6: Configure Active Directory Group Discovery

In the results pane, access the properties for Active Directory Group Discovery. In the Active
Directory Group Discovery Properties dialog box, use the following settings to configure system
discovery:
At the General tab, select Enable Active Directory Group Discovery, click Add, and then click
Location.
In the Add Active Directory Location dialog box, in the Name box, type Contoso domain, and
then browse to select the Contoso domain. Close the dialog box.
At the Option tab, review the settings.
X Task 7: Verify that the discovered computers appear in the All Systems collection and
are correctly assigned to the site
1. In the Configuration Manager console, click the Assets and Compliance workspace, and then select
the Device Collections node.
2. Select the All Systems collection, and on the ribbon, click the Show Members button.
3. A new node called All Systems appears in the navigation pane under the Devices node. In the results
pane, observe the systems that are members of the All Systems collection and their assigned site. On
the Site Code column, you should see NYC for most systems.
Results: At the end of this exercise, you should have configured the Active Directory Discovery methods.
Exercise 2: Using Client Push to Install Configuration Manager 2012 Clients

Scenario
You need to use the Configuration Manager console to install a fallback status point, configure the client
push installation method, and install the clients on two systems using client push.
1. Install a fallback status point.
2. Create a client push installation account.

3. Configure the client push installation method.
4. Install the client using client push.
X Task 1: Install a fallback status point

1. On the NYC-CFG server, in the Configuration Manager console, click the Administration workspace,
and in the navigation pane expand Site Configuration, and then click Servers and Site System
Roles.
System Roles. In the Add Site System Roles Wizard use the following settings to install the site
system roles:
On the System Role Selection page, select Fallback status point.
Complete the wizard accepting the default settings.

5. Select the option Generate alert when the management point is not healthy, and then close the
dialog box.
6. In the navigation pane, under Site Configuration, select the Sites node, and then click the
Hierarchy Settings button on the ribbon.
7. In Site Settings Properties, select the Use a fallback site check box, and then in the Fallback site
list select NYC --- New York Primary Site.
X Task 2: Create a client push installation account

1. On NYC-DC1, start the Active Directory Users and Computers console.
2. In the Active Directory Users and Computers console, in the Users container, create a new user
account with the following settings:
In the First name and User logon name text boxes, type ConfigMgrClientPush.
In the Password and Confirm password text boxes, type Pa$$w0rd.
Clear the User must change password at next logon box.
Select the User cannot change password and Password never expires boxes.
3. In the Active Directory Users and Computers console, access the Properties of the
ConfigMgrClientPush user account, and then add the user to the Domain Admins group.
X Task 3: Configure the client push installation method

1. On NYC-CFG, in the Configuration Manager console, in the Administration workspace, expand Site
Configuration, and then click the Sites node.
2. Right-click NYC --- New York Primary Site, click Client Installation Settings, and then click Client
Push Installation.
3. In the Client Push Installation Properties dialog box, use the following settings to configure the
client push installation method
At the Accounts tab, click the New ( ) button, and then click New Account.
In the Windows User Account dialog box, click the Browse button.
In the Select User dialog box, type ConfigMgrClientPush, click the Check Names button, and
then close the dialog box.
In the Windows User Account dialog box, in both the Password and Confirm password boxes,
type Pa$$w0rd and then click Verify. The Windows User Account dialog box expands.
In the Windows User Account dialog box, in the Network Share box, type \\NYC-DC1\C$, and
then click Test connection. Close the dialog box.
In the Client Push Installation Properties dialog box, at the Installation Properties tab, in the
Installation properties box, after the text SMSSITECODE=NYC type a space, and then type
FSP=NYC-CFG.Contoso.com.
Note The entire line should read SMSSITECODE=NYC FSP=NYC-CFG.Contoso.com.
X Task 4: Install the client using client push

1. On NYC-CFG, in the Configuration Manager console, in the Assets and Compliance workspace,
select the All Systems node.
2. In the results pane, right-click NYC-CFG, and then click Install Client.
3. The Install Configuration Manager Client Wizard starts. Use the following settings to install the
client on NYC-CFG:
In the Installation Options page, check the Install the client software from a specified site
box, and then verify that in the Site list appears NYC --- New York Primary Site.
Complete the wizard using the default settings.
4. In the results pane, right-click NYC-DC1, and then click Install Client.
5. The Install Configuration Manager Client Wizard starts. Use the following settings to install the
client on NYC-DC1:
In the Installation Options page, check the Allow the client software to be installed on
domain controllers box.
Complete the wizard using the default settings.
Results: At the end of this exercise, you should have started the installation of the Configuration Manager
client.
Exercise 3: Verifying Configuration Manager 2012 Client Installation

Scenario
You must verify that the installation has started by searching the CCMSetup process on the target system.
You will review the ccmsetup.log and verify that the Configuration Manager was installed using the
Control Panel applet. You will also verify that the client has reported a successful installation and appears
as Active in the Configuration Manager console.
1. Verify that CCMSetup has started on the domain controller.
2. Review the ccmsetup.log.
3. Verify that the Configuration Manager client was installed.

4. Verify that the client is installed.
X Task 1: Verify that CCMSetup has started on the domain controller

1. On NYC-DC1, start Task Manager.
2. On the Processes tab, verify that ccmsetup.exe appears in the list of processes.
Note If ccmsetup.exe does not appear in the list, repeat the installation ensuring that the
Allow the client software to be installed on domain controllers check box is selected.
After the client installation, CcmExec.exe should appear in the list of processes.
X Task 2: Review the ccmsetup.log

1. Start Windows Explorer and navigate to the C:\Windows\ccmsetup folder.
2. Open the ccmsetup.log file and review the content. If the installation is successful, the following
messages are displayed:
Client.msi installation succeeded

Successfully deleted the ccmsetup service
Sending Fallback Status Point message to NYC-CFG.CONTOSO.COM, STATEID=400
State message with TopicType 800 and TopicId <GUID> has been sent to the FSP
X Task 3: Verify that the Configuration Manager client was installed

1. In Control Panel start Configuration Manager.
2. In the Configuration Manager Properties dialog box:

On the General tab, review the information.
On the Components tab, verify the status of the agents: some of the agents should have the
Status of Enabled.
On the Actions tab, in the Actions list, select Machine Policy Retrieval & Evaluation Cycle and
then click Run Now, to initiate the connection of the Configuration Manager client to the
management point.
Note When running inside a virtual machine, the Configuration Manager client uses
randomization for the initial time interval of connection to the management point. Running
the Machine Policy Retrieval & Evaluation Cycle manually ensures that all components
are updated as needed.
X Task 4: Verify that the client is installed

1. On NYC-CFG, in the Configuration Manager console, click the Assets and Compliance workspace,
and then select the All Systems node.
2. In the results pane, the status on the Client Activity column for NYC-DC1 and NYC-CFG should be
Active.
Note If the status of the clients is not Active, on the ribbon, click the Update
Membership button and then refresh the console. It might take a minute or two for the
Client Activity to show as Active.
3. Select NYC-DC1, and then review the information in the preview pane.
4. Access the Properties for NYC-DC1, and review the information.
Results: At the end of this exercise, you should have installed the Configuration Manager client using the
client push installation method.

following steps:

2. In the Virtual Machines list, right-click 10748A-NYC-DC1-C, and then click Revert.
4. Repeat steps 2 to 3 for 10748A-NYC-CAS-C and 10748A-NYC-CFG-C.

Lesson 4
Manag
ging Co
onfigura
ation Manager 2012 C
Clients
Afteer installing thee Configuratioon Manager cliient, you can b begin managin ng the computter systems in the
site.. There are sevveral tasks thatt can be perforrmed for the cclient systems ffrom within th
he Configuratio
on
Man nager console..
Addditionally, you can configure the client setttings to contro

ol how the clieent behaves byy default in add
dition
to by
b collection.

Describe the available clien

nt managemen
nt tasks.
Explain how to
t configure cllient settings.
Managing
M Clients
When
W a system is discovered, it is displayed d in the Assetss and Complia ance workspacce in the Devicces
noode. The systems also can be e added to collections; the A All Systems an nd All Deskto op and Server
Clients collectioons in the Devvice Collection ns node are au populated. No significant clie
utomatically p ent
management
m caan take place until
u after the Configuration n Manager clieent is installed. When you sellect a
deevice or collecction that contains devices with
w the Config guration Mana ger client instaalled, you can select
va
arious manage ement operatio ons. Additiona management ttasks that involve other workkspaces
ally there are m
in f example client settings that are discusssed in the nextt topic. There are also some task
n the console, for
ta
asks that do no ot use the Connfiguration Manager consolee.
Managing
M Cllients from the Assets and
a Compliiance Worksspace
Management
M ta
asks for individ
dual clients are
e performed in
n the Devices node. The following table lissts the
client managem
ment tasks you can perform in i the Devicess node:
Action
A Desscription
Add Selected Items Use

e this action to
o add the seleccted device to
o a new or existing collection
n.
Install Client Thiis action launcches the Install Configurationn Manager Clieent Wizard thaat
you
u use to installl or reinstall th
he Configuratio
on Manager client to repair it
or to reconfigure e it with new siite configuration options an
nd client
pro
operties.
(continued)
Action Description
Start This menu is used for starting the:

Resource Explorer, which is used to see the hardware and software
inventory information from a client.
Remote Control, which is used to launch the Configuration Manager
Remote Control console to log into the remote system.
Remote Assistance which is used to remotely control a system using
the operating systems remote assistance feature.
Remote Desktop, which launches an RDP session with the client
system.
Approve Use this action to approve the clients that communicate through HTTP
and are using self-signed certificates. By default, the site configuration
automatically approves clients from the same Active Directory forest and
trusted forests. This setting is controlled in the Administration workspace
by selecting the Sites node and clicking the Hierarchy Settings button in
the ribbon.
Block Use this action to block a client that you no longer trust, to prevent it
from receiving client policy and communicating with Configuration
Manager site systems.
Unblock Use this menu option to unblock a client that was previously blocked.
Manage Out of Band This menu allows exposes all the AMT actions. These actions include:
Discover AMT Status
Enable Automatic AMT Provisioning
Power Control
Out of Band Management Console
Enable Audit Log
Disable Audit Log
Clear Audit Log
Update AMT Provisioning Data
Remove AMT Provisioning Data
Endpoint Protection This menu is used to start:

A full malware scan
A quick malware scan
Downloading anti-malware definitions
Clear Required PXE Use this action to redeploy any required PXE deployments for the
Deployments selected computer.
Edit Primary Users Use this action to manage the associations between users and devices.
Refresh Use this action to manually refresh the Devices node.

(continued)
Action Description
Delete Use this action to manually delete the client record from the
Configuration Manager database. This does not uninstall the
Configuration Manager client. If the Configuration Manager client is still
installed and communicating with a management point, Heartbeat
Discovery recreates the client record, which then reappears in the
Configuration Manager console.
Properties Use this action to view the discovery data and deployments targeted for
the client. You also can configure variables for use in task sequences to
deploy an operating system to the device.
Wipe Use this action to wipe mobile devices that have the Configuration
Manager client installed or mobile devices that are managed by using the
Exchange Server connector. This action permanently removes all data on
the mobile device, which includes personal settings and personal data.
Typically, wiping a mobile device resets the mobile device back to factory
defaults.
Managing Clients from the Device Collections Node

Many of the client management tasks that you can perform on a single device also can be performed at
the collection level. This has the advantage of automatically applying the management task to all eligible
devices in the collection. Although this can be a convenient method to manage multiple clients at the
same time, it also can generate a lot of network packets and increase the CPU usage on the site server.
Additionally. there are certain tasks that can only be performed against collections.
Before you perform collection-level client management tasks, consider how many devices are in the
collection, whether they are connected by low-bandwidth network connections, and how long the task
will take to complete for all the devices. When you perform a client management task, you cannot stop it
from the console.
Management tasks for collections are performed in the Device Collections node. The following table lists
the client management tasks you can perform in the Device Collections node.
Action Description
Show Members This action opens a sticky node under the Devices node named the
same as the collection and containing the systems that are in the
collection.
Add Selected Items Use this action to add the devices in the collection to a new or
existing collection.
Install Client This action launches the Install Configuration Manager Client
Wizard that you use to install or reinstall the Configuration Manager
client to repair it or to reconfigure it with new site configuration
options and client properties.
Manage Affinity Requests Use this action to accept or reject affinity requests for client systems.
(continued)
Action Description
Manage Out of Band This menu allows exposes all the AMT actions. These actions include
the following:
Discover AMT Status
Power Control
Clear Audit Log
Clear Required PXE Use this action is used to redeploy any required PXE deployments
Deployments for the selected collection.
Update Membership This action reruns the queries that control the collection
membership.
Endpoint Protection This menu is used to start:

A full malware scan
A quick malware scan
Downloading anti-malware definitions
Export This action allows you to export the collection definition in a

Managed Object Format (MOF) format so that it could be imported
into another site.
Copy This action allows you to copy a collection and create a new
collection with the same queries.
Refresh Use this action to manually refresh the collection membership when
a collection is overlaid with an hourglass to indicate that a refresh
might be necessary.
Delete Use this action to delete the collection. This does not delete the
clients by default.
Simulate Deployment This action allows you to simulate the deployment of an application
without sending the actual files. This allows you to test for issues
with the deployment.
Deploy This menu allows you to deploy Applications, programs,

configuration baselines, task sequences and software updates.
Move This action allows you to move a collection to a different folder.
Properties Use this action to manage the properties of a collection including

removing or adding membership criteria for the collection.
Additional Tasks for Managing the Client

Additional client management actions can be performed either at the client, from a different location in
the Configuration Manager console, or indirectly through other actions. These management actions are
listed in the following table.
Tasks Description
Change the client cache Applications, programs and software updates use the
configuration for Configuration Configuration Manager cache to temporarily store files. The
Manager clients cache is configured during installation; there are client.msi
properties that you can use to configure the client cache
properties. The default location for the Configuration
Manager client cache is %windir%\ccmcache, and the default
disk space is 5,120 megabytes (MB). If you need to change
the size of the Configuration Manager cache after installation
you can do one of the following:
Reinstall the client by using the appropriate installation
options to specify the desired configuration.
Use the Configuration Manager client to change the
settings for a particular client.
Uninstall the Configuration Use the Ccmsetup.exe /uninstall command at the client
Manager client system to uninstall the client from a system. You cannot
uninstall the client from a mobile device.
Manage conflicting records for A hardware ID and GUID are generated for a system when
Configuration Manager clients the Configuration Manager client is first installed.
The hardware ID is not reset when the client is reinstalled. For
example, if you reinstall a computer, the hardware ID would
be the same but the GUID used by Configuration Manager
might be changed.
When database updates are sent to the Configuration
Manager site, if the GUIDS are different but the data uses the
same hardware ID, a conflict occurs.
Configuration Manager attempts to resolve a conflict by
using Windows authentication of the computer account from
the site server or a PKI certificate from a trusted source. If this
is successful then the conflict is automatically resolved for
you.
When Configuration Manager cannot resolve the conflict, it
uses a hierarchy setting that either automatically merges the
records when it detects duplicate hardware IDs (the default
setting), or allows you to decide when to merge, block, or
create new client records. If you decide to manually manage
duplicate records, you must manually resolve the conflicting
records by using the Configuration Manager console.
Initiate policy retrieval for a You can use the Configuration Manager client to initiate
Configuration Manager client policy retrieval on a client computer.
Co
onfiguring Client Setttings
Con
nfiguration Ma anager client se ettings are ma
anaged in the C Configuration Manager con nsole, in the
Admministration workspace
w from
m the Client Settings
S node.. A default clieent settings obbject is created
d
wheen Configuratio on Manager iss installed. You
u can modify t he default clieent settings, bu ut you cannot
dele
ete them, beca ause these setttings are applieed to all clientts in the hierarrchy. You also can configure
custtom client setttings that overrride the defau
ult client settin gs when you aassign them to o collections.
You u can create multiple custom m clients settinggs that are appplied in an ord
der that is baseed on the priorities
assigned to the client settings. The
T default clie of 10,000 and are always applied
ent settings haave a priority o
firstt. Custom policcies have priorrities beginning
g at one and i ncreasing incrrementally as tthey are createed.
You u can change the priority of custom
c setting
gs to change t he order in wh hich they are aapplied. When
mulltiple custom settings
s adjust the same settting value, the last value app plied is the effe
ective value.
Manny of the client settings are self-explanato

s ry. Refer to thee following tables for more information about
the client settingss.
Client Settings for Devices

The following table lists the categories and individual client settings that apply to devices.
Category Setting Default Value
Background Limits the maximum network bandwidth for BITS background False
Intelligent transfers
Transfer
Throttling window start time 09:00
Throttling window end time 17:00
Maximum transfer rate during throttling window (KBps) 1000
Allow BITS downloads outside the throttling window False
Maximum transfer rate outside the throttling window (Kbps) 9999
Client Policy Client policy polling interval (minutes) 60
Enable user policy polling on clients True
Enable user policy requests from Internet clients False
Compliance Enable compliance evaluation on clients True

Settings
Schedule compliance evaluation Every 7 days
Computer Deployment deadline greater than 24 hours, remind user every 48

Agent (hours)
Deployment deadline less than 24 hours, remind user every 4

(hours)
Deployment deadline less than 1 hour, remind users every 15

(minutes
Default Application Catalog website point (none)
Add default Application Catalog website to Internet Explorer False

trusted sites zone
Organization name displayed in Software Center blank
Install permissions All users
Suspend BitLocker PIN entry on restart Never
Agent extensions manage the deployment of applications and False

software updates
PowerShell execution policy Restricted
Show notifications for new deployments True

(continued)
Computer Display a temporary notification to the user that indicates the 90

Restart interval before the user is logged off or the computer restarts
(minutes)
Display a dialog box that the user cannot close, which displays 15
the countdown interval before the user is logged off or the
computer restarts (minutes)
Endpoint Manage Endpoint Protection client on client computers False

Protection
Note The Endpoint Protection client cant be enabled
until an Endpoint Protection role is added to the
hierarchy.
Install Endpoint Protection client on clients True
Automatically remove previously installed antimalware software True

before Endpoint Protection is installed
Suppress any required computer restarts after the Endpoint True

Protection client is installed
Allowed period of time users can postpone a required restart to 24

complete the Endpoint Protection installation (hours)
Disable alternate sources (such as Microsoft Windows Update, True

Microsoft Windows Server Update Services, or UNC shares) for
the initial definition update on client computers
Hardware Enable hardware inventory on clients True

Inventory
Hardware inventory schedule Every 7 days
Maximum custom MIF file size (KB) 250
Hardware inventory classes Set Classes

Note The Set Classes buttons allows you to specify the
classes collected, there are many classes specified by
default. This setting replaces the SMS_DEF.MOF file used
in previous versions of Configuration Manager.
Collect MIF files None
Mobile Polling interval 8 Hours

Devices
(continued)
Network Enable Network Access Protection on clients False

Access
Protection Use UTC (Coordinated Universal Time) for evaluation time True
(NAP)
Require a new scan for each evaluation False
NAP re-evaluation schedule Every 1 day
Power Allow power management of devices True

Management
Allow users to exclude their device from power management False
Remote Enable Remote Control on clients Disabled

Tools
Note Use the Configure button to configure remote
control and set the firewall exception properties.
Firewall exception profiles Disabled

Note You set the firewall exception profiles when you
enable remote control on clients.
Users can change policy or notification settings in Software False

Center
Allow Remote Control of an unattended computer True
Prompt user for Remote Control permission True
Grant Remote Control permission to local Administrators group True
Access level allowed Full Control
Permitted viewers of Remote Control and Remote Assistance (none)
Show session notification icon on taskbar True
Show session connection bar True
Play a sound on client Beginning and

end of session
Manage unsolicited Remote Assistance settings False
Manage solicited Remote Assistance settings False
Level of access for Remote Assistance None
Manage Remote Desktop settings False
Allow permitted viewers to connect by using Remote Desktop False

connection
Require network-level authentication on computers that run True

Windows Vista operating system and later versions
(continued)
Software Schedule re-evaluation for deployments Every 7 days

Deployment
Software Enable software inventory on clients True

Inventory
Schedule software inventory and file collection Every 7 days
Inventory reporting detail Full Details
Inventory these file types (none)

Note Configured using the Set Types button
Collect files (none)

Note Configured using the Set Files button
Configure the display names for manufacturer or product Microsoft

Corporation
Note Configured using the Set Names button
Software Enable software metering on clients True

Metering
Schedule data collection Every 7 days
Software Enable software updates on clients True

Updates
Software update scan schedule Every 7 days
Schedule deployment re-evaluation Every 7 days
When any software update deployment deadline is reached, False

install all other software update deployments with the deadline
coming within a specified period of time
Period of time for which all pending deployments with deadline 1 hour
in this time will also be installed
State State message reporting cycle (minutes) 15

Messaging
User and User device affinity usage threshold (minutes) 2880

Device
Affinity User device affinity usage threshold (days) 30
Automatically configure user device affinity from usage data False

Client Settings for Users

The following table lists the categories and individual client settings that apply to users.
Mobile Devices Allows users to enroll mobile devices False
Mobile device enrollment profile (none)

Note There are no default mobile device enrollment
profiles. These can be created once the enrollment roles
have been installed and configured.
User and Device Allows users to define their primary devices False
Affinity
Question: How do you configure classes so that they are collected by hardware inventory?
Lesson 5
Monito
oring Configur
C ration Manage
M er 2012 Client S
Status
Client Health is a feature introduced in Config guration Manaager 2012. Adm ministrators caan use Client H Health
to determine
d the overall health status of clien
nts and to iden
ntify individuall client issues ssuch as missing
g
prerrequisites, WMMI issues, and non-functiona
n l clients.
Client Health builds on the Client Status Repo

orting feature included Conffiguration Man
nager 2007 byy
ering client status monitoring
offe g and automatic remediatio n for client isssues.

Describe the Client Health feature

f in Con
nfiguration Maanager 2012.
Describe whicch information nt Health uses to determine the health of a client.

n sources Clien
w automatic remediation works, and which
Describe how h types of clien
nt issues are re
emediated.
Overview
O of
o Client Sttatus
In
n previous verssions of Config
guration Mana ager, assessing client health ccould present a challenge to o
ad
dministrators. However, iden ntifying and re
emediating unh healthy clientss is crucial to e
ensuring the su
uccess
off configuration
n managemen nt operations. Thus,
T administtrators often need to answerr the following g
quuestions:
How many clients in my hierarchy

h are healthy?
h
How many clients in my hierarchy

h are inactive becau se they have b
been powered off for a long time or
because the
e Configuratio
on Manager cliient is uninstallled?
What is the e of unhealthyy clients in my hierarchy?

e primary cause
Frrom the site syystems perspe

ective, an active
e client is heallthy when it co
onnects to management poiints to
doownload policcies and upload d data such as hardware and d software inveentory; howevver, whether a client is
acctive might noot adequately explain
e its health. To get an accurate determination of tthe clients heaalth,
ad b performed on the client.
dditional local checks must be
If a client is inacctive, it might be because it has been pow wered off for a long time or b because the
M clientt is uninstalled or is not funcctioning. Whenn the client is inactive, the sitte
syystems cannot evaluate the clients
c not connecting to the manaagement
health status becausee the client is n
pooint. The only way to evalua ate the clients health is to peerform validation checks dire ectly on the client
coomputer to de etermine that:
The necessa
ary prerequisittes and dependencies are prresent.
The Configuration Manag
ger client is insstalled correcttly.
The Configuration Manager 2012 client runs a scheduled task to evaluate its client health status, and then
sends the evaluation results to the site as a state message to the management point. If there is any
change in the evaluation result since the most recent state message, the health status is sent back by
using a state message. By default the task runs between midnight and 01:00.
Similar to the initial installation process, if the client fails to send its state message to a management
point, it then sends the state message to a fallback status point, if one exists in your hierarchy. If a fallback
status point is not installed in your hierarchy, some evaluation results might not be received by the site
server. The site server summarizes the client health evaluation results and activities, and then displays
these in the Configuration Manager console, in the Client Status folder located in the Monitoring
workspace.
The following items are new or have changed for client status reporting (now Client Status) since
Configuration Manager 2007 Client Status Reporting:
Client health and client activity information are integrated into the Configuration Manager console.
Typical client problems that are detected are automatically remediated.

The Ping tool from Configuration Manager 2007 R2 Client Status Reporting is not used by
When you click the Client Status node, the results pane displays a dashboard showing a summary of the
Client Activity and Client Check nodes. The information available is organized differently than in either the
Client Activity or Client Check nodes because it displays results that are based on both monitors. The
following links are available in the Client Status dashboard:
Active clients that passed client check or no results
Active clients that failed client check
Inactive clients that failed client check

Inactive clients that passed client check or no results
No configuration Manager Client Installed
Additionally, there is a graph showing the Most Frequent Client Check Errors.
If you click the links available, a sticky node is created under the Devices node in the Assets and
Compliance workspace, and the console automatically changes to the newly created sticky node. Sticky
nodes remain in the Configuration Manager console until you manually remove them, or until the console
is closed. For example, when you click the Active clients that failed client check link, which denotes the
clients that failed the Client Health checks, a sticky node for these unhealthy clients is created and then is
automatically selected.
Note By default, client status information is updated once a day. You can modify this
interval in the Schedule Client Status Update dialog box or force summarization on
demand.
Question: What are some of the causes of an unhealthy and active client?
Question: How does Client Status improve client monitoring compared with previous
versions of Configuration Manager?
Overview
O of
o the Conffiguration Manager Health Evvaluation T
Task
Client Status in the Configura ation manager console receivves its informaation from the Client Health
evvaluation engine running on T Client Hea lth evaluation engine is the executable file
n each client. The e
CCMEval.exe. CCMEval.exe is installed with the Configuraation Managerr client and run ns on compute ers. It is
noot part of the mobile device client. When the Configura tion Manager client is installed, the install process
crreates the sche
eduled task Co onfiguration Manager
M Heaalth Evaluatio n. This task runs CCMeval.exxe at a
time between midnight
m and 01:00.
0 The resuults are then reeported as a sttate message tto the clients
management
m point, or to a fa
allback status point
p if the maanagement po oint is unavailable. The
M Healtth Evaluation process
p can bee run on demaand as required d by running
CCMEval.exe.
Too view the clie

ent health ruless that the Clien uator engine iis using, you caan look in the <client
nt Health evalu
lo
ocation>\ccme eval.xml file; however
h you cannot make ch hanges to thiss file.
If the computerr is not running

g when the schheduled Confi guration Manager Health Evvaluation task is due
to a possible, fo r example, wh
o run, the task automatically runs as soon as hen the operatting system is lloaded
orr is brought ou
ut of sleep mo
ode.
Th
he following ta
able lists the health
h evaluatio
on rules and reemediation acctions.
Health Check Rem ediation
Verify WMI se
ervice exists No aautomatic rem
mediation
Verify/Remed
diate WMI servvice startup typ
pe Set sservice startup
p to automaticc
Verify/Remed
diate WMI servvice status Start service
WMI Reposito
ory Integrity Test Rein
nstall Client
(continued)
Health Check Remediation
WMI Repository Read/Write Test Reset WMI Repository and Reinstall

Client
Verify BITS exists No automatic remediation
Verify/Remediate BITS startup Type Set service startup to automatic
Verify/Remediate client and client prerequisites installation Reinstall Client
Verify SMS Agent Host service exists No automatic remediation
Verify/Remediate SMS Agent Host service startup type Set service startup to automatic
Verify/Remediate SMS Agent Host service status Start service
Verify/Remediate Lantern service startup type Set service startup to manual
Verify/Remediate Antimalware service startup type Set service startup to automatic
Verify/Remediate Antimalware service status Start service
Verify/Remediate Network Inspection service startup type Set service startup to manual
Verify/Remediate Windows Update service startup type Set service startup to automatic
Verify/Remediate Windows Update service status Start service
Verify/Remediate Configuration Manager Remote Control Set service startup to automatic

service startup type
Verify/Remediate Configuration Manager Remote Control Start service

service status
Verify/Remediate SQL CE database is healthy Sets the database to ccmstore.sdf
Automatic remediation might not be desirable on all systems, for example mission critical servers where
the remediation activities might be disruptive. By installing the Configuration Manager client with the
client.msi property NotifyOnly=True or by changing the HKEY_LOCAL_MACHINE\Software\Microsoft
\CCM\CcmEval\NotifyOnly registry value to True you can disable automatic remediation.
Question: Why would you disable automatic remediation on servers?

Monitoring
M g Client Acctivity
On
O the server siide, the admin
nistrator can de
efine the frequ uency of clientt-server comm
munications thaat
de
etermine whetther the client has an active or inactive staatus.
Th
he client commmunication thrresholds can be configured iin the Client S
Status Setting
gs Properties dialog
bo
ox. The following table lists the
t settings fo
ound there, and
d their defaultt values.
Setting Default vaalue
Client policy requests

r durin
ng the followin
ng days 7 days
Heartbeat disscovery during

g the following
g days 7 days
Hardware invventory during the following days 7 days
Software inve
entory during the
t following days
d 7 days
Status messag
ges during the
e following dayys 7 days
Retain client status

s history for
f the following number off days 31 days
Yoou can use the e Configuration Manager console to view interactions beetween the client and the
management
m syystem, which helps
h the admiinistrator distin
nguish betweeen unhealthy cclients and clie
ents that
arre just offline. Configuration Manager 201 12 retrieves infformation from
m AD DS to ide entify the inacttive
clients based on n the LastLogoonTimeStamp p.
When you click on the Client Activity node, the results pane becomes divided into two sections showing
you information based on the client activity monitors you have configured.
Client activity for all devices. Displays a chart showing active computers, inactive computers and
computers with no Configuration Manager client installed. Click a section of the pie chart to create a
sticky node showing a list of computers with the status you selected. You can view activity detail for
each of the clients in the node to determine why they the displayed status.
Client activity trend for all devices. Displays a graph showing client activity over a specified period.
You can configure the time period that you want to view from 5 to 90 days from the Client activity
period drop-down list.
Using
U Clien
nt Check to
o Monitorr Configuraation Man
nager Clien
nts
When
W you click on the Client Check node, the
t results panne becomes divvided into the
e following two
o
se
eparate section
ns that displayy information based
b Configuration Manager Health Evaluation task:
on the C
Client checck results for all devices displays a chart showing computers that paassed client che eck,
computers that failed clie ent check, commputers that haave not reportted results and d computers wwith no
Configuratiion Manager client
c installed.. Click a sectio hart to create a sticky node showing
on of the pie ch
mputers with the status you selected. You can click the C
a list of com Client Check DDetail tab in the
results for individual syste
ems to discove er any remediaation actions tthat Configuration Manager took.
Client checck trend for all

a active clien nts displays a g
graph showing g client compuuters that passed
client check
k over a speciffied period. Yo
ou can configu re the time peeriod (from 5 tto 90 days) thaat you
want to view from the Client activity peeriod drop-dow wn list.
Using Reports to View

w Client Sta
atus
In addition to the Client Check and Client Acttivity informat ion in the Con nfiguration Maanager console e, you
also
o can use the Client
C Status re
eports. After yo
ou install and cconfigure a reeporting services point role, tthe
Client Status repoorts become avvailable in the Client Status ffolder in the CConfiguration M Manager conso ole or
in th
he ConfigMgr_<site code>\\Client Status path in the reeporting websiite. The follow wing table lists the
repoorts that are avvailable.
Re
eport Desscription
Client Remediattion Details This report proviides client rem

mediation detaails for a given
collection.
Client Remediattion Summaryy This report proviides remediatiion summary information fo

or a
givven collection..
Client Status History This report proviides a historicaal view of the overall client
sta
atus in the envvironment.
Client Status Su
ummary This report proviides administrrators with the current
ercentages of h
pe healthy and acctive clients forr a given
Co
ollection.
Client Time to Request

R Policyy This report showws the percentaage of clients tthat have
req
quested policyy as least once in the last 30 days. Each day
rep
presents a perccentage of thee total clients tthat have
req
quested policyy since day 1 in
n the cycle. Thhis informationn is
use
eful to help deetermine the time it takes too distribute a
po
olicy update too your client po
opulation. Clieent deploymen nts
or changes in cli ent count can affect the acccuracy of the
rep
port.
(continued)
Report Description
Clients with Failed Client Check This report displays details about clients that client check
Details failed for a specified collection.
Inactive Clients Details This report provides a detailed list of inactive clients for a
given Collection.
Question: Which reports can you use to view information about client status?
Modulle Revie
ew and Takeaw
ways
Rev
view Questiions
1. What discove
ery method can n you use to create boundarries in Configu
uration Manag
ger 2012, and h
how
are the bound
daries determiined?
2. In what situattion would you
u need to provvision client prroperties by ussing Group Po
olicy?
3. In what situattion would you

u need to conffigure DNS forr locating site systems?
4. What is the difference

d betw
ween an inactivve client and aan unhealthy cclient?
7-1
Module 7
Maintaining and Monitoring System Center 2012
Contents:
Lesson 1: Overview of Configuration Manager 2012 Site Maintenance 7-3
Lesson 2: Performing Backup and Recovery of a Configuration Manager 2012 Site 7-13
Lesson 3: Monitoring Configuration Manager 2012 Site Systems 7-30
Lab: Maintaining and Monitoring System Center 2012 Configuration Manager 7-36
7-2 Maintainingg and Monitoring Sysstem Center 2012 Coonfiguration Manager
Module Overrview
Microsoft System m Center 2012 Configuration n Manager arcchitecture inclu udes multiple ccomponents oon the
site server, site sysstems and client devices. Altthough you ca n design the aarchitecture off the solution tto be
resilient to failures by implemen nting multiple site systems, uusing clusterin
ng for the dataabase, or
impplementing mu ultiple primary sites to beneffit from the rep
plication of glo
obal data, you
u must configuure
and perform regu ular site mainteenance tasks to o ensure that tthe solution yo
ou implementt is functional aand
effe
ective.
Perfforming regula
ar backups is ana important maintenance
m aactivity that you implement iin your
Con nfiguration Ma
anager environ nment. Perform ming regular b backups is even n more importtant if you havve a
stannd-alone primaary site so thatt you can reco
over the site coonfiguration orr the site datab
base in case eiither
failss.
If yo
ou have a multtiple-site envirronment, data is replicated tto other sites in the hierarchy. However, w we still
recoommend that youy perform backup
b for the
e site servers an
nd databases iin the central aadministration n site
and the primary sites
s to protectt your impleme entation in casse of operatingg system or sitte failure. The
dataabase replication mechanism m helps you in the recovery p process by repplicating the m
most recent glo obal
dataa from other sites in the hierrarchy.
In addition to regular site backu

ups, you should perform reg gular monitorin ng activities to
o determine th
he
health of your Configuration Manager implem mentation. You u use the mon nitoring capabilities includedd in
the Configurationn Manager con nsole to monito
or the status o
of the site systeems and repliccation. You cann use
exteernal monitorin
ng tools such as System Cennter 2012 Operrations Manag ger to automatte monitoring and
alerrting.

Describe Con
nfiguration Manager 2012 sitte maintenancce tasks.
Back up and recover a Configuration Man
nager 2012 sitte.
Monitor Conffiguration Man

nager 2012 site systems.
Lesson
n1
Overv
view of Configuration
n Manag
ger 2012 Site
Mainttenance
e
M 2012 includes built-in maintenan nce tasks that yyou can enable
e and then configure
to edule. After installing your Configuration
o run on a sche C Manager envirronment, you must review the
M
bu
uilt-in mainten
nance tasks annd decide whicch ones to ena ble and when they should run.
A crucial part off your site maiintenance setu ould make a p

up that you sho part of every C
Configuration
Manager
M designn is a site main n, you should include
ntenance plan.. When you creeate a site ma intenance plan
co
onfiguration details for the following:
f
Built-in site
e maintenance tasks
Maintenancce activities pe
erformed manually on a dail y, weekly, or m
monthly sched
dule
Configuratiion of the status alert and status monitorin

ng systems acccessed from th on
he Configuratio
Manager coonsole
External mo
onitoring toolss used in the site, such as Sysstem Center 2
2012 Operation
ns Manager
After completin
ng this lesson, you
y will be able to:
Provide an overview of Configuration Manager
M 20122 site maintenaance.
Describe tyypical tasks use

ed to maintain a Configurati on Manager 2
2012 site.
Describe th d content of a site maintenaance plan.

he purpose and
Ov
verview of Configura
ation Mana
ager 2012
2 Site Main
ntenance
Site maintenance and monitorin

ng for Configu
uration Manag
ger 2012 includ
des the followiing types of
activvities:
Performing siite maintenancce tasks. You can

c configure tthe built-in sitte maintenancee tasks, such aas the
Backup Site Server
S mainten
nance task, and d perform otheer regular mai ntenance activvities.
Monitoring th on. You can usse the monitoring features included in the
he site systemss and replicatio e
Configurationn Manager con nsole to view the
t status of thhe site systemss, evaluate the
e health of the
client, and mo
onitor site replication.
Monitoring byb using System

m Center 2012 2 Operations M
Manager. You ccan monitor th he Configuration
Manager 201 12 environmennt by using System Center 20012 Operation ns Manager to import the
Configurationn Manager 201 12 manageme ent pack, and tthen configurin
ng the alerts aand performan
nce
collection rule
es.
Con nfiguring the Backup

B Site Serrver maintenance task, and eensuring the b backup is perfo
ormed correctly, is
the most important action you need to perform in your Co nfiguration Manager 2012 e environment. B
By
doinng so, you will be able to reccover the site server
s and thee database in ccase of operatiing system or site
failu
ure. Backup annd recovery is covered
c in greeater detail in tthe next lesson
n, Performing
g Backup and
Reco overy of a Con
nfiguration Maanager 2012 Sitte.
Question: De ols that you can use to monittor the health of Configurattion
escribe the too
Manager 20112 site systems.
Site Mainte
enance Tassks
M 2012 includes built-in maintenannce tasks that yyou can enablee and configure to
ru
un on a schedu hese tasks are enabled by deefault and perfform required cleanup activities,
ule. Some of th
su
uch as deleting
g aged informaation from thee database, en suring that ob
bsolete informaation is removved and
th
hat reports sho
ow up-to-date information.
Yo
ou can view th
he site mainten
nance tasks byy performing th
he following steps:
1.. Open the Configuration

C Manager
M console.
2.. nager console, in the Admin

In the Conffiguration Man nistration worrkspace, expan
nd Site
Configurattion, and thenn click the Sites node.
3.. Select the site

s you want to bon, click Settings, and then click
t view the tassks for, and theen on the ribb
the Site Maaintenance Ta
asks button.
4.. In the Site Maintenance

e dialog box, cllick the mainteenance task yo
ou want to con
nfigure, and th
hen click
Edit.
Th
he following ta
able lists the siite maintenancce tasks and th
heir purposes.
Site maintena
ance task Purpose
Backup Site Server Backs up

p a Configurattion Manager 2012 site, inclu uding the site
database, files, registryy keys, and sysstem configuraation informattion.
Rebuild Indexxes Rebuildss the site datab

base table ind exes to speed up data retrie
eval.
Monitor Keys Monitorrs the primary keys from thee site database tables.
Delete Aged Inventory History Deletes aged inventorry history from

m the site datab
base.
7-6 Maintaining and Monitoring System Center 2012 Configuration Manager
(continued)
Site maintenance task Purpose
Delete Aged Status Messages Deletes aged status message data from the site database.
Delete Aged Discovery Data Deletes aged client discovery data from the site database.
Delete Aged Collected Files Deletes aged collected files data from the site database and from the
site server folder structure.
Delete Aged Software Deletes aged software metering data from the site database.
Metering Data
Delete Aged Software Deletes aged software metering summary data from the site database.
Metering Summary Data
Summarize Software Metering Summarizes software metering file usage data from multiple records
File Usage Data into one general record.
Summarize Software Metering Summarizes monthly software metering usage data from multiple
Monthly Usage Data records into one general record.
Clear Install Flag Clears the install flag in the database for clients whose Heartbeat
Discovery data records have not been updated in the specified interval,
so that the Configuration Manager client is reinstalled automatically
using Client Push.
Delete Inactive Client Deletes inactive client discovery data from the site database.
Discovery Data
Delete Obsolete Client Deletes obsolete client discovery data from the site database.
Discovery Data
Delete Aged Computer Deletes aged user-device affinity data from the site database.
Association Data
Evaluate Provisioned AMT Evaluates provisioned Active Management Technology (AMT)

Computer Certificates computer certificates.
Delete Obsolete Alerts Deletes alerts that had been closed for a specific period of time.
Delete Unused Application Deletes unreferenced application revisions.

Revisions
Delete Aged Log Data Deletes aged data from the replication logs, and also cleans up object
lock requests.
Delete Aged Replication Deletes aged replication tracking data.

Tracking Data
Delete Aged Application Deletes application requests that are cancelled or denied, which are
Request Data older than the specified period of time.
(continued)
Site maintenance task Purpose
Delete Aged Devices managed Deletes all the obsolete records in the Exchange partnership properties
by the Exchange Server table that have LastSuccessSyncTimeUTC earlier than the specified
Connector period of time. It also deletes the system records that correspond to
the obsolete partnership entries if they are managed solely by
Exchange.
Delete Aged Device Wipe Deletes aged device wipe records from the site database.
Record
Delete Obsolete Forest Deletes obsolete discovery data created by Active Directory Forest
Discovery Sites and Subnets Discovery by trying to find, and then remove, sites/subnets that have
not been discovered for a period of time via forest discovery.
Check Application Title with Checks that the correct application title is displayed in the Asset
Inventory Information Intelligence catalog. It does this by matching the installed software
data with catalog data, which it achieves by calculating the Software
Properties Hash based on the Product Name, the Publisher, and the
Product Version.
Summarize Installed Software Summarizes installed software data.

Data
Delete Aged Enrolled Devices Deletes aged enrolled devices from the site database.
Delete Aged Threat Data Deletes aged Endpoint Protection threat data from the database.
Delete Aged Endpoint Deletes aged Endpoint Protection health status history data from the
Protection Health Status site database.
History Data
Delete Aged Client Operations Deletes aged Endpoint Protection scan requests.
Evaluate Collection Members Evaluates the collection members incrementally, every five minutes by
default.
Update Application Catalog Synchronizes the Application Catalog website database cache with the
Tables latest application information.
Delete Aged Delete Detection Deletes old data change information used by external systems
Data extracting data from database.
Delete Aged User Device Deletes aged information about user device affinity.
Affinity Data
Question: Why should you delete aged inventory history data?

Ma
aintaining a Configu
uration Ma
anager Sitee
Site maintenance for Configuration Manager 2012 involvess several types of activities yo
ou need to perform
to ensure
e that youur Configuratio
on Manager immplementation
n is working p
properly, and to o ensure that yyou
can recover in casse of hardware
e or software fa
ailure.
The first step you can take to co onfigure site maintenance
m fo
or your installaation is to creaate a site
maintenance plan n. This plan listts the configurration of the b uilt-in site maintenance taskks, describes
add
ditional mainteenance activitie es such as mon nitoring the sitte systems and d clients, and ddescribes recovvery
proccedures in case of a site failu
ure.
Built-in site mainttenance tasks include

i typicall maintenancee features, but you should coomplement the
em
with
h additional toools for end-to
o-end maintenance and mon nitoring of youur Configuratio
on Manager
imp
plementation.
Typical activities for

f maintaining
g and monitorring a Configu ration Manageer 2012 enviro
onment include:
Create a site maintenance plan.

p In a site maintenance
m p
plan, you desc ribe:
The configuration of th
he built-in site maintenance tasks.
Daily, we er periodic activities you neeed to perform.

eekly, and othe
d custom external maintenan

Required nce tasks.
The configuration of th
he status system.
The configuration of allerting feature

es.
Recoveryy procedures in
n case of site failure.
Create any necessary custom maintenance tasks that are external to Configuration Manager. Custom
maintenance tasks perform activities that are not included in the built-in tasks, and are sometimes
implemented as scripts that are then run automatically by the Task Scheduler. You can use batch files
or a scripting language, such as Windows PowerShell, to implement these tasks.
Review, configure, and enable/disable site maintenance tasks. Review the built-in site maintenance
tasks, configure them, and then enable or disable each task according to your site maintenance plan.
Configure the status summarizers. Configure the status summarizers to evaluate the health of the site
systems and components based on the number and importance of status messages.
Use the monitoring features included in Configuration Manager console. Use the Configuration
Manager console features to monitor the status of the site systems and to monitor replication.
Configure alerts. Configure alerts to be generated for errors or for specific thresholds.
Consider using System Center 2012 Operations Manager. You can use System Center 2012
Operations Manager to monitor your Configuration Manager environment.
7-10 Maintaining and Monitoring System
S Center 2012 Configuration
C Managger
Cre
eating a Siite Mainte
enance Plan
To ensure
e that you do not overlook importan nt maintenancee activities, you should creatte a site
maintenance plann. Typically, you create a site maintenance plan during th he implementation of your
Con
nfiguration Maanager environ nment. It shoulld reflect your particular imp
plementation aarchitecture an
nd
your organization operations requirements.
ns specific IT-o
The site maintenaance plan shouuld be part of your

y Configuraation Manager implementattion
doccumentation, along
a with the implementatio on design, and
d procedures ffor installation
n, configuration
n, and
erations. The site maintenancce plan should
ope mmendations for typical maaintenance activities
d contain recom
suchh as:
Configuring and
a verifying site
s backups.
Checking for file backlog on site servers and
a site system
ms.
Reviewing sta
atus messages for site system
ms and compo
onents.
Configuring and
a reviewing alerts in the console.
Checking for failed replication communiccation.
Reviewing errror and warnin

ng messages generated
g by SSystem Center 2012 Operatio
ons Manager, if
applicable.
Site maintenance plans can con ntain activities that are perfo
ormed on a sch
hedule. You caan schedule the
e
task
ks to happen daily,
d weekly, or
o over a longe er period.
The following table lists typical maintenance tasks and the suggested frequency of the tasks.
Frequency Typical maintenance tasks
Daily Maintenance Verify that built-in daily maintenance tasks are running successfully.
Tasks Check Configuration Manager site database status.
Check site server status.
Check Configuration Manager site system inboxes for backlogs.
Check site systems status.
Check client status and health.
Check the operating system event logs on site systems.
Check the SQL Server error log.
Check system performance.
Weekly Maintenance Verify that built-in weekly maintenance tasks are running successfully.
Tasks Delete unnecessary files from site systems.
Produce and distribute end user reports, if required.
Back up and then clear application, security, and system-event logs.
Check the site database size, and verify that the site database has enough
available disk space to enable growth.
Perform SQL Server database maintenance on the site database according
to your SQL Server maintenance plan.
Check available disk space on all site systems.
Run disk defragmentation tools on all site systems.
Periodic Maintenance Review the security plan for any required changes.
Tasks Change accounts and passwords if necessary, according to your security
plan.
Review the maintenance plan to verify that scheduled maintenance tasks
are scheduled properly and effectively depending on configured site
settings.
Review the design of the Configuration Manager hierarchy for any
changes.
Check network performance to ensure changes have not been made that
affect site operations.
Verify that Active Directory Domain Services (AD DS) settings affecting site
operations have not changed. For example, you should ensure that no
changes have been made to subnets that are assigned to Active Directory
sites, and that a Configuration Manager site is using Active Directory
Forest Discovery to create site boundaries.
Review the disaster recovery plan for any required changes.
Perform a site recovery in a test lab according to the disaster recovery plan
by using a backup copy of the most recent backup snapshot that the
Backup Site Server maintenance task created.
Check hardware for any errors or hardware updates available.
For each maintenance task listed in the site maintenance plan, you should assign an owner who is
responsible for performing that task. Most of the daily or weekly maintenance tasks can be performed by
administrative users who are assigned the Infrastructure Administrator or Operations Administrator
security roles.
When configuring the built-in site maintenance tasks, you must ensure that you are not scheduling the
maintenance tasks too aggressively, which can create additional processing load on your site server and
database; or too passively, which may result in obsolete information not being deleted. In most
implementations, you should use the default schedules for the built-in maintenance tasks.
Lesson
n2
Perfo
orming Backup
B and Re
ecoveryy of a Co
onfigura
ation
Manaager 201
12 Site
Configuring the e Backup Site Server

S task and
d ensuring thaat backups are performed regularly and
su
uccessfully, you
u can ensure that in case the
e site server orr the site datab
base fails you ccan recover yo
our site
co
onfiguration.
Thhe Backup Site

e Server task only backs up the
t site databaase, certain fold
ders, and certaain registry keys from
yo
our site server.. To completelly recover your Configuratio
on Manager im mplementation, you may nee ed to
in
nclude addition ur backup, such as custom reeports, conten
nal data in you nt files, and cusstom updates. You
also need to runn the planned recovery proccedures in a teest environmen nt to ensure th hat you can reccover all
he necessary data from the site.
th s
If the AfterBack
kup.bat batch file
f is present, the Backup Sitte Server task attempts to ru
un it immediattely
affter performing
g the site back
kup. This lesson examines ho ow to use the AAfterBackup.b
bat to perform
addditional back
kup operationss. This lesson also explains ho
ow to troublesshoot your bacckup procedurre and
re
esults, and how
w to perform a site recovery from your bacckup.
After completin
ng this lesson, you
y will be able to:
he backup and recovery proccesses for Conffiguration Manager 2012.

Describe th
Describe th
he resources th
hat need to be backed up.
t Backup Site Server task.
Configure the
Describe th
he resources th
hat can be used
d to troublesh
hoot the backu
up.
Perform site recovery.

C Managger
Ov
verview of Backup an
nd Recove
ery
Plannning the Conffiguration Mannager backup and recovery processes enaables you to reecover from sitte
failu
ure. Backup an
nd recovery proocesses must be
b part of you r site maintenance plans to ensure that sittes
and hierarchies arre recovered quickly
q with miinimal data losss.
Bacckup Site Se
erver mainte
enance task
k
The Backup Site Server
S mainten nance task runss on a schedulle and backs u up the site dataabase, specific
regiistry keys, and specific folderr and files. Nott all files are b acked up; how
wever, you cann create the
AfteerBackup.bat file to automattically perform post-backup actions after tthe backup maaintenance tassk
finisshes, such as copying additioonal files from your site servver and archivin ng the backupp snapshot to a
secuure location.
Reccovery featu
ures
In case of hardware or softwaree failure, you need to restoree the site with minimal or noo data loss.
Site recovery inclu
udes potentially replacing fa
ailed hardwaree, reinstalling t he operating ssystem and
Connfiguration Maanager 2012, and restoring the site databaase from a bac kup.
Connfiguration Ma anager 2012 ha as recovery feaatures that difffer from previo
ous versions. FFor example,
in Configuration
C Manager
M 20122, recovery is in
ntegrated in th
he Configuration Manager SSetup Wizard, aand
therre is support fo
or multiple reccovery optionss, as outlined in
n the followingg table.
Re
ecovery option
n for: Recovery op
ption availablee
Th
he site server Recoveer the site serv er from a backkup
Reinsta
all the site servver
Th
he site database Recoveer the site dataabase from a b
backup
Create a new site dattabase
Use a site
s database t hat has been m manually recovered
Skip da
atabase recoveery
If you have a multiple-site implementation of Configuration Manager, you can benefit from data
replication, which can minimize data loss after recovery. When recovering a site that is part of a hierarchy,
Configuration Manager uses database replication to retrieve the most current global data created by the
failed site before it failed. This process minimizes data loss even when no backup is available.
When you need to recover a site, you can initiate an unattended site recovery by configuring an
unattended installation script and then using the Setup /script command.
Volume Shadow Copy Service

The Backup Site Server maintenance task uses the Volume Shadow Copy Service (VSS) to create the
backup snapshot. By using VSS shadow copies when you run the Backup Site Server maintenance task,
you can minimize the time site servers are offline. VSS must be available on both the site server and the
database server for the Backup Site Server maintenance task to complete successfully.
Question: How do you perform a recovery of your entire site if your site server fails?
C Managger
Backing Up a Configurration Man

nager 2012 Site
Con
nfiguration Ma
anager 2012 sttores data in thhe Microsoft SQL Server siite database, in the files locaated
on the
t site server computer, andd in registry ke
eys.
To ensure
e that you can recover your entire Coonfiguration M
Manager enviroonment should d you have a ssite
failu d configure the Backup Site Server mainteenance task forr the central administration site
ure, you should
mary site in your hierarchy.
and for every prim
The Backup Site Server

S maintennance task runss automaticallyy, on a schedu
ule that you coonfigure. When n it
runss, it stops the Configuration
C Manager servvices and then performs a baackup snapsho ot of your site. This
snappshot containss all the data necessary
n to pe
erform a comp plete recovery,, including the
e site databasee,
certtain folders fro
om your Configguration Mana ager installatio
on path, and th
he registry setttings that are
related to Configu uration Managger.
Bacckup and Re
ecovery Sce
enarios
Deppending on your implementa ation, you migght not need too have a site b
backup to avoiid data loss. In
n
y might succcessfully recovver a primary ssite by reinstalling the site, and
mulltiple-site implementations you
then
n using databa ase replication to retrieve the configuratio use before the failure.
on settings in u
The need for a site backup depe

ends on the sitte implementaation scenario,, such as the fo
ollowing scenaarios
for:
A stand-alone
e primary site. To avoid data
a loss when a sstand-alone prrimary site fails, you must haave a
Configuration
n Manager bacckup.
Secondary sittes. You have no
n built-in feattures for the bbackup and reccovery of seco
ondary sites. W
When a
secondary site fails, you mu
ust reinstall it from
f the primaary site server.
A central administration site with child primary sites. You can configure the Backup Site Server task
and perform recovery of the central administration site and all primary sites. Because database
replication is used in the hierarchy, the data required for recovery can be retrieved from another site
in the hierarchy, which means that you can recover a primary site even when you do not have a site
backup. The benefit of having a backup is that you can restore the data using the most recent
backup, and replication only needs to retrieve changes to the data since the last backup, which
reduces the amount of data transferred over your network.
Configuring the Backup Site Server task

To back up Configuration Manager sites, you must configure the Backup Site Server maintenance task to
run on a specific schedule, or the task will not run. The Backup Site Server can be configured on central
administration site and primary sites only; there is no backup support for secondary sites or site system
servers.
The Backup Site Server task is implemented as a Windows service called SMS_SITE_BACKUP, which is
configured for manual startup. The service is configured to run on a schedule on the site server and
database server, and is started by the Scheduler when you have configured a backup to begin. You also
can manually start the service to initiate an unscheduled backup.
When the backup service starts, it follows the instructions predefined in the backup control file
smsbkup.ctl, located in the <ConfigMgrInstallationFolder>\Inboxes\smsbkup.box\. You can modify
the backup control file to change the behavior of the backup service, such as changing the account which
the service uses. Site backup status information is written by the Backup Site Server task to the
smsbkup.log file, which is automatically created in the folder that you specify in the property window of
the Backup Site Server maintenance task.
Using the AfterBackup.bat file

You use the AfterBackup.bat file to copy additional files from your site server, archive the backup
snapshot at the end of every backup operation, and perform other post-backup tasks that are not
performed by the Backup Site Server maintenance task.
After successfully backing up the site, the Backup Site Server task automatically attempts to run a file
named AfterBackup.bat. If an AfterBackup.bat file already exists, and is stored in the correct folder, the
file automatically runs after the backup task has completed. The AfterBackup.bat file needs to be created
manually by the administrator in the <ConfigMgrInstallationFolder>\Inboxes\smsbkup folder.
To verify that the site backup task successfully ran the AfterBackup.bat file, open the Configuration
Manager console, and then click the Component Status node in the Monitoring workspace. In the
results pane, review the status messages for SMS_SITE_BACKUP. If the task successfully initiated the
AfterBackup.bat batch file, the message ID 5040 is visible.
Question: What tool can you use to configure archiving of backup files that begins
automatically after the site backup completes?
C Managger
Co
onfiguring the Site Backup Tassk
The configuration
n options you choose
c for the
e Backup Site SServer task dep
pend on your site architecture.
You
u need to configure the apprropriate option
ns in the Back
kup Site Serve er dialog box.
To configure
c the Backup Site Se
erver task, perfform the follow
wing steps:

ger console, click the Admin
nistration worrkspace.
2. In the Admin
nistration worrkspace, expan guration, and tthen click the Sites node.
nd Site Config
3. Select the site

e for which you are configurring the Backu p Site Server ttask.
4. On the ribbon
n, in the Settin
ngs group, clicck the Site Maaintenance Ta
asks button.
5. In the Site Maintenance dialog box, click Backup Site

e Server, and tthen click Editt.
6. Select Enable
e this task, and then click Se n. You have the
et Paths to sp ecify the backkup destination
following opttions:
Local driive on site serrver for site data

d and dataabase. You speecify a folder o on the site servvers
local drivve where the backup
b u must create this
files forr the site and ssite database aare stored. You
local fold
der before the backup task ru uns, and the siite servers commputer accoun nt must have w write
access too the folder.
Network k path (UNC name)

n for site
e data and daatabase. You s pecify a shared folder in the e
network by using the UNC
U path where both the baackup files for the site and thhe site database are
stored. You must create this network k shared folderr before the baackup task run
ns, and the site
e
servers computer
c acco
ount must have e write access to the share.
Local drives on site server and SQL Server. You specify a path on the site servers local drive
where the backup files for the site server are stored. You also specify a path on the site database
servers local drive where the backup files for the site database are stored. You must create these
local folders before the backup task runs, and the site servers computer account must have write
access to both folders. This option is available only when the site database is on a remote site
system server.
7. Configure an appropriate schedule for the site backup task. As a best practice, consider a backup
schedule that is outside of active business hours.
8. Select the Enable alerts for backup task failures check box, click OK, and then click OK. When this
check box is selected, Configuration Manager creates a critical alert for the backup failure that you
can review from the Alerts node in the Monitoring workspace.
What is backed up?

The site backup includes the following files:
The Configuration Manager site database files

The following Configuration Manager installation folders:
<ConfigMgrInstallationPath>\inboxes
<ConfigMgrInstallationPath>\Logs
<ConfigMgrInstallationPath>\data
<ConfigMgrInstallationPath>\srvacct
<ConfigMgrInstallationPath>\install.map file
The ..\HKEY_LOCAL_MACHINE\Software\Microsoft\SMS registry key
What is not backed up?

The Backup Site Server task does not back up all Configuration Manager files. The backup is performed
only on the site server and the site database, and not on other site system roles.
Configuration Manager site systems and secondary sites. There is no need to back up data from site
systems such as distribution points and management points. These site systems can easily be
reinstalled by the site server if they fail. There is no backup support for secondary sites; they must be
reinstalled from the parent primary site in case of failure.
Custom Reporting Services reports. You must back up any custom reports that you created by using
Reporting Services and the report server database files, so that you can recover them in case of a site
failure. You should include the following in the report server backup:
Source files for reports and models
Encryption keys
Custom assemblies or extensions
Configuration files
Custom SQL Server views used in custom reports
Custom stored procedures

Content library. You must back up the content library so that you can restore and redistribute content
to distribution points. When you initiate content redistribution, Configuration Manager copies the
files from the content library on the site server to the distribution points. The content library for the
site server is in the SCCMContentLib folder that usually is located on the drive that had the most free
disk space when the site was installed.
Package source files. You must maintain a copy of the package source files so that you can restore
them after a site failure, and then update the content on distribution points. When you initiate a
content update, Configuration Manager copies new or modified files from the package source to the
content library, which then copies the files to associated distribution points.
Windows Server Update Services (WSUS) database. You need to back up the WSUS database if you
want to recover the metadata about software updates. An alternative in case of failure, you can
reinstall the software update point on a new WSUS instance, but you would need to reconfigure the
synchronization settings.
Backup custom software updates. You must include the System Center Updates Publisher 2011
database in your backup if you have used System Center Updates Publisher 2011 to do any of the
following activities:
Publish custom software updates to WSUS

Synchronize the software updates to Configuration Manager
Assess software updates compliance
Deploy the custom software updates to clients
Performing Unscheduled Backups

You should perform unscheduled backups whenever you make changes to your Configuration Manager
environment, for example, when you add new sites or site system roles.
An unscheduled backup can be performed by starting the SMS_SITE_BACKUP service on the site server.
Demonstra
D ation: Back
king Up a Primary
P Sitte
In
c the B
Backup Site Seerver task, and how to trigge
er and
monitor
m a backu
up.
Demonstrati
D ion Steps
Configure
C th
he Backup Site Server ta
ask
nsole.

nager console, click the Adm
ministration w
workspace, exp
pand Site
Configurattion, and thenn select Sites.
3.. C --- New York Primary Site, and on the rib

Select NYC en click Site
bbon, click Setttings, and the
Maintenannce.
4.. In the Site Maintenance

e dialog box, edit the Backup
p Site Server task.
5.. In the Backkup Site Serve

er Properties dialog box, seelect the Enablle this task ch
heck box, and tthen
click Set Pa
aths.
6.. In the Set Backup

B Paths dialog box, ve
erify the optio
on Local drive on site serve
er for site data
a and
d then browse to select a fol der.
database iss selected, and
7.. On drive E, create a folde

er called Backu
up, and then cclick Select Fo
older.
8.. In the Set Backup

B Paths dialog box, ve
erify that E:\Baackup appearrs in the box, aand then click O
OK.
9.. In the Back

kup Site Serveer Properties dialog box, in the Start afte er box, set the time to start tthree
om now, verifyy that the Latest start time iis at least one hour after now
minutes fro w, and then click OK.
10
0. In the Site Maintenance
e dialog box, ve
erify that the B
Backup Site S
Server task is e
enabled.
Trigger and monitor the backup

1. From Administrative Tools, start the Services console.
2. In the Services console, start the SMS_SITE_BACKUP service.
3. Navigate to the C:\Program Files\Microsoft Configuration Manager\Logs, and then open the
smsbkup.log file in Notepad.
4. If the backup completes successfully, at the end of the smsbkup.log file, the text Backup completed
appears, and then on the next line, the text STATMSG: ID=5035 appears.
5. Navigate to the E:\Backup\NYCBackup\SiteDBServer folder and verify that it contains the database
files.
6. Navigate to the E:\Backup\NYCBackup\SiteServer\SMSServer folder, double-click on the

SMSServer folder to open it, and note that it contains the data, inboxes, Logs and srvacct folders.
7. In the Configuration Manager console, in the Monitoring workspace, expand System Status, and
then select the Component Status node.
8. Select the SMS_SITE_BACKUP component, and, on the ribbon, click Show Messages and click All.
9. Accept the default of 1 day ago.
10. In Configuration Manager Status Message Viewer, search for a message with a Message ID of
5035.
Troublesho
T ooting a Site Backup
p
Yo
ou can use the
e logs and monitoring featurres included in
n Configuration Manager to ensure that th he
Ba
ackup Site Server task started according to
o the backup sschedule and tthat the backu
up operations
pe
erformed succcessfully.
To
o verify that th
he Backup Site
e Server mainte ompleted succcessfully, you can:
enance task co
Review the smsbkup.log g located in <C

ConfigMgrInstaallationFolder>>\Logs, or in yyour backup
destination folder, for anyy warnings and errors. When
n the site backkup completess successfully, yyou will
see the message Backup completed with w a timestam mp, and STAT MSG: ID=503 35.
Review the timestamp on n the files in th he Backup Site Server

he backup desttination folderr created by th
maintenancce task. Verify that the timesstamp is the saame as the lastt scheduled Baackup Site Servver
maintenancce task run tim
me.
Navigate too the Component Status nod de in the Moniitoring worksp

pace, and thenn review the staatus
messages fo BACKUP. If the backup has sttarted, you willl see the messsage ID 5055. When
or SMS_SITE_B
the site bacckup complete
es successfully, message ID 5
5035 appears, indicating thaat the site backkup
completed without any errors.
e
Configure the
t Backup Site Server mainttenance task t o create an aleert when a bacckup fails. You
u can
check the Alerts
A node in the Monitoring workspace ffor these backuup failure alertts.
Review the Event Viewer logs for accouunt and accesss violations. Ensure that the sservice accoun nt for
SMS_SITE_B BACKUP can acccess any remo ote locations tthat are speciffied in the SMSS Backup control file
and that the service account has the ap
ppropriate privvileges to perfo orm the tasks in the Configu
uration
Manager Backup control file in the [Tassks] section. Byy default, the SSMS_SITE_BACCKUP runs und der the
local system
m account.
Archiving multiple backup snapshots

Every time the Backup Site Server maintenance task runs, it creates a backup snapshot, and overwrites the
previous snapshot, if one exists. Only one backup snapshot-----the most recent one-----is in the backup
destination folder at any one time. As a mitigation measure, we recommend that you archive multiple
versions of the backup snapshot, so that you can use a previous version if the most recent version
becomes corrupted.
Question: What tasks can you perform to verify that the backup was successful?
Site Recove
ery
Yoou must recovver a System Ce enter 2012 Coonfiguration M Manager site wh henever the site fails or dataa
lo
oss occurs in th nning the Systtem Center 2012
he site databasse. You can initiate the site r ecovery by run
M Setup with the Setup /script
p Wizard or byy using an una ttended installation script w
co
ommand. Yourr recovery options depend on o whether yo u have a back up of the System Center 201 12
M site and the site database.
To
o start the site
e recovery proccess, perform the
t following ssteps:
1.. Start the Microsoft

M Syste
em Center 20012 Configuraation Manageer Setup Wiza
ard by running
g
<Configura ation Manage er 2012 Insta
allation Sourcee Path>\SMS
SSETUP\BIN\XX64\setup.exee.
2.. On the Beffore You Begin page, click Next.

N
3.. On the Gettting Started page, select Recover a site,, and then clickk Next.
When
W performing the site reccovery in Syste
em Center 201 2 Configuratioon Manager, yyou must recovver the
sitte server and the
t site databa ase. If you wan
nt just to perfo
orm site mainteenance or a sitte reset, start tthe
se
etup from the installation pa ath.
Site server re
ecovery opttions
Yo
ou have the fo
ollowing recovery options for the failed sit e server:
Recover th he site server using an exissting backup. Use this optio on when you h have a backup of the
Configuratiion Manager site
s server creaated before thee site failure. TThe site is reinsstalled and the
e site
settings con
nfigured as theey were when the site was b
backed up.
Reinstall this site server. Use this option when you do not have a backup of the site server. The site
server is reinstalled, and you must specify the site settings. You must use the same site name, site
code and configurations as the failed site, to be able to successfully recover the site.
Note When Setup detects an existing System Center 2012 Configuration Manager site on
the server, the recovery options for the site server are disabled, and the existing
Configuration Manager site files and registry keys are used.
Site database recovery options

At various steps during the Site Recovery Wizard, you can choose from the following recovery options for
the site database:
Recover the site database using the backup set at the following location. Use this option when
you have a backup of the Configuration Manager site database created before the site database
failure. When you have a hierarchy, the changes made to the site database after the last site database
backup are retrieved from other sites through replication. When you recover the site database for a
stand-alone primary site, you lose any changes made to the site since the last backup.
Note If you select to restore the site database by using a backup set but the site database
already exists, the recovery will fail. You must manually delete the existing database files
before attempting recovery.
Create a new database for this site. Use this option when you do not have a backup of the
Configuration Manager site database. When you have a hierarchy, a new site database is created and
data is recovered by using replication from other sites in the hierarchy. This recovery option is not
available when you are recovering a stand-alone primary site or a central administration site with no
primary sites.
Use a site database that has been manually recovered. Use this option when you recover the
Configuration Manager site database by using a method other than the Backup Site Server
maintenance task. When you have a hierarchy, a new site database is created and data is recovered
by using replication from other sites in the hierarchy. When you recover the site database for a stand-
alone primary site, you lose any changes made to the site since the last backup.
Skip database recovery. Use this option when the site failure did not cause data loss in the
Configuration Manager site database, and you recover only the site server.
Post-Recovery Tasks
There are several post-recovery tasks that you may need to perform to complete the site recovery process:
Re-enter user account passwords. You must re-enter user account passwords for the user accounts
specified for the site, because all passwords are reset during the site recovery. The accounts for which
you must reset passwords are listed on the Finished page of the Setup Wizard after site recovery
completes and are saved on the recovered site server in the C:\ConfigMgrPostRecoveryActions.html
file.
Reinstall hotfixes on the recovered site server. You must reinstall any hotfixes that were applied to the
site server. A list of any previously-installed hotfixes is located on the Finished page of the Setup
Wizard after the site recovery completes, and is saved to C:\ConfigMgrPostRecoveryActions.html on
the recovered site server.
Recover custom reports. You must re-import any custom reports you have created on Reporting
Services.
Recover content files. You must restore the content library and package source files to their original
locations. The site database contains information about the content files storage locations on the site
server, but the content files are not backed up or restored as part of the backup and recovery process.
You can restore these files from a file system backup of the site server.
Question: How do you recover a stand-alone primary site when the database becomes
corrupted?
C Managger
De
emonstration: Recov
vering a Primary Sitee
In th
s how to run n the System CCenter 2012 Co onfiguration MManager Setup
p
Wizzard, and see th
he Setup Wizaard options ava
ailable during the site recov ery process.
Dem
monstration
n Steps
Perrform a site server and site

s database
e recovery
1. Run E:\ConfigMgr2012\SMMSSETUP\BIN
N\X64\setup..exe. The Syste 012 Configura
em Center 20 ation
Manager Settup Wizard starts.
Note To perform site reccovery, you ne eed to start thee setup prograam from the innstallation
media. If youu want to perfform only a site reset, you neeed to start the setup from tthe
installation path.
p
2. In the Microssoft System Center

C 2012 Configuration
C Manager Settup Wizard usse the followin
ng
settings to restore the site:
On the Getting
G Starte
ed page, at Ava
ailable Setup Options, clickk Recover a siite.
On the Site Server and

d Database Recovery Optio ons page, click Recover the e site databasse
using the backup set at the follow
wing location, and then browwse to the fold
der where the
backup iss stored.
On the Site Recovery Information page, verify th

hat the option Recover prim
mary site is
selected.
On the Product
P Key page select Insttall this prod uct as an evaluation.
On the Microsoft Software License Terms page, select the I accept the license terms check
box.
On the Prerequisite Licenses page, accept all prerequisite components.
On the Prerequisite Downloads page, select Use previously downloaded files. In the path
box, type E:\ConfigMgr2012\Redist.
In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite
validation to finish.
On the Site and Installation Settings page, click Next.

On the Database Information page, click Next.
to join the program at this time, and then click Next.
On the Prerequisite Check page, click Cancel. For a real system recovery you would click Begin
Install, but for this demonstration you cancel the wizard.
C Managger
Lesson 3
Monito
oring Configur
C ration Manage
M er 2012 Site Sysstems
Connfiguration Maanager 2012 in ncludes monito oring and alertting features that you can usse to detect annd
trou
ubleshoot criticcal conditions related to the
e site systems aand clients. Yo
ou can configure the status ssystem
to determine
d the overall health of your Config guration Manaager environm ment based on status messag ges.
For further monitooring capabilitties, you can im

mplement Systtem Center 20 012 Operationss Manager, wh hich
provvides proactive
e server and applications mo onitoring and alerting. You ccan use the infformation provided
by these
t features to detect and resolve critica
al issues.

Describe the new features included in the

e Configuratio
on Manager co
onsole for mon
nitoring the
database replication.
Configure ale
erts.
Configure the
e status system
m and status su
ummarizers.
Describe the features of Sysstem Center 2012 Operation
ns Manager that you can use
e to monitor
Configuration
n Manager 201 12 site systemss.
Monitoring
M g Configurration Man
nager Dataabase Replication
Yo
ou can use the e monitoring features included in the Conffiguration Ma nager console
e to monitor daatabase
eplication in a multiple-site Configuration
re C Manager enviironment.
Yo
ou can monito or replication in the Configuration Manageer console, in tthe Monitoringg workspace, u under
th
he Database Reeplication nodde. Here you find the replicattion links, and you can view the status of tthe
eplication and of the associated componen
re nts for each sitte server.
Fo
or each replica
ation link you can ollowing infor mation:
c view the fo
Summary. Shows
S the ove
erall site replica
ation status an
nd information
n about global data and site data
replication status.
Parent Site.. Shows the sta

atus of the com
mponents invo
olved in database replication
n at the parentt site.
Child Site. Shows

S the stattus of the components involvved in databasse replication at the child sitte.
ou can use the Hierarchy Diagram to view the overall rep

Additionally, yo plication statuss throughout tthe site
hiierarchy. You can
c view the Hierarchy
H Diagram in the Con nfiguration Maanager console in the Monittoring
workspace
w undeer the Site Hierarchy node. Here
H you see a graphical diaagram containiing all the sites and all
th
he replication links
l in your hierarchy. Pointting the mousee over the rep plication link caauses a messagge to
ap
ppear, which shows
s the statuus of the repliccation link.
C Managger
Co
onfiguring Alerts
Con
nfiguration Ma
anager 2012 in
ncludes an alerrting system th
hat generates aalerts in the Co
onfiguration
Man
nager console when specific conditions aree encounteredd.
Alerrts can be conffigured for:
The site datab

base. Generate
es an alert whe
en the free dissk space on thee site database
e server is low..
The managem
ment point. Ge
enerates an ale
ert when the m
management p
point is not healthy.
Replication. Generates
G an alert
a n for more time than the inte
if replicatiion link conne ctivity is down erval
in the specificcations.
Alerrts are generatted every 30 minutes

m ditions includeed in the alert rrules evaluate to true. You can
if cond
view
w all configure
ed alert rules in
n the Configurration Manageer console in th he Monitoring workspace un nder
the Alerts node.
You
u can create ale
ert subscriptions only for Endpoint Protecttion so that yo
ou can receive alert informattion
by email.
e You must specify:
1. The subscripttion name.
2. The e-mail ad
ddresses.
3. The alert rule

es for which yo
ou want to rece
eive e-mail meessages.
Configuring
C g the Statu
us System
M 2012 generates status messages aabout actions performed byy various
M compponents, and about
a site systeems and clientt status. All Co
co
omponents ge enerate status messages.
Sttatus messages are stored in n the Configuraation Managerr database and d can be vieweed individuallyy using
th
he Configurattion Manager Status Messa age Viewer. Sttatus messagees also are agggregated usingg
ummarizers to determine the
su e health of the omponents and
e Configuratio n Manager sit e system or co
ob ation deployment. There aree four types of summarizers:
btain statistics about applica
Application
n Deployment Summarizer. Summarizes
S th
he status messaages related to
o application
deploymen nts.
Applicationn Statistics Sum mation about tthe installed deployment pro
mmarizer. Summarizes inform ocess to
create statistics.
Component Status Summ marizer. Summarizes the stat us messages rrelated to Conffiguration Man
nager
componentts to determine their health.
Site System
m Status Summ marizer. Summa arizes the statu
us messages reelated to Conffiguration Man
nager
site systemss to determine
e their health.
To
o configure the status summ
marizers, perforrm the followi ng steps:
1.. nager console, click the Adm

In the Conffiguration Man ministration w
workspace.
2.. gation pane, expand Site Co

In the navig onfiguration, click Sites, an d then in the rresults pane, select
the site.
3.. On the ribb

bon, in the Setttings group, click
c Status Su
ummarizers.
4.. In the Statu ers dialog boxx, select the su mmarizer you want to configure, and then
us Summarize n click
Edit.
You can view the aggregated health information for site systems and components that are calculated by
summarizers in the Configuration Manager console, in the Monitoring workspace, under the System
Status node. Here you can find the aggregated health status under the Site Status and Component Status
nodes.
You can configure status filter rules to detect critical conditions based on specific status messages, and
perform automated actions based on the conditions detected. The built-in status filter rules create events
in the Windows event logs when specific status messages are detected. You also can create custom status
filter rules to control how status messages are processed.
To configure the status filter rules perform the following steps:
1. In the Configuration Manager console, click the Administration workspace.
2. In the navigation pane, expand Site Configuration, click Sites, and then in the results pane, select
the site.
3. On the ribbon, in the Settings group, click Status Filter Rules.
4. In the Status Filter Rules dialog box, select the rule you want to configure, and then click Edit. You
can also create new status filter rules in this dialog box.
Status reporting
By configuring status reporting, you can modify how the server and client components report status
messages to the Configuration Manager status system, and configure the location where status messages
are sent. By default all status messages for All Milestones are sent without details to Configuration
Manager, and the information is not written to event logs.
To configure the status reporting perform the following steps:
2. In the navigation pane expand Site Configuration, click Sites, and then in the results pane, select the
site.
3. On the ribbon, in the Settings group, click Configure Site Components, and then click Status
Reporting.
4. In the Status Reporting Component Properties dialog box, select the level of details for Server
component status reporting and for Client component status reporting.
Note The default reporting settings are appropriate for most environments and should be
changed with caution. When you increase the level of status reporting by choosing to
report all status details you can increase the amount of status messages processed, which
increases the processing load on the site server and on the site database.
Monitoring
M g by Using
g System Center
C 2012 Operatio
ons Manag
ger
Syystem Center 2012

2 Operatio
ons Manager provides
p proacttive server and
d applications monitoring th hat you
caan use to identtify the condittions for poten
ntial issues befo
ore they affectt your environ
nment. It also p
provides
trroubleshootingg information that is specificc for the detectted issue that can help you resolve issues faster.
Syystem Center 2012

2 ons Manager uses agents ins talled on the m
Operatio monitored servvers to evaluatte the
heealth of appliccations and serrvices, and to monitor
m perforrmance. The ru g which components
ules describing
arre monitored are
a included in n management packs.
Th
2 Managem ment Pack for Operations M anager helps aadministratorss
manage
m and addminister Configuration Man nager 2012 serrvers, computeers, databases, services, diskss,
pplications, or any other kind
ap d of object tha
at requires mo
onitoring.
Th t Management Pack delivers improved capabilities fo r Configuratio

his release of this on Manager 20
012
monitoring,
m including the following:
Monitoring
g the availabilitty status of all server roles.
Monitoring
g the health sta
atus of key serrvices.
Monitoring
g SQL replicatio
on health statu
us.
Monitoring
g general CPU, Memory, and
d Disk system rresource usagee.
Providing a topology diagram of the Configuration M
Manager 2012
2 site hierarchyy.
Monitoring
g the performa
ance trends of some Configu
uration Manag
ger performancce counters.
Byy using System

m Center 2012 Operations Manager,
M you ccan monitor ph
hysical hardwaare, the operatting
syystem compon nents, and coree network servvices, such as D DNS, DHCP and AD DS. Additional management
pa able in the ma nagement pacck catalog on tthe Microsoft website.
acks for monittoring applicattions are availa
C Managger
Lab: Maintain
M ning and
d Monittoring SSystem Center 2012
Config
guration
n Managger
Lab
b Setup
m enviro
ust
com

c click
k Start, point to
nd then click H
Hyper-V Manager.
M click C-DC1-C, and then in the Acctions pane, click Start.
k 10748A-NYC

User nam
me: Administra
ator
Password
d: Pa$$w0rd
Domain: Contoso
5. Repeat steps two through four
f for 10748
8A-NYC-CAS- C and 10748A
A-NYC-CFG-C
C.
Lab
b Scenario
You
u are the netwo
ork administraator for Contosso, Ltd. Contosso has deployeed System Cen nter 2012
Connfiguration Ma
anager in a com
mplex hierarchhy with a centrral administrattion site, two p
primary sites and a
seco
ondary site.
You need to configure the Backup Site Server task, recover the site from a backup, and use monitoring
features to evaluate the health of your Configuration Manager environment by:
1. Configuring the Site Backup Task.
2. Recovering the Site from a Backup.
3. Monitoring Configuration Manager.

Exercise 1: Configuring the Site Backup Task

Scenario
You need to configure the Backup Site Server task, trigger the backup, and then verify that the backup
completed successfully.
1. Configure the Backup Site Server task.
2. Trigger the backup of the site and verify its completion.
X Task 1: Configure the Site Backup task

Configuration, and then select Sites.
3. Select NYC --- New York Primary Site, and on the ribbon, click Settings, and then click Site
Maintenance.
4. In the Site Maintenance dialog box, edit the Backup Site Server task.
5. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then
click Set Paths.
6. In the Set Backup Paths dialog box, verify that the option Local drive on site server for site data
and database is selected, and then browse to select a folder.
Note In practice, you should use either Network path (UNC name) for site data and
database to save backup on a network share, or you should use Local drives on site
server and SQL Server if the database is installed on a separate server.
7. Create a new folder called Backup in the Local Disk (C:) drive, and then click Select Folder.
8. In the Set Backup Paths dialog box, verify that C:\Backup appears in the box, and then click OK.
9. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start 3
minutes from now, and then click OK.
10. In the Site Maintenance dialog box, verify that the Backup Site Server task is enabled.
X Task 2: Trigger the backup of the site and verify its completion
1. From Administrative Tools, start the Services console.
2. In the Services console, start the SMS_SITE_BACKUP service.
4. If the backup is performed successfully, in the smsbkup.log file, the text Backup completed appears,
and then, on the next line, the text STATMSG: ID=5035 appears.
5. Navigate to the C:\Backup\NYCBackup\SiteDBServer folder, and then verify that it contains the
database files.
6. Navigate to the C:\Backup\NYCBackup\SiteServer\SMSServer folder, double-click on the

SMSServer folder to open it, and then note that it contains the data, inboxes, Logs and srvacct
folders.
7. In the Configuration Manager console, in the Monitoring workspace, expand System Status, and
then select the Component Status node.
8. Select the SMS_SITE_BACKUP component, and, on the ribbon, click Show Messages and click All.
9. Accept the default of 1 day ago.
10. In the Configuration Manager Status Message Viewer, search for a message with a Message ID of
5035.
Note When site backup completes successfully, message ID 5035 appears, which indicates
that the site backup completed without any errors.
11. Close the Configuration Manager Status Message Viewer.
Results: At the end of this exercise, you should have performed a backup for the Configuration Manager
site.
Exercise 2: Recovering the Site from a Backup

Scenario
You need to use the Site Recovery Wizard to recover the site from a backup.
The main task for this exercise is to use the Site Recovery Wizard to recover the site from backup.
X Task: Use the Site Recovery wizard to recover the site from backup
1. On NYC-CFG, run E:\ConfigMgr2012\SMSSETUP\BIN\X64\setup.exe. The System Center 2012
Configuration Manager Setup Wizard starts.
2. In the Microsoft System Center 2012 Configuration Manager Setup Wizard use the following
settings to restore the site:
On the Getting Started page at Available Setup Options, click Recover a site.
On the Site Server and Database Recovery Options page, click Recover the site database
using the backup set at the following location, and then browse to select the
C:\Backup\NYCBackup folder where the backup you performed in the previous exercise is
located.
On the Site Recovery Information page, verify that the option Recover primary site is
selected.
On the Product Key page select Install this product as an evaluation, and then click Next.
On the Microsoft Software License Terms page, click the I accept these license terms check
box, and then click Next.
On the Prerequisite Licenses page, accept all prerequisite components.
specify E:\ConfigMgr2012\Redist as the location.
On the Site and Installation Settings page, click Next.

to join the program at this time, and then click Next.
Complete the wizard using the default options. At the Prerequisite Check step, click Cancel, and
then click Yes. It takes time to restore the site, and so for this lab, you cancel the restoration
process.
Results: At the end of this exercise, you should have recovered the Configuration Manager 2012 primary
site
Exercise 3: Monitoring Configuration Manager

Scenario
You need to configure the status summarizers and use the monitoring tools included in the Configuration
Manager console to monitor the site replication.
1. Configure the status summarizers.
2. Monitor replication.
X Task 1: Configure the status summarizers

1. On NYC-CAS, start the Configuration Manager Console.
Configuration, click Sites, and then click the site CAS --- Contoso Central Administration Site.
3. On the ribbon, in the Settings group, click Status Summarizers.
4. In the Status Summarizers dialog box, edit the Component Status Summarizer:
On the General tab of the Component Status Summarizer Properties dialog box, verify that
Enable status summarization is selected.
On the Thresholds tab, in the Message type box, click Error status Messages, and then in the
Thresholds list, double-click the SMS_SITE_BACKUP component.
In the Status Threshold Properties dialog box, review the warning and the critical thresholds to
the following values, and then close the dialog box.
Warning (messages): 100

Critical (messages): 500
Close the Component Status Summarizer Properties dialog box.
5. In the Status Summarizers dialog box, edit the Site System Status Summarizer:
On the General tab of the Site System Status Summarizer Properties dialog box, verify that
Enable status summarization is selected. For primary sites, you also can configure the
replication and schedule in this dialog box.
On the Thresholds tab, review the values for the Default thresholds.
Click any object from the Specific thresholds list, and then click the Properties button. Review
the storage objects warning and critical thresholds, and then close the dialog box.
Close the Site System Status Summarizer Properties dialog box.
6. Close the Status Summarizers dialog box.
X Task 2: Monitor replication

1. In the Configuration Manager console, in the Monitoring workspace, click Site Hierarchy to open
the Hierarchy Diagram view.
2. Briefly rest the mouse pointer over the line between the CAS and NYC sites to view the status of
global and site data replication for these sites.
3. In the navigation pane, click Database Replication, and then in the results pane, click the CAS to
NYC replication link.
4. In the preview pane, review the information found at the Summary, Parent Site, and Child Site tabs
about the replication status, site configuration and SQL Server details for the parent and child sites.
Results: At the end of this exercise, you should have used the In-Console Monitoring features.

following steps:

Modu
ule Reviiew and
d Takeaw
ways
Review
R Quesstions
1.. What do yo
ou use the Afte
erBackup.Bat file
f for?
2.. What factors determine how

h frequentlyy you should p
perform a backkup?
3.. Under whatt circumstance

es should you perform unsch
heduled backu
ups?
4.. ou minimize data loss when backups are n

How can yo not performed?
8-1
Module 8
Migrating from System Center Configuration Manager 2007
to System Center 2012 Configuration Manager
Contents:
Lesson 1: Overview of the Migration Process 8-3
Lesson 2: Preparing Configuration Manager 2007 Sites for Migration 8-11

Lesson 3: Configuring Migration Settings 8-18
Lesson 4: Migrating Objects 8-27
Lab: Migrating from System Center Configuration Manager 2007 to

System Center 2012 Configuration Manager 8-37
8-2 Migrating from System Center Configuration Manager 2007 to System Center
C 2012 Configuuration Manager
Module Overrview
Microsoft Systemm Center 2012 Configuration n Manager pro ovides a rich feeature set thatt you can use tto
miggrate objects frrom System Ceenter Configurration Manageer 2007 to Con nfiguration Maanager 2012, aand to
restructure your site hierarchy during
d migratioon.
Differences in the e site architectu

ure between Configuration
C MManager 2007 7 and Configurration
Man nager 2012 ma ay require youu to perform site consolidatio on when perfo orming migrattion. Using thee
built-in migration n functionality, you can selecct to migrate oobjects from an ny source site in the
Con nfiguration Ma anager 2007 hiierarchy to the e central admin nistration site in the Configu
uration Manag ger
2012 hierarchy. Frrom the centra al administratio
on site, the miigrated objects are replicateed as global daata to
all sites
s in the hierrarchy.
ng the Migration Job wizard, you can migrrate different ttypes of objects such as collections,
Usin
advertisements, so
oftware packages, software updates,
u Assett Intelligence ccustomizationss, operating syystem
dep
ployment objeccts, Desired Co
onfiguration Management
M o
objects, and software meterin ng rules.
Afte
y will be able to:
Describe the migration process from Con o Configuration Manager 20

nfiguration Maanager 2007 to 012.
Prepare Conffiguration Man

nager 2007 site
es for migratio
on.
Configure migration setting

gs.
Migrate objeccts.
Lesson
n1
Overv
view of the Mig
gration Processs
Th
he migration process
p from Configuration
C Manager
M 20077 to Configuration Manager 2012 includess
co
onfiguring thee source hierarcchy, configurin
ng additional ssource sites, co
onfiguring shaared distributio
on
po
oints, migratin
ng collections, migrating objects by type, mmonitoring thee migration prrocess, and mig grating
M clientts. When the migration
m proccess is completted, you perform the cleanup of
migration
m data by removing thet configuration of the sou rce hierarchy.
In ou will review the migration process, revieew the types of objects that can be migratted,
n this lesson, yo
grating collecttions, and anallyze consolidation requirements when mig
diiscuss the restrrictions for mig grating
primary sites.
After completin
ng this lesson, you
y will be able to:
he migration process.
Describe th
he types of objects that can be

Describe th b migrated.
Describe th
he restrictions imposed
i on co
ollections.
Describe th
he need for con
nsolidating priimary sites.
Ov
verview of the Migra
ation Proce
ess
Whe en migrating a Configuration Manager 20 007 hierarchy tto a Configuraation Manager 2012 hierarch hy,
you always perforrm a side-by-side migration. You install a ffully-functionaal Configuratio on Manager 20 012
hierrarchy in the sa
ame network environment
e as
a the Configu ration Manageer 2007 hierarchy, select and d
miggrate objects inn batches, and migrate clientts last. By usin g this approacch, you minimize the risks
ociated with a migration com
asso mpared to the risks you mayy encounter wh hen performinng an in-place
upggrade. Addition 12 installation fails, you can easily discard the new installation and revvert
nally, if the 201
back to the previo ous source hierarchy.
By performing
p a side-by-side
s migration,
m you also
a have the o opportunity to o consolidate ssites since the
Connfiguration Ma anager 2012 hiierarchy can have a maximu m of three sitee levels made up of the centtral
admministration site e, one level off primary sites below that, an nd a level of seecondary sites below the primary
sitess. If you have primary
p sites that are child sites of primaryy sites in the C
Configuration MManager 2007 7
hierrarchy, you nee ed to restructuure your hierarrchy when mig grating to Con nfiguration Maanager 2012,
because primary sites
s cannot be e the child site
es of other prim
mary sites in CConfiguration MManager 2012 2 as
theyy could be in previous
p versio
ons.
Seco ondary sites ca

annot be migrrated in-place. If you want to
o reuse the sam
me server harddware, you mu ust
firstt uninstall seco
ondary sites fro
om Configurattion Manager 22007 before innstalling them in Configuration
Man nager 2012. Yo ou can also convert seconda Configuration Manager 2007
ary sites from C 7 to distributio
on
poin nts in Configurration Manage er 2012.
You
u can upgrade clients by usin ng any of the client
c installati on methods in
ncluding Client Push, Group
Policy installation, logon script, or manual installation. Wheen upgraded, tthe Configurattion Manager cclients
maintain the execcution history for
f advertisemments.
The typical migration process has the following steps:
1. Configure the source hierarchy. In the first step of the migration process, you configure the source
hierarchy by specifying the top-level site in the Configuration Manager 2007 implementation. This
site also becomes a source site for migrating Configuration Manager objects.
2. Configure additional source sites. You can specify additional source sites that contain objects you
want to migrate. You can only configure source sites that are below the top-level site that you
configured in the previous step.
3. Configure distribution point sharing. In this optional step, you configure a Configuration Manager
2007 distribution point so that it is visible to Configuration Manager 2012 clients after migration. You
use this approach to make packages available to Configuration Manager 2012 clients without
distributing the content to the Configuration Manager 2012 distribution points.
4. Migrate collections and associated objects. You create a migration job to migrate collections and
associated objects such as advertisements or packages.
5. Migrate objects by type. You select the types of objects to migrate, including boundaries, Asset
Intelligence customizations, software updates, operating system deployment objects, Desired
Configuration Management baselines and configuration items, and software metering rules.
6. Migrate Configuration Manager clients. You can use any of the client installation methods to upgrade
the client in place to the Configuration Manager 2012 version. This process maintains the client
execution history.
7. Convert secondary sites to distribution points. In this optional step, you can convert Configuration
Manager 2007 secondary sites to Configuration Manager 2012 distribution points. The Upgrade
Shared Distribution Point wizard uninstalls the secondary site and then configures the server as a
distribution point in Configuration Manager 2012 while maintaining the content on the distribution
point.
After migration, you should:
1. Remove distribution point sharing. When all Configuration Manager clients are migrated to the
Configuration Manager 2012 version, you can remove the distribution point sharing.
2. Remove the source hierarchy configuration and decommission the old hierarchy. The last step in the
migration process, after you ensure that all the necessary objects have been migrated, is to remove
the source hierarchy configuration and then decommission the Configuration Manager 2007
hierarchy.
Note Site codes cannot be reused. You need to provide unique site codes across
Configuration Manager 2007 and Configuration Manager 2012 hierarchies.
Question: How do you begin the migration process from Configuration Manager 2007 to
Configuration Manager 2012?
Typ
pes of Objjects You Can
C Migra
ate
The majority of obbject types are

e supported fo
or migration fro
om Configura tion Manager 2007 to
Con
nfiguration Ma Y can select which objects you want to m
anager 2012. You migrate when you create a
gration job. You can migrate the types of objects
mig o listed in
n the following
g table.
Ob
bject Wh
hat is migrated
d
Collections You can migrate query-based or direct mem mbership collecctions with thee
following restricttions:
Mixed collecctions (which ccontain both u users and devicces) cannot bee
migrated.
Collections that
t have the m
membership liimited to anotther collections are
migrated as individual col lections with aadditional inclu
usion rules.
Advertisementss You can migrate existing adve rtisements forr packages, sofftware updatess, or
Tassk Sequences so
s that the Co
onfiguration MManager 2012 cclients receive them.
Bo
oundaries You can migrate the existing b
boundaries to C
You need to assign the boundaaries to bound o use them for client
dary groups to
asssignment or co
ontent lookup..
So
oftware distrib
bution You can migrate software distrribution packaages. We recom
mmended thatt you
pa
ackages nfigure the package source using a Univerrsal Naming C
con Convention (UN
NC)
patth to minimize
e the need for reconfiguring
g the package source after
migration.
Virtual application You can migrate the virtual appplication packkages to Config guration Manaager
ackages
pa ns. Any existing
2012 application g advertisemen nts of virtual aapplication
pacckages are nott migrated.
(continued)
Object What is migrated
Software updates To migrate software updates related objects, first you need to configure a
software update point in Configuration Manager 2012 and then synchronize
software-update metadata with the same sync source as the source hierarchy
uses. After you do this, you can migrate the following types of objects:
Deployments
Deployment packages
Templates
Software update lists
Asset Intelligence You can migrate any customizations you made to the Asset Intelligence
customizations catalog, including custom categories, software families, labels, hardware
requirements, and software lists.
Operating System You can migrate the following types of objects used in operating system
Deployment deployment:
Boot images
Driver packages
Drivers
Images
Packages
Task sequences
Desired Configuration You can migrate configuration baselines and configuration items you have
Management previously created in Configuration Manager 2007.
Software metering rules You can migrate software metering rules but not the metering history.
The following types of objects cannot be migrated:
Queries
Security rights and instances for the site and objects
Configuration Manager 2007 web reports or SQL Server Reporting Services reports
Client inventory and history data (from the site database); however clients maintain execution history
AMT client provisioning information
Files in the client cache

Co
ollection Re
estrictionss
Whe en you migrate collections that are linked to other colleections or that have sub-colle ections,
Connfiguration Ma anager 2012 crreates a folder under the Useer Collections or Device Colllections node in
adddition to the lin
nked collection
ns and sub-colllections. Colleections that contain a referen
nce to a collecction
of a different resoource type cannot be migrated.
In Configuration
C Manager
M 20077, empty collecctions (collectio
ons that have no associated resources) are e used
to organize
o other collections. When
W migrating g an empty co ollection, it is cconverted to an organization
nal
fold
der that contains no users or devices.
Because mixed co ollections that contain both users

u and deviices are not su
upported in Coonfiguration
Mannager 2012, yo ou cannot migrate them. To migrate mixed d collections, yyou must create individual
colle
ections that co
ontain only use ers or only devvices.
Emp nager 2007 for organizing otther

pty collections with no rules were typicallyy used in Confiiguration Man
colle
ections. In Con
nfiguration Maanager 2012, empty
e collectio
ons are migratted as folders.
The collections ne
eed to be indeependent of on
ne another in C
Configuration Manager 2012 to avoid circcular
refe
erences becausse collections are a all primary sites in the hieerarchy.
a evaluated at
For example, if yoou have a colle

ection called New
N York that ccontains all clients from New
w York, with tw
wo
sub-collections caalled Servers an
nd Desktops, and
a you migraate all of them to Configurattion Manager 2 2012,
the result are thre
ee independen nt collections.
Additional inclusion rules are added to the Servers and Desktops collection to ensure that they have the
same membership after migration. If the top-level collection does not have any membership rules and has
no advertisements targeted to it, the New York collection will be migrated to a folder in Configuration
Manager 2012, and the sub-collections Servers and Desktops will be migrated as collections with
additional inclusion rules in the New York folder.
Question: You have a collection in Configuration Manager 2007 that contains both users
and devices. What do you need to do to migrate the collection to Configuration Manager
2012?
8-10 Migratingg from System Centeer Configuration Mannager 2007 to System
m Center 2012 Configguration Manager
Co
onsolidatio
on Require
ements forr Primary SSites
In Configuration
C Manager
M 20122, a primary site cannot be th he child of anoother primary site; it can only be
a ch
hild of a centraal administratio on site. Similarrly, the only tyype of site thatt a secondary ssite can have aas a
pare e to these restrictions, the hiierarchy modeel in Configuraation Manager 2012
ent site is a priimary site. Due
can have a maxim mum of three le evels:
nistration site. Situated at th

Central admin he top-level of the hierarchy,, the central ad
dministration ssite
maintains the
e configurationn for the entire
e hierarchy.
Primary sites. Primary sites are used to manage clients.
Secondary sittes. Secondary sites are used to manage cl ient communiication traffic o
on slow wide aarea
network (WAN) links.
A Configuration Manager
M 2007 hierarchy can have more th han three levels. Additionallyy, primary sitess are
allowed to have another
a primarry site as a parent. When you u migrate to C
Configuration M Manager 2012 2, any
prim
mary sites that are a child of another primaary site need t o be consolidaated.
Clients assigned to central primary sites in Co
onfiguration M Manager 2007 ccannot be assigned to the ce
entral
admministration site ation Manager 2012 becausee the central administration site cannot haave
e in Configura
assigned clients. The
T clients assiigned to the ceentral site in C
Configuration M
Manager 20077 need to be
reasssigned to anoother primary site
s in the Con nfiguration Ma nager 2012 hiierarchy.
Secoondary sites caannot be migrrated directly to

t Configuratioon Manager 20 012. For any e
existing second
dary
sitess in the Config
guration Mana
ager 2007 hiera archy you nee d to perform o
one of the following actionss:
Uninstall the sites, and then

n reinstall them
m as new secon Configuration Manager 201
ndary sites in C 12.
Convert the sites

s to distribu
ution points in the new Conffiguration Man
nager 2012 insstallation.
Lesson
n2
Prepa
aring Co
onfigura
ation Manager
M r 2007 SSites for
Migra
ation
To
o migrate obje
ects from Conffiguration Man
nager 2007 to Configurationn Manager 201 12, you need tto
en
nsure that both the source and
a destinationn hierarchies m
meet certain p rerequisites.
In
n this lesson, yo
ou will review the preparatio
on steps you n
need to perform
m on Configurration Manage
er 2007
sittes to ensure successful
s migration of objeccts.
Also, you will re

eview the prere
equisites for co
onfiguring sou
urce sites and rrunning migraation jobs.
After completin
ng this lesson, you
y will be able to:
Describe th
he steps for pre
eparing Config
guration Manaager 2007 sitess for migration
n.
Describe th
he prerequisite
es for migration from Config uration Manag
ger 2007 to Co
onfiguration
Manager 20 012.
Pre
eparing Co
onfiguratio
on Manager 2007 Siites for Miigration
To ensure
e a succe
essful migration, you should review your C Configuration M
Manager 2007 7 hierarchy setttings
and make change es as required. Not all of the changes desc ribed below are required to perform the
gration; however, they help streamline
mig s the migration pro
ocess.
Con
nsider the follo
owing points when
w reviewing
g your Configu ger 2007 hierarchy settings:
uration Manag
All the source

e sites must ha
ave the Configuration Manag ger 2007 SP2 vversion installe
ed. All
Configurationn Manager 200 07 sites in the source hierarcchy need to bee upgraded to Configuration n
Manager 200 07 SP2. Additio
onally, if you in
nstalled Config
guration Manaager 2007 R2 o or R3, you can also
migrate App--V packages.
Migration is an
a opportunityy to restructure e the hierarchyy configuratio
on, because Co onfiguration
Manager 201 12 hierarchy ca an have a maxiimum of threee levels. Becausse primary site es cannot havee
other primaryy sites as child sites in Config
guration Manaager 2012, if yo ou have that cconfiguration in
your current Configuration Manager 2007 hierarchy yo ou must migrate all the obje ects in your
Configurationn Manager 200 07 hierarchy frrom the multipple primary sittes that are in a parent-child
d
relationship to a single prim
mary site in your new Config guration Mana ger 2012 hieraarchy.
Configuration n Manager 201 12 requires Wiindows Server 2008, SQL Seerver 2008, and 64-bit systems.
While it is nott necessary to upgrade the source
s hy to use thes e versions, you
hierarch u need to test them
to ensure theey are supporte ed in your organization enviironment, befoore installing tthe new
Configuration n Manager 201 12 hierarchy.
Consider imp plementing BraanchCache in Configuration

n Manager 200 07 R2 as an altternative to ussing
distribution points.
p You can
n use BranchCa
ache after mig
grating to Con figuration Manager 2012.
Acquiring add ditional serverr hardware to implement

i ur Configurati on Manager 2
you 2012 hierarchyy is a
long process in some organ nizations. You can speed up the migration
n process by ussing server
virtualization technologies, which enables the rapid creeation of new vvirtual servers..
Mixed and sub-collections may require changes to their collection definitions to enable migration to
All software packages should be configured with an UNC path to reduce the need for reconfiguration
after you migrate them.
All site codes need to be unique throughout source and destination hierarchies.
Co
onfiguratio
on Manage
er 2007 Prerequisitees for Migrration
To perform
p migra ation, ensure th
hat Configurattion Manager 2007 sites com
mply with the ffollowing
prerrequisites by:
Updating Con
nfiguration Ma
anager 2007 at all source sittes with Servicee Pack 2.
Configuring the
t following two
t user accou
unts in Configu
uration Manag
ger 2012 with permissions in
n each
source site th
hat you want to
o migrate:
The Sourrce Site SMS Prrovider Accoun

nt. This accoun
nt requires Reaad permission to all source ssite
objects.
The Sourrce Site SQL Seerver Account. This account rrequires Read and Execute p
permissions to the
source sitte database.
Note Use thet computer account for th he Source Site SMS Provider Account and the Source
Site SQL Servver Account ra
ather than a usser account.
Opening the following netwwork protocolss and ports in the firewalls b

between the Co
onfiguration
Manager 20007 site and the Configuration
n Manager 20112 site:
NetBIOS//SMB, 445 (TCP)
RPC (WM
MI), 135 (TCP)
SQL Server, 1433 (TCP))

Configurat
C ion Manag
ger 2012 Prerequisit
P tes for Mig
gration
In
n-place upgrad de of an existin
ng Configuration Manager 22007 infrastruccture to System
m Center 2012 2
M is nott supported. In
nstead, you mu migration by installing
ust perform a side by side m
a Configuration n Manager 201 12 hierarchy on mputers than tthe Configurattion Manager 2007
n different com
sitte installation.
To
o perform miggration, you ne
eed to install and configure yyour Configuration Manage
er 2012 hierarcchy in
th
he same netwoork environment as your exissting Configurration Manageer 2007 implem
mentation prioor to
migration.
m The new hierarchyy can be one off the following
g:
Multiple sitte. Install a cen ation site and then install att least one prim
ntral administra mary site in the
e
hierarchy.
Stand-alone primary site.. Install a single primary site which will be the only primaary site in the
hierarchy.
Be
efore migratin
ng, ensure thatt the following
g Configuration
n Manager 20 12 migration p
prerequisites aare
co
omplete:
Use an acco ount in the Co
onfiguration Manager 2012 h hierarchy that has the Full A
Administrator ssecurity
role so thatt you can creatte objects in any site in the C
Configuration Manager 2012 hierarchy.
Configure a software upd
date point in your
y Configuraation Managerr 2012 hierarchhy, and synchronize
the softwarre update meta
adata using th
he same sourcee as the existin
ng software up
pdate point in your
2 hierarchyy. This enables you to migratte software up
pdates.
Configure at
a least one Co
M 2012 primary site, oor the central aadministration
n site, to
use the sam
me port numbe ers as the original Configuraation Managerr 2007 source ssite. This allow
ws client
requests to be directed and use shared distribution p points from thee Configuratio
on Manager 20 007 site.
Assign Site Delete permisssions to the Source Site Acccess Account o
on the source ssite to automaatically
remove the e distribution points
p from the
e Configuratio
on Manager 20 007 site during
g migration.
Disscussion: Planning
P fo
or Migration
You
u are the admin
nistrator for Co
ontoso Ltd. Coontoso has dep ployed System
m Center Configuration
Man
nager 2007 in a multiple-site he existing envvironment includes the follow
e hierarchy. Th wing sites:
Sitte code Site name

n Type
e Paren
nt Descriiption
CEN Centtral Site Prim

mary Not Centrral site, located
d in New York,, used for repo
orting
applicable purpooses. It has 2,0000 assigned clients.
NYO
N New
w York Prim
mary CEN Primaary site, located in New Yorkk. It has 10,000
0
assign
ned clients.
CHI Chiccago Prim

mary NYO
O Primaary site, located in Chicago. It has 5,000
assign
ned clients.
DEN
D Denvver Seco
ondary CHI Secon ndary site, locaated in Denverr. It has 1,000
clientts which are asssigned to CHI.
CA
AN Cana
ada Prim
mary CEN Primaary site, located in Toronto. It has 500 assig
gned
clientts and is managed from New w York, since th
here
are no o administrativve personnel.
EH
HQ Lond
don Prim
mary CEN Primaary site, located in London w
where Contoso o has
the Eu uropean headquarters. It haas 4,000 assigned
clientts.
PA
AR Pariss Prim
mary LON Primaary site, located in Paris, which is managed
d from
Londoon. It has 1,000 assigned clieents.
LY
YO Lyon
n Seco
ondary PAR Secon
ndary site, locaated in Lyon. Itt has 500 clien
nts
which
h are assigned to PAR.
Contoso uses a variety of server operating system versions for the site servers, including the following:
Windows Server 2003 Service Pack 2, 32-bit
Windows Server 2008, 32 bit
Windows Server 2008 R2
The Configuration Manager 2007 databases are hosted on either SQL Server 2005 or SQL Server 2008.
Contoso also uses multiple versions of service packs for Configuration Manager 2007 including:
Configuration Manager 2007 Service Pack 2 and R3, which are used in all locations in North America
and Canada.
Configuration Manager 2007 Service Pack 1 and R2, which are used in all locations in Europe.
Contoso wants to take advantage of the new hierarchy model from Configuration Manager 2012 and
consolidate the existing environment by installing site servers in the two datacenters located in New York
and London. For other locations, they want to use either secondary sites or distribution points.
You need to plan for migration to Configuration Manager 2012. Use the following table to describe your
proposed architecture for the Configuration Manager 2012 hierarchy.
Site
code Location Site type Parent site Managing clients from:
Question: What components of the existing Configuration Manager 2007 hierarchy need to
be upgraded to enable migration?
Lesson 3
Config
guring Migratio
M on Settiings
Youur first step in the

t migration process is to configure
c the ssource hierarch
hy by specifyin
ng the top-levvel site
in your Configuration Manager 2007 hierarch hy.
Afte
er you have co
onfigured the source
s hierarchhy, the migrat ion data gatheering process b begins. It colle
ects
info
ormation about the sites, andd objects withiin those sites, iin the Configu
uration Manag ger 2007 hierarrchy
starting from the top-level site you
y specified. The top-level site also is con nfigured as a ssource site thaat
contains objects to
t be migrated d.
You
u can configuree additional sittes from the Configuration
C M
Manager 2007 7 hierarchy as ssource sites, w
which
mak
kes it possible to migrate obj
bjects from theese sites to Con
nfiguration Maanager 2012.
Afte
ou will be able to:
Describe the process of con

nfiguring a sou
urce hierarchy..
Describe the data gathering

g process.
Describe how
w multiple-source hierarchiess can be used in the migratio
on process.
Describe the process for co

onfiguring distrribution point sharing.
Describe how grated to distri bution points in the Configu

w secondary sittes can be mig uration Manag
ger
2012 hierarch
hy.
Configuring
C g the Sourrce Hierarcchy
Th
he source hierarchy is the se
et of Configura
ation Managerr 2007 sites thaat contain obje
ects you want to
migrate
m to Conffiguration Man nager 2012.
To
o configure the source hiera
archy you mustt input the folllowing information in the Sp
pecify Source
Hierarchy dialog
g box:
The Fully Qualified

Q Doma
ain Name (FQD
DN) of the top
p-level Configu
uration Manag
ger 2007 site se
erver.
The Source Site Account used to conne

ect to the SMSS Provider of th
he source site.
The Source Site Database
e Account used
d to connect to
o the site dataabase of the so
ource site.
When
W you configure a Config guration Manager 2007 site aas the top-leveel site, you cann migrate obje ects
from it and anyy child primary sites. You cann only migrate objects from tthe site that yo ou selected in
adddition to sitess that are belo
ow the source site,
s so it is reccommended to
o select the sitte located at th
he top
off the Configuration Manager 2007 hierarchy, which is caalled a central site.
M 2012 uses these setttings to retrieeve informationn about objectts and distribu
ution
po
oints from the
e source site. During
D the data
a gathering prrocess, child sittes in the Conffiguration
Manager
M 2007 hierarchy are identified,
i which you can theen configure aas source sites for migration..
Yoou can configu ure multiple in

nstances of sou urce hierarchiees, however on nly one source hierarchy cann be
acctive at a given
n time. If you configure
c an additional
a sourrce hierarchy bbefore you commplete migration
from the active source hierarcchy, it cancels any active mig gration jobs an nd postpones any scheduled d
migration
m jobs. The newly-configured sourcce hierarchy beecomes the acctive source hierarchy, and yyou can
co
onfigure conne he current active source hierarchy.
ection credenttials, source sittes, and migrattion jobs for th
8-20 Migrating from System Center Configuration Manager 2007 to System Center 2012 Configuration Manager
To configure a source hierarchy, perform the following steps:
2. In the navigation pane, expand Migration, and then click the Source Hierarchy node.
3. On the ribbon, click Specify Source Hierarchy.
4. In the Specify Source Hierarchy dialog box:
Select New source hierarchy for the active source hierarchy.
Type the name of the top-level Configuration Manager 2007 site server.
Configure the Source Site Account.

Configure the Source Site Database Account.
Demonstra
D ation: Conffiguring th
he Source Hierarchy
In
c the ssource hierarchy.
Demonstrati
D ion Steps
Configure the Source Hierarchy
nsole.

nager console, in the Adminnistration worrkspace, underr the Migratioon node,
select the Source
S Hierarcchy node, and
d then on the rribbon, click Specify Source
e Hierarchy.
3.. In the Speccify Source Hiierarchy dialog box, use thee following setttings to config
gure the sourcce
hierarchy:
In the Top-level
T Con
nfiguration Manager
M 2007
7 site server b
box, type
NYC-C CM7.Contoso..com.
Under Specify the Source Site Acccount to use to access the e SMS Provide er for the sou urce site
server. This account required Re ead permissio ons to all sourrce site objectts, verify that U
User
Account is selected, and use Set to
o configure a new account w wing information:
with the follow
Usser name box, type Contoso

o\Administrattor.
Pa
assword and Confirm
C passw
word boxes, tyype Pa$$w0rd
d.
Usse Verify and Test

T connection to validatee the credentiaals and connecction to source
e site.
Under Specify the Source Site Da atabase Accou QL Server for the
unt to use to access the SQ
sourcee site server. This
T account requires
r Read
d and Executee permissionss to the source site
databa me account as the Source S ite SMS Proviider Account is
ase, verify thatt Use the sam
selecte
ed.
4.. After you have

h configured the source hierarchy,
h the D ng Status process will start. Wait
Data Gatherin
for the data
a collection to complete, and
d then click Cllose.
Migration Da
ata Gatherring
The Migration datta gathering process

p collectss information aabout the source hierarchy cconfiguration and
obje
ects that can be
b migrated froom source site
es.
The migration datta gathering process

p starts after:
a
You specify an active source hierarchy.
You configure
e credentials for an addition
nal source site in an active so
ource hierarchyy.
You share the

e distribution points
p for a source site with Configuration
n Manager 201
12.
The migration datta gathering process
p then re
epeats on a simmple schedule to maintain syynchronization
n with
any changes to da
ata in the sourrce sites. By de
efault, the proccess repeats evvery four hourrs.
You
u can modify th he schedule fo or this cycle byy editing the p roperties of th
he source site iin the Configu
uration
Man nager console.. The initial data-gathering process
p must rreview all objects in the Configuration Manager
2007 database an nd can take mo ore time to finish than subseequent data-gaathering proce esses that iden
ntify
onlyy changes to the data.
To gather
g data, th
he Configuratioon Manager 2012 top-level site connects tto the SMS Pro ovider and to the
he source site and then retrieves a list of o
site database of th objects and disstribution poin
nts.
You
u can use the Gather
G Data Noow action in thhe Configuratiion Manager cconsole to imm mediately startt the
mig
gration data ga ess and to reset the start timee of the next ccycle. Data gatthering runs on the
athering proce
configured schedule until you change
c the acttive source hieerarchy or until you use the SStop Gatheringg
Data action to end
d the data gatthering processs for that site.
You
u can use the Stop
S Gathering t end the dat a gathering prrocess for a so
g Data action to ource site when
n you
no longer want Coonfiguration Manager
M 2012 to identify neew or changed objects from that site.
Configuring
C g Addition
nal Source
e Sites
So
ource sites are
e sites in the acctive source hierarchy that h ave data that you migrate to Configuratio
on
Manager
M 2012.
When
W you configure a source e hierarchy, you must specifyy the top-level site of the hie
erarchy first, w
which is
co he first source site for that so
onfigured as th ource hierarch
hy.
After the initial data is gatherred for the top

p-level site of t he source hierrarchy, any chiild sites of thatt site
arre visible in the
e Configuratio
on Manager co onsole. You mu ust configure tthe child sites as source sitess to
migrate
m objectss from those sites. You must specify creden ntials for each additional sou urce site for
migration.
m
When
W you configure additionnal source sitess, you must co nfigure sourcee sites from the
e top down, and
co
onfigure the bottom-tier site
es last.
Yo
ou do not havve to configuree additional source sites befo migration jobs. However, you
ore creating m u can
on ata from source sites that you have configu
nly migrate da ured, and the migration data-gathering process
must
m have succeessfully gatherred data from these sites.
To
o configure ad
dditional sourcce sites in the active
a source h
hierarchy, perfform the follow
wing steps:

nager console, click the Adm
ministration w
workspace.
2.. gation pane, expand Migrattion, and then

In the navig n click Source Hierarchy.
3.. In the results pane, click the

t site that yo
ou want to con
nfigure as a so
ource site.
4.. On the ribb

bon, in the Sou
urce Site grou
up, click Config
gure Credenttials.
5.. In the Sourrce Site Crede

entials dialog box, for the so
ource site acceess accounts, sp
pecify accountts that
have Read permission to the SMS Provider and to thee SQL Server d database in thee specified site
e, and
then click OK.
O
Co
onfiguring Distribution Point Sharing
S
You
u can share Configuration Manager 2007 distribution
d po
oints with Conffiguration Man nager 2012. Thhis
makkes the conten nt that is distrib
buted to Confiiguration Man nager 2007 dis tribution points immediatelyy
avaiilable to the clients in the Coonfiguration Manager
M 2012 hierarchy. By u using this approach, you cann
ensu
ure that the sa ame content re emains availab
ble for clients i n both hierarcchies and ensuure that you caan
maintain this conttent until you stop gathering g data and com mplete the migration.
Disttribution pointt sharing is a siite-wide settin
ng that, when eenabled, configures all eligib ble distribution
n
poinnts in a Config
guration Manager 2007 prim mary site and a ll its secondaryy sites as share
ed distributionn
poinnts. You cannoot select individdual distributioon points to sh
hare when you u enable distribution point
sharring.
Whe
en planning fo
or distribution point sharing,, consider the following prerrequisites:
Distribution points
p must be
e configured with
w a FQDN to
o be eligible fo
or sharing.
At least one Configuration

C Manager 2012 2 primary site or the central administration site must use
e the
same port numbers for client requests as the Configuraation Managerr 2007 site usees.
Configurationn Manager 201 12 clients can receive contennt location info

ormation for ppackages that are
installed on shared distribution points in the Configuraation Managerr 2007 hierarch hy, including b
branch
distribution points,
p distribution points onn server shares,, and standard
d distribution p
points.
When you share a protecte ed distribution point, Configu

uration Managger 2012 creattes a boundaryy
group that includes the pro
otected network locations off the Configuraation Manager 2007 distribuution
point.
You need to ensure

e that the package version for packaages that you m
migrate is the same in the so
ource
hierarchy andd in Configurattion Manager 2012 so that tthe Configurattion Manager 2012 clients caan
retrieve the content from thhe shared distribution point .
u shared distribution point to host packaages for Microsoft Applicatio

You cannot use on Virtualizatio
on
(App-V). You must migrate and convert the
t App-V pacckages for Con nfiguration Maanager 2012 clients.
Shared distribution points can be upgraded in-place to Configuration Manager 2012 distribution points,
thereby preserving their content. Distribution points can be one of the following:
Stand-alone distribution points, which can be upgraded in place to Configuration Manager 2012
Secondary site servers, which can be converted to stand-alone distribution points in Configuration
Manager 2012
When you no longer have to support clients in your Configuration Manager 2007 environment, you can
upgrade a shared distribution point in your Configuration Manager 2012 hierarchy. When you upgrade
the distribution points in-place, you do not have to re-deploy content to new distribution points.
To upgrade a distribution point, the Configuration Manager 2007 site system server must meet the
following conditions:
The Configuration Manager 2007 site system server must have only the distribution point role
assigned to it. You cannot upgrade a Configuration Manager 2007 distribution point that has any
additional site system roles.
The site system server must have sufficient disk-space for the content to be converted from the
Configuration Manager 2007 content storage format to the single instance store format. This requires
available free space equal to two times the existing data on the distribution point.
The site system server must run an operating system version that is supported as a distribution point
in Configuration Manager 2012.
You can also choose to uninstall the existing distribution points from the Configuration Manager 2007
hierarchy and reuse the same hardware by installing the servers as distribution points in the Configuration
Manager 2012 hierarchy. In this case, you need to redeploy the content to the new distribution points.
Migrating Se
econdary Sites
S to Disstribution Points
You
u can convert secondary
s sitess in Configurattion Manager 2007 to distrib
bution points in Configuration
Mannager 2012. Thhe conversion process is the same as the d distribution pooint upgrade process, with an
n
add
ditional step to
o uninstall the secondary
s site
e.
The upgrade proccess first uninstalls the Configguration Manaager 2007 seco ondary site, an
nd then waits u
until
the next data gathhering cycle before upgradin ng the distribu
ution point in--place to a Connfiguration
Man nager 2012 disstribution poin he default setttings for the data gathering cycle, the waitt time
nt. If you use th
mayy be up to four hours. This sttep ensures that the secondaary site was su uccessfully unin
nstalled before
e the
distribution point upgrade startts.
Whe
en converting a secondary site to a distrib
bution point, co
onsider the following restricctions:
The secondarry site must no

ot have any Co onfiguration M
Manager site syystem roles asssigned to the sserver
except for the
e managemen nt point, to be able to upgrad
de.
Any content that

t is presentt on the distrib
bution point w
will be converteed to a Configu
uration Manag ger
nstance store. Because of this, you must e nsure that avaailable free spaace is equal to two
2012 single-in
times the size
e of existing co
d po
oint.
Before upgrading a second dary site to a distribution poiint, ensure thaat you have uppgraded all exissting
remote distribbution points at
a that site. Affter the second
dary site is uninnstalled during
g the distributtion
point upgrade, the remaining remote distribution poin nts will becomee orphaned an nd will not be
eligible for up
pgrade.
Lesson
n4
Migra
ating Objects
Too migrate objeects from Conffiguration Mannager 2007 sitees to Configurration Manage er 2012, you neeed to
crreate migration jobs. You can use these jobs to migrate collections an d associated oobjects or to m
migrate
obbjects by type. You can also choose to miggrate objects tthat were prevviously migrate
ed if they have
e
ch
hanged after migration
m to Configuration Manager
M 2012 .
In
n this lesson, yo
ou will review the steps requ
uired to createe migration job
bs, review the migrated obje
ects, and
usse the migratioon reports.
After completin
ng this lesson, you
y will be able to:
Create migration jobs.

Describe th t migrate collections.
he steps used to
Describe th
he steps used to
t migrate obje
ects by object type.
Review mig
grated objects in the console
e.
Use the mig
gration reports to validate th
he migration.
Migration Jo
obs
Youu need to creatte migration jo

obs to migrate
e objects from Configuration n Manager 200 07 sites to
Connfiguration Maanager 2012. A migration jobb lists the objeects that are m
migrated, includ
des migration
settings, and can be scheduled to run at a spe
ecific time. You migration jobs to perform the
u can create m
follo
owing types off migrations:
Collection migration
By selecting the collecttion migration option you caan migrate colllections and o
objects that are
e
related to
o selected collections, such as
a advertisemeents and softw
ware packages.
By default, all objects associated

a h members of the collection are selected ffor migration. You
with
can deselect the objectts that you do not want to m
migrate.
You can exclude individ
dual object insstances from m
migration, suchh as excluding migrating som
me
object instances to mig
grate them at a later time ussing object mig
gration.
Object migration
By selecting the object migration opttion you can sselect individuaal objects type
es and object
instancess to migrate th
hem.
By default, object typess and instance

es are not seleccted. You need
d to select the specific data tthat
you wantt to migrate.
Objects modiified after migration
By selecting the Objectts modified aftter migration o

option, you caan migrate agaain any objectss that
you havee previously migrated but haave since been n updated in thhe source hieraarchy.
Migrating
M Collection
C s
Yo
ou can migrate collection de
efinitions and associated objjects, such as p
packages and advertisementts, from
M 2007 to Configurattion Manager 22012.
To
o migrate colle
ections, use the Create Migrration Job wizaard and select the following options:
General. Tyype a name fo
or the migration job and seleect the Collectiion migration option.
Select Collections. Selecct individual co
ollections to m
migrate.
Select Objeects. Select pa
ackages, advertisements, and
d other objectss that are asso
ociated with
collections to migrate the
em to Configuuration Manag er 2012.
Content Ownership. Select the Config
guration Mana ger 2012 site tthat will get th
he ownership ffor the
migrated objects content.
Security Sccope. Associatte the migrated
d objects with an existing seecurity scope o
or create a new
w scope.
This helps limit the admin
nistrative perm
missions to thee migrated objeects.
Collection Limiting. You
u can configure e how collectioon limiting setttings from Co
onfiguration
Manager 20007 are transla
ated to inclusio
on rules in Co nfiguration M anager 2012
Site Code Replacement
R . On this page, you can conffigure site cod e replacementt in the collecttion
queries. This is required iff you have queery rules that aare based on tthe Configurattion Manager site
code, becauuse you are migrating to a newn site with a new site codee.
Review Infformation. Yo ou can review the
t objects and
d information about the mig
gration of thosse
objects included in the migration
m job.
Settings. You
Y can run the
e migration job immediatelyy, or schedule it for a later time. Also, you can:
Configure whether previously
p migrrated objects ccan be overwrritten.
Transfe
er the organiza
ation folder strructure for objjects to the deestination site.
Enable programs for deployments after advertiseements are miigrated.
Migrating Objects by Type

T
You
u can migrate objects
o of diffe
erent types fro
om Configurat ion Manager 2
2007 to Config
guration
Man
nager 2012, including:
Boundaries
Software distribution packa

ages
Virtual application package

es
Software upd
date objects
Operating sysstem deployment objects
Desired Configuration Man

nagement conffiguration item
ms
Configuration
n baselines
Asset Intellige
ence customizations
Software mettering rules
To migrate
m objectts by type, use the Create Migration Job w
wizard and seleect the followin
ng options:
General. Type a name for the

t migration job migration option.
j and selectt the Object m
Select Objects. Select obje

ects types and individual objeects to migrate.
Content Own nership. Selecct the Configurration Manageer 2012 site wh

hich will get th
he ownership ffor
the migrated objects conte
ent.
Security Scope. Associate thet migrated objects

o with an
n existing secu
urity scope or ccreate a new sscope.
This helps lim
mit the adminisstrative permisssions to the m
migrated objeccts.
Review Information. You can review the objects and information about the migration of the objects
included in the migration job.
Settings. You can run the migration job immediately or schedule it for a later time. You can also
configure whether previously-migrated objects can be overwritten, and whether to transfer the
organization folder structure for objects to the destination site.
Question: Why do you need to associate migrated objects with a security scope?
De
emonstration: Creating Migrattion Jobs
In th
s how to mig
grate collectio
ons and migratte objects by ttype.
Dem
monstration
n Steps
Mig
grate collectio
ons and assocciated objectss
1. On NYC-CFG, in the Config

guration Manager console, seelect the Migrration Jobs no
ode.
2. On the Ribbo on, click Creatte Migration Job.

J The Creatte Migration Job Wizard sstarts. Use the
following setttings to config
gure the migra
ation job:
On the General
G page, configure the following opt ions:
Nam
me: Collectionss and associatted objects
nal): Migrate collections an

Desccription (option nd associated
d objects
In th
he Job type bo
ox select Colle
ection migratiion
ect Contoso S ervers (this also selects New

On the Select Collections page, sele w York Serverrs and
ConfigM a verify the Migrate objeects that are a
Mgr Servers), and associated witth the specifie
ed
collectio
ons option is se
elected.
On the Select Objects page:
Selecct Advertisem
ments and clea
ar the ConfigM
Mgr 2007 SP2
2 KB977384 to
o New York
Serv
vers check boxx.
Selecct Software Distribution

D ackages, and then clear thee KB977384 --- Advanced Client
Pa
Hotffix --- CM7 che
eck box.
Selecct Virtual App
plication Pack
kages, verify th
hat the Excel V
Viewer is seleccted, and then
n click
Nextt.
On the Content Ownership page, observe that content ownership is assigned to

NYC --- Contoso Primary Site.
On the Security Scope page, select Default.
Complete the wizard and choose the default settings. Select the Run the migration job now
option so that the migration job will run automatically after the wizard completes.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, click
Refresh.
Migrate objects by type

1. In the Configuration Manager console, in the Administration workspace, under the Migration node,
select the Migration Jobs node.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts. Use the
following settings to configure the migration job:
Name: Migrate objects by type
Description (optional): Migration of specific objects
In the Job type box select Object migration
On the Select Objects page, under Object types, select the following types of objects:
Boundaries
Configuration Baselines. In the Included Objects dialog box, confirm the inclusion of
configuration items.
Asset Intelligence Catalog
On the Content Ownership page, click Next.
On the Security Scope page, select Default, and then click Next.
Complete the wizard and choose the default settings. Select the Run the migration job now
option so that the migration job will run automatically after the wizard completes.
Refresh.
Rev
viewing Migrated
M Objects
O
Youu can review th

he progress and status of Configuration M anager 2012 m migration actio
ons in the
Connfiguration Maanager consolee, in the Adminnistration workkspace, under the Migration n node. You can
view
w summary infformation for each
e migration
n job, includin g identifying o
objects that m
migrated and thhose
thatt have not yet migrated, the number of ob bjects excludedd from the mig gration, and details about an
ny
miggration problemms.
To view
v the progrress of object migration
m for a migration jo b, select a mig
gration job, an
nd then in the
Objjects in Job ta
ab, select the objects
o for which you want to o view the sum mmary informaation.
Miggration actions are recorded in the migmcctrl.log file in tthe <Installatio

onPath>\Logss folder on the
e site
servver.
er migration is performed, th
Afte he administrator can review migrated objeects and their p
properties, and
d
mpare them with the objects in the source site.
com
Viewing
V Migration Reports
M 2012 includes several reports for reviewing mig gration jobs, o objects include
ed in
migration
m jobs, objects that fa
ailed to migratte, collections that used coll ection limiting
g, and Configuuration
Manager
M 2007 clients
c exclude ed from the uppgrade to Con nfiguration Ma nager 2012.
To gration reportss, perform the following step

o view the mig ps:

nager console, click the Mon
nitoring worksspace.
2.. gation pane, expand Reportting, expand R

In the navig Reports, and tthen click the M
Migration fold
der.
3.. In the results pane, click Migration

M Job
b properties, and then on tthe ribbon, clicck Run.
4.. After Migra me, click Values.

ation Job Nam
5.. Under Migration Job Na

ame, click a migration
m job, aand then click OK.
6.. Click View Report.
7.. Close the Migration

M Job properties
p win
ndow.
8.. In the results pane, click Migration

M job
bs, and then o n the ribbon, cclick Run.
9.. Close the Migration

M jobs window.
Migrating Cllients
You
u can use any supported
s client deployment method to m
migrate clients. When CCMSe etup detects a
Connfiguration Maanager 2007 client on the tarrget computerr, the existing client software
e is uninstalled
d, and
the new client sofftware is installed.
You ects the clientss will use in thee new environ
u need to ensure that all obje nment, such ass collections orr
packages, are alre
eady migrated before migratting the clientss.
Youu can migrate clients

c in any order.
o We reco ommend, howeever, that you migrate them m in phases to limit
the impact on nettwork bandwid dth. This distrib with the client installation an
butes the trafffic associated w nd
initial inventory cyycle across a lo
onger period of o time.
The following info

ormation is rettained on the client:
c
The unique id
dentifier (GUID
D). The GUID associates a clieent with its infformation in th
he Configuration
Manager dataabase.
The advertise
ement history. The advertisem
ment history p
prevents clients from unnece
essarily rerunning
advertisemennts.
The following info
ormation is not preserved:
he client cache. If these files are
The files in th a necessary to install a pacckage, the clie
ent downloads them
again from a distribution point.
Information about
a any adve
ertisements th
hat have not yeet run. If the a dvertisementss have not been run,
they are deletted. You then need to migra
ate or re-creat e the advertiseements in the new Configurration
Manager 201 12 hierarchy.
Inventory datta. Clients perfform an inventtory cycle afterr upgrading, aand then send the new data to the
managementt point.
Compliance data.
d Clients evvaluate compliance against tthe baselines aassigned in the
e new environment,
and then send
d the compliance data to the managemen nt point.
Lab: Migratin
M ng from
m System
m Centeer Conffiguratio
on
Mana ager 200
07 to Sy
ystem Center
C 2
2012 Coonfiguraation
Mana ager
La
ab Setup
Fo
or this lab, you
a virtua
n the lab, you must
co
anager.
2.. In Hyper-V Manager, cliick 10748A-NYC-DC1-B, an

nd in the Actio
ons pane, click Start.
3.. In the Actio

ons pane, click
4.. Log on usin

ng the followin
ng credentials:
User na
ame: Adminisstrator
Passwo
ord: Pa$$w0rd
d
Domain: Contoso
5.. Repeat step

ps two through
h four for 10748A-NYC-CM
M7-B and 1074
48A-NYC-CFG
G-B.
La
ab Scenario
o
Yoou are the network administtrator for Conttoso, Ltd. Conttoso has Configuration Manager 2007 and
d
Syystem Center 2012
2 Configurration Manage er, both deployyed as stand-aalone primary ssites.
Yo
ou need to perform the mig
gration of Conffiguration Man
nager objects by:
1.. Configuring
g the source hierarchy.
2.. Creating a migration job and performin

ng migration.
Exercise 1: Configuring the Source Hierarchy

Scenario
You need to examine the source hierarchy and review the objects that need to be migrated. Then you will
configure the source hierarchy by specifying the name of the site server and credentials to connect to the
SMS Provider and site database.
1. Review the objects that need to be migrated.
2. Configure the source hierarchy.
X Task 1: Review the objects that need to be migrated

1. On NYC-CM7, start the ConfigMgr Console.
2. In the ConfigMgr Console, under Site Database, select the Site Management node, and verify that
version of the site is 4.00.6487.2000 which means the site is running Configuration Manager 2007
Service Pack 2.
3. Under Site Database, Site Management, CM7-New York Configuration Manager 2007, Site
Settings, select the Boundaries node, and then review the Properties of the existing IP subnet
boundary.
4. Under Computer Management, Collections, access the Properties of the Contoso Servers
collection.
5. In the Contoso Servers Properties dialog box, at Membership Rules, observe that there are no
membership rules defined.
Note Contoso Servers collection does not have any members and serves as a container for
the other two collections.
6. Under Contoso Servers, access the Properties of the New York Servers collection.
7. Review the Membership rules for the New York Servers collection, and then examine the query
used to determine the membership of the collection.
Note New York Servers collection uses a query rule to include all computers with a name
starting with NYC.
8. Under Contoso Servers, access the Properties of the ConfigMgr Servers collection.
9. Review the Membership rules for the ConfigMgr Servers collection, and then observe the direct
membership rule created for NYC-CM7.
Note The ConfigMgr Servers collection uses a direct membership rule to include NYC-
CM7 as a member.
10. Under Software Distribution, select the Packages node.

11. Access the Properties of the ConfigMgr 2007 Toolkit V2 package, and then review its settings.
Note that this is an MSI package.
12. Access the Properties of the Excel Viewer package, and then review its settings. Note that this is an
App-V package.
13. Under the Advertisements node, review the existing advertisements.
14. Under Asset Intelligence, Customize Catalog, select the Software Categories node, and then
review the Contoso Software custom category.
15. Under the Software Families node, review the Contoso LOB Applications custom family.
16. Under the Custom Labels node, review the Contoso Application custom label.
17. Under Desired Configuration Management, select the Configuration Items node.
18. Access the Properties of the Windows Firewall Enabled configuration item, review the properties,
and then at the Settings tab, review the settings of the configuration item. Note that this
configuration item is using a WQL query to check the status of the Windows Firewall.
19. Under the Configuration Baselines node, access the Properties of the Contoso Security Policy
Validation baseline, and then review the settings.
X Task 2: Configure the source hierarchy

2. In the Configuration Manager console, in the Administration workspace, under the Migration node,
select the Source Hierarchy node, and then on the ribbon, click Specify Source Hierarchy.
3. In the Specify Source Hierarchy dialog box, use the following settings to configure the source
hierarchy:
In the Top-level Configuration Manager 2007 site server box, type NYC-CM7.Contoso.com.
Under Specify the Source Site Account to use to access the SMS Provider for the source site
server. This account required Read permissions to all source site objects, verify that User
Account is selected, and then click the Set button to configure a new account with the following
information:
User name box, type Contoso\Administrator
Password and Confirm password boxes, type Pa$$w0rd
Click Verify and Test connection to validate the credentials and connection to source site.
Under Specify the Source Site Database Account to use to access the SQL Server for the
source site server. This account requires Read and Execute permissions to the source site
database, verify that Use the same account as the Source Site SMS Provider Account is
selected.
4. After you have configured the source hierarchy, the Data Gathering Status process starts. Wait for
the data collection to complete, and then click Close.
5. Under the Source Hierarchy node, select the CM7 source site, and then in the ribbon, click
Properties.
6. In the NYC-CM7.contoso.com Properties window, notice that the Data gathering interval setting is
set to 4 hours.
7. In the preview pane, click the Shared Distribution Points tab, and, on the ribbon, click Share
Distribution Points.
8. In the Share Distribution Points dialog box, select Enable distribution point sharing for this
Configuration Manager 2007 site server.
9. In the Data Gathering Status dialog box, wait for the data collection to complete.
10. On the ribbon, click Refresh, and then on the Shared Distribution Points tab, verify that
\\NYC-CM7.CONTOSO.COM appears.
Note By configuring the Shared Distribution Points option, both the Configuration
Manager 2007 clients and Configuration Manager 2012 clients will have access to the
packages during migration.
Results: At the end of this exercise, you should have reviewed the configuration of the Configuration
Manager 2007 site and configured the source hierarchy in Configuration Manager 2012.
Exercise 2: Creating a Migration Job and Performing Migration

Scenario
You need to create a collection migration job to migrate custom collections and associated
advertisements and packages. Next, you will create another migration job and migrate objects by type.
You will validate the successful migration by running the migration reports.
1. Create a collection migration job.
2. Review migrated objects.
3. Migrate objects by type.
4. Review migrated objects.

5. View migration reports.
6. Decommission the source hierarchy.
X Task 1: Create a collection migration job

1. On NYC-CFG, in the Configuration Manager console, select the Migration Jobs node.

Name: Collections and associated objects
Description (optional): Migrate collections and associated objects
In the Job type box, select Collection migration

On the Select Collections page, select Contoso Servers (this also selects New York Servers and
ConfigMgr Servers), and then verify that the Migrate objects that are associated with the
specified collections option is selected.
On the Select Objects page:
Select Advertisements, and then clear the ConfigMgr 2007 SP2 KB977384 to New York
Servers check box.
Select Software Distribution Packages, and then clear the KB977384 --- Advanced Client
Hotfix --- CM7 check box.
Select Virtual Application Packages, verify that Excel Viewer is selected, and then click
Next.
On the Content Ownership page, observe that content ownership is assigned to

NYC ---Contoso Primary Site.
On the Security Scope page, select Default.
Continue the wizard and choose the default settings, and then on the Settings page, select the
Run the migration job now option.
Refresh.
X Task 2: Review migrated objects

1. In the Configuration Manager console, select the Collections and associated objects migration job,
and then review the objects included in the migration job.
2. In the Assets and Compliance workspace, under Device Collections, select the Contoso Servers
node, and then observe the migrated ConfigMgr Servers and New York Servers collection. If you
do not see the Contoso Servers folder, select the Overview node and then press F5 on your
keyboard to refresh the navigation pane.
3. Access the Properties of the New York Servers collection, and then review the Membership rules.
4. In the Software Library workspace, under Application Management, select the Packages node.
5. Select the migrated ConfigMgr 2007 Toolkit V2 package, and then in the preview pane, review the
information in the Deployments tab.
6. Under the Applications node, select the migrated Excel Viewer virtual application package, and
then in the preview pane, review the information in the Deployment Types tab.
X Task 3: Migrate objects by type

1. In the Configuration Manager console, in the Administration workspace, under Migration node,
select the Migration Jobs node.
Name: Migrate objects by type
Description (optional): Migration of specific objects
In the Job type box select Object migration
On the Select Objects page, under Object types, select the following types of objects:
Boundaries
Configuration Baselines. In the Included Objects dialog box, confirm the inclusion of
configuration items.
Asset Intelligence Catalog
On the Content Ownership page, click Next.
On the Security Scope page, select Default, and then click Next.
Continue the wizard choosing the default settings, and then on the Settings page, select the Run
the migration job now option.
3. In the results pane, verify that the status of the migration job is Completed. If necessary, select the
Migrate objects by type object, and then click Refresh.

1. In the Configuration Manager console, in the Assets and Compliance workspace, under the Asset
Intelligence node, select the Catalog node, and then review the User Defined objects.
2. Under the Compliance Settings node, select the Configuration Items node, and then review the
migrated configuration items.
3. Select the Configuration Baselines node, and then review the migrated baseline.
4. In the Administration workspace, under the Hierarchy Configuration node, select the Boundaries
node, and then review the migrated boundary.
5. Select the Boundary Groups node, and then review the boundary groups created for the
Configuration Manager 2007 site and for the distribution points.
X Task 5: View migration reports

1. In the Configuration Manager console, in the Monitoring workspace, under the Reporting node,
expand the Reports node.
2. Click the Migration folder.
3. From the results pane, run the Migration Job properties report.
4. In the report window, select the first migration job as a parameter, and then click View Report.
Review the results, and then close the report window.
5. Close the Migration Job properties window.
6. In the results pane, run the Migration jobs report. Review the results, and then close the report
window.
X Task 6: Decommission the source hierarchy

1. In the Configuration Manager console, in the Administration workspace, expand the Migration
node, and then click the Source Hierarchy node.
2. In the results pane select CM7, and then, on the ribbon, click Stop Gathering Data. Click Yes the
Configuration Manager dialog box.
3. In the results pane verify that CM7 has the status Have not gathered data, and then, on the ribbon,
click Clean Up Migration Data.
4. In the Clean Up Migration Data dialog box, verify that in the Source hierarchy box appears CM7
(NYC-CM7.contoso.com) and then click OK. Click Yes in the Configuration Manager dialog box.
5. In the results pane, note that source hierarchy has been removed.
Results: At the end of this exercise, you should have created migration jobs, performed object migration,
and viewed the migration reports.
X To prepare for the course finish

following steps:
4. Repeat steps 2 and 3 for 10748A-NYC-CFG-B and 10748A-NYC-CM7-B.

Modulle Revie
ew and Takeaw
ways
Rev
view Questiions
1. What are the restrictions fo
or migrating co
ollections?
2. Why would you need to co

onsolidate prim
mary sites?
3. What are the restrictions fo
or site codes du
uring migratio
on?
4. What additional configurattions do you need to perform

m when migraating software update-related
objects?
Coursse Evalu
uation
Yo
our evaluation
n of this course
e will help Microsoft understtand the qualitty of your learning experience.
Pllease work with your training

g provider to access
a the cou
urse evaluation
n form.
Microsoft
M will ke
eep your answ nd confidentiall and will use yyour responsess to
wers to this surrvey private an
im
mprove your fu uture learning experience. Yo our open and honest feedbaack is valuable e and appreciaated.
L2-1
Module 2: Planning and Deploying a Stand-Alone Primary

Site
Lab A: Installing a Configuration Manager
2012 Primary Site
Exercise 1: Configuring the Prerequisites for Configuration Manager 2012
Deployment
X Task 1: Start Server Manager
1. On NYC-CFG, click Start, point to Administrative Tools, and then click Server Manager.
2. In the navigation pane of the Server Manager console, click Roles.
X Task 2: Verify the installation of Web Server (IIS) and related role services
In the results pane of the Server Manager console, in the Roles pane, scroll to the Web Server (IIS)
section, and then verify that the following features are installed:
ASP.NET
X Task 3: Verify the installation of the required features

1. In the navigation pane of the Server Manager console, click Features.
2. In the results pane, verify that the following features are installed:

X Task 4: Verify that .NET Framework 4.0 and SQL Server 2008 R2 are installed
1. Click Start, and then click Control Panel.
2. In the Control Panel window, click View by: Large Icons.
3. Click Programs and Features.
4. Verify that Microsoft .NET Framework 4 Extended and Microsoft SQL Server 2008 R2 (64-bit)
are installed.
5. Close the Programs and Features window.
Results: After this exercise, you should have validated the prerequisites for installing System Center 2012
L2-2 Module 2: Planning and Deploying a Stand-Alone Environment

1. On NYC-DC1, open Windows Explorer, navigate to \\NYC-CFG\E$\ConfigMgr2012
\SMSSETUP\BIN\X64 folder, and then locate extadsch.exe.
2. Double-click extadsch.exe.
3. Browse to the drive C, open the ExtADSch.log file created in the root of drive C, and then verify the
4. Close Notepad and the Local Disk (C:) window.

5. On NYC-DC1, click Start, click Run, type adsiedit.msc, and then click OK.
6. In the ADSI Edit console, right-click ADSI Edit, and then click Connect to.
7. In the Connection Settings dialog box, accept the defaults, and then click OK.
8. In the ADSI Edit console tree, expand Default naming context, expand the
DC=CONTOSO,DC=COM container, right-click the CN=System container, click New, and then click
Object.
9. In the Create Object page, select container, and then click Next.
10. In the Create Object page, in the Value text box, type System Management, click Next, and then
click Finish.
11. In the ADSI Edit console, click the CN=System container, verify that CN=System Management
container appears in the results pane, and then close the console.
the site server
1. On NYC-DC1, click Start, click Administrative Tools, click Active Directory Users and Computers
console, and then from the View menu, select Advanced Features.
2. In the navigation pane, expand Contoso.com, expand the System container, right-click the System
Management container, and then select Properties.
3. In the System Management Properties dialog box, select the Security tab, and then click Add.
4. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
5. In the Object Types dialog box, select Computers, and then click OK.
6. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select text box, type NYC-CFG, click Check Names, and then click OK.
7. In the System Management Properties dialog box, select NYC-CFG (Contoso\NYC-CFG$), and in
the Allow column, select the Full Control permission check box (all checkboxes are selected), and
then click Advanced.
Lab A: Installing a Configuration Manager Primary Site L2-3
8. In the Advanced Security Settings for System Management dialog box, select
NYC-CFG (Contoso\NYC-CFG$) from the permission entry list, and then click Edit.
9. In the Permission Entry for System Management dialog box, in the Apply to dropdown list, select
This object and all descendant objects, and then click OK.
10. In the Advanced Security Settings for System Management dialog box, click OK.
11. In the System Management Properties dialog box, click OK.
Note After the installation, the Configuration Manager 2012 site server publishes
information in this container to enable clients to determine the assigned site and locate the
management point.
System Management container, and assigned permissions to the Configuration Manager server.
Exercise 3: Installing a Configuration Manager 2012 Stand-Alone Primary

Site
X Task 1: Run the setup for Configuration Manager 2012
1. On NYC-CFG, click Start, and then select Computer.
2. In Windows Explorer, navigate to the E:\ConfigMgr2012\ folder.
for the installation
1. In the System Center 2012 Configuration Manager Setup screen, click Assess server readiness.
2. Installation Prerequisite Check starts and evaluates the server for installed prerequisites.
X Task 3: Run the System Center 2012 Configuration Manager Setup Wizard and select
the option to install a Configuration Manager 2012 stand-alone primary site
2. The Microsoft System Center 2012 Configuration Manager Setup Wizard starts. On the Before
You Begin page, click Next.
3. On the Getting Started page, under Available Setup Options, select Install a Configuration
Manager primary site, and then click Next.
4. On the Product Key page, select Install this product as an evaluation, and then click Next.
5. On the Microsoft Software License Terms page, select the I accept these license terms check box,
and then click Next.
6. On the Prerequisite Licenses page, under Microsoft SQL Server 2008 R2 Express, select I accept
these License Terms, under Microsoft SQL Server 2008 Native Client, select I accept these
License Terms, under Microsoft Silverlight 4, select I accept these License Terms and automatic
updates of Silverlight, and then click Next.
7. On the Prerequisite Downloads page, select Use previously downloaded files, and then click
Browse.
8. In the Browse For Folder dialog box, select the E:\ConfigMgr2012\Redist folder, and then click OK.
9. On the Prerequisite Downloads page, click Next.
10. In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite validation to
finish.
11. On the Server Language Selection page, click Next.

Lab A: Installing a Configuration Manager Primary Site L2-5
12. On the Client Language Selection page, click Next.
13. On the Site and Installation Settings page, type the following information, and then click Next.
Site code: NYC
Install the Configuration Manager console check box: selected
14. On the Primary Site Installation page, select Install the primary site as a stand-alone site, and
then click Next.
15. In the Configuration Manager dialog box, click Yes.
16. On the Database Information page, verify that the SQL server name is NYC-CFG.Contoso.com and
the database name is CM_NYC, and then click Next.
17. On the SMS Provider Settings page, verify that the server name is NYC-CFG.Contoso.com, and
then click Next.
18. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role, and then click Next.
19. On the Site System Roles page, verify that both Install a management point, and Install a
distribution point check boxes are selected, verify that that NYC-CFG.Contoso.com appears in both
FDQN text boxes, and then click Next.
20. On the Customer Experience Improvement Program Configuration page, select I dont want to
join the program at this time, and then click Next.
21. On the Settings Summary page, review your selected settings, and then click Next.
22. On the Prerequisite Check page, wait until Prerequisite Check validates the server readiness to host
the selected roles, and then click Begin Install.
23. In the Install window, wait for the installation to finish, and then click Close.
24. In the System Center 2012 Configuration Manager Setup screen, click Exit.
25. Close all open windows on NYC-CFG.
in a stand-alone primary site.

Lab B: Performing Post-Setup Configuration

Tasks
Exercise 1: Validating the Installation of the Primary Site
1. On NYC-CFG, click Start, click All Programs, click Microsoft System Center 2012, click
Configuration Manager, and then click Configuration Manager Console.
2. In the Configuration Manager console, click the Monitoring workspace.
3. In the navigation pane, expand System Status, and then click Site Status.
4. View the status of each site system.
5. In the navigation pane, click Component Status.

6. View the status of each component.
X Task 2: View the status messages related to the Configuration Manager 2012
installation
1. In the navigation pane, click Site Status.
2. In the results pane, select Site server.

4. In the Status Messages: Set Viewing Period dialog box, verify that in the Select date and time
drop list, 1 day ago is selected, and then click OK. Configuration Manager Status Message Viewer
opens.
5. Double-click on any message, and then in the Status Message Details dialog box, review the details
of the status message. Use the Next and Previous buttons to view additional status messages.
6. Click OK to close the Status Message Details dialog box.

Lab B: Performing Post-Setup Configuration Tasks L2-7

1. Open Windows Explorer and navigate to drive C.
2. In the root folder, double-click the ConfigMgrPrereq.log file. Review the file and note any errors or
warnings reported by Prerequisite Checker.
3. Close Notepad.
4. In the root folder, double-click the ConfigMgrSetup.log file. Review the file and note any errors or
warnings reported by Setup.
5. Close Notepad, and then close Windows Explorer.
Note In addition, in the root folder is ConfigMgrSetupWizard.log. If you installed the

console, you should see ConfigMgrAdminUISetup.log.
Exercise 2: Performing the Initial Configuration of the Primary Site

X Task 1: Create a new Active Directory site
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Sites and
Services.
2. In the Active Directory Sites and Services console tree, expand the Sites folder, and then select
Default-First-Site-Name.
3. Right-click Default-First-Site-Name, and then click Rename.
4. Type NewYork (without a space), and then press Enter.

5. In the Active Directory Sites and Services console tree, expand Sites, right-click the Subnets folder,
and then select New Subnet.
6. In the New Object --- Subnet dialog box, in the Prefix text box, type 10.10.0.0/24.
7. In the Select a site object for this prefix list, select the NewYork site, and then click OK.
1. On NYC-CFG, in the Configuration Manager console, select the Administration workspace.
2. In the navigation pane, expand Hierarchy Configuration, and then select Discovery Methods.
3. In the results pane, select the Active Directory Forest Discovery, and then on the ribbon, click
Properties.
4. In the Active Directory Forest Discovery Properties dialog box, select Enable Active Directory
Forest Discovery, select the Automatically create Active Directory site boundaries when they
are discovered check boxes, and then click OK.
5. In the Configuration Manager dialog box, click Yes to initiate full discovery.
6. In the navigation pane, click Active Directory Forests.
7. In the results pane, select Contoso.com, and then on the ribbon, click Properties.
8. In the Contoso.com Properties dialog box, review the settings, and then click the Publishing tab.
9. On the Publishing tab, review the settings, and then click Cancel.
10. In the navigation pane, click Boundaries.

11. In the results pane, select NewYork, and then on the ribbon, click Properties.
12. In the NewYork Properties dialog box, review the settings, and then click Cancel.

1. In the navigation pane, click Boundary Groups.
2. On the ribbon, click Create Boundary Group.
3. In the Create Boundary Group dialog box, on the General tab, in the Name text box, type New
York Clients, and then click Add.
Lab B: Performing Post-Setup Configuration Tasks L2-9
4. In the Add Boundaries dialog box, select the NewYork boundary, and then click OK.
5. In the Create Boundary Group dialog box, click the References tab, and then select the Use this
boundary group for site assignment check box.
6. Under the Site system servers section, click Add.
7. In the Add Site Systems dialog box, select the \\NYC-CFG.Contoso.com check box, and then
click OK.
8. In the Create Boundary Group dialog box, click OK.
X Task 4: Install additional site system roles: Fallback Status Point and Reporting
Services Point
1. In the Configuration Manager console, in the navigation pane, expand Site Configuration, and then
click Servers and Site System Roles.
2. In the results pane, select \\NYC-CFG.Contoso.com, and on the ribbon, select the Home tab, and
then click Add Site System Roles.
3. The Add Site System Roles Wizard starts. On the General page, verify that the Name for the site
server is NYC-CFG.Contoso.com, and then click Next.
4. On the System Role Selection page, select Fallback status point and Reporting services point,
5. On the Fallback Status Point page, review the settings, and then click Next.
6. On the Reporting Services Point page, verify that the Site database server name is
NYC-CFG.contoso.com and the Database name is CM_NYC, and then click Verify. Wait for the
message Successfully verified to appear.
7. Click the Set button next to User name, and then click New Account.
8. In the Windows User Account dialog box, specify the following credentials, and then click OK:
Password: Pa$$w0rd
9. On the Reporting Services Point page, click Next.
10. On the Summary page, review the settings, and then click Next.
11. On the Completion page, click Close.
X Task 5: Configure the management point and the distribution point

1. In the Configuration Manager console, in the results pane, select \\NYC-CFG.Contoso.com.
2. In the preview pane, right-click the Management point, and then click Properties.
3. In the Management point Properties dialog box, review the settings, select the Generate alert
when the management point is not healthy check box, and then click OK.
4. In the Site System Roles pane, right-click the Distribution point, and then click Properties.
5. In the Distribution point Properties dialog box, review the settings on each of the following tabs:
General
PXE
Multicast
Content Validation
6. In the Distribution point Properties window, click the Boundary Groups tab, verify that the New
York Clients boundary group you have created previously appears in the list, and then click Cancel.
Results: At the end of this exercise, you should have performed the initial configuration of a System
Center 2012 Configuration Manager stand-alone primary site.

Lab C: Configuring PKI for Configuration Manager L2-11
Lab C: Configuring PKI for Configuration

Manager
Exercise 1: Creating Certificate Templates for Configuration Manager
X Task 1: Create a Configuration Manager IIS servers group
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and
Computers.
2. In the navigation pane, expand Contoso.com, and then select the Users container.
3. Right-click the Users container, point to New, and then click Group.
4. In the New Object --- Group dialog box, in the Group name box, type Configuration Manager IIS
Servers, and then click OK.
5. Double-click Configuration Manager IIS Servers.
6. In the Configuration Manager IIS Servers Properties dialog box, on the Members tab, click Add.
7. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types, and in the Object Types dialog box, select the Computers check box, and then click OK.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select box, type NYC-CFG, click Check Names, and then click OK.
9. In the Configuration Manager IIS Servers Properties dialog box, click OK.
X Task 2: Create a Configuration Manager Web server certificate template

1. On NYC-DC1, click Start, click Administrative Tools, and then click Certification Authority.
2. In the Certification Authority console, expand ContosoCA, and then click Certificate Templates.
3. Right-click the Certificate Templates folder, and then click Manage. The Certificate Templates
Console opens.
4. In the results pane, right-click Web Server, and then click Duplicate Template.
5. In the Duplicate Template dialog box, ensure that the Windows Server 2003 Enterprise option is
selected, and then click OK.
6. In the Properties of New Template dialog box, on the General tab, in the Template display name
box, type Configuration Manager Web Server Certificate.
7. Click the Subject Name tab, and then ensure that the Supply in the request option is selected.
8. On the Security tab, under Group or user names, click Domain Admins, and under Permissions
for Domain Admins, clear the Enroll check box, click Enterprise Admins, and then clear the Enroll
check box.
9. On the Security tab, click Add. In the Select Users, Computers, Service Accounts or Groups dialog
box, in the Enter the object names to select box, type Configuration Manager IIS Servers, click
Check Names and then click OK.
10. Click Configuration Manager IIS Servers, select the Enroll check box, and then click OK.
X Task 3: Create a Configuration Manager client certificate template

1. In the Certificate Templates Console, in the results pane, right-click Workstation Authentication,
and then click Duplicate Template.
box, type Configuration Manager Client Certificate.
4. On the Security tab, click Domain Computers, select the Read check box, select the Autoenroll
check box, and then click OK. Do not clear the Enroll check box.
X Task 4: Create a Configuration Manager client distribution point certificate template

1. In the Certificate Templates Console, in the results pane, right-click Workstation Authentication,
and then click Duplicate Template.
box, type Configuration Manager Client Distribution Point Certificate.
4. On the Request Handling tab, select Allow private key to be exported.
5. On the Security tab, under Group or user names, click Domain Admins, and under Permissions
for Domain Admins, clear the Enroll check box, click Enterprise Admins, and then clear the Enroll
check box.
6. On the Security tab, click Add, and in the Select Users, Computers, Service Accounts or Groups
dialog box, in the Enter the object names to select box, type Configuration Manager IIS Servers,
click Check Names, and then click OK.
7. Click Configuration Manager IIS Servers, select the Enroll check box, and then click OK. Do not
clear the Read permission.
Note This certificate template is based on Workstation Authentication template, the

same template used by the Configuration Manager client certificate, but requires the
private key to be exportable because you must import the certificate as a file rather than
select it from the certificate store.
X Task 5: Create a Configuration Manager mobile device certificate template

1. In the Certificate Templates Console, in the results pane, right-click Authenticated Session, and
then click Duplicate Template.
box, type Configuration Manager Mobile Device Certificate.
4. Click the Subject Name tab, and then ensure that the Build from this Active Directory
information option is selected.
5. In the Subject name format list, select Common name, and under Include this information in
alternate subject name, clear the User principal name (UPN) check box, and then click OK.
6. Close the Certificate Templates Console.
X Task 6: Enable the Configuration Manager certificate templates

1. In the Certification Authority console, in the navigation pane, verify that you are still in the Certificate
Templates folder.
2. Right-click the Certificate Templates folder, point to New, and then click Certificate Template to
Issue.
3. In the Enable Certificate Templates dialog box, click Configuration Manager Client Certificate,
keep the Ctrl key pressed, and then click Configuration Manager Client Distribution Point
Certificate, Configuration Manager Mobile Device Certificate, and Configuration Manager Web
Server Certificate.
4. In the Enable Certificate Templates dialog box, click OK, and then close the Certification Authority
console.
Results: After this exercise, you should have created a group for the Configuration Manager servers and
created the templates for Configuration Manager certificates.
Exercise 2: Deploying Certificates for Configuration Manager

X Task 1: Create an auto enrollment GPO
1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. In Group Policy Management console, expand Forest:Contoso.com, expand Domains, right-click

Contoso.com, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO dialog box, in the Name box, type Enable Autoenrollment of Certificates and
then click OK.
4. Right-click Enable Autoenrollment of Certificates and then click Edit.

5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, and then click Public Key Policies.
6. Right-click Certificate Services Client --- Auto-enrollment and then click Properties.
7. In the Configuration Model list, select Enabled, select the Renew expired certificates, update
pending certificates, and remove revoked certificates check box, select the Update certificates
that use certificate templates check box, and then click OK.
8. Close the Group Policy Management Editor window and the Group Policy Management console.
X Task 2: Request a Configuration Manager IIS certificate on the site server

1. On NYC-CFG, click Start, and then click Restart to restart the server.
2. In the Shut Down Windows dialog box, under Option, select Operating System: Reconfiguration
(Planned), and then click OK.
3. Wait for the virtual machine to restart and then logon as domain Administrator.
4. On NYC-CFG, click Start, click Run, and in the Open box, type mmc.exe and then click OK.
5. In the Console 1 - [Console Root] console, click File, and then click Add/Remove Snap-in.
6. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and
then click Add.
7. In the Certificates snap-in wizard, click Computer account, and then click Next.
8. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is
running on) option is selected, and then click Finish.
9. In the Add or Remove Snap-ins dialog box, click OK.
10. In the Console 1 - [Console Root] console, expand Certificates (Local Computer), and then click
Personal.
11. Under Object Type, right-click Certificates, point to All Tasks, and then click Request New
Certificate.
12. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
13. On the Select Certificate Enrollment Policy page, click Next.

14. On the Request Certificates page, select the Configuration Manager Web Server Certificate
check box, and then click the More information is required to enroll for this certificate. Click
here to configure settings link.
15. In the Certificate Properties dialog box, on the Subject tab, under the Alternative name area, in
the Type list, select DNS.
16. In the Value box, type NYC-CFG.Contoso.com and then click Add.
17. Click the General tab, in the Friendly name box, type Configuration Manager Web Services and
then click OK.
18. On the Request Certificates page, click Enroll.
19. On the Certificates Installation Results page, wait until the certificate is installed, and then click
Finish.
X Task 3: Request a Configuration Manager client distribution point certificate

1. In the Console 1 - [Console Root] console, expand Certificates (Local Computer), and then click
Personal.
2. Under Object Type, right-click Certificates, point to All Tasks and then click Request New
Certificate.
3. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
4. On the Select Certificate Enrollment Policy page, click Next.
5. On the Request Certificates page, select the Configuration Manager Client Distribution Point
Certificate check box, and then click Enroll.
6. On the Certificates Installation Results page, wait until the certificate is installed, and then click
Finish.
7. In the Console 1 - [Console Root] console, expand Personal, and then click Certificates.
8. In the results pane, right-click the certificate that has Configuration Manager Client Distribution
Point Certificate on the Certificate Template column, point to All Tasks, and then select Export.
The Certificate Export Wizard opens.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, select Yes, export the private key, and then click Next.
11. On the Export File Format page, ensure Personal Information Exchange --- PKCS #12 (.PFX)
option is selected, and then click Next.
12. On the Password page, type Pa$$w0rd in both Password and Type and confirm password
(mandatory) text boxes, and then click Next.
13. On the File to Export page, in the File name text box, type C:\ConfigMgrClientDPCertificate.pfx
14. On the Completing the Certificate Export Wizard page, click Finish.
15. In the Certificate Export Wizard dialog box, click OK.
16. Close the Console 1 --- [Console Root] console, and in the Microsoft Management Console dialog
box, click No.
X Task 4: Assign the Configuration Manager IIS certificate to Web services

1. On NYC-CFG, click Start, click All Programs, click Administrative Tools, and then click Internet
Information Services (IIS) Manager.
2. Expand NYC-CFG (CONTOSO\Administrator), expand Sites, right-click Default Web Site, and then
click Edit Bindings.
3. In the Site Bindings dialog box, click https, and then click Edit.
4. In the Edit Site Binding dialog box, in the SSL certificate list, select Configuration Manager Web
Services, and then click OK.
5. In the Site Bindings dialog box, click Close.

6. Close Internet Information Services (IIS) Manager.
X Task 5: Configure HTTPS for Configuration Manager roles

2. In the Configuration Manager console, select the Administration workspace.
3. In the navigation pane expand Site Configuration, and then click Servers and Site System Roles.
4. In the results pane, click \\NYC-CFG.contoso.com, and in the preview pane, right-click Site system,
and then click Properties.
5. In the Site system Properties dialog box, select Specify an FQDN for this site system for use on
the Internet.
6. In the Internet FQDN text box, type NYC-CFG.contoso.com and then click OK.
7. In the preview pane, right-click Distribution point and then click Properties.
8. In the Distribution point Properties dialog box, on the General tab, select Import certificate, and
then click Browse.
9. In the Open dialog box, browse to select the C:\ConfigMgrClientDPCertificate.pfx certificate file,
and then click Open.
10. On the General tab, in the Password text box, type Pa$$w0rd.
11. On the General tab, click HTTPS, and then under Requires computers to have a valid PKI client
certificate, select Allow intranet and Internet connections, and then click OK.
12. In the preview pane, click Management point, and then click Properties.
13. In the Management point Properties dialog box, on the General tab, click HTTPS, and then under
This option requires client computers to have a valid PKI client certificate for client
authentication, select Allow intranet and Internet connections.
14. Select the Allow mobile devices to use this management point check box, and then click OK.
Results: After this exercise, you should have issued the Configuration Manager certificates and configured
HTTPS communication for Configuration Manager roles.

following steps:
2. In the Virtual Machines list, right-click 10748A-NYC-DC1-A and then click Revert.

4. Repeat steps 2 to 3 for 10748A-NYC-CFG-A.
L3-19
Module 3: Planning and Configuring Role-Based

Administration
Lab: Planning and Configuring Role-Based
Administration
Exercise 1: Reviewing Built-in Security Roles and Scopes
X Task 1: Review the default security roles and scopes
3. In the navigation pane, expand the Security node, and then click Security Roles.
4. Review the list of roles available in the results pane. Note that there are 14 built-in roles.
5. In the navigation pane, click Security Scopes.
6. Review the list of scopes available in the results pane. Note there are two built-in scopes: All and
Default.
7. In the navigation pane, click Administrative Users.
8. In the results pane, select CONTOSO\Administrator and review the information presented in the
preview pane. By default, the user who performed the Configuration Manager setup is assigned the
Full Administrator role, the All security scope, and the All Systems and All Users and User Groups
collections.
X Task 2: Review the default permissions for a security role

1. In the Configuration Manager console, in the navigation pane, click the Security Roles node.
2. In the results pane, select Application Administrator, and then, on the ribbon, click Properties.
3. In the Application Administrator Properties dialog box, on the General tab, examine the role
description.
4. Click the Administrative Users tab and note there are no users associated with this role. In addition,
note that you cannot add users from this property window.
5. Click the Permissions tab, and then examine the permissions associated with this role. Expand each
category, and then review the individual permissions. Note that you cannot modify the permissions
for built-in roles.
6. Click Cancel to close the Application Administrator Properties dialog box.
Results: At the end of this exercise, you will have reviewed the built-in roles, including their associated
permissions, and the built-in security scopes.
L3-20 Module 3: Planning and Configuring Role-Based Administration
Exercise 2: Creating Custom Security Roles and Scopes

X Task 1: Create a new user and group for application administrators and add the user
to the group
1. On NYC-DC1, click Start, click All Programs, click Administrative Tools, and then click Active
Directory Users and Computers.
2. In the Active Directory Users and Computers console, expand Contoso.com, right-click the Users
container, point to New, and then select User.
3. In the New Object --- User dialog box, in both the First name and User logon name text boxes, type
NewYorkAdmin and then click Next.
4. In the New Object --- User dialog box, in both the Password and Confirm password text boxes, type
Pa$$w0rd, clear the User must change password at next logon box, and then click Next.
5. In the New Object --- User dialog box, click Finish.

6. In the Active Directory Users and Computers console, right-click the Users container, point to New,
and then click Group.
7. In the New Object --- Group dialog box, in the Group name text box, type New York Application
Admins as the group name, and then click OK.
8. Click the Users container, and then in the details pane, right-click the newly created New York
Application Admins group, and then click Properties.
9. In the New York Application Admins Properties dialog box, click the Members tab, and then click
Add.
the object names to select field, type NewYorkAdmin, click Check Names, and then click OK.
11. In the New York Application Admins Properties dialog box, click OK.
X Task 2: Create a custom scope for the New York application administrators
1. On NYC-CFG, in the Configuration Manager console, verify that you are still in the Administration
workspace.
2. In the navigation pane, expand the Security node, and then click Security Scopes.
3. On the ribbon, click Create Security Scope.
4. In the Create Security Scope dialog box, in the Security scope name text box, type New York and
then click OK.
5. In the Configuration Manager console, in the navigation pane, click Distribution Points.
6. In the results pane, select \\NYC-CFG.Contoso.com, and then on the ribbon, click Set Security
Scopes.
7. In the Set Security Scopes dialog box, leave the Default scope selected, select New York, and then
click OK.
Lab: Planning and Configuring Role-Based Administration L3-21

1. In the Configuration Manager console, click the Assets and Compliance workspace.
2. In the navigation pane, expand the Overview node, and then click Device Collections.
3. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts.
4. On the General page, in the Name box, type New York Servers, and then next to Limiting
collection, click Browse.
5. In the Select Collection dialog box, select All Systems, and then click OK.
6. On the General page, click Next.
7. On the Membership Rules page, click Add Rule, and then click Direct Rule. The Create Direct
Membership Rule Wizard starts.
8. On the Welcome page, click Next.
9. On the Search for Resources page in the Resource class list, verify that System Resource is
selected, and in the Value text box, type NYC%, and then click Next.
10. On the Select Resources page, select NYC-CFG, and then click Next.
11. On the Summary page, click Next.
13. In the Create Device Collection Wizard, on the Membership Rules page, verify that NYC-CFG was
added to the list, and then click Next.
X Task 4: Create a custom security role for application administrators

2. In the navigation pane, expand the Security node, and then select Security Roles.
3. In the results pane, select Application Administrator, and then on the ribbon, click Copy.
4. In the Copy Security Role dialog box, in the Name text box, type Application and Update
Administrator
5. In the Copy Security Role dialog box, in the Customize the permissions for this copy of the
security role area, in the Permissions box, configure the following permissions by expanding each
permission group and selecting Yes next to each individual permission:
All permissions under Software Update Group
All permissions under Software Update Package

All permissions under Software Updates
6. In the Copy Security Role dialog box, click OK.

L3-22 Module 3: Planning and Configuring Role-Based Administration
X Task 5: Add a new group of administrative users, and assign a custom role and a
custom scope
1. In the Configuration Manager console, in the navigation pane, under the Security node, click
Administrative Users.
2. On the ribbon, click Add User or Group.
3. In the Add User or Group dialog box, next to User or group name, click Browse.
4. In the Select User, Computer, or Group dialog box, in the Enter the object name to select text
box, type New York Application Admins, click Check Names, and then click OK.
5. In the Add User or Group dialog box next to the Assigned security roles list box, click Add.
6. In the Add Security Role dialog box, select the Application and Update Administrator role, and
then click OK.
7. In the Add User or Group dialog box, under Assigned security scopes and collections, verify that
the Only the instances of objects that are assigned to the specified scopes or collections option
is selected. In the list box, select each collection and security scope, and then click Remove.
8. In the Add User or Group dialog box, in the Security scopes and collections area, click Add, and
then click Security Scope.
9. In the Add Security Scope dialog box, select New York, and then click OK.
10. In the Add User or Group dialog box, in the Security scopes and collections area, click Add, and
then select Collection.
11. In the Select Collections dialog box, select Device Collections, select New York Servers, and then
click OK.
12. In the Add User or Group dialog box, click OK.

13. In the Configuration Manager console in the results pane, select the Contoso\New York Application
Admins, and then review the information from the preview pane.
Note The users added to the New York Application Admins group will have access to only
the Configuration Manager objects associated with the New York scope and resources in
the New York Servers collection.
Results: At the end of this exercise, you will have created a custom security scope, a custom collection,
and a custom security role.
Lab: Planning and Configuring Role-Based Administration L3-23
Exercise 3: Testing the Permissions of the New Role

X Task 1: Start the Configuration Manager console by using the application
administrator account
Configuration Manager, press the Shift key, right-click Configuration Manager Console, and then
click Run as a different user.
2. In the Windows Security dialog box, in the Username box, type NewYorkAdmin and in the
Password box, type Pa$$w0rd, and then click OK.
3. The Configuration Manager console starts.
X Task 2: Verify the permissions assigned to the new security role

2. In the navigation pane, under the Overview node, click Device Collections.
3. In the results pane, verify that you can see only the New York Servers collection.
4. In the navigation pane, click on the Devices node.
5. In the results pane, verify that you can see only the resources associated to your collection.
7. In the navigation pane, under the Overview node, click Distribution Points.
8. In the results pane, verify that you can see the \\NYC-CFG.Contoso.com server.
9. In the navigation pane, expand the Security node.

10. Verify that you do not have access to Administrative Users, the Security Roles, or the Security
Scopes nodes.
Results: At the end of this exercise, you will have tested the new role permissions.

following steps:
4. Repeat steps 2 to 3 for 10748A-NYC-CFG-B.

L4-25

Lab A: Installing a Central Administration
Site
1. On NYC-DC1, open Windows Explorer, navigate to the \\NYC-CAS\E$\ConfigMgr2012
\SMSSETUP\BIN\X64 folder, and then locate extadsch.exe.
2. Double-click extadsch.exe.
3. Browse to the drive C, open the ExtADSch.log file created in the root of drive C, and then verify the
4. Close Notepad and the Local Disk (C:) window.

1. On NYC-DC1, click Start, click Run, type adsiedit.msc, and then click OK.
2. In the ADSI Edit console, right-click ADSI Edit, and then click Connect to.
3. In the Connection Settings dialog box, accept the defaults, and then click OK.
4. In the ADSI Edit console tree, expand Default naming context, expand DC=CONTOSO,DC=COM
container, right-click the CN=System container, click New, and then click Object.
5. On the Create Object page, select container, and then click Next.
6. In the Create Object page, in the Value text box, type System Management, and then click Next.
7. In the Create Object page, click Finish.
8. In the ADSI Edit console, click the CN=System container, verify that CN=System Management
container appears in the results pane, and then close the console.
X Task 3: Create a group for the Configuration Manager servers in Active Directory
Users and Computers
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. In the navigation pane, expand Contoso.com, and then select the Users container.
3. Right-click the Users container, point to New, and then click Group.
4. In the New Object --- Group dialog box, in the Group name text box, type ConfigMgrServers as the
group name, and then click OK.
5. In the details pane, right-click the ConfigMgrServers group, and then click Properties.
6. In the ConfigMgrServers Properties dialog box, select the Members tab, and then click Add.
7. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types.
L4-26 Module 4: Planning and Deploying a Multiple-Site Hierarchy
the object names to select text box, type NYC-CAS; NYC-CFG; LON-CFG; TOR-CFG, click Check
Names, and then click OK.
10. In the ConfigMgrServers Properties dialog box, click OK.
the group
1. In the Active Directory Users and Computers console, click View, and then select Advanced
Features.
2. In the navigation pane, expand the System container, right-click the System Management
container, and then select Properties.
3. In the System Management Properties dialog box, select the Security tab, and then click Add.
4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select text box, type ConfigMgrServers, click Check Names, and then click OK.
5. In the System Management Properties dialog box, select ConfigMgrServers

(Contoso\ConfigMgrServers), in the Allow column, select the Full control permission check box
(all checkboxes are selected), and then click Advanced.
6. In the Advanced Security Settings for System Management dialog box, select ConfigMgrServers
from the permission entry list, and then click Edit.
7. In the Permission Entry for System Management dialog box, in the Apply to dropdown list, select
This object and all descendant objects, and then click OK.
8. In the Advanced Security Settings for System Management dialog box, click OK.
9. In the System Management Properties dialog box, click OK.
10. Close Active Directory Users and Computers.
Note After the installation, Configuration Manager 2012 site servers publish information
in the System Management container to enable clients to determine the assigned site and
locate the management point.
System Management container, and assigned permissions to the group of Configuration Manager servers.
Lab A: Installing a Central Administration Site L4-27
Exercise 2: Installing a Central Administration Site

1. On NYC-CAS, click Start, and then select Computer.
2. Prerequisite Checker starts and evaluates the server for installed prerequisites.
X Task 3: Run Setup to install a Configuration Manager 2012 central administration site
3. On the Getting Started page, at Available Setup Options, select Install a Configuration Manager
central administration site, and then click Next.
5. On the Microsoft Software License Terms page, select I accept these license terms, and then click
Next.
Browse.
8. In the Browse For Folder window, select the E:\ConfigMgr2012\Redist, and then click OK.
9. On the Prerequisite Downloads page, click Next. Configuration Manager Setup Downloader
starts to verify the prerequisites. Wait for the operation to finish.
12. On the Site and Installation Settings page, configure the following options, and then click Next.
Site code: CAS
Site name: Contoso Central Administration Site
Install the Admin Configuration Manager console: checked
13. On the Database Information page, verify that the SQL server name is NYC-CAS.Contoso.com and
that the database name is CM_CAS, and then click Next.
14. On the SMS Provider Settings page, verify that the server name is NYC-CAS.Contoso.com, and
then click Next.
17. On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click Begin
Install.
18. On the Install page, wait for the installation to complete, and then click Close.
19. In the System Center 2012 Configuration Manager Setup screen, click Exit. Close Windows
Explorer.
in a central administration site.
Lab A: Installing a Central Administration Site L4-29

1. On NYC-CAS, click Start, click All Programs, click Microsoft System Center 2012, click
2. In the Configuration Manager console, in the navigation pane, select the Monitoring workspace.
4. View the status of each site systems and site system roles.
5. In the navigation pane, select Component Status.

1. In the navigation pane, select Site Status.

3. On the ribbon, click on the Show Messages button, and then select All.
4. In the Status Messages: Set Viewing Period dialog box, verify Select date and time is selected and,
in the corresponding drop-list, verify that 1 day ago is selected, and then click OK.
5. In the Configuration Manager Status Message Viewer for <CAS> <Contoso Central Administration
Site> window, double-click any status message, and then review the details. Click OK to close the
Status Message Details box.
6. Close the Configuration Manager Status Message Viewer for <CAS> <Contoso Central Administration
Site> window.

1. Open Windows Explorer, and then navigate to drive C.
2. In the root folder, open the ConfigMgrPrereq.log file. The file is displayed in Notepad.
3. Note any errors and warnings reported by Prerequisite Checker. Close Notepad.
4. In the root folder, open the ConfigMgrSetup.log file. The file is displayed in Notepad.
5. Note any errors and warnings reported by the setup. Close Notepad and then close Windows
Explorer.

1. In the Configuration Manager console, in the navigation pane, select the Administration workspace.
2. In the navigation pane, expand Site Configuration, and then select Servers and Site System Roles.
3. In the results pane, select NYC-CAS.contoso.com, and then in the preview pane, review the roles
installed on the server, including:
Component server
Site database server
Site server
Site system
4. In the results pane, right-click NYC-CAS.contoso.com and then select Add Site System Roles. The
Add Site System Roles Wizard starts.
6. On the System Role Selection page, review the available roles. The list includes:

System Health Validator point
Note The site system roles directly related to client management cannot be installed in a
central administration site. This includes the following roles:
Application Catalog web service point

Application Catalog website point
Distribution point
Management point
Enrollment point
7. In the Add Site System Roles Wizard, click Cancel.
8. In the Configuration Manager message box, click Yes.

Lab B: Installing a Primary Site in an Existing Hierarchy L4-31
Lab B: Installing a Primary Site in an Existing

Hierarchy
Exercise 1: Installing a Primary Site in an Existing Hierarchy
1. On NYC-CFG, click Start, and then select Computer.
2. Installation Prerequisite Check starts and evaluates the server for installed prerequisites.
X Task 3: Run Setup to install a Configuration Manager 2012 primary site in the
existing hierarchy
3. On the Getting Started page, at Available Setup Options, select Install a Configuration Manager
primary site, and then click Next.
5. On the Microsoft Software License Terms page, select I accept these license terms, and then click
Next.
Browse.
8. In the Browse For Folder dialog box, select the E:\ConfigMgr2012\Redist, and then click OK.
9. On the Prerequisite Downloads page, click Next. Configuration Manager Setup Downloader
starts to verify the prerequisites. Wait for the operation to finish.

12. On the Site and Installation Settings page, type the following settings, and then click Next.
Site code: NYC
Site name: New York Primary Site
Install the Configuration Manager console: checked
13. On the Primary Site Installation page, select the Join the primary site to an existing hierarchy
option.
14. In the Central administration site server (FQDN) text box, type NYC-CAS.Contoso.com, and then
click Next.
15. On Database Information page, verify that the server name is NYC-CFG.Contoso.com and that the
database name is CM_NYC, and then click Next.
16. On the SMS Provider Settings page, verify that the server name is NYC-CFG.Contoso.com, and
then click Next.
17. On the Client Computer Communication Settings page, select Configure the communication
method on each site system role, and then click Next.
18. On the Site System Roles page, verify that both Install a management point and Install a
distribution point options are selected, verify that NYC-CFG.Contoso.com appears in both FQDN
text boxes, and then click Next.
21. On the Prerequisite Check page, wait for the prerequisite checking to finish, and then click Begin
Install.
22. In the Install window, wait for the installation to complete, and then click Close.
23. In the System Center 2012 Configuration Manager Setup screen, click Exit.
24. Close the Windows Explorer window.
Manager primary site in an existing hierarchy.

2. In the Configuration Manager console, select the Monitoring workspace.
4. View the status of each site system and site system roles.
5. In the navigation pane, select Component Status.

1. In the navigation pane, select Site Status.

3. On the ribbon, click on the Show Messages button, and then select All.
4. In the Status Messages: Set Viewing Period dialog box, verify Select date and time is selected, and
that in the corresponding drop-list, 1 day ago is selected, and then click OK.
5. In the Configuration Manager Status Message Viewer for <NYC> <New York Primary Site> window,
double-click any status message, and then review the details. Click OK to close the Status Message
Details box.
6. Close the Configuration Manager Status Message Viewer for <NYC> <New York Primary Site>
window.

1. In Windows Explorer, navigate to drive C.
2. In the root folder, open the ConfigMgrPrereq.log file. The file is displayed in Notepad.
3. Note any errors and warnings reported by Prerequisite Checker. Close Notepad.
4. In the root folder, open the ConfigMgrSetup.log file. The file is displayed in Notepad.
5. Note any errors and warnings reported by the setup. Close Notepad.

1. In the Configuration Manager console, select the Administration workspace.
2. In the navigation pane, expand Site Configuration, and then select Servers and Site System Roles.
3. In the results pane, select NYC-CFG.contoso.com, and then in the preview pane, note the roles
installed on the server, including:
Component server
Distribution point
Management point
Site database server
Site server
Site system
4. In the results pane right-click on NYC-CFG.contoso.com, and then select Add Site System Roles.

6. On the System Role Selection page, note the available roles, including:
Application Catalog Web Service Point
Application Catalog Website Point
Enrollment point


System Health Validator point
7. In the System Role Selection window, click Cancel.
Note When installed as part of a hierarchy, some of the site system roles cannot be
installed in a primary site. Instead, these roles are installed at the central administration site.
These roles include:
Endpoint protection point
Exercise 3: Automating the Installation of a Primary Site

X Task 1: Review the content of the installation script
1. On LON-CFG, in Windows Explorer, navigate to E:\ConfigMgrSetup, and then open the
ConfigMgrAutoSave_LON.ini file.
2. Review the content of the file, and then close the viewer:
[Identification]
[Options]
ProductID=EVAL
SiteCode=LON
PrerequisiteComp=1
PrerequisitePath= E:\ConfigMgr2012\Redist
AdminConsole=1
JoinCEIP=0
[SQLConfigOptions]
DatabaseName=CM_LON
SQLSSBPort=4022
X Task 2: Run the Setup for Configuration Manager 2012 and use the script option
1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following commands, each followed by pressing Enter:
e:
cd ConfigMgr2012\smssetup\bin\X64
setup /script E:\ConfigMgrSetup\ConfigMgrAutoSave_LON.ini
Note The Configuration Manager Setup runs in unattended mode. The installation
process may take up to 30 minutes. You can use Windows Task Manager to keep track of
the progress. When you see CcmExec.exe as a running process, the setup is complete.
Manager primary site in an existing hierarchy using the automated setup method.

Lab C: Installing a Secondary Site L4-37
Lab C: Installing a Secondary Site

Exercise 1: Configuring Prerequisites
X Task 1: Launch Server Manager
1. On TOR-CFG, click Start, point to Administrative Tools, and then click Server Manager.
2. In the navigation pane of the Server Manager console, click Roles.
X Task 2: Verify that Web Server (IIS) and related role services are installed
In the results pane of the Server Manager console, in the Roles pane, scroll to the Web Server (IIS)
section, and then verify that the following features are installed:
ASP.NET
X Task 3: Verify that the BITS and Remote Differential Compression features
are installed
1. In the navigation pane of the Server Manager console, click Features.
2. In the results pane, verify that the following features are installed:

X Task 4: Add the primary site server computer account to the local
Administrators group
1. In the navigation pane of the Server Manager console, expand Configuration, expand Local Users
and Groups, and then click Groups.
2. In the results pane, double-click the Administrators group.
3. In the Administrators Properties dialog box, click Add.
4. In the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types.
6. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select text box, type NYC-CFG, click Check Names and then click OK.
7. In the Administrators Properties dialog box, click OK.
Note During a secondary site installation, SQL Server Express can be installed as part of
the Create Secondary Site Wizard if a SQL instance is not already installed on the server.
Results: At the end of this exercise, you should have validated the prerequisites for installing a System
Center 2012 Configuration Manager secondary site.
Lab C: Installing a Secondary Site L4-39
Exercise 2: Installing a Secondary Site from a Primary Site

X Task 1: Run the Secondary Site Installation Wizard
1. On NYC-CFG, click Start menu, click All Programs, click Microsoft System Center 2012, click
3. In the navigation pane, expand Site Configuration, and then select Sites.
4. In the results pane, select NYC --- New York Primary Site, and then on the ribbon, click Create
Secondary Site. The Create Secondary Site Wizard starts.
5. On the Before You Begin page, click Next.
6. On the General page, configure the following options, and then click Next:
Site code: TOR
Site server name: TOR-CFG.Contoso.com
Site Name: Toronto Secondary Site
7. On the Installation Source Files page, select the option Copy installation source files over the
network from the parent site server, and then click Next.
8. On the SQL Server Settings page, select the option Install and configure a local copy of SQL
Server Express on the secondary site computer, verify that the following information is specified,
and then click Next:
SQL Server service port: 1433
SQL Server Service Broker Port: 4022
9. On the Distribution Point page, accept the default settings, and then click Next.
10. On the Drive Settings page, accept the default settings, and then click Next.
11. On the Content Validation page, click Next.
12. On the Boundary Groups page, click Next.
13. In the Summary page, review your selected settings, and then click Next.
14. In the Completion page, click Close.
Note When the Create Secondary Site Wizard finishes, the installation continues in the
background on the target server. To validate the installation, verify the installation logs in
the next exercise.
15. In the Configuration Manager console, in the results pane, select TOR --- Toronto Secondary Site,
and then on the ribbon, click the Show Install Status button.
16. In the Secondary Site Installation Status dialog box, review the progress of installation actions, click
Refresh to monitor status, and then click OK. It takes approximately 15-20 minutes for installation to
complete.
secondary site.
Exercise 3: Validating the installation

X Task 1: View the setup logs
1. On TOR-CFG, open Windows Explorer, and navigate to drive C.
2. In the root folder, open the ConfigMgrSetup.log file. In the Open with box, select Notepad, and
then click OK.
3. Note any errors and warnings reported by Setup. Close Notepad.
X Task 2: View the system status for the new secondary site
1. On NYC-CFG, in the Configuration Manager console, in the navigation pane, select the Monitoring
workspace.
2. In the navigation pane, expand System Status, and then select Site Status.
3. View the status of the site systems for TOR-CFG.
4. In the navigation pane, click the Database Replication node.
5. In the results pane, view the status of the replication link between NYC and TOR. It should show that
the link is active.
6. In the navigation pane click the Site Hierarchy node

7. In the results pane, view the site hierarchy diagram. On the NYC icon, click the plus sign to view TOR.
Note The secondary site status can be viewed at the parent primary site or at the central
administration site. It may take some time until the installation finishes and the secondary
site status appears in the console.
Results: At the end of this exercise, you should have validated the installation of a System Center 2012
Configuration Manager 2012 secondary site.

following steps:
2. In the Virtual Machines list, right-click 10748A-NYC-DC1-A and then click Revert.
4. Repeat steps 2 to 3 for 10748A-NYC-CAS-A, 10748A-NYC-CFG-A, 10748A-LON-CFG-A, and

10748A-TOR-CFG-A.
L5-41

Lab A: Monitoring and Troubleshooting
Data Replication
Exercise 1: Monitoring Replication
X Task 1: Review the replication information and configuration settings
2. In the Configuration Manager Console, click the Monitoring workspace.
3. In the navigation pane, click the Database Replication node, and then in the results pane, select the
CAS to NYC replication link. Verify that the Link State shows Link Active. If it does not, refresh the
results pane.
4. Review the information available in the preview pane under the Replication Status area. In the Site
Replication Status section, verify that both Parent Site State and Child Site State have the status of
Replication Active.
5. In the Global Data Replication Status section, verify that both Parent Site to Child Site Global
State and Child Site to Parent Site Global State display the Link Active status and that the Last
Synchronization Time reflects todays date.
Note If the status of Parent Site to Child Site Global State and Child Site to Parent
Site Global State are Link Inactive, verify that both NYC-CAS and NYC-CFG have started.
To refresh the status, click the CAS to NYC replication link, and then press F5.
6. In the preview pane, click the Parent Site tab. Review the information available in the Replication
Status area. Note that SQL Server port is 1433 and SQL Server service broker port is 4022.
7. In the preview pane, click the Child Site tab. Review the information available in the Replication
Status area.

2. In the navigation pane, click the Device Collections node.
3. On the ribbon, click Create Device Collection. The Create Device Collection Wizard starts.
4. On the General page, in the Name text box, type New York Computers and then click Browse.
5. In the Select Collection dialog box, select All Systems, and then click OK.
7. On the Membership Rules page, click Add Rule, and then click Direct Rule. The Create Direct
Membership Rule Wizard starts.
8. On the Welcome page, click Next.

L5-42 Module 5: Data Replication and Content Management
9. On the Search for Resources page, in Resource Class, verify that System Resource is selected, in
the Value text box, type NYC% and then click Next.
10. On the Select Resources page, select both NYC-CAS and NYC-CFG, and then click Next.

13. In the Create Device Collection Wizard, on the Membership Rules page, verify that both
NYC-CAS and NYC-CFG were added in the list, and then click Next.
X Task 3: Monitor the replication of the collection to the primary site

1. On NYC-CFG, click Start, click All Programs, Microsoft System Center 2012, Configuration
Manager, and then click the Configuration Manager Console.
2. In the Configuration Manager console, verify you are in the Assets and Compliance workspace.
4. In the results pane, verify that the New York Computers collection appears in the list of device
collections.
5. Right-click the New York Computers collection and then click Show Members. Notice that a new
node appears in the navigation pane under Devices. Notice also that the members of the collection
appear in the results pane.
Results: At the end of this exercise, you should have verified the replication between the central
administration site and a primary site in a Configuration Manager hierarchy.
Lab A: Monitoring and Troubleshooting Replication L5-43
Exercise 2: Troubleshooting Replication

X Task 1: Configure in-console alerts for monitoring replication
1. On NYC-CAS, in the Configuration Manager console, click the Monitoring workspace.
2. In the navigation pane, click the Database Replication node, and then in the results pane, click the
CAS to NYC replication link.
3. Right-click the CAS to NYC replication link, and then click Properties.
4. In the Replication Status Properties dialog box, verify that Generate an alert when this
replication link is not working for a specified period of time checkbox is selected.
5. In the Replication Status Properties dialog box, in the Number of minutes box, change the value
to 3 minutes, and then click OK.
X Task 2: Stop the SMS_EXECUTIVE service on NYC-CFG

1. On NYC-CFG, click Start, click Administrative Tools, and then click Services.
2. In the Services console, click the SMS_EXECUTIVE service, and then, on the ribbon, click the Stop
Service button.
3. In the Service Control window, wait for the service to stop. Wait at least 3 minutes before continuing
to the next task.
X Task 3: Troubleshoot the replication issue

1. On NYC-CAS, browse to C:\Program Files\Microsoft Configuration Manager\tools\ and then
double-click CMTRACE.exe.
2. In the Configuration Manager Trace Log Tool dialog box, click Yes to make the program the
default viewer for all log files and then close the tool.
3. In the Configuration Manager console, in the navigation pane, click the Alerts node.
4. In the results pane, select the alert named Replication link down between parent site and NYC,
and then on the ribbon, click Configure.
5. In the Replication link down between parent site and NYC Properties dialog box, verify that
Minutes replication link connectivity down greater than has a value of 3, and then click OK.
6. In the navigation pane, click the Assets and Compliance workspace, and then click the Device
Collections node.
7. Right-click the New York Computers collection and then click Properties.
8. In the New York Computers Properties dialog box, in the Name text box, change the name of the
collection to New York Servers and then click OK.
9. In the navigation pane, click the Monitoring workspace.
10. In the navigation pane, click the Database Replication node, and then in the results pane, click the
CAS to NYC replication connection.
11. Verify that the status of the replication link is either Link Degraded or Link Failed. Press F5, if
necessary, to refresh the status.
12. Right-click the CAS to NYC replication link and then click Save Diagnostic Files.
13. In the Save As dialog box, in the File name box, type Replication Diagnostics, in the navigation
pane, select Local Disk (C:), and then click Save.
14. From the taskbar, start Windows Explorer.
15. In Windows Explorer, navigate to the C: drive, and then open the file Replication Diagnostics in
Notepad.
16. Review the content of the file. Note that the Parent Site to Child Site Global State shows the status
of Link Failed or Link Degraded. Close Notepad.
X Task 4: Resolve the issue and verify that replication is functioning correctly
1. On NYC-CAS, right-click the CAS to NYC replication link and then click Replication Link Analyzer.
2. Replication Link Analyzer starts detecting problems. Wait for the operation to finish.
3. In the Replication Link Analyzer window, on the Restart the SMS_EXECUTIVE service on
NYC-CFG.contoso.com page, click Restart the SMS_EXECUTIVE service. Wait for the operation to
finish.
4. In the Replication Link Analyzer window, on the Successfully restarted the SMS_EXECUTIVE service
on NYC-CFG.contoso.com page, click Continue.
5. In the Replication Link Analyzer window, on the Troubleshooting Report page, click the link under
Replication Link Analysis Report. The content of ReplicationAnalysis.xml opens in Internet
Explorer. (Note: based upon timing you may still have issues detected, if issues are detected first click
the Check to see if the problem is fixed link)
6. Review the content of the file, and then close Internet Explorer.
7. In the Replication Link Analyzer window, click the link under Replication Link Analysis Log. The
content of ReplicationLinkAnalysis.log opens in Configuration Manager Trace Log Tool.
8. Review the content of the file and then close Configuration Manager Trace Log Tool.
9. In the Replication Link Analyzer window, click Close.
Results: At the end of this exercise, you should have performed troubleshooting replication.
Lab B: Configuring Content Management L5-45
Lab B: Configuring Content Management

Exercise 1: Create a Distribution Point and a Distribution Point Group
X Task 1: Add the primary site server computer account to local Administrators group
1. On NYC-SVR1, on the taskbar, click Server Manager.
2. In the navigation pane of the Server Manager console, expand Configuration, expand Local Users
and Groups, and then click Groups.
3. In the results pane, double-click the Administrators group.
4. In the Administrators Properties dialog box, click Add.
5. In the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types.
7. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select text box, type NYC-CFG, click Check Names, and then click OK.
8. In the Administrators Properties dialog box, click OK.
X Task 2: Create a distribution point

3. In the navigation pane, expand Site Configuration, and then click Servers and Site System Roles.
4. On the ribbon, click the Home tab, and then click Create Site System Server. The Create Site
System Server Wizard starts.
5. On the General page, click Browse.

6. In the Select Computer dialog box, in the Enter the object name to select box, type NYC-SVR1,
click Check Names, and then click OK.
7. On the General page, in the Site Code drop-down list, select NYC --- New York Primary Site, and
then click Next.
8. On the System Role Selection page, select Distribution point, and then click Next.
9. On the Distribution Point page, select the Install and configure IIS if required by Configuration
Manager and Enable this distribution point for prestaged content options, and then click Next.
10. On the Drive Settings page, review the default settings, and then click Next.
11. On the PXE Settings page, click Next.
12. On the Multicast page, click Next.
13. On the Content Validation page, select Validate content on a schedule, and then click Next.
14. On the Boundary Groups page, click Next.

15. On the Summary page, review the settings, and then click Next.

17. In the Configuration Manager console, verify that \\NYC-SVR1.Contoso.com appears in the results
pane.
X Task 3: Create a distribution point group and assign the distribution points to the
distribution point group
1. In the Configuration Manager console, in the navigation pane, click the Distribution Point Groups
node.
2. On the ribbon, click Create Group.
3. In the Create New Distribution Point Group dialog box, in the Name box type New York DP, and
in the Description box, type New York Distribution Points and then click the Members tab.
4. On the Members tab, click Add.
5. In the Add Distribution Points dialog box, select both \\NYC-CFG.Contoso.com and
\\NYC-SVR1.Contoso.com, and then click OK.
6. In the Create New Distribution Point Group dialog box, click OK.
7. In the Configuration Manager console, in the results pane, double-click New York DP.
8. A new node named New York DP appears in the navigation pane. In the results pane, verify that you
see the distribution points that you added to the group.
Results: At the end of this exercise, you should have created a distribution point, created a distribution
point group, and added distribution points to the group.
Exercise 2: Distribute and Monitor Content

X Task 1: Distribute content to the distribution point group
2. In the Configuration Manager console, click the Software Library workspace.
3. In the navigation pane, expand Application Management, and then click the Applications node.
4. On the ribbon, click Create Application. The Create Application Wizard starts.
5. On the General page, verify that in the Type box Windows Installer (Native) is selected, and then
click Browse.
6. In the Open dialog box, navigate to \\NYC-CFG\E$\Software\PPTViewer\Source and select

ppviewer.msi, and then click Open.
8. On the Import Information page, click Next.
9. On the General Information page, click Next.
12. In the Configuration Manager console, in the results pane, click the Microsoft Office PowerPoint
Viewer 2007 (English) application, on the ribbon, click Deployment, and then click Distribute
Content. The Distribute Content Wizard starts.

14. On the Content page, click Next.
15. On the Content Destination page, click Add, and then click Distribution Point Group.
16. In the Add Distribution Point Groups dialog box, select New York DP, and then click OK.
17. On the Content Destination page, click Next.
X Task 2: Monitor and validate content distribution

1. In the Configuration Manager console, in the results pane, click the Microsoft Office PowerPoint
Viewer 2007 (English) application, and then on the ribbon, click Properties.
2. In the Microsoft Office PowerPoint Viewer 2007 (English) Properties window, click the Content
Locations tab.
3. In the Distribution points or distribution point groups list, select \\NYC-CFG.Contoso.com, and
click Validate.
4. In the Configuration Manager message box, click OK.

6. In the Microsoft Office PowerPoint Viewer 2007 (English) Properties window, click OK.
7. In the Configuration Manager console, click the Monitoring workspace.

8. In the navigation pane, expand Distribution Status, and then click the Content Status node.
information in the preview pane. Observe that two distribution points were targeted, but Completion
Statistics show that 1 is reported as success and 1 is in progress.
10. In the preview pane, click the View Status link. A sticky node appears in the navigation pane, and in
the results pane, you should see the Content Status for the selected package.
11. In the navigation pane, click the Distribution Point Configuration Status node.
12. In the results pane, click \\NYC-CFG.Contoso.com, and in the preview pane, click the Details tab.
Review the status messages related to content distribution.
14. In the navigation pane, click the Distribution Points node.
15. In the results pane, select \\NYC-CFG.Contoso.com, and then on the ribbon, click Properties.
16. In the \\NYC-CFG.Contoso.com Properties dialog box, click the Content tab.
17. In the Deployment packages list, click Microsoft Office PowerPoint Viewer 2007 (English), and
then click Validate.
20. In the \\NYC-CFG.Contoso.com Properties dialog box, click OK.
Results: At the end of this exercise, you should have distributed content and monitored the distribution
process.
Exercise 3: Perform content prestaging

X Task 1: Create prestaged content file
1. On NYC-CFG, in the Configuration Manager console, click the Software Library workspace, and then
verify you are in the Applications node.
2. In the results pane, click Microsoft Office PowerPoint Viewer 2007 (English), and then on the
ribbon, click Create Prestage Content File. The Create Prestaged Content File Wizard starts.
3. On the General page, click Browse.
4. In the Prestaged content file dialog box, navigate to the Local Disk (C:) folder, in the File name
box, type PowerPointViewer and then click Save.
6. On the Content page, click Next.
7. On the Content Locations page, click Add.
8. In the Add Distribution Points dialog box, select \\NYC-CFG.Contoso.com, and then click OK.
9. On the Content Locations page, click Next.
12. On the taskbar, click Windows Explorer.

13. Browse to the Local Disk (C:) folder, right-click PowerPointViewer.pkgx and then click Copy.
14. In the address bar, type \\NYC-SVR1\C$ and then press Enter.
15. Right-click in the results pane and click Paste.
X Task 2: Extract prestaged content file on distribution point

1. On NYC-SVR1, click Start, click All Programs, click Accessories, and then click Command Prompt.
2. At the command prompt, type the following, pressing Enter after each line:
CD C:\SMS_DP$\sms\Tools
extractcontent.exe /P:C:\PowerPointViewer.pkgx /S
X Task 3: Monitor prestaged content status

1. On NYC-CFG, in the Configuration Manager console, click the Monitoring workspace.
2. In the navigation pane, expand Distribution Status, and then click the Content Status node.
information in the preview pane. Observe that two distribution points were targeted, and Success is
now listed as 2.
Results: At the end of this exercise, you should have performed content prestaging.

following steps:

4. Repeat steps 2 to 3 for 10748A-NYC-CAS-C, 10748A-NYC-CFG-C, and 10748A-NYC-SVR1-C.
L6-51
Module 6: Planning and Completing System Center 2012

Configuration Manager Client Deployment
Lab: Planning and Completing
Configuration Manager 2012 Client
Deployment
Exercise 1: Configuring Active Directory Discovery Methods
X Task 1: Create an Active Directory site
1. On the NYC-DC1 server click Start, click Administrative Tools, and then click Active Directory
Sites and Services.
2. In the Active Directory Sites and Services console, in the navigation pane, right-click Sites, and then
click New Site.
3. In the New Object --- Site dialog box, in the Name box, type NewYork.
4. Under Link Name, click DEFAULTIPSITELINK, and then click OK.
5. In the Active Directory Domain Services message box, click OK.

6. In the navigation pane, expand Sites, right-click Subnets, and then click New Subnet.
7. In the New Object --- Subnet dialog box, in the Prefix box, type 10.10.0.0/24.
8. Under Select a site object for this prefix, click NewYork, and then click OK.
9. In the navigation pane, expand Default-First-Site-Name, and then select Servers.
10. In the results pane, right-click NYC-DC1, and then click Move.
11. In the Move Server dialog box, click NewYork, and then click OK.
12. In the navigation pane expand NewYork, and then select Servers.
13. Verify that NYC-DC1 is present in the results pane.
1. On the NYC-CAS server click Start, click All Programs, expand Microsoft System Center 2012,
expand Configuration Manager, and then click Configuration Manager Console.
2. In the Configuration Manager Console, click the Administration workspace.
3. In the navigation pane, expand Hierarchy Configuration, and then click Discovery Methods.
4. In the results pane, identify the Active Directory Forest Discovery methods. You should have three
entries available in the results pane: one for the CAS site, one for the NYC site and one for the LON
site.
L6-52 Module 6: Planning and Completing System Center 2012 Configuration Manager Client Deployment
5. In the results pane, select the Active Directory Forest Discovery for the CAS site, and then on the
ribbon, click Properties.
6. In the Active Directory Forest Discovery Properties dialog box, select Enable Active Directory
Forest Discovery, select Automatically create Active Directory site boundaries when they are
discovered, and then click OK.
8. In the navigation pane, select Active Directory Forests.
9. In the results pane, select Contoso.com, and then on the ribbon, click Properties.
10. In the Contoso.com Properties dialog box, on the General tab, review the settings, and then click
the Publishing tab.
11. In the Publishing tab, review the settings, and then click Cancel.
12. In the results pane, select Contoso.com, and then on the ribbon, click Show IP Subnets.
13. A new node named IP Subnets of Contoso.com should appear in the navigation pane, and then in
the results pane, you should see the IP subnets discovered from Active Directory.
14. In the navigation pane, select Active Directory Forests, in the results pane select Contoso.com, and
then on the ribbon, click Show Active Directory Sites.
15. A new node named Active Directory Sites of Contoso.com appears in the navigation pane, and
then in the results pane, you should see the sites discovered from Active Directory.
16. In the navigation pane, click Boundaries.
17. In the results pane, select the NewYork boundary, and then on the ribbon, click Properties.
18. In the NewYork Properties dialog box, review the settings on the General tab, and then click the
Site Systems tab.
19. On the Site Systems tab, note that you cannot add a site system using this dialog box, and then click
the Boundary Groups tab.
20. On the Boundary Groups tab, note that the boundary is not yet assigned to a boundary group, and
then click Cancel.

1. In the navigation pane, select Boundary Groups.
2. On the ribbon, click Create Boundary Group.
3. In the Create Boundary Group dialog box, on the General tab, in the Name: box, type New York
Systems and then click Add.
4. In the Add Boundaries dialog box, check the box next to NewYork, and then click OK.
5. In the Create Boundary Group dialog box, select the References tab.
6. On the References tab, check the Use this boundary group for site assignment box.
7. Next to Assigned site, click the dropdown menu, and then select NYC-New York Primary Site.
8. Under Site system servers section, click Add.

Lab: Planning and Completing System Center 2012 Configuration Manager Client Deployment L6-53
9. In the Add Site Systems dialog box, check the box next to \\NYC-CFG.Contoso.com, and then click
OK.
10. In the Create Boundary Group dialog box, click OK.
Note You have created the New York Systems boundary group at the central
administration site, however, configured the assigned site to be NYC --- New York Primary
Site. All clients in this boundary group are installed and managed by the
NYC-CFG.contoso.com site server.
X Task 4: Configure Active Directory System Discovery

1. On the NYC-CFG server click Start, click All Programs, expand Microsoft System Center 2012,
3. In the navigation pane, expand Hierarchy Configuration, and then click Discovery Methods. Note
that you can only see the discovery methods that can be configured for NYC primary site and TOR
secondary site.
4. In the results pane, select the Active Directory System Discovery, and then on the ribbon, click
Properties.
5. In the Active Directory System Discovery Properties dialog box, select Enable Active Directory
System Discovery, and then click the New ( ) button.
6. In the Active Directory Container dialog box, click Browse.

7. In the Select New Container dialog box, select Contoso, and then click OK.
8. In the Active Directory Container dialog box, click OK.
9. In the Active Directory System Discovery Properties dialog box, select the Polling Schedule tab,
and then review the settings.
10. In the Active Directory System Discovery Properties dialog box, select the Active Directory
Attributes tab, and then review the settings.
11. In the Active Directory System Discovery Properties dialog box, select the Option tab, review the
settings, and then click OK.
X Task 5: Configure Active Directory User Discovery

1. In the results pane, select Active Directory User Discovery, and then on the ribbon, click Properties.
2. In the Active Directory User Discovery Properties dialog box, select Enable Active Directory User
Discovery, and then click the New ( ) button.
3. In the Active Directory Container dialog box, click Browse.
5. In the Active Directory Container dialog box, click OK.

6. In the Active Directory User Discovery Properties dialog box, select the Polling Schedule tab, and
then review the settings.
7. In the Active Directory User Discovery Properties dialog box, select the Active Directory
Attributes tab, review the settings, and then click OK.
X Task 6: Configure Active Directory Group Discovery

1. In the results pane, select the Active Directory Group Discovery, and then on the ribbon, click
Properties.
2. In the Active Directory Group Discovery Properties dialog box, select Enable Active Directory
Group Discovery, click Add, and then click Location.
3. In the Add Active Directory Location dialog box, in the Name box, type Contoso domain and then
click Browse.
5. In the Add Active Directory Location dialog box, click OK.
6. In the Active Directory Group Discovery Properties dialog box, select the Polling Schedule tab,
and then review the settings.
7. In the Active Directory Group Discovery Properties dialog box, select the Option tab, review the
settings, and then click OK.
X Task 7: Verify that the discovered computers appear in the All Systems collection and
are correctly assigned to the site
1. In the Configuration Manager Console, click the Assets and Compliance workspace.

3. In the results pane, select the All Systems collection, and then on the ribbon, click the Show
Members button.
4. A new sticky node called All Systems appears in the navigation pane under the Devices node. In the
results pane, observe the systems that are members of the All Systems collection and their assigned
site. On the Site Code column, you should see NYC for most systems.
Results: At the end of this exercise, you should have configured the Active Directory discovery methods.
Exercise 2: Using Client Push to Install Configuration Manager 2012 Clients

X Task 1: Install a fallback status point
1. On the NYC-CFG server, in the Configuration Manager console, click the Administration workspace,
in the navigation pane expand Site Configuration, and then click Servers and Site System Roles.
2. In the results pane, right-click \\NYC-CFG.Contoso.com, and then click Add Site System Roles. The
Add Site System Roles Wizard starts.
3. In the General page, verify that the Name for the site server is NYC-CFG.Contoso.com, and then
click Next.
4. In the System Role Selection page, select Fallback status point, and then click Next.
5. In the Fallback Status Point page, review the settings, and then click Next.
6. In the Summary page, review the settings, and then click Next.
8. In the results pane, select \\NYC-CFG.Contoso.com, and then in the preview pane, right-click the
Management point role, and then click Properties.
9. Select the Generate alert when the management point is not healthy check box, and then click
OK.
10. In the navigation pane, under Site Configuration, select the Sites node, and then click the
Hierarchy Settings button on the ribbon.
11. In Site Settings Properties, select the Use a fallback site check box, in the Fallback site list, select
NYC --- New York Primary Site, and then click OK.
X Task 2: Create a Client Push installation account

1. On the NYC-DC1 server, click Start, click All Programs, click Administrative Tools, and then click
Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the navigation pane, right-click the Users
container, and then click New, User.
3. In the New Object --

- User window, in both the First name and User logon name text boxes, type
ConfigMgrClientPush and then click Next.
- User window, in both the Password and Confirm password text boxes, type
Pa$$w0rd, clear the User must change password at next logon box, select the User cannot
change password and Password never expires boxes, and then click Next.
- User window, click Finish.
6. In the Active Directory Users and Computers console, right-click the newly created
ConfigMgrClientPush user, and then click Properties.
7. In the ConfigMgrClientPush Properties dialog box, click the Member Of tab.
8. At the Member Of tab, click the Add button.
9. In the Select Groups dialog box, in the Enter the object names to select text box, type Domain
Admins, click the Check Names button, and then click OK.
10. In the ConfigMgrClientPush Properties dialog box, click OK.
X Task 3: Configure the Client Push installation method

1. On NYC-CFG, in the Configuration Manager Console, verify you are in the Administration
workspace.
2. In the navigation pane, expand Site Configuration, and then click the Sites node.
3. In the results pane, right-click NYC --- New York Primary Site, click Client Installation Settings, and
then click Client Push Installation.
4. In the Client Push Installation Properties dialog box, click the Accounts tab.
5. At the Accounts tab, click the New ( ) button, and then click New Account.
6. In the Windows User Account dialog box, click the Browse button.
7. In the Select User dialog box, in the Enter the object name to select text box, type
ConfigMgrClientPush, click the Check Names button, and then click OK.
8. In the Windows User Account dialog box, in both the Password and Confirm password boxes,
type Pa$$w0rd and then click Verify. The Windows User Account dialog box expands.
9. In the Windows User Account dialog box, in the Network Share box, type \\NYC-DC1\C$, and
then click Test connection.

11. In the Windows User Account dialog box, click OK.
12. In the Client Push Installation Properties dialog box, click the Installation Properties tab.
13. At the Installation Properties tab, in the Installation properties box, after the text
SMSSITECODE=NYC type a space, and then type FSP=NYC-CFG.CONTOSO.COM.
Note The entire line should read SMSSITECODE=NYC FSP=NYC-CFG.Contoso.com.
14. In the Client Push Installation Properties dialog box, click OK.
X Task 4: Install the client using Client Push

1. On NYC-CFG, in the Configuration Manager Console, click the Assets and Compliance workspace.
2. In the navigation pane, click the All Systems node.
3. In the results pane, right-click NYC-CFG, and then click Install Client. The Install Configuration
Manager Client Wizard starts.
4. In the Before You Begin page, click Next.
5. In the Installation Options page, check the Install the client software from a specified site box,
verify that in the Site list appears NYC --- New York Primary Site, and then click Next.
6. In the Summary page, click Next.

8. In the results pane, right-click NYC-DC1, and then click Install Client. The Install Configuration
Manager Client Wizard starts.
9. In the Before You Begin page, click Next.
10. In the Installation Options page, check the Allow the client software to be installed on domain
controllers box, and then click Next.
11. In the Summary page, click Next.
Results: At the end of this exercise, you should have started the installation of the Configuration Manager
client.
Exercise 3: Verifying Configuration Manager 2012 Client Installation

X Task 1: Verify that CCMSetup has started on the domain controller
1. On the NYC-DC1 server, right-click the taskbar, and then click Start Task Manager.
2. In the Windows Task Manager window, click the Processes tab.
3. At the Processes tab, verify that ccmsetup.exe appears in the list of processes.
Note If ccmsetup.exe does not appear in the list repeat the installation ensuring that the
Allow the client software to be installed on domain controllers check box is selected.
After the client installation, CcmExec.exe should appear in the list of processes.
X Task 2: Review the ccmsetup.log

1. Start Windows Explorer.
2. Navigate to the C:\Windows\ccmsetup folder.
3. Open the ccmsetup.log file and review the content.

4. If the installation succeeds, you see the following messages:
Client.msi installation succeeded

Successfully deleted the ccmsetup service
Sending Fallback Status Point message to NYC-CFG.CONTOSO.COM, STATEID=400
State message with TopicType 800 and TopicId <GUID> has been sent to the FSP
X Task 3: Verify that the Configuration Manager client was installed

1. Click Start, and then click Control Panel.
2. In the Control Panel window, next to View by, select Large icons.
3. In the Control Panel window, click Configuration Manager.
4. In the Configuration Manager Properties dialog box, on the General tab, review the information.
5. In the Configuration Manager Properties dialog box, click the Components tab, and then verify
the status of the agents. Some of the agents should have the Status of Enabled.
6. In the Configuration Manager Properties dialog box, click the Actions tab.
7. In the Actions list, select Machine Policy Retrieval & Evaluation Cycle, and then click Run Now to
initiate the connection of the Configuration Manager client to the management point.
Note When running inside a virtual machine, the Configuration Manager client uses
randomization for the initial time interval of connection to the management point. Running
the Machine Policy Retrieval & Evaluation Cycle manually ensures that all components are
updated as required.
8. In the Machine Policy Retrieval & Evaluation Cycle message box, click OK.
9. In the Configuration Manager Properties dialog box, click OK.

X Task 4: Verify that the client is installed

1. On NYC-CFG, in the Configuration Manager Console, verify you are in the Assets and Compliance
workspace.
2. In the navigation pane, click the All Systems node.
3. In the results pane, the status on the Client Activity column for NYC-DC1 and NYC-CFG should be
Active.
Note If the status of the clients is not Active, on the ribbon, click the Update
Membership button and then refresh the console. It may take a minute or two for the
Client Activity to show as Active.
4. In the results pane, select NYC-DC1, and then review the information in the preview pane.
5. In the results pane, right-click NYC-DC1, and then click Properties.
6. In the NYC-DC1 Properties dialog box, review the information, and then click OK.
Results: At the end of this exercise, you should have installed the Configuration Manager client using the
Client Push installation method.

following steps:

L7-61
Module 7: Maintaining and Monitoring System Center 2012

Lab: Maintaining and Monitoring System
Center 2012 Configuration Manager
Exercise 1: Configuring the Site Backup Task
X Task 1: Configure the Site Backup task
1. On the NYC-CFG server, click Start, click All Programs, expand Microsoft System Center 2012,
3. In the navigation pane, expand Site Configuration, and then click Sites.
4. In the results pane, click NYC --- New York Primary Site.
5. On the ribbon, click Settings, and then click Site Maintenance.
6. In the Site Maintenance dialog box, click Backup Site Server, and then click Edit.
7. In the Backup Site Server Properties dialog box, select the Enable this task check box, and then
click Set Paths.
8. In the Set Backup Paths dialog box, verify the option Local drive on site server for site data and
database is selected, and then click Browse.
Note In practice, you should use either Network path (UNC name) for site data and
database to save backup on a network share, or, if the database is installed on a separate
server, use Local drives on site server and SQL Server.
9. In the Select Folder dialog box, navigate to drive C, create a new folder called Backup, and then click
Select Folder.
10. In the Set Backup Paths dialog box, verify that C:\Backup appears in the box, and then click OK.
11. In the Backup Site Server Properties dialog box, in the Start after box, set the time to start 3
minutes from now, and then click OK. You may need to adjust the Latest start time, so it is at least
one hour after the time you entered in the Start after box.
12. In the Site Maintenance dialog box, on the Enabled column, next to the Backup Site Server task,
verify that the word Yes is displayed. Click OK.
X Task 2: Trigger the backup of the site and verify its completion
1. Click Start, click All Programs, expand Administrative Tools, and then click Services.
2. In the Services console, in the details pane, click the SMS_SITE_BACKUP service, and then on the
toolbar, click the Start Service button. Close the Services window.
L7-62 Module 7: Maintaining and Monitoring System Center 2012 Configuration Manager
4. If the backup is performed successfully, at the end of the smsbkup.log file, the text Backup
completed appears, and then on the next line, the text STATMSG: ID=5035 appears.
5. Navigate to the C:\Backup\NYCBackup\SiteDBServer folder and verify that it contains the database
files.
6. Navigate to the C:\Backup\NYCBackup\SiteServer\SMSServer folder, double-click on the

SMSServer folder to open it, and then note that it contains the data, inboxes, Logs and srvacct
folders.
8. In the navigation pane, expand System Status, and then click the Component Status node.
9. In the results pane, click the SMS_SITE_BACKUP component.
10. On the ribbon, click Show Messages and click All.
11. In the Status Messages: Set Viewing Period dialog box, accept the default of 1 day ago, and then
click OK.
12. In Configuration Manager Status Message Viewer, search for a message with a Message ID of
5035.
Note When site backup completes successfully, message ID 5035 appears, which indicates
that the site backup completed without any errors.
13. Close Configuration Manager Status Message Viewer.
14. Close the Configuration Manager Console.
Results: At the end of this exercise, you should have performed a backup for the Configuration Manager
site.
Lab: Maintaining and Monitoring System Center 2012 Configuration Manager L7-63
Exercise 2: Recovering the Site from a Backup

X Task: Use the Site Recovery wizard to recover the site from backup
1. On NYC-CFG, run E:\ConfigMgr2012\SMSSETUP\BIN\X64\setup.exe.
2. The Microsoft System Center 2012 Configuration Manager Setup Wizard starts. In the Before
You Begin window, click Next.
3. On the Getting Started page at Available Setup Options, click Recover a site, and then click Next.
4. On the Site Server and Database Recovery Options page, click Recover the site database using
the backup set at the following location, and then click Browse.
5. In the Browse For Folder dialog box, select the C:\Backup\NYCBackup folder, and then click OK.
6. On the Site Server and Database Recovery Options page, click Next.
7. On the Site Recovery Information page, verify that the option Recover primary site is selected,
9. On the Microsoft Software License Terms page, click the I accept these license terms check box,
Browse.
12. In the Browse For Folder dialog box, select the E:\ConfigMgr2012\Redist folder, and then click OK.
13. On the Prerequisite Downloads page, click Next.

14. In the Configuration Manager Setup Downloader dialog box, wait for the prerequisite validation to
finish.
15. On the Site and Installation Settings page, click Next.

16. On the Database Information page, click Next.
18. On the Settings Summary page, click Next.
19. In the Prerequisite Check dialog box, click Cancel, and then click Yes. It takes time to restore the
site, and so for this lab, cancel the restoration process.
Results: At the end of this exercise, you should have reviewed the recovery process for the Configuration
Manager 2012 primary site.
L7-64 Module 7: Maintaining and Monitoring System Center 2012 Configuration Manager
Exercise 3: Monitoring Configuration Manager

X Task 1: Configure the status summarizers
1. On the NYC-CAS server, click Start, click All Programs, expand Microsoft System Center 2012,
3. In the navigation pane expand Site Configuration, click Sites, and then in the results pane, click the
CAS --- Contoso Central Administration Site site.
4. On the ribbon, in the Settings group, click Status Summarizers.

5. In the Status Summarizers dialog box, select Component Status Summarizer, and then click Edit.
6. On the General tab of the Component Status Summarizer Properties dialog box, verify that
Enable status summarization is selected.
7. On the Thresholds tab, in the Message type box, click Error status Messages, and then in the
Thresholds list, double-click the SMS_SITE_BACKUP component.
8. In the Status Threshold Properties dialog box, change the warning and the critical threshold to the
following values, and then click OK.
Warning (messages): 100
Critical (messages): 500

9. In the Component Status Summarizer Properties dialog box, click OK.
10. In the Status Summarizers dialog box, select Site System Status Summarizer, and then click Edit.
11. On the General tab of the Site System Status Summarizer Properties dialog box, verify that
Enable status summarization is selected. For primary sites, you also can configure the replication
and schedule in this dialog box.
12. On the Thresholds tab, review the values for the Default thresholds.
13. Click any object from the Specific thresholds list, and then click the Properties button. Review the
storage objects warning and critical thresholds, and then click OK.
14. In the Site System Status Summarizer Properties dialog box, click OK.
15. In the Status Summarizers dialog box, click OK.
X Task 2: Monitor replication

2. In the navigation pane, click Site Hierarchy to open the Hierarchy Diagram view.
3. Briefly rest the mouse pointer over the line between the CAS and NYC sites to view the status of
global and site data replication for these sites.
4. In the navigation pane, click Database Replication, and then in the results pane, click the CAS to
NYC replication link.
5. In the preview pane, click the Summary tab to view details about the replication link status.
Lab: Maintaining and Monitoring System Center 2012 Configuration Manager L7-65
6. In the preview pane, click the Parent Site tab to view details about the site configuration and SQL
Server details for the parent site.
7. In the preview pane, click the Child Site tab to view details about the site configuration and SQL
Server details for the child site.
Results: At the end of this exercise, you should have used the In-Console Monitoring features.

following steps:

L8-67
Module 8: Migrating from System Center Configuration

Manager 2007 to System Center 2012 Configuration
Manager
Lab: Migrating from System Center
Configuration Manager 2007 to System
Center 2012 Configuration Manager
Exercise 1: Configuring the Source Hierarchy
X Task 1: Review the objects that need to be migrated
1. On NYC-CM7, click Start, click All Programs, click Microsoft System Center, click Configuration
Manager 2007, and then click ConfigMgr Console.
2. In the navigation pane, expand Site Database, and then click Site Management. In the results pane,
verify that on the Version column appears 4.00.6487.2000 which means the site is running
Configuration Manager 2007 Service Pack 2.
3. In the navigation pane under Site Database, expand Site Management, expand CM7-New York
Configuration Manager 2007, expand Site Settings, and then click Boundaries.
4. In the results pane, right-click the IP subnet boundary and then click Properties.
5. In the Properties dialog box, review the configuration of the boundary, and then click Cancel.
6. In the navigation pane, expand Computer Management, expand Collections, right-click Contoso
Servers collection, and then click Properties.
7. In the Contoso Servers Properties dialog box, click the Membership Rules tab. Observe that there
are no membership rules defined, and then click OK.
Note Contoso Servers collection does not have any members and serves as a container
for the other two collections.
8. In the navigation pane, expand Contoso Servers, click the New York Servers collection, and then in
the results pane, observe that NYC-CM7 is the only member of the collection.
9. In the navigation pane, right-click the New York Servers collection and then click Properties.
10. In the New York Servers Properties dialog box, click the Membership Rules tab.
11. Under Membership rules, select New York Servers, and then click the Properties button.
12. In the Query Rule Properties dialog box, click Edit Query Statement.
13. In the New York Servers Query Statement Properties dialog box, click Show Query Language.
L8-68 Module 8: Migrating from System Center Configuration Manager 2007 to System Center 2012 Configuration Manager
14. In the New York Servers Query Statement Properties dialog box, examine the query, and then
click Cancel.
Note New York Servers collection uses a query rule to include all computers with a name
starting with NYC.
15. In the Query Rule Properties dialog box, click Cancel.
16. In the New York Servers Properties dialog box, click Cancel.
17. In the navigation pane, click the ConfigMgr Servers collection, and then in the results pane, observe
that NYC-CM7 is the only member of the collection.
18. In the navigation pane, right-click the ConfigMgr Servers collection and then click Properties.
19. In the ConfigMgr Servers Properties dialog box, click the Membership Rules tab.
20. Under Membership rules, observe the direct membership rule created for NYC-CM7.
Note ConfigMgr Servers collection uses a direct membership rule to include NYC-CM7 as
a member.
21. In the ConfigMgr Servers Properties dialog box, click Cancel.
22. In the navigation pane, expand Software Distribution, and then click Packages.
23. In the results pane, right-click the ConfigMgr 2007 Toolkit V2 package and then click Properties.
Note this is a MSI package.
24. Review the properties of the package, and then click Cancel.
25. In the results pane, right-click the Excel Viewer package and then click Properties. Note this is an
App-V package.
26. Review the properties of the package, and then click Cancel.
27. In the navigation pane, click Advertisements.
28. In the results pane, review the existing advertisements.
29. In the navigation pane, expand Asset Intelligence, expand Customize Catalog, and then click
Software Categories. Review the Contoso Software custom category.
30. In the navigation pane, click Software Families. Review the Contoso LOB Applications custom
family.
31. In the navigation pane, click Custom Labels. Review the Contoso Application custom label.
32. In the navigation pane, expand Desired Configuration Management, and then click Configuration
Items.
33. In the results pane, right-click the Windows Firewall Enabled configuration item and then click
Properties.
Lab: Migrating from System Center Configuration Manager 2007 to System Center 2012 Configuration Manager L8-69
34. In the Windows Firewall Enabled Properties dialog box, at the General tab review the properties,
click the Settings tab.
35. At the Settings tab, select Windows Firewall is running setting, and then click Edit.
36. In the Windows Firewall is running Properties dialog box, review the settings, and then click
Cancel. Note this configuration item is using a WQL query to check the status of the Windows
Firewall.
37. In the Windows Firewall Enabled Properties dialog box, click Cancel.
38. In the navigation pane, click Configuration Baselines.

39. In the results pane, right-click the Contoso Security Policy Validation baseline and then click
Properties.
40. In the Contoso Security Policy Validation Properties dialog box, review the settings, and then click
Cancel.
X Task 2: Configure the source hierarchy

1. On NYC-CFG, click Start, click All Programs, expand Microsoft System Center 2012, expand
3. In the navigation pane, expand the Migration node, and then click Source Hierarchy.
4. On the ribbon, click Specify Source Hierarchy.
5. In the Specify Source Hierarchy dialog box, in the Top-level Configuration Manager 2007 site
server box, type NYC-CM7.contoso.com.
6. In the Specify Source Hierarchy dialog box, under Specify the Source Site Account to use to
access the SMS Provider for the source site server. This account required Read permissions to
all source site objects, verify that User Account is selected, click Set, and then click New Account.
7. In the Windows User Account dialog box, in the User name box, type Contoso\Administrator.
8. In the Windows User Account dialog box, in the Password and Confirm password boxes, type
Pa$$w0rd and then click Verify.
9. In the Windows User Account dialog box, click Test connection.
10. In the Configuration Manager message, click OK.
11. In the Windows User Account dialog box, click OK.
12. In the Specify Source Hierarchy dialog box, under Specify the Source Site Database Account to
use to access the SQL Server for the source site server. This account requires Read and Execute
permissions to the source site database, verify that Use the same account as the Source Site
SMS Provider Account is selected, and then click OK.
13. In the Data Gathering Status dialog box, wait for the data collection to complete, and then click
Close.
14. In the navigation pane, verify Source Hierarchy is selected. In the results pane, select CM7, and then
on the ribbon, click Properties.
15. In the NYC-CM7.contoso.com Properties window, review the Data gathering interval setting that is
set to 4 hours, and then click Cancel.
16. In the preview pane, click the Shared Distribution Points tab.
17. On the ribbon, click Share Distribution Points.
18. In the Share Distribution Points dialog box, click Enable distribution point sharing for this
Configuration Manager 2007 site server, and then click OK.
19. In the Data Gathering Status dialog box, wait for the data collection to complete, and then click
Close.
20. On the ribbon, click Refresh, and then verify that \\NYC-CM7.CONTOSO.COM appears in the
preview pane on the Shared Distribution Points tab.
Note By configuring the Shared Distribution Points option, both the Configuration
Manager 2007 clients and Configuration Manager 2012 clients will have access to the
packages during migration.
Results: At the end of this exercise, you should have reviewed the configuration of the Configuration
Manager 2007 site and configured the source hierarchy in Configuration Manager 2012.
Exercise 2: Creating a Migration Job and Performing Migration

X Task 1: Create a collection migration job
1. On NYC-CFG, in the navigation pane, click Migration Jobs.
2. On the ribbon, click Create Migration Job. The Create Migration Job Wizard starts.
3. On the General page, in the Name box, type Collections and associated objects and then in the
Description (optional) box, type Migrate collections and associated objects.
4. On the General page, in the Job type box, select Collection migration, and then click Next.
5. On the Select Collections page, select Contoso Servers (this also selects New York Servers and
ConfigMgr Servers), verify the Migrate objects that are associated with the specified collections
option is selected, and then click Next.
6. On the Select Objects page, under Object types, verify that Advertisements is selected.
7. Under Available objects, click to clear the ConfigMgr 2007 SP2 KB977384 to New York Servers
check box.
8. Under Object types, select Software Distribution Packages.

9. Under Available objects, click to clear the KB977384 --- Advanced Client Hotfix --- CM7 check box.
10. Under Object types, select Virtual Application Packages.
11. Under Available objects, verify that Excel Viewer is selected, and then click Next.
12. On the Content Ownership page, observe that content ownership is assigned to NYC ---Contoso
Primary Site, and then click Next.
13. On the Security Scope page, select Default, and then click Next.
14. On the Collection Limiting page, click Next.
15. On the Site Code Replacement page, click Next.
16. On the Review Information page, review the objects to be migrated, and then click Next.
17. On the Settings page, verify that Run the migration job now is selected, review the other settings,
20. On the ribbon, click Refresh.
21. In the results pane, verify the status of the migration job is Completed. If necessary, click Refresh.

1. In the results pane, select the Collections and associated objects migration job.
2. In the preview pane, click the Objects in Job tab, and then review the objects included in the
migration job.
4. In the navigation pane, expand Device Collections, and then select the Contoso Servers node. If
you do not see the Contoso Servers folder, select the Overview node, and then press F5 on your
keyboard to refresh the navigation pane.
5. In the results pane, observe the ConfigMgr Servers and New York Servers collections.
6. Right-click the New York Servers collection and then select Properties.
7. In the New York Servers Properties dialog box, click the Membership Rules tab.
8. Under Membership rules, select the New York Servers rule, and then click Edit.
9. In the Query Rule Properties dialog box, review the query, and then click Cancel.
10. In the New York Servers Properties dialog box, click Cancel.
11. In the Configuration Manager Console, click the Software Library workspace.
12. In the navigation pane, expand Application Management, and then select the Packages node.
13. In the results pane, select ConfigMgr 2007 Toolkit V2, and then in the preview pane, click the
Deployments tab.
14. In the navigation pane, select the Applications node.

15. In the results pane, select the migrated Excel Viewer virtual application package, and then in the
preview pane, click the Deployment Types tab.
X Task 3: Migrate objects by type

2. In the navigation pane, expand the Migration node, and then click the Migration Jobs node.
3. On the ribbon, click Create Migration Job.
4. In the Name box, type Migrate objects by type and then in the Description (optional) box, type
Migration of specific objects.
5. On the General page, in the Job type box, select Object migration, and then click Next.
6. On the Select Objects page, under Object types, click to select Boundaries.
7. Under Object types, select Configuration Baselines.
8. In the Included Objects dialog box, click Continue.
9. Under Object types, select Asset Intelligence Catalog.
10. On the Select Objects page, click Next.
11. On the Content Ownership page, click Next.
12. On the Security Scope page, select Default, and then click Next.
13. On the Review Information page, review the objects to be migrated, and then click Next.
14. On the Settings page, verify that Run the migration job now is selected, review the other settings,

17. On the ribbon, click Refresh.
18. In the results pane, verify that the status of the migration job is Completed. If necessary, select the
Migrate objects by type object, and then click Refresh.

2. In the navigation pane, expand Asset Intelligence, and then click Catalog.
3. In the results pane, locate the User Defined objects.
4. In the navigation pane, expand Compliance Settings, and then click Configuration Items.
5. In the results pane, review the migrated configuration items.
6. In the navigation pane, click Configuration Baselines.
7. In the results pane, review the migrated baseline.

9. In the navigation pane, expand Hierarchy Configuration, and then click Boundaries.
10. In the results pane, review the migrated boundary.
11. In the navigation pane, click Boundary Groups.
12. In the results pane, review the boundary groups created for the Configuration Manager 2007 site and
for the distribution points.
X Task 5: View migration reports

2. In the navigation pane, expand Reporting, and then expand Reports.
3. Click the Migration folder.
4. In the results pane, click Migration Job properties, and then on the ribbon, click Run.
5. After Migration Job Name, click Values.
6. Under Migration Job Name, click the first migration job, and then click OK.
7. Click View Report.
8. Close the Migration Job properties window.
9. In the results pane, click Migration jobs, and then on the ribbon, click Run.
10. Close the Migration jobs window.
X Task 6: Decommission the source hierarchy

2. In the navigation pane, expand the Migration node, and then click the Source Hierarchy node.
3. In the results pane select CM7, and then, on the ribbon, click Stop Gathering Data.
5. In the results pane verify that CM7 has the status Have not gathered data, and then, on the ribbon,
click Clean Up Migration Data.
6. In the Clean Up Migration Data dialog box, verify that in the Source hierarchy box appears CM7
(NYC-CM7.contoso.com) and then click OK.
8. In the results pane, note that source hierarchy has been removed.
Results: At the end of this exercise, you should have created migration jobs, performed object migration,
and viewed the migration reports. You have also decommissioned the source hierarchy.
X To prepare for the course finish

following steps:
2. In the Virtual Machines list, right-click 10748A-NYC-DC1-B and then click Revert.
4. Repeat steps 2 to 3 for 10748A-NYC-CFG-B and 10748A-NYC-CM7-B.

10748A-ENU-Deploying System Center 2012 Configuration Manager

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

10748A-ENU-Deploying System Center 2012 Configuration Manager

Hochgeladen von

Copyright:

Verfügbare Formate

MCT USE ONLY.

STUDENT USE PROHIBITED

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty

Product Number: 10748A

Part Number: X18-40576

a. If you are a Authorized Learning Center:

b. If you are a MPN Member.

c. If you are an End User:

2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable

13. APPLICABLE LAW.

This limitation applies to

LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES DOMMAGES. Vous

Revised December 2011

Adrian Stoian --- Subject Matter Expert

Conan Kezema --- Subject Matter Expert

David Susemiehl --- Content Developer

Bob Lawler --- Technical Reviewer

Module 2: Planning and Deploying a Stand-Alone Primary Site

Module 3: Planning and Configuring Role-Based Administration

Module 4: Planning and Deploying a Multiple-Site Hierarchy

Module 5: Data Replication and Content Management

Module 6: Planning and Completing System Center 2012

Module 7: Maintaining and Monitoring System Center 2012

Module 8: Migrating from System Center Configuration Manager 2007 to

Appendix: Lab Answer Keys

About This Course

Networking fundamentals, including TCP/IP and Domain Name System (DNS)

Active Directory principles and management

Microsoft Windows client fundamentals

Deployment, configuration, and troubleshooting for Windows-based personal computers

Microsoft SQL Server 2008 including Reporting Services

Basic Public Key Infrastructure (PKI) concepts

Desired: Have a base-level understanding of System Center Configuration Manager 2007

Plan and deploy a stand-alone primary site.

Perform maintenance tasks and monitor site systems.

Module 1: Overview of System Center 2012 Configuration Manager

Module 2: Planning and Deploying a Stand-Alone Primary Site

Module 3: Planning and Configuring Role-Based Administration

Module 4: Planning and Deploying a Multiple-Site Hierarchy

Module 5: Data Replication and Content Management

Module 7: Maintaining and Monitoring System Center 2012 Configuration Manager

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site:

Student Course Files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the

Virtual Machine Environment

Virtual Machine Configuration

2. In the Revert dialog box, click Yes.

Virtual machine Role

10748A-NYC-CFG Configuration Manager 2012 primary site in New York

10748A-NYC-CAS Configuration Manager 2012 central administration site

10748A-LON-CFG Configuration Manager 2012 primary site in London

10748A-TOR-CFG Configuration Manager 2012 secondary site

10748A-NYC-CM7-B Configuration Manager 2007 primary site

10748A-NYC-SVR1-C Member server in the Contoso domain

Windows Server 2008 R2 SP1

Course Hardware Level

Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor

8 GB random access memory (RAM)

Microsoft mouse or compatible pointing device

Sound card with amplified speakers

Lesson 2: Overview of the Configuration Manager 2012 Server Default

Lesson 3: Overview of the Configuration Manager 2012 Server Optional

Lesson 4: Overview of Configuration Manager 2012 Deployment Scenarios 1-43

After completing this module, you will be able to:

Describe the System Center 2012 Configuration Manager architecture.