Site hierarchies with CAS

    Question

  • I wonder how to work with site hierarchies with CAS.

    I have read about global data, site data etc. but still have questions.

    Let's say we have an environment with a central administration site (CAS) and two underlying primary sites.

    Clients belong to the respective primary site, but if you want to share applications, collections, management of Software Updates, OSD, reports etc., how do you accomplish that?

    Will objects created in a primary site be available in the other primary site, or should we, in order to achieve this functionality, create them in the Central Administration Site?

    If, the opposite way, we do NOT want to share things between the primary sites, would you then have to configure security with security scopes?

    I've been looking for information about this but haven't found much, so it would be nice to get some tips on where to read about this.

    It would be interesting to hear how others solved the design of larger SCCM environments with a central administration site involved.

    Thursday, October 10, 2013 7:28 AM

Answers

  • 44k clients (even if this is just 50% of the total amount) do not require a CAS. This *might* not have been the best decision, but there are a lot of things to consider when it comes to a hierarchy design.
    Security scopes cannot be used to control security between sites: they are also replicated. Plus - as I already mentioned - sites are no longer security boundaries. Just think of domain controllers: you will see the same objects on each DC. The same is true for multiple primaries under a CAS.
    What separation do you want to achieve?

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, October 10, 2013 10:11 AM
    Moderator

All replies

  • Step one: avoid a CAS if possible. Only use it if you have to manage more than 100k clients.
    CAS = "central administration site". The name implies that all administration should be done there. Applications etc. are global data; it does not matter where they are created - they will be replicated to and be available on all sites.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, October 10, 2013 7:56 AM
    Moderator
  • The SCCM hierarchy is already designed and installed by a consultant from Microsoft Services, so the CAS is a fact :)

    So applications and other things are global data; that means if we do NOT want to share objects between underlying primary sites we have to use security scopes?

    An application deployed to a collection is global data and will be usable between the different primary sites; what is then the difference if you created the objects with the SCCM console connected to the CAS or to some primary site? No difference?

    Thursday, October 10, 2013 8:10 AM
  • Just out of curiosity: how many clients will there be in total?

    Sites are no longer security boundaries (as they were in CM07). Security scopes will also be replicated to all sites. Why do you want to "hide" (not meant in a negative way) things? What's the business reason or use case?

    It does not make a difference where an application or collection will be created.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, October 10, 2013 8:20 AM
    Moderator
  • I'm not sure how many clients it'll be in the end, but in one of the primary sites we now have 44 000 clients.

    Security scopes will be replicated, but can or should they still be used to control security between sites?

    I don't have the background to the design right now, but I can imagine that there will be different administrators and that the communication between sites is controlled by firewalls and so on.

    I have to install a site structure with CAS and two primary sites in a lab to get this clear I think :)

    Thursday, October 10, 2013 9:42 AM
  • We wanted to keep the network communication between SCCM clients and servers in the same zone, one SCCM site per zone in the network. To accomplish this, the only way was to have one SCCM site per network zone. It was okay to let the primary site servers communicate with one another using IPsec tunnels. In this way we got one point of administration.

    Friday, November 29, 2013 8:29 PM