Multiple Primary Sites connected to a CAS RRS feed

  • Question

  • On a global deployment of SCCM 2012 we are planning on deploying a CAS in the global domain, Primary Sites in the sub-domains and Secondary Sites in the smaller subsidiaries where needed.

    I understand that all collections, clients and packages come through to the CAS but could an administrator connected to Primary Site A see the collections and packages in Primary Site B? Are they independent of each other with the exception of the CAS or do all sites in the hierarchy show everything from all sites?

    If that is the case then ideally we would want administrators of Site A to not even be able to connect to Site B, but I am struggling to understand how this could be achieved.


    • Edited by Isnips Monday, December 1, 2014 3:32 PM
    Monday, December 1, 2014 3:30 PM

All replies

  • Why are you using a CAS (Central Administration Site) and multiple primaries? I hope it's not because you want to delegate permissions... That whole design has changed with ConfigMgr 2012. You should use security roles and scopes to define the permissions and access of users, as all the information will sync between the CAS and primaries.

    For more information about scopes and roles see: http://technet.microsoft.com/en-us/library/hh427332.aspx#BKMK_ConfigureRBA


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Monday, December 1, 2014 3:37 PM
  • The use of a CAS was made due to the scale of the deployment.

    I am just struggling to get my head around the RBA. We want to ensure that each geographical location can, for example, create and deploy their own applications without the other locations having any access to it whatsoever. Essentially, what they do in their site is completely isolated from the rest of the environment, with the exception of the CAS for obvious global reporting reasons.

    Monday, December 1, 2014 3:44 PM
  • You need to define access based on roles and scopes. In the role you define the level of access and in the scope you define the objects the access is limited to. Have a good read of the link I mentioned earlier, as it will help you out with working out a good role-based access model.


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Proposed as answer by Jörgen Nilsson MVP Monday, December 1, 2014 4:08 PM
    • Marked as answer by Isnips Wednesday, December 3, 2014 10:25 AM
    Monday, December 1, 2014 3:48 PM
  • "The use of a CAS was made due to the scale of the deployment."

    So you mean you have more than 100k devices. Regardless of having a CAS and multiple primaries or having only one primary, if you have (let's say) a total of 3,000 devices split up into 1k silos of responsibility, you essentially create 3 collections, and those 3 silos get rights to their collection of devices. Connecting to the primary sites for the console really isn't "normal" in CM12--it's called the Central Administration Site for a reason--it really makes it less confusing for those people that need to use the console. You may not think so initially (coming from a CM07 point of view), but it really is the best in a CM12 world. If you have people in different locations which need console rights, the easiest, IMO, is to have a Citrix-hosted console, and people just connect to that console remotely, where the Citrix host is in the same data center as the Central Administration Site.

    Now, if you do NOT have 100k devices, or you are nowhere near that number, please please please, I beg you, PLEASE rethink your perceived need for a CAS and primary sites. T-shooting replication issues is no fun, no joy to be had there at ALL. You need to set up RBA correctly regardless of a CAS and primaries, or just 1 primary--so having a CAS and primaries when there is ZERO NEED for it due to scale--well, all I can say is I sincerely hope you are a contractor, and are just setting this up and then bailing never ever to return, and leaving the mess behind for the poor day-to-day admins to deal with.


    Standardize. Simplify. Automate.

    Monday, December 1, 2014 8:22 PM
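The roles-and-scopes model Peter describes, and the "one collection per silo" approach Sherry outlines above, can be scripted so that every region is provisioned the same way. The following is an added example, not code posted by anyone in this thread: it uses the ConfigMgr PowerShell module (loaded from the installed console) to create, per regional team, a security scope and a limiting device collection, removes the collection from the Default scope, binds the team's AD group to a built-in role restricted to that scope and collection, and finishes with an audit that lists applications still carrying the Default scope (the ones every admin can see). The site code, group names, collection names and the domain values in the query are hypothetical placeholders; cmdlet parameter availability varies by ConfigMgr version, so check `Get-Help` on your build.

```powershell
# Added example, not from any poster in this thread.
# Assumes the ConfigMgr console (and its PowerShell module) is installed on this
# machine and the account has Full Administrator rights on the CAS.
# All names, site codes and domain values below are hypothetical placeholders.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'CAS'                      # placeholder: your CAS site code
Set-Location "${SiteCode}:"

# One entry per regional silo (constructed sample data).
$Silos = @(
    @{ Name = 'SiteA'; Group = 'CONTOSO\SCCM-SiteA-Admins'; Domain = 'SITEA' },
    @{ Name = 'SiteB'; Group = 'CONTOSO\SCCM-SiteB-Admins'; Domain = 'SITEB' }
)

foreach ($silo in $Silos) {
    $scopeName = "Scope-$($silo.Name)"
    $collName  = "$($silo.Name) - All Devices"

    # 1. Security scope: the label RBA uses to decide which objects a role may touch.
    if (-not (Get-CMSecurityScope -Name $scopeName)) {
        New-CMSecurityScope -Name $scopeName -Description "Objects owned by $($silo.Name) admins" | Out-Null
    }

    # 2. Limiting collection: every collection this team creates must be limited by it,
    #    so they can never target devices outside their region.
    if (-not (Get-CMDeviceCollection -Name $collName)) {
        New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' | Out-Null
        # Query rule selecting the region's devices by domain (placeholder value).
        $query = "select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, " +
                 "SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client " +
                 "from SMS_R_System where SMS_R_System.ResourceDomainORWorkgroup = '$($silo.Domain)'"
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName `
            -RuleName "$($silo.Name) devices" -QueryExpression $query
    }

    # 3. Tag the collection with the team's scope, then drop it from Default so that
    #    only holders of this scope can see it. (Folders cannot be scoped at all.)
    $coll = Get-CMDeviceCollection -Name $collName
    Add-CMObjectSecurityScope -Name $scopeName -InputObject $coll
    Remove-CMObjectSecurityScope -Name 'Default' -InputObject $coll -Force

    # 4. Administrative user: AD group + built-in role, limited to this scope and collection.
    if (-not (Get-CMAdministrativeUser -Name $silo.Group)) {
        New-CMAdministrativeUser -Name $silo.Group `
            -RoleName 'Application Administrator' `
            -SecurityScopeName $scopeName `
            -CollectionName $collName | Out-Null
    }
}

# 5. Audit: applications that still carry the Default scope are visible to every
#    admin who holds Default, i.e. they were never assigned to a regional scope.
Get-CMApplication | Where-Object {
    (Get-CMObjectSecurityScope -InputObject $_).CategoryName -contains 'Default'
} | Select-Object LocalizedDisplayName
```

Run the audit step on its own after each import of applications or packages: new objects are created in the Default scope (or in the scopes of the creating admin) and the isolation discussed in this thread only holds once every object a region owns has been moved to that region's scope and removed from Default.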
  • Thanks for all the advice.

    I think I have figured out the best approach. The only irritation is that if there are folders for either collections or applications, they still appear even if the user has no rights and therefore no view of anything within them.

    I can appreciate your comments regarding the use of a CAS, and although currently the total number of clients is not quite at the 100k mark, the organisation made the decision to use one to allow for further expansion without the need for potential reconfiguration. I'm just putting the skeleton structure in and leaving it with them.

    Tuesday, December 2, 2014 8:46 AM
  • "I think I have figured out the best approach. The only irritation is that if there are folders for either collections or applications, they still appear even if the user has no rights and therefore no view of anything within them."

    That's correct and you can't change that as you can't set security scopes on folders.


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Tuesday, December 2, 2014 9:01 AM
  • There are two schools of thought around folders. Option #1: accept the fact that folders will be visible to all, and people just learn to accept that. Option #2: strongly encourage people NOT to use folders at all, but instead come up with a naming standard for any objects, so that it is easily searchable in the search window at the top.

    My company went with Option #2. I know some other companies just can't handle the fact that the CM12 console simply isn't folder-aware (it's not a file system :). I've also heard of some customizations and automations done around folders; i.e., there's a folder called "Pilot" and a folder called "Production". As soon as an admin moves something from the pilot to the production folder... automation happens in the back end so that it's no longer modifiable by the pilot team.

    Since we went with Option #2, no folders anywhere ever, I just don't get people's need for folders. We simply have none and it's great.


    Standardize. Simplify. Automate.

    • Marked as answer by Isnips Wednesday, December 3, 2014 10:25 AM
    Tuesday, December 2, 2014 5:28 PM
  • Thanks Sherry,

    I agree with your thoughts. The customer has got used to the folder structure side of things.

    Personally I quite like it and it keeps things nice and tidy. The package/application source structure matches the packages and applications structure and the collection structure.

    Any who, thanks for all your help. Really appreciate it.

    Wednesday, December 3, 2014 10:29 AM