locked
Client's Management Point Assignment RRS feed

  • Question

  • I need a little clarification regarding the process of how client chooses his MP in SCCM2012 and what MP it actually uses.

    I am now in a phase of migration from old SCCM2007 hierarchy (1 Primary(DTC) + 12 Secondary). I want to rebuild the same hierarchy for SCCM2012. I installed a new primary with new sitecode(CEN), pushed some clients and checked everything is working fine. I then deinstalled secondary site BEL through SCCM2007 console, waited for AD to update container. Then i pushed secondary site installation to that server. After that I assigned the boundary group to that BEL server and unassigned it from CEN site (primary doesn't have boundaries as it was in my SCCM2007 install). The clients are pushed out right, content is flowing from BEL distribution point, not the CEN site.

    But I'm confused how clients communicate with MPs. After 2 days after the boundary group is moved from primary to secondary I see in client logs:
    ClientLocation.log
    Current Proxy Management Point is BEL-SCCM.mydomain.local with Version 7711 and Capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 4/27/2012 11:13:33 AM 22492 (0x57DC)
    Current Assigned Management Point is CEN-SCCM.mydomain.local with Version 7711 and Capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 4/27/2012 11:13:33 AM 22492 (0x57DC)
    These are repeated constantly.

    From DataTransferService.log and some other logs I see the client using primary site's MP for policy download and other stuff. I have about 1200 clients pushed out from BEL site. When I open Resource Monitor - I see many connections to CEN site and very few to BEL site.
    I must say that these site servers are located in one network and primary site falls into boundary group assigned to secondary, but that would not be true with other future secondaries. Anyway, I want to minimize (or better eliminate completely) client traffic to primary site MP.
    Am I doing something wrong in that scenario and why clients use primary MP even having assigned boundary group to secondary?

    Friday, April 27, 2012 7:35 AM

Answers

  • What are the subnets defined in that AD Site. AD Site boundaries don't work exactly how you think they do.

    Using IP Address ranges is always prefered. In fact, forest discovery in 2012 will actually create them for you.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Friday, April 27, 2012 3:36 PM

All replies

  • A client will always be assigned to a primary site, never a secondary site, so your log indicates no error in that matter. The client even uses the proxy MP on the secondary site so everything looks good.

    Since you have overlapping boundaries, which is neither recommended nor supported, you can expect some funny/impredictable behaviour in the way your clients choose their MPs.

    Friday, April 27, 2012 8:18 AM
  • Erik, I know of a client being always assigned to a primary. The log looks good, but in fact I see the clients using primary site MP, that is a piece from DataTransferService.log:

    DTS job {48FD655D-196C-40D3-BDE2-DE4A9451DE50} has completed:
     Status : SUCCESS
     Start time : 04/27/2012 10:09:32
     Completion time : 04/27/2012 10:09:44
     Elapsed time : 12 seconds DataTransferService 4/27/2012 10:09:44 AM 12348 (0x303C)
    UpdateURLWithTransportSettings(): OLD URL - http://CEN-SCCM.mydomain.local/SMS_MP DataTransferService 4/27/2012 11:09:32 AM 6104 (0x17D8)
    UpdateURLWithTransportSettings(): NEW URL - http://CEN-SCCM.mydomain.local:80/SMS_MP DataTransferService 4/27/2012 11:09:32 AM 6104 (0x17D8)
    Added (source=.sms_pol?{523a211e-0766-434d-9a99-b50f99d5eb02}.5_00,dest={FA6D1654-DAEB-4043-80DE-BF2B35A546B4}.tmp) pair from manifest. DataTransferService 4/27/2012 11:09:32 AM 6104 (0x17D8)
    DTSJob {4C8F4A17-4DBA-41B5-8E84-A7735916D65C} created to download from 'http://CEN-SCCM.mydomain.local:80/SMS_MP' to 'C:\Windows\CCM\Temp'. DataTransferService 4/27/2012 11:09:32 AM 6104 (0x17D8)
    DTSJob {4C8F4A17-4DBA-41B5-8E84-A7735916D65C} in state 'PendingDownload'. DataTransferService 4/27/2012 11:09:32 AM 12708 (0x31A4)

    In LocationServices.log I see "Current AD site of machine is BEL". AD Site BEL is the only boundary for boundary group BEL. This boundary group is assigned to ONLY secondary site, not primary. So as you can see I don't have overlapping boundaries - I know of these things and potential problems well enough from SCCM2007. I checked System Management container and the records look fine. No error in hman.log of course (on both site servers).

    I found just few clients having another behaviour. In ClientLocation.log:

    Current Proxy Management Point is BEL-SCCM.mydomain.local with Version 7711 and Capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 4/27/2012 11:13:33 AM 22492 (0x57DC)
    Current Assigned Management Point is CEN-SCCM.mydomain.local with Version 7711 and Capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 4/27/2012 11:13:33 AM 22492 (0x57DC)
    ...These lines repeated constantly... and then:
    Current Resident Management Point is BEL-SCCM.mydomain.local with Version 7711 and Capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
    After that - only one repeating line:
    Current Proxy Management Point is BEL-SCCM.mydomain.local with Version 7711 and Capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 4/26/2012 2:15:24 PM 3732 (0x0E94)

    All clients were installed via push in one batch about 2 days ago, most of them use primary CEN site's MP, only few have "Current Resident point is BEL-SCCM.mydomain.local" in a log. I assume they begin to really use a proxy MP after that line is logged. I just can't figure out what exactly triggers the client to change his MP (Resident MP).
    If in console I open up a collection to which I pushed the client and filter it by "Clent=Yes" and "MP contains ..." I get:

    26 clients for BEL-SCCM MP; 1373 clients for CEN-SCCM.

    And that is exactly what I see from MP's network activities mentioned above. Clients assigned to secondary are with different OS versions and from different subnetworks, different OUs, not having any special GPOs on them - I really can't figure out why only that subset managed by secondary and not others.
    Once again - CEN site system has no boundaries, they are set up only for BEL-SCCM.
    I hope that client uses firstly info from AD for assignment, am I right? I also have DNS-publishing for MPs enabled, CEN site server is located in mydomain.local root DNS zone, while BEL secondary site is registered in bel.mydomain.local zone. DNS-suffix search is set to first look in root DNS zone, then in client's regional zone. All clients are also registered in DNS in their regional second-level zone. Can such settings influence MP assignment somehow?

    Friday, April 27, 2012 9:40 AM
  • Anyway, I want to minimize (or better eliminate completely) client traffic to primary site MP.

    Completely eliminating the traffic will never happen -- secondaries are not gateways and some client to primary MP communication is actually required.

    Do you have any boundaries for the primary at all?

    What exactly do your boundaries look like and contain?


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Friday, April 27, 2012 1:53 PM
  • Jason, thank you for a reply. I understand that I can't eliminate all traffic, at least I need to contact main MP after client install. But it would be good to direct all the other "ordinary" policy requests to secondary MP (I prefer much more frequent police requests than default setting). By the way, clients seem to catch its point for DP and for WSUS scanning source, but appear to be assigned to central MP.

    I have exactly: 1 Boundary group with 1 boundary in it, configured as AD site (I double checked that clients fall into that AD site). When I open up Boundary Group properties - I have only 1 site system in the second pane (Links) - it is seconday site server. No any other systems in any boundary groups. In site assignment I have secondary site because help tip states that it would be the source point for client push (and it actually works right now). Yes, I know that clients then get assigned to primary after deployment.

    Now I have 24 clients for BEL-SCCM MP; 1399 clients for CEN-SCCM. (26 clients for BEL-SCCM MP; 1373 clients for CEN-SCCM 5 hours ago) - info from collection view filtered by MP (I think it counts active MP the client actually talks to).

    It would be nice to get clarifications on these logged events and what exactly they mean and what triggers them:

    Current Proxy Management Point is ...
    Current Assigned Management Point is ...
    Current Resident Management Point is ...

    I can see that clients begin to really talk to secondary/proxy MP after they log the last one, "resident MP".

    Friday, April 27, 2012 3:34 PM
  • What are the subnets defined in that AD Site. AD Site boundaries don't work exactly how you think they do.

    Using IP Address ranges is always prefered. In fact, forest discovery in 2012 will actually create them for you.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Friday, April 27, 2012 3:36 PM
  • I have a long list of subnets contained in that AD Site, mainly /24 networks (about 20). I always thought that the client just queries the AD and the assigned subnets are exactly as listed there. In other way, I thought setting AD site boundary is just a workaround to not make many IP ranges in case they are already in your AD. As for forest discovery, I didn't turn it on as I only have one big domain (but my DNS is splitted into secondary zones by locations).

    When you say "AD Site boundaries don't work exactly how you think they do" - it would be nice to have some article or blog post on it, I'm not sure we are the only company using AD Site boundaries.

    I'll add some IP ranges and check that tomorrow morning, most of the clients are already off now.

    And one more interesting thing - at first I didn't have boundaries, I tried to push a client to collection, SCCM2012 gave me an error that there are no clients in boundaries. Then I added the boundary group to secondary site and updated the collection membership - all clients became from site BEL(secondary) with about 20-30 clients with no site at all (wrong IPs and so on, I know why, that's OK). The client was pushed only from secondary site, no one from primary (ccm.log). So I'm pretty sure that I don't have overlapping and that at least servers estimate boundaries OK. But it seems clients don't.

    • Edited by Speedimon Friday, April 27, 2012 4:19 PM
    Friday, April 27, 2012 4:04 PM
  • When you say "AD Site boundaries don't work exactly how you think they do" - it would be nice to have some article or blog post on it, I'm not sure we are the only company using AD Site boundaries.

    Try these: http://blogs.technet.com/b/configurationmgr/archive/2009/11/04/some-configmgr-2007-clients-never-install-packages-report-status-of-waiting-on-content.aspx

    http://blogs.technet.com/b/configurationmgr/archive/2010/03/22/clarification-on-issues-resulting-from-the-use-of-supernets-in-configmgr-2007.aspx

    Sunday, April 29, 2012 6:41 PM
  • I am actually having the same exact issue with the exception that I am using IP ranges for my site boundaries.  I understand that my clients get assigned to my primary site, and not my secondary site, but all of my clients are getting assigned to the management point located on the primary site.

    I have separate boundary groups for site assignment and content location.  My clients are all getting their content from the right DPs, but all of my clients are reporting their MP as the Primary Site server, not the Secondary Site servers.  I see no mention of the secondary site servers in either locationservices.log or clientlocation.log at all.  I have no overlapping boundaries.  I am only using AD for site discovery, no DNS.  I verified all of the boundaries are present in the System Management container.

    Any advice would be greatly appreciated.

    Tuesday, August 20, 2013 6:09 AM
  • Client's choose to use an MP at a secondary site based on content location boundaries, not site assignment boundaries because they are never actually assigned to a secondary site: http://blog.configmgrftw.com/?p=453

    Discovery has nothing to (directly) do with where client agent's themselves are assigned.


    Jason | http://blog.configmgrftw.com

    Tuesday, August 20, 2013 12:57 PM