CM2012 site topology 3 questions

  • Question

  • Currently running an SCCM 2007 SP2 R3 Primary site with four DPs, two of them remote, with just over 10k clients total. The two remote sites (500+ clients each) are really wanting to be able to use SCCM, but I really don't want them even looking at the entire site. Plus since bandwidth is an issue between the three sites, I'd like to set up Primary sites at each of the two remote locations with a CAS and Primary site at the central location. Is that a good idea considering the politics and location issues?

    Second question, is there a downside to internet-enabling all clients? My CM2007 site is in native mode with auto-enrollment GPO working fine. Imaging works well using the unknown systems with a boot disk (waiting for Altiris to die to get PXE).

    Last question, I read somewhere that DPs are limited to 4k clients, is that correct? If so, I'll need two more DPs and I was wondering if setting up two ESX VMs as DPs that are internet facing would work?

    Monday, October 1, 2012 9:10 PM


All replies

  • #1: a standalone Primary plus 2 secondaries will also work
    #2: no
    #3: yes, 4k per DP http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SiteAndRoleScale. Why do you want all 4k clients to connect to the Internet facing DP?

    Torsten Meringer | http://www.mssccmfaq.de

    • Marked as answer by JBark Tuesday, October 2, 2012 1:40 PM
    Monday, October 1, 2012 9:19 PM
  • For #1, I'd say no, this is not just not a good idea, it's a bad idea.

    If you have a distributed administration model, then use role based administration -- using multiple primaries will not/does not limit what admins have permissions to. For bandwidth constraints, you should use secondary sites. For 500, I might even opt for just stand-alone DPs.

    Jason | http://blog.configmgrftw.com

    Monday, October 1, 2012 10:37 PM
  • Thanks for the quick replies!

    Torsten, I think I worded that a bit vaguely, I need to have at least one DP that offsite systems can get updates from. I just figured that the VM servers with just the DP role would be better suited for that than my primary site server.

    Jason, I have DPs at both remote locations now and that's not working for the staff at those sites. I will look at secondary sites again. Thanks!

    Tuesday, October 2, 2012 12:40 PM
  • Can you expand on why that's not working please so we can better understand your requirements and possibly tweak our suggestions?

    Jason | http://blog.configmgrftw.com

    Tuesday, October 2, 2012 3:37 PM
  • Hi Jason, I'm reading up on RBAC after finding one of your posts from earlier this year;


    And reviewing Kent's blog leads me to think I do need two remote secondary sites rather than just DPs.


    • More than 500 clients in a remote location (right at this now, will need room to grow)
    • Need a local Management Point (needed)
    • Need a local Software Update Point (needed)
    • Need a local State Migration Point (needed)

    Getting back to RBAC, so essentially, I create collections for the remote systems and set up the remote IT admins with whatever roles they want, i.e. Reporting, then use security scopes to limit what they can see. Which should keep them out of my main site.

    I also just ordered two books.

    "Microsoft System Center 2012 Configuration Manager: Administration Cookbook" and "Mastering System Center 2012 Configuration Manager"

    Do you have any other suggestions? Thanks!

    Tuesday, October 2, 2012 4:02 PM
  • The secondary vs. remote DP is a very subjective discussion and depends not just on client count but also on available bandwidth and connectivity. There isn't necessarily a wrong answer unless the connectivity to the site is suspect or severely limited for the number of clients that are across the link -- then a secondary is clearly called for.

    The reason I personally shy away from secondaries is that they offer no recourse when they fail or are offline; the clients are essentially orphaned until the secondary is restored to online status again (whatever that takes depending on what the problem was).

    Jason | http://blog.configmgrftw.com

    Tuesday, October 2, 2012 4:10 PM
  • Agreed on the orphan status if a secondary fails, which was why I leaned towards a CAS with Primary sites in the first place since you could restore from the CAS quickly. I'm still not 100% sure which topology to set up yet, but I have several months before I need to decide as I'll wait till SP1 is slipstreamed into CM2012 on the MVL. Thanks again!
    Tuesday, October 2, 2012 4:21 PM
  • Handling primary sites for availability is much easier, you simply add multiple MPs, DPs, and (in SP1) SUPs. Adding multiple primary sites just adds multiple single points of failure with a lot of extra complexity to boot.

    Using stand-alone DPs also completely eliminates SQL replication from the picture.

    Jason | http://blog.configmgrftw.com

    Tuesday, October 2, 2012 4:51 PM