Primary Site Deployment on Same Subnet

  • Question

  • Can two Primary Sites be installed on the same subnet or is there an issue then with overlapping boundaries? I know it is a strange question but I have an infrastructure (very small in number of nodes <1000 but multiple forests). The client wants to contain SCCM client traffic with the forest. There are currently no two-way trusts in place to support Primary Sites cross forest (which I consider an even greater security risk than the current concern for opening the 2 ports (80, 8530) to support cross forest client communication.) BUT, I am about to hit the MP limitation and the only option is to add a CAS and another Primary. The forest that contains the recommended Stand-alone Primary has only 2 subnets. I can add a Primary to the second subnet but can I add multiple Primaries to one subnet? I appreciate the help. Thank you.
    Monday, May 19, 2014 11:27 AM

All replies


  • There's no trust required to manage clients in other forests. A standalone primary can handle that.
    Why do you have to keep the ConfigMgr client traffic within the same forest?
    Do not use a CAS! It's only needed if you want to manage more than 100.000 clients and it requires a two-way trust. Multiple primaries is not the best option, but they can live in the same subnet/forest as long as site assignment boundary/groups do not overlap.

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, May 19, 2014 11:33 AM
  • I understand that clients can be managed without a Trust. I have recommended a very simple Stand-alone Primary Site design (which reduces the number of site systems significantly) but the networking team does not want to open the ports required to allow all the clients in an untrusted forest to communicate with the Site Servers cross forest (which in this case are only MP, DP and SUP traffic--ports 80, 8530 (please correct me if I am wrong on the ports)).

    If I install a second Primary on the same subnet, in order to avoid an overlapping boundary, the 2nd Primary Site server would actually then belong to another site.  Is that correct?  Thanks

    Monday, May 19, 2014 11:51 AM
  • It does not matter where the primary is placed. It's only a matter of ConfigMgr's configuration (i.e. boundary / group setup).
    Not allowing 80/8530 traffic will result in setting up two *separate* primary sites thus doubling the administrative effort.

    Torsten Meringer | http://www.mssccmfaq.de

    • Marked as answer by AMRDC Monday, May 19, 2014 12:42 PM
    Monday, May 19, 2014 12:31 PM
  • I am still trying to help them see the reason (benefit) for going with the recommended "Stand-alone Primary" Design.  :)  Thanks for your quick response and helpful information. 
    • Marked as answer by AMRDC Monday, May 19, 2014 12:42 PM
    Monday, May 19, 2014 12:42 PM
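
The non-overlap condition on site assignment boundaries discussed in this thread can be checked before a second primary is added. The following is an added example, not code from the thread or from ConfigMgr: site codes P01/P02 and all addresses are constructed, and it assumes IPv4 boundaries of type IP subnet or IP range only (Active Directory site and IPv6 prefix boundaries are not handled).

```python
import ipaddress
from itertools import combinations

def to_span(kind, value):
    """Return (first, last) integer addresses covered by one boundary."""
    if kind == "subnet":
        net = ipaddress.ip_network(value, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if kind == "range":
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in value.split("-"))
        if lo > hi:
            raise ValueError(f"range start after end: {value}")
        return lo, hi
    raise ValueError(f"unsupported boundary type: {kind}")

def find_overlaps(boundaries):
    """boundaries: list of (site_code, kind, value) used for site assignment.
    Returns pairs of boundaries that overlap AND belong to different sites."""
    spans = [(site, value, to_span(kind, value)) for site, kind, value in boundaries]
    conflicts = []
    for (s1, v1, (a1, b1)), (s2, v2, (a2, b2)) in combinations(spans, 2):
        # Two closed intervals intersect when each starts before the other ends.
        if s1 != s2 and a1 <= b2 and a2 <= b1:
            conflicts.append(((s1, v1), (s2, v2)))
    return conflicts

# Constructed sample: two primaries sharing 10.10.1.0/24, split by IP range.
SPLIT = [
    ("P01", "range", "10.10.1.1-10.10.1.127"),
    ("P02", "range", "10.10.1.128-10.10.1.254"),
    ("P01", "subnet", "10.10.2.0/24"),
]
# Same layout plus a whole-subnet boundary for P02 that collides with P01's range.
OVERLAP = SPLIT + [("P02", "subnet", "10.10.1.0/24")]

if __name__ == "__main__":
    for name, layout in (("split", SPLIT), ("overlap", OVERLAP)):
        found = find_overlaps(layout)
        print(name, "OK" if not found else f"conflicts: {found}")
```

Where the site servers themselves sit does not enter the check; only the assignment boundaries do, which matches the answer given in the thread.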