You can install one or more optional site system roles at each
System Center 2012 Configuration Manager site to
extend the management functionality of the site. You can specify a
new server as a site system server and add the site system roles,
or install the site system roles to an existing site system server
in the site.
Tip |
When a site system server is a computer other than the site
server, it is referred to as a remote site system because it is
remote from the site server in the site. Similarly, any site system
role on that server is referred to as remote. For example, a remote
distribution point is a site system server on a computer other than
the site server, and which has installed on it the distribution
point role. |
Note |
When you install a site system role on a remote computer
(including an instance of the SMS Provider), the computer account
of the remote computer is added to a local group on the site
server. When the site is installed on a domain controller, the
group on the site server is a domain group instead of a local
group, and the remote site system role is not operational until
either the site system role computer restarts, or the Kerberos
ticket for the remote computer's account is refreshed. |
Use one of the following wizards to install new site system
roles:
- Add Site System Roles Wizard: Use this
wizard to add site system roles to an existing site system server
in the site.
- Create Site System Server Wizard: Use
this wizard to specify a new server as a site system server, and
then install one or more site system roles on the server. This
wizard is the same as the Add Site System Roles Wizard,
except that on the first page, you must specify the name of the
server to use and the site in which you want to install it.
Note |
Configuration Manager does not support site system roles for
multiple sites on a single site system server. |
By default, when Configuration Manager installs a site system
role, the installation files are installed on the first available
NTFS formatted disk drive that has the most available free disk
space. To prevent Configuration Manager from installing on specific
drives, create an empty file named no_sms_on_drive.sms and
copy it to the root folder of the drive before you install the site
system server.
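The following script is an added example, not part of the original documentation. It lists the fixed NTFS drives on the server that will host the site system role, ordered by free space, and creates the empty no_sms_on_drive.sms marker on every drive except the one you allow. The function name and the AllowedDrive parameter are hypothetical.

```powershell
# Added example: run locally on the server before you install the site system role.
# Set-NoSmsOnDriveMarker and -AllowedDrive are illustrative names, not product cmdlets.
function Set-NoSmsOnDriveMarker {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z]:$')]
        [string] $AllowedDrive
    )

    # Fixed local disks (DriveType 3) formatted with NTFS, most free space first.
    $ntfsDisks = Get-CimInstance -ClassName Win32_LogicalDisk `
            -Filter "DriveType = 3 AND FileSystem = 'NTFS'" |
        Sort-Object -Property FreeSpace -Descending

    foreach ($disk in $ntfsDisks) {
        $marker = Join-Path -Path "$($disk.DeviceID)\" -ChildPath 'no_sms_on_drive.sms'

        # String comparison with -ne is case-insensitive, so 'e:' matches 'E:'.
        $excluded = $disk.DeviceID -ne $AllowedDrive

        if ($excluded -and -not (Test-Path -LiteralPath $marker)) {
            if ($PSCmdlet.ShouldProcess($marker, 'Create empty marker file')) {
                New-Item -Path $marker -ItemType File | Out-Null
            }
        }

        # Report the state of each drive so the result can be reviewed.
        [pscustomobject]@{
            Drive     = $disk.DeviceID
            FreeGB    = [math]::Round($disk.FreeSpace / 1GB, 1)
            Excluded  = $excluded
            HasMarker = Test-Path -LiteralPath $marker
        }
    }
}

# Preview the changes first; remove -WhatIf to create the marker files.
Set-NoSmsOnDriveMarker -AllowedDrive 'E:' -WhatIf
```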
Use the following sections to help you install and configure
site system roles for System Center 2012
Configuration Manager:
Install Site System Roles
How you install a site system role depends on whether
you add the site system role to an existing site system server or
install a new site system server for the site system role. Use one
of the following procedures.
To install site system roles on an
existing site system server
- In the Configuration Manager console, click
Administration.
- In the Administration workspace, expand Site
Configuration, click Servers and Site System Roles, and
then select the server that you want to use for the new site system
roles.
- On the Home tab, in the Server group,
click Add Site System Roles.
- On the General page, review the settings, and
then click Next.
Tip |
To access the site system role from the Internet, ensure that
you specify an Internet FQDN. |
- For Configuration Manager SP1 only:
On the Proxy page, specify settings for a proxy
server if site system roles that run on this site system server
require a proxy server to connect to locations on the Internet, and
then click Next.
- On the System Role Selection page, select the
site system roles that you want to add, and then click
Next.
- Complete the wizard.
Tip |
The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs
the same function as this procedure. For more information, see
New-CMSiteSystemServer in the
System Center 2012 Configuration Manager SP1
Cmdlet Reference documentation. |
To install site system roles on a new
site system server
- In the Configuration Manager console, click
Administration.
- In the Administration workspace, expand Site
Configuration, and click Servers and Site System
Roles.
- On the Home tab, in the Create group,
click Create Site System Server.
- On the General page, specify the general
settings for the site system, and then click Next.
Tip |
To access the new site system role from the Internet, ensure
that you specify an Internet FQDN. |
- For Configuration Manager SP1 only:
On the Proxy page, specify settings for a proxy
server if site system roles that run on this site system server
require a proxy server to connect to locations on the Internet, and
then click Next.
- On the System Role Selection page, select the
site system roles that you want to add, and then click
Next.
- Complete the wizard.
Tip |
The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs
the same function as this procedure. For more information, see
New-CMSiteSystemServer in the
System Center 2012 Configuration Manager SP1
Cmdlet Reference documentation. |
Install Cloud-Based Distribution
Points in Windows Azure
Note |
For Configuration Manager SP1 only: |
Before you install a cloud-based distribution point,
make sure that you have the required certificate files:
- A Windows Azure management certificate that
is exported to a .cer file and to a .pfx file.
- A Configuration Manager cloud-based
distribution point service certificate that is exported to a .pfx
file.
For more information about these certificates, see the
section for cloud-based distribution points in the PKI Certificate
Requirements for Configuration Manager topic. For an example
deployment of the cloud-based distribution point service
certificate, see the Deploying
the Custom Web Server Certificate for Cloud-Based Distribution
Points in the Step-by-Step Example
Deployment of the PKI Certificates for Configuration Manager:
Windows Server 2008 Certification Authority topic.
After you install the cloud-based distribution point,
Windows Azure automatically generates a GUID for the service and
appends this to the DNS suffix of cloudapp.net. Using this
GUID, you must configure DNS with a DNS alias (CNAME record) to map
the service name that you define in the Configuration Manager
cloud-based distribution point service certificate to the
automatically generated GUID.
If you use a proxy web server, you might have to
configure proxy settings to enable communication with the cloud
service that hosts the distribution point.
Use the following sections and procedures to help you
install a cloud-based distribution point.
Configure Windows Azure and Install
Cloud-Based Distribution Points
Use the following procedures to configure Windows Azure
to support distribution points, and then install the cloud-based
distribution point in Configuration Manager.
To configure a cloud service in
Windows Azure for a distribution point
- Open a web browser to the Windows Azure Management
Portal, at https://windows.azure.com, and access your Windows Azure
account.
- Click Hosted Services, Storage Accounts &
CDN, and then select Management Certificates.
- Right-click your subscription, and then select Add
Certificate.
- For Certificate file, specify the .cer file that
contains the exported Windows Azure management certificate to use
for this cloud service, and then click OK.
The management certificate is loaded in Windows Azure,
and you can now install a cloud-based distribution point.
To install a cloud-based distribution
point for Configuration Manager
- Complete the steps in the preceding procedure to
configure a cloud service in Windows Azure with a management
certificate.
- In the Administration workspace of the
Configuration Manager console, expand Hierarchy
Configurations, expand Cloud, and then click Create
Cloud Distribution Point.
- On the General page of the Create Cloud
Distribution Point Wizard, configure the following:
  - Specify the Subscription ID for your
  Windows Azure account.
  Tip |
  You can find your Windows Azure subscription ID in the Windows
  Azure Management Portal. |
  - Click Browse to specify the .pfx file
  that contains the exported Windows Azure management certificate,
  and then enter the password for the certificate.
- Click Next, and Configuration Manager connects
to Windows Azure to validate the management certificate.
- On the Settings page, complete the following
configurations, and then click Next:
  - For Region, select the Windows Azure
  region where you want to create the cloud service that hosts this
  distribution point.
  - For Certificate file, specify the .pfx
  file that contains the exported Configuration Manager cloud-based
  distribution point service certificate, and then enter the
  password.
  Note |
  The Service FQDN box is automatically populated from the
  certificate Subject Name and in most cases, you do not have to edit
  it. The exception is if you are using a wildcard certificate in a
  testing environment, where the host name is not specified so that
  multiple computers that have the same DNS suffix can use the
  certificate. In this scenario, the certificate Subject contains a
  value similar to CN=*.contoso.com and Configuration Manager
  displays a message that you must specify the correct FQDN. Click
  OK to close the message, and then enter a specific name
  before the DNS suffix to provide a complete FQDN. For example, you
  might add clouddp1 to specify the complete service FQDN of
  clouddp1.contoso.com. Wildcard certificates are supported for
  testing environments only. |
- On the Alerts page, configure storage quotas,
transfer quotas, and at what percentage of these quotas you want
Configuration Manager to generate alerts, and then click
Next.
- Complete the wizard.
The wizard creates a new hosted service for the
cloud-based distribution point. After you close the wizard, you can
monitor the installation progress of the cloud-based distribution
point in the Configuration Manager console, or by monitoring the
CloudMgr.log file on the primary site server. You can also
monitor the provisioning of the cloud service in the Windows Azure
Management Portal.
Note |
It can take up to 30 minutes to provision a new distribution
point in Windows Azure. The following message is repeated in the
CloudMgr.log file until the storage account is provisioned:
Waiting for check if container exists. Will check again in 10
seconds. Then, the service is created and configured. |
You can identify that the cloud-based distribution
point installation is completed by using the following methods:
- In the Windows Azure Management Portal, the Deployment
for the cloud-based distribution point displays a status of
Ready.
- In the Administration workspace, Hierarchy
Configuration, Cloud node of the Configuration Manager
console, the cloud-based distribution point displays a status of
Ready.
- Configuration Manager displays a status message ID 9409
for the SMS_CLOUD_SERVICES_MANAGER component.
Configure Name Resolution for Cloud-Based
Distribution Points
Before clients can access the cloud-based distribution
point, they must be able to resolve the name of the cloud-based
distribution point to an IP address that Windows Azure manages.
Clients do this in two stages:
- They map the service name that you provided with the
Configuration Manager cloud-based distribution point service
certificate to your Windows Azure service FQDN. This FQDN contains
a GUID and the DNS suffix of cloudapp.net. The GUID is
automatically generated after you install the cloud-based
distribution point. You can see the full FQDN in the Windows Azure
Management Portal, by referencing the SITE URL in the
quick glance section of the dashboard. An example site URL
is http://d1594d4527614a09b934d470.cloudapp.net.
- They resolve the Windows Azure service FQDN to the IP address
that Windows Azure allocates. This IP address can also be
identified in the same section of the Windows Azure portal, in the
PUBLIC VIRTUAL IP ADDRESS (VIP) section.
To map the service name that you provided with the
Configuration Manager cloud-based distribution point service
certificate (for example, clouddp1.contoso.com) to your
Windows Azure service FQDN (for example,
d1594d4527614a09b934d470.cloudapp.net), DNS servers on the
Internet must have a DNS alias (CNAME record). Clients can then
resolve the Windows Azure service FQDN to the IP address by using
DNS servers on the Internet.
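The two resolution stages described above can be checked from a client with the following added example, which is not part of the original documentation. The function name and its parameters are hypothetical; the sample names are the ones used in this topic, and the optional DnsServer value is whichever Internet-facing resolver you choose to query.

```powershell
# Added example: verify the CNAME alias and the address lookup for a
# cloud-based distribution point. Test-CloudDPNameResolution is an
# illustrative name, not a Configuration Manager cmdlet.
function Test-CloudDPNameResolution {
    param(
        [Parameter(Mandatory = $true)] [string] $ServiceFqdn,       # name in the service certificate
        [Parameter(Mandatory = $true)] [string] $AzureServiceFqdn,  # <GUID>.cloudapp.net from the portal
        [string] $DnsServer                                         # optional resolver to query
    )

    # -DnsOnly keeps the lookup to DNS (no LLMNR or NetBIOS fallback).
    $common = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($DnsServer) { $common.Server = $DnsServer }

    $result = [ordered]@{
        ServiceFqdn  = $ServiceFqdn
        CnameTarget  = $null
        AliasMatches = $false
        Addresses    = @()
        Problem      = $null
    }

    try {
        # Stage 1: the service name must be an alias for the Windows Azure service FQDN.
        $cname = Resolve-DnsName -Name $ServiceFqdn -Type CNAME @common |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'CNAME' } |
            Select-Object -First 1

        if (-not $cname) {
            $result.Problem = 'No CNAME record was returned for the service name.'
        }
        else {
            $result.CnameTarget  = $cname.NameHost.TrimEnd('.')
            $result.AliasMatches = $result.CnameTarget -ieq $AzureServiceFqdn.TrimEnd('.')
            if (-not $result.AliasMatches) {
                $result.Problem = 'The CNAME record points to a different host than expected.'
            }

            # Stage 2: the Windows Azure service FQDN must resolve to an IP address.
            $records = Resolve-DnsName -Name $AzureServiceFqdn -Type A @common |
                Where-Object { $_.Type -eq 'A' }
            $result.Addresses = @($records | ForEach-Object { $_.IPAddress })
            if ($result.Addresses.Count -eq 0 -and -not $result.Problem) {
                $result.Problem = 'The Windows Azure service FQDN did not resolve to an address.'
            }
        }
    }
    catch {
        $result.Problem = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Sample names taken from this topic; replace them with your own values.
Test-CloudDPNameResolution -ServiceFqdn 'clouddp1.contoso.com' `
    -AzureServiceFqdn 'd1594d4527614a09b934d470.cloudapp.net'
```

Compare the returned Addresses value with the PUBLIC VIRTUAL IP ADDRESS (VIP) shown in the Windows Azure Management Portal.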
Configure Proxy Settings for Primary
Sites that Manage Cloud Services
When you use cloud services with Configuration Manager,
the primary site that manages the cloud-based distribution point
must be able to connect to the Windows Azure Management Portal by
using the System account of the primary site computer. This
connection is made by using the default web browser on the primary
site server computer.
On the primary site server that manages the cloud-based
distribution point, you might have to configure the proxy settings
to enable the primary site to access the Internet and
Windows Azure.
Use the following procedure to configure the proxy
settings for the primary site server in the Configuration Manager
console.
Tip |
You can also configure the proxy server when you install new
site system roles on the primary site server by using the Add
Site System Roles Wizard. |
To configure proxy settings for the
primary site server
- In the Configuration Manager console, click
Administration.
- In the Administration workspace, expand Site
Configuration, click Servers and Site System Roles, and
then select the primary site server that manages the cloud-based
distribution point.
- In the details pane, right-click Site system,
and then click Properties.
- In Site system Properties, select the
Proxy tab, and then configure the proxy settings for this
primary site server.
- Click OK to save the new proxy server
configuration.
Configuration Options for Site
System Roles
Many of the configuration options for the site system
roles are self-explanatory or display additional information in the
wizard or dialog boxes. Use the following tables for the settings
that might require some information before you configure them.
Application Catalog Website Point
For information about how to configure the Application
Catalog website point for the Application Catalog, see Configuring the
Application Catalog and Software Center in Configuration
Manager.
Configuration option |
Description |
Client connections
|
Select HTTPS to connect by using the more secure setting
and to determine whether clients connect from the Internet.
This option requires a PKI certificate on the server for server
authentication to clients and for encryption of data over Secure
Socket Layer (SSL). For more information about the certificate
requirements, see PKI Certificate
Requirements for Configuration Manager.
For an example deployment of the server certificate and
information about how to configure it in Internet Information
Services (IIS), see the
Deploying the Web Server Certificate for Site Systems that Run
IIS section in the Step-by-Step Example
Deployment of the PKI Certificates for Configuration Manager:
Windows Server 2008 Certification Authority topic.
|
Add Application Catalog website to trusted sites zone
|
This message shows whether the client setting Add Application
Catalog website to Internet Explorer trusted sites zone is
currently set to True or False in the default client
settings. If you have configured this setting by
using custom client settings, you must check this value
yourself.
If this site system is configured for an FQDN, and the website is
not in the trusted sites zone in Internet Explorer, users are
prompted for credentials when they connect to the Application
Catalog.
|
Organization name
|
Type the name that users see in the Application Catalog. This
branding information helps users to identify this website as a
trusted source.
|
Application Catalog Web Service
Point
Distribution Point
For information about how to configure the distribution
point for content deployment, see Configuring Content
Management in Configuration Manager.
For information about how to configure the distribution
point for PXE deployments, see How to Deploy Operating
Systems by Using PXE in Configuration Manager.
For information about how to configure the distribution
point for multicast deployments, see How to Manage Multicast
in Configuration Manager.
Configuration |
Description |
Install and configure IIS if required by Configuration
Manager
|
Select this option to let Configuration Manager install and
configure IIS on the site system if it is not already installed.
IIS must be installed on all distribution points, and you must
select this setting to continue in the wizard.
|
Create a self-signed certificate or import a PKI client
certificate
|
This certificate has two purposes:
- It authenticates the distribution point to a
management point before the distribution point sends status
messages.
- When Enable PXE support for clients is
selected, the certificate is sent to computers that perform a PXE
boot so that they can connect to a management point during the
deployment of the operating system.
When all your management points in the site are configured for
HTTP, create a self-signed certificate. When your management points
are configured for HTTPS, import a PKI client certificate.
To import the certificate, browse to a Public-Key Cryptography
Standards #12 (PKCS #12) file that contains a PKI certificate with
the following requirements for Configuration Manager:
- Intended use must include client
authentication.
- The private key must be configured to be
exported.
Note |
There are no specific requirements for the certificate Subject
name or Subject Alternative Name (SAN), and you can use the same
certificate for multiple distribution points. |
For more information about the certificate requirements, see
PKI Certificate
Requirements for Configuration Manager.
For an example deployment of this certificate, see the
Deploying the Client Certificate for Distribution Points
section in the Step-by-Step Example
Deployment of the PKI Certificates for Configuration Manager:
Windows Server 2008 Certification Authority topic.
|
Enable this distribution point for prestaged content
|
Select this check box to enable the distribution point for
prestaged content. When this check box is selected, you can
configure distribution behavior when you distribute content. You
can choose whether you always prestage the content on the
distribution point, prestage the initial content for the package,
but use the normal content distribution process when there are
updates to the content, or always use the normal content
distribution process for the content in the package.
|
Boundary groups
|
You can associate boundary groups to a distribution point.
During content deployment, clients must be in a boundary group that
is associated with the distribution point to use it as a source
location for content.
You can select the Allow fallback source location for
content check box to allow clients outside these boundary
groups to fall back and use the distribution point as a source
location for content when no other distribution points are
available.
|
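The certificate requirements listed above for the distribution point (client authentication as an intended use, and a PKCS #12 file that carries the private key) can be checked before you browse to the file in the wizard. This is an added example, not part of the original documentation; the function name and the file path are hypothetical, and treating a certificate that has no enhanced key usage extension as not ready is a conservative assumption of this example.

```powershell
# Added example: inspect a PKCS #12 (.pfx) file before importing it for a
# distribution point. Test-DistributionPointPfx is an illustrative name.
function Test-DistributionPointPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [securestring] $Password
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # A wrong password or a damaged file throws here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath, $Password)
    try {
        # Collect the enhanced key usage OIDs, if the extension is present.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $usages = @()
        if ($eku) {
            $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        $now         = Get-Date
        $inValidity  = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        $hasClientAu = $usages -contains $clientAuthOid

        [pscustomobject]@{
            Subject           = $cert.Subject
            NotAfter          = $cert.NotAfter
            WithinValidity    = $inValidity
            # False means the file holds only the public certificate, so the
            # private key was not exported with it.
            HasPrivateKey     = $cert.HasPrivateKey
            EkuExtension      = [bool]$eku
            ClientAuthListed  = $hasClientAu
            # Assumption of this example: require an explicit Client Authentication usage.
            ReadyForImport    = $cert.HasPrivateKey -and $hasClientAu -and $inValidity
        }
    }
    finally {
        # Release the key material that was loaded with the certificate.
        $cert.Reset()
    }
}

# Hypothetical file name; the password is prompted for and never written to disk.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Test-DistributionPointPfx -Path '.\dp-client.pfx' -Password $pfxPassword
```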
Enrollment Point
Enrollment points are used to install Mac computers
(Configuration Manager SP1 only), enroll mobile devices, and
provision AMT-based computers. For more information, see the
following:
Enrollment Proxy Point
Fallback Status Point
Configuration option |
Description |
Number of state messages and Throttle interval (in
seconds)
|
Although the default settings for these options (10,000 state
messages and 3,600 seconds for the throttle interval) are
sufficient for most circumstances, you might have to change them
when both of the following conditions are true:
- The fallback status point accepts connections
only from the intranet.
- You use the fallback status point during a
client deployment rollout for many computers.
In this scenario, a continuous stream of state messages might
create a backlog of state messages that causes high central
processing unit (CPU) usage on the site server for a sustained
period of time. In addition, you might not see up-to-date
information about the client deployment in the Configuration
Manager console and in the client deployment reports.
Note |
These fallback status point settings are designed to be
configured for state messages that are generated during client
deployment. The settings are not designed to be configured for
client communication issues, such as when clients on the Internet
cannot connect to their Internet-based management point. Because
the fallback status point cannot apply these settings just to the
state messages that are generated during client deployment, do not
configure these settings when the fallback status point accepts
connections from the Internet. |
Each computer that successfully installs the
System Center 2012 Configuration Manager client
sends the following four state messages to the fallback status
point:
- Client deployment started
- Client deployment succeeded
- Client assignment started
- Client assignment succeeded
Computers that cannot install or assign the Configuration
Manager client send additional state messages.
For example, if you deploy the Configuration Manager client to
20,000 computers, the deployment might create 80,000 state messages
sent to the fallback status point. Because the default throttling
configuration allows for 10,000 state messages to be sent to the
fallback status point each 3600 seconds (1 hour), state messages
might become backlogged on the fallback status point because of the
throttling configuration. You must also consider the available
network bandwidth between the fallback status point and the site
server, and the processing power of the site server to process many
state messages.
To help prevent these issues, consider increasing the number of
state messages and decreasing the throttle interval.
Reset the throttle values for the fallback status point if
either of the following conditions is true:
- You calculate that the current throttle
values are higher than required to process state messages from the
fallback status point.
- You find that the current throttle settings
create high CPU usage on the site server.
Warning |
Do not change the fallback status point throttle settings
unless you understand the consequences. For
example, when you increase the throttle settings to high values, the CPU
usage on the site server can also become high, which slows down all
site operations. |
|
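The backlog described in the 20,000-computer example can be estimated for other rollout sizes and throttle values with the following added example, which is not part of the original documentation. The function and parameter names are hypothetical, and the model is an assumption: state messages arrive evenly across the rollout period, and at most the configured number of messages is handled in each throttle interval.

```powershell
# Added example: estimate the state message backlog on a fallback status point.
# Get-FspBacklogEstimate is an illustrative name; the arrival model is an
# assumption of this example, not documented product behavior.
function Get-FspBacklogEstimate {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 10000000)]   [int] $ClientCount,
        [ValidateRange(1, 100)]        [int] $MessagesPerClient = 4,        # successful install
        [ValidateRange(1, 31536000)]   [int] $RolloutSeconds = 3600,        # length of the rollout
        [ValidateRange(1, 2147483647)] [int] $ThrottleMessages = 10000,     # default from this topic
        [ValidateRange(1, 31536000)]   [int] $ThrottleIntervalSeconds = 3600
    )

    $total = [long]$ClientCount * $MessagesPerClient

    # Messages that arrive during one throttle interval while the rollout runs.
    $perInterval = [long][math]::Ceiling(
        [double]$total * $ThrottleIntervalSeconds / $RolloutSeconds)

    [long]$arrived = 0
    [long]$backlog = 0
    [long]$peak    = 0
    [long]$elapsed = 0

    # Step through throttle intervals until every message has arrived and been handled.
    while ($arrived -lt $total -or $backlog -gt 0) {
        $incoming = [math]::Min($perInterval, $total - $arrived)
        $arrived += $incoming
        $backlog += $incoming
        if ($backlog -gt $peak) { $peak = $backlog }

        $backlog -= [math]::Min($backlog, [long]$ThrottleMessages)
        $elapsed += $ThrottleIntervalSeconds
    }

    [pscustomobject]@{
        TotalMessages           = $total
        ThrottleMessages        = $ThrottleMessages
        ThrottleIntervalSeconds = $ThrottleIntervalSeconds
        PeakBacklog             = $peak
        HoursUntilBacklogClears = [math]::Round($elapsed / 3600, 2)
    }
}

# The deployment from this topic with the default throttle settings.
Get-FspBacklogEstimate -ClientCount 20000

# The same deployment with more state messages and a shorter throttle interval.
Get-FspBacklogEstimate -ClientCount 20000 -ThrottleMessages 20000 -ThrottleIntervalSeconds 1800
```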
Out of Band Service Point
The default settings for the out of band service point
are sufficient for most circumstances. Change them only if you have
to control the CPU usage for the out of band service point and the
network bandwidth when Intel AMT-based computers are configured for
scheduled wake-up activities and for power-on commands.
For information about how to configure an out of band
service point for AMT-based computers, see How to Provision and
Configure AMT-Based Computers in Configuration Manager.
Configuration option |
Description |
Retries
|
Specify the number of times a power-on command is sent to a
destination computer.
After a power-on command is sent to all destination computers,
the transmission is paused for the Delay period. If this
retry value is greater than 1, a second power-on command is sent to
the same computers, and the process is repeated until the retry
value is reached. The second and subsequent power-on commands are
sent only if the destination computer did not respond.
Unlike wake-up packets, power-on commands create an established
session with the destination computer. Therefore, retries are less
likely to be necessary. However, retries might be necessary if the
site transmits many packets (for example, also sending wake-up
packets), and the power-on commands cannot reach a destination
computer because of the high network bandwidth consumption.
The default setting is 3 retries. Values can range from 0–5.
|
Delay (minutes)
|
The time in minutes that power-on commands pause between
retries.
The default setting is 2 minutes. Values can range from 1–30
minutes.
|
Transmission threads
|
The number of threads that the out of band service point uses
when it sends power-on commands.
When you increase the number of threads, you are more likely to
make full use of the available network bandwidth, especially when
the out of band service point site system server computer has
multiple cores or processors. However, when you increase the number
of threads, the increased thread count might also produce a
significant increase in CPU usage.
The default setting is 60 transmission threads. Values can range
from 1–120 threads.
|
Transmission offset
|
The time in minutes that a power-on command is sent before a
scheduled activity that is enabled for wake-up packets.
Set a value that gives sufficient time before the scheduled
activity so that computers have completed startup, but not so much
time that the computer returns to a sleep state before the
scheduled activity.
The default setting is 10 minutes. Values can range from 1–480
minutes.
|
Configure the Proxy Server for Site
System Servers
You can configure a site system server to use a proxy
server for connections to the Internet that site system roles that
run on that computer make. For information about the site system
roles that can use the proxy server configuration, see the
Planning for Proxy Servers Configurations for Site System Roles
section in the Planning for Site
Systems in Configuration Manager topic.
Use the following procedure to edit the proxy server
configuration of a site system server.
To configure the proxy server for a
site system server
- In the Configuration Manager console, click
Administration.
- In the Administration workspace, expand Site
Configuration, and then click Servers and Site System
Roles.
- Select the site system server that you want to edit,
and then in the details pane, right-click Site system, and
then click Properties.
Tip |
You cannot configure the proxy server on a cloud-based
distribution point in Windows Azure. Instead, you configure the
proxy server on the primary site that manages the cloud-based
distribution point. |
- In Site system Properties, select the
Proxy tab, and then configure the proxy settings for this
primary site server.
- Click OK to save the new proxy server
configuration.