System Center 2012 Configuration Manager uses
site system roles to support operations at each site. Computers
that host the Configuration Manager site are named site servers,
and computers that host the other site system roles are named site
system servers. The site server is also a site system server.
Site system servers within the same site communicate with each
other by using server message block (SMB), HTTP, or HTTPS,
depending on the site configuration selections that you make.
Because these communications are unmanaged and can occur at any
time without network bandwidth control, review your available
network bandwidth before you install site system servers and
configure the site system roles.
At each site, you can install available site system roles on the
site server or install one or more site system roles on another
site system server. Configuration Manager does not limit the number
of site system roles that you can run on a single site system
server. However, Configuration Manager does not support site system
roles from different sites on the same site system server.
Additionally, Configuration Manager supports some site system roles
only at specific sites in a hierarchy, and some site system roles
have other limitations as to where and when you can install
them.
Use the following sections to help you plan for site
systems:
What’s New in Configuration Manager SP1
With Configuration Manager SP1, you can configure
a proxy server on each site system server for use by all site
system roles installed on that computer. This is not a new site
system role, but a configuration for site system server
computers.
Site System Roles in Configuration Manager
When you install a site, several site system roles
automatically are installed on the servers that you specify during
Setup. After a site is installed, you can install additional site
system roles on those servers or on additional computers that you
decide to use as site system servers. The following sections
identify the default site system roles and the optional site system
roles that are available in Configuration Manager.
Default Site System Roles
When you install a Configuration Manager site, several
default site system roles are automatically installed for the site.
These site system roles are required for the core operation of each
site and although some default site system roles can be moved to
other servers, they cannot be removed from the site. Additionally,
some default site system roles are installed on additional site
system servers when you install optional site system roles.
The default site system roles are described in the
following table.
Site system role |
Description |
Configuration Manager site server
|
The site server role is automatically installed on the server
from which you run Configuration Manager Setup when you install a
central administration site or primary site. When you install a
secondary site, the site server role is installed on the server
that you specify as the secondary site server.
|
Configuration Manager site system
|
Site systems are computers that provide Configuration Manager
functionality to a site. Each site system hosts one or more site
system roles. Most site system roles are optional, and you install
them only if you have to use them for specific management tasks.
Other site system roles are automatically installed on a site
system and cannot be configured.
This role is assigned during Configuration Manager site
installation or when you add an optional site system role to
another server.
|
Configuration Manager component site system role
|
Any site system that runs the SMS Executive service also
installs the component site system role.
This role is required to support other roles, such as a
management point, and it is installed and removed with the other
site system roles.
This role is always assigned to the site server when you install
Configuration Manager.
|
Configuration Manager site database server
|
The site database server is a computer that runs a supported
version of Microsoft SQL Server, and it stores information for
Configuration Manager sites, such as discovery data, hardware and
software inventory data, and configuration and status
information.
Each site in the Configuration Manager hierarchy contains a site
database and a server that is assigned the site database server
role. You can install SQL Server on the site server, or you
can reduce the CPU usage of the site server when you install
SQL Server on a computer other than the site server. Secondary
sites can use SQL Server Express instead of a full
SQL Server installation.
The site database can be installed on the default instance of
SQL Server or on a named instance on a single computer that is
running SQL Server. It can be installed on a named instance on
a SQL Server cluster.
Typically, a site system server supports site system roles from
a single Configuration Manager site only; however, you can use
different instances of SQL Server on clustered or
non-clustered servers running SQL Server to host the database
for different Configuration Manager sites. For this configuration,
you must configure each instance of SQL Server to use
different ports.
This role is installed when you install Configuration
Manager.
|
SMS Provider
|
The SMS Provider is the interface between the Configuration
Manager console and the site database. This role is installed when
you install a central administration site or primary site.
Secondary sites do not install the SMS Provider. You can
install the SMS Provider on the site server, the site database
server (unless the site database is hosted on a clustered instance
of SQL Server), or on another computer. You can also move the
SMS Provider to another computer after the site is installed,
or install multiple SMS Providers on additional computers. To
move or install additional SMS Providers for a site, run
Configuration Manager Setup, select the option Perform site
maintenance or reset the Site, click Next, and then on
the Site Maintenance page, select the option Modify
SMS Provider configuration.
Note |
The SMS Provider is only supported on computers that are
in the same domain as the site server. |
|
Optional Site System Roles
Optional site system roles are site system roles that
are not required for the core operation of a Configuration Manager
site. However, by default, the management point and distribution
point, which are optional site system roles, are installed on the
site server when you install a primary or secondary site. Although
these two site system roles are not required for the core operation
of the site, you must have at least one management point to support
clients at those locations. After you install a site, you can move
the default location of the management point or distribution point
to another server, install additional instances of each site system
role, and install other optional site system roles to meet your
business requirements.
The optional site system roles are described in the
following table.
Site system role |
Description |
Application Catalog web service point
|
A site system role that provides software information to the
Application Catalog website from the Software Library.
|
Application Catalog website point
|
A site system role that provides users with a list of available
software from the Application Catalog.
|
Asset Intelligence synchronization point
|
A site system role that connects to Microsoft to download Asset
Intelligence catalog information and upload uncategorized titles so
that they can be considered for future inclusion in the catalog.
This site system role can only be installed on the central
administration site or a stand-alone primary site. For more
information about planning for Asset Intelligence, see Prerequisites for Asset
Intelligence in Configuration Manager.
|
Distribution point
|
A site system role that contains source files for clients to
download, such as application content, software packages, software
updates, operating system images, and boot images. You can control
content distribution by using bandwidth, throttling, and scheduling
options. For more information, see Planning for Content
Management in Configuration Manager.
|
Fallback status point
|
A site system role that helps you monitor client installation
and identify the clients that are unmanaged because they cannot
communicate with their management point.
|
Management point
|
A site system role that provides policy and service location
information to clients and receives configuration data from
clients.
You must install at least one management point at each primary
site that manages clients, and at each secondary site where you
want to provide a local point of contact for clients to obtain
computer and user policies.
|
Endpoint Protection point
|
A site system role that Configuration Manager uses to accept the
Endpoint Protection license terms and to configure the default
membership for Microsoft Active Protection Service.
|
Enrollment point
|
A site system role that uses PKI certificates for Configuration
Manager to enroll mobile devices and Mac computers, and to
provision Intel AMT-based computers.
|
Enrollment proxy point
|
A site system role that manages Configuration Manager enrollment
requests from mobile devices and Mac computers.
|
Out of band service point
|
A site system role that provisions and configures Intel
AMT-based computers for out of band management.
|
Reporting services point
|
A site system role that integrates with SQL Server
Reporting Services to create and manage reports for Configuration
Manager. For more information, see Planning for Reporting
in Configuration Manager.
|
Software update point
|
A site system role that integrates with Windows Server
Update Services (WSUS) to provide software updates to Configuration
Manager clients. For more information, see Planning for Software
Updates in Configuration Manager.
|
State migration point
|
A site system role that stores user state data when a computer
is migrated to a new operating system. For more information about
storing user state when you deploy an operating system, see
How to Manage
the User State in Configuration Manager.
|
System Health Validator point
|
A site system role that validates Configuration Manager Network
Access Protection (NAP) policies. It must be installed on a NAP
health policy server.
|
Windows Intune connector
|
A site system role in Configuration Manager SP1 that uses
Windows Intune to manage mobile devices in the Configuration
Manager console.
|
Planning for Proxy Servers Configurations for Site System Roles
For Configuration Manager SP1 only:
During normal operation, several Configuration Manager
site system roles require connections to the Internet. Typically,
this connection is made in the system context of the computer where
the site system role is installed and cannot use a proxy
configuration for typical user accounts. When a proxy server is
required to complete a connection to the Internet, you must
configure the computer to use a proxy server. For Configuration
Manager with no service pack, you must manually configure the proxy
server for the system context outside of Configuration Manager.
With Configuration Manager SP1, you can use the Configuration
Manager console to configure each site system server to use a proxy
server. This proxy server configuration is used by each applicable
site system role that is installed on that computer. For example, a
software update point might connect to Microsoft to download
updates, and with Configuration Manager SP1 when you use a
cloud-based distribution point, the primary site server that
manages the cloud-based distribution point must connect to Windows
Azure.
The following table identifies the site system roles
that can use a proxy server:
Site system role |
Configuration Manager version |
Details |
Asset Intelligence synchronization point
|
- Configuration Manager with no service
pack
- Configuration Manager with SP1
|
This site system role connects to Microsoft and will use a proxy
server configuration on the computer that hosts the Asset
Intelligence synchronization point.
|
Cloud-based distribution point
|
- Configuration Manager with SP1
|
When you use a cloud-based distribution point, the primary site
that manages the cloud-based distribution point must be able to
connect to Windows Azure to provision, monitor, and distribute
content to the distribution point.
If a proxy server is required for this connection, you must
configure the proxy server on the primary site server. You cannot
configure a proxy server on the cloud-based distribution point in
Windows Azure.
For more information, see the
Configure Proxy Settings for Primary Sites that Manage Cloud
Services section in the Install and Configure
Site System Roles for Configuration Manager topic.
|
Exchange Server connector
|
- Configuration Manager with no service
pack
- Configuration Manager with SP1
|
This site system role connects to an Exchange Server and will
use a proxy server configuration on the computer that hosts the
Exchange Server connector.
|
Software update point
|
- Configuration Manager with no service
pack
- Configuration Manager with SP1
|
This site system role can require connections to Microsoft
Update to download patches and synchronize information about
updates. With Configuration Manager with no service pack, you can
configure proxy server settings for the active software update
point. With Configuration Manager SP1, proxy server options
are only available for the software update point when there is
already a proxy configured for the site system server.
For more information about proxy servers for software update
points, see the Proxy Server Settings section in the Configuring Software
Updates in Configuration Manager topic.
|
Windows Intune connector
|
- Configuration Manager with SP1
|
This site system role connects to Windows Intune and will use a
proxy server configuration on the computer that hosts the Windows
Intune connector.
|
With Configuration Manager SP1, you can configure
the proxy server for a site system server when you install a site
system role by using the Add Site System Roles Wizard or the Create
Site System Server Wizard. After you have installed a site system
server, you can configure a proxy server by editing the properties
for the site system server. Each site system server supports only a
single proxy server configuration. If you configure a new proxy
server when you install a site system role or edit the site system
server properties, the new proxy server configuration replaces the
previously configured proxy server for that site system server.
The proxy server configuration is shared by all site
system roles that run on a computer. There is no support for
individual site system roles that run on the same computer to use
different proxy server configurations. If you require different
site system roles to use different proxy servers, you must install
the site system roles on different site system server
computers.
Typically, when you configure the proxy server, each
site system role on that computer that supports using the proxy
server will use the proxy server with no additional configuration
required. An exception to this is the software update point. By
default, a software update point does not use an available proxy
server unless you also enable the following options when you
configure the software update point:
- Use a proxy server when synchronizing
software updates
- Use a proxy server when downloading
content by using automatic deployment rules
Tip |
A proxy server must be configured on the site system server
that hosts the software update point before you can select either
option. The proxy server is only used for the specific options you
select. |
Because each site system server supports a single proxy
server configuration, if you add a new site system role to a
computer and specify a different proxy server configuration than is
already configured, the new configuration replaces the previous proxy server
configuration. Similarly, after you configure a proxy server for a
site system server, if you edit the properties of the site system
and change the proxy server configuration, this new configuration
replaces the previous proxy server configuration.
For procedures about configuring the proxy server for
site system roles, see the Install and Configure
Site System Roles for Configuration Manager topic.
Planning Where to Install Site System Roles in the Hierarchy
Before you install site system roles, identify the site
types that can or cannot support specific site system roles, and
how many instances of each site system role you can install at a
site or across a hierarchy.
You can install some site system roles at only the
top-level site in a hierarchy. A top-level site can be a central
administration site of a multi-primary site hierarchy or a
stand-alone primary site if your hierarchy consists of a single
primary site with one or more secondary child sites.
Additionally, some site system roles support only a
single instance per hierarchy. However, most site system roles
support multiple instances across the hierarchy and at individual
sites.
Site System Role Placement in the Hierarchy
Use the following table to identify the site system
roles that you can install at each type of site in a
System Center 2012 Configuration Manager hierarchy,
and whether the site system role provides functionality for its
site only, or for the entire hierarchy. You can install any
supported site system role on the site server computer or on a
remote site system server at a central administration site or
primary site. At a secondary site, only the distribution point is
supported on a remote site system server.
Site system role | Central administration site | Child primary site | Stand-alone primary site | Secondary site | Site-specific or hierarchy-wide option |
Application Catalog web service point | No | Yes | Yes | No | Hierarchy |
Application Catalog website point | No | Yes | Yes | No | Hierarchy |
Asset Intelligence synchronization point (1) | Yes | No | Yes | No | Hierarchy |
Distribution point (2, 5) | No | Yes | Yes | Yes | Site |
Fallback status point | No | Yes | Yes | No | Hierarchy |
Management point (2, 3, 5) | No | Yes | Yes | Yes | Site |
Endpoint Protection point | Yes | No | Yes | No | Hierarchy |
Enrollment point | No | Yes | Yes | No | Site |
Enrollment proxy point | No | Yes | Yes | No | Site |
Out of band service point | No | Yes | Yes | No | Site |
Reporting services point | Yes | Yes | Yes | No | Hierarchy |
Software update point (4, 5) | Yes | Yes | Yes | Yes | Site |
State migration point (5) | No | Yes | Yes | Yes | Site |
System Health Validator point | Yes | Yes | Yes | No | Hierarchy |
Windows Intune connector | Yes | No | Yes | No | Hierarchy |
1 Configuration Manager supports only a
single instance of this site system role in a hierarchy.
2 By default, when you install a secondary
site, a management point and a distribution point are installed on
the secondary site server.
3 This role is required to support clients
in Configuration Manager. Secondary sites do not support more than
one management point and this management point cannot support
mobile devices that are enrolled by Configuration Manager. For more
information about the site system roles that support clients in
Configuration Manager, see Determine the Site
System Roles for Client Deployment in Configuration
Manager.
4 When your hierarchy contains a central
administration site, install a software update point at this site
that synchronizes with Windows Server Update Services (WSUS) before
you install a software update point at any child primary site. When
you install software update points at a child primary site,
configure it to synchronize with the software update point at the
central administration site.
5 At a secondary site, all site system roles
must be located on the site server computer. The only exception is
the distribution point. Secondary sites support installing
distribution points on the site server computer and on remote
computers.
Considerations for Placement of Site System Roles
Use the following table to help you decide where to
install the site system roles.
Site system role |
Considerations |
Application Catalog website point
|
When the Application Catalog supports client computers on the
Internet, as a security best practice, install the Application
Catalog website point in a perimeter network and the Application
Catalog web service point on the intranet.
|
Asset Intelligence synchronization point
|
Configuration Manager supports a single instance of this site
system role in a hierarchy and only at the top-level site in the
hierarchy.
|
Endpoint Protection point
|
Configuration Manager supports a single instance of this site
system role in a hierarchy and only at the top-level site in the
hierarchy.
|
Enrollment point
|
If a user enrolls mobile devices by using Configuration Manager
and their Active Directory account is in a forest that is untrusted
by the site server's forest, you must install an enrollment point
in the user’s forest so that the user can be authenticated.
|
Enrollment proxy point
|
When you support mobile devices on the Internet, as a security
best practice, install the enrollment proxy point in a perimeter
network and the enrollment point on the intranet.
|
Fallback status point
|
Although you can install more than one fallback status point in
a primary site, clients can be assigned to only one fallback status
point and this assignment occurs during client installation:
- If you install clients by using client push
installation, the first fallback status point that is installed for
the site is automatically assigned to clients.
- If you have two fallback status points in the
site so that one fallback status point accepts client connections
from the Internet (for example, it is in a perimeter network), and
the other fallback status point accepts client connections on the
intranet only, assign the Internet-based clients to the
Internet-based fallback status point.
|
Management point
|
You cannot install a System Center 2012
Configuration Manager management point on a server that has a
Configuration Manager 2007 client installed. You must first
uninstall the Configuration Manager 2007 client.
|
Out of band service point
|
Install this site system to support out of band management for
Intel AMT-based computers. In Configuration Manager, this site
system must be installed in a primary site that also contains the
enrollment point.
The out of band service point cannot provision AMT-based
computers in a different forest.
|
Software update point
|
Install this site system in the central administration site to
synchronize with Windows Server Update Services and in all primary
sites that use the Software Updates feature. Also consider
installing a software update point in secondary sites when data
transfer across the network is slow.
|
State migration point
|
Install this site system role in either a primary site or a
secondary site. Consider installing a state migration point in
secondary sites when data transfer across the network is slow.
|
Reporting services point
|
Install this site system role in the central administration site
and at any primary site.
Note |
A reporting services point installed in a primary site rather
than a central administration site can display data from that
primary site only. |
|
Distribution point
|
Install this site system role in primary sites and secondary
sites to distribute software to clients by using Background
Intelligent Transfer Service (BITS), Windows BranchCache, multicast
for operating system deployment, and streaming for application
virtualization.
Note |
When the distribution point is offline or in sleep mode from a
power management policy, for example, software deployments might
fail. |
|
Windows Intune connector
|
Configuration Manager supports a single instance of this site
system role in a hierarchy and only at the top-level site in the
hierarchy.
|
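The placement table, its footnotes, and the considerations table can be applied to a planned design before any role is installed. The following PowerShell is an added example, not part of the original documentation; the function names, the plan format, the site codes, and the server names are constructed for illustration.

```powershell
# Added example, not from the original documentation. Site types: CAS (central
# administration site), ChildPrimary, StandalonePrimary, Secondary.
$Placement = @{
    'Application Catalog web service point'    = 'ChildPrimary','StandalonePrimary'
    'Application Catalog website point'        = 'ChildPrimary','StandalonePrimary'
    'Asset Intelligence synchronization point' = 'CAS','StandalonePrimary'
    'Distribution point'                       = 'ChildPrimary','StandalonePrimary','Secondary'
    'Fallback status point'                    = 'ChildPrimary','StandalonePrimary'
    'Management point'                         = 'ChildPrimary','StandalonePrimary','Secondary'
    'Endpoint Protection point'                = 'CAS','StandalonePrimary'
    'Enrollment point'                         = 'ChildPrimary','StandalonePrimary'
    'Enrollment proxy point'                   = 'ChildPrimary','StandalonePrimary'
    'Out of band service point'                = 'ChildPrimary','StandalonePrimary'
    'Reporting services point'                 = 'CAS','ChildPrimary','StandalonePrimary'
    'Software update point'                    = 'CAS','ChildPrimary','StandalonePrimary','Secondary'
    'State migration point'                    = 'ChildPrimary','StandalonePrimary','Secondary'
    'System Health Validator point'            = 'CAS','ChildPrimary','StandalonePrimary'
    'Windows Intune connector'                 = 'CAS','StandalonePrimary'
}
# One instance per hierarchy (footnote 1 and the considerations table).
$SingleInstance = 'Asset Intelligence synchronization point',
                  'Endpoint Protection point',
                  'Windows Intune connector'
# Roles the considerations table keeps on the intranet when their
# Internet-facing counterpart is in a perimeter network.
$IntranetOnly = 'Application Catalog web service point', 'Enrollment point'

function Test-RolePlan {
    param([Parameter(Mandatory = $true)][object[]]$Plan)

    foreach ($p in $Plan) {
        if (-not $Placement.ContainsKey($p.Role)) {
            "UNKNOWN   '$($p.Role)' is not a role in the placement table"
            continue
        }
        if ($Placement[$p.Role] -notcontains $p.SiteType) {
            "PLACEMENT $($p.Role) is not supported at a $($p.SiteType) site ($($p.Site))"
        }
        # Footnote 5: at a secondary site only the distribution point can be remote.
        if ($p.SiteType -eq 'Secondary' -and -not $p.OnSiteServer -and
            $p.Role -ne 'Distribution point') {
            "REMOTE    $($p.Role) at secondary site $($p.Site) must be on the site server, not $($p.Server)"
        }
        if ($p.Zone -eq 'Perimeter' -and $IntranetOnly -contains $p.Role) {
            "EXPOSURE  $($p.Role) on $($p.Server) is in the perimeter network; place it on the intranet"
        }
    }
    foreach ($role in $SingleInstance) {
        $count = @($Plan | Where-Object { $_.Role -eq $role }).Count
        if ($count -gt 1) {
            "INSTANCES $role is planned $count times; one instance per hierarchy is supported"
        }
    }
    # Footnote 3: a secondary site supports one management point.
    $secondaryMps = $Plan | Where-Object {
        $_.SiteType -eq 'Secondary' -and $_.Role -eq 'Management point'
    }
    foreach ($g in ($secondaryMps | Group-Object Site)) {
        if ($g.Count -gt 1) {
            "INSTANCES secondary site $($g.Name) has $($g.Count) management points; one is supported"
        }
    }
    # A site system server cannot host roles from different sites.
    foreach ($g in ($Plan | Group-Object Server)) {
        $sites = @($g.Group | ForEach-Object { $_.Site } | Sort-Object -Unique)
        if ($sites.Count -gt 1) {
            "MIXED     $($g.Name) hosts roles from sites $($sites -join ', ')"
        }
    }
}

function New-PlanItem($Site, $SiteType, $Server, $OnSiteServer, $Zone, $Role) {
    [pscustomobject]@{
        Site = $Site; SiteType = $SiteType; Server = $Server
        OnSiteServer = $OnSiteServer; Zone = $Zone; Role = $Role
    }
}

# Constructed sample design with deliberate mistakes.
$plan = @(
    New-PlanItem 'CAS'  'CAS'          'cas01'    $true  'Intranet'  'Endpoint Protection point'
    New-PlanItem 'PR1'  'ChildPrimary' 'pr1'      $true  'Intranet'  'Management point'
    New-PlanItem 'PR1'  'ChildPrimary' 'pr1'      $true  'Intranet'  'Asset Intelligence synchronization point'
    New-PlanItem 'PR1'  'ChildPrimary' 'dmz01'    $false 'Perimeter' 'Application Catalog website point'
    New-PlanItem 'PR1'  'ChildPrimary' 'dmz01'    $false 'Perimeter' 'Application Catalog web service point'
    New-PlanItem 'SEC1' 'Secondary'    'sec1'     $true  'Intranet'  'Management point'
    New-PlanItem 'SEC1' 'Secondary'    'sec1-sup' $false 'Intranet'  'Software update point'
    New-PlanItem 'SEC1' 'Secondary'    'dmz01'    $false 'Perimeter' 'Distribution point'
)
Test-RolePlan -Plan $plan
```

Each finding is one output string prefixed with the rule that produced it, so the result can be filtered or written to a design review log.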
Planning for Database Servers in Configuration Manager
The site database server is a computer that runs a
supported version of Microsoft SQL Server that stores
information for Configuration Manager sites. Each site in a
System Center 2012 Configuration Manager hierarchy
contains a site database and a server that is assigned the site
database server role. For central administration sites and primary
sites, you can install SQL Server on the site server, or you
can install SQL Server on a computer other than the site
server. For secondary sites, you can use
SQL Server Express instead of a full SQL Server
installation; however, the database server must be co-located with
the site server.
You can install the site database on the default
instance of SQL Server, a named instance on a single computer
running SQL Server, or on a named instance on a clustered
instance of SQL Server.
Typically, a site system server supports site system
roles from only a single Configuration Manager site; however, you
can use different instances of SQL Server, on clustered or
non-clustered servers running SQL Server, to host a database
from different Configuration Manager sites. To support databases
from different sites, you must configure each instance of
SQL Server to use unique ports for communication.
SQL Server Configurations for Database Servers
To successfully configure a SQL Server
installation for use as a Configuration Manager site database
server, ensure that the following required SQL Server
configurations are specified. Also, be familiar with the optional
configurations and planning for service principal names (SPNs),
database server location planning, and how to modify the database
configuration after a site has completed installation.
Prerequisites for Database Servers
Database Server Locations
At a central administration site and at primary sites,
you can co-locate the database server on the site server, or place
it on a remote server. At secondary sites, the database server is
always co-located on the secondary site server.
If you use a remote database server computer, ensure
the intervening network connection is a high-availability,
high-bandwidth network connection. This is because the site server
and some site system roles must constantly communicate with the
SQL Server that is hosting the site database.
Consider the following when you select a remote
database server location:
- The amount of bandwidth required for
communications to the database server depends upon a combination of
many different site and client configurations; therefore, the
actual bandwidth required cannot be adequately predicted.
- Each computer that runs the SMS Provider
and that connects to the site database increases network bandwidth
requirements.
- The computer that runs SQL Server must
be located in a domain that has a two-way trust with the site
server and all computers running the SMS Provider.
- You cannot use a clustered SQL Server
for the site database server when the site database is co-located
with the site server.
SQL Server Service Principal Names
A Service Principal Name (SPN) for the Configuration
Manager site database server must be registered in Active Directory
Domain Services for the SQL Server service account. The
registered SPN lets SQL clients identify and authenticate the
service by using Kerberos authentication.
When you configure SQL Server to use the local
system account to run SQL Server services, the SPN is
automatically created in Active Directory Domain Services. When a
local domain user account is in use, you must manually register the
SPN for the account. Without registering the SPN for the
SQL Server service account, SQL clients and other site systems
are not able to perform Kerberos authentication, and communication
to the database might fail.
Important |
Running the SQL Server service by using the local system
account of the computer running SQL Server is not a
SQL Server best practice. For the most secure operation of
SQL Server site database servers, configure a low-rights
domain user account to run the SQL Server service. |
For information about how to register the SPN when you
use a domain user account, see How
to Manage the SPN for SQL Server Site Database Servers in this
documentation library.
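One way to confirm that the SPN exists on a domain service account, and to catch an SPN that is held by a different account, is sketched below with the Windows `setspn` tool. This is an added example, not part of the original documentation; the account name, host names, and port are constructed placeholders.

```powershell
# Added example, not from the original documentation. Every name below is a
# constructed placeholder; substitute the values for your site database server.
$ServiceAccount = 'CONTOSO\svc-sqlcm'       # low-rights domain account that runs the SQL Server service
$SqlHostFqdn    = 'sql01.contoso.example'
$SqlHostShort   = 'sql01'
$SqlPort        = 1433                      # port of the instance that hosts the site database
$Register       = $false                    # set to $true to register missing SPNs

# SPNs that SQL clients request for Kerberos authentication to this instance.
$expected = @(
    "MSSQLSvc/${SqlHostFqdn}:$SqlPort",
    "MSSQLSvc/${SqlHostShort}:$SqlPort"
)

# SPNs currently registered on the service account (setspn indents each SPN line).
$registered = @(& setspn.exe -L $ServiceAccount | ForEach-Object { $_.Trim() })

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Output "OK       $spn"
        continue
    }
    # An SPN held by a different account breaks Kerberos for the service,
    # so look for an existing owner before registering.
    $query = & setspn.exe -Q $spn
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered on another account:"
        $query | Where-Object { $_ -match '^CN=' } | ForEach-Object { Write-Warning "  $_" }
        continue
    }
    if ($Register) {
        # -S checks the domain for duplicates before it adds the SPN.
        & setspn.exe -S $spn $ServiceAccount
    } else {
        Write-Output "MISSING  $spn  (run: setspn -S $spn $ServiceAccount)"
    }
}
```

When several SQL Server instances host databases for different sites, run the check once per instance with that instance's port.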
About Modifying the Database Configuration
After you install a site, you can manage the
configuration of the site database and site database server by
running Setup on a central administration site server or primary
site server. Managing the database configuration for a
secondary site is not supported.
For more information about modifying the site database
configuration, see
Modify the Site Database Configuration in this documentation
library.
About Modifying the Database Server Alert Threshold
By default, Configuration Manager generates alerts when
free disk space on a site database server is low. The defaults are
set to generate a warning when there is 10 GB or less of free disk
space, and a critical alert when there is 5 GB or less of free disk
space. You can modify these values or disable alerts for each
site.
To change these settings:
- In the Administration workspace, expand Site
Configuration, and then click Sites.
- Select the site that you want to configure and open that site’s
Properties.
- In the site’s Properties dialog box, select the
Alert tab, and then edit the settings.
- Click OK to close the site properties dialog box.
Planning for the SMS Provider in Configuration Manager
The SMS Provider is a Windows Management
Instrumentation (WMI) provider that assigns read and write access
to the Configuration Manager database at a site. The SMS
Admins group provides access to the SMS Provider and
Configuration Manager automatically creates this security group on
the site server and on each SMS Provider computer. You must
have at least one SMS Provider in each central administration
site and primary site. These sites also support the installation of
additional SMS Providers. Secondary sites do not install the
SMS Provider.
The Configuration Manager console, Resource Explorer,
tools, and custom scripts use the SMS Provider so that
Configuration Manager administrative users can access information
that is stored in the database. The SMS Provider does not
interact with Configuration Manager clients. When a Configuration
Manager console connects to a site, the Configuration Manager
console queries WMI on the site server to locate an instance of the
SMS Provider to use.
The SMS Provider helps enforce Configuration
Manager security. It returns only the information that the
administrative user who is running the Configuration Manager
console is authorized to view.
Important |
When each computer that holds an SMS Provider for a site
is offline, Configuration Manager consoles cannot connect to that
site’s database. |
Use the following sections in this topic to plan for
the SMS Provider. For information about how to manage the
SMS Provider, see Manage
the SMS Provider Configuration for a Site.
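Because membership of SMS Admins grants access to the SMS Provider, reviewing that group on every provider computer is a useful recurring check. The following PowerShell is an added example, not part of the original documentation; the server name and approved list are constructed placeholders, and the `root\sms` namespace and `SMS_ProviderLocation` class are not named on this page.

```powershell
# Added example, not from the original documentation. The server name and the
# approved list are constructed placeholders.
$SiteServer = 'cm01.contoso.example'
$Approved   = @('CONTOSO/CM-Admins')        # accounts expected in SMS Admins

# SMS_ProviderLocation in root\sms on the site server lists each SMS Provider
# registered for the site.
$providers = @(Get-WmiObject -ComputerName $SiteServer -Namespace 'root\sms' `
                             -Class 'SMS_ProviderLocation')
foreach ($p in $providers) {
    Write-Output "SMS Provider for site $($p.SiteCode): $($p.Machine)"
}

# SMS Admins exists on the site server and on every SMS Provider computer.
$targets = (@($SiteServer) + @($providers | ForEach-Object { $_.Machine })) |
    Sort-Object -Unique

$report = foreach ($computer in $targets) {
    # Read the local group through the WinNT ADSI provider.
    $group   = [ADSI]"WinNT://$computer/SMS Admins,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''      # leaves DOMAIN/name or DOMAIN/COMPUTER/name
    })
    foreach ($m in $members) {
        if ($Approved -contains $m) { $status = 'approved' } else { $status = 'REVIEW' }
        [pscustomobject]@{ Computer = $computer; Member = $m; Status = $status }
    }
}

# Members marked REVIEW are not on the approved list.
$report | Sort-Object Status, Computer | Format-Table -AutoSize
```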
SMS Provider Prerequisites
Before you install the SMS Provider on a computer,
ensure that the computer meets the following prerequisites:
- The computer must be in a domain that has a
two-way trust with the site server and the site database site
systems.
- The computer cannot have a site system role
from a different site.
- The computer cannot have an SMS Provider
from any site.
- The computer must run an operating system
that is supported for a site server.
- The computer must have at least 650 MB of
free disk space to support the Windows Automated Installation Kit
(Windows AIK) components that are installed with the
SMS Provider. For more information about Windows AIK and
the SMS Provider, see the Operating System Deployment Requirements for
the SMS Provider section in this topic.
About SMS Provider Locations
When you install a site, the installation automatically
installs the first SMS Provider for the site. You can specify
any of the following supported locations for the
SMS Provider:
- The site server computer
- The site database computer
- A server-class computer that does not hold an
SMS Provider, or a site system role from a different site
Each SMS Provider supports simultaneous
connections from multiple requests. The only limitations on these
connections are the number of server connections that are available
on the SMS Provider computer, and the available resources on
the SMS Provider computer to service the connection
requests.
After a site is installed, you can run Setup on the
site server again to change the location of an existing
SMS Provider, or to install additional SMS Providers at
that site. You can install only one SMS Provider on a
computer, and a computer cannot install an SMS Provider from
more than one site.
Use the following table to identify the advantages and
disadvantages of installing an SMS Provider on each supported
location.
Location: Configuration Manager site server
Advantages:
- The SMS Provider does not use the system
resources of the site database computer.
- This location can provide better performance
than an SMS Provider located on a computer other than the site
server or site database computer.
Disadvantages:
- The SMS Provider uses system and network
resources that could be dedicated to site server operations.

Location: SQL Server that is hosting the site database
Advantages:
- The SMS Provider does not use site
system resources on the site server.
- This location can provide the best
performance of the three locations, if sufficient server resources
are available.
Disadvantages:
- The SMS Provider uses system and network
resources that could be dedicated to site database operations.
- This location is not an option when the site
database is hosted on a clustered instance of SQL Server.

Location: Computer other than the site server or site database
computer
Advantages:
- SMS Provider does not use site server or
site database computer resources.
- This type of location lets you deploy
additional SMS Providers to provide high availability for
connections.
Disadvantages:
- The SMS Provider performance might be
reduced due to the additional network traffic that is required to
coordinate with the site server and the site database computer.
- This server must be always accessible to the
site database computer and all computers with the Configuration
Manager console installed.
- This location can use system resources that
would otherwise be dedicated to other services.
To view the locations of each SMS Provider that is
installed at a site, view the General tab of the site
Properties dialog box.
About SMS Provider Languages
The SMS Provider operates independently of the
display language of the computer where it is installed.
When an administrative user or Configuration Manager
process requests data by using the SMS Provider, the
SMS Provider attempts to return that data in a format that
matches the operating system language of the requesting computer.
The SMS Provider does not translate information from one
language to another. Instead, when data is returned for display in
the Configuration Manager console, the display language of the data
depends on the source of the object and type of storage.
When data for an object is stored in the database, the
languages that will be available depend on the following:
- Objects that Configuration Manager creates
are stored in the database by using support for multiple languages.
The object is stored by using the languages that are configured at
the site where the object is created when you run Setup. These
objects are displayed in the Configuration Manager console in the
display language of the requesting computer, when that language is
available for the object. If the object cannot be displayed in the
display language of the requesting computer, it is displayed in the
default language, which is English.
- Objects that an administrative user creates
are stored in the database by using the language that was used to
create the object. These objects display in the Configuration
Manager console in this same language. They cannot be translated by
the SMS Provider and do not have multiple language
options.
About Multiple SMS Providers
After a site completes installation, you can install
additional SMS Providers for the site. To install additional
SMS Providers, run Configuration Manager Setup on the site
server. Consider installing additional SMS Providers when any
of the following is true:
- You will have a large number of
administrative users that run a Configuration Manager console and
connect to a site at the same time.
- You will use the Configuration Manager SDK,
or other products, that might introduce frequent calls to the
SMS Provider.
- You want to ensure high availability for the
SMS Provider.
When multiple SMS Providers are installed at a
site and a connection request is made, the site
non-deterministically assigns each new connection request to use an
installed SMS Provider. You cannot specify the
SMS Provider location to use with a specific connection
session.
Note: Consider the advantages and disadvantages of each
SMS Provider location, and balance these considerations with
the fact that you cannot control which SMS Provider
will be used for each new connection.
For example, when you first connect a Configuration
Manager console to a site, the connection queries WMI on the site
server to non-deterministically identify an instance of the
SMS Provider that the console will use. This specific instance
of the SMS Provider remains in use by the Configuration
Manager console until the Configuration Manager console
session ends. If the session ends because the SMS Provider
computer becomes unavailable on the network, when you reconnect the
Configuration Manager console the site will non-deterministically
assign an SMS Provider computer to the new connection session.
It is possible to be assigned to the same SMS Provider computer
that is not available. If this occurs, you can attempt to reconnect
the Configuration Manager console until an available
SMS Provider computer is assigned.
About the SMS Admins Group
You use the SMS Admins group to provide administrative
users access to the SMS Provider. The group is automatically
created on the site server when the site installs, and on each
computer that installs an SMS Provider. Additional information
about the SMS Admins group:
- When the computer is a member server, the SMS
Admins group is created as a local group.
- When the computer is a domain controller, the
SMS Admins group is created as a domain local group.
- When the SMS Provider is uninstalled
from a computer, the SMS Admins group is not removed from the
computer.
Before a user can make a successful connection to an
SMS Provider, their user account must be a member of the SMS
Admins group. Each administrative user that you configure in the
Configuration Manager console is automatically added to the SMS
Admins group on each site server and to each SMS Provider
computer in the hierarchy. When you delete an administrative user
from the Configuration Manager console, that user is removed from
the SMS Admins group on each site server and on each
SMS Provider computer in the hierarchy.
After a user makes a successful connection to the
SMS Provider, role-based administration determines what
Configuration Manager resources that user can access or manage.
You can view and configure SMS Admins group rights and
permissions by using the WMI Control MMC snap-in. By default,
Everyone has Execute Methods, Provider Write,
and Enable Account permissions. After a user connects to the
SMS Provider, that user is granted access to data in the site
database based on their role-based administrative security rights
as defined in the Configuration Manager console. The SMS Admins
group is explicitly granted Enable Account and Remote
Enable on the Root\SMS namespace.
About the SMS Provider Namespace
The structure of the SMS Provider is defined by
the WMI schema. Schema namespaces describe the location of
Configuration Manager data within the SMS Provider schema. The
following table contains some of the common namespaces that are
used by the SMS Provider.
Namespace | Description
--- | ---
Root\SMS\site_<site code> | The SMS Provider, which is extensively used by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts.
Root\SMS\SMS_ProviderLocation | Provides the location of the SMS Provider computers for a site.
Root\CIMv2 | Location inventoried for WMI namespace information during hardware and software inventory.
Root\CCM | Configuration Manager client configuration policies and client data.
root\CIMv2\SMS | Location of inventory reporting classes that are collected by the inventory client agent. These settings are compiled by clients during computer policy evaluation and are based on the client settings configuration for the computer.
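The following PowerShell script is an added example, not part of the original documentation. It reads the SMS_ProviderLocation class in the Root\SMS namespace on the site server to list the provider computers, then reports any member of the SMS Admins group on those computers that is not on an approved list. The server name SITESERVER01 and the accounts in $Approved are placeholders, and the script assumes the provider computers are member servers reachable through the WinNT ADSI provider.

```powershell
# Added example. SITESERVER01 and the $Approved accounts are placeholders.
param(
    [string]   $SiteServer = 'SITESERVER01',
    # Accounts configured as administrative users, written as DOMAIN/name.
    [string[]] $Approved   = @('CONTOSO/cmadmin1', 'CONTOSO/cmadmin2')
)

# Each SMS_ProviderLocation instance in Root\SMS names one provider computer.
$providers = @(Get-WmiObject -ComputerName $SiteServer -Namespace 'root\sms' `
                             -Class SMS_ProviderLocation -ErrorAction Stop)
$providers | Format-Table SiteCode, Machine, ProviderForLocalSite -AutoSize

# SMS Admins exists on the site server and on every provider computer.
# Short host names are used for the WinNT provider.
$targets = @($SiteServer) + @($providers | ForEach-Object { $_.Machine }) |
    ForEach-Object { ($_ -split '\.')[0].ToUpper() } | Sort-Object -Unique

$report = foreach ($computer in $targets) {
    try {
        $group = [ADSI]"WinNT://$computer/SMS Admins,group"
        $group.psbase.Invoke('Members') | ForEach-Object {
            # ADsPath looks like WinNT://DOMAIN/account for domain accounts.
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty',
                                              $null, $_, $null)
            $name = $path -replace '^WinNT://', ''
            New-Object PSObject -Property @{
                Computer = $computer
                Member   = $name
                Approved = ($Approved -contains $name)
            }
        }
    } catch {
        # An unreachable provider also means consoles assigned to it fail.
        Write-Warning "Could not read SMS Admins on ${computer}: $($_.Exception.Message)"
    }
}

# Unapproved members sort first so that drift is visible at the top.
$report | Sort-Object Approved, Computer, Member |
    Format-Table Computer, Member, Approved -AutoSize
```

Because the SMS Admins group is not removed when an SMS Provider is uninstalled, running the same check against former provider computers shows whether stale memberships remain there.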
Operating System Deployment Requirements for the SMS Provider
The SMS Provider requires the following external
dependency be installed on the computer that runs the
SMS Provider to enable you to use operating system deployment
task functions by using the Configuration Manager console:
- For Configuration Manager with no service
pack: Automated Installation Kit (Windows AIK)
- For Configuration Manager SP1: Windows
Assessment and Deployment Kit (Windows ADK)
For Configuration Manager with no service pack, the
Windows AIK installs as a component of the SMS Provider. For
Configuration Manager with SP1, you must manually install the
Windows ADK on a computer before you can install the
SMS Provider.
When you manage operating system deployments, the
Windows AIK or Windows ADK allows the SMS Provider to complete
various tasks, which include the following:
- View WIM file details
- Add driver files to existing boot images
- Create boot .ISO files
The Windows AIK or Windows ADK installation can require
up to 650 MB of free disk space on each computer that installs the
SMS Provider. This high disk space requirement is necessary
for Configuration Manager to install the Windows PE boot
images.
Planning for Custom Websites with Configuration Manager
Configuration Manager site system roles that require
Microsoft Internet Information Services (IIS) also require a
website to host the site system services. By default, site systems
use the IIS website named Default Web Site on a site system
server. However, you can use a custom website that has the name of
SMSWEB. This option might be appropriate if you must run
other web applications on the same server and their settings are
either incompatible with Configuration Manager, or you want the
additional resilience of using a separate website. In this
scenario, these other applications continue to use the default IIS
website, and Configuration Manager operations use the custom
website.
Important: When you run other applications on a Configuration Manager site
system, you increase the attack surface on that site system. As a
security best practice, dedicate a server for the Configuration
Manager site systems that require IIS.
You can use custom websites on all primary sites. When
you use a custom website at a site, all client communications
within the site are directed to use the custom website named
SMSWEB on each site system instead of the default website on
IIS. Additionally, site system roles that use IIS but do not accept
client connections, such as the reporting services point, also use
the SMSWEB website instead of the default website. For more
information about which site systems require IIS, see Supported Configurations
for Configuration Manager.
Before you configure a Configuration Manager site to
use a custom website, you must manually create the custom website
in IIS on each site system server that requires Internet
Information Services (IIS) at that site. Because secondary sites
are automatically configured to use a custom website when you
enable this option on the parent site, you must also create a
custom website in IIS on each secondary site system server that
requires IIS.
If you enable custom websites for one site, consider
using custom websites for all sites in your hierarchy to ensure
that clients can successfully roam within the hierarchy.
Note: When you select or clear the check box to use a custom website
for a site, the following site system roles that are installed on
each site system server in the site are automatically uninstalled and
reinstalled:
- Management point
- Distribution point
- Software update point
- Fallback status point
- State migration point
Site System Roles That Can Use Custom Websites
The following Configuration Manager site system roles
require IIS and use the default or custom website on the site
system server:
- Application Catalog web service point
- Application Catalog website point
- Distribution point
- Enrollment point
- Enrollment proxy point
- Fallback status point
- Management point
- Software update point
- State migration point
Custom Website Ports
When you create a custom website, you must assign port
numbers to the custom website that differ from the port numbers
that the default website uses. The default website and the custom
website cannot run at the same time if both sites are configured to
use the same TCP/IP ports.
After the site system roles are reinstalled, verify
that the TCP/IP ports configured in IIS for the custom website
match the client request ports for the site.
For information about how to configure ports for client
communication, see How to Configure Client
Communication Port Numbers in Configuration Manager.
Switching Between Default Websites and Custom Websites
Although you can select or clear the check box to use a
custom website at any time, if possible, configure this option as
soon as the site is installed to minimize any disruptions to
service continuity. When you make this site configuration change,
plan for the site system roles that are automatically uninstalled
and reinstalled with the new website and port configuration. You
must also plan to manually uninstall and reinstall any site system
roles that are not automatically reinstalled to use the new website
and port configuration.
When you change from using the default website to use a
custom website, Configuration Manager does not automatically remove
the old virtual directories. If you want to remove the files that
Configuration Manager used, you must manually delete the virtual
directories that were created under the default website.
If you change the site option to use a custom website,
clients that are assigned to the site must be configured to use the
client request port that matches the new website port. For
information about how to configure ports for client communication,
see How to
Configure Client Communication Port Numbers in Configuration
Manager.
How to Create the Custom Website in Internet Information Services (IIS)
To use a custom website for a site, you must perform
the following actions before you enable the option to use a custom
website in Configuration Manager:
- Create the custom website in IIS for each
site system server that requires IIS in the primary site and any
child secondary sites.
- Name the custom website SMSWEB.
- Configure the custom website to respond to
the same port that you configure for Configuration Manager client
communication.
Important: When you change from using the default website and use a custom
website, Configuration Manager adds the client request ports that
are configured on the default website to the custom website.
Configuration Manager does not remove these ports from the default
website, and the ports are listed for both the default and custom
website. IIS cannot start both websites when they are configured to
operate on the same TCP/IP ports, and clients cannot contact the
management point.
Use the information in the following procedures to help
you configure the custom websites in IIS.
Note: The following procedures are for Internet Information Services
(IIS) 7.0 on Windows Server 2008 R2. If you cannot use these
procedures because your server has a different operating system
version, refer to the IIS documentation for your operating system
version.
To create a custom website in Internet Information Services (IIS)
1. On the computer that runs the Configuration Manager
site system, click Start, click Administrative Tools,
and then click Internet Information Services (IIS)
Manager.
2. In the Internet Information Services (IIS)
Manager console, in the Connections pane, right-click
the Sites node to select Add Web Site.
3. In the Add Web Site dialog box, enter
SMSWEB in the Site name box.
   Important: SMSWEB is the required name for Configuration Manager
   custom websites.
4. In the Physical path box, specify the physical
path to use for the website folder.
5. Specify the protocol and custom port for this
website.
   - After you create the website, you can edit it
   to add additional website bindings for additional protocols.
   - When you configure the HTTPS protocol,
   you must specify an SSL certificate before you can save the
   configuration.
6. Click OK to create the custom website.
Remove the custom website ports from the default website in Internet Information Services (IIS)
1. In the Internet Information Services (IIS)
Manager, edit the Bindings of the IIS website that has
the duplicate ports (Default Web Site). Remove the ports
that match the ports that are assigned to the custom website
(SMSWEB).
2. Start the website (SMSWEB).
3. Restart the SMS_SITE_COMPONENT_MANAGER service
on the site server.
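The two procedures above can also be scripted with the IIS WebAdministration module. The following PowerShell script is an added example, not part of the original documentation: it creates SMSWEB if it is missing, then reports every HTTP or HTTPS port that is bound on both Default Web Site and SMSWEB, and removes the duplicates from Default Web Site only when -RemoveDuplicates is given. The physical path and port 8080 are assumptions; use the client request port configured for your site.

```powershell
# Added example. The folder and port below are assumptions.
param(
    [string] $PhysicalPath = 'C:\inetpub\SMSWEB',  # assumed website folder
    [int]    $Port         = 8080,                 # assumed client request port
    [switch] $RemoveDuplicates                     # without it: report only
)
Import-Module WebAdministration

# Return the protocol and TCP port of each HTTP/HTTPS binding of a site.
function Get-SitePort([string] $Site) {
    Get-WebBinding -Name $Site |
        Where-Object { $_.protocol -match '^https?$' } |
        ForEach-Object {
            # bindingInformation is "IP:port:hostheader"; the port is the
            # second field from the end, which also holds for IPv6 addresses.
            New-Object PSObject -Property @{
                Site     = $Site
                Protocol = $_.protocol
                Port     = [int](($_.bindingInformation -split ':')[-2])
            }
        }
}

# Create SMSWEB on its own port if it does not exist yet.
if (-not (Test-Path 'IIS:\Sites\SMSWEB')) {
    New-Item -ItemType Directory -Path $PhysicalPath -Force | Out-Null
    New-Website -Name 'SMSWEB' -PhysicalPath $PhysicalPath -Port $Port | Out-Null
}

# Ports that Configuration Manager copied to SMSWEB but left on the default site.
$customPorts = @(Get-SitePort 'SMSWEB' | ForEach-Object { $_.Port })
$duplicates  = @(Get-SitePort 'Default Web Site' |
                 Where-Object { $customPorts -contains $_.Port })

if ($duplicates.Count -eq 0) {
    Write-Output 'No port is bound on both Default Web Site and SMSWEB.'
} else {
    $duplicates | Format-Table Site, Protocol, Port -AutoSize
    if ($RemoveDuplicates) {
        foreach ($d in $duplicates) {
            Remove-WebBinding -Name 'Default Web Site' `
                              -Protocol $d.Protocol -Port $d.Port
        }
        Start-Website -Name 'SMSWEB'
        # Remaining step: restart SMS_SITE_COMPONENT_MANAGER on the site server.
    }
}
```

Run it once before you enable the custom website option to create SMSWEB, and again afterward to find the duplicate bindings that Configuration Manager leaves on Default Web Site.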
See Also