Planning for Communications in Configuration Manager 2012

Updated: May 1, 2011

Applies To: System Center Configuration Manager 2012

Before you install Configuration Manager 2012, plan for the network communications between different sites in a hierarchy, between different site system servers in a site, and between clients and site system servers. These communications might be contained within a single domain or they might span multiple Active Directory forests. You might also need to plan for communications from clients on the Internet that communicate with Internet-based site system servers.

Use the following sections in this topic to help you plan for communications in Configuration Manager 2012.

What’s New in Configuration Manager 2012

The following details are new or updated in Configuration Manager 2012:

  • Site-to-site communication now uses database replication in addition to file-based replication for many site-to-site data transfers, including configurations and settings.

  • The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how clients communicate to site systems within the site has been replaced by site systems that can independently support intranet or Internet-based clients through the use of HTTP or HTTPS communication settings.

  • The site system roles that run Internet Information Services (IIS) and accept client connections, such as management points and distribution points, support the following configurations:

    • Accept client connections on the intranet only, on the Internet only, or on both the intranet and the Internet.

    • For connections on the intranet, support for either HTTP or HTTPS communication.

    • For HTTP communication, optionally require that communication from clients be encrypted.

  • Configuration Manager 2012 can manage workgroup computers and computers from Active Directory forests other than the site server’s Active Directory forest. To help support client computers in other forests, Configuration Manager 2012 can discover computers in these forests and publish site information to these forests.

Planning for Inter-Site Communications in Configuration Manager 2012

In a Configuration Manager 2012 hierarchy, each site must be able to communicate with its parent site and all its child sites. In addition, secondary sites might communicate with other secondary sites to route content to remote network locations. Data transfers between sites use one of two methods: file-based replication or database replication.

File-based Replication

File-based replication in Configuration Manager 2012 uses senders and addresses to transfer data between sites in the hierarchy. This site-to-site data transfer method is unchanged from Configuration Manager 2007. Communication between sites uses the Server Message Block (SMB) protocol by using TCP/IP port 445. Configurations include bandwidth throttling and pulse mode to control the amount of data transferred across the network, and schedules to control when to send data across the network. Examples of data types that transfer by file-based replication include content distributed to distribution points in child sites, and unprocessed discovery data records.

Senders

Senders manage the network connectivity to other sites. By default, a sender is installed automatically on each site server and supports a limited set of configurations to control the number of concurrent communication threads to transfer data from the local site to a remote site.

A sender requires a site-specific address to communicate with another site.

Addresses

Addresses are used by senders to establish a network connection to the site server of a destination site. By default, when you install a new site as a child of another site, both sites create an address to each other. Addresses must have a Site Address Account defined to connect to a destination site server. By default, this account uses the computer account of the local computer. However, you can specify a user account instead.

You can configure the properties for an address, which includes the network bandwidth usage when Configuration Manager 2012 transfers data to the destination site server.

Database Replication

Configuration Manager 2012 database replication uses SQL Server to transfer data and merge changes made to a site's database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Database replication is automatically configured by all Configuration Manager 2012 sites.

When you install a site, database replication is automatically configured between the new site and its designated parent site. When the site installation finishes, database replication automatically starts.

As part of setup, Configuration Manager uses publication groups to establish and synchronize database replication between sites. After setup, the database replication service synchronizes data in the publication groups between SQL Servers using the SQL Server Service Broker. The database replication service uses SQL Server change tracking to monitor the local site database for changes and then replicates changes to other sites.

Note
Before Configuration Manager database replication starts, Configuration Manager runs a one-time instance of Configuration Manager database snapshot replication using SQL Server. The snapshot replication uses the snapshot folder that you defined when you installed the site. The new site database is then synchronized with the parent site.

Configuration Manager 2012 classifies the data that it replicates as either global data or site data. A third data type, named local data, does not replicate to other sites. Local data includes information that is not required by other sites.

Global Data

Global data refers to administrator-created objects that replicate to all sites throughout the hierarchy, although secondary sites receive only a subset of global data. Examples of global data include software deployments, software updates, collections, and role-based administration security scopes. Administrators can create global data at central administration sites and primary sites.

Site Data

Site data refers to operational information created by Configuration Manager primary sites and the clients that report to primary sites. Site data replicates to the central administration site but not to other primary sites. Examples of site data include hardware inventory data, status messages, alerts, and the results from query-based collections. Site data is only visible at the central administration site and the primary site where the data originates. You can modify site data only at the primary site where it was created.

All site data replicates to the central administration site. This enables the central administration site to perform administration and reporting for the entire hierarchy.

Planning for Intra-Site Communications in Configuration Manager 2012

Each Configuration Manager 2012 site contains a site server and one or more additional site system servers that host site system roles. Configuration Manager requires each site system server to be a member of an Active Directory domain. Configuration Manager does not support changing the computer name or the domain membership while the computer remains a site system.

When Configuration Manager site systems or components communicate across the network to other site systems or Configuration Manager components within the site, they use either server message block (SMB), HTTP, or HTTPS. The communication method depends on the site configuration choices that you make. With the exception of communication from the site server to a distribution point, these server-to-server communications within a site can happen at any time and do not use mechanisms to control the network bandwidth. Because you cannot control the communication between site systems, make sure that you install site system servers in locations that have well-connected and fast networks.

You can use the following options to help you manage the transfer of content from the site server to distribution points:

  • Configure the distribution point for network bandwidth control and scheduling. These controls are similar to the configurations used by the site-to-site addresses and you can often use this configuration instead of installing another Configuration Manager 2012 site when you need to control the transfer of content to remote network locations.

  • You can install a distribution point as a prestaged distribution point. A prestaged distribution point allows you to use content that is manually placed on the distribution point server. This removes the requirement to transfer content files across the network.

Planning for Client Communication in Configuration Manager 2012

Client communication in Configuration Manager 2012 includes client-to-site-system communications and service location. Service location allows clients to identify the site system servers to use.

Planning for Client Communication to Site Systems

Configuration Manager 2012 clients initiate communication to site system roles, such as management points to download client policy, and distribution points to download content. To communicate, the client must first locate a site system role that is configured to support the protocol (HTTPS or HTTP) that the client can use. By default, clients use the most secure method available. Therefore, a client configured with a PKI certificate will attempt to locate and communicate with a site system role by using HTTPS before it communicates with a site system role that uses HTTP.

For a Configuration Manager 2012 client to use HTTPS, you must have a public key infrastructure (PKI) and install PKI certificates on clients and servers. The client requires a certificate that has client authentication capability for mutual authentication with the site system server.

When you deploy a site system role that uses Internet Information Services (IIS) and supports communication from clients, such as a management point, state migration point, or distribution point, you must specify whether clients will connect to the site system by using HTTP or HTTPS. If you choose HTTP, you can also choose to encrypt HTTP communications to the site system, although this configuration can increase the CPU usage on the site system and the client.

You can also configure the site system to use an intranet fully qualified domain name (FQDN) and an Internet FQDN. When you configure an Internet FQDN, you can then configure the site system role to accept client connections from the Internet. You can configure support for client connections from the Internet only, or for client connections from both the intranet and the Internet.

You can deploy multiple instances of site system roles in a site that have different communication settings. For example, in a single site, you can have one management point that accepts HTTPS client communication and another management point that accepts HTTP client communication. This allows you to manage clients across different network locations, using different communication protocols and security settings.

Planning for Service Location by Clients

Service location is how Configuration Manager 2012 clients find sites and site system roles. For example, for clients to successfully download client policy, they must first find a management point.

Service location is independent from name resolution, which maps a computer name to an IP address. Name resolution is performed by DNS or WINS. However, DNS and WINS can also be used for service location.

Clients search for a management point by using the following options in the order specified:

  1. Active Directory Domain Services

  2. DNS

  3. Server locator point

  4. WINS

Planning for Service Location from Active Directory Domain Services

Intranet clients use Active Directory Domain Services as their primary method of service location for site information. Examples of site information include the location of available site system roles and their capabilities, and the security information required by client computers to establish trusted connections with site system servers in the site. Configuration Manager clients can use Active Directory Domain Services for service location when the following conditions are met:

  • The Active Directory schema is extended for Configuration Manager 2007 or Configuration Manager 2012

  • Configuration Manager 2012 sites publish to Active Directory Domain Services

  • The Active Directory forest is enabled for publishing in Configuration Manager

If any of these conditions cannot be met, clients must have an alternative service location method. In order for clients to find site information, the only alternative is to use a server locator point. In order for clients to find management points, alternatives include DNS, a server locator point, or WINS.

Planning for Service Location by Using DNS Publishing

If you cannot publish site information to Active Directory Domain Services, consider publishing management points to DNS. You can publish this site system role for clients on the intranet and you can publish intranet NLB management points to DNS.

Determine Whether to Publish to DNS

Publishing Configuration Manager 2012 management points to DNS adds a service location resource record (SRV RR) in the DNS zone of the site system server. Make sure that you have a corresponding host entry for the site system server. Consider publishing to DNS when any of the following scenarios apply:

  • The Active Directory Domain Services schema is not extended to support Configuration Manager

  • Clients on the intranet are located in a forest that is not enabled for Configuration Manager publishing

  • Clients are on workgroup computers and they are not configured for Internet-only client management

  • You do not use WINS

Client Discovery of Management Points from DNS

For clients to find a management point in DNS you must assign the clients to a specific site rather than use automatic site assignment. Additionally, you must configure these clients to use the site code with the domain suffix of the management point.

Clients use their domain suffix to query DNS for management points from their assigned site. When more than one management point for the site is published to DNS, a client selects the first one that matches its own communication setting for HTTPS or HTTP. A client that can use HTTPS always selects a management point that is configured for HTTPS if one is available.

For more information, see How to Configure Clients to Find a Management Point by using DNS Publishing in Configuration Manager 2012.

Publish to DNS

To publish management points to DNS, the following two conditions must be met:

  • Your DNS servers support service location resource records (for example, BIND version 8.1.2 or later).

  • The specified FQDNs in Configuration Manager 2012 have host entries (for example, A records) in DNS.

When your DNS servers support automatic updates, you can configure Configuration Manager 2012 to automatically publish management points on the intranet to DNS, or you can manually publish these records to DNS. When site system roles are published to DNS, their intranet FQDN and port number are published in the SRV record.
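The following added example (not code from the page or from Microsoft) models the two checks described above: that every published management point has a corresponding host entry, and how a client assigned to a site picks a management point from the SRV records for its site code and domain suffix, preferring HTTPS when it can use it. The `_mssms_mp_<site code>._tcp` record name is the form Configuration Manager publishes and is not stated on this page; the site code PS1, the host names, the addresses and the zone are constructed, and mapping port 443 to HTTPS and port 80 to HTTP is an assumption.

```python
"""Check DNS publishing of management points and model client selection."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed BIND-style zone fragment for site code PS1. mp03 has an SRV
# record but no host (A) entry, which is the misconfiguration the text warns about.
ZONE = """
_mssms_mp_PS1._tcp.contoso.com. 3600 IN SRV 0 0 80  mp01.contoso.com.
_mssms_mp_PS1._tcp.contoso.com. 3600 IN SRV 0 0 443 mp02.contoso.com.
_mssms_mp_PS1._tcp.contoso.com. 3600 IN SRV 0 0 443 mp03.contoso.com.
mp01.contoso.com. 3600 IN A 10.0.0.11
mp02.contoso.com. 3600 IN A 10.0.0.12
"""

HTTPS_PORT = 443  # assumption: default HTTPS port identifies an HTTPS management point
HTTP_PORT = 80    # assumption: default HTTP port identifies an HTTP management point


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_zone(text: str) -> Tuple[List[SrvRecord], Set[str]]:
    """Return the SRV records and the set of names that have a host (A) entry."""
    srv: List[SrvRecord] = []
    hosts: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line or not a record we care about
        owner = parts[0].rstrip(".").lower()
        if parts[3] == "SRV" and len(parts) == 8:
            srv.append(SrvRecord(owner, int(parts[4]), int(parts[5]),
                                 int(parts[6]), parts[7].rstrip(".").lower()))
        elif parts[3] == "A":
            hosts.add(owner)
    return srv, hosts


def mp_records(srv: List[SrvRecord], site_code: str, domain_suffix: str) -> List[SrvRecord]:
    """SRV records a client assigned to site_code queries using its domain suffix."""
    name = f"_mssms_mp_{site_code}._tcp.{domain_suffix}".lower()
    return [r for r in srv if r.name == name]


def missing_host_entries(records: List[SrvRecord], hosts: Set[str]) -> List[str]:
    """Published management points whose FQDN has no corresponding host entry."""
    return sorted({r.target for r in records if r.target not in hosts})


def select_management_point(records: List[SrvRecord], hosts: Set[str],
                            client_can_use_https: bool) -> Optional[SrvRecord]:
    """Pick the first resolvable record that matches the client's protocol setting.

    A client with a PKI certificate takes an HTTPS management point whenever one
    is available and falls back to HTTP; an HTTP-only client takes HTTP only.
    """
    usable = sorted((r for r in records if r.target in hosts), key=lambda r: r.priority)
    if client_can_use_https:
        for r in usable:
            if r.port == HTTPS_PORT:
                return r
    for r in usable:
        if r.port == HTTP_PORT:
            return r
    return None


if __name__ == "__main__":
    srv, hosts = parse_zone(ZONE)
    recs = mp_records(srv, "PS1", "contoso.com")
    print("missing host entries:", missing_host_entries(recs, hosts))
    print("HTTPS client ->", select_management_point(recs, hosts, True).target)
    print("HTTP client  ->", select_management_point(recs, hosts, False).target)
```
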

Planning for Communications Across Forests in Configuration Manager 2012

Configuration Manager 2012 supports sites and hierarchies that span Active Directory forests that are configured with a forest trust.

Configuration Manager also supports clients that are not in the same Active Directory forest as the site server by using HTTPS client communication. These clients might be on the intranet or on the Internet. For clients to use HTTP client communication, they must be on the intranet and in the same Active Directory forest as the site server. Or, they must be in an Active Directory forest that has a forest trust with the site server’s forest.

When your Configuration Manager 2012 design spans multiple Active Directory domains and forests, plan for the following types of communication:

  • Communication between Configuration Manager 2012 sites that span Active Directory forests (requires a forest trust)

  • Communications within Configuration Manager 2012 sites that span Active Directory forests (requires a forest trust)

  • Communication between clients and site system roles when the clients are not in the same Active Directory forest as their site server

When you install a Configuration Manager site or site system role in a trusted forest rather than the same forest, Configuration Manager 2012 does not require any additional configuration steps. However, make sure that any intervening firewalls and network devices do not block the network packets that Configuration Manager 2012 requires, that name resolution is working between the forests, and that you use an account that has sufficient permissions to install the site or site system role. For more information, see Communications between Configuration Manager 2012 Sites that Cross a Forest Trust and Communications within Configuration Manager 2012 Sites That Cross a Forest Trust.

To support clients from other Active Directory forests, you can publish Configuration Manager 2012 site information to those forests. For more information, see Support for Clients Across Multiple Active Directory Forests.

Communications between Configuration Manager 2012 Sites That Span Active Directory Forests (Requires a Forest Trust)

You must have a forest trust to support any Configuration Manager 2012 sites that are located in remote Active Directory forests. Site-to-site communication in Configuration Manager 2012 uses database replication and file-based transfers. When you install a site you must specify an account to install the site on the designated server. This account also establishes and maintains communication between sites.

By default, when you install a new site as a child of another site, Configuration Manager 2012 creates a site-to-site communication address on each site that uses the site server computer account. Configuration Manager 2012 grants this account sufficient permissions on the destination site to enable the transfer of file-based information. You can configure a domain user account for use in place of the computer account. Configuration Manager 2012 also configures accounts with the permissions to establish and maintain database replication between the sites.

After the site successfully installs and initiates file-based transfers and database replication, you do not need to configure anything else for communication to the site.

Communications within Configuration Manager 2012 Sites That Span Active Directory Forests (Requires a Forest Trust)

Within a site, you can install one or more site system roles to a site system server that is located in another forest. You can install any site system role on the site system server that is supported by the site to which the site system server is assigned. When you install the site system server, you must specify the Site System Installation Account. This account must have sufficient permissions to connect to, and then install site system roles on the specified server. Some site system roles require an account that has permissions to access resources in the local domain, such as the management point that accesses the site database. You must configure an account with sufficient permissions to access these resources.

After the site system server and site system roles install, no further configurations are required to support communication to the site system server.

Communication Between Clients and Site System Roles When the Clients Are Not in the Same Active Directory Forest as Their Site Server

Configuration Manager 2012 supports clients from remote forests regardless of whether a forest trust exists between the client's forest and the site server's forest.

Clients in a Trusted Forest

To support clients in a trusted forest, these clients must be able to locate site system servers and resources such as deployment content. For example, clients must be able to locate a management point in their assigned site. The easiest way for a client to locate a management point is to publish site information to Active Directory Domain Services.

To publish site information to another Active Directory forest, you must first specify the forest and then enable publishing to that forest in the Active Directory Forests node of the Administration workspace. Additionally, you must enable each site to publish its data to Active Directory Domain Services. This configuration allows clients in that forest to locate site resources.

Planning for Internet-Based Client Management

To support Internet-based clients you can install site system servers in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet), then configure the Internet-based site system roles for HTTPS client communication and to accept client connections from the Internet. The site system servers must be in an Active Directory domain but the forest can be untrusted by the site server. When the forest is untrusted, Internet-based clients will not receive user-based settings when they download client policy. When the forest is trusted, clients receive user-based and computer-based settings. Configuration Manager clients that are installed on these servers are supported as Internet-based clients.

To support Configuration Manager 2012 clients on these site system servers, install them as Internet-only clients.

Internet-based clients must have a PKI certificate for client authentication and use HTTPS communication. When you want to manage clients that are on the Internet, you must manually assign the client to the site and configure it to use the Internet-based management point because when the client is on the Internet, it will not be able to use service location to find this information.

Planning for Network Bandwidth in Configuration Manager 2012

Configuration Manager 2012 offers several methods to control the network bandwidth that is used by communications between sites, site system servers, and clients. However, not all communication on the network can be managed. Use the following sections to help you understand the methods you can use to control network bandwidth and design your site hierarchy.

When you design the hierarchy and address structure for Configuration Manager 2012, consider the amount of network data that will be transferred from inter-site and intra-site communications.

Note
Addresses in Configuration Manager 2012 are used only for inter-site communications; they are not used for intra-site communications between site servers and site systems.

Controlling Network Bandwidth Usage Between Sites

During file-based data transfers, Configuration Manager will use all of the available network bandwidth when sending data between sites. You can control this by configuring the sender used by an address to increase or decrease site-to-site sending threads. A sending thread is used to transfer one file at a time. Each additional thread can result in additional files being transferred simultaneously, resulting in greater bandwidth use. You can configure the number of threads to use for site-to-site transfers by configuring the Maximum concurrent sendings on the Sender tab of the site's properties.

To control network bandwidth usage between sites, schedule when Configuration Manager can use an address to a specific site. You can control the amount of network bandwidth to use, the size of data blocks and the frequency for sending the data blocks. Additional configurations can limit data transfers based on the priority of the data type. For each site in the hierarchy you can set schedules and rate limits for that site to use when transferring data by configuring the properties of the Address for each destination site.

Important
When you configure rate limits to restrict the bandwidth use on a specific address, Configuration Manager 2012 can only use a single thread to transfer data to that destination site. Use of rate limits for an address overrides the use of multiple threads per site that are configured in the Maximum concurrent sendings.

When configuring network bandwidth controls, you should also remain aware of the potential for data latency. If site communications have been throttled or configured to only transfer data after normal business hours, administrators at either the parent site or child site might not be able to view certain data until the inter-site communication has taken place. For example, if an important software update package is being sent to distribution points located at child sites, the package might not be available at those sites until all pending inter-site communication completes. Pending communication might include delivery of a package that is very large and that has not yet completed its transfer.

Controlling Network Bandwidth Usage Between Site System Servers

Within a site, communication between site systems uses server message blocks (SMB), can happen at any time, and does not support a mechanism to control network bandwidth. An exception to this is when you configure the site server to use rate limits and schedules to control the transfer of data over the network to a distribution point. You can manage the transfer of content from the site server to distribution points with controls similar to those for site-to-site file-based transfers.

Controlling Network Bandwidth Usage Between Clients and Site System Servers

Clients regularly communicate with different site system servers. For example, they communicate with a site system server that runs a management point when they need to check for client policy, and communicate with a site system server that runs a distribution point when they need to download content to install an application or software update. The frequency of these connections, and the amount of data that is transferred over the network to or from a client, depends on the schedules and configurations that you specify as client settings.

Typically, client policy requests use little network bandwidth. The network bandwidth might be high when clients access content for deployments, or send information such as hardware inventory data to the site.

You can specify client settings that control the frequency of client-initiated network communications. Additionally, you can configure how clients access deployment content, for example, by using Background Intelligent Transfer Service (BITS). To use BITS to download content, the client and the distribution point must be able to use BITS. If the client is configured to use BITS but the distribution point is not, the client uses SMB to transfer the content.

For information about client settings in Configuration Manager 2012, see Planning for Client Settings in Configuration Manager 2012.

See Also