Secondary Sites vs Branch Distribution Points (BDP). Which is best for me?

Posted on 2010-11-12
Medium Priority
Last Modified: 2013-11-21
Our current configuration consists of our Primary Site server (Black), and 15 REMOTE servers (over a WAN link) setup as "Server Shares".  The "Server Shares" are the DC's at those remote locations. Some of my remote locations have >10 Pc's, while others have <50. The remote site are over a WAN and use a VPN connection that come over Comcast; I also have 2 branches which are a dedicated 1.5Mbps T1, and another branch which is an Verizon Internet 1.5Mbps T1. I've already established SCCM site boundaries based upon my Active Directory IP subnets, defined my IP subnets and sites in Active Directory, and used the AD sites to create boundaries in SCCM.

The issue is that whenever I sync Microsoft Updates or copy new software installation packages to the remote server shares, it KILLS all of our bandwidth; ping responses to our remote locations spike, and things come to a crawl. I have done some research (got some very good help on here) and found out that I should probably be implementing secondary sites or branch distribution points, but I have some questions before I go though the extra work of setting them up. I know I shouldn't be using a "server Share" configuration (even thought this is what Microsoft recomended me to use), but I don't know if I should "convert" my Server Shares" to Secondary Sites, or Branch Distribution Points.

1) Which configuration, Secondary Site or BDP will give me the GREATEST control over network consumption (time frame, data rates, etc)?

2) Which option is best for my enviroment? I would perfer that clients speak to their local site server, and then that site server  speaks to the primary site server. I'm guessing I would need a Secondary Site Server configuration to do this? However, between all my remote locations, I have >300 Pc's; as I said, some locations have >10 Pc's.

3) *IMPORTANT* Can a secondary site or BDP be installed on a Domain Controller? The only server I have available at my locations is also the Domain Controller for that location. Is having a DC running as a secondary site / BDP even supported? All of those DC's are running Windows 2008 R2, they're also the DHCP, DNS, WINS server for their location.  

4) Is it too late to add secondary sites or BDP to my environment since I've already started to use SCCM with just a primary site and server shares?

5) Does anything need to be configured with the Pc clients, or will they pick up the new settings?

If you need anymore informantion, please don't hesistate to ask!
Question by:DonaldWilliams
  • 2
  • 2
  • 2

Expert Comment

ID: 34124166
A secondary site you can configure the sender address to utilize a certain percentage of the network pipe at different times, like a 10% during production hours and much greater after hours.  The secondary site also has more options available to the clients there such as management proxy and ability to set up a PXE service point.  A windows server is required for a secondary site as well.

A BDP on the other hand can be any flavor of Windows (server, XP, 7) as long as it has the SCCM client loaded on it.  The only control you have for throttling a BDP is configuring BITS for the site and is only a straight kb per second limit.

For sites with more than 50 or so clients and you offer other services such as OSD, I'd recommend a secondary site, for less a BDP is good unless a really remote site that you wouldn't want to travel to twice for a workstation reimage.

The best way to make sure clients don't pull files over the WAN is to set up either the secondary or BDP as a protected site and choose as the boundary the subnet in question.  The clients, after checking into your primary/central site, will know to talk to the local DP once their policy gets updated.

You can add secondaries and BDPs at any point in the game, just make sure your boundaries don't overlap or things get all sorts of screwy and you gamble on what exactly happens during a deployment.

Hope that answers all your questions!

Author Comment

ID: 34124445
I'm debating on whether or not to just make all my locations Secondary Sites as that seems to give me more flexability in the futer and more control with bandwidth. I just have a few more questions:

1) Can a secondary site be configured on a DC? Is there any conflict with things like DHCP, DNS, WINS etc?

2) What is the max number of clients a BDP can realistically support? Is there a specific "cutoff"?

3) Can you have a mixed environemnt; primary site, a couple secondary sites, and a couple BDP's? Would there be any "harm" in making even my small sites (>10 Pc's) secondary sites?

4) II we went with BDP; what about the rest of the network traffic that the agents generate? I'm really trying to minimize t he traffic that SCCM generates across my WAN. Am I safe in assumeing that secondary sites generate less traffic?


Accepted Solution

socrates2012 earned 1000 total points
ID: 34124813
The big draw for a BDP is that you can use a power user's workstation as the point, not having to add extra hardware or buying an extra windows server license if none there.  Since you already have servers at each site secondaries would be a better option there IMHO too.

To answer your questions:

1) There are no conflicts putting a secondary site on a device with other roles.  If using as a DP there will be more disk I/O so if it is also that site's Home drive or is servicing a large database, may degrade performance.

2) You can have as many clients talking to a BDP as you want, there is one drawback to a BDP though.  There can only be 10 concurrent transfers going on at once.  All other clients will have to wait their turn for a connection to clear before getting their distribution.

3) Mixed environments is specifically what SCCM is good at.  No harm in making a small site a secondary, and many benefits as if you use the tools other than software distribution.

4) The only other traffic clients generate besides file transfers is policy updates and inventory updates.  By utilizing a secondary site and setting it up as a management point you make it the proxy to which all clients send inventory and retrieve policies from.  The secondary site will then, using the throttled data flow configured, send all the information to the primary.
[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

LVL 24

Assisted Solution

Awinish earned 1000 total points
ID: 34126364
The difference between secondary site & primary site is secondary site is very much like primary byt without sql database.

1) The benefit of Branch distribution point is it can be installed on the software,so creating a branch distribution point gives certain benefit like when pkg or update is pushed to client they are availbel to one system in the site which is configured as BDP & all the client in the site contact bdp to download the package. Else BDP doesn't provide any other benefits

If you install BDP on client the max client support is 10 but on server its 2000.

2)  Secondary site can be configured but domain controller is not the server used for installing another role other than dc related to security & the role played with the dc, as all the request of clients process through secondary server in site for policy,inventory retrieval can overload the DC which can slow the login.

3) There is no harm in promoting small site as secondary site,but for secondary site you require a server & for 10 clients i don't think its wise.

4)  BDP will only acts a distribution point nothing else.


You can make use of remote differential compression along with Bits to control traffic. I belive it requires proper planning.
You can use BranchCache which is new feature available with win7 & windows 2008 R2.

Author Closing Comment

ID: 34155842
I'd like to thank you both for the valuable information. I also have a call in with Microsoft just to confirm a few things, but I think I have a decent handle on everything now.

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits …
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Get the source code for a fully functional Access application shell with several popular security features that Access VBA application developers desire, but find difficult or impossible to figure out how to code. You get the source code for managi…
Suggested Courses
Course of the Month7 days, 3 hours left to enroll

593 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question