Secondary Sites vs Branch Distribution Points (BDP). Which is best for me?

Our current configuration consists of our Primary Site server (Black), and 15 REMOTE servers (over a WAN link) setup as "Server Shares".  The "Server Shares" are the DC's at those remote locations. Some of my remote locations have >10 Pc's, while others have <50. The remote site are over a WAN and use a VPN connection that come over Comcast; I also have 2 branches which are a dedicated 1.5Mbps T1, and another branch which is an Verizon Internet 1.5Mbps T1. I've already established SCCM site boundaries based upon my Active Directory IP subnets, defined my IP subnets and sites in Active Directory, and used the AD sites to create boundaries in SCCM.

The issue is that whenever I sync Microsoft Updates or copy new software installation packages to the remote server shares, it KILLS all of our bandwidth; ping responses to our remote locations spike, and things come to a crawl. I have done some research (got some very good help on here) and found out that I should probably be implementing secondary sites or branch distribution points, but I have some questions before I go though the extra work of setting them up. I know I shouldn't be using a "server Share" configuration (even thought this is what Microsoft recomended me to use), but I don't know if I should "convert" my Server Shares" to Secondary Sites, or Branch Distribution Points.

1) Which configuration, Secondary Site or BDP will give me the GREATEST control over network consumption (time frame, data rates, etc)?

2) Which option is best for my enviroment? I would perfer that clients speak to their local site server, and then that site server  speaks to the primary site server. I'm guessing I would need a Secondary Site Server configuration to do this? However, between all my remote locations, I have >300 Pc's; as I said, some locations have >10 Pc's.

3) *IMPORTANT* Can a secondary site or BDP be installed on a Domain Controller? The only server I have available at my locations is also the Domain Controller for that location. Is having a DC running as a secondary site / BDP even supported? All of those DC's are running Windows 2008 R2, they're also the DHCP, DNS, WINS server for their location.  

4) Is it too late to add secondary sites or BDP to my environment since I've already started to use SCCM with just a primary site and server shares?

5) Does anything need to be configured with the Pc clients, or will they pick up the new settings?

If you need anymore informantion, please don't hesistate to ask!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

A secondary site you can configure the sender address to utilize a certain percentage of the network pipe at different times, like a 10% during production hours and much greater after hours.  The secondary site also has more options available to the clients there such as management proxy and ability to set up a PXE service point.  A windows server is required for a secondary site as well.

A BDP on the other hand can be any flavor of Windows (server, XP, 7) as long as it has the SCCM client loaded on it.  The only control you have for throttling a BDP is configuring BITS for the site and is only a straight kb per second limit.

For sites with more than 50 or so clients and you offer other services such as OSD, I'd recommend a secondary site, for less a BDP is good unless a really remote site that you wouldn't want to travel to twice for a workstation reimage.

The best way to make sure clients don't pull files over the WAN is to set up either the secondary or BDP as a protected site and choose as the boundary the subnet in question.  The clients, after checking into your primary/central site, will know to talk to the local DP once their policy gets updated.

You can add secondaries and BDPs at any point in the game, just make sure your boundaries don't overlap or things get all sorts of screwy and you gamble on what exactly happens during a deployment.

Hope that answers all your questions!
DonaldWilliamsAuthor Commented:
I'm debating on whether or not to just make all my locations Secondary Sites as that seems to give me more flexability in the futer and more control with bandwidth. I just have a few more questions:

1) Can a secondary site be configured on a DC? Is there any conflict with things like DHCP, DNS, WINS etc?

2) What is the max number of clients a BDP can realistically support? Is there a specific "cutoff"?

3) Can you have a mixed environemnt; primary site, a couple secondary sites, and a couple BDP's? Would there be any "harm" in making even my small sites (>10 Pc's) secondary sites?

4) II we went with BDP; what about the rest of the network traffic that the agents generate? I'm really trying to minimize t he traffic that SCCM generates across my WAN. Am I safe in assumeing that secondary sites generate less traffic?

The big draw for a BDP is that you can use a power user's workstation as the point, not having to add extra hardware or buying an extra windows server license if none there.  Since you already have servers at each site secondaries would be a better option there IMHO too.

To answer your questions:

1) There are no conflicts putting a secondary site on a device with other roles.  If using as a DP there will be more disk I/O so if it is also that site's Home drive or is servicing a large database, may degrade performance.

2) You can have as many clients talking to a BDP as you want, there is one drawback to a BDP though.  There can only be 10 concurrent transfers going on at once.  All other clients will have to wait their turn for a connection to clear before getting their distribution.

3) Mixed environments is specifically what SCCM is good at.  No harm in making a small site a secondary, and many benefits as if you use the tools other than software distribution.

4) The only other traffic clients generate besides file transfers is policy updates and inventory updates.  By utilizing a secondary site and setting it up as a management point you make it the proxy to which all clients send inventory and retrieve policies from.  The secondary site will then, using the throttled data flow configured, send all the information to the primary.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

The difference between secondary site & primary site is secondary site is very much like primary byt without sql database.

1) The benefit of Branch distribution point is it can be installed on the software,so creating a branch distribution point gives certain benefit like when pkg or update is pushed to client they are availbel to one system in the site which is configured as BDP & all the client in the site contact bdp to download the package. Else BDP doesn't provide any other benefits

If you install BDP on client the max client support is 10 but on server its 2000.

2)  Secondary site can be configured but domain controller is not the server used for installing another role other than dc related to security & the role played with the dc, as all the request of clients process through secondary server in site for policy,inventory retrieval can overload the DC which can slow the login.

3) There is no harm in promoting small site as secondary site,but for secondary site you require a server & for 10 clients i don't think its wise.

4)  BDP will only acts a distribution point nothing else.

You can make use of remote differential compression along with Bits to control traffic. I belive it requires proper planning.
You can use BranchCache which is new feature available with win7 & windows 2008 R2.
DonaldWilliamsAuthor Commented:
I'd like to thank you both for the valuable information. I also have a call in with Microsoft just to confirm a few things, but I think I have a decent handle on everything now.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.