Solved

SCCM 2007 - Proper Method To Deploy Software / Updates / Client To Remote Workstations

Posted on 2010-11-16
Last Modified: 2013-11-21
Hello All -

I'm currently setting up and learning SCCM 2007 and have a couple of questions about software deployment.  First, here's the current configuration overview of our system.

Tennessee Server - Comp Server, Dis Point, database server, site system, site server, update, server, etc... (Basically most if not all roles)
Ireland Server - Distribution Point & Site System
Mexico Server - Distribution Point & Site System
San Diego Server - Distribution Point & Site System
(See Attached ScreenShots)

I'm located in TN and have already deployed clients to my workstations via group policy & WMI (through SCCM).  For GPO, I added the ccmsetup.msi plus the two admin templates.  I also added the address of the main SCCM server in the installation variables to one of the GPO templates settings.  The client is all that I have deployed so far.

As you can see above, TN (the main server) is also an update point.  I have installed and set up WSUS on the TN server and have synced it to the point where the console is showing a list of all updates for MS products.  

I have 3 other major locations which we have a decent WAN connection to.  On each I have them only as site systems and a dist point.  

Here are my questions:

1.  To deploy the client to the remote locations, can I use the exact same GPO (except for having the MSI source be a share local to them?)  I wasn't sure if I needed to change any installation variables to make sure it's configured correctly.

2.  To deploy WSUS updates in the remote locations, do I need to assign the update point role to the 3 remote servers and install WSUS on them (as a downstream server perhaps) so that the workstations at those sites pull their updates from a local source instead of over the WAN?

3.  Am I correct to assume that when I create a software package for deployment, it will automatically sync with all dist points and each workstation which it is assigned to install onto will be smart enough to pull it from the closest local dist point or do I have to create packages for each local site?

4.  I currently have Collections set up which includes workstations by site.  What would happen with my current setup if I chose the option to Install Client in one of the remote collections right now?  Would they deploy WMI from TN or from their local dist point?

EDIT: I was just looking around after typing this.  Would enabling the "Use Network Load Balancing..." (See pic below) work to make #3 successful?   If so, would I need more roles (like update points) on each remote server?  Thanks

I guess that's it.  If you only know one answer, it's better than none.  I REALLY appreciate your help!!! - Thanks!

[Attached screenshots: Roles For Main SCCM Site Server in Tennessee; Remote Servers & Their Current Roles; For last question]
Question by:BzowK

Accepted Solution

by:
JonLambert earned 250 total points
ID: 34149723
1.  Yes you can use the same method, as long as your site boundaries are configured correctly on the Tennessee server, and the Tennessee server is correctly publishing its management point information in AD, then the clients will discover their primary site server fine (which is the Tennessee server).
2.  No, the clients will pull the updates from their closest distribution point as long as the software update deployment package is deployed to their DP (and also if the DPs have been set up correctly .. they should be set up as protected sites).
3.  Not quite, you need to assign the software update "Deployment Package" to the distribution points you want the updates to be available on.
4.  They would deploy from the TN server, this is a client push scenario .. the client is 'pushed' from the server to the clients.

And that's a no also to the load balancing for the SUP :)

Depending on your WAN connection speeds, you may want to use secondary sites at the 'remote' locations.  As only with secondary sites do you get any form of bandwidth control for sending data to and from the site systems.  If you are happy with the bandwidth (I would recommend that if it's less than 100MB to these sites, use Secondary Sites), then you need to ensure that the remote site systems are set up in 'protected boundaries', as this will stop clients in one remote site from using a distribution point in another remote site.

Assisted Solution

by:fr0nk
fr0nk earned 250 total points
ID: 34212874
Hi,

1.  To deploy the client to the remote locations, can I use the exact same GPO (except for having the MSI source be a share local to them?)  I wasn't sure if I needed to change any installation variables to make sure it's configured correctly.

Please note that in your environment, ALL clients will use the sitecode from your central site! So you will always end up with clients assigning to your central site.
Use http://sourceforge.net/projects/smsclictr/ (freeware) to see if there was a correct assignment for your "ProxyMP". This should be your ConfigMgr Site System with a MP in place at every site.
You can use the exact same GPO. Either use ccmsetup.exe SMSSITECODE=AUTO if you extended your Active Directory schema, or use ccmsetup.exe SMSSITECODE=<sitecode> if not.
If your schema is extended and the assignment fails, please post the ClientLocation.log of the client. The file is located in %windir%\system32\ccm\logs for 32bit machines and %windir%\syswow64\ccm\logs for 64bit machines.

2.  To deploy WSUS updates in the remote locations, do I need to assign the update point role to the 3 remote servers and install WSUS on them (as a downstream server perhaps) so that the workstations at those sites pull their updates from a local source instead of over the WAN?
No.

You don't need software update points in every site. The software update point only handles the .CAB traffic from the clients.
Here's how it works:
1. How does WSUS work with SCCM and my agents?
1.1 Client side:
First of all: When you enable the appropriate software update client component, the client will create a LOCAL GPO and try to apply it. However, if there's any GPO in your domain that is applying any different setting, the client will complain about it in the WUAHandler.log with the string:
Group policy settings were overwritten by a higher authority (Domain Controller). So disable your WSUS GPO!

1.2: WSUS:
The WSUS Server will be configured by SCCM. Don't tamper with it. Don't configure or use any computer groups in it. Just never open the console.
The WSUS Server will connect to windowsupdate.microsoft.com and download a .CAB file containing the available updates published by Microsoft according to your settings of the Software Update Point. I'll come to that later.
The WSUS server will then notify the SCCM server that a new .CAB file has been received.

The .CAB file contains the following information:
- Which update for which OS / App and which Platform
- Is this update superseded by any other update (means: does any other cumulative update contain this very one?)
- Where to download the .exe (Win Server 2003 / XP) / .msu (Vista / 2k8)

1.3: Software update point component:
The software update point component is the one that talks with the WSUS server and evaluates the .CAB files provided by WSUS.

2. How do the updates get to my SCCM?
Inside SCCM you have the appropriate Software Updates-Hive.
Although SCCM is _using_ WSUS to get the .CAB files (and therefore the information which updates are available), it will use its own deployment mechanism.
That means:
You will have to
- Download the updates
- Assign the Updates to Packages
- Put the Packages on a DP
- Advertise the updates against a collection. The Advertisement in this case is named "Update Deployment" but is basically doing the same as an advertisement: Establishing a connection between the updates (programs) and a collection.

The package replication traffic is being handled by the sender (observe it via sender.log). You can use the traffic shaping mechanisms provided by ConfigMgr here. Always use Remote Differential Compression. To use that first install it on the Servers (minimum required OS is w2k3 R2) and then turn it on in the package.

3.  Am I correct to assume that when I create a software package for deployment, it will automatically sync with all dist points and each workstation which it is assigned to install onto will be smart enough to pull it from the closest local dist point or do I have to create packages for each local site?
No. Nothing is being automatically synced ever. You will have to actively start the deployment of the package to new DPs by right-clicking the "Distribution Points" hive inside the package and select "Manage Distribution Points". There you will have to select "Copy Package to new Distribution Points", and then select the DPs where you want the package to be replicated to.

The location where the clients download the package:
This entirely depends on whether you're using protected site systems or not.
In your case: configure the site system as a "protected site system". This forbids clients that are not inside the boundaries of this site to download from its DP. This is exactly the behaviour you want. Otherwise clients from Mexico could end up downloading an Office package from Ireland although they have it right in their neighbourhood.


4.  I currently have Collections set up which includes workstations by site.  What would happen with my current setup if I chose the option to Install Client in one of the remote collections right now?  Would they deploy WMI from TN or from their local dist point?
The Client installation process consists of 2 steps:
1. Connect to the ADMIN$-Share and place the ccmsetup.exe there. This will always be done from the central site.
2. When ccmsetup.exe runs, it will look inside your AD to find its proxy MP and ask the proxyMP whether it has the rest of the setup. If yes, the setup will be pulled from your proxyMP in the site. If not, the setup will be pulled from the central site, as long as you don't configure it as a protected site system.


EDIT: I was just looking around after typing this.  Would enabling the "Use Network Load Balancing..." (See pic below) work to make #3 successful?   If so, would I need more roles (like update points) on each remote server?  
No. This is entirely not how it works.


Hope that helps, if you're having additional questions, just post.
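
The WSUS GPO conflict described in the answer above can be checked for on a client with a short script. This is an added example, not part of the original thread: it searches WUAHandler.log in the log folders named in the answer for the override message quoted there. The function name, the sample log entries and the registry read (the standard Windows Update policy key, which the thread does not mention) are additions made for illustration.

```powershell
# Added example (not from the thread). Run in PowerShell on a ConfigMgr 2007 client.
# From the answer: the override message and the two client log folders.
# Assumptions: the function name, the sample entries and the registry read are illustrative.
$OverrideText = 'Group policy settings were overwritten by a higher authority (Domain Controller)'

function Find-WsusPolicyOverride {
    param([string[]]$LogLines)
    # Client log entries look like: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"'
    foreach ($line in $LogLines) {
        if (($line -match $pattern) -and $Matches['msg'].Contains($OverrideText)) {
            New-Object PSObject -Property @{
                Date = $Matches['date']; Time = $Matches['time']; Message = $Matches['msg']
            }
        }
    }
}

# Constructed sample entries, used only when no WUAHandler.log exists on this machine.
$sample = @(
    '<![LOG[Constructed sample entry: scan started]LOG]!><time="09:14:02.117+360" date="11-16-2010" component="WUAHandler" context="" type="1" thread="2764" file="sample.cpp:1">',
    '<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller).]LOG]!><time="09:14:04.530+360" date="11-16-2010" component="WUAHandler" context="" type="3" thread="2764" file="sample.cpp:1">'
)

# Log folders as given in the answer (32-bit and 64-bit machines).
$logDirs = "$env:windir\system32\ccm\logs", "$env:windir\syswow64\ccm\logs"
$log = $logDirs | ForEach-Object { Join-Path $_ 'WUAHandler.log' } |
       Where-Object { Test-Path $_ } | Select-Object -First 1
if ($log) { $lines = Get-Content $log } else { $lines = $sample }

$hits = @(Find-WsusPolicyOverride -LogLines $lines)
if ($hits.Count -gt 0) {
    "Domain GPO is overriding the ConfigMgr Windows Update policy ($($hits.Count) log entries):"
    $hits | Select-Object Date, Time, Message | Format-List
} else {
    'No override message found in WUAHandler.log.'
}

# Show which update server the machine policy currently points at, so it can be
# compared with the site's software update point.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $key) {
    $wu = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    "Policy WUServer: $($wu.WUServer)"
}
```

A hit means a domain-level Windows Update GPO is still applied to the machine, so the client will not scan against the software update point until that GPO is removed from its scope.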