Install and Configure Site System Roles for Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

You can install one or more optional site system roles at each System Center 2012 Configuration Manager site to extend the management functionality of the site. You can specify a new server as a site system server and add the site system roles, or install the site system roles to an existing site system server in the site.

Tip

When a site system server is a computer other than the site server, it is referred to as a remote site system because it is remote from the site server in the site. Similarly, any site system role on that server is referred to as remote. For example, a remote distribution point is a site system server on a computer other than the site server that has the distribution point role installed.

Note

When you install a site system role on a remote computer (including an instance of the SMS Provider), the computer account of the remote computer is added to a local group on the site server. When the site is installed on a domain controller, the group on the site server is a domain group instead of a local group, and the remote site system role is not operational until either the site system role computer restarts, or the Kerberos ticket for the remote computer's account is refreshed.

Use one of the following wizards to install new site system roles:

  • Add Site System Roles Wizard: Use this wizard to add site system roles to an existing site system server in the site.

  • Create Site System Server Wizard: Use this wizard to specify a new server as a site system server, and then install one or more site system roles on the server. This wizard is the same as the Add Site System Roles Wizard, except that on the first page, you must specify the name of the server to use and the site in which you want to install it.

Note

Configuration Manager does not support site system roles for multiple sites on a single site system server.

Just prior to installing the site system role, Configuration Manager checks the destination computer to ensure it meets the prerequisites for the site system roles you have selected.

By default, when Configuration Manager installs a site system role, the installation files are installed on the first available NTFS formatted disk drive that has the most available free disk space. To prevent Configuration Manager from installing on specific drives, create an empty file named no_sms_on_drive.sms and copy it to the root folder of the drive before you install the site system server.

Configuration Manager uses the Site System Installation Account to install site system roles. You specify this account when you run the applicable wizard to create a new site system server or add site system roles to an existing site system server. By default, this account is the local system account of the site server computer, but you can specify a domain user account for use as the Site System Installation Account. For more information about this account, see the Site System Installation Account in the Technical Reference for Accounts Used in Configuration Manager topic.

Use the following sections to help you install and configure site system roles for System Center 2012 Configuration Manager:

  • Install Site System Roles

    • To install site system roles on an existing site system server

    • To install site system roles on a new site system server

  • Install Cloud-Based Distribution Points in Microsoft Azure

    • Configure Microsoft Azure and Install Cloud-Based Distribution Points

    • Configure Name Resolution for Cloud-Based Distribution Points

    • Configure Proxy Settings for Primary Sites that Manage Cloud Services

  • Configuration Options for Site System Roles

    • Application Catalog Website Point

    • Application Catalog Web Service Point

    • Certificate Registration Point

    • Distribution Point

    • Enrollment Point

    • Enrollment Proxy Point

    • Fallback Status Point

    • Out of Band Service Point

  • Configure the Proxy Server for Site System Servers

Note

For planning information, such as where to install site system roles in the hierarchy, see Planning for Site Systems in Configuration Manager.

Install Site System Roles

How you install a site system role depends on whether you add the site system role to an existing site system server or install a new site system server for the site system role. Use one of the following procedures.

Note

Configuration Manager lists the site system roles that are available for you to install. This list depends on your hierarchy configuration and whether you have already installed an instance of the site system role. For more information about the available placement of site system roles, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic.

To install site system roles on an existing site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for the new site system roles.

  3. On the Home tab, in the Server group, click Add Site System Roles.

  4. On the General page, review the settings, and then click Next.

    Tip

    To access the site system role from the Internet, ensure that you specify an Internet FQDN.

  5. For System Center 2012 Configuration Manager SP1 and later:

    On the Proxy page, specify settings for a proxy server if site system roles that run on this site system server require a proxy server to connect to locations on the Internet, and then click Next.

  6. On the System Role Selection page, select the site system roles that you want to add, and then click Next.

  7. Complete the wizard.

Tip

The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs the same function as this procedure. For more information, see New-CMSiteSystemServer in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

To install site system roles on a new site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles.

  3. On the Home tab, in the Create group, click Create Site System Server.

  4. On the General page, specify the general settings for the site system, and then click Next.

    Tip

    To access the new site system role from the Internet, ensure that you specify an Internet FQDN.

  5. For System Center 2012 Configuration Manager SP1 and later:

    On the Proxy page, specify settings for a proxy server if site system roles that run on this site system server require a proxy server to connect to locations on the Internet, and then click Next.

  6. On the System Role Selection page, select the site system roles that you want to add, and then click Next.

  7. Complete the wizard.

Tip

The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs the same function as this procedure. For more information, see New-CMSiteSystemServer in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

Install Cloud-Based Distribution Points in Microsoft Azure

Note

For System Center 2012 Configuration Manager SP1 and later:

Before you install a cloud-based distribution point, make sure that you have the required certificate files:

  • A Microsoft Azure management certificate that is exported to a .cer file and to a .pfx file.

  • A Configuration Manager cloud-based distribution point service certificate that is exported to a .pfx file.

For more information about these certificates, see the section for cloud-based distribution points in the PKI Certificate Requirements for Configuration Manager topic. For an example deployment of the cloud-based distribution point service certificate, see the Deploying the Service Certificate for Cloud-Based Distribution Points in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

After you install the cloud-based distribution point, Microsoft Azure automatically generates a GUID for the service and appends this to the DNS suffix of cloudapp.net. Using this GUID, you must configure DNS with a DNS alias (CNAME record) to map the service name that you define in the Configuration Manager cloud-based distribution point service certificate to the automatically generated GUID.

If you use a proxy web server, you might have to configure proxy settings to enable communication with the cloud service that hosts the distribution point.

Use the following sections and procedures to help you install a cloud-based distribution point.

Configure Microsoft Azure and Install Cloud-Based Distribution Points

Use the following procedures to configure Microsoft Azure to support distribution points, and then install the cloud-based distribution point in Configuration Manager.

To configure a cloud service in Microsoft Azure for a distribution point

  1. Open a web browser to the Microsoft Azure Management Portal, at https://windows.azure.com, and access your Microsoft Azure account.

  2. Click Hosted Services, Storage Accounts & CDN, and then select Management Certificates.

  3. Right-click your subscription, and then select Add Certificate.

  4. For Certificate file, specify the .cer file that contains the exported Microsoft Azure management certificate to use for this cloud service, and then click OK.

The management certificate is loaded in Microsoft Azure, and you can now install a cloud-based distribution point.

To install a cloud-based distribution point for Configuration Manager

  1. Complete the steps in the preceding procedure to configure a cloud service in Microsoft Azure with a management certificate.

  2. In the Administration workspace of the Configuration Manager console, expand Cloud Services, select Cloud Distribution Points, and then on the Home tab, click Create Cloud Distribution Point.

    Note

    Beginning with Configuration Manager SP1, Create Cloud Distribution Point is located in the Cloud node under Hierarchy Configurations.

  3. On the General page of the Create Cloud Distribution Point Wizard, configure the following:

    • Specify the Subscription ID for your Microsoft Azure account.

      Tip

      You can find your Microsoft Azure subscription ID in the Microsoft Azure Management Portal.

    • Specify the Management certificate. Click Browse to specify the .pfx file that contains the exported Microsoft Azure management certificate, and then enter the password for the certificate. Optionally, you can specify a version 1 .publishsettings file from the Microsoft Azure SDK 1.7.
    
  4. Click Next, and Configuration Manager connects to Microsoft Azure to validate the management certificate.

  5. On the Settings page, complete the following configurations, and then click Next:

    • For Region, select the Microsoft Azure region where you want to create the cloud service that hosts this distribution point.

    • For Certificate file, specify the .pfx file that contains the exported Configuration Manager cloud-based distribution point service certificate, and then enter the password.

      Note

      The Service FQDN box is automatically populated from the certificate Subject Name and in most cases, you do not have to edit it. The exception is if you are using a wildcard certificate in a testing environment, where the host name is not specified so that multiple computers that have the same DNS suffix can use the certificate. In this scenario, the certificate Subject contains a value similar to CN=*.contoso.com and Configuration Manager displays a message that you must specify the correct FQDN. Click OK to close the message, and then enter a specific name before the DNS suffix to provide a complete FQDN. For example, you might add clouddp1 to specify the complete service FQDN of clouddp1.contoso.com. The Service FQDN must be unique in your domain and not match any domain-joined device.

      Wildcard certificates are supported for testing environments only.
    
  6. On the Alerts page, configure storage quotas, transfer quotas, and at what percentage of these quotas you want Configuration Manager to generate alerts, and then click Next.

  7. Complete the wizard.

The wizard creates a new hosted service for the cloud-based distribution point. After you close the wizard, you can monitor the installation progress of the cloud-based distribution point in the Configuration Manager console, or by monitoring the CloudMgr.log file on the primary site server. You can also monitor the provisioning of the cloud service in the Microsoft Azure Management Portal.

Note

It can take up to 30 minutes to provision a new distribution point in Microsoft Azure. The following message is repeated in the CloudMgr.log file until the storage account is provisioned: Waiting for check if container exists. Will check again in 10 seconds. Then, the service is created and configured.

You can identify that the cloud-based distribution point installation is completed by using the following methods:

  • In the Microsoft Azure Management Portal, the Deployment for the cloud-based distribution point displays a status of Ready.

  • In the Administration workspace, Hierarchy Configuration, Cloud node of the Configuration Manager console, the cloud-based distribution point displays a status of Ready.

  • Configuration Manager displays a status message ID 9409 for the SMS_CLOUD_SERVICES_MANAGER component.

Configure Name Resolution for Cloud-Based Distribution Points

Before clients can access the cloud-based distribution point, they must be able to resolve the name of the cloud-based distribution point to an IP address that Microsoft Azure manages. Clients do this in two stages:

  1. They map the service name that you provided with the Configuration Manager cloud-based distribution point service certificate to your Microsoft Azure service FQDN. This FQDN contains a GUID and the DNS suffix of cloudapp.net. The GUID is automatically generated after you install the cloud-based distribution point. You can see the full FQDN in the Microsoft Azure Management Portal, by referencing the SITE URL in the dashboard of the cloud service. An example site URL is http://d1594d4527614a09b934d470.cloudapp.net.

  2. They resolve the Microsoft Azure service FQDN to the IP address that Microsoft Azure allocates. This IP address can also be identified in the dashboard for the cloud service in the Microsoft Azure portal, and is named PUBLIC VIRTUAL IP ADDRESS (VIP).

To map the service name that you provided with the Configuration Manager cloud-based distribution point service certificate (for example, clouddp1.contoso.com) to your Microsoft Azure service FQDN (for example, d1594d4527614a09b934d470.cloudapp.net), DNS servers on the Internet must have a DNS alias (CNAME record). Clients can then resolve the Microsoft Azure service FQDN to the IP address by using DNS servers on the Internet.
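
The two-stage lookup described above can be checked before clients depend on it. The following PowerShell is an added example, not part of the original documentation: Test-CloudDpNameResolution is a hypothetical helper, and the sample records (including the 203.0.113.x addresses and the placeholder-old-service name) are constructed; on a live system the records come from Resolve-DnsName.

```powershell
# Hypothetical helper (not a Configuration Manager cmdlet). It checks the two
# stages described above: service name -> CNAME -> Azure service FQDN -> A record.
function Test-CloudDpNameResolution {
    param(
        [Parameter(Mandatory)] [string]   $ServiceFqdn,       # name from the service certificate
        [Parameter(Mandatory)] [string]   $AzureServiceFqdn,  # <GUID>.cloudapp.net shown in the portal
        [Parameter(Mandatory)] [object[]] $Records            # Resolve-DnsName output or constructed objects
    )

    $service  = $ServiceFqdn.TrimEnd('.')
    $target   = $AzureServiceFqdn.TrimEnd('.')
    $problems = @()

    if ($target -notlike '*.cloudapp.net') {
        $problems += "Expected target '$target' is not under cloudapp.net."
    }

    # Stage 1: the alias for the service name. -eq on strings is case-insensitive.
    $alias = $Records |
        Where-Object { "$($_.Type)" -eq 'CNAME' -and "$($_.Name)".TrimEnd('.') -eq $service } |
        Select-Object -First 1
    $aliasTarget = $null
    if (-not $alias) {
        $problems += "No CNAME record found for '$service'."
    } else {
        $aliasTarget = "$($alias.NameHost)".TrimEnd('.')
        if ($aliasTarget -ne $target) {
            $problems += "CNAME points to '$aliasTarget', expected '$target'."
        }
    }

    # Stage 2: the Azure service FQDN must resolve to an address (the VIP).
    $address = $Records |
        Where-Object { "$($_.Type)" -eq 'A' -and "$($_.Name)".TrimEnd('.') -eq $target } |
        Select-Object -First 1
    if (-not $address) {
        $problems += "No A record found for '$target'."
    }

    [pscustomobject]@{
        ServiceFqdn = $service
        AliasTarget = $aliasTarget
        Vip         = if ($address) { "$($address.IPAddress)" } else { $null }
        Ok          = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Constructed records shaped like Resolve-DnsName output (Name, Type, NameHost, IPAddress).
$expected = 'd1594d4527614a09b934d470.cloudapp.net'
$good = @(
    [pscustomobject]@{ Name = 'clouddp1.contoso.com'; Type = 'CNAME'; NameHost = $expected }
    [pscustomobject]@{ Name = $expected; Type = 'A'; IPAddress = '203.0.113.10' }
)
# Constructed misconfiguration: the alias still points at a different cloud service name.
$stale = @(
    [pscustomobject]@{ Name = 'clouddp1.contoso.com'; Type = 'CNAME'; NameHost = 'placeholder-old-service.cloudapp.net' }
    [pscustomobject]@{ Name = 'placeholder-old-service.cloudapp.net'; Type = 'A'; IPAddress = '203.0.113.20' }
)

Test-CloudDpNameResolution -ServiceFqdn 'clouddp1.contoso.com' -AzureServiceFqdn $expected -Records $good
Test-CloudDpNameResolution -ServiceFqdn 'clouddp1.contoso.com' -AzureServiceFqdn $expected -Records $stale

# Against live DNS (Windows 8 / Windows Server 2012 or later):
#   $live = Resolve-DnsName -Name 'clouddp1.contoso.com' -Type A -DnsOnly
#   Test-CloudDpNameResolution -ServiceFqdn 'clouddp1.contoso.com' -AzureServiceFqdn $expected -Records $live
```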

Configure Proxy Settings for Primary Sites that Manage Cloud Services

When you use cloud services with Configuration Manager, the primary site that manages the cloud-based distribution point must be able to connect to the Microsoft Azure Management Portal by using the System account of the primary site computer. This connection is made by using the default web browser on the primary site server computer.

On the primary site server that manages the cloud-based distribution point, you might have to configure the proxy settings to enable the primary site to access the Internet and Microsoft Azure.

Use the following procedure to configure the proxy settings for the primary site server in the Configuration Manager console.

Tip

You can also configure the proxy server when you install new site system roles on the primary site server by using the Add Site System Roles Wizard.

To configure proxy settings for the primary site server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the primary site server that manages the cloud-based distribution point.

  3. In the details pane, right-click Site system, and then click Properties.

  4. In Site system Properties, select the Proxy tab, and then configure the proxy settings for this primary site server.

  5. Click OK to save the new proxy server configuration.

Configuration Options for Site System Roles

Many of the configuration options for the site system roles are self-explanatory or display additional information in the wizard or dialog boxes. Use the following tables for the settings that might require some information before you configure them.

Application Catalog Website Point

For information about how to configure the Application Catalog website point for the Application Catalog, see Configuring the Application Catalog and Software Center in Configuration Manager.

Configuration option

Description

Client connections

Select HTTPS to connect by using the more secure setting and to determine whether clients connect from the Internet.

This option requires a PKI certificate on the server for server authentication to clients and for encryption of data over Secure Sockets Layer (SSL). For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

For an example deployment of the server certificate and information about how to configure it in Internet Information Services (IIS), see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Add Application Catalog website to trusted sites zone

This message displays whether the client setting Add Application Catalog website to Internet Explorer trusted sites zone is currently set to True or False in the default client settings. If you have configured this setting by using custom client settings, you must check this value yourself.

If this site system is configured for a FQDN, and the website is not in the trusted sites zone in Internet Explorer, users are prompted for credentials when they connect to the Application Catalog.

Organization name

Type the name that users see in the Application Catalog. This branding information helps users to identify this website as a trusted source.

Application Catalog Web Service Point

For information about how to configure the Application Catalog web service point for the Application Catalog, see Configuring the Application Catalog and Software Center in Configuration Manager.

Configuration option

Description

HTTPS

Select HTTPS to authenticate the Application Catalog website points to this Application Catalog web service point.

This option requires a PKI certificate on the servers running the Application Catalog website point for server authentication and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Certificate Registration Point

For information about how to configure the certificate registration point, see Configuring Certificate Profiles in Configuration Manager.

Distribution Point

For information about how to configure the distribution point for content deployment, see Configuring Content Management in Configuration Manager.

For information about how to configure the distribution point for PXE deployments, see How to Deploy Operating Systems by Using PXE in Configuration Manager.

For information about how to configure the distribution point for multicast deployments, see How to Manage Multicast in Configuration Manager.

Configuration

Description

Install and configure IIS if required by Configuration Manager

Select this option to let Configuration Manager install and configure IIS on the site system if it is not already installed. IIS must be installed on all distribution points, and you must select this setting to continue in the wizard.

Site System Installation Account

For distribution points that are installed on a site server, only the computer account of the site server is supported for use as the Site System Installation Account.

Create a self-signed certificate or import a PKI client certificate

This certificate has two purposes:

  • It authenticates the distribution point to a management point before the distribution point sends status messages.

  • When Enable PXE support for clients is selected, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of the operating system.

When all your management points in the site are configured for HTTP, create a self-signed certificate. When your management points are configured for HTTPS, import a PKI client certificate.

To import the certificate, browse to a Public-Key Cryptography Standards #12 (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager:

  • Intended use must include client authentication.

  • The private key must be configured to be exported.

Note

There are no specific requirements for the certificate Subject name or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Enable this distribution point for prestaged content

Select this check box to enable the distribution point for prestaged content. When this check box is selected, you can configure distribution behavior when you distribute content. You can choose whether you always prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there are updates to the content, or always use the normal content distribution process for the content in the package.

Boundary groups

You can associate boundary groups to a distribution point. During content deployment, clients must be in a boundary group that is associated with the distribution point to use it as a source location for content.

You can select the Allow fallback source location for content check box to allow clients outside these boundary groups to fall back and use the distribution point as a source location for content when no other distribution points are available.
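
The certificate requirements stated above for the distribution point (intended use includes client authentication, private key present in the PKCS #12 file) and the wildcard-subject caveat for the cloud-based distribution point service certificate can be checked before you import a file. This PowerShell is an added example, not part of the original documentation: Test-SiteSystemCertificate and New-ConstructedCertificate are hypothetical helpers, and the certificates are constructed in memory (this needs .NET Framework 4.7.2 or later, or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not a Configuration Manager cmdlet): reports whether a
# certificate meets the requirements this page states, before you import it.
function Test-SiteSystemCertificate {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        # Intended use the certificate must include; default is Client Authentication.
        [string] $RequiredEku = '1.3.6.1.5.5.7.3.2'
    )

    # Enhanced Key Usage is extension 2.5.29.37; decode it explicitly.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            $eku = [X509EnhancedKeyUsageExtension]::new($ext, $ext.Critical)
            $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Common name from the Subject, used to spot CN=*.contoso.com style wildcards.
    $cn = $Certificate.GetNameInfo([X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        HasPrivateKey   = $Certificate.HasPrivateKey         # a usable PKCS #12 must carry the key
        HasRequiredEku  = $ekuOids -contains $RequiredEku    # assumption: an explicit EKU entry is required
        WildcardSubject = $cn.StartsWith('*.')               # supported for testing environments only
        NotAfter        = $Certificate.NotAfter
    }
}

# Builds a throwaway self-signed certificate in memory (constructed sample input).
function New-ConstructedCertificate {
    param([string] $Subject, [string] $EkuOid)
    $key     = [RSA]::Create(2048)
    $request = [CertificateRequest]::new($Subject, $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $usages  = [OidCollection]::new()
    [void] $usages.Add([Oid]::new($EkuOid))
    $request.CertificateExtensions.Add(
        [X509EnhancedKeyUsageExtension]::new($usages, $false))
    $now = [DateTimeOffset]::UtcNow
    $request.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
}

# Constructed samples: a client-authentication certificate, a wildcard certificate
# with a different intended use, and the first certificate without its private key.
$dpClient   = New-ConstructedCertificate 'CN=dp-client-constructed' '1.3.6.1.5.5.7.3.2'
$wildcard   = New-ConstructedCertificate 'CN=*.contoso.com' '1.3.6.1.5.5.7.3.1'
$publicOnly = [X509Certificate2]::new($dpClient.RawData)

$dpClient, $wildcard, $publicOnly |
    ForEach-Object { Test-SiteSystemCertificate -Certificate $_ } |
    Format-Table -AutoSize

# For a real file, load it first (the path is a placeholder):
#   $pfx = [X509Certificate2]::new('C:\path\to\certificate.pfx', (Read-Host 'PFX password' -AsSecureString))
#   Test-SiteSystemCertificate -Certificate $pfx
```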

Enrollment Point

Beginning with Configuration Manager SP1, enrollment points are used to install Mac computers, enroll mobile devices, and provision AMT-based computers. For more information, see the following:

Configuration option

Description

Allowed connections

The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to the enrollment proxy point and the out of band service point, and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Enrollment Proxy Point

For information about how to configure an enrollment proxy point for mobile devices, see How to Install Clients on Windows Mobile and Nokia Symbian Devices Using Configuration Manager.

Configuration Option

Description

Client connections

The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to mobile devices and Mac computers (Configuration Manager SP1 and later) enrolled by Configuration Manager, and for encryption of data over Secure Sockets Layer (SSL). For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Fallback Status Point

Configuration option

Description

Number of state messages and Throttle interval (in seconds)

Although the default settings for these options (10,000 state messages and 3,600 seconds for the throttle interval) are sufficient for most circumstances, you might have to change them when both of the following conditions are true:

  • The fallback status point accepts connections only from the intranet.

  • You use the fallback status point during a client deployment rollout for many computers.

In this scenario, a continuous stream of state messages might create a backlog of state messages that causes high central processing unit (CPU) usage on the site server for a sustained period of time. In addition, you might not see up-to-date information about the client deployment in the Configuration Manager console and in the client deployment reports.

Note

These fallback status point settings are designed to be configured for state messages that are generated during client deployment. The settings are not designed to be configured for client communication issues, such as when clients on the Internet cannot connect to their Internet-based management point. Because the fallback status point cannot apply these settings just to the state messages that are generated during client deployment, do not configure these settings when the fallback status point accepts connections from the Internet.

Each computer that successfully installs the System Center 2012 Configuration Manager client sends the following four state messages to the fallback status point:

  • Client deployment started

  • Client deployment succeeded

  • Client assignment started

  • Client assignment succeeded

Computers that cannot install or assign the Configuration Manager client send additional state messages.

For example, if you deploy the Configuration Manager client to 20,000 computers, the deployment might create 80,000 state messages sent to the fallback status point. Because the default throttling configuration allows for 10,000 state messages to be sent to the fallback status point each 3600 seconds (1 hour), state messages might become backlogged on the fallback status point because of the throttling configuration. You must also consider the available network bandwidth between the fallback status point and the site server, and the processing power of the site server to process many state messages.

To help prevent these issues, consider increasing the number of state messages and decreasing the throttle interval.

Reset the throttle values for the fallback status point if either of the following conditions is true:

  • You calculate that the current throttle values are higher than required to process state messages from the fallback status point.

  • You find that the current throttle settings create high CPU usage on the site server.

Warning

Do not change the fallback status point throttle settings unless you understand the consequences. For example, when you increase the throttle settings to a high value, CPU usage on the site server can also become high, which slows down all site operations.

Out of Band Service Point

The default settings for the out of band service point are sufficient for most circumstances. Change them only if you have to control the CPU usage for the out of band service point and the network bandwidth when Intel AMT-based computers are configured for scheduled wake-up activities and for power-on commands.

For information about how to configure an out of band service point for AMT-based computers, see How to Provision and Configure AMT-Based Computers in Configuration Manager.

Configuration option

Description

Retries

Specify the number of times a power-on command is sent to a destination computer.

After a power-on command is sent to all destination computers, the transmission is paused for the Delay period. If this retry value is greater than 1, a second power-on command is sent to the same computers, and the process is repeated until the retry value is reached. The second and subsequent power-on commands are sent only if the destination computer did not respond.

Unlike wake-up packets, power-on commands create an established session with the destination computer. Therefore, retries are less likely to be necessary. However, retries might be necessary if the site transmits many packets (for example, also sending wake-up packets), and the power-on commands cannot reach a destination computer because of the high network bandwidth consumption.

The default setting is 3 retries. Values can range from 0–5.

Delay (minutes)

The time in minutes that power-on commands pause between retries.

The default setting is 2 minutes. Values can range from 1–30 minutes.

Transmission threads

The number of threads that the out of band service point uses when it sends power-on commands.

When you increase the number of threads, you are more likely to make full use of the available network bandwidth, especially when the out of band service point site system server computer has multiple cores or processors. However, when you increase the number of threads, the increased thread count might also produce a significant increase in CPU usage.

The default setting is 60 transmission threads. Values can range from 1–120 threads.

Transmission offset

The time in minutes that a power-on command is sent before a scheduled activity that is enabled for wake-up packets.

Set a value that gives sufficient time before the scheduled activity so that computers have completed startup, but not so much time that the computer returns to a sleep state before the scheduled activity.

The default setting is 10 minutes. Values can range from 1–480 minutes.

Configure the Proxy Server for Site System Servers

You can configure a site system server to use a proxy server for the Internet connections made by site system roles that run on that computer. For information about the site system roles that can use the proxy server configuration, see the Planning for Proxy Servers Configurations for Site System Roles section in the Planning for Site Systems in Configuration Manager topic.

Use the following procedure to edit the proxy server configuration of a site system server.

To configure the proxy server for a site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.

  3. Select the site system server that you want to edit, and then in the details pane, right-click Site system, and then click Properties.

    Tip

    You cannot configure the proxy server on a cloud-based distribution point in Microsoft Azure. Instead, you configure the proxy server on the primary site that manages the cloud-based distribution point.

  4. In Site system Properties, select the Proxy tab, and then configure the proxy settings for this primary site server.

  5. Click OK to save the new proxy server configuration.