MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Infrastructure Changes for System Center 2012 Configuration Manager SP1: Advanced Topics and Troubleshooting
Jason Adams, D.C. Tardy
Program Manager
Microsoft
UD-B403
Session Objectives And Takeaways
Session Objectives
• Review Design Principles for Configuration Manager Service Pack 1
• Discuss optimization and improvements for performance in Configuration Manager Service Pack 1
New SP1 infrastructure supports a smaller deployment footprint
Fewer sites correlate to a better customer experience
Enabling users to be productive, responsibly
Finding the right balance
Devices & Experiences Users Want
Applications and data across devices, anywhere
Empower User Productivity
Unified Management Infrastructure
Common Identity
Access and Information Protection
Controlled access to data with seamless authentication
Unified Device Management
Unified Management Infrastructure
• Single management interface
• Integrated security and compliance
• Improve IT efficiency
• Reduced infrastructure complexity
+
Empower User Productivity
• Device choice
• Application self-service
• Personalized application experience
• Non-intrusive management
Simplifying Management Across Platforms
Devices & Platforms
IT: Single admin console
• Windows PCs (x86/64, Intel SoC), Windows to Go
• Windows Embedded
• Android
• Mac OS X
• Windows RT
• Windows Phone 8
• iOS
• Android
Role Based Administration & Collection Limiting
Administrative Segmentation
Security Roles: What types of objects can I see and what can I do to them? Example: the “Software Update Manager” role gives rights to read and deploy software updates to specific collections.
Security Scopes: Which instances can I see and interact with?
Collections: Which resources can I interact with?
Data Segmentation: Configuration Manager 2007
Meg wishes to distribute a package to all of her EMEA users in the West region
Meg Collins, “Central Admin”
• Create and distribute package
England Primary Site: Anthony, “English Admin”
• English collections
• Create advertisement for English collections
France Primary Site: Louis, “French Admin”
• French collections
• Create advertisement for French collections
Segmentation with Configuration Manager 2012
Meg wishes to distribute an application to all of her EMEA users in the West region
Central Admin Site
Meg Collins, “Central Admin”
• Create and distribute application
Louis, “French Admin”
• French collection(s)
• Create deployment for French collection(s)
Anthony, “English Admin”
• English collection(s)
• Create deployment for English collection(s)
Collection Limiting
All Systems
French Systems
French Desktops
French Servers
English Systems
• Meg gives Louis permissions to “French Systems”
Louis
• can read French Systems and all collections limited to French Systems
• cannot see All Systems and English Systems
• can modify and delete French Desktops
• can create new collections limited to French Systems or French Desktops
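Added example (not part of the original deck and not Configuration Manager code): a small Python model of the collection-limiting rule on this slide, showing why Louis sees only the French subtree and why a new collection is accepted only when its limiting collection is already in his scope. The function names and the placement of French Desktops and French Servers under French Systems are assumptions made for illustration.

```python
# Toy model of collection limiting (added illustration, not Configuration Manager code).
# Constructed hierarchy: each collection maps to the collection it is limited to.
# Placing French Desktops and French Servers under French Systems is an assumption.
LIMITED_TO = {
    "All Systems": None,
    "French Systems": "All Systems",
    "French Desktops": "French Systems",
    "French Servers": "French Systems",
    "English Systems": "All Systems",
}

def limiting_chain(name, limited_to):
    """Return [name, its limiting collection, ...] up to the root."""
    chain = []
    while name is not None:
        if name in chain:
            raise ValueError(f"limiting cycle at {name!r}")
        chain.append(name)
        name = limited_to[name]
    return chain

def visible_collections(granted, limited_to):
    """A collection is visible if it, or a collection it is limited to, was granted."""
    return {c for c in limited_to
            if any(a in granted for a in limiting_chain(c, limited_to))}

def create_collection(name, limit, granted, limited_to):
    """Allow a new collection only when its limiting collection is visible to the admin."""
    if limit not in visible_collections(granted, limited_to):
        raise PermissionError(f"{limit!r} is outside the admin's scope")
    if name in limited_to:
        raise ValueError(f"{name!r} already exists")
    updated = dict(limited_to)
    updated[name] = limit
    return updated

LOUIS = {"French Systems"}  # Meg grants Louis "French Systems"

if __name__ == "__main__":
    print(sorted(visible_collections(LOUIS, LIMITED_TO)))
    grown = create_collection("French Laptops", "French Desktops", LOUIS, LIMITED_TO)
    print(sorted(visible_collections(LOUIS, grown)))
    try:
        create_collection("Everything", "All Systems", LOUIS, LIMITED_TO)
    except PermissionError as err:
        print("denied:", err)
```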
Demo
Role Based Access
Boundary Strategy
Overview
• What is a Boundary?
• Analysis of boundary types
• Recommendations for designing a boundary strategy
What is a Boundary
A Boundary is a network location that you want to manage with Configuration Manager.
A Boundary is assigned to a Boundary group.
A Boundary is used for site assignment and content availability for clients.
There are three Boundary types:
1. AD Site
2. IP Subnet
3. IP Range
Analysis: AD Site Boundary
Benefits:
• Large container – should match known network bottlenecks
• No issues with assignment or location requests
• Very inexpensive from a performance perspective
Problems:
• Requires coordination with Active Directory Admins
• Dependency on properly configured AD
Analysis: IP Subnet Boundary
Benefits:
• Least expensive boundary type to run
• Should map directly to network topology
Problems:
• Outside of networking administrators, concept of IP subnet is uncommon
• Known issues for assignment if AD sites use supernets
• Actual assignment and registration are handled correctly
• Confusion of Supernets vs. Subnets
• Networks tend to have a large number of subnets
Analysis: IP Range Boundary
Benefits:
• Easy to understand
• No issues with assignment or location requests
Problems:
• Very SQL intensive to evaluate
Overview
Try to design with the fewest boundaries possible
Revisit design if you average less than 100 clients per boundary
Use fewer sites
Use AD Site boundary types when possible
Investigate the state of AD Sites. If configured correctly, it is the best match for bandwidth issues
If there are going to be a number of boundaries, prefer IP subnet boundary types.
Use IP Range boundary types sparingly and only when necessary
Replication Principles
Replication Principles
As few sites as possible
Replication overhead
Increase site count only to support volume of devices
Exceptions to this rule
Geographic presence
Network access accounts
Network considerations
Site data replication
Site data scheduling
Proximity
Replication tax
How to avoid the Replication Tax
Global Data
• Collections
• Packages (meta data)
• Programs
• Deployments
• Configuration Items
• Software Updates
• Task Sequences
• OS Images (boot images, driver packages, etc.)
• Site Control File
• System Resource List (site servers)
• Site Security Objects (Roles, Scopes, etc.)
• Client Authentication
• Client Discovery
Site Data
• Collection Membership
• Alerts
• Hardware Inventory
• Software Inventory & Metering
• Status Messages
• General Site Data
• Asset Intelligence CAL Track Data
• Status Messages
• Software Distribution Status Details
• Software Updates Replicated Site Data
• Software Updates Non-Replicated Site Data
• Status Summary Data
• Component and Site Status Summarizers
• Client Health Data
• Client Health History
• Quarantine Client Restriction History
How to avoid the Replication Tax
• CAS is bottleneck for replication
• Global data requires copies throughout hierarchy
• Site data requires receiving data from each primary
[Diagram: Central Administration Site with two Primary Sites]
How to avoid the Replication Tax
Example: Managing 40,000 systems
[Diagram: Central Administration Site, Primary Sites, Stand Alone Primary]
Sites | Sends | Copies
1 | 0 | 1
2 | 1 | 2
3 | 2 | 3
… | … | …
10 | 9 | 10
Design Principles: Avoid the Replication Tax
The Math of Replication
Number of sites | Copies in hierarchy | Sends from CAS for global data | Receptions to CAS for site data
1 (SAP) | 1 | 0 (No CAS) | 0 (No CAS)
2 | 2 | 2 | 1
3 | 3 | 3 | 1
4 | 4 | 4 | 1
… | … | … | …
10 | 10 | 10 | 1
Design Principles: Avoid the Replication Tax
Lab Observations
400K Patch Tuesday Performance Benches
Contains 4 primary sites
Simulated Patch Tuesday environment at supported limits
Load generates 32 million state messages to be processed
4-Site (Narrow)
Lab clears all backlogs within 14 hours
10-Site (Wide)
Lab clears all backlogs in 26 hours
SQL Best Practices
Overview
Rebuild Indexes Task
TempDB Filegroups
Updating statistics
Rebuild Indexes Task
Improves Speed of Queries
Essential in large scale deployments
Task must be enabled:
• Creates Indexes on columns at least 50% unique
• Drops Indexes on columns less than 50% unique
• Rebuilds existing indexes that meet uniqueness criteria
SQL File Groups
File groups give you the ability to create multiple filegroups for SQL TempDB
Multiple read write heads can be engaged in parallel
Improves performance of queries
Role | Memory | CPU cores | DB Disk arrays | TempDB filegroups | DB size
CAS DB | 96GB | 16 | 4 | 8 | 150%
Primary DB | 48GB | 12 | 3 | 2-4 | 150%
Updating Statistics
Most common source of slow performance in production hierarchies.
Auto update should always be enabled
sp_updatestats should be used after any SQL maintenance or issue in which SQL has been under load for a prolonged period
Caution! Updating statistics is not a trivial task! There is a trade-off between statistics and overall performance; for day-to-day operations SQL should be allowed to manage statistics
Optimizing replication traffic
Optimizing replication traffic
Replication traffic reports
Research traffic across links
Determine which links to optimize site data
Replication alerts
Degraded versus failed
Reasons to change the settings
Caveats; sometimes degradation and back to active
Customer profiles
Infrastructure Promises
Modernizing Architecture
Minimizing infrastructure for remote offices
Consolidating infrastructure for primary sites
Scalability and Data Latency Improvements
Central Administration Site is just for administration and reporting – Other work distributed to the primaries as much as possible
File processing occurs once at the Primary Site and uses replication to reach other sites (no more reprocessing at each site in the hierarchy)
System-generated data (HW Inventory and Status) can be configured to flow to the Central Administration Site directly
Be Trustworthy
Interactions with SQL DBA are consistent with Configuration Manager 2007
Configuration Manager admin can monitor and troubleshoot new replication approach independently
Infrastructure Decisions
Central Administration Site
Primary Site
Secondary Site
Distribution Point
Site Database Server
Company Profile
Headquarters in Chicago
Subsidiary in London
2-4 administrators with other IT responsibilities, limited day to day use
125,000 clients
Weekly inventory, deploys software and software updates
When Do I Need a Central Administration Site
More than one primary site in hierarchy
More than 100K clients in hierarchy
[Diagram: Headquarters in Chicago; Subsidiary in London; legend: CAS, Primary, Secondary, DP]
When Do I Need a Primary Site Server
Manage Clients - Consolidate
Scale (100K clients per primary)
Reduce impact of primary site failure
Political Reasons
Content Regulation
Local point of administrative connectivity
• Decentralized administration
• Logical data segmentation
• Client settings
• Language
• Content routing for deep hierarchies
[Diagram: Headquarters in Chicago; Subsidiary in London; 74,000 clients, 1,000 servers; 49,500 clients, 500 servers (Consolidate); legend: CAS, Primary, Secondary, DP]
When Do I Need a Secondary Site Server
Manage Clients - Consolidate
Manage upward flow of WAN traffic
Tiered content routing for deep network topologies
• No local administrator for secondary
[Diagram: Headquarters in Chicago; Subsidiary in London; 72,500 clients, 1,000 servers; 49,500 clients, 500 servers (Consolidate); 1,500 clients (Optimize); legend: CAS, Primary, Secondary, DP]
When Do I Need a Distribution Point
Manage Clients - Consolidate
BITS not enough control for WAN traffic
Multicast for Operating System Deployment
App-V streaming
Don’t need Distribution Point when:
BITS enough over WAN traffic
BranchCache™ deployed
Distribution point on Windows Server 2008 R2
Clients running compatible operating systems
Vista SP2 with KB960568 installed
Windows 7
[Diagram: Headquarters in Chicago; Subsidiary in London; 72,035 clients, 1,000 servers; 49,500 clients, 500 servers (Consolidate); 1,500 clients (Optimize); 450 clients (Optimize); 15 clients (Optimize); legend: CAS, Primary, Secondary, DP]
Cloud Distribution Point Fallback For App/SWD Packages when local and remote distribution points unavailable.
WU/MU Fallback For Software Updates when local and remote distribution points unavailable.
In Review: Session Objectives And Takeaways
Session Objectives:
• Discuss key areas regarding advanced Configuration Manager infrastructure
• Discuss advanced Configuration Manager architecture options
Key Takeaways
• Key design principles
• Performance optimization
• Customer profile options
Related Content
Breakout Sessions
UD-B309 Deploying and Configuring Mobile Device Management Infrastructure
UD-B310 Deploying and Managing Windows 8 with Configuration Manager 2012 SP1
UD-B317 Manageability of Mac & Linux Using System Center 2012 Configuration Manager SP1
UD-B318 Managing Embedded Devices with Configuration Manager 2012
UD-B325 System Center 2012 Configuration Manager SP1 Overview
UD-B330 System Center 2012 Configuration Manager SP1 and Windows Intune: Unified Modern Device Management
UD-B331 System Center 2012 Endpoint Protection Integration With Configuration Manager 2012 SP1
UD-B332 What’s New with Microsoft Deployment Toolkit 2012 Update 1
UD-B333 What's New: Configuration Manager 2012 SP1 Infrastructure Improvements and Hierarchy Design
UD-B335 Windows Intune Overview
UD-B403 Infrastructure Changes for System Center 2012 Configuration Manager SP1: Advanced Topics and Troubleshooting
Related Content
Instructor-led and Hands-on Labs
UD-IL301 Basic Software Distribution
UD-IL302 Deploying a Configuration Manager Hierarchy
UD-IL303 Deploying Configuration Manager
UD-IL304 Deploying Windows 8 to Bare Metal Clients
UD-IL306 Implementing Endpoint Protection
UD-IL307 Implementing Role-Based Administration
UD-IL308 Implementing Settings Management
UD-IL309 Introduction to Configuration Manager
UD-IL310 Managing Applications
UD-IL311 Managing Clients
UD-IL312 Managing Content
UD-IL313 Managing Microsoft Software Updates
UD-IL314 Migrating from Configuration Manager 2007 to Configuration Manager 2012
UD-IL315 New for SP1: Deploying Windows 8 Applications in Configuration Manager 2012 SP1
UD-IL316 New for SP1: Expanding a Configuration Manager 2012 SP1 Hierarchy
UD-IL317 New for SP1: Implementing App-V 5.0 in Configuration Manager 2012 SP1
UD-IL318 New for SP1: Implementing Database Replication Controls in Configuration Manager 2012 SP1
UD-IL319 New for SP1: Implementing Linux Clients in Configuration Manager 2012 SP1
UD-IL320 New for SP1: Upgrading from Configuration Manager 2012 to Configuration Manager 2012 SP1
UD-IL401 Advanced Software Distribution
Resources
http://channel9.msdn.com/Events
Access MMS Online to view session recordings after the event.