It’s based on the DP and the client being in the same AD site, same with the subnet, and yes, this is still applicable. This is a preference ordering of the DPs associated with the boundary groups that the client falls into.
If the DPs are in different AD sites, then the clients will prefer the DP in the same AD site that they are in.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Thursday, May 4, 2017 9:34 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Is there any chance Microsoft has an updated flow chart that they haven’t released yet? I noticed it says AD Site in there right under subnet. This is referring to choosing the DP based on the DP being within the same AD site or that AD Site being within the Boundary itself that is assigned to the DP? I may be able to use AD Site to force clients to pick the DP in their site as we do have an AD site for each of the regional boxes.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-03-17 5:30 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

For the preference, no, I mean subnet. Just as is depicted in that older flowchart. The client will order all DPs in all of its boundary groups by certain things and the first is subnet.

We weren’t 100% sure on removing the DP from the secondary site server. I thought it couldn’t be done in a supported way and he thought it could be. I’m not sure which is the correct answer here. I know an MP can’t be removed. Never tried a DP though.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Wednesday, May 3, 2017 2:35 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Thanks for the info Jason, could you clarify these though, just so I’m sure?
* Since DPs in the same subnet are preferred, the remote DP could be placed in the same subnet as the clients at that same remote location. – You mean boundary group here I hope? We have 1000s of subnets across multiple forests. The remote DPs are in the same boundary group – but that has a few 100 IP range boundaries. 2007 we used to use AD sites but Microsoft told us not to mix and to go with IP ranges now.
* Remove the DP from the secondary site server and use an additional site system for the DP role at the same location as the secondary site server. – So Dev confirmed this config would be supported? “You cannot remove the DP or MP role from a secondary site server (at least not in a supported way).”

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-03-17 3:25 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

So I just talked to one of the devs and he confirmed what I’ve said. Today, there is no way to separate the DP from the MP when specifying the site system associated with a boundary group. Thus, this is a shortcoming in the current design. You have two potential ways to address this scenario today:

* Since DPs in the same subnet are preferred, the remote DP could be placed in the same subnet as the clients at that same remote location.
* Remove the DP from the secondary site server and use an additional site system for the DP role at the same location as the secondary site server.

We talked through the scenario though and the dev understood it and why they can’t do anything else today. *Today* of course is a keyword here though and he feels that planned improvements in near future releases will address this. No guarantees and no specifics of course (as that’s all NDA).
As for documentation, you can suggest (and even contribute to) all of the current branch documentation hosted on docs.microsoft.com. For lots more details and fun with boundary groups (more fun than fun with flags even) come to our session (Kerim and myself) at MMS on Boundary Groups.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Wednesday, May 3, 2017 8:54 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Thanks. I think Microsoft needs to get some updated documents similar to those you provided but updated. The flow chart one would be fantastic. I see no way to get it working properly without throwing out the entire design.

So we did set up a secondary site because we wanted MOST of the traffic to flow to the secondary site. That was the entire reason we went with a secondary site. We then set up a bunch of DPs across multiple WAN areas that we wanted to flow to that server (even though I know it sends a few things up to the primary MP. Most traffic went to our secondary site)

So just before this update – we had 1 Secondary server MP + DP. Then we had 3 other servers set up across fairly well connected WANs (each in their own boundary group with 1 server + relationship) that serviced a few 1000 PCs. The systems all used those DPs locally and the Secondary Sites Server was set up as a fallback. This worked really well and when you went to the console – you could see all those clients within that boundary group were set to that Secondary Site MP.
Example –
Atlantic Secondary Site Boundary group – 1 server no relationship – all Atlantic boundaries – IP ranges
New Brunswick boundary group – 1 server 1 relationship to Atlantic – NB IP ranges
Nova Scotia boundary group – 1 server 1 relationship to Atlantic – NS IP ranges
Newfoundland boundary group – 1 server 1 relationship to Atlantic – NL IP ranges

Now after the change it seems no matter what we do – the clients all show up with our primary site MP (and it seems all traffic around policy and inventory and status messages is going there).

When we created a new boundary group – added all the boundaries and added the Secondary site to that – then poof – we now have NO WAY to really control which DP the clients in those 3 other WANs use.

That flow chart is nice and very clear but it’s also talking about the days when it all made sense – and we had Protected DPs and so on. If I could set that option it would be fantastic because I’d just tick that off and the clients would all be happy. I can’t find any documentation that tells me it will prefer the DPs in those remote region boundary groups.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-02-17 4:52 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

> “I’ve been told by our network folks that the clients are all going up to our
> primary MP UNLESS we add the proxy management point – secondary site – within
> the boundary group.”

Correct. Clients use a secondary site based upon content location boundary groups: https://home.configmgrftw.com/secondary-sites-and-boundary-groups/

Site assignment has nothing to do with the use of roles within a secondary site. Do keep in mind though that *all* clients must always be able to access an MP within the primary site whether or not they are part of a secondary site.
> “This will likely mean all my regional boxes will end up also using it as a
> DP unfortunately”

Not necessarily. I can’t find a specific reference in the [current] documentation, not that there isn’t one, I just can’t find it right now, but clients do order DPs in the list returned from the MP based upon IP Subnet and AD Site. This is an older flowchart that depicts this: https://technet.microsoft.com/en-us/library/bb932150.aspx

You cannot remove the DP or MP role from a secondary site server (at least not in a supported way).

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Tuesday, May 2, 2017 10:01 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Short term I had to go to my boundary group for my secondary site and I added all those subnets. This will likely mean all my regional boxes will end up also using it as a DP unfortunately, unless the clients somehow know to use the other boundary group DP they are assigned to because of the relationship pointing up to the secondary site server MP DP.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: May-02-17 10:25 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Proxy Management Point and Boundary behavior post 1610

Hi,

We upgraded from 1606 to 1610 to 1702 and are trying to get a handle on the boundary changes. I’ve been told by our network folks that the clients are all going up to our primary MP UNLESS we add the proxy management point – secondary site – within the boundary group.

We wanted to have systems in an area use DPs in their local area first, and fall back to the secondary site server DP for software AND go to the secondary site server MP for policy vs going all the way to the primary server.
That doesn’t seem to be happening though. In order for us to have clients get policy and We currently have an Assignment Boundary group for our Secondary site that has all the boundaries within it but NO site System count on it. That has no relationships. We have the secondary site boundary group that has no subnets or boundaries assigned, and no relationships. Our MP has the DP role too. Then we have our regional local DPs with boundaries assigned and the local DPs plus relationships to the above secondary site boundary group.

I was hoping this setup would allow all our clients in those local boundary groups to use the local DP for all the software and go to the secondary site server MP for policy and only use the DP on that MP for fallback. I figured maybe if we enabled preferred management points but then we can’t specify ONLY use it for MP and not DP? Do we need to uninstall the DP role from our MP (not even sure you can do that)?