Yeah sorry for confusing. It was a half rant. I meant that they seem to be wishy washy in their direction. It’s as if they want to force everyone to abandon secondary sites but when asked directly about it you get half answers.
I’m old, so I guess I prefer to use secondary sites across regions and wan connections and have all the client traffic hit the secondary site and flow up from there. I also have a firewall team that generally has issues punching holes for all pc’s. The removal of DP should work.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-12-17 12:22 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Design is rarely easy because every scenario is unique. Not sure who you paid huge amounts of money to but I’d ask for a refund if they put in something that doesn’t work for you and contradicts what Microsoft supports and how the product works.

Do something like what? Having remote DPs handing off of a secondary site isn’t flattening. It’s also not very common. Flattening would be getting rid of the secondary site and using PullDPs instead. Without knowing all of the details of your topology and requirements, I wouldn’t make any actual suggestions here about what you should do though.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Friday, May 12, 2017 8:46 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Microsoft got back to us and removing the DP IS SUPPORTED. I wish Microsoft would be straightforward with this design stuff now like it used to be. Not getting clear answers around Secondary Sites even though that is in the design we paid a huge amount of money for. In my mind (likely because I’m old) is that the clients should all communicate with secondary site MP – for inventory and policy and generally all things and then that should flow up to primary.
They seem to be half saying it’s BEST to flatten it so there is no need to use Proxy Management Sites – but then they turn around and do something like this.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-04-17 6:32 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Step 1: The MP returns DPs based upon boundary group.
Step 2: The client orders those DPs returned by the MP and prefers those that are in its own subnet and its own AD site.

Thus, if the DP isn’t referenced by a boundary group that the client falls into, it’ll never be considered.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Thursday, May 4, 2017 4:10 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Sorry 1 more silly question – the Client and DP being in the same AD site – The AD site doesn’t have to be used to define the boundary group within SCCM? It will use the AD site regardless? I ask because for Atlantic I can use AD sites as we did in 2007 but apparently that is not an option for central or western areas without some changes.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-04-17 2:52 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

It’s based on the DP and the client being in the same AD site, same with the subnet, and yes this is still applicable. This is a preference ordering of the DPs associated with the boundary groups that the client falls into.
If the DPs are in different AD sites, then the clients will prefer the DP in the same AD site that they are in.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Thursday, May 4, 2017 9:34 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Is there any chance Microsoft has an updated flow chart that they haven’t released yet? I noticed it says AD Site in there right under subnet. This is referring to choosing the DP based on the DP being within the same AD site or that AD Site being within the Boundary itself that is assigned to the DP? I may be able to use AD Site to force clients to pick the DP in their site as we do have an AD site for each of the regional boxes.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-03-17 5:30 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

For the preference, no, I mean subnet. Just as is depicted in that older flowchart. The client will order all DPs in all of its boundary groups by certain things and the first is subnet.

We weren’t 100% sure on removing the DP from the secondary site server. I thought it couldn’t be done in a supported way and he thought it could be. I’m not sure which is the correct answer here. I know an MP can’t be removed. Never tried a DP though.
J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Wednesday, May 3, 2017 2:35 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Thanks for the info Jason, could you clarify these though, just so I’m sure?

* Since DPs in the same subnet are preferred, the remote DP could be placed in the same subnet as the clients at that same remote location. – You mean boundary Group here I hope? We have 1000s of subnets across multiple forests. The remote dp’s are in the same boundary group – but that has a few 100 ip range boundaries. 2007 we used to use AD sites but Microsoft told us not to mix and to go with IP Ranges now.
* Remove the DP from the secondary site server and use an additional site system for the DP role at the same location as the secondary site server. – So Dev confirmed this config would be supported? “You cannot remove the DP or MP role from a secondary site server (at least not in a supported way).”

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-03-17 3:25 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

So I just talked to one of the devs and he confirmed what I’ve said. Today, there is no way to separate the DP from the MP when specifying the site system associated with a boundary group. Thus, this is a shortcoming in the current design. You have two potential ways to address this scenario today:

* Since DPs in the same subnet are preferred, the remote DP could be placed in the same subnet as the clients at that same remote location.
* Remove the DP from the secondary site server and use an additional site system for the DP role at the same location as the secondary site server.

We talked through the scenario though and the dev understood it and why they can’t do anything else today. *Today* of course is a keyword here though and he feels that planned improvements in near future releases will address this. No guarantees and no specifics of course (as that’s all NDA).

As for documentation, you can suggest (and even contribute to) all of the current branch documentation hosted on docs.microsoft.com.

For lots more details and fun with boundary groups (more fun than fun with flags even) come to our session (Kerim and myself) at MMS on Boundary Groups.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Wednesday, May 3, 2017 8:54 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Thanks. I think Microsoft needs to get some updated documents similar to those you provided but updated. The flow chart one would be fantastic. I see no way to get it working properly without throwing out the entire design.

So we did set up a secondary site because we wanted MOST of the traffic to flow to the secondary site. That was the entire reason we went with a secondary site. We then set up a bunch of DP’s across multiple wan areas that we wanted to flow to that server (even though I know it sends a few things up to the primary MP, most traffic went to our secondary site).

So just before this update – we had 1 Secondary server MP + DP. Then we had 3 other servers set up across fairly well connected wans (each in their own boundary group with 1 server + relationship) that serviced a few 1000 pc’s. The systems all used those DPs locally and the Secondary Site Server was set up as a fallback.
This worked really well and when you went to the console – you could see all those clients within that boundary group was set to that Secondary Site MP.

Example –
Atlantic Secondary Site Boundary group – 1 server no relationship – all atlantic boundaries – ip ranges
New Brunswick boundary group – 1 server 1 relationship to atlantic – NB Ip ranges
Nova Scotia boundary group – 1 server 1 relationship to atlantic – NS Ip ranges
Newfoundland boundary group – 1 server 1 relationship to atlantic – NL Ip ranges

Now after the change it seems no matter what we do – the clients all show up with our primary site MP (and it seems all traffic around policy and inventory and status messages is going there).

When we created a new boundary group – added all the boundaries and added the Secondary site to that – then poof – we now have NO WAY to really control which DP the clients in those 3 other wans use.

That flow chart is nice and very clear but it’s also talking about the days when it all made sense – and we had Protected DP’s and so on. If I could set that option it would be fantastic because I’d just tick that off and the clients would all be happy. I can’t find any documentation that tells me it will prefer the DP’s in those in the remote region boundary groups.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: May-02-17 4:52 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

> “I’ve been told by our network folks that the clients are all going up to our
> primary MP UNLESS we add the proxy management point – secondary site – within
> the boundary group.”

Correct. Clients use a secondary site based upon content location boundary groups: https://home.configmgrftw.com/secondary-sites-and-boundary-groups/

Site assignment has nothing to do with the use of roles within a secondary site.
Do keep in mind though that *all* clients must always be able to access an MP within the primary site whether or not they are part of a secondary site.

> “This will likely mean all my regional boxes will end up also using it as a
> DP unfortunately”

Not necessarily. I can’t find a specific reference in the [current] documentation, not that there isn’t one, I just can’t find it right now, but clients do order DPs in the list returned from the MP based upon IP Subnet and AD Site. This is an older flowchart that depicts this: https://technet.microsoft.com/en-us/library/bb932150.aspx

You cannot remove the DP or MP role from a secondary site server (at least not in a supported way).

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Tuesday, May 2, 2017 10:01 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Proxy Management Point and Boundary behavior post 1610

Short term I had to go to my boundary group for my secondary site and I added all those subnets. This will likely mean all my regional boxes will end up also using it as a DP unfortunately, unless the clients somehow know to use the other boundary group DP they are assigned to because of the relationship pointing up to the secondary site server MP DP.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: May-02-17 10:25 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Proxy Management Point and Boundary behavior post 1610

Hi,

We upgraded from 1606 to 1610 to 1702 and are trying to get a handle on the boundary changes. I’ve been told by our network folks that the clients are all going up to our primary MP UNLESS we add the proxy management point – secondary site – within the boundary group.
We wanted to have systems in an area use DP’s in their local area first, and fall back to secondary site server DP for software AND go to the secondary site server MP for policy vs going all the way to primary server. That doesn’t seem to be happening though. In order for us to have clients get policy and

We currently have an Assignment Boundary group for our Secondary site that has all the boundaries within it but NO site System count on it. That has no relationships.

We have the secondary site boundary group that has no subnets or boundaries assigned, and no relationships. Our MP has the DP role too.

Then we have our regional local DPs with boundaries assigned and the local dps plus relationships to the above secondary site boundary group.

I was hoping this setup would allow all our clients in those local boundary group to use the local DP for all the software and go to the secondary site server MP for policy and only use the DP on that MP for fallback.

I figured maybe if we enabled preferred management points but then we can’t specify ONLY use it for MP and not DP? Do we need to uninstall the DP role from our MP (not even sure you can do that)?
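
The two-step DP selection described in the replies above (the MP returns DPs by boundary group, then the client orders them by subnet and AD site), as an added example that is not part of the original thread and not Configuration Manager code. It is a simplified model of only those two steps; the server names, IP ranges and AD site names are constructed, and boundary group relationships (fallback) are not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class DP:
    name: str
    ip: str
    ad_site: str

@dataclass(frozen=True)
class BoundaryGroup:
    name: str
    ip_ranges: tuple   # ((first_ip, last_ip), ...) IP range boundaries
    dps: tuple         # DPs referenced by this boundary group

def _in_group(client_ip, group):
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in group.ip_ranges)

def mp_candidates(client_ip, groups):
    """Step 1: the MP returns only DPs from boundary groups the client falls into."""
    found = []
    for group in groups:
        if _in_group(client_ip, group):
            for dp in group.dps:
                if dp not in found:
                    found.append(dp)
    return found

def client_order(client_subnet, client_ad_site, dps):
    """Step 2: the client sorts that list: same subnet first, then same AD site."""
    net = ipaddress.ip_network(client_subnet)
    # False sorts before True; sorted() is stable, so ties keep the MP's order.
    return sorted(dps, key=lambda dp: (ipaddress.ip_address(dp.ip) not in net,
                                       dp.ad_site != client_ad_site))

def locate(client_ip, client_subnet, client_ad_site, groups):
    candidates = mp_candidates(client_ip, groups)
    return [dp.name for dp in client_order(client_subnet, client_ad_site, candidates)]

# Constructed topology: the secondary site's group covers every regional range,
# as in the short-term workaround described in the thread.
ATL = DP("ATL-SEC", "10.1.0.10", "Atlantic")
NB = DP("NB-DP", "10.2.0.10", "NewBrunswick")
GROUPS = (
    BoundaryGroup("Atlantic Secondary Site", (("10.1.0.0", "10.4.255.255"),), (ATL,)),
    BoundaryGroup("New Brunswick", (("10.2.0.0", "10.2.255.255"),), (NB,)),
)

if __name__ == "__main__":
    print(locate("10.2.5.20", "10.2.5.0/24", "NewBrunswick", GROUPS))
    print(locate("10.3.5.20", "10.3.5.0/24", "NovaScotia", GROUPS))
```

In this model the New Brunswick client lists its local DP ahead of the secondary site server because they share an AD site, while the Nova Scotia client only ever sees the secondary site server because no other boundary group it falls into references a DP.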