Clients don’t communicate directly with site servers, so the site server can
remain in Zone 1; it does not need to be moved to Zone 2.
What clients do need to communicate with are site system servers, e.g. MP/SUP/DP.
Question: What is the AD forest design? Is there a separate AD forest in each
Zone, or 1 AD forest across all three Zones, or other?
My recommendation would be:
1. Put a server in Zone 3, joining it to the AD forest in Zone 3.
   a. Install SQL Server on the server.
      i. Create/publish a database replica of the site database to the SQL instance.
   b. Make the server an MP for the ConfigMgr site.
      i. Enable “site server initiated communications”.
      ii. Configure the MP site role to use the site database replica (rather than the site database).
2. To publish ConfigMgr site information to the AD forest in Zone 3, enable the AD Forest Discovery Method on the site server.
   a. Add the AD forest in Zone 3 to the discovery method properties.
   b. Enable publishing to the AD forest in Zone 3 by checking the box on the Publishing tab, e.g. the MP in Zone 3 will now be published along with the site data to that AD forest.
This will allow clients in Zone 3 to “discover” the ConfigMgr site (and
successfully do client registration), without:
1. Moving the site server to Zone 2
2. Creating a site in Zone 3
Based on the information you’ve provided (and making some assumptions about
your AD forest and trust scenario), this would be the easiest and most secure
way to achieve your goal.
Troy L. Martin | Product Manager, Endpoint Automation
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
[email protected]<mailto:[email protected]> | www.1e.com<http://www.1e.com/>
Facebook<http://www.facebook.com/1eglobal> |
Twitter<https://twitter.com/1e_global/> |
YouTube<http://www.youtube.com/1enews> | Blogs<http://blogs.1e.com/> |
RSS<http://blogs.1e.com/index.php/feed/>
From: [email protected] [mailto:[email protected]] On
Behalf Of Robert Spinelli
Sent: Thursday, October 8, 2015 3:57 PM
To: [email protected]
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.
Well, this is in my lab for some testing I’m doing.
The goal is we have a site that needs to be firewalled off. There are
literally multiple firewall levels in this one site. So Zone 3 can talk to
Zone 2, but Zone 3 can’t talk to Zone 1. The SCCM server will have to be placed
in Zone 2 so the clients in Zone 3 can talk to it. But the problem with this
design is that since the SCCM w/SUP is in this firewalled site, other clients
from outside the site don’t care/know not to go to it, so they will try to get
to the SUP and not be able to connect. It’s the same thing for the clients in
the firewalled site: SCCM will serve them a SUP in some other site they can’t
get to, and they won’t be able to connect.
The only permanent solution I can think of is to get some reverse proxy setup
that will allow clients in Zone 3 to get to our SCCM infrastructure in
Zone 1. We’ll use the reverse proxy to get to the MP/SUP in Zone 1 and keep the DP in
Zone 2.
In the meantime, the way to make sure that the firewalled clients only get to the SCCM
server in their site at Zone 2 is to install a primary for them to access.
This is a horrible solution, but I can’t think of any other way to ensure I can
service this site and make sure no other clients from some other site try to
access the firewalled site. The primary will be up for 3-4 months until we can
get the reverse proxy solution.
Not thrilled, but I need to service these clients ASAP.
If anyone wants to prove they are much smarter than me, I’m open to
suggestions... ha.
Thanks
Rob
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Daniel Ratliff
Sent: Thursday, October 8, 2015 3:32 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.
So if that 1 SUP is firewalled off, is it serving clients at all? Remove the
role if not?
Daniel Ratliff
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Robert Spinelli
Sent: Thursday, October 08, 2015 3:28 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.
Yep, the problem with the error switching is that none of the errors below are
presented, so it doesn’t switch. As far as it’s concerned, it’s like you’re at home
and trying to connect but it’s offline. Being offline isn’t an error. I could
modify as below, but then lots of clients who are at home on their laptops, etc.
would try to switch, which is not great.
http://blogs.technet.com/b/umairkhan/archive/2014/10/03/configmgr-2012-r2-multiple-sup-scenario-clients-not-failing-over-to-the-other-sup.aspx
I really wish MS allowed you to assign SUPs to boundary groups also.
IBCM SUPs are why you don’t see this. We aren’t doing PKI, so that’s not an option
for us.
Thanks
Rob
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Daniel Ratliff
Sent: Thursday, October 8, 2015 3:11 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.
We have our IBCM SUPs in the DMZ and don’t have any issues because they only
service internet clients.
Also remember, if it fails to talk to a SUP, it will retry every 30 minutes,
for a total of 4 times (2 hours). If the error code is an accepted one it will
move to another SUP.
http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/software-update-points-in-cm2012sp1.aspx
Daniel Ratliff
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Robert Spinelli
Sent: Thursday, October 08, 2015 3:05 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.
Have you had any issues with clients not being able to connect to the SUPs
because of firewall issues?
Long story short, since SUPs aren’t really assigned to boundary groups like
DPs and, more recently, MPs, clients are trying to connect to a SUP that is
firewalled off. If we have 4 SUPs that are all part of the same forest, but 1
SUP is behind a firewall, there is a 1 in 4 chance clients will be served that SUP and not
be able to connect.
Anyone else seen this?
Thanks
Rob
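As an added example (not code from the thread or from any of its participants), the check an admin would want before trusting the “1 in 4” scenario above or the retry behaviour Daniel describes further down: run on a ConfigMgr client, it reads the SUP the client has been handed (the WUServer local-policy value that ConfigMgr sets) and probes every SUP in the site on its WSUS ports. The SUP names, the port list and the timeout are constructed assumptions; replace them with your own. It separates a TCP timeout (packets silently dropped by a firewall, the “offline isn’t an error” case) from an explicit refusal, because that is what decides whether the client’s error-driven failover ever triggers.

```powershell
# Added example (not from the thread). Run on a ConfigMgr client with
# PowerShell 3+ to see which SUP it was handed and which SUPs it can reach.

# Constructed placeholder list of the site's SUPs; replace with your own.
$SupList = @(
    'sup01.corp.example.com',
    'sup02.corp.example.com',
    'sup03.corp.example.com',
    'sup04-zone3.corp.example.com'   # constructed: the SUP behind the firewall
)
# Default WSUS ports (HTTP/HTTPS); adjust if your WSUS listens on 80/443.
$Ports = @(8530, 8531)

function Get-AssignedSup {
    # ConfigMgr writes the SUP it assigned into the WSUS local policy value
    # (e.g. http://sup01.corp.example.com:8530). Returns $null if unset.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key -Name WUServer -ErrorAction SilentlyContinue
    if ($wu) { return $wu.WUServer }
    return $null
}

function Test-SupPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    # Raw TCP connect with a timeout. 'Timeout' means packets are being dropped
    # (typical for a firewall); 'Refused/Error' means the host answered but the
    # port is closed or the name did not resolve; 'Open' means the SUP is
    # reachable at the transport layer.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $state = 'Timeout'
        } else {
            $client.EndConnect($ar)
            $state = 'Open'
        }
    } catch {
        $state = 'Refused/Error: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ Server = $Server; Port = $Port; State = $state }
}

$assigned = Get-AssignedSup
Write-Output "Assigned WUServer: $assigned"

$results = foreach ($s in $SupList) {
    foreach ($p in $Ports) { Test-SupPort -Server $s -Port $p }
}
$results | Format-Table -AutoSize

# The case the thread describes: the assigned SUP is unreachable, but because
# the failure is a silent drop rather than an HTTP error the client keeps
# retrying the same SUP instead of failing over to another one.
if ($assigned) {
    $assignedHost = ([uri]$assigned).Host
    $dropped = $results | Where-Object { $_.Server -eq $assignedHost -and $_.State -eq 'Timeout' }
    if ($dropped) {
        $portList = ($dropped | ForEach-Object { $_.Port }) -join ','
        $msg = "Assigned SUP $assignedHost times out on port(s) $portList; a silent drop " +
               "is not an accepted WUA error, so this client will keep retrying it."
        Write-Warning $msg
    }
}
```

Run it from a client in each zone; a SUP that shows Open from Zone 1 and Timeout from Zone 3 is exactly the one whose clients will sit in the retry loop, and the output tells you which rule (a firewall drop versus a closed port) is producing the symptom.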
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Daniel Ratliff
Sent: Thursday, October 8, 2015 2:25 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.
We just had a case with Microsoft and moved all 6 SUPs at each primary to a
shared DB and content. Works great.
Daniel Ratliff
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Jason Wallace
Sent: Thursday, October 08, 2015 1:49 PM
To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.
You can have 4 SUPs sharing one WSUS database.
The tested number of SUPs in a primary site is 8.
On 8 Oct 2015, at 18:37, Robert Spinelli
<[email protected]<mailto:[email protected]>> wrote:
I can’t seem to find how many SUPs are supported on SCCM 2012 R2 SP1 CU1.
I could have sworn at one point there was something on the website that showed
that a primary supported a maximum of 4 SUPs.
I don’t see that statement anymore. Is my Google-fu failing? Below is the
section about SUPs, but it no longer has a statement of how many it supports.
https://technet.microsoft.com/en-us/library/gg682077.aspx
Thanks
Rob
The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
________________________________
Legal Notice: This email is intended only for the person(s) to whom it is
addressed. If you are not an intended recipient and have received this message
in error, please notify the sender immediately by replying to this email or
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any
attachments may be privileged and/or confidential. The unauthorized use,
disclosure, copying or printing of any information it contains is strictly
prohibited. The opinions expressed in this email are those of the author and do
not necessarily represent the views of 1E Ltd. Nothing in this email will
operate to bind 1E to any order or other contract.