1E.COM WHITE PAPER HOW TO GET THE MOST FROM YOUR MICROSOFT CONFIGMGR 2012 MIGRATION SCCM 2012


THE AUTOMATED MIGRATION: AN ANALYSIS OF OPTIONS

Contents

• Overview
• ConfigMgr 2012 Migration Options
• Getting the Most from ConfigMgr 2012
• 1E Nomad: Enhancing Your ConfigMgr 2012 Infrastructure
• How Else Can 1E Help

Abstract

This white paper sets out how you can expedite your migration to ConfigMgr 2012. When the migration is done, or if you have already migrated, it also provides ideas to maximize SCCM 2012’s benefits and to lower your costs.

The Authors

Several of 1E’s ConfigMgr technical specialists have contributed to this document, namely: Shaun Cassells, Troy Martin, Mike Terrill, and Paul Thomsen.

ARE YOU GETTING THE MOST FROM YOUR CONFIGMGR 2012 MIGRATION?

Overview

Microsoft® System Center Configuration Manager 2012 (“ConfigMgr” or “SCCM”) has been well received by organizations of all types and sizes around the world. Many of the organizations that 1E works with have moved to it, are moving to it, or have imminent plans to do so. If you are preparing to upgrade or are in the midst of such a project, this is the ideal time to expedite your project, minimize your costs, and maximize the benefits from ConfigMgr. If you’ve already made the move, you can build on the lessons you’ve learned to make your ConfigMgr implementation even better.

Based on 1E’s many years of experience as Microsoft’s premier ConfigMgr partner, this document provides you with a wide variety of ideas and options to maximize the return your organization is getting from your ConfigMgr investment. You can consider implementing these ideas yourself, and where appropriate talk with 1E about how we can help.

This document suggests options such as:

• Use industry best practices when using the key SCCM 2012 features
• Keep your ConfigMgr hierarchy as simple as possible (especially since SP1’s availability) – you can add a Central Administration Site (CAS) or other primaries later if business developments require them
• Flatten your server infrastructure and cut on-going running costs
• Consider the Intune integration option so that you can manage consumer-oriented devices in addition to Windows computers (as well as Macintosh and Linux)
• PowerShell support brings a new level of customization and control

In 2012, 1E consultants took a deep dive into SCCM and published their tips for success. Those original observations proved to be very helpful and popular, so we were pleased to update them in 2013 for Service Pack 1 (SP1). Later in this document you will find updates to the changes that were made in ConfigMgr 2012 R2 and the changed environment ConfigMgr now serves.

ConfigMgr 2012 Migration Options

If you are planning to migrate to ConfigMgr 2012 or are in the midst of your project, you should consider your migration options. The benefits include:

• Minimizing your ConfigMgr server footprint and maximizing reliability and performance
• Reducing the deployment timeline by two thirds
• Improving your patching and software distribution success

Doing the migration with your own staff and just SCCM might be a viable option if you are prepared to delay other projects, often by months. You will need time to set up a lab, educate the team on the migration process, build a design and process, test the process in the lab, plan for production, and then do the actual work of the migration itself. There is also the risk that you will miss lessons that have been learned elsewhere, given that this is your first opportunity to actually do a migration to SCCM 2012. The challenges and risks increase dramatically if your organization is fairly large, is very diverse, or has other unique characteristics.

You should also consider how well the end state will serve your needs. As a long-time partner of Microsoft, 1E is very impressed by the capabilities of ConfigMgr 2012 and is very pleased to specialize in it. However, 1E has worked with hundreds of organizations where SCCM could be enhanced to even better serve the organization. Such enhancements are why Microsoft so greatly values its huge partner ecosystem. Therefore it is prudent to take time to consider whether additional software would allow SCCM to work even better for you. Taking time to read this whitepaper is a great first step.

The cost of additional services and software is often a concern and we are pleased to discuss that with you. Our experience has been that the benefits are so dramatic, in hard savings, that the investment quickly pays for itself. We have the analysts to help you quantify those savings and we have the history to prove that the savings will be realized as planned. Our large support and engineering teams ensure the savings continue to be realized for years, long after the investment has paid off.

If you see the potential that 1E’s consultants, software, or partners can help you, we encourage you to contact us. We will be pleased to meet at a time and in a format that works well for you to explore the possibilities. Our professional account and technical teams will carefully listen to your challenges and requirements and then explain our solutions to whatever degree you like. If there are better alternatives we will point them out and leave you to them. We are here to help, as we have done with so many organizations since 1997.

Getting the Most from ConfigMgr 2012

Whether you are about to migrate to ConfigMgr 2012 or are already there, you should investigate how you can get the most from SCCM. This section highlights key changes in ConfigMgr 2012 as compared with ConfigMgr 2007 and provides an overview of the lessons that 1E has learned in relation to them.

Application Management

The deployment of software is the primary function of most ConfigMgr implementations. In ConfigMgr 2007, software distribution was achieved by defining packages and programs and then advertising the programs to collections of clients or users.

Different installation types (e.g. 32-bit and 64-bit installation) could require separate programs. Typically, a collection would define the target for each installation type (query-based collections define the logic that determines which systems should run the program).

Those legacy objects are still available in ConfigMgr 2012, and are in fact still required for some of the content required in an operating system deployment task sequence (such as boot images, OS images, driver packages and the ConfigMgr client agent). However, ConfigMgr 2012 introduced a completely new alternative approach to software distribution – application management.

For application management, an application has a number of deployment types, each defining the required source files, install and uninstall command lines and user experience (e.g. whether a user needs to be logged in), similar to the properties of the legacy packages and programs. Deployment types are deployed through a deployment, which isn’t all that dissimilar from the concept of an advertisement.

The most significant difference with SCCM 2012 application management is that the deployment type also defines the targeting logic, which is evaluated on the client each time the Application Deployment Evaluation Cycle occurs. Application management uses the same ‘engine’ as the Compliance Settings, so the decision whether to install can be based on values from Windows Management Instrumentation (WMI), the local registry, the return code of a script, the result of a Microsoft SQL Server database query, or the user (either logged on at the time, or the primary user of the device).

The collections targeted by a deployment can therefore be much more encompassing – now you needn’t panic when you accidentally deploy to All Systems (as long as you have the right conditions defined in the Deployment Type requirements).

SP1 extended this model by improving the App-V support and adding Windows 8 support.

Migrating to ConfigMgr 2012 does not require migrating to application management right away, but you should consider doing so when time permits in order to take advantage of its benefits:

• Applications are state based, so if an application is uninstalled from a client, it will be reinstalled automatically in order to restore the intended state of the client
• The evaluation as to which clients or users receive the application is done on the clients, so the workload on the servers is reduced (particularly in terms of collection evaluation)
• Applications can be made available to users in the Application Catalog, thus enabling a user-centric service model

Site Hierarchy

ConfigMgr 2012 should keep the minimalists happy – the architecture is designed for a much flatter hierarchy, and in fact, a single site ConfigMgr 2012 hierarchy is used by most organizations with fewer than 100,000 clients to manage.

An important change in the SCCM 2012 architecture for those organizations that do require multiple sites is the Central Administration Site (CAS), which is in some ways similar to an SCCM 2007 central site, but no clients can be managed directly from the CAS.

A key role of the CAS is to coordinate replication of data throughout a hierarchy, so it is not required if you are going to manage your entire environment with a single primary site. As of SP1, a standalone site can be attached to a CAS at a later stage. A CAS also enables a failed primary site to be recovered even without a backup. It is worth noting that only primary sites can attach to a CAS, and only secondary sites can be attached to these primary sites, so effectively your hierarchy will not exceed three tiers for the core sites (additional secondary sites can be lower tiers).

Even the role of the secondary site is somewhat changed in ConfigMgr 2012. One of the main reasons for deploying secondary sites in ConfigMgr 2007 was to be able to manage network bandwidth for the distribution of content (packages, updates and OS images).

In ConfigMgr 2012, distribution of content to remote distribution points can be scheduled and throttled in the same manner as site-to-site traffic, so unless you are concerned about the volume of traffic going back to the primary site (inventory, status, software usage, etc.) you can do without secondary sites. It’s worth noting that secondary sites require a SQL database in ConfigMgr 2012; however, the secondary site installation will install Microsoft SQL Server® Express if a supported version of SQL Server is not installed locally.

In ConfigMgr 2012, boundaries are used to identify network locations and are available to all Sites in the hierarchy. Boundaries are then grouped together in boundary groups, which can optionally be associated with a particular site for client site assignment. For example, each of the LANs in a particular location, like a branch office or a retail store, would be added as individual boundaries, and these boundaries would then be added to a boundary group that identifies that location. The boundary group can then be associated with the primary site that should manage that location.

Given all these options, you can do a lot to simplify your SCCM hierarchy and therefore simplify operations and increase reliability:

• Don’t include a CAS unless you must
• Only use secondary sites in locations with a large number of clients and/or if you expect a very large volume of data to be frequently reported up the hierarchy
• If you must have multiple primary sites, keep the count as low as possible

Site-to-Site Replication

If you need a multi-site ConfigMgr hierarchy, you should be aware that site-to-site communication has received a major overhaul in ConfigMgr 2012. Database replication has replaced most of the legacy file transfer in and out of inboxes (content such as packages, applications and operating system deployments is still replicated using the file system).

Most changes in any site will be replicated globally to all sites in the hierarchy, not just to the parent or child sites. To help monitor and resolve replication issues between the sites there is a Database Replication node in the Monitoring section of the console that shows the status of any links. The Replication Link Analyzer is an additional tool that enables further analysis and remediation of SQL replication issues between sites.

SP1 improved replication by giving you more control in terms of what is replicated and when.

Administration

The administration console was historically a big pain point for ConfigMgr 2007 administrators. Not only was it difficult to control (to allow certain users to only see the features they administer) but it also crashed too often. The administration console in ConfigMgr 2012 has been completely redesigned and rewritten from the ground up. It does not use Microsoft Management Console (MMC), and displays only the features the administrator has rights to.

SP1 enhanced the administrative model even further. New PowerShell support extends your administration options so that you can automate ConfigMgr operations even more than in previous versions. The addition of the Client Operations infrastructure allows you to initiate Endpoint Protection and client policy refreshes whenever you require them.

Managing Clients Over the Internet

The complexities of Native Mode in ConfigMgr 2007 no longer exist in ConfigMgr 2012 as the Mixed and Native Site modes are no more. Instead, the various Site system roles within the Site are configured to support HTTP or HTTPS connections (or both).

Within a Site, multiple site systems (e.g. management points) can be deployed, allowing one or more servers situated in a demilitarized zone (DMZ) to host internet-facing roles using HTTPS, with the same roles hosted on an internal server using HTTP.

Use of HTTPS still requires public key infrastructure (PKI) to enrol client and server certificates (mutual authentication is still required); however, the Site Server Document Signing Certificate is now created by the site as a self-signed certificate.

By default, if a client has a client authentication certificate issued by a trusted Certificate Authority (CA) it will use HTTPS and will be able to communicate with all Site systems that are configured to support HTTPS. If no such client authentication certificate exists, the client will use a self-signed certificate and use HTTP to communicate only with site systems that are configured to support HTTP.

New to ConfigMgr 2012 is the possibility for Internet-based clients to evaluate a user-based policy (such as application deployments). In order for this to occur, either the management point (MP) and user account must be in the same forest, or a trust must exist between the forests in which the MP and the user account reside. In either case, any perimeter firewall must allow AD authentication traffic between the MP and a domain controller in the user account’s forest.

Exciting SP1 changes include the ability to use cloud-based (Azure) distribution points and to enable clients to get software updates from Microsoft Update if corporate DPs are not available.

ConfigMgr 2012 SP1 and R2 demonstrate Microsoft’s commitment to dramatically improving your internet client management options. The Intune integration is much more robust and a larger variety of clients is supported. With R2 you can also now manage iOS 7 settings, deploy web application shortcuts, and use Windows 8.1 app bundles.

Similarly, remote connection, certificate, VPN, Wi-Fi, and email profiles make it easy for you to enable mobile user support, rather than having to implement your own solution.

As your users increase their expectations for mobile support, and ConfigMgr increasingly enables it, you should consider implementing these features in your organization.

Scalability

A ConfigMgr 2007 hierarchy could support a maximum of 200,000 clients (300,000 with R3). ConfigMgr 2012 supports up to 400,000 clients in a single hierarchy when the database for the Central Administration Site is running SQL Server Enterprise. Each Primary Site can support up to 100,000 clients if the database and Primary Site roles are hosted on separate servers. The SP1 database replication options ensure that you can fine-tune it in even the most challenging environments.

As with ConfigMgr 2007, each Management Point (MP) can support up to 25,000 clients. However, the concept of a Default Management Point no longer exists in ConfigMgr 2012, and neither does support (or necessity) for Network Load Balancing (NLB) an MP. Instead, up to four servers can host the MP role and clients manage the load balancing in much the same way as they do with Distribution Points (DPs). ConfigMgr 2012 also increases the number of supported DPs per Site from 100 to 250, each supporting up to 4,000 clients.

At first you might think that scalability is not an issue for you, unless you work for a very large organization. However, even medium-sized organizations could have a very large number of clients when you take into account the multiple devices that users often have. So if users typically have a laptop, tablet, and phone, and you manage them all, then an organization with 50,000 to 100,000 users could have some scale concerns. Add in a lot of data-center servers, point-of-sale systems, robotic control systems, or similar options and even current ConfigMgr 2012 scalability is worth taking seriously.

Distribution Points

There are some notable changes in the role of the distribution point (DP) in ConfigMgr 2012. The branch distribution point (BDP) distinction has been dropped in ConfigMgr 2012. Instead, there is a single DP role that can be installed on servers (2003 upwards) and workstations (Vista upwards). Interestingly, the DP role is the only site system that is supported on both 32- and 64-bit computers; all other site systems require a 64-bit OS. Distribution of content to remote DPs (i.e. any DP that is not hosted on the same LAN as a site server) can use scheduling and throttling similar to that defined in our old friend, the site-to-site address, that has survived since the first version of SMS.

By default all content is obtained by clients using HTTP (or HTTPS), which means that any system (including a workstation) hosting a DP needs Internet Information Server (IIS) installed.

Although there is the option to establish content for specific packages on a ‘legacy style’ DP share (this is in fact necessary if you want to use OS deployment task sequences that obtain content directly from the DP), the HTTP/S server must always be present. If you currently use network-attached storage (NAS) devices to host ConfigMgr 2007 DP shares, you are going to need a new strategy for ConfigMgr 2012.

The DP role now incorporates the Preboot Execution Environment (PXE) service as an optional feature if the DP is hosted on a server operating system. Windows Deployment Services (WDS) is still required for PXE booting in ConfigMgr 2012. Talk to 1E about Nomad, which not only eliminates the need for any kind of DP in your remote locations but also enables PXE to be served from a workstation. Nomad 2012 integrates seamlessly with the ConfigMgr 2012 operating system deployment (OSD) process, using content stored on local peer workstations to complete a full OS Deployment without impacting the WAN.

Configuration Manager 2012 SP1 and R2 also introduced and enhanced a new “pull distribution point” role, or pull DPs. The benefit of pull DPs is that they offload the site-to-DP content distribution workload from the site server to the DPs. They do not provide any benefit in getting the content to the clients and they may in fact complicate that process by adding more “moving parts”.

Also new are “cloud DPs”, meaning distribution points hosted on Microsoft Azure. These can be useful for clients on the internet but you should pay close attention to their costs. If used, they are most appropriate for small critical deployments to a limited number of clients.

Users in Control

ConfigMgr 2012 has been built with the user in mind. The Software Center, installed on all clients, provides an interface for the user to manage the installation of software that has been made available to them and to view software that has been installed by ConfigMgr. The Software Center can also give the user control over the ConfigMgr actions that are likely to impact them most. For example, a user can define their working day and software deployments and updates can be configured to respect these and deploy outside of these hours.

1E Shopping provides a much richer experience with configurable approval workflow, support for system as well as user based deployments, and optional restriction of deployment if insufficient licenses exist.

It integrates with other service desk systems and enables users to rent applications for a fixed period after which they are automatically put back into the pool for other users to employ, further reducing the costs associated with purchasing unnecessary software licences.

Note that Shopping allows for quarantine periods required by some specific software vendors when reallocating licensed software.

SP1’s extension of ConfigMgr to the device and Macintosh environments allows organizations to empower their users to use the solutions they want while ensuring IT control for security and similar requirements is maintained.

Client Health and Efficiency

There are a number of features in ConfigMgr 2012 to ensure clients remain healthy, operational and efficient. The reality is that once your hierarchy has been deployed for a year or more, somewhere between 5% and 15% of your clients will experience issues and may stop communicating with ConfigMgr if you don’t intervene.

ConfigMgr 2012 directly addresses this problem with ConfigMgr Client Health evaluator. This program (which runs as a scheduled task separate from the ConfigMgr client’s service) detects and remediates the most common causes of client failure, reporting its activities to ConfigMgr.

ConfigMgr 2012 clients can also automatically upgrade themselves to the latest version if their version is below the specified version. You enable this from site settings and you can configure the maximum number of days before the client must upgrade. In addition to this you have control over whether or not the clients’ installation files are downloaded if the distribution point is on a slow link, and they can even have a fall-back source location. (Note: Microsoft recommends using this as a catch-all after the bulk of any upgrade has finished.)

To protect clients from malware, ConfigMgr 2012 has Endpoint Protection fully integrated, so no more running two separate infrastructures. The Endpoint Protection client is installed using ConfigMgr 2012 client settings, so there is no need to create any packages or programs.

Endpoint Protection reports and dashboard are integrated into the ConfigMgr console, further simplifying operational tasks. There is even an out-of-the-box security role for the Endpoint Protection Administrator, defining all the necessary rights to enable the role to be delegated. And with SP1 you can initiate Endpoint Protection activities when you need them using the new Client Operations feature.

Keeping up to date with software updates is an important step for ensuring the health and functionality of a client. A significant improvement to management of software updates in ConfigMgr 2012 comes with the Automatic Deployment Rules feature. Administrators can ensure updates are automatically downloaded, approved and deployed based on specific criteria, instead of manually carrying out tasks. For example, this could be used to automatically deploy all critical updates for Windows 7, or to automatically deploy recent signature definitions for System Center 2012 Endpoint Protection.

If you do not want to deploy automatically, the rules can be configured to retrieve compliance information from client computers for the software updates without deploying them.

ConfigMgr 2012 R2 further enhanced software updating by allowing you to specify maintenance windows that are for software updates only. Software distribution and task sequences can be done at other times using other maintenance windows.

Power Management, introduced in ConfigMgr 2007 R3, is enabled by default in ConfigMgr 2012 and includes some minor enhancements. It continues to enforce the same peak and non-peak power plan settings for turning off the display, inducing sleep or hibernate modes, controlling battery notifications and button actions and scheduling desktop computers (deliberately not laptops) to wake from sleep. You can now copy settings from another Collection so you only have to tweak the differences. Also, users can now exclude their PC from power management, which you can report on and over-ride. NightWatchman Enterprise from 1E fills in the gaps, enabling scheduled shutdown and wake-up for all systems, over-riding processes that prevent computers from going to sleep and enabling potential application issues when resuming to be addressed, as well as providing other key features.

Client Configuration

In previous versions of ConfigMgr, client settings were configured by site. In ConfigMgr 2012, the default client settings (a bit like a ‘profile’ of settings) are applied to all clients in the hierarchy. As well as editing the Default Client Settings, it is also possible to create your own settings ‘profiles’ that can be applied to specific Collections. For example, you may have Installation Permissions configured globally to allow Administrators and Primary Users to initiate software installations, but a custom client setting can be configured to allow no users to initiate software installation for a group of sensitive computers.

The definition of WMI classes that get reported through Hardware Inventory is now managed through the Client Settings interface in the console. No more editing SMS_DEF.MOF or CONFIGURATION.MOF (Microsoft Operations Framework). What is really cool with this interface is that new classes can be added by connecting to WMI on any computer and browsing to the class you want to report on. In addition, custom hardware classes may be exported to a MOF file and imported in the same interface. This allows custom inventory settings to easily be transferred from a lab environment to your production environment.

Administrators in Control

Central to simplifying ConfigMgr

hierarchies is removing the need to have

primary sites to manage subsets of

clients. With ConfigMgr 2007 you might

have created a separate SCCM site to

manage datacenter clients, another for

your clients in Europe, and another for

the executives’ computers.

The same logic could have applied to

managing their ConfigMgr objects, such

as packages, task sequences, and

software update deployments. SCCM

2012 gives you new options to put such

controls in place without having to add

primary sites.

The first set of such controls are what

we’ll call “assignment collections”,

meaning collections used to define the

clients and users that the administrators

can manage, and then assigned to them.

When setting up administrators in the

ConfigMgr console you should specify

one or more collections that the

administrators can use.

Page 13: HOW TO GET THE MOST FROM YOUR MICROSOFT  · PDF   white paper how to get the most from your microsoft configmgr 2012 migration sccm 2012

1E.COM 13

ARE YOU GETTING THE MOST FROM YOUR CONFIGMGR 2012 MIGRATION?

When those administrators are creating

deployments or otherwise managing

clients they can then use those

collections to target the right clients or

users, or use collections that are directly

or indirectly limited to those assigned

collections. Clients or users that are

outside those assigned collections are

not available to them.

The second set of such controls are

“security scopes”. Scopes control which

ConfigMgr objects the administrators can

see in the ConfigMgr objects (except for

collections and the clients and users in

those collections, which are limited as

above). So scopes control which

administrators can see applications,

packages, deployments, task sequences,

sites, distribution points, software

metering rules, configuration items, and a

wide variety of similar objects.

When creating such objects they can

assign them only to scopes that they are

limited to, and thus other administrators

cannot see the objects they have created

unless the other administrators are also

assigned to the same scope.

The third and final set of controls is “security roles”, meaning the ConfigMgr permissions that the administrators have. There are a number of predefined sets of permissions (roles) and you can easily create more.

Between these three sets of controls you can ensure that administrators can do only what you intend, using only the objects you want, to the appropriate set of clients or users. You can be confident that they won’t do more than intended, no matter what site they have access to.

However, you should also consider whether you need a mechanism to coordinate object creation. For example, administrators from multiple scopes may require an Office 2013 application, but the second administrator to have such a need might not be able to see that another administrator has already created one because they are in different scopes.

With appropriate coordination the second administrator could ask a senior administrator to add his scope to the already existing application, allowing him to see and use it as well.
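How the three controls combine, and how the duplicate-object gap arises, modeled as an added Python example. It is not 1E or Microsoft code and calls no ConfigMgr API; the administrators, roles, scopes, collections and permission names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed hierarchy: collection -> its limiting collection (None = root).
LIMITING = {
    "All Systems": None,
    "Europe Clients": "All Systems",
    "Europe Laptops": "Europe Clients",
    "Datacenter Servers": "All Systems",
}

# Constructed security roles: role name -> permissions it grants.
ROLES = {
    "App Deployer": {"read_app", "create_app", "deploy_app"},
    "Read-only Analyst": {"read_app"},
}

@dataclass(frozen=True)
class Admin:
    name: str
    roles: frozenset        # security roles
    scopes: frozenset       # security scopes
    collections: frozenset  # assignment collections

@dataclass(frozen=True)
class SecuredObject:
    name: str
    scopes: frozenset

def within_assigned(collection, assigned):
    """True if the collection is assigned, or is directly or indirectly
    limited to an assigned collection. Unknown collections fail closed."""
    seen = set()
    while collection in LIMITING and collection not in seen:
        if collection in assigned:
            return True
        seen.add(collection)
        collection = LIMITING[collection]
    return False

def can_see(admin, obj):
    """An object is visible only if it shares a scope with the admin."""
    return bool(admin.scopes & obj.scopes)

def can_deploy(admin, obj, collection):
    """All three controls must agree: role, scope and collection."""
    has_perm = any("deploy_app" in ROLES.get(r, ()) for r in admin.roles)
    return (has_perm and can_see(admin, obj)
            and within_assigned(collection, admin.collections))

def hidden_duplicates(objects):
    """Same-named objects in non-overlapping scopes: duplicated work that
    neither creator could have seen. Returns a list of (a, b) pairs."""
    pairs = []
    for i, a in enumerate(objects):
        for b in objects[i + 1:]:
            if a.name.lower() == b.name.lower() and not (a.scopes & b.scopes):
                pairs.append((a, b))
    return pairs

# Constructed sample data.
EU = Admin("eu-admin", frozenset({"App Deployer"}),
           frozenset({"Europe"}), frozenset({"Europe Clients"}))
DC = Admin("dc-admin", frozenset({"App Deployer"}),
           frozenset({"Datacenter"}), frozenset({"Datacenter Servers"}))
OFFICE_EU = SecuredObject("Office 2013", frozenset({"Europe"}))
OFFICE_DC = SecuredObject("Office 2013", frozenset({"Datacenter"}))
# The coordinated fix: a senior administrator adds the second scope.
OFFICE_SHARED = SecuredObject("Office 2013", frozenset({"Europe", "Datacenter"}))
```

Running `hidden_duplicates` over an export of object names and scopes, taken by an administrator who can see all scopes, is one way to audit for the uncoordinated duplicates described above.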

1E Nomad: Enhancing Your ConfigMgr 2012 Infrastructure

When planning to migrate to ConfigMgr 2012 too many organizations plan to simply replicate their hierarchy design from previous versions. That means duplicating the entire existing architecture whether it is needed or not. We’d like to show you how you can avoid that waste, both in terms of budget and effort.

1E’s SCCM Migration with Nomad is the smartest, most cost effective means of migrating to and running Configuration Manager. This package of 1E software and consulting services is built on 1E’s years of experience deploying and supporting Nomad at hundreds of organizations, and on our experience helping organizations of all sizes deploy various versions of ConfigMgr.

The power of the software combined with the strength of the expertise ensures you get the ultimate migration experience. And if you’ve already done the migration we’ll help you to incorporate the solution into your hierarchy. Either way you are going to reduce costs and have an even more efficient computer management infrastructure.

With 1E and Nomad you can dramatically reduce the cost of your SCCM infrastructure by minimizing your SCCM server footprint and actively maximizing reliability and performance. By engaging 1E you can reduce your ConfigMgr 2012 implementation timeline by two thirds while actually improving your patching and software distribution success.

Nomad is proven and active across millions of seats including at the world’s largest organizations. It is part of 1E’s suite of products helping around the world to reduce IT complexity and achieve dramatic cost efficiencies.

Nomad is a sophisticated software distribution solution that acts as an Alternate Content Provider for SCCM. It is a proven and effective tool in delivering automated systems management and is the perfect companion to SCCM 2012.

Nomad offers the smartest, most reliable and cost effective way to distribute patches, upgrades, software and Operating Systems across the enterprise.

Software Distribution

Nomad enables software to be distributed across the enterprise quickly and efficiently, from patches and upgrades to full Operating System (OS) Images. In most cases clients can find the content they need on other clients that have previously needed it.

When that’s not the case the client can smartly download it from a central distribution point, as described in the “Bandwidth Efficiency” section below. When multiple clients need the content simultaneously that download is done only once by a “master” that is elected for the purpose.

The process of establishing Nomad communications is entirely automated. Nomad clients use UDP broadcasts to intelligently elect the master computer for each download on each subnet, with the ability to re-elect should the master become unavailable. Elections are weighted to ensure that the optimal client is elected as the master. That weighting especially favors clients that already have the needed content, but if none have it yet then the software is downloaded from a ConfigMgr distribution point. As the download commences, the solution’s peer-to-peer model immediately fans out the content to more local clients, enabling fast and efficient distribution across locations and subnets.

Nomad’s automated discovery of network topography enables administrators to treat multiple subnets as a single subnet. Nomad has the option to add a central server role (ActiveEfficiency) that automatically maintains a list of subnets at all locations. If a master on a subnet at a location requires content that is available on a Nomad client on another subnet at that location, the master can find that client via ActiveEfficiency and obtain that content directly from it. This eliminates the need for the master to download its copy over the WAN from a central DP. For large content or at locations with especially constrained WAN network links, this can be quite beneficial.

Operating System deployment (OSD) especially benefits from Nomad’s strengths. Operating System images themselves are often very large, as in gigabytes, but at the same time clients will also need a variety of applications, device drivers, patches, and possibly other files. Furthermore, users do not want to be without their computers for long, so there is limited time to install all that software let alone download it.

Therefore Nomad’s ability to reliably provide the content from the LAN anywhere in your organization is crucial to your OSD success. You will usually want to precache that content so that it is ready for the first client to be upgraded, but Nomad readily accommodates precaching. Nomad also helps with storing user data (USMT data) and PXE booting as discussed in the “Server Reduction” section.

The use of clients for software distribution is how Nomad can deliver those enormous reductions in the server footprint.

Server Reduction

With Nomad, organizations looking to migrate can design an SCCM 2012 infrastructure with the bare minimum of distribution points and secondary sites. Even PXE server roles and state migration points can be eliminated. Often 95% or more of those servers can be eliminated. If you’ve already migrated then you can consider removing the servers, reusing them for other purposes in your organization.

In some cases the servers used for DPs or even secondary sites are also used for other purposes, such as file serving or print sharing. Therefore removing the need for ConfigMgr does not allow removal of the servers themselves. However, the fact that you don’t need to deployment, and then you don’t need to maintain them, is a considerable saving in itself.

Not only does Nomad deliver transformative cost savings in terms of capital investment; dramatically reducing the server footprint also results in ongoing maintenance cost savings as well as significantly reducing the manpower and time needed to deploy SCCM 2012.

Because Nomad uses any or all ConfigMgr clients and the master (sharing) role is dynamically elected any time content is needed, any issues with Nomad or the computers Nomad is running on do not prevent Nomad from functioning. Another computer is elected and the process continues.

Similarly, any changes in the network do not affect Nomad because the primary network activities are local to the subnet – the subnet address and topology do not matter to Nomad and thus can change at any time without adverse effect. If the content is not available on the subnet already then Nomad must be able to contact a distribution point, but that DP will be one of a small number of DPs, likely in a central and very stable data center.

The ConfigMgr PXE functionality is a DP-specific function and therefore every PXE server is also a DP. However, a Windows Server Operating System must be used. Nomad’s PXE option can run on any workstation Operating System such as Windows 7, Windows 8, or even Windows XP.

State migration points are useful when migrating users from one computer to another or in some cases when upgrading Operating Systems. However, they are another role that must be configured and maintained and considerable disk space must be provisioned and maintained. Nomad can serve this purpose in a very similar manner to how it delivers content – automatically and dynamically.

Many organizations have tried but struggled to use large numbers of secondary sites, distribution points, or branch distribution points. This has often led them to come to 1E and Nomad.

Secondary sites and distribution points can work well enough in small numbers (a dozen or two), but as the numbers increase the odds increase even faster that at any given time a DP or site will be broken for a variety of reasons.

Therefore your deployments will not be as successful as they should be, requiring you to track down those issues and spend time resolving them. This work can be very time consuming, and tedious, if you have a sizable number of servers.

DP and site challenges come in various forms but often include:

• Hardware issues, including failures, full disks, or performance limitations

• Operating System issues, including compatibility issues

• Networking issues such as IP address changes and subnet changes

  o Remote SCCM servers are often “protected” to serve local clients only by assigning “boundaries” to those servers. However, the networking team may not always remember to coordinate with the ConfigMgr team, leaving ConfigMgr servers to be assigned the wrong boundaries

• Coordination issues – the people responsible for the server may not coordinate with the ConfigMgr team when swapping hardware, shutting it down for maintenance, moving it, etc.

• End-of-life-replacement – even though this work is predictable, it is still time consuming to arrange

Bandwidth Efficiency

There is a significant flaw in most bandwidth throttling techniques: they involve setting percentage limits for IT traffic across the network. The problem is that these thresholds are static and result in the enterprise either not using all of the available pipeline, or in slowed delivery as different functions compete for bandwidth. With Nomad, content is only downloaded to a location once and from then on it is shared locally from peer to peer.

Nomad’s intelligent bandwidth monitoring and usage management reacts in real-time to the existing traffic. It eliminates the competition between IT and business traffic without the need for scheduling or delaying IT tasks until close of business. As Nomad is downloading it will monitor for latency in the downloading.

If any is detected then that is evidence that there is contention on the network links somewhere between the master and the central DP that it is downloading from. Access to routers is not needed and the topology of the network does not matter – it is sufficient that Nomad sees latency. In that case it will immediately reduce its download rate, allowing the other traffic to take priority on the WAN.

When the latency disappears Nomad will carefully increase its download rate until it is downloading as fast as the WAN will support. In this way the WAN is providing maximum benefit at all times, either to the other business traffic (as the first priority) or to Nomad.

Remote Locations

Nomad is the most reliable way of distributing software across WANs, even to poorly-connected and remote locations, eliminating the need to establish distribution points everywhere.

Nomad establishes a peer-to-peer network for distribution of software, patches, and OS images from SCCM. So whether the challenge is setting up a new location or bringing an isolated site into your network, with Nomad delivery is easy.

Nomad’s intelligent bandwidth monitoring and utilization ensures 100 percent reliable content delivery even where the network quality is poor, such as locations connected via satellite. If you happen to need to update the software on an off-shore oil platform you can stand down the helicopter and rely on Nomad instead.

1E has even done this for Operating System deployments. It took a while for the downloads to complete but the critical business traffic continued uninterrupted over the satellite link. The upgrades then proceeded quickly using the local copies of the content.

Improved Security

Security and compliance are quite rightly significant concerns for the enterprise. Nomad integrates with and builds on the inherent security provided by SCCM 2012, introducing no additional risk to individual PCs or to the network.

It is not just about not adding risk though – Nomad actively reduces it. The efficient distribution of content enables IT to distribute patches and upgrades during the day, rather than having to wait until end-of-day. That keeps your computers’ security up-to-date at all times. That distinction is especially critical for zero-day exploits but also for computers that aren’t online after hours, such as laptops.

How Else Can 1E Help?

Nomad and 1E’s consulting services (including those of our partners) are central to a successful ConfigMgr 2012 migration but 1E is pleased to offer even more options and has solutions to address the following concerns:

• Will you provide all the same software packages from ConfigMgr 2012 as you did with ConfigMgr 2007? If not, then which packages should be migrated?

• Do your users here in 2014 have the same expectations as the users had when you deployed ConfigMgr 2007? We often find that users are much more likely now to seek out software that will make them more productive and do not understand why that cannot be an almost instantaneous experience.

• When you have made the investment in the ConfigMgr 2012 migration is your organization getting new added value that demonstrates to the business that the project was truly a step forward?

• Are the client computers as available for computer management as they were when you implemented SCCM 2007?

AppClarity

Inevitably some software packages that were useful years ago for business needs at that time are not so useful now. But which software is that? Of the software in this case, which is the least used? When migrating packages it seems prudent to start with the packages that are deployed and used most widely, then those that are deployed widely and fairly well used, and finally those that are not deployed widely nor widely used. Packages for software that is not used at all should not be migrated no matter how widely they were previously deployed.

You (or your SCCM administrators) can run reports to identify what software is deployed and how widely, but determining how well used it is can be challenging. Enabling software metering rules often results in overwhelming data if done on a large scale and takes weeks or months to collect. Any other form of software usage data is hard to relate to specific software products. And with or without usage data, the reports will be very long, listing tens of thousands of unique software titles, most of which will be extremely obscure.

1E’s AppClarity addresses these challenges by importing relevant data from ConfigMgr, applying sophisticated normalization algorithms, and presenting the results in user-friendly reports that will give you the information you require. You can dive as deeply as needed into the data but the summarized form will be sufficient for most migration purposes. Having identified the most used software in your organization, you can consider which packages should be migrated to SCCM 2012 as legacy packages or converted to applications.

Your software asset management or licensing team will also benefit from AppClarity in that they can import their licensing data and readily identify license compliance issues. They can even address compliance issues in many cases by using AppClarity to automatically de-install software where it is not being used, bringing it into compliance.

Shopping

Microsoft has anticipated the rise of user expectations for app stores by including an Application Catalog in ConfigMgr 2012. However, the Application Catalog is a minimal solution lacking key features such as:

• Offering both applications and legacy packages (the latter are not offered)

• Active Directory security group changes

• Resource requests, such as for computers or office supplies – only ConfigMgr objects can be offered

• A robust approval workflow

• Easy integration with ticketing systems or other infrastructure

• Rental of applications, legacy packages, or security group changes, ensuring they are removed after the user has used them for project-oriented work

• Extensive customization to brand the web site in the same fashion as your other intranet sites

• License management

1E Shopping offers these and many other features in a very modern web design that your users will find to be a pleasure to use. The experience is consistent with what they have with their consumer devices, reflecting well on your IT organization.

NightWatchman

One of 1E’s most popular products is our industry leading power management solution, NightWatchman. Windows and ConfigMgr have power management features but real-world complexities often prevent them from enforcing power management when they should. Reporting on the savings realized is minimal.

Integrating NightWatchman in your ConfigMgr 2012 infrastructure will allow your organization to maximize power savings and minimize its greenhouse gas impact.

The facilities and sustainability teams in your organization will highly value the added value that ConfigMgr 2012 brings to the organization when partnered with NightWatchman.

© Copyright 2014 1E. All rights reserved. The information contained herein is subject to change without notice. 1E shall not be liable for technical or editorial errors or omissions contained herein.

About 1E

1E is the pioneer and global leader in efficient IT solutions. 1E’s mission is to identify unused IT, help remove it and optimize everything else. 1E efficient IT solutions help reduce servers, network bandwidth constraints, software licenses and energy consumption.

Contact us

UK (HQ): +44 20 8326 3880

US: +1 866 592 4214

India: +91 120 402 4000

WakeUp

Where power management is effective you might find that you cannot manage computers after-hours because they are in a low power state. To minimize this issue you should use a Wake-on-LAN (WOL) solution. ConfigMgr includes WOL options, including a new WOL proxy feature, but technical constraints mean that these options only work in limited circumstances.

Both Nomad and NightWatchman include WakeUp, a full-featured WOL solution that does not have technical constraints. You can use WakeUp to maximize the effectiveness of ConfigMgr 2012’s features. Either automatically or at SCCM administrator discretion you can use the ConfigMgr console to wake computers for patch management,

We trust this white paper has raised ideas that will make your experience with ConfigMgr 2012 even better. If you would like to discuss those ideas further, please contact us at the numbers below.