TechEd 2013: Configuration Manager 2012 SP1 Lessons Learned

TechEd 2013 Welcome to Microsoft TechEd 2013 live blogging! I started off the conference by attending the all-day Microsoft System Center Configuration Manager 2012 SP1 session. Since this was a pre-con, it ran all day so a TON of content was presented. You can find tweets about this session at #TEPRC05. The speakers were Kent Agerlund and Johan Arwidmark. Both were excellent, and presented a lot of real-world deployment information and lessons learned.

There were a few major take-aways that anyone looking at SCCM 2012 SP1 should understand:

  • SQL server design and architecture is hugely critical. You can’t just do a click-next install of SQL server and expect SCCM to perform within your expectations. You need to have a detailed understanding of SQL server best practices, including TempDB settings. It is also strongly recommended to combine SQL server and your primary site roles onto a single server/VM, unless you are a huge organization (sizing details are below). Yes, let me state that again: don’t use a remote SQL instance that is hosting other databases. Use a dedicated local SQL server instance for SCCM.
  • Once SQL server is installed, it needs regular maintenance to keep it performing well. Backups, re-indexing, and other jobs must be run regularly or performance can tank. Session notes have a lot more details and links to some free tools.
  • If you are using SCCM 2007 or older with multiple primary sites, they should all be collapsed down to a single site. Yes, even for large multi-national companies with 100K clients. Do NOT do multiple primary sites.
  • Use MDT 2012 SP1 to build all of your Windows golden images. The resulting WIM file can then be used by any deployment tool on the market, including SCCM or third-party tools. It will sequence and fully automate the injection of patches, software, and other tweaks. Do not build your OS images in SCCM, or you won’t be able to use them with other deployment solutions.
  • The importance of creating intelligent collections cannot be overstated. Read up on the SCCM 2012 collection options (include/exclude, etc.) and do a lot of research before just jumping in and creating a bazillion to manage your environment. You will pay for the lack of planning down the road.
  • Use a third-party program to scan for and patch non-MS updates, such as Java and Adobe products. SolarWinds or Secunia are the only two you should consider. A majority of vulnerabilities are now in third-party products, not the MS OS. So if you aren’t properly patching third-party software, you are just asking to get hacked.

Session Notes

Configuration Manager 2012 Goals:

  • Empower Users
  • Unify Infrastructure
  • Simplify Administration – Most can consolidate to a single primary site.

System Requirements

  • WS2008 x64 or later (strongly recommend WS2012)
  • At least 16-24 GB RAM for primary site with SQL local. 24-32GB is more typical.
  • 8GB RAM for secondary site
  • Dedicated disk arrays (Disk IO is HUGE. Poor performance is likely due to storage being slow).

Typical disk layout: C: OS, D: Program, E: content library, F: DB files (100GB), G: TempDB (50GB), H: DB Logs (50GB). NTFS allocation size 64KB for SQL volumes.

SQL Guidelines:

  • Recommend a LOCAL SQL install on the SCCM server (STRONG RECOMMENDATION!!!! Microsoft strongly recommends it as well.)
  • Minimum SQL versions: SQL server 2008 SP2 CU9, 2008 R2 SP1 and CU6, 2012 CU3, 2012 SP1
  • SQL 2012 Always On is NOT supported.
  • Don’t use SQL mirroring (may appear to work, but SP upgrades will break)
  • Pre-create the SQL database so you can control the layout. Don’t let SCCM create it, as performance will not be good.
  • Estimate 3-5MB per client for database storage
  • Not a traditional SQL database. Very high SQL load from constant queries from all clients.
  • Site server 1: DB – Site System; Server 2 – DP/SUP/MP
  • Do NOT combine databases from other system center products. Don’t build a giant SQL cluster for all system center products.
  • MUST carefully consider TempDB. 1 file per core, with no more than 8 files.
  • 1 TempDB file per vCPU for VMs
  • Need to manually configure SQL memory usage so OS/SCCM has memory to use. Don’t leave to the default of infinite.
  • Cap SQL log file size in SQL manager to what you think is the max
  • Turn off auto-growth
  • Don’t use full recovery model for Reporting Services database. Use simple for Reporting services.
  • VM snapshots are NOT backups. Use SQL server backup feature. Uses compression for much smaller backups.
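The T-SQL below is an added example (not code from the session, the speakers or Microsoft) that applies the SQL guidelines and the disk layout above in one script. The site database name CM_P01 and its logical file names, the ReportServer database name, the 24 GB host size and the folder paths on F:, G: and H: are all assumptions.

```sql
-- Added example, not from the session or Microsoft: T-SQL that applies the
-- session's SQL guidelines. Placeholders: site database CM_P01 (logical files
-- CM_P01 / CM_P01_log), SSRS database ReportServer, a 24 GB host, and the
-- session's volume letters (F: data, G: TempDB, H: logs).

-- 1. Pre-create the site database yourself on the dedicated volumes, with a
--    fixed size and hard cap instead of the default unlimited auto-growth.
CREATE DATABASE CM_P01
ON PRIMARY (NAME = CM_P01,     FILENAME = 'F:\SQLData\CM_P01.mdf',
            SIZE = 100GB, MAXSIZE = 100GB, FILEGROWTH = 0)
LOG ON     (NAME = CM_P01_log, FILENAME = 'H:\SQLLogs\CM_P01_log.ldf',
            SIZE = 50GB,  MAXSIZE = 50GB,  FILEGROWTH = 0);

-- 2. TempDB: one data file per core (vCPU on a VM), never more than 8,
--    all the same size. Compare what is wanted with what is present.
DECLARE @cores INT = (SELECT cpu_count FROM sys.dm_os_sys_info);
DECLARE @want  INT = CASE WHEN @cores > 8 THEN 8 ELSE @cores END;
DECLARE @have  INT = (SELECT COUNT(*) FROM sys.master_files
                      WHERE database_id = DB_ID('tempdb') AND type_desc = 'ROWS');
SELECT cores = @cores, tempdb_files_wanted = @want, tempdb_files_present = @have;

-- Resize the default file (logical name tempdev) and add the missing ones on G:.
ALTER DATABASE tempdb MODIFY FILE (NAME = tempdev, SIZE = 4GB, FILEGROWTH = 0);
DECLARE @i INT = @have + 1, @sql NVARCHAR(400);
WHILE @i <= @want
BEGIN
    SET @sql = N'ALTER DATABASE tempdb ADD FILE (NAME = tempdev' + CAST(@i AS NVARCHAR(2))
             + N', FILENAME = ''G:\TempDB\tempdev' + CAST(@i AS NVARCHAR(2))
             + N'.ndf'', SIZE = 4GB, FILEGROWTH = 0);';
    EXEC sp_executesql @sql;
    SET @i += 1;
END;

-- 3. Cap SQL memory so the OS and site server keep some: 16 GB of a 24 GB box.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', 16384; RECONFIGURE;

-- 4. The Reporting Services database stays on the simple recovery model.
ALTER DATABASE ReportServer SET RECOVERY SIMPLE;

-- 5. Verify: memory cap, growth/max_size per file (growth 0 = auto-growth off;
--    max_size -1 or 268435456 = unlimited), and recovery models.
SELECT name, value_in_use FROM sys.configurations WHERE name = 'max server memory (MB)';
SELECT DB_NAME(database_id) AS db, name, type_desc, size * 8 / 1024 AS size_mb, growth, max_size
FROM   sys.master_files WHERE database_id IN (DB_ID('CM_P01'), DB_ID('tempdb'));
SELECT name, recovery_model_desc FROM sys.databases WHERE name IN ('CM_P01', 'ReportServer');
```

Run the verification section first on an existing server to see which of the four settings still sit at their defaults before applying any change.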

Site Sizing:

  • Less than 2000 clients, just install everything on a single VM (including SQL)
  • Less than 20000 clients, Server #1: SQLDB, primary site, SMS provider, endpoint protection, #2: MP, Software Update, DP, app catalog
  • 100K clients: #1: SQL DB, primary site, SMS, endpoint; #2-4: MP, software update, DP, app catalog

Hydration Kit for ConfigMgr 2012 SP1 is here: Automates provisioning AD, SCCM deployment via scripts. If using Hyper-V don’t use dynamic memory for the VM during deployment. You can configure it to use dynamic memory after. Can create a huge bootable ISO and it automates the installation following best practices. Great for creating labs, then deploying in production exactly like the lab. Works on Hyper-V, VMware and physical servers.

Other good tools located at: DeploymentResearch and Deploymentbunny.com.

IMPORTANT: Site maintenance tasks: Rebuild Indexes (always enable it; runs every 7 days). Use a third-party solution, as the built-in job is NOT reliable. Use the DB maintenance script from Ola.hallengren.com. Just enter the site code, and use it on the WSUS database as well. This is a MUST HAVE. USE THE SCRIPT. Microsoft internally uses this script, so you should too.

Strongly recommend only a single primary site. For secondary sites, consider them when you have 500 to 1000 or more clients.

Migrating from ConfigMgr 2007 SP1

  • Don’t need to configure boundary sites since you should only have one primary site
  • Co-existence is perfectly acceptable. Don’t do a big bang migration.
  • SCCM 2012 can pull config data from 2007 SP1, so they are synced.
  • DP migration can take many hours or even a week, if you have a huge amount of content
  • Migrating collections: Consider security, folders, users & devices. Limit collections. Create a base collection, then use include/exclude to customize the rules.
  • Decide on role based access controls
  • Configure collection refresh cycle after migration
  • Limit use of folders – They are evil as you cannot assign permissions. Good folder name is “Software Updates”.
  • Set up role based administration in 2012 prior to migration

Software Distribution

  • Software and OS packages are so big these days, you should use DPs at branch offices
  • Use WS2012 for DP points. DPs are usually long lived, so start with the new OS. Create PowerShell automation features.
  • You can inject software updates/patches into Win7/Win8 images
  • You can now pre-provision BitLocker with SCCM 2012 SP1, so it starts encryption prior to OS deployment.
  • Make sure server firmware is up to date, since WinPE 4.0 won’t boot on servers with older firmware
  • PXE performance is screaming on WS2012. Can boot a WS2012 WDS image in 4 seconds via PXE.
  • Strongly urge users to add MDT 2012 SP1 to SCCM OS deployment
  • Use Lite Touch mode to create master images
  • Use Zero Touch for added features – 280 new features from the MDT 2012 SP1 add-on (free)
  • Dynamic deployments are a HUGE value-add. Can customize OS deployments based on various parameters.
  • New hardware uses UEFI so you need to boot into WinPE 4.0
  • Boot off memory sticks using FAT32, not NTFS, for UEFI support
  • OSD deployment supports new App model
  • You can set the primary user of a machine prior to deployment, so it’s customized for that user
  • User device affinity in CM2012
  • New to CM2012 SP1: WS2012 and Win8 OS deployment
  • Use MDT 2012 Update 1 Lite Touch to create a reference image. It creates images that work with anything. Don’t create your image in SCCM. The image will be compatible with any other deployment solution you have when using MDT 2012. It’s also 2x faster at creating an image. You can copy the admin default profile, it is easy to delegate, and you can suspend deployment if needed.
  • Take a look at the MDT Database admin tool here.
  • MDT needs a separate WSUS instance (not the one you use for ConfigMgr) for update approval
  • “Request State Store” task must be added if you want to perform a machine backup
  • You can use WMI queries to insert specific drivers instead of relying on PnP
  • Never share an application between OSD and CM deployment. Create an OSD security role, and limit the permissions to the OSD packages to the OSD team.
  • Look at iconarchive.com for application icons

Software Update Management

  • Vulnerability intelligence + vulnerability scanning + patch creation + patch deployment
  • Define the update process: pilots, servers with auto restart, servers with manual restart, logically grouped servers, workstations in prod, excluded devices.
  • Can use MS SC Orchestrator to orchestrate SCCM patching
  • Define your SLAs, collection design is #1 (HUGE!!), maintenance windows
  • Create a custom report (computer uptime in days). Can color code uptimes to see most recent reboots.
  • Cortech Update Manager freebie tool
  • Don’t organize software updates by OS. Control everything through maintenance windows.
  • Run a regular query for expired updates and remove them from ALL deployments.
  • Remember to still do the WSUS DB cleanup and re-index on a regular basis
  • SolarWinds Patch Manager and Secunia are the only two you should consider using. Excellent third-party support.
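Two of the items above (the computer-uptime-in-days report and the regular query for expired updates still present in deployments) written out as an added T-SQL example against the site database. This is not the speakers' code; it uses the standard ConfigMgr reporting views v_R_System, v_GS_OPERATING_SYSTEM, v_UpdateInfo, v_CIAssignment and v_CIAssignmentToCI, and the three colour bands (7 and 30 days) are assumed thresholds.

```sql
-- Added example (not from the session): two reporting queries for the
-- update process, run against the ConfigMgr site database.

-- Report 1: uptime in days per computer, bucketed so the report can be
-- colour-coded (the 7/30-day thresholds are constructed for this example).
-- Long uptimes usually mean a pending reboot that is holding back patches.
SELECT  s.Name0                                         AS ComputerName,
        os.Caption0                                     AS OperatingSystem,
        os.LastBootUpTime0                              AS LastBoot,
        DATEDIFF(DAY, os.LastBootUpTime0, GETDATE())    AS UptimeDays,
        CASE WHEN DATEDIFF(DAY, os.LastBootUpTime0, GETDATE()) <= 7  THEN 'green'
             WHEN DATEDIFF(DAY, os.LastBootUpTime0, GETDATE()) <= 30 THEN 'amber'
             ELSE 'red' END                             AS Band
FROM    v_R_System s
JOIN    v_GS_OPERATING_SYSTEM os ON os.ResourceID = s.ResourceID
WHERE   os.LastBootUpTime0 IS NOT NULL
ORDER BY UptimeDays DESC;

-- Report 2: updates Microsoft has expired that are still part of a
-- deployment. Each row names the deployment (assignment) and the collection
-- it targets, so the update can be removed from that deployment in the console.
SELECT  a.AssignmentName,
        a.CollectionID,
        u.ArticleID,
        u.Title,
        u.DateRevised
FROM    v_UpdateInfo u
JOIN    v_CIAssignmentToCI ac ON ac.CI_ID = u.CI_ID
JOIN    v_CIAssignment a      ON a.AssignmentID = ac.AssignmentID
WHERE   u.IsExpired = 1
ORDER BY a.AssignmentName, u.ArticleID;
```

Both queries are read-only and can be pasted into an SSRS report dataset or scheduled as a weekly check.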

Comments
lorengordon
August 2, 2013 5:51 am

I think this might be the Cortech utility mentioned…
http://blog.coretech.dk/jgs/coretech-sccm-manager

comeon
January 29, 2014 9:56 am

Just to clarify, installing SQL on the same instance as the server is not recommended by MS. As a security best practice, yes they recommend it since most admins do not have the ability to properly secure their infrastructure, especially when you start introducing remote SQL. If you're supporting a large network of users 50k – 100k, you'll be crying about your db performance. Source? Common sense will tell you this, but for the naysayers, here's the MS tech doc IPD – System Center Configuration Manager 2007 R3 and Forefront Endpoint Protection version 2.0 – http://www.microsoft.com/en-ca/download/details.a… refer to: Task 9:…