Tuesday, December 1, 2009

Second Site Saver

System Center Configuration Manager 2007 is a multitalented animal for distributing software, and with the branch distribution point option you may not need a secondary site server in branch offices

Microsoft’s System Center Configuration Manager 2007 (ConfigMgr) introduces many site server roles. In this article, we look at the branch distribution point.

First, we need to define the term “branch office”. Microsoft defines it as a location with fewer than 10 workstations. When managing clients at remote locations connected via wide area network (WAN) links with Microsoft’s Systems Management Server (SMS), you had a choice of four options:
  • Do nothing: Simply let SMS use bandwidth as required. This wasn’t a good choice, as the SMS-related traffic would be sent uncompressed and at random times with no control. This could impact other applications and users’ ability to do their job.
  • Use Background Intelligent Transfer Service (BITS): Better than doing nothing; a Group Policy Object (GPO) was defined to control how much bandwidth BITS used and during what hours.
  • Install a distribution point at the branch office: The benefit of this was that the package content was only sent once across the WAN rather than each time a client requested it. The problem was that an SMS site assumed that all of its site systems were installed on machines with LAN-speed connections to the site server. As a result you had no control over when SMS sent the packages, and the traffic was not compressed in any way.
  • Install a secondary site: Microsoft’s recommendation whenever you had clients to manage over a WAN. Installing a secondary site allowed the SMS-related traffic to be controlled in terms of the amount of bandwidth used and the hours during which it was sent, and any traffic sent between SMS sites was compressed to further reduce bandwidth consumption.
Out of all these options, installing a secondary site was typically the best solution for managing branch office clients. However, many companies questioned why in such small locations they needed to go to the expense of installing and managing a secondary site where there wasn’t space to physically secure it or to house local IT support staff.

With ConfigMgr you still have the same four options as you had with SMS, plus a fifth option in the shape of a branch distribution point (BDP).

The prime purpose of a BDP is to reduce the need to install a secondary site server in branch office locations. To achieve this, a workstation (or server) can be configured to host the BDP role. The BDP downloads any ConfigMgr packages in a controlled manner and then makes them available to any clients in its location, thus eliminating the need for a secondary site.
At a high level, a BDP functions in the same way as a standard DP but with some key differences, as shown in Table 1. Although it directly communicates with the site server, a BDP isn’t like all other site system roles. The BDP relies on a standard DP to provide its content (Figure 1).

For a standard DP, the Distribution Manager component is responsible for creating the DP and managing its content on an ongoing basis. In the case of a BDP, all Distribution Manager does is to initiate the creation of a policy that tells the BDP it has content to copy. At the next Policy refresh cycle, the BDP connects to a BITS-enabled standard DP in the same ConfigMgr site and initiates a pull via BITS of the relevant package(s).

Figure 1: Branch distribution point overview

It’s important to note that the package files are not compressed before the BDP pulls them from the standard DP (unlike when traffic is sent between ConfigMgr sites); the files are simply pulled using BITS. Even though BITS is used, you have control over when and how much bandwidth is used because a GPO for BITS exists.

Under Computer Configuration | Administrative Templates | Network | Background Intelligent Transfer Service select “Maximum network bandwidth that BITS uses” (for BITS 2.0) or “Maximum network bandwidth for BITS background transfers” (for BITS 3.0). Set the transfer rate value (in kilobits per second) you want BITS to use (10 by default), and the times during which you want this limit to apply (set at 08:00 – 17:00 by default). Limits that apply outside of these hours can also be set (the default being to “Use all available unused bandwidth”).
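As an added illustration (written for this page, not code from the original article), the following Python sketch estimates how long a BDP’s BITS pull takes under the GPO just described: a kilobit-per-second cap inside the restricted window (10 kbps between 08:00 and 17:00 by default) and a different rate outside it. The unrestricted rate of 2048 kbps, the package sizes and the hour-by-hour stepping are constructed assumptions, not values from the article.

```python
# Added example: model the BITS "Maximum network bandwidth" GPO described above.
# Inside the restricted window the pull is capped at limited_kbps; outside it we
# assume BITS gets free_kbps, a constructed stand-in for "use all available
# unused bandwidth". Time is stepped one clock hour at a time.

KBIT_PER_MB = 8 * 1024  # 1 MB = 8192 kbit

def bits_transfer_hours(size_mb, start_hour, limited_kbps=10,
                        limit_start=8, limit_end=17, free_kbps=2048):
    """Elapsed hours for a BITS pull of size_mb beginning at start_hour (whole
    hours, 0-23). Defaults mirror the GPO defaults in the text: 10 kbps between
    08:00 and 17:00; free_kbps (2048 kbps) is an assumed WAN rate."""
    remaining_kbit = size_mb * KBIT_PER_MB
    elapsed = 0.0
    clock = start_hour % 24
    while remaining_kbit > 0:
        in_window = limit_start <= clock < limit_end
        rate = limited_kbps if in_window else free_kbps
        capacity = rate * 3600  # kbit that fit into one full clock hour
        if remaining_kbit <= capacity:
            elapsed += remaining_kbit / capacity  # finishes within this hour
            remaining_kbit = 0
        else:
            remaining_kbit -= capacity
            elapsed += 1
            clock = (clock + 1) % 24  # wraps past midnight
    return elapsed

def compare_start_times(size_mb, free_kbps=2048):
    """Hours needed when the same pull starts inside the window (09:00) versus
    just after it closes (17:00)."""
    return {
        "start_09:00": bits_transfer_hours(size_mb, 9, free_kbps=free_kbps),
        "start_17:00": bits_transfer_hours(size_mb, 17, free_kbps=free_kbps),
    }

if __name__ == "__main__":
    for label, hours in compare_start_times(50).items():
        print(f"50 MB package, {label}: {hours:.2f} h")
```

With the defaults, a 50 MB package requested at 09:00 spends the whole restricted window crawling at 10 kbps and only finishes after 17:00, whereas the same request made at 17:00 completes in a few minutes.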
Table 2 highlights the bandwidth control options available for various package-sending scenarios.

Table 1: Standard DP vs BDP (table not reproduced)

Table 2: Bandwidth control (table not reproduced)

It’s important to understand the process clients go through to determine which BDP/DP to use to pull their content from (the process is the same whether it’s a BDP or DP), as this can have serious implications for your design. Once a client receives a policy to inform it to download content, the client sends a content location request to a management point (MP). The MP then runs through various checks before returning a list of available BDPs/DPs to the client.

On receipt of the list, the client first looks at those flagged as “local” (based on the client’s location), giving preference to BDPs/DPs on the same subnet first, then those in the same AD site, and finally any others. If no local BDPs/DPs are available, the client will run through the same process for any remote BDPs/DPs. In all cases, the client will prefer to connect to a BITS-enabled BDP/DP.

Once the client determines which BDP(s)/DP(s) are the best to retrieve the content from, it chooses one at random, which gives a degree of load balancing. The client then attempts a connection. If the connection is successful but the client experiences any transient errors at any time, it will keep retrying the connection for up to eight hours, after which it will move on to the next BDP/DP on the list.

If the connection is unsuccessful, the client tries the next BDP/DP on the list. If there is only one BDP/DP on the list, the client will retry for up to eight hours before it fails.
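As an added example (written for this page, not taken from the article or from Microsoft’s client code), the following Python model walks through the selection process described above: the MP’s list is split into local and remote candidates, each ranked same subnet, then same AD site, then the rest, with BITS-enabled entries preferred within each tier (applying the BITS preference inside each locality tier is an assumption about the exact ordering); the client picks at random within a tier, moves on immediately when a connection fails, and retries transient errors for up to eight hours before moving on. The DP names, subnets and the one-retry-per-simulated-hour cadence are constructed.

```python
import random
from dataclasses import dataclass

@dataclass
class DistributionPoint:
    name: str
    local: bool        # flagged "local" by the MP for this client's boundary
    subnet: str
    ad_site: str
    bits_enabled: bool

def rank_candidates(dps, client_subnet, client_ad_site):
    """Tiers, best first: local before remote; within each, same subnet, then
    same AD site, then the rest; BITS-enabled ahead of SMB-only (placing the
    BITS preference inside each locality tier is an assumption)."""
    def tier(dp):
        return 0 if dp.subnet == client_subnet else 1 if dp.ad_site == client_ad_site else 2
    groups = {}
    for dp in dps:
        key = (0 if dp.local else 1, tier(dp), 0 if dp.bits_enabled else 1)
        groups.setdefault(key, []).append(dp)
    return [groups[key] for key in sorted(groups)]

def try_order(dps, client_subnet, client_ad_site, seed=None):
    """Flatten the tiers into the order the client tries them; shuffling within
    a tier is the random pick that spreads load (seed is for reproducibility)."""
    rng = random.Random(seed)
    order = []
    for group in rank_candidates(dps, client_subnet, client_ad_site):
        group = list(group)
        rng.shuffle(group)
        order.extend(group)
    return order

def download(dps, client_subnet, client_ad_site, connect, seed=None, retry_limit_hours=8):
    """connect(dp) returns "ok", "refused" or "transient". A refused connection
    moves straight to the next DP; transient errors are retried (one retry per
    simulated hour here) for up to retry_limit_hours before moving on.
    Returns (name of the DP that served the content or None, hours spent)."""
    total_hours = 0
    for dp in try_order(dps, client_subnet, client_ad_site, seed):
        hours_here = 0
        while hours_here < retry_limit_hours:
            result = connect(dp)
            if result == "ok":
                return dp.name, total_hours
            if result == "refused":
                break
            hours_here += 1
            total_hours += 1
    return None, total_hours  # every candidate exhausted: the download fails

# Constructed sample list, as a management point might return it to a client
# on subnet 10.1.0.0 in AD site "Branch".
SAMPLE_DPS = [
    DistributionPoint("DP-HQ", local=False, subnet="10.9.0.0", ad_site="HQ", bits_enabled=True),
    DistributionPoint("BDP-A", local=True, subnet="10.1.0.0", ad_site="Branch", bits_enabled=True),
    DistributionPoint("BDP-B", local=True, subnet="10.1.0.0", ad_site="Branch", bits_enabled=True),
    DistributionPoint("DP-SITE", local=True, subnet="10.2.0.0", ad_site="Branch", bits_enabled=True),
]
```

The model shows the design implication the article warns about: with a single local BDP that keeps returning transient errors, a client sits on it for the full eight simulated hours before it ever considers the remote DP.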
Any client that is running SMS 2003 SP2 or later that is assigned to a ConfigMgr site can access any BDPs contained within that site. In the same way, any SMS 2003 SP2 or later client that roams to a ConfigMgr site can access any BDPs contained within that site.

Once you’ve configured at least one BITS-enabled standard DP in the same ConfigMgr site as that where you want to create the BDP, the machine you wish to become a BDP has to be:
  • A ConfigMgr client: The BDP software is integrated into the ConfigMgr client as standard.
  • A member of a domain: Although the machine needs to be a member of a domain, it is possible for machines that are not domain members to retrieve content from the BDP.
  • Running Windows XP SP2 or a later operating system.
The BDP doesn’t necessarily have to run a workstation OS, and in some cases you may decide you don’t want the limit these operating systems have of only allowing 10 simultaneous incoming connections. Nominating a machine running a server-class OS such as Windows Server (Standard, Advanced or Enterprise) with SP1 or a later OS is fully supported.
To install a BDP, first load the ConfigMgr Administrator console. Navigate to System Center Configuration Manager | Site Database | Site Management | | Site Settings. Right-click Site Systems and select New | Server from the context menu. (Remember that a BDP cannot be installed on a server share in the way a standard DP can.)

Next run through the New Site System Server Wizard to create the BDP. On the System Role Selection page, you need to select the Distribution Point checkbox; there is no checkbox for a BDP. Select the “Enable as a branch distribution point” radio button on the Distribution Point page (Figure 2). On this page you can also set the drive to host the BDP content and to reserve a specific amount of disk space for non-BDP content on the target machine.

Figure 2: Configuring a branch distribution point

If the “Enable as a branch distribution point” radio button is not available (i.e. greyed out), make sure there is a matching client record for the target machine in the ConfigMgr site database.
Once you’ve installed the BDP, you’ll probably want to determine which clients on which boundaries can use it (see the “How do I Protect a DP?” article on FAQShop for details of how to do this).

Microsoft does not recommend creating a BDP (or a DP, for that matter) on any Internet-based client, as doing so increases your attack surface.

Once the BDP is installed and running, the next task is to manage the packages you send to it. (Once installed, a BDP appears under System Status where you can monitor its status.)
The content that can be provisioned onto (in other words, loaded onto) a BDP is the same as for a regular DP: software distribution packages, patches, Operating System Deployment images and task sequences, and the like.

There are three key ways of actually provisioning the content onto a BDP:

  • Administrator provisioned
  • “On-demand” package distribution
  • Manual content provisioning
Administrator provisioned
This is the typical way content is distributed whereby the ConfigMgr administrator selects the BDP on which the content is to be copied in exactly the same way as for a standard DP:
  • From within the ConfigMgr console go to System Center Configuration Manager | Site Database | Computer Management | Software Distribution | Packages.
  • Right-click on the package you want to distribute to the BDP and select “Manage Distribution Points” to run the Manage Distribution Points wizard.
  • Choose the target BDP.
Once a BDP is added to a package, a policy is sent to the BDP telling it to download the content. During the next policy update cycle (60 minutes by default), the BDP retrieves the policy and automatically starts downloading the package from a BITS-enabled standard DP in the same ConfigMgr site.

If you have lots of packages you need to send to the BDP, rather than having to go to each package to manually add the BDP, from within the ConfigMgr console go to System Center Configuration Manager | Site Database | Computer Management | Software Distribution. Right-click Packages. Select Copy Packages which will start the Copy Packages Wizard. The wizard allows you to choose which DP/BDP to copy to and the package(s) you want to copy.

Note that by default the Copy Packages functionality only copies the node type that you right-clicked, so if you right-clicked on an item under the Software Distribution node, you can only copy software distribution packages. If you want to copy other package types, such as Software Updates or Operating System Deployment, you need to right-click on the relevant folder in the ConfigMgr console and run the wizard from there.

“On-demand” package distribution
This is a new ConfigMgr content provisioning method that applies to BDPs only. Rather than having to send all of your packages to all of your DPs just in case a client needs it, you can now decide not to distribute packages to your BDPs; in other words, you don’t add the BDP to the list of DPs in the relevant package(s).

The first time a client connects to a BDP and requests a package that has not been distributed to that BDP, the BDP contacts a standard DP in the same ConfigMgr site and automatically starts downloading the package (the process is almost the same as when you add a BDP to the list of DPs for a package). “On-demand” package distribution is controlled through the properties of the package, set either when the package is created or afterwards.

With package creation, at the time you create a package using the New Package wizard, you select the “Make this package available on protected distribution points when requested by clients within the protected boundaries” checkbox on the Distribution Settings page (rather than the default option, “Branch distribution points automatically download this package when they receive the advertisement”).

You use post-package creation if you add a new BDP but decide you don’t want to automatically host the content there. In this case you need to go to the Properties of the package and click the Distribution Settings tab. From there make sure you’ve clicked both the radio button titled “Branch distribution points automatically download this package when they receive the advertisement” and the checkbox titled “Make this package available on protected distribution points when requested by clients within the protected boundaries”.

Manual content provisioning
With this method, rather than copying content across the WAN to get it to the BDP, you might decide to manually copy it there. To do this, first ensure you have configured the target machine as a BDP (otherwise the rest of this process will fail).

Create the SMSPKG<drive>$ directory and share it on the BDP, where <drive> is the letter of the drive hosting the content. For example, if you want the BDP content to be hosted on the D: drive of the target machine you’d create and share the SMSPKGD$ directory.

Copy the packages from the source DP to the SMSPKG<drive>$ directory on the BDP (for example, copy them to CD, transfer the CD to the BDP’s location and load them into the same directory on the BDP).

On the BDP go to Control Panel | Configuration Manager and click on the Actions tab. Select the “Branch Distribution Maintenance Task” then click the Initiate Action button. This task verifies that the pre-staged package is valid and then updates the list of DPs for the package on the source site server to include the BDP.

The contents of a BDP are not backed up automatically by ConfigMgr (the same applies to standard DPs). To back up a BDP, first disconnect any users from the SMSPKG<drive>$ share, then back up the share and its contents to backup media.
To restore a BDP:

  • Reinstall the ConfigMgr client and reconfigure the machine as a BDP if it has been rebuilt.
  • Create the SMSPKG<drive>$ directory and share it.
  • Restore the packages to the SMSPKG<drive>$ directory.
  • Go to Control Panel | Configuration Manager and click the Actions tab.
  • Select the “Branch Distribution Maintenance Task” then click the Initiate Action button. This task verifies that the restored packages are valid, re-downloading any that aren’t.
As with anything ConfigMgr-related, whether you actually implement BDPs in your environment depends on a number of things that are unique to each environment and need to be considered carefully.

If the current level of service you offer to your branch offices is acceptable, maybe you don’t need to install a BDP. You need to weigh up the cost of procuring, installing and managing a BDP versus the cost of simply upgrading the WAN link. If there are other applications using the WAN link, maybe the owners of those apps would be open to sharing the cost of upgrading the WAN link for mutual benefit versus you installing a BDP.
Although installing a BDP may negate the need to install a secondary site, a BDP does not give you as much bandwidth control as a secondary site does. Sure, you can limit the amount of data and times during which data is copied from the standard DP to the BDP using a GPO, but you lose the benefit of content being compressed before it is sent which you have when data is sent between ConfigMgr sites.

Loss of control
Also bear in mind that if you decide to install one or more BDPs in a location with a couple of hundred machines, you only have control over the software distribution traffic. Again, what you lose by not having a secondary site is compression and the ability to control all ConfigMgr-related traffic, not just software distribution-related (for example, all the data that needs to be sent up the hierarchy from the client to its site server, such as inventory data, status messages, etc). OK, most of this traffic is small in nature, but when it’s multiplied over a couple of hundred machines and then sent totally randomly across a saturated WAN link, it could present problems.

Note also that protected boundaries only control which clients can access DP/BDP content; they play no part in determining which standard DP a BDP will obtain its content from.
BDPs cannot be installed on server shares like regular DPs, although when you create the BDP you do have the option (which I’d strongly recommend you take advantage of), of specifying which drive should be used to host the BDP and its content.

Choose wisely
Remember also that workstation operating systems such as XP can only accept 10 simultaneous incoming connections. If you have more than 10 machines at a BDP location that will need to simultaneously download content, either consider installing more than one BDP or use a server OS on the BDP to overcome this limit.

Ensure you have sufficient disk space to accommodate your packages. Disk space is typically more abundant (and easier to expand) on a server than a workstation.

Don’t install the BDP on a laptop. It may sound obvious, but there is little point installing a BDP on a machine that is likely to go off-site from the branch office and impact software distribution there.

Don’t install BDPs on Internet-based clients. Although you can do this, Microsoft strongly advises against it as it greatly increases your attack surface. Only create BDPs on machines inside your intranet or perimeter network.
If you decide to host the BDP on a user’s workstation make sure they are aware that if they switch off their machine it could affect their colleagues’ ability to receive content. This could be disastrous if you have service level agreements in place for distributing software.

BDP content (like standard DP content) is not encrypted. If the user has local admin rights, they can access the BDP content directly, which is not desirable.

You might want to consider creating more than one BDP at each location to provide failover in the event of a BDP failing.

Distribution
Although “on-demand” package distribution may sound wonderful, the biggest drawback is that the user will need to wait for the package to be downloaded to the BDP before they can install it. This may be fine for small packages/patches, but if the package is something large or urgent, there will be a delay while it is downloaded. (Also bear in mind that if the package request is made during the day, you may not want a large amount of network traffic traversing your WAN links, or because of limits you’ve set for BITS a download during restricted hours could take significantly longer than one during unrestricted hours.)
Remember also:
  • On-demand provisioning is controlled on a per-package basis.
  • For on-demand provisioning to work, the BDP needs to be protected and the target client needs to be within the protected boundaries of the BDP. If either of these isn’t true, it won’t work.
  • If you have multiple BDPs in the same protected boundary, when a client requests a package that has been configured for on-demand provisioning, it will be downloaded to all BDPs in that boundary, not just the BDP the requesting client has contacted. Again this could have a severe impact on your WAN link.
If you decide to host a BDP at a location, I’d recommend investing in a dedicated machine for this purpose that is physically secured as if it were a server to avoid as many of these potential issues as possible.

With the new Branch Distribution Point Site System role in ConfigMgr 2007, you no longer need to either install a secondary site or have to rely on other methods to limit the impact of your clients on your WAN when it comes to software distribution.

It is now possible and supported to configure a workstation machine in a remote location and use this to host content to service local ConfigMgr client needs.
System Center Configuration Manager is an ever-growing beast in terms of both functionality and complexity. However, with an understanding of how BDPs work and the potential issues and gotchas they present, BDPs can be a valuable addition to any ConfigMgr solution.

Configuration Manager and Content Location (Package Source Files) http://technet.microsoft.com/en-us/library/bb632366.aspx

How do I protect a DP? http://www.faqshop.com/configmgr2007/instconfig/idps/how%20protect%20dp.htm

Why is the “Enable as a branch distribution point” checkbox greyed out/unavailable? http://www.faqshop.com/configmgr2007/trobshoot/bdps/enable%20as%20bdp%20unavail.htm

How to configure on-demand package distribution to a BDP http://technet.microsoft.com/en-us/library/bb632933.aspx

How to prestage packages on a branch distribution point http://technet.microsoft.com/en-us/library/bb681046.aspx