This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 85%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Morning people!
My company will soon be transitioning from one SCCM site to a newly built site. We have several offices scattered across the globe and would like to ask a question about the best way to locate site servers in each location. Here's the layout
Site1 (Primary Site, Site DB, MP, DP, SUP)
Site2 (DP)
Site3 (DP)
Site4 (DP)
Site5 (DP)
Site6 (DP + MP)
Site7 (DP)
Site8 (DP)
So here's the problem. Since our main site server with Management Point is in the US and our satellite offices are in Europe, Asia and Australia, I was trying to figure out how to minimise the network traffic for clients. Currently each remote site has only DistributionPoint role installed for local content distribution. However I noticed that if I don't associate our Primary Site server with each boundary group, machines in that boundary can't talk to the SUP and fail to get patches information. Also if I don't associate the server with MP role (Site1 or Site6) the machines will just use MPs are random, generating WAN traffic. And to make matters worse, if I associate Site6 with any other boundary, I get clients say from Europe downloading content from Australia, because the site server that has the MP role is also a Distribution Point.
The end result I want is to have each site only download content from its local DistributionPoint server. Do I need to set up MP and SUP role on each server as well? And only associate that server with boundary group local to the site?
Appreciate feedback!
Jakub
Just as a clarification, my boundaries are all IP ranges. I have IP ranges for each site where clients are connected and all of those IP range boundaries are grouped inside a boundary group that has a site system assigned. So like this:
Boundary Group 1 (Boundary 1)
Boundary 1 (IP range 1, IP range 2)
IP range 1
IP range 2
Now I have Site3 associated with that boundary group 1 which hosts only the DistributionPoint role. I have to associate a site server that hosts MP in order for my clients to use that MP (I have option to prefer MPs in boundaries turned ON). I also have to associate that boundary group with Site1 so clients can find the SUP on it. But I don't want those clients to use the DP and MP installed on Site1 site server...Is it even possible? I know if previous SCCM it was possible to specify the link speed to fast or slow...but not anymore :(
If you can move the dp role to another server at site 1 then i think all your scenarios can get addressed.
Hey,
Thanks, that is what I'll do.
Hi, @Jakub Fuczek
Thank you for posting in Microsoft Q&A forum.
I also have to associate that boundary group with Site1 so clients can find the SUP on it. But I don't want those clients to use the DP and MP installed on Site1 site server...Is it even possible?
Yes, we can assign software update points to the default site boundary group, so if a client in a boundary group without a SUP associated will select the SUP in the default site boundary group and use it.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
This is perfect, I did not take DSB into consideration. Thank you!
This will not work for you because you got MP, SUP and DP running on the same server. Clients will get a list of the available site servers and pick at random, especially DP which I understood you didn't want. Unless I understood your requirement wrong.
So this means even if I only have my DP server added to the boundary group and my SUP,DP,MP server added only to the default site boundary, it will still get a full list of all available servers from both boundary and default site boundary? And choose from? Or will it try to get all necessary stuff from the boundary group (DP and MP) and if can't find SUP, it will go to the default site boundary? And skip using DP and MP from the default site boundary assigned server?
What I did I moved the DP role from Site1 and put it on a different server in the same location. So now I only have MP and SUP on Site1. So can I now use Default Site Boundary and add Site1 to it so all machines in my network can get information about that SUP on Site1?
All boundary groups are part of the default boundary group. You just need to have all the site servers added to the Default Boundary group. However, this is not what you want since you want to segregate the management of the sites with different site roles. You should reference the site roles based on your requirement. If I understand your requirement correctly, you should possibly do something like this -
Site1 (Primary site MP, SUP, NEW Local DP)
Site2 (Primary site MP, SUP, Local DP)
Site3 (Primary site MP, SUP, Local DP)
Site4 (Primary site MP, SUP, Local DP)
Site5 (Primary site MP, SUP, Local DP)
Site6 (Local MP, Primary site SUP, Local DP)
Site7 (Primary site MP, SUP, Local DP)
Site8 (Primary site MP, SUP, Local DP)
A couple of other comments here:
First, by "site" do you really mean location? "Site" means something specific in ConfigMgr so unless you actually mean a ConfigMgr site, you shouldn't use the word site.
Next, MPs should not be placed in remote locations. They are designed to work best and do in fact work best when located in close proximity (network-wise) to the primary site server and primary site DB. If you feel you need to have an MP closer to clients to deliver policy, then you should use a secondary site.
A somewhat similar comment on SUPs. This is not a strictly based on product design but is instead based on overall simplicity as having a SUP at a remote location is only marginally beneficial but adds overhead and complexity.
Finally, I strongly recommend moving the client-facing site roles (DP, MP, SUP) off of the primary site server and on to their own site systems that are co-located in the same location as the primary site server. This provides separation as well as easy scalability and availability by simply duplicating this/these siste system(s) in configuration.
Hey Jason,
First - you are right of course. I had location in mind. I understand site is a ConfigMgr term and what I used it for was not accurate.
The reason behind using MP in a remote location is that I have two Cloud Management Gateways set up in two data centers - in US and EU. Clients in EU connect to the CMG in EU and therefore I require an MP that will handle it. Having a secondary site to support around 300 clients would be an overkill. Primary Site server handles around 1000k and with one site being able to support 100k of clients, I saw no value adding a secondary site in my EU location.
I never wanted, nor will I want, to have more than just one SUP. In our old ConfigMgr site we used only one SUP for the entire organization and clients scattered across the globe and we did not have issues. I was asking for potential SUP in more than just one location to cover all possibilities.
As for moving the roles off of the primary site, I might consider it. I already have a second
server in that location that servers as a DP so it might make sense to go ahead with it. I would only need to hook it up to the existing WSUS DB I used for my primary site server where I set up WSUS initially.
Thanks
Clients in EU connect to the CMG in EU
There is no way to control or configure this. Clients will randomly choose between all available Internet-facing roles including those hosted by a CMG. The use of CCMHOSTNAME during installation only configures an initial CMG to connect to, it does not configure an affinity for that CMG.
Having a secondary site to support around 300 clients would be an overkill.
I completely agree on this assuming the location has a consistent connection that's anything better than dial-up.
SQL across a WAN is not generally recommended -- this has nothing to do with WSUS. I rarely (if ever) recommend using remote SUPs (remote from the site server and never remote from the DB. If you do feel the need for a remote SUP, use a local DB exactly as WSUS was designed for and then manipulate the SUP assigned to the clients at that location or better yet, if you feel you need a remote SUP, then you should just use a secondary site.