Discover how to ease Configuration Manager operations with Azure hosting and simplification strategies. Learn about moving to the cloud, site high availability, peer-to-peer options, and more. Gain insights into leveraging Azure services for a streamlined approach.
Deep dive into Configuration Manager infrastructure simplification with the cloud
Rob York @robdotyork, Kerim Hanif @kerimhanif
Configuration Manager BRK3007
Product Themes
• Cloud Value
• Get Current, Stay Current
• Simplification
• Customer Voice
Agenda
• Running Configuration Manager in Azure – a recap
• Options for moving to Azure
• Site HA to move your on-prem ConfigMgr into Azure hosting
• CMG and CDP to simplify Internet management
• Peer-to-peer – reducing DP count
Azure hosting of ConfigMgr is just another datacentre in your environment
Azure by numbers
• Over 4,000 Cloud DPs and CMGs
• 20,000 site systems in Azure IaaS
Three main routes to Azure-hosted Configuration Manager: New, Lift and shift, Hybrid
Options for moving existing infrastructure to Azure: Site Restore, x2V, Site Server HA, Reference Restore
ConfigMgr Site Server High Availability
• Why?
  • Many customers consider ConfigMgr a mission-critical service
  • Enables simplification for customers that chose a hierarchy for fault tolerance
  • Easy move to Azure, or to new hardware/OS
• How?
  • SQL Always On Availability Groups (recommended)
  • Shared content library
  • No dependency on Windows or hardware-based clustering
• Future goals
  • Hierarchy support
  • Active/active site servers
Architecture (diagram): two site servers, Primary1 in active mode and Primary2 in passive mode, both using a SQL Always On Availability Group (SQL AOAG) and a shared content library; roles shown on the site servers include SCP, MP and SMP.
Demo Site Server High Availability – Part 1
Scenario 1 – Road Warriors (diagram): corporate network with Site, MP, DP, SUP, AD and CA behind a firewall and DMZ; Azure alongside; clients on the Internet reach Windows Update directly.
Internet-based Client Management (diagram): Internet-facing MP, DP and SUP placed in the DMZ with their own AD and CA, mirroring the internal Site, MP, DP, SUP, AD and CA; Internet clients also reach Windows Update.
Manage traditional clients that roam on the Internet
• Easily configured through the ConfigMgr console
• Without exposing internal resources to the Internet
• Supports key ConfigMgr client features
• Without additional infrastructure
Cloud Management Gateway (diagram): CMG and CDP hosted in Azure; on-premises Site, MP, DP, SUP, AD and CA stay behind the firewall; the CMGConnectionPoint connects outbound over port 443 to the CMG; logical data flow runs from Internet clients through the CMG to the site; clients still reach Windows Update.
Scenario 2 – Branch Offices (diagram): HQ datacentre with Site, MP, DP, SUP, AD and CA; branch offices with local DP, MP and SUP roles; a CDP in Azure; branches reach the Internet and Windows Update.
Scaling CMG (diagram): one CMG in East US for the NA site and one in East Asia for the APAC site, each on Standard A2 VMs (two shown per CMG) with its own CMGConnectionPoint in the corporate network; ~6,000 noted for each CMG.
Cloud Management Gateway certificates (diagram): Server Authentication ("Service") certificate on the CMG in Azure, issued and signed by a public provider (recommended) or by company PKI; Trusted Root Certificate corresponding to the PKI-issued client certificate, or n/a if only using AAD authentication; on the client, a Client Authentication Certificate issued by company PKI or an AAD Device Registration Certificate; on-premises MP, SUP, DP, Site, AD, CA and CMGConnectionPoint behind the firewall.
Cloud Management Gateway (diagram): the on-premises Management Point carries a Server Authentication Certificate issued by the AD CA, alongside MP, DP, SUP, Site and CMGConnectionPoint behind the firewall and the CMG in Azure.
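The two certificate slides above list what the CMG (Server Authentication), the client (Client Authentication or AAD device registration) and the on-premises MP each need. The PowerShell below is an added readiness check, not code from the deck or from Microsoft: it walks the local machine store and reports, for each certificate, whether it carries the required Enhanced Key Usage, has a private key, chains to a trusted root with revocation checked, and is not about to expire. The EKU OIDs and the Cert:\LocalMachine\My store path are standard Windows values; the 30-day threshold and the CMG thumbprint are assumptions (the thumbprint is a placeholder).

```powershell
# Added example, not from the Ignite deck. Audits certificates in the local machine store
# the way a CMG (server authentication) or a client (client authentication) would rely on them.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication (the CMG "service" certificate)
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication (PKI-issued client certificate)

function Test-CmgCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$RequiredEku,
        [int]$MinDaysValid = 30            # assumption: warn when fewer than 30 days remain
    )
    $issues = @()

    # Enhanced Key Usage: the certificate must be issued for the role it is used in
    $ekus = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekus -notcontains $RequiredEku) { $issues += "missing EKU $RequiredEku" }

    if (-not $Certificate.HasPrivateKey) { $issues += 'no private key in this store' }
    if ($Certificate.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
        $issues += "expires $($Certificate.NotAfter.ToString('yyyy-MM-dd'))"
    }

    # Build the chain against this machine's trusted roots with online revocation checking.
    # A public-provider CMG certificate chains to a root that is already trusted; for a
    # company PKI certificate the same root must also be uploaded to the CMG.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $issues += @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
    $root = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        Root       = $root
        Ready      = ($issues.Count -eq 0)
        Issues     = $issues
    }
}

# On a client: every certificate that could serve as the CMG client authentication certificate
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CmgCertificate -Certificate $_ -RequiredEku $ClientAuthEku } |
    Where-Object { $_.Issues -notcontains "missing EKU $ClientAuthEku" } |
    Format-List

# On the server side: the CMG service certificate, located by thumbprint (placeholder value)
$cmgCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq 'THUMBPRINT_OF_CMG_SERVICE_CERT' }
if ($cmgCert) { Test-CmgCertificate -Certificate $cmgCert -RequiredEku $ServerAuthEku | Format-List }
```

Run it on a client to see which certificate the ConfigMgr client could present to the CMG, and on the server that holds the exported service certificate before uploading it; any entry in Issues is a reason the CMG connection will fail or stop working soon.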
Enhanced HTTP
• Replaces the need for Management Point Server Authentication certificates
• Allows an HTTP Management Point to secure sensitive traffic with SSL
• All other, normal traffic uses standard HTTP
• No need for additional on-premises infrastructure
• No need for internal PKI and certificate deployment
Best Practices and FAQs
• Use a public certificate provider
• Supports Azure US Government
• Unsupported features
Demo Site Server High Availability – Part 2
Peer-to-Peer Options in SCCM • BranchCache • Client Peer Cache • Delivery Optimization • Products created by our Alternate Content Provider (ACP) partners
Why 3 peer-to-peer technologies?
• Complex network topologies requiring peer-to-peer to extend beyond the subnet
• Support for Windows 7, 8 and Windows Server 2008, 2012, 2016 products
• Air-gapped / offline environment support
I'm not using peer-to-peer yet, which technology should I consider?
• Using a Modern Management tool? Implement Delivery Optimization
• Using SCCM? Or co-management? Look at a combination of Peer Cache and Delivery Optimization (Peer Cache for DP-hosted scenarios, Delivery Optimization for cloud scenarios)
• Already have BranchCache implemented? You can use all 3 technologies in parallel; leverage Peer Cache and DO for scenarios that BranchCache does not support
Highlights and What's Coming Soon
• General
  • Boundary group options tab (new changes in 1810)
  • Ability for pull DPs to use a Cloud DP as a source DP (in 1806)
  • Moving the site server content library to a remote location (in 1806)
• Client Peer Cache
  • Partial content download support (in 1806, for SCCM-generated content)
  • WAN usage reduction as a result of this change
  • Utilize Windows LEDBAT between DP and client (in 1806)
• Delivery Optimization
  • SCCM boundary group integration (in 1802)
  • More DO configuration control in SCCM client agent settings (future)
  • DO supporting SCCM content (future)
New Boundary Group Options Tab Coming soon
WAN Usage Reduction
Two boundary groups (HQ and Branch Office); boundary group fallback is set to 30 min; content (contoso.exe) only exists on the DP at HQ. Roles in the diagram: Management Point (MP), Distribution Point (DP) with Contoso.exe at HQ; Client 1 (C1), Client 2 (C2), Peer Cache Source 1 (PCS1) and Peer Cache Source 2 (PCS2) in the Branch Office boundary group.
• t0: Content is distributed to all the clients in the branch office
• t5: Download Contoso.exe; it is available on the DP at HQ, wait 30 min
• t6: Download Contoso.exe part 1 from the DP. PCS1 starts downloading part 1 immediately.
• t7: Download part 2 from the DP. PCS2 starts downloading part 2 immediately.
• t9: PCS1 finishes downloading part 1 and notifies the MP of successful completion. The MP says: now download part 3 from the DP at HQ.
• t10: PCS2 finishes downloading part 2 and notifies the MP of successful completion. The MP says: download part 1 from PCS1 and part 4 from the DP at HQ.
• t25: This continues until all peer sources have all the parts
• t30: C1 finishes the 30 min wait and talks to the MP before downloading from the DP. The MP says: download Contoso.exe, it is available on PCS1, PCS2 and the DP. Clients always prefer peers.
Default Settings client settings dialog (screenshot), Delivery Optimization section: 1802 adds "Use Configuration Manager Boundary Groups for Delivery Optimization Group ID" (Yes). Planned settings: Download mode, Group ID, Maximum cache size (percentage), Maximum cache size (GB, overrides percentage), Minimum file size to cache (MB), Minimum background speed (KB/sec), Maximum download bandwidth (KB/sec) and others.
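The timeline above shows two rules at work: a part that no branch peer has asked for yet is fetched from the HQ DP, and a part a peer has already finished is fetched from that peer. The PowerShell below is an added example, not code from the deck or from Configuration Manager, that models those two rules for any number of parts, peer cache sources and clients and counts how many part downloads cross the WAN versus stay on the LAN. "Rounds" are abstract scheduling steps, not the minutes on the slide, and the source-selection order is a simplified model of what the slide describes, not the product's actual algorithm.

```powershell
# Added example, not from the Ignite deck: a simplified model of the MP's source selection on
# the WAN usage slide. Rounds are abstract steps, not the slide's minutes.
function Measure-PeerCacheWanUsage {
    param(
        [int]$PartCount = 4,                          # Contoso.exe split into parts
        [string[]]$PeerSources = @('PCS1', 'PCS2'),   # Peer Cache Sources in the branch office
        [string[]]$Clients = @('C1', 'C2'),           # ordinary clients in the same boundary group
        [int]$FallbackMinutes = 30                    # boundary group fallback time to the HQ DP
    )
    $have = @{}            # peer -> parts it has finished downloading
    $holders = @{}         # part -> peers the MP knows to hold it (updated when a round completes)
    $fetchedFromDp = @{}   # parts that have already crossed the WAN once
    foreach ($peer in $PeerSources) { $have[$peer] = @() }
    foreach ($p in 1..$PartCount) { $holders[$p] = @() }
    $wan = 0; $lan = 0; $round = 0
    $log = @("t0: content on the HQ DP only; branch clients wait $FallbackMinutes min before fallback")

    # Phase 1: peer cache sources fill up. Each round every peer asks the MP for one part it lacks.
    while ($PeerSources | Where-Object { $have[$_].Count -lt $PartCount }) {
        $round++
        foreach ($peer in $PeerSources) {
            $missing = @(1..$PartCount | Where-Object { $have[$peer] -notcontains $_ })
            if ($missing.Count -eq 0) { continue }
            # Rule 1: a part nobody in the branch has requested yet comes from the DP,
            # so each part crosses the WAN exactly once
            $part = $missing | Where-Object { -not $fetchedFromDp.ContainsKey($_) } | Select-Object -First 1
            if ($part) {
                $source = 'DP'; $wan++; $fetchedFromDp[$part] = $true
            } else {
                # Rule 2: otherwise take it from a peer that has finished it; clients always prefer peers
                $part = $missing | Where-Object { $holders[$_].Count -gt 0 } | Select-Object -First 1
                if (-not $part) { continue }   # only in-flight parts remain; wait for the next round
                $source = $holders[$part][0]; $lan++
            }
            $have[$peer] += $part
            $log += "round $round : $peer downloads part $part from $source"
        }
        # A finished part is reported to the MP and becomes available to others from the next round
        foreach ($peer in $PeerSources) {
            foreach ($p in $have[$peer]) {
                if ($holders[$p] -notcontains $peer) { $holders[$p] += $peer }
            }
        }
    }

    # Phase 2: after the fallback wait, clients ask the MP, which points them at peers when any exist
    foreach ($client in $Clients) {
        foreach ($p in 1..$PartCount) {
            if ($holders[$p].Count -gt 0) {
                $lan++; $log += "t$FallbackMinutes : $client downloads part $p from $($holders[$p][0])"
            } else {
                $wan++; $log += "t$FallbackMinutes : $client downloads part $p from DP (no peers)"
            }
        }
    }

    [pscustomobject]@{
        WanTransfers        = $wan
        LanTransfers        = $lan
        WanWithoutPeerCache = $PartCount * ($PeerSources.Count + $Clients.Count)
        Rounds              = $round
        Log                 = $log
    }
}

$result = Measure-PeerCacheWanUsage
$result.Log
$result | Select-Object WanTransfers, LanTransfers, WanWithoutPeerCache, Rounds
```

With the slide's four parts, two peer sources and two clients, every part crosses the WAN once (4 WAN transfers against 16 without peer cache) and the remaining 12 part downloads are served inside the branch. Passing an empty list for -PeerSources shows the degenerate case where every client falls back to the DP.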
Windows LEDBAT Integration
• Windows LEDBAT is a TCP congestion module
• Windows LEDBAT transfers data in the background and does not interfere with other TCP connections
• LEDBAT does this by consuming unused bandwidth on the network
• SCCM version needs to be 1806 + hotfix rollup (ETA end of October; fixes a perf issue)
• DP needs to be running on Windows Server 2016+ or Windows Server, version 1709+
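Windows exposes LEDBAT as a congestion provider on a TCP setting template that is bound to a port range through a transport filter, so whether a DP is actually serving content over LEDBAT can be read back from the server. The PowerShell below is an added readiness check, not code from the deck or from Configuration Manager: it confirms the OS build meets the slide's requirement and reports whether a LEDBAT template and a matching transport filter cover the DP port. The DP port (80) and the build-number thresholds are assumptions stated in the comments.

```powershell
# Added example, not from the Ignite deck. Run on a distribution point to check LEDBAT readiness.
function Test-DpLedbatReadiness {
    param(
        [int]$DpPort = 80   # assumption: the port the DP serves content on (80 for HTTP, 443 for HTTPS)
    )
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Assumption: Windows Server 2016 is build 14393 and Windows Server, version 1709 is build 16299,
    # so any build at or above 14393 satisfies the slide's OS requirement
    $osOk = $build -ge 14393

    # TCP setting templates whose congestion provider is LEDBAT
    $ledbatSettings = @(Get-NetTCPSetting | Where-Object { $_.CongestionProvider -eq 'LEDBAT' })

    # Transport filters that bind one of those templates to a local port range containing the DP port
    $filters = @()
    if ($ledbatSettings.Count -gt 0) {
        $filters = @(Get-NetTransportFilter | Where-Object {
            $ledbatSettings.SettingName -contains $_.SettingName -and
            $_.LocalPortStart -le $DpPort -and $_.LocalPortEnd -ge $DpPort
        })
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OsCaption        = $os.Caption
        BuildNumber      = $build
        OsSupportsLedbat = $osOk
        LedbatTemplates  = @($ledbatSettings | ForEach-Object { $_.SettingName })
        FilterOnDpPort   = ($filters.Count -gt 0)
        # Ready means the DP can use LEDBAT and is configured to do so on the content port
        Ready            = ($osOk -and $filters.Count -gt 0)
    }
}

Test-DpLedbatReadiness | Format-List
```

OsSupportsLedbat true with FilterOnDpPort false is the expected state of a DP that meets the OS requirement but has not yet had the LEDBAT option applied; both false means the server first needs the OS upgrade the slide calls out.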
Today / Future Infrastructure Simplification (diagram): today, a corporate network with Active Directory, a CAS, regional primary sites (EMEA, LATAM, NA1, NA2, APAC) and many DPs and SUPs spread across HQ and branch offices; future, the site hosted in Azure IaaS with SQL AlwaysOn, connected by ExpressRoute and Directory Sync to Azure Active Directory, with CMG and CDP on Azure PaaS serving branch offices and Internet-roaming devices, and the remaining DP count marked "?".
Content Library Move
• Prerequisite for site server HA
• New UI to view and move the content library on the site server
• All locations with SMB shares are supported
• Consider the disks to be HA (RAID etc.)
• The site server's computer account needs full permission to the share
• Distmgr.log will show details
• Progress is shown in the UI
Things to Pay Attention to in 1806
• Before site server installation, the server allocated for the site server in passive mode shouldn't have any other roles
• You can add roles after installation
• Service Connection Point (SCP) role limitation
• You need to recreate the SCP in case of a disaster
• Manual failover
• No hierarchy support
Installation
• Prereqs run on the active site server to check whether it is OK to install a site server on the passive server
• Machine account permissions on VM2: net localgroup administrators /add vm1$
• Machine account permissions on VM1: net localgroup administrators /add vm2$
• SQL permissions
• The site server kicks off the installation on the passive site server
  • FailoverMgr.log (active)
  • ConfigMgrSetup.log (passive)
• Creates a new component, SMS_FAILOVER_MANAGER
• What to expect after installation
  • All site server duties on the passive site are on standby
  • Install the SCCM console on the passive site server if needed (it is not installed automatically)
• Promotion
  • The action is taken on the passive site server (in case the active one is not available)
  • All existing roles are told that the site server is changing
  • FailoverMgr.log (passive), SiteComp.log (active and passive)
• Future plans
  • Hierarchy support, active/active mode
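The content library slide and the installation slide together give the prerequisites an administrator has to get right before adding a passive site server: each site server's machine account in the other server's local Administrators group, the site server's computer account with full permission on the content library share, and the named logs to watch. The PowerShell below is an added readiness check, not code from the deck or from Configuration Manager: run on either site server, it verifies the peer's machine account membership, the NTFS permission on the share, and surfaces recent error lines from FailoverMgr.log, SiteComp.log and distmgr.log. The peer server name and share path are parameters you supply; the default log folder is an assumption.

```powershell
# Added example, not from the Ignite deck. Run on a site server before (or after) adding the
# passive site server to confirm the slide's prerequisites are in place.
function Test-SiteServerHaReadiness {
    param(
        [Parameter(Mandatory)][string]$PeerSiteServer,        # the other site server, e.g. VM2 when run on VM1
        [Parameter(Mandatory)][string]$ContentLibraryShare,   # UNC path of the shared content library
        [string]$Domain = $env:USERDOMAIN,
        # assumption: default site server installation folder
        [string]$LogRoot = 'C:\Program Files\Microsoft Configuration Manager\Logs'
    )
    $issues = @()

    # 1. The peer's machine account must be a local Administrator here
    #    (the deck's "net localgroup administrators /add vm2$", run on VM1)
    $peerAccount = "$Domain\$PeerSiteServer$"
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    if ($admins.Count -eq 0) {
        $issues += 'could not enumerate local Administrators'
    } elseif (@($admins | ForEach-Object { $_.Name }) -notcontains $peerAccount) {
        $issues += "$peerAccount is not a member of local Administrators"
    }

    # 2. This site server's computer account needs Full Control on the content library share.
    #    This checks the NTFS ACL as seen over the share; share-level permissions are set on the file server.
    $selfAccount = "$Domain\$env:COMPUTERNAME$"
    if (-not (Test-Path -Path $ContentLibraryShare)) {
        $issues += "content library share $ContentLibraryShare is not reachable"
    } else {
        $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
        $acl = Get-Acl -Path $ContentLibraryShare
        $grant = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $selfAccount -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $fullControl) -eq $fullControl)
        })
        if ($grant.Count -eq 0) { $issues += "$selfAccount lacks Full Control on $ContentLibraryShare" }
    }

    # 3. Recent error lines from the logs the deck names for HA and the content library move
    $recentErrors = @(foreach ($log in 'FailoverMgr.log', 'SiteComp.log', 'distmgr.log') {
        $path = Join-Path -Path $LogRoot -ChildPath $log
        if (Test-Path -Path $path) {
            Get-Content -Path $path -Tail 200 |
                Where-Object { $_ -match 'error|fail' } |
                ForEach-Object { "$log : $_" }
        }
    })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PeerAccount      = $peerAccount
        ContentLibrary   = $ContentLibraryShare
        Ready            = ($issues.Count -eq 0)
        Issues           = $issues
        RecentLogErrors  = $recentErrors
    }
}

# Example invocation (placeholder names): run on VM1 with VM2 as the peer
Test-SiteServerHaReadiness -PeerSiteServer 'VM2' -ContentLibraryShare '\\FILESERVER\ContentLib' | Format-List
```

Run it on both site servers, swapping the peer name, so each direction of the machine-account grant is verified; an empty Issues list with no RecentLogErrors is the state to have before starting the passive site server installation or a promotion.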