Best Practices
The following are best practices from this chapter:
- Fully understand the architectural design before deploying Configuration Manager 2012 infrastructure servers and roles.
- If communication problems occur, make sure the settings on the local firewall have been configured correctly. For troubleshooting purposes, disable the local firewall temporarily.
- Status messages will still be sent to the Fallback Status Point, even if the client system has become orphaned due to certificate configuration issues. It is important to deploy the Fallback Status Point before deploying clients.
- Do not move domain controllers from the default OU. Moving domain controllers out of the default Domain Controllers OU is not supported. When an Enterprise Root CA is deployed, all domain controllers automatically receive a Domain Controller certificate. This certificate can be used for both client and server authentication.
- Provisioning certificates with unnecessary OIDs is not recommended. Only provision the minimum requirements needed by the client to communicate with Configuration Manager.
- The Windows Server 2008 Enterprise certificate option is not compatible with System Center Configuration Manager 2012. Choosing Windows Server 2008 Enterprise results in a version 3 template. To create a version 2 template, select Windows Server 2003 Enterprise.
- When a computer object is added to a group, it can take a long time for the setting to take effect. This is because the Kerberos ticket takes seven days to renew. The renewal time is governed by the Maximum Lifetime for User Ticket Renewal setting located in the Default Domain Policy GPO. It is not recommended to change this setting. Instead, restart the computer to refresh the Kerberos ticket.
- Make sure the subject name of the Site Servers’ Document Signing certificate is set to: “The site code of this Site Server is <SITE CODE>”. The <SITE CODE> represents the site code that will be entered during the Configuration Manager implementation.
- Review the ExtADSch.log file for any errors after the AD schema has been extended. This log file is located in the root of drive C on the server used to execute the schema extensions. The log file should show that 14 attributes and four classes have been defined.
- Do not bother with the WSUS Configuration Wizard. When the wizard opens after WSUS is successfully installed, click the Cancel button. The Configuration Manager console provides the interface to configure synchronization with Microsoft.
- Make sure the Configuration Manager Site Server Computer Account is in the local administrators group on all component servers and other Site Servers; this includes the Site Database server. The computer account of the Site Server is used to access and manage the remote server by default.
- The status summarizer for the different components is not automatically changed from red or yellow to green if the component that experienced the problem is fixed. The component summarizer simply counts the number of warning and error status messages that have been received. Manually reset the counts of status messages to clear the error or warning status.
- The cmtrace.exe log viewer provides a real-time view of the Configuration Manager status logs. This tool is invaluable when troubleshooting problems and understanding the environment.
- When deploying Site System roles to either the Site Server or a remote server, it is important to note the component installation wizard doesn’t actually do the installation. Check the Site Status container from within the console along with the local installation logs for details on role installation.
- Increase the number of messages allowed per hour by the FSP to support large client deployments. This prevents a backlog of status messages from occurring.
- Never configure overlapping boundaries. This can cause managed systems to use the wrong Site Server or Distribution Point. This often happens when using a combination of IP and Active Directory boundaries.
- Define the Network Access Account on the Computer Client Agent when managing non–domain members. This account is provided as a way for non–domain members to authenticate to Configuration Manager. This account should be a Domain User without additional permissions.
- The default list of “Products” supported by the Software Update Point is refreshed and updated during the synchronization process. This adds things like Windows 7 and Windows Server 2008 R2 to the Windows section. Because the entire Windows product was selected, new operating systems will automatically be enabled as they are made available on the Windows Update site and through WSUS.
- Configuring Client Agents with a “simple” schedule allows the distribution of load placed on the system. Unless the server and environment have been sized to receive and process data from all clients simultaneously, care should be taken to distribute the load over a longer period.
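The overlapping-boundary practice above can be checked before boundaries are created. The following is an added example, not code from the book: it flags address ranges shared by two different boundaries, including the mixed IP and Active Directory case. The boundary names, the addresses, and the idea of listing each Active Directory site's subnets in CIDR notation are assumptions made for the illustration.

```powershell
# Added example. Boundary names and address ranges below are constructed sample data.
function ConvertTo-IPNumber([string]$Address) {
    [uint64]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Get-BoundaryRange([string]$Value) {
    # "start-end" is an IP range; "network/prefix" is a subnet (assumed notation).
    if ($Value -match '^([\d.]+)-([\d.]+)$') {
        return [pscustomobject]@{ First = (ConvertTo-IPNumber $Matches[1])
                                  Last  = (ConvertTo-IPNumber $Matches[2]) }
    }
    $net, $prefix = $Value -split '/'
    [uint64]$size  = [math]::Pow(2, 32 - [int]$prefix)
    [uint64]$first = ConvertTo-IPNumber $net
    $first = $first - ($first % $size)            # snap to the network address
    [pscustomobject]@{ First = $first; Last = $first + $size - 1 }
}

function Find-BoundaryOverlap($Boundaries) {
    # Flatten every boundary into numeric intervals, then sort by start address.
    $ranges = foreach ($b in $Boundaries) {
        foreach ($v in $b.Ranges) {
            $r = Get-BoundaryRange $v
            [pscustomobject]@{ Name = $b.Name; Source = $v; First = $r.First; Last = $r.Last }
        }
    }
    $ranges = @($ranges | Sort-Object First)
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        # Sorted input: a later interval overlaps only while its start is within this one.
        for ($j = $i + 1; $j -lt $ranges.Count -and $ranges[$j].First -le $ranges[$i].Last; $j++) {
            if ($ranges[$i].Name -ne $ranges[$j].Name) {
                [pscustomobject]@{ BoundaryA = $ranges[$i].Name; RangeA = $ranges[$i].Source
                                   BoundaryB = $ranges[$j].Name; RangeB = $ranges[$j].Source }
            }
        }
    }
}

# Constructed input: one IP range boundary, one AD site with its subnets, one lab range.
$boundaries = @(
    @{ Name = 'HQ IP range';     Ranges = @('10.1.0.1-10.1.3.254') },
    @{ Name = 'AD site Branch1'; Ranges = @('10.1.2.0/24', '10.2.0.0/16') },
    @{ Name = 'Lab IP range';    Ranges = @('10.3.0.1-10.3.0.254') }
)
Find-BoundaryOverlap $boundaries | Format-Table -AutoSize
```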
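For the practice above about not provisioning certificates with unnecessary OIDs, the following added example (not from the book) reports certificates whose enhanced key usage goes beyond an allowed list. It assumes the client certificate needs only Client Authentication (1.3.6.1.5.5.7.3.2); the function name and the sample certificates are constructed for the illustration.

```powershell
# Added example. Find-ExcessEku is a hypothetical helper; sample certificates are constructed.
function Find-ExcessEku {
    param(
        [Parameter(ValueFromPipeline = $true)] $Certificate,
        [string[]] $AllowedOid
    )
    process {
        # Collect the EKU OIDs; foreach over an empty or missing list yields nothing.
        $oids = @(foreach ($eku in $Certificate.EnhancedKeyUsageList) { $eku.ObjectId })
        $extra = @($oids | Where-Object { $_ -notin $AllowedOid })

        if ($oids.Count -eq 0) {
            # No EKU extension means the certificate is not restricted to any purpose.
            [pscustomobject]@{ Subject = $Certificate.Subject; Finding = 'No EKU restriction' }
        }
        elseif ($extra.Count -gt 0) {
            [pscustomobject]@{ Subject = $Certificate.Subject
                               Finding = 'Unneeded OIDs: ' + ($extra -join ', ') }
        }
    }
}

# Assumption: the client only needs Client Authentication.
$allowed = @('1.3.6.1.5.5.7.3.2')

# Constructed objects shaped like the entries PowerShell returns from Cert:\LocalMachine\My.
$sample = @(
    [pscustomobject]@{ Subject = 'CN=client01.example.test'
        EnhancedKeyUsageList = @([pscustomobject]@{ ObjectId = '1.3.6.1.5.5.7.3.2' }) },
    [pscustomobject]@{ Subject = 'CN=client02.example.test'
        EnhancedKeyUsageList = @([pscustomobject]@{ ObjectId = '1.3.6.1.5.5.7.3.2' },
                                 [pscustomobject]@{ ObjectId = '1.3.6.1.5.5.7.3.1' }) },
    [pscustomobject]@{ Subject = 'CN=client03.example.test'; EnhancedKeyUsageList = @() }
)
$sample | Find-ExcessEku -AllowedOid $allowed | Format-Table -AutoSize

# Against a live store, pipe real certificates instead of the sample:
# Get-ChildItem Cert:\LocalMachine\My | Find-ExcessEku -AllowedOid $allowed
```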