Gatt Posted March 12, 2014

Hi folks, looking for some help in understanding how the CAS works with regard to Server Roles.

I work at a University in the UK and we are in the middle of migrating our ailing SCCM 2007 environment to a new SCCM 2012 R2 environment. At present our CM07 environment is a single primary site that covers ALL computers and servers across the campus (Staff, Students, Servers) and we have something like 5000 clients in total, and the whole environment is a mess and it's common to see software deployed incorrectly (packages for desktops have been assigned to servers as well, causing much disruption).

So, with the CM12 setup we are looking at implementing a CAS with 2 Primary Sites - one for the Desktop side and one for the Server side - to not only prevent accidental deployments of desktop packages to servers but to also lessen the load being placed on it (CM07 regularly falls over due to the amount of clients talking to it, etc.). I know that we technically do not need a CAS, but our environment would benefit more from splitting the Desktop/Server sides into separate sites.

Anyway - my query regarding this CAS... Is the CAS a single "All-In-One" site? That is - is it literally only the CAS Server itself with all appropriate roles installed on it (specifically SCEP, SUP and the Asset Intell Sync Point), or can we have a 2nd server with these roles installed on them?

Hope someone can help

GarthMJ Posted March 12, 2014

A CAS will NOT protect you in this situation; there are no ifs, ands, or buts about it. With 5000 devices you need to stay with a simple primary server and use RBA to perform role separation.

Gatt Posted March 12, 2014

I understand that a CAS is not technically needed, but in our organisation it is - for a few reasons:

1) Reduce the load from the clients - at the moment CM07 gets a right battering from all our clients - desktops and servers - to the point where the log files fill up fast, the inboxes regularly get 50,000 retry entries, which then grinds the system to a crawl (first indication is that we cannot refresh collection membership) until we stop CM07, delete the Retries and reboot the server(s).

2) Internal Politics - The "Desktop" team and the "Server" team are both battling over who has the most control over the system. Mis-management of packages on both sides has caused serious problems across the university.

These 2 points are both listed here as possible scenarios for a CAS - http://blogs.technet.com/b/server-cloud/archive/2012/02/29/hierarchy-design-in-system-center-2012-configuration-manager.aspx

So, for these reasons we are looking at a CAS so that both teams have their own site to deal with, and a select few have access to the CAS itself should there be a need to apply settings to the entire estate. Nor am I saying it will solve our problems - but it may limit them a bit.

So, back to my original query - can there only be ONE server in the "CAS" - i.e. the CAS site [or role] server itself? From what I've found out, when using a CAS you MUST install SCEP and the Asset Intelligence Sync Point on the CAS; we would also look to install the SUP role here too, with more granular control of SUP given to the Server and Desktop sites.

So, we NEED two primary sites in order to end the tug-of-war between teams, and for that we NEED a CAS. All I need to know is the query above.

GarthMJ Posted March 12, 2014

All I do is increase the log file sizes until you get 3-5 days' worth of logs.

I don't understand your first comment. Retries of what? If your inboxes are overloaded it sounds like you either have aggressive settings or an underpowered server with not enough IOPS.

Your second comment doesn't make sense when you talk about Primary sites in CM12. Primary sites are NOT security boundaries like they are in CM07. Remember that a lot of stuff is global data and therefore shared between primary sites, and therefore one group CAN affect the second group even if there are two primary sites. Also remember that it is STRONGLY recommended that all administration be done at the CAS, not at the Primary sites.

ONLY RBA can be used to resolve this problem (I have used it at several places for this exact reason) OR two completely different primary sites that don't talk to each other at all, which again would be far simpler than adding a CAS into the mix.

Chris Nackers Posted March 14, 2014

There is absolutely no reason for a 5k organization to have a CAS, not a single valid reason. Separating the server teams and desktop teams is done via RBA; multiple primary sites will not give you separation as the data is global, it will be replicated between the sites. You also should not have any load issues with a 5k client environment if the server is configured properly. You can easily run all the roles including the database on a single primary site as long as it is configured properly.

Here is a webcast I did on RBA; I would recommend watching it to learn how to separate desktop/server teams. http://www.chrisnackers.com/2013/10/27/role-based-administration-tipstricks-replay-is-up/

Gatt Posted March 14, 2014

Thanks, I'm now suitably unsure as to CAS or not to CAS, to the point where I'm swaying to the latter...

I'll take a look at the webcast and take all the comments under advisement with regard to our design. I'll set up a single test Primary Site and look at the RBA configurations, etc.

Damn you MS and the CAS!!

Robert Marshall Posted March 14, 2014

Ping me an email rob @ smsmarshall . com and I can help you with this easily :-)

Robert
Microsoft MVP - ConfigMgr - @robmvp

Gatt Posted March 14, 2014

Thanks Rob - will write one up shortly (UK Teatime here!)

GarthMJ Posted March 14, 2014

BTW, Rob is in the UK too. ;-) He is (or was) the user group leader for the SCCM user group in London. He is a good guy to know, if you live in the UK.

Gatt Posted March 16, 2014

Hi folks

Sorry, not had a chance to email you yet, Rob.

Chris - I've watched through your webcast and it's made things a lot clearer now regarding RBA, and I can see how that can work for us.

There is only one more area that I forgot to mention - and it's causing us some grief at the moment with CM07 - but I suspect this may be easily remedied with the correct setup.

And that is this: we have multiple VLANs - two of important note are:

Front-End: which is basically all our Desktops and various servers that need to be seen by the Desktops, but not all servers are on this one
Management: which ALL our servers are connected to.

CM07, when it was installed [not by me I hasten to add!], currently uses the Front-End VLAN for communicating to clients and this is causing us great issues with those servers that do not have visibility of it (i.e. only have a connection to the Management side).

We suspect that it's due to the MP being on the Front End side and not the Management, so would having 2 MP roles installed (one on the Front End, and one on the Management side) or via boundary groups (as they have different IPs)? Or does CM12 handle this better anyway?