
SCCM Site Boundary Types and Their Advantages and Disadvantages


Boundaries for System Center Configuration Manager define network locations on your intranet that can contain devices that you want to manage. Boundary groups are logical groups of boundaries that you configure.

Types of boundaries in SCCM:

  • IP Subnet
  • Active Directory Site
  • IPv6 Prefix
  • IP Range

Clients on the intranet evaluate their current network location and then use that information to identify boundary groups to which they belong.
Clients use boundary groups to:
  • Find an assigned site: Boundary groups enable clients to find a primary site for client assignment (automatic site assignment).
  • Find certain site system roles they can use: When you associate a boundary group with certain site system roles, the boundary group provides clients that list of site systems for use during content location and as preferred management points.
Clients that are on the Internet or configured as Internet-only clients do not use boundary information. These clients cannot use automatic site assignment and can always download content from any distribution point from their assigned site when the distribution point is configured to allow client connections from the Internet.

Best practices for boundaries and boundary groups:

  • Use a mix of the fewest boundaries that meet your needs
  • Avoid overlapping boundaries for automatic site assignment

Site boundary types, with the advantage and disadvantage of each:

IP Subnets
  • Advantage: Using IP subnets to define the boundaries of Configuration Manager sites allows you to be very specific about which clients will be assigned to which Configuration Manager 2007 sites based on their individual subnets. This also allows you to assign computers residing in the same Active Directory sites, but on different subnets, to different Configuration Manager sites.
    NOTE: When adding IP subnets as boundaries for a site, you should ensure that the IP subnet being added as a boundary has not been added to an existing Active Directory site defined as a boundary for a different Configuration Manager site.
  • Disadvantage: Each IP subnet you want to be part of your Configuration Manager boundaries must be entered individually in the Configuration Manager console. IP subnet changes or additions will require additional Configuration Manager boundary administration.

Active Directory Sites
  • Advantage: Because Active Directory sites are based on physical network segments, the easiest method of defining Configuration Manager boundaries is to base them on Active Directory sites. This allows Configuration Manager administrators to split up or combine IP subnet boundaries based on logical, not physical, criteria. One advantage to using Active Directory sites as Configuration Manager boundaries is that subnet changes to Active Directory sites are automatically reflected within Active Directory boundaries.
    NOTE: Active Directory discovery methods can only be used to discover computers located within the boundaries defined by Active Directory site names.
  • Disadvantage: Before assigning clients using Active Directory sites, you must ensure that the Active Directory administrators have included all of the subnets you expect to be present in the Active Directory site. If the Active Directory sites are not properly configured, and you use them for Configuration Manager boundaries, you will have unmanaged clients on those subnets.

IPv6 Prefix
  • Advantage: IPv6 allows for many more addresses to be assigned and many current and future operating system releases will support its use.
  • Disadvantage: IPv4-only systems cannot communicate directly with IPv6 computers and may require IP translation, such as NAT, to communicate.

IP Ranges
  • Advantage: In some cases, you may not want to add an entire IP subnet as a boundary. In these cases it may be advantageous to specify only an IP range to use for client site assignment.
  • Disadvantage: Entering IP ranges can result in more planning to ensure that the IP ranges used are not configured as part of an IP subnet boundary for a different Configuration Manager site.
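
One way to check a planned boundary list for the conflicts described above (an IP subnet or IP range that falls inside a boundary of a different site, and an Active Directory site with no subnets attached). This is an added example, not code from the original post or from Configuration Manager; the inventory, the site codes P01/P02, the AD site names and the use of CIDR notation for subnets are assumptions made for the example.

```python
import ipaddress
from itertools import combinations


def expand(boundary, ad_site_subnets):
    """Return the (first, last) address spans covered by one boundary."""
    kind, value = boundary["type"], boundary["value"]
    if kind == "IP Range":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if first.version != last.version or first > last:
            raise ValueError(f"bad IP range: {value}")
        return [(first, last)]
    if kind == "Active Directory Site":
        # Subnets the AD administrators attached to the site (may be empty).
        cidrs = ad_site_subnets.get(value, [])
    else:
        # "IP Subnet" or "IPv6 Prefix", written as CIDR in this example.
        cidrs = [value]
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(n[0], n[-1]) for n in nets]


def find_conflicts(boundaries, ad_site_subnets):
    """Flag AD-site boundaries without subnets and overlaps across sites."""
    findings, spans = [], []
    for b in boundaries:
        covered = expand(b, ad_site_subnets)
        if not covered:
            # Clients on the missing subnets would end up unmanaged.
            findings.append(("no-subnets", b["name"], None))
        spans.append((b, covered))
    for (a, sa), (b, sb) in combinations(spans, 2):
        if a["site"] == b["site"]:
            continue  # same site: automatic assignment stays unambiguous
        if any(x0.version == y0.version and x0 <= y1 and y0 <= x1
               for x0, x1 in sa for y0, y1 in sb):
            findings.append(("overlap", a["name"], b["name"]))
    return findings


# Constructed inventory: names, site codes and addresses are hypothetical.
AD_SITE_SUBNETS = {"HQ": ["10.1.0.0/16"], "Remote": []}
BOUNDARIES = [
    {"name": "HQ-AD", "type": "Active Directory Site", "value": "HQ", "site": "P01"},
    {"name": "Lab-subnet", "type": "IP Subnet", "value": "10.1.20.0/24", "site": "P02"},
    {"name": "Branch-range", "type": "IP Range",
     "value": "10.2.0.10-10.2.0.200", "site": "P02"},
    {"name": "Branch-subnet", "type": "IP Subnet", "value": "10.2.0.0/24", "site": "P01"},
    {"name": "V6", "type": "IPv6 Prefix", "value": "2001:db8:10::/64", "site": "P01"},
    {"name": "Remote-AD", "type": "Active Directory Site", "value": "Remote", "site": "P02"},
]

if __name__ == "__main__":
    for finding in find_conflicts(BOUNDARIES, AD_SITE_SUBNETS):
        print(finding)
```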

Automatic Deployment Rule (ADR) in SCCM

Use the Create Automatic Deployment Rule Wizard to create the Automatic Deployment Rule for your Patch Tuesday updates. Here are the steps:
1.     In the SCCM 2012 administrator console, navigate to the Software Library workspace.
2.     Select Software Updates, and choose Automatic Deployment Rules. Click the Create Automatic Deployment Rule option on the ribbon to launch the Create Automatic Deployment Rule Wizard.
3.     On the General page, shown in the screenshot below, specify Patch Tuesday in the Name field and a description in the Description field. In the Collection field, enter or browse to the collection you created in your environment (for example, SUM WRK Pilot I). For the Each time the rule runs and finds new updates option, select Create a new Software Update Group. Although adding updates to an existing software update group is useful when creating an Automatic Deployment Rule for Endpoint Protection definition updates, it's not useful for regular software updates. Here you'll create a new group every month. Otherwise, you'll end up having too many updates in the group. (A software update group has a limit of 1,000 updates.) Clear the Enable the deployment after this rule is run check box. Click Next.
       Specifying the General Information for the Automatic Deployment Rule
4.     On the Deployment Settings page, click Next.

5.     On the Software Updates page, select the following filters and add the specified search criteria: Date Released or Revised: Last 3 weeks; Update Classification: "Critical Updates" OR "Security Updates" OR "Update Rollups" OR "Updates"; Title: as below.
Confirm that your page looks like the one in the screenshot below, then click Next.
Specifying the Filters and Search Criteria
6.     On the Evaluation Schedule page, select Enable rule to run on a schedule and click the Customize button. Configure the rule to run the second Tuesday of every month at a time of your choosing. Click OK, then click Next.

7.     On the Deployment Schedule page, configure the following settings. In the Time based on drop-down list, select Client local time. In the Software available time and Installation deadline sections, select As soon as possible. You don't have to worry about this deadline being too aggressive because this setting is being applied only to the devices in your pilot group. For the production workstations, I recommend making the updates available two days prior to the company-decided deadline. Updates will start downloading in the background when they become available and will install when the deadline is reached. Click Next.
8.     On the User Experience page, select Display in Software Center and show all notifications in the User notifications drop-down list. In addition, suppress the system restart on both servers and workstations, as shown in the screenshot below. Click Next.
       Configuring the User Experience Settings for the Automatic Deployment Rule
9.     On the Alerts page, you can configure SCCM to send an alert when the compliance level drops below a certain percentage. To do this, select the Generate an alert when the following conditions are met check box. Then, in the Client compliance is below the following percent drop-down list, select 95. Finally, set the Offset from the deadline option to 35 days. This means that SCCM will generate an alert if the compliance level isn't at 95 percent 35 days after the specified deadline. Click Next.
10.  On the Download Settings page, configure the following settings. Select Download software updates from distribution point and install as the deployment option for the preferred distribution point. Select Download and install software updates from the fallback content source location as the deployment option to use when updates aren't available on any preferred distribution point. Select the Allow clients to share content with other clients on the same subnet check box. Select the If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft Updates check box. This is a new SP1 feature that allows clients to fall back and use Windows Update to download the content. The client will only download content for the updates you have approved. After making sure that your settings look like those in Figure 4, click Next.
      Figure 4: Specifying How to Download the Updates
11.  On the Deployment Package page, you can either select an existing deployment package or create a new one. For this example, create a new one, specifying a name and description for it. In the Package Source field, enter or browse to the folder containing the software update binary files. Leave the sending priority at the default of medium. Click Next.
12.  On the Distribution Points page, specify the distribution points or distribution point groups to which you want to distribute the package and click Next.
13.  On the Download Location page, select Download software updates from the Internet and click Next.
14.  On the Language Selection page, select the languages supported in your organization and click Next.
15.  On the Summary page, click Save As Template. In the Save As Template dialog box that appears, type Pilot Deployment I in the Name field and click Save.
16.  Click Next to have the wizard create the Automatic Deployment Rule. When it completes, click Close.
You'll now see the Patch Tuesday rule in the list of Automatic Deployment Rules. Manually run that rule by selecting it and clicking the Run Now option on the ribbon, as shown in the screenshot below. Click Yes to start the process.

Running the Automatic Deployment Rule Manually


Windows Update (Client) Troubleshooting in SCCM

SCCM includes an integrated WSUS server. You can set up this Software Update Point (SUP) to manage Windows updates in your environment. However, there will most likely be some problems along the way; below are the steps to check the issue.
Client Side

Software update components involved are:
1. Windows Update Agent (WUA)
2. Software update client agent (from SCCM)
3. Windows Management Instrumentation (WMI)

[Figure: The Software Update process from the ConfigMgr client]

On the client side, the first thing to check is LocationServices.log, to make sure that the client has detected the correct SUP. If it has not, make sure that the client is correctly reporting to the SCCM server and that the software update is enabled. Make sure that the server name and the port are specified correctly.

Locationservices.log
================
Calling back with the following WSUS locations LocationServices              4/29/2010 10:39:40 AM  2844 (0x0B1C)
WSUS Path='https://SCCMCEN.SCS.IN:443', Server='SCCMCEN', Version='2'         LocationServices              4/29/2010 10:39:40 AM         2844 (0x0B1C)
Calling back with locations for WSUS request {10066528-1C1B-4A0C-958B-F29ACBEDBBDF}          LocationServices                4/29/2010 10:41:31 AM  2844 (0x0B1C)
Calling back with the following distribution points          LocationServices              4/29/2010 11:27:23 AM  2552 (0x09F8)
Distribution Point='\\SCCMCEN.SCS.IN\SMSPKGC$\CEN00003\4ea80bd5-c8ac-4f98-be8a-1c18f24a34e4', Locality='LOCAL', DPType='SERVER', Version='6487', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1"/></Capabilities>', Signature=''         LocationServices              4/29/2010 11:27:23 AM  2552 (0x09F8)

Once the policy agent triggers the scan cycle, the Windows Update Agent on the client contacts the WSUS server, which in our case is also the SUP. When the scan completes successfully, this information is sent as a state message to the SCCM server. You can check this in WindowsUpdate.log or in WUAHandler.log under the SCCM client logs.

WUAHandler.log
==============
Async searching of updates using WUAgent started.       WUAHandler     4/29/2010 10:42:20 AM  3488 (0x0DA0)
Async searching completed.       WUAHandler     4/29/2010 11:24:21 AM  1496 (0x05D8)
Successfully completed scan.    WUAHandler     4/29/2010 11:24:25 AM  2752 (0x0AC0)
Its a WSUS Update Source type ({D4F72DDB-F6C4-4B05-835F-A8C23098857A}), adding it.              WUAHandler     4/29/2010 11:25:24 AM       2752 (0x0AC0)
Existing WUA Managed server was already set (https://SCCMCEN.SCS.IN:443), skipping Group Policy registration.                WUAHandler     4/29/2010 11:25:25 AM  2752 (0x0AC0)
Added Update Source ({D4F72DDB-F6C4-4B05-835F-A8C23098857A}) of content type: 2                WUAHandler     4/29/2010 11:25:25 AM       2752 (0x0AC0)
Async searching of updates using WUAgent started.       WUAHandler     4/29/2010 11:25:25 AM  2752 (0x0AC0)
Async searching completed.       WUAHandler     4/29/2010 11:26:28 AM  2396 (0x095C)
Successfully completed scan.    WUAHandler     4/29/2010 11:26:32 AM  3756 (0x0EAC)


When the policy agent triggers the software update deployment cycle, the scan result is compared with the catalogue, and the client then downloads only the required updates and installs them on schedule. Check UpdatesStore.log and UpdatesDeployment.log for more details. You can also check WindowsUpdate.log.

UpdatesDeployment.log
=====================

Service startup system task                 UpdatesDeploymentAgent                   4/28/2010 7:49:39 PM  3468 (0x0D8C)
Software Updates client configuration policy has not been received.          UpdatesDeploymentAgent                   4/28/2010 7:49:39 PM  3468 (0x0D8C)
Software updates functionality will not be enabled until the configuration policy has been received. If this issue persists please check client/server policy communication.                       UpdatesDeploymentAgent                   4/28/2010 7:49:39 PM  3468 (0x0D8C)
Software Updates feature is disabled                       UpdatesDeploymentAgent                   4/28/2010 7:49:39 PM  3468 (0x0D8C)
Software Updates client configuration policy has not been received.          UpdatesDeploymentAgent                   4/28/2010 7:49:39 PM  3468 (0x0D8C)
Software updates functionality will not be enabled until the configuration policy has been received. If this issue persists please check client/server policy communication.                UpdatesDeploymentAgent                   4/28/2010 7:49:39 PM  3468 (0x0D8C)
………………….
…………………
Evaluation initiated for (1) assignments.                 UpdatesDeploymentAgent                   4/29/2010 10:39:20 AM                       336 (0x0150)
Deadline received for assignment ({3B1C5820-953D-4EFB-BDB7-3ABEE4C9788D})      UpdatesDeploymentAgent                   4/29/2010 10:39:20 AM                       3344 (0x0D10)
Enforcement trigger will be effective when the current action completes UpdatesDeploymentAgent                   4/29/2010 10:39:20 AM                       3344 (0x0D10)
Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssignments'><UseCachedResults>True</UseCachedResults></SoftwareUpdatesMessage>'      UpdatesDeploymentAgent                   4/29/2010 10:39:30 AM                        3940 (0x0F64)
Evaluation initiated for (0) assignments.                 UpdatesDeploymentAgent                   4/29/2010 11:01:55 AM                       4064 (0x0FE0)
……………………………….
DetectJob completion received for assignment ({3B1C5820-953D-4EFB-BDB7-3ABEE4C9788D})     UpdatesDeploymentAgent                   4/29/2010 11:26:59 AM                       3856 (0x0F10)
……………………..
Added update (Site_D4F72DDB-F6C4-4B05-835F-A8C23098857A/SUM_9fb3050e-26f2-4ccc-b9b0-b453ff58aaa9) to the targeted list UpdatesDeploymentAgent                   4/29/2010 11:26:59 AM                      3856 (0x0F10)
Added update (Site_D4F72DDB-F6C4-4B05-835F-A8C23098857A/SUM_de919dec-2021-474a-8a7f-d632c2068146) to the targeted list                      UpdatesDeploymentAgent                        4/29/2010 11:26:59 AM                       3856 (0x0F10)
Added update (Site_D4F72DDB-F6C4-4B05-835F-A8C23098857A/SUM_d2e84b36-f0fd-4434-825d-a753a338b0bd) to the targeted list                      UpdatesDeploymentAgent                        4/29/2010 11:26:59 AM                       3856 (0x0F10)
……………………
Update (Site_D4F72DDB-F6C4-4B05-835F-A8C23098857A/SUM_de919dec-2021-474a-8a7f-d632c2068146) Progress: Status = ciStateDownloading, PercentComplete = 83, Result = 0x0                       UpdatesDeploymentAgent                   4/29/2010 11:27:36 AM                       1068 (0x042C)
Progress received for assignment ({3B1C5820-953D-4EFB-BDB7-3ABEE4C9788D})      UpdatesDeploymentAgent                   4/29/2010 11:27:38 AM                       12 (0x000C)
DownloadJob completion received for assignment ({3B1C5820-953D-4EFB-BDB7-3ABEE4C9788D})                      UpdatesDeploymentAgent                   4/29/2010 11:27:38 AM                       12 (0x000C)
EnumerateUpdates for action (UpdateActionInstall) - Total visible updates = 3               UpdatesDeploymentAgent                   4/29/2010 11:27:38 AM                       2960 (0x0B90)
Starting install for assignment ({3B1C5820-953D-4EFB-BDB7-3ABEE4C9788D})              UpdatesDeploymentAgent                   4/29/2010 11:27:38 AM                       12 (0x000C)
 ………………….
Update (Site_D4F72DDB-F6C4-4B05-835F-A8C23098857A/SUM_de919dec-2021-474a-8a7f-d632c2068146) Progress: Status = ciStateInstalling, PercentComplete = 100, DownloadSize = 0, Result = 0x0                         UpdatesDeploymentAgent                   4/29/2010 11:31:26 AM                       440 (0x01B8)
Update (Site_D4F72DDB-F6C4-4B05-835F-A8C23098857A/SUM_de919dec-2021-474a-8a7f-d632c2068146) Progress: Status = ciStatePendingSoftReboot, PercentComplete = 0, DownloadSize = 0, Result = 0x0           UpdatesDeploymentAgent                   4/29/2010 11:31:31 AM                       3568 (0x0DF0)
CTargetedUpdatesManager - Job completion received.           UpdatesDeploymentAgent                   4/29/2010 11:31:32 AM                       496 (0x01F0)
Job Id = {A807D023-9E41-4FE5-A528-6120C46C1134}              UpdatesDeploymentAgent                   4/29/2010 11:31:32 AM                       496 (0x01F0)
No pending install assignment             UpdatesDeploymentAgent                   4/29/2010 11:31:33 AM                       440 (0x01B8)
EnumerateUpdates for action (UpdateActionInstall) - Total visible updates = 3               UpdatesDeploymentAgent                   4/29/2010 11:31:33 AM                       2236 (0x08BC)
No installations in pipeline, notify reboot.               UpdatesDeploymentAgent                   4/29/2010 11:31:33 AM                       440 (0x01B8)
Notify reboot with deadline = Thursday, Apr 29, 2010. - 11:31:33, Ignore reboot Window = False                        UpdatesDeploymentAgent                   4/29/2010 11:31:33 AM                       440 (0x01B8)
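
The checks described so far (the correct SUP in LocationServices.log, a completed scan in WUAHandler.log, policy and update state in UpdatesDeployment.log) can be run over copied log lines. This is an added example, not part of the original post; it assumes the viewer-style line layout used in the excerpts here rather than the raw on-disk log format, and the sample hosts and update ID are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Layout of the excerpts on this page: message, component, timestamp, thread id.
LINE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<comp>\w+)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+\d+\s+\(0x[0-9A-Fa-f]+\)$")
WSUS = re.compile(r"WSUS Path='([^']+)'")
PROGRESS = re.compile(
    r"Update \(([^)]+)\) Progress: Status = (\w+),.*Result = (0x[0-9A-Fa-f]+)")


def endpoint(url):
    """Normalise a URL to (scheme, host, port) so equivalent spellings compare equal."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme)


def parse(text):
    """Return (timestamp, component, message) records sorted by time."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            records.append((ts, m["comp"], m["msg"]))
    return sorted(records, key=lambda rec: rec[0])


def triage(text, expected_sup):
    """Return (findings, last state per update) for merged client log lines."""
    findings, states, policy_gap, scan_open = [], {}, None, None
    for ts, comp, msg in parse(text):
        wsus, progress = WSUS.search(msg), PROGRESS.search(msg)
        if comp == "LocationServices" and wsus:
            if endpoint(wsus[1]) != endpoint(expected_sup):
                findings.append(("wsus-mismatch", wsus[1]))
        elif comp == "WUAHandler" and "WUAgent started" in msg:
            scan_open = ts
        elif comp == "WUAHandler" and "Successfully completed scan" in msg:
            scan_open = None
        elif "configuration policy has not been received" in msg:
            policy_gap = ts
        elif msg.startswith("Evaluation initiated"):
            policy_gap = None  # assumption: evaluating assignments means policy arrived
        elif progress:
            update_id, state, result = progress.groups()
            states[update_id] = state
            if int(result, 16) != 0:
                findings.append(("update-error", f"{update_id} {state} {result}"))
    if policy_gap is not None:
        findings.append(("policy-missing", str(policy_gap)))
    if scan_open is not None:
        findings.append(("scan-incomplete", str(scan_open)))
    return findings, states


# Constructed sample in the page's layout (hosts and update id are made up).
SAMPLE = """\
Software Updates client configuration policy has not been received.   UpdatesDeploymentAgent   4/28/2010 7:49:39 PM  3468 (0x0D8C)
WSUS Path='http://wsus-old.example.test:8530', Server='WSUS-OLD', Version='2'   LocationServices   4/29/2010 10:39:40 AM  2844 (0x0B1C)
Async searching of updates using WUAgent started.   WUAHandler   4/29/2010 10:42:20 AM  3488 (0x0DA0)
Update (Site_X/SUM_1) Progress: Status = ciStateDownloading, PercentComplete = 10, Result = 0x80004005   UpdatesDeploymentAgent   4/29/2010 11:27:36 AM  1068 (0x042C)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE, "https://SCCMCEN.SCS.IN:443")[0]:
        print(finding)
```

Each finding is a (code, detail) pair; an empty list means the SUP matched, policy arrived, the last scan completed and no update reported a non-zero result.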


Update Deployment attempts to install updates, but Service Window Manager blocks the installation (C:\Windows\CCM\Logs\UpdatesDeployment.log)

UpdatesDeployment.log
===================

[Screenshot: UpdatesDeployment.log entries]

Service Window Manager blocking the installation

ServiceWindowManager.log
=======================

[Screenshot: ServiceWindowManager.log entries]
And when the window opens, the updates should install. Check the UpdatesDeployment.log.
The execution manager will have the following entries.
Execmgr.log
==========
Mandatory execution requested for program Software Updates Program and advertisement {3D49D216-341B-4456-B52C-A0A480C06BEC}           execmgr       4/29/2010 11:27:50 AM                        2188 (0x088C)
Creating mandatory request for advert {3D49D216-341B-4456-B52C-A0A480C06BEC}, program Software Updates Program, package {3D49D216-341B-4456-B52C-A0A480C06BEC}                        execmgr      4/29/2010 11:27:50 AM                       2188 (0x088C)
CExecutionRequest::Overriding Service Windows as per policy.                   execmgr       4/29/2010 11:27:50 AM                       2188 (0x088C)
Execution Manager timer has been fired.              execmgr       4/29/2010 11:27:50 AM                       3256 (0x0CB8)
Executing program  in Admin context                       execmgr       4/29/2010 11:27:50 AM                       2188 (0x088C)
Execution Request for package {3D49D216-341B-4456-B52C-A0A480C06BEC} program Software Updates Program state change from NotExist to NotifyExecution                 execmgr                        4/29/2010 11:27:50 AM                       2188 (0x088C)
Executing program as an update.      execmgr       4/29/2010 11:27:51 AM                       2188 (0x088C)
Executing Update Program                   execmgr       4/29/2010 11:27:51 AM                       2188 (0x088C)
Updates Installation started for the passed command line       execmgr       4/29/2010 11:27:51 AM                       2188 (0x088C)
Looking for MIF file to get program status             execmgr       4/29/2010 11:31:31 AM                       440 (0x01B8)
Script for  Package:{3D49D216-341B-4456-B52C-A0A480C06BEC}, Program: Software Updates Program succeeded with exit code 0   execmgr       4/29/2010 11:31:31 AM                       440 (0x01B8)
Execution is complete for program Software Updates Program. The exit code is 0, the execution status is Success                 execmgr       4/29/2010 11:31:31 AM                       440 (0x01B8)
The user has logged off.                        execmgr       4/29/2010 11:38:13 AM                       2788 (0x0AE4)

Once the update is installed, the system is rebooted depending on the reboot setting. This information is tracked in RebootCoordinator.log.

Also check WindowsUpdate.log for the update installation success message.
WindowsUpdate.log
=======================

[Screenshot: WindowsUpdate.log entries]
And reboot if required (and scheduled)
RebootCoordinator.log
=====================
Shutdown is already in progress        RebootCoordinator          4/29/2010 11:38:10 AM                       3792 (0x0ED0)
Reboot initiated                 RebootCoordinator          4/29/2010 11:38:10 AM                       3792 (0x0ED0)
User logoff notification received         RebootCoordinator          4/29/2010 11:38:13 AM                       2788 (0x0AE4)
Shutdown is already in progress        RebootCoordinator          4/29/2010 11:38:17 AM                       2788 (0x0AE4)
Reboot initiated                 RebootCoordinator          4/29/2010 11:38:17 AM                       2788 (0x0AE4)