Just added a new branch office to our organization and in keeping with the new standards that I have imposed for server operating systems, all servers at this location are running Windows Server 2008 R2. I had read awhile back that there were a few things to be aware of when creating a SCCM Secondary Site in Windows Server 2008 R2. These secondary sites will only be Management Points and Distribution Points. So here’s how I got it all to work.
Remote Differential Compression (RDC)
According to the TechNet articleon this very same topic, “site servers and branch distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. By default, RDC is not installed on Windows Server 2008 or Windows Server 2008 R2 and must be enabled manually.”
- Launch Server Manager. Select Features then Add New Features.
- Select Remote Differential Compression. Click Next then Install.
There are a few things that need to be done in IIS7.5 to get things to work. Even in IIS6 there were/are several configuration steps that needed to be performed in order to get this to work. Some of these steps are similar to what you need to do if running IIS6.
- Launch Server Manager.
- Select Features then Add Features.
- Select Background Intelligent Transfer Service (BITS) which will then require that Web Server (IIS) and Remote Server Administration Tools be installed.
- Select Add Required Role Services.
- Click Next.
- At the Role Services step select WebDAV Publishing, ASP.NET and Add Required Role Services.
- (Optional) I checked ASP just in case I wanted to make this server a Reporting Point in the future.
- Select Windows Authentication under Security.
- Under IIS Management Compatibility select the following: IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility.
- Click Next then Install.
- Once IIS7.5 is installed open the IIS Manager. To keep things simple and to avoid any future problems, I rename the Default Website to SMSWEB. There will be no other websites running off of this particular server so it’s not a problem.
- Select SMSWEB and in the Features View select WebDAV Authoring Rules.
- Once in the screen select Enable WebDAV from the Actions pane then select Add Authoring Rule…
- Allow access to: All Content, Allow access to this content to: All Users, Permissions: Read
- Select WebDAV Settings.
- Set Allow Anonymous Property Queries to True. Set Allow Custom Properties to False. Set Allow Property Queries with Infinite Depth to True. Set Allow Hidden Files to be Listed to True. In the Action pane click Apply.
There is one more thing that needs to be done to prepare for installing the Secondary Site now that we have IIS7.5 and WebDAV configured correctly. You may already be aware that this step needs to be taken, but I’ll list it anyway for those that have no clue or might forget.
- Go to Active Directory Users and Computers.
- From the View menu item in the MMC console select Advanced Features if it’s not already checked.
- Expand the System container and right-click on System Management and select Properties.
- Go to the Security tab and add the Secondary Site server to the list granting it Full Control.
Now you are ready to add this site as a Secondary Site in SCCM. Update (Mar 23, 2012)
- Also be sure to add the computer account of the primary site server to the Local Administrators group of the secondary site server.
Update (Apr 10, 2012)
- Open up IIS Manager.
- Expand the SMSWEB site.
- Right-click on the CCM_CLIENT folder and select Edit Permissions.
- Click the Security tab and grant the Everyone group Read permissions.
Update (Apr 11, 2012)There are a few additional Secondary Site settings that I found need to be made especially if you are using a custom port number for your Management Point. Here we use a custom port number and I ran into an issue with clients not updating correctly. What I discovered was that the Windows Firewall needed to have a custom rule added to it so that clients could communicate properly.
- Launch Server Manager on the Secondary Site server.
- Expand Configuration > Windows Firewall with Advanced Security
- Right-click on Inbound Rules and select New Rule.
- The New Inbound Rule Wizard will launch. Select Port (Rule that controls connections for a TCP or UDP port)
- Select TCP for the protocol and in the Specific local ports: box enter the custom port number for the management point(s) in your environment.
- Allow the connection.
- Set the rule to apply to Domain, Private and Public (or whatever is relevant in your environment).
- Set the name to World Wide Web Services (HTTP Traffic-In) – SCCM or whatever you’d like for it to be.
One other thing that I changed was to add the Default Application Pool account and the application pool for the distribution point (if applicable) to the IIS_IUSRS group. Since these users cannot be found easily using Select Users, Computers, Service Accounts, or Groups dialog box you have to enter them a certain way.
- For the DefaultAppPool enter IIS APPPOOL\DefaultAppPool.
- For the SMS Distribution Points Pool enter IIS APPPOOL\SMS Distribution Points Pool.
- Be sure to change the Location to the local machine.