System Center 2012 Configuration Manager Best Practices
These are "best practices" for Configuration Manager. Since "best practices" come from your experiences with Configuration Manager, we'd really like to hear from you, so please add any you have encountered.
Best Practices Before Installation
New! SQL Collation must be set to "SQL_Latin1_General_CP1_CI_AS"
Why is this important? First, it is a setting that most people don't change (it's hidden from view), and second, it is set based on your regional settings. When you install SQL Server (which ConfigMgr needs to host its database), the SQL Collation is 'set in stone' during setup, which is why knowing what your SQL Collation is and what it should be is important before you run ConfigMgr setup. To learn how to identify your SQL Collation on a running SQL Server and how to change SQL Collation during SQL Server setup, see this post. Having the wrong SQL Server Collation will require you to reinstall SQL Server from scratch, and that takes time and effort.
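A pre-flight check for this requirement, as an added example that is not part of the original article: it reads the server-level collation and lists any databases whose collation differs from the required value. The function name and the instance name are hypothetical, and Windows authentication to the SQL Server instance is assumed.

```powershell
# Added example: pre-flight collation check to run before ConfigMgr setup.
# Assumes Windows PowerShell and Windows (integrated) authentication.
function Test-ConfigMgrSqlCollation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$SqlInstance,  # e.g. 'SQL01' or 'SQL01\CM' (placeholders)
        [string]$Required = 'SQL_Latin1_General_CP1_CI_AS'   # value required by the article
    )

    $query = @'
SELECT name           AS DatabaseName,
       collation_name AS DatabaseCollation,
       CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS ServerCollation
FROM sys.databases;
'@

    $connString = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
    $conn  = New-Object System.Data.SqlClient.SqlConnection $connString
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $table.Load($cmd.ExecuteReader())
    }
    finally {
        $conn.Dispose()
    }

    $serverCollation = [string]$table.Rows[0].ServerCollation
    # collation_name is NULL for databases that are offline; skip them.
    $mismatched = @($table.Rows | Where-Object {
        $_.DatabaseCollation -isnot [DBNull] -and $_.DatabaseCollation -ne $Required
    } | ForEach-Object { '{0} ({1})' -f $_.DatabaseName, $_.DatabaseCollation })

    [pscustomobject]@{
        SqlInstance         = $SqlInstance
        ServerCollation     = $serverCollation
        ServerCollationOk   = ($serverCollation -eq $Required)
        MismatchedDatabases = $mismatched
    }
}

# Usage (instance name is a placeholder):
# Test-ConfigMgrSqlCollation -SqlInstance 'SQL01'
```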
Best Practices for SQL Server Installation
A lot of early adopters of System Center 2012 Configuration Manager are having issues getting SQL Server installed correctly. Many issues are due to an unsupported version or the wrong cumulative update being applied. For information on supported versions, see Supported Configurations for Configuration Manager: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig
SQL Server issues can also occur when the wrong certificate is applied or the port is misconfigured. For SQL Server installation and configuration tips, see the support blog: http://blogs.technet.com/b/configurationmgr/archive/2012/05/03/fix-unable-to-connect-cas-or-primary-to-the-sql-database-during-the-system-center-2012-configuration-manager-setup.aspx
Best Practices for Client Deployment
Extend the Active Directory schema and publish the site so that you can run CCMSetup without command-line options
When you extend the Active Directory schema for Configuration Manager and the site is published to Active Directory Domain Services, many client installation properties are published to Active Directory Domain Services. If a computer can locate these client installation properties, it can use them during Configuration Manager client deployment. Because this information is automatically generated, the risk of human error associated with manually entering installation properties is eliminated. For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.
When you have many clients to deploy, plan a phased rollout outside business hours
Minimize the effect of the CPU processing requirements on the site server by planning a phased rollout of clients over a period of time. Deploy clients outside business hours so that critical business services have more available bandwidth during the day and users are not disrupted if their computer slows down or requires a restart to complete the installation.
Enable automatic upgrade after your main client deployment has finished
Automatic client upgrades are useful when you want to upgrade a small number of client computers that might have been missed by your main client installation method. For example, you have completed an initial client upgrade, but some clients were offline during the upgrade deployment. You then use this method to upgrade the client on these computers when they are next active. For more information about this client deployment method, see the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the How to Install Clients on Computers in Configuration Manager topic.
Use SMSMP and FSP if you install the client with client.msi properties
The SMSMP property specifies the initial management point for the client to communicate with and removes the dependency on service location solutions such as Active Directory Domain Services, DNS, and WINS.
Use the FSP property and install a fallback status point so that you can monitor client installation and assignment, and identify any communication problems. For more information about these options, see About Client Installation Properties in Configuration Manager.
If you want to use client languages other than English, install the client language packs before you install the clients
If you install client language packs on a site after you install clients, you must reinstall the clients before they can use the additional languages. For mobile device clients, this means you must wipe the mobile device and enroll it again. For more information about how to add support for additional client languages, see Install Sites and Create a Hierarchy for Configuration Manager.
Best Practices for Collections
Do not use incremental updates for a large number of collections
Enabling the Use incremental updates for this collection option for many collections might cause evaluation delays. The threshold is about 200 collections. The exact number depends on the following factors:
- The total number of collections
- The frequency of new resources being added and changed in the hierarchy
- The number of clients in your hierarchy
- The complexity of collection membership rules in your hierarchy
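One way to see where a site stands against that threshold, as an added example that is not part of the original article: it queries the SMS Provider for collections with incremental updates enabled and compares the count with the approximate limit of 200. The function name, site server and site code are hypothetical, and read access to the provider's WMI namespace is assumed.

```powershell
# Added example: count collections that have incremental updates enabled.
# Run in Windows PowerShell with read access to the SMS Provider.
function Get-IncrementalCollectionReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$SiteServer,  # SMS Provider host (placeholder)
        [Parameter(Mandatory = $true)][string]$SiteCode,    # three-character site code (placeholder)
        [int]$Threshold = 200                               # approximate limit from the article
    )

    $collections = @(Get-WmiObject -ComputerName $SiteServer `
        -Namespace "root\sms\site_$SiteCode" -Class SMS_Collection `
        -Property CollectionID, Name, RefreshType, MemberCount)

    # SMS_Collection.RefreshType: 1 = manual, 2 = scheduled, 4 = incremental,
    # 6 = scheduled and incremental. Testing bit 4 matches both 4 and 6.
    $incremental = @($collections | Where-Object { $_.RefreshType -band 4 })

    [pscustomobject]@{
        TotalCollections       = $collections.Count
        IncrementalCollections = $incremental.Count
        Threshold              = $Threshold
        OverThreshold          = ($incremental.Count -gt $Threshold)
        # Largest collections first: they are the most expensive to re-evaluate.
        Collections            = $incremental |
            Sort-Object MemberCount -Descending |
            Select-Object CollectionID, Name, RefreshType, MemberCount
    }
}

# Usage (server name and site code are placeholders):
# Get-IncrementalCollectionReport -SiteServer 'CM01' -SiteCode 'P01'
```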
Do not modify the built-in collections; instead, copy a collection and then modify the pasted copy
If a default collection (such as All Desktop and Server Clients) does not meet your business requirements, do not modify the collection. Instead, copy and paste the collection, and then modify the new collection. This practice helps to troubleshoot collection queries and safeguards against the possibility that future upgrades might overwrite and change the built-in collections.
Best Practices for Endpoint Protection
Configure custom client settings for Endpoint Protection
When you configure client settings for Endpoint Protection, do not use the default client settings because they apply settings to all computers in your hierarchy. Instead, configure custom client settings and assign these settings to collections of computers in your hierarchy.
When you configure custom client settings, you can do the following:
- Customize antimalware and security settings for different parts of your organization.
- Test the effects of running Endpoint Protection on a small group of computers before you deploy it to the entire hierarchy.
- Add more clients to the collection over time to phase your deployment of the Endpoint Protection client.
Distribute definition updates by using software updates
If you are using Configuration Manager software updates to distribute definition updates, consider placing definition updates in a package that does not contain other software updates. This keeps the size of the definition update package smaller which allows it to replicate to distribution points more quickly.
Best Practices for Hardware Inventory
Enable MIF file collection only when required
MIF files could contain large amounts of data and collecting this data could negatively affect the performance of your site. Enable MIF file collection only when required and configure the option Maximum custom MIF file size (KB) in the hardware inventory client settings. For more information, see How to Configure Hardware Inventory in Configuration Manager.
Best Practices for Power Management
Perform the monitoring phase at a representative time
The monitoring phase of power management provides you with information about the power consumption, activity, power management capabilities, and environmental impact of computers in your organization. Ensure that you choose a representative time to perform the monitoring phase. For example, performing the monitoring phase over a public holiday does not provide a realistic report on computer power usage.
Create a control collection of computers with no power plans applied
After you have created a collection of computers to which you want to apply power management settings, split this collection into two sub collections. One sub collection should contain the majority of the computers to which you want to apply power settings and the other sub collection (the control collection) should contain the remaining computers. Apply the required power management plan to the sub collection containing the majority of computers. You can then run reports to compare the power cost, power usage and environmental impact of the computers to which you have applied power settings and the control collection that you have not applied power settings to.
Run the Power Settings report before you apply a power management plan
Before you apply a power management plan to a collection of computers, run the Power Settings report to help you understand the power management settings that are already configured on computers in the collection. If you apply new power management settings to computers without first examining the existing settings, this might lead to an increase in power consumption.
Exclude computers that you do not want to manage
If you have computers that you do not want to manage with power management, add these to a collection and ensure that the collection is excluded from power management.
Examples of computers you might want to exclude from power management include:
- Computers that must remain turned on.
- Computers that users need to connect to by using Remote Desktop Connection.
- Computers that cannot use power management.
- Server computers that must remain available at all times.
- Public computers such as kiosk computers, information displays or monitoring consoles where the computer and the monitor must always be turned on.
First, apply power plans to a test collection of computers
Always test the effect of applying a power management plan on a test collection of computers before you apply the power plan to a larger collection of computers.
Power settings applied to computers running Windows XP or Windows Server 2003 are not reverted to their original values even if you exclude the computer from power management. On later versions of Windows, excluding a computer from power management causes all power settings to be reverted to their original values. You cannot revert individual power settings to their original values.
Apply power plan settings individually
Monitor the effect of applying each power setting before you apply the next one to ensure each setting has the required effect. For more information about power plan settings, see Available Power Management Plan Settings in the topic How to Create and Apply Power Plans in Configuration Manager.
Regularly monitor computers to see if they have multiple power plans applied
Power management includes a report that displays computers that have more than one power plan applied.
If a computer is a member of multiple collections, each applying different power plans, then the following actions will be taken:
- Power plan: If multiple values for power settings are applied to a computer, the least restrictive value is used.
- Wakeup time: If multiple wakeup times are applied to a desktop computer, the time closest to midnight will be used.
Save or export power management information during the monitoring and planning phase of power management
Power management information used by daily reports is retained in the Configuration Manager site database for 31 days.
Power management information used by monthly reports is retained in the Configuration Manager site database for 13 months.
When you run reports during the monitoring and planning and compliance phases of power management, save or export the results from any reports for which you want to retain the data for later comparison in case they are later removed by Configuration Manager.
Best Practices for Reporting
For best performance, install the reporting services point on a remote site system server
Although you can install the reporting services point on the site server or a remote site system, performance is increased when you install the reporting services point on a remote site system server.
New! Read the forum topic: Installing the Reporting Point role with a cluster.
Optimize SQL Server Reporting Services queries
Typically, any reporting delays are because of the time it takes to run queries and retrieve the results. If you are using Microsoft SQL Server, tools such as Query Analyzer and Profiler can help you optimize queries.
Schedule report subscription processing to run outside standard office hours
Whenever possible, schedule report subscription processing to run outside standard office hours to minimize the CPU processing on the Configuration Manager site database server. This practice also improves availability for unpredicted report requests.
Best Practices for Software Updates
When Configuration Manager and WSUS use the same SQL Server, configure one of these to use a named instance and the other to use the default instance of SQL Server
When the Configuration Manager and WSUS databases use the same SQL Server and share the same instance of SQL Server, you cannot easily determine the resource usage between the two applications. When you use a different SQL Server instance for Configuration Manager and WSUS, it is easier to troubleshoot and diagnose resource usage issues that might occur for each application.
Use a custom website for the WSUS installation
When you install WSUS 3.0, you can specify whether to use the default Internet Information Services (IIS) website or create a WSUS 3.0 website. As a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the active software update point for the site.
Specify the Store updates locally setting for the WSUS installation
When you install WSUS 3.0, select Store updates locally so that license terms that are associated with software updates are downloaded during the synchronization process and stored on the local hard drive for the WSUS server. When this setting is not selected, client computers might fail to scan for software updates compliance for software updates that have license terms. When you install the active software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes, by default.
Create a new software update group each time an automatic deployment rule runs for “Patch Tuesday” and for general deployment
There is a limit of 1000 software updates for a software update deployment. When you create an automatic deployment rule, you specify whether to use an existing update group or create a new update group each time the rule runs. When you specify criteria in an automatic deployment rule that results in many software updates, and the rule runs on a recurring schedule, choose to create a new software update group each time the rule runs to prevent the deployment from surpassing the limit of 1000 software updates per deployment.
Use an existing software update group for automatic deployment rules for Endpoint Protection definition updates
Always use an existing software update group when you use an automatic deployment rule to deploy Endpoint Protection definition updates on a frequent basis. Otherwise, hundreds of software update groups will be created over time. Typically, definition update publishers set definition updates to be expired when they are superseded by 4 newer updates. Therefore, the software update group that is created by the automatic deployment rule will never contain more than 4 definition updates for the publisher (1 active and 3 superseded).
Do not deploy software updates that require multiple reboots via task sequence
Exclude updates that require multiple reboots from your operating system deployment collection if you are using the software update step in task sequences. Deploy these updates separately or add them to your images. If software updates that require multiple reboots are installed via task sequence, the installation will fail. See Microsoft KB2894518 for an updated list of software updates that require multiple reboots.