Jaa


Configuring Site Components in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

You configure site components to control the behavior of site system roles at a site, and to control the sites status reporting behavior. Configurations for site system roles apply to each instance of a site system role at a particular site. These configurations must be made at each site individually, and do not apply to multiple sites.

Configure Site Components for Configuration Manager

You configure site components to control the behavior of site system roles at a site, and to control the sites status reporting behavior. Configurations for site system roles apply to each instance of a site system role at a particular site. These configurations must be made at each site individually, and do not apply to multiple sites.

Use the following procedure to select the site component you will configure at a specific site.

To edit the site components at a site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and click Sites.

  3. Select the site that has the site components you will configure.

  4. On the Home tab, in the Settings group, click Configure Site Components and then select the site component you want to configure.

Configuration Options for Site Components

Many of the configuration options for the site components are self-explanatory or display additional information in the dialog boxes. Use the following sections for more information about the settings that might require some information before you configure them:

System Health Validator Point Component Properties

Configure these configuration options only if you will install System Health Valdiator points in the site to use Network Access Protection for software updates.

Configuration Option

Description

Query interval (minutes)

Specifies in minutes how often System Health Validator points retrieve and cache Configuration Manager health state references from Active Directory Domain Services. The information is retrieved with a Lightweight Directory Access Protocol (LDAP) call to a global catalog server.

The lower the value, the more quickly the System Health Validator will detect changes to the Configuration Manager NAP policies; however clients are more likely to be found non-compliant even though they have all the required software updates specified in the Configuration Manager NAP policies. In this scenario, if policies on the Network Policy Server are configured to give noncompliant clients limited network access, in this scenario, clients will not have full network access until they have download their Configuration Manager NAP policies, re-evaluated their compliance, and then send a new statement of health to the System Health Validator point. This process can take a few minutes.

The higher the value, the less likely clients will be found noncompliant when they have all the required software updates specified in the Configuration Manager NAP policies. In this scenario, clients will not risk having limited network access to download their Configuration Manager NAP policies and re-evaluate compliance. However, a higher value might mean that clients are deemed compliant when they haven't evaluated compliance with the latest Configuration Manager NAP policies.

A setting to reduce the likelihood of clients that have the selected software updates having limited network access, but to ensure that compliance results are based on the latest Configuration Manager NAP policies, is to configure this option to be twice the value specified for the client setting Client policy polling interval (by default, the client policy polling interval is once an hour).

This setting can be between 1 and 10080 minutes, and the default value is 120 minutes.

Validity period (hours)

Specifies the length of time in hours for which a cached client statement of health will be accepted as compliant by System Health Validator points.

If the client statement of health is older than the validity period, the System Health Validator point returns a health state of noncompliant to the Network Policy Server. In this scenario, if policies on the Network Policy Server enforce compliance, the client is forced to re-evaluate its compliance status and present a new statement of health. Therefore, a longer validity period results in quicker processing (and connecting times), but the compliance information might not be up to date.

This setting can be between 1 and 168 hours, and the default value is 26 hours.

Important

If you change the default validity period, ensure that you configure a value that is higher than the configured NAP re-evaluation schedule client setting. If the compliance evaluation on the client occurs less frequently than the validity period, clients will be found noncompliant by the System Health Validator point.

In this scenario, remediation will instruct clients to re-evaluate their compliance and produce a current statement of health. This process might take a few minutes to complete, so if policies on the Network Policy Server are configured to limit network access for non-compliant computers, computers will not be able to access network resources on the full network during this re-evaluation time.

Date created must be after (UTC)

Specifies whether you want to ensure a client statement of health is created after a specified date and time (in Coordinated Universal Time). After selecting this option, select the date and time. The date and time cannot be set to a future value but must be the current or a previous date and time.

Setting this option is appropriate if you have just configured a new Configuration Manager Network Access Protection (NAP) policy and it is imperative that the software update selected in the policy is included in the evaluation, regardless of the validity period.

This option is not enabled by default.

Designate an Active Directory forest

Specifies that the site server and System Health Validator points for this site are not in the same Active Directory forest. To configure the System Health Validator Point Component for this environment, you must identify which forests the System Health Validator points reside in, identify whether trust relationships exist between them, and decide which forest will publish the Configuration Manager health state references

The Active Directory forest that publishes the health state references must be extended with the Configuration Manager schema extensions, the site servers must be publishing to Active Directory, and permissions must be set appropriately on the System Management container in Active Directory. These Active Directory dependencies might affect your decision on which forest will be used to publish the Configuration Manager health state references.

The following scenarios identify four basic configurations when Network Access Protection in Configuration Manager spans multiple Active Directory forests. Use these scenarios to help you decide which Active Directory forest will publish the health state references.

  • Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to the forest that contains the site servers. Choose this option if you can extend Active Directory Domain Services for Configuration Manager, and if the System Health Validator points reside in a perimeter network

  • Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to the forest that contains the System Health Validator points. Choose this option if you cannot extend Active Directory Domain Services for Configuration Manager, but you can extend the schema of the second forest.

  • Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to a third Active Directory forest that has trust relationships with the other two forests (either a forest trust or external domain trusts). Choose this option if you cannot extend Active Directory Domain Services for either forest, but you can extend the schema of a new or existing forest.

  • Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to a third Active Directory forest that has no trust relationships with the other two forests (neither a forest trust nor external domain trusts). Choose this option if you cannot extend Active Directory Domain Services for either forest, but you can extend the schema of a new or existing forest that cannot have any trust relationships with the other two forests.

Health state reference publishing account

Specifies a Microsoft Windows user account in the designated Active Directory forest if any of the following apply:

  • The designated forest is not the same forest as the site server.

  • There is no trust relationship between the site server's domain and the Domain suffix.

  • There is a trust relationship between the site server's domain and the Domain suffix, but Full Control permission has not be granted to the System Management Active Directory container for the site server's computer account.

Health state reference querying account

Specifies a Windows user account in the designated Active Directory forest if any of the following apply:

  • The designated forest is not the same forest as the System Health Validator points.

  • There is no trust relationship between the System Health Validator points and the Domain suffix.

Software Distribution Component Properties

Configuration Option

Description

Network Access Account

Specify a Windows user account for the Network Access Account when client computers from workgroups or non-trusted domains require access to network resources.

Important

The Network Access account is never used as the security context to run applications and programs, install software updates, or run task sequences. It is used only for accessing resources on the network.

Although Configuration Manager client computers use the Local System account to perform most Configuration Manager client operations on the computer, the Local System account cannot access network resources. For example, the Local System account cannot authenticate a computer to distribution points, so that the computer can make a connection and download software. In these scenarios, clients from trusted domains use the <computername>$ account to access network resources. Computers that cannot use the <computername>$ for computer authentication can use a specified Windows user account for the Network Access Account.

You might also have to specify a Windows user account for the Network Access Account when you deploy an operating system. This is because the computer that receives the operating system does not have a security context it can use to access content on the network.

Note

When you specify a Windows user account, configure it to have the minimum appropriate permissions on the content that it must access to download the software. The account must have Access this computer from the network user right on the distribution point or other server that holds the package content.

Do not grant this account the interactive logon user right or the user right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account.

For System Center 2012 R2 Configuration Manager and later: You can now specify multiple network access accounts for a site. When clients try to access content and cannot use their local computer account, they will first use the last network access account that successfully connected. Configuration Manager supports adding up to ten network access accounts.

Software Update Point Component Properties

For more information about the configuration options for the software update point component, see Configuring Software Updates in Configuration Manager.

Management Point Component Properties

Configuration Option

Description

Management points

Specifies the management points in the Configuration Manager site to publish to Active Directory Domain Services.

Configuration Manager clients use management points for service location: to find site information such as boundary group membership and PKI certificate selection options; and to find other management points in the site and distribution points from which to download software. Clients also use management points to complete site assignment and download client policy and upload their client information.

Because the most secure method for clients to find management points is to publish them in Active Directory Domain Services, you will typically always select all functioning management points to publish to Active Directory Domain Services. However, this service location method requires that the schema is extended for Configuration Manager, there is a System Management container with appropriate security permissions for the site server to publish to this container, that the Configuration Manager site is configured to publish to Active Directory Domain Services, and that clients belong to the same Active Directory forest as the site server’s forest.

When clients on the intranet cannot use Active Directory Domain Services to find management points, use DNS publishing.

Publish selected intranet management points in DNS

Specify this option when clients on the intranet cannot find management points from Active Directory Domain Services, but they can use a DNS service location resource record (SRV RR) to find a management point in their assigned site.

For Configuration Manager to publish intranet management points to DNS, all the following conditions must be met:

  • Your DNS servers have a version of BIND that is 8.1.2 or later.

  • Your DNS servers are configured for automatic updates and support service location resource records.

  • The specified FQDNs for the management points in Configuration Manager have host entries (A or AAA records) in DNS.

Warning

For clients to find management points that are published in DNS, you must assign the clients to a specific site (rather than use automatic-site assignment) and configure these clients to use the site code with the domain suffix of their management point. For more information, see How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager.

If Configuration Manager clients cannot use Active Directory Domain Services or DNS to find management points on the intranet, they fall back to using WINS. The first management point that is installed for the site is automatically published to WINS when it is configured to accept HTTP client connections on the intranet.

Out of Band Management Point Component Properties

Important

You cannot save configuration options for the out of band management component unless the site has at least one enrollment point installed.

For more information about the configuration options for the out of band management point component, see Step 5: Configuring the Out of Band Management Component.

Collection Membership Evaluation

Note

For System Center 2012 Configuration Manager SP1 and later:

Use this task to change how often collection membership is incrementally evaluated. Incremental evaluation updates a collection membership with only new or changed resources.

In Configuration Manager with no service pack, you configure collection membership evaluation as a site maintenance task. For information, see the section Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic.