Tuesday, 28 February 2017

[SCCM CB] CAS or not CAS? Part 1 - The fundamentals

Yes, I know it's a very common question and there are already a lot of articles and discussions about it on the Internet. I myself already wrote an article after the SCCM 2012 SP1 release.
However, I think it's time to provide some pragmatic information and to kill some very common ideas.


I. Why not use a CAS?
A CAS doesn't provide any specific feature that you can't have with a standalone primary site.
Even if you install a standalone primary site, you can always install a CAS afterwards (see Expanding a stand-alone primary site).

Never forget that:
Regarding the last point, a lot of people overlook the site recovery prerequisites:
  • To restore a CAS, all your primary sites must be functioning.
  • To restore a primary site, your CAS must be functioning.
What if you've got a problem with your CAS and you discover that a primary site is also down? You're stuck and your only option is to call Microsoft support. :(

So my 1st recommendation: Keep your SCCM infrastructure as simple as possible and use a CAS only if you need one.

II. Why use a CAS?
Sometimes, there is no other solution but to install a CAS.

1. Because you're above the limits of a standalone primary site: According to Microsoft (https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/size-and-scale-numbers), a standalone primary site can manage up to 175.000 devices (150.000 PCs + 25.000 Macs).

2. Because you need more than 15 Management Points:
You need 1 MP for 25.000 PCs (or 10.000 MDM devices / Macs).
You also need 1 MP if you want to manage clients in an untrusted forest (https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/communications-between-endpoints).

If you've got a lot of untrusted forests (for security reasons, for example), you may require a lot of MPs. However, never forget you can also manage clients in an untrusted forest as workgroup clients (https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-to-windows-computers#BKMK_ClientWorkgroup).

Quick case study: you have:
  • 20.000 computers in your main forest (the forest that contains your site server);
  • 10.000 computers in a two-way trusted forest;
  • 10.000 computers (that you want to manage fully) in an untrusted forest;
  • 50 computers in an untrusted forest that you will manage as workgroup computers.
You need... 3 Management Points:
  • 2 Management Points that will manage 30.050 clients (main forest + trusted forest + workgroup);
  • 1 Management Point that will manage the 10.000 clients in the untrusted forest.
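
The sizing rule above, applied to the case study and to any other list of forests, as an added example that is not part of the original article. The class and function names are hypothetical, and the limits are the figures quoted in this section (25.000 PCs per MP, 15 MPs and 150.000 PCs per primary site).

```python
from dataclasses import dataclass
from math import ceil

# Figures quoted in the article (assumed still current for your SCCM version)
PCS_PER_MP = 25_000
MAX_MPS_PER_PRIMARY = 15
MAX_PCS_PER_PRIMARY = 150_000
MODES = ("main", "trusted", "untrusted", "workgroup")


@dataclass
class ClientGroup:
    name: str
    pcs: int
    mode: str  # "untrusted" means fully managed clients in an untrusted forest


def plan_management_points(groups):
    """Return (mps_per_pool, total_mps, cas_reasons) for one primary site."""
    pools = {}
    for g in groups:
        if g.mode not in MODES:
            raise ValueError(f"unknown mode for {g.name}: {g.mode}")
        # A fully managed untrusted forest needs MPs of its own; main forest,
        # trusted forests and workgroup clients share the site forest's MPs.
        pool = g.name if g.mode == "untrusted" else "site-forest"
        pools[pool] = pools.get(pool, 0) + g.pcs
    mps_per_pool = {p: ceil(n / PCS_PER_MP) for p, n in pools.items()}
    total_mps = sum(mps_per_pool.values())
    total_pcs = sum(pools.values())
    reasons = []
    if total_mps > MAX_MPS_PER_PRIMARY:
        reasons.append(f"{total_mps} MPs needed, limit is {MAX_MPS_PER_PRIMARY}")
    if total_pcs > MAX_PCS_PER_PRIMARY:
        reasons.append(f"{total_pcs} PCs, limit is {MAX_PCS_PER_PRIMARY}")
    return mps_per_pool, total_mps, reasons


# Constructed input: the quick case study from this section
CASE_STUDY = [
    ClientGroup("main-forest", 20_000, "main"),
    ClientGroup("trusted-forest", 10_000, "trusted"),
    ClientGroup("untrusted-forest", 10_000, "untrusted"),
    ClientGroup("untrusted-small", 50, "workgroup"),
]

if __name__ == "__main__":
    per_pool, total, reasons = plan_management_points(CASE_STUDY)
    print(per_pool, total, reasons or "a standalone primary site is enough")
```

An empty list of reasons means the MP count and PC count stay within the standalone primary site limits quoted above; it does not cover the slow-link and distribution point criteria.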

3. Because you need to install an MP across a slow link:
A Management Point requires a fast link to the database server.
Some people use database replicas, but that feature is normally intended to reduce CPU processing on the site database server, not to provide a "local cache". Moreover, I'd rather troubleshoot site replication than database replication. Note also that database replicas must be disabled during SCCM updates (more maintenance operations).

As a consequence, when you need to install an MP across a slow link, you need to create an additional site. That can be a secondary site or another primary site with a CAS.

4. Because you're above the limits of a primary site:
  • > 250 secondary sites
  • > 250 distribution points in the site
  • > 2000 pull-DPs
  • > 5000 DPs in the site and in the child secondary sites

In the next part, I will discuss a really common question:
Is it relevant to create several primary sites when you have several admin teams?


Stay tuned!
Julien