Re: Preventing Users who travel from switching SMS sites

I will read the document this weekend. Thank you. Just for clarification, we
have one Central site (which only manages a few servers in our AD Forest
Root) and two primaries, each reporting up to the Central. Each primary has
2-3 additional DPs. There are no secondary site servers.

Thanks

"Cathy Moya [MS]" wrote:

Have your read the Roaming white paper yet? If not, start there. I think a
lot of your questions are answered in there.
SMS 2003 Configuration and Operation of Advanced Client Roaming
http://www.microsoft.com/downloads/details.aspx?FamilyID=37ac2246-453a-4418-b026-f7140a6fce3c&DisplayLang=en

Even though the IP address changes, Advanced Clients should never be
changing site membership just because they show up in a different site's
boundaries. (That's one of the reasons you don't want overlapping
boundaries, ever, so the client can't get confused about which site it
belongs to.)

Just trying to noodle this through (and not get confused with what I see in
SMS v4 Network Access Protection scenarios.) Hm. What is the relationship
between primary 1 and primary 2? Is there a parent/child thing going on? are
they in any type of hierarchical relationship? I'm assuming by the naming
that neither is a secondary site. If they are in separate hierarchies, there
would definitely be a problem. If Primary 2 is below Primary 1 in the
hiearchy, it should work. If Primary 2 is a sibling site or higher in the
hierarchy, you would have to have schema extensions enabled for global
roaming, but with that in place, "global" roaming should work.

I'm going to assume for a minute that primary 1 is the central site and
Primary 2 is a child primary to Primary 1. I roam from Primary 1 to Primary
2. My IP address changes, but I know that I am still in the boundaries for
an SMS site in this hierarchy. I still go back and get my policy from my
assigned site, which is Primary 1. Ah, maybe that's the problem. When I am
in quarantine, am I allowed to reach the management point for Primary 1? Or
am I totally blocked? See, I will never get policy from Primary 2. I am
never managed by Primary 2. If a package exists on a distribution point in
primary 2, I can ask my assigned management point (in Primary 1) for a
content location request, and it can tell me if there is a distribution
point with the package I need in my resident site (Primary 2). If my
resident site (Primary 2) does not have a distribution point with the
package I need, I would fall back to my assigned site (Primary 1). But
again, all this assumes I can reach my assigned site for the content request
and for the fallback package distribution.

I'm not an expert on roaming, but if you don't have overlapping boundaries,
this is my second guess. Read the white paper and make sure I'm not
committing logical errors in how this scenario would play out.

We have a lot of interesting issues with all this as we move forward with
Network Access Protection, the next generation of "quarantining" clients.
But that's in SMS v4 and there's been a lot of design discussion to make it
all work.
--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Windows Enterprise Management Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.

"Chris Elder" <ChrisElder@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6DD64713-2992-4491-86CD-5872F449D2B0@xxxxxxxxxxxxxxxx

There is no overlap. We have multiple VLANs for our Corporate
headquarters.
All of the VLAN subnets for Corp HQ are in one AD site, which is assigned
to
Primary1. We have RRAS for remote access/VPN. When we take a laptop home
from
corporate and connect through RRAS, we get an IP address assigned from a
pool
of addresses on the RRAS subnets. These subnets are in a different AD Site
and are assigned to Primary2.

If the SMS client is not supposed to move from site to site, how does it
handle this situation? On RRAS the client has an IP that is not defined
within the site boundaries of Primary1. So should the client say "I guess
I
am no longer managed by SMS since my IP is not in the site boundaries" or
should it say "I now have an IP that is in the site boundary of Primary2.
I
will let this site manage me now". Or is there another way for it to
handle
this? (Roaming boundaries, perhaps?)

The thing is, we use SMS to patch clients that connect through RRAS and
fail
quarantine. If they are not up to patch level, then they are on a
"limited"
network with access only to the SMS Site. This is so SMS can deliver the
necessary patches and reboot them. Then they can reconnect via RRAS, pass
quarantine, and get down to business. However, the client appears to be
having issues with the site assignments and can therefor not get mandatory
updates. In affect, they are no longer allow on our network via RRAS/VPN.

Thanks

"Cathy Moya [MS]" wrote:

Advanced Clients should never switch sites. But if you are seeing
weirdness,
the first thing to do is make sure you do NOT have overlapping
boundaries.
No boundary (IP Subnet or AD site) should be configured in two different
SMS
sites, even if you have secondary sites.

--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Windows Enterprise Management Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.


"Chris Elder" <ChrisElder@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:24EFA730-D712-4627-B2E7-22E800189F60@xxxxxxxxxxxxxxxx
SMS 2003 SP1 advanced clients. We have never had SMS 2.0 in this
environment.
The clients are XP SP2 mostly. We have one central site in our AD
forest
root, two primary SMS site servers that are splitting the client load
(about
2000 on each site), and 6 DPs.

Thanks.

"David Tyra" wrote:

Is this SMS 2.0 or SMS 2003? If this is SMS 2003, are these legacy
clients
or advanced clients? If this is SMS 2.0 or SMS 2003 legacy clients,
you
will
need to enable travel mode on these clients so they won't switch
sites.
If
these are advanced clients, they shouldn't be switching site
assignments.

Regards,

David Tyra

"Chris Elder" <ChrisElder@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F00F341D-EB45-49C6-9F0C-0C339B1ABC9A@xxxxxxxxxxxxxxxx
Good morning. We have users at a Corporate site who are managed by
Primary
SMS site server A. When they go home or travel and connect to the
corp.
LAN
via RRAS VPN, they are assigned an IP address from a VLAN subnet
that
is
assigned to Primary SMS site server B. We are facing issues where
they
are
not immediately manageable via SMS because they are switching sites.
This
is
a problem since our Quarantine/RRAS solution depends upon SMS to
deliver
updates to a client who doesn't meet mimimum criteria for access to
our
network. Our site boundaries are defined by both AD sites and by IP
subnets.
We need to keep the Corporate subnets on PrimaryA and the RRAS/VPN
subnets
on
PrimaryB for load balancing.

Any assistance with this issue would be greatly appreciated. We
cannot
go
into production with our RRAS/Quarantine solution (based on SMS)
until
this
issue is resolved. Thank you for your time.









.

Relevant Pages

  • Re: SMS Advance Client not assigned to the site
    ... added 3 subnets individually on top of that. ... In the Roaming Boundaries tab, ... all clients in our network are XPs so I don't need to worry ... Sms 2003 has 2 types of clients: ...
    (microsoft.public.sms.admin)
  • Re: Preventing Users who travel from switching SMS sites
    ... SMS 2003 Configuration and Operation of Advanced Client Roaming ... boundaries, ever, so the client can't get confused about which site it ... the next generation of "quarantining" clients. ... within the site boundaries of Primary1. ...
    (microsoft.public.sms.admin)
  • Re: SMS Advanced Clients not seeing protected Distribution Point - Using the wrong Distribution
    ... If so then its IP addresses should be defined as belonging to SMS ... If it's a Primary have the clients been reassigned or do they still ... How are you defining the Roaming boundaries of Site 2? ... Check out the client boundaries at Site2, ...
    (microsoft.public.sms.admin)
  • Re: Preventing Users who travel from switching SMS sites
    ... SMS 2003 Configuration and Operation of Advanced Client Roaming ... Even though the IP address changes, Advanced Clients should never be ... boundaries, ever, so the client can't get confused about which site it ... within the site boundaries of Primary1. ...
    (microsoft.public.sms.admin)
  • Re: Secondary Site Clients
    ... This will at least allow you to be confident that your SMS advanced clients ... are picking up the name of the resident secondary site. ... That has nothing to do with boundaries. ...
    (microsoft.public.sms.setup)
Loading