Re: Changing Site Boundaries
- From: Galen <Galen@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Sep 2007 08:46:09 -0700
I was asked to document this problem for another co-worker to review and I'm
going to post it because I feel it's more in depth. Please let me know if
you have any thoughts.
SMS has been working great. I’m pushing out software patches and the
helpdesk group is pushing out software. Life is good. Here’s what’s gone on.
SMS Configuration
SMS 2003 SP2
On W2k3 Server
Site Boundaries are set up using IP Subnets. The subnets are based on the
floor number. We have floors 3-8 in our building. We also have a separate
subnet for all servers. Site boundaries look like this. There are more but
this is the standard and represents enough for the sake of this question.
10.3.0.0
10.4.0.0
10.5.0.0…etc…
10.10.0.0 – This is the subnet for servers
Problem
The helpdesk group identified four workstations that need to be excluded
from all patches. These machines cannot get any updates or it will impact
their production. Instead of fixing the software limitations they want me to
exclude them from SMS. My first thoughts focus on site boundaries.
Proposed Resolution
The workstations at our company all get an IP address associated with their
floor. This IP address either begins with 10.x.1 or 10.x.2. X is the floor
number. In order to keep this simple I’ll focus on the 4th floor. The
workstations on this floor will either have IP’s that start with 10.4.1 or
10.4.2. Remember, everything is working at this time.
Then, I think….solution…change the site boundaries. The site boundary for
the 4th floor should change from 10.4.0.0 to 10.4.1.0 and 10.4.2.0. This
will still include all workstations with IP’s beginning with 10.4.1 or
10.4.2. If I want to exclude any workstations from SMS I can assign them a
static IP Address of 10.4.20.x.
Results
I changed the site boundaries for all subnets from the originals (listed
above) 10.4.0.0, 10.5.0.0, 10.10.0.0, etc… to 10.4.1.0, 10.4.2.0, 10.10.1.0,
10.10.2.0, etc…. Remember all of our machines will get an IP starting with
10.x.1 or 10.x.2 unless we assign a static IP.
Then the helpdesk group discovered that they could no longer push out
applications through software distribution. They were trying to roll out
Office using a known good package but the clients could not locate the DP.
(Error Message in the CAS.log reads No matching DP Location found)
I discovered that I could not update a package to the DP. Also, I could not
create a package and push it to the DP. I also noticed that the Microsoft
Updates Tool hasn’t synced the catalog since the day before I made these
changes.
Odd
I can still discover clients and push the client out. But this other
functionality is gone.
Do you have any suggestions on how to fix this? If I should set the
configuration back to the way it was then do you have any suggestions on how
I should restrict communication between SMS and this handful of workstations?
"Galen" wrote:
This makes much more sense, thank you. I have done some testing since you
responded.
I changed my site boundaries for the fourth floor to 10.4.1.0 and 10.4.2.0.
I removed the SMS agent from some clients, then discovered them and
successfully pushed the SMS agent to the clients.
When I look at the properties of the clients from within the SMS console the
IP Subnet says 10.4.0.0. It does not say 10.4.1.0 or 10.4.2.0.
Do you know where it gets this IP Subnet information? Our subnets are
defined in AD. Is that where it's getting this data?
"Kim Oppalfens [MVP]" <""Kim dot Oppalfen" wrote:
First thing to remember when using subnets is that SMS is doing nothing
more than string comparison so you can't use 10.4.0.0 to be able to
assign 10.4.1.0 and 10.4.2.0 clients. You need to add the 2 subnets to
the site boundaries to have clients in both subnets assigned.
Now as to your concern about subnet 10.4.5.0, in your suggested
configuration SMS would never push the agent to any of the systems in
this subnet. But if you right-clicked a collection or a computer and
selected to install the client from the context menu, then SMS might
install the client assuming you deselected the checkbox to only push to
assigned resources (which is on by default).
Does that make more sense?
As to
Galen wrote:
Can you clarify this for me? As an example, I had configured the previous
site boundary for our 4th floor to correspond to the subnet, 10.4.0.0. All
clients on this floor have IP's beginning with either a 10.4.1.x or 10.4.2.x
address.
I'd like to not allow SMS to communicate with machines on the 10.4.5.x
subnet.
I assumed I could change the site boundaries to 10.4.1.0 and 10.4.2.0 thus
blocking access to 10.4.5.x addresses.
I understand now that this is incorrect. Can you help me understand this
better?
Thanks again for your time.
"Kim Oppalfens [MVP]" <""Kim dot Oppalfen" wrote:
Galen wrote:
I have SMS 2003 SP2 set up on a W2k3 platform. I have one site with only
advanced clients. This site has been functioning for some time.
I set up the site boundaries by VLAN. In this case it's been 10.x.0.0. The
"x" is the floor number the machine is on. I received a request to modify
this configuration so that the boundaries would now be 10.x.1.0 or 10.x.2.0.
The reason being is that there are machines on two other VLANs that should
not be in communication with SMS.
I've implemented this change and I have noticed some problems that I'm
having a hard time resolving.
1. Software Distribution - The CAS logs on the client error out
with No Matching DP Location Found
I have updated the DP successfully.
I can also push out the client successfully.
I am receiving all hardware/software inventories
I'm puzzled as to why only software distribution has been affected.
I sure appreciate your time in responding.
Thanks
Software distribution is affected because that is looking for a local
resource. The clients now fall outside of the boundaries of your site,
but are manually assigned to it at install, so they find the resources
to do everything else.
--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx
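An added example, not part of the original thread: a Python model of the string comparison Kim describes, assuming a client's subnet ID is its IP address ANDed with its subnet mask. The host names, addresses and both masks are constructed for illustration; a 255.255.0.0 mask would be consistent with the console showing 10.4.0.0 for every client.

```python
import ipaddress

# Constructed sample data. The boundary lists come from the thread; the host
# names, addresses and both subnet masks are assumptions for illustration.
OLD_BOUNDARIES = {"10.4.0.0"}
NEW_BOUNDARIES = {"10.4.1.0", "10.4.2.0"}
CLIENTS = {
    "ws-401": "10.4.1.25",
    "ws-402": "10.4.2.90",
    "ws-excluded": "10.4.20.7",  # static address meant to keep it out of SMS
}


def subnet_id(ip, mask):
    """Subnet ID as a dotted string: the IP address ANDed with the mask."""
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network.network_address)


def in_boundaries(ip, mask, boundaries):
    """Exact string match against the boundary list, no prefix or range logic."""
    return subnet_id(ip, mask) in boundaries


def assigned(mask, boundaries):
    """Names of the sample clients whose subnet ID matches a boundary entry."""
    return sorted(
        name for name, ip in CLIENTS.items() if in_boundaries(ip, mask, boundaries)
    )


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        for label, bounds in (("old", OLD_BOUNDARIES), ("new", NEW_BOUNDARIES)):
            print(f"mask {mask:<15} {label} boundaries -> {assigned(mask, bounds)}")
```

With a 255.255.0.0 mask all three sample machines report the same subnet ID, so no subnet boundary entry can separate the 10.4.20.x workstation from the rest.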