Proxy MP Setup questions
Hi All. I just set up a secondary site w/o SQL and would like to set it as a Proxy MP and protected Distribution point. While setting up the site was easy, some of the options seemed ambiguous to me when running the 'Add Role' wizard. Sorry for all the questions, just that the MS documentation on what to do AFTER you select 'Add Role' for a proxy MP is almost non-existent. We are using SCCM 2007 R3 & SQL 2008 Std.
1. Setting up a ProxyMP on the new site. Asking 'Specify the account used by management points computer account.' I selected 'Use the management points computer account.' Correct? Or should I use the SCCM Administrator account, which is in our Domain Admin AD Group?
2. Should I check 'Allow only Site server initiated data transfers from the site system?'
3. Should I check 'Allow devices to use this management point.' Is this for client PCs, or does it mean mobile phones, etc.?
4. 'Specify the account used by the management point to connect with the database.' Default is to use the management points computer account. Or should I use the SCCM Administrator account for this?
5. Perhaps most important, how do I add the new secondary site's computer into SQL for proper permissions? I did not set up SQL on the primary site this one will connect to, and I'm not a 'SQL guy' in any way. Is there a (relatively) easy guide that will walk me through doing this so the new secondary site ProxyMP can properly connect to the parent SQL db?
March 25th, 2011 6:43pm
#1: you actually can use both. The computer account is the preferred one.
#2: it depends if there's a firewall in place that would require that setting. See
http://technet.microsoft.com/en-us/library/bb694127.aspx
#3: "device" = mobile devices. No need to enable it if there aren't those to be managed.
#4: it depends on your company's security requirements. Using the computer account is easier (no need to handle separate accounts)
#5: ConfigMgr will take care of that when using the console to install the secondary; just make sure that you add the computer account of the site server to the local admins group on the primary. See
http://technet.microsoft.com/en-us/library/bb680450.aspx
Torsten Meringer | http://www.mssccmfaq.de
March 28th, 2011 9:29am
Hi Torsten. This is a GREAT HELP! Thank you.
For #5, the issue is I set up the secondary on the local system and NOT from the Central Site console. So I still need to manually add SQL perms, I'm assuming? What do I need to do in the SQL DB on the primary parent site to grant the new secondary site all necessary SQL access?
BTW, of our 8 sites, only one of the sites' computer accounts is in the local admin group of the primary parent site. This site is a FSP and a proxy MP. Should all other secondary site system accounts be added to the primary parent site local admin group?
March 28th, 2011 4:21pm
Anyone have an idea on my SQL question above?
April 2nd, 2011 10:49am
No need to change anything in the SQL DB.
ConfigMgr creates groups from site to site access, SMS_SitetoSite_
Check under Computer Management on your server.
April 3rd, 2011 6:36pm
Hello - See the detailed comments from Mr. Wally below. Maybe this will help.
Each site's address account (would default to the computer account) would need to be added to the remote site's SMS_SiteToSiteConnection group (so primary site server in secondary site's group and secondary site server in primary site server's group). No other rights are required. That's all there is to that. See:
http://technet.microsoft.com/en-us/library/bb680457.aspx and http://technet.microsoft.com/en-us/library/bb632811.aspx
and
http://technet.microsoft.com/en-us/library/bb632349.aspx
Then the sites must exchange keys (we default to requiring secure key exchange). It should happen automatically in AD, but I've seen it take over an hour. So you can manually transfer them if needed using Preinst.exe. However, before you do this, validate in the parent site's despool.log that this is the case (there would be entries something like (waiting for keys) if this is needed). See:
http://technet.microsoft.com/en-us/library/bb693690.aspx
Anoop C Nair
April 3rd, 2011 11:44pm
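The two access models mentioned in this thread (site server computer accounts in the local Administrators group versus membership of the SMS_SiteToSiteConnection group only) can be audited on a site server. The script below is an added example, not part of the original posts or of ConfigMgr; the domain CONTOSO, the servers SEC01 to SEC03 and the site code P01 are constructed values, and the live collection function assumes the LocalAccounts cmdlets of Windows PowerShell 5.1 or later.

```powershell
# Added example. CONTOSO, SEC01..SEC03 and site code P01 are constructed values.

# Live collection of the relevant local groups on the server being audited.
# Assumes the Get-LocalGroup / Get-LocalGroupMember cmdlets are available.
function Get-LocalGroupMap {
    $map = @{}
    Get-LocalGroup |
        Where-Object { $_.Name -eq 'Administrators' -or $_.Name -like 'SMS_SiteToSiteConnection*' } |
        ForEach-Object { $map[$_.Name] = @(Get-LocalGroupMember -Name $_.Name | ForEach-Object { $_.Name }) }
    return $map
}

# Classify each remote site server account by how it is granted access.
function Get-SiteAccessReport {
    param(
        [Parameter(Mandatory)] [string[]]  $RemoteSiteServers,  # e.g. 'CONTOSO\SEC01$'
        [Parameter(Mandatory)] [hashtable] $GroupMembers        # group name -> member names
    )
    $s2sGroups = @($GroupMembers.Keys | Where-Object { $_ -like 'SMS_SiteToSiteConnection*' })
    foreach ($account in $RemoteSiteServers) {
        $inS2S   = @($s2sGroups | Where-Object { $GroupMembers[$_] -contains $account })
        $isAdmin = [bool]($GroupMembers['Administrators'] -contains $account)

        if     ($inS2S.Count -gt 0 -and -not $isAdmin) { $finding = 'OK: site-to-site group only' }
        elseif ($inS2S.Count -gt 0)                    { $finding = 'Review: also a local administrator' }
        elseif ($isAdmin)                              { $finding = 'Review: local administrator, not in site-to-site group' }
        else                                           { $finding = 'Missing: no site-to-site access' }

        [pscustomobject]@{
            Account         = $account
            SiteToSiteGroup = ($inS2S -join ',')
            LocalAdmin      = $isAdmin
            Finding         = $finding
        }
    }
}

# Constructed sample data so the report logic can be run anywhere.
$sample = @{
    'Administrators'               = @('CONTOSO\Domain Admins', 'CONTOSO\SEC01$')
    'SMS_SiteToSiteConnection_P01' = @('CONTOSO\SEC01$', 'CONTOSO\SEC02$')
}
$servers = 'CONTOSO\SEC01$', 'CONTOSO\SEC02$', 'CONTOSO\SEC03$'
Get-SiteAccessReport -RemoteSiteServers $servers -GroupMembers $sample | Format-Table -AutoSize

# On a real site server, replace $sample with the live data:
#   Get-SiteAccessReport -RemoteSiteServers $servers -GroupMembers (Get-LocalGroupMap)
```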