Proxy MP Setup questions
Hi All. I just set up a secondary site w/o SQL and would like to set it as a Proxy MP and protected Distribution point. While setting up the site was easy, some of the options seemed ambiguous to me when running the 'Add Role' wizard. Sorry for all the questions, just that the MS documentation on what to do AFTER you select 'Add Role' for a proxy MP is almost non-existent. We are using SCCM 2007 R3 & SQL 2008 Std.

1. Setting up a ProxyMP on the new site. Asking 'Specify the account used by management points computer account.' I selected 'Use the management points computer account.' Correct? Or should I use the SCCM Administrator account, which is in our Domain Admin AD Group?

2. Should I check 'Allow only Site server initiated data transfers from the site system'?

3. Should I check 'Allow devices to use this management point'? Is this for client PCs, or does it mean mobile phones, etc.?

4. 'Specify the account used by the management point to connect with the database.' Default is to use the management points computer account. Or should I use the SCCM Administrator account for this?

5. Perhaps most important, how do I add the new secondary site's computer into SQL for proper permissions? I did not set up SQL on the primary site this one will connect to, and am not a 'SQL guy' in any way. Is there a (relatively) easy guide that will walk me through doing this so the new secondary site ProxyMP can properly connect to the parent SQL db?
March 25th, 2011 6:43pm

#1: you actually can use both. The computer account is the preferred one.
#2: it depends if there's a firewall in place that would require that setting. See http://technet.microsoft.com/en-us/library/bb694127.aspx
#3: "device" = mobile devices. No need to enable it if there aren't those to be managed.
#4: it depends on your company's security requirements. Using the computer account is easier (no need to handle separate accounts).
#5: ConfigMgr will take care of that when using the console to install the secondary; just make sure that you add the computer account of the site server to the local admins group on the primary. See http://technet.microsoft.com/en-us/library/bb680450.aspx

Torsten Meringer | http://www.mssccmfaq.de
March 28th, 2011 9:29am

Hi Torsten. This is a GREAT HELP! Thank you.

For #5, the issue is I set up the secondary on the local system and NOT from the Central Site console. So I still need to manually add SQL perms, I'm assuming? What do I need to do in the SQL DB on the primary parent site to grant the new secondary site all necessary SQL access?

BTW, of our 8 sites, only one of the sites' computer accounts is in the local admin group of the primary parent site. This site is a FSP and a proxy MP. Should all other secondary site system accounts be added to the primary parent site local admin group?
March 28th, 2011 4:21pm

Anyone have an idea on my SQL question above?
April 2nd, 2011 10:49am

No need to change anything in the SQL DB. ConfigMgr creates groups from site to site access, SMS_SitetoSite_ Check under Computer Management on your server.
April 3rd, 2011 6:36pm

Hello - See the detailed comments from Mr. Wally below. Maybe this will help.

Each site's address account (would default to the computer account) would need to be added to the remote site's SMS_SiteToSiteConnection group (so primary site server in secondary site's group and secondary site server in primary site server's group). No other rights are required. That's all there is to that. See: http://technet.microsoft.com/en-us/library/bb680457.aspx and http://technet.microsoft.com/en-us/library/bb632811.aspx and http://technet.microsoft.com/en-us/library/bb632349.aspx

Then the sites must exchange keys (we default to requiring secure key exchange). It should happen automatically in AD, but I've seen it take over an hour. So you can manually transfer them if needed using Preinst.exe. However, before you do this, validate in the parent site's despool.log that this is the case (there would be entries something like (waiting for keys) if this is needed). See: http://technet.microsoft.com/en-us/library/bb693690.aspx

Anoop C Nair
April 3rd, 2011 11:44pm
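
The group membership discussed in the replies above can be checked on each site server before changing anything. The script below is an added example, not part of the original thread: it lists the members of every local group whose name starts with SMS_SiteToSiteConnection and of the local Administrators group, and flags whether an expected peer account is present. The account name `CONTOSO\SECONDARY01$` is a placeholder, and the group name `Administrators` assumes an English-language Windows installation.

```powershell
# Added example: audit site-to-site and local admin membership on a site server.
# Run on the site server itself (or pass -Computer). Uses the ADSI WinNT provider,
# so it works on older PowerShell versions without extra modules.
param(
    [string]$Computer        = $env:COMPUTERNAME,
    [string]$ExpectedAccount = 'CONTOSO\SECONDARY01$'   # placeholder peer site server account
)

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/Name; convert to DOMAIN\Name
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Find the site-to-site connection groups ConfigMgr created on this server
$machine = [ADSI]"WinNT://$Computer,computer"
$groups = @($machine.psbase.Children |
    Where-Object {
        $_.psbase.SchemaClassName -eq 'Group' -and
        [string]$_.Name -like 'SMS_SiteToSiteConnection*'
    } |
    ForEach-Object { [string]$_.Name })

if ($groups.Count -eq 0) {
    Write-Warning "No SMS_SiteToSiteConnection* group found on $Computer"
}

# Also report local Administrators, to see which site servers hold more
# rights than the site-to-site group alone would give them
$groups += 'Administrators'

foreach ($name in $groups) {
    $members = @(Get-LocalGroupMembers -Computer $Computer -Group $name)
    New-Object PSObject -Property @{
        Group       = $name
        Members     = ($members -join '; ')
        HasExpected = ($members -contains $ExpectedAccount)
    }
}
```

Running it on both the parent and the secondary, each time with the other server's computer account as `-ExpectedAccount`, shows whether the two-way membership described above is in place and which servers are in the local Administrators group as well.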

This topic is archived. No further replies will be accepted.
