[Today’s post is provided by Carol Bailey]
I see a lot of confusion about how and when native mode clients use a server locator point, so let’s take a look at this for clarification. The product documentation tells you when and how to configure native mode clients for a server locator point, but this post includes the why element, which might help you to understand it better and therefore remember it.
Before we dive into this, let’s recap what the server locator point is: The server locator point is an intranet-based site system and is used to locate site information to complete site assignment, and to find management points on the intranet.
There are 3 scenarios to consider for native mode clients:
- The native mode client is configured with an Internet-based management point, and is configured as Internet-only. This client will never contact a server locator point.
Note: Do not specify the CCMSetup properties CCMALWAYSINF=1 and SMSSLP=<servername> for the same client. When CCMALWAYSINF=1 is specified, the client will never contact a server locator point. Although specifying these two together shouldn’t break anything, they were not designed to be used together. I often see customers using this combination and because it is not a supported configuration, I always advise them to delete the SMSSLP option.
- The native mode client is configured with an Internet-based management point, and is configured for intranet and Internet management (it can move between the intranet and Internet). This client will never contact a server locator point for site assignment, but could contact a server locator point to find management points on the intranet.
- The native mode client is not configured with an Internet-based management point. This client might contact a server locator point for site assignment, and it might contact a server locator point to find management points on the intranet.
Server Locator Points to Complete Site Assignment
When a client is configured for an Internet-based management point, it does not need site information to complete site assignment. Internet-based clients must be directly assigned to their site – they cannot use auto-site assignment. Additionally, they skip the site compatibility check that would normally check that they were not trying to assign to an SMS 2003 site and that they are not running Windows 2000 – so you must make these checks yourself to ensure that the client doesn’t become unmanaged. This is why both an Internet-only client and a client configured for intranet and Internet management will never contact a server locator point for site assignment.
Conversely, a native mode client that isn’t configured with an Internet-based management point does need site information to complete site assignment – it always needs this for the site compatibility check (and will also need this if it’s using auto-site assignment). When the Active Directory schema has been extended for Configuration Manager 2007, and the client can read site information published to Active Directory Domain Services (the site is successfully published, the client is domain-joined and belongs to the same forest as its site), the client doesn’t need a server locator point to complete site assignment. Instead, it gets the site information from Active Directory.
However, if any of these conditions is not met and the client can’t get site information from Active Directory Domain Services, the client must use a server locator point. You might think that this also applies to workgroup clients, but in fact workgroup clients are not supported for intranet and Internet management, and must be configured for Internet-only.
Server Locator Points to Find Management Points
The Internet-based management point is always directly assigned to clients, so clients never have to locate these themselves – only management points on the intranet. It’s easy to work out why an Internet-only client will never contact a server locator point to find management points!
Native mode clients that are configured for intranet management do need to find management points on the intranet, and there are several mechanisms for doing this. They try in this order: Active Directory, DNS, server locator point. Only if the preferred methods fail do native mode clients use a server locator point to find management points. You will note that this list doesn’t include WINS for native mode.
The funny thing about this requirement is that you don’t really need to worry about it, because the right decision has already been made for site assignment:
- If the client can read site information in Active Directory Domain Services for site assignment, it can also find management points in Active Directory Domain Services.
- If the client cannot read site information in Active Directory Domain Services for site assignment, it must be configured with a server locator point – and this can also be used to find management points. However, if clients can use DNS to find management points, the server locator point will not be used.
Configuring Native Mode Clients to Use a Server Locator Point
By default, native mode clients do not contact server locator points, even if the server locator point is specified on the command line. The reason for this default setting is that the communication uses an HTTP rather than HTTPS connection, which means that information passed to the client is not encrypted. This is not ideal from a security point of view, but bear in mind that this communication is on the intranet only (never on the Internet). That’s also why a client that is configured with an Internet-based management point is designed not to need site information to complete site assignment: it might be on the Internet at the time.
If a native mode client needs to communicate with a server locator point, you can enable this behavior in 2 different ways:
- Install the client manually, using CCMSetup and the /native:FALLBACK option (if you are using certificate revocation, use /native:CRLANDFALLBACK).
- Configure the site property Allow HTTP communication for roaming and site assignment. Then use Client Push, or run CCMSetup.exe without any options or properties. This site option is published to Active Directory Domain Services, both as site information and CCMSetup information.
As the full site property name implies, this configuration actually does double-duty. It also allows native mode clients to successfully communicate with mixed mode site systems. In most scenarios, you wouldn’t want this – and certainly not when the client is on the Internet. However, if your hierarchy has mixed mode sites and your native mode client might roam into them, this setting allows it to communicate with the resident mixed mode management point and resident mixed mode distribution points to download packages locally rather than over a WAN. This means that this setting might be appropriate for native mode clients on the intranet that can read site information from Active Directory Domain Services – for roaming scenarios but not for site assignment.
In addition to configuring the native mode client to communicate over HTTP, you then have to ensure that it can find the server locator point – just as if it were a mixed mode client. You can either specify it as a CCMSetup property (SMSSLP) or publish it in WINS. Although native mode clients cannot use WINS to locate management points, they can use WINS to locate server locator points.
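To make the three scenarios above and the HTTP fallback setting concrete, here is an added example (my own code, not from the post or from Configuration Manager) that models the decision logic: where a native mode client gets its site information, how it finds intranet management points, and a check for the CCMSetup combinations the post calls out. The flag names and the sample command lines are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class NativeModeClient:
    """Constructed model of the native mode client settings the post discusses."""
    internet_mp: bool     # configured with an Internet-based management point
    internet_only: bool   # CCMALWAYSINF=1
    ad_site_info: bool    # can read site info published to AD DS (schema extended,
                          # site published, domain-joined, same forest as its site)
    dns_mp: bool          # can find intranet management points through DNS
    http_fallback: bool   # /native:FALLBACK, /native:CRLANDFALLBACK, or the site
                          # property "Allow HTTP communication for roaming and site assignment"

def site_assignment_source(c: NativeModeClient) -> str:
    """Where the client gets the site information it needs to complete site assignment."""
    if c.internet_mp:
        return "none"      # directly assigned; the compatibility check is skipped
    if c.ad_site_info:
        return "ad"
    if c.http_fallback:
        return "slp"
    return "blocked"       # SLP required, but HTTP to the SLP is off by default

def mp_location_source(c: NativeModeClient) -> str:
    """How the client finds intranet management points (order: AD, DNS, SLP)."""
    if c.internet_mp and c.internet_only:
        return "none"      # Internet-only clients never look for intranet MPs
    if c.ad_site_info:
        return "ad"
    if c.dns_mp:
        return "dns"
    if c.http_fallback:
        return "slp"
    return "blocked"

def check_ccmsetup(args: list[str]) -> list[str]:
    """Flag the CCMSetup combinations the post warns about; args is a constructed command line."""
    upper = [a.upper() for a in args]
    internet_only = "CCMALWAYSINF=1" in upper
    has_slp = any(a.startswith("SMSSLP=") for a in upper)
    fallback = any(a in ("/NATIVE:FALLBACK", "/NATIVE:CRLANDFALLBACK") for a in upper)
    findings = []
    if internet_only and has_slp:
        findings.append("unsupported: CCMALWAYSINF=1 together with SMSSLP; remove SMSSLP")
    elif has_slp and not fallback:
        findings.append("SMSSLP given without /native:FALLBACK; ignored unless the site property allows HTTP")
    return findings
```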
Checking Configuration for Native Mode Clients
If you need to check the native mode settings of a client to see whether it can contact a server locator point (and mixed mode site systems for roaming), see the procedure: How to Identify Client Configuration Details for Native Mode and Internet-Based Client Management.
Use the site assignment flowchart for a quick cheat-sheet on this behavior for all scenarios. Concentrate on site assignment, and (as explained above) management point location will work itself out.
Additionally, the following links have more information about the server locator point and native mode clients:
This posting is provided “AS IS” with no warranties, and confers no rights.