Manage VM Servers in the Azure IaaS space with ConfigMgr 2012

Do you have Off-Premise Virtual Servers that are stored in a Microsoft Data Center under an IaaS configuration? Tired of remote connecting to them and applying patches or installing software? Want to utilize that On-Prem ConfigMgr 2012 environment you have to manage those servers as well? Below you will find reference links and steps to do just that.

Reference Links:

 

1. ConfigMgr 2012 Support for Azure Virtual Machines: https://support.microsoft.com/kb/2889321

2. About Secure Cross-Premises Connectivity: https://msdn.microsoft.com/library/azure/dn133798.aspx

3. Determine the ConfigMgr Client installation method to use: https://technet.microsoft.com/en-us/library/gg682191

4. Prerequisites for Computer Clients: https://technet.microsoft.com/en-us/library/gg682042

5. Deploying the ConfigMgr Client to Windows Based Computers: https://technet.microsoft.com/en-us/library/gg682132#BKMK_DeployClientComputers

6. Client Installation Properties in ConfigMgr: https://technet.microsoft.com/en-us/library/gg699356.aspx

7. ConfigMgr 2012 Discovery Methods: https://blogs.technet.com/b/elie/archive/2012/05/10/system-center-2012-configuration-manager-part2-discovery-methods.aspx

8. ConfigMgr 2012 Boundaries and Boundary Groups: https://blogs.technet.com/b/elie/archive/2012/05/14/system-center-2012-configuration-manager-part3-boundaries-and-boundary-groups.aspx

 

For the Windows VM Servers hosted in the Off-Premises Microsoft Data Center as part of Azure IaaS, ownership breaks down into the following areas:

 

(IaaS: Infrastructure as a Service)

□ Applications (Organization)

□ Data (Organization)

□ Runtime (Organization)

□ Middleware (Organization)

□ OS (Organization)

□ Virtualization (Vendor)

□ Servers (Vendor)

□ Storage (Vendor)

□ Networking (Vendor)

 

With Azure IaaS, you can use an existing on-premises Configuration Manager infrastructure to manage Microsoft Azure Virtual Machines that are running Windows Server or Linux through a secure site-to-site connection.

 

Use a site-to-site connection when:

• You want to create a branch office solution.

• You want a connection between your on-premises location and your virtual network that’s available without requiring additional client-side configurations.

 

You can get more information on Site-to-Site connections here: https://msdn.microsoft.com/library/azure/dn133798.aspx

Using the On-Premises ConfigMgr, you can perform the following functions by installing the ConfigMgr client on the VM Servers that are a part of the Azure IaaS:

 

For Windows Server:

•Application Management

•Compliance Settings

•Endpoint Protection

•Inventory – Software, Hardware, and Asset Intelligence

•Network Access Protection

•Software Updates Deployment

•Software Metering

•Remote Control

•Reporting

 

For Linux:

•Software Distribution

•Endpoint Protection

•Inventory – Hardware, Software

•Reporting

 

If the VM Servers that are a part of the Azure IaaS are a part of your domain, you should be able to verify that they are being picked up by ConfigMgr AD Discovery. You can validate this by the following steps:

 

(In the ConfigMgr 2012 environment):

1. Open the ConfigMgr 2012 Console

2. Navigate to Assets and Compliance \ Devices

3. Enter the Server Names in question in the Search dialog box in the right side pane

4. The results of the search should present the machine object in the ConfigMgr console

 

If not located in the ConfigMgr Console:

If you cannot locate the devices, validate that they are a part of the domain. If they are not, you will need to either join them to the domain or treat them as workgroup-managed devices with ConfigMgr 2012.

 

You can get information for deploying Workgroup clients here:

How to install Configuration Manager Clients on Workgroup Computers: https://technet.microsoft.com/en-us/library/gg712298.aspx

Managing System Center Configuration Manager clients in a workgroup: https://blogs.technet.com/b/configurationmgr/archive/2010/03/01/managing-system-center-configuration-manager-clients-in-a-workgroup.aspx

 

If located in the ConfigMgr Console:

From this point you will need to ensure that the Microsoft ConfigMgr 2012 Client Push Account, which is a Domain Account, is also in a Domain Security group that places it into the local Administrators group on the 4 servers in the Off-Premises IaaS Azure environment. To verify which account you are using for the Client Push Account, perform the following steps:

 

(In the ConfigMgr 2012 environment):

1. Open the ConfigMgr 2012 Console

2. Navigate to Administration \ Site Configuration \ Sites

3. Select in the right pane the Site Server, right click and select Client Installation Settings -> Client Push Installation

4. On the Client Push Installation Properties, select the Accounts tab

5. Verify the Client Push Installation Account name and domain and make note of it

*6. Verify the account is also in a Domain Group that is located in the Local Administrators group on the target VM servers in the Azure IaaS

 

* If you need assistance in making a domain user the local administrator for all PCs, you can find steps here: https://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx

 

Now that you have your Site-to-Site secure connection in place and the ConfigMgr Client Push Installation Account in the Local Administrators Group on the target VM Servers in the Azure IaaS, you will need to ensure that the IP Subnets for the target VM Servers in the Azure IaaS are in ConfigMgr and assigned to a Boundary Group. Depending on how you are discovering your Site Boundaries, there are different processes to go about this. For this Advisory guide we are going to manually add the Site Boundaries to the ConfigMgr Console and then assign them to a Boundary Group.

 

A Boundary needs to exist and needs to be assigned to a Boundary Group in ConfigMgr because content is pulled from Distribution Points in ConfigMgr 2012. When a client attempts to connect and gather the content it requires, ConfigMgr needs to know which Distribution Point to send it to. A Boundary provides ConfigMgr with knowledge of a subnet, and a Boundary Group organizes the Boundaries and directs the clients in them to the Distribution Points assigned to that group.

 

To add the Boundaries to ConfigMgr 2012 for the VM Servers in the Azure IaaS follow the steps below:

 

(On the VM Servers in the Azure IaaS):

1. Verify the IP address by opening a Command Prompt (Run as Administrator)

2. Run ipconfig /all

3. Note the IPv4 IP Address and Subnet

 

(In the ConfigMgr 2012 environment):

1. Open the ConfigMgr 2012 Console

2. Navigate to Administration \ Hierarchy Configuration \ Boundaries

3. Verify if the Boundaries for the target VM Servers in the Azure IaaS already exist

 

If they do not:

4. Right click Boundaries and select Create Boundary

4.a Enter the description

4.b Select IP Subnet

4.c Enter the IP Address that you documented from the VM Server in the Azure IaaS with the last octet set to 0 (Example: 192.168.1.0)

4.d Enter the Subnet Mask you documented from the VM Server in the Azure IaaS exactly as it was

4.e The Subnet ID should automatically fill out

4.f Click the Apply and then OK button

4.g Repeat the process for each of the subnets that you require
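
Step 4.c's "last octet set to 0" shortcut gives the right network address only when the mask is 255.255.255.0. The PowerShell below is an added example, not part of the original article: it computes the Subnet ID from the IP address and mask noted from ipconfig so you can compare it with what the console fills in at step 4.e. The function name Get-SubnetId and the sample addresses are hypothetical.

```powershell
# Added example (not from the original article): derive the Subnet ID for an
# IP Subnet boundary from the values noted on the Azure VM.
function Get-SubnetId {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$SubnetMask
    )
    $ip   = [System.Net.IPAddress]::Parse($IPAddress)
    $mask = [System.Net.IPAddress]::Parse($SubnetMask)
    if ($ip.AddressFamily -ne 'InterNetwork' -or $mask.AddressFamily -ne 'InterNetwork') {
        throw 'Only IPv4 addresses and masks are handled here.'
    }
    $ipBytes   = $ip.GetAddressBytes()
    $maskBytes = $mask.GetAddressBytes()

    # A valid mask is a run of 1 bits followed by a run of 0 bits.
    $bits = -join ($maskBytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    if ($bits -notmatch '^1*0*$') { throw "Subnet mask $SubnetMask is not contiguous." }

    # Subnet ID = IP address AND subnet mask, octet by octet.
    $net      = for ($i = 0; $i -lt 4; $i++) { $ipBytes[$i] -band $maskBytes[$i] }
    $subnetId = $net -join '.'

    # What step 4.c's shortcut (replace the last octet with 0) would produce.
    $shortcut = ($ipBytes[0..2] -join '.') + '.0'

    [pscustomobject]@{
        IPAddress       = $IPAddress
        SubnetMask      = $SubnetMask
        PrefixLength    = ($bits -replace '0', '').Length
        SubnetId        = $subnetId
        ShortcutMatches = ($shortcut -eq $subnetId)
    }
}

# Constructed sample values; replace with the address and mask from ipconfig /all.
@(
    Get-SubnetId -IPAddress '192.168.1.25' -SubnetMask '255.255.255.0'
    Get-SubnetId -IPAddress '10.0.1.70'    -SubnetMask '255.255.255.192'
) | Format-Table -AutoSize
```

If ShortcutMatches is False for one of your Azure subnets, enter the computed SubnetId rather than the zeroed address when creating the boundary.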

 

If they do:

5. In the ConfigMgr 2012 Console navigate to Administration \ Hierarchy Configuration \ Boundary Groups

6. Right click Boundary Groups and select Create Boundary Group

6.a Name the Boundary Group something meaningful for the support and identification of the Azure IaaS environment

6.b Click the Add button in the lower section of the Create Boundary Group dialog under Boundaries section

6.c Place a check mark next to the Boundaries you wish to add, click the OK button

6.d Click the References tab on the Create Boundary Group dialog

6.e Click the Add button on the Create Boundary Group dialog under the Site System Servers section

6.f Place a check mark next to the Site Server you wish to provide as the Distribution Point for this Boundary Group, click the OK button

6.g Click the Apply button and then the OK button

 

You can now push the ConfigMgr client to the VM Servers in the Azure IaaS Off-Premise Datacenter.

To perform this follow the steps below:

 

(In the ConfigMgr 2012 environment):

1. Open the ConfigMgr 2012 Console

2. Navigate to Assets and Compliance \ Devices

3. Enter the Server Names in question in the Search dialog box in the right side pane

4. The results of the search should present the machine object in the ConfigMgr console

5. Right click the machine object in the results pane, select Install Client

5.a On the Install Configuration Manager Client Wizard click Next

5.b On the Specify Client Push Options, select "Always install the client software"

5.c On the Specify Client Push Options, select "Install the client software from a specific site", select the site from drop down

5.d Click the Next button

5.e On the Confirm The Settings, click the Next button

5.f On the Completion Dialog, click the Close button

 

(Monitor and Confirm):

After you push the client installation to the target VM Server in the Azure IaaS, you can monitor the install by following the steps below:

 

1. Connect to the target VM Server in the Azure IaaS space

2. Open Windows Explorer once connected and navigate to C:\Windows\CCMSetup\Logs

3. Using CMTrace (which you can get from the ConfigMgr site Server under the installation directory\tools), open the following log:

3.a CCMSetup.log
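
When CMTrace is not at hand on the VM, the same log can be summarized from PowerShell. This is an added example, not part of the original article: it assumes single-line entries in the CMTrace layout and the "CcmSetup is exiting with return code" line that ccmsetup writes when it finishes. The function name Get-CcmSetupResult is hypothetical and the sample lines are constructed.

```powershell
# Added example (not from the original article): summarize ccmsetup.log entries.
function Get-CcmSetupResult {
    param([Parameter(Mandatory)][string[]]$LogLine)

    # CMTrace layout: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
    # type: 1 = information, 2 = warning, 3 = error. Only single-line entries are handled.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)".*?type="(?<type>\d)"'

    $entries = foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Date    = $Matches['date']
                Time    = $Matches['time']
                Type    = [int]$Matches['type']
                Message = $Matches['msg']
            }
        }
    }

    # The last "exiting with return code" entry is the outcome of the most recent run.
    $returnCode = $null
    foreach ($entry in $entries) {
        if ($entry.Message -match 'CcmSetup is exiting with return code (\d+)') {
            $returnCode = [int]$Matches[1]
        }
    }

    [pscustomobject]@{
        ReturnCode = $returnCode   # 0 means ccmsetup reported success
        Errors     = @($entries | Where-Object { $_.Type -eq 3 })
        Warnings   = @($entries | Where-Object { $_.Type -eq 2 })
    }
}

# Constructed sample lines in CMTrace format (timestamps, thread and file values are made up).
$sample = @(
    '<![LOG[Constructed sample: setup started]LOG]!><time="10:15:01.000+300" date="01-15-2015" component="ccmsetup" context="" type="1" thread="1234" file="sample.cpp:1">'
    '<![LOG[Constructed sample: a warning raised during setup]LOG]!><time="10:15:09.000+300" date="01-15-2015" component="ccmsetup" context="" type="2" thread="1234" file="sample.cpp:2">'
    '<![LOG[CcmSetup is exiting with return code 0]LOG]!><time="10:21:44.000+300" date="01-15-2015" component="ccmsetup" context="" type="1" thread="1234" file="sample.cpp:3">'
)
Get-CcmSetupResult -LogLine $sample | Format-List ReturnCode, Errors, Warnings

# On the VM itself, using the path from step 2 above:
# Get-CcmSetupResult -LogLine (Get-Content 'C:\Windows\CCMSetup\Logs\ccmsetup.log')
```

A ReturnCode that is empty means the log has no exit line yet, so the installation is still running or was interrupted.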

 

Once the installation completes, please note that if you open the ConfigMgr client from the Control Panel on the server, when you go to the Actions Tab you will only see two actions until the ConfigMgr client pulls policy for the first time. The other actions will then be populated once that policy is pulled and processed by the client from the Management Point.

 

If you are having issues with installing the client, please refer to the following Troubleshooting Client link:

https://blogs.technet.com/b/neilp/archive/2012/07/03/client-push-installation-changes-in-configuration-manager-2012-and-how-to-take-advantage-of-these-for-troubleshooting-purposes.aspx