Absolutely Full of I.T.

Kevin Remde


Cloud-Based SCCM Distribution Point? Why yes! – 20 Key Scenarios with Windows Azure Infrastructure Services

Welcome to another main installment of our “20 Key Scenarios with Windows Azure Infrastructure Services”.  For those of you who are just now starting to follow along, make sure to start your FREE TRIAL of Windows Azure, so that you can follow along.

Those of you who are familiar with System Center 2012, and in particular the Configuration Manager component, are already familiar with the concept of Distribution Points.  But for those of you who are new to it, here is a very brief definition that will make it all clear:
Ahem… :  A Distribution Point is a point from which things are distributed.

“Oh yeah, crystal-clear, Kevin.”

You’re welcome.

It’s really not complicated (or at least, the idea isn’t complicated).  In a large organization, with centralized IT Management, and perhaps with many locations around the globe, it’s important to be able to define the locations from which those far-flung users get their software or updates.  So System Center 2012 Configuration Manager has

But consider this: What if I were able to use Windows Azure – a cloud-based, highly available and globally scalable service - to act as my distribution points? 

“You mean, give immediate, secured, authenticated global reach to your organization’s operating system deployments and software distributions?  That would be amazing, Kevin.”

I knew you’d like it.  This capability is new in System Center 2012 SP1, and was first announced on the System Center Configuration Manager Team Blog here: New Distribution Points in Configuration Manager SP1.

It is further documented at TechNet here: Install Cloud-Based Distribution Points in Windows Azure

NOTE: The cloud-based distribution point is going to be used for deployments other than Microsoft updates.  Updates are already available “in the cloud” through Microsoft Update, and it’s just as easy to configure your company’s devices to use Microsoft for operating system and application updates.

For the rest of this article, I’ll break the task of installing and testing this into these steps:

  • Install System Center 2012 SP1 Configuration Manager
  • Certificates
  • Create the Distribution Point
  • Considerations for Client Access
  • and we’ll wrap things up with a Summary

Install System Center 2012 SP1 Configuration Manager

To test creating a cloud-based distribution point, I installed the evaluation of System Center 2012 SP1 Configuration Manager on a local virtual machine in my test domain.  My installation was a new Configuration Manager standalone primary site:

Available Setup Options

(Prior to this installation I had installed the evaluation of SQL Server 2012 on the same machine, but I could have used the “typical installation” option to also install SQL Express to use as the local database.  For a good write-up on installing a test machine like this as a Windows Azure Virtual Machine, read THIS EXCELLENT ARTICLE by Keith Mayer.) 

After installing and configuring the prerequisites, I also just took the defaults from that point on.


Certificates

Of course, to make an authenticated, secured (SSL) connection between your Configuration Manager installation and your Windows Azure subscription, you’re going to need to generate or use a management certificate.  And like most situations where we’re just trying out new capabilities that require certificates, there is a simple way, and there is a recommended-for-production way.  The recommended-for-production way is to use a PKI, and use the templates and certificate types for Server and Client authentication as described in this document:
PKI Certificate Requirements for Configuration Manager

For my purposes, just to get the distribution point created and the trust established between my local Configuration Manager site server and the Azure subscription, I exported both a .CER and a .PFX file from the local machine certificate that was created for my SCCM server and its relationship with SQL Server.  It was already of the proper type (from the proper template), so worked fine for my test.  Here’s how I did that…

Open MMC (On the start screen, type MMC and run MMC.EXE).

On the File Menu, choose Add/Remove Snap-in…  then in the left-hand list, select Certificates, and click Add.


When prompted for what you want to manage certificates for, select Computer Account, click Next, and then click Finish.  Click OK to close the Add/Remove Snap-ins form.

Now, in the MMC, navigate to Certificates (Local Computer) –> Personal –> Certificates.  You should find a Server Authentication certificate there with the name of your server in the Issued To column. 


We’re going to do two export operations on this certificate; one to get a .cer file that we’ll upload to Windows Azure, and the other to create a password-protected .pfx file that we’ll use to configure the connection from our local Configuration Manager to create the cloud-based distribution point. 

First we’ll export a .cer file:

  1. Right-click on the certificate, select All Tasks –> Export…
  2. On the Certificate Export Wizard welcome page, click Next.
  3. On the Export Private Key page, leave “No, do not export the private key” selected.  Click Next.
  4. On the Export File Format page, leave “DER encoded binary X.509 (.CER)” selected.  Click Next.
  5. On the File to Export page, browse to and select a file system location that you can easily remember and navigate to later; either your desktop or documents folder, and give your file a name.  Make sure it’s saving as a *.cer file. Click Save, then click Next.
  6. On the Completing the File Export Wizard page, click Finish.  Click OK on the resulting “The export was successful.” message.

Now we’ll export a .pfx file:

  1. Right-click on the certificate, select All Tasks –> Export…
  2. On the Certificate Export Wizard welcome page, click Next.
  3. On the Export Private Key page, change the selection to “Yes, export the private key”.  Click Next.
  4. On the Export File Format page, leave “Personal Information Exchange – PKCS #12 (.PFX)” selected.  Click Next.
  5. On the Security page, check the check-box next to Password, and then enter a password in the Password and Confirm password fields.  Click Next.
  6. On the File to Export page, browse to and select a file system location that you can easily remember and navigate to later; either your desktop or documents folder, and give your file a name.  Make sure it’s saving as a *.pfx file. Click Save, then click Next.
  7. On the Completing the File Export Wizard page, click Finish.  Click OK on the resulting “The export was successful.” message.
  8. You can now close the MMC.  We’re done with it.  We have the exports we need.
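
The same two exports can be scripted.  The PowerShell below is an added example, not part of the original post; it assumes an elevated session on the site server with the PKI module cmdlets that ship with Windows Server 2012, and the folder C:\CertExport and the file names mgmt.cer and mgmt.pfx are hypothetical.

```powershell
# Added example: scripted form of the two MMC exports described above.
# Assumptions: elevated session on the site server; $OutDir and the file
# names are hypothetical; the certificate subject contains the server name.
$OutDir        = 'C:\CertExport'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Look in Certificates (Local Computer) -> Personal for an unexpired
# Server Authentication certificate issued to this server, with a private key.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.Subject -match [regex]::Escape($env:COMPUTERNAME) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })
})

# Refuse to guess when zero or several certificates match.
if ($candidates.Count -ne 1) {
    $candidates | Format-List Subject, Thumbprint, NotAfter
    throw "Expected exactly one matching certificate, found $($candidates.Count)."
}
$cert = $candidates[0]

# Export 1: public certificate only, DER-encoded .cer (the file uploaded to Windows Azure).
Export-Certificate -Cert $cert -FilePath "$OutDir\mgmt.cer" -Type CERT | Out-Null

# Export 2: certificate plus private key, as a password-protected .pfx.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\mgmt.pfx" -Password $pfxPassword | Out-Null

# Check the .cer before uploading it: it must hold no private key and must be
# the same certificate that went into the .pfx.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$OutDir\mgmt.cer"
if ($exported.HasPrivateKey) { throw 'The .cer unexpectedly contains a private key.' }
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint mismatch between store and .cer.' }

# Record the thumbprint so the uploaded certificate can be identified later.
"Exported certificate thumbprint: $($cert.Thumbprint)"
```

The .pfx holds the server certificate's private key, so keep it off shared locations and delete it once the distribution point has been created.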

Upload the .cer file to our Windows Azure subscription.  (If you don’t have one, it’s easy to START A FREE TRIAL HERE.):

  1. Login to your Windows Azure subscription, and at the bottom of the list on the left, select Settings.
  2. At the bottom of the browser window, click the UPLOAD icon.
  3. In the Upload a management certificate form, click Browse for a file, browse for and select the .cer file that you exported earlier, and then click the check-box at the bottom right. 
  4. You will now see a job running message that says “Uploading…” followed shortly by a “Successfully uploaded..” message, and your certificate now shows up in the Management Certificates list.
  5. Before we move over to Configuration Manager, this is a good opportunity to copy and then paste (maybe in Notepad) the value in the SUBSCRIPTION ID column for your certificate.  It is a very long value that we’ll need later when we’re configuring Configuration Manager.

And there you go.  The certificate for our test is in place.  Now we’re ready to create and connect Configuration Manager to a new cloud-based distribution point.

Create the Distribution Point

  1. Open up Configuration Manager.
  2. On the lower-left, click Administration, and then in the section above under Overview, expand Hierarchy Configuration and select Cloud.  (Yes, Cloud!)
  3. Right-Click on Cloud and then click on Create Cloud Distribution Point.
  4. On the Specify details for this cloud service page, this is where we’ll use the copy/pasted Subscription ID we saved, as well as the .pfx file that we exported earlier.  In the Subscription ID: field, paste the subscription ID you saved.
  5. Next to the Management Certificate field, click Browse.  Navigate to and select the .pfx file that you saved earlier.  After you select it and click Open, you'll be prompted for the password you used to protect it.  Enter the password and click OK.
  6. Click Next.
  7. On the Specify additional details for this distribution point form, note the various regions of the world where you could put your distribution point.  For your Certificate file, click Browse and again navigate to and select your .pfx file, entering the password.  Notice that this also fills in the Service FQDN value that was found in the certificate. Click Next.
  8. On the Configure alerts for this distribution point page, make note of the different alert thresholds that can be set.  We’ll leave the defaults and click Next.
  9. On the Summary page, review the Details, and then click Next.
  10. If all goes as it should, you should quickly see a successful completion.  Click Close.

And now you’ll see your new Cloud Distribution Point listed in the main part of the page with a status of Provisioning.  Eventually that status will change to Ready.


Go back to your browser and to your Windows Azure administration page.  Navigate to the Cloud Services section on the left.  It will take several minutes but eventually you will see a new cloud service with a long-and-ugly name show up. 


Note toward the right that you have a value in the URL column.  That value (which is essentially <your service name>.cloudapp.net) is the DNS name that your clients will use for connecting to the distribution point and getting their software.

Below Cloud Services, find and click on Storage.  Here you’ll see that a new storage account has been created with the same ugly name that the new cloud service has. 


As I’m sure you’ve guessed, this is the storage account that will hold all software and other items that you’ve deployed to your distribution point.

And now you’re ready to distribute some software to your new distribution point in the clouds.  Try it out by distributing the Configuration Manager Client Package up to your distribution point.

  1. In Configuration Manager, click Software Library on the bottom left.  In the section above, under Overview –> Application Management click Packages.
  2. In the details pane, right-click on Configuration Manager Client Package, and select Distribute Content.
  3. On the Review selected content page, click Next.
  4. On the Specify the content destination page, click Add.  In the resulting drop-down list, click Distribution Point.
  5. In the Add Distribution Points list of available distribution points, check the box next to your cloud-based distribution point.  Click OK, and then click Next.
  6. On the Summary page, click Next.  The distribution should complete successfully, so click Close.

Now let’s see if that package is being distributed. 

  1. In Configuration Manager, on the bottom left, click and open the Monitoring section.  In the section above, under Overview –> Distribution Status click Content Status.
  2. In the details pane, select your Configuration Manager Client Package, and note below that the completion statistics show that the distribution is In Progress.  Eventually that yellow circle will turn to green when the distribution is complete. 


Another way to show that you’ve succeeded is to go back to your Windows Azure administration page, click on Storage, click on your storage account, and select the Containers tab.  You’ll see new containers being created that you can drill down into and actually see the files and their URLs.


Good stuff!

Considerations for Client Access

“So.. is that it?”

Almost, but not quite.  The Planning for Content Management in Configuration Manager document has an important section describing how and when clients will access your cloud based distribution points: Client to Cloud-Based Distribution Point Communication.  Make sure you read and understand the points made there.


Summary

System Center 2012 SP1 Configuration Manager adds the ability to configure and use a Windows Azure-based service to host a Distribution Point as what is now known as a “Cloud-Based Distribution Point”.  Once certificates are in place, the actual creation of the distribution point in your Windows Azure subscription is fairly straightforward, and for distributing content, it becomes just another option when choosing where to distribute your deployed applications and packages.


What do you think?  Are the wheels turning as you’re now envisioning all of the flexibility that this new capability will give you?  If not, you’d better read this article again.
