Client Migration from Configuration Manager 2007 to Configuration Manager 2012
Published Mar 19 2019 06:00 PM
First published on TECHNET on Jan 13, 2012

Hi, I am Naveen Kumar Akkugari and I work at Microsoft in the Management Platforms and Service Delivery (MPSD) organization. I work on the Configuration Manager Infrastructure team which provides services to roughly 300,000 client machines at Microsoft.  Below I share the process we followed to migrate client machines from Configuration Manager 2007 to Configuration Manager 2012. We currently have a little over 200,000 machines migrated to Configuration Manager 2012 from two different primary sites in Configuration Manager 2007.  In this blog post, I focus specifically on our client migration from one primary site (corporate headquarters) which has 120,000 client machines.

After reviewing multiple options for client migration and installation (more info on client migration options can be found here - ), we decided to continue using SUP-based client installation. We also based GPO assignment on security groups due to some unique scenarios in our infrastructure.

As we prepared to migrate our clients to Configuration Manager 2012, we had several goals for client migration, including:

  1. Migrate clients within project timeline (effectively and efficiently)

  2. Avoid any negative end-user impact for the existing services, such as patching and software distribution

  3. Validate Configuration Manager 2012 client installation options (SWD, CPI, SUP) to provide feedback to the product group

  4. Keep the client migration approach simple to test, implement, maintain, and troubleshoot

  5. Ensure migrated clients remain in the Configuration Manager 2012 hierarchy and do not move back to the Configuration Manager 2007 hierarchy

  6. Avoid any client side changes such as domain or OU change for machines as that would have AD and GPO implications

In Configuration Manager 2007, we had a single primary site supporting all corporate headquarters machines (120,000 client machines) in one domain with one AD site. As you know, that scenario is not supported due to exceeding the maximum number of clients per site. We wanted to fix this unsupported scenario in Configuration Manager 2012, so we configured two primary sites and used security groups to split clients between the two sites. We then targeted the Client install command line and Windows Server Update Services (WSUS) settings via Group Policy Objects (GPO).  Figure 1, below, shows the details of this approach.

Figure 1 : Policy Process

In order to best manage the migration process and minimize any possible support impact, we decided to migrate systems in phases with approximately 5,000 machines in each phase. Once a phase had completed and we verified the clients were healthy, we would proceed to the next set of machines. This was the process we followed for each phase:

a) Create a GPO with the client installation settings and WSUS settings, then assign it to the security group into which we moved all machines

b) Publish the client in WSUS (enable the WSUS client install option on the site)

c) Identify the list of machines to migrate

d) Populate the machines in a new Security Group (SG)

e) Create a collection on the ConfigMgr 2007 site based on the security group

f) Wait until security group membership replicates across all domain controllers

g) Once the machines have been added to the security group and the change has replicated to all domain controllers, deploy packages to them to update the security group membership

h) As the clients update their local security group membership, they receive the assigned GPOs to install the client with the correct install command line and WSUS settings

i) As the Configuration Manager client is already published in WSUS, machines now get the Configuration Manager 2012 client installed automatically

Figure 2 below shows the end-to-end process described above for Client Migration.

Figure 2 : Client Process
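
One way to check step f) before deploying the refresh package in step g), as an added example that is not part of the original post or the team's tooling: it asks every domain controller in the current domain whether each machine in the phase list is already visible as a member of the security group. It assumes the ActiveDirectory PowerShell module is available; the group name `CM2012-Migration-Phase01` and the function name are hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-MigrationGroupReplication {
    param(
        [Parameter(Mandatory = $true)] [string]   $GroupName,
        [Parameter(Mandatory = $true)] [string[]] $MachineNames
    )
    $expected = @($MachineNames | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $groupDn  = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).DistinguishedName

    foreach ($dc in Get-ADDomainController -Filter *) {
        $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
        $reachable = $true
        try {
            # The memberOf filter is a paged search, so it handles groups with
            # thousands of computers. Assumes the group DN contains no
            # characters that need LDAP-filter escaping.
            Get-ADComputer -LDAPFilter "(memberOf=$groupDn)" -Server $dc.HostName -ErrorAction Stop |
                ForEach-Object { [void]$seen.Add($_.Name) }
        }
        catch {
            $reachable = $false   # treat an unreachable DC as "not replicated yet"
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Reachable        = $reachable
            MembersSeen      = $seen.Count
            Missing          = @($expected | Where-Object { -not $seen.Contains($_) })
        }
    }
}

# Hypothetical group name; MachineList.txt is the same file fed to AddMachinesToSG.vbs.
$machines = Get-Content -Path '.\MachineList.txt'
$report   = @(Test-MigrationGroupReplication -GroupName 'CM2012-Migration-Phase01' -MachineNames $machines)

$report | Select-Object DomainController, Reachable, MembersSeen,
    @{ Name = 'MissingCount'; Expression = { $_.Missing.Count } } | Format-Table -AutoSize

$pending = @($report | Where-Object { -not $_.Reachable -or $_.Missing.Count -gt 0 })
if ($pending.Count -eq 0) {
    'All domain controllers list every machine; the klist/gpupdate package can be deployed.'
} else {
    "Waiting on $($pending.Count) domain controller(s): $($pending.DomainController -join ', ')"
}
```

A machine that refreshes its tickets against a domain controller that has not yet received the membership change will not see the new group, so the GPO will not apply to it until its tickets are refreshed again.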

The following tips may be useful to you as you plan your own client migrations.

a. Use the following criteria to identify the list of machines to migrate.

      • Machines should be in the targeted domain, and workstation OU

      • Heartbeat should be less than 7 days old

b. Populate the machines in the security group with this VB script

We used the VBS script below to add the machines to the security group (set your domain name in strNetBIOSDomain in the script).

Option Explicit

Dim objFile, objGroup, objFSO, strFile, strGroup, VBInfo
Dim strNTName, objComputer, strNetBIOSDomain, intCount, input
Dim objLogFile, strLogFileName, strScriptFullName

' Set this to the NetBIOS name of your domain.
strNetBIOSDomain = "Domain Name"

Const ForReading = 1
Const ForAppending = 8
Const OverWriteExisting = True

' The log file is written next to the script, with the same base name.
strScriptFullName = Wscript.ScriptFullName
strLogFileName = Left(strScriptFullName, Len(Wscript.ScriptFullName) - 4) & ".log"

' Check for required arguments.
If (Wscript.Arguments.Count < 2) Then
    MsgBox "Required Argument(s) are missing" & vbCrLf & "Syntax:  cscript AddMachinestoSG.vbs MachineList.txt SecGroupName", vbExclamation
    Wscript.Quit
End If

strFile = Wscript.Arguments(0)
strGroup = Wscript.Arguments(1)

' Open the text file of machine names.
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set objFile = objFSO.OpenTextFile(strFile, ForReading)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to open file " & strFile
    WriteToLog("Unable to open file " & strFile)
    Wscript.Quit
End If

' Open (or create) the log file for appending.
Set objLogFile = objFSO.OpenTextFile(strLogFileName, ForAppending, True)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to open Log file " & strLogFileName
    WriteToLog("Unable to open Log file " & strLogFileName)
    Wscript.Quit
End If

' Bind to the group object in Active Directory, using the WinNT provider.
On Error Resume Next
Set objGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strGroup & ",group")
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to bind to security group " & vbCrLf & strGroup
    WriteToLog("Unable to bind to security group " & vbCrLf & strGroup)
    Wscript.Quit
End If
On Error GoTo 0

'wscript.echo objGroup.Name

' Read machine names from the text\CSV file, bind to the computers, and add them to the security group.
Do Until objFile.AtEndOfStream
    strNTName = Trim(objFile.ReadLine)
    If (strNTName <> "") Then
        On Error Resume Next
        ' Computer accounts carry a trailing "$" in their account name.
        Set objComputer = GetObject("WinNT://" & strNetBIOSDomain & "/" & strNTName & "$")
        If (Err.Number <> 0) Then
            On Error GoTo 0
            Wscript.Echo strNTName & ";" & "ERROR" & ";" & "Machine not found, please ensure the computer account exists"
            WriteToLog(strNTName & ";" & "ERROR" & ";" & "Machine not found, please ensure the computer account exists")
        Else
            If (objGroup.IsMember(objComputer.AdsPath) = False) Then
                ' Add the computer to the group.
                objGroup.Add(objComputer.AdsPath)
                If (Err.Number <> 0) Then
                    'Wscript.echo Err.Number & " - " & Err.Description
                    On Error GoTo 0
                    Wscript.Echo strNTName & ";" & "ERROR" & ";" & "Error adding machine to group " & strGroup
                    WriteToLog(strNTName & ";" & "ERROR" & ";" & "Error adding machine to group " & strGroup)
                Else
                    On Error GoTo 0
                    Wscript.Echo strNTName & ";" & "SUCCESS" & ";" & "Machine successfully added to " & strGroup
                    WriteToLog(strNTName & ";" & "SUCCESS" & ";" & "Machine successfully added to " & strGroup)
                End If
            Else
                Wscript.Echo strNTName & ";" & "SUCCESS" & ";" & "Machine already in group " & strGroup
                WriteToLog(strNTName & ";" & "SUCCESS" & ";" & "Machine already in group " & strGroup)
            End If
        End If
    End If
Loop
On Error GoTo 0

' Clean up.
objFile.Close
objLogFile.Close
Set objFile = Nothing
Set objLogFile = Nothing
Set objGroup = Nothing
Set objFSO = Nothing

Sub WriteToLog(Message)
    '* Writes a timestamped message to the log file; does nothing if the log file is not open yet.
    On Error Resume Next
    If IsObject(objLogFile) Then
        objLogFile.WriteLine Now & ";" & Message
    End If
    On Error GoTo 0
End Sub 'WriteToLog()

Here’s how we used the script to populate machines to a security group:

a. Copy the files from the release folder to any local location.

b. Create a text file and populate it with the required system names, one per line (without any prefix or suffix such as $).

c. At a command prompt, run the following command from the location where the script was copied.

c:\> cscript AddMachinesToSG.vbs <MachineList.txt> <Security_Group_Name>

ex: cscript AddMachinesToSG.vbs MachineList.txt DOG_Servicesd

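d. Use the Klist utility via Software Distribution to avoid the client impact of a machine reboot and to expedite the deployment. Purging the Kerberos tickets of the computer's LocalSystem logon session (0x3e7) makes the machine request new tickets that include the new security group membership, and gpupdate then applies the group policies assigned to that group: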


    • klist.exe -li 0x3e7 purge

    • gpupdate.exe /target:computer /force

The graph in Figure 3 below shows the client deployment trend of a more recent site we migrated using this client deployment process.

Figure 3 . Client Deployment Trend

I hope you enjoy this blog entry about how we deployed clients in our environment.  Today we’re just past 200,000 clients on Configuration Manager 2012, and we’re looking forward to finishing our client migrations. If you have any questions on how we are migrating to Configuration Manager 2012, please just let us know.
