Hi, I am Naveen Kumar Akkugari and I work at Microsoft in the Management Platforms and Service Delivery (MPSD) organization. I work on the Configuration Manager Infrastructure team which provides services to roughly 300,000 client machines at Microsoft. Below I share the process we followed to migrate client machines from Configuration Manager 2007 to Configuration Manager 2012. We currently have a little over 200,000 machines migrated to Configuration Manager 2012 from two different primary sites in Configuration Manager 2007. In this blog post, I focus specifically on our client migration from one primary site (corporate headquarters) which has 120,000 client machines.
After reviewing multiple options for client migration and installation (more info on client migration options can be found here - http://technet.microsoft.com/en-us/library/gg712283.aspx ), we decided to continue using SUP based client installation. We also based GPO assignment on security groups due to some unique scenarios in our infrastructure.
As we prepared to migrate our clients to Configuration Manager 2012, we had several goals for client migration, including:
- Migrate clients within project timeline (effectively and efficiently)
- Avoid any negative end-user impact for the existing services, such as patching and software distribution
- Validate Configuration Manager 2012 client installation options (SWD, CPI, SUP) to provide feedback to the product group
- The client migration approach needed to be simple for client migration testing, implementation , maintenance, and troubleshooting
- Ensure migrated clients remain in Configuration Manager 2012 hierarchy and should not move back to Configuration Manager 2007 hierarchy
- Avoid any client side changes such as domain or OU change for machines as that would have AD and GPO implications
In Configuration Manager 2007, we had a single primary site supporting all corporate headquarters machines (120,000 client machines) in one domain with one AD site. As you know, that scenario is not supported due to exceeding the maximum number of clients per site. We wanted to fix this unsupported scenario in Configuration Manager 2012, so we configured two primary sites and used security groups to split clients between the two sites. We then targeted the Client install command line and Windows Server Update Services (WSUS) settings via Group Policy Objects (GPO). Figure 1, below, shows the details of this approach.
Figure 1 : Policy Process
In order to best manage the migration process and minimize any possible support impact, we decided to migrate systems in phases with approximately 5,000 machines in each phase. Once a phase had completed and we verified the clients were healthy, we would proceed to the next set of machines. This was the process we followed for each phase:
a) Create GPO with client installation settings and WSUS settings, then assign to security group where we moved all machines
b) Publish the client in WSUS (enable the WSUS client install option on site)
c) Identify the list of machines to migrate
d) Populate the machines in a new Security Group (SG)
e) Create a collection on the ConfigMgr 2007 site based on the security group
f) Wait until security group membership replicates across all Domain controllers
g) Once machines added to the security group and replicated to all Domain controllers, deploy packages on them to update the security group membership
h) As the clients updated their local security group membership, they received the assigned GPOs to install the client with the correct install command line and WSUS settings
i) As Configuration Manger client is already published in WSUS, machines will now get the Configuration Manger 2012 client installed automatically
Figure 2 below shows the end-to-end process described above for Client Migration.
Figure 2 : Client Process
The followings tips may be useful to you as you plan your own client migrations.
a. Use the following Criteria to identify the list of machines to migrate.
- Machines should be in the targeted domain, and workstation OU
- Heartbeat should be less than 7 days old
b. Populate the machines in Security group with this VB script
We used the VBS script below to populate the machines to security group (add the domain name in the script).
|
Option Explicit Dim objFile, objGroup, objFSO, strFile, strGroup,VBInfo Dim strNTName, objComputer, strNetBIOSDomain, intCount, input Dim objLogFile, strLogFileName, strScriptFullName
strNetBIOSDomain = "Domain Name"
Const ForReading = 1 Const ForAppending = 8 Const OverWriteExisting = True
strScriptFullName = Wscript.ScriptFullName strLogFileName = Left(strScriptFullName, Len(Wscript.ScriptFullName) - 4) & ".log"
' Check for required arguments. If (Wscript.Arguments.Count < 2) Then MSGBox "Required Argument(s) are missing" & vbCrLf & "Syntax: cscript AddMachinestoSG.vbs MachineList.txt SecGroupName",vbExclamation Wscript.Quit(0) End If strFile = Wscript.Arguments(0) strGroup = Wscript.Arguments(1) ' Open the text file of user names. Set objFSO = CreateObject("Scripting.FileSystemObject") On Error Resume Next Set objFile = objFSO.OpenTextFile(strFile, ForReading) If (Err.Number <> 0) Then On Error GoTo 0 Wscript.Echo "Unable to open file " & strFile WriteToLog("Unable to open file " & strFile) Wscript.Quit(1) End If Set objLogFile = objFSO.OpenTextFile(strLogFileName, ForAppending, True) If (Err.Number <> 0) Then On Error GoTo 0 Wscript.Echo "Unable to open Log file " & strLogFile WriteToLog("Unable to open Log file " & strLogFile) Wscript.Quit(1) End If ' Bind to the group object in Active Directory, using the WinNT provider. On Error Resume Next Set objGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strGroup & ",group") If (Err.Number <> 0) Then On Error GoTo 0 Wscript.Echo "Unable to bind to security group " & vbCrLf & strGroup WriteToLog("Unable to bind to security group " & vbCrLf & strGroup) objFile.Close Wscript.Quit(1) End If On Error GoTo 0 'wscript.echo objGroup.Name ' Read machine names from the text\CSV file, bind to the computers, and add them to the security group. Do Until objFile.AtEndOfStream strNTName = Trim(objFile.ReadLine) If (strNTName <> "") Then On Error Resume Next Set objComputer = GetObject("WinNT://" & strNetBIOSDomain & "/" & strNTName & "$") If (Err.Number <> 0) Then On Error GoTo 0 Wscript.Echo strNTName & ";" & "ERROR" & ";" & "Machine not found, please ensure the computer account exists" WriteToLog(strNTName & ";" & "ERROR" & ";" & "Machine not found, please ensure the computer account exists") Else If (objGroup.IsMember(objComputer.AdsPath) = False) Then ' Add the computer to the group. objGroup.Add(objComputer.AdsPath) If (Err.Number <> 0) Then 'Wscript.echo Err.Number & " - " & Err.Description On Error GoTo 0 Wscript.Echo strNTName & ";" & "ERROR" & ";" & "Error adding machine to group " & strGroup WriteToLog(strNTName & ";" & "ERROR" & ";" & "Error adding machine to group " & strGroup) Else On Error GoTo 0 Wscript.Echo strNTName & ";" & "SUCCESS" & ";" & "Machine sucessfully added to " & strGroup WriteToLog (strNTName & ";" & "SUCCESS" & ";" & "Machine sucessfully added to " & strGroup) End If Else Wscript.echo strNTName & ";" & "SUCCESS" & ";" & "Machine already in group " & strGroup WriteToLog(strNTName & ";" & "SUCCESS" & ";" & "Machine already in group " & strGroup) End If End If End If Loop
' Clean up. objFile.Close
Sub WriteToLog(Message) '* '* To write messages to the log file or to console if /Debug is passed as command line argument '* On Error Resume Next
If IsObject(objLogFile) Then objLogFile.WriteLine Now & ";" & Message Else End If
On Error GoTo 0
End Sub 'WriteToLog()
|
Here’s how we used the script to populate machines to a Security group:
a. Copy the files from the release folder to any location locally.
b. Create a text file, and populate with required system names (without any prefix/suffix like $) on each line.
c. At command prompt, Run the following command from the location where script is copied.
c:\> cscript AddMachinesToSG.vbs <MachineList.txt> <Security_Group_Name>
ex: cscript AddMachinesToSG.vbs MachineList.txt DOG_Servicesd
d. Use the Klist utility via Software Distribution to minimize client impact for machine reboot and expedite the deployment by forcing the computer to recognize the group policies for the security group:
Commands
- klist.exe -li 0x3e7 purge
- gpupdate.exe /target:computer /force
The graph in Figure 3 below shows the client deployment trend of a more recent site we migrated using this client deployment process.
Figure 3 . Client Deployment Trend
I hope you enjoy this blog entry about how we deployed clients in our environment. Today we’re just past 200,000 clients on Configuration Manager 2012, and we’re looking forward to finishing our client migrations. Any questions on how are migrating to Configuration Manager 2012, please just let us know.