While there are a couple different methods to move a Configuration Manager Site Server to the cloud, we recommend utilizing the Site Server High Availability approach. This allows the administrator to build a new site server in Passive mode in the cloud (in addition to your existing site server that is in active mode) and then promote it to active to test connectivity. If all connectivity is not functional, the administrator can promote the original site server to active. This approach provides a safe method of continual testing until all connectivity has been validated.
Microsoft provides the following article on configuring Configuration Manager site server high availability: https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/site-server-high-availability
Our experience found a few items missing in the Microsoft article which we will cover in this post.
Prerequisites for Installing a Passive Primary Site Server
- .NET Framework installed
- Remote Differential Compression installed
- Windows ADK installed
- SQL Server Native Client installed.
- Must have its computer account in the local Administrators group on the site server in active mode.
- Must have its computer account in the local Administrators group on each distribution point.
- Must install using source files that match the version of the site server in active mode.
- Can't have a site system role from any site installed on it before you install the site server in passive mode role.
- The site content library must be on a remote network share. Both site servers need Full Control permissions to the share and its contents. (If the site content library resides on the existing site server, it will have to be moved)
Moving the Site Content Library to a Remote Network Share
- In the Configuration Manager console, navigate to the Administration workspace. Expand Site Configuration, select the Sites node, and select the site. On the Summary tab at the bottom of the details pane, notice a new column for the Content Library.
- Select Manage Content Library on the ribbon.
- In the Manage Content Library window, the Current Location field shows the local drive and path. Enter a valid network path for the New Location. This path is the location to which the site moves the content library. It must include a folder name that already exists on the share (for example: \\server\share\folder.)
- Select OK.
- Monitor the Status value in the Content Library column on the Summary tab of the details pane. It updates to show the site's progress in moving the content library. While In progress, the Move Progress (%) value displays the percentage complete. (Make a cup of coffee! If you have a large content library, you may see 0% progress in the console for a while - a VERY LONG WHILE. For example, with a 1 TB library, it has to copy 10 GB before it shows 1%. Review distmgr.log, which shows the number of files and bytes copied. Starting in version 1810, the log file also shows an estimated time remaining.) If there's an error state, the status displays the error. Common errors include access denied or disk full.
- When complete it displays Complete.
Preparing the Site Database
Adding a Site Server in Passive Mode
- In the Configuration Manager console, navigate to the Administration workspace, expand Site Configuration, select the Sites node, and select Create Site System Server in the ribbon.
- On the General page of the Create Site System Server Wizard, specify the server to host the site server in passive mode. (Note: The server you specify can't host any site system roles before installing a site server in passive mode.)
The wizard performs the following initial prerequisite checks:
The selected server isn't a secondary site server
The selected server isn't already a site server in passive mode
The site's content library is in a remote location
- On the Site Server In Passive Mode page, choose the following option:
Use the source files at the following network location: Specify the path directly to the contents of the CD.Latest folder from the site server in active mode.
(\\Server\SMS_ABC\CD.Latest where "Server" is the name of the site server in active mode, and "ABC" is the site code.)
- Complete the wizard. Configuration Manager then installs the site server in passive mode on the specified server.
- Both site servers will be displayed on the Nodes tab in the Sites node of the console. All Configuration Manager site server components are in standby on the site server in passive mode. The Windows services are still running.
Configure Windows Firewall on the new Site Server in Passive Mode
Promote the Site Server in Passive Mode to Active Mode
- In the Configuration Manager console, navigate to the Administration workspace, expand Site Configuration, and select the Sites node.
- Select the site, and then switch to the Nodes tab. Select the site server in passive mode, and then select Promote to active in the ribbon. Select Yes to confirm and continue.
- Refresh the console node. The Status column for the server you're promoting displays in the Nodes tab as Promoting.
- Make a cup of coffee; this may take up to an hour or more.
- After the promotion is complete, the Status column shows OK for both the new site server in active mode, and for the new site server in passive mode.
- In the Configuration Manager console, navigate to the Monitoring workspace, select Distribution Point Configuration Status.
Monitor each distribution point by clicking the details tab for each.
After promoting the new Site Server, each will eventually display:
"IIS was successfully configured on the distribution point"
and eventually
"Distribution Point installation/upgrade successfully completed"
If errors are displayed for failure to communicate with the distribution point, review Windows Firewall settings on the newly created site server and verify the newly created site server's computer account is in the local Administrators group on each distribution point.
Moving the Site Database
Stop ConfigMgr Services on the New Site Server
- Locate preinst.exe in one of the subdirectories under the ConfigMgr installation directory (for instance: E:\Program Files\Microsoft Configuration Manager\bin\X64\00000409).
- From an administrator command prompt: preinst.exe /stopsite
- Grab a cup of coffee as this process took approximately one hour to complete.
- When Preinst.exe has completed, verify the following services have been stopped:
AI_UPDATE_SERVICE_POINT
CONFIGURATION_MANAGER_UPDATE
SMS_NOTIFICATION_SERVER
by executing the following PowerShell commands:
Get-Service -Name AI_UPDATE_SERVICE_POINT
Get-Service -Name CONFIGURATION_MANAGER_UPDATE
Get-Service -Name SMS_NOTIFICATION_SERVER
If any of these services shows running, stop them by executing the following PowerShell commands:
Stop-Service -Name AI_UPDATE_SERVICE_POINT
Stop-Service -Name CONFIGURATION_MANAGER_UPDATE
Stop-Service -Name SMS_NOTIFICATION_SERVER
Backup the Site Server Database on the Old Site Server
- On the old site server, open SQL Server Management Studio and locate the site server database (typical naming convention: CM_sitecode). Your mileage may vary.
- Make a full backup of the ConfigMgr database:
Backup type: FULL
Destination: DISK (provide a name and provide a file location that can be accessed from both the old and new server)
- Once the backup is completed, make note of the database settings by running the following SQL query:
select name, collation_name, user_access_desc, is_read_only, state_desc, is_trustworthy_on, is_broker_enabled, is_honor_broker_priority_on from sys.databases
- Install SQL Server on the New Site Server (it can be the same or newer version as on the old site server)
- Run the following query in SQL Server Management Studio to enable CLR Integration:
EXEC sp_configure 'clr enabled', 1;
RECONFIGURE;
Restore the Database Backup on the New Site Server
- Copy the SQL backup from old site server to a local drive on the new site server
- Restore the backup using SQL Server Management Studio.
- Once the backup is restored, review the database configuration by running the following query in SQL Server Management Studio:
select name, collation_name, user_access_desc, is_read_only, state_desc, is_trustworthy_on, is_broker_enabled, is_honor_broker_priority_on from sys.databases
- Several database settings are not restored and the database may not be Online. To resolve this, run the following query in SQL Server Management Studio (replace CM_sitecode with the name of your site database):
USE master
ALTER DATABASE [CM_sitecode] SET ONLINE
ALTER DATABASE [CM_sitecode] SET ENABLE_BROKER
ALTER DATABASE [CM_sitecode] SET TRUSTWORTHY ON
ALTER DATABASE [CM_sitecode] SET HONOR_BROKER_PRIORITY ON
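The before-and-after comparison in this step can be scripted. The PowerShell below is an added example, not part of the original post: it compares the row noted on the old server with the row seen after the restore and prints the statement for each setting that drifted. The function name Get-RestoreDrift, the database name CM_ABC and both sample rows are constructed for illustration; in practice the rows come from running the query above on each server.

```powershell
# Added example: rows mirror the columns of the sys.databases query above.
# All values are constructed; CM_ABC is a placeholder database name.
$before = [pscustomobject]@{
    name = 'CM_ABC'; collation_name = 'SQL_Latin1_General_CP1_CI_AS'
    user_access_desc = 'MULTI_USER'; is_read_only = $false; state_desc = 'ONLINE'
    is_trustworthy_on = $true; is_broker_enabled = $true
    is_honor_broker_priority_on = $true
}
$after = [pscustomobject]@{
    name = 'CM_ABC'; collation_name = 'SQL_Latin1_General_CP1_CI_AS'
    user_access_desc = 'MULTI_USER'; is_read_only = $false; state_desc = 'OFFLINE'
    is_trustworthy_on = $false; is_broker_enabled = $false
    is_honor_broker_priority_on = $true
}

function Get-RestoreDrift {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # Quote the database name as a T-SQL identifier (a literal ] is doubled).
    $db = '[' + ([string]$After.name).Replace(']', ']]') + ']'
    # Flags the post re-enables after the restore, and the option that sets each.
    $fix = @{
        is_broker_enabled           = 'ENABLE_BROKER'
        is_trustworthy_on           = 'TRUSTWORTHY ON'
        is_honor_broker_priority_on = 'HONOR_BROKER_PRIORITY ON'
    }
    foreach ($p in $Before.PSObject.Properties) {
        $old = "$($p.Value)"
        $new = "$($After.($p.Name))"
        if ($old -eq $new) { continue }
        # Anything without a known statement (collation, read-only, ...) is
        # reported for a manual decision rather than changed blindly.
        $sql = 'manual review'
        if ($fix.ContainsKey($p.Name) -and $old -eq 'True' -and $new -eq 'False') {
            $sql = "ALTER DATABASE $db SET $($fix[$p.Name])"
        } elseif ($p.Name -eq 'state_desc' -and $new -eq 'OFFLINE') {
            $sql = "ALTER DATABASE $db SET ONLINE"
        }
        [pscustomobject]@{
            Setting = $p.Name; Before = $old; After = $new; Remediation = $sql
        }
    }
}

Get-RestoreDrift -Before $before -After $after | Format-Table -AutoSize
```

Only flags that were on before the backup and off after the restore get a statement, so a setting that was already off on the old server is not switched on by the comparison.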
Setup ConfigMgr to use the Database on the New Site Server
- Verify .NET Framework 3.5 SP1 is installed on your server. (ConfigMgr setup requires .NET Framework!)
- Note the SQL Server Logon account on the old site server and set the new site server SQL database login account identically. (NOTE: This process will fail if you leave the logon account set as NT SERVICE\MSSQLSERVER.)
- Locate Setup.exe in the cd.latest folder under the ConfigMgr Install Directory (example: E:\Program Files\Microsoft Configuration Manager\cd.latest\smssetup\bin\x64)
- Run Setup.exe
- On the Available Setup Option page, select the Perform site maintenance or reset this site option, and click Next.
- On the Site Maintenance page, select the Modify SQL Server configuration option, and click Next.
- On the Database Information page, type in the NEW Site Server fully qualified name, and click Next.
- If the setup fails, review the log (see the convenient button).
- Once setup has completed successfully, reboot both site servers
- Once both servers are back online, monitor the Configuration Manager console to confirm that ConfigMgr has removed the site database role from the old site server and that the new site server shows the site database role.
Transfer Additional Roles to the New Site Server
Move Reporting Services Role
- install and configure reporting service in SQL on new server
- remove reporting services role on old server
- add reporting services role on new server
Move Asset Intelligence Role
- remove role on old server
- add role on new server
Move Endpoint Protection Role
- remove role on old server
- add role on new server
Move Service Connection Point Role
- remove role on old server
- add role on new server
Move Software Update Point Role
- configure WSUS on new server
- remove role on old server
- add role on new server
Update Preferred Management Point in Boundary Groups if Used
- Launch Console
- Navigate to the Administration – Site Configuration – Sites node
- select Hierarchy Settings from the site server
- Verify that the "Clients prefer to use management points specified in boundary groups" option is enabled on the General tab.
If the "Clients prefer to use management points specified in boundary groups" option is enabled, update the management point specified in each boundary group:
- Navigate to Administration – Boundary Groups
- Right click a Boundary group
- Click Properties
- Click the References Tab
- Replace any existing Management Point server name with the name of the new site server
- Repeat for each boundary group
Note: This change will take up to 24 hours to update the client machines.
source: https://www.anoopcnair.com/sccm-preferred-management-points-selection/
Move Source Files for Applications, Packages, Drivers, Etc
- Copy Source_File Share From Old Server to New Server
- Update the content source locations for Applications, Packages, Drivers, Etc
Recommendation: Utilize the ConfigMgr Content Update Source Tool From MSEndpointMgr.com:
https://msendpointmgr.com/2017/02/23/configmgr-content-source-update-tool-version-1-0-2-released/
This tool can copy the files and update the content source locations inside of Config Manager
Perform SCCM Configuration Manager Site Reset
- Run Configuration Manager Setup from <SCCM site installation folder>\BIN\X64\setup.exe.
- Select Perform Site Maintenance or Reset the Site
- Click Next
- Select Reset the Site With No Configuration Changes
- When prompted "Your Site will be reset with default file and registry permissions. Are you sure?", click YES
- Make a cup of coffee as this will take 10-15 minutes while the wizard will perform the following steps:
Stopping Configuration Manager services.
Setting up server accounts.
Updating directory permissions.
Upgrading site control information.
Updating registry.
Installing site component manager.
Verifying directory permissions.
- Once it displays Core Setup Has Completed, you can review the log file by clicking View Log, or simply click Close
Monitor Content Distribution Until Completion
Decommission Original Site Server
- Verify all site server roles have been added to the new site server that were on the old site server.
- One by one, remove the roles on the old site server and monitor Config Manager for proper operation (including imaging workstations). After confidence is gained that all is well, remove the original site server.
- In the Configuration Manager console, navigate to the Administration workspace, expand Site Configuration, select the Servers and Site System Roles node
- Click on the old site server
- Right Click on the Site Server Role
- Click Remove Role
Remove SMS Provider Role
- On the new site server, navigate to \BIN\X64\setup.exe in the Configuration Manager site installation folder.
- run Setup.exe
- On the Getting Started page, select Perform site maintenance or reset this site.
- On the Site Maintenance page, select Modify SMS provider configuration.
- On the Manage SMS providers page, select the option Uninstall the specified SMS provider
- Select the name of the computer from which you want to remove the SMS provider.
Remove Component Server Role
Remove Old Site Server
- Right click the old Site Server
- Click Delete
Move Content Library to New Site Server (if desired)
- In the Configuration Manager console, navigate to the Administration workspace. Expand Site Configuration, select the Sites node, and select the site. On the Summary tab at the bottom of the details pane, notice a new column for the Content Library.
- Select Manage Content Library on the ribbon.
- In the Manage Content Library window, the Current Location field shows the local drive and path. Enter a valid network path for the New Location. This path is the location to which the site moves the content library. It must include a folder name that already exists on the share (for example: \\server\share\folder.)
- Select OK.
- Monitor the Status value in the Content Library column on the Summary tab of the details pane. It updates to show the site's progress in moving the content library. While In progress, the Move Progress (%) value displays the percentage complete. (Make a cup of coffee! If you have a large content library, you may see 0% progress in the console for a while - a VERY LONG WHILE. For example, with a 1 TB library, it has to copy 10 GB before it shows 1%. Review distmgr.log, which shows the number of files and bytes copied. Starting in version 1810, the log file also shows an estimated time remaining.) If there's an error state, the status displays the error. Common errors include access denied or disk full.
- When complete it displays Complete.
FOLLOW UP NOTES:
If after completing this process, clients are not reporting into the new management point, review Active Directory for old Management Point records:
- open Active Directory Users and Computers
- click View
- select Advanced Features
- expand the group SYSTEM
- expand the group SYSTEM MANAGEMENT
- delete any records for the old management point(s)
- Grant the computer account for the new site server Full access to the System Management container
Create a New Root CA Certificate and Import it Into Configuration Manager
- Create a New Root CA certificate on the new site server
- Export the new Root CA certificate to a drive\folder accessible for browsing
- In the Configuration Manager console, navigate to the Administration workspace, expand Site Configuration, and select the Sites node.
- Click Properties
- Click Communication Security tab
- Click the Set button
- Click the New Sunburst icon
- Browse to the new cert
- Click Add
- Click OK
- Delete any old Certs shown in the pane
For more information, see this article: https://azurecloudai.blog/2020/04/03/migrating-sccm-to-use-a-new-certificate-authority/