Moving Microsoft Endpoint Configuration Manager (MECM) (formerly SCCM) to the Cloud

While there are a couple of different methods to move a Configuration Manager site server to the cloud, we recommend the Site Server High Availability approach. This allows the administrator to build a new site server in passive mode in the cloud (alongside the existing site server, which stays in active mode) and then promote it to active to test connectivity. If any connectivity is not functional, the administrator can promote the original site server back to active. This approach provides a safe method of continual testing until all connectivity has been validated.

Microsoft provides the following article on configuring Configuration Manager Site Server High Availability: https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/site-server-high-availability

Our experience found a few items missing from the Microsoft article, which we cover in this post.

Prerequisites for Installing a Passive Primary Site Server

  • .NET Framework installed
  • Remote Differential Compression installed
  • Windows ADK installed
  • SQL Server Native Client installed
  • Must have its computer account in the local Administrators group on the site server in active mode.
  • Must have its computer account in the local Administrators group on each distribution point.
  • Must install using source files that match the version of the site server in active mode.
  • Can't have a site system role from any site installed on it before you install the site server in passive mode role.
  • The site content library must be on a remote network share. Both site servers need Full Control permissions to the share and its contents. (If the site content library resides on the existing site server, it will have to be moved; see the next section.)
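The following PowerShell pre-flight check is an added example rather than part of the Microsoft article; it verifies each prerequisite above from the candidate passive server. It assumes the names VM1 (active site server), VM2 (passive candidate), DP01 and DP02 (distribution points) and the share \\fs01\cmlib\ContentLib in the contoso domain, that it is run as an administrator on VM2 with PowerShell remoting to the other servers, and that the registry keys used to detect an existing site system role are a heuristic.

```powershell
# Added pre-flight check for the passive site server prerequisites (example, not Microsoft's code).
# Assumed names: VM2 = passive candidate (run this there as admin), VM1 = active site server,
# DP01/DP02 = distribution points, \\fs01\cmlib\ContentLib = remote content library share.
$Domain   = 'contoso'
$Passive  = 'VM2'
$Active   = 'VM1'
$DPs      = @('DP01', 'DP02')
$LibShare = '\\fs01\cmlib\ContentLib'
$results  = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# .NET Framework 4.5+ installers write a Release value under this key.
$netKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework 4.x installed' ($null -ne $release) "Release=$release"

# Remote Differential Compression is the Windows Server feature named RDC.
Add-Check 'Remote Differential Compression installed' ((Get-WindowsFeature -Name RDC).Installed)

# Windows ADK and SQL Server Native Client register under the Uninstall keys.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$products  = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
             ForEach-Object { $_.DisplayName } | Where-Object { $_ }
Add-Check 'Windows ADK installed' ([bool]($products -match 'Windows Assessment and Deployment Kit'))
Add-Check 'SQL Server Native Client installed' ([bool]($products -match 'SQL Server.*Native Client'))

# Heuristic (assumption): these keys exist once a site server, MP or DP role is installed here.
$roleKeys = 'HKLM:\SOFTWARE\Microsoft\SMS\Identification', 'HKLM:\SOFTWARE\Microsoft\SMS\MP',
            'HKLM:\SOFTWARE\Microsoft\SMS\DP'
Add-Check 'No existing site system role' (-not ($roleKeys | Where-Object { Test-Path $_ }))

# The passive server's computer account must be a local Administrator on the
# active site server and on every distribution point.
$account = "$Domain\$Passive`$"
foreach ($target in @($Active) + $DPs) {
    $members = Invoke-Command -ComputerName $target -ScriptBlock {
        (Get-LocalGroupMember -Group 'Administrators').Name
    }
    Add-Check "Computer account is local admin on $target" ([bool]($members -contains $account))
}

# Both site servers need Full Control on the remote content library share.
# Get-Acl reads the NTFS ACL; the share permissions must allow Full Control as well.
$fc  = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl = Get-Acl -Path $LibShare
foreach ($srv in $Active, $Passive) {
    $id   = "$Domain\$srv`$"
    $full = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $id -and
        (($_.FileSystemRights -band $fc) -eq $fc)
    }
    Add-Check "$id has Full Control on $LibShare" ([bool]$full)
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'At least one prerequisite is missing; do not add the passive site server yet.'
}
```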

Moving the Site Content Library to a Remote Network Share

Microsoft provides the following article on moving the site content library: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/the-content-library#bkmk_remote

Create a folder in a network share as the target for the content library, for example \\server\share\folder. Don't reuse an existing folder that already holds content (for example, don't use the same folder as your package sources), because Configuration Manager removes any existing content from the location you specify before copying the content library.

  1. In the Configuration Manager console, navigate to the Administration workspace. Expand Site Configuration, select the Sites node, and select the site. On the Summary tab at the bottom of the details pane, notice a new column for the Content Library.

  2. Select Manage Content Library on the ribbon.

  3. In the Manage Content Library window, the Current Location field shows the local drive and path. Enter a valid network path for the New Location. This path is the location to which the site moves the content library. It must include a folder name that already exists on the share (for example: \\server\share\folder).

  4. Select OK.

  5. Monitor the Status value in the Content Library column on the Summary tab of the details pane. It updates to show the site's progress in moving the content library. While In progress, the Move Progress (%) value displays the percentage complete. (Make a cup of coffee! If you have a large content library, you may see 0% progress in the console for a while - a VERY LONG WHILE. For example, with a 1 TB library, it has to copy 10 GB before it shows 1%. Review distmgr.log, which shows the number of files and bytes copied. Starting in version 1810, the log file also shows an estimated time remaining.) If there's an error state, the status displays the error. Common errors include access denied or disk full.

  6. When the move is complete, the Status value displays Complete.

NOTE: We recommend enabling 8DOT3NAMES on the server volume where the Site Content Library will reside, as some file names, combined with the fully qualified server name and temporary directory names, may exceed the 255 character limit. For more information, see this article: https://knowledge.kofax.com/Capture/Kofax_Capture/Scan/Enable_8dot3_File_Name_Creation

Preparing the Site Database

Both site servers must use the same site database. The database can be remote from each site server or reside on the original site server.

Both site servers need the sysadmin server role on the instance of SQL Server that hosts the site database. The original site server already has this role; add it for the new site server.

Microsoft kindly provides the following SQL script, which adds the role for the new site server VM2 in the Contoso domain:

SQL

USE [master]
GO
-- Create a Windows login for the passive site server's computer account
CREATE LOGIN [contoso\vm2$] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO
-- Grant that login the sysadmin server role
ALTER SERVER ROLE [sysadmin] ADD MEMBER [contoso\vm2$]
GO


Both site servers need access to the site database on the instance of SQL Server. The original site server should already have this access, so add it for the new site server. For example, the following SQL script adds a user to the CM_ABC database for the new site server VM2 in the Contoso domain:

SQL

USE [CM_ABC]
GO
-- Map the server login to a database user in the site database
CREATE USER [contoso\vm2$] FOR LOGIN [contoso\vm2$] WITH DEFAULT_SCHEMA=[dbo]
GO

The site server in passive mode is configured to use the same site database as the site server in active mode. The site server in passive mode only reads from the database. It doesn't write to the database until after it's promoted to active mode.
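As an added verification (not part of the Microsoft article), the following PowerShell confirms that the two scripts above took effect before the passive site server is added. It assumes a SQL instance named SITESQL hosting the site database CM_ABC, the account contoso\vm2$, and the SqlServer PowerShell module.

```powershell
# Added verification (example, not from the Microsoft article): confirm the passive site
# server's computer account has the login, sysadmin membership and database user that the
# two scripts above create. Assumed: SQL instance SITESQL, site database CM_ABC,
# account contoso\vm2$, and the SqlServer PowerShell module installed.
Import-Module SqlServer
$Instance = 'SITESQL'
$Db       = 'CM_ABC'
$Account  = 'contoso\vm2$'

# Server-level: does the Windows login exist, and is it a member of sysadmin?
$serverQuery = @"
select
  case when exists (select 1 from sys.server_principals where name = '$Account')
       then 1 else 0 end as has_login,
  isnull(IS_SRVROLEMEMBER('sysadmin', '$Account'), 0) as is_sysadmin
"@
# Database-level: was the login mapped to a user in the site database?
$dbQuery = @"
select case when exists (select 1 from sys.database_principals where name = '$Account')
            then 1 else 0 end as has_user
"@

$srv = Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Query $serverQuery
$db  = Invoke-Sqlcmd -ServerInstance $Instance -Database $Db      -Query $dbQuery

$checks = [ordered]@{
    "Login $Account exists on $Instance" = [bool]$srv.has_login
    "$Account is a member of sysadmin"   = [bool]$srv.is_sysadmin
    "User $Account exists in $Db"        = [bool]$db.has_user
}
foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    "$status $($check.Key)"
}
if ($checks.Values -contains $false) {
    Write-Warning 'Re-run the scripts above before adding the site server in passive mode.'
}
```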

Adding a Site Server in Passive Mode

  1. In the Configuration Manager console, navigate to the Administration workspace, expand Site Configuration, select the Sites node, and select Create Site System Server in the ribbon.

  2. On the General page of the Create Site System Server Wizard, specify the server to host the site server in passive mode. (Note: The server you specify can't host any site system roles before installing a site server in passive mode.)

    The wizard performs the following initial prerequisite checks:
      • The selected server isn't a secondary site server
      • The selected server isn't already a site server in passive mode
      • The site's content library is in a remote location

  3. On the Site Server In Passive Mode page, choose the following option:

    Use the source files at the following network location: specify the path directly to the contents of the CD.Latest folder on the site server in active mode
    (for example \\Server\SMS_ABC\CD.Latest, where "Server" is the name of the site server in active mode and "ABC" is the site code).

  4. Complete the wizard. Configuration Manager then installs the site server in passive mode on the specified server.

  5. Both site servers will be displayed on the Nodes tab in the Sites node of the console. All Configuration Manager site server components are in standby on the site server in passive mode. The Windows services are still running.

Configure Windows Firewall on the new Site Server in Passive Mode

Windows Firewall will need to be configured to accommodate traffic to the existing site server and to the distribution points.

Recommendation: Export the Windows Firewall configuration from the existing site server and import it into the new passive site server.
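The export and import recommended above, as an added PowerShell example (not from the original post) that also checks the result. It assumes the names VM1 (active site server) and VM2 (passive site server), and that it is run from an administrative workstation with PowerShell remoting and the C$ admin share available on both servers.

```powershell
# Added example (not from the original post): export the Windows Firewall policy from the
# active site server, import it on the passive site server and compare rule counts.
# Assumed names: VM1 = active site server, VM2 = passive site server.
$Active    = 'VM1'
$Passive   = 'VM2'
$Export    = 'C:\Temp\SiteServerFirewall.wfw'
$AdminPath = $Export.Replace(':', '$')     # C$\Temp\SiteServerFirewall.wfw

# netsh advfirewall export writes the complete policy (all profiles and rules) to a .wfw file.
Invoke-Command -ComputerName $Active -ArgumentList $Export -ScriptBlock {
    param($Path)
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    netsh advfirewall export "$Path" | Out-Null
}

# Move the file over the admin shares.
New-Item -ItemType Directory -Path "\\$Passive\$(Split-Path -Parent $AdminPath)" -Force | Out-Null
Copy-Item -Path "\\$Active\$AdminPath" -Destination "\\$Passive\$AdminPath" -Force

# Import replaces the whole firewall policy on the passive server, so any rules that
# existed only on VM2 must be re-added afterwards.
Invoke-Command -ComputerName $Passive -ArgumentList $Export -ScriptBlock {
    param($Path)
    netsh advfirewall import "$Path" | Out-Null
}

# Confirm the import landed: the enabled inbound rule counts should now match.
$counts = foreach ($srv in $Active, $Passive) {
    Invoke-Command -ComputerName $srv -ScriptBlock {
        @(Get-NetFirewallRule -Enabled True -Direction Inbound).Count
    }
}
"Enabled inbound rules: $Active=$($counts[0])  $Passive=$($counts[1])"
if ($counts[0] -ne $counts[1]) { Write-Warning 'Rule counts differ; review the import.' }
```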

Promote the Site Server in Passive Mode to Active Mode

  1. In the Configuration Manager console, navigate to the Administration workspace, expand Site Configuration, and select the Sites node. 

  2. Select the site, and then switch to the Nodes tab. Select the site server in passive mode, and then select Promote to active in the ribbon. Select Yes to confirm and continue.

  3. Refresh the console node. The Status column for the server you're promoting displays in the Nodes tab as Promoting.

  4. Make a cup of coffee; this may take an hour or more.

  5. After the promotion is complete, the Status column shows OK for both the new site server (now in active mode) and the original site server (now in passive mode).

  6. In the Configuration Manager console, navigate to the Monitoring workspace, select Distribution Point Configuration Status.

    Monitor each distribution point by clicking the details tab for each. 

    After the new site server is promoted, each distribution point will eventually display:
    "IIS was successfully configured on the distribution point"
    and eventually
    "Distribution Point installation/upgrade successfully completed"

    If errors are displayed for failure to communicate with the distribution point, review Windows Firewall settings on the newly created site server and verify the newly created site server's computer account is in the local Administrators group on each distribution point.

Moving the Site Database

After monitoring all services and remediating any issues raised by promoting the new site server, prepare to move the site database from the old site server to the new site server.


Stop ConfigMgr Services on the New Site Server

  1. Locate preinst.exe in one of the subdirectories under the ConfigMgr installation directory (for instance: E:\Program Files\Microsoft Configuration Manager\bin\X64\00000409).
  2. From an administrator command prompt, run: preinst.exe /stopsite
  3. Grab a cup of coffee, as this process took approximately one hour to complete.
  4. When preinst.exe has completed, verify that the following services have been stopped:
    AI_UPDATE_SERVICE_POINT
    CONFIGURATION_MANAGER_UPDATE
    SMS_NOTIFICATION_SERVER

    by executing the following PowerShell commands:
    Get-Service -Name AI_UPDATE_SERVICE_POINT
    Get-Service -Name CONFIGURATION_MANAGER_UPDATE
    Get-Service -Name SMS_NOTIFICATION_SERVER

    If any of these services is still running, stop it by executing the following PowerShell commands:
    Stop-Service -Name AI_UPDATE_SERVICE_POINT
    Stop-Service -Name CONFIGURATION_MANAGER_UPDATE
    Stop-Service -Name SMS_NOTIFICATION_SERVER

Backup the Site Server Database on the Old Site Server

  1. On the old site server, open SQL Server Management Studio and locate the site database (typical naming convention: CM_sitecode; your mileage may vary).

  2. Make a full backup of the ConfigMgr database:
    Backup type: FULL
    Destination: DISK (provide a name and provide a file location that can be accessed from both the old and new server)

  3. Once the backup is completed, make note of the database settings by running the following SQL query:
    select name, collation_name, user_access_desc, is_read_only, state_desc, is_trustworthy_on, is_broker_enabled,is_honor_broker_priority_on from sys.databases

  4. Install SQL Server on the New Site Server (it can be the same or newer version as on the old site server)

  5. Run the following query in SQL Server Management Studio to enable CLR Integration:
    EXEC sp_configure 'clr enabled', 1
    RECONFIGURE

Restore the Database Backup on the New Site Server

  1. Copy the SQL backup from old site server to a local drive on the new site server

  2. Restore the backup using SQL Server Management Studio.

  3. Once the backup is restored, review the database configuration by running the following query in SQL Server Management Studio:
    select name, collation_name, user_access_desc, is_read_only, state_desc, is_trustworthy_on, is_broker_enabled,is_honor_broker_priority_on from sys.databases

  4. Several database settings are not restored, and the database may not be online. To resolve this, run the following query in SQL Server Management Studio (replace CM_sitecode with the name of your site database):
    USE master
    ALTER DATABASE [CM_sitecode] SET ONLINE
    ALTER DATABASE [CM_sitecode] SET ENABLE_BROKER
    ALTER DATABASE [CM_sitecode] SET TRUSTWORTHY ON
    ALTER DATABASE [CM_sitecode] SET HONOR_BROKER_PRIORITY ON
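Steps 3 and 4 combined into one check, as an added PowerShell example (not from the original post): it runs the same sys.databases query against the old and new instances, applies the ALTER DATABASE fix only for a setting the old server had and the restore dropped, and flags differences the statements cannot fix. It assumes SQL instances named OLDSITE and NEWSITE, the site database CM_ABC, and the SqlServer PowerShell module.

```powershell
# Added example (not from the original post): compare the sys.databases settings recorded on
# the old server with those on the new server after the restore, and apply the fixes from
# step 4 only where a setting did not survive. Assumed: SQL instances OLDSITE and NEWSITE,
# site database CM_ABC, and the SqlServer PowerShell module installed.
Import-Module SqlServer
$OldInstance = 'OLDSITE'
$NewInstance = 'NEWSITE'
$Db          = 'CM_ABC'

# The same query as step 3, limited to the site database.
$query = @"
select name, collation_name, user_access_desc, is_read_only, state_desc,
       is_trustworthy_on, is_broker_enabled, is_honor_broker_priority_on
from sys.databases where name = '$Db'
"@
$before = Invoke-Sqlcmd -ServerInstance $OldInstance -Database 'master' -Query $query
$after  = Invoke-Sqlcmd -ServerInstance $NewInstance -Database 'master' -Query $query
if (-not $before -or -not $after) { throw "Database $Db not found on one of the instances" }

# Settings the restore drops: the value the old server should show, and the statement
# that puts it back. Ordered so the database is brought ONLINE before anything else.
$fixes = [ordered]@{
    state_desc                  = @{ Want = 'ONLINE'; Sql = "ALTER DATABASE [$Db] SET ONLINE" }
    is_broker_enabled           = @{ Want = 'True';   Sql = "ALTER DATABASE [$Db] SET ENABLE_BROKER" }
    is_trustworthy_on           = @{ Want = 'True';   Sql = "ALTER DATABASE [$Db] SET TRUSTWORTHY ON" }
    is_honor_broker_priority_on = @{ Want = 'True';   Sql = "ALTER DATABASE [$Db] SET HONOR_BROKER_PRIORITY ON" }
}
foreach ($setting in $fixes.Keys) {
    $old = "$($before.$setting)"; $new = "$($after.$setting)"
    # Only fix the realistic case: the old server had the setting and the restore lost it.
    if ($old -eq $fixes[$setting].Want -and $new -ne $old) {
        "$setting differs (old=$old, new=$new); running: $($fixes[$setting].Sql)"
        Invoke-Sqlcmd -ServerInstance $NewInstance -Database 'master' -Query $fixes[$setting].Sql
    }
}

# Collation, user access and read-only state are not fixed by the statements above;
# a difference there needs investigation before running ConfigMgr Setup.
foreach ($setting in 'collation_name', 'user_access_desc', 'is_read_only') {
    if ("$($before.$setting)" -ne "$($after.$setting)") {
        Write-Warning "$setting differs: old=$($before.$setting) new=$($after.$setting)"
    }
}

# Show the final state on the new server for the record.
Invoke-Sqlcmd -ServerInstance $NewInstance -Database 'master' -Query $query | Format-List
```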

Setup ConfigMgr to use the Database on the New Site Server

  1. Verify .Net Framework 3.5 SP1 is installed on your server. (ConfigMgr setup requires .NET Framework!)
  2. Note the SQL Server service logon account on the old site server and set the SQL Server service logon account on the new site server identically. (NOTE: This process will fail if you leave the logon account set to NT SERVICE\MSSQLSERVER.)

  3. Locate Setup.exe in the cd.latest folder under the ConfigMgr Install Directory (example: E:\Program Files\Microsoft Configuration Manager\cd.latest\smssetup\bin\x64)

  4. Run Setup.exe

  5. On the Available Setup Option page, select the Perform site maintenance or reset this site option, and click Next.

  6. On the Site Maintenance page, select the Modify SQL Server configuration option, and click Next.

  7. On the Database Information page, type in the NEW Site Server fully qualified name, and click Next.

  8. If the setup fails, review the log (see the convenient View Log button) and resolve the reported issue before retrying.

  9. Once setup has completed successfully, reboot both site servers

  10. Once both servers are back online, monitor the Configuration Manager console to confirm that ConfigMgr has removed the site database role from the old site server and that the new site server shows the site database role.

Transfer Additional Roles to the New Site Server

Move Reporting Services Role

  1. Install and configure SQL Server Reporting Services on the new server
  2. Remove the Reporting Services role on the old server
  3. Add the Reporting Services role on the new server

Move Asset Intelligence Role

  1. Remove the role on the old server
  2. Add the role on the new server

Move Endpoint Protection Role

  1. Remove the role on the old server
  2. Add the role on the new server

Move Service Connection Point Role

  1. Remove the role on the old server
  2. Add the role on the new server

Move Software Update Point Role

  1. Configure WSUS on the new server
  2. Remove the role on the old server
  3. Add the role on the new server

Update Preferred Management Point in Boundary Groups if Used

  1. Launch the console
  2. Navigate to the Administration – Site Configuration – Sites node
  3. Select Hierarchy Settings for the site
  4. On the General tab, verify whether the "Clients prefer to use management points specified in boundary groups" option is enabled.

If "Clients prefer to use management points specified in boundary groups option" is enabled, update the management point specified in each boundary group:

    1. Navigate to Administration – Boundary Groups
    2. Right click a boundary group
    3. Click Properties
    4. Click the References tab
    5. Replace any existing management point server name with the name of the new site server
    6. Repeat for each boundary group

      Note: This change will take up to 24 hours to update the client machines.

      source: https://www.anoopcnair.com/sccm-preferred-management-points-selection/

Move Source Files for Applications, Packages, Drivers, Etc.

  1. Copy the source file share from the old server to the new server

  2. Update the content source locations for applications, packages, drivers, etc.

    Recommendation: Utilize the ConfigMgr Content Source Update Tool from MSEndpointMgr.com:
    https://msendpointmgr.com/2017/02/23/configmgr-content-source-update-tool-version-1-0-2-released/
    This tool can copy the files and update the content source locations inside Configuration Manager.

Perform SCCM Configuration Manager Site Reset

  1. Run Configuration Manager Setup from <SCCM site installation folder>\BIN\X64\setup.exe.

  2. Select Perform Site Maintenance or Reset the Site

  3. Click Next

  4. Select Reset the Site With No Configuration Changes

  5. When prompted "Your Site will be reset with default file and registry permissions. Are you sure?", click Yes.

  6. Make a cup of coffee, as this will take 10-15 minutes while the wizard performs the following steps:
    Stopping Configuration Manager services.
    Setting up server accounts.
    Updating directory permissions.
    Upgrading site control information.
    Updating registry.
    Installing site component manager.
    Verifying directory permissions.

  7. Once it displays Core Setup Has Completed, you can review the log file by clicking View Log, or simply click Close.

Monitor Content Distribution Until Completion

After changing the source file location for all content, Configuration Manager will redistribute all content. Depending on the size of the site content, this may take several days. Monitor the content distribution until it is complete before proceeding to decommission the original site server.

In the Configuration Manager console, navigate to the Monitoring workspace, expand Distribution Status, and select Content Status. 

Decommission Original Site Server

  1. Verify all site server roles have been added to the new site server that were on the old site server.

  2. One by one, remove the roles on the old site server and monitor Config Manager for proper operation (including imaging workstations). After confidence is gained that all is well, remove the original site server.

  3. In the Configuration Manager console, navigate to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node.

  4. Click on the old site server

  5. Right Click on the Site Server Role

  6. Click Remove Role

Remove SMS Provider Role

  1. On the new site server, navigate to \BIN\X64\setup.exe in the Configuration Manager site installation folder.

  2. Run Setup.exe

  3. On the Getting Started page, select Perform site maintenance or reset this site.

  4. On the Site Maintenance page, select Modify SMS provider configuration.

  5. On the Manage SMS providers page, select the option Uninstall the specified SMS provider

  6. Select the name of the computer from which you want to remove the SMS provider.

Remove Component Server Role

The Component Server role is removed automatically once all other site system roles have been removed, but there is a delay until a scheduled cleanup task runs.

You can expedite the removal by restarting the Windows service SMS_SITE_COMPONENT_MANAGER on the primary site server.


Remove Old Site Server

Once the Component Server role is gone from the old site server's roles, the old site server can be deleted.

  1. Right click the old site server

  2. Click Delete

Move Content Library to New Site Server (if desired)

In preparing for this migration, we moved the Content Library to a network share (not on either of the site servers), as required to create a passive site server. If desired, now move the Content Library to the new site server.

Microsoft provides the following article on moving the site content library: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/the-content-library#bkmk_remote

  1. In the Configuration Manager console, navigate to the Administration workspace. Expand Site Configuration, select the Sites node, and select the site. On the Summary tab at the bottom of the details pane, notice a new column for the Content Library.

  2. Select Manage Content Library on the ribbon.

  3. In the Manage Content Library window, the Current Location field shows the local drive and path. Enter a valid network path for the New Location. This path is the location to which the site moves the content library. It must include a folder name that already exists on the share (for example: \\server\share\folder).

  4. Select OK.

  5. Monitor the Status value in the Content Library column on the Summary tab of the details pane. It updates to show the site's progress in moving the content library. While In progress, the Move Progress (%) value displays the percentage complete. (Make a cup of coffee! If you have a large content library, you may see 0% progress in the console for a while - a VERY LONG WHILE. For example, with a 1 TB library, it has to copy 10 GB before it shows 1%. Review distmgr.log, which shows the number of files and bytes copied. Starting in version 1810, the log file also shows an estimated time remaining.) If there's an error state, the status displays the error. Common errors include access denied or disk full.

  6. When the move is complete, the Status value displays Complete.

NOTE: We recommend enabling 8DOT3NAMES on the server volume where the Site Content Library will reside, as some file names, combined with the fully qualified server name and temporary directory names, may exceed the 255 character limit. For more information, see this article: https://knowledge.kofax.com/Capture/Kofax_Capture/Scan/Enable_8dot3_File_Name_Creation

FOLLOW UP NOTES:


If after completing this process, clients are not reporting into the new management point, review Active Directory for old Management Point records:

  1. Open Active Directory Users and Computers
  2. Click View
  3. Select Advanced Features
  4. Expand the SYSTEM container
  5. Expand the SYSTEM MANAGEMENT container
  6. Delete any records for the old management point(s)
  7. Grant the computer account for the new site server Full Control on the System Management container

Create a New Root CA Certificate and Import it Into Configuration Manager

  1. Create a New Root CA certificate on the new site server
  2. Export the new Root CA certificate to a drive\folder accessible for browsing
  3. In the Configuration Manager console, navigate to the Administration workspace, expand Site Configuration, and select the Sites node. 
  4. Click Properties
  5. Click Communication Security tab
  6. Click the Set button
  7. Click the New Sunburst icon
  8. Browse to the new cert
  9. Click Add
  10. Click OK
  11. Delete any old Certs shown in the pane