Site and Roaming Boundaries


rykkim

Sep 22, 2004, 1:17:03 PM
I have a computer configured for our domain. I have set the Active Directory
site as a local boundary in Site Boundaries and have also set up our VPN
connections as a remote boundary in the Roaming Boundaries. When I create an
advertisement and set it NOT to install the program for the remote boundary,
users still get the package installed even though they are connected through
a VPN connection. What is going wrong?

David Randall [MS]

Sep 22, 2004, 1:22:33 PM
Are your clients in the VPN boundary still in the same AD site, or have you
left those subnets out of the AD site you're using for your local boundary?

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"rykkim" <ryk...@discussions.microsoft.com> wrote in message
news:7E6D0ED0-37D4-4587...@microsoft.com...

rykkim

Sep 22, 2004, 1:31:02 PM
The clients in the VPN boundary are still in the same AD site.

Kim Oppalfens

Sep 22, 2004, 5:20:03 PM

Which effectively answers your own question.
Just remove the VPN boundaries from the boundaries associated with the
Active Directory Site.

Kim Oppalfens
In article <D0AC25DF-AA7D-4EAE...@microsoft.com>,
ryk...@discussions.microsoft.com says...

--
Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx

rykkim

Sep 22, 2004, 5:41:09 PM
Can't do that. There are times when I do want the users that connect through
VPN to receive the package, and I would also like to be able to have these
clients receive the download first before running the installation.


Kim Oppalfens

Sep 23, 2004, 2:01:49 AM

What is stopping you from adding the VPN subnets to a new Active
Directory Site, removing them from the current site, and defining the new AD
Site as a remote roaming boundary?

This should accomplish everything you want to do, you can still have
them receive packages when they are remote, and you can specify to
download & execute.

Kim Oppalfens
In article <4A7E03CC-9D81-4417...@microsoft.com>,
ryk...@discussions.microsoft.com says...


rykkim

Sep 23, 2004, 10:23:03 AM
How do you exactly add VPN subnets to a new Active Directory Site? I thought
all I needed to do was add the VPN IP ranges to the roaming boundaries and
classify it as remote. I am soooo confused???


David Randall [MS]

Sep 23, 2004, 12:15:30 PM
You need to use the AD Sites and Services administrative tool to define a
new AD Site in AD itself (not in SMS yet) for your VPN subnets.

Then, in SMS, specify both AD sites as roaming boundaries.

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"rykkim" <ryk...@discussions.microsoft.com> wrote in message

news:EAB7DD3A-31D1-49CF...@microsoft.com...

LasvegasOps

Sep 25, 2004, 1:23:02 AM
David, I have some similar issues and am getting a bit confused.
The previous tech who set up the SMS servers had the same AD Sites on both
the site boundaries and the roaming boundaries. This does not seem right to
me. I don't really have an issue sending jobs, etc., but was wondering if this
is OK to do; for some reason it was set up like this. Here is the write-up
that I was given by the other techs configuring the sites:

I understand that Roaming Boundaries are for when you have Advanced Clients.

Site Boundaries are for Legacy clients.

So in practice, I only need to define the Roaming Boundaries using AD site
names and don't need to have the same sites on the Site Boundaries tab, right?

For example, I have 4 Primary Site Servers as follows:

CU0 - Primary Central Site in Florida

The central site has the following AD Sites configured in site
boundaries and roaming boundaries: Florida, New York, New Jersey

CU1 - Primary Site in Illinois

Chicago, Nevada, Utah

CU2 - Primary Site in California

San Diego, Los Angeles, Seattle

CU3 - Primary Site Hawaii

Kona, Oahou

or assigning sites: the following AD Sites configured in site boundaries and
roaming boundaries.

Others have told me I just need them on the Site Boundaries, some other guys
told me to leave them on the Roaming Boundaries, so I am more confused, as
some of the books seem to say the same thing.

If machines roam around from, say, site CU0 to CU1 etc., do I also put the AD
Sites from CU1 into CU0, or does SMS figure out that the sites in CU1 if not
connected and assigned to the site code for the site go and pick up the
distributions from another site?

Where should the AD sites or IP ranges sit? Site Boundaries or Roaming
Boundaries or both? It seems like when I put them only on the Roaming
Boundaries the site code assignment disappears.

Any help you can provide will be most helpful, this is driving me nuts.

cl...@faqshop.com

David Randall [MS]

Sep 28, 2004, 12:34:46 PM
Think of it this way:

When a client goes into a roaming boundary, it will get packages from a DP
whose site has that roaming boundary listed.


So, in your case, clients who are assigned to CU0 normally get packages from
CU0's DPs. If they roam to Nevada AD site, they should now get the DP's
from CU1.

If you added Nevada as a roaming boundary to CU0, then all clients in
Nevada would get their packages from EITHER CU0 or CU1's distribution
points. NOT GOOD!

So, to make it simple, make sure that the site boundaries contain only the
AD sites that you want serviced by that site's distribution points. Then,
enable the checkbox on the roaming boundaries tab that says "Include site
boundaries within the local roaming boundaries of this site". That way, SMS
picks up your site boundaries and uses them for advanced clients too.

Also, you might want to check out the following resources. They can help
clarify this and more:

Roaming Animated Demo:
http://www.microsoft.com/smserver/techinfo/productdoc/media/acr.htm
Roaming Whitepaper:
http://www.microsoft.com/downloads/details.aspx?FamilyID=37ac2246-453a-4418-b026-f7140a6fce3c&DisplayLang=en

Let us know how it goes.

Dave Randall
SMS Team


--
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"LasvegasOps" <Lasve...@discussions.microsoft.com> wrote in message
news:EB58DC62-F7E4-4E7A...@microsoft.com...

LasvegasOps

Sep 28, 2004, 1:27:04 PM
David, that makes it clear, thanks, excellent explanation.

To bug you for a minute, I was just told to set up 5 VPN client IP ranges for
users who will be logging in either via 56K modems when they are on the road
or via cable. Would these go in the Roaming Boundary as a remote roaming
boundary or local remote boundary in the Roaming Boundary, or should it go on
the Site Boundaries tab?

Thanks, I think I am finally getting this down but any help will keep me from
going spasticcc.. :)

Laslo

Cliff Hobbs [MVP SMS]

Sep 28, 2004, 3:37:25 PM
Any reason why you are quoting my email address at the end of this message?

--------------


"LasvegasOps" <Lasve...@discussions.microsoft.com> wrote in message
news:EB58DC62-F7E4-4E7A...@microsoft.com...

Cathy Moya [MS]

Sep 28, 2004, 8:04:29 PM
OK, let's walk through the question. First, are they Advanced Clients or
Legacy Clients dialing in? If they are Advanced Clients, then the site
boundaries won't do anything for them and if they are Legacy Clients then
roaming boundaries won't do anything for them.

I'm going to assume Advanced Clients because there are some ways you can
tweak the Legacy Client to make sure it won't be uninstalling every day or
so, but that doesn't really help much for installing clients across that
modem when they are on the road.

If they are in fact Advanced Clients, think about your largest package that
you will be pushing. Do you want a way to make them not install that large
package when they are dialed in? Or a way to make it install differently
(maybe download and execute when they are dialed in vs. run from server when
they are in the office?) If so, designate the ranges as remote roaming
boundaries. If you don't care, just leave them as local roaming boundaries.

--
Cathy Moya, MCSE: Security, MCT
Technical Writer, Enterprise Management Content Group

Check out the SMS Technical FAQ:

http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.

"LasvegasOps" <Lasve...@discussions.microsoft.com> wrote in message

news:739CB5DF-A9F1-4F92...@microsoft.com...

LasvegasOps

Sep 28, 2004, 8:35:03 PM
Hi Cathy,

They will all be Advanced Clients. The big issue is we have about 2000 users
who dial in and are Road Warriors, always on the road; some do connect via
cable in hotels, but 'most' dial up from customer sites at 56K.

So just to clarify - Advanced Clients over 56K modems using VPN will go on the
Roaming Boundaries as remote roaming boundaries, right?

Thanks for the clarification,

Laslo

David Randall [MS]

Sep 29, 2004, 11:35:48 AM
Yes, remote roaming boundaries.

Also, when you set up your advertisements, make sure to change the settings
on the Advanced Client tab. You'll probably want to set the "when no
distribution point is available locally" setting to: Download program from a
remote distribution point.

That will enable the BITS transfer of data down to the client, and when the
entire package has finally downloaded (even if the person dropped their VPN
connection in the middle of download), it will run from their hard drive.

Dave

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"LasvegasOps" <Lasve...@discussions.microsoft.com> wrote in message

news:0F84D3A8-D7CF-4A25...@microsoft.com...

LasvegasOps

Sep 29, 2004, 1:45:13 PM
Cliff, must have been part of a copy and paste that picked up your entry from
a previous post.

LasvegasOps

Sep 29, 2004, 2:05:05 PM
David,

Thanks for the clarification and outstanding definition of the issue.

Cliff Hobbs [MVP SMS]

Sep 29, 2004, 2:47:53 PM
Thanks.

Very interesting seeing as I've never posted on this topic. Oh well bit of
hiccup somewhere in the system then.

"LasvegasOps" <Lasve...@discussions.microsoft.com> wrote in message

news:5C2927A7-567D-40C6...@microsoft.com...

BDerr

Oct 1, 2004, 3:33:02 PM
Good discussion here on Roaming.

Got a question though, as I am still confused on Remote Roaming Boundaries.

A company has VPN/Dial Up clients, and that site is defined as an AD site
There is no SMS site for that AD site
The company wants clients to receive software distributions from their
assigned MP and DPs.

Would the answer be No Remote Roaming Boundaries?

And

A company has VPN/Dial Up clients, and that site is defined as an AD site
There is a SMS site and DPs for that AD site
The company wants clients to run software distributions from the DPs local
to the SMS Site.

Would the answer be no Remote Roaming Boundaries?

I guess the main question is: Under what scenarios would you use remote
roaming boundaries?

BDerr


"LasvegasOps" <Lasve...@discussions.microsoft.com> wrote in message

news:A4308126-9827-4563...@microsoft.com...

Cathy Moya [MS]

Oct 1, 2004, 4:54:54 PM
Let's start with your first question, to establish the ground rules:

"Under what scenarios would you use remote roaming boundaries?"
Remote roaming boundaries should only be assigned to clients that have slow
network connections back to the distribution point from where they will be
installing. That allows the administrator to control how clients process
advertisements when they are "remote" to that distribution point. We say you
usually want roaming boundaries for clients that connect:
1) over dial up
2) over VPN
3) over wireless
4) from a branch office that doesn't have a local DP

So let's look at your first scenario. Let's say I have my AD site Redmond. I
have SMS but I haven't included the Redmond site nor any of its IP addresses
in any SMS site or roaming boundaries. This is covered in the Most Excellent
whitepaper on roaming that is on microsoft.com. It says:
"Roaming Outside the SMS Site Hierarchy
In the event that a client computer roams to a network location that is not
in the boundary list for any SMS site, it will not be able to find a
resident or proxy management point and will revert to its assigned
management point. Any distribution points returned for a content location
request will always be the assigned site distribution points and will be
considered remote. In this situation, all packages will be distributed
according to the settings under When no distribution point is available
locally for each advertisement. This is also called a fallback scenario, or
fallback state."

Now, think about deploying something big like Office. The Advanced Clients
in your Redmond site would fall back to wherever your SMS site is, but since
they are remote, you can configure the advertisement NOT to install Office
(or to download and execute). If they happen to travel to the SMS site, they
would be connected locally to the distribution point and could process the
advertisement differently.

So far, so good?

Let's look at your second scenario. Now they have an AD site named Redmond,
and they also have an SMS site SEA with DP1 and DP2 as the distribution
points. You say they have VPN/Dial up clients, but I'm assuming only some of
the client computers are connecting remotely and then only some of the time.
For example, let's say they have a mobile sales force that comes into the
office every week or two for meetings but otherwise they are home-based or
on the road. In that case, you would want to configure the VPN or Dial Up
subnets and/or address ranges as remote, but leave all the other subnets,
the ones for the clients plugged into the LAN, as local roaming boundaries.
Then when they come into the office, they can run that whole Office package
from the distribution point (if you like) but when they dial in, they won't
get it at all (if you like.)

Does that make sense? If you haven't read that roaming whitepaper, please do
so. It's really good. (No, I didn't write it but I know the folks who did
and they put a lot of effort into that). Get it here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=37ac2246-453a-4418-b026-f7140a6fce3c&DisplayLang=en

Hope that helps


--
Cathy Moya, MCSE: Security, MCT
Technical Writer, Enterprise Management Content Group

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.


"BDerr" <bd...@nospam.com> wrote in message
news:expYZ0%23pEH...@tk2msftngp13.phx.gbl...
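Added example, not part of any post in this thread and not SMS code: a simplified Python model of the local / remote / fallback decision discussed above, run against the configuration from the first post and against the suggested fix. The subnets, setting labels and function names are constructed for illustration, and the rule that a local boundary match wins over a remote one is an assumption consistent with the symptom reported in the first post.

```python
# Simplified model of the behaviour described in this thread; not SMS code.
from ipaddress import ip_address, ip_network


def classify(client_ip, roaming_boundaries):
    """Return 'local', 'remote' or 'fallback' for a client address.

    roaming_boundaries: list of (cidr, kind) with kind 'local' or 'remote'.
    An AD site boundary is modelled as the subnets assigned to that AD site.
    Assumption: a match on any local boundary wins over a remote match,
    which is consistent with the symptom in the first post.
    """
    ip = ip_address(client_ip)
    kinds = {kind for cidr, kind in roaming_boundaries if ip in ip_network(cidr)}
    if "local" in kinds:
        return "local"
    if "remote" in kinds:
        return "remote"
    # Outside every boundary: assigned-site DPs are used and treated as remote.
    return "fallback"


def advertisement_action(client_ip, roaming_boundaries, advert):
    """Pick the advertisement setting that applies at this location."""
    where = classify(client_ip, roaming_boundaries)
    key = "when_dp_local" if where == "local" else "when_no_dp_local"
    return where, advert[key]


# Constructed sample data (addresses and labels are illustrative).
LAN, VPN = "10.1.0.0/16", "10.9.0.0/24"
ADVERT = {"when_dp_local": "run from DP", "when_no_dp_local": "do not run"}

# As first posted: the VPN subnet still belongs to the AD site used as the
# local boundary, and is also listed as a remote IP range.
BEFORE = [(LAN, "local"), (VPN, "local"), (VPN, "remote")]
# After the suggested fix: VPN subnet moved to its own AD site, remote only.
AFTER = [(LAN, "local"), (VPN, "remote")]

if __name__ == "__main__":
    for name, boundaries in (("before", BEFORE), ("after", AFTER)):
        for ip in ("10.1.4.20", "10.9.0.57", "192.0.2.10"):
            print(name, ip, advertisement_action(ip, boundaries, ADVERT))
```
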

BDerr

Oct 2, 2004, 7:07:47 PM
I think I almost have it. I've read through the whitepaper several times
before I posted, but was still confused.

Anyway, last questions:

I would "typically" use Remote Roaming boundaries if I wanted to include a
site (branch office) that had a slow link to the site where the DPs sit, if
there was no DP out there. That way, all clients in that location would use
whatever I specified in the package for remote clients (Download and
Execute, run from DP, do not run package).
If I put a DP out there, I would use a protected DPs in the site to keep
clients from accessing DPs across the slow link (both ways).

Now, if I had a SMS site that had DPs close to the Dialup\VPN clients, I
could choose to either make those Dialup/VPN clients remote roaming, or
local roaming boundaries, depending on what I was going to distribute to
those clients. The advantage with making them remote roaming is that I
could use different settings for advertisements than the clients in the
local roaming boundaries (local vs. remote).

When a client roams, the client will query AD, find the resident MP if one
exists, and query that MP for DPs that have the package content that the
client needs to run. It still goes back to the assigned MP to get policy
info, and submit inventory, status, etc. I understand the MP usage, I was
just confused on the remote roaming boundary information.

Thanks again.

BDerr

"Cathy Moya [MS]" <cam...@online.microsoft.com> wrote in message
news:%236JTpj$pEHA...@TK2MSFTNGP14.phx.gbl...

Cathy Moya [MS]

Oct 4, 2004, 2:22:49 PM
***Inline:

"BDerr" <bd...@nospam.com> wrote in message

news:eH8NDRNq...@TK2MSFTNGP12.phx.gbl...


> I think I almost have it. I've read through the whitepaper several times
> before I posted, but was still confused.

***OK, fair enough. If you can give us specific feedback about things we
could change in the whitepaper to make it less confusing, please email us at
sms...@microsoft.com.

> Anyway, last questions:
>
> I would "typically" use Remote Roaming boundaries if I wanted to include a
> site (branch office) that had a slow link to the site where the DPs sit, if
> there was no DP out there. That way, all clients in that location would use
> whatever I specified in the package for remote clients (Download and
> Execute, run from DP, do not run package).

***Yes, exactly.


> If I put a DP out there, I would use a protected DPs in the site to keep
> clients from accessing DPs across the slow link (both ways).

***Just to clarify, if you protect the DP in RemoteSite1 but do not protect
the DP in MainSite1, Advanced Clients in RS1 could still use the DP in MS1.
Protecting the DP in RS1 just means no one outside RS1 can use that DP. When
you say "both ways", I'm not sure if you mean protecting the DP in RS1 AND
the DP in MS1, but that is what it would take to make them stay in their own
sites. The downside of doing this is, you lose fault tolerance. If the DP in
RS1 goes down, and all of the DPs at MS1, RS2, RS3 are all protected, there
is nowhere else for clients to go. But it's a valid design choice, if you
understand the implications.

> Now, if I had a SMS site that had DPs close to the Dialup\VPN clients, I
> could choose to either make those Dialup/VPN clients remote roaming, or
> local roaming boundaries, depending on what I was going to distribute to
> those clients. The advantage with making them remote roaming is that I
> could use different settings for advertisements than the clients in the
> local roaming boundaries (local vs. remote).

***Yes, you have the advantage part right. Now, some other things: You might
not need to "make them" local roaming boundaries. If you already set those
boundaries as site boundaries, the default is to make all site boundaries
local roaming boundaries and no further action is required. If you did not
make them site boundaries, then yes, you could make them local roaming
boundaries or in any case you could make them remote roaming boundaries.
Remote is recommended in this case because even if they have DSL at home,
that client really isn't very close to the DP. Maybe if they have T1 to
their home, yeah, that's a fat enough pipe. Of course another common
scenario is they have DSL, but then at home they connect to the DSL over
wireless. That's how I do it and it would be painful to receive a big
package over my DSL trickled down to my often very slow wireless connection.

> When a client roams, the client will query AD, find the resident MP if one
> exists, and query that MP for DPs that have the package content that the
> client needs to run. It still goes back to the assigned MP to get policy
> info, and submit inventory, status, etc. I understand the MP usage, I was
> just confused on the remote roaming boundary information.

***Yup. The remote roaming boundary has no impact whatsoever on how the
Advanced Client finds the MP or what type of information it gets from
resident or assigned MPs. The remote roaming boundary ONLY affects how it
processes a package from a distribution point.

> Thanks again.

You're welcome!
