Apart from native agent support for Mac OS X, another of the big features of Configuration Manager 2012 SP1 is the ability to deploy “Cloud” Distribution Points on Windows Azure.
Why is this a big deal? Well, if you need to rapidly provision a DP but don’t have the present ability to scale your current environment or can’t provide server infrastructure to remote sites, a Cloud DP will allow you quickly set up a content location accessible from anywhere at a very low cost. Cloud DPs also allow businesses to service internet-connected clients without having to set up internet-facing Configuration Manager server roles, and also to rapidly provision DPs which are catered for within operational expenditure rather than capital expenditure. They offer new flexibility to the management story which is quite exciting.
Setting up a Cloud DP is actually very straightforward, and there are only a few things needed before you begin.
- A current Windows Azure subscription. Obviously – otherwise this isn’t going to get off the ground 🙂 If you are an MSDN subscriber (or you have access via a company subscription) then you have access to a limited Azure subscription – activate it via the MSDN Subscriber Benefits page;
- Your Windows Azure subscription ID. Once the Azure account is activated, you can get the Subscription ID by logging into the Management Portal and navigating to “Hosted Services, Storage Accounts & CDN”, then “Affinity Groups”. The Subscription ID is on the right-hand side of the screen;
- A Management Certificate. This is a locally-generated certificate which is uploaded to Windows Azure AND used by Configuration Manager to establish secure communications;
- A Configuration Manager hierarchy running Configuration Manager 2012 SP1 Beta (build 7782) or later.
There are a number of ways you can create the management certificate. At present there isn’t much guidance on the best approach, so this section explains how I did it in my own lab environment, which is configured for PKI with an Enterprise CA.
- On the CA, open the Certification Authority management snap-in, right-click on Certificate Templates and select Manage;
- Right-click the “ConfigMgr Web Server Certificate” template (or whichever template you prefer to use for HTTPS communications) and select “Duplicate Template”;
- Give the new template a name like “Windows Azure Authentication Certificate” and make the following changes: In “Request Handling” tick “Allow private key to be exported”, In “Subject Name” select “Supply in the request” and in “Security” ensure that the AD computer account for the primary site server has Read and Enroll permissions, either explicitly or via an AD group;
- Save the template, exit the Certificate Templates Console, then right-click on Certificate Templates, select “New” –> “Certificate Template to Issue” and choose the newly-created template for Windows Azure;
- Next, go to the Certificates MMC snap-in on the Configuration Manager site server and load the Certificates for the Computer Account;
- Expand Personal –> Certificates, then right-click Certificates and select “All Tasks” –> “Request New Certificate”;
- Select the Windows Azure certificate from the list of available certificates and click on “More information is required…”;
- In the Certificate Properties window, in the “Subject” tab add in the Subject Common Name and the DNS Alternative Name of the name of this hosted service. For example, if you want to call the Cloud DP “cm12clouddp1” then the full name is “cm12clouddp1.cloudapp.net”;
- Finish the enrolment and the certificate will populate the snap-in;
- Next, right-click the newly-enrolled certificate and select “All Tasks” –> “Export”;
- The Export process needs to be run through twice: the first time select “No, do not export the private key” and then export the certificate as a “DER encoded binary X.509” .CER file. The second time select “Yes, export the private key” and export it as a “Personal Information Exchange” .PFX file. You will need both exports later.
Upload the Management Certificate
- Open the Windows Azure Management Portal and navigate to “Hosted Services, Storage Accounts & CDN”, then “Management Certificates”;
- Click on “Add Certificate” and then select the appropriate subscription and browse to the exported CER file created earlier;
- Wait for the console to refresh and ensure that the Management Certificate has been uploaded correctly.
Creating and Configuring the Cloud DP
Now that the prerequisites are taken care of, we can create the Cloud DP.
- Open the CM Console and navigate to Administration –> Hierarchy –> Cloud and then click on “Create Cloud Distribution Point”;
- Type in the Windows Azure Subscription ID and browse for the exported PFX;
- In Settings, the service name will be automatically created by Azure. Select the desired Azure global region (eg: Southeast Asia) and which site the Cloud DP is going to be associated with;
- In Alerts, specify the quotas in terms of the amount of available storage and the monthly transfer quota;
- Complete the wizard (that’s all the information it needs) and open up the CloudMgr.log file located in the Microsoft Configuration ManagerLogs folder;
- The SMS_CLOUD_SERVICES_MANAGER component will initially connect to Windows Azure and create a new storage service – you can watch this in action via the “Storage Accounts” section in the Windows Azure Management Portal;
- This bit can take some time – the log file will probably show a series of entries like “Skipping safe exception Microsoft.WindowsAzure.StorageClient.StorageServerException. Will check again in 10 seconds.” and “Waiting for check if container exists. Will check again in 10 seconds.”. Eventually it may time out with an entry “ERROR: Timed out after 00:05:00 minutes waiting for check if container exists.”. Don’t stress, things are still happening;
- In my case, around 15 minutes after the timeout entry (with no further input from me), CloudMgr.log updated with “Uploading file ContentWebRole.cspkg to container deploymentcontainer with blob name xxx”. Behind the scenes, the storage account has been provisioned and Configuration Manager has taken all the information provided in the Cloud DP wizard and bundled it into a .CSPKG file. Windows Azure will now use that to provision a full hosted service into production;
- Keep following the logfile and within around 20 minutes (approximately) the service will be provisioned. Refresh the Cloud section in the Configuration Manager console, and the new Cloud DP will have a “Status Description” of “Provisioning Complete”;
- Navigate to Administration –> Distribution Points, and the Cloud DP will be there along with your on-premise
Distributing content to a Cloud DP is exactly the same as for a traditional DP. In the example of using an AppModel-type Application:
- Right-click the Application and select “Distribute Content”;
- For the content destination, select “Distribution Point” from the Add drop-down (or “Distribution Point Group” if the Cloud DP is a member of a DP Group) and select the Cloud DP from the list of DPs;
- Open up the distmgr.log and watch Configuration Manager deploy the content to the Cloud DP;
- Navigate back to Administration –> Distribution Points. Right-click the Cloud DP and select “Content” – the recently-deployed content should now be visible.
If you want to verify that the content really is there, I recommend a free tool called Azure Storage Explorer, which is available here via CodePlex. To add a Storage Account to view, you will need the name of the Storage Account as well as the Primary Access Key, both of which are accessible in the Windows Azure Management Console under “Storage Accounts”.
Once connected, under the “blobs” section should be a folder called “content-PKGID” where PKGID is the Package ID of the content you just distributed to Azure (eg: S0100001). Select that and you’ll see the actual files which have been uploaded and are now available for clients.
So, you now have a Distribution Point up in the cloud ready to distribute content to clients. In the next blog post, we’ll look at how clients will access that data 🙂