Deep Dive Into the Content Library, Content Location Request, DPs, IIS in Microsoft SCCM

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hi my name is Justin shelf on I'm the engineering lead at patch my PC we develop a third-party patch management solution that integrates in a Microsoft configuration manager prior to my current role a is also a premier field engineer at Microsoft supporting config manager it's been about three weeks since my last video a little longer than average because me myself and some of my team were on a user group tour in Sweden Norway and Estonia talking about third-party patching and config manager we got to meet some of our customers internationally just a great event David James the director of engineering for config manager is also there so we had some great community insight some things that the product group is doing and just overall an awesome event so that's why it's been a little delayed compared to my average cadence that I was kind of on previously but in this video we are going to be talking about content and config manager so I posted a pull out on Twitter and I asked what the next topic should be and the winner was content lookups in deep dives in config managers so what I'm going to be covering today is how content is stored on your site servers within the content library how the distribution of content works to remote dps and then how clients do their lookups and more importantly how we can troubleshoot issues when clients get the content not found error to understand the flow that happens there and why that might occur so with that said I will go ahead and jump right in this is a pretty complex topic I'm going to try to present it in a way that hopefully makes sense and provide you guys value but the first thing that I want to look at is whenever you add a new application or package or download a software update into config manager it goes into this thing called the content library on your site server so the content library it's a single instant storage for any content that you add to config manager so what that lets you do is that if you've referenced the same files through multiple packages config manager only needs to store that once but in order to make that work there's a few different things within the file structure that has to happen within that content library for things to work so there's three different concepts here for the content library have what's called the package library the data library and then the file library so the package library contains information about what packages are present on a distribution point so if you targeted a package and the content to a remote DP that will contain information about any packages that are on that DP the data library contains information about the original structure of files within content so for example if it's an MSI file whether there are any additional files within the package source folder or the application source folder etc and those files are in an ini file and what that file points to is the actual hash of the actual original files within the file library folder that we see here so this is where most of the content is going to exist this will actually be where the file is like an MSI for example would live in that file library and it would get renamed to whatever the hash of the binary is so that's how it can reference the files from the data library and package library folder and then translate them into what the actual content is that needs to be downloaded that exists in the file library folder and hopefully to make this make more sense of this will kind of review the structure within here but there is a nice diagram I'll be sure to include these Docs so you can quickly jump out and kind of have a good view of what this looks like so to make more sense of this structure what I'm gonna do on my console is we're gonna go look at an application for 7-zip and we're gonna look at the deployment types so the deployment type is where the actual content exists for different deployment things that we have within an application so for example for 7-zip we can see that we have two different deployment types that are msi files we can see that we have the 32 and 64-bit for that deployment but what i'm interested here in what we're going to show you in the file library and the the package library is what how we find content and how that translates into the content library so we have content that ends in five or seven five six and then four to nine so this is for the 32-bit MSI and the 64-bit EMA MSI so on my site server if we go and look at where my content library exists so for me it's on the J drive and then within the content library folder we can see those three different structures for folders that we kind of looked at online so what we're going to be interested in looking at is that data library folder and what we're gonna do is go out and say hey let's go look for the one that ends in seven five six so if we come here and look at this the one that ends in seven five six now we can see that this one does have a period at the end that's just the revision number for that content and it's just the first revision but if we actually look in here this is going to be in the data library where the ini folders that exist for the structure of the way the package looks now within this ini this is what's going to point out to the actual file hash that's gonna live within the file library now the first thing we want to look at here is the first three or the first four characters of this file hash so if we were to copy those four and if we were to go back and look at the file library we can see that all the files start with the first four characters of the hash of the actual binary so in our case it's the MSI file so if we were to come in here and do back slash and paste in those four characters for the hash and click enter this is where we can actually see the files that exist within that MSI so the hash file this is going to be the actual file that is the MSI so this hash the ini is going to contain what packages this file is a part of and then there's just a signature file so if we were to zoom out on that and look at the ini that's going to show us hey this is part of the deployment type for this content that ends in seven five six but if we actually were to copy this hash file and let's just paste that to my desktop and if we go and rename this to dot MSI what we'll be able to see is this is actually the original MSI file that was used for 7-zip so if I go ahead and run this we can see that hey this is just that MSI we could go through and install this but this is how the content gets stored within the content library just to have a general understanding to make sense of what this actually does and how they obtain that single instance for files all right so I think the next thing I want to look at is understanding how the content gets distributed from your content library on your site server so like I mentioned any packager thing that you add goes into the content library on the site server even if that site server is not a distribution point it's still gonna live on that site server within your within your environment but when you start adding remote distribution points the content is going to transfer from your site servers content library to that remote distribution points content library so if we come here and look at my current site systems we can see that we have my site server that's name scope but we can also see that we have this remote distribution point called SCC MDP so in order to make sure that we have some content and show you how the content gets distributed I'm going to go into this Java package and choose to distribute content so I'm going to go ahead and walk through the wizard and I'm going to point out to that remote distribution point for that content and I want to go through and show how we could troubleshoot any type of content distribution issues that you might experience while distributing content so if I open up cm trace and go to the log files of my site server we want to look at two log files the first one's going to be our disk manager dot log so that's our distribution manager log so we're gonna add that one and then there's gonna be a package X let me see if I can find that package X expert manager dot log and I'm going to choose this option down here to merge both of these files so whenever you go out and you distribute content to a remote DP the distribution manager in the package X manager is going to be what actually transfers the content from your primary site service content library into the content library of that remote distribution point so we'll just wait for a minute while that process completes all right so within our log file we can see that as part of the package expert manager log we can actually see it sending the file so for example here's one of the files that got sent to that remote distribution point that we see here so looking at the log we can see it we can see the original MSI file name here that was being added to that remote server so if you ever had issues with content going out to remote dps like for example if you came in here and it was stuck like in this pending state and you just couldn't see anything those two logs will be a good place to start so if we refresh we can now see that that is out on our remote distribution point so for this we have 7-zip deployed to a client so we have that deployed to a collection and we also have a software update group for some third-party updates also targeted to a collection so when a client actually requests for content of a deployment the first thing that you need to have a basic understanding is boundaries so boundaries are how clients determine where to get content so there's this and I do talk about this more in my second video covering some of the basic post installation steps so that would be a good place to look - if you want more detail about boundaries and boundary groups but essentially what a boundary is is it's a network location of your clients so whenever clients are going to request content the first thing the clients going to do is hey am i part of a boundary group that contains a boundary that I'm located in so if I look at my boundary groups that's how we actually assign distribution points the different boundaries as part of this group so for example if I look at this boundary group we can see that I added that boundary that contains 192.168.1.0 through 1.20 as an IP range so any clients within that range would be pointing to this boundary and within this boundary group is where under the references you would you would determine what distribution points clients should use as part of this boundary group so this is pointing to that SCC MDP that we distributed our 7-zip and Java package to so if I jump over to a client I want to talk about how requests are made so here's the - or here's the 7-zip application that I've deployed now this one if we look at our IP address here so ipconfig we can currently see that our IP is 1.2 4 so that means that it would not fall within that boundary of 1.0 - 1.20 so if we went ahead and tried to install this what we're gonna see is we get a content not found error so if we look at the error code we can go ahead and grab that and then if I open up cm trace we go and do a ctrl L we can look up that error code and if we actually look at that error code that's where you can see that hey the content for 7-zip could not be located on any distribution points so if we actually want to look at this at the log level if we break out to our logs for our clients OC windows CCM logs under the content access log which is going to be that Kaz dot log this will contain any location requests for content so if I were to go ahead and open this log file what you're gonna see is the attempt to download content for that package and we can see that 0 distribution points were found so that's why we got the content not found so when the client requests content it's going to make the request up to your management point so if I come back to my site server that also has my management point running and if I look at my log files from my management point so under SMS underscore CCM in my case under the logs this is where you can actually see the location requests coming in from your client so we look at the MP location log this is where the client sends the request and this is the log file on the server side that comes up to our management point that shows information about all our content requests so for example we can see that within this log file it's giving us the client IP address right it's giving us the ad site name that the client is in giving us the forest name the domain name etc and the the management point is going to be what actually reaches out to the database to determine whether this client is part of any boundaries and whether any distribution points within those boundaries and boundary groups contains the content of the client is looking for so at a deep level if you actually want to know what stored procedure the management point is going to look up content I can actually show you what that would look like so if I open up a sequel management studio and if we look at our database and look under our config manager database under the programmability we're gonna have different stored procedures that functions use and things do with then within config manager so the management point has a lot of different stored procedures that it does when it looks up information on the on request it gets from clients for example so some of the stored procedures that happen for content lookups are MP underscore get content location so for example if we look at two of these stored procedures we have the get content DP info so this is what the management point when it gets the parameters from the client like what network IP subnet what IP what ad site it's then gonna run different stored procedures to determine whether there are any boundary groups for that client and whether any of the distribution points within those boundary groups actually contain the content that the client is requesting so the protected would be if you are not allowing fallback for your deployment so that would say this this could only if the content is in the boundary group that a client is located in the unprotected that means that the client could also fall back to like the site content boundary group and it could go to a remote distribution point for example so at the background the stored procedure runs we can see the different parameters that the client would pass to that and that's going to determine whether there are actually any distribution points that contain that content so that's going to run against the database to see if that package exists so that looks good there's a few other stored procedures that we can see that are also getting run here but I think the key point is here if you were troubleshooting content you'd make sure that you see the requests coming in under the MP location and then that would help you verify that the client has connectivity and then if the contents not found we have to start understanding whether it's because the distribution might have felt for the package or application or whether the boundary might not exist or whether there's some other action that we would have to troubleshoot to determine if there's some other cause for that content not being that so for our case this one should be pretty easy to understand so since that client is part of 1.2 for for the IP range and if we look back in our boundaries we can see that the boundary that that group is in only goes up to 120 so the the distribution point that we put that content on is not part of a boundary group that that client is actually requesting from so that would make sense why the content wasn't found so there's a few different scenarios here one might be do you want to allow the clients to be able to fall back to other distribution points if it's not on a local one or maybe the clients not part of a boundary that you've configured in config manager so within applications the way the fallback works is within each deployment type under the content tab you're going to have two different options here whether you want to allow clients to fall back and then whether you want to allow them to fall back to the default site boundary so I'm going to allow them to fall back to the d4 site as well as any neighboring boundaries that the content might exist in that could be associated with their boundary group so I'm gonna do that for the 32-bit MSI as well as the 64-bit MSI here so now if we come back to our client and look at our content if we go ahead and retry this now that we're allowing fallback we'll see what happens here all right so now we can see that the client successfully downloaded the content so if we look at our cache log we can see that when that request came in we did find a matching distribution point and we downloaded that content and it installed that package now one thing I do want to cover is that when you allow fallback you also need to make sure that the distribution point you want to allow clients to fall back to is part of the fallback default boundary group so within here under the references of my default site boundary I assign that distribution point to be a distribution point that we enable for fallback now within that there's also some behavior here so the default value is do not allow fallback until the client could not found the content from a distribution point in its own boundary for up to a hundred and twenty minutes just for this lab I made it one just so the process would be faster when it times out and says let's allow that fallback now that we enable that option within our deployment type of our application so that is the fallback method that allows you to go to the default site boundary you would just need to make sure that you have whatever distribution point you want to be your fallback source so usually this might be a centrally connected location if you're in a large hierarchy to be kind of a site fallback now there is another option that would that the client would prefer before the site boundary and that's if there are any references to the boundary group that that client is in for other boundary groups within there so under this relationships tab this is where you can specify a fallback relationship with another boundary group so for example let's say you had two remote locations that might be closer to each other and better connected than falling back to the main site server one so in that scenario you might want to have the fallback relationship set for those two two different locations and those two groups so they could fall back to each other and this type of relationship would happen as a priority before the main site boundary for falling back so I'll also include some references to the the default priority so here's where we can see the default one would be a distribution point on the same subnet then within the same boundary then within the current boundary and then here's the fallback relationship and then finally the next location that the client would look for is the default site boundary which is what we just saw happen so that looks good we go ahead and zoom out of that now looking back under my software update so if I come back to my client and look in Software Center I do have some third-party updates so just like clients would request content for packages or applications your distribution packages for updates will also exist on your distribution point so for example if I look at my deployment package we can see that this has been distributed to my SCC MDP and it's already out there now the way that you allow fallback for software updates are a little bit different so let's go ahead and request this Google Chrome update so for this one we can see that's kind of stuck at installing and if we come back to the main updates view we can see that it's stuck at this dreaded downloading 0% phase so since this content is not part of our clients boundary group is just going to sit here and keep on doing a request that essentially say that we couldn't find any distribution points for that content so the way that you allow fallback for the software updates is a little different so if we look back in our software update groups you don't do this update like you would do with an applications deployment type to to allow to fall back to your site boundary or even a fallback relationship this is done per software update group deployment so if we look at the deployment tab here and look at the download settings this is where you can determine whether or not you want to allow your clients to fall back to a neighboring boundary that's part of a relationship or even the default site boundary in order to download updates if that client is not part of a boundary group or if the content hasn't got to a distribution point within that client boundary group so if we wanted to go ahead and enable the fallback and go ahead and choose yes if we come back to our client and just see if we can cancel this update all right looks like that was cancelled and then if we go ahead and try again what we should see is after about a minute because that's what we set our fallback timeout to be we should see this download complete so it looks like our Java update actually kicked off and already downloaded a bit before so we can see that that one looks like it's installing now if we look at the cache folder now that that fallback was enabled if we come over here to CCM cache we can see the folder that the Java update got downloaded to so there we are and here in any any minute here we should see that we go from Java 8 update 161 to 191 and finally to jump back on Chrome it looks like it's not fully kicked off yet let's go and show the scenario of us actually changing the boundary group and boundary for to match that IP range that it's in so let's go ahead and extend that so it goes up to 1.25 so that that clients now part of the boundary group so it looks like that patch might have already kicked off before we actually came back in and went ahead and install it from the fallback point so that looks good so that's how software updates would play if they're if they're allowing fallback you would have to do that from the actual deployment within that software update group now let's go ahead and uninstall Java and we'll go ahead and do the app deployment so now that this client is part of a valid bounder group that is in the distribution point associated to it if we come back into our applications and actually deploy Java and if we look at the deployment types for the 64-bit we can see that we don't have that fallback setting enabled but that should work fine because this is now part of a valid boundary so this is how most scenarios should probably work you should probably try to make sure that you have boundaries configured for all your client locations most of the time you probably want one allow a lot of fallback there might be some places where clients aren't in a boundary that you would want to allow fallback but ideally I think if you can get a distribution point of boundary group you would want to make sure those clients are assigned to one of those groups I'm going to go ahead and target a application deployment to this client that does not have fallback enabled but now that we actually configured our boundary correctly in this client that is 1.24 should fall within that range it should still download and enjoy install Java as an application just fine so I'll go ahead and do policy just to have this check in a little faster alright so the policy kicked in and we can now see Java showing as applicable and now that we uninstalled the update so it's no longer there so if we go ahead and request this and look at our cows log things should just work in this scenario because we have our content distributed to a boundary that is part of that boundary group so if we go ahead and do install we can see that it went ahead and copy that content and did everything successfully so if we actually look at that path that was copied we should be able to actually browse out here since our distribution point is not in HTTP so if we actually copy this and open a web browser we can actually see the source file from is that we're actually pulling here so for example if we were to click this this could actually be this is actually the web service that bits is using when it actually downloads that MSI file so at the distribution point level if we were to actually go into our DP and open up is this is where we're actually going to see the web service within is actually translate all that content into our actual content library on our distribution point so if we look under our default web site these are where our packages actually live so if we go ahead and look at that here's the different folder structure that is being pointed to on our clients so for example if we open up that file live folder and Explorer we can see that this is pointing out to our content library that for this remote distribution point is part of our D Drive so for example if we come here and look at that Java update we can see that the first four characters of the hash let me go find that so if we come back to our site server and we look at our application for Java and we look at our 64-bit we can see that the content ends in c seven CA so if we come back to our distribution point and look at our data library and we look for c 7 CA here's the actual ini file and this is where it's pointing out to that hash so if we copy the first four characters of that and go look at the actual file ID and we go into that first four characters of the hash this is where the actual MSI file exists so when that request is being made from your clients to pull that MSI IAS on the back end is sending you this file and then just renaming it to the msi during the actual download path but this is how it's pulling that download through is and bits from the client-side alright so i think that's most of what i had the last tool that i'll show you is a tool that comes in config manager if you look under your installation directory on your site server under the tools folder and server tools there's this tool called the content library explorer so this can be used to allow you to connect to a remote distribution point so in our case we're going to choose that SCCM DP and this will essentially connect into the content library and it will give you a name of all the package that exists on that distribution point so for example here's our 7-zip and java package but if you actually expand that it's going to show you all the different content within that so we can see our two different deployment types and it's going to tell you where the file is so we can see that this is our actual file name from the core package or msi we'll see the size of it what drive that it lists on and then more interestingly we're see where that actual file corresponds with the hash and where it actually lives within the file library folder so just a helpful tool to do troubleshoot if you're maybe having download errors but you think contents there to connect into your remote dps and actually look if all the files actually exist within that path as a troubleshooting method one of the other common things that sometimes happen in task sequences is if a client is using an ad site boundary but it's part of a workgroup sometimes the content lookups don't translate to see that it's within a boundary that actually exists so if you didn't have the fallback enabled on each of your deployment types it's pretty common for applications to just not get installed during a task sequence depending on what boundaries that the clients are part of and whether it can resolve them if they're part of a workgroup for example but that's all I have I hope the video was helpful in the accompanying blog post I am going to include a lot of different resources for the docs website there are a lot of moving parts here and I know I didn't cover thing but I think this should hopefully give a good idea of the way that content stored how its distributed the method that your clients use to do the lookups and what logs involved in the client and the server side as well as some concepts like fallback in case clients aren't part of a boundary that can come be a common issue of why you might get waiting for content or things might not ever happen from a client side if you have any questions leave them in the video post or the accompanying blog post and thank you for watching
Info
Channel: Patch My PC
Views: 14,771
Rating: undefined out of 5
Keywords: SCCM Content Library, ConfigMgr Content, SCCM Content, SCCM DP, ConfigMgr DP, Configuration Manager Content, SCCM Distribution Point, ConfigMgr Distribution Point, SCCM Content Not Found, Application Content SCCM, Update Package SCCM, distmgr.log, pkgxfermgr.log, content distribution, content distribution sccm
Id: A9K9_NPQL_o
Channel Id: undefined
Length: 31min 38sec (1898 seconds)
Published: Sun Oct 21 2018
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.