SCCM Client Boundary

anaconda1442 96 Reputation points

Hi SCCM or MECM technet community,

We have multiple SCCM servers: one main primary site server in location A has 4 DP servers and 1 MP, location B has 1 DP, and location C has 1 MP, 1 DP, and 1 SUP.

Our network team has found in the network switch logs that several SCCM clients (about 50-70) in locations A and B are trying to connect to the MP/DP/SUP server in location C.

All the network boundary groups have IP ranges that serve clients in the local network segment only. For example, SCCM client IP ranges in location A are set for DP servers in that network segment only; the same goes for the other locations mentioned above.

In addition, the boundary group option "Allow peer downloads in this boundary group" is not checked.

So I'm not sure what else I can check. I'll appreciate any help from the community.


Microsoft Configuration Manager

5 answers

  1. Jason Sandys 31,151 Reputation points Microsoft Employee

    First, why do you have an MP and SUP in location C? MPs generally should be located close, network-wise, to the primary site server and the primary site's DB; this also generally means in the same datacenter. There's no hard and fast rule for SUPs, but there is very little advantage in having a SUP at a remote location.

    Next, have you enabled MP affinity? By default, MP affinity is not enabled and so clients will choose MPs at random.

  2. anaconda1442 96 Reputation points

    Hi Jason,

    Thanks for the quick response. First of all, I forgot to mention the primary SCCM server in location A has a SUP role with WSUS and SQL Server. Second, the reason why we have a SUP out in location C is because the distance between location A and C is over 3,000 miles and we have a site-to-site VPN connection between the two. To avoid location C SCCM clients (about 250+ computers) sending network traffic to location A for SUP access, we added a SUP in location C.

    We learned in sccm design class (@mounika Horizons) :) that a MP/DP/SUP server can be placed on a distant remote location without needing to set up a secondary site.

    I have not enabled MP affinity. Is it set up in the SCCM client registry, like this example?
    reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM /v AllowedMPs /t REG_MULTI_SZ /d

    I got the above from this web site-

  3. Jason Sandys 31,151 Reputation points Microsoft Employee

    > 3,000 miles

    Physical distance is irrelevant. It's all about bandwidth and latency.

    > to location A for SUP access

    You do know that the SUP is only used for the update catalog, correct, and only a delta is transferred to the client when needed?

    > We learned in sccm design class (@mounika Horizons) :) that a MP/DP/SUP server can be placed on a distant remote location without needing to set up a secondary site.

    "Can" and "should" are two very different things. If you are concerned over bandwidth, a remote MP has zero benefits and multiple drawbacks; a secondary site 100% should be for remote locations where bandwidth is a concern.

    The AllowedMPs registry value is the old school way of hard-coding an MP; it's not the preferred path for MP affinity. See

  4. anaconda1442 96 Reputation points

    I know there is latency between location A and location C, which has a site-to-site VPN. When I was originally planning this 2 years ago, I wanted to create a secondary site in location C. Now that I remember correctly, another piece of advice from my school mentioned that if there are less than 500 computers on a distant remote location a secondary site is not needed. In addition, there were no SUP hard or fast rules that I was able to find at that time. I am aware clients use the SUP to determine what software updates they need. So in location C, I created a server with MP/DP/SUP roles. So far, in the two years of operation in production, we haven't had any issues. However, since you mentioned there are "zero benefits" and "multiple drawbacks" in having a remote MP, please elaborate on what exactly those drawbacks are. If you have any links that explain the drawbacks, that will be helpful. I'll certainly reconsider a secondary site if the existing server roles in location C can be migrated over to a new secondary site in that same location.

    I saw your link on MP affinity. I checked the console (btw we're running MECM version 2103) and see that I already have it enabled (see screenshot below), under "Clients prefer to use management points specified in boundary groups" in Hierarchy Settings.

    So I'll double check the client IP ranges in the boundary group and see if it's correct.

  5. Jason Sandys 31,151 Reputation points Microsoft Employee

    > if there are less than 500 computers on a distant remote location a secondary site is not needed

    This is incorrect. There is no hard and fast number, although if you feel you didn't need a secondary site at the location, why put an MP there? Conceptually, they would fill the same purpose, so the same criteria would apply. Either you need remote infrastructure for policy, inventory, etc. or you don't. As noted though, MPs are not meant to be remote from the primary site server and site database. The drawback is in latency, testing, and design. We just never designed for this, and so "things" happen that we do not and cannot control for, as the design assumes they are close network-wise to the primary site server and database and that the connection is high-speed and low-latency.

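The boundary IP range check the original poster plans in this thread, as an added PowerShell example that is not part of any poster's reply: it takes client addresses (such as those from the switch logs) and a list of boundary-group IP ranges, and reports clients that match no range or match ranges in more than one boundary group. The group names, addresses and function names are constructed for illustration.

```powershell
# Constructed sample data: boundary-group IP ranges as entered in the console.
# Group names and addresses are hypothetical, not taken from the thread.
$BoundaryRanges = @(
    [pscustomobject]@{ Group = 'BG-LocationA'; Start = '10.10.0.1';  End = '10.10.15.254' }
    [pscustomobject]@{ Group = 'BG-LocationB'; Start = '10.20.0.1';  End = '10.20.3.254' }
    [pscustomobject]@{ Group = 'BG-LocationC'; Start = '10.30.0.1';  End = '10.30.7.254' }
    # Stray range in the location C group that overlaps location A
    [pscustomobject]@{ Group = 'BG-LocationC'; Start = '10.10.12.1'; End = '10.10.12.254' }
)

# Constructed sample: client addresses as they might be copied from switch logs
$ClientIPs = '10.10.4.25', '10.10.12.77', '10.20.9.14', '10.30.1.5'

function ConvertTo-IPv4Number {
    # Turn a dotted-quad IPv4 address into one integer so ranges can be compared
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [uint64]$n = 0
    foreach ($b in $bytes) { $n = $n * 256 + $b }
    $n
}

function Get-BoundaryGroupMatch {
    # For each client IP, list every boundary group whose range contains it
    param(
        [Parameter(Mandatory)][string[]]$ClientIP,
        [Parameter(Mandatory)][object[]]$Range
    )
    foreach ($ip in $ClientIP) {
        $n = ConvertTo-IPv4Number $ip
        $groups = @($Range | Where-Object {
            $n -ge (ConvertTo-IPv4Number $_.Start) -and $n -le (ConvertTo-IPv4Number $_.End)
        } | Select-Object -ExpandProperty Group -Unique)

        $status = switch ($groups.Count) {
            0       { 'NoBoundary' }       # address is covered by no listed range
            1       { 'OK' }
            default { 'MultipleGroups' }   # ranges from different groups overlap here
        }
        [pscustomobject]@{
            ClientIP       = $ip
            BoundaryGroups = $groups -join ', '
            Status         = $status
        }
    }
}

Get-BoundaryGroupMatch -ClientIP $ClientIPs -Range $BoundaryRanges | Format-Table -AutoSize
```

Rows with a status other than `OK` are the ones to compare against the ranges entered in the console.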