Microsoft Configuration Manager
An integrated solution for for managing large groups of personal computers and servers.
4,104 questions
ConfigMgr CMG Classic Cloud Service
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 36%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Stewart Pollock
11
Reputation points
Hi
We're about to remove the Central Admin Site from our ConfigMgr 2103 environment. We currently have a single CMG deployed with cloud service classic.
I had been informed here that it should be possible to remove the existing CMG then reinstall at the Primary Site Server using the same CName and certificate and internet clients would just reconnect to the new CMG without us having a requirement for them to be back on the intranet at some point.
I've noticed that the cloud service classic has just been deprecated this month however. What I'd like to know is if this means it won't be possible to reinstall the CMG at the Primary Site via this method. Does anybody know if the deprecation notice now means this isn't possible?
Thanks
{count} votes
-
Jason Sandys 31,171 Reputation points Microsoft Employee2021-09-24T04:26:04.483+00:00 What I'd like to know is if this means it won't be possible to reinstall the CMG at the Primary Site via this method.
Deprecated doesn't mean not available anymore. The functionality won't be removed until next year so you'll be able to set up a new CMG on the primary site using either the classic cloud service or the VMSS scale set. As long as you used a PKI cert from a public CA, then there's really no difference as you can simply point the CName to the new VMSS name. If you used an internal PKI cert, well then you are stuck and must use a classic CMG for now but you will need to acquire a new cert and deploy a new parallel CMG sometime in the next 9 months or so.
PSA: Using a cert from your internal PKI for your CMG and pointing to cloudapp.net or any domain you don't own is just not a good idea even if it works and is supported.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 70%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Stewart Pollock 11 Reputation points2021-09-24T10:56:28.71+00:00 Hi Jason, thanks as always for the comprehensive answer.
It's a public cert so no problem on that front. I had however assumed there was a better chance of successfully switching clients to the new CMG instance at the primary site if it was deployed as classic service in the same fashion as the original. My plan was to then upgrade to 2107 and convert the new CMG to VMSS.
IYou also answered my previous question around this scenario here. You mentioned that it wasn't something you'd tested at the time but saw no reason it wouldn't work. Out of interest, are you aware of anybody having done this successfully since?
-
Jason Sandys 31,171 Reputation points Microsoft Employee
2021-09-24T15:00:30.343+00:00 My plan was to then upgrade to 2107 and convert the new CMG to VMSS.
This will work as well. I don't think there's any advantage to doing this though.
Out of interest, are you aware of anybody having done this successfully since?
Off-hand, no I don't know of any.
-
Stewart Pollock 11 Reputation points
2021-09-24T15:10:43.337+00:00 Thanks Jason.
As one final question, when removing and reinstalling the CMG, do I need to do anything with the Web and Native Client Apps in Azure? I can see some articles mentioning an error when trying to reinstall a CMG due to the apps already existing such as here with a recommendation to delete the tenant from ConfigMgr but this seems OTT. I was expecting I'd just be able to reuse the apps that were created when I originally installed the CMG from the CAS.
-
Jason Sandys 31,171 Reputation points Microsoft Employee
2021-09-24T19:31:31.297+00:00 I don't think I've tested what happens when you remove a CMG gracefully. This may (or may not) remove the app registrations -- I'm leaning towards it not doing so. You can definitely reuse existing app registrations as long as they are connected to another CMG instance.
-
Stewart Pollock 11 Reputation points
2021-10-07T08:28:46.65+00:00 I wanted to gain some clarity around this so logged a ticket with MS Premier Support. They're telling me that because the CMG Connection Point is installed on the Primary Server and not the CAS there's actually no requirement to remove the CMG at all prior to removing the CAS.
This is great news if so but have to say the docs here are pretty poor in that regard as it makes no mention of this and even has a note highlighted stating "If you enabled the CMG for content, plan to redistribute the content after you recreate the CMG on the primary site."
Sign in to comment