MDM Server Topologies
10/3/2008
This section provides an overview of the three primary System Center Mobile Device Manager (MDM) server configurations. This section also describes scale considerations and provides an explanation of administrative control in multidomain environments.
Primary MDM Server Topologies
The following illustration shows an overview of the three primary server configurations:
The following describes the primary implementation options for the MDM system:
- Integrated configuration: For the minimal MDM configuration, install the components on two physical 64-bit servers: MDM Gateway Server on a stand-alone or workgroup server in the perimeter network, and MDM Enrollment Server, MDM Device Management Server, and Microsoft SQL Server® together on a domain-joined server in the company network. Although the integrated option provides a simple implementation, it is not the most secure configuration, and because it is not scalable it can restrict an organization that has many Windows Mobile powered devices to manage.
- Distributed configuration: Deploy each MDM component (MDM Gateway Server, MDM Device Management Server, MDM Enrollment Server, and SQL Server) on its own dedicated physical 64-bit server. This configuration provides better scalability than the integrated configuration. However, it offers no redundancy, and you cannot easily add more servers to scale out when the number of managed devices increases.
- Scaled-out configuration (recommended): Configure MDM Gateway Server and MDM Device Management Server in load-balanced arrays. At first, an array might consist of only one server, but when the initial installation is set up as a scaled-out configuration, you can add more servers easily. We recommend a dedicated computer running SQL Server to make larger-scale software distribution easier. This is the recommended configuration for a production enterprise environment: it allows the greatest scalability and the highest levels of availability for managed mobile devices.
Note
To scale out the MDM Device Management Server or MDM Enrollment Server, you can deploy either hardware or software load balancers. Review the product technical documentation for features and limitations of load balancers. With either software or hardware balancers, affinity must be enabled in the load balancer configuration.
The distributed and scaled-out MDM configurations are described in more detail in MDM Distributed Configuration Topology and MDM Scaled-Out Distributed Configuration Topology.
Capacity and Scale Considerations
As you consider your options to implement MDM, forecast your future requirements for managing Windows Mobile powered devices. For more information about hardware requirements for all MDM servers, see System Requirements for MDM Servers and Managed Devices in this document. The following figures are the capacities achieved in laboratory installations under the indicated test scenarios.
Basic Server Capacities
- An MDM instance can support up to 30,000 devices.
- An MDM Device Management Server can support up to 10,000 devices.
- An MDM Gateway Server can support up to 5,000 devices.
- An MDM Enrollment Server can support up to 25 concurrent device enrollments.
On an MDM Gateway Server That Has 5,000 Managed Devices
You can manage up to 5,000 devices per MDM Gateway Server:
- 100 percent of the managed devices can have an active virtual private network (VPN) connection
- Up to 60 percent of the devices can have active network sessions through VPN
- Each MDM Gateway Server can support traffic volumes up to 100 megabits per second (Mb/s)
- There may be up to 16 servers running MDM Gateway Server in an MDM instance
On an MDM Device Management Server That Has 10,000 Managed Devices
You can manage up to 10,000 devices per MDM Device Management Server:
- Each managed device contacts MDM Device Management Server up to one time every eight hours
- Policy updates are made daily on all devices
- There may be up to six computers that are running MDM Device Management Server in an MDM instance
- Use a fast data network for best load reduction results
Note
The total number of managed devices should not exceed the total capacity for an MDM installation. Three computers running MDM Device Management Server already reach that capacity (3 × 10,000 devices), so even with more than three, the total capacity for the MDM installation remains at 30,000 devices; additional servers add redundancy, not capacity.
On a Single MDM Enrollment Server
One MDM Enrollment Server may support an entire MDM instance, because it actively supports devices only during the enrollment process.
- Up to 25 concurrent enrollments can be in progress
- You can have up to two computers that are running MDM Enrollment Server in an MDM instance
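The capacity figures above are easiest to apply as a small sizing calculation. The following planner is an added example, not code from the MDM product or its documentation: it encodes the per-server and per-instance ceilings stated on this page, computes the minimum number of MDM Gateway Servers and MDM Device Management Servers a device forecast needs, flags forecasts that exceed what one instance (or its server-count limits) can hold, derives the worst-case background polling rate from the eight-hour contact interval, and estimates rollout time from the 25-concurrent-enrollments limit. The average enrollment duration used in that last estimate is an assumed input, since the page gives no figure for it; the batch model of enrollments is also an assumption.

```python
"""Sizing calculator built from the MDM laboratory capacity figures.

Added example, not part of MDM or its documentation. Only the constants
below come from the documentation; the enrollment-time model and its
default duration are assumptions for illustration.
"""
import math
from dataclasses import dataclass, field

# Laboratory capacities stated in the documentation.
INSTANCE_MAX_DEVICES = 30_000      # one MDM instance
DM_SERVER_MAX_DEVICES = 10_000     # per MDM Device Management Server
GATEWAY_MAX_DEVICES = 5_000        # per MDM Gateway Server
ENROLLMENT_MAX_CONCURRENT = 25     # per MDM Enrollment Server
GATEWAY_MAX_SERVERS = 16           # MDM Gateway Servers per instance
DM_SERVER_MAX_SERVERS = 6          # MDM Device Management Servers per instance
ENROLLMENT_MAX_SERVERS = 2         # MDM Enrollment Servers per instance
POLL_INTERVAL_SECONDS = 8 * 3600   # each device contacts the DM server at most once per 8 hours


@dataclass
class Plan:
    devices: int
    gateway_servers: int
    dm_servers: int
    dm_contacts_per_second: float
    warnings: list = field(default_factory=list)


def plan_instance(devices: int) -> Plan:
    """Size one MDM instance for a forecast number of managed devices."""
    if devices < 0:
        raise ValueError("device count cannot be negative")
    warnings = []

    # Minimum server counts are ceiling division against the per-server limits;
    # even a tiny deployment needs one server in each role.
    gateways = max(1, math.ceil(devices / GATEWAY_MAX_DEVICES))
    dm_servers = max(1, math.ceil(devices / DM_SERVER_MAX_DEVICES))

    if devices > INSTANCE_MAX_DEVICES:
        warnings.append(
            f"{devices} devices exceeds the {INSTANCE_MAX_DEVICES}-device ceiling of a "
            "single MDM instance; adding Device Management Servers does not raise it"
        )
    if gateways > GATEWAY_MAX_SERVERS:
        warnings.append(
            f"{gateways} MDM Gateway Servers needed, but an instance allows at most {GATEWAY_MAX_SERVERS}"
        )
    if dm_servers > DM_SERVER_MAX_SERVERS:
        warnings.append(
            f"{dm_servers} MDM Device Management Servers needed, but an instance allows at most "
            f"{DM_SERVER_MAX_SERVERS}"
        )

    # Worst-case steady-state polling load: every device checks in once per interval.
    contacts_per_second = devices / POLL_INTERVAL_SECONDS
    return Plan(devices, gateways, dm_servers, contacts_per_second, warnings)


def enrollment_time_seconds(devices: int, enrollment_servers: int = 1,
                            avg_enrollment_seconds: float = 120.0) -> float:
    """Rough wall-clock time to enroll `devices` under the concurrency limit.

    Assumed model: enrollments run as back-to-back batches of 25 per server.
    avg_enrollment_seconds is a placeholder value; measure it in your own environment.
    """
    if not 1 <= enrollment_servers <= ENROLLMENT_MAX_SERVERS:
        raise ValueError(f"an instance supports 1 to {ENROLLMENT_MAX_SERVERS} MDM Enrollment Servers")
    if devices <= 0:
        return 0.0
    concurrent = ENROLLMENT_MAX_CONCURRENT * enrollment_servers
    batches = math.ceil(devices / concurrent)
    return batches * avg_enrollment_seconds


if __name__ == "__main__":
    for forecast in (12_000, 45_000):
        p = plan_instance(forecast)
        print(f"{p.devices:>6} devices -> {p.gateway_servers} gateway(s), "
              f"{p.dm_servers} DM server(s), {p.dm_contacts_per_second:.3f} contacts/s")
        for w in p.warnings:
            print("        warning:", w)
    hours = enrollment_time_seconds(12_000, enrollment_servers=2) / 3600
    print(f"enrolling 12,000 devices on two MDM Enrollment Servers: about {hours:.1f} h")
```

Two things the calculation makes visible that the raw figures do not: the gateway count is the binding constraint long before the 16-gateway limit matters (30,000 devices already needs six gateways), and a forecast above 30,000 devices needs a second MDM instance rather than more Device Management Servers. Treat the polling rate as a floor; policy changes, software distribution, and inventory jobs add load on top of it.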
Performance Variables
Server capacities will vary per installation and are highly dependent on the frequency of device monitoring sessions, software distribution, policy changes, and installed hardware. The following list provides a summary of the most common variables.
- Server hardware: processor speed, number of processors, cache, memory, disk I/O subsystem, and network
- SQL Server hardware: adherence to SQL Server scalability best practices, particularly for disk I/O and memory management
- Frequency of configured device polling
- Frequency, scope, and types of policy changes
- Frequency with which software distribution packages are sent, and the detection rules defined for those packages
- Inventory items that are collected, and the frequency of the inventory jobs that collect them
- Number of managed device containers against which Group Policy settings are managed. The most MDM resource-intensive model is one in which all the devices are contained within a single root container and all Group Policy settings are applied to this root container.
- Number of distinct software distribution groups and scheduling of distribution to each of these groups. Multiple WSUS-targeted groups on independent schedules create less load than if you include all managed devices in a single targeted group.
- Device wireless network data speeds: faster network speeds lessen the burden on the MDM system.
MDM Administrative Control in Multidomain Environments
The MDM system operates as a single instance within one Active Directory® forest. An MDM instance is a collection of MDM servers that connect to a single set of MDM databases. All MDM servers and related components must reside within a single Active Directory domain and site that is accessible throughout the forest. When MDM manages devices from multiple domains, at least one domain controller from each of those domains must be available to MDM.
A single MDM instance enables you to centrally manage Windows Mobile powered devices throughout the forest. You can delegate Group Policy settings and administratively control them based on the default Active Directory container, also known as the organizational unit (OU). However, other MDM tasks, such as wiping devices, blocking devices, enrolling devices, server management, and server configuration, cannot be managed by using OUs.
For example, say you have the following domains: domain1.contoso.com and domain2.contoso.com. If you install the MDM servers in domain1.contoso.com and there are MDM users in both domain1.contoso.com and domain2.contoso.com, MDM administrators can issue wipe requests for managed devices in both domain1 and domain2. Additionally, server configuration settings reside centrally and administrators set them globally, so they affect managed devices in both domain1 and domain2.
By using MDM Administrator Tools, you can manage and administer the MDM system across the Active Directory forest. Grant permissions cautiously: a user assigned to the SCMDM2008DeviceAdministrators group and the SCMDM2008DeviceSupport group can wipe every device in the forest that MDM manages, regardless of the domain the device's user belongs to.