Nomad Pre-caching

Pre-caching lets you preload the Nomad caches of particular machines directly from the Configuration Manager console. This enables downloads to be available on the branch prior to a deployment taking place, which can be very useful in large-scale deployment scenarios.

Before you start, ensure the following prerequisites are met:

  • 1E Platform is accessible, with Nomad features enabled.

  • Nomad Configuration Manager console extensions must be installed.

Refer to Using Nomad with Operating System Deployment (OSD) for example scenarios showing how to use Nomad to maximize the efficiency of distributing large OS content across the network, and how to monitor those deployments using the Nomad app.

Architecture and ports

Nomad pre-caching uses the following ports in its communications. If a site server is configured to use custom ports, pre-caching will use those ports to communicate with management or distribution points. To ensure high availability, pre-caching falls back to the next available site server if it fails to communicate with a management or distribution point.

| Ports | Description |
|---|---|
| N/A | Step 1: Choose a package and run the Nomad pre-caching wizard, selecting the target device collection. This step does not require any port configuration but the Nomad Configuration Manager console extensions must be installed in the Configuration Manager Console. |
| TCP 80 (HTTP), TCP 443 (HTTPS) | Step 2: The Nomad pre-caching wizard stores the target device and package information in 1E. |
| TCP 80 (HTTP), TCP 443 (HTTPS) | Step 3: The Nomad clients, where the pre-cache feature has been enabled, poll 1E every 24 hours to see if they need to pre-cache some content. This takes the form of pre-caching notifications that tell the Nomad clients they need to process a download job to fetch the specified content. |
| TCP 80 (HTTP), TCP 443 (HTTPS) | Step 4: The Nomad clients, with pre-caching notifications, contact the Management Point to locate the Distribution Point that holds the content. This may use HTTP or HTTPS depending on how the Management Point is configured. |
| TCP 80 (HTTP), TCP 443 (HTTPS), TCP 139 (SMB), TCP 445 (SMB over TCP) | Step 5: A Nomad Master election takes place and the elected master processes the job by downloading the pre-cache content using Nomad as provider. This is then distributed locally to the Nomad peers that also require the pre-cached content. This communication depends on how the DP is configured. It may be one of the following: HTTP, HTTPS, SMB, SMB over TCP. |

For Configuration Manager the default setting is either HTTP or HTTPS.
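
A reachability check for the client-side rows of the port table (steps 3 to 5), added here as an example and not part of the 1E documentation or tooling. The function name Test-PrecachePorts and the host names passed to it are assumptions; substitute your own servers.

```powershell
# Added example: run on a Nomad client to see which of the documented TCP ports
# are reachable on the 1E Platform, the Management Point and the Distribution Points.
# Test-PrecachePorts is a hypothetical name; all host names are supplied by the caller.
function Test-PrecachePorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $PlatformHost,        # 1E Platform (step 3)
        [Parameter(Mandatory)] [string]   $ManagementPoint,     # step 4
        [Parameter(Mandatory)] [string[]] $DistributionPoint    # step 5
    )

    # Port matrix taken from the table above. Step 2 is console-to-1E traffic and is
    # not tested here because this function is meant to run on a client.
    $matrix = @(
        @{ Step = 3; Role = '1E Platform';        Hosts = @($PlatformHost);    Ports = @(80, 443) }
        @{ Step = 4; Role = 'Management Point';   Hosts = @($ManagementPoint); Ports = @(80, 443) }
        @{ Step = 5; Role = 'Distribution Point'; Hosts = $DistributionPoint;  Ports = @(80, 443, 139, 445) }
    )

    foreach ($row in $matrix) {
        foreach ($target in $row.Hosts) {
            # Collect only the ports that accept a TCP connection.
            $open = @(foreach ($port in $row.Ports) {
                $ok = Test-NetConnection -ComputerName $target -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
                if ($ok) { $port }
            })

            [pscustomobject]@{
                Step      = $row.Step
                Role      = $row.Role
                Host      = $target
                OpenPorts = $open
                # One reachable port can be enough: which protocol is used depends on
                # how the server is configured.
                Reachable = ($open.Count -gt 0)
                HttpsOpen = ($open -contains 443)
                SmbOpen   = (($open -contains 139) -or ($open -contains 445))
            }
        }
    }
}

# Usage (placeholder host names):
# Test-PrecachePorts -PlatformHost 'platform.example.test' `
#     -ManagementPoint 'mp01.example.test' -DistributionPoint 'dp01.example.test','dp02.example.test' |
#     Format-Table Step, Role, Host, OpenPorts, Reachable, HttpsOpen, SmbOpen
```

Because the Configuration Manager default is HTTP or HTTPS, TCP 139 and 445 only need to be reachable on distribution points that are configured to serve content over SMB.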

Enabling Nomad pre-caching

When you consider how to install the Nomad Branch Tools (refer to Installing Nomad Branch Tools), you can also install them in unattended mode by using the MODULE.NOMAD.PLATFORMURL installer property or by setting the PlatformURL registry value on the machine where the extensions are installed post-installation.

If you have an existing Nomad 7.0.200 installation and you upgrade to 1E Platform 8.1, you should also upgrade your Nomad Configuration Manager console extensions to the current version. Doing this ensures you can view your pre-existing Nomad pre-cache jobs. When you upgrade from earlier versions of Nomad to 1E Platform, ActiveEfficiency is upgraded to Content Distribution. As a result, if you have an earlier version of the Nomad Configuration Manager console extensions, you may not be able to view your existing Nomad pre-cache jobs until you upgrade.

Nomad clients must also be configured to support pre-caching. This is done during installation in the Nomad screen of the 1E Client installer. For more details, refer to Deploying 1E Client on Windows.

Setting: Enable Nomad

  • Check this box to enable Nomad.

  • Nomad is used to support efficient content download for Configuration Manager and 1E. For 1E, its Nomad content download feature is enabled by default but only used if Nomad is enabled.

  • If Content Distribution is enabled, when the 1E Client starts it will upgrade any previous installation of the NomadBranch client.

Setting: Enable 1E Platform features

  • Check this box to let you configure the Single-Site Download (SSD) options and WakeUp integration.

  • Content Registration only: This configures Nomad to use Single Site Download to provide content to peers by registering the content it has in its cache in Content Distribution on the 1E Platform. In the registry SSDEnabled is set to 2 and ContentRegistration is set to 1. This also allows content to be reported in Nomad app dashboards and Device View. Typically, content registration should be enabled, unless there is a specific reason for a computer not to be a master. Content Registration is automatically disabled in WinPE.

  • Single-Site Download (SSD) only: This configures Nomad to use Single Site Download and consume content which has been registered in Content Distribution on the 1E Platform. SSD is used as a fallback if the client is unable to find content on the local subnet. In the registry SSDEnabled is set to 1 and ContentRegistration is set to 1. Nomad queries Content Distribution on the 1E Platform asking for peers that have registered content.

  • Both enabled: This configures Nomad to use Single Site Download so that it can both consume and provide content, as well as reporting in the Nomad app and Device View. In the registry SSDEnabled is set to 3 and ContentRegistration is set to 1. This is the recommended configuration unless there is a specific reason for a computer not to be a master. Content Registration is automatically disabled in WinPE.

  • Neither enabled: The client does not participate in Single Site Download activities, and does not report content details to Content Distribution. In the registry SSDEnabled is set to 0 and ContentRegistration is set to 0. Enable 1E Platform features has no effect, and is ignored.

  • If you need to enable reporting but prevent the Nomad client acting as an SSD provider, then use installer properties or mst transform files to configure MODULE.NOMAD.SSDENABLED and MODULE.NOMAD.CONTENTREGISTRATION.

  • For more information about SSD, please refer to Single Site Download.

  • WakeUp integration: If you check WakeUp integration but not Single Site Download (SSD), any attempt to wake-up peers with particular content will only be on the local subnet. If Single Site Download (SSD) is also checked, Nomad will try to wake peers with particular content in neighboring subnets on the site if peers on the local subnet do not wake.

  • The Platform settings are only available if you have enabled 1E.

  • These settings do not affect other Platform features such as Pre-caching.

Setting: Use FIPS encryption

  • Checking Use FIPS Encryption configures the Nomad module to use FIPS encrypted communications.

  • You must ensure that Nomad is configured with the same FIPS encryption setting on all your 1E Clients.

Although the Single-Site Download option must be enabled in the installer, you can use the Nomad pre-caching feature without using SSD by not configuring the Single Site Download feature. If you are already using the SSD feature in your environment, no further Nomad client configuration will be required to enable Nomad pre-caching.

Using Nomad pre-caching

Nomad pre-caching is directly integrated with the Configuration Manager Console, and it is fully compliant and works with Role Based Access in Configuration Manager. Refer to Nomad pre-caching RBAC support for details.

To start the pre-cache wizard, right-click any of the following types of content in the Configuration Manager console and, from the context menu, choose Pre-cache content using Nomad.

  • Applications.

  • Packages.

  • Driver packages.

  • Operating system images.

  • Operating system upgrade packages.

  • Boot images.

  • Task sequences.

For task sequences, please refer to the note in the table under Dynamic pre-caching below. Then complete the wizard as follows:

  1. On the Targeting screen, choose the device collection you want to pre-cache.

  2. On the Summary screen, verify your selection.

    • Click Apply if it is correct.

    • If it is incorrect, click Previous to start again.

  3. The Progress screen displays the status while the wizard sets up the pre-cache notification in ContentDistribution.

    From Nomad 8.1 there is support for providing alternate credentials to authenticate with the 1E Platform. If your 1E Platform instance resides in another domain or the cloud, you will be prompted to enter alternate credentials for that location, which get stored in the credential store for any future requests.

  4. On the Completion screen, click Finish to close the wizard.

Viewing pre-cached jobs

If you are not a full administrator, you can only view pre-cached jobs provided you have Read permissions on the collection as well as the content.

To view pre-cached jobs:

  1. In Configuration Manager, choose Monitoring.

  2. Expand the 1E Nomad node and select Pre-caching Jobs.

The attributes for the job are displayed in the right-hand pane as follows:

| Column title | Attribute definition |
|---|---|
| Job Id | The ContentDistribution identifier of the job. |
| Content Id | Configuration Manager identifier for the content referenced by the job. |
| Content Name | Name of the content referenced by the job. |
| Content Version | Version of the content referenced by the job. |
| Content Type | Type of the content referenced by the job (i.e. application, task sequence). |
| Target Collection Id | Device collection identifier targeted by the job. |
| Target Collection Name | Device collection name targeted by the job. |
| Creation Time | The time the job was created. |
| Created By | The person who created the job. |
| Content Status | (Visible only to those with full administrator rights) – displays the status of the content, i.e. whether it exists or is deleted. |
| Target Collection Status | (Visible only to those with full administrator rights) – status of the device collection, i.e. whether it exists or is deleted. |

Deleting pre-cached jobs

You can only delete pre-cached jobs if you have permissions for a particular content type. If you are not a full administrator, you will need:

  • Read permissions on collections (through a security role).

  • Access to the pre-cached job (i.e. content and the device collection).

To delete a pre-cached job:

  1. In Configuration Manager, choose Monitoring.

  2. Expand the Overview tree and choose Nomad Pre-cache jobs.

  3. In the Nomad Pre-caching jobs list, right-click the pre-cached job you want and, from the context menu, choose Delete.

Managing pre-cached jobs with PowerShell cmdlets

You can also manage pre-cached jobs by using PowerShell cmdlets.

To get all pre-cached jobs from ContentDistribution, run:

Get-PreCachingJobs [-PlatformURL <String>] [<CommonParameters>]

To remove pre-cached jobs from ContentDistribution run:

Remove-PreCachingJobs [-Id] <String> [-PlatformURL <String>] [-Confirm [<SwitchParameter>]] [<CommonParameters>]
Remove-PreCachingJobs -Before <String> [-PlatformURL <String>] [-Confirm [<SwitchParameter>]] [<CommonParameters>]
Remove-PreCachingJobs -AgeInDays <UInt32> [-PlatformURL <String>] [-Confirm [<SwitchParameter>]] [<CommonParameters>]
Remove-PreCachingJobs -All [<SwitchParameter>] [-PlatformURL <String>] [-Confirm [<SwitchParameter>]] [<CommonParameters>]

The parameters are:

| Parameter | Optionality | Notes |
|---|---|---|
| -Id | Mandatory | ID for the job to delete. |
| -PlatformURL <string> | Optional | Location of ContentDistribution. If not provided, it is retrieved from the NomadAdminUI registry value. |
| -Confirm | Optional | Suppresses the confirmation prompt for the deletion. |
| -Before | Mandatory | Delete jobs before a particular date and time where the notation is yyyyMMddHHmmss. |
| -AgeInDays | Mandatory | Delete jobs older than a particular number of days. |
| -All | Mandatory | Delete all jobs. Exercise caution if you use this. |
| <CommonParameters> | | Values are: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable. There is more information about CommonParameters at http://go.microsoft.com/fwlink/?LinkID=113216 |

Dynamic pre-caching

If the content or membership of a targeted collection changes after a pre-cached job is created, Nomad is updated to keep in sync with Configuration Manager. It does this by polling the Configuration Manager database at regular intervals to fetch updated content.

These intervals (you would have defined the intervals when you installed 1E Platform) have the following characteristics:

Each synchronization task fetches the following:

  • Pre-caching data (device collections and contents).

  • Dashboard data (status messages).

Pre-cached jobs are affected when these events take place in Configuration Manager, and on the next synchronization with Nomad:

| Content | Configuration Manager events | Next Nomad synchronization cycle |
|---|---|---|
| Device collections | Where there is a change in membership for a device collection. | Nomad collection is updated to reflect the change in membership for that device. |
| Device collections | Where a device collection is deleted. | Nomad pre-cached jobs for that device collection are deleted. |
| Packages | Where a package is updated. | Nomad is updated with the packages. |
| Packages | Where a package is deleted. | Nomad pre-cached jobs for that package, as well as any pre-cached jobs referenced in a task sequence, are deleted. |
| Applications | Where deployment types are added or removed. | Nomad deployment types for that application are updated. |
| Applications | Where an application is deleted. | Nomad pre-cached jobs for that package, as well as any pre-cached job referenced in a task sequence, are deleted. |

Task sequences

If you chose to automatically pre-cache references (as well as those added later), Nomad is updated when:

  • References are added or removed.

  • Referenced content is updated or deleted.

  • A reference is deleted.

Applications and packages that will be installed using a dynamic variable list will not be automatically pre-cached.

Also be aware that any other dynamic content will not be pre-cached, for example drivers deployed using Modern Driver Management (http://www.scconfigmgr.com/modern-driver-management/).

Dynamic content needs to be pre-cached independently as separate jobs.

If you chose to selectively pre-cache references:

  • Nomad is not updated when references are added or removed.

  • Nomad is updated when referenced content is updated or deleted.

  • Nomad is not updated when a reference is deleted.

Hash validation

Hash validation is used when content is downloaded for pre-cached jobs and for LSZgen requests for these jobs. When a pre-cached job is created:

  • For task sequences, hashes for all referenced packages and applications are posted to Content Distribution.

  • For applications, hashes for all its child deployment types are posted to Content Distribution.

On the client side:

  • Where a job is queued, the client queries the management point for content locations. The management point returns a hash for application content types only. If it does not return a hash, the client retrieves it from Content Distribution. Hashes from management points take priority over Content Distribution.

  • For the 1E server hosting Content Distribution, the client fetches the hash during the pre-cache cycle for that particular content.

Nomad clients polling the ContentDistribution database

After running the wizard, Nomad clients that are registered with the ContentDistribution database, and that were included in the selected device collection, will get a pre-cache notification within 24 hours. This notification tells Nomad that it has to process a download job on the content to be cached. The default number of notifications a client processes in one pre-cache poll cycle is 20, but you can modify this by updating the PrecachePollBatchSize registry value.

When is polling disabled?

Nomad clients normally start their polling cycle when the service starts, with a random delay to minimize the possibility of multiple simultaneous polls from different clients. However, polling will not start if any of the following is true:

  1. The 1E Platform URL is not set in the Nomad registry.

  2. Nomad is running on a machine using the WinPE operating system.

  3. The Configuration Manager client is not installed on the machine – in order to download pre-cached content, the Nomad service needs to contact the management point and this is only possible if the client is installed locally.

To explicitly turn polling off for a Nomad client set the PrecachePollMinutes registry value to 0.
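
A diagnostic for the polling conditions above, added here as an example and not part of the 1E documentation or tooling. It reads the registry values named on this page (PrecachePollMinutes, PrecachePollBatchSize, SSDEnabled, ContentRegistration) and reports why polling would not start. Assumptions: the function name is hypothetical, the Nomad client registry key is not given on this page and must be passed in, the 1E Platform URL value is assumed to be called PlatformURL, and WinPE and the Configuration Manager client are detected through the MiniNT key and the CcmExec service.

```powershell
function Get-NomadPrecachePollState {
    [CmdletBinding()]
    param(
        # Nomad client registry key. The path is not given on this page, so it must be supplied.
        [Parameter(Mandatory)] [string] $NomadKey,
        # Assumed name of the registry value holding the 1E Platform URL.
        [string] $PlatformUrlValueName = 'PlatformURL',
        # Pre-cache notifications waiting for this client, if known.
        [int] $OutstandingNotifications = 0
    )

    $reg = Get-ItemProperty -Path $NomadKey -ErrorAction Stop
    # Return a registry value, or the supplied fallback when the value is absent.
    $read = {
        param($Name, $Fallback)
        $p = $reg.PSObject.Properties[$Name]
        if ($null -ne $p) { $p.Value } else { $Fallback }
    }

    $pollMinutes = [int](& $read 'PrecachePollMinutes' 1440)   # page: clients poll every 24 hours
    $batchSize   = [int](& $read 'PrecachePollBatchSize' 20)   # page: default batch is 20
    $ssd         = & $read 'SSDEnabled' $null
    $contentReg  = & $read 'ContentRegistration' $null
    $platformUrl = [string](& $read $PlatformUrlValueName '')

    # The three conditions under which polling does not start, plus the explicit off switch.
    $blockers = @()
    if ([string]::IsNullOrWhiteSpace($platformUrl)) { $blockers += '1E Platform URL is not set' }
    if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT') { $blockers += 'Running in WinPE' }
    if (-not (Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue)) {
        $blockers += 'Configuration Manager client is not installed'
    }
    if ($pollMinutes -eq 0) { $blockers += 'PrecachePollMinutes is 0, polling is turned off' }

    # Installer option implied by SSDEnabled/ContentRegistration, as listed in the settings above.
    $options = @{
        '2/1' = 'Content Registration only'
        '1/1' = 'Single-Site Download (SSD) only'
        '3/1' = 'Both enabled'
        '0/0' = 'Neither enabled'
    }
    $pair   = "$ssd/$contentReg"
    $option = if ($options.ContainsKey($pair)) { $options[$pair] } else { "Not an installer combination ($pair)" }

    $notes = @()
    if ($contentReg -eq 0) {
        $notes += 'Content Registration is disabled: no notifications are fetched after the first batch'
    }

    # Each poll processes one batch, so a backlog needs ceil(backlog / batch) polls.
    $days = $null
    if ($blockers.Count -eq 0 -and $OutstandingNotifications -gt 0 -and $batchSize -gt 0) {
        $polls = [math]::Ceiling([double]$OutstandingNotifications / $batchSize)
        $days  = [math]::Round($polls * $pollMinutes / 1440, 2)
    }

    [pscustomobject]@{
        PollingActive         = ($blockers.Count -eq 0)
        Blockers              = $blockers
        PollMinutes           = $pollMinutes
        BatchSize             = $batchSize
        InstallerOption       = $option
        Notes                 = $notes
        EstimatedDaysForQueue = $days
    }
}

# Usage (the key path is a placeholder, not a real path):
# Get-NomadPrecachePollState -NomadKey 'HKLM:\SOFTWARE\<NomadClientKey>' -OutstandingNotifications 100
```

With the defaults and 100 outstanding notifications, EstimatedDaysForQueue is 5, matching the delay described under Limitations.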

Nomad pre-caching RBAC support

Nomad pre-caching is tightly integrated into Configuration Manager and honors the permissions and restrictions enforced by role-based access control (RBAC). The following rules are used to determine whether a particular user is allowed to pre-cache a particular content on a particular collection or not:

  1. A user is only allowed to pre-cache a content item if they have the RBAC permissions to deploy it via Configuration Manager.

  2. A user is only allowed to pre-cache to a device collection if they have the RBAC permissions to access that collection.

Configuration Manager (CM) administrators will need to be a member of the Nomad Administrators group, so they can manage Configuration Manager collections, for example create, view and delete pre-cache and paused collections. Refer to Nomad roles and permissions for details.

If an administrator does not have the necessary RBAC permissions, they will not be able to see or access any of the Nomad pre-cache features in the Configuration Manager Admin console. Similarly, if they do not have the right permissions to a device collection, that collection will not be available to them in the Targeting screen of the pre-cache wizard.

However, full administrators will see:

The following table provides an overview of the availability of Nomad pre-caching for the built-in Configuration Manager security roles:

Nomad pre-caching support based on the Configuration Manager security role

Columns: SOFTWARE LIBRARY, divided into APPLICATION MANAGEMENT (Applications, Packages) and Operating System (Driver Packages, Operating System Images, Boot Images, Task Sequences). Entries show the availability of the Nomad pre-caching Wizard for each built-in Configuration Manager security role.

  • Application Administrator

    • Application Management: Pre-caching available (Access to Collection required)

    • Operating System: Not available

  • Application Author

    • Application Management: Pre-caching Not available (Access to Application Management only)

    • Operating System: Not available

  • Application Deployment Manager

    • Application Management: Pre-caching available (Access to Collection required)

    • Operating System: Not available

  • Asset Manager

    • No access to Software Library

  • Company Resource Access Manager

    • (no entry)

  • Compliance Settings Manager

    • Pre-caching Not Applicable for Software Updates (No Access to Application Management & Operating System, Only Software Updates under Software Library available)

  • Endpoint Protection Manager

    • No Access to Software Library

  • Full Administrator

    • Pre-caching available (Access to Collection required)

  • Infrastructure Administrator

    • Pre-caching not available (Access only to Windows Sideloading Keys in Application Management under Software Library)

  • Operating System Deployment Manager

    • Application Management: Pre-caching not available

    • Operating System: Pre-caching available (access to Collection required). If Package/Application is part of a task sequence, pre-caching does not happen

  • Operations Administrator

    • Pre-caching available (Access to Collection required)

  • Read-only Analyst

    • Pre-caching not available (Configuration Manager console is in Read-Only mode)

  • Remote Tools Operator

    • No access to Software Library

  • Security Administrator

    • (no entry)

  • Software Update Manager

    • Pre-caching not applicable for Software Updates (No access to Application Management & Operating System, Only Software Updates under Software Library available)


Limitations

The following limitations are part of the current implementation of the Nomad pre-caching feature:

  1. Software Updates are not supported by Nomad Pre-caching. Instead, make use of the available and mandatory advertisement dates.

  2. Disabling Nomad Content Registration with the ContentDistribution database prevents Nomad clients from fetching further pre-caching notifications after the first batch of 20.

  3. The Nomad Pre-caching Wizard allows packages that do not have content to be selected for pre-caching.

  4. Delays may be seen when processing Pre-caching notifications for devices with many notifications. By default, Nomad clients will poll the ContentDistribution database once a day. Each time a client polls it will fetch a batch of 20 notifications to process, so for a client with 100 outstanding pre-caching notifications, it will take 5 days for all the notifications to be processed. The time between polls depends on the PrecachePollMinutes setting which can be reduced if there are many pre-caching jobs, though the 24-hour default is recommended.

  5. Pre-caching jobs do not support Nomad additional settings (such as those configurable in the Nomad tab in the Package or Task Sequence properties).

  6. Nomad won't re-download a pre-caching job with an updated data format (that is, compressed/encrypted) if the content has previously been downloaded to the cache. The conversion will happen when ACP triggers the same content.

  7. Nomad synchronization may cause issues if there are any replication issues between the central administration site and the primary site.

  8. Workgroup member clients may not be able to use the Nomad Pre-Caching feature, as it requires ContentDistribution registration using their FQDN.

Using network access accounts

Prior to this release, when a download was initiated, Nomad only used the credentials from the first Configuration Manager network access account it found to authenticate, and if that failed, the download stopped. From this release, Nomad cycles through all native Configuration Manager network access accounts to authenticate, thereby reducing the risk of failure.

Nomad won't use network access accounts for SMB downloads from the Distribution share. It uses the SYSTEM$ account to connect to the package share location.