Contents

Nomad pre-caching

Summary

Pre-caching lets you pre-load the Nomad caches of particular machines directly from the Configuration Manager console. This enables downloads to be available on the branch prior to a deployment taking place, which can be very useful in large-scale deployment scenarios.


Before you start, ensure the following prerequisites are met:

  • ActiveEfficiency 1.10 or later is accessible. Version 1.10.0 requires the latest accumulated hotfix.
  • Configuration Manager 1802 or above is deployed
  • Nomad 7.0 Configuration Manager console extensions must be installed
On this page:

Architecture and ports

Pre-cache architecture diagram

The Nomad pre-caching uses the following ports in its communications. If a site server is configured to use custom ports, pre-caching will use those ports to communicate with a management or distribution points. To ensure high-availability, pre-caching falls back to next available site server if it fails to communicate with a management or distribution point.

PortsDescription
N/A

Step 1

Choose a package and run the Nomad pre-caching wizard, selecting the target device collection. This step does not require any port configuration but the Nomad Configuration Manager console extensions must be installed in the Configuration Manager Console.
TCP 80 (HTTP)
TCP 443 (HTTPS)

Step 2

The Nomad pre-caching wizard stores the target device and package information in ActiveEfficiency.
TCP 80 (HTTP)
TCP 443 (HTTPS)

Step 3

The Nomad clients, where the pre-cache feature has been enabled, poll ActiveEfficiency every 24 hours to see if they need to pre-cache some content. This takes the form of pre-caching notifications that tell the Nomad clients they need to process a download job to fetch the specified content.
TCP 80 (HTTP)
TCP 443 (HTTPS)

Step 4

The Nomad clients, with pre-caching notifications, contact the Management Point to locate the Distribution Point that holds the content. This may use HTTP or HTTPS depending on how the Management Point is configured.
TCP 80 (HTTP)
TCP 443 (HTTPS)
TCP 139 (SMB)
TCP 445 (SMB over TCP)

Step 5

A Nomad Master election takes place and the elected master processes the job by downloading the pre-cache content using Nomad as provider. This is then distributed locally to the Nomad peers that also require the pre-cached content. This communication depends on how the DP is configured. It may be one of the following:
  • HTTP
  • HTTPS
  • SMB
  • SMB over TCP

For Configuration Manager the default setting is either HTTP or HTTPS.

Using Nomad pre-caching

When you install the Nomad Branch admin extensions, ensure your have the URL for the ActiveEfficiency server as the pre-cache feature relies on ActiveEfficiency to work. You can install these extensions in unattended mode by using the MODULE.NOMAD.PLATFORMURL installer property or by setting the PlatformURL registry value on the machine where the extensions are installed post-installation.

Nomad clients must also be configured to support pre-caching. This is done during installation in the Nomad screen of the 1E Client installer:

SettingDescription
Enable Nomad

Check this box to enable Nomad.

Nomad is used to support efficient content download for Configuration Manager and Tachyon. For Tachyon, its Nomad content download feature is enabled by default but only used if Nomad is enabled.

If Nomad is enabled, when the 1E Client starts it will upgrade any previous installation of the NomadBranch client.

Enable ActiveEfficiency

Check this box to allow enhanced Nomad features to be enabled, such as Single-Site Download (SSD) and WakeUp integration.

To support these features you need to configure the connection between Nomad and ActiveEfficiency and then select the following options:

OptionDescription
ActiveEfficiency URLEnter https://<server_FQDN>/ActiveEfficiency or http://<server_FQDN>/ActiveEfficiency depending on the protocol you are using, where <server_FQDN> is the FQDN of the server or its DNS alias.
Content RegistrationThis configures Nomad to provide details of the content it downloads to ActiveEfficiency and enable Nomad to act as a content provider across subnets using Single Site Download.
Single-Site Download (SSD)

If you check both Single-Site Download and Content Registration then Nomad will make its own content available to other Nomad peers.

If you check Single-Site Download but not Content Registration then Nomad will be able to fetch downloads from registered peers on other subnets but will not make its own content available.

WakeUp integrationIf you check WakeUp integration but not Single Site Download, any attempt to wake-up peers with particular content will only be on the local subnet. If Single Site Download is also checked, Nomad will try to wake peers with particular content in neighboring subnets on the site if peers on the local subnet do not wake.
Use FIPS encryption

Checking Use FIPS Encryption configures the Nomad module to use FIPS encrypted communications.

You must ensure that Nomad is configured with the same FIPS encryption setting on all your 1E Clients.

Although the Single-Site Download option must be enabled in the installer, you can use the Nomad pre-caching feature without using SSD by not configuring the single-site download feature in ActiveEfficiency. If you are already using the SSD feature in your environment, no further Nomad client configuration will be required to enable Nomad pre-caching. 

Enabling the ActiveEfficiency

Nomad pre-caching is directly integrated with the Configuration Manager Console, is fully compliant and works with Role Based Access in Configuration Manager.

To start the pre-cache wizard, right-click any of the following types of content in the Configuration Manger console and from the context menu, choose Pre-cache content using Nomad.

  • Applications
  • Packages
  • Driver packages
  • Operating system images
  • Operating system upgrade packages
  • Boot images
  • Task sequences (please refer to the note in the table under Dynamic pre-caching below) 

Pre-cache content using Nomad context menu item

  1. On the Targeting screen, choose the device collection you want to pre-cache.


  1. On the Summary screen, verify your selection.

    • Click Apply if it is correct 
    • If it is incorrect, click Previous to start again
  2. The Progress screen displays the status while the wizard sets up the pre-cache notification in ActiveEfficiency. 

Pre-cache summary

  1. On the Completion screen, click Finish to close the wizard.

Pre-cache complete

Viewing pre-cached jobs

If you are not a full administrator, you can only view pre-cached jobs provided you have Read permissions on the collection as well as the content.

To view pre-cached jobs:

  1. In Configuration Manager, choose Monitoring.
  2. Expand the 1E Nomad node, and select Nomad pre-caching jobs.
  3. The attributes for the job are displayed in the right-hand pane as follows:
    • Job Id – the ActiveEfficiency identifier of the job
    • Content Id – Configuration Manager identifier for the content referenced by the job
    • Content Name – name of the content referenced by the job
    • Content Version – version of the content referenced by the job
    • Content Type – type of the content referenced by the job (i.e. application, task sequence)
    • Target Collection Id – device collection identifier targeted by the job
    • Target Collection Name – device collection name targeted by the jobs
    • Creation Time – the time the job was created
    • Created By – the person who created the job
    • Content Status (visible only to those with full administrator rights) – displays the status of the content, i.e whether it exists or is deleted
    • Target Collection Status (visible only to those with full administrator rights) – status of the device collection, i.e. whether it exists or is deleted

Viewing pre-cached jobs

Deleting pre-cached jobs

You can only delete pre-cached jobs if you have permissions for a particular content type. If you are not a full administrator, you will need:

  • Read permissions on collections (through a security role)
  • Access to the pre-cached job (i.e. content and the device collection)

To delete a pre-cached job:

  1. In Configuration Manager, choose Monitoring.
  2. Expand the Overview tree and choose Nomad Pre-cache jobs.
  3. In the Nomad Pre-caching jobs list, right-click the pre-cached you want and from the context menu, choose Delete.

Managing pre-cached jobs with Powershell cmdlets

You can also manage pre-cached jobs by using PowerShell cmdlets.

To get all pre-cached jobs from ActiveEfficiency, run:

  • Get-PreCachingJobs [-ActiveEfficiencyUrl <String>] [<CommonParameters>]

To remove pre-cached jobs from ActiveEfficiency run:

  • Remove-PreCachingJobs [-Id] <String> [-ActiveEfficiencyUrl <String>] [-Confirm [<SwitchParameter>]] [<CommonParameters>]
  • Remove-PreCachingJobs -Before <String> [-ActiveEfficiencyUrl <String>] [-Confirm [<SwitchParameter>]] [<CommonParameters>]
  • Remove-PreCachingJobs -AgeInDays <UInt32> [-ActiveEfficiencyUrl <String>] [-Confirm [<SwitchParameter>]] [<CommonParameters>]
  • Remove-PreCachingJobs -All [<SwitchParameter>] [-ActiveEfficiencyUrl <String>] [-Confirm [<SwitchParameter>]] [<CommonParameters>]

The parameters are:

ParameterOptionalityNotes
-IdMandatoryID for the job to delete.
-ActiveEfficiencyURL <string>OptionalLocation of ActiveEfficiency. If not provided, it is retrieved from the NomadAdminUI registry value.
-ConfirmOptionalSuppresses the confirmation prompt for the deletion.
-BeforeMandatoryDelete jobs before a particular date and time where the notation is yyyyMMddHHmmss.
-AgeInDaysMandatoryDelete jobs older than a particular number of days.
-AllMandatoryDelete all jobs. Exercise caution if you use this.
<CommonParameters>
Values are: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable

There is more information about CommonParameters at http://go.microsoft.com/fwlink/?LinkID=113216

Dynamic pre-caching

If the content or membership of a targeted collection changes after a pre-cached job is created, ActiveEfficiency is updated to keep in sync with Configuration Manager. It does this by polling the Configuration Manager database at regular intervals to fetch updated content.

These intervals (you would have defined the intervals when you installed ActiveEfficiency) have the following characteristics:
Setting the ActiveEfficiency sync duration with Configuration Manager

  • The range for the interval is between 5 minutes and 1440 minutes (1 day). By default, ActiveEfficiency synchronizes with the Configuration Database every 30 minutes. If the values are outside the range, for example if the interval is less than 5, it will default to the minimum which is 5 minutes. Similarly, if the interval is greater than 1440, it defaults to the maximum which is 1440 minutes.
  • If a synchronization fails, it is rescheduled to run again in 15 minutes

Each synchronization task fetches the following:

  1. Pre-caching data (device collections and contents).
  2. Dashboard data (status messages).

Pre-cached jobs are affected when these events take place in Configuration Manager, and on the next synchronization with ActiveEfficiency:

Configuration Manager eventsNext ActiveEfficiency synchronization cycle
Device collections
  1. where there is a change in membership for a device collection.
  2. where a device collection is deleted.
  1. the ActiveEfficiency collection is updated to reflect the change in membership for that device.
  2. the ActiveEfficiency pre-cached jobs for that device collection is deleted.
Packages
  1. where a package is updated
  2. where a package is deleted
  1. ActiveEfficiency is updated with the packages
  2. ActiveEfficiency pre-cached jobs for that package as well as any pre-cached jobs referenced in a task sequence is deleted
Applications
  1. where deployment types are added or removed
  2. where an application is deleted
  1. ActiveEfficiency deployment types for that application is updated
  2. ActiveEfficiency pre-cached jobs for that package as well as any pre-cached job referenced in a task sequence is deleted.
Task sequences
If you chose to automatically pre-cache references (as well as those added later)
Automatically pre-caching task sequence references
ActiveEfficiency is updated:
  • when references are added or removed
  • when referenced content is updated or deleted 
  • when a reference is deleted

Applications and packages that will be installed using a dynamic variable list will not be automatically pre-cached.

Also be aware that any other dynamic content will not be pre-cached, for example drivers deployed using Modern Driver Management (http://www.scconfigmgr.com/modern-driver-management/).

Dynamic content needs to be pre-cached independently as separate jobs.

If you chose to selectively pre-cache references:
Selectively pre-caching task sequence references
  • ActiveEfficiency is not updated when references are added or removed
  • ActiveEfficiency is updated when referenced content is updated or deleted
  • ActiveEfficiency is not updated when a reference is deleted

Manually forcing a synchronization from ActiveEfficiency

You can force a synchronization to occur outside its normal cycle. To do this:

  1. Navigate to your ActiveEfficiency installation directory.
  2. Start a command-line prompt.
  3. If you want to refresh all data, run ServiceHost.exe -NomadSyncAll.
  4. If you only want to refresh existing data, run  ServiceHost.exe -NomadSync
  5. Check C:\ProgramData\1E\ActiveEfficiency\service.log for details. All synchronisation activities are logged in ActiveEfficiency's service log C:\ProgramData\1E\ActiveEfficiency\service.log by default.

Disabling synchronization

There may be instances, such as carrying out maintenance on the Configuration Manager server or the SQL Server instance, where you have to disable synchronization. To do this:

  1. Open ServiceHost.exe.config located in the service installation folder, typical in C:\Pogram Files (x86)\1E\ActiveEfficiency\Service by default.

  2. Set EnableNomadSync to false under the AppSettings element. For example:

    <appSettings>
...
<add key="EnableNomadSync " value="false"/>  
......
</appSettings>

Hash validation

Hash validation is used when content is downloaded for pre-cached jobs and for LSZgen requests for these jobs. When a pre-cached job is created:

  • For task sequences, hashes for all referenced packages and applications are posted to ActiveEfficiency
  • For applications, hashes for all its child deployment types are posted to ActiveEfficiency

On the client side:

  • Where a job is queued, the client queries the management point for content locations. The management point returns a hash for application content types only. If it does not return a hash, the client retrieves it from ActiveEfficiency. Hashes from management points take priority over Active Efficiency. 
  • For the ActiveEfficiency server, the client fetches the hash during the pre-cache cycle for that particular content

Nomad clients polling ActiveEfficiency

After running the wizard, Nomad clients that are registered with ActiveEfficiency and that were included in the selected device collection will get a pre-cache notification within 24 hours. This notification tells Nomad that it has to process a download job on the content to be cached. The default number of notifications a client processes in one pre-cache poll cycle is 20 but you can modify this by updating the PrecachePollBatchSize registry value.

When is polling disabled?

Nomad clients normally start their polling cycle when the service starts, with a random delay to minimize the possibility of multiple simultaneous polls from different clients. However, polling will not  start if any of the following is true:

  1. The ActiveEfficiency URL is not set in the Nomad registry.
  2. Nomad is running on a machine using the Win PE operating system.
  3. The Configuration Manager client is not installed on the machine – in order to download pre-cached content, the Nomad service needs to contact the management point and this is only possible if the client is installed locally.

To explicitly turn polling off for a Nomad client set the PrecachePollMinutes registry value to 0.

Nomad pre-caching RBAC support

Nomad pre-caching is tightly integrated into Configuration Manager and honors the permissions and restrictions enforced by role-based access control (RBAC). The following rules are used to determine whether a particular user is allowed to pre-cache a particular content on a particular collection or not:

  1. A user is only allowed to pre-cache a content item if they have the RBAC permissions to deploy it via Configuration Manager.
  2. A user is only allowed to pre-cache to a device collection if they have the RBAC permissions to access that collection.

If an administrator does not have the necessary RBAC permissions, they will not be able to see or access any of the Nomad pre-cache features in the Configuration Manager Admin console. Similarly, if they do not have the right permissions to a device collection, that collection will not be available to them in the Targeting screen of the pre-cache wizard.

Limited RBAC permissions

However, full administrators will see:

The following table provides an overview of the availability of Nomad pre-caching for the built-in Configuration Manager security roles:

Nomad pre-caching support based on the Configuration Manager security role
Built-in Configuration Manager Security RolesSOFTWARE LIBRARY
APPLICATION MANAGEMENTOperating System
ApplicationsPackagesDriver PackagesOperating System ImagesBoot ImagesTask Sequences
Nomad pre-caching Wizard
Application AdministratorPre-caching available
(Access to Collection required)		Not available
Application AuthorPre-caching Not available
(Access to Application Management only)		Not available
Application Deployment ManagerPre-caching available
(Access to Collection required)		Not available
Asset ManagerNo access to Software Library
Company Resource Access Manager
Compliance Settings ManagerPre-caching Not Applicable for Software Updates
(No Access to Application Management & Operating System, Only Software Updates under Software Library available)
Endpoint Protection ManagerNo Access to Software Library
Full AdministratorPre-caching available
(Access to Collection required)
Infrastructure AdministratorPre-caching not available
(Access only to Windows Sideloading Keys in Application Management under Software Library)
Operating System Deployment ManagerPre-caching not available

Pre-caching available
(access to Collection required)

If Package/Application is part of a task sequence, pre-caching does not happen
Operations AdministratorPre-caching available
(Access to Collection required)
Read-only AnalystPre-caching not available
(SCCM Console is in Read-Only mode)
Remote Tools OperatorNo access to Software Library
Security Administrator
Software Update ManagerPre-caching not applicable for Software Updates
(No access to Application Management & Operating System, Only Software Updates under Software Library available)

Limitations

The following limitations are part of the current implementation of the Nomad pre-caching feature:

  1. The Pre-caching (monitoring) screen will only display the job ID and its creation date if you are not running ActiveEfficiency 1.9.100.xx or later.
  2. The creation date for pre-cached jobs may be incorrect if they were created using older versions of ActiveEfficiency.
  3. Pre-cached jobs created with older versions of ActiveEfficiency are only visible to full administrators.
  4. Software Updates are not supported by Nomad Pre-caching.  Instead, make use of the available and mandatory advertisement dates.
  5. Disabling Nomad Content Registration with ActiveEfficiency prevents Nomad clients from fetching further pre-caching notifications after the first batch of 20.
  6. The Nomad Pre-caching Wizard allows packages that do not have content to be selected for pre-caching.
  7. Delays may be seen when processing Pre-caching notifications for devices with many notifications. By default, Nomad clients will poll ActiveEfficiency once a day. Each time a client polls it will fetch a batch of 20 notifications to process, so for a client with 100 outstanding pre-caching notifications, it will take 5 days for all the notifications to be processed. The time between polls depends on the PrecachePollMinutes setting which can be reduced if there are a large number of pre-caching jobs, though the 24-hour default is recommended.
  8. Pre-caching jobs do not support Nomad additional settings (such as those configurable in the Nomad tab in the Package or Task Sequence properties).
  9. Nomad won't re-download a pre-caching job with updated data format (that is compressed/encrypted), if the content has previously downloaded to the cache. The conversion will happen when ACP triggers the same content.
  10. ActiveEfficiency synchronization may cause issues if there is any replication issues between the central administration site and primary site.
  11. Workgroup member clients may not be able to use the Nomad Pre-Caching feature, as it requires ActiveEfficiency registration using their FQDN.

Limitations addressed in Nomad 6.3

  1. The Nomad Pre-caching feature is now able to work when Windows Authentication has been configured for ActiveEfficiency.

Using network access accounts

Prior to this release, when a download is initiated, Nomad only used the credentials from the first Configuration Manager network access account it found to authenticate, and if that failed, the download stopped. From this release, Nomad cycles through all native Configuration Manager network access accounts to authenticate, thereby reducing the risk of failure.

Nomad won't use network access accounts for SMB downloads from Distribution share. It uses the SYSTEM$ account to connect to the package share location.