Installation and Configuration of Configuration Manager ...€¦ · The installation will be on Windows Server 2012 Servers containing two Domain Controllers also acting as file servers

SCCM 2012 How to guide setting up Configuration

Manager 2012

Hans Chr. Andersen

P a g e | 1111

Contents What is Configuration Manager? ...................................................................................................................... 2

Different scenarios ............................................................................................................................................ 3

System Requirements ........................................................................................................................................ 7

System prerequisites ..................................................................................................................................... 7

Distribution Point Requirements: .................................................................................................................. 7

Endpoint Protection Point Requirements: .................................................................................................... 7

Management Point Requirements ................................................................................................................ 8

Software Update Point Requirements .......................................................................................................... 8

State Migration Point Requirements ............................................................................................................. 8

Database Server Role Requirements: ............................................................................................................ 8

Preparing and installing Configuration Manager 2012 SP1 ............................................................................... 9

Creating users and groups for Configuration Manager ............................................................................... 10

Add SCCMClientPush user to local administrator group ............................................................................. 10

Open firewall ports on SCCM Server container in Active Directory ............................................................ 11

Open firewall ports for SCCM Client ............................................................................................................ 11

Add Windows Features on SCCM01 ............................................................................................................ 12

Create System Management Container ...................................................................................................... 13

Delegate permission to the System Management Container ..................................................................... 14

Extending Active Directory Schema ............................................................................................................ 15

Adding SCCMAdmin to Administrators group on SCCM01 server .............................................................. 16

Installing Microsoft SQL Server 2012 .......................................................................................................... 17

Configurering SQL Server 2012 Memory ................................................................................................. 24

Installing Windows Assessment and Deployment Kit (ADK) ................................................................... 26

Installing Configuration Manager 2012 ....................................................................................................... 28

Create PKI Infrastructure for Configuration Manager 2012 ............................................................................ 33

Creating the PKI infrastructure .................................................................................................................... 34

Creating Certificates for Configuration Manager Web Server .................................................................... 38

Adding Certificate to Distribution Point .................................................................................................. 39

Sources ............................................................................................................................................................ 40

P a g e | 2222

What is Configuration Manager? Configuration manager is a client management suite from Microsoft. With Configuration Manager, you can

will be able to control, monitor, secure, deploy and support at vast number of client devices from Windows,

Linux, Mac and Mobile devices. You get at number of reports to help you get an overview of your entire IT

infrastructure. Some of the areas I will be focusing on in this and upcoming guides will be the following:

- Software Updates for Microsoft Products.

- Automatic update of Java and Adobe Reader with Update Publisher.

- Windows Operating System Deployments also called OSD.

- Installation of programs (MSI, EXE, APP-V).

- Compliance configuration.

- Remote Control.

- Reports.

P a g e | 3333

Different scenarios

There are a number of ways to setup Configuration Manager 2012. The way that fits into different

scenarios, all depends on various things.

Scenario 1

If you have a small company with 100-200 users, with no remote locations or with remote location with fast

and reliable connection, you configuration could contain the following:

- 1 server with SQL Server Standard, which will make Configuration Manager Support up to 50.000

devices.

- 1 server running Configuration Manager 2012 SP1 with:

o Software Update Point.

o Management Point.

o Distribution Point.

o Endpoint Protection Point.

o State Migration Point.

o Reporting Services Point.

P a g e | 4444

Scenario 2

Primary Site - HeadquartersSecondary Site – Remote location

Another scenario could be a medium/large company with remote locations with slow 1-10 mbit and

unreliable internet connection, with no IT stab on remote location and with 100 or more users/client

devices.

- 1 server with SQL Server Standard, which will make Configuration Manager Support up to 50.000

devices.

- 1 server running Configuration Manager 2012 SP1 with:


o Management Point.




- 1 server on remote location that has Secondary Site a SQL Server Express

With this setup, you will be able to distribute content to the remote location and control bandwidth.

P a g e | 5555

Scenario 3

Primary Site – London

Central Administration Site - Newyork

Primary Site – CopenhagenPrimary Site – Boston

The third scenario could be medium/large company with remote locations with slow and unreliable

internet connection and with local IT stab and with more than 50.000 users/client devices.

- 1 server with SQL Server Enterprise, which will make Configuration Manager Support up to 400.000

devices.

- 1 or more servers running Configuration Manager 2012 SP1 with:


o Management Point.




- 1 or more servers on remote locations that has a Primary Site Role and SQL Server Standard.

With this configuration you will able to scale-up the environment to 400.000 clients. You can delegate

administration to administrators at remote location and still get central management.

P a g e | 6666

Scenario 4

Distribution point – London

Central Administration Site - Newyork

Distribution point – CopenhagenDistribution point – Boston

The third scenario could be medium/large company with remote locations with fast connection between

sites with over 20 mbit and reliable internet connection and with no local IT stab and with more than

50.000 users/client devices.

- 1 server with SQL Server Enterprise, which will make Configuration Manager Support up to 400.000

devices.

- 1 or more servers running Configuration Manager 2012 SP1 with:


o Management Point.




- 1 server/workstation on remote location that has the Distribution Point Role.

With this configuration, you will able to scale-up the environment to 100.000 clients. This setup is good

is the connection between sites is very good and stable. In addition, if you do not have any IT stab at

remote location.

P a g e | 7777

System Requirements

General System Requirements:

- At least Server 2008 64bit, expect for Distribution Points, which can be installed on 32-bit systems.

System prerequisites

Site Server Role Requirements:

- .NET Framework 3.5

- .NET Framework 4

- Remote Differential Compression

Distribution Point Requirements:


- IIS Configuration:

o Application Development:

� ISAPI Extensions

o Security:

� Windows Authentication

o IIS 6 Management Compatibility:

� IIS 6 Metabase Compatibility

� IIS 6 WMI Compatibility

Endpoint Protection Point Requirements:

- .NET Framework 3.5 SP1

P a g e | 8888

Management Point Requirements

- .NET Framework 4

- BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer

Services (BITS) (and automatically selected options)

- IIS Configuration:

o Application Development:

� ISAPI Extensions

o Security:

� Windows Authentication




Software Update Point Requirements

- .NET Framework 3.5 SP1

- .NET Framework 4

- Requires the default IIS configuration

State Migration Point Requirements

- NET Framework 4

Database Server Role Requirements:

- Minimum SQL Server 2008 SP2 with CUM 9. For all supported SQL version see the following website

-> http://technet.microsoft.com/library/gg682077.aspx

- Minimum of 8GB Ram.

- With SQL Standard Configuration manager supports up to 50.000 clients.

- With SQL Enterprise Configuration manager supports up to 400.000 clients.

P a g e | 9999

Preparing and installing Configuration Manager 2012 SP1

Standalone Site – SCCM 2012DC01 DC02 ClientPC01 ClientPC02

The installation will be on Windows Server 2012 Servers containing two Domain Controllers also acting as

file servers and DHCP. Configuration manager will be installed on Windows Server 2012 server with all

roles. The database version will be SQL Server Enterprise 2012 SP1 with no CUM.

The client systems will be Windows 8 and Windows 7.

The two domain controllers is named DC01 and DC02. The SCCM server is named SCCM01.

P a g e | 10101010

Creating users and groups for Configuration Manager

- Logon to DC01.

- Create the following users in Active Directory:

o SCCMAdmin

o SCCMClientPush

o SCCMDomainJoin

o SCCMReportUser

o SCCMSQLService

- Create the following groups:

o SCCM IIS Web Server:

� Add the SCCM01 server to this group.

o SCCM Servers:

� Add the SCCM01 server to this group.

Add SCCMClientPush user to local administrator group

For Configuration Manager to be able to use client push on client computers, it must be added to the local

administrators group on all client computers.

- Logon to DC01.

- Open Group Policy Editor

- Create a GPO over your Computer OU.

- Edit the GPO and go to Preferences – Control Panel Settings – Local Users and Groups.

- Right click and choose New – Local Group

- In Group Name type Administrators, then click Add, and add SCCMClientPush to group.

- Restart the client pc and verify that SCCMClientPush is added to the Local Administrators group.

P a g e | 11111111

Open firewall ports on SCCM Server container in Active Directory

In Active Directory create a GPO named SCCM Server Policy and place it on the SCCM Servers OU.

In a larger environment with a separate sql server, you would place the GPO on that OU.

Open Group Policy Management Editor, create a new GPO, on the SCCM Server container, and name it

SCCM Server Policy.

Add the following to ports to that are used for SQL Access and Replication:

- Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022.

- Intrasite communication between the SQL Server database engine and various Configuration

Manager Site system roles by default use port TCP 1433. The following site system roles

communicate directly with the SQL Server database:

o Management point

o SMS Provider computer

o Reporting Services point

o Site server

Open firewall ports for SCCM Client

In Active Directory create a GPO named SCCM Client Firewall Policy and place it on the Computer OU.

We do this so SCCM can make Client Push to client

Open Group Policy Management Editor, create a new GPO, on the Computer OU, and name it SCCM Client

Firewall Policy

Open the two following rules and ports

- File and Printer Sharing

- Windows Management Instrumentation (WMI)

- Create a custom rule named SCCM Remote Control for inbound TCP on port 2701

After adding the rules you should have the rules a showed below.

P a g e | 12121212

Add Windows Features on SCCM01

The following features must be installed on the SCCM01 server. Start the Roles and features Wizard and

add the following features:

- .NET Framework 3.5.1

- .NET Framework 4.5

o Include the WCF Services and HTTP Activation. (Used by Application Catalog)

- Background Intelligent Transfer Service.


When you get to the Web Server Role – Role Services point add the following:

- ISAPI Extensions

- Security

o Windows authentication

o Basic Authentication

o URL Authorization

o IP and Domain Restrictions

- Application Development

o ASP.NET 3.5

o ASP.NET 4.5

- Management tools




o IIS Management Scripts and Tools.

o Management Service.

After all the features is installed, run windows update and install all updates.

P a g e | 13131313

Create System Management Container

- Logon to D01 and open ADSI Edit.

- Right Click ADSI Edit and click Connect to. Click OK

- Choose CN=System and Right click Choose New – Object

- Choose container

- Enter System Management in Value

- Click Finish

P a g e | 14141414

Delegate permission to the System Management Container

The following is necessary for Configuration Manager to right various values to Active Directory as

installation properties, client-to-server communication port etc.

- Logon to DC01.

- Start Active Directory Users and Computers.

- Choose your Domain name, then Right click, and click View – Advanced Features.

- Choose System – System Management

- Right click and choose Delegate Control

- Click next.

- Click Add and add the SCCM01 server.

- Click next.

- Choose Create a custom task to delegate.

- Click next

- In the next window choose the following

o Choose Property-specific

o Creation/deletion of specific child objects and in Permission mark Full Control.

o Click next

- Click finish

P a g e | 15151515

Extending Active Directory Schema

The reason for extending the Schema is that Clients can search Active Directory for the following:

- Installation properties.

- Client-to-server communication ports if they are changed.

- If you want to use Network Access Protection feature this is and requirements. Configuration will

publish System Health state references so System Health Validator point can validate a client’s

statement of health.

- Content deployment scenarios. If you deploy content as programs, Software update etc. in one site

and the distribute this to another site. The receiving site must be able to verify the signature of the

signed content data. This requires access to the public key of the source site where you create this

data. When the schema is extended, a site public key is made in Active Directory for all sites in the

hierarchy.

If you want to see, the changes that the schema update process will make you can open the file

ConfigMgr_ad_schema.ldf file from the DVD_Drive:\SMSSETUP\BIN\X64 on the installation DVD. You can

open it in notepad a see the changes that will be made.

- Logon to DC01.

- Insert the SCCM 2012 SP1 DVD.

- Start an elevated command prompt and go to the folder DVD_Drive:\SMSSETUP\BIN\X64

- Run the command extadsch.exe

- When the command has executed you should get a successful message.

P a g e | 16161616

Adding SCCMAdmin to Administrators group on SCCM01 server

- Logon to DC01

- Open Group Policy Editor

- Edit the GPO SCCM Server Policy and go to Preferences – Control Panel Settings – Local Users and

Groups.

- Right click and choose New – Local Group

- In Group Name type Administrators, then click Add, and add SCCMAdmin to group.

- Restart the SCCM01 server and verify that SCCMAdmin is added to the Local Administrators group.

P a g e | 17171717

Installing Microsoft SQL Server 2012

- Logon to SCCM01.

- Insert the SQL Server 2012 DVD.

- Click on New SQL Server stand-alone installation or add features….

- Click on the Setup Support Rules

- Click Next.

P a g e | 18181818

- Click Accept to the license terms and then click Next.

- Click Next to the Product Updates window.

- Wait for the installation of the updates to finish.

P a g e | 19191919

- Click Next. Do not mind the warning as we already opened the ports that is needed.

- Click Next.

- Choose the following Features and the click Next.

o Database Engine Services.

o Reporting Services – Native. (Used for the Reporting Services Point)

o Management Tools – Basic.

P a g e | 20202020

o Management Tools - Complete

- Click Next.

- Change the Instance ID to SCCM and change the root directory to a drive other than the default

system drive. Click Next.

P a g e | 21212121

- Click Next.

- Change the Account name to the SCCMSQLService account and set the password.

- Choose the Collation tab, check that the collation is set to SQL_Latin1_General_CP1_CI_AS, and

then click Next.

P a g e | 22222222

- Add the Current Users and add the SCCMAdmin user.

- Choose the Data Directories tab.

- Make sure that Data root directory and the other directories points to drive other than the system

drive. As a best practice Database, Temp and Backup directory should each have their own drive. In

this setup, they all reside on the same drive.

Click Next.

- Choose Install only and click Next.

P a g e | 23232323

- Click Next.

- Click Next.

- Click Install.

P a g e | 24242424

- Wait for the installation to finish.

- Click Close.

Configurering SQL Server 2012 Memory

- Logon to SCCM01.

- Start the SQL Server Management Studio.

- Connect to the Default Instance.

P a g e | 25252525

- Right click SCCM01 and choose properties.

- Choose Memory.

- Edit the Minimum and Maximum Server memory. I do not have so much memory in this server so it

will only get 4GB. Minimum memory for the SQL Server is 8GB. If you do not set it to a least 8GB,

you will get a warning message when you install Configuration Manager.

Click OK.

- Exit SQL Management Studio.

P a g e | 26262626

Installing Windows Assessment and Deployment Kit (ADK)

- Logon to SCCM01.

- Install Windows Assessment and Deployment Kit (ADK) from the following link �

http://www.microsoft.com/en-us/download/details.aspx?id=30652

- Click Next.

- Choose whether to join the Customer Experience Program. Click Next.

- Click Accept.

P a g e | 27272727

- Choose the following and click Install

Deployment Tools

Windows Preinstallation Environment (Windows PE)

User State Migration Tools (USMT)


- Click Close.

P a g e | 28282828

Installing Configuration Manager 2012

- Logon to SCCM01.

- Insert the Configuration Manager DVD into the server.

- Open a command prompt with elevated rights.

- Go to the folder DVD Drive:\SMSSETUP\BIN\X64

- Run the command PreReqChk.exe /ADMINUI

- You should get a status of Success.

Click OK

- Click Install

- Click Next.

P a g e | 29292929

- Choose Use typical installation options for a stand-alone primary site.

Click Next.

- Click Yes.

- Type in you product key and click Next.

- Accept the license agreements and click Next.

P a g e | 30303030

- Accept all the License Agreements and click Next.

- Create a folder for prerequisite. Type in the in the path and click Next.

- Wait for the download of the prerequisites to finish

- In site code, type C01.

Site name: SCCM – Central Headquarters.

Installation folder: Change it to another drive other than the system drive.

P a g e | 31313131

- Choose whether to join the Customer Experience Program.

- Click Next.

- The warnings is nothing to be worried about. The first is about WSUS on site server, as we have not

setup anything regarding to the Software Update Point we can safely ignore this at this point, as we

will install it later.

The other warning is about memory for the SQL Server that should be at least 8 GB.

Click Begin Install.

P a g e | 32323232


- Click Close

P a g e | 33333333

Create PKI Infrastructure for Configuration Manager 2012

If you want to secure communication between clients and Configuration Manager, you will have to create a

PKI Infrastructure.

In this setup, I will be setting up PKI on one of the Domain Controller and configure Auto Enrollment for

clients.

I will be creating the following certificates for the environment.

Web server certificate This certificate is used to encrypt data and

authenticate the server to the clients.

Client certificate for Windows computers This certificate is used to authenticate Cofiguration

Manager client computers to site systems that are

configures to use HTTPS. It can also be used for

management points and state migration points to

monitor their operational status when they are

configured to use HTTPS.

Client certificate for distribution points This certificate has two purposes:

The certificate is used to authenticate the

distribution point to an HTTPS-enabled

management point before the distribution point

sends status messages.

When the Enable PXE support for client’s

distribution point option is selected, the certificate

is sent to computers that PXE boot so that they can

connect to a HTTPS-enabled management point

during the deployment of the operating system.

P a g e | 34343434

Creating the PKI infrastructure

- Logon to DC01.

- Start the Add Roles and Features Wizard.

- Choose Active Directory Certificate Services and click Add Features.

- Choose default option on remaining setup.

- After installation is finished, click the Configure Active Directory Certificate Services.

- Click Next

P a g e | 35353535

- Choose Certificate Authority

- Choose Enterprise CA

- Choose Root CA

P a g e | 36363636

- Choose Create new private key.

- Choose SHA256.

- Click next.

- Click next.

P a g e | 37373737

- Click next.

- Finally, click configure.

- Click Close

P a g e | 38383838

Creating Certificates for Configuration Manager Web Server

The following steps will be done on DC01 where the Certificate Authority is installed.

Microsoft has made a great guide on how to create the various certificate and how to implement them.

Just follow the guides from Microsoft on how to create, request and configure the Web Server certificate,

Client Certificate and Distribution point certificate from the following link �

http://technet.microsoft.com/en-us/library/gg682023.aspx

- For Web Server Certificate find the section deploying the Web Server Certificate for Site System

that Run IIS.

- For Client Computer Certificate find the section deploying the Client Certificate for Windows

Computers.

- For Distribution point Certificate find the section deploying the Client Certificate for Distribution

Points.

For the Distribution point Certificate the guide from Microsoft does not mention how to import the

certificate to the distribution point.

P a g e | 39393939

Adding Certificate to Distribution Point

- Logon to SCCM01.

- Start Configuration Manager Console.

- Choose Administration – Distribution Points.

- Right click the distribution point and choose properties.

- Choose HTTPS in “Specify how client computers communicate with this distribution point.

Choose Import Certificate and point to the certificate you exported in the guide from Microsoft and

type in the password.

- Click Apply.

- Click OK

P a g e | 40404040

Sources

Windows Noob:

http://www.windows-noob.com/forums/index.php?/topic/4422-using-sccm-2012-rc-in-a-lab-part-1-

installation/

Technet:


Extending schema:


Documents

Installation and Configuration of Configuration Manager ...€¦ · The installation will be on Windows Server 2012 Servers containing two Domain Controllers also acting as file servers