in Part I, I will be detailing the necessary steps to lay the foundation needed to install System Center Configuration Manager 2012 in your environment. I will be assuming a couple of things here. This series of blog posts assumes:

– You have a 2003/2008 Active Directory Domain in place
– You have Domain Admin rights to your domain
– You can install SQL Server without instructions
– You will be using a Primary Standalone Configuration
– You will be setting up or utilizing PKI for HTTPS communication

Here is what we will be covering in Part I:

– Preparation of Active Directory for SCCM installation
– Preparation of the System Center Servers

Preparation of Active Directory

The first thing that we need to is create the System Management object in ADSI.

Login to a Domain Controller and launch ADSI Edit (Start > Administrative Tools > ADSI) once the console loads, right-click on ADSI Edit, leave the defaults and click OK. Then navigate down to the CN=System object, right-click then select New > Object…

Select container, click Next.

At the next screen, enter System Management as the container Value.

Perform a quick refresh on the console (F5) and click on System. You’ll see that the container was created successfully.

Now, right-click on the System Management container we just created and click Properties. Click the Security tab, add your SCCM server, give it Full Control permissions. Then click Advanced then set the Apply to: This object and all descendant objects.Then Close ADSI Edit.

Next, we’ll need to Delegate Control of this container to the Computer Account of the SCCM server.

Open up AD Users and Computers (Start > Administrative Tools > Active Directory Users and Computers). Click View and then select Advanced Features. We’ll need this enabled for us to view the System Management container we just created.

Next browse to the System OU and then right-click on System Management > Delegate Control.

This will activate the Delegation Control Wizard, click Next.

You will be prompted on who to Delegate Control to. We want to give the SCCM Server this permission. Make sure you click on Object Types… and select Computers, then search for your server, and click Next.

We want to create a Custom Task.

We want this control to apply to this folder, its contents, and all child objects selected.

Make sure all three boxes are checked here, and then click Full Control.

Finish out the wizard.


While we are in Active Directory, we are going to go ahead and create two SCCM accounts. The SCCM Agent and the SCCM Service accounts. The SCCM Agent will be used to install the SCCM client on remote machines. This account will need administrator permissions to each server where the agent will be installed, so I am going to grant this user account Domain Admin rights. The SCCM Service account will be running the SQL Services on the remote SQL server.

I created a new user named, domain\sccm.agent and added this user to the Domain Admin group. I also created a user named domain\sccm.service. Also make sure that you select Password Never Expires on these accounts you’ll have an issue in the future at some point ;)

Now, we’ll need to extend the Active Directory Schema.

On your System Center Configuration Manager 2012 ISO, navigate to SMSSETUP > BIN > X64. In that directory there is a file named extadsch.exe, right-click that file and Run as Administrator.

Note – This can be ran from any machine on the domain as long as you have access to a Domain Controller. Also, you will need to either be logged in as a user that has Schema Admins permissions, or perform a Run As… as a user account with Schema Admin rights.

A command window will appear briefly and then disappear. Check C:\ExtADSch.log to confirm it completed successfully. Here is a sample of what a successful attempt looks like:

<08-05-2012 15:48:35> Modifying Active Directory Schema – with SMS extensions.
<08-05-2012 15:48:35> DS Root:CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=local
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Site-Code.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Site-Boundaries.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Default-MP.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Device-Management-Point.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-MP-Name.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-MP-Address.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Health-State.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Source-Forest.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Ranged-IP-High.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Version.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Capabilities.
<08-05-2012 15:48:37> Defined class cn=MS-SMS-Management-Point.
<08-05-2012 15:48:37> Defined class cn=MS-SMS-Server-Locator-Point.
<08-05-2012 15:48:37> Defined class cn=MS-SMS-Site.
<08-05-2012 15:48:37> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<08-05-2012 15:48:37> Successfully extended the Active Directory schema.

<08-05-2012 15:48:37> Please refer to the ConfigMgr documentation for instructions on the manual
<08-05-2012 15:48:37> configuration of access rights in active directory which may still
<08-05-2012 15:48:37> need to be performed. (Although the AD schema has now be extended,
<08-05-2012 15:48:37> AD must be configured to allow each ConfigMgr Site security rights to
<08-05-2012 15:48:37> publish in each of their domains.)

If you see error 5’s in the log after attempting the schema extension, go back and make sure your user account is a Schema Admin. Domain Admin permissions will not suffice for this.

Congratulations! At this point, Active Directory is ready for SCCM 2012 installation.

Preparation of the System Center Servers

Before proceeding with my server configuration, it is important to understand what roles I am planning on implementing in my SCCM deployment. Below is a breakdown of how I am going to distribute the roles, note I am not going to be using all of the roles, just the ones I need:

SCCM Server Roles (10 total):

– Application Catalog Web Service Point
– Application Catalog Website Point
– Asset Intelligence Synchronization Point
– Component Server
– Distribution Point
– Endpoint Protection Point
– Fallback Status Point
– Management Point
– Site Server
– Site System

SCCM SQL Server (4 Roles)

– Component Server
– Reporting Services Point
– Site Database Server
– Site System

For more information on the Server Roles, see Microsoft’s SCCM 2012 Role Wiki.

Here is where we will make sure that our System Center server and backend SQL server are prepared for installation.

SCCM Server:

– Install Roles and Features
– Configure WebDAV
– Configure local firewall rules

Launch Server Manager, and install the Web Server (IIS) Role.

Make sure that you include all of the following components. I’ve added multiple screenshots here to make this easier to see what is needed.

Once the Web Server (IIS) Role installation has been completed.

You will also need to install the Windows Server Update Service (WSUS) Role. Install this role, but DO NOT configure it at this time. Cancel out of the WSUS Configuration Wizard that comes up after you have installed the role.

Very important, when installing the WSUS Role, make sure you install WSUS to a separate site, as SCCM will utilize the Default Website.

Next, we’ll need to install some Features we need.

From Server Manager, click Add Features. You will need to ensure all of the following are installed. If they are not, add them.:

-.NET Framework 3.5.1 Fetaures and ALL child objects, including WCF Activation and its child objects.
– Background Intelligent Transfer Service (BITS) and BOTH child objects
– Remote Differential Compression

Next, we’ll need to go into IIS Manager and configure WebDAV (Start > Administrative Tools > IIS).

Navigate to the Default Website, Select WebDAV Authoring Rules. On the WebDAV Authoring Rules page, click Enable WebDAV. Then you will need to click Add Authoring Rule…

Create a rule that allows Read access to All Content, for All Users and click OK.

Now you can close IIS Manager, as the IIS and WebDAV setup is complete.

Let’s move on to configuring the local Firewall. Launch the Windows Firewall with Advanced Security utility. (Start > Administrative Tools > Windows Firewall with Advanced Security)

Select Inbound Rules. Make sure that all three default WMI rules are Enabled. By default, these are disabled. WMI communication to the SCCM server is essential. These rules are:

– Windows Management Instrumentation (ASync-In)
– Windows Management Instrumentation (DCOM-In)
– Windows Management Instrumentation (WMI-In)

To Enable these rules, select them all, right-click and click Enable Rule… Once enabled, they will turn green.

Now we have everything we need on the SCCM server, we’ll move on to the SQL server.

SCCM SQL Server:

– Install SQL Server
– Configure local firewall ports
– Add SCCM MP to Local Administrators Group

The SQL Server will need to have Microsoft SQL Server 2008 R2 Standard Edition SP1 with at least CU4 installed minimum. I installed CU7, here is a link to where you can request the CU7 hotfix for download:

http://support.microsoft.com/kb/2507770

*Note – You can also use SQL 2008 Standard Edition at a specific patch level. Here are the Supported Configurations for Configuration Manager from Microsoft.

I am going to be using Reporting from within SCCM. If you are going to use the Reporting role for this server, make sure you install, but do not configure, the Report feature during the SQL installation.

Let’s move on to configuring the local Firewall. Launch the Windows Firewall with Advanced Security utility. (Start > Administrative Tools > Windows Firewall with Advanced Security)

Right-click Inbound Rules and select Create New Rule

Select Port

Leave TCP selected, and type in 1433, 4022. These are the two ports we need access to for SCCM, for SQL Server and SQL Server Service Broker respectively.

Allow the connection.
 

I applied my rule to all profiles, in case of any unforeseen Network Location Awareness NLA service errors.

Give your rule a name. I chose “SCCM_SQL_Ports” for mine.

The last thing we’ll need to configure is adding the SCCM server object to the Local Administrators Group on the SQL server. The SCCM server will need these rights to manipulate SQL Server and the Reporting services in the most efficient way. We also need to add the SCCM Service account to the Local Administrators Group so it can run SQL services.

On the SQL Server open Server Manager and then browse to Configuration > Local Users and Groups > Groups. Double-click the Administrators group, click Add… Then click Object Types… and include Computers. Enter in the SCCM server name and also enter in your SCCM Service user account, then click OK. Then OK again, close the Server Manager console.

Next you will need to set the SQL Services to run as the SCCM Service account. Click Start, then type in services.msc and press enter. You will need to right-click on the SQL Server (MSSQLSERVER) service and click Properties. Select the Log On tab and enter in the information on your SCCM Service user. Then click Apply and OK. You will need to repeat this task for Integration Services (if installed), Reporting Services, and the SQL Agent service.

At this point, Active Directory, the SCCM Server, and SCCM SQL Server are all ready for the System Center Configuration 2012 installation!

In Part II, I will be covering the Certificate Configuration then we’ll move on to the SCCM 2012 installation in Part III.

If you have any questions or comments, feel free to comment below or contact me.

For further information on System Center, you can reference Microsoft’s Official System Center documentation here.

 

10 Comments

  1. Pingback: System Center Configuration Manager and Endpoint Protection Manager 2012 | Gabe's Blog

  2. Rocky

    Reply

    Thanks a lot for the nice document.
    Once you have provided Full Control on the systems management container for the SCCM computer object, is it necessary to run the delegate contraol wizard, if so kindly let me know why.

    • Gabriel

      Reply

      Yes it is necessary, but cannot remember why, it’s been a while since I completed this. I don’t believe these steps are redundant, though the only way to know for sure is to try installation without it see what happens. I believe I did this per TechNet docs.

    • Gabriel

      Reply

      Thanks for the kind words! I’m very glad you’ve been able to benefit from this documentation.


      Gabe

  3. Testimies

    Reply

    Hi, you don’t need Webdav or Webdav Configuration with SCCM 2012 anymore. That devil was only with SCCM 2007

  4. Piyush Lal

    Reply

    I was running around the issue of adding the SQL Server machine under Domain rights for 4 days.. Finally, this article helped me a lot.. Totally worth reading this.. Now I’ve installed the SCCM 2012..

    Thank you Gabe..

    • Gabriel

      Reply

      Hi Piyush, very happy to hear about your success! Hopefully the rest of your deployment went smoothly.

      Sorry for the delay in a reply, I somehow missed your comment.

      Gabe

  5. Irfan Sharif

    Reply

    Best SCCM Installation & Configuration with PKI article.
    I had issue with Web Enrollment not been published to Clients, turn out .Net 3.5 needs ALL Child Objects..
    Thanks Gabriel, for posting all the steps in detail.

  6. Pingback: Learning SCCM - What server roles do I need?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.