
Core Infrastructure and Security Blog

Install ConfigMgr CB 1902 using PowerShell

John_Clyburn
Dec 16, 2019

 

Contents

1 - INTRODUCTION
2 - PREPARE FOR SCCM INSTALLATION
2.1 - SOFTWARE REQUIREMENTS
2.2 - HARDWARE AND DISK LAYOUT REQUIREMENT
2.3 - IP CONFIGURATION
2.4 - SCCM NAMING CONVENTION
2.4.1 - Server Naming Convention
2.4.2 - Site Naming Convention
2.5 - CREATE SCCM VMS
3 - CREATE SCCM ACCOUNTS AND GROUPS
3.1 - CREATE SCCM ACCOUNTS
3.2 - CREATE SCCM GROUPS
3.3 - CREATE SCCM SERVER OU
4 - PREPARE THE FOREST
4.1 - WHY EXTEND THE ACTIVE DIRECTORY SCHEMA FOR SCCM
4.2 - EXTEND THE SCHEMA (MANUALLY)
4.2.1 - Identify Schema Admins Account
4.2.2 - Identify Forest Root Domain Controller Schema Master
4.2.3 - Log on to Forest Root Domain Schema Master
4.2.4 - Extend the Schema for SCCM 2019
4.2.5 - Verify Successful Schema Extension
4.2.6 - Verify DOMAIN Replication to Domain Controllers
5 - SYSTEM MANAGEMENT CONTAINER
5.1.1 - Create the System Management Container (Manually)
5.1.2 - Set Security on the System Management Container (Manually)
6 - BUILD PRIMARY SCCM CB 1902 SITE (VP1)
6.1 - PRIMARY SITE SERVER NAMES AND ROLES
6.2 - PREP FOR SCCM AUTOMATED INSTALLATION
6.2.1 - Overview of SCCM PowerShell Install Script
6.2.2 - Create SCCM Staging Folders for Automated Deployment
6.2.3 - Create SCCMShare Folder
6.2.4 - Set Windows Firewall ports for SQL
6.2.5 - Create SQL Configuration file
6.2.6 - Create the SQL 2017 Reporting Service PS Scripts
6.2.7 - Create the Set Service Acct PS Scripts
6.2.8 - Create Report Server Encryption Key
6.2.9 - Download the Windows ADK 10 Files for Offline Use
6.2.10 - Download Windows PE_1903 as Separate Add-on
6.2.11 - Download SCCM CB v1902 Prerequisite Files
6.2.12 - Create the SCCM Setup.ini File for The Unattended Install
6.3 - INSTALL SCCM USING POWERSHELL
6.4 - INSTALL THE SCCM REPORTING SERVICES POINT
6.4.1 - Test SCCM Reports and SSRS Web site
6.4.2 - Configure Reporting Server Database Recovery Model

 

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

 

1             INTRODUCTION

 

The document outlines the steps required to install SCCM CB 1902 with SQL 2017 using PowerShell. These steps can be used on a disconnected network. The scripts included in this document can also be added to MDT to automate the install of SCCM CB 1902.

 

2             Prepare for SCCM Installation

2.1               Software Requirements

The following table outlines the server specification that will be used to build the SRV-CM-01 server.

| Application | Where |
| --- | --- |
| System Center Config Mgr (current branch 1902) | From DVD or files on network share; https://www.microsoft.com/Licensing/servicecenter/Downloads/DownloadsAndKeys.aspx |
| SQL Server Enterprise Edition 2017 64 Bit | From DVD or files on network share |
| Cumulative Update Package 16 for SQL Server 2017 - KB4508218 | https://www.microsoft.com/en-us/download/details.aspx?id=56128 |
| SQL Server Management Studio release (SSMS 18.3) | https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms |
| Microsoft Windows Server 2019, Standard | From DVD or files on network share |
| SCCM2019_PrereqCompFiles | From URL…. From DVD or files on network share |
| Visual C++ 2013 Redistributable Package | Visual C++ Redistributable Packages for Visual Studio 2013; latest supported Visual C++ downloads; https://support.microsoft.com/en-us/help/4032938/update-for-visual-c-2013-redistributable-package; https://www.microsoft.com/en-us/download/details.aspx?id=40784 |
| Windows Assessment and Deployment Kit (WADK v1903) | https://go.microsoft.com/fwlink/?linkid=2086042 |
| MDT 8456 | Download the ADK from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=54259 |

 

 

2.2               Hardware and Disk Layout Requirement

 

Supported Configurations for Configuration Manager

https://technet.microsoft.com/en-us/library/gg682077.aspx

 

Note: Virtual servers will be used in the CONTOSO environment, but the settings below apply to both physical and virtual machines. The RAID 1 configuration below is only a recommendation.

 

In this document ALL SCCM ROLES will be installed on a Single Server. The example below is for demonstration purposes only. The hardware used is outlined in the table below. Refer to SCCM hardware requirements for the best hardware configuration for your installation.

 

ROLES: ALL - (SRV-CM-01)

| Component | Specification |
| --- | --- |
| CPU | (4) 64 bit Single Processor 2.0 GHz or Higher |
| System Class | VM/Server |
| Memory | 16 GB or higher |
| Network | 2 x Gigabit Ethernet network adapter (redundant) |
| CD-ROM/DVD-ROM | 1 x CD-ROM/DVD-ROM |
| Operating System | Microsoft Windows Server 2019, Enterprise |
| Disk | (C:)(60gb+) RAID 1 for OS, page file (4k, NTFS) |
| | (D:)(100gb+) RAID 1 SCCM Inboxes, SCCMContentlib, (4k, NTFS) |
| | (E:)(150gb+) DP Content, SUP/WSUS, MDT, SCCMShare, WADK (4k, NTFS) |
| | (F:)(40gb+) RAID 5 for SQL DB (64k BlockSize, ReFS) |
| | (G:)(50gb+) RAID 1 for transaction logs, UserDBlog, SQL TempDB logs, SCCMBackup (64k BlockSize, ReFS) |

 

 

2.3               IP Configuration

 

SCCM IP Configuration

 

| Server Name | IP Numbers |
| --- | --- |
| SRV-CM-01 | 192.168.x.x |

 

2.4               SCCM Naming Convention

 

2.4.1          Server Naming Convention

 

The following SCCM server naming convention will be used in the CONTOSO environment:

 

<TYPE>-<ROLE>-<INSTANCE>

 

Example: SRV-CM-01

 

2.4.2          Site Naming Convention

 

Site Naming Conventions

In the CONTOSO ConfigMgr hierarchy, a standard site naming convention will be used to ensure proper sorting of sites in the management console as well as to make troubleshooting processes faster and simpler. 

 

Note: If there are no current plans to have a central site, label the site as a primary (P) site.

The following SCCM site naming convention will be used in the CONTOSO environment:

<Network>-<Site>-<Instance>

Note: The Central Administration Site name will be CAS.

 

Primary Site Naming conventions

 

Network:

·         B=BALTIMORE

·         C=CHICAGO

·         N=NEWYORK

·         V=VIRGINIA

 

Site:

·         P=PRIMARY

 

Instance:

·         The instance number

 

Examples:

·         CAS=CAS SCCM site for organization

·         VP1=First Primary SCCM site in Virginia

·         CP1=First Primary SCCM site in Chicago

·         CP2=Second Primary SCCM site in Chicago

·         NP2=Second Primary SCCM site in New York

 

2.5         Create SCCM VMs

 

Server Name: SRV-CM-01

Create the VM for SCCM based on the specification in the Hardware and Disk Layout Requirement section above.

 

3                     Create SCCM Accounts and Groups

 

3.1               Create SCCM Accounts

 

Ensure that the following accounts have been created.

| Account Name | Location | Description |
| --- | --- | --- |
| SVC-CM-Install | Accounts\Install | SCCM Install Account |
| SVC-CM-CliPush | Accounts\Service | Client push account that can be used to install the SCCM client. |
| SVC-CM-RSP | Accounts\Service | Reporting Service Point SRS Execution account will be used to support the SCCM Reporting Services Point and SRS |
| SVC-CM-NAA | Accounts\Service | SCCM Network Access account will be used to support OSD. |
| SVC-SQLSC-01 | Accounts\Service | Account used as SQL service account for the SQL database that supports the SCCM server. |

 

3.2               Create SCCM Groups

 

Ensure that the following groups have been created and that the members listed are present in the listed groups.

| Group Name | Group Type | Purpose | Members |
| --- | --- | --- | --- |
| ADM-SQL-ADMINS | Domain Local | Grants members SQL Administrative permission to SQL database | TBD |

 

3.3               Create SCCM Server OU

 

Create the OU for the SCCM servers.

 

1.       On a domain controller, create the following OU:

a.       <CONTOSO.LOCAL\SERVERS\CM>

2.       All SCCM servers will be located in the OU above.
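The accounts, group and OU from sections 3.1 to 3.3 can also be created idempotently with the ActiveDirectory module. This is an added example, not a script from the original post; the OU layout (OU=Install and OU=Service under OU=Accounts, OU=CM under OU=Servers, all directly below DC=CONTOSO,DC=LOCAL), the Security group category and the default group location are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumed layout: OU=Install and OU=Service under OU=Accounts,
# and OU=CM under OU=Servers, all directly below DC=CONTOSO,DC=LOCAL.
$domainDN = 'DC=CONTOSO,DC=LOCAL'

function New-OuIfMissing {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path
    )
    # Look only one level below the parent so an OU with the same name elsewhere is ignored.
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    "OU=$Name,$Path"   # return the DN so callers can nest OUs
}

$accountsOU = New-OuIfMissing -Name 'Accounts' -Path $domainDN
$installOU  = New-OuIfMissing -Name 'Install'  -Path $accountsOU
$serviceOU  = New-OuIfMissing -Name 'Service'  -Path $accountsOU
$serversOU  = New-OuIfMissing -Name 'Servers'  -Path $domainDN
$cmOU       = New-OuIfMissing -Name 'CM'       -Path $serversOU   # section 3.3

# Accounts from the table in section 3.1.
$accounts = @(
    @{ Name = 'SVC-CM-Install'; Path = $installOU; Description = 'SCCM Install Account' }
    @{ Name = 'SVC-CM-CliPush'; Path = $serviceOU; Description = 'SCCM client push account' }
    @{ Name = 'SVC-CM-RSP';     Path = $serviceOU; Description = 'Reporting Services Point / SRS execution account' }
    @{ Name = 'SVC-CM-NAA';     Path = $serviceOU; Description = 'SCCM Network Access account (OSD)' }
    @{ Name = 'SVC-SQLSC-01';   Path = $serviceOU; Description = 'SQL service account for the SCCM database' }
)

foreach ($a in $accounts) {
    if (Get-ADUser -Filter "sAMAccountName -eq '$($a.Name)'") {
        Write-Host "$($a.Name) already exists, skipping."
        continue
    }
    # Prompt for each password so no secret is stored in the script or its transcript.
    $password = Read-Host -AsSecureString -Prompt "Password for $($a.Name)"
    New-ADUser -Name $a.Name -SamAccountName $a.Name -Path $a.Path `
               -Description $a.Description -AccountPassword $password -Enabled $true
}

# Group from section 3.2. Members are TBD on the page, so none are added here.
# Without -Path the group is created in the domain's default Users container.
if (-not (Get-ADGroup -Filter "sAMAccountName -eq 'ADM-SQL-ADMINS'")) {
    New-ADGroup -Name 'ADM-SQL-ADMINS' -SamAccountName 'ADM-SQL-ADMINS' `
                -GroupScope DomainLocal -GroupCategory Security `
                -Description 'Grants members SQL Administrative permission to SQL database'
}

# Summary of what now exists.
$accounts | ForEach-Object { Get-ADUser -Identity $_.Name } |
    Select-Object SamAccountName, Enabled, DistinguishedName
```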

 

4                     Prepare the Forest

 

4.1               Why Extend the Active Directory Schema for SCCM

 

When installing System Center Configuration Manager (ConfigMgr) you have to decide whether to extend the AD Schema or not.

 

ConfigMgr uses the Windows Active Directory (AD) environment to support many of the features it provides and can publish information to AD about sites and services. In this manner, the AD clients of ConfigMgr have this information easily accessible, but in order to use this feature the AD schema has to be extended in order to create the objects and the classes specific to ConfigMgr. Extending the schema is not required for the installation of ConfigMgr but it is recommended.

 

Extending the Active Directory Schema for ConfigMgr allows clients to retrieve many types of information related to Configuration Manager from a trusted source. In some cases, there are workarounds for retrieving the necessary information if the Active Directory schema is not extended, but they are all less secure than querying Active Directory Domain Services directly. Additionally, not extending the schema might incur significant workload on other administrators who might need to create and maintain the workaround solutions such as logon scripts and Group Policy objects (GPO) for computers and users in your organization. The Active Directory schema can be extended before or after running ConfigMgr Setup, however as a best practice, it’s best to extend the schema before you run Configuration Manager Setup. You have to extend the Active Directory schema only once for the forest that contains site servers; you do not have to extend the schema again if you upgrade the operating systems on the domain controllers or after you raise the domain or forest functional levels. Similarly, if you extended the schema for ConfigMgr with no service pack, you do not have to extend the schema again for ConfigMgr.

 

Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup. ConfigMgr can publish information to AD only after the AD schema is extended and the steps needed to publish the ConfigMgr 2012 site information to AD are completed.

 

You can extend the AD Schema using either the extadsch.exe tool or the ConfigMgr_ad_schema.ldf file. When using the ldf file you will need to edit and configure this file. The extadsch.exe tool is easier to use and just needs a double click. It writes a log file to the root of C:\ on the computer from which the command was launched. You need to be a Schema Admin in order to make these changes, and it is recommended to check with the AD administrator for permissions before extending the schema. If you need to see what happens and what changes are being made, you can look at the ConfigMgr_ad_schema.ldf file.

While some Configuration Manager features depend on extending the schema, such as Network Access Protection in Configuration Manager and global roaming, there are workarounds for not extending the schema to enable other Configuration Manager features.

 

Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:

·         Extend the Active Directory schema.

·         Create the System Management container.

·         Set security permissions on the System Management container.

·         Enable Active Directory publishing for the Configuration Manager site.

 

When extending the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, you must consider the network traffic that might be generated.

 

 In Windows 2000 forests, extending the schema causes a full synchronization of the whole global catalog. For Windows 2003 forests, Windows 2008 forests, and Windows 2008 R2 forests, only the newly added attributes are replicated. You should plan to extend the schema during a time when the replication traffic does not adversely affect other network-dependent processes.

 

You can extend the Active Directory schema for ConfigMgr by running the ExtADSch.exe tool or by using the LDIFDE command-line tool to import the contents of the ConfigMgr_ad_schema.ldf LDIF file. Both the tool and the LDIF file are located in the SMSSETUP\BIN\i386 directory of the Configuration Manager installation files. Regardless of the method that you use to extend the schema, two conditions must be met:

 

·         The Active Directory schema must allow updates. On domains that are running Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, by default the schema is enabled for updates. For domains that are running Windows 2000 Server, you must manually enable updates on the schema master for the Active Directory forest.

·         The account that is used to update the schema must be either a member of the Schema Admins group or have been delegated sufficient permissions to modify the schema.

 

Using an LDIF file to extend the Active Directory schema instead of the ExtADSch.exe tool provides greater transparency about the changes being made to the Active Directory schema and also makes it easier to diagnose any problems encountered during the schema extension process.

 

You can use the LDIFDE command-line utility to import directory objects into Active Directory Domain Services using LDAP Data Interchange Format (LDIF) files. For greater visibility of the changes being made to the Active Directory schema than the ExtAdSch.exe utility provides, you can use the LDIFDE utility to import schema extension information using the ConfigMgr_ad_schema.ldf file, which is included on the Configuration Manager installation media in the .\SMSSETUP\BIN\i386 directory.

 

4.2               Extend the Schema (Manually)

 

Note: PowerShell will not be used to extend the schema.

 

SCCM uses AD to publish information about its sites and services, making it easily accessible to Active Directory clients. To leverage AD, we must extend the schema to create classes of objects specific to SCCM.

Client installation properties are published to Active Directory Domain Services if the schema is extended for Configuration Manager and read by client installations where CCMSetup is run without installation properties.

The System Management container is used to grant SCCM Permissions to Publish to the Active Directory.  Each SCCM site requires explicit permissions to publish to the Active Directory.  Child sites do not inherit permissions to the System Management container. Advanced clients use SCCM published information in active directory to find DPs, SLPs, and MPs. 

 

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container needs to be created once for each domain that includes any Configuration Manager site server that will publish site information to Active Directory Domain Services.

 

4.2.1                 Identify Schema Admins Account

1.       Log on to a domain controller in the forest root domain.

2.       Select Start, Run.

3.       In the Run dialog box, type [dsa.msc].

4.       In Active Directory Users and Computers, select the view menu, then activate (toggle) the Advanced Features.

5.       Select the Users OU.

6.       Right-click the Schema Admins global group icon.

7.       Select Properties from the pop-up menu

8.       Select the Members tab.

9.       Double-click on the Domain Admins group to display the Properties screen.

10.   Click on the Members tab.

11.   Identify an account that is a member of Schema Admins and Domain Admins.

 

4.2.2                 Identify Forest Root Domain Controller Schema Master

1.       Log on to a domain controller in the forest root domain.

2.       Select Start, Run.

3.       In the Run dialog box, type [cmd].

4.       In the Command window, type dsquery server -forest -hasfsmo schema. The output displays the distinguished name of the server with the schema master role.

4.2.3                 Log on to Forest Root Domain Schema Master

1.       Locate the domain controller in the forest root domain with the Schema Master Role.

2.       Log on with an account that is a member of Schema Admins and Domain Admins.

3.       Verify Inbound Replication

4.       Select Start, Run.

5.       In the Run dialog box, type cmd.

6.       In the Command window, type:

i.       repadmin /showreps

ii.      Note: The output displays replication status in the INBOUND NEIGHBORS area of the screen.

7.       Install the Active Directory Schema Snap-in

8.       At the command prompt, type regsvr32 schmmgmt.dll to register the snap-in.

a.       Note: Although the name regsvr32 suggests a 32-bit command, it runs properly on the 64-bit versions of the supported operating systems.

9.       Click OK.

10.   At the command prompt, type mmc.

11.   From the File menu, select Add/Remove Snap-in

12.   From the Add/Remove Snap-in screen, click the Active Directory Schema icon.

13.   Click Add…then OK.

14.   From the File menu, click Save to save the console.

15.   From the Save in dropdown menu, locate the C:\WINNT\System32 directory.

16.   In the File name field, type [schmmgmt.msc].

17.   Click Save.

18.   Close the Schema Management Console.
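The checks in 4.2.1 through 4.2.3 (who may extend the schema, which domain controller holds the schema master role, and whether its inbound replication is healthy) can be gathered in one read-only pass. This is an added example, not a script from the original post; it assumes the ActiveDirectory module and uses Get-ADReplicationPartnerMetadata in place of repadmin /showreps.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only pre-flight checks before running extadsch.exe.

function Get-SchemaExtensionPreflight {
    $forest       = Get-ADForest
    $rootDomain   = $forest.RootDomain
    # Same answer as: dsquery server -forest -hasfsmo schema
    $schemaMaster = $forest.SchemaMaster

    # 4.2.1: accounts that are members of both Schema Admins and Domain Admins.
    # Schema Admins exists only in the forest root domain, so query that domain.
    $schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Recursive)
    $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Server $rootDomain -Recursive)
    $eligible = @($schemaAdmins | Where-Object {
        $_.objectClass -eq 'user' -and
        $domainAdmins.distinguishedName -contains $_.distinguishedName
    })

    # 4.2.3: inbound replication of the schema partition on the schema master.
    # A forest with a single domain controller has no partners and returns nothing.
    $inbound = @(Get-ADReplicationPartnerMetadata -Target $schemaMaster -Partition Schema |
        Select-Object Partner, LastReplicationSuccess, LastReplicationResult,
                      ConsecutiveReplicationFailures)
    $failing = @($inbound | Where-Object { $_.LastReplicationResult -ne 0 })

    [pscustomobject]@{
        RootDomain       = $rootDomain
        SchemaMaster     = $schemaMaster
        EligibleAccounts = $eligible.SamAccountName
        InboundPartners  = $inbound
        FailingPartners  = $failing
        # Proceed only with an eligible account and no failing inbound partner.
        ReadyToExtend    = ($eligible.Count -gt 0) -and ($failing.Count -eq 0)
    }
}

$preflight = Get-SchemaExtensionPreflight
$preflight | Format-List RootDomain, SchemaMaster, EligibleAccounts, ReadyToExtend
$preflight.InboundPartners | Format-Table -AutoSize
```

Keeping Schema Admins empty outside of change windows, and removing the account again after the extension, limits how long a schema-write credential exists.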

 

4.2.4                 Extend the Schema for SCCM 2019


Note:  Only use the extadsch.exe file from the SCCM CD. If you use the extadsch.exe from active directory it will not create the proper attributes in Active Directory. 

 

Schema extension must be done before any SCCM installation.

 

Note: ensure that the account used to extend the schema is in the Schema Admins group.

 

1.       Locate the domain controller in the forest root domain with the Schema Master Role.

2.       Log on to a domain controller with an account that is a member of Schema Admins and Domain Admins.

3.       Copy the following files to a folder on the local drive:

a.       \\SCCMShare\SCCM_InstallFiles\SCCM_2019\SMSSETUP\BIN\<x64>

b.       Note: You must copy the entire …\x64 folder to the domain controller to successfully run the extadsch.exe command. Copying extadsch.exe alone will fail.

4.       At the command prompt, change directory to the local files

5.       At the command prompt, type extadsch.exe and press Enter. 

6.       The following message displays:
  Microsoft Systems Central xxx vX.00 (Build xxxx)
  Copyright (C) 2011 Microsoft Corp.

 

a.       Successfully extended the Active Directory Schema.

 

7.       Finished.

 

4.2.5                 Verify Successful Schema Extension

1.       Review the Extadsch.log file located in the root of the C:\ drive on the Schema Master.

2.       The output should be similar to the following:

<08-18-2012 14:20:19> Modifying Active Directory Schema - with SCCM extensions.
<08-18-2012 14:20:19> DS Root:CN=Schema,CN=Configuration,DC=rko,DC=com
<08-18-2012 14:20:20> Defined attribute cn=MS-SMS-Site-Code.
<08-18-2012 14:20:20> Defined attribute cn=MS-SMS-Assignment-Site-Code.
<08-18-2012 14:20:20> Defined attribute cn=MS-SMS-Site-Boundaries.
<08-18-2012 14:20:20> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<08-18-2012 14:20:20> Defined attribute cn=MS-SMS-Default-MP.
<08-18-2012 14:20:21> Defined attribute cn=mS-SMS-Device-Management-Point.
<08-18-2012 14:20:21> Defined attribute cn=MS-SMS-MP-Name.
<08-18-2012 14:20:21> Defined attribute cn=MS-SMS-MP-Address.
<08-18-2012 14:20:21> Defined attribute cn=MS-SMS-Health-State.
<08-18-2012 14:20:21> Defined attribute cn=MS-SMS-Source-Forest
<08-18-2012 14:20:21> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<08-18-2012 14:20:21> Defined attribute cn=MS-SMS-Ranged-IP-High.
<08-18-2012 14:20:22> Defined class cn=MS-SMS-Management-Point.
<08-18-2012 14:20:22> Defined class cn=MS-SMS-Server-Locator-Point.
<08-18-2012 14:20:21> Defined attribute cn=MS-SMS-Version
<08-18-2012 14:20:21> Defined attribute cn=MS-SMS-Capabilities
<08-18-2012 14:20:22> Defined class cn=MS-SMS-Site.
<08-18-2012 14:20:22> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<08-18-2012 14:20:22> Successfully extended the Active Directory schema.

  1. Locate the entry Successfully extended the Active Directory Schema.
  2. If errors were reported, these should be resolved and the utility should be run again.
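The log review can be scripted so that a missing attribute, a missing class or an absent success line is reported instead of being spotted by eye. This is an added example, not a script from the original post; the function name is hypothetical, the expected names are the ones in the sample output above, and the embedded log lines are constructed to show a run that stopped early.

```powershell
# Added example. Expected names are the attributes and classes in the sample log above.
$ExpectedSchemaObjects = @(
    'MS-SMS-Site-Code', 'MS-SMS-Assignment-Site-Code', 'MS-SMS-Site-Boundaries',
    'MS-SMS-Roaming-Boundaries', 'MS-SMS-Default-MP', 'mS-SMS-Device-Management-Point',
    'MS-SMS-MP-Name', 'MS-SMS-MP-Address', 'MS-SMS-Health-State', 'MS-SMS-Source-Forest',
    'MS-SMS-Ranged-IP-Low', 'MS-SMS-Ranged-IP-High', 'MS-SMS-Version', 'MS-SMS-Capabilities',
    'MS-SMS-Management-Point', 'MS-SMS-Server-Locator-Point', 'MS-SMS-Site',
    'MS-SMS-Roaming-Boundary-Range'
)

function Test-ExtADSchLog {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line
    )
    $defined = New-Object System.Collections.Generic.List[string]
    $review  = New-Object System.Collections.Generic.List[string]
    $success = $false

    foreach ($raw in $Line) {
        # Every entry is "<timestamp> message"; blank or malformed lines are skipped.
        if ($raw -notmatch '^<(?<ts>[^>]+)>\s*(?<msg>.+?)\s*$') { continue }
        $msg = $Matches.msg
        switch -Regex ($msg) {
            '^Defined (attribute|class) cn=(?<cn>[\w-]+)'        { $defined.Add($Matches.cn); break }
            '^Successfully extended the Active Directory schema' { $success = $true; break }
            '^(Modifying Active Directory Schema|DS Root:)'      { break }
            default { $review.Add($raw) }   # anything else needs a human look
        }
    }

    # -notcontains is case-insensitive, so mS-SMS-... and MS-SMS-... compare equal.
    $missing = @($ExpectedSchemaObjects | Where-Object { $defined -notcontains $_ })

    [pscustomobject]@{
        SuccessLineFound = $success
        DefinedCount     = $defined.Count
        Missing          = $missing
        NeedsReview      = $review.ToArray()
        Passed           = $success -and ($missing.Count -eq 0) -and ($review.Count -eq 0)
    }
}

# Constructed sample: a run that stopped after two attributes, with no success line.
$sample = @(
    '<08-18-2012 14:20:19> Modifying Active Directory Schema - with SCCM extensions.'
    '<08-18-2012 14:20:19> DS Root:CN=Schema,CN=Configuration,DC=rko,DC=com'
    '<08-18-2012 14:20:20> Defined attribute cn=MS-SMS-Site-Code.'
    '<08-18-2012 14:20:20> Defined attribute cn=MS-SMS-Assignment-Site-Code.'
)
Test-ExtADSchLog -Line $sample | Format-List

# On the schema master, check the real log in the root of C:\ instead:
# Test-ExtADSchLog -Line (Get-Content 'C:\ExtADSch.log')
```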

Verify SCCM Classes in the Active Directory

1.       Open the Run dialog box by selecting Start, Run.

2.       In the Run dialog box, type [schmmgmt.msc] then press [Enter].

Verify mSSMSSite Class

5.       Expand the Active Directory Schema tree by clicking on the + symbol in the left pane.

6.       Select the Classes folder to display the classes in the right pane.

7.       From the right pane, locate the mSSMSSite class icon.

8.       Right-click mSSMSSite icon, and select Properties from the pop-up menu.

9.       From the mSSMSSite Properties screen, select the Attributes tab.

10.   From the Attributes tab, verify the following attributes in the Optional area of the screen.

 

cn

mSSMSAssignmentSiteCode

mSSMSHealthState

mSSMSRoamingBoundaries

mSSMSSiteBoundaries

mSSMSSiteCode

mSSMSSourceForest

serviceBindingInformation

4.       Click the Cancel button to close the screen.

Verify mSSMSManagementPoint Class

  1. From the right pane, locate the mSSMSManagementPoint class icon.
  2. Right-click mSSMSManagementPoint class and select Properties from the pop-up menu.
  3. From the mSSMSManagementPoint  Properties screen, select the Attributes tab.
  4. From the Attributes tab, verify the following attributes in the Optional area of the screen.

cn

dNSHostName

mSSMSCapabilities

mSSMSDefaultMP

mSSMSDeviceManagementPoint

mSSMSMPAddress

mSSMSMPName

mSSMSSiteCode

mSSMSSourceForest

mSSMSVersion

  1. Select Cancel.

Verify mSSMSServerLocatorPoint Class

  1. In the right pane, locate the mSSMSServerLocatorPoint class icon.
  2. Right-click mSSMSServerLocatorPoint class and select Properties from the pop-up menu.
  3. From the mSSMSServerLocatorPoint Properties screen, select the Attributes tab.
  4. From the Attributes tab, verify the following attributes in the Optional area of the screen.

cn

dNSHostName

mSSMSMPName

mSSMSSiteCode

mSSMSSourceForest

  1. Select Cancel.

Verify mSSMSRoamingBoundaryRange Class

  1. In the right pane, locate the mSSMSRoamingBoundaryRange class icon.
  2. Right-click mSSMSRoamingBoundaryRange class and select Properties from the pop-up menu.
  3. From the mSSMSRoamingBoundaryRange Properties screen, select the Attributes tab.
  4. From the Attributes tab, verify the following attributes in the Optional area of the screen.

cn

mSSMSAssignmentSiteCode

mSSMSRangedIPHigh

mSSMSRangedIPLow

mSSMSSiteCode

mSSMSSourceForest

  1. Select Cancel.

Verify SCCM Attributes in Active Directory Schema Snap-In

  1. In the left pane, click the Attributes folder.
  2. From the right pane, verify the following SCCM attributes are listed.

mSSMSAssignmentSiteCode

mSSMSCapabilities

mSSMSDefaultMP

mSSMSDeviceManagementPoint

mSSMSHealthState

mSSMSMPAddress

mSSMSMPName

mSSMSRangedIPHigh

mSSMSRangedIPLow

mSSMSRoamingBoundaries

mSSMSSiteBoundaries

mSSMSSiteCode

mSSMSSourceForest

mSSMSVersion

  1. Close the schmmgmt Console screen.

4.2.6                 Verify DOMAIN Replication to Domain Controllers

  1. Login to another domain controller.
  2. In the elevated Command window, type [adsiedit.msc].
  3. In the ADSI Edit window, right-click on the ADSI Edit node icon.
  4. From the pop-up menu, click Connect to…
  5. In the Connection Settings screen, in the Select a well known Naming Context, select Schema and click Ok.
  6. From the ADSI Edit screen, expand Schema under the replication partner.
  7. Select the Schema folder.
  8. In the right pane, click the Class column to display the classSchema entries.
  9. Verify the following four SCCM schema classes are listed:

MS-SMS-Management-Point

MS-SMS-Roaming-Boundary-Range

MS-SMS-Server-Locator-Point

MS-SMS-Site

  1. Close the ADSI Edit window.
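Instead of opening ADSI Edit against one replication partner at a time, the schema partition of every domain controller can be queried for the four classes. This is an added example, not a script from the original post; it assumes the ActiveDirectory module and that each domain controller is reachable from the host where it runs.

```powershell
#Requires -Modules ActiveDirectory
# Added example: confirm the four SCCM classes have replicated to every domain controller.

$expectedClasses = @(
    'MS-SMS-Management-Point'
    'MS-SMS-Roaming-Boundary-Range'
    'MS-SMS-Server-Locator-Point'
    'MS-SMS-Site'
)

function Test-SccmSchemaReplication {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $forest   = Get-ADForest

    # The schema partition is forest-wide, so check the DCs of every domain.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    foreach ($dc in $dcs) {
        try {
            # Ask this specific DC for its own copy of the classSchema objects.
            $found = @(Get-ADObject -Server $dc.HostName -SearchBase $schemaNC `
                        -LDAPFilter '(&(objectClass=classSchema)(cn=MS-SMS-*))' `
                        -ErrorAction Stop | Select-Object -ExpandProperty Name)
            $missing = @($expectedClasses | Where-Object { $found -notcontains $_ })
            [pscustomobject]@{
                DomainController = $dc.HostName
                Reachable        = $true
                MissingClasses   = $missing -join ', '
                InSync           = ($missing.Count -eq 0)
            }
        }
        catch {
            # An unreachable DC is reported, not silently treated as in sync.
            [pscustomobject]@{
                DomainController = $dc.HostName
                Reachable        = $false
                MissingClasses   = $_.Exception.Message
                InSync           = $false
            }
        }
    }
}

Test-SccmSchemaReplication | Format-Table -AutoSize -Wrap
```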

 

 

 

5                     System Management Container

 

5.1.1                 Create the System Management Container (Manually)

The System Management container is used to grant SCCM Permissions to Publish to the Active Directory.  Each SCCM site requires explicit permissions to publish to the Active Directory.  Child sites do not inherit permissions to the System Management container. Advanced clients use SCCM published information in active directory to find DPs, SLPs, and MPs. 

 

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container needs to be created once for each domain that includes any Configuration Manager site server that will publish site information to Active Directory Domain Services.

 

Each domain maintains its own System Management container in Active Directory in its own domain partition.  A domain controller does not replicate its System Management container to other domains in the forest.

In an Active Directory environment, the client queries Active Directory for a resident management point. It does this by searching the Active Directory global catalog for a site code, which has been registered (by a site server) with a matching Active Directory site name or IP address range.

 

NOTE

Remember that you create the System Management container one time in each domain that has a primary or secondary site. This will be used to publish data to Active Directory.

 

1.      Log on to a domain controller with an account that has permissions to create an Active Directory container.

2.      Open the elevated command prompt.

3.      Type adsiedit.msc, then press Enter.

4.      Select Start, Run.

5.      In the Run box, type adsiedit.msc.

6.      Right click ADSI Edit and click Connect to.

7.      On the Connection Settings window, the Name should be Default Naming Context. Click OK.

8.      From the left pane, expand the Default naming context, expand Domain container <DC=CONTOSO,DC=COM>.

9.      Right-click on CN=System.

10.  Select New-Object from the pop-up menu.

11.  From the Create Object screen, select container, then click Next.

12.  From the next Create Object screen, in the Value text field type:

a.       System Management.

13.  Click Next.

14.  Click Finish.

15.  From the ADSI Edit screen, expand the CN=System node and visually verify that CN=System Management has been created.

16.  Close the ADSI Edit screen.

 

5.1.2          Set Security on the System Management Container (Manually)

 

After you create the System Management container, you must delegate the SCCM server full permissions on the System Management container.

 

For each site to create its site object, the System Management container must exist.  The SCCM site server computer account must be granted full rights to the System Management container.  After the site has generated its Active Directory site object, full rights to the Systems Management container can be removed and full permissions set only to the site object and all child objects, such as Management Points and Server Locator Points.  Any time a secondary site is installed, the parent site will again need full permissions to the Systems Management container in order to create the secondary site’s site object.

 

Note:  The SCCM Site server computer account will retain full control permission after the site object has been created to support the creation of subsequent SCCM secondary sites.

 

Note: The ConfigMgr prerequisite checker displayed a warning for the Verify site server permissions to publish to Active Directory check. The warning can be ignored. This is a warning, not an error; I’ve seen it on most of my SCCM installations. The setup application has no way to know if the site server can or cannot write to AD, so it throws the warning so that you, the admin, go and check to be sure. Confirm that the permissions are set properly using an AD group or the site server computer account (it doesn’t matter which you use) and AD publishing works fine.

 

Note: You can grant the site server's computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container.

 

Details:

  1. Log on to a domain controller and launch Active Directory Users and Computers.
  2. From the Active Directory Users and Computers screen, select Advanced Features from the View menu.
  3. In the left pane, expand the Domain node (e.g., domain.com).
  4. Expand the System container.
  5. Right-click on the System Management container and select Properties from the pop-up menu.
  6. From the System Management Properties screen, select the Security tab.
  7. Click Add.
  8. In the Select Users, Computers, or Groups screen, type SRV-CM-01 in the Enter the object names to select text box.
  9. Click Check Names to verify the typed entry.
  10. Click OK.
  11. In the Permissions for SRV-CM-01, click the Full Control checkbox in the Allow column.
  12. Click the Advanced button.
  13. From the Advanced Security Settings for System Management screen, select SRV-CM-01.
  14. Click Edit.
  15. From the Permission Entry for System Management screen, click the Apply to: dropdown box.
  16. From the dropdown list, select This object and all descendant objects.
  17. In the Permissions pane under the Allow column, verify the Full Control checkbox is checked.
  18. At the Permission Entry for System Management screen, click OK.
  19. At the Advanced Security Settings for System Management screen, click OK.
  20. At the System Management Properties screen, click OK.
  21. Close the Active Directory Users and Computers screen.

==============================

Alternative Method of setting Permissions:

 

  1. Launch Active Directory Users and Computers.
  2. Click View and click Advanced Features.
  3. Expand System, right click System Management and click Delegate Control.
  4. On the Welcome page, click Next.
  5. Click Add.
  6. In the Select Users, Computers, or Groups window, click Object Types and check Computers as an object type. Click OK.
  7. Type the name of the primary site server computer account (SRV-CM-01) and click OK.
    1. This adds the primary site server computer account.
  8. Click Next.
  9. On the Tasks to Delegate page, click Create a custom task to delegate. Click Next.
  10. On the Delegate Control Of page, select This folder, existing objects in this folder and creation of new objects in this folder.
  11. Click Next.
  12. On the Permissions page, select General, Property-specific and Creation/deletion of specific child objects.
    1. Under Permissions, click Full Control. When you check the Full Control box, all the other permissions get checked automatically.
  13. Click Next and click Finish to close the wizard.
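
To verify the result of either method, the check below reads the container's ACL and confirms that the site server computer account holds Full Control applied to this object and all descendant objects. It is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name Test-SystemManagementAcl is hypothetical.

```powershell
# Added example (not from the original post): verify the System Management container ACL.
# Assumes the ActiveDirectory module (RSAT) is installed; the function name is hypothetical.
Import-Module ActiveDirectory

function Test-SystemManagementAcl {
    param(
        # sAMAccountName of the site server computer account (server name taken from the post)
        [string]$ComputerAccount = 'SRV-CM-01$'
    )

    $domain = Get-ADDomain
    $dn     = "CN=System Management,CN=System,$($domain.DistinguishedName)"
    $wanted = "$($domain.NetBIOSName)\$ComputerAccount"
    $full   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # The AD: drive is created when the ActiveDirectory module is imported
    $aces = @((Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $wanted -and $_.AccessControlType -eq 'Allow'
    })

    # Full Control must be set on the container itself and apply to all descendants
    $match = $aces | Where-Object {
        ($_.ActiveDirectoryRights -band $full) -eq $full -and
        $_.InheritanceType -eq 'All' -and
        -not $_.IsInherited
    }

    [pscustomobject]@{
        Container                   = $dn
        Account                     = $wanted
        AllowAcesFound              = $aces.Count
        FullControlOnAllDescendants = [bool]$match
    }
}

Test-SystemManagementAcl
```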

6                     BUILD PRIMARY SCCM CB 1902 SITE (VP1)

 

All SCCM roles will be installed on one server. This installation will be performed semi-automatically using PowerShell scripts.

 

6.1         Primary Site Server Names and Roles

SCCM Primary Site Server Names:

 

ROLES: ALL on One Server - (SRV-CM-01)

| SCCM Role | Server Name |
| --- | --- |
| Site Server | SRV-CM-01 |
| Site Server Database | SRV-CM-01 |
| Reporting Point | SRV-CM-01 |
| Management Point | SRV-CM-01 |
| Distribution Point | SRV-CM-01 |
| PXE Service Point | SRV-CM-01 |
| Software Update Point | SRV-CM-01 |
| Fallback Status Point | SRV-CM-01 |
| EndPoint Protection Point | SRV-CM-01 |
| Application Catalog web service point | SRV-CM-01 |
| Application Catalog website point | SRV-CM-01 |

 

6.2         Prep for SCCM Automated Installation

 

6.2.1          Overview of SCCM PowerShell Install Script

 

These scripts will be used to install SQL and SCCM on the SCCM Site server.

 

There will be two PowerShell scripts used:

·         SCCM_CB_1902_PREP-11-15-2019.ps1

o   The SCCM_CB_1902_PREP-11-15-2019.ps1 script will be used to create folders and set the folder permissions needed for the SCCM site server installation.

·         SCCM_CB_1902_INSTALL-11-15-2019.ps1

o   Used to install the SCCM site server on the local server.

 

The scripts will be running on the SCCM site server and will do the following:

 

  1. Set Folders permissions…
  2. Create the staging folders.
  3. Create the SQL folders.
  4. Grant the SVC-SQLSC-01 service account full control to these folders.
  5. Create the folders for the automated deployment of SCCM 2019.

  6. Install IIS, BITS and .NET Framework 3.5.1
  7. Install SQL Server 2017 Enterprise Edition.
    a. Set SQL Service Accounts SPN
      i. SVC-SQLSC-01 (VP1)
    b. Install SQL Cumulative updates
    c. Install SQL SSMS 18.3
      i. Note the SQLCMD is included in the Microsoft ODBC Driver 13.1/17 for SQL Server
      ii. Find out if it was installed with SQL 2017 or with SQL SSMS 18.3
      iii. I believe it's part of the SQL SSMS 18.3 install… Need to confirm
    d. *** REBOOT THE SERVER ***
    e. Configure SQL Memory
    f. Install SQL 2017 Reporting Service
    g. Set SQL 2017 Reporting Service Account
    h. *** REBOOT THE SERVER ***
    i. Configure SQL 2017 Reporting Service and Set Service Acct
  8. *** REBOOT THE SERVER ***
  9. Install ADK for Windows 1903
    a. Install Windows ADK for Windows 10_1903
    b. Install Windows PE_1903 as Separate Add-on
  10. *** REBOOT THE SERVER ***
  11. Configure NO_SMS_ON_DRIVE.SMS Files
  12. Copy CMTrace
  13. Install Remote Differential Compression
  14. Install Microsoft Report Viewer 2012
    a. Note Report Viewer 2012 is still needed for WSUS reports on a Windows 2019/2016 server.
  15. Install and configure WSUS for SCCM (Unattended)
  16. *** REBOOT THE SERVER ***
  17. Run SCCM CB Prechecks
  18. Install SCCM CB 1902 on Primary Site Server (VP1 Site)
  19. Finish.

Use the portions of the scripts when called for below.

 

===============================================

 

SCCM_CB_1902_PREP-11-15-2019.ps1

 

===========================================

 

1.       See script below:

 

## Use the commands below to Install and Configure SCCM 2019 on a single server/PC.

##

## Create folders for the automatic deployment of SCCM 2019

## On the site server ensure these drives are present:

# (C:)(60gb+) RAID 1 for OS, page file (4k, NTFS)

# (D:)(100gb+) RAID 1 SCCM Inboxes, SCCMContentlib (4k, NTFS)

# (E:)(150gb+) DP Content, SUP/WSUS, MDT, SCCMShare (4k, NTFS)

# (F:)(40gb+) RAID 5 for SQL DB (64k BlockSize, ReFS)

# (G:)(50gb+) RAID 1 for transaction logs,UserDBlog, SQL TempDB logs, SCCMBackup (64k BlockSize, ReFS)

 

 

## On the Site server create the following folders on the outlined drives:

## Note: copy the binaries of all software that will be automated to these folders (SCCM, SQL, ADK, etc.):

#              C:\SCCM_STAGING
#                              W2019\Sources\Sxs
#                              SCCM_CB_1902
#                              SQL_2017_ENT
#                              SQL_2017_CU16
#                              SQL_2017_RS
#                              REPORT_VIEWER_2012
#                              SSMS_18.3
#                              Visual C++ 2013 Redistributable
#                              WADK_10_1903
#                              WADK_10_WINPE_1903

 

 

## Create local folders for SCCM

 

### Create the SCCM Staging folder

New-Item C:\SCCM_STAGING -Type Directory
New-Item C:\SCCM_STAGING\W2019\Sources\Sxs -Type Directory
New-Item C:\SCCM_STAGING\SCCM_CB_1902 -Type Directory
New-Item C:\SCCM_STAGING\SQL_2017_ENT -Type Directory
New-Item C:\SCCM_STAGING\SQL_2017_CU16 -Type Directory
New-Item C:\SCCM_STAGING\SQL_2017_RS -Type Directory
New-Item C:\SCCM_STAGING\REPORT_VIEWER_2012 -Type Directory
New-Item C:\SCCM_STAGING\SSMS_18.3 -Type Directory
New-Item 'C:\SCCM_STAGING\Visual C++ 2013 Redistributable' -Type Directory
New-Item C:\SCCM_STAGING\WADK_10_1903 -Type Directory
New-Item C:\SCCM_STAGING\WADK_10_WINPE_1903 -Type Directory

 

### STOP STOP STOP ... Populate the above folders with the proper binaries ########

 

###############################################################################

### **** STOP: ensure that the folders above have been created and populated before proceeding ****

###############################################################################

 

# Create Folders for SQL Install:

# Grant the SQL service account (SVC-SQLSC-01) full control to the below folders.

# Note if SQL will be installed on a single storage/LUNS, then the folders can all be on the same drive letter.

# Note if this will be a multi-SQL instance, and all the SQL files will be placed on a single storage/LUNS,

# -then create one drive letter per SQL instance. Meaning if you will have a SCCM and SCOM SQL instance then create a D:\MSSQL and an E:\MSSQL folder/VHDX.

# After folder creation, Grant the SQL service account (SVC-SQLSC-01) full control to the above folders.

 

New-Item F:\MSSQL -Type Directory
New-Item F:\MSSQL\TempDB -Type Directory
New-Item F:\MSSQL\UserDB -Type Directory
New-Item G:\MSSQL -Type Directory
New-Item G:\MSSQL\UserDBLOG -Type Directory
New-Item G:\MSSQL\TempDBLogs -Type Directory
New-Item G:\MSSQLBackup -Type Directory
New-Item D:\SRSReportKeys -Type Directory

 

 

###############################################################################

### **** STOP: ensure that the folders above have been created before proceeding to script #2 ****

###############################################################################

 

================================================

 

SCCM_CB_1902_INSTALL-11-15-2019.ps1

 

## Use the commands below to Install and Configure SCCM 2019 on a single server/PC.

##

## Do not proceed unless you have run script #1

 

###############################################################################################

############# Install SCCM 2019 Prerequisites #############################################

#### The script below assumes all SCCM and prerequisite files have been copied to the C:\SCCM_STAGING folders.

 

# Install .NET Framework 3.5.1

# Ensure you copy the Windows 2019 DVD\Sources\Sxs folder in the staging folder

Dism /online /enable-feature /featurename:NetFx3 /All /Source:C:\SCCM_STAGING\W2019\Sources\Sxs /LimitAccess

 

# Install BITS and IIS

# BITS is needed for the Distribution Point and Management Point.

Install-WindowsFeature BITS

Install-WindowsFeature Web-WMI

 

 

############# Install SQL 2017 #############################################

#### The script below assumes all SQL files have been copied to the C:\SCCM_STAGING\SQL_2017_ENT\ folder.

 

# Set SQL Service Accounts SPN

# Run on the Site Server or domain controller

setspn -A MSSQLSvc/SRV-CM-01.JCTECH.NET:1433  SVC-SQLSC-01

setspn -A MSSQLSvc/SRV-CM-01:1433  SVC-SQLSC-01

 

# Install SQL 2017 using SQL Configuration file

# Take a Snapshot/Checkpoint of VM.

#

# C:\SCCM_STAGING\SQL_2017_ENT\Setup.exe /QS /IACCEPTSQLSERVERLICENSETERMS /SQLSVCPASSWORD="Password" /AGTSVCPASSWORD="Password" /ASSVCPASSWORD="Password" /ConfigurationFile=C:\SCCM_STAGING\SQL_2017_ENT\SQL2017ForSCCM1903.ini

C:\SCCM_STAGING\SQL_2017_ENT\Setup.exe /QS /IACCEPTSQLSERVERLICENSETERMS /SQLSVCPASSWORD="Password" /AGTSVCPASSWORD="Password" /ConfigurationFile=C:\SCCM_STAGING\SQL_2017_ENT\SQL2017ForSCCM1903.ini

 

# Install Latest Cumulative Update Package for SQL Server 2017

C:\SCCM_STAGING\SQL_2017_CU16\SQLServer2017-KB4508218-x64.exe /ACTION=INSTALL /QUIETSIMPLE /ALLINSTANCES /ENU /IACCEPTSQLSERVERLICENSETERMS /INDICATEPROGRESS

 

# Install SQL SSMS 18.3

# Note I installed SSMS without the /norestart and it did not prompt for a restart. Need to determine if a reboot is required.

C:\SCCM_STAGING\SSMS_18.3\SSMS-Setup-ENU.exe /install /passive

 

# ******* Reboot the server here ******

 

# Configure SQL Memory

# Note you must reboot the server after the SSMS 18.3 install in order for the SQLCMD command to work.

# Note it is included in the Microsoft ODBC Driver 13/17 for SQL Server

# Set MAX to 8gb. Set MIN to 4gb

sqlcmd -S SRV-CM-01 -i C:\SCCM_STAGING\SCRIPTS\SetSQLMem.sql -o C:\SCCM_STAGING\SCRIPTS\SetSQLMem.log

 

 

# Install SQL 2017 Reporting Service

 

C:\SCCM_STAGING\SQL_2017_RS\SQLServerReportingServices.exe /passive /norestart /IAcceptLicenseTerms /PID=6GPYM-VHN83-PHDM2-Q9T2R-KBV83

 

# Configure SQL 2017 Reporting Service

& C:\SCCM_STAGING\SCRIPTS\Configure-SQL2017RS.ps1

 

# Set SQL 2017 Reporting Service Account

& C:\SCCM_STAGING\SCRIPTS\SetReportServiceAcct.ps1

 

# ******* Reboot the server here ******

 

# Install Windows ADK for Windows 10_1903

# The command below will install Windows ADK version 1903 required features for SCCM.

# It will install the following features:

# •            Deployment Tools

# •            User State Migration Tool

C:\SCCM_STAGING\WADK_10_1903\adksetup.exe /quiet /installpath E:\ADK /features OptionId.UserStateMigrationTool OptionId.DeploymentTools

 

# Sleep for 60 seconds to allow ADK for Windows 10_1903 to install

Start-Sleep -Seconds 60

 

 

# Install Windows ADK PE_1903

# Reboot the server after installation.

C:\SCCM_STAGING\WADK_10_WINPE_1903\adkwinpesetup.exe /quiet /ceip off /installpath E:\ADK /Features OptionId.WindowsPreinstallationEnvironment /norestart

 

# Sleep for 60 seconds to allow WINPE ADK PE_1903 to install

Start-Sleep -Seconds 60

 

# ******* Reboot the server here ******

 

############# Install SCCM 1902 #############################################

#### The script below assumes all SCCM files have been copied to the C:\SCCM_STAGING\SCCM_CB_1902\ folder.

 

# Configure NO_SMS_ON_DRIVE.SMS Files

# Only configure on drive you DON’T want SCCM to install on. (C, F, G).

 

New-Item C:\NO_SMS_ON_DRIVE.SMS -ItemType file

New-Item F:\NO_SMS_ON_DRIVE.SMS -ItemType file

New-Item G:\NO_SMS_ON_DRIVE.SMS -ItemType file

 

 

# Copy CMTrace

 

Copy C:\SCCM_STAGING\SCCM_CB_1902\SMSSETUP\TOOLS\CMTrace.exe C:\

 

# Remote Differential Compression for Windows Server 2019.

Install-WindowsFeature RDC

 

 

# Install REPORT VIEWER 2012 RUNTIME and Microsoft System CLR Types for Microsoft SQL Server 2012

# These are needed to read WSUS Reports.

 

msiexec /passive /norestart /i C:\SCCM_STAGING\REPORT_VIEWER_2012\SQLSysCLRTypes.msi

msiexec /passive /norestart /i C:\SCCM_STAGING\REPORT_VIEWER_2012\ReportViewer.msi

 

############# Install WSUS ##########################################

## When using a WID database for WSUS

## Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

## & 'C:\Program Files\Update Services\Tools\WsusUtil.exe' postinstall content_dir=E:\WSUS

 

## When using a SQL database for WSUS

Install-WindowsFeature -Name Updateservices-Services,UpdateServices-DB -IncludeManagementTools

 

# If SQL server is installed on the default SQL instance (MSSQLSERVER) on the local server...run this:

& 'C:\Program Files\Update Services\Tools\WsusUtil.exe' postinstall SQL_INSTANCE_NAME="SRV-CM-01\" content_dir=E:\WSUS

 

# If SQL server is installed on a remote SQL server instance (MSSQLSERVER or SCCM) include the remote server name and SQL instance:

# & 'C:\Program Files\Update Services\Tools\WsusUtil.exe' postinstall SQL_INSTANCE_NAME="SRV-CM-01\" content_dir=E:\WSUS

 

# ******* Reboot the server here ******

 

# Run SCCM Precheck to confirm all prerequisites are in place

C:\SCCM_STAGING\SCCM_CB_1902\SMSSETUP\BIN\X64\Prereqchk.exe /LOCAL

 

# Install SCCM unattended

C:\SCCM_STAGING\SCCM_CB_1902\SMSSETUP\BIN\X64\Setup.exe /NOUSERINPUT /Script C:\SCCM_STAGING\SCCM_CB_1902\SCCM_CB_1902_ALLROLES.ini

 

6.2.2          Create SCCM Staging Folders for Automated Deployment

 

These folders will be used to automate the SCCM installation. The PowerShell code below can be found in the SCCM_CB_1902_PREP-11-15-2019.ps1 script.

 

  1. On the SCCM server, create the following folders on the outlined drives by running these PowerShell commands:
    1. New-Item C:\SCCM_STAGING -Type Directory
    2. New-Item C:\SCCM_STAGING\W2019\Sources\Sxs -Type Directory
    3. New-Item C:\SCCM_STAGING\SCCM_CB_1902 -Type Directory
    4. New-Item C:\SCCM_STAGING\SQL_2017_ENT -Type Directory
    5. New-Item C:\SCCM_STAGING\SQL_2017_CU16 -Type Directory
    6. New-Item C:\SCCM_STAGING\SQL_2017_RS -Type Directory
    7. New-Item C:\SCCM_STAGING\REPORT_VIEWER_2012 -Type Directory
    8. New-Item C:\SCCM_STAGING\SSMS_18.3 -Type Directory
    9. New-Item 'C:\SCCM_STAGING\Visual C++ 2013 Redistributable' -Type Directory
    10. New-Item C:\SCCM_STAGING\WADK_10_1903 -Type Directory
    11. New-Item C:\SCCM_STAGING\WADK_10_WINPE_1903 -Type Directory
  2. *** STOP STOP STOP ***
  3. *** IMPORTANT: copy the binaries to the folders above before proceeding.

*** BIG NOTE: Populate the folders above with the proper binaries before proceeding. ***

 

6.2.3          Create SCCMShare Folder

 

These folders will be used for files needed to operate SCCM. The PowerShell code below can be found in the SCCM_CB_1902_PREP-11-15-2019.ps1 script.

 

  1. Log on to the server that will be used to house the files needed to support SCCM.
  2. On the SCCM server, create the following folders on the outlined drives by running these PowerShell commands:

# Create the SCCM Share Folders

# These folders will be used for files needed to operate SCCM.

# This script creates the SCCM SHARE folder, Shares the folder and sets the NTFS and share permissions.

# Note the SVC-CM-NAA account is used for OSD.

# The SRV-CM-01$ computer account is optional and used to grant the server access to the share.

 

### Create the SCCM SHARE folder

New-Item D:\SCCMSHARE -Type Directory

Get-Acl D:\SCCMSHARE | Format-List

 

$acl = Get-Acl D:\SCCMSHARE

$acl.SetAccessRuleProtection($True, $False)

 

# Applied to This Folder, Subfolders and Files

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

$acl.AddAccessRule($rule)

 

# Applied to This Folder, Subfolders and Files

# This rule grants the SVC-CM-NAA account permissions to the SCCM folders.

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SVC-CM-NAA","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

$acl.AddAccessRule($rule)

 

# Applied to This Folder, Subfolders and Files

# Run these lines on a remote server (SRV-SC-01) that has the SCCM Share on it.

# These lines grant the SCCM site server permission to the SCCM Share on a remote server.

# These lines grant the SRV-CM-01$ computer account permissions to the SCCM folders on a remote server (SRV-SC-01).

# Remark these lines out if the SCCM Share will be on the site server.

# $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SRV-CM-01$","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

# $acl.AddAccessRule($rule)

 

# Applied to This Folder, Subfolders and Files

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("System","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

$acl.AddAccessRule($rule)

 

# Apply the permissions to the folder

Set-Acl D:\SCCMSHARE $acl

 

### Share the folder...

# Use the method below to add multiple users/groups with the same permissions to the share

# Note do not add/include the domain name when setting the variables ($FullAccessAccts, $CHGAccessAccts, etc..)

# $CHGAccessAccts = ("SALEDPT","LOCALGRP")

# $READAccessAccts = ("MARKGRP","BARKGRP")

$FullAccessAccts = ("Administrators","SVC-CM-NAA",'SRV-CM-01$')

#New-SMBShare -Name "Shared" -Path "C:\Shared" -FullAccess $FullAccessAccts -ChangeAccess $CHGAccessAccts -ReadAccess $READAccessAccts

#New-SMBShare -Name "Shared" -Path "C:\Shared" -FullAccess "Administrators"

New-SMBShare -Name "SCCMSHARE" -Path "D:\SCCMSHARE" -FullAccess $FullAccessAccts

 

# Create the SCCM Share sub Folders

# New-Item D:\SCCMSHARE –Type Directory

New-Item D:\SCCMShare\Images -Type Directory
New-Item D:\SCCMShare\OSDDrivers -Type Directory
New-Item D:\SCCMShare\SCCM_InstallFiles -Type Directory
New-Item D:\SCCMShare\SMS_PkgSource -Type Directory
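
The script above gives the Network Access Account (SVC-CM-NAA) Full Control at both the NTFS and the share level. As an added example (not part of the original script), the following reduces that account to read-only and lists any principal other than Administrators and SYSTEM that can still write to the folder. It assumes the account only needs to read content from this share during OSD; the function names are hypothetical.

```powershell
# Added example (not from the original post): least privilege for the Network Access Account.
# Assumption: SVC-CM-NAA only reads content from SCCMSHARE. Function names are hypothetical.
# Run elevated on the server that hosts the share.

function Set-NaaReadOnly {
    param(
        [string]$Path      = 'D:\SCCMSHARE',
        [string]$ShareName = 'SCCMSHARE',
        [string]$Account   = 'SVC-CM-NAA'
    )

    # NTFS: remove every explicit ACE for the account, then add a read-only one
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Account)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Share: drop the existing entry for the account and grant Read instead
    Revoke-SmbShareAccess -Name $ShareName -AccountName $Account -Force | Out-Null
    Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Read -Force | Out-Null
}

function Get-UnexpectedWriter {
    param(
        [string]$Path = 'D:\SCCMSHARE',
        # Principals that are expected to hold write access
        [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # Any of these rights lets the holder change, replace or re-permission content
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $writeBits) -ne 0 -and
        $_.IdentityReference.Value -notin $AllowedWriters
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Set-NaaReadOnly
Get-UnexpectedWriter                  # principals that still hold write access on the folder
Get-SmbShareAccess -Name SCCMSHARE    # share-level entries after the change
```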

 

6.2.4          Set Windows Firewall ports for SQL

 

The default instance of SQL Server listens on port 1433. Port 1434 is used by the SQL Browser service, which allows connections to named instances of SQL Server that use dynamic ports without having to know what port each named instance is using, especially since this can change between restarts of the named instance.

 

Note the ports below open the firewall for SQL and SQL Reporting Services.

 

To Open the ports using PowerShell:

  1. Log on to the site server (SRV-CM-01).
  2. Open an administrative PowerShell prompt.
  3. Set Inbound Rules:
    1. New-NetFirewallRule -DisplayName "SQL TCP Ports" -Direction Inbound -Protocol TCP -Profile Domain -LocalPort 80,443,2382,2383,1433,1434,4022 -Action allow
    2. New-NetFirewallRule -DisplayName "SQL UDP Ports" -Direction Inbound -Protocol UDP -Profile Domain -LocalPort 1434,4022 -Action allow
  4. Confirm the ports have been opened in the firewall console.
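
The two rules open more ports than this build may use: the SQL configuration file later in this post installs only the Database Engine (FEATURES=SQLENGINE,CONN) and sets BROWSERSVCSTARTUPTYPE="Disabled". As an added example (not part of the original post), this check lists which ports allowed by the two rules actually have a listener on the server; the function name is hypothetical, and the rule display names are the ones created above.

```powershell
# Added example (not from the original post): compare allowed ports with actual listeners.
# The function name is hypothetical. Run elevated on the site server after the full install.

function Get-FirewallPortUsage {
    param(
        [string[]]$RuleDisplayName = @('SQL TCP Ports', 'SQL UDP Ports')
    )

    # Ports that currently have a listener, per protocol
    $listening = @{
        TCP = @(Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique)
        UDP = @(Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort -Unique)
    }

    foreach ($rule in Get-NetFirewallRule -DisplayName $RuleDisplayName) {
        $filter = $rule | Get-NetFirewallPortFilter
        foreach ($port in $filter.LocalPort) {
            # Skip "Any" and port ranges; the rules above list single ports only
            if ($port -notmatch '^\d+$') { continue }
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Protocol  = $filter.Protocol
                Port      = [int]$port
                Listening = $listening[$filter.Protocol] -contains [int]$port
            }
        }
    }
}

Get-FirewallPortUsage | Sort-Object Protocol, Port | Format-Table -AutoSize
```

Ports that show no listener once every role is installed, such as the Analysis Services ports 2382 and 2383 when Analysis Services is not installed, are candidates for removal from the rule.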

 

6.2.5          Create SQL Configuration file

 

These steps are for SQL Server versions 2017 and later.

 

SQL Server Setup provides the ability to generate a configuration file based upon the system default and run-time inputs. You can use the configuration file to deploy SQL Server throughout the enterprise with the same configuration. You can also standardize manual installations throughout the enterprise, by creating a batch file that launches Setup.exe.

 

Set the following in the SQL Config INI File:

·         SQL Service = CONTOSO\SVC-SQLSC-01

·         SQL Agent = CONTOSO\SVC-SQLSC-01

·         Do not install Analysis Service, it is not needed for SCCM.

 

Use the selections in the article below as a reference when selecting options for the SQL INI file.

Reference:

·         Step 9 – Install SQL Server 2017

o   https://www.prajwaldesai.com/sccm-1902-install-guide-using-baseline-media/#Step_9_Install_SQL_Server_2017

·         Supported SQL Server versions for Configuration Manager

o   https://docs.microsoft.com/en-us/configmgr/core/plan-design/configs/support-for-sql-server-versions

·         Install SQL Server using a configuration file

o   https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server-using-a-configuration-file?view=sql-server-2017


How to generate a configuration file

  1. Insert the SQL Server installation media. From the root folder, double-click Setup.exe.
    1. Note: to install from a network share, locate the root folder on the share, and then double-click Setup.exe.
    2. Note: SQL Server Express Edition setup does not create a configuration file automatically. The following command will start setup and create a configuration file:
    3. SETUP.exe /UIMODE=Normal /ACTION=INSTALL
  2. Follow the wizard through to the Ready to Install page.
    1. The path to the configuration file is specified on the Ready to Install page, in the configuration file path section.
  3. Cancel the setup without actually completing the installation, to generate the INI file.
    1. The setup infrastructure writes out all the appropriate parameters for the actions that were run, with the exception of sensitive information such as passwords.
    2. The /IAcceptSQLServerLicenseTerms parameter is also not written out to the configuration file and requires either a modification of the configuration file or a value to be supplied at the command prompt.
    3. For more information, see Install SQL Server from the Command Prompt. In addition, a value is included for Boolean parameters where a value is usually not supplied through the command prompt.
  4. SQL Progress NOTE - Edit the new SQL configuration file with Notepad. Comment out the UIMODE = "NORMAL" line.
    1. Note: with UIMODE = NORMAL, the SQL install stops on each setup page. It is not automated.
    2. Note: we will use the /QS switch on the SQL Setup.exe command line so we can see the progress.
  5. Copy the SQL Configuration file to the C:\SCCM_STAGING\SQL_2017_ENT\<SQL2017ForSCCM1903.ini> folder.

 

SQL2017ForSCCM1903.ini

 

;SQL Server 2017 Configuration File

[OPTIONS]

; By specifying this parameter and accepting Microsoft R Open and Microsoft R Server terms, you acknowledge that you have read and understood the terms of use.

IACCEPTPYTHONLICENSETERMS="False"

; Specifies a Setup work flow, like INSTALL, UNINSTALL, or UPGRADE. This is a required parameter.

ACTION="Install"

; Specifies that SQL Server Setup should not display the privacy statement when ran from the command line.

SUPPRESSPRIVACYSTATEMENTNOTICE="False"

; By specifying this parameter and accepting Microsoft R Open and Microsoft R Server terms, you acknowledge that you have read and understood the terms of use.

IACCEPTROPENLICENSETERMS="False"

; Use the /ENU parameter to install the English version of SQL Server on your localized Windows operating system.

ENU="True"

; Setup will not display any user interface.

QUIET="False"

; Setup will display progress only, without any user interaction.

QUIETSIMPLE="False"

; Parameter that controls the user interface behavior. Valid values are Normal for the full UI,AutoAdvance for a simplied UI, and EnableUIOnServerCore for bypassing Server Core setup GUI block.

; UIMODE="Normal"

; Specify whether SQL Server Setup should discover and include product updates. The valid values are True and False or 1 and 0. By default SQL Server Setup will include updates that are found.

UpdateEnabled="False"

; If this parameter is provided, then this computer will use Microsoft Update to check for updates.

USEMICROSOFTUPDATE="False"

; Specify the location where SQL Server Setup will obtain product updates. The valid values are "MU" to search Microsoft Update, a valid folder path, a relative path such as .\MyUpdates or a UNC share. By default SQL Server Setup will search Microsoft Update or a Windows Update service through the Window Server Update Services.

 

UpdateSource="MU"

; Specifies features to install, uninstall, or upgrade. The list of top-level features include SQL, AS, IS, MDS, and Tools. The SQL feature will install the Database Engine, Replication, Full-Text, and Data Quality Services (DQS) server. The Tools feature will install shared components.

FEATURES=SQLENGINE,CONN

; Displays the command line parameters usage

HELP="False"

; Specifies that the detailed Setup log should be piped to the console.

INDICATEPROGRESS="False"

; Specifies that Setup should install into WOW64. This command line argument is not supported on an IA64 or a 32-bit system.

X86="False"

; Specify a default or named instance. MSSQLSERVER is the default instance for non-Express editions and SQLExpress for Express editions. This parameter is required when installing the SQL Server Database Engine (SQL), or Analysis Services (AS).

INSTANCENAME="MSSQLSERVER"

; Specify the root installation directory for shared components.  This directory remains unchanged after shared components are already installed.

INSTALLSHAREDDIR="F:\MSSQL"

; Specify the root installation directory for the WOW64 shared components.  This directory remains unchanged after WOW64 shared components are already installed.

INSTALLSHAREDWOWDIR="F:\MSSQL\x86"

; Specify the Instance ID for the SQL Server features you have specified. SQL Server directory structure, registry structure, and service names will incorporate the instance ID of the SQL Server instance.

INSTANCEID="MSSQLSERVER"

; TelemetryUserNameConfigDescription

SQLTELSVCACCT="NT Service\SQLTELEMETRY"

; TelemetryStartupConfigDescription

SQLTELSVCSTARTUPTYPE="Automatic"

; Specify the installation directory.

INSTANCEDIR="F:\MSSQL"

; Agent account name

AGTSVCACCOUNT="CONTOSO\svc-sqlsc-01"

; Auto-start service after installation. 

AGTSVCSTARTUPTYPE="Automatic"

; CM brick TCP communication port

COMMFABRICPORT="0"

; How matrix will use private networks

COMMFABRICNETWORKLEVEL="0"

; How inter brick communication will be protected

COMMFABRICENCRYPTION="0"

; TCP port used by the CM brick

MATRIXCMBRICKCOMMPORT="0"

; Startup type for the SQL Server service.

SQLSVCSTARTUPTYPE="Automatic"

; Level to enable FILESTREAM feature at (0, 1, 2 or 3).

FILESTREAMLEVEL="0"

; Set to "1" to enable RANU for SQL Server Express.

ENABLERANU="False"

; Specifies a Windows collation or an SQL collation to use for the Database Engine.

SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"

; Account for SQL Server service: Domain\User or system account.

SQLSVCACCOUNT="CONTOSO\svc-sqlsc-01"

; Set to "True" to enable instant file initialization for SQL Server service. If enabled, Setup will grant Perform Volume Maintenance Task privilege to the Database Engine Service SID. This may lead to information disclosure as it could allow deleted content to be accessed by an unauthorized principal.

SQLSVCINSTANTFILEINIT="False"

; Windows account(s) to provision as SQL Server system administrators.

SQLSYSADMINACCOUNTS="CONTOSO\administrator" "BUILTIN\Administrators" "CONTOSO\svc-sqlsc-01" "CONTOSO\ADM-SQL-ADMINS"

; The number of Database Engine TempDB files.

SQLTEMPDBFILECOUNT="2"

; Specifies the initial size of a Database Engine TempDB data file in MB.

 

SQLTEMPDBFILESIZE="8"

; Specifies the automatic growth increment of each Database Engine TempDB data file in MB.

SQLTEMPDBFILEGROWTH="64"

; Specifies the initial size of the Database Engine TempDB log file in MB.

SQLTEMPDBLOGFILESIZE="8"

; Specifies the automatic growth increment of the Database Engine TempDB log file in MB.

SQLTEMPDBLOGFILEGROWTH="64"

; Default directory for the Database Engine backup files.

SQLBACKUPDIR="G:\MSSQLBackup"

; Default directory for the Database Engine user databases.

SQLUSERDBDIR="F:\MSSQL\UserDB"

; Default directory for the Database Engine user database logs.

SQLUSERDBLOGDIR="G:\MSSQL\UserDBLOG"

; Directories for Database Engine TempDB files.

SQLTEMPDBDIR="F:\MSSQL\TempDB"

; Directory for the Database Engine TempDB log files.

SQLTEMPDBLOGDIR="G:\MSSQL\TempDBLogs"

; Provision current user as a Database Engine system administrator for %SQL_PRODUCT_SHORT_NAME% Express.

ADDCURRENTUSERASSQLADMIN="False"

; Specify 0 to disable or 1 to enable the TCP/IP protocol.

TCPENABLED="1"

; Specify 0 to disable or 1 to enable the Named Pipes protocol.

NPENABLED="0"

; Startup type for Browser Service.

BROWSERSVCSTARTUPTYPE="Disabled"
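
The install script passes the service-account passwords to Setup.exe as literal strings, while the configuration file above names the accounts in SQLSVCACCOUNT and AGTSVCACCOUNT. As an added example (not part of the original scripts), this wrapper reads the account names from the INI, prompts for each password once and runs Setup.exe, so no password is saved in a script file. The function name is hypothetical, and the password is still visible on the Setup.exe command line while setup runs.

```powershell
# Added example (not from the original post). The function name is hypothetical.
function Invoke-SqlSetupWithPrompt {
    param(
        [string]$SetupExe = 'C:\SCCM_STAGING\SQL_2017_ENT\Setup.exe',
        [string]$IniPath  = 'C:\SCCM_STAGING\SQL_2017_ENT\SQL2017ForSCCM1903.ini'
    )

    # Map each service-account key in the INI to the matching password switch
    $switchFor = @{ SQLSVCACCOUNT = '/SQLSVCPASSWORD'; AGTSVCACCOUNT = '/AGTSVCPASSWORD' }
    $accounts  = @{}
    foreach ($line in Get-Content -Path $IniPath) {
        if ($line -match '^\s*(SQLSVCACCOUNT|AGTSVCACCOUNT)\s*=\s*"([^"]+)"') {
            $accounts[$Matches[1].ToUpper()] = $Matches[2]
        }
    }
    if ($accounts.Count -ne $switchFor.Count) {
        throw "Expected SQLSVCACCOUNT and AGTSVCACCOUNT in $IniPath"
    }

    # Prompt once per distinct account (the post uses one account for both services)
    $secrets = @{}
    foreach ($name in ($accounts.Values | Sort-Object -Unique)) {
        $secrets[$name] = Read-Host -Prompt "Password for $name" -AsSecureString
    }

    $setupArgs = @('/QS', '/IACCEPTSQLSERVERLICENSETERMS', "/ConfigurationFile=$IniPath")
    foreach ($key in $accounts.Keys) {
        # Decrypt only at the moment the argument is built
        $plain = [System.Net.NetworkCredential]::new('', $secrets[$accounts[$key]]).Password
        if ($plain -match '"') {
            throw "Password for $($accounts[$key]) contains a double quote and cannot be passed safely."
        }
        $setupArgs += "$($switchFor[$key])=`"$plain`""
    }

    $proc = Start-Process -FilePath $SetupExe -ArgumentList $setupArgs -Wait -PassThru
    Remove-Variable plain, setupArgs

    # 0 = success, 3010 = success with a reboot required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "SQL Server setup failed with exit code $($proc.ExitCode)"
    }
    $proc.ExitCode
}

Invoke-SqlSetupWithPrompt
```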

 

 

 

6.2.6          Create the SQL 2017 Reporting Service PS Scripts

 

After installing SSRS 2017, it will be completely unconfigured. Configuration can be done using the Reporting Service Configuration Manager GUI. In the steps below we will use a PowerShell script to automate the configuration of the reporting service.

 

Downloaded from Github:

https://gist.github.com/SvenAelterman/f2fd058bf3a8aa6f37ac69e5d5dd2511

 

The Configure-Sql2017RS.ps1 PowerShell Script

 

The Configure-Sql2017RS.ps1 script itself has comments that will hopefully allow you to follow the flow, but here is a quick overview of the different steps:

  1. Get a WMI object with the configuration settings for the SSRS 2017 instance.
  2. Get a SQL script to create the ReportServer and ReportServerTempDB databases.
  3. Establish a connection to the default SQL Server instance on the same machine.
  4. Execute the SQL script.
  5. Get and execute a second SQL script, this time to set the permissions for the SSRS 2017 service account.
  6. Set the SSRS database connection to this newly created database.
  7. Configure the virtual directory name and URL of the web service.
  8. Configure the virtual directory name and URL of the report manager web app.
  9. Initialize the report server with encryption for sensitive data.
  10. Restart the service.
  11. Output the new configuration.

Details:

1.       Create a PowerShell script named Configure-Sql2017RS.ps1 using the code below.

2.       After creating the script, copy the script to the following folder on the SQL Reporting Service server:

a.       C:\SCCM_STAGING\SCRIPTS\Configure-Sql2017RS.ps1

3.       Note this script will be called from the SCCM_CB_1902_INSTALL-11-15-2019.ps1 script below.

4.       Finish.

 

=========== POWERSHELL SCRIPTS ==================

 

Configure-Sql2017RS.ps1

 

<#

#>

function Get-ConfigSet()

{

                return Get-WmiObject -Namespace "root\Microsoft\SqlServer\ReportServer\RS_SSRS\v14\Admin" `
                                -Class MSReportServer_ConfigurationSetting -ComputerName localhost

}

 

# Allow importing of sqlps module (no -Scope is given, so this sets the LocalMachine execution policy)

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

 

# Retrieve the current configuration

$configset = Get-ConfigSet

 

$configset

 

If (! $configset.IsInitialized)

{

                # Get the ReportServer and ReportServerTempDB creation script

                [string]$dbscript = $configset.GenerateDatabaseCreationScript("ReportServer", 1033, $false).Script

 

                # Import the SQL Server PowerShell module

                Import-Module sqlps -DisableNameChecking | Out-Null

 

                # Establish a connection to the database server (localhost)

                $conn = New-Object Microsoft.SqlServer.Management.Common.ServerConnection -ArgumentList $env:ComputerName

                $conn.ApplicationName = "SSRS Configuration Script"

                $conn.StatementTimeout = 0

                $conn.Connect()

                $smo = New-Object Microsoft.SqlServer.Management.Smo.Server -ArgumentList $conn

 

                # Create the ReportServer and ReportServerTempDB databases

                $db = $smo.Databases["master"]

                $db.ExecuteNonQuery($dbscript)

 

                # Set permissions for the databases

                $dbscript = $configset.GenerateDatabaseRightsScript($configset.WindowsServiceIdentityConfigured, "ReportServer", $false, $true).Script

                $db.ExecuteNonQuery($dbscript)

 

                # Set the database connection info (credentials type 2 = Windows service account)

                $configset.SetDatabaseConnection("(local)", "ReportServer", 2, "", "")

 

                $configset.SetVirtualDirectory("ReportServerWebService", "ReportServer", 1033)

                $configset.ReserveURL("ReportServerWebService", "http://+:80", 1033)

 

                # For SSRS 2016-2017 only, older versions have a different name

                $configset.SetVirtualDirectory("ReportServerWebApp", "Reports", 1033)

                $configset.ReserveURL("ReportServerWebApp", "http://+:80", 1033)

 

                $configset.InitializeReportServer($configset.InstallationID)

 

                # Re-start services?

                $configset.SetServiceState($false, $false, $false)

                Restart-Service $configset.ServiceName

                $configset.SetServiceState($true, $true, $true)

 

                # Update the current configuration

                $configset = Get-ConfigSet

 

                # Output to screen

                $configset.IsReportManagerEnabled

                $configset.IsInitialized

                $configset.IsWebServiceEnabled

                $configset.IsWindowsServiceEnabled

                $configset.ListReportServersInDatabase()

                $configset.ListReservedUrls();

 

                $inst = Get-WmiObject -Namespace "root\Microsoft\SqlServer\ReportServer\RS_SSRS\v14" `
                                -Class MSReportServer_Instance -ComputerName localhost

 

                $inst.GetReportServerUrls()

}

 

6.2.7          Create the Set Service Acct PS Scripts

 

Create the SetReportServiceAcct.ps1 PowerShell Script

 

This script will be used to:

·         Set the Reporting Service service account to a specific domain account.

 

Downloaded from Stack Overflow:

https://stackoverflow.com/questions/34769856/change-ms-sql-reporting-service-account-to-built-in-network-service

 

Note run this after you have configured the Reporting Service above.

 

1.       Login to the SQL reporting service server.

2.       Create a PowerShell script named SetReportServiceAcct.ps1 using the code below.

3.       Edit the script and set the following variables for your environment:

a.       $serviceAccount = <"CONTOSO\svc-cm-rsp">

b.       $servicePW = <"PASSWORD99">

4.       After creating the script, copy it to the following folder on the SQL Reporting Service server:

a.       C:\SCCM_STAGING\SCRIPTS\SetReportServiceAcct.ps1

5.       Note this script will be called from the SCCM_CB_1902_INSTALL-11-15-2019.ps1 script below.

6.       Finish.

 

=========== POWERSHELL SCRIPTS ==================

 

SetReportServiceAcct.ps1

 

$ns = "root\Microsoft\SqlServer\ReportServer\RS_SSRS\v14\Admin"

$RSObject = Get-WmiObject -class "MSReportServer_ConfigurationSetting" -namespace "$ns"

# Set service account

$serviceAccount = "CONTOSO\svc-cm-rsp"

$servicePW = "PASSWORD99"

 

$useBuiltInServiceAccount = $false

$RSObject.SetWindowsServiceIdentity($useBuiltInServiceAccount, $serviceAccount, $servicePW) | out-null

 

# Need to reset the URLs for domain service account to work

$HTTPport = 80

$RSObject.RemoveURL("ReportServerWebService", "http://+:$HTTPport", 1033) | out-null

$RSObject.RemoveURL("ReportServerWebApp", "http://+:$HTTPport", 1033) | out-null

$RSObject.SetVirtualDirectory("ReportServerWebService", "ReportServer", 1033) | out-null

$RSObject.SetVirtualDirectory("ReportServerWebApp", "Reports", 1033) | out-null

$RSObject.ReserveURL("ReportServerWebService", "http://+:$HTTPport", 1033) | out-null

$RSObject.ReserveURL("ReportServerWebApp", "http://+:$HTTPport", 1033) | out-null

 

# Restart SSRS service for changes to take effect

$serviceName = $RSObject.ServiceName

Restart-Service -Name $serviceName -Force
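
The script above keeps the service account password in clear text in a file under C:\SCCM_STAGING\SCRIPTS and discards every method result with out-null, so a failed call goes unnoticed. The variant below prompts for the credential at run time and stops on the first failed WMI call. It is an added example, not part of the original script; the helper name Assert-RsResult is hypothetical, while the namespace, class, methods and account name are the ones used above.

```powershell
#Requires -RunAsAdministrator
# Added example: SetReportServiceAcct.ps1 without a stored password.
# Assert-RsResult is a hypothetical helper; namespace, class and methods are those used above.
$ErrorActionPreference = 'Stop'

$ns       = 'root\Microsoft\SqlServer\ReportServer\RS_SSRS\v14\Admin'
$RSObject = Get-WmiObject -Class 'MSReportServer_ConfigurationSetting' -Namespace $ns

function Assert-RsResult {
    param(
        [Parameter(Mandatory)] $Result,
        [Parameter(Mandatory)] [string] $Step
    )
    # Every configuration method returns an HRESULT; anything but 0 is a failure.
    if ($Result.HRESULT -ne 0) {
        throw ('{0} failed with HRESULT 0x{1:X8}' -f $Step, $Result.HRESULT)
    }
}

# Prompt at run time; the password is never written to C:\SCCM_STAGING\SCRIPTS.
$cred = Get-Credential -UserName 'CONTOSO\svc-cm-rsp' -Message 'SSRS service account'
if (-not $cred) { throw 'No credential supplied.' }
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Expected DOMAIN\user, got '$($cred.UserName)'."
}

# The WMI method only accepts a plain-text password, so it is unwrapped for this one call.
$r = $RSObject.SetWindowsServiceIdentity($false, $cred.UserName, $cred.GetNetworkCredential().Password)
Assert-RsResult -Result $r -Step 'SetWindowsServiceIdentity'

# Re-create the URL reservations for the new account (same order as the original script).
$HTTPport = 80
$url  = "http://+:$HTTPport"
$apps = [ordered]@{ ReportServerWebService = 'ReportServer'; ReportServerWebApp = 'Reports' }

foreach ($app in $apps.Keys) {
    # A failed removal is only reported, so a reservation that is already gone does not stop the run.
    $r = $RSObject.RemoveURL($app, $url, 1033)
    if ($r.HRESULT -ne 0) { Write-Warning ("RemoveURL $app returned 0x{0:X8}" -f $r.HRESULT) }
}
foreach ($app in $apps.Keys) {
    Assert-RsResult -Result ($RSObject.SetVirtualDirectory($app, $apps[$app], 1033)) -Step "SetVirtualDirectory $app"
}
foreach ($app in $apps.Keys) {
    Assert-RsResult -Result ($RSObject.ReserveURL($app, $url, 1033)) -Step "ReserveURL $app"
}

# Restart SSRS service for changes to take effect
Restart-Service -Name $RSObject.ServiceName -Force

# Re-read the settings and compare the running identity with the one that was requested.
$RSObject = Get-WmiObject -Class 'MSReportServer_ConfigurationSetting' -Namespace $ns
if ($RSObject.WindowsServiceIdentityActual -ne $cred.UserName) {
    Write-Warning "Service identity is '$($RSObject.WindowsServiceIdentityActual)', expected '$($cred.UserName)'."
}
```

Because this variant prompts, it has to be run interactively rather than from an unattended call.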

 

6.2.8          Create Report Server Encryption Key

 

  1. Click on Encryption Keys, then click on Restore.
    1. File Location: D:\SRSReportKeys
    2. File name: SRSReportkey2017.snk
    3. Password: xxxxxx

6.2.9          Download the Windows ADK 10 Files for Offline Use

Note if you’re installing the ADK files to a system that does not have Internet access, you’ll need to download the files to a system that has Internet access first.

 

Note the step below will make the ADK files available for an offline PC so it does not download 1-3 GB every time.

 

Download the ADK v1903 from the following link:

https://go.microsoft.com/fwlink/?linkid=2086042

 

What's new in ADK tools for Windows 10, version 1903

https://docs.microsoft.com/en-us/windows-hardware/get-started/what-s-new-in-kits-and-tools

 

Make the ADK files available for an offline PC so it does not download 1-3 GB every time:

  1. On an Internet connected PC, download the executable for Windows Assessment and Deployment Kit (ADK for Windows 10_v1903) from:
    1. https://go.microsoft.com/fwlink/?linkid=2086042
  2. Open an administrative command prompt and type:
    1. adksetup /quiet /layout D:\WADK_10_1903_Offline
    2. Note this downloads the required files and can take a while depending on the internet connection, as it is a 1.1GB download.
    3. Note the above command downloads it to:
      1. D:\WADK_10_1903_Offline
  3. After downloading the files, copy the downloaded Windows Kit files to the following folder on the SCCM server:
    1. C:\SCCM_STAGING\WADK_10_1903
  4. Finish.

6.2.10       Download Windows PE_1903 as Separate Add-on

Note the Windows PE feature is not included in Windows ADK 1903. You must download and install it as a separate add-on.

 

Download the Windows PE add-on for the ADK

https://go.microsoft.com/fwlink/?linkid=2087112

 

DOWNLOAD:

  1. On the SCCM Primary site server, run the following file (Run as Administrator):
    1. adkwinpesetup.exe /quiet /layout D:\WADK_10_WINPE_1903_Offline
    2. Note this downloads the required files and can take a while depending on the internet connection, as it is a 3.1GB download.
    3. Note the above command downloads it to:
      1. D:\WADK_10_WINPE_1903_Offline
  2. After downloading the files, copy the downloaded Windows PE files to the following folder on the SCCM server:
    1. C:\SCCM_STAGING\WADK_10_WINPE_1903
  3. Finish.

 

6.2.11       Download SCCM CB v1902 Prerequisite Files

In order to install SCCM on a network not connected to the Internet you first need to download the SCCM Updated Prerequisite Files. The files can only be downloaded from a machine connected to the Internet.

Ensure that the directory used to store prerequisite update files does not contain previously downloaded files. Previous prereq downloads cannot be used for current site installations.

To download the files:

1.       On a machine that has a connection to the internet, insert the SCCM CB v1902 source media.

2.       Run the following command:

a.       “<sccm source media>\SMSSETUP\BIN\x64\setupdl.exe <path to be stored>”

                                                              i.      Note: for <path to be stored> you could use a network share if that is an option; otherwise use USB storage media.

b.       Example:

                                                              i.       X:\SMSSETUP\BIN\x64\setupdl.exe D:\SCCM_CB_1902_PREQCOMP

3.       Note if you receive an error saying the prerequisites can’t be downloaded, check the IE settings as follows:

a.       Go into Internet Explorer-Tools-Connections-LAN Settings.

b.       Check the "Automatically Detect Settings".

c.       Try the download again.

4.       After downloading the files, copy the downloaded files to the following folder on the SCCM SITE server:

    1. C:\SCCM_STAGING\SCCM_CB_1902_PREQCOMP

5.       Finish.

 

6.2.12       Create the SCCM Setup.ini File for The Unattended Install

 

The installation script is automatically created when you run Setup to install a site using the user interface. When you confirm the settings on the Summary page of the wizard, the following happens:

  • Setup creates the script %TEMP%\ConfigMgrAutoSave.ini. You can rename this file before you use it, but it must retain the .ini file extension.
  • The unattended installation script contains the settings that you selected in the wizard.
  • After the script is created, you can modify the script to install other sites in your hierarchy.
  • You can then use this script to perform an unattended setup of Configuration Manager.

 

This script file provides the same information that the Setup Wizard prompts for, except that there are no default settings. You must specify all values for the Setup keys that apply to the type of installation that you are using.

 

Note we will not install SCCM. We are only walking through these steps to capture the settings to the .INI file. We will not click Begin Install on the last screen.

 

Note after creating the SCCM unattend file (setup.ini) below, you can further customize it using the following link:

·         Use the following information to configure scripts or to install Configuration Manager from a command line.

·         Command-line options for Configuration Manager setup

o   https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/command-line-options-for-setup

o   https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/use-a-command-line-to-install-sites

 

Create Setup.ini File:

  1. Log on to the site server (SRV-CM-01) with the ConfigMgr install account (SVC-CM-Install). The account must have local administrator permissions on the system and Full Control within the SCCM database upon installation of SCCM.
  2. Launch the ConfigMgr CB 1902 installation program.
    1. Note the install files are located at C:\SCCM_STAGING\SCCM_CB_1902
  3. Launch the splash.hta file.
    1. Note if presented with an Internet Explorer Script Error, click Yes.
  4. Click Install on the Configuration Manager Setup splash screen.
  5. On the Before You Begin screen, make sure you have done the listed steps and click Next.
  6. On the Getting Started - Available Setup Options screen select:
    1. Install a Configuration Manager primary site
  7. Click Next.
  8. On the Product Key screen, enter the product key, then select:
    1. Note I did not select a Software Assurance Date.
  9. Click Next.
  10. On the Product License Terms screen, check the I accept the terms boxes and click Next.
  11. On the Prerequisite Downloads screen, click Use previously downloaded files, then click Browse and select:
    1. C:\SCCM_STAGING\SCCM_CB_1902_PRECOMP
  12. On the Server Language Selection screen click Next.
    1. Note English is installed/selected by default.
    2. Note you can modify the server languages if you run setup again and select the Site Maintenance option.
  13. On the Client Language Selection screen click Next.
    1. Note English is installed/selected by default.
    2. Note you can modify the client languages if you run setup again and select the Site Maintenance option.
  14. On the Site and Installation Settings screen:
    1. In the Site Code box, type:
      1. <VP1>
    2. In the Site Name box, type:
      1. SCCM CB <VP1> Site
    3. In the Installation Folder box, type:
      1. D:\SCCM
    4. Select the Install the Configuration Manager console box.
  15. Click Next.
  16. On the Primary Site Installation page, select:
    1. Install the primary site as a standalone.
    2. Note on the pop-up dialog box that says ….expand this site into a hierarchy at a later time by installing central administration…click Yes.
  17. Click Next.
  18. On the Database Information screen, enter the following:
    1. SQL Server Name (FQDN): SRV-CM-01.JCTECH.LOCAL
      1. Note if SQL is on a remote system:
        1. SQLSC-01.contoso.local
    2. Instance Name:
      1. If SQL is local:
        1. Leave blank for default local SQL Instance
      2. If SQL is remote:
        1. Instance Name: SCCM
    3. Database name: CM_VP1
    4. Service Broker Port: 4022
      1. Note specify the information for the site database server and the SQL Server Service Broker (SSB) port used by the SQL Server
  19. Click Next.
  20. On the next Database Information screen, enter:
    1. Path to the SQL Server data file:
      1. F:\MSSQL\UserDB\
      2. Note these paths are on the remote SQL server.
    2. Path to the SQL Server log file:
      1. G:\MSSQL\UserDBLogs
      2. Note these paths are on the remote SQL server.
  21. Click Next.
  22. On the SMS Provider Settings page, type:
    1. SMS Provider (FQDN): SRV-CM-01.JCTECH.LOCAL
  23. Click Next.
  24. On the Client Computer Communication Settings page, select:
    1. Configure the communication method on each site system role.
    2. Note do not select Clients will use HTTPS when they have a valid PKI….
  25. Click Next.
  26. On the Site System Roles page:
    1. For all roles on one SCCM server:
      1. Select the Install a management point
      2. Select the Install a distribution point
  27. On the Diagnostic and Usage Data page, click Next.
  28. On the Service Connection Point Setup page, click:
    1. Yes, let’s get connected (Recommended)
    2. Select a server to use as the service connection point (Requires Internet Access)
    3. Note selecting this option works on a disconnected network install of SCCM CB 1902. After the installation is complete you can change the SCP Mode to Offline, on-demand connection.
    4. Setting this option prevents the SCP error message when opening the SCCM console on a disconnected network.
  29. Click Next.
  30. On the Settings Summary screen, review the summary of the settings and click Next.
  31. On the Prerequisite Check screen, ensure that all tests have passed:
    1. WSUS on site Server … Warning
      1. This can be ignored for now if you’re planning to install WSUS on this server later.
    2. Verify site server permissions to publish to Active Directory…Warning
      1. Note the ConfigMgr prerequisite checker displays a warning for Verify site server permissions to publish to Active Directory. The warning can be ignored. This is a warning, not an error; I’ve seen it on most of my SCCM installations. The setup application has no way to know if the site server can or cannot write to AD, so it throws the warning so that you, the admin, go and check to be sure. Confirm that the permissions are set properly using an AD group or the site server computer account (it doesn’t matter which you use) and AD publishing works fine.
      2. I’ve noticed that you cannot avoid this message regardless of whether you use the site server computer account or an AD group.
    3. SQL Server process memory allocation…Warning
      1. Note this warning is because the minimum amount of memory set on the SQL server is less than 8gb. To clear this error set the minimum memory setting in SQL to a minimum of 8gb. If you have less than 8gb you can ignore this warning.
  32. DO NOT click Begin Install.
  33. Collect the SCCM Installation Setup.ini file:
    1. Navigate to %TEMP% or C:\Users\<LOGINUSER>\AppData\Local\Temp\
      1. Note the installation script is automatically created when you run Setup to install a site using the user interface. When you confirm the settings on the Summary page of the wizard, the following happens:
        1. Setup creates the script %TEMP%\ConfigMgrAutoSave.ini. You can rename this file before you use it, but it must retain the .ini file extension.
  34. Copy the ConfigMgrAutoSave.ini file to:
    1. C:\SCCM_STAGING\SCCM_CB_1902\SCCM_CB_1902_ALLROLES.ini
  35. Cancel the SCCM Install.
  36. Follow steps in the next section to launch SCCM installation.

SCCM_CB_1902_ALLROLES.ini

 

[Identification]

Action=InstallPrimarySite

 

 

[Options]

ProductID=xxxx-xxxx-xxx-xxx-xxx

SiteCode=VP1

SiteName=VP1 Site

SMSInstallDir=D:\SCCM

SDKServer=SRV-CM-01.CONTOSO.LOCAL

RoleCommunicationProtocol=HTTPorHTTPS

ClientsUsePKICertificate=0

PrerequisiteComp=1

PrerequisitePath=C:\SCCM_STAGING\SCCM_CB_1902_PRECOMP

MobileDeviceLanguage=0

ManagementPoint=SRV-CM-01.CONTOSO.LOCAL

ManagementPointProtocol=HTTP

DistributionPoint=SRV-CM-01.CONTOSO.LOCAL

DistributionPointProtocol=HTTP

DistributionPointInstallIIS=0

AdminConsole=1

JoinCEIP=0

 

[SQLConfigOptions]

SQLServerName=SRV-CM-01.CONTOSO.LOCAL

SQLServerPort=1433

DatabaseName=CM_VP1

SQLSSBPort=4022

SQLDataFilePath=F:\MSSQL\UserDB\

SQLLogFilePath=G:\MSSQL\UserDBLOG\

 

[CloudConnectorOptions]

CloudConnector=0

CloudConnectorServer=SRV-CM-01.CONTOSO.LOCAL

UseProxy=0

ProxyName=

ProxyPort=

 

[SystemCenterOptions]

SysCenterId=QQ08RZLD2hnzmBTdavcwZl4Yjpv6vJZOrNN4rOfEpLg=

 

[SABranchOptions]

SAActive=1

CurrentBranch=1

 

[HierarchyExpansionOption]
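
Before this file is passed to Setup.exe /Script, it can be checked on the site server: that the keys shown above all carry a value, that PrerequisitePath points at the folder the prerequisite files were actually copied to (this page uses both SCCM_CB_1902_PREQCOMP and SCCM_CB_1902_PRECOMP), and which roles are set to plain HTTP. The pre-flight check below is an added example, not part of the original post; the function names Read-SetupIni and Test-SetupIni are hypothetical, and the list of expected keys is taken from the file above, not from a complete list of Setup keys.

```powershell
# Added example: pre-flight check of the unattended Setup.ini created in this section.
# Read-SetupIni and Test-SetupIni are hypothetical names; keys and paths are those shown above.

function Read-SetupIni {
    param([Parameter(Mandatory)] [string] $Path)
    $ini     = [ordered]@{}
    $section = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $ini[$section] = [ordered]@{}
            continue
        }
        if ($line -match '^([^=]+)=(.*)$') {
            if ($null -eq $section) { throw "Key outside of a section: $line" }
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-SetupIni {
    param([Parameter(Mandatory)] [string] $Path)
    $ini      = Read-SetupIni -Path $Path
    $findings = New-Object System.Collections.Generic.List[string]

    # Keys that the file on this page fills in; an empty one means the wizard capture is incomplete.
    $expected = @{
        Identification   = @('Action')
        Options          = @('ProductID', 'SiteCode', 'SiteName', 'SMSInstallDir', 'SDKServer',
                             'PrerequisiteComp', 'PrerequisitePath', 'ManagementPoint', 'DistributionPoint')
        SQLConfigOptions = @('SQLServerName', 'DatabaseName', 'SQLSSBPort', 'SQLDataFilePath', 'SQLLogFilePath')
    }
    foreach ($section in $expected.Keys) {
        foreach ($key in $expected[$section]) {
            if (-not $ini.Contains($section) -or [string]::IsNullOrWhiteSpace($ini[$section][$key])) {
                $findings.Add("MISSING  [$section] $key")
            }
        }
    }

    $opt = $ini['Options']
    if ($opt) {
        # The product key in the published file is masked with x characters.
        if ($opt['ProductID'] -match '^[xX-]+$') {
            $findings.Add('PLACEHOLDER  ProductID still holds the masked value')
        }
        # A site code is three alphanumeric characters.
        if ($opt['SiteCode'] -and $opt['SiteCode'] -notmatch '^[A-Za-z0-9]{3}$') {
            $findings.Add("INVALID  SiteCode '$($opt['SiteCode'])'")
        }
        # PrerequisiteComp=1 means "already downloaded", so the folder must exist and contain files.
        if ($opt['PrerequisiteComp'] -eq '1') {
            $p = $opt['PrerequisitePath']
            if (-not $p -or -not (Test-Path -LiteralPath $p -PathType Container)) {
                $findings.Add("PATH     PrerequisitePath '$p' does not exist")
            }
            elseif (-not (Get-ChildItem -LiteralPath $p -File -Recurse | Select-Object -First 1)) {
                $findings.Add("PATH     PrerequisitePath '$p' contains no files")
            }
        }
        # Informational: roles that this file installs without HTTPS.
        foreach ($key in 'ManagementPointProtocol', 'DistributionPointProtocol') {
            if ($opt[$key] -eq 'HTTP') { $findings.Add("INFO     $key=HTTP") }
        }
    }
    return $findings
}

$findings = Test-SetupIni -Path 'C:\SCCM_STAGING\SCCM_CB_1902\SCCM_CB_1902_ALLROLES.ini'
$findings
if ($findings | Where-Object { $_ -notlike 'INFO*' }) {
    throw 'Setup.ini pre-flight failed; fix the findings above before running Setup.exe.'
}
```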

 

 

6.3         Install SCCM Using PowerShell

 

Use this script to install the SCCM site server.

The SCCM_CB_1902_INSTALL-11-15-2019.ps1 script will be run on the local SCCM Site server and will do the following:

 

1.       Install IIS, BITS and .NET Framework 3.5.1

2.       Install SQL Server 2017 Enterprise Edition.

a.       Set SQL Service Accounts SPN

                                                              i.      SVC-SQLSC-01 (VP1)

b.       Install SQL Cumulative updates

c.       Install SQL SSMS 18.3

3.       *** REBOOT THE SERVER ***

a.       Configure SQL Memory

4.       Install SQL 2017 Reporting Service

a.       Set SQL 2017 Reporting Service Account

5.       *** REBOOT THE SERVER ***

6.       Configure SQL 2017 Reporting Service and Set Service Acct

7.       *** REBOOT THE SERVER ***

8.       Install ADK for Windows 1903

a.       Install Windows ADK for Windows 10_1903

b.       Install Windows PE_1903 as Separate Add-on

9.       *** REBOOT THE SERVER ***

10.   Configure NO_SMS_ON_DRIVE.SMS Files

11.   Copy CMTrace

12.   Install Remote Differential Compression

13.   Install Microsoft Report Viewer 2012

a.       Note Report Viewer 2012 is still needed for WSUS reports on a Windows 2019/2016 server.

14.   Install and configure WSUS for SCCM (Unattended)

15.   *** REBOOT THE SERVER ***

16.   Run SCCM CB Prechecks

17.   Install SCCM CB 1902 on Primary Site Server (VP1 Site)

18.   *** REBOOT THE SERVER ***

 

DETAILS:

 

The SCCM_CB_1902_INSTALL-11-15-2019.ps1 script has all the commands in it to install SCCM CB. Reboots are required after certain steps in the script. Review the script before running it to determine when to reboot the server. Run the script a portion at a time. Ensure that you reboot the server when mentioned.

 

On the SCCM Site Server, run the SCCM_CB_1902_INSTALL-11-15-2019.ps1:

1.       On the SCCM Site server, open a PowerShell command prompt with administrative permissions.

2.       Open the script and review its content. Pay attention to REBOOT SERVER entries.

3.       Run the following PowerShell script a portion at a time, honoring the server reboots:

a.       SCCM_CB_1902_INSTALL-11-15-2019.ps1

4.       Verify the install:

a.       (Option #1) Verify version SCCM CB v1902

                                                              i.      View the C:\ConfigMgrSetup.log and check for the following line:

1.       === Completed Configuration Manager Server Setup ===

b.       (Option #2) Verify version SCCM CB v1902

                                                              i.      Launch the SCCM console.

                                                            ii.      In the upper left corner, click the dropdown arrow and select About Configuration Manager.

                                                          iii.      The Console version should be: 5.1902.1085.1700

                                                           iv.      The Site version should be: 5.0

5.       See script content below:

 

SCCM_CB_1902_INSTALL-11-15-2019.ps1

 

## Use the commands below to Install and Configure SCCM 2019 on a single server/PC.

##

## Do Not Proceed unless you have run script # 1

 

###############################################################################################

############# Install SCCM 2019 Prerequisites #############################################

#### The script below assumes all SCCM and Prereqs files have been copied to the C:\SCCM_STAGING folders.

 

# Install .NET Framework 3.5.1

# Ensure you copy the Windows 2019 DVD\Sources\Sxs folder in the staging folder

Dism /online /enable-feature /featurename:NetFx3 /All /Source:C:\SCCM_STAGING\W2019\Sources\Sxs /LimitAccess

 

# Install BITS and IIS

# BITS is needed for the Distribution Point and Management Point.

Install-WindowsFeature BITS

Install-WindowsFeature Web-WMI

 

############# Install SQL 2017 #############################################

#### The script below assumes all SQL files have been copied to the C:\SCCM_STAGING\SQL_2017_ENT\ folders.

 

# Set SQL Service Accounts SPN

# Run on the Site Server or domain controller

setspn -A MSSQLSvc/SRV-CM-01.JCTECH.NET:1433  SVC-SQLSC-01

setspn -A MSSQLSvc/SRV-CM-01:1433  SVC-SQLSC-01

 

# Install SQL 2017 using SQL Configuration file

# Take a Snapshot/Checkpoint of VM.

#

# C:\SCCM_STAGING\SQL_2017_ENT\Setup.exe /QS /IACCEPTSQLSERVERLICENSETERMS /SQLSVCPASSWORD="Password" /AGTSVCPASSWORD="Password" /ASSVCPASSWORD="Password" /ConfigurationFile=C:\SCCM_STAGING\SQL_2017_ENT\SQL2017ForSCCM1903.ini

C:\SCCM_STAGING\SQL_2017_ENT\Setup.exe /QS /IACCEPTSQLSERVERLICENSETERMS /SQLSVCPASSWORD="Password" /AGTSVCPASSWORD="Password" /ConfigurationFile=C:\SCCM_STAGING\SQL_2017_ENT\SQL2017ForSCCM1903.ini

 

# Install Latest Cumulative Update Package for SQL Server 2017

C:\SCCM_STAGING\SQL_2017_CU16\SQLServer2017-KB4508218-x64.exe /ACTION=INSTALL /QUIETSIMPLE /ALLINSTANCES /ENU /IACCEPTSQLSERVERLICENSETERMS /INDICATEPROGRESS

 

# Install SQL SSMS 18.3

# Note I install SSMS without the /norestart and it did not prompt for a restart. Need to determine if a reboot is required.

C:\SCCM_STAGING\SSMS_18.3\SSMS-Setup-ENU.exe /install /passive

 

# ******* Reboot the server here ******

 

# Configure SQL Memory

# Note you must reboot the server after the SSMS 18.3 install in order for the SQLCMD command to work.

# Note it is included in the Microsoft ODBC Driver 13/17 for SQL Server

# Set MAX to 8gb. Set MIN to 4gb

sqlcmd -S SRV-CM-01 -i C:\SCCM_STAGING\SCRIPTS\SetSQLMem.sql -o C:\SCCM_STAGING\SCRIPTS\SetSQLMem.log

 

# Install SQL 2017 Reporting Service

 

C:\SCCM_STAGING\SQL_2017_RS\SQLServerReportingServices.exe /passive /norestart /IAcceptLicenseTerms /PID=6GPYM-VHN83-PHDM2-Q9T2R-KBV83

 

# Configure SQL 2017 Reporting Service

& C:\SCCM_STAGING\SCRIPTS\Configure-SQL2017RS.ps1

 

# Set SQL 2017 Reporting Service Account

& C:\SCCM_STAGING\SCRIPTS\SetReportServiceAcct.ps1

 

# ******* Reboot the server here ******

 

# Install Windows ADK for Windows 10_1903

# The command below will install Windows ADK version 1903 required features for SCCM.

# It will install the following features:

# •            Deployment Tools

# •            User State Migration Tool

C:\SCCM_STAGING\WADK_10_1903\adksetup.exe /quiet /installpath E:\ADK /features OptionId.UserStateMigrationTool OptionId.DeploymentTools

 

# Sleep for 60 seconds to allow ADK for Windows 10_1903 to install

Start-Sleep -Seconds 60

 

# Install Windows ADK PE_1903

# Reboot the server after installation.

C:\SCCM_STAGING\WADK_10_WINPE_1903\adkwinpesetup.exe /quiet /ceip off /installpath E:\ADK /Features OptionId.WindowsPreinstallationEnvironment /norestart

 

# Sleep for 60 seconds to allow Windows ADK PE_1903 to install

Start-Sleep -Seconds 60

 

# ******* Reboot the server here ******

 

############# Install SCCM 1902 #############################################

#### The script below assumes all SCCM files have been copied to the C:\SCCM_STAGING\SCCM_CB_1902\ folders.

 

# Configure NO_SMS_ON_DRIVE.SMS Files

# Only configure on drive you DON’T want SCCM to install on. (C, F, G).

 

New-Item C:\NO_SMS_ON_DRIVE.SMS -ItemType file

New-Item F:\NO_SMS_ON_DRIVE.SMS -ItemType file

New-Item G:\NO_SMS_ON_DRIVE.SMS -ItemType file

 

# Copy CMTrace

 

Copy C:\SCCM_STAGING\SCCM_CB_1902\SMSSETUP\TOOLS\CMTrace.exe C:\

 

# Remote Differential Compression for Windows Server 2019.

Install-WindowsFeature RDC

 

# Install REPORT VIEWER 2012 RUNTIME and Microsoft System CLR Types for Microsoft SQL Server 2012

# These are needed to read WSUS Reports.

 

msiexec /passive /norestart /i C:\SCCM_STAGING\REPORT_VIEWER_2012\SQLSysCLRTypes.msi

msiexec /passive /norestart /i C:\SCCM_STAGING\REPORT_VIEWER_2012\ReportViewer.msi

 

############# Install WSUS ##########################################

## When using a WID database for WSUS

## Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

## & 'C:\Program Files\Update Services\Tools\WsusUtil.exe' postinstall content_dir=E:\WSUS

 

## When using a SQL database for WSUS

Install-WindowsFeature -Name Updateservices-Services,UpdateServices-DB -IncludeManagementTools

 

# If SQL server is installed on the default SQL instance (MSSQLSERVER) on the local server...run this:

& 'C:\Program Files\Update Services\Tools\WsusUtil.exe' postinstall SQL_INSTANCE_NAME="SRV-CM-01\" content_dir=E:\WSUS

 

# If SQL server is installed on a remote SQL server instance (MSSQLSERVER or SCCM) include the remote server name and SQL instance:

# & 'C:\Program Files\Update Services\Tools\WsusUtil.exe' postinstall SQL_INSTANCE_NAME="SRV-CM-01\" content_dir=E:\WSUS

 

# ******* Reboot the server here ******

 

# Run SCCM Precheck to confirm all prerequisites are in place

C:\SCCM_STAGING\SCCM_CB_1902\SMSSETUP\BIN\X64\Prereqchk.exe /LOCAL

 

# Install SCCM unattended

C:\SCCM_STAGING\SCCM_CB_1902\SMSSETUP\BIN\X64\Setup.exe /NOUSERINPUT /Script C:\SCCM_STAGING\SCCM_CB_1902\SCCM_CB_1902_ALLROLES.ini

 

6.4         Install the SCCM Reporting Services Point

 

In this step you will install the SCCM Reporting service point on the site server.

 

1.       Log on to the site server  (SRV-CM-01) with the ConfigMgr 2019 install account (SVC-CM-Install).

2.       Configure NO_SMS_ON_DRIVE.SMS Files

a.       Start Windows Explorer.

                                                              i.      Note Only configure on drive you DON’T want SCCM to install on. (C, D, E).

b.       Select drive letter:

c.       C, D, E

d.       From the root of the drive, select File, New, Text Document.

e.       Name the file NO_SMS_ON_DRIVE.SMS.

f.        At the Rename screen, click Yes

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles
  3. Right click SRV-CM-01 and select Add Site System Role.
    1. The Add Site System Roles Wizard opens.
    2. If this is a new site system, On the Home tab, select Create Site System Server.
  4. On the General page, specify the general settings for the site system server. Click Next.
    1. Note when you add the reporting services point to an existing site system server, verify the values that you previously configured.
  5. On the Proxy page, click Next.
  6. On the System Role Selection page, select Reporting Services Point in the list of available roles, and then click Next.
  7. On the Reporting Services Point page, configure the following settings:
    1. Site database server name: SRV-CM-01.CONTOSO.NET\
      i. Specify the name of the server that hosts the Configuration Manager site database. Typically, the wizard automatically retrieves the fully qualified domain name (FQDN) for the server. To specify a database instance, use the format <Server Name>\<Instance Name>.
    2. Database name: CM_VP1
      i. Specify the Configuration Manager site database name, and then click Verify to confirm that the wizard has access to the site database.
      ii. Security Note: The user account that is creating the reporting services point must have Read access to the site database. If the connection test fails, a red warning icon appears. Move the cursor over this icon to read details of the failure. Correct the failure, and then click Test again.
      iii. Click Verify.
    3. Folder name: ConfigMgr_VP1
      i. Specify the folder name that is created and used to host the Configuration Manager reports in Reporting Services.
    4. Reporting Services server instance: SSRS
      i. Select in the list the instance of SQL Server for Reporting Services. When there is only one instance found, by default, it is listed and selected. When no instances are found, verify that SQL Server Reporting Services is installed and configured, and that the SQL Server Reporting Services service is started on the site system.
      ii. Security Note: Configuration Manager makes a connection in the context of the current user to Windows Management Instrumentation (WMI) on the selected site system to retrieve the instance of SQL Server for Reporting Services. The current user must have Read access to WMI on the site system, or the Reporting Services instances cannot be retrieved.
    5. User Name
      i. CONTOSO\SVC-CM-RSP
      ii. Note: Select an account that is used when SQL Server Reporting Services on the reporting services point connects to the Configuration Manager site database to retrieve the data displayed in a report.
      iii. Note: Select Existing account to specify a Windows user account that has previously been configured as a Configuration Manager account, or select New account to specify a Windows user account that is not currently configured as a Configuration Manager account. Configuration Manager automatically grants the specified user access to the site database. The user is displayed in the Accounts subfolder of the Security node in the Administration workspace with the ConfigMgr Reporting Services Point account name. The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password.
    6. Click Next.
  8. On the Summary page, verify the settings and click Next to install the reporting services point.

  11. After the wizard is completed, report folders are created, and the Configuration Manager reports are copied to the specified report folders. When report folders and reports are copied to the report server, they are copied in the same language as the operating system that is running on the report server.
    a. To monitor the installation progress for the reporting services point, on the reporting services point server (SRV-CM-01) open the following logs in <F:>\SMS\Logs\ or <F:>\SCCM\Logs:
      1. SRSRPSETUP.log
      2. SRSRP.log
      3. SRSRPMSI.log
    b. Note: In SRSRP.log you should see the SCCM reports being copied to the SRS database.
    c. Note: If you see the following in SRSRP.log:
      1. ERROR:
        a. Failure reported during periodic health check by the SRS Server SRV-CM-01.contoso.local
        b. Error: SRS not detected as running
      2. FIX:
        a. When configuring SQL Server 2017 Reporting Services for SCCM, on the Database page, if using a SQL named instance (JCT-SQLSC-01\SCCM), make sure the SQL Server Name includes the SQL instance:
          i. SQL Server Name: JCT-SQLSC-01\SCCM
    d. Note: The reports should be written to D:\SMS_SRSRP\Reports
    e. When the installation completes, you should see in SRSRP.log:
      i. Successfully checked that the SRS web service is healthy on server <SRV-CM-01>
    f. Note: To verify that the role installed successfully, navigate to Monitoring > System Status > Component Status. Right-click the following component and select Show Messages > All > 1 Day Ago.
      i. SMS_SRS_REPORTING_POINT
      ii. Look for Message ID 1015, which indicates that the Reporting Services point was successfully installed.

  12. Done.
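The SRSRP.log check described in step 11 can be scripted. The following is an added example, not part of the original post: it classifies log lines by the three messages quoted above and reports the most recent state. The function name, the state labels and the timestamp trailer layout are assumptions, and the sample lines are constructed.

```powershell
# Added example: classify SRSRP.log lines using the messages quoted in this post.
function Get-SrsrpHealthEvent {
    param([Parameter(Mandatory)][string[]]$Line)

    # Message fragments come from the post; the state names are labels chosen here.
    $signatures = [ordered]@{
        'Successfully checked that the SRS web service is healthy' = 'Healthy'
        'Failure reported during periodic health check'            = 'HealthCheckFailed'
        'SRS not detected as running'                              = 'NotRunning'
    }
    # Assumed trailer layout: $$<component><MM-dd-yyyy HH:mm:ss.fff+offset><thread=...>
    $stamp = '<(?<date>\d{2}-\d{2}-\d{4}) (?<time>\d{2}:\d{2}:\d{2})'

    $n = 0
    foreach ($l in $Line) {
        $n++
        foreach ($text in $signatures.Keys) {
            if ($l.IndexOf($text, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                # Timestamp is optional: lines without the assumed trailer still get classified.
                $when = if ($l -match $stamp) { "$($Matches.date) $($Matches.time)" } else { $null }
                [pscustomobject]@{ LineNumber = $n; When = $when; State = $signatures[$text] }
                break
            }
        }
    }
}

# Constructed sample lines (not real log output); the server name is the one used in the post.
$sample = @(
    'Failure reported during periodic health check by the SRS Server SRV-CM-01.contoso.local  $$<SMS_SRS_REPORTING_POINT><12-16-2019 09:01:10.100+300><thread=4321 (0x10E1)>'
    'Error: SRS not detected as running  $$<SMS_SRS_REPORTING_POINT><12-16-2019 09:01:10.200+300><thread=4321 (0x10E1)>'
    'Successfully checked that the SRS web service is healthy on server SRV-CM-01  $$<SMS_SRS_REPORTING_POINT><12-16-2019 09:31:10.100+300><thread=4321 (0x10E1)>'
)
$events = Get-SrsrpHealthEvent -Line $sample
$events | Format-Table -AutoSize
"Latest state: $(($events | Select-Object -Last 1).State)"

# Against the real log: Get-SrsrpHealthEvent -Line (Get-Content '<F:>\SMS\Logs\SRSRP.log')
```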

 

6.4.1 Test SCCM Reports and SSRS Web site

 

  1. On SRV-CM-01, in the Configuration Manager console, navigate to Monitoring, Reporting.
  2. Click Reports.
    1. You should see reports in the right window.

  3. (After Installation) On the SRV-CM-01 server, launch IE.
  4. Type in the following URL:
    a. http://SRV-CM-01/reports_SCCM
    b. Or
    c. http://SRV-CM-01/reports
      i. Note: If prompted for credentials:
        1. Launch Server Manager.
        2. Click Local Server. To the right of IE Enhanced Security Configuration, click the On hyperlink/option.
        3. Under Administrators, click Off. Click OK to save.
        4. For IE8, navigate to Tools > Internet Options > Security > Local intranet > Sites.
        5. Add the following:
          a. http://SRV-CM-01
      ii. Note: This will display the SQL Server Reporting Services home page.
      iii. Note: You should see the ConfigMgr_VP1 folder.
    d. http://SRV-CM-01/Reportserver_SCCM
    e. Or
    f. http://SRV-CM-01/Reportserver
      i. Note: This should return the Microsoft SQL Server Reporting Services Version 13.0.4001.0.
  5. Done.
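The same URLs can be checked from PowerShell without opening a browser. This is an added example, not part of the original post: the function name is hypothetical, and the content checks (version string and folder name appearing in the ReportServer listing) are assumptions based on the notes above. Because the post lists each URL pair as alternatives, one URL of each pair is expected to fail.

```powershell
# Added example: request the SSRS URLs from section 6.4.1 with the logged-on user's credentials.
function Test-SsrsEndpoint {
    param(
        [string]$Server = 'SRV-CM-01',                                   # server name from the post
        [string[]]$VirtualDirectory = @('reports_SCCM', 'reports', 'Reportserver_SCCM', 'Reportserver'),
        [string]$ReportFolder = 'ConfigMgr_VP1'                          # folder name from the post
    )
    foreach ($vdir in $VirtualDirectory) {
        $url = "http://$Server/$vdir"
        $result = [ordered]@{ Url = $url; Status = $null; SsrsVersion = $null; FolderListed = $null }
        try {
            # -UseDefaultCredentials sends the current Windows identity (integrated authentication).
            $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 30
            $result.Status = [int]$resp.StatusCode
            if ($vdir -like 'Reportserver*') {
                # Assumption: the web service listing carries the version footer and the folder name.
                if ($resp.Content -match 'Microsoft SQL Server Reporting Services Version ([\d.]+)') {
                    $result.SsrsVersion = $Matches[1]
                }
                $result.FolderListed = $resp.Content -like "*$ReportFolder*"
            }
        }
        catch {
            # 401 and 404 responses surface as exceptions; keep the HTTP status when there is one.
            $r = $_.Exception.Response
            $result.Status = if ($r) { [int]$r.StatusCode } else { $_.Exception.Message }
        }
        [pscustomobject]$result
    }
}

Test-SsrsEndpoint | Format-Table -AutoSize
```

A 401 status here means the account running the check was not accepted by Reporting Services; a 404 means that virtual directory name is not the one configured on this server.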

 

6.4.2 Configure Reporting Server Database Recovery Model

In this step you will set the reporting server database recovery model to Simple. This is done to allow the database transaction logs to be shrunk after the database is backed up.

Note: If you don't change this or back up the reporting server database on a regular basis, the ReportServer_log.ldf file will grow extremely large.

  1. On the SQL database server (JCT-SQLSC-01), launch SQL Server Management Studio 18.3.
  2. Expand Databases, right-click ReportServer, and select Properties.
  3. Click Options.
  4. Set the Recovery model to Simple.
  5. Click OK to save the setting.
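The same setting can be applied and verified from PowerShell. This is an added example, not part of the original post: it assumes the SqlServer module (Invoke-Sqlcmd) is installed and that the current user may alter the database. The function name is hypothetical; the server and database names are the ones used in the steps above.

```powershell
# Added example: set the ReportServer recovery model to Simple and report the log file size.
function Set-ReportServerSimpleRecovery {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ServerInstance = 'JCT-SQLSC-01',   # from the post; append \<Instance Name> for a named instance
        [string[]]$Database = @('ReportServer')
    )
    foreach ($db in $Database) {
        # ALTER DATABASE cannot take the name as a parameter, so accept plain identifier characters only.
        if ($db -notmatch '^[A-Za-z0-9_$]+$') { throw "Unexpected database name: $db" }

        $current = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master `
            -Query "SELECT recovery_model_desc AS Model FROM sys.databases WHERE name = N'$db';"
        if (-not $current) { Write-Warning "$db not found on $ServerInstance"; continue }

        if ($current.Model -ne 'SIMPLE' -and
            $PSCmdlet.ShouldProcess("$ServerInstance/$db", 'SET RECOVERY SIMPLE')) {
            Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master `
                -Query "ALTER DATABASE [$db] SET RECOVERY SIMPLE;"
        }

        # Re-read from the server; sys.master_files.size is in 8 KB pages and type 1 is the log file.
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
SELECT d.name AS DatabaseName,
       d.recovery_model_desc AS RecoveryModel,
       CAST(SUM(CASE WHEN f.type = 1 THEN f.size ELSE 0 END) * 8 / 1024.0 AS decimal(12,1)) AS LogSizeMB
FROM sys.databases d
JOIN sys.master_files f ON f.database_id = d.database_id
WHERE d.name = N'$db'
GROUP BY d.name, d.recovery_model_desc;
"@
    }
}

# Preview the change first, then run without -WhatIf to apply it.
Set-ReportServerSimpleRecovery -WhatIf
```

Under the Simple recovery model, transaction log backups are not available, so a restore returns the database to its last full or differential backup.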

 

 

 

Updated Dec 12, 2019
Version 1.0