- Sample Organization
- Configuring Installation Prerequisites
- Implementing the Central Administration Site
- Deploying the Primary Sites
- Deploying the Secondary Sites
- Configuring the Hierarchy
- Configuring Sites
- Configuring Client Settings
- Implementing Internet-Based Client Management
- Best Practices
Configuring Installation Prerequisites
Before implementing SCCM 2012, several prerequisite steps need to be taken to prepare Active Directory and the Site Servers. These steps ensure that the SCCM implementation goes smoothly.
The required SCCM prerequisites are as follows:
- Extending the Active Directory schema
- Configuring the System Management container in Active Directory
- Adding Windows roles and features on Site Servers
These prerequisites prepare the environment for Configuration Manager 2012.
These installation prerequisites are in addition to the hardware and software requirements covered in Chapter 2, “Configuration Manager 2012 Design and Planning.” The software requirements include the following:
- Windows Server 2008 64-bit SP2 or Windows Server 2008 R2 operating system
- Windows Active Directory domain
- .NET Framework 3.51 SP1
- .NET Framework 4.0
- SQL Server 2008 SP2 with Cumulative Update 7 or SQL Server 2008 R2 SP1 with Cumulative Update 4 (can be on a separate server)
- Opened TCP port 1433 and 4022 for SQL replication
The hardware and software requirements for all prospective Site Servers must be met before the installation prerequisites can be configured.
Extending the Active Directory Schema
The Active Directory schema should be extended to support dynamic client assignment during Configuration Manager agent deployment and to assist clients with the location of Configuration Manager server infrastructure. When the Active Directory schema is extended, clients can use the values provided through Active Directory to locate regional Site Servers and Distribution Points for package and content delivery.
To extend the Active Directory schema, execute the following steps:
- Log on to a domain controller with an administrative account that is a member of the Schema Admins group.
- Copy the EXTADSCH.exe from \SMSSETUP\BIN\x64\ on the Configuration Manager installation media to a local folder on the Active Directory domain controller with the schema master FSMO role.
- Open a command window as an administrator and execute the EXTADSCH.exe command with a Schema Admin account.
The command should report, “Successfully extended the Active Directory schema” when complete (as shown in Figure 3.3).
Figure 3.3 Successful Active Directory schema extension.
Review the ExtADSch.log file for any errors. This log file is located in the root of drive C on the server used to execute the schema extensions. The log file should show 14 attributes and four classes have been defined.
Configuring the System Management Container
When the Active Directory schema has been extended, Configuration Manager Site Servers store information about the hierarchy in special Active Directory objects. These objects are kept in a specific folder in the System container of the domain partition. The location for these objects doesn’t exist by default, and must be manually created and configured.
In a distributed Configuration Manager hierarchy, it is considered best practice to place the Configuration Manager Site Servers in a custom security group, and delegate this security group’s permissions to the System Management container in Active Directory. The following tasks assume the Configuration Manager Site Servers (CM1, CM2, CM3, CM4, and CM5) are members of the “SCCM Site Servers” universal security group. If this group doesn’t exist, create it before continuing.
The System Management container holds the Configuration Manager objects in Active Directory. This container can be created with the ADSI Edit console on the DC1 domain controller.
To create the System Management container with ADSI Edit, complete the following steps:
- Run ADSI Edit from DC1.
- Right-click the ADSI Edit node and select Connect To.
- Type Domain in the Name field.
- Select Default Naming Context from the list of well-known naming contexts.
- Click OK.
- Expand Default Naming Context.
- Expand DC=companyxyz,DC=com.
- Select the CN=System container.
- Right-click CN=System, click New, and then click Object.
- Select Container from the list and click Next.
- Enter System Management for the CN attribute value, and then click Next.
- Click Finish to complete the change.
The permissions for the System Management container need to be configured before the first Site Server is implemented.
To set the System Management container permission with ADSI Edit, complete the following steps:
- Right-click the System Management container and select Properties.
- Select the Security tab.
- Click Advanced.
- Click Add.
- Type SCCM Site Servers and click OK.
- Continue with the default selection of This Object and All Descendant Objects from Apply To.
- Choose Allow in front of Full Control in the Permissions field and then click OK.
- Click OK two times to commit all the changes and then close ADSI Edit.
As Configuration Manager Site Servers are added to the hierarchy, be sure to add them to the custom Site Servers security group (SCCM Servers). This ensures they can create the required Active Directory objects.
Adding Windows Roles and Features on Site Servers
The majority of client communications is over HTTP or HTTPS, which is serviced by the Windows IIS web server. IIS is a key component of many Configuration Manager Site Systems roles. This includes the Site Server itself in the following optional roles:
- Application Catalog Web Service Point
- Application Catalog Website Point
- Distribution Point
- Enrollment Point
- Enrollment Proxy Point
- Fallback Status Point
- Management Point
- Software Update Point
It is important to make sure that IIS is installed correctly on each of the Site Systems; otherwise, SCCM will not operate correctly.
To implement IIS on the Site Server and Component Servers on a Windows Server 2008 R2–based system, complete the following steps:
- Open Server Manager on the Site/Component Server.
- Select the Features node.
- Click the Add Features action.
- Enable Background Intelligent Transfer Service (BITS).
- When prompted, click Add Required Role Services.
- Enable the Remote Differential Compression feature and click Next.
- On the Web Server Overview page, click Next.
- Enable the ASP.NET role service, and click Add Required Role Services.
- Enable the ASP role service.
- Enable the Windows Authentication role service.
- Enable the IIS 6 WMI Compatibility role service and the IIS 6 Metabase Compatibility if they are not already, and then click Next.
- Review the components selected and click Install.
- Close the wizard when the installation completes.
During this process, a number of roles, role services, and features get enabled automatically. If the preparation is being done on a system with some of these enabled or disabled, it can be confusing to know which ones need to be added.
To install using the command line, open Windows PowerShell as an administrator and enter the following commands:
Import-Module ServerManager Add-WindowsFeature Net-Framework,BITS,RDC,Web-ASP-Net,Web-ASP,Web-Windows-Auth, Web-WMI,Web-Metabase
When the preparation process is completed, at minimum the Web Server (IIS) role should be installed with the following list of role services:
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- .NET Extensibility
- ISAPI Extensions
- ISAPI Filters
- HTTP Logging
- Logging Tools
- Request Monitor
- Windows Authentication
- Request Filtering
- Static Content Compression
- Dynamic Content Compression
- IIS Management Console
- IIS 6 Metabase Compatibility
- IIS 6 WMI compatibility
In addition, the following Windows features should be installed:
- Background Intelligent Transfer Service (BITS)
- Remote Differential Compression
- Web Server (IIS) Tools
- BITS Server Extensions Tools
In preinstalled systems, ensure that the preceding role services and features are installed.