Part 9: Boundaries & Boundary Groups

Boundaries have got to be one of the most overlooked and difficult-to-grasp concepts in ConfigMgr. While they are not overly complex, a lot of people don’t really understand how they work, particularly IP Subnet boundaries, whose name is unfortunately not an accurate representation of what they are.

What are they

The short answer is that a boundary is a network location that a client can identify itself as being on. Boundaries are in turn grouped together so that resources like Distribution Points and site systems can be associated with them.

Why you need them

Without boundaries, clients don’t know where to go to get content or which site they should connect to (the latter only matters if you have multiple sites in your environment). When you configure a boundary, let’s call it Boundary ‘A’, and associate it with Boundary Group ‘Sydney’, clients that identify as being on Boundary ‘A’ will go to the Distribution Point associated with Boundary Group ‘Sydney’.

It’s critical that boundaries be configured so that content distribution can be managed in a way that does not saturate WAN links. This can be a particular problem for small links, such as 2Mb.

Types

  • IP Subnet – This is a bit of a misnomer: these boundaries are actually subnet IDs, NOT subnets. There is quite a bit of confusion around how these work; suffice it to say that you want to only use /24 subnets when using this type of boundary.
  • Active Directory Site – Imported directly from AD Sites and Services. Requires Forest discovery to be configured.
  • IPv6 Prefix – Like IP Subnets but for IPv6.
  • IP Address Range – Explicit range of IP addresses. Not recommended to be used due to the high SQL performance impact.
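
To make the subnet ID point concrete, here is an added example (not from the original post and not ConfigMgr's own code): it computes the subnet ID a client derives from its own IP address and mask and compares it with IP Subnet boundary values, which carry no mask. The function name Get-SubnetId, the boundary values and the client addresses are all constructed for illustration.

```powershell
# Added example, not from the original post. All names and addresses are constructed.
function Get-SubnetId {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength
    )
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $IPAddress"
    }
    $ipBytes = $ip.GetAddressBytes()
    $idBytes = New-Object byte[] 4
    for ($i = 0; $i -lt 4; $i++) {
        # How many mask bits fall inside this octet (0 to 8)
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - (8 * $i)))
        $maskByte = (0xFF -shl (8 - $bits)) -band 0xFF
        # Subnet ID = address AND mask, octet by octet
        $idBytes[$i] = [byte]($ipBytes[$i] -band $maskByte)
    }
    ($idBytes -join '.')
}

# IP Subnet boundaries as stored in the site: subnet IDs only, no mask (constructed values)
$BoundarySubnetIds = @('192.168.0.0', '10.1.5.0')

# Constructed clients: one on a /24, one on a /23 supernet, one on a /25
$Clients = @(
    [pscustomobject]@{ Name = 'PC-A'; IP = '192.168.0.110'; Prefix = 24 }
    [pscustomobject]@{ Name = 'PC-B'; IP = '10.1.5.20';     Prefix = 23 }
    [pscustomobject]@{ Name = 'PC-C'; IP = '10.1.5.200';    Prefix = 25 }
)

foreach ($Client in $Clients) {
    $SubnetId = Get-SubnetId -IPAddress $Client.IP -PrefixLength $Client.Prefix
    # A client falls in a boundary only when its computed subnet ID equals the stored value
    [pscustomobject]@{
        Client     = $Client.Name
        Address    = '{0}/{1}' -f $Client.IP, $Client.Prefix
        SubnetId   = $SubnetId
        InBoundary = $BoundarySubnetIds -contains $SubnetId
    }
}
```

PC-B and PC-C both have 10.1.5.x addresses, yet neither matches the 10.1.5.0 boundary, because their masks produce the subnet IDs 10.1.4.0 and 10.1.5.128.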

Bulk creation

Kaido Järvemets has written an excellent script for completing this; for all the details check it out here.

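# Run the Excel COM calls under the en-US culture
[Threading.Thread]::CurrentThread.CurrentCulture = 'en-US'
$XLSX = New-Object -ComObject "Excel.Application"

$BoundariesXLSXFile = "C:\Users\Administrator\Desktop\CM_Boundaries.xlsx"
$Path = (Resolve-Path $BoundariesXLSXFile).Path
# Escape the dot so that only the file extension is replaced
$SavePath = $Path -replace "\.xl\w*$",".csv"

# Save the workbook as CSV (file format 6 = xlCSV), then close Excel
$WorkBook = $XLSX.Workbooks.Open($Path)
$WorkBook.SaveAs($SavePath,6)
$WorkBook.Close($False)
$XLSX.Quit()

$Boundaries = Import-Csv $SavePath

foreach($Item in $Boundaries)
{
    # Map the 'Boundary Type' column to the SMS_Boundary BoundaryType value
    $Type = $null
    Switch($Item.'Boundary Type')
    {
        "IP Subnet" {$Type = 0}
        "Active Directory Site" {$Type = 1}
        "IPv6" {$Type = 2}
        "Ip Address Range" {$Type = 3}
    }

    # Skip rows with an unrecognised type instead of reusing the previous row's value
    if ($null -eq $Type)
    {
        Write-Warning "Skipping '$($Item.'Display Name')': unknown boundary type '$($Item.'Boundary Type')'"
        continue
    }

    $Arguments = @{DisplayName = $Item.'Display Name'; BoundaryType = $Type; Value = $Item.Value}

    # Site_PRI is the namespace for site code PRI and Server100 is the server queried; change both to match your site
    Set-WmiInstance -Namespace "Root\SMS\Site_PRI" -Class SMS_Boundary -Arguments $Arguments -ComputerName Server100
}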

My Recommendation

There’s much to be said about using IP Subnets and how they’re evil. My experience is that if you’ve got them defined and you’re only using /24 addresses then you’ll be fine. Where this is not the case, leverage IP Ranges.

Further reading:
ConfigMngrFTW – IP Subnet Boundaries Are Still Evil
TechNet – Planning for Boundaries and Boundary Groups in Configuration Manager

Part 8: Discovery Methods

SCCM has a number of discovery methods which it uses to populate SCCM with resource records. You need these so you can do good stuff like deploy apps, operating systems, software updates, compliance and do reporting. If you choose not to enable these you’ll have a very empty ConfigMgr environment.

  • Active Directory Forest Discovery
    • What: Discovers subnets via sites and services and forests/domains for publishing SCCM
    • Why: Required for SCCM to be published to the forest/domain. Also allows boundaries to automatically be created based on sites and services.
    • Best Practice: Enabled but without auto boundary creation (unless you have immaculate AD sites and services).
  • Active Directory Group discovery
    • What: Discover all AD groups and their members
    • Why: Essential for deploying things to AD groups and also reporting.
    • Best Practice: Enable it!
  • Active Directory System Discovery
    • What: Scans AD for all computer objects
    • Why: Essential for identifying all computers in the organisation before the client has been deployed.
    • Best Practice: Enable it!
  • Active Directory User Discovery
    • What: Scans AD for all user account objects
    • Why: Like computers chances are you’ll want to deploy or advertise software to users.
    • Best Practice: Enable it!
  • Heartbeat Discovery
    • What: Unlike other discovery methods, heartbeat is all about the client sending a packet of info to the primary site server
    • Why: Provides health, client details, network location etc.
    • Best Practice: Don’t turn this off; it’s required
  • Network Discovery
    • What: Queries DHCP, ARP Tables on Routers, SNMP and AD
    • Why: May be useful if you need to discover workgroup computers
    • Best Practice: Don’t use unless required; my experience has been that turning this on pollutes your DB.


Part 7: Software Update Point & SCUP (With HTTPS)

If you’re looking to manage patches with SCCM, and let’s face it why wouldn’t you be, then you’ll need to install the software update point role. In this post we’ll install and configure everything you need to get started, including the System Center Update Publisher, which allows you to deploy non-Microsoft updates via SCCM.

In Part 3: Prep & Pre-reqs we installed WSUS, so let’s get to configuring everything.


Part 6: Upgrading SCCM Current Branch

Now that you have ConfigMgr set up it’s time to upgrade it to the latest version. This is a relatively straightforward process and applies to all versions of current branch from 1511 onward. In the last post I installed 1606 so that’s what we’ll be using.

NB: You must have the Service Connection point installed and configured to upgrade.

At a glance:

  1. Confirm no operational issues with SCCM sites
  2. Review the new SCCM version’s requirements; 1702, for example, removes support for 2008 server, so you will need to upgrade these sites to 2012 or 2016 before upgrading.
  3. Patch, patch, patch!
  4. Uninstall any deprecated SCCM site system roles before upgrading
  5. Disable DB replicas on all primary sites (if you’re using them)
  6. Disable maintenance tasks
  7. Run Pre-req check for update
  8. Backup DBs (CAS and Primary)
  9. Test DB Backups
  10. Backup any custom .mof files
  11. Restart all Site Systems
  12. Upgrade
  13. Deploy new SCCM Admin Console
  14. Reconfigure DB Replicas
  15. Upgrade Clients
  16. Reconfigure clients


Part 5: Installing SCCM 1606

So far in the series we’ve run up all the infrastructure required and configured all prerequisites for SCCM. So let’s set that up now.

  1. Download SCCM 1606 here.
  2. Run pre-req check tool – M:\SMSSETUP\BIN\X64\Prereqchk.exe /AdminUI
  3. Run splash.hta
  4. Click Install
  5. Click Next
  6. Select Install a Configuration Manager Primary Site and click next.
  7. Enter a serial key if you have one, otherwise select eval.
  8. Accept the terms and click next
  9. Select a download location and click next
  10. Select language and click next
  11. Select supported languages and click next; I like to check support for all languages on mobile devices.
  12. Set site code, site name and installation folder, which should be the SCCM volume you created earlier.
    1. Site Code – P01
    2. Site name – Primary site 1
    3. Installation folder – D:\Program Files…..
  13. As this is the first primary site select install standalone primary site
  14. Define SQL server details; my SQL instance is local.
  15. Confirm locations are correct and click next
  16. Specify the FQDN and click next
  17. Select configure manually; we’ll set up HTTPS communication later.
  18. Specify server name and click next.
  19. Review usage data and click next
  20. Check install service connector and click next
  21. Review install summary and click next
  22. Confirm all pre-reqs have been met and click Begin install
  23. Confirm all features installed successfully
  24. You’re done for now!

 

Part 4: Installing SQL 2016

In the previous posts we’ve set up the lab and done the prep work for the SCCM Primary site. In my lab I’m installing SQL on the same server as the Primary Site server (SCCM-P01). There’s a fair bit of healthy debate as to whether it’s better to co-host or have a dedicated standalone SQL server. I’ve done both and can say that in my experience any performance improvement is negligible for the size of environments I’ve seen it in.

So let’s get to it, jump on the server you’re going to install SQL on.

  1. Download SQL Server Standard; I’m using 2016. You can use any of the versions listed here.
  2. Run Setup.exe
  3. Click New Installation
  4. Enter product key details and click next.
  5. Accept license terms and click next
  6. Check use Microsoft Update and click next
  7. Check all updates and click next
  8. Review pre-req check and click next
  9. Check database engine services and reporting services and change the feature installation directory to the SQL directory; mine’s ‘E:\’
  10. Specify an instance; I’m using the default.
  11. Set all services to start with the service account created for SQL earlier (‘SA_SCCM_SQL’) and to Automatic, except the SQL Server Browser
  12. Select the collation tab and set it to ‘SQL_Latin1_General_CP1_CI_AS’. This is critical: if it’s configured incorrectly it can lead to a failed installation, is unsupported by Microsoft, and may prevent SCCM updates from installing.
  13. Add SCCM Server Admins to administrators list
  14. Under Data Directories tab change the locations to the below directories.
    2017-04-25_9-23-17.png
  15. Under the TempDB tab change the data directory for the TempDB to your tempDB volume and the log.
  16. On Reporting Services select install only
  17. Click Install
  18. Confirm all components installed successfully
  19. Set SPN by running the following commands:
    setspn -A MSSQLSvc/SCCM-P01:1433 LAB\SA_SCCM_SQL
    setspn -A MSSQLSvc/SCCM-P01.lab.local:1433 LAB\SA_SCCM_SQL

  20. SQL 2016 doesn’t install management studio as part of the install, so you need to download and install it manually. You can download it here.
  21. Click Install
  22. Click Close
  23. Configure Memory allocation
  24. Open SQL Server Management Studio (with an account that has admin rights to your SQL instance)
  25. Right click the server in object explorer and select properties
  26. Select memory and change the minimum to 8192 and the maximum to 12288 (should be 80% of the server’s memory)
  27. Open SQL Server Configuration Manager
  28. Browse SQL Server Network Configuration>Protocols for instance and right click TCP/IP>Properties
  29. Configure protocol as per the below
    2017-04-25_18-46-55.png
  30. Select IP Addresses tab
  31. Under IP1 set to the below settings
    2017-04-25_18-51-20
  32. All other IP entries and IP All should be configured as per the below
    2017-04-25_18-52-10.png
  33. Dynamic ports should be configured as per the below
    2017-04-25_18-53-27
  34. Restart the SQL Server Service
  35. Ready for ConfigMgr!

Part 3: Prep & Pre-reqs

In this post I’m going to set up all the prerequisites for SCCM and SQL. I’ll cover the install of SQL and ConfigMgr in the following articles though.

  1. Create a new Virtual Machine with the below
    • Name: SCCM-P01
    • Generation: 2
    • Startup Memory: 1024
    • Use Dynamic memory for this VM: Yes
    • Connection: vNet External
  2. I’ve allocated 8vCPUs to my SCCM VM.
  3. Add the following disks to the VM:
    • D:\ – SCCM (200GB)
    • E:\ – SQL Databases (50GB)
    • F:\ – SQL TempDB (50GB)
    • G:\ – SQL Logs (50GB)
  4. Install Windows Server 2016 Standard
  5. Set a static IP address; mine’s 192.168.0.110
  6. Give your server a name; mine’s SCCM-P01
  7. Join the lab domain
  8. Initialize all of the extra Hard Drives and format the SQL volumes with 64K allocation unit size
  9. Create the following Service Accounts
    • SA_SCCM_SQL
    • SA_SCCM_SQLReporting
    • SA_SCCM_NetworkAccess
    • SA_SCCM_Client
    • SA_SCCM_DomainJoin
  10. Create the following groups in AD
    • SCCM Server Admins
    • SCCM Servers
  11. Add your server to the newly created AD group ‘SCCM Servers’
  12. Delegate Full Control to the SYSTEM Container in Active Directory for the group ‘SCCM Servers’.
  13. Create a GPO for your SCCM server; mine’s in lab.local\Member Servers\SCCM
  14. Create the following Inbound Firewall rules in the GPO, Computer Configuration>Policies>Windows Settings>Security Settings> Windows Firewall with Advanced Security>Inbound.
    • Port (TCP) – 1433
    • Port (TCP) – 1434
    • Port (TCP) – 4022
    • Port (TCP) – 135
    • Port (TCP) – 2383
    • Port (TCP) – 2382
    • Port (TCP) – 80
    • Port (TCP) – 443
    • Port (TCP) – 1434
  15. Create a new file in sysvol called ‘No_sms_on_drive.sms’ and copy the file using GP Preferences to C:\ with the SCCM GPO.
  16. Extend AD Schema on DC01
    1. Login with an account with Schema Admins rights.
    2. Mount ConfigMgr ISO on
    3. Open PowerShell as an administrator and run .\SMSSETUP\BIN\X64\extadsch.exe
    4. Open log C:\Extadsch.log and confirm the schema has been successfully extended.
  17. Create System Management Container.
    1. Open ADSI Edit
    2. Right Click System container>New>Object
    3. Select Container and click Next.
    4. Enter ‘System Management’ exactly and click next.
    5. Right click on System Management Container and select Properties and then select the Security tab.
    6. Add your Primary SCCM Server and delegate full control.
    7. Click Advanced
    8. Select the site server and click Edit.
    9. Under applies to select This object and all descendant objects.
  18. On your SCCM Primary Site Server open PowerShell and run the following commands to install the prerequisite roles and features.
    Install-WindowsFeature Web-Windows-Auth
    Install-WindowsFeature Web-ISAPI-Ext
    Install-WindowsFeature Web-Metabase
    Install-WindowsFeature Web-WMI
    Install-WindowsFeature BITS
    Install-WindowsFeature RDC
    Install-WindowsFeature NET-Framework-Features -source \\yournetwork\yourshare\sxs
    Install-WindowsFeature Web-Asp-Net
    Install-WindowsFeature Web-Asp-Net45
    Install-WindowsFeature NET-HTTP-Activation
    Install-WindowsFeature NET-Non-HTTP-Activ


  19. Install Windows Update Service
  20. Install Windows ADK
    1. Download ADK from here
    2. Run ADKsetup.exe
    3. Change installation directory to your SCCM volume and click next.
    4. Select the below features and click Install.
      2017-04-23_20-07-33.png
    5. Once completed restart your server.