Part 7: Software Update Point & SCUP (With HTTPS)

If you’re looking to manage patches with SCCM, and let’s face it, why wouldn’t you be, then you’ll need to install the Software Update Point role. In this post we’ll install and configure everything you need to get started, including System Center Updates Publisher (SCUP), which allows you to deploy non-Microsoft updates via SCCM.

In Part 3: Prep & Pre-reqs we installed WSUS; let’s get to configuring everything.



Part 6: Upgrading SCCM Current Branch

Now that you have ConfigMgr set up, it’s time to upgrade it to the latest version. This is a relatively straightforward process and applies to all versions of current branch from 1511 onward. In the last post I installed 1606, so that’s what we’ll be using.

NB: You must have the Service Connection point installed and configured to upgrade.

At a glance:

  1. Confirm no operational issues with SCCM sites
  2. Review the new SCCM version’s requirements. 1702, for example, removes support for Server 2008, so you will need to upgrade those site systems to Server 2012 or 2016 before upgrading.
  3. Patch, patch, patch!
  4. Uninstall any deprecated SCCM site system roles before upgrading
  5. Disable DB replicas on all primary sites (if you’re using them)
  6. Disable maintenance tasks
  7. Run Pre-req check for update
  8. Backup DBs (CAS and Primary)
  9. Test DB Backups
  10. Backup any custom .mof files
  11. Restart all Site Systems
  12. Upgrade
  13. Deploy new SCCM Admin Console
  14. Reconfigure DB Replicas
  15. Upgrade Clients
  16. Reconfigure clients
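For steps 8 and 9 (back up the databases and test the backups), here is an added PowerShell example that is not from the original post: it takes a full backup of the site database with CHECKSUM, verifies the file with RESTORE VERIFYONLY, and confirms msdb recorded it as checksum-protected. It assumes the site database is named CM_P01 (site code P01 from Part 5) on the default instance on SCCM-P01, that G:\Backup already exists on the SQL server, and that it runs under an account with backup rights.

```powershell
# Added example, not from the original post. Assumed names: instance SCCM-P01,
# database CM_P01 (site code P01), backup folder G:\Backup (must exist on the SQL server).
param(
    [string]$SqlInstance = 'SCCM-P01',
    [string]$Database    = 'CM_P01',
    [string]$BackupDir   = 'G:\Backup'
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$file  = Join-Path $BackupDir "$Database-preupgrade-$stamp.bak"

# Windows authentication as the caller (needs sysadmin or db_backupoperator on the instance).
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Database=master;Integrated Security=True"
$conn.Open()

function Invoke-Sql([string]$Text) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText    = $Text
    $cmd.CommandTimeout = 0          # a full backup of a site database can exceed the 30 s default
    [void]$cmd.ExecuteNonQuery()     # throws a SqlException if SQL Server reports an error
}

try {
    # Step 8: full backup. INIT overwrites a file of the same name; CHECKSUM writes a
    # per-page checksum into the backup so damaged pages are detected rather than restored.
    Invoke-Sql "BACKUP DATABASE [$Database] TO DISK = N'$file' WITH INIT, CHECKSUM, STATS = 10"

    # Step 9: test the backup. VERIFYONLY reads the whole file and re-validates every
    # checksum without restoring it; it fails if the media is unreadable or a page is corrupt.
    Invoke-Sql "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"

    # Confirm msdb recorded the backup as checksum-protected before relying on it.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT TOP (1) backup_finish_date, backup_size, has_backup_checksums
FROM msdb.dbo.backupset
WHERE database_name = N'$Database' AND type = 'D'
ORDER BY backup_finish_date DESC
"@
    $r = $cmd.ExecuteReader()
    if ($r.Read() -and [bool]$r['has_backup_checksums']) {
        '{0}: {1:N0} bytes written to {2}, checksums verified' -f $r['backup_finish_date'], $r['backup_size'], $file
    } else {
        Write-Warning "No checksum-protected full backup of $Database found in msdb"
    }
    $r.Close()
}
finally {
    $conn.Close()
}
```

Run it once per site database (CAS and each primary) and keep the .bak files off the site server until the upgrade has been confirmed.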


Part 5: Installing SCCM 1606

So far in the series we’ve run up all the infrastructure required and configured all prerequisites for SCCM. So let’s set that up now.

  1. Download SCCM 1606 here.
  2. Run the pre-req check tool – M:\SMSSETUP\BIN\X64\Prereqchk.exe /AdminUI
  3. Run splash.hta
  4. Click Install
  5. Click Next
  6. Select Install a Configuration Manager primary site and click Next.
  7. Enter a serial key if you have one, otherwise select the evaluation edition.
  8. Accept the terms and click Next
  9. Select a download location and click Next
  10. Select a language and click Next
  11. Select the supported languages and click Next. I like to check support for all languages on mobile devices.
  12. Set the site code, site name and installation folder, which should be the SCCM volume you created earlier.
    1. Site Code – P01
    2. Site name – Primary site 1
    3. Installation folder – D:\Program Files…..
  13. As this is the first primary site, select Install a standalone primary site.
  14. Define the SQL Server details; my SQL instance is local.
  15. Confirm the locations are correct and click Next
  16. Specify the FQDN and click Next
  17. Select Configure manually; we’ll set up HTTPS communication later.
  18. Specify the server name and click Next.
  19. Review the usage data settings and click Next
  20. Check Install Service Connection Point and click Next
  21. Review the install summary and click Next
  22. Confirm all pre-reqs have been met and click Begin Install
  23. Confirm all features installed successfully
  24. You’re done for now!

 

Part 4: Installing SQL 2016

In the previous posts we’ve setup the lab and done the prep work for the SCCM Primary site. In my lab I’m installing SQL on the same server as the Primary Site server (SCCM-P01). There’s a fair bit of healthy debate as to whether it’s better to co-host or have a dedicated standalone SQL server. I’ve done both and can say that in my experience any performance improvement is negligible for the size environments I’ve seen it in.

So let’s get to it, jump on the server you’re going to install SQL on.

  1. Download SQL Server Standard; I’m using 2016. You can use any of the versions listed here.
  2. Run Setup.exe
  3. Click New Installation
  4. Enter the product key details and click Next.
  5. Accept the license terms and click Next
  6. Check Use Microsoft Update and click Next
  7. Check all updates and click Next
  8. Review the pre-req check and click Next
  9. Check Database Engine Services and Reporting Services, and change the feature installation directory to the SQL directory; mine is ‘E:\’
  10. Specify an instance; I’m using the default.
  11. Set all services to run as the service account created for SQL earlier, ‘SA_SCCM_SQL’, and to start automatically, except the SQL Server Browser
  12. Select the Collation tab and set it to ‘SQL_Latin1_General_CP1_CI_AS’. This is critical: if it’s configured incorrectly it can lead to a failed installation, is unsupported by Microsoft, and may prevent updates from installing for SCCM.
  13. Add SCCM Server Admins to the administrators list
  14. Under the Data Directories tab change the locations to the SQL database and log volumes created in Part 3.
  15. Under the TempDB tab change the TempDB data directory to your TempDB volume, and the log directory likewise.
  16. On Reporting Services select Install only
  17. Click Install
  18. Confirm all components installed successfully
  19. Set the SPNs by running the following commands:
    setspn -A MSSQLSvc/SCCM-P01:1433 LAB\SA_SCCM_SQL
    setspn -A MSSQLSvc/SCCM-P01.lab.local:1433 LAB\SA_SCCM_SQL

  20. SQL 2016 doesn’t install Management Studio as part of the install, so you need to download and install it manually. You can download it here.
  21. Click Install
  22. Click Close
  23. Configure the memory allocation:
  24. Open SQL Server Management Studio (with an account that has admin rights to your SQL instance)
  25. Right click the server in Object Explorer and select Properties
  26. Select Memory and change the minimum to 8192 and the maximum to 12288 (which should be 80% of the server’s memory)
  27. Open SQL Server Configuration Manager
  28. Browse to SQL Server Network Configuration>Protocols for your instance and right click TCP/IP>Properties
  29. Configure the protocol as required (it must be enabled)
  30. Select the IP Addresses tab
  31. Under IP1 set the required values
  32. All other IP entries and IPAll should be configured consistently
  33. Configure the dynamic ports setting; a static port is expected, since the firewall rules and SPNs above use 1433
  34. Restart the SQL Server service
  35. Ready for ConfigMgr!
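A post-install check of the settings this part configured by hand (collation, service accounts, static TCP port and SPNs), as an added PowerShell example that is not from the original post. It assumes the default instance (service MSSQLSERVER) on SCCM-P01, the LAB domain and the SA_SCCM_SQL account from Part 3, and the ActiveDirectory RSAT module for the SPN checks.

```powershell
# Added example, not from the original post. Assumed names: SCCM-P01 default instance,
# domain LAB, service account SA_SCCM_SQL; requires the ActiveDirectory module (RSAT).
$SqlInstance    = 'SCCM-P01'
$ServiceAccount = 'SA_SCCM_SQL'
$ExpectedSpns   = @("MSSQLSvc/${SqlInstance}:1433", "MSSQLSvc/${SqlInstance}.lab.local:1433")
$failures       = @()

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Database=master;Integrated Security=True"
$conn.Open()
$cmd = $conn.CreateCommand()

# Collation: anything other than SQL_Latin1_General_CP1_CI_AS is unsupported for ConfigMgr.
$cmd.CommandText = "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))"
$collation = [string]$cmd.ExecuteScalar()
if ($collation -ne 'SQL_Latin1_General_CP1_CI_AS') { $failures += "Collation is '$collation'" }

# TCP/IP: the IPAll entry must carry a fixed TcpPort of 1433 and an empty TcpDynamicPorts.
$cmd.CommandText = "SELECT value_name, value_data FROM sys.dm_server_registry " +
                   "WHERE registry_key LIKE '%SuperSocketNetLib\Tcp\IPAll'"
$reader = $cmd.ExecuteReader()
$tcp = @{}
while ($reader.Read()) { $tcp[[string]$reader['value_name']] = [string]$reader['value_data'] }
$reader.Close()
$conn.Close()
if ($tcp['TcpPort'] -ne '1433')     { $failures += "TcpPort is '$($tcp['TcpPort'])', expected 1433" }
if ($tcp['TcpDynamicPorts'] -ne '') { $failures += "Dynamic ports are enabled: '$($tcp['TcpDynamicPorts'])'" }
if (-not (Test-NetConnection -ComputerName $SqlInstance -Port 1433 -InformationLevel Quiet)) {
    $failures += 'TCP 1433 is not reachable (service not listening or firewall rule missing)'
}

# Services: the engine runs as LAB\SA_SCCM_SQL and starts automatically; the Browser does not.
$engine = Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER'"
if ($engine.StartName -ne "LAB\$ServiceAccount") { $failures += "Engine runs as $($engine.StartName)" }
if ($engine.StartMode -ne 'Auto')                { $failures += "Engine start mode is $($engine.StartMode)" }
$browser = Get-CimInstance Win32_Service -Filter "Name='SQLBrowser'"
if ($browser.StartMode -eq 'Auto') { $failures += 'SQL Server Browser is set to start automatically' }

# SPNs: both must be on the service account and on no other object. A missing or
# duplicate SPN makes Kerberos fail and clients silently fall back to NTLM.
Import-Module ActiveDirectory
$registered = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
foreach ($spn in $ExpectedSpns) {
    if ($registered -notcontains $spn) { $failures += "SPN missing from ${ServiceAccount}: $spn" }
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) { $failures += "SPN $spn is registered on $($owners.Count) objects" }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ } } else { 'SQL configuration checks passed' }
```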

Part 3: Prep & Pre-reqs

In this post I’m going to set up all the prerequisites for SCCM and SQL. I’ll cover the install of SQL and ConfigMgr in the following articles.

  1. Create a new Virtual Machine with the below
    • Name: SCCM-P01
    • Generation: 2
    • Startup Memory: 1024
    • Use Dynamic memory for this VM: Yes
    • Connection: vNet External
  2. I’ve allocated 8 vCPUs to my SCCM VM.
  3. Add the following disks to the VM:
    • D:\ – SCCM (200GB)
    • E:\ – SQL Databases (50GB)
    • F:\ – SQL TempDB (50GB)
    • G:\ – SQL Logs (50GB)
  4. Install Windows Server 2016 Standard
  5. Set a static IP address; mine is 192.168.0.110
  6. Give your server a name; mine is SCCM-P01
  7. Join the lab domain
  8. Initialize all of the extra hard drives and format the SQL volumes with a 64K allocation unit size
  9. Create the following service accounts
    • SA_SCCM_SQL
    • SA_SCCM_SQLReporting
    • SA_SCCM_NetworkAccess
    • SA_SCCM_Client
    • SA_SCCM_DomainJoin
  10. Create the following groups in AD
    • SCCM Server Admins
    • SCCM Servers
  11. Add your server to the newly created AD group ‘SCCM Servers’
  12. Delegate Full Control on the System container in Active Directory to the group ‘SCCM Servers’.
  13. Create a GPO for your SCCM server; mine is in lab.local\Member Servers\SCCM
  14. Create the following inbound firewall rules in the GPO, under Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Inbound.
    • Port (TCP) – 1433
    • Port (TCP) – 1434
    • Port (TCP) – 4022
    • Port (TCP) – 135
    • Port (TCP) – 2383
    • Port (TCP) – 2382
    • Port (TCP) – 80
    • Port (TCP) – 443
  15. Create a new file in SYSVOL called ‘No_sms_on_drive.sms’ and copy it to C:\ using Group Policy Preferences in the SCCM GPO.
  16. Extend the AD schema on DC01
    1. Log in with an account that has Schema Admins rights.
    2. Mount the ConfigMgr ISO on
    3. Open PowerShell as an administrator and run .\SMSSETUP\BIN\X64\extadsch.exe
    4. Open the log C:\Extadsch.log and confirm the schema has been successfully extended.
  17. Create the System Management container.
    1. Open ADSI Edit
    2. Right click the System container>New>Object
    3. Select Container and click Next.
    4. Enter ‘System Management’ exactly and click Next.
    5. Right click the System Management container, select Properties and then select the Security tab.
    6. Add your primary SCCM server and delegate Full Control.
    7. Click Advanced
    8. Select the site server and click Edit.
    9. Under Applies to select This object and all descendant objects.
  18. On your SCCM primary site server open PowerShell and run the following commands to install the prerequisite roles and features.
    Install-WindowsFeature Web-Windows-Auth
    Install-WindowsFeature Web-ISAPI-Ext
    Install-WindowsFeature Web-Metabase
    Install-WindowsFeature Web-WMI
    Install-WindowsFeature BITS
    Install-WindowsFeature RDC
    Install-WindowsFeature NET-Framework-Features -source \\yournetwork\yourshare\sxs
    Install-WindowsFeature Web-Asp-Net
    Install-WindowsFeature Web-Asp-Net45
    Install-WindowsFeature NET-HTTP-Activation
    Install-WindowsFeature NET-Non-HTTP-Activ

  19. Install Windows Server Update Services (WSUS)
  20. Install the Windows ADK
    1. Download the ADK from here
    2. Run ADKsetup.exe
    3. Change the installation directory to your SCCM volume and click Next.
    4. Select the required features and click Install.
    5. Once completed, restart your server.
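To confirm the prerequisites above actually took effect before running SCCM setup, here is an added PowerShell example that is not from the original post. It runs on the site server (assumed SCCM-P01 in the lab.local domain), checks the 64K SQL volumes, the No_sms_on_drive.sms marker, membership of ‘SCCM Servers’, the schema extension, the site server’s rights on the System Management container and the Windows features, and assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example, not from the original post. Assumes this runs on the site server
# (SCCM-P01), domain lab.local, group 'SCCM Servers', SQL volumes E:, F:, G:, and the
# ActiveDirectory RSAT module for the AD checks.
Import-Module ActiveDirectory
$site     = $env:COMPUTERNAME
$domainDn = (Get-ADDomain).DistinguishedName
$fail     = @()

# Step 8: SQL volumes must be formatted with a 64K allocation unit (BlockSize 65536).
foreach ($drive in 'E:', 'F:', 'G:') {
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$drive'"
    if (-not $vol -or $vol.BlockSize -ne 65536) { $fail += "$drive is not formatted with a 64K allocation unit" }
}

# Step 15: the marker file keeps ConfigMgr from placing content on the system drive.
if (-not (Test-Path 'C:\No_sms_on_drive.sms')) { $fail += 'C:\No_sms_on_drive.sms is missing' }

# Step 11: the site server's computer account belongs to 'SCCM Servers'.
$members = Get-ADGroupMember -Identity 'SCCM Servers' | Select-Object -ExpandProperty Name
if ($members -notcontains $site) { $fail += "$site is not a member of 'SCCM Servers'" }

# Step 16: extadsch.exe creates the MS-SMS-Site class (among others) in the schema.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNc -LDAPFilter '(cn=MS-SMS-Site)')) { $fail += 'AD schema has not been extended' }

# Step 17: the computer account holds Full Control (GenericAll) on System Management,
# applied to this object and all descendant objects (InheritanceType All).
$container = "AD:\CN=System Management,CN=System,$domainDn"
if (-not (Test-Path $container)) {
    $fail += 'System Management container is missing'
} else {
    $rule = (Get-Acl $container).Access | Where-Object {
        $_.IdentityReference.Value -like "*\${site}`$" -and
        $_.AccessControlType      -eq 'Allow' -and
        $_.ActiveDirectoryRights  -eq 'GenericAll' -and
        $_.InheritanceType        -eq 'All'
    }
    if (-not $rule) { $fail += "$site lacks inherited Full Control on the System Management container" }
}

# Step 18: the IIS, BITS, RDC and .NET features the site system roles depend on.
$features = 'Web-Windows-Auth', 'Web-ISAPI-Ext', 'Web-Metabase', 'Web-WMI', 'BITS', 'RDC',
            'NET-Framework-Features', 'Web-Asp-Net', 'Web-Asp-Net45', 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ'
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) { $fail += "Features not installed: $($missing.Name -join ', ')" }

if ($fail) { $fail | ForEach-Object { Write-Warning $_ } } else { 'All Part 3 prerequisites are in place' }
```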

Part 2: Certificate Authority (Server 2016)

The next step is to run up a CA. This is optional; some reasons why you might want a CA for SCCM:

  • HTTPS – You need all SCCM communication to be encrypted
  • TDE – You need to encrypt your databases, MBAM for example
  • MDM – You want mobile devices to use certificates to authenticate instead of requiring credentials for company resources like mail and Wi-Fi.

In my lab I’m going to implement a two tier Certificate Authority, an Offline RootCA and a subordinate CA which will be co-hosted on my primary Domain Controller (DC01). For some more details on planning production CA architecture see Securing PKI: Planning a CA Hierarchy.

  1. Create a new Virtual Machine with the below config:
    Name: RootCA
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
    Note: This server MUST NOT be joined to your domain.
  3. Set a static IP address; mine is 192.168.0.250
  4. Give your server a name; mine is RootCA.
  5. In Server Manager click Manage>Add Roles and Features
  6. Under Server Roles tick Active Directory Certificate Services and click Next.
  7. Click Next until you get to Role Services.
  8. Select Certification Authority and click Next.
  9. Click Install
  10. Under Server Manager click the flag>Configure Active Directory Certificate Services.
  11. Make sure you’re using the administrator account.
  12. Select Certification Authority and click Next.
  13. Select Standalone CA and click Next.
  14. Select Root CA and click Next.
  15. Select Create a new private key and click Next.
  16. Leave the default cryptography and click Next. You’ll be fine as long as it’s not SHA-1.
  17. Change the common name; I’m using RootCA. Click Next.
  18. Increase the validity period to 20 years and click Next.
  19. Leave the certificate database in the default location and click Next.
  20. Click Configure
  21. Confirm the configuration was successful.
  22. Open Regedit and increase the REG_DWORD ‘ValidityPeriodUnits’ to 20, located here:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\RootCA\ValidityPeriodUnits
  23. Open PowerShell and run the following commands:
    certutil -setreg ca\DSConfigDN "CN=Configuration,DC=lab,DC=local"
    certutil -setreg ca\DSDomainDN "DC=lab,DC=local"
  24. Launch Certification Authority from Server Manager
  25. Right click RootCA>Properties
  26. Browse to the Extensions tab.
  27. Add a new CRL Distribution Point extension – http://DC01/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl and tick the required options.
  28. Select the ‘C:\Windows…’ CRL Distribution Point and select Publish CRLs to this location only.
  29. Under Select extension change to AIA.
  30. Add a new AIA – http://DC01/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt and tick the required options.
  31. In Certification Authority right click Revoked Certificates>Properties
  32. Change the CRL publication interval to 20 years
  33. In Certification Authority right click Revoked Certificates>All Tasks>Publish
  34. Click Next.
  35. Copy the files in C:\Windows\System32\CertSrv\CertEnroll to \\DC01\C$\Windows\System32\CertSrv\CertEnroll
  36. Now jump on DC01 and install Active Directory Certificate Services
  37. Under Role Services, select Certification Authority and Certification Authority Web Enrollment.
  38. Install the roles and features.
  39. Under Server Manager click the flag>Configure Active Directory Certificate Services.
  40. Make sure you’re using an account with Enterprise Administrator rights and click Next.
  41. Select Certification Authority and Certification Authority Web Enrollment and click Next.
  42. Select Enterprise CA and click Next.
  43. Select Subordinate CA and click Next.
  44. Select Create a new private key and click Next.
  45. Leave the default cryptography and click Next.
  46. Give the subordinate CA a common name; mine is SubCA.
  47. Save a certificate request to the local machine.
  48. Finish the installation with the remaining defaults.
  49. Copy the certificate request back to RootCA
  50. On RootCA open Certification Authority and right click RootCA>All Tasks>Submit new request.
  51. Browse to the .req file.
  52. Select Pending Requests and right click the pending request>All Tasks>Issue
  53. Select Issued Certificates and open the certificate just issued
  54. Click Copy to File
  55. Select Cryptographic Message Syntax Standard and tick Include all certificates in the certification path if possible.
  56. Export the file to C:\SubCA.p7b
  57. Copy the file back to DC01
  58. On DC01 open Certification Authority>All Tasks>Install CA Certificate and browse to SubCA.p7b
  59. Click OK to the warning.
  60. Start the CA service; you should get a green tick.
  61. Export the certificates and deploy them via Group Policy.
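Before deploying the certificates, it is worth checking that the chain built above will actually validate on a client. The following is an added PowerShell example that is not from the original post: it reads the exported C:\SubCA.p7b, reports the signature algorithm and validity of each CA certificate, fetches every CRL and AIA URL embedded in them (the http://DC01/CertEnroll locations configured above) and then builds the chain with online revocation checking. It assumes it runs on DC01 with HTTP access to itself and that the .p7b contains both the SubCA and RootCA certificates.

```powershell
# Added example, not from the original post. Assumes the chain exported above to
# C:\SubCA.p7b (SubCA plus RootCA) and HTTP access to http://DC01/CertEnroll.
param([string]$ChainFile = 'C:\SubCA.p7b')

$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($ChainFile)        # a PKCS#7 (.p7b) file can carry the whole certification path
$problems = @()

foreach ($cert in $certs) {
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    "== $($cert.Subject)  issued by $($cert.Issuer)"
    '   valid {0:d} to {1:d}, signature {2}' -f $cert.NotBefore, $cert.NotAfter, $sigAlg

    # SHA-1 (and MD5) signatures are rejected by current clients; sha256 or better is fine.
    if ($sigAlg -match 'sha1|md5') { $problems += "$($cert.Subject) is signed with $sigAlg" }

    # CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) carry the URLs every client fetches when
    # it builds the chain; an unreachable URL breaks HTTPS for all ConfigMgr clients.
    $urlExts = $cert.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' }
    foreach ($ext in $urlExts) {
        $urls = [regex]::Matches($ext.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value }
        foreach ($url in $urls) {
            try {
                $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                "   OK  $url ($($resp.RawContentLength) bytes)"
            } catch {
                $problems += "$url unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Build the chain the way a client would, fetching the CRL for every CA below the root.
# This fails until the RootCA certificate is trusted on this machine (the Group Policy step).
$subCa = $certs | Where-Object { $_.Subject -ne $_.Issuer } | Select-Object -First 1
if ($subCa) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    if (-not $chain.Build($subCa)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Chain validation failed: $status"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'CA certificate checks passed' }
```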

Part 1: Hyper-V, Networks, DC, DNS

This post will really only be applicable where you are running this up at home or in a lab. Please don’t use this as guidance for building a production domain…

Some details on my hypervisor spec –

CPU – Intel Xeon E5-1650 @ 3.5GHz
RAM – 64GB
C:\ – 256GB SSD
V:\ – 1TB SSD

Hypervisor

  1. Install Windows Server 2016 Datacenter; media can be downloaded here.
  2. Set a static IP address; mine is 192.168.0.100 as it’s sitting on my home network.
  3. Give your server a name; mine is HV01, as in hypervisor 1.
  4. Install Hyper-V: open PowerShell and run the below:
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

  5. Open Hyper-V Manager
  6. Open Hyper-V Settings
  7. Change Virtual Hard Disks to ‘V:\Hyper-V\Virtual Hard Disks’
  8. Change Virtual Machines to ‘V:\Hyper-V\Virtual Machines’
  9. Open Virtual Switch Manager
  10. Select New virtual network switch, External, and click Create Virtual Switch
  11. Give it a name and select External network.
  12. Install data deduplication: open PowerShell and run the below:
    Import-Module ServerManager
    Add-WindowsFeature -Name FS-Data-Deduplication

  13. In Server Manager browse to File and Storage Services>Volumes
  14. Right click the volume you’re storing your VMs on, ‘V:’ in my case, and select ‘Configure Data Deduplication’.
  15. Change Data Deduplication to Virtual Desktop Infrastructure and then click Set Deduplication Schedule.
  16. Configure an appropriate schedule; mine is pretty aggressive because it’s a lab and I’m not fussed when it runs.
  17. Install all Windows Updates

Domain Controller 1

  1. Create a new Virtual Machine with the below
    Name: DC01
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
  3. Set a static IP address; mine is 192.168.0.101
  4. Give your server a name; mine is DC01, as in Domain Controller 1
  5. Install Active Directory Domain Services and DNS: open PowerShell and run the below:
    Install-WindowsFeature AD-Domain-Services
    Install-WindowsFeature DNS

  6. In Server Manager click on the flag and run Promote this server to a domain controller.
  7. Select Add a new forest, enter a domain name and click Next.
  8. Enter a password and click Next.
  9. Click Next.
  10. Set a NetBIOS name and click Next.
  11. Configure the locations; I’m using the defaults.
  12. Review the options and click Next.
  13. Review the prerequisite check and click Install.
  14. The server will be restarted
  15. Launch DNS from Server Manager
  16. Select DC01>Forwarders>Edit
  17. Enter Google or another external DNS server, I’m using 8.8.8.8, then hit Enter.
  18. Confirm you can resolve your new domain with nslookup.

Domain Controller 2

  1. Create a new Virtual Machine with the below
    Name: DC02
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
  3. Set a static IP address; mine is 192.168.0.102
  4. Give your server a name; mine is DC02, as in Domain Controller 2
  5. Join the server to your newly created domain
  6. Install Active Directory Domain Services and DNS: open PowerShell and run the below:
    Install-WindowsFeature AD-Domain-Services
    Install-WindowsFeature DNS

  7. In Server Manager click on the flag and run Promote this server to a domain controller.
  8. Select Add a domain controller to an existing domain, enter your domain name and click Next.
  9. Enter a password and click Next.
  10. Click Next
  11. Click Next
  12. Set the paths and click Next
  13. Review the configuration and click Next.
  14. Confirm the prerequisites are met and click Install.
  15. Confirm you can resolve your new domain with nslookup.
