Building my EMS Lab – Part 2: Setting up the on-premise components
Introduction
This is the second article on how I built my EMS lab. If you are looking for the first part, click here.
In this article, I’ll walk you through setting up the on-premise components,starting with the domain controller, then hooking it up to the cloud using AD Sync and AD Connect and finally installing and configuring Configuration Manager.
Setting up the DC1 VM
In this section we'll make DC1 a domain controller and DNS
- First, we need to give DC1 a static IP (also see here)
- On your laptop (ie not one of the VMs), download and install the Windows Azure Powershell extensions here
- Open PowerShell
- Type "Add-AzureAccount", and log in with the credentials you used to create your Azure account
- Type "Get-AzureVM -ServiceName emdemo -name dc | set-azurestaticvnetip -ipaddress 10.0.0.4 | update-azurevm"
- Promoting the VM to a Domain Controller
- Log on to DC1
- In the Server Manager > Manage > Add Roles & Features
- Add Active Directory Domain Service
- Promote this server to a domain controller
- Add a new forest
- Root name: emdemo.local
NOTE: I chose to have a separate internal (.local) and external (.be) domain, as this is the case with most customers and provides a better view on when things are on the intranet and when they are on the extranet. You are free to set this up differently. - Enter your admininistrator password
- Ignore the DNS warning
- Choose a valid NetBIOS name, I chose EMDEMO
- Click Install and reboot the VM
- Configuring the DNS
- In the Azure console
- Go to the EMDemo Virtual Network
- New > Virtual Network > Register DNS Server
- Name = DC1, IP = 10.0.0.4
- On the EMDemo Virtual Network > Configure
- Ensure DC1 with IP 10.0.0.4 is listed under DNS servers
- New > Virtual Network > Register DNS Server
- Go to the EMDemo Virtual Network
- In the Azure console
- Domain Joining the ADFS and SCCM VM
- NOTE: do not domain join the WAP VM
- Connect to each of the VMs, and domain join them
- Log out of AFDS, DC and SCCM and log in with your domain account (ie DOMAIN\USERNAME). Use this username from now on.
- Continue the DNS setup
- Log on to DC1
- Open the DNS manager (in the Server Manager > Tools > DNS)
- Ensure that there are public DNS servers listed:
- Right click the domain > Properties > Forwarders
- Make sure there are public DNS servers listed there
- You can use 8.8.8.8 and/or 8.8.4.4
- Because of our odd-lab setup, we need to tweak the DNS a bit
- Expand the Domain node > right click "Forward Lookup Zones" > New Zone
- Primary Zone
- Zone name = EMDemo.be, use 8.8.8.8 and 8.8.4.4 as public DNS servers again
- Right click this new zone > New Alias (CNAME)
- Alias = adfs, FQDN = adfs.emdemo.local
- Ensure that there are public DNS servers listed:
- Open the DNS manager (in the Server Manager > Tools > DNS)
- Testing if it works
- Log on to WAP
- Open a command prompt
- Ensure that you can ping emdemo.local (it should resolve to 10.0.0.4)
- Ensure that you can ping adfs.emdemo.be (it should resolve to adfs.emdemo.local)
- Log on to WAP
- Log on to DC1
Exposing the WAP externally
- In the Azure Management console
- Go to the WAP VM
- Choose Endpoints > Add
- Choose "Standalone Endpoint"
- Choose HTTPS
- Repeat this for a HTTP endpoint
- Select the HTTP endpoint and click "manage ACL"
- Description = Authorized Users, Remote subnet = 0.0.0.0/0
- Choose Endpoints > Add
- Go the the EMDemo cloud service > Dashboard
- Locate your Public Virtual (VIP) address and write it down somewhere
- Go to the WAP VM
- With your domain registar (where you can modify the DNS records for emdemo.be)
- Add a CNAME to adfs.emdemo.be to emdemo.cloudapp.net
NOTE: It is a best practice to use an A record to registere ADFS. Because this is a lab environment and because the VIP can change when you shut down all VMs, a CNAME provides a better solution. If you are using this in a production environment, please use an A record.
- Add a CNAME to adfs.emdemo.be to emdemo.cloudapp.net
Setting up ADFS with AD Connect
- Adding the emdemo.be domain to your directory
- In the Azure console, go to the emdemo directory
- Click Domains
- Click Add
- Domain Name = emdemo.be
- Check "I plan to configure this domain for SSO"
- Observe that your domain is added, but with status “Unverified”
- Click Add
- Click Domains
- In the Azure console, go to the emdemo directory
- Log on to ADFS
At the time of writing, AD Connect is still in beta. Please check if there is a newer version. Read about it, download and install it from here.
Run it and follow the instructions, make sure you have your SSL certificate ready on your ADFS VM
- In Azure Tenant, enter your Azure AD admin credentials
- I chose not to go with the express settings, as I wanted single-sign on > Click Customize
- Choose Single AD Forest
- Choose Single Sign On
- Under Options > AD Credentials, enter your on-prem admin credentials
- Under AD FS Farm
- I would like to set up a new farm
- Choose your SSL certificate here
- Subject name prefix = adfs
- Under Federation Server
- Add adfs.emdemo.local
- Under Proxy Servers
- Add wap.emdemo.local
- TROUBLESHOOTING: When this doesn’t work, try here
- Under Credentials
- Enter your on-prem admin credentials
- Under Service Account
- Create a group managed service account for me
- Under Azure Domain
- Your Azure AD domain should be listed there
- Under Execute
- Uncheck "Start the synchronization process…"
- TROUBLESHOOTING: if you run into an "Install Active Directory Powershell" issue, open PowerShell and run "winrm quickconfig"
- TROUBLESHOOTING: if you run into an "Configure Service Account""" issue, open PowerShell on the DC and run "winrm quickconfig"
- Click Install
- Once the installation is complete, click Verify
- The version of AD Sync I downloaded still contains the old "Windows Azure Active Directory Sync" tool. Uninstall this from the control panel.
- Reboot the ADFS VM
Synchronizing with AD Sync
- Log on to ADFS
- Get AD Sync here, install and run it, follow the instructions (it is pretty self-explanatory)
For more information on AD Sync, see here- Under Azure AD Credentials
- Enter your Azure AD admin credentials
- Under AD DS Credentials
- Forest = emdemo.be
- Enter your on-prem admin credentials
- Under User Matching, leave the default
- Under Optional Features
- Ensure Exchange Hybrid Deployment is unchecked
- Ensure Password write-back is checked
- Ensure Azure AD app and attribute filtering is unchecked (unless you want to filter what attributes are synced up)
- Continue the wizard until it starts synchronizing
- Under Azure AD Credentials
- NOTE: If you want to test/force synchronization, open PowerShell and under \Program Files\Microsoft Azure AD Sync\bin, run ".\DirectorySyncClientCmd.exe delta"
- Get AD Sync here, install and run it, follow the instructions (it is pretty self-explanatory)
- Test ADFS
- From within your lab: try browsing to https://adfs.emdemo.be/adfs/ls/idpinitiatedsignon.htm. You should be able to log on succesfully.
- From outside you lab, do the same.
Installing System Center Configuration Manager 2012 R2 (or SCCM for short)
- Log on to SCCM
- Start downloading the SCCM & SQL Server bits (this may take a while)
- In the Server Manager > Manage > Add Roles & Features
- Install the following roles:
- Web Server (IIS)
- Install the following features:
- NET Framework 3.5
- BITS
- Remote Differential Compression
- I Role Services:
- Under Security
- Add Basic Auth
- Add IP and Domain Restrictions
- Add URL Auth
- Add Windows Authentication
- Under Application Development
- Add ASP
- Add ASP.NET 3.5
- Add ASP.NET 4.5
- Under Management Tools
- Add IIS Management Scripts and Tools
- Add Management Services
- Under IIS 6 Management Compatibilitiy
- Add IIS 6 WMI Compatbility
- Finish the installation
- Under Security
- Install the following roles:
- In the mean time, log on to DC1
- Open ADSI Edit (through Search)
- Action > Connect To > OK
- Under CN=System
- Right Click > New > Object
- Container
- Value = System Management
- Open Active Directory Users & Computer (through Search)
- View > Advanced Features
- Under the domain node
- System > System Managemetn > Properties
- Hit the Security tab
- Click Add
- Object Types
- Ensure only "Computers" is checked
- Object Names
- SCCM (ie the computer name)
- Object Types
- Allow "Full Control"
- Click Advanced
- Select SCCM
- Click Edit
- Change "Applies to" to "This object and all descendant objects"
- Hit OK & Apply to close all dialog boxes
- System > System Managemetn > Properties
- Open ADSI Edit (through Search)
- Log back on to SCCM, wait for the download of the SCCM bits to complete
- We’re now going to extend the AD schema for SCCM
- Extract the SCCM bits
- Run SMSSETUP\BIN\X64\extadsch.exe as Administrator
- Installing the prerequisites for SCCM
- Install SQL Server 2012
- Run setup in the root of the installer media
- Click Installation
- Click "New sql server standalone" (top option)
- Enter your (evaluation) product key
NOTE: Microsoft employees, click here - Under "Feature Selection", select the following features
- Database engine services
- Client tools connectivity
- Management tools
- Under the "Server Configuration" section
- Set all stratup types to automatic
- SQL Server Database Engine > Account Name > Browse > "NETWORK SERVICE"
- Under "Database Engine Configuration"
- Add current user
- Install ADK
- Download the bits here
- Run setup
- Select the following features:
- Deployment Tools
- Windows preinstallation Environment
- User State Migration Tools
- Install SQL Server 2012
- Installing SCCM 2012
- Run Setup
- Select "Use typical installation options for a stand-alone primary site"
- Enter the (evaluation key)
NOTE: Microsoft employees, click here - Accept the license terms
- Select "Download required files" and set a temporary path
- Choose a site code (eg. PRI)
- Choose a site name (eg. EMDemo Primary Site)
- Setting up SCCM
- Run the ConfigMgr console
- Under Administration > Hierarchy Configuration > Boundaries > right click > create boundary
- Type: Active Directory Site
- Active Directory Site name: EMDemo Main Site
- OK
- Under Boundary Groups > Create Boundary Group
- Name = Main Boundary
- Click Add
- Select the boundary you just created
- Under Discovery Methods
- Select Active Directory System Discovery > Properties
- Click Enable Active Directory System Discovery
- Click the yellow star
- Click browse
- Select the top node
- Check "Discover Objects within Active Direcotyr Gourps"
- Click OK
- Click OK
- Click No
- Select Active Directory Forest Discovery
- Click Enable
- Click Automatically create Active Directory Site boundaries
- Click OK
- Click No
- Select Active Directory Group Discovery
- Click Enable
- Select Active Directory User Discovery
- Click Enable
- Click the yellow star
- Click Browse
- Select "Users"
- Check "Discover objects within AD Groups"
- Click OK
- Click No
- Click "Run Full Discovery Now"
- Select Active Directory System Discovery > Properties
- Under Overview > Devices > Click Refresh Now
- Under Administration > Hierarchy Configuration > Boundaries > right click > create boundary
- Run the ConfigMgr console
- We’re now going to extend the AD schema for SCCM
That’s it! Click here for the next part.
Comments
- Anonymous
December 03, 2014
It has been some time since my last post, I’ve been on holidays and found a graveyard in my mailbox upon