

SCCM 2012 R2: Pre-Requisites for installing in a domain

  

Create some active directory objects

Create the System Management container.

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container needs to be created once for each domain that includes a Configuration Manager Site server that will publish site information to Active Directory Domain Services.

NOTE: Because domain controllers do not replicate their System Management container to other domains in the forest, a System Management container must be created in each domain that hosts a Configuration Manager site.

  • Go to a domain controller / Start / Administrative tools / ADSI Edit / Action / connect to / leave everything on its defaults / OK.
  • Expand the Default naming context / Expand your domain name / Right click "system" / New / Object / Container / Next.
  • Call it "System Management" / Next / Finish / Close ADSI Edit.
  • Still on the domain controller / Start / dsa.msc {enter} / View / Advanced.
  • Expand "system" / locate the container you created "System Management" / right click it and select properties / Security Tab / Add / Object Types / Tick Computers / OK.
  • Click Advanced / Find Now / Locate and add the SCCM-ADMIN group you created earlier / also add the SCCM server's computer account itself / OK.
  • Grant Allow "Full Control" to both the SCCM-ADMIN group and the SCCM server computer account. (Only the site server's computer account actually needs this to publish site data; the Microsoft procedure further down grants it to that account alone, so adding the admin group is optional and widens who can write to the container.)
  • Now click advanced / Select the SCCM-ADMIN group > Edit.
  • Change the "Apply to" section from "This object only" to "This object and all descendant objects" / OK / Apply / OK
  • Repeat the above for the SCCM-Server object.

 

Using Domain Admin credentials (an account with the required permissions), configure the following on the SCCM server.

The section below is reproduced from the Microsoft documentation topic of the same name.

 

Prepare Active Directory for Configuration Manager

When you extend the Active Directory schema, this action is a forest-wide configuration that you must do one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after Setup. For information to help you decide whether to extend the Active Directory schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.

Tip

If the Active Directory schema was extended with the Configuration Manager 2007 schema extensions, you do not have to extend the schema for System Center 2012 Configuration Manager. The Active Directory schema extensions are unchanged from Configuration Manager 2007.

Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:

  • Extend the Active Directory schema.
  • Create the System Management container.
  • Set security permissions on the System Management container.
  • Enable Active Directory publishing for the Configuration Manager site

 

Extend the Active Directory Schema

Configuration Manager supports two methods to extend the Active Directory schema. The first is to use the extadsch.exe utility. The second is to use the LDIFDE utility to import the schema extension information by using the ConfigMgr_ad_schema.ldf file.

Note

Before you extend your Active Directory schema, test the schema extensions for conflicts with your current Active Directory schema. For information about how to test the Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts in the Active Directory Domain Services documentation.

 

Extend the Active Directory Schema by Using ExtADSch.exe

You can extend the Active Directory schema by running the extadsch.exe file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. The extadsch.exe file has no graphical output, but it does write feedback to the console when you run it from a command prompt. When extadsch.exe runs, it generates a log file in the root of the system drive named extadsch.log, which indicates whether the schema update completed successfully or any problems that were encountered while extending the schema.

Tip

In addition to generating a log file, the extadsch.exe program displays results in the console window when it is run from the command line.

The following are limitations to using extadsch.exe:

  • Extadsch.exe is not supported when run on a Windows 2000-based computer. To extend the Active Directory schema from a Windows 2000-based computer, use the ConfigMgr_ad_schema.ldf file.
  • To enable the extadsch.log to be created when you run extadsch.exe on a Windows Vista computer, you must be logged onto the computer with an account that has local administrator permissions.


To extend the Active Directory schema by using Extadsch.exe

  1. Create a backup of the schema master domain controller’s system state.

  2. Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group.

    Important: You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the extadsch.exe file by using the Run As command to attempt to extend the schema using alternate credentials will fail.

  3. Run extadsch.exe, located at \SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema.

  4. Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.

  5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.

Note

To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.


Extend the Active Directory Schema by Using an LDIF File

You can use the LDIFDE command-line utility to import directory objects into Active Directory Domain Services by using LDAP Data Interchange Format (LDIF) files.

For greater visibility of the changes being made to the Active Directory schema than the extadsch.exe utility provides, you can use the LDIFDE utility to import schema extension information by using the ConfigMgr_ad_schema.ldf file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager Installation media.

Note

The ConfigMgr_ad_schema.ldf file is unchanged from the version provided with Configuration Manager 2007.


To extend the Active Directory schema by using the ConfigMgr_ad_schema.ldf file

  1. Create a backup of the schema master domain controller’s system state.
  2. Open the ConfigMgr_ad_schema.ldf file, located in the SMSSETUP\BIN\X64 directory of the Configuration Manager installation media, and edit the file to define the Active Directory root domain to extend. All instances of the text DC=x in the file must be replaced with the full name of the domain to extend.

     For example, if the full name of the domain to extend is widgets.microsoft.com, change all instances of DC=x in the file to DC=widgets,DC=microsoft,DC=com.

  3. Use the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf file into Active Directory Domain Services.

     For example, the following command line will import the schema extensions into Active Directory Domain Services, turn on verbose logging, and create a log file during the import process: ldifde -i -f ConfigMgr_ad_schema.ldf -v -j <location to store log file>

  4. To verify that the schema extension was successful, review the log file created by the command line used in step 3.
  5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.
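Both procedures above (extadsch.exe and the LDIF import) end with "check the log"; in practice you also want to confirm that the host really is the schema master before you touch the schema and that the new classes actually landed. The following PowerShell, added here as an example and not taken from the page or from Microsoft's documentation, does the DC=x substitution, runs ldifde with logging, and then queries the schema partition for two of the classes the .ldf file defines (MS-SMS-Site and MS-SMS-Management-Point). It assumes the RSAT ActiveDirectory module is available on the schema master and that D: is where the installation media is mounted (a placeholder).

```powershell
# Added example (not from the original page): prepare ConfigMgr_ad_schema.ldf for
# this forest, import it with ldifde, and verify the result in the schema partition.
# Run on the schema master as a member of Schema Admins. $mediaRoot is a placeholder.
Import-Module ActiveDirectory

$mediaRoot = 'D:'                                                   # placeholder: mounted media
$ldfIn     = Join-Path $mediaRoot 'SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf'
$ldfOut    = "$env:SystemDrive\ConfigMgr_ad_schema.ldf"
$logDir    = "$env:SystemDrive\ldifde-log"

# 1. Replace every DC=x with the forest root domain's distinguished name.
#    (-replace is case-insensitive; \b keeps a hypothetical DC=xyz from matching.)
$rootDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
(Get-Content -Path $ldfIn) -replace 'DC=x\b', $rootDN | Set-Content -Path $ldfOut -Encoding ASCII

# 2. Refuse to continue unless this host holds the Schema Master FSMO role.
$schemaMaster = (Get-ADForest).SchemaMaster
if ($schemaMaster -notlike "$env:COMPUTERNAME.*") {
    throw "Run this on the schema master ($schemaMaster), not on $env:COMPUTERNAME"
}

# 3. Import with verbose logging; ldifde writes ldif.log and ldif.err into $logDir.
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
& ldifde.exe -i -f $ldfOut -v -j $logDir
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE; see $logDir" }

# 4. Verify: the classes the .ldf file defines must now exist in the schema NC.
#    This check is equally valid after running extadsch.exe instead of ldifde.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($cls in 'MS-SMS-Site', 'MS-SMS-Management-Point') {
    $obj = Get-ADObject -Filter "name -eq '$cls'" -SearchBase $schemaNC
    if ($obj) { "$cls present in $schemaNC" } else { Write-Warning "$cls missing; check $logDir" }
}
```

The schema-master check is the part worth keeping even if you never script the rest: the import silently fails or is rejected when run on any other domain controller, and the system-state backup in step 1 is only useful if you know which DC you took it on.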

Note

To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.


Create the System Management Container

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services

Tip

You can grant the site servers computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container.

Use ADSI Edit to create the System Management container in Active Directory Domain Services. For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the Active Directory Domain Services documentation.


To manually create the System Management container

  1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
  2. Run ADSI Edit, and connect to the domain in which the site server resides.
  3. Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object.
  4. In the Create Object dialog box, select Container, and then click Next.
  5. In the Value box, type System Management, and then click Next.
  6. Click Finish to complete the procedure.


Set Security Permissions on the System Management Container

After you have created the System Management container in Active Directory Domain Services, you must grant the site server's computer account the permissions that are required to publish site information to the container.


Important

The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.

You can grant the necessary permissions by using the Active Directory Users and Computers administrative tool or the Active Directory Service Interfaces Editor (ADSI Edit). For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc).

Note

The following procedures are provided as examples of how to configure Windows Server 2008 R2 computers. If you are using a different operating system version, like Windows Server 2012 R2, refer to that operating system’s documentation for information about how to make similar configurations.


To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool

  1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.
  2. Click View, and then click Advanced Features.
  3. Expand the System container, right-click System Management, and then click Properties.
  4. In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
  5. Click Advanced, select the site server’s computer account, and then click Edit.
  6. In the Apply to list, select This object and all descendant objects.
  7. Click OK and then close the Active Directory Users and Computers administrative tool to complete the procedure.


To apply permissions to the System Management container by using the ADSI Edit console

  1. Click Start, click Run, and enter adsiedit.msc to open the ADSIEdit console.
  2. If necessary, connect to the site server's domain.
  3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, and then expand CN=System. Right-click CN=System Management, and then click Properties.
  4. In the CN=System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
  5. Click Advanced, select the site server’s computer account, and then click Edit.
  6. In the Apply onto list, select This object and all descendant objects.
  7. Click OK to close the ADSIEdit console and complete the procedure.
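The two GUI procedures above, and the author's own ADSI Edit / dsa.msc steps at the top of the page, all do the same thing: create CN=System Management under CN=System and give the site server's computer account Full Control on it and on all descendant objects. The PowerShell below is an added example (not code from the page or from Microsoft) that performs the same change with the ActiveDirectory module and then reads the ACL back so you can confirm the inheritance setting, which is the step most often missed in the GUI. SCCM01 is a placeholder for your site server's computer name.

```powershell
# Added example (not from the original page): create the System Management container
# and grant the site server computer account Full Control, inherited by all
# descendant objects, then read the ACL back. SCCM01 is a placeholder.
Import-Module ActiveDirectory

$siteServer  = 'SCCM01'                                           # placeholder site server
$domain      = Get-ADDomain
$systemDN    = "CN=System,$($domain.DistinguishedName)"
$containerDN = "CN=System Management,$systemDN"

# 1. Create the container only if it does not already exist (idempotent).
$existing = Get-ADObject -Filter 'Name -eq "System Management"' -SearchBase $systemDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# 2. Build the ACE: site server computer account, GenericAll (Full Control),
#    applied to "this object and all descendant objects".
$computer = Get-ADComputer -Identity $siteServer
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# 3. Apply it to the container itself, not to CN=System. Granting Full Control on
#    CN=System (the shortcut mentioned in the Tip above) lets the site server
#    modify every other object under System, which is far more than it needs.
$acl = Get-Acl -Path "AD:\$containerDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 4. Read back the ACEs for the site server; InheritanceType must be "All".
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference -like "*\$siteServer`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Repeat the ACE for each secondary site server's computer account, as the Important note above requires; the container creation itself is once per domain.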


Enable Active Directory publishing for the Configuration Manager site

In addition to extending the Active Directory schema, creating the System Management container, and setting permissions for that container, you must enable Configuration Manager to publish site data to Active Directory Domain Services. For information about how to publish site data, see Planning for Publishing of Site Data to Active Directory Domain Services.

 

Configure Windows-Based Servers for Configuration Manager Site System Roles

Before you can use a Windows Server with System Center 2012 Configuration Manager, you must ensure that the computer is configured to support Configuration Manager operations. Use the information in the following sections to configure Windows servers for Configuration Manager. For more information about site system role prerequisites, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Note

The procedures in the following sections are provided as examples of how to configure Windows Server 2008 or Windows Server 2008 R2 computers. If you are using a different operating system version, like Windows Server 2012 R2, refer to that operating system’s documentation for information about how to make similar configurations.


Remote Differential Compression

Site servers and distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. If RDC is not enabled, you must enable it on these site system servers.

Use the following procedure as an example of how to enable Remote Differential Compression on Windows Server 2008 and Windows Server 2008 R2 computers. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.


To configure Remote Differential Compression for Windows Server 2008 or Windows Server 2008 R2

  1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.
  2. On the Select Features page, select Remote Differential Compression, and then click Next.
  3. Complete the wizard and close Server Manager to complete the configuration.


Internet Information Services (IIS)

Several site system roles require Internet Information Services (IIS). If IIS is not already enabled, you must enable it on site system servers before you install a site system role that requires IIS. In addition to the site system server, the following site system roles require IIS:

  • Application Catalog web service point
  • Application Catalog website point
  • Distribution point
  • Enrollment point
  • Enrollment proxy point
  • Fallback status point
  • Management point
  • Software update point

The minimum version of IIS that Configuration Manager requires is the default version that is supplied with the operating system of the server that runs the site system.

For example, when you enable IIS on a Windows Server 2008 computer that you plan to use as a distribution point, IIS 7.0 is installed. You can also install IIS 7.5. If you enable IIS on a Windows 7 computer for a distribution point, IIS 7.5 is automatically installed. You cannot use IIS version 7.0 for a distribution point that runs Windows 7.

Use the following procedure as an example of how to install IIS on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.


To install Internet Information Services (IIS) on Windows Server 2008 and Windows Server 2008 R2 computers

  1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.
  2. On the Select Features page of the Add Features Wizard, install any additional features that are required to support the site system roles you install on this computer. For example, to add BITS Server Extensions:
    • For Windows Server 2008, select the BITS Server Extensions check box. For Windows Server 2008 R2, select the Background Intelligent Transfer Services (BITS) check box. When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role, and then click Next.

    Tip: If you are configuring a computer that will be a site server or distribution point, ensure the check box for Remote Differential Compression is selected.

  3. On the Web Server (IIS) page of the Add Features Wizard, click Next.
  4. On the Select Role Services page of the Add Features Wizard, install any additional role services that are required to support the site system roles you install on this computer. For example, to add ASP.NET and Windows Authentication:
    • For Application Development, select the ASP.NET check box and, when prompted, click Add Required Role Services to add the dependent components.
    • For Security, select the Windows Authentication check box.
  5. In the Management Tools node, for IIS 6 Management Compatibility, ensure that both the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are selected, and then click Next.
  6. On the Confirmation page, click Install, complete the wizard, and close Server Manager to complete the configuration.


Request Filtering for IIS

By default, IIS blocks several file name extensions and folder locations from access by HTTP or HTTPS communication. If your package source files contain extensions that are blocked in IIS, you must configure the requestFiltering section in the applicationHost.config file on distribution point computers.

The following file name extensions are used by Configuration Manager for packages and applications. Allow the following file name extensions on distribution points:

  • .PCK
  • .PKG
  • .STA
  • .TAR

For example, you might have source files for a software deployment that include a folder named bin, or that contain a file with the .mdb file name extension. By default, IIS request filtering blocks access to these elements. When you use the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point. In this scenario, the clients indicate that they are waiting for content. To enable the clients to download this content by using BITS, on each applicable distribution point, edit the requestFiltering section of the applicationHost.config file to allow access to the files and folders in the software deployment.

Important

Modifications to the requestFiltering section apply to all websites on that server. This configuration increases the attack surface of the computer. The security best practice is to run Configuration Manager on a dedicated web server. If you must run other applications on the web server, use a custom website for Configuration Manager. For information about custom websites, see the Planning for Custom Websites with Configuration Manager section in Planning for Site Systems in Configuration Manager.

Use the following procedure as an example of how to modify requestFiltering on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.

To configure request filtering for IIS on distribution points

  1. On the distribution point computer, open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config\ directory.
  2. Search for the <requestFiltering> section.
  3. Determine the file name extensions and folder names that you will have in the packages on this distribution point. For each extension and folder name that you require, perform the following steps:
    • If it is listed as a fileExtension element, set the value for allowed to true.

      For example, if your content contains a file with an .mdb extension, change the line <add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb" allowed="true" />.

      Allow only the file name extensions required for your content.

    • If it is listed as a <hiddenSegments> element, delete the entry that matches the file name extension or folder name from the file.

      For example, if your content contains a folder with the label of bin, remove the line <add segment="bin" /> from the file.

  4. Save and close the applicationHost.config file to complete the configuration.
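Editing applicationHost.config by hand on every distribution point is error-prone, and the Important note above is the reason to be careful: the file is server-wide, so a typo or an over-broad allow affects every site on the box. The PowerShell function below is an added example (not from the page or from Microsoft) that makes exactly the two changes the procedure describes, takes a backup first, only touches the extensions and segments you name, and returns the resulting allowed-extension and hidden-segment lists for review. The extension and folder names in the call at the bottom are constructed for illustration.

```powershell
# Added example (not from the original page): apply the requestFiltering changes
# from the procedure above to applicationHost.config, with a backup, and report
# the resulting state. Extensions/segments passed in are placeholders.
function Set-DpRequestFiltering {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
        [string[]]$AllowExtension = @('.pck', '.pkg', '.sta', '.tar'),   # ConfigMgr content extensions
        [string[]]$UnhideSegment  = @()                                  # e.g. 'bin'; empty by default
    )
    # Back up first: this file is global to every site on the server.
    Copy-Item -Path $ConfigPath -Destination ("{0}.{1}.bak" -f $ConfigPath, (Get-Date -Format 'yyyyMMddHHmmss'))

    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true                 # keep the file diff-able afterwards
    $cfg.Load($ConfigPath)

    $rf = $cfg.SelectSingleNode('/configuration/system.webServer/security/requestFiltering')
    if (-not $rf) { throw "requestFiltering section not found in $ConfigPath" }

    # fileExtensions: flip allowed="false" to "true" for listed entries, add the rest.
    $fileExt = $rf.SelectSingleNode('fileExtensions')
    if (-not $fileExt) { $fileExt = $rf.AppendChild($cfg.CreateElement('fileExtensions')) }
    foreach ($ext in $AllowExtension) {
        # -eq on strings is case-insensitive, matching how IIS compares extensions.
        $node = $fileExt.SelectNodes('add') | Where-Object { $_.GetAttribute('fileExtension') -eq $ext } | Select-Object -First 1
        if (-not $node) {
            $node = $fileExt.AppendChild($cfg.CreateElement('add'))
            $node.SetAttribute('fileExtension', $ext)
        }
        $node.SetAttribute('allowed', 'true')
    }

    # hiddenSegments: remove only the segments explicitly requested (e.g. "bin").
    $hidden = $rf.SelectSingleNode('hiddenSegments')
    if ($hidden) {
        foreach ($seg in $UnhideSegment) {
            $matches = @($hidden.SelectNodes('add') | Where-Object { $_.GetAttribute('segment') -eq $seg })
            foreach ($n in $matches) { [void]$hidden.RemoveChild($n) }
        }
    }

    $cfg.Save($ConfigPath)

    # Return the effective lists so the change can be reviewed (and diffed against the .bak).
    New-Object PSObject -Property @{
        AllowedExtensions = @($fileExt.SelectNodes('add') | Where-Object { $_.GetAttribute('allowed') -eq 'true' } | ForEach-Object { $_.GetAttribute('fileExtension') })
        HiddenSegments    = @(if ($hidden) { $hidden.SelectNodes('add') | ForEach-Object { $_.GetAttribute('segment') } })
    }
}

# Constructed call: a DP whose package source contains .mdb files and a "bin" folder.
Set-DpRequestFiltering -AllowExtension '.pck', '.pkg', '.sta', '.tar', '.mdb' -UnhideSegment 'bin'
```

Keep the defaults as the baseline and pass only what a specific package needs; unhiding bin or allowing .config/.cs-type extensions on a server that also hosts other web applications is exactly the attack-surface growth the Important note warns about, and a custom website for Configuration Manager is the better answer in that case.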

Checklist of which IIS role services are installed on the server:

Role service                                      Status
------------------------------------------------  -------------
Web Server                                        Installed
  Common HTTP Features                            Installed
    Static Content                                Installed
    Default Document                              Installed
    Directory Browsing                            Installed
    HTTP Errors                                   Installed
    HTTP Redirection                              Installed
    WebDAV Publishing                             Installed
  Application Development                         Installed
    ASP.NET                                       Installed
    .NET Extensibility                            Installed
    ASP                                           Installed
    CGI                                           Not installed
    ISAPI Extensions                              Installed
    ISAPI Filters                                 Installed
    Server Side Includes                          Not installed
  Health and Diagnostics                          Installed
    HTTP Logging                                  Installed
    Logging Tools                                 Installed
    Request Monitor                               Installed
    Tracing                                       Installed
    Custom Logging                                Not installed
    ODBC Logging                                  Not installed
  Security                                        Installed
    Basic Authentication                          Installed
    Windows Authentication                        Installed
    Digest Authentication                         Not installed
    Client Certificate Mapping Authentication     Not installed
    IIS Client Certificate Mapping Authentication Not installed
    URL Authorization                             Installed
    Request Filtering                             Installed
    IP and Domain Restrictions                    Installed
  Performance                                     Installed
    Static Content Compression                    Installed
    Dynamic Content Compression                   Not installed
  Management Tools                                Installed
    IIS Management Console                        Installed
    IIS Management Scripts and Tools              Installed
    Management Service                            Installed
    IIS 6 Management Compatibility                Installed
      IIS 6 Metabase Compatibility                Installed
      IIS 6 WMI Compatibility                     Installed
      IIS 6 Scripting Tools                       Installed
      IIS 6 Management Console                    Installed
FTP Publishing Service                            Not installed
  FTP Server                                      Not installed
  FTP Management Console                          Not installed
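Rather than clicking through Server Manager and then eyeballing the checklist above, you can have the server report which of those role services (plus Remote Differential Compression and BITS from the earlier sections) are missing. The PowerShell below is an added example, not code from the page or from Microsoft; it uses the ServerManager module's feature names for Windows Server 2008 R2, which are also accepted on 2012 R2 (on 2012 R2 you would add Web-Asp-Net45 and Web-Net-Ext45 to the list). Items the checklist shows as "Not installed" are deliberately left out.

```powershell
# Added example (not from the original page): check which of the IIS role services,
# BITS and RDC from the sections above are installed, and optionally install the
# missing ones. Feature names are ServerManager names for 2008 R2 / 2012 R2.
Import-Module ServerManager

$required = @(
    'RDC', 'BITS',                                                  # site servers/DPs; DP role
    'Web-Server', 'Web-Common-Http', 'Web-Static-Content', 'Web-Default-Doc',
    'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Http-Redirect', 'Web-DAV-Publishing',
    'Web-App-Dev', 'Web-Asp-Net', 'Web-Net-Ext', 'Web-ASP',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Health', 'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing',
    'Web-Security', 'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Url-Auth', 'Web-Filtering', 'Web-IP-Security',
    'Web-Performance', 'Web-Stat-Compression',
    'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'Web-Scripting-Tools', 'Web-Mgmt-Service',
    'Web-Mgmt-Compat', 'Web-Metabase', 'Web-WMI', 'Web-Lgcy-Scripting', 'Web-Lgcy-Mgmt-Console'
)

function Get-MissingSiteSystemFeature {
    param([string[]]$Name = $required)
    Get-WindowsFeature -Name $Name | Where-Object { -not $_.Installed } | Select-Object Name, DisplayName
}

$missing = @(Get-MissingSiteSystemFeature)
if ($missing.Count -eq 0) {
    'All required features are installed.'
} else {
    'Missing features:'
    $missing | Format-Table -AutoSize
    # To install them (Add-WindowsFeature works on 2008 R2 and is an alias on 2012 R2):
    # Add-WindowsFeature -Name ($missing | Select-Object -ExpandProperty Name)
}

# Not requested on purpose, matching the checklist: CGI, Server Side Includes,
# Digest and client-certificate authentication, FTP. Anything IIS serves that
# Configuration Manager does not need is extra attack surface on the site system.
```

Run it once before adding site system roles and once after the Add Features wizard completes; the second run is the actual check that the wizard installed everything the role prerequisite checker will look for.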


Download & Install ADK 8.1

Download the Windows Assessment and Deployment Kit (ADK) 8.1 from Microsoft and install it on the SCCM server.

Install SQL Server:

  • From the SQL install media run setup.exe \ Installation \ "New Installation or add features to an existing Installation" \ OK.
  • Enter product Key if applicable \ Next \ "I accept..." \ Next \ Install \ Next \ Next.
  • Tick Database Engine Services \ Tick Management Tools (Basic and Complete) \ Next
  • Next \ Accept the defaults \ Next \ Next.
  • On the Server configuration Page \ Select "Use the same account for all SQL Server services \Select the User you created originally (sqladmin) \ Set the SQL Server Agent and SQL Server Database Engine Startup type to "Automatic" \ Next.
  • Accept "Windows Authentication" \ Add in your SCCM-ADMIN group and SQL-ADMIN group \ Next \ Next \ Next \ Install.
  • When it's completed click close.

Prepare Active Directory for SCCM

  • Extend the schema \ From the install media \ SMSSETUP \ BIN \ X64 \ extadsch.exe (run it logged on to the schema master as a member of Schema Admins, as in the Microsoft procedure above).
  • Check that the above was successful by opening the c:\extadsch.log file (created in the root of the system drive); it should say "Successfully extended the Active Directory schema."