SCCM 2012 R2: Pre-Requisites for installing in a domain
Create some active directory objects
Create the System Management container.
Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container needs to be created once for each domain that includes a Configuration Manager Site server that will publish site information to Active Directory Domain Services.
NOTE: Because domains controllers do not replicate their System Management container to other domains in the forest, a System Management container must be created for each domain that hosts a Configuration Manager Site
- Go to a domain controller / Start / Administrative tools / ADSI Edit / Action / connect to / leave everything on its defaults / OK.
- Expand the Default naming context / Expand your domain name / Right click "system" / New / Object / Container / Next.
- Call it "System Management" / Next / Finish / Close ADSI Edit.
- Still on the domain controller / Start / dsa.msc {enter} / View / Advanced.
- Expand "system" / locate the container you created "System Management" / right click it and select properties / Security Tab / Add / Object Types / Tick Computers / OK.
- Click Advanced / Find Now / Locate and add the SCCM-ADMIN group you created earlier / also add the SCCM Server itself / OK.
- Grant allow "Full Control" to both the SCCM admin group and the SCCMserver.
- Now click advanced / Select the SCCM-ADMIN group > Edit.
- Change the "Apply to" section from "This object only" to "This object and all descendant objects" / OK / Apply / OK
- Repeat the above for the SCCM-Server object.
Using Domain Admin Credentials ( with require permitions ) Configure Below in SCCM Server
To find the below Document in Microsoft site click here
Prepare Active Directory for Configuration Manager
When you extend the Active Directory schema, this action is a forest-wide configuration that you must do one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after Setup. For information to help you decide whether to extend the Active Directory schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.
Tip
If the Active Directory schema was extended with the Configuration Manager 2007 schema extensions, you do not have to extend the schema for System Center 2012 Configuration Manager. The Active Directory schema extensions are unchanged from Configuration Manager 2007.
Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
- Extend the Active Directory schema.
- Create the System Management container.
- Set security permissions on the System Management container.
- Enable Active Directory publishing for the Configuration Manager site
Extend the Active Directory Schema
Configuration Manager supports two methods to extend the Active Directory schema. The first is to use the extadsch.exe utility. The second is to use the LDIFDE utility to import the schema extension information by using the ConfigMgr_ad_schema.ldf file.
Note
Before you extend your Active Directory schema, test the schema extensions for conflicts with your current Active Directory schema. For information about how to test the Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts in the Active Directory Domain Services documentation.
Extend the Active Directory Schema by Using ExtADSch.exe
You can extend the Active Directory schema by running the extadsch.exe file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. The extadsch.exe file does not display output when it runs but does provide feedback when you run it from a command console as a command line. When extadsch.exe runs, it generates a log file in the root of the system drive named extadsch.log, which indicates whether the schema update completed successfully or any problems that were encountered while extending the schema.
Tip
In addition to generating a log file, the extadsch.exe program displays results in the console window when it is run from the command line.
The following are limitations to using extadsch.exe:
- Extadsch.exe is not supported when run on a Windows 2000–based computers. To extend the Active Directory schema from a Windows 2000–based computer, use the ConfigMgr_ad_schema.ldf.
- To enable the extadsch.log to be created when you run extadsch.exe on a Windows Vista computer, you must be logged onto the computer with an account that has local administrator permissions.
** **
To extend the Active Directory schema by using Extadsch.exe
Create a backup of the schema master domain controller’s system state.
Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group.
Important: You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the extadsch.exe file by using the Run As command to attempt to extend the schema using alternate credentials will fail.
Run extadsch.exe, located at \SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema.
Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.
If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.
Note
To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.
** **
Extend the Active Directory Schema by Using an LDIF File
You can use the LDIFDE command-line utility to import directory objects into Active Directory Domain Services by using LDAP Data Interchange Format (LDIF) files.
For greater visibility of the changes being made to the Active Directory schema than the extadsch.exe utility provides, you can use the LDIFDE utility to import schema extension information by using the ConfigMgr_ad_schema.ldf file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager Installation media.
Note
The ConfigMgr_ad_schema.ldf file is unchanged from the version provided with Configuration Manager 2007.
** **
To extend the Active Directory schema by using the ConfigMgr_ad_schema.ldf file
- Create a backup of the schema master domain controller’s system state.
- Open the ConfigMgr_ad_schema.ldf file, located in the SMSSETUP\BIN\X64 directory of the Configuration Manager installation media and edit the file to define the Active Directory root domain to extend. All instances of the text DC=x in the file must be replaced with the full name of the domain to extend.
For example, if the full name of the domain to extend is named widgets.microsoft.com, change all instances of DC=x in the file to DC=widgets, DC=microsoft, DC=com.
- Use the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf file into Active Directory Domain Services.
For example, the following command line will import the schema extensions into Active Directory Domain Services, turn on verbose logging, and create a log file during the import process: ldifde –i –f ConfigMgr_ad_schema.ldf –v –j <location to store log file>
- To verify that the schema extension was successful, you can review the log file created by the command line used in step 3.
- If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.
Note
To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.
** **
Create the System Management Container
Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services
Tip
You can grant the site servers computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container.
Use ADSI Edit to create the System Management container in Active Directory Domain Services. For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the Active Directory Domain Services documentation.
** **
To manually create the System Management container
- Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
- Run ADSI Edit, and connect to the domain in which the site server resides.
- Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object.
- In the Create Object dialog box, select Container, and then click Next.
- In the Value box, type System Management, and then click Next.
- Click Finish to complete the procedure.
** **
Set Security Permissions on the System Management Container
After you have created the System Management container in Active Directory Domain Services, you must grant the site server's computer account the permissions that are required to publish site information to the container.
** **
Important
The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.
You can grant the necessary permissions by using the Active Directory Users and Computers administrative tool or the Active Directory Service Interfaces Editor (ADSI Edit). For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc).
Note
The following procedures are provided as examples of how to configure Windows Server 2008 R2 computers. If you are using a different operating system version, like Windows Server 2012 R2, refer to that operating system’s documentation for information about how to make similar configurations.
** **
To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool
- Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.
- Click View, and then click Advanced Features.
- Expand the System container, right-click System Management, and then click Properties.
- In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
- Click Advanced, select the site server’s computer account, and then click Edit.
- In the Apply to list, select This object and all descendant objects.
- Click OK and then close the Active Directory Users and Computers administrative tool to complete the procedure.
** **
To apply permissions to the System Management container by using the ADSI Edit console
- Click Start, click Run, and enter adsiedit.msc to open the ADSIEdit console.
- If necessary, connect to the site server's domain.
- In the console pane, expand the site server's domain, expand DC=<server distinguished name>, and then expand CN=System. Right-click CN=System Management, and then click Properties.
- In the CN=System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
- Click Advanced, select the site server’s computer account, and then click Edit.
- In the Apply onto list, select This object and all descendant objects.
- Click OK to close the ADSIEdit console and complete the procedure.
** **
Enable Active Directory publishing for the Configuration Manager site
In addition to extending the Active Directory schema, creating the System Management container, and setting permissions for that container, you must enable Configuration Manager to publish site data to Active Directory Domain Services. For information about how to publish site data, see Planning for Publishing of Site Data to Active Directory Domain Services.
Configure Windows-Based Servers for Configuration Manager Site System Roles
Before you can use a Windows Server with System Center 2012 Configuration Manager, you must ensure that the computer is configured to support Configuration Manager operations. Use the information in the following sections to configure Windows servers for Configuration Manager. For more information about site system role prerequisites, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.
Note
The procedures in the following sections are provided as examples of how to configure Windows Server 2008 or Windows Server 2008 R2 computers. If you are using a different operating system version, like Windows Server 2012 R2, refer to that operating system’s documentation for information about how to make similar configurations.
** **
Remote Differential Compression
Site servers and distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. If RDC is not enabled, you must enable it on these site system servers.
Use the following procedure as an example of how to enable Remote Differential Compression on Windows Server 2008 and Windows Server 2008 R2 computers. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.
** **
To configure Remote Differential Compression for Windows Server 2008 or Windows Server 2008 R2
- On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.
- On the Select Features page, select Remote Differential Compression, and then click Next.
- Complete the wizard and close Server Manager to complete the configuration.
** **
Internet Information Services (IIS)
Several site system roles require Internet Information Services (IIS). If IIS is not already enabled, you must enable it on site system servers before you install a site system role that requires IIS. In addition to the site system server, the following site systems roles require IIS:
- Application Catalog web service point
- Application Catalog website point
- Distribution point
- Enrollment point
- Enrollment proxy point
- Fallback status point
- Management point
- Software update point
The minimum version of IIS that Configuration Manager requires is the default version that is supplied with the operating system of the server that runs the site system.
For example, when you enable IIS on a Windows Server 2008 computer that you plan to use as a distribution point, IIS 7.0 is installed. You can also install IIS 7.5. If you enable IIS on a Windows 7 computer for a distribution point, IIS 7.5 is automatically installed. You cannot use IIS version 7.0 for distribution point that runs Windows 7.
Use the following procedure as an example of how to install IIS on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.
** **
To install Internet Information Services (IIS) on Windows Server 2008 and Windows Server 2008 R2 computers
- On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.
- On the Select Features page of the Add Features Wizard, install any additional features that are required to support the site system roles you install on this computer. For example, to add BITS Server Extensions:
-
- For Windows Server 2008, select the BITS Server Extensions check box. For Windows Server 2008 R2, select the Background Intelligent Transfer Services (BITS) check box. When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role, and then click Next.
- Tip
If you are configuring computer that will be a site server or distribution point, ensure the check box for Remote Differential Compression is selected.
- On the Web Server (IIS) page of the Add Features Wizard, click Next.
- On the Select Role Services page of the Add Features Wizard install any additional role services that are required to support the site system roles you install on this computer. For example, to add ASP.NET and Windows Authentication:
- In the Management Tools node, for IIS 6 Management Compatibility, ensure that both the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are selected, and then click Next.
- On the Confirmation page, click Install, complete the wizard, and close Server Manager to complete the configuration.
-
- For Application Development, select the ASP.NET check box and, when prompted, click Add Required Role Services to add the dependent components.
- For Security, select the Windows Authentication check box.
** **
Request Filtering for IIS
By default, IIS blocks several file name extensions and folder locations from access by HTTP or HTTPS communication. If your package source files contain extensions that are blocked in IIS, you must configure the requestFiltering section in the applicationHost.config file on distribution point computers.
The following file name extensions are used by Configuration Manager for packages and applications. Allow the following file name extensions on distribution points:
- .PCK
- .PKG
- .STA
- .TAR
For example, you might have source files for a software deployment that include a folder named bin, or that contain a file with the . mdb file name extension. By default, IIS request filtering blocks access to these elements. When you use the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point. In this scenario, the clients indicate that they are waiting for content. To enable the clients to download this content by using BITS, on each applicable distribution point, edit the requestFiltering section of the applicationHost.config file to allow access to the files and folders in the software deployment.
Important
Modifications to the requestFiltering section apply to all websites on that server. This configuration increases the attack surface of the computer. The security best practice is to run Configuration Manager on a dedicated web server. If you must run other applications on the web server, use a custom website for Configuration Manager. For information about custom websites, see the Planning for Custom Websites with Configuration Manager section in Planning for Site Systems in Configuration Manager.
Use the following procedure as an example of how to modify requestFiltering on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.
To configure request filtering for IIS on distribution points
- On the distribution point computer, open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config\ directory.
- Search for the <requestFiltering> section.
- Determine the file name extensions and folder names that you will have in the packages on this distribution point. For each extension and folder name that you require, perform the following steps:
- Save and close the applicationHost.config file to complete the configuration.
-
If it is listed as a fileExtension element, set the value for allowed to true.
For example, if your content contains a file with an .mdb extension, change the line <add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb" allowed="true" />.
Allow only the file name extensions required for your content.
If it is listed as a <hiddenSegments> element, delete the entry that matches the file name extension or folder name from the file.
For example, if your content contains a folder with the label of bin, remove the line <add segment=”bin” /> from the file.
Check list of where IIS features installed:
Role service |
Status |
---|---|
Web Server |
Installed |
Common HTTP Features |
Installed |
Static Content |
Installed |
Default Document |
Installed |
Directory Browsing |
Installed |
HTTP Errors |
Installed |
HTTP Redirection |
Installed |
Web Dav Publishings |
Installed |
Application Development |
Installed |
ASP.NET |
Installed |
.NET Extensibility |
Installed |
ASP |
Installed |
CGI |
Not installed |
ISAPI Extensions |
Installed |
ISAPI Filters |
Installed |
Server Side Includes |
Not installed |
Health and Diagnostics |
Installed |
HTTP Logging |
Installed |
Logging Tools |
Installed |
Request Monitor |
Installed |
Tracing |
Installed |
Custom Logging |
Not installed |
ODBC Logging |
Not installed |
Security |
Installed |
Basic Authentication |
Installed |
Windows Authentication |
Installed |
Digest Authentication |
Not installed |
Client Certificate Mapping Authentication |
Not installed |
IIS Client Certificate Mapping Authentication |
Not installed |
URL Authorization |
Installed |
Request Filtering |
Installed |
IP and Domain Restriction |
Installed |
Performance |
Installed |
Static Content Compression |
Installed |
Dynamic Content Compression |
Not installed |
Management Tools |
Installed |
IIS Management Console |
Installed |
IIS Management Scripts and Tools |
Installed |
Management Service |
Installed |
IIS 6 Management Compatibility |
Installed |
IIS 6 Metabase Compatibility |
Installed |
IIS 6 WMI Compatibility |
Installed |
IIS 6 Scripting Tools |
Installed |
IIS 6 Management Console |
Installed |
FTP Publishing Service |
Not installed |
FTP Server |
Not installed |
FTP Management Console |
Not installed |
** **
Download & Install ADK 8.1
Click Here for ADK 8.1
Install SQL Server:
- From the SQL install media run setup.exe \ Installation \ "New Installation or add features to an existing Installation" \ OK.
- Enter product Key if applicable \ Next \ "I accept..." \ Next \ Install \ Next \ Next.
- Tick Database Engine Services \ Tick Management Tools (Basic and Complete) \ Next
- Next \ Accept the defaults \ Next \ Next.
- On the Server configuration Page \ Select "Use the same account for all SQL Server services \Select the User you created originally (sqladmin) \ Set the SQL Server Agent and SQL Server Database Engine Startup type to "Automatic" \ Next.
- Accept "Windows Authentication" \ Add in your SCCM-ADMIN group and SQL-ADMIN group \ Next \ Next \ Next \ Install.
- When it's completed click close.
Prepare Active Directory for SCCM
- Extend the schema \ From the install media \ SMSSETUP \ BIN \ 1386 \ extadsch.exe
- Check the above was successful by opening the c:\extADsch.txt file it should say ""successfully extended the Active Directory Schema".