Still in ADSI Edit, right-click the System Management container we just created and click Properties. On the Security tab, add your SCCM site server's computer account (click Object Types… and include Computers, or the search will not find it) and give it Full Control. Then click Advanced, edit that entry, and set Apply to: This object and all descendant objects. Then close ADSI Edit.
Next browse to the System OU and then right-click on System Management > Delegate Control.
You will be prompted for the user, group, or computer to delegate control to. We want to give the SCCM server this permission, so click Object Types…, select Computers, search for your server, and click Next.
We want to create a Custom Task.
We want this control to apply to "This folder, existing objects in this folder, and creation of new objects in this folder", so leave that option selected.
Make sure all three permission boxes (General, Property-specific, and Creation/deletion of specific child objects) are checked, then select Full Control.
Finish out the wizard.
While we are in Active Directory, we will create two SCCM accounts: the SCCM Agent account and the SCCM Service account. The SCCM Agent account is used to push the SCCM client to remote machines, so it needs administrator rights on every machine where the client will be installed; to keep things simple I am going to grant this account Domain Admin rights. (Client push only requires local Administrators membership on the target machines, and an account with Domain Admin rights that is used against every managed machine is a high-value target, so scope it down to a dedicated group if you can.) The SCCM Service account will run the SQL services on the remote SQL server.
I created a new user named domain\sccm.agent and added it to the Domain Admins group. I also created a user named domain\sccm.service. Make sure you select Password Never Expires on both accounts, or you'll have an issue at some point in the future ;) Since these passwords will not rotate, use long, randomly generated ones.
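The same Active Directory preparation (container permissions and the two accounts) as a PowerShell script, so it can be repeated and verified. This is an added example, not code from the original post; it assumes the ActiveDirectory module from RSAT is available and that you run it as a Domain Admin, and it uses placeholder names: SCCM01 for the site server, the domain taken from Get-ADDomain, and sccm.agent / sccm.service for the accounts.

```powershell
# Added example (not from the original post). Assumes RSAT's ActiveDirectory
# module and a Domain Admin session. SCCM01 is a placeholder site server name.
Import-Module ActiveDirectory

$siteServerName = 'SCCM01'                                      # placeholder
$domainDN       = (Get-ADDomain).DistinguishedName
$systemDN       = "CN=System,$domainDN"
$containerDN    = "CN=System Management,$systemDN"

# 1. Create the System Management container if it does not exist yet.
try   { $null = Get-ADObject -Identity $containerDN -ErrorAction Stop }
catch { New-ADObject -Name 'System Management' -Type container -Path $systemDN }

# 2. Grant the site server's computer account Full Control on the container,
#    inherited by every descendant object (the GUI's
#    "This object and all descendant objects").
$siteServer = Get-ADComputer -Identity $siteServerName
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
           -ArgumentList $siteServer.SID, $rights, $allow, $inherit

$acl = Get-Acl -Path "AD:\$containerDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 3. The two accounts. Password Never Expires means they will not rotate,
#    so use long random passwords.
$agentPwd   = Read-Host -AsSecureString 'Password for sccm.agent'
$servicePwd = Read-Host -AsSecureString 'Password for sccm.service'
New-ADUser -Name 'sccm.agent'   -SamAccountName 'sccm.agent'   -AccountPassword $agentPwd `
           -Enabled $true -PasswordNeverExpires $true -Description 'ConfigMgr client push account'
New-ADUser -Name 'sccm.service' -SamAccountName 'sccm.service' -AccountPassword $servicePwd `
           -Enabled $true -PasswordNeverExpires $true -Description 'ConfigMgr SQL service account'

# The post puts the push account in Domain Admins. Client push only needs local
# Administrators on the target machines, so a dedicated group that a GPO adds to
# local Administrators is the least-privilege option; this line matches the post.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'sccm.agent'

# 4. Verify the ACE actually landed, with InheritanceType = All.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference -like "*\$siteServerName`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

The final Get-Acl is the check worth keeping: if the entry shows ActiveDirectoryRights of GenericAll but InheritanceType of None, the site server can write to the container itself but not to the site objects it creates beneath it, which is the most common reason AD publishing later fails.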
Now, we’ll need to extend the Active Directory Schema.
On your System Center Configuration Manager 2012 ISO, navigate to SMSSETUP > BIN > X64. In that directory there is a file named extadsch.exe, right-click that file and Run as Administrator.
Note – This can be run from any domain-joined machine that can reach a domain controller; the change itself is written to the schema master. You also need to be logged on as a member of Schema Admins, or use Run as… with such an account. Group membership is only picked up at logon, so if you were just added to Schema Admins, log off and back on first.
A command window will appear briefly and then disappear. Check C:\ExtADSch.log to confirm it completed successfully. Here is a sample of what a successful attempt looks like:
<08-05-2012 15:48:35> Modifying Active Directory Schema – with SMS extensions.
<08-05-2012 15:48:35> DS Root:CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=local
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Site-Code.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Site-Boundaries.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Default-MP.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Device-Management-Point.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-MP-Name.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-MP-Address.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Health-State.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Source-Forest.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<08-05-2012 15:48:36> Defined attribute cn=MS-SMS-Ranged-IP-High.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Version.
<08-05-2012 15:48:36> Defined attribute cn=mS-SMS-Capabilities.
<08-05-2012 15:48:37> Defined class cn=MS-SMS-Management-Point.
<08-05-2012 15:48:37> Defined class cn=MS-SMS-Server-Locator-Point.
<08-05-2012 15:48:37> Defined class cn=MS-SMS-Site.
<08-05-2012 15:48:37> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<08-05-2012 15:48:37> Successfully extended the Active Directory schema.
<08-05-2012 15:48:37> Please refer to the ConfigMgr documentation for instructions on the manual
<08-05-2012 15:48:37> configuration of access rights in active directory which may still
<08-05-2012 15:48:37> need to be performed. (Although the AD schema has now be extended,
<08-05-2012 15:48:37> AD must be configured to allow each ConfigMgr Site security rights to
<08-05-2012 15:48:37> publish in each of their domains.)
If you see error 5 (access denied) in the log after attempting the schema extension, go back and make sure the account you ran it as is a member of Schema Admins. Domain Admin permissions will not suffice for this.
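A pre-flight and post-check for the schema extension, so the error 5 case is caught before extadsch.exe runs and success is confirmed against the schema itself rather than only the log. This is an added example, not from the original post; it assumes RSAT's ActiveDirectory module, uses D:\ as a placeholder for the mounted SCCM 2012 ISO, and assumes you are running in the forest root domain (Schema Admins lives there).

```powershell
# Added example (not from the original post). Assumes RSAT's ActiveDirectory
# module; D:\ is a placeholder for the mounted SCCM 2012 ISO.
Import-Module ActiveDirectory

$extAdSch = 'D:\SMSSETUP\BIN\X64\extadsch.exe'                  # placeholder path
$logPath  = Join-Path $env:SystemDrive 'ExtADSch.log'
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Pre-flight: the running token must carry Schema Admins. Domain Admins is
#    not enough (the log shows error 5), and a membership added after logon is
#    not in the token until you log on again.
$schemaAdminsSid = (Get-ADGroup -Identity 'Schema Admins').SID.Value
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
             ForEach-Object { $_.Value }
if ($tokenSids -notcontains $schemaAdminsSid) {
    throw 'Current token is not a member of Schema Admins; log on again with a Schema Admin account.'
}
Write-Host ("Schema master: {0}" -f (Get-ADForest).SchemaMaster)

# 2. Run the extension and wait for it (the console window closes on its own).
Start-Process -FilePath $extAdSch -Wait -NoNewWindow

# 3. Read the log: success ends with "Successfully extended the Active Directory schema."
$log = Get-Content -Path $logPath
if ($log -match 'Successfully extended the Active Directory schema') {
    Write-Host 'extadsch.exe reports success.'
} else {
    $log | Select-String -Pattern 'fail|error' | ForEach-Object { Write-Warning $_.Line }
    throw "Schema extension did not succeed; see $logPath"
}

# 4. Independent check against the schema partition: one attribute and one
#    class that the log says were defined.
foreach ($cn in 'MS-SMS-Site-Code', 'MS-SMS-Site') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(cn=$cn)" -Properties lDAPDisplayName
    if ($obj) { Write-Host ("Present: cn={0} (lDAPDisplayName {1})" -f $cn, $obj.lDAPDisplayName) }
    else      { Write-Warning "Missing from schema: cn=$cn" }
}
```

Step 4 is what you want when the log is ambiguous or has been overwritten by a later run: the cn=MS-SMS-* objects either exist under the schema naming context or they do not, regardless of what any log file says.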
Congratulations! At this point, Active Directory is ready for SCCM 2012 installation.
Preparation of the System Center Servers
Before proceeding with the server configuration, it is important to understand which site system roles I plan to implement in my SCCM deployment. Below is how I am going to distribute the roles; note that I am not going to use every available role, just the ones I need:
SCCM Server Roles (10 total):
– Application Catalog Web Service Point
– Application Catalog Website Point
– Asset Intelligence Synchronization Point
– Component Server
– Distribution Point
– Endpoint Protection Point
– Fallback Status Point
– Management Point
– Site Server
– Site System
SCCM SQL Server Roles (4 total):
– Component Server
– Reporting Services Point
– Site Database Server
– Site System
For more information on the site system roles, see Microsoft's documentation.
Here is where we will make sure that our System Center server and backend SQL server are prepared for installation.
SCCM Server:
– Install Roles and Features
– Configure WebDAV (carried over from the 2007 checklist; Configuration Manager 2012 distribution points no longer require WebDAV, and it is not configured below)
– Configure local firewall rules
Launch Server Manager, and install the Web Server (IIS) Role.
Make sure that you include all of the following components. I've added multiple screenshots here to make it easier to see what is needed.
Once the Web Server (IIS) role installation has completed, you will also need to install the Windows Server Update Services (WSUS) role. Install this role, but DO NOT configure it at this time: cancel out of the WSUS Configuration Wizard that appears after the role is installed.
Very important: when installing the WSUS role, choose a custom website rather than the Default Web Site (WSUS will then listen on port 8530), because SCCM uses the Default Web Site.
Let's move on to configuring the local firewall on the SCCM server. Launch the Windows Firewall with Advanced Security utility (Start > Administrative Tools > Windows Firewall with Advanced Security).
Select Inbound Rules and make sure that all three default WMI rules are Enabled; they are disabled by default, and WMI communication to the SCCM server is essential. These rules are Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (DCOM-In), and Windows Management Instrumentation (WMI-In).
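The SCCM server preparation above (IIS components, the WSUS website check, and the WMI firewall rules) as a script. This is an added example, not from the original post, and it assumes Windows Server 2008 R2 with the ServerManager and WebAdministration modules. The IIS feature list is my reading of Microsoft's 2012 site system prerequisites, not the post's screenshots, so compare it against those before relying on it; WSUS itself is still installed through Server Manager as the post describes.

```powershell
# Added example (not from the original post). Runs on the SCCM site server;
# feature names are from the Windows Server 2008 R2 ServerManager module.
Import-Module ServerManager

# IIS components for the site server / MP / DP / Application Catalog roles.
# Assumption: this is my reading of Microsoft's prerequisite list.
$iisFeatures = @(
    'Web-Server',
    'Web-Static-Content', 'Web-Default-Doc',                              # Common HTTP
    'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',     # Application Development
    'Web-Windows-Auth', 'Web-Filtering',                                  # Security
    'Web-Http-Logging', 'Web-Request-Monitor', 'Web-Http-Tracing',        # Health and Diagnostics
    'Web-Mgmt-Console', 'Web-Metabase', 'Web-WMI', 'Web-Lgcy-Scripting',  # Mgmt Tools / IIS 6 compat
    'Web-Scripting-Tools', 'Web-Mgmt-Service'
)
# Non-IIS prerequisites: BITS (+ IIS server extensions) for MP/DP, RDC for the site server.
$otherFeatures = @('BITS', 'BITS-IIS-Ext', 'RDC')

$result = Add-WindowsFeature ($iisFeatures + $otherFeatures)
if (-not $result.Success) { throw 'Feature installation failed; check Server Manager for details.' }
Write-Host ("Restart needed: {0}" -f $result.RestartNeeded)

# After WSUS has been installed through Server Manager (custom website, wizard
# cancelled), confirm it got its own site on 8530 and did not take the Default Web Site.
Import-Module WebAdministration
Get-Website | Select-Object Name, State, PhysicalPath
$wsusBinding = Get-WebBinding -Port 8530
if (-not $wsusBinding) {
    Write-Warning 'No site is bound to port 8530: WSUS may have been installed into the Default Web Site.'
}

# Enable the three inbound WMI rules (and the group's outbound rule) in one go,
# then show the WMI-In rule to confirm it is enabled.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
netsh advfirewall firewall show rule name="Windows Management Instrumentation (WMI-In)" dir=in
```

Enabling the rule group is the same change as ticking the three rules in the console; the show command afterwards is the part to keep in your build notes, since a disabled WMI-In rule is the usual cause of the site server being unable to manage its own site systems.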
SCCM SQL Server:
*Note – You can also use SQL Server 2008 Standard Edition at a specific patch level; check Microsoft's supported SQL Server versions for the required service pack and cumulative update.
I am going to use Reporting from within SCCM. If you plan to host the Reporting Services point on this server, install, but do not configure, the Reporting Services feature during the SQL installation.
Let's move on to configuring the local firewall on the SQL server. Launch the Windows Firewall with Advanced Security utility (Start > Administrative Tools > Windows Firewall with Advanced Security).
Right-click Inbound Rules and select Create New Rule
Select Port
Leave TCP selected and type in 1433, 4022. These are the two ports SCCM needs on the SQL server: 1433 for the SQL Server database engine and 4022 for the SQL Server Service Broker.
Allow the connection.
I applied my rule to all profiles, in case of any unforeseen Network Location Awareness (NLA) service errors. If you want to tighten it, scope the rule's Remote IP address to the SCCM server rather than leaving it open to any address.
Give your rule a name. I chose “SCCM_SQL_Ports” for mine.
The last thing we need to configure is adding the SCCM server's computer account to the local Administrators group on the SQL server; the site server needs these rights to manage SQL Server and Reporting Services. We also add the SCCM Service account to the local Administrators group so it can run the SQL services. (Strictly speaking, a SQL service account does not need local administrator rights: SQL Server Configuration Manager grants the file, registry and service permissions the account needs when you assign it there, so that second addition is a convenience rather than a requirement.)
On the SQL server, open Server Manager and browse to Configuration > Local Users and Groups > Groups. Double-click the Administrators group and click Add…, then click Object Types… and include Computers. Enter the SCCM server name and your SCCM Service account, click OK, then OK again, and close Server Manager.
Next, set the SQL services to run as the SCCM Service account. Use SQL Server Configuration Manager (under Configuration Tools in the SQL Server program group) rather than services.msc: right-click SQL Server (MSSQLSERVER), click Properties, and on the Log On tab enter the SCCM Service account credentials, then click Apply and OK. Configuration Manager updates the ACLs the account needs, whereas services.msc only changes the logon. Repeat this for SQL Server Agent, Reporting Services, and Integration Services (if installed).
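The SQL server side of the preparation (the firewall rule, local Administrators membership, the service logon change, and the SPN registration that a domain service account needs for Kerberos) as one script. This is an added example, not from the original post; it runs on the SQL server, assumes the SQL client tools (SMO / SQL WMI provider) are installed there, and uses placeholders throughout: SCCM01 / 10.0.0.10 for the site server, SQL01.domain.local for this host, and DOMAIN\sccm.service for the service account. The Integration Services service name MsDtsServer100 is the SQL Server 2008 R2 name and is an assumption.

```powershell
# Added example (not from the original post). Runs on the SQL server.
# Placeholders: SCCM01 / 10.0.0.10 (site server), SQL01.domain.local (this
# host), DOMAIN\sccm.service (service account).
$domain       = 'DOMAIN'
$sccmServer   = 'SCCM01'
$sccmServerIp = '10.0.0.10'
$sqlFqdn      = 'SQL01.domain.local'
$serviceUser  = "$domain\sccm.service"

# 1. Inbound 1433 (database engine) and 4022 (Service Broker). The post allows
#    any source address; scoping remoteip to the site server is the safer default.
netsh advfirewall firewall add rule name="SCCM_SQL_Ports" dir=in action=allow `
      protocol=TCP localport=1433,4022 remoteip=$sccmServerIp profile=any

# 2. Local Administrators: the site server's computer account is required.
#    The post also adds the service account; SQL Server Configuration Manager
#    grants a service account what it needs, so that line is optional.
net localgroup Administrators "$domain\$sccmServer`$" /add
net localgroup Administrators $serviceUser /add

# 3. Change the service logon through the SQL WMI provider, which is what
#    SQL Server Configuration Manager uses, so file/registry ACLs are updated
#    (services.msc only changes the logon).
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$servicePassword = Read-Host 'Password for sccm.service'   # SetServiceAccount takes a plain string
$mc = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
foreach ($name in 'MSSQLSERVER', 'SQLSERVERAGENT', 'ReportServer', 'MsDtsServer100') {
    $svc = $mc.Services[$name]
    if ($svc -eq $null) { Write-Host "$name not installed, skipping"; continue }
    $svc.SetServiceAccount($serviceUser, $servicePassword)
    Write-Host ("{0} now runs as {1}; restart it for the change to take effect" -f $name, $svc.ServiceAccount)
}

# 4. Kerberos: with SQL running under a domain account, the MSSQLSvc SPNs must
#    sit on that account. setspn -S refuses to create a duplicate SPN.
$sqlHost = $sqlFqdn.Split('.')[0]
setspn -S "MSSQLSvc/${sqlFqdn}:1433" $serviceUser
setspn -S "MSSQLSvc/${sqlHost}:1433" $serviceUser
setspn -L $serviceUser
```

Step 4 is the piece the GUI walkthrough does not cover: once the database engine runs as DOMAIN\sccm.service instead of a built-in account, Kerberos authentication from the site server only works if the MSSQLSvc SPNs are registered on that account, and a missing or duplicate SPN shows up later as NTLM fallback or as "Cannot generate SSPI context" errors.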
At this point, Active Directory, the SCCM server, and the SCCM SQL server are all ready for the System Center Configuration Manager 2012 installation!
In Part II, I will be covering the Certificate Configuration then we’ll move on to the SCCM 2012 installation in Part III.
If you have any questions or comments, feel free to comment below.
For further information on System Center, you can reference Microsoft's official System Center documentation.