using System Center 2012 Configuration Manager - Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent


138 replies to this topic

#1 anyweb

Posted 03 June 2012 - 07:10 PM

In Part 1 of this series we created our new LAB, we got the System Center 2012 Configuration Manager ISO and extracted it, then copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container, extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites like .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory configurations prior to running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS).

In Part 2 we set up our Primary server with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. Then we configured Discovery methods for our Hierarchy and then configured Boundaries and Boundary Groups.

In Part 3 we configured Discovery methods and configured boundaries and created a boundary group, we then configured them for Automatic Site Assignment and Content Location.

In Part 4 we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and then deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings.

Now we will install the WSUS server role (it is required for the Software Update Point role). We will then install the Software Update Point role on our CAS and Primary servers and we will configure the SUP to support ConfigMgr Client Agent deployment which is a recommended Best Practice method of deploying the Configuration Manager Client Agent.

Recommended Reading
Planning for Software Updates in Configuration Manager - http://technet.micro...y/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager - http://technet.micro...y/hh237372.aspx
Configuring Software Updates in Configuration Manager - http://technet.micro...y/gg712312.aspx

Planning for Client Deployment in Configuration Manager - http://technet.micro...y/gg682136.aspx
Prerequisites for Client Deployment in Configuration Manager - http://technet.micro...y/gg682042.aspx
Best Practices for Client Deployment in Configuration Manager - http://technet.microsoft.com/en-us/library/gg681994.aspx


Step 1. Add the WSUS Update Services 3.0 SP2 role
Note: Perform the following on the CAS server as SMSadmin

Before starting this step create a folder on D:\ called sources and share it as sources, give Everyone Read access.

sources share.png

The share is created, click done when ready.

cas sources share.png

Note: Repeat the above on the Primary server P01.

p01 sources.png

Start Server Manager and click on Roles. Click on Add Roles to Add the WSUS Server Role.

add roles.png

the Select Server Roles wizard appears, place a checkmark in Windows Server Update Services (WSUS)

Select Server roles.png

when prompted to add role services required for Windows Server Update Services click on Add Required Role Services to continue

add role services required for Windows Server Update Services.png

now you can see WSUS is selected, click next..

wsus selected.png

click next at the introduction to Web Server (IIS)

introduction to Web Server (IIS).png

the IIS Role services will already be selected, click next

role services already selected.png

click next through the wizard and click Install to start installing the WSUS role, the role will be downloaded from the Internet so make sure you are connected to the internet before doing this step.

Tip: If you cannot connect to the Internet then try downloading WSUS30-KB972455-x64 from here and installing that instead.

install wsus.png

after downloading the role, the Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard appears
Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard.png

click next to start installing the role, accept the EULA to continue

i accept the license agreement.png

when prompted to Select Update Source, change the path to D:\Sources\WSUS, also make sure the Store Updates Locally option is selected.

Tip: In Production, as a best practice, select Store updates locally so that license terms that are associated with software updates are downloaded during the synchronization process and stored on the local hard drive for the WSUS server. When this setting is not selected, client computers might fail to scan for software updates compliance for software updates that have license terms. When you install the active software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes, by default.

d sources wsus.png

change the database option to Use an Existing Database on this computer and click next

use an existing database on this server.png

click next and watch it connecting to SQL Server Instance

Tip: In Production, as a best practice consider using a different SQL Server instance for the Configuration Manager database and WSUS database. This will make it easier to troubleshoot and diagnose resource usage issues that might occur for each application.

connecting to SQL Server Instance.png

In web site selection select Create a Windows Server Update Services 3.0 SP2 Web Site

Tip: In Production, as a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTP and you must configure your Active Software Update Point accordingly.

web site preference.png

click next at the ready to install screen

ready to install wsus.png

Click Finish when done.

finish WSUS installation.png

The Windows Server Update Services Configuration Wizard will appear after a few moments, Cancel it.

cancel.png

and then you can finally close the add roles wizard

close wsus wizard.png

Note: Repeat the above (installation of the WSUS server role) on your Primary server P01.

Step 2. Add the Software Update Point role
Note: Perform the following on the CAS server as SMSadmin

In a Configuration Manager hierarchy, install and configure the software update point on the central administration site before you install it on any other site. The software update point at the central administration site is typically configured to synchronize with Microsoft Update, retrieving the software updates metadata based on the criteria that you specify in the software update point properties. Before you install the software update point site system role, you must verify that the server meets required dependencies and determine the software update point infrastructure on the site. For more information about planning for software updates and to determine your software update point infrastructure, see Planning for Software Updates in Configuration Manager.

In the Administration workspace, select Site Configuration and select our CAS site server, right click and choose Add Site System roles.

add site system roles.png

The Add Site System Roles Wizard appears, if you want to change accounts do so now otherwise click next

add site role wizard.png

on the Specify Roles for this server screen, select Software Update Point

software update point.png

on the specify software update point settings screen you can specify a proxy and connection account if you are using one.

specify software update point settings.png

select Use this server as the Active Software Update Point and then select WSUS is configured to use a custom website as per the screenshot below

wsus is configured to use a custom website.png

select Synchronize from Microsoft Update

synchronize from microsoft update.png

set the Synchronization Schedule to Run every 1 days as you want to synchronize daily for Endpoint Protection definition updates, and select the Alert checkbox as per the screenshot below.

synchroization schedule.png

set your Supersedence Rules as you wish

Supersedence Rules.png

choose your Classifications, if you want to use Endpoint Protection then select Definition Updates otherwise none will appear when you synchronize

Classifications.png

select the Products you wish to support, don't worry about making any choices here at this point as some products won't appear in this list until after you've completed your first successful sync.

Tip: you may want to remove all current selections in Products like Operating System and Office versions otherwise your first sync will take quite some time to complete.

products.png

select your Languages

Languages.png

and click through to completion of the wizard.

Add Site System  Roles Wizard completed successfully.png

Note: Repeat the above on the Primary Site server P01

p01 site role added.png

Tip: the difference you'll note when adding the SUP role on the Primary is that you cannot select to synchronize from Microsoft Update as it will automatically select to synchronize from an upstream server. This is expected as it will synchronize from the CAS server.

synchronize from an upstream server.png

Step 3. Configure Active Directory GPO
Note: Perform the following on the Active Directory server AD1 as a Domain Administrator

Software update-based client installation publishes the System Center 2012 Configuration Manager client to a software update point as an additional software update. This method of client installation can be used to install the System Center 2012 Configuration Manager client on computers that do not already have the client installed or to upgrade existing System Center 2012 Configuration Manager clients.

Note: To use software update-based installation, you must use the same Windows Server Update Services (WSUS) server for client installation and software updates. This server must be the active software update point in a primary site (in other words, our Primary site P01). For more information, see Configuring Software Updates in Configuration Manager.

 

Tip: If you would prefer to use Client Push to install the Configuration Manager client agent, see Step 3 of this post.

Open Group Policy Management, right click and choose create a GPO in this domain and link it here

create a GPO in this domain and link it here.png

give it a suitable name like Configuration Manager Client Installation

Configuration Manager Client Installation.png

Right click your newly created GPO, select Edit, select and expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click on Windows Update

windows update.png

select Specify intranet Microsoft update service location, and set it to Enabled, and enter the fully qualified domain name (FQDN) and port of our primary server Software Update Point (SUP) as per the screenshot below:

Specify Intranet Microsoft update service location.png


Step 4. Configure Client Installation Settings on P01
Note: Perform the following on the Primary server P01 as SMSAdmin

Navigate to the Administration workspace, select Site Configuration, Sites, and select the P01 site, click on Settings in the ribbon.

P01 selected.png

Select Client Installation Settings and then select Software Update-Based Client Installation

Software Update-Based Client Installation.png

place a checkmark in Enable software update based client installation and click apply

Enable Software-update based client installation.png

Step 5. Monitor Client installation on your computers
Note: Perform the following on your LAB computers as SMSAdmin

Now everything is in place for receiving the ConfigMgr client installation via the Software Update Point, except that your computers will probably have Windows Update disabled if they are servers. How you enable that is up to you (GPO etc). Below is a sample setting for configuring Automatic Updates via a GPO.

configure automatic updates.png

Once you have enabled Windows Update you'll see the following appear on your clients, 1 important update is available:-

1 important update is available.png

if you wait it will get installed via the schedule set in your GPO or if you are impatient you can click on Install Updates and you'll see what the locally published package actually is, it's the Configuration Manager Client.

locally published packages.png

if you check task manager you'll see CCMSETUP.EXE is running,

ccmsetup is running.png

you can also monitor the C:\Windows\CCMSetup\ccmsetup.log file to see how the installation is progressing..

c windows ccmsetup log.png

Tip: The Ccmsetup command line used to install is revealed in the ccmsetup.log file at the beginning of the LOG, and should reveal that the ccmsetup.exe file was started from C:\Windows\SoftwareDistribution\Download\Install\ccmsetup.exe, and this is because it was a Critical Windows Update.

and after a while you should see that CCMSetup installation succeeded

installation succeeded.png

and that means you can open Software Center via the start menu and it'll appear like this

software center.png

click on the Application Catalog link in Software Center and you'll see the Application Catalog appear !

application catalog.png

job done !


Troubleshooting

Once you have configured the above correctly, and your clients are installed the WUAHandler.log file on each client computer should reveal the following, look for a line that reads

Added Update Source ({.....}) of content type: 2.

wuahandler log working.png

If there is any misconfiguration of your GPO or SUP address then you'll see a lot of RED error warnings in that log, and you'll find the following lines repeated over and over, in the screenshot below the FQDN is not defined and this causes failures

Group policy settings were overwritten by a higher authority (Domain Controller) to Server http://xxxx and Policy ENABLED. Failed to Add Update Source for WUAgent of type (2) and id ({.....}). Error = 0x87d00692

Failed to Add Update Source for WUAgent of type (2) and id.png

The next part in this series is: Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies.


Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog
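
The Troubleshooting check from the first post, as an added PowerShell example that is not part of the original thread: it scans WUAHandler.log lines for the success and failure messages quoted above and compares the server named in the failure against the SUP address the GPO should carry. `Get-WuaHandlerStatus`, the host name `p01.lab.example`, the log folder in the last comment and the CMTrace-wrapped sample lines are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Get-WuaHandlerStatus and its
# parameters are hypothetical names; the sample log lines are constructed.
function Get-WuaHandlerStatus {
    [CmdletBinding()]
    param(
        # Lines read from WUAHandler.log, plain or CMTrace-wrapped.
        [Parameter(Mandatory = $true)] [AllowEmptyString()] [string[]] $Line,
        # SUP URL the GPO is meant to set: FQDN and port of the primary's SUP.
        [Parameter(Mandatory = $true)] [uri] $ExpectedSup
    )
    $added = 0; $failed = 0; $last = 'NoScanYet'
    $codes   = New-Object 'System.Collections.Generic.List[string]'
    $servers = New-Object 'System.Collections.Generic.List[string]'

    foreach ($text in $Line) {
        # Success marker quoted in the Troubleshooting section.
        if ($text -match 'Added Update Source \(.*?\) of content type: 2') {
            $added++; $last = 'OK'
        }
        # Failure marker; keep the error code so it can be reported.
        if ($text -match 'Failed to Add Update Source for WUAgent.*?Error = (0x[0-9A-Fa-f]{8})') {
            $failed++; $last = 'Failed'
            if (-not $codes.Contains($Matches[1])) { $codes.Add($Matches[1]) }
        }
        # The server value the domain GPO actually handed to the agent.
        if ($text -match 'overwritten by a higher authority.*? to Server (\S+) and Policy') {
            if (-not $servers.Contains($Matches[1])) { $servers.Add($Matches[1]) }
        }
    }

    # Compare every server value seen in the log with the intended SUP.
    $findings = New-Object 'System.Collections.Generic.List[string]'
    foreach ($s in $servers) {
        $u = $null
        if (-not [uri]::TryCreate($s, [System.UriKind]::Absolute, [ref]$u)) {
            $findings.Add("GPO server value '$s' is not a valid URL"); continue
        }
        if ($u.Host -notmatch '\.') {
            $findings.Add("GPO server '$s' uses a short name, not the FQDN")
        } elseif ($u.Host -ne $ExpectedSup.Host) {
            $findings.Add("GPO points at '$($u.Host)', expected '$($ExpectedSup.Host)'")
        }
        if ($u.Port -ne $ExpectedSup.Port) {
            $findings.Add("GPO uses port $($u.Port), expected $($ExpectedSup.Port)")
        }
    }

    [pscustomobject]@{
        Status   = $last          # outcome of the most recent add-source attempt
        Added    = $added
        Failed   = $failed
        Errors   = $codes.ToArray()
        Findings = $findings.ToArray()
    }
}

# Constructed sample: a GPO that carries a short host name and no port.
$sample = @(
    '<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to Server http://p01 and Policy ENABLED]LOG]!><time="10:02:11.512-120" date="06-03-2012" component="WUAHandler" context="" type="3" thread="2040" file="">'
    '<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({00000000-0000-0000-0000-000000000000}). Error = 0x87d00692.]LOG]!><time="10:02:11.530-120" date="06-03-2012" component="WUAHandler" context="" type="3" thread="2040" file="">'
)

Get-WuaHandlerStatus -Line $sample -ExpectedSup 'http://p01.lab.example:8530' | Format-List

# On a client, feed it the real log (default client log folder, assumed here):
#   Get-WuaHandlerStatus -Line (Get-Content "$env:WinDir\CCM\Logs\WUAHandler.log") -ExpectedSup 'http://p01.lab.example:8530'
```

The host comparison also flags a GPO that names a different server than the primary site's SUP, which the log lines alone do not make obvious.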

#2 moustafafafa

Posted 17 June 2012 - 07:09 AM

can not access Application catalog access denied
Any idea

#3 Draccusfly

Posted 21 June 2012 - 10:36 AM

Great tutorial, thanks this has saved me hours of work...

I do have an issue with this part though, I am only installing onto one server which already has WSUS installed on it so skipped the install part of the WSUS server. I have added the role to SCCM 2012 and ticked the software update-based client installation and reran "check for updates" on my test machine (i have configured it to a group with only one computer in so far) and it finds the update but it fails to install with the error "No valid source or MP locations can be identified to download content from. cmSetup cannot continue..

Any ideas where I need to look to rectify this?

Cheers
Drac

#4 Rash

Posted 10 July 2012 - 11:03 AM

Great tutorial, thanks this has saved me hours of work...

I do have an issue with this part though, I am only installing onto one server which already has WSUS installed on it so skipped the install part of the WSUS server. I have added the role to SCCM 2012 and ticked the software update-based client installation and reran "check for updates" on my test machine (i have configured it to a group with only one computer in so far) and it finds the update but it fails to install with the error "No valid source or MP locations can be identified to download content from. cmSetup cannot continue..

Any ideas where I need to look to rectify this?

Cheers
Drac


Hey there. Have a read through the recommended MS material relating to the client deployment. I think The Software Update based client install requires a fresh/clean/dedicated (whatever) WSUS server. If you're using an older WSUS catalogue, I don't think it'll work and may account for your problems.

#5 Yassein Subratty

Posted 01 August 2012 - 11:11 AM

HI,

Can the WSUS role be installed in another standalone server???

#6 anyweb

Posted 07 August 2012 - 02:24 PM

HI,

Can the WSUS role be installed in another standalone server???


sure if you want to host the SUP role on that server

#7 edgar_11

Posted 10 September 2012 - 05:24 PM

Hi

#8 edgar_11

Posted 10 September 2012 - 05:32 PM

hi!

I see that at the primary site updates are downloaded directly from the CAS, however I want to download through Windows Update, what do I have to do? is this possible?

Thanks and regards

#9 glen0200

Posted 14 September 2012 - 04:04 PM

Hey Niall,
Great GREAT tutorial so far.

I've run into a snag I can't figure out. No matter how hard I try I can't get the Config Manager Client to be pushed to WSUS.
I've looked in the logs and it says it published successfully, but don't see it anywhere in WSUS.

WCM logs on P01


WSUS Server settings are correctly configured and Upstream Server is set to CAS0.DOMAIN.com SMS_WSUS_CONFIGURATION_MANAGER 9/12/2012 8:22:43 PM 1468 (0x05BC)
Successfully connected to server: P02.DOMAINcom, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 9/12/2012 8:22:43 PM 1468 (0x05BC)
Successful published and approved package 7da1560d-a721-47a2-a110-2f6e6b248822 - 0 for Install to a0a08746-4dbe-4a37-9adf-9e7652c0b421, Deadline UTC time= 9/12/2012 3:28:56 PM SMS_WSUS_CONFIGURATION_MANAGER 9/12/2012 8:24:38 PM 1468 (0x05BC)
Successfully connected to server: P02.DOMAIN.com, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 9/12/2012 8:24:38 PM 1468 (0x05BC)
completed unpublishing previous clients SMS_WSUS_CONFIGURATION_MANAGER 9/12/2012 8:24:38 PM 1468 (0x05BC)
completed checking for client deployment SMS_WSUS_CONFIGURATION_MANAGER 9/12/2012 8:24:38 PM 1468 (0x05BC)


Any ideas on what's happening? Thanks!

#10 glen0200

Posted 14 September 2012 - 04:58 PM

Ummm, crap. Might have solved it. If anyone else has the problem, i pointed my GP for WSUS to CAS not my Primary site.

#11 Babakip

Posted 24 September 2012 - 01:54 PM

Thank you very much that you did a great job as before.

I thought that I configured my server exactly like this step by step procedure (just I do not have a CAS) and Client agents installed correctly but when I click on "Find additional application from the Application Catalog" a user name & password window appears!
I tried to uninstall the Roles and run the following command (aspnet_regiis.exe /iru) and install them again but the window still appears. Although after entering the username & password everything looks well, I think it is not normal to face such an authentication window!?

Thanks,
Bab

#12 aengel80

Posted 25 September 2012 - 03:20 AM

First off, absolutely awesome tutorials!

With that said, I'm having an issue installing the SUP role on my Primary (Standalone) Site that is running Server 2012. Everything has gone flawlessly up until this point thanks to your guides.

The issue I am having is I error out at, *see log below.
<09-24-2012 19:56:01> ====================================================================
<09-24-2012 19:56:01> SMSWSUS Setup Started....
<09-24-2012 19:56:01> Parameters: D:\Program Files\Microsoft Configuration Manager\bin\x64\rolesetup.exe /install /siteserver:FCSCCM SMSWSUS 0
<09-24-2012 19:56:01> Installing Pre Reqs for SMSWSUS
<09-24-2012 19:56:01>		 ======== Installing Pre Reqs for Role SMSWSUS ========
<09-24-2012 19:56:01> Found 1 Pre Reqs for Role SMSWSUS
<09-24-2012 19:56:01> Pre Req SqlNativeClient found.
<09-24-2012 19:56:01> SqlNativeClient already installed (Product Code: {C79A7EAB-9D6F-4072-8A6D-F8F54957CD93}). Would not install again.
<09-24-2012 19:56:01> Pre Req SqlNativeClient is already installed. Skipping it.
<09-24-2012 19:56:01>		 ======== Completed Installation of Pre Reqs for Role SMSWSUS ========
<09-24-2012 19:56:01> Installing the SMSWSUS
<09-24-2012 19:56:01> Supported WSUS Server version is not installed. Please install WSUS 3.0 SP1 Server or above.
<09-24-2012 19:56:01> Installation Failed. Error Code: 136
<09-24-2012 19:56:01> ~RoleSetup().

I correctly configured WSUS on the Windows 2012 server (service started and I can even open the WSUS Manager) but SCCM seems to not find it.

I know this is a rather unsupported question, just curious if anyone has run across this yet or not?

On a side note, if it isn't possible to set up the SUP on my Primary, should I create a Secondary Site to house the SUP?

Thank you in advance!

#13 anyweb

Posted 25 September 2012 - 06:21 PM

so is your primary server running Server 2012 ?

#14 aengel80

Posted 25 September 2012 - 08:08 PM

Yes Sirree!

Primary Site Server using Server 2012 (No CAS)

And thank you in advance. I know this is on Server 2012, just curious if you ran into this during your testing.

#15 Peter van der Woude

Posted 26 September 2012 - 06:45 PM

To install the SUP role on Windows Server 2012 (and WSUS 4.0), you need ConfigMgr 2012 SP1 (BETA)

My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude


#16 aengel80

Posted 26 September 2012 - 07:34 PM

Ah, thank you Peter. I'll give that a try!

#17 anyweb

Posted 27 September 2012 - 06:53 AM

currently SP1 BETA is NOT supported in production, so only do this in your LAB, or use the supported OS and you'll be just fine.

#18 sstalon

Posted 02 October 2012 - 06:20 PM

Awesome tutorial!.. I have run into a problem with the WSUS part.. I followed your instructions, but only added a Primary with no CAS, I am using SCCM 2012 with Server 2008 R2..

I tried to have it push the SCCM manager app, but when it tries, it gets the following error.

Fault bucket 3031434095, type 5
Event Name: WindowsUpdateFailure
Response: Not available
Cab Id: 0

The wsus is on the sccm2012.....

to add.. the test machine does find the update, and it says 1 of 1 update, and it does try to download, and then it gets stuck at installing updates (Configuration Manager Client Installation).. it stays there for a long time, and times out...

#19 anyweb

Posted 05 October 2012 - 09:06 PM

Awesome tutorial!..


thanks !

to add.. the test machine does find the update, and it says 1 of 1 update, and it does try to download, and then it gets stuck at installing updates (Configuration Manager Client Installation).. it stays there for a long time, and times out...



can you attach the windowsupdate.log file from that client ?

#20 sstalon

Posted 09 October 2012 - 12:16 PM

thanks !

can you attach the windowsupdate.log file from that client ?


I PM you the log.



