anyweb

How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 - Part 1


Introduction

UPDATE: please use the newer version of this guide here.

This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1802 as of March 29th 2018.

How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 1
How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 2
How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 3
How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 4

You can use this multi-part guide to get a hierarchy up and running on Windows Server 2016 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed (for lab use) using manual methods or automated using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager.

I will show you how to do most steps via two methods shown below, it's up to you to choose which method suits you best but I highly recommend automating everything that you can, using PowerShell.

  •     Method #1 - Do it manually
  •     Method #2 - Automate it with PowerShell

Get your lab ready

In this guide I assume you have already installed two workgroup-joined servers running Windows Server 2016; how you install the operating system is up to you. When installing the servers, choose Windows Server 2016 Standard (Desktop Experience). The servers used in this guide are configured as listed below; the SmoothWall (NAT) firewall is optional.

Server name: AD01

Server function: Domain Controller
Server status: Workgroup joined

  • IPv4 Address: 192.168.9.1
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.9.199
  • DNS: 192.168.9.1

Server name: CM01

Server function: Configuration Manager Primary site
Server status: Workgroup joined

  • IPv4 Address: 192.168.9.2
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.9.199
  • DNS: 192.168.9.1

Server name: Smoothwall

Server function: Linux firewall
Server status: 2 legacy NICs

  • eth0: 192.168.9.199
  • eth1: x.x.x.x (internet facing ip)

Step 1. Configure Active Directory Domain Services (ADDS)

Note: Perform the following steps on the AD01 server as a Local Administrator.

To setup Active Directory Domain Services you could manually click your way through the appropriate wizard in Server Manager or automate it using PowerShell. For your benefit I'll show you both methods below, all you have to do is choose which one suits you.

Method #1 - Do it manually

Open Server Manager. Click on Add roles and features

Server Manager - Add roles and features.png

On the Before You Begin screen click Next

For Installation Type select Role-based or Feature-based installation

role based or feature based installation.png

For Server Selection select Select a server from the server pool and choose AD01

select a server from the server pool.png

For Server Roles select Active Directory Domain Services, when prompted to add features that are required for Active Directory Domain Services select Add Features

adds role.png

Select DNS Server, when prompted to add features that are required for DNS Server, accept the changes by clicking on Add Features

dns server.png

Continue the wizard by clicking Next

adds and dns server are selected.png

On the Features screen click Next

features.png

On the AD DS screen click Next

adds screen.png

On the DNS Server screen click Next

DNS server screen.png

On the Confirmation screen click Install

confirmation screen.png

and then click on Close

close adds.png

After it has finished, perform the post-deployment configuration by clicking Promote this server to a domain controller.

post deployment configuration.PNG

Select the Add a new forest option and give it a root domain name such as windowsnoob.lab.local.

deployment configuration.png

Next, depending on your requirements, set the Forest functional level and Domain functional level. I've selected the default options below; you may want to configure them differently for your hierarchy.

For the Directory Services Restore Mode (DSRM) password field use P@ssw0rd.

domain controller options.png

Click Next when ready. On the DNS Options screen, click Next.

dns options.png

Next, verify the NetBIOS name and click Next.

netbios name.png

To specify the location of the AD DS database, log files and so forth, either accept the defaults, or change them to something that suits your hierarchy and click Next.

paths.png

Next you can review the options (clicking view script will save your actions to a PowerShell script for use later if you wish). Click Next when done.

review options.png

Next, click Install to begin

click install to begin.png

Once it has finished making the changes it will automatically reboot the server.

about to be signed out.png

 

Method #2 - Automate it with PowerShell

To configure ADDS and DNS automatically, use the ConfigureADDS.ps1 PowerShell script.

1. Copy the script to C:\scripts on AD01

2. Edit the variables in lines 17-24 as desired before running.

3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

run adds powershell script.png

Once the script has run, the server will automatically reboot.

adds script run.png
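The role installation and forest promotion that the wizard and ConfigureADDS.ps1 perform, as an added example that is not the guide's script. It assumes the lab domain name from Step 1 and a NetBIOS name of WINDOWSNOOB; run it in an elevated PowerShell session on AD01.

```powershell
# Added example (not the guide's ConfigureADDS.ps1): install the AD DS and DNS
# roles on AD01 and promote it as the first domain controller of a new forest.
# Domain and NetBIOS names below are assumed lab values; change them to suit.
$DomainName  = 'windowsnoob.lab.local'   # root domain name chosen in Step 1
$NetBiosName = 'WINDOWSNOOB'             # assumed NetBIOS name for that domain

# Install the same roles the Server Manager wizard adds, including the
# management tools (RSAT AD DS and DNS tools).
$result = Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
if (-not $result.Success) {
    throw "Role installation failed with exit code $($result.ExitCode)"
}

# Prompt for the Directory Services Restore Mode password instead of keeping
# it in the script in clear text.
$dsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

# Promote the server. WinThreshold is the Windows Server 2016 forest/domain
# functional level, i.e. the wizard's default on this OS. -Force suppresses
# the confirmation prompt; the server reboots itself when promotion completes,
# exactly as in the manual method.
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName                   $DomainName `
    -DomainNetbiosName            $NetBiosName `
    -ForestMode                   'WinThreshold' `
    -DomainMode                   'WinThreshold' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath                 'C:\Windows\NTDS' `
    -LogPath                      'C:\Windows\NTDS' `
    -SysvolPath                   'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -NoRebootOnCompletion:$false `
    -Force:$true
```

Run Test-ADDSForestInstallation with the same parameters first if you want the prerequisite checks without making any change.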

 

Step 2. Join CM01 to the domain

Note: Perform the following on the ConfigMgr server (CM01) as Local Administrator

Method #1 - Do it manually

To join the domain manually, log in to CM01. Start Windows File Explorer, right-click This PC and choose Properties. The System screen will appear.

properties.png

Click Change settings to the right of Computer name. Under To rename this computer or change its domain or workgroup, click Change. For Member of select Domain, enter the domain details used in Step 1 and click OK.

domain.png

When prompted for credentials, enter them and click OK.

enter credentials.png

You'll be welcomed to the Domain. Click OK.

welcome to the domain.png

You'll then be prompted to reboot the computer; click OK.

ok to restart.png

In the Computer Name/Domain changes screen, click Close then click Restart now when prompted.

restart now.png

Method #2 - Automate it with PowerShell

To join the domain automatically, use the joindomain.ps1 PowerShell script.

1. Copy the script to C:\Scripts on CM01

2. Edit the variables (lines 16-18) as desired before running.

3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

join domain powershell script.png

Note: If DNS is not set correctly in the network adapter properties on CM01, the domain join will fail. The script checks for success and reports an error if one occurs. If successful, it automatically restarts the computer after the domain join is complete.
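The DNS check and domain join described in this step, as an added example that is not the guide's joindomain.ps1. It assumes the lab addresses from the table above (AD01 at 192.168.9.1 as DNS) and is run elevated on CM01.

```powershell
# Added example (not the guide's joindomain.ps1): confirm that CM01 points at a
# DNS server that can locate a domain controller before attempting the join,
# then join the domain and restart only if the join succeeded.
$DomainName = 'windowsnoob.lab.local'   # assumed lab domain from Step 1
$DcAddress  = '192.168.9.1'             # AD01, the DNS server in the lab table

# The join fails when the client's DNS cannot return the domain's SRV records,
# so check the configured DNS servers first and fail with a clear message.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses
if ($dnsServers -notcontains $DcAddress) {
    throw "DNS is set to [$($dnsServers -join ', ')], not $DcAddress. Fix the adapter settings first."
}

# Ask DNS for the domain controller locator record; this is what the join uses.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
} catch {
    throw "No domain controller for $DomainName found via DNS: $($_.Exception.Message)"
}
$dcNames = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget
Write-Host "Domain controller(s) located: $($dcNames -join ', ')"

# Prompt for an account that may join computers to the domain (the domain
# Administrator in this lab) rather than embedding credentials in the script.
$cred = Get-Credential -Message "Account permitted to join $DomainName"
try {
    Add-Computer -DomainName $DomainName -Credential $cred -ErrorAction Stop
    Write-Host "Joined $DomainName successfully, restarting now."
    Restart-Computer -Force
} catch {
    Write-Error "Domain join failed: $($_.Exception.Message)"
}
```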

Step 3. Create users (optional)
Note: Perform the following on the Active Directory Domain Controller server (AD01) as Administrator

Method #1 - Do it manually

To create users manually, click on Start and choose Windows Administrative Tools and then select Active Directory Users and Computers.

In Active Directory Users and Computers, add new users by expanding <domain name>, select Users and right click, choose New then select User.

new user.png

In the wizard that appears, fill in the New Object - User details.

new object user.png

Enter the password details, using the password P@ssw0rd,

password details.png

and click Finish when done

domain user finish.png

Repeat the above process to add the remaining users as appropriate for your environment:

  • Testuser, used for testing stuff
  • CM_BA, used for building ConfigMgr created images
  • CM_JD, used for joining computers to the domain
  • CM_RS, used for reporting services.
  • CM_CP, used when installing the Configuration Manager Client for Client Push.
  • CM_NAA, (Network Access Account) used during OSD

Note: The PowerShell script creates users and makes one of them a local administrator on the CM01 server. To allow that remote local administrator assignment to work, you'll need to (optionally) manually create a GPO on AD01 called Allow Inbound File and Printer Sharing Exception which sets Windows Firewall: Allow inbound file and printer sharing exception to Enabled.

To Create the GPO on AD01, click the Start menu and choose Windows Administrative Tools, then select Group Policy Management. Expand Group Policy Objects and Right click, choose New and give it a Name: Allow Inbound File and Printer Sharing Exception.

create new GPO.png

In the GPO settings, expand Computer Configuration, Policies, Administrative Templates, then select Network, Network Connections, Windows Firewall and select the Domain Profile. Locate the Windows Firewall: Allow inbound file and printer sharing exception and set it to Enabled. Apply the changes.

enable setting in gpo.png

Here you can see the path to the GPO setting.

network gpo.png

After creating the GPO, you'll want to limit it so that it only applies to your ConfigMgr server (or servers). To do that, select the Delegation tab of the GPO and click the Advanced button. Select the Authenticated Users security group, scroll down to the Apply group policy permission and un-tick Allow. This stops authenticated users in general from applying this GPO.

Next, click the Add button. Under Select this object type, make sure Computers is included in the Object Types, then select the group or computer object that you want this policy to apply to. Select the group (e.g. ConfigMgr Servers), scroll the permission list until you see Apply group policy and tick Allow, as shown here.

limit gpo to computer.png

Finally, you need to link the GPO. To do that, right-click your domain (in this example it's windowsnoob.lab.local) and select Link an Existing GPO,

link an existing gpo.png

then select the newly created GPO.

linking the gpo.png

Note: Once the above is completed, please update Group Policy on CM01 using Gpupdate /force prior to running the PowerShell script below.

Method #2 - Automate it with PowerShell

To create users automatically, use the Create Users Usergroups and OUs in AD.ps1 PowerShell script.

Tip: You should edit the script and adjust the variables to your liking, for example if you want to change the default password. You may also want to comment out ("rem out") the MDT and MBAM users/groups that are created and change some of the user names within the script. To comment out a line, place a # in front of it.

1. Copy the script to C:\scripts on AD01

2. Edit the variables [lines 79-100] as desired before running.

3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

Creating Users, UserGroups and OU's in AD using PowerShell.gif

Once the script is complete you can browse Active Directory Users and Groups to see the Users and Groups it created.

users and usergroups created.png
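The account creation and the GPO work from Step 3 in one script, as an added example that is not the guide's Create Users Usergroups and OUs in AD.ps1. It assumes an OU named ConfigMgr, a group named ConfigMgr Servers and a site server named CM01, and is run on AD01 as a domain administrator.

```powershell
# Added example (not the guide's script): create the Step 3 accounts, put the
# site server in a group, then build, scope and link the firewall-exception GPO.
# OU name, group name and site server name are assumed lab values.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$domain = Get-ADDomain
$ouPath = "OU=ConfigMgr,$($domain.DistinguishedName)"
try   { Get-ADOrganizationalUnit -Identity $ouPath -ErrorAction Stop | Out-Null }
catch { New-ADOrganizationalUnit -Name 'ConfigMgr' -Path $domain.DistinguishedName }

# Prompt once for the initial password instead of hard-coding it in the script.
$password = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString
$accounts = [ordered]@{
    'Testuser' = 'Test user'
    'CM_BA'    = 'ConfigMgr build account (image creation)'
    'CM_JD'    = 'ConfigMgr domain join account'
    'CM_RS'    = 'ConfigMgr reporting services account'
    'CM_CP'    = 'ConfigMgr client push account'
    'CM_NAA'   = 'ConfigMgr network access account (OSD)'
}
foreach ($name in $accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }   # already exists
    New-ADUser -Name $name -SamAccountName $name -Description $accounts[$name] `
        -UserPrincipalName "$name@$($domain.DNSRoot)" -Path $ouPath `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
}

# Group the GPO is scoped to; the site server's computer account is its only member.
$group = Get-ADGroup -Filter "Name -eq 'ConfigMgr Servers'"
if (-not $group) {
    $group = New-ADGroup -Name 'ConfigMgr Servers' -GroupScope Global -Path $ouPath -PassThru
}
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity 'CM01')

# GPO with 'Windows Firewall: Allow inbound file and printer sharing exception'
# enabled for the Domain profile. The registry key is the one the administrative
# template writes (assumed here); confirm it in the GPO editor after running.
$gpoName = 'Allow Inbound File and Printer Sharing Exception'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
$key = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'RemoteAddresses' -Type String -Value '*' | Out-Null

# Scope the GPO: Authenticated Users keep Read (computers must still be able to
# read the policy) but lose Apply; only the ConfigMgr Servers group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group.Name -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $gpoName -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null
```

Keeping Read for Authenticated Users is the same point made in the comments below: remove only Apply group policy, never the Read permission.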

 

Step 4. Create the System Management Container
Note: Perform the following on the Active Directory Domain Controller server (AD01) as Local Administrator

For details of why you are doing this see https://docs.microsoft.com/en-us/sccm/core/plan-design/network/extend-the-active-directory-schema

Method #1 - Do it manually

Open ADSI Edit, click Action, then Connect to, and click OK. Double-click Default Naming Context and the DC= node that appears below it. Click the > arrow and scroll down to CN=System. Right-click CN=System and choose New, Object.

adsiedit new object.png

Choose Container from the options and click Next.

container.png

Enter System Management as the value.

system management.png

Click Next and then click Finish.

Method #2 - Automate it with PowerShell

Note: Perform the following on the Active Directory Domain Controller server (AD01) as Local Administrator

To create the System Management container automatically, use the Create System Management container.ps1 PowerShell script.

create system management container script.png

 

Step 5. Delegate Permission

Note: Perform the following on the Active Directory Domain Controller server (AD01) as Local Administrator

Method #1 - Do it manually

Open Active Directory Users and Computers. Click View and select Advanced Features. Select the System Management container under System.

system management container under System.png

Right click the System Management container, choose All Tasks and Delegate Control.

all tasks delegate control.png

When the Welcome to the Delegation of Control Wizard screen appears, click Next, then click Add. Click Object Types and select Computers. Type in your Configuration Manager server name (CM01) and click Check Names; it should resolve. Click OK.

cm01 resolved.png

Click Next, select Create a custom task to delegate and click Next. Make sure This folder, existing objects in this folder, and creation of new objects in this folder is selected.

this folder and.png

Click Next, make sure the three permission types General, Property-specific and Creation/deletion of specific child objects are selected, then place a check mark in Full Control.

full control.png

Tip: Repeat the above process for each site server that you install in a Hierarchy.

Method #2 - Automate it with PowerShell

To delegate permissions to the System Management container automatically, use the Delegate Permissions.ps1 PowerShell script on AD01. Edit line 24 to point to your ConfigMgr server if you are using a computer name other than CM01.

Note: You need to start Windows PowerShell ISE as a user that has Administrative Permissions in AD on the AD01 server.

permission delegated.png
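Steps 4 and 5 together, as an added example that is not the guide's Create System Management container.ps1 or Delegate Permissions.ps1. It assumes a single site server named CM01 (extend the list for each additional site server, per the tip above) and is run on AD01 as a user with administrative rights in AD.

```powershell
# Added example (not the guide's scripts): create CN=System Management under
# CN=System and give each site server's computer account Full Control on it and
# on everything created beneath it. The site server list is an assumed lab value.
Import-Module ActiveDirectory
$siteServers = @('CM01')            # add further site servers here, one per site
$domainDn    = (Get-ADDomain).DistinguishedName
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"

# Step 4: create the container only if it is not already there.
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' `
                         -SearchBase $systemDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# Step 5: delegate Full Control. GenericAll is what the wizard's 'Full Control'
# check box grants; inheritance 'All' corresponds to 'This folder, existing
# objects in this folder and creation of new objects in this folder'.
$acl = Get-Acl -Path "AD:\$containerDn"
foreach ($server in $siteServers) {
    $computer = Get-ADComputer -Identity $server        # resolves to CM01$
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $computer.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# Verify: list the ACEs on the container that belong to the site server accounts.
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { $siteServers -contains $_.IdentityReference.Value.Split('\')[-1].TrimEnd('$') } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```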

 

Downloads

The scripts used in this guide are available for download here. Unzip to C:\Scripts on both servers. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (AD01 or CM01).

Scripts.zip

Summary

Using PowerShell to automate things leaves more time for yourself and it's fun. Please join me in Part 2 of this multi-part guide where you will configure Windows Server 2016 roles and features and then install SQL Server 2017.

Continue to Part 2 of this guide > https://www.windows-noob.com/forums/topic/16116-how-can-i-install-system-center-configuration-manager-current-branch-version-1802-on-windows-server-2016-with-sql-server-2017-part-2/

On 3/30/2018 at 6:19 AM, anyweb said:

Server function: Linux firewall
Server status: 2 legacy NICs

  • eth0: 192.168.9.199
  • eth1: x.x.x.x (internet facing ip)

Hey, great write-up. I had a quick question about giving internet access to the CM12 box for updates: is it easy to set up a Linux firewall? Is that a separate Hyper-V machine?

 

Thanks


It's very easy, just install Smoothwall on a legacy (gen 1) Hyper-V VM and configure two NICs, one for Green (LAN) and one for Red (WAN).


The following paragraph could benefit from some tweaking and a screenshot:

 

"After creating the GPO, you'll want to limit it to only apply to your ConfigMgr server (or servers). To do that select the Delegation tab of the GPO, and click on Advanced button. Select the Authenticated Users security group and then scroll down to the Apply Group Policy permission and un-tick the Allow security setting. This denies authenticated users from applying this GPO setting

Next, click on the Add button, for Select this object type make sure to select Computers from the Object Types and select the group or Computer object that you want to have this policy apply to. Then select the group (e.g. ConfigMgr Servers) and scroll the permission list until you see the Apply group policy option and then tick the Allow permission as shown here."

 

Where one adds the user (in this case the ConfigMgr server), the "Add Group or User" dialog pops up with Read and Edit. It is important to mention here that one should click Next and not change the preset "Read" permission.

 

kukubau
