This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1902 as of April the 10th 2019. I blogged how to upgrade to 1902 here. This guide is aimed at new installations of SCCM. Baseline media is used to install new ConfigMgr sites or to upgrade from supported versions; for more information about baseline media please see my blog post here.
Note: The SCCM 1902 Current Branch media is not yet available on MSDN or VLSC. When the new baseline media is released I'll update this note.
This series is broken down into the following parts:-
You can use this multi-part guide to get a hierarchy up and running on Windows Server 2019 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed (for lab use) using manual methods or automated using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager.
I will show you how to do most steps via two methods shown below, it's up to you to choose which method suits you best but I highly recommend automating everything that you can, using PowerShell.
Method #1 - Do it manually
Method #2 - Automate it with PowerShell
Downloads
The scripts used in this part of the guide are available for download here (Scripts.zip). Unzip to C:\Scripts. The scripts are placed in the corresponding folder (Part 1, Part 2 etc.) and sorted by which server you should run the script on (DC01 or CM01).
Step 1. Join CM01 to the domain
Note: Perform the following on the ConfigMgr server (CM01) as Local Administrator
Method #1 - Do it manually
To join the domain manually, login to CM01. Start Windows File Explorer. Right-click on This PC and choose Properties. The System screen will appear. Click on Change settings to the right of Computer name. For the option To rename this computer or change its domain or workgroup, click Change, click Change and for Member of select Domain, enter the Domain details used in Part 1 of this series and then click OK, and enter domain join credentials as appropriate when prompted. Once done you'll get a notification that you've joined the domain.
Click OK and click Restart Now when prompted.
Method #2 - Automate it with PowerShell
To join the domain automatically, use the joindomain.ps1 PowerShell script.
1. Copy the script to C:\Scripts on CM01
2. Edit the variables (lines 16-18) as desired before running.
3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.
Step 2. Add Users to Active Directory
Method #1 - Do it manually
To create users manually, click on Start and choose Windows Administrative Tools and then select Active Directory Users and Computers. In Active Directory Users and Computers, add new users by expanding <domain name>, selecting Users, right-clicking, choosing New and then selecting User.
In the wizard that appears fill in the New Object user details, enter the Password details using password P@ssw0rd, and click Finish when done.
Repeat the above process to add the remaining users as appropriate for your environment:
Testuser, used for testing stuff
CM_BA, used for building ConfigMgr created images
CM_JD, used for joining computers to the domain
CM_RS, used for reporting services.
CM_CP, used when installing the Configuration Manager Client for Client Push.
CM_NAA, (Network Access Account) used during OSD
Keep in mind that if you create users manually and don't run the PowerShell script that automatically creates users and OUs, you'll have to create the OUs manually as well, otherwise other steps in later parts of this guide may not make sense. For example, when configuring discovery the screenshots point to OUs created by this PowerShell script, so you'll either need to create those OUs manually or modify the discovery settings.
Note: The PowerShell script creates users and in addition makes a user a local admin on the CM01 server. To facilitate the local administrator creation, you'll need to (optionally) create a GPO manually on AD01 called Allow Inbound File and Printer sharing exception which sets Windows Firewall: Allow inbound file and printer sharing exception to Enabled.
To Create the GPO on AD01, click the Start menu and choose Windows Administrative Tools, then select Group Policy Management. Expand Group Policy Objects and Right click, choose New and give it a Name: Allow Inbound File and Printer Sharing Exception. In the GPO settings, expand Computer Configuration, Policies, Administrative Templates, then select Network, Network Connections, Windows Defender Firewall and select the Domain Profile. Locate the Windows Defender Firewall: Allow inbound file and printer sharing exception and set it to Enabled. Apply the changes.
After creating the GPO, you'll want to limit it to only apply to your ConfigMgr server (or servers). To do that select the Delegation tab of the GPO, and click on the Advanced button. Select the Authenticated Users security group and then scroll down to the Apply Group Policy permission and un-tick the Allow security setting. This stops authenticated users from applying this GPO.
Next, click on the Add button, for Select this object type make sure to select Computers from the Object Types and select the group or Computer object (e.g. CM01$) that you want to have this policy apply to. Then select the group (e.g. ConfigMgr Servers) and scroll the permission list until you see the Apply group policy option and then tick the Allow permission. Finally, you need to Link the GPO; to do that, right-click on your Domain (in this example it's windowsnoob.lab.local) and select Link an existing GPO.
Note: Once the above is completed, please update Group Policy on CM01 using gpupdate /force prior to running the PowerShell script below.
Method #2 - Automate it with PowerShell
To create users automatically, use the Create Users Usergroups and OUs in AD.ps1 PowerShell script.
Tip: You should edit the script and adjust the variables to your liking, for example if you want to change the default password. You may also want to rem out the MDT and MBAM user/groups that are created and change some of the user names within the script. To rem out a line place a # in front of it.
1. Copy the script to C:\scripts on AD01, see the notes above about the GPO creation.
2. Edit the variables [lines 79-100] as desired before running.
3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.
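As an added example (not the guide's own Create Users Usergroups and OUs in AD.ps1), the following creates the accounts listed in the manual method and the ConfigMgr Servers group used to filter the GPO, prompting for the password instead of keeping P@ssw0rd in the script file. The OU name is an assumption; the local-admin step and the MDT/MBAM accounts of the guide's script are not covered here.

```powershell
# Added example, not the guide's script. Run on the domain controller (DC01/AD01)
# with the ActiveDirectory RSAT module. Assumes the OU name below and that CM01
# has already been joined to the domain (Step 1).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$ouName  = 'ConfigMgr Service Accounts'                 # assumed OU name
$ouPath  = "OU=$ouName,$($domain.DistinguishedName)"

# Prompt once rather than embedding the lab password in the script.
$password = Read-Host -Prompt 'Password for the new accounts' -AsSecureString

# The accounts from the manual method above, with their purpose.
$accounts = @(
    @{ Name = 'Testuser'; Description = 'Used for testing' }
    @{ Name = 'CM_BA';    Description = 'Build account for ConfigMgr created images' }
    @{ Name = 'CM_JD';    Description = 'Joins computers to the domain' }
    @{ Name = 'CM_RS';    Description = 'Reporting Services' }
    @{ Name = 'CM_CP';    Description = 'Client Push installation' }
    @{ Name = 'CM_NAA';   Description = 'Network Access Account used during OSD' }
)

if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domain.DistinguishedName)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

foreach ($a in $accounts) {
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$($a.Name))") {
        Write-Host "$($a.Name) already exists, skipping"
        continue
    }
    # Service accounts: the password does not expire and the account cannot
    # change it, so credentials stored in ConfigMgr keep working.
    New-ADUser -Name $a.Name -SamAccountName $a.Name `
        -UserPrincipalName "$($a.Name)@$($domain.DNSRoot)" `
        -Path $ouPath -Description $a.Description `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}

# Security group used to scope the firewall GPO to the site server(s) only.
$groupName = 'ConfigMgr Servers'
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
        -GroupCategory Security -Path $ouPath
}
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity 'CM01')
```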
Step 3. Create the System Management Container
Note: Perform the following on the Active Directory Domain Controller server (DC01) as Local Administrator
For details of why you are doing this see https://docs.microsoft.com/en-us/sccm/core/plan-design/network/extend-the-active-directory-schema
Method #1 - Do it manually
Open ADSI Edit, click on Action, then Connect To and click OK. Double-click on Default Naming Context and the DC= that appears below it. Click on the > and scroll down to CN=System. Right-click on CN=System and choose New, Object.
Choose Container from the options, click Next, enter System Management as the value, then click Next and then click Finish.
The System Management container is created.
Click OK and click Restart Now when prompted.
Method #2 - Automate it with PowerShell
To create the container automatically, use the Create system management container.ps1 PowerShell script.
1. Copy the script to C:\Scripts on DC01
2. Edit the variables (lines 18-23) as desired before running.
3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.
Step 4. Delegate Permission
Note: Perform the following on the Active Directory Domain Controller server (DC01) as Local Administrator
Method #1 - Do it manually
Open Active Directory Users and Computers. Click on View, select Advanced Features. Select the System Management container under System. Right-click the System Management container that you just created, choose All Tasks and Delegate Control.
When the Welcome to Delegation of Control Wizard appears click Next, then click Add. Click on Object Types, select Computers. Type in your Configuration Manager server name (CM01) and click on Check Names; it should resolve. Click OK.
Click Next then select Create a Custom Task to Delegate, click Next, and make sure This folder, existing objects in this folder and creation of new objects in this folder is selected.
Click Next, make sure the 3 permissions General, Property-specific and Creation/deletion of specific child objects are selected, then place a check mark in Full Control.
Click Next then click Finish.
Tip: Repeat the above process for each site server that you install in a Hierarchy.
Method #2 - Automate it with PowerShell
To delegate the permissions automatically, use the Delegate Permissions.ps1 PowerShell script.
1. Copy the script to C:\Scripts on DC01
2. Edit the variable (line 24) as desired before running.
3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.
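As an added example (not the guide's Create system management container.ps1 or Delegate Permissions.ps1), the following does Steps 3 and 4 together with the ActiveDirectory module: it creates the System Management container and grants the site server's computer account Full Control on that container only, then lists the resulting ACE so you can confirm the grant. It loops over a list of site servers so it also covers the tip above about hierarchies; the site server name CM01 is the guide's.

```powershell
# Added example, not the guide's scripts. Run on DC01 with the ActiveDirectory
# module loaded (it provides the AD: drive used for the ACL). Assumes the site
# server names below are already domain-joined computer objects.
Import-Module ActiveDirectory

$siteServers = @('CM01')                      # add further site servers here
$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"

# Step 3: create the container (same result as the ADSI Edit steps above).
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase $systemDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
    Write-Host "Created $containerDN"
}

# Step 4: Full Control for each site server on this container, its existing
# children and objects created later (the wizard's "This folder, existing
# objects in this folder and creation of new objects in this folder").
# The grant is scoped to System Management only, never to CN=System itself.
$acl = Get-Acl -Path "AD:\$containerDN"
foreach ($server in $siteServers) {
    $computerSid = (Get-ADComputer -Identity $server).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $computerSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Check: list the ACEs that apply to the site server accounts; each should show
# GenericAll, Allow and InheritanceType All.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $id = $_.IdentityReference.Value; $siteServers | Where-Object { $id -like "*\$_`$" } } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```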
That's it for this part, please join me in Part 3 where we'll configure the ConfigMgr server with Roles and Features and get Windows ADK and WDS setup.