How can I install System Center Configuration Manager (Current Branch) version 1902 on Windows Server 2019 with SQL Server 2017 - Part 2

[anyweb]

Introduction

This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1902 as of April the 10th 2019. I blogged how to upgrade to 1902 here. This guide is aimed a new installations of SCCM. Baseline media is used to install new ConfigMgr sites or to upgrade from supported versions, for more information about baseline media please see my blog post here.

Note: The SCCM 1902 Current Branch media is not yet available on MSDN or VLSC. When the new baseline media is released I'll update this note.

This series is broken down into the following parts:-

• Part 1 - Get the lab ready, configure ADDS
• Part 2 - Join CM01 to Domain, add users, create the Systems Management container, delegate permission (this part)
• Part 3 - Role and Feature installation, installation of WDS and ADK
• Part 4 - Configure and install SQL Server 2017
• Part 5 - Configure and install SCCM 1902 Current Branch
• Part 6 - Create device collections
• Part 7 - Configuring discovery
• Part 8 - Configuring boundaries

You can use this multi-part guide to get a hierarchy up and running on Windows Server 2019 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed (for lab use) using manual methods or automated using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager.

I will show you how to do most steps via two methods shown below, it's up to you to choose which method suits you best but I highly recommend automating everything that you can, using PowerShell.

•         Method #1 - Do it manually
•         Method #2 - Automate it with PowerShell

Downloads

The scripts used in this part of the guide are available for download here. Unzip to C:\Scripts. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (DC01 or CM01).

Scripts.zip

Step 1. Join CM01 to the domain

Note: Perform the following on the ConfigMgr server (CM01) as Local Administrator

•         Method #1 - Do it manually

To join the domain manually, login to CM01. Start Windows File Explorer. Right-click on This-PC and choose Properties. The System screen will appear.  Click on Change settings to the right of Computer name. For the option To rename this computer or change its domain or workgroup, click Change, click Change and for Member of select Domain, enter the Domain details used in Part 1 of this series and then click OK.

and enter domain join credentials as appropriate when prompted. Once done you'll get notification that you've joined the domain.

Click OK and click Restart Now when prompted.

• Method #2 - Automate it with PowerShell

To join the domain automatically, use the joindomain.ps1 PowerShell script.

1. Copy the script to C:\Scripts on CM01

2. Edit the variables (lines 16-18) as desired before running. 

3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

Step 2. Add Users to Active Directory

•         Method #1 - Do it manually

To create users manually, click on Start and choose Windows Administrative Tools and then select Active Directory Users and Computers. In Active Directory Users and Computers, add new users by expanding <domain name>, select Users and right click, choose New then select User.

In the wizard that appears fill in the New Object user details

enter the Password details using password P@ssw0rd

and click Finish when done.

Repeat the above process to add remaining users as appropriate for your environment

• Testuser, used for testing stuff
• CM_BA, used for building ConfigMgr created images
• CM_JD, used for joining computers to the domain
• CM_RS, used for reporting services.
• CM_CP, used when installing the Configuration Manager Client for Client Push.
• CM_NAA, (Network Access Account) used during OSD

Keep in mind that if you create users manually, and if you don't run the PowerShell script to automatically create users and OU's, that you'll have to do that manually otherwise other steps may not make sense in later parts of this guide. For example, when configuring discovery the screenshots point to OU's created by this PowerShell script, so you'll either need to create those OU's manually or modify the discovery settings.

Note: The PowerShell script creates users and in addition makes a user a local admin on the CM01 server. To facilitate the local administrator creation, you'll need to (optionally) create a GPO manually on AD01 called Allow Inbound File and Printer sharing exception which sets Windows Firewall: Allow inbound file and printer sharing exception to Enabled.

To Create the GPO on AD01, click the Start menu and choose Windows Administrative Tools, then select Group Policy Management. Expand Group Policy Objects and Right click, choose New and give it a Name: Allow Inbound File and Printer Sharing Exception. In the GPO settings, expand Computer Configuration, Policies, Administrative Templates, then select Network, Network Connections, Windows Defender Firewall and select the Domain Profile. Locate the Windows Defender Firewall: Allow inbound file and printer sharing exception and set it to Enabled. Apply the changes.

After creating the GPO, you'll want to limit it to only apply to your ConfigMgr server (or servers). To do that select the Delegation tab of the GPO, and click on Advanced button. Select the Authenticated Users security group and then scroll down to the Apply Group Policy permission and un-tick the Allow security setting. This denies authenticated users from applying this GPO setting

Next, click on the Add button, for Select this object type make sure to select Computers from the Object Types and select the group or Computer object (eg: CM01$) that you want to have this policy apply to. Then select the group (e.g. ConfigMgr Servers) and scroll the permission list until you see the Apply group policy option and then tick the Allow permission. Finally, you need to Link the GPO, to do that, right click on your Domain (in this example it's windowsnoob.lab.local) and select Link an existing GPO.

Note: Once the above is completed, please update Group Policy on CM01 using gpupdate /force prior to running the PowerShell script below.

• Method #2 - Automate it with PowerShell

To create users automatically, use the Create Users Usergroups and OUs in AD.ps1 PowerShell script.

Tip: You should edit the script and adjust the variables to your liking, for example if you want to change the default password. You may also want to rem out the MDT and MBAM user/groups that are created and change some of the user names within the script. To rem out a line place a # in front of it.

1. Copy the script to C:\scripts on AD01, see the notes above about the GPO creation.

2. Edit the variables [lines 79-100] as desired before running.

3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

 

Step 3. Create the System Management Container

Note: Perform the following on the Active Directory Domain Controller server (DC01) as Local Administrator

For details of why you are doing this see https://docs.microsoft.com/en-us/sccm/core/plan-design/network/extend-the-active-directory-schema

        Method #1 - Do it manually

Open ADSI Edit, click on Action, then Connect To and click Ok, Double Click on Default Naming Context and the DC= that appears below it. Click on the > and scroll down to CN=System. Right Click on CN=System and choose New, Object

choose Container from the options, click Next

enter

System Management

as the value then click Next and then click Finish.

The System Management container is created.

Click OK and click Restart Now when prompted.

• Method #2 - Automate it with PowerShell

To join the domain automatically, use the Create system management container.ps1 PowerShell script.

1. Copy the script to C:\Scripts on DC01

2. Edit the variables (lines 18-23) as desired before running. 

3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

Step 4. Delegate Permission

Note: Perform the following on the Active Directory Domain Controller server (DC01) as Local Administrator

•         Method #1 - Do it manually

Open Active Directory Users and Computers. Click on view, select Advanced Features. Select the System Management Container under System. Right click the System Management container that you just created, choose All Tasks and Delegate Control.

When the Welcome to Delegation of Control Wizard appears click next, then click Add. click on Object Types, select Computers. Type in your Configuration Manager server name (CM01) and click on Check Names, it should resolve. Click Ok.

Click Next then select Create a Custom Task to Delegate, click Next, make sure This folder, existing objects in this folder and creation of new objects in this folder is selected.

Click next, select the 3 permissions General, Property-Specific and Creation-deletion of specific child objects are selected then place a check mark in Full Control.

Click Next then click Finish.

Tip: Repeat the above process for each site server that you install in a Hierarchy.

• Method #2 - Automate it with PowerShell

To join the domain automatically, use the Delegate Permissions.ps1 PowerShell script.

1. Copy the script to C:\Scripts on DC01

2. Edit the variable (line 24) as desired before running. 

3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

 

That's it for this part, please join me in Part 3 where we'll configure the ConfigMgr server with Roles and Features and get Windows ADK and WDS setup.

[maiker2k3]

Good afternoon! I study these cool manuals, Very cool! My question is, I do not quite understand what the goal is being pursued? 
what are we doing this for? when we create GPO "Allow inbound File and Printer Sharing Exception"

Please explain

[anyweb]

Good afternoon! I study these cool manuals, Very cool! 

thanks !

the goal is to learn how to setup ConfigMgr in a lab from start to finish, either using manual methods or automated using PowerShell, the goal of the GPO is simply to allow you to automate the making of a user as a local admin on the ConfigMgr server, it's optional

[Suganya]

Hi, I am getting below error after making some changes in the script 

Create Users Usergroups and OUs in AD.ps1 cannot be loaded. The file C:\Scripts\Create Users  Usergroups and OUs in AD.ps1 is not digitally signed. You cannot run this script on the current system.For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:0 char:0

Kindly help me what would be reason or any mistakes I have made.

[anyweb]

did you try

 

set-executionpolicy unrestricted 

?

[Suganya]

Thanks for your response.. I will give a try this..

[Suganya]

Hi , while installing SQL server I am getting this error 

The credentials you provided for the 'SQLAgent$SCCMSQL' service is invalid.. Please help me on this ..

Virtual Account 'NT Service\SQLSERVERAGENT' provided for 'SQLAgent$SCCMSQL' is either not a valid account or cannot be used for this service

[cheerful_pleb]

Hello! I think I set up the GPO and user accounts correctly, but when I try to log in as local admin, I am met with an error: "The logon method you are using is not allowed on this computer"

What do you think I have done wrong here?

 

[NoobChris]

Sorry, I have done all parts, but there was a manual missing so far.
Here, you forgot to tell us, how to add Root OU (in your case: OU=windowsnoob) and Child OU's, so I have error in part 7 - no connection found.
Am I right?

[anyweb]

hi @noobchris that is done in part 2 in the PowerShell script to create users. You can of course do it manually by creating the OU structure in Active Directory Users and Computers.