
anyweb

using System Center 2012 Configuration Manager - Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent

In Part 1 of this series we created our new LAB, we got the System Center 2012 Configuration Manager ISO and extracted it, then copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container, extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites like .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory configurations prior to running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS).

In Part 2 we set up our Primary server with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. Then we configured Discovery methods for our Hierarchy and then configured Boundaries and Boundary Groups.

In Part 3 we configured Discovery methods, configured boundaries and created a boundary group. We then configured them for Automatic Site Assignment and Content Location.

In Part 4 we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and then deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings.

Now we will install the WSUS server role (it is required for the Software Update Point role). We will then install the Software Update Point role on our CAS and Primary servers and we will configure the SUP to support ConfigMgr Client Agent deployment which is a recommended Best Practice method of deploying the Configuration Manager Client Agent.

Recommended Reading
Planning for Software Updates in Configuration Manager - http://technet.micro...y/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager - http://technet.micro...y/hh237372.aspx
Configuring Software Updates in Configuration Manager - http://technet.micro...y/gg712312.aspx

Planning for Client Deployment in Configuration Manager - http://technet.micro...y/gg682136.aspx
Prerequisites for Client Deployment in Configuration Manager - http://technet.micro...y/gg682042.aspx
Best Practices for Client Deployment in Configuration Manager - http://technet.microsoft.com/en-us/library/gg681994.aspx


Step 1. Add the WSUS Update Services 3.0 SP2 role
Note: Perform the following on the CAS server as SMSadmin

Before starting this step create a folder on D:\ called sources and share it as sources, give Everyone Read access.

sources share.png

The share is created, click done when ready.

cas sources share.png

Note: Repeat the above on the Primary server P01.

p01 sources.png

Start Server Manager and click on Roles. Click on Add Roles to Add the WSUS Server Role.

add roles.png

the Select Server Roles wizard appears, place a checkmark in Windows Server Update Services (WSUS)

Select Server roles.png

when prompted to add role services required for Windows Server Update Services click on Add Required Role Services to continue

add role services required for Windows Server Update Services.png

now you can see WSUS is selected, click next..

wsus selected.png

click next at the introduction to Web Server (IIS)

introduction to Web Server (IIS).png

the IIS Role services will already be selected, click next

role services already selected.png

click next through the wizard and click Install to start installing the WSUS role, the role will be downloaded from the Internet so make sure you are connected to the internet before doing this step.

Tip: If you cannot connect to the Internet then try downloading WSUS30-KB972455-x64 from here and installing that instead.

install wsus.png

after downloading the role, the Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard appears
Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard.png

click next to start installing the role, accept the EULA to continue

i accept the license agreement.png

when prompted to Select Update Source, change the path to D:\Sources\WSUS, also make sure the Store Updates Locally option is selected.

Tip: In Production, as a best practice, select Store updates locally so that license terms that are associated with software updates are downloaded during the synchronization process and stored on the local hard drive for the WSUS server. When this setting is not selected, client computers might fail to scan for software updates compliance for software updates that have license terms. When you install the active software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes, by default.

d sources wsus.png

change the database option to Use an existing database on this computer and click next

use an existing database on this server.png

click next and watch it connecting to SQL Server Instance

Tip: In Production, as a best practice, consider using a different SQL Server instance for the Configuration Manager database and the WSUS database. This will make it easier to troubleshoot and diagnose resource usage issues that might occur for each application.

connecting to SQL Server Instance.png

In web site selection select Create a Windows Server Update Services 3.0 SP2 Web Site

Tip: In Production, as a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS, and you must configure your Active Software Update Point accordingly.

web site preference.png

click next at the ready to install screen

ready to install wsus.png

Click Finish when done.

finish WSUS installation.png

The Windows Server Update Services Configuration Wizard will appear after a few moments, Cancel it.

cancel.png

and then you can finally close the add roles wizard

close wsus wizard.png

Note: Repeat the above (installation of the WSUS server role) on your Primary server P01.

Step 2. Add the Software Update Point role
Note: Perform the following on the CAS server as SMSadmin

In a Configuration Manager hierarchy, install and configure the software update point on the central administration site before you install it on any other site. The software update point at the central administration site is typically configured to synchronize with Microsoft Update, retrieving the software updates metadata based on the criteria that you specify in the software update point properties. Before you install the software update point site system role, you must verify that the server meets required dependencies and determine the software update point infrastructure on the site. For more information about planning for software updates and to determine your software update point infrastructure, see Planning for Software Updates in Configuration Manager.

In the Administration workspace, select Site Configuration and select our CAS site server, right click and choose Add Site System roles.

add site system roles.png

The Add Site System Roles Wizard appears, if you want to change accounts do so now otherwise click next

add site role wizard.png

on the Specify Roles for this server screen, select Software Update Point

software update point.png

on the specify software update point settings screen you can specify a proxy and connection account if you are using one.

specify software update point settings.png

select Use this server as the Active Software Update Point and then select WSUS is configured to use a custom website as per the screenshot below

wsus is configured to use a custom website.png

select Synchronize from Microsoft Update

synchronize from microsoft update.png

set the Synchronization Schedule to Run every 1 days as you want to synchronize daily for Endpoint Protection definition updates, and select the Alert checkbox as per the screenshot below.

synchroization schedule.png

set your Supersedence Rules as you wish

Supersedence Rules.png

choose your Classifications, if you want to use Endpoint Protection then select Definition Updates otherwise none will appear when you synchronize

Classifications.png

select the Products you wish to support, don't worry about making any choices here at this point as some products won't appear in this list until after you've completed your first successful sync.

Tip: you may want to remove all current selections in Products like Operating System and Office versions otherwise your first sync will take quite some time to complete.

products.png

select your Languages

Languages.png

and click through to completion of the wizard.

Add Site System  Roles Wizard completed successfully.png

Note: Repeat the above on the Primary Site server P01

p01 site role added.png

Tip: the difference you'll note when adding the SUP role on the Primary is that you cannot select to synchronize from Microsoft Update as it will automatically select to synchronize from an upstream server. This is expected as it will synchronize from the CAS server.

synchronize from an upstream server.png

Step 3. Configure Active Directory GPO
Note: Perform the following on the Active Directory server AD1 as a Domain Administrator

Software update-based client installation publishes the System Center 2012 Configuration Manager client to a software update point as an additional software update. This method of client installation can be used to install the System Center 2012 Configuration Manager client on computers that do not already have the client installed or to upgrade existing System Center 2012 Configuration Manager clients.

Note: To use software update-based installation, you must use the same Windows Server Update Services (WSUS) server for client installation and software updates. This server must be the active software update point in a primary site (in other words, our Primary site P01). For more information, see Configuring Software Updates in Configuration Manager.

 

Tip: If you would prefer to use Client Push to install the Configuration Manager client agent, see Step 3 of this post.

Open Group Policy Management, right click and choose create a GPO in this domain and link it here

create a GPO in this domain and link it here.png

give it a suitable name like Configuration Manager Client Installation

Configuration Manager Client Installation.png

Right click your newly created GPO, select Edit, select and expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click on Windows Update

windows update.png

select Specify intranet Microsoft update service location, and set it to Enabled, and enter the fully qualified domain name (FQDN) and port of our primary server Software Update Point (SUP) as per the screenshot below:

Specify Intranet Microsoft update service location.png


Step 4. Configure Client Installation Settings on P01
Note: Perform the following on the Primary server P01 as SMSAdmin

Navigate to the Administration workspace, select Site Configuration, Sites, and select the P01 site, click on Settings in the ribbon.

P01 selected.png

Select Client Installation Settings and then select Software Update-Based Client Installation

Software Update-Based Client Installation.png

place a checkmark in Enable software update based client installation and click apply

Enable Software-update based client installation.png

Step 5. Monitor Client installation on your computers
Note: Perform the following on your LAB computers as SMSAdmin

Now everything is in place for receiving the ConfigMgr client installation via the Software Update Point, except that your computers will probably have Windows Update disabled if they are servers. How you enable that is up to you (GPO etc). Below is a sample setting for configuring Automatic Updates via a GPO.

configure automatic updates.png

Once you have enabled Windows Update you'll see the following appear on your clients, 1 important update is available:-

1 important update is available.png

if you wait, it will get installed via the schedule set in your GPO, or if you are impatient you can click on Install Updates and you'll see what the locally published package actually is: it's the Configuration Manager Client.

locally published packages.png

if you check task manager you'll see CCMSETUP.EXE is running,

ccmsetup is running.png

you can also monitor the C:\Windows\CCMSetup\ccmsetup.log file to see how the installation is progressing..

c windows ccmsetup log.png

Tip: The Ccmsetup command line used to install is revealed in the ccmsetup.log file at the beginning of the LOG, and should reveal that the ccmsetup.exe file was started from C:\Windows\SoftwareDistribution\Download\Install\ccmsetup.exe, and this is because it was a Critical Windows Update.

and after a while you should see that CCMSetup installation succeeded

installation succeeded.png

and that means you can open Software Center via the start menu and it'll appear like this

software center.png

click on the Application Catalog link in Software Center and you'll see the Application Catalog appear !

application catalog.png

job done !


Troubleshooting

Once you have configured the above correctly and your clients are installed, the WUAHandler.log file on each client computer should contain a line that reads:

Added Update Source ({.....}) of content type: 2.

wuahandler log working.png

If the GPO or the SUP address is misconfigured, you'll see a lot of red error entries in that log, with the following lines repeated over and over. In the screenshot below the FQDN is not defined, and this causes the failures:

Group policy settings were overwritten by a higher authority (Domain Controller) to Server http://xxxx and Policy ENABLED. Failed to Add Update Source for WUAgent of type (2) and id ({.....}). Error = 0x87d00692

Failed to Add Update Source for WUAgent of type (2) and id.png

 

In addition, verify that the client is assigned to the site. Software Update installs will not work for systems that are not assigned to the site (you will see Error code 1 when it tries to install the client). If you get this error, verify your boundaries for the client and for site assignment. Further troubleshooting can be done via the System log in Event Viewer and windowsupdate.log on the client.

The next part in this series is: Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies.
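
A client-side check for the two conditions described in the Troubleshooting section above, as an added example that is not part of the original post: it compares the WUServer policy value written by the Step 3 GPO with the expected SUP URL and counts the success and failure lines in WUAHandler.log. The function name Test-SupClientConfig, the host name p01.lab.example and the sample log line are constructed for illustration.

```powershell
# Added example, not part of the original post. Host names are hypothetical.
function Test-SupClientConfig {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ExpectedSup,    # SUP URL entered in the GPO (assumed value in the call below)
        [string]$PolicyServer,   # WUServer value; read from the registry when omitted
        [string[]]$LogLines      # WUAHandler.log lines; read from disk when omitted
    )
    if (-not $PolicyServer) {
        # Value written by "Specify intranet Microsoft update service location"
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $PolicyServer = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WUServer
    }
    if (-not $LogLines) {
        $LogLines = Get-Content "$env:windir\CCM\Logs\WUAHandler.log" -ErrorAction SilentlyContinue
    }

    $findings = @()
    if (-not $PolicyServer) {
        $findings += 'No WUServer policy value found: the GPO has not applied here.'
    } else {
        $uri = $null
        if (-not ([System.Uri]::TryCreate($PolicyServer, [System.UriKind]::Absolute, [ref]$uri))) {
            $findings += "WUServer '$PolicyServer' is not a valid URL."
        } elseif ($uri.Host -notmatch '\.') {
            $findings += "WUServer host '$($uri.Host)' is not an FQDN."
        }
        if ($PolicyServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
            $findings += "WUServer '$PolicyServer' does not match the SUP '$ExpectedSup'."
        }
    }

    # Success and failure messages quoted in the Troubleshooting section
    $added  = @($LogLines | Where-Object { $_ -match 'Added Update Source .* of content type: 2' })
    $failed = @($LogLines | Where-Object { $_ -match 'Failed to Add Update Source for WUAgent' })
    $codes  = @($failed | ForEach-Object { if ($_ -match 'Error = (0x[0-9a-fA-F]+)') { $Matches[1] } } |
                Select-Object -Unique)
    if ($failed.Count -gt 0) {
        $findings += "Failed to add update source $($failed.Count) time(s), error(s): $($codes -join ', ')."
    }
    if ($added.Count -eq 0) { $findings += 'No "Added Update Source" line in WUAHandler.log.' }

    New-Object PSObject -Property @{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: short host name in the policy, plus the failure line from the log
$sample = @(
    'Failed to Add Update Source for WUAgent of type (2) and id ({PLACEHOLDER-GUID}). Error = 0x87d00692'
)
$result = Test-SupClientConfig -ExpectedSup 'http://p01.lab.example:8530' -PolicyServer 'http://p01:8530' -LogLines $sample
$result.Findings
```

Run on a client without the -PolicyServer and -LogLines arguments, the function reads the live registry value and log file instead of the sample data.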


Great tutorial, thanks this has saved me hours of work...

 

I do have an issue with this part though, I am only installing onto one server which already has WSUS installed on it so skipped the install part of the WSUS server. I have added the role to SCCM 2012 and ticked the software update-based client installation and reran "check for updates" on my test machine (I have configured it to a group with only one computer in so far) and it finds the update but it fails to install with the error "No valid source or MP locations can be identified to download content from. cmSetup cannot continue.."

 

Any ideas where I need to look to rectify this?

 

Cheers

Drac

Hey there. Have a read through the recommended MS material relating to the client deployment. I think the Software Update based client install requires a fresh/clean/dedicated (whatever) WSUS server. If you're using an older WSUS catalogue, I don't think it'll work and may account for your problems.


HI,

 

Can the WSUS role be installed in another standalone server???

 

sure if you want to host the SUP role on that server
