Category Archives: System Center

System Center 2012 R2 Configuration Manager - Configuration Manager console cannot connect to the Configuration Manager site database (SQL Server)

System Center 2012 R2 Configuration Manager – Deploying Endpoint Protection

This guide is in continuation to my guide on deploying system center 2012 r2 configuration manager, as found here.

In this tutorial, we will cover basic deployment/configuration of Endpoint Protection to client workstations. This tutorial is largly based off of user anyweb's guide on windows-noob.com Make sure to give him some credit over on his forum 🙂 Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies

Definition

Per the following Technet article (http://technet.microsoft.com/en-us/library/hh508781.aspx) Endpoint Protection in System Center 2012 Configuration Manager provides security, antimalware, and Windows Firewall management for computers in your enterprise.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:

You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Creating Endpoint Protection Hierarchy via Folders

Launch the System Center 2012 R2 Configuration Manager console
On the Assets and Compliance pane, select Device Collections, and then right click and select Create Folder
Enter Endpoint Protection for the folder name and click OK
Select your Endpoint Protection folder under Device Collections and create two more folders called Endpoint Protection Managed Clients and Endpoint Protection Managed Servers

Create Device Collections to categorize devices managed by SCCM

Launch the System Center 2012 R2 Configuration Manager console
On the Assets and Compliance pane, select Device Collections, Endpoint Protection Managed Clients, and right click select Create Device Collection
Enter Endpoint Protection Managed Desktops for the name and then a comment describing what the group will hold (Desktops in this example), and then click Browse...
Select All Systems and click OK
Click Next >
Click Next >
Click OK on the dialog box explaining we have set no rules
Click Next >
Click Close
Repeat steps 2-9 to create another group for Laptops
Select Endpoint Protection Managed Servers and repeat steps 2-9 to create the following groups
1. Note: This step is optional, this i more for organization. If you don't have all of these services/servers deployed in your environment, you don't have to create these Collections.
  1. Endpoint Protection Managed Servers - Configuration Manager
  2. Endpoint Protection Managed Servers - DHCP
  3. Endpoint Protection Managed Servers - Domain Controller
  4. Endpoint Protection Managed Servers - Exchange
  5. Endpoint Protection Managed Servers - File Server
  6. Endpoint Protection Managed Servers - Hyper-V
  7. Endpoint Protection Managed Servers - IIS
  8. Endpoint Protection Managed Servers - Operations Manager
  9. Endpoint Protection Managed Servers - SharePoint
  10. Endpoint Protection Managed Servers - SQL Server

Enable the Endpoint Protection Role

Launch the System Center 2012 R2 Configuration Manager console
Select Administration, Site Configuration, Servers and Site System Roles, and right click on your Primary site and select Add Site System Roles
Click Next >
Click Next >
Check Endpoint Protection point
Click OK on the Configuration Manager dialog
Click Next >
Check I accept the Endpoint Protection license terms and click Next >
Check Advanced membership and click Next >
1. Note: MAPS can be joined with a basic or an advanced membership. Basic member reports contain the information described above. Advanced member reports are more comprehensive and may include additional details about the software Endpoint Protection detects, including the location of such software, file names, how the software operates, and how it has impacted your computer. These reports, along with reports from other Endpoint Protection users who are participating in MAPS, help Microsoft researchers discover new threats more rapidly. Malware definitions are then created for programs that meet the analysis criteria, and the updated definitions are made available to all users through Microsoft Update. See http://technet.microsoft.com/library/hh508835.aspx for full details.
2. My thoughts on this are to go with Advanced. If you are using the AV product, may as well help contribute towards making the product detect anomalies more accurately (I'll turn my Microsoft fan-boyness off now :))
Click Next >
Click Close

Configuring Endpoint Protection Alerting

Email Alerting
Device Collection Alerting

Configure SUP for Endpoint Protection

Launch the System Center 2012 R2 Configuration Manager console
Select Administration, Overview, Site Configurion, Sites and select Settings, Configure Site Components, Software Update Point
Select the Products tab and then check Forefront Endpoint Protection 2010 and click OK
Select Software Library, expand Software Updates and right click on All Software Updates and select Synchronize Software Updates
Click Yes on the Run Synchronization dialog box

Configure SUP to deliver Definition Updates using an Automatic Deployment Rule

Create a new shared folder called EndpointProtection in your WSUS directory
Share the folder with the Everyone group
1. Right click on the folder and select Properties
2. Select the Sharing tab and then click the Share... button
3. Type Everyone and then click Add. Ensure the Permission level is Read and then click Share
Launch the System Center 2012 R2 Configuration Manager console
Select Software Library, Expand Overview, Software Updates, and select Automatic Deployment Rules. Right click and select Create Automatic Deployment Rule
Enter in a Name and Description for your Automatic Deployment Rule and then click on the Browse... button
Select one of the Device Collections we made prior back and then click OK
Click Next >
Click Next >
Check Date Released or Revised and and Product, set Date Released or Revised to Last 1 day and Product to Forefront Endpoint Protection 2010 and click Next >
Check Run the rule on a schedule, click the Customize... button, and then select 1 days at 12:00AM, and click Next >
Set Time based on UTC and set Installation deadline As soon as possible and click Next >
Check Servers on Device restart behavior (this will prevent a server from restarting from an update), and click Next >
Check Generate an alert when the following conditions are met and click Next >
1. NOTE: This is an optional step. If you would like to set an alert to be triggered when X% of your clients do not have the latest virus definitions, use this option. If you do not wish to be alerted leave the box unchecked and click Next > In this particular example, after 15% of the clients have virus definitions out of date will receive an alert.
Check Download software updates from distribution point and install, check Download and install software updates from the fallback content source location, and click Next >
1. Optionally, you can check If software updates are not available on preferred sitribution point or remote distirbution point, download content from Microsoft Update, to always ensure your client has a source to download the latest virus defitions.
Enter Endpoint Protection Definition Updates for the Name, the following Description: This new deployment package will contain our Endpoint Protection defition updates. We will run this automatic deployment rule only once and then retire it. We do this in order to create the Deployment Package. In the next automatic deployment rule we will select this package instead of creating a new deployment package., and type in the share path to your sccm folder (\\sccm\EndpointProtection). Click Next >
Click Add, Distribution Point
Check your site and click OK
Click Next >
Ensure Download software updates from the Internet is checked and click Next >
Check the languages you want to support and then click Next >
Click Save As Template..., click Browse... and enter Endpoint Protection Managed Servers and click Save
Click Next >
Click Close
Right click on your Endpoint Protection rule and select Disable
Repeat steps 3-23, using Endpoint Protection Managed Servers as a template in Step 4 for each of the Device Collection groups we created.

Configure custom antimalware policies

In this section we will configure how Endpoint Protection will function on the client machines.

Launch the System Center 2012 R2 Configuration Manager console
Select Assets and Compliances, Endpoint Protection, and then click the Create Antimalware Policy button
Set a Name and Description for your Endpoint Protection Antimalware Policy, and then check each of the boxes for the options you wish to configure. Go through each of the tabs and customize how you wish the agent to run. Then click OK
Right click on your custom policy and click Deploy
Select the group you wish to target (in this case, configuration manager), and click OK

Configure Custom Device Settings

In this section we will configure the client policy to tell the machine it is managed by Endpoint Protection.

Launch the System Center 2012 R2 Configuration Manager console
Select Administration, Client Settings, and then click on Create Custom Client Device Settings
Enter in a Name (Custom Client Device Settings - Endpoint Protection Managed Servers - Configuration Manager), Description (Custom client device settings for servers related to configuration manager), and check Endpoint Protection
On the Endpoint Protection tab use the following settings and then click OK
1. Manage Endpoint Protection client on client computeres: Yes
  Allow Endpoint Protection client installation and restarts outside maintenance windows. Maintenance windows must be at least 30 minutes long for client installation: Yes
Right click on your new Custom Client Device Settings policy and select Deploy
Select the group of machines you want to deploy the agents to and select OK

Verify the client shows the policy

Open the Endpoint Protection agent and select About
Verify you see your custom antimalware policy

System Center 2012 R2 Configuration Manager - Client Web Service Point and Deploying the SCCM Agent

1 Reply

This guide is in continuation to my guide on deploying system center 2012 r2 configuration manager, as found here.

This guide will go over installing the Application Catalog to allow users to choose software they may wish to download and install (that you have already approved), configuring the SCCM client options, deploying the client, and verifying the client has been installed.

Configuring Application Catalog

Launch the System Center 2012 R2 Configuration Manager console
Click on Administration in the bottom left corner
Expand Site Configuration and select Sites and right click on your site and select Add Site System Roles
Click Next >
Click Next >
Check Application Catalog Web Service Point, Application Catalog Website Point, and click Next >
Click Next >
1. NOTE: If you have a PKI environment, go ahead and check HTTPS and hit Next > to encrypt your network traffic
Click Next >
Enter your Organization name, select a Website theme, and click Next >
Click Next >
Click Close
Verify you can access the website from a remote machine (you will need Silverlight in order to browse the page)
1. https://sccm.mydomain.com/cmapplicationcatalog

Configuring SCCM Agent Settings

Launch the System Center 2012 R2 Configuration Manager console
Click on Administration in the bottom left corner
Click Client Settings, right click on Default Client Settings, select Properties
Select Computer Agent and then click on the Set Website... button near Default Application Catalog website point
Select the value that matches your intranet FQDN and click OK
Select Yes under Add default Application Catalog website to Internet Explorer trusted site zone
Click on Software Updates and schedule software updates to happen every 1 days
1. NOTE: We want software updates to scan every day to deploy Endpoint Protection (antivirus) defitions to all of our clients. If you will not be using Endpoint Protection, you may want to leave this at 7 days or however frequently you wish to push updates.
Click on User and Device Affinity and set Allow user to define their primary devices to Yes
1. NOTE: What is User Device Affinity? User device affinity in Microsoft System Center 2012 Configuration Manager is a method of associating a user with one or more specified devices. User device affinity can eliminate the need to know the names of a user’s devices in order to deploy an application to that user. Instead of deploying the application to all of the user’s devices, you deploy the application to the user. Then, user device affinity automatically ensures that the application install on all devices that are associated with that user. More info can be found here: http://technet.microsoft.com/en-us/library/gg699365.aspx
Click OK

Preparing deployment credentials to install SCCM Agent to clients

Launch the System Center 2012 R2 Configuration Manager console
Click on Administration in the bottom left corner
Select Site Configuration, Sites, and then click Settings->Client Installation Settings->Client Push Installation
Check Enable automatic site-wide client push installation and check all options to under System types to cover all machines in your environment
1. NOTE: This step is optional. If you wish to manually deploy the SCCM client every time you add a machine to your environment, leave this option unchecked.
Select the Accounts tab and then click the yellow star and select New Account
Enter in the SCCMCP user credentials (that have local admin privileges on the remote machines), click the Verify button, and type in the path to one of the shared folders on your machine.
Click Test Connection and hit OK on the Configuration Manager dialog
1. NOTE: If this step failed, ensure your folders are being shared properly. The sharing properties on this folder should have been configured automatically when WSUS was being installed.
Click OK

Deploy the SCCM Agent to clients

Launch the System Center 2012 R2 Configuration Manager console
Select Devices, right click on the client you wish to deploy the agent to and select Install Client
Click Next >
Check Always install the client software optionally check the others and click Next >
1. Note: Since we only have one site, the Install the client software from a specific site option will default to your only site and in this case, since we aren't installing the agent on a domain controller, the first checkbox won't be applicable during installation.
Click Next >
Click Close

After about 5 minutes or so, you should see an entry in your start menu called Software Center. If you see this, you have successfully deployed the SCCM client! 🙂

System Center 2012 R2 Configuration Manager - Discovery Methods and Boundaries

1 Reply

This guide is the 3rd in our deployment of System Center 2012 R2 Configuration Manager, originally starting with this guide here.

Definitions

Discovery Methods - Discovery identifies computer and user resources that you can manage by using Configuration Manager. It can also discover the network infrastructure in your environment. Discovery creates a discovery data record (DDR) for each discovered object and stores this information in the Configuration Manager database. These can be through Active Directory Forest, Active Directory Group Discovery, Active Directory System Discovery, Active Directory User Discovery, Heartbeat Discovery, and Network Discovery. You can find more information from the official technet article here: http://technet.microsoft.com/en-us/library/gg712308.aspx

Active Directory Forest Discovery
- Can discover Active Directory sites and subnets, and then create Configuration Manager boundaries for each site and subnet from the forests that you have configured for discovery. When Active Directory Forest Discovery identifies a supernet that is assigned to an Active Directory site, Configuration Manager converts the supernet into an IP address range boundary.
Active Directory Group Discvoery
- Discovers local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active directory Domain Services. Distribution groups are not discovered as group resources.
Active Directory System Discovery
- Discovers computers from the specified locations in Active Directory Domain Services.
Active Directory User Discvoery
- Discovers user accounts from the specified locations in Active Directory Domain Services.

Boundaries - A boundary is a network location on the intranet that can contain one or more devices that you want to manage. Boundaries can be an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range, and the hierarchy can include any combination of these boundary types. To use a boundary, you must add the boundary to one or more boundary groups. Boundary groups are collections of boundaries. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images. You can find more information from the official technet article here: http://technet.microsoft.com/en-us/library/gg712679.aspx

Enabling Discovery

Launch the System Center 2012 R2 Configuration Manager console
Click on Administration in the bottom left corner
Expand Hierarchy Configuration and select Discovery Methods
Configure Active Directory Forest Discovery
1. Right click on Active Directory Forest Discovery and select Properties
2. Check Enable Active Directory Forest Discovery and Automatically create IP address range boundaries for IP subnets when they are discovered
  1. NOTE: Reasons on why we did not select Automatically create Active Directory site boundaries when they are discovered can be found in this blog post: IP Subnet Boundaries are EVIL
3. Click Yes when prompted to run a full discvoery as soon as possible
Configure Active Directory Group Discovery
1. Right click on Active Directory Group Discovery and select Properties
2. Check Enable Active Directory Group Discovery and then click the Add button and select Locations...
  1. Add Location - This will recursively search a container (most often an Organizational Unit) in Active Directory for Groups
  2. Add Group - This will recursively search a group in Active Directory for additional Groups
3. Enter in a Name to describe what we are searching and hit Browse... next to Location to select the container containing the groups you want. Once done, click OK on the Add Active Directory Location screen
4. Select the Options tab and check the options applicable to you
5. Click OK on the Active Directory Group Discovery Properties window and select Yes if prompted to run a full discovery as soon as possible
Configure Active Directory System Discovery
1. Right click on Active Directory System Discovery and select Properties
2. Check Enable Active Directory System Discovery and click the Yellow star to add an Active Directory container
3. Click the Browse button and select a container containing your machines
  1. Most production environments will probably have a custom OU defined to place their computer objects. If in doubt, select the Computers container and click OK
4. Click on the Options tab, check both options, and click OK
5. Click Yes to do a full discovery as soon as possible
Configure Active Directory User Discovery
1. Right click on Active Directory User Discovery and select Properties
2. Check Enable Active Directory User Discovery and click the Yellow star icon to add an Active Directory container
3. Click on the Browse... button and select the container holding your users. Click OK.
4. Click OK on the Active Directory User Discovery Properties window
5. Click Yes if prompted to run a full discovery as soon as possible

Enabling a Network Boundary/Group

Click on Boundary Groups
Right click and select Create Boundary Group
Enter a Name and Description of the Group
1. NOTE: This group should be used grouping related subnets in a geographic area that will receive patches/update/software from a specific server.
Click the Add... button and select any networks you want to assign to this Boundary Group
1. By default, if you enabled the Active Directory Forest Discovery, you should have a network called Default-First-Site-Name in the list. If you are in a larger enterprise, select the subnets relating to the boundary group.
Click on the References tab, check Use this boundary group for site assignment, and click the Add... button
Check your site and click OK
Click OK

System Center 2012 R2 Configuration Manager - Adding a Software Update Point to a Standalone Server

1 Reply

This guide is in continuation to my guide on deploying system center 2012 r2 configuration manager, as found here.

Definition
SUP (Software Update Point) - The software update point interacts with the WSUS services to configure update settings, to request synchronization to the upstream update source, and on the central site, to synchronize software updates from the WSUS database to the site server database. More details on this can be found from the following technet article: http://technet.microsoft.com/en-us/library/bb632674.aspx
WDS (Windows Deployment Services) - Will be used for Operating System deployment.

Launch the System Center 2012 R2 Configuration Manager console
Click on Administration in the bottom left corner
Expand Site Configuration and select Servers and Site System Roles
Right click on your SCCM server and select Add Site System Role
Click Next > on the General section of the wizard
Click Next > on the Proxy section of the wizard
Check Software update point and click Next > on the System Role Selection section of the wizard
Check WSUS is configured to use ports 8530 and 8531 for client communications and click Next > on the Software Update Point screen
1. 1. NOTE: If you have a PKI environment and want everything to be encapsulated by SSL, you can go ahead and check Require SSL communication to the WSUS server to ensure all traffic is encryptioned.
Click Next > on the Proxy and Account Settings screen
Click Next > on the Synchronization Source screen
Check Enable Synchronization on a schedule to set how often the check should run. Click Next > on the Synchronization Schedule screen
1. Optionally, check Alert when synchronization fails on any site in the hierarchy to be notified if a synchronization with Microsoft fails.
Click Next > on the Supersedence Rules screen
If you will be deploying System Center Endpoint Protection (SCEP) (Microsoft's Antivirus Solution), check Definition Updates for WSUS to download those. If you wish to have more frequent updates, check Critical Updates to have those pulled down from Microsoft as well. Click Next >
Expand All Products, Microsoft, on the Products page and check the products you wish to download updates for. Click Next > once done.
On the languages page, select which languages you want to sync and then click Next >
Click Next > on the Summary page if everything looks correct
Click Close if the settings have successfully applied

System Center 2012 R2 Configuration Manager - Error - Event ID 4912 - component SMS_SITE_COMPONENT_MANAGER on computer X cannot update the already existing object

9 Replies

Symptom: Inside of Event Viewer, you see the following Error entry.

On 06/27/14 07:29:39, component SMS_SITE_COMPONENT_MANAGER on computer sccm.mydomain.local reported: Configuration Manager cannot update the already existing object "cn=SMS-MP-LAX-sccm.mydomain.LOCAL" in Active Directory (mydomain.local).

Possible cause: The site server's machine account may not have full control rights for the "System Management" container in Active Directory
Solution: Give the site server's machine account full control rights to the "System Management" container, and all child objects in Active Directory.

Possible cause: The Active Directory object "cn=SMS-MP-LAX-sccm.mydomain.LOCAL" has been moved to a location outside of the "System Management" container, or has been lost.
Solution: Delete the object from its current location, and let the site create a new object.

Possible cause: The Active Directory schema has not been extended with the correct ConfigMgr Active Directory classes and attributes.
Solution: Turn off Active Directory publishing for each site in the forest, until the schema can be extended. The schema can be extended with the tool "extadsch.exe" from the installation media.

Solution: Complete the steps below to ensure that the SCCM computer account has the ability to write to Active Directory.

Add Permission to the System Management Container
1. From the following technet article: http://technet.microsoft.com/en-us/library/bb633169.aspx
  After you have created the System Management container in Active Directory Domain Services, you must grant the site server’s computer account the permissions that are required to publish site information to the container.
  1. On your domain controller navigate to Server Manager -> Tools -> Active Directory Users and Computers
  2. Click View and select Advanced Features
  3. Expand your site, System, System Management and select Properties
  4. On the System Management Properties dialog box select the Security Tab
  5. Click Add.. on the Security Tab
  6. Click the Object Types… button, check Computers, and click OK
  7. Type in the computer’s name and click OK
  8. Check Full Control on the Security Permissions for your SCCM machine
  9. Click the Advanced button, select the computer account, and click Edit
  10. Select This object and all descendant objects in the Applies to section and click OK
  11. Restart the SMS_SITE_COMPONENT_MANAGER and service

System Center 2012 Configuration Manager R2 (SCCM 2012 R2) Standalone Deployment

4 Replies

Recently, I had to install System Center 2012 Configuration Manager R2. I have had no prior experience using this product up to this point, so I thought I would document my notes and findings while giving the installation a whirl.

Prerequisites

Domain Controller
- DNS Role (could be on a seperate machine)
- DHCP Role (could be on a seperate machine)
Server 2012 R2 instance for SCCM
- Should be joined to the domain
- 200GB HDD
  - 40-50GB for OS
  - 150GB for SCCM
Windows 7 Client for Testing
- Should be joined to the domain

If you wish to use a different Operating System version for your server or client, you can find a list of supported configurations from the following technet article: http://technet.microsoft.com/en-us/library/gg682077.aspx

Here are my tutorials on deploying System Center 2012 R2 Configuration Manager Standalone

Tutorial

Manually create the System Management Container in Active Directory Domain Services
1. From the following technet article: http://technet.microsoft.com/en-us/library/bb632591.aspx
  Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services.
  1. Log on to one of your domain controllers
  2. From Server Manager, select Tools -> ADSI Edit
  3. Right click ADSI Edit and select Connect to...
  4. Ensure the Connection Point is set as Default naming Context and click OK
  5. Expand Default naming context <FQDN>, expand <distinguished name>, right-click CN=System, click New, and then click Object
  6. In the Create Object dialog box, select Container, and then click Next
  7. In the Value box, type System Management, and then click Next
  8. Click Finish
Add Permission to the System Management Container
1. From the following technet article: http://technet.microsoft.com/en-us/library/bb633169.aspx
  After you have created the System Management container in Active Directory Domain Services, you must grant the site server's computer account the permissions that are required to publish site information to the container.
  1. On your domain controller navigate to Server Manager -> Tools -> Active Directory Users and Computers
  2. Click View and select Advanced Features
  3. Expand your site, System, System Management and select Properties
  4. On the System Management Properties dialog box select the Security Tab
  5. Click Add.. on the Security Tab
  6. Click the Object Types... button, check Computers, and click OK
  7. Type in the computer's name and click OK
  8. Check Full Control on the Security Permissions for your SCCM machine
  9. Click the Advanced button, select the computer account, and click Edit
  10. Select This object and all descendant objects in the Applies to section and click OK
Create Service Accounts for System Center in Active Directory
1. SCCMDJ
  1. This service account is actually defined as the Task Sequence Editor Domain Joining Account. The account is used in a task sequence to join a newly imaged computer to a domain. This account is required if you add the step Join Domain or Workgroup to a task sequence, and then select Join a domain. This account can also be configured if you add the step Apply Network Settings to a task sequence, but it is not required.
2. SCCMCP
  1. The Client Push Installation Account is used to connect to computers and install the Configuration Manager client software if you deploy clients by using client push installation. If this account is not specified, the site server account is used to try to install the client software. This account will need to be a local administrator on the machine we want to push software to.
3. SCCMNA
  1. The Network Access Account is used by client computers when they cannot use their local computer account to access content on distribution points. For example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer account on the domain.
4. SCCMRA
  1. The Reporting Services Point Account is used by SQL Server Reporting Services to retrieve the data for Configuration Manager reports from the site database. The Windows user account and password that you specify are encrypted and stored in the SQL Server Reporting Services database.
5. NOTE: There are other service accounts that can be created for SCCM other than these as well. You can see a full listing from the following technet article (additional note, descriptions for the service accounts above were copied from this same article): http://technet.microsoft.com/en-us/library/hh427337
Download a copy of Microsoft System Center 2012 R2 Configuration Manager and Endpoint Protection from the Volume Licensing Center or the Technet Evaluation Center
1. This is called System Center 2012 R2 Config Mgr Client Mgmt License in the Volume Licensing Center
2. The evaluation copy can be found here: http://technet.microsoft.com/en-us/evalcenter/dn205297.aspx
3. NOTE: In this tutorial, I will be using the ISO distributed from the volume licensing center
Extend the Active Directory schema for Configuration Manager
1. Mount/extract the System Center 2012 R2 Configuration Manager media to your SCCM machine
2. Navigate to D:\SMSSETUP\BIN\X64 (or where ever your installation media is). Right click on a file called extadsch.exe and right click, Run as Administrator
3. You will notice a black command prompt popup and then dissappear. Once it has dissappeared, open the following text document: c:\ExtADSch.txt
4. Verify the schema has been successfully extended
Install Pre-requisits to System Center Configuration Manager 2012 R2
1. Execute the following powershell command
  1. Add-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Redirect,Web-App-Dev,Web-Net-Ext,Web-Net-Ext45,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-HTTP-Tracing,Web-Security,Web-Filtering,Web-Performance,Web-Stat-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Mgmt-Compat -Restart
2. Execute the following command
  1. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -r
  2. NOTE: Apparently there was/is? a bug in the .NET framework which causes an error later on. Although optional, I would run this just be sure the .NET framework works properly with two different versions installed. You can read more about this command here: http://msdn.microsoft.com/en-US/library/k6h9cz8h(v=vs.80).ASPX
3. Install Windows Server Update Services
  1. Execute the following commands (ensure you change the values to where you want the WSUS definitions and SQL server locations reside)
    1. Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools
    2. cd "c:\Program Files\Update Services\Tools"
    3. ./wsusutil.exe postinstall CONTENT_DIR=E:\WSUS sql_instance_name=SQLSERVERNAME
4. Install User State Migration Tool (USMT)
  1. Download a copy of the User State Migration Tool (USMT) from Microsoft's website: http://go.microsoft.com/fwlink/?LinkId=301570
  2. Right click and run adksetup.exe as an administrator (Click Yes if prompted by UAC)
  3. Click Next on the Specify Location screen
  4. Click Next on the Join the Customer Experience Imporovement Program (CEIP) screen
  5. Click Accept on the License Agreenment screen
  6. Check Deployment Tools, Windows Preinstallation Environment (Windows PE), and User State Migration Tool (USMT), and then click Install
  7. Click Close on the Welcome to Windows Assessment and Deployment Kit for Windows 8.1
5. Run Windows Updates to ensure you are fully patched
Install and Configure SQL Server
1. Install SQL Server
  1. This step can vary on how you want to deploy SQL server. In this particular environment, a SQL cluster had already been deployed in the organization, so I will take advantage of that. However, in smaller environments, you can install the SQL Service on the same machine. You can find a compatibility matrix and which versions of SQL Server can be installed: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig
2. If you have a remote SQL server, make sure you add the SCCM computer account as a local administrator of the SQL server. More information on how to do that can be found in this guide: http://jackstromberg.com/2014/06/sccm-2012-r2-site-server-computer-account-administrative-rights-failed/
Install System Center 2012 Configuration Manager R2
1. Navigate to your installation media and double click on splash.hta to launch the installer
  1. NOTE: If you are doing an offline install (no internet), run the setupdl.exe installer from your installation media (example: D:\SMSSETUP\BIN\X64\setupdl.exe)
2. Click on Install (Click Yes if prompted by UAC)
3. Click Next >
4. Ensure Install a Configuration Manager primary site is checked and click Next >
5. Enter your license key or hit Install the evaluation edition of this product and click Next >
6. Accept the license agreemt for the Microsoft Software License Terms
7. Accept the license agreements for SQL Server 2012 Express, SQL Server 2012 Native Client, and Silverlight, then click Next >
8. Check Download required files and put them on your desktop
  1. This will grab the latest copy of SCCM. If you need to do an offline installation, you can manually run the offline installer from your installation media (in my case: D:\SMSSETUP\BIN\X64\setupdl.exe).
9. Select your language to run System Center server in and then click Next >
10. Select your languages to support on your client devices and click Next >
11. Set a site code (I would use an airport code if you only have one office in each office location), enter your site name, and then change the installation folder to use your second partition. Once done, click Next >
12. Check Install the primary site as a stand-alone site and click Next >
13. Click Yes on the Configuration Manager dialog box that explains you can configure SCCM to be in a heirrachy to scale at a later time
14. Enter in the SQL Server Name (FQDN) to your database server and click Next >
  1. If you installed the SQL Server service on this same machine, it should be the FQDN to your SCCM machine. If you have a SQL Server you would like to point to, enter in the FQDN of that server.
15. Click Next > on the Database Information screen
16. Click Next > on the SMS Provider Settings
17. Check Configure the communication method on each site system role and then click Next > if you do not have PKI setup. If you have a PKI implemented in your environment, you may go ahead and choose All site system roles accept only HTTPS communication from clients.
  1. Click Yes to continue if you selected All site system roles accept only HTTPS communication from clients
18. Ensure Install a management point and Install a distribution point are checked and click Next >
19. Click Next > on the Customer Experience Improvement Program
20. Verify the settings you chose on the Settings Summary and then click Next >
21. Click Begin Install on the Prerequisite Check once you have passed all of the potential issues. In this case, I have a few that are false possitives, so I am going to go ahead with the install.
22. Once done installing, hit Close

Try opening up the System Center 2012 R2 Configuration manager console. If it opens, congrats on your newly deployed System Center! 🙂

SCCM 2012 R2 - Warning - IIS HTTPS Configuration for management point

2 Replies

Symptom: When installing System Center 2012 R2 Configuration Manager and requiring all communications to be secure via HTTPS you receive the following Warning on the Prerequisite Check screen of the installation wizard.

Warning: IIS HTTPS Configuration for managment point
Warning: IIS HTTPS Configuration for distribution point

Internet Information Services (IIS) website bindings for HTTPS communication protocol is required for some site roles. If you have selected to install site roles requiring HTTPS, please configure IIS website bindings on the specified server with a valid PKI server certificate.

Solution: You need to add bindings for HTTPS to the Default Website inside of IIS Manager.

Open up Internet Information Services (IIS) Manager
Expand your server and select Default Web Site
Select Bindings... on the right side
Click the Add... button
Select https as the connection type and then select the SSL certificate you wish to use
Click OK

SCCM 2012 R2 - Site server computer account administrative rights failed

13 Replies

Symptom: When trying to deploy System Center Configuration Manager 2012 R2, you receive the following status under the Prerequisite Check of the deployment.