SCCM Current Branch comprehensive installation guide – requirements

This post opens a series of tutorials about Configuration Manager (SCCM), part of the Microsoft System Center product family. We will talk about installing and configuring System Center Configuration Manager (SCCM) Current Branch with SQL Server 2014 installed locally, its functions, and the System Center Endpoint Protection role.

First things first: the SCCM requirements. If you don’t complete them successfully you can’t even install SCCM. I strongly recommend completing all steps of the checklist in the same order; it will save you time.

SCCM requirements checklist


SCCM service accounts and groups

  • sccm-admin (account used to install or update SCCM)
  • sccm-sql (SQL Server service account for SCCM)
  • sccm-rs (account for SQL Server Reporting Services)
  • sccm-na (SCCM Network Access Account)
  • sccm-ClientPush (SCCM client push installation account)
  • sccm-admins (group of SCCM admins; includes “sccm-admin”, “sccm-sql”, “sccm-rs”, “sccm-na”)
  • sccm-servers (group of site servers; includes the computer accounts of the SCCM server itself and of the SQL server)

Add the “sccm-admins” and “sccm-servers” groups to the local Administrators group of the SCCM server.

Add the “sccm-ClientPush” account to the Domain Admins group of your AD. (Configuration Manager itself only requires this account to be a local administrator on the clients it installs to, so Domain Admins membership grants more than the push needs; keep that in mind when you harden the environment later.)
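The accounts and groups above can be created in one go with the ActiveDirectory module. The script below is an added example, not part of the original post: it creates the five accounts (prompting for each password rather than storing it), the two groups, fills them as listed, and adds both groups to the local Administrators group of the site server. The OU path, domain and server name are placeholders you must adjust; the Domain Admins step for sccm-ClientPush is not scripted here.

```powershell
# Added example: provisions the SCCM service accounts and groups from the checklist.
# Assumptions: run as a domain admin with RSAT installed; $OU, $Domain, $SiteServer
# and $SqlServer are placeholders. Add-LocalGroupMember needs PowerShell 5.1+.
Import-Module ActiveDirectory

$OU         = 'OU=SCCM,OU=Service Accounts,DC=contoso,DC=com'   # placeholder
$Domain     = 'contoso.com'                                     # placeholder
$SiteServer = 'SCCM01'                                          # placeholder
$SqlServer  = 'SCCM01'                                          # same box here: SQL is installed locally
$NetBios    = (Get-ADDomain).NetBIOSName

# Account name -> description, in the order the checklist lists them.
$accounts = [ordered]@{
    'sccm-admin'      = 'SCCM installation / update account'
    'sccm-sql'        = 'SQL Server service account for SCCM'
    'sccm-rs'         = 'SQL Server Reporting Services account'
    'sccm-na'         = 'SCCM Network Access Account'
    'sccm-ClientPush' = 'SCCM client push installation account'
}

foreach ($name in $accounts.Keys) {
    # -Filter returns nothing (no error) when the account does not exist yet.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        $pw = Read-Host -AsSecureString "Password for $name"
        New-ADUser -Name $name -SamAccountName $name `
            -UserPrincipalName "$name@$Domain" -Path $OU `
            -Description $accounts[$name] -AccountPassword $pw `
            -PasswordNeverExpires $true -Enabled $true
    }
}

# sccm-admins holds the four admin-side accounts, sccm-servers the computer accounts.
foreach ($g in 'sccm-admins', 'sccm-servers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $OU
    }
}
Add-ADGroupMember -Identity 'sccm-admins' -Members 'sccm-admin', 'sccm-sql', 'sccm-rs', 'sccm-na'

$computers = $SiteServer, $SqlServer | Select-Object -Unique | ForEach-Object { Get-ADComputer $_ }
Add-ADGroupMember -Identity 'sccm-servers' -Members $computers

# Both groups become local Administrators on the site server.
$members = "$NetBios\sccm-admins", "$NetBios\sccm-servers"
Invoke-Command -ComputerName $SiteServer -ScriptBlock {
    # Add-LocalGroupMember fails if a member is already present; ignore that case.
    Add-LocalGroupMember -Group 'Administrators' -Member $using:members -ErrorAction SilentlyContinue
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
}
```

The final Get-LocalGroupMember call prints the resulting membership so you can confirm both groups landed in the local Administrators group before moving on.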


Active Directory System Management container

Connect to your AD domain controller, open ADSI Edit and click “Connect to…”. Then expand the Default Naming Context, right-click CN=System, click New and choose Object.

On the Create Object window, select the class “container” and click Next.

Provide the value “System Management”. Click Next, then Finish to close the wizard and ADSI Edit.

The SCCM computer account must be granted Full Control permissions on the System Management container and all its child objects. To do this, open Active Directory Users and Computers, click View and enable Advanced Features. Expand System, right-click System Management and click Delegate Control.

Click Add; in the Select Users, Computers, or Groups window click Object Types and check Computers. Click OK. Type the name of the primary site server group (sccm-servers) and click OK.

On the Tasks to Delegate page, click Create a custom task to delegate and click Next. On the Active Directory Object Type window, select the option This folder, existing objects in this folder, and creation of new objects in this folder. Click Next.

We need to select the permissions to delegate: choose General, Property-specific and Creation/deletion of specific child objects. Under the permissions, check Full Control; when you check Full Control all the other permissions are checked automatically. Click Next and then Finish to close the wizard.

We have now delegated Full Control on the System Management container to the primary site server computer account (through the sccm-servers group).
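The same result as the ADSI Edit and Delegate Control steps above can be produced from PowerShell, which is also the easiest way to verify the delegation afterwards. The script below is an added example, not part of the original post: it creates the System Management container under CN=System if it is missing and adds an Allow ACE granting GenericAll (Full Control) to sccm-servers, inherited by all descendant objects. It assumes it is run as a domain admin on a host with the ActiveDirectory module.

```powershell
# Added example: create the System Management container and delegate Full Control
# (GenericAll, inherited to all child objects) to the sccm-servers group.
# Assumption: run as a domain admin; the group name matches the checklist above.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"

# Create the container only if it does not exist yet (LDAP filter avoids an exception).
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase $systemDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# ACEs are keyed by SID, so resolve the group's SID first.
$sid = (Get-ADGroup 'sccm-servers').SID

$acl = Get-Acl -Path "AD:\$containerDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,           # Full Control
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All      # this object and all descendants
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Verification: the ACEs that apply to sccm-servers on the container.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference -like '*\sccm-servers' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The verification output should show GenericAll, Allow and InheritanceType All for sccm-servers; anything less means the site server will not be able to publish its data to the container later.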


Active Directory Schema extension

Copy the file extadsch.exe from the SCCM installation media (D:\SMSSETUP\BIN\X64) to the domain controller. Run it under administrator credentials (the account must be a member of Schema Admins) and check the ExtADSch.log file, which is written to the root of the system drive.


Disks layout

Of course, the size of the disks depends on your requirements, the roles installed and the number of managed systems. My setup is designed for a mid-size infrastructure of 100-300 systems. If you don’t plan to configure SCCM with the “Software Update Point” role, you can leave out the WSUS drive.

Drive letter   Purpose                    Size    Allocation unit
C:\            OS                         100GB   default
D:\            SCCM                       100GB   default
E:\            SQL DB                     40GB    64K
F:\            SQL TEMP DB                40GB    64K
G:\            SQL DB and TEMP DB logs    40GB    64K
H:\            WSUS                       200GB   default


SQL server installation and configuration

Check with Microsoft which SQL Server version is supported: Supported SQL Server versions for System Center Configuration Manager.

Some versions of SQL Server require .NET 3.5 to be installed. Here is the short command (where D: is your Windows installation media):

dism.exe /online /enable-feature /featurename:NetFX3 /Source:D:\sources\sxs /all

SQL Server components to install: Database Engine, Reporting Services (Native), Management Tools, Full-Text Search.

SQL Server collation: SQL_Latin1_General_CP1_CI_AS

You can choose a default or a named instance. For a named instance, enter any desired name for the SCCM database instance.

Configure the service accounts (the ones created in the accounts section above):

  • Database Engine, SQL Server Agent – domain\sccm-sql
  • Reporting Services – domain\sccm-rs

Add to the SQL Server administrators: the current user, sccm-admins, sccm-servers and Domain Admins.

Configure the data directories according to the disk layout above.

Reporting Services: install and configure.


SQL Server post-installation tasks

Set the SQL Server memory limit. I recommend a value between 50% and 80% of physical memory. Do not forget to restart SQL Server after changing this setting.

If you decided to use a named instance, you have to configure a static SQL port:

  • open “SQL Server Configuration Manager” and select your instance
  • open the properties for “Named Pipes” and change Enabled to “Yes”
  • open the properties for “TCP/IP” and click the “IP Addresses” tab
  • for every IP interface, set the “TCP Port” field to your chosen static port (1433 is the default)
  • for the “IPAll” interface, set the “TCP Port” field to the same static port
  • ensure the “TCP Dynamic Ports” field is blank
  • restart the SQL services for the named instance
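Both post-installation tasks above (memory cap and static port for a named instance) can be scripted and, more importantly, verified from the SQL Server error log. The script below is an added example, not part of the original post. It assumes the SqlServer PowerShell module is installed (it makes the SMO WMI provider and Invoke-Sqlcmd available) and that the instance name and the 70% memory ratio are placeholders you adjust to your box.

```powershell
# Added example: set 'max server memory' and pin a named instance to a static TCP port
# with the SMO WMI provider (the same settings SQL Server Configuration Manager edits).
# Assumptions: SqlServer module installed; $InstanceName is a placeholder.
Import-Module SqlServer

$InstanceName = 'SCCM'                 # placeholder: named instance
$StaticPort   = 1433
$ServerInst   = "$env:COMPUTERNAME\$InstanceName"

# --- Memory limit: the guide recommends 50%-80% of physical RAM; 70% is used here.
$totalMB = [int]((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$limitMB = [int]($totalMB * 0.7)
Invoke-Sqlcmd -ServerInstance $ServerInst -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $limitMB; RECONFIGURE;
"@

# --- Protocols: Named Pipes on, TCP/IP on, dynamic ports off, static port everywhere.
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$inst = $wmi.ServerInstances[$InstanceName]

$np = $inst.ServerProtocols['Np']
$np.IsEnabled = $true
$np.Alter()

$tcp = $inst.ServerProtocols['Tcp']
$tcp.IsEnabled = $true
foreach ($ip in $tcp.IPAddresses) {           # every interface plus the IPAll entry
    $ip.IPAddressProperties['TcpDynamicPorts'].Value = ''          # must be blank
    $ip.IPAddressProperties['TcpPort'].Value         = "$StaticPort"
}
$tcp.Alter()

# Restart the instance as the guide recommends (the port change needs it anyway).
# -Force also stops dependent services such as SQL Agent; start them again afterwards.
Restart-Service -Name "MSSQL`$$InstanceName" -Force
Start-Service  -Name "SQLAgent`$$InstanceName" -ErrorAction SilentlyContinue

# Verification: the current error log states which port the instance is listening on.
Invoke-Sqlcmd -ServerInstance $ServerInst -Query "EXEC xp_readerrorlog 0, 1, N'Server is listening on';" |
    Select-Object -ExpandProperty Text
```

The last line should print entries like “Server is listening on [ 'any' <ipv4> 1433]”; if you see a different port, one of the IP entries still had a dynamic port configured.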


SPN registration

A Service Principal Name (SPN) must be registered for the SQL Server service account (when the local system account is not used) to allow clients to identify and authenticate the service using Kerberos authentication. The SetSPN utility can be used to register an SPN for the site database server’s SQL Server service account. It must be run on a computer that resides in the SQL Server’s domain, using Domain Administrator credentials. To properly configure an SPN for the SQL Server service account using the SetSPN utility, follow the steps below.

Two SPNs should be registered for the account:

    1. for the NetBIOS name of the SQL server
    2. for the FQDN of the SQL server

The procedure to do that is as follows:

  • log on to a domain controller and open a command prompt with administrative privileges
  • type the commands below, replacing the server name and domain:

setspn -a mssqlsvc/servername:1433 gn-buero\sccm-sql

setspn -a mssqlsvc/fqdn_server:1433 gn-buero\sccm-sql

Verify the registration of the SPNs by typing the command below:

setspn -L <domain\account>
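The SPN registration above, as an added example that is not part of the original post, with two checks a practitioner wants after it: setspn -X reports duplicate SPNs in the forest (a duplicate silently breaks Kerberos for both accounts), and a query against sys.dm_exec_connections shows whether a session really authenticated with KERBEROS rather than falling back to NTLM. It assumes the ActiveDirectory and SqlServer modules are available, that the SQL host name is a placeholder, and uses sccm-sql and port 1433 as in this guide.

```powershell
# Added example: register the NetBIOS and FQDN SPNs for the SQL service account,
# then verify them. Assumptions: run as a domain admin on a domain-joined host;
# $SqlHost is a placeholder, the account and port follow the guide.
Import-Module ActiveDirectory

$SqlHost = 'SCCM01'                                   # placeholder
$Port    = 1433
$NetBios = (Get-ADDomain).NetBIOSName
$Account = "$NetBios\sccm-sql"
$Fqdn    = [System.Net.Dns]::GetHostEntry($SqlHost).HostName   # resolves to the FQDN

# setspn -S checks for an existing duplicate before adding; the guide's -a adds unconditionally.
foreach ($name in $SqlHost, $Fqdn) {
    & setspn.exe -S "MSSQLSvc/${name}:$Port" $Account
}

# What is now registered on the account (the guide's verification step).
& setspn.exe -L $Account

# Duplicate SPNs anywhere in the forest break Kerberos without an obvious error.
& setspn.exe -X

# From the SQL side: run this from a remote domain-joined client over TCP; a KERBEROS
# result proves the SPN is honoured, NTLM means the SPN or DNS name is still wrong.
Import-Module SqlServer
Invoke-Sqlcmd -ServerInstance "$Fqdn,$Port" -Query @"
SELECT auth_scheme, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
"@
```

Run the final query from a workstation rather than on the SQL server itself, so that the connection actually goes through the network stack with the FQDN you registered.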


Select disk for SCCM operations

This is quite an easy step. Put an empty text file named no_sms_on_drive.sms on each drive that SCCM is not supposed to use.
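The two disk-related steps of this checklist, the 64K allocation unit required for the SQL volumes in the disk layout table and the no_sms_on_drive.sms marker described just above, are easy to get wrong silently, so here is an added example (not part of the original post) that checks the first and performs the second. It assumes the drive letters of the layout table: D: for SCCM, E:, F: and G: for SQL.

```powershell
# Added example: verify the 64K allocation unit on the SQL volumes and place the
# no_sms_on_drive.sms marker on every fixed drive except the SCCM drive.
# Assumption: drive letters follow the layout table in this guide.
$SccmDrive = 'D'
$SqlDrives = 'E', 'F', 'G'
$WantedAU  = 64KB          # 65536 bytes

function Get-AllocationUnit {
    param([string]$Letter)
    # Win32_Volume.BlockSize is the NTFS cluster (allocation unit) size in bytes.
    (Get-CimInstance Win32_Volume -Filter "DriveLetter = '${Letter}:'").BlockSize
}

# 1. Allocation unit check: a wrong value can only be fixed by reformatting, so
#    catch it now, before SQL Server writes a single file there.
foreach ($d in $SqlDrives) {
    $au = Get-AllocationUnit -Letter $d
    if ($au -ne $WantedAU) {
        Write-Warning ("{0}: allocation unit is {1} bytes, expected {2}. Reformat with: " +
            "Format-Volume -DriveLetter {0} -FileSystem NTFS -AllocationUnitSize {2}") -f $d, $au, $WantedAU
    } else {
        Write-Host "$d`: allocation unit OK ($au bytes)"
    }
}

# 2. Marker file: every fixed volume with a letter, except the one SCCM should use.
Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter -and $_.DriveLetter -ne $SccmDrive } |
    ForEach-Object {
        $path = "$($_.DriveLetter):\no_sms_on_drive.sms"
        if (-not (Test-Path $path)) { New-Item -ItemType File -Path $path | Out-Null }
        Write-Host "marker present on $($_.DriveLetter):"
    }
```

The Format-Volume command printed in the warning destroys the volume contents, which is why the script only prints it instead of running it.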


Windows roles and features

IIS, .NET 3.5 and 4.5 (enable HTTP Activation for both), BITS, Remote Differential Compression.

In IIS add the following role services:

  • Application Development: ASP.NET 3.5
  • Security: Windows Authentication
  • Management Tools: IIS Management Console; IIS 6 Management Compatibility (IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility); IIS Management Scripts and Tools

WSUS

You only need the WSUS role if you are going to deliver updates to your systems using SCCM. It is an optional requirement.

Install the WSUS role (put the content on the dedicated disk, choose SQL Server as the database server, don’t use WID) and run the post-install tasks. Do not run any configuration wizard for now.
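The roles and features listed above, together with the optional SQL-backed WSUS role and its post-install task, can be installed with Install-WindowsFeature in one run. The script below is an added example, not part of the original post; it assumes the Windows installation media is mounted on D: (needed as the source for .NET 3.5), that H:\WSUS is the WSUS content directory from the disk layout, and that the SQL instance name is a placeholder.

```powershell
# Added example: install the IIS / .NET / BITS / RDC prerequisites, report anything
# that failed, then the WSUS role backed by SQL Server (not WID) with its post-install.
# Assumptions: $WinSource, $WsusContent and $SqlInstance are placeholders.
$WinSource   = 'D:\sources\sxs'            # Windows media, source for .NET 3.5
$WsusContent = 'H:\WSUS'                   # dedicated WSUS content drive
$SqlInstance = "$env:COMPUTERNAME\SCCM"    # placeholder: SQL instance for the WSUS DB

$features = @(
    'NET-Framework-Core', 'NET-HTTP-Activation',             # .NET 3.5 + HTTP Activation
    'NET-Framework-45-Core', 'NET-WCF-HTTP-Activation45',    # .NET 4.5 + HTTP Activation
    'BITS', 'RDC',                                          # BITS, Remote Differential Compression
    'Web-Server', 'Web-Asp-Net',                            # IIS + ASP.NET 3.5
    'Web-Windows-Auth',                                     # Security: Windows Authentication
    'Web-Mgmt-Console',                                     # IIS Management Console
    'Web-Metabase', 'Web-WMI',                              # IIS 6 Metabase / WMI Compatibility
    'Web-Scripting-Tools'                                   # IIS Management Scripts and Tools
)

$result = Install-WindowsFeature -Name $features -Source $WinSource -IncludeManagementTools
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A reboot is required before continuing.' }

# Anything still not installed is listed here; an empty result is what you want.
Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed } | Select-Object Name, InstallState

# Optional: WSUS with SQL Server connectivity (UpdateServices-DB) instead of WID (UpdateServices-WidDB).
Install-WindowsFeature -Name 'UpdateServices-Services', 'UpdateServices-DB' -IncludeManagementTools
New-Item -ItemType Directory -Path $WsusContent -Force | Out-Null

# Post-install task: creates the SUSDB on the SQL instance and points content at H:\WSUS.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall `
    SQL_INSTANCE_NAME="$SqlInstance" CONTENT_DIR="$WsusContent"
```

After wsusutil finishes, leave the WSUS configuration wizard alone as the text says; SCCM’s Software Update Point will take over the synchronization settings later.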

Windows Assessment and Deployment Kit (WADK)

Link to download the WADK: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit. You need to select the WADK for Windows 10, version 1607.

Run the installer and select Deployment Tools, Windows Preinstallation Environment (Windows PE) and User State Migration Tool (USMT). The other components are optional.

Finally, install the latest Windows updates and reboot the server.

In the next article I’ll guide you through the SCCM server installation.
