This post begins a series of tutorials about Configuration Manager (SCCM), part of the Microsoft System Center product family. We will cover the installation and configuration of System Center Configuration Manager (SCCM) Current Branch with SQL Server 2014 installed locally, its functions, and the System Center Endpoint Protection role.
First things first: the SCCM requirements. If you do not complete them successfully you cannot even install SCCM. I strongly recommend completing all steps from the checklist in the same order; it will save you time.
SCCM requirements checklist
- SCCM service accounts and groups
- Active Directory System Management container
- Active Directory Schema extension
- Disks layout
- SQL server installation and configuration
- SPN registration
- Select disk for SCCM operations
- Windows roles and features
- Windows Assessment and Deployment Kit (WADK)
- sccm-admin (account used to install or update SCCM)
- sccm-sql (SCCM SQL Server service account)
- sccm-rs (account for SQL Server Reporting Services)
- sccm-na (account for SCCM network access)
- sccm-ClientPush (SCCM client installation account)
- sccm-admins (group of SCCM admins; includes “sccm-admin”, “sccm-sql”, “sccm-rs”, “sccm-na”)
- sccm-servers (group of site servers; includes the SCCM server itself and the SQL server computer accounts)
Add “sccm-admins” and “sccm-servers” into local Administrators group of SCCM server.
Add “sccm-ClientPush” account to Domain Admins group of your AD.
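The accounts, groups and memberships listed above, scripted with the ActiveDirectory (RSAT) module. This is an added example, not code from the original post. It assumes an existing “Service Accounts” OU, a NetBIOS domain name of DOMAIN, and an SCCM server named SCCM01 (SQL Server is local in this series, so that is the only computer account); adjust those three to your environment.

```powershell
# Added example, not code from the original post: creates the accounts and groups listed
# above with the ActiveDirectory (RSAT) module. Assumptions: an existing OU for service
# accounts, the SCCM server is named SCCM01 (SQL Server is local in this series, so it is
# the only computer account), and DOMAIN is your NetBIOS domain name.
Import-Module ActiveDirectory

$ou = "OU=Service Accounts,$((Get-ADDomain).DistinguishedName)"   # assumption: OU already exists

$accounts = [ordered]@{
    'sccm-admin'      = 'Account to install or update SCCM'
    'sccm-sql'        = 'SCCM SQL Server service account'
    'sccm-rs'         = 'SQL Server Reporting Services account'
    'sccm-na'         = 'SCCM network access account'
    'sccm-ClientPush' = 'SCCM client installation (push) account'
}

foreach ($name in $accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }   # idempotent
    # One distinct password per account, entered interactively and kept in your password vault
    $password = Read-Host -Prompt "Password for $name" -AsSecureString
    New-ADUser -Name $name -SamAccountName $name -Description $accounts[$name] `
        -Path $ou -AccountPassword $password -Enabled $true
}

foreach ($group in 'sccm-admins', 'sccm-servers') {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -Path $ou `
            -GroupScope Global -GroupCategory Security
    }
}

# Memberships exactly as listed above; computer accounts are addressed as NAME$
Add-ADGroupMember -Identity 'sccm-admins'   -Members 'sccm-admin', 'sccm-sql', 'sccm-rs', 'sccm-na'
Add-ADGroupMember -Identity 'sccm-servers'  -Members 'SCCM01$'
Add-ADGroupMember -Identity 'Domain Admins' -Members 'sccm-ClientPush'

# On the SCCM server itself (not on the domain controller): both groups into local Administrators
# net localgroup Administrators "DOMAIN\sccm-admins" /add
# net localgroup Administrators "DOMAIN\sccm-servers" /add

# Check the result
'sccm-admins', 'sccm-servers' | ForEach-Object {
    "{0}: {1}" -f $_, ((Get-ADGroupMember -Identity $_).SamAccountName -join ', ')
}
```

The script follows the step above and puts sccm-ClientPush into Domain Admins. Microsoft's documented minimum for the client push installation account is membership in the local Administrators group on each target client, so check whether the wider membership is actually needed in your environment before keeping it.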
Connect to your AD domain controller, open the ADSI Edit console (Active Directory Service Interfaces) and click Connect to. Then expand the Default Naming Context, right-click CN=System, click New and then Object.
In the Create Object window, select container as the class and click Next.
Enter the value “System Management”, click Next and then Finish to close the wizard and the ADSI Edit console.
The SCCM computer account must be granted Full Control permissions on the System Management container and all its child objects. To do this, open Active Directory Users and Computers, click View and enable Advanced Features. Expand System, right-click System Management and click Delegate Control.
Click Add; in the Select Users, Computers or Groups window click Object Types and tick Computers. Click OK. Type the name of the primary site server group (sccm-servers) and click OK.
On the Tasks to Delegate page, click Create a custom task to delegate, then Next. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder. Click Next.
Now select the permissions to delegate: tick General, Property-specific and Creation/deletion of specific child objects. Under Permissions, tick Full Control; all the other permissions are checked automatically. Click Next and then Finish to close the wizard.
We have now delegated full permissions on the System Management container to the primary site server computer account (through the sccm-servers group).
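The same result as the ADSI Edit and Delegation Wizard steps above, done from PowerShell so it can be repeated and checked. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT), Domain Admin rights, and that the sccm-servers group already exists.

```powershell
# Added example, not code from the original post: creates the System Management container
# and delegates Full Control on it and all child objects to the sccm-servers group.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$systemDN = "CN=System,$domainDN"
$smDN     = "CN=System Management,$systemDN"

# 1. The container (idempotent)
if (-not (Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase $systemDN -SearchScope OneLevel)) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# 2. Full Control (GenericAll) for sccm-servers, inherited by existing and future child objects
$group = Get-ADGroup -Identity 'sccm-servers'
$rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$smDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$smDN" -AclObject $acl

# 3. Check: expect one Allow / GenericAll entry for the group with InheritanceType = All
(Get-Acl -Path "AD:\$smDN").Access |
    Where-Object { $_.IdentityReference -like '*\sccm-servers' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Delegating to the group rather than to an individual computer account means a future site server only needs to be added to sccm-servers; the check at the end is also a quick way to audit the container later, since nothing else should hold Full Control on it.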
Copy extadsch.exe from the SCCM installation media (D:\SMSSETUP\BIN\X64) to the domain controller. Run it with administrator credentials and check the ExtADSch log.
Of course, the size of the disks depends on your requirements, the roles installed and the number of managed systems. My setup is designed for a mid-sized infrastructure of 100-300 systems. If you do not plan to configure SCCM with the “Software Update Point” role, you can leave out the WSUS drive.
| Drive letter | Purpose | Size | Allocation unit |
|---|---|---|---|
| F:\ | SQL TempDB | 40GB | 64K |
| G:\ | SQL DB and TempDB logs | 40GB | 64K |
Check with Microsoft what SQL version is supported – Supported SQL Server versions for System Center Configuration Manager
Some versions of SQL Server require .NET Framework 3.5 to be installed. Here is the short command:
dism.exe /online /enable-feature /featurename:NetFX3 /Source:D:\sources\sxs /all (where D: is the drive holding your Windows installation media)
SQL Server components to install: Database Engine, Reporting Services (Native), Management Tools, Full-Text Search
SQL Server collation: SQL_Latin1_General_CP1_CI_AS
You can choose a Default or a Named instance. For a Named instance enter any name you like for the SCCM database instance.
Configure service accounts:
Database Engine, SQL Server Agent – domain\sccm-sql (the SQL service account created earlier)
Reporting Services – domain\sccm-rs
Add to SQL administrators: current user, sccm-admins, sccm-servers, Domain Admins
Configure the data directories according to the disk layout.
Reporting Services: install and configure.
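An unattended SQL Server 2014 setup that applies the component, collation, service account, sysadmin and directory choices above in one run, so the result is reproducible and reviewable. This is an added example, not code from the original post. It assumes the SQL media is mounted as D:, a named instance called CM01, user database files on E:\SQL (the table above covers only the TempDB and log drives) and a NetBIOS domain name of DOMAIN; the setup parameters themselves are the documented SQL Server 2014 command-line options.

```powershell
# Added example, not code from the original post: unattended SQL Server 2014 setup with the
# choices listed above. Assumptions: SQL media on D:, named instance CM01, user DB files on
# E:\SQL, NetBIOS domain DOMAIN. Passwords are prompted for and passed only on the command
# line, never written to the configuration file.
$domain   = 'DOMAIN'
$instance = 'CM01'
$current  = "$env:USERDOMAIN\$env:USERNAME"      # "current user" from the sysadmin list above

$ini = @"
[OPTIONS]
ACTION="Install"
QUIET="True"
IACCEPTSQLSERVERLICENSETERMS="True"
FEATURES=SQLENGINE,FULLTEXT,RS,SSMS,ADV_SSMS
INSTANCENAME="$instance"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="$domain\sccm-sql"
AGTSVCACCOUNT="$domain\sccm-sql"
AGTSVCSTARTUPTYPE="Automatic"
RSSVCACCOUNT="$domain\sccm-rs"
RSINSTALLMODE="DefaultNativeMode"
SQLSYSADMINACCOUNTS="$current" "$domain\sccm-admins" "$domain\sccm-servers" "$domain\Domain Admins"
TCPENABLED="1"
NPENABLED="1"
INSTALLSQLDATADIR="E:\SQL"
SQLUSERDBDIR="E:\SQL\Data"
SQLUSERDBLOGDIR="G:\SQL\Logs"
SQLTEMPDBDIR="F:\SQL\TempDB"
SQLTEMPDBLOGDIR="G:\SQL\TempDBLogs"
"@

$iniPath = Join-Path $env:TEMP 'ConfigurationFile.ini'
Set-Content -Path $iniPath -Value $ini -Encoding ASCII

$sqlPwd = Read-Host -Prompt 'Password for sccm-sql'
$rsPwd  = Read-Host -Prompt 'Password for sccm-rs'

& 'D:\setup.exe' "/ConfigurationFile=$iniPath" `
    "/SQLSVCPASSWORD=$sqlPwd" "/AGTSVCPASSWORD=$sqlPwd" "/RSSVCPASSWORD=$rsPwd"

# SQL Server 2014 is version 12.0, hence the 120 folder in the log path
if ($LASTEXITCODE -ne 0) {
    throw "Setup returned $LASTEXITCODE; see C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\Summary.txt"
}
Remove-Item $iniPath
```

FEATURES maps to the component list above: SQLENGINE is the Database Engine, RS with DefaultNativeMode is Reporting Services (Native), SSMS and ADV_SSMS are the Management Tools, and FULLTEXT is Full-Text Search.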
SQL server post-installation tasks.
Set the SQL Server memory limit. I recommend a value between 50% and 80% of physical memory. Do not forget to restart SQL Server after changing this setting.
If you decided to use a named instance, you have to configure SQL static ports:
- open “SQL Configuration Manager”, select your instance
- open the properties for “Named Pipes” and change enabled to “Yes”
- open the properties for “TCP/IP” and click on “IP Addresses”
- for every IP interface change the “TCP Port” field to your chosen static port (use default 1433)
- for the “IPAll” Interface change the value of the “TCP Port” field to your chosen Static Port
- ensure the “TCP Dynamic Ports” field is blank
- restart your SQL services for the named instance
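Both post-installation tasks above (the memory limit and the static port for a named instance) as one script, so they can be applied and verified without clicking through SQL Configuration Manager. This is an added example, not code from the original post. It assumes a named instance CM01 on the local server, the SQLPS module shipped with SQL Server 2014 (for Invoke-Sqlcmd), and 1433 as the static port; the registry keys used are the ones SQL Configuration Manager edits.

```powershell
# Added example, not code from the original post: SQL Server post-installation tasks.
# Assumptions: named instance CM01 on this server, SQLPS module (SQL Server 2014),
# static port 1433. Run as a SQL sysadmin with local administrator rights.
Import-Module SQLPS -DisableNameChecking
$instance = 'CM01'
$port     = 1433

# 1. Memory limit: 80% of physical RAM, the upper end of the 50-80% range recommended above
$totalMb = [math]::Floor((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$maxMb   = [math]::Floor($totalMb * 0.8)
$sql = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $maxMb; RECONFIGURE;
"@
Invoke-Sqlcmd -ServerInstance "localhost\$instance" -Query $sql

# 2. Named Pipes on, TCP on, fixed port on every interface, dynamic ports cleared.
#    MSSQL12.<name> is the SQL Server 2014 instance ID.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$instance
$netlib     = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"

Set-ItemProperty -Path "$netlib\Np"  -Name Enabled -Value 1    # Named Pipes = Yes
Set-ItemProperty -Path "$netlib\Tcp" -Name Enabled -Value 1
Get-ChildItem "$netlib\Tcp" | ForEach-Object {                  # IP1..IPn and IPAll
    Set-ItemProperty -Path $_.PSPath -Name TcpPort         -Value "$port"
    Set-ItemProperty -Path $_.PSPath -Name TcpDynamicPorts -Value ''
}

# 3. Restart the instance (and its agent) so both changes take effect
Restart-Service -Name "MSSQL`$$instance" -Force
Restart-Service -Name "SQLAgent`$$instance"

# 4. Check: the engine should now be listening on the static port only
Get-NetTCPConnection -State Listen -LocalPort $port |
    Select-Object LocalAddress, LocalPort, OwningProcess
Invoke-Sqlcmd -ServerInstance "localhost\$instance" `
    -Query "EXEC sp_configure 'max server memory (MB)';"
```

Importing SQLPS switches the current location to the SQLSERVER: drive; the registry paths above are fully qualified, so that does not affect them.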
A Service Principal Name (SPN) must be registered for the SQL Server service account (when the local system account is not used) so that clients can identify and authenticate the service with Kerberos. The SetSPN utility can be used to register an SPN for the site database server's SQL Server service account. It must be run on a computer in the SQL Server's domain, using Domain Administrator credentials. To configure the SPN for the SQL Server service account with SetSPN, follow the steps below.
Two SPNs for the account should be registered:
1. For NETBIOS name of the SQL Server
2. For the FQDN of SQL server.
The procedure to do that is as follows:
- log on to a domain controller, open a command prompt with administrative privileges
- type the commands below, replacing the server name and account:
setspn -a mssqlsvc/servername:1433 gn-buero\sccm-sql
setspn -a mssqlsvc/fqdn_server:1433 gn-buero\sccm-sql
Verify the SPN registration with the following command:
setspn -L <domain\account>
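The two setspn registrations above, with the check a practitioner wants first: whether either SPN is already held by some other account, since a duplicate SPN silently breaks Kerberos for SQL. This is an added example, not code from the original post; it assumes the SQL host is SCCM01 (SQL Server is local in this series), port 1433 and the service account DOMAIN\sccm-sql, and it uses setspn -S, which adds an SPN only after a forest-wide duplicate check, where the commands above use -a.

```powershell
# Added example, not code from the original post: register both SPNs (NetBIOS and FQDN)
# for the SQL service account after checking for duplicates. Assumptions: SQL host SCCM01,
# port 1433, account DOMAIN\sccm-sql. Run as a Domain Admin on a domain-joined machine.
$sqlHost = 'SCCM01'
$port    = 1433
$account = 'DOMAIN\sccm-sql'
$fqdn    = [System.Net.Dns]::GetHostEntry($sqlHost).HostName   # resolves the FQDN for you

foreach ($spn in "MSSQLSvc/${sqlHost}:${port}", "MSSQLSvc/${fqdn}:${port}") {
    # -Q reports any account already holding this SPN
    $existing = setspn -Q $spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$spn is already registered:`n$($existing -join "`n")"
        continue
    }
    # -S adds the SPN only if no duplicate exists anywhere in the forest
    setspn -S $spn $account
}

# Verify: the account's SPN list, then a forest-wide duplicate scan
setspn -L $account
setspn -X
```

If setspn -Q reports an existing SPN on a different account (typically the computer account, left over from running SQL under a local system account), remove it from there before registering it on the service account; two accounts holding the same SPN is the most common cause of SQL falling back to NTLM.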
This is quite an easy step. Put an empty text file named no_sms_on_drive.sms in the root of each drive that SCCM is not supposed to use.
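One script covering both disk steps: it checks the 64K allocation unit on the SQL volumes from the disk layout table above and places no_sms_on_drive.sms on every fixed drive that SCCM must not use. This is an added example, not code from the original post. It assumes F: and G: are the SQL volumes and E: is the only drive SCCM is allowed to use; change both lists to match your layout.

```powershell
# Added example, not code from the original post: verifies the 64K allocation unit on the
# SQL volumes and manages no_sms_on_drive.sms on all other fixed drives.
# Assumptions: F: and G: are SQL volumes, E: is the SCCM drive. Run elevated on the server.
$sqlDrives  = 'F', 'G'
$sccmDrives = 'E'

# 1. Allocation unit check (Format-Volume ... -AllocationUnitSize 65536 gives 64K)
foreach ($d in $sqlDrives) {
    $vol = Get-Volume -DriveLetter $d
    if ($vol.AllocationUnitSize -ne 65536) {
        Write-Warning ("{0}: allocation unit is {1} bytes, expected 65536" -f $d, $vol.AllocationUnitSize)
    }
}

# 2. Marker file: present on drives SCCM must not touch, absent on the SCCM drive(s)
foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' }) {
    $letter = [string]$vol.DriveLetter
    $marker = "${letter}:\no_sms_on_drive.sms"
    if ($sccmDrives -contains $letter) {
        if (Test-Path $marker) { Remove-Item $marker }
    }
    elseif (-not (Test-Path $marker)) {
        New-Item -Path $marker -ItemType File | Out-Null    # empty file; only the name matters
    }
}

# 3. Report what is where
Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' } | ForEach-Object {
    $letter = [string]$_.DriveLetter
    "{0}: no_sms_on_drive.sms = {1}" -f $letter, (Test-Path "${letter}:\no_sms_on_drive.sms")
}
```

The marker is only read when a site system role or distribution point picks a drive, so it is worth running the report once more after adding drives later; a forgotten marker on a new volume is an easy way to end up with the content library on the SQL data disk.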
IIS, .NET 3.5 and 4.5 (enable HTTP activation for both), BITS, Remote Differential Compression.
In IIS add the following role services:
Application Development: ASP.NET 3.5
Security: Windows Authentication.
IIS 6 Management Compatibility
IIS Management Console, IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility, IIS Management Scripts and Tools
You only need the WSUS role if you are going to deliver updates to your systems through SCCM. It is an optional requirement.
Install the WSUS role (put the content on the dedicated disk, choose SQL Server as the database server, do not use WID) and run the post-install tasks. Do not run any wizard for now.
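The Windows roles and features listed above (IIS with its role services, .NET 3.5 and 4.5 with HTTP activation, BITS, RDC), plus the optional WSUS role backed by SQL Server rather than WID, installed with the Server Manager cmdlets and checked afterwards. This is an added example, not code from the original post. It assumes the Windows media at D:\sources\sxs for the .NET 3.5 payload, WSUS content on H:\WSUS and the local SQL instance CM01; the feature names are the standard Windows Server ones.

```powershell
# Added example, not code from the original post: installs the roles and features listed
# above, then the optional WSUS role using SQL Server (not WID). Assumptions: Windows media
# at D:\sources\sxs, WSUS content on H:\WSUS, SQL instance CM01 on this server. Run elevated.
Import-Module ServerManager

$features = @(
    'NET-Framework-Core', 'NET-HTTP-Activation',            # .NET 3.5 + HTTP activation
    'NET-Framework-45-Core', 'NET-WCF-HTTP-Activation45',   # .NET 4.5 + HTTP activation
    'BITS', 'RDC',                                          # BITS, Remote Differential Compression
    'Web-Server', 'Web-Asp-Net', 'Web-Windows-Auth',        # IIS, ASP.NET 3.5, Windows Authentication
    'Web-Mgmt-Console', 'Web-Metabase', 'Web-WMI',          # IIS console, IIS 6 metabase and WMI compatibility
    'Web-Scripting-Tools'                                   # IIS Management Scripts and Tools
)
$result = Install-WindowsFeature -Name $features -Source 'D:\sources\sxs'
if (-not $result.Success) { throw "Feature installation failed with exit code $($result.ExitCode)" }

# Anything still missing? (should print nothing)
Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed } | Select-Object Name

# Optional: WSUS with the SQL Server database feature (UpdateServices-DB) instead of WID
$wsus = Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools
if ($wsus.Success) {
    New-Item -Path 'H:\WSUS' -ItemType Directory -Force | Out-Null
    # Post-install task only; no configuration wizard, as the step above says
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall `
        CONTENT_DIR=H:\WSUS SQL_INSTANCE_NAME="$env:COMPUTERNAME\CM01"
}

if ($result.RestartNeeded -eq 'Yes' -or $wsus.RestartNeeded -eq 'Yes') {
    Write-Warning 'A reboot is required before continuing.'
}
```

Installing UpdateServices-DB and omitting UpdateServices-WidDB is what makes WSUS use SQL Server; if both are present the WID database is created as well, which is exactly what the step above says to avoid.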
Link to download WADK: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit. You need to select the WADK for Windows 10, version 1607.
Run the installer and select Deployment Tools, Windows PE and USMT. The other components are optional.
Finally, install the latest Windows Updates and reboot the server.
In next article I’ll guide you through SCCM server installation.