System Center Configuration Manager, formerly named Systems Management Server, is a Microsoft product that is a part of the System Center Suite. It provides management capabilities for large groups of different device types such as workstations, servers, laptops, and mobile devices. These devices can run on different operating systems such as Windows, Windows Embedded, Linux, UNIX, Mac OS X, Windows Phone, iOS, Symbian OS, and Android. Not only does it provide management of such device types, but it also provides these features: remote control for some of the devices' OSes, software distribution, patches and patch management, operating system deployment, and creating devices' software and hardware inventory. So, System Center Configuration Manager provides both efficient and effective IT services with the help of scalable software deployment, devices compliance management, as well as the asset management of discovered hardware and software resources.
System Center Configuration Manager helps an organization control its IT infrastructure and assets. The asset management functionality provides IT engineers with a detailed picture of the software and hardware inventory, which clients are using it, and where it is located in the infrastructure. This asset management functionality provides reports that help enterprises to optimize their hardware and software usage and make better strategic decisions regarding software licenses and compliance with these licenses.
System Center Configuration Manager has multiple requirements that you need to take into consideration before executing any deployment of System Center Configuration Manager 2012 R2. The following are the requirements:
Site systems cannot be installed on Server Core installations for the following operating systems:
Windows Server 2008 or Windows Server 2008 R2
Windows Server 2008 Foundation or Windows Server 2008 R2 Foundation
Windows Server 2012 or Windows Server 2012 R2; an exception to this is that starting with System Center 2012 R2 Configuration Manager, these operating systems support the distribution point site system role, without PXE or multicast support
Windows Server 2012 Foundation or Windows Server 2012 R2 Foundation
After a site system server is installed, you cannot change the following:
The domain name of the domain where the site system server is located
The domain membership of the server
The name of the server
Configuration Manager Site system roles cannot be installed on an instance of a Windows Server Failover Cluster. You can only install the site database server on Windows Server Failover Cluster.
For the full list of requirements, take a look at the following link:
http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSiteSystemReq
Before you start deploying System Center Configuration Manager, you must make sure that your infrastructure meets all of the prerequisites. What follows is a list and a step-by-step guide that shows you how to meet these prerequisites.
When the Active Directory schema is extended, the System Management container in Active Directory is not created by default. The container has to be created in all Active Directory domains that contain a primary site server or a secondary site server that publishes site information to Active Directory. In order to create the System Management container, take a look at the following steps:
You have to log on to your Domain Controller and open ADSI Edit. You can also do this from any other machine that has ADSI Edit installed on it and connect to the Domain Controller. The account that you use to connect to the Domain Controller must have permissions to modify objects in ADSI Edit. You can open ADSI Edit from the Server Manager console, from Control Panel\System and Security\Administrative Tools, or by opening Run under the Start icon and typing adsiedit.msc:
In the Connection Settings window, make sure that the Name field is set to Default naming context. Leave everything else as it is and click on OK:
In the ADSI Edit console, expand Default naming context in the folder pane, right-click on CN=System, click on New, and then click on Object…:
When the Create Object window appears, select container and click on Next:
Enter System Management in the Value textbox and click on Next to finish:
With this, the System Management container is created in Active Directory. Next, we have to join the site server to the Active Directory domain and give the site server's computer account permissions to publish the site information to the container. A primary site server computer account must have full control permissions on the System Management container. To do this, perform the following steps:
Open the Active Directory Users and Computers console or open Run under the Start icon and type dsa.msc.
Navigate to the System Management container, right-click on it, and select Delegate Control…. When you click on Delegate Control…, a wizard starts, which guides you through the process:
In the first window, just click on Next.
When a new window appears, go to Object Types and make sure that Computers is checked:
Then, add your primary site server's computer account and click on OK:
In the next window, select Create a custom task to delegate:
Select This folder, existing objects in this folder, and creation of new objects in this folder and click on Next:
In the next window, select all the three options under Show these permissions and select Full Control under Permissions. Then, click on Next:
We have now delegated full permissions to the primary site server's computer account on the System Management container. To find out how to create the System Management container in a different way, check this link:
https://gallery.technet.microsoft.com/scriptcenter/Create-SCCM-System-91fee476
In order to extend the Active Directory Schema for System Center Configuration Manager 2012 R2, you need to use a tool that is located in the installation media of System Center Configuration Manager 2012 R2. You can also use the ldif file. This file will enable you to import or export information to or from Active Directory.
Open the installation media, go to SMSSETUP, then open BIN, and go to x64; you will find extadsch.exe. You can either click on this or copy the path and run it from the command prompt. To run extadsch.exe, you have to use an account with Schema Admin permissions.
When it finishes, you should see the following message in the command prompt:
Before you can install the required Windows Server roles and features for System Center Configuration Manager 2012 R2, you need to make sure you have done the following:
Created the System Management container
Assigned permissions to the primary site server or multiple primary, secondary, and a CAS server
Extended the Active Directory schema
You can use the prerequisites checker tool that is provided with the System Center Configuration Manager 2012 R2 installation media, which is located in \SMSSETUP\BIN\x64\prereqchk.exe. You can also use PowerShell or the tool from the following link to install all the prerequisites:
https://gallery.technet.microsoft.com/ConfigMgr-2012-R2-e52919cd
The following is a list of the Windows Server roles, features, and role services required by System Center Configuration Manager 2012 R2:
Windows Server role
Web Server
Windows Server features
.NET Framework 3.5 (with all subfeatures)
.NET Framework 4.5 (with all subfeatures)
BITS
Remote Differential Compression
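A quick way to confirm the items listed above before starting setup is to query them directly. The following PowerShell is an added example, not part of the book or of prereqchk.exe; the feature names are this example's mapping of the list above to Install-WindowsFeature names, and the schema check assumes that the extension added a class named MS-SMS-Site.

```powershell
# Added example: report which prerequisites from this section are still missing.
# Run in an elevated session on the future site server; assumes the
# ServerManager and ActiveDirectory (RSAT) modules are available.
Import-Module ServerManager, ActiveDirectory

# Assumption: this example's mapping of the list above to feature names.
$exactFeatures   = 'Web-Server', 'BITS', 'RDC'
$withSubfeatures = 'NET-Framework-Features', 'NET-Framework-45-Features'

# Return a feature and, recursively, all of its subfeatures
# ("with all subfeatures" in the list above).
function Get-FeatureTree {
    param([string[]]$Name)
    foreach ($feature in Get-WindowsFeature -Name $Name) {
        $feature
        if ($feature.SubFeatures) { Get-FeatureTree -Name $feature.SubFeatures }
    }
}

$features = @(Get-WindowsFeature -Name $exactFeatures) +
            @(Get-FeatureTree -Name $withSubfeatures)

$results = @(foreach ($f in $features) {
    [pscustomobject]@{ Check = "Feature: $($f.Name)"; Passed = [bool]$f.Installed }
})

# System Management container directly under CN=System.
$domainDn  = (Get-ADDomain).DistinguishedName
$container = Get-ADObject -SearchBase "CN=System,$domainDn" -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=container)(cn=System Management))'
$results += [pscustomobject]@{
    Check  = 'System Management container exists'
    Passed = [bool]$container
}

# Schema extension: look for a Configuration Manager class in the schema
# partition (class name is an assumption of this example).
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$smsClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(cn=MS-SMS-Site))'
$results += [pscustomobject]@{
    Check  = 'Active Directory schema extended'
    Passed = [bool]$smsClass
}

# Failed checks sort first.
$results | Sort-Object Passed | Format-Table -AutoSize
```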
The Windows Assessment and Deployment Kit (ADK) is a set of tools that allow you to customize, assess, and deploy Windows operating systems to new machines. The installation process is simple and straightforward. You can download the ADK from the following location:
http://www.microsoft.com/en-US/download/details.aspx?id=39982
The only thing that you need to keep in mind is feature selection. Proceed with the following steps:
In the first step, choose the Install Path tab and click on Next:
Next, select whether you want to join the customer experience improvement program and click on Next:
Next, you have to accept the license agreement by clicking on Accept:
Now, you have to choose which of the features should be installed. Only select the ones that are selected in the following screenshot. Click on Install to start the installation process:
After fulfilling all the requirements and installing the prerequisites for System Center Configuration Manager 2012 R2, you need to install MS SQL Server. There are two different deployment scenarios for MS SQL Server. You can deploy it locally, on the same machine as System Center Configuration Manager 2012 R2, or you can deploy it on a remote server. Deploying MS SQL Server locally requires less administration and gives better performance. Deploying it on a remote server requires specific firewall ports to be opened in order to allow communication between System Center Configuration Manager 2012 R2 and the database server. Use the following link to see which firewall ports need to be open in order for System Center Configuration Manager 2012 R2 to function normally:
http://technet.microsoft.com/en-us/library/hh427328.aspx
When you set up MS SQL Server for System Center Configuration Manager and if you choose to go with a remote database server, you need to choose whether you will use Windows Server Failover Clustering. System Center Configuration Manager 2012 R2 cannot be deployed on a Windows Server Failover Cluster, but MS SQL Server can. If you use Windows Server Failover Cluster for the database server, it will give you high availability and resilience in case of an equipment malfunction. This is not a requirement, and it is totally up to you to decide whether to use it or not. Use the following link to see how to create a MS SQL Server failover cluster:
For the purpose of the book, I will demonstrate how to install MS SQL Server locally on the server, where later I will install System Center Configuration Manager 2012 R2:
Insert the installation media and double-click on it or run the setup.
Click on Installation from the left-hand side pane and select New SQL Server stand-alone installation or add features to an existing installation, as shown in the following screenshot:
After all the rules under Setup Support Rules have been checked, click on Next:
In the Setup Role window, select SQL Server Feature Installation and click on Next:
In the Feature Selection window, select all the features that you will need. System Center Configuration Manager 2012 R2 only requires Database Engine Services and Reporting Services – Native. You can also install the SQL Management tools so that you can connect to this server and administer it. After you have selected the options, click on Next:
Now, you need to configure the SQL Server instance. You can choose between the default or a named instance. For the purpose of the book, I will choose Default instance. After this, click on Next:
In this step, you have to select the run as account for the MS SQL Server Services and the collation. If you are running an English OS, you can use the default collation type; if not, you have to choose another collation type. For the run as account, you can select the default, local accounts, or domain account. After you have input the accounts and their respective passwords, click on Next:
In this step, you have to configure the authentication mode. You can choose between Windows authentication mode and Mixed Mode. Also, click on Add Current User to add the current logged-on user as a SQL administrator. Then, click on Next:
In this step, you have to specify the Reporting Services Configuration mode. Select Install and configure and click on Next:
The final step is to review all the settings. You can also download and install additional MS SQL Server updates and service packs that are not required. Go through them and click on Next to start the installation:
The final prerequisite for System Center Configuration Manager 2012 R2 is WSUS. This is a standalone product used to distribute updates to systems running the Windows operating system. To install WSUS using a PowerShell command, you have to open PowerShell and type Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools.
To use an alternative database server, use the following command:
.\wsusutil.exe postinstall SQL_INSTANCE_NAME="servername" CONTENT_DIR="D:\WSUS"
In this section, we will go through the installation process for System Center Configuration Manager 2012 R2. So far, we have gone through the requirements, prerequisites, and MS SQL Server installation. The next step is to install System Center Configuration Manager 2012 R2 itself:
Insert the installation media and when the wizard starts, click on Install:
Then, just click on Next:
Now, you have to choose an option from the Available Setup Options window. You can select any one of the following options:
Install a Configuration Manager primary site
This is an option for small- and medium-sized organizations that run fewer than 100,000 clients.
Install a Configuration Manager central administration site
This is an option for large organizations that run more than 100,000 clients. You can install a central administration site and have multiple primary sites under it.
Select your option and click on Next:
In this step, you can either download the required files or use the previously downloaded files. In the Prerequisites for System Center Configuration Manager 2012 R2 section, two tools have been explained, which can be used to predownload these files. If the files are predownloaded, you have to choose the path to the location of the files. Choose your option and click on Next:
In this step, you have to choose the languages you want to install. This will be the language displayed in the System Center Configuration Manager 2012 R2 console and reports:
In this step, you have to enter values for the following fields:
Site code
This is the code that uniquely identifies your site and can consist of numbers and letters.
Site name
This is the name that uniquely identifies your site.
Installation folder
This is the location of System Center Configuration Manager 2012 R2 in the filesystem. You can find more guidelines on installation folder recommendations for production environments at the following link:
http://technet.microsoft.com/en-us/library/hh846235.aspx#BKMK_ReqDiskSpace
Select Install the Configuration Manager console and click on Next:
In this step, you can choose from the following options:
In this step, you have to enter your MS SQL Server's name. If you are using MS SQL Server Cluster, enter your MS SQL Server cluster's name for SQL Server name (FQDN). Enter the instance's name and the database's name and click on Next:
In this step, you have to enter your SMS provider (FQDN). The SMS provider is used by the System Center Configuration Manager console and Resource Explorer, and it uses WMI to read and write to the site database. Enter your primary site server's name in the SMS Provider (FQDN) field and click on Next:
In this step, select Configure the communication method on each site system role and click on Next:
In this step, check the Install a management point and Install a distribution point checkboxes. These site system roles are used for content distribution and management with configuration data from clients:
Run a prerequisite check, and if it is completed without errors, click on Begin Install:
After installing System Center Configuration Manager 2012 R2, the next step in the configuration process is to design your System Center Configuration Manager site hierarchy. You have to go through the entire content of this topic in order to have a more efficient and scalable environment.
Site system roles specify the support operations at each site. Machines that host Configuration Manager sites are named site servers, and machines that host other site system roles are called site system servers. Servers within one site communicate with each other using SMB, HTTP, or HTTPS, depending on the site's configuration. So, review your available network bandwidth before installing a site system server and configure your site system roles. Within each site, you can install site system roles on the site server or you can install site system roles on other site system servers. There is no limit to the number of site system roles on a site system server. The only limitation is that you cannot install a site system role from a different site. Some specific roles are only available to some sites in a hierarchy. In order to install site system roles, you can use the account of the site server or create a Site System Installation account. This account can be a local system account or a domain account. Here is a list of some of the site system roles:
Site system role: A machine that provides some of the core functionality for the site. Any machine that hosts a site system role is called a site system server.
Site database server: A site database server hosts the MS SQL Server database, which stores information about the site.
Component server: This is a machine running the Configuration Manager Executive service.
Management point: This role provides information to clients and receives configuration data from them. This site role manages the communication between a client and a site server.
Distribution point: This site system role contains all the source files enabled for download by clients, such as applications, software packages and updates, OS images, and their respective boot images.
Reporting services point: This role is required if you are using reporting. It integrates with the MS SQL Server Reporting Service instance.
State migration point: This role is used to store the user's state when a computer migration is performed.
Software update point: This role provides software updates for System Center Configuration Manager clients by integrating with Windows Server Update Services.
System health validator point: This is a necessary role if you use Configuration Validation performed by Network Access Protection, and it is installed only on a NAP-enabled server.
Endpoint Protection point: This is an optional site system role that Configuration Manager uses to enable Endpoint Protection on your site.
Fallback status point: This role provides an alternative location for clients to send messages to during installation when they cannot reach their management point. This role monitors client installation and identifies clients that are unmanaged because they cannot reach their management point.
Out-of-band service point: This role is used for the provisioning and configuration of Intel AMT-based computers.
Asset intelligence synchronization point: This connects to System Center Online in order to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog.
Application Catalog web service point: This role provides information on the Application Catalog website from Software Library.
Application Catalog website point: This role provides clients with a list of the available software from Application Catalog.
Enrollment proxy point: This role intercepts enrollment requests from mobile devices so that they can be managed by System Center Configuration Manager.
Enrollment point: This role provides PKI certificates to mobile devices to finish the enrollment of mobile devices. It also enrolls Mac computers. It is also used to provision AMT-based computers.
You can find the full list of site system roles at the following link:
http://technet.microsoft.com/en-us/library/gg712282.aspx
Site administration activities include planning, analysis, installation, management, and monitoring of the System Center Configuration Manager 2012 R2 site hierarchy. There are three scenarios with respect to site hierarchy, and they are as follows:
Different configurations apply to different parts in the site hierarchy. This means that some site system roles are only available in the central administration site and some are only available at a child primary or a standalone site. When you have a single standalone primary site, you have all of the site system roles at your disposal.
Deploying your first site defines the entire structure of your hierarchy. This primary site supports secondary sites, and it can be extended with a central administration site. You can get more information on how to extend a primary site with a central administration site at the following link:
http://technet.microsoft.com/en-us/library/jj591551.aspx
Deploying the central administration site as the first site will provide the flexibility to expand the hierarchy as your business needs and company grow.
More information about planning and deploying sites and defining the site hierarchy can be found at the following link:
http://technet.microsoft.com/en-us/library/gg712681.aspx
If you plan to use certificates in your System Center Configuration Manager hierarchy, you need to plan the dependencies for PKI in your infrastructure. You can read more about PKI certificate requirements for System Center Configuration Manager at the following link:
http://technet.microsoft.com/en-us/library/gg699362.aspx
For each site that you install, you have to install and configure site system roles for management. You have to review all the site system roles and see how to deploy them. For example, some roles require only one instance in the hierarchy and some roles require instances in each site. Finally, there are site system roles that can have multiple instances within a site.
If you deploy a central administration site, you can deploy site system roles that are used to monitor the entire hierarchy or roles that provide services for the entire hierarchy, such as the Endpoint Protection point. For primary sites, you need system roles for client communication, such as the software update point and the management point.
In order to plan your Configuration Manager's infrastructure better and deploy the site system roles in the most appropriate places, read the instructions at the following link:
http://technet.microsoft.com/en-us/library/gg712282.aspx#Plan_Where_to_Install_Sites
After you deploy the first site, you can start configuring settings for hierarchy-wide operations and settings that are site-specific. Both configurations affect how sites operate and how clients function. The following is a list of some of the hierarchy-specific configurations:
Role-based authentication: You can create administrative users who manage System Center Configuration Manager and give them specific roles and scopes.
Resource discovery: You can discover Active Directory forests, groups, systems, and users, and you can use network discovery and heartbeat discovery.
Boundaries and boundary groups: These groups control client site assignment and site system servers from which clients obtain an application and other content.
Client settings: These settings specify how System Center Configuration Manager clients perform different tasks on the client machine. These tasks can check for new applications, check the hardware and software inventory, and so on.
Here are some site-specific settings:
The summarization of status messages collected from the clients
Maintenance tasks
Site components that control how site system roles work in a site
Monitoring and maintaining the status of the hierarchy is very important. The status can change over time and changes need to be addressed. To keep all the systems in prime condition, you must monitor the hierarchy for problems and take actions in order to prevent problems.
You can perform the monitoring tasks for the hierarchy by using the Monitoring section in the System Center Configuration Manager console and also configure maintenance tasks at each site to help maintain efficiency. System Center Configuration Manager provides built-in tasks that can be used to monitor and maintain the following:
Reports that inform about the failure of tasks and operational status
Receive alerts for current or upcoming problems
Client statuses, which can show which clients are active
View status of endpoint protection clients
This chapter was all about the initial setup of Configuration Manager 2012 R2. It showed you how to install and set up all of the prerequisites and requirements. After that, it explained the benefits of using Windows Server Failover Cluster on a database level and how to set up the database on a single server or on a Windows Server Failover Cluster. Then, the entire process of System Center Configuration Manager 2012 R2 installation was explained. In the end, there was an explanation of System Center Configuration Manager sites and site hierarchy as well as of the site features and functionalities.
In the next chapter, we will take a look at the Assets and Compliance section of System Center Configuration Manager 2012 R2 and learn how to configure it and use its functionalities, such as compliance management and configuring Endpoint Protection.