ConfigMgr (SP1) Setup Guide
Step by Step guide for Installing and Configuring SCCM 2007 and Applying SP1 Build
Extend the Active Directory Schema – There is no reason not to!
Four actions need to be taken in order to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
· Extend the Active Directory schema.
· Create the System Management container.
· Set security permissions on the System Management container.
· Enable Active Directory publishing for the Configuration Manager site.
To extend the AD schema using ExtADSch.exe
1. With the Windows Server Support Tools installed, run netdom query fsmo to identify which DC holds the schema master role.
2. Back up the system state on the schema master DC.
3. Disconnect the schema master DC from the network.
4. Log on to the schema master DC with an account that is a member of the Schema Admins security group.
5. Run extadsch.exe, located at \smssetup\bin\i386 on the ConfigMgr installation media.
6. Verify that the schema extension was successful by reviewing extadsch.log, written to the root of C:\.
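As an added example (not part of this guide), the following PowerShell script does steps 1 and 6 without netdom or reading the log by hand: it reads the schema master from the fSMORoleOwner attribute of the schema container, then checks that the classes the ConfigMgr 2007 extension adds are present in the schema partition. It uses ADSI only, so it runs on a domain-joined Server 2003 host without the AD module. The class names are assumed from the ConfigMgr 2007 schema extension; if extadsch.log lists different ones in your environment, adjust the list.

```powershell
# Added example, not from the guide: locate the schema master and verify the ConfigMgr
# schema extension. Assumption: run from a domain-joined machine with PowerShell 2.0 or later.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value      # e.g. CN=Schema,CN=Configuration,DC=contoso,DC=com
$schema   = [ADSI]"LDAP://$schemaNc"

# fSMORoleOwner on the schema container is the DN of the schema master's NTDS Settings
# object; its parent is the server object, which carries the DNS host name.
$ntdsSettings = [ADSI]"LDAP://$($schema.fSMORoleOwner.Value)"
$serverObject = [ADSI]$ntdsSettings.psbase.Parent
Write-Host ("Schema master: {0}" -f $serverObject.dNSHostName.Value)

# Classes that extadsch.exe creates (assumption: names taken from the ConfigMgr 2007 extension).
$expectedClasses = @(
    'mSSMSSite',
    'mSSMSManagementPoint',
    'mSSMSServerLocatorPoint',
    'mSSMSRoamingBoundaryRange'
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
$searcher.PropertiesToLoad.Add('lDAPDisplayName') | Out-Null

$missing = @()
foreach ($class in $expectedClasses) {
    $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$class))"
    if ($null -eq $searcher.FindOne()) { $missing += $class }
}

if ($missing.Count -eq 0) {
    Write-Host "Schema extension verified: all expected ConfigMgr classes are present."
} else {
    Write-Warning ("Schema extension incomplete; missing classes: {0}" -f ($missing -join ', '))
}

# extadsch.exe writes its log to the root of the system drive; show the tail for the record.
$log = Join-Path $env:SystemDrive 'extadsch.log'
if (Test-Path $log) { Get-Content $log | Select-Object -Last 10 }
```

Run it once before extadsch.exe to confirm you are on the schema master (the host name printed should match the machine you are logged on to), and again afterwards: a missing class means replication has not caught up yet or the extension failed, and extadsch.log will say which.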
After the schema has been extended with the classes and attributes required for Configuration Manager, you must create the System Management container within the System container in the site server's domain partition in Active Directory Domain Services:
Because domain controllers do not replicate their System Management container to other domains in the forest, a System Management container must be created for each domain that hosts a Configuration Manager site. (We are a single-domain forest!)
(Alternatively, grant the site server's computer account Full Control on the System container and let it create the System Management container itself when it first publishes site information to AD. Not very secure!)
The ADSIEdit MMC console will be used to create the System Management container in AD. You must first install the Windows Server Support Tools: run suptools.msi from \Support\Tools on the Windows installation media.
To create the ADSIEdit MMC console
1. On the taskbar, click Start, and then click Run.
2. Type mmc and click OK.
3. On the File menu, click Add/Remove Snap-in.
4. Click Add.
5. Under Snap-in, select ADSI Edit.
6. Click Close.
7. Click OK.
To manually create the System Management container
1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
2. Open the ADSIEdit MMC console, and connect to the domain in which the site server resides.
3. In the console pane, expand Domain [computer fully qualified domain name], expand <distinguished name>, and right-click CN=System. On the context menu, click New and then click Object.
4. In the Create Object dialog box, select Container and click Next.
5. In the Value field, type System Management and click Next.
6. Click Finish.
After you have created the System Management container in Active Directory® Domain Services, you must grant the primary site server's computer account the permissions necessary to publish site information to the container.
To apply permissions to the System Management container using the Active Directory Users and Computers administrative tool
1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.
2. Click View, and then click Advanced Features.
3. Expand the System container.
4. Right-click System Management. On the context menu, click Properties.
5. In the System Management Properties dialog box, click the Security tab.
6. Click Add to add the site server computer account and grant the account Full Control permissions.
7. Click Advanced, select the site server's computer account, and click Edit.
8. In the Apply onto list, select This object and all child objects.
9. Click OK.
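The two procedures above (create the container, then grant the site server's computer account Full Control on "This object and all child objects") can also be scripted. The following is an added example, not from this guide, using ADSI and System.DirectoryServices rather than ADSI Edit and dsa.msc. It deliberately scopes the grant to the System Management container only, which is the safer alternative to giving the computer account Full Control on the whole System container. Assumptions: you run it as an account with Create All Child Objects on CN=System; $SiteServer and $DomainNetBios are placeholders for your environment.

```powershell
# Added example, not from the guide: create CN=System Management and grant the site server's
# computer account Full Control on it and its children, then read the ACL back.

$SiteServer    = 'SERVER1'          # assumption: NetBIOS name of the primary site server
$DomainNetBios = $env:USERDOMAIN    # assumption: the domain the site server belongs to

$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNc = $rootDse.defaultNamingContext.Value
$systemDn  = "CN=System,$defaultNc"
$smDn      = "CN=System Management,$systemDn"

# 1. Create the container only if it does not already exist (safe to re-run).
if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$smDn")) {
    $sm = [ADSI]"LDAP://$smDn"
    Write-Host "Container already exists: $smDn"
} else {
    $system = [ADSI]"LDAP://$systemDn"
    $sm = $system.Create('container', 'CN=System Management')
    $sm.SetInfo()
    Write-Host "Created container: $smDn"
}

# 2. Resolve the computer account (note the trailing $) to a SID; ACEs are stored by SID,
#    so the grant survives a rename of the account.
$account = New-Object System.Security.Principal.NTAccount("$DomainNetBios\$SiteServer`$")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# 3. Full Control (GenericAll), applied to "This object and all child objects"
#    (ActiveDirectorySecurityInheritance.All), exactly what the dsa.msc steps set.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$sm.psbase.ObjectSecurity.AddAccessRule($rule)
$sm.psbase.CommitChanges()

# 4. Verify: list only the ACEs that apply to this principal.
$sm.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

The final listing should show one Allow ACE with GenericAll and InheritanceType All for the site server's SID. If you later add a site server in another box (as the guide does for Server2 and Server3), re-run the script with the new $SiteServer value rather than widening the existing grant.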
To enable a Configuration Manager site to publish site information to Active Directory Domain Services
1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> - <site name>.
2. Right-click <site code> - <site name>, and click Properties.
3. On the Advanced tab of site properties, select the Publish this site in Active Directory Domain Services check box.
When Configuration Manager site information is published to Active Directory Domain Services, Configuration Manager clients can automatically detect server locator points and management points without generating Windows Internet Name Service (WINS) traffic. If Configuration Manager site information is not published to Active Directory Domain Services, you must manually add Configuration Manager site role information in WINS. (I don't see any reason not to publish the site information to AD!)
The First Site Server (Central Site) Setup
1. Install Windows Server 2003 R2 Std 64 bit SP2
2. Install IIS + BITS and Allow WebDAV in IIS Manager (Required by MP)
3. Install SQL 2005 Std 64bit
Service Account – Select Local system
Choose Windows Authentication Mode in next screen…
4. Install SQL SP2 - reboot
ConfigMgr 2007 Prerequisites:
· MMC 3.0 (already included with SP2)
· MS06-030 (already installed)
· Install IE 7.0 (Not required) and other critical updates
· Windows Server 2003-based schannel hotfix
o The Configuration Manager out-of-band service point requires the Windows Server 2003-based schannel hotfix. The schannel hotfix is available for download at:
· Windows Remote Management (WinRM) v1.1
o WinRM v1.1 is required to run the out-of-band console and must be installed before primary site or Configuration Manager console installations or upgrades. WinRM 1.1 is available for download at:
· MMC updates for Configuration Manager (Software Updates)?
o This software update addresses several MMC errors that may occur when running the Configuration Manager console. This update should be applied if any of the following occur: Configuration Manager console stops responding when the host computer is low on available memory, context menu errors on console home pages, or inconsistent display after drag-and-drop operations do not succeed. More information about this update is available at: http://go.microsoft.com/fwlink/?LinkId=98349.
5. Install WSUS SP1 for SUP – check Store updates locally (Choose a Separate Drive)
Select Use an existing database server on this computer
Select - Create a Windows Server Update Service 3.0 SP1 Web Site
Click Next, Next to Finish the setup
6. Install ConfigMgr Site Server and Site System Roles;
Select Install Configuration Manager Site Server in the first setup screen and follow the screens described below.
In the next screen – type in your site code and site name
Type in your SQL server name and database name in the next screen
Then type the SMS Provider location – which should be the site server name
In the next screen, you can choose "Install a management point" or "Do not install a management point"
Continue through the next few screens.
You will see the "Settings Summary" page next, followed by the Installation Prerequisite Check. Most likely you will see a few yellow warnings, but you should be able to click "Begin Install" here.
After about 30 minutes – everything turns green
You can click view log or you can check the ConfigMgrSetup.log in C:\
Click Next – you should see "Setup completed all operations successfully." Click Finish to close the wizard.
Go to Start – ConfigMgr Console (wait for a couple of minutes for it to load)
Expand Site Management, then xy0 – Central Site, Site Settings, Site Systems, right click on your Site Server name and click New Roles
This will start New Site Role Wizard, leave the default, click Next
We are going to create a SUP – select Software Update Point and click Next
Leave it as is if you don't have Proxy server, click Next
Check Use this server as the active software update point. Since we created a WSUS custom Web site when we set up WSUS, change the ports to 8530 for TCP and 8531 for SSL as above.
An active software update point is configured on the central site so that software updates can be centrally managed and monitored. Many of the software updates synchronization settings are configured at the central site and not available at child sites. The active software update point on the central site synchronizes with Microsoft Updates.
The software update point on the central site should always be configured to synchronize from Microsoft Update. When any other setting is selected, synchronization will not succeed on the central site.
Keep the default setting Do not create WSUS reporting events, and then click Next
Check Enable synchronization on a schedule and leave the default Simple schedule, then click Next
Leave the default Update classifications, Click Next
Select the products you want to synchronize for now, click Next
In the Languages page, only leave English checked and uncheck all the other languages, click Next
Review Summary page, Click Next
When setup is done, click close – We successfully added SUP!
Next we are going to add a Reporting Point and a Fallback Status Point
Start the New Site Role Wizard as before and select Reporting point and Fallback status point
Leave default for the next three screens and click Next and you will get to the Wizard Completed page and click close.
Use the Reporting Users group to control access to the reporting point. By default, all members of the Administrators and Reporting Users groups have access to the reporting point Web site. If users need access to reports on the reporting point, add them to the Reporting Users local group on each required reporting point. The Reporting Users group does not have any members by default.
The Reporting Users group does not have Configuration Manager 2007 object security rights configured by default. This group needs Read security rights on the Report SMS class or members of the group are not able to access reports, even though they do have access to the reporting Web site.
Congratulations – by now, we have the Central site setup with RP, FSP and SUP!
Next we are going to build a Primary Site with three separate boxes: Primary Site, MP and SUP.
Since we just went through the above drill, the rest should be easy.
· Install Windows Server 2003 R2 64 Bit SP2 on all three boxes with latest updates! (turn off automatic updates!)
· Add Server2 (New Primary Site server) to System Management Container in AD – Grant full control permission
· Install IIS on Server2
· Install SQL 2005 + SP2 on Server2
· Run Prerequisite check on Server2 and satisfy the appropriate Prerequisites!
· Install WSUS SP1 administration console on Server2
· Download and install Microsoft Report Viewer Redistributable 2005 (requirement for WSUS admin console)
· Install Site Server on Server2 and choose Custom; select Do not install a management point
Configure the communication between Central Site and Primary Site
· On Server1 – Open ConfigMgr Admin Console – Right click xy0 – Central Site, then click Set Parent Site – Select Central Site!
· Add Server1 (computer account) to the SMS_SiteToSiteConnection_xy1 group on Server2
· Add Server2 (computer account) to the SMS_SiteToSiteConnection_xy0 group on Server1
You do NOT need to make the site server computer account a local admin. All you have to do is to have the account you specify in the site address a member of the target site's SMS_SiteToSiteConnection group. You'd do that at each site for the account the other site is using to push data down to the local site.
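The group membership step above, scripted as an added example that is not part of this guide: it adds the other site's computer account to the local SMS_SiteToSiteConnection_<sitecode> group through the WinNT ADSI provider, and then checks that the same account is not also sitting in the local Administrators group, since the text says that is not needed. Assumptions: run on the target site server as a local administrator; $RemoteSiteServer, $DomainNetBios and $LocalSiteCode are placeholders (the site codes xy0/xy1 follow the guide's naming).

```powershell
# Added example, not from the guide: grant site-to-site access via the local
# SMS_SiteToSiteConnection_<sitecode> group and confirm no extra local admin rights.

$RemoteSiteServer = 'SERVER1'        # assumption: the other site's server (e.g. the central site)
$DomainNetBios    = $env:USERDOMAIN  # assumption: domain of that computer account
$LocalSiteCode    = 'xy1'            # assumption: this site's code, per the guide's naming

$groupName     = "SMS_SiteToSiteConnection_$LocalSiteCode"
$memberName    = "$RemoteSiteServer`$"                         # computer accounts end in $
$memberAdsPath = "WinNT://$DomainNetBios/$memberName"

# Enumerate member names of a local group via the WinNT provider (works on Server 2003).
function Get-LocalGroupMemberNames([string]$GroupName) {
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Add the account only if it is not already a member (Add fails on duplicates).
if ((Get-LocalGroupMemberNames $groupName) -notcontains $memberName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $group.psbase.Invoke('Add', $memberAdsPath)
    Write-Host "Added $DomainNetBios\$memberName to $groupName"
} else {
    Write-Host "$memberName is already a member of $groupName"
}

# Least-privilege check: the site-to-site account does not need local Administrators.
if ((Get-LocalGroupMemberNames 'Administrators') -contains $memberName) {
    Write-Warning "$memberName is in local Administrators; remove it unless another role requires it."
} else {
    Write-Host "OK: $memberName is not a local administrator on $env:COMPUTERNAME"
}
```

Run it on each site server with the opposite site's server name, which matches the two bullets above (Server1 into xy1's group on Server2, Server2 into xy0's group on Server1). The group does not exist until the site server role has been installed on that box, so the script belongs after the site installation, not before.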
To configure primary-site-to-primary-site communications, you must manually create the addresses that will be used.
Create New Standard Sender Address, see my blog
Add Site server computer account to local admin on all site systems!!! – Then follow the below steps
Setup the default MP on Server3
· Install IIS + BITS + WEBDAV on Server3(New MP)
· Run Prerequisite check on Server3 and satisfy the appropriate Prerequisites!
On Server2, Start ConfigMgr Console and Expand Site Management, then xy0 – Primary site, Site Settings, Site Systems, right click on your Site Server name and click New – Server, then go through the "New Site System Server Wizard". You shouldn't go wrong here.
By default, the Configuration Manager 2007 site server role component installation files are installed on the first available NTFS-formatted disk drive with the most available free disk space. Configuration Manager 2007 will not install site role component files on a drive that contains a file named no_sms_on_drive.sms.
You can create a no_sms_on_drive.sms file in the root folder of all drives except for drives that you have specified as server share site systems.
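An added example, not from this guide, that applies the no_sms_on_drive.sms rule from the two paragraphs above across every fixed drive on a site system: it blocks all fixed drives except the ones you list, and removes a stale marker from an allowed drive so the script can be re-run after you change your mind. Assumption: $AllowedDrives holds the drive letters you intend ConfigMgr (or a server share site system) to use; run as a local administrator.

```powershell
# Added example, not from the guide: control where ConfigMgr places site role components
# by marking every fixed drive except the allowed ones with an empty no_sms_on_drive.sms.

$AllowedDrives = @('D:')   # assumption: drives left open for ConfigMgr / server share site systems

# DriveType 3 = local fixed disk; removable and network drives are skipped.
$fixedDrives = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 3"

foreach ($drive in $fixedDrives) {
    $root   = $drive.DeviceID + '\'
    $marker = Join-Path $root 'no_sms_on_drive.sms'

    if ($AllowedDrives -contains $drive.DeviceID) {
        if (Test-Path $marker) {
            Remove-Item $marker
            Write-Host "Removed marker from $($drive.DeviceID); drive is now allowed"
        } else {
            Write-Host "$($drive.DeviceID) left open for ConfigMgr"
        }
    } elseif (Test-Path $marker) {
        Write-Host "$($drive.DeviceID) already blocked"
    } else {
        # Only the file's presence matters; its content is irrelevant, so create it empty.
        New-Item -Path $marker -ItemType File | Out-Null
        Write-Host "Blocked $($drive.DeviceID) with $marker"
    }
}
```

Run this on Server3 and Server4 before adding them as site systems, because the drive selection happens when the role component files are first installed.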
Since MP is on a different box, need to grant full control permission for Server3 computer account to System Management container in AD.
Set up SUP/WSUS on Server4
· Install IIS
· Install WSUS SP1 (of course install Report Viewer 2005 Redistributable first)
· Select Create a Windows Server Update Services 3.0 SP1 Web Site
Add a new site system on Server2 and add Server4 for SUP, similar to what we did for Server3 (MP)
Congratulations again – by now we have a fully functional Central Site and a Primary Site. Next you could configure the site boundaries, enable agents, set up discovery methods, tune the schedules, etc.
For client installation methods – I prefer Software Update Point Client Installation
Remember, the FSP is not stored in AD, so it has to be specified in GPO for the client to locate the FSP!