All the settings in this guide are for lab use and might not be applicable in a production environment!
I’m running the lab in a VMware environment.
Install 3 virtual machines: one gateway, one DC server and one MEM server, with the following config:
Gateway (pfSense)
See this post on how to set it up:
https://www.deploymentresearch.com/using-pfsense-community-edition-as-a-virtual-router-for-your-lab-environment/
CPU: 1
Memory: 512 MB
Disk:
1. C drive: 100 GB
Network:
1. Network (VM Network)
2. Network (SCCM-New York)
3. Network (SCCM-Chicago)
DC
Name: DC01
CPU: 2
Memory: 4 GB
Disk:
1. C drive: 100 GB (Windows)
Network:
1. Network (SCCM-New York): 192.168.5.2
Microsoft Endpoint Manager
Name: MEM01
CPU: 4
Memory: 20 GB
Disk:
1. C drive: 100 GB (Windows)
2. D drive 200 GB (MEM)
3. E drive: 40 GB (SQL Database (64K))
4. F drive: 40 GB (SQL TempDB (64K))
5. G drive: 40 GB (SQL Transaction Logs (64K), SQL TempDB Logs)
Network:
1. Network (SCCM-New York)
If you want to enable copy/paste, add the following to the VMware configuration of each machine:
isolation.tools.copy.disable FALSE
isolation.tools.paste.disable FALSE
isolation.tools.setGUIOptions.enable TRUE
If you back up your virtual machines to e.g. a Synology box, you should also add:
ctkEnabled TRUE
sata0:0.ctkEnabled TRUE
Setup DC01
- Set a static IP:
IP: 192.168.5.2
Subnet: 255.255.255.0
Gateway: 192.168.5.1
DNS: 8.8.8.8
- Install Server 2019 or another version. Install all available updates. Reboot if required.
- Rename the server to “DC01”
- Start a PowerShell console as administrator and run:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
- Reboot the server
- When it is up and running again, start PowerShell ISE as administrator. Paste and run:
Install-ADDSForest `
-DomainName "memlab.local" `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "7" `
-DomainNetbiosName "memlab" `
-ForestMode "7" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$true `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
- Log on to the server, create an admin account for yourself and log off
- Log on with a user that is a member of the Schema Admins security group
- From the SCCM ISO, run .\SMSSETUP\BIN\X64\extadsch.exe in an admin PowerShell console.
- Verify in the log file, C:\ExtADsch, that AD was extended successfully:
- Reboot the server.
Click “Add roles and features” in the server manager
Click “Next >“
Click “Next >“
Click “Next >“
Mark “Active Directory Certificate Service“
Click “Add Features“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Install“
Click “Close“
Click “Configure Active Directory……….”
Click “Next >“
Mark “Certification Authority” and click “Next >“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Configure“
Click “Close“
Reboot the server
Click “Add roles and features” in the server manager
Click “Next >“
Click “Next >“
Click “Next >“
Select “DHCP Server” -> Click “Add Features“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Install“
Click “Close“
Click “Complete DHCP configuration“
Click “Next >“
Click “Commit“
Click “Close“
Reboot DC01
Logon to DC01
Open DHCP
Right click “IPv4” -> “New scope”
Click “Next >“
Give it a name -> Click “Next >“
Enter start and end IP -> Click “Next >“
Add exclusions -> Click “Next >“
Click “Next >“
Click “Next >“
Add default gateway -> Click “Next >“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Finish“
Setup MEM01 server
1. Install Server 2019 or another version. Install all available updates. Reboot if required.
2. Rename it to MEM01
3. Configure IP settings:
– IP: 192.168.5.3
– Subnet: 255.255.255.0
– Gateway: 192.168.5.1
– DNS: 192.168.5.2
4. Join the MEM01 server to the domain
Creating “System Management” container
Open “ADSI Edit” on DC01
Right click “ADSI edit” -> “Connect to“
Click “OK“
Click “Default naming…..” -> “DC=sccmlab……” -> “CN=System“
Right click “CN=System” -> “New” -> “Object“
Choose “container” -> Click “Next >“
Enter “System Management” in Value -> Click “Next >“
Click “Finish“
Access rights to “System Management Container” in AD
Advanced features should be turned on in “Active Directory Users and Computers” before you can see the “System Management” container.
Go to: “Domain” -> “System” -> Right click “System Management” -> “All tasks” -> “Delegate Control“
Click “Next >“
Click “Object Types“
Mark “Computers” and click “OK“
Type mem01 -> “Check Names” -> Click “OK“
Click “Next >“
Mark “Create a custom…..” -> Click “Next“
Click “Next“
Mark everything -> Click “Next“
Click “Finish“
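The same result as the ADSI Edit and Delegate Control clicks above, as an added example that is not part of the original guide: it creates the “System Management” container and grants Full Control on it to the MEM01 computer account only, then prints the resulting ACL so you can confirm no broader principal was delegated. It assumes it runs on DC01 with the ActiveDirectory RSAT module loaded.

```powershell
# Added example, not from the original guide: create the System Management container
# and delegate Full Control (this object and all descendants) to the site server only.
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName          # e.g. DC=memlab,DC=local
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"

# 1. Create the container if it does not exist yet
try {
    Get-ADObject -Identity $containerDn -ErrorAction Stop | Out-Null
} catch {
    New-ADObject -Name "System Management" -Type container -Path $systemDn
}

# 2. Grant the site server's computer account Full Control, inherited by child objects.
#    Only the site server needs this right; no user or admin group is added here.
$siteServer = Get-ADComputer -Identity "MEM01"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $siteServer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$containerDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# 3. Verify: MEM01$ should show GenericAll with InheritanceType All. Any other
#    explicit (non-inherited) entry on this container is worth questioning.
(Get-Acl -Path "AD:\$containerDn").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited, InheritanceType |
    Format-Table -AutoSize
```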
Groups and users on DC01
- Log on to DC01
- Open “Active Directory Users and Computers”
- Create an organizational unit (OU) called MEMusers
- Create an organizational unit (OU) called MEMgroups
- Create the following groups in the OU MEMgroups:
SEC-MEMUsers (Global security group)
SEC-MEMServers (Global security group)
SEC-MEMAdmins (Global security group)
SEC-MEM_IIS_Servers (Global security group)
- Create the following users in the OU MEMusers:
SVC-MEM_SQLService (Run SQL service) – Member of “Domain Users”
SVC-MEM_BA (Build images) – Member of “Domain Users”
SVC-MEM_JD (Join domain) – Member of “Domain Admins”
SVC-MEM_SR (Reporting Services) – Member of “Domain Users”
SVC-MEM_CP (Client Push) – Member of “The local Administrators group on the target client computers”
SVC-MEM_NAA (Network Access Account) – Member of “SEC-MEMAdmins”
- Join ALL MEM servers to the group “SEC-MEMServers”
- Add SEC-MEMServers and SEC-MEMAdmins to the local Administrators group on all the MEM servers
- Add MEM01 to the security group “SEC-MEM_IIS_Servers”
- Create a folder “D:\Source” and share it:
Click “Advanced Sharing”
Select “Share this folder” -> Name: Source$ -> Permissions
Select “Full Control” for Everyone -> Click “OK”
Click “OK”
Click “Security” tab -> Edit
Add “SEC-MEMAdmins” with Full control -> Click “OK”
Click “Close”
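The OUs, groups, service accounts and group memberships listed above, created in one script instead of the GUI, as an added example that is not part of the original guide. It assumes it runs on DC01 with the ActiveDirectory module, the domain memlab.local, and that MEM01 has already joined the domain; passwords are prompted for, not stored in the script.

```powershell
# Added example, not from the original guide: AD objects for the MEM lab.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouUsers  = "OU=MEMusers,$domainDn"
$ouGroups = "OU=MEMgroups,$domainDn"

# OUs
foreach ($ou in "MEMusers", "MEMgroups") {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

# Global security groups
foreach ($g in "SEC-MEMUsers", "SEC-MEMServers", "SEC-MEMAdmins", "SEC-MEM_IIS_Servers") {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouGroups
    }
}

# Service accounts with the memberships the guide gives them ("Domain Users" is implicit;
# SVC-MEM_CP's local admin right on clients is granted on the clients, not here).
$serviceAccounts = @(
    @{ Name = "SVC-MEM_SQLService"; Description = "Run SQL service";        MemberOf = @() },
    @{ Name = "SVC-MEM_BA";         Description = "Build images";           MemberOf = @() },
    @{ Name = "SVC-MEM_JD";         Description = "Join domain";            MemberOf = @("Domain Admins") },
    @{ Name = "SVC-MEM_SR";         Description = "Reporting Services";     MemberOf = @() },
    @{ Name = "SVC-MEM_CP";         Description = "Client Push";            MemberOf = @() },
    @{ Name = "SVC-MEM_NAA";        Description = "Network Access Account"; MemberOf = @("SEC-MEMAdmins") }
)

foreach ($acct in $serviceAccounts) {
    $password = Read-Host "Password for $($acct.Name)" -AsSecureString
    New-ADUser -Name $acct.Name -SamAccountName $acct.Name -Description $acct.Description `
        -UserPrincipalName "$($acct.Name)@memlab.local" -Path $ouUsers `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true   # service accounts: no expiry
    foreach ($group in $acct.MemberOf) {
        Add-ADGroupMember -Identity $group -Members $acct.Name
    }
}

# Site server memberships
Add-ADGroupMember -Identity 'SEC-MEMServers'      -Members 'MEM01$'
Add-ADGroupMember -Identity 'SEC-MEM_IIS_Servers' -Members 'MEM01$'

# Verify what ended up where
foreach ($g in "SEC-MEMServers", "SEC-MEM_IIS_Servers", "SEC-MEMAdmins", "Domain Admins") {
    "{0}: {1}" -f $g, ((Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName) -join ", ")
}
```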
MEM01 config
1. Log on to MEM01
2. Open “Disk Management”
Click “OK”
Right click Disk 1 and choose “New Simple Volume”
Click “Next >”
Click “Next >”
Click “Next >”
Give it a name and click “Next >”
Click “Finish”
Do the above for disks 1 + 2 + 3 + 4
The final disk layout should look something like this.
3. Create a file called “no_sms_on_drive.sms” on drives C + E + F + G
4. Open a CMD as administrator and run this to open the firewall:
@echo ========= SQL Server Ports ===================
@echo Enabling SQLServer default instance port 1433
netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433
@echo Enabling Dedicated Admin Connection port 1434
netsh advfirewall firewall add rule name="SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434
@echo Enabling conventional SQL Server Service Broker port 4022
netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022
@echo Enabling Transact-SQL Debugger/RPC port 135
netsh advfirewall firewall add rule name="SQL Debugger/RPC" dir=in action=allow protocol=TCP localport=135
@echo ========= Analysis Services Ports ==============
@echo Enabling SSAS Default Instance port 2383
netsh advfirewall firewall add rule name="Analysis Services" dir=in action=allow protocol=TCP localport=2383
@echo Enabling SQL Server Browser Service port 2382
netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=TCP localport=2382
@echo ========= Misc Applications ==============
@echo Enabling HTTP port 80
netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80
@echo Enabling SSL port 443
netsh advfirewall firewall add rule name="SSL" dir=in action=allow protocol=TCP localport=443
@echo Enabling port for SQL Server Browser Service's 'Browse' Button
netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=TCP localport=1434
@echo Allowing Ping command
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
5. Copy the sxs folder from Windows server2019 DVD to d:\Install\sxs
6. Open PowerShell ISE as administrator and run the following script:
Get-Module servermanager
Install-WindowsFeature Web-Windows-Auth
Install-WindowsFeature Web-ISAPI-Ext
Install-WindowsFeature Web-Metabase
Install-WindowsFeature Web-WMI
Install-WindowsFeature BITS
Install-WindowsFeature RDC
Install-WindowsFeature NET-Framework-Features -source \\mem01\d$\Install\sxs
Install-WindowsFeature Web-Asp-Net
Install-WindowsFeature Web-Asp-Net45
Install-WindowsFeature NET-HTTP-Activation
Install-WindowsFeature NET-Non-HTTP-Activ
7. Reboot the server
8. Download and install report builder: Download Microsoft® Report Builder from Official Microsoft Download Center
9. Download Windows ADK from: https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
10. Install ADK
Click “Next >“
Choose “No” and click “Next >“
Click “Accept“
Mark the above and Click “Install“
Click “Close“
Install ADK for WinPE
Click “Next >“
Click “Next >“
Click “Accept“
Click “Install“
Click “Close“
11. Reboot the server
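Steps 2 and 3 above (disk layout and the no_sms_on_drive.sms marker) done from PowerShell, as an added example that is not part of the original guide. It formats the three SQL volumes with the 64K allocation unit the VM spec at the top calls for, which the Disk Management wizard does not do by default, and it assumes disks 1 to 4 are raw and become D:, E:, F: and G: in that order.

```powershell
# Added example, not from the original guide: data disks on MEM01.
# Letters, labels and allocation units follow the VM spec (64K for SQL data/tempdb/log volumes).
$layout = @(
    @{ Disk = 1; Letter = "D"; Label = "MEM";       AllocationUnit = 4096  },
    @{ Disk = 2; Letter = "E"; Label = "SQLData";   AllocationUnit = 65536 },
    @{ Disk = 3; Letter = "F"; Label = "SQLTempDB"; AllocationUnit = 65536 },
    @{ Disk = 4; Letter = "G"; Label = "SQLLogs";   AllocationUnit = 65536 }
)

foreach ($v in $layout) {
    $disk = Get-Disk -Number $v.Disk
    if ($disk.IsOffline)  { Set-Disk -Number $v.Disk -IsOffline  $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $v.Disk -IsReadOnly $false }
    if ($disk.PartitionStyle -eq "RAW") {
        Initialize-Disk -Number $v.Disk -PartitionStyle GPT
    }
    # Skip disks that already carry the wanted drive letter (script is safe to re-run)
    $existing = Get-Partition -DiskNumber $v.Disk -ErrorAction SilentlyContinue |
        Where-Object DriveLetter -eq $v.Letter
    if (-not $existing) {
        New-Partition -DiskNumber $v.Disk -UseMaximumSize -DriveLetter $v.Letter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $v.Label `
                -AllocationUnitSize $v.AllocationUnit -Confirm:$false | Out-Null
    }
}

# Marker file: Configuration Manager will not place site content on a drive whose root has it.
# D: is left without it because that is where MEM, WSUS and the content library go.
foreach ($letter in "C", "E", "F", "G") {
    New-Item -Path "${letter}:\NO_SMS_ON_DRIVE.SMS" -ItemType File -Force | Out-Null
}

# Check: the SQL volumes should report AllocationUnitSize 65536
Get-Volume | Where-Object DriveLetter |
    Select-Object DriveLetter, FileSystemLabel, AllocationUnitSize, Size |
    Sort-Object DriveLetter | Format-Table -AutoSize
```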
SQL 2019 installation
Click “Installation” -> Click “New SQL Server stand-alone……….“
Click “Next >“
Click “I accept………” -> Click “Next >“
Don't mind the Windows Firewall message. Click “Next >”
Select “Database Engine Services” and change the installation drive to “D“. Click “Next >“
Click “Next >“
Add the SQL account that you created earlier. Click “Next >“
Click the “Collation” tab and change the Database Engine collation to “Latin1_General_CI_AS”. Click “Next >”
Select “SQL_Latin1_General_CP1_CI_AS“. Click “OK“
Add “Administrator” + “SEC-MEMadmins” + “Domain Admins“
Change “User database directory” to “E:\SQL_Database“. Change “User database log directory” to “G:\SQL_Logs“
Set the settings as above. Click “Next >“
Click “Yes“
Click “Install“
Click “Close“
Click “Install SQL Server Management Tools” and download it
Change the drive to D and click “Install“
Click “Close“
Click “Install SQL Server Reporting Services” and download the installation file.
Click “Install Reporting Services“
Choose “Developer” and click “Next >“
Accept the license terms and click “Next >“
Click “Next >“
Change the drive to “D” and click “Install“.
Click “Close“
Reboot the server.
Create SPN
When you configure SQL Server to use the local system account, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually register the SPN for the SQL Server service account.
Run:
setspn -A MSSQLSvc/DC01:1433 memlab\SQLSA
setspn -A MSSQLSvc/memlab.local:1433 memlab\SQLSA
To verify, run:
setspn -L memlab\SQLSA
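The SPN registration and verification above as a script, added here and not part of the original guide. It assumes SQL Server runs on MEM01 under the memlab\SVC-MEM_SQLService account created earlier, on the default port 1433. It registers with -S instead of -A so a duplicate SPN (which silently breaks Kerberos and drops connections to NTLM) is refused rather than created, and finishes with the forest-wide duplicate check.

```powershell
# Added example, not from the original guide: SPNs for the SQL service account.
$sqlHost    = "mem01.memlab.local"
$sqlAccount = "memlab\SVC-MEM_SQLService"

# FQDN with and without port, plus the short name, cover the ways clients may address the instance.
$spns = @(
    "MSSQLSvc/${sqlHost}:1433",
    "MSSQLSvc/${sqlHost}",
    "MSSQLSvc/mem01:1433"
)

foreach ($spn in $spns) {
    # setspn -Q searches the whole forest and prints "Existing SPN found!" if the SPN is taken
    $query = setspn -Q $spn
    if ($query -match "Existing SPN found") {
        Write-Host "$spn is already registered on:"
        $query | Where-Object { $_ -match "^CN=" }
    } else {
        # -S checks for duplicates before adding; -A would add a second copy blindly
        setspn -S $spn $sqlAccount
    }
}

# What the account now holds (this is the verification step the guide uses)
setspn -L $sqlAccount

# Forest-wide duplicate check; the output should end with "found 0 group of duplicate SPNs"
setspn -X

# To confirm Kerberos is actually used afterwards, run this in Management Studio:
#   SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
# and expect KERBEROS, not NTLM.
```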
SQL server config
Start SQL management Studio and click “Connect“
Right click on “MEM01………” -> click “Memory” -> change min and max values as above -> Click “OK“
Find the DB size in this blog post: https://blog.ctglobalservices.com/configuration-manager-sccm/kea/system-center-2012-configuration-manager-sql-recommendations/
Create the following folders:
– E:\MEMDB
– G:\MEMLogs
– F:\MEMTempDB
Run the following script in Management studio to create the MEM DB:
USE master
CREATE DATABASE CM_MEM
ON
( NAME = CM_MEM_1, FILENAME = 'E:\MEMDB\CM_MEM_1.mdf', SIZE = 1405, MAXSIZE = Unlimited, FILEGROWTH = 464)
LOG ON ( NAME = MEM_log, FILENAME = 'G:\MEMLogs\CM_MEM.ldf', SIZE = 1855, MAXSIZE = 1855, FILEGROWTH = 512)
ALTER DATABASE CM_MEM
ADD FILE ( NAME = CM_MEM_2, FILENAME = 'E:\MEMDB\CM_MEM_2.mdf', SIZE = 1405, MAXSIZE = Unlimited, FILEGROWTH = 464)
Run the following sql script in management studio:
use master
go
alter database tempdb modify file (name='tempdev', filename='F:\MEMTempDB\tempDB.MDF', SIZE = 1686, MAXSIZE = Unlimited, FILEGROWTH = 512)
go
alter database tempdb modify file (name='templog', filename='G:\MEMLogs\templog.LDF', SIZE = 843, MAXSIZE = Unlimited, FILEGROWTH = 512)
go
Make sure that it ran with success
Open “SQL Server Configuration Manager” -> Protocols for MSSQLSERVER -> Right click “TCP/IP” -> change “Listen All” to “No”
Click on the “IP Addresses” tab -> Find the IP of your server -> Set “Enabled” to “Yes” -> Click “OK”
Click “OK“
Reboot the server
Install WSUS
Click “Add roles and features“
Click “Next >“
Click “Next >“
Click “Next >“
Mark “Windows Server Update Service” -> Click “Add Features“
Click “Next >“
Click “Next >“
Click “Next >“
Remove the check mark in “WID Connectivity” and add the “SQL Server Connectivity” -> Click “Next >“
Type “D:\WSUS” and click “Next >“
Type “mem01” in the textbox -> click “Check connection” -> Click “Next >“
Click “Install“
Click “Close“
Click “Launch Post-Installation task“
Wait for the config to finish
Open SQL management studio
Go to “Databases” -> SUSDB -> Properties
Change Owner to SA -> Change the Autogrowth value to 512MB -> click “Ok” -> close SQL MS
Reboot the server
MEM Installation
Open the installation DVD and run “splash.hta“
Click “Install“
Click “Next >“
Click “Next >“
Enter your serial no -> Click “Next >“
Accept the terms -> Click “Next >“
Add a path to save the pre-req files -> Click “Next >“
Click “Next >“
Click “Next >“
Type:
Site code: MEM
Site name: MEM – MEMLab
Install dir “D:\Pro………” NOTICE IT IS INSTALLED ON DRIVE D:
Click “Next >“
Choose “Install the primary………………” -> Click “Next >“
Click “Yes“
Click “Next >“
Change the paths as above -> Click “Next >“
Click “Next >“
Click “Next >“
Click “Yes“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Next >“
You can Ignore the warnings for now. Click “Begin Install“. Please note that the installation will take a while!
Reboot the server when the installation is done
Certificate creation
Logon to DC01
open a cmd in admin context
Enter “certutil -ca.cert c:\RootCA_mem.cer” -> Hit “Enter”
The certificate has been saved successfully
Copy the certificate
Paste it into \\mem01\source$\cert
Open “Certification Authority“
Right click “Certificate Template” -> Click “Manage“
MEM Web server certificate
Right click “Web Server” -> Click “Duplicate Template“
Make sure the setting is like the screenshot above.
Change the name to “MEM Web Server Certificate“
Click on the “Security” blade -> remove “Enroll” check mark for “Domain Admins“
Remove “Enroll” check mark for “Enterprise Admins“
Add “SEC-MEM_IIS_Servers” -> enable “Enroll” -> Click “OK“
Close the “Certificate Templates Console” console
Right click “Certificate Template” -> New -> “Certificate Template to Issue“
Select the new template that you have just created “MEM Web Server Certificate” -> Click OK.
Client Certificate for Distribution Points
Right click “Certificate Template” -> Click “Manage“
Right click “Workstation Authentication” -> Click “Duplicate Template“
Make sure the setting is like the screenshot above.
Click the General tab -> Give the certificate a name -> change the validity period to 3 years
In the Request Handling tab -> select “Allow private key to be exported“
Click the “Security” tab, and remove the “Enroll” permission from the Enterprise Admins security group
Add “SEC-MEM_IIS_Servers” -> select “Enroll” -> Click “OK“
Right click “Certificate Templates” -> New -> Certificate Template to Issue
Select “MEM Client Distribution Point Certificate” -> Click “OK“
Certificate for Workstation Authentication
Right click “Certificate Template” -> Click “Manage“
Right click “Workstation Authentication” -> Click “Duplicate Template“
Make sure the setting is like the screenshot above.
Select the General tab -> enter a name for the certificate -> Validity period: 3 years
Select the Security tab -> select Domain Computers -> enable “Read” -> enable “Autoenroll”
Add “Domain Controllers” -> enable “Read” -> enable “Autoenroll” -> Click “OK”
Right click “Certificate Template” -> New -> Certificate Template to Issue
Select “MEM Client Certificate” -> Click “OK“
Close the “certsrv” console
Configuring Auto enrollment of the Workstation
Open “Group policy management” on DC01
Navigate to your domain ->MEMcomputers -> right-click MEMcomputers -> select “Create a GPO in this domain, and Link it here“
Give it a name -> Click “OK“
In the results pane, on the “Linked Group Policy Objects” tab, right-click the new Group Policy, and then click “Edit.”
In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings > Security Settings > Public Key Policies. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties
From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK. Close the GPMC.
Adding certificate to MEM01
Logon to MEM01
Type “mmc” in the start menu and a MMC will open.
Click “File” -> “Add/Remove Snap-in“
Mark “Certificates” -> Click “Add >”
Mark “Computer account” -> Click “Next >“
Click “Finish“
Click “OK“
Go to Certificates -> Personal -> Certificates -> Right click -> All Tasks -> Request New Certificate
Click “Next>“
Click “Next >“
click “More information is required to enroll for this certificate. Click here to configure settings“
Change “Alternative name” to “DNS” -> add “mem01.memlab.local” and “mem01“
Add “MEM Web Server Certificate” in the name box -> Click “OK“
Select “MEM Web Server Certificate” -> Click “Enroll“
Click “Finish“
Configuring IIS to Use the Web Server Certificate
Open Internet Information Services (IIS) Manager-> MEM01 -> Sites -> Default Web Site -> Right click -> Edit Bindings
Select “https” -> Click “Edit“
Click “Select“
Select your cert -> Click “OK“
Click “OK“
Click “Close“
Deploying the Client Certificate for Distribution Points
Logon to MEM01
Type “mmc” in the start menu and a MMC will open.
Click “File” -> “Add/Remove Snap-in“
Mark “Certificates” -> Click “Add >”
Mark “Computer account” -> Click “Next >“
Click “Finish“
Click “OK“
Go to Certificates -> Personal -> Certificates -> Right click -> All Tasks -> Request New Certificate
Click “Next >“
Click “Next >“
Select “MEM DPoint Certificate” -> Click “Enroll“
Click “Finish“
Exporting the Client Certificate for Distribution Points
Right click “MEM DP Certificate” -> All Tasks -> Export
Click “Next >“
Select “Yes, export the private key” -> Click “Next >“
Unselect “Enable certificate privacy” -> Click “Next >“
Enter a password -> Click “Next >“
Choose where to save the cert -> Click “Next >“
Click “Finish“
Click “OK“
Deploying the Client Certificate for Distribution Points
Open the MEM console -> Administration -> Site Configuration -> Servers and Site System Roles -> Right click “Distribution Point” -> Click “Properties“
Click on the “Communication” tab -> Import certificate -> browse to your cert and enter the password -> Click “OK“
Go to Administration -> Site Configuration -> Sites -> right click “MEM – MEM – MEMLab” -> Properties
Click “Communication Security” tab -> Click “Set“
Click “Yellow star“
Browse to “\\mem01\source$\cert” -> choose “RootCA_mem.cer -> Click “Open“
Click “OK“
Click “OK“
Reboot DC01 and MEM01
Certificate and Verifying Its Installation on Computers
Logon to MEM01
Type “mmc” in the start menu and a MMC will open.
Click “File” -> “Add/Remove Snap-in“
Mark “Certificates” -> Click “Add >”
Mark “Computer account” -> Click “Next >“
Click “Finish“
Click “OK“
In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that SCCM Client Certificate is displayed in the Certificate Template column. Close the console.
Logon to MEM01
Open the MEM console
Add the ”SEC-MEMAdmins” group to Administration -> Security -> Administrative Users.
Go to Administration -> Site Configuration -> Sites -> Configure Site Components -> Software distribution
Click -> Network Access Account -> mark “Specify the account……..” -> “Yellow star” -> New Account
Add the user “SVC-MEM_NAA” and enter the password for the account -> Click “OK“
Click “OK“
Go to Administration -> Site Configuration -> Sites -> Client Installation Settings -> Client Push Installation
Select -> “Enable automatic……” -> select “Configuration Manager……….“
Click “Accounts” tab -> “Yellow star” -> New Account
Add the user “SVC-MEM_CP” and enter the password for the account -> Click “OK“
Click “OK“
Open “Report Server Configuration Manager” from the start menu on MEM01
Click “Connect“
Click “Database” -> Change Database
Click “Next“
Click “Test Connection“
Click “OK“
Click “Next“
Click “Next“
Click “Next“
Click “Next“
Click “Finish“
Click “Web Service URL” -> Apply
Click “Web Portal URL” -> Apply
Click “Encryption Keys” -> Backup
Choose a place to save it and enter a password. Click “OK“
Click “Exit“
ADD REPORTING SERVICES POINT ROLE IN SCCM
Open the SCCM console.
Navigate to Administration/Site/Configuration/Servers and Site System Roles -> Right-click on your Site Server and click Add system Roles
Click “Next >“
Click “Next >“
On the Site System Role, select Reporting Services Point, Click Next
Click Verify
Click “OK“
Click “Set” -> New Account. (This account needs to have access to the SCCM DB)
Add username and password -> Click “OK”
Click “Next >“
Click “Next >“
Click “Close“
SOFTWARE UPDATE POINT INSTALLATION
Install SOFTWARE UPDATE POINT
Open the MEM console
Navigate to Administration/Site/Configuration/Servers and Site System Roles -> Right-click on your Site Server and click Add system Roles
Click “Next >“
Click “Next >“
Select “Software update point” -> Click “Next >“
Select “Require SSL………” and “Allow Configuration M………..” and “Allow Internet and ………….” -> Click “Next>“
Click “Next>“
Click “Next>“
Check the Enable synchronization on a schedule checkbox and select your desired schedule. 1 day is usually enough but it can be lowered if you’re synchronizing Endpoint Protection definition files, click Next
On the Supersedence Rules tab, select Immediately expire a superseded software update and Immediately expire a superseded feature update, click Next
Select “Decline expired updates……………….” and “Add non-clustered………” and “Remove obsolete……..” -> Click “Next >”
Click “Next >“
Click “Next >“
Click “OK“
Select “All Classifications” -> Click “Next >“
Select the products that you want to patch -> Click “Next >“
Click “Next >“
Click “Next >“
Click “Close“
Reboot MEM
After the first sync you have to go into Classifications and Products again, because new options only appear after the first sync has completed.
Configure WSUS in SSL
Logon on to MEM01
CONFIGURE WSUS ADMINISTRATION WEBSITE TO USE SSL
Open “Internet Information Services (IIS) Manager“
Right click “Wsus Administration” -> Edit bindings
Mark “Https” -> Click “edit“
Click “Select“
Select “MEM Web Server Certificate -> Click “OK“
Click “OK“
Click “Close“
select API Remoting30 -> select SSL settings
Check the box “Require SSL” and hit “Apply” on the right side of the console
Repeat this step for the following components:
ClientWebService
DssAuthWebService
ServerSyncWebService
SimpleAuthWebService
Open a command prompt as admin, browse to the C:\Program Files\Update Services\Tools ->run: WSUSUTIL configuressl mem01.memlab.local
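The WSUS SSL steps above done from PowerShell, as an added example that is not part of the original guide: bind the MEM Web Server Certificate to the WSUS Administration site, require SSL on the five virtual directories listed, run wsusutil configuressl, then read the setting back. It assumes the certificate enrolled earlier has subject mem01.memlab.local and that WSUS listens on its default SSL port 8531.

```powershell
# Added example, not from the original guide: WSUS over SSL on MEM01.
Import-Module WebAdministration

$site     = "WSUS Administration"
$fqdn     = "mem01.memlab.local"
$sslPort  = 8531                      # WSUS default SSL port (8530 is the HTTP port)
$vdirs    = "ApiRemoting30", "ClientWebService", "DssAuthWebService",
            "ServerSyncWebService", "SimpleAuthWebService"

# 1. Pick the newest server-authentication certificate issued for this host
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains "Server Authentication" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for $fqdn in LocalMachine\My; enroll it first." }

# 2. Bind it to the WSUS https port (replaces any existing binding on that port)
$binding = "IIS:\SslBindings\0.0.0.0!$sslPort"
if (Test-Path $binding) { Remove-Item $binding }
New-Item -Path $binding -Value $cert | Out-Null

# 3. Require SSL on the virtual directories clients and the site server talk to.
#    Anything left at "None" can still be reached over plain HTTP on 8530.
foreach ($vdir in $vdirs) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# 4. Tell WSUS itself to use SSL for its client URLs
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $fqdn

# 5. Read back: every listed vdir should show sslFlags=Ssl
foreach ($vdir in $vdirs) {
    $flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
    "{0,-22} sslFlags={1}" -f $vdir, $flags
}
```

The Software Update Point must then be set to “Require SSL” (as configured earlier) so the site server connects on 8531 rather than 8530.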
Configure Distribution Point on primary site
Open the SCCM console
Navigate to Administration -> Site Configuration -> Servers and Site System Roles -> Right-click your Site System -> mark “Distribution Point” and right click it -> Properties
Select “Enable and conf………..” + “Adjust the download……..“
Select “Enable PXE support for clients” -> Click “Yes“
Select “Enable unknown computer support” -> Click “OK“
Select “Enable a PXE responder…….” -> Click “Yes“
Click “OK“
If you want to set up a DP on another server, you have to prepare the server before installing the DP:
Firewall rules for a DP:
Site Server -> Distribution Point
SMB: 445 TCP
RPC Endpoint Mapper: 135 UDP and TCP
RPC: dynamic TCP
Site Server <-> Site Server
SMB: 445 TCP
Point to Point Tunneling Protocol (PPTP): 1723 TCP
Printer and File Sharing need to be enabled in the firewall
Open PowerShell ISE as administrator on the DP server and run the script below.
Run “Set-ExecutionPolicy Unrestricted -Force” before you run the rest of the script.
#Set-ExecutionPolicy Unrestricted -Force
#Add the site server group to the local Administrators group (SEC-MEMServers is the group created earlier in this lab)
([adsi]"WinNT://./Administrators,group").Add("WinNT://memlab/SEC-MEMServers,group")
#Install server roles for an SCCM distribution point
Import-Module ServerManager
Add-WindowsFeature Web-Server,Web-ISAPI-Ext,Web-Windows-Auth,Web-Metabase,Web-WMI,RDC
#Firewall rules (PowerShell 3.0 / Server 2012 and later): HTTP, HTTPS and content transfer over TCP; DHCP/TFTP for PXE over UDP
New-NetFirewallRule -DisplayName "SCCM 2012 R2 TCP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80,443,10123
New-NetFirewallRule -DisplayName "SCCM 2012 R2 UDP" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 67,68,69,4011
#Install AD PowerShell integration
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
#Find hostname
$SCCM2012DP = hostname
#Add the DP computer account to SEC-MEMServers
Get-ADComputer $SCCM2012DP | Add-ADPrincipalGroupMembership -MemberOf SEC-MEMServers
#Create NO_SMS_ON_DRIVE.SMS on the C drive so the DP does not store content there
New-Item C:\NO_SMS_ON_DRIVE.SMS -type file
Restart-Computer
Navigate to Administration/Site/Configuration/Servers and Site System Roles -> Right-click on your Site Server and click Add system Roles
Click “Next >“
Click “Next >“
Select the DP role and follow the rest of the wizard. Remember that it should run HTTPS.
You can follow the installation in this log file: on the DP server: D:\SMS_DP$\sms\logs\smsdpprov.log
Navigate to Administration -> Distribution Point Groups -> click Create Group
Give it a name -> Click “Add”
Select the DP -> Click “OK“
Click “OK“
In this lab I won't install an additional DP.
Endpoint Protection Point
Open the MEM console
Navigate to Administration/Site/Configuration/Servers and Site System Roles -> Right-click on your Site Server and click Add system Roles
Click “Next >“
Click “Next >“
Click “OK“
Click “Next >“
Click “Next >“
Click “Next >“
Click “Close“
FALLBACK STATUS POINT
Open the MEM console
Navigate to Administration/Site/Configuration/Servers and Site System Roles -> Right-click on your Site Server and click Add system Roles
Click “Next >“
Click “Next >“
Mark “Fallback status point” -> Click “Next >“
Click “Next >“
Click “Next >“
Click “Close“
Navigate to Administration / Site Configuration / Site -> Click the Client Installation Setting icon on the ribbon -> Select Client Push Installation -> Installation Properties tab
Enter “mem01.memlab.local” in the FSP properties -> Click “OK“
RECOVERY MODEL
Using the simple recovery model improves performance and saves disk space on the server, since the transaction log cannot grow large.
Open SQL Management Studio
Right-click on the ReportServer database and select Properties
Go to the Options page -> Under Recovery model select Simple -> Click OK
Boundaries
Open admin console -> Administration -> Hierarchy Configuration -> Boundaries Groups -> Click “Create Boundary Group“
Give it a name -> Click “References” tab
Select “Use this boundary…..” -> Click “Add“
Mark the MEM01 server -> Click “OK“
Click “OK“
Click “Boundaries“
Click “Create Boundary“
Enter “New York” in description -> choose “IP address range” -> Enter the IP address -> Click “Boundary Groups“
Click “Add“
Select “New York” -> Click “OK“
Click “OK“
Discovery
Go to Administration / Hierarchy Configuration / Discovery Methods
Right-Click Active Directory Group Discovery and select Properties
Select “Enable Active……” Click “Add” -> Location
Click “Browse“
Mark “MEMgroups” -> Click “OK“
Give it a name -> Click “OK“
Click “OK“
Click “Yes“
Right-Click Active Directory System Discovery and select Properties
Select “Enable Active Di……..” -> Click “Yellow star“
Click “Browse“
Select “MEMcomputers” -> Click “OK“
Click “OK“
Click “OK“
Click “Yes“
Right-Click Active Directory User Discovery and select Properties
Select “Enable Active Dir…….” -> Click “Yellow star“
Click “Browse“
Mark “MEMusers” -> Click “OK“
Click “OK“
Click “OK“
Click “Yes“
Site Maintenance
Create a folder D:\MEMBackup and share it as “MEMBackup$“. Add SEC-MEMServers with Modify Rights
Navigate to Administration -> Site Configuration -> Sites -> mark “MEM – MEM – MEMLAB” -> Click “Site Maintenance”
Select “Enable this task” -> Click “Set Paths“
Select “Network path…..” add “\\mem01\membackup$” as backup destination -> Click “OK“
Click “OK“
Click “Enable this task” -> Click “OK“
Click “Enable this task” -> type “30” in Delete data that has been inactive for (days) -> Click “OK“
Click “Enable this task” -> type “1” in Delete data that has been inactive for (days) -> Click “OK“
type “14” in Delete data that has been inactive for (days) -> Click “OK“
Click “OK“
Client Settings
Go to Administration / Client Settings -> Right click “Default Client Settings” -> Properties
Client Cache Settings:
Client Policy:
Compliance settings:
Hardware inventory:
Software inventory: