All the settings in this guide are for lab use and might not be applicable in a production environment!

I’m running the lab in a VMware environment.
Install three virtual machines, one gateway, one DC server and one MEM server, with the following configuration:

Gateway (pfSense)

See this post for how to set it up:
https://www.deploymentresearch.com/using-pfsense-community-edition-as-a-virtual-router-for-your-lab-environment/

CPU: 1
Memory: 512 MB
Disk:
1. C drive: 100 GB
Network:
1. Network (VM Network)
2. Network (SCCM-New York)
3. Network (SCCM-Chicago)

DC

Name: DC01
CPU: 2
Memory: 4 GB
Disk:
1. C drive: 100 GB (Windows)
Network:
1. Network (SCCM-New York): 192.168.5.2

Microsoft Endpoint Manager

Name: MEM01
CPU: 4
Memory: 20 GB
Disk:
1. C drive: 100 GB (Windows)
2. D drive: 200 GB (MEM)
3. E drive: 40 GB (SQL Database (64K))
4. F drive: 40 GB (SQL TempDB (64K))
5. G drive: 40 GB (SQL Transaction Logs (64K), SQL TempDB Logs)
Network:
1. Network (SCCM-New York)

In the VMware configuration of each machine you can add the following if you want to enable copy/paste:

isolation.tools.copy.disable FALSE
isolation.tools.paste.disable FALSE
isolation.tools.setGUIOptions.enable TRUE

If you back up your virtual machines to e.g. a Synology box, you should also add:

ctkEnabled TRUE
sata0:0.ctkEnabled TRUE

Setup DC01

  1. Set static IP:
    IP: 192.168.5.2
    Subnet: 255.255.255.0
    Gateway: 192.168.5.1
    DNS: 8.8.8.8
  2. Install Server 2019 or another version. Install all available updates. Reboot if required.
  3. Rename the server to “DC01”
  4. Start a PowerShell console as administrator and run:
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
  5. Reboot the server
  6. When it is up and running again, start PowerShell ISE as administrator. Paste and run:
    Install-ADDSForest `
    -DomainName "memlab.local" `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "7" `
    -DomainNetbiosName "memlab" `
    -ForestMode "7" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$True `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true
  7. Log on to the server, create an admin account for yourself and log off
  8. Log on with a user that is a member of the Schema Admins security group
  9. From the SCCM ISO, run .\SMSSETUP\BIN\X64\extadsch.exe in a PowerShell admin console.

10. Verify in the log file, C:\ExtADsch, that AD was extended successfully:

11. Reboot the server.

Click “Add roles and features” in the server manager

Click “Next >”

Click “Next >”

Click “Next >”

Mark “Active Directory Certificate Services”

Click “Add Features”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Install”

Click “Close”

Click “Configure Active Directory Certificate Services…”

Click “Next >”

Mark “Certification Authority” and click “Next >”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Configure”

Click “Close”

Reboot the server

Click “Add roles and features” in the server manager

Click “Next >”

Click “Next >”

Click “Next >”

Select “DHCP Server” -> Click “Add Features”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Install”

Click “Close”

Click “Complete DHCP configuration”

Click “Next >”

Click “Commit”

Click “Close”

Reboot DC01

Log on to DC01

Open DHCP

Right click “IPv4” -> “New Scope…”

Click “Next >”

Give it a name -> Click “Next >”

Enter start and end IP -> Click “Next >”

Add exclusions -> Click “Next >”

Click “Next >”

Click “Next >”

Add default gateway -> Click “Next >”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Finish”
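As an added example (not part of the original guide), the same DC01 role work done with PowerShell instead of the Server Manager wizards: the schema-extension check, the enterprise root CA, and the DHCP role with a scope for the SCCM-New York network. The log file name, the CA common name and the scope range/exclusion are assumed lab values.

```powershell
# Added example, not from the original guide. Run as a Domain/Enterprise Admin on DC01.
# Assumed values: the extadsch log file name, the CA common name, the DHCP scope range/exclusion.

# 1. Confirm the schema extension (extadsch.exe) succeeded before adding more roles.
$log = 'C:\ExtADSch.log'   # extadsch.exe logs to the root of C: (file name assumed)
if (-not (Select-String -Path $log -Pattern 'Successfully extended the Active Directory schema' -Quiet)) {
    throw "Schema extension not confirmed in $log - check the log before installing more roles."
}

# 2. AD CS: an enterprise root CA, which is what the wizard defaults above produce.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'memlab-DC01-CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 3. DHCP: install the role and do what "Complete DHCP configuration" does
#    (create the DHCP security groups and authorize the server in AD).
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Add-DhcpServerSecurityGroup
Add-DhcpServerInDC -DnsName 'dc01.memlab.local' -IPAddress 192.168.5.2
Restart-Service DHCPServer
# Clear the post-install flag in Server Manager (role id 12 = DHCP)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# 4. Scope for the SCCM-New York network; range and exclusion are constructed lab values.
Add-DhcpServerv4Scope -Name 'SCCM-New York' -StartRange 192.168.5.100 -EndRange 192.168.5.200 `
    -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.5.0 -StartRange 192.168.5.100 -EndRange 192.168.5.109
Set-DhcpServerv4OptionValue -ScopeId 192.168.5.0 -Router 192.168.5.1 -DnsServer 192.168.5.2 -DnsDomain 'memlab.local'

# 5. Verify: the server is authorized in AD and the scope is active.
Get-DhcpServerInDC
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, State, StartRange, EndRange
```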

Setup MEM01 server

1. Install Server 2019 or another version. Install all available updates. Reboot if required.
2. Rename it to MEM01
3. Configure IP settings:
– IP: 192.168.5.3
– Subnet: 255.255.255.0
– Gateway: 192.168.5.1
– DNS: 192.168.5.2
4. Join the MEM01 server to the domain

Creating the “System Management” container

Open “ADSI Edit” on DC01

Right click “ADSI Edit” -> “Connect to…”

Click “OK”

Click “Default naming…” -> “DC=sccmlab…” -> “CN=System”

Right click “CN=System” -> “New” -> “Object…”

Choose “container” -> Click “Next >”

Enter “System Management” in Value -> Click “Next >”

Click “Finish”

Access rights to the “System Management” container in AD

Advanced Features must be turned on in “Active Directory Users and Computers” before you can see the “System Management” container.
Go to: “Domain” -> “System” -> Right click “System Management” -> “All Tasks” -> “Delegate Control…”

Click “Next >”

Click “Object Types…”

Mark “Computers” and click “OK”

Type mem01 -> “Check Names” -> Click “OK”

Click “Next >”

Mark “Create a custom…” -> Click “Next >”

Click “Next >”

Mark everything -> Click “Next >”

Click “Finish”
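The container creation and the delegation above as one PowerShell script (an added example, not code from the original guide). It assumes the domain memlab.local and the site server MEM01 used in this lab, and grants the same Full Control with inheritance that “Mark everything” in the wizard produces.

```powershell
# Added example, not from the original guide. Creates the System Management container and
# delegates Full Control on it (and all child objects) to the site server's computer account.
# Assumes domain memlab.local and site server MEM01 from this guide.
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName        # e.g. DC=memlab,DC=local
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"
$siteServer  = 'memlab\MEM01$'

# Create the container only if it is missing (safe to re-run)
$existing = Get-ADObject -Filter 'Name -eq "System Management"' -SearchBase $systemDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# GA = Generic All (Full Control); /I:T = this object and all child objects
dsacls $containerDn /G "${siteServer}:GA" /I:T | Out-Null

# Verify: an ACE for MEM01$ must be listed on the container
$acl = dsacls $containerDn
if (-not ($acl | Select-String 'MEM01\$')) { throw "No ACE for $siteServer on $containerDn" }
$acl | Select-String 'MEM01\$'
```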

Groups and users on DC01

  1. Log on to DC01
  2. Open “Active Directory Users and Computers”
  3. Create an Organizational Unit (OU) called MEMusers
  4. Create an Organizational Unit (OU) called MEMgroups
  5. Create the following groups in the OU MEMgroups:
    SEC-MEMUsers (Global security group)
    SEC-MEMServers (Global security group)
    SEC-MEMAdmins (Global security group)
    SEC-MEM_IIS_Servers (Global security group)
  6. Create the following users in the OU MEMusers:
    SVC-MEM_SQLService (Run SQL service) – Member of “Domain Users”
    SVC-MEM_BA (Build images) – Member of “Domain Users”
    SVC-MEM_JD (Join domain) – Member of “Domain Admins”
    SVC-MEM_SR (Reporting Services) – Member of “Domain Users”
    SVC-MEM_CP (Client Push) – Member of the local Administrators group on the target client computers
    SVC-MEM_NAA (Network Access Account) – Member of “SEC-MEMAdmins”
  7. Add ALL MEM servers to the group “SEC-MEMServers”
  8. Add SEC-MEMServers and SEC-MEMAdmins to the local Administrators group on all the MEM servers
  9. Add MEM01 to the security group “SEC-MEM_IIS_Servers”
  10. Create a folder “D:\Source” and share it:

Click “Advanced Sharing…”

Select “Share this folder” -> Name: Source$ -> Permissions

Select “Full Control” for Everyone -> Click “OK”

Click “OK”

Click “Security” tab -> Edit

Add “SEC-MEMAdmins” with Full control -> Click “OK”

Click “Close”
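The OUs, groups, service accounts, group memberships and the Source$ share from the steps above as a script (an added example, not code from the original guide). The first part runs on DC01, the last part on MEM01; passwords are prompted for rather than stored in the script, and the group memberships follow the list above.

```powershell
# Added example, not from the original guide. Part 1 runs on DC01 (AD objects),
# part 2 on MEM01 (local admins and the Source$ share). Domain memlab.local assumed.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$usersOu  = "OU=MEMusers,$domainDn"
$groupsOu = "OU=MEMgroups,$domainDn"

New-ADOrganizationalUnit -Name 'MEMusers'  -Path $domainDn
New-ADOrganizationalUnit -Name 'MEMgroups' -Path $domainDn

foreach ($g in 'SEC-MEMUsers','SEC-MEMServers','SEC-MEMAdmins','SEC-MEM_IIS_Servers') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOu
}

# Service accounts: description and the extra group beyond the default "Domain Users".
# SVC-MEM_CP gets local admin on the clients (set there), so no AD group here.
$svc = @{
    'SVC-MEM_SQLService' = @{ Desc = 'Run SQL service';        Extra = $null }
    'SVC-MEM_BA'         = @{ Desc = 'Build images';           Extra = $null }
    'SVC-MEM_JD'         = @{ Desc = 'Join domain';            Extra = 'Domain Admins' }
    'SVC-MEM_SR'         = @{ Desc = 'Reporting Services';     Extra = $null }
    'SVC-MEM_CP'         = @{ Desc = 'Client Push';            Extra = $null }
    'SVC-MEM_NAA'        = @{ Desc = 'Network Access Account'; Extra = 'SEC-MEMAdmins' }
}
foreach ($name in $svc.Keys) {
    $pw = Read-Host -AsSecureString "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $usersOu `
        -Description $svc[$name].Desc -AccountPassword $pw -Enabled $true
    if ($svc[$name].Extra) { Add-ADGroupMember -Identity $svc[$name].Extra -Members $name }
}

# Site server computer account into the server and IIS groups (steps 7 and 9)
Add-ADGroupMember -Identity 'SEC-MEMServers'      -Members 'MEM01$'
Add-ADGroupMember -Identity 'SEC-MEM_IIS_Servers' -Members 'MEM01$'

# ---- Part 2: run on MEM01 ----
# Step 8: domain groups into the local Administrators group
Add-LocalGroupMember -Group 'Administrators' -Member 'memlab\SEC-MEMServers','memlab\SEC-MEMAdmins'

# Step 10: D:\Source shared as Source$ (share permission Full Control for Everyone, as above)
New-Item -Path 'D:\Source' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Source$' -Path 'D:\Source' -FullAccess 'Everyone'
# NTFS permission for SEC-MEMAdmins; effective access is the stricter of share and NTFS ACLs
$acl  = Get-Acl -Path 'D:\Source'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'memlab\SEC-MEMAdmins', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Source' -AclObject $acl
```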

MEM01 config

  1. Log on to MEM01
  2. Open “Disk Management”

Click “OK”

Right click Disk 1 and choose “New Simple Volume…”

Click “Next >”

Click “Next >”

Click “Next >”

Give it a name and click “Next >”

Click “Finish”

Do the above for disks 1 + 2 + 3 + 4

The final disk layout should look something like this.

3. Create a file called “no_sms_on_drive.sms” on drives C + E + F + G

4. Open a CMD as administrator and run this to open the firewall:

@echo ========= SQL Server Ports ===================
@echo Enabling SQLServer default instance port 1433
netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433
@echo Enabling Dedicated Admin Connection port 1434
netsh advfirewall firewall add rule name="SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434
@echo Enabling conventional SQL Server Service Broker port 4022
netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022
@echo Enabling Transact-SQL Debugger/RPC port 135
netsh advfirewall firewall add rule name="SQL Debugger/RPC" dir=in action=allow protocol=TCP localport=135
@echo ========= Analysis Services Ports ==============
@echo Enabling SSAS Default Instance port 2383
netsh advfirewall firewall add rule name="Analysis Services" dir=in action=allow protocol=TCP localport=2383
@echo Enabling SQL Server Browser Service port 2382
netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=TCP localport=2382
@echo ========= Misc Applications ==============
@echo Enabling HTTP port 80
netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80
@echo Enabling SSL port 443
netsh advfirewall firewall add rule name="SSL" dir=in action=allow protocol=TCP localport=443
@echo Enabling port for SQL Server Browser Service's 'Browse' Button
netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=TCP localport=1434
@echo Allowing Ping command
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

5. Copy the sxs folder from the Windows Server 2019 DVD to D:\Install\sxs

6. Open PowerShell ISE as administrator and run the following script:
Get-Module servermanager
Install-WindowsFeature Web-Windows-Auth
Install-WindowsFeature Web-ISAPI-Ext
Install-WindowsFeature Web-Metabase
Install-WindowsFeature Web-WMI
Install-WindowsFeature BITS
Install-WindowsFeature RDC
Install-WindowsFeature NET-Framework-Features -source \\mem01\d$\Install\sxs
Install-WindowsFeature Web-Asp-Net
Install-WindowsFeature Web-Asp-Net45
Install-WindowsFeature NET-HTTP-Activation
Install-WindowsFeature NET-Non-HTTP-Activ

7. Reboot the server

8. Download and install Microsoft Report Builder from the Microsoft Download Center.

9. Download Windows ADK from: https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

10. Install ADK

Click “Next >”

Choose “No” and click “Next >”

Click “Accept”

Mark the above and click “Install”

Click “Close”

Install ADK for WinPE

Click “Next >”

Click “Next >”

Click “Accept”

Click “Install”

Click “Close”

11. Reboot the server

SQL 2019 installation

Click “Installation” -> Click “New SQL Server stand-alone…”

Click “Next >”

Click “I accept…” -> Click “Next >”

Don’t mind the Windows Firewall message. Click “Next >”

Select “Database Engine Services” and change the installation drive to “D”. Click “Next >”

Click “Next >”

Add the SQL account that you created earlier. Click “Next >”

Click the “Collation” tab and change the Database Engine collation to “Latin1_General_CI_AS”. Click “Next >”

Select “SQL_Latin1_General_CP1_CI_AS”. Click “OK”

Add “Administrator” + “SEC-MEMadmins” + “Domain Admins”

Change “User database directory” to “E:\SQL_Database”. Change “User database log directory” to “G:\SQL_Logs”

Set the settings as above. Click “Next >”

Click “Yes”

Click “Install”

Click “Close”

Click “Install SQL Server Management Tools” and download it

Change the drive to D and click “Install”

Click “Close”

Click “Install SQL Server Reporting Services” and download the installation file.

Click “Install Reporting Services”

Choose “Developer” and click “Next >”

Accept the license terms and click “Next >”

Click “Next >”

Change the drive to “D” and click “Install”.

Click “Close”

Reboot the server.

Create SPN

When you configure SQL Server to use the local system account, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually register the SPN for the SQL Server service account.

Run:
setspn -A MSSQLSvc/DC01:1433 memlab\SQLSA
setspn -A MSSQLSvc/memlab.local:1433 memlab\SQLSA

To verify, run:
setspn -L memlab\SQLSA
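An added example (not from the original guide) that registers the SQL SPNs with a duplicate check and verifies them from both setspn and the account object: a missing or duplicated MSSQLSvc SPN makes Kerberos authentication to SQL fail silently with a fallback to NTLM. The account name and the SQL host are assumptions for this lab; adjust them to your names.

```powershell
# Added example, not from the original guide. $account and $sqlHost are assumed lab values.
Import-Module ActiveDirectory
$account = 'memlab\SQLSA'
$sam     = $account.Split('\')[1]
$sqlHost = 'mem01.memlab.local'            # the host that actually runs the SQL service
# Both the FQDN and the short-name form, as SQL clients may use either
$spns    = @("MSSQLSvc/${sqlHost}:1433", "MSSQLSvc/$($sqlHost.Split('.')[0]):1433")

foreach ($spn in $spns) {
    # -Q searches the forest for an existing registration of this exact SPN
    $found = (setspn -Q $spn 2>&1) -join "`n"
    if ($found -match 'Existing SPN found' -and $found -notmatch "CN=$sam,") {
        # Same SPN on a different account = duplicate; Kerberos would fail and clients fall back to NTLM
        Write-Warning "$spn is already registered on another object:`n$found"
        continue
    }
    # -S refuses to add a duplicate, unlike -A
    setspn -S $spn $account
}

# Verify from both sides: setspn's view and the attribute on the account object
setspn -L $account
(Get-ADUser -Identity $sam -Properties servicePrincipalName).servicePrincipalName
# Forest-wide duplicate scan; it should report no duplicates
setspn -X
```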

SQL server config

Start SQL Server Management Studio and click “Connect”

Right click on “MEM01…” -> click “Memory” -> change the min and max values as above -> Click “OK”

Find the DB size in this blog post: https://blog.ctglobalservices.com/configuration-manager-sccm/kea/system-center-2012-configuration-manager-sql-recommendations/

Create the following folders:
– E:\MEMDB
– G:\MEMLogs
– F:\MEMTempDB

Run the following script in Management Studio to create the MEM DB:

USE master
CREATE DATABASE CM_MEM
ON
( NAME = CM_MEM_1, FILENAME = 'E:\MEMDB\CM_MEM_1.mdf', SIZE = 1405, MAXSIZE = Unlimited, FILEGROWTH = 464)
LOG ON ( NAME = MEM_log, FILENAME = 'G:\MEMLogs\CM_MEM.ldf', SIZE = 1855, MAXSIZE = 1855, FILEGROWTH = 512)
ALTER DATABASE CM_MEM
ADD FILE ( NAME = CM_MEM_2, FILENAME = 'E:\MEMDB\CM_MEM_2.mdf', SIZE = 1405, MAXSIZE = Unlimited, FILEGROWTH = 464)

Run the following SQL script in Management Studio:

use master
go
alter database tempdb modify file (name='tempdev', filename='F:\MEMTempDB\tempDB.MDF', SIZE = 1686, MAXSIZE = Unlimited, FILEGROWTH = 512)
go
alter database tempdb modify file (name='templog', filename='G:\MEMLogs\templog.LDF', SIZE = 843, MAXSIZE = Unlimited, FILEGROWTH = 512)
go

Make sure that it ran successfully

Open “SQL Server Configuration Manager” -> Protocols for MSSQLSERVER -> Right click “TCP/IP” -> change “Listen All” to “No”

Click on the “IP Addresses” tab -> Find the IP of your server -> Set “Enabled” to “Yes” -> Click “OK”

Click “OK”

Reboot the server

Install WSUS

Click “Add roles and features”

Click “Next >”

Click “Next >”

Click “Next >”

Mark “Windows Server Update Services” -> Click “Add Features”

Click “Next >”

Click “Next >”

Click “Next >”

Remove the check mark in “WID Connectivity” and add “SQL Server Connectivity” -> Click “Next >”

Type “D:\WSUS” and click “Next >”

Type “mem01” in the textbox -> click “Check connection” -> Click “Next >”

Click “Install”

Click “Close”

Click “Launch Post-Installation tasks”

Wait for the configuration to finish

Open SQL Server Management Studio

Go to “Databases” -> SUSDB -> Properties

Change Owner to SA -> Change the Autogrowth value to 512 MB -> click “OK” -> close SQL Server Management Studio

Reboot the server

MEM Installation

Open the installation DVD and run “splash.hta”

Click “Install”

Click “Next >”

Click “Next >”

Enter your serial number -> Click “Next >”

Accept the terms -> Click “Next >”

Add a path to save the pre-req files -> Click “Next >”

Click “Next >”

Click “Next >”

Type:
Site code: MEM
Site name: MEM – MEMLab
Install dir: “D:\Pro…” NOTICE THAT IT IS INSTALLED ON DRIVE D:

Click “Next >”

Choose “Install the primary…” -> Click “Next >”

Click “Yes”

Click “Next >”

Change the paths as above -> Click “Next >”

Click “Next >”

Click “Next >”

Click “Yes”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Next >”

You can ignore the warnings for now. Click “Begin Install”. Please note that the installation will take a while!

Reboot the server when the installation is done

Certificate creation

Logon to DC01

Open a CMD as administrator

Enter “certutil -ca.cert c:\RootCA_mem.cer” -> Hit “Enter”

The certificate has been saved successfully

Copy the certificate

Paste it into \\mem01\source$\cert

Open “Certification Authority”

Right click “Certificate Templates” -> Click “Manage”

MEM Web server certificate

Right click “Web Server” -> Click “Duplicate Template”

Make sure the settings are like the screenshot above.

Change the name to “MEM Web Server Certificate”

Click on the “Security” tab -> remove the “Enroll” check mark for “Domain Admins”

Remove the “Enroll” check mark for “Enterprise Admins”

Add “SEC-MEM_IIS_Servers” -> enable “Enroll” -> Click “OK”

Close the “Certificate Templates Console”

Right click “Certificate Templates” -> New -> “Certificate Template to Issue”

Select the new template that you have just created, “MEM Web Server Certificate” -> Click “OK”.

Client Certificate for Distribution Points

Right click “Certificate Templates” -> Click “Manage”

Right click “Workstation Authentication” -> Click “Duplicate Template”

Make sure the settings are like the screenshot above.

Click the General tab -> Give the certificate a name -> change the validity period to 3 years

In the Request Handling tab -> select “Allow private key to be exported”

Click the “Security” tab, and remove the “Enroll” permission from the Enterprise Admins security group

Add “SEC-MEM_IIS_Servers” -> select “Enroll” -> Click “OK”

Right click “Certificate Templates” -> New -> “Certificate Template to Issue”

Select “MEM Client Distribution Point Certificate” -> Click “OK”

Certificate for Workstation Authentication

Right click “Certificate Templates” -> Click “Manage”

Right click “Workstation Authentication” -> Click “Duplicate Template”

Make sure the settings are like the screenshot above.

Select the General tab -> enter a name for the certificate -> Validity period: 3 years

Select the Security tab -> select Domain Computers -> enable “Read” -> enable “Autoenroll”
Add “Domain Controllers” -> enable “Read” -> enable “Autoenroll” -> Click “OK”

Right click “Certificate Templates” -> New -> “Certificate Template to Issue”

Select “MEM Client Certificate” -> Click “OK”

Close the “certsrv” console

Configuring Auto enrollment of the Workstation

Open “Group policy management” on DC01

Navigate to your domain -> MEMcomputers -> right-click MEMcomputers -> select “Create a GPO in this domain, and Link it here…”

Give it a name -> Click “OK”

In the results pane, on the “Linked Group Policy Objects” tab, right-click the new Group Policy, and then click “Edit.”

In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings > Security Settings > Public Key Policies. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties

From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK. Close the GPMC.

Adding certificate to MEM01

Log on to MEM01

Type “mmc” in the start menu and an MMC will open.

Click “File” -> “Add/Remove Snap-in…”

Mark “Certificates” -> Click “Add >”

Mark “Computer account” -> Click “Next >”

Click “Finish”

Click “OK”

Go to Certificates -> Personal -> Certificates -> Right click -> All Tasks -> Request New Certificate…

Click “Next >”

Click “Next >”

Click “More information is required to enroll for this certificate. Click here to configure settings.”

Change “Alternative name” to “DNS” -> add “mem01.memlab.local” and “mem01”

Add “MEM Web Server Certificate” in the name box -> Click “OK”

Select “MEM Web Server Certificate” -> Click “Enroll”

Click “Finish”

Configuring IIS to Use the Web Server Certificate

Open Internet Information Services (IIS) Manager -> MEM01 -> Sites -> Default Web Site -> Right click -> Edit Bindings…

Select “https” -> Click “Edit…”

Click “Select…”

Select your cert -> Click “OK”

Click “OK”

Click “Close”
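The enrollment and IIS binding above as a script (an added example, not code from the original guide), with checks that the issued certificate carries the Server Authentication EKU and both subject alternative names before it is bound. It assumes the template’s internal name is MEMWebServerCertificate (the display name above has spaces; check the template’s “Template name” in the Certificate Templates console) and that MEM01 is in SEC-MEM_IIS_Servers.

```powershell
# Added example, not from the original guide. Run as administrator on MEM01.
# Assumption: the template name (not display name) is MEMWebServerCertificate.
Import-Module PKI
Import-Module WebAdministration

$templateName = 'MEMWebServerCertificate'
$dnsNames     = 'mem01.memlab.local', 'mem01'

# Request and auto-install the certificate into the machine store
$result = Get-Certificate -Template $templateName -DnsName $dnsNames `
    -SubjectName 'CN=mem01.memlab.local' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }
$cert = $result.Certificate

# Sanity checks before binding: Server Authentication EKU and every SAN we asked for
if ($cert.EnhancedKeyUsageList.FriendlyName -notcontains 'Server Authentication') {
    throw 'Certificate lacks the Server Authentication EKU; wrong template?'
}
foreach ($n in $dnsNames) {
    if ($cert.DnsNameList.Unicode -notcontains $n) { throw "Certificate is missing SAN $n" }
}

# HTTPS binding on the Default Web Site, then assign the certificate to port 443
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
$cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Verify the binding now uses the thumbprint we just enrolled
$bound = Get-Item 'IIS:\SslBindings\0.0.0.0!443'
if ($bound.Thumbprint -ne $cert.Thumbprint) { throw 'Port 443 is bound to a different certificate' }
"Bound $($cert.Subject) ($($cert.Thumbprint)) to 0.0.0.0:443, expires $($cert.NotAfter)"
```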

Deploying the Client Certificate for Distribution Points

Log on to MEM01

Type “mmc” in the start menu and an MMC will open.

Click “File” -> “Add/Remove Snap-in…”

Mark “Certificates” -> Click “Add >”

Mark “Computer account” -> Click “Next >”

Click “Finish”

Click “OK”

Go to Certificates -> Personal -> Certificates -> Right click -> All Tasks -> Request New Certificate…

Click “Next >”

Click “Next >”

Select “MEM DPoint Certificate” -> Click “Enroll”

Click “Finish”

Exporting the Client Certificate for Distribution Points

Right click “MEM DP Certificate” -> All Tasks -> Export…

Click “Next >”

Select “Yes, export the private key” -> Click “Next >”

Unselect “Enable certificate privacy” -> Click “Next >”

Enter a password -> Click “Next >”

Choose where to save the cert -> Click “Next >”

Click “Finish”

Click “OK”

Deploying the Client Certificate for Distribution Points

Open the MEM console -> Administration -> Site Configuration -> Servers and Site System Roles -> Right click “Distribution Point” -> Click “Properties”

Click on the “Communication” tab -> Import certificate -> browse to your cert and enter the password -> Click “OK”

Go to Administration -> Site Configuration -> Sites -> right click “MEM – MEM – MEMLab” -> Properties

Click the “Communication Security” tab -> Click “Set”

Click the “Yellow star”

Browse to “\\mem01\source$\cert” -> choose “RootCA_mem.cer” -> Click “Open”

Click “OK”

Click “OK”

Reboot DC01 and MEM01

Certificate and Verifying Its Installation on Computers

Log on to MEM01

Type “mmc” in the start menu and an MMC will open.

Click “File” -> “Add/Remove Snap-in…”

Mark “Certificates” -> Click “Add >”

Mark “Computer account” -> Click “Next >”

Click “Finish”

Click “OK”

In the results pane, confirm that a certificate is displayed that has Client Authentication in the Intended Purpose column and SCCM Client Certificate in the Certificate Template column. Close the console.

Log on to MEM01

Open the MEM console

Add the “SEC-MEMAdmins” group under Administration -> Security -> Administrative Users.

Go to Administration -> Site Configuration -> Sites -> Configure Site Components -> Software Distribution

Click the “Network Access Account” tab -> mark “Specify the account…” -> “Yellow star” -> New Account

Add the user “SVC-MEM_NAA” and enter the password for the account -> Click “OK”

Click “OK”

Go to Administration -> Site Configuration -> Sites -> Client Installation Settings -> Client Push Installation

Select “Enable automatic…” -> select “Configuration Manager…”

Click the “Accounts” tab -> “Yellow star” -> New Account

Add the user “SVC-MEM_CP” and enter the password for the account -> Click “OK”

Click “OK”

Open “Report Server Configuration Manager” from the start menu on MEM01

Click “Connect”

Click “Database” -> Change Database

Click “Next”

Click “Test Connection”

Click “OK”

Click “Next”

Click “Next”

Click “Next”

Click “Next”

Click “Finish”

Click “Web Service URL” -> Apply

Click “Web Portal URL” -> Apply

Click “Encryption Keys” -> Backup

Choose a place to save it and enter a password. Click “OK”

Click “Exit”

ADD REPORTING SERVICES POINT ROLE IN SCCM

Open the SCCM console.

Navigate to Administration / Site Configuration / Servers and Site System Roles -> Right-click on your Site Server and click “Add Site System Roles”

Click “Next >”

Click “Next >”

On the Site System Role page, select Reporting Services Point -> Click “Next >”

Click “Verify”

Click “OK”

Click “Set” -> New Account. (This account needs to have access to the SCCM DB)

Add username and password -> Click “OK”

Click “Next >”

Click “Next >”

Click “Close”

SOFTWARE UPDATE POINT INSTALLATION

Install SOFTWARE UPDATE POINT

Open the MEM console

Navigate to Administration / Site Configuration / Servers and Site System Roles -> Right-click on your Site Server and click “Add Site System Roles”

Click “Next >”

Click “Next >”

Select “Software update point” -> Click “Next >”

Select “Require SSL…” and “Allow Configuration M…” and “Allow Internet and …” -> Click “Next >”

Click “Next >”

Click “Next >”

Check the “Enable synchronization on a schedule” checkbox and select your desired schedule. One day is usually enough, but it can be lowered if you’re synchronizing Endpoint Protection definition files. Click “Next >”

On the Supersedence Rules tab, select “Immediately expire a superseded software update” and “Immediately expire a superseded feature update” -> Click “Next >”

Select “Decline expired updates…” and “Add non-clustered…” and “Remove obsolete…” -> Click “Next >”

Click “Next >”

Click “Next >”

Click “OK”

Select “All Classifications” -> Click “Next >”

Select the products that you want to patch -> Click “Next >”

Click “Next >”

Click “Next >”

Click “Close”

Reboot MEM

After the first sync you have to go into the classifications and products again, because new configuration options are created after the first sync.

Configure WSUS in SSL

Log on to MEM01

CONFIGURE WSUS ADMINISTRATION WEBSITE TO USE SSL

Open “Internet Information Services (IIS) Manager”

Right click “WSUS Administration” -> Edit Bindings…

Mark “https” -> Click “Edit…”

Click “Select…”

Select “MEM Web Server Certificate” -> Click “OK”

Click “OK”

Click “Close”

Select ApiRemoting30 -> select SSL Settings

Check the box “Require SSL” and hit “Apply” on the right side of the console.

Repeat this step for the following components:
ClientWebService
DssAuthWebService
ServerSyncWebService
SimpleAuthWebService

Open a command prompt as admin, browse to C:\Program Files\Update Services\Tools -> run: WSUSUTIL configuressl mem01.memlab.local
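The WSUS SSL steps above as a script (an added example, not code from the original guide): bind the web server certificate to the WSUS Administration site, set Require SSL on exactly the five virtual directories listed, run wsusutil, and verify. It assumes the certificate is already in the machine store, that the WSUS Administration site uses port 8531 for HTTPS, and that the WebAdministration module is present (it ships with IIS).

```powershell
# Added example, not from the original guide. Run as administrator on MEM01.
# Assumptions: cert already enrolled into LocalMachine\My; WSUS Administration site uses 8531 for HTTPS.
Import-Module WebAdministration

$site = 'WSUS Administration'
$fqdn = 'mem01.memlab.local'

# Pick the newest server-authentication certificate issued for this host
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $fqdn -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-auth certificate for $fqdn in LocalMachine\My" }

# HTTPS binding on 8531 and the certificate assigned to it
if (-not (Get-WebBinding -Name $site -Protocol https -Port 8531)) {
    New-WebBinding -Name $site -Protocol https -Port 8531 -IPAddress '*'
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!8531') { Remove-Item 'IIS:\SslBindings\0.0.0.0!8531' }
$cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!8531' | Out-Null

# Require SSL only on these vdirs; the rest of the site (content, Inventory, ...) stays HTTP
$vdirs = 'ApiRemoting30','ClientWebService','DssAuthWebService','ServerSyncWebService','SimpleAuthWebService'
foreach ($v in $vdirs) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Location $v `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Tell WSUS its own URL is now HTTPS (same as the WSUSUTIL step above)
& 'C:\Program Files\Update Services\Tools\WsusUtil.exe' configuressl $fqdn

# Verify: every listed vdir must report sslFlags = Ssl
foreach ($v in $vdirs) {
    $flags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Location $v `
              -Filter 'system.webServer/security/access' -Name sslFlags).Value
    if ($flags -notmatch 'Ssl') { throw "$v does not require SSL (sslFlags=$flags)" }
    '{0,-22} sslFlags={1}' -f $v, $flags
}
```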

Configure Distribution Point on primary site

Open the SCCM console
Navigate to Administration -> Site Configuration -> Servers and Site System Roles -> Right-click your Site System -> mark “Distribution Point” and right click it -> Properties

Select “Enable and conf…” + “Adjust the download…”

Select “Enable PXE support for clients” -> Click “Yes”

Select “Enable unknown computer support” -> Click “OK”

Select “Enable a PXE responder…” -> Click “Yes”

Click “OK”

If you want to set up a DP on another server, you have to prepare the server before installing the DP:

Firewall DP:
Site Server -> Distribution Point
  SMB 445 TCP
  RPC Endpoint Mapper 135 UDP and TCP
  RPC dynamic TCP
Site Server <-> Site Server
  SMB 445 TCP
  Point to Point Tunneling Protocol (PPTP) 1723 TCP

Printer and File Sharing needs to be enabled in the firewall

Open PowerShell ISE as administrator on the DP server and run the following.

Run “Set-ExecutionPolicy Unrestricted -Force” before you run the rest of the script.

#Set-ExecutionPolicy Unrestricted -Force
#Add SEC-SCCMServers to local admin group
([adsi]"WinNT://./Administrators,group").Add("WinNT://DOMAIN/GROUP,group")
#Install server roles for SCCM 2012 R2 distribution point
Import-Module Servermanager
Add-WindowsFeature Web-Server,Web-ISAPI-Ext,Web-Windows-Auth,Web-Metabase,Web-WMI,RDC
#PowerShell 3.0 (Server 2012)
New-NetFirewallRule -DisplayName "SCCM 2012 R2 TCP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80,443,10123
New-NetFirewallRule -DisplayName "SCCM 2012 R2 UDP" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 67,68,69,4011
#Install AD PowerShell integration
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
#Find hostname
$SCCM2012DP = hostname
#Add computer account to SEC-SCCMServers
Get-ADComputer $SCCM2012DP | Add-ADPrincipalGroupMembership -MemberOf SEC-SCCMServers
#Create NO_SMS_ON_DRIVE.SMS on the C drive
New-Item C:\NO_SMS_ON_DRIVE.SMS -type file
Restart-Computer

Navigate to Administration / Site Configuration / Servers and Site System Roles -> Right-click on your Site Server and click “Add Site System Roles”

Click “Next >”

Click “Next >”

Select the DP role and follow the rest of the wizard. Remember that it should run HTTPS.

You can follow the installation in this log file on the DP server: D:\SMS_DP$\sms\logs\smsdpprov.log

Navigate to Administration -> Distribution Point Groups -> click Create Group

Give it a name -> Click “Add”

Select the DP -> Click “OK”

Click “OK”

In this lab I won’t install an additional DP.

Endpoint Protection Point

Open the MEM console

Navigate to Administration / Site Configuration / Servers and Site System Roles -> Right-click on your Site Server and click “Add Site System Roles”

Click “Next >”

Click “Next >”

Click “OK”

Click “Next >”

Click “Next >”

Click “Next >”

Click “Close”

FALLBACK STATUS POINT

Open the MEM console

Navigate to Administration / Site Configuration / Servers and Site System Roles -> Right-click on your Site Server and click “Add Site System Roles”

Click “Next >”

Click “Next >”

Mark “Fallback status point” -> Click “Next >”

Click “Next >”

Click “Next >”

Click “Close”

Navigate to Administration / Site Configuration / Sites -> Click the Client Installation Settings icon on the ribbon -> Select Client Push Installation -> Installation Properties tab

Enter “mem01.memlab.local” in the FSP properties -> Click “OK”

RECOVERY MODEL

Using the simple recovery model improves performance and saves space on the server’s disk by avoiding a possibly large transaction log file.

Open SQL Server Management Studio

Right-click on the ReportServer database and select Properties

Go to the Options page -> Under Recovery model select Simple -> Click OK

Boundaries

Open the admin console -> Administration -> Hierarchy Configuration -> Boundary Groups -> Click “Create Boundary Group”

Give it a name -> Click the “References” tab

Select “Use this boundary…” -> Click “Add”

Mark the MEM01 server -> Click “OK”

Click “OK”

Click “Boundaries”

Click “Create Boundary”

Enter “New York” in description -> choose “IP address range” -> Enter the IP address range -> Click “Boundary Groups”

Click “Add”

Select “New York” -> Click “OK”

Click “OK”

Discovery

Go to Administration / Hierarchy Configuration / Discovery Methods

Right-click Active Directory Group Discovery and select Properties

Select “Enable Active…” -> Click “Add” -> Location

Click “Browse”

Mark “MEMgroups” -> Click “OK”

Give it a name -> Click “OK”

Click “OK”

Click “Yes”

Right-click Active Directory System Discovery and select Properties

Select “Enable Active Di…” -> Click the “Yellow star”

Click “Browse”

Select “MEMcomputers” -> Click “OK”

Click “OK”

Click “OK”

Click “Yes”

Right-click Active Directory User Discovery and select Properties

Select “Enable Active Dir…” -> Click the “Yellow star”

Click “Browse”

Mark “MEMusers” -> Click “OK”

Click “OK”

Click “OK”

Click “Yes”

Site Maintenance

Create a folder D:\MEMBackup and share it as “MEMBackup$”. Add SEC-MEMServers with Modify rights.

Navigate to -> Administration -> Site Configuration -> Sites -> mark “MEM – MEM – MEMLAB” -> Click “Site Maintenance”

Select “Enable this task” -> Click “Set Paths”

Select “Network path…” and add “\\mem01\membackup$” as the backup destination -> Click “OK”

Click “OK”

Click “Enable this task” -> Click “OK”

Click “Enable this task” -> type “30” in “Delete data that has been inactive for (days)” -> Click “OK”

Click “Enable this task” -> type “1” in “Delete data that has been inactive for (days)” -> Click “OK”

Type “14” in “Delete data that has been inactive for (days)” -> Click “OK”

Click “OK”

Client Settings

Go to Administration / Client Settings -> Right click “Default Client Settings” -> Properties

Client Cache Settings:

Client Policy:

Compliance settings:

Hardware inventory:

Software inventory:


By Claus