Part II – Installation
Installing Configuration Manager 2012 R2
In Part I – Infrastructure I walked through my infrastructure needs for my ConfigMgr deployment at a high level. We created the Active Directory security groups, service accounts, and users that we will need. We installed WSUS and SQL on our primary site server. We also downloaded all the software we will need to complete the installation of ConfigMgr in Part II.
So I am now ready to start the Configuration Manager installation process for Turner & Sons Time Travel. (For those that didn’t read Part I, this is the fictional company I am deploying Configuration Manager 2012 R2 to.) First, I have to take care of a few prerequisites before I can actually install ConfigMgr. Here is a high-level list of the items I will be installing and configuring before I can hit the magic start button on the ConfigMgr installer.
- Extend Active Directory
- Create System Management Container and Assign Permissions
- Install needed Server Roles and Features on Site Server
- Install WSUS Management features
- Install Windows ADK 8.1
Extending Active Directory
Since this is a new installation of Configuration Manager and Turner & Sons never had ConfigMgr 2007 deployed, I will extend the Active Directory schema. If they had previously installed ConfigMgr 2007 or even 2012 RTM and had already extended the schema, I wouldn’t need to do this in a production environment, because ConfigMgr 2012 R2 needs no further schema changes. I highly recommend that you do extend your schema. There should be no reason not to. Since this is a newly deployed environment, I will be extending the AD schema.
Make sure the account that runs this command has the proper permissions to extend the schema. I will be running the following command from my Management server with a domain admin account that has the proper permissions.
- I have the ConfigMgr installation media handy. Since I am using Windows Server 2012 R2 and I have the ISO, I will mount the ISO as the next available drive. In my case H is the next available drive.
- Open a PowerShell or CMD prompt with admin privileges. Change the directory to H:\SMSSetup\BIN\x64\
- Execute .\Extadsch.exe
- Verify in extadsch.log on c:\ that the run was successful. This log will also tell us what has been changed. A good thing to pass off to those AD and Network Admins that may freak out over extending AD in the production network. (wink wink)
I have seen this fail the first time. Run it again and verify with the logs, normally it will work. (This isn’t the technical fix for this)
<03-20-2014 21:15:37> Modifying Active Directory Schema – with SMS extensions.
<03-20-2014 21:15:37> DSRoot:CN=Schema,CN=Configuration,DC=tstt,DC=cloud
<03-20-2014 21:15:37> Defined attribute cn=MS-SMS-Site-Code.
<03-20-2014 21:15:37> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<03-20-2014 21:15:37> Defined attribute cn=MS-SMS-Site-Boundaries.
<03-20-2014 21:15:37> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<03-20-2014 21:15:37> Defined attribute cn=MS-SMS-Default-MP.
<03-20-2014 21:15:37> Defined attribute cn=mS-SMS-Device-Management-Point.
<03-20-2014 21:15:37> Defined attribute cn=MS-SMS-MP-Name.
<03-20-2014 21:15:38> Defined attribute cn=MS-SMS-MP-Address.
<03-20-2014 21:15:38> Defined attribute cn=mS-SMS-Health-State.
<03-20-2014 21:15:38> Defined attribute cn=mS-SMS-Source-Forest.
<03-20-2014 21:15:38> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<03-20-2014 21:15:38> Defined attribute cn=MS-SMS-Ranged-IP-High.
<03-20-2014 21:15:38> Defined attribute cn=mS-SMS-Version.
<03-20-2014 21:15:38> Defined attribute cn=mS-SMS-Capabilities.
<03-20-2014 21:15:38> Defined class cn=MS-SMS-Management-Point.
<03-20-2014 21:15:38> Defined class cn=MS-SMS-Server-Locator-Point.
<03-20-2014 21:15:39> Defined class cn=MS-SMS-Site.
<03-20-2014 21:15:39> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<03-20-2014 21:15:39> Successfully extended the Active Directory schema.
<03-20-2014 21:15:39> Please refer to the ConfigMgr documentation for instructions on the manual
<03-20-2014 21:15:39> configuration of access rights in active directory which may still
<03-20-2014 21:15:39> need to be performed. (Although the AD schema has now be extended,
<03-20-2014 21:15:39> AD must be configured to allow each ConfigMgr Site security rights to
<03-20-2014 21:15:39> publish in each of their domains.)
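To check the result against the directory itself rather than the log alone, the added example below (not part of the original post) reads the "Defined" lines in the format shown above and confirms that each object exists in the schema partition. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; Test-SmsSchemaExtension is a hypothetical helper name.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT).
# Test-SmsSchemaExtension is a hypothetical helper name.
Import-Module ActiveDirectory

function Test-SmsSchemaExtension {
    param(
        [string]$LogPath = 'C:\extadsch.log'   # location used in this walkthrough
    )

    $log = @(Get-Content -Path $LogPath -ErrorAction Stop)

    # 1. Did extadsch.exe itself report success?
    $reportedSuccess = @($log -match 'Successfully extended the Active Directory schema').Count -gt 0

    # 2. Collect every attribute/class the log says was defined.
    #    De-duplicate by name in case the file holds more than one run.
    $logged = foreach ($line in $log) {
        if ($line -match 'Defined (?<kind>attribute|class) cn=(?<cn>[\w-]+)\.') {
            [pscustomobject]@{ Kind = $Matches['kind']; CN = $Matches['cn'] }
        }
    }
    $logged = @($logged | Sort-Object -Property CN -Unique)

    # 3. Ask the schema partition which SMS objects actually exist.
    #    LDAP matching on cn is case-insensitive, so this also finds mS-SMS-*.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $present  = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=MS-SMS-*)' |
                  Select-Object -ExpandProperty Name)

    # 4. One row per logged object, flagged if the directory does not have it.
    $rows = foreach ($item in $logged) {
        [pscustomobject]@{
            Kind     = $item.Kind
            CN       = $item.CN
            InSchema = $present -contains $item.CN
        }
    }

    [pscustomobject]@{
        LogReportedSuccess = $reportedSuccess
        LoggedObjects      = $logged.Count
        MissingFromSchema  = @($rows | Where-Object { -not $_.InSchema } | ForEach-Object CN)
        Detail             = $rows
    }
}

$result = Test-SmsSchemaExtension
$result | Format-List LogReportedSuccess, LoggedObjects, MissingFromSchema
$result.Detail | Format-Table -AutoSize
```

For the run logged above, LoggedObjects should be 18 (14 attributes and 4 classes) and MissingFromSchema should be empty once the change has replicated to the domain controller you are querying.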
Create the System Management Container and Assign Permissions
Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services.
You can grant the site server’s computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container.
To manually create the System Management container
- Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
- Run ADSI Edit, and connect to the domain in which the site server resides.
- Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object.
- In the Create Object dialog box, select Container, and then click Next.
- In the Value box, type System Management, and then click Next.
- Click Finish to complete the procedure.
2. Set Security Permissions on the System Management Container
After you have created the System Management container in Active Directory Domain Services, you must grant the site server’s computer account the permissions that are required to publish site information to the container.
The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.
To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool
- Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.
- Click View, and then click Advanced Features.
- Expand the System container, right-click System Management, and then click Properties.
- In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
- Click Advanced, select the site server’s computer account, and then click Edit.
- In the Apply to list, select this object and all descendant objects.
- Click OK and then close the Active Directory Users and Computers administrative tool to complete the procedure.
To apply permissions to the System Management container by using the ADSI Edit console
- Click Start, click Run, and enter adsiedit.msc to open the ADSIEdit console.
- If necessary, connect to the site server’s domain.
- In the console pane, expand the site server’s domain, expand DC=<server distinguished name>, and then expand CN=System. Right-click CN=System Management, and then click Properties.
- In the CN=System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
- Click Advanced, select the site server’s computer account, and then click Edit.
- In the Apply onto list, select this object and all descendant objects.
- Click OK to close the ADSIEdit console and complete the procedure.
NOTE: You can create a Security Group and include all your Site Servers within that security group and assign the group to the above mentioned security settings.
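The same result as the GUI procedures above, scripted and followed by a review of who holds Full Control on the container; this is an added example, not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT), an account with the rights described above, and a hypothetical site server name CM01 (for a security group, as in the note, look up the group's SID instead).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT)
# and rights to create objects under CN=System. 'CM01' is a hypothetical name.
Import-Module ActiveDirectory

$SiteServerName = 'CM01'

$systemDN    = "CN=System,$((Get-ADDomain).DistinguishedName)"
$containerDN = "CN=System Management,$systemDN"
$adPath      = "AD:\$containerDN"

# Create the container only if it is not already there.
$existing = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
                         -LDAPFilter '(&(objectClass=container)(cn=System Management))'
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type 'container' -Path $systemDN
}

# Full Control (GenericAll), applied to "This object and all descendant objects" (All).
$trustee = (Get-ADComputer -Identity $SiteServerName).SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$type    = [System.Security.AccessControl.AccessControlType]::Allow
$scope   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule    = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                      -ArgumentList $trustee, $rights, $type, $scope

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Review: every explicit Allow entry carrying Full Control on the container,
# so you can confirm only the expected site server accounts or group appear.
$fullControl = [int]$rights
(Get-Acl -Path $adPath).Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

The site server's row should show InheritanceType All, which is what the "this object and all descendant objects" selection in the GUI sets.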
Install needed roles on Site Server
I will now install the Server roles and features needed on my Site Server. These roles and features can be easily installed using a PowerShell script that I will provide below. There is one thing to mention about the .NET Framework if we had chosen to install it outside of the required roles and features. If .NET Framework had been installed before IIS, then we would need to register ASP.NET with IIS afterwards in order to continue on with the ConfigMgr install.
From this point on I will always log on to my primary site server as my ConfigMgr Admin account that has the proper rights and permissions. I also add this account to the Domain Admins group but this isn’t necessary as long as this account is a local admin.
On the primary site server I will install the following roles and features using PowerShell. Later I will list the roles and features that are needed, in case they have to be installed manually through Server Manager.
Installing Roles and Features
1. Open a PowerShell prompt as Administrator
Roles and Features for ConfigMgr
Here is a list of roles and features needed to be installed for those that still want to do it the GUI way. Nothing wrong with it, but like I mentioned earlier, PowerShell can be your friend! I recommend buying a book from Don Jones called “Learn PowerShell 3 in a Month of Lunches”. I was lucky enough to take a course here in Phoenix at InterfaceTT taught by the legend himself. It was a very advanced course but I did get a lot out of it. If you have time I suggest looking up videos and articles on a site he helps admin called www.powershell.org. A very useful site for the beginner all the way to someone who can write scripts in their sleep.
I am only going to list the roles and features that we need right now. The link I have provided will give you additional information on additional roles and features that are needed for other ConfigMgr Site System Roles.
Here is a link to the TechNet article where I get most of my information from for the following information.
|Site system role||Windows Server Roles and Features|
|Site server with all site system roles installed||Features and Roles:
Please remember these are just the default server roles and features that we need to install in order to get a basic installation of ConfigMgr installed and running with the following site server roles: Site Server, Database Server, SMS Provider, Application Catalog Web Service Point, Application Catalog Website Point, Asset Intelligence Synchronization Point, Distribution Point, End Point Protection Point, Management Point, Reporting Services Point, Software Update Point, and the State Migration Point. There are other Site Server roles that may require other Windows Server Roles and Features to be installed or added to. Please check the link mentioned earlier for that information.
Endpoint Protection Side Note
On a side note. I want to rant about Endpoint protection that is a free solution included in ConfigMgr. This is a great product that I highly recommend clients to move over to once their existing contracts have expired. No, it doesn’t have a lot of the bells and whistles some of the other products may have. However, it does its job and does it well. I recommend you look into this product and compare your current cost. I think I might do a blog here soon just on Endpoint protection and the reasons why you should change.
NO_SMS_ON_DRIVE.SMS
What is this? This, my friend, is a very important step when deploying ConfigMgr that dates from the good old SMS days and is still a very valuable step even in the 2012 R2 days. When we deploy a Distribution point and when we install our first Site Server the installation will default to the largest drive you have available. In other words, it may deploy to drives where you may not want packages and various other ConfigMgr items stored. In order to control this you need to create a simple file called no_sms_on_drive.sms and place it on any drive on your site servers and distribution points where you don’t want data stored.
For the client that I am deploying ConfigMgr to, I am going to put this file on all site server C drives to start with. On the primary site server I will place this file on all drives except for the drive I created for my ConfigMgr installation and Source files. This is where the Content Library will be installed.
Note: This file must be on the drives before any site server role is installed.
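One way to place the marker consistently on every fixed drive except the one reserved for ConfigMgr, and to see the outcome per drive before any role is installed; this is an added example, not part of the original post. The D: drive and the helper name Set-NoSmsOnDrive are assumptions, and the script needs an elevated prompt to write to the root of each drive.

```powershell
# Added example, not from the original post. $KeepDrive is an assumption: the one
# volume reserved for the ConfigMgr install, source files and content library.
# Set-NoSmsOnDrive is a hypothetical helper name.
function Set-NoSmsOnDrive {
    param(
        [string[]]$KeepDrive = @('D:'),
        [string]$MarkerName  = 'no_sms_on_drive.sms'
    )

    # DriveType 3 = local fixed disk; skips CD/DVD, removable and mapped drives.
    $volumes = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'

    foreach ($vol in $volumes) {
        $marker   = Join-Path -Path "$($vol.DeviceID)\" -ChildPath $MarkerName
        $excluded = $KeepDrive -notcontains $vol.DeviceID

        # Create the empty marker file only where it is wanted and missing.
        if ($excluded -and -not (Test-Path -LiteralPath $marker)) {
            New-Item -Path $marker -ItemType File | Out-Null
        }

        # Report every drive, including a kept drive that already carries a marker
        # (left in place here; remove it by hand if ConfigMgr should use that drive).
        [pscustomobject]@{
            Drive         = $vol.DeviceID
            FreeGB        = [math]::Round($vol.FreeSpace / 1GB, 1)
            MarkerInPlace = Test-Path -LiteralPath $marker
            Intended      = if ($excluded) { 'excluded from ConfigMgr' } else { 'available to ConfigMgr' }
        }
    }
}

Set-NoSmsOnDrive -KeepDrive 'D:' | Format-Table -AutoSize
```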
Install Windows ADK 8.1
Windows ADK 8.1, which stands for Windows Assessment and Deployment Kit, has many tools that an administrator can use to help deploy images, run application compatibility tests on old applications, etc. The only three tools we will be installing are the Deployment Tools, User State Migration Tool (USMT) and the Windows Preinstallation Environment (Windows PE).
On the primary site server I will run adksetup.exe. I have already downloaded it and placed it in my Install Files directory.
- Install Windows Assessment and Deployment Kit (Windows ADK) 8.1 on Primary Site Server.
- When prompted during the setup process, select the following components to install
- Install to D:\Program Files (x86)\Windows Kits\8.1\ or install to the directory of your choice.
- Click no on CEIP question. (Unless you want to select Yes)
- Select the following features to install:
- User State Migration Tools ( USMT )
- Deployment Tools
- Windows Preinstall Environment (Windows PE)
- Click Install
At this point I am now ready to install Configuration Manager 2012 R2! At this point my infrastructure is in place and all the prerequisites have been installed. We are ready to finally install the product that will one day save the IT Staff at Turner & Sons Time Travel valuable time and help them work smarter.
Installing ConfigMgr 2012 R2
So, I am finally ready to install Configuration Manager. From my installation media which I will have mounted from the ISO located in the Install Files directory I will run the splash.htm file to start the ConfigMgr installer.
At this time I will run the Prerequisite Checker to verify all my settings have been set correctly. I will navigate to my ConfigMgr Installation files. This will run some checks that may fail due to the fact that not all site server roles will be configured on this server. Also beware that the same installation prerequisite check will run during the installation as well.
- Open a PowerShell prompt with Admin rights.
- Navigate to ConfigMgrSourceFiles\SMSSETUP\BIN\X64\
- Run .\prereqchk.exe /local
- If any errors came up that can be fixed please do so before continuing. However, be aware that some of these errors are due to the fact that you are not running all site server roles on this server.
Running the Installation
Now, I can finally click Install. I am ready to deploy ConfigMgr and with all the work I have already completed the process should be a piece of cake and trouble free.
1. Click Install on the Configuration Manager Installation Splash Screen
2. The first window "Before You Begin" is just information. I will click “Next” to continue.
The next window "Getting Started" gives us the available setup options. For larger organizations that have a more complex hierarchy this is where we would install a CAS or better known as a Central Administration Site. For a lab or for most standard ConfigMgr deployments a CAS is not necessary. With ConfigMgr SP1 Microsoft included the ability to add a CAS later which was a very useful change. With my deployment, I will only be installing a Primary site with no CAS and no secondary sites as well.
3. Leave the default bullet selected which should be Install a Configuration Manager primary site and do not check Use typical installation options for a stand-alone primary site. You can click “Next.”
4. This next window "Product Key" is important if we will be using this deployment in production at some point. Since this is my lab I am setting up I will select the bullet next to "Install the evaluation edition of this product." If at any time we wanted to make this a production environment you can change the product key using a PowerShell script.
5. Click Next.
6. I will accept the license terms on the "Microsoft Software License Terms" window and then click “Next”.
7. I will also accept the license terms for SQL Server 2012 Express, SQL Server 2012 Native Client, and Microsoft Silverlight 5 on the "Prerequisite Licenses" window. Click Next.
8. On the "Prerequisite Downloads" window I have given the path to my Install Files directory. I have created a directory called ConfigMgr Download Updates. This can be named anything you want. Just make sure it is named in a way anyone installing ConfigMgr can tell what is in the folder. Click Next.
This process will take some time and can actually be done before we start the install. As of the time of my blog there are about 56 files that this process will download. These are various files that ConfigMgr will use for the install process that have been updated since the media was released. It will also download files that it will need for installing secondary sites and other site server roles.
9. The next window "Server Language Selection" I will leave the default English selected and hit “Next”.
10. I will leave the default English selection on the "Client Language Selection" window and hit “Next”.
The next window "Site and Installation Settings" is very very very very important part of our ConfigMgr planning that most likely should have already been discussed among your internal IT department. These settings cannot be changed without removing ConfigMgr site completely. The first box you will see is called the Site Code.
I will use PHX for my site code. We are doing this just in case the client grows and for some unforeseen event will need to add additional primary sites. Our company is located fictionally in Glendale, Arizona and we have decided to use airport codes of the closest major airport. Since this is a production system we need to put some thought behind our site code naming, especially if we will have a larger hierarchy with multiple primary sites, secondary sites, and a CAS. There are many site code naming conventions that can be used. Some people may use the three-letter airport code for that area, like PHX, or something that better identifies it as a Primary Site, such as P01 for Primary Site 01. If you do happen to have a large organization that is spread out across the globe I would consider sitting down and planning out your site code strategy. I myself would recommend airport codes if possible.
The Site Name is important as it will help describe what that site is. Since I have used an airport code for my site code I could have a site name such as Phoenix Corporate Offices – PHX. I could also have chosen Turner & Sons Corporate Offices, which is what I will do.
I also will change the Installation folder to D:\Program Files\Microsoft Configuration Manager\
Also, some people will not install the Configuration Manager console on their primary site servers. I see no issue with installing the console on this server as well as on the Management Server that I have created, since this is a smaller company and performance of the box isn’t going to be hit very hard.
11. Type in our Site Code and our Site Name and Change the Installation Folder
12. Install the Configuration Manager console.
13. On the "Primary Site Installation" Window select the bullet for Install the primary site as a standalone site. We will click “Next”.
14. Click “Yes” to the warning message that you have decided to install a stand-alone primary site.
15. On the "Database Information" window we will type in our SQL server which is our ConfigMgr server.
16. We will leave everything else default and click Next.
You may get one of a few errors at this point. Since we are logged on as the ConfigMgr Admin account (or you should be at this point, like I mentioned earlier), the following errors may appear if we haven’t done two things. 1. Did we add the ConfigMgr Admin account to the local Administrators group on our SQL Server? Permissions are always fun, are they not?
17. The "SMS Provider Settings" window is where we will designate our SMS Provider location. There are some arguments about where the SMS provider should be installed if you don’t have SQL installed on the same site server. If you are using a single site server with SQL installed on the same server then by default you will install the SMS Provider on that server. I suggest just leaving the SMS provider installed on your Site Server.
18. Fill in your site server’s FQDN and click “Next”.
Now the next window "Client Computer Communication Settings" will also be a good discussion and planning section for system admins, desktop engineers, the security team, and members from the dreaded network team. (Remember, a happy network team is a happy life for us!) By default the bullet "All site system roles accept only HTTPS communication from clients" is selected. In my previous deployments for clients, how we set up the communication settings between clients has varied. If it was up to me, each time I would check with the client to make sure they have a healthy and working PKI infrastructure in place and only have the clients communicate using HTTPS. The good thing is that if you have to choose HTTP over HTTPS this can be easily changed on your Management Points later. So, for most cases selecting the bullet "Configure the communication method on each site system role" would be the best option along with a check mark in the "Clients will use HTTPS when they have a valid PKI certificate" box. Turner & Sons Time Travel doesn’t currently have a PKI infrastructure set up. Just a quick note, there are many good reasons why you should have a PKI infrastructure or be planning to implement one in your environment soon. I can name a few, but Direct Access is one of these that can make managing devices that don’t always connect to your physical network a lot easier. However, that is another blog down the road maybe?
19. For this deployment I will select the bullet "Configure the communication method on each site system role" and we will also check the box "Clients will use HTTPS when…." Just in case by the time I get finished writing this blog I have the time to implement PKI. Click Next.
20. Leave the defaults for the "Site System Roles" window. Make sure there are check marks in both "Install a management point" and "Install a distribution point". Also change the client connection to HTTP on both, since again we will not be using PKI in this environment. In my personal home lab/production environment I do have a PKI infrastructure so if you have questions about configuring ConfigMgr to communicate on HTTPS reach out to me. Click Next.
21. Ah, the "Customer Experience Improvement Program" window. I will opt in for this program since this is a fictional company anyway. Click “Next” when you have made your selection.
22. Now we have made it to the "Settings Summary" window. Here I will go over all the settings we have selected to verify everything looks good. Once we have done this click “Next”.
The "Prerequisite Check" window will be next. If I have preinstalled everything correctly I shouldn’t see anything pop up in this window. I will be honest here and say that in my experience, no matter how much we prepare, we will see something come up as an issue or just a warning. For instance, sometimes it will say that permissions need to be applied on the System Management container even though we have correctly added our ConfigMgr Server group. To fix this, manually add the site server the same way. For a small organization it is OK and not a big pain to do this. However, if you’re in a larger production environment with multiple Management Points and multiple site servers, you will have to keep adding them to the permissions on the System Management container each time you add one. Also, I have seen that permissions to install a site server can be fixed by once again adding the site server computer account directly to the site server’s local Administrators group, even though it is in the security group ConfigMgr Servers that is already set as a local Administrator.
Before you click the "Begin Install" button there is one very important tool that you need to have ready and available. ConfigMgr is one of the better programs for creating logs for troubleshooting. Yes, logs and a lot of them. However, I always ask my clients: have you checked the logs yet, or can you send me this or that log? That should pretty much be the first place you look when you have issues or are just curious as to how the internals work within ConfigMgr. So, why do I bring this up? I bring it up because there is a tool, little known outside the realm of ConfigMgr geeks like myself, that is a life saver when it comes to reading log files. This is by far the best log file reading app that you can buy or get free. It has been around for years and years under different names in the past. The tool is called CMTrace. I use this tool for everything, not just System Center logs. I always say, once you go CMTrace you never go back. Where can I find this awesome tool you are talking about, you ask? There are a few ways to get this tool. The first is from the Tools folder located on the installation media, ConfigMgrSource\SMSSETUP\Tools\. The other way is to download the ConfigMgr 2012 R2 Toolkit, which I will have you do later. On both your ConfigMgr Site server and your Management server, if you created one, I suggest you place this tool on your C: drive or some other location. Open it once and select it to be your default viewer for log files. You will thank me later for this. Trust me! So do it now and then continue on with the installation of ConfigMgr 2012 R2.
23. So, from this window, once all the red errors have been fixed and any information or warnings have been looked at, then I will click Begin Install…….
24. Now that I have clicked Begin Install we will see an overall process and a few tasks like Evaluating setup environment, etc. After a few minutes we will see a long list of tasks that the installer will perform. Depending on the size of the server and whether the SQL server is locally installed or on another system, the install can take a while. I suggest that you click the view log button on this "Install" window. This will open up the running installation log in CMTrace, the tool I just told you about. This way you can get a live look at what is going on in the background during installation. Whatever you do, don’t worry about the red and yellow lines that will pop up during installation in the log file if you are monitoring the log. These are normal errors most of the time. The only time you should worry is if the installer fails. Then you would go back and dig through this log and see why it failed.
25. You can click Close once the Core setup has been completed.
Congratulations, we have installed Configuration Manager 2012 R2!!!!
You can now continue on to Part III – Configuration. At this point I have successfully installed ConfigMgr 2012 R2 and will be spending hours of configuration and planning to get the Configuration Manager ready for production.