SETTING UP A VIRTUAL SCCM TESTLAB - PART 3

Computers, Powershell, Servers, Technology

This post picks up after part 1 and part 2. I suggest you read both parts first to understand what is happening here in part 3.

Anyway, this has been long overdue :-)

In this part, we will be looking at setting up some initial group policies, setting up firewall rules, installing SCCM prerequisites, and finally installing SCCM.

Well, lets get started then

Initial Group Policies

We want to create an initial group policy for user settings. This is more for convenience and you do not actually have to set this up. However, it makes is easier to add any user settings later.

User Settings Policy

Launch gpmc.msc

Create new group policy Object called Default User Settings

NewGPO-01

Edit the policy.

First we want to show extensions of file type. By default, Windows hides known file extensions (like .txt or .docx). This is a possible security risk, and also makes changing file extensions much harder.

  1. Expand User Configuration > Preferences > Control Panel Settings > Folder Options

  2. Right click and add new Folder Option (Vista)
    Uncheck “Hide extensions for known file types”

    NewGPO-02

We also want to change the Windows 10 default Explorer location to “This Computer” instead of the default “Quick Access”. You can read more about this here.

  1. Expand User Configuration > Preferences > Windows Settings > Registry

  2. Right click and create new registry item

    1. Hive: HKEY_CURRENT_USER

    2. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    3. Value Name:LaunchTo

    4. Value Type: REG_DWORD

    5. Value Data:1

NewGPO-03

There could be other user settings you may want to configure now, as you wish. But this is sufficient to make life easier for our users.

Workstation Policy

Now we will want to create a Workstation policy. This will later contain the firewall rules to enable SCCM to communicate properly with client machines. We also want to limit this to only desktop machines, so we will filter this group policy to only apply for desktop OSes.

Note, in our test lab here, we only use Windows Firewall. If you are planning for any other firewall, you need to ensure the ports below are allowed as well.

  1. Create new WMI Filter

  2. Click add and enter the following query: Select \* from Win32\_OperatingSystem WHERE ProductType=1

    NewGPO-05

  3. Save this as filter as “Desktops”

  4. Create new Workstation Policy

    NewGPO-04

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

  6. Expand Windows Firewall with Advanced Security and select Inbound Rules

    NewGPO-06

  7. Right Click on Inbound Rules and select New Rule

  8. Select Predefined rule type and choose File and Printer Sharing. Click Next

    NewGPO-Firewall-01

  9. Check all the predefined rules. Click next

    NewGPO-Firewall-02

  10. Choose action Allow the connection

    NewGPO-Firewall-03

  11. Repeat the same action for Outbound Rules

  12. Close

  13. For our workstation policy, from the WMI Filtering drop down, choose Desktops WMI filter

  14. Drag both Workstation Policy and User Default Settings to domain root (to link Policy to domain)

  15. Click OK when the prompt appears

    NewGPO-07PNG

Ok, that should be all we need for now. To test the policy out, start or restart your client machine and see if the policies have been applied. Open Windows Firewall with Advanced Security on the client machine (you need to use admin credentials to open this). Look for any File and Printer Sharing rule with a green tick. Double click it.

ClientFirewall-Enabled

The message This rule has been applied by the system administrator and cannot be modified" indicates the rule was applied using group policy. So we know the rule was applied by group policy successfully. You can shutdown your client machine for now.

SCCM prerequisites

We now need to install several prerequisites before we install SCCM.

Add Server Roles

There are several Windows Server roles and feature you need to install as well. This can be fun to do manually, you can use a bit of powershell to get this done, which is what i’m going to do today

Open a powershell window and type the following commands:

Import-Module ServerManager

Add-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Redirect,Web-App-Dev,Web-Net-Ext,Web-Net-Ext45,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-HTTP-Tracing,Web-Security,Web-Filtering,Web-Performance,Web-Stat-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Mgmt-Compat -Restart -Source D:\sources\sxs

The last bit, -Source D:\sources\sxs, tells Windows to look for the .NET Framework files from this location. This would be the same location as our Windows Server installation disk. Make sure the Windows Server ISO is mounted or loaded in VirtualBox.

Give it a few minutes to run. Once done, you should restart, but I’m going to shutdown instead. I’m going to add a new hard disk to the server vm, to serve as a data drive.

Add Data Drive

  1. Add a new hard disk, 500GB, called DataDisk

    DataDisk-01

  2. Start up server

  3. In Server Manager, select Files and Storage Servers > Volumes > Disks

    DataDisk-02

  4. Right click on the new disk and click Initialize

  5. Click Yes when the warning appears.

    DataDisk-03

  6. Right click on the new disk again and choose New Volume

  7. Go through all the prompts and select drive letter (I’m going with G: drive) and choose NTFS format

  8. On your data drive, create 4 new folder

    1. Apps - To install applications

    2. Data - Data files, basically for our database

    3. REPO - Repository for SCCM files

    4. Sources - Installation source files and media

With our data disk ready, you may want to copy some of the files from your VirtualBox share to the local server drive (G:\Sources)

Install Windows 10 ADK

We downloaded Windows 10 ADK in part 1, and saved the files on our workstation. Use the downloaded files to install Windows 10 ADK.

  1. Run adksetup.exe

  2. Change installation folder to G:\Apps\Windows Kits\10\

    ADK-02

  3. Click Next

  4. No to participate in CEIP

  5. Accept License Agreement

  6. Select

    1. Deployment Tools

    2. Windows Preinstallation Environment (Windows PE)

    3. User State Migration Tool (USMT).

      ADK-01

  7. Click Install

Install SQL Server 2016

  1. Change VM settings, DVD Drive to SQL Server 2016 ISO file

  2. Run Setup.exe from the DVD drive.

  3. Choose Installation and select New SQL Server stand-alone installation or add features to an existing installation

    SQLInstall-01

  4. Click next through the prompts until you reach Install Rules

  5. There may be a few warnings, but it is safe to proceed. Click Next

    SQLInstall-02

  6. Select Database Engine Services and Reporting Services - Native

  7. Change the installation path to our data drive

    SQLInstall-03

  8. We will use the default instance name. Click Next

  9. Change all the services to run using the NT AUTHORITY\NETWORK SERVICE account, except for reporting services and SQL Server Browser (leave this as the default)

    SQLInstall-04

  10. In the Collation tab, change the collation to SQL_Latin1_General_CP1_CI_AS. Click OK

    SQLInstall-05

  11. Click Next

  12. Click to Add Current User as administrator of the server

    SQLInstall-06

  13. In the Data Directories tab, change the data paths to G:\Data

    SQLInstall-07

  14. Click Next through the next steps and finally click Install

Close install after is is done.

Highly recommended, but optional, you can also install the SQL Server Management Studio on the server. Get the download files from here.

Install SCCM

We have got all our prerequisites installed, now it is time to install SCCM. Congratulations if you have made it this far :-)

  1. Double click SCCM ISO file to mount it.

  2. Launch splash.hta

  3. Click Install

    SCCMInstall-01

  4. Proceed through the steps, selecting to install an evaluation version.

  5. Select the first option to install a Primary site and tick use typical installation options.

    SCCMInstall-02

  6. Accept all the license agreements. For the prerequisite download, choose to use previously downloaded file.

  7. I have mine on a mapped path on my VirtualBox host. Click next and wait as the setup verifies the downloaded files.

    SCCMInstall-03

  8. Enter your site details. I’ll be using TL1 for my lab, and install to the Data drive setup earlier.

    SCCMInstall-04

  9. I also do not plan to use any cloud services (no internet access in my test lab anyway), so I’ll skip this step.

    SCCMInstall-05

  10. Click next on the summary page. SCCM setup will perform some prerequisite checks, to ensure all requirements are met.

    SCCMInstall-06

There will be a few warnings found, which is fine in most cases. However 2 of these, we want to fix.

Extend AD schema

In the mounted ISO drive, browse to the folder SMSSETUP\BIN\X64. Run the file ExtADSch.exe. This generates no output, but the log file ExtADSch.log in generated in the root of your C: drive.

SCCMInstall-07

Permission to publish to AD

There are 2 things we need to do here. First, we need to create the System Management container, and then change the permission of the container. The detailed steps and explanations are available from TechNet, but the simple steps below should be fine.

  1. Launch ADSIEdit.msc

  2. If this is the first time launching ADSIEdit.msc, you will need to choose Action > Connect To

  3. The default naming context appears, and click OK

  4. Expand the node and select CN=System (System Container)

    SCCMInstall-08

  5. Right click on System and choose New > Object

  6. Select Class of Container and click Next

  7. Enter value of System Management and click Next. Then click finish

    SCCMInstall-09

We also need to change the permissions of this new container.

  1. Right click on System Management and choose Edit

  2. In the Security Tab, click Add

  3. Search for the server computer account. You need to change the Object Type to include or only select Computers.SCCMInstall-10

  4. Enter Lab-DC and click Check Names. Click OK

  5. In the Security tab, check Full control. Click OK

    SCCMInstall-11

Go back to the SCCM setup screen and click Run Check again.
The 2 items should now be off the list. Click Begin install

This will take a while (about 45 minutes for me), so sit back and wait.

SCCMInstall-12

We will conclude part 3 for now, and continue with the rest of the post installation setup in part 4.

Refer to other parts