SETTING UP A VIRTUAL SCCM TESTLAB – PART 3

This post picks up after part 1 and part 2. I suggest you read both parts first to understand what is happening here in part 3.

Anyway, this has been long overdue 🙂

In this part, we will be looking at setting up some initial group policies, setting up firewall rules, installing SCCM prerequisites, and finally installing SCCM.

Well, lets get started then

Initial Group Policies

We want to create an initial group policy for user settings. This is more for convenience and you do not actually have to set this up. However, it makes is easier to add any user settings later.

User Settings Policy

Launch gpmc.msc

Create new group policy Object called Default User Settings

Edit the policy.

First we want to show extensions of file type. By default, Windows hides known file extensions (like .txt or .docx). This is a possible security risk, and also makes changing file extensions much harder.

1. Expand User Configuration > Preferences > Control Panel Settings > Folder Options
2. Right click and add new Folder Option (Vista)
   Uncheck “Hide extensions for known file types”

We also want to change the Windows 10 default Explorer location to “This Computer” instead of the default “Quick Access”. You can read more about this here.

1. Expand User Configuration > Preferences > Windows Settings > Registry
2. Right click and create new registry item
   1. Hive: HKEY_CURRENT_USER
   2. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
   3. Value Name:LaunchTo
   4. Value Type: REG_DWORD
   5. Value Data:1

There could be other user settings you may want to configure now, as you wish. But this is sufficient to make life easier for our users.

Workstation Policy

Now we will want to create a Workstation policy. This will later contain the firewall rules to enable SCCM to communicate properly with client machines. We also want to limit this to only desktop machines, so we will filter this group policy to only apply for desktop OSes.

1. Create new WMI Filter
2. Click add and enter the following query: Select * from Win32_OperatingSystem WHERE ProductType=1
3. Save this as filter as “Desktops”
4. Create new Workstation Policy
5. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.
6. Expand Windows Firewall with Advanced Security and select Inbound Rules
7. Right Click on Inbound Rules and select New Rule
8. Select Predefined rule type and choose File and Printer Sharing. Click Next
9. Check all the predefined rules. Click next
10. Choose action Allow the connection
11. Repeat the same action for Outbound Rules
12. Close
13. For our workstation policy, from the WMI Filtering drop down, choose Desktops WMI filter
14. Drag both Workstation Policy and User Default Settings to domain root (to link Policy to domain)
15. Click OK when the prompt appears

Ok, that should be all we need for now. To test the policy out, start or restart your client machine and see if the policies have been applied. Open Windows Firewall with Advanced Security on the client machine (you need to use admin credentials to open this). Look for any File and Printer Sharing rule with a green tick. Double click it.

The message This rule has been applied by the system administrator and cannot be modified” indicates the rule was applied using group policy. So we know the rule was applied by group policy successfully. You can shutdown your client machine for now.

SCCM prerequisites

We now need to install several prerequisites before we install SCCM.

Add Server Roles

There are several Windows Server roles and feature you need to install as well. This can be fun to do manually, you can use a bit of powershell to get this done, which is what i’m going to do today

Open a powershell window and type the following commands:

[powershell]Import-Module ServerManager

Add-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Redirect,Web-App-Dev,Web-Net-Ext,Web-Net-Ext45,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-HTTP-Tracing,Web-Security,Web-Filtering,Web-Performance,Web-Stat-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Mgmt-Compat -Restart -Source D:\sources\sxs[/powershell]

Import-Module ServerManager

Add-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Redirect,Web-App-Dev,Web-Net-Ext,Web-Net-Ext45,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-HTTP-Tracing,Web-Security,Web-Filtering,Web-Performance,Web-Stat-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Mgmt-Compat -Restart -Source D:\sources\sxs

The last bit, -Source D:\sources\sxs, tells Windows to look for the .NET Framework files from this location. This would be the same location as our Windows Server installation disk. Make sure the Windows Server ISO is mounted or loaded in VirtualBox.

Give it a few minutes to run. Once done, you should restart, but I’m going to shutdown instead. I’m going to add a new hard disk to the server vm, to serve as a data drive.

Add Data Drive

1. Add a new hard disk, 500GB, called DataDisk
2. Start up server
3. In Server Manager, select Files and Storage Servers > Volumes > Disks
4. Right click on the new disk and click Initialize
5. Click Yes when the warning appears.
6. Right click on the new disk again and choose New Volume
7. Go through all the prompts and select drive letter (I’m going with G: drive) and choose NTFS format
8. On your data drive, create 4 new folder
   1. Apps – To install applications
   2. Data – Data files, basically for our database
   3. REPO – Repository for SCCM files
   4. Sources – Installation source files and media

With our data disk ready, you may want to copy some of the files from your VirtualBox share to the local server drive (G:\Sources)

Install Windows 10 ADK

We downloaded Windows 10 ADK in part 1, and saved the files on our workstation. Use the downloaded files to install Windows 10 ADK.

1. Run adksetup.exe
2. Change installation folder to G:\Apps\Windows Kits\10\
3. Click Next
4. No to participate in CEIP
5. Accept License Agreement
6. Select
   1. Deployment Tools
   2. Windows Preinstallation Environment (Windows PE)
   3. User State Migration Tool (USMT).
7. Click Install

Install SQL Server 2016

1. Change VM settings, DVD Drive to SQL Server 2016 ISO file
2. Run Setup.exe from the DVD drive.
3. Choose Installation and select New SQL Server stand-alone installation or add features to an existing installation
4. Click next through the prompts until you reach Install Rules
5. There may be a few warnings, but it is safe to proceed. Click Next
6. Select Database Engine Services and Reporting Services – Native
7. Change the installation path to our data drive
8. We will use the default instance name. Click Next
9. Change all the services to run using the NT AUTHORITY\NETWORK SERVICE account, except for reporting services and SQL Server Browser (leave this as the default)
10. In the Collation tab, change the collation to SQL_Latin1_General_CP1_CI_AS. Click OK
11. Click Next
12. Click to Add Current User as administrator of the server
13. In the Data Directories tab, change the data paths to G:\Data
14. Click Next through the next steps and finally click Install

Close install after is is done.

Install SCCM

We have got all our prerequisites installed, now it is time to install SCCM. Congratulations if you have made it this far 🙂

1. Double click SCCM ISO file to mount it.
2. Launch splash.hta
3. Click Install
4. Proceed through the steps, selecting to install an evaluation version.
5. Select the first option to install a Primary site and tick use typical installation options.
6. Accept all the license agreements. For the prerequisite download, choose to use previously downloaded file.
7. I have mine on a mapped path on my VirtualBox host. Click next and wait as the setup verifies the downloaded files.
8. Enter your site details. I’ll be using TL1 for my lab, and install to the Data drive setup earlier.
9. I also do not plan to use any cloud services (no internet access in my test lab anyway), so I’ll skip this step.
10. Click next on the summary page. SCCM setup will perform some prerequisite checks, to ensure all requirements are met.

There will be a few warnings found, which is fine in most cases. However 2 of these, we want to fix.

Extend AD schema

In the mounted ISO drive, browse to the folder SMSSETUP\BIN\X64. Run the file ExtADSch.exe. This generates no output, but the log file ExtADSch.log in generated in the root of your C: drive.

Permission to publish to AD

There are 2 things we need to do here. First, we need to create the System Management container, and then change the permission of the container. The detailed steps and explanations are available from TechNet, but the simple steps below should be fine.

1. Launch ADSIEdit.msc
2. If this is the first time launching ADSIEdit.msc, you will need to choose Action > Connect To
3. The default naming context appears, and click OK
4. Expand the node and select CN=System (System Container)
5. Right click on System and choose New > Object
6. Select Class of Container and click Next
7. Enter value of System Management and click Next. Then click finish

We also need to change the permissions of this new container.

1. Right click on System Management and choose Edit
2. In the Security Tab, click Add
3. Search for the server computer account. You need to change the Object Type to include or only select Computers.
4. Enter Lab-DC and click Check Names. Click OK
5. In the Security tab, check Full control. Click OK

Go back to the SCCM setup screen and click Run Check again.
The 2 items should now be off the list. Click Begin install

This will take a while (about 45 minutes for me), so sit back and wait.

We will conclude part 3 for now, and continue with the rest of the post installation setup in part 4.

Refer to other parts

• Part 1
• Part 2
• Part 3
• Part 4
• Part 5