Pete Hinchley: Install Microsoft SCCM 2012 R2 SP1

In this article I will outline the steps required to perform a single-server installation of Microsoft SCCM 2012 R2 SP1 via the command line.

Version Clarification

Let's start by clearing up a common point of confusion: Microsoft SCCM 2012 R2 SP1 is identical (at the binary level) to Microsoft SCCM 2012 SP2. i.e. R2 SP1 = SP2. The "R2" simply means additional product capabilities have been unlocked.

Requirements

This article assumes the following:

Assuming you have access to the Volume License Service Center, you can obtain the media required for installing SCCM by searching for System Center 2012 R2 Config Mgr Client Mgmt License with Service Pack 1 and then downloading System Center 2012 Configuration Manager and Endpoint Protection With Service Pack 2 Multilanguage (1158 MB), and System Center 2012 R2 Configuration Manager Client Management License With Service Pack 1 Multilanguage (5 MB).

Microsoft .NET Framework 3.5

A prerequisite for the installation of SCCM 2012 is Microsoft .NET Framework 3.5. I explained how to install this feature in a previous post.

Microsoft ADK 10

The following components of the ADK are required by SCCM 2012: Deployment Tools, Windows PE, and the User State Migration Tool. We will also install the Imaging and Configuration Designer. However, before we can install these components, we need to download the required ADK setup files. From an elevated PowerShell prompt, run:

cd "C:\Media\Microsoft ADK 10"
.\adksetup.exe /quiet /layout .

We can now install the necessary components using the following command:

.\adksetup.exe /quiet /installpath "C:\Program Files (x86)\Windows Kits\10" /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool OptionId.ImagingAndConfigurationDesigner /ceip off

Microsoft IIS

Another requirement for the installation of SCCM 2012 is Microsoft IIS. The following PowerShell command can be used to enable the required features:

Add-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Redirect,Web-App-Dev,Web-Net-Ext,Web-Net-Ext45,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-HTTP-Tracing,Web-Security,Web-Filtering,Web-Performance,Web-Stat-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Mgmt-Compat

Use the following commands to register IIS with .NET Framework 4:

cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319
.\aspnet_regiis.exe -r

Although not necessary, we will use a dedicated IIS web site for SCCM called SMSWEB (listening on HTTP port 7080). Use the following command to create the web site:

New-Website -Name "SMSWEB" -ApplicationPool "DefaultAppPool" -PhysicalPath "C:\inetpub\wwwroot" -Port "7080" -Force

Firewall Rules

The following PowerShell commands will enable inbound WMI and SMB connections to the site server; both are necessary for the operation of SCCM.

Enable-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)" -confirm:$false
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Name-In)" -confirm:$false
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Session-In)" -confirm:$false
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (SMB-In)" -confirm:$false

The following command will allow inbound connections to the SMSWEB web site over HTTP (7080) and HTTPS (7443), and enable use of the Client Notification Service (10123):

netsh advfirewall firewall add rule name="SCCM Management Point" dir=in action=allow profile=domain localport="7080,7443,10123" protocol=TCP

Microsoft SQL Server 2012

I provided instructions on how to install Microsoft SQL Server 2012 in a previous article. In the article I describe how to configure an AlwaysOn availability group, but as this configuration isn't supported by SCCM 2012, you should just follow the steps required to install and configure a standalone instance of SQL Server (i.e. refer to the Prerequisites, Installation, and Ports and Firewall sections).

In addition to the steps outlined in the referenced article, you will also need to open TCP port 4022 on the SQL Server (required by the SQL Broker):

netsh advfirewall firewall add rule name="SQL Broker" dir=in action=allow profile=domain localport="4022" protocol=TCP

In addition to the broker port, we also require a number of additional ports on the SQL Server during the installation of SCCM. These ports can be removed once the installation is complete. To add the rules, open a PowerShell prompt on the SQL Server and run the following:

New-NetFirewallRule -Group SCCM -DisplayName "SCCM - File Share - TCP - 445" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - File Share - UDP - 137-138" -Direction Inbound -Protocol UDP -LocalPort "137-138" -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - RPC - TCP - 135" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - NetBIOS - TCP - 139" -Direction Inbound -Protocol TCP -LocalPort 139 -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - Dynamic Ports - TCP - 49154-49157" -Direction Inbound -Protocol TCP -LocalPort "49154-49157" -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - UDP - 5355" -Direction Inbound -Protocol UDP -LocalPort "5355" -Action Allow -Profile Domain | Out-Null

To disable the rules after the installation is complete (i.e. at the end of this article) use the following command:

Get-NetFirewallRule -Group SCCM | Disable-NetFirewallRule
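
A check to run on the SQL Server after the disable step, confirming that none of the temporary rules in the SCCM group still admits traffic. This is an added example, not part of the original article; the function name Get-TemporaryRuleState is hypothetical, and it relies only on the rule group name used above.

```powershell
# Added example, not from the original article. Run on the SQL Server.
# Reports every rule in the temporary "SCCM" firewall group and whether it
# still admits traffic, so a forgotten clean-up step is visible.
function Get-TemporaryRuleState {
    param([string] $Group = 'SCCM')

    # Get-NetFirewallRule raises an error when the group has no rules at all;
    # treat that as "nothing to report".
    $rules = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue)

    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Protocol    = $filter.Protocol
            LocalPort   = $filter.LocalPort -join ','
            # A rule only matters if it is enabled, inbound and allowing.
            StillOpen   = ($rule.Enabled -eq 'True' -and
                           $rule.Direction -eq 'Inbound' -and
                           $rule.Action -eq 'Allow')
        }
    }
}

$state = @(Get-TemporaryRuleState)
$open  = @($state | Where-Object { $_.StillOpen })

$state | Format-Table -AutoSize

if ($open.Count -gt 0) {
    $names = ($open | ForEach-Object { $_.DisplayName }) -join '; '
    Write-Warning ("{0} temporary rule(s) still enabled: {1}" -f $open.Count, $names)
}
```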

One further step is required on the SQL Server - we must enable the Remote Registry service:

Get-Service RemoteRegistry | Set-Service -StartupType Automatic -PassThru | Start-Service

Active Directory Security Group

From a computer with the Active Directory PowerShell Module installed, use the following command to create an Active Directory security group named sccm-servers, adding the SCCM server as a member (in my lab the server is named BORIS).

New-ADGroup -Name "sccm-servers" -GroupScope Global -Path "OU=Groups, DC=lab, DC=hinchley, DC=net" -PassThru | Add-ADGroupMember -Members "BORIS$"  

Local Administrators Group

To install SCCM 2012, the site server computer must have administrator privileges on both the SQL Server and the server hosting the management point (in this case, the local SCCM server). To add the sccm-servers global security group we just created to the local Administrators group on both servers (the local SCCM server and the SQL Server, EDWARD):

([ADSI]"WinNT://./Administrators,group").psbase.Invoke("Add",([ADSI]"WinNT://LAB/sccm-servers").path)
([ADSI]"WinNT://EDWARD/Administrators,group").psbase.Invoke("Add",([ADSI]"WinNT://LAB/sccm-servers").path)

At this point, reboot the SCCM server to ensure the group membership changes take effect.

System Container

To enable the registration of the SCCM management point in Active Directory, it is necessary to create a System Management container. From a computer with the Active Directory PowerShell Module installed, use the following command to create the container, and assign the sccm-servers security group the Full Control permission:

$container = New-ADObject -Name "System Management" -Type "container" -Path "CN=System,DC=lab,DC=hinchley,DC=net" -PassThru
$container = [ADSI]"LDAP://$($container.DistinguishedName)"
$group = Get-ADGroup sccm-servers
$sid = [System.Security.Principal.SecurityIdentifier] $group.SID
$identity = [System.Security.Principal.IdentityReference] $sid
$rights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $rights, $type, $inheritance
$container.psbase.ObjectSecurity.AddAccessRule($ace)
$container.psbase.CommitChanges()

Extend the Active Directory Schema

To enable the creation of SCCM-related objects in Active Directory, it is necessary to extend the schema to support the required classes and attributes. To perform this task, open an elevated PowerShell prompt as a user who is a member of the Schema Admins group, mount the SCCM media, and run the schema extension utility:

$mount = Mount-DiskImage -ImagePath "C:\Media\Microsoft SCCM 2012\SW_DVD5_Sys_Ctr_ConfigMgr_and_Endpnt_Prtctn_2012w_SP2_MultiLang_MLF_X20-21849.iso" -PassThru
$drive = ($mount | Get-Volume).DriveLetter + ':'

Set-Location $drive\SMSSETUP\BIN\I386
.\extadsch.exe

A message should be displayed stating: Successfully extended the Active Directory schema.

Note: We leave the SCCM media mounted, as we will use it again later.

SCCM 2012 Prerequisites

Before we begin the installation of SCCM 2012, it is necessary to download the required prerequisites. From our existing PowerShell prompt, use the following commands to download the installation dependencies to C:\Media\Microsoft SCCM 2012\Prereqs:

cd $drive\SMSSETUP\BIN\X64
.\setupdl.exe "C:\Media\Microsoft SCCM 2012\Prereqs"

Install SCCM 2012 SP2

We will now create a configuration script for performing the silent installation of SCCM 2012. The following script will deploy a new primary site named LAB on the server named BORIS. The site database will be stored on a SQL Server named EDWARD.

Please note the following:

[Identification]
Action=InstallPrimarySite

[Options]
AdminConsole=1
ClientsUsePKICertificate=0
DistributionPoint=BORIS.LAB.HINCHLEY.NET
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
JoinCEIP=0
ManagementPoint=BORIS.LAB.HINCHLEY.NET
ManagementPointProtocol=HTTP
MobileDeviceLanguage=0
PrerequisiteComp=1
PrerequisitePath=C:\Media\Microsoft SCCM 2012\Prereqs
ProductID=
RoleCommunicationProtocol=HTTPorHTTPS
SDKServer=BORIS.LAB.HINCHLEY.NET
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SiteCode=LAB
SiteName=PRIMARY SITE

[SQLConfigOptions]
DatabaseName=SQL01\CM_LAB
SQLServerName=EDWARD.LAB.HINCHLEY.NET

[HierarchyExpansionOption]

To validate that we have all the prerequisites in place, run the following command from our existing PowerShell prompt:

.\prereqchk.exe /NOUI /PRI /SQL EDWARD.LAB.HINCHLEY.NET\SQL01 /SDK BORIS.LAB.HINCHLEY.NET /MP BORIS.LAB.HINCHLEY.NET /DP BORIS.LAB.HINCHLEY.NET

Review the log C:\ConfigMgrPrereq.txt and confirm the word "error" does not appear. Note: Ignore the error shown below; the prerequisite checker incorrectly reports this condition when permissions to the System Management container are delegated via group membership.

ERROR: Site server does not have create child permission on AD 'System Management'.
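
One way to script the log review described above, so that only the named false positive is set aside and every other "error" line is surfaced. This is an added example, not part of the original article; the function name Get-PrereqLogError is hypothetical, and the sample lines are constructed (only the System Management message comes from the article).

```powershell
# Added example, not from the original article.
# Classifies every "error" line in a prerequisite-check log as either the
# false positive the article names or something that needs attention.
function Get-PrereqLogError {
    param(
        [string[]] $Line,

        # Message text taken from the article; anything else is unexpected.
        [string[]] $KnownFalsePositive = @(
            "Site server does not have create child permission on AD 'System Management'."
        )
    )

    $n = 0
    foreach ($text in $Line) {
        $n++
        if ($text -notmatch 'error') { continue }      # -match ignores case

        $known = $false
        foreach ($fp in $KnownFalsePositive) {
            if ($text.IndexOf($fp, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $known = $true
            }
        }
        [pscustomobject]@{ LineNumber = $n; Known = $known; Text = $text.Trim() }
    }
}

# Constructed sample lines (assumed layout; only the second message is from the article).
$sample = @(
    'INFO: Constructed sample informational line.',
    "ERROR: Site server does not have create child permission on AD 'System Management'.",
    'WARNING: Constructed sample warning.',
    'ERROR: Constructed sample failure that must not be ignored.',
    ''
)

$found      = @(Get-PrereqLogError -Line $sample)
$unexpected = @($found | Where-Object { -not $_.Known })

$unexpected | Format-List LineNumber, Text
"{0} error line(s), {1} unexpected" -f $found.Count, $unexpected.Count

# Against the real log:
#   Get-PrereqLogError -Line (Get-Content C:\ConfigMgrPrereq.txt) | Where-Object { -not $_.Known }
```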

Provided the prerequisite check passed, and assuming the configuration script is saved as C:\Scripts\SCCM.ini, we can now use the following command from our existing PowerShell prompt to initiate the installation of SCCM 2012.

.\setup.exe /script C:\scripts\SCCM.ini

At this point I suggest you take a 20-minute break while waiting for SCCM to install. When the process completes, use the following command (from our existing PowerShell prompt) to eject the installation media:

DisMount-DiskImage -ImagePath "C:\Media\Microsoft SCCM 2012\SW_DVD5_Sys_Ctr_ConfigMgr_and_Endpnt_Prtctn_2012w_SP2_MultiLang_MLF_X20-21849.iso"

Install R2

The final step is to enable "R2" features in SCCM (i.e. to transition from SCCM 2012 SP2 to SCCM 2012 R2 SP1). This requires we

$mount = Mount-DiskImage -ImagePath "C:\Media\Microsoft SCCM 2012\SW_DVD5_Sys_Ctr_ConfigMgrClt_ML_2012_R2w_SP1_MultiLang_ConfMgr2_MLF_X20-21853.iso" -PassThru
$drive = ($mount | Get-Volume).DriveLetter + ':'

Set-Location $drive\SMSSETUP\BIN\X64
msiexec /i Configmgr2012R2SP1.msi /qb
Set-Location C:\

DisMount-DiskImage -ImagePath "C:\Media\Microsoft SCCM 2012\SW_DVD5_Sys_Ctr_ConfigMgrClt_ML_2012_R2w_SP1_MultiLang_ConfMgr2_MLF_X20-21853.iso"

Install SCCM 2012 R2 SP1 CU1

To install Cumulative Update 1 (CU1) for SCCM 2012 R2 SP1, download the hotfix to C:\Media\Microsoft SCCM 2012\CU1\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.exe. To install the update silently:

cd "C:\Media\Microsoft SCCM 2012\CU1\"
.\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.exe /unattended

You can confirm the update was installed successfully by checking the CULevel value in the registry. The following command should return 1:

(Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name CULevel).CULevel

PowerShell Cmdlet Library

To ensure compatibility with SCCM 2012 R2 SP1, we should update the SCCM PowerShell Cmdlet Library. Download the latest version and copy the MSI to C:\Media\Microsoft SCCM 2012\Cmdlet Library. To install the update, close all open PowerShell sessions and run:

msiexec /i "C:\Media\Microsoft SCCM 2012\Cmdlet Library\ConfigMgr2012PowerShellCmdlets.msi" /qb

Custom Web Site

The final step (at least for this tutorial) is to change the ports used by SCCM for client communication (which are configured on the custom SMSWEB web site we previously created). Let's do this by opening an elevated PowerShell prompt and running the following commands:

Import-Module -Name "$(split-path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1"
Set-Location LAB:
Get-CMSite | Set-CMSite -UseCustomWebSite $true -AddClientRequestServiceType ClientRequestHttpTcpDefault -PortForClientRequestServiceType 7080 -ClientComputerCommunicationType HttpsOrHttp

Final Words

There is still much to do... We need to configure boundaries and boundary groups; create collections, packages and deployments; update boot images, create task sequences, and configure software updates. I'll try and cover these steps in future articles, but for now, at least, we have a working and patched installation of SCCM 2012 R2 SP1.