Install Microsoft SCCM 2012 R2 SP1
In this article I will outline the steps required to perform a single-server installation of Microsoft SCCM 2012 R2 SP1 via the command line.
Let's start by clearing up a common point of confusion: Microsoft SCCM 2012 R2 SP1 is identical (at the binary level) to Microsoft SCCM 2012 SP2, i.e. R2 SP1 = SP2. The "R2" simply means additional product capabilities have been unlocked.
This article assumes the following:
- Access to a server running Windows Server 2012 R2 (Full GUI).
- Access to another server running Windows Server 2012 R2 with a configured instance of SQL Server 2012. Refer to the Prerequisites, Installation, and Ports and Firewall sections of this blog post for instructions on how to install SQL Server.
- A copy of the SCCM 2012 SP2 media.
- A copy of the SCCM 2012 R2 SP1 media.
- A copy of Microsoft Application Development Toolkit (ADK) 10.
- The account used to perform the installation is a domain administrator (with administrator privileges on both the SCCM and SQL servers).
Assuming you have access to the Volume License Service Center, you can obtain the media required for installing SCCM by searching for System Center 2012 R2 Config Mgr Client Mgmt License with Service Pack 1 and then downloading System Center 2012 Configuration Manager and Endpoint Protection With Service Pack 2 Multilanguage (1158 MB), and System Center 2012 R2 Configuration Manager Client Management License With Service Pack 1 Multilanguage (5 MB).
Microsoft .NET Framework 3.5
A prerequisite for the installation of SCCM 2012 is Microsoft .NET Framework 3.5. I explained how to install this feature in a previous post.
Microsoft ADK 10
The following components of the ADK are required by SCCM 2012: Deployment Tools, Windows PE, and the User State Migration Tool. We will also install the Imaging and Configuration Designer. However, before we can install these components, we need to download the required ADK setup files. From an elevated PowerShell prompt, run:
cd "C:\Media\Microsoft ADK 10"
.\adksetup.exe /quiet /layout .
We can now install the necessary components using the following command:
.\adksetup.exe /quiet /installpath "C:\Program Files (x86)\Windows Kits\10" /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool OptionId.ImagingAndConfigurationDesigner /ceip off
Another requirement for the installation of SCCM 2012 is Microsoft IIS. The following PowerShell command can be used to enable the required features:
Use the following commands to register IIS with .NET Framework 4:
cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319
.\aspnet_regiis.exe -r
Although not necessary, we will use a dedicated IIS web site for SCCM called SMSWEB (listening on HTTP port 7080). Use the following command to create the web site:
New-Website -Name "SMSWEB" -ApplicationPool "DefaultAppPool" -PhysicalPath "C:\inetpub\wwwroot" -Port "7080" -Force
The following PowerShell commands will enable inbound WMI and SMB connections to the site server; both are necessary for the operation of SCCM.
Enable-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)" -confirm:$false
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Name-In)" -confirm:$false
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Session-In)" -confirm:$false
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (SMB-In)" -confirm:$false
The following command will allow inbound connections to the SMSWEB web site over HTTP (7080) and HTTPS (7443), and enable use of the Client Notification Service (10123):
netsh advfirewall firewall add rule name="SCCM Management Point" dir=in action=allow profile=domain localport="7080,7443,10123" protocol=TCP
Microsoft SQL Server 2012
I provided instructions on how to install Microsoft SQL Server 2012 in a previous article. In the article I describe how to configure an AlwaysOn availability group, but as this configuration isn't supported by SCCM 2012, you should just follow the steps required to install and configure a standalone instance of SQL Server (i.e. refer to the Prerequisites, Installation, and Ports and Firewall sections).
In addition to the steps outlined in the referenced article, you will also need to open TCP port 4022 on the SQL Server (required by the SQL Broker):
netsh advfirewall firewall add rule name="SQL Broker" dir=in action=allow profile=domain localport="4022" protocol=TCP
In addition to the broker port, we also require a number of additional ports on the SQL Server during the installation of SCCM. These ports can be removed once the installation is complete. To add the rules, open a PowerShell prompt on the SQL Server and run the following:
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - File Share - TCP - 445" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - File Share - UDP - 137-138" -Direction Inbound -Protocol UDP -LocalPort "137-138" -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - RPC - TCP - 135" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - NetBIOS - TCP - 139" -Direction Inbound -Protocol TCP -LocalPort 139 -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - Dynamic Ports - TCP - 49154-49157" -Direction Inbound -Protocol TCP -LocalPort "49154-49157" -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -Group SCCM -DisplayName "SCCM - UDP - 5355" -Direction Inbound -Protocol UDP -LocalPort "5355" -Action Allow -Profile Domain | Out-Null
To disable the rules after the installation is complete (i.e. at the end of this article) use the following commands:
Get-NetFirewallRule -Group SCCM | Disable-NetFirewallRule
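One way to confirm the temporary rules really are off once the installation has finished. This is an added example, not part of the original article; the helper name Get-EnabledSccmInstallRule is made up for illustration, and it assumes an elevated PowerShell prompt on the SQL Server with the rules created in the SCCM group as shown above.

```powershell
# Added example: list any rule in the temporary "SCCM" firewall group that is
# still enabled. Get-EnabledSccmInstallRule is a hypothetical helper name.
function Get-EnabledSccmInstallRule {
    param([string]$Group = 'SCCM')

    # An empty group (rules already deleted) is not treated as an error.
    $rules = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue)

    foreach ($rule in $rules) {
        if ($rule.Enabled -eq 'True') {
            # The port filter holds the protocol and port(s) the rule exposes.
            $filter = $rule | Get-NetFirewallPortFilter
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Direction   = $rule.Direction
                Protocol    = $filter.Protocol
                LocalPort   = $filter.LocalPort -join ','
                Profile     = $rule.Profile
            }
        }
    }
}

$stillOpen = @(Get-EnabledSccmInstallRule)
if ($stillOpen.Count -gt 0) {
    Write-Warning "$($stillOpen.Count) temporary SCCM install rule(s) are still enabled:"
    $stillOpen | Format-Table -AutoSize
} else {
    Write-Output 'No enabled rules remain in the SCCM firewall group.'
}
```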
One further step is required on the SQL Server - we must enable the Remote Registry service:
Get-Service RemoteRegistry | Set-Service -StartupType Automatic -PassThru | Start-Service
Active Directory Security Group
From a computer with the Active Directory PowerShell Module installed, use the following command to create an Active Directory security group named sccm-servers, adding the SCCM server as a member (in my lab the server is named BORIS).
New-ADGroup -Name "sccm-servers" -GroupScope Global -Path "OU=Groups, DC=lab, DC=hinchley, DC=net" -PassThru | Add-ADGroupMember -Members "BORIS$"
Local Administrators Group
To install SCCM 2012, the site server computer must have administrator privileges on both the SQL Server and the server hosting the management point (in this case, the local SCCM server). To add the sccm-servers global security group we just created into the local administrators group on both servers:
At this point, reboot the SCCM server to ensure the group membership changes take effect.
To enable the registration of the SCCM management point in Active Directory, it is necessary to create a System Management container. From a computer with the Active Directory PowerShell Module installed, use the following command to create the container, and assign the sccm-servers security group the Full Control permission:
$container = New-ADObject -Name "System Management" -Type "container" -Path "CN=System,DC=lab,DC=hinchley,DC=net" -PassThru
$container = [ADSI]"LDAP://$($container.DistinguishedName)"
$group = Get-ADGroup sccm-servers
$sid = [System.Security.Principal.SecurityIdentifier] $group.SID
$identity = [System.Security.Principal.IdentityReference] $sid
$rights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $rights, $type, $inheritance
$container.psbase.ObjectSecurity.AddAccessRule($ace)
$container.psbase.CommitChanges()
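To check the delegation afterwards, the ACL can be read back from the container. This is an added example, not part of the original article; it assumes the lab distinguished name and the sccm-servers group used above, and a computer with the Active Directory PowerShell Module installed.

```powershell
# Added example: read the ACL back and confirm the delegation made above.
Import-Module ActiveDirectory

# Assumption: same lab domain and group name as in the article.
$dn    = 'CN=System Management,CN=System,DC=lab,DC=hinchley,DC=net'
$group = Get-ADGroup sccm-servers
$entry = [ADSI]"LDAP://$dn"

# Explicit (non-inherited) ACEs only, with trustees returned as SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
$aces = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType)

$report = foreach ($ace in $aces) {
    [pscustomobject]@{
        Trustee     = $ace.IdentityReference.Value
        IsSccmGroup = ($ace.IdentityReference.Value -eq $group.SID.Value)
        Rights      = $ace.ActiveDirectoryRights
        Type        = $ace.AccessControlType
        Inheritance = $ace.InheritanceType
    }
}
$report | Format-Table -AutoSize

# The ACE the article adds: Allow / GenericAll / inheritance All for sccm-servers.
$expected = $report | Where-Object {
    $_.IsSccmGroup -and $_.Type -eq 'Allow' -and
    $_.Rights -eq 'GenericAll' -and $_.Inheritance -eq 'All'
}
if (-not $expected) {
    Write-Warning "Expected ACE for sccm-servers not found on $dn"
}

# Every member of sccm-servers holds this right, so review the membership too.
Get-ADGroupMember sccm-servers | Select-Object Name, objectClass, SID
```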
Extend the Active Directory Schema
To enable the creation of SCCM-related objects in Active Directory, it is necessary to extend the schema to support the required classes and attributes. To perform this task, open an elevated PowerShell prompt as a user who is a member of the Schema Admins group, mount the SCCM media, and run the schema extension utility:
$mount = Mount-DiskImage -ImagePath "C:\Media\Microsoft SCCM 2012\SW_DVD5_Sys_Ctr_ConfigMgr_and_Endpnt_Prtctn_2012w_SP2_MultiLang_MLF_X20-21849.iso" -PassThru
$drive = ($mount | Get-Volume).DriveLetter + ':'
Set-Location $drive\SMSSETUP\BIN\I386
.\extadsch.exe
A message should be displayed stating: Successfully extended the Active Directory schema.
Note: We leave the SCCM media mounted, as we will use it again later.
SCCM 2012 Prerequisites
Before we begin the installation of SCCM 2012, it is necessary to download the required prerequisites. From our existing PowerShell prompt, use the following commands to download the installation dependencies to C:\Media\Microsoft SCCM 2012\Prereqs:
cd $drive\SMSSETUP\BIN\X64
.\setupdl.exe "C:\Media\Microsoft SCCM 2012\Prereqs"
Install SCCM 2012 SP2
We will now create a configuration script for performing the silent installation of SCCM 2012. The following script will deploy a new primary site named LAB on the server named BORIS. The site database will be stored on a SQL Server named EDWARD.
Please note the following:
- You will need to set ProductID to a valid license key.
- The SCCM database (named CM_LAB) will be created on the SQL01 instance on the SQL Server.
[Identification]
Action=InstallPrimarySite

[Options]
AdminConsole=1
ClientsUsePKICertificate=0
DistributionPoint=BORIS.LAB.HINCHLEY.NET
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
JoinCEIP=0
ManagementPoint=BORIS.LAB.HINCHLEY.NET
ManagementPointProtocol=HTTP
MobileDeviceLanguage=0
PrerequisiteComp=1
PrerequisitePath=C:\Media\Microsoft SCCM 2012\Prereqs
ProductID=
RoleCommunicationProtocol=HTTPorHTTPS
SDKServer=BORIS.LAB.HINCHLEY.NET
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SiteCode=LAB
SiteName=PRIMARY SITE

[SQLConfigOptions]
DatabaseName=SQL01\CM_LAB
SQLServerName=EDWARD.LAB.HINCHLEY.NET

[HierarchyExpansionOption]
To validate that we have all the prerequisites in place, run the following command from our existing PowerShell prompt:
.\prereqchk.exe /NOUI /PRI /SQL EDWARD.LAB.HINCHLEY.NET\SQL01 /SDK BORIS.LAB.HINCHLEY.NET /MP BORIS.LAB.HINCHLEY.NET /DP BORIS.LAB.HINCHLEY.NET
Review the log C:\ConfigMgrPrereq.txt and confirm the word "error" does not appear. Note: Ignore the error shown below; the prerequisite checker incorrectly reports this condition when permissions to the System Management container are delegated via group membership.
ERROR: Site server does not have create child permission on AD 'System Management'.
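The log review can be scripted so that only the one error the article says to ignore is filtered out and anything else is surfaced. This is an added example, not part of the original article; Find-PrereqError is a made-up helper name and the sample log lines are constructed, not real prereqchk output.

```powershell
# Added example: report "error" lines in the prerequisite log, except the one
# false positive described above. Find-PrereqError is a hypothetical name.
function Find-PrereqError {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$KnownFalsePositive = @(
            "Site server does not have create child permission on AD 'System Management'."
        )
    )
    # Select-String matches case-insensitively by default.
    Select-String -Path $Path -Pattern 'error' | Where-Object {
        $line = $_.Line
        # Keep the line only if it contains none of the known false positives.
        -not ($KnownFalsePositive | Where-Object { $line.Contains($_) })
    } | ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
}

# Constructed sample log so the function can be tried without running prereqchk.
$sample = Join-Path $env:TEMP 'ConfigMgrPrereq-sample.txt'
@(
    "INFO: constructed informational line"
    "ERROR: Site server does not have create child permission on AD 'System Management'."
    "WARNING: constructed warning line"
    "ERROR: constructed blocking failure"
) | Set-Content -Path $sample

$blocking = @(Find-PrereqError -Path $sample)
if ($blocking.Count -gt 0) {
    Write-Warning "Prerequisite check has $($blocking.Count) unexplained error line(s):"
    $blocking
} else {
    Write-Output 'No unexpected errors in the prerequisite log.'
}
Remove-Item $sample

# Against the real log: Find-PrereqError -Path C:\ConfigMgrPrereq.txt
```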
Provided the prerequisite check passed, and assuming the configuration script is saved as C:\Scripts\SCCM.ini, we can now use the following command from our existing PowerShell prompt to initiate the installation of SCCM 2012.
.\setup.exe /script C:\scripts\SCCM.ini
At this point I suggest you take a 20 minute break while waiting for SCCM to install. When the process completes, use the following command (from our existing PowerShell prompt) to eject the installation media:
DisMount-DiskImage -ImagePath "C:\Media\Microsoft SCCM 2012\SW_DVD5_Sys_Ctr_ConfigMgr_and_Endpnt_Prtctn_2012w_SP2_MultiLang_MLF_X20-21849.iso"
The final step is to enable "R2" features in SCCM (i.e. to transition from SCCM 2012 SP2 to SCCM 2012 R2 SP1). This requires we
$mount = Mount-DiskImage -ImagePath "C:\Media\Microsoft SCCM 2012\SW_DVD5_Sys_Ctr_ConfigMgrClt_ML_2012_R2w_SP1_MultiLang_ConfMgr2_MLF_X20-21853.iso" -PassThru
$drive = ($mount | Get-Volume).DriveLetter + ':'
Set-Location $drive\SMSSETUP\BIN\X64
msiexec /i Configmgr2012R2SP1.msi /qb
Set-Location C:\
DisMount-DiskImage -ImagePath "C:\Media\Microsoft SCCM 2012\SW_DVD5_Sys_Ctr_ConfigMgrClt_ML_2012_R2w_SP1_MultiLang_ConfMgr2_MLF_X20-21853.iso"
Install SCCM 2012 R2 SP1 CU1
To install Cumulative Update 1 (CU1) for SCCM 2012 R2 SP1, download the hotfix to C:\Media\Microsoft SCCM 2012\CU1\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.exe. To install the update silently:
cd "C:\Media\Microsoft SCCM 2012\CU1\"
.\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.exe /unattended
You can confirm the update was installed successfully by checking the CULevel value in the registry. The following command should return 1:
(Get-ItemProperty -Path HKLM:SOFTWARE\Microsoft\SMS\Setup -Name CULevel).CULevel
PowerShell Cmdlet Library
To ensure compatibility with SCCM 2012 R2 SP1, we should update the SCCM PowerShell Cmdlet Library. Download the latest version and copy the MSI to C:\Media\Microsoft SCCM 2012\Cmdlet Library. To install the update, close all open PowerShell sessions and run:
msiexec /i "C:\Media\Microsoft SCCM 2012\Cmdlet Library\ConfigMgr2012PowerShellCmdlets.msi" /qb
Custom Web Site
The final step (at least for this tutorial) is to change the ports used by SCCM for client communication (which are configured on the custom SMSWEB web site we previously created). Let's do this by opening an elevated PowerShell prompt and running the following commands:
Import-Module -Name "$(split-path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1"
Set-Location LAB:
Get-CMSite | Set-CMSite -UseCustomWebSite $true -AddClientRequestServiceType ClientRequestHttpTcpDefault -PortForClientRequestServiceType 7080 -ClientComputerCommunicationType HttpsOrHttp
There is still much to do... We need to configure boundaries and boundary groups; create collections, packages and deployments; update boot images, create task sequences, and configure software updates. I'll try and cover these steps in future articles, but for now, at least, we have a working and patched installation of SCCM 2012 R2 SP1.