Peter Hinchley

Learning in Public

Post-Installation Configuration of Microsoft SCCM 2012 R2 SP1

This post is a continuation of a previous article that described how to install Microsoft SCCM 2012 R2 SP1. In this post I will briefly outline several important post-deployment configuration activities.

Before starting on the SCCM-related tasks, I will rename the default Active Directory site in my home lab from Default-First-Site-Name to LAB (to match the name of the boundary I will create later). This command, and any other Active Directory-related commands in this post, must be run from an elevated PowerShell prompt on a system with the Active Directory PowerShell module installed.

Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -Filter "Name -eq 'Default-First-Site-Name'" | Rename-ADObject -NewName LAB

And confirm the name change as follows:

Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -Filter "ObjectClass -eq 'Site'"

Ok, with that out of the way, let's initialise the environment by opening an elevated PowerShell prompt on the site system server, and running the following commands:

Import-Module -Name "$(split-path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1"
Set-Location LAB:

$site = Get-CMSite
$sitecode = $site.SiteCode

Now let's create a new SCCM boundary and a new boundary group named LAB, and add the boundary to the group:

New-CMBoundary -Type ADSite -DisplayName LAB -Value LAB
New-CMBoundaryGroup -Name LAB -DefaultSiteCode LAB
Add-CMBoundaryToGroup -BoundaryGroupName LAB -BoundaryName LAB

To configure SCCM discovery methods, use the following script:

$Domain       = 'DC=lab,DC=hinchley,DC=net'
$Servers      = "LDAP://OU=Servers,$Domain"
$Workstations = "LDAP://OU=Workstations,$Domain"
$Groups       = "LDAP://OU=Groups,$Domain"
$Users        = "LDAP://OU=User Accounts,$Domain"

# Configure Forest Discovery
Set-CMDiscoveryMethod -ActiveDirectoryForestDiscovery `
  -EnableActiveDirectorySiteBoundaryCreation $true `
  -EnableSubnetBoundaryCreation $false `
  -Enabled $true

# Configure System Discovery
$SystemDiscoverySchedule = New-CMSchedule -Start '2015/01/01 00:00:00' -RecurInterval Days -RecurCount 1

Set-CMDiscoveryMethod -ActiveDirectorySystemDiscovery `
  -EnableDeltaDiscovery $true `
  -DeltaDiscoveryIntervalMinutes 5 `
  -EnableFilteringExpiredLogon $true `
  -TimeSinceLastLogonDays 90 `
  -EnableFilteringExpiredPassword $true `
  -TimeSinceLastPasswordUpdateDays 90 `
  -PollingSchedule $SystemDiscoverySchedule `
  -Enabled $true

$SystemDiscovery = Get-CimInstance `
  -Namespace "root/sms/site_$sitecode" `
  -ClassName SMS_SCI_Component `
  -Filter 'ComponentName = "SMS_AD_SYSTEM_DISCOVERY_AGENT"'

$SystemDiscoveryProps = $SystemDiscovery.PropLists |
  Where-Object {$_.PropertyListName -eq 'AD Containers'}

# 0 = recursive, 1 = do not include groups
$SystemDiscoveryProps.Values  = $Servers, 0, 1
$SystemDiscoveryProps.Values += $Workstations, 0, 1

$SystemDiscovery | Set-CimInstance -Property @{PropLists = $SystemDiscovery.PropLists}

# Configure Group Discovery
$GroupDiscoverySchedule = New-CMSchedule -Start '2015/01/01 00:00:00' -RecurInterval Days -RecurCount 7

Set-CMDiscoveryMethod -ActiveDirectoryGroupDiscovery `
  -EnableDeltaDiscovery $true `
  -DeltaDiscoveryIntervalMinutes 5 `
  -EnableFilteringExpiredLogon $true `
  -TimeSinceLastLogonDays 90 `
  -EnableFilteringExpiredPassword $true `
  -TimeSinceLastPasswordUpdateDays 90 `
  -PollingSchedule $GroupDiscoverySchedule `
  -Enabled $true

$GroupDiscovery = Get-CimInstance `
  -Namespace "root/sms/site_$sitecode" `
  -ClassName SMS_SCI_Component `
  -Filter 'ComponentName = "SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT"'

$GroupDiscoveryProps = $GroupDiscovery.PropLists |
  Where-Object {$_.PropertyListName -eq 'AD Containers'}

# 0 = location (not group), 0 = recursive, 1 = not used
$GroupDiscoveryProps.Values = "Groups", 0, 0, 1

$NewGroupProp = New-CimInstance `
  -ClientOnly `
  -Namespace "root/sms/site_$sitecode" `
  -ClassName SMS_EmbeddedPropertyList `
  -Property @{PropertyListName='Search Bases:Groups';Values=[string[]]$Groups}

$GroupDiscovery.PropLists += $NewGroupProp

$GroupDiscovery | Set-CimInstance -Property @{PropLists = $GroupDiscovery.PropLists}

# Configure User Discovery
$UserDiscoverySchedule = New-CMSchedule -Start '2015/01/01 00:00:00' -RecurInterval Days -RecurCount 1

Set-CMDiscoveryMethod -ActiveDirectoryUserDiscovery `
  -EnableDeltaDiscovery $true `
  -DeltaDiscoveryIntervalMinutes 5 `
  -PollingSchedule $UserDiscoverySchedule `
  -Enabled $true

$UserDiscovery = Get-CimInstance `
  -Namespace "root/sms/site_$sitecode" `
  -ClassName SMS_SCI_Component `
  -Filter 'ComponentName = "SMS_AD_USER_DISCOVERY_AGENT"'

$UserDiscoveryProps = $UserDiscovery.PropLists |
  Where-Object {$_.PropertyListName -eq 'AD Containers'}

$UserDiscoveryProps.Values  = $Users, 0, 1

$UserDiscovery | Set-CimInstance -Property @{PropLists = $UserDiscovery.PropLists}

# Restart SMS_SITE_COMPONENT_MANAGER Service
Get-Service -Name SMS_SITE_COMPONENT_MANAGER | Restart-Service
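The property lists written above are easy to get wrong (a flag out of place silently changes what is discovered), so it is worth reading them back before the next discovery cycle runs. The following function is an added example, not part of the original post: it queries the same three SMS_SCI_Component instances and lists the containers each one will search. It assumes the ConfigurationManager module is loaded, the site drive is the current location (Set-Location LAB:), the script runs on the site server as above, and $sitecode holds the site code. The entry layout it uses to split the flat Values array (triples for system and user discovery, quadruples for group discovery) is taken from the configuration script above and is an assumption of this example.

```powershell
# Added example, not from the original post: read back the AD discovery
# components configured above and list the containers each one will search.
# Assumes the ConfigurationManager module is loaded, the site drive is the
# current location, and $sitecode holds the site code, as earlier in the post.

function Get-LabDiscoveryContainers {
  [CmdletBinding()]
  param(
    [Parameter(Mandatory = $true)]
    [string] $SiteCode
  )

  $namespace = "root/sms/site_$SiteCode"

  # Number of values per container entry in the 'AD Containers' property list,
  # as laid out in the configuration script above (assumed layout):
  #   system/user discovery: path, recursive flag, group flag
  #   group discovery:       name, location/group flag, recursive flag, unused
  $layout = @{
    'SMS_AD_SYSTEM_DISCOVERY_AGENT'         = 3
    'SMS_AD_USER_DISCOVERY_AGENT'           = 3
    'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT' = 4
  }

  foreach ($componentName in $layout.Keys) {
    $component = Get-CimInstance -Namespace $namespace -ClassName SMS_SCI_Component `
      -Filter "ComponentName = '$componentName'"

    if (-not $component) {
      Write-Warning "Component '$componentName' not found in $namespace"
      continue
    }

    $containers = $component.PropLists |
      Where-Object { $_.PropertyListName -eq 'AD Containers' }
    $values = @($containers.Values)
    $width  = $layout[$componentName]

    # Walk the flat Values array one container entry at a time
    for ($i = 0; $i + $width -le $values.Count; $i += $width) {
      [pscustomobject]@{
        Component = $componentName
        Container = $values[$i]
        Flags     = ($values[($i + 1)..($i + $width - 1)] -join ',')
      }
    }

    # Group discovery keeps the LDAP search base for each named location in a
    # separate 'Search Bases:<name>' list, as written by the script above
    $component.PropLists |
      Where-Object { $_.PropertyListName -like 'Search Bases:*' } |
      ForEach-Object {
        [pscustomobject]@{
          Component = $componentName
          Container = ($_.Values -join ';')
          Flags     = $_.PropertyListName
        }
      }
  }
}

Get-LabDiscoveryContainers -SiteCode $sitecode | Format-Table -AutoSize
```

Run it after restarting SMS_SITE_COMPONENT_MANAGER; each LDAP path from the script should appear once, with its flags in the order the comments above describe. A container that is missing here will not be discovered, however the schedule is set.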

The following command will configure the distribution point, add it to the LAB boundary group, enable PXE support (without password), include support for unknown computers, and enable content validation on the default schedule:

Get-CMDistributionPoint | Set-CMDistributionPoint -EnablePXESupport $true -AllowRespondIncomingPxeRequest $true -EnableUnknownComputerSupport $true -EnableValidateContent $true -AddBoundaryGroupName LAB -ClientCommunicationType HTTP

Let's create a network access service account for retrieving content from the distribution point:

$account = "sccm-nac"

New-ADUser -Name $account -SamAccountName $account -DisplayName $account -UserPrincipalName "$account@lab.hinchley.net" -Path "ou=Service Accounts,dc=lab,dc=hinchley,dc=net" -AccountPassword ($password = Read-Host "Password" -AsSecureString) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

Now let's configure the network access account:

$username = "LAB\$account"

New-CMAccount -Name $username -Password $password -SiteCode $sitecode
Set-CMSoftwareDistributionComponent -NetworkAccessAccount $username -SiteCode $sitecode

In a similar manner, we will create and assign a push installation service account, and in the process enable automatic site-wide deployment of the client to all device types, including site system servers and domain controllers. Note: installing the client on domain controllers requires the service account to be a member of the Domain Admins group, at least in the short term.

$account = "sccm-push"
$username = "LAB\$account"

New-ADUser -Name $account -SamAccountName $account -DisplayName $account -UserPrincipalName "$account@lab.hinchley.net" -Path "ou=Service Accounts,dc=lab,dc=hinchley,dc=net" -AccountPassword ($password = Read-Host "Password" -AsSecureString) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true -PassThru | Add-ADPrincipalGroupMembership -MemberOf "Domain Admins"
New-CMAccount -Name $username -Password $password -SiteCode $sitecode
Set-CMClientPushInstallation -EnableAutomaticClientPushInstallation $true -EnableSystemTypeConfigurationManager $true -InstallClientToDomainController $true -ChosenAccount $username -SiteCode $sitecode
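The two accounts created above have passwords that never expire and, in the push account's case, Domain Admins membership that is only meant to be temporary. The following function is an added example, not part of the original post: it audits both accounts (existence, enabled state, password policy, group membership), flags Domain Admins membership, and can optionally remove that membership once the client rollout is complete. It assumes the Active Directory module and an elevated prompt, as for the other AD commands in this post; the function name, the default account list and the -RemoveFromDomainAdmins switch are this example's own.

```powershell
# Added example, not from the original post: audit the SCCM service accounts
# created above and optionally drop the push account's Domain Admins membership.
# Assumes the Active Directory PowerShell module on an elevated prompt.

function Test-LabSccmServiceAccount {
  [CmdletBinding(SupportsShouldProcess = $true)]
  param(
    # Account names from the post; the list is this example's default
    [string[]] $Account = @('sccm-nac', 'sccm-push'),
    # Remove Domain Admins membership where found (example switch)
    [switch] $RemoveFromDomainAdmins
  )

  foreach ($name in $Account) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" `
      -Properties PasswordNeverExpires, Enabled

    if (-not $user) {
      [pscustomobject]@{
        Account = $name; Exists = $false; Enabled = $null
        PasswordNeverExpires = $null; Groups = $null; DomainAdmin = $null
      }
      continue
    }

    $groups = Get-ADPrincipalGroupMembership -Identity $user |
      Select-Object -ExpandProperty Name
    $isDomainAdmin = $groups -contains 'Domain Admins'

    # Only act when asked, and honour -WhatIf / -Confirm
    if ($isDomainAdmin -and $RemoveFromDomainAdmins -and
        $PSCmdlet.ShouldProcess($name, 'Remove from Domain Admins')) {
      Remove-ADPrincipalGroupMembership -Identity $user -MemberOf 'Domain Admins' -Confirm:$false
      $isDomainAdmin = $false
    }

    [pscustomobject]@{
      Account              = $name
      Exists               = $true
      Enabled              = $user.Enabled
      PasswordNeverExpires = $user.PasswordNeverExpires
      Groups               = ($groups -join ', ')
      DomainAdmin          = $isDomainAdmin
    }
  }
}

# Report only
Test-LabSccmServiceAccount | Format-Table -AutoSize

# After client push has reached the domain controllers, remove the elevated membership:
# Test-LabSccmServiceAccount -Account 'sccm-push' -RemoveFromDomainAdmins -WhatIf
# Test-LabSccmServiceAccount -Account 'sccm-push' -RemoveFromDomainAdmins
```

Keep the report in the lab notes: the push account should show DomainAdmin = False after the rollout, and neither account needs any group beyond Domain Users for its normal role.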

To deploy the Application Catalog web service point with default values to the primary site server:

Add-CMApplicationCatalogWebServicePoint -SiteCode $sitecode -SiteSystemServerName $site.ServerName

And to deploy the Application Catalog website point, with a NetBIOS name of SOFTWARE, and branded as Home Lab, use the following command:

Add-CMApplicationCatalogWebsitePoint -SiteCode $sitecode -SiteSystemServerName $site.ServerName -NetbiosName "SOFTWARE" -OrganizationName "Home Lab" -SiteSystemServerNameConfiguredForApplicationCatalogWebServicePoint $site.ServerName -ConfiguredAsHttpConnection

Now let's create a CNAME record in DNS for SOFTWARE (referencing the site server). This command will need to be executed on a system with the DnsServer PowerShell module.

$domain = Get-ADDomain
$suffix = $domain.DNSRoot

Add-DnsServerResourceRecordCName -Name "SOFTWARE" -HostNameAlias "BORIS.$suffix" -ZoneName $suffix -ComputerName $domain.PDCEmulator

We will now update the Computer Agent settings of the Default Client Settings object to add the Application Catalog web site to the trusted sites zone and to set the name of the Software Centre:

Set-CMClientSetting -Name "Default Client Agent Settings" -ComputerAgent -AddPortalToTrustedSiteList $true -BrandingTitle "Home Lab"

Finally, we will create a new device collection for Windows Server 2012 R2 servers:

$name = "All Windows Server 2012 R2"
New-CMDeviceCollection -Name $name -LimitingCollectionName "All Systems" -RefreshType ConstantUpdate
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -QueryExpression "select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion = 'Microsoft Windows NT Server 6.3'" -RuleName $name
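The same pattern serves for every operating system in the lab, so it is worth wrapping it in a function that can be re-run safely. The following is an added example, not part of the original post, and goes beyond the single collection above: it builds one query-based device collection per operating system, skipping collections and rules that already exist. It assumes the ConfigurationManager module is loaded and the site drive is the current location, as earlier in the post. The function name is this example's own; the Windows Server 2012 R2 value is the one from the post, and the other OperatingSystemNameandVersion values are assumed (the values the client normally reports for those releases).

```powershell
# Added example, not from the original post: create one query-based device
# collection per operating system. Assumes the ConfigurationManager module is
# loaded and the site drive is the current location.

function New-LabOsCollection {
  [CmdletBinding()]
  param(
    [Parameter(Mandatory = $true)] [string] $Name,
    [Parameter(Mandatory = $true)] [string] $OsNameAndVersion,
    [string] $LimitingCollectionName = 'All Systems'
  )

  # Safe to re-run: reuse an existing collection of the same name
  $collection = Get-CMDeviceCollection -Name $Name
  if (-not $collection) {
    $collection = New-CMDeviceCollection -Name $Name `
      -LimitingCollectionName $LimitingCollectionName -RefreshType ConstantUpdate
  }

  # Same WQL shape as the collection above; the value is a plain OS string
  # and is not expected to contain quotes
  $query = "select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion = '$OsNameAndVersion'"

  # Add the membership rule only once, using the collection name as the rule name
  $existing = Get-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $Name
  if (-not $existing) {
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name `
      -QueryExpression $query -RuleName $Name
  }

  $collection
}

# Display name -> OperatingSystemNameandVersion
# (2012 R2 value from the post; the others are assumed values)
$operatingSystems = [ordered]@{
  'All Windows Server 2012 R2' = 'Microsoft Windows NT Server 6.3'
  'All Windows Server 2012'    = 'Microsoft Windows NT Server 6.2'
  'All Windows 8.1'            = 'Microsoft Windows NT Workstation 6.3'
  'All Windows 7'              = 'Microsoft Windows NT Workstation 6.1'
}

foreach ($entry in $operatingSystems.GetEnumerator()) {
  New-LabOsCollection -Name $entry.Key -OsNameAndVersion $entry.Value
}
```

Because the collections use ConstantUpdate, membership follows discovery and hardware inventory automatically; check the MemberCount of each returned collection after the next discovery cycle to confirm the OS strings match what the clients report.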