WSUS

SCCM 2012 R2 – Installation & Configuration

As a follow-up to my System Center 2012 R2 Infrastructure Planning post on SCCM, I’ll use this post to consolidate some of the resources that I found for the installation and configuration of Configuration Manager 2012 R2.

My SCCM environment consists of a Stand-Alone Primary Site Server with a remote SQL Server, both running Windows Server 2012 R2, so much of this information will be geared towards similar environments.

First and foremost I highly recommend bookmarking and reading through the System Center 2012 Configuration Manager Survival Guide and the Windows-noob System Center 2012 Configuration Manager Guides. I’ve found both to be invaluable resources as they contain step-by-step guides for installing and configuring most of the major SCCM 2012 features. Since these guides are fairly exhaustive I won’t bother reposting most of what they already cover, so if you don’t see something here check them out.

Pre-Installation Tasks

Again, my SCCM environment will consist of two Windows Server 2012 R2 servers:

Server 1 – SCCM Primary Site Server and SQL Reporting Services

Server 2 – SQL Server for Site and Reporting Databases

  1. Extend the Active Directory Schema

Information on deciding whether to extend the AD schema for SCCM, and details of the process:

Extending the Schema in System Center 2012 Configuration Manager

Extending the AD Schema for Configuration Manager 2012

Deploying SCCM 2012 Part 2 – Creating Container, Extending the AD Schema 

  2. Create resource accounts in Active Directory

Some good resources on the common accounts needed for SCCM:

Using System Center 2012 Configuration Manager – Part 1. Installation – CAS

System Center 2012 Service Accounts & Permissions

Technical Reference for Accounts Used in Configuration Manager

These sources list a number of accounts but, for the sake of simplicity in a relatively small environment, I created a single SMSAdmin account that I will be using for just about everything in SCCM. All of the resource accounts listed require little more than domain user and local administrative privileges on the Site and SQL servers. The only additional step that was needed was to delegate permissions for the SMSAdmin account to join computers to the domain for OSD, which I just did to a single test OU for the time being.

Joining a computer to domain by delegating to domain user
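The delegation step above can be done with far less than full control of the OU. The following PowerShell script is an added example (not from the original post or the linked guide) that grants an account only the rights a domain-join account needs on one OU: create and delete computer objects, reset the password of computer objects, write the Account Restrictions property set, and the validated writes to dNSHostName and servicePrincipalName. The domain, account and OU names are assumptions; the GUIDs are the well-known schema and extended-right GUIDs for those objects. Run it with the ActiveDirectory module from an account that can modify the OU's ACL.

```powershell
# Added example, not from the original post: least-privilege delegation of the
# "join computers to the domain" rights for one account on one OU.
Import-Module ActiveDirectory

$Account = 'CORP\SMSAdmin'                     # assumed: the SCCM resource account
$OU      = 'OU=OSD Test,DC=corp,DC=example'    # assumed: the test OU used for OSD

# Well-known GUIDs (schema class, extended rights, property set, validated writes)
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # objectClass "computer"
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right "Reset Password"
$AccountRestr  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set "Account Restrictions"
$ValidatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # "Validated write to DNS host name"
$ValidatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # "Validated write to service principal name"

$id    = New-Object System.Security.Principal.NTAccount($Account)
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # Create/delete computer objects in this OU and any sub-OU
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow, $ComputerClass, $All)
    # On computer objects below the OU: reset password (needed when re-joining)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Allow, $ResetPassword, $Desc, $ComputerClass)
    # Read/write the Account Restrictions property set (userAccountControl etc.)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Allow, $AccountRestr, $Desc, $ComputerClass)
    # Validated writes to dNSHostName and servicePrincipalName ("Self" = validated write)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $Allow, $ValidatedDns, $Desc, $ComputerClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $Allow, $ValidatedSpn, $Desc, $ComputerClass)
)

$acl = Get-Acl -Path "AD:\$OU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: show exactly what the account now holds on the OU
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Because the ACEs are scoped to the computer object class and to this OU only, the account cannot create users or groups, touch other OUs, or modify anything on existing computers beyond the password and account-restriction attributes a join needs.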

  3. Add Server Roles to Server 1

SCCM 2012 Installation Guide

Configuration Manager 2012 Implementation and Administration

Prepare the Windows Environment for Configuration Manager

  • Installed Windows Server Update Services (WSUS)
  • Installed IIS with the following Role Services:
    • Common HTTP Features
      • Default Document
      • Directory Browsing
      • HTTP Errors
      • Static Content
      • HTTP Redirection
    • Health and Diagnostics
      • HTTP logging
      • Logging tools
      • Request Monitor
      • Tracing
    • Performance
      • Static Content Compression
    • Security
      • Request Filtering
      • Basic Authentication
      • URL Authorization
      • IP and Domain Restrictions
      • Windows Authentication
    • Application Development
      • .NET Extensibility 3.5
      • .NET Extensibility 4.5
      • ASP.NET 3.5
      • ASP.NET 4.5
      • ASP
      • ISAPI Extensions
      • ISAPI Filters
    • Management Tools
      • IIS Management Console
        • IIS 6 Management Compatibility
          • IIS 6 Metabase Compatibility
          • IIS 6 Management Console
          • IIS 6 Scripting Tools
          • IIS 6 WMI Compatibility
      • IIS Management Scripts and Tools
      • Management Service
  4. Add Features on Server 1

  • .NET Framework 3.5 Features
    • .NET Framework 3.5
    • HTTP Activation
  • .NET Framework 4.5 Features
    • .NET Framework 4.5
    • ASP.NET 4.5
    • WCF Services
      • TCP Port Sharing
  • Background Intelligent Transfer Service (BITS)
    • IIS Server Extension
  • Remote Differential Compression
  • Remote Server Administration Tools
    • Feature Administration Tools
      • BITS Server Extensions Tools
  • SMB 1.0/CIFS File Sharing Support
  • User Interfaces and Infrastructure
    • Graphical Management Tools and Infrastructure
    • Server Graphical Shell
  • Windows PowerShell
    • Windows PowerShell 4.0
    • Windows PowerShell 2.0
    • Windows PowerShell ISE
  • WoW64 Support
  5. Download and Install Windows ADK for Windows 8.1 on Server 1

Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1

Installed the following:

  • Deployment Tools
  • Windows PE
  • User State Migration Tool (USMT)
  6. Run SCCM Prerequisite Check on Server 1

http://technet.microsoft.com/library/gg712320.aspx#BKMK_PrerequisiteChecker

To ensure my server was fully prepared for SCCM, I ran the prerequisite checker included on the installation media. With the media mounted, browse to and run “SMSSETUP\BIN\x64\prereqchk.exe /local” to run all checks.

The prerequisite check failed for me on the SQL server pass because SQL is not locally installed on the Primary Site Server, but all other checks passed.
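The Server 1 preparation steps above (roles and features, ADK, prerequisite check) can be scripted instead of clicked through in Server Manager. The following PowerShell script is an added example, not part of the original post or the linked guides. The feature names are the Install-WindowsFeature equivalents of the role services and features listed above; the three paths (Server 2012 R2 media, ADK installer, ConfigMgr media) are assumptions for this example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on Server 1 (Windows Server 2012 R2).
$SxsSource = 'D:\sources\sxs'                  # assumed: mounted Server 2012 R2 media (.NET 3.5 payload)
$AdkSetup  = 'C:\Install\ADK81\adksetup.exe'   # assumed: downloaded Windows ADK for Windows 8.1 installer
$CmMedia   = 'E:\'                             # assumed: mounted ConfigMgr 2012 R2 media

# Role services and features from the lists above, by Install-WindowsFeature name
$Features = @(
    'UpdateServices'   # WSUS; installs the Windows Internal Database (UpdateServices-WidDB) by default
    # IIS: Common HTTP Features
    'Web-Server', 'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content', 'Web-Http-Redirect'
    # IIS: Health and Diagnostics
    'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing'
    # IIS: Performance
    'Web-Stat-Compression'
    # IIS: Security
    'Web-Filtering', 'Web-Basic-Auth', 'Web-Url-Auth', 'Web-IP-Security', 'Web-Windows-Auth'
    # IIS: Application Development
    'Web-Net-Ext', 'Web-Net-Ext45', 'Web-Asp-Net', 'Web-Asp-Net45', 'Web-ASP', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter'
    # IIS: Management Tools, including IIS 6 Management Compatibility
    'Web-Mgmt-Console', 'Web-Mgmt-Compat', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console', 'Web-Lgcy-Scripting', 'Web-WMI'
    'Web-Scripting-Tools', 'Web-Mgmt-Service'
    # .NET Framework 3.5 / 4.5 features
    'NET-Framework-Core', 'NET-HTTP-Activation', 'NET-Framework-45-Core', 'NET-Framework-45-ASPNET', 'NET-WCF-TCP-PortSharing45'
    # BITS, RDC, RSAT for BITS, SMB 1.0, GUI, PowerShell, WoW64
    'BITS', 'BITS-IIS-Ext', 'RDC', 'RSAT-Bits-Server', 'FS-SMB1'
    'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell', 'PowerShell', 'PowerShell-V2', 'PowerShell-ISE', 'WoW64-Support'
)

# Roles and features (-Source is needed for .NET 3.5 on Server 2012 R2)
$result = Install-WindowsFeature -Name $Features -Source $SxsSource
if (-not $result.Success) { throw "Feature installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -ne 'No') { Write-Warning 'Restart the server before running the prerequisite check.' }

# Windows ADK for Windows 8.1: Deployment Tools, Windows PE and USMT only
$adkArgs = '/quiet', '/norestart', '/features',
           'OptionId.DeploymentTools', 'OptionId.WindowsPreinstallationEnvironment', 'OptionId.UserStateMigrationTool'
$adk = Start-Process -FilePath $AdkSetup -ArgumentList $adkArgs -Wait -PassThru
if ($adk.ExitCode -ne 0) { throw "ADK setup exited with code $($adk.ExitCode)" }

# ConfigMgr prerequisite checker; it writes ConfigMgrPrereq.log to the root of the system drive
Start-Process -FilePath (Join-Path $CmMedia 'SMSSETUP\BIN\X64\prereqchk.exe') -ArgumentList '/LOCAL' -Wait
# Rough filter for anything that did not pass (with a remote SQL server, expect the SQL checks here)
Get-Content -Path (Join-Path $env:SystemDrive 'ConfigMgrPrereq.log') |
    Select-String -Pattern 'Error|Warning' -CaseSensitive
```

After a restart, `Get-WindowsFeature -Name $Features | Where-Object InstallState -ne Installed` is a quick way to confirm nothing in the list was skipped.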

  7. Install SQL Server on Server 2

We chose to go with SQL Server 2012, but if you prefer a different version see the requirements chart:

SQL Server versions that are supported by System Center 2012 Configuration Manager

System Center 2012 Configuration Manager Best Practices:

“SQL Collation must be set to ‘SQL_Latin1_General_CP1_CI_AS'”

“Why is it important? Well, firstly because it is a setting that most people don’t change (as it’s hidden from view) and secondly it’s set based on your regional settings. When you install SQL Server (which ConfigMgr needs to host its database) the SQL Collation is ‘set in stone’ during setup, that’s why knowing what your SQL Collation is and what it should be are important prior to running ConfigMgr setup. To learn how to identify your SQL Collation on a running SQL Server and how to change SQL Collation during SQL Server setup see this post. Having the wrong SQL Server Collation will require you to reinstall SQL Server from scratch, and that takes time and effort.”

“Best Practices for SQL Server Installation”

“A lot of early adopters of System Center 2012 Configuration Manager are having issues getting SQL Server installed correctly. Many issues are due to having the wrong supported version or cumulative update applied. For information on supported versions please see Supported Configurations for Configuration Manager: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig
SQL server issues can also be seen when having the wrong certificate applied or by misconfiguring the port. For SQL Server installation and configuration tips see the support blog http://blogs.technet.com/b/configurationmgr/archive/2012/05/03/fix-unable-to-connect-cas-or-primary-to-the-sql-database-during-the-system-center-2012-configuration-manager-setup.aspx”

SQL Server Installation Guides:

Installing SQL Server for SCCM 2012 SP1

See Step 11 here:

Using System Center 2012 Configuration Manager – Part 1. Installation – CAS

These guides are for SQL Server 2008, but still a good reference for setting up 2012.

I used a custom instance name (e.g. OrgSCCM) to help distinguish the SCCM databases and added my SMSAdmin resource account to the local admin group on Server 2.
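Since the server collation cannot be changed after setup, it is worth checking it from Server 1 before ConfigMgr setup ever touches the instance. The following PowerShell script is an added example, not from the original post or the quoted best-practices page: it queries the instance over .NET SqlClient for the server collation, product version and the TCP port the connection actually used, then lists any existing database whose collation differs from the server's. The instance name is an assumption based on the OrgSCCM example above; run it as an account with a login on the instance (e.g. SMSAdmin).

```powershell
# Added example, not from the original post: pre-setup checks against the
# ConfigMgr site database instance.
function Invoke-SqlQuery {
    param([string]$Instance, [string]$Query)
    $conn  = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($Query, $conn)
        [void]$adapter.Fill($table)
    } finally { $conn.Dispose() }
    return ,$table   # the leading comma keeps the DataTable from being unrolled into rows
}

$Instance = 'Server2\OrgSCCM'                # assumed: remote instance hosting the site database
$Expected = 'SQL_Latin1_General_CP1_CI_AS'   # collation ConfigMgr requires

$serverQuery = @"
SELECT CONVERT(sysname, SERVERPROPERTY('Collation'))      AS ServerCollation,
       CONVERT(sysname, SERVERPROPERTY('ProductVersion')) AS ProductVersion,
       CONVERT(sysname, SERVERPROPERTY('ProductLevel'))   AS ProductLevel,
       (SELECT local_tcp_port FROM sys.dm_exec_connections
         WHERE session_id = @@SPID)                        AS TcpPort   -- NULL when connected via shared memory
"@
$s = (Invoke-SqlQuery -Instance $Instance -Query $serverQuery).Rows[0]

"Instance $Instance : SQL Server $($s.ProductVersion) $($s.ProductLevel), connected on TCP port $($s.TcpPort)"
if ($s.ServerCollation -ne $Expected) {
    Write-Warning "Server collation is '$($s.ServerCollation)', expected '$Expected'. This cannot be changed without reinstalling the instance; fix it before ConfigMgr setup."
} else {
    "Server collation OK: $($s.ServerCollation)"
}

# Collation is also a per-database property; flag any existing database that differs
# (relevant if you pre-create the site or reporting databases yourself).
$dbQuery = @"
SELECT name, collation_name
FROM   sys.databases
WHERE  collation_name <> CONVERT(sysname, SERVERPROPERTY('Collation'))
"@
$dbs = Invoke-SqlQuery -Instance $Instance -Query $dbQuery
if ($dbs.Rows.Count -gt 0) {
    Write-Warning 'Databases whose collation differs from the server collation:'
    $dbs | Format-Table name, collation_name -AutoSize
}
```

Running this from Server 1 rather than on Server 2 also proves that the firewall and the instance's TCP listener are already set up the way ConfigMgr setup will need them.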

  8. Install SQL Server Reporting Services on Server 1

To install SSRS, I just ran the SQL Server 2012 installer and selected only the Reporting feature. I also used a custom instance name e.g. SCCMSRS.

After installation, I then just used the Reporting Services Configuration Manager on Server 1 to point it to the SCCM DB instance on Server 2 for the Reporting Server Database location using the SMSAdmin account.

Install and Configure SCCM on Server 1

Now we’re ready to install Configuration Manager. For the installation and basic setup of SCCM components, I generally referred to the two master guides that I mentioned at the start of this post. Some specific guides:

Using SCCM 2012 RC in a LAB – Part 1. Installation

Using SCCM 2012 RC in a LAB – Part 3. Configuring Discovery and Boundaries

Using SCCM 2012 RC in a LAB – Part 4. Configuring Client Settings and adding roles

Using SCCM 2012 RC in a LAB – Part 2. Add SUP and WDS

Once again, they’re geared towards lab environments but they proved more than adequate to get me up and running and comfortable enough with the basics to make the customizations I needed.

 

I’ll create additional posts in the coming weeks on SCCM 2012 R2 as I get further into my testing to highlight any issues that I run in to and provide solutions.

-Rick

WSUS Best Practices

Here’s a very good blog post I came across with some WSUS best practices for anyone else looking to implement WSUS for the first time or review your patching strategies.

http://microsoftguru.com.au/2013/07/19/windows-server-patching-best-practices/

Some highlights:

“Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

1. UAT (UAT1, UAT2, etc)

2. Test Environment (Test1, Test2, etc)

3. Development Environment (Dev1, Dev2 etc)

4. Production (Prod1, Prod2, etc)

If you have a clustered environment like SQL, Exchange and SharePoint, then create Prod1 and Prod2 groups and place each node in a separate group.”

“System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.”

“A scheduled maintenance window must be agreed with the business so that application outages and server reboots can maintain a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock then you must consider application dependencies. A patching schedule can be considered between 6:00 P.M. Friday and 6:00 A.M. Monday on a Friday of every month. Set up a maintenance window in System Center or a deadline in WSUS to make sure patches are applied when you want, instead of when a patch becomes available. In this way you will have complete control over change windows approved by the change advisory board (CAB). Do not allow end users to install patches on their client machines according to their wishes and happiness! Then users will never install any patch.”

“Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:

  • A full backup of all databases on the server.
  • A full backup of transaction log and log backup
  • A system state backup of the server.
  • A snapshot of virtualized exchange server. Delete snapshot after successful patching and updating.”

Here are some other useful resources for WSUS:

WSUS Role Installation Fails on Windows Server 2012 R2

I was attempting to add the WSUS role on a Windows Server 2012 R2 system earlier this week and I ran into this error during the installation.

“The request to add or remove features on the specified server failed. The operation cannot be completed because the server that you specified requires a restart.”

After several subsequent reboots and attempts to add the role I continued receiving this same error, so I started doing some research. I got several hits and this appears to be a fairly common issue with Server 2012, specifically when choosing to use the Windows Internal Database (WID).

The issue is that WID relies on the NT SERVICE\MSSQL$MICROSOFT##WID account to start the service, and this account must have Log on as a service rights on the system.

Generally I don’t think this would be an issue, and if it is you should be able to simply use the local Group Policy editor (gpedit.msc) or a domain GPO to grant this account Log on as a service rights by using the following policy setting:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service (in the local editor, gpedit.msc, there is no Policies node: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment)

Open the Log on as a service setting, check the box to Define these policy settings, and then add NT SERVICE\MSSQL$MICROSOFT##WID

However, to maintain security compliance as we move to Server 2012 R2, a domain Group Policy was recently created using Microsoft’s Security Compliance Manager (I may write a separate post on SCM later) and applied. As part of the Windows Server 2012 Security Baseline, Microsoft adds NT SERVICE\ALL SERVICES to the Deny log on as a service security policy. So because ALL SERVICES is being denied, even after adding MSSQL$MICROSOFT##WID to the Allow log on as a service policy locally, the WSUS role still failed to install for me.

To finally get the WSUS role installation to complete, I had to modify this new domain Group Policy and remove the ALL SERVICES account from the Deny log on as a service policy first, then add NT SERVICE\MSSQL$MICROSOFT##WID to the Log on as a service policy setting locally on the server.
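Because a deny entry always wins over an allow entry, the useful check before adding the WSUS role is the effective User Rights Assignment on the server, not just what was typed into the local policy. The following PowerShell script is an added example, not from the original post: it exports the effective user rights with secedit, computes the WID service SID with sc.exe showsid (which works even before the service exists), and reports whether WID is allowed, not granted, or blocked by a deny on itself or on NT SERVICE\ALL SERVICES (S-1-5-80-0). The one assumption is that the secedit export reflects the rights in effect after Group Policy has applied, which is the case because GPO writes user rights into the local LSA policy.

```powershell
# Added example, not from the original post: audit "Log on as a service" and
# "Deny log on as a service" for the WID service account before installing WSUS.
function Get-ServiceLogonRights {
    # Export the effective user-rights assignments (assumption: includes GPO-applied rights)
    $inf = Join-Path $env:TEMP ('ur_{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try     { $lines = Get-Content -Path $inf }
    finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }

    function Get-Right([string]$Privilege) {
        $line = $lines | Where-Object { $_ -match ('^{0}\s*=' -f [regex]::Escape($Privilege)) }
        if (-not $line) { return @() }
        # Entries look like *S-1-5-80-0 (a SID) or a plain account name
        $entries = ($line -split '=', 2)[1] -split ','
        @($entries | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    [pscustomobject]@{
        Allow = Get-Right 'SeServiceLogonRight'
        Deny  = Get-Right 'SeDenyServiceLogonRight'
    }
}

function Resolve-Principal([string]$Entry) {
    # Show SIDs as names where this machine can resolve them (S-1-5-80-0 -> NT SERVICE\ALL SERVICES)
    if ($Entry -notmatch '^S-1-') { return $Entry }
    try   { (New-Object System.Security.Principal.SecurityIdentifier($Entry)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Entry }
}

$WidService     = 'MSSQL$MICROSOFT##WID'
$WidSid         = (sc.exe showsid $WidService | Select-String 'SERVICE SID:').Line -replace '^.*SID:\s*', ''
$AllServicesSid = 'S-1-5-80-0'   # NT SERVICE\ALL SERVICES

$rights = Get-ServiceLogonRights
'Allow log on as a service : ' + (($rights.Allow | ForEach-Object { Resolve-Principal $_ }) -join ', ')
'Deny  log on as a service : ' + (($rights.Deny  | ForEach-Object { Resolve-Principal $_ }) -join ', ')

$widAllowed = ($rights.Allow -contains $WidSid) -or ($rights.Allow -contains "NT SERVICE\$WidService")
$widDenied  = ($rights.Deny  -contains $WidSid) -or ($rights.Deny  -contains "NT SERVICE\$WidService") -or
              ($rights.Deny  -contains $AllServicesSid)

if ($widDenied) {
    Write-Warning "WID ($WidSid) is denied 'Log on as a service', directly or via ALL SERVICES; the WSUS role install will fail until that deny is removed."
} elseif (-not $widAllowed) {
    Write-Warning "WID ($WidSid) is not granted 'Log on as a service'; add only this SID, not NT SERVICE\ALL SERVICES."
} else {
    "WID ($WidSid) can log on as a service; user rights will not block the WSUS/WID install."
}
```

The same script, run after a gpupdate, confirms that the Group Policy change actually reached the server before you retry the role installation.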

For some more details and a few screenshots of the initial troubleshooting and resolution to this issue, check out one of the blog posts that I came across during my research. WSUS Role failed on Windows server 2012 with error…

You may notice that the blog I linked as well as many others I came across recommend just adding NT SERVICE\ALL SERVICES to the Log on as a service setting. Since Microsoft’s baseline security settings for Server 2012 specifically DENY log on as a service access to ALL SERVICES, I opted to only add the account explicitly required by WID to avoid opening up any more security vulnerabilities than I had to.

I’ll need to go back and take another look at our Server 2012 security policy to see if there’s another way around this while still denying log on as a service access to unneeded service accounts. I guess the easiest (and maybe best) thing to do would be to avoid using WID altogether and instead use a SQL Server instance.

That also leads me to another interesting topic that I’ll probably write another post about down the road. I’m installing WSUS with WID for now for the sake of time, but I may migrate it over to a SQL Server once I can. For a preview of that job, check out Migrate Windows Internal Database to SQL Server.


-Rick