14 November 2008

Configuration Manager in Multiple Active Directory Forests

 
Configuration Manager 2007 primary sites can be configured to span multiple Active Directory forests: a site hierarchy can have primary sites or clients in a forest other than the one that holds their parent site. Installing a secondary site in a different Active Directory forest from its parent primary site is not supported.

When deploying Configuration Manager 2007 across multiple Active Directory forests, plan for the following considerations when designing your Configuration Manager 2007 hierarchy:

  • Communications within a Configuration Manager 2007 site
  • Communications between Configuration Manager 2007 sites
  • Support for clients across forests
    • Configuring clients across Active Directory forests
    • Approving clients (mixed mode) across Active Directory forests
    • Roaming support across Active Directory forests

Cross-Forest Communications within a Configuration Manager Site

There are only two supported scenarios in which site systems belonging to a single site can be located in a different Active Directory forest from the site server:

  • The System Health Validator point, used with Network Access Protection.
  • Internet-based client management, which supports the following site systems installed in a separate forest to the site server:
    • Management point
    • Distribution point
    • Software update point
    • Fallback status point

    In either supported scenario, even if there is a two-way trust between the two forests, or external trusts between the site server's domain and the site system domain, you must specify a Windows user account for installation and configuration of the site system.

    There is an additional cross-forest configuration that applies to the site systems that support Internet-based client management. When these site systems are installed in a different forest than the site server, and you want to ensure that communication is only ever initiated from the site server to the site systems, and never from the site systems to the site server, enable the site system option Allow only site server initiated data transfers from this site system. In an Internet-based client management scenario where these site systems are installed in a perimeter network, this configuration ensures that all connections between these site systems and the intranet are only initiated from the intranet, and not from the untrusted network. It is therefore a more secure solution than accepting connections into the intranet that are initiated from the perimeter network. However, if you choose this cross-forest configuration, be aware of the following considerations:

    • You must configure a Windows user account for installation, even if there is a trust relationship between the two forests.
    • This configuration results in some latency in sending status messages to the site, with a decrease in performance on the site server.
    Important: All other site systems within a site that are not listed above must reside within the same Active Directory forest as the site server. They can be installed in different domains within that forest, with the exception of the site server, SMS Provider computer, reporting point, and site database server, which must all reside in the same domain.

    Cross-Forest Communications between Configuration Manager Sites

    Data is sent between sites in a Configuration Manager 2007 hierarchy to enable central administration within a distributed model. For example, advertisements and packages flow down from a primary site to a child primary site, and inventory data from child primary sites is sent up to the central primary site. This information is exchanged between site servers whenever a site communicates with its parent or child site. Data sent between sites is signed by default. Because sites in different Active Directory forests cannot retrieve each other's public keys from Active Directory automatically, a manual key exchange with the hierarchy maintenance tool (Preinst.exe) is required before inter-site communication can be established.

    When one or more primary sites in the Configuration Manager 2007 site hierarchy are located within different Active Directory forests, an Active Directory forest trust is not required to enable site-to-site communication as long as domain user accounts are properly configured in the sender address properties for each site. If you do not configure domain user accounts as site address accounts in the sender address properties of each site, the site server computer accounts will be used. If the site server computer accounts are used as the site address accounts, all Active Directory forests must be configured for the Windows Server 2003 forest functional level and have a two-way trust to enable site-to-site communication to succeed.

    Cross-Forest Client Support

    If you have clients that are in a different forest than their assigned site server's forest, use the following information to ensure that they are configured correctly.

    Configuring Clients across Active Directory Forests

    Configuration Manager 2007 clients on the intranet use Active Directory Domain Services as their primary method of service location and configuration. If you have clients that reside in a separate forest, they will not be able to retrieve information that is published to Active Directory Domain Services by their assigned site server.

    For these clients to be managed, you must ensure that alternative methods are available for the following:

    • Site compatibility check to complete site assignment
    • Service location for management points, and the server locator point if this is not directly assigned
    • Native mode configuration

    Configure these clients as if Active Directory Domain Services is not extended for Configuration Manager 2007. The information that these clients will need, together with additional configuration steps is listed in the section "Feature and Function Considerations for Extending the Active Directory Schema for Configuration Manager" in the following topic: Decide If You Should Extend the Active Directory Schema.

    Approving Clients (Mixed Mode) Across Active Directory Forests

    If the site is in mixed mode and you are using the site configuration of Automatically approve computers in trusted domains, you must configure the management point with an intranet fully qualified domain name (FQDN).

    For more information about approval, see About Client Approval in Configuration Manager and for procedural information about how to specify the management point's FQDN, see How to Configure the Intranet FQDN of Site Systems.

    Roaming Support across Active Directory Forests

    Clients can perform global roaming within the forest of their assigned site if all sites within the hierarchy publish site information to Active Directory Domain Services. Roaming allows clients to download software distribution package content from distribution points closest to them when they roam within the boundaries of a sibling site, a site higher in the hierarchy than their assigned site, or are otherwise not within the boundaries of their assigned site.

    If the Active Directory schema has not been extended for Configuration Manager 2007, or sites are not publishing site data to Active Directory Domain Services, clients can use a server locator point to perform regional roaming. Regional roaming allows clients to find local software distribution package content when the site that they roam into is lower in the hierarchy than their assigned site. If a server locator point is not deployed, regional roaming is supported if all management points are registered in WINS or DNS.
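    The two cases described above (a client in another forest that cannot read what its site published to Active Directory, and roaming that falls back to WINS or DNS) can be checked from a machine in the client's forest with the following PowerShell script. It is an added example and is not part of the TechNet topic. It assumes a site code ABC, a site forest DNS name corp.example, an account in that forest that may read the System Management container, and a management point running in mixed mode (plain HTTP); the mSSMSManagementPoint class and its mSSMSSiteCode, mSSMSMPName and mSSMSDefaultMP attributes are the ones created by the Configuration Manager 2007 schema extension.

```powershell
# Added example: verify cross-forest service location for ConfigMgr 2007 clients.
# Assumed placeholders: site code 'ABC', site forest 'corp.example', mixed-mode MP (HTTP).
param(
    [string]$SiteCode   = 'ABC',
    [string]$SiteForest = 'corp.example',
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message "Account that can read the System Management container in $SiteForest")
)

Add-Type -AssemblyName System.DirectoryServices

# Read the management points that the site has published to the System Management
# container of the site server's forest. From a machine in another forest this only
# works with explicit credentials for that forest, which is exactly what the ConfigMgr
# client itself does not have: it cannot use the published data on its own.
function Get-PublishedManagementPoint {
    param([string]$Forest, [string]$Code, [string]$User, [string]$Pass)
    $rootDse   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Forest/RootDSE", $User, $Pass)
    $domainNc  = $rootDse.Properties['defaultNamingContext'].Value
    $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Forest/CN=System Management,CN=System,$domainNc", $User, $Pass)
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
    # Class and attributes created by ExtADSch.exe (ConfigMgr 2007 schema extension)
    $searcher.Filter = "(&(objectClass=mSSMSManagementPoint)(mSSMSSiteCode=$Code))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('mSSMSMPName', 'dNSHostName', 'mSSMSDefaultMP'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name      = [string]$r.Properties['mssmsmpname'][0]
            Fqdn      = [string]$r.Properties['dnshostname'][0]
            DefaultMP = [bool]$r.Properties['mssmsdefaultmp'][0]
        }
    }
}

# The fallback a client without AD access relies on: the MP's FQDN must resolve from
# the client's own forest (DNS or WINS) and the MP must answer. .sms_aut?MPLIST is the
# 2007 MP's anonymous list-of-MPs request (assumed here to return XML rooted at <MPList>);
# a native-mode MP would need HTTPS and a client certificate instead.
function Test-ManagementPoint {
    param([string]$Fqdn)
    $result = [ordered]@{ Fqdn = $Fqdn; DnsResolves = $false; MpListAnswers = $false; Error = '' }
    try {
        $result.DnsResolves = @([System.Net.Dns]::GetHostAddresses($Fqdn)).Count -gt 0
        $body = (New-Object System.Net.WebClient).DownloadString("http://$Fqdn/sms_mp/.sms_aut?MPLIST")
        $result.MpListAnswers = $body -match '<MPList'
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$user = $Credential.UserName
$pass = $Credential.GetNetworkCredential().Password
$mps  = @(Get-PublishedManagementPoint -Forest $SiteForest -Code $SiteCode -User $user -Pass $pass)
if ($mps.Count -eq 0) {
    Write-Warning "Site $SiteCode publishes no management point in $SiteForest (or this account cannot read the container); clients in this forest must be given the MP directly (SMSMP= at install) or find it through WINS/DNS."
}
$mps | ForEach-Object { Test-ManagementPoint -Fqdn $_.Fqdn } | Format-Table -AutoSize
```

    A row with DnsResolves false means the client's forest has no name resolution for the MP and neither roaming nor policy retrieval will work until a DNS conditional forwarder or WINS entry exists; DnsResolves true with MpListAnswers false usually means a firewall between the forests, or a native-mode MP that refuses HTTP.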


SCCM Patch Management Enterprise Compliancy Report

SCCM Patch Management Enterprise Compliancy Report (originally available at http://myitforum.com/cs2/blogs/cstauffer/archive/2008/10/17/sccm-patch-management-enterprise-compliancy-report.aspx)

As most of you know, if you have read any of the reports that I have posted in the past, here at the Commonwealth we use collections to track agencies. This report will show you an overall status and then a breakdown of each agency. This is done by grabbing the parent collection and listing each agency.

**********************************************************

Note: You will need to change the AuthListID (the CI_UniqueID of your own update list, which includes your site's ScopeId) and, in the last SELECT statement, the parent Collection ID to match your environment.

**********************************************************

-- AuthListID: CI_UniqueID of the update list being reported on (replace with your own)
--   ScopeId_8BF42CAA-F2A7-4063-A86D-C427EAB89450/AuthList_DC329234-6F0F-4256-879B-FBA1E43A2F0B
-- CollID: the top-level collection, SMS00001 (All Systems) here

-- Resolve the update list's CI_ID; CIType_ID 9 is an update (authorization) list.
declare @CI_ID int;
select @CI_ID = CI_ID
from   v_ConfigurationItems
where  CIType_ID = 9
and    CI_UniqueID = 'ScopeId_8BF42CAA-F2A7-4063-A86D-C427EAB89450/AuthList_DC329234-6F0F-4256-879B-FBA1E43A2F0B';

-- Size of the top-level collection and how many members have the client installed.
declare @CollCount int, @NumClients int;
select @CollCount  = count(*),
       @NumClients = isnull(sum(cast(IsClient as int)), 0)
from   v_ClientCollectionMembers ccm
where  ccm.CollectionID = 'SMS00001';

-- Result set 1: collection size and the share of members without a client.
select CollectionName     = vc.Name,
       NumberInCollection = @CollCount,
       NonClients         = @CollCount - @NumClients,
       PComputers         = convert(numeric(5,2), (@CollCount - @NumClients) * 100.00 / isnull(nullif(@CollCount, 0), 1))
from   v_Collection vc
where  vc.CollectionID = 'SMS00001';

-- Result set 2: overall compliance state against the update list, as a share of
-- the whole top-level collection (members without a status row are not counted).
select   v_Collection.Name,
         sn.StateName AS Status,
         count(*)     AS NumberOfComputers,
         convert(numeric(5,2), isnull(count(*), 0) * 100.00 / isnull(nullif(@CollCount, 0), 1)) AS PComputers,
         'ScopeId_8BF42CAA-F2A7-4063-A86D-C427EAB89450/AuthList_DC329234-6F0F-4256-879B-FBA1E43A2F0B' AS AuthListID
from     v_ClientCollectionMembers AS cm
         inner join v_UpdateListStatus_Live AS cs ON cs.CI_ID = @CI_ID AND cs.ResourceID = cm.ResourceID
         inner join v_Collection            ON cm.CollectionID = v_Collection.CollectionID
         left outer join v_StateNames AS sn ON sn.TopicType = 300 AND sn.StateID = isnull(cs.Status, 0)
where    cm.CollectionID = 'SMS00001'
group by sn.StateName, v_Collection.Name
order by NumberOfComputers DESC;

-- Result set 3: the same breakdown for every direct sub-collection (agency) of the
-- parent collection PA100043 (replace with your parent collection). Note that the
-- percentage is still relative to @CollCount, the size of the top-level collection,
-- not to the size of each agency's own collection.
select   v_Collection.Name,
         sn.StateName AS Status,
         count(*)     AS NumberOfComputers,
         convert(numeric(5,2), isnull(count(*), 0) * 100.00 / isnull(nullif(@CollCount, 0), 1)) AS PComputers
from     v_ClientCollectionMembers AS cm
         inner join v_UpdateListStatus_Live AS cs ON cs.CI_ID = @CI_ID AND cs.ResourceID = cm.ResourceID
         inner join v_Collection            ON cm.CollectionID = v_Collection.CollectionID
         inner join v_StateNames AS sn      ON sn.TopicType = 300 AND sn.StateID = isnull(cs.Status, 0)
where    cm.CollectionID IN (select subCollectionID
                             from   v_CollectToSubCollect
                             where  parentCollectionID = 'PA100043')
group by sn.StateName, v_Collection.Name
order by v_Collection.Name DESC;
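The report above has to be edited by hand every time the update list or parent collection changes. The following PowerShell wrapper is an added example (not from the original post): it passes the update list ID and the parent collection as SQL parameters instead of pasting them into the statement, reads both result sets, and computes each agency's percentage against that agency's own client count rather than the parent total. The SQL server and database names are assumed placeholders; the views are the same Configuration Manager 2007 views the original report uses, and a read-only (db_datareader) login on the site database is sufficient.

```powershell
# Added example: run the compliance report with parameters instead of edited literals.
# Assumed placeholders: SQL server 'SCCMSQL01', site database 'SMS_ABC'. Uses the
# caller's Windows identity; a read-only (db_datareader) login is enough.
param(
    [string]$SqlServer        = 'SCCMSQL01',
    [string]$Database         = 'SMS_ABC',
    [string]$AuthListId       = 'ScopeId_8BF42CAA-F2A7-4063-A86D-C427EAB89450/AuthList_DC329234-6F0F-4256-879B-FBA1E43A2F0B',
    [string]$ParentCollection = 'PA100043'
)

# Single-quoted here-string: nothing is interpolated, the values arrive as SQL parameters.
$reportSql = @'
declare @CI_ID int;
select @CI_ID = CI_ID
from   v_ConfigurationItems
where  CIType_ID = 9 and CI_UniqueID = @AuthListId;

-- Result set 1: compliance state of the clients in the parent collection.
select   sn.StateName as Status,
         count(*)     as NumberOfComputers,
         convert(numeric(5,2), 100.0 * count(*) / sum(count(*)) over ()) as PComputers
from     v_ClientCollectionMembers cm
join     v_UpdateListStatus_Live cs on cs.CI_ID = @CI_ID and cs.ResourceID = cm.ResourceID
left join v_StateNames sn on sn.TopicType = 300 and sn.StateID = isnull(cs.Status, 0)
where    cm.CollectionID = @ParentCollectionID
group by sn.StateName
order by NumberOfComputers desc;

-- Result set 2: the same per direct sub-collection (agency); the percentage is
-- relative to that sub-collection's own client count, not the parent total.
select   c.Name       as CollectionName,
         sn.StateName as Status,
         count(*)     as NumberOfComputers,
         convert(numeric(5,2), 100.0 * count(*) / sum(count(*)) over (partition by c.CollectionID)) as PComputers
from     v_CollectToSubCollect sub
join     v_Collection c               on c.CollectionID = sub.subCollectionID
join     v_ClientCollectionMembers cm on cm.CollectionID = c.CollectionID
join     v_UpdateListStatus_Live cs   on cs.CI_ID = @CI_ID and cs.ResourceID = cm.ResourceID
left join v_StateNames sn             on sn.TopicType = 300 and sn.StateID = isnull(cs.Status, 0)
where    sub.parentCollectionID = @ParentCollectionID
group by c.CollectionID, c.Name, sn.StateName
order by c.Name, NumberOfComputers desc;
'@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $reportSql
[void]$cmd.Parameters.AddWithValue('@AuthListId', $AuthListId)
[void]$cmd.Parameters.AddWithValue('@ParentCollectionID', $ParentCollection)

$ds = New-Object System.Data.DataSet
try {
    [void](New-Object System.Data.SqlClient.SqlDataAdapter($cmd)).Fill($ds)
} finally {
    $conn.Dispose()
}
if ($ds.Tables[0].Rows.Count -eq 0) {
    Write-Warning "No status rows: check that the update list ID exists in v_ConfigurationItems and that collection $ParentCollection has clients."
}
"Overall compliance for collection ${ParentCollection}:"
$ds.Tables[0] | Format-Table -AutoSize
'Per sub-collection:'
$ds.Tables[1] | Format-Table -AutoSize
```

Run it as `.\Get-ComplianceReport.ps1 -ParentCollection PA100043`; the window functions (sum(count(*)) over (...)) need SQL Server 2005 or later, which is what a Configuration Manager 2007 site database runs on anyway.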


-------------------
Thanks,
http://paddymaddy.blogspot.com/


How to Configure the Client Policy Polling Interval for a Specific Collection

You may want certain clients to have a more frequent policy polling interval than the site default. To achieve this, configure a collection-specific policy polling interval, which then applies to all members of that collection.

To configure a collection-specific policy polling interval

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Collections.

  2. In the results pane, right-click the collection you want to modify, and then click Modify Collection Settings.

  3. In the Advanced tab of the Collection Properties dialog box, select Enable collection specific policy polling interval, and then specify the required policy polling interval in minutes.

  4. Click OK to close the Collection Properties dialog box.

 
 

-------------------
Thanks,
http://paddymaddy.blogspot.com/


Patch Management for SCCM Doc

Patch Deployment Documentation
 
 
 

-------------------
Thanks,
http://paddymaddy.blogspot.com/


Which collections the given systems belong to

SQL query that lists, for each of the named systems, every collection it is a member of (replace the names in the IN list with your own):

SELECT v_Collection.Name AS [Collection Name],
       v_FullCollectionMembership.Name AS [Client Name]
FROM   v_Collection
       INNER JOIN v_FullCollectionMembership
           ON v_Collection.CollectionID = v_FullCollectionMembership.CollectionID
WHERE  v_FullCollectionMembership.Name IN ('system1', 'System2')
ORDER BY [Client Name], [Collection Name]
-------------------
Thanks,
http://paddymaddy.blogspot.com/


SQL query to list all collections that given systems are members of

SQL query that returns every collection membership row for the named systems (replace the names in the IN list with your own):

SELECT * FROM v_FullCollectionMembership WHERE Name IN ('System1', 'System2')
 

-------------------
Thanks,
http://paddymaddy.blogspot.com/


11 November 2008

Step by Step guide for Installing and Configuring SCCM 2007 and Applying SP1 Build

ConfigMgr (SP1) Setup Guide

Extend the Active Directory Schema – There is no reason not to!

Four actions need to be taken in order to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:

  • Extend the Active Directory schema.

  • Create the System Management container.

  • Set security permissions on the System Management container.

  • Enable Active Directory publishing for the Configuration Manager site.

To extend the AD schema using ExtADSch.exe

1.     With the Windows Server support tools installed, run netdom query fsmo to identify the domain controller that holds the schema master role.

2.     Back up the system state on the schema master DC.

3.     Disconnect the schema master DC from the network.

4.     Log on to the schema master DC with an account that is a member of the Schema Admins security group.

5.     Run extadsch.exe, located at \smssetup\bin\i386 on the Configuration Manager installation media.

6.     Verify that the schema extension was successful by reviewing extadsch.log, which is written to the root of C:\.

After the schema has been extended with the classes and attributes required by Configuration Manager, you must create the System Management container within the System container of the site server's domain partition in Active Directory Domain Services.

Because domain controllers do not replicate their System Management container to other domains in the forest, a System Management container must be created in each domain that hosts a Configuration Manager site. (We are a one-domain forest!)

(The alternative, granting the site server's computer account Full Control on the System container so that it creates the System Management container itself when it first publishes site information to AD, gives that account far more than it needs and is not very secure!)

The ADSIEdit MMC console will be used to create the System Management container in AD – you must first install the Windows Server Support tools, run suptools.msi  from  \Support\Tools on the Windows installation media.

To create the ADSIEdit MMC console

1.     On the taskbar, click Start, and then click Run.

2.     Type mmc and click OK.

3.     On the File menu, click Add/Remove Snap-in.

4.     Click Add.

5.     Under Snap-in, select ADSI Edit.

6.     Click Close.

7.     Click OK.

To manually create the System Management container

1.     Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.

2.     Open the ADSIEdit MMC console, and connect to the domain in which the site server resides.

3.     In the console pane, expand Domain [computer fully qualified domain name], expand <distinguished name>, and right-click CN=System. On the context menu, click New and then click Object.

4.     In the Create Object dialog box, select Container and click Next.

5.     In the Value field, type System Management and click Next

6.     Click Finish

After you have created the System Management container in Active Directory® Domain Services, you must grant the primary site server's computer account the permissions necessary to publish site information to the container.

To apply permissions to the System Management container using the Active Directory Users and Computers administrative tool

1.     Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.

2.     Click View, and then click Advanced Features.

3.     Expand the System container.

4.     Right-click System Management. On the context menu, click Properties.

5.     In the System Management Properties dialog box, click the Security tab.

6.     Click Add to add the site server computer account and grant the account Full Control permissions.

7.     Click Advanced, select the site server's computer account, and click Edit.

8.     In the Apply onto list, select This object and all child objects.

9.     Click OK.

To enable a Configuration Manager site to publish site information to Active Directory Domain Services

1.     In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> - <site name>.

2.     Right-click <site code> - <site name>, and click Properties.

3.     On the Advanced tab of site properties, select the Publish this site in Active Directory Domain Services check box.

When Configuration Manager site information is published to Active Directory Domain Services, Configuration Manager clients can automatically detect server locator points and management points without generating Windows Internet Name Service (WINS) traffic. If Configuration Manager site information is not published to Active Directory Domain Services, you must manually add Configuration Manager site role information in WINS.(I don't see a reason why you don't want to publish the site information to AD!)
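The four steps above (verify the schema extension, create the System Management container, grant the site server's computer account Full Control on it, and nothing wider) can be done from PowerShell on a domain member in one go. The script below is an added example, not part of this guide; it assumes a domain NetBIOS name CORP and a site server named SCCM01 as placeholders, and that it runs as an account that may create child objects under CN=System (a Domain Admin, for instance). The final check is the point of doing it this way: the account gets Full Control on System Management and its children only, and the script warns if someone has instead granted it Full Control on CN=System, the "not very secure" shortcut mentioned earlier.

```powershell
# Added example: create CN=System Management and grant only the site server's
# computer account Full Control on it (least privilege). Assumed placeholder:
# site server computer account 'CORP\SCCM01$'. Run as an account that can create
# child objects under CN=System (for example a Domain Admin) on a domain member.
param(
    [string]$SiteServerAccount = 'CORP\SCCM01$'   # assumed; computer accounts end in $
)

Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# 1. Confirm the schema really was extended: the mSSMSSite class only exists after a
#    successful ExtADSch.exe run (compare with the "Successfully created" lines in extadsch.log).
$schemaSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
$schemaSearch.Filter = '(&(objectClass=classSchema)(lDAPDisplayName=mSSMSSite))'
if (-not $schemaSearch.FindOne()) {
    throw 'Schema is not extended for Configuration Manager 2007 (class mSSMSSite not found); run ExtADSch.exe first.'
}

# 2. Create CN=System Management under CN=System if it is not there yet.
$system = [ADSI]"LDAP://CN=System,$domainNc"
$smPath = "LDAP://CN=System Management,CN=System,$domainNc"
if ([System.DirectoryServices.DirectoryEntry]::Exists($smPath)) {
    $sm = [ADSI]$smPath
} else {
    $sm = $system.psbase.Children.Add('CN=System Management', 'container')
    $sm.psbase.CommitChanges()
}

# 3. Full Control for the site server's computer account on the container and all
#    child objects (the "This object and all child objects" setting in dsa.msc).
$sid     = (New-Object System.Security.Principal.NTAccount($SiteServerAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $inherit
$sm.psbase.ObjectSecurity.AddAccessRule($rule)
$sm.psbase.CommitChanges()

# 4. Check the result: the ACE must be on System Management, and the account must
#    NOT hold an explicit Full Control ACE on CN=System itself.
function Get-AceForSid {
    param([System.DirectoryServices.DirectoryEntry]$Entry, [System.Security.Principal.SecurityIdentifier]$Sid)
    $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid }
}
"ACEs for ${SiteServerAccount} on CN=System Management:"
Get-AceForSid -Entry $sm -Sid $sid | Select-Object ActiveDirectoryRights, InheritanceType, IsInherited
$tooBroad = Get-AceForSid -Entry $system -Sid $sid |
    Where-Object { -not $_.IsInherited -and (($_.ActiveDirectoryRights -band $rights) -eq $rights) }
if ($tooBroad) {
    Write-Warning "${SiteServerAccount} also has an explicit Full Control ACE on CN=System; remove it, the site server does not need it."
}
```

Because the System Management container is per domain, run the script once in every domain that hosts a site, then enable Publish this site in Active Directory Domain Services as in the last procedure and watch sitecomp.log on the site server for the first publishing pass.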

The First Site Server (Central Site) Setup

1.     Install Windows Server 2003 R2 Std 64 bit SP2

2.     Install IIS + BITS and Allow WebDAV in IIS Manager (Required by MP)

3.     Install SQL 2005 Std 64bit

Service Account – Select Local system

Choose Windows Authentication Mode in next screen…

4.     Install SQL SP2 - reboot

ConfigMgr 2007 Prerequisites:

  • MMC 3.0 (already included in Windows Server 2003 SP2)

  • MS06-030 (already installed)

  • Install IE 7.0 (not required) and other critical updates

  • Windows Server 2003-based schannel hotfix

    o    The Configuration Manager out of band service point requires the Windows Server 2003-based schannel hotfix, available for download at:

http://support.microsoft.com/kb/942841/en-us.

  • Windows Remote Management (WinRM) v1.1

    o    WinRM v1.1 is required to run the out of band console and must be installed before primary site or Configuration Manager console installations or upgrades. WinRM 1.1 is available for download at:

http://support.microsoft.com/kb/KB936059.

  • MMC updates for Configuration Manager (delivered through Software Updates)

    o    This software update addresses several MMC errors that may occur when running the Configuration Manager console. Apply this update if any of the following occur: the Configuration Manager console stops responding when the host computer is low on available memory, context menu errors appear on console home pages, or the display is inconsistent after failed drag-and-drop operations. More information about this update is available at: http://go.microsoft.com/fwlink/?LinkId=98349.

5.     Install WSUS 3.0 SP1 for the SUP – check Store updates locally and choose a separate drive

Select Use an existing database server on this computer (the SQL Server 2005 instance installed in step 3)

Select Create a Windows Server Update Services 3.0 SP1 Web Site (this puts WSUS on ports 8530/8531 instead of the default web site; the SUP settings below must match)

Click Next, Next to finish the setup

6.     Install ConfigMgr Site Server and Site System Roles;

Select Install a Configuration Manager site server on the first setup screen and follow the wizard

In the next screen, type in your site code and site name

Type in your SQL Server name and database name in the next screen

Then type the SMS Provider location, which should be the site server name

In the next screen, choose "Install a management point" or "Do not install a management point"

Follow through the next few screens

You will see the "Settings Summary" page next, followed by the Installation Prerequisite Check. You will most likely see a few yellow warnings; read them, but they do not stop you from clicking "Begin Install".

After about 30 minutes everything turns green

You can click View Log, or open ConfigMgrSetup.log in the root of the system drive (C:\ConfigMgrSetup.log)

Click Next – you should see "Setup completed all operations successfully". Click Finish to close the wizard.

Go to Start – ConfigMgr Console (wait for a couple of minutes for it to load)

Expand Site Management, then xy0 – Central Site, Site Settings, Site Systems, right click on your Site Server name and click New Roles

This will start New Site Role Wizard, leave the default, click Next

We are going to create a SUP – select Software Update Point and click Next

Leave it as is if you don't have Proxy server, click Next

Check Use this server as the active software update point. Because we created a custom WSUS web site during WSUS setup, change the ports to 8530 for HTTP and 8531 for HTTPS.

An active software update point is configured on the central site so that software updates can be centrally managed and monitored. Many of the software updates synchronization settings are configured at the central site and are not available at child sites. The active software update point on the central site synchronizes with Microsoft Update.

The software update point on the central site should always be configured to synchronize from Microsoft Update. When any other setting is selected, synchronization will not succeed on the central site.

Keep the default setting Do not create WSUS reporting events, and then click Next

Check Enable synchronization on a schedule and leave the default Simple schedule, then click Next

Leave the default Update classifications, click Next

Select the products you want to manage for now, click Next

In the Languages page, only leave English checked and uncheck all the other languages, click Next

Review Summary page, Click Next

When setup is done, click close – We successfully added SUP!

Next we are going to add a Reporting point and a Fallback status point

Start the New Site Role Wizard as before and select Reporting point and Fallback status point

Leave default for the next three screens and click Next and you will get to the Wizard Completed page and click close.

Use the Reporting Users group to control access to the reporting point. By default, all members of the local Administrators and Reporting Users groups have access to the reporting point web site. If users need access to reports on the reporting point, add them to the Reporting Users local group on each required reporting point. The Reporting Users group has no members by default, so do not add anyone to local Administrators just for reporting.

The Reporting Users group does not have Configuration Manager 2007 object security rights configured by default. This group needs Read security rights on the Report SMS class, or its members are not able to access reports even though they have access to the reporting web site.

Congratulations – by now, we have the Central site setup with RP, FSP and SUP!

Next we are going to build a primary site on three separate boxes: the primary site server, a MP and a SUP.

Since we just went through the above drill, the rest should be easy

·          Install Windows Server 2003 R2 x64 SP2 on all three boxes with the latest updates (then turn off automatic updates!)

·          Grant the Server2 (new primary site server) computer account Full Control on the System Management container in AD, applied to this object and all child objects

·          Install IIS on Server2

·          Install SQL Server 2005 + SP2 on Server2

·          Run the prerequisite checker on Server2 and satisfy the appropriate prerequisites!

·          Install the WSUS 3.0 SP1 administration console on Server2 (required on the site server because the SUP will be on a remote box)

·          Download and install the Microsoft Report Viewer Redistributable 2005 (the WSUS administration console requires it)

·          Install the site server on Server2, choose Custom, and select Do not install a management point

Configure the communication between the central site and the primary site

·          On Server2 – open the ConfigMgr console, right click xy1 – Primary Site, click Set Parent Site, and select the central site (xy0). The parent is always set at the child site, and the addresses between the two sites must exist (see below).

·          Add the Server1 computer account to the SMS_SiteToSiteConnection_xy1 local group on Server2

·          Add the Server2 computer account to the SMS_SiteToSiteConnection_xy0 local group on Server1

You do NOT need to make the other site server's computer account a local administrator. All you have to do is make the account specified in the site address a member of the target site's SMS_SiteToSiteConnection_<sitecode> group. Do that at each site for the account the other site uses to push data to the local site; that group membership is all the privilege the sender needs.
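The two group checks above (the SMS_SiteToSiteConnection groups at each site, and the Reporting Users group on the reporting point described earlier) are easy to get subtly wrong, so here is an added audit script. It is not from the original post; it assumes hypothetical names Server1 = central site (xy0), Server2 = child primary (xy1) and a domain called CONTOSO, and uses the ADSI WinNT provider so it runs on Windows Server 2003 with PowerShell 2.0.

```powershell
# Added example, not part of the original post. Assumed (hypothetical) names:
# Server1 = central site xy0, Server2 = child primary xy1, domain CONTOSO.
# Uses the ADSI WinNT provider so it runs on Windows Server 2003 / PowerShell 2.0.

function Get-LocalGroupMember {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$GroupName
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    # Each member's ADsPath looks like WinNT://CONTOSO/SERVER1$; return it as CONTOSO\SERVER1$
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-SiteToSiteAccount {
    param(
        [string]$TargetServer,    # site server whose local groups are inspected
        [string]$TargetSiteCode,  # its site code, e.g. xy1
        [string]$RemoteAccount    # account the other site's sender uses, e.g. CONTOSO\SERVER1$
    )
    $connGroup = "SMS_SiteToSiteConnection_$TargetSiteCode"
    $conn   = @(Get-LocalGroupMember -ComputerName $TargetServer -GroupName $connGroup)
    $admins = @(Get-LocalGroupMember -ComputerName $TargetServer -GroupName 'Administrators')
    $inConn  = $conn   -contains $RemoteAccount
    $inAdmin = $admins -contains $RemoteAccount

    if (-not $inConn) { Write-Warning "$RemoteAccount is not in $connGroup on $TargetServer; the sender from the other site will be refused" }
    if ($inAdmin)     { Write-Warning "$RemoteAccount is in local Administrators on $TargetServer; site-to-site transfer does not need that, remove it" }

    New-Object PSObject -Property @{
        Server = $TargetServer; Group = $connGroup; Account = $RemoteAccount
        InConnectionGroup = $inConn; InAdministrators = $inAdmin
    }
}

# Check both directions: xy0 pushes to xy1 and xy1 reports back to xy0.
Test-SiteToSiteAccount -TargetServer 'Server2' -TargetSiteCode 'xy1' -RemoteAccount 'CONTOSO\SERVER1$'
Test-SiteToSiteAccount -TargetServer 'Server1' -TargetSiteCode 'xy0' -RemoteAccount 'CONTOSO\SERVER2$'

# Reporting point on Server1: Reporting Users is empty by default, so every name listed here was added deliberately.
Get-LocalGroupMember -ComputerName 'Server1' -GroupName 'Reporting Users'
```

Run it from any box that can reach both site servers over RPC as an account with rights to read their local groups. A warning about local Administrators means somebody "fixed" a sender problem by over-granting; the fix is the connection group, not admin.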

To configure primary-site-to-primary-site communications, you must manually create the addresses that will be used.

Create New Standard Sender Address, see my blog

http://myitforum.com/cs2/blogs/yli628/archive/2008/06/09/how-to-establish-primary-site-to-primary-site-communications-in-configmgr-sccm.aspx

Add the site server computer account to the local Administrators group on all remote site systems!!! (If you do not want to grant the site server computer account local admin, the New Site System Server Wizard lets you specify a separate Site System Installation Account instead.) Then follow the steps below.

Set up the default MP on Server3

·          Install IIS + BITS + WebDAV on Server3 (new MP)

·          Run the prerequisite checker on Server3 and satisfy the appropriate prerequisites!

On Server2, start the ConfigMgr console and expand Site Management, then xy1 – Primary Site, Site Settings, Site Systems; right click Site Systems and click New – Server, then go through the "New Site System Server Wizard" and add the management point role. You shouldn't go wrong here.

By default, the Configuration Manager 2007 site role component installation files are installed on the first available NTFS formatted disk drive with the most available free disk space. Configuration Manager 2007 will not install site role component files on a drive that contains a file named no_sms_on_drive.sms.

You can create a no_sms_on_drive.sms file in the root folder of all drives except for the drives that you have specified as server share site systems.
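As an added example (not from the original post), the following script pins the site role files to one drive by writing no_sms_on_drive.sms to the root of every other local NTFS volume and removing any stray marker from the drive you want used. It assumes D: is the intended drive; change $KeepDrive to match, and do not run it against drives that serve as server share site systems.

```powershell
# Added example, not part of the original post. Assumed: D: is the drive that
# should receive ConfigMgr 2007 site role files; every other local NTFS drive
# gets the no_sms_on_drive.sms marker. Runs on Windows Server 2003 / PowerShell 2.0.

function Set-NoSmsOnDrive {
    param([string]$KeepDrive = 'D:')
    $result = @()
    # DriveType 3 = local fixed disk; ConfigMgr only considers NTFS volumes, so skip the rest.
    foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3 AND FileSystem='NTFS'") {
        $marker = Join-Path "$($d.DeviceID)\" 'no_sms_on_drive.sms'
        if ($d.DeviceID -eq $KeepDrive) {
            # The chosen drive must NOT carry the marker, or ConfigMgr will skip it too.
            if (Test-Path $marker) { Remove-Item $marker -Force }
            $state = 'eligible'
        } else {
            if (-not (Test-Path $marker)) { New-Item $marker -ItemType File | Out-Null }
            $state = 'blocked'
        }
        $result += New-Object PSObject -Property @{
            Drive  = $d.DeviceID
            FreeGB = [math]::Round($d.FreeSpace / 1GB, 1)
            State  = $state
        }
    }
    $result
}

# Run on each site server and site system before adding roles, then review the table.
Set-NoSmsOnDrive -KeepDrive 'D:' | Format-Table Drive, FreeGB, State -AutoSize
```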

Since the MP is on a different box, you also need to grant the Server3 computer account Full Control on the System Management container in AD (the management point publishes its own record there).
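Both the site server (Server2) and the remote MP (Server3) now need Full Control on the System Management container, and the whole point of publishing (see the AD versus WINS note at the top of this section) is that clients read management point records from it. The added script below, which is not from the original post, lists every account holding Full Control on the container, confirms the two publishing accounts are among them, and then shows the mSSMSManagementPoint objects clients will actually find. Hypothetical names: domain CONTOSO with computer accounts SERVER2$ and SERVER3$.

```powershell
# Added example, not part of the original post. Assumed (hypothetical) names:
# site server SERVER2$ and management point SERVER3$ in domain CONTOSO.
# Plain ADSI / System.DirectoryServices, so it runs on Windows Server 2003 / PowerShell 2.0.

function Get-SystemManagementContainer {
    $dn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    [ADSI]"LDAP://CN=System Management,CN=System,$dn"
}

function Get-SystemManagementFullControl {
    # Every Allow ACE that grants GenericAll (Full Control) on the container.
    $container = Get-SystemManagementContainer
    $full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $rules = $container.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and (($ace.ActiveDirectoryRights -band $full) -eq $full)) {
            New-Object PSObject -Property @{
                Identity    = $ace.IdentityReference.Value
                Inheritance = $ace.InheritanceType   # 'All' = this object and all descendant objects
                Inherited   = $ace.IsInherited
            }
        }
    }
}

function Test-PublishingAccount {
    param([string[]]$Account)
    $full = @(Get-SystemManagementFullControl)
    foreach ($a in $Account) {
        $ok = $full | Where-Object { $_.Identity -eq $a -and $_.Inheritance -eq 'All' }
        if ($ok) { "$a has Full Control on System Management and all descendants - OK" }
        else     { Write-Warning "$a lacks Full Control (this object and all descendants); its site or MP data will not publish" }
    }
    # Anyone else with Full Control can rewrite what clients read from AD, so list them for review.
    $full | Where-Object { $Account -notcontains $_.Identity } | Format-Table Identity, Inheritance, Inherited -AutoSize
}

function Get-PublishedManagementPoint {
    # What clients see: mSSMSManagementPoint objects published under System Management.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher((Get-SystemManagementContainer))
    $searcher.Filter = '(objectClass=mSSMSManagementPoint)'
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SiteCode  = [string]$r.Properties['mssmssitecode'][0]
            MPName    = [string]$r.Properties['mssmsmpname'][0]
            DefaultMP = [bool]$r.Properties['mssmsdefaultmp'][0]
        }
    }
}

Test-PublishingAccount -Account 'CONTOSO\SERVER2$', 'CONTOSO\SERVER3$'
Get-PublishedManagementPoint | Format-Table SiteCode, MPName, DefaultMP -AutoSize
```

If the MP record for xy1 does not appear a few minutes after the role installs, the ACL check is the first place to look; an inheritance type other than All is the usual cause, because the wizard in AD Users and Computers defaults to "this object only".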

Set up the SUP/WSUS on Server4

·          Install IIS

·          Install WSUS 3.0 SP1 (of course install the Report Viewer 2005 Redistributable first)

·          Select Create a Windows Server Update Services 3.0 SP1 Web Site

Add a new site system on Server2 and add Server4 with the software update point role, as we did for Server3 (MP); because of the custom WSUS web site, use ports 8530/8531 again.

 

Congratulations again – by now we have a fully functional central site and primary site. Next you can configure the site boundaries, enable the client agents, configure discovery methods, tune the schedules, etc.

For client installation methods – I prefer Software Update Point Client Installation

http://technet.microsoft.com/en-us/library/bb633194(TechNet.10).aspx

http://sccmnap.com/blogs/rgotnap/archive/2008/06/09/details-for-obtaining-100-configmgr-client-installation-amp-reach.aspx

Remember, the FSP is not published to AD, so you have to hand it to the client (the SMSFSP=<server> client installation property, which can be set through Group Policy) or the client cannot locate its FSP!
-------------------
Thanks,
http://paddymaddy.blogspot.com/