Once all the prerequisites have been installed and the Active Directory schema has been extended for the ConfigMgr 2012 SP1 installation (see this blog post), we need to prepare the environment before kicking off with the installation.

Overview

  • Create a ConfigMgrAdmins group and a CMAdmin user
  • Create a Restricted Groups GPO
  • Create the System Management container
  • Open Windows Firewall ports on Primary Site server and SQL Server

Create a ConfigMgrAdmins group and a CMAdmin user

In this step we’ll be creating a ConfigMgr 2012 SP1 Administrators group called ConfigMgrAdmins and the ConfigMgr Administrator account called CMAdmin. I’ll assume that you have basic knowledge of creating users and groups in Active Directory, so this part will not be a deep dive into each required step.

1. Open Active Directory Users and Computers.
2. Right-click on an OU of your choice (in my case Contoso.com/Users) and select New -> User.
3. Type CMAdmin under First name and User logon name. Click Next and complete the wizard.

4. Right-click on an OU of your choice (in this case Contoso.com/Groups) and select New -> Group.
5. Type ConfigMgrAdmins in the Group name field and click OK.

6. Open the newly created ConfigMgrAdmins group and add CMAdmin as a member.

Create a Restricted Groups GPO

In this step we’ll be creating a GPO that adds the ConfigMgrAdmins group to the local Administrators group on all ConfigMgr 2012 servers (initially you’ll only have one server, but that number will most likely grow).

1. Open the Group Policy Management console.
2. Right-click on the OU where the ConfigMgr servers are located (in this case Contoso.com/Servers/ConfigMgr Servers) and select Create a GPO in this domain, and Link it here.

3. Name the GPO ConfigMgr Local Admins and click OK.
4. Right-click the newly created GPO and select Edit.
5. Expand Computer Configuration\Policies\Windows Settings\Security Settings, right-click on Restricted Groups and select Add Group.

6. Type ConfigMgrAdmins in the Add Group window and click OK.
7. Click on Add next to Members of this group.
8. Type ConfigMgrAdmins and click OK.
9. Click on Add next to This group is a member of.
10. Type BUILTIN\Administrators and click OK.

11. Click OK and close Group Policy Management Editor and Group Policy Management.
12. On your soon-to-be ConfigMgr 2012 SP1 server, open a command prompt and type gpupdate /force.
13. In the Server Manager Tools tab, open Computer Management.
14. Expand Local Users and Groups\Groups. Open Administrators. You should now see that the CONTOSO\ConfigMgrAdmins group has been added to the local Administrators group.

Create the System Management container

In this step we’ll create the System Management container in Active Directory, which ConfigMgr 2012 SP1 uses to store data such as Boundaries.

1. Open ADSI Edit and connect to the Default naming context.
2. Expand Default naming context and then your domain (in this case DC=contoso,DC=com).
3. Right-click on System and select New -> Object.

4. In the Create Object window, select container and click Next.
5. In the Value field type System Management. Click Next and then Finish. Note: It’s really important that you get the spelling correct, otherwise you’ll not be able to install ConfigMgr 2012 SP1.
6. Select System in the left pane, right-click on System Management in the right pane and select Properties.
7. Click on the Security tab and click Add.
8. Click on Object Types, select Computers and click OK.
9. In the Enter the object names to select field, type the name of your soon-to-be ConfigMgr 2012 SP1 server (in this case CM01) and click OK.
10. In Permissions for CM01$, select Full Control in the Allow column and click OK.

Note: You’ll have to add each new site server that you install in your hierarchy with Full Control permissions to the System Management container. 
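
To confirm the steps above took effect, the following PowerShell is an added example (not part of the original post) that checks the container name and each site server's Full Control entry, then lists the explicit permissions for review. It assumes the RSAT ActiveDirectory module is installed and uses CM01 from this walkthrough; $SiteServers is a variable name introduced here.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SiteServers = @('CM01')   # assumption: site servers that need Full Control
$domain      = Get-ADDomain
$containerDN = "CN=System Management,CN=System,$($domain.DistinguishedName)"
$fullControl = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# 1. The container must exist under CN=System with exactly this name.
try {
    $container = Get-ADObject -Identity $containerDN -ErrorAction Stop
} catch {
    Write-Warning "Not found: $containerDN (check the spelling of 'System Management')"
    return
}
if ($container.ObjectClass -ne 'container') {
    Write-Warning "Object class is '$($container.ObjectClass)', expected 'container'"
}

# 2. Read the ACL through the AD: drive that the ActiveDirectory module provides.
$acl = Get-Acl -Path "AD:\$containerDN"

# 3. Each site server's computer account (name ends in $) needs an Allow ACE
#    whose rights include every bit of Full Control (GenericAll).
foreach ($name in $SiteServers) {
    $account = '{0}\{1}$' -f $domain.NetBIOSName, $name
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $fullControl) -eq $fullControl
    }
    if ($ace) { Write-Output "OK       $account has Full Control" }
    else      { Write-Warning "MISSING  $account has no Full Control ACE" }
}

# 4. List every explicit (non-inherited) Allow ACE so unexpected principals
#    with rights on the container stand out during review.
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

Add each new site server to $SiteServers as your hierarchy grows, and rerun the check after granting its permissions.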

Open Windows Firewall ports on Primary Site server and SQL Server

Open an elevated PowerShell console and run the following command on your soon-to-be Primary Site server and SQL server:

New-NetFirewallRule -Profile Domain -DisplayName "SQL Ports" -Direction Inbound -Action Allow -LocalPort 1433,4022 -Protocol TCP

That’s it! Now you can go ahead and run the installation of ConfigMgr 2012 SP1.

Nickolaj Andersen
Principal Consultant and Enterprise Mobility MVP. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows deployments and Automation. In 2015 Nickolaj was awarded as PowerShell Hero by the community for his script and tools contributions. Author of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService and a frequent speaker at user groups.
