Difference between revisions of "Cool Solution - Installation of Microsoft SCCM"
From Univention Wiki
Revision as of 10:22, 7 April 2014
- 1 Introduction
- 2 System Status
- 3 Schema extension
- 4 Windows Installation
- 5 Prerequisites
- 6 SCCM Installation
- 7 SCCM Configuration
- 8 Sources
This article describes the installation of Microsoft SCCM 2007 using Univention Corporate Server version 3 with Samba 4. The important difference from an installation using Active Directory is that the SCCM schema extension is applied to the Samba 4 schema.
The installation of SCCM itself does not differ from an installation in an Active Directory domain; only the inclusion of the schema differs.
Alternatives to SCCM
There are different OS and software deployment solutions certified for UCS; the first one was OPSI from UIB. More information can be found at http://www.univention.de/en/products/ucs/certified-solutions/
Before starting the installation of SCCM, ensure that your Windows Server has joined your Samba 4 domain. Also ensure that both systems are up to date.
Modifying the LDIF
To extend the schema of your Samba 4 installation you have to edit the ldif file provided by Microsoft. The file
can be found on your SCCM installation DVD under
or in the Microsoft techbase. This file has to be edited in several steps. First you have to remove the schema update statements, including the blank lines between the statements,
dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
from every add and modify command. Please note that the dash "-" at the end of every command has to remain. Afterwards the
has to be replaced with your Samba's LDAP base. To determine the correct LDAP base, issue the following command on your Domain Controller Master:
ucr get samba4/ldap/base
After applying these changes the resulting ldif has to be split into modify and add statements. The modify statements can be found below the comment:
# =========================================================================
# SMS Schema Classes - Modifications
# =========================================================================
and can be distinguished by the changetype.
shows modifications while
We assume that the adds are saved in add.ldif and the modifications are saved in modify.ldif.
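The three LDIF edits described above (strip the schemaupdatenow stanza while keeping the "-" line, substitute the LDAP base, split by changetype) can be scripted. The following is an added example, not part of the original article or of UCS; the function name, the `DC=PLACEHOLDER` marker and the sample records are assumptions made for illustration, so pass the marker your copy of the file actually uses and the output of `ucr get samba4/ldap/base`.

```python
import re

# The stanza the page says to strip, plus the blank lines in front of it;
# the "-" line that follows the stanza is left in place.
SCHEMA_UPDATE = re.compile(
    r"\n+dn:[ \t]*\nchangetype:[ \t]*modify\n"
    r"replace:[ \t]*schemaupdatenow\nschemaupdatenow:[ \t]*1[ \t]*\n", re.I)
CHANGETYPE = re.compile(r"^changetype:[ \t]*(\S+)", re.I | re.M)


def prepare_schema_ldif(text, placeholder, ldap_base):
    """Return (add_ldif, modify_ldif) built from the vendor LDIF text."""
    text = SCHEMA_UPDATE.sub("\n", text.replace("\r\n", "\n"))
    # Rewrite the placeholder only where it ends a line, i.e. as a DN suffix.
    suffix = re.compile(re.escape(placeholder) + r"[ \t]*$", re.M)
    if placeholder in suffix.sub("", text) or "schemaupdatenow" in text.lower():
        raise ValueError("placeholder not at a line end, or stanza left over")
    text = suffix.sub(lambda m: ldap_base, text)
    out = {"add": [], "modify": []}
    for record in re.split(r"\n{2,}", text):
        lines = [ln for ln in record.split("\n") if ln and not ln.startswith("#")]
        if not lines:
            continue  # comment-only or empty block
        body = "\n".join(lines)
        match = CHANGETYPE.search(body)
        kind = match.group(1).lower() if match else ""
        if kind not in out:  # refuse deletes, renames and plain entries
            raise ValueError("unexpected record: " + lines[0])
        out[kind].append(body)
    return "\n\n".join(out["add"]) + "\n", "\n\n".join(out["modify"]) + "\n"


# Constructed sample: DC=PLACEHOLDER and the object names are made up.
STANZA = "\ndn:\nchangetype: modify\nreplace: schemaupdatenow\nschemaupdatenow: 1\n-\n\n"
SAMPLE = (
    "dn: CN=Example-Attr,CN=Schema,CN=Configuration,DC=PLACEHOLDER\n"
    "changetype: add\nobjectClass: attributeSchema\n" + STANZA +
    "# SMS Schema Classes - Modifications\n"
    "dn: CN=Example-Class,CN=Schema,CN=Configuration,DC=PLACEHOLDER\n"
    "changetype: modify\nadd: mayContain\nmayContain: exampleAttr\n" + STANZA
)

if __name__ == "__main__":
    adds, mods = prepare_schema_ldif(SAMPLE, "DC=PLACEHOLDER", "dc=example,dc=test")
    print(adds, mods, sep="\n")
```

Write the two returned strings to add.ldif and modify.ldif. A record that is neither an add nor a modify stops the run before anything reaches the directory.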
Applying the LDIF
The schema modifications can be applied on any Samba DC. To do so, schema extensions have to be enabled by setting the following variable and restarting Samba:
ucr set samba4/schema/update/allowed=yes
/etc/init.d/samba4 restart
First the add statements need to be applied. As there are interdependencies between the objects you will get error messages on applying the add statements. It is sufficient to apply the adds twice to include all changes. The following commands can be used to apply the resulting files:
ldbadd -H ldapi:///var/lib/samba/private/ldap_priv/ldapi add.ldif
ldbadd -H ldapi:///var/lib/samba/private/ldap_priv/ldapi add.ldif
ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi modify.ldif
Afterwards schema extensions should be disabled again to prevent the inclusion of untested extensions. To do so, reset the variable:
ucr set samba4/schema/update/allowed=no
/etc/init.d/samba4 restart
For the installation, two system users should be created using the UMC. Both need Samba and Kerberos accounts. One is for the SCCM client distribution, which is not covered here, and one is for the SQL server. The passwords should be relatively complex. You do not need to remember the one for the SQL server user. The one for the SCCM client distribution needs to be entered during the configuration of SCCM.
Creating the System Management Container
For the following please log into a Windows System using an account which is a member of the group "Domain Admins".
Install the AD Management Tools from the Feature Management Console.
Open ADSI EDIT and connect to your Domain Controller. Here move into the container
and select "new"->"Object" from the context menu. Select
as the object to add and name it
then confirm the dialog. Select the new container and open its properties page from the context menu. Select the Security tab and add your SCCM server as a security principal. Grant full control to the server and click "Apply". Next press the "Advanced" button, again select your SCCM server and press "Edit…". In the new dialog, select for "Apply to" the entry
This object and all descendant objects
confirm all dialogs and close the ADSI Editor.
This allows the SCCM Host to distribute the information regarding the Distribution Points.
Client & Software Distribution Groups
To distribute software, the SCCM host has to be added to the local Administrators group. In addition, the SCCM client distribution user needs to be in the local Administrators group if the push installation is to be used.
Open the "Active Directory Users and Computers" and navigate to the container
Here select "Administrators" and add both the SCCM Host and the SCCM Client Distribution user in the Members Tab.
Alternatively you can add the user and the SCCM host to the "Domain Admins" group in the Univention Directory Manager, but while this is more comfortable, it grants many more rights than needed.
From here on the installation of SCCM is identical to the installation in a pure Microsoft domain. We only present a very basic installation here. For a more complex scenario please refer to the Microsoft documentation.
This part covers the installation of all prerequisites. We assume that you have installed your Samba 4 domain and extended its schema. We further assume that you are installing SCCM 2007 on a clean and newly installed Windows 2008 R2 Server which has already joined your UCS domain.
After installing any of the prerequisites you should make Windows check for updates.
Windows Deployment Service
The first prerequisite to install is the WDS. It can be installed using the roles service from your Windows Server Management Console.
After the installation open the WDS management console. You can find it in the start menu in "Administrative Tools". In the console, right-click on the newly installed server and select "Configure Server".
Here select a folder according to your preference, the folder should be on a local disk and not on a network share. Preferably it is different from your System Partition/Disk.
The next important point is the PXE settings. Here you should select that the server responds to known and unknown clients if you are planning to use WDS for PXE rollouts. If you are using Thin Client Services you should restrict it to known clients only.
Finally unselect "Add image" and press "Finish".
Afterwards select "Properties" by right-clicking on the server. In the "PXE Response" tab select a timeout from 1 to 5 seconds.
Finally you need to ensure that the WDS is performing a delayed startup. This can be done in the service menu of the Administration Console.
Internet Information Service
Next we need to install Windows IIS. This can be done from the server console's role menu. Select the following items from the menu:
|Common HTTP Features||Installed|
|Web Dav Publishing||Installed|
|Server Side Includes||Not installed|
|Health and Diagnostics||Installed|
|Custom Logging||Not installed|
|ODBC Logging||Not installed|
|Digest Authentication||Not installed|
|Client Certificate Mapping Authentication||Not installed|
|IIS Client Certificate Mapping Authentication||Not installed|
|IP and Domain Restriction||Installed|
|Static Content Compression||Installed|
|Dynamic Content Compression||Not installed|
|IIS Management Console||Installed|
|IIS Management Scripts and Tools||Installed|
|IIS 6 Management Compatibility||Installed|
|IIS 6 Metabase Compatibility||Installed|
|IIS 6 WMI Compatibility||Installed|
|IIS 6 Scripting Tools||Installed|
|IIS 6 Management Console||Installed|
|FTP Publishing Service||Not installed|
|FTP Server||Not installed|
|FTP Management Console||Not installed|
To enable WebDAV open the Windows cmd, change to the directory
and issue the following command:
@ECHO OFF
Echo Enabling WebDAV
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /enabled:true /commit:apphost
Echo Configuring WebDAV
Echo Creating and configure a WebDAV authoring rule
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /+[users='*',path='*',access='Read'] /commit:apphost
Echo Allowing anonymous property queries
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /properties.allowAnonymousPropfind:true /commit:apphost
Echo Allowing Custom Properties
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /properties.allowCustomProperties:false /commit:apphost
Echo Allowing property queries with infinite depth
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /properties.allowInfinitePropfindDepth:true /commit:apphost
Echo Allowing hidden files to be listed
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /fileSystem.allowHiddenFiles:true /commit:apphost
Echo Allowing access to hidden files
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /fileSystem.allowHiddenFiles:true /commit:apphost
pause
@ECHO ON
exit
Further, in the IIS Management Console enable Windows Authentication in the Authentication menu.
Insert the CD and install the SQL Server. Choose Windows Authentication and set the SQL user for all non-system services. These tests were done using the 2008 R2 version of Microsoft SQL Server.
Windows Server Update Service
Install WSUS from the role menu of the Server Management Console. It is sufficient to use the default settings. When the installation is done, the Configuration Wizard will open. Do not configure WSUS right now, but close the wizard. The configuration should be done later from inside SCCM, which is not part of this guide.
To ease the deployment over lossy or slow links, SCCM requires the use of "BITS" and "RDC". These can be found in the features console of the Microsoft Server.
Insert the CD and install SCCM. If you select the standard installation instead of the quick install, you will be prompted for the server names; enter the respective FQDN.
SCCM provides countless options to configure its behavior. Currently the only known restriction is that Samba 4 does not support any forest scenarios.
See Microsoft's Technet for an introduction to the Configuration.