Difference between revisions of "Cool Solution - Installation of Microsoft SCCM"

From Univention Wiki

(Updated to UCS 4.2)
Line 1: Line 1:
{{Version|UCS=3.0}}
+
{{Version|UCS=4.2}}
{{Cool Solutions Disclaimer|Repository=no}}
+
{{Cool Solutions Disclaimer}}
{{Samba 4 Cool Solution}}  
+
{{Samba 4 Cool Solution}}
 
{{#seo:
 
{{#seo:
 
|title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}}
 
|title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}}
 
<!--|description=-->
 
<!--|description=-->
 
}}
 
}}
 +
{{Review-Status}}
  
This Article describes the installation of the Microsoft SCCM 2007 using the Univention Corporate Server Version 3 with Samba 4. The important difference from an installation using an Active Directory is the application of the SCCM schema extension to the samba 4 schema.  
+
This Article describes the installation of the Microsoft System Center Configuration Manager Version 1702 (further referred to as "SCCM") on a Windows 2016 Server with a Microsoft SQL Server 2016 SP1 using the Univention Corporate Server Version 4 with Samba 4. The important difference from an installation using an Active Directory is the application of the SCCM schema extension to the Samba 4 schema.
  
The installation of the SCCM is not different from the installation done in an Active Directory domain, only the inclusion of the schema differs.  
+
The installation of the SCCM is not different from the installation done in an Active Directory domain.
  
 
=== Alternatives to SCCM ===
 
=== Alternatives to SCCM ===
 
 
There are different OS and software deployment solutions certified for UCS, the first one was OPSI from UIB. More Informations can be found at http://www.univention.com/products/ucs/certified-solutions/
 
There are different OS and software deployment solutions certified for UCS, the first one was OPSI from UIB. More Informations can be found at http://www.univention.com/products/ucs/certified-solutions/
  
 
== System Status  ==
 
== System Status  ==
 
+
Before starting the installation of the SCCM, ensure that your Windows Server has joined your Samba 4 Domain. Also ensure, that both systems are up to date.
Before starting the installation of the SCCM ensure that your Windows Server has joined your Samba 4 Domain. Also ensure that both systems are up to date.  
 
  
 
== Schema extension  ==
 
== Schema extension  ==
 
 
=== Modifying the LDIF  ===
 
=== Modifying the LDIF  ===
 +
To extend the schema of your Samba 4 installation, you have to edit the ldif file provided by Microsoft. The file named
 +
<pre>
 +
ConfigMgr_ad_schema.ldf
 +
</pre>
 +
can be located in your SCCM installation DVD / extracted installation folder under
 +
<pre>
 +
SMSSETUP\BIN\X64
 +
</pre>
  
To extend the schema of your Samba 4 installation you have to edit the ldif file provided by Microsoft. The file
+
First, the file has to be converted to Unix-style line terminators:
  
ConfigMgr_ad_schema.ldf
+
<pre>
 +
sed -i s/\\x0D$// ConfigMgr_ad_schema.ldf
 +
</pre>
  
can be located in your SCCM installation DVD under
+
Then, the file has to be adjusted in several ways. First, you have to remove the schema update symbols, including the blank lines above them, from every add and modify command:
 
 
SMSSETUP\BIN\I386
 
 
 
or in the Microsoft techbase [http://technet.microsoft.com/en-us/library/bb680568.aspx].
 
 
 
First the file has to be converted to Unix-style line terminators. This can be done with the tool ''dos2unix'':
 
 
 
ucr set repository/online/unmaintained='yes'
 
univention-install dos2unix
 
ucr set repository/online/unmaintained='no'
 
dos2unix ConfigMgr_ad_schema.ldf
 
 
 
Then the file has to be adjusted in several ways. First you have to remove the schema update symbols including the blank lines between the statements
 
 
<pre>
 
<pre>
 
 
 
dn:
 
dn:
 
changetype: modify
 
changetype: modify
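Review bot: The new line-ending step, "sed -i s/\\x0D$// ConfigMgr_ad_schema.ldf", passes an unquoted expression and edits the vendor file in place without a backup. Quote the expression ("sed -i 's/\x0D$//' ConfigMgr_ad_schema.ldf") so it does not depend on shell escaping, and consider "-i.bak" so the original Microsoft file stays available for comparison. The revision also drops the Technet link for the schema file without naming another source for it.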
Line 49: Line 42:
 
schemaupdatenow: 1
 
schemaupdatenow: 1
 
</pre>
 
</pre>
 +
Please note, that the dash "-" at the end of every command has to remain.
  
from every add and modify command. Please node that the dash "-" at the end of every command has to remain. Afterwards in all lines starting with "dn: " the trailing
+
Afterwards, in all lines starting with "dn: ", the trailing
 +
<pre>
 +
DC=x
 +
</pre>
 +
has to be replaced with the Samba/AD LDAP base fo your UCS domain. To determine the correct LDAP base, issue the following command on your Domaincontroller Master:
 +
<pre>
 +
ucr get samba4/ldap/base
 +
</pre>
  
DC=some,DC=thing
+
After applying these changes, the resulting ldif has to be split into LDAP attribute extensions and LDAP objectclass extensions. The attribute extensions have to be added first, before the objectclass extensions can be added. The attribute extensions can be found below the comment:
 
+
<pre>
has to be replaced with the Samba/AD LDAP base fo your UCS domain. To determine the correct LDAP base issue the following command on your Domaincontroller Master:
+
# =========================================================================
 
 
ucr get samba4/ldap/base
 
 
 
After applying these changes the resulting ldif has to be split into LDAP attribute extensions and LDAP objectclass extensions. The attribute extensions have to be added first before the objectclass extensions can be added. The attribute extensions can be found below the comment:
 
<pre># =========================================================================
 
 
#                      SMS Schema Attributes - Additions
 
#                      SMS Schema Attributes - Additions
 
# =========================================================================
 
# =========================================================================
</pre>  
+
</pre>
and can be distinguished by the objectClass:  
+
and can be distinguished by the objectClass:
 +
<pre>
 +
objectClass: attributeSchema
 +
</pre>
  
objectClass: attributeSchema
+
Likewise, the objectclass extensions can be found below the comment:
 
+
<pre>
Likewise the objectclass extensions can be found below the comment:
+
# =========================================================================
<pre># =========================================================================
 
 
#                      SMS Schema Classes - Additions
 
#                      SMS Schema Classes - Additions
 
# =========================================================================
 
# =========================================================================
</pre>  
+
</pre>
and can be distinguished by the objectClass:  
+
and can be distinguished by the objectClass:
 +
<pre>
 +
objectClass: classSchema
 +
</pre>
  
objectClass: classSchema
+
We assume that the attribute definitions are saved in "attributeSchema.ldf" and the modifications are saved in "classSchema.ldf".
 
 
We assume that the attribute definitions are saved in attributeSchema.ldif and the modifications are saved in classSchema.ldif.
 
  
 
=== Applying the LDIF  ===
 
=== Applying the LDIF  ===
 +
The schema modifications can be applied on any Samba DC. Therefore schema extensions have to been enabled by setting the following variable:
 +
To apply the schema extension, you first have to temporarily enable the following UCR variable to allow schema updates on your Samba Domain:
 +
<pre>
 +
ucr set samba4/schema/update/allowed=yes
 +
systemctl restart samba.service
 +
</pre>
  
The schema modifications can be applied on any Samba DC. Therefore schema extensions have to been enabled by setting the following variable:  
+
First, the add statements need to be applied. As there are interdependencies between the objects you will get error messages on applying the add statements. It is sufficient to apply the adds twice each to include all changes. The following commands can be used to apply the resulting files:
 +
Use the following commands to apply the schemas. Note that you will have to execute these commands multiple times, as there are interdependencies between the objects.
 +
<pre>
 +
ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi attributeSchema.ldf
 +
ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi classSchema.ldf
 +
</pre>
  
ucr set samba4/schema/update/allowed=yes
+
Afterwards, schema updates should be disabled again to prevent the inclusion of untested extensions:
/etc/init.d/samba restart
+
<pre>
 
+
ucr set samba4/schema/update/allowed=no
First the add statements need to be applied. As there are interdependencies between the objects you will get error messages on applying the add statements. It is sufficient to apply the adds twice to include all changes. The following commands can be used to apply the resulting files:
+
systemctl restart samba.service
 
+
</pre>
ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi attributeSchema.ldif
 
ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi classSchema.ldif
 
 
Afterwards schema extensions should be disabled again to prevent the inclusion of untested extensions. Therefore reset the variable:  
 
 
 
ucr set samba4/schema/update/allowed=no
 
/etc/init.d/samba restart
 
  
 
=== SCCM Users ===
 
=== SCCM Users ===
For the Installation two System users should be created using the UMC. Both need Samba and Kerberos accounts. One is for the SCCM client distribution, not covered here, and one for the SQL server. The Passwords should relatively complex. You do not need to remember the one for the SQL&nbsp;Server user. The one for the SCCM&nbsp;client distribution needs to be entered during the Configuration of SCCM.
+
Two system users should be created using the UMC for this installation. Both need to be Samba, Posix and Kerberos accounts.  
 +
One is for the SCCM client distribution, not covered here, and one for the SQL server. The Passwords should be kept complex.  
 +
You do not need to remember the one for the SQL Server user. The one for the SCCM client distribution needs to be entered once during the Configuration of SCCM.
  
 
=== Creating the System Management Container  ===
 
=== Creating the System Management Container  ===
For the following please log into a Windows System using an account which is a member of the group "Domain Admins".
+
For the following, you will need to connect to the Domain using the Remote Server Administration Tool "ADSI Edit".
 +
Use the following link for informations on how to install it: [https://support.microsoft.com/en-us/help/2693643/remote-server-administration-tools-rsat-for-windows-operating-systems Remote Server Administration Tools (RSAT) for Windows operating systems]
  
Install the [[AD Management Tools]] from the Feature Management Konsole.
+
After opening ADSI Edit and connecting to your Domain Controller, move into the container
 
+
<pre>
Open ADSI EDIT and connect to your Domain Controller. Here move into the container
+
CN=System
CN=System
+
</pre>
 
and select
 
and select
 
"new"->"Object"
 
"new"->"Object"
from the context menu. Select  
+
from the context menu. Select
Container
+
<pre>
as the object to add and name it
+
Container
System Management
+
</pre>
then confirm the dialog. Select the new container and open its properties page from the context menu. Select the securities tab and add your SCCM server as a security principle. Grant full control to the server and click apply. Next press the "Advanced"
+
as the object type and name it
button, again select your SCCM server and press "Edit…". In the new menu select for "Apply to" the entry
+
<pre>
This object and all descendant objects
+
System Management
 +
</pre>
 +
then confirm the dialog. Select the new container and open its properties page from the context menu. Select the securities tab and add your SCCM server as a security principle. Grant full control to the server and click apply. Next press the "Advanced" button.
 +
Again select your SCCM server and press "Edit…". In the new menu select for "Apply to" the entry
 +
<pre>
 +
This object and all descendant objects
 +
</pre>
 
confirm all dialogs and close the ADSI Editor.
 
confirm all dialogs and close the ADSI Editor.
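Review bot: In "Applying the LDIF" the old sentences are kept as additions next to their replacements, so the section now gives each instruction twice: "Therefore schema extensions have to been enabled by setting the following variable:" is followed directly by "To apply the schema extension, you first have to temporarily enable ...", and "It is sufficient to apply the adds twice each" sits beside "you will have to execute these commands multiple times". Drop the old wording and state one repeat count. The typo "fo your UCS domain" is also carried over unchanged in the DC=x paragraph.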
  
Line 119: Line 131:
  
 
=== Client & Software Distribution Groups ===
 
=== Client & Software Distribution Groups ===
To distribute Software the SCCM Host to be added to the local Administrators Group. In addition the SCCM Client Distribution user needs to be in the local Administrators Group if the Push Installation is to be used.  
+
To distribute Software, the SCCM Host needs to be added to the local Administrators Group. In addition, the SCCM Client Distribution user needs to be in the local Administrators Group, if the Push Installation is to be used.
  
Open the "Active Directory Users and Computers" and navigate to the container
+
Open the "Active Directory Users and Computers" Tool and navigate to the container
CN=Builtin
+
<pre>
 +
CN=Builtin
 +
</pre>
 
Here select "Administrators" and add both the SCCM Host and the SCCM Client Distribution user in the Members Tab.
 
Here select "Administrators" and add both the SCCM Host and the SCCM Client Distribution user in the Members Tab.
  
Alternatively you can add the User and the SCCM Host to the "Domain Admins" group in the Univention Directory Manager, but while being more comfortable this grants many more rights then needed.
+
Alternatively you can add the User and the SCCM Host to the "Domain Admins" group in the Univention Directory Manager, but while being more comfortable this grants many more rights than needed.
  
 
== Windows Installation  ==
 
== Windows Installation  ==
  
From here on the installation of SCCM is equal to the installation in a pure Microsoft domain. We only present a very basic installation here. For a more complex scenario please refer to the Microsoft documentation.
+
From here on the installation of SCCM is equal to the installation in a pure Microsoft domain.
 
 
== Prerequisits  ==
 
 
 
This part covers the installation of all prerequisites. Therefore we assume that you have installed your Samba 4 Domain and extended its schema. We further assume that you are installing the SCCM 2007 on a clean and newly installed Windows 2008 R2 Server which already has joined your UCS Domain.
 
 
 
After installing any of the prerequisites you should make Windows check for updates.  
 
  
=== Windows Deployment Service  ===
+
Note that you have to choose Windows Authentication and set your created SQL user for all non system services during the Database Engine Configuration of your Microsoft SQL Server.
  
The first prerequisite to install is the WDS. One can simply install it using the roles service from your Windows Server Managment Console. [[Image:WDS.png|thumb|right|WDS.png]]
+
We recommend following the official Microsoft Documentation for [https://docs.microsoft.com/en-us/sccm/core/servers/deploy/start-using installing a System Center Configuration Manager site]
 
 
After the installation open the WDS managment console. You can find it in the start menu in "Administrative Tools". In the Console right click on the newly installed server and select "Configure Server".&nbsp; [[Image:WDS Services.png|thumb|right|WDS Services.png]]<br>
 
 
 
Here select a folder according to your preference, the folder should be on a local disk and not on a network share. Preferably it is different from your System Partition/Disk.
 
 
 
The next important point are the PXE settings. Here you should select that the server is responding to known and unknown clients if you are Planning to use WDS for PXE rollouts. If you are using Thin Client Services you should restrict it to known clients only. [[Image:WDS PXE.png|thumb|right|WDS PXE.png]]
 
 
 
Finally unselect "Add image" and Press finish.
 
 
 
Afterwards select "Properties" by right click on the server. In the "PXE Response" Tab select a timeout from 1 to 5 seconds.
 
 
 
Finally you need to ensure that the WDS is performing a delayed startup. This can be done in the service menu of the Administration Console.
 
 
 
=== Internet Information Service  ===
 
 
 
==== Installation  ====
 
 
 
Next we need to install Windows IIS. This can be done out of the server consols roll menu. Select the following items out of the menu:
 
 
 
{|
 
|-
 
! Role service
 
! Status
 
|-
 
| Web Server
 
| Installed
 
|-
 
| Common HTTP Features
 
| Installed
 
|-
 
| Static Content
 
| Installed
 
|-
 
| Default Document
 
| Installed
 
|-
 
| Directory Browsing
 
| Installed
 
|-
 
| HTTP Errors
 
| Installed
 
|-
 
| HTTP Redirection
 
| Installed
 
|-
 
| Web Dav Publishing
 
| Installed
 
|-
 
| Application Development
 
| Installed
 
|-
 
| ASP.NET
 
| Installed
 
|-
 
| .NET Extensibility
 
| Installed
 
|-
 
| ASP
 
| Installed
 
|-
 
| CGI
 
| Not installed
 
|-
 
| ISAPI Extensions
 
| Installed
 
|-
 
| ISAPI Filters
 
| Installed
 
|-
 
| Server Side Includes
 
| Not installed
 
|-
 
| Health and Diagnostics
 
| Installed
 
|-
 
| HTTP Logging
 
| Installed
 
|-
 
| Logging Tools
 
| Installed
 
|-
 
| Request Monitor
 
| Installed
 
|-
 
| Tracing
 
| Installed
 
|-
 
| Custom Logging
 
| Not installed
 
|-
 
| ODBC Logging
 
| Not installed
 
|-
 
| Security
 
| Installed
 
|-
 
| Basic Authentication
 
| Installed
 
|-
 
| Windows Authentication
 
| Installed
 
|-
 
| Digest Authentication
 
| Not installed
 
|-
 
| Client Certificate Mapping Authentication
 
| Not installed
 
|-
 
| IIS Client Certificate Mapping Authentication
 
| Not installed
 
|-
 
| URL Authorization
 
| Installed
 
|-
 
| Request Filtering
 
| Installed
 
|-
 
| IP and Domain Restriction
 
| Installed
 
|-
 
| Performance
 
| Installed
 
|-
 
| Static Content Compression
 
| Installed
 
|-
 
| Dynamic Content Compression
 
| Not installed
 
|-
 
| Management Tools
 
| Installed
 
|-
 
| IIS Management Console
 
| Installed
 
|-
 
| IIS Management Scripts and Tools
 
| Installed
 
|-
 
| Management Service
 
| Installed
 
|-
 
| IIS 6 Management Compatibility
 
| Installed
 
|-
 
| IIS 6 Metabase Compatibility
 
| Installed
 
|-
 
| IIS 6 WMI Compatibility
 
| Installed
 
|-
 
| IIS 6 Scripting Tools
 
| Installed
 
|-
 
| IIS 6 Management Console
 
| Installed
 
|-
 
| FTP Publishing Service
 
| Not installed
 
|-
 
| FTP Server
 
| Not installed
 
|-
 
| FTP Management Console
 
| Not installed
 
|}
 
 
 
==== Configuration  ====
 
 
 
To enable Webdav open the Windows cmd, change to the directory
 
C:\Windows\System32\inetsrv
 
and issue the following command:
 
<pre>@ECHO OFF
 
Echo Enabling WebDAV
 
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /enabled:true /commit:apphost
 
Echo Configuring WebDAV
 
Echo Creating and configure a WebDAV authoring rule
 
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /+[users='*',path='*',access='Read'] /commit:apphost
 
Echo Allowing anonymous property queries
 
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /properties.allowAnonymousPropfind:true /commit:apphost
 
Echo Allowing Custom Properties
 
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /properties.allowCustomProperties:false /commit:apphost
 
Echo Allowing property queries with infinite depth
 
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /properties.allowInfinitePropfindDepth:true /commit:apphost
 
Echo Allowing hidden files to be listed
 
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /fileSystem.allowHiddenFiles:true /commit:apphost
 
Echo Allowing access to hidden files
 
AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /fileSystem.allowHiddenFiles:true /commit:apphost pause
 
@ECHO ON
 
exit
 
</pre>
 
Further in the IIS magement Console enable the Windows Authentication in the Authentication menu. [[Image:IIS Auth.png|thumb|right]]
 
 
 
=== SQL Server  ===
 
 
 
Insert the CD and install the SQL Server. Choose Windows Authentication and set the SQL user for all non system services. This tests were done using the 2008 R2 Version of the Microsoft SQL.
 
 
 
=== Windows Server Update Service  ===
 
 
 
Install WSUS from the roll menu of the server managment console. It is sufficient to use the default settings. When done with the Installation the Configuration Wizard will open. Do not configure the WSUS right now, but close the wizard. The configuration should be done later from inside the SCCM which is not part of this guide.
 
 
 
=== Additional Features  ===
 
 
 
To ease the deployment over lossy or slow links SCCM requires the usage "BITS" and "RDC". These can be found in the features console of the Microsoft Server.
 
 
 
== SCCM Installation  ==
 
 
 
Insert the CD and install the SCCM. When selecting the standard Installation instead of the quick install, you will be prompted for the server names enter the respective fqdn.
 
 
 
== SCCM Configuration  ==
 
 
 
SCCM provides countless options to configure its behavior. Currently the only known restrictions are that Samba 4 is not supporting any Forest scenarios.
 
 
 
See Microsoft's [http://technet.microsoft.com/en-us/library/bb693806 Technet] for an introduction to the Configuration.
 
  
 
== Sources  ==
 
== Sources  ==
 
+
*[https://docs.microsoft.com/en-us/sccm/core/understand/introduction Introduction to System Center Configuration Manager]
*[http://technet.microsoft.com/library/bb680651.aspx Microsoft Technet]  
+
*[https://docs.microsoft.com/en-us/sccm/core/servers/deploy/start-using Start using System Center Configuration Manager]
*[http://www.ahmedgroup.co.uk/articles/47/1/Step-by-step-guide-installing-SCCM-2007-Part-1/Page1.html Step by Step Guide to Installing SCCM Guide by Huzaifah Ahmad]  
+
*[https://support.microsoft.com/en-us/help/2693643/remote-server-administration-tools-rsat-for-windows-operating-systems]
  
 
[[Category:Samba_4_Howtos]]
 
[[Category:Samba_4_Howtos]]
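Review bot: Removing the "SCCM Configuration" section also removes the only statement of a known limitation, "Samba 4 is not supporting any Forest scenarios", and nothing in the new text replaces it; keep that sentence if it still holds for UCS 4.2. In Sources, the last added entry is a bare URL in brackets with no link text, unlike the two entries above it.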

Revision as of 13:17, 29 September 2017

Product logo: UCS Version 4.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

Important Note: The article goes through the installation of software that utilizes features of Active Directory (AD), substituting the AD functionality using UCS with Samba 4.

Please note that Univention does not provide support for the software, nor does Univention offer the described software or parts of it, e.g. the Active Directory schema. Licenses for the software described have to be obtained through the sales channels offered by the software vendor. Also regard the legal notes at Terms of Service.

Please acknowledge that "cool solution" tutorials are created with best intentions. It is provided as is, without any warranty and might not work in all given situations.
Note: This article is not yet reviewed.


This article describes the installation of Microsoft System Center Configuration Manager Version 1702 (further referred to as "SCCM") on a Windows 2016 Server with Microsoft SQL Server 2016 SP1, using Univention Corporate Server Version 4 with Samba 4. The important difference from an installation using an Active Directory is that the SCCM schema extension has to be applied to the Samba 4 schema.

The installation of the SCCM is not different from the installation done in an Active Directory domain.

Alternatives to SCCM

There are different OS and software deployment solutions certified for UCS; the first one was OPSI from UIB. More information can be found at http://www.univention.com/products/ucs/certified-solutions/

System Status

Before starting the installation of SCCM, ensure that your Windows Server has joined your Samba 4 domain. Also ensure that both systems are up to date.

Schema extension

Modifying the LDIF

To extend the schema of your Samba 4 installation, you have to edit the ldif file provided by Microsoft. The file named

ConfigMgr_ad_schema.ldf

can be found on your SCCM installation DVD or in the extracted installation folder under

SMSSETUP\BIN\X64

First, the file has to be converted to Unix-style line terminators:

sed -i 's/\x0D$//' ConfigMgr_ad_schema.ldf

Then, the file has to be adjusted in several ways. First, you have to remove the schema update symbols, including the blank lines above them, from every add and modify command:

dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1

Please note that the dash "-" at the end of every command has to remain.

Afterwards, in all lines starting with "dn: ", the trailing

DC=x

has to be replaced with the Samba/AD LDAP base of your UCS domain. To determine the correct LDAP base, issue the following command on your Domaincontroller Master:

ucr get samba4/ldap/base

After applying these changes, the resulting ldif has to be split into LDAP attribute extensions and LDAP objectclass extensions. The attribute extensions have to be added first, before the objectclass extensions can be added. The attribute extensions can be found below the comment:

# =========================================================================
#                       SMS Schema Attributes - Additions
# =========================================================================

and can be distinguished by the objectClass:

objectClass: attributeSchema

Likewise, the objectclass extensions can be found below the comment:

# =========================================================================
#                       SMS Schema Classes - Additions
# =========================================================================

and can be distinguished by the objectClass:

objectClass: classSchema

We assume that the attribute definitions are saved in "attributeSchema.ldf" and the modifications are saved in "classSchema.ldf".
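
The preparation steps above, combined into one script. This is an added example and not part of the original article or of Univention's tooling; the function names, the unclassified.ldf file and the sample entries are assumptions for illustration, and the sample is constructed rather than taken from the Microsoft file. It assumes each entry and each schemaupdatenow block is separated by blank lines.

```shell
#!/bin/sh
# Added example: prepare ConfigMgr_ad_schema.ldf for Samba 4 as described above.
# prepare_sccm_ldif, make_sample and unclassified.ldf are hypothetical names.

# usage: prepare_sccm_ldif SOURCE.ldf LDAP_BASE OUTPUT_DIR
prepare_sccm_ldif() {
    p_src=$1; p_base=$2; p_out=$3
    mkdir -p "$p_out" || return 1
    # Start from empty result files so a re-run never appends to old output.
    for f in attributeSchema classSchema unclassified; do : > "$p_out/$f.ldf"; done
    # Step 1: strip carriage returns (same effect as the sed call above).
    # Steps 2-4 run in awk paragraph mode: one blank-line separated entry per record.
    tr -d '\r' < "$p_src" | awk -v base="$p_base" \
        -v attrs="$p_out/attributeSchema.ldf" \
        -v classes="$p_out/classSchema.ldf" \
        -v other="$p_out/unclassified.ldf" '
    BEGIN { RS = ""; FS = "\n" }
    # Write the buffered entry to the file that matches its objectClass.
    function flush() {
        if (kind == "attr")       { print entry "\n" > attrs;   na++ }
        else if (kind == "class") { print entry "\n" > classes; nc++ }
        else if (kind == "other") { print entry "\n" > other;   ns++ }
        entry = ""; kind = ""
    }
    # Step 2: drop the schemaupdatenow block and the blank line above it,
    # but keep its closing dash by attaching it to the preceding entry.
    $1 ~ /^dn:[ \t]*$/ && tolower($0) ~ /schemaupdatenow/ {
        if ($NF == "-" && kind != "") entry = entry "\n-"
        next
    }
    {
        flush()
        for (i = 1; i <= NF; i++) {
            line = $i
            if (line ~ /^dn: /) {
                # Step 3: replace the trailing DC=x with the real LDAP base.
                if (line ~ /,DC=x$/) line = substr(line, 1, length(line) - 4) base
                if (kind == "") kind = "other"
            }
            # Step 4: classify the entry by its objectClass line.
            if (line ~ /^objectClass:[ \t]*attributeSchema[ \t]*$/) kind = "attr"
            if (line ~ /^objectClass:[ \t]*classSchema[ \t]*$/)     kind = "class"
            entry = (i == 1) ? line : entry "\n" line
        }
    }
    END { flush(); printf "attributes=%d classes=%d unclassified=%d\n", na, nc, ns }
    '
}

# Constructed sample with CRLF line ends; the entries are placeholders,
# not the contents of the Microsoft file.
make_sample() {
    awk '{ printf "%s\r\n", $0 }' <<'EOF'
#                      SMS Schema Attributes - Additions

dn: CN=Example-Attr,CN=Schema,CN=Configuration,DC=x
changetype: add
objectClass: attributeSchema
cn: Example-Attr

dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
-

#                      SMS Schema Classes - Additions

dn: CN=Example-Class,CN=Schema,CN=Configuration,DC=x
changetype: add
objectClass: classSchema
cn: Example-Class

dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
-
EOF
}

demo_dir=$(mktemp -d)
make_sample > "$demo_dir/ConfigMgr_ad_schema.ldf"
# On a UCS system the base would come from: ucr get samba4/ldap/base
prepare_sccm_ldif "$demo_dir/ConfigMgr_ad_schema.ldf" "DC=example,DC=test" "$demo_dir/out"
```

Entries that carry a DN but neither objectClass value end up in unclassified.ldf and should be reviewed by hand before anything is applied.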

Applying the LDIF

The schema modifications can be applied on any Samba DC. To apply the schema extension, you first have to temporarily enable the following UCR variable to allow schema updates on your Samba domain:

ucr set samba4/schema/update/allowed=yes
systemctl restart samba.service

First, the add statements need to be applied. As there are interdependencies between the objects, you will get error messages when applying the add statements, so the commands have to be executed multiple times; it is sufficient to apply the adds twice each to include all changes. Use the following commands to apply the resulting files:

ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi attributeSchema.ldf
ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi classSchema.ldf

Afterwards, schema updates should be disabled again to prevent the inclusion of untested extensions:

ucr set samba4/schema/update/allowed=no
systemctl restart samba.service

SCCM Users

Two system users should be created using the UMC for this installation. Both need to be Samba, Posix and Kerberos accounts. One is for the SCCM client distribution, not covered here, and one is for the SQL server. The passwords should be complex. You do not need to remember the one for the SQL Server user. The one for the SCCM client distribution needs to be entered once during the configuration of SCCM.

Creating the System Management Container

For the following, you will need to connect to the domain using the Remote Server Administration Tool "ADSI Edit". Use the following link for information on how to install it: Remote Server Administration Tools (RSAT) for Windows operating systems (https://support.microsoft.com/en-us/help/2693643/remote-server-administration-tools-rsat-for-windows-operating-systems)

After opening ADSI Edit and connecting to your Domain Controller, move into the container

CN=System

and select "new"->"Object" from the context menu. Select

Container

as the object type and name it

System Management

then confirm the dialog. Select the new container and open its properties page from the context menu. Select the Security tab and add your SCCM server as a security principal. Grant full control to the server and click apply. Next press the "Advanced" button. Again select your SCCM server and press "Edit…". In the new menu select for "Apply to" the entry

This object and all descendant objects

then confirm all dialogs and close the ADSI Editor.

This allows the SCCM Host to distribute the information regarding the Distribution Points.

Client & Software Distribution Groups

To distribute Software, the SCCM Host needs to be added to the local Administrators Group. In addition, the SCCM Client Distribution user needs to be in the local Administrators Group, if the Push Installation is to be used.

Open the "Active Directory Users and Computers" Tool and navigate to the container

CN=Builtin

Here select "Administrators" and add both the SCCM Host and the SCCM Client Distribution user in the Members Tab.

Alternatively, you can add the user and the SCCM Host to the "Domain Admins" group in the Univention Directory Manager. This is more convenient, but it grants many more rights than needed.

Windows Installation

From here on the installation of SCCM is equal to the installation in a pure Microsoft domain.

Note that you have to choose Windows Authentication and set your created SQL user for all non system services during the Database Engine Configuration of your Microsoft SQL Server.

We recommend following the official Microsoft documentation for installing a System Center Configuration Manager site (https://docs.microsoft.com/en-us/sccm/core/servers/deploy/start-using).

Sources
