Cool Solution - Installation of Microsoft SCCM
From Univention Wiki
This article describes the installation of the Microsoft System Center Configuration Manager Version 1702 (referred to below as "SCCM") on a Windows 2016 Server with a Microsoft SQL Server 2016 SP1, using the Univention Corporate Server Version 4 with Samba 4. The important difference from an installation using an Active Directory is that the SCCM schema extension has to be applied to the Samba 4 schema.
The installation of SCCM itself does not differ from an installation done in an Active Directory domain.
Alternatives to SCCM
There are different OS and software deployment solutions certified for UCS; the first one was OPSI from UIB. More information can be found at http://www.univention.com/products/ucs/certified-solutions/
Before starting the installation of SCCM, ensure that your Windows Server has joined your Samba 4 domain. Also ensure that both systems are up to date.
Modifying the LDIF
To extend the schema of your Samba 4 installation, you have to edit the ldif file provided by Microsoft. The file named
can be located in your SCCM installation DVD / extracted installation folder under
First, the file has to be converted to Unix-style line terminators:
sed -i s/\\x0D$// ConfigMgr_ad_schema.ldf
Then, the file has to be adjusted in several ways. First, you have to remove the schema update symbols, including the blank lines above them, from every add and modify command:
dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
Please note that the dash "-" at the end of every command has to remain.
Afterwards, in all lines starting with "dn: ", the trailing
has to be replaced with the Samba/AD LDAP base of your UCS domain. To determine the correct LDAP base, run the following command on your Domaincontroller Master:
ucr get samba4/ldap/base
After applying these changes, the resulting ldif has to be split into LDAP attribute extensions and LDAP objectclass extensions. The attribute extensions have to be added first, before the objectclass extensions can be added. The attribute extensions can be found below the comment:
# =========================================================================
# SMS Schema Attributes - Additions
# =========================================================================
and can be distinguished by the objectClass:
Likewise, the objectclass extensions can be found below the comment:
# =========================================================================
# SMS Schema Classes - Additions
# =========================================================================
and can be distinguished by the objectClass:
We assume that the attribute definitions are saved in "attributeSchema.ldf" and the modifications are saved in "classSchema.ldf".
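The preparation steps above (line terminators, removal of the schema-update blocks, LDAP base rewrite, split by objectClass) combined into one script. This is an added example, not part of the original article or of any Univention or Microsoft tooling; the function names, the `DC=x` placeholder base, the `attributeSchema`/`classSchema` objectClass values and the sample records are assumptions to check against your copy of the file.

```python
import re

# Schema-update block that the page says to remove, together with the blank
# lines above it. The "-" line that follows the block is left in place.
UPDATE_BLOCK = re.compile(
    r"(?:^[ \t]*\n)*^dn:[ \t]*\nchangetype:[ \t]*modify[ \t]*\n"
    r"replace:[ \t]*schemaupdatenow[ \t]*\nschemaupdatenow:[ \t]*1[ \t]*\n",
    re.MULTILINE | re.IGNORECASE)
# Assumed objectClass values that separate attribute from class definitions.
KIND = re.compile(r"^objectClass: (attributeSchema|classSchema)[ \t]*$", re.M)

def prepare_schema(ldif, old_base, new_base):
    """Return (attributes, classes, other) as LDIF text for ldbmodify."""
    text = ldif.replace("\r\n", "\n")        # Unix-style line terminators
    text = UPDATE_BLOCK.sub("", text)        # remove schemaupdatenow blocks
    tail = re.compile(r"^(dn: .*,)" + re.escape(old_base) + r"[ \t]*$", re.M)
    text = tail.sub(lambda m: m.group(1) + new_base, text)  # rewrite LDAP base
    buckets = {"attributeSchema": [], "classSchema": [], "other": []}
    for chunk in re.split(r"\n(?:[ \t]*\n)+", text.strip()):
        lines = [l for l in chunk.split("\n") if not l.startswith("#")]
        if not lines:
            continue                         # chunk held only comments
        record = "\n".join(lines)
        m = KIND.search(record)
        # Records of neither kind are kept apart for manual review, not dropped.
        buckets[m.group(1) if m else "other"].append(record)
    return tuple("\n\n".join(v) + "\n" if v else "" for v in buckets.values())

def sample():
    """Constructed input in the layout the page describes (not the real file)."""
    update = ["", "dn:", "changetype: modify", "replace: schemaupdatenow",
              "schemaupdatenow: 1", "-", ""]
    def add(cn, kind):
        return ["dn: CN=%s,CN=Schema,CN=Configuration,DC=x" % cn,
                "changetype: add", "objectClass: " + kind, "cn: " + cn]
    lines = ["# SMS Schema Attributes - Additions", ""]
    lines += add("Example-Attr", "attributeSchema") + update
    lines += ["# SMS Schema Classes - Additions", ""]
    lines += add("Example-Class", "classSchema") + update
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    attrs, classes, other = prepare_schema(sample(), "DC=x", "DC=example,DC=test")
    print(attrs, classes, other or "# no unclassified records", sep="\n")
```

Pass the value printed by `ucr get samba4/ldap/base` as `new_base`, and review anything returned in the third element before applying either file.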
Applying the LDIF
The schema modifications can be applied on any Samba DC. To apply the schema extension, you first have to temporarily enable the following UCR variable to allow schema updates on your Samba domain:
ucr set samba4/schema/update/allowed=yes
systemctl restart samba.service
First, the add statements need to be applied. As there are interdependencies between the objects, you will get error messages when applying the add statements, so the commands have to be executed multiple times. It is sufficient to apply the adds twice each to include all changes. Use the following commands to apply the resulting files:
ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi attributeSchema.ldf
ldbmodify -H ldapi:///var/lib/samba/private/ldap_priv/ldapi classSchema.ldf
Afterwards, schema updates should be disabled again to prevent the inclusion of untested extensions:
ucr set samba4/schema/update/allowed=no
systemctl restart samba.service
Two system users should be created using the UMC for this installation. Both need to be Samba, Posix and Kerberos accounts. One is for the SCCM client distribution, which is not covered here, and one is for the SQL server. The passwords should be kept complex. You do not need to remember the one for the SQL Server user. The one for the SCCM client distribution needs to be entered once during the configuration of SCCM.
Creating the System Management Container
For the following steps, you will need to connect to the domain using the Remote Server Administration Tool "ADSI Edit". Use the following link for information on how to install it: Remote Server Administration Tools (RSAT) for Windows operating systems
After opening ADSI Edit and connecting to your Domain Controller, move into the container
and select "new"->"Object" from the context menu. Select
as the object type and name it
then confirm the dialog. Select the new container and open its properties page from the context menu. Select the Security tab and add your SCCM server as a security principal. Grant full control to the server and click "Apply". Next, press the "Advanced" button. Select your SCCM server again and press "Edit…". In the new menu, select for "Apply to" the entry
This object and all descendant objects
confirm all dialogs and close the ADSI Editor.
This allows the SCCM Host to distribute the information regarding the Distribution Points.
Client & Software Distribution Groups
To distribute Software, the SCCM Host needs to be added to the local Administrators Group. In addition, the SCCM Client Distribution user needs to be in the local Administrators Group, if the Push Installation is to be used.
Open the "Active Directory Users and Computers" Tool and navigate to the container
Here select "Administrators" and add both the SCCM Host and the SCCM Client Distribution user in the Members Tab.
Alternatively, you can add the user and the SCCM host to the "Domain Admins" group in the Univention Directory Manager. While this is more convenient, it grants many more rights than needed.
From here on, the installation of SCCM is identical to the installation in a pure Microsoft domain.
Note that you have to choose Windows Authentication and set your created SQL user for all non system services during the Database Engine Configuration of your Microsoft SQL Server.
We recommend following the official Microsoft Documentation for installing a System Center Configuration Manager site