Once all the prerequisites have been installed and the Active Directory schema has been extended for the ConfigMgr 2012 SP1 installation (see this blog post), we need to prepare the environment before kicking off the installation.
Overview
- Create a ConfigMgrAdmins group and a CMAdmin user
- Create a Restricted Groups GPO
- Create the System Management container
- Open Windows Firewall ports on Primary Site server and SQL Server
Create a ConfigMgrAdmins group and a CMAdmin user
In this step we’ll be creating a ConfigMgr 2012 SP1 Administrators group called ConfigMgrAdmins and the ConfigMgr Administrator account called CMAdmin. I’ll assume that you have basic knowledge of creating users and groups in Active Directory, so this part will not be a deep dive into each required step.
1. Open Active Directory Users and Computers.
2. Right-click on an OU of your choice (in my case Contoso.com/Users) and select New -> User.
3. Type CMAdmin under First name and User logon name. Click Next and complete the wizard.
4. Right-click on an OU of your choice (in this case Contoso.com/Groups) and select New -> Group.
5. Type ConfigMgrAdmins in the Group name field and click OK.
6. Open the newly created ConfigMgrAdmins group and add CMAdmin as a member.
Create a Restricted Groups GPO
In this step we’ll be creating a GPO that will take care of adding the ConfigMgrAdmins group to the local Administrators group on all ConfigMgr 2012 servers (initially you’ll only have one server, but that number will most likely increase in the future).
1. Open the Group Policy Management console.
2. Right-click on the OU where the ConfigMgr servers are located (in this case Contoso.com/Servers/ConfigMgr Servers) and select Create a GPO in this domain, and Link it here.
3. Name the GPO ConfigMgr Local Admins and click OK.
4. Right-click the newly created GPO and select Edit.
5. Expand Computer Configuration – Policies – Windows Settings – Security Settings, right-click on Restricted Groups and select Add Group.
6. Type ConfigMgrAdmins in the Add Group window and click OK.
7. Click on Add next to Members of this group.
8. Type ConfigMgrAdmins and click OK.
9. Click on Add next to This group is a member of.
10. Type BUILTIN\Administrators and click OK.
11. Click OK and close Group Policy Management Editor and Group Policy Management.
12. On your soon-to-be ConfigMgr 2012 SP1 server, open a command prompt and type gpupdate /force.
13. In the Server Manager Tools tab, open Computer Management.
14. Expand Local Users and Groups – Groups. Open Administrators. You should now see that the CONTOSO\ConfigMgrAdmins group has been added to the local Administrators group.
Create the System Management container
In this step we’ll create the System Management container in Active Directory, which ConfigMgr 2012 SP1 uses to store data such as Boundaries.
1. Open ADSI Edit and connect to the Default naming context.
2. Expand Default naming context and then your domain (in this case DC=contoso,DC=com).
3. Right-click on System and select New -> Object.
4. In the Create Object window, select container and click Next.
5. In the Value field type System Management. Click Next and then Finish. Note: It’s really important that you get the spelling correct, otherwise you’ll not be able to install ConfigMgr 2012 SP1.
6. Select System in the left pane, right-click on System Management in the right pane and select Properties.
7. Click on the Security tab and click Add.
8. Click on Object Types, select Computers and click OK.
9. In the Enter the object names to select field, type the name of your soon-to-be ConfigMgr 2012 SP1 server (in this case CM01) and click OK.
10. In Permissions for CM01$, select Full Control in the Allow column and click OK.
Note: You’ll have to add each new site server that you install in your hierarchy with Full Control permissions to the System Management container.
Open Windows Firewall ports on Primary Site server and SQL Server
Open an elevated PowerShell console and run the following command on your soon-to-be Primary Site server and SQL server:
New-NetFirewallRule -Profile Domain -DisplayName "SQL Ports" -Direction Inbound -Action Allow -LocalPort 1433,4022 -Protocol TCP
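Before starting setup, the preparation steps can be checked from PowerShell. The script below is an added example, not part of the original post; it assumes the names used in this walkthrough (ConfigMgrAdmins, CMAdmin, CM01, the "SQL Ports" rule), an installed ActiveDirectory module, and an elevated console on the site server.

```powershell
# Added verification example (not from the original post). Run elevated on the
# site server. Assumes the names used in this walkthrough and that the
# ActiveDirectory module (RSAT-AD-PowerShell) is installed.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$siteServer = 'CM01'                                   # assumed site server name
$container  = "CN=System Management,CN=System,$($domain.DistinguishedName)"
$account    = '{0}\{1}$' -f $domain.NetBIOSName, $siteServer   # e.g. CONTOSO\CM01$

# 1. CMAdmin is a member of ConfigMgrAdmins.
$members = Get-ADGroupMember -Identity 'ConfigMgrAdmins' |
    Select-Object -ExpandProperty SamAccountName
'CMAdmin in ConfigMgrAdmins: {0}' -f ($members -contains 'CMAdmin')

# 2. The Restricted Groups GPO has applied: ConfigMgrAdmins is a local admin.
$localAdmins = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
'ConfigMgrAdmins in local Administrators: {0}' -f ($localAdmins -contains 'ConfigMgrAdmins')

# 3. The container exists under the exact name (Get-ADObject throws otherwise),
#    and the site server's computer account holds Full Control (GenericAll).
$null = Get-ADObject -Identity $container -ErrorAction Stop
$fullControl = (Get-Acl -Path "AD:\$container").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -eq 'GenericAll'
}
$hasAce = [bool]($fullControl | Where-Object { $_.IdentityReference.Value -eq $account })
'{0} has Full Control: {1}' -f $account, $hasAce
# List every principal with Full Control so unexpected entries stand out.
$fullControl | Format-Table IdentityReference, InheritanceType, IsInherited -AutoSize

# 4. The firewall rule exists; show its ports and which remote addresses it
#    admits. The command above sets no -RemoteAddress, so this shows Any.
$rule = Get-NetFirewallRule -DisplayName 'SQL Ports' -ErrorAction Stop
$rule | Format-List DisplayName, Enabled, Profile, Direction, Action
$rule | Get-NetFirewallPortFilter    | Format-List Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Format-List RemoteAddress
```

Section 4 applies on the SQL server as well; sections 1 to 3 only need to be run once from the site server.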
That’s it! Now you can go ahead and run the installation of ConfigMgr 2012 SP1.