Deploying SCCM 2016 Current Branch – Part 1

Something that I have been doing a lot more of for the last year or so, and I have really gotten back into it. I dipped out when SMS 2.0 went over to SCCM 2003 (yes, I am that old :o). I went off and did RIS (Remote Installation Service) and later WDS (Windows Deployment Service), both of which I have blogged about in the past, and I really enjoyed those technologies and playing with the automation. Not obvious to the casual observer is that a good grounding in WSUS (Windows Server Update Services) and WDS makes life a lot easier when it comes to SCCM, as a lot of the batch scripting and PowerShell scripting comes in handy.

Why do an SCCM 2016 blog in 2019?

Apart from being a MacTard (but for how much longer?), I am also a Linux and Windows systems engineer/consultant. It’s the Windows side that feeds me from day to day, and I get involved in a hell of a lot of projects that need complex and in-depth knowledge of such subjects.

Rolling back 18 months, I got involved in an Active Directory and System Center Configuration Manager 2012 refresh: an upgrade of the AD structure (inc. PKI, VPN and network) as well as of the SCCM stack from 2012 to SCCM 2016 (17**). So, as one does, I upped my skillset, as I had not touched SCCM for some time (actually 2012/2014) and it’s a monolithic beast of a system, so I might as well upskill on the new developments in the current SCCM 2016. I was doing the reading and setting up the labs, destroying them, then rinse and repeat until I could get it right. The problem I found with every post on this subject is the same: it’s dry, lacks fun and, to be honest, bored me to tears. As luck would have it I am able to speed read, and I had a good enough grounding to skim read and get the information I wanted :).

I’m not saying this is bad, but being dry and very professional just needs context, as these are for public consumption and you are not robots, guys; lighten up. When writing an HLD/LLD or business proposal, go robot, but for fun let your personality through.

Look at me, moaning about others and boring the reader to death. I thought I had already done that with my last client with a 200+ page handover. Right, shall we proceed with the initial pre-requisites? Awesome, let’s go.

I kid you not people (14 Chapters of SCCM).

My Setup

So for this I have a single DC and a single-tier certificate authority, as well as a server built ready to deploy SCCM. For production environments I would suggest a two-tier CA or more, depending on your circumstances and/or requirements.

SCCM Setup in VMWare Fusion

Specs of the Servers 

Bearing in mind this is a small production lab, these are set to the bare minimum specs to deploy this out in this situation. If you want the requirements I would suggest either contacting me directly or Microsoft TechNet Documentation –

  • DC
    • 1x Virtual Processor
    • 2Gb Virtual RAM
    • 60Gb Hard Drive
    • 1x Virtual Network Adaptor 
    • Windows Server 2016
      • Active Directory Services
      • Active Directory DNS
  • CA
    • 1x Virtual Processor
    • 2Gb Virtual RAM
    • 60Gb Hard Drive
    • 1x Virtual Network Adaptor
    • Windows Server 2016
      • Active Directory Certificate Services 
        • Root Authority
        • AD integrated
      • Remote AD tools
      • IIS
  • SCCM
    • 4x Virtual Processor
    • 16Gb Virtual RAM
    • 60Gb Root Drive
    • 3Tb WSUS Drive
    • 2Tb SCCM Drive
    • Windows Server 2016
      • Remote Admin Tools

You will notice I have added the Remote Admin tools to the SCCM server and nothing else as of yet, and that is because you are going to spend a good amount of time in AD and with the Certificate Services, and I am far too lazy to keep swapping VMs or MSTSC screens about ;).

As regards the SQL server, in a production environment I would say keep this on a separate box, or if your main SQL cluster can handle it then use that, but for our purposes the SCCM server has enough to meet the basic requirements.

So that’s the setup, and it can be done in 20Gb of RAM without much performance degradation (try doing this on a 2014 Mac Mini). Luckily the Mac Pro 2013 I have is a twelve-core CPU with 64Gb of RAM, as it also hosts the Unifi SDN and Video controllers over on Parallels, which is a beast of a virtual machine in itself with 12Gb of RAM, x4 processors and 6Tb of space (but that is a blog in itself). Also notice that I have both VMWare Fusion and Parallels running on the Mac Pro :o.

Parallels Pro 14 on the same Mac Pro as VMware Fusion 10 Pro
(Yep I have lost it)

List of steps before we can install SCCM 2016

What I want to accomplish in this post are the steps we need to be able to successfully install SCCM in the first place. This can be rather laborious and daunting for the first timer. Never fear, Seb is here to walk you through it and hopefully show you that I mess it up as well, and I do this for a living ;).

  • Setup x3 Service Accounts for SCCM SQL
  • Setup x3 Service Accounts for SCCM
  • Setup x2 Service Groups for SCCM
  • Install Windows Features for SCCM
  • Install SQL Server
  • Install SQL Server Management tools
  • Install SQL Server Reporting tools
  • Set Windows firewall rules up
  • Install (but not configure) WSUS
  • Add AD SCCM Container
  • Extend the AD Schema
  • Install ADK
  • Perform a Baseline AD Health Check
  • Perform a Pre-requisite Check before installing SCCM

Now I know you are thinking, why has Seb left out WDS from the above? Simple answer: SCCM no longer requires WDS to be installed as of 1810, so I am going to show you this way rather than the old way 🙂.

Setup the Service Accounts and Groups

For SCCM to be installed successfully, the following accounts should be created; each is used for a different purpose.

For SQL Server and SCCM you will need the following Accounts

  • SQL Specific
    • SVC_SQL_DE
      • This is the Database Engine account when deploying SQL
    • SVC_SQL_RS
      • This is for use with SQL Reporting Services
    • SVC_SQL_SA
      • This is for use with SQL Server Agent

For SCCM

  • SCCM Specific
    • SVC_SCCM_NetworkAccess
      • Used for network access and should have install rights to clients
    • SVC_SCCM_ClientPush
      • Used to install the SCCM client on client devices; must have local admin rights on them
    • SVC_DomainJoin
      • Used to join client builds to the domain; must have only the minimal rights needed to join a machine to the domain

Domain Groups

  • SCCM-Admins
    • Used to add all the accounts you want to be admins in SCCM
  • SCCM-SiteServers
    • To add all the SCCM servers into a single group (makes it nice and neat later)

So, that was easy to create in the domain. I use a separate OU for domain-joined applications and keep all the accounts and groups in one location, as well as the site servers for that application, all within sub-OUs for application tracking, but you can design this as your AD domain dictates.

Showing Test Domain OU’s
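If you would rather script the accounts and groups above than click through ADUC, here is an added example of my own (not from the original post) using the ActiveDirectory module. The OU path and the site server name SCCM01 are placeholders; the account and group names are the ones listed above.

```powershell
# Added example: create the SQL and SCCM service accounts and the two security groups
# listed in this post. Assumptions: ActiveDirectory module present, the OU path and
# server name are placeholders, and you run this with rights to create objects in the OU.
Import-Module ActiveDirectory

$ou     = 'OU=Service Accounts,OU=SCCM,DC=lab,DC=local'   # placeholder OU
$domain = (Get-ADDomain).DNSRoot

# Account name => purpose, as described in this post
$accounts = [ordered]@{
    'SVC_SQL_DE'             = 'SQL Server Database Engine'
    'SVC_SQL_RS'             = 'SQL Server Reporting Services'
    'SVC_SQL_SA'             = 'SQL Server Agent'
    'SVC_SCCM_NetworkAccess' = 'SCCM Network Access Account'
    'SVC_SCCM_ClientPush'    = 'SCCM client push installation (local admin on clients)'
    'SVC_DomainJoin'         = 'Domain join for client builds (minimal rights only)'
}

foreach ($name in $accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }   # already exists, skip

    # Unique random 32-character password per account; record it in your vault, never in the script
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$domain" `
        -Path $ou -Description $accounts[$name] -AccountPassword $secret `
        -Enabled $true -CannotChangePassword $true -PasswordNeverExpires $true   # rotate via your vault
}

# The two domain groups: console admins, and the site server computer accounts
foreach ($group in 'SCCM-Admins', 'SCCM-SiteServers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -GroupCategory Security -Path $ou
    }
}
Add-ADGroupMember -Identity 'SCCM-SiteServers' -Members (Get-ADComputer -Identity 'SCCM01')   # placeholder name

# Review what was created
Get-ADUser -Filter 'SamAccountName -like "SVC_*"' -SearchBase $ou -Properties Description |
    Select-Object SamAccountName, Enabled, Description
```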

Firewall Rules

The firewall settings are only required if the software firewalls are enabled on each server in the environment. To speed the deployment up you could place the SCCM infrastructure servers within a single container and apply these via a Group Policy Object; however, it is recommended to run the following from an elevated command prompt or PowerShell environment on each of the SCCM servers.

  • netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433
  • netsh advfirewall firewall add rule name="SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434
  • netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022
  • netsh advfirewall firewall add rule name="SQL Debugger/RPC" dir=in action=allow protocol=TCP localport=135
  • netsh advfirewall firewall add rule name="Analysis Services" dir=in action=allow protocol=TCP localport=2383
  • netsh advfirewall firewall add rule name="SQL Browser (Analysis Services)" dir=in action=allow protocol=TCP localport=2382
  • netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80
  • netsh advfirewall firewall add rule name="SSL" dir=in action=allow protocol=TCP localport=443
  • netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=UDP localport=1434
  • netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
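The same set of rules as an added PowerShell example (mine, not from the original post) using the NetSecurity cmdlets: the rules are limited to the Domain profile, skipped if they already exist, and listed back afterwards so you can see exactly which ports ended up open. The "SCCM - " display name prefix is my own choice.

```powershell
# Added example: the inbound rules from the netsh list above, created with the
# NetSecurity cmdlets. Restricted to the Domain profile, skipped if already present,
# and verified afterwards. SQL Browser listens on UDP 1434; TCP 1434 is the DAC.
$rules = @(
    @{ Name = 'SQL Server';                      Protocol = 'TCP'; Port = 1433 }
    @{ Name = 'SQL Admin Connection';            Protocol = 'TCP'; Port = 1434 }
    @{ Name = 'SQL Browser';                     Protocol = 'UDP'; Port = 1434 }
    @{ Name = 'SQL Service Broker';              Protocol = 'TCP'; Port = 4022 }
    @{ Name = 'SQL Debugger/RPC';                Protocol = 'TCP'; Port = 135  }
    @{ Name = 'Analysis Services';               Protocol = 'TCP'; Port = 2383 }
    @{ Name = 'SQL Browser (Analysis Services)'; Protocol = 'TCP'; Port = 2382 }
    @{ Name = 'HTTP';                            Protocol = 'TCP'; Port = 80   }
    @{ Name = 'SSL';                             Protocol = 'TCP'; Port = 443  }
)

foreach ($r in $rules) {
    $name = "SCCM - $($r.Name)"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Protocol -LocalPort $r.Port | Out-Null
}

# ICMPv4 echo request (type 8) so the site servers answer ping
$icmp = 'SCCM - ICMPv4 Echo Request'
if (-not (Get-NetFirewallRule -DisplayName $icmp -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $icmp -Direction Inbound -Action Allow -Profile Domain `
        -Protocol ICMPv4 -IcmpType 8 | Out-Null
}

# Verify what is actually open: one row per rule with its protocol and port
Get-NetFirewallRule -DisplayName 'SCCM - *' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; Port = $pf.LocalPort; Enabled = $_.Enabled }
} | Format-Table -AutoSize
```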

Windows Server Roles and Feature install

These are the Roles and Features that are required for a successful deployment of SCCM. These Roles and Features should be enabled on each of the SCCM servers; to make this as simple as possible, CDW recommends that an elevated PowerShell environment is used.

# Load the ServerManager module, then install each required role/feature
Import-Module ServerManager
Install-WindowsFeature Web-Windows-Auth
Install-WindowsFeature Web-ISAPI-Ext
Install-WindowsFeature Web-Metabase
Install-WindowsFeature Web-WMI
Install-WindowsFeature BITS
Install-WindowsFeature RDC
Install-WindowsFeature NET-Framework-Features -source \\servername\source\sxs
Install-WindowsFeature Web-Asp-Net
Install-WindowsFeature Web-Asp-Net45
Install-WindowsFeature NET-HTTP-Activation
Install-WindowsFeature NET-WCF-HTTP-Activation45

For the above, I would copy these and paste them into an elevated PowerShell; it will execute the list and enable the minimum features per role/feature (and save you some time).

Extending the Active Directory Schema

This is one of the two major steps in the configuration and deployment of SCCM, and care should be taken given the nature of what is being undertaken. If the domain has not had a version of SCCM installed previously then all of the prerequisite steps are required; if an SCCM deployment has existed previously then only modifications to the below are required.

  • Log into the SCCM server using an account that is a member of the Schema Admins security group.
  • Mount the SCCM install media.
  • Open PowerShell with elevated privileges.
  • Change to the SCCM media directory.
  • Run .\SMSSETUP\BIN\X64\EXTADSCH.exe
Successful output from the execution of the .exe
  • Ensure this is successful by checking C:\ExtADSch.log
Wow, that did not take long on my 3 server domain 🙂
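Checking the log is good, but I also like to ask AD itself whether the objects landed. Here is an added example of my own (not from the original post) that queries the schema partition for the classes and attributes the Configuration Manager extension adds and then pulls the relevant lines out of the log named above. The wording matched in the log is an assumption.

```powershell
# Added example: confirm the schema extension took. Assumes the ActiveDirectory
# module; the class/attribute names are the ones the Configuration Manager extension
# adds, and the log path is the one named in this post.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$expectedClasses    = 'mSSMSSite', 'mSSMSManagementPoint',
                      'mSSMSRoamingBoundaryRange', 'mSSMSServerLocatorPoint'
$expectedAttributes = 'mS-SMS-Site-Code', 'mS-SMS-Assignment-Site-Code', 'mS-SMS-Roaming-Boundaries',
                      'mS-SMS-Default-MP', 'mS-SMS-MP-Name', 'mS-SMS-MP-Address', 'mS-SMS-Health-State',
                      'mS-SMS-Capabilities', 'mS-SMS-Version', 'mS-SMS-Source-Forest'

# One query of the schema partition: mS-SMS-* are the attributes, mSSMS* the classes
$present = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(|(name=mS-SMS-*)(name=mSSMS*))' |
             Select-Object -ExpandProperty Name)

$missing = @(($expectedClasses + $expectedAttributes) | Where-Object { $_ -notin $present })
if ($missing.Count -gt 0) {
    Write-Warning "Schema objects missing: $($missing -join ', ')"
} else {
    Write-Host "All $($present.Count) Configuration Manager schema objects are present."
}

# ExtADSch.exe writes its log to the root of the system drive; show the verdict lines
$log = 'C:\ExtADSch.log'
if (Test-Path $log) {
    # Pattern is an assumption about the log wording; adjust if your build phrases it differently
    Select-String -Path $log -Pattern 'Successfully extended|Failed|error' | Select-Object -Last 5
}
```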

Creation of the System Management Container

This is the second of the major setup changes to the Active Directory, and care should be taken when modifying any of the settings within the ADSI Edit component of Active Directory. Within ADSI Edit we are about to create a System Management container within Active Directory.

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services.

  • Start adsiedit.msc
  • Open the System container and create a new object
Click in the workspace to get this menu
  • Select Container
  • Name the new container System Management
  • Now set the security permissions on the new container
    • Open the properties of the System Management container
    • On the Security tab, add the SCCM site server computer account and grant it Full Control permissions
    • Click Add to add the SCCM site server account; change the object types to Computers whilst searching for computer accounts
  • Click Advanced, select the site server’s computer account, then click Edit
  • In the Applies to list, select This object and all descendant objects
  • Click OK and close the ADSI Edit console
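The ADSI Edit clicks above as an added PowerShell example of my own (not from the original post), so the change is repeatable and you can read back the ACE you granted. It assumes the ActiveDirectory module (which provides the AD: drive) and a site server named SCCM01, which is a placeholder.

```powershell
# Added example: create the System Management container and grant the site server's
# computer account Full Control on it and all descendants, as the ADSI Edit steps do.
# Assumptions: ActiveDirectory module loaded; 'SCCM01' is a placeholder server name.
Import-Module ActiveDirectory
$systemDN    = "CN=System,$((Get-ADDomain).DistinguishedName)"
$containerDN = "CN=System Management,$systemDN"
$siteServer  = Get-ADComputer -Identity 'SCCM01'   # or grant to the SCCM-SiteServers group created earlier

# 1. Create the container under CN=System if it is not already there
if (-not (Get-ADObject -SearchBase $systemDN -SearchScope OneLevel -LDAPFilter '(cn=System Management)')) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# 2. Full Control (GenericAll) on this object and all descendants, scoped to the new
#    container only; the ACL of CN=System itself is left alone.
$aclPath = "AD:\$containerDN"
$acl     = Get-Acl -Path $aclPath
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($siteServer.SID, $rights, $allow, $inherit)
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# 3. Verify: the computer account (DOMAIN\SCCM01$) should show GenericAll with InheritanceType All
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$($siteServer.Name)`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```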

Installing ADK for Windows 10

As the base OS is Windows Server 2016, we will need to install the ADK for Windows 10. You can install the ADK from the command line using PowerShell as per below:

.\adksetup.exe /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool OptionId.ImagingAndConfigurationDesigner /q

Alternatively, you can install using the GUI. To install the ADK for Windows 10, double-click on “adksetup.exe”; you will need to ensure that the following components are selected in the GUI:

  • Deployment Tools
  • Windows Pre-installation Environment
  • User state Migration tool
  • Imaging and Configuration Designer (ICD)

For the ADK Setup file I used this link https://support.microsoft.com/en-gb/help/4027209/oems-adk-download-for-windows-10

PowerShell is starting to look a bit messy now 🙂

Break time

So you have made it this far in the article and now realising that just getting SCCM installed is going to be a mammoth task, so at this point I would suggest that you take a comfort break, grab a drink of choice (based on your locational situation 😉 ) and settle down.
I usually at this point create and save a spreadsheet (or Numbers) with the tasks from the above so that you can tick them off as we go along.

I think we have reached a natural break point in the blog as well, so that you can get your three servers set up as well as the Domain and Certificate Server up and running. The Certificate Services are going to be another long blog, and even I am struggling to make it fun, and I enjoy this stuff 🙂. So hopefully in Part 2 we should be able to get through the final parts of the pre-requisites.
