Building a CM Lab Collection - Recast Software https://www.recastsoftware.com/resources-collection/building-a-cm-lab/ Empowering IT at Every Endpoint Mon, 08 Jul 2024 13:53:06 +0000

Building a ConfigMgr Lab from Scratch: Series Intro https://www.recastsoftware.com/resources/building-a-configmgr-lab-from-scratch/ Thu, 21 May 2020 16:17:32 +0000 In this series, I'll be walking through how I've set up our Dev ConfigMgr Lab. This post will give a basic overview and links to the posts as they are added. At the time of this posting the main lab setup will be complete, but additional items and posts will continue to be added as we add additional features and services into the lab.

The post Building a ConfigMgr Lab from Scratch: Series Intro appeared first on Recast Software.

Building a ConfigMgr Lab from Scratch

In this series, I’ll be walking through how I’ve set up our Dev ConfigMgr Lab. There is one physical server running Server 2019 Datacenter Edition, plus several virtual machines set up for the lab itself. This post will give the basic overview, and then link to all posts in the Building a ConfigMgr Lab Series.

Post Layout

  • Lab & VM Setup
  • Blog Post List

Assumptions

  • You already know how to set up a virtual environment and virtual networking
  • You already know how to install Windows Server on a VM

Lab Info & VMs

  • The Lab will have a separate IP Subnet, completely separated from the host’s network.
  • Domain Name: dev.recastsoftware.com

Virtual Machines

  • Gateway Server
    • Name: GATEWAY.dev.recastsoftware.com
    • LAN 1: DHCP (External Network)
    • LAN 2: Static IP (Internal Lab Network) 192.168.1.1
    • Windows Roles: RAS [MS Docs]
    • C Drive = 100GB (1 Virtual Disk)
    • Memory = 1GB
    • CPU = 2 Cores
  • Domain Controller
  • ConfigMgr Server – Current Branch
    • Name: MEMCM.dev.recastsoftware.com
    • LAN 1: Static IP (Internal Lab Network) 192.168.1.200
    • C Drive = 100GB (1 Virtual Disk)
    • D Drive = 50GB (1 Virtual Disk) Used for SQL Database
    • E Drive = 500GB (1 Virtual Disk) Used for DP Content Source Server
    • Memory = 8GB
    • CPU = 4 Cores
  • ConfigMgr Server – Tech Preview
    • Name: MEMCMTP.dev.recastsoftware.com
    • LAN 1: Static IP (Internal Lab Network) 192.168.1.201
    • C Drive = 100GB (1 Virtual Disk)
    • D Drive = 50GB (1 Virtual Disk) Used for SQL Database
    • E Drive = 200GB (1 Virtual Disk) Used for DP Content
    • Memory = 4GB
    • CPU = 4 Cores
  • Recast Management Server
    • Name: RecastMS.dev.recastsoftware.com
    • LAN 1: Static IP (Internal Lab Network) 192.168.1.3
    • C Drive = 100GB (1 Virtual Disk)
    • Memory = 2GB

Active Directory Accounts

  • Configuration Manager Admin (CMAdmin)
  • Network Access (CM_NA)
  • Domain Join (CM_DJ)
  • Workstation Client Push Account (CM_CP_Workstations)
  • Server Client Push Account (CM_CP_Servers)
  • Several Co-Workers (Mark, Bryan, Chris..)

Active Directory Groups

  • CM_Servers
  • CM_Admins
  • SQL_Admins
  • Server_LocalAdmins
  • Workstation_LocalAdmins
  • CM_App_DeployUsers (Contains the Co Worker Users, used as my )
  • Certificate Admins (Allows users to enroll in the Web Server we’ll set up)
  • Web Server Cert Enrollment (Contains any Webservers)

Building a ConfigMgr Lab from Scratch Series

  1. Setting up your Domain Controller
  2. Creating a Router for your Lab using Windows Server
  3. Certificate Authority – On Domain Controller [Optional]
  4. ConfigMgr Server Pre-Reqs (Windows Features)
  5. Configuration Settings (AD & GPOs)
  6. Source Server (File Share)
  7. ConfigMgr SQL Install
  8. ConfigMgr Install
  9. ConfigMgr Basic Settings
  10. ConfigMgr Collections & App Deployment
  11. ConfigMgr OSD
  12. ConfigMgr Reporting Services
  13. Cloud Management Gateway (CMG) – Certs PreReq
  14. Cloud Management Gateway (CMG) – Azure Subscription
  15. Azure Services Connection
  16. Setting up CMG in the Console
  17. Cloud Management Gateway (CMG) – Post CMG Config
  18. Cloud Management Gateway – Client CMG Endpoints

Building a ConfigMgr Lab from Scratch: Step 1 – Domain Controller VM https://www.recastsoftware.com/resources/building-a-cm-lab-domain-controller-vm/ Wed, 20 May 2020 18:53:41 +0000 https://www.recastsoftware.com/resources/building-a-cm-lab-domain-controller-vm/ This post will be going over creating the Domain Controller for the Lab. This will be the basic setup, we'll be revisiting the Domain Controller later when we need to extend the schema and start adding additional users and groups into the mix, but for now, we're just going to get it functional, with DNS & DHCP. This post is 99% pictures, not much text.

The post Building a ConfigMgr Lab from Scratch: Step 1 – Domain Controller VM appeared first on Recast Software.

Building a ConfigMgr Lab from Scratch: Step 1

Setting up the Domain Controller, with DNS & DHCP

This post will be going over creating the Domain Controller for the Lab. This will be the basic setup, as we’ll be revisiting the Domain Controller later when we need to extend the schema and start adding additional users and groups into the mix. For now, we’re just going to get it functional, with DNS & DHCP. This post is 99% pictures, not much text. If you have questions along the way, reach out via twitter.

Overview

  • Domain Controller
    • Name: DC.dev.recastsoftware.com
    • LAN 1: Static IP (Internal Lab Network) 192.168.1.199
    • Windows Roles: Domain Controller, DHCP, DNS
    • C Drive = 100GB (1 Virtual Disk)
    • Memory = 2GB
    • CPU = 2 Cores

Virtual Machine Connection

Installed AD DS via PowerShell [MS Docs]:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Once installed, you can run the Domain Controller Wizard [MS Docs]

Active Directory Domain Services Configuration Wizard

Since this is a new domain, I’m picking Add a new forest.

Active Directory Domain Services Configuration Wizard

I choose to install DNS as well at this time, as this will be the DNS server for my lab.  I then pick a password and save it.

Active Directory Domain Service Configuration Wizard

This is expected.

Active Directory Domain Services Configuration Wizard

This field will auto populate based on your forest name

Active Directory Domain Services Configuration Wizard

These are the defaults.

Active Directory Domain Services Configuration Wizard

Prereq check passed and Install is now getting clicked.

DNS Manager

Once complete, I open DNS Manager and set up my DNS forwarders [MS Docs PowerShell].

Add Roles and Features Wizard

I then add DHCP. While I could have done this with PowerShell, I didn’t look up the code, so I’m just using the Wizard this time. If you want to dig in, there is more info in [MS Docs PowerShell].

Add Roles and Features Wizard

Confirmation… sure.

Add Roles and Features Wizard

DHCP Post-Install Configuration manager

Once complete, it shows the results. You can then click on “Complete DHCP configuration.”

DHCP Post-Install Configuration Wizard

I use the Admin Account that I’m currently logged on with to authorize the DHCP.

DHCP Post-install Configuration Wizard

It then sets up DHCP.

Virtual Machine Connection

Now that DHCP is installed, we need to set up a scope. Right click on IPv4 and set up a new scope [MS Docs].

New Scope Wizard

Name it something meaningful to you.

New Scope Wizard

You then set up your range for DHCP and your subnet mask.

New Scope Wizard

If you have any machines that use static IPs in that range, make sure you exclude them.

New Scope Wizard

I left the default here.

New Scope Wizard – Configure DHCP Options

There are several DHCP options. Only a few are required; others, like PXE, you can set up later.

Router default gateway

I added the IP for my Gateway PC.

Domain Name and DNS Server

I also make sure it has the domain name and the IP of the domain controller.

WINS Server

I don’t bother with WINS.

Activate scope

Heck yes I want to activate the scope.

DHCP Address Pool

And now I have the scope set up. As you bring machines online and they get addresses from DHCP, they will start to populate here.
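The DHCP role, authorization, scope, exclusion and option steps above can also be scripted. This is an added example, not code from the original post: the DC, gateway, domain and static addresses come from the lab layout, while the scope name, the /24 mask and the .2 to .254 range are assumptions. It keeps the scope inactive until every static address inside the range has an exclusion.

```powershell
# Added example: scripted equivalent of the DHCP wizard steps. Run elevated on the DC.
# Lab values (DC, gateway, domain, static IPs) come from the series; "assumed" values do not.
$DcFqdn    = 'DC.dev.recastsoftware.com'
$DcIp      = '192.168.1.199'          # DC, also the lab DNS server
$GatewayIp = '192.168.1.1'            # GATEWAY, internal NIC
$Domain    = 'dev.recastsoftware.com'
$ScopeId   = '192.168.1.0'
$Mask      = '255.255.255.0'          # assumed /24
$ScopeName = 'Lab Internal'           # assumed
$Start     = '192.168.1.2'            # assumed range start
$End       = '192.168.1.254'          # assumed range end
# Static addresses from the lab layout: RecastMS, DC, MEMCM, MEMCMTP
$StaticIps = '192.168.1.3', '192.168.1.199', '192.168.1.200', '192.168.1.201'

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)          # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InRange ([string]$Ip, [string]$From, [string]$To) {
    $n = ConvertTo-UInt32 $Ip
    ($n -ge (ConvertTo-UInt32 $From)) -and ($n -le (ConvertTo-UInt32 $To))
}

Install-WindowsFeature -Name DHCP -IncludeManagementTools

# "Complete DHCP configuration": create the DHCP local groups, then authorize the server in AD
Add-DhcpServerSecurityGroup
Restart-Service -Name DHCPServer
Add-DhcpServerInDC -DnsName $DcFqdn -IPAddress $DcIp

# New Scope Wizard: create the scope inactive so no lease is handed out before exclusions exist
Add-DhcpServerv4Scope -Name $ScopeName -StartRange $Start -EndRange $End `
    -SubnetMask $Mask -State InActive

# Exclude every static address that falls inside the range
foreach ($ip in $StaticIps) {
    if (Test-InRange $ip $Start $End) {
        Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $ip -EndRange $ip
    }
}

# Router, DNS server and domain name options
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $GatewayIp -DnsServer $DcIp -DnsDomain $Domain

# Verify before activating: any static IP inside the range without an exclusion is an error
$excluded  = Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId
$uncovered = $StaticIps | Where-Object {
    $ip = $_
    (Test-InRange $ip $Start $End) -and
    -not ($excluded | Where-Object { Test-InRange $ip "$($_.StartRange)" "$($_.EndRange)" })
}
if ($uncovered) { throw "Static IPs still leasable: $($uncovered -join ', ')" }

Set-DhcpServerv4Scope -ScopeId $ScopeId -State Active
Get-DhcpServerInDC                                  # the DC should be listed as authorized
Get-DhcpServerv4OptionValue -ScopeId $ScopeId       # options 3, 6 and 15 should be present
```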

On the DC, you also need to install the C++ Runtime which will allow you to extend the schema for CM.  You can grab the C++ you need from the ConfigMgr Disc.

Disc\SMSSETUP\BIN\X64\vcredist_x64.exe – If you don’t have that installed, you’ll get errors when you try to extend the schema.

Conclusion – Domain Controller VM

So those are the fundamentals of setting up the DC. We’ll get into the Group Policy, Users and Groups in an upcoming post. If you’re following along, at this point, you should have your gateway and domain controller. You’ll want to go back and add your gateway server into the domain if you did create that before the DC.


Building a ConfigMgr Lab from Scratch: Step 2 – Gateway Virtual Machine (VM) https://www.recastsoftware.com/resources/building-a-cm-lab-gateway-vm/ Tue, 19 May 2020 18:53:41 +0000 https://www.recastsoftware.com/resources/building-a-cm-lab-gateway-vm/ If we have a lab and we want to keep it separate from rest of our environment, we need a gateway. You can do this with a linux VM, another physical router, or several other options. For our lab, we decided to use Microsoft Windows Server to be our gateway.

The post Building a ConfigMgr Lab from Scratch: Step 2 – Gateway Virtual Machine (VM) appeared first on Recast Software.

Building a ConfigMgr Lab from Scratch: Step 2

Setting up the Gateway Virtual Machine, a virtual router

If we have a lab and we want to keep it separate from the rest of our environment, we need a gateway. You can do this with a Linux VM, another physical router, or several other options. For our lab, we decided to use Microsoft Windows Server to be our gateway. After setting this up, looking back, it would have been easier to set up the DC first, so I’d recommend doing that, then setting this up.

Gateway Server

  • Name: GATEWAY.dev.recastsoftware.com
  • LAN 1: DHCP (External Network)
  • LAN 2: Static IP (Internal Lab Network) 192.168.1.1
  • Windows Roles: RAS [MS Docs]

At this point, I’ve installed Windows Server 2019, set the name and the IP address, run MS Updates and installed the RAS role by running these PowerShell commands:

Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

Install-WindowsFeature Routing

Once that finishes, you can go ahead and set up the “Router” feature.

Server Manager Remote Access

With Remote Access Highlighted, click “More” which will then launch the details and you can launch the wizard.

Configure Remote access

Deploy VPN Only Option.

Routing and Remote access

Routing and Remote Access will Open, right click on the computer name (GATEWAY) and choose “Configure and Enable Routing and Remote Access.”

Routing and Remote Access Server Setup Wizard
Routing and Remote Access Server Setup Wizard

Choose the “NAT” Option.

Routing and Remote Access Server setup Wizard

Pick the External NIC for your public interface.

Routing and remote Access server setup wizard

I’m choosing “Setup later” because these services will be on my DC.

Routing and Remote Access Server Setup Wizard
DC Virtual Machine Connection

Nearly instantly my DC gained internet access by being able to use the router function on the gateway PC.

This is probably the easiest server you’ll be setting up. If you run into any issue, don’t worry, go ahead and set up the DC. Once you set up the DC, you need to remember to come back to the GATEWAY and join it to the domain.


Building a ConfigMgr Lab from Scratch: Step 3 – Certificate Authority https://www.recastsoftware.com/resources/building-a-cm-lab-certificate-authority/ Mon, 18 May 2020 17:58:49 +0000 https://www.recastsoftware.com/resources/building-a-cm-lab-certificate-authority/ This is a bonus, you can do everything you want in your lab without this feature, but guess what, if you're going to do anything that needs HTTPS, having your own Certificate Authority (CA) makes this so much slicker.

The post Building a ConfigMgr Lab from Scratch: Step 3 – Certificate Authority appeared first on Recast Software.

Building a ConfigMgr Lab from Scratch: Step 3

Adding a Certificate Authority

This post is completely optional for your environment.

You can do everything you want in your lab without this feature, but guess what, if you’re going to do anything that needs HTTPS, having your own Certificate Authority (CA) makes this so much slicker.

Creating a CA is straightforward. You pick the role and click next a few times. I’m adding it to my DC, as it’s an easy place to put it.

Add roles and features server roles

You’ll check the box “Active Directory Certificate Services,” which will then pop up this dialog. Click “Add Features.”

Add Roles and Features wizard

This is default.

Add Roles and Features Wizard
Add Roles and Features Wizard

At this point, click “Configure AD CS on the destination server.”

AD CS Configuration

Defaults.

AD CS Configuration
AD CS Configuration
AD CS Configuration
AD CS Configuration Private Key
AD CS Configuration Cryptography

I left the defaults here.

AD CS Configuration CA Name
AD CS Configuration Validity Period
AD CS Configuration Certificate Database
AD CS Configuration Confirmation
AD CS Configuration

OK, so now we have set up and configured our CA. Now let’s create a cert template. In this example, I’ll be creating a certificate template to be used with our Recast Management Server Web Server, which will basically be the same for any web server.

Launch Certification Authority

Launch Certification Authority from the Tools Menu.

Certification Authority Template

Right Click on Certificate Templates and choose Manage.

Certificate Template Console

We’re going to make a duplicate of the Web Server Template to use.

Properties of New Template

I’m going to name it Recast Web Server.

Recast web Server Properties

Under Security I added an AD Group “Web Server Cert Enrollment” and checked the boxes “Enroll & Autoenroll.”

Web Server Cert Enrollment Properties

In AD, this is the group, and the members. I’ve added several servers that might need the cert and one that I know does for sure. Eventually all of these servers will automatically get the certificate because they are set to auto enroll.

Recast Web Server Properties

I also added Certificate Admins and checked the box for Enroll.

Certificate Admins Properties

Anyone in the Certificate Admins group has the ability to enroll this new certificate.

Recast Web Server Properties

Now that this is done, you’ll have to add these certs to “Certificate Templates”. Otherwise you might get this error:

“The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.”

This drove me crazy for a bit, then I realized I forgot a step. Any templates you’ve duplicated and created that you want this CA to be able to give out, you’ll need to add here: [More Info]

Sorry, the names changed. I noticed this after the original post and am appending this from my personal lab.


Now, on the server, you can enroll and add the certificate.

In this example I’ll be having the certificate enrolled on the Recast Management Server which hosts our Recast Enterprise Server Web Service.

Currently it’s using its self-issued certificate, which causes clients to get a warning when you try to connect.

HTTPS Not secure Warning

You can see here that while it’s HTTPS, it gives a “Not Secure” Warning.

Manage Computer Certificates

Go to “Manage Computer Certificates”. On Personal, right click and choose “All Tasks”, then “Request New Certificate.”

Certificate Enrollment
Certificate Enrollment
Certificate Enrollment

At this point you should see the “Recast Web Server” cert available.

Certificate Enrollment

It enrolled successfully.

Certificate Enrollment

Now in the Certificates, you’ll see the cert that was issued by our CA.

Internet Information Services Manager IIS

Now that we have the Cert available, let’s tell our Recast Server’s Site to use our new cert. Open up IIS, choose the Recast Management Server, click Bindings, then click “Edit” and choose the cert that was issued.

Recast Server

And now, from the client, you can see the error is gone and no more prompts.
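The template publishing step that caused the “not supported by this CA” error, and the enrollment that follows, can be checked from PowerShell. This is an added example, not code from the original post; the template short name `RecastWebServer` is an assumption (the post only gives the display name “Recast Web Server”), and the function names are hypothetical.

```powershell
# Added example. Part 1 runs on the CA (the DC in this lab), Part 2 on the web server.
$TemplateName = 'RecastWebServer'                  # assumed short name of "Recast Web Server"
$ServerFqdn   = 'RecastMS.dev.recastsoftware.com'  # from the lab layout

# ---- Part 1: on the CA (ADCSAdministration module) ----
function Publish-LabTemplate {
    param([Parameter(Mandatory)][string]$Name)
    # Get-CATemplate lists only the templates this CA is configured to issue.
    # A duplicated template that is missing here produces the error quoted above.
    if (Get-CATemplate | Where-Object { $_.Name -eq $Name }) {
        return 'AlreadyPublished'
    }
    Add-CATemplate -Name $Name -Force
    if (-not (Get-CATemplate | Where-Object { $_.Name -eq $Name })) {
        throw "Template '$Name' was not published; check its short name in the template console."
    }
    'Published'
}

# ---- Part 2: on the web server (PKI module, elevated session) ----
function Request-LabWebCert {
    param([Parameter(Mandatory)][string]$Template,
          [Parameter(Mandatory)][string]$Fqdn)
    # The stock Web Server template takes the subject from the request, so both the
    # subject and the DNS name are supplied here. The computer account must already
    # hold Enroll permission through the "Web Server Cert Enrollment" group; a new
    # group membership is only picked up after the computer restarts.
    $result = Get-Certificate -Template $Template -SubjectName "CN=$Fqdn" `
        -DnsName $Fqdn -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
    $result.Certificate
}

function Test-LabWebCert {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [Parameter(Mandatory)][string]$Fqdn)
    [pscustomobject]@{
        Thumbprint  = $Cert.Thumbprint
        Issuer      = $Cert.Issuer
        SelfSigned  = ($Cert.Subject -eq $Cert.Issuer)
        # Chain, name and server-authentication check in one call
        ValidForTls = [bool](Test-Certificate -Cert $Cert -Policy SSL -DNSName $Fqdn `
                             -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
        NotAfter    = $Cert.NotAfter
    }
}

# Self-issued certificates left in the machine store, so the old binding is easy to spot
function Get-SelfSignedMachineCert {
    Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -eq $_.Issuer }
}

# Usage:
#   On the CA:      Publish-LabTemplate -Name $TemplateName
#   On the server:  $cert = Request-LabWebCert -Template $TemplateName -Fqdn $ServerFqdn
#                   Test-LabWebCert -Cert $cert -Fqdn $ServerFqdn
#                   Get-SelfSignedMachineCert | Select-Object Subject, Thumbprint, NotAfter
```

The thumbprint reported by `Test-LabWebCert` is the one to pick in the IIS binding dialog.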


So now we have a CA setup and used it to improve the experience on our Recast Management Server. Long term plan is to use it to enable HTTPS only on our CM Server. We’ll get to that in a future post.


Building a ConfigMgr Lab from Scratch: Step 4 – ConfigMgr Server Pre-Reqs https://www.recastsoftware.com/resources/building-a-cm-lab-configmgr-memcm-server/ Sun, 17 May 2020 15:46:13 +0000 https://www.recastsoftware.com/resources/building-a-cm-lab-configmgr-memcm-server/ This is the big one, this is our MEMCM server, so much is happening to setup this server it's going to take a few posts. This post is covering some basics, and the pre-reqs, we'll move into SQL & the actual CM Install in up coming posts.

The post Building a ConfigMgr Lab from Scratch: Step 4 – ConfigMgr Server Pre-Reqs appeared first on Recast Software.

Building a ConfigMgr Lab from Scratch: Step 4

ConfigMgr Server Pre-Reqs

This is the big one. This is our ConfigMgr server, and so much is happening to set up this server that it’s going to take a few posts. This post covers some basics and the prereqs; we’ll move into SQL & the actual CM install in upcoming posts.

Overview:

  • ConfigMgr Server – Current Branch
    • Name: MEMCM.dev.recastsoftware.com
    • LAN 1: Static IP (Internal Lab Network) 192.168.1.200
    • C Drive = 100GB (1 Virtual Disk)
    • D Drive = 50GB (1 Virtual Disk) Used for SQL Database
    • E Drive = 500GB (1 Virtual Disk) Used for DP Content Source Server
    • Memory = 8GB
    • CPU = 4 Cores

No SMS on Drive SMS

Drive layout: a NO_SMS_ON_DRIVE.SMS file is on all drives except the drive that I’m planning to hold the CM Content.

The first thing I’m going to do is save myself a bunch of time and use ConfigMgrPrerequisites Tool – MSEndpointMgr to get my server ready. Because this is my lab server, I’m comfortable installing Microsoft Edge and using that to connect to the internet when I need to download things like this. I would not recommend this in production, and honestly, once this is set up and I’ve created an “Admin Workstation”, I’ll probably remove it as I’ll barely ever connect to the server again.

ConfigMgr Prerequisite Tools

Once I launched the Tool, I installed the Primary Site Pre Reqs.

ConfigMgr Prerequisite Tools

Once this is completed, I go ahead and install the prereqs for the MP & DP roles.

ConfigMgr Prerequisite Tools

On this screen above, I choose Management Point and click Install, then when complete, I choose Distribution Point and click Install. For now, that’s all I plan to set up in my lab, if you have additional roles you want to use, you can add the prereqs now.

Now using this tool, I’m going to extend the AD Schema. The Account I’m logged in with doesn’t have this right, so I need to add an account that does.

ConfigMgr Prerequisite Tools

Using the Directory / Schema tool, I have it detect my DC, then I browse to where I have the file.  I’ve mounted the ConfigMgr ISO as drive F. The tool then so nicely shows me where to browse to so I can connect to the required exe. I also then check the box to use the alternate credentials I created in the last step.

ConfigMgr Prerequisite Tools

Stage Error

BUMMER… ok, so apparently trying to use an account with less privilege is just making it harder on me. New Plan, add my current account (CMAdmin) into Domain Admins while I do the CM Install, then take it back out.  I can do this because it’s a lab… OR you can run this tool directly on the DC using the domain admin account that you used to set up DNS / DHCP. That might be easier still. Same steps, just done on the DC directly.

Schema Extension

No surprise there, making my account domain admin resolved the issue!… but still recommend just doing this on the DC instead of remotely from the CM Server.
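The “take it back out” half of that plan is the part that tends to be forgotten. The following added example (not code from the original post) removes the temporary Domain Admins membership and reports any lab account from the series that still sits in a privileged group; the function names and the list of privileged groups are assumptions.

```powershell
# Added example: run on the DC, or on a machine with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Account names from the series' "Active Directory Accounts" list
$LabAccounts = 'CMAdmin', 'CM_NA', 'CM_DJ', 'CM_CP_Workstations', 'CM_CP_Servers'
# Groups treated as privileged for this check (assumed list)
$PrivGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-LabPrivilegedMembership {
    # -Recursive also reports membership that arrives through nested groups
    foreach ($group in $PrivGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $LabAccounts -contains $_.SamAccountName } |
            ForEach-Object {
                [pscustomobject]@{ Group = $group; Account = $_.SamAccountName }
            }
    }
}

function Revoke-TemporaryDomainAdmin {
    param([string]$Account = 'CMAdmin')
    $direct = Get-ADGroupMember -Identity 'Domain Admins' |
        Select-Object -ExpandProperty SamAccountName
    if ($direct -contains $Account) {
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $Account -Confirm:$false
    }
    # Sessions the account already has open keep the old token until logoff,
    # so sign the account out after revoking.
    $left = Get-LabPrivilegedMembership | Where-Object { $_.Account -eq $Account }
    if ($left) {
        throw "$Account is still privileged through: $(($left.Group | Sort-Object -Unique) -join ', ')"
    }
    "$Account holds no privileged group membership"
}

# Usage, once the schema extension and the CM install are finished:
#   Revoke-TemporaryDomainAdmin -Account 'CMAdmin'
#   Get-LabPrivilegedMembership | Format-Table
```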

ConfigMgr Prerequisite Tools

Now we’ll create the AD Container, avoiding the need to open ADSI Editor and do this manually.

System Management Container

ConfigMgr Prerequisite Tool

Now I’m going to add my configmgr_servers AD Group to the System Management container with full rights.

ConfigMgr Prerequisite Tools

It says success, but can we trust it?

Active Directory Users and Computers

Yes, apparently we can. Everything is here.

ConfigMgr Prerequisite Tools

So let’s finish up the prereqs with the ADK – You also have to choose the WinPE addon for 1903!

ConfigMgr Support for ADK [MS Docs] More info about the ADK [MS Docs]

ConfigMgr Prerequisite Tools

Alright, we’ve got our server in a good place for doing the next thing… setting up SQL.


Building a ConfigMgr Lab from Scratch: Step 5 – Configuration Settings (AD / GPO) https://www.recastsoftware.com/resources/building-a-cm-lab-configuration-settings-ad-gpo/ Sat, 16 May 2020 18:53:41 +0000 https://www.recastsoftware.com/resources/building-a-cm-lab-configuration-settings-ad-gpo/ Along the way when you setup your lab, you'll need to create accounts, groups, gpos, and other things to make life easier. While you want to keep it fairly clean and lean, if you plan to keep this lab around awhile, you'll want a few of these setup:

The post Building a ConfigMgr Lab from Scratch: Step 5 – Configuration Settings (AD / GPO) appeared first on Recast Software.

Building a ConfigMgr Lab from Scratch: Step 5

Configuration Settings (AD / GPO)

Along the way when you set up your lab, you’ll need to create accounts, groups, GPOs, and other things to make life easier. While you want to keep it fairly clean and lean, if you plan to keep this lab around a while, you’ll want a few of these set up.

AD Accounts – MS DOCS

  • ConfigMgr Admin (Both Admin in ConfigMgr & on ConfigMgr Servers)
  • CM_DJ (Domain Join Account, I followed these instructions to create it.)
  • CM_NA (Network Access Account, depending on your setup, you might not need this. I’m hoping to leverage Enhanced HTTP)
  • CM_CP_Workstations & CM_CP_Servers (Client Push Accounts, added to the groups below to be local admins on respective devices)
  • CM_SSRS (add to SQL_Admins, used for the Reporting Services Role)

AD Groups

  • ConfigMgr_Servers (This will contain a list of all ConfigMgr Servers you build, for now just the MEMCM server, used for targeting GPO & Security Rights)
  • SQL_Admins. (Used during the SQL Install to specify the admin rights to the SQL install)
  • ConfigmgrAdmins (This group will be added to the Local Administrators group of all CM Servers)
  • Workstation_LocalAdmins (This group will be added to the Local Administrator group on all Workstations)
  • Server_LocalAdmins (This group will be added to the local Administrators group on all Servers)
  • CM_App_DeployUsers (This group is used as my default group I deploy Apps to.  Any users who are added to this will then see these apps in their software center)
    • I typically add all normal user accounts to this, skipping service accounts.

Group Policies

  • Domain Machine Policy (Applies to all Machines in Domain)
    • Currently used to enable ICMP (Ping) on all Machines
    • Enable Remote Desktop & Open Corresponding Firewall Ports (See Below)
  • ConfigMgr Servers
    • Used to add ConfigMgrAdmins to Local Administrator Group
    • Used to add the file NO_SMS_ON_DRIVE.SMS to C & D Drives
  • All Servers
    • Used to add Server_LocalAdmins to Local Administrator Group
  • All Workstations
    • Used to add Workstation_LocalAdmins to Local Administrator Group

ConfigMgr Servers

Sample of how the GPOs look and how a couple of basic settings are scoped to the CM Server Group.

Active Directory Users and Computers

You’ll want to confirm that the ConfigMgr_Servers group has Full Control of the System Management OU (and that your CM Server is in this group).

Enable Remote Desktop & Firewall Ports for RDC

Remote Desktop and Firewall RDC

Computer Configuration -> Admin Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Allow users to connect remotely using Remote Desktop Services = Enabled

Remote Desktop

Computer Configuration -> Windows Settings -> Security Settings -> Windows Defender Firewall… -> Inbound Rules: Right Click New Rule -> Predefined: Remote Desktop

Building a ConfigMgr Lab from Scratch: Step 6 – ConfigMgr Source Share https://www.recastsoftware.com/resources/building-a-cm-lab-configmgr-source-share/ Fri, 15 May 2020 18:53:41 +0000 https://www.recastsoftware.com/resources/building-a-cm-lab-configmgr-source-share/ This short post will explain how I've set up the Source Share on the Server. The Source Share is where all content sources for Apps / Packages / Updates / Operating Systems / Drivers, etc. will go. It is not the content in the DP, but it's the content that supplies the DP.

The post Building a ConfigMgr Lab from Scratch: Step 6 – ConfigMgr Source Share appeared first on Recast Software.

Building a ConfigMgr Lab from Scratch: Step 6

ConfigMgr Source Share

We’re still setting up Pre-Reqs, but we’re getting closer.

This short post will explain how I’ve set up the Source Share on the Server. The Source Share is where all content sources for Apps / Packages / Updates / Operating Systems / Drivers, etc. will go. It is not the content in the DP, but it’s the content that supplies the DP.

In my Lab, I have the Primary Server host all of the roles, including the Source File Server. I have one large 500GB Drive (Drive E) which will host the DP content and the source share.

The first thing I’m going to do is set up an alias for my CM Server, so if I ever need to move the source share to another server, I can re-point the alias and all is well. To do this, I use the netdom command, a little handy thing that was blogged about HERE.

So on my server, oddly enough I got access denied, yet it seems to have worked.

Administrator Command Prompt

So, I see that it is working with either name, and I also notice that I’m using the wrong IP address, so I’ll update that and test again that both SRC & MEMCM are the same machine.

Administrator Command Prompt

So that’s good, still works!

So now that we have our alias, let’s set up our Source Share. I created a folder in the root of the E Drive called “SRC”. I then share it with “Advanced Sharing”. Since this is my lab, I open it up to all Domain Users, same with Security. This is something you should be locking down much more in production, working with the other teams that will need access to grant only what is needed.

Permissions for SRC
Once again, this is a lab, don’t do this in production.
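
A production-leaning version of the share described above, as an added example (not the author's lab configuration): it scopes share and NTFS rights to two groups instead of Domain Users, then audits both ACLs for broad principals that can write. The E:\SRC path and SRC share name come from the post; the group names, the DEV NetBIOS domain name and the MEMCM$ computer account are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the file server.
# Assumptions (hypothetical names): NetBIOS domain DEV, the two groups below,
# and MEMCM$ as the site server's computer account.
$SharePath  = 'E:\SRC'
$ShareName  = 'SRC'
$Writers    = 'DEV\CM_Source_Writers'   # hypothetical: staff who stage content
$Readers    = 'DEV\CM_Source_Readers'   # hypothetical: read-only consumers
$SiteServer = 'DEV\MEMCM$'              # site server reads sources to build DP content
$Broad      = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'

New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# Share-level ACL: no Domain Users or Everyone entry.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
        -FullAccess 'BUILTIN\Administrators' `
        -ChangeAccess $Writers `
        -ReadAccess $Readers, $SiteServer | Out-Null
}

# NTFS ACL: drop entries inherited from the drive root, then grant explicitly.
icacls $SharePath /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${Writers}:(OI)(CI)M" "${Readers}:(OI)(CI)RX" "${SiteServer}:(OI)(CI)RX" | Out-Null

function Test-BroadPrincipal([string]$Account) {
    # Compare only the account name after the domain prefix.
    $Broad -contains ($Account -split '\\')[-1]
}

function Get-SourceShareFinding {
    # Share entries: any broad principal with more than Read.
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -ne 'Read' -and
                       (Test-BroadPrincipal $_.AccountName) } |
        ForEach-Object { 'SHARE {0} has {1}' -f $_.AccountName, $_.AccessRight }

    # NTFS entries: any broad principal holding write-class rights.
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $SharePath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]($_.FileSystemRights -band $write) -ne 0) -and
                       (Test-BroadPrincipal $_.IdentityReference.Value) } |
        ForEach-Object { 'NTFS  {0} has {1}' -f $_.IdentityReference, $_.FileSystemRights }
}

$findings = @(Get-SourceShareFinding)
if ($findings.Count) { $findings } else { 'No broad principals with write access on SRC.' }
```

Run against the lab configuration from the post (Domain Users on both the share and Security tabs), the audit function is what reports the Domain Users entries.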

Now that we have the share and “Security” setup on it, we can test from another machine, and confirm the alias is working.

Alright, then I like to start to build out the file structure so I can be organized as I start adding content.

SRC Windows Media

This concludes the Source Share Post, one of many in this series.

Just a quick follow-up, in our Right Click Tools, we have several tools to help manage and keep track of Content. [More Info] I often use the ability to right-click on a package, or application and launch explorer right to the source files.


Building a ConfigMgr Lab from Scratch Series

Series Introduction – Building a CM Lab from Scratch

  1. Setting up your Domain Controller
  2. Creating a Router for your Lab using Windows Server 
  3. Certificate Authority – On Domain Controller [Optional]
  4. ConfigMgr Server Pre-Reqs (Windows Features)
  5. Configuration Settings (AD & GPOs)
  6. Source Server (File Share) – You are Here
  7. ConfigMgr SQL Install
  8. ConfigMgr Install
  9. ConfigMgr Basic Settings
  10. ConfigMgr Collections & App Deployment
  11. ConfigMgr OSD
  12. ConfigMgr Reporting Services
  13. Cloud Management Gateway (CMG) – Certs PreReq
  14. Cloud Management Gateway (CMG) – Azure Subscription
  15. Azure Services Connection
  16. Setting up CMG in the Console
  17. Cloud Management Gateway (CMG) – Post CMG Config
  18. Cloud Management Gateway – Client CMG Endpoints

Building a ConfigMgr Lab from Scratch: Step 7 – Installing SQL for ConfigMgr https://www.recastsoftware.com/resources/building-a-cm-lab-configmgr-memcm-installing-sql/ Thu, 14 May 2020 18:53:41 +0000

Building a ConfigMgr Lab from Scratch: Step 7

Installing SQL for ConfigMgr

This is the “favorite” part of setting up your CM Server, Installing SQL. I dislike it so much that I’ve stolen a script to make it less painful.

So far, we’ve got our Gateway, DC, and started to set up our ConfigMgr Lab Server. In this installment, I’ll be going over the SQL install for CM… on the box.

So to make this process easier and shinier, I’m stealing a page out of Johan’s book. Well, it’s actually an unattended file from his blog, but you get it. Step by step, you can follow this process based on SQL 2016.
Please note that, depending on the version of SQL you install, it’s going to be different. I’m using 2019, which does not have Reporting Services, and will do a future post talking about Reporting Services setup for CM.

I copied his unattended file, changed several of the paths from the drive letters he had to drive D:, and then replaced the group viamonstra\administrators with dev\SQL_Admins.

That worked so nicely, quickest way to install SQL I’ve ever done. Here are the parts I changed:

MEMCM Installing SQL
And after the process finished, which felt so fast I didn’t think it ran… but when I checked…
Uninstall or Change Program
Look, it’s all there. Just need to download and install SSMS.

So I’ve downloaded SQL Server Management Studio from HERE, let’s get it installed.

Well, that was easy.

Now back to the wonderful prereq tool to do a couple of additional items. We can use this tool to confirm that SQL is up and running and set a few settings.

First we point at the server with SQL installed, which happens to be the local host.
I’m using the tool to set the DB to 8GB, adjust for your environment.
And success!

Confirming the Collation we set in the unattended, we’re good.
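
A post-install check for the two things changed through the unattended file, as an added example (not part of the original post or of the unattended file it borrows): it reads the server collation, which ConfigMgr requires to be SQL_Latin1_General_CP1_CI_AS, and lists the sysadmin members so that anything other than the intended admin group and the service accounts stands out. It assumes a default instance on localhost, Windows PowerShell on the SQL server, and dev\SQL_Admins as the admin group.

```powershell
# Added example, not from the original post. Run on the SQL server as a sysadmin.
# Assumptions: default instance on localhost; admin group named dev\SQL_Admins.
$Expected = @{
    Collation  = 'SQL_Latin1_General_CP1_CI_AS'   # collation ConfigMgr requires
    AdminGroup = 'dev\SQL_Admins'
}

function Invoke-SqlQuery([string]$Query) {
    # Integrated auth through System.Data, so no extra SQL module is needed.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        'Server=localhost;Database=master;Integrated Security=SSPI')
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table          # leading comma keeps the DataTable from being unrolled
    } finally {
        $conn.Dispose()
    }
}

$collation = (Invoke-SqlQuery "SELECT CONVERT(sysname, SERVERPROPERTY('Collation')) AS c").Rows[0].c

$sysadmins = (Invoke-SqlQuery @"
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
"@).Rows

# Service SIDs and the built-in sa login are expected; everything else gets reviewed.
$review = $sysadmins | Where-Object {
    $_.name -ne $Expected.AdminGroup -and
    $_.name -notlike 'NT SERVICE\*' -and
    $_.name -ne 'sa'
}

[pscustomobject]@{
    Collation            = $collation
    CollationOk          = ($collation -eq $Expected.Collation)
    AdminGroupIsSysadmin = [bool]($sysadmins | Where-Object { $_.name -eq $Expected.AdminGroup })
    ReviewTheseLogins    = @($review | ForEach-Object { $_.name })
}
```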

Now at this point, things are progressing nicely, let’s install WSUS. We needed to have SQL installed first, and now we can install WSUS to use the SQL Database.

The WSUS Tab
And now WSUS is installed.

After you’ve done the WSUS setup in PreReq Tool, you can finish the setup on the Server.

I’ve placed the WSUSContent onto my E (Storage) Drive.

Ok, so now we have everything ready to install ConfigMgr on this Server. Overall, not bad, pretty easy thanks to the community. Next we’ll start installing MEMCM!


Building a ConfigMgr Lab from Scratch: Step 8 – ConfigMgr Install https://www.recastsoftware.com/resources/building-a-cm-lab-configmgr-install/ Wed, 13 May 2020 18:53:41 +0000

Building a ConfigMgr Lab from Scratch: Step 8

ConfigMgr Install

We’ve been building up to this one, all the ground work has been laid. Let’s install ConfigMgr.

Troubleshooting… when I went to install ConfigMgr I found that my Schema was NOT extended, even though I thought it was. So I did it manually on the DC itself following the directions on Docs.

The latest version that was available when I wrote this post was 1910, however the download available was 1902… so we’ll install 1902 and then update it.

For my Lab, this is my first CM Server and it is the Primary.
Directing the PreReqs that CM downloads to my storage drive.
Pick your 3 digit site code. Do NOT use 000… Start with a letter, and make it “flow” on your keyboard, as you’ll be typing it a lot in the future. Select your Site Name, just something that makes sense. Feel free to direct the install to a custom location; I’m using the default here.
You’ll want to set this up, as this will be how we update it to 1910.
This is good, you don’t want it to find anything. If it does, you’ll need to resolve them first.
This can take a while.
And you’re done. Your CM Server should be set up to the point it’s operational to launch the console.
Checking out the Monitoring tab, you can see how it’s going.
So I ran the 1910 upgrade under Administration -> Updates and Servicing, now to run the HotFix Rollup.

I’d recommend not doing a bunch of the settings until you’ve set up 1910 and the hotfix. I had started to configure things, just to have the changes lost, or new features pop up that I needed to reconfigure.

In the next post, I’ll go into getting things set up now that you have a CM Primary Site.


Building a ConfigMgr Lab from Scratch: Step 9 – ConfigMgr Settings Setup https://www.recastsoftware.com/resources/building-a-cm-lab-configmgr-settings-setup/ Tue, 12 May 2020 18:53:41 +0000

Building a ConfigMgr Lab from Scratch: Step 9

ConfigMgr Settings Setup

We now have CM installed, and we need to get some basic settings configured to make it work.

Things we need to do now that we have a server

Hierarchy Settings

Hierarchy Settings Properties
I didn’t change much, but I did check to Use a fallback site, Consent to pre-release features, and Enable admin service. Probably won’t need the fallback set in this small lab, but doesn’t hurt. The other two are for future testing/dev in the lab
Hierarchy Settings Properties
On the Client Upgrade tab, I’ve checked the box to upgrade all clients automatically (ACU)

In the Site Settings:

Recast Software Dev Site Properties
I’ve checked the box for using CM-generated certs. (Enhanced HTTP)

Discovery Settings

Discovery Method Administration
I’m picking these 4 methods and pointing them to my “DEV” OU
Add Active Directory Location
For Groups, this will pull in any custom groups I’ve created in the DEV OU
Active Directory Container
Systems in the DEV OU (Servers & Workstations)
Active Directory Container
Users in the DEV OU

Distribution Point Settings (And DP Groups)

In Administration, Site Configuration, Servers, and Site System Roles, get the properties of the DP Role

Distribution Point Properties
I’ve enabled BranchCache and LEDBAT because they are great. 🙂 I’ve also enabled Connected Cache (previously DOINC).
Distribution Point Properties
I’ve enabled “Allow clients to connect anonymously”. If you don’t have a Network Access account you’ll need this.  I personally also don’t have any private/sensitive business data that ever goes to a DP, so I’m not worried about it.

With a DP, you’ll want to add it to a DP Group. Makes life easier in the future if you add DPs, Replace DPs, or just generally during deployments.

Create New Distribution Point Group
I’ve created a DP Group called “Lab DPs”
add Distribution Points
Added my DP Server (currently my only CM Server) to the DP Group

Boundaries and Boundary Groups

By default, you’ll have the Default Site Boundary Group.  Machines in this Group will be assigned your Site Code (DEV).  By default, there are also no servers servicing this group, so I’ve added our server. At this point for OSD, I did not need to make any additional boundaries or groups, however, when I went to install apps, I had trouble until I created a boundary and group.

Default Site Boundary Group
Default Site Boundary Group Properties
I’ve left this default blank
Default Site Boundary Group Properties
I’ve added the CM Server
Default Site Boundary Group Properties
I left these the default. For now, this is fine, and rarely in a lab would you need to change this.
OSD Boundaries
By default there are no Boundaries, which worked fine for OSD for me, but not so well on my Apps.

Create Boundary Groups
Created a Subnet Boundary Group based on my lab’s IP Subnet
Create Boundary Groups
I then created a Boundary Group and selected my new Boundary. On the next screen, I add our CM Server
create Boundary Groups
As you can see the Group I’ve created has 1 Member & 1 Site System.
Administration Boundary groups
I check the box for “Use this boundary group for site assignment” and also confirm my CM Server is there

Client Settings

This is very basic and just enough to get you going and add a little pretty to the experience.

Client Cache Settings
I’m having CM Configure BC & Enabling it. However, for more control and tuning I’d recommend using the 2Pint Software FREE downloads which will do this for you.
Computer Agent Default Settings
I’ve set up a few of these things including the “Branding” of our Company, and also set PowerShell to Bypass
Software Center Default settings
In Software Center, I’ve continued to add additional branding

That’s actually it, for now, I’ll come back later and set up Remote Control among other things.  But just to get this lab going, I don’t care as much about those for now.

Accounts

Software distribution Component Properties
I’ve set up a Network Account. This account only has rights to the Source Share. It is also blocked from interactive logon on any machines (set in ADUC). Personally, I’d NOT create this account until you run into a situation where you need it.
I was trying to apply a WIM Directly from the DP (Without downloading during OSD), and that seemed to not work until I did this. However, since that isn’t the normal way for OSD, I’d suggest you see how far you can go without adding this.
