Written by Paul Hill on June 6, 2020
Paul Hill is the founder of ServerAcademy.com and IT instructor to over 500,000 students online!
This tutorial will show you how you can install SCCM 1902 in your production or test network at home. We are going to keep things as simple as possible while still explaining all of the details that you need to successfully complete the installation.
Version of the ADK
It’s important to know that Configuration Manager (AKA SCCM) is only compatible with certain versions of the ADK (along with other things like SQL Server). You can refer to the chart below if you are installing a different version of SCCM or the ADK to see if it will work:
Download Installation Files
In order to install SCCM version 1902 you will need to download the following files:
Note: This is only a requirement if you’re setting up your own IT lab and not using the ServerAcademy IT Labs
In this lecture we are going to download the required software to install SCCM version 1902 with Endpoint Protection. Most of the time you cannot directly install the latest available version of SCCM, but instead need to install a version or two before the lastest and then complete an in-console upgrade.
This is the software that we will be using:
- ADK for Windows 10 version 1809, 10.1.17763.1
- ADK PE Add-Ons for Windows 10 version 1809, 10.1.17763.1
- SQL Server 2017
- SQL Server Management Studio
- SQL Server Reporting Services for SQL Server 2017
- SCCM with Endpoint Protection version 1902
Download all of these files on to your SCCM server for installation in the following lectures.
Installing the ADK
Now we need to install the ADK on our SCCM server. You should already have downloaded the adksetup_1903.exe and adkwinpesetup_1903.exe.
Let’s start by launching the adksetup_1903.exe installer file.
Click Next and and then decide whether or not you want to send anonymous usage data to Microsoft then click Next
Click Accept on the license terms…
Select the Deployment Tools and User State Migration Tool (USMT) and click Install.
Click Close when the installation is complete.
Next launch the adkwinpesetup_1903.exe installation:
This will be the exact same presses before. Click Next until you get to the install page, then click Install.
Click Close when the installation is complete.
Now we are done installing the ADK and ADK PE.
Create the System Management Container
We are going to create the System Management Container that System Center Configuration Manager is going to use to store information important to SCCM like:
- Client computer installation and site assignment
- Port configuration for client-to-server communication
- Network Access Protection
- Content deployment scenarios
You may refer to this article for more information about the System Management Container.
Log in to your Domain Controller and click the Windows button then search for and launch ADSI Edit.
In the ADSI Edit console, right-click ADSI Edit at the top and select Connect to then click OK to connect to your domain. Usually the default settings are correct, but if you need to specify an alternate server you can before clicking OK.
Within the left pane, left-click the “Default naming context”, then expand your domain name (in my case, serveracademy.com), right-click CN=System and select New > Object.
Select the container class and click Next. Under the Value textbox, enter the name “System Management”.
Click Next, then click Finish.
Alternatively, we can create the container with the Windows PowerShell commands below when we run the PowerShell console as an administrator:
Import-Module ActiveDirectory # Import AD module
$Container=”CN=System,”$((Get-ADDomain).DistinguishedName)” # Get container DN
New-ADObject -Name “System Management” –Type Container -Path $Container # Create Container
Grant Full Container Permissions to SCCM Server
Now we need to grant full control permissions of the System Management container to the SCCM computer account.
To do this we need to right-click our System Management folder and click Properties
Go to the Security tab and click Add
We need to include computer accounts in our search so we can find the SCCM computer. Click Object Types:
Select the checkbox next to Computers:
Now search for SASCCM01 and click Check Names, and then click OK:
Click the Full control checkbox, then click OK.
Next click Advanced, select the SCCM server and click Edit:
Change the Applies to drop down box to This object and all descendant objects:
Click OK on both Security Settings windows and close ADSI edit:
And that’s it!
Creating Domain User Accounts for SCCM
Log in to your domain controller (in my case SADC01) and within Server Manager, click Tools > Active Directory Users and Computers:
Next, navigate to where you would like to store the domain user accounts for our SCCM installation. For my scenario, I am going to place everything under ServerAcademy.com > ServerAcademy:
Inside of the Service Accounts OU, create the following user:
I am going to configure the users password to never expire. This is generally a bad security practice and in a real production network you should be constantly cycling secure passwords. If you don’t check this checkbox and the account password expires then the service that uses the service account will be broken until you fix the password.
I am going to use “Pa$$w0rd” as the password and I will create the user account.
Inside of the Groups OU, create the following groups:
- SQL Admins
- SCCM Admins
Next, open the “SQL Admins” group and add the appropriate members that you wish to be able to administrate your SQL server. I am going to include the following user accounts I have in my domain:
Next do the same for the “SCCM Admins” security group. In my case I am going to use the same two accounts since I am in my lab environment:
In theory we could use a single group for SCCM and SQL, but in a real production network you might have database admins that ONLY need access to the SQL server databases and SCCM admins that do not need to access the SQL server database.
Configure Service Account GPO settings
Next we need to grant the “Log on as a service” right to our SQLService account. There are a couple of methods we could use to accomplish this task:
- Group Policy from our AD Server
- Local Group Policy on our SCCM Server (gpedit.msc)
We are going to use method #2…here’s why. If we configure the settings from our domain group policy using method #1, those settings will take precedence over our local group policy which will overwrite the automatically configured user accounts.
When we install the IIS roles on our SCCM, it will automatically configured the “Log on as a service” local group policy setting with a few IIS user accounts as shown in the photo below:
If we configure our domain Group Policy to include “ServerAcademy.com\SQLService”, that GPO setting will take precedence over (overwrite) these locally configured settings which will break things on your server. One example issue you might experience is the inability to install server roles and features.
Now let’s open the local group policy on the server by clicking the Windows button and typing “gpedit.msc”.
Navigate to the path below and right-click Log on as a service, then choose Properties:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service
Next click Add User or Group
Search for and add the SQLService user account we created earlier then click OK
As an FYI – Once we install all the server roles for SCCM, this setting will be updated the show those listed below:
And that’s it! We are done creating and configuring the domain accounts that we need to install SCCM and SQL server.
Extending the Active Directory Schema
Extending the Active Directory Schema involves creating new structures to Active Directory that Configuration Manager sites use to store important data that clients need to access. This data simplifies client deployment and configuration and helps clients locate SCCM site resources.
While it is possible to avoid extending the Active Directory schema by using DNS and WINS, this method is generally avoided in favor of simply extending the Active Directory Schema with the automated script that is provided in the SCCM installation files.
Locating your Schema Master Server
To get started, first log in to your Active Directory Domain Controller that has the Schema Master FSMO role. If you’re unsure of how to find your locate your domain Schema Master server, open PowerShell or Command Prompt as an administrator on any Windows Server in your domain and execute the command below:
netdom query fsmo
Based on the output of the command above I can see that my Schema Master server is SADC01 – so I will log in to that server to extend the Active Directory Schema.
Copy extadsch.exe to Schema Master Server
Now that we have located the Schema Master Server, let’s copy the utility that will extend our AD schema over to our Schema Master Server.
On the SCCM server, log in and locate your installation file “SC_Configmgr_SCEP_1902.exe”. Running that will extract the installation files to the C drive by default. Click Unzip and wait for it to complete.
On the C:\ drive, create a new folder and name it “Share”. Next navigate to “C:\SMSSETUP\BIN\X64” and copy the files listed below to C:\Share
Now let’s go back to the C drive, right-click the new “Share” folder and click Properties. Navigate to the Sharing tab and click Advanced Sharing:
Click the Share this folder checkbox, then click Permissions and grant Full Control to the SERVERACADEMY\Administrator account:
Click OK to close all of the windows then log back in to your Schema Master server. Open Windows Explorer and navigate to “\\SASCCM01\Share”. Here you should see the extadsch.exe script that we just copied from the SCCM install files to the new shared folder:
Copy those three files to the C:\ drive. Next hold shift, right-click the file and select Copy as path:
Open Command Prompt as an administrator, right-click in the console to paste the path and press enter:
The process should be relatively quick, and once it completes we want to review the log that is generated (in our case on the C drive) when it is complete. Look for ExtADSch.txt which should contain the line below:
“Successfully extended the Active Directory Schema.”
And now we are done extending the schema and are ready to move on to the next step.
Installing SQL Server 2017
In our lab we are going to install SQL Server 2017 Cumulative Update 2. Feel free to use an update newer than CU2, but that is the minimum you must install in order for it to be compatible with SCCM. Below is a table that you may reference for a list of supported versions of SCCM 1902 and SQL:
|SQL Server||Edition||Min Cumulative Update|
|SQL Server 2017||Standard, Enterprise||CU2|
|SQL Server 2016 SP1, SP2||Standard, Enterprise||Not CU Required|
|SQL Server 2016||Standard, Enterprise||Not CU Required|
|SQL Server 2014 SP1,SP2,SP3||Standard, Enterprise||No CU Required|
You should have already downloaded the SQL Server 2017 executable, so at this point launch the installation file.
This will prompt use to extract the installation files. I am going to place them on the C:\ drive.
Also keep in mind that we will need to immediately update to cumulative update 2, so you may begin that download now while you wait from https://catalog.update.microsoft.com (search SQL 2017 Cumulative Update 2) if you have not downloaded it already. Please keep in mind for lab users this is pre-downloaded to the lab VM.
Once the SQL Server Installation Center opens, click New SQL Server stand-alone installation text:
If you have a product key, you may enter it now or choose to use the free evaluation edition and click Next. Agree to the license terms and click Next again. On the Microsoft Update page, click the checkbox next to Use Microsoft Update to check for updates, and click Next:
There will be a prerequisite check completed and you may see a warning about the Windows Firewall, this is ok and is generated when you have the Windows Firewall enabled (as it should be).
Click Next. Check the Database Engine Services checkbox and If you are installing a version older than SQL Server 2017, select the Reporting Services – Native checkbox as show below:
In version 2017+, SQL Server Reporting Services can only be installed through a separate installer file which we will install later on. For now, check the Database Engine Services checkbox and click the Download it from the web link to being the Reporting Services installer download.
Important: If you’re using the ServerAcademy.com lab, we have already downloaded the installer file and placed it on the SCCM server under C:\SCCM Install Files\SQL Server 2017\SQLServerReportingServices.exe
Alternatively you can download it from this URL: https://www.microsoft.com/en-us/download/details.aspx?id=55252
If you download it now you can skip downloading it after the SQL installation is complete. We will install the Reporting Services immediately following the SQL Server 2017 installation.
Click Next. You may change the instance name or ID if you’d like – but we will use the defaults and click Next:
Click the drop-box next to the account names and click Browse. Note that you MUST change the account for the SQL Server Agent away from the default NT Service account.
We are going to use the SQLService account we created earlier. Make sure you enter the passwords for the accounts.
Next click the Collation tab and verify that your database engine is using the SQL_Latin1_General_CP1_CI_AS collation setting.
Note: The default server collation setting SQL_Latin1_General_CP1_CI_AS is based upon your Windows Server Locale Settings. Simply stated if you are from the United States and you have your Windows Server Locale set correctly (United States -English), when you install SQL server your Server Collation settings by default will reflect SQL_Latin1_General_CP1_CI_AS. If you are from a Non-US English or even UK-English speaking country please verify this setting.
Click Next. On Database Engine Configuration page you can set up your authentication to the server.
Note: Be SURE you add the local administrator account (SASCCM01\Administrator) as well as the domain administrator user and the SQL Admins group:
If you need to change the authentication mode, data directories or any other settings you can do so now – but for our needs the default will work fine. Click Next to continue.
The next screen is a summary of everything that will be installed. Click Install to begin the installation.
Just wait for the installation progress to reach 100%:
Installing SQL Server Reporting Services
If you haven’t already downloaded Reporting Services, you need to download it now. If you’re using our IT labs, you may find the files pre-downloaded in the SCCM installation folder under the C drive. If not and you haven’t downloaded the installer yet, go back to the SQL Installation Center and selecting Install SQL Server Reporting Services:
This will take you to the Microsoft Download page where you can download the installation file:
Download and launch the installation:
Choose the correct edition or select Evaluation and click Next:
Agree to the license terms and click Next:
The next page will state that we must have first installed SQL Server. Click Next to continue:
Click Install to begin the installation:
This should be a pretty quick installation. Once complete, click the Restart button to complete the installations:
The server will now reboot.
Installing SQL Server 2017 Cumulative Update 2
If you did not chose to install the latest updates when you install SCCM, then you’ll need to at least install Cumulative Update 2.
If you think you may already have a newer version than CU 2 installed, you can verify the update number by connecting to the server with SQL Server Management Studio. Connect with the Object Explorer. This will show the version information in parentheses along with the username you used to connect to the database intance.
Once the initial extraction is complete, you may begin the installation. Accept the license terms and click Next until you reach the Check Files in Use::
The Check Files in Use will alert you if you need to stop services to avoid having to reboot your server. In my case, I need to stop the following processes:
Search for and launch the Services console:
Locate and right-click the SQL Server Reporting Services service and select Stop:
Go back to the installation and select Refresh check and there should be no more warnings:
Click Next to continue, and finally click Update. The update will now begin and we just need to wait for it to complete:
Once the update is complete, make sure all the status’ read Succeeded and click Close:
Go ahead and start the SQL Server Reporting Services service from the Services console:
Installing the Microsoft SQL Server Management Studio
Launch the SSMS-SetupENU.exe and click Install:
This will begin the installation so we just need to wait for it to complete:
Once the installation is complete, you will need to reboot the server again. Click the Restart button to complete the restart:
Configure Windows Firewall to Accept SQL Traffic
SCCM will need to communicate to our SQL server over TCP port 1433. If you chose to install SQL Server on the same server as SCCM, you may disregard this section.
If however, you installed SQL Server on a different server than you plan to install SCCM (like in our case and in our lab), you need to open TCP port 1433 on the SQL server (SASQL01) so it can accept network traffic on that port from SASCCM01.
To allow this traffic over TCP 1433 we will create a new GPO just like we did for the “SQLService Logon as a Service” GPO. Log in to a domain controller and within Server Manager, open Group Policy Management:
My SQL server is located inside of the ServerAcademy.com > ServerAcademy > Member Servers OU, so I am going to right-click this OU and select Create a GPO in this domain, and Link it here…
I am going to name my GPO SQL Server TCP 1433 Exception Rule and I’ll click OK:
We only want this GPO to apply to our SQL Server and not other member servers. We can accomplish this by editing the Security Filtering of the GPO. Left-click the GPO, and under Security Filtering select Authenticated Users and Remove. Click OK when you are prompted.
Now click Add. Click Object Types and add Computers before searching for SASQL01 and clicking Check Names:
Click OK to and now we can see this GPO will only apply to SASQL01.
Now right-click the GPO and select Edit:
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Windows Defender Firewall with Advanced Security and right-click Inbound Rules and select new rule:
On the first screen, chose Port and click Next:
Enter port 1433 and click Next:
Click Next until you get to the Name page:
Enter the name “SQL Server 2017 1433 TCP Inbound” and click Finish. Close out of the Group Policy Management Editor.
Log back into the SQL Server and open Command Prompt by click the Windows button and searching for CMD:
Run “gpupdate /force” and wait for it to complete
Next, execute the command “gpresult /r /scope computer” to look under Applied Group Policy Objects to see if the new SQL Server Firewall GPO is applied:
In server manager, click the blue text next to Windows Defender Firewall:
Next click Advanced settings
Now click Inbound Rules and we can see the new rule is applied.
Verify Connectivity from SCCM server to SQL server
We can test the connectivity by running the following PowerShell command from our SCCM server:
Test-NetConnection -ComputerName “SASQL01” -Port 1433
If this command fails then that means we need to configure the firewall to accept TCP connections from the SCCM server on port 1433.
Installing SCCM Dependent Windows Server Roles
Now we are going to install the Windows Server Roles that SCCM requires before installation. Log in to your SCCM server and open Server Manager.
Click Manage > Add Roles and Features:
Click Next until you get to the Server Roles page, then select Web Server IIS and Windows Server Update Services.
Select Web Service (IIS) and Windows Server Update Services roles. Be sure to click Add Features when you get the popup
Click Next. On the Features page, enable the following features:
- Net Framework 3.5/4.5 Features (all sub features)
- BITS (all sub features)
- Remote Differential Compression
Now click Next. Depending on which Role you selected first, you might get to the IIS or WSUS page first. When on the Web Server (IIS) Role Services page, be sure the following role services are enabled:
- ASP.NET 3.5 / 4.5 / 4.7
Management Tools > IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility
- IIS 6 Management Console
- IIS 6 Scripting Tools
- IIS 6 WMI Compatibility
Click Next until you get to the WSUS Role Services page. Uncheck the WID Connectivity and select the SQL Server Connectivity and click Next:
Place the WSUS content in the “C:\wsus_content” folder and click Next:
For the DB Instance enter the name of your SQL server (mine is the localhost, SASCCM01) and click Check connection:
Now click Next and Install:
This installation will take a few moments so we just need to wait for the installation to complete.
Once the installation is complete, click the Close button. Disregard the triangle In the top right hand corner of Server Manager.
It’s the prompt to complete the WSUS installation. We will be allowing SCCM to configure and manage the WSUS role.
Installing System Center Configuration Manager
To install SCCM, we want to be sure we are logged in to the SCCM server as a domain administrator user account.
Do NOT attempt this installation by using the local admin account (SASCCM01\Administrator).
We previously ran SC_Configmgr_SCEP_1902.exe and extracted the installation files to the C drive. Open that folder and run splash.hta to begin the install:
Click the Install button to get started with the installation”
Here we are going to have a few notes about tasks we should have completed before we attempt to install SCCM. Click Next:
On the next screen we need to select one of the available setup options. Check the checkbox next to Use typical installation options for stand-alone primary site. Click Yes at the popup.
A Configuration Manager central administration site (CAS) and all the other options are only appropriate when we have other SCCM servers created – which we currently do not. Click Next to proceed to the next page.
You will see a popup like this when you click Next, simlpy click Yes to confirm your choice. Now you may enter your license key or chose to install the evaluation edition and click Next.
Accept the license terms and click next:
Now specify a download path for the SCCM prerequisite files. I am using “C:\sccm_prerequisite_files”.
Note: if you’re using the ServerAcademy IT labs, we have predownloaded the files to the c:\SCCM Install Files folder:
Keep in mind that you need to create the folder if it does not exist just yet so go ahead and do that now. Click Next.
The download will now begin and we need to wait for it to complete:
Once the download is complete you we need to define some site information. I am going to use “SA1” as the site code and site name of “Server Academy Site” and click Next.
Click next again through the Diagnostic and Usage Data window:
Leave these settings at default and click Next:
Click Next again:
Now the setup is going to run through a prerequisite check before completing the install.
NOTE: I am getting these errors:
If you get a failed message about the SQL Server Tcp Port, this is an easy problem to fix.
To fix this, launch the SQL Server 2017 Configuration Manager:
Navigate to SQL Server Network Configuration > Protocols for MSSQLSERVER. Right-click TCP/IP and select Enable.
You will receive a message stating that you ned to restart the service before it will take effect.
Navigate to SQL Server Services and right-click SQL Server (MSSQLSERVER) and select Restart.
Go back to the SCCM installation and click Run Check and the error will be gone:
Next click Begin Install. Once the installation launches it is just a waiting game. You’ll notice that in the image below it shows 3 hours in the elapsed time – don’t worry – that was just because I paused the IT lab after starting the install so it appears to have been running longer than it actually did.
Click the Windows button and right-click the Configuration Manager Console, then pin it to the taskbar.
And now we are done! The SCCM console will open and you can start getting to work with SCCM.
If you’re looking for more training on SCCM you should consider joining our platform as we have an entire module dedicated to SCCM administration!
Free trial to boost your IT skills
Learn from over 220 video lessons, interact with the Server Academy community!