Using Client Push Installation on UNTRUSTED FOREST systems with ConfigMgr 2012

Last week my post was about using the Client Push Installation on WORKGROUP systems, and this week's post is a sort of follow-up: using the Client Push Installation on UNTRUSTED FOREST systems. The method of last week also works on UNTRUSTED FOREST systems, but the nice thing about ConfigMgr 2012 is that there are now better options for them. The systems and domain(s) of the UNTRUSTED FOREST can be discovered and, to make it even better, the site can even publish its information to the Active Directory of that forest!

Prerequisites

Before it is possible to use the Client Push Installation on UNTRUSTED FOREST systems, there are a few things to keep in mind. The following points are prerequisites; apart from the Active Directory Forest and the Active Directory System Discovery, they are not further explained in this post:

  • The FQDN of the Management Point system can be resolved on the UNTRUSTED FOREST systems.
  • The UNTRUSTED FOREST (its domain(s) and domain controllers) can be resolved on the site server.
  • The Active Directory schema of the UNTRUSTED FOREST is extended for ConfigMgr.
  • The Client Push Installation Account has local administrative rights on the UNTRUSTED FOREST systems.
  • The UNTRUSTED FOREST is added as an Active Directory Forest in the console.
  • Active Directory System Discovery is enabled and configured to find the UNTRUSTED FOREST systems.

Pre-configuration

Normally I leave the prerequisites for what they are, but in this case everything stands or falls with the configuration of the Active Directory Forest and the Active Directory System Discovery. So I will first show, in two steps, how to pre-configure the Active Directory Forest and the Active Directory System Discovery, before showing how to configure the Client Push Installation.

The first step is to add the UNTRUSTED FOREST as an Active Directory Forest, so the site can also publish its site information to that Active Directory. That can be done by following the next steps:

  • Navigate to Administration > Overview > Hierarchy Configuration > Active Directory Forests.
  • In the Home tab, click Add Forest and the Add Forest popup will show.
  • On the General tab, fill in Domain suffix <aDomainSuffix>, select Use a specific account and Set <aAccount>.
    • Note: <aAccount> needs the appropriate security rights to write to the System Management container in the Active Directory of the UNTRUSTED FOREST (typically Full Control on that container and all child objects).
  • On the Publishing tab, select <aSite> and click OK.

The second step is to configure the Active Directory System Discovery, so it can discover the systems from the UNTRUSTED FOREST. That can be done by following the next steps:

  • Navigate to Administration > Overview > Hierarchy Configuration > Discovery Methods and select Active Directory System Discovery.
  • In the Home tab, click Properties and the Active Directory System Discovery Properties will show.
  • On the General tab, click the New (yellow star) icon and the Active Directory Container popup will show.
  • Fill in Path <aLDAPPath> (an LDAP path inside the UNTRUSTED FOREST), select Specify an account, Set <aAccount> and click OK.
    • Note: <aAccount> needs the appropriate security rights to read (discover) objects in the Active Directory of the UNTRUSTED FOREST.
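As an added example (not part of the original post), the following PowerShell script checks the Active Directory side of these prerequisites from the site server: that the untrusted forest resolves, that its schema carries the ConfigMgr extension, which rights the publishing account has on the System Management container, and, once the forest has been added and publishing has run, whether a site object for this site exists. It uses plain ADSI/.NET so it runs on Windows PowerShell 2.0 without the ActiveDirectory module. The forest name, account and site code are assumptions.

```powershell
# Added example, not from the original post: pre-flight checks for an UNTRUSTED FOREST, run on
# the site server. Forest name, account and site code below are assumptions; replace them.
$ForestFqdn = 'untrusted.example'            # assumed DNS suffix of the untrusted forest
$Account    = 'UNTRUSTED\svc-cm-adpub'       # assumed account used for discovery/publishing
$SiteCode   = 'P01'                          # assumed site code
$secure     = Read-Host -Prompt "Password for $Account" -AsSecureString
$plain      = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

function New-LdapEntry([string]$Path) {
    # Bind as the publishing account, so every check reflects THAT account's rights, not ours.
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$ForestFqdn/$Path", $Account, $plain,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $entry.psbase.RefreshCache()      # forces the bind now, so a failure surfaces here
    return $entry
}

# 1. Name resolution of the untrusted forest from the site server.
try {
    $ip = [System.Net.Dns]::GetHostAddresses($ForestFqdn) | Select-Object -First 1
    Write-Host "DNS    : $ForestFqdn -> $($ip.IPAddressToString)"
} catch { Write-Warning "DNS    : cannot resolve $ForestFqdn from this server"; return }

# 2. Schema extension. ExtADSch.exe adds, among others, the class MS-SMS-Site and the
#    attribute MS-SMS-Site-Code; if either is missing, the forest is not extended.
$schemaNc = (New-LdapEntry 'RootDSE').psbase.Properties['schemaNamingContext'].Value
foreach ($cn in 'MS-SMS-Site', 'MS-SMS-Site-Code') {
    try   { $null = New-LdapEntry "CN=$cn,$schemaNc"; $state = 'present' }
    catch { $state = 'MISSING' }
    Write-Host ("Schema : {0,-17} {1}" -f $cn, $state)
}

# 3. The System Management container and the account's rights on it.
$domainDn = 'DC=' + ($ForestFqdn -replace '\.', ',DC=')
$smDn     = "CN=System Management,CN=System,$domainDn"
try   { $sm = New-LdapEntry $smDn }
catch { Write-Warning "ACL    : $smDn is missing or not readable by $Account"; return }

$userOnly = $Account.Split('\')[-1]
$direct = @($sm.psbase.ObjectSecurity.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$userOnly" })
if ($direct.Count -eq 0) {
    Write-Warning "ACL    : no ACE names $Account directly on $smDn; if the rights come via a group, verify that group instead"
} else {
    foreach ($ace in $direct) {
        Write-Host ("ACL    : {0} for {1} (inheritance: {2})" -f $ace.ActiveDirectoryRights, $ace.IdentityReference.Value, $ace.InheritanceType)
    }
}

# 4. After the forest is added and publishing has run, a site object of class mSSMSSite
#    carrying this site code should exist under the container.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($sm)
$searcher.Filter = "(&(objectClass=mSSMSSite)(mSSMSSiteCode=$SiteCode))"
$site = $searcher.FindOne()
if ($site) { Write-Host "Publish: site $SiteCode found at $($site.Path)" }
else       { Write-Host "Publish: site $SiteCode not published yet (check hman.log on the site server after adding the forest)" }
```

Run it once before adding the forest (steps 1 to 3 should pass) and again after the first publishing cycle (step 4 should then find the site object). If step 4 keeps failing while step 3 shows only inherited or group-based rights, the publishing account is the usual culprit.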

Configuration

Now let’s start with the real configuration! After the discoveries are in place, it is possible to configure the Client Push Installation for UNTRUSTED FOREST systems. The configuration of the Client Push Installation is actually the easiest part of this post. To configure Client Push Installation for UNTRUSTED FOREST systems follow the next steps:

  • Navigate to Administration > Overview > Site Configuration > Sites and select the site.
  • In the Home tab, click Settings > Client Installation Settings > Client Push Installation and the Client Push Installation Properties will show.
  • On the Accounts tab, click the New (yellow star) icon > New Account and the Windows User Account popup will show.
  • Fill in User name <DOMAINNAME>\<USERNAME> (an account from the UNTRUSTED FOREST that is a local administrator on the target systems) with the corresponding password in the appropriate fields and click OK.

Results

After the configuration is done it is time to take a look at the results. The best place to look at the results is still the ccm.log on the site server, but as I showed that last week already I will now show a snippet of the ccmsetup.log on the client. This log shows that the client successfully retrieves site information from the Active Directory of the UNTRUSTED FOREST during the installation, which is exactly what the publishing step was for. After the installation has completed successfully, the client shows up in the console as an active client with Domain <DOMAINNAME>.

Using Client Push Installation on WORKGROUP systems with ConfigMgr 2012

This week my post will be about using the Client Push Installation on WORKGROUP systems. We all know that a manual installation will work on WORKGROUP systems, but wouldn’t it be easier to just use the Client Push Installation? In my opinion the answer would be, YES! And as long as the WORKGROUP systems are configured the same, the configuration is actually quite easy.

Prerequisites

Before it is possible to use the Client Push Installation on WORKGROUP systems, there are a few things to keep in mind. The following points are a prerequisite and are not further explained in this post:

  • The FQDN of the Management Point system can be resolved on the WORKGROUP system.
  • The Network Discovery is enabled to find the WORKGROUP systems.
  • The Client Push Installation Account has administrative rights.

Configuration

Now let’s start with the configuration! It is possible to configure the Client Push Installation for WORKGROUP systems because a variable can be used in the accounts for a Client Push Installation, which makes it possible to configure local accounts as well. To configure Client Push Installation for WORKGROUP systems follow, at least, the following steps:

  • Navigate to Administration > Overview > Site Configuration > Sites and select the site.
  • In the Home tab, click Settings > Client Installation Settings > Client Push Installation and the Client Push Installation Properties will show.
  • On the Accounts tab, click the New (yellow star) icon > New Account and the Windows User Account popup will show.
  • Fill in User name %COMPUTERNAME%\<USERNAME> with the corresponding password in the appropriate fields and click OK. The site server expands %COMPUTERNAME% to the name of each target, so the local account <USERNAME> must exist with this same password on every WORKGROUP system.
  • On the Installation Properties tab, fill in as Installation Properties, at least, SMSSITECODE=XXX SMSMP=<FQDN_MP>, because a WORKGROUP system cannot look up the site and management point in Active Directory.
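The other half of this configuration lives on the WORKGROUP systems themselves: each one needs the identical local administrator account. As an added example (not from the original post), the script below prepares one WORKGROUP computer for the push. The account name cmpush is an assumption and must match the <USERNAME> part of the %COMPUTERNAME%\<USERNAME> entry above; the password has to be identical on every machine, because that entry carries exactly one password. It also sets LocalAccountTokenFilterPolicy, a well-known requirement on Windows Vista and later that the original post does not mention.

```powershell
# Added example, not from the original post: prepare a WORKGROUP computer for Client Push.
# Run it locally and elevated on every WORKGROUP computer. Account name is an assumption.
$UserName = 'cmpush'                                             # assumed; same on every machine
$Password = Read-Host -Prompt "Password for $env:COMPUTERNAME\$UserName"   # same on every machine

# Create (or reset) the local account via the WinNT ADSI provider, which also works on
# Windows XP/2003 and Windows PowerShell 2.0 (no LocalAccounts module needed).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$computer.psbase.Children.SchemaFilter.Add('user')
$exists = @($computer.psbase.Children | Where-Object { $_.psbase.Name -eq $UserName }).Count -gt 0
if ($exists) {
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
} else {
    $user = $computer.psbase.Children.Add($UserName, 'user')
}
$user.psbase.Invoke('SetPassword', $Password)
$user.psbase.InvokeSet('Description', 'ConfigMgr client push installation account (local)')
$user.psbase.CommitChanges()

# Password never expires (ADS_UF_DONT_EXPIRE_PASSWD = 0x10000): an expired password on one
# machine would silently break every later push to it.
$flags = [int]$user.psbase.InvokeGet('UserFlags')
$user.psbase.InvokeSet('UserFlags', ($flags -bor 0x10000))
$user.psbase.CommitChanges()

# Member of the local Administrators group (needed for ADMIN$ and to create the ccmsetup
# service). 'Administrators' is the English group name; it is localized on other languages.
$admins  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -notcontains $UserName) { $admins.psbase.Invoke('Add', $user.psbase.Path) }

# On Windows Vista / Server 2008 and later, UAC remote restrictions strip the administrator
# token from a non-built-in local account's network logon, so \\host\ADMIN$ is denied even
# with the right password. LocalAccountTokenFilterPolicy = 1 turns that filtering off
# (Microsoft KB 951016).
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $policy -Name 'LocalAccountTokenFilterPolicy' -Value 1 -PropertyType DWord -Force | Out-Null
```

Keep in mind what this creates: one local administrator password shared by every WORKGROUP system, which is a single credential for lateral movement between them. The installed client does not need this account afterwards, so disable or remove it (and the token filter policy) once the client is in place, or rotate the password everywhere together with the entry on the site server.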

Results

After the configuration is done it is time to take a look at the results. The best place to look at the results is the ccm.log on the site server, after a Client Push Installation on a WORKGROUP system is performed. This log shows that it first tried my domain credentials. After the domain credentials failed, it used the local credentials, configured via the COMPUTERNAME variable, as the second option. After the installation was successful the client shows up in the console as an active client with Domain WORKGROUP.
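Reading ccm.log by eye is fine for one machine; for a batch of pushes it helps to parse it. As an added example (not from the original post, and serving both this Results section and the one for UNTRUSTED FOREST systems above), the script below parses CMTrace-format lines and reports, per target, which accounts the site server tried, which one connected, and whether the ccmsetup service was started. The sample lines are constructed for illustration: the <![LOG[...]LOG]!><...> envelope is the real CMTrace format, but the machine names, accounts, timestamps and source file names are invented, so do not treat the message texts as exact matches for a real ccm.log.

```powershell
# Added example, not from the original post: parse CMTrace-format ccm.log lines and summarize
# each client push attempt. Sample lines below are constructed (names/timestamps invented).

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory=$true)][string]$Line)
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)" thread="(?<thread>\d+)"'
    if (-not ($Line -match $pattern)) { return }
    # time looks like 09:10:01.123+000 (or -060); the UTC offset suffix is dropped here
    $stamp = '{0} {1}' -f $matches['date'], ($matches['time'] -replace '[+-]\d+$', '')
    New-Object PSObject -Property @{
        Time      = [datetime]::ParseExact($stamp, 'MM-dd-yyyy HH:mm:ss.fff', [Globalization.CultureInfo]::InvariantCulture)
        Component = $matches['comp']
        Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$matches['type']]
        Thread    = [int]$matches['thread']
        Message   = $matches['msg']
    }
}

function Get-ClientPushSummary {
    # One CCR is processed per thread, so grouping by thread keeps interleaved targets apart.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $entries = $Lines | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-CMTraceLine $_ }
    foreach ($group in ($entries | Group-Object Thread)) {
        $machine = $null; $tried = @(); $connected = $null; $started = $false
        foreach ($e in ($group.Group | Sort-Object Time)) {
            if ($e.Message -match 'machine name: "([^"]+)"')                                             { $machine   = $matches[1] }
            if ($e.Message -match "^---> Attempting to connect .* using account '([^']+)'")             { $tried    += $matches[1] }
            if ($e.Message -match "^---> Connected to administrative share .* using account '([^']+)'") { $connected = $matches[1] }
            if ($e.Message -match '^---> Started service ccmsetup')                                      { $started   = $true }
        }
        New-Object PSObject -Property @{
            Machine = $machine; AccountsTried = ($tried -join ', '); ConnectedWith = $connected; CcmsetupStarted = $started
        }
    }
}

# Constructed sample: the domain account fails (0x52E = 1326, logon failure), the local one succeeds.
$sample = @'
<![LOG[======>Begin Processing request: "2097152001", machine name: "WG01"]LOG]!><time="09:10:01.123+000" date="04-16-2012" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="1" thread="4120" file="ccrprocessor.cpp:100">
<![LOG[---> Attempting to connect to administrative share '\\WG01\admin$' using account 'CORP\svc-cm-push']LOG]!><time="09:10:01.200+000" date="04-16-2012" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="1" thread="4120" file="ccrprocessor.cpp:200">
<![LOG[---> Failed to connect to \\WG01\admin$ using account 'CORP\svc-cm-push' (0000052e)]LOG]!><time="09:10:02.500+000" date="04-16-2012" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="2" thread="4120" file="ccrprocessor.cpp:210">
<![LOG[---> Attempting to connect to administrative share '\\WG01\admin$' using account 'WG01\cmpush']LOG]!><time="09:10:02.600+000" date="04-16-2012" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="1" thread="4120" file="ccrprocessor.cpp:200">
<![LOG[---> Connected to administrative share on machine WG01 using account 'WG01\cmpush']LOG]!><time="09:10:02.900+000" date="04-16-2012" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="1" thread="4120" file="ccrprocessor.cpp:220">
<![LOG[---> Started service ccmsetup on machine WG01.]LOG]!><time="09:10:05.000+000" date="04-16-2012" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="1" thread="4120" file="ccrprocessor.cpp:300">
'@

Get-ClientPushSummary -Lines ($sample -split "`r?`n") | Format-Table Machine, AccountsTried, ConnectedWith, CcmsetupStarted -AutoSize
# Against a real log on the site server:
# Get-ClientPushSummary -Lines (Get-Content 'D:\SCCM\Logs\ccm.log')   # path is an assumption
```

On the sample, the summary shows WG01 with two accounts tried, a connection with WG01\cmpush and the service started. Adapt the message patterns in Get-ClientPushSummary to the wording of your own ccm.log; the CMTrace envelope parser itself is generic and works for any ConfigMgr log.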

ConfigMgr 2007, Client Push Installation – The server-side story

Sometimes it’s good to freshen up some “hidden” knowledge. It’s somewhere in your head, but it just needs to be refreshed. One of those things is the Client Push Installation. In this post I will try to tell the story of the server side.

Prerequisites for Client Push Installation

To be able to do a successful Client Push Installation, the following prerequisites need to be met:

  • There must be a Client Push Installation account defined in the Accounts tab of the Client Push Installation Properties.
  • The Client Push Installation account must be a member of the local Administrators group on the targeted computer.
  • The targeted computer must have been discovered by a ConfigMgr discovery method.
  • The targeted computer must have an ADMIN$ share.
  • The targeted computer must be able to contact a management point in order to download supporting files. See my previous post about the ports used by a Client Push Installation for more information.

Install the ConfigMgr Client using Client Push Installation

There are two methods of installing a ConfigMgr Client using Client Push Installation, and I will describe them both here: automatic and manual installation.

Method 1: Automatic Client Push Installation

  1. Open the Configuration Manager Console and browse to System Center Configuration Manager > Site Database > Site Management > <YourSiteName> > Site Settings > Client Installation Methods.
  2. Select Client Push Installation and click Properties in the Actions pane to open the Client Push Installation Properties.
  3. On the General tab select Enable Client Push Installation to Assigned Resources.
  4. (Prerequisite) On the Accounts tab specify an account to use when connecting to the targeted computer to install the client software.
  5. (Optional) On the Client tab specify any additional installation properties and click OK.

Important (!): The installation properties specified on the Client tab must be valid client.msi properties. They are also published to Active Directory if the schema is extended, and are then used by client installations where ccmsetup is run without installation properties on the command line.

Method 2: Manual Client Push Installation

  1. (Prerequisite) On the Accounts tab (of the Client Push Installation Properties) specify an account to use when connecting to the targeted computer to install the client software.
  2. (Optional) On the Client tab (of the Client Push Installation Properties) specify any additional installation properties.
  3. Navigate to System Center Configuration Manager > Site Database > Computer Management > Collections.
  4. Select the collection, or a computer in a collection, you want to push the client to. Right-click the computer or collection and select Install Client to launch the Client Push Installation wizard, then click Next.
  5. On the Installation options page, specify the client installation options that should be used and click Next.
  6. Review the installation settings and click Finish to close the wizard.

The Client Push Installation server-side –process

  • After a Client Push Installation is initiated, a Client Configuration Request (CCR) record is created for each targeted computer. These records are created in <InstallationDirectory>\inboxes\ccr.box.
  • As soon as a CCR record gets processed it is moved to <InstallationDirectory>\inboxes\ccr.box\inproc.
  • Based on the information in the CCR record, a connection is made to the ADMIN$ share on the targeted computer.
  • After the connection to ADMIN$ succeeds, a connection to the remote registry of the targeted computer (over IPC$) is made to gather information.
  • Now the file copying starts. MobileClient.tcf (from <InstallationDirectory>\bin\I386), ccmsetup.exe and any needed updates (from <InstallationDirectory>\Client) are copied to ADMIN$\ccmsetup on the targeted computer.
  • The last thing that happens on the server side is the verification whether the ccmsetup service started successfully. When the ccmsetup service starts successfully, the CCR record is deleted; when the ccmsetup service is not created or started successfully, the CCR record is moved to <InstallationDirectory>\inboxes\ccrretry.box. Standard behavior is that those records are evaluated (retried) every hour.

Extra: If an installation fails and you want to prevent it from being retried every hour, just delete the corresponding CCR record from ccrretry.box.
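Because the inboxes above are plain folders with plain-text CCR files, the retry queue can be inspected and pruned from PowerShell. As an added example (not from the original post), the script below lists the records in ccr.box, ccr.box\inproc and ccrretry.box with their age, and removes the retry record(s) for one target by searching the file content for its name. The installation directory is an assumption; the removal supports -WhatIf so you can see what would be deleted first.

```powershell
# Added example, not from the original post: inspect the CCR inboxes and drop one retry record.
# Run on the site server. $InstallDir is an assumption (the default installation path).

function Get-CcrRecord {
    param([string]$InstallDir = 'C:\Program Files\Microsoft Configuration Manager')
    foreach ($box in 'inboxes\ccr.box', 'inboxes\ccr.box\inproc', 'inboxes\ccrretry.box') {
        $path = Join-Path $InstallDir $box
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path -Filter '*.ccr' | ForEach-Object {
            New-Object PSObject -Property @{
                Box     = $box
                File    = $_.Name
                Written = $_.LastWriteTime
                AgeHrs  = [math]::Round(((Get-Date) - $_.LastWriteTime).TotalHours, 1)
                Path    = $_.FullName
            }
        }
    }
}

function Remove-CcrRetryRecord {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Machine,
        [string]$InstallDir = 'C:\Program Files\Microsoft Configuration Manager'
    )
    $retry = Join-Path $InstallDir 'inboxes\ccrretry.box'
    # CCR records are text files that contain the target's name; match on a whole word so
    # that 'WG01' does not also hit 'WG010'.
    $hits = @(Get-ChildItem -Path $retry -Filter '*.ccr' | Where-Object {
        Select-String -Path $_.FullName -Pattern "\b$([regex]::Escape($Machine))\b" -Quiet
    })
    if ($hits.Count -eq 0) { Write-Warning "No retry record for $Machine in $retry"; return }
    foreach ($file in $hits) {
        if ($PSCmdlet.ShouldProcess($file.FullName, "Delete CCR retry record for $Machine")) {
            Remove-Item -Path $file.FullName
        }
    }
}

Get-CcrRecord | Sort-Object Box, Written | Format-Table Box, File, Written, AgeHrs -AutoSize
Remove-CcrRetryRecord -Machine 'WG01' -WhatIf     # drop -WhatIf to really delete; name is an assumption
```

A record that sits in ccr.box\inproc for much longer than a normal push takes usually means the processing thread is stuck on that target; a record that keeps returning to ccrretry.box every hour is the one the Extra above tells you to delete.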

ConfigMgr 2007, Client Push Installation and (a) Firewall(s)

One of the most common problems with Client Push Installation is the firewall, whether the Windows Firewall on the target or a network firewall in between. As I had some questions about this (again) lately, I will list here all the open ports and firewall exceptions needed for a Client Push Installation.

Exceptions for the Windows Firewall

To be able to do a Client Push Installation you need the following exceptions in the Windows Firewall:

  • File and Printer Sharing
  • Windows Management Instrumentation (WMI)
  • TCP Port 80 (for HTTP from the client computer to a MP (Mixed Mode))
  • TCP Port 443 (for HTTPS from the client computer to a MP (Native Mode))

Specific ports for other Firewalls

To be able to do a Client Push Installation you need to open the following ports in the Firewall:

Description                                                           UDP    TCP
SMB between the Site Server and the client computer.                  -      445
RPC endpoint mapper between the Site Server and the client computer.  135    135
RPC dynamic ports between the Site Server and the client computer.    -      Dynamic*
HTTP from the client computer to a MP (Mixed Mode).                   -      80
HTTPS from the client computer to a MP (Native Mode).                 -      443

*The dynamic RPC port range is 1025-5000 up to and including Windows XP and Windows Server 2003 (R2), and 49152-65535 from Windows Vista and Windows Server 2008 onwards.
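As an added example (not from the original post), the script below turns the two lists above into something you can run. Enable-ClientPushFirewallException runs on the target computer (elevated) and enables the two Windows Firewall rule groups, using the English display group names netsh expects on Windows Vista / Server 2008 and later. Test-ClientPushPort runs on the site server and probes the TCP ports from the table against a target and the management point; the computer names are assumptions. UDP 135 and the dynamic RPC ports cannot be verified with a plain TCP connect, so they are not covered.

```powershell
# Added example, not from the original post. Computer names are assumptions.

function Enable-ClientPushFirewallException {
    # Run elevated ON THE TARGET. netsh exits non-zero when a group name does not exist,
    # which is what happens on a non-English Windows where the display names are localized.
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Rule group 'File and Printer Sharing' not found (localized name?)" }
    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=Yes | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Rule group 'Windows Management Instrumentation (WMI)' not found (localized name?)" }
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain .NET connect with a timeout, so it also works on Windows PowerShell 2.0
    # where Test-NetConnection does not exist.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ClientPushPort {
    param(
        [Parameter(Mandatory=$true)][string]$Target,            # computer to push to
        [Parameter(Mandatory=$true)][string]$ManagementPoint,   # FQDN of the MP
        [switch]$NativeMode                                      # HTTPS (443) instead of HTTP (80)
    )
    $checks = @(
        @{ Host = $Target; Port = 445; Purpose = 'SMB (ADMIN$ / IPC$), site server -> client' },
        @{ Host = $Target; Port = 135; Purpose = 'RPC endpoint mapper, site server -> client' }
    )
    if ($NativeMode) { $checks += @{ Host = $ManagementPoint; Port = 443; Purpose = 'HTTPS, client -> MP (Native Mode)' } }
    else             { $checks += @{ Host = $ManagementPoint; Port = 80;  Purpose = 'HTTP, client -> MP (Mixed Mode)' } }
    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            Host    = $c.Host
            Port    = $c.Port
            Purpose = $c.Purpose
            Open    = Test-TcpPort -ComputerName $c.Host -Port $c.Port
        }
    }
}

# On the site server (names are assumptions):
Test-ClientPushPort -Target 'WG01' -ManagementPoint 'cm01.corp.example' | Format-Table Host, Port, Open, Purpose -AutoSize
# On the target, elevated:
# Enable-ClientPushFirewallException
```

Two caveats on the port check: the MP probe from the site server only proves the MP is listening, not that the client's network can reach it, so repeat that one probe from the client when in doubt; and a closed 135 with an open 445 typically points at the RPC endpoint mapper or the dynamic range being blocked on a network firewall, which the table's footnote is about.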

More information about the Windows Firewall Settings for ConfigMgr Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx
More information about the Ports used during ConfigMgr Client Deployment:
http://technet.microsoft.com/en-us/library/ff189805.aspx
More information about the Dynamic Port Ranges:
http://support.microsoft.com/kb/929851/nl