Deployment Pre-Reqs

Upload by : Luis Waller

DEPLOYMENT PRE-REQS
Checklist and Details

CONTENTS
Document Control
1 Checklist
2 Consolidated Prerequisites
2.1 Software
2.2 Active Directory
2.3 Servers
2.4 Anti-Virus Exclusions for Servers
2.5 Firewall Port Requirements
2.6 General Server and Client Internet access requirements

PowerON Kamino Customer
Checklist and Details

Document Control

Version 11/2019

Change By / Comments
- Steve Beaumont: Initial Release
- Peter Egerton: Update
- Jennie Price: QA and release

Issue (Name / Job Title / Role)
- Steve Beaumont / Chief Technology Officer / Author
- Peter Egerton / Principal Consultant / Reviewer / Approver

Related Documents (Document Name / Comments)
- ConfigMgr Design

Team Involvement (Name / Company / Job Title)
- Steve Beaumont / PowerON / Chief Technology Officer
- Peter Egerton / PowerON / Principal Consultant

Deployment Pre-Reqs Publish Date – 07/11/2019 Confidential – PowerON Platforms UK, Ltd

1 Checklist

Prerequisite / Completion Status
- Infrastructure: Setup required servers (Server 2016 only)
- Infrastructure: Servers Fully Patched with Microsoft Updates
- Infrastructure: Servers have Azure Resource Manager PowerShell Module
- Infrastructure: ConfigMgr PS Servers Security Group is a local admin of all servers in scope
- Software: Kamino: Run Setup Nodes PowerShell on all ConfigMgr Servers
- Software: PowerON Kamino Installer executed on the Primary Site
- Active Directory: User Accounts Created
- Active Directory: Group Accounts Created
- Active Directory: Schema Extended
- Networking: Anti-Virus Exclusions
- Networking: Firewall/Proxy Exclusions

2 Consolidated Prerequisites

2.1 Software

Important information

The PowerON FastTrack installation uses Windows Server Standard 2016, with all current Windows Updates applied, for all servers in this design, along with the following:
- Servers need the Microsoft Azure Resource Manager PowerShell Module (from an elevated PowerShell run: Install-Module AzureRM).
- PowerShell remoting enabled and firewall exception in place. From PowerShell run: Enable-PSRemoting -Force
- ConfigMgr Server security group must be added as an administrator to both servers.
- Servers should be given a final reboot prior to install starting to ensure pending file/reboot operations are cleared.

PowerON utilise an automated deployment platform based on Azure Desired State Configuration (DSC) to deploy Configuration Manager. This requires our installer to be installed on the servers to pull the required media from Azure and perform the installation.

A “Setup Nodes” PowerShell script must be executed on the 2 main primary servers in your main datacentre.
The script can be downloaded and assessed /ftkaminoinstaller/Setup-Nodes.ps1

2.2 Active Directory

2.2.1 Schema Change

Extend the AD Schema guide:

Accounts

For normal operation of ConfigMgr, several Active Directory accounts are required. It is your organisation's responsibility to create the User Accounts and Groups.

The following table shows the accounts that are required for the deployment, their purpose and the recommended permissions. The table's Account Names column shows example names for the user accounts and security groups. It is up to your organisation if you want to change the Account Names. The Account Names and Passwords must be populated in the Kamino Portal under the section System Credentials.

These Accounts require creating before the Deployment:

Note: Please do not put any of the following symbols within the passwords generated for use during deployment: ,

Account: Domain\CMAdmin
Purpose: ConfigMgr Installation Account
Permissions:
- Local Admin rights to ConfigMgr Servers
- Can be disabled after installation but recommended to retain as heavily integrated into security model during installation.

Account: Domain\SVC CM ADDisc
Purpose: ConfigMgr Active Directory Forest Discovery Account. An AD Discovery account will be required for each untrusted domain to be managed to access resources.
Permissions:
- Read permissions to AD Forest/Domain
- Write Permissions to the System Management container
- Permissions to publish DNS records
- Do not grant this account the right to join computers to the domain

Account: Domain\SVC CM NA
Purpose: ConfigMgr Network Access Account
Permissions:
- Requires "Access this computer from the network" right on the Distribution Points.
- Minimum rights to access content on the Distribution Points.
- Do not grant this account the right to join computers to the domain
- Do not grant the account interactive logon rights.

Account: Domain\SVC CM DJ
Purpose: Domain Joining Account used within task sequences to join the OS to the domain.
Permissions:
- Use Delegate Control in AD:
  Computer Objects: Reset Password; Validated write to DNS host name; Validated write to service principal name; Read/Write Account Restrictions
  This object and all descendant objects: Create/Delete Computer Objects
- Do not grant the account interactive logon rights.

Account: Domain\SVC CM CP
Purpose: ConfigMgr Client Push Account
Permissions:
- Must be local admin on the target devices you push clients to.
- N.B. A client push account will be required for each domain to be managed to access resources

Account: Domain\SVC CM RRA
Purpose: ConfigMgr Reporting Service Point Account
Permissions:
- Account is granted rights if chosen as a new account during Reporting Point creation from the console.

Account: Domain\SVC CM CAP
Purpose: OS Deployment Image Capture Account
Permissions:
- Read and Write permissions to the network share specified to store the image capture

Account: Domain\SVC CM SQLSvr
Purpose: SQL Server Service Account
Permissions:
- Required to register the Service Principal Name (SPN)
- Permission to log on as a service.
- Sysadmin right on SQL database
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
- Permission to start SQL Writer
- Permission to read the Event Log service
- Permission to read the Remote Procedure Call service

Account: Domain\SVC CM SQLAgt
Purpose: SQL Agent Service Account
Permissions:
- Permission to log on as a service
- Sysadmin right on SQL database
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process

Account: Domain\SVC CM SQLRS
Purpose: SQL Reporting Service Account
Permissions:
- Permission to log on as a service.

2.2.3 Groups

Group / Purpose
- Domain\CM.Remote.Tools: Group containing rights to use the remote tools function
- Domain\CM.Admins: Group containing all ConfigMgr Administrators (PowerON Tier 2 accounts)
- Domain\CM.PSServers: Group containing all ConfigMgr Site Servers to grant security rights to the System Management Container
- Domain\CM.DPServers: Group containing all ConfigMgr Distribution Point Servers
- Domain\CM.SUPServers: Group containing all ConfigMgr WSUS Servers
- Domain\CM.SQL.Admins: Group containing Admin accounts that require SQL Administrative permissions to the ConfigMgr SQL instance.

2.3 Servers

ConfigMgr Servers

         Primary Site Server   WSUS & DP
RAM      32 GB                 16 GB
CPU      8                     4
HDD 1    127 GB                127 GB
HDD 2    50 GB                 1 TB
HDD 3    600 GB
HDD 4    85 GB
HDD 5    22 GB
HDD 6    17 GB

Important information

HDD 4, 5 & 6 on Server 1 are SQL disks and must be formatted with 64k block allocation size.

SQL Disk Sizes:
To calculate the SQL disk sizes required for the ConfigMgr deployment more accurately, please use the following gMgrDatabase-sizing.xlsx
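The server prerequisites from sections 2.1 and 2.3 can be verified before the installer is run. The following read-only PowerShell check is an added example, not part of the PowerON document or its Setup-Nodes script; the domain prefix in the group name and the SQL drive letters are assumptions to adjust for your environment.

```powershell
# Added example: read-only pre-flight check for the server prerequisites listed above.
param(
    [string]  $AdminGroup = 'DOMAIN\CM.PSServers',  # placeholder domain; group name from section 2.2.3
    [string[]]$SqlDrives  = @('F:', 'G:', 'H:')     # assumed letters for HDD 4, 5 and 6 (pass @() on the WSUS & DP server)
)

function Test-PendingReboot {
    # Well-known Windows markers for a pending reboot or pending file rename.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if ($keys | Where-Object { Test-Path $_ }) { return $true }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
            -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return [bool]$sm.PendingFileRenameOperations
}

$os = Get-CimInstance Win32_OperatingSystem
$results = [ordered]@{
    'OS is Server 2016 or 2012 R2' = $os.Caption -match 'Server (2016|2012 R2)'
    'WMF 5.1 or later'             = $PSVersionTable.PSVersion -ge [version]'5.1'
    'AzureRM module installed'     = [bool](Get-Module -ListAvailable -Name AzureRM)
    # Test-WSMan only confirms that the local WinRM listener answers.
    'WinRM (PS remoting) answers'  = [bool](Test-WSMan -ErrorAction SilentlyContinue)
    # S-1-5-32-544 is the built-in Administrators group, whatever its localised name.
    "$AdminGroup is local admin"   = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
                                            Where-Object Name -eq $AdminGroup)
    'No pending reboot'            = -not (Test-PendingReboot)
}

# The two mandatory KBs apply to Server 2012 R2 only.
if ($os.Caption -match '2012 R2') {
    foreach ($kb in 'KB2919355', 'KB2919442') {
        $results["$kb installed"] = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }
}

# SQL disks must use a 64k (65536-byte) allocation unit size.
foreach ($drive in $SqlDrives) {
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$drive'"
    $results["$drive uses 64k allocation units"] = ($vol.BlockSize -eq 65536)
}

$results.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } } |
    Format-Table -AutoSize
```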

2.3.1 Server Requirements

The servers used for the Configuration Manager Kamino Deployment require the following:
- Windows Server 2012 R2 or 2016 (preferred) as the Operating System
- If using 2012 R2, the servers need patching with the latest Microsoft Security Updates. Patches KB2919355 and KB2919442 are mandatory installs. KB2919442 may not present itself as available; please check manually. After the mandatory KBs are installed you will need to scan again for updates.
- Windows Management Framework (WMF) 5.1
- Servers need the Microsoft Azure Resource Manager PowerShell Module (after WMF 5 is installed, from PowerShell run: Install-Module AzureRM)
- PowerShell remoting enabled and firewall exception. From PowerShell run: Enable-PSRemoting -Force
- ConfigMgr Server security group added as an administrator to both servers.

2.3.2 Server Node Setup

A setup script must be run on all of the Server Nodes in scope, for example the ConfigMgr Primary site and the WUD Server.
Use the following link to download the setup nodes PowerShell et/ftkaminoinstaller/Setup-Nodes.ps1
Note: This should be run on each server from an elevated (Administrator) PowerShell console.

2.3.3 Kamino Installer

To enable PowerON to automate the deployment of ConfigMgr core infrastructure we need to be able to manage your Configuration Manager Primary site. Your organisation will receive a link to the PowerON Kamino installer via your Account Manager or Engagement Manager.
The Kamino installer must run on the Microsoft Configuration Primary Site.

2.4 Anti-Virus Exclusions for Servers

2.4.1 Primary Site Servers

Location / File(s)
- driveletter:\Program Files\Configuration Manager\
  Install.map
- driveletter:\Program Files\Configuration Manager\Inboxes
  *.adc, *.box, *.ccr, *.cfg, *.cmn, *.ct0, *.ct1, *.ct2, *.dat, *.dc, *.ddr, *.i*, *.ins, *.ist, *.job, *.lkp, *.lo_, *.log, *.mif, *.mof, *.nal, *.ncf, *.nhm, *.ofn, *.ofr, *.p*, *.pcf, *.pck, *.pdf, *.pkg, *.pkn, *.rpl, *.rpt, *.sca, *.scd, *.scu, *.sha, *.sic, *.sid, *.srq, *.srs, *.ssu, *.svf, *.tmp, *.udc
- driveletter:\Program Files\Configuration Manager\\Logs
  *.log
- driveletter:\Program Files\SMS_CCM\ServiceData
  *.msg, *.que, *.xml
- driveletter:\Program Files\SMS_CCM\Logs
  *.log
- SQL Data Directory
  *.mdf
- SQL Log Directory
  *.ldf

2.5 Firewall Port Requirements

2.5.1 Kamino Ports

The following URLs must be whitelisted for proper Kamino communication during installation. 443 outbound only.

Description: .net
TCP: 443, 443, 443, 443
Bypass HTTPS inspection: Yes, Yes, Yes, Yes

TABLE 1 – FIREWALL PORTS – KAMINO COMMUNICATION

Important Information Follows

If using a firewall solution which does not support DNS entries, here is a list for Microsoft’s d/details.aspx?id 41653

The regions which the Kamino service utilises are:
- US East
- US East 2
- UK West

These addresses are only required during installation and can be closed after.

2.5.2 ConfigMgr Ports

Servers/Roles referenced below are the two new servers to be created:

Source / Destination values, in page order:
Server 1, Internet, All Workstations, All Workstations, All Workstations, PowerON Jumpbox, Closest Distribution point or fallback DP, Closest Distribution point or fallback DP, Server 2, Server 1, Server 1, All Distribution Points, Server 1, Server 2, Internet, All Workstations, Server 2, Server 1, All Workstations, Server 1, Azure CMG, Server 1, Azure CMG, All Workstations, Azure CMG, All Workstations

Description:
- Asset Intelligence Sync Point to Internet
- Client to Distribution Point
- Client to Distribution Point for PXE
- Client to Fall-back Status Point
- Client to Management Point
- ConfigMgr Admin Console to Site Server
- MP, DP & FSP to Site Server
- Software Update Point to Internet
- Client to the Software Update Point
- Management Point to Client
- CMG Deployment & Fallback protocol to build CMG channel to only one VM instance
- Preferred protocol to build CMG channel and use multiple VM Instances
- Only needed when outside of the network or on a specific LAN segment which is designated to use the CMG

UDP / TCP values, in page order:
-- 443 -- 80 & 443
67, 68, 69 & 4011 -- 135 ----
-- 135 & RPC Dynamic & 44580 -- 8530 135 135,445,RPC Dynamic, 10123, 80, 443 443
8080 & 443 135 & RPC Dynamic 10140-10155 443

2.6 General Server and Client Internet access requirements

2.6.1 Server
com/fwlink/?LinkID
oft.com
config.office.com

2.6.2 Server
icrosoft.com

2.6.3 PowerON
bing.com

2.6.4 All Workstations
The list is too long for this document, please review this documentation from Microsoft.
damentals/intune-endpoints
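Sections 2.1 and 2.3.2 ask for Setup-Nodes.ps1 to be downloaded, assessed and then run from an elevated console. The following added example (not PowerON's code) supports that assessment by hashing the file, checking its Authenticode signature and listing the commands it would invoke, without executing it; the expected hash is a placeholder to be obtained from the vendor, and the set of commands flagged for review is an illustrative choice.

```powershell
# Added example: static review of a downloaded Setup-Nodes.ps1 before it is run elevated.
param(
    [string]$Path           = '.\Setup-Nodes.ps1',
    [string]$ExpectedSha256 = '<SHA-256 supplied by the vendor>'   # placeholder, not from the document
)

$fullPath = (Resolve-Path $Path).Path
$hash     = (Get-FileHash -Path $fullPath -Algorithm SHA256).Hash
$sig      = Get-AuthenticodeSignature -FilePath $fullPath

# Parse the script into an AST. Nothing in the file is executed.
$tokens = $null
$errors = $null
$ast = [System.Management.Automation.Language.Parser]::ParseFile($fullPath, [ref]$tokens, [ref]$errors)

# Every distinct command name the script calls, including inside nested script blocks.
$commands = $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true) |
    ForEach-Object { $_.GetCommandName() } |
    Where-Object { $_ } |
    Sort-Object -Unique

# Illustrative list of commands worth reading in context: dynamic execution, downloads,
# process launch, and changes to local admins, firewall rules, execution policy or tasks.
$reviewPattern = '^(Invoke-Expression|iex|Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|' +
                 'Start-Process|Add-LocalGroupMember|New-LocalUser|Set-ExecutionPolicy|' +
                 'New-NetFirewallRule|Register-ScheduledTask)$'
$review = $commands | Where-Object { $_ -match $reviewPattern }

[pscustomobject]@{
    Sha256           = $hash
    HashMatches      = ($hash -eq $ExpectedSha256)
    SignatureStatus  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
    Signer           = $sig.SignerCertificate.Subject
    ParseErrors      = $errors.Count
    AllCommands      = $commands -join ', '
    CommandsToReview = $review -join ', '
} | Format-List
```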
