Join David M. Franklyn for an in-depth discussion in this video Performing post-setup configuration tasks, part of Microsoft System Center Configuration Manager Essential Training.
- [Instructor] So now we've installed the actual site, the primary site, known as North American Primary, on the computer NorthAm-CFG2, we're going to go ahead and do our post-setup configuration tasks. We'll start off by going to the Start menu and bringing up the console for the first time. So as you see, under recently added we have the Configuration Manager Console, so let's click on that to bring it up. We will get a message that tells us that we can't check for updates because we don't have a service connection point role, and we did that for the express purpose of having that later on, on our Central Administration site.
So that's fine we'll just say okay to that. And now we are just going to go to one other thing, and this is just a tip for you, you might want to, in the taskbar, right-click the Configuration Manager Console and pin it to taskbar. Then later on, you can always bring it up from there and it makes it easier. Since you are going to be administering the entire site, from this computer, this is the tool you'll most often go to on this computer. So, let's start off and talk about the configuration manager console.
We have this area down in the lower right, which is known as the workspace area. Configuration Manager has four distinct workspaces. When we select any of these, we will see in the console tree a number of different items that are part of that workspace. So if you will, if I go to the Administration workspace and click that, you will see a whole new list of items and folders in the console tree for Administration.
And we want to start off there, by going to our Site Configuration item, and expanding that, and then going into Servers and Site System Roles. So now when we're in, we've selected Servers and Site System Roles, we see our site. So we see the name of our site, its UNC, universal naming convention name, //NorthAm-CFG2.Dave.NCT.com, or its fully qualified domain name.
We see the site code, and we see the number of roles that are installed in the system. When we look at the lower details pane, we see the Site System Roles themselves, and that would be the six roles that we have up there. Another way to see it is to right-click that server, and go to properties, and then we have it right in front in the general page and properties. In this case, that's all we're going to check here for now, the roles that we have, and now we're going to go to the Monitoring workspace.
So we can see in the Monitoring workspace the various items that we have in the console tree. We have Alerts, Queries, Reporting, all the information you need to find out what's going on with your entire site, with the different site roles you have with even clients and other things, operating system deployments, the status of the various roles and components that we have. It's just a treasure of information for us. In this case, we're going to expand the System Status. And the first item we have here is Site Status, so let's go ahead and select that, and what this has is the different site system roles, and their status and we can see in our case all of them are OK.
They're looking good, there's no particular issues. If we go up, if we select one of them, say the Distribution point for example, and go to Show Messages in the ribbon, and then select All, we get a Set Viewing Period window that will always show here. In this case we can actually go in and look at a small slice of time, the status that this particular component has, in this case the Distribution point role, in a small slice of time which we can specify, or we can just look at the past day.
Since we just installed this, there's not going to be much in there and the past day is appropriate. So click OK to that and then it comes up with all the different messages. Now, as you see, while the status was OK, there are a couple of messages we're getting here that are red, or red arrows. And one of them is it says it detected that the firewall ports, for port 1433 and 4022 are not active as a firewall exception and this is, both of them, are actually pointing that out to us.
So the one at the top, or the last ones. So we can rectify that right now. So let's go down to our Start menu, and in the search box let's type in wf.msc and that will bring up the Windows Firewall Console. And in the Windows Firewall Console, we want to go ahead and add both inbound and outbound rules for those two ports. So if I go to inbound rules, it lists all the inbound rules that are available by default, whether they are turned on and green, that is enabled.
And if we look at the Enabled column, you will see those that are enabled show a green check on the left-hand side, those that are not enabled simply show no check. In our case, we don't particularly have one for these ports that already exists, so we're going to go ahead and create one. So, here in the Actions menu, I can click the New Rule button, or New Rule link, and this brings up the New Inbound Rule Wizard. So as we mentioned before, and the error showed, it was Port 1433 and 4022 that it reported as an error to us, which we need to rectify.
So I'm going to select a Port Rule and then click Next. And the Specific port, the first case is going to be 1433, and I could do them together here but I'm not, I'm going to do them just separately so we can define them succinctly by a title for what they're actually doing for us. So in this case, with 1433 typed in, I'll click Next, and we're allowing the connection, so I'll click Next. We're going to apply to all of the profiles, Domain, Private, and Public, however, using the Configuration Manager prescribes that we're in a domain.
If we have any activity that takes place out of the domain, the firewall rule will simply still apply. Even though we're not necessarily going to have clients that are not in the domain until we do the mobile device management. So I'll click Next on this page, and I'm going to give this a name, and I'm going to call it the SQL Server Allow Port 1433 Inbound Rule. And that name is very distinct and it lets us know right off the bat when we read it what it's for, what it's doing.
So click Finish on that, and now we see the rule at the top and it's enabled. So let's make one more here for the 4022 port. And the 4022 port allows the SQL server broker to connect to other SQL servers especially when you have multiple sites, or a central administration site, or secondary sites underneath a primary site, then you want the databases to be able to talk to each other and they do that through the SQL broker service.
So we'll once more, in the New Inbound Rule Wizard, click Port and then Next. The port in this case is going to be 4022, click Next, we're going to Allow the connection, click Next, we're going to apply it to all profiles, click Next, and we're going to name this, the SQL Broker Service Allow Port 4022 Inbound Rule.
Now we need to do the same thing for our Outbound rules. So I've clicked on the Outbound Rules in the console tree, and now in the actions area I'm going to click New Rule, which brings up the New Outbound Rule Wizard. It is a Port, so I'm going to select that radio button and then click Next. In the specific port I'm going to put 1433 and now click next. Now note something interesting on the Outbound Rule Wizard.
The Outbound Rule Wizard, by default, blocks connections. So these are things coming out of this computer rather than coming in. But in our case we want to allow this, so we need to change that here to Allow, and then click Next. It is going to apply to all three profiles, and the name is going to be, very similar, SQL Server Allow Port 1433 Outbound Rule. That's the only difference, this is an outbound rule.
And then Finish. And now we're going to do the same thing for the 4022 port, so it is a Port rule, we select that first, then Next. The port is 4022, and then click Next, and once again it defaults to a block, but we need to change that to an Allow, and Next. All three profiles, and Next, and the name is going to be SQL Broker Service Allow Port 4022 Outbound Rule, and then say Finish to that.
Now, we can close the Firewall because we're done here, and go back to where we were in the Status Messages and see that we're still sitting on those same errors because they were a few minutes ago. But what we want to do at this time is let's close it and refresh it, and go back in and take another look. And they're both a distribution point so I'm going to show the messages for both of these, the same time period. Okay so it hasn't really refreshed here yet but it does sometimes take some time.
By the way I should show this since it just appeared, when you mouse over one of the various items that you have here, it will populate a pop-up menu with all kinds of possible causes and solutions. By all means, read these carefully. Very often in the past I've had issues and the information that I needed to do to fix it was right here in the message. So right here in the pop-up message it gave me a very good clue on what was wrong and things can go wrong here, and also, even if it didn't, when I put in the information in, for example, the Bing search engine, spelled out exactly the same way, then it was also able to take me to pages that showed me what further steps I could do to rectify the problem, so it's very useful information.
But because we're on a limited time factor, these things should refresh themselves after a period of time. But in this case we're just going to have to wait for that to happen. I'm going to close, then, the Status Message Viewer here and go now to the next area which is the Component Status in the console tree. And we'll click on that, and we see we do have a critical error here for the component called SMS Hierarchy Manager. And if you had noticed this before, and if I didn't point it out, the issue we were having with the Firewall rules not in place, were coming from this component, SMS Hierarchy Manager, so let's go ahead and look at what specific message is here.
So we'll click Show Messages, and then All. And then the same Status Time Period. And we see the issue right here, and we can see it's the exact same message ID, 1353, that it detected that the ports are not active as a firewall exception, but now look. It tells me the server ports detected that configuration manager SQL server ports on NorthAm-CFG2.DaveMCT.com are still active on Firewall exception.
And it shows that as a blue information i. So it's recognizing now that the issue has been repaired, the 3351 message, and by and by, we can then proceed on. So what I'm going to do now is go ahead and close this Message Viewer, and I'm going to refresh, and I'm also going to do a Restart Counts here for all. And what will eventually happen is the red X will go away, try one more refresh here.
Sometimes you might have to close the console and open it up again, so let's try that. And again, in a normal environment you wouldn't necessarily be expecting things to immediately show as in a correct status after you fix them. In our case, since we're doing a course, we want to see it as soon as possible. So let's go ahead now and open the console again. Say OK to this message, and again we're going to the Monitoring workspace, and to Site Status, and then to Component Status, and look, and let's put these in alphabetical order.
The SMS Hierarchy Manager, right here, you can see we no longer have the red X 'cause it cleared. Another issue we have right here is a warning on the SMS Database Notification, so let's go ahead and take a look at what's going on here by showing again all the messages and finding what the warning was. Okay, so it tells us the Delete Aged Console Connection Data is configured to run today, but it could not run within the scheduled time, and in this case we just installed, we just installed Configuration Manager.
So some of the things that were set to run, it just missed. We need to monitor this, if tomorrow, 'cause it runs once a day, or in many cases things run once a week, but we need to monitor the next time and ensure that we don't get the same error again. If we get the same error again, then we need to go in and find out why it didn't run. But to have these types of issues right in the beginning of an installation is quite normal, so this we can ignore at this point in time. The important thing to note is we fixed the error, the one error we were having for our site roles, more specifically from Site Status, which was the Hierarchy Manager and the Windows Firewall Ports.
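The four wizard-created rules from the walkthrough, expressed as a repeatable script. This is an added example, not part of the video or the course materials. It assumes TCP (the wizard's default protocol, which the transcript does not state), local ports for the inbound rules and remote ports for the outbound rules, and an elevated PowerShell session on the site server.

```powershell
#Requires -RunAsAdministrator
# Added example: recreate the four port rules from the walkthrough, idempotently.
# Rule names are the ones given in the transcript; TCP is an assumption.

$rules = @(
    @{ Name = 'SQL Server Allow Port 1433 Inbound Rule';          Direction = 'Inbound';  Port = 1433 }
    @{ Name = 'SQL Broker Service Allow Port 4022 Inbound Rule';  Direction = 'Inbound';  Port = 4022 }
    @{ Name = 'SQL Server Allow Port 1433 Outbound Rule';         Direction = 'Outbound'; Port = 1433 }
    @{ Name = 'SQL Broker Service Allow Port 4022 Outbound Rule'; Direction = 'Outbound'; Port = 4022 }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Already present: $($r.Name)"
        continue
    }

    $params = @{
        DisplayName = $r.Name
        Direction   = $r.Direction
        Protocol    = 'TCP'      # assumption: wizard default
        Action      = 'Allow'    # outbound wizard defaults to Block; set explicitly
        Profile     = 'Any'      # Domain, Private and Public, as in the walkthrough
        Enabled     = 'True'
    }
    # Inbound rules match the listening (local) port; outbound rules match the
    # destination (remote) port on the other SQL Server.
    if ($r.Direction -eq 'Inbound') { $params.LocalPort = $r.Port }
    else                            { $params.RemotePort = $r.Port }

    New-NetFirewallRule @params | Out-Null
    Write-Host "Created: $($r.Name)"
}

# Verify: list each rule with its port filter, action and state.
foreach ($r in $rules) {
    $rule   = Get-NetFirewallRule -DisplayName $r.Name
    $filter = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $rule.DisplayName
        Direction  = $rule.Direction
        Action     = $rule.Action
        Enabled    = $rule.Enabled
        LocalPort  = $filter.LocalPort
        RemotePort = $filter.RemotePort
    }
}
```

`Profile = 'Any'` mirrors the walkthrough; on a domain-joined site server, `-Profile Domain` limits the exceptions to the domain network profile.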
- Planning and deploying a standalone primary site
- Ensuring domain and site server prerequisites
- Planning and expanding a standalone primary site
- Planning and deploying a multiple-site hierarchy
- Planning resource discovery and client deployment
- Managing content and replicating data in Configuration Manager
- Configuring Internet and cloud-based client management
- Advanced monitoring
- Upgrading to Configuration Manager current branch