In the first part (part 1) of this multi-part series, we will set up the user accounts and security groups required in Active Directory to install and configure the MBAM server.
Create the following AD accounts and security groups on your domain controller under a dedicated OU. In my lab, I created an OU called MBAM. These accounts are used during the installation of the SQL server and the MBAM server.
All the steps below are performed on my domain controller (DC01).
Database accounts (name, type):
MBAM_DB_RO (User)
MBAM_DB_RW (User)
Help desk accounts:
MBAM_HD_Adv (Group)
MBAM_HD_AppPool (User)
MBAM_HD_DataMig (Group)
MBAM_HD_Reports (Group)
MBAM_HD_Users (Group)
Report accounts:
MBAM_Reports_RO (Group)
Test accounts:
MBAM_Report1 (User)
Add this account (MBAM_Report1) to the MBAM_HD_Reports group so this user can run MBAM reports.
You can use the PowerShell script below to create the MBAM user accounts instead of creating them manually.
All you need to do is change the CSV file path, the domain name and the password (the values shown in bold in the original post):
Import-Module ActiveDirectory
# Read one account per row from the CSV (columns: Name, samAccountName, OU) and create it in the given OU
Import-Csv "E:\sources\Scripts\NewUsers.csv" | ForEach-Object {
    # UPN is the sAMAccountName plus the domain suffix
    $userPrincipal = $_."samAccountName" + "@apac.eskonr.com"
    New-ADUser -Name $_.Name `
        -Path $_."OU" `
        -SamAccountName $_."samAccountName" `
        -UserPrincipalName $userPrincipal `
        -AccountPassword (ConvertTo-SecureString "P@ssword2015" -AsPlainText -Force) `
        -ChangePasswordAtLogon $false `
        -PasswordNeverExpires $true `
        -Enabled $true
}
What does the CSV file look like?
Name,samAccountName,OU
MBAM_DB_RO,MBAM_DB_RO,"OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
MBAM_DB_RW,MBAM_DB_RW,"OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
MBAM_HD_AppPool,MBAM_HD_AppPool,"OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
MBAM_Report1,MBAM_Report1,"OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
In addition to the user accounts above, create another user account called MBAM_Admin, which will be made a member (later) of the local Administrators group on the MBAM server and the SQL database server. This account is used for all installations on the MBAM server and SQL.
As I already have an SCCM account (CM_SRV) used for all installations, I use that account to install MBAM and the SQL database. Wherever I use the CM_SRV account, you can replace it with MBAM_Admin.
Once you are done with account and group creation, we will register SPNs for the application pool account (no delegation is required in MBAM 2.5 SP1).
SPN registration is required for the MBAM servers to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal,
so we will now register a Service Principal Name (SPN) for the application pool account.
Note: You must have domain administrative rights to perform this action.
Open CMD (run as administrator) and run the following command:
Setspn -s http/mbam01.corp.eskonr.com eskonr\mbam_hd_apppool
mbam01.corp.eskonr.com: FQDN of my MBAM server (this MBAM server runs Windows Server 2012 R2 and is joined to the domain without any other configuration).
eskonr\mbam_hd_apppool: domain account used for the web application pool.
Check whether the SPN has been registered on the account using: setspn -L corp.eskonr.com\mbam_hd_apppool
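The whole procedure above (groups, users, the report group membership, SPN registration and its check) as one PowerShell script, added here as an example and not taken from the original post. It assumes the post's lab values (the OU path, UPN suffix apac.eskonr.com, server FQDN mbam01.corp.eskonr.com), prompts for the password instead of embedding it, and the global security group scope for the MBAM groups is my assumption.

```powershell
# Added example (not from the original post). Assumed lab values below; adjust for your domain.
Import-Module ActiveDirectory

$ou        = "OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
$upnSuffix = "apac.eskonr.com"
$spn       = "http/mbam01.corp.eskonr.com"
$appPool   = "MBAM_HD_AppPool"

# Security groups listed in the post (global security groups is an assumption)
$groups = "MBAM_HD_Adv","MBAM_HD_DataMig","MBAM_HD_Reports","MBAM_HD_Users","MBAM_Reports_RO"
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $ou)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Prompt for the service account password rather than keeping it in the script
$password = Read-Host -Prompt "Password for MBAM service accounts" -AsSecureString

# User accounts listed in the post; skip any that already exist
$users = "MBAM_DB_RO","MBAM_DB_RW",$appPool,"MBAM_Report1"
foreach ($u in $users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$upnSuffix" -Path $ou `
            -AccountPassword $password -ChangePasswordAtLogon $false `
            -PasswordNeverExpires $true -Enabled $true
    }
}

# The test account goes into the reports group so it can run MBAM reports
Add-ADGroupMember -Identity "MBAM_HD_Reports" -Members "MBAM_Report1"

# Register the SPN only if no other object already holds it: a duplicate SPN
# breaks Kerberos authentication to the MBAM web sites.
$holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
if ($holder -and $holder.Name -ne $appPool) {
    throw "SPN $spn is already registered on $($holder.DistinguishedName)"
}
$current = (Get-ADUser -Identity $appPool -Properties servicePrincipalName).servicePrincipalName
if ($current -notcontains $spn) {
    Set-ADUser -Identity $appPool -ServicePrincipalNames @{Add = $spn}
}

# Verify the registration (same information setspn -L shows)
$registered = (Get-ADUser -Identity $appPool -Properties servicePrincipalName).servicePrincipalName
if ($registered -contains $spn) { "SPN $spn is registered on $appPool" }
else { throw "SPN registration failed for $appPool" }
```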
With this, we have completed the Active Directory prerequisites required to install the MBAM server.
In the next part (part 2), we will install the Windows roles, install SQL Server, and configure the database and permissions.
2 Comments
Hello,
I do not understand why you need to create both MBAM_HD_AppPool and MBAM_DB_RW.
During database installation MBAM_DB_RW is granted access to the database but never used after.
On the other side, you have to manually give access to the database for user MBAM_HD_AppPool that will be used for RW operations to the database.
Can the MBAM_DB_RW account be used instead of the MBAM_HD_AppPool for running the application pool ?
Kind regards.
Hi,
MBAM_HD_AppPool is the service account used to set up the application pool and will be used later. DB_RW has read/write access to the database and will be used to create the databases using this account.
For more information about the accounts that are used in the blog post, refer to https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-groups-and-accounts
Regards,
Eswar