The purpose of this series of posts is to explore and use Workspace ONE AirLift into a Lab environment to migrate devices, applications, and policies (GPOs) from ConfigMgr and Active Directory Domain Services (ADDS) to Modern Management with Workspace ONE.
Table of Contents:
Part 1 - AirLift Introduction and Diagram Overview. [Click here]
Part 2 - Servers and Computer Global Configuration. [Click here]
Part 3 - Active Directory Configuration and Domain Join. [Click here]
Part 4 - Hard Disks Configuration and prerequisite Sources Preparation. [Click here]
Part 5 - Roles and Features Installation. SPN Creation. [You are Here]
Part 6 - SQL Server, SSRS and SSMS Installation. [Coming Soon !]
Part 7 - WSUS Installation and Configuration. ADK And WinPE Installation. [Coming Soon !]
Part 8 - ConfigMgr prerequisites: System Management Container creation, AD Schema Extension and Database Creation. [Coming Soon !]
Part 9 - Installation, Overview and Update of ConfigMgr. [Coming Soon !]
Part 10 - ConfigMgr Configuration: Discovery methods Activation, Boundaries creation, Software Center personalization, VLC app configuration. [Coming Soon !]
Part 11 - Airlift Installation, Configuration and Overview. [Coming Soon !]
1 - Add Roles And Features
The following manipulations have to be done on MOB-SRV-MECM-01 Server.
According to the Microsoft documentation, I created a script to install all the Roles and Features needed. To install the Roles and Features this way:
- Click on Start menu.
- Search for Powershell ISE.
- Right click on Powershell ISE
- Click on Run as administrator.

- Click on New Script icon.
- Copy and paste the following script:
Import-Module ServerManager
Clear-Host

# Roles and Features required by ConfigMgr, in the order they will be installed.
# displayName is only used for the console output; name is the Windows feature name.
[array]$features = @(
    # .NET FRAMEWORK 3.5 FEATURES
    # Note: NET-Framework-Core fails with "source files could not be found" when the
    # .NET 3.5 payload is absent; in that case add -Source <media>\sources\sxs below.
    [pscustomobject]@{displayName='.NET Framework 3.5 (includes .NET 2.0 and 3.0)';name='NET-Framework-Core'}
    # .NET FRAMEWORK 4.7 FEATURES
    [pscustomobject]@{displayName='.NET Framework 4.7';name='NET-Framework-45-Core'}
    [pscustomobject]@{displayName='ASP.NET 4.7';name='NET-Framework-45-ASPNET'}
    [pscustomobject]@{displayName='HTTP Activation';name='NET-WCF-HTTP-Activation45'}
    [pscustomobject]@{displayName='TCP Port Sharing';name='NET-WCF-TCP-PortSharing45'}
    # IIS FEATURES
    ### WEB SERVER (IIS)
    ###### COMMON HTTP FEATURES
    [pscustomobject]@{displayName='Default Document';name='Web-Default-Doc'}
    [pscustomobject]@{displayName='Directory Browsing';name='Web-Dir-Browsing'}
    [pscustomobject]@{displayName='HTTP Errors';name='Web-Http-Errors'}
    [pscustomobject]@{displayName='Static Content';name='Web-Static-Content'}
    [pscustomobject]@{displayName='HTTP Redirection';name='Web-Http-Redirect'}
    ###### HEALTH AND DIAGNOSTICS
    [pscustomobject]@{displayName='HTTP Logging';name='Web-Http-Logging'}
    [pscustomobject]@{displayName='Logging Tools';name='Web-Log-Libraries'}
    [pscustomobject]@{displayName='Request Monitor';name='Web-Request-Monitor'}
    [pscustomobject]@{displayName='Tracing';name='Web-Http-Tracing'}
    ### PERFORMANCE
    [pscustomobject]@{displayName='Static Content Compression';name='Web-Stat-Compression'}
    [pscustomobject]@{displayName='Dynamic Content Compression';name='Web-Dyn-Compression'}
    ### SECURITY
    [pscustomobject]@{displayName='Request Filtering';name='Web-Filtering'}
    [pscustomobject]@{displayName='Basic Authentication';name='Web-Basic-Auth'}
    [pscustomobject]@{displayName='Client Certificate Mapping Authentication';name='Web-Client-Auth'}
    [pscustomobject]@{displayName='IP and Domain Restrictions';name='Web-IP-Security'}
    [pscustomobject]@{displayName='URL Authorization';name='Web-Url-Auth'}
    [pscustomobject]@{displayName='Windows Authentication';name='Web-Windows-Auth'}
    ### APPLICATION DEVELOPMENT
    [pscustomobject]@{displayName='.NET Extensibility 3.5';name='Web-Net-Ext'}
    [pscustomobject]@{displayName='.NET Extensibility 4.7';name='Web-Net-Ext45'}
    [pscustomobject]@{displayName='ASP';name='Web-ASP'}
    [pscustomobject]@{displayName='ASP.NET 3.5';name='Web-Asp-Net'}
    [pscustomobject]@{displayName='ASP.NET 4.7';name='Web-Asp-Net45'}
    [pscustomobject]@{displayName='ISAPI Extensions';name='Web-ISAPI-Ext'}
    [pscustomobject]@{displayName='ISAPI Filters';name='Web-ISAPI-Filter'}
    [pscustomobject]@{displayName='Server Side Includes';name='Web-Includes'}
    ### FTP SERVER
    [pscustomobject]@{displayName='FTP Service';name='Web-Ftp-Service'}
    ### MANAGEMENT TOOLS
    [pscustomobject]@{displayName='IIS Management Console';name='Web-Mgmt-Console'}
    [pscustomobject]@{displayName='IIS Management Scripts and Tools';name='Web-Scripting-Tools'}
    [pscustomobject]@{displayName='Management Service';name='Web-Mgmt-Service'}
    ###### IIS 6 MANAGEMENT COMPATIBILITY
    [pscustomobject]@{displayName='IIS 6 Metabase Compatibility';name='Web-Metabase'}
    [pscustomobject]@{displayName='IIS 6 Management Console';name='Web-Lgcy-Mgmt-Console'}
    [pscustomobject]@{displayName='IIS 6 Scripting Tools';name='Web-Lgcy-Scripting'}
    [pscustomobject]@{displayName='IIS 6 WMI Compatibility';name='Web-WMI'}
    # BACKGROUND INTELLIGENT TRANSFER SERVICE (BITS)
    [pscustomobject]@{displayName='IIS Server Extension';name='BITS-IIS-Ext'}
    # REMOTE SERVER ADMINISTRATION TOOLS
    ### FEATURE ADMINISTRATION TOOLS
    [pscustomobject]@{displayName='BITS Server Extensions Tools';name='RSAT-Bits-Server'}
    # REMOTE DIFFERENTIAL COMPRESSION
    [pscustomobject]@{displayName='Remote Differential Compression';name='RDC'}
)

[int]$total = $features.Count
[int]$count = 0

ForEach ($feature in $features) {
    [string]$installState = $null
    [System.Object]$installResult = $null
    $count += 1
    Write-Host "$count/$total - Installation of [$($feature.displayName)] Feature:"

    # Skip features that are already present so the script can be re-run safely.
    $installState = (Get-WindowsFeature -Name $feature.name).InstallState
    If ($installState -eq "Installed") {
        Write-Host "`tFeature [$($feature.displayName)] is already Installed" -ForegroundColor Green
    } Else {
        $installResult = Install-WindowsFeature -Name $feature.name
        # ExitCode is Success when the feature and its required sub-features were installed.
        If ($installResult.ExitCode -eq "Success") {
            Write-Host "`tFeature [$($feature.displayName)] Installation Succeed" -ForegroundColor Green
        } Else {
            Write-Host "`tFeature [$($feature.displayName)] Installation Failed" -ForegroundColor Red
        }
    }
}

- Here is the result once the script has been run:

- Close all windows.
1.1 - Verification
- Click on Start Menu.
- Search for Powershell.
- Right click on Powershell.
- Click on Run as administrator.

- Execute the following command:
Get-WindowsFeature | Where installstate -eq installed
- Here is the result:

1.2 - Post-Installation
Restart MOB-SRV-MECM-01 Server.
2 - Share Folder Creation
The following manipulations have to be done on MOB-SRV-MECM-01 Server.
1. Open File Explorer.
2. Navigate to the Content_Library folder.
3. Create a new folder named Sources.
4. Right click on the Sources folder and click on Properties.

On Sources Properties window:
5. Click on Sharing tab.
6. Click on Advanced Sharing...

On Advanced Sharing window:
7. Check Share this folder.
8. Click on Permissions.

On Permissions for Sources window:
9. Click Add...
On Select Users, Computers, Service Accounts, or Groups Window:
10. Under Enter the object names to select, enter Domain Users.
11. Validate by clicking on Check Names.
12. Close Select Users, Computers, Service Accounts, or Groups Window by clicking on OK.
Back on Permissions for Sources window
13. Verify the Domain Users group permissions: only Read must be set to Allow.
14. Click on Apply.
15. Close Permissions for Sources window by clicking on OK.

Back on Advanced Sharing window:
16. Click on Apply.
17. Close Advanced Sharing window by clicking on OK.
Back on Sources Properties window:
18. Click on Apply.
19. Close Sources Properties window by clicking on Close.
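The same share can be created and its permissions checked from PowerShell. This is an added example, not part of the original post; it assumes Content_Library sits on the D: drive (adjust $SourcesPath to the disk layout from Part 4) and that MOBINERGY is the NetBIOS domain name.

```powershell
# Added example (not from the original post): create the Sources share with
# read-only access for Domain Users and verify the resulting share permissions.
# Assumption: Content_Library is on D:; adjust $SourcesPath to your layout.
$SourcesPath = 'D:\Content_Library\Sources'
$ShareName   = 'Sources'
$ReadGroup   = 'MOBINERGY\Domain Users'

# Create the folder if it does not exist yet.
if (-not (Test-Path -Path $SourcesPath)) {
    New-Item -Path $SourcesPath -ItemType Directory | Out-Null
}

# Create the share. -ReadAccess grants Read only, matching step 13 of the GUI procedure.
# When an access parameter is given, the default "Everyone: Read" entry is not added.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SourcesPath -ReadAccess $ReadGroup | Out-Null
}

# Verify: the share ACL must contain an entry for Domain Users with Read and Allow.
$acl   = Get-SmbShareAccess -Name $ShareName
$entry = $acl | Where-Object { $_.AccountName -eq $ReadGroup }
if ($entry -and $entry.AccessRight -eq 'Read' -and $entry.AccessControlType -eq 'Allow') {
    Write-Host "Share '$ShareName': $ReadGroup has Read/Allow as expected" -ForegroundColor Green
} else {
    Write-Host "Share '$ShareName': unexpected permissions for $ReadGroup" -ForegroundColor Red
    $acl | Format-Table AccountName, AccessRight, AccessControlType -AutoSize
}

# Report any other entry granting more than Read, which the GUI procedure does not intend.
# Effective access is the intersection of share and NTFS permissions, so the folder's
# NTFS ACL still applies on top of this.
$acl | Where-Object { $_.AccessRight -ne 'Read' -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { Write-Host "Warning: $($_.AccountName) has $($_.AccessRight)" -ForegroundColor Yellow }
```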
3 - Local Admins GPO Policy Configuration
The following manipulations have to be done on MOB-SRV-DC-01 Server.
1. Open Server Manager.
2. Click Tools located on the upper right corner.
3. Click Group Policy Management.
On Group Policy Management:
4. Expand Forest: ad.mobinergy.com node.
5. Expand Domains node.
6. Expand ad.mobinergy.com node.
7. Right click on Mobinergy Computers OU.
8. Click on Create a GPO in this domain, and Link it here...

On New GPO Window:
9. Under Name Property, enter MECM Local Admins.
10. Click on OK.

11. Edit the MECM Local Admins GPO.
On Group Policy Management Editor window:
12. Expand Computer Configuration node.
13. Expand Policies node.
14. Expand Windows Settings node.
15. Expand Security Settings node.
16. Right click on Restricted Groups node.
17. Click on Add Group...

On Add Group window:
18. Click on Browse...
On Select Groups window:
19. Enter MOBINERGY Local Admins.
20. Validate by clicking on Check Names.
21. Close Select Groups window by clicking on OK.
22. Close Add Group window by clicking on OK.

On MOBINERGY\MOBINERGY Local Admins Property window:
23. Under This group is member of section, click Add...
On Group Membership window:
24. Click on Browse...
On Select Groups window:
25. Enter Administrators.
26. Validate by clicking on Check Names.
27. Close Select Groups window by clicking on OK.
28. Close Group Membership window by clicking on OK.
29. Close MOBINERGY\MOBINERGY Local Admins Property window by clicking on Apply then OK.

On Group Policy Management Editor window:
30. Expand Computer Configuration node.
31. Expand Policies node.
32. Expand Windows Settings node.
33. Expand Security Settings node.
34. Right click on Local Policies node.
35. Click on User Rights Assignment.
36. Edit Deny log on locally.
37. Click on Security Policy Setting tab.
38. Check Define these policy settings.
39. Add MOBINERGY Local Admins Group by clicking on Add Users or Group...
40. Click Apply.
41. Click OK.

- Close Group Policy Management Editor window.
These policies follow the Microsoft recommendations:
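To confirm that both settings of the GPO actually landed on a client, the following check can be run on a domain-joined computer in the Mobinergy Computers OU (for example MOB-DKT-AIRLIFT-01) after a gpupdate /force. This is an added example, not part of the original post; it assumes MOBINERGY is the NetBIOS domain name and that the exported policy file name is free to use.

```powershell
# Added example (not from the original post): verify the MECM Local Admins GPO on a client.
# 1. Restricted Groups: MOBINERGY Local Admins must be a member of local Administrators.
# 2. User Rights: MOBINERGY Local Admins must be listed in 'Deny log on locally'.
$GroupName = 'MOBINERGY\MOBINERGY Local Admins'

# 1. Restricted Groups membership.
$isAdmin = @(Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq $GroupName }).Count -gt 0
Write-Host "Member of local Administrators: $isAdmin"

# 2. Export the effective user rights with secedit and read SeDenyInteractiveLogonRight,
#    which holds a comma-separated list of SIDs prefixed with '*'.
$cfg = Join-Path $env:TEMP 'rights.inf'   # assumed scratch file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

$denied = @()
if ($line) {
    $denied = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            # Translate each SID to DOMAIN\name; entries that are already names pass through.
            (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }
    }
}
$isDenied = $denied -contains $GroupName
Write-Host "Listed in 'Deny log on locally': $isDenied (entries: $($denied -join ', '))"

if ($isAdmin -and $isDenied) {
    Write-Host 'MECM Local Admins GPO applied as expected' -ForegroundColor Green
} else {
    Write-Host 'GPO not fully applied; check gpresult /r and the OU link' -ForegroundColor Red
}
```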
4 - Local Admins Configuration
4.1 - mcrouzet user
The following manipulations have to be done on MOB-DKT-AIRLIFT-01 Computer.
- Log in to a Windows session with an admin account.
- Right click on Start menu.
- Click on Computer Management.

- Under Computer Management (local) section, expand System Tools node.
- Expand Local Users and Groups node.
- Click on Groups.
- Right click on Administrators.
- Click on Add to Group...

- Click on Add...
- Add MOBINERGY\mcrouzet user.
- Click on Apply.
- Click on OK.

- Close all windows.
- Log out.
- Log in with mcrouzet User Domain account.
4.2 - MOB-SRV-MECM-01 Computer
The following manipulations have to be done on MOB-SRV-MECM-01 Server.
- Right click on the Start menu.
- Click on Computer Management.
- Expand System Tools node.
- Expand Local Users and Groups node.
- Click on Groups.

- Right click on Administrators.
- Click on Properties.

- Click on Add...
- Click on Object Types...
- Check only Computers object.
- Enter MOB-SRV-MECM-01 Server.
- Verify the object name by clicking on Check Names.
- Click on OK.
- Click on Apply.
- Click on OK.

- Close all windows.
5 - Firewall Rules for SQL Server
The following manipulations have to be done on MOB-SRV-MECM-01 Server.
- Click on Start menu.
- Search for Windows Defender Firewall with Advanced Security.
- Click on Windows Defender Firewall with Advanced Security.

- Right click on Inbound Rules.
- Click on New Rule...

5.1 - Inbound Rule Type Step
- Select Port.
- Click on Next >.

5.2 - Inbound Protocol and Ports Step
- Next to Specific local ports, enter 1433, 4022.
- Click on Next >.

Why should ports 1433 and 4022 be opened on the firewall?
- Port 1433 – SQL Server listens for incoming connections on a particular port. The default port for SQL Server is 1433. It applies to routine connections to the default installation of the Database Engine, or to a named instance that is the only instance running on the computer.
- Port 4022 – This is the port used by SQL Server Service Broker. There is no default port for Service Broker, but 4022 is the conventional one and it is the port we allow in on our firewall.
Source: Microsoft Documentation
5.3 - Inbound Action Step
- Leave default value.
- Click on Next >.

5.4 - Inbound Profile Step
- Uncheck both Private and Public.
- Click on Next >.

5.5 - Inbound Name Step
- Add a Name, for example Allow SQL Server Ports.
- Click on Finish.
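The same rule can be created and audited from PowerShell on MOB-SRV-MECM-01. This is an added example, not part of the original post; it uses the rule name suggested in step 5.5 and the Domain-only profile from step 5.4.

```powershell
# Added example (not from the original post): create the inbound rule from section 5
# and verify that it is TCP 1433/4022, Allow, and scoped to the Domain profile only.
$RuleName = 'Allow SQL Server Ports'
$Ports    = @(1433, 4022)

# Create the rule only if it does not exist yet; New-NetFirewallRule happily creates
# a second rule with the same DisplayName, which makes later audits confusing.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Ports `
        -Profile Domain
}

# Verify every property the wizard set: enabled, inbound, allow, Domain profile only,
# and exactly the two expected TCP ports (no more, no less).
$portFilter = $rule | Get-NetFirewallPortFilter
$expectedPorts = @($Ports | ForEach-Object { "$_" })
$ok = ($rule.Enabled -eq 'True') -and
      ($rule.Direction -eq 'Inbound') -and
      ($rule.Action -eq 'Allow') -and
      ($rule.Profile -eq 'Domain') -and
      ($portFilter.Protocol -eq 'TCP') -and
      (@(Compare-Object @($portFilter.LocalPort) $expectedPorts).Count -eq 0)

if ($ok) {
    Write-Host "Rule '$RuleName' matches the expected configuration" -ForegroundColor Green
} else {
    Write-Host "Rule '$RuleName' differs from the expected configuration:" -ForegroundColor Red
    $rule | Format-List DisplayName, Enabled, Direction, Action, Profile
    $portFilter | Format-List Protocol, LocalPort
}
```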

6 - Firewall Rules for MECM Client
The following manipulations have to be done on MOB-SRV-DC-01 Server.
1. Open Server Manager.
2. Click on Tools located on the upper right corner.
3. Click on Group Policy Management.
On Group Policy Management:
4. Expand Forest: ad.mobinergy.com node.
5. Expand Domains node.
6. Expand ad.mobinergy.com node.
7. Right click on Mobinergy Computers OU.
8. Click on Create a GPO in this domain, and Link it here...

On New GPO Window:
9. Under Name Property, enter MECM Client Rules.
10. Click on OK.

11. Edit the MECM Client Rules GPO.
On Group Policy Management Editor window:
12. Expand Computer Configuration node.
13. Expand Policies node.
14. Expand Windows Settings node.
15. Expand Security Settings node.
16. Expand Windows Defender Firewall with Advanced Security node.
17. Expand Windows Defender Firewall with Advanced Security node.
18. Right click on Inbound Rules node.
19. Click on New Rule...

- On New Inbound Rule Wizard, make the following configuration:



- Again, right click on Inbound Rules node.
- Click on New Rule...
- On New Inbound Rule Wizard, make the following configuration:



- Again, right click on Inbound Rules node.
- Click on New Rule...
- On New Inbound Rule Wizard, make the following configuration:





- Now, right click on Outbound Rules node.
- Click on New Rule...
- On New Outbound Rule Wizard, make the following configuration:



- Again, right click on Outbound Rules node.
- Click on New Rule...
- On New Outbound Rule Wizard, make the following configuration:





7 - SPN Registration
The following manipulations have to be done on MOB-SRV-DC-01 Server.
Using Kerberos authentication with SQL Server requires both of the following conditions to be true:
- The client and server computers must be part of the same Windows domain, or in trusted domains.
- A Service Principal Name (SPN) must be registered with Active Directory, which assumes the role of the Key Distribution Center in a Windows domain. Once registered, the SPN maps to the Windows account that started the SQL Server instance service. When the service runs under a domain user account, we have to register the SPN manually.
- Open a PowerShell terminal as administrator.
- Create the SPN for the NetBIOS name by entering the following command:
setspn -A MSSQLSvc/MOB-SRV-MECM-01:1433 ad.mobinergy.com\SVC_SQL
As a result:
- Create the SPN for the FQDN by entering the following command:
setspn -A MSSQLSvc/MOB-SRV-MECM-01.ad.mobinergy.com:1433 ad.mobinergy.com\SVC_SQL
As a result:
- To verify that everything is OK, enter the following command:
setspn -L ad.mobinergy.com\SVC_SQL
As a result:
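Beyond setspn -L, a practitioner will want to confirm that the two SPNs are on the right account and that no other object in the forest carries the same SPN, since a duplicate silently breaks Kerberos for that service. The following check is an added example, not part of the original post; it runs on the domain controller and assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is available there.

```powershell
# Added example (not from the original post): verify the SPNs registered in section 7.
# Note: 'setspn -S' (instead of -A) refuses to add an SPN that already exists elsewhere,
# which avoids creating a duplicate in the first place.
Import-Module ActiveDirectory

$ServiceAccount = 'SVC_SQL'
$HostName       = 'MOB-SRV-MECM-01'
$Expected = @(
    "MSSQLSvc/${HostName}:1433",
    "MSSQLSvc/${HostName}.ad.mobinergy.com:1433"
)

# 1. Read servicePrincipalName straight from the service account object.
$registered = @((Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName)
foreach ($spn in $Expected) {
    if ($registered -contains $spn) {
        Write-Host "OK      $spn" -ForegroundColor Green
    } else {
        Write-Host "MISSING $spn" -ForegroundColor Red
    }
}

# 2. Forest-wide duplicate check: the KDC cannot choose between two accounts holding
#    the same SPN, so any duplicate for this host must be fixed before SQL Server is used.
$dupReport = setspn -X
if ($dupReport -match "MSSQLSvc/$HostName") {
    Write-Host "Duplicate SPN found for $HostName; fix it before enabling SQL Server" -ForegroundColor Red
} else {
    Write-Host "No duplicate SPN for $HostName" -ForegroundColor Green
}

# 3. Any other object carrying an MSSQLSvc SPN for this host (for example the computer
#    account, if SQL Server once ran as a built-in account) would also conflict.
$others = Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/$HostName*)" `
    -Properties servicePrincipalName, sAMAccountName |
    Where-Object { $_.sAMAccountName -ne $ServiceAccount }
if ($others) {
    Write-Host "Other objects with MSSQLSvc SPNs for this host: $($others.sAMAccountName -join ', ')" -ForegroundColor Yellow
}
```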
8 - Update Architecture Diagram
Taking these modifications into account, here is the updated Architecture Diagram:

9 - Conclusion
This is the end of Part 5 of this series of posts. In this post we have done the following:
- Installation of .NET and WCF Roles and Features.
- Installation of BITS, IIS and RDC Roles and Features.
- Creation of SPN.
See you in Part 6 to continue the configuration.