System Center 2012 R2 Update Rollup 2

I’ve created a tool for downloading the bits for Update Rollup 2, as well as extracting the .cab files. This keeps things a bit more organized and is quicker than navigating through Windows Update. Enjoy!


<#
.SYNOPSIS
Downloads all of UR2 (english only)   
.DESCRIPTION   
All prereqs are downloaded and unpacked   
.INPUTS  
 -DestinationFolder
used to define the location where everything is stored.  Default is C:\SysCen2012R2UR2  
 -Cleanup     
true/false used to delete cab files after expanding.  Default is $true   
.OUTPUTS   
None    
.NOTES   
Author:         Daniel Kucinski   
Date:           June 2014   
Purpose/Change: Initial creation    
.EXAMPLE   
.\SCUR2downloader.ps1 -DestinationFolder c:\UpdateRollup2 -CleanUp $true -Verbose 
.EXAMPLE   
...just right-click and run   enjoy! 
#>

    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param(
    [Parameter(position=0)]
    [string]$DestinationFolder = "C:\SysCen2012R2UR2",

    [Parameter(position=1)] #Mandatory=$true
    [bool]$CleanUp = $true
    )

$erroractionpreference = "SilentlyContinue"
$error.clear()
$download = New-Object System.Net.WebClient

function Expand-ZIPFile($file, $destination) {
    $shell = New-Object -ComObject shell.application
    $zip = $shell.NameSpace($file)
        ForEach ($item in $zip.items())
        {
            $shell.NameSpace($destination).CopyHere($item,0x14)
        } #foreach
    } #function

# create dir and download prereqs from MS
[array]$components = @("VMM","SCSM","SCO","SCOM","SPF","SMA","DPM")
    New-Item -Type directory -path $DestinationFolder | Out-Null
        ForEach ($item in $components) {
            New-Item -Type directory -Path $DestinationFolder\$item | Out-Null
        } #foreach
    Write-Verbose "created  directories - continuing..."

# SCSM
IF (Test-Path "$DestinationFolder\SCSM\SCSM2012R2_CU_KB2904710_AMD64_7.5.3079.61.exe") {
    Write-Verbose "SCSM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCSM components"
        $source = "http://download.microsoft.com/download/1/6/A/16A55195-AA6A-4210-A780-0403D7F7D6EE/SCSM2012R2_CU_KB2904710_AMD64_7.5.3079.61.exe"
        $destination = "$DestinationFolder\SCSM\SCSM2012R2_CU_KB2904710_AMD64_7.5.3079.61.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# SCOM
#management server
IF (Test-Path "$DestinationFolder\SCOM\kb2929891-amd64-server_efa0a2029f892ab08b3b5c869fe57f8c267dc6e6.cab") {
    Write-Verbose "SCOM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCOM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2929891-amd64-server_efa0a2029f892ab08b3b5c869fe57f8c267dc6e6.cab"
        $destination = "$DestinationFolder\SCOM\kb2929891-amd64-server_efa0a2029f892ab08b3b5c869fe57f8c267dc6e6.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#gateway
IF (Test-Path "$DestinationFolder\SCOM\kb2929891-amd64-gateway_6c78f8fcacf5e679d6ef63398fb6538322c92e98.cab") {
    Write-Verbose "SCOM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCOM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2929891-amd64-gateway_6c78f8fcacf5e679d6ef63398fb6538322c92e98.cab"
        $destination = "$DestinationFolder\SCOM\kb2929891-amd64-gateway_6c78f8fcacf5e679d6ef63398fb6538322c92e98.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#webconsole
IF (Test-Path "$DestinationFolder\SCOM\kb2929891-amd64-enu-webconsole_f459a18aa85e98d6270fe6bbbeb26ed29ebab466.cab") {
    Write-Verbose "SCOM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCOM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2929891-amd64-enu-webconsole_f459a18aa85e98d6270fe6bbbeb26ed29ebab466.cab"
        $destination = "$DestinationFolder\SCOM\kb2929891-amd64-enu-webconsole_f459a18aa85e98d6270fe6bbbeb26ed29ebab466.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# SMA
IF (Test-Path "$DestinationFolder\SMA\kb2904689_powershellmoduleinstaller_x64_d57fd83f3066ad603201e3d42630cbd00bc28e67.cab") {
    Write-Verbose "SMA Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SMA components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2904689_powershellmoduleinstaller_x64_d57fd83f3066ad603201e3d42630cbd00bc28e67.cab"
        $destination = "$DestinationFolder\SMA\kb2904689_powershellmoduleinstaller_x64_d57fd83f3066ad603201e3d42630cbd00bc28e67.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# SPF
IF (Test-Path "$DestinationFolder\SPF\kb2932939_microsoft.systemcenter.foundation.setup_x64_0a38ef61d7850cfb903492670e3fa3cf6c8471f3.cab") {
    Write-Verbose "SPF Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SPF components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2932939_microsoft.systemcenter.foundation.setup_x64_0a38ef61d7850cfb903492670e3fa3cf6c8471f3.cab"
        $destination = "$DestinationFolder\SPF\kb2932939_microsoft.systemcenter.foundation.setup_x64_0a38ef61d7850cfb903492670e3fa3cf6c8471f3.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# VMM
#adminconsole x64
IF (Test-Path "$DestinationFolder\VMM\kb2932942_adminconsole_amd64_5dd291de44899042205ec70eecb8555f1c2c10d0.cab") {
    Write-Verbose "VMM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading VMM components"
        $source = "http://download.windowsupdate.com/c/msdownload/update/software/uprl/2014/04/kb2932942_adminconsole_amd64_5dd291de44899042205ec70eecb8555f1c2c10d0.cab"
        $destination = "$DestinationFolder\VMM\kb2932942_adminconsole_amd64_5dd291de44899042205ec70eecb8555f1c2c10d0.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#VMM server
IF (Test-Path "$DestinationFolder\VMM\kb2932926_vmmserver_amd64_ebd2c3f90127efa11f750f1464cb44bd1b0108bc.cab") {
    Write-Verbose "VMM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading VMM components"
        $source = "http://download.windowsupdate.com/c/msdownload/update/software/uprl/2014/04/kb2932926_vmmserver_amd64_ebd2c3f90127efa11f750f1464cb44bd1b0108bc.cab"
        $destination = "$DestinationFolder\VMM\kb2932926_vmmserver_amd64_ebd2c3f90127efa11f750f1464cb44bd1b0108bc.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# SCO
#webservice
IF (Test-Path "$DestinationFolder\SCO\kb2904689_webserviceinstaller_x64_fa0016be99b73e5738d9a30068ca93566d26a622.cab") {
    Write-Verbose "SCO Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCO components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2904689_webserviceinstaller_x64_fa0016be99b73e5738d9a30068ca93566d26a622.cab"
        $destination = "$DestinationFolder\SCO\kb2904689_webserviceinstaller_x64_fa0016be99b73e5738d9a30068ca93566d26a622.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#runbook server
IF (Test-Path "$DestinationFolder\SCO\kb2904689_runbookserver_x86_4cfc6f108fc6432d251ab861401ceeb6c93acd8a.cab") {
    Write-Verbose "SCO Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCO components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2904689_runbookserver_x86_4cfc6f108fc6432d251ab861401ceeb6c93acd8a.cab"
        $destination = "$DestinationFolder\SCO\kb2904689_runbookserver_x86_4cfc6f108fc6432d251ab861401ceeb6c93acd8a.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#runbook designer
IF (Test-Path "$DestinationFolder\SCO\kb2904689_runbookdesigner_x86_55fa0a511b6def5b80e72f7edb162277b32b9ae9.cab") {
    Write-Verbose "SCO Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCO components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2904689_runbookdesigner_x86_55fa0a511b6def5b80e72f7edb162277b32b9ae9.cab"
        $destination = "$DestinationFolder\SCO\kb2904689_runbookdesigner_x86_55fa0a511b6def5b80e72f7edb162277b32b9ae9.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# DPM
#central console server
IF (Test-Path "$DestinationFolder\DPM\dpmcentralconsoleserver-kb2963543_ce185cdaad05fb7f5df55a6b14883eede2c031b2.exe") {
    Write-Verbose "DPM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading DPM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/05/dpmcentralconsoleserver-kb2963543_ce185cdaad05fb7f5df55a6b14883eede2c031b2.exe"
        $destination = "$DestinationFolder\DPM\dpmcentralconsoleserver-kb2963543_ce185cdaad05fb7f5df55a6b14883eede2c031b2.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else   

#dpm
IF (Test-Path "$DestinationFolder\DPM\dataprotectionmanager2012r2-kb2963543_a975a99c79b2c1267f3087dc34af68398994849d.exe") {
    Write-Verbose "DPM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading DPM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/05/dataprotectionmanager2012r2-kb2963543_a975a99c79b2c1267f3087dc34af68398994849d.exe"
        $destination = "$DestinationFolder\DPM\dataprotectionmanager2012r2-kb2963543_a975a99c79b2c1267f3087dc34af68398994849d.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else   

#management shell 1
IF (Test-Path "$DestinationFolder\DPM\dpmmanagementshell-kb2963543_015ac9652a3cbb3fef17496fdaf90a0b64feeb95.exe") {
    Write-Verbose "DPM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading DPM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/05/dpmmanagementshell-kb2963543_015ac9652a3cbb3fef17496fdaf90a0b64feeb95.exe"
        $destination = "$DestinationFolder\DPM\dpmmanagementshell-kb2963543_015ac9652a3cbb3fef17496fdaf90a0b64feeb95.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else   

#management shell 2
IF (Test-Path "$DestinationFolder\DPM\dpmmanagementshell-kb2963543_7e533fb1e095022cb8a4298af77c139ae0c34bd7.exe") {
    Write-Verbose "DPM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading DPM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/05/dpmmanagementshell-kb2963543_7e533fb1e095022cb8a4298af77c139ae0c34bd7.exe"
        $destination = "$DestinationFolder\DPM\dpmmanagementshell-kb2963543_7e533fb1e095022cb8a4298af77c139ae0c34bd7.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else   

# unzip cab files
$Cabs = Get-ChildItem -Path $DestinationFolder -Recurse -Filter *.cab

    foreach ($cab in $cabs) {
        #$FriendlyName =
        # $(...) is needed so the property, not the whole object, is expanded in the string
        Write-Verbose "Expanding $($Cab.BaseName)"
        Expand-ZIPFile -File $Cab.FullName -Destination $Cab.DirectoryName
        Write-Verbose "done..."
    } #foreach

# cleanup
IF ($CleanUp -eq $true) {
    foreach ($cab in $cabs) {
        #$FriendlyName =
        Write-Verbose "Deleting $($Cab.BaseName)"
        Remove-Item $Cab.FullName -Force
        Write-Verbose "done..."
    } #foreach
} #IF
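
The script above fetches every package over plain HTTP and expands it without checking it. The following is an added example, not part of the original script, meant to run after the downloads and before the "unzip cab files" step: it checks each .cab and .exe for a valid Microsoft Authenticode signature and, where the file name carries a 40-character hex suffix, compares that suffix with the file's SHA-1. The function name Test-UpdatePackage is hypothetical, and both the signer subject match and the reading of the suffix as the file's SHA-1 are assumptions.

```powershell
# Added example (not part of the original script): check each downloaded
# package before it is expanded or run. Requires PowerShell 4.0+ (Get-FileHash).
[CmdletBinding()]
param(
    [string]$DestinationFolder = "C:\SysCen2012R2UR2"
)

function Test-UpdatePackage {
    param([Parameter(Mandatory = $true)][System.IO.FileInfo]$File)

    # 1. Authenticode: the signature must validate and chain to a trusted root.
    $sig    = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # Assumption: Microsoft packages are signed with a certificate whose
    # subject contains "O=Microsoft Corporation".
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($signer -match '(^|,\s*)O=Microsoft Corporation(,|$)')

    # 2. File-name hash. Assumption: the 40 hex characters after the last "_"
    #    in a Windows Update file name are the SHA-1 of the file content.
    $hashOk = $null                           # $null = no hash in the name
    if ($File.BaseName -match '_([0-9a-fA-F]{40})$') {
        $expected = $Matches[1]
        $actual   = (Get-FileHash -Path $File.FullName -Algorithm SHA1).Hash
        $hashOk   = ($actual -eq $expected)   # -eq ignores case for strings
    }

    [pscustomobject]@{
        Name            = $File.Name
        SignatureStatus = $sig.Status
        Signer          = $signer
        Sha1Matches     = $hashOk
        # Trusted only if signed by Microsoft and the name hash, when present, matches.
        Trusted         = $signedByMicrosoft -and ($hashOk -ne $false)
    }
}

$packages = Get-ChildItem -Path $DestinationFolder -Recurse -File -Include *.cab, *.exe
$report   = foreach ($package in $packages) { Test-UpdatePackage -File $package }
$report | Format-Table Name, SignatureStatus, Sha1Matches, Trusted -AutoSize

# Stop before anything unverified is expanded or installed.
$rejected = @($report | Where-Object { -not $_.Trusted })
foreach ($item in $rejected) {
    Write-Warning "Not trusted: $($item.Name) (signature: $($item.SignatureStatus), SHA-1 match: $($item.Sha1Matches))"
}
if ($rejected.Count -gt 0) {
    throw "$($rejected.Count) package(s) failed verification; do not expand or install them."
}
```

Because the downloader sets $erroractionpreference to "SilentlyContinue", a failed or truncated download is otherwise silent; a missing or invalid signature here is the first visible sign of it.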


Configuring SCCM 2012 for PKI and SSL: Managing Apple Computers

Now that our site is running in HTTPS, we’re ready to set up and enroll our first Mac clients.  This requires some additional infrastructure, as well as another cert, which we’ll walk through here.

Enrollment Point Role

Managing Macs requires the Enrollment point and Enrollment proxy point roles.  That’s pretty easy: just install them the same as other roles.  There really aren’t any special configurations that need to be done, so just follow through the wizard.



Configuring SCCM 2012 for PKI and SSL: Setting up HTTPS communication

Recently, I’ve begun a rather large and complex SCCM implementation for a customer here in Seattle.  One of the requirements that they have is managing their rather extensive fleet of Apple laptops.  As you know, SP1 introduced OS X support, and that has expanded with R2.  However, I have never implemented this, and I was worried doing so might be a bit tricky.

This is my attempt at a soup-to-nuts guide to setting it up. As you know, PKI is a requirement for managing Macs, but you should be using SCCM in SSL mode anyway. But why? I often hear people state that they don’t need encryption on a bunch of info about Windows patches etc. While this is true, it misses the point, and encryption is only a by-product of what we’re really after: authentication. SCCM is a very powerful tool, used to manage the configuration of your entire environment. Authenticating the servers that are doing the managing to the systems that are being managed is important.

Enough on that. For starters, I’ll assume the following:

  • A Windows domain
  • SCCM 2012 R2 installed and basic configurations completed
  • Active Directory Certificate Services is installed and configured

If you’ve not set up a domain or installed ADCS before, good luck with that.  I’ll try to look around for a good guide and post, but that is beyond the scope of this guide.  You can review the basics of ADCS here: http://technet.microsoft.com/en-us/library/hh831740.aspx

If you’ve not installed SCCM before, I highly recommend you check out MVP Niall Brady’s guides here: http://www.windows-noob.com/forums/index.php?/topic/4045-system-center-2012-configuration-manager-guides/

Clear?  Great!  Let’s get started.  We’ll need a few certs to put our site into HTTPS mode, so we’ll start by creating those here:

Workstation Client Certificate


McAfee Access Protection Prevents creation of boot disk in SCCM 2012 SP1

This has been driving me crazy the past couple of days:

https://kc.mcafee.com/corporate/index?page=content&id=KB76867&actp=search&viewlocale=en_US&searchid=1357907921573

Last week I started on an install for SCCM 2012 SP1 for a customer who has McAfee as the main security solution in their environment.  I have some previous experience with McAfee, and I hadn’t previously experienced any issues with it.  All of the previous clients I had that used McAfee were on 2012 RTM, and this was the first one I had done with SP1.  SP1 uses the ADK, instead of the AIK, of course, and all has not gone smoothly.

The first problem I encountered was with the site installation itself: the site seemed to install fine, but no boot images were created.  This seemed a bit odd, so I checked the ConfigMgrSetup.log file located on the root of C:\


The boot images were not created properly during setup.  The boot image files were both at their default location (\\server\SMS_sitecode\osd\boot) but they weren’t in the console.  I decided to try and import them manually:


A bit of an odd error message, however, the DISM log file showed that SCCM was unable to insert the OSD binaries into the WIM.  Now we’re getting somewhere.  I figured I’d try creating one from scratch with MDT.  That was also unsuccessful.


Searching around the web was not very helpful, as most people seemed to be reporting problems related to permissions.  Given the access denied error that others reported, and the fact that my permissions were fine, I believed the culprit would be McAfee.  Since the logs didn’t show McAfee blocking or deleting anything, I didn’t have much to go on.  I talked to the security team and got them to allow me to temporarily disable McAfee, and like clockwork, I was able to create a boot image.  My first thought was to exclude C:\Windows\Temp\BootImages from McAfee, but the customer’s security team wanted specific justification before adding any exclusions.  We tried it as a troubleshooting step, but once Access Protection was reactivated, the problem returned.

Earlier today I came across the article above from McAfee.  Hopefully they’ll come to a more permanent solution, but for the time being, we need to turn off Access Protection whenever we update or edit any boot image, or perform offline servicing on a WIM.  I’ve been in other environments with SCCM 2012 SP1 and other AV solutions, such as Symantec Endpoint Protection, Kaspersky, and of course SCEP, but haven’t experienced this issue yet.

AV White-list Considerations

This issue has prompted me to review some of the community resources concerning AV policy on an SCCM site server.  My personal feeling is to exclude these locations from any AV client:

  • %programfiles%\Microsoft Configuration Manager\Inboxes\*
  • %programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*
  • <C:>\ConfigMgr_OfflineImageServicing – defaults to the same drive the site is installed on
  • C:\Windows\TEMP\BootImages

You may want to review the following links for more information:

http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx

http://www.systemcenterblog.nl/2012/05/09/anti-virus-scan-exclusions-for-configuration-manager-2012/

SCCM 2007:  http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations.aspx

-easy

SCCM 2012 SP1 CU1

http://support.microsoft.com/kb/2817245

Cumulative Update 1 is now available from Microsoft, and it fixes, amongst other things, the obnoxious problem with the MicrosoftPolicyPlatformSetup.msi file that prevents client installs from working out of the box.

Luckily, the install is quite simple: after you download the hotfix, extract it, then launch the executable.


During the setup, SMS services will shut down and be unavailable, so be sure to schedule an outage if your company policy dictates it.  The whole process only takes about 5 to 10 minutes.


These packages, which we selected during the installation, are automatically created for you, with programs ready for deployment.

Deploying the updates


After verifying the update is successful, and testing each of the packages, you’re ready to roll it out to your environment.

To do that, I’ve created 3 collections, and then just set mandatory advertisements to each of them.  I turned off client notifications and set the program to “rerun if failed previous attempt”.  From that point, it was mostly just monitoring.

Here are the collections, ready for import into your environment.

http://sdrv.ms/10Zi0b8

-easy

Java as an Application in SCCM 2012

The new application model in SCCM 2012 quickly became one of my favorite features, and has remained so across every deployment I work on. With its comparatively advanced deployment and detection methods, it is extremely useful for applications of all sorts, even those that require frequent updates.
In SCCM 2007, every time a new version of Java or Adobe Reader came out, you’d have to create a new package and advertisement, and then turn around and update all of your task sequences. This was at best tedious. Sure, there are tools like SCUG that can help with this, but they are not always available to all organizations, and they had their own problems and limitations.
By making use of the new application model, administrators can much more easily keep up on these updates.

Source Files:

Begin by downloading the bits:  http://java.com/en/download/manual.jsp

The 64-bit version is for 64-bit browsers. So you’ll probably still need the 32-bit version for 64-bit Windows.

Get the MSI:

Launch the executable. Once the splash screen appears, the files will have been extracted. For the 32-bit version, navigate to

%appdata%\..\LocalLow\Sun\Java\jre1.7.0_17

and for the 64-bit version to

%appdata%\..\LocalLow\Sun\Java\jre1.7.0_17_x64

Copy the files to your source location for SCCM packages.

Make the transform:
Next, use Orca to edit any custom settings you need. Some of the most common ones can be found under the Property table. In this example, I’ve changed AUTOUPDATECHECK, JAVAUPDATE, and JU all to 0 to prevent any kind of updating. I’ll also change IEEXPLORER and MOZILLA to 1 to enable Java in browsers.

You may have other changes to make, such as a custom install location; all of those kinds of changes can be made into a transform with Orca.  Once finished, I then save the custom transform in the application source directory and create it in SCCM.


Deployment Type:

Be sure to edit the installation method to include your new custom transform file:

msiexec /i "jre1.7.0_17.msi" TRANSFORMS=custom.mst /q

Now, you can set this application to supersede the previous version of Java you are using.  Or, if this is the first version of Java you’re placing into SCCM, then you can use this method to keep your Java clients up to date.  When a new version comes out, build it this way and have it supersede the old version.  You’re now on your way to automating that much more of your environment.

You may also want to look into removing old versions of Java if you’re trying to get old versions out of your environment.

-easy

Setting up a SPN for SQL

Kerberos authentication uses an identifier called the “Service Principal Name” or SPN.  Basically, the SPN acts as a domain or forest unique identifier of some instance in a server resource.  There can be an SPN for a web service, for an SQL service, or for an SMTP service.  There can also be multiple web service instances on the same physical computer, each with a unique SPN.

This becomes abundantly clear at almost every client I install SCCM for.  Most DBAs seem to stick with the well-established best practice of running the SQL services under separate domain accounts, and rightly so.  And most companies seem to want to grant service accounts the least privileges needed: another best practice indeed.  As a result, the SPN can fail to be created for the SQL instance for ConfigMan:


Why does this happen?  By default, if you run the SQL Server service under the LocalSystem account, the SPN is automatically registered and Kerberos authentication interacts successfully with the computer that is running SQL Server.  However, if you run the SQL Server service under a domain account or under a local account, the attempt to create the SPN can often fail because the domain or local accounts do not have the rights to set their own SPNs.  When the SPN creation is not successful, it can prevent you from using Kerberos authentication when connecting to the SQL Server instance.  If the SQL Server service account were a domain administrator account, the SPN would be created successfully, because the domain administrator-level credentials that you must have to create an SPN are present.

Most people will opt not to use a domain administrator account to run the SQL Server service and therefore, you must manually create an SPN for your computer that is running SQL Server if you want to use Kerberos authentication when you connect to it.  The SPN you create must be assigned to the service account of the SQL Server service on that particular computer.  The SPN cannot be assigned to the computer container unless the computer that is running SQL Server starts with the local system account.  There must be one and only one SPN, and it must be assigned to the appropriate container.  Typically, this is the current SQL Server service account.

To configure the SQL Server service to create SPNs dynamically, follow these steps:
1. Click Start, click Run, type Adsiedit.msc, and then click OK.

2. In the ADSI Edit snap-in, expand Domain [DomainName], expand DC= RootDomainName, expand CN=Users, right-click CN= AccountName, and then click Properties.

3. In the CN= AccountName Properties dialog box, click the Security tab.

4. On the Security tab, click Advanced.

5. In the Advanced Security Settings dialog box, make sure that SELF is listed under Permission entries. If SELF is not listed, click Add, and then add SELF.

6. Under Permission entries, click SELF, and then click Edit. 

7. In the Permission Entry dialog box, click the Properties tab.

8. On the Properties tab, click This object only in the Apply onto list, and then make sure that the check boxes for the following permissions are selected under Permissions:
Read servicePrincipalName
Write servicePrincipalName

9. Click OK three times, and then exit the ADSI Edit snap-in.

To Create an SPN from the command line:

1. Open a Command Prompt or PowerShell from an account with Domain Admin privileges

2. Type 

 setspn -A MSSQLSvc/server:instance domain\account 


3. After the command completes, type 

  setspn -Q MSSQLSvc/server:instance 

to verify the SPN is successfully created and present.
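
The "one and only one SPN, assigned to the service account" rule can be checked directly against Active Directory. This is an added example, not from the original post: it reports whether each MSSQLSvc SPN is missing, held by the wrong account, or registered more than once. The function names, host, port, instance and account are placeholders, and it assumes the ActiveDirectory module (RSAT) and a single-domain forest.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT). Function names and all sample values are placeholders.
Import-Module ActiveDirectory

function Get-SpnHolder {
    param([Parameter(Mandatory = $true)][string]$Spn)

    # Escape LDAP filter metacharacters so the SPN is matched literally.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    # Assumption: single-domain forest. In a multi-domain forest, point
    # -Server at a global catalog so every domain is searched.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties sAMAccountName
}

function Test-SqlSpn {
    param(
        [Parameter(Mandatory = $true)][string]$Spn,
        [Parameter(Mandatory = $true)][string]$ServiceAccount   # sAMAccountName
    )

    $holders = @(Get-SpnHolder -Spn $Spn)
    $state = if     ($holders.Count -eq 0)                             { 'Missing' }
             elseif ($holders.Count -gt 1)                             { 'Duplicate' }
             elseif ($holders[0].sAMAccountName -ne $ServiceAccount)   { 'WrongAccount' }
             else                                                      { 'OK' }

    [pscustomobject]@{
        Spn     = $Spn
        State   = $state
        Holders = ($holders | ForEach-Object { $_.sAMAccountName }) -join ', '
    }
}

# Constructed sample values: replace with your SQL host, port/instance and account.
$serviceAccount = 'svc-sql'
$spns = 'MSSQLSvc/sql01.corp.example:1433',
        'MSSQLSvc/sql01.corp.example:CONFIGMGR'

$results = foreach ($spn in $spns) {
    Test-SqlSpn -Spn $spn -ServiceAccount $serviceAccount
}
$results | Format-Table -AutoSize

foreach ($r in $results | Where-Object { $_.State -ne 'OK' }) {
    switch ($r.State) {
        # setspn -S checks for an existing registration before adding the SPN.
        'Missing'      { Write-Warning "$($r.Spn) is not registered; add it with: setspn -S $($r.Spn) <domain>\$serviceAccount" }
        'WrongAccount' { Write-Warning "$($r.Spn) is held by $($r.Holders), not $serviceAccount; Kerberos to this instance will fail." }
        'Duplicate'    { Write-Warning "$($r.Spn) is registered on several accounts ($($r.Holders)); remove all but the service account." }
    }
}
```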


Word.