Multiple AGPM servers in a single domain

    Question

  • I had a question around adding multiple AGPM servers into a single domain. I understand that in the AGPM deployment documentation it says:


    Note   Ensure that each domain is served by only one AGPM Server. Do not let multiple AGPM Servers serve the same domain.

    But what is the actual negative effect of having multiple AGPM servers in a single domain? I assume it is to do with someone attempting to take control of the same GPO from multiple servers? If this is the case, and you run AGPM with least privilege access and they can only control the GPO's you give the service access to, is this still an issue? Or are there other factors which need to be considered?

    Tuesday, January 24, 2017 4:57 AM

All replies

  • Hi,
    I think that you are right and the ownership of the GPO may be the main limitation.
    However, according to Gunter's reply in a similar thread, it seems to work if you use a different AGPM service account for each server; please see the details at:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/24f33fc6-d496-457f-a4d3-f697f9b8e085/agpm-in-a-delegated-environment?forum=winserverGP
    But please make sure to test first before deploying into a production environment, and Microsoft suggests keeping only one AGPM server in a domain.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, January 24, 2017 8:27 AM
    Moderator
  • Yeah, I'm running 3 at the moment without any problems. Each AGPM server has its own service account. Each service account has its own SPN for its respective AGPM server:

    AgpmServer/<server FQDN>/<domain FQDN>

    I haven't seen any problems, so I can only assume it's to do with people stepping on each other's toes accidentally.


    Tuesday, January 24, 2017 10:58 AM
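The SPN layout described in the post above is something you can audit rather than take on trust. The following PowerShell is an added example (not code from the thread or from AGPM itself): it lists every account in the domain that carries an AgpmServer SPN, splits each SPN using the shape the poster gives (AgpmServer/<server FQDN>/<domain FQDN>), warns when one domain suffix has more than one AGPM server registered, and warns when the same SPN sits on more than one account. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read AD; the function name Get-AgpmServerRegistration is this example's own.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory module (RSAT).
# SPN shape follows the post above: AgpmServer/<server FQDN>/<domain FQDN>.
Import-Module ActiveDirectory

function Get-AgpmServerRegistration {
    param(
        [string]$Server   # optional: DC or domain to query; default is the current domain
    )
    $query = @{
        LDAPFilter = '(servicePrincipalName=AgpmServer/*)'
        Properties = 'servicePrincipalName', 'objectClass'
    }
    if ($Server) { $query['Server'] = $Server }

    Get-ADObject @query | ForEach-Object {
        $account = $_
        $account.servicePrincipalName |
            Where-Object { $_ -like 'AgpmServer/*' } |
            ForEach-Object {
                $parts  = $_ -split '/'
                $suffix = if ($parts.Count -gt 2) { $parts[2] } else { '' }
                [pscustomobject]@{
                    ServiceAccount = $account.Name
                    ObjectClass    = $account.objectClass
                    AgpmServer     = $parts[1]
                    DomainSuffix   = $suffix
                    SPN            = $_
                }
            }
    }
}

$registrations = Get-AgpmServerRegistration
$registrations | Format-Table -AutoSize

# More than one distinct AGPM server per domain suffix contradicts the deployment note.
$registrations | Group-Object DomainSuffix | ForEach-Object {
    $servers = @($_.Group.AgpmServer | Sort-Object -Unique)
    if ($servers.Count -gt 1) {
        Write-Warning ("Domain '{0}' has {1} AGPM servers registered: {2}" -f `
            $_.Name, $servers.Count, ($servers -join ', '))
    }
}

# The same SPN on two accounts breaks Kerberos authentication to that AGPM server
# regardless of how many servers you run, so check for that too.
$registrations | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("SPN '{0}' is registered on more than one account: {1}" -f `
        $_.Name, ($_.Group.ServiceAccount -join ', '))
}
```

Without the AD module, `setspn -Q AgpmServer/*` lists the same registrations and `setspn -X` reports duplicate SPNs forest-wide, but neither groups the results per domain for you.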
  • On 24.01.2017 at 05:57, Sir Digby Chicken Caeser wrote:
    > I had a question around adding multiple AGPM servers into a single
    > domain.
     
    Give me one good reason why I should have more than one.
    Technically it makes completely NO sense at all.
     
    You want a test system to play around with? Use a VM and a test domain.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    • Proposed as answer by Todd Heron Saturday, January 28, 2017 12:36 PM
    Tuesday, January 24, 2017 6:36 PM
  • On 24.01.2017 at 05:57, Sir Digby Chicken Caeser wrote:
    > I had a question around adding multiple AGPM servers into a single
    > domain.
     
    Give me one good reason why I should have more than one.
    Technically it makes completely NO sense at all.

    Well, what if I have different approvers for different GPOs? E.g. separating workstation GPO responsibility from server GPO responsibility.

    If I understand it correctly, I can only have one approver role per domain.

    Sunday, February 12, 2017 9:37 PM
  • On 12.02.2017 at 22:37, HorstIT wrote:
    > Well, what if I have different approvers for different GPOs? E.g. separating
    > workstation GPO responsibility from server GPO responsibility.
    > If I understand it correctly, I can only have one approver role per domain.
     
    For years I have thought that GPOs are completely misunderstood in terms of
    control and responsibility.
     
    Sample: You need a software package, customized with a lot of settings.
    Do you have separate software development and packaging divisions for clients,
    servers, sites? No, you have /one/ software division for all packages.
     
    GPOs are completely the same. Why should everyone edit GPOs just because
    they can click on them? Do they create their own MSI? No, they do not. Even
    though creating an MSI is really simple, they do not.
     
    GPOs should be maintained by a "GPO team", which should be part of
    software packaging. The server guys need a setting? They fill out a
    form to request it, and then someone builds it. The responsibility is
    still with the server guy, but he does not need to care how the setting
    is deployed. Probably the setting already exists; why create it a second
    time, probably with the second-best technique?
     
    If you use AGPM, you want to centralize GPOs with versioning, history,
    control etc. If you do so, do it right. It does not need more than 5
    persons to rule GPOs in a company with 100,000 clients.
    Having 50+ editors is the reason why you want AGPM to control
    your zoo ...
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Privacy and Telemetry on Windows 10 - gp-pack PaT
     
    Monday, February 13, 2017 9:21 AM
  • From a technical perspective I agree, but in an enterprise with 100,000+ workstations there are often politics, different skills and business regulations.

    We have a separation of software deployment between workstations and servers.

    For GPOs we need at least a separation between policy implementation in Europe and the US to fulfil regulatory requirements.

    As stated, from a technical perspective I agree.

    -------------------------------------------------------------------

    Ok.... updated, my information was wrong. You can separate the roles for each GPO.

    My "expert" seems to be no expert; I checked it by installing AGPM in parallel and now I agree, there is no need for a 2nd AGPM.

    Thanks for kicking me to approve!



    • Edited by HorstIT Monday, February 13, 2017 3:29 PM
    Monday, February 13, 2017 9:45 AM