Installing SCCM Client on Domain Controllers

  • Question

  • Can anyone provide me with some input as to whether this is a good idea or not? We have 2, 2k3 domain controllers in our environment and ran into issues tonight. We don't know for certain if our problem was caused by the config manager client or not, but it was the only real major change except for our monthly patching that we did. Our problem was that our domain controllers locked up, and it appears to have happened when we did site discoveries from other servers with the client also installed. If we look in the event logs on the DCs we see issues with DNS corruption and registry issues, without being too specific. Moral of the story is we removed the client from the DCs and haven't had the issue again (knock on wood). Does this sound plausible at all?

    Thanks for any help, Andrew
    Friday, March 13, 2009 3:11 AM

Answers

  • Hi,

    I have deployed several clients to domain controllers and haven't had any issues. In my opinion, things like DNS corruption and registry errors are not something the SCCM client could cause.

    You mentioned that some patches have also been deployed. A patch can have a huge impact, and it's more likely that a wrong patch is the cause of the issues you mentioned.
    Please mark posts as Answered if appropriate.
    Friday, March 13, 2009 8:09 AM
  • I can also confirm that having the ConfigMgr client installed on DCs does not cause problems.
    Friday, March 13, 2009 10:17 AM
  • The client is definitely supported on domain controllers. The issues you're seeing are very likely not related to the client being on there.
    Friday, March 13, 2009 10:15 PM

All replies

  • Check the patches you installed and go through the KB articles, which will help you. This is not because of the CCM client.

    sanka
    Friday, March 13, 2009 6:09 PM
  • Is there any special configuration required when installing the SCCM client on a domain controller?

    The reason I ask is that the SCCM client service runs as a local system account. I've been able to use the net user command to create accounts (through a package deployment) on SCCM clients. However, I noticed that when I accidentally targeted a domain controller, the account got created in the domain.

    In short, the SCCM admin was able to create domain user accounts (and could have, I think, added the account to the domain admins group).

    This seems to be a bit of a problem... is there a workaround or document on how to better secure the SCCM client on a domain controller?  Maybe change the service account?

    Wednesday, May 29, 2013 12:56 PM
  • Changing the service account is unsupported.

    This is certainly a potential risk that must be managed -- it is far from the worst thing a ConfigMgr admin can do though. There is always a certain amount of trust implied with any administrator on any system.


    Jason | http://blog.configmgrftw.com

    Wednesday, May 29, 2013 2:46 PM
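
One way to monitor the risk raised in the last two posts, as an added example that is not part of the original thread: flag account-creation and group-membership events on a domain controller whose subject is LocalSystem, the context the client service runs in. It assumes Security events exported as XML from Windows Server 2008 or later and that such changes are logged with subject SID S-1-5-18; the host, account and group names in the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # LocalSystem (assumed subject for changes made by the client service)
WATCHED = {  # Security log event IDs, Windows Server 2008 and later
    "4720": "user account created",
    "4728": "member added to global group",
    "4732": "member added to local group",
    "4756": "member added to universal group",
}

def parse_event(xml_text):
    """Flatten one exported Security event into a dict of its fields."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    rec["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    rec["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return rec

def flag_system_account_changes(events_xml):
    """Return one finding per watched event whose subject is LocalSystem."""
    findings = []
    for rec in map(parse_event, events_xml):
        if rec["EventID"] not in WATCHED or rec.get("SubjectUserSid") != SYSTEM_SID:
            continue  # unrelated event, or a change made by a named administrator
        findings.append({
            "computer": rec["Computer"],
            "action": WATCHED[rec["EventID"]],
            "subject": rec.get("SubjectUserName", ""),
            "target": rec.get("TargetUserName", ""),  # new account, or the group changed
            "member": rec.get("MemberName", ""),      # set only on group events
        })
    return findings

def _sample(event_id, **data):
    """Build a constructed event record in the exported XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>dc01.example.test</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")

SAMPLE_EVENTS = [  # constructed data, not taken from a real log
    _sample(4720, SubjectUserSid="S-1-5-18", SubjectUserName="DC01$", TargetUserName="svc-temp"),
    _sample(4728, SubjectUserSid="S-1-5-18", SubjectUserName="DC01$",
            TargetUserName="Domain Admins", MemberName="CN=svc-temp,CN=Users,DC=example,DC=test"),
    _sample(4720, SubjectUserSid="S-1-5-21-1111111111-2222222222-3333333333-1104",
            SubjectUserName="helpdesk1", TargetUserName="jdoe"),
    _sample(4624, SubjectUserSid="S-1-5-18", SubjectUserName="DC01$", TargetUserName="DC01$"),
]

if __name__ == "__main__":
    for finding in flag_system_account_changes(SAMPLE_EVENTS):
        print(finding)
```

Other services running as LocalSystem on the domain controller would match the same filter, so a finding is a prompt to check which deployment or process made the change.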