Distribution Point Questions

  • Question


    I have several remote sites where I need to set up an SCCM distribution point for client updates, software deployment, etc. This is a single forest, single domain environment.

     

    Unfortunately, one of the issues here is that the server group and the workstation group are managed separately, and they require their own separate SCCM environments. (This situation is not going to change.)  I can get around this by placing SCCM servers in the larger remote offices (with the workstation group owning the servers) but in the smaller sites (can vary from 30-60 clients), I can't justify a new server. There are DCs in most of these sites. The server group will allow us to put a DP or server share on these DCs, but obviously we can't use a BDP since we can't install a client for our SCCM hierarchy.

     

    My question is this. Is it, or is it not a best practice to avoid putting a DP/Server share on a DC, or does that just apply to the Primary/Secondary role?

     

    I know that we have to add the site server computer account to the Administrators group for the DP role to be installed correctly, but is this a requirement for a server share?

     

    Also, is adding the site server computer account to the Administrators group just necessary during setup of the DP/Server share or is it required for ongoing operations, i.e. can we add the account during install, then remove it afterwards.

     

    The documentation wasn't clear on these questions.

    Monday, November 26, 2007 9:59 PM

All replies

  • There's nothing wrong with installing a site server, or site system role, on a domain controller. It happens all the time. It's just that the security team may not want you to install additional services on a DC, especially if they require IIS, like some SMS/Configuration Manager roles require.

     

    So yes, you can install a distribution point on a domain controller. However we do require that we have an admin account to access all remote site systems, including a distribution point. And you have to maintain it, you can't remove it after installation. Especially in the case of a DP, as we check drive space for each package you assign to the DP, and require admin rights to do so.

     

    Monday, November 26, 2007 11:29 PM
  • OK,

     

    Here's an off-the-wall question: Since the Branch Distribution Point requires the presence of an SCCM client before it can be installed, does it care whether the client reports to a different SCCM hierarchy than the BDP? In other words, the server group will own the SCCM client, and the workstation group will own the BDP. Is this possible?

     

    Tuesday, November 27, 2007 5:02 PM
  • All other site system roles support the client on the site system being assigned to a different site than the site system is a member of, so I'd expect that to be fine for branch distribution points as well to be assigned to a different site than it is a site system for.

     

    You'd just need to ensure that the client on the branch DP would get the policy that says the content is to be hosted locally. If the client is in an entirely different hierarchy, then it wouldn't get the policy to tell it that it is to host the content, as the policy would be in a different hierarchy than the client would pull policies from. So, the more I think about it, I don't know that this would work how you want it to. If the two sites were in the same hierarchy, then I think it would work, but not different hierarchies.

     

    Tuesday, November 27, 2007 6:56 PM
  • I want to use a DC as a Distribution point share using computer$ account credentials... I've created the share and given the access, but still cannot via SCCM DP creation or package push.

    Since a DC has no "local admin" accounts, how do I give the site server computer$ account admin access to the DC and/or what should the permission on the DC\smsShare look like??

    Thanks.
    Steve
    Friday, October 30, 2009 3:45 AM
  • Hi,
    We are in the same situation where 2 branch domain controllers are to be used as PXE Point and distribution point.
    Even if our site server computer object are in the Domain Admins group, we still get the error:

    SMS Site Component Manager could not access site system "Server name". The operating system reported error 2147942405: Access is denied.

    Did you solve this issue?

    Thanks

    Monday, February 8, 2010 2:29 PM
  • You have to reboot a computer after you added it to an AD group. Have you done that?
    Monday, February 8, 2010 2:37 PM
  • arh. I only rebooted the remote domain controllers.
    After I restarted the site server, the roles were installed correctly.

    Thanks for the fast answer :)
    Monday, February 8, 2010 3:54 PM
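
The thread ends with site server computer accounts holding standing admin rights on domain controllers, and with a reboot needed before a new group membership takes effect. The following is an added example, not code from any poster or from Microsoft: it lists the computer accounts in the privileged groups and flags a site server that has not rebooted since the group last changed. `SCCM01` is a hypothetical site server name, the group names are the English-language defaults, and it assumes the ActiveDirectory (RSAT) module plus remote CIM access to the site server.

```powershell
# Added example: audit computer accounts with admin rights on domain controllers
# and check whether the site server has rebooted since its group was modified.
Import-Module ActiveDirectory

$SiteServer = 'SCCM01'                        # hypothetical, replace with your site server
$Groups     = 'Administrators', 'Domain Admins'

# 1. Every computer account that is a direct or nested member of a privileged group.
#    On a DC, "Administrators" is the domain's Builtin\Administrators group.
$findings = foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            [pscustomobject]@{
                Group          = $g
                SamAccountName = $_.SamAccountName
                DN             = $_.distinguishedName
            }
        }
}
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Is the site server among them?
$mine = $findings | Where-Object { $_.SamAccountName -eq "$SiteServer`$" }
if (-not $mine) {
    Write-Warning "$SiteServer`$ is in none of: $($Groups -join ', ')"
    return
}

# 3. Heuristic: if a group changed after the site server's last boot, the machine's
#    logon token may predate the membership change (the "Access is denied" case above).
#    whenChanged moves on any attribute change, so this errs on the side of warning.
$boot = (Get-CimInstance Win32_OperatingSystem -ComputerName $SiteServer).LastBootUpTime
foreach ($m in $mine) {
    $changed = (Get-ADGroup -Identity $m.Group -Properties whenChanged).whenChanged
    if ($changed -gt $boot) {
        Write-Warning "$($m.Group) changed $changed, after last boot $boot; restart $SiteServer."
    } else {
        Write-Output "$($m.Group): membership predates last boot ($boot)."
    }
}
```

Any computer account this reports in `Domain Admins` has far more than the admin access to the distribution point that the thread says is required, so the output doubles as a list of memberships to review.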