Re: SMS 2003 must use domain admin. to install?
From: Cathy Moya [MS] (camoya_at_online.microsoft.com)
Date: 10/30/04
- Next message: Cathy Moya [MS]: "Re: Unsucessfull 2nd installation of SMS 2003"
- Previous message: Cathy Moya [MS]: "Re: Windows XP SP2"
- In reply to: Raymond: "Re: SMS 2003 must use domain admin. to install?"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 29 Oct 2004 17:24:10 -0700
You do NOT need to add the MEMBER_SERVER$ to the local admin group on the
DC.
Just grant MEMBER_SERVER$ full control to the System Management container
*and all child objects*. That really should do it.
--
Cathy Moya, MCSE: Security, MCT
Technical Writer, Enterprise Management Content Group
Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.

"Raymond" <skytow@gmail.com> wrote in message
news:4182013E.463CC00@gmail.com...
> >You need to grant AD permissions to the machine account of the site
> >server.
>>>You need to add the MEMBER_SERVER$ to the local admin group on the DC.
> It seems to me too much privilege is given! It is a must to do this, can I
> give lesser privilege to MEMBER_SERVER$?
> We want to give minimum privilege to SMS without affecting its operation.
> Thanks.
>
> "Jeff Harbaugh [MSFT]" wrote:
>
>> You need to add the MEMBER_SERVER$ to the local admin group on the DC. If
>> you want to publish in AD you have to give the same account full control
>> rights to the system container. Also go to the microsoft.com/sms site to
>> download extending the AD Schema.
>> --
>> Thanks,
>> Jeff Harbaugh [MSFT]
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Raymond" <skytow@gmail.com> wrote in message
>> news:fdfbcccc.0410272032.13e63046@posting.google.com...
>> > Sorry, I am not familiar with AD.
>> >
>> > I want to install SMS2003 (including MP) in a member_server with
>> > advanced security using the local administrator account, please advise
>> > which group I should add the MEMBER_SERVER$ computer account to.
>> >
>> > MEMBER_SERVER$ --> "Domain Users"?
>> > MEMBER_SERVER$ --> "MEMBER_SERVER\Administrators"?
>> >
>> >
>> > "Kerwin Medina [MSFT]" <kerwinm@online.microsoft.com> wrote in message
>> > news:<u1eNEtFvEHA.4020@TK2MSFTNGP10.phx.gbl>...
>> >> You need to grant AD permissions to the machine account of the site
>> >> server.
>> >> You need to do the same thing when installing MPs - make the machine
>> >> account of the site a member of the admins group of the MP machine.
>> >>
>> >> "Raymond" <skytow@gmail.com> wrote in message
>> >> news:fdfbcccc.0410270148.3e7f7758@posting.google.com...
>> >> > I try to install SMS2003 using advanced security, but I found that I
>> >> > am forced to use domain admin. account to do installation?!
>> >> >
>> >> > Environment:
>> >> > domain_controller.domain.com (2003EE, DC w/ AD)
>> >> > member_server.domain.com (2003SE member server)
>> >> >
>> >> > I am installing SMS2003 in the member server.
>> >> >
>> >> > Install SMS2003 using local admin. account:
>> >> > ===========================================
>> >> > It can complete successfully. But two problems:
>> >> > 1. The "SMS Active Directory Schema" page does not appear during the
>> >> > installation, so I can't extend the active directory schema during
>> >> > the installation
>> >> > 2. When configuring the discovery using active directory:
>> >> > 2.1 If I "Browse" for "Local Domain", it gives a blank list! (I expect
>> >> > the local domain shown for me to select)
>> >> > 2.2 If I "Browse" for "Local forest", it shows the error "SMS cannot
>> >> > connect to the Active Directory container you specified. Container:"
>> >> >
>> >> > P.S. I tried the following, but it seems not helpful
>> >> > 1. Run EXTADSCH.EXE to extend the AD schema
>> >> > 2. Add the computer account of member server to "Domain Users"
>> >> > group
>> >> > 3. member_server$ is given full control on "System Management"
>> >> > container and apply to all child objects.
>> >> >
>> >> > Install SMS2003 using domain admin. account:
>> >> > ============================================
>> >> > Everything seems working fine, except we find some 5203, 5303, 5503
>> >> > warnings from the active directory discovery.
>> >> >
>> >> >
>> >> > We prefer to install SMS2003 in member server with the local admin
>> >> > account using advanced security. I think this should be the best
>> >> > practice. But it seems that we are missing something out, anyone can
>> >> > help?
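
An added example, not part of the original posts: a PowerShell audit of the delegation described in the reply at the top of this message, checking that the site server's computer account holds an Allow full-control ACE on the System Management container that applies to the container and all child objects. The distinguished name `DC=domain,DC=com` and the NetBIOS domain name `DOMAIN` are assumptions derived from the thread's `domain.com`.

```powershell
# Added example (not from the thread). DC=domain,DC=com and the NetBIOS
# name DOMAIN are assumed placeholders based on the thread's domain.com.
param(
    [string]$DomainDn = 'DC=domain,DC=com',
    [string]$Account  = 'DOMAIN\MEMBER_SERVER$'
)

$full = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$all  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

# True when the ACE is an Allow of full control that applies to the
# container itself and to all child objects.
function Test-FullControlAce($Ace) {
    ($Ace.AccessControlType -eq 'Allow') -and
    (([int]$Ace.ActiveDirectoryRights -band $full) -eq $full) -and
    ($Ace.InheritanceType -eq $all)
}

$dn = "CN=System Management,CN=System,$DomainDn"
try {
    # The bind is lazy: a missing container or denied read fails here.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    $aces  = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
} catch {
    Write-Output "Cannot read ACL on $dn : $($_.Exception.Message)"
    return
}

# List every ACE held by the account so a container-only grant is visible.
$mine = @($aces | Where-Object { $_.IdentityReference.Value -eq $Account })
foreach ($ace in $mine) {
    '{0} {1} applies-to={2} inherited={3}' -f $ace.AccessControlType,
        $ace.ActiveDirectoryRights, $ace.InheritanceType, $ace.IsInherited
}

if (@($mine | Where-Object { Test-FullControlAce $_ }).Count -gt 0) {
    "OK: $Account has full control on the container and all child objects"
} else {
    "MISSING: no inheriting full-control ACE for $Account on $dn"
    # One way to grant it (dsacls; /I:T = this object and child objects):
    #   dsacls "<container DN>" /G "DOMAIN\MEMBER_SERVER$:GA" /I:T
}
```

An ACE reported with `applies-to=None` covers only the container object, not the objects SMS creates beneath it.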