Re: SMS 2003 - adding Secondary site... driving me -mental- :-/



Domain controllers DO have local groups, they just work a little differently
on DCs than they do on member servers and workstations. Administrators is a
local group, but it is "local" to all domain controllers. Yes, this opens up
the security a bit. That's why in a high security environment we don't
recommend installing site servers (primary or secondary) on domain
controllers. But if you have to do it, you have to accept the risks for SMS
accounts that require admin rights.

For security procedures, see Appendix E: SMS Security Procedures in
Scenarios and Procedures for Microsoft Systems Management Server 2003:
Security
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/security/spsecsms03/spsec_10.mspx
There is a section of procedures for SMS Account Management near the end.
You want the procedure: Adding Computer Accounts to Groups.

We tried breaking the Concepts, Planning and Deployment Guide (CPDG) into
something that is more procedural. We've had mixed reaction so far. We're
trying some different approaches in the next version. If you have feedback,
please write to us at smsdocs@xxxxxxxxxxxxxxx We welcome your feedback!

--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Windows Enterprise Management Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.

"John Noble" <john.exists@xxxxxxxxx> wrote in message
news:1116669083.877889.118390@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Kim, Sylvain,
>
> I'm running 2003 SP1 on both machines, yes. The machine I'm trying to
> connect to is a DC - no, I haven't added the computer account of the
> Primary server to any groups. As it's a DC, and therefore has no local
> groups, where do I need to add permissions?
>
> Is it just me, or is the Microsoft document (the 700 page deployment
> guide) very heavy on ideas and theories and very light on actually "do
> this, click this, add this"? It doesn't seem all that useful to the
> poor techie having to do the work. :-/
>
> My "browsing" account is a domain admin account.
>

