How to add primary site computer acc in local administrator user group in domain controller server
I am currently setting up my own SCCM 2012 lab environment. I have managed to get the SCCM primary site server and domain controller server that host AD, DHCP and DNS up and running and now I want to set up the DP role on the domain controller server.
I know that a domain controller server doesn't have the local users and groups function. My question is how can I add the primary site computer account in the local administrators group in the DC server before I can proceed to add the DP role in my domain controller server?
August 17th, 2015 10:09am
Add the account to the Domain Administrators group (which is the "equivalent").
August 17th, 2015 10:52am
ConfigMgr is already running as local system on that system and does not need anything additional to install additional site roles; however, I would strongly advise you to remove ConfigMgr from your DC. Even if this is a lab, you should still try to do things similar to how they are done in the real world and in the real world installing ConfigMgr or any roles on a DC adds complexity, weakens security, and is highly discouraged. Installing anything on a DC is highly discouraged. Set up a second virtual machine and install it there.
August 17th, 2015 10:53am
But if you still want to add a DP on the domain controller, then better add the account to the Builtin\Administrators group; it has fewer privileges than Domain Admins.
August 17th, 2015 12:37pm
But if you still want to add a DP on the domain controller, then better add the account to the Builtin\Administrators group; it has fewer privileges than Domain Admins.
As mentioned though, there's no need to as in this case, the site server is already running as local System and so can do anything that it wants to to the DC.
August 17th, 2015 12:39pm
Why do you think ConfigMgr is running on the DC? It is not mentioned that there is a ConfigMgr client on the DC.
August 17th, 2015 1:28pm
Your case
https://social.technet.microsoft.com/Forums/en-US/1a07fd37-94e4-4085-b3f6-610c7dd53896/sccm-2012-distribution-points-on-domain-controllers?forum=configmanagerdeployment
If you are using the DC as a Distribution point to install clients via Client Push, the "NT Authority\Authenticated Users" group must be added to the local group "Users" to the DC/DP.
Clients are still able to get installed manually, but Client Push fails.
Failed to correctly receive a WEBDAV HTTP request.. (StatusCode at WinHttpQueryHeaders: 401)
Run elevated command prompt (net localgroup users "Authenticated Users" /add)
Test Client Push - Should be successful.
Reason: By default the local groups NT Authority\Interactive Users and NT Authority\Authenticated Users are removed from the Domain Controller. Clients that are using the DP for content cannot authenticate using the computer account.
August 17th, 2015 1:44pm
It just reads that way to me. I could be wrong though -- being specific and giving details when asking questions helps folks answer them.
August 17th, 2015 3:17pm
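A read-only audit for the choice debated in this thread, added here as an example and not posted by any participant: it lists computer accounts (such as a site server's) that hold membership in Builtin\Administrators or Domain Admins. It assumes the ActiveDirectory PowerShell module (RSAT), a domain-joined session with read access, and a single-domain lab like the one described.

```powershell
# Added example: requires the ActiveDirectory module and a live domain to query.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Use well-known SIDs so the check does not depend on renamed or localized group names.
$groups = [ordered]@{
    'Builtin\Administrators' = 'S-1-5-32-544'
    'Domain Admins'          = "$($domain.DomainSID.Value)-512"
}

$findings = foreach ($entry in $groups.GetEnumerator()) {
    # -Recursive expands nested groups and returns only leaf members.
    # Domain Admins is nested in Builtin\Administrators, so a computer account
    # in Domain Admins is reported under both groups.
    Get-ADGroupMember -Identity $entry.Value -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            [pscustomobject]@{
                Group             = $entry.Key
                ComputerAccount   = $_.SamAccountName
                DistinguishedName = $_.distinguishedName
            }
        }
}

if ($findings) {
    $findings | Sort-Object Group, ComputerAccount | Format-Table -AutoSize
} else {
    Write-Output 'No computer accounts found in Builtin\Administrators or Domain Admins.'
}
```

Any computer account in the output has administrative control over the domain controllers, so each entry should map to a documented need.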