I am attempting to create the scripted install for the secondary sites for our SCCM deployment am having a issue setting the SMS_SiteSystemToSiteServerConnection_XXX group to a single group. This environment has more the 1024 secondary sites (and all domain controllers) and means that I will experience authentication issue due to size limit of the access token. See here for more info http://support.microsoft.com/kb/328889/en-us and http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability%28WS.10%29.aspx#BKMK_Groups This was a issue we encountered in with SMS2003 as well but where able to use the site System group option in the scripted ini file to use a single group rather then creating one for each site. [SiteSystemGroup] Name=SMS_MYGROUP Is there a way to set this for the sccm install or will I have to change the registry entry after the install and cleanup the groups? Thanks Jon Warnken

I don't fully understand your question and I assume others do not either since it's been out here 4 hours with no replies. When you install SCCM on a domain controller the groups that would normally be created as local groups are instead created as domain local groups. This much I get. What is it that you are trying to script? I tried to hit the article you mentioned but I got page not found error. Now that I have given the "I'm trying to help" reply can I also mention how much I disagree with having over 1000 secondary sites and how much worse it is that they are all located on domain controllers? I'd advise you to A.) Do not share your server, especially with domain controllers B.) Move to Windows 7 clients and use branch cache or C.) Invest in OneSite from Adaptiva or Nomad from 1E. In an extremely small environment with very little resources I can see someone trying to scrape by and install SCCM on a DC but not on 1000 of them. That's simply poor security practices. John Marcum | http://myitforum.com/cs2/blogs/jmarcum |

A night of sleep may have caused an moment of clarity. In SMS2K3 we used domain accounts for all of the access (Senders, Service, etc). This caused all of the parent sites for the secondary sites to use the same accounts. With SCCM we will be using the computer accounts for the site communicates and for performance reasons are limiting each parent site to ~300 secondary sites. That would only cause each parent site's computer account to be added to about 600 groups. (SiteSytemTo SiteServer and SiteToSite) That leaves plenty of room for all of the other access groups. While this would still be a concern if we reduce the number of parent sites or increase the number of secondary sites on each it is not a pressing issue for the deployment. John, Thanks for your response. See even a "I am trying to help but do not understand the question" response has some value. At least it did for me because I was forced to rethink through the issue.

I'm glad you figured it out cause I am still confused. Maybe I wouldn't be had I been able to get to your link. I am assuming there's a technical limitation that's preventing you from simply placing all 1024+ servers into a single AD group? That's usually what I do but I've never had that many servers. John Marcum | http://myitforum.com/cs2/blogs/jmarcum |