AD Integration and DCs

Why Domain Controllers cannot be used with AD Integration (the agent-side SCP discovery is what makes this unsafe on a DC).

A good explanation from Marc Reyhner (Microsoft developer):

“To control which agents go into what management groups we set an ACL on the object in AD representing the management group. Computers which should have access to the management group are granted read permissions to the SCP (service connection point) object for the management group. When an agent with AD integration is turned on, it looks for all the SCPs it has read access to and learns what AD integrated management groups it should be a member of from this. This happens as part of the Health Service, which is running as local system. On a domain controller, local system has access to pretty much everything in AD, so it can read the SCP for every management group whether or not you really wanted that DC to be in that management group. The consequence of having AD integration turned on for an agent on a domain controller, then, is that it tries to join every AD integrated management group. Since this isn’t desirable behavior, we disable AD integration on domain controllers.”
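The mechanism described above can be inspected directly. The script below is an added example, not code from the quoted post or from Microsoft: it enumerates the serviceConnectionPoint objects that AD-integrated agents discover and lists which principals hold an Allow read ACE on each one, which is the same decision the Health Service makes when it decides which management groups to join. It assumes the default container name CN=OperationsManager under the domain root and that each SCP sits inside a container named after its management group; both are assumptions and may differ in an environment that customized the AD integration setup. It requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the quoted post): list the SCOM AD-integration SCPs
# and the principals granted read on each. Run from a domain-joined host with
# the ActiveDirectory module installed.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$searchBase = "CN=OperationsManager,$domainDN"   # assumption: default container name

# Any of these rights lets a caller read the SCP object.
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ListObject

function Get-ScomScpReaders {
    param(
        [string]$SearchBase = $searchBase
    )

    $scps = Get-ADObject -LDAPFilter '(objectClass=serviceConnectionPoint)' `
                         -SearchBase $SearchBase -SearchScope Subtree `
                         -Properties serviceBindingInformation, keywords

    foreach ($scp in $scps) {
        # Assumption: the SCP's parent container is named after the management group,
        # e.g. CN=HealthServiceSCP,CN=<MGName>,CN=OperationsManager,DC=...
        $rdns        = $scp.DistinguishedName -split ',(?=CN=)'
        $mgContainer = if ($rdns.Count -gt 1) { $rdns[1] -replace '^CN=', '' } else { '(unknown)' }

        # Only explicit and inherited Allow ACEs that carry a read right are counted here;
        # Deny ACEs and group nesting are not evaluated.
        $acl     = Get-Acl -Path ("AD:\" + $scp.DistinguishedName)
        $readers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.ActiveDirectoryRights -band $readRights) -ne 0 } |
            Select-Object -ExpandProperty IdentityReference -Unique

        [pscustomobject]@{
            ManagementGroup = $mgContainer
            SCP             = $scp.Name
            BindingInfo     = ($scp.serviceBindingInformation -join '; ')
            Readers         = ($readers | ForEach-Object { $_.Value }) -join ', '
        }
    }
}

Get-ScomScpReaders | Format-Table -AutoSize
```

The Readers column is what restricts a member server's agent to the intended management group: its computer account (usually through a group) appears only on that group's SCP. The listing does not model a domain controller, because on a DC the Health Service runs as LocalSystem, which reads every one of these objects regardless of the per-SCP ACEs; that is exactly why every SCP would be discovered there. To check a specific member server, expand its group memberships (for example with Get-ADPrincipalGroupMembership) and compare them against each Readers value.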
