
Altiris Client install on domain controllers

Created: 01 Mar 2010 • Updated: 16 Sep 2010 | 4 comments

Hi all,

We have Altiris 6.0 in our environment and I'd like to know what points to take into consideration when installing the Altiris Client on production domain controllers and, for that matter, if this is a good practice. Do you install the client on your domain controllers? If so, have you experienced any issues? I do not install any software on production domain controllers and I am concerned about installing the client as it may introduce possible issues, security concerns, etc. For instance, who can do what on domain controllers once the client is installed? I'd appreciate it if you had any suggestions regarding this matter.

Thanks in advance

Stefano


AndyDrew's picture

Stefano

I don't foresee any issues installing the Altiris Agent on a Domain Controller, and it can be seen as a good idea with regards to completeness of your CMDB.

Your security concerns can be addressed using Role and Scope Based security from within the Altiris Console. In other words, make sure that only certain people are allowed to manage the Domain Controllers.

AS 

telegon's picture

Your post highlights one of the many challenges with deploying Server Management in an enterprise-level deployment.  Our NT team had similar concerns to yours around managing the domain controllers, and rightly so - patching could potentially reboot a server, and, if incorrectly timed, affect network availability.

If you are moving forward with DC agent deployment, ensure that those particular servers live off in an isolated secure collection.  If you're creating Asset identities for them in the CMDB, limit availability to manage or change the status of those assets to your Domain Management team.

If your administrative team is resistant to the idea of installing the agent, offer the manual, script-based inventory gathering as a possible alternative to keep your CMDB data current.

Hope that helps.

dfrancis's picture

We have the client on all of our DCs with no problems -- in fact, several DCs at smaller sites actually do double-duty and also function as package servers. The only issue we have is that the DCs are locked down to the point that not even the Altiris administrators can get into the DCs without working with the team that manages them, which makes troubleshooting fun sometimes.

--Dave


datadrudge's picture

We have been running the Altiris agent on DCs without issue for years. We too run Package Services on our remote DCs, even though it is *not* a supported configuration. We are now in a mixed mode 2008 Active Directory and have not seen any problems. We are even running several 2008 64-bit DCs as package servers (remember, not supported -- we just can't cost-justify running another server or always-on workstation at these sites while these Domain Controllers are running bored with lots of storage space, processor power, and memory...). Only problem we have seen is that we cannot run tasks on our 2008 DCs, even though tasks run fine on non-DC 2008 64-bits. We are at 6 SP3 R11. Note that we are not running task services out in the field; we have a central task server in a 2003 Server VM.