SMS MP on Domain Controllers

Status
Not open for further replies.

sobak

MIS
Feb 22, 2001
609
US
I’ve inherited a troubled SMS2003 network. I’m receiving the dreaded 5436 Error on my SMS_MP_CONTROL_MANAGER.

Out of 50 secondary sites, 13 are receiving the error. All of the ones receiving the error are Domain Controllers; all are running 2003 except two of them, which are running 2000. SMS was originally set up using standard security.

I’ve read on the internet that Microsoft advises against installing SMS2003 MP on a Domain Controller. I’ve searched Microsoft’s web site and can’t find anything with regard to this statement.

The article that I saw told me that if SMS is installed on a DC then there is a chance that the IIS security rights and groups can be overwritten during the Domain replication process.

The root of my 5436 errors is IIS security. On my 2003 boxes, SMS creates three application pools, the CCM Frameworks and the SMS Management Point. If I check the application pools on each of the systems that are not responding, they are stopped, and attempts to start them fail. I receive 1009 and 1002 errors in the event log when I attempt to start them.

I have found a workaround to this issue, which is to remove the SMS Secondary site, remove IIS, then install everything from the ground up (IIS and SMS). I tried this procedure two weeks ago on three sites and they are still up and responding today.

I need to know if installing my SMS MPs on Domain Controllers is a good deployment practice; if it’s not, I need documentation showing it’s not recommended. I have to justify the expense of placing member servers at each of my sites to handle SMS traffic.

Thanks


david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
All MP accounts made on a DC are not local but domain, and if you ever uninstall SMS from a DC it deletes all groups and accounts made by that install (nightmare), thus forcing you to remake all other MP accounts.
Also...installing/reinstalling IIS on ANY DC in the environment will destroy the IIS_WPG group and all its contents as well.

There are those that do it, but I wouldn't if I didn't have to....they don't prevent a SMS client from going on a DC by default for no reason ;)
 
I would download the SMS toolkit and run the MP troubleshooter first. It may give you the answers you need before attempting anything else more drastic.


Gladys Rodriguez
GlobalStrata Solutions
 
Gladys,

Guess I should have mentioned that I did run the Post-Installation and it bounced back two failures.

MPLIST HTTP request functionality
MPCERT HTTP request functionality.

MPLIST Error: The remote server returned an error: (503) Server Unavailable)

I believe these two errors are related to the application pools not being started.

Everything else in the test passed without any problems. Now, the three sites that I reinstalled IIS and SMS on report fine.

If I test a site that I have not done anything with and is up and responding it tests fine (as it should).

tbrennans, in your note you told me that removing IIS destroys the IIS_WPG group and its contents. I checked and sure enough all my IWAM accounts have been dropped and only the last system that I installed was a member. I went ahead and added all the other IWAM accounts into the group in hopes that this may correct my problem but...I'm not going to hold my breath. I would think that if the IIS_WPG group was the problem then my other MPs would also show signs of failing. I have some MPs that have been up and running 100% and I've never touched them.

I was thinking the problem was only with my 2003 boxes but that's not the case as I have two 2000 boxes that are showing the same problems.

Any help you guys can lend me I would appreciate it.


david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
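
One way to audit the group membership discussed above across every MP in one pass, as an added example that is not part of the original thread: it parses text captured with `net localgroup IIS_WPG` and lists the `IWAM_<servername>` accounts that are absent. The host names, the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `net localgroup IIS_WPG` output, showing the state
# described in the thread: only the most recently installed server's IWAM
# account is left in the group. Host names are placeholders.
SAMPLE_OUTPUT = """\
Alias name     IIS_WPG
Comment        IIS Worker Process Group

Members

-------------------------------------------------------------------------------
IWAM_SITE50
NT AUTHORITY\\LOCAL SERVICE
NT AUTHORITY\\NETWORK SERVICE
NT AUTHORITY\\SYSTEM
The command completed successfully.
"""

MP_SERVERS = ["SITE01", "SITE02", "SITE50"]  # hypothetical MP host names


def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def missing_iwam_accounts(net_output, servers):
    """List the IWAM_<server> accounts that are expected but not in the group."""
    # Compare on the account part only: drop any DOMAIN\ prefix, ignore case.
    present = {m.split("\\")[-1].upper() for m in parse_members(net_output)}
    expected = [f"IWAM_{s.upper()}" for s in servers]
    return [account for account in expected if account not in present]


if __name__ == "__main__":
    for account in missing_iwam_accounts(SAMPLE_OUTPUT, MP_SERVERS):
        print(f"missing from IIS_WPG: {account}")
```

Running the same comparison after any IIS install or removal on a DC shows whether the group was reset again.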
 
What is your identity set to on the following application pools?

MP pool
CCMServer Framework
 
The following identities are set on the two application pools.

Nonworking site
CCM Server Framework: IWAM_servername
MP Pool: IWAM_servername

Working site:
CCM Server Framework: IWAM_servername
MP Pool: IWAM_servername

In both cases each pool Identity is set to configurable.

On the troubled MP if I attempt to start the MP pool I receive two errors in the event log.

A process serving application pool 'SMS Management Point Pool' terminated unexpectedly. The process id was '5232'. The process exit code was '0xffffffff'.

A process serving application pool 'SMS Management Point Pool' terminated unexpectedly. The process id was '5612'. The process exit code was '0xffffffff'.

Out of a total of 50 different MPs I'm receiving this same error on 12 of them.


david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
Test on one DC, changing the two mentioned application pools (CCM, MP) to PREDEFINED: local_system

 