This account establishes communications and transfers data between Microsoft System Center Configuration Manager 2007 parent and child sites, including grandchild sites. Parent sites use this account to transfer administrative data (such as package or collection data) to the child or grandchild site. Child sites use this account to transfer data (such as inventory data, discovery records, or status messages) to the parent site.
A Site Address Account is not always required. Within the same forest, you should use the site server's computer account as the Site Address Account. If you must connect to a site in a different forest, you must configure a Site Address Account because even with a trust between the forests, the computer account cannot access the site server across the forest boundary.
|Secondary sites must be in the same forest as the parent site, so you cannot configure a Site Address Account between a secondary child and a primary parent.|
Required Rights and Permissions
This account must have Read, Write, Execute, and Delete permissions on the SMS\Inboxes\Despoolr.box\Receive folder on the destination site server.
Add the Site Address Account to the Site to Site Connection group on the destination site server, which has the appropriate permissions on the SMS_Site shared folder. The Site Address Account does not have to be granted permissions to the SMS_Site shared folder directly.
Also, your security policy must allow the Site Address Account Access this computer from the network permissions on the destination site server. For more information about setting the Microsoft Windows security policy, see Windows Help.
Account and Password Creation
The administrator creates the account and password, and then configures Configuration Manager 2007 to use the account when creating an address between sites. The account must be verifiable on the destination site server. It does not have to be verified on the originating site server where the address is defined.
This account can be created wherever the administrator wants to create it. A single account can be used for multiple sites and domains if it has the required permissions.
The administrator performs all account and password maintenance. If you modify the account in the account database, you must also update the configuration in the Configuration Manager 2007 console.
|If you specify a Site Address Account for an address and then later decide you want to use the computer account as the Site Address Account, you must either delete the address and re-create it, or use the Manage Site Accounts tool (MSAC.exe). Changing the account name is not sufficient when switching from a user account to the computername$ account.|
Security Best Practices
Use the site server's computer account unless you must access a remote forest so that the password is managed by the operating system and is less vulnerable to discovery and misuse.
If you have many domain controllers and this account will be used across domains, verify that the account has replicated before configuring it in Configuration Manager 2007.