Figure: Ports Required
Technical Details
To support this initiative we use shadow accounts (mirrored local accounts). In our test case we created local accounts named “localTfsBuild” on the Team Build Server and the Team Foundation Server Application Tier, using identical passwords. A host entry was also added on the Team Build Server with the TCP/IP address and host name of the Team Foundation Server Application Tier.
Using the Team Foundation Server Administration Console on the TFS Application Tier we add the local account created above into the “Project Collection Build Service Accounts” group.
The Build Service is installed but not configured initially; the Project Collection information is added later. In the build configuration wizard, do not select a project collection (leave it blank), then use Network Service as the account and continue to the end.
Steps (performed on the Build Server)
Run the Team Foundation Server 2010 Setup
Click on the Team Foundation Build Service Checkbox
On the last install dialog uncheck the Launch Team Foundation Server Configuration Tool Checkbox and click Finish
Install TFS 2010 SP1
Install TFS 2010 SP1 Cumulative Update
Launch the Team Foundation Administration Console
Click on Build Configuration
Click Configure Installed Features
Click Start Wizard
Click Next
Do not select a team project collection and Click Next
Click Next
Click Verify
Click Configure
Click Next
Click Close
Click Close
Click Stop to stop the Build Service, then Click Properties
Click Browse
Click Servers…
Enter the Name or URL of your Team Foundation Server and Click OK
Enter the credentials of a user (like DOMAIN\_tfsInstaller) with Admin permissions on TFS 2010 and click OK
Click Close
Select the Team Project Collection you want to add the Build Service to and click Connect (You may be prompted again for credentials – just enter them a second time)
In the Credentials section select This account, enter the credentials of the build account .\localTfsBuild and the password, and click Start
If you made it here, the service should be running and configured. If you received an error connecting, verify that the localTfsBuild account is the same on both machines and that the passwords match. Do not specify an alias for the TFS server; use the real machine name. If a DNS lookup is not available, make sure the name and IP address of the TFS server are defined in the local HOSTS file of the build server.
Click New Agent…
Click OK (unless you want to change any of the default settings)
The Agent should be started (indicated by the Green color)
If the Agent does not start, make sure your build server resolves from the TFS side of the network (try PING). If the host name does not resolve to an IP address, add it to DNS.
Use the Test Connection on the Build Agent Properties dialog to test communications between the Build Agent, TFS Server and Build Controller.
If you still have connection issues, verify that Windows Firewall is not causing the problem: the network connection shown in Network and Sharing Center must be either Private Network or Domain Network, otherwise inbound traffic will fail.
Below is an example of a FIREWALL issue blocking communications on TCP Port 9191
Default Agent – Not Really Ready (indicated by the Red color)
Clicking Build Agent Properties shows status as Build Agent Unavailable
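The connection checks from the troubleshooting steps above (name resolution, HOSTS entry, TCP port 9191, active firewall profile), gathered into one PowerShell function that leaves the firewall enabled while you diagnose. This is an added example, not part of the original post; the function name Test-TfsBuildLink and the host name BUILD01 are hypothetical, and it assumes PowerShell 2.0 or later.

```powershell
# Added example; Test-TfsBuildLink and the host name BUILD01 are hypothetical.
function Test-TfsBuildLink {
    param(
        [Parameter(Mandatory = $true)][string]$RemoteHost,  # real machine name, not an alias
        [int[]]$Ports = @(9191),                            # port named in this post
        [int]$TimeoutMs = 3000
    )

    # 1. Name resolution as the OS sees it (DNS or the local HOSTS file).
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($RemoteHost) | ForEach-Object { $_.ToString() }
        Write-Output "RESOLVE  $RemoteHost -> $($ips -join ', ')"
    } catch {
        Write-Warning "$RemoteHost does not resolve; add it to DNS or the HOSTS file."
        return
    }

    # 2. Show any HOSTS entry for the name so a stale IP address is visible.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern = '^\s*[^#\s]+\s+.*\b' + [regex]::Escape($RemoteHost) + '\b'
    Get-Content $hostsFile | Where-Object { $_ -match $pattern } |
        ForEach-Object { Write-Output "HOSTS    $($_.Trim())" }

    # 3. TCP connect with a timeout: tells open, failed and unanswered apart.
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($RemoteHost, $port, $null, $null)
            if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($pending)   # throws if the connection failed
                Write-Output "TCP $port  open"
            } else {
                Write-Output "TCP $port  no answer in $TimeoutMs ms (filtered by a firewall?)"
            }
        } catch {
            Write-Output "TCP $port  failed: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
    }

    # 4. Active Windows Firewall profile on this machine; the post requires
    #    Private or Domain. The heading is matched in English (localized systems differ).
    netsh advfirewall show currentprofile | Where-Object { $_ -match 'Profile Settings' } |
        ForEach-Object { Write-Output "PROFILE  $($_.Trim())" }
}

Test-TfsBuildLink -RemoteHost 'BUILD01'
```

Run it from the TFS side against the build server to test the build service port, and from the build server against the TFS server to confirm name resolution in the other direction; pass extra ports with `-Ports` as needed.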
Wes, thanks for your post.
After reading this, we could configure the build agent in a workgroup environment.
However, it only works for those machines that are running Server 2k3, but for Windows Server 2008 R2.
We could register the build service to the TeamProject collection, but when creating an agent, it’s always stopped or in an unknown state.
What operating system is your build server running on?
I did the walkthrough on Windows Server 2008 w/SP2 (x32). It should not matter, though. What error are you receiving when you try to create the agent?
I don’t get any error. The build service is created OK, but the agent stays in an unknown or stopped state somehow. I don’t see any error in Event Viewer, though.
How strange…
I would check three things: Disable the firewall on the build agent to see if the agent works, then make sure the NIC connection is either set to Private or Domain so the firewall exclusions work properly. Make sure you can ping the build agent by name from the controller and application tier and the build agent can see the controller and application tier. Check the TFS Application Tier and the Build Controller for errors.
Does that trick work for TFS11?
It should. While I have not tried it, I see no reason it wouldn’t work.
Mac,
I found your blog again. I ended up leaving all our build agents on Windows Server 2003. However, now it’s time for us to upgrade to TFS 2012, and we realize they don’t support 2003 anymore. So we have to upgrade our agents to Windows Server 2008 (this is already a lot of work for us, to upgrade and rebuild the build server).
I’m assuming TFS 2012 still works in a workgroup environment?
Also, from reading online, it’s not really recommended by MS???
Hi,
Correct, 2003 is not supported any longer. The current supported server platforms are as follows:
Windows Server 2008 x64
Windows Server 2008 R2
Windows Server 2012
TFS 2012 still works in workgroup mode (using local accounts) but if your build controller and/or agent is on a separate server you’ll have to use mirrored/shadow accounts like you did in 2010 (it is this configuration that is not supported).
Cheers,
Wes
Mac,
I still have the problem with the shadow account on Windows 2008, and I would like to show you the screenshot:
https://skydrive.live.com/view.aspx?resid=329EF5592FBAB099!130&app=Word
And my post:
http://social.msdn.microsoft.com/Forums/en-US/tfsbuild/thread/6aeeafc0-4ba5-408c-90be-33447f09e05c
Mac,
I was looking for just the same info and was lucky to find yours.
We have a development server where we installed both the TFS 2010 Application Tier and the TFS build server. This server’s OS is Windows Server 2008 R2 and it is located in, let’s say, domain X. I followed the steps mentioned:
1. Created a local account (localtfsbuild) on this server.
2. Added the user localtfsbuild into Project Collection Build Service Accounts.
3. Did the build configuration first, not selecting any project collection, and initially ran under NT Authority\SYSTEM credentials. Then added the project collection (residing on the same server) and changed the credentials to run under localtfsbuild.
We have a workstation running Windows XP in another domain, let’s say ‘Y’.
We wanted this to be our build machine, so we installed the TFS 2010 Build Service and are now trying to configure it with a mirror account as you mentioned.
1. Created localtfsbuild, a local account.
2. Initially, without selecting any project collection, configured it with NT AUTHORITY\SYSTEM credentials. Now when I try selecting the Project Collection created on the TFS Server and using the localtfsbuild credentials, it does NOT start and I see the following message in the Event Viewer log:
Build Service received Stop command and will be stopped. Details: Could not open http channel
When I was using NT AUTHORITY\NETWORK SERVICE on both the Build Server and the Build Machine, we were running into sgen.exe errors.
Any information on this will be greatly appreciated.
Thanks
Bug
Problem here doing this configuration for two different domains. When I set the user for the build service to “.\localTfsBuild” and press start I receive the following error:
“Cannot register Team Foundation Build Service: User account TFS\localTfsBuild not found”
I don’t know where the “TFS\” came from.
If I change my username to “TFSES\localTfsBuild” (where TFSES is my TFS Application Tier) the message changes:
“Cannot register Team Foundation Build Service: Failed to grant TFSES\TfsBuilds access to the IIS configuration and other directories used by ASP.NET. Details: aspnet_regiis.exe failed with code 1.”
I suppose this is due to the “TFSES\”… Any help here? Any information on this will be greatly appreciated.
Hi,
Are you trying this with TFS 2010 or 2012?
1. You created local accounts on both the build server and tfs application tier and the passwords match.
2. Make sure the machines have name resolution for each other on both sides (using the HOSTS file)
3. If you have a firewall between the machines ensure port 9191 is open
Let me know if you’re still stuck. TFS 2012.2 supports TFS 2010 Build Servers, see the following blog post: http://blogs.msdn.com/b/visualstudioalm/archive/2013/04/04/10407416.aspx
Wes
Hi Wes,
I’m trying this with TFS2010. My Application Tier is inside my corporate network but I want to configure the Build Controller/Agent in my client network, so I have different domains and networks, and the connection to my client network is through Juniper Terminal Services, so I’m not able to open ports nor map my client IP address through the HOSTS file.
Maybe this is the problem. This scenario may not be supported…. 😦
Any help would be very appreciated.
Regards,
Hi,
That scenario you describe is not supported. The build agent has to be able to contact the TFS Application Tier directly which is not possible over Terminal Services.
Wes
Followed all the steps; however, when trying to set up the agent, the “Controller” drop-down is not being populated. Could this be a firewall issue?
Yes it could be. If you’ve opened TCP port 9191 in your firewall appliance for the Build Agent and Controller you may also have to open TCP port 9192.