Introduction
Really short post, just to illustrate the possible privileges of being a Configuration Manager admin and having the ConfigMgr client installed on a Domain Controller.
While this might be stating the obvious for some people, I think it deserves a mention regardless.
This dictates a proper tiering model, especially around your Domain Controllers, making sure that Configmgr Admins does not have access to Domain Controllers and vice versa, but also to treat your ConfigMgr environment as tier0.