none
Systems Management Server cannot create the object

    Soru

  • Hello

     

    I been starting doing a side by side instalation of SCCM and it been going pretty well except two errors in the component status

     

    Systems Management Server cannot create the object "cn=SMS-MP-ACM-ACU-SVSCS02" in Active Directory.

    Systems Management Server cannot create the object "SMS-Site-ACM" in Active Directory.

     

    Do I need to modify any Schema permissions for SCCM and if so what rights do I need to add?

    What account does SCCM use ?

    Is there any documentation that address my problem?

     

    The ExtAdSch looks like this

     

     

    <11-16-2007 08:38:30> Modifying Active Directory Schema - with SMS extensions.
    <11-16-2007 08:38:30> DS Root:CN=Schema,CN=Configuration,DC=acumed,DC=local
    <11-16-2007 08:38:30> Attribute cn=MS-SMS-Site-Code already exists.
    <11-16-2007 08:38:30> Attribute cn=mS-SMS-Assignment-Site-Code already exists.
    <11-16-2007 08:38:30> Attribute cn=MS-SMS-Site-Boundaries already exists.
    <11-16-2007 08:38:30> Attribute cn=MS-SMS-Roaming-Boundaries already exists.
    <11-16-2007 08:38:30> Attribute cn=MS-SMS-Default-MP already exists.
    <11-16-2007 08:38:30> Attribute cn=mS-SMS-Device-Management-Point already exists.
    <11-16-2007 08:38:30> Attribute cn=MS-SMS-MP-Name already exists.
    <11-16-2007 08:38:30> Attribute cn=MS-SMS-MP-Address already exists.
    <11-16-2007 08:38:30> Attribute cn=mS-SMS-Health-State already exists.
    <11-16-2007 08:38:30> Attribute cn=mS-SMS-Source-Forest already exists.
    <11-16-2007 08:38:30> Attribute cn=MS-SMS-Ranged-IP-Low already exists.
    <11-16-2007 08:38:30> Attribute cn=MS-SMS-Ranged-IP-High already exists.
    <11-16-2007 08:38:30> Attribute cn=mS-SMS-Version already exists.
    <11-16-2007 08:38:30> Attribute cn=mS-SMS-Capabilities already exists.
    <11-16-2007 08:38:30> Class cn=MS-SMS-Management-Point already exists.
    <11-16-2007 08:38:30> Located LDAP://cn=MS-SMS-Management-Point,CN=Schema,CN=Configuration,DC=acumed,DC=local
    <11-16-2007 08:38:31> Successfully updated class LDAP://cn=MS-SMS-Management-Point,CN=Schema,CN=Configuration,DC=acumed,DC=local.
    <11-16-2007 08:38:31> Class cn=MS-SMS-Server-Locator-Point already exists.
    <11-16-2007 08:38:31> Located LDAP://cn=MS-SMS-Server-Locator-Point,CN=Schema,CN=Configuration,DC=acumed,DC=local
    <11-16-2007 08:38:31> Successfully updated class CN=Schema,CN=Configuration,DC=acumed,DC=local.
    <11-16-2007 08:38:31> Class cn=MS-SMS-Site already exists.
    <11-16-2007 08:38:31> Located LDAP://cn=MS-SMS-Site,CN=Schema,CN=Configuration,DC=acumed,DC=local
    <11-16-2007 08:38:32> Successfully updated class LDAP://cn=MS-SMS-Site,CN=Schema,CN=Configuration,DC=acumed,DC=local.
    <11-16-2007 08:38:32> Class cn=MS-SMS-Roaming-Boundary-Range already exists.
    <11-16-2007 08:38:32> Located LDAP://cn=MS-SMS-Roaming-Boundary-Range,CN=Schema,CN=Configuration,DC=acumed,DC=local
    <11-16-2007 08:38:32> Successfully updated class LDAP://cn=MS-SMS-Roaming-Boundary-Range,CN=Schema,CN=Configuration,DC=acumed,DC=local.
    <11-16-2007 08:38:33> Successfully extended the Active Directory schema.

    <11-16-2007 08:38:33> Please refer to the SMS documentation for instructions on the manual
    <11-16-2007 08:38:33> configuration of access rights in active directory which may still
    <11-16-2007 08:38:33> need to be performed.  (Although the AD schema has now be extended,
    <11-16-2007 08:38:33> AD must be configured to allow each SMS Site security rights to
    <11-16-2007 08:38:33> publish in each of their domains.)

     

     

    Thanks for a really exiting product

     

    ~Jorgen

     

    16 Kasım 2007 Cuma 19:19

Yanıtlar

  • Well, technically you do NOT need to create the System Management container. In fact, many customers don't create it. They let the site server create it when it attempts to publish.

     

    If you don't want to create the container manually, just give the site server computer account Full Control rights to the System container, and all child objects. Otherwise, you can manually create the System Management container and give Full Control rights to it and all child objects.

    18 Kasım 2007 Pazar 22:40
    Sahip

Tüm Yanıtlar

  • I found this for SMS 2003 but I did what it said and SCCM is now working

     

    1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
    2. On the View menu, click Advanced Features.
    3. Expand your domain tree, expand System, right-click the System Management container, and then click Delegate Control.
    4. Click Next, and then click Add.
    5. Click Object Types. If SMS 2003 is configured to use Advanced Security, make sure that the Computers check box is selected. If SMS 2003 is configured to use Standard Security, make sure that the Groups and Users check boxes are selected. Click OK.
    6. If Advanced Security is turned on, type the name of the site server's machine account, click Check Names, and then click OK. If Standard Security is turned on, type the name of the SMS service account, click Check Names, and then click OK.
    7. Click Next, click Create a custom task to delegate, and then click Next.
    8. Click This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
    9. Click to select the Full Control check box, and then click Next.
    10. Make sure that the information is correct, and then click Finish.

    • Yanıt Olarak Öneren yehia zakaria 20 Temmuz 2011 Çarşamba 09:44
    16 Kasım 2007 Cuma 19:49
  • Two key articles to fix this issue.  I've run into this and this did the trick.  You need to create the System Management container in AD and assign the correct permissions to the computer account(s) for your SCCM servers.

     

    http://technet.microsoft.com/en-us/library/bb632591.aspx

     

    http://technet.microsoft.com/en-us/library/bb633169.aspx

     

    Dustin

    16 Kasım 2007 Cuma 22:25
  •  

    Usually I create a group and put the site servers in it and assign the group the rights instead of the Site Servers them self. To keep administration more dynamic.
    18 Kasım 2007 Pazar 16:38
  • Well, technically you do NOT need to create the System Management container. In fact, many customers don't create it. They let the site server create it when it attempts to publish.

     

    If you don't want to create the container manually, just give the site server computer account Full Control rights to the System container, and all child objects. Otherwise, you can manually create the System Management container and give Full Control rights to it and all child objects.

    18 Kasım 2007 Pazar 22:40
    Sahip
  • I am *WAY* confused now! TWO MS articles contradict each other - the 33169.aspx mentioned above says to use the "Properties, Security, Add" and does not specify to 'uncheck' the "Inherit Parent permissions" tab.

    Yet, elsewhere in these forums, yet another MS article is mentioned, and it says to use "Delegate Control" and then do a "Custom Task" and make sure you DON'T inherit.

    Is "Security tab" same as "Delegate Control?"

    Should we Inherit or not?

    And should be "apply to this container and all subs?" (I don't think this is needed - ones below Systems Management container should already inherit)

    Thanks in advance!


    tnjman

    14 Mart 2012 Çarşamba 15:18