
  • Question

  • I am not able to see the SCCM site details in the "System Management" container, which I created in ADSI Edit before installing SCCM. I also followed the delegate-control steps. How do I troubleshoot this issue?
    Thursday, April 20, 2017 10:28 AM

All replies

  • are you publishing to that domain?
    Sunday, January 28, 2018 7:04 AM
  • I am not able to see the SCCM site details in the "System Management" container, which I created in ADSI Edit before installing SCCM. I also followed the delegate-control steps. How do I troubleshoot this issue?

    You need to set the permissions on the container as well.

    1. Create the "System Management" Container.
    2. Create an AD group called "SCCM Servers"
    3. Add the SCCM Site Servers to the AD Group
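    4. Grant "Full Control" permissions on the "System Management" Container to "SCCM Servers". Make sure that you grant it for "This object and all descendant objects". Because this gives every member of the group full control over the container, keep the group's membership limited to the site servers.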
    5. Extend the AD Schema

    Here is some code that you can use to set those permissions...

    # Script parameters (read by the functions below through script scope):
    #   ServerGroup - name of the AD group that is looked up with Get-ADGroup and
    #                 granted rights on the container (required)
    #   ADServer    - server passed to New-ADObject -Server when the container is created (required)
    #   DomainName  - domain to work against; when omitted the script uses $env:USERDOMAIN
    #   Container   - name of the container located under CN=System (required)
    Param(
        [Parameter(Mandatory = $True)]
        [String]
        $ServerGroup,

        [Parameter(Mandatory = $True)]
        [String]
        $ADServer,

        [Parameter(Mandatory = $False)]
        [String]
        $DomainName,

        [Parameter(Mandatory = $True)]
        [String]
        $Container
    )
    
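    Function Set-CMSysMgtPerm{
        <#
        .SYNOPSIS
        Adds an Allow / GenericAll access rule for the server group to the
        container CN=<Container>,CN=System,<DomainDN>.

        .DESCRIPTION
        Takes no arguments; reads the script-scope variables $ServerGroup,
        $Container, $DomainDN and $ADServer. Writes the updated ACL back to the
        directory and returns nothing.

        GenericAll lets every member of the group change or delete anything in
        this container, so the group's membership should be limited to the site
        servers and the group itself protected from casual edits.
        #>

        #Let the directory do the filtering instead of downloading every group with all of its properties
        $CMSvrGrpObj = @(Get-ADGroup -Filter { Name -eq $ServerGroup } -Server $ADServer)

        #Refuse to touch the ACL unless exactly one group matched: 'Name' is only
        #unique within a container, and an ACE for the wrong group is a privilege grant
        If ($CMSvrGrpObj.Count -ne 1){
            Write-Host "   Found $($CMSvrGrpObj.Count) groups named '$($ServerGroup)', permissions were NOT changed..." -ForegroundColor Red -BackgroundColor White
            Return
        }

        #Bind to the same server the container is created on, so a container that
        #has not replicated yet is still found
        $SysManObj = [ADSI]("LDAP://$($ADServer)/CN=$($Container),CN=System,$($DomainDN)")

        #Use the group's SID as the trustee; building DOMAIN\<Name> would silently
        #depend on the group's Name and sAMAccountName being identical
        $CMTrustee = $CMSvrGrpObj[0].SID

        $ActiveDirectoryRights = "GenericAll"
        $AccessControlType = "Allow"
        #SelfAndChildren covers the container and its immediate children only.
        #NOTE(review): step 4 of the accompanying instructions asks for "This object
        #and all descendant objects", which corresponds to 'All' - confirm which scope is intended.
        $Inherit = "SelfAndChildren"
        #An all-zero GUID means the rule is not restricted to one inherited object type
        $nullGUID = [guid]'00000000-0000-0000-0000-000000000000'

        $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $CMTrustee, $ActiveDirectoryRights, $AccessControlType, $Inherit, $nullGUID
        $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
        $SysManObj.psbase.commitchanges()
    }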
    
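    Function Create-CMSysMgtCntr{
        <#
        .SYNOPSIS
        Creates the container named $Container directly under CN=System of the domain.

        .DESCRIPTION
        Takes no arguments; reads the script-scope variables $Container, $DomainDN
        and $ADServer. Prints a status line and returns nothing.
        #>
        $SystemCN = "CN=System,$($DomainDN)"

        #-PassThru hands back the object from the server that performed the write, so
        #success is judged on $ADServer itself rather than on whichever domain
        #controller the AD: drive happens to be connected to
        Try{
            $NewCN = New-ADObject -Name "$($Container)" -Type Container -Path "$($SystemCN)" -Server "$($ADServer)" -PassThru -ErrorAction Stop
        }
        Catch{
            #Report the failure explicitly instead of finishing without any message
            Write-Host "   '$($Container)' could NOT be created: $($_.Exception.Message)" -ForegroundColor Red -BackgroundColor White
            Return
        }

        If ($NewCN){
            Write-Host "   '$($Container)' was created..." -ForegroundColor Green
        }
    }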
    
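    Function Check-CMPermissions{
        <#
        .SYNOPSIS
        Checks whether the server group already holds an Allow / GenericAll access
        rule on the container and calls Set-CMSysMgtPerm when it does not.

        .DESCRIPTION
        Takes no arguments; reads the script-scope variables $Container, $DomainDN,
        $Domain and $ServerGroup. Prints a status line and returns nothing.
        #>

        #Get the permissions that are currently set on the container
        $SystemCN = "CN=System,$($DomainDN)"
        $ContainerPath = "CN=$($Container),$($SystemCN)"
        $CNPath = "AD:\$($ContainerPath)"
        $Perms = Get-Acl "$($CNPath)" | Select-Object -ExpandProperty Access

        #Only an Allow rule that carries every GenericAll bit counts. Matching on the
        #trustee name alone would also accept a Deny rule or a read-only grant and
        #report the container as correctly delegated when it is not.
        $GenericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $Granting = @($Perms | Where-Object {
            ("$($_.IdentityReference)" -eq "$Domain\$ServerGroup") -and
            ("$($_.AccessControlType)" -eq "Allow") -and
            ((([int]$_.ActiveDirectoryRights) -band $GenericAll) -eq $GenericAll)
        })

        If ($Granting.Count -gt 0){
            #Nothing to do, the expected rule is already present
            Write-Host "   '$($Container)' permissions are set..." -ForegroundColor Green
        }
        Else{
            #Set permissions if needed
            Write-Host "   '$($Container)' permissions are NOT set, setting permissions..." -ForegroundColor Red -BackgroundColor White
            Set-CMSysMgtPerm
        }
    }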
    
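    #Import the AD PSModule for the current PSSession. Stop if it is unavailable:
    #every later step relies on its cmdlets and on the AD: drive it provides.
    Import-Module ActiveDirectory -ErrorAction Stop

    #Strip double quotes that were passed in as part of the group name.
    #Replace() is a no-op when there are none; a -contains test on a plain string
    #only compares the whole value, so it cannot detect an embedded quote.
    $ServerGroup = $ServerGroup.Replace("`"","")

    #Fall back to the logged-on user's domain when no domain was supplied
    If (-not($DomainName)){
        $Domain = $env:USERDOMAIN
    }
    Else{
        $Domain = $DomainName
    }

    #Stop if the domain cannot be resolved; an empty $DomainDN would turn every
    #path below into a malformed distinguished name
    $DomainDN = (Get-ADDomain -Identity $Domain -ErrorAction Stop).DistinguishedName

    #Check if Container Exists and do appropriate actions
    $ContainerDrivePath = "AD:\CN=$($Container),CN=System,$($DomainDN)"
    If (-not(Test-Path $ContainerDrivePath)){
        Write-Host "   '$($Container)' does NOT exist, creating container..." -ForegroundColor Red -BackgroundColor White
        #Create Container if not exists
        Create-CMSysMgtCntr
        #Set Permissions
        Set-CMSysMgtPerm
        #Check Permissions
        Check-CMPermissions
    }
    Else{
        Write-Host "   '$($Container)' already exists" -ForegroundColor Green
        #Check Permissions
        Check-CMPermissions
    }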

    This code will extend the AD Schema...

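    # Checks whether the Configuration Manager schema class 'mSSMSSite' exists and,
    # when it does not, runs the schema extension executable given in -ExtADSchPath.
    # A schema extension is forest-wide and cannot be undone, so the executable is
    # checked before it is started with the caller's rights.
    Param(
        [Parameter(Mandatory=$True)][String]$ExtADSchPath
    )

    #Ask the forest for the schema master. Get-ADDomainController without -Filter
    #returns only one discovered domain controller, which is not necessarily the role holder.
    $SchemaMaster = (Get-ADForest).SchemaMaster

    $SchemaPath = (Get-ADRootDSE -Server $SchemaMaster).schemaNamingContext

    #Search for the one class by name on the server instead of downloading the whole schema
    $CMSchemaExt = Get-ADObject -LDAPFilter '(lDAPDisplayName=mSSMSSite)' -SearchBase $SchemaPath -Properties * -Server $SchemaMaster

    If (-not($CMSchemaExt)){
        Write-Host "AD Schema has not been extended for Configuration Manager..." -ForegroundColor Red -BackgroundColor White

        #The path must point at an existing file
        If (-not(Test-Path -LiteralPath $ExtADSchPath -PathType Leaf)){
            Write-Host " '$ExtADSchPath' was not found, schema was NOT extended..." -ForegroundColor Red -BackgroundColor White
            Return
        }

        #Do not run a binary whose Authenticode signature does not validate
        $Signature = Get-AuthenticodeSignature -FilePath $ExtADSchPath
        If ($Signature.Status -ne 'Valid'){
            Write-Host " '$ExtADSchPath' has signature status '$($Signature.Status)', schema was NOT extended..." -ForegroundColor Red -BackgroundColor White
            Return
        }

        Write-Host " Extending Schema..." -ForegroundColor Gray
        #Pass the variable itself; inside single quotes it is not expanded and
        #Start-Process would look for a file literally named $ExtADSchPath
        Start-Process -FilePath $ExtADSchPath -Wait
        Start-Sleep 20
        #Show the class object so the caller can see whether the extension is now present
        Get-ADObject -LDAPFilter '(lDAPDisplayName=mSSMSSite)' -SearchBase $SchemaPath -Properties * -Server $SchemaMaster
    }
    Else{
        $ExtName = $CMSchemaExt.Name
        $ExtDate = $CMSchemaExt.whenCreated
        Write-Host "   AD Schema extension '$ExtName' was applied on '$ExtDate'" -ForegroundColor Green
    }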

    • Proposed as answer by Phil Pritchett Tuesday, February 13, 2018 8:31 PM
    Saturday, February 10, 2018 2:43 AM