SCCM 2007 Active Directory system management container

  • Question

  • Hi all,


    I did some searching before posting this to try and avoid multiple posts on the same issue. Here is what is going on and what I'm curious about.


    We currently have one SMS 2003 primary site on a Server 2003 machine with SQL 2005. We are moving to SCCM 2007, which we have on a new Windows 2008 server. We are not moving anything over from the old site except of course the clients, which we will just do by discovering them in the new site and installing the client.

    As of now we are still using the SMS 2003 primary site for production, although I have the SCCM 2007 primary site (it will only be a primary site) partially set up. I have discovered one test group, which is a lab that we have. I can see the machines from this lab in the "all systems collection". As of now I am going to move over clients group by group before decommissioning the old site. I do not have the boundaries turned on yet for the new site and I should also point out that these sites have different site codes.

    So on to my final question. I pushed the client install to one of these machines. It installed fine, I can see the system configuration icon in the control panel and the old system management console in the control panel is gone. Opening up the system config icon in the control panel, it still has the old site as the site code (by the way I used AD system discovery to find the machines in this test group).

    I wanted to make sure you had all of the info, but to get to my question, after some research the issue of why the SCCM console is not seeing the client as assigned or installed has to do with the system management container. Our service account and/or SCCM server machine account do not have full access to it. So my question is even though SMS 2003 uses this container as well, is it going to harm anything for me to give full permission to the SCCM 2007 service account to this container and allow objects to be put into there, or is this normal practice?

    Looking at the status messages in the SCCM console, this is how I figured out it is the issue.

    Message id 4913

    Systems Management Server cannot create the object "System Management" in Active Directory

    Thank you for any help you can give me.
    Thursday, July 21, 2011 8:50 PM


All replies

  • To add to this a little bit, right now in our system management container we have 3 objects.


    SMS-MP-***-servername                       Type-MSSMSManagementPoint

    SMS-Site-***                                       Type-mSSMSSite

    SMS-SLP-***-servername                     Type-mSSMSServerLocatorPoint


    I realize all of these are from the SMS 2003 site. Pretty much to boil it down, is it normal for SCCM 2007 to use this container and put objects of its own in it as well? From the research I have done, yes, but I wanted to do some more checking before I actually give the service account access to make similar objects for the new site in this container.


    Thanks again.

    Thursday, July 21, 2011 9:00 PM
  • It won't harm anything, the new site will simply create its own objects. I hope you used a different site code though.

    Jason | | Twitter @JasonSandys
    Thursday, July 21, 2011 11:28 PM
  • Thank you for the reply Jason.


    Yes, we did use a different site code, so no issue there.


    One last question that came to mind. For the SMS 2003 primary site we use a service account, I will call it "test". This account has full rights to the system management container. Is it OK for me to use that same account, "test", as the service account for our new SCCM 2007 primary site? I'm pretty sure of these answers from what I know, but I just want to ensure. Will that cause any interaction issues or is that supported?


    Thanks again.



    Friday, July 22, 2011 2:12 PM
  • ConfigMgr does not use a formal service account. It uses the computer account of the site server to perform all of its work across the network including accessing AD. It is this account that needs permissions in AD:
    Jason | | Twitter @JasonSandys
    Friday, July 22, 2011 5:47 PM
  • Good info to know. I will add the new site server with full permissions to that container and all of the child objects. Thanks again for the help.
    Friday, July 22, 2011 6:41 PM
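
One way to verify the permission discussed in this thread, as an added example that is not part of the original posts: the script reads the ACL on the System Management container and reports whether the site server's computer account holds Full Control that also applies to child objects. The account name `CONTOSO\SCCM01$` is a constructed placeholder, and the script assumes it runs on a domain-joined machine under an account that can read the container.

```powershell
# Added example (not from the thread): check the site server computer
# account's rights on the System Management container.
# 'CONTOSO\SCCM01$' is a constructed placeholder; substitute DOMAIN\SERVER$.
param(
    [string]$SiteServerAccount = 'CONTOSO\SCCM01$'
)

# Build the container path under the current domain's System container.
$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$path     = "LDAP://CN=System Management,CN=System,$domainDN"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    Write-Warning "Container not found: $path"
    return
}
$container = [ADSI]$path

# Explicit and inherited ACEs, identities resolved to DOMAIN\name form.
$rules = $container.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

# Only ACEs naming the account directly are matched; rights granted
# through a group membership will not appear here.
$mine = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $SiteServerAccount
})

if ($mine.Count -eq 0) {
    Write-Warning "No ACE for $SiteServerAccount on $path"
    return
}

$full = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# FullControl: the ACE grants every right (GenericAll).
# CoversChildren: the ACE applies to this object and all descendants,
# which the site server needs to manage the objects it publishes.
$mine | Select-Object IdentityReference, AccessControlType, IsInherited,
    @{ Name = 'FullControl'
       Expression = { (([int]$_.ActiveDirectoryRights) -band $full) -eq $full } },
    @{ Name = 'CoversChildren'
       Expression = { $_.InheritanceType -eq 'All' } }
```

An `Allow` row with both `FullControl` and `CoversChildren` true matches what the last reply describes granting; any other accounts that still hold Full Control on the container after the old site is decommissioned are candidates for removal.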