SCCM 2012 cannot create objects in AD

  • Question

  • SCCM 2012 Site Hierarchy Manager component cannot publish site information in AD. Error message:

    "Configuration Manager cannot create the object "SMS-Site-QRS" in Active Directory (domain.local)."

    1) Schema was extended. In fact I ran the utility many times, including running it in an elevated command prompt on the DC holding the Schema Master FSMO role. It keeps telling me that it successfully extended the schema. In the AD Schema Management console I can see four object classes related to SCCM.

    2) SCCM server object does have all the required permission to create objects in System Management container. It does have Full Control permissions to the container and all its descendants, including both object and attributes rights. In fact it can successfully create object SMS-MP-QRS-SCCM.DOMAIN.LOCAL of type mSSMSManagementPoint, and it has effective Full control rights to it (although its owner is Domain Admin group).

    In addition I've given Full Control right to that container to Everyone group. Still no luck.

    3) I cannot find the object with that name anywhere in AD.

    Strangely enough, when I had just deployed the SCCM server, it created that object in AD. However, soon after that it started to report that it cannot update the object. I deleted it, and now it cannot create it anew.

    Any ideas? Is that activity somehow recorded to some log file?

    Tuesday, July 17, 2012 8:59 AM


All replies

  • Hi,

    You need to grant the Primary site server's computer account "Full Control" to the System Management container (I always create that manually and delegate permissions from there) and you need to make sure that you have selected "This object and all descendant objects" as SCCM creates sub containers as well.

    You can watch the Hman.log file for errors, information.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Tuesday, July 17, 2012 9:43 AM
  • Hi

    I agree with Jorgen. However, for your convenience please check the following link; it applies to 2012 as well.

    http://technet.microsoft.com/en-us/library/bb633169.aspx

    Tuesday, July 17, 2012 10:16 AM
  • Jorgen, VenkatSP,

    As I mentioned before, I've given all the permissions needed for the server in the very beginning. Please re-read item number 2 in my post.

    In the log file I can see the following messages:

    Publishing site objects in AD Forest domain.local~  $$<SMS_HIERARCHY_MANAGER><07-17-2012 16:00:17.818-360><thread=3612 (0xE1C)>
       No publishing account defined for this forest, will use the machine account instead ~  $$<SMS_HIERARCHY_MANAGER><07-17-2012 16:00:17.819-360><thread=3612 (0xE1C)>
       Active Directory DS Root:DC=domain,DC=local~  $$<SMS_HIERARCHY_MANAGER><07-17-2012 16:00:17.823-360><thread=3612 (0xE1C)>
       Searching for the System Management Container.~  $$<SMS_HIERARCHY_MANAGER><07-17-2012 16:00:17.825-360><thread=3612 (0xE1C)>
       System Management container exists.~  $$<SMS_HIERARCHY_MANAGER><07-17-2012 16:00:17.826-360><thread=3612 (0xE1C)>
       Searching for SMS-Site-QRS Site Object.~  $$<SMS_HIERARCHY_MANAGER><07-17-2012 16:00:17.843-360><thread=3612 (0xE1C)>
       SMS-Site-QRS doesn't exist, creating it.~  $$<SMS_HIERARCHY_MANAGER><07-17-2012 16:00:17.846-360><thread=3612 (0xE1C)>
       SMS-Site-QRS could not be created, error code = 8205.~  $$<SMS_HIERARCHY_MANAGER><07-17-2012 16:00:17.870-360><thread=3612 (0xE1C)>

    Tuesday, July 17, 2012 10:41 AM
  • 8205 translates to "The specified directory service attribute or value already exists" so it's most likely an AD issue.

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, July 17, 2012 12:02 PM
  • Torsten,

    So it seems that the object SCCM tries to create already exists. Is it possible to find it? I can't see it in ADUC.

    Tuesday, July 17, 2012 12:40 PM
  • You must enable Advanced Features under the view menu in ADUC. Then you can navigate to the System/System Management container.

    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Tuesday, July 17, 2012 1:32 PM
    Moderator
  • Jason,

    How could I possibly give the rights to the container if I'm unable to navigate to it? :) Of course I can see the container. I cannot see the object SCCM cannot create/modify.

    Wednesday, July 18, 2012 4:07 AM
  • Maybe you are connected to domain_controller_A, but ConfigMgr tries to update the objects on domain_controller_B? Are there any AD replication issues? (Please use the ConfigMgr 2012 forum for future postings: http://social.technet.microsoft.com/Forums/en-US/category/systemcenter2012configurationmanager)

    Torsten Meringer | http://www.mssccmfaq.de

    Wednesday, July 18, 2012 7:43 AM
  • Torsten,

    No, I can't see any replication issues in AD. DCDIAG does not report any significant errors, and there are no error messages in the AD log. All the changes made on one of the DCs are replicated to the other one.


    Is it possible to transfer the thread to the correct forum?
    Wednesday, July 18, 2012 8:16 AM
  • Are you using a Windows 2000 domain controller?

    http://support.microsoft.com/kb/894277/en-us

    Wednesday, July 18, 2012 9:36 AM
  • jdulongc

    Nope. Two DCs - Windows Server 2008 R2 SP1. Anyways, I cannot reprogram SCCM to make it use different .NET Framework routines. :)


    Wednesday, July 18, 2012 10:18 AM
  • Ok, but in this situation you can upgrade the DCs to W2K3 instead of reprogramming :)

    So maybe a lingering object, did you check on your two DCs that the object didn't exist?

    Use this procedure to verify on each DC: http://technet.microsoft.com/en-us/library/bb693614



    • Edited by jdulongc Wednesday, July 18, 2012 12:41 PM
    Wednesday, July 18, 2012 12:35 PM
  • Yes, I've checked the existence of the objects from the very beginning. There is only one object - SMS-MP-... If I delete it, the server recreates it.

    Wednesday, July 18, 2012 12:47 PM
  • I'm really confused.

    That is the expected outcome.

    Can you please upload a screenshot of what you are seeing, because there is a communication disconnect going on in this thread about what you are seeing, what your expectations are, and what problems may or may not exist.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Wednesday, July 18, 2012 2:23 PM
    Moderator
  • Jason,

    I'll skip the screenshot part, sorry, it requires a lot of time which I do not have.

    I describe my problem one more time:

    1) SCCM cannot create one type of object in AD, but can create another one. Error message: "Configuration Manager cannot create the object "SMS-Site-QRS" in Active Directory (domain.local)." Error code: 8205.

    2) AD schema was extended.

    3) SCCM server account has Full Control permissions to the System Management container and all its descendants.

    4) Server was able to create this object immediately after installation, but lost this ability shortly after that.

    5) AD is healthy, no replication problems.

    This is confusing, yes, but trust me: I never ask simple questions. :)

    This is not a major issue in our environment, however I must understand its roots even if it cannot be solved.

    Thursday, July 19, 2012 7:26 AM
  • Are you sure that you have checked on your TWO DCs that the object doesn't exist?
    Thursday, July 19, 2012 7:40 AM
  • You could also delete the entire contents of the System Management container. ConfigMgr will (re-)create all objects then (within 1h).

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, July 19, 2012 8:19 AM
  • Jdulonc,

    Yes, I'm definitely sure that I've checked both controllers. ADUC permits selecting the DC you want to connect to.

    Torsten,

    I've even deleted and created anew the entire System Management container. As before, SCCM has recreated SMS-MP object, but still cannot create SMS-Site one.

    I suspect that something is wrong with the AD schema. Maybe the schema extension was at fault. However, I did it many times, including running the utility in an elevated command prompt on the forest Schema Master DC. In addition, judging by the content of the Schema management MMC snap-in, all needed classes and attributes are defined.

    Thursday, July 19, 2012 8:54 AM
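    The three things this thread keeps circling back to (the schema classes, the container ACL with inheritance to descendants, and whether the site object already exists on each DC) can be checked in one place. This is an added PowerShell example, not code from the thread or from Microsoft; the site code QRS and the domain.local naming context come from the posts, the site server name is a placeholder, and the four schema class names are the ones ExtADSch adds.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$SiteCode   = 'QRS'          # site code from the thread
$SiteServer = 'SCCMSERVER'   # placeholder: NetBIOS name of the primary site server
$RootDSE    = Get-ADRootDSE
$Container  = "CN=System Management,CN=System,$($RootDSE.defaultNamingContext)"

# 1) Schema: the four classes the schema extension adds (mSSMSManagementPoint is named in the thread).
$Classes = 'mSSMSSite','mSSMSManagementPoint','mSSMSServerLocatorPoint','mSSMSRoamingBoundaryRange'
foreach ($c in $Classes) {
    $found = Get-ADObject -SearchBase $RootDSE.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$c)"
    '{0,-28} {1}' -f $c, $(if ($found) { 'present' } else { 'MISSING - schema not extended' })
}

# 2) Permissions: the site server computer account needs Full Control (GenericAll) that applies to
#    "This object and all descendant objects", i.e. InheritanceType All on the container's ACL.
$full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl  = Get-Acl -Path "AD:\$Container"
$rule = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\$SiteServer`$" -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $full) -eq $full)
}
if (-not $rule) {
    "No Allow Full Control ACE for $SiteServer`$ on $Container"
} elseif ($rule.InheritanceType -notcontains [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All) {
    "Full Control ACE found, but it does not apply to all descendant objects (InheritanceType: $($rule.InheritanceType))"
} else {
    "Full Control with inheritance to all descendants is granted to $SiteServer`$"
}

# 3) Site object: ask every DC directly (not only the one ADUC/ADSIEdit happens to be bound to),
#    including tombstoned copies, because error 8205 means an attribute or value already exists.
#    A tombstone's cn is mangled to "SMS-Site-QRS\0ADEL:<guid>", hence the trailing wildcard.
foreach ($dc in Get-ADDomainController -Filter *) {
    $objs = Get-ADObject -Server $dc.HostName -SearchBase $RootDSE.defaultNamingContext `
              -LDAPFilter "(cn=SMS-Site-$SiteCode*)" -IncludeDeletedObjects -Properties isDeleted
    if (-not $objs) { "$($dc.HostName): SMS-Site-$SiteCode not found (live or tombstoned)" }
    foreach ($o in $objs) {
        "$($dc.HostName): found $($o.DistinguishedName) (deleted=$([bool]$o.isDeleted))"
    }
}
```

Run it as an account that can read the schema and the container ACL; a tombstone that shows up on only one DC points at the replication or lingering-object angle raised later in the thread.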
  • Could you try to setup a domain admin account instead of machine account, to publish SCCM in AD, in forest discovery setting you can specify an account.
    Thursday, July 19, 2012 9:01 AM
  • I would try ADSIEDIT (started as Administrator from the command line) instead of ADU&C to see the object and permissions.

    -Alex


    Alex Ignatenko | MCITP:Lync 2010, Messaging, Server 2008 | MCTS:UC Voice, Virtualisation, SCCM, SCOM, OCS | MCSE: Security

    Thursday, July 19, 2012 4:13 PM
  • Could you try to setup a domain admin account instead of machine account, to publish SCCM in AD, in forest discovery setting you can specify an account.

    There is no such setting in AD Forest discovery settings. You can specify an account only in AD Groups discovery settings. Anyways I've tried to give Full Control permissions to Everyone group, and still no luck.

    Friday, July 20, 2012 4:24 AM
  • Alex,

    I've used both ADUC and ADSIEdit tools. The result is the same. Anyways I've deleted System Management container and recreated it, so even if there were some invisible objects, they were deleted.

    Friday, July 20, 2012 4:26 AM
  • Could you try to setup a domain admin account instead of machine account, to publish SCCM in AD, in forest discovery setting you can specify an account.

    There is no such setting in AD Forest discovery settings. You can specify an account only in AD Groups discovery settings. Anyways I've tried to give Full Control permissions to Everyone group, and still no luck.

    You didn't look at the right place. You said you are using SCCM 2012, so you can specify an account for publishing in a forest.

    http://technet.microsoft.com/en-us/library/gg712308#BKMK_ADForestDisc

    Publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified Active Directory Forest Account has permissions to that forest

    • Proposed as answer by JaroslavH Saturday, May 11, 2013 1:28 PM
    Friday, July 20, 2012 6:58 AM
  • You didn't look at the right place. You said you are using SCCM 2012, so you can specify an account for publishing in a forest.

    Ah, yes. Sorry. I've looked in the wrong place indeed.

    I've specified domain's Administrator account for publishing. The object still cannot be created.

    Friday, July 20, 2012 7:33 AM
  • Are your forest and domain functional levels Windows 2008 R2 as well?
    • Edited by jdulongc Friday, July 20, 2012 9:34 AM
    Friday, July 20, 2012 8:33 AM
  • Jdulong,

    No, this is not required. The current level is Windows Server 2003.

    Friday, July 20, 2012 9:36 AM
  • I am currently experiencing the same exact issue.  Did you ever resolve this?
    Thursday, November 1, 2012 3:55 PM
  • What issue? What are you trying to do? What exactly, step-by-step have you done? What are the results? Do you get a message? An error code? Have you examined the log file?

    Jason | http://blog.configmgrftw.com

    Thursday, November 1, 2012 4:13 PM
    Moderator
  • Same issue here.

    I've done many installations before but this time I'm stuck. I've created the container and given it full permissions for the site server machine account (including all descendant objects), but SCCM 2012 still cannot create the necessary objects in it. According to hman.log the System Management container exists but it cannot write to it. The AD schema hasn't been extended. My customer is hesitant for now, so we plan to extend it later. And afaik SCCM can also operate without issues without extending the schema. Any idea about the issue?

    Wednesday, December 12, 2012 12:48 PM
  • Publishing to AD without having the schema extended does not make sense. ConfigMgr can work without publishing to AD, but it's easier if the schema is extended and publishing is active. Why is the customer hesitant?

    Torsten Meringer | http://www.mssccmfaq.de

    Wednesday, December 12, 2012 1:05 PM
  • Torsten is exactly right. Extending the schema creates classes which you can think of as templates for objects that ConfigMgr needs/wants to create. Thus, without these classes, ConfigMgr cannot create these objects.


    Jason | http://blog.configmgrftw.com

    Wednesday, December 12, 2012 2:19 PM
    Moderator
  • My previous installations all included the "extend schema" step and I never had a problem. Well, after extending the schema all those errors are finally gone. But I thought SCCM could work without extending the schema. Despite all those errors it could work, right? Thank you.
    Thursday, December 13, 2012 9:10 AM
  • Please re-read my reply and Torsten's. ConfigMgr *can* work without extending the schema. Publishing site information to AD cannot work without extending the schema though. Your errors directly stem from the fact that you have AD publishing enabled.

    Jason | http://blog.configmgrftw.com

    Thursday, December 13, 2012 6:48 PM
    Moderator
  • Now I got it! Thank you very much.
    Friday, December 14, 2012 9:00 AM
  • Now I got it! Thank you very much.

    In your original post you said you extended the schema:

    1) Schema was extended. In fact I ran the utility many times, including running it in an elevated command prompt on the DC holding the Schema Master FSMO role. It keeps telling me that it successfully extended the schema. In the AD Schema Management console I can see four object classes related to SCCM.


    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

    Saturday, June 1, 2013 6:22 PM
    Moderator