anyweb

how can I create the System Management Container in Active Directory

Question

Using Adsiedit, create a container in AD, in CN=System, called System Management: right click on CN=System and choose New Object, scroll down to container in the list, click next, and give it a value of System Management.

adsiedit.jpg

In Active Directory Users and Computers, expand the System container and right click on System Management.

Choose delegate control, click next, click add, click object types, add computers, click ok, advanced, find now.

Highlight the SCCM servername and click ok.

Click OK again, click Next in the Delegation of Control Wizard page, choose 'create a custom task to delegate'.

Click next, make sure 'this folder, existing objects in this folder and creation of new objects in this folder' is selected.

Click next, make sure the 3 permissions General, Property-Specific and Creation-deletion of specific child objects are selected, then place a check mark in FULL CONTROL

and click next then Finish.

Failure to do the above will mean that the System Management Container in AD will NOT POPULATE with SCCM specific info and you will see many errors in SCCM site status.

Once the permissions are granted correctly, it will look like this:

container_privs.jpg

 

done !
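
The ADSI Edit and Delegation of Control steps in the post above, scripted as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, an account allowed to modify CN=System, and a hypothetical site server named SCCM01.

```powershell
# Added example: script the ADSI Edit + Delegation of Control Wizard steps.
Import-Module ActiveDirectory

$SiteServer  = 'SCCM01'    # hypothetical site server name (assumption)
$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"

# Create CN=System Management only if it is not already there.
$existing = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
    -Filter 'Name -eq "System Management"'
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# The trustee is the site server's computer account (displayed as SCCM01$).
$sid = (Get-ADComputer -Identity $SiteServer).SID

# GenericAll is what the wizard calls Full Control; inheritance 'All' means
# this object and all descendant objects.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $rights, $allow, $inherit

# Append the ACE to the container's existing DACL and write it back.
$path = "AD:\$containerDN"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Read the ACL back and show only the entries for the site server account.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$SiteServer`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, AccessControlType
```

The final pipeline should list an Allow entry with GenericAll and InheritanceType All for the computer account; if it is empty, the delegation did not apply.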


I know this thread is a bit old, but we just got SCCM 07 / FEP 2010 installed in our environment and I am having a heck of a time configuring it. Up until recently, I wasn't able to see any PCs in the configmgr console. Now they show up under "All Systems" and the "All Users" but when I go to push the client to them, nothing happens. The field that shows if they have the client or not says "No" and I can't find out what's wrong here. I'm under the impression I'm missing a lot of the underlying connections that need to be made here. I get stuck halfway through the OP's solution on the first page.

 

I tested the installation of ConfigMgr. client on my PC and it does show up in the control panel. Once in CfgMgr under the Actions tab I only see two actions:

 

 

Machine Policy Retrieval & Evaluation Cycle

 

User Policy Retrieval & Evaluation Cycle

 

 

I had manually run the ccmsetup.exe from my command line but was hoping to do this by pushing from the SCCM server. Is this even possible? Our solution is hosted and SCCM & FEP reside on a virtual machine. It is still on the same domain but for some reason none of the collections update with any PCs.

 

Also, when I go to the Advanced tab and attempt to discover the site code, it fails.

 

Over the weekend I was looking at the event viewer/log and it was chock full of errors. I tried weeding through them but this is my first experience with SCCM/FEP in general. I may be way in over my head here but I'd really like to see if I can configure this myself before resorting to requesting help from our vendor as they may charge through the roof, claiming that this implementation was new to them.

 

I'm not sure if it will be much help but I've attached a screenshot of the property sheet for my machine specifically. There are a lot of <null> fields. This can't be normal? Where are the log files I can look at and post if need be?

 

 

Thanks in advance for any guidance. It's very much appreciated.

post-11064-0-11159000-1312466962_thumb.png


Hi,

I've been following through all the instructions throughout various posts in the thread but seem to be stuck getting the System Management container to populate with data. I'm running Win2k8 R2 on both the SCCM machine and AD and I'm attempting to install SCCM2012 RC1 new into the environment (e.g. no prior 2k7 installation).

 

I successfully updated the AD schema for SCCM from a SCCM2k7 disc we have, also tried the 2012 build, both times read successful:

<02-07-2012 10:14:01> Successfully extended the Active Directory schema.

 

Effectively the error I'm getting during the pre req check for SCCM2012 is this:

<02-07-2012 11:04:09> ERROR: Site server does not have create child permission on AD 'System Management'

<02-07-2012 11:04:09> WARN: Site server does not have delete child permission on AD 'System Management'

<02-07-2012 11:04:11> scm01pa.local; Site server has permissions to publish to Active Directory.; Warning; The site server is unable to publish to Active Directory. Check that you have granted the site server's computer account full permissions to the System Management container in its Active Directory domain.

 

The System Management container has been created and has the appropriate permissions from everything I can see:

 

 

sccm2012_ad.png

 

 

The server name is obviously scm01pa and as you can see it's been delegated control of the System Management container. Any help would be greatly appreciated as this one's got me stumped.


Fixed. It was Microsoft and their bloody wording in the error message :) I never proceeded with the install past the pre req as I figured there was no point if it was going to fail populating the System Management container with data. I noticed after my post above RC2 has been released so I thought I'd give that a whirl instead, thinking it was probably going to be a longshot but you never know.

 

Anyway, it all comes down to the way Microsoft worded their error between RC1 and RC2.

RC1 error:

-----------------------------------------

Warning; The site server is unable to publish to Active Directory. Check that you have granted the site server's computer account full permissions to the System Management container in its Active Directory domain.

-----------------------------------------

 

RC2 error:

-----------------------------------------

Warning; The site server might be unable to publish to Active Directory. The computer account for the site server must have Full Control permissions to the System Management container in its Active Directory domain.

-----------------------------------------

I decided to proceed anyway and hey presto, all good, the System Management container populated with data.


Well, in both cases it's not an Error, it's a warning, and you can always continue with warnings but not with Errors. Good point though, and good to see Microsoft is listening to bugs/dcr's filed and acting on them.


Yeah, what threw me was that even though the installer said it was a warning, when I jumped into ConfigMgrPrereq.log to take a closer look at the problem, that's where I noticed it was spitting out an error with creating child permissions which I thought was directly related to the warning.


Does the Computer$ account really need FULL CONTROL on the container System Management?

Or can the Computer$ account have FULL CONTROL at installation and then later change it to just FULL CONTROL for the self-created sub-containers?

The reason for this question is that we are gonna have a customer in another "main Domain" and will only have FULL CONTROL over one small "OU".
