Cannot publish container information
What's wrong? SCCM cannot publish the management point information in Active Directory. This is the message that's shown in the log file. The container is created in Active Directory, I extended the schema using ExtADSchm, and the permissions are already set up, but the information is not published to the container. The Active Directory was already extended to support SMS 2003, and then I read that I have to change the ldf file and use the ldifde tool, but the tool doesn't update the schema because it's already updated. So I used the -k switch to ignore the Already Exists messages. I've checked the schema and all the attributes are OK. What's wrong with my environment? Thanks
September 2nd, 2008 6:35pm

My guess: Site server computer account has full control permissions only to System Management container. It should have "This object and descendant objects". You have to use Advanced Security Settings. Panu
September 2nd, 2008 6:53pm

Panu, thanks, but I've already given these permissions to all objects. Additional information: 2000 Active Directory in Native Mode
September 2nd, 2008 7:17pm

Panu's response is all that I'm aware of. The only time I've ever heard this is when the site server computer account does not have Full Control to the System (or System Management container is pre-created) AND all child objects. Are you using groups instead of directly adding the computer account to this object in AD? If so, maybe you have not rebooted the computer after adding it to the group (which is required).
September 2nd, 2008 8:11pm

No, I'm just adding the machine account on the System Management container. I found another problem: inside the System container, I can't create any objects. I receive the following error: The server is unwilling to process the request. I've checked the permissions on the System container against my virtual machine (all working) and I can't find where the problem is.
September 2nd, 2008 9:02pm

Well, that would explain it then. If you can't create things outside of Configuration Manager, and you have rights to do so, not sure how we'd be able to either. My *guess* would be some sort of policy or lockdown has been implemented to prevent this from happening. I have no clue as to how, that's completely outside our product. You would need to query some AD dudes on that from what you are saying. Or, there is always the "reboot solves everything" option - not sure it will fix it, but always something to try.
September 2nd, 2008 9:10pm

Hello Wally, thanks for the support. I really don't know what's going on here with this customer. After a couple of hours, and after disabling and enabling the option for Configuration Manager to publish the information in Active Directory, two containers appeared like magic in the System Management container (Management Point and SLP). But other records, like SMSSite, weren't there, so I created this record manually. I'm here just to implement a Proof of Concept scenario, so I won't do deep support on this AD problem. Thanks, Carlos A.
September 2nd, 2008 10:55pm

You can't create our objects manually. You would not have the data needed. If the objects can't be created, you should check the hman.log and sitecomp.log for the errors they report. But manual object creation won't work. Hman creates the site object while sitecomp would add the SLP and MP. So maybe Hman just had not tried since the change (it tries hourly).
September 2nd, 2008 11:02pm

hman.log gives me this info:
Update Site Boundaries in Active Directory
Active Directory DS root: .......
Could not obtain Access to Active Directory. HRESULT=8007200A
And the sitecomp.log, before the containers inside System Management, shows:
Cannot publish SERVERNAME as a Management Point into Active Directory ....
Cannot publishing SERVERNAME as an SLP into Active Directory ....
After the containers were created:
Publishing SERVERNAME(ServerName.domain) as a Management Point into Active Directory
SMS-MP-A01-SERVERNAME successfully updated. ....
Publishing SERVERNAME as an SLP into Active Directory
SLP Class SMS-SLP-A01-ServerName already exists. Updating SMS-SLP-A01-ServerName successfully updated. ....
The only thing I created manually was the SMS-Site-A01, Type mSSMSSite.
September 2nd, 2008 11:16pm

Hi! I'm having the same problem myself. I was able to get MP and SLP information out but am also missing the SMS-SITE-CEN and A01 AD entries. I also have the problem you described in my hman.log. Do you have boundaries configured for your site servers? I don't, since my servers are only test systems so far. I am not sure if boundaries are a prerequisite to publish site information to AD. Fredrik Campelo
October 29th, 2008 7:49pm

Fredrik & Carlos, I ran into the same issue at my company and, through quite a bit of troubleshooting, figured out our issue. This may OR may not be the same issue you are running into. We had our site roles (the MP & SLP containers) publishing to Active Directory, but our SMS Site was not being published. Technically you can still get your SMS site working like this, you just need the SLP and won't be able to support all the AD features. In the hman.log, you see the following:
Update Site Boundaries in Active Directory
Active Directory DS Root : DC=mysite,DC=myzone,DC=mycompany,DC=org
Could not obtain Access to Active Directory. HRESULT=8007200A
What I found out was that our company had modified (tightened) security on our System Container in AD. Our SMS Site did not have list or read access to the System Container. You can validate this by using the "effective permissions" tab in the advanced window of security permissions. During our SMS/SCCM install, we had manually created the Systems Management Container and given full control through a global group on that new container. This allowed the site roles to publish, but not the site object. The PROBLEM is that the site object (SMS-Site-XXX) publishes with a slightly different method. You can see from the log above that it connects to the root and appears to walk itself down the path to the System and then Systems Management container to publish its site. Of course it can't read the System container, so it errors out. Once I figured this out, we gave the SMS Site "read" access to the System Container, and then on its cycle (I told SMS to publish again), it created the SMS site! Default AD installation leaves authenticated users read access, so this may only be your issue if permissions have been modified. I will say that the documentation for installing SCCM does not make any implications about the System container, but this is probably because it assumes default AD values.
Once you have made the change, you will see the following in the log. In the hman.log, after you fix the System Container, you will see the following:
Update Site Boundaries in Active Directory
Active Directory DS Root : DC=mysite,DC=myzone,DC=mycompany,DC=org
Searching for the System Management Container.
System Management container exists.
Searching for SMS-Site-MY1 Site Object
SMS-Site-MY1 doesn't exist, creating it.
SMS-Site-MY1 successfully created.
I'd love to know if this works for you! I have tested this several times (in our production and test domains) and this is definitely something to be aware of - or maybe document. The SCCM installation guide does not imply that you need access at the System container (http://technet.microsoft.com/en-us/library/bb633169.aspx). This may be corrected in future service packs/etc, but we are at SCCM R2 right now and still had the problem. Thanks! Wally, thanks for being so diligent in helping us out in these forums! For anyone who has not attended MMS or been to any of the classes Wally teaches - I highly recommend it!
November 5th, 2008 11:52pm
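
The log pattern described in the post above (site roles publish, the site object does not, and hman.log reports an access failure), as an added example that is not part of the thread or of Configuration Manager. The function names `decode_hresult` and `triage` are hypothetical, and the sample text is constructed from the excerpts quoted in this thread.

```python
import re

# Constructed sample: message text modelled on the hman.log and sitecomp.log
# excerpts quoted in this thread (real logs wrap each message in extra metadata).
SAMPLE_LOG = """\
Publishing SERVERNAME(ServerName.domain) as a Management Point into Active Directory
SMS-MP-A01-SERVERNAME successfully updated.
Publishing SERVERNAME as an SLP into Active Directory
SMS-SLP-A01-ServerName successfully updated.
Update Site Boundaries in Active Directory
Active Directory DS Root : DC=mysite,DC=myzone,DC=mycompany,DC=org
Could not obtain Access to Active Directory. HRESULT=8007200A
"""

OBJ_OK = re.compile(r"\b(SMS-(MP|SLP|Site)-[\w-]+) successfully (created|updated)", re.I)
HRES = re.compile(r"Could not obtain Access to Active Directory\. HRESULT=([0-9A-Fa-f]{8})")

def decode_hresult(hex_text):
    """Split an HRESULT into (failed, facility, code)."""
    value = int(hex_text, 16)
    # For 8007200A: facility 7 is FACILITY_WIN32 and code 8202 is
    # ERROR_DS_NO_ATTRIBUTE_OR_VALUE, a directory read that returned nothing.
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(log_text):
    """Summarise which AD objects published and whether the site object is blocked."""
    published = {"MP": False, "SLP": False, "SITE": False}
    access_errors = []
    for line in log_text.splitlines():
        ok = OBJ_OK.search(line)
        if ok:
            published[ok.group(2).upper()] = True
        err = HRES.search(line)
        if err:
            access_errors.append(decode_hresult(err.group(1)))
    roles_ok = published["MP"] or published["SLP"]
    # Pattern from the thread: roles publish under System Management, the site
    # object does not, and hman fails while walking down from the domain root.
    suspect = roles_ok and not published["SITE"] and bool(access_errors)
    return {"published": published, "access_errors": access_errors,
            "check_system_container_read": suspect}
```

When `check_system_container_read` is true, the next step is the one the post describes: confirm the site server's effective read/list permission on the System container itself, not only on System Management.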

Hi! I saw this post this morning. We reconfigured AD and everything worked beautifully. Thanks a lot for helping us out. /Fredrik
December 11th, 2008 1:13pm

I have been going nuts for the last few hours!!! Thanks for this post, I needed to add read access to the System container as you stated!!!!! Thanks!!!!
June 2nd, 2009 3:27am

I've been banging my head for the last two hours. Thanks to your post I was able to resolve the issue!!
May 9th, 2011 12:53pm

This topic is archived. No further replies will be accepted.
