Error in SMS_HIERARCHY_MANAGER component in SCCM Secondary Server
Hi All,

I have 1 Central, 2 Primary and 10 Secondary SCCM servers. For one Secondary server, I am getting the following error message repeatedly at an interval of 1 hour. There is a security group of which all SCCM Secondary servers are members. This security group has full permission on the System Management container in AD, and it even has full permission in Advanced, that is, "This object and all of its child objects". On the SCCM Secondary server on which I am facing this issue, the Primary reporting server is a member of "SMS_SiteToSiteConnection_KTA" and even a member of the Local Administrator group on this server. Please see the complete error below. What could be the issue?

Systems Management Server cannot update the already existing object "SMS-Site-KTA" in Active Directory.

Possible cause: This site's SMS Service account or the site server's machine account may not have full control rights for the "System Management" container in Active Directory
Solution: Give the site's SMS Service account full control rights to the "System Management" container, and all child objects in Active Directory.

Possible cause: The Active Directory object "SMS-Site-KTA" has been moved to a location outside of the "System Management" container, or has been lost.
Solution: Delete the object from its current location, and let SMS create a new object.

Possible cause: The Active Directory schema has not been extended with the correct SMS Active Directory classes and attributes.
Solution: Turn off Active Directory publishing for each site in the forest, until the schema can be extended. The schema can be extended with the tool "extadsch.exe" from the SMS CD.

Thanks & Regards
Deepak Kumar
November 30th, 2010 4:20pm

Deepak, this error is generally as described, an AD permissions issue on the System Management container. Since you are providing access via a security group for all secondary site servers and only one is generating the error, the permissions for the group must be correct. Therefore it should simply be a group membership issue.

The first step to verify this is to temporarily grant the secondary site server computer account permissions directly to the System Management container. Apply this to the DC that is local to the secondary site server and the hourly errors should stop.

There are two factors to consider regarding the secondary site server's membership of the security group:

1. This will only take effect after the server has been rebooted.
2. Remember to factor in directory replication; i.e. if you add the secondary site server to the security group on a central DC and reboot the server soon after, it will probably not get the updated access token as the security group membership may not have replicated to the local DC.

Alan
December 2nd, 2010 3:39pm
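The checks described in the reply above (group membership as seen by the local DC, full control with inheritance on the System Management container, and whether the server was rebooted after the membership reached that DC), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module and remote CIM access to the site server; the server, group and DC names are placeholders.

```powershell
# Added example: the three values below are placeholders, not names from the thread.
Import-Module ActiveDirectory

$SiteServer = 'SECONDARY01'          # placeholder: secondary site server computer name
$GroupName  = 'SCCM-Site-Servers'    # placeholder: group holding the site server accounts
$LocalDC    = 'dc-local.example.com' # placeholder: DC in the secondary site server's AD site

# Everything is read from $LocalDC so the result reflects what that DC has
# actually received through replication, not what a central DC holds.
$domain    = Get-ADDomain -Server $LocalDC
$container = "CN=System Management,CN=System,$($domain.DistinguishedName)"
$computer  = Get-ADComputer -Identity $SiteServer -Server $LocalDC
$group     = Get-ADGroup -Identity $GroupName -Server $LocalDC -Properties whenChanged

# 1. Is the computer account in the group (directly or nested) on this DC?
$isMember = [bool](Get-ADGroupMember -Identity $group -Server $LocalDC -Recursive |
    Where-Object { $_.SID -eq $computer.SID })

# 2. Allow ACEs on the container for the group or the computer account itself,
#    matched by SID so unresolved or renamed accounts are still found.
$sids = @($group.SID.Value, $computer.SID.Value)
$sd   = (Get-ADObject -Identity $container -Server $LocalDC -Properties nTSecurityDescriptor).nTSecurityDescriptor
$aces = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $sids -contains $_.IdentityReference.Value }

# Full control that also covers child objects: GenericAll with inheritance 'All'.
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$fullControl = [bool]($aces | Where-Object {
    ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll -and $_.InheritanceType -eq 'All'
})

# 3. Did the server boot after this DC last recorded a change to the group?
#    whenChanged is kept per DC, so a later boot means the access token was built
#    after the membership arrived here; an earlier boot is inconclusive.
$lastBoot = (Get-CimInstance Win32_OperatingSystem -ComputerName $SiteServer).LastBootUpTime

[pscustomobject]@{
    MemberOnLocalDC       = $isMember
    FullControlInherited  = $fullControl
    GroupChangedOnLocalDC = $group.whenChanged
    ServerLastBoot        = $lastBoot
    BootedAfterChange     = $lastBoot -gt $group.whenChanged
}
$aces | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```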

Hi Alan,

Thanks for the reply. I think you are right. I will check your suggestions and will let you know the update on this. But before we give permission to the secondary site server computer account on the System Management container in AD, do we need to remove this secondary server computer account from the security group first and then add it, or can I directly add this secondary server computer account on the local DC without removing this secondary server from the SG group?

Thanks & Regards
Deepak Kumar
December 3rd, 2010 1:58am

No need to remove it from the group.
December 3rd, 2010 3:01am

This topic is archived. No further replies will be accepted.