Hi Everyone, We have a multiple site hierarchy with about 25 Secondary Sites. All Secondary Site servers are added to a "SCCM Servers" group and this group had been granted Full Control permissions to the System Management Active Directory container and all child objects. On ONE Secondary Site we are receiving an Error Code = 8228 when the Site Component Manager attempts to publish its MP info to AD. Here are the log entries from SiteComp.log: Publish Servers in Active Directory. SMS_SITE_COMPONENT_MANAGER DS Root:DC=xxx,DC=xxx,DC=ad,DC=xxx,DC=com Searching for the System Management Container. LDAP://CN=System Management,CN=System,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com container exists. Site System <ServerName> is the Default Management Point. No Fallback Status Point installed on the Site Size of Signing Certificate: 0 Signing Certificate: Checking configuration information for server: <SserverName>. <ServerName> is the Default MP. Updated MP Configuration for <ServerName>. Installing Security settings on site system ... Security settings are up to date for <ServerName>. Installing DNS publishing settings on site system ... DNS publishing settings are up to date for <ServerName>. Publishing <ServerName>(<ServerName>.xxx.xxx.xxx.xxx.com) as a Management Point into Active Directory. SMS-MP-<SiteCode>-<ServerName> could not be updated, error code = 8228. SMS-MP-<SiteCode>-<ServerName> could not be updated (using SMSv1 Schema), error code = 8228. STATMSG: ID=4912 ... Looking up the error code, 8228 = "The administrative limit for this request was exceeded.". Give me an "Access is Denied" and I have something to work with here. But what the heck does "The administrative limit for this request was exceeded." mean in this context?! Looking in AD, I can see the object is already there but it seems we're having a problem updating it. I've tried unchecking the site from publishing to AD and re-enabling it but as expected, that didn't resolve it. I'm thinking to turn it off again and then remove the existing entries for this site from AD via ADSIEDIT.MSC and then re-enable and see what happens but I need to jump through some security hoops to do that so in the meantime, looking for any further info on this error. I found Microsoft article http://support.microsoft.com/kb/838872 with a similar error regarding Site Boundaries but it doesn't seem to apply to what we're running into here. Anyone run into this before or have any suggestions? Thanks, -Jeff

Try just deleting the object that it is having issues updating and it should recreate it when you restart the SMS_EXECUTIVE on the secondary. I know it is not explicitly access denied, but did you reboot the site servers after adding them to the group you are granting permissions to?Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys

Hi SMS Marchall. Yeah I saw that one (as I linked to it in my initial post). We have 200 and change.

Hi Everyone, Just wanted to post to close out the thread. As suspected, it turned out to be the DC at the remote location and the fact that it apparently hadn't been syncing with the rest of the domain since the spring (that's when I'm told the schema was updated for SCCM 2007 SP2)! Amazing... :) Once we handed that back over to the AD team here and they finally got the server synched up the DC got the updated schema and the site was able to publish successfully. Thanks, Jeff

Hi Jason, Thanks for the reply. Yeah that's what I was thinking too. Someone else in the organization added it to the group originally so not sure if they had rebooted it or not since adding it to the group, so I went ahead and did so but still had the same problem after reboot. Just got the object deleted from AD and restarted SMS_SITE_COMPONENT_MANAGER. No joy. SiteComp.log: SMS-MP-MON-<SERVERNAME> could not be updated (using SMSv1 Schema), error code = 8228. Thanks, -Jeff

Looks like the DC at that location is having issues. Will wait for the AD guys to resolve whatever those issues are and then revisit. Seems we're getting the same error even when trying to add a user to a group when connected to that DC.

How about other object SMS-site-<sitecode> ? Is this object getting created? Have you tried to remove MP and install it again? Anoop C Nair - Twitter @anoopmannur MY BLOG: http://anoopmannur.wordpress.com SCCM Professionals This posting is provided AS-IS with no warranties/guarantees and confers no rights.

Looks like the DC at that location is having issues. Will wait for the AD guys to resolve whatever those issues are and then revisit. Seems we're getting the same error even when trying to add a user to a group when connected to that DC. Out of interest, how many objects do you have in your systems management container? http://support.microsoft.com/kb/838872