Re: Error message in site component manager

Correct. On a side note; a tip I was given a long time ago I'll pass on. In
AD, I have a group called SMS_Site_Servers. I grant that group access rights
to that container, as well as put that group in the local groups necessary on
all SMS Site Servers. The contents of that ad group are the computer
accounts of all my SMS Servers. You will need to reboot your SMS Servers at
least once after adding it's computer account to this group; but from then
on, whenever I need to do a lease return or need a new site, I just add the
computer account into the group; add the group into the new computer's local
groups; and I can essentially forget about rights. The theory is that these
are computers--let them them have the rights. If these were user accounts,
you might need to worry about the security impact of having users with these
rights... but these are computer accounts.
--
Standarize. Simplify. Automate.


"apereira" wrote:

Thanks for the response. When you state COMPUTER does this mean lets say
server name ABC. I then go to AD and then to the systems management container
and add ABC with full access rights.

I just want to make sure I understand correctly.

"Kim Oppalfens [MVP]" <""Kim dot Oppalfen" wrote:

apereira wrote:
Would you know what user would need access to the ad container?

"Bruno" wrote:

Hi
For what i read, there might be a problem with the permissions on the
'System management' container in AD.
hope it helps

"apereira" wrote:

Hello,

I am getting the following error message in the SMS_MP_CONTROL_MANAGER here
is the following error message

"The SMS Service Host (CCMEXEC) was unable to update certificate information
in the Active Directory."

I am running the following

1 forest
Windows 2003 SP2
SMS 2003 SP3

Any ideas?

Thanks

The site server COMPUTER account needs this access.
It needs full control on the system management container AND all child
objects. You can set the permissions on the advanced tab of your ad
security properties for the systems management container.

Sorry to put things in capital, but it is just to highlight the mistakes
most people make against this.

--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

.

Relevant Pages

  • RE: SMS is not seeing all computers
    ... It could be something as simple as rebooting those site servers so their ... SMS tries to publish in to A/D. ... The majority of our desktops are in B1 ... Nothing has been published in the AD Systems Management container the ...
    (microsoft.public.sms.admin)
  • Re: Error message in site component manager
    ... accounts of all my SMS Servers. ... computer account into the group; add the group into the new computer's local ... and I can essentially forget about rights. ... I then go to AD and then to the systems management container ...
    (microsoft.public.sms.setup)
  • Re: subnet inclusion in the AD site boundary is not being seen by
    ... Are you sure the other 50 servers weren't manually assigned? ... Windows Server System MVP - SMS ... subnet to the SMS site boundaries - even though their subnet is already part ... the sms client is in the correct ad site ...
    (microsoft.public.sms.setup)
  • Re: Event 4319 after secondary site server rebuild
    ... Yes, both the secondary site server's computer account, as well as the SMS ... Service account have full control on the System Management container, ... direct permission assignment, ...
    (microsoft.public.sms.admin)
  • Opinions: Is SMS an option for this scenario?
    ... client machines, plus servers. ... So my question is, without you knowing all of the details, could SMS ... foot opinions on how appropriate SMS might be in our situation. ...
    (microsoft.public.sms.admin)