FIX: Insufficient Access Rights Issue with SCCM AD Forest Publishing | Win32 error = 5

Let’s fix the insufficient access rights issue with SCCM Active Directory Forest publishing. AD forest publishing is important for domain-joined Windows 10 and Windows 11 devices to locate the SCCM Management Point.

I have noticed that the SCCM secondary site can’t publish its site details into the Active Directory forest. In this scenario, the primary and secondary servers are in the same domain; hence there is no need to create a new System Management container.

When you have SCCM site systems (MP, DP, etc.) in untrusted forests, you will come across some interesting scenarios during AD forest publishing. I have explained the details in the sections below.

Publishing the SCCM secondary server Management Point (MP) and boundary group details to the Active Directory forest is important for SCCM clients to work as expected. If the clients in the secondary site are not working properly, they might not be getting the secondary site MP information from AD.


SCCM Active Directory Forests

The SCCM Active Directory Forests node is where you can see how many Active Directory forests are connected to the SCCM environment. This node also gives you the AD publishing details of each site.

Whenever you add a new SCCM Site System or Site System Server from a new Active Directory forest, the new AD forest will show up automatically in the SCCM Active Directory Forest node. You can check this from the following location in the console.

\Administration\Overview\Hierarchy Configuration\Active Directory Forests

As you can see below, the secondary server AD publishing is not working. It gives the error Insufficient Access Rights. We will see more details of this issue in the section below.


SCCM Untrusted AD Forest Publishing Status

For untrusted AD forests, you will need to ensure that a service account with the appropriate permissions on the System Management container is added to SCCM. DNS resolution to the untrusted AD forest’s domain controller should also be in place.

  • Navigate to \Administration\Overview\Hierarchy Configuration\Active Directory Forests
  • Select the AD forest from the list and click Properties on the ribbon menu.
  • Add a new account from the untrusted domain under Active Directory Forest Account.

The AD Forest Account connects to the specified forest to discover AD sites and IP subnets. It is also used to publish site information to the Active Directory forest. CAS and primary sites can connect using either the computer account or a specified account.

Related Post: ConfigMgr SCCM Untrusted Forest AD System Discovery Issue (HTMD Blog, anoopcnair.com).

NOTE! – The SCCM secondary site always connects using the computer account, because the secondary server should always have a two-way trust with the primary server’s AD forest.


Check ADSIEDIT.MSC to Confirm Published SCCM Records in AD

Let’s check ADSIEDIT.MSC to confirm the published SCCM records in AD. You can use the ADSIEdit.MSC tool to get the AD forest publishing details. From ADSIEdit, you can check whether the secondary server’s site and boundary information is published in the Active Directory forest.

I can see that only the primary server (site code = MEM) MP, Boundary, and Site details are available in the Active Directory forest. We will see how to fix the secondary server AD forest publishing issue.

  • Open ADSIEdit.MSC.
  • Navigate to the System Management container.
  • Check whether the primary site details, such as the MP, Site, and Boundary objects, are published in the AD forest or not.

NOTE! – The SCCM secondary server (site code = HSO) cannot publish its Site, Boundary, and MP details because of Win32 error = 5. The published objects follow these naming patterns:

SMS-MP-<site code>-<site system server name>
SMS-<site code>-<Boundary Group 1>
SMS-<site code>-<Boundary Group 2>
SMS-<site code>-<Active Directory site name or subnet>

SiteComp.log file on Secondary Server Win32 error = 5

This is the SiteComp.log file from the SCCM secondary server where AD publishing is failing with Win32 error = 5. The secondary server couldn’t create its secondary site and boundary details in Active Directory.

Installing DNS publishing settings on site system …
DNS publishing settings are up to date for MEMCMSECONDARY.MEMCM.COM.
SMS-MP-HS0-MEMCMSECONDARY.MEMCM.COM could not be created with ConfigMgr 2007/2012 schema, error code = 5.
SMS-MP-HS0-MEMCMSECONDARY.MEMCM.COM could not be created, Win32 error = 5


FIX: Insufficient Access Rights Issue with SCCM AD Forest Publishing | Win32 error = 5

Let’s fix the insufficient access rights issue with SCCM secondary site AD forest publishing (Win32 error = 5). In general terms, Win32 error 5 (ERROR_ACCESS_DENIED) indicates that the caller has insufficient permission to complete the operation, which here means the secondary site server’s computer account lacks rights on the System Management container.

Let’s launch ADSIEdit.msc from the Run menu to check and grant the appropriate permission to the secondary site server’s computer account on the System Management container. If you don’t have a System Management container (which should not be the case), you should create one.

  • Navigate to the properties of the System Management container from ADSIEdit.MSC.

Select the Security tab from System Management Properties.


Select the Security tab in System Management Properties to assign permissions on the System Management container.

  • Click the Add button.
  • Enter the SCCM secondary site server computer account in the box below “Enter the object names to select”.
  • Click Object Types.

Select Computers and click OK.


Click OK to continue with the selection.

  • Select the SCCM secondary site system computer account.
  • Select the Full Control permission.
    • Repeat this step for all the site servers in this domain, if there are any.
  • Click the Advanced button.

Select the site server’s computer account.

Select the Edit button.


Select the option “This object and all descendant objects” from the Applies to drop-down. Click OK to continue.

  • Click OK & OK to finish.
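The same permission change, scripted, as an added example that is not part of the original post: it grants each listed site server’s computer account Full Control on the System Management container, inherited by all descendant objects, and then prints the resulting ACE the way the Advanced view in ADSIEdit shows it. It assumes the server name MEMCMSECONDARY (taken from the post’s log lines), that the RSAT ActiveDirectory module is installed, and that it runs as an account allowed to modify the container’s ACL.

```powershell
# Added example (not from the original post). Scripted equivalent of the ADSIEdit steps:
# Full Control for the site server computer account(s), applied to the container and
# all descendant objects. Server name is an assumption taken from the post's SiteComp.log.
Import-Module ActiveDirectory

$serverNames = @('MEMCMSECONDARY')          # add every site server in this domain here
$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"

# The container should already exist; create it only if it is really missing.
if (-not (Get-ADObject -SearchBase $systemDN -SearchScope OneLevel -Filter 'Name -eq "System Management"')) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

$acl = Get-Acl -Path "AD:\$containerDN"
foreach ($name in $serverNames) {
    # ACEs are stored by SID, so resolve the computer account first.
    $computer = Get-ADComputer -Identity $name

    # Skip accounts that already hold Full Control inherited to all descendants.
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $computer.SID -and
        $_.ActiveDirectoryRights -eq 'GenericAll' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -eq 'All'
    }
    if ($already) { "$name already has Full Control on $containerDN"; continue }

    # GenericAll = Full Control; SecurityInheritance All = "This object and all descendant objects".
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $computer.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Verify: list the ACEs for the site server computer accounts only.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $ref = $_.IdentityReference.Value; $serverNames | Where-Object { $ref -like "*\$_`$" } } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The ACL is scoped to the System Management container only, not to the parent CN=System container, which is what the ADSIEdit steps above also do.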

Validation of SCCM AD Forest Publishing

Let’s see how to verify SCCM AD forest publishing. There are two easy ways to confirm whether the permission change allowed the SCCM secondary server to publish its MP, Site, and Boundary details to the Active Directory forest.

  • The SiteComp.log file on the secondary server
  • The publishing status in ADSIEdit

NOTE! – The default reevaluation or retry cycle for all SCCM site components, including AD forest publishing, is 1 hour. So you will need to wait up to an hour to confirm whether the permission fix is working or not.

Another option is to speed up the site component polling cycle using Configuration Manager Service Manager. Follow these steps to restart the site component for the secondary server.

  • Navigate to \Monitoring\Overview\System Status\Component Status
  • Select and right click on the SMS_Site_Component_Manager for the secondary site.
  • Click on the Start button and select Configuration Manager Service Manager.

Select and right-click SMS_Site_Component_Manager in Configuration Manager Service Manager. Select the option called QUERY to check the status of the component or service.

  • Click the RED button after selecting the SMS_Site_Component_Manager service to stop the service for the secondary server.

Start the service again, either by right-clicking the SMS_Site_Component_Manager service or by clicking the green button in the top menu.


Check the SiteComp.log on the secondary server to confirm the SCCM AD Forest publishing activity. I see the following entries immediately after the restart of the secondary server’s SMS Site Component Manager service.

Installing DNS publishing settings on site system …
DNS publishing settings are up to date for MEMCMSECONDARY.MEMCM.COM.
Publishing MEMCMSECONDARY.MEMCM.COM(MEMCMSecondary.memcm.com) as a Management Point into Active Directory.
SMS-MP-HS0-MEMCMSECONDARY.MEMCM.COM successfully created

You will now be able to see a new secondary server Management Point (MP) record in the ADSIEdit System Management container (click Refresh before checking).
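Both validation methods from this section combined into one script, as an added example that is not part of the original post: it scans the tail of SiteComp.log for access-denied publishing failures and successful creations, then lists the SMS-* objects actually present in the System Management container by site code. It assumes the default ConfigMgr Logs folder on the site server, the RSAT ActiveDirectory module, and the object name SMS-MP-HS0-MEMCMSECONDARY.MEMCM.COM from the post’s log lines.

```powershell
# Added example (not from the original post). Log path and expected MP object name are
# assumptions taken from the default install location and the post's SiteComp.log lines.
Import-Module ActiveDirectory

$logPath    = 'C:\Program Files\Microsoft Configuration Manager\Logs\sitecomp.log'
$expectedMP = 'SMS-MP-HS0-MEMCMSECONDARY.MEMCM.COM'

# 1. Log check: error code 5 is ERROR_ACCESS_DENIED, the symptom this post fixes.
$lines   = Get-Content -Path $logPath -Tail 500
$failed  = $lines | Select-String -Pattern 'could not be created.*(Win32 error|error code) = 5'
$created = $lines | Select-String -Pattern 'SMS-\S+ successfully created'
"Access-denied publishing failures in the last 500 lines: $($failed.Count)"
"Successful object creations in the last 500 lines:     $($created.Count)"
$failed  | ForEach-Object { "  FAIL: $($_.Line)" }
$created | ForEach-Object { "  OK:   $($_.Line)" }

# 2. AD check: what is really published under the System Management container.
$containerDN = "CN=System Management,CN=System,$((Get-ADDomain).DistinguishedName)"
$published = Get-ADObject -SearchBase $containerDN -SearchScope Subtree `
    -Filter 'Name -like "SMS-*"' -Properties mSSMSSiteCode |
    Select-Object Name, ObjectClass, mSSMSSiteCode

$published | Sort-Object mSSMSSiteCode, Name | Format-Table -AutoSize

# The secondary MP object must exist once publishing works (refresh ADSIEdit to see it).
if ($published.Name -contains $expectedMP) { "PUBLISHED: $expectedMP" } else { "MISSING: $expectedMP" }
```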


Now, the clients in the secondary site will get the correct management point details according to the boundary group configuration.

Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculated in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
