SCCM Primary Installation Error Attempted to perform unauthorized


This happens only in complex environments :) I know, it is a bit tricky and a long one. I have a working CAS (in the parent domain) and one working primary site (in a child domain). I was trying to set up another primary server (in a second child domain). The installation wizard failed with the following errors. I was on the “Specify Join the primary site to an existing hierarchy” page and had provided the FQDN of the Central Administration Site (CAS) server.

SCCM Primary Server Error

Error “ConfigMgrSetupWizard.log”

ConfigMgrSetupWizard Information: 1 : Cannot detect SMS Type because either SiteServer, SqlServer or SiteServerName is empty.

ConfigMgrSetupWizard Error: 1 : Exception message: [Attempted to perform an unauthorized operation.], Exception details: [System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.

In preparation for the new Primary Site joining the hierarchy, the following steps had been completed. Once the new Primary Site has been connected to the CAS and the CM 12 hierarchy, we can remove the Regional Site Administrator Account from the Full Administrators group and also take away its local admin rights.

Prerequisites Checked:

1. Temporarily added the Regional Site Administrator Account (which will be used to install the primary site) to the local Administrators group of the CM 2012 CAS and the remote SQL Server.

2. Added to the Full Administrators Group via the CAS Administration Console.

3. Added to the CAS SQL Server CM 12 instance with sysadmin rights via SQL Management Studio.

4. Two-way trust between the Parent Domain and the Child Domain (as per the domain admins).

5. The required firewall ports are open (as per the CM 12 documentation).

6. The child domain credential (which is used for the installation of the primary server) has all the required rights/access on the CAS as well as the CAS SQL and child domain SQL servers.

7. The child domain computer account also has the required permissions on the CAS, CAS-SQL and child domain SQL servers.

8. CAS, CAS-SQL and SQL are ping-able from the child domain primary server.

9. Also tried adding the child domain credentials to the local Administrators group of the CAS in the parent domain, etc.

Troubleshooting Performed:

I tried connecting to remote WMI (with WBEMTEST as well as wmimgmt.msc) on the CAS server in the parent domain using child domain credentials. It gives the following error: “Win32: The RPC server is unavailable”. Checked the DCOM and WMI permissions on the CAS server and all looked fine.

When I tried to use the parent domain account (which was used to install the CAS) to install the primary server (in the child domain), the wizard did not stop there. Because of that, I tried connecting to remote WMI on the CAS server with my primary server's computer/system account; unfortunately that is also NOT working.

Root Cause and Resolution:

Took a Network Monitor (netmon) trace and checked the network traffic between the servers to find out where the communication was getting blocked. While checking the network connectivity between the child domain computers and the root domain DCs, we found that we could not communicate with the root DCs on any of the well-known ports required for domain communication.

We raised a firewall request to allow communication between the child domain client subnet and the root DCs on the following ports. This resolved the issue.

– tcp 135

– tcp/udp 389

– tcp 3268

– tcp/udp 88

– tcp/udp 53

– tcp 445

– dynamic RPC ports for NTDS and Netlogon
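The check I would run from the child-domain primary site server before raising the firewall request, added here as an example and not part of the original post. Host names and the root domain name are placeholders; it probes the TCP ports listed above, exercises UDP 53 with a DC-locator lookup against each root DC, and finishes with a DCOM WMI call to the CAS, which is the only practical way to cover the dynamic RPC range.

```powershell
# Added example, not from the original post. Run as the account that will install
# the primary site, from the child-domain server. All host/domain names are placeholders.
$RootDCs    = @('ROOTDC01.parent.example', 'ROOTDC02.parent.example')  # placeholders
$CasServer  = 'CAS01.parent.example'                                   # placeholder
$RootDomain = 'parent.example'                                         # placeholder

# TCP ports from the firewall request. Test-NetConnection only probes TCP, so
# UDP 88/389 are not covered; UDP 53 is exercised by the SRV lookup below.
$TcpPorts = @(
    @{ Port = 135;  Use = 'RPC endpoint mapper (DCOM/WMI, NTDS, Netlogon)' },
    @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 3268; Use = 'Global Catalog LDAP' },
    @{ Port = 88;   Use = 'Kerberos' },
    @{ Port = 53;   Use = 'DNS' },
    @{ Port = 445;  Use = 'SMB' }
)

$results = foreach ($dc in $RootDCs) {
    foreach ($p in $TcpPorts) {
        $open = Test-NetConnection -ComputerName $dc -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $dc; Port = $p.Port; Use = $p.Use; Open = $open }
    }
    # UDP 53: ask the root DC itself for the root domain's DC locator record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RootDomain" -Type SRV `
               -Server $dc -ErrorAction SilentlyContinue
    [pscustomobject]@{ Target = $dc; Port = '53/udp'; Use = 'DNS SRV (DC locator)'; Open = [bool]$srv }
}
$results | Format-Table -AutoSize

# Dynamic RPC ports cannot be probed one by one. A DCOM WMI call to the CAS is the
# realistic test and is the same path the setup wizard takes to find the SMS Provider.
# "The RPC server is unavailable" here points at port 135, the dynamic RPC range or
# name resolution being blocked on the path, not at WMI/DCOM permissions.
$dcom = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $CasServer -SessionOption $dcom -ErrorAction Stop
    Get-CimInstance -CimSession $session -Namespace 'root\sms' -ClassName SMS_ProviderLocation |
        Select-Object SiteCode, Machine, ProviderForLocalSite
}
catch {
    Write-Warning "DCOM/WMI to $CasServer failed: $($_.Exception.Message)"
}
finally {
    if ($session) { Remove-CimSession $session }
}
```

A row with Open = False against every root DC for the same port is the signature seen in this case: a network-level block rather than an account or permission problem.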

Restricting Active Directory replication traffic and client RPC traffic to a specific port

How to configure a firewall for domains and trusts


