SCCM Primary Installation Error Attempted to perform unauthorized ConfigMgr Endpoint Manager
This happens only in complex environments 🙂 I know, it’s a bit tricky and a long one.
I have a working CAS (in the Parent domain) and one working primary site (in another child domain). I tried to set up another primary server (in a second child domain).
The installation wizard failed with the following errors. I was on the page “Specify Join the primary site to an existing hierarchy” and provided the FQDN of the Central Administration Site (CAS) server.
ConfigMgrSetupWizard Information: 1 : Cannot detect SMS Type because either SiteServer, SqlServer or SiteServerName is empty.
ConfigMgrSetupWizard Error: 1 : Exception message: [Attempted to perform an unauthorized operation.], Exception details: [System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
The following steps have been completed in preparation for a new Primary Site to join the hierarchy. Once the new Primary Site has been connected to the CAS and the CM 12 hierarchy, we can remove the Regional Site Administrator Account from the Full Administrators group and local admin rights.
Prerequisites Checked:
1. Temporarily added the Regional Site Administrator Account (used to install the primary site) to the local admin group of CM 2012 CAS and remote SQL Server.
2. Added to the Full Administrators Group via the CAS Administration Console.
3. Added to the CAS SQL Server CM 12 instance with sysadmin rights via SQL Management Studio.
4. Two-way Trust between Parent Domain and Child domain (as per domain admins).
5. The required Firewall ports are open (as per CM 12 documentation)
6. Child domain credential (which is used for the installation of the primary server) has all the required rights/access on CAS and CAS – SQL and child domain SQL servers.
7. Child domain computer also has the required permissions on CAS, CAS-SQL, and child domain SQL servers.
8. CAS, CAS-SQL, SQL are ping-able from the child domain primary server.
9. Also, I tried adding child domain credentials into the local administrators group of CAS in the parent domain, etc…
Troubleshooting Performed:
I tried connecting remote WMI (WBEMTEST and wmimgmt.msc) of the CAS server in the parent domain with child domain credentials. It gives the following error “Win32: The RPC server is unavailable”. I checked DCOM and WMI permissions on the CAS server, and all look fine.
When I tried to use the parent domain account (used to install CAS) to install the primary server (in the child domain), the wizard didn’t stop. Because I tried connecting remote WMI of CAS server with my primary server computer/system account, unfortunately, that is also NOT working.
Root Cause and Resolution:
I have taken a netmon trace and checked network traffic between the servers to find out where the communication was getting blocked. While checking the network connectivity between the child domain computers and the Root domain DCs, we found that we could not communicate with the Root DCs on any of the well-known ports required for domain communication.
We raised a Firewall request to allow communication between the child domain client subnet and the Root DCs, on the following ports. This resolved the issue.
– tcp 135
– tcp/udp 389
– tcp 3268
– tcp/udp 88
– tcp/udp 53
– tcp 445
– dynamic rpc ports for NTDS, Netlogon
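The port list above can be verified from the new primary site server before re-running setup. The script below is an added example, not part of the original post; the DC host names and domain name are placeholders, and it assumes the root DCs also run DNS.

```powershell
# Added example: TCP reachability of the root-domain DCs from the child-domain server.
# $RootDCs and $RootDomain are placeholders (assumptions), not values from the post.
$RootDCs    = @('rootdc01.corp.example', 'rootdc02.corp.example')
$RootDomain = 'corp.example'

# TCP ports from the firewall request above. The UDP side of 389/88/53 cannot be
# proven with a TCP connect; DNS gets a real query below.
$TcpPorts = @(
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 3268; Service = 'Global catalog' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 445;  Service = 'SMB' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # silently dropped
        $client.EndConnect($async)
        return $true
    } catch {
        return $false   # refused, unreachable, or name not resolvable
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in $RootDCs) {
    foreach ($p in $TcpPorts) {
        [pscustomobject]@{
            DC      = $dc
            Port    = $p.Port
            Service = $p.Service
            Open    = Test-TcpPort -ComputerName $dc -Port $p.Port
        }
    }
    # DNS (UDP by default): ask this DC directly for the root domain's DC locator SRV record.
    $dns = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RootDomain" -Type SRV -Server $dc -ErrorAction SilentlyContinue
    [pscustomobject]@{ DC = $dc; Port = 53; Service = 'DNS (query)'; Open = [bool]$dns }
}

$results | Format-Table -AutoSize
# Rows listed here are candidates for a firewall block between the subnets.
$results | Where-Object { -not $_.Open } | Format-Table -AutoSize
```

A successful connect to TCP 135 only proves the endpoint mapper is reachable; the dynamic RPC ports it hands out for NTDS and Netlogon still have to be allowed, or pinned to fixed ports as described in KB 224196.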
Restricting Active Directory replication traffic and client RPC traffic to a specific port – http://support.microsoft.com/kb/224196
How to configure a firewall for domains and trusts – http://support.microsoft.com/kb/179442
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…