SCCM Primary Installation Error Attempted to perform unauthorized ConfigMgr
This happens only in complex environments 🙂 I know it’s a bit tricky and a long one.
I have a working CAS (in the Parent domain) and one working primary site (in another child domain). I tried to set up another primary server (in a second child domain).
The installation wizard failed with the following errors. I was on the page “Specify Join the primary site to an existing hierarchy” and provided the FQDN of the Central Administration Site (CAS) server.
Error “ConfigMgrSetupWizard.log”
ConfigMgrSetupWizard Information: 1: Cannot detect SMS Type because either SiteServer, SqlServer or SiteServerName is empty.
ConfigMgrSetupWizard Error: 1: Exception message: [Attempted to perform an unauthorized operation.], Exception details: [System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
The following steps have been completed in preparation for a new Primary Site to join the hierarchy. Once the new Primary Site has been connected to the CAS and the CM 12 hierarchy, we can remove the Regional Site Administrator Account from the Full Administrators group and local admin rights.
Prerequisites Checked – SCCM Primary Installation Error
- Temporarily added the Regional Site Administrator Account (used to install the primary site) to the local admin group of CM 2012 CAS and remote SQL Server.
- Added to the Full Administrators Group via the CAS Administration Console.
- Added to the CAS SQL Server CM 12 instance with sysadmin rights via SQL Management Studio.
- Two-way Trust between Parent Domain and Child domain (as per domain admins).
- The required Firewall ports are open (as per CM 12 documentation)
- Child domain credential (which is used for the installation of the primary server) has all the required rights/access on CAS, CAS-SQL, and child domain SQL servers.
- Child domain computer also has the required permissions on CAS, CAS-SQL, and child domain SQL servers.
- CAS, CAS-SQL, and SQL are ping-able from the child domain primary server.
- Also, I tried adding child domain credentials to the local Administrators group of the CAS in the parent domain, etc.
Troubleshooting Performed – SCCM Primary Installation Error
I tried connecting to the remote WMI (WBEMTEST and wmimgmt.msc) of the CAS server in the parent domain with child domain credentials. It gave the following error: “Win32: The RPC server is unavailable.” I checked the DCOM and WMI permissions on the CAS server, and everything looks fine.
When I tried to use the parent domain account (used to install CAS) to install the primary server (in the child domain), the wizard didn’t stop. I tried connecting to the remote WMI of the CAS server with my primary server computer/system account, but unfortunately, that is also NOT working.
Root Cause and Resolution: SCCM Primary Installation Error
I took a Netmon trace and checked network traffic between the servers to find out where communication was getting blocked. While checking the network connectivity between the child domain computers and the Root domain DCs, we found that we could not communicate with the root DCs on any of the well-known ports required for domain communication.
We raised a Firewall request to allow communication between the child domain client subnet and the Root DCs on the following ports, which resolved the issue.
- tcp 135
- tcp/udp 389
- tcp 3268
- tcp/udp 88
- tcp/udp 53
- tcp 445
- dynamic RPC ports for NTDS, Netlogon
Restricting Active Directory replication traffic and client RPC traffic to a specific port – http://support.microsoft.com/kb/224196
How to configure a firewall for domains and trusts – http://support.microsoft.com/kb/179442
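The connectivity check described above can be scripted from the new primary site server before raising or after closing the firewall request. This is an added example, not part of the original post; the root domain name `corp.example.com` is a placeholder and `Test-TcpPort` is a hypothetical helper defined in the script.

```powershell
# Added example: TCP reachability check from the new primary site server
# to the root-domain DCs. $RootDomain is a placeholder value.
param(
    [string]$RootDomain = 'corp.example.com',
    [int]$TimeoutMs = 2000
)

# TCP ports from the firewall request above. UDP 389/88/53 and the dynamic
# RPC range cannot be confirmed with a TCP connect and are not tested here.
$TcpPorts = @{
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    3268 = 'Global catalog'
    88   = 'Kerberos'
    53   = 'DNS'
    445  = 'SMB'
}

# Hypothetical helper: TCP connect with a timeout so blocked ports fail fast.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false   # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

# Locate the root-domain DCs the way a domain member does: DNS SRV lookup.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RootDomain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcs) {
    foreach ($port in $TcpPorts.Keys) {
        [pscustomobject]@{
            DomainController = $dc
            Port             = $port
            Service          = $TcpPorts[$port]
            Reachable        = Test-TcpPort -ComputerName $dc -Port $port -TimeoutMs $TimeoutMs
        }
    }
}
$results | Sort-Object DomainController, Port | Format-Table -AutoSize
```

If the SRV lookup itself fails, DNS (port 53) to the root domain is the first thing to check; any row with `Reachable` set to `False` is a candidate for the firewall request.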
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Nice Txs a lot definitely helpful