A. SMS 2003's Advanced Security Mode removes the requirement for multiple accounts and instead relies on the Local System and Computer accounts for all security-related actions (such as interacting with the file system and updating AD). The Computer account therefore needs permission to parts of the AD directory when AD integration is enabled, specifically the System partition of the domain namespace. To grant this permission, perform the following steps:
- Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (click Start, Programs, Administrative Tools, Active Directory Users and Computers).
- On the View menu, click Advanced Features.
- Select the System branch in the snap-in window's tree view pane.
- Right-click the system container and select Properties.
- On the Security tab, click Advanced.
- Click Add.
- Click Object Types and ensure that only the Computers check box is selected. Click OK.
- In the "Enter the object name to select" text box, enter the name of the SMS site server. (Alternatively, you can click Advanced, then click Find Now and select the computer.) Click OK.
- The set of permissions is displayed. Ensure that in the "Apply onto:" list box, only "This object and all child objects" is selected.
- Under Permissions, select the "Full Control" check box under the Allow column. Click OK.
- Click OK to close the main System Properties dialog box.
You must also ensure that the computer account of the SMS site server that uses Advanced Security Mode is always a member of the local Administrators group. To add the account to the local Administrators group, run the following command:
net localgroup Administrators <domain name>\<site server computer name>$ /add
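The following PowerShell script is an added example, not part of the original answer, that checks both settings the procedure above configures (Full Control for the site server's computer account on the System container, and membership of that account in the site server's local Administrators group) and applies them only when run with -Apply. It assumes the ActiveDirectory module (for the AD: drive) and the LocalAccounts cmdlets are available; the site server and domain names are placeholders.

```powershell
# Added example: verify, and optionally grant, the Advanced Security Mode
# prerequisites for an SMS 2003 site server. Run on the site server itself
# so that the local Administrators check applies to the right machine.
param(
    [string]$SiteServer    = 'SMSSITE01',   # placeholder: site server computer name
    [string]$DomainNetbios = 'CONTOSO',     # placeholder: NetBIOS domain name
    [switch]$Apply                          # without -Apply the script only reports
)

Import-Module ActiveDirectory

$member   = "$DomainNetbios\$SiteServer$"          # e.g. CONTOSO\SMSSITE01$
$systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
$full     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# 1. Full Control for the computer account on CN=System, inherited by all child objects
$acl = Get-Acl -Path "AD:\$systemDn"
$hasFullControl = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $member -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $full) -eq $full) -and
    $_.InheritanceType -eq 'All'
}
if ($hasFullControl) {
    Write-Output "OK: $member has Full Control on $systemDn"
} else {
    Write-Warning "$member is missing Full Control on $systemDn"
    if ($Apply) {
        $sid  = (Get-ADComputer -Identity "$SiteServer$").SID
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $full,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$systemDn" -AclObject $acl
        Write-Output "Granted Full Control on $systemDn to $member"
    }
}

# 2. Computer account in the local Administrators group (same effect as
#    "net localgroup Administrators <domain>\<server>$ /add")
$isMember = Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.Name -eq $member }
if ($isMember) {
    Write-Output "OK: $member is in the local Administrators group"
} else {
    Write-Warning "$member is not in the local Administrators group"
    if ($Apply) {
        Add-LocalGroupMember -Group 'Administrators' -Member $member
        Write-Output "Added $member to the local Administrators group"
    }
}
```

Run it first without -Apply to see what would change; the AD change must be made by an account that can edit the System container's ACL, such as a Domain Admin.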