Rights Required to Publish to AD
What specific rights are required in Active Directory for SCCM to successfully publish? The site server computer account has Full Control permissions to the System Management container and all descendant objects, but is unable to publish to AD. If I give a service account Domain Admin permissions, publishing works successfully. Keeping the service account as a Domain Admin is not an option for our environment, so where exactly does SCCM need to write in AD besides the System Management container in order to publish?
November 7th, 2013 10:51am
Full control to this object and all descendant objects.
November 7th, 2013 11:09am
There has to be more than that. As I mentioned, the site server computer account has Full Control permissions to the System Management container, but is unable to publish to AD. I apparently failed to mention that its permissions also include all descendant objects.
November 7th, 2013 11:10am
Nothing more than Torsten specified is required.
November 7th, 2013 11:17am
That can't be true. The site server computer account and a service account both have Full Control permissions to the System Management container and all descendant objects. Neither of them are able to publish successfully.
November 7th, 2013 11:19am
Permissions are given via group membership. The server has been rebooted several times since the group and permissions were applied. What led me to a permissions issue was the line in hman.log that says "Could not obtain Access to Active Directory, HRESULT=0x8007200A." When I found that, I gave the service account Domain Admin permissions and had it try publishing again. That time it succeeded where ten minutes before (without the Domain Admin permissions) it had failed.

Since then, I removed the Domain Admin permissions. It has tried publishing again, and failed with the same error.
November 7th, 2013 11:26am
What you are describing is odd.
1. Did you extend the schema in advance? (although theoretically it should work anyway but it's better to do this)
2. How is your AD replic
November 7th, 2013 11:36am
The schema has been extended for years. We were on SCCM 2007 a few years ago and upgraded to 2012, then to 2012 SP1, and now I'm working on a new 2012 R2 server. TechNet states you don't need to do anything with the schema to use 2012 if you extended it for 2007.
AD replication is usually near-instant. The group membership and permissions were applied over 24 hours ago.
November 7th, 2013 11:47am
0x8007200A = "The specified directory service attribute or value does not exist."
Based on this and this article -- http://support.microsoft.com/kb/325053 (which is in no way specific to your issue but similar in nature) -- I'd say you have your AD locked down in some non-standard way and/or inheritance is disabled on the System Management container.
November 7th, 2013 12:38pm
I've asked our Systems Engineer to make sure there isn't any broken inheritance within the container and will report back.
November 7th, 2013 12:49pm
Our Systems Engineer tells me the only subcontainer is inheriting permissions from System Management.
November 7th, 2013 1:44pm
Can you check the effective permissions on the CM objects in the container?
(Maybe something odd has happened, e.g. inheritance is broken/removed on the objects.)
November 7th, 2013 3:25pm
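The check requested above can be scripted rather than spot-checked by hand. The following PowerShell is an added example, not code from the thread or from ConfigMgr: it walks the System Management container and every descendant, and reports for each object whether inheritance is blocked and whether a given trustee holds Full Control (GenericAll) on it. It assumes the RSAT ActiveDirectory module is available and that the caller can read the container's security descriptor. `$Principal` is a placeholder; because the ACE names the trustee literally, pass the group that was granted the rights when permissions are assigned via group membership (as in this thread), not the computer account that is a member of it.

```powershell
# Added example (not from the thread): audit the System Management container and its
# descendants for the rights ConfigMgr publishing relies on. Assumes the RSAT
# ActiveDirectory module is installed and the AD: PSDrive it provides is available.
param(
    # Placeholder: the trustee to look for, e.g. 'CONTOSO\SiteServer$' or 'CONTOSO\SCCM Site Servers'
    [string]$Principal = 'CONTOSO\SCCM Site Servers'
)

Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName
$containerDn = "CN=System Management,CN=System,$domainDn"
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# The container itself plus every descendant object (mSSMSSite, mSSMSManagementPoint, ...)
$objects = @(Get-ADObject -Identity $containerDn) +
           @(Get-ADObject -Filter * -SearchBase $containerDn -SearchScope Subtree |
             Where-Object { $_.DistinguishedName -ne $containerDn })

$report = foreach ($obj in $objects) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

    # Allow ACEs for the principal that carry every bit of GenericAll (Full Control)
    $fullControl = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
    })

    [pscustomobject]@{
        DistinguishedName    = $obj.DistinguishedName
        ObjectClass          = $obj.ObjectClass
        InheritanceBlocked   = $acl.AreAccessRulesProtected   # $true = "Include inheritable permissions" unchecked
        PrincipalFullControl = ($fullControl.Count -gt 0)
        FullControlInherited = (@($fullControl | Where-Object { $_.IsInherited }).Count -gt 0)
    }
}

$report | Format-Table -AutoSize

# The two conditions the thread is hunting for: inheritance cut somewhere in the tree,
# or an object on which the principal's Full Control never arrived.
$problems = @($report | Where-Object { $_.InheritanceBlocked -or -not $_.PrincipalFullControl })
if ($problems.Count -gt 0) {
    Write-Warning "Objects needing attention:"
    $problems | Format-Table -AutoSize
} else {
    Write-Host "$Principal has Full Control on the container and all $($objects.Count - 1) descendant objects; inheritance is intact."
}
```

Run it from a machine with RSAT as an account that can read the container's ACLs. An object listed with `InheritanceBlocked = True` and `PrincipalFullControl = False` is exactly the "inheritance broken/removed on the objects" case raised above; an object where Full Control is present but not inherited means someone set it explicitly and it will not follow changes made on the container.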
Our Systems Engineer just spot-checked about 10 of the 30-or-so objects and all of them were inheriting permissions.
November 7th, 2013 3:34pm
Is there anywhere that I can see what exactly happens during publishing? Meaning, how can I find out what objects it's trying to write to as it goes through the publishing process?
November 7th, 2013 3:42pm
Yes, in the logs -- just like everything else in ConfigMgr :-)
hman.log to be specific.
November 7th, 2013 3:46pm
That's the log I've been looking at, but it doesn't tell me what happened when it failed, just "Could not obtain Access to Active Directory, HRESULT=0x8007200A." It doesn't tell me what container or object it was trying to access when it failed.
November 7th, 2013 3:48pm
I would recommend that you contact Microsoft Support (CSS) for this. Generally this is a "two second" task to set full control to this object and all descendant objects.
There are no special permissions needed outside of the one Torsten has already stated in the first post.
My guess is that you have some AD issues or something is locked down. CSS is the best team to deal with this issue.
November 7th, 2013 6:58pm