ConfigMgr SCCM 2012 Untrusted Forest AD System Discovery Issue

Most of complex and multi tiered environments require to perform AD System Discovery across untrusted forests. Recently, I’ve faced an issue with untrusted forest AD system discovery. Using Active Directory Forest Account, I’m able to publish MP details into “System Management” container of untrusted forest. So, name resolution and Fire-Wall ports are fine between both the forests or Domain Controllers.

When I tried to enable Active Directory System Discovery in SCCM 2012,  it was not working. Had a look at “adsysdis.log” and as always log files are very helpful in SCCM 2012. Following were the errors I could see in the discovery process log. 

INFO: Impersonating user [SCCMUAT\SVC_CM12_AD_FOREST] to discover objects.
INFO: Full synchronization requested
INFO: CADSource::fullSync returning 0x8007054B
INFO: Reverting from impersonated user to default user.
ERROR: Failed to enumerate directory objects in AD container LDAP://OU=COMPUTERS,DC=SCCMUAT,DC=ACNCONFIGMGR

Some more details about the configuration of AD system Discovery. I’ve configured AD system discovery to discover the systems in untrusted forest. As you know, need to provider container path or LDAP query details, I’ve given the LDAP query “LDAP://OU=COMPUTERS,DC=configmgr1,DC=com”. I was getting the following error 0x8007054B and that error translates to  “The specified domain either does not exist or could not be contacted”. Now, what ….

It’s almost clear error message and that means system or site server is not able to find the domain details. How to resolve this? I’m not excellent in Active Directory to be honest. As mentioned at the starting of this post, I don’t have any other external issues with site server forest and untrusted forest . Also, I’m able to publish MP details into untrusted forest Active Directory.

Sitecomp.log came to help me again in this scenario. How? I wanted to find out the way in which MP details are getting published to untrusted forest and how the communication is taking place between site server and untrusted forest. So, in sitecomp.log, I could see the following entries.

Processing forest
Publishing account user account configmgr1\SVC_CM12_AD_FOREST will be used
DS Root:DC=configmgr1,DC=com
Searching for the System Management Container.
LDAP:// Management,CN=System,DC=configmgr1,DC=com container exists.

Oh, yes. You could see, it was using the following LDAP query to communicate with untrusted forest.

LDAP:// Management,CN=System,DC=configmgr1,DC=com

After seeing that LDAP query, I could relate that with AD System Discovery configuration. I’ve added the remote forest domain controller name in to LDAP query of AD system Discovery and it started working !!! The LDAP query used is given below.


You can get more details in “adsysdis.log” file (details are given below). Remember, site server or local DNS should be able to resolve the names of the systems which are discovered from untrusted forest. Otherwise, the systems which you’ve discovered don’t get appeared in CM 12 console. To  create DDRs  (Data Discovery Record) for all discovered systems, DNS record or name resolution must be in place.

INFO: Search provider = ‘LDAP’
INFO: Domain controller = ‘’
INFO: Succeed to cached binding for LDAP://
INFO: Include groups option will be ignored during incremental discovery.
INFO: search filter = ‘(&(uSNChanged>=93223)(|(objectCategory=group)(&(objectClass=user)(objectCategory=computer))))’
INFO: ads path = ‘LDAP://,DC=configmgr1,DC=com’
INFO: Bound to ‘LDAP://,DC=configmgr1,DC=com’
INFO: successfully completed directory search
INFO: AD Discovery under container LDAP://,DC=configmgr1,DC=com found 0 objects
INFO: ——– Finished to process search scope (LDAP://,DC=configmgr1,DC=com) ——–

About Author 

Anoop is Microsoft MVP and Veeam Vanguard ! He is a Solution Architect on enterprise client management with more than 13 years of experience (calculation done on the year 2014) in IT. He is Blogger, Speaker and Local User Group Community leader. His main focus is on Device Management technologies like SCCM 2012,Current Branch, Intune. He writes about the technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc...

    Find more about me on:
  • googleplus
  • twitter
  • facebook
  • linkedin
  • youtube
Posted in: ConfigMgr (SCCM), Configmgr2012, Domain Controller, SCCM 2012, SCCM 2012 SP1, System Center 2012, System Center 2012 Configuration Manager

One Comment

  1. Thomas Froitzheim says:

    Thanks a lot for this contribution! I faced exactly the same Problem and was able to fix it using your instructions. Thank you.

Leave a Comment and Contact Anoop