ConfigMgr SCCM Untrusted Forest AD System Discovery Issue


Most of complex and multi tiered environments require to perform AD System Discovery across untrusted forests. Recently, I’ve faced an issue with untrusted forest AD system discovery. Using Active Directory Forest Account, I’m able to publish MP details into “System Management” container of untrusted forest. So, name resolution and Fire-Wall ports are fine between both the forests or Domain Controllers.

When I tried to enable Active Directory System Discovery in SCCM 2012,  it was not working. Had a look at “adsysdis.log” and as always log files are very helpful in SCCM 2012. Following were the errors I could see in the discovery process log. ConfigMgr SCCM Untrusted Forest AD System Discovery Issue 1

INFO: Impersonating user [SCCMUAT\SVC_CM12_AD_FOREST] to discover objects.
INFO: Full synchronization requested
INFO: CADSource::fullSync returning 0x8007054B
INFO: Reverting from impersonated user to default user.
ERROR: Failed to enumerate directory objects in AD container LDAP://OU=COMPUTERS,DC=SCCMUAT,DC=ACNCONFIGMGR

Some more details about the configuration of AD system Discovery. I’ve configured AD system discovery to discover the systems in untrusted forest. As you know, need to provider container path or LDAP query details, I’ve given the LDAP query “LDAP://OU=COMPUTERS,DC=configmgr1,DC=com”. I was getting the following error 0x8007054B and that error translates to  “The specified domain either does not exist or could not be contacted”. Now, what ….

It’s almost clear error message and that means system or site server is not able to find the domain details. How to resolve this? I’m not excellent in Active Directory to be honest. As mentioned at the starting of this post, I don’t have any other external issues with site server forest and untrusted forest . Also, I’m able to publish MP details into untrusted forest Active Directory.

Sitecomp.log came to help me again in this scenario. How? I wanted to find out the way in which MP details are getting published to untrusted forest and how the communication is taking place between site server and untrusted forest. So, in sitecomp.log, I could see the following entries.

Processing forest
Publishing account user account configmgr1\SVC_CM12_AD_FOREST will be used
DS Root:DC=configmgr1,DC=com
Searching for the System Management Container.
LDAP:// Management,CN=System,DC=configmgr1,DC=com container exists.

Oh, yes. You could see, it was using the following LDAP query to communicate with untrusted forest.

LDAP:// Management,CN=System,DC=configmgr1,DC=com

After seeing that LDAP query, I could relate that with AD System Discovery configuration. I’ve added the remote forest domain controller name in to LDAP query of AD system Discovery and it started working !!! The LDAP query used is given below.


ConfigMgr SCCM Untrusted Forest AD System Discovery Issue 2

You can get more details in “adsysdis.log” file (details are given below). Remember, site server or local DNS should be able to resolve the names of the systems which are discovered from untrusted forest. Otherwise, the systems which you’ve discovered don’t get appeared in CM 12 console. To  create DDRs  (Data Discovery Record) for all discovered systems, DNS record or name resolution must be in place.

INFO: Search provider = ‘LDAP’
INFO: Domain controller = ‘’
INFO: Succeed to cached binding for LDAP://
INFO: Include groups option will be ignored during incremental discovery.
INFO: search filter = ‘(&(uSNChanged>=93223)(|(objectCategory=group)(&(objectClass=user)(objectCategory=computer))))’
INFO: ads path = ‘LDAP://,DC=configmgr1,DC=com’
INFO: Bound to ‘LDAP://,DC=configmgr1,DC=com’
INFO: successfully completed directory search
INFO: AD Discovery under container LDAP://,DC=configmgr1,DC=com found 0 objects
INFO: ——– Finished to process search scope (LDAP://,DC=configmgr1,DC=com) ——–


  1. Thanks a lot for this contribution! I faced exactly the same Problem and was able to fix it using your instructions. Thank you.

  2. Hello,

    Thanks a lot, I faced exactly the same Problem…
    But for me, into my SCCM environment with AD 2012 R2 and SCCM 1606:

    idem for “USERS” container for Groups and Users discovery methods (LDAP Query)

    Best regards,


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.