Most complex, multi-tiered environments require AD System Discovery to run across untrusted forests. Recently I ran into an issue with AD System Discovery against an untrusted forest. Using an Active Directory Forest Account, I was able to publish the MP details into the "System Management" container of the untrusted forest, so name resolution and firewall ports were fine between the two forests and their domain controllers.
When I tried to enable Active Directory System Discovery in SCCM 2012, it was not working. I had a look at "adsysdis.log", and as always the log files in SCCM 2012 were very helpful. These were the errors I could see in the discovery process log.
INFO: Processing search path: ‘LDAP://OU=COMPUTERS,DC=SCCMUAT,DC=ACNCONFIGMGR’.
INFO: Impersonating user [SCCMUAT\SVC_CM12_AD_FOREST] to discover objects.
INFO: Full synchronization requested
ERROR: Failed to bind to ‘LDAP://OU=COMPUTERS,DC=SCCMUAT,DC=ACNCONFIGMGR’ (0x8007054B)
INFO: CADSource::fullSync returning 0x8007054B
INFO: Reverting from impersonated user to default user.
ERROR: Failed to enumerate directory objects in AD container LDAP://OU=COMPUTERS,DC=SCCMUAT,DC=ACNCONFIGMGR
Some more details about the configuration of AD System Discovery. I had configured AD System Discovery to discover the systems in the untrusted forest. As you know, you need to provide a container path or LDAP query; I had given the LDAP query "LDAP://OU=COMPUTERS,DC=configmgr1,DC=com". I was getting the error 0x8007054B, which translates to "The specified domain either does not exist or could not be contacted". Now what?
The error message is fairly clear: the site server is not able to find the domain details. How to resolve this? I'm not an Active Directory expert, to be honest. As mentioned at the start of this post, I don't have any other connectivity issues between the site server forest and the untrusted forest, and I'm able to publish the MP details into the untrusted forest's Active Directory.
Sitecomp.log came to my help again in this scenario. How? I wanted to find out how the MP details were being published to the untrusted forest and how the communication between the site server and the untrusted forest was taking place. In sitecomp.log, I could see the following entries.
Processing forest ConfigMgr1.com.
Publishing account user account configmgr1\SVC_CM12_AD_FOREST will be used
Searching for the System Management Container.
LDAP://ACNCMRFOR.ConfigMgr1.com/CN=System Management,CN=System,DC=configmgr1,DC=com container exists.
Oh, yes. As you can see, site component manager was communicating with the untrusted forest through an LDAP path that names the remote domain controller (ACNCMRFOR.ConfigMgr1.com) in front of the container DN.
After seeing that LDAP path, I could relate it to the AD System Discovery configuration. I added the remote forest domain controller name to the LDAP query of AD System Discovery and it started working!!! The LDAP query used is given below (in the adsysdis.log entries).
You can get more details in the "adsysdis.log" file (entries are given below). Remember, the site server or its local DNS must be able to resolve the names of the systems discovered from the untrusted forest. Otherwise, the systems you've discovered won't appear in the CM 12 console: to create DDRs (Data Discovery Records) for all discovered systems, DNS records or some other form of name resolution must be in place.
INFO: Search provider = ‘LDAP’
INFO: Domain controller = ‘ACNCMRFOR.configmgr1.com’
INFO: Succeed to cached binding for LDAP://ACNCMRFOR.configmgr1.com/RootDSE
INFO: Include groups option will be ignored during incremental discovery.
INFO: search filter = ‘(&(uSNChanged>=93223)(|(objectCategory=group)(&(objectClass=user)(objectCategory=computer))))’
INFO: ads path = ‘LDAP://ACNCMRFOR.configmgr1.com/OU=COMPUTERS,DC=configmgr1,DC=com’
INFO: Bound to ‘LDAP://ACNCMRFOR.configmgr1.com/OU=COMPUTERS,DC=configmgr1,DC=com’
INFO: successfully completed directory search
INFO: AD Discovery under container LDAP://ACNCMRFOR.configmgr1.com/OU=COMPUTERS,DC=configmgr1,DC=com found 0 objects
INFO: -------- Finished to process search scope (LDAP://ACNCMRFOR.configmgr1.com/OU=COMPUTERS,DC=configmgr1,DC=com) --------
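As an added example (not from the original post, and not part of ConfigMgr itself), the following PowerShell script reproduces the two checks the post boils down to: it binds to the untrusted-forest OU first with the bare LDAP path and then with the domain controller FQDN prefixed, using the same forest account that discovery impersonates, and it then verifies that each computer object found actually resolves in DNS from the site server. The DC FQDN, OU path and account name are taken from the log entries above and are assumptions you should replace with your own values; the filter it uses is the computer part of the adsysdis.log search filter.

```powershell
# Added example, not from the original post. Run on the SCCM site server.
# Assumed values (replace with your own): the remote forest DC, the OU from the
# discovery scope, and the AD forest account used for discovery.
$dcFqdn  = 'ACNCMRFOR.configmgr1.com'            # remote forest DC, as seen in sitecomp.log
$ouPath  = 'OU=COMPUTERS,DC=configmgr1,DC=com'   # container configured in AD System Discovery
$account = 'configmgr1\SVC_CM12_AD_FOREST'       # AD forest account used for discovery

# Prompt for the forest account password; discovery impersonates this account too.
$cred      = Get-Credential -UserName $account -Message 'Password for the AD forest account'
$plainPass = $cred.GetNetworkCredential().Password

function Test-LdapBind {
    param([string]$Path)
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $account, $plainPass)
        # RefreshCache forces the actual bind; a failure surfaces as a COMException
        # carrying the same HRESULT (e.g. 0x8007054B) that adsysdis.log reports.
        $entry.RefreshCache()
        Write-Host "Bound OK: $Path"
        return $entry
    } catch {
        # Unwrap PowerShell's MethodInvocationException to reach the COM error code.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $hr = '0x{0:X8}' -f $ex.HResult
        Write-Warning ("Failed to bind to {0} ({1}): {2}" -f $Path, $hr, $ex.Message)
        return $null
    }
}

function Get-DiscoveredComputers {
    param([System.DirectoryServices.DirectoryEntry]$Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    # Computer part of the search filter AD System Discovery writes to adsysdis.log.
    $searcher.Filter   = '(&(objectClass=user)(objectCategory=computer))'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($r in $searcher.FindAll()) {
        if ($r.Properties['dnshostname'].Count -gt 0) { $r.Properties['dnshostname'][0] }
    }
}

function Test-NameResolution {
    param([string[]]$Names)
    # Discovery only creates a DDR when the site server can resolve the host name,
    # so a name that fails here will not show up in the console.
    foreach ($n in $Names) {
        try {
            $null = [System.Net.Dns]::GetHostAddresses($n)
            Write-Host "Resolves: $n"
        } catch {
            Write-Warning "Does not resolve from this server (no DDR expected): $n"
        }
    }
}

# 1) Bare LDAP path: across an untrusted forest this is the form that fails with 0x8007054B.
$null = Test-LdapBind -Path "LDAP://$ouPath"

# 2) DC-qualified path: the form sitecomp.log uses and the fix described in the post.
$root = Test-LdapBind -Path "LDAP://$dcFqdn/$ouPath"
if ($root) {
    $hosts = @(Get-DiscoveredComputers -Root $root)
    Write-Host ("{0} computer object(s) found under {1}" -f $hosts.Count, $ouPath)
    Test-NameResolution -Names $hosts
}
```

The first bind is expected to fail on an untrusted forest and the second to succeed; if the second also fails, the problem is still connectivity or credentials rather than the discovery path format. Any host reported as not resolving explains a "found N objects" line in adsysdis.log that is not matched by systems in the console.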