Publishing sites to forest with no trust. Works for primary but not secondary site.

  • Question

  • Hi,

    I've set up an environment with primary & secondary servers in domain A. I have some clients in domain B but there are no trusts between A & B.

    I set up the forest in the AD Forest section of the console and selected the primary & secondary sites to publish to domain B. I set the account to use that has full access to the System Management container in domain B (it's a domain admin account for testing purposes). The schema is extended.

    I can verify the connection in the console using the LDAP query:
    LDAP://domainB.com/CN=System Management,CN=System,DC=domainB,DC=com

    When I click OK, I check the logs of the primary server and it successfully publishes the primary site to the System Management container within domainB.

    The problem is that when I check the logs of the secondary site it gives me the following error:

    No publishing account defined for this forest, will use the machine account instead.
    Could not connect to the RootDSE container in Active Directory. HRESULT=8007052E  

    Both servers can ping the domainB.com suffix. There are no firewall issues.

    Anyone have any thoughts what might be wrong?

    Thursday, February 4, 2016 1:31 PM

Answers

  • It could very well be a bug that you may need to contact support about. Secondary sites are becoming decreasingly used for many reasons. Ultimately though, this won't affect functionality. Clients locate and use the roles within a secondary site based upon boundary groups used for content location, which are not published to AD. I don't think that, even if it worked, it would actually publish anything useful, so the bug may actually be that you are able to select this option for secondary sites at all, as it truly doesn't matter.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by KP2015 Monday, February 8, 2016 11:43 AM
    Friday, February 5, 2016 1:57 PM
  • Per https://technet.microsoft.com/en-us/library/gg712308.aspx?f=255&MSPPError=-2147217396

    Secondary Sites cannot publish to an untrusted forest.


    Shawn Bolan

    • Marked as answer by KP2015 Monday, February 8, 2016 11:41 AM
    Friday, February 5, 2016 6:57 PM

All replies

  • Dear Sir,

    Make sure the account information to connect to the untrusted forest is correct. Any more information in hman.log?

    Have you tried to disable publish on secondary and re-enable again?

    Best regards

    Frank

    Friday, February 5, 2016 3:18 AM
  • Hi Frank,

    Thanks for your reply. There's not much more in the hman log. Similar errors around no publishing account being defined.

    I've tried various combinations of disabling publish on secondary, secondary only, primary then secondary etc... No change. It's as if publishing secondary site info to untrusted domains is not supported.

    Regards,

    KP

    Friday, February 5, 2016 8:34 AM
  • That confirms my theory that the bug is actually a UI bug that it even allows you to select them. And since it provides no value anyway, unselect it and carry on.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, February 5, 2016 8:50 PM
  • Hi Shawn. Thanks for the info.
    Monday, February 8, 2016 11:42 AM
  • Thanks Jason.
    Monday, February 8, 2016 11:43 AM
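
The HRESULT in the hman.log lines quoted in the question can be decoded to show why the bind failed: 8007052E is the Win32 facility wrapping error 1326 (ERROR_LOGON_FAILURE), which fits a machine account from domain A presenting credentials to an untrusted domain B. The following is an added example, not code from the thread or from Configuration Manager; the function names and the third sample line are constructed for illustration.

```python
import re

# Win32 error codes commonly seen on directory binds (values from winerror.h).
WIN32_ERRORS = {
    0x005: "ERROR_ACCESS_DENIED",
    0x52E: "ERROR_LOGON_FAILURE",       # unknown user name or bad password
    0x54B: "ERROR_NO_SUCH_DOMAIN",
    0x6BA: "RPC_S_SERVER_UNAVAILABLE",
}
FACILITY_WIN32 = 7

FALLBACK = re.compile(r"No publishing account defined for this forest", re.I)
HRESULT = re.compile(r"HRESULT=([0-9A-Fa-f]{8})")

def decode_hresult(text):
    """Split an 8-digit hex HRESULT into (failed, facility, code, name)."""
    value = int(text, 16)
    failed = bool(value >> 31)           # severity bit
    facility = (value >> 16) & 0x7FF     # 11-bit facility field
    code = value & 0xFFFF                # low word: the wrapped error code
    if facility == FACILITY_WIN32:
        name = WIN32_ERRORS.get(code, "unknown Win32 error")
    else:
        name = "non-Win32 facility"
    return failed, facility, code, name

def triage(lines):
    """Decode each HRESULT and note whether the machine-account fallback preceded it."""
    findings, fallback_seen = [], False
    for line in lines:
        if FALLBACK.search(line):
            fallback_seen = True
            continue
        match = HRESULT.search(line)
        if not match:
            continue
        failed, _facility, code, name = decode_hresult(match.group(1))
        findings.append({
            "code": code,
            "name": name,
            "machine_account_fallback": fallback_seen,
            "auth_failure": failed and name == "ERROR_LOGON_FAILURE",
        })
        fallback_seen = False
    return findings

# First two lines are the ones quoted in the question; the third is constructed.
SAMPLE = [
    "No publishing account defined for this forest, will use the machine account instead.",
    "Could not connect to the RootDSE container in Active Directory. HRESULT=8007052E",
    "Could not connect to the RootDSE container in Active Directory. HRESULT=800706BA",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with both `machine_account_fallback` and `auth_failure` set points at credentials rather than name resolution or firewalling, which matches the poster's note that both servers could reach domainB.com.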