failure to install MP in remote forest

  • Question

  • Hi,

    I was doing some testing lately in order to properly prepare and document how and what to do when an environment needs to have a remote DP & MP in another forest.

    In my lab environment (running on Hyper-V) I installed three new domains (with static IPs), each with an additional server and client (all manual installs). Why three? Because I wanted to test a domain with no trust, a one-way trust and a two-way trust.

    In the existing domain I already had an operating DC, DHCP, DNS and SCCM 1702 primary site. All machines are configured with the internal switch.

    The setups all fail at the same point (no matter the trust level configured), which kind of makes me think that it is a Hyper-V issue:

    Installation of the remote MP/DP fails with an error in sitecomp.log: failed to make a network connection (0x35) and failed to access server.

    What did I do so far?

    - In the existing DNS, created a conditional forwarder to the remote domain

    - In DNS the remote DC is listed as an NS record type

    - Added the remote domain to the DNS suffix search list (with GPO)

    - In SCCM, added a new forest with its suffix by using an administrative account of the remote forest

    - Configured system discovery with the remote forest by using the proper LDAP query

    - Checked and forced AD forest & system discovery: no errors in the logs and all systems of the remote forest are listed in the console

    - Created new boundary groups for the remote forests

    - On the remote forest server machine, used the prerequisite PowerShell tool to make sure all roles/features for MP & DP are installed

    - On ALL machines the firewall is turned off for all profiles (first test without firewall...)

    - Installed a new site system server with DP and MP role by using an account of the remote forest

    - In all three new domains I can ONLY ping the DC from the existing forest; pinging another machine resolves the proper IP but it times out

    - In the remote forests, the schema extension is done

    - When I check port 53 using portqry it shows TCP port 53: filtered / UDP port 53: listening or filtered (but it still returns the proper IP)

    - nslookup of the remote server returns the IP address

    - tracert to the remote server returns the IP but immediately times out

    - The remote server has no antivirus; the first forest had the SCEP client running on the servers, but I uninstalled that one as well just to make sure

    This has kept me going for some hours now; what am I missing, guys? If rerouting to another forum is needed, please advise.

    The thing is, I did the same steps today at a customer in an untrusted domain and everything worked the first time...

    Monday, May 29, 2017 3:27 PM
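Added example, not from the original thread and not Microsoft's own tooling: a PowerShell triage function to run on the primary site server against the candidate remote-forest site system. It separates the three symptoms listed in the post (DNS answers, ICMP and tracert time out, sitecomp.log reports 0x35). Win32 error 0x35 (53) is ERROR_BAD_NETPATH, "The network path was not found", which is what the site server gets when it cannot open the remote server's admin$ share to push the site system installer. The target hostname `mp01.remote.lab` and the port list (SMB 445 and RPC endpoint mapper 135 for the role push, 80/443 for the MP itself) are assumptions to adjust for the lab.

```powershell
# Added example (not from the original thread). Run from the SCCM primary site
# server under the account that will install the remote site system.
function Test-RemoteSiteSystem {
    param(
        [Parameter(Mandatory)][string]$Target,              # assumed FQDN of the remote DP/MP
        [int[]]$Ports = @(445, 135, 80, 443)                # assumed: SMB, RPC EPM, MP HTTP/HTTPS
    )

    $r = [ordered]@{ Target = $Target }

    # 1. Name resolution through the conditional forwarder.
    try {
        $dns = Resolve-DnsName -Name $Target -Type A -ErrorAction Stop
        $r.ResolvedIP = ($dns | Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
    } catch {
        $r.ResolvedIP = $null
    }

    # 2. Which local interface and route would carry traffic to that IP?
    #    A wrong subnet/gateway or a VM on the wrong Hyper-V switch shows up here.
    if ($r.ResolvedIP) {
        $route = Find-NetRoute -RemoteIPAddress $r.ResolvedIP -ErrorAction SilentlyContinue |
                 Where-Object { $_.DestinationPrefix }
        $r.LocalRoute = if ($route) { "$($route.DestinationPrefix) via $($route.NextHop) on $($route.InterfaceAlias)" } else { 'none' }
    }

    # 3. ICMP reachability. Resolves-but-times-out means IP path, not DNS.
    $r.Ping = Test-Connection -ComputerName $Target -Count 2 -Quiet

    # 4. TCP ports the site server needs to push the role.
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        $r["TCP_$p"] = [bool]$t.TcpTestSucceeded
    }

    # 5. The admin$ share is what sitecomp uses; 0x35 is this step failing.
    $r.AdminShare = Test-Path -Path "\\$Target\admin$"

    # 6. Where does the path die?
    $trace = Test-NetConnection -ComputerName $Target -TraceRoute -WarningAction SilentlyContinue
    $r.TraceRoute = ($trace.TraceRoute -join ' -> ')

    # 7. Verdict from the pattern of results.
    $r.Verdict = if (-not $r.ResolvedIP) {
        'DNS: conditional forwarder / suffix search not returning an A record'
    } elseif (-not $r.Ping -and -not $r.TCP_445) {
        'No IP path: check target IP/subnet/default gateway and Hyper-V switch; DNS is fine'
    } elseif (-not $r.TCP_445) {
        'Host reachable but SMB blocked: firewall or Server service on the target'
    } elseif (-not $r.AdminShare) {
        'SMB open but admin$ denied: use the remote-forest account configured for the site system'
    } else {
        'Network prerequisites look satisfied; re-check sitecomp.log / SMSProv-level causes'
    }

    return [pscustomobject]$r
}

Test-RemoteSiteSystem -Target 'mp01.remote.lab' | Format-List
```

Test-Path against admin$ uses the credentials of the running session, so in a forest with no trust map the share first with the remote-forest account (for example `net use \\mp01.remote.lab\admin$ /user:REMOTE\installer`) or run the function under that account; otherwise the AdminShare check reports a credential problem as a path problem.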

All replies

  • Hi,

        >>"in all three new domains I can ONLY ping the dc from the existing forest, pinging another machine resolves the proper IP but it times out"

        This indicates that it should be a network-related issue; maybe you can ask your network team for help.

    Regards,

    Jimmy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 2, 2017 7:58 AM