Forest Discovery Failing with Generic Error

Question
Hi,
I'm designing a large 100k+ seat multi-forest Configuration Manager architecture. I've reached the point of putting the whole thing to the test in the lab for validation, and I've discovered a quirk I could use some advice on how to handle. For the purposes of this post I will only describe the components of the architecture that are relevant. If I miss something, please let me know and I will post it ASAP.
I have a CAS (CAS) and a Primary Site (NA2) which both exist in the domain na.hhcpr.htn.corp. I am publishing site server information via AD Discovery to several other domains in one forest called ad.htn.corp. Although the publishing to the subdomains in ad.htn.corp (Hotels, HRCC and HQ) is throwing some errors everything is working in the ad.htn.corp forest. HGV trusts NA with a one way domain wide trust. HGV.CORP also has a 2-way domain wide trust with HQ.AD.HTN.CORP. NA trusts HQ with a 1 way selective auth trust.
I cannot seem to publish to the hgv.corp forest however. It has only a single domain and I have extended the schema, granted the NA site server full control to the System Management tree and also granted it full control permission to the domain controller for good luck. I should point out that I have configured a DNS Conditional Forwarder to HGVC.COM from the NA domain controller.
Please find the forest discovery log below. Let me know anything else you need and you'll have it straight away.
Thanks!
SMS_EXECUTIVE started SMS_AD_FOREST_DISCOVERY_MANAGER as thread ID 5856 (0x16E0). $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.414+420><thread=2140 (0x85C)>
=========================================================== $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.417+420><thread=5856 (0x16E0)>
Beginning Active Directory Forest Discovery Manager $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.417+420><thread=5856 (0x16E0)>
Entering function ThreadMain() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.417+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::Initialize() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.417+420><thread=5856 (0x16E0)>
Component SMS_AD_FOREST_DISCOVERY_MANAGER is marked active.~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.451+420><thread=5856 (0x16E0)>
Log verbosity level = 0~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.451+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::Process() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.452+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::ShouldRun() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.452+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::CheckIfRunCountValueChanged() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.452+420><thread=5856 (0x16E0)>
Admin requested to run discovery now. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.452+420><thread=5856 (0x16E0)>
Entering function GetUserCredentials() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:50.642+420><thread=5856 (0x16E0)>
ERROR: [ForestDiscoveryAgent]: Failed to connect to forest hrcc.ad.HTN.corp. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.~~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.058+420><thread=5856 (0x16E0)>
Entering function ReportForestConnectionFailureStatusMessage() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.075+420><thread=5856 (0x16E0)>
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.076+420><thread=5856 (0x16E0)>
STATMSG: ID=8904 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=NACM01.na.HHCPR.HTN.CORP SITE=CAS PID=1632 TID=5856 GMTDATE=Sat Oct 26 17:56:51.076 2013 ISTR0="hrcc.ad.HTN.corp" ISTR1="" ISTR2="" ISTR3="" ISTR4="2" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.076+420><thread=5856 (0x16E0)>
Entering function GetUserCredentials() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.078+420><thread=5856 (0x16E0)>
ERROR: [ForestDiscoveryAgent]: Failed to connect to forest hq.ad.HTN.corp. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.~~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.492+420><thread=5856 (0x16E0)>
Entering function ReportForestConnectionFailureStatusMessage() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.495+420><thread=5856 (0x16E0)>
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.496+420><thread=5856 (0x16E0)>
STATMSG: ID=8904 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=NACM01.na.HHCPR.HTN.CORP SITE=CAS PID=1632 TID=5856 GMTDATE=Sat Oct 26 17:56:51.496 2013 ISTR0="hq.ad.HTN.corp" ISTR1="" ISTR2="" ISTR3="" ISTR4="2" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.496+420><thread=5856 (0x16E0)>
Entering function GetUserCredentials() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.498+420><thread=5856 (0x16E0)>
ERROR: [ForestDiscoveryAgent]: Failed to connect to forest hotels.ad.HTN.corp. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.~~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.688+420><thread=5856 (0x16E0)>
Entering function ReportForestConnectionFailureStatusMessage() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.690+420><thread=5856 (0x16E0)>
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.690+420><thread=5856 (0x16E0)>
STATMSG: ID=8904 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=NACM01.na.HHCPR.HTN.CORP SITE=CAS PID=1632 TID=5856 GMTDATE=Sat Oct 26 17:56:51.690 2013 ISTR0="hotels.ad.HTN.corp" ISTR1="" ISTR2="" ISTR3="" ISTR4="2" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.690+420><thread=5856 (0x16E0)>
Entering function ReportForestDiscoverySuccessStatusMessage() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.781+420><thread=5856 (0x16E0)>
Raising discovery success status message for forest HHCPR.HTN.CORP, in which we discovered 1 site(s) and 0 subnet(s).~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.781+420><thread=5856 (0x16E0)>
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.781+420><thread=5856 (0x16E0)>
STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=NACM01.na.HHCPR.HTN.CORP SITE=CAS PID=1632 TID=5856 GMTDATE=Sat Oct 26 17:56:51.782 2013 ISTR0="HHCPR.HTN.CORP" ISTR1="" ISTR2="" ISTR3="" ISTR4="0" ISTR5="1" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.782+420><thread=5856 (0x16E0)>
Entering function GetUserCredentials() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.801+420><thread=5856 (0x16E0)>
ERROR: [ForestDiscoveryAgent]: Failed to connect to forest HGV.corp. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.~~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:56.785+420><thread=5856 (0x16E0)>
Entering function ReportForestConnectionFailureStatusMessage() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:56.792+420><thread=5856 (0x16E0)>
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:56.792+420><thread=5856 (0x16E0)>
STATMSG: ID=8904 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=NACM01.na.HHCPR.HTN.CORP SITE=CAS PID=1632 TID=5856 GMTDATE=Sat Oct 26 17:56:56.793 2013 ISTR0="HGV.corp" ISTR1="" ISTR2="" ISTR3="" ISTR4="2" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:56.793+420><thread=5856 (0x16E0)>
Entering function GetUserCredentials() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:56.797+420><thread=5856 (0x16E0)>
ERROR: [ForestDiscoveryAgent]: Failed to connect to forest HGV.com. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.~~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:01.797+420><thread=5856 (0x16E0)>
Entering function ReportForestConnectionFailureStatusMessage() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:01.800+420><thread=5856 (0x16E0)>
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:01.801+420><thread=5856 (0x16E0)>
STATMSG: ID=8904 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=NACM01.na.HHCPR.HTN.CORP SITE=CAS PID=1632 TID=5856 GMTDATE=Sat Oct 26 17:57:01.801 2013 ISTR0="HGV.com" ISTR1="" ISTR2="" ISTR3="" ISTR4="2" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:01.801+420><thread=5856 (0x16E0)>
Entering function GetUserCredentials() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:01.804+420><thread=5856 (0x16E0)>
Entering function ReportForestDiscoverySuccessStatusMessage() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.260+420><thread=5856 (0x16E0)>
Raising discovery success status message for forest AD.HTN.CORP, in which we discovered 1 site(s) and 0 subnet(s).~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.260+420><thread=5856 (0x16E0)>
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.261+420><thread=5856 (0x16E0)>
STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=NACM01.na.HHCPR.HTN.CORP SITE=CAS PID=1632 TID=5856 GMTDATE=Sat Oct 26 17:57:02.261 2013 ISTR0="AD.HTN.CORP" ISTR1="" ISTR2="" ISTR3="" ISTR4="0" ISTR5="1" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.261+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.282+420><thread=5856 (0x16E0)>
Trying to update forest fqdn for all site systems associated with site CAS $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.288+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.288+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::GetForestName() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.312+420><thread=5856 (0x16E0)>
~Trying to discover forest name for server NACM01.na.HHCPR.HTN.CORP. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.312+420><thread=5856 (0x16E0)>
Server NACM01.na.HHCPR.HTN.CORP belongs to forest HHCPR.HTN.CORP.~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.313+420><thread=5856 (0x16E0)>
Trying to update forest fqdn for all site systems associated with site CM2 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.503+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.504+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::GetForestName() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.528+420><thread=5856 (0x16E0)>
~Trying to discover forest name for server HQCM01.hq.AD.HTN.CORP. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.529+420><thread=5856 (0x16E0)>
Failed to get the domain basic info for machine HQCM01.hq.AD.HTN.CORP. Error returned is: 5 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.536+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::GetForestName() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.537+420><thread=5856 (0x16E0)>
~Trying to discover forest name for server HQCM01.hq.AD.HTN.CORP. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.537+420><thread=5856 (0x16E0)>
Failed to get the domain basic info for machine HQCM01.hq.AD.HTN.CORP. Error returned is: 5 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.549+420><thread=5856 (0x16E0)>
Entering function CActiveDirectoryForestDiscovery::GetForestName() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.549+420><thread=5856 (0x16E0)>
~Trying to discover forest name for server NACM02.na.HHCPR.HTN.CORP. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.549+420><thread=5856 (0x16E0)>
Server NACM02.na.HHCPR.HTN.CORP belongs to forest HHCPR.HTN.CORP.~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.585+420><thread=5856 (0x16E0)>
Finishing Active Directory Forest Discovery Manager thread. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.653+420><thread=5856 (0x16E0)>
=========================================================== $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.670+420><thread=5856 (0x16E0)>
Saturday, October 26, 2013 5:30 PM
Answers
"I am publishing site server information via AD Discovery to several other domains in one forest called ad.htn.corp. Although the publishing to the subdomains in ad.htn.corp (Hotels, HRCC and HQ) is throwing some errors everything is working in the ad.htn.corp forest."
First, note that it's called "forest" discovery. There is no reason to publish anything to multiple domains within a single forest because clients use global catalog lookups to find published information; thus it is sufficient to publish the info into a single domain within a forest, and it does not make sense to try to publish to multiple domains within a forest. This is most likely the root cause of these issues.
There are two errors in the above log.
1. "Failed to connect to forest X. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted."
This error occurs for all of the domains that you mentioned and is typical when SRV records for DCs in those remote domains cannot be found. Forest discovery relies on DNS name resolution of SRV records to locate a suitable DC to communicate with.
2. "Failed to get the domain basic info for machine HQCM01.hq.AD.HTN.CORP. Error returned is: 5"
Error code 5 = "Access Denied". Thus, the account being used to communicate with this domain does not have the required permissions. This looks to be the home domain of the ConfigMgr site server but I don't know that for sure. If it is, this is unusual because by default it uses the site server's computer account to query AD and (also) by default, all user and computer accounts within AD have permissions to read just about everything else in AD.
Jason | http://blog.configmgrftw.com
- Marked as answer by Angry Cartoon Sunday, October 27, 2013 12:28 AM
Saturday, October 26, 2013 9:27 PM
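Added example, not part of the original answer or of Configuration Manager: a small Python triage of the forest discovery log that separates the two failure classes described above and, for each forest that could not be contacted, lists the DC locator SRV name (`_ldap._tcp.dc._msdcs.<domain>`) that has to resolve from the site server. The function name `triage` and the result keys are assumptions made for this sketch; the sample lines are copied from the log in the question.

```python
import re

# Five lines copied from the forest discovery log posted in the question.
SAMPLE_LOG = """
ERROR: [ForestDiscoveryAgent]: Failed to connect to forest hq.ad.HTN.corp. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.~~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:51.492+420><thread=5856 (0x16E0)>
ERROR: [ForestDiscoveryAgent]: Failed to connect to forest HGV.corp. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.~~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:56:56.785+420><thread=5856 (0x16E0)>
Raising discovery success status message for forest AD.HTN.CORP, in which we discovered 1 site(s) and 0 subnet(s).~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.260+420><thread=5856 (0x16E0)>
Failed to get the domain basic info for machine HQCM01.hq.AD.HTN.CORP. Error returned is: 5 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.536+420><thread=5856 (0x16E0)>
Failed to get the domain basic info for machine HQCM01.hq.AD.HTN.CORP. Error returned is: 5 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><10-26-2013 10:57:02.549+420><thread=5856 (0x16E0)>
"""

# Line layout in this log: <message> $$<component><timestamp+bias><thread=N (0xN)>
LINE = re.compile(r"^(?P<msg>.*?)\s*\$\$<(?P<comp>[^>]+)><(?P<ts>[^>]+)><thread=\d+")
CONNECT_FAIL = re.compile(r"Failed to connect to forest (.+?)\. This can be")
BASIC_INFO_FAIL = re.compile(
    r"Failed to get the domain basic info for machine (\S+)\. Error returned is: (\d+)")
SUCCESS = re.compile(r"discovery success status message for forest (\S+),")
WIN32 = {5: "ERROR_ACCESS_DENIED"}  # Win32 error 5, as identified in the answer


def triage(log_text):
    """Group forest discovery results by the follow-up check each one needs."""
    out = {"srv_to_check": [], "host_errors": [], "discovered": []}

    def add(key, value):
        if value not in out[key]:  # the log repeats some failures
            out[key].append(value)

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group("comp") != "SMS_AD_FOREST_DISCOVERY_MANAGER":
            continue
        msg = m.group("msg")
        if (hit := CONNECT_FAIL.search(msg)):
            # Name-resolution class: this SRV record must resolve to a DC.
            add("srv_to_check", "_ldap._tcp.dc._msdcs." + hit.group(1).lower())
        elif (hit := BASIC_INFO_FAIL.search(msg)):
            # Permission class: keep the host and the decoded Win32 error.
            code = int(hit.group(2))
            add("host_errors", (hit.group(1), WIN32.get(code, str(code))))
        elif (hit := SUCCESS.search(msg)):
            add("discovered", hit.group(1))
    return out


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(key, values)
```

Each name in `srv_to_check` can then be queried from the site server, for example with `nslookup -type=SRV <name>`, to confirm that conditional forwarders for the remote forest actually return domain controllers.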
All replies
Impressive, Jason - you nailed each issue exactly. I fixed a misspelled conditional forwarder to enable SRV lookups, removed the sub-domains from AD Forest publishing, and used a new account for access. Voilà!
Thanks again for your time and attention.
Best,
--g
Saturday, October 26, 2013 10:04 PM