Active Directory System Discovery errors

Question

  • We are trying to get Active Directory System Discovery going for a non-trusted domain that does not have DNS replicated into the same domain that Configuration Manager resides in. We get the following error in the adsysdis.log file.

    We had to add the name of the LDAP machine or domain (dmzdomain.local) to the local hosts file or it would not resolve. We tried to connect using a domain admin level user, but that didn't seem to work.

    I am able to browse Active Directory on the same Configuration Manager machine with Softerra's LDAP browser, using the same domain admin account configured in SCCM.

    Any ideas on what might be causing our problem?

    INFO: -------- Starting to process search scope (LDAP://DC=dmzdomain,DC=local) --------  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:04.187+300><thread=808 (0x328)>
    INFO: Processing search path: 'LDAP://DC=dmzdomain,DC=LOCAL'.~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:04.188+300><thread=808 (0x328)>
    INFO: Impersonating user [dmzdomain\OSCOM-ACTION] to discover objects.  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:04.212+300><thread=808 (0x328)>
    INFO: Incremental synchronization requested~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:04.214+300><thread=808 (0x328)>
    INFO: CADSource::incrementalSync returning 0x00000001~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:04.216+300><thread=808 (0x328)>
    ERROR: Failed to bind to 'LDAP://DC=dmzdomain,DC=LOCAL' (0x8007054B)~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:06.480+300><thread=808 (0x328)>
    INFO: CADSource::fullSync returning 0x8007054B~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:06.481+300><thread=808 (0x328)>
    INFO: Reverting from impersonated user to default user.  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:06.483+300><thread=808 (0x328)>
    ERROR: Failed to enumerate directory objects in AD container LDAP://DC=dmzdomain,DC=LOCAL  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:06.484+300><thread=808 (0x328)>
    STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=PROD-CONFMGR.DOMAIN.LOCAL SITE=P01 PID=7584 TID=808 GMTDATE=Mon Jun 03 18:10:06.486 2013 ISTR0="LDAP://DC=dmzdomain,DC=LOCAL" ISTR1="The specified domain either does not exist or could not be contacted.~~" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:06.486+300><thread=808 (0x328)>
    INFO: -------- Finished to process search scope (LDAP://DC=dmzdomain,DC=local) --------  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 13:10:06.488+300><thread=808 (0x328)>


    • Edited by Lance Lyons Friday, September 19, 2014 12:25 AM
    Monday, June 3, 2013 10:14 PM

Answers

  • The account which you are using should have discover permission in Active Directory. This should be delegated from AD. By default all AD accounts have read permission, but SCCM needs discover permission to import the data from AD. Either you can delegate the permission or assign domain admin rights to the account you use, which is not a recommended approach. http://support.microsoft.com/kb/303972?wa=wsignin1.0

    Regards, Anoop
    Mark as answer if it helps.
    Tuesday, June 4, 2013 12:46 PM

All replies

  • 0x8007054b = "The specified domain either does not exist or could not be contacted."

    Not sure what you are looking for here. If the site server can't find the domain and/or a DC and resolve their names to an IP address, it can't connect to them to query them.


    Jason | http://blog.configmgrftw.com

    Tuesday, June 4, 2013 1:37 AM
  • Sorry for all the questions, and thanks for responding. I guess I wasn't clear. I can't figure out what might be causing our issue of not seeing the domain we are trying to discover.

    From the same server that Configuration Manager is installed on (the site server), we can browse Active Directory for the domain in question using an LDAP browser utility.

    We had to add our domain (dmzdomain.local) to the hosts file, but that allows us to browse with the Softerra browser. However, using the same LDAP URL in Configuration Manager, we are not able to see the specified domain, or it can't be contacted.

    What is different about Configuration Manager's contact/connection approach that makes it not work?

    In the Adforestdisc log file, we also have this:

    Entering function GetUserCredentials()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><06-03-2013 23:33:29.195+300><thread=5548 (0x15AC)>
    ERROR: [ForestDiscoveryAgent]: Failed to connect to forest dmzdomain.local. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.~~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><06-03-2013 23:33:34.062+300><thread=5548 (0x15AC)>

    dmzdomain.local is there, because I can browse it in the LDAP browser, but just not from Configuration Manager.

    Perhaps adding dmzdomain.local to the hosts file doesn't work for Configuration Manager? I noticed that when I had another dmzdomain machine that I wanted to set up as an MP and DP, I added it to the hosts file as well, but Configuration Manager kept complaining that it could not find this machine.


    • Edited by Lance Lyons Friday, September 19, 2014 12:26 AM
    Tuesday, June 4, 2013 4:50 AM
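The post above asks what differs between an LDAP browser that works once dmzdomain.local is in the hosts file and a Configuration Manager search scope that reports 0x8007054B. The PowerShell below is an added diagnostic for this thread; it is not code from Configuration Manager or from any of the posters. Run on the site server, it separates the two paths: a server-qualified bind to a named DC (all an LDAP browser needs, satisfiable by a hosts-file entry) and a serverless bind to the domain, which goes through the Windows DC locator and therefore depends on the domain's `_ldap._tcp` SRV records, which a hosts file cannot provide. It also decodes the two codes in the logs and probes the RPC and LDAP ports a site-name lookup and bind need. The domain name, DC name and discovered system name are placeholders taken from the thread's own log lines; the credential prompt, the `Test-TcpPort` helper and the use of `Resolve-DnsName` (Windows 8 / Server 2012 or later) are assumptions of this example.

```powershell
# Added diagnostic for this thread; not part of Configuration Manager and not the posters' code.
# Placeholders taken from the thread's logs: the remote domain, one of its DCs, one discovered system.
param(
    [string]$Domain           = 'dmzdomain.local',
    [string]$DcHostName       = 'DC03.dmzdomain.local',
    [string]$DiscoveredSystem = 'LT-RSWEB02',
    [pscredential]$Credential = (Get-Credential -Message 'Account configured for AD System Discovery')
)
Add-Type -AssemblyName System.DirectoryServices

# 1. Decode the codes seen in adsysdis.log. An HRESULT of the form 0x8007xxxx wraps a Win32
#    error in its low 16 bits: 0x54B = 1355 = ERROR_NO_SUCH_DOMAIN. 1722 is already a Win32 code
#    (RPC_S_SERVER_UNAVAILABLE).
foreach ($raw in 0x8007054B, 1722) {
    $win32 = $raw -band 0xFFFF
    $text  = (New-Object System.ComponentModel.Win32Exception($win32)).Message
    '{0,-10} -> Win32 {1,5}: {2}' -f ('0x{0:X8}' -f $raw), $win32, $text
}

# 2. Server-qualified bind: connect to a DC by name, which is what an LDAP browser does.
#    It only needs the DC's name to resolve to an address, so a hosts-file entry is enough.
$baseDn = 'DC=' + ($Domain -replace '\.', ',DC=')      # dmzdomain.local -> DC=dmzdomain,DC=local
$user   = $Credential.UserName
$pass   = $Credential.GetNetworkCredential().Password
try {
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcHostName/$baseDn", $user, $pass)
    $null  = $entry.NativeObject                        # forces the bind to happen now
    "Server-qualified bind to $DcHostName OK: $($entry.distinguishedName)"
} catch { "Server-qualified bind to $DcHostName FAILED: $($_.Exception.Message)" }

# 3. Serverless bind: the search scope LDAP://DC=dmzdomain,DC=local names no server, so Windows
#    must locate a DC first (DsGetDcName). That lookup asks DNS for SRV records, not for an A
#    record, so a hosts-file entry for the domain name does not satisfy it. This path returns 1355.
try {
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain, $user, $pass)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    "Serverless bind to $Domain OK via DC $($dom.PdcRoleOwner.Name)"
} catch { "Serverless bind to $Domain FAILED: $($_.Exception.Message)" }

# 4. Show what the locator needs: the SRV record for the domain's DCs, and the locator's own verdict.
#    Resolve-DnsName requires Windows 8 / Server 2012 or later; nltest is present on any domain member.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
try   { Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop | Select-Object Name, NameTarget, Port }
catch { "No SRV answer for $srv : $($_.Exception.Message)" }
nltest "/dsgetdc:$Domain" /force

# 5. DsAddressToSiteNames (error 1722) is an RPC call to the DC, and writing the DDR needs the
#    discovered system's name to resolve from the site server. Probe both. (Assumed helper.)
function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
foreach ($port in 135, 389) {
    'TCP {0}:{1} reachable: {2}' -f $DcHostName, $port, (Test-TcpPort $DcHostName $port)
}
try   { "$DiscoveredSystem resolves to $([System.Net.Dns]::GetHostAddresses($DiscoveredSystem) -join ', ')" }
catch { "$DiscoveredSystem does not resolve from the site server: $($_.Exception.Message)" }
```

If step 2 succeeds while step 3 fails with "The specified domain either does not exist or could not be contacted", the site server can reach the DC but cannot locate it, which is the hosts-file-only situation described in the thread: the fix on the name-resolution side is a conditional forwarder or stub zone for dmzdomain.local on the site server's DNS, not more hosts entries. Port 135 unreachable in step 5 matches the 1722 results in the later post, since the site-name lookup runs over RPC rather than LDAP.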
  • New info: I changed the domain admin account that I am using for discovery and I am getting a different result.

    ERROR: DsAddressToSiteNames Failed . Error: 1722~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:07.746+300><thread=6916 (0x1B04)>
    ERROR: Unable to get AD site name for system WebMachine, DS Error=1722. Win32 Error=0~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:07.748+300><thread=6916 (0x1B04)>
    INFO: DDR was written for system 'LT-RSWEB02' - E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\ads3be4q.DDR at 6/3/2013 23:35:1.~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:07.752+300><thread=6916 (0x1B04)>
    INFO: discovered object with ADsPath = 'LDAP://DC03.dmzdomain.LOCAL/CN=machinename,OU=DMZ Servers,OU=Servers,DC=dmzdomain,DC=local'~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:07.754+300><thread=6916 (0x1B04)>
      $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:07.757+300><thread=6916 (0x1B04)>
      $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:07.758+300><thread=6916 (0x1B04)>
    ERROR: DsAddressToSiteNames Failed . Error: 1722~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:26.670+300><thread=6916 (0x1B04)>
    ERROR: Unable to get AD site name for system Machinename, DS Error=1722. Win32 Error=0~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:26.672+300><thread=6916 (0x1B04)>
    INFO: DDR was written for system 'LT-SSOWEB01' - E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\ads4qbqs.DDR at 6/3/2013 23:35:1.~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:26.677+300><thread=6916 (0x1B04)>
    INFO: discovered object with ADsPath = 'LDAP://DC03.dmzdomain.LOCAL/CN=MachineName,OU=DMZ Servers Secondary,OU=Servers,DC=dmzdomaine,DC=local'~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:26.679+300><thread=6916 (0x1B04)>
      $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:26.683+300><thread=6916 (0x1B04)>
      $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:26.684+300><thread=6916 (0x1B04)>
    ERROR: DsAddressToSiteNames Failed . Error: 1722~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><06-03-2013 23:49:26.687+300><thread=6916 (0x1B04)>


    • Edited by Lance Lyons Friday, September 19, 2014 12:28 AM
    Tuesday, June 4, 2013 4:59 AM
  • I think that your SCCM site server must be able to resolve (DNS) your discovered systems in your remote forest to create the DDR.

    • Edited by jdulongc Tuesday, June 4, 2013 9:18 AM
    Tuesday, June 4, 2013 9:17 AM
  • What was interesting is that the account I was initially using for discovery was a domain admin in the domain I am trying to discover. I changed to a domain admin account for the domain SCCM sits in, and that seemed to work better.

    Tuesday, June 4, 2013 1:17 PM