Domain is not discovered in untrusted forest

  • Question

  • I have the following setup.

    Domain A in forest A. ASCCM2012 is the primary server, with SCCM 2012 SP1 CU1 installed with MP, DP and SUP. Domain A is a 2008 R2 domain.
    Domain B in forest B, with MP, DP and SUP installed on BSCCM2012. Domain B is a 2012 domain.
    There is no trust between forest A and forest B. For testing, the firewalls on the SCCM servers are disabled. There is full network connectivity between the servers. I have set up a forest discovery account, SCCMADDiscover, which is created in domain B as a normal user.

    I have set up forest discovery (and thereby forest publishing) of forest B on the primary SCCM server.
    In the console, under "Active Directory Forests", it says that both the discovery and the publishing have been successful.
    But when I look at the "Domains" tab for forest B it says “No Items Found”.

    When I look in the ADForestDisc.log file I see the following errors:

    Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:20 7988 (0x1F34)
    ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException. Discovery will be attempted on next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function ReportForestDiscoverySuccessStatusMessage() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Raising discovery success status message for forest B, in which we discovered 1 site(s) and 0 subnet(s). SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=ASCCM2012 SITE=P01 PID=2344 TID=7988 GMTDATE=to maj 16 11:07:21.315 2013 ISTR0="AssensOpen.dk" ISTR1="" ISTR2="" ISTR3="" ISTR4="0" ISTR5="1" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to update forest fqdn for all site systems associated with site P01 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to discover forest name for server BSCCM2012. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Failed to get the domain basic info for machine BSCCM2012. Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to discover forest name for server BSCCM2012 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Failed to get the domain basic info for machine BSCCM2012 Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)

    As can be seen in the log file, it fails to get the forest name and domain name for the server BSCCM2012 in the untrusted domain. It gets an error 5, which I assume is Access Denied.
    I have tried to give the SCCMADDiscover account domain and enterprise admin rights, but that did not help. I have also tried to add SCCMADDiscover to the local admin group on the BSCCM2012 server, but that didn’t help either.

    It also seems that the data is not saved correctly.
    ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException

    Where is it that the SCCMADDiscover account has insufficient rights?

    Thomas Forsmark Soerensen

    • Edited by Forsmark Thursday, May 16, 2013 1:47 PM
    Thursday, May 16, 2013 12:08 PM
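The log excerpt above is the only hard evidence in the post, so the first step is to read it precisely rather than trust the "discovery successful" status in the console. The following Python script is an added example, not code from the original thread or from ConfigMgr. It parses the component-log line format shown above ("<message> <COMPONENT> <dd-MM-yyyy HH:mm:ss> <thread id> (0xHEX)"), pulls the Win32 error codes out of the "Error returned is:" messages, and reports the mismatch the poster describes: a forest marked successful (1 site, 0 subnets) while every domain-info query against BSCCM2012 is refused with error 5 and the domain record is never saved. The sample log is taken from the post; the error-code names come from winerror.h and the mapping table is the example's own assumption.

```python
"""Triage helper for an SCCM ADForestDisc.log excerpt.

Added example, not part of the original forum post or of ConfigMgr.
Parses the component-log line format shown in the thread and reports
why a forest that the console marks as "discovered" still shows no
domains: the per-machine queries are denied, so the domain is never saved.
"""
import re
from datetime import datetime

# Win32 system error codes that commonly surface in this log.
# Names are from winerror.h; choosing this subset is the example's own assumption.
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    53: "ERROR_BAD_NETPATH",
    1326: "ERROR_LOGON_FAILURE",
    1355: "ERROR_NO_SUCH_DOMAIN",
}

# "<message> <COMPONENT> <dd-MM-yyyy HH:mm:ss> <tid> (0xHEX)"
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>SMS_[A-Z0-9_]+)\s+"
    r"(?P<date>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<tid>\d+)\s+\((?P<tid_hex>0x[0-9A-Fa-f]+)\)\s*$"
)
BASIC_INFO_RE = re.compile(
    r"Failed to get the domain basic info for machine (?P<machine>[^\s.]+)\.?\s+"
    r"Error returned is: (?P<code>\d+)"
)
SAVE_RE = re.compile(
    r"Failed to save data for domain (?P<domain>\S+) in forest (?P<forest>\S+) "
    r"due to (?P<exc>\w+)"
)
SUCCESS_RE = re.compile(
    r"discovery success status message for forest (?P<forest>\S+), in which we "
    r"discovered (?P<sites>\d+) site\(s\) and (?P<subnets>\d+) subnet\(s\)"
)

# Lines copied from the ADForestDisc.log excerpt in the post.
SAMPLE_LOG = """
Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:20 7988 (0x1F34)
ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException. Discovery will be attempted on next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Raising discovery success status message for forest B, in which we discovered 1 site(s) and 0 subnet(s). SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Trying to discover forest name for server BSCCM2012. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Failed to get the domain basic info for machine BSCCM2012. Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Trying to discover forest name for server BSCCM2012 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Failed to get the domain basic info for machine BSCCM2012 Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
"""


def parse_line(line):
    """Split one component-log line into message, component, timestamp and thread id."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec["date"], "%d-%m-%Y %H:%M:%S")
    return rec


def analyze(log_text):
    """Collect per-machine query failures, failed domain saves, and the success
    status messages the component raised in spite of them."""
    summary = {"basic_info_failures": [], "save_failures": [], "success_messages": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := BASIC_INFO_RE.search(msg):
            code = int(m["code"])
            summary["basic_info_failures"].append({
                "machine": m["machine"], "code": code,
                "name": WIN32_ERRORS.get(code, "UNKNOWN"), "timestamp": rec["timestamp"],
            })
        elif m := SAVE_RE.search(msg):
            summary["save_failures"].append(
                {"domain": m["domain"], "forest": m["forest"], "exception": m["exc"]})
        elif m := SUCCESS_RE.search(msg):
            summary["success_messages"].append(
                {"forest": m["forest"], "sites": int(m["sites"]), "subnets": int(m["subnets"])})
    return summary


def verdict(summary):
    """One-line reading of the summary: which machines refused the query, and
    which domain records were consequently never written."""
    denied = sorted({f["machine"] for f in summary["basic_info_failures"] if f["code"] == 5})
    if not denied:
        return "No access-denied failures found."
    forests = ", ".join(f"{s['forest']} ({s['sites']} site(s), {s['subnets']} subnet(s))"
                        for s in summary["success_messages"])
    saves = ", ".join(f"{s['domain']} in {s['forest']}: {s['exception']}"
                      for s in summary["save_failures"])
    return (f"Status 'success' for forest(s) {forests or 'n/a'} masks ERROR_ACCESS_DENIED (5) "
            f"on domain-info queries to {', '.join(denied)}; domain record(s) not saved: "
            f"{saves or 'none'}")


if __name__ == "__main__":
    print(verdict(analyze(SAMPLE_LOG)))
```

Run it against a real ADForestDisc.log by replacing SAMPLE_LOG with the file contents; the point of the verdict line is that the site/subnet count in the success status message is computed before the per-machine queries, so it does not tell you whether the domain itself was saved. Error 5 on "domain basic info" is returned by the target machine or domain controller, not by the site database, which is why granting the discovery account rights in the site database has no effect on it.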

All replies

  • Are you specifying a discovery account that resides IN the domain that you want to discover information from?

    My Personal Blog: http://madluka.wordpress.com

    Thursday, May 16, 2013 1:17 PM
  • Yes. As I wrote:

    SCCMADDiscover is created in Domain B, which is the untrusted domain.


    Thomas Forsmark Soerensen

    Thursday, May 16, 2013 1:49 PM
  • Did you find a solution for this? I have exactly the same problem with the same setup.
    Thursday, February 13, 2014 9:41 AM
  • No, I am afraid not.

    I think I just kind of accepted that it was like this...

    Please let me know if you find any solution to this problem.

    Thomas Forsmark Soerensen

    Thursday, February 13, 2014 9:50 AM
  • Thank you very much for your quick reply.

    I'm still trying to figure out what it is.

    I've seen a difference, however, in how the forests have been created. I have 2 forests configured in SCCM: one for the production domain and the other one (with the problem) for the untrusted forest. The production one has a "Created by" with my username.

    The untrusted forest, however, has a "Created by" pointing to one of my primary site server computer accounts. The strange thing is, when I delete the forest in the SCCM console and create it again by hand, it still has the "Created By" set to the same primary site server computer account and a "Date Created" timestamp from yesterday, when it was initially created. I wonder if the problem has something to do with the forest entry in the database being automatically created. The fact that it cannot be deleted properly makes me wonder if the record is in one way or another broken.

    Thursday, February 13, 2014 9:59 AM
  • Hi again,

    I have my administrator as "created by" on both forests.

    Thomas Forsmark Soerensen

    Thursday, February 13, 2014 10:05 AM
  • Thanks for letting me know. This means that this is not the root cause, so I can focus on other things.

    There's also another problem; I'm not sure if it is related to the Forest Discovery, and I wonder if it's the same for you. I will create a separate topic if it's not related, but maybe you can confirm from your side. For the computers which have been discovered in the untrusted forest, when I go to the properties of a system, the property "System OU Name" changes from time to time. When I look at the property throughout the day for different systems, it's sometimes empty, sometimes shows the complete OU paths and sometimes just the single OU containers. For example, when a system is located in EU\COMPUTERS\SERVERS, sometimes the whole path is shown (like for all systems in the trusted forest) and sometimes it just shows "EU";"COMPUTERS";"SERVERS" or it's just empty. All for the same system at different times throughout the day. It's like it's not able to grab the complete OU paths. I have no error in the AD System Discovery log, so I wonder if this is related to the Forest Discovery too.

    This makes it impossible to build collections based on System OUs, so I am using the DN currently (which is populated properly).

    Thursday, February 13, 2014 1:41 PM
  • I have just checked a few systems in my SCCM and they all have the whole list of OUs present as the "System OU Name". I have not been aware of any problems like you describe with missing/wrong "System OU Name".

    How do you check it? Do you just look at some computer objects in the SCCM console, or do you have a report or SQL statement that can list the "System OUs" so you can monitor any changes?

    Thomas Forsmark Soerensen

    Thursday, February 13, 2014 1:54 PM
  • Thanks again, this is saving a lot of time and helps me not to search in the wrong spot. Since this is a brand new forest, there are not many systems, and since I deployed SCCM there only yesterday, I keep my eye on the logs and systems from time to time. So no, there's no script. I just open the properties of one of the computers in the management console to have a quick look at the discovered properties. Since the OU problem is clearly not related to the Forest Discovery, I'll now try to keep it away from this thread :-)

    I have another untrusted forest and I'm tempted to deploy SCCM there too, even if it's just to see if the AD Forest Discovery behaves the same. If I find time to do so and the outcome is different, be sure that I'll post it here.

    Thursday, February 13, 2014 2:02 PM
  • I promised to come back to this when I had installed SCCM in that other untrusted forest, and there the domain is discovered. Everything was installed exactly the same (same steps, same permissions etc.) as in the previous domain, so I can't tell why it works for one forest and not for the other one. This seems to be random. But since everything else works perfectly fine on both forests, it's more a cosmetic problem than a real issue which limits functionality.
    Thursday, May 8, 2014 11:16 AM