SCCM System discovery and Multiple domains

 
SCCM System discovery and Multiple domains - 6/3/2008 6:35:31 PM   
ldegroot

 

Posts: 47
Score: 0
Joined: 4/28/2007
Status: offline
Hi all

I have just installed SCCM in a Single Forest, 2 Domain infrastructure for a client and when I do an AD System discovery on the Domain 2, it only allows me to see the first?

I have the Central site in Domain 1, and no SCCM infrastructure in Domain 2 (yet)

How will I be able to see the computers objects from the Domain 2 in the console? There is a two way trust in place.

1) Do I have to have an account in the Domain 2, login with that account to the Central site and then try the Discovery again?
2) Also, if this is the answer, how would I be able to get all the computer objects from Domain 2 to show in the console?

Cheers



Post #: 1
RE: SCCM System discovery and Multiple domains - 6/4/2008 3:28:05 AM   
iglatz


Posts: 821
Score: 22
Joined: 9/21/2001
From: Erding, Bavaria - Germany
Status: offline
Does the machine name of the SCCM server have READ rights on the second domain? Usually, if you do have 2 way trusts, there shouldn't be an access issue. I'm at a site with about 7 different domains and can select each individual domain for AD system discovery.

When you specify a local AD location, are you selecting "local domain" or "local forest"? I only get all domains displayed with "local forest" selection.

(in reply to ldegroot)
Post #: 2
RE: SCCM System discovery and Multiple domains - 6/4/2008 3:57:46 AM   
sudhir1982

 

Posts: 1
Score: 0
Joined: 6/4/2008
Status: offline
Hi,

Seems like SCCM does not have the required access to the other domain in the forest. SCCM uses the system account for the LDAP query, and it needs at least user rights on the target domain. More information at
http://technet.microsoft.com/en-us/library/bb932200(TechNet.10).aspx

After you have the required permissions on the other domain, you could enable verbose logging for the discovery and check the log (adsysdis.log) for more information.

Keep me updated




_____________________________

Regards,
Sudhir

(in reply to ldegroot)
Post #: 3
RE: SCCM System discovery and Multiple domains - 7/3/2008 2:01:21 AM   
ldegroot

 

Posts: 47
Score: 0
Joined: 4/28/2007
Status: offline
Sorry for the long time between updates

I have investigated this further and found that the DC in the second domain I am querying has both INFRA and Global catalog enabled on the same machine. We are currently running in a Windows 2000 domain.

http://support.microsoft.com/kb/197132

quote:



NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.


Could this be causing the fact I cannot see the second domain, even though I have set perms on the second domain root for the Universal group that the SCCM computer account belongs to?


Cheers

(in reply to sudhir1982)
Post #: 4
RE: SCCM System discovery and Multiple domains - 7/7/2008 3:36:38 PM   
brpo

 

Posts: 22
Score: 0
Joined: 8/11/2006
Status: offline
Hi
If this is the only DC in this domain, then there is no problem (if you have more, the roles should be separate).
If I remember well, you don't see the other domain in your console. This is a 'normal problem'. Just define the discovery paths manually, entering the domain and OUs the same way it's been done via the console for the first domain.
Discovery should work without problem once you've updated the list manually.

(in reply to ldegroot)
Post #: 5
RE: SCCM System discovery and Multiple domains - 7/7/2008 6:21:14 PM   
ldegroot

 

Posts: 47
Score: 0
Joined: 4/28/2007
Status: offline
quote:

ORIGINAL: sudhir1982

Hi,

Seems like SCCM does not have the required access to the other domain in the forest. SCCM uses the system account for the LDAP query, and it needs at least user rights on the target domain. More information at
http://technet.microsoft.com/en-us/library/bb932200(TechNet.10).aspx

After you have the required permissions on the other domain, you could enable verbose logging for the discovery and check the log (adsysdis.log) for more information.

Keep me updated




Hi Sudhir

Here is an excerpt from the adsys.log

ERROR: Failed to bind to AD Object LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU, error=A referral was returned from the server.~~  -- Extended Error --- LDAP Provider : 0000202B: RefErr: DSID-031006E0, data 0, 1 access points~ ref 1: 'otherdomain.com.au'~. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)
ERROR: Failed to enumerate directory objects in AD container LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)
STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=CCM01 SITE=SYD PID=5896 TID=5436 GMTDATE=Mon Jul 07 22:11:30.031 2008 ISTR0="LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU" ISTR1="A referral was returned from the server.~~  -- Extended Error --- LDAP Provider : 0000202B: RefErr: DSID-031006E0, data 0, 1 access points~ ref 1: 'otherdomain.com.au'~" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)
STATMSG: ID=5203 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=CCM01 SITE=SYD PID=5896 TID=5436 GMTDATE=Mon Jul 07 22:11:30.031 2008 ISTR0="722" ISTR1="0" ISTR2="722" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)
STATMSG: ID=5202 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=CCM01 SITE=SYD PID=5896 TID=5436 GMTDATE=Mon Jul 07 22:11:30.031 2008 ISTR0="2" ISTR1="3642" ISTR2="2920" ISTR3="722" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)




I have applied read access to all objects including child objects on the second domain, but at this stage as there is more than one DC in the second domain AND the site server is NOT part of the domain users group on the second domain, I think that is still preventing this from working.

Will get to the bottom of this and let you guys know

Thanks for all the help thus far to all concerned, much appreciated!

(in reply to sudhir1982)
Post #: 6
RE: SCCM System discovery and Multiple domains - 7/7/2008 6:22:31 PM   
ldegroot

 

Posts: 47
Score: 0
Joined: 4/28/2007
Status: offline
quote:

ORIGINAL: brpo

Hi
If this is the only DC in this domain, then there is no problem (if you have more, the roles should be separate).
If I remember well, you don't see the other domain in your console. This is a 'normal problem'. Just define the discovery paths manually, entering the domain and OUs the same way it's been done via the console for the first domain.
Discovery should work without problem once you've updated the list manually.


Hi brpo...

I entered the path manually, and got the result as shown in the above post ...

(in reply to brpo)
Post #: 7
RE: SCCM System discovery and Multiple domains - 7/7/2008 9:40:29 PM   
ldegroot

 

Posts: 47
Score: 0
Joined: 4/28/2007
Status: offline
Brpo

My mistake, I had the incorrect LDAP string for the second domain. I went back to it and noticed the error, corrected this and it's working now..

THANK YOU VERY MUCH :)

Cheers

(in reply to ldegroot)
Post #: 8
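
A triage helper for the kind of excerpt posted in post #6, added here as an example (not code from any poster or from Configuration Manager): it pulls each failed bind out of the discovery log with the LDAP path that was configured, the extended error code and the referral target, and reports whether the path's DC= components spell the same DNS name as the referral. The function names and the third sample line are constructed for illustration.

```python
import re

# Lines 1-2 are copied from the excerpt in post #6. Line 3 is constructed for
# illustration: its path and referral target are made-up names.
SAMPLE_LOG = (
    "ERROR: Failed to bind to AD Object LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU, "
    "error=A referral was returned from the server.~~  -- Extended Error --- "
    "LDAP Provider : 0000202B: RefErr: DSID-031006E0, data 0, 1 access points~ "
    "ref 1: 'otherdomain.com.au'~. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)\n"
    "ERROR: Failed to enumerate directory objects in AD container "
    "LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)\n"
    "ERROR: Failed to bind to AD Object LDAP://OU=PCs,DC=BRANCH,DC=EXAMPLE, "
    "error=A referral was returned from the server.~~  -- Extended Error --- "
    "LDAP Provider : 0000202B: RefErr: DSID-031006E0, data 0, 1 access points~ "
    "ref 1: 'branch.example.test'~. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:12:01 AM 5436 (0x153C)\n"
)

BIND_FAIL = re.compile(r"Failed to bind to AD Object LDAP://(?P<dn>.+?), error=")
EXT_CODE = re.compile(r"LDAP Provider : ([0-9A-Fa-f]{8})")
REFERRAL = re.compile(r"ref \d+: '([^']+)'")

def dn_to_dns(dn):
    """Join the DC= components of a distinguished name into a DNS domain name."""
    parts = re.split(r"(?<!\\),", dn)  # split on commas that are not escaped
    labels = [p.split("=", 1)[1].strip() for p in parts
              if p.strip().upper().startswith("DC=")]
    return ".".join(labels).lower()

def bind_failures(log_text):
    """Return one record per 'Failed to bind' line in an adsysdis.log excerpt."""
    records = []
    for line in log_text.splitlines():
        m = BIND_FAIL.search(line)
        if not m:
            continue
        code = EXT_CODE.search(line)
        refs = [r.lower() for r in REFERRAL.findall(line)]
        path_domain = dn_to_dns(m.group("dn"))
        records.append({
            "path": "LDAP://" + m.group("dn"),
            "ldap_code": code.group(1) if code else None,
            "referrals": refs,
            "path_domain": path_domain,
            "path_matches_referral": path_domain in refs,
        })
    return records

if __name__ == "__main__":
    print(*bind_failures(SAMPLE_LOG), sep="\n")
```

For the line taken from the thread the two names agree, so the comparison alone does not pinpoint the fault; the record still puts the exact configured path string next to the directory's answer so the path can be re-checked character by character.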