SCCM System discovery and Multiple domains (Full Version)






ldegroot -> SCCM System discovery and Multiple domains (6/3/2008 6:35:31 PM)

Hi all

I have just installed SCCM in a Single Forest, 2 Domain infrastructure for a client and when I do an AD System discovery on the Domain 2, it only allows me to see the first?

I have the Central site in Domain 1, and no SCCM infrastructure in Domain 2 (yet)

How will I be able to see the computers objects from the Domain 2 in the console? There is a two way trust in place.

1) Do I have to have an account in the Domain 2, login with that account to the Central site and then try the Discovery again?
2) Also, if this is the answer, how would I be able to get all the computer objects from Domain 2 to show in the console?

Cheers







iglatz -> RE: SCCM System discovery and Multiple domains (6/4/2008 3:28:05 AM)

Does the machine name of the SCCM server have READ rights on the second domain? Usually, if you do have 2 way trusts, there shouldn't be an access issue. I'm at a site with about 7 different domains and can select each individual domain for AD system discovery.

When you specify a local AD location, are you selecting "local domain" or "local forest"? I only get all domains displayed with "local forest" selection.




sudhir1982 -> RE: SCCM System discovery and Multiple domains (6/4/2008 3:57:46 AM)

Hi,

Seems like the SCCM does not have the required access to the other domain in the forest. SCCM uses the system account for the LDAP query, and it needs at least user rights on the target domain. More information at
http://technet.microsoft.com/en-us/library/bb932200(TechNet.10).aspx

After you have the required permissions on the other domain, you could enable the verbose logging for the discovery and check the log (adsysdis.log) for more information.

Keep me updated [8|]






ldegroot -> RE: SCCM System discovery and Multiple domains (7/3/2008 2:01:21 AM)

Sorry for the long time between updates

I have investigated this further and found that the DC in the second domain I am querying has both INFRA and Global catalog enabled on the same machine. We are currently running in a Windows 2000 domain.

http://support.microsoft.com/kb/197132

quote:



NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.


Could this be causing the fact I cannot see the second domain, even though I have set perms on the second domain root for the Universal group that the SCCM computer account belongs to?


Cheers




brpo -> RE: SCCM System discovery and Multiple domains (7/7/2008 3:36:38 PM)

Hi
If this is the only DC in this domain, then there is no problem (if you have more, the roles should be separate)
If I remember well, you don't see the other domain in your console. This is a 'normal problem'. Just define the discovery paths manually, entering the domain and OUs the same way it's been done via the console for the first domain.
Discovery should work without problem once you've updated the list manually.




ldegroot -> RE: SCCM System discovery and Multiple domains (7/7/2008 6:21:14 PM)

quote:

ORIGINAL: sudhir1982

Hi,

Seems like the SCCM does not have the required access to the other domain in the forest. SCCM uses the system account for the LDAP query, and it needs at least user rights on the target domain. More information at
http://technet.microsoft.com/en-us/library/bb932200(TechNet.10).aspx

After you have the required permissions on the other domain, you could enable the verbose logging for the discovery and check the log (adsysdis.log) for more information.

Keep me updated [8|]




Hi Sudhir

Here is an excerpt from the adsys.log

ERROR: Failed to bind to AD Object LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU, error=A referral was returned from the server.~~  -- Extended Error --- LDAP Provider : 0000202B: RefErr: DSID-031006E0, data 0, 1 access points~ ref 1: 'otherdomain.com.au'~. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)
ERROR: Failed to enumerate directory objects in AD container LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)
STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=CCM01 SITE=SYD PID=5896 TID=5436 GMTDATE=Mon Jul 07 22:11:30.031 2008 ISTR0="LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU" ISTR1="A referral was returned from the server.~~  -- Extended Error --- LDAP Provider : 0000202B: RefErr: DSID-031006E0, data 0, 1 access points~ ref 1: 'otherdomain.com.au'~" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)
STATMSG: ID=5203 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=CCM01 SITE=SYD PID=5896 TID=5436 GMTDATE=Mon Jul 07 22:11:30.031 2008 ISTR0="722" ISTR1="0" ISTR2="722" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)
STATMSG: ID=5202 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=CCM01 SITE=SYD PID=5896 TID=5436 GMTDATE=Mon Jul 07 22:11:30.031 2008 ISTR0="2" ISTR1="3642" ISTR2="2920" ISTR3="722" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)




I have applied read access to all objects including child objects on the second domain, but at this stage as there is more than one DC in the second domain AND the site server is NOT part of the domain users group on the second domain, I think that is still preventing this from working.

Will get to the bottom of this and let you guys know

Thanks for all the help thus far to all concerned, much appreciated!




ldegroot -> RE: SCCM System discovery and Multiple domains (7/7/2008 6:22:31 PM)

quote:

ORIGINAL: brpo

Hi
If this is the only DC in this domain, then there is no problem (if you have more, the roles should be separate)
If I remember well, you don't see the other domain in your console. This is a 'normal problem'. Just define the discovery paths manually, entering the domain and OUs the same way it's been done via the console for the first domain.
Discovery should work without problem once you've updated the list manually.


Hi brpo...

I entered the path manually, and got the result as shown in the above post ...




ldegroot -> RE: SCCM System discovery and Multiple domains (7/7/2008 9:40:29 PM)

Brpo

My mistake, I had the incorrect LDAP string for the second domain. I went back to it and noticed the error, corrected this and it's working now.

THANK YOU VERY MUCH :)

Cheers
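
The log excerpt in this thread fails with a referral (extended code 0000202B), not an access-denied error, which points at the discovery path itself rather than at permissions. As an added example that is not part of the original thread, this Python sketch pulls each failed bind out of adsysdis.log-style text and reports the path, the domain it implies, the extended LDAP code and any referral targets; the function names and the sample string are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the two ERROR lines quoted in the thread.
SAMPLE_LOG = (
    "ERROR: Failed to bind to AD Object LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU, "
    "error=A referral was returned from the server.~~  -- Extended Error --- "
    "LDAP Provider : 0000202B: RefErr: DSID-031006E0, data 0, 1 access points~ "
    "ref 1: 'otherdomain.com.au'~. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)\n"
    "ERROR: Failed to enumerate directory objects in AD container "
    "LDAP://DC=OTHERDOMAIN,DC=COM,DC=AU SMS_AD_SYSTEM_DISCOVERY_AGENT 8/07/2008 8:11:30 AM 5436 (0x153C)\n"
)

ERROR_DS_REFERRAL = 0x202B  # Win32 error 8235, "A referral was returned from the server"

BIND_FAIL = re.compile(r"Failed to bind to AD Object (LDAP://.+?), error=(.*?)(?:~~|$)")
EXT_CODE = re.compile(r"LDAP Provider : ([0-9A-Fa-f]{8}):")
REFERRAL = re.compile(r"ref \d+: '([^']+)'")


def dn_to_dns(ldap_path):
    """Turn LDAP://[server/]OU=x,DC=a,DC=b into the DNS name 'a.b'."""
    dn = ldap_path[len("LDAP://"):]
    head, sep, tail = dn.partition("/")
    if sep and "=" not in head:  # optional server prefix, e.g. LDAP://dc01/DC=...
        dn = tail
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:].lower() for p in parts if p.upper().startswith("DC="))


def triage(log_text):
    """Return one record per failed bind found in the discovery log text."""
    findings = []
    for line in log_text.splitlines():
        m = BIND_FAIL.search(line)
        if not m:
            continue  # enumerate failures and STATMSG lines repeat the same path
        code = EXT_CODE.search(line)
        findings.append({
            "path": m.group(1),
            "dn_domain": dn_to_dns(m.group(1)),
            "error": m.group(2).strip(),
            "code": int(code.group(1), 16) if code else None,
            "referrals": REFERRAL.findall(line),
        })
    return findings


def is_referral(finding):
    """True when the bind failed with a referral rather than another error."""
    return finding["code"] == ERROR_DS_REFERRAL
```
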



