Domain is not discovered in untrusted forest

I have the following Setup.
Domain A in forest A. ASCCM2012 is the primary site server, with SCCM 2012 SP1 CU1 installed with MP, DP and SUP. Domain A is a 2008 R2 domain.
Domain B in forest B, with MP, DP and SUP installed on BSCCM2012. Domain B is a 2012 domain.
There is no trust between forest A and forest B. For the testing, the firewalls on the SCCM servers are disabled. There is full network connectivity between the servers. I have set up a forest discovery account, SCCMADDiscover, that is created in domain B as a normal user.
Problem.
I have set up forest discovery (and thereby forest publishing) of forest B on the primary SCCM server.
In the console, under "Active Directory Forests", it says that both the discovery and the publishing have been successful.
But when I look at the "Domains" tab for forest B it says "No Items Found".
When I look in the ADForestDisc.log file I see the following errors:
Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:20 7988 (0x1F34)
ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException. Discovery will be attempted on next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Entering function ReportForestDiscoverySuccessStatusMessage() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Raising discovery success status message for forest B, in which we discovered 1 site(s) and 0 subnet(s). SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=ASCCM2012 SITE=P01 PID=2344 TID=7988 GMTDATE=to maj 16 11:07:21.315 2013 ISTR0="AssensOpen.dk" ISTR1="" ISTR2="" ISTR3=""
ISTR4="0" ISTR5="1" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Trying to update forest fqdn for all site systems associated with site P01 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Trying to discover forest name for server BSCCM2012. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Failed to get the domain basic info for machine BSCCM2012. Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Trying to discover forest name for server BSCCM2012 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
Failed to get the domain basic info for machine BSCCM2012 Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
As can be seen in the log file, it fails to get the forest name and domain name for the server BSCCM2012 in the untrusted domain. It gets an error 5, which I assume is Access Denied.
I have tried to give the SCCMADDiscover account domain and enterprise admin rights, but that did not help. I have also tried to add SCCMADDiscover to the local admin group on the BSCCM2012 server, but that didn't help either.
It also seems that the data is not saved correctly.
ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException
Where is it that the SCCMADDiscover account has insufficient rights?
Thomas Forsmark Soerensen
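A diagnostic, run on the primary site server with the discovery account, that checks the three things the forest discovery above depends on: SRV resolution for the untrusted forest, a credentialed bind that enumerates its domains and sites (what forest discovery populates the "Domains" tab from), and domain information on the remote site system (the step that returned error 5 in ADForestDisc.log). This is an added example, not code from the thread or from Configuration Manager; the forest name forestb.example, the NetBIOS domain name FORESTB, and the use of a remote WMI query as a stand-in for the discovery manager's domain-info call are assumptions, and Resolve-DnsName and Test-NetConnection need Windows Server 2012 or later (use nslookup on 2008 R2).

```powershell
param(
    [string]$ForestFqdn    = 'forestb.example',        # assumption: root domain of untrusted forest B
    [string]$SiteSystem    = 'BSCCM2012',              # site system (MP/DP/SUP) in forest B
    [string]$DiscoveryUser = 'FORESTB\SCCMADDiscover'  # discovery account, DOMAIN\user (NetBIOS name assumed)
)

# The discovery account's password is prompted for; nothing is stored in the script.
$cred    = Get-Credential -UserName $DiscoveryUser -Message 'Forest discovery account password'
$netCred = $cred.GetNetworkCredential()

# 1. Name resolution. With no trust, the site server can only locate DCs of forest B through
#    DNS SRV records (same query as "nslookup -type=SRV _ldap._tcp.dc._msdcs.<forest>").
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestFqdn" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
foreach ($rec in $srv) {
    # Each DC the record points at must also accept TCP on the LDAP port it advertises.
    $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port -WarningAction SilentlyContinue
    '{0}:{1} LDAP reachable={2}' -f $rec.NameTarget, $rec.Port, $tcp.TcpTestSucceeded
}

# 2. Credentialed forest bind. Forest discovery enumerates the domains and sites of forest B;
#    "No Items Found" under Domains means this enumeration produced nothing for the stored account.
Add-Type -AssemblyName System.DirectoryServices
try {
    $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $ForestFqdn, $cred.UserName, $netCred.Password)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    'Forest  : {0}' -f $forest.Name
    'Domains : {0}' -f (($forest.Domains | ForEach-Object { $_.Name }) -join ', ')
    'Sites   : {0}' -f (($forest.Sites   | ForEach-Object { $_.Name }) -join ', ')
}
catch {
    # An ActiveDirectoryOperationException or bad credentials surface here, as in ADForestDisc.log.
    'Forest bind failed: {0}' -f $_.Exception.Message
}

# 3. Domain info of the site system, the step logged as "Failed to get the domain basic info
#    for machine BSCCM2012. Error returned is: 5". Assumption: a remote WMI query with the same
#    account stands in for the RPC call the discovery manager makes. "Access denied" here points
#    at rights on the server itself (remote logon, DCOM), not at directory permissions.
try {
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $SiteSystem -Credential $cred -ErrorAction Stop
    'Site system {0}: domain={1} role={2}' -f $cs.Name, $cs.Domain, $cs.DomainRole
}
catch {
    'Domain info query failed for {0}: {1}' -f $SiteSystem, $_.Exception.Message
}
```

If step 1 succeeds but step 2 or 3 fails with an access-denied or operation exception, the failing step tells you whether to look at the account's directory rights or at its rights on the site system itself.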

Thanks for letting me know. This means that this is not the root cause, so I can focus on other things.
There's also another problem I'm not sure is related to the forest discovery, and I wonder if it's the same for you. I will create a separate topic if it's not related, but maybe you can confirm from your side. For the computers which have been discovered in the untrusted forest, when I go to the properties of a system, the property "System OU Name" changes from time to time. When I look at the property throughout the day for different systems it's sometimes empty, sometimes shows the complete OU paths and sometimes just the single OU containers. For example, when a system is located in EU\COMPUTERS\SERVERS, sometimes the whole path is shown (like for all systems in the trusted forest) and sometimes it just shows "EU";"COMPUTERS";"SERVERS", or it's just empty.
All for the same system at different times throughout the day. It's like it's not able to grab the complete OU paths. I have no error in the AD System Discovery log, so I wonder if this is related to the forest discovery too.
This makes it impossible to build collections based on System OUs, so I am using the DN currently (which is populated properly).

Similar Messages

  • Deploying SCOM 2012 Agents to untrusted Forests/Domain

    Can we deploy SCOM 2012 agents to an untrusted forest/domain? I don't want to use SCCM 2012 for installing agents via package deployment. Please suggest.
    Regards,
    Ravi

    Yes, you can deploy the SCOM agent to an untrusted domain manually, using a certificate.
    For deploying the SCOM agent, you can refer to the links below:
    http://www.toolzz.com/?p=279
    http://jimmoldenhauer.blogspot.com/2012/11/scom-2012-deploying-agents-to-untrusted.html
    Mai Ali

  • PeoplePicker-SearchADForests not limiting to specified forest domains

    We have a SharePoint 2010 farm and we have 3 forests with a few domains in each. Initially, we had PeoplePicker-SearchADForests setting set as below.
    <Property Exist="Yes" Value="forest:compX.com;forest:compY.com;forest:compZ.local" />
    We want to limit users search to certain domains in 2 of the 3 forests, so we set it as below for all the web applications.
    <Property Exist="Yes" Value="domain:domain1.compY.com;domain:domain2.compZ.local" />
    The problem is that when I go to the People Picker and search for users, it still returns users from the 3rd forest, compX.com, if I enter the domain name and click the Search button. Actually, I can get all users from all forests as if the setting doesn't work at all.
    Any idea why this happens?

    Hi,
    According to your description, my understanding is that you want to limit the people picker to search specified domains.
    Which command did you use to set the limitation on people picker?
    I recommend using the command below (for example) to restrict the people picker to specific domains and seeing whether the issue still occurs:
    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:aaa.com;domain:bbb.com;domain:ccc.com;domain:ddd.com" -url http://webappurl
    More references:
    http://blogs.msdn.com/b/svarukala/archive/2014/03/26/issue-with-peoplepicker-searchadforests-stsadm.aspx
    http://blog.ithinksharepoint.com/2008/10/30/restricting-the-people-picker-to-searching-one-domain/
    http://technet.microsoft.com/en-us/library/cc263460(v=office.12).aspx
    Thanks,
    Victoria
    Forum Support
    Victoria Xia
    TechNet Community Support

  • Managing untrusted forest

    Hi All,
    We actually have the following configuration with SCCM 2012 R2 CU4:
    Same Forest, same Domain (2 x 2 DCs + AD DNS)
     + Primary Site Server with 300 clients  (MP,DP,SUP,SDB,SS,FSP,RSP)
     + Secondary site Server with 300 clients  (MP,DP,SUP,SDB,SS)
    distinct Untrusted Forest (2 DC + AD DNS)
     + 15 clients
    What's the best configuration to manage the untrusted forest? I already checked the following link (http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx)
    What are the communication port requirements? clients + site system <-> primary site
    Can we prevent the untrusted clients from accessing the primary/secondary site servers?
    We plan to add a site system to the primary site in the remote untrusted forest (with MP, DP, SUP roles)
    (afaik a secondary site needs trusts, which is not permitted)
    We need the Inventory, Software Distribution and Windows Updates features in the untrusted forest
    Link between primary and secondary site is ~16Mb/s
    Link between primary and untrusted forest is about ~16Mb/s
    Link between secondary site and untrusted forest is about ~1Gb/s
    Thanks a lot !

    The ports used by ConfigMgr are well explained here:
    https://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_CommunicationPorts
    In addition, be aware that for discovering computers in untrusted forest you need to open port 53 (DNS) between the SCCM server and remote DC (in untrusted forest) OR create a secondary DNS zone for the untrusted forest in your DNS.

  • Untrusted Forest Discovery

    Hi all,
    I installed SCCM 2012 R2 in one domain and all seems to be functioning well. We have a second, untrusted domain which I need to deploy a DP and MP into. In order to do this I first need to use the Add Forest feature to discover the untrusted domain and all the machines which lurk therein. To this end, I have created a new discovery account (SCCM2012discovery) in the untrusted domain.
    Are there any particular rights the new account needs in the untrusted domain? Since all Domain Users can 'Read' Active Directory I'm presuming not.
    Second, is there a particular log file I can view to watch the discovery process ticking over?

    To Narcoticoo:
    So, nslookup from the SCCM 2012 server resolves both the domain.local and domaincontroller.domain.local names. However, when I try changing the LDAP path as you suggested I get a "Configuration Manager cannot connect to the Active Directory container you specified... The server is not operational". If I revert to just using LDAP://DC=domain,DC=local then the connection verifies successfully. Not sure whether this is expected behaviour or not?
    To Torsten:
    So I re-ran a Full Forest Discovery and opened up adforestdisc.log to see what was going on. Had multiple entries for the various subnets of the untrusted domain which read as follows:
    ERROR: [ForestDiscoveryAgent]: Discovered subnet (subnet) in AD site Kew-Untrusted in forest web.local was not saved in the database. Return value was -1. Discovery will be attempted on the next cycle.
    and then once they had all been listed, this popped up:
    ERROR: [ForestDiscoveryAgent]: Failed to get trust relationships of forest domain.local due to ActiveDirectoryOperationException. Discovery will be attempted on next cycle.
    In spite of this ominous sounding error all the subnets have appeared in SCCM's 'Boundaries' list.
    I then re-ran the Full System Discovery and, once again, encountered this in adsysdis.log
    ERROR: Failed to read account (domain\sccmaccount) from site control file (0x87D20702)
    ERROR: Failed to enumerate directory objects in AD container
    LDAP://DC=domain,DC=local
    Sort of feel like I may have missed something obvious here. Can anyone shed any light on why the system discovery process might be having trouble reading the account info from the site control file?
    Thanks to both of you for taking the time to help me out!

  • Untrusted Forest Discovery failed

    I'm having an issue with a remote untrusted forest. Forest discovery fails, but I can publish site server information to this forest.
    ERROR: [ForestDiscoveryAgent]: Failed to connect to forest domain.com. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.
    Entering function ReportForestConnectionFailureStatusMessage()
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2
    I have configured conditional forwarders between the forests and name resolution works. There shouldn't be any firewall issues either, and I tested the SRV records via nslookup with this method:
    Type nslookup, and then press ENTER.
    Type set type=all, and then press ENTER.
    Type _ldap._tcp.dc._msdcs.Domain_Name, where Domain_Name is the name of your domain, and then press ENTER.
    nslookup lists the correct domain controllers from the remote forest.
    Any ideas what could be causing this? I think it's AD related problem.

    LDAP://DCNAME.domain.com/OU=Computers,DC=domain,DC=com
    I tested this last week and it works. Now I can discover computer objects from the untrusted forest. There must be something wrong with the AD/DNS infrastructure, because normally you don't need to specify the domain controller directly; it should find it with an SRV lookup.

  • User-based deployment to untrusted forest

    Case:
    Domain A has ConfigMgr 2012 server with all roles (MP, DP, SUP...)
    Domain B is untrusted and hasn't got any ConfigMgr site server roles installed
    ConfigMgr site has been introduced to Domain B also, so all the resources can be discovered (systems, users)
    I can deploy software to systems in the untrusted forest
    I cannot deploy software to users in the untrusted forest
    Is this normal behavior? Do I need an MP in the untrusted forest so that I can get my user deployments working? When I deploy software to users in the untrusted domain, they don't even show up in AppDiscovery.log, and the deployment status in the console doesn't show the device for the user.

    See the Support for users in untrusted forests section at http://blogs.technet.com/b/configmgrteam/archive/2012/07/05/tips-and-tricks-for-deploying-the-application-catalog-in-system-center-2012-configuration-manager.aspx
    Jason | http://blog.configmgrftw.com

  • Software Updates in an Untrusted Forest

    Hi all,
    I've built an SCCM 2012 R2 site with 2 forests involved. They are UNTRUSTED.
    Forest 1 contains a primary site with SQL and a secondary distribution point across the WAN. This all worked great for applications and Windows updates.
    The second, untrusted forest has 1 site server with a management point, fallback status point, distribution point and default roles. For some reason I can't get a client in the untrusted forest to get the software update packages I create.
    I have deployed them to all distribution points, and the clients in the untrusted forest (manually installed) have shown up in SCCM and are in the correct test collection.
    Boundary groups have been set up with boundaries on IP subnets.
    Are there any specific logs I can check? Does a software update point need adding to the untrusted forest site system?
    A firewall blocks communication between the forests, so I have created site server to site server rules, but untrusted forest clients don't have access back to the primary site server.
    If I could just get software updates working I'd be complete!! Any help would be great!!

    Thanks for the help troubleshooting,
    This is now resolved.
    For info, the clients in the untrusted forest need to be able to access the WSUS website. As I have a locked-down firewall between my forests, I added an Any rule to SCCM WSUS on port 8530 and tested in IE. The page comes up as access denied, but it proves the connection.
    Software deployment and WSUS on an untrusted domain without any AD connection, DNS or WINS requires a manual (or scripted) install of the clients specifying the SMSLP, SMSSITECODE, SMSMP and SMSFSP for that forest. All these roles are required to be installed on the site server for that untrusted forest when adding it into SCCM if you don't have access to the forest's AD or DNS.
    The only connection clients seem to need back to the primary site is the WSUS website for syncing. Packages are still distributed to the servers in the untrusted forest.
    As I have been using a firewall between the sites, I allowed the site servers communication over the following ports:
    80, 443, 445, 135, 1027, 49152-65535
    Note: without the RPC dynamic port range I got errors in the SCCM distribution logs.
    Site servers to SQL was standard: 1433, 4022.

  • Problem installing SCCM client in remote untrusted forest

    Hi,
    My configuration is :
    My network is in two parts: an intranet and a DMZ. In the DMZ there is another forest and domain. There is no trust between the forest in the DMZ and the internal network. I configured the remote forest in SCCM with a user account that has Domain Admin access in the DMZ forest/domain.
    The primary site server is located in the internal part of my network. SQL is installed on a remote server. The management point, distribution point and fallback status point roles are installed on the primary site server. The SMS Provider is installed on the primary site server.
    In the DMZ part, I have a management point, distribution point installed on one server.
    The forest discovery works fine. I can query AD in the remote forest (DMZ).
    I have a problem installing the SCCM client on computers located in the remote forest with client push or with the command line.
    CCMSETUP.EXE /MP:DMZ site server /DP:DMZ site server /FSP: primary site server SMSSITECODE:SIT
    In CCMSetup.log I can see that the client try to communicate with my DMZ site server but it reverts to the management point and distribution point located in the internal part of the network. The installation fails and will try in 10 minutes.
    Has anyone seen this problem before? Am I missing something? Could it be a configuration issue?
    Could you help me with this please?
    Thanks in advance for your time!
    Jacques

    Does the client installation work when you install the client manually on the untrusted domain client? What does the CCM.log say on the site server?
    Have you double checked the firewall ports for the client push installation? The ports needed for the client push to work are as follows (from the site server to the client):
    SMB - TCP 445
    RPC Endpoint Mapper - TCP 135 / UDP 135
    RPC Dynamic Ports
    And to Management Point:
    HTTP - TCP 80 (When using HTTP)
    HTTPS - TCP 443 (When using HTTPS)
    Also a quote from TechNet: "In addition to the ports listed in the following table, client push installation also uses Internet Control Message Protocol (ICMP) echo request messages from the site server to the client computer to confirm whether the client computer is available on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any intervening network devices, such as firewalls, must permit ICMP traffic for client push installation to succeed."

  • MP Rotation Untrusted Forest.

    Hi, 
    I realize you cannot force a client to use a particular MP, which is creating a design problem for us.
    We have multiple DMZs in an untrusted forest.
    I am not sure how to get around this problem.
    The clients cannot communicate with an MP outside of that DMZ.
    If I have 20 DMZs, and an MP in each, will this not create an MP rotation issue at some point?
    I came across this posting by Anoop; is this the only workaround?
    http://anoopcnair.com/2014/04/11/workaround-sccm-2012-clients-mp-selection-rotation-issue-untrusted-dmz-forests/
    Appreciate any suggestions.

    Is there a single, shared forest (or domain) for all DMZs, or separate forests (or domains) for each DMZ?
    The workaround described in that blog post is for the perception of a bug, not for providing for MP selection.
    Yes, MP rotation could cause an issue -- 20 MPs aren't supported within a single primary site either so you are also running into a support limitation.
    Depending upon your answer to the forest question, LocationAware is probably the only answer today (without doing something crazy like using multiple primary sites).
    Reverse proxy is another possible solution. This would enable a single MP (or sets of central MPs) to be accessed in a protected manner.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Untrusted Forest

    Hi
    I have a forest (Internal) and I have another forest (External).
    SCCM 2012 R2 and SQL 2012 are installed in the "internal" forest. I would like to add a new forest (external) to my SCCM setup which is "untrusted". The two forests are not trusted across domains or forests (internal and external).
    Currently, I have clients in a workgroup capable of communicating with the "external" forest.
    My question:
    1- Is it possible to install an MP and DP in the external forest? Because I have clients within a workgroup that I would like to manage through that MP and DP.
    If so, HOW TO PLEASE!?
    Thanks

    Yes this is possible.
    Take a look at the following blog entries, which explain the process:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx
    http://blogs.technet.com/b/neilp/archive/2012/08/24/cross-forest-support-in-configmgr-2012-part-3-deploying-site-server-site-systems-in-an-untrusted-forest.aspx
    Cheers
    Paul | sccmentor.wordpress.com

  • Untrusted forest with duplicate AD site names

    Can anyone speculate on the behavior when enabling Forest discovery of an untrusted forest that has AD sites with the same names as what are in the installed forest (The forest where Config Mgr lives)?
    My concern is that the currently discovered boundaries (AD Site boundaries) already exist with the Site names so there may be some kind of conflict when Config Mgr tries to create AD Site boundaries based on the untrusted forest's duplicate named AD sites.

    There will be a conflict, but not with Forest discovery per se. I don't think it will really care. The conflict will come when clients actually use the boundaries for content lookup.
    Do the like-named sites represent the same locations in the enterprise? If so, then this should be a non-issue. If not, then you'll have to switch to another boundary type or get the AD folks to rename their sites -- it would be kind of dumb to name two different locations the same thing though, so I suspect the former is the case.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCCM Console, untrusted forest

    Hi,
    I have a site system server with MP and DP in an untrusted forest. Is it possible to install the SCCM console on it and connect back to the primary server?
    I have checked all ports that are in the documentation https://technet.microsoft.com/en-us/library/hh427328.aspx regarding "Configuration Manager Console", but I still cannot run the console. I have tried opening the SCCM console with RunAs and an account in the primary server's forest.
    Do the MP and DP need to have firewall ports open to the primary server's forest domain controllers in order to authenticate?
    In that case, what ports are needed?
    /A

    Hi Peter,
    We want to have a console on each untrusted forest site system server to be able to manage the computers in the untrusted forest with Right-Click Tools and Remote Control. Because the untrusted site system server is on the network already, many firewall ports are already allowed. We don't want to do it through the primary because of the difficulty of opening all the firewall ports that are needed for remote tools.
    Does that make sense?

  • "following domains are not available" error - functionally trusted domains but with same NETBIOS dc computernames giving problems.

    For SCOM monitoring and user permissions I am trying to add the Action Account from the HQ.local domain to some other domains like DOMAIN1.local, TEST1.local and TEST2.local.
    (A trust exists between those domains and HQ.local, and DNS conditional forwarders are configured to correctly resolve the FQDN DNS names.)
    The problem is, when adding a user from the HQ.local domain to the Active Directory of the DCs SRVPDC01.DOMAIN1.local or SRVPDC01.TEST1.local, I get an error:
    "The Active Directory Domain Controllers Required to find the selected objects in the following domains are not available:
    HQ.local
    Ensure the Active Directory Domain Controllers are available, and try to select the objects again."
    But when I try to do the same thing, i.e. add user1 from HQ.local to the AD on TESTDC01.TEST2.local... no error!
    The other way around, like adding users from DOMAIN1.local, TEST1.local or TEST2.local to the DC01.HQ.local Active Directory... also no error!
    To make things even more strange, when I validate the trust with HQ.local and then try to add user1.HQ.local -> no problem, but only for about 1 minute. After that it doesn't recognize user1.HQ.local and only displays some CN=S-1-5... ID of the user. Also, when trying to add a new user, I receive the error again.
    My guess is that the problem has something to do with the same NETBIOS names of the DCs (servers 3 and 4), because authenticating users from HQ.local and TEST2.local doesn't give me errors, and all other domains which have the same DC names are giving errors.
    (For testing purposes I set up TESTDC01.TEST2.local with a different DC server name to see if the error persists, and it didn't.)
    Overview of the servers and situation:
    - Servers 3, 4 and 5 are all on separate VLANs and have no connectivity among each other. But they do have connectivity to the internet, the HQ.local domain and its servers DC01 and DC02.
    - Same firewall settings for each VLAN.
    - Servers 4 and 5 were even put on the same VLAN for testing purposes, just to make sure the firewall is not the problem.
    Server no.  DC FQDN name             Domain DNS name
    1           DC01.HQ.local            HQ.local
    2           DC02.HQ.local            HQ.local (secondary DNS)
    3           SRVPDC01.DOMAIN1.local   DOMAIN1.local
    4           SRVPDC01.TEST1.local     TEST1.local
    5           TESTDC01.TEST2.local     TEST2.local
    Two-way forest trusts are configured without any problems, but here's an overview of when the error occurs.
    On SRVPDC01.DOMAIN1.local -> adding user1.HQ.local to the AD = error
    On DC01.HQ.local -> adding user1.DOMAIN1.local to the AD = no problem.
    On SRVPDC01.TEST1.local -> adding user1.HQ.local to the AD = error
    On DC01.HQ.local -> adding user1.TEST1.local to the AD = no problem.
    On TESTDC01.TEST2.local -> adding user1.HQ.local to the AD = no problem.
    On DC01.HQ.local -> adding user1.TEST2.local to the AD = no problem.
    What are my options to fix this? There must be more possibilities than renaming the DC names.
    And why does the problem only occur when adding users in a foreign domain from HQ.local and not in HQ.local from a foreign domain? Because that's the only thing I really need: users from HQ.local having permissions in groups of the other domains... :(
    Any advice or help would be much appreciated. I've been struggling with this for a while now and I'm pretty much out of ideas.

    Hi aperelli,
    On srvpdc01.DOMAIN1.local
    nslookup
    set type=all
     _ldap._tcp.dc._msdcs.hq.local
    Result:
    C:\Windows\system32>nslookup
    DNS request timed out.
        timeout was 2 seconds.
    Default Server:  UnKnown
    Address:  ::1
    > set type=all
    > _ldap._TCP.DC._msdcs.HQ.local
    Server:  UnKnown
    Address:  ::1
    Non-authoritative answer:
    _ldap._TCP.DC._msdcs.HQ.local  SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc01.hq.local
    _ldap._TCP.DC._msdcs.HQ.local  SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc02.hq.local
    dc01.hq.local  internet address = 192.168.1.200
    dc02.hq.local  internet address = 192.168.1.201
    =======================
    On srvpdc01.TEST1.local
    nslookup
    set type=all
     _ldap._tcp.dc._msdcs.hq.local
    Result:
    C:\Windows\system32>nslookup
    DNS request timed out.
        timeout was 2 seconds.
    Default Server:  UnKnown
    Address:  ::1
    > set type=all
    > _ldap._TCP.DC._msdcs.HQ.local
    Server:  UnKnown
    Address:  ::1
    Non-authoritative answer:
    _ldap._TCP.DC._msdcs.HQ.local  SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc01.hq.local
    _ldap._TCP.DC._msdcs.HQ.local  SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc02.hq.local
    dc01.hq.local  internet address = 192.168.1.200
    dc02.hq.local  internet address = 192.168.1.201
    =======================
    On DC01.HQ.local
    nslookup
    set type=all
     _ldap._tcp.dc._msdcs.domain1.local
    Result:
    C:\Windows\system32>nslookup
    Default Server:  dc01.hq.local
    Address:  192.168.1.200
    > set type=all
    > _ldap._tcp.dc._msdcs.domain1.local
    Server:  dc01.hq.local
    Address:  192.168.1.200
    Non-authoritative answer:
    _ldap._tcp.dc._msdcs.domain1.local      SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = srvpdc01.domain1.local
    srvpdc01.domain1.local     internet address = 10.0.113.150
    =======================
    I have tested ports 3268 and 3269 with Port Query UI and the ports are listening on all DC servers.

  • Question on Untrusted Forest and Roles Required.

    Hi, I need some help understanding untrusted forests and system roles.
    All my untrusted forests are well connected to each other; they are all in the same data-center for that matter.
    Is at least 1 site system role (MP?) required in an untrusted forest to manage the clients in each untrusted forest from the primary?
    I read this blog here:
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/
    But one of the readers posted at the bottom of the blog that it is not supported, referencing TechNet.

    More info:
    Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation
    http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx 
