vanderaatje

Adding untrusted forest/domain not working
I hope someone can help me.

I followed the following documentation:

http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx

I have extended the schema.
I have created the System Management container in ADSI Edit.

I gave Full Control on the System Management container to the server name of the system that I want to use as DP/MP.

On the untrusted domain I have opened the ports for LDAP and DNS on the firewall.

In the SCCM console I do Add Forest:

Domain suffix: I fill in the name / external IP
Tick Discover sites ...
and select a specific account (domain admin account of the untrusted domain)

On the Publishing tab, tick My Site P01.

I see the site information in the untrusted domain in the System Management container.

I can browse the domain with an LDAP tool.

When I use the same information in SCCM I see "Failed to connect using specified account" at Discovery Status.

Publishing status is saying "Succeeded".

In adsysdis.log I see:

ERROR: Failed to bind to 'LDAP://DC=BLABLA,DC=LOCAL' (0x8007054B)



Can't get it to work, maybe I forgot something.

This is the information that I have for the untrusted domain:

the domain suffix: domain2.local
an external IP
I tried creating an external DNS record to the server sccm.domain.nl

I used the domain2\admin account to connect to the forest.
I opened port 389 TCP/UDP on the firewall (router).
For testing I disabled the Windows firewalls on the trusted domain and the untrusted domain.

I created the System Management container in ADSI Edit.
I ran the extend schema successfully.

I delegated Full Control on the System Management container.

When I do Add Forest I use the following information:

domain suffix = domain2.local

selected Discover sites and subnets
AD forest account = domain2\administrator

On the Publishing tab
I selected my site P01.

At "Specify a domain or server" I have added my external IP address.

When I click OK, after a few seconds I see at publishing status: succeeded (and I see that there are files and folders created in the System Management container in the untrusted domain).

But after a few minutes the Discovery status is showing:

Failed to connect using specified account

I also tried to add the untrusted domain in my DNS; this is working, I see all the DNS records of the untrusted domain, but I still receive "Failed to connect using specified account".

The untrusted domain is a Windows 2012 domain controller (with Windows 2012 functional level).

Am I missing a firewall port or something??? I really have no idea how to fix this.

In ADForestDisc.log I see:

ERROR: [ForestDiscoveryAgent]: Failed to connect to forest domain2.local. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.



I configured conditional forwarders in DNS on both domains. I can ping from all systems and see the internal IP of the systems in the untrusted domain.

I extended the schema in both domains/forests.

I created the System Management container and delegated Full Control rights to the user account I use in the Add Forest options.

When I add the external IP of the server in "Specify a domain or server" then I get a success at publishing status.

If I try it without the external IP I receive the error "Cannot connect to the LDAP server".

In all documents and web pages I read that it shouldn't be necessary to use the option "Specify a domain or server".

Windows Firewall on all systems is off for testing.

On the router firewalls I opened all the ports I could find about connections for SCCM.

Hope someone can help me!


Hi Peter,

Thanks for the reply.

I'm still wondering how you did it.

I have managed to get it working for a customer, but that site is set up with VPN tunnels.

What I have:

I have 2 domains with an external IP; the only connection between each other is the internet connection at this moment.

How can I manage the untrusted domain from the primary site?

What ports do I have to open (on server and router)?

And what option do you use for DNS to resolve the names from the other location, Conditional Forwarder or other options?

Hope you can let me know how you did it.

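The thread shows two different checks failing: adsysdis.log reports bind error 0x8007054B, and ADForestDisc.log reports that the forest domain2.local cannot be contacted, while publishing to an explicit IP under "Specify a domain or server" succeeds. The script below is an added diagnostic written for this thread; it is not part of the original posts or of Configuration Manager. Run it on the site server, as the account that the site server uses, and it reproduces the pieces forest discovery needs when it goes by forest name rather than by an address: it decodes the HRESULT, looks up the DC locator SRV records that a conditional forwarder for domain2.local must answer, tests the LDAP and global catalog ports on the DCs it finds, and then binds to each DC with the AD Forest Account and reads rootDSE. The forest name domain2.local, the account domain2\administrator and the optional explicit server are assumptions taken from the posts; change them for your environment.

```powershell
# Added diagnostic for this thread; not part of the original posts or of Configuration Manager.
# Assumed values (from the posts, replace with your own): forest domain2.local,
# account domain2\administrator and, optionally, one DC name or IP to test directly,
# i.e. what was typed under "Specify a domain or server".
param(
    [string]       $Forest     = 'domain2.local',
    [string]       $Server     = '',   # optional: DC host name or IP; empty = use DNS SRV lookup
    [pscredential] $Credential = (Get-Credential -Message 'AD Forest Account' -UserName 'domain2\administrator')
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Decode the HRESULT seen in adsysdis.log. 0x8007054B wraps Win32 error 0x054B = 1355
# (ERROR_NO_SUCH_DOMAIN): the site server could not find a DC for the naming context it tried to bind to.
function Get-Win32Message {
    param([long]$HResult)
    $code = $HResult -band 0xFFFF
    '{0} (Win32 error {1})' -f (New-Object ComponentModel.Win32Exception([int]$code)).Message, $code
}
Write-Host ('adsysdis.log 0x8007054B = ' + (Get-Win32Message 0x8007054B))

# 1. DC locator: discovery by forest name needs the SRV records for domain2.local's DCs to be
#    resolvable from the site server, which is what a conditional forwarder (or stub zone) provides.
$srvName = "_ldap._tcp.dc._msdcs.$Forest"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No SRV records for $srvName from this server: a DC for $Forest cannot be located by name."
} else {
    $srv | ForEach-Object { Write-Host ('SRV {0} -> {1}:{2}' -f $srvName, $_.NameTarget, $_.Port) }
}

# Targets: the explicit server if one was given, otherwise every DC the SRV records name.
$targets = if ($Server) { @($Server) } else { @($srv | ForEach-Object NameTarget | Sort-Object -Unique) }

# 2. TCP reachability of the ports an LDAP/GC bind uses (389/636 LDAP, 3268/3269 global catalog,
#    88 Kerberos). The DC locator's LDAP ping uses UDP 389, which a TcpClient cannot test;
#    check that separately with: nltest /dsgetdc:$Forest /force
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 3. Bind with the AD Forest Account (Negotiate falls back to NTLM, since there is no trust and
#    no Kerberos realm for domain2.local from this side) and read rootDSE, which reports the
#    naming context that adsysdis.log shows as 'LDAP://DC=...,DC=...'.
function Test-LdapBind {
    param([string]$ComputerName, [int]$Port, [pscredential]$Credential)
    $id   = New-Object DirectoryServices.Protocols.LdapDirectoryIdentifier($ComputerName, $Port)
    $conn = New-Object DirectoryServices.Protocols.LdapConnection($id, $Credential.GetNetworkCredential(), 'Negotiate')
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = New-TimeSpan -Seconds 10
    try {
        $conn.Bind()
        $req = New-Object DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base',
                   @('defaultNamingContext', 'dnsHostName'))
        $entry = $conn.SendRequest($req).Entries[0]
        [pscustomobject]@{
            Server      = $ComputerName; Port = $Port; Bind = 'OK'
            DnsHostName = $entry.Attributes['dnsHostName'].GetValues([string])[0]
            DefaultNC   = $entry.Attributes['defaultNamingContext'].GetValues([string])[0]
        }
    } catch {
        [pscustomobject]@{ Server = $ComputerName; Port = $Port; Bind = "FAILED: $($_.Exception.Message)"
                           DnsHostName = ''; DefaultNC = '' }
    } finally { $conn.Dispose() }
}

foreach ($t in $targets) {
    foreach ($p in 88, 389, 636, 3268, 3269) {
        $state = if (Test-TcpPort -ComputerName $t -Port $p) { 'open' } else { 'closed/filtered' }
        Write-Host ('{0}:{1} TCP {2}' -f $t, $p, $state)
    }
    Test-LdapBind -ComputerName $t -Port 389  -Credential $Credential
    Test-LdapBind -ComputerName $t -Port 3268 -Credential $Credential
}
```

Run it twice: once with -Server set to the address that works for publishing, and once without it so the DCs come from the SRV lookup. If the bind to the explicit address succeeds but the SRV lookup returns nothing, or the SRV records point at internal names or addresses that are not reachable across the router, that matches what the thread shows: publishing to a given address works while discovery, which has to locate the forest by name, does not. The conditional forwarder must then hand the site server records it can actually reach, and UDP 389 and Kerberos/LDAP/GC TCP ports must be open towards those DCs on the router.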