

Adding untrusted forest/domain not working


I hope someone can help me.

I followed the following documentation:

I have extended the schema.
I have created the System Management folder in ADSI Edit.
I gave full control on the System Management folder to the server name of the system that I want to use as DP/MP.

On the untrusted domain I have opened the firewall ports for LDAP and DNS.

In the SCCM console I do Add Forest:

Domain suffix: I fill in the name / external IP
Tick Discover sites ......
and select a specific account (domain admin account of the untrusted domain)

At the publishing tab, tick My Site P01.

I see the site information in the untrusted domain in the System Management folder.

I can browse the domain with an LDAP tool.

When I use the same information in SCCM I see "Failed to connect using specified account" at Discovery Status.

Publishing status is saying "Succeeded".

In the adsysdis.log I see:

ERROR: Failed to bind to 'LDAP://DC=BLABLA,DC=LOCAL' (0x8007054B)







Can't get it to work, maybe I forgot something.

This is the information that I have for the untrusted domain:

the domain suffix: domain2.local
an external IP
I tried creating an external DNS record to the server sccm.domain.nl

I used the domain2\admin account to connect to the forest.
I opened port 389 TCP/UDP on the firewall (router).
For testing I disabled the Windows firewalls on the trusted domain and the untrusted domain.

I created the System Management folder in ADSI Edit.
I ran the extend schema successfully.

I delegated full control on the System Management folder.

When I do Add Forest I use the following information:

domain suffix = domain2.local

selected Discover sites and subnets
AD forest account = domain2\administrator

On the publishing tab
I selected my site P01

At "Specify a domain or server" I have added my external IP address.

When I click OK, after a few seconds I see at publishing status: succeeded (and I see that there are files and folders created in the System Management folder in the untrusted domain).

But after a few minutes the Discovery status is showing:

Failed to connect using specified account

I also tried to add the untrusted domain in my DNS. This is working, I see all the DNS records of the untrusted domain, but I still receive "Failed to connect using specified account".

The untrusted domain is a Windows 2012 domain controller (with Windows 2012 level).

Am I missing a firewall port or something??? I really have no idea how to fix this.

In Adforestdisc.log I see:

ERROR: [ForestDiscoveryAgent]: Failed to connect to forest domain2.local. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.





I configured conditional forwarders in DNS on both domains. I can ping from all systems and see the internal IP of the systems in the untrusted domain.

I extended the schema in both domains/forests.

I created the System Management folder and delegated full control rights to the user account I use in the Add Forest options.

When I add the external IP of the server in "Specify a domain or server" then I get a success at publishing status.

If I try it without the external IP I receive the error "Cannot connect to the LDAP server".

In all documents and web pages I read that it shouldn't be necessary to use the option "Specify a domain or server".

Windows firewall on all systems is off for testing.

On the router firewalls I opened all the ports I could find about connections for SCCM.

Hope someone can help me!
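The posts above are juggling three separate things at once: DNS resolution of the untrusted forest, port reachability through the router, and whether the discovery account can actually bind. The pattern they describe (publishing succeeds when a server is named, discovery fails with 0x8007054B when it is not) points at the difference between a server-qualified LDAP bind and a serverless one: a serverless bind to LDAP://DC=domain2,DC=local goes through the DC locator, which depends on the forest's DNS SRV records, and 0x8007054B is ERROR_NO_SUCH_DOMAIN, the locator's "cannot find a DC for that domain" result. The following PowerShell script is an added diagnostic written for this thread; it is not from the original posts, from Microsoft, or from Configuration Manager. The DC name dc01.domain2.local, the account DOMAIN2\svc-sccm-forest and the port list are placeholders and typical values, not something the thread states; replace them with your own. It needs Windows 8.1 / Server 2012 R2 or later for Test-NetConnection.

```powershell
# Added diagnostic for the symptoms in this thread; not part of the original
# posts or of Configuration Manager. Placeholder values (forest suffix, DC
# name, account, port list) must be replaced with your own.

function Test-ForestDiscoveryPrereqs {
    param(
        [string]$ForestSuffix = 'domain2.local',            # forest DNS suffix used in the thread
        [string]$DcHost       = 'dc01.domain2.local',       # hypothetical DC; use a real DC FQDN
        [string]$UserName     = 'DOMAIN2\svc-sccm-forest',  # hypothetical discovery account
        [int[]] $Ports        = @(53, 88, 389, 636, 3268)   # DNS, Kerberos, LDAP, LDAPS, GC (typical; adjust)
    )

    $report = [ordered]@{}

    # 1. DNS: a serverless bind (LDAP://DC=...,DC=...) is resolved by the DC
    #    locator, which needs the forest's SRV records, not just an A record or
    #    an external IP. Missing SRV answers here line up with 0x8007054B
    #    (ERROR_NO_SUCH_DOMAIN) in adsysdis.log.
    $report.DnsA     = @(Resolve-DnsName -Name $ForestSuffix -Type A -ErrorAction SilentlyContinue).Count -gt 0
    $report.DnsSrvDc = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestSuffix" -Type SRV -ErrorAction SilentlyContinue).Count -gt 0
    $report.DnsSrvGc = @(Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$ForestSuffix" -Type SRV -ErrorAction SilentlyContinue).Count -gt 0

    # 2. TCP reachability of the DC on the ports AD/LDAP traffic needs through
    #    the router or firewall between the two sites.
    foreach ($p in $Ports) {
        $tnc = Test-NetConnection -ComputerName $DcHost -Port $p -WarningAction SilentlyContinue
        $report["Tcp$p"] = $tnc.TcpTestSucceeded
    }

    # 3. LDAP bind with the discovery account: first against the named DC
    #    (the path "Specify a domain or server" takes for publishing), then
    #    serverless (the path forest discovery takes), so the two can be
    #    compared side by side.
    $cred    = Get-Credential -UserName $UserName -Message 'Forest discovery account'
    $netCred = $cred.GetNetworkCredential()
    $dn      = ($ForestSuffix -split '\.' | ForEach-Object { "DC=$_" }) -join ','

    foreach ($path in @("LDAP://$DcHost/$dn", "LDAP://$dn")) {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $cred.UserName, $netCred.Password)
        try {
            $entry.RefreshCache()          # forces the bind; throws when the bind fails
            $report[$path] = 'bind ok'
        } catch {
            $report[$path] = $_.Exception.Message
        } finally {
            $entry.Dispose()
        }
    }

    [pscustomobject]$report
}

# Run from the site server, where the discovery actually executes.
Test-ForestDiscoveryPrereqs | Format-List
```

Read the output as a pair: if the server-qualified bind succeeds while the serverless bind fails and DnsSrvDc is false, the site server cannot locate a DC for the forest through DNS, which is what the conditional forwarder (or a stub zone) has to fix; if a port test is false, the router is the problem; if both binds fail with an authentication message, the account or its rights on the System Management container need attention before anything else.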


Hi Peter,

Thanks for the reply.

I'm still wondering how you did it.

I have managed to get it working for a customer, but this site is set up with VPN tunnels.

What I have:

I have 2 domains with external IPs; the only connection between each other is the internet connection at this moment.

How can I manage the untrusted domain from the primary site?

What ports do I have to open (on server and router)?

And what option do you use for DNS to resolve the names from the other location, Conditional Forwarder or other options?

Hope you can let me know how you did it.
