
Joachim83

Discovery not working for untrusted forest with Win2012 and SCCM12 SP1

Hi

 

I am trying to discover objects in an untrusted domain by following this guide: http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx

 

Forest A with the SCCM server is Windows 2012 with SCCM 2012 SP1 using SQL 2012 SP1 on a separate DB server.

Forest B is the untrusted forest with a Windows 2012 DC.

 

I am able to resolve DNS between the domains using stub zones, and when I add the untrusted forest in SCCM I get success on both discovery status and publishing status. I have also added the untrusted domain in the various discovery methods as described in the article, and when I test the connection it is successful.

However, when I run the discovery methods they all give the same error message and nothing is discovered. This is the error message from the site system status:

 

Active Directory System Discovery Agent failed to bind to container LDAP://DC=VESSEL1,DC=LOCAL. Error: E_ADS_CANT_CONVERT_DATATYPE.
Possible cause: The AD container specified earlier might be invalid now. The Domain Controller is inaccessible.
Solution: Please verify that the AD container paths specified are valid. Confirm accessibility of the site server to the Domain Controller to be queried.

 

This is from the adsysdis.log:

 

INFO: -------- Starting to process search scope (LDAP://DC=Vessel1,DC=local) -------- SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: Processing search path: 'LDAP://DC=VESSEL1,DC=LOCAL'. SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: Impersonating user [VESSEL1\ADMINISTRATOR] to discover objects. SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: Incremental synchronization requested SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: CADSource::incrementalSync returning 0x00000001 SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: New DC DNS name = 'VesselDC01.Vessel1.local' SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: New highest committed USN = '29047' SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
ERROR: Failed to read attribute 'invocationId' (0x8000500C) SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: CADSource::fullSync returning 0x8000500C SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: Reverting from impersonated user to default user. SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
ERROR: Failed to enumerate directory objects in AD container LDAP://DC=VESSEL1,DC=LOCAL SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=ShoreSCCM.vesselnet.local SITE=P01 PID=1928 TID=152 GMTDATE=Fri Mar 22 21:45:04.423 2013 ISTR0="LDAP://DC=VESSEL1,DC=LOCAL" ISTR1="E_ADS_CANT_CONVERT_DATATYPE" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: -------- Finished to process search scope (LDAP://DC=Vessel1,DC=local) -------- SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)

 

Is there some new requirement that I am missing to get untrusted forests to work with SCCM SP1 and Windows 2012?

I would appreciate it if anyone could help me with this problem. I have spent all day trying to find information on this error, but there is not much out there related to SCCM.

Edited by Joachim83


Would just like to add to this that I have a fully functional 2012 domain infrastructure up and running without any errors with forest discovery or system discovery.

 

I have no problems discovering the primary forest which SCCM is installed in, but is this an external 2012 forest you are discovering? I would be interested to know how you managed to fix that :)


Seems like the issue was not related to the 2012 Forest/domain function level. I reconfigured the servers so all domains and forests are 2008R2 function level, and this time I tried with two different untrusted forests, one 2008R2 AD server and one 2012 AD server. However, I still get the same error message when trying to discover an untrusted forest.

 

Active Directory System Discovery Agent failed to bind to container LDAP://DC=VESSEL1,DC=LOCAL. Error: E_ADS_CANT_CONVERT_DATATYPE.

 

Anyone got any more ideas what could be causing this?


I found this error in the ADForestDisc.log file. Maybe it is the root of the problem and needs to be sorted before any of the other discovery methods work.

Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)
ERROR: [ForestDiscoveryAgent]: Discovery is being aborted due to an unexpected exception. SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)
ERROR: [ForestDiscoveryAgent]: Exception is returned from System.DirectoryServices with messsage Unable to cast object of type 'System.Byte[]' to type 'System.String'.. SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)
ERROR: [ForestDiscoveryAgent]: Exception call stack is: SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)

Anyone got an idea of what can cause this error?


I finally figured out the problem and it is working now.


My setup with the various forests was installed on a 2012 Hyper-V server. Forest A and Forest B were on different virtual switches and I was using Routing and Remote Access to route between the different LANs. I followed this guide: http://blogs.technet.com/b/letsdothis/archive/2012/01/08/configuring-hyper-v-for-multiple-subnets-with-only-one-nic.aspx

Routing was working: I could resolve, ping and copy files between the servers on the different LANs, and even the connection tests were successful in SCCM, but it just wasn't working and was giving the errors I mentioned.

I moved all servers to the same virtual switch and changed their IP addresses to all be on the same subnet, THEN it finally worked! It looks like RRAS is blocking something when discovering for the first time. When I moved the Forest B server back to the other virtual switch and other subnet, there were no longer any errors when discovering. I even deleted and recreated the forest in SCCM, but there were still no errors when discovering and it is working 100%.

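An added diagnostic example, not code from this thread or from Microsoft: the adsysdis.log above shows the agent reading the highest committed USN and then failing on 'invocationId', so this PowerShell function repeats those two reads from the site server with the discovery account, exercising the LDAP path that ping, DNS and file-copy tests do not touch. The function name `Test-DiscoveryLdapRead` is hypothetical, the server name is taken from the log, and it assumes the attribute is read from the DC's NTDS Settings object, which is where Active Directory stores invocationId.

```powershell
# Added example; Test-DiscoveryLdapRead is a hypothetical helper name.
# Repeats the directory reads visible in adsysdis.log (highest committed USN,
# then invocationId) with the account the discovery agent impersonates.
function Test-DiscoveryLdapRead {
    param(
        [Parameter(Mandatory)] [string] $Server,           # DC in the untrusted forest
        [Parameter(Mandatory)] [pscredential] $Credential  # discovery account
    )
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    $result = [ordered]@{
        Server = $Server; Tcp389 = $false; HighestCommittedUSN = $null
        InvocationId = $null; Error = $null
    }

    # Step 1: plain TCP reachability of LDAP (TcpClient also works on PowerShell 3.0).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, 389); $result.Tcp389 = $tcp.Connected }
    catch { $result.Error = "TCP 389: $($_.Exception.Message)" }
    finally { $tcp.Close() }
    if (-not $result.Tcp389) { return [pscustomobject]$result }

    # Step 2: authenticated bind and the same attribute reads the log shows.
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/RootDSE", $user, $pass)
        $result.HighestCommittedUSN = $rootDse.psbase.Properties['highestCommittedUSN'].Value
        # dsServiceName is the DN of this DC's NTDS Settings object.
        $ntdsDn = $rootDse.psbase.Properties['dsServiceName'].Value
        $ntds = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/$ntdsDn", $user, $pass)
        # invocationId is an octet string: ADSI returns byte[], not a string.
        $bytes = [byte[]]$ntds.psbase.Properties['invocationId'].Value
        $result.InvocationId = (New-Object System.Guid (,$bytes)).ToString()
    } catch {
        # Report the underlying HRESULT so it can be compared with the log (e.g. 0x8000500C).
        $inner = $_.Exception.GetBaseException()
        $result.Error = '0x{0:X8}: {1}' -f $inner.HResult, $inner.Message
    }
    [pscustomobject]$result
}

# Usage, run on the site server:
# Test-DiscoveryLdapRead -Server 'VesselDC01.Vessel1.local' -Credential (Get-Credential)
```

A populated `HighestCommittedUSN` with an empty `InvocationId` and an error code reproduces the state shown in the log, independently of SCCM's own connection test.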
