Joachim83 Posted March 22, 2013 (edited)

Hi

I am trying to discover objects in an untrusted domain by following this guide: http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx

Forest A with the SCCM server is Windows 2012 with SCCM 2012 SP1 using SQL 2012 SP1 on a separate DB server. Forest B is the untrusted forest with a Windows 2012 DC.

I am able to resolve DNS between the domains using stub zones, and when I add the untrusted forest in SCCM I get success on both discovery status and publishing status. I have also added the untrusted domain in the various discovery methods as described in the article, and when I test the connection it is successful.

However, when I run the discovery methods they all give the same error message and nothing is discovered.

This is the error message from the site system status:

Active Directory System Discovery Agent failed to bind to container LDAP://DC=VESSEL1,DC=LOCAL. Error: E_ADS_CANT_CONVERT_DATATYPE.
Possible cause: The AD container specified earlier might be invalid now. The Domain Controller is inaccessible.
Solution: Please verify that the AD container paths specified are valid. Confirm accessibility of the site server to the Domain Controller to be queried.

This is from the adsysdis.log:

INFO: -------- Starting to process search scope (LDAP://DC=Vessel1,DC=local) -------- SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: Processing search path: 'LDAP://DC=VESSEL1,DC=LOCAL'. SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: Impersonating user [VESSEL1\ADMINISTRATOR] to discover objects. SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: Incremental synchronization requested SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: CADSource::incrementalSync returning 0x00000001 SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: New DC DNS name = 'VesselDC01.Vessel1.local' SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: New highest committed USN = '29047' SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
ERROR: Failed to read attribute 'invocationId' (0x8000500C) SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: CADSource::fullSync returning 0x8000500C SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: Reverting from impersonated user to default user. SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
ERROR: Failed to enumerate directory objects in AD container LDAP://DC=VESSEL1,DC=LOCAL SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=ShoreSCCM.vesselnet.local SITE=P01 PID=1928 TID=152 GMTDATE=Fri Mar 22 21:45:04.423 2013 ISTR0="LDAP://DC=VESSEL1,DC=LOCAL" ISTR1="E_ADS_CANT_CONVERT_DATATYPE" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: -------- Finished to process search scope (LDAP://DC=Vessel1,DC=local) -------- SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)

Is there some new requirement that I am missing to get untrusted forests to work with SCCM SP1 and Windows 2012?

I would appreciate it if anyone could help me with this problem. I have spent all day trying to find information on this error, but there is not much out there related to SCCM.

Edited March 23, 2013 by Joachim83
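Added example, not part of the original posts: a small Python triage of adsysdis.log records in the copied-out form shown above, grouping them per search scope and reporting the discovery account, the ERROR records and the named ADSI HRESULT. It assumes one record per line; the function and table names are illustrative, and the sample lines are taken from the post.

```python
import re

# Subset of ADSI HRESULTs; 0x8000500C is the code logged in the post.
ADSI_ERRORS = {
    0x8000500C: "E_ADS_CANT_CONVERT_DATATYPE",
    0x8000500D: "E_ADS_PROPERTY_NOT_FOUND",
}

# One pasted record: message, component, date, time, thread id (decimal and hex).
RECORD = re.compile(
    r"^(?P<msg>.*?)\s+SMS_[A-Z_]+\s+\d{2}[./]\d{2}[./]\d{4}\s+"
    r"\d{2}:\d{2}:\d{2}\s+\d+\s+\(0x[0-9A-Fa-f]+\)\s*$")
SCOPE_START = re.compile(r"Starting to process search scope \(([^)]+)\)")
IMPERSONATE = re.compile(r"Impersonating user \[([^\]]+)\]")
HRESULT = re.compile(r"0x8[0-9A-Fa-f]{7}\b")  # failure codes only (high bit set)

# Excerpt from the post above, one record per line.
SAMPLE = r"""
INFO: -------- Starting to process search scope (LDAP://DC=Vessel1,DC=local) -------- SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: Impersonating user [VESSEL1\ADMINISTRATOR] to discover objects. SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
INFO: CADSource::incrementalSync returning 0x00000001 SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:02 152 (0x0098)
ERROR: Failed to read attribute 'invocationId' (0x8000500C) SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
INFO: CADSource::fullSync returning 0x8000500C SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
ERROR: Failed to enumerate directory objects in AD container LDAP://DC=VESSEL1,DC=LOCAL SMS_AD_SYSTEM_DISCOVERY_AGENT 22.03.2013 21:45:04 152 (0x0098)
""".strip().splitlines()

def triage(lines):
    """Return {search scope: {"account", "errors", "hresults"}}."""
    report, scope = {}, None
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # not a complete log record (blank or wrapped line)
        msg = m.group("msg")
        start = SCOPE_START.search(msg)
        if start:
            scope = start.group(1)
            report[scope] = {"account": None, "errors": [], "hresults": set()}
        if scope is None:
            continue  # record seen before any search scope started
        entry = report[scope]
        user = IMPERSONATE.search(msg)
        if user:
            entry["account"] = user.group(1)
        if msg.startswith("ERROR:"):
            entry["errors"].append(msg)
        for code in HRESULT.findall(msg):
            entry["hresults"].add(ADSI_ERRORS.get(int(code, 16), code))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```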

baramine44 Posted March 24, 2013

Windows Server 2012 domain is not supported in SCCM 2012 SP1

Joachim83 Posted March 25, 2013

Thanks, that would explain it.

I did some more research and found other people reporting that forest discovery does not work on a 2012 forest: http://social.technet.microsoft.com/Forums/en-US/configmanagergeneral/thread/aa05f47d-9bc6-4810-9aa0-c0fd810098d7

Rocket Man Posted March 25, 2013

Would just like to add to this that I have a fully functional 2012 domain infrastructure up and running without any errors with forest discovery or system discovery.

Joachim83 Posted March 25, 2013

> Would just like to add to this that I have a fully functional 2012 domain infrastructure up and running without any errors with forest discovery or system discovery.

I have no problems discovering the primary forest which SCCM is installed in, but is this an external 2012 forest you are discovering? I would be interested to know how you managed to fix that.

Rocket Man Posted March 25, 2013

Hi,

No, this is more directed at the link provided http://social.techne...a0-c0fd810098d7. I only have a single forest on Server 2012....... as you know works fine.

Joachim83 Posted March 25, 2013

Seems like the issue was not related to the 2012 Forest/domain function level.

I reconfigured the servers so all domains and forests are 2008R2 function level, and this time I tried with two different untrusted forests, one 2008R2 AD server and one 2012 AD server. However, I still get the same error message when trying to discover an untrusted forest.

Active Directory System Discovery Agent failed to bind to container LDAP://DC=VESSEL1,DC=LOCAL. Error: E_ADS_CANT_CONVERT_DATATYPE.

Anyone got any more ideas what could be causing this?

Joachim83 Posted March 29, 2013

I found this error in the ADForestDisc.log file; maybe it is the root of the problem and needs to be sorted before any of the other discovery methods work.

Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)
ERROR: [ForestDiscoveryAgent]: Discovery is being aborted due to an unexpected exception. SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)
ERROR: [ForestDiscoveryAgent]: Exception is returned from System.DirectoryServices with messsage Unable to cast object of type 'System.Byte[]' to type 'System.String'.. SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)
ERROR: [ForestDiscoveryAgent]: Exception call stack is: SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 29/03/2013 01:24:04 2580 (0x0A14)

Anyone got an idea of what can cause this error?

Joachim83 Posted March 29, 2013

I finally figured out the problem and it is working now.

My setup with the various forests was installed on a 2012 Hyper-V server. Forest A and Forest B were on different virtual switches and I was using Routing and Remote Access to route between the different LANs. I followed this guide: http://blogs.technet.com/b/letsdothis/archive/2012/01/08/configuring-hyper-v-for-multiple-subnets-with-only-one-nic.aspx

Routing was working, I could resolve, ping and copy files between the servers on the different LANs, even the connection tests were successful in SCCM, but it just wasn't working and giving the errors I mentioned.

I moved all servers to the same virtual switch and changed their IP addresses to all be on the same subnet, THEN it finally worked!

It looks like RRAS is blocking something when discovering for the first time. When I moved the Forest B server back to the other virtual switch and other subnet there were no longer any errors when discovering. I even deleted and recreated the forest in SCCM but still no errors when discovering and working 100%.