dns00At one of my customers I am currently building a System Center 2012 R2 Configuration Manager environment that must be able to support and manage their enterprise environment but also multiple not trusted forests in their environment. When adding one of the not trusted Active Directory Forests, the Active Directory Forest the Configuration Manager site information was published correctly but the discovery of the Active Directory Forest failed every time with an error that it failed to connect to forest.

Looking at the ADForestDisc.log file I noticed errors like below that the Active Directory forest was my primary site server was not able to connect to the not trusted Active Directory Forest.

ERROR: [ForestDiscoveryAgent]: Failed to connect to forest configmgrfaq.com. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.

Entering function ReportForestConnectionFailureStatusMessage()

Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2

The communication between the two environments was configured, the DNS conditional forwarders and the  accounts with the right permissions in the not trusted Active Directory Forest were in place so all the prerequisites to discover a not trusted forest were there.

So searching for a solution, I came across the Technet Forums where fellow MVP Jason Sandys explained the fact the Forest Discovery relies on DNS name resolution. This was exactly what was the issue in my case. Looking at the DNS configuration I noticed that the delegation of _msdcs was missing in my remote DNS zone. (in this example configmgrfaq.com) Like Jason explained Forest Discovery is using the SRV records to locate the Domain Controller of the remote not trusted forest.

Missing the _msdcs

Missing the _msdcs delegation

Adding the _msdc

Adding the _msdcs delegation to the zone

After adding the delegation of the (in this example) _mstdc.configmgrfaq.com the not trusted Active Directory Forest was discovered straight away.

Not trusted Active Directory Forest added successfully

Not trusted Active Directory Forest added successfully

Note As always  names and figures of my customer are replaced by names from my lab environment.