At one of my customers I am currently building a System Center 2012 R2 Configuration Manager environment that must support and manage their enterprise environment, but also several untrusted Active Directory forests. When I added one of the untrusted forests, the Configuration Manager site information was published to that forest correctly, but discovery of the forest failed every time with an error that it could not connect to the forest.

Looking at the ADForestDisc.log file I noticed errors like the ones below, showing that my primary site server was not able to connect to the untrusted Active Directory forest:

ERROR: [ForestDiscoveryAgent]: Failed to connect to forest configmgrfaq.com. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.

Entering function ReportForestConnectionFailureStatusMessage()

Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2

The communication between the two environments was configured: the DNS conditional forwarders and the accounts with the right permissions in the untrusted Active Directory forest were in place, so all the prerequisites for discovering an untrusted forest were met.

So, searching for a solution, I came across a TechNet Forums thread in which fellow MVP Jason Sandys explained that Forest Discovery relies on DNS name resolution. This was exactly the issue in my case. Looking at the DNS configuration I noticed that the delegation of _msdcs was missing in the remote DNS zone (in this example configmgrfaq.com). As Jason explained, Forest Discovery uses the domain controller locator, which looks up the SRV records under _msdcs.<forest> (for example _ldap._tcp.dc._msdcs.configmgrfaq.com) to find a domain controller of the remote untrusted forest. Without the delegation, those records cannot be resolved from the site server's side, and the connection fails even though the forest root zone itself resolves fine.

Missing the _msdcs delegation

Adding the _msdcs delegation to the zone

After adding the delegation of (in this example) _msdcs.configmgrfaq.com, the untrusted Active Directory forest was discovered straight away.
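The check and the fix described above, as an added PowerShell example that is not part of the original post. It first resolves the DC locator SRV record that Forest Discovery depends on, and only if that fails does it inspect the remote forest root zone and create the missing _msdcs delegation with the DnsServer cmdlets. The forest name configmgrfaq.com is the lab name used in this post; the DNS server name dc01.configmgrfaq.com and the address 10.10.0.10 are assumptions for this example, as is running it from a machine with the DnsServer RSAT module and permission to change zones in the remote forest.

```powershell
# Added example, not from the original post.
# Assumed placeholders: dc01.configmgrfaq.com / 10.10.0.10 stand in for an authoritative
# DNS server (domain controller) in the untrusted forest. Requires the DnsServer module (RSAT).
$Forest     = 'configmgrfaq.com'          # untrusted forest, lab name from the post
$RemoteDns  = 'dc01.configmgrfaq.com'     # authoritative DNS server in that forest (assumed)
$RemoteDcIp = '10.10.0.10'                # its IP address (assumed)

function Test-ForestLocator {
    # The DC locator (DsGetDcName) asks for _ldap._tcp.dc._msdcs.<forest>.
    # If this SRV query gets no answer, Forest Discovery logs "Failed to connect to forest".
    param([Parameter(Mandatory)][string]$ForestName)

    $srv = "_ldap._tcp.dc._msdcs.$ForestName"
    try {
        $answer = Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction Stop
        $answer | Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port, Priority, Weight
    }
    catch {
        Write-Warning "No SRV answer for ${srv}: $($_.Exception.Message)"
        $null
    }
}

function Get-MsdcsDelegation {
    # Lists the delegation of _msdcs.<forest> in the forest root zone on the remote DNS server.
    param([Parameter(Mandatory)][string]$ForestName,
          [Parameter(Mandatory)][string]$DnsServer)

    Get-DnsServerZoneDelegation -Name $ForestName -ComputerName $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.ChildZoneName -like "_msdcs.$ForestName*" }
}

$before = Test-ForestLocator -ForestName $Forest
if ($before) {
    Write-Host "DC locator records for $Forest resolve; Forest Discovery should connect."
    $before | Format-Table -AutoSize
}
else {
    $delegation = Get-MsdcsDelegation -ForestName $Forest -DnsServer $RemoteDns
    if (-not $delegation) {
        Write-Host "No _msdcs delegation in zone $Forest on $RemoteDns; creating it."
        # -ChildZoneName is the relative label; the NS records must point only at the
        # servers that actually host the _msdcs.<forest> zone.
        Add-DnsServerZoneDelegation -Name $Forest -ChildZoneName '_msdcs' `
            -NameServer $RemoteDns -IPAddress $RemoteDcIp `
            -ComputerName $RemoteDns -PassThru
    }
    else {
        Write-Host "Delegation exists but the SRV query still fails; check the conditional forwarder path."
        $delegation | Format-List
    }

    # Flush the local resolver cache so the retry is not answered from a negative cache entry,
    # then query again. nltest /dsgetdc:$Forest /force gives the same verdict from the OS locator.
    Clear-DnsClientCache
    Test-ForestLocator -ForestName $Forest | Format-Table -AutoSize
}
```

A caveat a practitioner will want: the conditional forwarder on the site server's side must carry queries for the whole configmgrfaq.com namespace, including the delegated _msdcs child zone, to servers that can answer for it. If _msdcs.configmgrfaq.com lives on different name servers than the forest root zone, either the delegation must point at them or a second conditional forwarder is needed; otherwise the forest root resolves while the locator records still do not, which is exactly the symptom in the log above.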

Untrusted Active Directory forest added successfully

Note: as always, names and figures of my customer are replaced by names from my lab environment.
