| Author | Messages | |
joe1
Posts:22
 | | 01/13/2010 12:50 PM |
| Hi all
I have some engineers attempting to setup an SCCM environment in childdomain1.Forest1.com. They also need to be able to manage computers in childdomain2.Forest2.com. There is a 2 way domain trust in place between these two child domains.
The SCCM server resides in childDomain1.Forest1.com. When the SCCM server attempts an LDAP query against childdomain2.forest2.com, it is successful. When it attempts an LDAP query against a site, this query fails. The difference appears to be that the query for a site in childdomain2.Forest2.com is a query of the Schema, held in the forest root domain.
I'm not sure of the permissions required to query the schema object, so added a Domain trust between Forest2.com and childDomain1.Forest1.com, but this has not solved the issue.
The error we see is:
ERROR: Failed to bind to 'LDAP://DC01.childdomain2.Forest2.com/CN=NTDS Settings,CN= DC01,CN=Servers,CN=OurSiteName,CN=Sites,CN=Configuration,DC=Forest2,DC=Com' (0x80072020): An operations error occurred.~~ -- Extended Error --- LDAP Provider : 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
In the above query, DC01 is a DC in childDomain2.Forest2.com.
I'd be grateful for any advice or experiences people could share.
Many thanks
Joe
| | | |
| edpoteet
Posts:15
 | | 01/13/2010 3:48 PM |
| Hi Joe,
Going to ask an obvious question but as the mantra on here and elsewhere is:
1.) Have you checked DNS?
2.) Have you checked DNS?
3.) Goto 1
I.E. Have you tried an nslookup of type srv on
_ldap._tcp.<site>._sites.gc._msdcs.forest2.com
_ldap._tcp.<site>._sites.childdomain2.forest2.com
Realize the returned results probably won't match.
If those resolve I would suggest running ldp and poking around to make sure you have permissions.
-Evan
________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Joe McNicholas [joe@joemcnicholas.com] Sent: Wednesday, January 13, 2010 7:49 AM To: activedir@mail.activedir.org Subject: [ActiveDir] SCCM + LDAP Query + Trusts
| | | |
| barkills
Posts:122
 | | 01/13/2010 5:01 PM |
| Hm. That sounds like a question that is better suited to the MyITForum mailing list (mssms@lists.myitforum.com). The LDAP error you are quoting is simply reporting that you haven't successfully made a bind before trying to issue an ldap query. http://technet.microsoft.com/en-us/library/bb694003.aspx talks about running SCCM in multiple forests, and my sense of that article is that for the 2nd forest, you don't really have tight directory integration. The evidence in the article that leads me to that conclusion are:
- the point about how you configure/manage the clients as if you hadn't installed the SCCM schema
- the point in the roaming support section about how clients in another forest can't access site information in AD DS so are in "regional roaming" behavior
However, I'd guess the folks over at the other forum might know better.
| | | |
| joe1
Posts:22
 | | 01/13/2010 6:51 PM |
| Thanks for the input - I'll check out DNS and the NSLOOKUP.
The LDAP query is submitted using the credentials of the SCCM server's computer object - any idea how I might test this, or where I might see a failure log? The Eventvwr Security log on DC01 only shows a successful connection by the SCCM server.
| | | |
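An added example, not from the thread or from SCCM, that runs Evan's two checks and addresses Joe's question about testing the bind: the site SRV lookups, then an authenticated LDAP bind and a search of the Configuration partition against the thread's placeholder names (DC01, OurSiteName, forest2.com), reporting which step fails. It assumes Windows PowerShell 5.1 on a domain-joined machine with the System.DirectoryServices.Protocols assembly available.

```powershell
# Added example (not the thread's code). Placeholder names come from the thread;
# replace them with your own. Reports whether DNS, the bind, or the query fails.
$P = 'System.DirectoryServices.Protocols'
Add-Type -AssemblyName $P
$Site    = 'OurSiteName'
$Domain  = 'childdomain2.forest2.com'
$Forest  = 'forest2.com'
$DC      = "DC01.$Domain"
$SitesDN = 'CN=Sites,CN=Configuration,DC=Forest2,DC=Com'

# 1. DNS: site-specific SRV records for the child domain and for the forest GC.
foreach ($name in "_ldap._tcp.$Site._sites.$Domain",
                  "_ldap._tcp.$Site._sites.gc._msdcs.$Forest") {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        "DNS OK    $name -> " + (($srv | ForEach-Object { $_.NameTarget }) -join ', ')
    } catch {
        "DNS FAIL  $name : $($_.Exception.Message)"
    }
}

# 2. LDAP bind with the caller's Kerberos identity (the computer account when run
#    as SYSTEM). A failure here is an authentication/trust problem, not an ACL one.
$id   = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList $DC, 389
$conn = New-Object "$P.LdapConnection" -ArgumentList $id
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.SessionOptions.Sealing = $true
try {
    $conn.Bind()
    "BIND OK   to $DC as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
} catch [System.DirectoryServices.Protocols.LdapException] {
    "BIND FAIL ($($_.Exception.ErrorCode)): $($_.Exception.Message)"; return
}

# 3. Read the site from the Configuration NC. Bound but empty means the identity
#    cannot read the object (or the name is wrong); an exception is a directory error.
$req = New-Object "$P.SearchRequest" -ArgumentList $SitesDN, "(&(objectClass=site)(cn=$Site))",
    ([System.DirectoryServices.Protocols.SearchScope]::Subtree), [string[]]@('distinguishedName')
try {
    $res = $conn.SendRequest($req)
    if ($res.Entries.Count -eq 0) { "QUERY EMPTY: bound, but cannot read $Site under $SitesDN" }
    else { "QUERY OK  $($res.Entries[0].DistinguishedName)" }
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    "QUERY FAIL ($($_.Exception.Response.ResultCode)): $($_.Exception.Message)"
}
```

Run it on the SCCM server under the SYSTEM account (for example from a scheduled task) so the bind uses the server's computer account rather than your own logon; run as yourself first to separate a general trust problem from one specific to the computer account.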