Active Directory Forest Discovery and Publishing in Configuration Manager 2012 Beta 2

Published Sep 07 2018 07:59 PM 570 Views
First published on CloudBlogs on Mar, 30 2011

[Randy Xu provides our first Config Manager 2012 Beta 2 post]

Background

In many large organizations, network configuration and Active Directory Domain Services are managed separately from Configuration Manager. Changes to the network topology or AD structure must be communicated between these teams to ensure Configuration Manager boundary settings are accurate. Up-to-date boundary information results in efficient application and software update deployments to all managed client computers. This is especially critical for roaming scenarios, which require boundary information to always be available and up to date. Now in Configuration Manager 2012 Beta 2, Active Directory Forest Discovery and publishing improvements enable organizations to centrally manage distribution of key site system roles across forests without the requirement to deploy additional sites.

Forest Discovery and Publishing Overview

To improve manageability of an ever-changing network environment, Active Directory Forest Discovery is added in Configuration Manager 2012 Beta 2. With it, Configuration Manager can discover Active Directory forests, their domains, AD Sites and IP subnets. Because domain users (or domain computer accounts) have permission to query forest relationships, Active Directory Forest Discovery can return information about other forests and their trust direction. The system can programmatically connect to all the forests and build a complete mapping of the corporate environment. It can also cross forest boundaries using specific credentials for each forest regardless of the trust type. The information obtained through Active Directory Forest Discovery can be directly exported as boundaries or boundary groups. Changes to discovered data are updated dynamically and aged out from the database if no longer present in Active Directory Domain Services. The discovered data is also used when clients request a management point or distribution point to ensure they receive the best possible site system.

Credentials specified for each Active Directory forest are used for both discovery and publishing, and they enable Configuration Manager 2012 sites to publish site information in remote trusted or untrusted forests. Publishing stores the information client computers need to establish trusted connections with site systems: site system locations and capabilities, boundaries, and security information, together with the client's trust relationship with the forest, the management point's communication mode (HTTPS/HTTP), and the network information (boundaries) used to locate the most appropriate management point or distribution point. This lets client computers more readily locate servers in a trusted forest, which user-targeted application deployments depend on.
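To make concrete what Forest Discovery collects (domains, AD Sites with their IP subnets, and forest trusts with their direction), here is an added PowerShell example that enumerates the same data through the .NET DirectoryServices API; it is not Configuration Manager's own discovery code. It assumes a domain-joined host; the `$ForestName` and `$Credential` parameters are placeholders for reaching a second forest that has no trust.

```powershell
# Added example (not Configuration Manager's own code): enumerate what AD Forest
# Discovery collects, using System.DirectoryServices.ActiveDirectory.
# $ForestName / $Credential are assumed placeholders for an untrusted forest.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestTopology {
    param(
        [string]$ForestName,                                     # omit for the current forest
        [System.Management.Automation.PSCredential]$Credential   # needed when no trust exists
    )
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
    if ($ForestName) {
        $ctx = if ($Credential) {
            New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                $ctxType, $ForestName, $Credential.UserName,
                $Credential.GetNetworkCredential().Password)
        } else {
            New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ctxType, $ForestName)
        }
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    } else {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    }

    # Domains and their functional level (shown in the console as an optional column)
    $domains = foreach ($d in $forest.Domains) {
        [pscustomobject]@{ Domain = $d.Name; FunctionalLevel = $d.DomainMode }
    }
    # AD Sites and the IP subnets attached to them; these become the
    # AD Site / IP Subnet boundaries that discovery can create automatically
    $sites = foreach ($s in $forest.Sites) {
        [pscustomobject]@{ Site = $s.Name; Subnets = @($s.Subnets | ForEach-Object Name) }
    }
    # Forest trusts with their direction; trusted forests are discovered automatically
    $trusts = foreach ($t in $forest.GetAllTrustRelationships()) {
        [pscustomobject]@{ TargetForest = $t.TargetName; Direction = $t.TrustDirection; Type = $t.TrustType }
    }
    [pscustomobject]@{ Forest = $forest.Name; Domains = $domains; Sites = $sites; Trusts = $trusts }
}

# Current forest, using the caller's own domain credentials (read access is enough)
$topology = Get-ForestTopology
$topology.Domains | Format-Table -AutoSize
$topology.Sites   | Format-Table -AutoSize
$topology.Trusts  | Format-Table -AutoSize
```

Comparing this output with the Active Directory Forests node in the console is a quick way to confirm that discovery ran with sufficient rights and reached every expected forest.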

How to use AD Forest Discovery

  1. Enable Forest Discovery

    Active Directory Forest Discovery is a new discovery method located in the Administration workspace of the Configuration Manager console.  It can be enabled on the central administration site and primary sites.  It is not supported on secondary sites.

    To enable Active Directory Forest Discovery, open the Active Directory Forest Discovery method properties dialog, and enable the method by checking "Enable Active Directory Forest Discovery". Because Active Directory Forest Discovery discovers AD Sites and IP Subnets from the forests, the dialog offers two further options that control whether AD Site boundaries and IP Subnet boundaries are created automatically from the discovery results. Discovery can be scheduled by hour/day/week. Discovery will automatically create the boundaries, but it will still be necessary for you to add the boundaries to a boundary group and to associate them with a site system to ensure content is available to your clients or the boundaries are used for site assignment.

    Active Directory Forest Discovery can be run on demand by selecting the "Run full discovery now" action from the ribbon or a right-click menu.

  2. Monitor Forest Discovery Running Status

    Active Directory Forest Discovery progress can be monitored by viewing the forest discovery log located in (SMS Installation Directory)\Logs\ADForestDisc.log or by viewing Active Directory Forest Discovery component status messages. In the Configuration Manager console, click Monitoring, expand System Status, click Component Status, select SMS_AD_Forest_Discovery_Manager, and click Show Messages to see status messages for this component.

  3. Check Forest Discovery Results and Leverage Them to Create Boundary Groups

    After Active Directory Forest Discovery completes, discovered information can be viewed in the Administration workspace by selecting Active Directory Forests.  Each discovered forest's information and status is listed.  The details pane shows the same information and status.  By default, the Domains tab lists all discovered domains in this forest. If you right-click on one of the available column headers, you can select Functional Level to add this information to the display. The Active Directory Sites tab lists all discovered AD Sites in this forest. The IP Subnets tab lists all discovered IP Subnets.  IP Subnets are associated with each AD Site and retained in the database. Discovery Status includes discovery status and publishing status.

    From the Active Directory Sites tab, you can select one or more AD Sites and IP Subnets from the detail pane list.  Right-click or use the ribbon actions to add these items to a new or existing boundary group.

  4. Discover Additional Forest Resources

    Forests with a trust relationship to the forest containing the site used to perform Active Directory Forest Discovery will be discovered automatically by using the default settings. To use Active Directory Forest Discovery for forests that do not have any trust relationship to the forest containing the site used to perform Active Directory Forest Discovery, add a new Active Directory forest and specify an account that has Read permissions in the forest.

  5. Publish Site Information to the Forest

    Forest publishing saves site and site system role information in Active Directory Domain Services.  Forest publishing requires that the target forest AD Schema is extended with Configuration Manager schema extensions and the Active Directory Forest Account has Full Control permissions to the System Container in the Active Directory for that forest.  You can enable forest publishing from the Properties of the forest in Active Directory Forests, by using the "Publish sites to the Active Directory forest" option.

    The Publishing Status shown in the Active Directory Forests list view is a status summary of all sites in the hierarchy. The status will show 'Failed' if any sites in the hierarchy failed to publish to the forest. To view published site information, open Active Directory Users and Computers, connect to a domain controller in the forest, and go to View > Advanced Features. Site and management point information is published under the System > System Management node.

Troubleshooting Guide

To troubleshoot problems with forest publishing, check the component status messages for SMS_Hierarchy_Manager and SMS_Site_Component_Manager on the site performing the publishing. Each site will publish its information into any forests enabled for publishing. The hman.log file and sitecomp.log file for each site may also indicate why publishing failed. Here are the typical reasons for publishing failures.

  1. The forest's AD Schema is not extended. To remedy this, run extadsch.exe from the Configuration Manager 2012 source media to extend the schema while you are logged in with an account that has Schema Administrator permissions to the forest.
  2. The site server's computer account has insufficient permissions to write into the System Container of the target forest AD. To remedy this, give the site server's computer account Full Control to System Container and all child objects.
  3. The specific account used for publishing has insufficient permissions to write into the System Container of the target forest AD. To remedy this, give the specific account Full Control to the System Container and all child objects.
  4. Publishing using alternate credentials (a specific account as the Active Directory Forest Account) will only work for a single site. In Beta 2, there is a functional limitation that prevents the account set in one site from being used by another site. To remedy this, connect the Configuration Manager console to the site that cannot publish its information and select the Administration workspace. In the Active Directory Forests node, modify the properties of the Active Directory forest and set the account again. In the Discovery Methods node, run Active Directory Forest Discovery to trigger publishing from that site.
  5. Publishing status is a summary of all sites in the hierarchy. When publishing status indicates "Failed", verify that each site, including the central administration site, primary sites, and secondary sites, has completed publishing by viewing that site's status messages or log files.
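The first three failure reasons above can be checked before publishing is enabled. The following added PowerShell example (not code from the post or from Configuration Manager) verifies that the schema extension is present, that the System Management container exists, and that the publishing account holds Full Control on it and its child objects, and then lists the site and management point objects already published there. It assumes the ActiveDirectory module, a host joined to the target forest, and `$PublishingAccount` as a placeholder for either the site server's computer account or the Active Directory Forest Account.

```powershell
# Added example, not from the post: verify the forest publishing prerequisites
# named in the troubleshooting list and list what has already been published.
# Assumes the ActiveDirectory module and a host in the target forest.
# $PublishingAccount is a placeholder: DOMAIN\SITESERVER$ or the forest account.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

function Test-SmsForestPublishing {
    param([Parameter(Mandatory)][string]$PublishingAccount)
    $rootDse = Get-ADRootDSE

    # Reason 1: the Configuration Manager schema extension adds the mSSMSSite class
    $schemaExtended = [bool](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=mSSMSSite)')

    # Reasons 2/3: System Management container present, and Full Control on
    # "this object and all descendant objects" for the publishing account
    $containerDN = "CN=System Management,CN=System,$($rootDse.defaultNamingContext)"
    $container = try { Get-ADObject -Identity $containerDN } catch { $null }
    $fullControl = $false
    if ($container) {
        $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $acl = Get-Acl -Path "AD:\$containerDN"
        $fullControl = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $PublishingAccount -and
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -and
            $_.InheritanceType -eq 'All'
        })
    }

    # What the sites have already published: site and management point objects
    $published = if ($container) {
        Get-ADObject -SearchBase $containerDN -SearchScope OneLevel `
            -LDAPFilter '(|(objectClass=mSSMSSite)(objectClass=mSSMSManagementPoint))' `
            -Properties mSSMSSiteCode, mSSMSMPName |
            Select-Object Name, ObjectClass, mSSMSSiteCode, mSSMSMPName
    }

    [pscustomobject]@{
        SchemaExtended         = $schemaExtended
        SystemManagementExists = [bool]$container
        PublishingAccountHasFC = $fullControl
        PublishedObjects       = @($published)
    }
}

# Placeholder account name; replace with the site server's computer account
Test-SmsForestPublishing -PublishingAccount 'CONTOSO\SITESERVER$'
```

If `SchemaExtended` is false, run extadsch.exe as the post describes; if `PublishingAccountHasFC` is false while the container exists, the ACE is either missing, deny, or not inherited to child objects.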

For more information about System Center Configuration Manager 2012, see the Configuration Manager 2012 Documentation Library on TechNet.

-- Randy Xu

This posting is provided "AS IS" with no warranties, and confers no rights.
