Collection Won't Add All Computers
We are trying to deploy Software Updates in different ways, so we created different collections based on Active Directory groups. What we want is for those collections to be fed with all the computers in a specific Active Directory group. So we have the following script:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "GRUMACNTRL\\GCUG_SecComp_Group1_AutomaticRestart_Servers_Test"

That script is supposed to bring all computers from the GCUG_SecComp_Group1_AutomaticRestart_Servers_Test group. And just like that we have many other collections. But we realized that the collections do not get all of their computers, just some of them. After checking, we found out that they just get the computers in the domain GRUMACNTRL.COM. (Our SCCM server is GRUMA1275.GRUMACNTRL.COM and the groups were also created in the Grumacntrl.com domain.) But we also have computers in the following domains: MX.GRUMA.COM, US.GRUMA.COM, CR.GRUMA.COM. And those are the ones that are not in the collections.

We checked the ALL SYSTEMS collection and all computers from any domain are actually there, which means that they're being discovered by SCCM. We set up all of our discoveries (AD System Group Discovery, AD Security Group Discovery, AD System Discovery). We have them ENABLED and with the following containers (all of them Recursive and Included):

LDAP://DC=GRUMACNTRL,DC=COM
LDAP://DC=CR,DC=GRUMA,DC=COM
LDAP://DC=MX,DC=GRUMA,DC=COM
LDAP://DC=US,DC=GRUMA,DC=COM

So it's supposed to discover all types with all domains. We checked the ADSYSDIS log and we found that, for example, one of the servers in GRUMACNTRL has this message:

INFO: discovered object with ADsPath = 'LDAP://GRUMA1205.GRUMACNTRL.COM/CN=GCUG_SecComp_Group1_AutomaticRestart_Servers_Test,CN=Users,DC=GRUMACNTRL,DC=com'

But none of the others (CR, MX, US) have messages like that...

Which means that "SCCM doesn't know they're in that group and that's why they're not being added to the collection". Any clue on what could be happening, or if there's something else we need to configure in SCCM, policies or AD to get this to work? We need to do it this way since these are a lot of groups and thus a lot of collections, whose computers are going to be added to and deleted from Active Directory so often that it would be really difficult to update SCCM collections manually. Thanks in advance.
April 17th, 2012 2:51pm
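A way to confirm the symptom described in the question from the discovery data itself, as an added example that is not part of the original post: it counts, per domain, how many discovered systems carry any group membership and how many carry the target group. It assumes the SMS Provider runs on the site server named in the post, and the site code `XXX` is a placeholder.

```powershell
# Added example, not from the thread: per-domain summary of group discovery data.
# Assumptions: the SMS Provider is on the site server named in the post, the
# account running this can read the provider, and 'XXX' is a placeholder site code.
$SiteCode  = 'XXX'                        # placeholder: replace with your site code
$Provider  = 'GRUMA1275.GRUMACNTRL.COM'   # site server named in the post
$GroupName = 'GRUMACNTRL\GCUG_SecComp_Group1_AutomaticRestart_Servers_Test'

# SystemGroupName is an array property on SMS_R_System, filled by group discovery.
$query   = 'select Name, ResourceDomainORWorkgroup, SystemGroupName from SMS_R_System'
$systems = Get-WmiObject -ComputerName $Provider `
                         -Namespace "root\sms\site_$SiteCode" `
                         -Query $query

$report = $systems | Group-Object -Property ResourceDomainORWorkgroup | ForEach-Object {
    # Systems for which discovery recorded at least one group membership
    $withGroupData = @($_.Group | Where-Object { $_.SystemGroupName })
    # Systems whose recorded memberships include the group the collection queries
    $inTargetGroup = @($_.Group | Where-Object { $_.SystemGroupName -contains $GroupName })

    [pscustomobject]@{
        Domain        = $_.Name
        Discovered    = $_.Count
        WithGroupData = $withGroupData.Count
        InTargetGroup = $inTargetGroup.Count
    }
}

$report | Sort-Object Domain | Format-Table -AutoSize
```

A domain that shows systems under Discovered but zero under WithGroupData is being found by system discovery while no group memberships are being recorded for it, which matches the missing ADSYSDIS entries for CR, MX and US.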

Hmmm. So the SCCM server is in the domain that it is able to issue LDAP queries for successfully, but it's not able to see other domains?

From http://technet.microsoft.com/en-us/library/bb633276.aspx:

To run Active Directory Discovery, the Active Directory domain can be in any Active Directory mode, and the site server computer account must have Read access to the specified Active Directory containers. Additionally, this account has the following requirements:

When you use this account to discover resources in domains other than the site server's domain, the site server computer account must be a member of the Domain Users or local Users group in the other domain.

When you use this account to discover resources in a different forest, a full forest trust is required between the two forests.

I'd suggest you start here. Do these target domains have logon auditing enabled? Do you have access to (and permission to use) a protocol analyzer to see what you are requesting and getting back?
April 19th, 2012 6:33am

Any chance that you are running into that issue: http://support.microsoft.com/kb/978757/en-us

Torsten Meringer | http://www.mssccmfaq.de
April 19th, 2012 6:43am


This topic is archived. No further replies will be accepted.
