Hi, I have one primary site with 1 DP, and one secondary site with 1 DP and 1 BDP. PS: System1 (ps,MP), System2 (DP) SS: System3 (ss, DP, P-MP), System4 (BDP) I protected all DPs/BDPs (site systems). The problem is that only the site systems in the PS show as protected, the systems in the SS do not show as protected (but they should be, as they have this option enabled and configured 'enable this site system as a protected site system'). I look under Boundaries to see all the boundaries, type and protected... In AD (System Management) OU, I only see the entries for the PS (SMS-Site-PS1), SS (SMS-Site-SS1) and MP (SMS-MP-PS1-xxxxxxxxx). I am missing the entries for the Proxy MP (ss) and the IP Range of the BDP. I know that both systems(ps/ss) can write to System Management in AD. If I un-protect a system in the PS, it takes effect. Also, my PS computer account is local admin on the SS, and the SS computer account is in the group 'SMS_SiteToSiteConnection_PS1' of the PS, and the PS computer account is in the group 'SMS_SiteToSiteConnection_SS1' of the SS. Both sites are configured for 'Publish this site in Active Directory Domain Services'. I tried re-installing the MP role; makes no difference. How can I troubleshoot this? thanks

I'm not totally following everything you've said above. The following may help clear things up a little though: - Protecting site systems is only applicable to the DP and SMP roles -- no others roles are impacted by protecting site systems. - Protecting site systems has nothing to do with publishing info into AD and has nothing to do with the MP. - Protecting a site system just prevents it from being returned to a client during a content lookup based upon the client's and site system's boundaries. Nothing more, nothing less. - For AD publishing, ensure that the site system (both primary and secondary) have proper permissions on the System Management containerJason | http://blog.configmgrftw.com | Twitter @JasonSandys

Jason, I added a bunch of other info because I think that there's more than one issue (writing to the OU and protecting DP). When I protect the DP (site system > 'enable this site system as a protected site system'), and I select the boundaries that are to be served by this DP, it saves the information, but it never shows it as protected. If you have protected DPs and you go under Site Settings > Boundaries, to see the boundaries and on the far right, it shows the systems that are protected (the site systems - i know only DP). In my case it doesn't show any systems as protected, even though they are... Something about that task is not completing. I need help troubleshooting to figure out why the boundaries do not show as protected. I have a lab environment that I configured the same way and it behaves normally (systems show as protected). The reason I threw in the comment about the MP entry missing in AD, is because it is supposed to be there, but it's not. Also, when you create a boundary based on an IP range, it also creates an entry in AD for it (mSSMSRoamingBoundaryRange). As I said, the systems can write to the AD container System Management (I installed a secondary site and there is an entry in the same OU)... thanks

Sanity check question: have you refreshed your console by selecting the Boundaries node in the tree and pressing F5 or choosing refresh from the right-click context menu? Have you reviewed the health of each of your sites under site status in the console?Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

ok, it's fixed... in case someone makes the same mistake... my bad, i had a typo on the server name of the secondary site, on the 'Address' at the PS node. As soon as I corrected the name, packages started replicating to the SS, the applications in IIS (on the SS) got created (MP, DP, etc) AND the IP Range boundaries, MP (as stated above - missing) got created. Thanks for you help. I dislike making dumb mistakes, but sometimes... :)