greetings, long time no post !! We have a customer with a very strict AD (single domain) locked down to policy domains applied to separate OUs. These OUs are role based and contain all computer ojects and security groups. These are also separated by firewall policies Schema is extended and changes are being written to it successfully. We have all our SCCM/SQL servers sitting in one OU (with its own domain policy) and clients (servers at this juncture) sitting in one or more other OUs All accounts/service accounts/user accounts have appropriate access to all objects. Servers have been built using SCCM/OSD and have the client installed, boundaries are correct and these are still showing as assigned when in the new OU All "firewall" port requirements are controlled on a policy domain to policy domain basis, and not IP to IP (hope that makes sense) Ports are open between clients and SCCM (custom HTTP for both client and SUP) and all tests prove these work OK (mp URL test and portqry) Port 3268 is open between clients and AD domain controllers (confirmed with portqry) HOWEVER when doing a manual discovery from any client - clientlocation and locationservices logs indicate that that the AD schema has not been extended, and client cannot verrify site version. Manual install of client using SMSSLP= or using the registry key, is 100% successful, however this is NOT an acceptable fix. Any thoughts or ideas on why these clients are not reading the GC properly, very greatly appreciated. thankyou for your time Nick BSolutions Architect

Hope, SCCM computer accounts have access to System Management Container and the related objects (sms-site-<sitecode> and sms-mp-<servername>) are already created.Anoop C Nair - Twitter @anoopmannur MY BLOG: http://anoopmannur.wordpress.com SCCM Professionals This posting is provided AS-IS with no warranties/guarantees and confers no rights.