Not able to query LDAP for AD System Discovery of a trusted domain
Our main domain, containing our SCCM 2007 R2 SP2 infrastructure, has trusts to 4 other test, QC, and development domains. I am trying to configure Active Directory System Discoveries of those 4 domains and am using a simple LDAP query against the GCs of each domain, so the query looks like this: LDAP://dmz.domain.company.com.

1. In checking the adsysdis.log, the query does return the FQDN of the GC server from DNS.
2. Based upon postings I have seen, I have granted the primary site server (the one doing the discovery), EFT03SM40$, read permissions on the other 4 entire domains.

My adsysdis.log has the following entries, indicating that it can't BIND:

** Service Thread is starting ** SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:34 AM 9384 (0x24A8)
INFO: Component setting of ACTIVE was specified in the site control file. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:35 AM 9384 (0x24A8)
INFO: Removing redundant containers and validating them... SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:35 AM 9384 (0x24A8)
The Run Count value in the site control file is 32. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:35 AM 9384 (0x24A8)
The Schedule token value in the site control file is 0021170000500008. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:36 AM 9384 (0x24A8)
Incremental synchronization is disabled. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:36 AM 9384 (0x24A8)
Optional attributes count = 0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:36 AM 9384 (0x24A8)
!!!!Valid AD container 0: LDAP://DMZ.MO.EFT.FISERV.NET/CN=COMPUTERS,DC=DMZ,DC=MO,DC=EFT,DC=FISERV,DC=NET SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:36 AM 9384 (0x24A8)
Configuration data have changed. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:36 AM 9384 (0x24A8)
Starting the data discovery. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:36 AM 9384 (0x24A8)
INFO: Processing search path: 'LDAP://DMZ.MO.EFT.FISERV.NET/CN=COMPUTERS,DC=DMZ,DC=MO,DC=EFT,DC=FISERV,DC=NET'. SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:36 AM 9384 (0x24A8)
INFO: Full synchronization requested SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:36 AM 9384 (0x24A8)
INFO: DC DNS name = 'm2qeft04dc22.dmz.mo.eft.fiserv.net' SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
ERROR: Failed to bind to 'LDAP://m2qeft04dc22.dmz.mo.eft.fiserv.net/CN=NTDS Settings,CN=M2QEFT04DC22,CN=Servers,CN=Portland,CN=Sites,CN=Configuration,DC=dmz,DC=mo,DC=eft,DC=fiserv,DC=net' (0x80072020): An operations error occurred.~~ -- Extended Error --- LDAP Provider : 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
ERROR: Failed to enumerate directory objects in AD container LDAP://DMZ.MO.EFT.FISERV.NET/CN=COMPUTERS,DC=DMZ,DC=MO,DC=EFT,DC=FISERV,DC=NET SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=EFT03SM40 SITE=MPS PID=4704 TID=9384 GMTDATE=Thu Aug 19 13:15:37.554 2010 ISTR0="LDAP://DMZ.MO.EFT.FISERV.NET/CN=COMPUTERS,DC=DMZ,DC=MO,DC=EFT,DC=FISERV,DC=NET" ISTR1="An operations error occurred.~~ -- Extended Error --- LDAP Provider : 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
STATMSG: ID=5202 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=EFT03SM40 SITE=MPS PID=4704 TID=9384 GMTDATE=Thu Aug 19 13:15:37.648 2010 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="0" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
*** Shutting Down ************************ SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)

If I use a third-party LDAP browser, such as LDAPAdmin, with the username being the primary site server and the password being blank, I get the same result but can verify that the tool is able to see the naming contexts for that domain. This issue obviously must revolve around permissions. What am I doing wrong? Thanks.
August 19th, 2010 4:39pm
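Added example (not part of the thread): a small parser for the flattened adsysdis.log layout quoted in the post, which pulls the DC actually contacted, the HRESULT and the LDAP extended error out of each "Failed to bind" entry and flags the case where the DC treated the connection as unauthenticated. The sample text is built from the post's own entries; the 0x80072020 mapping to Win32 error 8224 (ERROR_DS_OPERATIONS_ERROR) is standard Windows error numbering.

```python
import re

# Flattened adsysdis.log layout as quoted in the post:
#   <message> <COMPONENT> <M/D/YYYY h:mm:ss AM> <thread id> (0xHEX)
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<comp>SMS_[A-Z_]+)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)$")
BIND_RE = re.compile(r"ERROR: Failed to bind to '(?P<path>LDAP://[^']+)' \((?P<hr>0x[0-9A-Fa-f]{8})\)")
EXT_RE = re.compile(r"DSID-(?P<dsid>[0-9A-F]+), comment: (?P<comment>.*?), data (?P<data>\d+)")

# Constructed sample: four entries copied from the log quoted in the post, one record per line.
SAMPLE_LOG = """\
INFO: DC DNS name = 'm2qeft04dc22.dmz.mo.eft.fiserv.net' SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
ERROR: Failed to bind to 'LDAP://m2qeft04dc22.dmz.mo.eft.fiserv.net/CN=NTDS Settings,CN=M2QEFT04DC22,CN=Servers,CN=Portland,CN=Sites,CN=Configuration,DC=dmz,DC=mo,DC=eft,DC=fiserv,DC=net' (0x80072020): An operations error occurred.~~ -- Extended Error --- LDAP Provider : 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
ERROR: Failed to enumerate directory objects in AD container LDAP://DMZ.MO.EFT.FISERV.NET/CN=COMPUTERS,DC=DMZ,DC=MO,DC=EFT,DC=FISERV,DC=NET SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
*** Shutting Down ************************ SMS_AD_SYSTEM_DISCOVERY_AGENT 8/19/2010 9:15:37 AM 9384 (0x24A8)
"""

def parse_log(text):
    """Split flattened log text into records; lines that do not fit the layout are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def bind_failures(records):
    """Extract target DC, HRESULT and LDAP extended error from every 'Failed to bind' record."""
    out = []
    for r in records:
        b = BIND_RE.search(r["msg"])
        if not b:
            continue
        e = EXT_RE.search(r["msg"])
        out.append({
            "ts": r["ts"],
            "host": b.group("path").split("/")[2],   # the DC that was actually contacted
            "hresult": b.group("hr").lower(),
            "dsid": e.group("dsid") if e else None,
            "comment": e.group("comment") if e else "",
        })
    return out

def diagnose(failure):
    """0x80072020 wraps Win32 8224 (ERROR_DS_OPERATIONS_ERROR). Together with this comment it
    means the DC saw no successful bind, i.e. a credential/trust problem rather than an ACL one."""
    if failure["hresult"] == "0x80072020" and "successful bind" in failure["comment"]:
        return "unauthenticated bind"
    return "other"

if __name__ == "__main__":
    for f in bind_failures(parse_log(SAMPLE_LOG)):
        print(f["ts"], f["host"], f["hresult"], f["dsid"], diagnose(f))
```

Pointing the parser at a real adsysdis.log separates "the DC was reached but refused an unauthenticated bind" from a plain access-denied on the container, which is the distinction the thread turns on.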

Hi Scott, is it by any chance an external trust, and do you have ConfigMgr SP2 installed? If yes, have a look at this article: http://blogs.technet.com/b/configurationmgr/archive/2010/02/11/configuration-manager-ad-system-discovery-will-not-work-across-external-trusts-starting-with-service-pack-2.aspx

Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
August 19th, 2010 5:11pm

Your LDAP query looks wrong to me. It should look something like this: LDAP://CN=dmz,DC=domain,DC=company,DC=com

John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
August 19th, 2010 5:14pm

It was autogenerated. I entered the domain, in this case dmz.mo.eft.fiserv.net, and SCCM added the LDAP formatting after I was able to access the trusted domain via the Browse button. Yes, this setup is 2007 R2 SP2. Thanks for replying, guys.
August 19th, 2010 6:30pm
