Hi,
I hope someone can advise.
My environment is SCCM 2012 R2 (5.0.7958.1000). The SCCM Site Server is in a Data Centre domain. I am trying to set up cross-forest connectivity to an untrusted forest. There are no trusts or connectivity in place, so the servers in the remote domain have no visibility of the SCCM Domain/Site Server. I have followed the instructions here:
As we are going to be doing this for quite a few remote, untrusted domains, of varying sizes, we are going for the 3rd scenario Neil identifies. Each remote domain will have a site system running, as a minimum, a Management Point and an Endpoint Protection Point.
I have worked my way through Neil's documentation, and I have got as far as MP deployment. Forest discovery in my test domain has worked successfully and client machines are visible within SCCM (with no client agents deployed). In the console I see under Active Directory Forests that Discovery succeeded, but Publishing status is showing "Insufficient access rights".
Since the forests are untrusted, I cannot add the Site Server computer account to the permissions of the System Management container in the remote domain. The System Management container does have in it the details for the SCCM Site Server (mSSMSSite, mSSMSManagementPoint and mSSMSRoamingBoundaryRange), but not the local site system (Management Point).
When I look in the sitecomp.log file on the SCCM Site Server, I see some lines which are worrying.
SMS-MP-<SITECODE>-<Site Server>.<Domain.local> could not be updated, error code = 5
SMS-MP-<SITECODE>-<Site Server>.<Domain.local> could not be updated (using SMSv1 Schema), error code = 5
Then, after a few lines which include successful impersonation, a successful network connection to the remote domain's Domain Controller, updating MP config and security config etc., the log says:
Reverting to current impersonation
Publishing <REMOTE DOMAIN CONTROLLER>.<REMOTE DOMAIN>.<LOCAL> (FQDN of remote DC) as a Management Point into Active Directory.
SMS-MP-<SITECODE>-<Remote MP Server name>.<Domain.local> could not be created with Configmgr 2007/2012 Schema, error code = 5
SMS-MP-<SITECODE>-<Remote MP Server name>.<Domain.local> could not be created, Win32 error = 5
I have configured a group of accounts in the remote domain to do all the various domain/forest lookups that Neil documents in the blog series. The Management Point has installed successfully on the remote site system (MPSetup.log says "Installation was successful" and mpmsi.log says "Configmgr Management Point Installation operation completed successfully"). But the MPControl log is filled with:
Call to HttpsendREquest failed for port 80 with access code 500
Http test request failed, status code is 500, Internal Server Error
I assume this is because the System Management container is not properly populated. During the setup process, I extended the remote domain schema, and I can see in the extadsch.log file that all went well.
My question: is this a problem with the schema extension (do I need to re-run a more up-to-date extadsch.exe? I believe the .exe was from the SCCM 2012 R2 DVD, but I cannot be sure), or is this a permissions error in the remote System Management container? The console seems to indicate it is access rights; the sitecomp.log file seems to indicate it is a schema version issue. Has anyone seen this before? Please can someone advise? I have to get this nailed, so that I can update internal documentation and deploy SCCM to several remote untrusted domains.
Many Thanks in advance
Regards