We are receiving the following error while trying to discover a specific OU (all other OU's work as intended): SMS Active Directory System Discovery Agent failed to bind to container LDAP://OU=DOMAIN CONTROLLERS,DC=OURDOMAIN,DC=COM. Error: The specified directory service attribute or value does not exist. Possible cause: The AD container specified earlier might be invalid now. The Domain Controller is inaccessible. Solution: Please verify that the AD container paths specified are valid. Confirm accessibility of the site server to the Domain Controller to be queried. I tried deleting the LDAP Query and re-adding it, then forcing discovery but SCCM spit out the same error. Any help would be much appreciated!

I've downloaded and installed the Microsoft Hotfix, however, I am still receiving the same error.

Is that an exact copy of the error message? If so, there is a comma missing between DC=OUR and DC=COM. That hotfix doesn't address your issue. Do other OUs get discovered properly? Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

Did you extend the schema? Also, please check if the option Enable Active Directory publishing for the Configuration Manager site is checked in Site properties under Advanced tab.Sabrina TechNet Community Support

I don't see any connection between extending the schema (and AD publishing) and discovery at all. It's totally unrelated IMHO. Torsten Meringer | http://www.mssccmfaq.de

I didn't think the Hotfix would address my issue but some people had reported that it resolved theirs. This is the exact error message. There is a common in between OURDOMAIN,DC=COM.All other OUs are discovered properly.AD was extended, but I am with Torsten, I don't see a connection between my issue and extending the schema.

If you remove all other OUs from the discovery except this one, does it still error out? Have you reviewed permissions on this one specific OU to ensure that the site system's computer account has read permissions on it and all of its child objects?Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

Giving "Read" permissions to the site system server seemed to have resolved the error with the SMS_AD_SYSTEM_DISCOVERY_AGENT component. However, the objects are not showing up in the "All Systems" collection. Not really sure why I had to give "Read" permissions to my site system server though. I didn't have to do that for any other OU. I simple gave "Full Control" over the System container (and all of it's child objects) and it seemed to work for every other OU.

Someone probably locaked down your Domain Controller container. By default, all user and computer accounts have read permissions to every OU and otehr computer and user objects. Thus, there is generally no need to explicitly grant any other permissions and that's why you didn't have to for the other OUs (note that permissions on the System Management container have nothing to do with discovery). As for the systems not showing up in the All Systems collection, has it been updated (either manually or by schedule)?Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

It has been resolved. Granting "Read" permissions to the Domain Controller OU solved the issues. The DCs are now listed in the All Systems container and clients have been installed.