Solution: ConfigMgr 2007 fails to create AMT User OU objects in Disjointed Namespace Environment


Here's an issue I ran into the other day; since I didn't see it documented anywhere, I thought I'd post a quick heads-up here.

Issue: AMT clients are "successfully" provisioned, but their accounts are not created in the Out Of Band OU that was specified.

In the System Center Configuration Manager 2007 console, the container in which to create our AMT accounts is specified as:

OU=AMT,OU=Misc,DC=alpha,DC=bravo,DC=charlie,DC=com

However, the AMT clients we are trying to provision do not register their DNS suffix in that namespace. Instead they register it in DC=charlie,DC=com (NOT DC=alpha,DC=bravo,DC=charlie,DC=com).

We tried a hosts file entry on the SCCM server as well as modifying the DNS suffix search order on the SCCM server, to no avail. Regardless of the console settings, when we try to create the account ConfigMgr does a DNS lookup of the client and then fails to add the user object with this error:

Failure: The AMT Proxy Manager failed to add a object into AD. FQDN: serverName.charlie.com, ADDN: OU=AMT,OU=Misc,DC=charlie,DC=com, UUID: 4C4C4544-0047-5010-8036-B4C04F544631, AMT Version: 3.2.3.

Note: This LDAP path is not the one defined in the Out of Band Management properties, and in fact it does not exist!

If we configure the clients to register in DNS with the suffix that corresponds to DC=alpha,DC=bravo,DC=charlie,DC=com (that is, alpha.bravo.charlie.com), then everything works.

Cause: This can occur if the domain has a disjointed namespace.  For more information on disjointed namespaces see the Disjointed namespaces section of http://support.microsoft.com/default.aspx?scid=kb;EN-US;909264.

Resolution: We do not support disjointed namespaces with AMT and ConfigMgr 2007 SP1, and at this time there is no support for this configuration with ConfigMgr 2007 SP2 either. However, we are investigating what it would take to offer that support and will make a final determination at a later date.

So ultimately the answer to this problem is to have your clients register in the DNS namespace that matches the AD LDAP path you specified.
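To find such clients before provisioning rather than from the failure log, here is an added audit script (not part of the original post or of ConfigMgr). It models the behaviour observed above, where the DC= components of the target DN end up being derived from the client's DNS suffix rather than from the console setting, and flags every FQDN whose suffix does not match the domain implied by the configured OU. It assumes simple DNs with no escaped commas and FQDNs of the form host.suffix; the sample inventory is constructed.

```python
# Added example, not from the original post. Models the DN derivation the post
# reports (OU= components kept, DC= components rebuilt from the client's DNS
# suffix) and audits an inventory of client FQDNs against the configured OU.
# Assumption: DNs contain no escaped commas; FQDNs are plain "host.suffix".

CONFIGURED_OU = "OU=AMT,OU=Misc,DC=alpha,DC=bravo,DC=charlie,DC=com"


def split_dn(dn):
    """Split a comma-separated DN into (attribute type, value) pairs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def domain_from_dn(dn):
    """DNS name implied by the DC= components, e.g. alpha.bravo.charlie.com."""
    return ".".join(v for t, v in split_dn(dn) if t == "DC").lower()


def dns_suffix(fqdn):
    """Everything after the host label, lower-cased."""
    _host, _, suffix = fqdn.partition(".")
    return suffix.lower()


def derived_dn(configured_ou, fqdn):
    """DN that results when DC= parts are taken from the client's DNS suffix."""
    ous = [f"{t}={v}" for t, v in split_dn(configured_ou) if t != "DC"]
    dcs = [f"DC={label}" for label in dns_suffix(fqdn).split(".") if label]
    return ",".join(ous + dcs)


def is_disjoint(configured_ou, fqdn):
    """True when the client's DNS suffix does not match the OU's domain."""
    return dns_suffix(fqdn) != domain_from_dn(configured_ou)


def audit(configured_ou, fqdns):
    """Return (fqdn, derived DN) for every client that would fail to provision."""
    return [(f, derived_dn(configured_ou, f)) for f in fqdns
            if is_disjoint(configured_ou, f)]


if __name__ == "__main__":
    sample = ["serverName.charlie.com", "ws01.alpha.bravo.charlie.com"]  # constructed
    for fqdn, dn in audit(CONFIGURED_OU, sample):
        print(f"{fqdn}: suffix '{dns_suffix(fqdn)}' != "
              f"'{domain_from_dn(CONFIGURED_OU)}'; would target {dn}")
```

Running it against the constructed sample reports serverName.charlie.com targeting OU=AMT,OU=Misc,DC=charlie,DC=com, the same non-existent path seen in the failure message above.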

Best,

Buz Brodin | Senior Support Escalation Engineer

  • the Disjointed namespace link above is broken:

    Sorry, but we couldn't find the page that you requested.

    Please refine your search or try one of the other helpful links that are provided here.