After upgrading to SCCM 2007 SP2, AD discovery methods will fail to bind across external trusts. When the failure occurs, the ADSysDis.log will contain entries similar to this:
ERROR: Failed to bind to AD Object LDAP://DC02-140-52S.LITWARE.COM/CN=COMPUTERS, error=An operations error occurred.~~ -- Extended Error --- LDAP Provider : 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.
ERROR: Failed to enumerate directory objects in AD container LDAP://DC02-140-52S.LITWARE.COM/CN=COMPUTERS
STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=SMS4-120-52S SITE=2P4 PID=1340 TID=308 GMTDATE=Thu Dec 17 18:31:10.528 2009 ISTR0="LDAP://DC02-140-52S.LITWARE.COM/CN=COMPUTERS" ISTR1="An operations error occurred.~~ -- Extended Error --- LDAP Provider : 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
The failure occurs because of a change made in Service Pack 2 which makes the product more secure by requiring authentication for AD binds. As discovery is performed by the site server System account, authentication on the network requires Kerberos which is not supported across external trusts.
You can use one of the following methods to work around this new behavior:
- Use Windows 2003 or higher forest trusts instead of external trusts, as Kerberos is supported across them.
- Install a primary site server in the trusted domain to perform discovery there. This server can leverage an address configured with a user name and password, which works with NTLM, to forward the data to the original site server in the trusting domain.
Keith Thornley | Senior Support Escalation Engineer