Re: Discovery problem
From: Jørn Jørgensen (jorn_at_hotmail.com)
Date: 03/11/04
- Next message: Evan [MSFT]: "Re: SMS 2.0 Uninstall"
- Previous message: BillB: "SMS 2.0 Web Reporting Installation Issue"
- In reply to: Jørn Jørgensen: "Re: Discovery problem"
- Next in thread: Stan White [MS]: "Re: Discovery problem"
- Reply: Stan White [MS]: "Re: Discovery problem"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 11 Mar 2004 17:22:27 +0100
Hi,
A situation update:
* I've reinstalled SMS again, this time setting it up with standard security
to make sure pass-through authentication works as it should.
* I can browse the remote AD fine using Softerra LDAP Administrator with
what I believe to be the same credentials that SMS is supplying.
* SMS is set up to use the Administrator account at the site level
* I've also added 'remote domain'\Administrator to Site Settings ->
Connection -> Accounts -> Clients and to Site Servers as well (is this
necessary?).
* In the Discovery Methods, if I type in LDAP://server:389/DC=T4HTEST,DC=NO
I can browse the remote AD fine.
* If I select a container and return to the dialog box the LDAP
query is updated to e.g. LDAP://server:389/CN=COMPUTERS,DC=T4HTEST,DC=NO. If
I click browse here I get the same error message as described in the
previous post.
If I force a discovery, one of two things happens:
* LDAP://server:389/DC=T4HTEST,DC=NO: AD_SYSTEM_DISCOVERY_AGENT reports that
it starts and stops (message IDs 500 and 502)
* LDAP://server:389/CN=COMPUTERS,DC=T4HTEST,DC=NO: AD_SYSTEM_DISCOVERY_AGENT
reports that it starts (ID 500), and then it seems to hang. I've waited as
long as an hour and no other status is returned. In the SMS Service Manager
the thread appears as 'running'.
In the latter case, if I use the SMS Service Manager to stop and start
AD_SYSTEM_DISCOVERY_AGENT, or if necessary do a reboot I sometimes get a
warning like this in the AD_SYSTEM_DISCOVERY_AGENT log:
"SMS Active Directory System Discovery Agent reported errors for 39 objects.
DDR's were generated for 0 objects that had errors while reading
non-critical properties. DDR's were not generated for 39 objects that had
errors while reading critical properties. Possible cause: The SMS Service
might not have access to some properties of this object. The container
specified might not have the properties available. Solution: Please verify
the Active Directory schema for properties that are not replicated or
locked. Refer to the discovery logs for more information."
If this makes sense to anyone, please help!
Thanks,
Jørn
"Jørn Jørgensen" <jorn@hotmail.com> wrote in message
news:OfIFaozBEHA.2628@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> Previously when entering the LDAP string in the Active Directory System
> Discovery Properties, I've just typed in LDAP://DC=T4HTEST,DC=NO and
> clicked
> OK. I've noticed now, however, that if I click browse after I type in the
> string to validate that SMS can connect, I get an error message saying:
> "SMS cannot connect to the Active Directory container you specified.
> Container: LDAP://DC=T4HTEST,DC=NO
> The container either does not exist or could not be contacted."
>
> The same thing happens both with our production domain and the test domain
> set up specifically for this purpose.
>
> I'll try to do a remote LDAP query from outside of SMS, but:
> * Which user account does SMS use when querying the remote AD?
> * Where is this account specified in SMS?
>
> Have I understood it correctly if you go to Site Settings -> Connection
> Accounts -> Clients and create a user account entry to match a domain
> admin
> (for the time being) in the remote domain?
>
> Also, this time around I installed SMS with Advanced Security. Does this
> affect discovery in any way?
>
> Thanks,
> Jørn
>
> "Stan White [MS]" <stanwh@microsoft.com> wrote in message
> news:#7VG93sBEHA.1456@TK2MSFTNGP09.phx.gbl...
>> Discovery is not dependent on assignment or boundaries, the discovered
>> records will just show up as client=NO and Assigned=NO if discovery succeeds
>> but the resources are not in any site boundary. AD discovery is probably
>> failing because the SMS service (or machine) account has no rights to read
>> in the remote domain, but it could also be due to not finding the remote AD
>> to even attempt a query. The error message is not useful. If you can try a
>> remote LDAP query using the service account that may shed some light.
>>
>>
>> --
>> Stan [MSFT]
>> --
>> --
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>> --
>> --
>>
>> "Jørn Jørgensen" <jorn@hotmail.com> wrote in message
>> news:u$vc5irBEHA.3852@TK2MSFTNGP10.phx.gbl...
>> > Hi again,
>> >
>> > I've reinstalled the whole setup again, so here's a quick recap of what
>> > has been done this time around:
>> > * The SMS Server is a DC in domain T4h, the site is called "OPS - T4h
>> > Operations"
>> > * Resources to be discovered are in T4hTest domain
>> > * The two domains are in separate forests and there are no trusts, but all
>> > hardware is on the same IP subnet
>> > * There is an administrator account with the same name and password in
>> > both domains
>> > * ONLY the following changes have been made to the standard SMS server
>> > install:
>> > 1. The site boundaries are set to Default-First-Site-Name and the local
>> > subnet (192.168.1.0)
>> > 2. Two client connection accounts have been added (corresponding to the
>> > domain administrator accounts in the two domains)
>> > 3. The SMS Server has been assigned all site roles
>> > 4. The Active Directory System Discovery has been turned on and points
>> > to the following AD container: LDAP://DC=T4hTest,DC=NO.
>> > 5. The Network Discovery has been configured with 'everything on' as
>> > described in the initial post.
>> >
>> > I've then selected to run discovery as soon as possible, but nothing shows
>> > up in All Systems. I have done the Update Collection Membership and
>> > refreshed the All Systems collection.
>> >
>> > I've copied below one complete entry from adsysdis.log. I hope someone can
>> > help me interpret this...
>> >
>> > I haven't included anything from the netdisc.log because it's too big and
>> > I don't know which parts are relevant. It is clear, however, that
>> > something's going on with network discovery, as I can find the names of
>> > servers and workstations within this log file. They just don't show up in
>> > the console...
>> >
>> > Questions:
>> > * Should the above configuration allow SMS to read the other AD? If not,
>> > how should this be configured in terms of accounts/rights, both within SMS
>> > and the external domain?
>> > * Am I correct in assuming that the site boundaries defined at the site
>> > level only limit what resources are assigned to a site and do not
>> > affect
>> > discovery as such?
>> >
>> > Thanks for any input!
>> > Jørn
>> >
>> > ADsysdis.log:
>> > ** Service Thread is starting **~ $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on
>> > mar 10 16:22:24.968 2004 Romance Standard Time><thread=2960 (0xB90)>
>> > Removing redundant containers and validating them...~
>> > $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10 16:22:25.968 2004 Romance
>> > Standard Time><thread=2960 (0xB90)>
>> > The Run Count value in the site control file is 4.~
>> > $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10 16:22:25.968 2004 Romance
>> > Standard Time><thread=2960 (0xB90)>
>> > The Schedule token value in the site control file is 0001170000500008.~
>> > $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10 16:22:25.968 2004 Romance
>> > Standard Time><thread=2960 (0xB90)>
>> > !!!!Valid AD container 0: LDAP://DC=T4HTEST,DC=NO~
>> > $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10 16:22:25.968 2004 Romance
>> > Standard Time><thread=2960 (0xB90)>
>> > Starting the data discovery.~ $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10
>> > 16:22:25.968 2004 Romance Standard Time><thread=2960 (0xB90)>
>> > ERROR: Failed to bind to AD Object LDAP://DC=T4HTEST,DC=NO, error=A
>> > referral was returned from the server.~~ -- Extended Error --- LDAP
>> > Provider : 0000202B: RefErr: DSID-031006D9, data 0, 1 access points~
>> > ref
>> > 1: 't4htest.no'~.~ $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10
>> > 16:22:32.718 2004 Romance Standard Time><thread=2960 (0xB90)>
>> > STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server"
>> > COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=T4H-SMSDEPLOY SITE=OPS PID=1864
>> > TID=2960 GMTDATE=on mar 10 15:22:32.718 2004
>> > ISTR0="LDAP://DC=T4HTEST,DC=NO" ISTR1="A referral was returned from the
>> > server.~~ -- Extended Error --- LDAP Provider : 0000202B: RefErr:
>> > DSID-031006D9, data 0, 1 access points~ ref 1: 't4htest.no'~" ISTR2=""
>> > ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
>> > $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10 16:22:32.718 2004 Romance
>> > Standard Time><thread=2960 (0xB90)>
>> > STATMSG: ID=5202 SEV=I LEV=M SOURCE="SMS Server"
>> > COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=T4H-SMSDEPLOY SITE=OPS PID=1864
>> > TID=2960 GMTDATE=on mar 10 15:22:32.718 2004 ISTR0="1" ISTR1="0" ISTR2="0"
>> > ISTR3="0" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
>> > $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10 16:22:32.718 2004 Romance
>> > Standard Time><thread=2960 (0xB90)>
>> > *** Shutting Down ************************
>> >
>> >
>> >
>> > "Stan White [MS]" <stanwh@microsoft.com> wrote in message
>> > news:uTO1Y9qBEHA.3256@TK2MSFTNGP09.phx.gbl...
>> >> The settings you have look fine. (Of course you remembered to 'update
>> >> collection membership' on the 'All Systems' collection after discovery
>> >> then hit F5)
>> >>
>> >> Your next troubleshooting step would be to review the discovery logs on
>> >> the site server to see what the details were about the discovery
>> >> operations.
>> >> Look for anything with 'DISC' in the log file name, such as adsysdisc.log
>> >> or netdisc.log. Also check ddm.log for details on processing of any
>> >> discovery records.
>> >>
>> >> It's likely that you don't have read permissions to the remote forest
>> >> since there is no trust, do not count on pass-through in this case.
>> >>
>> >> --
>> >> Stan [MSFT]
>> >> --
>> >> --
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >> --
>> >> --
>> >>
>> >> "Jørn Jørgensen" <jorn@hotmail.com> wrote in message
>> >> news:%23fKUMVfBEHA.1600@tk2msftngp13.phx.gbl...
>> >>> Hi,
>> >>>
>> >>> What I'm trying to do:
>> >>> * Have SMS discover resources in neighboring domains (on the same IP
>> >>> subnet, for the time being)
>> >>>
>> >>> The scenario:
>> >>> * One primary SMS site
>> >>> * SMS 2003 installed on a DC in its own domain
>> >>> * IIS and SQL 2000 SP3 are installed and running on the same box, but
>> >>> are only used for SMS
>> >>> * Resources to be discovered are located in completely separate domains
>> >>> (no trusts), but on the same subnet without any routing or firewall in
>> >>> between.
>> >>> * It's a small LAN with maybe 20 computers on the subnet total.
>> >>>
>> >>> The problem:
>> >>> * I cannot get SMS to discover any other resources than the SMS
>> >>> server
>> >>> itself (which is the only computer in this domain).
>> >>>
>> >>> After installing SMS 2003, I've done the following configuration:
>> >>> 1. Configured the site boundaries (local subnet +
>> >>> Default-First-Site-Name)
>> >>> 2. Configured Site System - everything on, and everything running on the
>> >>> same computer
>> >>> 3. Configured discovery methods as follows:
>> >>> a. Active Directory System Discovery
>> >>> 1. Turn it on and point to the local domain. This results in the
>> >>> SMS server itself showing up in All Systems
>> >>> 2. Add domain2.com - no change
>> >>> b. Network discovery
>> >>> 1. Enable it and choose "Topology, client, and client operating
>> >>> system",
>> >>> 2. Add the local subnet (192.168.1.0, 255.255.255.0),
>> >>> 3. Add the local domain and domain2 (both with and without .com)
>> >>> 4. Set maximum hops to 10 in SNMP (leave the default Public
>> >>> community name)
>> >>> 5. Schedule an immediate discovery (running time 20 minutes)
>> >>> 4. I don't know if it matters, but I'm logged on the SMS server as a
>> >>> domain admin. In domain2 there's an administrator account with the same
>> >>> user name and password as the SMS domain admin. I have not configured
>> >>> connection accounts in SMS as I figure that isn't necessary for
>> >>> discovery...
>> >>>
>> >>> The result of all discoveries is - with the exception of the SMS server
>> >>> itself - zilch (I have of course updated the collections).
>> >>>
>> >>> So, am I missing something crucial here? What mechanisms are in fact
>> >>> involved in discovering resources in a separate domain? What is the
>> >>> preferred method for discovering in external domains (Network or Active
>> >>> Directory System Discovery). And in the case of the latter, does
>> >>> anything need to be configured in the AD domain which is to be
>> >>> discovered?
>> >>>
>> >>> Any feedback highly appreciated!
>> >>>
>> >>> Thanks,
>> >>> Jørn
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>
>
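
An added example, not part of the original thread and not SMS code: a small Python triage script for the adsysdis.log excerpt quoted above. It strips the news-reader quoting and wrapping, extracts each "Failed to bind" entry with its LDAP provider code and referral target, and records whether the container path names a server, which is the difference between the LDAP://DC=... and LDAP://server:389/DC=... forms tried in the thread. The function names and the entry-layout regex are assumptions drawn from the lines shown on this page.

```python
import re

# Entry layout seen in the quoted log: "<text> $$<component><time><thread=N (0xHEX)>"
ENTRY = re.compile(r"(?P<text>.*?)\s*\$\$<(?P<comp>[^>]+)><(?P<when>[^>]+)><thread=(?P<tid>\d+)[^>]*>")
BIND_FAIL = re.compile(r"Failed to bind to AD Object (?P<path>LDAP://.+?), error=(?P<err>[^~]+)")
EXT_CODE = re.compile(r"LDAP Provider : (?P<code>[0-9A-Fa-f]{8})")
REFERRAL = re.compile(r"ref \d+: '([^']+)'")

# Excerpt of the adsysdis.log lines quoted in the thread, quoting and wrapping intact.
SAMPLE = r"""
>> > Starting the data discovery.~ $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar
> 10
>> > 16:22:25.968 2004 Romance Standard Time><thread=2960 (0xB90)>
>> > ERROR: Failed to bind to AD Object LDAP://DC=T4HTEST,DC=NO, error=A
>> > referral was returned from the server.~~ -- Extended Error --- LDAP
>> > Provider : 0000202B: RefErr: DSID-031006D9, data 0, 1 access points~
>> > ref
>> > 1: 't4htest.no'~.~ $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><on mar 10
>> > 16:22:32.718 2004 Romance Standard Time><thread=2960 (0xB90)>
"""

def is_serverless(adspath):
    """True when the ADsPath names no host, e.g. LDAP://DC=T4HTEST,DC=NO."""
    host, sep, _dn = adspath[len("LDAP://"):].partition("/")
    return not sep or "=" in host

def bind_failures(log_text):
    """Return one dict per 'Failed to bind' entry in an adsysdis.log excerpt."""
    unquoted = re.sub(r"(?m)^[> ]+", "", log_text)   # drop '>' quote prefixes
    flat = " ".join(unquoted.split())                # undo line wrapping
    out = []
    for m in ENTRY.finditer(flat):
        fail = BIND_FAIL.search(m["text"])
        if not fail:
            continue
        code = EXT_CODE.search(m["text"])
        out.append({
            "when": m["when"],
            "thread": int(m["tid"]),
            "path": fail["path"],
            "error": fail["err"].strip(),
            "ldap_code": code["code"] if code else None,
            "referrals": REFERRAL.findall(m["text"]),
            "serverless": is_serverless(fail["path"]),
        })
    return out

if __name__ == "__main__":
    for failure in bind_failures(SAMPLE):
        print(failure)
```
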