Config Manager - Forest with Multiple Child Domains

Eric Welshons 21 Reputation points
2021-04-30T17:17:22.08+00:00

Setup:
acme.com as the parent; Config Manager installed here and working.
Three child domains: child1.acme.com, child2.acme.com and child3.acme.com

We are trying to get discovery working in the child domains. What do we need? When trying to add a forest, we use the computer account of the site server, it returns "Insufficient Rights Access". Should we create service accounts in the three child domains? Should the server account just be able to work? Do we need to extend the schema in the child domains as well?

Microsoft Configuration Manager

Accepted answer
  1. Simon Ren-MSFT 30,031 Reputation points Microsoft Vendor
    2021-05-01T07:37:19.67+00:00

    Hi,

    Thanks for posting in Microsoft MECM Q&A forum.

    1. Agree with Jason. Extending the schema is a one-time action for any forest; there is no need to do it in the child domains too. To verify whether the AD schema extension was successful, open the log file extadsch.log located in the root of the system drive. Please also make sure that the primary site or CAS server computer account has been granted Full Control permissions to the System Management container and all its child objects, so it can publish site information to the container.

    For more information, please refer to: Installing Prerequisites for Configuration Manager

    2. The Active Directory Forest Discovery account can be the computer account of the site server or a user-defined Windows user account. This account must have Read permissions to each Active Directory forest where you want to discover network infrastructure. This account must also have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data.

    For more information, please refer to the official article: Active Directory forest account

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
    https://learn.microsoft.com/en-us/answers/articles/67444/email-notifications.html

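The two checks in the accepted answer (was the forest-wide schema extension logged as successful, and does the site server's computer account hold Full Control on CN=System Management in each child domain) can be scripted. The following is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module, a site server named CM01 in the root domain acme.com, the three child domain names from the question, and a caller who can edit ACLs under CN=System in each child domain; it only reports unless $Apply is set to $true.

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module present,
# site server 'CM01' lives in the forest root acme.com, and the caller can edit ACLs
# under CN=System in each child domain. Reports only unless $Apply is $true.
Import-Module ActiveDirectory

$Apply        = $false
$siteServer   = 'CM01'                                   # assumption
$rootDomain   = 'acme.com'
$childDomains = 'child1.acme.com', 'child2.acme.com', 'child3.acme.com'

# 1. The schema extension is forest-wide and done once. ExtADSch.exe writes its log to the
#    root of the system drive of the machine it ran on, so check that host, not the children.
$log = Join-Path $env:SystemDrive 'ExtADSch.log'
if (Test-Path $log) {
    $extended = Select-String -Path $log -Quiet -SimpleMatch `
        -Pattern 'Successfully extended the Active Directory schema'
    "Schema extension recorded as successful in ${log}: $extended"
} else {
    "$log not found here; look on the host where ExtADSch.exe was run."
}

# 2. Site data is published by the site server's computer account. Resolve it once from
#    the root domain; its SID is valid in every domain of the forest.
$sid         = (Get-ADComputer -Identity $siteServer -Server $rootDomain).SID
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($domain in $childDomains) {
    $domainDn = (Get-ADDomain -Server $domain).DistinguishedName
    $systemDn = "CN=System,$domainDn"
    $smDn     = "CN=System Management,$systemDn"

    # Setup does not create the container; create it if this domain does not have one yet.
    $container = Get-ADObject -Server $domain -LDAPFilter '(cn=System Management)' `
                     -SearchBase $systemDn -SearchScope OneLevel
    if (-not $container) {
        if ($Apply) {
            New-ADObject -Server $domain -Name 'System Management' -Type container -Path $systemDn
            "$domain : created $smDn"
        } else {
            "$domain : $smDn is missing (would create it with `$Apply = `$true)"
            continue
        }
    }

    # Read the ACL through ADSI so a specific domain can be targeted without an AD: drive.
    $entry = [ADSI]"LDAP://$domain/$smDn"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $has   = $rules | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl -and
        $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    }

    if ($has) {
        "$domain : $siteServer`$ already has Full Control on $smDn and all child objects"
    } elseif ($Apply) {
        # Full Control on this object and all descendants, which is what publishing needs.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $fullControl,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $null = $entry.ObjectSecurity.AddAccessRule($rule)
        $entry.CommitChanges()
        "$domain : granted Full Control on $smDn to $siteServer`$"
    } else {
        "$domain : $siteServer`$ lacks Full Control on $smDn (would grant it with `$Apply = `$true)"
    }
}
```

The ACE is scoped to the System Management container and its descendants only; nothing here touches CN=System itself or the domain root, which is the least-privilege shape the publishing requirement allows. Run it in report mode first and hand the output to the security team that has to sign off on the change.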

3 additional answers

  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-04-30T18:40:16.43+00:00

    Should the server account just be able to work?

    That really has nothing to do with ConfigMgr. It's all about permissions on the objects and OUs in AD. It's been a while since I tried, but I thought computer objects by default have read permissions on all other objects in an AD forest. I could be totally wrong though, and based on what you have above, that's at least incorrect for your environment, so yes, create additional accounts to perform the discovery. These are not service accounts though, as they don't run any services. As for extending the schema, it's already extended in a child domain, as the schema is a forest-wide, shared construct and thus extending it in the forest extends it in all domains within that forest as well.


  2. Eric Welshons 21 Reputation points
    2021-05-01T12:03:25.123+00:00

    Thank you. This was close to my understanding, but not as neatly articulated. For now, I will have to let the server folks and security hash out what they want to do.


  3. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-05-03T13:32:05.677+00:00

    Note that none of the items mentioned by @Simon Ren-MSFT have anything to do with resource discovery. They are all nice to haves for sure, but AD System discovery is completely unrelated to any of these: forest discovery, schema extension, or site publishing to AD. So, while I'm not trying to detract from the info he gave, it isn't an answer here in any way.

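The point in the last answer is that AD System Discovery only needs Read on the OUs and containers it is pointed at, in whichever child domain they live, with whatever account you configure for those containers. Because a missing Read produces an empty result rather than an error, the useful check is a comparison: enumerate computers per container as the current privileged session, then again as the discovery account, and report where the two views differ. The script below is an added example, not code from the thread; the account names in it are assumptions, and it prompts for each account's password.

```powershell
# Added example (not from the thread). Compares what the current (privileged) session sees
# per OU/container with what the discovery account sees, so missing Read shows up as a
# lower count or a missing container instead of silence. Account names are assumptions.
Import-Module ActiveDirectory

$discoveryAccounts = @{
    'child1.acme.com' = 'CHILD1\svc-cmdiscover'   # assumption
    'child2.acme.com' = 'CHILD2\svc-cmdiscover'   # assumption
    'child3.acme.com' = 'CHILD3\svc-cmdiscover'   # assumption
}

function Get-ComputerCountPerContainer {
    param([string]$Domain, [pscredential]$Credential)
    $common = @{ Server = $Domain }
    if ($Credential) { $common.Credential = $Credential }

    $domainDn = (Get-ADDomain @common).DistinguishedName
    # Every OU plus the default Computers container, which is a container, not an OU.
    $targets  = @(Get-ADOrganizationalUnit @common -Filter * |
                  Select-Object -ExpandProperty DistinguishedName)
    $targets += "CN=Computers,$domainDn"

    $counts = @{}
    foreach ($dn in $targets) {
        # OneLevel so each container is measured on its own, not through its children.
        $counts[$dn] = @(Get-ADComputer @common -Filter * -SearchBase $dn -SearchScope OneLevel).Count
    }
    return $counts
}

foreach ($domain in $discoveryAccounts.Keys) {
    $cred = Get-Credential -UserName $discoveryAccounts[$domain] -Message "Discovery account for $domain"

    $adminView = Get-ComputerCountPerContainer -Domain $domain
    try {
        $discoView = Get-ComputerCountPerContainer -Domain $domain -Credential $cred
    } catch {
        "$domain : discovery account cannot bind or read the domain root: $($_.Exception.Message)"
        continue
    }

    foreach ($dn in $adminView.Keys) {
        $expected = $adminView[$dn]
        $seen     = if ($discoView.ContainsKey($dn)) { $discoView[$dn] } else { 'not visible' }
        if ($seen -ne $expected) {
            "$domain : $dn  privileged session sees $expected computers, discovery account sees $seen"
        }
    }
    "$domain : checked $($adminView.Count) containers"
}
```

A container that is "not visible" to the discovery account, or one where its count is lower, is exactly the OU where Read (on the OU and its descendant computer objects) has to be granted before that path is added as a discovery location. None of this depends on forest discovery, the schema extension, or site publishing.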