For a multiple-forest domain configuration I was working on, I needed to be able to discover and deploy agents from a forest other than the one that my ConfigMgr server was in. This is a ConfigMgr environment which was using advanced security. The discovery in the remote system kept failing on the discovery for the forest which the ConfigMgr server was NOT a member of.

Lessons learned:

In a ConfigMgr environment with advanced security, you can only query AD in the same forest because ConfigMgr uses the machine account to perform the discovery. However, this can be worked around by creating trusts.

If you want to discover resources in a remote domain, you need a two-way trust between the domains. My attempts at accomplishing a discovery in a remote domain without a two-way trust were completely fruitless. A one-way trust did not work for the discovery either.

If you want to enable logging in a 64-bit environment, there is an article which discusses setting logging, but it does not provide information on how to do so for a 64-bit platform. To do this on a 64-bit platform, use:

HKLM\SOFTWARE\Wow6432Node\Microsoft\SMS\Components\SMS_DISCOVERY_DATA_MANAGER instead of the location referenced in the article.

LDIFDE is a quick and easy way to validate if LDAP communication is working between the domains. As a sample, I used:

Ldifde -m -f output.ldf -b domain * -s -d "DC=domain,DC=com"
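
A PowerShell counterpart to the LDIFDE check and the two-way trust lesson above, as an added example rather than code from the original post: it lists any trust from the local domain or forest to the remote domain together with its direction, then runs a small LDAP query against the remote base DN. `domain.com` and `DC=domain,DC=com` are placeholders, and the query runs as the account that launches the script, which is not necessarily the site server's machine account.

```powershell
# Added example; domain names are placeholders, not values from the post.
param(
    [string]$RemoteDomainDns = 'domain.com',        # placeholder remote domain
    [string]$RemoteBaseDn    = 'DC=domain,DC=com'   # same base DN form as the ldifde sample
)
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustToDomain {
    param([string]$TargetDns)
    # Collect domain-level and forest-level trusts of the domain this machine is joined to.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $all  = @($domain.GetAllTrustRelationships())
    $all += @($domain.Forest.GetAllTrustRelationships())
    $all | Where-Object { $_.TargetName -eq $TargetDns }
}

function Test-RemoteLdap {
    param([string]$Server, [string]$BaseDn)
    # Returns the number of computer objects read (max 5), or -1 if the bind or search failed.
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = '(objectCategory=computer)'
        $searcher.SizeLimit = 5
        [void]$searcher.PropertiesToLoad.Add('name')
        $hits = $searcher.FindAll()
        $count = $hits.Count
        $hits.Dispose()
        return $count
    } catch {
        Write-Warning "LDAP query to $Server failed: $($_.Exception.Message)"
        return -1
    }
}

$trusts = @(Get-TrustToDomain -TargetDns $RemoteDomainDns)
if ($trusts.Count -eq 0) {
    Write-Warning "No trust to $RemoteDomainDns found from this machine's domain or forest."
}
foreach ($t in $trusts) {
    # Discovery in the remote domain needed a two-way (Bidirectional) trust.
    $twoWay = $t.TrustDirection -eq [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
    $label  = if ($twoWay) { 'two-way' } else { 'NOT two-way' }
    '{0} -> {1}: {2} ({3})' -f $t.SourceName, $t.TargetName, $t.TrustDirection, $label
}

$n = Test-RemoteLdap -Server $RemoteDomainDns -BaseDn $RemoteBaseDn
if ($n -ge 0) { "LDAP query returned $n computer object(s) from $RemoteBaseDn" }
```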

Good reference URLs on this:

Two-way trust discussion:

How to enable logging:

Thank you to James Avery who helped me to debug this to the point that discovery worked!