Browsing Sites in Create Boundary Section won’t provide Multi-Domain Active Directory Sites

Nicolas PilonSCCM9 Comments

One of the fundamentals aspect of configuration manager is the boundary because you can’t manage anything without a boundary.  (Thanks to Torsten for pointing that it’s possible to manage client without a boundary). 

There’s different types of boundary like, IP subnet, IP address range, IPv6 prefix and active directory site. The last one is the recommended method and it’s the easiest to manage.

We recently migrate our infrastructure to SCCM 2012 and we have an issue during the boundary configuration. What happen if you have 2 domains with the same active directory site? No big deal, both will be detectable with their respective domain. You think? Yes, we were able to handle it with SCCM 2007.

Everything was going perfect when we activated the active directory forest discovery in the discovery methods and checked the box “Automatically create Active Directory site boundaries when they are discovered” to populate sites within forests.

Create Boundary section won't provide multi-domain Active Directory 01

We realized that all duplicate sites in both domains were not automatically added as a boundary after evaluate the list of active directory sites. I dig into SQL database and look what I discovered, the system see 1 ABC boundary and 2 ABC active directory site.

Create Boundary section won't provide multi-domain Active Directory 02

You can see that WMI class on the primary is also containing both sites.

Create Boundary section won't provide multi-domain Active Directory 03

This problem happens with SCCM 2012 under any versions but it was working perfectly with SCCM 2007.

There’s some solution that can be made like use IP subnet instead but it’s not pretty clean or rename one of duplicate active directory site with unique name but for operation reason, we can’t do it. 

What about adding them manually with the Browsing Active Directory Sites console? This tool is simple, it does a LDAP query to your active directory sites. What happen if you have two domains for one primary? Do you think you will see sites from both domains?

Create Boundary section won't provide multi-domain Active Directory 04

The answer is no!

The tool will provide only sites from the one domain. It should be able to scan multiple domains. 

We opened a bug at Microsoft Connect so more info to come.

If you have the same issue, please comment in the Microsoft Connect bug.

***** Update 2015-03-16 *****

The problem is still active on Microsoft Connect. No fix has yet been released by them. You can use IP subnet or IP address range as a workaround for all duplicate AD Sites.

9 Comments on “Browsing Sites in Create Boundary Section won’t provide Multi-Domain Active Directory Sites”

  1. There is a workaround available, although I don’t know if it will work for two domains in the same forest:

    1. Go to Administration -> Hierarchy Configuration -> Active Directory Forests
    2. Right-click on the forest and choose “Show Active Directory Sites”. It will show you a list of AD Sites in that forest.
    3. Right-click on the AD Site you want, and choose “Add Selected Items to Existing/New Boundary Groups”.
    4. You will now be able to have an entry for an AD site that didn’t show up in the search box when trying to create a boundary.

    Note: This was performed on the SCCM 1511 update.

    1. Hello Jay,

      I have performed your workaround but I still see only one boundary in my test boundary group when trying to join same AD Site in the same boundary group. However, the description are identical on both domain.

      Can you send us by email your screenshots?

      Thanks for your help
      Nick

  2. Hi There,

    I am experiencing the same problem, did you find a solution to this?

    We have 12 domains in a forest and changing the AD site name is not an option.

    Thanks,

    Luke

    1. We still didn’t receive any news from Microsoft Connect.

      Using hybrid configuration is a work around for the moment. For all non duplicate AD Sites, use the Active Directory Site boundary and use IP address range or IP subnet for all duplicates AD Site.

      You can participate by giving your vote or feedback on Microsoft Connect.

      Thanks

  3. The first sentence was right (“”One of the fundamentals aspect of SCCM is the boundary because you can’t manage anything without a boundary””) and Torsten is wrong (“”Thanks to Torsten for pointing that it’s possible to manage client without a boundary””).
    The boundaries are doing absolutely nothing on sccm 2012, are just defining the network limits, but then the Boundary Groups must to be configured for managing the network/DPs/Site code.
    Without boundaries, you cannot create boundary groups, the only way to use a DP without any boundary group configured, is to enable the “fallback” function on the DP itself, but in that case you have no control on the deployments.
    You do not need boundaries/boundary groups only if you have only one location, then the DP fallback it is ok, but with multiple locations, the boundaries and boundary groups are vital.
    Me personally never work in a such a small company with only one location….

  4. I’ve got the same problem as you but I get an error when I try to connect through to the ‘Microsoft Connect’ link to add my comment. Have you had a resolution to this problem?

    1. Hello Jenny,
      You need to have a Microsoft Connect account to be able to log on the website. There’s no resolution for the moment and the ticket still open. We will update the post as soon we have news from them.
      Thanks
      Nick

  5. Hi Torsten,

    You’re absolutely right. We have never worked in a company that had no boundary. This is why we called it as fundamental.

    The post has been modified under your recommendation.

    Really appreciated.

    Thanks for your comments.

  6. Just a small addition: the very first statement (“”One of the fundamentals aspect of SCCM is the boundary because you can’t manage anything without a boundary. ) is not true at all.
    You can run a Config;Mgr site without any boundaries (with some limitations like auto site assignment not working and all DPs being considered remote/slow , but that does not stop anything from working).

Leave a Reply

Your email address will not be published. Required fields are marked *