Within a ConfigMgr Current Branch environment with multiple untrusted forests, the following error message was seen in Site and System Status, every five minutes, i.e. on every delta discovery run: Active Directory System Discovery Agent failed to bind to container LDAP.
-Error: The specified domain either does not exist or could not be contacted.
-Possible cause: The AD container specified earlier might be invalid now. The Domain Controller is inaccessible.
-Solution: Please verify that the AD container paths specified are valid. Confirm accessibility of the site server to the Domain Controller to be queried.
The matching entries in adsysdis.log carry error 0x8007054B, which is Win32 error 1355 (ERROR_NO_SUCH_DOMAIN), the same "specified domain either does not exist or could not be contacted" condition the console reports:
-ERROR: Failed to bind to LDAP://OU=Test,DC=Contoso,DC=local (0x8007054B)
-ERROR: Failed to enumerate directory objects in AD container LDAP://OU=Test,DC=Contoso,DC=local
The container configured under Active Directory System Discovery looked like this (example path), and the same serverless form was used for every untrusted forest: LDAP://OU=Test,DC=Contoso,DC=local
sitecomp.log, however, showed the site component manager binding to the same forest with the forest FQDN in front of the distinguished name:
-Processing forest contoso.local.
-Publishing account user account <Domain>\<Account> will be used
-Searching for the System Management Container.
-LDAP://Contoso.local/CN=System Management,CN=System,DC=Contoso,DC=local container exists.
So the difference is the domain segment after LDAP://. A serverless path such as LDAP://OU=Test,DC=Contoso,DC=local leaves it to the site server's own DC locator to find a domain controller for that DN, and from a site server in a different, untrusted forest that lookup fails with 0x8007054B. Putting the forest FQDN after LDAP:// names the domain to contact explicitly, so the bind only needs the site server to resolve contoso.local in DNS (a conditional forwarder or stub zone) and reach a DC there over LDAP, which is exactly what the site component manager already does when it publishes to the System Management container.
Change LDAP://OU=Test,DC=Contoso,DC=local to LDAP://Contoso.local/OU=Test,DC=Contoso,DC=local (example path) in Active Directory System Discovery, for every untrusted forest, and the bind succeeds.
Looking in adsysdis.log again will show the following information:
-INFO: Bound to LDAP://Contoso.local/OU=Test,DC=Contoso,DC=local
-INFO: successfully completed directory search
-INFO: Start to recursively process into group objects
-INFO: Finished recursively processing into group objects
No more errors in adsysdis.log or in Site and System Status. Very happy with the solution!
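To check a container path before touching the discovery configuration, the following PowerShell compares the two bind styles discussed above from the site server: the serverless path adsysdis.log failed on and the FQDN-qualified path sitecomp.log uses. It binds with the discovery account and runs the same kind of subtree search for computer objects that AD System Discovery performs. This is an added example, not code from the original post or from ConfigMgr; the container path, forest name and the function names are placeholders.

```powershell
# Added example (not from the original post). Compares a serverless LDAP path
# with the same path qualified by the forest FQDN, using the discovery account.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-QualifiedLdapPath {
    # LDAP://OU=Test,DC=Contoso,DC=local -> LDAP://contoso.local/OU=Test,DC=Contoso,DC=local
    # A path that already carries a server or domain segment is returned unchanged.
    param(
        [Parameter(Mandatory)][string]$LdapPath,
        [Parameter(Mandatory)][string]$ForestFqdn
    )
    if (-not ($LdapPath -match '^LDAP://(?:(?<host>[^/]+)/)?(?<dn>.+)$')) {
        throw "Not an LDAP:// path: $LdapPath"
    }
    if ($Matches['host']) { return $LdapPath }
    return "LDAP://$ForestFqdn/$($Matches['dn'])"
}

function Test-LdapContainerBind {
    # Bind to the container with explicit credentials (the discovery account for
    # the untrusted forest) and count computer objects below it, like discovery does.
    param(
        [Parameter(Mandatory)][string]$LdapPath,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $result = [ordered]@{ Path = $LdapPath; Bound = $false; Computers = 0; Error = $null }
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            $LdapPath,
            $Credential.UserName,
            $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
        # DirectoryEntry binds lazily; RefreshCache() forces the bind and throws on failure.
        $entry.RefreshCache()
        $result.Bound = $true

        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=computer)')
        $searcher.SearchScope = 'Subtree'
        $searcher.PageSize = 1000
        $result.Computers = $searcher.FindAll().Count
    } catch {
        # Method calls surface the COMException as InnerException; report its HRESULT
        # in the same form adsysdis.log prints it (e.g. 0x8007054B).
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $result.Error = '0x{0:X8} {1}' -f ($ex.HResult -band 0xFFFFFFFF), $ex.Message
    }
    [pscustomobject]$result
}

# Usage (placeholders): compare both forms of the path for one untrusted forest.
$cred       = Get-Credential -Message 'AD System Discovery account for the untrusted forest'
$serverless = 'LDAP://OU=Test,DC=Contoso,DC=local'
$qualified  = ConvertTo-QualifiedLdapPath -LdapPath $serverless -ForestFqdn 'contoso.local'
$serverless, $qualified |
    ForEach-Object { Test-LdapContainerBind -LdapPath $_ -Credential $cred } |
    Format-Table -AutoSize
```

Run it on the site server, since that is the host whose DNS and DC locator behaviour matter. If the qualified path also fails with 0x8007054B, the forest FQDN is not resolvable from the site server; `nltest /dsgetdc:contoso.local` and `Resolve-DnsName contoso.local` show whether a DC can be located at all before the discovery configuration is changed.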
Source: Anoop C Nair