My main question is: could an ePO 4.5 (patch 3) server synch users from a domain controller in a separate "child" domain (in the same forest)? Is that a supported scenario? Or does the ePO server really need to be in the same domain as the LDAP server it is synching users from, as I have seen suggested in other posts?
Our ePO server is a member of the top-level forest domain (ForestRoot.com), and the primary domain where our users are is a separate domain in this forest. We are just now getting into EEPC 6 patch 1 setup for pilot testing and have followed the steps, and configured an LDAP server in this sub-domain with an account from the same domain for the LDAP authentication. However, we seem to be having issues with EEPC not becoming active on new clients, and it appears to be related to the LDAP authentication failing.
Again, the LDAP server is NOT a member of ForestRoot.com, but of a child domain in this same AD forest. The account for connecting to LDAP is also in this child domain, so I did not expect that ePO would need to connect to the ForestRoot.com domain at all. Maybe I missed something in the documentation that specified that ePO being in the same domain is a requirement. Assuming this scenario should work, do I need to set up a single account that would have rights to both the ForestRoot.com domain AND the sub-domain where LDAP and all of the users reside? Which domain should that account be created in, the ePO server's domain or the primary LDAP domain? I would appreciate any suggestions and help.
Here is an excerpt from the debug log on one of the clients where EEPC won't go active:
2011-2-1 0:3:6,111 DEBUG MfeEpeHost From uuid = B115AA20-0396-4F41-A230-F61AE50E1DF7 From Service = To uuid = To Service = MfeEpeServiceDCServer Message = <element xsi:type="ns1:DCDataMsg"><sendTo serviceName="MfeEpeServiceDCServer" xsi:type="ns1:MfeEpeAddress"></sendTo><name>EEADMIN_1000_AddDomainUsersExc</name><data>
<message>Unable to connect to any domain controllers for domain: ForestRoot.com. Last error was: Unable to authenticate with the LDAP server. Verify the username and password are correct.</message>
2011-2-1 0:3:6,111 ERROR EpoPlugin [0xEE000005] Failed to deserialize type
Message was edited by: dmartin on 2/3/11 1:07:51 AM CST