Solution: ConfigMgr 2007 fails to create AMT User OU objects in Disjointed Namespace Environment

Here's an issue we ran into a while back, and since we now have an ideal place to post it I thought I'd throw it out here in the hopes that it'll help the next person.

Issue: AMT clients are "successfully" provisioned however their accounts are not created in the Out Of Band OU specified.

In the System Center Configuration Manager 2007 console, for the container to create our AMT accounts we have specified:

OU=AMT,OU=Misc,DC=alpha,DC=bravo,DC=charlie,DC=com

However, the AMT clients we are trying to provision do not register their DNS suffix in that namespace. Instead they register it in DC=charlie,DC=com (NOT DC=alpha,DC=bravo,DC=charlie,DC=com).

We tried a hosts file on the SCCM server as well as modifying the DNS suffix search order on the SCCM server, to no avail. Regardless of the console settings, when we try to create the account a DNS lookup of the client is performed and the attempt to add the user object then fails with this error:

Failure: The AMT Proxy Manager failed to add a object into AD. FQDN: serverName.charlie.com, ADDN: OU=AMT,OU=Misc,DC=charlie,DC=com, UUID: 4C4C4544-0047-5010-8036-B4C04F544631, AMT Version: 3.2.3.

Note: This LDAP path is not the one defined in OOB Mgmt Properties and in fact does not exist!

If we configure the clients to register in DNS the DNS suffix of DC=alpha,DC=bravo,DC=charlie,DC=com then everything works.
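The behaviour described above (the configured OU hierarchy is kept, but the DC components come from the client's registered DNS suffix) can be modelled to flag disjointed-namespace clients before provisioning is attempted. This is an added example, not ConfigMgr code; the sample client FQDNs and the `find_disjoint_clients` helper are constructed for illustration.

```python
# Added example: model how the AD path for an AMT object ends up being derived
# from the client's DNS suffix, and flag clients whose suffix does not match the
# DC components of the OU configured in Out Of Band Management properties.

def dns_suffix_to_dc_path(fqdn: str) -> str:
    """Turn 'host.charlie.com' into 'DC=charlie,DC=com'."""
    labels = fqdn.strip().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"FQDN has no DNS suffix: {fqdn!r}")
    return ",".join(f"DC={label}" for label in labels[1:])


def split_dn(dn: str):
    """Split a DN into its OU/CN part and its DC part (case-insensitive on 'DC=')."""
    rdns = [r.strip() for r in dn.split(",")]
    non_dc = [r for r in rdns if not r.upper().startswith("DC=")]
    dc = [r for r in rdns if r.upper().startswith("DC=")]
    return ",".join(non_dc), ",".join(dc)


def effective_amt_path(configured_ou: str, client_fqdn: str) -> str:
    """Path that results when the configured OU hierarchy is grafted onto the
    DC path derived from the client's DNS suffix (what the error log showed)."""
    ou_part, _ = split_dn(configured_ou)
    return f"{ou_part},{dns_suffix_to_dc_path(client_fqdn)}"


def check_client(configured_ou: str, client_fqdn: str) -> dict:
    """Compare the client's DNS-derived DC path with the configured one."""
    expected_dc = split_dn(configured_ou)[1]
    actual_dc = dns_suffix_to_dc_path(client_fqdn)
    return {
        "fqdn": client_fqdn,
        "effective_path": effective_amt_path(configured_ou, client_fqdn),
        "disjoint": expected_dc.lower() != actual_dc.lower(),
    }


CONFIGURED_OU = "OU=AMT,OU=Misc,DC=alpha,DC=bravo,DC=charlie,DC=com"
# Constructed sample inventory: one client registered in the parent DNS zone
# (the failing case from the post) and one registered in the matching namespace.
SAMPLE_CLIENTS = ["serverName.charlie.com", "ws01.alpha.bravo.charlie.com"]


def find_disjoint_clients(configured_ou=CONFIGURED_OU, fqdns=SAMPLE_CLIENTS):
    """Return the check results for every client that would hit the AD add failure."""
    results = [check_client(configured_ou, f) for f in fqdns]
    return [r for r in results if r["disjoint"]]


if __name__ == "__main__":
    for r in find_disjoint_clients():
        print(f"{r['fqdn']}: would use non-existent path {r['effective_path']}")
```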

Cause: This can occur if the domain has a disjointed namespace. For more information on disjointed namespaces see the Disjointed namespaces section of https://support.microsoft.com/default.aspx?scid=kb;EN-US;909264.

Resolution: We do not support disjointed namespaces with AMT and ConfigMgr 2007 SP1, and at this time there is no support for this configuration with ConfigMgr 2007 SP2 either. However, we are investigating what it would take to offer that support and will make a final determination at a later date.

So ultimately the answer to this problem would be to allow your clients to register in the correct DNS namespace that matches up to your AD LDAP path specified.

Best,

Buz Brodin | Senior Support Escalation Engineer