Integration of SCCM in another forest

Hi,
I have a standalone primary SCCM 2012 in Forest A with 10k clients assigned to it. Now my company is planning to acquire another company which has 5K clients reporting to a different standalone primary SCCM 2012 in Forest B. My
question is, I want these two SCCM setups to be managed from one single hierarchy, preferably from Forest A. How can I merge them? Do I need to re-install the clients here, or can I set up a CAS in Forest A and make the primaries in both forests report to it?
If this is the case, do I need to make any changes to the clients in Forest B?
Regards
AKP

Hi,
No, you cannot merge them; you cannot migrate two primary sites to a new CAS. What you can do in ConfigMgr 2012 SP1 is add a CAS to an existing primary, but not migrate an existing primary to that CAS.
So the scenario you face is to use the built-in Migration feature in Configuration Manager 2012 SP1 (it requires SP1) and migrate packages/programs and all the objects you need to either a new Primary site or one of the existing ones and use that in the future.
After that you reassign the clients to the new site.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter @ccmexec

Similar Messages

  • [SCCM 2012 R2] - IBCM - Authenticate computers on TMG from another forest

    Hi All,
    There is no article on TechNet that describes client certificate requirements for computers in another forest.
    Scenario:
    We have Domain A [aaa.bbb.ccc] and Domain B [111.222.333] and those domains are in different forests. There is a "Forest" trust between the forests.
    TMG and the IBCM site server are in Domain A and computers authenticate successfully from the Internet to TMG using SSL client authentication. The problem is computers from Domain B, which cannot authenticate to TMG.
    We used the old documentation https://technet.microsoft.com/en-us/library/cc707697.aspx#AppendixA for SCCM 2007 and ISA without success. I created a certificate for computers in Domain B with a custom
    SAN:upn=<hostname>$@<domain.tld> and TMG still cannot authenticate computers from Domain B.
    Please help.
    Thank you in advance.
    Regards,

    There's no difference -- ConfigMgr does *not* care about forests, domain, or trusts for client authentication and neither does certificate based authentication.
    The certs in use, both the client auth and server auth certs, must of course be trusted by the site systems and the clients and in this case the TMG server -- that's simply how certs work though and has nothing to do with ConfigMgr. Additionally, the CRLs
    for the certs in use must be accessible to the clients and servers via an accessible CRL DP but that is also simply how certs work.
    For what you've described above, does TMG trust the certs issued to the clients? In other words, does it trust the CA that issued those certs and can it access a CRL for that CA?
    Jason | http://blog.configmgrftw.com | @jasonsandys
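
The two checks Jason describes (does the authenticating server trust the issuing CA, and can it reach that CA's CRL) can be run on the TMG server against an exported Domain B client certificate. The PowerShell below is an added example, not part of the original thread; the function name `Test-ClientCertTrust` and the path `C:\Temp\domainb-client.cer` are assumptions.

```powershell
# Added example (not from the thread). Run on the server that must accept the
# client certificate (e.g. the TMG server) against an exported public cert (.cer).
function Test-ClientCertTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # hypothetical path to the exported client cert
        [int]$TimeoutSeconds = 15
    )
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $Path).Path

    # $true = build the chain in machine context, which is what a service sees.
    $chain = New-Object "$ns.X509Chain" -ArgumentList $true
    $chain.ChainPolicy.RevocationMode      = [Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds $TimeoutSeconds

    $valid = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Map chain status flags onto the two questions from the answer above.
    $caTrusted    = -not ($flags -contains 'UntrustedRoot' -or $flags -contains 'PartialChain')
    $crlReachable = -not ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation')

    # Client Authentication EKU (1.3.6.1.5.5.7.3.2); a cert with no EKU extension is unrestricted.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuth = if (-not $ekuExt) { 'NoEkuExtension' }
                  else { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.2' }

    # CRL Distribution Points extension (2.5.29.31): the URLs this server must be able to reach.
    $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdp    = if ($cdpExt) { $cdpExt.Format($true) } else { '(no CDP extension)' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        ChainValid    = $valid
        CaTrusted     = $caTrusted
        CrlReachable  = $crlReachable
        Revoked       = ($flags -contains 'Revoked')
        ClientAuthEku = $clientAuth
        ChainStatus   = ($flags -join ', ')
        ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        CrlDistPoints = $cdp
    }
}

# Usage with an assumed file name; only runs if the file exists.
$sample = 'C:\Temp\domainb-client.cer'
if (Test-Path $sample) { Test-ClientCertTrust -Path $sample | Format-List }
```

`CaTrusted = False` means the Domain B issuing CA chain is missing from the server's machine certificate stores, and `CrlReachable = False` means the server could not fetch a CRL from the listed distribution points.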

  • Intel vPro AMT integration with SCCM 2012R2 - Issues with SCCM finding the "ConfigMgr AMT Web Server Certificate"

    Good evening all,
    I'm attempting to get Intel SCS integrated with SCCM 2012 R2 and I have both sides working, doing what they do best, however, I have issues when I try to mate the two. I started with a single server for the site and then tackled the Intel side with success,
    then I added another site server to run the Out of Band service point and Enrollment point. Up until this point I've had no issues with certificate templates, or issuance of those certs. 
    I have re-read the TechNet documents a few times regarding the PKI setup, some Intel documentation and three step by step articles and none of them seem to differ so I can't understand why I'm unable to choose my "ConfigMgr AMT Web Server Certificate"
    when configuring the Out of Band Management Component Properties page.  The "AMT web server certificate template:" dialog shows my CA FQDN and CA name, but the certificate template list is always blank.  I've tried this from both the remote
    and local ConfigMgr consoles.  The site servers have rights on the CA to manage and issue certs, is there something I'm missing that isn't in the documentation or buried somewhere that I missed?  Is there an Application policy that should be on the
    cert that isn't mentioned anywhere?
    Thanks in advance!
    Tesfaye

    Hi Joyce,
    Thanks for responding.  I pretty much have this error repeating in the log file and not much else:
    [28, PID:13388][05/21/2014 15:17:15] :System.DirectoryServices.DirectoryServicesCOMException\r\nThere is no such object on the server.
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
       at System.DirectoryServices.DirectorySearcher.FindAll()
       at Microsoft.ConfigurationManagement.AdminConsole.Common.ADUtils.EnumEnterpriseCACertificateTemplates(String domainEntryName, String certAuthorityFqdn, Boolean isServerAuthen)\r\n
    I will look into this, but another hint would be greatly appreciated!
    Thanks,
    Tesfaye

  • Remote WSUS integration with SCCM 2012

    Hi,
    We currently have WSUS already in place for patching, but it is not used at all; it's just installed.
    Can a remote WSUS be integrated with an SCCM 2012 server which is on a different server? What is the best practice? Is it to have WSUS on the same server as the Primary server?
    Or do I decommission it and install a new WSUS on the same server as the SCCM server?
    What steps have to be taken care of if a remote WSUS is integrated? Any documents or steps to be taken care of?
    Thanks in Advance

    When you install SUPs, they automatically configure the underlying WSUS instance to sync from an upstream server based upon your ConfigMgr hierarchy.
    A couple of notes here though:
    - You generally shouldn't use an existing instance of WSUS for ConfigMgr. Once integrated into ConfigMgr, WSUS should no longer manage approvals, update binary downloads, or update binary distribution as these are all handled by ConfigMgr separate from WSUS.
    Using an existing WSUS instance where this was the case can be problematic at best and will cause unexpected behavior and results.
    - Clients do not choose SUPs based upon boundaries or location so using a remote SUP is typically not beneficial and in many cases will cause additional network load. The exception to this is if the SUP is within a secondary site.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Executing a file in another forest

    Hello Community
        Using Windows 2008 Server on a network there is a file that I
    am attempting to execute in another forest.
        Let's call them Forest1/Domain1(trusted) and Forest2/Domain2(trusting)
    in a One-Way Trust Relationship.
        Server1 is in Forest1/Domain1 and Server2 is in Forest2/Domain2.
        The filename is MyFile.exe and it resides on Server1 in Forest1/Domain1.
        Server1 is a portal in Forest1.
        Executing the file has to be done using a url for example:
    http://Server1/MyFile.exe
        What is the correct syntax for the url to execute MyFile.exe that exists in
    Forest1/Domain1 on Server1 using http?
        Thank you
        Shabeaut

    Hi,
    Glad to hear that the issue is resolved and thanks for sharing the information!
    Steven Lee
    TechNet Community Support

  • Move domain to another forest (forest trust)

    Hello
    I have a forest with many domains , and other forest with a domain. They include a trust set up and working . I would like to have only one forest, but it would need to move that single domain in additional forest, and would like to know if it is possible then
    moving a domain from one forest to another forest in forest trust ?
    Thanks also suggestions stop solve my problem

    You're asking to move the domain itself? No, you can't move the domain. You can create a new domain in the forest you want to consolidate to, and then migrate users and groups to that forest. You'll have to migrate workstations and users and repoint
    applications as well, if needed. And then, you're not really moving them, you are creating new ones and copying properties of those objects. You mentioned a forest trust but all the forest trust allows you to do is to assign/use permissions from one forest
    in another. People speak of moving objects but like I said, for users and groups you're simply creating new ones with the same names, and copying properties over. Computers/servers are joined to the new domain, but it's a new computer account, not one that
    gets moved over.
    You'll need a migration tool to do this smoothly. As Malek mentioned ADMT, yes this is one tool that can do this. It's not necessarily the best or easiest tool, but it's free from Microsoft. There are also other third party tools such as Dell/Quest
    Migration Manager for AD and BinaryTree also has similar tool (there are others out there too). Those two latter tools have the ability to add permissions (ACL entries) to new domain objects, based on the old ACLs from the source domain. This can be a huge
    help for servers and workstations (allows the users to continue to use their same profile after their computer is migrated, and they are using their new user account. Otherwise Windows would just create a new profile when the user logged in with his/her new
    domain account).
    Depending on the size of the domain you want to move (how many objects), this could be a pretty big project. There's a lot going on in a migration, and based on your question, I'd recommend finding help with it if you can. There are a number of companies
    and consultants who specialize in AD migrations, even some consultation for planning could help tremendously.

  • Migrating MBAM 2.0 Integration from SCCM 2007 R3 to SCCM 2012 R2

    Hello--
    We are preparing to migrate our client base from SCCM 2007 to SCCM 2012 R2. We have MBAM 2.0 integrated with SCCM 2007 and need to know what steps/process is needed to successfully move the integration over to SCCM 2012.
    I know that the .mof files need to be modified, but what else do we need to do? Re-run the SCCM Integration Setup on the MBAM SQL Server and SCCM Server?
    Any help would be much appreciated!
    Thank you!
    Matt

    TPM ownership info is hit or miss. I personally have never had to use it, but I know that we have a few machines that get configured incorrectly and we have to manually initialize and take ownership of the TPM, so that information does not make it into MBAM.
    How would we go about moving the DB? I agree that building the new implementation sounds desirable.
    Thanks!
    Matt

  • Installing SCUP/WSUS and integration into SCCM

    I have tried installing SCUP onto a SCCM 2012 Server with WSUS hosted on another site. 
    I used the instructions that have been circulated on the internet from Kent Agerlund. Despite persevering with this I cannot get updates to show in system centre configuration manager to deploy. 
    Installed the site update role on the sccm server
    1)Installed Hotfix KB2530678-x64
    2) Installed the update sc update publisher
    3) Installed the Signing certificate using the designated port to our wsus server
    4) Enabled config mgr integration connecting to a local CM server
    5) Exported the certificate to the WSUS server
    6) Imported the partner catalogue and published the Adobe Flash Player update. 
    I get 
    File C:\Users\<username>\AppData\Local\Temp\2\\1t1ilkm3.geb\AdobeFlashPlayerCatalog_SCUP.cab has certificate but signature check failed, will be treated as unsigned.
    Updates Publisher 01/12/2014 10:16:29
    9 (0x0009)
    The error log that I get now is 
    WSUS Configuration Manager failed to configure upstream server settings on WSUS Server "<sccmsername>.Local".
    Is it easier to migrate all of the WSUS updates to the SCCM server and then install SCUP?

    Are you running SCUP with an account that is a local administrator on the WSUS instance and/or have you run SCUP elevated to ensure UAC is not getting in the way?
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Need help removing MBAM 2.5 SCCM integration from SCCM 2012!!

    Hi there,
    I upgraded the infrastructure from MBAM 2.0 SP1 to MBAM 2.5. We have a three-server infrastructure. Everything is working fine except the computers won't show up under the MBAM computer collection. 
    I am trying to remove the MBAM 2.5 SCCM integration feature from my SCCM 2012 and reinstall it. When I try to uninstall it, it fails and says "setup failed to update MBAM. Fix the issue and run setup again.
    For more information, review the setup log file."
    This is the log file:
    [13E8:1494][2015-04-09T10:27:30]i001: Burn v3.7.1224.0, Windows v6.2 (Build 9200: Service Pack 0), path: C:\ProgramData\Package Cache\{361e0078-625a-4d34-a8fd-7cac477cf297}\MbamServerSetup.exe, cmdline: '/uninstall -burn.unelevated BurnPipe.{614807DE-1C28-4AF6-9D35-D96A2C18F49F}
    {4D8799C7-35F5-4852-8DD9-C9F1A150F41D} 5496'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_FATALEXIT' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_ERROR' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_WARNING' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_USER' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_INFO ' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_RESOLVESOURCE' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_OUTOFDISKSPACE' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_ACTIONSTART' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_ACTIONDATA' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_VERBOSE' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_PROPERTYDUMP' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Initializing numeric variable 'INSTALLLOGMODE_COMMONDATA' to value '1'
    [13E8:1494][2015-04-09T10:27:30]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\PWAGHW~1\AppData\Local\Temp\Microsoft_BitLocker_Administration_and_Monitoring_20150409102730.log'
    [13E8:1494][2015-04-09T10:27:30]i052: Condition 'VersionNT >= v6.1' evaluates to true.
    [13E8:1494][2015-04-09T10:27:30]i000: Loading managed bootstrapper application.
    [13E8:1494][2015-04-09T10:27:30]i000: Creating BA thread to run asynchronously.
    [13E8:1924][2015-04-09T10:27:30]i000: Running WixBa
    [13E8:1494][2015-04-09T10:27:30]i100: Detect begin, 1 packages
    [13E8:1494][2015-04-09T10:27:30]i000: Setting numeric variable 'ISMBAM21ALREADYINSTALLED' to value 2
    [13E8:1494][2015-04-09T10:27:30]i000: Setting numeric variable 'ISMBAM25ALREADYINSTALLED' to value 3
    [13E8:1494][2015-04-09T10:27:30]i000: Setting numeric variable 'ISMBAMALREADYINSTALLED' to value 2
    [13E8:1494][2015-04-09T10:27:30]i000: Setting numeric variable 'ISNETFRAMEWORK45' to value 1
    [13E8:1494][2015-04-09T10:27:30]i101: Detected package: MBAMServer.msi, state: Present, cached: Complete
    [13E8:1494][2015-04-09T10:27:30]i199: Detect complete, result: 0x0
    [13E8:1494][2015-04-09T10:27:30]i100: Detect begin, 1 packages
    [13E8:1494][2015-04-09T10:27:30]i000: Setting numeric variable 'ISMBAM21ALREADYINSTALLED' to value 2
    [13E8:1494][2015-04-09T10:27:30]i000: Setting numeric variable 'ISMBAM25ALREADYINSTALLED' to value 3
    [13E8:1494][2015-04-09T10:27:30]i000: Setting numeric variable 'ISMBAMALREADYINSTALLED' to value 2
    [13E8:1494][2015-04-09T10:27:30]i000: Setting numeric variable 'ISNETFRAMEWORK45' to value 1
    [13E8:1924][2015-04-09T10:27:30]i000: Creating a UI
    [13E8:1494][2015-04-09T10:27:30]i101: Detected package: MBAMServer.msi, state: Present, cached: Complete
    [13E8:1494][2015-04-09T10:27:31]i199: Detect complete, result: 0x0
    [13E8:1924][2015-04-09T10:27:32]i000: SQM opt in:
    [13E8:1924][2015-04-09T10:27:32]i000: MU opt in:
    [13E8:1924][2015-04-09T10:27:32]i000: Installation Location:
    [13E8:1494][2015-04-09T10:27:32]i200: Plan begin, 1 packages, action: Uninstall
    [13E8:1494][2015-04-09T10:27:32]i000: Setting string variable 'WixBundleRollbackLog_MBAMServer.msi' to value 'C:\Users\PWAGHW~1\AppData\Local\Temp\Microsoft_BitLocker_Administration_and_Monitoring_20150409102730_0_MBAMServer.msi_rollback.log'
    [13E8:1494][2015-04-09T10:27:32]i000: Setting string variable 'WixBundleLog_MBAMServer.msi' to value 'C:\Users\PWAGHW~1\AppData\Local\Temp\Microsoft_BitLocker_Administration_and_Monitoring_20150409102730_0_MBAMServer.msi.log'
    [13E8:1494][2015-04-09T10:27:32]i201: Planned package: MBAMServer.msi, state: Present, default requested: Absent, ba requested: Absent, execute: Uninstall, rollback: Install, cache: No, uncache: Yes, dependency: Unregister
    [13E8:1494][2015-04-09T10:27:32]i299: Plan complete, result: 0x0
    [13E8:1494][2015-04-09T10:27:32]i300: Apply begin
    [1578:0914][2015-04-09T10:27:32]i360: Creating a system restore point.
    [1578:0914][2015-04-09T10:27:32]i362: System restore disabled, system restore point not created.
    [1578:0914][2015-04-09T10:27:32]i326: Removed dependency: {361e0078-625a-4d34-a8fd-7cac477cf297} on package provider: {5F17D209-508F-4BFF-AE47-5C46BEE48C99}, package MBAMServer.msi
    [1578:0914][2015-04-09T10:27:32]i329: Removed package dependency provider: {5F17D209-508F-4BFF-AE47-5C46BEE48C99}, package: MBAMServer.msi
    [1578:0914][2015-04-09T10:27:32]i301: Applying execute package: MBAMServer.msi, action: Uninstall, path: C:\ProgramData\Package Cache\{5F17D209-508F-4BFF-AE47-5C46BEE48C99}v2.5.0244.0\MBAMServer.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7"
    INSTALLDIR="" OPTIN_FOR_MICROSOFT_UPDATES="" CEIPENABLED="" WIXFAILWHENDEFERRED="" FORCE_UNINSTALL=""'
    [1578:0914][2015-04-09T10:27:35]e000: Error 0x80070643: Failed to uninstall MSI package.
    [1578:0914][2015-04-09T10:27:35]e000: Error 0x80070643: Failed to execute MSI package.
    [13E8:1494][2015-04-09T10:27:35]e000: Error 0x80070643: Failed to configure per-machine MSI package.
    [13E8:1494][2015-04-09T10:27:35]i319: Applied execute package: MBAMServer.msi, result: 0x80070643, restart: None
    [13E8:1494][2015-04-09T10:27:35]e000: Error 0x80070643: Failed to execute MSI package.
    [1578:0914][2015-04-09T10:27:35]i318: Skipped rollback of package: MBAMServer.msi, action: Install, already: Present
    [13E8:1494][2015-04-09T10:27:35]i319: Applied rollback package: MBAMServer.msi, result: 0x0, restart: None
    [1578:0914][2015-04-09T10:27:35]i323: Registering package dependency provider: {5F17D209-508F-4BFF-AE47-5C46BEE48C99}, version: 2.5.0244.0, package: MBAMServer.msi
    [1578:0914][2015-04-09T10:27:35]i325: Registering dependency: {361e0078-625a-4d34-a8fd-7cac477cf297} on package provider: {5F17D209-508F-4BFF-AE47-5C46BEE48C99}, package: MBAMServer.msi
    [13E8:1494][2015-04-09T10:27:35]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart:  No
    [13E8:1494][2015-04-09T10:29:52]i500: Shutting down, exit code: 0x80070643
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_ACTIONDATA = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_ACTIONSTART = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_COMMONDATA = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_ERROR = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_FATALEXIT = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_INFO  = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_OUTOFDISKSPACE = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_PROPERTYDUMP = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_RESOLVESOURCE = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_USER = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_VERBOSE = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: INSTALLLOGMODE_WARNING = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: ISMBAM21ALREADYINSTALLED = 2
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: ISMBAM25ALREADYINSTALLED = 3
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: ISMBAMALREADYINSTALLED = 2
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: ISNETFRAMEWORK45 = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: VersionNT = 6.2.0.0
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleAction = 3
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleElevated = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleInstalled = 1
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleLog = C:\Users\PWAGHW~1\AppData\Local\Temp\Microsoft_BitLocker_Administration_and_Monitoring_20150409102730.log
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleLog_MBAMServer.msi = C:\Users\PWAGHW~1\AppData\Local\Temp\Microsoft_BitLocker_Administration_and_Monitoring_20150409102730_0_MBAMServer.msi.log
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleManufacturer = Microsoft Corporation
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleName = Microsoft BitLocker Administration and Monitoring
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleOriginalSource = C:\Users\pwaghwani\Desktop\mu_microsoft_desktop_optimization_pack_2014_r2_x86_x64_dvd_6110480\MBAM\MBAM 2.5\Installers\x64\MbamServerSetup.exe
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleProviderKey = {361e0078-625a-4d34-a8fd-7cac477cf297}
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleRollbackLog_MBAMServer.msi = C:\Users\PWAGHW~1\AppData\Local\Temp\Microsoft_BitLocker_Administration_and_Monitoring_20150409102730_0_MBAMServer.msi_rollback.log
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleTag = 
    [13E8:1494][2015-04-09T10:29:52]i410: Variable: WixBundleVersion = 2.5.244.0
    [13E8:1494][2015-04-09T10:29:52]i007: Exit code: 0x80070643, restarting: No
    Thanks for your help!!
    Thanks, Prakash Waghwani Microsoft E-Learning Support Team

    Have you tried to run it from an elevated prompt?
    /Oliver

  • SCCM Console, untrusted forest

    Hi,
    I have a site system server with MP, DP in an untrusted forest. Is it possible to install the SCCM console on it and connect back to the Primary server?
    I have checked all ports that are in the documentation https://technet.microsoft.com/en-us/library/hh427328.aspx?f=255&MSPPError=-2147217396 regarding "Configuration Manager Console" but I still cannot run the console. I have tried opening
    the SCCM Console with RunAs and an account in the Primary server's forest.
    Does the MP, DP need to have firewall ports open to the Primary servers forests domain controllers and to authenticate ?
    In that case what are ports needed?
    /A

    Hi Peter,
    We want to have a console on each untrusted forest site system server to be able to manage the computers in the untrusted forest with Right-Click Tools and Remote Control. Because the untrusted site system server is on the network already, many firewall
    ports are already allowed. We don't want to do it through the Primary because of the difficulty of opening all the firewall ports that are needed for remote tools.
    Does that make sense?

  • AD authentication for domain in another forest- XI R2

    Situation:
    - Windows 2003
    - BOXI R2 (tomcat)
    - 2 domains (in different forest)
    - trust between the two domains
    We have successfully installed the AD-authentication plugin for domain1.
    To work around for domain2, we've added users from domain2 inside a group of domain1, but these users are not shown inside the CMC when we import the AD-group.
    Can we use the LDAP plugin for the domain2? What should be the procedure?
    I found a similar question on this forum from one month ago, where they were talking about BO3 SP1, which will support multiple forests. But not really a solution that could help me out now.
    Please advise
    Thanks in advance!
    Quinten

    In XIR2 we cannot map in groups that contain users from 2 different forests. To work around this we could use LDAP to AD, but there are a few limitations.
    If you want to upgrade the version that should contain this will hopefully be out by the end of this month XI 3.1 or XI 3.0 integrated SP1.
    There should be some notes on using LDAP to AD in the SMP as well as it's documented in the [XI 3.0 Admin Guide|http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf]
    Regards,
    Tim

  • SCCM 2012SP1 - Cross Forest Scenario

    Guys/Girls
    I've configured a cross forest SCCM scenario, with all the SCCM config in one Forest and a single Windows XP SP3 desktop in the other. There is a trust between both Forests/2-way external but I haven't added Forests/Domain to SCCM to enable searching
    etc. I deployed the agent manually in the external Forest using a mapped drive and ccmsetup /mp:........ this all works fine.
    After installation, after the client is approved, when I click on the client in the SCCM console and try to initiate any of the "right-click" features, I just get a stack of access denied errors back "0x80070005". I've tried rebuilding
    WMI, re-installing the client to no avail. I'm thinking that it's related to the cross forest config but I see no provision for setting up external credentials for the other forest - am I right in thinking that the only account that needs to be configured is
    the "Network Access Account" that the agent uses to make network connections (the rest being run under the guise of the "Local System" account) if so - this is already done too.
    I'm not seeing any access denied entries on the XP desktop and I've been through the DCOM config and local policy to make adjustments/slacken off the permissions...still no dice.
    Am I chasing my tail with this? Can I manage a client from the console that actually sits outside of the Forest where the SCCM installation is actually installed?
    The installation is pretty much inline with scenario 1 from the following blog:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    -a

    Reading more closely, I notice now that you said "right-click tools". That explains it as those truly have nothing to do with ConfigMgr. Essentially, what all right-click tools are are individual scripts run on your local system that directly connect
    to the remote system to perform an action. The console initiates these scripts but that's it. Thus, the credentials of the user logged into the console are used to launch those scripts and the problem here is that the user you are running the console
    as does not have permissions to remotely connect to that remote system.
    As mentioned, this has nothing to do with ConfigMgr though because ConfigMgr never ever connects to remote clients -- all client agent communication is initiated by the client.
    Thus, the right-click tools, while sometimes/often useful, should not be confused with native ConfigMgr functionality.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • MBAM 2.5 integrated with SCCM 2012 SP1 compliance issue

    Hi,
    I have installed MBAM 2.5 in a SCCM integrated topology. GPO for encryption on the OS drive only have been deployed and encryption completed using the MBAM client. When running the compliance report and evaluating using the SCCM client the compliance comes
    back as non-compliant. I have tried several tweaks to the GPO but had no luck getting it to report as compliant. Using the dashboard report to try and pin point why it is non-compliant shows as non-compliant but using the reasons in the top right corner all
    have 0 instances.
    Is there a log file on the local system that can tell me what aspect is causing the status?

    In the Event Viewer, there is MBAM node, you will find all MBAM client events there.
    Also, review your GPO and see what encryption types are allowed and which are required. Maybe one reason would be that your GPO requires something which your client hasn't done yet, like a PIN code.
    I've seen issues with not being compliant to policy before, and there were some explanations of this, if you google around. I'm also interested to get to know this, because I couldn't solve this compliance issue.
    For customer reporting, I just did a query in SCCM where I listed encrypted status and drive letters; that was a "customized report method" to tell the customer whether all their computers are encrypted or not.

  • Is it possible to deploy VM with RDS RDVH in one forest and VMs in another forest?

    Hello,
    We have a situation with a Remote Desktop Services (RDS) with virtual desktops (RDVH) where we are limited in our possibilities. We have a multi forest domain structure with trusts between the forests, some trusts are 2 way trusts,
    some trusts are 1 way trusts and some forests have no trust at all.
    We are trying to implement a RDS solution with virtual desktops, the servers are in domain 1 and the client VDI VM’s are in domain 2. Our question is in which trust configuration (domain trust/ forest trust) is this supported and
    is there any documentation?
    Our consideration is that we are not flexible and we need hardware for every forest and it’s getting very expensive.

    Hi Sir,
    >>We have a multi forest domain structure with trusts between the forests, some trusts are 2 way trusts, some trusts are 1 way trusts and some forests have no trust at all.
    If you want to deploy VDI VMs into another domain, you may need to build a 2-way full trust between the RDS domain and the destination domain.
    Best Regards,
    Elton Ji

  • Objects showing from another forest\domain ...

    Hello Community
        On Windows 2008 Server when I go to Windows Explorer, under "Network"
    in the right pane there are 4 columns:
    Name               Category              WorkGroup            Network Location
        It is here that I see my server's names under "Name", Computers under
    "Category", NetBios name under "Workgroup" and FQDN\Forest name under
    "Network Location" which is fine.
        However in addition to my own objects that I see in the right pane of
    Windows Explorer I also see objects from another domain that exists in
    a totally separate forest, how can I see or how could those objects reside
    or be displayed in my forest\domain (unless someone else put them there)?
        Thank you
        Shabeaut

    Hello Susie Long
        There is only one network.
        There are 2 separate forests.
        Each forest has separate domains.
        Under "Network" not all of the objects from the other domain 
    in the other forest are being displayed, only some of the objects 
    from the other domain in the other forest are being displayed under "Network"
    in this forest.
        That is what is puzzling, are you saying that all of the objects from
    the other domain in the other forest should be visible in this forest and if
    so why aren't all of the objects visible (I was under the impression that
    only the objects in this domain in this forest should be visible under "Network"
    in this forest)?
        Thank you
        Shabeaut
