Question on Untrusted Forest and Roles Required.

Hi, I need some help understanding untrusted forests and system roles.
All my untrusted forests are well connected to each other; they are all in the same data center, for that matter.
Is at least one site system role (MP?) required in each untrusted forest to manage the clients in that forest from the primary site?
I read this blog here, 
http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/
But one of the readers posted at the bottom of the blog that it is not supported, referencing TechNet.

More info:
Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation
http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx 

Similar Messages

  • Untrusted forest and right click tools

    I just installed the right-click tools and they're really a great tool. We manage clients in an untrusted AD forest and the right-click tools don't work for them because of authentication problems. Does anyone know if there is something that can be done to bypass
    this limitation?

    Remember, the right-click tools are simply scripts that run in the context of the user currently logged into the console and connect directly to the clients to perform their work. They are not part of ConfigMgr and do not use the ConfigMgr infrastructure
    to communicate (because the ConfigMgr infrastructure never ever connects to client agents). Thus, everything the right-click tools do is subject to the normal restrictions for connecting to a remote system, including authentication and authorization. And thus,
    the account you are using must have the proper privileges and permissions on the target client system.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SUP in untrusted forest using SCCM 2012 SP1

    Hi, I have a single primary site in a single domain/AD forest. I also have a single site system in an untrusted forest behind a firewall.
    I have installed a DP and an MP on this server in the untrusted forest and have now installed WSUS and added the SUP role. The SUP role has been installed, however the SUP in the untrusted forest isn't synching its catalog from the SUP in the primary
    site.
    In the Software Update Point Synchronisation Status, its source is specified as Microsoft Update, rather than the name of the primary site server with the SUP role.
    The relevant ports 80/443/8530/8531 are open between the two forests, but it doesn't appear to attempt to sync from the primary site.
    How do I get this SUP to sync from the primary site? I've tried setting a WSUS Server Connection Account, but this doesn't appear to make any difference.
    Thanks for your help.
    Carl

    I had to remove the use of the proxy server at the primary SUP so that it downloads directly from the internet without the use of a proxy.
    As soon as this was removed the untrusted SUP synchronised successfully. Even though the proxy isn't specified in the SUP properties of the untrusted site system, it still appears to use it when performing a sync.
    Do you want to file this on Connect as feedback to the Product Group?
    https://connect.microsoft.com/ConfigurationManagervnext/Feedback
    Rob Marshall | UK | My Blog |
    WMUG |
    File CM12 Feedback |
    CM12 Docs |
    CM12 Release Notes

  • Why client installation fails in untrusted forest?

    I have one untrusted forest and my ConfigMgr site is published to this untrusted forest's AD successfully. When running ccmsetup.exe in the untrusted forest it fails, and when I look at ccmsetup.log I can see that it fails to locate a management point. Why is this happening,
    given that the site information is available in AD?

    If you are trying to do auto site assignment, is there a boundary published for site assignment that this client falls within?
    If not, have you considered just specifying SMSSITECODE=<your site code> and also an initial management point for it to contact with SMSMP=<accessible MP>?
    Nash
    Nash Pherson, Senior Systems Consultant
    Now Micro -
    My Blog Posts

  • List DC OS Versions and Roles in a Forest.

    Hi Guys
    I need to get info on all DCs in my forest, like OS version, role, OU, what domain they reside in, etc.
    DSquery does not give me all the info, neither does ADUC, neither does Hyena, and PowerShell is not sufficient as it ignores 2003 DCs.
    ADUC has got me the most info so far, except I cannot export the search results to a file.
    Saved Queries only allow me to search one domain at a time.
    I have about 100 domains in the forest, and 1200 DCs.
    Any assistance will be appreciated.
    Regards
    Michael

    I haven't had a chance to post to my blog yet, but if you want to run discovery on a domain, the following saved as a .cmd file and using the freeware tool adFind.exe will dump a lot of results for you.
    @Echo off
    cls
    Rem --------------------------------------------------------------------------------------------------------------------------
    Rem Program      - newDomain_adFind
    Rem Author       - Paul Bergson
    Rem Date Written - February 11, 2014
    Rem Description  - Series of command lines utilizing adFind to extract information from domains (dnscmd is used to enumerate zones)
    Rem                  This script must be run in the same sub-folder where adFind exists or adFind must be in the system path
    Rem                  A sub-folder named domain_dump_<domain name> is created and a series of outputs are generated
    Rem                  Note: the domain name entered below only names the output folder. adFind (and dcdiag/repadmin) query the
    Rem                  domain of the current logon context unless -h <dc> is added to each adFind command line
    Rem --------------------------------------------------------------------------------------------------------------------------
    SET /P domainName=Please enter domain name:
    md domain_dump_%domainName%
    Echo Schema Version Number
    AdFind -sc schver > .\domain_dump_%domainName%\schemaVersion.txt
    Echo.
    Echo Find Functional Levels
    adfind -sc modes -nodn > .\domain_dump_%domainName%\functionalLevels.txt
    Echo.
    Echo Tombstone Lifetime
    AdFind -config -f objectclass=ntdsservice tombstoneLifetime -nodn > .\domain_dump_%domainName%\tombstoneLifetime.txt
    Echo.
    Echo Password Policy
    AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties -nodn -samdc > .\domain_dump_%domainName%\passwordPolicy.txt
    Echo.
    Echo Find FSMO Roles
    adfind -sc fsmo -nodn > .\domain_dump_%domainName%\fsmo.txt
    Echo.
    Echo Organizational Unit count and number at the root
    Echo Organizational Unit count and number at the root > .\domain_dump_%domainName%\ad_OU.csv
    adfind -f "(objectCategory=organizationalUnit)" name -nodn -csv -s tree -c >> .\domain_dump_%domainName%\ad_OU.csv
    Echo. >> .\domain_dump_%domainName%\ad_OU.csv
    adfind -f "(objectCategory=organizationalUnit)" name -nodn -csv -s one >> .\domain_dump_%domainName%\ad_OU.csv
    Echo.
    Echo Sites In Domain
    Echo Sites In Domain           > .\domain_dump_%domainName%\AD_Sites.csv
    adfind -sites name -nodn -csv >> .\domain_dump_%domainName%\AD_Sites.csv
    Echo.
    Echo Subnets In Domain
    Echo Subnets In Domain                                  > .\domain_dump_%domainName%\AD_Subnets.csv
    AdFind -subnets -f "(objectCategory=subnet)" -csv -nodn >> .\domain_dump_%domainName%\AD_Subnets.csv
    Echo.
    Echo List Domain Admins
    Echo List Domain Admins   > .\domain_dump_%domainName%\domain_admins.csv
    adfind -default -f "name= domain admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\domain_admins.csv
    Echo.
    Echo List Enterprise Admins
    Echo List Enterprise Admins > .\domain_dump_%domainName%\ent_admins.csv
    adfind -default -f "name= Enterprise Admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\ent_admins.csv
    Echo.
    Echo List Admins
    Echo List Admins > .\domain_dump_%domainName%\admins.csv
    adfind -default -f "name= administrators" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\admins.csv
    Echo.
    Echo List Schema Admins
    Echo List Schema Admins > .\domain_dump_%domainName%\schema_admins.csv
    adfind -default -f "name= Schema Admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\schema_admins.csv
    Echo.
    Echo List DNSAdmins
    Echo List DNSAdmins > .\domain_dump_%domainName%\dns_admins.csv
    adfind -default -f "name= DNS Admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\dns_admins.csv
    Echo.
    Echo List Account Operator
    Echo List Account Operator > .\domain_dump_%domainName%\account_operators.csv
    adfind -default -f "name= Account Operators" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\account_operators.csv
    Echo.
    Echo List Backup Operators
    Echo List Backup Operators > .\domain_dump_%domainName%\backup_operators.csv
    adfind -default -f "name= Backup Operators" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\backup_operators.csv
    Echo.
    Echo List Print Operators
    Echo List Print Operators > .\domain_dump_%domainName%\print_operators.csv
    adfind -default -f "name= Print Operators" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\print_operators.csv
    Echo.
    Echo List Server Operators
    Echo List Server Operators > .\domain_dump_%domainName%\server_operators.csv
    adfind -default -f "name= Server Operators" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\server_operators.csv
    Echo.
    Echo List Remote Desktop Users
    Echo List Remote Desktop Users > .\domain_dump_%domainName%\remote_desktop_users.csv
    adfind -default -f "name= Remote Desktop Users" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\remote_desktop_users.csv
    Echo.
    Echo List Group Policy Creator Owners
    Echo List Group Policy Creator Owners > .\domain_dump_%domainName%\gpo_creators.csv
    adfind -default -f "name= Group Policy Creator Owners" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn -csv >> .\domain_dump_%domainName%\gpo_creators.csv
    Echo.
    Echo List Domain Controllers and Config
    adfind -config -rb cn=sites -f objectcategory=ntdsdsa > .\domain_dump_%domainName%\domainControllers.txt
    Echo.
    Echo List Trusts
    Echo List Trusts                                             > .\domain_dump_%domainName%\trusts.csv
    Echo    TrustAttributes - 0x1 (Nontransitive)               >> .\domain_dump_%domainName%\trusts.csv
    Echo                    - 0x2 (Uplevel clients only)        >> .\domain_dump_%domainName%\trusts.csv
    Echo                    - 0x4 (Quarantined / SID filtering) >> .\domain_dump_%domainName%\trusts.csv
    Echo                    - 0x8 (Forest transitive)           >> .\domain_dump_%domainName%\trusts.csv
    Echo                    - 0x400000 (Tree parent)            >> .\domain_dump_%domainName%\trusts.csv
    Echo                    - 0x800000 (Tree root)              >> .\domain_dump_%domainName%\trusts.csv
    Echo.                                                       >> .\domain_dump_%domainName%\trusts.csv
    Echo.   TrustDirection  - 1 (Inbound)                       >> .\domain_dump_%domainName%\trusts.csv
    Echo.                   - 2 (Outbound)                      >> .\domain_dump_%domainName%\trusts.csv
    Echo.                   - 3 (Bidirectional)                 >> .\domain_dump_%domainName%\trusts.csv
    Echo.                                                       >> .\domain_dump_%domainName%\trusts.csv
    Echo.   TrustType       - 1 (Downlevel)                     >> .\domain_dump_%domainName%\trusts.csv
    Echo.                   - 2 (Uplevel)                       >> .\domain_dump_%domainName%\trusts.csv
    Echo.                   - 3 (Kerberos realm)                >> .\domain_dump_%domainName%\trusts.csv
    Echo.                   - 4 (DCE)                           >> .\domain_dump_%domainName%\trusts.csv
    Echo.                                                       >> .\domain_dump_%domainName%\trusts.csv
    Echo ------------------------------------------------       >> .\domain_dump_%domainName%\trusts.csv
    Echo.                                                       >> .\domain_dump_%domainName%\trusts.csv
    Rem trustAttributes bit values per MS-ADTS; 0x4 set means SID filtering is active on the trust
    adfind -gcb -f objectcategory=trusteddomain trustpartner trusttype trustdirection trustattributes -samdc -csv -nodn   >> .\domain_dump_%domainName%\trusts.csv
    Echo.
    Echo User Count
    Echo User Count           > .\domain_dump_%domainName%\userCount.txt
    adFind -sc adobjcnt:user >> .\domain_dump_%domainName%\userCount.txt
    Echo.
    Echo Password Not Expire
    Echo Password Not Expire                             > .\domain_dump_%domainName%\PasswordNotExpire.txt
    adFind -sc users_noexpire -nodn -csv samAccountName >> .\domain_dump_%domainName%\PasswordNotExpire.txt
    Echo.
    Echo Not Required
    Echo Not Required                                      > .\domain_dump_%domainName%\PasswordNotRequired.txt
    adFind -sc users_pwdnotreqd -nodn -csv samAccountName >> .\domain_dump_%domainName%\PasswordNotRequired.txt
    Echo.
    Echo Computer Count
    Echo Computer Count           > .\domain_dump_%domainName%\computerCount.txt
    adFind -sc adobjcnt:computer >> .\domain_dump_%domainName%\computerCount.txt
    Echo.
    Echo.
    Echo List All Users
    AdFind -f "objectcategory=person" -sl -csv -nodn -tdcd samAccountName displayName lastLogonTimeStamp > .\domain_dump_%domainName%\users.csv
    Echo.
    Echo List Computer Objects
    AdFind -f "objectcategory=computer" cn operatingsystem  operatingsystemServicePack lastLogonTimeStamp -csv -nodn -tdcd > .\domain_dump_%domainName%\computers.csv
    Echo Foreign Security Principals Count
    Echo Foreign Security Principals Count > .\domain_dump_%domainName%\FSP.txt
    adfind -fsps -c                       >> .\domain_dump_%domainName%\FSP.txt
    Echo.
    Echo Partitions
    Echo Partitions        > .\domain_dump_%domainName%\partitions.txt
    adfind -sc domainncs >> .\domain_dump_%domainName%\partitions.txt
    Echo.
    Echo Exchange
    Echo Exchange               > .\domain_dump_%domainName%\exchange.txt
    adfind -exch -nodn -csv dn >> .\domain_dump_%domainName%\exchange.txt
    Echo.
    Echo Group Policy
    Echo Group Policy              > .\domain_dump_%domainName%\gpo.txt
    AdFind -gpo displayname -nodn >> .\domain_dump_%domainName%\gpo.txt
    Echo.
    REM Echo DNS
    REM Echo DNS              > .\domain_dump_%domainName%\dns.txt
    REM dnscmd /enumzones    >> .\domain_dump_%domainName%\dns.txt
    REM Echo.
    Echo DC Diagnostics
    Echo DC Diagnostics   > .\domain_dump_%domainName%\dcDiag.txt
    dcdiag /v /c /d /e    >> .\domain_dump_%domainName%\dcDiag.txt
    Echo.
    Echo Replication Diagnostics
    Echo Replication Diagnostics                       > .\domain_dump_%domainName%\repAdmin.txt
    repadmin.exe /showrepl * /verbose /all /intersite >> .\domain_dump_%domainName%\repAdmin.txt
    Echo.
    Echo This has completed
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.
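Added example, not from Paul's reply or from anyone else in this thread: Michael's question was for OS version, FSMO role, OU and domain of every DC across all ~100 domains, and the adFind script above is run per domain. This PowerShell walks the whole forest through System.DirectoryServices, which talks LDAP/RPC to the DCs directly rather than through the AD module and ADWS, and writes one CSV. The output path, the per-domain searcher used to recover each DC's OU, and PowerShell 3.0 or later (for [pscustomobject]) are assumptions; the running account needs read access to every domain.

```powershell
# Added example: enumerate every DC in every domain of the current forest.
# Assumes PowerShell 3.0+ and read access to each domain. $OutFile is an assumed path.
param([string]$OutFile = ".\forest_dcs.csv")

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$rows = foreach ($domain in $forest.Domains) {
    # One searcher per domain, used to find each DC's computer object and read its OU
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain.GetDirectoryEntry())
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('operatingSystemServicePack')

    foreach ($dc in $domain.FindAllDomainControllers()) {
        try {
            $searcher.Filter = "(&(objectCategory=computer)(dNSHostName=$($dc.Name)))"
            $obj = $searcher.FindOne()
            $dn  = if ($obj) { [string]$obj.Properties['distinguishedname'][0] } else { '' }
            $sp  = if ($obj -and ($obj.Properties['operatingsystemservicepack'].Count -gt 0)) {
                       [string]$obj.Properties['operatingsystemservicepack'][0] } else { '' }

            [pscustomobject]@{
                Domain      = $domain.Name
                DC          = $dc.Name
                Site        = $dc.SiteName
                IPAddress   = $dc.IPAddress
                OSVersion   = $dc.OSVersion               # read from the DC itself, so 2003 DCs appear too
                ServicePack = $sp
                IsGC        = $dc.IsGlobalCatalog()
                FsmoRoles   = (@($dc.Roles) -join ';')    # empty when the DC holds no FSMO role
                OU          = if ($dn) { $dn.Substring($dn.IndexOf(',') + 1) } else { '' }
                Error       = ''
            }
        } catch {
            # Unreachable or access-denied DC: record it rather than abort the forest walk
            [pscustomobject]@{
                Domain = $domain.Name; DC = $dc.Name; Site = $dc.SiteName; IPAddress = ''
                OSVersion = ''; ServicePack = ''; IsGC = ''; FsmoRoles = ''; OU = ''
                Error = $_.Exception.Message
            }
        }
    }
}

$rows | Sort-Object Domain, DC | Export-Csv -Path $OutFile -NoTypeInformation
$rows | Format-Table Domain, DC, Site, OSVersion, FsmoRoles, Error -AutoSize
```

Rows with a non-empty Error column are the DCs worth looking at first: in a 1200-DC forest an unreachable or access-denied DC is usually either decommissioned-but-not-demoted or sitting behind a firewall nobody documented.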

  • Roles required for BIPCatalogUtil.sh and blank rtf files.

    The first question I have is: what roles are required to make all aspects of the BIPCatalogUtil.sh import utility work?
    I have an issue where importing the rtf files doesn't seem to work. The file looks fine on the OS, but in the application they come up blank. I have a feeling it's access related, hence the first question, but if anyone has an idea...
    The log shows nothing other than success.
    Is there a way to put the utility into debug mode?


  • ConfigMgr 2012 R2 and managing clients in untrusted forest

    I have read documentations and I'm still not 100% sure what are the possible limitations in my situation. I have 2 AD forests without any trusts between them. I'm planning to deploy ConfigMgr 2012 R2 in forest A. I also have clients in forest B.
    I need to install operating systems via PXE, applications and windows updates to clients in untrusted forest. I'm also planning to support internet clients. 

    You can manage clients in untrusted forests. This blog is a good place to start.
    http://blogs.technet.com/b/manageabilityguys/archive/2012/09/05/system-center-2012-configuration-manager-and-untrusted-forests.aspx
    Managing internet clients is called IBCM (Internet Based Client Management). You can read about it here
    http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx
    Gerry Hampson | Blog:
    www.gerryhampsoncm.blogspot.ie | LinkedIn:
    Gerry Hampson | Twitter:
    @gerryhampson

  • Simple question about af:panelTabbed and required="true"

    Hello,
    I have an af:panelTabbed component with four tabs.
    In the fourth tab I have an af:inputText with the attribute required="true".
    The problem is: the required check is only applied if I am on the fourth tab (where the inputText is).
    If I am on the first tab, the form is committed and the required check is not applied.
    Any help, please?
    Victor Jabur

    To complement, here is my jspx and my Managed Bean:
    When I click the cb1 button, the focus should go to tab4, but the partial refresh doesn't work. If I use the refreshPage() method posted above, the focus works, but as mentioned, it's not common Web 2.0 usage.
    JSPX:
    <?xml version='1.0' encoding='UTF-8'?>
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
    <jsp:directive.page contentType="text/html;charset=UTF-8"/>
    <f:view>
    <af:document id="d1" title="Test Tab Component">
    <af:form id="fm1">
    <af:commandButton id="cb1" text="Execution Action" action="#{myBean.executeAction}" partialSubmit="true"/>
    <af:panelTabbed id="ptab" styleClass="AFStretchWidth">
    <af:showDetailItem id="tab1" text="Tab 1"/>
    <af:showDetailItem id="tab2" text="Tab 2"/>
    <af:showDetailItem id="tab3" text="Tab 3"/>
    <af:showDetailItem id="tab4" text="Tab 4" binding="#{myBean.tab4}" clientComponent="true">
    <af:inputText id="it1" label="Input Text" binding="#{myBean.inputText}" clientComponent="true"/>
    </af:showDetailItem>
    </af:panelTabbed>
    </af:form>
    </af:document>
    </f:view>
    </jsp:root>
    Managed Bean:
    package com.test;

    import javax.faces.application.FacesMessage;
    import javax.faces.context.FacesContext;
    import oracle.adf.view.rich.component.rich.input.RichInputText;
    import oracle.adf.view.rich.component.rich.layout.RichShowDetailItem;
    import oracle.adf.view.rich.context.AdfFacesContext;

    public class MyBean {
        private RichInputText inputText = new RichInputText();
        private RichShowDetailItem tab4 = new RichShowDetailItem();

        public void executeAction() {
            if (this.inputText != null) {
                if (this.tab4 != null) {
                    FacesContext context = FacesContext.getCurrentInstance();
                    FacesMessage facesMsg = new FacesMessage(FacesMessage.SEVERITY_ERROR, "Enter a value", "");
                    context.addMessage(this.inputText.getClientId(context), facesMsg);
                    this.inputText.setValid(false);
                    // open the tab that holds the field, then re-render both the field and the tab
                    this.tab4.setDisclosed(true);
                    AdfFacesContext.getCurrentInstance().addPartialTarget(this.inputText);
                    AdfFacesContext.getCurrentInstance().addPartialTarget(this.tab4);
                    //AdfFacesContext.getCurrentInstance().partialUpdateNotify(this.inputText);
                    //AdfFacesContext.getCurrentInstance().partialUpdateNotify(this.tab4);
                }
            }
        }

        public void setInputText(RichInputText inputText) {
            this.inputText = inputText;
        }

        public RichInputText getInputText() {
            return inputText;
        }

        public void setTab4(RichShowDetailItem tab4) {
            this.tab4 = tab4;
        }

        public RichShowDetailItem getTab4() {
            return tab4;
        }
    }

  • Software Updates in an Untrusted Forest

    Hi all,
    I've built an SCCM 2012 R2 site with 2 forests involved. They are UNTRUSTED.
    Forest 1 contains a primary site with SQL and a secondary distribution point across the WAN. This all worked great for applications and Windows updates.
    The second, untrusted forest has 1 site server with a Management Point, Fallback Status Point, Distribution Point and default roles. For some reason I can't get a client in the untrusted forest to get the software update packages I create.
    I have deployed them to all distribution points, and the clients in the untrusted forest (manually installed) have shown up in SCCM and are in the correct test collection.
    Boundary groups have been set up with boundaries on IP subnets.
    Are there any specific logs I can check? Does a software update point need adding to the untrusted forest site system?
    A firewall blocks communication between the forests, so I have created site server to site server rules, but untrusted forest clients don't have access back to the primary site server.
    If I could just get these software updates working I'm complete!! Any help would be great!!

    Thanks for the help trouble shooting,
    This is now resolved.
    For info, the clients in the untrusted forest need to be able to access the WSUS website. As I have a locked-down firewall between my forests, I added an Any to SCCM WSUS rule on port 8530 and tested in IE. The page comes up as access denied, but it proves the connection.
    Software deployment and WSUS in an untrusted domain without any AD connection, DNS or WINS requires a manual (or scripted) install of the clients specifying the SMSLP, SMSSITECODE, SMSMP and SMSFSP for that forest. All these roles are required
    to be installed on the site server for that untrusted forest when adding it into SCCM if you don't have access to the forest's AD or DNS.
    The only connection clients seem to need back to the primary site is the WSUS website for syncing. Packages are still distributed to the servers in the untrusted forest.
    As I have been using a firewall between the sites, I allowed the site servers to communicate over the following ports:
    80, 443, 445, 135, 1027, 49152-65535
    Note: without the RPC dynamic port range I got errors in the SCCM distribution logs.
    Site servers to SQL was as standard: 1433, 4022.
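Added example, not code from this thread: a scripted client install of the kind Nash's reply and the resolved post above describe, with SMSSITECODE, SMSMP and FSP passed on the command line because the client cannot read the site's AD publishing. It checks the MP's list endpoint first, then runs ccmsetup and reads the outcome from ccmsetup.log, since ccmsetup hands off to its own service and the process you start returns before the install finishes. Site code, host names and source path are placeholders. SMSPUBLICROOTKEY is optional but worth supplying: a client that cannot obtain the trusted root key from AD accepts the key offered by the first MP it reaches, which is exactly the opening a rogue MP on the DMZ network would use; the value is in mobileclient.tcf on the site server.

```powershell
# Added example (not from the thread). Scripted ConfigMgr 2012 client install for a
# machine in an untrusted forest that cannot read the site's AD publishing.
# Host names, site code and source path are placeholders.
param(
    [string]$SiteCode      = 'PS1',
    [string]$Mp            = 'cm-ext-mp01.external.example',                  # MP in the untrusted forest
    [string]$Fsp           = 'cm-ext-mp01.external.example',                  # FSP the client can reach
    [string]$Source        = '\\cm-ext-mp01.external.example\SMS_PS1\Client', # folder holding ccmsetup.exe
    [string]$PublicRootKey = '',   # SMSPublicRootKey= value from mobileclient.tcf on the site server
    [int]$TimeoutMinutes   = 30
)
$ErrorActionPreference = 'Stop'

# 1. Pre-flight: ask the MP for its MP list. If this fails, ccmsetup would only
#    loop on "failed to locate management point", so stop here instead.
$mpList = (New-Object System.Net.WebClient).DownloadString("http://$Mp/sms_mp/.sms_aut?mplist")
if ($mpList -notmatch 'MPList') { throw "$Mp answered on port 80 but did not return an MP list" }

# 2. Command line: /switches first, then NAME=value installation properties.
#    SMSSITECODE and SMSMP replace the AD lookup; FSP lets a failed install still
#    send state messages. Without SMSPUBLICROOTKEY (and without AD access) the
#    client trusts whatever root key the first MP hands it; the key closes that window.
$props = @("SMSSITECODE=$SiteCode", "SMSMP=$Mp", "FSP=$Fsp")
if ($PublicRootKey) { $props += "SMSPUBLICROOTKEY=$PublicRootKey" }
$argList = @("/mp:$Mp", "/source:$Source") + $props

$log      = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
$baseline = if (Test-Path $log) { @(Get-Content $log).Count } else { 0 }   # skip lines from earlier runs

# 3. ccmsetup re-launches itself as the ccmsetup service and the process we start
#    returns almost immediately, so the real result has to be read from the log.
Start-Process -FilePath (Join-Path $Source 'ccmsetup.exe') -ArgumentList $argList -Wait
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$rc = $null
while ($null -eq $rc -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
    if (Test-Path $log) {
        $hit = Get-Content $log | Select-Object -Skip $baseline |
               Select-String -Pattern 'CcmSetup is exiting with return code (\d+)' | Select-Object -Last 1
        if ($hit) { $rc = [int]$hit.Matches[0].Groups[1].Value }
    }
}

# 4. Documented ccmsetup return codes: 0 success, 7 reboot required; anything else failed.
if ($null -eq $rc) { Write-Warning "No result in $log after $TimeoutMinutes minutes; is the ccmsetup service still running?" }
elseif ($rc -eq 0) { 'Client installed; LocationServices.log shows which MP it was assigned' }
elseif ($rc -eq 7) { 'Client installed, reboot required' }
else               { Write-Warning "ccmsetup failed with return code $rc; see $log and the FSP's client deployment reports" }
```

Run it as a local administrator on the client. If the pre-flight throws, fix the firewall path to the MP (port 80, or 443 in HTTPS mode) before touching ccmsetup; if it passes but the client later reverts to an MP in the internal forest, the issue is boundary/site assignment rather than connectivity.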

  • Managing untrusted forest

    Hi All,
    We currently have the following configuration with SCCM 2012 R2 CU4:
    Same forest, same domain (2 x 2 DCs + AD DNS)
     + Primary Site Server with 300 clients (MP, DP, SUP, SDB, SS, FSP, RSP)
     + Secondary Site Server with 300 clients (MP, DP, SUP, SDB, SS)
    Distinct untrusted forest (2 DCs + AD DNS)
     + 15 clients
    What's the best configuration to manage the untrusted forest? I already checked the following link (http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx)
    What are the comm port requirements? clients + site system <-> primary site
    Can we prevent the untrusted clients from accessing the pri/sec site servers?
    We plan to add a site system to the primary site in the remote untrusted forest with MP, DP, SUP roles.
    (AFAIK a secondary site needs trusts, which is not permitted)
    We need Inventory, Software Distribution and Windows Updates features in the untrusted forest.
    Link between primary and secondary site is ~16Mb/s
    Link between primary and untrusted forest is about ~16Mb/s
    Link between secondary site and untrusted forest is about ~1Gb/s
    Thanks a lot!

    The ports used by ConfigMgr are well explained here:
    https://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_CommunicationPorts
    In addition, be aware that for discovering computers in the untrusted forest you need to open port 53 (DNS) between the SCCM server and the remote DC (in the untrusted forest) OR create a secondary DNS zone for the untrusted forest in your DNS.

  • User-based deployment to untrusted forest

    Case:
    Domain A has a ConfigMgr 2012 server with all roles (MP, DP, SUP...)
    Domain B is untrusted and hasn't got any ConfigMgr site server roles installed
    The ConfigMgr site has been introduced to Domain B also, so all the resources can be discovered (systems, users)
    I can deploy software to systems in the untrusted forest
    I cannot deploy software to users in the untrusted forest
    Is this normal behavior? Do I need an MP in the untrusted forest so that I can get my user deployments working? When I deploy software to users in the untrusted domain, they don't even show up in AppDiscovery.log, and the deployment status in the console doesn't
    show the device for the user.

    See the Support for users in untrusted forests section at http://blogs.technet.com/b/configmgrteam/archive/2012/07/05/tips-and-tricks-for-deploying-the-application-catalog-in-system-center-2012-configuration-manager.aspx
    Jason | http://blog.configmgrftw.com

  • Problem installing SCCM client in remote untrusted forest

    Hi,
    My configuration is :
    My network is in two parts: an intranet and a DMZ. In the DMZ there is another forest and domain. There is no trust between the forest in the DMZ and the internal network. I configured the remote forest in SCCM with a user account that has Domain Admin access
    in the DMZ forest/domain.
    The primary site server is located in the internal part of my network. SQL is installed on a remote server. The Management Point, Distribution Point and Fallback Status Point roles are installed on the primary site server. The SMS Provider is installed on the primary
    site server.
    In the DMZ part, I have a management point and distribution point installed on one server.
    The forest discovery works fine. I can query AD in the remote forest (DMZ).
    I have a problem installing the SCCM client on computers located in the remote forest with client push or with the command line:
    CCMSETUP.EXE /MP:DMZ site server /DP:DMZ site server /FSP: primary site server SMSSITECODE:SIT
    In CCMSetup.log I can see that the client tries to communicate with my DMZ site server but it reverts to the management point and distribution point located in the internal part of the network. The installation fails and will retry in 10 minutes.
    Has anyone seen this problem before? Am I missing something? Could it be a configuration issue?
    Could you help me with this please?
    Thanks in advance for your time!
    Jacques

    Does the client installation work when you install the client manually on the untrusted-domain client? What does CCM.log say on the site server?
    Have you double-checked the firewall ports for client push installation? The ports needed for client push to work are as follows (from the site server to the client):
    SMB - TCP 445
    RPC Endpoint Mapper - TCP 135 / UDP 135
    RPC Dynamic Ports
    And to Management Point:
    HTTP - TCP 80 (When using HTTP)
    HTTPS - TCP 443 (When using HTTPS)
    Also a quote from
    TechNet: "In addition to the ports listed in the following table, client push installation also uses Internet Control Message Protocol (ICMP) echo request messages from the site server to the client computer to confirm whether the client
    computer is available on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any intervening network devices, such as firewalls, must
    permit ICMP traffic for client push installation to succeed."
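Added example, not from Jacques' post or the reply above: a pre-flight script that probes the ports listed in this reply and in the resolved "Software Updates in an Untrusted Forest" post earlier on this page (client push 135/445, MP 80/443, WSUS 8530/8531, site server to SQL 1433/4022, and 53 for forest discovery to the remote DC), plus the ICMP echo that client push depends on. It also requests the WSUS client web service and the MP list endpoint and reports the HTTP status even for 401/403, so an "access denied" page still counts as proof of the firewall path, which is the IE test that post describes. Host names are placeholders; the RPC dynamic range is deliberately not probed because nothing listens there until the endpoint mapper assigns a port. TcpClient and WebRequest are used so it runs on PowerShell 2.0 hosts without Test-NetConnection.

```powershell
# Added example (not from the thread). Port and endpoint pre-flight between forests.
# Run it from the side whose traffic you are checking (site server or client).
# Target names are placeholders. A closed port can be a host firewall, not only
# the perimeter firewall between the forests.
param(
    [string[]]$Targets = @('cm-dmz-mp01.dmz.example'),
    [int]$TimeoutMs    = 2000
)

# Ports from the thread. RPC dynamic range (49152-65535) is not listed: a single
# connect cannot prove it because nothing listens until the endpoint mapper hands out a port.
$ports = @(
    @{ Name = 'DNS (forest discovery -> remote DC)'; Port = 53   },
    @{ Name = 'MP HTTP';                             Port = 80   },
    @{ Name = 'RPC endpoint mapper (client push)';   Port = 135  },
    @{ Name = 'MP HTTPS';                            Port = 443  },
    @{ Name = 'SMB (client push)';                   Port = 445  },
    @{ Name = 'SQL (site server -> SQL only)';       Port = 1433 },
    @{ Name = 'SQL Service Broker';                  Port = 4022 },
    @{ Name = 'WSUS HTTP';                           Port = 8530 },
    @{ Name = 'WSUS HTTPS';                          Port = 8531 }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered (timeout)' }
        $client.EndConnect($ar)          # throws if the connection was refused
        return 'open'
    } catch {
        return 'closed: ' + $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
}

function Get-HttpStatus {
    # Returns the HTTP status even for 401/403: an access-denied page still proves
    # the path through the firewall, which is all this check is for.
    param([string]$Url, [int]$TimeoutMs)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = $TimeoutMs
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return 'unreachable: ' + $_.Exception.Message
    }
}

foreach ($t in $Targets) {
    "== $t   ICMP echo: $(Test-Connection -ComputerName $t -Count 1 -Quiet)"
    foreach ($p in $ports) {
        '{0,-38} {1,5}  {2}' -f $p.Name, $p.Port, (Test-TcpPort -ComputerName $t -Port $p.Port -TimeoutMs $TimeoutMs)
    }
    # ${t} is needed here: "$t:8530" would be read as a scoped variable, not host:port
    'WSUS client web service (8530): HTTP {0}' -f (Get-HttpStatus -Url "http://${t}:8530/ClientWebService/client.asmx" -TimeoutMs $TimeoutMs)
    'MP list endpoint (80):          HTTP {0}' -f (Get-HttpStatus -Url "http://${t}/sms_mp/.sms_aut?mplist" -TimeoutMs $TimeoutMs)
}
```

"filtered (timeout)" is the signature of a firewall silently dropping the SYN; "closed: ... refused" means the packet arrived but nothing is listening, which on a site system usually points at the role not being installed or IIS not bound on that port rather than at the firewall.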

  • MP Rotation Untrusted Forest.

    Hi, 
    I realize you cannot force a client to use a particular MP, which is creating a design problem for us.
    We have multiple DMZs in an untrusted forest.
    I am not sure how to get around this problem.
    The clients cannot communicate with an MP outside of their DMZ.
    If I have 20 DMZs, and an MP in each, will this not create an MP rotation issue at some point?
    I came across this posting by Anoop; is this the only workaround?
    http://anoopcnair.com/2014/04/11/workaround-sccm-2012-clients-mp-selection-rotation-issue-untrusted-dmz-forests/
    Appreciate any suggestions.

    Is there a single, shared forest (or domain) for all DMZs or a separate forest (or domain) for each DMZ?
    The workaround described in that blog post is for the perception of a bug, not for providing for MP selection.
    Yes, MP rotation could cause an issue -- 20 MPs aren't supported within a single primary site either, so you are also running into a support limitation.
    Depending upon your answer to the forest question, LocationAware is probably the only answer today (without doing something crazy like using multiple primary sites).
    A reverse proxy is another possible solution. This would enable a single MP (or a set of central MPs) to be accessed in a protected manner.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Untrusted Forest

    Hi
    I have a forest (Internal) and I have another forest (External).
    SCCM 2012 R2 and SQL 2012 are installed in the "internal" forest. I would like to add a new forest (external) to my SCCM setup which is "untrusted". The two forests (internal and external) are not trusted across domains or
    forests.
    Currently, I have clients in a workgroup capable of communicating with the "external" forest.
    My question:
    1- Is it possible to install an MP and DP in the external forest? Because I have clients within a workgroup that I would like to manage through that MP and DP.
    If so, HOW TO PLEASE!?
    Thanks

    Yes, this is possible.
    Take a look at the following blog entries, which explain the process:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx
    http://blogs.technet.com/b/neilp/archive/2012/08/24/cross-forest-support-in-configmgr-2012-part-3-deploying-site-server-site-systems-in-an-untrusted-forest.aspx
    Cheers
    Paul | sccmentor.wordpress.com

  • Trying to install features and Roles

    OK, I've selected my features and roles. When I run the install from a PXE boot using the Lite Touch Windows PE (x64), the OS installs and reboots and then attempts to run the roles and features install, at which point it dies and returns the summary screen showing errors. These errors are listed below from the ZTIOSRole log. Close to the bottom of this transaction list is the following.
    <![LOG[Copying source files locally from \\WIN-DEPLOY-SRV\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64\sources\sxs]LOG]!><time="12:46:55.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    I am able to browse to the share and dig down to the directory. I guess at this point my questions are:
    1. Why is it looking for something on the deployment share when the functionality is built into Windows itself?
    2. What component is ZTIOSRole and how do I find out what it is really looking for?
    Note: This is a 2012 R2 Server and I'm trying to install ... And it fails at the First Role
    File and Storage Services
    ---- File Services
    --------File Server
    --------Data DeDuplication
    Hyper-v
    Role Administration
    ---- Hyper-v Management Tools
    -------- Hyper-v GUI Management Tools
    -------- Hyper-v Module for Windows Powershell
    Windows Server Backup
    Can someone please help
    <![LOG[Microsoft Deployment Toolkit version: 6.2.5019.0]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[The task sequencer log is located at C:\Users\ADMINI~1\AppData\Local\Temp\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Roles will be installed.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Roles specified in Role:]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  FileAndStorage-Services]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Hyper-V]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[RoleServices specified in RoleService:]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  File-Services]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  FS-FileServer]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  FS-Data-Deduplication]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Features specified in Feature:]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  RSAT-Role-Tools]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  RSAT-AD-Tools]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  RSAT-Hyper-V-Tools]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Hyper-V-Tools]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Hyper-V-PowerShell]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Windows-Server-Backup]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[No items were specified in variable OptionalOSRoles.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[No items were specified in variable OptionalOSRoleServices.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[No items were specified in variable OptionalOSFeatures.]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[ZTI Heartbeat: Processing roles (0% complete]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Event 41003 sent: ZTI Heartbeat: Processing roles (0% complete]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Property Parameters is now = -FeatureName FileAndStorage-Services]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Validating connection to \\WIN-DEPLOY-SRV\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64]LOG]!><time="12:46:54.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Mapping server share: \\WIN-DEPLOY-SRV\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64\sources\sxs]LOG]!><time="12:46:55.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[ZTI ERROR - Unhandled error returned by ZTIOSRole: Path not found (76)]LOG]!><time="12:47:00.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="3" thread="" file="ZTIOSRole">
    <![LOG[Event 41002 sent: ZTI ERROR - Unhandled error returned by ZTIOSRole: Path not found (76)]LOG]!><time="12:47:00.000+000" date="11-08-2013" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">

    OK I've selected my features and Roles. When I run the install from a PXE boot using the Lite Touch I am able to browse to the share and dig down to the directory. I guess at this point my questions are.
    1. Why is it looking to something on the deploymentshare when the functionality is built into windows itself?
    I think you are incorrect in stating that all functionality is built into Windows. Windows may require the sxs directory contents to install some OS roles and features. Does this directory exist in your Deployment Share, and if so, does it contain all the files synced with your original OS source?
    Keith Garner - keithga.wordpress.com
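    The two checks Keith suggests, as an added example that is not part of his reply or of the MDT scripts: confirm that the sources\sxs folder the log refers to exists on the deployment share, compare it file by file against the original install media, and then show the equivalent manual feature install with -Source pointing at that folder. The share path is the one from the log; the media path is an assumption, and the -WhatIf keeps the final step from changing anything.

```powershell
# Added example, not from the original thread or from MDT. Run from an admin session that
# can reach the deployment share. Paths: the share path comes from the ZTIOSRole log in the
# post; the media path is an assumed location of the original Windows Server 2012 R2 media.
param(
    [string]$ShareSxs = '\\WIN-DEPLOY-SRV\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64\sources\sxs',
    [string]$MediaSxs = 'D:\sources\sxs'   # assumed: original install media mounted on D:
)

# 1. Does the folder ZTIOSRole tried to map exist at all? The log ended in "Path not found (76)".
if (-not (Test-Path -LiteralPath $ShareSxs)) {
    Write-Warning "sxs folder missing on the deployment share: $ShareSxs"
    Write-Warning "Re-import the operating system from full source media so sources\sxs is copied."
    return
}

# 2. Compare the share copy against the media by relative path and SHA-256 (Get-FileHash needs PS 4.0+).
function Get-SxsInventory([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Relative = $_.FullName.Substring($Root.Length).TrimStart('\')
            Hash     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

if (Test-Path -LiteralPath $MediaSxs) {
    $onMedia = Get-SxsInventory $MediaSxs
    $onShare = Get-SxsInventory $ShareSxs
    # Anything only on one side, or with a differing hash, is a missing or altered payload file.
    $diff = Compare-Object -ReferenceObject $onMedia -DifferenceObject $onShare -Property Relative, Hash
    if ($diff) {
        Write-Warning "sxs on the share does not match the media:"
        $diff | Format-Table -AutoSize
    } else {
        Write-Host "sxs on the share matches the media ($($onShare.Count) files)."
    }
} else {
    Write-Warning "Media path $MediaSxs not found; skipping the file comparison."
}

# 3. The manual equivalent of the Install Roles and Features step for the items in the log,
#    with -Source pointing at the share's sxs folder. -WhatIf only reports what would be installed.
Install-WindowsFeature -Name FileAndStorage-Services, File-Services, FS-FileServer, FS-Data-Deduplication, `
    Hyper-V, RSAT-Hyper-V-Tools, Hyper-V-Tools, Hyper-V-PowerShell, Windows-Server-Backup `
    -Source $ShareSxs -WhatIf
```

    If step 1 fails but you can browse the path interactively, the difference is the account: the task sequence maps the share with the deployment share credentials, not with the user you are logged on as, so check that those credentials can read the sources\sxs path as well.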
