[SCCM 2012 R2] Cross forest Active Directory Boundaries

Hi All,
What process/component updates the information (subnets) for an already imported AD Site boundary?
How can I be sure that automatically created Active Directory boundaries from native and cross-forest domains really import/use all subnets from the AD sites? What log shows verbose information? PowerShell?
Note to the Product Group and to MVPs who have influence with the Product Group:
please add a column in the Boundaries view that shows the actual domain for Active Directory boundaries (instead of using the Description column)
please allow manually creating Active Directory boundaries from non-native domains
Regards,

As mentioned, simply type in the site name instead of using the Browse button.
Site lookups are a simple string comparison that occurs when the client submits the content location or site assignment request to the MP.
If you don't have multiple primary sites, site assignment is not anything to worry about because all the clients will belong to the same site.
If you do have multiple primary sites, it gets a bit more complicated depending upon how those multiple sites are broken down client-wise, but it would most likely come down to not relying on auto-site assignment, so this would be N/A anyway.
For content location, the assumption is that the like-named sites are for the same area of connectivity and thus content location, i.e., DP "assignment", should be the same regardless of domain/forest. If this is not a valid assumption for your environment, then I would submit that your site naming convention is irrational.
Jason | http://blog.configmgrftw.com | @jasonsandys
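The original poster asks how to verify that an automatically created AD Site boundary really covers every subnet of that site, and Jason's answer notes that AD site boundaries match on the site name string alone. The script below is an added example, not code from either poster: it reads the site's boundaries from the SMS Provider (the SMS_Boundary WMI class) and the subnet-to-site mapping from a domain controller in each forest, then reports, per forest, which subnets an existing boundary would match. The site server, site code and DC names are placeholders; it assumes the ActiveDirectory RSAT module and WMI access to the SMS Provider.

```powershell
# Added example, not from the thread: compare the AD sites/subnets of each forest
# with the boundaries the ConfigMgr site actually holds, so an automatically
# created AD Site boundary can be checked against the subnets defined for that site.
# Assumes the ActiveDirectory module, WMI access to the SMS Provider, and a trust or
# reachable DC for every forest. Site server, site code and DC names are placeholders.
param(
    [string]$SiteServer  = 'sccm.domain.b',                    # placeholder (SMS Provider host)
    [string]$SiteCode    = 'B00',                              # placeholder
    [string[]]$ForestDCs = @('dc1.domain.a', 'dc1.domain.b')   # one DC per forest, placeholders
)
Import-Module ActiveDirectory

# 1. Boundaries as the site knows them. SMS_Boundary.BoundaryType: 0 = IP subnet,
#    1 = AD site, 2 = IPv6 prefix, 3 = IP range. Value is the subnet ID / site name / range.
$boundaries = Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" -Class SMS_Boundary
$adSiteBoundaries   = @($boundaries | Where-Object { $_.BoundaryType -eq 1 } | ForEach-Object { $_.Value })
$ipSubnetBoundaries = @($boundaries | Where-Object { $_.BoundaryType -eq 0 } | ForEach-Object { $_.Value })

# 2. Every subnet of every forest, with the site it belongs to, read from a DC of that forest.
$report = foreach ($dc in $ForestDCs) {
    $forest = (Get-ADForest -Server $dc).Name
    foreach ($subnet in Get-ADReplicationSubnet -Filter * -Server $dc) {
        # Site is a DN such as CN=London,CN=Sites,CN=Configuration,DC=...; keep only the site name
        $siteName = if ($subnet.Site -match '^CN=([^,]+)') { $Matches[1] } else { '<no site>' }
        $subnetId = ($subnet.Name -split '/')[0]   # AD stores 10.101.0.0/16; ConfigMgr stores 10.101.0.0
        # AD Site boundaries match on the site name string alone, so a same-named site in another
        # forest matches as well (the string comparison Jason describes); IP subnet boundaries match the ID.
        $covered = if ($adSiteBoundaries -contains $siteName)      { "ADSite:$siteName" }
                   elseif ($ipSubnetBoundaries -contains $subnetId) { "IPSubnet:$subnetId" }
                   else { 'NONE' }
        [pscustomobject]@{ Forest = $forest; ADSite = $siteName; Subnet = $subnet.Name; CoveredBy = $covered }
    }
}
$report | Sort-Object Forest, ADSite, Subnet | Format-Table -AutoSize
# Subnets that no boundary would match: clients there get neither site assignment nor content location
$report | Where-Object { $_.CoveredBy -eq 'NONE' }
```

The Forest column is the "actual domain" information the poster wants in the console: the boundary itself stores only the site name, so two forests with a site called London are indistinguishable in the Boundaries view, and a client in either forest's London subnets will match that one boundary. The component that creates these boundaries is Active Directory Forest Discovery, which writes ADForestDisc.log on the site server (general ConfigMgr knowledge, not something the thread states).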

Similar Messages

  • SCCM 2012 R2 cross forest with one-way trust feasible?

    We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows server 2012 R2).
    Our requirements are to support our Windows 7 client PCs in Domain A and also support XenDesktop clients in a separate domain (Domain B) and forest. We have a one-way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be in Domain A, the same as our current SMS 2003 server.
    What we want to do, at a minimum, using SCCM is:
    Client inventory (hardware, software, user) and package distribution.
    Is this doable or a no-go? If not directly, is there any workaround for this? Appreciate any helpful advice or feedback.
    I have made the below diagram to better illustrate the scenario:
    Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

    Hi,
    The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
    Quote:
    Inner-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
    In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a two way trust with the forest of the parent (CAS or primary).
    Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
    The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
    Most of these items were taken from this TechNet article – please refer to the article for more information - Planning for Communications in Configuration Manager.
    For more information:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    Best Regards,
    Joyce
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.
    Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
    Not sure which is correct...

  • SCCM 2012 installation without integrating active directory

    I will explain my scenario.
    I have one Active Directory and different OUs for different locations, i.e. for the US I have one OU, for the UK I have another OU, for Dubai I have one OU.
    Now we have SCCM installed in the US. It has a CAS server under which there are 4 primary and 20 secondary sites.
    I want to install a standalone SCCM for the Dubai office, for just that single OU, and manage the domain-joined clients. But I do not want to integrate with AD, as there is already one SCCM in the same AD.
    How can this be achieved? How can the clients be installed, and what will be different during the site installation?
    Any response is highly appreciated.
    Thank you.

    You will find it here:
    http://technet.microsoft.com/en-us/library/gg712272.aspx
    You're particularly interested in "Client computer installation and site assignment"
    Thanks Gerry.
    But my Active Directory schema is already extended since I already have SCCM installed in the AD environment. Will that make any difference?

  • SCCM 2012 clients are reflecting without configure boundaries

    Hi Team,
    I am using SCCM 2012 SP1. I have configured boundaries for the 10.101.x.x series. While checking the All Systems collection, there are systems reflecting IP addresses in the 10.100.x.x series. Please suggest how to troubleshoot this.
    Regards
    Harvansh Singh

    Boundaries have nothing to do with discovery (if that's what you are asking).
    Torsten Meringer | http://www.mssccmfaq.de

  • SCCM 2012 CU2 OSD forest trust: ReleaseRequest failed with error code 0x87d00317

    Hello,
    Actually I have a difficult problem with my SCCM 2012 R2 CU2 Windows 7 x64 SP1 task sequence:
    I get the following error in smsts.log:
    ::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    RegQueryValueExW is unsuccessful for Software\Microsoft\SMS\Task Sequence, SMSTSEndProgram TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    End program:  TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Finalize logging request ignored from process 1736 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Waiting for CcmExec service to be fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CcmExec service is up and fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle will be read from _SMSTSActiveRequestHandle TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle: {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Attempting to release request using {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CoCreateInstance succeeded TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    ReleaseRequest failed with error code 0x87d00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Here is the complete smsts.log: http://1drv.ms/1pwTEBf
    To explain the problem in detail:
    The SCCM primary site server and the clients are in different (bidirectionally) trusted forests!
    Everything is working fine in this scenario: I can install the SCCM agent on the clients with manual ccmsetup and with client push installation. Additionally I can deploy software updates and so on... only OSD is crashing in the ReleaseRequest step.
    During my task sequence, new clients are joined to Domain A while the SCCM primary site server is installed in Domain B.
    If I change my TS and let the clients also join Domain B, everything works without any problems and the task sequence finishes without any errors.
    My problem must be related to the different domains and the forest trust.
    My Setup:
    MP published to DNS in both domains
    Schema Extended in both domains
    System Management Container published and verified in both domains
    ccmsetup Parameters in TS: ccmsetup SMSMP=sccm.domain.b FSP=sccm.domain.b DNSSUFFIX=Domain.b
    Network Access account configured with Domain B account
    Domain Join account has create Computer rights on the OU in Domain A (Domain join is successful)
    DNS conditional forwarders configured in both domains, and DNS resolution is working in both directions
    Any suggestions?
    Many thanks.
    regards,
    Christian

    Hi Christian,
    So do you actually get an error message in your TS, or is it just failing to join Domain B? (Could be both if the machine fails to join the domain.)
    Can you review netsetup.log on the machines after the issue and see what error message you might be getting during the domain join process?
    Also, if it is a domain join issue, can you try manually joining Domain B using the same service account?

  • Can an SCCM 2012 instance handle multiple Active Directories?

    Hi All,
    Historically (SCCM 2007 or earlier versions), each Active Directory domain has needed an SCCM instance. Has that changed/improved in SCCM 2012 so that each instance can handle multiple Active Directories?

    Historically (SCCM 2007 or earlier versions), each Active Directory domain has needed an SCCM instance.
    That's not true BTW.
    Torsten Meringer | http://www.mssccmfaq.de

  • I have windows server 2012 R2 and install active directory

    My question is: I installed Active Directory on Windows Server 2012 R2 and created a Group Policy. (This setup is only for testing.)
    I have not registered a domain; I only installed Active Directory to test.
    So the problem is: when I created a Group Policy for my user and put a software restriction policy in it, it affected my administrator accounts too. Now when I open VMware (with a Windows XP virtual machine installed) and start the OS, it shows "you cannot use this software as you are restricted from installing software" (something like that, I don't know the exact error). I could not start the installed virtual machine.
    Please give me a solution for this.
    This setup is for test use only, so there is no big environment connected to my PC.
    Thanks in advance.
    Regards,
    Krunal

    Hi,
    The following article talks about creating and managing Group Policy on Windows Server 2012:
    http://www.thomas-krenn.com/en/wiki/Creating_and_managing_a_Group_Policy_on_a_Windows_2012_Server
    As Darren Blanchard mentioned, if you want to apply the GPO, you could link it to an OU that contains the computer or user.
    Group Policy Overview
    http://technet.microsoft.com/en-us/library/hh831791.aspx
    Please feel free to let us know if you need further assistance.
    Regards.
    Vivian Wang

  • Cross Forest Support - Same Boundaries?

    We're planning to move our existing AD to a new domain with a different name. To support clients in the new domain, would it be easier to just set up a new SCCM 2012 R2 instance and then let it manage systems in the new domain? We currently have our boundaries set up as subnets. If we move clients over to the new domain, we can use the same boundaries over there, can't we?
    Orange County District Attorney

    If everything is going to be migrated over to the new domain, then I would definitely stand up SCCM in the new domain. I wouldn't say you absolutely have to move SCCM to the new domain; you could keep the old domain and leave SCCM in it as long as the AD infrastructure is still in place. But if everything else is being migrated over, then SCCM should be too.
    You shouldn't have to do anything additional as far as permissions to MPs or DPs. I would probably do a reinstall of the SCCM client once the PC has changed domains, but I don't think that's absolutely necessary. All client communication is through HTTP(S) or SMB. HTTP doesn't care what domain a computer is joined to...

  • SCCM 2007 & SCCM 2012 on same forest. Not AD publishing

    We have SCCM 2007. The MP is published on a non-AD Windows DNS server. SiteCode=A00.
    We're going to deploy SCCM 2012. The MP will be published on the same non-AD Windows DNS server. SiteCode=B00.
    So, in DNS there will be two entries.
    During migration, we will remove boundaries from SCCM 2007 and add them to SCCM 2012.
    My question is: how does the SCCM client list the MPs from DNS? In alphabetical order? When it finds some MPs, I suppose it tries to connect to them one by one until it finds a good boundary... no?

    If the boundary is present in only a single site and you use the SCCM site code parameter (don't use Auto) while doing the client installation, there should be no issue.
    Prashant Patil

  • SCCM 2012 - Distributing Flash 16 Active X & Plugin - Disables Play sound in Webpages

    Hello,
    We use MS SCCM 2012 R2 to distribute applications and some updates.
    We have created the necessary packages to distribute Adobe Flash 16 ActiveX & plugin.
    Our end user environment consists of Win7 64-bit, with a range of IE 9, 10 and 11. Mostly 9, then 11, and a few 10s.
    A test deployment to approx. 20 users told us that about 33-50% of the time an IE setting was modified.
    This setting is found at Internet Options, Advanced, Settings, (scroll down) to Multimedia. Setting "Play sounds in webpages".
    Is there a way to prevent this change from happening?

    Anyone? I am attempting to reach Adobe support via phone... Seems Adobe doesn't like to be called about Flash.

  • Boot media and Active Directory Boundaries

    I am using an Active Directory site as a boundary. It works fine for deployments etc. to machines that are already on the domain.
    When I boot with bootable media, however, it does not get any task sequences and it seems like it can't find the management point. When I enter the machine's IP as a static boundary, it works. Please assist? Is this normal behaviour?

    If you are satisfied, then please do mark the thread as answered (don't just tell us that you are happy :-). Marking it as answered helps people know there is an answer, and to not worry about it any longer (those that are moderators of the forums).
    Thanks.
    Wally Mead
    Will do, thanks :-)

  • Problem authenticating user in Active Directory cross domain

    Hi,
    We have two different AD servers serving our London and Tokyo networks. My application runs in London network but used by both London and Tokyo users.
    The two ADs have domain trust setup between them. I have groups defined in London AD to which users from both the London and Tokyo ADs are assigned.
    I'm trying to connect to the London AD using the users' credentials and retrieve the groups they are assigned to.
    I can connect to the London AD using any of the London users and I can retrieve the groups. But when I use a Tokyo user's credentials to connect using the London AD server, I'm getting a security exception with a code indicating "User Not Found".
    The code I use, which is very basic, is given below. The code below, run as such, gives me the following error:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece.
    If I change in the code below, Provider URL to Tokyo AD Server URL then it works but I can't use that due to security restrictions. As per the Windows Team the domain trust should allow me to connect/bind to the London AD Server with the Tokyo credentials.
    ```java
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "london ldap server url");   // ldap://host:port of the London DC
    env.put(Context.SECURITY_AUTHENTICATION, "simple");        // simple bind: name and password sent to the London DC
    env.put(Context.REFERRAL, "follow");
    env.put(Context.SECURITY_PRINCIPAL, "[email protected]");   // the Tokyo user's name (obscured on the page)
    env.put(Context.SECURITY_CREDENTIALS, "password");
    env.put(LdapContext.CONTROL_FACTORIES, "com.sun.jndi.ldap.ControlFactory");
    // Throws javax.naming.NamingException (LDAP error code 49) when the bind fails
    LdapContext ctx = new InitialLdapContext(env, null);
    ```
    I would like to know how to authenticate a user in a cross domain Active Directory environment. I read in one of the blogs that the "simple bind" will not work for cross domain user authentication. Unfortunately the blogger didn't mention what would work :( . Any help is much appreciated.
    Please bear with me if my query is a naive one and point me in the right direction.
    Thanks
    Jothi

    Hi Praveen,
    To avoid losing data when user objects are moved to new locations in the LDAP server, it is possible to configure the User Management Engine to use the value of a specific unique attribute as part of the unique ID instead of the distinguished name.
    For this, you have to change the following UME properties:
    For user objects: ume.ldap.unique_user_attribute=<attributename>
    For account objects: ume.ldap.unique_uacc_attribute=<attributename>
    For group objects: ume.ldap.unique_grup_attribute=<attributename>
    Be aware that the attribute (i.e. cn or uid) must be unique in the configured user/group path.
    Please read SAPNote 777640 for more information regarding this problem and the way to change the UME properties.
    Best regards,
    Robert

  • Implications of Domain Migration / Rename to SCCM 2012 R2

    Our agency is preparing to migrate our entire AD to a new AD domain with a new name. I'm looking for any docs or user experiences with SCCM 2012 R2. Will I need to install a new SCCM 2012 R2 site in the new domain, or is there a way to 'move' the existing site over?
    Orange County District Attorney

    You can do it without installing a new SCCM.
    - Discover the new Active Directory forest under Administration / Hierarchy Configuration in the console.
    - Modify the Active Directory System Discovery settings to discover the new domain's resources.
    - When you are ready to make the migration, remove the boundary config for the old Active Directory and add a new boundary for the new Active Directory.
    It will assign resources from the new Active Directory to your current site assignment and content library.
    Nick Pilon | Blog : System Center Dudes
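    Nick's third step, swapping the old domain's boundary for the new one, is the part that decides site assignment and content location for migrated clients, so it is worth doing with a check that the replacement is in the same boundary group before the old boundary disappears. The script below is an added example, not Nick's, written against the ConfigMgr 2012 R2 console PowerShell module (Get-CMBoundary, New-CMBoundary, Add-CMBoundaryToGroup, Remove-CMBoundary); the site code, AD site names and boundary group name are placeholders.

```powershell
# Added example, not from the thread: replace an AD-site boundary for the old domain with
# one for the new domain's site, keeping the boundary group membership. Runs from a
# console host where the ConfigurationManager module is installed. Names are placeholders.
param(
    [string]$SiteCode      = 'P01',                         # placeholder
    [string]$OldAdSite     = 'HQ-Site-OldDomain',           # placeholder: AD site name in the old forest
    [string]$NewAdSite     = 'HQ-Site-NewDomain',           # placeholder: AD site name in the new forest
    [string]$BoundaryGroup = 'HQ Content and Assignment'    # placeholder
)
# Standard location of the console module, relative to the console's bin\i386 path
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$SiteCode`:"

# BoundaryType 1 = AD site; Value holds the site name
$old = Get-CMBoundary | Where-Object { $_.BoundaryType -eq 1 -and $_.Value -eq $OldAdSite }
if (-not $old) { throw "No AD-site boundary for '$OldAdSite' in site $SiteCode" }
$group = Get-CMBoundaryGroup -Name $BoundaryGroup
if (-not $group) { throw "Boundary group '$BoundaryGroup' not found" }

# Create and group the new boundary first so the group is never left without a boundary
$new = New-CMBoundary -Name "AD Site $NewAdSite" -Type ADSite -Value $NewAdSite
Add-CMBoundaryToGroup -BoundaryId $new.BoundaryID -BoundaryGroupId $group.GroupID

# Retire the old boundary; keep -WhatIf until the migrated clients have been seen requesting content
Remove-CMBoundary -Id $old.BoundaryID -Force -WhatIf
```

    Because an AD-site boundary matches on the site name only, if the new forest reuses the old site names the existing boundary already matches and only the discovery changes in Nick's first two steps are needed; this script is for the case where the site names differ.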

  • Active directory domain services stopped after removing routing and remote access role

    Hello everyone,
    I am in deep trouble. I installed Routing and Remote Access and then lost the remote connection to the server. Then I connected a monitor to the server and removed the role; it asked me to restart the server. After logging back in I found all my Active Directory services were gone. I can see a red cross on Active Directory Domain Services. Also, I am able to ping other PCs but other PCs cannot ping my server.
    However, when I go into the Active Directory services, it shows all services are running except the File Replication Service. I have tried to start that service but it gives error 1053.
    My server intermittently loses the LAN connection. I don't know what is going on. Please help!
    My server is Windows 2008 R2 Service Pack 1.
    Only one DC.
    Has a fixed IP.
    No DNS server running.

    Hi,
    The File Replication Service Start Error 1053 error can be caused by damaged Windows system files. Corrupted system files entries can threaten the well-being of your computer. Many events can result in creating system file errors.
    Please refer to the articles below to troubleshoot the issue:
    File Replication Service Start Error 1053
    http://repairerrors.net/file-replication-service-start-error-1053.html
    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Regards,

  • Cannot find the object "CrossRef" in Active Directory

    I am trying to install Lync 2013. I'm getting the following error:
    Error: An error occurred: "Microsoft.Rtc.Management.Deployment.ActiveDirectoryException" "Cannot find the object "CrossRef" in Active Directory."
    WARNING: Enable-CSAdForest failed.
    This error is at "Step 3: Prepare Current Forest" of the install.

    I've tried to run the forest prep as a local domain and I get the following:
    Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-052cfe14-7f42-4969-88da-83279413ab8c.xml".
    Enable the Active Directory forest to host Lync Server 2013 deployments.
    Prepare Forest Active Directory settings execution failed on an unrecoverable error.
    Creating new log file "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
    WARNING: Enable-CSAdForest failed.
    WARNING: Detailed results can be found at "C:\Users\administrator.xxx\AppData\Local\Temp\2\Enable-CSAdForest-[2013_05_30][13_25_56].html".
    Command execution failed: Container CN=Microsoft,CN=Program Data,DC=xxx,DC=local not found
