Untrusted Forest

Hi
I have a forest (Internal) and I have another forest (External).
SCCM 2012 R2 and SQL 2012 are installed in the "internal" forest. I would like to add a new forest (external) to my SCCM setup which is untrusted. The two forests (internal and external) are not trusted across domains or forests.
Currently, I have clients in a workgroup capable of communicating with the "external" forest.
My question:
1- Is it possible to install an MP and DP in the external forest? Because I have clients within a workgroup that I would like to manage through that MP and DP.
If so, how, please?
Thanks

Yes, this is possible.
Take a look at the following blog entries, which explain the process:
http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx
http://blogs.technet.com/b/neilp/archive/2012/08/24/cross-forest-support-in-configmgr-2012-part-3-deploying-site-server-site-systems-in-an-untrusted-forest.aspx
Cheers
Paul | sccmentor.wordpress.com

Similar Messages

  • SCCM Console, untrusted forest

    Hi,
    I have a site system server with an MP and DP in an untrusted forest. Is it possible to install the SCCM console on it and connect back to the primary server?
    I have checked all ports that are in the documentation https://technet.microsoft.com/en-us/library/hh427328.aspx?f=255&MSPPError=-2147217396 regarding "Configuration Manager Console", but I still cannot run the console. I have tried opening the SCCM console with RunAs and an account in the primary server's forest.
    Do the MP/DP need firewall ports open to the primary server's forest domain controllers in order to authenticate?
    In that case, which ports are needed?
    /A

    Hi Peter,
    We want to have a console on each untrusted-forest site system server to be able to manage the computers in the untrusted forest with Right-Click Tools and Remote Control. Because the untrusted site system server is already on the network, many firewall ports are already allowed. We don't want to do it through the primary because of the difficulty of opening all the firewall ports that are needed for remote tools.
    Does that make sense?

  • User-based deployment to untrusted forest

    Case:
    Domain A has ConfigMgr 2012 server with all roles (MP, DP, SUP...)
    Domain B is untrusted and hasn't got any ConfigMgr site server roles installed
    ConfigMgr site has been introduced to Domain B also, so all the resources can be discovered (systems, users)
    I can deploy software to systems in the untrusted forest
    I cannot deploy software to users in the untrusted forest
    Is this normal behavior? Do I need an MP in the untrusted forest so that I can get my user deployments working? When I deploy software to users in the untrusted domain, they don't even show up in AppDiscovery.log, and the deployment status in the console doesn't show the device for the user.

    See the Support for users in untrusted forests section at http://blogs.technet.com/b/configmgrteam/archive/2012/07/05/tips-and-tricks-for-deploying-the-application-catalog-in-system-center-2012-configuration-manager.aspx
    Jason | http://blog.configmgrftw.com

  • Software Updates in an Untrusted Forest

    Hi all,
    I've built an SCCM 2012 R2 site with 2 forests involved. They are UNTRUSTED.
    Forest 1 contains a primary site with SQL and a secondary across-WAN distribution point. This all worked great for applications and Windows Updates.
    The second, untrusted forest has 1 site server with a Management Point, Fallback Status Point, Distribution Point and default roles. For some reason I can't get a client in the untrusted forest to get the software update packages I create.
    I have deployed them to all distribution points, and the clients in the untrusted forest (manually installed) have shown up in SCCM and are in the correct test collection.
    Boundary groups have been set up with boundaries on IP subnets.
    Are there any specific logs I can check? Does a software update point need adding to the untrusted forest site system?
    A firewall blocks communication between the forests, so I have created site-server-to-site-server rules, but untrusted-forest clients don't have access back to the primary site server.
    If I could just get software updates working I'm complete!! Any help would be great!!

    Thanks for the help troubleshooting.
    This is now resolved.
    For info, the clients in the untrusted forest need to be able to access the WSUS website. As I have a locked-down firewall between my forests, I added an "Any" to SCCM WSUS on port 8530 and tested in IE. The page comes up as access denied, but it proves the connection.
    Software deployment and WSUS on an untrusted domain without any AD connection, DNS or WINS requires a manual (or scripted) install of the clients specifying the SMSLP, SMSSITECODE, SMSMP and SMSFSP for that forest. All these roles are required to be installed on the site server for that untrusted forest when adding it into SCCM if you don't have access to the forest's AD or DNS.
    The only connection clients seem to need back to the primary site is the WSUS website for syncing. Packages are still distributed to the servers in the untrusted forest.
    As I have been using a firewall between the sites, I allowed the site servers communication over the following ports:
    80, 443, 445, 135, 1027, 49152-65535
    Note: Without the RPC dynamic port range I got errors in the SCCM distribution logs.
    Site servers to SQL was as standard: 1433, 4022.
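    The following is an added example and not part of the thread: a PowerShell check, run from the untrusted-forest site system, that probes the ports listed in the resolution above and repeats the poster's "access denied still proves the connection" test against WSUS. The host names, the SQL server name and the 8530 WSUS port are assumptions; the RPC dynamic range (49152-65535) is not probed port by port, because 135 (the endpoint mapper) is what hands out those ports and is the first thing to fail when the range is blocked.

```powershell
# Added example (not from the original thread): verifies from an untrusted-forest
# site system that the firewall allows the ports the poster listed.
# Host names are placeholders; replace them with your own.
$primary  = 'PRI01.internal.example'     # primary site server (assumed name)
$sql      = 'SQL01.internal.example'     # site database server (assumed name)
$wsusPort = 8530                         # WSUS HTTP port from the resolution above

# Site-server-to-site-server ports the poster opened, plus SQL and WSUS.
$checks = @(
    @{ Host = $primary; Port = 80;        Why = 'HTTP (MP/DP, SUP)' },
    @{ Host = $primary; Port = 443;       Why = 'HTTPS' },
    @{ Host = $primary; Port = 445;       Why = 'SMB (content transfer)' },
    @{ Host = $primary; Port = 135;       Why = 'RPC endpoint mapper (dynamic range follows)' },
    @{ Host = $primary; Port = 1027;      Why = 'listed by the poster' },
    @{ Host = $primary; Port = $wsusPort; Why = 'WSUS (client sync)' },
    @{ Host = $sql;     Port = 1433;      Why = 'SQL Server' },
    @{ Host = $sql;     Port = 4022;      Why = 'SQL Service Broker' }
)

$results = foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host    = $c.Host
        Port    = $c.Port
        Purpose = $c.Why
        Open    = $r.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# WSUS reachability: any HTTP status, even 401/403, proves the path (what the
# poster saw in IE). Only a failure to connect means the firewall is in the way.
try {
    Invoke-WebRequest -Uri "http://${primary}:${wsusPort}/" -UseBasicParsing -ErrorAction Stop | Out-Null
    'WSUS: reachable (HTTP 2xx)'
} catch {
    if ($_.Exception.Response) {
        "WSUS: reachable, server answered HTTP $([int]$_.Exception.Response.StatusCode)"
    } else {
        "WSUS: NOT reachable - $($_.Exception.Message)"
    }
}

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked: " + (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
}
```

    Run it before and after each firewall change; a port that shows Open = False here will show up later as the "distribution logs" errors the poster mentioned, which are much harder to trace back to the firewall.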

  • Question on Untrusted Forest and Roles Required.

    Hi, I need some help understanding untrusted forests and system roles.
    All my untrusted forests are well connected to each other; they are all in the same data center for that matter.
    Is at least 1 site system role (MP?) required in an untrusted forest to manage the clients in each untrusted forest from the primary?
    I read this blog here:
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/
    But one of the readers posted at the bottom of the blog that it is not supported, referencing TechNet.

    More info:
    Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation
    http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx 

  • Managing untrusted forest

    Hi All,
    We currently have the following configuration with SCCM 2012 R2 CU4:
    Same forest, same domain (2 x 2 DCs + AD DNS)
     + Primary site server with 300 clients (MP, DP, SUP, SDB, SS, FSP, RSP)
     + Secondary site server with 300 clients (MP, DP, SUP, SDB, SS)
    Distinct untrusted forest (2 DCs + AD DNS)
     + 15 clients
    What's the best configuration to manage the untrusted forest? I already checked the following link (http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx).
    What are the communication port requirements? Clients + site system <-> primary site
    Can we avoid the untrusted clients having to access the primary/secondary site servers?
    We plan to add a site system to the primary site in the remote untrusted forest with MP, DP, SUP roles.
    (AFAIK a secondary site needs trusts, which is not permitted.)
    We need the inventory, software distribution and Windows Updates features in the untrusted forest.
    Link between primary and secondary site is ~16Mb/s
    Link between primary and untrusted forest is ~16Mb/s
    Link between secondary site and untrusted forest is ~1Gb/s
    Thanks a lot!

    The ports used by ConfigMgr are well explained here:
    https://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_CommunicationPorts
    In addition, be aware that for discovering computers in an untrusted forest you need to open port 53 (DNS) between the SCCM server and the remote DC (in the untrusted forest), OR create a secondary DNS zone for the untrusted forest in your DNS.

  • SUP in untrusted forest using SCCM 2012 SP1

    Hi, I have a single primary site in a single domain/AD forest. I also have a single site system in an untrusted forest behind a firewall.
    I have installed a DP and an MP onto this server in the untrusted forest and have now installed WSUS and added the SUP role. The SUP role has been installed; however, the SUP in the untrusted forest isn't syncing its catalog from the SUP in the primary site.
    In the Software Update Point Synchronisation Status, its source is specified as Microsoft Update rather than the name of the primary site server with the SUP role.
    The relevant ports 80/443/8530/8531 are open between the two forests, but it doesn't appear to attempt to sync from the primary site.
    How do I get this SUP to sync from the primary site? I've tried setting a WSUS Server Connection Account, but this doesn't appear to make any difference.
    Thanks for your help.
    Carl

    I had to remove the use of the proxy server at the primary SUP so that it downloads directly from the internet without the use of a proxy.
    As soon as this was removed, the untrusted SUP synchronised successfully. Even though the proxy isn't specified in the SUP properties of the untrusted site system, it still appears to use this when performing a sync.

    Do you want to file this on Connect as feedback to the Product Group?
    https://connect.microsoft.com/ConfigurationManagervnext/Feedback
    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

  • MP Rotation Untrusted Forest.

    Hi, 
    I realize you cannot force a client to use a particular MP, which is creating a design problem for us.
    We have multiple DMZs in an untrusted forest.
    I am not sure how to get around this problem.
    The clients cannot communicate with an MP outside of that DMZ.
    If I have 20 DMZs, and a MP in each, will this not create an MP rotation issue at some point?
    I came across this posting by Anoop; is this the only workaround?
    http://anoopcnair.com/2014/04/11/workaround-sccm-2012-clients-mp-selection-rotation-issue-untrusted-dmz-forests/
    Appreciate any suggestions.

    Is there a single, shared forest (or domain) for all DMZs, or separate forests (or domains) for each DMZ?
    The workaround described in that blog post is for the perception of a bug, not for providing for MP selection.
    Yes, MP rotation could cause an issue -- 20 MPs aren't supported within a single primary site either, so you are also running into a support limitation.
    Depending upon your answer to the forest question, LocationAware is probably the only answer today (without doing something crazy like using multiple primary sites).
    Reverse proxy is another possible solution. This would enable a single MP (or sets of central MPs) to be accessed in a protected manner.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Untrusted forest with duplicate AD site names

    Can anyone speculate on the behavior when enabling Forest Discovery of an untrusted forest that has AD sites with the same names as those in the installed forest (the forest where Config Mgr lives)?
    My concern is that the currently discovered boundaries (AD site boundaries) already exist with those site names, so there may be some kind of conflict when Config Mgr tries to create AD site boundaries based on the untrusted forest's duplicate-named AD sites.

    There will be a conflict, but not with Forest discovery per se. I don't think it will really care. The conflict will come when clients actually use the boundaries for content lookup.
    Do the like-named sites represent the same locations in the enterprise? If so, then this should be a non-issue. If not, then you'll have to switch to another boundary type or get the AD folks to rename their sites -- it would be kind of dumb to name two different locations the same thing, though, so I suspect the former is the case.
    Jason | http://blog.configmgrftw.com | @jasonsandys
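    The following is an added example, not from the thread, that answers Jason's question ("do the like-named sites represent the same locations?") before Forest Discovery is turned on: it pulls the AD site and subnet definitions from both forests and, for each site name that exists in both, shows whether the two sites are backed by the same subnets. It uses the ActiveDirectory module's Get-ADReplicationSite and Get-ADReplicationSubnet; the remote DC name and the credential prompt are assumptions.

```powershell
# Added example (not from the original thread): compare AD site names between the
# home forest and an untrusted forest before enabling Forest Discovery, and for
# every duplicate name show each forest's subnets so you can tell whether the two
# sites are the same physical location. Server name and credential are placeholders.
Import-Module ActiveDirectory

function Get-SiteSubnetMap {
    # Returns a hashtable: @{ 'SiteName' = @('10.1.0.0/16', ...) } for one forest.
    param([string]$Server, [pscredential]$Credential)
    $p = @{ Filter = '*' }
    if ($Server)     { $p.Server     = $Server }
    if ($Credential) { $p.Credential = $Credential }
    $map = @{}
    foreach ($site in Get-ADReplicationSite @p) { $map[$site.Name] = @() }
    foreach ($subnet in Get-ADReplicationSubnet @p) {
        if (-not $subnet.Site) { continue }                                # subnet assigned to no site
        $siteName = (($subnet.Site -split ',')[0]) -replace '^CN=', ''      # 'CN=Site,CN=Sites,...' -> 'Site'
        if ($map.ContainsKey($siteName)) { $map[$siteName] += $subnet.Name }
    }
    return $map
}

$homeMap   = Get-SiteSubnetMap                                   # forest where ConfigMgr lives
$cred      = Get-Credential -Message 'Account with read access in the untrusted forest'
$remoteMap = Get-SiteSubnetMap -Server 'dc01.untrusted.example' -Credential $cred   # assumed DC name

$dupes = @($homeMap.Keys | Where-Object { $remoteMap.ContainsKey($_) })
if ($dupes.Count -eq 0) { 'No AD site name collisions between the two forests.'; return }

$report = foreach ($name in $dupes) {
    $shared = @($homeMap[$name] | Where-Object { $remoteMap[$name] -contains $_ })
    [pscustomobject]@{
        Site           = $name
        HomeSubnets    = ($homeMap[$name]   -join ', ')
        RemoteSubnets  = ($remoteMap[$name] -join ', ')
        SharedSubnets  = ($shared -join ', ')
        # Same subnets on both sides: one location, harmless. Different subnets:
        # two places would end up behind a single AD-site boundary for content lookup.
        LikelySameSite = ($shared.Count -gt 0)
    }
}
$report | Format-Table -AutoSize
```

    A row with LikelySameSite = False is the case Jason warns about: clients from two different locations would match the same AD-site boundary, so switch those boundaries to IP subnet or IP range, or have the site renamed, before discovery creates them.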

  • Untrusted Forest Discovery failed

    I'm having an issue with a remote untrusted forest. Forest Discovery fails, but I can publish site server information to this forest.
    ERROR: [ForestDiscoveryAgent]: Failed to connect to forest domain.com. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.
    Entering function ReportForestConnectionFailureStatusMessage()
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2
    I have configured conditional forwarders between forests and name resolution works. There shouldn't be any firewall issues either, and I tested SRV records via nslookup with this method:
    Type nslookup, and then press ENTER.
    Type set type=all, and then press ENTER.
    Type _ldap._tcp.dc._msdcs.<var>Domain_Name</var>, where <var>Domain_Name</var> is the name of your domain, and then press ENTER.
    Nslookup lists correct domain controllers from remote forest.
    Any ideas what could be causing this? I think it's an AD-related problem.

    LDAP://DCNAME.domain.com/OU=Computers,DC=domain,DC=com 
    I tested this last week and this works. Now I can discover computer objects from the untrusted forest. There must be something wrong with the AD/DNS infrastructure, because normally you don't need to specify the domain controller directly; it should find it with an SRV lookup.
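    The following is an added example and not part of either post. It turns the poster's two manual checks (the nslookup SRV query, then the explicit LDAP://DCNAME path that worked) into one script run on the site server, and also covers the earlier reply about port 53 and conditional forwarders: step 1 resolves the remote forest's DC SRV records through the site server's own DNS, step 2 binds over LDAP first without naming a DC (how discovery locates one) and then to each DC from the SRV answer (the poster's workaround). If only the explicit binds succeed, the fault is DC location/DNS rather than the account. The forest name domain.com is taken from the poster's log; the credential prompt and DirectoryEntry bind are assumptions about how you would test, not how ConfigMgr is implemented.

```powershell
# Added example (not from the original thread). Diagnoses the forest discovery
# failure above in two steps: (1) can the site server resolve the remote forest's
# DC SRV records, (2) can it bind to a DC over LDAP with the discovery account.
$remoteForest = 'domain.com'                 # untrusted forest root, from the poster's log
$cred = Get-Credential -Message 'Forest discovery account (REMOTEDOMAIN\user)'

# Step 1: the same SRV lookup the poster did with nslookup, through the server's
# own DNS. This is the path that needs port 53 to the remote DNS (or a secondary
# zone / conditional forwarder) as the earlier reply pointed out.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteForest" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
if (-not $srv) { throw "No SRV records for $remoteForest: DC location cannot work from here." }
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# Step 2: bind serverless (relies on the DC locator, as discovery does) and then to
# each DC by name (the poster's LDAP://DCNAME.domain.com/... workaround).
Add-Type -AssemblyName System.DirectoryServices
function Test-LdapBind {
    param([string]$Path, [pscredential]$Credential)
    try {
        $de = New-Object System.DirectoryServices.DirectoryEntry(
            $Path,
            $Credential.UserName,
            $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AuthenticationTypes]::Secure)   # signed/sealed, no simple bind
        $null = $de.distinguishedName           # reading a property forces the actual bind
        [pscustomobject]@{ Path = $Path; Bound = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ Path = $Path; Bound = $false; Error = $_.Exception.Message }
    }
}

$baseDn = 'DC=' + ($remoteForest -replace '\.', ',DC=')     # domain.com -> DC=domain,DC=com
$binds = @(Test-LdapBind -Path "LDAP://$remoteForest/$baseDn" -Credential $cred)
foreach ($dc in $srv) {
    $binds += Test-LdapBind -Path "LDAP://$($dc.NameTarget):$($dc.Port)/$baseDn" -Credential $cred
}
$binds | Format-Table -AutoSize

# Interpretation: serverless bind fails while named binds succeed -> DC locator /
# DNS problem (the poster's case). Every bind fails with a security error -> the
# account, not the network. Named binds fail on some DCs only -> firewall or a DC
# that is registered in DNS but unreachable from this server.
```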

  • Deploying SCOM 2012 Agents to untrusted Forests/Domain

    Can we deploy SCOM 2012 agents to an untrusted forest/domain? I don't want to use SCCM 2012 for installing agents via package deployment. Please suggest.
    Regards,
    Ravi

    Yes, you can deploy the SCOM agent to an untrusted domain manually, using a certificate.
    For SCOM agent deployment, you can refer to the links below:
    http://www.toolzz.com/?p=279
    http://jimmoldenhauer.blogspot.com/2012/11/scom-2012-deploying-agents-to-untrusted.html
    Mai Ali | My blog: Technical | Twitter: Mai Ali

  • Why client installation fails in untrusted forest?

    I have one untrusted forest, and my ConfigMgr site is published to this untrusted forest's AD successfully. When running ccmsetup.exe in the untrusted forest it fails, and when I look at ccmsetup.log I can see that it fails to locate a management point. Why is this happening, since site information is available in AD?

    If you are trying to do auto site assignment, is there a boundary published for site assignment that this client falls within?
    If not, have you considered just doing SMSSITECODE=<your site code> and also specifying an initial management point for it to contact with SMSMP=<accessible MP>?
    Nash
    Nash Pherson, Senior Systems Consultant | Now Micro | My Blog Posts
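    The following is an added example, not from this thread, that scripts the install Nash describes (and the manual/scripted install the Software Updates poster earlier on this page used to resolve his case): ccmsetup.exe run on a client that cannot read site information from AD, with the site code, an initial MP and the fallback status point all passed on the command line. The ccmsetup property name for the fallback status point is FSP (the earlier poster wrote SMSFSP; that is his wording). Because such a client also cannot fetch the site's trusted root key from AD, the example passes SMSPUBLICROOTKEY as well, so the client can verify that the MP it reaches is this hierarchy's MP instead of trusting whichever MP answers first. Site code, host names, the local path of ccmsetup.exe and the key value are placeholders.

```powershell
# Added example (not from the original thread): scripted client install for a
# machine in a workgroup or untrusted forest that cannot read the site's
# information from AD, so every location is passed on the command line.
# Site code, host names, local path and the root key value are placeholders.
$siteCode = 'P01'
$mp       = 'MP01.external.example'        # MP in the untrusted forest (assumed name)
$fsp      = 'FSP01.external.example'       # fallback status point there (assumed name)
$setup    = 'C:\Temp\Client\ccmsetup.exe'  # copied from <site server>\Client (assumed path)

# Trusted root key, copied from <site server>\bin\i386\mobileclient.tcf
# (the SMSPublicRootKey= line). Without it, a client that cannot read AD has no
# way to tell a legitimate MP from a rogue one answering on the same name.
$rootKey  = '<paste SMSPublicRootKey value here>'

$cmdArgs = @(
    "/mp:$mp",                    # where ccmsetup downloads the client files from (HTTP)
    "SMSSITECODE=$siteCode",      # no auto site assignment, as Nash suggests
    "SMSMP=$mp",                  # initial MP to contact
    "FSP=$fsp",                   # fallback status point (ccmsetup property name)
    "SMSPUBLICROOTKEY=$rootKey"
)
Write-Host "$setup $($cmdArgs -join ' ')"
$p = Start-Process -FilePath $setup -ArgumentList $cmdArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "ccmsetup.exe bootstrap failed with exit code $($p.ExitCode)" }

# The bootstrap exits quickly and hands over to the ccmsetup service; the outcome
# lands in ccmsetup.log. Wait for its final line, then show the MP-lookup and
# result lines, which is where the poster's install was failing.
$log = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $tail = @(Get-Content -Path $log -Tail 300 -ErrorAction SilentlyContinue)
} until (($tail -match 'CcmSetup is exiting with return code').Count -gt 0 -or (Get-Date) -gt $deadline)
$tail | Select-String -Pattern 'return code|Failed|management point|MP' | Select-Object -Last 15
```

    If the log still shows the client failing to locate an MP with these properties set, the problem is reachability of $mp from the client (name resolution or port 80/443), not site lookup in AD.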

  • Domain is not discovered in untrusted forest

    I have the following Setup.
    Domain A in forest A. ASCCM2012 primary server with SCCM 2012 SP1 CU1 installed with MP, DP and SUP. Domain A is a 2008 R2 domain.
    Domain B in forest B, MP, DP and SUP installed on BSCCM2012. Domain B is a 2012 domain.
    There is no trust between forest A and forest B. For the testing, the firewalls on the SCCM servers are disabled. There is full network connectivity between the servers. I have set up a forest discovery account SCCMADDiscover that is created in domain B as a normal user.
    Problem.
    I have setup forest discovery (and thereby forest publishing) of the Forest B on the Primary SCCM server.
    In the console on the "Active Directory Forests" it says that both the discover and the publishing have been successfully.
    But when I look at the "Domains" tab for the Forest B it says “No Items Found”.
    When I look in the ADForestDisc.log file I see the following errors:
    Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:20 7988 (0x1F34)
    ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException. Discovery will be attempted on next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function ReportForestDiscoverySuccessStatusMessage() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Raising discovery success status message for forest B, in which we discovered 1 site(s) and 0 subnet(s). SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=ASCCM2012 SITE=P01 PID=2344 TID=7988 GMTDATE=to maj 16 11:07:21.315 2013 ISTR0="AssensOpen.dk" ISTR1="" ISTR2="" ISTR3=""
    ISTR4="0" ISTR5="1" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to update forest fqdn for all site systems associated with site P01 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to discover forest name for server BSCCM2012. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Failed to get the domain basic info for machine BSCCM2012. Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to discover forest name for server BSCCM2012 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Failed to get the domain basic info for machine BSCCM2012 Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    As can be seen in the log file, it fails to get the forest name and domain name for the server BSCCM2012 in the untrusted domain. It gets an error 5, which I assume is Access Denied.
    I have tried to give the SCCMADDiscover account domain and enterprise admin rights, but that did not help. I have also tried to add SCCMADDiscover to the local admin group on the BSCCM2012 server, but that didn't help either.
    It also seems that the data is not saved correctly.
    ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException
    Where does the SCCMADDiscover account have insufficient rights?
    Thomas Forsmark Soerensen

    Thanks for letting me know. This means that this is not the root cause, so I can focus on other things.
    There's also another problem I'm not sure is related to the Forest Discovery, and I wonder if it's the same for you. I will create a separate topic if it's not related, but maybe you can confirm from your side. For the computers which have been discovered in the untrusted forest, when I go to the properties of a system, the property "System OU Name" changes from time to time. When I look at the property throughout the day for different systems, it's sometimes empty, sometimes shows the complete OU paths and sometimes just the single OU containers. For example, when a system is located in EU\COMPUTERS\SERVERS, sometimes the whole path is shown (like for all systems in the trusted forest) and sometimes it just shows "EU";"COMPUTERS";"SERVERS", or it's just empty. All for the same system at different times throughout the day. It's as if it's not able to grab the complete OU paths. I have no error in the AD System Discovery log, so I wonder if this is related to the Forest Discovery too.
    This makes it impossible to build collections based on system OUs, so I am using the DN currently (which is populated properly).

  • SCCM 2012 R2 - Install MP in the Untrust forest How to???

    Hello, my customer wants to install an MP in an untrusted forest...
    1- I have added the forest in the add forest menu
    2- I have set the option for client push installation
    3- The sccmadmin account was created in the untrusted forest with the same password
    4- But AD reports a connection error with the untrusted forest.
    5- What are the correct step-by-step instructions to accomplish this installation?

    Extending the AD schema is not a requirement unless you are using Network Access Protection; see also:
    http://technet.microsoft.com/en-us/library/gg712272.aspx
    I don't know what errors you get, but also make sure that the site is not trying to publish information to that AD. That could cause errors if the AD schema is not extended.
    My Blog: http://www.petervanderwoude.nl/ | Follow me on Twitter: pvanderwoude

  • ConfigMgr 2012 R2 and managing clients in untrusted forest

    I have read the documentation and I'm still not 100% sure what the possible limitations are in my situation. I have 2 AD forests without any trusts between them. I'm planning to deploy ConfigMgr 2012 R2 in forest A. I also have clients in forest B.
    I need to install operating systems via PXE, applications and windows updates to clients in untrusted forest. I'm also planning to support internet clients. 

    You can manage clients in untrusted forests. This blog is a good place to start:
    http://blogs.technet.com/b/manageabilityguys/archive/2012/09/05/system-center-2012-configuration-manager-and-untrusted-forests.aspx
    Managing internet clients is called IBCM (Internet-Based Client Management). You can read about it here:
    http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson
