User-based deployment to untrusted forest

Case:
Domain A has ConfigMgr 2012 server with all roles (MP, DP, SUP...)
Domain B is untrusted and hasn't got any ConfigMgr site server roles installed
ConfigMgr site has been introduced to Domain B also, so all the resources can be discovered (systems, users)
I can deploy software to systems in the untrusted forest
I cannot deploy software to users in the untrusted forest
Is this normal behavior? Do I need an MP in the untrusted forest so that I can get my user deployments working? When I deploy software to users in the untrusted domain, they don't even show up in AppDiscovery.log, and the deployment status in the console doesn't show the device for the user.

See the Support for users in untrusted forests section at http://blogs.technet.com/b/configmgrteam/archive/2012/07/05/tips-and-tricks-for-deploying-the-application-catalog-in-system-center-2012-configuration-manager.aspx
Jason | http://blog.configmgrftw.com

Similar Messages

  • User based deployment not working

    Looking to make app available to user IDs.
    I have the user IDs into a user collection and making package available to collection.  Content is on the distribution points.
    It isn't showing up on the client. The package is set to be available, so I'm not getting a return code automatically.
    It isn't required, so there is no package ID or deployment ID to search for.
    Where do I start looking?
    Also, this is my first use of user-based collections, so is there anything I need to enable?

    Here's a post to reinforce Torsten's answer and provide additional detail:
    http://blogs.technet.com/b/configmgrteam/archive/2012/03/31/introducing-the-application-catalog-and-software-center-in-system-center-2012-configuration-manager.aspx
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Untrusted forest with duplicate AD site names

    Can anyone speculate on the behavior when enabling Forest discovery of an untrusted forest that has AD sites with the same names as what are in the installed forest (The forest where Config Mgr lives)?
    My concern is that the currently discovered boundaries (AD Site boundaries) already exist with the Site names so there may be some kind of conflict when Config Mgr tries to create AD Site boundaries based on the untrusted forest's duplicate named AD sites.

    There will be a conflict, but not with Forest discovery per se. I don't think it will really care. The conflict will come when clients actually use the boundaries for content lookup.
    Do the like-named sites represent the same locations in the enterprise? If so, then this should be a non-issue. If not, then you'll have to switch to another boundary type or get the AD folks to rename their sites -- it would be kind of dumb to name two different locations the same thing though, so I suspect the former is the case.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Deploying SCOM 2012 Agents to untrusted Forests/Domain

    Can we deploy SCOM 2012 agents to untrusted forest/domain? I don't want to use SCCM 2012 for installing agents via package deployment. Pls suggest.
    Regards,
    Ravi

    Yes, you can deploy the SCOM agent to an untrusted domain manually, using a certificate.
    For deploying the SCOM agent, you can refer to the links below:
    http://www.toolzz.com/?p=279
    http://jimmoldenhauer.blogspot.com/2012/11/scom-2012-deploying-agents-to-untrusted.html
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Mai Ali | My blog: Technical | Twitter: Mai Ali

  • User based application deployment issue

    Hi
    Since one week ago I have had some problems with user-based application deployment. It worked until last week without any problem, but now I can't deploy any application. If I check the deployment status, it always says "unknown".
    I see the user name but no device. But if the user logs on to another (new) device, the deployment works again. On all the devices the users currently use, I can't deploy applications.
    Has anyone an idea what could be the reason for that and how it could be fixed?
    Thanks in advance.
    Sacha

    Yes, I've got the ConfigMgr toolkit installed, but the deployments are also not listed in the Deployment Monitoring Tool. The client logs are normal, no errors. I'm pretty sure the deployment doesn't reach the client. There are no requirements configured.
    Just to clarify, all current clients are affected, not just a few. What could also be interesting: I changed the client settings last week. Before, I had automatic primary device assignment by usage configured. Now I've disabled that again. Maybe that could be a reason?

  • Domain is not discovered in untrusted forest

    I have the following Setup.
    Domain A in forest A: ASCCM2012 primary site server with SCCM 2012 SP1 CU1 installed, with MP, DP and SUP. Domain A is a 2008 R2 domain.
    Domain B in forest B: MP, DP and SUP installed on BSCCM2012. Domain B is a 2012 domain.
    There is no trust between forest A and forest B. For the testing, the firewalls on the SCCM servers are disabled. There is full network connectivity between the servers. I have set up a forest discovery account, SCCMADDiscover, that is created in domain B as a normal user.
    Problem.
    I have set up forest discovery (and thereby forest publishing) of forest B on the primary SCCM server.
    In the console, under "Active Directory Forests", it says that both the discovery and the publishing have been successful.
    But when I look at the "Domains" tab for forest B it says "No Items Found".
    When I look in the ADForestDisc.log file I see the following errors:
    Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:20 7988 (0x1F34)
    ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException. Discovery will be attempted on next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function ReportForestDiscoverySuccessStatusMessage() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Raising discovery success status message for forest B, in which we discovered 1 site(s) and 0 subnet(s). SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=ASCCM2012 SITE=P01 PID=2344 TID=7988 GMTDATE=to maj 16 11:07:21.315 2013 ISTR0="AssensOpen.dk" ISTR1="" ISTR2="" ISTR3="" ISTR4="0" ISTR5="1" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to update forest fqdn for all site systems associated with site P01 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to discover forest name for server BSCCM2012. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Failed to get the domain basic info for machine BSCCM2012. Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Entering function CActiveDirectoryForestDiscovery::GetForestName() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Trying to discover forest name for server BSCCM2012 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    Failed to get the domain basic info for machine BSCCM2012 Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)
    As can be seen in the log file, it fails to get the forest name and domain name for the server BSCCM2012 in the untrusted domain. It gets error 5, which I assume is Access Denied.
    I have tried to give the SCCMADDiscover account domain and enterprise admin rights, but that did not help. I have also tried to add SCCMADDiscover to the local admin group on the BSCCM2012 server, but that didn't help either.
    It also seems that the data is not saved correctly:
    ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException
    Where does the SCCMADDiscover account have insufficient rights?
    Thomas Forsmark Soerensen

    Thanks for letting me know. This means that this is not the root cause, so I can focus on other things.
    There's also another problem. I'm not sure if it's related to the Forest Discovery, and I wonder if it's the same for you. I will create a separate topic if it's not related, but maybe you can confirm from your side. For the computers which have been discovered in the untrusted forest, when I go to the properties of a system, the property "System OU Name" changes from time to time. When I look at the property throughout the day for different systems, it's sometimes empty, sometimes shows the complete OU paths and sometimes just the single OU containers. For example, when a system is located in EU\COMPUTERS\SERVERS, sometimes the whole path is shown (like for all systems in the trusted forest) and sometimes it just shows "EU";"COMPUTERS";"SERVERS", or it's just empty. All for the same system at different times throughout the day, as if it's not able to grab the complete OU paths. I have no error in the AD System Discovery log, so I wonder if this is related to the Forest Discovery too.
    This makes it impossible to build collections based on System OUs, so I am using the DN currently (which is populated properly).
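    The ADForestDisc.log excerpt above is in the standard ConfigMgr component-log layout (message, component, date, time, thread id), and the diagnosis in the post rests on reading the numeric Win32 code at the end of the "Failed to get the domain basic info" line: 5 is ERROR_ACCESS_DENIED. The following is an added example, not code from the thread or from ConfigMgr: a small Python parser that splits such lines into their fields and flags the entries worth a closer look. The sample lines are copied from the excerpt above; the error-code table is limited to a few well-known Win32 constants, and the finding labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ConfigMgr component logs, pasted from CMTrace as plain text, end with
# "<component> <dd-MM-yyyy> <HH:mm:ss> <thread id> (0x<thread id hex>)".
# The message itself may mention the component name (see the ReportStatus line),
# so the message group is non-greedy and the trailing date/time anchors the split.
LOG_LINE = re.compile(
    r"^(?P<message>.*?)\s+"
    r"(?P<component>SMS_[A-Z0-9_]+)\s+"
    r"(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<tid>\d+)\s+\((?P<tid_hex>0x[0-9A-Fa-f]+)\)\s*$"
)

# Win32 error codes that forest discovery surfaces as "Error returned is: N".
# These are the documented Win32 constants; the table is deliberately short.
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    53: "ERROR_BAD_NETPATH",
    1326: "ERROR_LOGON_FAILURE",
    1722: "RPC_S_SERVER_UNAVAILABLE",
}

ERROR_RETURNED = re.compile(r"Error returned is:\s*(\d+)")

# Sample input: lines copied from the ADForestDisc.log excerpt quoted in the post.
SAMPLE_LINES = [
    "Entering function GetUserCredentials() SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:20 7988 (0x1F34)",
    "ERROR: [ForestDiscoveryAgent]: Failed to save data for domain B in forest B due to ActiveDirectoryOperationException. Discovery will be attempted on next cycle. SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)",
    "Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)",
    "Failed to get the domain basic info for machine BSCCM2012. Error returned is: 5 SMS_AD_FOREST_DISCOVERY_MANAGER 16-05-2013 13:07:21 7988 (0x1F34)",
]


@dataclass
class LogEntry:
    message: str
    component: str
    timestamp: str
    thread: int


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one CMTrace-style line into its fields; None if it is not in that layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        message=m.group("message"),
        component=m.group("component"),
        timestamp=f"{m.group('date')} {m.group('time')}",
        thread=int(m.group("tid")),
    )


def classify(entry: LogEntry) -> Optional[str]:
    """Return a short finding label for lines worth a closer look, else None."""
    m = ERROR_RETURNED.search(entry.message)
    if m:
        code = int(m.group(1))
        return f"win32 error {code} ({WIN32_ERRORS.get(code, 'unknown')})"
    if "ActiveDirectoryOperationException" in entry.message:
        return "directory operation failed (data not saved)"
    if entry.message.startswith("ERROR:"):
        return "generic error"
    return None


def scan(lines: List[str]) -> List[Tuple[str, int, str, str]]:
    """Parse every line and keep (timestamp, thread, label, message) for flagged ones."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry.timestamp, entry.thread, label, entry.message))
    return findings


if __name__ == "__main__":
    for ts, tid, label, msg in scan(SAMPLE_LINES):
        print(f"{ts} [{tid}] {label}: {msg}")
```

    Running it over the excerpt flags exactly two lines: the ActiveDirectoryOperationException save failure and the error-5 lookup of BSCCM2012, which is the same pair the post singles out. The thread id is kept so that, on a full log, the two can be tied to the same discovery cycle.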

  • Issuing certificates for user and clients from different forest/domain

    Hello,
    First I would like to say that I have done some research on this forum and on the Internet overall.
    I have an AD forest with ~10 sites all over Europe, DFL and FFL are 2008 R2, and right now we are migrating site by site from the old domain (Samba) to AD.
    Lately I have deployed a PKI based on an offline root CA and 2 enterprise CAs acting as a 2-node failover cluster.
    Everything in my AD forest is OK; I mean, autoenrollment works perfectly for users and computers from my forest.
    Now I need to deploy a certificate (for test) to one web-based PBX server in the Samba domain. There are no trusts etc. The Samba domain as well as the AD forest are working on the same network, with routable subnets in each site, so there is no problem with connectivity.
    What are the possible ways to achieve this goal? I mean to issue a cert to a client from a different forest, so that this client is able to validate it, validate the certificate chain and renew it when needed?
    I have installed and configured the CE Web Service and the CE Policy Web Service. Now I have configured enrollment policies on my virtual machine (being part of a different domain). I selected username/password authentication, I am able to request a certificate, I can see all templates which I should see, but when I try to enroll I get an error:
    (translated from my language) A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
    My root CA cert is added to Trusted Publishers for the computer and user node as well.
    What could be wrong? If you have any ideas or questions, please share or ask.
    Thank you in advance.

    Everything is clear, I have Certificate Enrollment Web Services installed and configured.
    The problem is what I get from certutil -TCAInfo:
    ================================================================
    CA Name: COMPANY-HATADCS002-ISSUING-CA
    Machine Name: COMPANYClustGenSvc
    DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
    Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
     NotAfter: 2019-02-14 12:44
    Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
    Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
      Enterprise Subordinate CA
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 02:
        Issuer: CN=HATADCS001-COMPANY-ROOT-CA
        ThisUpdate: 2014-02-14 12:16
        NextUpdate: 2024-02-15 00:36
        d7bafb666702565cae940a389eaffef9c919f07a
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 11:55
      NotAfter: 2024-02-14 12:05
      Subject: CN=HATADCS001-COMPANY-ROOT-CA
      Serial: 18517ac8a4695aa74ec0c61b475426a8
      b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    Exclude leaf cert:
      5b309c67a8b47c50966088a4d701c8526072c9ac
    Full chain:
      413b91896ba541d252fc9801437dcfbb21d37d91
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
    Supported Certificate Templates:
    Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
    Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
    Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
    Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
    Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
    Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
    Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
    Validated Cert Types: 7
    ================================================================
    COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
      Enterprise Subordinate CA
      A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
      Online
    CertUtil: -TCAInfo command completed successfully.
    Please put some light on it because it's driving me crazy :/
    Thanks in advance
    One remark: certutil -tcainfo performed on the CA directly is 100% OK, with no errors regarding
    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"
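    Two lines of the output above carry the answer: the policy being applied (CERT_CHAIN_POLICY_NT_AUTH, selected by CA_VERIFY_FLAGS_NT_AUTH) and the final status (0x800b0112, CERT_E_UNTRUSTEDCA). The NT_AUTH policy requires the issuing CA to be present in the machine's NTAuth store, which domain-joined machines populate from the forest's NTAuthCertificates object and a machine outside the forest does not; Trusted Publishers is a different store and is not consulted. The following is an added example, not code from the post or from certutil: a Python parser that pulls the policy, the chain elements and the HRESULT out of a certutil -TCAInfo dump (the embedded excerpt is trimmed from the output quoted above), converts between certutil's hex and signed-decimal forms of the HRESULT, and states what the combination means. The wording produced by `explain` is this example's own.

```python
import re

# Trimmed from the certutil -TCAInfo output quoted in the post above (constructed sample).
TCAINFO_EXCERPT = """\
CA Name: COMPANY-HATADCS002-ISSUING-CA
  Enterprise Subordinate CA
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=HATADCS001-COMPANY-ROOT-CA
  NotBefore: 2014-02-14 12:34
  NotAfter: 2019-02-14 12:44
  Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
  Serial: 618f3506000000000002
  Template: SubCA
  9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    CRL 02:
    Issuer: CN=HATADCS001-COMPANY-ROOT-CA
    NextUpdate: 2024-02-15 00:36
    d7bafb666702565cae940a389eaffef9c919f07a
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=HATADCS001-COMPANY-ROOT-CA
  NotBefore: 2014-02-14 11:55
  NotAfter: 2024-02-14 12:05
  Subject: CN=HATADCS001-COMPANY-ROOT-CA
  Serial: 18517ac8a4695aa74ec0c61b475426a8
  b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Exclude leaf cert:
  5b309c67a8b47c50966088a4d701c8526072c9ac
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
"""

POLICY_RE = re.compile(r"^CERT_CHAIN_POLICY_[A-Z_]+$")
FIELD_RE = re.compile(r"^(Issuer|Subject|NotBefore|NotAfter|Serial|Template):\s*(.+)$")
THUMB_RE = re.compile(r"^[0-9a-fA-F]{40}$")          # SHA-1 thumbprint on a line by itself
ERROR_RE = re.compile(r"0x([0-9a-fA-F]{8}) \((-?\d+) ([A-Z0-9_]+)\)")


def hresult_to_signed(hresult: int) -> int:
    """HRESULTs are 32-bit; certutil prints the unsigned hex and the signed decimal side by side."""
    return hresult - (1 << 32) if hresult & 0x80000000 else hresult


def hresult_facility(hresult: int) -> int:
    """Bits 16..26 of an HRESULT; 0x00B is FACILITY_CERT, where the CERT_E_* codes live."""
    return (hresult >> 16) & 0x7FF


def parse_tcainfo(text: str) -> dict:
    """Extract the chain policy, the chain elements and the final status from a -TCAInfo dump."""
    policy, chain, error, current = None, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if POLICY_RE.match(line):
            policy = line
        elif line.startswith("CertContext["):
            current = {}
            chain.append(current)
        elif line.startswith(("Exclude leaf cert:", "Full chain:")):
            current = None  # repeated hashes follow; don't attach them to an element
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current.setdefault(m.group(1).lower(), m.group(2))  # CRL sub-block must not overwrite
            elif THUMB_RE.match(line):
                current.setdefault("thumbprint", line.lower())  # first hash is the cert, later ones are CRLs
        m = ERROR_RE.search(line)
        if m:
            error = {"hresult": int(m.group(1), 16), "signed": int(m.group(2)), "name": m.group(3)}
    return {"policy": policy, "chain": chain, "error": error}


def explain(parsed: dict) -> str:
    err = parsed["error"]
    if err is None:
        return "chain validated under %s" % parsed["policy"]
    if parsed["policy"] == "CERT_CHAIN_POLICY_NT_AUTH" and err["name"] == "CERT_E_UNTRUSTEDCA":
        return ("chain built, but an issuing CA is not in this machine's NTAuth store "
                "(NTAuthCertificates); Trusted Publishers is a different store and does not satisfy NT_AUTH")
    return "%s (0x%08x) under %s" % (err["name"], err["hresult"], parsed["policy"])


if __name__ == "__main__":
    result = parse_tcainfo(TCAINFO_EXCERPT)
    for element in result["chain"]:
        print(element.get("subject"), "<-", element.get("issuer"), element.get("thumbprint"))
    print(explain(result))
```

    On a machine outside the forest, the check passes once the issuing CA certificate is in the local NTAuth store (certutil -addstore NTAuth with the CA's .cer file); adding the root to Trusted Publishers, as described in the post, leaves this policy unsatisfied.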

  • ConfigMgr 2012 R2 and managing clients in untrusted forest

    I have read documentations and I'm still not 100% sure what are the possible limitations in my situation. I have 2 AD forests without any trusts between them. I'm planning to deploy ConfigMgr 2012 R2 in forest A. I also have clients in forest B.
    I need to install operating systems via PXE, applications and windows updates to clients in untrusted forest. I'm also planning to support internet clients. 

    You can manage clients in un-trusted forests. This blog is a good place to start.
    http://blogs.technet.com/b/manageabilityguys/archive/2012/09/05/system-center-2012-configuration-manager-and-untrusted-forests.aspx
    Managing internet clients is called IBCM (Internet Based Client Management). You can read about it here
    http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

  • User based uninstall collections - Dynamic

    Hi Guys,
    I have been looking for some time at how user-based uninstalls are done, and I see that mostly people do an Exclude on the collection and deploy an uninstall to basically everyone who DOESN'T have the application deployed to them. The issue with this is that if you have a high number of apps (500 let's say) you deploy 400 either uninstall or install deployments to everyone, which dramatically slows down deployment of apps on new machines etc.
    With App-V the queries are fairly straightforward, and we have dynamically changing uninstall collections that only show users that have the app in a compliant state on a workstation in the estate; when they are fully unpublished they drop out of the collection based on compliance state.
    I am trying to achieve the same method for uninstall collections where physical installs are used. Unfortunately there isn't a class like the App-V AppClientState for physical apps, or from what I can see at least, and I just wanted to see if anyone had achieved uninstall collections for physical apps in a more dynamic way than doing Include/Exclude on the collections, which I see as very static and uneconomical.
    Many thanks,
    Adam

    Hi Hican, Torsten,
    Thanks both for your replies. Below is the query I have used. I'll just be clear that this may not suit a lot of environments because of users moving around etc.
    select SMS_R_USER.ResourceID, SMS_R_USER.ResourceType, SMS_R_USER.Name, SMS_R_USER.UniqueUserName, SMS_R_USER.WindowsNTDomain
    from SMS_R_User
    where uniqueusername in (
        select distinct SMS_G_System_SYSTEM_CONSOLE_USAGE.TopConsoleUser
        from SMS_G_System_ADD_REMOVE_PROGRAMS
        INNER JOIN SMS_G_System_SYSTEM_CONSOLE_USAGE
            ON SMS_G_System_SYSTEM_CONSOLE_USAGE.ResourceID = SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID
        WHERE SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = '<ARP DISPLAYNAME>'
          and TopConsoleUser not in (Select SMSID From SMS_CM_RES_COLL_XXXXXXX)
    )
    This query basically finds all workstations with a specific display name in ARP; it then looks at the TopConsoleUser in the SystemConsoleUsage class for that workstation. The user resource is then pulled back based on that username, and the uninstall is deployed to the user alongside the install.
    When the machine tied to that user no longer has that software installed, the user drops out of the collection. I have these collections scheduled to update overnight at random intervals.
    You will note at the end I use a "NOT IN" clause so I can exclude specific accounts from being included in the uninstall collections. The reason for this is we have a couple of service accounts that get used heavily in various places and end up getting registered as the top console user in some instances. This is put in as a safeguard.
    The only bit in the query that changes is the <DisplayName> section, which is what gets added in ARP:
    SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = '<ARP DISPLAYNAME>'
    Again you need to be careful here, as a program may have the same display name as another if it hasn't been versioned correctly. In this case it may be better to use another attribute such as Product GUID.
    Lastly, if you choose to have an exclude collection like myself, the collection class will also need amending:
    and TopConsoleUser not in (Select SMSID From SMS_CM_RES_COLL_XXXXXXX)
    Someone may say there is an issue with doing it this way. Obviously if users roam a lot you could end up stripping software off people's machines, which is why I say it may not suit some environments, but this goes quite well where we are.
    Some users may also not show if they are not yet registered as the TopConsoleUser of their workstation, as this is a 3 month calculation (if I remember rightly). If this is being put in with a new, not yet deployed app it looks clean from a returned list of users standpoint; if however you have an estate where applications have never been uninstalled and workstations have changed hands, initially you will see a lot of users in the uninstall collections which weren't in the install. These applications will uninstall for them and they will drop out of the collections.
    Hican, like I said, adding the software metering part in to the above query could prove even more economical, as the uninstall deployment wouldn't actually be deployed if the software was active. If I get a chance I will look at this.
    Hopefully the above makes sense; obviously this is just my take on how to do some uninstall collections, and if someone decides to try it they are doing so at their own risk. Retrofitting uninstalls is painful and risky.
    Thanks,
    Adam

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
    Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation exercise.
    You'll need to obtain the user's SID (either from the cn or from the objectSID attribute) from the foreignSecurityPrincipal object. For example:
    CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
    objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
    Then obtain the domain RID, eg.
    S-1-5-21-3771862615-1804478405-1612909269
    Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossRef objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like
    //specify the LDAP search filter
    String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
    //Specify the Base for the search
    String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
    For each crossRef object, you can then use the dnsRoot attribute to determine the DNS domain name of the forest/domain (if you want to later use DNS to search for the DNS name or IP address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
    dnsRoot = contoso.com
    ncName = dc=contoso,dc=com
    Perform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RIDs with domain distinguished names and DNS names.
    String ldapURL = "ldap://contoso.com:389";
    Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
    // objectSID is returned as a byte[]; decode it to S-1-... form before printing or comparing it
    System.out.println("Domain SID: " + attrs.get("objectSID").get());
    Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal!
    Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships, if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreign security principals", where the original user object has been deleted!
    BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
    Good luck.
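    The navigation described in the reply pivots on two details that trip people up: the objectSID attribute comes back from JNDI as a byte array rather than the S-1-5-... string, and the domain to search is identified by everything in the principal's SID except its last sub-authority (the RID). The following is an added example, not adler_steven's code or the thread's: it decodes and encodes binary SIDs, pulls the SID out of a foreignSecurityPrincipal DN, splits off the RID, and matches the domain part against a lookup table of trusted domains like the one the reply suggests caching. The TRUSTED_DOMAINS table is constructed for the example (the contoso.com entry uses the SID values from the reply; the second entry is made up); in a real deployment it would be filled from the crossRef walk and the per-domain objectSID reads shown above, and the returned search base and filter would be handed to an LDAP search against that domain.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def sid_from_bytes(blob: bytes) -> str:
    """Decode a binary objectSID (what attrs.get("objectSID").get() returns) into S-1-... form.
    Layout: revision (1), sub-authority count (1), identifier authority (6, big-endian),
    then count x 32-bit little-endian sub-authorities."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; needed for the escaped binary LDAP filter form."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID string: " + sid)
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def split_domain_sid(sid: str) -> Tuple[str, int]:
    """A principal SID is <domain SID>-<RID>; the domain SID is everything before the last sub-authority."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def fsp_sid(dn: str) -> str:
    """Take the SID out of a foreignSecurityPrincipal DN such as
    CN=S-1-5-21-...-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com"""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    value = value.strip()
    if attr.strip().upper() != "CN" or not SID_RE.match(value):
        raise ValueError("not a foreignSecurityPrincipal DN: " + dn)
    return value


def sid_filter_binary(sid: str) -> str:
    """objectSid filter in escaped-binary form, as the JNDI/SID thread linked above builds it."""
    return "(objectSid=" + "".join("\\%02x" % b for b in sid_to_bytes(sid)) + ")"


# Constructed lookup table standing in for the cached crossRef walk: dnsRoot, nCName and the
# objectSID read from each trusted domain's naming-context head (stored as bytes, as LDAP returns it).
TRUSTED_DOMAINS: List[Dict[str, object]] = [
    {"dnsRoot": "contoso.com", "nCName": "dc=contoso,dc=com",
     "objectSID": sid_to_bytes("S-1-5-21-3771862615-1804478405-1612909269")},
    {"dnsRoot": "fabrikam.example", "nCName": "dc=fabrikam,dc=example",
     "objectSID": sid_to_bytes("S-1-5-21-1111111111-2222222222-3333333333")},
]


def resolve_fsp(dn: str, domains=TRUSTED_DOMAINS) -> Optional[Dict[str, object]]:
    """Map a foreignSecurityPrincipal DN to the trusted domain that owns its SID, and return
    what an LDAP search against that domain needs. None means no known trusted domain matches
    (an orphaned FSP, or a trust the table does not know about)."""
    sid = fsp_sid(dn)
    domain_sid, rid = split_domain_sid(sid)
    for d in domains:
        if sid_from_bytes(d["objectSID"]) == domain_sid:
            return {
                "domain": d["dnsRoot"],
                "searchBase": d["nCName"],
                "filter": "(objectSid=%s)" % sid,   # AD accepts the string form in filters
                "filter_binary": sid_filter_binary(sid),
                "rid": rid,
            }
    return None


if __name__ == "__main__":
    print(resolve_fsp("CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com"))
```

    The group check the reply describes then becomes: read the group's member values, feed each CN=S-1-... entry through resolve_fsp, and search the returned base with the returned filter; a None result is the orphaned-FSP case the reply warns about and should be treated as "not a member", not as an error to retry.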

  • Automate USER BASED PACKAGE installations in SCCM 2012

    Hi All,
    I want to automate the installation of software(in my case a user based package) from the Application Catalog.
    Here is just some general information:
    1. All software (Applications and Packages) deployed to Device Collections will be published in Software Center
    2. All software (Applications and Packages) deployed to User Based Collections will be published in the Application Catalog
    3. Once software has been deployed from the Application Catalog, it is also available/visible in Software Center .. this could be confusing for (scripted) test purposes!
    To automate installations I tested the following (PowerShell) methods:
    Method 1 - Install Device Based Packages (This works)
    $SoftwareCenter = New-Object -ComObject UIResource.UIResourceMgr
    # to show applications
    $Application = $SoftwareCenter.GetAvailableApplications() | where {$_.name -like $APPNAME}
    # to install an application
    $SoftwareCenter.ExecuteProgram($Application.id, $Application.PackageId, $true)
    (once a User Based Package has been installed from the Application Catalog, it will be shown in the results of this method .. but initially it isn't!!)
    Method 2 - Install Device based Applications (This works)
    Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_Application -Name Install -ArgumentList 0,"xxAPP scope IDxx",$True,$False,1,1
    Method 3 - Install User based Applications
    Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_Application -Name Install -ArgumentList 0,"xxAPP scope IDxx",$False,$False,1,1
    (once a User Based Application has been installed from the Application Catalog, this method can be used .. but initially it can't!!)
    Method 4 - Install User Based Packages (NOT WORKING)
    This solution is based on an (scripted) installation from the Application Catalog. Information can be found on the following sites:
    http://blogs.technet.com/b/configmgrteam/archive/2012/09/19/extending-the-application-catalog-in-system-center-2012-configuration-manager.aspx
    http://allthingsconfigmgr.wordpress.com/2012/10/02/application-catalog-uncovered/#more-284
    You can see the usable operations/methods by using the following URL in your SCCM 2012 environment:
    http://YOURSITE/CMApplicationCatalog/ApplicationViewService.asmx
    The method I tried for the installation part is 'installapplication', see example below:
    $service.Installapplication($appid, $deviceid, $null)
    This syntax is correct because it's giving a result that indicates that my command was correct (when I change the variables it produces an error), but that's it ... no application is installed.
    For the record: the operations/methods 'RequestApplicationForUser' and 'GetApplications' are working fine.
    There is also a log file 'ServicePortalWebService.log' on the Application Catalog server in C:\Program Files\SMS_CCM\CMApplicationCatalogSvc\Logs, where I can see that the installation call is (correctly) being made.
    To be short:
    Is there anybody who can tell me how to automate (with PowerShell) a USER BASED PACKAGE installation?
    With kind regards,
    Hayo Veenstra

    Thanks for your reaction.
    What I want is to create shortcuts in the start menu of a user that initiate an SCCM software installation. We also use this method for our SCCM 2007 environment by initiating advertisements. I do not want required user deployments, because when that user logs on on another machine (for a short time) .. all his/her software will be deployed. So I do not want to install unnecessary software .. only what a user initiates.
    Do you have other suggestions?
    I'm not sure about the shortcuts. But, as for required deployments to users installing on all machines they log onto: not if you have User Device Affinity running for you. You can set a requirement in the application to only install on a user's
    primary device. Another option that we often deploy is to use App-V to deploy a virtual version of that app if the device they logged onto is not their primary. When they log off, it goes away. This is all done using User Device Affinity.
    This is new in 2012.

  • Software Updates in an Untrusted Forest

    Hi all,
    I've built an SCCM 2012 R2 site with 2 forests involved. They are UNTRUSTED.
    Forest 1 contains a primary site with SQL and a secondary across WAN distribution point. This all worked great for Applications and Window Updates.
    The second untrusted forest has 1 site server with a Management Point, Fallback Status Point, Distribution Point and default roles. For some reason I can't get a client in the untrusted forest to get the software update packages I create.
    I have deployed them to all distribution points and the clients in the untrusted forest (manually installed) have shown up in SCCM and are in the correct test collection.
    Boundary groups have been setup with boundaries on IP subnets.
    Is there any specific logs I can check? Does a Software Update Point need adding to the untrusted forest site system?
    A firewall blocks communication between the forests, so I have created site server to site server rules, but untrusted forest clients don't have access back to the primary site server.
    If I could just get this software updates working I'm complete!! Any help would be great!!

    Thanks for the help troubleshooting,
    This is now resolved.
    For info, the clients in the untrusted forest need to be able to access the WSUS website. As I have a locked down firewall between my forests I added an Any to SCCM WSUS on port 8530 and tested in IE. The page comes up as access denied but it proves the connection.
    Software deployment and WSUS on an untrusted domain without any AD connection, DNS or WINS requires a manual (or scripted) install of the clients specifying the SMSLP, SMSSITECODE, SMSMP and SMSFSP for that forest. All these roles are required
    to be installed on the site server for that untrusted forest when adding it into SCCM if you don't have access to the forest's AD or DNS.
    The only connection clients seem to need back to the primary site is the WSUS website for syncing. Packages are still distributed to the servers in the untrusted forest.
    As I have been using a firewall between the sites, I allowed the site server communication over the following ports:
    80, 443, 445, 135, 1027, 49152-65535
    Note: Without the RPC dynamic port range I got errors in the SCCM distribution logs.
    Site server to SQL was standard: 1433, 4022.

  • Untrusted Forest

    Hi
    I have a forest (Internal) and I have another forest (External).
    SCCM 2012 R2 and SQL 2012 are installed in the "internal" forest. I would like to add a new forest (external) to my SCCM setup which is "untrusted". The two forests (internal and external) are not trusted across domains or forests.
    Currently, I have clients in a workgroup capable of communicating with the "external" forest.
    My question:
    1. Is it possible to install an MP and DP in the external forest? Because I have clients within a workgroup that I would like to manage through that MP and DP.
    If so, HOW TO PLEASE!?
    Thanks

    Yes this is possible.
    Take a look at the following blog entries which explain the process:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx
    http://blogs.technet.com/b/neilp/archive/2012/08/24/cross-forest-support-in-configmgr-2012-part-3-deploying-site-server-site-systems-in-an-untrusted-forest.aspx
    Cheers
    Paul | sccmentor.wordpress.com

  • Creating native MSI bundle that is "per user"-based (not "system"-based)

    I am trying to collect all information in order to create a native MSI bundle that is "per user" based - but failed.
    This means:
    (.) The MSI should install into the user's local directory
    (.) There should be no admin permission required
    When using the default <fx:deploy ... nativebundle="msi" ...> ANT element, the MSI is created "system wide", installing in "/Program Files" and requiring admin permission.
    In the Oracle documentation (http://docs.oracle.com/javafx/2/deployment/self-contained-packaging.htm) there is no concrete hint how to create "per user" based MSI files. Maybe someone has already done this and could tell the important steps...
    THANKS!
    PS: I know - using the .exe-bundling with Inno Setup will create "per user" based installers by default, but I do not want to use .exe if possible

    Try
    <fx:preferences install="false"/>
    although the parameter name doesn't give much indication that it's system vs per user :)
    I checked the MSI bundler code and it should honor this.
    Let me know if this works (I don't have time to try myself today and am leaving on Holidays for a week so won't be able to check until I'm back).
    Mark

  • Reporting on user based deployments

    We have done a large deployment of software on a user based collection, does anyone know of a way to report on the result of the deployment?
    All the built-in reports seem to be targeted at machine-based deployments and do not seem to work for user deployments.
    Thanks

    If you want to get the report of a particular user, you need to use the report I mentioned above.
    If you want to get a report of a User collection, use the report All application deployments (advanced) or basic.
    Juke Chou
    TechNet Community Support
