DCOM errors on site server when connecting to site systems in remote untrusted domains

 

When the site component manager and SMS executive are trying to access site systems in remote domains in an untrusted forest, I got a lot of events in the system log with event ID 10028:
 
"DCOM was unable to communicate with the computer <computername> using any of the configured protocols; requested by PID     32a4 (D:\Program Files\Microsoft Configuration Manager\bin\x64\sitecomp.exe)."
 
"DCOM was unable to communicate with the computer <computername> using any of the configured protocols; requested by PID     2990 (D:\Program Files\Microsoft Configuration Manager\bin\x64\smsexec.exe)."
 
I have checked the sitecomp.log and smsexec.log for errors, but I can't find anything wrong and everything seems to be working fine. I am using the Site system installation account to connect to the site systems. Is this normal behavior?
 
Thanks
Markus Lindgren

October 29th, 2013 4:28pm

Hi,

Have you checked the firewall? This problem may be the result of a firewall blocking the connection. For security, COM+ network access is not enabled by default. Check the system to determine whether the firewall is blocking the remote connection.

Best Regards,

Joyce Li

October 31st, 2013 4:16am

Yes, there is no firewall between the site server and the site systems and no local firewalls on the servers. Could it be that DCOM is trying to use Kerberos authentication connecting to the site system in the remote untrusted domain and then falls back to NTLM?
October 31st, 2013 5:10pm

Hi Kungcocos,

I have the exact same issue when I have MP in untrusted domain.

From the MP in untrusted domain, I also found this:

It seems the primary site server is trying to communicate with the MP in untrusted domain by using its computer account, which cannot be recognized by the MP. Thus, the authentication failed.

Is this normal or not? What is the primary site server trying to do with the MP in untrusted domain?

January 10th, 2014 6:34pm

There is continuous communication between the MP and the primary site server. You need to configure a site system account for that site system so that this communication can take place.
January 10th, 2014 7:19pm

Hello Jason,

Thanks so much for getting back. But how to configure that account? I don't see any option in SCCM to configure the account that can be used by ccmexec.exe and sitecomp.exe when communicating with the server in untrusted forest.

Besides, all SCCM components are working properly, and there are no error messages in SCCM logs.

Could you please provide more information about configuring the account?

Thanks a lot!

January 10th, 2014 7:22pm

You have to do this on the Site System role of the server in the console in the Admin workspace under Site Config -> Server and Site System Roles.
January 10th, 2014 7:30pm

Hi Jason,

Do you mean this one?

I've configured that already for the MP site systems, and all components worked fine but the DCOM errors.

Anything else that I can try?

Thanks again!

January 10th, 2014 7:38pm

Hi!

I still have the same issue. I opened a Premier support case, but so far no resolution. I have also configured the site system installation account, but the primary site server still seems to use the computer account first, and then the site system account. Microsoft has not confirmed this to be true.

January 13th, 2014 2:51am

Thank you so much!

I opened a case with Microsoft support last Friday with Software Assurance support, but I guess this is a bug. :)

Do you have any problems on your site components and servers in the untrusted forest? Could you please post back here for the result of the Premier support?

Thanks again!

January 13th, 2014 9:04am

No problems on the site systems in the untrusted forest, no errors in ConfigMgr logs or in Event Viewer. I run MP and DP on the site systems in the untrusted forests.

I will post back here when I get a result from Microsoft. Please post if you get an answer from Software Assurance support.

Maybe I can send you the contact details for my support engineer at Microsoft and you can forward them to yours so they can work together on the case?

January 13th, 2014 9:19am

Same result here. We don't have any problems on all systems, but the annoying DCOM errors.

I will update here with the SA support. If you have your Case ID, it would be great if I could have it. I will let the SA support reproduce this issue first.

Thanks!

January 13th, 2014 9:48am

I had to check the security event logs again on the site system, and I was wrong in my last reply. I have the same event on the site system in the untrusted forest as you have, the site server is trying to use the computer account and fails. The event is generated at the same time the DCOM event is generated on the site server. Got to be a bug that it is not trying the site system installation account first.

January 13th, 2014 9:50am
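
The correlation described in the post above (a failed logon on the site system at the same moment as the DCOM 10028 event on the site server) can be checked with a short script. This is an added example, not part of the original thread or any Microsoft tooling; it assumes the failed logon is Security event ID 4625 (the thread does not name the event), and the host name, account name and timestamps are constructed sample data.

```powershell
# Added example; host names, accounts and timestamps below are constructed.
# Live input (4625 = failed logon, an assumption; the thread does not name the event):
#   Get-WinEvent -FilterHashtable @{LogName='System'; Id=10028}                      # site server
#   Get-WinEvent -ComputerName <site system> -FilterHashtable @{LogName='Security'; Id=4625}

$pattern = 'communicate with the computer (?<Target>\S+) using any of the configured ' +
           'protocols; requested by PID\s+(?<ProcId>[0-9a-f]+) \((?<Image>.+)\)'

function ConvertFrom-Dcom10028 {
    param([datetime]$Time, [string]$Message)
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Time      = $Time
            Target    = $Matches.Target
            ProcessId = [Convert]::ToInt32($Matches.ProcId, 16)  # event text shows the PID in hex
            Image     = ($Matches.Image -split '\\')[-1]         # file name only
        }
    }
}

function Join-DcomWithLogonFailure {
    # Pairs each DCOM error with failed logons within $WindowSeconds (allow for clock skew).
    param($Dcom, $Failures, [int]$WindowSeconds = 5)
    foreach ($d in $Dcom) {
        $near = @($Failures | Where-Object {
            [math]::Abs(($_.Time - $d.Time).TotalSeconds) -le $WindowSeconds })
        [pscustomobject]@{
            Time               = $d.Time
            Image              = $d.Image
            Target             = $d.Target
            FailedAccounts     = ($near.Account | Sort-Object -Unique) -join ', '
            MachineAccountUsed = [bool]($near.Account -like '*$')  # computer accounts end in $
        }
    }
}

$t0   = [datetime]'2014-01-13T09:00:00'
$text = 'DCOM was unable to communicate with the computer {0} using any of the configured ' +
        'protocols; requested by PID     {1} (D:\Program Files\Microsoft Configuration Manager\bin\x64\{2}).'
$dcom = @(
    ConvertFrom-Dcom10028 -Time $t0 -Message ($text -f 'mp01.untrusted.example', '32a4', 'sitecomp.exe')
    ConvertFrom-Dcom10028 -Time ($t0.AddMinutes(10)) -Message ($text -f 'mp01.untrusted.example', '2990', 'smsexec.exe')
)
$failures = @(
    [pscustomobject]@{ Time = $t0.AddSeconds(1);  Account = 'CORP\SITESRV01$' }
    [pscustomobject]@{ Time = $t0.AddMinutes(10); Account = 'CORP\SITESRV01$' }
)
Join-DcomWithLogonFailure -Dcom $dcom -Failures $failures | Format-Table -AutoSize
```

A row with MachineAccountUsed set to True is the pattern the posters describe: the site server's computer account failing against the untrusted site system at the moment of the DCOM error.
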

My incident number on premier support is 113110610923387.
January 14th, 2014 3:06am
