DP in untrusted forest?
Friends, I am looking for guidance on installing a DP in an untrusted forest.

Current config:
1. No AD extension, mixed mode.
2. Clients locate the MP from DNS and SLP.
3. Single site in Forest A, where the site server with all the site components resides. Now I need to install just a DP in Forest B, mainly for Software Updates.
4. No trust between Forest A and B, and a firewall in between them.
5. SQL resides in Forest A.

Steps taken so far:
1. SCCM agents installed manually on Forest B clients with the SLP and site code CCMSETUP installation switches.
2. Forest B clients can very well communicate with the MP residing in Forest A. (I have the name resolution done with a separate DNS scope.)
3. Configured the Network Access Account (belongs to Forest B) for clients accessing packages from Forest A.
4. Installed the DP in Forest B using an installation account (belongs to Forest B).
5. Got ports 80 and 445 opened in the firewall as well.

Issue:
1. When I try to copy a package to the newly created DP in Forest B, it won't copy and throws the below error message in distmgr.logs:

*** [28000][18452][Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an un-trusted domain and cannot be used with Windows authentication.
Failed to connect to the SQL Server.

Any suggestions? Is this scenario possible in the first place? To me it looks similar to the scenario of managing workgroup clients. Any help is much appreciated!

Regards, AR
May 29th, 2012 4:00am

That's not supported, see http://technet.microsoft.com/en-us/library/bb694003.aspx:

"All other site systems within a site that are not listed above must reside within the same Active Directory forest. They can be installed in different domains within the forest, with the exception of the site server, SMS Provider computer, reporting point, and site database server, which must all reside in the same domain."

Torsten Meringer | http://www.mssccmfaq.de
May 29th, 2012 5:12am

Thanks for writing, Torsten! I went through this link before as well, and it seems to say the other way round:

"Internet-based client management, which supports the following site systems installed in a separate forest to the site server:
Management point
Distribution point
Software update point
Fallback status point"

And then it says the below comment, which you quoted:

"All other site systems within a site that are not listed above must reside within the same Active Directory forest. They can be installed in different domains within the forest, with the exception of the site server, SMS Provider computer, reporting point, and site database server, which must all reside in the same domain."

Am I getting it right? To me it says there can be a DP in a separate forest. What do you say?

Many thanks, AR

Best Regards, AR
May 29th, 2012 7:53am

That's true, but only if you are using IBCM (Internet-based client management), and you did not mention native mode at all.

Torsten Meringer | http://www.mssccmfaq.de
May 29th, 2012 8:04am

You are right, Torsten! I misread Internet as Intranet.

To summarize it for readers:
1. You cannot have any site systems in a non-trusted forest if you run the site in mixed mode (single site).
2. There is a clear requirement for native mode here, and in turn a Public Key Infrastructure along with it, to manage intranet/Internet clients located in a different forest.

Coming back to my requirement: is there any other way I can achieve this? Another primary site? Anything else?

Many thanks, AR

Best Regards, AR
May 29th, 2012 8:22am

How many clients should be managed in the untrusted forest? You could also treat them as workgroup clients (if it's only a few) or set up another primary site.

Torsten Meringer | http://www.mssccmfaq.de
May 29th, 2012 9:01am

It would be 50-100 clients. Could you please elaborate on the options?
1. Workgroup clients: what would be the action items?
2. Another primary site: can that span across a non-trusted forest under the above conditions?

Thanks for your help again!

Best Regards, AR
May 29th, 2012 10:33am

#1: see http://technet.microsoft.com/en-us/library/bb680962.aspx and the links contained in the document
#2: yes (and I already posted the link in one of my previous postings: http://technet.microsoft.com/en-us/library/bb694003.aspx)

Torsten Meringer | http://www.mssccmfaq.de
May 29th, 2012 11:11am

This topic is archived. No further replies will be accepted.
