Deploy SCCM in an environment with multiple domains
Hi,

How can I manage to deploy SCCM in an environment with multiple domains, where no trusts exist? I have requests from several customers who want us to manage their environment. I don't want to deploy a separate SCCM infrastructure in each domain, so I hope someone is able to help me here.

Cheers,
Kenneth
December 7th, 2007 8:28am

I believe there is some documentation in our doc set on this, though not sure how much. First off, do you mean different domains, or different forests? That makes a difference. When you are talking about multiple customers, that to me means forests. If so, then we do support managing client computers in a different forest than the site is installed in. The biggest issues are that clients can't access AD to find site resources, so you need to have a WINS infrastructure to find those resources. And clients can't access the distribution points using the computer account, so you need to specify a Network Access account that clients can use to access the distribution points.
December 7th, 2007 11:24am

This is not everything, but I hope this helps get you started. I have been doing this in testing for both SMS 2003 and SCCM.

You have to resolve the management points etc., so if it is in a domain outside of the forest SCCM is installed in, you need to use WINS or hosts files to resolve them:
http://www.myitforum.com/articles/8/view.asp?id=7323

You probably also need to configure the SPN for your SQL?? Then you cannot push the clients, so you have to do a manual install and point it to the site code.

The stuff is out there. Another forest is just like a workgroup, BUT not every component works if the client is not in the forest SCCM is installed in. The key ones do, but remote etc. does not. Not sure about NAP etc.

From http://technet.microsoft.com/en-us/library/bb680717.aspx

To support workgroup clients, the following requirements must be met:

- During client installation, the logged-on user must possess local administrator rights on the workgroup system. The only account that Configuration Manager 2007 can use to perform activities that require local administrator privileges is the account of the user that is logged on to the computer.
- The Configuration Manager client must be installed from a local source on each client machine. This requirement ensures a local source for repair and client update application will be available for the client.
- Workgroup clients must be able to locate a server locator point for site assignment because they cannot query Active Directory Domain Services. The server locator point can be manually published in WINS, or it can be specified in the CCMSetup.exe installation command-line parameters.
- Workgroup clients use the Network Access Account, downloaded as part of their machine policy, to access package source files on distribution points.

Important: Until a workgroup client has been approved in the Configuration Manager console, it will be unable to download machine policies containing the Network Access Account information.

Although workgroup computers can be Configuration Manager 2007 clients, there are inherent limitations in supporting workgroup computers:

- Workgroup clients cannot reference Configuration Manager 2007 objects published to Active Directory Domain Services. For workgroup clients to locate their default management point computer, it must be registered and accessible to workgroup clients in either WINS or DNS.
- Active Directory system, user, or user group discovery is not possible.
- User targeted advertisements are not possible.
- The client push installation method is not supported for workgroup client installation.
- Using a workgroup client as a branch distribution point is not supported. Configuration Manager 2007 requires that branch distribution point computers be members of a domain.
December 7th, 2007 11:36am
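
The workgroup-client requirements quoted in the post above, written as a pre-install check to run on the client; this is an added example, not part of the original thread or of Microsoft's documentation. The site code, server name and source path are constructed placeholders, and SMSSITECODE and SMSSLP are the CCMSetup.exe properties for the site code and the server locator point.

```powershell
# Added example: pre-install check for a workgroup / untrusted-forest client.
# All default values below are constructed placeholders.
param(
    [string]$SiteCode  = 'XYZ',                          # assigned site code
    [string]$SlpHost   = 'SLP01',                        # server locator point name
    [string]$SetupPath = 'C:\Temp\Client\ccmsetup.exe'   # local copy of the client source
)

function Test-LocalAdmin {
    # Client installation runs as the logged-on user, who must be a local admin.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-LocalSource([string]$Path) {
    # Require a drive-letter path on a fixed disk; UNC paths and mapped drives fail.
    if ($Path -notmatch '^[A-Za-z]:\\') { return $false }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $drive = New-Object IO.DriveInfo($Path.Substring(0, 1))
    return ($drive.DriveType -eq [IO.DriveType]::Fixed)
}

function Test-NameResolves([string]$Name) {
    # Uses the system resolver, so a hosts-file entry satisfies this check;
    # short names may also resolve through NetBIOS/WINS.
    try { return (@([Net.Dns]::GetHostAddresses($Name)).Count -gt 0) }
    catch { return $false }
}

$checks = [ordered]@{
    'Logged-on user is a local administrator'  = (Test-LocalAdmin)
    'CCMSetup.exe is on a local fixed disk'    = (Test-LocalSource $SetupPath)
    "Server locator point '$SlpHost' resolves" = (Test-NameResolves $SlpHost)
}

$failed = 0
foreach ($item in $checks.GetEnumerator()) {
    if ($item.Value) { $status = 'OK' } else { $status = 'FAIL'; $failed++ }
    Write-Output ("[{0,-4}] {1}" -f $status, $item.Key)
}

if ($failed -eq 0) {
    Write-Output "Install with: `"$SetupPath`" SMSSITECODE=$SiteCode SMSSLP=$SlpHost"
    Write-Output 'Then approve the client in the console so it can receive the Network Access Account.'
} else {
    Write-Output "$failed requirement(s) not met; fix these before installing."
}
```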

For a Configuration Manager client that's enabled for NAP, there is no difference whether the computer is in the same or different forest from its site. The client never contacts Active Directory for anything NAP-related in Configuration Manager - it's the site server and System Health Validator point that contact Active Directory.

- Carol

This posting is provided AS IS with no warranties and confers no rights.
December 7th, 2007 5:50pm

Yes, that scenario is fully supported. You can have different primary sites in different forests. However, secondary sites must be in the same forest as their parent primary site. That looks to be the case here. For this, since you are installing child primary sites in each forest, depending on any trusts, you may just have to designate a local account in the forest as the sender address account to the remote site. For example:

Central site (site CEN in domain CENDOMAIN):
- Create address to child site 1 (CH1) and designate the account CH1DOMAIN\user as the connection account
- Adds "CENDomain\User" as a member of the SMS_SiteToSiteConnection_CEN group

Child site (CH1 in domain CH1Domain):
- Create an address to parent site CEN and designate the account CENDomain\user as the connection account
- Adds "CH1Domain\User" as a member of the SMS_SiteToSiteConnection_CH1 group

Each site creates a user called "user" (or whatever you want it to be). Again, I think there is some documentation on this in the docs, just search on "forest" and see what comes up.
December 10th, 2007 11:50am

Suppose you have the following scenario:

Site A
- Domain1, separate forest
- SCCM primary site with secondaries
- AD schema is extended for Site A SCCM primary

Site B
- Different SCCM primary site (not managed by Site B)
- Domain2, separate forest
- *** All computer accounts in this site are a member of Site A, Domain 1 )
- Firewall between Site A and B (only certain ports open), i.e. proxy settings pointing to proxy in Site A

My question is: how do you configure the clients in Site B to use the SCCM server in Site B?

1. Publish MP and SLP in WINS, or use local hosts file for Site B primary
2. Use local network access account (local on PC) for Site B SCCM server (different domain/forest)
3. Manually install client and assign to site code for Site B

Do I need to do anything else? Since there are IE proxy settings, will this have any bearing on the client, although the client is running under system context?

Any suggestions are welcome.

Thanks,
Lawrence Byrne
February 7th, 2010 11:57pm

Hi, Please see my solution at: http://social.technet.microsoft.com/Forums/en-US/configmgrai/thread/3729e8cf-db7f-48ae-9766-6222b725f352 Best regards, -Yossi Mitch
September 21st, 2012 1:29pm

This topic is archived. No further replies will be accepted.
