Remote untrusted Domains

Hi,

I hope someone can advise.

My environment is SCCM 2012 R2 (5.0.7958.1000). The SCCM Site Server is in a Data Centre domain. I am trying to set up cross-forest connectivity to an untrusted forest; there are no trusts or connectivity in place, so the servers in the remote domain have no visibility of the SCCM domain/Site Server. I have followed the instructions here:

http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx

As we are going to be doing this for quite a few remote, untrusted domains of varying sizes, we are going for the 3rd scenario Neil identifies. Each remote domain will have a site system running, as a minimum, a Management Point and an Endpoint Protection Point.

I have worked my way through Neil's documentation, and I have got as far as MP deployment. Forest discovery in my test domain has worked successfully and client machines are visible within SCCM (with no client agents deployed). In the console, under Active Directory Forests, I see that Discovery succeeded, but Publishing Status is showing Insufficient access rights.

Since the forests are untrusted, I cannot add the Site Server computer account to the permissions of the System Management container in the remote domain. The System Management container does have in it the details for the SCCM Site Server (mSSMSSite, mSSMSManagementPoint and mSSMSRoamingBoundaryRange), but not the local site system (Management Point).

When I look in the sitecomp.log file on the SCCM Site Server, I see some lines which are worrying:

SMS-MP-<SITECODE>-<Site Server>.<Domain.local> could not be updated, error code = 5

SMS-MP-<SITECODE>-<Site Server>.<Domain.local> could not be updated (using SMSv1 Schema), error code = 5

Then, after a few lines which include successful impersonation, a successful network connection to the remote domain's Domain Controller, updating MP config and security config etc., the log says

Reverting to current impersonation

Publishing <REMOTE DOMAIN CONTROLLER>.<REMOTE DOMAIN>.<LOCAL> (FQDN of remote DC) as a Management Point into Active Directory.

SMS-MP-<SITECODE>-<Remote MP Server name>.<Domain.local> could not be created with Configmgr 2007/2012 Schema, error code = 5

SMS-MP-<SITECODE>-<Remote MP Server name>.<Domain.local> could not be created, Win32 error = 5

I have configured a group of accounts in the remote domain to do all the various domain/forest lookups that Neil documents in the blog series. The Management Point has installed successfully on the remote site system (MPSetup.log says Installation was successful and mpmsi.log says ConfigMgr Management Point Installation operation completed successfully). But MPControl.log is filled with

Call to HttpSendRequest failed for port 80 with access code 500

Http test request failed, status code is 500, Internal Server Error

I assume this is because the System Management container is not properly populated. During the setup process I extended the remote domain schema, and I can see in the extadsch.log file that all went well.

My question: is this a problem with the schema extension (do I need to re-run a more up-to-date extadsch.exe? I believe the .exe was from the SCCM 2012 R2 DVD, but I cannot be sure), or is this a permissions error on the remote System Management container? The console seems to indicate it is access rights; the sitecomp.log file seems to indicate it is a schema version issue. Has anyone seen this before? Please can someone advise? I have to get this nailed, so that I can update internal documentation and deploy SCCM to several remote untrusted domains.

Many Thanks in advance

Regards

August 27th, 2015 7:19am

For this error (Insufficient access rights) in the discovery: since there is no trust you can't give the site system rights to the container, but you can configure an account in the untrusted domain, and in the discovery window you can specify that account. So SCCM will use the account of the untrusted domain to do its query.

The error you are getting on the MP has nothing to do with the schema update or the Active Directory discovery. Did you do a test to see if the MP actually listens on port 80? Try http://<ServerName>/sms_mp/.sms_aut?mplist to see if the MP answers.




August 27th, 2015 7:41am

Hello Frederick,

Many thanks for the prompt reply to my question. I already have a remote domain account specified in that dialog box you mention; it is an account that has Read access to the System Management container, but yesterday I gave it Write access as well (to the container) and it made no difference. I will amend the permissions so that it has Read on the whole Active Directory and Read/Write on the container and see what happens.

Many thanks. At least I know now I don't need to re-extend the schema :-)

Regards

John

August 27th, 2015 10:36am

The primary site server computer account (in your case it has to be the account you created) must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.

This is only in the case you want to publish in that container, which is an option you can check in the same window I have shown above (Publishing tab).

https://technet.microsoft.com/en-us/library/gg712264.aspx?f=255&MSPPError=-2147217396#BKMK_PrepAD



August 27th, 2015 10:40am
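As an added example (not code from the thread, from Neil's blog or from the TechNet page), the following PowerShell script does from the site server's side what Frederick describes: it binds to the untrusted domain with explicit credentials, grants the untrusted-domain account Full Control (GenericAll, inherited by all child objects) on the System Management container, reads the ACL back to confirm the ACE is present, and then lists the objects published there. The DC name dc01.remote.local, the account name sccmpublish and the credential prompt are placeholders; the credential you supply must itself be allowed to change that container's ACL in the remote domain.

```powershell
# Added example (not from the thread): grant an untrusted-domain account
# Full Control on the System Management container and list what is
# published there. Placeholders: $RemoteDc, $GrantTo and the credential
# prompt. Needs LDAP (389) reachability to the remote DC.
param(
    [string]$RemoteDc   = 'dc01.remote.local',   # assumed DC in the untrusted domain
    [string]$GrantTo    = 'sccmpublish',         # assumed sAMAccountName of the publishing account
    [PSCredential]$Cred = (Get-Credential -Message 'Remote-domain account allowed to edit the container ACL')
)

Add-Type -AssemblyName System.DirectoryServices

function New-RemoteEntry {
    param([string]$Path)
    # Explicit credentials and a Secure (signed/sealed) bind: there is no
    # trust, so the caller's own Kerberos identity is useless here.
    New-Object System.DirectoryServices.DirectoryEntry(
        $Path,
        $Cred.UserName,
        $Cred.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
}

$rootDse   = New-RemoteEntry "LDAP://$RemoteDc/RootDSE"
$defaultNc = $rootDse.Properties['defaultNamingContext'].Value
$domain    = New-RemoteEntry "LDAP://$RemoteDc/$defaultNc"
$container = New-RemoteEntry "LDAP://$RemoteDc/CN=System Management,CN=System,$defaultNc"

# Resolve the account's SID inside the remote domain. NTAccount.Translate()
# on the site server would fail because the site server cannot see this forest.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$GrantTo))"
[void]$searcher.PropertiesToLoad.Add('objectSid')
$acct = $searcher.FindOne()
if (-not $acct) { throw "Account '$GrantTo' not found under $defaultNc" }
$sidBytes = [byte[]]$acct.Properties['objectsid'][0]
$sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

# Full Control on the container, inherited by all child objects: the grant
# the TechNet prerequisites describe for the site server computer account.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$container.ObjectSecurity.AddAccessRule($rule)
$container.CommitChanges()

# Confirm the ACE is really there (re-read from the DC, not the local cache).
$container.RefreshCache()
$container.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize

# What is published: expect mSSMSSite, mSSMSRoamingBoundaryRange and one
# mSSMSManagementPoint per MP once publishing succeeds.
foreach ($child in $container.Children) {
    '{0,-28} {1}' -f $child.SchemaClassName, $child.Name
}
```

Full Control on this one container is all that publishing needs; it is a far narrower grant than Domain Admins membership, which comes up later in the thread, and it can be revoked by removing the single ACE.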


Hi Frederick.

Thanks for the follow-up. I have implemented the changes and when the process re-ran it didn't give any errors in the sitecomp.log file, and the MP object was created in the remote domain System Management container.

We will not be implementing secondary sites, so that won't be necessary. I have read the URL you included a couple of times, but the comment about the Site Server computer account having Full Control distracted me, I think, because in this scenario the Site Server computer account cannot have permissions in the untrusted domain. I think this must be where my confusion came in.

Regards

John

August 27th, 2015 12:09pm

Yeah, in your case just replace Site Server computer account with untrusteddomain\account.

Just to make sure: is everything working now, the MP as well?

August 27th, 2015 12:11pm

Hi Frederick,

I'm not certain yet. The Active Directory Forests node is still showing Publishing Status as Insufficient Access in the console, and the MPControl log still has the https errors. If I browse to the Server:80 I see the default IIS page. The Default Web Site has all the SCCM applications and App Pools created. localhost/SMS_MP is showing 401.3 Unauthorised errors.

I suppose the next step is to determine what permissions I need to assign within IIS to allow SMS_MP to work.

Regards

John

August 27th, 2015 12:27pm

http://yourservernamehere/sms_mp/.sms_aut?mplist

https://<ServerName>/sms_mp/.sms_aut?mpcert

To test your MP, are you using HTTPS or HTTP? If you are using HTTPS you need to have a certificate to get access to the MP through HTTPS.

Also, for the publishing: if you look into the System Management container, do you see items inside?

Look at the hman.log and sitecomp.log files for the publishing issue, whether the container is empty or there are not enough rights.



August 27th, 2015 12:35pm

Hi Frederick,

Thanks for that. ?mpcert responds with a certificate string, as expected, but ?mplist gives an internal server error.

The System Management container has in it 4 items:

mSSMSSite

mSSMSRoamingBoundaryRange

These are objects. Then there are 2 sub-containers, one for the SCCM Site Server and the other for the remote domain Management Point,

i.e. 2 x mSSMSManagementPoint sub-containers. Both of these are empty.

At present I am only doing HTTP; once it is all up and running I would hope to initiate HTTPS and the certificates, but I will need input from another team for that, and want to get things working before I over-complicate things. According to the sitecomp.log, everything looks OK, no errors or warnings since I amended the permissions as you suggested.

The hman.log file did have in it some SMS-Site-<Sitecode> could not be updated, error code = 5 entries, but these are all from before the permissions changes earlier, and since that time, at 17:30, I see Successfully added client upgrade packages to all distribution points from Site <Site code>, so it looks like the permissions issue in AD has resolved that too.

Regards

John  

August 27th, 2015 12:50pm

Can you look into the IIS log to see what error you are getting?

C:\inetpub\logs\LogFiles\W3SVC1


August 27th, 2015 1:11pm
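Added example, not from the thread: a PowerShell script that runs the two MP probes Frederick lists, reports the HTTP status of each (including 401 and 500, which Invoke-WebRequest otherwise surfaces only as an exception), and then walks the newest W3C log in C:\inetpub\logs\LogFiles\W3SVC1, using its #Fields: header to pick out the sc-status, sc-substatus and sc-win32-status columns for every .sms_aut and ccm_system request. The MP hostname mp01.remote.local is a placeholder; run it on the MP itself, or point $IisLogDir at a copy of the log.

```powershell
# Added example (not from the thread): probe the MP and correlate the result
# with the IIS W3C log. Placeholders: $MpHost and $IisLogDir.
param(
    [string]$MpHost    = 'mp01.remote.local',                  # assumed MP hostname
    [string]$IisLogDir = 'C:\inetpub\logs\LogFiles\W3SVC1',    # default site log folder
    [switch]$UseHttps                                          # set once the MP is switched to HTTPS
)

$scheme = if ($UseHttps) { 'https' } else { 'http' }

function Test-MpUrl {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 30
        [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Bytes = $r.RawContentLength }
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; recover the code so 401 and 500 stay visible.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        [pscustomobject]@{ Url = $Url; Status = $code; Bytes = 0 }
    }
}

Test-MpUrl "${scheme}://$MpHost/sms_mp/.sms_aut?mplist"   # answered from site data
Test-MpUrl "${scheme}://$MpHost/sms_mp/.sms_aut?mpcert"   # only returns the MP certificate

# Parse the newest W3C log. The '#Fields:' header names the columns, so the
# script does not depend on a fixed column order.
$latest = Get-ChildItem $IisLogDir -Filter 'u_ex*.log' -ErrorAction Stop |
    Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $latest) { throw "No u_ex*.log files in $IisLogDir" }

$fields = $null
Get-Content $latest.FullName | ForEach-Object {
    if ($_ -like '#Fields:*') { $fields = ($_ -replace '^#Fields:\s*') -split ' '; return }
    if ($_.StartsWith('#') -or -not $fields) { return }
    $values = $_ -split ' '
    $row = @{}
    for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
    if ($row['cs-uri-stem'] -match 'sms_aut|ccm_system') {
        '{0} {1,-8} {2,-24} {3,-8} status={4} sub={5} win32={6} ms={7}' -f $row['time'], $row['cs-method'],
            $row['cs-uri-stem'], $row['cs-uri-query'], $row['sc-status'], $row['sc-substatus'],
            $row['sc-win32-status'], $row['time-taken']
    }
}
```

MPCERT only hands back the MP's signing certificate, while MPLIST is answered from site data, so the pair separates an IIS-level problem (both fail, or a 401.3 on the virtual directory) from a problem behind the MP role (mpcert 200, mplist 500). The sc-win32-status column is the one worth reading when sc-status alone looks healthy: a 200 with a non-zero win32 status or a very long time-taken still points at the component, not at IIS.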




Hi Frederick,

My apologies for the delayed response; I have been dealing with other things. I have had a look at the IIS logs:

mpcert works fine, the mplist gives a server error. I'm wondering if the IIS permissions are correct. Does the SCCM forest account need specific permissions applying to the x:\SMS directory on the remote MP?

The console is still showing insufficient access rights.

Regards

John

August 28th, 2015 10:55am

What did the IIS log show when you tried the mplist?

The primary site needs to be admin of the computer running the MP.

So when you install the MP you can specify an account; that account needs to be local admin of the MP.

August 28th, 2015 11:11am

Hi Frederick

Apologies, I posted a screenshot of the log file but it didn't upload for some reason.

The remote system in this particular domain is a domain controller (it's a small domain) and I have added the forest account to the Domain Admins group, but this has not made any difference. The site system will not always be a domain controller (in every remote domain), but in this case it is.

The IIS log shows the following:

GET /SMS_MP/.sms_aut MPLIST 80 - ::1 SMS_MP_CONTROL_MANAGER - 200 0 0 60021

CCM_POST /ccm_system/request - 80 - ::1 ccmhttp - 50 0 64 60029

This is repeated a few times.

Monday is a bank holiday here in the UK, so I will pick this up on Tuesday, but I appreciate your help and advice.

Many Thanks

Regards

john

August 28th, 2015 12:25pm

Never heard of anyone installing an MP on a domain controller, and I STRONGLY suggest you find another server for this.

For the IIS log, you got 200, which means IIS was successful. Now, since I know it's on a DC, there might be an issue with this; I don't even know if a Management Point being installed on a DC is supported. Try adding the installation account to the Builtin\Administrators group in Active Directory on the remote domain.

But like I said, please reconsider. You are giving the account WAY MORE rights than it needs because you are using a DC.

August 28th, 2015 12:31pm

Hi Frederick,

My apologies for the delay in responding. I have not had a chance to do much with this over the last week, but I have created a new virtual machine in the testing domain, and I have applied the MP and DP prerequisites to the VM. I am going to try to deploy the MP role onto that server some time, and I will update this thread with the results once I have made any progress. I thank you for your advice regarding the use of a DC for the SCCM roles. Some of our monitored environments are very small, only 3 servers; others are much larger and should easily allow the MP role on a server that is not a DC.

Many thanks for your advice and assistance so far.

Regards

John

September 7th, 2015 5:46am
