Hello!

In my organization we have two domain/forests. DomainA.local and DomainB.local

in one forest (DomainA.local) we have sccm 2012 sp1 CAS site. with dedicated database server on sql 2012 sp1 cu5

in other forest (DomainB.local) we want to setup primary site on sccm 2012 sp1 with dedicated database server on sql 2012 sp1 cu5

forests have trust both sided.

all installation accounts have administrative rights on all SC servers. in both domains.

when i try to install SCCM 2012 primary site in the hierarchy,

i receiving the errors:

INFO: Created SQL Server machine certificate for Server [S-SCDB-02.DomainB.local] successfully.

  ERROR: Failed to open certificate store (HRESULT=0x35)    Configuration Manager Setup    9/3/2013 11:56:19 AM    3268 (0x0CC4)
ERROR: Failed to write S-SCDB-02.DomainB.local SQL Server certificate to store (TrustedPeople) on site server (S-SCDB-01.DomainA.local).

ERROR: Failed to write certificate of primary site's SQL Server [S-SCDB-02.DomainB.local] to CAS SQL Server [S-SCDB-01.DomainA.local].

Install user from domainB.local has administrative rights on S-SCDB-01.DomainA.local and sysadmin rights in sql server.

Also, it has full administrator role on CAS.Of course, it has administrative rights on primary site server and sql server S-SCDB-02.DomainB.local and sysadmin rights.

WHY????

Taking a step back: why? Are you using a CAS and multiple primary sites at all? Do you have 100,000+ clients to manage?

As for the exact error, 0x35 = "The network path was not found." This is generally a name resolution type error meaning that the server you are installing the primary onto cannot resolve the name of the system hosting the CAS's SQL instance.

Name resolution must be correct and functioning for anything to work in ConfigMgr, CAS or no CAS; however, I highly recommend you take a step back and question whether you truly need multiple primary sites. It is not in any way required to have multiple primary sites for a cross-forest architecture.

>Taking a step back: why? Are you using a CAS and multiple primary sites at all? Do you have 100,000+ clients to manage?

we need CAS due to our network infrastructure.

thank you for you help.

we solved problem today.

it was need to open "windows" ports on the firewall between SCCM Primary Site server and CAS SQL server to give SCCM primary site installation process the ability to install the primary site's sql-server's self-signed certificate to CAS sql-server trusted people local store.

i did not remember this point in deploying documentation((((

• Marked as answer by Robert Marshall - MVPMVP, Moderator Sunday, September 08, 2013 5:15 PM

>Taking a step back: why? Are you using a CAS and multiple primary sites at all? Do you have 100,000+ clients to manage?

we need CAS due to our network infrastructure.

Just being curious: which network infrastructure would require a CAS?

sorry, i can not say more for security reasons.

just believe, we considered to use hierarchy infrastructure not just for fun))

ERROR: Failed to write S-SCDB-02.DomainB.local SQL Server certificate to store (TrustedPeople) on site server (S-SCDB-01.DomainA.local).

ERROR: Failed to write certificate of primary site's SQL Server [S-SCDB-02.DomainB.local] to CAS SQL Server [S-SCDB-01.DomainA.local].

I ran into the same problem today while setting up a Primary Site Server which runs under a CAS. The resolution was to add the SQL service user, which i use for the Primary Site, to the local admins of the SQL of the CAS and to the local admins of the CAS itself.