Software update catalog permissions

Hi

I have 2 domains, domain1.com and domain2.com. In domain1.com I have installed SCCM2012 SP1 and want to update machines from domain2.com. There is no trust relationship between these two domains.

I created the folder \\10.10.10.1\Updates on the SCCM2012 server, where all necessary updates were downloaded. I set the share and NTFS permissions on this folder to read & write for Everyone.

When I deploy the updates, I see in Deployment Status an error for all servers from domain2.com with the info Access Denied, error code 0x80070005, and last logon user as (SYSTEM).

I believe it's because these machines can't get access to the share in domain1.com where the updates and distribution point are located.

All clients on servers in domain2.com successfully communicate with the SCCM2012 server in domain1.com.

Manually, I can get to the Updates share in domain1.com from domain2.com by typing the path, but it always asks for credentials.

What do I need to change to make the software update process work?


  • Edited by bllitz 20 hours 6 minutes ago
September 13th, 2013 11:12am

The ConfigMgr client is going to try to download content from a distribution point over HTTP (or HTTPS), not over a file share.

Are the workstations in domain2 able to get to the Software Update Point to even do their scan?  By default with Server 2012, this will be port 8530 (or 8531 if using SSL).

September 13th, 2013 11:24am

Also, do you have a network access account defined?

Are the clients Win7?

If so, do they have the hotfix from KB2522623 installed?

September 13th, 2013 11:36am

When I type http://10.10.10.1:8530 on one of the clients, I get 403 Forbidden: access denied. Yes, the workstations are able to communicate with the SUP; all client functions are working, reporting, etc.
September 13th, 2013 11:38am

Thanks for checking on that.

So, you will want to move on through the log files for Software Update Management and for finding/downloading content.

I would start with C:\Windows\WindowsUpdate.log for obvious stuff (like Group Policy pushing those workstations to another WSUS server).

The ConfigMgr logs that have to do with software update management (like Update*.log) are described here:

http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_SU_NAPLog

Let us know what you find,

Nash

September 13th, 2013 11:43am

I enabled directory browsing in IIS on the SCCM2012 server and now I can list http://10.10.10.1:8530

The clients are Windows 2003.

Network access account?

September 13th, 2013 11:44am

You'll want to review the documentation for managing "workgroup" clients (untrusted forests are going to be handled like workgroup machines).

You have to define a network access account in ConfigMgr for them to use to get permissions to download content.

For more information about the client requirements on workgroup computers, see these:

http://blogs.technet.com/b/anilm/archive/2012/05/06/managing-workgroup-clients-in-configuration-manager-2012.aspx

http://technet.microsoft.com/en-us/library/gg712298.aspx#BKMK_ClientWorkgroup

September 13th, 2013 11:48am

The servers are reaching the correct update server, SCCM2012, which is also the WSUS server. I checked in WindowsUpdate. The rest of the update*.log files didn't show any errors. In CIDownloaded.log there is something like this:

CAS failed to download update (a38dae17-a65e-4663-9a0e-b8f7d5a883f3). Error = 0x80070005. Releasing content request.

September 13th, 2013 12:04pm
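
The CAS failure quoted in the post above can be pulled out of a client log and its HRESULT decoded to confirm it is a Win32 access-denied condition. This Python sketch is an added example, not part of the thread or of ConfigMgr; it assumes the CMTrace-style log envelope, and the sample entries (timestamps, component name, second update ID) are constructed.

```python
import re

# Assumed CMTrace-style envelope: <![LOG[message]LOG]!><key="value" ...>
ENTRY_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
FAIL_RE = re.compile(
    r'failed to download update \((?P<update>[0-9a-fA-F-]{36})\)\. '
    r'Error = (?P<hr>0x[0-9a-fA-F]{8})')

FACILITY_WIN32 = 7        # HRESULT facility for wrapped Win32 errors
ERROR_ACCESS_DENIED = 5   # Win32 error code carried by 0x80070005


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failure bit, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF


def find_download_failures(log_text):
    """Return one dict per 'failed to download update' entry in the log."""
    findings = []
    for entry in ENTRY_RE.finditer(log_text):
        hit = FAIL_RE.search(entry.group("msg"))
        if hit is None:
            continue  # informational entry, not a download failure
        attrs = dict(ATTR_RE.findall(entry.group("attrs")))
        failed, facility, code = decode_hresult(int(hit.group("hr"), 16))
        findings.append({
            "update": hit.group("update"),
            "hresult": hit.group("hr"),
            "component": attrs.get("component", ""),
            "when": f'{attrs.get("date", "")} {attrs.get("time", "")}'.strip(),
            # True only for a failing Win32 HRESULT with code 5
            "access_denied": failed and facility == FACILITY_WIN32
            and code == ERROR_ACCESS_DENIED,
        })
    return findings


# Constructed sample: the first failure message is the one quoted in the
# thread; the envelope attributes and the other two entries are made up.
SAMPLE_LOG = (
    '<![LOG[Content request queued.]LOG]!><time="12:01:05.100+000" date="09-13-2013" component="CIDownloader" type="1">\n'
    '<![LOG[CAS failed to download update (a38dae17-a65e-4663-9a0e-b8f7d5a883f3). Error = 0x80070005. Releasing content request.]LOG]!><time="12:01:07.123+000" date="09-13-2013" component="CIDownloader" type="3">\n'
    '<![LOG[CAS failed to download update (00000000-0000-0000-0000-000000000001). Error = 0x80070002. Releasing content request.]LOG]!><time="12:01:09.456+000" date="09-13-2013" component="CIDownloader" type="3">\n'
)

if __name__ == "__main__":
    for finding in find_download_failures(SAMPLE_LOG):
        print(finding)
```

Entries flagged `access_denied` on clients in an untrusted domain point at the missing Network Access Account discussed in the replies that follow.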

>When I deploy the updates I see in Deployment Status error of all servers from domain2.com with info Access Denied and error code 0x80070005 and last logon user as (SYSTEM)

You should see some errors in the client logs that correspond to what you were seeing in the console.

Have you defined a Network Access Account for these devices?  They will not have permissions to download using their computer account since they are not in a trusted forest.

September 13th, 2013 12:11pm

I see I have not; I will do it right away, but can you please explain: what account should I use as this Network Access Account? An account from domain2.com (the servers' domain) or an account from domain1.com (the SCCM server's domain)? Also, what else will I need to change to make it work? Do I need to assign permissions on some folder to this account?


PS.

I created the NAA as an account from domain1.com (the SCCM2012 server's domain), and this account has local admin rights on the SCCM2012 server. Is this the correct way? Do I also need to modify something on the client side to use this account for accessing the updates?

  • Edited by bllitz 18 hours 48 minutes ago
September 13th, 2013 12:20pm

You would need to use an account from domain1 as your network access account since there is not a full trust.  Create an account specifically for this (and don't use it for anything else).  The network access account is specified in Administration > Site Configuration > Sites > Select your site, and then under Configure Site Components > Software Distribution on the Network Access Account tab.

>Do I need to assign permission to some folder to this account?

No, ConfigMgr clients DO NOT access network folders to download content for software distribution or software update management; they download it over HTTP/HTTPS from a distribution point.  Do NOT give access to any content source location folders to all users.  It may be helpful for you to take the Microsoft Virtual Academy course for ConfigMgr 2012, as well as the TechNet Virtual Labs for Content Management, Application Management, and Software Update Management.

I hope that helps,

Nash

September 13th, 2013 12:35pm

I created the account as you wrote. Should I now update something on the client side to let the servers know to use this account to download the update content?
September 13th, 2013 12:42pm

They will need to update machine policy to find out about this change.

September 13th, 2013 12:43pm
