A few weeks ago, I was assigned the task of managing clients in an untrusted forest using Configuration Manager 2012 R2 SP1. Yes, we are still running ConfigMgr 2012, but we will move to ConfigMgr Current Branch soon (in the next few weeks).
The scenario: I have a forest (intranet.asia) where SCCM 2012 R2 SP1 is installed and used to manage the clients in that forest. Now I have a requirement to manage clients in an untrusted forest (life.net), which is completely isolated from the existing forest; there is no trust between the two.
So the task is: how to manage the clients in the untrusted forest (life.net) for software distribution, patching, etc. using the SCCM server that resides in the intranet.asia forest.
My setup is like this:
Green colour : Current working site
Brown colour: Untrusted forest
Red colour: Firewall between these 2 forests
Blue colour: Clients in the untrusted forest must talk to the SCCM site in the intranet.asia forest, and SCCM must be able to publish site information to AD, perform AD system discovery, automatic client push installation, etc. in the untrusted forest.
The LIFE.NET forest is completely isolated, with no trust to the INTRANET.ASIA forest that hosts SCCM. The aim is to manage the clients in the life.net forest (very few, <50 for now) using the existing SCCM site.
In order to manage the clients in the untrusted forest with SCCM, the steps are listed below at a high level.
1. First and foremost are the firewall ports: the clients in the untrusted forest must be able to talk to the SCCM site system roles (all the ports a client requires to talk to the MP, DP and SUP, as outlined here), and the SCCM server must be able to talk to the remote forest (DNS port 53, LDAP port 389) to publish information and discover objects.
2. Configure DNS with a conditional forwarder or stub zones in the local forest (so SCCM can resolve remote host names such as dc02.life.net and the remote clients for system discovery) and in the untrusted forest (so clients can resolve the host names of the MP, DP, SUP, etc.).
3. Create an account in the untrusted forest that will be used to publish the SCCM site information into the System Management container, which will be created later in the LIFE.NET forest.
4. Extend the AD schema in the untrusted forest (LIFE.NET) with sufficient permissions (the user must be a member of Schema Admins). You can get the schema files from the ConfigMgr media. This is optional; read more if you really need to extend the schema.
5. Create the System Management container in the untrusted forest and grant full permissions on this container to the account you created above, so it can publish the SCCM site information.
6. On the SCCM server (INTRANET.ASIA), add the untrusted forest and configure the account you created above. Monitor hman.log for any errors.
7. Check in the untrusted forest whether the site information has been published into the System Management container.
8. If you want to discover clients from the untrusted forest automatically, configure AD System Discovery. If you have not configured the DNS conditional forwarder, system discovery will fail because of name resolution (monitor adsysdis.log for any errors).
9. If you want to perform client push installation, get an account from the untrusted forest and configure it on the SCCM server.
10. Configure boundaries in SCCM (INTRANET.ASIA) for the untrusted forest so its clients can be managed.
11. If clients in the untrusted forest are unable to resolve the SCCM roles (MP, DP, SUP, etc.) for client installation, the assignment process and policy download, you need to add the required entries (the IP address and FQDN of the site systems hosting the MP, DP and SUP) to the hosts file on each client. But again, you must make sure the ports (HTTP 80, SUP 8530) are open from the untrusted forest to the SCCM servers; otherwise you cannot get even basic things like software distribution and software updates to work.
The steps outlined above are general; in reality, you may not be allowed to configure some of them, such as DNS conditional forwarders. In that case, what other methods do I have to get this task done?
Please note that in this untrusted forest I have fewer than 50 clients to manage, so I can skip the DNS configuration and go with hosts file entries (maintained manually). If you have a large number of clients to manage, you need to look at another solution, such as a DNS configuration that allows name resolution.
The following site system roles, when installed at primary sites, support connections from clients that are in untrusted locations, such as the Internet or an untrusted forest (secondary sites do not support client connections from untrusted locations):
- Application Catalog website point
- Configuration Manager Policy Module
- Distribution point (HTTPS is required by cloud-based distribution points)
- Enrollment proxy point
- Fallback status point
- Management point
- Software update point
These are the steps I followed to manage these few clients in the LIFE.NET forest for software distribution and software updates from the existing forest.
On the local forest (intranet.asia)
1. Due to the restrictions I have, I cannot configure conditional forwarders in DNS, so I have to add the untrusted forest entries to the hosts file on the SCCM server.
Go to C:\windows\system32\drivers\etc, open the hosts file and add the untrusted forest entries, which include life.net and dc01.life.net with their IP addresses, for name resolution.
Make sure you can ping the remote forest and resolve the host name.
If there are any firewall restrictions, work with your network team to get them resolved.
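The hosts file step above (and the client-side variant in step 11 of the overview) done as a script, with the resolution and port checks folded in. This is an added example, not code from the original post: the IP addresses are constructed placeholders, and the port list is the one the post names for the site server (LDAP 389, DNS 53); on a client you would point it at the MP/DP/SUP names with ports 80 and 8530 instead. It must run in an elevated PowerShell session because the hosts file is protected.

```powershell
# Added example (not from the original post). Appends hosts entries for the
# untrusted forest, then verifies name resolution and TCP reachability.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

# Constructed sample entries (placeholders): replace with the real addresses.
# On a client in life.net the names would be the MP/DP/SUP FQDNs instead.
$entries = @{
    "dc01.life.net" = "10.10.0.10"   # remote domain controller
    "life.net"      = "10.10.0.10"   # bare domain name, so LDAP://life.net/... resolves
}
# Ports the post lists for the site server -> remote forest. For a client use 80, 8530.
$ports = 389, 53

# Append only the names that are not already present, so re-running is harmless.
$current = Get-Content -Path $hostsPath -ErrorAction Stop
foreach ($name in $entries.Keys) {
    $line = "{0}`t{1}" -f $entries[$name], $name
    if (-not ($current -match [regex]::Escape($name))) {
        Add-Content -Path $hostsPath -Value $line
        Write-Host "Added: $line"
    } else {
        Write-Host "Already present: $name"
    }
}

# Verify each name resolves (hosts file is consulted before DNS) and each port
# answers. Test-NetConnection is available on Windows 8.1 / Server 2012 R2 and later.
foreach ($name in $entries.Keys) {
    foreach ($port in $ports) {
        $r = Test-NetConnection -ComputerName $name -Port $port -WarningAction SilentlyContinue
        "{0,-16} port {1,-5} resolved={2,-5} tcp={3}" -f $name, $port,
            ($null -ne $r.RemoteAddress), $r.TcpTestSucceeded
    }
}
```

A resolved=True with tcp=False line is the firewall case the post mentions: the name is fine, so hand that host/port pair to the network team rather than re-checking the hosts file.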
2. For the local SCCM server to talk to the remote forest to publish site information into AD, discover objects, perform client push installation, etc., we need a few accounts. Let's create them. In my case, I will create one account and use it for publishing the site information.
If you want to discover AD objects in the remote forest, you only need a normal user account with read permissions. For the client push account, it must be a member of the local Administrators group on the remote clients where you perform the SCCM client install.
In the untrusted forest, creating an account called CM_Publish (a normal user) is enough.
3. In the remote forest, log in to a domain controller, or use an account that has full permissions to perform the following changes.
Open adsiedit.msc, create the System Management container and give full permissions on it to CM_Publish.
4. While in the remote forest, extend the AD schema. To extend it, copy extadsch.exe from your SCCM media or from the SCCM installation folder under \bin\X64 and run it. The account must be a member of Schema Admins. Verify the status in extadsch.log, which is created in the root of the system drive.
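The same container creation and permission grant as a script, for people who prefer not to click through adsiedit.msc or who have to repeat it in a lab. This is an added example, not the post's own procedure: it assumes the domain DN DC=life,DC=net from the post and that the NetBIOS name of life.net is LIFE (an assumption); run it on a LIFE.NET domain controller with an account allowed to create objects under CN=System.

```powershell
# Added example (not from the original post). Creates CN=System Management
# under CN=System and grants CM_Publish Full Control, inherited to all
# descendant objects, which is what the site server needs to create and
# refresh the objects it publishes.
Add-Type -AssemblyName System.DirectoryServices

$domainDN = "DC=life,DC=net"       # untrusted forest root, from the post
$account  = "LIFE\CM_Publish"      # publishing account; NetBIOS name LIFE is an assumption

$containerPath = "LDAP://CN=System Management,CN=System,$domainDN"

# Create the container only if it is not already there.
if ([ADSI]::Exists($containerPath)) {
    $container = [ADSI]$containerPath
    Write-Host "Container already exists: $containerPath"
} else {
    $systemContainer = [ADSI]"LDAP://CN=System,$domainDN"
    $container = $systemContainer.psbase.Children.Add("CN=System Management", "container")
    $container.psbase.CommitChanges()
    Write-Host "Created $containerPath"
}

# Resolve the account to a SID and build a GenericAll (Full Control) ACE that
# applies to this object and everything beneath it.
$sid  = (New-Object System.Security.Principal.NTAccount($account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$container.psbase.ObjectSecurity.AddAccessRule($rule)
$container.psbase.CommitChanges()

# Read the ACL back and show the ACE we just added, as a quick check.
$container.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Granting Full Control to one dedicated low-privilege account, as the post does, keeps the blast radius small: that account can only write under this one container, and nothing in the untrusted forest trusts the site server's own machine account.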
5. Now come back to the local SCCM server. From Hierarchy Configuration > Active Directory Forests, click Add Forest.
6. In Domain suffix, enter the domain suffix (in my case: life.net).
Use the account we created above (CM_Publish) to publish site information into the AD System Management container.
Choose Use specific account > New account, and type in the credentials.
Click Verify. In the path, you must be careful to type the correct LDAP path. Do not go with the default LDAP path: the auto-filled path is wrong and will never succeed. The default path after you enter the credentials will be LDAP://DC=life,DC=net.
You need to replace it with the correct LDAP path: LDAP://life.net/DC=life,DC=net
This LDAP path is needed to verify that the connection is successful.
On the Publishing tab, select the site whose information you want to publish.
Monitor hman.log to see whether the attributes are published into the remote forest's System Management container, and for any errors. You must extend the schema before you publish the attributes. If you do not extend the schema, the clients will not be able to leverage the schema extensions.
If you have not extended the AD schema, you will see errors like the following in hman.log: SMS-Site-SITECODE could not be created, error code = 8202. After the schema extension, you will see something like below:
After a while, the publishing status for the newly added forest will change to Succeeded.
Go to your untrusted forest domain controller, open Active Directory Users and Computers, and in the System Management container you should be able to see the published objects related to the site code, boundaries, etc.
With this, we have successfully added the untrusted forest to our SCCM site and are ready to discover objects, perform client push installation, etc. before we start distributing applications and deploying software updates.
Before we proceed further with configuring the discovery methods and the client push installation account, we need to make sure we can ping the remote forest domain controller by name. Why do we need this? Well, the discovery method relies on name resolution, so if name resolution does not happen, the discovery of objects will fail.
As I said initially, if you need to discover the remote forest computer resources, you need to configure DNS with a conditional forwarder or stub zones in the local forest (INTRANET.ASIA); otherwise, forget about discovering the objects and just install the SCCM client on the remote forest clients manually.
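Two of the checks above, the Verify button's LDAP bind with the publishing account (the wrong default path beside the correct one) and the look into the System Management container, scripted from the intranet.asia site server. This is an added example, not the post's own tooling; it assumes the post's paths and account, prompts for the CM_Publish password interactively, and the objectClass names in the comment (mSSMSSite, mSSMSManagementPoint) are the ConfigMgr schema classes that only exist after the schema extension. The reason the serverless path fails is that ADSI resolves a path without a server name through the domain of the caller's own security context, which is intranet.asia here, not life.net.

```powershell
# Added example (not from the original post). Binds to the untrusted forest
# with the publishing account, first with the console's default LDAP path and
# then with the corrected one, and then lists what has been published.
Add-Type -AssemblyName System.DirectoryServices

$cred = Get-Credential -UserName "LIFE\CM_Publish" -Message "Publishing account"
$pwd  = $cred.GetNetworkCredential().Password

function Test-LdapPath {
    param([string]$Path)
    try {
        $de = New-Object System.DirectoryServices.DirectoryEntry(
                  $Path, $cred.UserName, $pwd,
                  [System.DirectoryServices.AuthenticationTypes]::Secure)
        # Reading NativeObject forces the bind; a failed bind throws here.
        $null = $de.psbase.NativeObject
        [pscustomobject]@{ Path = $Path; Result = "OK: " + $de.Properties["distinguishedName"].Value }
    } catch {
        [pscustomobject]@{ Path = $Path; Result = "FAILED: " + $_.Exception.Message }
    }
}

# Default (serverless) path: resolved through the caller's own domain, so it
# fails across an untrusted forest. The second path names the forest and works.
Test-LdapPath "LDAP://DC=life,DC=net"
Test-LdapPath "LDAP://life.net/DC=life,DC=net"

# Enumerate the direct children of System Management. After a successful
# publish you should see mSSMSSite and mSSMSManagementPoint objects, and
# their absence with error 8202 in hman.log points at a missing schema extension.
$sm = New-Object System.DirectoryServices.DirectoryEntry(
          "LDAP://life.net/CN=System Management,CN=System,DC=life,DC=net",
          $cred.UserName, $pwd, [System.DirectoryServices.AuthenticationTypes]::Secure)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($sm)
$searcher.Filter      = "(objectClass=*)"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    "{0,-28} {1}" -f ($p["objectclass"] | Select-Object -Last 1), ($p["name"] | Select-Object -First 1)
}
```

The Secure authentication flag keeps the bind on Kerberos/NTLM rather than a simple (clear-text) LDAP bind, which matters here because the credentials are for an account with write access to the container.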
After you configure the conditional forwarder in DNS, open the Configuration Manager console, go to Hierarchy Configuration > Discovery Methods, open Active Directory System Discovery, click the sunburst icon and add the path location.
Follow the same steps you did while adding the new forest: specify the new account, the LDAP path, etc. Use the same LDAP path (LDAP://life.net/DC=life,DC=net) as above to verify the connection.
If name resolution is not working, you will see errors in the system discovery log adsysdis.log like below:
Wait for the discovery to run, and monitor adsysdis.log for any errors.
Next is to configure the client push installation account, which is straightforward. Get an account that is a local admin on all the untrusted forest clients and add it as a client push installation account.
If you have multiple client push installation accounts added in the client push properties, it will try each account in turn to install the SCCM client until one succeeds. Monitor ccm.log on your site server for any errors.
If you do not use client push but install the SCCM client manually, you need to approve the clients manually in the SCCM console. This is due to the client approval settings in the site hierarchy.
Once you install the client in the untrusted forest, approve the clients in the SCCM console manually.
You can also create a collection for the unapproved clients and select all of them to approve them manually. You can also automate this process via PowerShell. The collection query:
select distinct system.* from SMS_R_System as system join SMS_FullCollectionMembership as collection on system.ResourceID = collection.ResourceID where collection.IsApproved=0
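The PowerShell automation mentioned above, built on the same WQL query. This is an added example, not the post's script: the site code, SMS Provider host and the NetBIOS name LIFE used to filter the results are placeholders and assumptions, and it uses the Approve-CMDevice cmdlet from the console's ConfigurationManager module. The filter matters: in an untrusted forest you approve only the machines you deliberately installed the client on, and leave anything else unapproved for a person to look at.

```powershell
# Added example (not from the original post). Finds unapproved clients with
# the post's WQL query, keeps only those from the untrusted forest, and
# approves them with the ConfigurationManager module.
$SiteCode     = "PS1"                    # placeholder site code
$ProviderHost = "sccm01.intranet.asia"   # placeholder SMS Provider host
$RemoteDomain = "LIFE"                   # NetBIOS name of life.net (assumption)

# The collection query from the post, run directly against the SMS Provider.
$query = @"
select distinct system.* from SMS_R_System as system
join SMS_FullCollectionMembership as collection on system.ResourceID = collection.ResourceID
where collection.IsApproved = 0
"@
$unapproved = Get-WmiObject -ComputerName $ProviderHost -Namespace "root\SMS\site_$SiteCode" -Query $query

# Approve only systems whose resource domain is the untrusted forest we manage.
$toApprove = $unapproved | Where-Object { $_.ResourceDomainORWorkgroup -eq $RemoteDomain }
$skipped   = $unapproved | Where-Object { $_.ResourceDomainORWorkgroup -ne $RemoteDomain }

# Approve-CMDevice needs the console's module and the site PSDrive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "${SiteCode}:"
try {
    foreach ($sys in $toApprove) {
        Approve-CMDevice -ResourceId $sys.ResourceID
        "Approved {0} (ResourceID {1})" -f $sys.Name, $sys.ResourceID
    }
} finally {
    Pop-Location
}

# Report what was left alone so it gets a manual review.
foreach ($sys in $skipped) {
    "Left unapproved for review: {0} in {1}" -f $sys.Name, $sys.ResourceDomainORWorkgroup
}
```

Run it after each batch of manual client installs; because it only ever touches records that are still unapproved, re-running it is safe.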
I hope this guide helps you to manage clients in an untrusted forest.