A few weeks ago, I was assigned the task of managing clients in an untrusted forest using Configuration Manager 2012 R2 SP1. Yes, we are still running Configmgr 2012, but we will move to Configmgr Current Branch soon (in the next few weeks).
The scenario: I have a forest (intranet.asia) where SCCM 2012 R2 SP1 is installed and used to manage the clients in that forest. Now I have a requirement to manage clients in an untrusted forest (life.net), which is completely isolated from the existing forest, with no trust between the two.
So the task is: how to manage the clients in the untrusted forest (life.net) for software distribution, patching, etc. using the SCCM server that resides in the intranet.asia forest.
My setup is like this (colour legend for the diagram):
Green colour: current working site
Brown colour: untrusted forest
Red colour: firewall between the two forests
Blue colour: clients in the untrusted forest must talk to the SCCM site in the intranet.asia forest, and SCCM must be able to publish its site information to AD, perform AD System Discovery, automatic client push installation, etc. in the untrusted forest.
The LIFE.NET forest is completely isolated and has no trust with the INTRANET.ASIA forest where SCCM is installed. The aim is to manage the clients in the life.net forest (there are very few, <50 for now) using the existing SCCM site.
To manage the clients in the untrusted forest using SCCM, the high-level steps are listed below.
1. First and foremost, the firewall ports: clients in the untrusted forest must be able to talk to the SCCM roles (all the ports a client needs to talk to the MP, DP and SUP, as outlined here), and the SCCM server must be able to talk to the remote forest (DNS port 53, LDAP port 389) to publish its information and discover objects.
2. Configure DNS with a conditional forwarder or stub zones in the local forest (so SCCM can resolve remote hostnames such as dc02.life.net, and the remote clients for system discovery) and in the untrusted forest (so clients can resolve the hostnames of the MP, DP, SUP, etc.).
3. Create an account in the untrusted forest that is used to publish the SCCM site information into the System Management container, which will be created later in the LIFE.NET forest.
4. Extend the schema (you can get the schema files from the Configmgr media) in the untrusted forest (LIFE.NET) with sufficient permissions (the user must be a schema admin). This is optional; read on to see whether you really need to extend the schema.
5. Create the System Management container in the untrusted forest and give the account you created above full permissions on this container so it can publish the SCCM site information.
6. On the SCCM server (INTRANET.ASIA), add the untrusted forest and configure the account you created above; monitor hman.log for any errors.
7. Check in the untrusted forest whether the site information has been published into the System Management container.
8. If you want to discover clients in the untrusted forest automatically, configure AD System Discovery. If you have not configured the DNS conditional forwarder, system discovery will not work because of name resolution (monitor adsysdis.log for any errors).
9. If you want to perform client push installation, get an account from the untrusted forest and configure it on the SCCM server.
10. Configure boundaries in SCCM (INTRANET.ASIA) for the untrusted forest so its clients can be managed.
11. If clients in the untrusted forest cannot resolve the SCCM roles (MP, DP, SUP, etc.) for client installation, site assignment and policy download, you need to add the required entries (IP address and FQDN of the MP, DP and SUP) to the hosts file on each client. Again, you must make sure the ports (HTTP 80, SUP 8530) are open from the untrusted forest to the SCCM servers; otherwise you cannot get even basic things like software distribution and software updates working.
The steps outlined above are the general approach, but in reality some of them, such as DNS conditional forwarders, may not be allowed. So in that case, what other methods do I have to get this task done?
Please note that in this untrusted forest I have <50 clients to manage, so I can skip the DNS configuration and go with hosts file entries (manual feeding). But if you have a large number of clients to manage, you need to look at another solution, such as DNS configuration, to allow name resolution.
The following site system roles can be installed at primary sites to support connections from clients in untrusted locations, such as the Internet or an untrusted forest (secondary sites do not support client connections from untrusted locations):
- Application Catalog website point
- Configuration Manager Policy Module
- Distribution point (HTTPS is required by cloud-based distribution points)
- Enrollment proxy point
- Fallback status point
- Management point
- Software update point
Steps I followed to manage these few clients in the LIFE.NET forest for software distribution and software updates from the existing forest.
On the local forest (intranet.asia)
1. Due to the restrictions I have, I cannot configure conditional forwarders in DNS, so I have to add the untrusted forest entries to the hosts file on the SCCM server.
Go to C:\windows\system32\drivers\etc, open the hosts file and add the untrusted forest entries, which include life.net and dc01.life.net with their IP addresses, for name resolution.
Make sure you can ping the remote forest and resolve the hostname.
If there are any firewall restrictions, please work with your network team to get them resolved.
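The hosts-file entries and port checks from step 1 above and from step 11 of the high-level list, as an added PowerShell example (not part of the original post). The IP addresses and the site server name sccm01.intranet.asia are constructed placeholders; run it elevated because it writes to the hosts file.

```powershell
# Added example: idempotently add untrusted-forest entries to the local hosts file,
# then confirm the ports the post lists are reachable. Run elevated.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# On the site server these are the remote DCs; on a client they would be the MP/DP/SUP.
$entries = @(
    @{ Ip = '10.20.0.10'; Name = 'dc01.life.net' }   # constructed IP
    @{ Ip = '10.20.0.11'; Name = 'dc02.life.net' }   # constructed IP
)

function Add-HostsEntry {
    param([string]$Ip, [string]$Name, [string]$Path = $hostsPath)
    $lines = @()
    if (Test-Path $Path) { $lines = Get-Content -Path $Path }
    # Skip if an uncommented line already maps this name.
    $exists = $lines | Where-Object {
        $_ -notmatch '^\s*#' -and $_ -match "^\s*\S+\s+.*\b$([regex]::Escape($Name))\b"
    }
    if ($exists) { return $false }
    Add-Content -Path $Path -Value ("{0}`t{1}" -f $Ip, $Name)
    return $true
}

function Test-RoleConnectivity {
    # One row per (host, port) with the TCP result, so a failure can be handed
    # to the network team with the exact port named.
    param([string[]]$ComputerName, [int[]]$Port)
    foreach ($c in $ComputerName) {
        foreach ($p in $Port) {
            $ok = Test-NetConnection -ComputerName $c -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $c; Port = $p; Open = [bool]$ok }
        }
    }
}

foreach ($e in $entries) {
    if (Add-HostsEntry -Ip $e.Ip -Name $e.Name) { "added $($e.Name)" } else { "already present: $($e.Name)" }
}

# Site server -> remote forest: DNS 53 and LDAP 389 (step 1 of the post).
Test-RoleConnectivity -ComputerName 'dc01.life.net' -Port 53, 389 | Format-Table -AutoSize
# Client -> site roles: HTTP 80 (MP/DP) and 8530 (SUP), per step 11. Site server name is a placeholder.
Test-RoleConnectivity -ComputerName 'sccm01.intranet.asia' -Port 80, 8530 | Format-Table -AutoSize
```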
2. For the local SCCM server to talk to the remote forest to publish site information into AD, discover objects, perform client push installation, etc., we need a few accounts. Let's create them. In my case, I will create one account and use it for publishing the site information.
If you want to discover AD objects in the remote forest, you only need a normal user account with read permissions; the client push account, however, must be a member of the local Administrators group on the remote clients where you install the SCCM client.
In the untrusted forest, create an account called CM_Publish (a normal user is enough).
3. In the remote forest, log in to a domain controller, or use an account that has full permissions to perform the following changes.
Open adsiedit.msc, create the System Management container and give CM_Publish full permissions on it.
4. While in the remote forest, extend the AD schema. To extend it, copy extadsch.exe from your SCCM media or from the SCCM installation folder \bin\X64. To perform this, the account must be a member of Schema Admins. Verify the status in extadsch.log, which is created in the root of the system drive.
5. Now come back to the local SCCM server; from Hierarchy Configuration -> Active Directory Forests, click Add Forest.
6. In Domain suffix, enter the domain suffix (in my case: life.net).
Use the account we created above (CM_Publish) to publish the site information into the AD System Management container.
Choose Use specific account -> New account and type in the credentials.
Click Verify. In Path, be careful to type the correct LDAP path. Do not go with the default LDAP path: the auto-filled path is wrong and will never succeed. The default path after you enter the credentials will be LDAP://DC=life,DC=net.
You need to replace it with the correct LDAP path: LDAP://life.net/DC=life,DC=net
This LDAP path is needed to verify that the connection is successful.
Under the Publishing tab, select the site whose information you want to publish.
Monitor hman.log to see whether the attributes are published into the remote forest's System Management container, and for any errors. You must extend the schema before you publish the attributes. If you do not extend the schema, the clients will not be able to leverage the schema extensions.
If you have not extended the AD schema, you will see errors like the following in hman.log: SMS-Site-SITECODE could not be created, error code = 8202. After the schema extension, you will see the objects being published successfully instead.
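Rather than eyeballing hman.log, the publishing failures the post tells you to watch for can be extracted from its CMTrace-format records. This is an added example, not code from the original post; the three log records, site code P01, the timestamps and the log path are constructed placeholders.

```powershell
# Added example: pull "could not be created/updated" publishing errors out of hman.log.
# Site server logs are in CMTrace format, one <![LOG[...]LOG]!><...> record per line.
$sampleLog = @'
<![LOG[Verifying connection to Active Directory forest life.net]LOG]!><time="10:15:21.000+000" date="05-12-2016" component="SMS_HIERARCHY_MANAGER" context="" type="1" thread="4120" file="hman.cpp:100">
<![LOG[SMS-Site-P01 could not be created, error code = 8202.]LOG]!><time="10:15:22.000+000" date="05-12-2016" component="SMS_HIERARCHY_MANAGER" context="" type="3" thread="4120" file="hman.cpp:200">
<![LOG[SMS-Site-P01 could not be updated, error code = 5.]LOG]!><time="10:16:22.000+000" date="05-12-2016" component="SMS_HIERARCHY_MANAGER" context="" type="3" thread="4120" file="hman.cpp:200">
'@

# What the codes mean when publishing to a remote forest (standard Win32/DS error numbers).
$knownCodes = @{
    8202 = 'ERROR_DS_NO_ATTRIBUTE_OR_VALUE: schema not extended in the remote forest, run extadsch.exe there'
    5    = 'ERROR_ACCESS_DENIED: publishing account lacks full control on the System Management container'
}

function Get-HmanPublishError {
    param([string[]]$Line)
    $record  = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)".*?type="(?<type>\d)"'
    $failure = '^(?<obj>SMS-\S+) could not be (?<op>created|updated), error code = (?<code>\d+)'
    foreach ($l in $Line) {
        if ($l -notmatch $record) { continue }        # not a CMTrace record
        # Copy captures now: the next -match overwrites $Matches.
        $date = $Matches['date']; $time = $Matches['time']; $msg = $Matches['msg']
        if ($msg -notmatch $failure) { continue }     # informational line, not a publishing failure
        $code = [int]$Matches['code']
        $meaning = 'unknown, look up the Win32 error code'
        if ($knownCodes.ContainsKey($code)) { $meaning = $knownCodes[$code] }
        [pscustomobject]@{
            When    = "$date $time"
            Object  = $Matches['obj']
            Action  = $Matches['op']
            Code    = $code
            Meaning = $meaning
        }
    }
}

# Constructed sample: yields two rows, codes 8202 and 5.
Get-HmanPublishError -Line ($sampleLog -split '\r?\n') | Format-Table -AutoSize

# On the site server, point it at the real log (path is a placeholder):
# Get-HmanPublishError -Line (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\hman.log')
```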
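The same verification from the site server side, as an added PowerShell example (not from the original post): bind to the untrusted forest with the CM_Publish account using the server-qualified LDAP path the post insists on, confirm the System Management container exists, and list what has been published into it. The NetBIOS domain name LIFE is assumed.

```powershell
# Added example: verify the LDAP path, the publishing account and the published objects.
$forestDns   = 'life.net'
$ldapPath    = "LDAP://$forestDns/DC=life,DC=net"      # server-qualified form, as in the post
$containerDn = 'CN=System Management,CN=System,DC=life,DC=net'
$cred        = Get-Credential -UserName 'LIFE\CM_Publish' -Message 'Publishing account password'  # NetBIOS name assumed

function Get-LdapEntry {
    param([string]$Path, [pscredential]$Credential)
    $entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        $Path,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure
    )
    # Forces the bind now; a wrong path, bad credentials or a blocked port 389 throw here.
    $entry.RefreshCache()
    return $entry
}

try {
    $root = Get-LdapEntry -Path $ldapPath -Credential $cred
    "Bind OK: $($root.distinguishedName)"
} catch {
    throw "Bind to $ldapPath failed: $($_.Exception.Message). Check the LDAP path, the account, and LDAP 389 through the firewall."
}

# Step 3 of the post: the container must exist before anything can be published into it.
$container = Get-LdapEntry -Path "LDAP://$forestDns/$containerDn" -Credential $cred
"Container found: $($container.distinguishedName)"

# Published objects, e.g. SMS-Site-<code> (mSSMSSite), SMS-MP-... (mSSMSManagementPoint)
# and boundary ranges (mSSMSRoamingBoundaryRange). An empty list means publishing has not run.
foreach ($child in $container.Children) {
    [pscustomobject]@{ Name = $child.Name; Class = $child.SchemaClassName }
}
```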
With this, we have successfully added the untrusted forest to our SCCM and are ready to discover objects, perform client push installation, etc. before we start distributing applications and deploying software updates.
Before we proceed further to configure the discovery methods and the client push installation account, we need to make sure we can ping the remote forest's domain controller by name. Why do we need this? Because discovery works on name resolution: if names do not resolve, the discovery of objects will fail.
As I said initially, if you need to discover the remote forest's computer resources, you need to configure DNS with a conditional forwarder or stub zones in the local forest (INTRANET.ASIA); otherwise, forget about discovering the objects and just install the SCCM client on the remote forest clients manually.
After you configure the conditional forwarder in DNS, open the Configuration Manager console, go to Hierarchy Configuration -> Discovery Methods, open Active Directory System Discovery, click the starburst (New) icon and add the path location.
Follow the same steps you did while adding the forest: specify the account, the LDAP path, etc. Use the same LDAP path (LDAP://life.net/DC=life,DC=net) you used above to verify the connection.
If name resolution is not working, you will see errors in the system discovery log, adsysdis.log, like the following:
Wait for the discovery to run and monitor adsysdis.log for any errors.
Next, configure the client push installation account, which is straightforward. Get an account that is a local administrator on all the untrusted forest clients and add it as a client push installation account.
Even if you have multiple client push installation accounts added in the client push properties, it will try each account in turn to install the SCCM client until one succeeds. Monitor ccm.log on your site server for any errors.
If you do not use client push but install the SCCM client manually, you need to approve the clients manually in the SCCM console. This is due to the approval settings in the site hierarchy.
Once you install the client in the untrusted forest, approve the clients in the SCCM console manually.
You can also create a collection for the unapproved clients and select all of them to approve them manually. You can also automate this process via PowerShell. The collection membership query (WQL) is:
select distinct system.* from SMS_R_System as system join SMS_FullCollectionMembership as collection on system.ResourceID = collection.ResourceID where collection.IsApproved=0
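The PowerShell automation mentioned above, as an added example (not from the original post): it uses the ConfigurationManager console module and the same IsApproved = 0 condition as the WQL query, limited to devices in the untrusted domain. The site code P01 and the NetBIOS domain name LIFE are placeholders; it only reports until $dryRun is set to $false.

```powershell
# Added example: approve manually installed clients from the untrusted forest.
# Run on a machine with the Configuration Manager console installed.
$siteCode = 'P01'      # placeholder site code
$domain   = 'LIFE'     # NetBIOS name of the untrusted domain, assumed
$dryRun   = $true      # set to $false to actually approve

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($siteCode):"

# Same condition as the post's WQL (IsApproved = 0), restricted to the untrusted domain
# so that devices from the trusted forest keep their automatic approval path.
$pending = @(Get-CMDevice | Where-Object {
    $_.IsClient -eq $true -and $_.IsApproved -eq 0 -and $_.Domain -eq $domain
})

foreach ($device in $pending) {
    if ($dryRun) {
        "would approve $($device.Name) ($($device.Domain), client $($device.ClientVersion))"
    } else {
        Approve-CMDevice -InputObject $device
        "approved $($device.Name)"
    }
}
"$($pending.Count) device(s) pending approval in $domain"
```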
I hope this guide helps you manage clients in an untrusted forest.
43 Comments
Thanks for the article. At 8, maybe not Adsysdisc.log but Adsysdis.log?
Thank you. Corrected the post.
Thanks,
Eswar
Hi,
Apologies if this is a silly question, but I am in the process of doing the same scenario as above.
When linking the SCCM server in the untrusted domain to the primary site, can I link it using 'Create Site System Server', or does the untrusted server need to be a secondary site? Or does it not matter?
Hi,
There is no dependency for the site system server to be trusted or untrusted.
Thanks,
Eswar
Hi Eswar,
Wondering if the above approach holds good for users too? For instance, let's say there is a need for user-based deployment (application/package) for users in the untrusted domain.
If not, then how is it different from the device management perspective?
Thanks,
VN
Hi,
This is still possible for user-based deployments. Please read this for more information: https://social.technet.microsoft.com/Forums/en-US/2b2ec74b-cd8f-48ce-a396-8268237a411c/does-sccm-untrusted-cross-forest-management-supports-userpolicy-deployment?forum=ConfigMgrCBGeneral
Thanks
Eswar
I know that SCCM can manage computers in untrusted forests, workgroups (DMZs), etc., and this is very helpful, thank you.
I do have a different scenario and want to run it by someone. I have multiple forests BUT they have the identical forest name - domain1.domain.org. Each forest has its own individual SCCM instance in the domain1 child domain. And 2 of the SCCM instances have the same site codes.
The attempt is to have one SCCM environment manage all computers. Although I understand we don't require a trust, I don't think I can put a trust between each forest as the DNS forwarders would not work; so migrating to one forest might present some challenges too.
Do you know if the SCCM infrastructure will have the same limitation with untrusted forests if the forests have the exact same name? If we ensure all computers at least have unique DNS entries, we could populate a list in the hosts file and distribute it to ensure they can resolve to SCCM; or, worse, force a manual installation. However, after installation, I'm unsure if the client will still resolve to the assigned site or be confused by the two forests with the same name. Have you ever encountered such a situation?
And my last option, which I believe is the only option, is to consolidate the required objects in one forest for a single hierarchy to manage; unless there are tools to rename a forest!
Thank you,
PGH
Hi Eswar, great article. But I am getting "SMS-Site-001 could not be updated, error code = 5", not error 8202; the publishing account has full control on the container.
Error is gone, it works!!
Hi Remy,
Thanks for the update and glad it worked.
Thanks,
Eswar
I even got the Recast RCT tool working, but in order to get this working you have to connect to the admin$ share of each computer (\\{computername}) without the DNS suffix (the suffix has to be in the suffix list) with the account credentials used for publishing in the domain the computer is joined to, and save them in Credential Manager.
Perhaps you know a better way to use the Recast RCT tools over untrusted domains?
Hi Remy,
Not aware of any other tools or techniques that do this for connecting to an untrusted domain.
Thanks,
Eswar
I also got our Recast RCT tool working on computers in the untrusted domain, but you have to connect to the admin$ share with the publish account and save the credentials for each computer that you want to use the Recast RCT tool on.
Hi Remy,
Yes, true and this is because of untrusted domains.
Thanks,
Eswar
I don't need certificates on the client machines in the untrusted forests?? I don't know if it makes a difference, but the untrusted forests are in a DMZ...
Hi Eswar, I have followed your post and so far the publishing status is successful; however, I am unable to add the untrusted forest.
Hi,
What error do you get when adding the untrusted forest? Any logs with error details?
thanks,
Eswar
Hi Eswar, do you have a write-up for SCCM support between domains with a two-way trust? I have 2 domains, both have SCCM, but we want to decommission one site and manage both domains with one primary. I'm not sure what needs to be done.
SCCM has nothing to do with trust; it works without trust as well. Read these links: https://home.configmgrftw.com/configmgrsccm-domains-forests-trusts-oh/ and https://blogs.technet.microsoft.com/neilp/2012/08/20/cross-forest-support-in-configmgr-2012-part-1-simple-management/
Regards,
Eswar
Amazing post Eswar, helped me achieve merging 20+ untrusted domains to my site :))
20+ untrusted sites, that's amazing, Insaf. Glad you liked it.
Regards,
Eswar
Very nice article. I'm in a similar situation and this is great info. The only difference is that I will also install a DP, MP and SUP in the untrusted forest. Do I still need to create a stub zone in the untrusted forest for the clients? Do the clients still communicate with the primary server?
Thanks
Biga
Clients will only talk to site systems like the MP, SUP and DP, so if you already have these in the untrusted forest for the clients to talk to, then you don't need it, unless you want the clients to talk to the primary site for the MP, SUP etc.
Great Post!! Darkfiberman
Hi, with DNS conditional forwarders the SCCM site server is able to discover and resolve all untrusted clients' FQDNs. However, it seems that SCCM tries to use only short hostnames when making a remote control connection to untrusted domain clients. Is there any setting so that SCCM always handles these with the FQDN? Or any other solution? (W2K16 server infra)
If there is a lot of support activity to untrusted domain clients with SCCM remote control, you always need to give untrusted domain login credentials. Is there any way to make a remote session without the credentials prompt? Making a domain trust is the last option 🙂
I forgot to include the error message I am getting, which is same as yours. Error message: Attempted to perform an authorized operation.
Thank you for this. I do have a question: I am unable to join the primary server in my untrusted forest to my CAS server using an account created in the untrusted forest. Please advise how you joined the SCCM server in the untrusted forest to your local SCCM.
What do you mean by unable to join the primary site server from the untrusted forest? What are you trying to do here? You can install a site server only onto domain-joined machines. Have a look at this article for more information: https://blogs.technet.microsoft.com/neilp/2012/08/24/cross-forest-support-in-configmgr-2012-part-3-deploying-site-server-site-systems-in-an-untrusted-forest/
Regards,
Eswar
Eswar, I can't thank you enough for this post. Great info. It helped me so much with a client that had this kind of requirement.
Hi Tim,
Glad it worked for you.
Regards,
Eswar
Hello Eswar,
I have fewer clients in the untrusted domain, below 5. I tried adding them manually in the console without adding the forest information in the SCCM console. I was able to add the machine, but the client says "No" in the console even after the machine has the client installed (which I did manually). Any thoughts? Is it necessary for us to add the new forest info? Also, I have only two action items on the machines where I installed the client manually specifying the MP name. This is the error I see:
[CCMHTTP] ERROR: URL=http://xx.xx.com/ccm_system_windowsauth/request, Port=80, Options=480, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!>
Nice and clear blog Eswar keep up the good work.
Nice blog, Thanks very much Eswar.
Very Nice, Thanks for sharing this Eswar.
Welcome Raman.
Regards,
Eswar
Hi Eswar,
I have a primary site up and running and I want to install one more site on another network at the same location, where the network is divided by firewalls and there is no internet on the new site (which needs to be installed).
Do I need to install one more primary site and point WSUS to the existing site, making the existing WSUS the upstream server for the new site?
Thanks
Hi,
This is too late to respond, but did you solve it? Do you want to install 1 more primary or just a site system?
Thanks,
Eswar
I am able to install the MP and SUP roles in an untrusted domain, but not the DP role on the same site system. While installing the DP role, it fails to connect to WMI. We have opened all the required ports, but no luck installing the DP role.
Am I missing any permission here?
Hi,
What is the error message? If it is something like "RPC server unavailable", then it is related to firewall ports. Also make sure the account (computer or user) that you use to install the DP role is added to the local admin group.
Thanks,
Eswar
Yes, we are using the system account for the DP role installation and the account is already added to the local admin group. Also, all the ports are open. I am getting the WMI error below.
CWmi::Connect() failed to connect to \\[“Display=\\DMZServerName\”]MSWNET:[“SMS_SITE=ALP”]\\\DMZServerName\\root\CIMv2. Error = 0x80070776
Can you try wbemtest to \\servername\root\cimv2 remotely and see if it works or not?