Cross Forest Support in ConfigMgr 2012 Part 3: Deploying Site Server / Site Systems in an Untrusted Forest.


Introduction –

Up until this point, each scenario in this series has dealt with the management of ‘well connected’ clients. In other words, changes were introduced into existing infrastructure in order to facilitate untrusted, cross-forest client management, but no additional infrastructure was added. This approach may work well in situations such as clients located in a well-connected DMZ forest. In practice, though, situations will arise in which cross-forest clients are not well connected, in which client / site system communication needs to be localized for some other reason, or in which Kerberos authentication must be used to facilitate client approval. In this third posting to the Cross Forest Support in Configuration Manager blog series I will discuss the placement of remote site systems in an untrusted forest. Specifically, I will detail the placement of a Management Point and Distribution Point in the non-trusted forest.


Scenario –

Whereas the previous two examples (example 1 and example 2) assumed a well-connected, DMZ-located forest, this scenario is quite different. Your organization (Houston based) has recently partnered with a new organization. The partner organization has a single physical site in Tokyo containing 900 computers. Each organization has its own AD forest, and at this time no trust will be created between them. The partner organization is impressed with the client management solution your organization uses and would like to bring all Tokyo-located computers into the Configuration Manager environment as soon as possible.

The challenge here is that with 900 remote clients, remote infrastructure (a Distribution Point at minimum) is very likely needed. Once Configuration Manager features such as Operating System Deployment, Application Management, and Software Updates are in use, keeping this content local to the clients becomes very important.


Configuration Overview –

In order to prepare the remote forest to receive a remote site system and ultimately host clients, some or all of the following actions will need to take place. Many of these were covered in article 2 of this series; for those I will refer back to the original article. It is also important to note that these steps need not occur in this order. Client installation or deployment, for instance, needs to be a well thought out and coordinated effort, and what works best for your environment will determine at what point AD System Discovery is enabled for the untrusted forest (if ever). If you have doubts about what will work best for your environment, please consult a Premier Field Engineer or other experienced party.

High Level Steps:

  • Enable Forest Discovery (Refer to Article 2)
  • Configure Site Publishing for the non-trusted forest. This is optional however can offer a more flexible administrative experience (Refer to Article 2).
  • Ensure boundary and boundary groups have been configured for the remote forest.
  • Create a Site System Server in the Remote Forest.
  • Add the desired site system roles to the site system server.
  • Configure AD System Discovery (Refer to Article 2).
  • Configure Client Push Installation (Refer to Article 2).


Creating the Site System Server and Deploying the DP / MP –

I will not detail each step required to deploy a Management Point or Distribution Point. Needless to say, the host computer in the non-trusted forest will need to be prepared for each role that will be installed. Refer to the following article for the Windows-side configuration needed for each role.

Prepare the Windows Environment for Configuration Manager – http://technet.microsoft.com/en-us/library/gg712264.aspx

What I will highlight is the configuration that is unique to deploying infrastructure in a non-trusted forest.

To start, we need to initiate the Create Site System Wizard.

Adding the new Site System Server

On the General page of the wizard, two settings need to be accounted for.

  • Require the site server to initiate connections to this site system must be selected. Because there is no trust, the remote site system’s computer account is unknown to the site server’s forest and cannot open authenticated connections back to the site server; with this setting the site server initiates every connection itself (using the installation account below), and the untrusted site system never needs to connect inbound. More information on this setting – Security and Privacy for Site Administration in Configuration Manager.
  • Secondly, specify a Site System Installation Account that will be used to install the site system components. This must be an account from the non-trusted forest that has local administrative rights on the remote site system; the default (the site server’s computer account) cannot be used, because that account is not recognized in the non-trusted forest.

Create Site System Wizard with the two settings necessary for non-trusted forest communication.

Select the roles to be installed on the remote site system. Each role can be installed into the non-trusted forest with the exception of the Out of Band Service Point and the Application Catalog Web Service Point. For the most part this process is identical to installing the role in a trusted forest, so I will not walk through every step for each role; instead I will call out only the configuration that is specific to the non-trusted forest scenario.

For information on configuring each role, refer to this article – Install and Configure Site System Roles for Configuration Manager – http://technet.microsoft.com/en-us/library/hh272770.aspx

Select both the Distribution Point role and the Management Point role.

In order for the Management Point to function in a non-trusted forest, ensure that a Management Point Database Connection Account has been specified with the appropriate access to the Configuration Manager site database. The default, using the management point’s computer account, cannot work here: that computer account belongs to the non-trusted forest, and the SQL Server hosting the site database cannot authenticate it. Specify a domain user account that the SQL Server’s forest can authenticate (in this scenario, an account from the Houston forest); the site grants that account membership in the smsdbrole_MP database role. Note that Configuration Manager only supports Windows authentication to the site database, so a SQL-authenticated login is not an alternative.

Configure Management Point database connection account

If this step is missed you will see the following in mpcontrol.log – “logon failed. The logon is from an untrusted domain and cannot be used with Windows authentication”

Mpcontrol.log – looks bad.

When configured correctly, mpcontrol.log will return the following –

Mpcontrol.log – looks good.
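To make the two mpcontrol.log states above checkable without reading the log by eye, here is an added example (my code, not part of the original post) in PowerShell. It parses CMTrace-format log lines, flags the untrusted-domain logon failure, and then confirms that the database connection account is a member of the smsdbrole_MP role in the site database. The SQL server name SQL01.houston.local, the database CM_HOU, the account HOUSTON\svc_cm_mpdb and the sample log lines are all constructed for the example.

```powershell
# Added example, not code from the original post. Assumed (illustrative) names:
# SQL server SQL01.houston.local, site database CM_HOU, MP database connection
# account HOUSTON\svc_cm_mpdb (an account from the SQL server's own forest).

# CMTrace entries look like:
# <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="mm-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
# type 1 = informational, 2 = warning, 3 = error.
function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Line)
    $pattern  = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.Date
                Time      = $Matches.Time
                Component = $Matches.Component
                Severity  = $severity[$Matches.Type]
                Message   = $Matches.Message
            }
        }
    }
}

# Returns only the entries showing that the MP could not authenticate to SQL.
function Find-MPUntrustedLogon {
    param([Parameter(Mandatory)][string[]]$Line)
    ConvertFrom-CMTraceLog -Line $Line | Where-Object { $_.Message -match 'untrusted domain' }
}

# True when $AccountName is a member of smsdbrole_MP in the site database.
# Run from an account that can read the site database over Windows authentication;
# for a named instance use "Server=host\instance".
function Test-MPDatabaseRole {
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$AccountName
    )
    $query = @"
SELECT dp.name
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals dp ON rm.member_principal_id = dp.principal_id
WHERE r.name = 'smsdbrole_MP'
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Database=$Database;Integrated Security=True")
    $members = @()
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $members += $reader.GetString(0) }
        $reader.Close()
    } finally {
        $conn.Close()
    }
    # -contains compares strings case-insensitively, matching SQL's default collation behaviour for login names.
    return ($members -contains $AccountName)
}

# --- Usage -------------------------------------------------------------------
# Constructed sample lines standing in for a real mpcontrol.log.
$sample = @(
    '<![LOG[Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK]LOG]!><time="10:01:02.100+000" date="05-01-2013" component="SMS_MP_CONTROL_MANAGER" context="" type="1" thread="4120" file="mpcontrol.cpp:1000">',
    '<![LOG[logon failed. The logon is from an untrusted domain and cannot be used with Windows authentication]LOG]!><time="10:01:03.100+000" date="05-01-2013" component="SMS_MP_CONTROL_MANAGER" context="" type="3" thread="4120" file="mpcontrol.cpp:1000">'
)
Find-MPUntrustedLogon -Line $sample | Format-Table Date, Time, Severity, Message -AutoSize

# Against the live log on the remote MP (path is typical, adjust to your install):
# Find-MPUntrustedLogon -Line (Get-Content 'C:\Program Files\SMS_CCM\Logs\mpcontrol.log')
# Test-MPDatabaseRole -SqlServer 'SQL01.houston.local' -Database 'CM_HOU' -AccountName 'HOUSTON\svc_cm_mpdb'
```

If the role check returns False after the error has been seen, correct the account on the Management Point component properties rather than creating a SQL login by hand; in particular do not fall back to a SQL-authenticated login, which Configuration Manager does not support for the site database.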

Finally, if the Configuration Manager site is configured to publish to the non-trusted forest, we can observe the published MPs from both forests.

ADUC in the non-trusted forest
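The ADUC view above can be reproduced from the site server side without any trust: an LDAP bind with explicit credentials from the non-trusted forest is enough to read its System Management container. The following added example (my code, not the original post’s) lists the mSSMSManagementPoint objects published there. The domain controller tokyo-dc01.tokyo.partner.local, the domain DN and the account TOKYO\cm_reader are assumed names.

```powershell
# Added example, not code from the original post. Assumed names: DC
# tokyo-dc01.tokyo.partner.local, domain DC=tokyo,DC=partner,DC=local, reader
# account TOKYO\cm_reader (any account with read access to the container).

function Get-CMPublishedMP {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$DomainDN,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    # Published site data lives under CN=System Management,CN=System,<domain>.
    $path = "LDAP://$DomainController/CN=System Management,CN=System,$DomainDN"

    # AuthenticationTypes::Secure negotiates Kerberos/NTLM with the supplied
    # credentials; across an untrusted forest this ends up as NTLM. It avoids a
    # simple bind, which would send the password in clear text over LDAP.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $path,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=mSSMSManagementPoint)'
    foreach ($p in 'cn', 'mSSMSMPName', 'mSSMSSiteCode', 'mSSMSDefaultMP', 'dNSHostName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        # ResultPropertyCollection keys are lower-cased.
        [pscustomobject]@{
            Name      = [string]$r.Properties['cn'][0]
            MPName    = [string]$r.Properties['mssmsmpname'][0]
            SiteCode  = [string]$r.Properties['mssmssitecode'][0]
            DefaultMP = [string]$r.Properties['mssmsdefaultmp'][0]
            DnsName   = [string]$r.Properties['dnshostname'][0]
        }
    }
}

# Usage (prompts for the password of the non-trusted forest account):
# $cred = Get-Credential 'TOKYO\cm_reader'
# Get-CMPublishedMP -DomainController 'tokyo-dc01.tokyo.partner.local' `
#                   -DomainDN 'DC=tokyo,DC=partner,DC=local' -Credential $cred | Format-Table -AutoSize
```

An empty result with no bind error means publishing is enabled but nothing has been written yet (or the site server’s publishing account lacks rights on the container), which is exactly the symptom the commenter below reports from SMS_SITE_COMPONENT_MANAGER.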

Important Note – ensure that each site system, regardless of forest membership, has a unique NetBIOS name. If duplicate site system names are configured, content distribution will potentially fail with the following error logged to distmgr.log (0x800706ba is RPC_S_SERVER_UNAVAILABLE, the RPC server is unavailable):

ERROR DPConnection::ConnectWMI() – Failed to connect to <insert server> error = 0x800706ba
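The errors reported in the comments on this post (Site Component Manager “network path was not found” or “user name or password is incorrect”, the RPC/DCOM failures, and the 0x800706ba WMI error above) commonly come down to name resolution, blocked RPC/SMB ports between the forests, or an installation account that is not a local administrator on the remote box. The following added example (my code, not the original post’s) runs those checks from the site server before the wizard is used. The remote name TOKYO-CM01.tokyo.partner.local, the account TOKYO\svc_cm_install and the list of existing site system names are assumptions.

```powershell
# Added example, not code from the original post. Run on the site server
# (Windows Server 2012 R2 or later for Test-NetConnection / Resolve-DnsName).
# Assumed names: remote site system TOKYO-CM01.tokyo.partner.local and the
# installation account TOKYO\svc_cm_install, a local administrator on that box.

function Test-UntrustedSiteSystemPrereq {
    param(
        [Parameter(Mandatory)][string]$RemoteFqdn,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$InstallCredential,
        [string[]]$ExistingSiteSystemNames = @()   # NetBIOS names already used by site systems in the hierarchy
    )
    $result = [ordered]@{ RemoteFqdn = $RemoteFqdn }

    # 1. NetBIOS name must be unique across forests; a duplicate produces the
    #    distmgr DPConnection::ConnectWMI ... 0x800706ba failure noted above.
    $netbios = ($RemoteFqdn -split '\.')[0]
    $result.UniqueNetBIOSName = -not ($ExistingSiteSystemNames -contains $netbios)

    # 2. The site server must resolve the remote FQDN; with "require the site
    #    server to initiate connections" every connection starts here.
    $result.DnsResolves = [bool](Resolve-DnsName -Name $RemoteFqdn -ErrorAction SilentlyContinue)

    # 3. Site server -> site system ports: 445 (SMB, file copy and admin$),
    #    135 (RPC endpoint mapper, used by WMI/DCOM). DCOM then moves to a
    #    dynamic high port, so a good 135 result alone does not prove WMI works;
    #    step 4 is the real test.
    foreach ($port in 135, 445) {
        $result["Tcp$port"] = (Test-NetConnection -ComputerName $RemoteFqdn -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 4. WMI with the installation account. The site server's computer account
    #    cannot authenticate in the untrusted forest, so explicit credentials are
    #    required; this is the path Site Component Manager and distmgr depend on.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $RemoteFqdn -Credential $InstallCredential -ErrorAction Stop
        $result.WmiWithInstallAccount = $true
        $result.RemoteOS = $os.Caption
    } catch {
        $result.WmiWithInstallAccount = $false
        $result.WmiError = $_.Exception.Message
    }

    # 5. admin$ reachable with the installation account (bootstrap files are
    #    copied there during site system installation).
    try {
        New-PSDrive -Name CMPreflight -PSProvider FileSystem -Root "\\$RemoteFqdn\admin$" -Credential $InstallCredential -ErrorAction Stop | Out-Null
        $result.AdminShare = $true
        Remove-PSDrive -Name CMPreflight
    } catch {
        $result.AdminShare = $false
        $result.AdminShareError = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Usage:
# $cred = Get-Credential 'TOKYO\svc_cm_install'
# Test-UntrustedSiteSystemPrereq -RemoteFqdn 'TOKYO-CM01.tokyo.partner.local' `
#     -InstallCredential $cred -ExistingSiteSystemNames @('HOU-CM01', 'HOU-DP01')
```

A False in WmiWithInstallAccount with Tcp135 True usually points at the DCOM dynamic port range or at the account not being a local administrator on the remote system; a False in Tcp445 or DnsResolves points at the firewall or DNS between the forests, which is what the “network path was not found” reports in the comments describe.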


Client Discovery and Client Installation –

At this point, when client installation (ccmsetup.exe) is executed, the client binaries will be downloaded from the new MP/DP that has been introduced into the site, and clients will use this MP/DP for policy requests, content access, and many other activities. As mentioned before, client installation will need to be a coordinated effort. A simple configuration at this point would be to configure AD System Discovery for the non-trusted forest and, once discovery completes, let Client Push Installation handle client deployment. This was detailed in my previous article.


A quick bit on client approval –

If you recall, in the previous two examples, in which the non-trusted forest did not contain a management point, the client remained in an unapproved state after installation (assuming the default approval setting of “Automatically approve computers in trusted domains” has not been changed). With the configuration shown in this example, the presence of an MP in the non-trusted forest allows clients residing in that forest to be approved automatically (again, assuming the hierarchy settings have not been changed from their defaults), because a client can now authenticate to an MP in its own domain using Kerberos instead of falling back to an MP that does not recognize its computer account.


Conclusion –

In this article I have detailed the deployment of a remote site system server into a non-trusted forest. This type of site configuration can be beneficial when there is a need to localize content or client traffic. This example, along with those provided in the previous two postings in this series, provides three different examples of managing clients in a non-trusted forest. This concludes the discussion of untrusted forests. In the next and final posting in this series we will go all the way and discuss what it takes to add a child site (primary or secondary) in a separate forest.


Comments (26)

  1. Anonymous says:

    Thank you. We have a one-way trust environment and we will go with the Part 3 scenario (MP+DP+SUP) on a server sitting in the DMZ behind the firewall.

  2. hassan sayed issa20014 says:

    thanks

  3. Anonymous says:

    Mitchawkes, if I understand your question correctly, while you cannot specify an MP for client communication within a site, clients will use the MP residing in their forest by default.

    NP

  4. Fred_HP says:

    Can software update and OSD work with having MP and DP in the untrusted domain and SUP role in the primary server?

  5. Anonymous says:

    Neil, first of all thanks for a great piece of information.

    I am experiencing two problems, however, implementing this scenario.

    After defining the MP in the untrusted domain, I receive about 500 DCOM errors on my primary site server every half hour approx.:

    The description for Event ID 10009 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    Is anyone here able to tell me what causes these errors? I have a test and a production setup of this config in the same 2 domains and have these errors in both environments. Firewalls are turned off and DCOM security is set to the lowest possible level. Anyone got a clue?

    Also the SMS_SITE_COMPONENT_MANAGER is complaining about not being able to publish the site properties in AD. The computer account does have rights on the System Management container however.

  6. Ed (DareDevil57) says:

    awesome post, thanks for sharing.

  7. Timbo says:

    Hi,

    Great article really got me started in the right direction for what we were after.

    One question though:

    I have configured configmgr primary site in forest A and it works fine, it has SQL separate to the site server.

    I have setup a secondary site server as a management and distribution point in untrusted forest B.

    This worked fine, I can deploy agents to other servers in both forests and I have full forest discovery.

    The issue I have is the fact that the SQL server is reporting:

    SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. [CLIENT: IP Here].

    Using Netlogon I can see that the primary site server in forest A (With the SQL server) is trying to pass authentication from the secondary site server in forest B and failing.

    The Site System properties shows that the account is from forest B, but the Management Point SQL connection properties are using the SQL access account from forest A.

    Can you please give any guidance on where I have gone wrong please?

    Thanks.

  8. Frank V says:

    Hi,

    Great document.

    I m trying to install a new site system in my DMZ.

    My DMZ has a non trusted domain.

    I tried to like this document explains but I am stuck.

    I added the new site system as explained here above.

    But when I look at the SMS_SITE_COMPONENT_MANAGER I see errors :

    Site Component Manager could not access site system "\\SVSIM222.FASCO.LOCAL". The operating system reported error 2147942453: The network path was not found.

    Possible cause: The site system is turned off, not connected to the network, or not functioning properly.

    Solution: Verify that the site system is turned on, connected to the network, and functioning properly.

    Possible cause: Site Component Manager does not have sufficient access rights to connect to the site system.

    Solution: Verify that the Site Server's computer$ account has administrator rights on the remote site system.

    Possible cause: Network problems are preventing Site Component Manager from connecting to the site system.

    Solution: Investigate and correct any problems on your network.

    Possible cause: You took the site system out of service and do not intend on using it as a site system any more.

    Solution: Remove this site system from the list of site systems for this site. The list appears in the Site Systems node of the Administrator console.

    Could not read registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\MP\Hardware Inventory" on computer SVSIM222.FASCO.LOCAL. The operating system reported error 53: The network path was not found.

    SVSIM222.FASCO.LOCAL is my server in a domain in DMZ.

    I can't ADD the computeraccount of my Site server on internal network because it's another domain. Not trusted.

    Any idea ?

    Regards

  9. Mitchawkes says:

    Hello and thank you for this article

    But I have a question. The use of role management point is it possible in this case, knowing that you can not force the SCCM agents to use a specific MP in same primary site, for a remote physical site, located in a separate forest ?

    Regards

    MP

  10. Mitchawkes says:

    Neil,

    Ah cool !

    Thank you for your response !

    MP

  11. Mitchawkes says:

    Hello,

    Just another question. How to manage the single network access account declared in the primary site (Forest A), for the distribution point located in Forest B Approved or not?

    Regards,

    Mitchawkes

  12. Guido says:

    @Frank V: I have similar issues – have you been able to resolve this error?

  13. Marc says:

    Great article, I just have one question. How should access to the MP be set up? I keep getting the ‘logon failed. The logon is from an untrusted domain and cannot be used with Windows authentication’ error. Should I create a login on the SQL Server using SQL Authentication?

    I'd like to see some more details on this.

    Thanks :)

  14. Faisal says:

    Hi Neil

    We want to deploy SCCM 2012 for our 10 different clients. So that's means we have 10 different forest across different locations. What will be the best possible solution have them connected with our Data Centre SCCM 2012 Primary site?

    Thanks

    Faisal

  15. markkuh says:

    Hi Neil,

    Thank you for excellent descriptions.

    Can you please reply “no official note” from scenario 3:

    • Supported by CSS  

    • Non Microsoft best practises

    I need to add this information to my planning documentation for future reviews, when SCCM supportability reviews or RAP’s are going to be held.

    My customer IT-Sec do not allow any trusts between AD’s.

    Still one Operational Management platform is requirement.

    /thanks for help and guidance.

    markkuh

  16. David says:

    I have some problems with the installation of the DP/SUP/MP.

    Site Component Manager could not access site system "\\DMZ-SCCM01-V.DMZ.LOCAL". The operating system reported error 2147943726: The user name or password is incorrect.

    Possible cause: The site system is turned off, not connected to the network, or not functioning properly.
    Solution: Verify that the site system is turned on, connected to the network, and functioning properly.

    Possible cause: Site Component Manager does not have sufficient access rights to connect to the site system.
    Solution: Verify that the Site Server’s computer$ account has administrator rights on the remote site system.

    Possible cause: Network problems are preventing Site Component Manager from connecting to the site system.
    Solution: Investigate and correct any problems on your network.

    Possible cause: You took the site system out of service and do not intend on using it as a site system any more.
    Solution: Remove this site system from the list of site systems for this site. The list appears in the Site Systems node of the Administrator console.

    Is it necessary for the untrusted site server to have access to the internal DC, so it can resolve the internal site server computer account?

    I have used your guide all the way. But I think I missed something about the port/fw.
    Great guide by the way.

  17. Gurdeep says:

    As per Marc's comment below: Can you please shed some light on how to get the access account authenticated with SQL. Don't you think we would need the one-way trust at least?

    Great article, I just have one question. How should access to the MP be set up? I keep getting the ‘logon failed. The logon is from an untrusted domain and cannot be used with Windows authentication’ error. Should I create a login on the SQL Server using SQL Authentication?

    I’d like to see some more details on this.

    Thanks :)

  18. Paul Sanders says:

    Hi Faisal,

    It sounds like you are wanting to deploy SCCM to manage un-trusted machines, so ideally you want to build SCCM so that it is multi tenant aware.

    I would personally recommend treating each client as an ‘Internet Based Client’ that connect to your management points that are accessible via the internet (a reverse proxy of sorts.

    This will give some limitations, but you would still be able to deploy software, asset intelligence etc. You wont be able to use AD discovery, but could rollout your client using a powershell script or group policy.

    Thanks

    Paul

  19. Kevin says:

    Great article and refresher while setting up the environment with 2012 R2. In the past we have set this up using kb2689646 as a reference where the SQL server and SCCM site server were not on the same box on the internal network. We had to create a local account on the SQL box and give it rights to login to match what is out on the external / DMZ network.

  20. vlu says:

    Hi.

    If we want to manage the clients in the untrusted domain with SCCM 2012, do we have to extend the untrusted domain schema for SCCM?

    thx

  21. NicoFa says:

    Hi,

    Technet (https://technet.microsoft.com/fr-fr/library/gg682077.aspx) says not to position an MP across a slow link from its primary site (a primary site supports 10 MPs), and that a secondary site supports a single MP.

    So what’s the best way to manage ~15 remote clients which are in an untrusted forest ?

    Thanks,

    Nicolas

  22. Ruben Garcia says:

    Hi. Great article to help people like me, who are implementing the untrusted forest scenario nowadays.

    In my scenario I installed the Management Point role in the untrusted forest with no problem, but when tried to install the distribution point role, it shows the error:

    Failed to remote execute msiexec.exe /norestart /i \\………\SMS_DP$\sms\bin\msxml6_x64.msi /qn. hr = 0x80010108

    Failed to configure MSXML 6.0 on DP ……….

    What could be the problem?

    Thanks

    Ruben Garcia

  23. Ruben Garcia says:

    Just to update the previous post. I solved the problem. The issue was caused by a firewall issue. The firewall was blocking the RPC traffic.

    Best Regards

  24. Mark A-G says:

    Hi Guys

    Just thought I’d add an important point that was hindering my communication between the forests. Everything was working except the WMI communication; for us it was only functional one way, based on the trust we have in place. In our case the site server domain trusted the remote forest’s domain. The site server required port 88 opened up to the DCs in the other forest. This is in addition to the documented SCCM required DC LDAP communication.

    Thought I should mention it somewhere as there is absolutely no mention of this fix anywhere on the internet.

  25. Bindusar Kushwaha says:

    With the configuration as shown in this example the presence of an MP in the non-trusted forest allows for the auto approval of clients residing in the non-trusted forest (again, assuming the hierarchy settings have not been changed from their defaults).

    Please note that this behaviour was broken in SCCM 2012 R2 SP1 CU1 (SCCM 2012 SP2 CU1) and its fixed again in SCCM 2012 R2 SP1 CU2 (SCCM 2012 SP2 CU2). So, as always, I would recommend to install latest updates on regular interval.

  26. Carlos de Souza says:

    Hi, it seems the behaviour that Bindusar Kushwaha is talking about is still broken in (SCCM 2012 SP2 CU2); the client still does not get automatic approval even when the MP is deployed in a non-trusted forest.

    Can you guys give an update on this matter?

    Thank you,

    "With the configuration as shown in this example the presence of an MP in the non-trusted forest allows for the auto approval of clients residing in the non-trusted forest (again, assuming the hierarchy settings have not been changed from their defaults).

    Please note that this behaviour was broken in SCCM 2012 R2 SP1 CU1 (SCCM 2012 SP2 CU1) and its fixed again in SCCM 2012 R2 SP1 CU2 (SCCM 2012 SP2 CU2). So, as always, I would recommend to install latest updates on regular interval."