
I have an implementation of SCCM 2007 in forest "A" that manages hosts in that Windows 2008 forest. There is another forest/domain, "B", with which I have no trust, that I need to manage hosts in as well. I don't need to push out clients from the SCCM console; I am going to install them manually. I just need the hosts in domain "B" to connect back to the forest/domain "A" for management purposes. To date, I have not added any AD objects to domain "B" for hosts to query for site, SLP or management point info.

I am installing the hosts with the command line:

ccmsetup.exe /mp:SCCM_Server /site:mysite

SCCM_Server = FQDN of my sccm server (which is resolvable by the client)

There are no ACLs between the two servers.

From the logs, I can see the install complete and the client tries to query the local AD for the site info for "mysite" but it can't find it and it stops and never connects.

Can anyone give me some direction as to how this should be set up?

BoxerBucks

2 Answers

1

We have this setup for managing machines (mainly virtuals) in our development environment from our live environment's SCCM infrastructure. These are totally separate forests with a fairly stringent firewall between them. We mainly only use it for OS/app patching via SCCM Software Updates, and limited hardware/software inventory reporting.

Once we'd opened up the required ports in the firewall between the environments, all we needed was to use the correct command line when installing the SCCM client on the dev machines. We use this command line:

\\server\share\ccmsetup.exe /mp:siteserver.fqdn smssitecode=SMS ccmhttpport=50010 smsslp=siteserver.fqdn FSP=fspservername

Obviously the fallback status point is optional (but highly recommended for troubleshooting, especially if you're currently having problems installing clients), and there's no need to specify the port if you're using the standard port.

We found that installs were failing to connect properly to the site until we properly specified the site code and SLP server in the install string.

Update: See this new TechNet article, Using ConfigMgr 2007 to Manage Clients in a Workgroup or Un-Trusted Domain.

GAThrawn
  • Awesome. Thanks. I will try this setup string today. – BoxerBucks Mar 14 '11 at 11:46
  • One thing I had not enabled as a site service was the Site Location Point role. Apparently this isn't installed by default. When my clients were initially configuring themselves they couldn't retrieve site info from AD, so they fell back to the SLP specified on the command line. When I installed this role, everything started working and the client showed up in the All Systems collection. – BoxerBucks Mar 14 '11 at 14:20
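The accepted answer and the follow-up comment together describe the working recipe: the client in the foreign forest cannot find site information in its own AD, so the management point must be resolvable by name, the client HTTP port must be open through the inter-forest firewall, and the site code and SLP must be handed to ccmsetup on the command line. The PowerShell below is an added example, not code from the answer or from Microsoft: it runs those pre-flight checks on the client before invoking ccmsetup with the same property set the answer uses. All server names, the site code, the port and the installer path are placeholder assumptions to be replaced with your own values.

```powershell
# Added example (not from the original answer). Pre-flight checks and a ccmsetup
# invocation for a ConfigMgr 2007 client in a forest with no trust to the site.
# Every value in this block is an assumed placeholder for your own environment.
$ManagementPoint = 'siteserver.fqdn'            # assumed: MP FQDN, must resolve from the client
$SiteCode        = 'SMS'                        # assumed: three-character site code
$SlpServer       = 'siteserver.fqdn'            # assumed: server location point (SLP role must be installed)
$FspServer       = 'fspservername'              # assumed: fallback status point, optional but useful for troubleshooting
$HttpPort        = 80                           # assumed: client HTTP port; set to your custom port if you use one
$Installer       = '\\server\share\ccmsetup.exe' # assumed: reachable copy of ccmsetup.exe

# TCP reachability test with a timeout, using .NET so no extra modules are required.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Without AD site publishing in this forest, DNS resolution of the MP is the
#    first thing that must work; fail fast instead of letting ccmsetup stall.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($ManagementPoint)
    Write-Host "MP $ManagementPoint resolves to $($addresses -join ', ')"
} catch {
    throw "Cannot resolve $ManagementPoint from this client; fix DNS before installing."
}

# 2. The client talks to the MP over HTTP on $HttpPort; confirm the firewall allows it.
if (-not (Test-TcpPort -HostName $ManagementPoint -Port $HttpPort)) {
    throw "TCP $HttpPort to $ManagementPoint is blocked; open it on the inter-forest firewall."
}

# 3. Build the ccmsetup command line: the MP switch plus the site code and SLP
#    properties that the answer found were required for the client to attach.
$arguments = @(
    "/mp:$ManagementPoint",
    "SMSSITECODE=$SiteCode",
    "SMSSLP=$SlpServer",
    "FSP=$FspServer"
)
if ($HttpPort -ne 80) { $arguments += "CCMHTTPPORT=$HttpPort" }

Write-Host "Running: $Installer $($arguments -join ' ')"
$proc = Start-Process -FilePath $Installer -ArgumentList $arguments -Wait -PassThru

# ccmsetup.exe bootstraps and hands the real work to its service, so a zero exit
# code here only means the bootstrap started; the outcome is in ccmsetup.log.
if ($proc.ExitCode -ne 0) {
    throw "ccmsetup bootstrap returned exit code $($proc.ExitCode)."
}

# 4. Show the tail of ccmsetup.log. Its folder varies by version and architecture,
#    so look under both common roots (assumed locations).
$logRoots = @("$env:windir\ccmsetup", "$env:windir\system32\ccmsetup")
$log = $logRoots | Where-Object { Test-Path $_ } |
       ForEach-Object { Get-ChildItem -Path $_ -Filter ccmsetup.log -Recurse -ErrorAction SilentlyContinue } |
       Select-Object -First 1
if ($log) {
    Write-Host "Last lines of $($log.FullName):"
    Get-Content $log.FullName -Tail 20
} else {
    Write-Warning 'ccmsetup.log not found yet; check again once the ccmsetup service has run.'
}
```

The two checks at the top reproduce, in order, the failure modes described on this page: a name that does not resolve, and a port that the firewall between the forests drops. The command line itself matches the answer's string; if a client still never appears in All Systems after this, the comment above points at the remaining cause, an SLP that is not actually installed as a site system role.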
0

What you want in this case is against Microsoft's published best practices, as it breaches administrative boundaries, which should end within a forest.

But that doesn't say it can't be done. See here for more information: SCCM across UNTRUSTED Forests

And here you will find how to do it within the Microsoft best practices. In Microsoft's scenario there must be a two-way trust between the forests, or an external trust between the site server's domain and the site system's domain: Configuration Manager in Multiple Active Directory Forests

Guido van Brakel
  • I read that article. I want to try and avoid having to stand up a primary site in the managed forest and have to extend the schema. Maybe it can't be done. – BoxerBucks Mar 14 '11 at 02:10