Friday, November 04, 2011 8:37 PM
Hello, I have a question about multiple sites and internet management. I have primary parent (central) site AA1 and a primary site, BB1, that is a child of AA1. All sites are SCCM 2007 R3 full native mode.
I have recently deployed Internet Client Management in our DMZ, which is installed in site BB1. Site AA1 is back office and has no DMZ (no access from the internet) and is linked to BB1 via a sonet ring (and is accessible from the internet).
Currently I have members of site BB1 using Internet management and it is working just fine. However, I want clients (laptops) of site AA1 to be able to use the Internet Management Points of BB1 when they are on the internet, however I have been unable to get this to work. I essentially want them to roam to BB1 when on the internet. From what I have read on technet is that members of parent sites can roam to child sites.
However, I get the following error in the CertificateMaintenance log: MP site code 'BB1' on server auth header does not match any known site code.
I also get the following error in ClientLocation log: Current Management Point is sccm.publicdomain.com with version 0 and capabilities: .
Is what I am wanting to do possible? If so, any thoughts on why it is not working? Thanks for the help!
Saturday, November 05, 2011 2:53 AM
Is your hierarchy extended Active Directory Schema??
Saturday, November 05, 2011 2:34 PM
Thanks for the reply. Yes, site AA1 and BB1 are part of the same active directory domain with the schema extended. The internet site systems are in another domain/forest (one-way trust), the schema is not extended in that forest because there are no intranet site systems (does it need to be?) Thoughts? Thanks!
- Edited by bcehr Thursday, November 10, 2011 3:23 PM
Wednesday, November 16, 2011 7:01 PM
Anyone have any info on this??
- Edited by bcehr Tuesday, November 29, 2011 9:58 PM
Wednesday, January 04, 2012 5:38 PM Moderator
I want clients (laptops) of site AA1 to be able to use the Internet Management Points of BB1 when they are on the internet, however I have been unable to get this to work. I essentially want them to roam to BB1 when on the internet. From what I have read on technet is that members of parent sites can roam to child sites.
No, this isn't supported by Configuration Manager, which is why you can't get it to work. Roaming to other sites is supported on the intranet only, and requires boundary information that uses intranet addresses. For clients to be managed when they are on the Internet, you must assign them to a site that has Internet-based site system roles (AA1 in your current design, or deploy Internet-based client management in AA1) and specify the Internet-based management point.
From "Prerequisites for Internet-Based Client Management" (http://technet.microsoft.com/en-us/library/bb633122.aspx):
Clients must be configured to use the Internet-based management point from their assigned site....Clients cannot use an Internet-based management point (or any other Internet-based site systems) from another site.
- Marked As Answer by Carol Bailey, Microsoft Employee, Moderator Wednesday, January 04, 2012 5:38 PM
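For triaging other clients that show the same symptom, the following is an added example and not part of the thread: a small Python parser that scans client log text for the two messages quoted in the question and flags a management point whose site code differs from the client's assigned site. It assumes the CMTrace-style `<![LOG[...]LOG]!>` line format used by Configuration Manager client logs; the sample lines (timestamps, thread ids, file names) are constructed, and the assigned site code is supplied by the caller.

```python
import re

# CMTrace-style line: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
LOG_LINE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR = re.compile(r'(\w+)="([^"]*)"')
# The two message texts quoted in the original question.
SITE_MISMATCH = re.compile(r"MP site code '(?P<site>\w+)' on server auth header "
                           r"does not match any known site code")
CURRENT_MP = re.compile(r"Current Management Point is (?P<mp>\S+) with version (?P<ver>\d+)")

# Constructed sample input: only the message texts come from the thread.
SAMPLE_LOG = '''<![LOG[Constructed unrelated message.]LOG]!><time="20:31:06.900+240" date="11-04-2011" component="ClientLocation" context="" type="1" thread="2040" file="constructed.cpp:1">
<![LOG[MP site code 'BB1' on server auth header does not match any known site code.]LOG]!><time="20:31:07.101+240" date="11-04-2011" component="CertificateMaintenance" context="" type="3" thread="2040" file="constructed.cpp:2">
<![LOG[Current Management Point is sccm.publicdomain.com with version 0 and capabilities: .]LOG]!><time="20:31:07.350+240" date="11-04-2011" component="ClientLocation" context="" type="1" thread="2044" file="constructed.cpp:3">
'''

def parse(text):
    """Yield (message, attribute dict) for every CMTrace-style entry in text."""
    for m in LOG_LINE.finditer(text):
        yield m.group('msg'), dict(ATTR.findall(m.group('attrs')))

def triage(text, assigned_site):
    """Return findings for entries matching the symptoms described in the thread."""
    findings = []
    for msg, attrs in parse(text):
        base = {'when': f"{attrs.get('date', '?')} {attrs.get('time', '?')}",
                'component': attrs.get('component', '?')}
        m = SITE_MISMATCH.search(msg)
        if m and m.group('site').upper() != assigned_site.upper():
            # The MP answering belongs to a site other than the assigned one.
            findings.append({**base, 'issue': 'internet-mp-from-other-site',
                             'mp_site': m.group('site'), 'assigned_site': assigned_site})
            continue
        m = CURRENT_MP.search(msg)
        if m and m.group('ver') == '0':
            # Accompanying symptom reported in the question: version 0, no capabilities.
            findings.append({**base, 'issue': 'mp-version-0', 'mp': m.group('mp')})
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG, 'AA1'):
        print(finding)
```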
Wednesday, January 04, 2012 7:12 PM
Carol, thanks for clarifying this requirement. Is this requirement also present in SCCM 2012? Or does SCCM 2012 change this at all? Thanks!
Wednesday, January 04, 2012 8:10 PM Moderator
No changes to this design in System Center Configuration Manager 2012. This isn't the right place to ask questions about pre-release versions, but since you asked .... from the Frequently Asked Questions page (http://technet.microsoft.com/en-us/library/gg682088.aspx)
What improvements have you made for Internet-based client management?
Configuration Manager contains many improvements since Configuration Manager 2007 to help you manage clients when they are on the Internet:
- Configuration Manager supports a gradual transition to using PKI certificates, and not all clients and site systems have to use PKI certificates before you can manage clients on the Internet. For more information, see Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management.
- The certificate selection process that Configuration Manager uses is improved by using a certificate issuers list. For more information, see Planning for the PKI Trusted Root Certificates and the Certificate Issuers List.
- Unless the Configuration Manager client is installed on the Internet or is configured as Internet-only, you no longer have to configure the client with an Internet-based management point. Instead, the client will automatically retrieve a list of Internet-based management points when it is on the intranet.
- Although deploying an operating system is still not supported over the Internet, you can deploy generic task sequences for clients that are on the Internet.
- If the Internet-based management point can authenticate the user, user policies are now supported when clients are on the Internet. This functionality supports user-centric management and user device affinity for when you deploy applications to users.
- Marked As Answer by Carol Bailey, Microsoft Employee, Moderator Saturday, April 28, 2012 2:15 PM
Wednesday, January 04, 2012 8:19 PM
Great info, thanks Carol!