Un-Trusted Cross Forest Communication

  • Question

  • I am working with an infrastructure in which there are about 8 forests. Currently, there are no trusts that support Kerberos (two-way forest trusts). The network connectivity is 'fast' for all forests and the number of clients is well below 100,000. I have the boundary groups configured correctly (pointing to the sites/subnets within the respective forests). Clients are getting the MP from AD correctly, as SCCM is set for publishing the site. Adding trusts is not an option (currently) in order to add Primary Sites (+ that seems to be a lot of DB replication/support for an infrastructure of about 2000 systems total), and administration is not a concern as the forests are managed by the same SCCM admins.

    My goal was to install an SCCM SP1 standalone Primary Site in the "Management" forest and install site systems (MP, DP and SUP) in the other forests in order to help control client traffic between forests. As I am working with and learning more about 2012, it seems as though that is not possible with rotating MP assignments and multiple SUPs. The networking team would prefer to limit the number of ports opened and/or the number of clients using these ports between forests. Are there any tricks of the trade ;) that will help me ensure systems within the forest look to the site systems within the forest (at least as the 1st option) without a Primary or Secondary site in all these forests? I would appreciate any help. Thanks in advance.

    Thursday, May 1, 2014 6:57 PM

Answers

  • Is the statement above correct?

    Yes, it seems to be correct as far as I can tell by looking at 2 implementations. They are selecting the SUP from their forest.

    The last time I tested this scenario, it was on a single client, by blocking outbound network traffic to the local SUP. Checking it later, the client had failed over successfully to the SUP in the other domain.


    I hope that helps,


    Nash


    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts

    • Marked as answer by AMRDC Friday, May 2, 2014 1:57 PM
    Thursday, May 1, 2014 10:47 PM
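To check the in-forest MP selection the thread describes on a client, here is an added example (not from the thread, and not Configuration Manager code) that parses constructed CMTrace-format ClientLocation.log lines and flags any MP selection that lands outside the client's own forest; the message wording, forest suffixes and host names are assumptions for illustration.

```python
import re
# One CMTrace-style entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
ENTRY_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)"')
# Assumed wording of the MP-selection line (modelled on ClientLocation.log, not copied from it).
MP_RE = re.compile(r"Current Management Point is (?P<mp>[A-Za-z0-9][A-Za-z0-9.-]*)", re.IGNORECASE)
# DNS suffixes of the forests in the environment (constructed names).
FORESTS = ["mgmt.example.local", "forestb.example.local"]

# Constructed sample log text, not captured from a real client.
SAMPLE_LOG = """\
<![LOG[Rotating assigned management point]LOG]!><time="10:00:00.000+000" date="05-01-2014" component="ClientLocation" context="" type="1" thread="1" file="">
<![LOG[Current Management Point is MP01.mgmt.example.local with version 7958]LOG]!><time="10:01:00.000+000" date="05-01-2014" component="ClientLocation" context="" type="1" thread="1" file="">
<![LOG[Current Management Point is MP02.forestb.example.local with version 7958]LOG]!><time="10:02:00.000+000" date="05-01-2014" component="ClientLocation" context="" type="1" thread="1" file="">
"""

def parse_entries(text):
    """Split CMTrace text into dicts holding msg, time and date."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def forest_of(fqdn, forests):
    """Return the forest DNS suffix an FQDN falls under, or None if it matches none."""
    host = fqdn.lower().rstrip(".")
    for suffix in forests:
        if host == suffix.lower() or host.endswith("." + suffix.lower()):
            return suffix
    return None

def mp_history(text, client_forest, forests):
    """Return (date, time, mp, status) per MP-selection entry; status is
    'in-forest', 'cross-forest' (another known forest) or 'unknown'."""
    rows = []
    for e in parse_entries(text):
        m = MP_RE.search(e["msg"])
        if not m:
            continue  # rotation notices and other lines carry no MP name
        mp = m.group("mp")
        forest = forest_of(mp, forests)
        if forest is None:
            status = "unknown"
        elif forest.lower() == client_forest.lower():
            status = "in-forest"
        else:
            status = "cross-forest"
        rows.append((e["date"], e["time"], mp, status))
    return rows

def cross_forest_selections(text, client_forest, forests):
    """Entries where the client did not use its own forest's MP; non-empty means traffic crossed forests."""
    return [r for r in mp_history(text, client_forest, forests) if r[3] != "in-forest"]
```

Run it against the real ClientLocation.log of a client in each forest to confirm that, after rotation, the MP it settles on is the in-forest one.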

All replies

  • As I am working with and learning more about 2012, it seems as though that is not possible with rotating MP assignments and multiple SUPs. 


    The domains / forests are taken into consideration when it comes to MP selection so you should be fine.

    Sites (primaries or secondaries) would require a trust (Kerberos).


    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, May 1, 2014 7:19 PM
  • Thank you so much for your quick response! I did find additional information concerning locating the MPs in the same forest. The ClientLocation.log indicates the MPs are rotating, but it did actually use the MP in the same forest.

    I also found the following concerning SUPs cross forest:

    ...the software update points from the same forest that the client is in are prioritized first, ahead of the cross-forest software update points

    Is the statement above correct? Thanks again for your help.

    Thursday, May 1, 2014 9:58 PM