Client push in foreign forests without AD integration

  • Question

  • I am working through a scenario where an SCCM installation is not making use of AD integration and there will be clients in several foreign, untrusted forests. I am looking at how to use the Client Push function to install the client on endpoints. As I will have MP+DP site systems living in these foreign forests, I need to find a way to tell the client (during install) to use its local MP.

    Looking at the Client Push Installation Properties dialog I see that I can configure installation properties such as "SMSMP". Granted, this is a global setting and not one I would apply to every endpoint I want to push the client to. I noticed the actual Client Push Wizard only allows me to select a Site during the installation. So there is no way for me to configure the MP for a client during a manual push.

    Knowing this, and that clients will use the MP residing in their forest by default, I am a little confused on how MP specification goes down during a Client Push in this scenario. Can someone help me wrap my head around this?

    Tuesday, April 21, 2015 9:38 PM

Answers

  • Clients will always prefer to use the MP in their own forest/domain and DP is entirely dependent upon your boundaries and their membership in boundary groups. The SMSMP property simply defines an initial bootstrap MP that will be queried by the client initially to find other, possibly better MPs. In this way, the client will find the MP in its own forest. In your scenario, it will initially be unavoidable for the client to not use some central MP if you use the SMSMP property and client push.

    Have you considered using a client start up script instead of client push?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by SecOpsGuy Thursday, April 23, 2015 8:09 PM
    Wednesday, April 22, 2015 1:44 AM

All replies

  • Hey, Jason. Thanks again for your help.

    Yes, I initially recommended a manual, scripted install that might be utilized as a login script. I was asked "why not use the client push feature" and was trying to gather all of the facts for using one versus the other.

    With your input, it sounds like it doesn't matter as the client will eventually report to its "local" MP. Which is great! I'm assuming an endpoint finds its local MP by querying http://<SMSMP_HOST>/sms_mp/.sms_aut?mplist and making the switch.

    Wednesday, April 22, 2015 2:37 AM
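
The startup-script alternative raised in the answer, sketched as an added example that is not part of the original thread: each endpoint looks up the MP for its own domain and passes it to ccmsetup.exe as the bootstrap SMSMP, so it never has to start from a central MP. The domain names, host names, site code and the NETLOGON staging path are constructed placeholders.

```powershell
# Added example. Domains, host names, site code and share path are constructed placeholders.
$SiteCode   = 'XYZ'
$MpByDomain = @{
    'forest-a.example' = 'mp01.forest-a.example'
    'forest-b.example' = 'mp01.forest-b.example'
}

function Get-CcmSetupArguments {
    param(
        [Parameter(Mandatory)][string]$DnsDomain,
        [Parameter(Mandatory)][hashtable]$Map,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')][string]$SiteCode
    )
    $mp = $Map[$DnsDomain]    # hashtable literals compare keys case-insensitively
    if (-not $mp) { throw "No management point mapped for domain '$DnsDomain'." }
    # /mp: is the MP ccmsetup contacts to locate the client installation files;
    # SMSMP is the initial (bootstrap) MP the installed client queries.
    return @("/mp:$mp", "SMSSITECODE=$SiteCode", "SMSMP=$mp")
}

function Install-CmClient {
    # Nothing to do when the client agent service already exists.
    if (Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue) { return }

    # For a domain-joined machine this is the DNS name of its domain.
    $domain  = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $ccmArgs = Get-CcmSetupArguments -DnsDomain $domain -Map $MpByDomain -SiteCode $SiteCode

    # Assumed location: a copy of ccmsetup.exe staged in the local forest's NETLOGON share.
    $ccmSetup = "\\$domain\NETLOGON\ccmsetup\ccmsetup.exe"
    if (-not (Test-Path -LiteralPath $ccmSetup)) { throw "ccmsetup.exe not found at $ccmSetup" }

    # ccmsetup hands off to a service and returns early; progress is written to
    # %windir%\ccmsetup\Logs\ccmsetup.log on the endpoint.
    Start-Process -FilePath $ccmSetup -ArgumentList $ccmArgs -Wait
}

Install-CmClient
```

Because these clients cannot retrieve the site's trusted root key from AD, they trust the first MP they communicate with; passing SMSPublicRootKey or SMSROOTKEYPATH on the same command line pre-provisions the key instead.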