Cross-forest SCCM 2012 client push

  • Question

  • Hi all,

    Hoping that you might be able to send me in the right direction either by pointing me at some existing documentation or sharing your insights.

    First, we’ve got an SCCM 2012 installation running fairly well in a domain (let’s call it A), doing things like Forefront and Software Updates.  Second, I’ve got another domain (B).  There is a two-way trust between these domains.

    We’re able to run a discovery on domain B, and show clients in SCCM, but we are not able to push the client to machines in Domain B.

    We’ve added and have succeeded in publishing domain A’s SCCM management points into domain B’s AD.

    So far… so good, but… now there are two scenarios:

    1)  When the SCCM site is configured to use PKI client certificate authentication, domain B clients cannot access resources on the domain A management point.

    We’ve tried trusting Domain B’s certificate authority by importing in the CA root certificate into the Domain A management point server (local machine) certificate store for Trusted Certificate Authorities, but that doesn’t seem to work.

    The following error is seen in the ccmsetup log:

    Failed to get DP locations as the expected version from MP “HTTPS://servername.domain.local’. Error 0x80072f8f (I’ve the machine name)

    2)  When SCCM is *not* configured to use client certs, it looks like the clients try to hit the MP using a UNC path that does not exist on the MP.  The error shows:

    Source \\servername.domain.local\SMSClient is inaccessible (67)

    The client *can* connect to the server using the UNC, however, the correct path to this server would be, \\servername.domain.local\SMS_Site1\Client

    In the absence—or inability to find—documentation on this subject, we are pretty much guessing here on how to do this stuff.

    The preference would be to get scenario 1 working so that domain B clients can access the MP, using client certs; however, if that’s not possible, we’d like to get scenario B working.

    Thanks in advance for your help.



    Thursday, October 4, 2012 11:06 AM

All replies

  • Still struggling with this.  Anyone?
    Thursday, October 11, 2012 7:23 AM
  • Hi there,

    A short note on this:

    In fiddling around more, I came up with a workaround.  In short, I turned off the certificate authentication requirement, which (as stated above) changes the client behavior to use a UNC install path that did not exist.  So I created a share with the client files in it and granted everyone read access to it on the share and NTFS levels.

    I am near sure that this is not the best way to do things, but I did get client push to work.

    The problem now is that these clients are not showing up as having clients in the SCCM Management console.

    Any further direction or advice on the proper way to get push install working in the environment described would be most appreciated.



    Thursday, October 11, 2012 10:45 AM
  • Hi Kim,

    Did you ever get a good resolution to this that allowed client computers to correctly reflect the fact that they had the client installed when viewed in the console?



    Monday, August 18, 2014 3:11 PM
  • that allowed client computers to correctly reflect the fact that they had the client installed when viewed in the console?

    What does that mean in technical terms? Is the CM agent installed on the clients but the console does not display "client = yes"?

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, August 18, 2014 3:32 PM