untrusted multiforest hierarchy...setup login user does not have sufficient permissions...

  • Question

  • Our current SCCM 2007 environment. The reason for this is simple management.

    Primary Site (domain1)
    Primary Child Site (domain1)
    Primary Child Site (domain2)
    Primary Child Site (domain3)

    At this moment we're building a new SCCM 2012 environment and we would like to build it with the same hierarchy.

    We have a CAS site in domain1.
    Now we're setting up a child primary site into domain2. When we want to join CAS we're getting:

    “The setup login user does not have sufficient permission to configure replication with specified central administration site”

    In the documentation I found: If you do not have a two-way forest trust which supports Kerberos authentication, then Configuration Manager does not support the child site in the remote forest. (http://technet.microsoft.com/en-us/library/gg712701.aspx#Plan_Com_X_Forest)

    Is the only solution for untrusted multiforest environments to have a site server in the other domain with some roles? So a primary child site is never possible in an untrusted domain? Or is a workaround available?

    thx


    Wednesday, September 19, 2012 12:27 PM

All replies

  • So a primary child site is never possible in an untrusted domain?

    True. Why do you want to install a CAS at all? How many clients are you going to manage? How many locations are there in total and how many clients at each location? 

    Torsten Meringer | http://www.mssccmfaq.de

    • Marked as answer by Risjard Thursday, September 20, 2012 12:49 PM
    Wednesday, September 19, 2012 12:39 PM
  • There is no work-around for setting up multiple sites with a forest trust. If you have multiple domains with a trust, stick to one site and configure the firewall to allow clients to be managed from one domain. You can also configure some of the user site systems in the untrusted domains.

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals

    Wednesday, September 19, 2012 12:54 PM
  • We chose a CAS server so we can do simple management from the CAS server and because a primary child site cannot have another primary site. But if we cannot build a child primary child (in another domain) under a CAS site, then the CAS server is unnecessary.

    So the conclusion is that our current hierarchy is not possible anymore in 2012?

    We like our current situation because administrators from domain2 can publish advertisements only to clients in that site. If we are building the new environment, then the administrators must advertise a package to a predefined collection with clients in domain2?

    Wednesday, September 19, 2012 1:03 PM
  • Simple Management is not the same as having a CAS. Most folks in these Communities will tell you that simple management = 1 primary site (including me). It would be wrong to reuse the CM07 design in CM12. A lot of changes have been made, especially when it comes to using multiple sites.

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals

    • Marked as answer by Risjard Thursday, September 20, 2012 12:49 PM
    Wednesday, September 19, 2012 1:07 PM
  • Thanks for the answers. We are going to rebuild and choose a single standalone primary site.
    Thursday, September 20, 2012 12:49 PM
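
The documentation requirement quoted in the question (a two-way forest trust that supports Kerberos) can be checked before running setup. The following is an added example, not part of the original thread or of Configuration Manager: `Test-ChildSiteTrust` is a hypothetical helper, the `.example` forest names and sample records are constructed, and the live query assumes it runs on a domain-joined machine in the child site's forest.

```powershell
# Added example: report whether the trust to the CAS forest is a two-way forest trust.
function Test-ChildSiteTrust {
    param(
        [Parameter(Mandatory)] [string] $CasForest,  # forest that hosts the CAS
        [object[]] $Trusts                           # optional: trust records to evaluate offline
    )
    if (-not $Trusts) {
        # Live query: forest-level trusts of the forest this machine belongs to.
        $Trusts = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GetAllTrustRelationships()
    }
    $match = @($Trusts | Where-Object { $_.TargetName -ieq $CasForest })
    if ($match.Count -eq 0) {
        # No trust at all: the untrusted case described in the question.
        return [pscustomobject]@{
            CasForest = $CasForest; TrustType = $null; Direction = $null
            Supported = $false; Reason = 'no trust to the CAS forest found'
        }
    }
    foreach ($t in $match) {
        $type = "$($t.TrustType)"
        $dir  = "$($t.TrustDirection)"
        if ($type -ne 'Forest') {
            $ok = $false; $reason = "trust type is $type, not a forest trust"
        } elseif ($dir -ne 'Bidirectional') {
            $ok = $false; $reason = "trust direction is $dir, not two-way"
        } else {
            $ok = $true;  $reason = 'two-way forest trust present'
        }
        [pscustomobject]@{
            CasForest = $CasForest; TrustType = $type; Direction = $dir
            Supported = $ok; Reason = $reason
        }
    }
}

# Constructed sample records, shaped like the trust objects the live query returns.
$sample = @(
    [pscustomobject]@{ SourceName = 'domain2.example'; TargetName = 'domain1.example'
                       TrustType = 'Forest'; TrustDirection = 'Outbound' }
    [pscustomobject]@{ SourceName = 'domain2.example'; TargetName = 'domain3.example'
                       TrustType = 'Forest'; TrustDirection = 'Bidirectional' }
)

Test-ChildSiteTrust -CasForest 'domain1.example' -Trusts $sample   # Supported = False (one-way)
Test-ChildSiteTrust -CasForest 'domain3.example' -Trusts $sample   # Supported = True
Test-ChildSiteTrust -CasForest 'domain4.example' -Trusts $sample   # Supported = False (no trust)
```

Omit `-Trusts` to evaluate the real trusts of the current forest instead of the sample records.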