SCCM 2012 Untrusted Domain clients Management

  • Question

  • Dear all,

    We have Domain A and Domain B with only network connectivity between them; no trust is enabled. In Domain A we have SCCM 2012 R2. Now, how do we manage clients in Domain B? I have gone through some forums, but my question is still: with only network connectivity, are we able to manage the clients in Domain B?

    If yes, how will the authentication happen between the two domains? How will the Domain B account get resolved in Domain A, and vice versa?

    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/

    http://blogs.technet.com/b/neilp/archive/2012/08/24/cross-forest-support-in-configmgr-2012-part-3-deploying-site-server-site-systems-in-an-untrusted-forest.aspx

    http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx

    Friday, July 24, 2015 10:08 AM

Answers

  • Well, managing devices in an untrusted domain is 100% supported by SCCM 2012.

    The easy way of achieving this is having an MP/DP in the untrusted domain. This MP will be a member of Domain B. To install this MP/DP you will need to provide SCCM, during the remote install, with an account that is an admin of the server in Domain B. You will also need to provide the MP with an account that has the SMSMP_role in the SQL database; since you don't have a trust you can't use the computer account, so the accounts will need to be specified.

    By doing it like this you won't have to manually approve the clients, since the MP will trust them and they will be auto-approved.

    The reason the accounts get resolved is because they are local to the domain the client is in.

    When you install the remote MP/DP you provide SCCM with an account that belongs to Domain B, something like this:

    Domainb\sccmserviceaccount

    And for SQL you will go with domainA\sccmaccount.

    I strongly suggest you read this blog: http://blogs.technet.com/b/manageabilityguys/archive/2012/09/05/system-center-2012-configuration-manager-and-untrusted-forests.aspx

    Hope this helps.

    • Proposed as answer by Frederick Dicaire Tuesday, July 28, 2015 1:46 PM
    • Marked as answer by Joyce L Thursday, August 6, 2015 9:50 AM
    Friday, July 24, 2015 11:15 AM
  • See https://technet.microsoft.com/en-us/gg712701.aspx. I haven't had a look at the blogs you mentioned, but I think they are outdated based on the time they were written. Cross-forest things have been improved with CM12 R2, e.g. multiple network access accounts. Just see the link I provided.

    Torsten Meringer | http://www.mssccmfaq.de

    • Marked as answer by 74KMS Sunday, October 11, 2015 2:29 AM
    Friday, July 24, 2015 11:17 AM

All replies

  • While Frederick's answer is totally valid, I wouldn't call it the easiest way. The easiest way is to set up a network access account for the alternate forest, deploy the agent to the systems, and approve them if necessary (or change your approval policy). ConfigMgr does not in any way care about or use domains, forests, or trusts for managing clients.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, July 24, 2015 1:19 PM
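Both answers come down to the same two things the poster asked about: the Domain B client only has to reach a management point over the network (no Kerberos or trust involved, only DNS and TCP), and the site has to approve the client record. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It is meant to be run on a Domain B machine to prove the first part, and its last step is run on the site server for the second part. The names MP01.domainb.local, site code PS1 and device CLIENT01 are assumed placeholders. Note the approval choice: keeping the default "Automatically approve computers in trusted domains" and approving Domain B clients explicitly is safer than switching the hierarchy to "Automatically approve all computers (not recommended)", which lets any host that can reach the MP obtain policy.

```powershell
# Added example (not from the thread). Part 1 runs on a Domain B client,
# part 2 on the Domain A site server with the ConfigMgr console installed.
param(
    [string]$ManagementPoint = 'MP01.domainb.local',  # assumed MP FQDN
    [string]$SiteCode        = 'PS1',                 # assumed site code
    [string]$DeviceName      = 'CLIENT01'             # assumed Domain B client
)

# --- Part 1: what a Domain B client actually needs ---------------------------

# 1. Name resolution. With no trust there is no DNS replication either, so the
#    MP FQDN must resolve through a conditional forwarder or a stub zone.
$dns = Resolve-DnsName -Name $ManagementPoint -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning "Cannot resolve $ManagementPoint - fix DNS before anything else"
    return
}
$ip = ($dns | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
"$ManagementPoint resolves to $ip"

# 2. Firewall: ports a client uses against MP/DP/SUP. 445 only matters for
#    client push and SMB-based content; 8530/443 only if the roles use them.
foreach ($port in 80, 443, 10123, 8530, 445) {
    $t = Test-NetConnection -ComputerName $ManagementPoint -Port $port -WarningAction SilentlyContinue
    '{0,-6} {1}' -f $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'blocked' })
}

# 3. MP diagnostics URLs. These are served anonymously, so a 200 here proves
#    the MP is up and reachable without any cross-domain authentication.
foreach ($query in 'mplist', 'mpcert') {
    try {
        $r = Invoke-WebRequest -Uri "http://$ManagementPoint/sms_mp/.sms_aut?$query" -UseBasicParsing
        '{0,-7} HTTP {1}' -f $query, $r.StatusCode
    } catch {
        Write-Warning ('{0} failed: {1}' -f $query, $_.Exception.Message)
    }
}

# 4. If the agent is already installed, confirm which site and MP it settled on.
$authority = Get-WmiObject -Namespace root\ccm -Class SMS_Authority -ErrorAction SilentlyContinue
if ($authority) {
    'Assigned site: {0}   Current MP: {1}' -f $authority.Name, $authority.CurrentManagementPoint
} else {
    'No ConfigMgr client found on this machine (root\ccm namespace absent)'
}

# --- Part 2: approve the Domain B client from the site server ----------------
# Run separately on the site server. Approves one named client instead of
# loosening the hierarchy-wide approval policy to "all computers".
$siteServerSnippet = @'
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "PS1:"
Approve-CMDevice -DeviceName 'CLIENT01'
'@
"`nOn the site server, run:`n$siteServerSnippet"
```

If step 1 fails, nothing else in the thread applies yet; neither an MP in Domain B nor a network access account helps a client that cannot resolve the site systems by FQDN. If step 3 returns 200 but the client still shows no current MP, LocationServices.log on the client and MP_Location.log on the MP are where the lookup failure will be recorded.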