Primaries in separate forests

Question
Hi,
I'm just looking for some pointers on a design we are working on at the moment. We are going to install SCCM 2012 SP1 and want to install a CAS in a management AD forest, and then three primaries in three separate AD forests. All of them are untrusted forests and will be firewalled off from each other, and the forest where the CAS resides will also be firewalled. The CAS will have firewall rules to connect to each primary and the primaries will have rules to talk to the CAS. Is this configuration possible? I want to be able to manage these primaries from one location, and have all asset info in the CAS. I may also let the support departments at each primary be responsible for their own software deployments and software updates.
Thanks
Jaz
Sunday, July 21, 2013 8:17 PM
Answers
You can't install a CAS and then a primary site in an untrusted forest in 2012 like you could in 2007: http://technet.microsoft.com/en-us/library/dd8eb74e-3490-446e-b328-e67f3e85c779#Plan_Com_X_Forest
More than likely it would be better for you not to install a CAS anyway; the main need for a CAS is to support more than 100K clients.
You can install a standalone primary site and install user-facing roles (e.g. MP, DP, SUP) to manage clients in that forest.
Some helpful links for site roles in an untrusted forest:
http://technet.microsoft.com/en-us/library/bb694003.aspx
For delegating permissions across departments, use Role Based Administration. You don't need two sites for this like in 2007.
Justin Chalfant | My Blog | LinkedIn | Please mark as helpful/answer if this resolved your post
- Edited by Justin Chalfant Sunday, July 21, 2013 9:49 PM Update
- Marked as answer by JazK Monday, July 29, 2013 9:24 PM
Sunday, July 21, 2013 9:48 PM
All replies
Hi,
I know about the 100k client rule, but I needed to have SCCM designed this way for a reason, but if it can't be done then I'll have to rethink the situation.
Thanks
Jaz
Monday, July 29, 2013 9:24 PM
What's "the reason"?
The *only* technical reason in 2012 is 100,000+ clients.
Jason | http://blog.configmgrftw.com
Monday, July 29, 2013 9:30 PM