SCCM 2012 Hierarchy - 2 domains no trust - how to set a different Network Access Account?

  • Question

  • Hi,

    We have one SCCM 2012 Primary Site and two untrusted domains (one site system with MP and DP in the untrusted Domain). Almost everything works fine, with the following exception:
    How can I set a "second" Network Access Account for the OS deployment in this domain? I tried to manipulate _SMSReserved1 and _SMSReserved2 during an OS Task Sequence. But it doesn't work (read-only?)

    VBScript:
    Option Explicit
    Dim strUsername, objTSEnv
    strUsername = "Domain\Username"
    Set objTSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
    objTSEnv("_SMSTSReserved1") = strUsername   ' this assignment raises the error below

    Error number: 5
    Error message: Invalid procedure call or argument

    Any ideas?

    Daniel

    Monday, June 11, 2012 3:23 PM

Answers

  • This is supposed to work nicely.

    No black magic here, what you are seeing is pass-through authentication at work.

    http://support.microsoft.com/kb/102716

    "If the domain name specified is not trusted by the domain, the authentication request is processed on the computer being connected to as if the domain name specified were that domain name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name."

    So in short, when talking to a remote untrusted domain, the NetLogon service will strip off the domain part to authenticate.

    As a result even one of the real domain names should work.


    "Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm

    • Proposed as answer by 'Avi' Wednesday, June 27, 2012 11:04 AM
    • Marked as answer by BueDan Friday, July 13, 2012 9:56 AM
    Tuesday, June 12, 2012 9:03 PM

All replies

  • Hi,

    You can only have one Network Access account per Primary Site, so it won't work.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Monday, June 11, 2012 7:36 PM
  • Hi Jörgen,

    Thank you for your answer. This means that the SCCM 2012 configuration with untrusted domains doesn't really work, because OS deployment only works in one domain! Even Microsoft tells us this is a supported configuration (http://technet.microsoft.com/en-us/library/dd8eb74e-3490-446e-b328-e67f3e85c779#Plan_Com_X-Forest) with just two limitations: out of band and application catalog! We (our customer and me) are a little bit confused and angry...

    Best regards,
    Daniel

    Tuesday, June 12, 2012 10:29 AM
  • Just an (untested) idea: you could create one account in each domain (dom1\account and dom2\account using the same passwords). Use 'account' as the network access account then (without providing the domain information).

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, June 12, 2012 11:39 AM
  • The notation for the network access account is always: DOMAIN\USERNAME!
    But I tried the following in my lab (all SCCM roles on one server):

    - create local account on the site server (username: naa)
    - configure network access account (Set - New Account - User name: NONE\naa)

    And it works (doesn't matter what you set for the domain, except the real domain name)! I will try this next week in production (local account with the same username on every DP). I will publish the result here.

    Daniel

    Tuesday, June 12, 2012 8:30 PM
  • Hey Kim,

    Thanks for the explanation it helped me with the same configuration but in SCCM 2007,

    I have a network access account configured to support the main forest (2k clients already configured) and I created accounts with the same name in the untrusted forest for deploying from BDP.

    That's my thread:

    http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/e7950f11-ed5e-4228-b180-6c94d36aeef4

    I provided a link to this thread.

    Wednesday, June 27, 2012 11:07 AM
  • Thanks a lot! That solved the problem for me so far.
    Thursday, July 12, 2012 9:16 AM
  • Hi together,

    Thank you Kim for your explanations! I successfully configured the following in the customer environment:

    - Network Access Account: NONE\naa
    - On every DP: a new local user account named "naa" as a member of the "Users" (always the same password!)
    - For the connection from the MP in the untrusted domain to the SQL server: I also had to configure a local user account on the SQL server!
    --> http://technet.microsoft.com/en-us/library/hh427337 (Management Point Database Connection Account)

    Daniel

    Friday, July 13, 2012 9:47 AM
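One way to verify the final configuration from Daniel's last post and the NetLogon pass-through behaviour Kim describes, as an added PowerShell example that is not from the thread or from Microsoft: run on a DP, it confirms the local naa account exists and sits in Users rather than Administrators, then maps a DP share as NONE\naa the way a client would. The share name SMS_DP$ and the temporary drive name are assumptions.

```powershell
param(
    [string]$AccountName = 'naa',
    [string]$FakeDomain  = 'NONE',
    [string]$SharePath   = "\\$env:COMPUTERNAME\SMS_DP$"   # assumed DP share to test against
)

function Get-LocalNaaState {
    # WinNT ADSI provider, so this also runs on Server 2008 R2/2012 (no Get-LocalUser there).
    param([string]$Name)
    $machine = [ADSI]"WinNT://$env:COMPUTERNAME"
    $exists  = [bool]($machine.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $Name })
    $inGroup = @{}
    foreach ($g in 'Users', 'Administrators') {
        $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
        $members = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        $inGroup[$g] = ($members -contains $Name)
    }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Exists           = $exists
        InUsers          = $inGroup['Users']
        InAdministrators = $inGroup['Administrators']   # the NAA only reads content; it should never be here
    }
}

function Test-PassThroughLogon {
    # Connects exactly as a client does: the bogus domain label makes NetLogon authenticate
    # against the target's local SAM instead (the KB102716 behaviour quoted by Kim).
    param([string]$Domain, [string]$Name, [string]$Share)
    $cred = Get-Credential -UserName "$Domain\$Name" -Message "Password of local account $Name"
    try {
        $null = New-PSDrive -Name NaaTest -PSProvider FileSystem -Root $Share -Credential $cred -ErrorAction Stop
        Remove-PSDrive -Name NaaTest
        $true
    } catch {
        Write-Warning $_.Exception.Message
        $false
    }
}

$state = Get-LocalNaaState -Name $AccountName
$state | Format-List
if (-not $state.Exists)      { Write-Warning "No local account '$AccountName' on $env:COMPUTERNAME" }
if ($state.InAdministrators) { Write-Warning "'$AccountName' is a local Administrator; the thread's setup only needs Users" }
if ($state.Exists) {
    $ok = Test-PassThroughLogon -Domain $FakeDomain -Name $AccountName -Share $SharePath
    "Pass-through logon as $FakeDomain\$AccountName to $SharePath : $(if ($ok) { 'OK' } else { 'FAILED' })"
}
```

Run it once per DP (locally, or pushed with Invoke-Command and a credential valid in that DP's domain); a FAILED result with the account present usually means the password differs from the one set on the other DPs.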