SCCM 2012 Hierarchy - 2 domains no trust - how to set a different Network Access Account?

Question
-
Hi,
We have one SCCM 2012 Primary Site and two untrusted domains (one site system with MP and DP in the untrusted Domain). Almost everything works fine, with the following exception:
How can I set a "second" Network Access Account for the OS deployment in this domain? I tried to manipulate _SMSReserved1 and _SMSReserved2 during an OS Task Sequence. But it doesn't work (read-only?)

VBScript:

' Task sequence environment COM object (only available inside a running task sequence)
strUsername = "Domain\Username"
Set objTSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
objTSEnv("_SMSTSReserved1") = strUsername

Error number: 5
Error message: Invalid procedure call or argument

Any ideas?
Daniel
Monday, June 11, 2012 3:23 PM
Answers
-
This is supposed to work nicely.
No black magic here, what you are seeing is pass through authentication at work.
http://support.microsoft.com/kb/102716
"If the domain name specified is not trusted by the domain, the authentication request is processed on the computer being connected to as if the domain name specified were that domain name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name."
So in short, when talking to a remote untrusted domain, the netlogon service will strip off the domain part to authenticate.
As a result even one of the real domain names should work.
"Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm
Tuesday, June 12, 2012 9:03 PM
All replies
-
Hi,
You can only have one Network Access account per Primary Site, so it won't work.
Regards,
Jörgen-- My System Center blog ccmexec.com -- Twitter @ccmexec
Monday, June 11, 2012 7:36 PM -
Hi Jörgen,
Thank you for your answer. This means, that the SCCM 2012 configuration with untrusted domains doesn't really work, because OS deployment only works in one domain! Even Microsoft tells us this a supported configuration (http://technet.microsoft.com/en-us/library/dd8eb74e-3490-446e-b328-e67f3e85c779#Plan_Com_X-Forest) with just two limitations: out of band and application catalog! We (our customer and me) are a little bit confused and angry...
Best regards,
DanielTuesday, June 12, 2012 10:29 AM -
Just an (untested) idea: you could create one account in each domain (dom1\account and dom2\account using the same passwords). Use 'account' as the network access account then (without providing the domain information).
Torsten Meringer | http://www.mssccmfaq.de
Tuesday, June 12, 2012 11:39 AM -
The notation for the network access account is always: DOMAIN\USERNAME!
But I tried the following in my lab (all SCCM roles on one server):
- create local account on the site server (username: naa)
- configure network access account (Set - New Account - User name: NONE\naa)
And it works (doesn't matter what you set for the domain, except the real domain name)! I will try this next week in production (local account with the same username on every DP). I will publish the result here.
Daniel
Tuesday, June 12, 2012 8:30 PM -
Hey Kim,
Thanks for the explanation, it helped me with the same configuration but in SCCM 2007.
I have a network access account configured to support the main forest (2k clients already configured) and I created accounts with the same name in the untrusted forest for deploying from BDP.
That's my thread:
Wednesday, June 27, 2012 11:07 AM -
Thanks a lot! That solved the problem for me so far.
Thursday, July 12, 2012 9:16 AM
-
Hi together,
Thank you Kim for your explanations! I successfully configured the following on the customer environment:
- Network Access Account: NONE\naa
- On every DP: a new local user account named "naa" as a member of the "Users" (always the same password!)
- For the connection from the MP in the untrusted domain to the SQL server: I had also to configure a local user account on the SQL server!
--> http://technet.microsoft.com/en-us/library/hh427337 (Management Point Database Connection Account)
Daniel
Friday, July 13, 2012 9:47 AM
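The following PowerShell script is an added example, not code posted in this thread, that automates the setup Daniel describes above (a local "naa" account in the "Users" group on every DP, all with the same password) and then checks the pass-through behaviour Kim quotes from KB102716: connecting as NONE\naa and as NotADomain\naa must both succeed against each DP's local account. It uses the WinNT ADSI provider, which works remotely over RPC/SMB without WinRM but needs local administrator rights on each DP. The DP hostnames are assumptions for illustration; the account name and password are whatever you enter at the Get-Credential prompt.

```powershell
# Added example (not from the thread): create the local "naa" account on every DP with one
# shared password and verify KB102716 pass-through authentication against it.
# The DP names below are hypothetical; replace them with your own distribution points.
param(
    [string[]]$DistributionPoints = @('DP01', 'DP02')   # hypothetical DP hostnames
)

function New-NaaLocalAccount {
    param([string]$Computer, [string]$Name, [string]$PlainPassword)

    # WinNT ADSI provider: remote over RPC/SMB with admin rights on the DP, no WinRM required.
    $machine = [ADSI]"WinNT://$Computer"
    # Reuse an existing account so the script can be re-run safely (e.g. to rotate the password).
    $user = $machine.Children |
        Where-Object { $_.SchemaClassName -eq 'User' -and $_.Name -eq $Name }
    if (-not $user) {
        $user = $machine.Create('User', $Name)
    }
    # Identical password on every DP: the single NAA stored in ConfigMgr must match all of them.
    $user.SetPassword($PlainPassword)
    $user.SetInfo()
    $user.Put('Description', 'ConfigMgr Network Access Account (local account, pass-through auth)')
    # ADS_UF_DONT_EXPIRE_PASSWD (0x10000): the local copy must not expire on its own and drift
    # from the password ConfigMgr hands to WinPE clients.
    $user.Put('UserFlags', ($user.Get('UserFlags') -bor 0x10000))
    $user.SetInfo()

    # Membership in "Users" only, as in the thread: the NAA needs read access to content, nothing more.
    $users = [ADSI]"WinNT://$Computer/Users,group"
    try {
        $users.Add($user.Path)
    } catch {
        if ($_.Exception.Message -notmatch 'already a member') { throw }
    }
}

function Test-PassThroughAuth {
    param([string]$Computer, [string]$Name, [string]$PlainPassword)

    # KB102716: NetLogon does not distinguish a non-existent, untrusted or mistyped domain, so the
    # request is processed against the DP's local SAM. Both bogus prefixes must therefore succeed.
    $result = @{}
    foreach ($domain in @('NONE', 'NotADomain')) {
        & net use "\\$Computer\IPC`$" $PlainPassword "/user:$domain\$Name" 2>&1 | Out-Null
        $result[$domain] = ($LASTEXITCODE -eq 0)
        # Drop the session before the next attempt to avoid error 1219 (conflicting credentials).
        & net use "\\$Computer\IPC`$" /delete 2>&1 | Out-Null
    }
    return $result
}

# Enter the NAA exactly as configured in ConfigMgr; any prefix except a real domain name works.
$cred = Get-Credential 'NONE\naa'
$net  = $cred.GetNetworkCredential()   # splits into Domain = NONE, UserName = naa, Password

foreach ($dp in $DistributionPoints) {
    New-NaaLocalAccount -Computer $dp -Name $net.UserName -PlainPassword $net.Password
    $check = Test-PassThroughAuth -Computer $dp -Name $net.UserName -PlainPassword $net.Password
    '{0}: NONE\{1} -> {2}, NotADomain\{1} -> {3}' -f $dp, $net.UserName, $check['NONE'], $check['NotADomain']
}
```

Run it from an account that is a local administrator on every DP. Two caveats follow directly from this design: a local account with the same password on every DP means that recovering that password once (on any DP, or from a client that received the NAA) opens the content on all of them, so keep the account in "Users" only and do not reuse the password anywhere else; and because the password lives both in ConfigMgr and in each DP's local SAM, rotate it in both places in the same change window, otherwise OS deployments in the untrusted domain fail until they agree again.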