SCCM 1702 Operating system deployment in cross forest scenario


  • Hi,

    I am trying to implement OSD in a cross-forest, multiple-domain environment using SCCM 1702. The goal is to ensure that software update deployment and OSD work for Windows 7 and Windows 10 deployments.

    Details of the environment : 

    Even though it is one physical location, multiple forests and domains were created for legacy reasons.
    2 forests: ABC.COM and DEF.COM
    Forest ABC.COM has a total of 2000 PCs in 2 domains: Test1.ABC.COM (1000 PCs) and Test2.ABC.COM (1000 PCs)
    Forest DEF.COM has a total of 1000 PCs in one domain: Test3.DEF.COM
    There is a trust between the 2 forests.
    Total clients = 3000
    ===========================

    SCCM 1702 environment planned as below

    SCCM 1702 primary site in Test1.ABC.COM with a single management point, software update point and distribution point, with the AD schema extended. No other site role is planned as of now, as the PC count is well supported by a single instance.

    Network bandwidth is not an issue > 1 GB 
    Not looking for redundancy of roles at this point of time.

    Questions : 

    1. Do I need to have a management point in each of the domains, or would a single management point be able to manage PCs in all domains and forests?
    2. If the answer to question 1 is a single management point, then:
       Will clients in domain Test2.ABC.COM use that MP directly from the other domain TEST1.ABC.COM?
       (Ideally they should look up AD to fetch the MP.)
       But how will clients in the other forest, Test4.DEF.com, use the MP in Test1.ABC.COM?
    3. Do I need to have DPs with PXE in each domain, or can I have only one DP per forest?
       Will the design support operating system deployment using PXE configured on only one DP in TEST1.ABC.COM (if I configure an IP helper)? Can it serve OSD in other domains in the same forest, like Test2.ABC.COM?
    4. Can I install one SUP at the primary site in Test1.ABC.com, and will the clients from Test2.ABC.COM and the Test3.DEF.COM forest be able to use it?
       I need help with better placement of the management point and DPs to support OSD across domains and forests.
       Note: I did go through the link https://blogs.technet.microsoft.com/neilp/2012/08/20/cross-forest-support-in-configmgr-2012-part-1-simple-management/ but it was not much help in my scenario.


    • Edited by BhaskarK Tuesday, June 27, 2017 11:49 PM
    Tuesday, June 27, 2017 11:47 PM

All replies

  • Hi,

    Is there a trust between the domains/forests? That makes a difference as well. With that in mind, if you have a trust then yes, it will work: the primary site server can publish the AD information and do discovery in an additional forest. So you should be fine with one MP/DP if that is OK from a network perspective.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Wednesday, June 28, 2017 6:44 AM
  • First, in general, ConfigMgr doesn't care about or use AD for much as far as client management goes. Also, keep in mind AD is a directory that provides information and authentication/identity. When thinking about your questions, keep this in mind -- if you are asking about something non-authentication, non-identity, or non-information lookup related, then it's irrelevant as far as ConfigMgr goes.

    1. One is sufficient for normal device management. If you need user targeting of deployments then you need a trust of an MP in each untrusted domain. This is because user identity is involved.

    2. Yes. As far as the clients go, AD is simply a place to find info about the site if they don't have it. There are other ways for them to get the info. You can certainly publish the info to untrusted forests, though, enabling clients to look up the info, like which MP to use. As noted though, once the clients initially know about an MP, they really have no need of AD anymore. Also, clients don't query the schema; that's not what the schema does or is for. They query the global catalog.

    3. PXE has absolutely nothing to do with domains. PXE is a network level service. PXE has nothing to do with identity, authentication, or info lookup.

    4. Yes.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, June 28, 2017 1:32 PM
    Thanks for the replies, Jason and Jörgen. Your explanations do clarify most of the doubts.

    Yes, there is a plan to create a trust between the 2 forests.

    So could you please clarify the points below:
    1. For point 1, we may need user-based application deployment, so please elaborate on

     "you need a trust of an MP in each untrusted domain".
    2. Is there any document which explains what accounts need to be created, with exact permissions, for cross domain/forest support?
    3. Will this framework with one MP and DP work for hybrid Intune?


    • Edited by BhaskarK Wednesday, June 28, 2017 2:28 PM
    Wednesday, June 28, 2017 2:25 PM
  • 1. Trust **or** MP in each. (typo in my answer above)

    2. The network access account needs to be set but that's more or less always required because of OSD anyway. For publishing to another untrusted forest, you'll need an account that has permission to do so. If you are using client push, you'll need a client push account for systems in other forests.

    3. Intune doesn't care about or use any on-prem infrastructure. Hybrid Intune is simply a connector between ConfigMgr and Intune that surfaces [nearly] all device management in the ConfigMgr console.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by BhaskarK Friday, June 30, 2017 1:50 AM
    Wednesday, June 28, 2017 2:48 PM
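    The two points the accepted answer turns on, that clients find the site by querying the published mSSMS* objects rather than the schema, and that whichever account publishes into another domain needs rights on its System Management container, can both be checked from the site server. The script below is an added example written for this page; it is not from the thread, from Jason's blog or from Microsoft. The target domain Test3.DEF.COM, site code P01 and publishing account TEST1\SCCM01$ (the site server's computer account, which is what publishing uses across a trusted forest) are assumptions; pass -Credential only when the target forest is untrusted and a separate publishing account is configured.

    ```powershell
    <#
      Added example, not part of the original thread.
      Verifies ConfigMgr AD publishing in another domain/forest:
        1. the System Management container exists and the publishing account has Full Control on it;
        2. mSSMSSite / mSSMSManagementPoint objects for the site code are present, i.e. what a
           client in that domain would find (clients read these via the global catalog once
           they are published; they never read the schema itself).
      Assumed values (not in the thread): Test3.DEF.COM, P01, TEST1\SCCM01$.
    #>
    param(
        [string]$TargetDomain     = 'Test3.DEF.COM',   # assumed: DNS name of the domain published to
        [string]$SiteCode         = 'P01',             # assumed site code
        [string]$PublisherAccount = 'TEST1\SCCM01$',   # assumed: site server computer account (trusted forest)
        [pscredential]$Credential                      # only for an untrusted forest
    )

    function New-Entry([string]$Path) {
        # Bind with explicit credentials when the target forest is untrusted.
        if ($Credential) {
            New-Object System.DirectoryServices.DirectoryEntry(
                $Path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
        } else {
            New-Object System.DirectoryServices.DirectoryEntry($Path)
        }
    }

    # Test3.DEF.COM -> DC=Test3,DC=DEF,DC=COM
    $domainDn  = ($TargetDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $container = "LDAP://$TargetDomain/CN=System Management,CN=System,$domainDn"

    # --- 1. Container present, and does the publishing account hold Full Control? -----------
    $sm = New-Entry $container
    try { [void]$sm.RefreshCache() } catch {
        throw "System Management container not found in $TargetDomain; create it and grant $PublisherAccount Full Control (this object and all descendants): $_"
    }
    $rules = $sm.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $fullControl = $rules | Where-Object {
        $_.IdentityReference.Value -eq $PublisherAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $all) -eq $all)
    }
    if ($fullControl) {
        "OK: $PublisherAccount has Full Control on $container"
        if (-not ($fullControl | Where-Object { $_.InheritanceType -ne 'None' })) {
            "WARN: Full Control is not inherited by child objects; the site server cannot update existing mSSMS* objects"
        }
    } else {
        "MISSING: no Full Control ACE for $PublisherAccount on $container"
    }

    # --- 2. What has actually been published for this site code? ----------------------------
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sm)
    $searcher.Filter = "(&(|(objectClass=mSSMSSite)(objectClass=mSSMSManagementPoint))(mSSMSSiteCode=$SiteCode))"
    foreach ($attr in 'objectClass', 'cn', 'mSSMSSiteCode', 'mSSMSMPName', 'mSSMSDefaultMP') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $results = $searcher.FindAll()
    if ($results.Count -eq 0) {
        "MISSING: nothing published for site $SiteCode in $TargetDomain; check the Active Directory Forests node (Publishing tab) and sitecomp.log on the site server"
    }
    foreach ($r in $results) {
        $p = $r.Properties   # keys are lower-case in a SearchResult
        "{0,-22} {1,-28} MP={2,-32} DefaultMP={3}" -f @(
            ($p['objectclass'] | Select-Object -Last 1),
            $p['cn'][0],
            ($p['mssmsmpname'] -join ','),
            ($p['mssmsdefaultmp'] -join ',')
        )
    }
    ```

    Run it from the site server as an administrator for each domain you publish to; a trusted forest should show the mSSMSSite object plus one mSSMSManagementPoint per MP, with no credentials needed. If step 1 reports MISSING, publishing will silently fail in sitecomp.log no matter how the MP and DP are placed, which is the practical meaning of "an account that has permission to do so" in the answer above.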
  • Thanks Jason for the reply. I have marked it as answer :).
    Friday, June 30, 2017 1:50 AM