add an MP in a remote forest

  • Question

  • I have posted a few questions about a site across multiple forests.

    I noticed that in SCCM 2012 site-to-site communication across forests requires a two-way trust, while communication within a site that spans forests does not require a two-way forest trust.

    Now consider this scenario: the site server is in forest A, which has only an incoming trust from forest B. I want to add an MP site system in forest B.

    According to documentation, the computer account of the (MP) site system server in forest B needs to be added to the local group "SMS_SiteSystemToSiteServerConnection_MP<sitecode>" of site server in forest A. But this is only possible if forest A also trusts forest B.

    Does this mean if I want to place a remote MP in forest B and the site server is in forest A, a two-way trust between the two forests is needed?

    Is my understanding correct?


    • Edited by TreeLeafs Wednesday, August 1, 2012 10:35 AM
    Wednesday, August 1, 2012 10:35 AM

Answers

  • The answer to your question in short, "Can a site or hierarchy span multiple forests?":

    • Configuration Manager supports site-to-site (intersite) communication when a two-way forest trust exists between the forests.
    • Within a site, Configuration Manager supports placement of site system roles on computers in an untrusted forest. Configuration Manager also supports clients that are in a different forest from their site's site server when the site system role that they connect to is in the same forest as the client. For more information

    Please refer to Planning for Communications in Configuration Manager (http://technet.microsoft.com/en-us/library/gg712701.aspx), section Planning for Communications Across Forests, and review the sections:

    • Communication in a site that spans forests: does not require a two-way forest trust.
    • Communication between clients and site system roles when the clients are not in the same Active Directory forest as their site server.

    Also make note of the new feature: Active Directory Forest Discovery is a new discovery method in System Center 2012 Configuration Manager that allows you to discover network locations from multiple Active Directory forests. This discovery method can also create boundaries in Configuration Manager for the discovered network locations, and you can publish site data to another Active Directory forest to help support clients, sites, and site system servers in those locations.

    Please consider firewall change requirements.

    Hope I answered your question.

    Wednesday, August 1, 2012 11:40 AM
  • See http://technet.microsoft.com/en-us/library/gg712701.aspx#Plan_Com_X_Forest:
    "When you specify a computer to be a site system server, you must specify the Site System Installation Account. This account must have local administrative credentials to connect to, and then install site system roles on the specified computer.

    When you install a site system role in an untrusted forest, you must select the site system option Require the site server to initiate connections to this site system. This configuration enables the site server to establish connections to the site system server to transfer data. This prevents the site system server that is in the untrusted location from initiating contact with the site server that is inside your trusted network. These connections use the Site System Installation Account that you use to install the site system server."


    Torsten Meringer | http://www.mssccmfaq.de

    Wednesday, August 1, 2012 11:43 AM
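    A prerequisite check that follows the documentation quoted above, written as an added PowerShell example for this thread (it is not from the original posts or from Microsoft). The host names, the forest name forestb.example, the installation account FORESTA\svc-cmsiteinstall and the site code P01 are assumptions. The script verifies the three things the quoted text depends on when the site system is in a forest that the site server's forest does not trust: the trust direction as seen from forest A, that the site server can reach the site system (the site server must initiate the connections), and that the Site System Installation Account is a local administrator on the remote computer.

```powershell
# Prerequisite check for placing an MP in an untrusted or one-way-trusted forest.
# Added example; not part of the thread or of Microsoft's documentation.
# Assumed names: site server in forest A (where this runs), MP candidate SERVERB
# in forest B, installation account FORESTA\svc-cmsiteinstall, site code P01.
# Run on the site server as a forest A admin; needs the ActiveDirectory RSAT module
# and, for the remoting step, WinRM enabled on the MP candidate.
param(
    [string]$SiteSystem     = 'SERVERB.forestb.example',
    [string]$RemoteForest   = 'forestb.example',
    [string]$InstallAccount = 'FORESTA\svc-cmsiteinstall',
    [string]$SiteCode       = 'P01'
)

Import-Module ActiveDirectory

# 1. Trust direction, read from forest A's side. 'Inbound' means forest B trusts
#    forest A: a forest A account (the installation account) can be granted rights
#    on SERVERB, but SERVERB's computer account cannot be granted rights on the
#    site server. That is why the site server has to initiate the connections.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'" -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust object for $RemoteForest in forest A; treat $SiteSystem as an untrusted site system."
} else {
    "Trust to {0}: Direction={1} ForestTransitive={2}" -f $trust.Name, $trust.Direction, $trust.ForestTransitive
    if ($trust.Direction -ne 'BiDirectional') {
        "One-way trust only: select 'Require the site server to initiate connections to this site system'."
    }
}

# 2. Reachability from the site server to the MP candidate: SMB for the site
#    server's file copies, and the HTTP/HTTPS ports clients will use on the MP.
#    These are the firewall openings the other answer refers to.
foreach ($port in 445, 80, 443) {
    $t = Test-NetConnection -ComputerName $SiteSystem -Port $port -WarningAction SilentlyContinue
    "{0}:{1} TcpTestSucceeded={2}" -f $SiteSystem, $port, $t.TcpTestSucceeded
}

# 3. The installation account must be a local administrator on SERVERB. Because
#    forest B trusts forest A, the forest A account can authenticate there; pass
#    its credentials explicitly rather than relying on the logged-on identity.
$cred = Get-Credential -UserName $InstallAccount -Message 'Site System Installation Account password'
$isAdmin = Invoke-Command -ComputerName $SiteSystem -Credential $cred -ScriptBlock {
    param($Account)
    # Get-LocalGroupMember needs PowerShell 5.1; fall back to 'net localgroup' on older builds.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -eq $Account })
    } else {
        [bool]((net localgroup Administrators) -match [regex]::Escape($Account))
    }
} -ArgumentList $InstallAccount
"{0} is a local Administrator on {1}: {2}" -f $InstallAccount, $SiteSystem, $isAdmin

# Name of the site server local group the question refers to, for reference when
# reviewing the site server afterwards (assumed underscore form of the site code suffix).
"Site server connection group for this site: SMS_SiteSystemToSiteServerConnection_MP_$SiteCode"
```

    If the Invoke-Command step fails with an authentication error while the port checks succeed, the usual cause is that Kerberos cannot resolve the remote host across the one-way trust and WinRM falls back to NTLM; add the site system to the site server's WinRM TrustedHosts only for this check and remove it afterwards.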

All replies

  • Thanks both!

    Let me summarise what I should do:

    Env: site server in forest A (say, serverA), forest A has incoming only trust from forest B

    Task: add a MP site system in forestB (say, serverB)

    Steps:

    1. create a site system installation account in forest A;

    2. add this account in local administrators group of serverB;

    3. add this account in local group "SMS_SiteSystemToSiteServerConnection_MP_<sitecode>" of serverA

    4. from management console add serverB as a new site system with MP role

    5. ensure "require the site server to initiate connections to this site system" is selected.

    Are these correct?

    I am not sure whether step 5 can apply to an MP.

    thanks for help!


    • Edited by TreeLeafs Thursday, August 2, 2012 3:38 AM
    Thursday, August 2, 2012 3:37 AM