management points in a site spanning multiple AD forests

  • Question

  • I am still planning a hierarchy that spans multiple AD forests.

    Since the PKI is in place in all forests, I am thinking of installing an MP in each of the forests so that client authentication can be done within the forest. Is this the right thing to do? (But I can't find this in the documentation for installing the MP.)

    I am also thinking of using one MP to manage clients in multiple forests. Is it possible, and under which conditions (requirements)?

    Thanks

    Sunday, August 5, 2012 10:14 AM

Answers

  • I saw in an SCCM 2007 environment that when a client moved (roaming) from one forest to the other, it got certificate-related errors even though the same root CA certificate is trusted.

    There's no reason ConfigMgr would have any issues with this, which leads me to believe it is some type of PKI issue. All ConfigMgr is doing is using the certs by looking them up in the local system cert repository. It's the OS's job to validate them and deliver them for use to whichever application is trying to use them, thus cert trust issues are the result of a PKI issue before ConfigMgr ever gets involved. One reason I could think of that might happen is if your CDPs were somehow inaccessible, which is entirely possible if you are relying on a default CA configuration, because they only publish their CRLs to AD.

    Jason | http://blog.configmgrftw.com

    Monday, August 6, 2012 1:47 AM
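The CDP point above is checkable from the client side. The script below is an added example, not code from the thread or from ConfigMgr: for every client-authentication certificate in the machine store it lists the CRL Distribution Point URLs (so you can see whether they are AD-only `ldap:///` paths or HTTP) and builds the chain with online revocation checking, which is the same validation the OS performs before ConfigMgr sees the certificate. It assumes Windows PowerShell 5.1 on a domain-joined client, run elevated; the function name `Test-ClientCertRevocationPath` is my own.

```powershell
# Added example (not from the thread): surface CDP reachability problems on a ConfigMgr client.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU the MP's HTTPS endpoint requires
$CdpOid        = '2.5.29.31'           # CRL Distribution Points extension

function Test-ClientCertRevocationPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [ordered]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint }

    # Pull every CDP URL out of the extension text so it is obvious where the CRL lives.
    $cdp  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    $urls = @()
    if ($cdp) {
        $urls = @([regex]::Matches($cdp.Format($true), '(?i)(ldap|http)s?://\S+') |
                  ForEach-Object { $_.Value })
    }
    $result.Cdps = $urls
    # A host-less ldap:/// CDP (the AD CS default) is looked up in the client's OWN forest.
    # A roaming client in the other forest only succeeds if the issuing CA's CRL has been
    # published into that forest too, or an HTTP CDP is reachable from there.
    $result.AdOnlyCdp = ($urls.Count -gt 0) -and -not ($urls -match '^(?i)https?://')

    # Build the chain the way the OS does for a TLS client certificate, fetching CRLs online.
    # An unreachable CDP shows up here as RevocationStatusUnknown / OfflineRevocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$ClientAuthEku) | Out-Null
    $result.ChainValid  = $chain.Build($Cert)
    $result.ChainStatus = @($chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    $chain.Dispose()
    [pscustomobject]$result
}

# Check every certificate the ConfigMgr client could select for MP authentication.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku } |
    ForEach-Object { Test-ClientCertRevocationPath -Cert $_ } |
    Format-List
```

A certificate that reports `ChainValid = True` here but still fails against the MP points away from the PKI; `AdOnlyCdp = True` together with a revocation status error is the cross-forest CRL publishing problem described above.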

All replies

  • Both options are possible. You can publish the MP information in the other forest. Create the System Management container, and configure the MP publishing in the Forest feature in the Administration workspace.

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund

    Sunday, August 5, 2012 11:01 AM
  • Thanks Kent.

    I am also thinking of the PKI requirements, as the MP is in one forest with its CA and the clients are in another forest with another CA. What needs to be done at the PKI level?

    Sunday, August 5, 2012 12:08 PM
  • So you have two separate PKI hierarchies -- one for each forest? That would be highly unusual.

    Nothing needs to be done at a PKI level as long as the root CAs are trusted by the clients and servers.

    Jason | http://blog.configmgrftw.com

    Sunday, August 5, 2012 3:05 PM
  • Thanks Jason.

    One PKI hierarchy but two issuing CAs, each in one forest. The root CA is the same though.

    I saw in an SCCM 2007 environment that when a client moved (roaming) from one forest to the other, it got certificate-related errors even though the same root CA certificate is trusted.

    I may leave this to the implementation stage to see how it goes.

    Sunday, August 5, 2012 11:05 PM