System Management Delegation

  • Question

  • Hi

    I have 3 forests (A, B, C).

    - Forest A (1 root domain)

    - Forest B (1 root domain and 1 child)

    - Forest C (1 root domain)

    I install a new SCCM 2012 R2 CU3 in the root domain (Forest B).

    - Forest A trusts Forest B

    - Forest C has no trust with forest B or C

    I install MP and DP in forest A and C.

    My question: is it necessary to delegate MP on "System Management" in Active Directory in:

    -  Root Domain forest A?

    -  Root Domain forest C?

    -  In child domain forest B?

    Thanks

    Friday, November 21, 2014 3:28 PM

All replies

  • Not sure what you mean by delegate here? There is no such concept. Are you talking about setting permissions on the System Management container?

    If so, then is it necessary? No.

    Will it enable ConfigMgr to publish site location information used by clients in those forests to more easily locate the MP? Yes.

    However, it's not the MP that is publishing data, it's the site itself and so the site server must have permissions on the container. Actual publishing is done by Forest Discovery and thus you must configure Forest Discovery with proper credentials also in addition to extending the schema in the forests and manually creating the container.

    Lots more info at http://technet.microsoft.com/en-us/library/hh696542.aspx and http://blogs.technet.com/b/configmgrteam/archive/2011/03/30/active-directory-forest-discovery-and-publishing-in-configuration-manager-2012-beta-2.aspx


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by Daniel JiSun Tuesday, December 2, 2014 5:18 AM
    Friday, November 21, 2014 6:32 PM
  • Hi

    Yes, I am talking about setting permissions on the System Management container.

    Because presently I have 3 SCCM 2007 servers in 3 forests (A-B-C), my target is to migrate the 3 SCCM 2007 servers to 1 SCCM 2012 server (Forest B).

    The schema is already extended in the 3 forests.

    If I remove SCCM 2007 in forest A and C and install a new MP and DP, is it necessary to modify settings on "System Management" (Active Directory) on the domain in forest A and C?

    Thanks

    Friday, November 21, 2014 7:24 PM
  • That depends. The requirement is for the site server (as mentioned) to be able to publish info to the container if you have configured it to do so. This of course requires it to have permissions or for it to be configured with an account that has permissions. Thus, it depends upon the account you use for this. If it has permissions already, then no, you don't have to do anything. If it doesn't have permissions, then yes of course you have to modify them. This is no different than access to *any* resource in your environment, the user performing the operation must have permissions -- if they don't already have permissions, they must be granted or that operation will be denied.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by Daniel JiSun Tuesday, December 2, 2014 5:18 AM
    Friday, November 21, 2014 7:59 PM
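
One way to answer "does the account already have permissions?" for each domain in the thread, as an added example that is not part of the original posts: it checks that the System Management container exists and that the publishing account holds Full Control on it and its descendants, which is the permission Microsoft's publishing guidance asks for. The function name, server names and account names are hypothetical placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: audit the System Management container ACL in one domain.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Test-SystemManagementAcl {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Server,     # a DC in the domain to check (placeholder)
        # DOMAIN\account used for publishing, or its SID string when names
        # from that forest do not resolve on the machine running the check.
        [Parameter(Mandatory)] [string] $Publisher,
        [pscredential] $Credential                   # needed for a forest with no trust
    )
    $common = @{ Server = $Server }
    if ($Credential) { $common.Credential = $Credential }

    $domainDn = (Get-ADDomain @common).DistinguishedName
    $dn       = "CN=System Management,CN=System,$domainDn"
    $result   = [ordered]@{ Container = $dn; Exists = $false
                            FullControl = $false; CoversDescendants = $false }
    try {
        # Extending the schema does not create the container; it is created manually.
        $obj = Get-ADObject -Identity $dn -Properties nTSecurityDescriptor @common -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return [pscustomobject]$result
    }
    $result.Exists = $true

    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $aces = $obj.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Publisher -and
        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl
    }
    if ($aces) {
        $result.FullControl = $true
        # 'All' is "This object and all descendant objects" in the ACL editor.
        $result.CoversDescendants = [bool]($aces | Where-Object { $_.InheritanceType -eq 'All' })
    }
    [pscustomobject]$result
}

# Constructed names; run once per domain that should receive published site data.
# Test-SystemManagementAcl -Server dc01.forest-a.example -Publisher 'FORESTB\SITESRV01$'
# Test-SystemManagementAcl -Server dc01.forest-c.example -Publisher 'FORESTC\svc-cmpublish' -Credential (Get-Credential)
```

The check reads only explicit and inherited ACEs for the named account, so access granted through group membership shows up as `FullControl = False`; pass the group as `-Publisher` in that case.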