Clients not getting correct MP for AD query

  • Question

  • We have a very strange network setup and I'm having an even stranger issue. I'll try to describe this as best I can, but please ask me questions if I forgot to mention something. 

    We're running SCCM 2012 R2 SP1. We have our domain and a sub-domain: Domain.local and Sub.Domain.local. The way things are set up is that clients on Domain.local can talk to servers on Domain.local, and clients on Sub.Domain.local can talk to servers on Sub.Domain.local. Servers in the domain and sub-domain can talk to each other. Clients in Sub.Domain.local can NOT talk to servers on Domain.local. 

    We're trying to manage all of the clients with SCCM. I have a primary site on Domain.local and a secondary site on Sub.Domain.local. The clients can talk to their respective server and the servers can talk to each other. When the clients in Sub.Domain.local query AD looking for an MP, they get back the MP on the primary site and not the MP on the secondary site. The clients are unable to talk to the primary site, so they just get stuck. I've tried to specify the MP in the secondary site when I push the SCCM client and it seems to work at first, but then the client runs the AD query, gets back the wrong MP and gets stuck again. 

    It seems the client is not seeing the secondary site when it queries AD. When I check AD under the System Management container in Sub.Domain.local the secondary site is the only one there. I know I can open up the firewall to allow the clients in Sub.Domain.local to talk to the primary site, but I'd like to avoid that if I could. 

    Thanks for any help. 

    Monday, February 8, 2016 9:24 PM

Answers

  • That's because management points in secondary sites are not full replacements for MPs in primary sites; clients must still be able to communicate with an MP in the primary site. Secondary sites are *not* gateways so what you are seeing is by design. 

    You should replace the MP in the sub domain with a site system that hosts the MP, DP, and SUP roles (no secondary site). Clients will then prefer (or fail-over) to these roles.

    Also, AD doesn't really provide any info about which MP to use. It provides an MP for the clients to use when the client doesn't know about any MPs and this in turn is only used to determine which MP to continue to use -- a bootstrap process.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, February 9, 2016 12:24 AM
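As an added check that is not part of the original thread: the two things worth verifying before opening any firewall holes are (a) what the System Management container in each domain actually publishes, and (b) which site and MP the client has already been assigned to, since, as the answer says, the AD lookup only bootstraps that assignment. The script below reads the published mSSMSManagementPoint objects with a plain LDAP search (this is not the ConfigMgr client's own lookup code) and then reads the local client's assignment from the SMS_Authority class in the root\ccm WMI namespace. The distinguished names for Domain.local and Sub.Domain.local are placeholders; run it on a domain-joined client in Sub.Domain.local with read access to the container.

```powershell
# Added example, not from the original thread or from Microsoft's ConfigMgr code.
# Assumptions: the two DNs below stand in for Domain.local and Sub.Domain.local;
# the ConfigMgr AD schema extensions are in place and the sites publish to AD.

function Get-CMPublishedMP {
    # Lists every management point a site has published to the System Management
    # container of the given domain, i.e. what a client's AD query can return.
    param([Parameter(Mandatory)][string]$DomainDN)   # e.g. "DC=Sub,DC=Domain,DC=local"

    $root     = [ADSI]"LDAP://CN=System Management,CN=System,$DomainDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=mSSMSManagementPoint)'
    foreach ($a in 'mSSMSMPName', 'mSSMSSiteCode', 'mSSMSDefaultMP') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }

    foreach ($r in $searcher.FindAll()) {
        # DirectorySearcher lower-cases property names; guard missing attributes.
        $get = { param($n) if ($r.Properties.Contains($n)) { $r.Properties[$n][0] } }
        [pscustomobject]@{
            Domain    = $DomainDN
            SiteCode  = [string](& $get 'mssmssitecode')
            MPName    = [string](& $get 'mssmsmpname')
            DefaultMP = [bool](& $get 'mssmsdefaultmp')
        }
    }
}

function Get-CMClientAssignment {
    # What the local client already believes: its assigned site code and the MP
    # it is currently using. AD is consulted only when this is unknown.
    $auth = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority
    [pscustomobject]@{
        AssignedSite = ($auth.Name -replace '^SMS:', '')   # Name is "SMS:<sitecode>"
        CurrentMP    = $auth.CurrentManagementPoint
    }
}

# Usage: compare what AD publishes in each domain with what this client uses.
$published = 'DC=Domain,DC=local', 'DC=Sub,DC=Domain,DC=local' |
    ForEach-Object { Get-CMPublishedMP -DomainDN $_ }
$published | Format-Table -AutoSize

$client = Get-CMClientAssignment
$client | Format-List

# If the MP the client is bound to sits in Domain.local, this is the reachability
# problem from the question; test the client-to-MP port the MP is configured for.
Test-NetConnection -ComputerName $client.CurrentMP -Port 80 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The first table shows whether the secondary site's MP is published with the secondary site code or the primary's, and the second shows the site code the client was assigned to; together they explain why the client keeps returning to the primary-site MP after the push-time override. The Test-NetConnection line confirms the symptom directly rather than inferring it from LocationServices.log. If the MP uses HTTPS, test port 443 instead.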