DP for each untrusted site

  • Question

  • Hi,

     

    Our SCCM 2012 design is:

     

    Site 1:
    1 Primary Server

     

    Site 2:
    1 DP member of forest1.local (Untrusted)

    There is also a forest2.local (Untrusted) forest, but there is no second DP. I've configured the boundary groups to use the first DP, so in this case do I have to place a DP for each untrusted forest?

     

    I'm asking this because when I tried to deploy something to forest2.local (there is no dedicated DP) I came across the following errors:

     

    PROPFIND 'http://DP01.forest1.local/SMS_DP_SMSPKG$/ST200003'	ccmsetup	10/30/2012 11:57:56 PM	684 (0x02AC)
    Failed to correctly receive a WEBDAV HTTP request.. (StatusCode at WinHttpQueryHeaders: 401)	ccmsetup	10/30/2012 11:57:56 PM	684 (0x02AC)
    Failed to check url http://DP01.forest1.local/SMS_DP_SMSPKG$/ST200003. Error 0x80004005	ccmsetup	10/30/2012 11:57:56 PM	684 (0x02AC)

    Thanks








    • Edited by HUNAL Tuesday, October 30, 2012 10:27 PM
    Tuesday, October 30, 2012 10:18 PM

Answers

  • Finally the problem is resolved!

     

    I was assuming that an MP role, which is in the untrusted forest1.local with the DP, was installed successfully, but it wasn't. When I checked the event logs on the remote site server I saw a lot of errors about mp.msi installation failure etc., because there was a missing Windows feature, BITS, that I forgot to install :/

     

    After the successful MP installation I haven't seen any errors.

     

    Thanks



    • Marked as answer by HUNAL Friday, November 2, 2012 11:33 PM
    • Edited by HUNAL Friday, November 2, 2012 11:35 PM
    Friday, November 2, 2012 11:33 PM

All replies

  • Have you configured a network access account?

    Jason | http://blog.configmgrftw.com

    Wednesday, October 31, 2012 1:46 AM
  • Hi Jason,

    I've configured it on the primary site, but I think the problem is related to the remote DP that is a member of the untrusted domain.


    • Edited by HUNAL Wednesday, October 31, 2012 6:59 AM
    Wednesday, October 31, 2012 6:55 AM
  • By the way, a correction: I came across the error when I tried to install the agent on the forest2.local forest's clients. The agents are installed successfully, but the errors in ccmsetup.log say the clients are getting the content from the primary site instead of the DP which is a member of forest1.local.

     

    Is it a supported design to place one DP at a remote site for multiple untrusted domains?



    • Edited by HUNAL Wednesday, October 31, 2012 7:38 AM
    Wednesday, October 31, 2012 7:37 AM
  • Yes it's supported to place site systems in untrusted forests: http://technet.microsoft.com/en-us/library/gg712701.aspx#Plan_Com_X_Forest

    However, I thought you said above that you did not place a DP in the untrusted forest?


    Jason | http://blog.configmgrftw.com

    Wednesday, October 31, 2012 3:14 PM
  • Hi Jason,

     

    We have 1 primary site and 2 separate untrusted forests, and we have placed the DP in forest1. In this design, can forest2 use forest1's DP?


    • Edited by HUNAL Wednesday, October 31, 2012 6:26 PM
    Wednesday, October 31, 2012 6:12 PM
  • It can, but you must have a network access account defined so that the clients can authenticate.

    Jason | http://blog.configmgrftw.com

    Thursday, November 1, 2012 1:37 PM
  • Thanks Jason,

     

    I've defined a network access account for the primary site, but according to the error logs, clients of forest2 are trying to access the closest DP, which is a member of the forest1.local domain: "http://DP01.forest1.local/SMS_DP_SMSPKG$/ST200003"

     

    I also have another distribution point which is in the same domain as the primary site. In this case there are 2 different DP domains but 1 network access account, so what account do I have to define as the network access account?

    Thursday, November 1, 2012 3:45 PM
  • The NAA is only used as a fallback if the computer's account fails to access the content on the DP. Thus, the NAA you specify should have access to the DP in forest1 because clients in forest2 cannot access it. Clients in forest1 will be able to access the DP also in forest1 with their computer account.

    Now, if you have clients in forest1 trying to access a DP in forest2, the solution starts to get trickier. You essentially have to have network access accounts in each domain and use pass-through authentication.


    Jason | http://blog.configmgrftw.com

    Thursday, November 1, 2012 3:52 PM
  • Thanks Jason, I'll try and let you know.
    Thursday, November 1, 2012 5:22 PM
  • I have changed the NAA from the primary site domain account to a forest1.local account; unfortunately I get the same error.
     

    When I push the agents to forest2 in the ccmsetup.log:

     
    Found local location 'http://DP01.forest1.local/SMS_DP_SMSPKG$/THQ00003'	ccmsetup	11/2/2012 2:00:41 PM	728 (0x02D8)
    PROPFIND 'http://DP01.forest1.local/SMS_DP_SMSPKG$/THQ00003'	ccmsetup	11/2/2012 2:00:41 PM	728 (0x02D8)
    Got 401 challenge Retrying with Windows Auth...	ccmsetup	11/2/2012 2:00:41 PM	728 (0x02D8)
    PROPFIND 'http://DP01.forest1.local/SMS_DP_SMSPKG$/THQ00003'	ccmsetup	11/2/2012 2:00:41 PM	728 (0x02D8)
    Failed to correctly receive a WEBDAV HTTP request.. (StatusCode at WinHttpQueryHeaders: 401)	ccmsetup	11/2/2012 2:00:41 PM	728 (0x02D8)
    Failed to check url http://DP01.forest1.local/SMS_DP_SMSPKG$/THQ00003. Error 0x80004005	ccmsetup	11/2/2012 2:00:41 PM	728 (0x02D8)
     


    So forest2 clients are getting the agent installation files from the primary site instead of the closest forest1 DP.

    • Edited by HUNAL Friday, November 2, 2012 12:22 PM
    Friday, November 2, 2012 12:21 PM
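
Added example (not part of the original thread and not Microsoft tooling): a Python parser that runs over the ccmsetup.log excerpt from the post above and reports, per DP content URL, whether the anonymous PROPFIND was retried with Windows authentication and still ended in 401. The function names `triage` and `auth_failures` and the analyst-supplied `client_domain` argument are assumptions for illustration; a flagged URL only narrows the search to authentication against that DP (computer account, then NAA) and to the health of the site system roles on that server.

```python
import re
from urllib.parse import urlsplit

# ccmsetup.log lines copied from the post above; fields are tab-separated.
TAIL = "\tccmsetup\t11/2/2012 2:00:41 PM\t728 (0x02D8)"
URL = "http://DP01.forest1.local/SMS_DP_SMSPKG$/THQ00003"
SAMPLE_LOG = "\n".join(m + TAIL for m in [
    f"Found local location '{URL}'",
    f"PROPFIND '{URL}'",
    "Got 401 challenge Retrying with Windows Auth...",
    f"PROPFIND '{URL}'",
    "Failed to correctly receive a WEBDAV HTTP request.. (StatusCode at WinHttpQueryHeaders: 401)",
    f"Failed to check url {URL}. Error 0x80004005",
])

PROPFIND_RE = re.compile(r"^PROPFIND '(https?://[^']+)'")
STATUS_RE = re.compile(r"StatusCode at WinHttpQueryHeaders: (\d{3})")


def triage(log_text, client_domain):
    """Summarise each DP content URL that ccmsetup probed.

    client_domain is supplied by the analyst (assumption: the client's DNS domain).
    """
    results, cur = {}, None
    for raw in log_text.splitlines():
        msg = raw.split("\t", 1)[0].strip()   # first field is the message text
        hit = PROPFIND_RE.match(msg)
        if hit:
            url = hit.group(1)
            host = urlsplit(url).hostname or ""   # hostname is lower-cased
            cur = results.setdefault(url, {
                "host": host, "package": url.rsplit("/", 1)[-1],
                "attempts": 0, "auth_retry": False, "status": None, "failed": False,
                "foreign_dp": not host.endswith("." + client_domain.lower()),
            })
            cur["attempts"] += 1
        elif cur is None:
            continue                              # nothing probed yet
        elif "Retrying with Windows Auth" in msg:
            cur["auth_retry"] = True
        elif STATUS_RE.search(msg):
            cur["status"] = int(STATUS_RE.search(msg).group(1))
        elif msg.startswith("Failed to check url"):
            cur["failed"] = True
    return results


def auth_failures(results):
    """URLs that ended in 401 on a DP outside the client's DNS domain."""
    return [u for u, r in results.items()
            if r["failed"] and r["status"] == 401 and r["foreign_dp"]]
```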