SCCM 2012 Hierarchy - 6 domain no trust between how?

  • Question

  • Hi

    We host different customers. We have 5 different domains, all separated, with no trust between them.
    We would like to start using SCCM 2012 as our primary system management product.

    But I am not sure on what is the best (Site structure) solution to go for. The different domains cannot trust each other.

    So how can we install SCCM 2012 in this structure?

    1. Do we need to install a Primary Site for every domain, so each domain is administrated by its own SCCM 2012 primary site?

    2. Can we create a management domain and create a one-way trust from the new management domain to the other 5 domains, then install a single SCCM 2012 primary site only?

    The important thing is that information in the domains is not transmitted to other domains, only maybe up in the hierarchy.

    This is a tricky one; I see that there are limitations to the current structure. But this is the configuration we are running for the moment.

    Thx for all replies on this topic :P

    Wednesday, April 25, 2012 10:10 PM

Answers

  • We are hoping to support the following: Software distribution, Inventory, OS distribution, self service portal (Application model) and reporting. (MP, DP, Application Catalog Website Point, Application Catalog Web Service Point)

    The Application Catalog Web Service Point would need to be placed in your management domain, but you can have Application Catalog Website Points in each of the customer domains that talk to the Application Catalog Web Service Point in the management domain. Then you would use custom client settings assigned to individual collections to define which Application Catalog Website Point they should use.

    By having a new administration domain with a primary without any trust to the other domains, all we need is DNS lookup and account access to the domains?

    When you deploy the site system roles into the customer domains, you will have the ability to specify a communication account to be used between the site server and remote site systems.

    How about discovering resources in the different domains? (Users, Devices)?

    Discovery allows you to configure multiple "rules", defining what LDAP path to run queries against. For each of these, you can specify the account to be used to connect to the remote AD forest.

    Thursday, April 26, 2012 5:57 PM

All replies

  • 1. You could do this if you desired not having a single unified hierarchy.

    2. Not directly no. SQL Replication in 2012 requires Kerberos which involves mutual authentication which means you need a two-way trust.

    You could create another management domain, place a CAS and six primaries in that domain (one for each of the other domains). Then, place a DP, MP, and SUP in each of the six domains with each set attached to one of the primaries. No trusts necessary to my knowledge because you can specify a connection account for each role.

    Now you've got your data separation as well as a single unified hierarchy for reporting.

    Definitely complex, but that's a result of your data separation requirements, and I'm sure you're used to complexity as a result of that.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Thursday, April 26, 2012 12:38 AM
  • You could also create a management domain, and just install a primary.

    Then you can install an MP and DPs in your customers' domains (requires no trust).

    Depending on the services you plan to offer your customers, this might be the right solution (or not). It all comes down to your requirements, and what features you wish to use.


    Ronni Pedersen | Configuration Manager MVP | Blog: http://www.ronnipedersen.com/ | Twitter @ronnipedersen

    Thursday, April 26, 2012 12:42 PM
  • Hi, thx for the replies.

    Consolidation between the domains is not an option at the moment, and installing a primary site in every domain will actually be too much administration (no go).

    Creating an administration domain with one single primary site and installing an MP and DPs in your customers' domains looks to me like a better idea.

    We are hoping to support the following: Software distribution, Inventory, OS distribution, self service portal (Application model) and reporting. (MP, DP, Application Catalog Website Point, Application Catalog Web Service Point)

    By having a new administration domain with a primary without any trust to the other domains, all we need is DNS lookup and account access to the domains?

    How about discovering resources in the different domains? (Users, Devices)?

    Thx for responding to this post :)

    Thursday, April 26, 2012 2:49 PM
  • Discovery can be done in a remote forest/domain from the primary site. You just need to specify the credentials for the remote forest/domain.

    The "Application Catalog Web Service Point" cannot be installed in a remote forest (http://technet.microsoft.com/en-us/library/gg712701.aspx), but the "Application Catalog Website Point" can.

    I haven't tested this exact scenario yet (I plan to), but if my understanding is correct, this configuration should be able to provide the features and functionality you've listed above.

    I'm not 100% sure how you should handle the Network Access Account when doing OS Deployment (you can only specify one), but I'm sure there's a way around this by using Task Sequence variables etc.


    Ronni Pedersen | Configuration Manager MVP | Blog: http://www.ronnipedersen.com/ | Twitter @ronnipedersen

    Thursday, April 26, 2012 5:53 PM
  • After re-reading the post, I think I misinterpreted the ramifications of this line:

    "The important is that information in the domains is not transmitted to other domains, only maybe up in the hierarchy."

    So, I concur with Ronni's solution which has essentially been verified by Jim below.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Thursday, April 26, 2012 7:56 PM
  • Thx to everyone who contributed to this post.

    We will simulate the current structure in a lab environment and test the recommendations outlined here in this post.

    Thx again! :P

    Friday, April 27, 2012 9:19 AM