Discovery and permissions - Single forest, multiple domains in SCCM 2012 R2

  • Question

  • Hi,

    We are in the process of rolling out SCCM 2012 R2. We will be managing < 25k clients. We will be running one primary site, a dedicated MSSQL box, and a single DP.

    Our first goal is to use it to automate patching in our test/dev environments. The issue we are running up against is that our prod SCCM environment is in one domain and our dev environments span multiple domains. I'm trying to figure out the best way to manage all of these servers without creating a service account at the root domain level, for security scope reasons.

    Here is an example of the domains.

    ad.rootdomain.com - Production SCCM server lives here.

    Dev:

    adlab.rootdomain.com - Dev

    ----->tritest.adlab.rootdomain.com - Dev

    ----->devad.adlab.rootdomain.com - Dev

    devid.rootdomain.com - Dev

    devcv.rootdomain.com - Dev

    What would be the best way to handle managing these servers? I've read about doing one-way trusts and service accounts. I'm not sure where the trusts would need to be placed exactly.

    I'm sure this has been covered... I've been reading many TechNet articles/forum posts but haven't found what I'm looking for. Or maybe I have but didn't understand it. Any help would be great!

    Thanks.

    Tuesday, July 22, 2014 10:44 PM

All replies

  • See the table in http://technet.microsoft.com/en-us/library/gg712701.aspx#Plan_Com_X_Forest You could place MPs and DPs in untrusted forests/domains.

    Torsten Meringer | http://www.mssccmfaq.de

    • Marked as answer by draker541 Thursday, July 24, 2014 11:13 PM
    Wednesday, July 23, 2014 7:10 AM
  • Thanks, I think I remember reading about this option. I should also note these domains are in the same location. They are simply test/dev AD instances for testing various platforms before we roll the changes into our production environment. They are, in turn, very small and very simple, often just to provide AD functionality. If possible I'd like to manage them with the same SCCM server to save resources.

    I will review that link in depth. Thank you for taking the time to reply.

    Wednesday, July 23, 2014 5:17 PM
  • I have not read through the links provided yet but I definitely will. I believe I saw at least one of these links when I was searching myself. I didn't think it was what I wanted because it was listed as cross-forest support and my configuration is actually a single forest with multiple domains. 

    I'll read through the links. Thanks for taking the time to reply.

    Wednesday, July 23, 2014 5:20 PM
  • Have a look at this blog series about Cross Forest Support in Configuration Manager 2012:

    In part 2 of this blog post it mentions adding the second forest in the AD Forest hierarchy node. Can I simply add another domain? For example: AD.rootdom.com and devAD.rootdom.com?

    Then extend the schema and give permissions etc as mentioned in post?

    Wednesday, July 23, 2014 5:56 PM
  • Hi

    If I understand correctly - there is no need for you to add another forest as long as the machines you wish to administer are in the same forest.

    If you want to discover the machines in your other domains (same forest) you would just go to, i.e., Active Directory System Discovery, click browse and choose the domain or OUs. The computer account of the site server will need permissions to AD (read).

    Wednesday, July 23, 2014 6:12 PM
  • Hi

    If I understand correctly - there is no need for you to add another forest as long as the machines you wish to administer are in the same forest.

    If you want to discover the machines in your other domains (same forest) you would just go to, i.e., Active Directory System Discovery, click browse and choose the domain or OUs. The computer account of the site server will need permissions to AD (read).

    I have looked in there. I can actually see one of the domains devad.rootdom.com. I can't actually read anything from it. I'll look into adding the read permissions for the computer account. Does the schema need to be extended or permissions added to the system container? Or simply just read permission granted?

    The other domains however, I'm not sure why I can't see those. I'll consult with our AD guy.

    Wednesday, July 23, 2014 6:39 PM
  • Schema publishing is on a forest level, not a domain level. So if the same domain, then no additional schema extensions are necessary. Only if using different forests.

    Wally Mead

    Wednesday, July 23, 2014 11:32 PM
  • We have an empty forest, and AD actually lives in a child domain. So the schema has been extended only in ad.rootdom.com.

    I read the above blog articles as well as talked to a PFE. Since the dev/test domains only have a select few clients we've opted just to do manual client installs on the machines. We will likely do GPO deploys for new machines but we are still looking into that to see if it will work well in our environment.

    The issue now is the clients appear to not be able to locate the MP. What I've done so far:

    Set up boundaries and assigned them to boundary groups.

    Confirmed the client can ping the site server via FQDN

    Manually installed the client using: ccmsetup.exe /mp:FQDN SMSSITECODE=code

    Found the following in LocationServices.Log

    Unable to find lookup MP(s) in Registry, AD, DNS and WINS

    Failed to retrieve DNS service record using _mssms_mp_101._tcp.devad.adlab.rootdom.com lookup. DNS returned error 9003

    Is there a specific DNS entry I need to add in each of the domains? I didn't see this mentioned.

    Thursday, July 24, 2014 6:18 PM
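An added diagnostic for the situation in the post above (not code from the thread or from Microsoft): it checks the three places a client looks for a management point, matching the LocationServices.log lines quoted. The site code 101 and client domain are taken from the log line; the MP FQDN is a placeholder, and the `mSSMSManagementPoint` / `mSSMSSiteCode` / `mSSMSMPName` attribute names are those the SCCM schema extension creates.

```powershell
# Added example, not from the original post. Assumed values: site code from the
# quoted SRV lookup, client domain from the same line, MP FQDN is a placeholder.
param(
    [string]$SiteCode     = '101',
    [string]$ClientDomain = 'devad.adlab.rootdom.com',
    [string]$MpFqdn       = 'sccm01.ad.rootdom.com'   # placeholder MP name
)

# 1. DNS: the client queries _mssms_mp_<sitecode>._tcp.<client's DNS domain>.
#    Error 9003 (DNS_ERROR_RCODE_NAME_ERROR) means the zone answered NXDOMAIN,
#    so the SRV record simply does not exist in that domain's zone.
$srvName = "_mssms_mp_$SiteCode._tcp.$ClientDomain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    $srv | ForEach-Object { Write-Host "SRV record found: $($_.NameTarget):$($_.Port)" }
} catch {
    Write-Warning "No SRV record '$srvName' ($($_.Exception.Message)). Either publish the MP to this zone or rely on AD / the manual /mp: value."
}

# 2. AD: with the forest schema extended, the client reads
#    CN=System Management,CN=System,<domain DN> for mSSMSManagementPoint objects.
#    The site server's computer account needs Full Control on that container in
#    each domain it publishes to; clients only need the default read access.
$domainDn  = 'DC=' + (($ClientDomain -split '\.') -join ',DC=')
$container = "LDAP://CN=System Management,CN=System,$domainDn"
try {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$container)
    $searcher.Filter = "(&(objectClass=mSSMSManagementPoint)(mSSMSSiteCode=$SiteCode))"
    $mps = $searcher.FindAll()
    if ($mps.Count -eq 0) {
        Write-Warning "No MP for site $SiteCode published in $container (AD publishing to this domain not working?)"
    } else {
        $mps | ForEach-Object { Write-Host "AD-published MP: $($_.Properties['mssmsmpname'][0])" }
    }
} catch {
    Write-Warning "Cannot read $container ($($_.Exception.Message)): container missing or no read access."
}

# 3. Reachability: even with ccmsetup /mp:<FQDN>, the client must reach the MP
#    over HTTP (80) or HTTPS (443); a firewall between domains shows up here.
foreach ($port in 80, 443) {
    $r = Test-NetConnection -ComputerName $MpFqdn -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'closed/filtered' }
    Write-Host ("TCP {0} to {1}: {2}" -f $port, $MpFqdn, $state)
}
```

Run it on the affected client as a user with ordinary domain read rights; a warning in step 2 on a domain where publishing is enabled points at the container permissions rather than at DNS.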
  • Schema extension is a forest-wide thing.
    Have you enabled AD publishing to the remote domain?

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, July 24, 2014 6:28 PM
  • Schema extension is a forest-wide thing.
    Have you enabled AD publishing to the remote domain?

    I have it enabled. But there are no trusts between the domains. We are going to treat it similarly to a workgroup, is my understanding.

    Thursday, July 24, 2014 9:30 PM
  • There are at least 3 options that can be used - just read the table in the link I already posted. There's no need for a trust for publishing data to another forest.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, July 24, 2014 9:33 PM
  • Thank you. I went back and re-read it.

    I actually got it working. I'm not sure what actually got it working though. I added the domain and enabled publishing. Set up a few more boundaries and added them to groups.

    It wasn't working at that point. But some time earlier today the clients checked in. 

    I added another client just a few minutes ago, and it checked in without issue.

    Thank you everyone that took the time to respond. Very much appreciated.

    Thursday, July 24, 2014 11:12 PM