Unable for clients in untrusted domain to communicate with MP in another domain.

  • Question

  • We have been testing SCCM a while and have a main forest in which our primary SCCM server is located. In another, smaller forest we have, there is also a site system server on which we had the following roles installed: DP, SS and MP. We thought everything was okay, but we discovered that the clients were not choosing an MP in a different forest, and read that it's not possible to control which MP clients use in the same site.

    We removed the MP from the SS server in the untrusted domain and opened the ports needed for clients to communicate with the MP on the primary site, but the clients in the untrusted site receive an authentication error no matter if we use HTTP or HTTPS: Post to https://x/ccm_system_windowsauth/request failed with 0x87d00231.

    Active Directory Forest Discovery works, and the forest discovery publishing status is Succeeded in both forests.

    Friday, June 12, 2015 1:21 PM

Answers

  • If possible for you, I would leave the MP in the untrusted domain and upgrade to SCCM 2012 R2 SP1 (SCCM 2012 SP2), where you can set Preferred Management Points.

    If upgrading is not possible, with SCCM 2012 R2 CU3 you can use Management point affinity.

    This would be the preferred method of doing things: keeping the MP in the untrusted domain and using either one of those solutions to make sure they don't go back to the MP in the other domain.

    Hope this helps

    • Proposed as answer by Daniel JiSun Monday, June 15, 2015 6:08 AM
    • Marked as answer by hanspjacobsen Monday, June 15, 2015 8:40 AM
    Friday, June 12, 2015 1:39 PM

All replies

  • Thanks, I had installed SP1 but didn't know of the new setting. I will check that computers don't get the wrong MP.
    Friday, June 12, 2015 1:55 PM