In order to configure an SCCM management point to manage an untrusted domain:
- Ensure that the firewall ports are open between the two domains:
  TCP 53 (DNS) from SCCM Management Point -> to untrusted forest
  TCP 389 (LDAP) from SCCM Management Point -> to untrusted forest
  TCP 80 (HTTP) from untrusted forest -> to SCCM Management Point
  TCP 443 (HTTPS) from untrusted forest -> to SCCM Management Point
  TCP 445 (SMB to DP) from untrusted forest -> to SCCM Management Point
  TCP 8530 (SUP http) from untrusted forest -> to SCCM Management Point
  TCP 8531 (SUP https) from untrusted forest -> to SCCM Management Point
  TCP 10123 from untrusted forest -> to SCCM Management Point
- Configure DNS with conditional forwarders or stub zones in both forests, so that SCCM can resolve remote hostnames in the untrusted domain and system discovery can find the remote clients.
- Create an Active Directory Forest Account in the untrusted forest that will be used to publish the SCCM site information into the System Management container.
- It is highly recommended that you extend the schema in the untrusted forest, as this will make things much easier by adding the following items to AD:
  Attributes:
  cn=mS-SMS-Assignment-Site-Code
  cn=mS-SMS-Capabilities
  cn=MS-SMS-Default-MP
  cn=mS-SMS-Device-Management-Point
  cn=mS-SMS-Health-State
  cn=MS-SMS-MP-Address
  cn=MS-SMS-MP-Name
  cn=MS-SMS-Ranged-IP-High
  cn=MS-SMS-Ranged-IP-Low
  cn=MS-SMS-Roaming-Boundaries
  cn=MS-SMS-Site-Boundaries
  cn=MS-SMS-Site-Code
  cn=mS-SMS-Source-Forest
  cn=mS-SMS-Version
  Classes:
  cn=MS-SMS-Management-Point
  cn=MS-SMS-Roaming-Boundary-Range
  cn=MS-SMS-Server-Locator-Point
  cn=MS-SMS-Site
- Create the System Management container in the untrusted forest. Provide full control permission on this container to the Active Directory Forest Account that you created earlier.
- In the SCCM console, add the untrusted forest. In the Administration workspace, expand Hierarchy Configuration and click Active Directory Forests; then, on the Home tab, in the Create group, click Add Forest to open the Add Forests dialog box. Use the Active Directory Forest Account that you created earlier. Monitor hman.log for any errors.
- Check in the untrusted forest to ensure that the site information is published into the System Management container.
- If you want to discover clients from the untrusted forest automatically, you must configure AD system discovery. If you have not configured the DNS conditional forwarder, system discovery will not work because of name resolution failures (monitor Adsysdisc.log for any errors).
- If you want to perform client push installation, create an SCCM Client Installation Account in the untrusted forest and configure it on the SCCM server.
- Configure boundaries in SCCM for the untrusted forest to manage its clients.
- If clients in the untrusted forest are unable to resolve SCCM roles such as the MP, DP or SUP for the client installation and assignment process or for downloading policies, add the required entries (MP, DP, SUP) to the DNS of the untrusted forest or to the local hosts file on each client. This should only be required if the schema was not extended.
- Again, you must make sure that ports 80, 443, 8530 and 8531 are working from the untrusted forest to the SCCM servers; otherwise you cannot get basic things like software distribution, software updates etc. to work.
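The following PowerShell helpers are an added example for the steps above; they are not part of the original post and not SCCM's own tooling. Every name in it is an assumption to replace with your own values: the forest name `untrusted.example`, the DNS server address `10.20.0.10`, the management point `sccm-mp01.corp.example` and the forest account `svc-sccm-forest`. The functions cover the port check from a client in the untrusted forest, the conditional forwarder on the SCCM-side DNS server, the System Management container with full control for the forest account (run on a domain controller in the untrusted forest with rights to create objects under CN=System), and the final check that the site and management point objects were published.

```powershell
# Added example (not from the original post). All names below are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$UntrustedForest  = 'untrusted.example'       # assumed: DNS name of the untrusted forest
$UntrustedDnsIPs  = @('10.20.0.10')           # assumed: DNS server(s) in the untrusted forest
$ManagementPoint  = 'sccm-mp01.corp.example'  # assumed: FQDN of the SCCM Management Point
$ForestAccountSam = 'svc-sccm-forest'         # assumed: AD Forest Account created in the untrusted forest

# Step 1 (run from a client in the untrusted forest): check the client -> MP ports from
# the list above. TCP 53 and 389 go the other way (MP -> untrusted forest) and are not
# tested here.
function Test-SccmClientPorts {
    param([string]$Target = $ManagementPoint)
    foreach ($port in 80, 443, 445, 8530, 8531, 10123) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

# Step 2 (run on the SCCM-side DNS server): conditional forwarder so the MP can resolve
# hostnames in the untrusted forest. Do the mirror image on the untrusted side, pointing
# at your own DNS servers, so its clients can resolve the MP/DP/SUP names.
function Add-UntrustedForestForwarder {
    Add-DnsServerConditionalForwarderZone -Name $UntrustedForest `
        -MasterServers $UntrustedDnsIPs -ReplicationScope 'Forest'
}

# Steps 3/4 (run in the untrusted forest): create CN=System Management under CN=System
# if it is missing, then grant the forest account Full Control on it and on everything
# below it, which is what SCCM needs to publish the site objects.
function New-SystemManagementContainer {
    $domainDn    = (Get-ADDomain).DistinguishedName
    $systemDn    = "CN=System,$domainDn"
    $containerDn = "CN=System Management,$systemDn"

    if (-not (Get-ADObject -Identity $containerDn -ErrorAction SilentlyContinue)) {
        New-ADObject -Type container -Name 'System Management' -Path $systemDn
    }

    $sid  = (Get-ADUser -Identity $ForestAccountSam).SID
    $acl  = Get-Acl -Path "AD:\$containerDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$containerDn" -AclObject $acl
    return $containerDn
}

# Step 5 (run in the untrusted forest, after adding the forest in the console and
# checking hman.log): list the site and management point objects SCCM published.
# If nothing comes back, publishing has not happened yet or the schema was not extended.
function Get-PublishedSccmObjects {
    $domainDn = (Get-ADDomain).DistinguishedName
    $base     = "CN=System Management,CN=System,$domainDn"
    Get-ADObject -SearchBase $base `
        -LDAPFilter '(|(objectClass=mSSMSSite)(objectClass=mSSMSManagementPoint))' `
        -Properties mSSMSSiteCode, mSSMSMPName |
        Select-Object Name, ObjectClass, mSSMSSiteCode, mSSMSMPName
}

# Typical use, each function on the host it belongs to:
#   Test-SccmClientPorts
#   Add-UntrustedForestForwarder
#   New-SystemManagementContainer
#   Get-PublishedSccmObjects
```

Two points worth checking when you run this: the ACL function grants GenericAll to exactly one account, the forest account, and nothing else, so review the container's ACL afterwards and confirm no broader principal was added; and an empty result from the last function, with no errors in hman.log, usually means the conditional forwarder or the port 389/53 path from the management point is the problem rather than the container permissions.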