How to configure SCCM in Multiple Active Directory Forests

1. Introduction:

Configuration Manager 2007 clients on the intranet use Active Directory Domain Services as their primary method of service location and configuration. If you have clients that reside in a separate forest, they will not be able to retrieve information that is published to Active Directory Domain Services by their assigned site server.

For these clients to be managed, you must ensure that alternative methods are available for the following:

• Site compatibility check to complete site assignment.
• Service location for management points, and the server locator point if this is not directly assigned.
• Native mode configuration (Optional).

We have two domains in different forests: the first domain is primary.local, which contains the SCCM server; the second domain is domain.com, which contains the clients that should be managed by the SCCM server in the primary domain.

To successfully deploy the CCM client and allow the SCCM server to manage clients in multiple AD forests, we should do the following configuration:

1- Configure boundaries correctly so that the SCCM client agent can be distributed to clients located in the 2nd (trusted) domain.
2- Configure the Client Push Installation switches in the client installation properties so that clients in the 2nd domain can find the SLP.
3- Configure the discovery method so that the SCCM server can discover computers in the 2nd trusted domain.
4- Add the Server Locator Point (SLP) site system role to the site.
5- The Client Push Installation account must be a local administrator on the client computers in the 2nd domain. Use a dedicated account that is a local administrator only on the target computers, not a domain administrator, because this account ends up with administrative rights on every machine it installs.
6- Publish the SLP and MP manually in WINS for the 2nd trusted domain.
7- Enable WINS on the client PCs in the 2nd domain.

2. Configure Boundaries:

In the normal scenario it is recommended to use Active Directory sites as boundaries for installing the CCM client, but an AD site boundary only covers sites of the site server's own forest, so computers located in the other forest will not be able to receive the CCM client agent from the SCCM server.

In this case we have to configure "IP Subnet" or "IP Address Range" boundaries that cover the clients in the 2nd domain, so that they can receive the client agent.

3. Discovery method:

In the normal scenario it is recommended to enable "Active Directory System Discovery" and select the local domain, but this setting will discover only the primary.local domain.

To discover the 2nd domain we have to make sure that Active Directory System Discovery is configured with the LDAP path LDAP://DC=domain,DC=com. Then run discovery and check adsysdis.log to confirm that it is able to search the domain in the other forest. Note that Configuration Manager 2007 runs this discovery as the site server's computer account, so the forest trust must allow that account to read the other domain.

LDAP Query:

LDAP://DC=domain,DC=com
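Before enabling discovery, it is worth checking from the site server that the LDAP path above is actually readable, because adsysdis.log only tells you afterwards. The following is an added example, not code from the original post: it queries the second forest with the same LDAP path the discovery method will use and then greps adsysdis.log for that path. It assumes the query runs as the site server's computer account (which is what ConfigMgr 2007 AD System Discovery uses) and that the log sits in the default ConfigMgr 2007 install location; both are assumptions.

```powershell
# Added example: pre-flight check of the AD System Discovery LDAP path from the site server.
# Assumptions: forest trust exists, script runs on the site server as an account that can
# read domain.com, and the log path is the ConfigMgr 2007 default (adjust if installed elsewhere).
$ldapPath = 'LDAP://DC=domain,DC=com'    # same LDAP path the discovery method is configured with
$logFile  = 'C:\Program Files\Microsoft Configuration Manager\Logs\adsysdis.log'  # assumed default

$root     = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectCategory=computer)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000               # paged search; otherwise the DC caps the result at 1000 objects
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'dNSHostName', 'operatingSystem'))

try {
    $results = $searcher.FindAll()
    Write-Host ("{0}: {1} computer object(s) readable" -f $ldapPath, $results.Count)
    # Show a few of them; these are the objects discovery will create DDRs for
    $results | Select-Object -First 5 | ForEach-Object {
        '{0,-20} {1,-40} {2}' -f $_.Properties['name'][0], $_.Properties['dnshostname'][0], $_.Properties['operatingsystem'][0]
    }
}
catch {
    # Typical causes: no forest trust, the site server's computer account cannot read
    # domain.com, or the domain.com domain controllers are not resolvable from here.
    Write-Warning ("Cannot read {0}: {1}" -f $ldapPath, $_.Exception.Message)
}

# After running discovery, confirm in adsysdis.log that the second forest's path was searched
if (Test-Path $logFile) {
    Select-String -Path $logFile -Pattern 'DC=domain,DC=com' | Select-Object -Last 5
}
```

If the LDAP query fails here, discovery will fail in the same way; fix the trust or name resolution first rather than repeatedly running discovery.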

4. Add Server Locator Point:

Server locator points are used in a Configuration Manager 2007 hierarchy to complete client site assignment on the intranet and help clients find management points when they cannot find that information through Active Directory Domain Services.

So we need to add the Server Locator Point role to a site system in the site.

5. Configure Push Installation method switches:

It also helps to add the following switches to the client installation properties, especially the SMSSLP switch, since clients in the other forest cannot find the SLP through their own forest's Active Directory.

DNS and NetBIOS Name resolution should work between forests for this to work.

Switches (the property is SMSSITECODE; the site server's FQDN is in the primary.local domain defined above):

SMSSITECODE=S01 SMSMP=SRV-SCCM01.primary.local
SMSSLP=SRV-SCCM01.primary.local FSP=SRV-SCCM01.primary.local

6. Publish SLP Manually in WINS:

Because the clients in the 2nd domain cannot find the SLP or MP through Active Directory, manually add an SMS_SLP record and an MP_<SiteCode> record to the Windows Internet Name Service (WINS) database used by those clients.
To manually add the SMS_SLP and MP_<SiteCode> records to WINS on Microsoft Windows Server 2003 in the 2nd domain, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following commands at the command prompt, and then press ENTER after each command:
   netsh
   wins
   server
3. Add the SMS_SLP record. To do this, type the following command, and then press ENTER:
   add name name=SMS_SLP endchar=1A rectype=0 ip={ip addresses}
   Note: Make sure that you enclose the IP address in braces ("{ }").
4. Add the MP_SMSSiteCode record. To do this, type the following command, and then press ENTER:
   add name name=MP_SMSSiteCode endchar=1A rectype=0 ip={ip addresses}

Note: Make sure that you enclose the IP address in braces (“{ }”). The SMSSiteCode variable represents the three-character string (letters, integers, or a combination of both) that is the code for the SMS site to which the Management Point belongs. It is displayed in the SMS Administrator Console.
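The same registration can be done from an administrator workstation against the WINS server directly, which is also the easiest way to check that the records landed. The following is an added example, not from the original post or the Microsoft KB text above: it adds both static records with the netsh commands from the steps above and reads them back. The WINS server name SRV-WINS01, the site code S01 and the address 10.10.1.10 for SRV-SCCM01 are placeholders.

```powershell
# Added example: register SMS_SLP<1A> and MP_<SiteCode><1A> as static WINS records and verify them.
# Assumptions (placeholders): the clients in domain.com use the WINS server SRV-WINS01,
# the site code is S01, and SLP and MP both run on SRV-SCCM01 at 10.10.1.10.
$winsServer = '\\SRV-WINS01'    # WINS server the domain.com clients point at
$siteCode   = 'S01'
$roleIp     = '10.10.1.10'      # IP of the SLP / MP; several addresses would be {ip1,ip2}

# The client looks up SMS_SLP and MP_<SiteCode> with 16th character 1A, so both records
# are registered with endchar=1A; rectype=0 makes them static (they survive restarts
# and do not age out). netsh requires the IP list to be enclosed in braces.
netsh wins server $winsServer add name name=SMS_SLP        endchar=1A rectype=0 ip="{$roleIp}"
netsh wins server $winsServer add name name="MP_$siteCode" endchar=1A rectype=0 ip="{$roleIp}"

# Read both records back; the output must list the address given above
netsh wins server $winsServer show name name=SMS_SLP        endchar=1A
netsh wins server $winsServer show name name="MP_$siteCode" endchar=1A

# To roll back (e.g. when the SLP moves to another server), delete the static records:
#   netsh wins server $winsServer delete name name=SMS_SLP        endchar=1A
#   netsh wins server $winsServer delete name name="MP_$siteCode" endchar=1A
```

Static records are never updated automatically, so if the SLP or MP is ever moved to a different address the records above must be deleted and re-added, otherwise clients in the 2nd domain keep contacting the old server.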

7. Publish MP in DNS:

We should publish the MP in DNS and make sure the MP FQDN is resolvable from the clients in the other domain.

To publish the default MP in DNS: Site Management -> S01-Primary -> Properties -> Advanced tab -> check "Publish the default management point in DNS".
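Sections 5 and 7 both come down to one thing: a client in domain.com must be able to resolve and reach the site systems named in the installation properties. The following is an added example, not code from the original post, to run on a client in the 2nd domain before (or instead of) the push: it resolves the site server by FQDN (DNS) and by short name (NetBIOS/WINS), checks that the MP answers on its port, and then installs the client with the same properties the push installation uses. It assumes site code S01, all roles on SRV-SCCM01.primary.local, a mixed-mode site (HTTP on port 80), the default SMS_<SiteCode>\Client share on the site server and the ConfigMgr 2007 ccmsetup log location; all of these are assumptions.

```powershell
# Added example: client-side pre-flight for the cross-forest client install, run elevated on a
# client in domain.com. Assumptions: site code S01; SLP, MP and FSP all on SRV-SCCM01.primary.local;
# mixed mode (HTTP, port 80); client source is the default \\<site server>\SMS_<SiteCode>\Client share.
$siteCode = 'S01'
$siteSrv  = 'SRV-SCCM01.primary.local'

# 1. Name resolution: FQDN must come from DNS; the short name falls back to NetBIOS/WINS,
#    which is why WINS must be enabled on these clients.
foreach ($name in @($siteSrv, 'SRV-SCCM01')) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0,-30} -> {1}" -f $name, ($addrs -join ', '))
    } catch {
        Write-Warning ("{0} does not resolve from this client: {1}" -f $name, $_.Exception.Message)
    }
}

# 2. MP reachability: if port 80 is blocked between the forests, site assignment never completes
#    no matter which switches are passed to ccmsetup.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($siteSrv, 80); Write-Host ("MP {0}:80 reachable" -f $siteSrv) }
catch { Write-Warning ("MP {0}:80 not reachable: {1}" -f $siteSrv, $_.Exception.Message) }
finally { $tcp.Close() }

# 3. Install with the same properties as the push installation (SMSSITECODE, SMSMP, SMSSLP, FSP).
$ccmsetup = "\\$siteSrv\SMS_$siteCode\Client\ccmsetup.exe"
& $ccmsetup "SMSSITECODE=$siteCode" "SMSMP=$siteSrv" "SMSSLP=$siteSrv" "FSP=$siteSrv"

# 4. ccmsetup returns immediately and keeps working in the background; watch its log.
#    Assumed ConfigMgr 2007 location (under system32); it differs on later versions.
$log = Join-Path $env:windir 'system32\ccmsetup\ccmsetup.log'
if (Test-Path $log) { Get-Content -Path $log | Select-Object -Last 20 }
```

If step 1 resolves the FQDN but not the short name, the client will still install (ccmsetup is given FQDNs here) but the SLP lookup through WINS will not work, so fix the WINS configuration rather than relying on the install succeeding.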

If you have any question regarding how to configure SCCM in multiple Active Directory forests, please post it in the following forum:
Microsoft System Center Configuration Manager Technical Forum
