One of the questions I have had a lot lately is how to configure multi-forest support in ConfigMgr 2012. My plan is to document a few scenarios covering sites, site systems and clients in remote forests. In this first part I'll explain how you can support clients in an untrusted forest without installing any remote site systems.
Discover information from the remote forest
To configure support for the remote forest:
- Configure credentials for discovering the “remote forest”.
- Configure Active Directory forest discovery to discover IP ranges and AD sites.
- Configure AD System discovery.
- In the Administrator console, select the Administration workspace and navigate to Hierarchy Configuration, Active Directory Forests.
- From the ribbon click Add Forest, fill in information about the forest and the discovery account with read permissions to the remote forest.
- Save the new forest information.
- Navigate to Hierarchy Configuration, Discovery Methods and open the properties for Active Directory Forest discovery.
- Enable the forest discovery method and configure it to discover IP subnets (published as IP ranges) and Active Directory sites; these can later be used as boundaries. Click OK and start the discovery cycle (for detailed information about the process, check ADForestDisc.log on the site server).
Configure Active Directory System Discovery
One of the new features in ConfigMgr 2012 is the option to configure a discovery account per Active Directory container. In order to discover computers in a remote forest, you need an account that has Read permissions on the containers in the remote Active Directory. Read access is all the discovery process needs, so use an ordinary domain user account in the remote forest rather than a privileged one.
- Open the Administrator console, select the Administration workspace and navigate to Hierarchy Configuration, Discovery Methods.
- Open the Active Directory System discovery properties
- Click the yellow (New) icon to add an Active Directory container.
- Since there is no trust, you cannot browse the remote directory; type the LDAP path to the container whose objects you want to discover, e.g. LDAP://DC=HQ,DC=COM, and click OK.
- Select Specify an account, click Set and enter the remote forest discovery account (the same account you configured for the forest).
- Finish the configuration; the discovery process runs on its schedule and can be monitored in adsysdis.log.
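Before relying on adsysdis.log to tell you what went wrong, it is worth checking from the site server that the discovery account can actually bind to the untrusted forest and enumerate the container you typed in. The following is an added example, not code from the original post: it resolves the remote domain controller, checks LDAP reachability, binds with explicit credentials (there is no trust, so Negotiate falls back to NTLM) and lists the computer objects AD System Discovery would return. The forest hq.com, the domain controller dc01.hq.com and the account name HQ\svc-cmdiscovery are assumptions; the LDAP path is server-qualified here only so the test does not attempt a serverless bind against the site server's own domain.

```powershell
# Added example (not part of the original post): verify the discovery account against
# the untrusted forest from the site server. Assumed values: forest hq.com,
# domain controller dc01.hq.com, account HQ\svc-cmdiscovery (all hypothetical).
function Test-CMRemoteForestDiscovery {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # assumption: dc01.hq.com
        [Parameter(Mandatory)][string]$ContainerDN,        # e.g. DC=HQ,DC=COM as typed in the console
        [Parameter(Mandatory)][pscredential]$Credential    # the remote forest discovery account
    )

    # 1. Without a trust the site server still has to resolve names in the remote
    #    forest, which normally means a conditional forwarder or stub zone for it.
    $addresses = [System.Net.Dns]::GetHostAddresses($DomainController)
    if (-not $addresses) { throw "Cannot resolve $DomainController" }

    # 2. Discovery talks LDAP (TCP 389) directly to a domain controller.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($DomainController, 389) } finally { $tcp.Close() }

    # 3. Bind with explicit credentials. AuthenticationTypes.Secure means Negotiate,
    #    which falls back to NTLM because Kerberos cannot cross a non-existent trust.
    $ldapPath = "LDAP://$DomainController/$ContainerDN"
    $root = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        $ldapPath,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure
    )
    $null = $root.NativeObject   # forces the bind; throws on bad credentials or a bad path

    # 4. Enumerate what AD System Discovery will see: computer objects below the container.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(objectCategory=computer)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500   # enable paging so large containers are returned in full
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'operatingSystem'))

    $computers = foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DnsHostName     = [string]($r.Properties['dnshostname']     | Select-Object -First 1)
            OperatingSystem = [string]($r.Properties['operatingsystem'] | Select-Object -First 1)
        }
    }
    Write-Host ("Bind OK as {0}; {1} computer object(s) under {2}" -f `
        $Credential.UserName, @($computers).Count, $ldapPath)
    $computers
}

# Usage on the site server (values are assumptions):
$cred = Get-Credential -Message 'Remote forest discovery account, e.g. HQ\svc-cmdiscovery'
Test-CMRemoteForestDiscovery -DomainController 'dc01.hq.com' -ContainerDN 'DC=HQ,DC=COM' -Credential $cred |
    Format-Table -AutoSize
```

If step 3 fails with a logon failure, the account or password is wrong or the account is not allowed to authenticate with NTLM; if it succeeds but returns no objects, the account lacks Read on that container, which is exactly what an empty discovery run would later look like. A plain domain user in the remote forest is sufficient for the bind and the enumeration, so there is no reason to grant the discovery account anything more.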
Before you start planning your client installation you need to make a decision on client approval. Approval marks a client as trusted to receive policy; by default only clients from a trusted forest are approved automatically, so a client installed in the untrusted forest will register but will not download machine policy until it is approved. You can manually approve each client, implement a PKI solution (clients that authenticate with a client certificate over HTTPS are approved automatically), or configure the site to automatically approve all clients, including those from an untrusted forest. In my example I approve all clients automatically.
- Open the Administrator console, select the Administration workspace and navigate to Site Configuration.
- Select Sites and click Hierarchy settings from the ribbon.
- Select the Client Approval and Conflicting Records tab.
- Click Automatically approve all computers (not recommended) and click OK. Keep in mind that with this setting any computer that can reach the management point and install the client with your site code is approved and receives machine policy, so weigh it against the manual approval workload before choosing it.
You can install the client using these installation methods:
- A group policy
- Startup script
- Client Push
In my example I used a client push, with these settings:
- Created a Client Push account in the remote forest
- Configured my Client Installation properties like this:
- SMSSITECODE=PS1 SMSMP=CM04.SC2012.Local FSP=CM04.SC2012.Local DNSSUFFIX=SC2012.Local
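For the group policy or startup script route, the same installation properties have to be passed to ccmsetup.exe explicitly, because a client in the untrusted forest cannot locate the management point through Active Directory publishing. The following is an added example and not the post's client push configuration: a PowerShell wrapper that checks the management point is resolvable and reachable by FQDN, launches ccmsetup with the properties the post uses, waits for the ccmsetup service to finish and then reads the assigned site and management point back from the client's own WMI. It assumes an HTTP management point on port 80 and that ccmsetup.exe has been staged locally at C:\Temp\ccmsetup.exe (a startup script running as SYSTEM in the remote forest cannot authenticate to the site server's client share, so the files are pulled over HTTP with /mp instead).

```powershell
# Added example (not the post's client push): install the ConfigMgr client on a computer
# in the untrusted forest with the post's installation properties. Assumptions: HTTP MP
# on port 80, ccmsetup.exe staged locally at C:\Temp\ccmsetup.exe.
function Install-CMClientUntrustedForest {
    param(
        [string]$SiteCode   = 'PS1',
        [string]$MP         = 'CM04.SC2012.Local',
        [string]$FSP        = 'CM04.SC2012.Local',
        [string]$DnsSuffix  = 'SC2012.Local',
        [string]$CcmSetup   = 'C:\Temp\ccmsetup.exe',   # assumption: staged locally
        [int]$MpPort        = 80,                        # assumption: HTTP management point
        [int]$TimeoutMin    = 30
    )

    # 1. The client must resolve and reach the MP by FQDN across the forest boundary;
    #    DNSSUFFIX only helps the client look up published records, it does not create a route.
    [void][System.Net.Dns]::GetHostEntry($MP)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($MP, $MpPort) } finally { $tcp.Close() }

    # 2. Launch ccmsetup. /mp: tells it where to download the client files from over HTTP;
    #    the remaining tokens are the client.msi properties from the post.
    $arguments = "/mp:$MP SMSSITECODE=$SiteCode SMSMP=$MP FSP=$FSP DNSSUFFIX=$DnsSuffix"
    Start-Process -FilePath $CcmSetup -ArgumentList $arguments -Wait

    # 3. ccmsetup.exe hands off to the ccmsetup service, so wait until no ccmsetup
    #    process remains (or the timeout passes) before checking the result.
    $deadline = (Get-Date).AddMinutes($TimeoutMin)
    while ((Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 15
    }

    # 4. Verify assignment from the client's WMI rather than trusting an exit code.
    $authority = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority -ErrorAction SilentlyContinue
    $svc       = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceRunning  = [bool]($svc -and $svc.Status -eq 'Running')
        AssignedSite    = $authority.Name                    # expected 'SMS:PS1'
        ManagementPoint = $authority.CurrentManagementPoint  # expected 'CM04.SC2012.Local'
        SetupLog        = "$env:windir\ccmsetup\Logs\ccmsetup.log"
    }
}

# Run on the remote-forest computer (as SYSTEM from a startup script, or elevated by hand):
Install-CMClientUntrustedForest
```

A client that installs cleanly but shows no assigned site is usually not a network problem but an approval one: until the site approves it (manually, by certificate, or through the automatic approval setting above) it registers and then waits for policy, and ClientLocation.log and ccmsetup.log on the client are the places to confirm which of the two it is.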
Client support in an untrusted forest
Clients in the untrusted forest will be able to download and apply machine-based policies. When content is needed, the client uses the Network Access Account to connect to the distribution point and download it, because the computer account of a machine in an untrusted forest cannot authenticate to a distribution point in the site's forest. The Network Access Account needs nothing beyond read access to the content, so make it an ordinary, low-privileged domain user in the site's forest.