Cross Forest support in Configuration Manager is a topic often discussed, can be confusing, and has changed considerably with the introduction of 2012 Configuration Manager. While each environment may have its own needs based on environmental configuration, there are some ‘Hard’ technical requirements that must be followed in order to achieve cross forest management of clients, site systems, etc. Fear not, there are many supported configurations that can be used to support cross forest clients. Understanding the reasons to use a specific configuration, technical requirements for each configuration, and configuration steps should help clear up confusion around cross forest support and also arm you with the information you need to select the proper configuration for your environment.
I will be breaking this subject down into four separate blog posting.
With each of these blog postings I intend to demystify the technical requirements of cross forest communication. I will do so using a series of examples starting at what may be the most simple configuration working up to more complex configurations. For each example or scenario I will detail why you may choose the specific configuration, the configuration steps needed to achieve cross forest management, and will also include gotchas, tips, logging, etc.. As already mentioned I will be focusing on four specific scenarios throughout this series of articles.
Cross Forest Technical Requirements –
Before getting started with the cross forest examples, let’s examine the technical requirements or rules that have been put in place for the support of cross forest communication. In addition to technical limitations and rules I will include in this list a few of the items used to support cross forest client management. So think of this list as laying the ground work or terminology for the remainder of these blog postings.
Scenario 1 Simple: Cross Forest Management of Clients with no added infrastructure.
The first scenario is what I would consider the most simple (both in implementation and impact). In this scenario you may have a small group of known clients residing in a non-trusted domain. Because the clients are known there may be no need for discovery of any sort. These clients may either be well connected (network connectivity) to a cross forest distribution point, or content distribution is of no concern.
A practical example of this scenario may include a DMZ forest that contains less than ten clients. Each of these ten clients is well connected to the cross forest ConfigMgr infrastructure so network utilization between the clients and ConfigMgr MP’s / DP’s is not of concern. Because the number of clients is relatively small and no additional clients will be introduced to the environment it may also be practical to manually install the Configuration Manager agent. A lookup MP will be specified at client installation time which will handle location services.
Given this scenario, the steps needed in order to manage this small group of clients with a cross forest located 2012 Configuration Manager site are as follows –
Given this configuration, once the client has been installed, the lookup management point will be queried for the location of all available management points, one of these will be selected based on a set of criteria (subject for another post), policy will be applied to the CM client, and proper management will commence. Very simple, however also limiting in respects to automated discovery / installation, and overall management experience.
Example Information -
Client Installation with Lookup Management Point Specification – ccmsetup.exe SMSMP=TWOSYS2012CM01
After client installation the Location Service Log showing the acknowledgement of the lookup MP.
Notice that the lookup MP is referred to as SMSSLP in registry (HKLM\Software\Microsoft\CCM).
Finally in LocationServices.log we can see that the list of MP’s has been returned from the lookup MP.
Client Approval –
Be aware, the default behavior of Configuration is to only auto approve clients residing in a trusted domain. So by default, in the configuration describe in this posting, each cross forest client will require manual approval.
Example of client requiring manual approval.
This approval behavior can be changed to auto approve all clients, however this configuration is not recommended. For more information see this article – Security and Privacy for Client in Configuration Manager .
To close, there are many technical requirements that need to be taken into consideration before approaching cross-forest client management. During this initial posting of this multi-article series we have discussed the hard technical requirements that will need to be considered and have also looked at a very simple example detailing simple management of a small amount of cross forest clients. Stay tuned for the next installment of this series in which I will dig deeper into cross forest client management introducing a more complex cross forest management scenario.