Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

re: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

Ben — Fri, 19 Apr 2013 16:23:13 GMT

Neil. Thank you for the documentation. What would be your recommendations or best practice to manage the following scenario

I have 4 DMZ no trust relationship in different forest. I want to have only one site server sitting in my corporate network because it is managing three domains (trusted each other). In each DMZ I have 40 and max 270 clients. Can I manage these DMZ clients by opening ports 80/443/8351to my site server? Do I need PKI cert? If yes, how do I setup? Or do I have to put DP/MP/SUP in each DMZ? I prefer the first option to the second one. I might get new DMZ in the near feature and don’t want to add MP\DP for each DMZ created.

Thank you

Ben

re: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

Phil Crawford — Tue, 02 Apr 2013 01:20:56 GMT

Neil,

What is missing from both the Cross-Forest planning document and from the above example, is the requirement for the site server which is doing discovery to be able to communicate directly to the DCs in the untrusted forest using LDAP. I have been fighting my security team over this. It appears to need both UDP in both directions and TCP with DC-end at 389 plus, in our environment, 49155.

It would be really nice if I could get this documented at Microsoft. (I have 2 untrusted forests to manage for servers. No problem with discovery on Test but blocked on Dev.)

It would have been so much simpler for myself had there been discovery VIA the MP/DP server on the domain. ? an extra Communication Point role for this purpose??

re: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

Joachim83 — Mon, 25 Mar 2013 23:32:30 GMT

Thanks for the quick reply. I started a topic of this issue where you can find some more detailed information if you are interested: www.windows-noob.com/.../index.php

I though it was caused by a 2012 forest functional level, but when I reinstalled and made all forests and domains 2008R2 level, the same error message appears on two different untrusted domains I created.

re: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

Neil Peterson — Sat, 23 Mar 2013 19:56:52 GMT

Sorry Joachim - I've tried to replicate the issue in my lab by fudging both the connection account and the target LDAP path, but neither produce the same error. Doing some quick research on E_ADS_CANT_CONCERT_DATATYPE produces several results but nothing that stick out. I would consider opening up a case on this if you cannot get yourself get it resolved.

thanks.

neilp

re: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

Joachim83 — Sat, 23 Mar 2013 17:52:23 GMT

Hi, I followed this guide and added a untrusted 2012 forest, but and all connection tests are successful, However when I run the the discovery jobs they all give the samme error:

Active Directory System Discovery Agent failed to bind to container LDAP://DC=VESSEL1,DC=LOCAL. Error: E_ADS_CANT_CONVERT_DATATYPE.

Any idea what the problem is?

re: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

Phil Crawford — Fri, 01 Mar 2013 03:23:15 GMT

Great Info. But, what about connection requirements for LDAP to non-trusted forest. Specifically, does the site server in this scenario need LDAP connectivity, including high ports, to the DC's of the non-trusted forest?

Info in this article is being used to design our multi-forest implementation.

re: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

Bryan Nettles — Tue, 05 Feb 2013 17:21:55 GMT

-edit- Will be using this article to help plan a deployment in my environment.

re: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

Bryan Nettles — Tue, 05 Feb 2013 17:21:28 GMT

Great info. Will be using to plan a deployment in my environment.