Cross-Forest Communications Between Configuration Manager Sites

Data is sent between sites in a Configuration Manager 2007 hierarchy to enable central administration within a distributed model. For example, advertisements and packages flow down from a primary site to a child primary site, and inventory data from child primary sites are sent up to the central primary site. This information is sent between site servers in the hierarchy when the site communicates with a parent or child site. Data sent between sites is signed by default, and because sites in different Active Directory forests cannot automatically retrieve keys from Active Directory Domain Services, manual key exchange using the hierarchy maintenance tool (Preinst.exe) is required to configure intersite communication.

When one or more primary sites in the Configuration Manager 2007 site hierarchy are located within different Active Directory forests, an Active Directory forest trust is not required to enable site-to-site communication as long as domain user accounts are properly configured in the sender address properties for each site. If you do not configure domain user accounts as site address accounts in the sender address properties of each site, the site server computer accounts will be used. If the site server computer accounts are used as the site address accounts, all Active Directory forests must be configured for the Windows Server 2003 forest functional level and have a two-way trust to enable site-to-site communication to succeed.


Configuration Manager primary sites can be configured to span multiple Active Directory forests. It is not supported to install secondary sites in a remote Active Directory forest from their parent primary site. It is supported for a Configuration Manager 2007 site hierarchy to have primary sites or clients in a remote Active Directory forest.