Re: SMS Across 2 Forests

From: Stan White [MS] (stanwh_at_microsoft.com)
Date: 07/19/04


Date: Mon, 19 Jul 2004 09:28:13 -0700

One SLP at the central site should be fine so long as all clients can
resolve the URL to the SLP.

-- 
-- 
Stan [MSFT]
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
--
--
"matt" <matt@discussions.microsoft.com> wrote in message 
news:981509B2-9EC7-4BEC-A20D-2F970E198A54@microsoft.com...
> Hey Stan,
> Thank you for providing these details and verifying this. I will now need 
> to place a primary site server with default MP in my other forest. Will I 
> be ok with one SLP in my central site even though it exists in the other 
> forest? Thanks for your help.
>
> Thank You,
> -Matt
>
> "Stan White [MS]" wrote:
>
>> Please see comments inline
>>
>> -- 
>> -- 
>> Stan [MSFT]
>> --
>> --
>> This posting is provided "AS IS" with no warranties, and confers no 
>> rights.
>> --
>> --
>>
>> "matt" <matt@discussions.microsoft.com> wrote in message
>> news:1B6AAB8C-4B00-4594-9B33-96166B51E04D@microsoft.com...
>> > Hey Stan,
>> > Thanks for the reply but I had a few additional questions.
>> > - What kind of user account do I need to specify for the address account?
>> > A regular Domain User account?
>> You have to specify a Windows user account that can be authenticated on
>> the destination site server.  It does not matter what domain either site is
>> in as long as you can add the account being used to the local
>> SMS_SiteToSiteConnection_<SiteCode>  group on the destination site server
>> and it can be authenticated there.  Site to site communications will work
>> just fine.
>>
>> > - I have an external forest two way trust between the two forests and the
>> > forest trust is Windows 2003 interim functional level. Does this change
>> > anything?
>> It just allows you more flexibility in where the address accounts can be
>> created and authenticated. You can also create addresses to child primary
>> SMS 2.0 sites in remote domains running NT4 but the account needs to exist
>> on the remote NT4 domain or site server.
>>
>> > - In a lab environment, I mimicked my two forests with the same trust and
>> > functional level. I also created an account with the same name and password
>> > in both forests and used that as my client push installation account.
>> > Needless to say I got discovery to work for both forests and my advanced
>> > client installed. How can this be if another primary site is needed in the
>> > other forest? Could you possibly explain the reasoning for this?
>>
>> You can push to any machine if you provide an account and password the
>> machine will accept as a local admin.  In fact, although not supported until
>> SP1 you can even push to workgroup clients if the same account and password
>> exist on each machine that is specified as the client push account. When you
>> push and specify a network access account, the client uses that account to
>> download the client.msi and proceeds to install, regardless of the logged on
>> user or domain membership of the machine.  Where you get into trouble is
>> publishing and querying objects in AD for roaming/server location, site
>> assignment, etc.  You may be falling back to WINS for some of that as well.
>>
>> There is a big difference between getting the client initially installed and
>> getting proxy MPs, DPs, software distribution, content location and
>> roaming to work properly in this type of environment.
>>
>>
>> > Thanks for your assistance,
>> > -matt
>> >
>> > "Stan White [MS]" wrote:
>> >
>> >> Machine accounts cannot span forests in Windows 2000 or on Windows Server
>> >> 2003 running in 'Windows 2000 compatibility mode'.
>> >> So, yes, you will need a primary site in the other forest and will need to
>> >> specify user accounts in the addresses regardless of the security mode.
>> >> -- 
>> >> -- 
>> >> Stan [MSFT]
>> >> --
>> >> --
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >> --
>> >> --
>> >>
>> >> "matt" <matt@discussions.microsoft.com> wrote in message
>> >> news:E114CF8E-5CC1-4D2B-AAC6-86E6E9CCCB53@microsoft.com...
>> >> > Hello Everyone,
>> >> > I've read the following information in the CPDG and I need some
>> >> > clarification on it. Does the below indicate that I will need a site
>> >> > server in each of my forests (if a secondary, then an address with rights
>> >> > to the other forest, if a primary, then no address with rights to the
>> >> > other forest)? Or will I be ok without?  I did not plan my SMS site
>> >> > hierarchy based on forests, but rather network connectivity and link
>> >> > speeds. Now I've discovered there are two forests and I am concerned that
>> >> > I will need to place a primary site to support machines in the other
>> >> > forests rather than none. Can anyone help clarify this?
>> >> >
>> >> > Site-to-site communications
>> >> > Site-to-site communications have limitations across forests. A child
>> >> > primary site in one forest can attach to a parent in a different
>> >> > forest. A child secondary site cannot attach to a parent in a different
>> >> > forest. Data is sent up the hierarchy from a child primary site to its
>> >> > parent site. For site-to-site communications to work, the SMS addresses
>> >> > at the sending site must have access to the receiving site and
>> >> > vice-versa. If one or more of the forests is running in Windows 2000
>> >> > Active Directory mixed mode or if Windows Server 2003 Active Directory
>> >> > is using the interim domain functional level, you must specify user
>> >> > accounts
>> >> >
>> >>
>> >>
>> >>
>>
>>
>> 

