Re: 4 forests-domains, roaming clients, no trusts, not Internet-Ba



inline:

"Bob" <Bob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C7F6F36D-C7A3-44EC-AEA0-23FE73EF0266@xxxxxxxxxxxxxxxx
THANK YOU for your help! This is a really challenging puzzle to be figured out.

I was getting scared when I read the following, but now it appears there may be another way...

http://technet.microsoft.com/en-us/library/bb694289.aspx says:

"Windows Server 2003 and Cross Forest Site Communications
Communications across forests work in Configuration Manager 2007 if the
following conditions are met:
You are using the Windows Server 2003 family.
The forest functional level is set to Windows Server 2003.
The forests are configured with a transitive trust.
The Domain Admins group from the trusted Domain are added to the local administrators group on the Configuration Manager 2007 primary site servers spanning the trust."

How do we get the site servers to talk to each other? The Network Access Account appears to be for Client to Server communication. Or am I missing the train at the harbor? :)
cathy: If you are talking about primary site servers in different forests,
you use the Site Address account between them. If you are talking about site
systems in different forests, see the topic about the Site System
Installation Account.


The link Cathy supplied states "The Network Access account is provided for times when Configuration Manager 2007 clients from workgroups or non-trusted domains require access resources in the site server's domain."

Which seems to indicate that a client from untrusted Forest/Domain 1 can
Roam into Forest/Domain 3 and (if boundaries are configured properly?),
contact a Distribution Point in Forest/Domain 3.
cathy: yes, it is possible to roam between multiple forests within the ConfigMgr hierarchy, but you lose global roaming capability when the client can't query Active Directory. Read Example Roaming Scenarios for Configuration Manager: Simple and Example Roaming Scenarios for Configuration Manager: Complex in the doc library.

But, it also states "The Network Access account is never used to run the
program, even if it was used to access the distribution point shared
folder."

So, what account needs to be created that all non-trusted forests/domains recognize as valid to allow a client from an untrusted domain to gain access to a software package advertised on a non-trusted domain DP? (I'm thinking it would use the Site code as the locator? How else would it even know a DP is there?)
cathy: the network access account provides the network access, but it
doesn't run the program. The program always runs as either local system or
as the logged on user. See Example Package Access Scenarios.

The easiest way to find these topics is using scoped searches, as described
here
http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2007/11/07/how-to-more-easily-search-the-configuration-manager-documentation-library-online.aspx

--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
Read the Configuration Manager 2007 Documentation Library
http://technet.microsoft.com/en-us/library/bb694263.aspx
This posting is provided AS IS with no warranties and confers no rights.


Configurations like this are why I'm in IT! I really want a deep understanding of how this works to be able to implement this well. So many clients don't understand that configuration and planning is going to be a huge percentage of the time for implementation.

THANK YOU again for taking the time to help!!!

Bob
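An added illustration of Cathy's point above (this is example code, not from the original thread or from Microsoft): the Network Access Account only supplies the credentials used to reach the distribution point share from a client whose own domain has no trust with the DP's domain; whatever is then executed runs in the client's own security context (Local System or the logged-on user), never as the Network Access Account. The DP name, the package share name and the package folder are assumptions for illustration; the SMSPKGD$ share name assumes packages on the D: drive, as mentioned later in the thread.

```powershell
# Added example, not code from the original posts. Run on a client in the
# roamed-to (untrusted) forest. All names below are assumed for illustration.
$DpServer   = 'dp01.domain3.example'         # assumed DP in Forest 3 / Domain 3
$PkgShare   = "\\$DpServer\SMSPKGD$"          # assumed package share (D: drive)
$PackageDir = 'ABC00001'                      # assumed package ID folder

# The Network Access Account: an ordinary domain user in the site server's
# domain (as Kim recommends). Prompting keeps the password out of the script.
$Naa = Get-Credential -Message 'Network Access Account (DOMAIN\user)'

# 1. Reach the share with the NAA. Without a trust, the client's own machine
#    or user token cannot authenticate to this server, so explicit
#    credentials are required to read the package content.
New-PSDrive -Name Pkg -PSProvider FileSystem -Root $PkgShare `
    -Credential $Naa -ErrorAction Stop | Out-Null
Get-ChildItem "Pkg:\$PackageDir" | Select-Object Name, Length

# 2. Show who runs the program: the caller's context, not the NAA.
$runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Share accessed as : $($Naa.UserName)"
Write-Host "Program runs as   : $runAs"

# 3. Stage the content locally, then launch it. The child process inherits
#    $runAs (Local System if this script runs as a service, otherwise the
#    logged-on user); the NAA credential never becomes a process token.
$LocalDir = Join-Path $env:TEMP $PackageDir
Copy-Item "Pkg:\$PackageDir" $LocalDir -Recurse -Force
Start-Process -FilePath (Join-Path $LocalDir 'setup.exe') -Wait   # 'setup.exe' is an assumed name

Remove-PSDrive -Name Pkg
```

Run once as the logged-on user and once as Local System (for example via a scheduled task) and compare the two "Program runs as" lines: they differ, while the "Share accessed as" line stays the Network Access Account in both cases. That is the separation Cathy describes, and it is why the account needs only read access to the package share and no rights beyond a plain domain user.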




"Cathy Moya [MS]" wrote:

About the Network Access Account
http://technet.microsoft.com/en-us/library/bb680398.aspx

--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
Read the Configuration Manager 2007 Documentation Library
http://technet.microsoft.com/en-us/library/bb694263.aspx
This posting is provided AS IS with no warranties and confers no rights.


"Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote in
message news:e0zbRbYNIHA.4136@xxxxxxxxxxxxxxxxxxxxxxx
It has indeed been renamed to the Network Access account.
You don't need to create the account multiple times, it just needs to be a domain user account. People usually create a user in the domain where the site server is in.

--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

Bob wrote:
Thank you, Kim for all your hard work in helping others! I am thinking that I would need to create the same advanced client network account with the same password in each domain, then point Configmgr to it? Where do I set the account up in the Configmgr console? In doing preliminary research for this, I found this link:

http://myitforum.com/cs2/blogs/socal/archive/2007/03/12/sccm-2007-how-to-site-configuration.aspx

Which states: "Software Distribution configuration is next. This looks the same as it does in SMS 2003, you will need to specify the drive where packages are stored, the D drive in our case. And the Advanced Client Network Access Account. You may think to yourself, didn't we already do this in the Computer Client Agent, and you would be correct, in the next build the Advanced Client Network Access Account will be gone, this is just left over legacy UI."

This indicates that the Advanced Client Network Account "will be gone"
(?). I haven't been able to find it in the console under that specific
name. Is it the "Network Access Account" under Site Settings/Accounts?
Thanks again!

"Bob" wrote:

OK this is a good one, I think...

Without implementing Internet-based configuration:

I have 3 forests with 3 domains. Can I configure SCCM 2007 so that a client in Forest 1 - Domain 1 (located in Kyoto Site) who roams to Forest 3 - Domain 3 (Kentucky Site) can get updates from a DP in Domain 3? Oh, by the way, there are no Domain Trusts.
If so, in a billion words or less, how? :)

Thank you! Now stop laughing...
