Re: 4 forests-domains, roaming clients, no trusts, not Internet-Ba
- From: Bob <Bob@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 11 Dec 2007 21:53:00 -0800
I called MS presales support and discovered (after 2 hours) that the
configuration should work, and would be supported, with communication between
different Forest Primary Sites across forest boundaries without trusts,
without IBCM and without Native Mode- PKI, although there is still a huge
question mark in my opinion because Microsoft seems to have conflicting
documentation on exactly what is supported when it comes to Forest to Forest
communications. They also agreed with me that the best way to implement this
is with IBCM, which (so far) my client is not agreeable to. Thank you for the
update! I'm going to be setting up a lab with some forests and see for myself.
Bob
"Cathy Moya [MS]" wrote:
Urg. I should rephrase that. If you have Forest1/DomainA and your
distribution points are in that domain, and your clients are in
Forest2/DomainB, you would create the network access account in DomainA. The
clients in DomainB just know the name and password and use it to access the
distribution points. This would also be true if you have distribution points
in Forest1/DomainX and Forest1/DomainY. But you might have to do some
global/local/universal group things to make sure the DomainA\network access
account had permissions on the dps in X and Y. Note that having an
additional distribution point in Forest2/DomainB is not supported, because
we don't support distribution points across forest boundaries unless they
are supporting Internet-based clients.
Does that help?
--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance
Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
Read the Configuration Manager 2007 Documentation Library
http://technet.microsoft.com/en-us/library/bb694263.aspx
This posting is provided AS IS with no warranties and confers no rights.
"Bob" <Bob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:30309F18-03F9-407F-B52F-3EDEDF8F59EA@xxxxxxxxxxxxxxxx
RIF, sorry for the additional post, but I just re-read the link Cathy sent
and found this:
"This account can be created in any domain that will provide the necessary
access to resources. The Network Access account must always include a domain
name. Pass-through security is not supported for this account. If there are
multiple domains, create the account in a trusted domain."
There are NO trusted Domains in this implementation, (Although THERE SHOULD
BE... client requires that there are no trusts. I know, bad idea, but...).
I'm thinking that the only alternative to support roaming clients in
untrusted domains in this organization is Internet-Based Client Management,
(which the client is also against, go figure).
:) Still smiling through the pain... :)
"Cathy Moya [MS]" wrote:
About the Network Access Account
http://technet.microsoft.com/en-us/library/bb680398.aspx
--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance
"Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote in
message news:e0zbRbYNIHA.4136@xxxxxxxxxxxxxxxxxxxxxxx
It has indeed been renamed to the Network Access account.
You don't need to create the account multiple times, it just needs to be a
domain user account. People usually create a user in the domain where the
site server is in.
--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx
Bob wrote:
Thank you, Kim for all your hard work in helping others! I am thinking
that I would need to create the same advanced client network account with
the same password in each domain, then point Configmgr to it? Where do I
set the account up in the Configmgr console? In doing preliminary
research for this, I found this link:
http://myitforum.com/cs2/blogs/socal/archive/2007/03/12/sccm-2007-how-to-site-configuration.aspx
Which states: "Software Distribution configuration is next. This looks
the same as it does in SMS 2003, you will need to specify the drive where
packages are stored, the D drive in our case. And the Advanced Client
Network Access Account. You may think to yourself, didn't we already do
this in the Computer Client Agent, and you would be correct, in the next
build the Advanced Client Network Access Account will be gone, this is
just left over legacy UI."
This indicates that the Advanced Client Network Account "will be gone"
(?). I haven't been able to find it in the console under that specific
name. Is it the "Network Access Account" under Site Settings/Accounts?
Thanks again!
"Bob" wrote:
OK this is a good one, I think...
Without implementing Internet-based configuration:
I have 3 forests with 3 domains. Can I configure SCCM 2007 so that a
client in Forest 1 - Domain 1 (located in Kyoto Site) who roams to
Forest 3 - Domain 3 (Kentucky Site) can get updates from a DP in Domain
3? Oh, by the way, there are no Domain Trusts.
If so, in a billion words or less, how? :)
Thank you! Now stop laughing...