Re: 4 forests-domains, roaming clients, no trusts, not Internet-Ba
- From: "Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com">
- Date: Wed, 12 Dec 2007 11:39:04 +0100
From what I know, what is supported cross-forest without trusts:
1) Primary site to primary site communication
2) Client to Site system communication
What isn't supported:
3) Secondary site to primary site communication
4) Site system to site server communication
The only potential ambiguity that exists is the branch distribution point in item 4).
--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx
Bob wrote:
I called MS presales support and discovered (after 2 hours) that the configuration should work, and would be supported, with communication between different Forest Primary Sites across forest boundaries without trusts, without IBCM and without Native Mode- PKI, although there is still a huge question mark in my opinion because Microsoft seems to have conflicting documentation on exactly what is supported when it comes to Forest to Forest communications. They also agreed with me that the best way to implement this is with IBCM, which (so far) my client is not agreeable to. Thank you for the update! I'm going to be setting up a lab with some forests and see for myself..
Bob
"Cathy Moya [MS]" wrote:
Urg. I should rephrase that. If you have Forest1/DomainA and your distribution points are in that domain, and your clients are in Forest2/DomainB, you would create the network access account in DomainA. The clients in DomainB just know the name and password and use it to access the distribution points. This would also be true if you have distribution points in Forest1/DomainX and Forest1/DomainY. But you might have to do some global/local/universal group things to make sure the DomainA\network access account had permissions on the DPs in X and Y. Note that having an additional distribution point in Forest2/DomainB is not supported, because we don't support distribution points across forest boundaries unless they are supporting Internet-based clients.
Does that help?
--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance
Check out the SMS Technical FAQ: http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
Read the Configuration Manager 2007 Documentation Library http://technet.microsoft.com/en-us/library/bb694263.aspx
This posting is provided AS IS with no warranties and confers no rights.
"Bob" <Bob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:30309F18-03F9-407F-B52F-3EDEDF8F59EA@xxxxxxxxxxxxxxxx
RIF, sorry for the additional post, but I just re-read the link Cathy sent
and found this:
"This account can be created in any domain that will provide the necessary
access to resources. The Network Access account must always include a domain
name. Pass-through security is not supported for this account. If there are
multiple domains, create the account in a trusted domain.
"
There are NO trusted Domains in this implementation, (Although THERE SHOULD
BE... client requires that there are no trusts. I know, bad idea, but...).
I'm thinking that the only alternative to support roaming clients in
untrusted domains in this organization is Internet-Based Client Management,
(which the client is also against, go figure).
:) Still smiling through the pain... :)
"Cathy Moya [MS]" wrote:
About the Network Access Account
http://technet.microsoft.com/en-us/library/bb680398.aspx
--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance
Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
Read the Configuration Manager 2007 Documentation Library
http://technet.microsoft.com/en-us/library/bb694263.aspx
This posting is provided AS IS with no warranties and confers no rights.
"Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote in
message news:e0zbRbYNIHA.4136@xxxxxxxxxxxxxxxxxxxxxxx
It has indeed been renamed to the Network Access account.
You don't need to create the account multiple times, it just needs to be a
domain user account. People usually create a user in the domain where the
site server is in.
--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx
Bob wrote:
Thank you, Kim, for all your hard work in helping others! I am thinking
that I would need to create the same advanced client network account with
the same password in each domain, then point Configmgr to it? Where do I
set the account up in the Configmgr console? In doing preliminary
research for this, I found this link:
http://myitforum.com/cs2/blogs/socal/archive/2007/03/12/sccm-2007-how-to-site-configuration.aspx
Which states: "Software Distribution configuration is next. This looks
the same as it does in SMS 2003, you will need to specify the drive where
packages are stored, the D drive in our case. And the Advanced Client
Network Access Account. You may think to yourself, didn't we already do
this in the Computer Client Agent, and you would be correct, in the next
build the Advanced Client Network Access Account will be gone, this is
just left over legacy UI. "
This indicates that the Advanced Client Network Account "will be gone"
(?). I haven't been able to find it in the console under that specific
name. Is it the "Network Access Account" under Site Settings/Accounts?
Thanks again!
"Bob" wrote:
OK this is a good one, I think...
Without implementing Internet-based configuration:
I have 3 forests with 3 domains. Can I configure SCCM 2007 so that a
client in Forest 1 - Domain 1 (located in Kyoto Site) who roams to
Forest 3 - Domain 3 (Kentucky Site) can get updates from a DP in Domain
3? Oh, by the way, there are no Domain Trusts.
If so, in a billion words or less, how? :)
Thank you! Now stop laughing...