Re: 4 forests-domains, roaming clients, no trusts, not Internet-Ba



What Kim says. Though regarding #4, Wally and Cheng and I went around on
this a few times. The answer is, if you have a branch distribution point in
a forest other than the site server's forest, it would probably work, but it
is not a tested scenario and therefore would not be supported if you have
problems.

If you are hearing conflicting statements from anyone at Microsoft, please
direct them to this page:
http://technet.microsoft.com/en-us/library/bb694003.aspx
and if they have a problem with it, tell them to write to the UA team at
smsdocs@xxxxxxxxxxxxx and we'll work with them to address the confusion.

--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
Read the Configuration Manager 2007 Documentation Library
http://technet.microsoft.com/en-us/library/bb694263.aspx
This posting is provided AS IS with no warranties and confers no rights.


"Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote in
message news:%23Ojr%23sKPIHA.4136@xxxxxxxxxxxxxxxxxxxxxxx

From what I know, what is supported cross-forest without trusts:
1) Primary site to primary site communication
2) Client to site system communication

What isn't supported:
3) Secondary site to primary site communication
4) Site system to site server communication.

The only potential ambiguity that exists is the branch distribution point
in item 4)
--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

Bob wrote:
I called MS presales support and discovered (after 2 hours) that the
configuration should work, and would be supported, with communication
between different Forest Primary Sites across forest boundaries without
trusts, without IBCM and without Native Mode- PKI, although there is
still a huge question mark in my opinion because Microsoft seems to have
conflicting documentation on exactly what is supported when it comes to
Forest to Forest communications. They also agreed with me that the best
way to implement this is with IBCM, which (so far) my client is not
agreeable to. Thank you for the update! I'm going to be setting up a lab
with some forests and see for myself.

Bob

"Cathy Moya [MS]" wrote:

Urg. I should rephrase that. If you have Forest1/DomainA and your
distribution points are in that domain, and your clients are in
Forest2/DomainB, you would create the network access account in DomainA.
The clients in DomainB just know the name and password and use it to
access the distribution points. This would also be true if you have
distribution points in Forest1/DomainX and Forest1/DomainY. But you
might have to do some global/local/universal group things to make sure
the DomainA\network access account had permissions on the dps in X and
Y. Note that having an additional distribution point in Forest2/DomainB
is not supported, because we don't support distribution points across
forest boundaries unless they are supporting Internet-based clients.

Does that help?

--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
Read the Configuration Manager 2007 Documentation Library
http://technet.microsoft.com/en-us/library/bb694263.aspx
This posting is provided AS IS with no warranties and confers no rights.
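A way to check Cathy's point in practice, added here as an example and not code from the thread or from Microsoft: from a machine in the untrusted forest, connect to a distribution point's package share using only the Network Access Account's name and password (no pass-through), confirm the account can list the package folders, and flag any direct grant to the account beyond read. The DP host name, the account name and the share name are placeholders; `SMSPKGD$` is assumed to be the package share for packages stored on drive D.

```powershell
# Added example, not code from the thread. Verifies that the Network Access Account
# (created in DomainA) can read a DP package share from a host in an untrusted forest,
# using explicit credentials only. Every name below is a placeholder.
param(
    [string]$DistributionPoint = 'dp01.domainx.forest1.example',  # placeholder DP host
    [string]$Share             = 'SMSPKGD$',        # assumed share for packages on drive D
    [string]$NaaUser           = 'DOMAINA\sms_naa'  # placeholder Network Access Account
)

$cred = Get-Credential -UserName $NaaUser -Message 'Network Access Account password'
$unc  = "\\$DistributionPoint\$Share"

# Explicit credentials are the whole point: the client's own token cannot be passed
# through to DomainA, so the NAA name and password are all a roaming client can use.
try {
    New-PSDrive -Name NAA -PSProvider FileSystem -Root $unc -Credential $cred -ErrorAction Stop | Out-Null
}
catch {
    Write-Warning ("Cannot reach {0} as {1}: {2}" -f $unc, $NaaUser, $_.Exception.Message)
    return
}

try {
    # Read test: listing the package folders is what a client needs to do.
    $folders = Get-ChildItem -Path 'NAA:\' -Directory -ErrorAction Stop
    Write-Output ("Read OK: {0} package folder(s) visible on {1}" -f $folders.Count, $unc)

    # Least-privilege check on the NTFS ACL for entries that name the NAA directly.
    # Grants that arrive through the global/domain-local group chain Cathy mentions
    # appear under the group's name, so they are not matched here.
    $naaName = ($NaaUser -split '\\')[-1]
    $acl = Get-Acl -Path 'NAA:\'
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notlike "*$naaName*") { continue }
        $rights = $ace.FileSystemRights.ToString()
        if ($rights -match 'Write|Modify|FullControl') {
            Write-Warning ("{0} has {1} on {2}; read access is all the NAA needs" -f $ace.IdentityReference, $rights, $unc)
        }
        else {
            Write-Output ("{0}: {1}" -f $ace.IdentityReference, $rights)
        }
    }
}
finally {
    Remove-PSDrive -Name NAA -Force
}
```

Run it from a client in Forest2/DomainB; a failure at the `New-PSDrive` step means the account, its password, or the share permissions are wrong, while a failure at `Get-ChildItem` means the connection works but the NTFS ACL on the package folder does not grant the account read access.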

"Bob" <Bob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:30309F18-03F9-407F-B52F-3EDEDF8F59EA@xxxxxxxxxxxxxxxx
RIF, sorry for the additional post, but I just re-read the link Cathy sent
and found this:

"This account can be created in any domain that will provide the necessary
access to resources. The Network Access account must always include a domain
name. Pass-through security is not supported for this account. If there are
multiple domains, create the account in a trusted domain."

There are NO trusted Domains in this implementation (although THERE SHOULD
BE... client requires that there are no trusts. I know, bad idea, but...).

I'm thinking that the only alternative to support roaming clients in
untrusted domains in this organization is Internet-Based Client Management
(which the client is also against, go figure).

:) Still smiling through the pain... :)

"Cathy Moya [MS]" wrote:

About the Network Access Account
http://technet.microsoft.com/en-us/library/bb680398.aspx

--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Management & Solutions Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
Read the Configuration Manager 2007 Documentation Library
http://technet.microsoft.com/en-us/library/bb694263.aspx
This posting is provided AS IS with no warranties and confers no rights.


"Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote in
message news:e0zbRbYNIHA.4136@xxxxxxxxxxxxxxxxxxxxxxx
It has indeed been renamed to the Network Access account.
You don't need to create the account multiple times, it just needs to be a
domain user account. People usually create a user in the domain where the
site server is.

--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

Bob wrote:
Thank you, Kim, for all your hard work in helping others! I am thinking
that I would need to create the same advanced client network account with
the same password in each domain, then point ConfigMgr to it? Where do I
set the account up in the ConfigMgr console? In doing preliminary
research for this, I found this link:

http://myitforum.com/cs2/blogs/socal/archive/2007/03/12/sccm-2007-how-to-site-configuration.aspx

Which states: "Software Distribution configuration is next. This looks
the same as it does in SMS 2003, you will need to specify the drive where
packages are stored, the D drive in our case. And the Advanced Client
Network Access Account. You may think to yourself, didn't we already do
this in the Computer Client Agent, and you would be correct, in the next
build the Advanced Client Network Access Account will be gone, this is
just left over legacy UI."

This indicates that the Advanced Client Network Account "will be gone"
(?). I haven't been able to find it in the console under that specific
name. Is it the "Network Access Account" under Site Settings/Accounts?
Thanks again!

"Bob" wrote:

OK this is a good one, I think...

Without implementing Internet-based configuration:

I have 3 forests with 3 domains. Can I configure SCCM 2007 so that a
client in Forest 1 - Domain 1 (located in Kyoto Site) who roams to
Forest 3 - Domain 3 (Kentucky Site) can get updates from a DP in Domain
3? Oh, by the way, there are no Domain Trusts.
If so, in a billion words or less, how? :)

Thank you! Now stop laughing...