
Hi Everybody.

I need to know how to add a second forest to my MEMCM environment.

What type of AD Trust is required? What I have to do within a trusted and also in an untrusted forest ?

Has anybody a guide for me how to do it?

Do I Need to extend the AD scheme in the second forest?

What Firewall Ports do I have to Open ?

What I have to do in addition in MEMCM or somewhere else?

Thanks in advance

Regards

Flo


Hi.

Thanks for the Link.

I just need to know in addition if I have a trust between the 2 forests where I had to place a Distribution Point for the clients from the second forest.

Must it be in the second forest or can it be also in the Primary forest ?

Thanks in advance


If the other forest is untrusted:

Install site system roles in that untrusted forest, with the option to publish site information to that Active Directory forest

To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even when the site server initiates the transfer of data.

When a two-way forest trust exists, Configuration Manager doesn't require any additional configuration steps.


Hi,

Thanks for your answer. Yesterday I got the information that we have to use the untrusted method.
Do I need more than a DP role in the remote forest (we want a special DP for those clients - or can we put that DP in the local forest? If I understood the information from Microsoft correctly, then that is not possible, right?)?

Do you have a good guide or hands-on to fulfil the requirements? Something like your guide for the PKI implementation.

Thanks in advance


I think this covers it...

Primary sites support the installation of site system roles on computers in remote forests.

  • When a site system role accepts connections from the internet, as a security best practice, install the site system roles in a location where the forest boundary provides protection for the site server (for example, in a perimeter network).

To install a site system role on a computer in an untrusted forest:

  • Specify a Site System Installation Account, which the site uses to install the site system role. (This account must have local administrative credentials to connect to.) Then install site system roles on the specified computer.

  • Select the site system option Require the site server to initiate connections to this site system. This setting requires the site server to establish connections to the site system server to transfer data. This configuration prevents the computer in the untrusted location from initiating contact with the site server that's inside your trusted network. These connections use the Site System Installation Account.

To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even when the site server initiates the transfer of data.

Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must allow applicable traffic from the untrusted forest to the site's SQL Server:

  • Asset Intelligence synchronization point

  • Endpoint Protection point

  • Enrollment point

  • Management point

  • Reporting service point

  • State migration point

For more information, see Ports used in Configuration Manager.

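An added example, not from the thread or from Microsoft's documentation, of what the "Require the site server to initiate connections to this site system" setting means on the firewall side: Windows Firewall rules on a DP in the untrusted forest that admit management traffic only from the trusted-forest site server, plus client content traffic. The site server address, client subnet and port numbers are assumptions taken from the general Configuration Manager port list the post refers to; check them against that page before applying anything.

```powershell
# Added example, run on the DP in the untrusted forest.
# Assumptions (verify against "Ports used in Configuration Manager"):
#   - $SiteServer is the trusted-forest site server, which initiates all
#     management traffic because "Require the site server to initiate
#     connections to this site system" is selected for this DP.
#   - Site server -> site system: SMB (TCP 445) and RPC (TCP 135 plus the
#     dynamic RPC range). Clients -> DP: HTTP/HTTPS (TCP 80/443).
$SiteServer   = '10.0.0.10'      # placeholder: trusted-forest site server
$ClientSubnet = '10.20.0.0/16'   # placeholder: untrusted-forest clients

# Inbound: only the site server may reach SMB and RPC on this DP.
New-NetFirewallRule -DisplayName 'ConfigMgr DP - SMB from site server' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $SiteServer -Action Allow -Profile Any

New-NetFirewallRule -DisplayName 'ConfigMgr DP - RPC endpoint mapper from site server' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $SiteServer -Action Allow -Profile Any

# 'RPC' is the built-in keyword for the dynamic RPC port range.
New-NetFirewallRule -DisplayName 'ConfigMgr DP - dynamic RPC from site server' `
    -Direction Inbound -Protocol TCP -LocalPort RPC `
    -RemoteAddress $SiteServer -Action Allow -Profile Any

# Inbound: clients in the untrusted forest fetch content over HTTP/HTTPS.
New-NetFirewallRule -DisplayName 'ConfigMgr DP - client content' `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -RemoteAddress $ClientSubnet -Action Allow -Profile Any

# Verification of the intended direction. From the site server, the DP's
# SMB port must be reachable:
#   Test-NetConnection -ComputerName <dp-fqdn> -Port 445
# From the DP, the reverse path into the trusted network is not required
# by this design, so the perimeter firewall should report it closed:
Test-NetConnection -ComputerName $SiteServer -Port 445 -InformationLevel Quiet
```

If the last command returns True, the perimeter firewall is allowing the untrusted-forest host to reach the site server, which the site-server-initiated design is meant to avoid.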

That's not how I read it. I interpret the docs mentioned above as: you need to install the DP role on a computer in the untrusted forest, and open ports to allow for communication back to the trusted forest.
