FSiglmueller Posted January 19

Hi everybody. I need to know how to add a second forest to my MEMCM environment. What type of AD trust is required? What do I have to do within a trusted and also in an untrusted forest? Does anybody have a guide for me on how to do it? Do I need to extend the AD schema in the second forest? What firewall ports do I have to open? What do I have to do in addition in MEMCM or somewhere else?

Thanks in advance
Regards
Flo
anyweb Posted January 20

Start here: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/communications-between-endpoints#bkmk_noforesttrust

If you can't find what you need, please explain what is missing.
FSiglmueller Posted January 20

Hi. Thanks for the link. I just need to know in addition, if I have a trust between the 2 forests, where I have to place a Distribution Point for the clients from the second forest. Must it be in the second forest, or can it also be in the primary forest?

Thanks in advance
anyweb Posted January 21

If the other forest is untrusted:

Install site system roles in that untrusted forest, with the option to publish site information to that Active Directory forest. To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even when the site server initiates the transfer of data.

When a two-way forest trust exists, Configuration Manager doesn't require any additional configuration steps.
FSiglmueller Posted January 22

Hi, thanks for your answer. Yesterday I got the information that we have to use the untrusted method. Do I need more than a DP role in the remote forest (we want a special DP for those clients, or can we put that DP in the local forest? If I understood the information from Microsoft correctly, then it is not possible, right?)? Do you have a good guide or hands-on to fulfill the requirements? Something like your guide for the PKI implementation.

Thanks in advance
anyweb Posted January 22

I think this covers it..

Primary sites support the installation of site system roles on computers in remote forests. When a site system role accepts connections from the internet, as a security best practice, install the site system roles in a location where the forest boundary provides protection for the site server (for example, in a perimeter network).

To install a site system role on a computer in an untrusted forest:

- Specify a Site System Installation Account, which the site uses to install the site system role. (This account must have local administrative credentials to connect to.) Then install site system roles on the specified computer.
- Select the site system option Require the site server to initiate connections to this site system. This setting requires the site server to establish connections to the site system server to transfer data. This configuration prevents the computer in the untrusted location from initiating contact with the site server that's inside your trusted network. These connections use the Site System Installation Account.

To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even when the site server initiates the transfer of data.

Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must allow applicable traffic from the untrusted forest to the site's SQL Server:

- Asset Intelligence synchronization point
- Endpoint Protection point
- Enrollment point
- Management point
- Reporting service point
- State migration point

For more information, see Ports used in Configuration Manager.
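As an added example (not code from this thread or from Microsoft), the PowerShell below is a connectivity check you would run from the site server before and after the firewall change, to confirm that the site-server-initiated traffic to a DP in the untrusted forest actually passes. It assumes the standard DP ports (SMB 445 and RPC endpoint mapper 135 from the site server to the DP; HTTP 80 and HTTPS 443 from clients to the DP), that `Test-NetConnection` is available (Windows 8 / Server 2012 and later), and uses a placeholder hostname. A DP is not in the list of roles that need the site database, so no DP-to-SQL rule is tested here.

```powershell
# Added example (not from the thread or the Microsoft docs): verify from the
# site server that the firewall allows the traffic the site server initiates
# towards a distribution point in an untrusted forest, plus the client-facing
# DP ports. The hostname is a placeholder; replace it with your own DP.

$RemoteDp = 'dp01.untrusted.example'   # placeholder: DP in the untrusted forest

# Site server -> DP: SMB for content transfer and the RPC endpoint mapper.
# Dynamic RPC ports above 135 are not covered by a single TCP probe.
# Clients -> DP: HTTP/HTTPS for content and SMB for package shares.
$Checks = @(
    @{ Target = $RemoteDp; Port = 445; Purpose = 'SMB (site server -> DP content; clients -> package share)' }
    @{ Target = $RemoteDp; Port = 135; Purpose = 'RPC endpoint mapper (site server -> DP)' }
    @{ Target = $RemoteDp; Port = 80;  Purpose = 'HTTP (clients -> DP)' }
    @{ Target = $RemoteDp; Port = 443; Purpose = 'HTTPS (clients -> DP)' }
)

$Results = foreach ($c in $Checks) {
    # A TCP connect test only; it does not authenticate against the DP.
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target    = $c.Target
        Port      = $c.Port
        Purpose   = $c.Purpose
        Reachable = $r.TcpTestSucceeded
    }
}

$Results | Format-Table -AutoSize

# Exit non-zero when anything is blocked, so the script can gate a change
# window or run as a scheduled check that alerts on regressions.
$Blocked = $Results | Where-Object { -not $_.Reachable }
if ($Blocked) {
    $list = ($Blocked | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '
    Write-Warning "Blocked ports: $list"
    exit 1
}
```

Run it on the site server (the side that initiates the connection under the "Require the site server to initiate connections" setting); the client-facing 80/443 rows only show that the site server's path is open, so repeat those two from a client subnet in the untrusted forest to validate the boundary group path as well.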
FSiglmueller Posted January 22

Hi, that means I can install the Distribution Point in the primary forest and only define in the boundary group that the clients from the untrusted remote forest use the DP from the primary forest, right?

Thanks in advance
anyweb Posted January 23

That's not how I read it. I interpret the docs mentioned above as: you need to install the DP role on a computer in the untrusted forest, and open ports to allow for communication back to the trusted forest.