ImaNewb Posted February 15, 2022

SCCM Client Management: 2 separate domains with two-way trust

I am trying to manage a 2nd domain, a separate forest with a two-way domain trust, but I cannot install the SCCM Client.

Setup:

Domain A (SCCM Server, etc.)
- PKI CA configuration
- SCCM CB with HTTPS communication

Domain B:
- Handful of workstations and 4 Servers
- No CA in the domain

Domain A is working fine and has been for over a year.

- We set up a two-way trust with Domain B.
- Added DNS secondary zones between both domains.
- Established site-to-site VPN and routing. I can ping and RDP to either domain from either domain.
- Added Domain A SCCM service accounts to a security group on Domain B for the necessary permissions to manage the client.
- Extended the schema on Domain B and imported the PKI CA from Domain A into Domain B for a cross-forest PKI implementation (AD CS: Deploying Cross-forest Certificate Enrollment | Microsoft Docs).
- Added Domain B into the hierarchy configuration on SCCM; I can see users and computers imported from AD on Domain B.

I push the client install to a couple of machines for testing but they fail.
CCMSetup Error Snippet:

Sending message body '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1"> <AssignedSite SiteCode="111"/> <ClientPackage RequestForLatest="0" DeploymentFlags="4098"/> <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0"> <ADSite Name="Domain.B"/> <Forest Name="Domain.B"/> <Domain Name="Domain.B"/> <IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters> </ClientLocationInfo> </ContentLocationRequest> ' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending location request to 'SCCM.Domain.A' with payload '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1"> <AssignedSite SiteCode="111"/> <ClientPackage RequestForLatest="0" DeploymentFlags="4098"/> <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0"> <ADSite Name="Domain.B"/> <Forest Name="Domain.B"/> <Domain Name="Domain.B"/> <IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters> </ClientLocationInfo> </ContentLocationRequest> ' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070002. Defaulting to state of 480. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
MapNLMCostDataToCCMCost() returning Cost 0x1 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to connect to machine policy namespace. 0x8004100e ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is on internet ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is set to use webproxy if available. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[CCMHTTP] ERROR: URL=https://SCCM.Domain.A/ccm_system/request, Port=0, Options=480, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[CCMHTTP] ERROR INFO: StatusCode=200 StatusText= ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed (0x87d00454) to send location request to 'SCCM.Domain.A'. StatusCode 200, StatusText '' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to send location message to 'HTTPS://SCCM.Domain.A'. Status text '' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
GetDPLocations failed with error 0x87d00454 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to get DP locations as the expected version from MP 'HTTPS://SCCM.Domain.A'. Error 0x87d00454 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending state '101'... ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to get client version for sending state messages. Error 0x8004100e ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[] Params to send '5.0.9068.1008 Deployment Error: 0x0, ' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending Fallback Status Point message to 'SCCM.Domain.A', STATEID='101'. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
<ClientDeploymentMessage ErrorCode="0"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage> ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
State message with TopicType 800 and TopicId {7E7B1ABB-69EC-477A-B8AE-C55E383EBE6D} has been sent to the FSP FSPStateMessage 2/14/2022 5:46:48 PM 12672 (0x3180)

I know it is a cert issue at this point, but I am lost on what else I would need to do to get this fixed. Should I create/deploy a CA in Domain B? But then that brings me to the issue of how to add that cert into SCCM without hijacking the Domain A cert.... Any guidance is greatly appreciated!
ImaNewb Posted February 21, 2022

Anyone?
Vavamoose Posted April 16

Any updates on how you achieved this?
Henchman21 Posted September 19 (edited)

Create a cert template from an existing working template from your CA and name it "XXXXX.INF" on the CA. Copy it to the server that needs the cert. SAVE IT WITH THE SERVER NAME. MAKE SURE IT'S AN .INF FILE.

Create the REQ from the INF on the local server:

1. Open the INF file. The template has "XXXXXX" for the server name; replace it with the name of the server you are working on.
2. Open CMD as admin and navigate to where you put the XXXXX.INF. Example:
   CMD.exe --> C:\temp\Certificate>certreq -new yourservername.inf yourservername.req
3. Copy the XXXXX.req file to your Primary CA; now you want to submit a new request.
4. Open the Certification Authority console: click Start, type in CA, and Certificate Authority should appear; "Run as Admin".
5. Right-click the CA → All Tasks > Submit a new request.
6. Select the XXXXX.req file and save the result as a .CER file, e.g. XXXXX.cer.
7. Now copy the XXXXX.cer file back to the server that needs it, and import it to the Computer\Personal store.
8. Try running your ccmsetup.exe /install /mp blah blah blah

I would try to get networks to open up ports to the CA from all subnets in that domain, and the ports that SCCM needs to communicate with.
Ports needed:

Port                               Source                                 Destination                            Action
Kerberos 464                       Certificate Enrollment Web Services    Domain Controllers (DC)                Allow
LDAP 389 (tcp/389)                 Certificate Enrollment Web Services    Domain Controllers (DC)                Allow
LDAP 636 (tcp/636)                 Certificate Enrollment Web Services    Domain Controllers (DC)                Allow
DCOM/RPC, random port above 1023   Certificate Enrollment Web Services    CA                                     Allow
HTTPS 443                          All clients requesting certs           Certificate Enrollment Web Services    Allow

Please see for details on RPC/DCOM configuration: http://support.microsoft.com/kb/154596/en-us

CERT INF Example Below:

[Version]
Signature="$Windows NT$"

[NewRequest]
; CN needs the hostname (no FQDN) of the server you need; L is the city, S is the state
Subject = "CN=XXXXX, OU=XXX, O=XXX, L=CITY, S=STATE, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; Digital Signature (0x80) + Key Encipherment (0x20)

[Extensions]
; Subject Alternative Name: needs the FQDN
2.5.29.17 = "{text}"
_continue_ = "dns=XXXXX.company.com"
; Enhanced Key Usage
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.5.5.7.3.2" ; Client Authentication

[RequestAttributes]
CertificateTemplate = ConfigMgrClientCertificate
; 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
DisableExtensionsList = "2.5.29.31,1.3.6.1.5.5.7.1.1"

Hope this helps!

Edited September 19 by Henchman21
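As an added check that is not part of Henchman21's post: once the .cer is imported, this PowerShell lists every certificate in Cert:\LocalMachine\My (the Computer\Personal store) and reports whether it satisfies what ccmsetup needs for HTTPS client authentication: a private key, the Client Authentication EKU 1.3.6.1.5.5.7.3.2, a subject CN or SAN matching this machine, a valid date range, and a chain that builds to a trusted root. The function name Test-CcmClientCert is chosen here, and the script assumes it runs elevated on the Domain B machine being enrolled.

```powershell
# Added example, not from the post: score each machine cert against what ccmsetup
# needs for HTTPS client auth. Test-CcmClientCert is a name chosen for this example.
function Test-CcmClientCert {
    param(
        # Defaults to this machine's FQDN; pass a value to test on behalf of another name.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $hostName      = $Fqdn.Split('.')[0]
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'                      # id-kp-clientAuth, as in the INF
    $subjectRegex  = 'CN=' + [regex]::Escape($hostName) + '(,|$)'
    $now           = Get-Date

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {   # Computer\Personal store
        # .NET types OID 2.5.29.37 as X509EnhancedKeyUsageExtension, so the OIDs are enumerable.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasClientAuth = $false
        if ($eku) { $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }) }

        # SAN (2.5.29.17) is a generic extension; Format() renders it as "DNS Name=host.fqdn".
        $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $nameOk  = ($cert.Subject -match $subjectRegex) -or ($sanText -match [regex]::Escape($Fqdn))

        # Build the chain with revocation checking off: a CRL that is unreachable across
        # the VPN would otherwise be indistinguishable from a missing root or intermediate.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $inDate  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = $hasClientAuth
            NameMatches   = $nameOk
            InDate        = $inDate
            ChainBuilds   = $chainOk
            ChainStatus   = $status
            Usable        = $cert.HasPrivateKey -and $hasClientAuth -and $nameOk -and $inDate -and $chainOk
        }
    }
}

# If no row shows Usable = True, the machine has nothing ccmsetup can present, which is
# what the CCM_E_NO_CLIENT_PKI_CERT line in the log above reports.
Test-CcmClientCert | Format-Table Subject, HasPrivateKey, ClientAuthEKU, NameMatches, InDate, ChainBuilds, ChainStatus, Usable -AutoSize
```

A row with ChainBuilds = False and a ChainStatus of UntrustedRoot or PartialChain points at the cross-forest root/intermediate import rather than at the request itself.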