Jump to content


Recommended Posts

0 Votes"0
blacksuit07 asked  14 hours ago | blacksuit07 edited  0 secs ago
Actions

SCCM Client Management 2 separate domains with two-way trust

I am trying to manage a 2nd domain, separate forest with two-way domain trust but I cannot install the SCCM Client.

Setup:
Domain A (SCCM Server, etc.)
PKI CA configuration
SCCM CB with HTTPS communication

Domain B:
Handful of workstations and 4 Servers
No CA in the domain

Domain A is working fine and has been for over a year.

We setup a two-way trust with Domain B
Added DNS secondary zones between both domains
Established site to site VPN and routing. I can ping and RDP to either domain from either domain.
Added Domain A SCCM Service accounts to a security group on Domain B for necessary permissions to manage the client.
Extended the Schema on Domain B and imported the PKI CA from Domain A into Domain B for Cross-Forest PKI implementation. (AD CS: Deploying Cross-forest Certificate Enrollment | Microsoft Docs)
Added Domain B into the Hierarchy configuration on SCCM, I can see users and computers imported from AD on Domain B
I push client install to a couple of machines for testing but they fail.

CCMSetup Error Snippet:

Sending message body '<ContentLocationRequest SchemaVersion="1.00"  BGRVersion="1">
  <AssignedSite SiteCode="111"/>
  <ClientPackage RequestForLatest="0" DeploymentFlags="4098"/>
  <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">
    <ADSite Name="Domain.B"/>
    <Forest Name="Domain.B"/>
    <Domain Name="Domain.B"/>
<IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters>  </ClientLocationInfo>
</ContentLocationRequest>
'	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Sending location request to 'SCCM.Domain.A' with payload '<ContentLocationRequest SchemaVersion="1.00"  BGRVersion="1">
  <AssignedSite SiteCode="111"/>
  <ClientPackage RequestForLatest="0" DeploymentFlags="4098"/>
  <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">
    <ADSite Name="Domain.B"/>
    <Forest Name="Domain.B"/>
    <Domain Name="Domain.B"/>
<IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters>  </ClientLocationInfo>
</ContentLocationRequest>
'	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070002. Defaulting to state of 480.	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
MapNLMCostDataToCCMCost() returning Cost 0x1	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Failed to connect to machine policy namespace. 0x8004100e	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Client is on internet	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Client is set to use webproxy if available.	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server.	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
[CCMHTTP] ERROR: URL=https://SCCM.Domain.A/ccm_system/request, Port=0, Options=480, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
[CCMHTTP] ERROR INFO: StatusCode=200 StatusText=	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Failed (0x87d00454) to send location request to 'SCCM.Domain.A'. StatusCode 200, StatusText ''	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Failed to send location message to 'HTTPS://SCCM.Domain.A'. Status text ''	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
GetDPLocations failed with error 0x87d00454	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Failed to get DP locations as the expected version from MP 'HTTPS://SCCM.Domain.A'. Error 0x87d00454	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Sending state '101'...	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Failed to get client version for sending state messages. Error 0x8004100e	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
[] Params to send '5.0.9068.1008 Deployment Error: 0x0, '	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
Sending Fallback Status Point message to 'SCCM.Domain.A', STATEID='101'.	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
<ClientDeploymentMessage ErrorCode="0"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage>	ccmsetup	2/14/2022 5:46:48 PM	12672 (0x3180)
State message with TopicType 800 and TopicId {7E7B1ABB-69EC-477A-B8AE-C55E383EBE6D} has been sent to the FSP	FSPStateMessage	2/14/2022 5:46:48 PM	12672 (0x3180)

I know it is a Cert issue at this point but I am lost on what else I would need to do to get this fixed. Should I create deploy CA in Domain B but then that brings me to the issue on how to add that Cert into SCCM without hijacking the Domain A Cert....

 

Any guidance is greatly appreciated!

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...