Friday, 12 September 2008

SCCM across UNTRUSTED Forests

Before I type anything more I must warn you that the following article is against Microsoft's published best practices, as it breaches administrative boundaries, which should end at the forest boundary.

But that's not to say it can't be done ;)

We had a case here where we wanted to deliver managed public Internet in various locations (both existing corporate buildings and new purpose built locations).

When designing the solution it was decided to create an entirely new domain to help keep things separate and secure from the corporate side of the business.

The problem came about when I came along and decided that ICT needed the same remote administration benefits over the new domain that SCCM had given us on the corporate side.

I'm sure that it would have been much simpler had we been in native mode, but since we aren't I had to tackle it from a Mixed Mode perspective.

The first step was to install a new Primary site within the domain/forest that needed managing. This is the same as installing SCCM for the first time; as before, the database was split off to a separate shared SQL box.

Once the new site was installed and running, I needed to give the two sites some way to trust each other: each forest's AD schema has been extended, but because there is no trust between the forests, the sites know nothing about each other and share no security relationship.

For this I used the Preinst command to export the site keys.

To manually transfer the Public Forest Primary site public key to the Corporate Central site
  1. While logged on to the Primary site, open a command prompt and navigate to the location of Preinst.exe. (Microsoft Configuration Manager\bin\i386\00000409)
  2. Run the following command to export the Primary site’s public key: Preinst /keyforparent
  3. The Preinst /keyforparent command places the public key of the Primary site in the .CT4 file located at the root of the system drive.
  4. Move the .CT4 file to the Central site's \inboxes\hman.box directory.

To manually transfer the Corporate Central site public key to the Public Forest Primary site

  1. While logged on to the Central site, open a command prompt and navigate to the location of Preinst.exe. (Microsoft Configuration Manager\bin\i386\00000409)
  2. Run the following command to export the Central site's public key: Preinst /keyforchild
  3. The Preinst /keyforchild command places the public key of the Central site in the .CT5 file located at the root of the system drive.
  4. Move the .CT5 file to the Primary site's \inboxes\hman.box directory.

Once that was done, accounts were created in both domains/forests for the sender accounts that are required, and then addresses were created on each site pointing at the other.

  • The Central site contains a sender address pointing down at the Primary site, using the account created in the public domain/forest
  • The Primary site contains a sender address pointing up at the Central site, using the account created in the corporate domain/forest

The final thing to do was on the Public forest SCCM server: in the console, expand Site Management, right click the site and choose Properties. Click Set Parent Site, choose the Central Corporate site... and you're done!
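The manual key exchange above as one script, added here as an example rather than anything from the original post or from Microsoft. It assumes PowerShell 4 or later (for Get-FileHash), the Preinst.exe location from the steps above, that the exported key lands at the root of the system drive as a .CT4/.CT5 file, and a UNC path to the other site's hman.box inbox that you supply:

```powershell
# Added example (not from the original post): runs one direction of the Preinst
# key exchange and adds the checks an admin would want: no stale key shipped,
# exactly one fresh key file found, hash verified after the copy, and the key
# removed from the root of the system drive afterwards. Paths, share name and
# the non-zero-exit-means-failure convention for Preinst are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('ForParent','ForChild')][string]$Direction,
    [string]$PreinstPath = 'C:\Program Files\Microsoft Configuration Manager\bin\i386\00000409\Preinst.exe',
    [Parameter(Mandatory)][string]$RemoteInbox,   # e.g. \\CENTRALSRV\SMS_CEN\inboxes\hman.box (assumed share)
    [System.Management.Automation.PSCredential]$Credential   # account created in the other forest
)

$ext     = if ($Direction -eq 'ForParent') { '*.CT4' } else { '*.CT5' }
$root    = "$env:SystemDrive\"
$started = Get-Date

if ($Credential) {
    # There is no forest trust, so the remote inbox has to be reached with explicit credentials.
    New-PSDrive -Name HmanBox -PSProvider FileSystem -Root $RemoteInbox -Credential $Credential | Out-Null
    $RemoteInbox = 'HmanBox:\'
}

# Remove any key file left over from an earlier export so an old key is never shipped by mistake.
Get-ChildItem -Path $root -Filter $ext -File -ErrorAction SilentlyContinue | Remove-Item -Force

# /keyforparent runs on the child (Primary) site, /keyforchild on the Central site.
$switch = if ($Direction -eq 'ForParent') { '/keyforparent' } else { '/keyforchild' }
$proc = Start-Process -FilePath $PreinstPath -ArgumentList $switch -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "Preinst $switch failed with exit code $($proc.ExitCode)" }

$keys = @(Get-ChildItem -Path $root -Filter $ext -File | Where-Object { $_.LastWriteTime -ge $started })
if ($keys.Count -ne 1) { throw "Expected exactly one fresh $ext file in $root, found $($keys.Count)" }
$key = $keys[0]

# Hash before and after the copy so a truncated or altered transfer is caught before hman.box picks it up.
$srcHash = (Get-FileHash -Path $key.FullName -Algorithm SHA256).Hash
$dest    = Join-Path $RemoteInbox $key.Name
Copy-Item -Path $key.FullName -Destination $dest -Force
$dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { Remove-Item $dest -Force; throw "Hash mismatch after copying $($key.Name)" }

# Don't leave the site's public key sitting in the root of the system drive.
Remove-Item -Path $key.FullName -Force
Write-Output "Delivered $($key.Name) (SHA256 $srcHash) to $RemoteInbox"
```

Run it once on each site server (ForParent on the Primary, ForChild on the Central site) with the sender account for the other forest passed as -Credential.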

2 comments:

Dean said...

We are attempting to do something similar from a forest in a DMZ. Do I need additional ports opened to accomplish this?

StevyB said...

Sorry, only just seen the comment!

I think we've just got 80, 443 and 445 open.

Check http://technet.microsoft.com/en-us/library/bb632618.aspx for a full list of ConfigMgr ports.