To deploy this scenario you need two domain controllers in two different forests (with no trust between them), SCCM installed with all of its prerequisites in one of the forests, and a few test systems in the other forest for the SCCM client installation.
Systems used in this case are:
Forest names:
1) Training.com
2) Trainingtest.com
DNS servers (domain controllers):
1) DC.training.com
2) TDC.trainingtest.com
SCCM server:
1) EUCSSCCM.training.com
Client system in Trainingtest.com:
1) Win10.trainingtest.com
Below are the steps required to create the DNS conditional forwarders. They are carried out on both domain controllers, each one pointing at the other forest.
1) Open the DNS management console on the domain controller.
Domain controller: DC.Training.com
2) Right-click Conditional Forwarders and select New Conditional Forwarder.
3) Enter the DNS domain name of the untrusted forest (trainingtest.com) and the IP address of its DNS server, as shown in the image below.
4) Select OK on the window below.
5) Go back to Conditional Forwarders; the newly created forwarder for trainingtest.com is listed there. Right-click it, open Properties and verify the IP address.
Once the conditional forwarders have been created on both sides, selecting Edit in the properties of the new forwarder shows the screen below.
Domain controller 2, in the other forest: repeat the same steps to create a conditional forwarder that points back at training.com.
Domain controller: TDC.Trainingtest.com
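The same two forwarders, created and verified from PowerShell with the DnsServer module instead of the console. This is an added example, not part of the original post; the IP addresses are assumptions and must be replaced with the real addresses of the two domain controllers. Run the function on each DC, passing the other forest's DNS name and DNS server.

```powershell
# Added example (not from the original post). Run on each domain controller as a
# DNS administrator. Requires the DnsServer module (RSAT-DNS-Server / DNS role).

function Add-ForestForwarder {
    param(
        [Parameter(Mandatory)] [string]   $Zone,      # DNS name of the untrusted forest
        [Parameter(Mandatory)] [string[]] $MasterIp   # DNS server(s) authoritative for that zone
    )
    # Only create the forwarder if it does not already exist.
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        # ReplicationScope Forest stores the forwarder in AD so every DC in this
        # forest picks it up, instead of configuring each DNS server by hand.
        Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $MasterIp -ReplicationScope 'Forest'
    }
    # Read it back: this is the "verify the IP address" step from the Properties dialog.
    Get-DnsServerZone -Name $Zone | Select-Object ZoneName, ZoneType, MasterServers, IsDsIntegrated
}

# On DC.training.com (the address of TDC.trainingtest.com is an assumption):
Add-ForestForwarder -Zone 'trainingtest.com' -MasterIp '10.20.0.10'

# On TDC.trainingtest.com (the address of DC.training.com is an assumption):
Add-ForestForwarder -Zone 'training.com' -MasterIp '10.10.0.10'

# End-to-end check from the training.com side: both the host record of the other
# forest's DC and the SRV record the SCCM client later uses to find a DC must resolve.
Resolve-DnsName -Name 'TDC.trainingtest.com' -Type A
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.trainingtest.com' -Type SRV
```

If the SRV lookup fails while the A record succeeds, the forwarder was created for the DC's host name rather than for the forest DNS name; the zone name must be the domain (trainingtest.com), not tdc.trainingtest.com.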
Extending the schema for SCCM in the untrusted forest: TDC.Trainingtest.com
For this you will need to copy the SCCM installation files to, or mount the ISO on, the domain controller. The account running the schema extension must be a member of Schema Admins in that forest, and the DC must be able to reach the schema master.
Step 1: Go to Start > Run, type adsiedit.msc and click OK.
Step 2: Verify that a System Management container exists under the System container. If not, right-click the System container and create a new container object named System Management.
You will also need to create a service account. The SCCM server uses this account to publish site data into the other forest and to update the published information later.
Once the System Management container exists, grant the service account the rights it needs to publish the SCCM information.
Below are the steps to delegate control on the System Management container.
1) Right-click the System Management container and select Delegate Control.
2) Select the user that needs to be given access.
3) Select Create a custom task to delegate.
4) Select the first option, as per the image below (this container, existing objects in it, and creation of new objects in it).
5) Select all the checkboxes in this window.
6) Verify all the details and click Finish.
Then locate extadsch.exe in the installation media (under SMSSETUP\BIN\X64), as shown in the image below.
Now run extadsch.exe as shown below.
You should get the output below, written to ExtADSch.log in the root of the system drive: "Successfully extended the Active Directory schema."
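The container creation, service-account delegation and schema extension above, done from PowerShell on TDC.Trainingtest.com. This is an added example and not the author's code; the service account name and the media path are assumptions. Delegate Control with "all checkboxes" on "this container and all objects in it" is Full Control inherited to all descendants, which is what the access rule below grants.

```powershell
# Added example (not from the original post). Run on TDC.trainingtest.com as a
# member of Domain Admins and Schema Admins in the trainingtest.com forest.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$SystemDn  = "CN=System,$($Domain.DistinguishedName)"
$SysMgmtDn = "CN=System Management,$SystemDn"
$SvcName   = 'svc-sccm-publish'        # assumption: dedicated publishing account
$Media     = 'D:\SMSSETUP\BIN\X64'     # assumption: mounted SCCM ISO

# Step 2: create the System Management container (a container object, not an OU) if missing.
if (-not (Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase $SystemDn -SearchScope OneLevel)) {
    New-ADObject -Name 'System Management' -Type container -Path $SystemDn
}

# Service account used only for publishing; keep it out of any admin group.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName -SamAccountName $SvcName -Enabled $true `
        -AccountPassword (Read-Host -AsSecureString "Password for $SvcName") -PasswordNeverExpires $true
}

# Delegate Control equivalent: Full Control on the container and everything beneath it.
$acl  = Get-Acl -Path "AD:\$SysMgmtDn"
$sid  = (Get-ADUser -Identity $SvcName).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$SysMgmtDn" -AclObject $acl

# Read the ACL back, which is the "verify all the details" step of the wizard.
(Get-Acl -Path "AD:\$SysMgmtDn").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType

# Extend the schema. extadsch.exe logs to <SystemDrive>\ExtADSch.log.
& "$Media\extadsch.exe"
Select-String -Path "$env:SystemDrive\ExtADSch.log" -Pattern 'Successfully extended|Failed'
```

Keep the delegation scoped to the System Management container only; the publishing account never needs rights on the System container or anywhere else in the forest.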
Configuration on the SCCM server.
Step 1: In the SCCM console go to Administration > Active Directory Forests > Add Forest.
In the General tab, add the other forest's domain suffix, Trainingtest.com, and enter the account that has full control of the System Management container. (The forest's Administrator account also works, but a dedicated service account is preferable: SCCM stores this credential and reuses it for discovery and publishing.)
In the Publishing tab, tick the checkbox for the SCCM site code and specify a domain or server, as shown in the image below.
After some time you can monitor the status; Discovery Status and Publishing Status will both show Succeeded.
You can also verify on the TDC.Trainingtest.com domain controller that the site has been published: an SMS-Site-<site code> object appears under the System Management container.
Now do a quick lookup of the SCCM server from the client system in Trainingtest.com to verify that the conditional forwarders are working.
Now go to the Distribution Point properties.
Select Allow clients to connect anonymously, then Apply and OK. Be aware that this removes Windows authentication from the DP's content virtual directory, so any host that can reach the DP over HTTP can download content; it is needed here because clients in the untrusted forest cannot authenticate to the DP with a training.com account.
Create a new boundary and boundary group for the Trainingtest.com systems, using their IP address range.
Now go to the properties of the Trainingtest.com boundary group and enter all the details as per the image below.
Now go to Relationships and add the fallback boundary group.
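The server-side steps above (adding the forest, checking that publishing reached the other forest, and creating the boundary and boundary group) done with the ConfigMgr PowerShell cmdlets. This is an added example and not the author's code; the site code, the IP range, the fallback group name and the `-PublishingPath` parameter are assumptions. The publishing check queries the untrusted forest's DC directly over LDAP with the publishing account, since the site server cannot authenticate there with its own account.

```powershell
# Added example (not from the original post). Run on EUCSSCCM.training.com in a
# console PowerShell session by a ConfigMgr Full Administrator.
$SiteCode = 'PS1'                                   # assumption
$Forest   = 'trainingtest.com'
$RemoteDc = 'TDC.trainingtest.com'
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Step 1: add the forest with the account delegated on CN=System Management.
$cred = Get-Credential -Message "Publishing account for $Forest (e.g. TRAININGTEST\svc-sccm-publish)"
if (-not (Get-CMActiveDirectoryForest -ForestFqdn $Forest)) {
    # -PublishingPath selects the site(s) to publish; parameter name assumed, check Get-Help.
    New-CMActiveDirectoryForest -ForestFqdn $Forest -EnableDiscovery $true `
        -UserName $cred.UserName -Password $cred.Password -PublishingPath $SiteCode
}
# Discovery and publishing status as shown in the console.
Get-CMActiveDirectoryForest -ForestFqdn $Forest | Format-List ForestFQDN, *Status*

# Verify publishing from the other forest's side: the mSSMSSite object must exist.
$entry    = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$RemoteDc/CN=System Management,CN=System,DC=trainingtest,DC=com",
    $cred.UserName, $cred.GetNetworkCredential().Password)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=mSSMSSite)')
$searcher.FindAll() | ForEach-Object { $_.Path }   # expect CN=SMS-Site-<site code>,...

# Boundary and boundary group for the Trainingtest.com systems (IP range assumed).
$Bg = 'Trainingtest.com'
New-CMBoundary -Name $Bg -Type IPRange -Value '10.20.0.1-10.20.0.254'
New-CMBoundaryGroup -Name $Bg -DefaultSiteCode $SiteCode
Add-CMBoundaryToGroup -BoundaryName $Bg -BoundaryGroupName $Bg
# Reference the DP/MP for this group (the "details" in the group's properties).
Set-CMBoundaryGroup -Name $Bg -AddSiteSystemServerName 'EUCSSCCM.training.com'
# Relationships tab: fall back to the site default group after 120 minutes (group name assumed).
New-CMBoundaryGroupRelationship -SourceGroupName $Bg `
    -DestinationGroupName "Default-Site-Boundary-Group<$SiteCode>" -FallbackDP 120
```

Discovery can report Succeeded while publishing fails; the LDAP query above distinguishes the two, because only a successful publish creates the SMS-Site object in the remote forest.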
Now you have to install the SCCM client manually on Win10.trainingtest.com (it cannot be pushed, since the site server has no credentials in the untrusted forest). The client will then be listed as below.
Next, add the Approved column and check the status of the new Trainingtest.com client. It will be Not Approved: the default site setting only auto-approves computers from trusted domains, which this one is not.
Right-click the Win10 client and select Approve.
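The manual installation on the client and the approval on the site server, as an added example rather than the author's steps. The site code and share credentials are assumptions. The client installation files are copied locally before running ccmsetup.exe, because the ccmsetup service cannot see a drive mapped in the user's session.

```powershell
# Added example (not from the original post).
# --- Part 1: on Win10.trainingtest.com, as a local administrator ---
$SiteCode = 'PS1'                         # assumption
$Mp       = 'EUCSSCCM.training.com'
$Local    = 'C:\Temp\CMClient'

# Map the client share with a training.com credential (no trust, so it must be explicit).
New-PSDrive -Name CM -PSProvider FileSystem -Root "\\$Mp\SMS_$SiteCode\Client" `
    -Credential (Get-Credential -Message 'training.com account allowed to read the client share')
Copy-Item -Path 'CM:\*' -Destination $Local -Recurse -Force
Remove-PSDrive -Name CM

# Install from the local copy, assigning the site and management point directly.
Start-Process -FilePath "$Local\ccmsetup.exe" -Wait `
    -ArgumentList "/source:$Local", "SMSSITECODE=$SiteCode", "SMSMP=$Mp"

# Wait for the installation and confirm the assigned site and service state.
Get-Content -Path "$env:windir\ccmsetup\Logs\ccmsetup.log" -Tail 3
Get-Service -Name CcmExec | Select-Object Status, StartType
(New-Object -ComObject Microsoft.SMS.Client).GetAssignedSite()   # expect the site code

# --- Part 2: on EUCSSCCM.training.com, in a console PowerShell session ---
# Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"; Set-Location "$($SiteCode):"
# Get-CMDevice -Name 'Win10' | Select-Object Name, Domain, IsApproved, ClientVersion   # IsApproved 0 = Not Approved
# Approve-CMDevice -DeviceName 'Win10'
# Get-CMDevice -Name 'Win10' | Select-Object Name, IsApproved                          # expect 1 after approval
```

Approving the device is the trust decision for this client: once approved it receives policy and can download content. Keep the site's approval setting at the default (trusted domains only) rather than switching to approve all computers, so every untrusted-forest client has to be approved deliberately.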
Now deploy a test package to verify that all the SCCM components are working.
In the image below we can see that the application deployment request is received and the package downloaded.
Your SCCM client in the untrusted forest is now fully manageable from the SCCM server.
Hope you have enjoyed this detailed solution. Keep watching this space: hiraniconfigmgr.com
Happy Learning!!!
Many Problems, One Place for Solutions.
Thanks & Regards,
Haresh Hirani
Email: [email protected]
Follow me: Twitter @hirravi1
linkedin: https://www.linkedin.com/in/hiraniconfigmgr
2 Comments
ali (13-03-2023 02:39 pm)
This article helped me a lot. You are awesome, dude :)
unkownuser (20-05-2023 09:01 am)
Does a trusted root certificate need to be deployed from the non-trusted root, or is it not required?