Configuration Manager in Multiple Active Directory Forests

Configuration Manager 2007 primary sites can be configured to span multiple Active Directory forests, and a site hierarchy can contain primary sites or clients that reside in a forest other than the central site's forest. Installing a secondary site in a different Active Directory forest than its parent primary site is not supported.

When deploying Configuration Manager 2007 across multiple Active Directory forests, plan for the following considerations when designing your Configuration Manager 2007 hierarchy:

  • Communications within a Configuration Manager 2007 site
  • Communications between Configuration Manager 2007 sites
  • Support for clients across forests
    • Configuring clients across Active Directory forests
    • Approving clients (mixed mode) across Active Directory forests
    • Roaming support across Active Directory forests

Cross-Forest Communications within a Configuration Manager Site

There are only two scenarios in which site systems belonging to a single site can reside in a different Active Directory forest than the site server:

  • The System Health Validator point, used with Network Access Protection.
  • Internet-based client management, which supports the following site systems installed in a separate forest to the site server:
    • Management point
    • Distribution point
    • Software update point
    • Fallback status point

In either supported scenario, even if there is a two-way forest trust, or external trusts between the site server's domain and the site system's domain, you must specify a Windows user account for installation and configuration of the site system.

An additional cross-forest configuration applies to the site systems that support Internet-based client management. When these site systems are installed in a different forest than the site server, and you want to ensure that communication is only ever initiated from the site server to the site systems, and never from the site systems to the site server, enable the site system option Allow only site server initiated data transfers from this site system. In an Internet-based client management scenario where these site systems are installed in a perimeter network, this configuration ensures that every connection between these site systems and the intranet is initiated from the intranet, not from the untrusted network. It is therefore more secure than accepting connections into the intranet that are initiated from the perimeter network. If you choose this cross-forest configuration, be aware of the following considerations:

  • You must configure a Windows user account for installation, even if there is a trust relationship between the two forests.
  • This configuration adds some latency to status messages sent to the site, and reduces performance on the site server.

All other site systems within a site that are not listed above must reside in the same Active Directory forest as the site server. They can be installed in different domains within that forest, with the exception of the site server, the SMS Provider computer, the reporting point, and the site database server, which must all reside in the same domain.
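The following PowerShell script is an added example, not part of the original article, that audits where a site's site systems live relative to the site server and reports any placement that the rules above do not allow. The RoleName strings are the ones the SMS Provider class SMS_SCI_SysResUse uses in Configuration Manager 2007, and the server, domain and forest names in the sample inventory are constructed placeholders; confirm the role names against your own site before relying on them.

```powershell
# Added example (not part of the original article): audit site system placement against the
# cross-forest rules for a single Configuration Manager 2007 site.
# RoleName values follow SMS_SCI_SysResUse; verify them in your own site.

# Roles allowed in a different forest than the site server.
$NapRoles  = @('SMS System Health Validator')
$IbcmRoles = @('SMS Management Point', 'SMS Distribution Point',
               'SMS Software Update Point', 'SMS Fallback Status Point')

# Roles that must share the site server's domain, not merely its forest.
$SameDomainRoles = @('SMS Site Server', 'SMS Provider', 'SMS Reporting Point', 'SMS SQL Server')

function Test-SiteSystemPlacement {
    param(
        [Parameter(Mandatory)] [object[]] $SiteSystems,      # objects with Server, RoleName, Domain, Forest
        [Parameter(Mandatory)] [string]   $SiteServerDomain,
        [Parameter(Mandatory)] [string]   $SiteServerForest
    )
    foreach ($s in $SiteSystems) {
        $finding = $null
        if ($SameDomainRoles -contains $s.RoleName -and $s.Domain -ne $SiteServerDomain) {
            $finding = 'must be in the site server domain'
        }
        elseif ($s.Forest -ne $SiteServerForest) {
            if ($IbcmRoles -contains $s.RoleName) {
                $finding = 'cross-forest IBCM role: needs a site system installation account; consider "Allow only site server initiated data transfers"'
            }
            elseif ($NapRoles -contains $s.RoleName) {
                $finding = 'cross-forest System Health Validator point: needs a site system installation account'
            }
            else {
                $finding = 'not supported outside the site server forest'
            }
        }
        if ($finding) {
            [pscustomobject]@{ Server = $s.Server; Role = $s.RoleName; Domain = $s.Domain; Forest = $s.Forest; Finding = $finding }
        }
    }
}

# Constructed sample inventory. On a live site, build it from the SMS Provider instead:
#   Get-WmiObject -Namespace "root\SMS\site_$SiteCode" -Class SMS_SCI_SysResUse |
#       Select-Object RoleName, NetworkOSPath        # NetworkOSPath is \\server.fqdn
# and map each server's DNS domain to its forest with
#   [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain(
#       (New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $dnsDomain))).Forest.Name
$sample = @(
    [pscustomobject]@{ Server = 'ps1.corp.example';    RoleName = 'SMS Site Server';       Domain = 'corp.example';    Forest = 'corp.example' }
    [pscustomobject]@{ Server = 'sql1.corp.example';   RoleName = 'SMS SQL Server';        Domain = 'corp.example';    Forest = 'corp.example' }
    [pscustomobject]@{ Server = 'rp1.hq.corp.example'; RoleName = 'SMS Reporting Point';   Domain = 'hq.corp.example'; Forest = 'corp.example' }
    [pscustomobject]@{ Server = 'mp1.dmz.example';     RoleName = 'SMS Management Point';  Domain = 'dmz.example';     Forest = 'dmz.example' }
    [pscustomobject]@{ Server = 'pxe1.dmz.example';    RoleName = 'SMS PXE Service Point'; Domain = 'dmz.example';     Forest = 'dmz.example' }
)

Test-SiteSystemPlacement -SiteSystems $sample -SiteServerDomain 'corp.example' -SiteServerForest 'corp.example' |
    Format-Table -AutoSize
```

With the sample data the reporting point is flagged because it sits in a child domain rather than the site server's domain, the perimeter management point is reported as a supported cross-forest role that still needs an installation account, and the PXE service point in the perimeter forest is flagged as unsupported.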

Cross-Forest Communications between Configuration Manager Sites

Data is sent between sites in a Configuration Manager 2007 hierarchy to enable central administration within a distributed model. For example, advertisements and packages flow down from a primary site to its child primary sites, and inventory data flows up from child primary sites to the central site. This data is exchanged between site servers whenever a site communicates with its parent or child site.

Data sent between sites is signed by default. Sites in different Active Directory forests cannot retrieve each other's public keys from Active Directory Domain Services, so the keys must be exchanged manually with the hierarchy maintenance tool (Preinst.exe) before inter-site communication can be established.

When one or more primary sites in the hierarchy are located in different Active Directory forests, an Active Directory forest trust is not required for site-to-site communication as long as domain user accounts are configured as the site address accounts in the sender address properties of each site. If no site address account is configured, the site server computer account is used instead; in that case every forest involved must be at the Windows Server 2003 forest functional level and a two-way forest trust must exist for site-to-site communication to succeed.
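The PowerShell functions below are an added example of the manual key exchange described above; they are not part of the original article. They assume Configuration Manager 2007 site servers where Preinst.exe is installed under <InstallDir>\bin\i386, where the site installation directory is shared as SMS_<sitecode>, and where the Preinst /KEYFORPARENT and /KEYFORCHILD switches write <sitecode>.CT4 and <sitecode>.CT5 to the root of a local drive. The site codes, server names and the CORP\cmxfer account in the usage notes are placeholders.

```powershell
# Added example (not part of the original article): exchange site signing keys between a child
# primary site and its parent when the two site servers are in forests with no trust.
# Assumed paths and names: adapt PreinstPath, share names, site codes and credentials.

function Export-SiteKey {
    param(
        [Parameter(Mandatory)] [ValidateSet('ForParent', 'ForChild')] [string] $Direction,
        [Parameter(Mandatory)] [string] $SiteCode,
        [string] $PreinstPath = 'C:\Program Files\Microsoft Configuration Manager\bin\i386\preinst.exe'
    )
    # Run locally on the site server whose public key is being published.
    # /KEYFORPARENT writes <SiteCode>.CT4 (for the parent's hman.box);
    # /KEYFORCHILD  writes <SiteCode>.CT5 (for the child's hman.box).
    $switch = if ($Direction -eq 'ForParent') { '/KEYFORPARENT' } else { '/KEYFORCHILD' }
    $ext    = if ($Direction -eq 'ForParent') { 'CT4' } else { 'CT5' }

    & $PreinstPath $switch | Out-Null

    # Preinst drops the key file at the root of a local drive; locate it rather than guess the drive.
    $keyFile = Get-PSDrive -PSProvider FileSystem |
        ForEach-Object { Join-Path $_.Root "$SiteCode.$ext" } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $keyFile) { throw "Preinst $switch did not produce $SiteCode.$ext on any local drive" }
    $keyFile
}

function Publish-SiteKey {
    param(
        [Parameter(Mandatory)] [string]       $KeyFile,
        [Parameter(Mandatory)] [string]       $PeerServer,      # site server of the other site
        [Parameter(Mandatory)] [string]       $PeerSiteCode,
        [Parameter(Mandatory)] [pscredential] $PeerCredential   # an account from the peer's forest
    )
    # No forest trust exists, so authenticate to the peer's SMS_<sitecode> share explicitly.
    $share = "\\$PeerServer\SMS_$PeerSiteCode"
    New-PSDrive -Name PeerSite -PSProvider FileSystem -Root $share -Credential $PeerCredential | Out-Null
    try {
        # Hierarchy Manager on the peer picks the file up from its hman.box inbox.
        Copy-Item -Path $KeyFile -Destination 'PeerSite:\inboxes\hman.box\' -Force
    }
    finally {
        Remove-PSDrive -Name PeerSite
    }
}

# Usage (placeholder site codes, servers and account):
# 1. On the child site server EU1, publish its key to the parent CEN:
#    $k = Export-SiteKey -Direction ForParent -SiteCode 'EU1'
#    Publish-SiteKey -KeyFile $k -PeerServer 'cen1.corp.example' -PeerSiteCode 'CEN' -PeerCredential (Get-Credential 'CORP\cmxfer')
# 2. On the parent site server CEN, publish its key to the child EU1:
#    $k = Export-SiteKey -Direction ForChild -SiteCode 'CEN'
#    Publish-SiteKey -KeyFile $k -PeerServer 'eu1.eu.example' -PeerSiteCode 'EU1' -PeerCredential (Get-Credential 'EU\cmxfer')
```

Both directions are required, because each site must hold the other's public key to verify signed data. After the copy, hman.log on the receiving site shows the key being processed; the sender address account for each site still has to be set in the sender address properties in the console, which this script does not do.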

Cross-Forest Client Support

If you have clients that are in a different forest than their assigned site server's forest, use the following information to ensure that they are configured correctly.

Configuring Clients across Active Directory Forests

Configuration Manager 2007 clients on the intranet use Active Directory Domain Services as their primary method of service location and configuration. Clients that reside in a separate forest cannot retrieve the information that their assigned site publishes to Active Directory Domain Services. For these clients to be managed, you must ensure that alternative methods are available for the following:

  • Site compatibility check to complete site assignment
  • Service location for management points, and for the server locator point if one is not directly assigned
  • Native mode configuration

Configure these clients as if the Active Directory schema had not been extended for Configuration Manager 2007. The information that these clients need, together with the additional configuration steps, is listed in the section "Feature and Function Considerations for Extending the Active Directory Schema for Configuration Manager" in the following topic: Decide If You Should Extend the Active Directory Schema.
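As an added example, not part of the original article, the PowerShell below assembles a CCMSetup command line that gives a client in a remote forest everything it would otherwise read from Active Directory Domain Services: the site code for assignment, the management point and server locator point for service location, the fallback status point, the trusted root key, and the site server signing certificate for native mode. It assumes the Configuration Manager 2007 client.msi properties SMSSITECODE, SMSMP, SMSSLP, FSP, SMSPUBLICROOTKEY and SMSSIGNCERT, that the trusted root key can be read from mobileclient.tcf on the site server, and that the management point can serve the client source over HTTP via the /mp: switch. The host names, paths and site code are placeholders.

```powershell
# Added example (not part of the original article): build an install command for a client whose
# forest cannot read the site's Active Directory publishing. Names and paths are placeholders.

function Get-TrustedRootKey {
    param([string] $TcfPath = 'C:\Program Files\Microsoft Configuration Manager\bin\i386\mobileclient.tcf')
    # Clients that can read Active Directory obtain the trusted root key from there;
    # cross-forest clients must be given it at install time. Run this on the site server.
    foreach ($line in Get-Content -Path $TcfPath) {
        if ($line -match '^\s*SMSPublicRootKey\s*=\s*(\S+)') { return $Matches[1] }
    }
    throw "SMSPublicRootKey not found in $TcfPath"
}

function Test-SiteSystemResolves {
    param([Parameter(Mandatory)] [string] $Fqdn)
    # The client has no AD service location, so each site system it is pointed at must resolve in
    # the DNS the client actually uses. Run this check from a machine in the client's forest.
    try { [bool]([System.Net.Dns]::GetHostAddresses($Fqdn)) } catch { $false }
}

function New-CrossForestClientInstall {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,
        [Parameter(Mandatory)] [string] $ManagementPoint,    # intranet FQDN of the MP
        [string] $ServerLocatorPoint,
        [string] $FallbackStatusPoint,
        [string] $TrustedRootKey,                            # from Get-TrustedRootKey
        [string] $SigningCertPath                            # native mode: exported site server signing cert (.cer)
    )
    $unresolved = @($ManagementPoint, $ServerLocatorPoint, $FallbackStatusPoint) |
        Where-Object { $_ -and -not (Test-SiteSystemResolves $_) }
    if ($unresolved) { throw "Not resolvable from this forest: $($unresolved -join ', ')" }

    $installArgs = @(
        "/mp:$ManagementPoint",            # download the client source from the MP over HTTP
        "SMSSITECODE=$SiteCode",           # direct assignment: no site compatibility check via AD
        "SMSMP=$ManagementPoint"           # initial MP without AD or WINS/DNS lookup
    )
    if ($ServerLocatorPoint)  { $installArgs += "SMSSLP=$ServerLocatorPoint" }
    if ($FallbackStatusPoint) { $installArgs += "FSP=$FallbackStatusPoint" }
    if ($TrustedRootKey)      { $installArgs += "SMSPUBLICROOTKEY=$TrustedRootKey" }
    if ($SigningCertPath)     { $installArgs += "SMSSIGNCERT=$SigningCertPath" }

    [pscustomobject]@{
        CommandLine = 'ccmsetup.exe ' + ($installArgs -join ' ')
        Arguments   = $installArgs
    }
}

# Usage with placeholder values (key and certificate exported from the site server beforehand):
# $key = Get-TrustedRootKey                       # on the site server
# New-CrossForestClientInstall -SiteCode 'CEN' -ManagementPoint 'mp1.corp.example' `
#     -ServerLocatorPoint 'slp1.corp.example' -FallbackStatusPoint 'fsp1.corp.example' `
#     -TrustedRootKey $key -SigningCertPath 'C:\Certs\CENSigning.cer'
```

Supplying the trusted root key and the signing certificate at install time is what lets the client verify management point policy without ever reading Active Directory; omitting them leaves the client dependent on the first management point it contacts, which is exactly the situation a cross-forest deployment cannot rely on.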

Approving Clients (Mixed Mode) Across Active Directory Forests

If the site is in mixed mode and you are using the site configuration of Automatically approve computers in trusted domains, you must configure the management point with an intranet fully qualified domain name (FQDN). For more information about approval, see About Client Approval in Configuration Manager, and for procedural information about how to specify the management point's FQDN, see How to Configure the Intranet FQDN of Site Systems.

Roaming Support across Active Directory Forests

Clients can perform global roaming within the forest of their assigned site if all sites in the hierarchy publish site information to Active Directory Domain Services. Global roaming lets clients download software distribution package content from the distribution points closest to them when they roam into the boundaries of a sibling site, of a site higher in the hierarchy than their assigned site, or otherwise outside the boundaries of their assigned site. If the Active Directory schema has not been extended for Configuration Manager 2007, or sites do not publish site data to Active Directory Domain Services, clients can use a server locator point for regional roaming instead. Regional roaming lets clients find local software distribution package content only when the site they roam into is lower in the hierarchy than their assigned site. If no server locator point is deployed, regional roaming still works if all management points are registered in WINS or DNS.
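The following PowerShell is an added example, not part of the original article, for checking the last condition above from a client's point of view: that every management point a roaming client may need is discoverable in DNS without Active Directory. It assumes the management points publish the _mssms_mp_<sitecode>._tcp SRV records that Configuration Manager 2007 SP1 and later can register in DNS, and that the Resolve-DnsName cmdlet (DnsClient module) is available; the site codes and DNS zone are placeholders.

```powershell
# Added example (not part of the original article): verify that management points for the sites a
# client can roam into are published in DNS. Site codes and zone are placeholders; run it from a
# client in the remote forest so the lookup uses the DNS path those clients actually have.

function Test-RoamingMpRecords {
    param(
        [Parameter(Mandatory)] [string[]] $SiteCodes,
        [Parameter(Mandatory)] [string]   $DnsZone,
        [string] $DnsServer                                   # optional: query a specific DNS server
    )
    $opt = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $opt.Server = $DnsServer }

    foreach ($code in $SiteCodes) {
        # Management points register one SRV record per site code in the client's zone.
        $srvName = "_mssms_mp_$($code)._tcp.$DnsZone"
        $srv = Resolve-DnsName -Name $srvName -Type SRV @opt | Where-Object { $_.Type -eq 'SRV' }

        if (-not $srv) {
            [pscustomobject]@{ SiteCode = $code; Record = $srvName; Target = $null; Port = $null
                               Status = 'no SRV record: roaming clients need a server locator point or a WINS entry for this MP' }
            continue
        }
        foreach ($r in $srv) {
            # The SRV target must itself resolve, or the client still cannot reach the MP.
            $a = Resolve-DnsName -Name $r.NameTarget -Type A @opt | Where-Object { $_.Type -eq 'A' }
            $status = if ($a) { 'ok: ' + (($a | ForEach-Object { $_.IPAddress }) -join ', ') }
                      else    { 'SRV target does not resolve' }
            [pscustomobject]@{ SiteCode = $code; Record = $srvName; Target = $r.NameTarget; Port = $r.Port; Status = $status }
        }
    }
}

# Placeholder site codes and zone.
Test-RoamingMpRecords -SiteCodes 'CEN', 'EU1', 'US1' -DnsZone 'corp.example' | Format-Table -AutoSize
```

A site that returns no SRV record is one its roaming clients will only find through a server locator point or WINS; checking every site code in the hierarchy, not just the client's assigned site, is what makes the result meaningful for regional roaming.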
