SCCM Secondary Site in child domain woes

LostITSoul 21 Reputation points
2020-08-17T16:19:22.94+00:00

We have a primary site set up for SCCM at the forest level, and it is working, feeding other child domains with no issue. We have a separate child domain for the network/system management side of things. We want to set up a secondary site so that the holes poked between the two domains are isolated to only connecting the primary server to the new secondary server, without having to open up all the needed ports for every machine in the child domain to communicate back to the forest level.

When running the precheck on the primary server we are seeing the error:
Configuration Manager Setup requires that the site server computer has administrative rights on the SQL Server and management point computers.

The primary site server is set up as a local admin on the secondary site server. In testing, our network team opened all ports between the two and we still got the same error.

On the forest-level DC we found this error:
DCOM was unable to communicate with the computer 'FQDN of secondary site server' using any of the configured protocols;

Any thoughts on where to start looking, as AD is not my strong suit and my team inherited quite the $#!+ show from our predecessors?

Thank you,
LostITSoul


Accepted answer
  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2020-08-18T02:54:19.87+00:00

    Secondary sites are not gateways, thus the solution you've described is not valid and won't work. Secondary sites are for clients at remote locations, to address bandwidth issues. Clients must always be able to communicate with a management point that directly belongs to the primary site.

    For a segregated network, use an additional site system hosting the MP, DP, and SUP roles and placed in that screened network. Ensure your boundaries and boundary groups properly map the clients in the screened network to this additional site system. Make sure to enable MP affinity on the hierarchy settings of the site also.
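    The boundary and boundary group mapping described above, scripted with the ConfigurationManager PowerShell module as an added example (not part of the answer). The site code, subnet and site system FQDN are placeholders for the screened network; the script assumes the MP/DP/SUP roles have already been installed on that site system.

    ```powershell
    # Added example: map clients in the screened network to the site system that
    # hosts their MP/DP/SUP. Placeholders (assumptions): site code, subnet, FQDN.
    $SiteCode       = 'PS1'                          # primary site code (placeholder)
    $ScreenedSubnet = '10.20.30.0/24'                # screened network (placeholder)
    $SiteSystemFqdn = 'cm-screened.mgmt.example.com' # site system in that network (placeholder)
    $BoundaryName   = 'Screened network subnet'
    $GroupName      = 'Screened network'

    # Load the console module and switch to the site drive.
    $modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
    Import-Module $modulePath
    Set-Location "$($SiteCode):"

    # 1. Boundary covering the screened subnet (create only if it does not exist).
    if (-not (Get-CMBoundary -BoundaryName $BoundaryName)) {
        New-CMBoundary -Name $BoundaryName -Type IPSubnet -Value $ScreenedSubnet | Out-Null
    }

    # 2. Boundary group the clients in that subnet will fall into.
    if (-not (Get-CMBoundaryGroup -Name $GroupName)) {
        New-CMBoundaryGroup -Name $GroupName | Out-Null
    }
    Add-CMBoundaryToGroup -BoundaryName $BoundaryName -BoundaryGroupName $GroupName

    # 3. Reference the screened-network site system from the boundary group so
    #    clients there resolve to its MP/DP/SUP instead of the forest-level servers.
    Set-CMBoundaryGroup -Name $GroupName -AddSiteSystemServerName $SiteSystemFqdn

    # 4. Verify the result.
    Get-CMBoundaryGroup -Name $GroupName | Select-Object Name, SiteSystemCount
    Get-CMBoundary -BoundaryName $BoundaryName | Select-Object DisplayName, Value, BoundaryType
    ```

    The MP affinity setting ("Clients prefer to use management points specified in boundary groups") is enabled in the console under Hierarchy Settings and is not scripted here.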


1 additional answer

  1. AllenLiu-MSFT 40,316 Reputation points Microsoft Vendor
    2020-08-18T07:48:31.653+00:00

    Hi,

    Agree with Jason, a secondary site is not a solution for your situation. Here is the guidance to install an SCCM DP/MP/SUP in a segregated network:
    https://www.systemcenterdudes.com/installing-sccm-dp-mp-sup-untrusted-domain/

    Regards,
    Allen
