question

BojanZivkovic-7448 asked SimonRenMSFT-3639 commented

MECM 2010 - one-way forest trust

Hi, currently we have two forests (production) that are completely isolated from each other. Each of them has its own MECM 2010 systems hosting MP, SUP, RSP, Endpoint Protection role, ... I would like to set up a new "management forest" where I will put, among other solutions, MECM. The new management forest will have a one-way trust only with the production forests (the production forests trust the management forest). I have two questions:

  1. Is there any procedure for setting up MECM in the management forest in order to manage servers/clients
    in the production forests?

  2. What should I do with the existing MECM systems in the production forests/MECM clients?



mem-cm-general
BojanZivkovic-7448 answered SimonRenMSFT-3639 commented

Finally I cracked it. The issuing CA in the trusting forest (which issued the CM client certificate to the server I wanted to push the CM client to) has to be added on the Communication Security tab of the CM site properties in order to have the CM client certificate selected and used in HTTPS communication with the MP in the trusted forest. The point is that this was not only a matter of the PKI end but of this setting in the CM site as well. Without this, CM client push was always failing due to a "non-existing" CM client certificate. Also, I made the CDP/AIA extensions of both the root CA and the issuing CA available to the CM server by placing them on a web server, so I guess that helped too.

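The answer above points at two things the site server needs before a cross-forest client certificate is usable: a chain to a CA it trusts, and CDP/AIA URLs it can actually fetch. The following PowerShell check is an added example (not code from the thread or from Microsoft); it runs on the CM site server in the management forest and assumes an exported public copy of the production server's client certificate at a placeholder path.

```powershell
# Added example: verify that a client certificate issued by the trusting forest's CA
# would be accepted for HTTPS to the MP. Run on the CM site server.
param(
    [string]$ClientCertPath = 'C:\temp\prod-client.cer'   # placeholder path, exported .cer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCertPath
"Subject: $($cert.Subject)  Issuer: $($cert.Issuer)"

# 1. The cert must carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }
"Client Authentication EKU present: $([bool]$hasClientAuth)"

# 2. The site server must build a full chain to a trusted root with revocation checked online,
#    which is exactly what fails when the CDP/AIA endpoints are not reachable from this forest.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$built = $chain.Build($cert)
"Chain builds with online revocation: $built"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject)" }

# 3. Pull every URL out of the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) extensions and
#    test the HTTP ones directly, so an unreachable web server shows up by name.
$urls = foreach ($ext in $cert.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31','1.3.6.1.5.5.7.1.1' }) {
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}
foreach ($url in ($urls | Sort-Object -Unique)) {
    if ($url -notmatch '^https?://') { "  skipped (not HTTP, e.g. LDAP): $url"; continue }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        "  reachable ($($r.StatusCode)): $url"
    } catch {
        "  UNREACHABLE: $url -> $($_.Exception.Message)"
    }
}
```

If the EKU is present, the chain builds and every HTTP CDP/AIA URL is reachable but client push still reports no usable certificate, the remaining piece is the one the answer names: the issuing CA has to be listed on the site's Communication Security tab.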

Hi,

Thank you very much for your feedback and sharing. We're glad that the question is solved now. It may help others who have a similar issue. If you have any questions in the future, we warmly welcome you to post in the Microsoft Q&A forum again.

Have a nice day!

Best Regards,
Simon

Jason-MSFT answered

You can also expand a standalone primary site to install a new central administration site

Don't do this. It won't solve your technical challenge (as two-way trusts are required for SQL replication) and will just make your environment way more complicated (even if it did technically solve your issue) without any actual advantages.

SimonRenMSFT-3639 answered SimonRenMSFT-3639 edited

Hi,

Thanks for posting in Microsoft MECM Q&A forum.

1.==>Is there any procedure for setting up MECM in the management forest in order to manage servers/clients in the production forests?
Based on my experience, the procedures are different and depend on the real production environment and the different business needs that everyone faces. As an application-level program, MEMCM doesn't care about the forest structure and can support clients in different forests.


2.==>What should I do with the existing MEMCM systems in the production forests/MECM clients?
Based on my experience, you can shut down one MECM 2010 environment, then use the other one to support the clients in this forest. Please refer to:
Cross Forest Support in ConfigMgr 2012 Part 3: Deploying Site Server / Site Systems in an Untrusted Forest.

You can also expand a standalone primary site to install a new central administration site, to then install additional primary sites (not a prior choice). Please refer to:
Prerequisites to expand a stand-alone primary site
How to Expand SCCM CB Standalone Primary server with CAS server

Best regards,
Simon


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Jason-MSFT answered BojanZivkovic-7448 commented
  1. ConfigMgr doesn't care about or depend on the domain membership of managed systems or forest/domain trusts in any way. Thus, there's really not much of a guide needed as long as the ports are open. See https://home.memftw.com/configmgrsccm-domains-forests-trusts-oh/ for more info.

  2. Don't know. Not much you can do with them.

Is ConfigMgr the only reason that you are setting up a management forest? If so, as noted, this won't help and has zero value as far as ConfigMgr goes.




The problem I have now is the administration/maintenance/troubleshooting of MECM/SCOM/Windows Admin Center etc. in multiple forests, so the idea is to implement a management forest where these solutions would be installed/configured and used to manage/monitor etc. all production forests.

If I have to remove the existing MECM 2010 infrastructure from the production forests altogether prior to deploying the new one in the management forest and later do the necessary steps in the production forests, that will be a huge blow since I have almost 1000 servers/clients in total currently managed by those 2 MECMs (honestly, I have never removed MECM infrastructure, so I need to see detailed steps as well in case this is a must).


so idea is to implement management forest

What problem does that solve though? Forests have nothing to do with network connectivity.

Without a lot more information about the environment and the restrictions in it, there's no way anyone can address this issue for you. I'd highly recommend bringing in a knowledgeable third party to help here.




As I said before, we would like to have a management forest with MECM/SCOM/WAC and other products that can be used to manage/monitor systems in all production forests, some of which already have those tools in place; the problem is that I have to manage all these solutions individually in each forest. The InfoSec team will probably allow us to have a one-way trust in the direction I already mentioned, so that is the main restriction. I can post all the details about the environment needed for any potential help, since this is new territory for me.

Thank you all for your time and efforts.
