When deploying Configuration Manager 2007 across multiple Active Directory forests, plan for the following considerations when designing your Configuration Manager 2007 hierarchy:
- Communications within a Configuration Manager 2007 site
- Communications between Configuration Manager 2007 sites
- Support for clients across forests
- Configuring clients across Active Directory forests
- Approving clients (mixed mode) across Active Directory forests
- Roaming support across Active Directory forests
Cross-Forest Communications within a Configuration Manager Site
There are only two scenarios in which site systems belonging to a single site are supported across Active Directory forests:
- The System Health Validator point, used with Network Access Protection.
- Internet-based client management, which supports the following site systems installed in a separate forest from the site server:
  - Management point
  - Distribution point
  - Software update point
  - Fallback status point
| Note |
|---|
| Although not the security best practice, the following site systems are also supported if they are installed in a separate forest: server locator point and PXE service point. |
In either supported scenario, even if there is a two-way trust between the two forests, or external trusts between the site server's domain and the site system domain, you must specify a Windows user account for installation and configuration of the site system.
There is an additional cross-forest configuration that applies to the site systems that support Internet-based client management. When these site systems are installed in a different forest than the site server, and you want to ensure that communication is only ever initiated from the site server to the site systems, and never from the site systems to the site server, enable the site system option Allow only site server initiated data transfers from this site system. In an Internet-based client management scenario where these site systems are installed in a perimeter network, this configuration ensures that all connections between these site systems and the intranet are only initiated from the intranet, and not from the untrusted network. It is therefore a more secure solution than accepting connections into the intranet that are initiated from the perimeter network. However, if you choose this cross-forest configuration, be aware of the following considerations:
- You must configure a Windows user account for installation, even if there is a trust relationship between the two forests.
- This configuration results in some latency in sending status messages to the site, with a decrease in performance on the site server.
| Important |
|---|
| All other site systems within a site that are not listed above must reside within the same Active Directory forest. They can be installed in different domains within the forest, with the exception of the site server, SMS Provider computer, reporting point, and site database server, which must all reside in the same domain. |
Cross-Forest Communications Between Configuration Manager Sites
Configuration Manager primary sites can be configured to span multiple Active Directory forests. However, installing a secondary site in a different Active Directory forest from its parent primary site is not supported.
Data is sent between sites in a Configuration Manager 2007 hierarchy to enable central administration within a distributed model. For example, advertisements and packages flow down from a primary site to a child primary site, and inventory data from child primary sites is sent up to the central primary site. This information is exchanged between site servers whenever a site communicates with its parent or child site. Data sent between sites is signed by default, and because sites in different Active Directory forests cannot automatically retrieve each other's public keys from Active Directory Domain Services, a manual key exchange using the hierarchy maintenance tool (Preinst.exe) is required before intersite communication can be established.
When one or more primary sites in the Configuration Manager 2007 site hierarchy are located within different Active Directory forests, an Active Directory forest trust is not required to enable site-to-site communication as long as domain user accounts are properly configured in the sender address properties for each site. If you do not configure domain user accounts as site address accounts in the sender address properties of each site, the site server computer accounts will be used. If the site server computer accounts are used as the site address accounts, all Active Directory forests must be configured for the Windows Server 2003 forest functional level and must have a two-way trust to enable site-to-site communication to succeed.
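The manual key exchange described above, as an added PowerShell example that is not part of the original topic. It runs Preinst.exe on each site server (once on the child with `-LocalRole Child`, once on the parent with `-LocalRole Parent`), picks up the exported key file from the system drive root, and copies it into the other site server's hman.box inbox for Hierarchy Manager to process. The installation path, the `SMS_<sitecode>` share name, the remote server name and site code are placeholders or assumptions, and the account running the script is assumed to already have write access to the remote share (for example after a `net use` with explicit credentials, since no forest trust exists).

```powershell
# Added example (not from the original topic): cross-forest manual public key exchange with Preinst.exe.
# Run on the child site server with -LocalRole Child, then on the parent with -LocalRole Parent.
# Placeholders/assumptions: $RemoteSiteServer, $RemoteSiteCode, $InstallPath and the SMS_<sitecode> share.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Parent', 'Child')][string]$LocalRole,
    [Parameter(Mandatory = $true)][string]$RemoteSiteServer,   # e.g. site02.forestb.example (placeholder)
    [Parameter(Mandatory = $true)][string]$RemoteSiteCode,     # e.g. B01 (placeholder)
    [string]$InstallPath = 'C:\Program Files\Microsoft Configuration Manager'  # assumed default location
)
$ErrorActionPreference = 'Stop'

# Local site code as written by Setup under HKLM\SOFTWARE\Microsoft\SMS\Identification.
$localSiteCode = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Site Code'

# /keyforparent exports this (child) site's key for its parent; /keyforchild exports this (parent)
# site's key for a child. Preinst writes the file to the root of the system drive as <sitecode>.CT4
# (key for parent) or <sitecode>.CT5 (key for child).
switch ($LocalRole) {
    'Child'  { $preinstSwitch = '/keyforparent'; $ext = 'CT4' }
    'Parent' { $preinstSwitch = '/keyforchild';  $ext = 'CT5' }
}
$preinst = Join-Path $InstallPath 'bin\i386\00000409\preinst.exe'   # assumed path of the tool
if (-not (Test-Path $preinst)) { throw "Preinst.exe not found at $preinst" }

& $preinst $preinstSwitch | Out-Null
$keyFile = Join-Path $env:SystemDrive "$localSiteCode.$ext"
if (-not (Test-Path $keyFile)) { throw "Expected key file $keyFile was not created" }

# Hierarchy Manager on the other site server picks the key up from its hman.box inbox.
# The SMS_<sitecode> share is the site server installation share (assumed reachable with the
# credentials this script runs under; a plain file copy needs no forest trust).
$remoteInbox = "\\$RemoteSiteServer\SMS_$RemoteSiteCode\inboxes\hman.box"
Copy-Item -Path $keyFile -Destination $remoteInbox

# Inbox files are removed once processed, so poll briefly to confirm the key was picked up.
$target = Join-Path $remoteInbox (Split-Path $keyFile -Leaf)
for ($i = 0; $i -lt 12 -and (Test-Path $target); $i++) { Start-Sleep -Seconds 10 }
if (Test-Path $target) {
    Write-Warning "$target is still present after 2 minutes; check hman.log on $RemoteSiteServer"
} else {
    Write-Output "Key for site $localSiteCode was accepted into hman.box on $RemoteSiteServer"
}
```

Both directions must complete (child key on the parent, parent key on the child) before the sender addresses between the two sites will exchange signed data; if the key file lingers in hman.box, hman.log on the receiving site server is the place to look for why it was rejected.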
Cross-Forest Client Support
It is supported for a Configuration Manager 2007 site hierarchy to have primary sites or clients in a remote Active Directory forest.
If you have clients that are in a different forest than their assigned site server's forest, use the following information to ensure that they are configured correctly.
Configuring Clients across Active Directory Forests
Configuration Manager 2007 clients on the intranet use Active Directory Domain Services as their primary method of service location and configuration. If you have clients that reside in a separate forest, they will not be able to retrieve information that is published to Active Directory Domain Services by their assigned site server.
For these clients to be managed, you must ensure that alternative methods are available for the following:
- Site compatibility check to complete site assignment
- Service location for management points, and for the server locator point if the client is not directly assigned a site code
- Native mode configuration
Configure these clients as if Active Directory Domain Services had not been extended for Configuration Manager 2007. The information these clients need, together with the additional configuration steps, is listed in the section "Feature and Function Considerations for Extending the Active Directory Schema for Configuration Manager" in the following topic: Decide If You Should Extend the Active Directory Schema.
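The three alternative methods listed above (site assignment, service location, native mode configuration), as an added PowerShell example that is not part of the original topic. It performs a pre-flight name resolution check for the management point, server locator point and fallback status point (the names a client in another forest cannot discover from AD DS), then installs the client with the client.msi properties that supply what AD DS would otherwise have provided. All server names, the site code, the certificate path and the client source share are placeholders.

```powershell
# Added example (not from the original topic): installing a Configuration Manager 2007 client whose
# assigned site is in a different forest, so AD DS cannot supply site assignment, management point
# location or native mode settings. All names, paths and the site code below are placeholders.
param(
    [string]$SiteCode = 'A01',                                    # assigned site code (placeholder)
    [string]$MP       = 'mp01.foresta.example',                   # management point FQDN (placeholder)
    [string]$SLP      = 'slp01.foresta.example',                  # server locator point (placeholder)
    [string]$FSP      = 'fsp01.foresta.example',                  # fallback status point (placeholder)
    [string]$SignCert = 'C:\Deploy\SiteServerSigning.cer',        # exported site server signing cert (placeholder)
    [string]$CcmSetup = '\\mp01.foresta.example\SMS_A01\Client\ccmsetup.exe',  # assumed client source share
    [switch]$NativeMode
)
$ErrorActionPreference = 'Stop'

# 1. Without AD DS publishing, the client must resolve these names itself (DNS or WINS).
#    Checking resolution first catches the most common cross-forest failure before the install runs.
foreach ($name in @($MP, $SLP, $FSP)) {
    try { [System.Net.Dns]::GetHostEntry($name) | Out-Null }
    catch { throw "Cannot resolve $name from this client; fix DNS (conditional forwarder or stub zone) or WINS first." }
}

# 2. client.msi properties that replace what AD DS would normally supply.
$props = @(
    "SMSSITECODE=$SiteCode",  # direct site assignment; AUTO would need AD DS or a server locator point
    "SMSMP=$MP",              # initial management point
    "SMSSLP=$SLP",            # server locator point for the site compatibility check and MP lookup
    "FSP=$FSP"                # fallback status point, so installation problems are still reported
)
if ($NativeMode) {
    # In native mode the client must trust the site server signing certificate. It cannot read
    # it from AD DS across the forest boundary, so the exported .cer file is passed explicitly.
    if (-not (Test-Path $SignCert)) { throw "Signing certificate not found: $SignCert" }
    $props += "SMSSIGNCERT=$SignCert"
}

# 3. /mp: tells ccmsetup where to download the client files; the remaining arguments go to client.msi.
$cmdArgs = @("/mp:$MP") + $props
Write-Output ("Running: {0} {1}" -f $CcmSetup, ($cmdArgs -join ' '))
& $CcmSetup @cmdArgs
```

Name resolution is checked before anything else because it is the one dependency a cross-forest client has no fallback for: every other setting in the command line assumes the client can reach the named site systems by FQDN.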
Approving Clients (Mixed Mode) Across Active Directory Forests
Roaming Support across Active Directory Forests
Because clients from another forest cannot access site information published to Active Directory Domain Services, they do not have global roaming capability that would allow them to find distribution points in any site in the hierarchy. Instead, they have regional roaming capability, which allows them to find local distribution points when they roam into a site that is lower in the hierarchy than their assigned site. If clients from another forest roam into a sibling site or into a site higher in the hierarchy, they will download package source files from their assigned site. For more information about global and regional roaming behavior, see About Client Roaming in Configuration Manager.