
Hello Friends,

I need guidance & advice for implementing different cross-forest support in existing SCCM. Below is the scenario:

We have Forest-A with an SCCM server which acts as Primary Site server with MP, WSUS roles installed on it. We also have 30 DPs in Forest-A which provide services to 500+ servers.
My client has recently acquired 2 new organizations; let's name them Forest-B & Forest-C. Each of these forests has multiple domains & child-domains.
My client wants to manage all servers (almost 2000+ Windows servers) of Forest-B & C via SCCM of Forest-A.
They have established only one-way AD trust between Forest-A & Forest-B where we are now able to search objects of Forest-B under Forest-A DCs.
They don’t want to establish any AD trust between Forest-A & Forest-C.

My client has the below requirements:
1>They don’t want to extend AD schema in Forest-B & Forest-C related to SCCM’s attributes & classes.
2>They want to manage all servers of Forest-B & C via SCCM of Forest-A.
3>They want to setup new DP server in each Forest-B & C so that those client machines can get the software updates policies from Forest-A SCCM MP and content from new DP server.
4>They also want to have SCCM console access for the technicians from Forest-B & C so that they can install SCCM client on their servers, create SUG & push patching deployments for their servers from Forest-A SCCM console without needing our intervention.

I have done following steps:
1>Created conditional forwarders in DNS of Forest-B & Forest-C for Forest-A and vice versa.
2>As AD Schema extension is not allowed in Forest-B & C by my client, I have created SRV (Service Location) records in DNS of Forest-B & C which point to MP related information of my Forest-A SCCM server.
3>Created “System Management” container in Forest-B and delegated Full Control permission for a new service account of Forest-B. My Forest-A SCCM related info got published in DC of Forest-B. I haven’t done this step yet in Forest-C as there is no AD trust for this forest.
4>Configured AD Forest Discovery in my SCCM for Forest-B & it was successful. I can see the status as success in SCCM console but still my SCCM server is not able to pull AD sites & subnets related information of Forest-B.
5>Configured AD System Discovery in my SCCM for Forest-B & I am able to see all objects of Forest-B under “Devices” node of Forest-A SCCM console.
6>Tried manual installation on a test server of Forest-B but it was not able to communicate with my Forest-A SCCM MP and not able to download client installation content. Tried telnet port 80 from test server to Forest-A MP but it was not getting connected. Hence I am checking with network team of both forests.
7>If above steps are correct then I will follow the same steps on Forest-C.

I need guidance & suggestion for below points:
1>Can I manage all clients of Forest-B from existing MP of Forest-A SCCM? Or do I need to build new MP in Forest-B to manage those clients?
2>How to configure & setup new DP in Forest-B, as I can’t add my existing SCCM computer account of Forest-A under “Administrator” group on Forest-B as there is only 1-way AD trust between them?
3>How to delegate rights for Forest-B technicians on my SCCM (of Forest-A) console so that they can manage only their devices? Does it need to have new MP under Forest-B to achieve this requirement?
4>If I get solution for above step then I need help to limit access rights for Forest-B technicians so that they can manage only their collections, create SUG & do patching deployments on their collections only. They should not be able to see other devices collection to avoid any misuse.

Kindly help me with proper guidance & solutions so that I can manage all devices of Forest-B & C from my existing SCCM (of Forest-A).

Thank You :)
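
A check to run from the Forest-B test server for steps 2 and 6 above, as an added example that is not part of the original post: it confirms that the SRV record resolves, that the MP name it points to resolves, and that the MP answers on port 80. The function name, the site code `ABC` and the suffix `forest-b.example` are placeholders.

```powershell
# Added example. Site code and DNS suffix are placeholders, not values from the post.
function Test-MpReachability {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,   # placeholder, e.g. 'ABC'
        [Parameter(Mandatory)] [string] $DnsSuffix,  # client's DNS suffix, e.g. 'forest-b.example'
        [int[]] $Ports = @(80)                       # port 80 as in the post; add 443 for an HTTPS MP
    )

    # Name format of the SRV record used for DNS publishing of a management point
    $srvName = '_mssms_mp_{0}._tcp.{1}' -f $SiteCode, $DnsSuffix

    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "SRV lookup failed for ${srvName}: $($_.Exception.Message)"
        return
    }

    foreach ($rec in $srv) {
        $mp = $rec.NameTarget
        # The SRV target must itself resolve through the conditional forwarder
        $resolved = [bool](Resolve-DnsName -Name $mp -Type A -ErrorAction SilentlyContinue)

        foreach ($port in $Ports) {
            $tcp = Test-NetConnection -ComputerName $mp -Port $port -WarningAction SilentlyContinue
            $mpList = $null
            if ($tcp.TcpTestSucceeded -and $port -eq 80) {
                # MPLIST is answered by the management point itself, not just by IIS
                try {
                    $mpList = (Invoke-WebRequest -Uri "http://$mp/sms_mp/.sms_aut?mplist" `
                               -UseBasicParsing -TimeoutSec 15).StatusCode
                } catch { $mpList = $_.Exception.Message }
            }
            [pscustomobject]@{
                SrvRecord    = $srvName
                MpFqdn       = $mp
                SrvPort      = $rec.Port
                NameResolves = $resolved
                TestedPort   = $port
                TcpOpen      = $tcp.TcpTestSucceeded
                MpListResult = $mpList
            }
        }
    }
}

Test-MpReachability -SiteCode 'ABC' -DnsSuffix 'forest-b.example' | Format-Table -AutoSize
```

A row with `NameResolves` true and `TcpOpen` false points at a firewall or routing block between the forests rather than at DNS or the SRV record.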

Answers ( 2 )


    Not exactly with your requirement but a good article to read by Eswar.


      Hello Ankit,

      Thanks for your reply & support.

      I have already gone through the above URL a few months back but that scenario does not match mine, as in that URL Eswar has done AD Schema Extension whereas in my case it is not allowed by management.

      Also in my case I am able to publish site information on cross-forest’s domain but failing with discovery status.
      Hence searching for correct & working solution.
