Managing users from other forest in Configuration Manager



I need to know one thing. Is Configuration Manager able to manage the users when they are in some other forest from the site server?

Need your answer.


Answered By 10 points N/A #106180


Hi Chaya Dixon,
Yes, Configuration Manager is able to manage users when they are in a different forest from the site server, but the following conditions should be satisfied. There should be a trust relationship between those forests.

Communications Across Forest Trusts Within a Configuration Manager Site
There are only two supported scenarios in which site systems within a single site are supported across Active Directory forests:
1. The System Health Validator point, used with Network Access Protection.
2. Internet-based client management, which supports the following site systems installed in a separate forest from the site server:
   - Management point
   - Distribution point
   - Software update point
   - Fallback status point
In either supported scenario, even if there is a two-way trust between the two forests, or external trusts between the site server's domain and the site system domain, you must specify a Windows user account for installation and configuration of the site system.
There is an additional configuration across forest trusts that applies to the site systems that support Internet-based client management. When these site systems are installed in a different forest than the site server, and you want to ensure that communication is only ever initiated from the site server to the site systems, and never from the site systems to the site server, enable the site system option "Allow only site server initiated data transfers from this site system".
Additional Info:
Communications Across Forest Trusts Between Configuration Manager Sites.
A Configuration Manager hierarchy supports primary sites from different Active Directory forests. Configuration Manager does not support secondary sites in a remote Active Directory forest from their parent primary site.
When the hierarchy contains primary sites from different Active Directory forests, you must use the hierarchy maintenance tool (Preinst.exe) to configure manual key exchange because the sites in different Active Directory forests cannot automatically retrieve keys from Active Directory Domain Services. Key exchange is required for signing data that is sent between the sites. For information about the manual exchange of public keys, see How to Manually Exchange Public Keys Between Sites.
When one or more primary sites in the Configuration Manager 2007 site hierarchy are located within different Active Directory forests, an Active Directory forest trust is not required to enable site-to-site communication as long as domain user accounts are correctly configured in the sender address properties for each site.
If you do not configure domain user accounts as the site address accounts in the sender address properties of each site, the site server computer accounts will be used. When the site server computer accounts are used as the site address accounts, you must have a full Active Directory forest trust between the forests to enable site-to-site communication.
For these clients to be managed, you must ensure that alternative methods are available for the following:
   - Site compatibility check to complete site assignment.
   - Service location for management points, and the server locator point if this is not directly assigned.
   - Native mode configuration.
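An added PowerShell example, not part of the original answer and not Microsoft's own tooling or documentation, covering the two checks a site administrator would want after reading the answer: it lists the trust relationships of the local forest (so you can tell whether the "computer accounts as site address accounts" case, which needs a full two-way forest trust, applies to you), and it performs one half of the manual public key exchange between primary sites in different forests by running Preinst.exe, copying the exported key into the partner site's hman.box inbox and verifying the copy. The Preinst.exe switches (/keyforparent, /keyforchild), the <SiteCode>.CT4 and .CT5 output file names, their placement in the root of the installation drive, and the SMS_<SiteCode>\inboxes\hman.box share path are assumptions about the Configuration Manager 2007 hierarchy maintenance tool and should be checked against your version; every server name, site code and path in the usage lines is constructed.

```powershell
# Added example (not from the original post). Reports forest trusts and performs
# one half of the manual public-key exchange between primary sites with Preinst.exe.
# ASSUMPTIONS (not stated in the post): the /keyforparent and /keyforchild switches,
# the <SiteCode>.CT4 / .CT5 output file names written to the root of the drive that
# holds Preinst.exe, and the \\server\SMS_<SiteCode>\inboxes\hman.box inbox path.

function Get-ForestTrustReport {
    # Enumerate trusts of the forest this computer belongs to via the .NET
    # ActiveDirectory API, so no extra PowerShell module is required.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($t in $forest.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Direction = $t.TrustDirection   # Inbound, Outbound or Bidirectional
            Type      = $t.TrustType        # Forest, External, ...
        }
    }
}

function Test-FullForestTrust {
    param([Parameter(Mandatory)][string]$RemoteForest)
    # A two-way forest trust is only required when the site server computer accounts
    # are used as the site address accounts. With domain user accounts configured in
    # the sender address properties, site-to-site traffic works without it.
    $trusts = Get-ForestTrustReport | Where-Object { $_.Target -ieq $RemoteForest }
    return [bool]($trusts | Where-Object { $_.Type -eq 'Forest' -and $_.Direction -eq 'Bidirectional' })
}

function Export-SitePublicKey {
    param(
        [Parameter(Mandatory)][string]$SiteCode,                               # this site's code
        [Parameter(Mandatory)][ValidateSet('Parent','Child')][string]$For,     # who receives the key
        [Parameter(Mandatory)][string]$PartnerSiteServer,                      # FQDN of the other site server
        [Parameter(Mandatory)][string]$PartnerSiteCode,
        [Parameter(Mandatory)][string]$PreinstPath                             # full path to Preinst.exe
    )
    if (-not (Test-Path $PreinstPath)) { throw "Preinst.exe not found at $PreinstPath" }

    # /keyforparent is run on the child site, /keyforchild on the parent site (assumed switches).
    $switch  = if ($For -eq 'Parent') { '/keyforparent' } else { '/keyforchild' }
    $ext     = if ($For -eq 'Parent') { 'CT4' } else { 'CT5' }                 # assumed extensions
    $drive   = [System.IO.Path]::GetPathRoot($PreinstPath)
    $keyFile = Join-Path $drive "$SiteCode.$ext"

    & $PreinstPath $switch | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $keyFile)) {
        throw "Preinst.exe $switch did not produce $keyFile (exit code $LASTEXITCODE)"
    }

    # The partner site's Hierarchy Manager imports keys dropped into its hman.box inbox (assumed path).
    $inbox = "\\$PartnerSiteServer\SMS_$PartnerSiteCode\inboxes\hman.box"
    Copy-Item -Path $keyFile -Destination $inbox -ErrorAction Stop
    $copied = Join-Path $inbox (Split-Path $keyFile -Leaf)

    # Verify the copy is intact: this key is what the partner site will trust for signed data.
    $srcHash = (Get-FileHash -Path $keyFile -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $copied  -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Key file copied to $inbox does not match the source" }
    return $copied
}

# Usage on a child site server (all values constructed for illustration):
# Get-ForestTrustReport | Format-Table -AutoSize
# Test-FullForestTrust -RemoteForest 'parent.example'
# Export-SitePublicKey -SiteCode 'CH1' -For Parent -PartnerSiteServer 'parentsite.parent.example' `
#                      -PartnerSiteCode 'PR1' -PreinstPath 'D:\SMS\bin\i386\Preinst.exe'
```

Run the export on the child site with -For Parent, then repeat on the parent site with -For Child so each side holds the other's public key; the trust report only tells you whether computer-account site addresses would work, it does not change any site configuration.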
