ConfigMgr with untrusted domain and without PKI

Andreas Molin 36 Reputation points
2021-08-11T12:09:36.15+00:00

Hi all,

We are in a bit of "trouble" here.

At the moment we have our main domain, let's call it xy.com, and a separate domain for our production sites, let's call this zy.com.

In our main domain we have ConfigMgr set up with full PKI infrastructure and everything is working as it is supposed to.
Now we want to expand our current setup to the other domain, and here come the issues where we need help in thinking.

The domain zy.com is not trusted and does not have any PKI in place. There are DNS forwards configured so we can communicate.
Another issue is that every single site is its own island, so to say, that can only communicate with one other network that has access to all sites. (This is where the DC is located.)

My initial thought was to set up a new secondary site at zy.com and one DP at every location. But if I'm right this is not supported since there is no trust between the domains, right?

So the next step was to try and set up a new DP, MP and SUP in the zy.com domain.
But since there is no PKI in place, this communication will not work, am I right?

I've added the forest to the current primary site and replication is working; I can see that the System Management container is updating and everything.

So, how would one go about solving this issue? Or what should the design be like?

Best regards


Accepted answer
  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2021-08-12T14:00:56.563+00:00

    do I have to do anything else when installing the new MP/DP/SUP

    That depends. All of the normal prereqs apply for each of the roles. You'll need an install account as well in the untrusted forest and you'll need to open up the ports between this new site system and the site server as well as the system hosting the site's db. If you want to publish site info into the untrusted forest, you'll also need to open up those ports from the primary site server to a domain controller in that untrusted forest as well as extending the schema in that forest. Client push won't work unless you open up the ports from the primary site server to all of the potential clients (which I doubt you want to do) so you'll have to choose an alternate client agent installation method.

    And will it affect the current MPs/DPs and clients? Or will these continue to use the certificate from the CA?

    They will be unaffected.

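
The accepted answer lists what has to be in place for roles in the untrusted forest (ports from the new site system to the site server and to the site database host, and an alternate client install method because client push cannot cross the firewall), and the earlier answer notes that enhanced HTTP lets the MP and SUP serve clients over plain HTTP without client PKI certificates. The PowerShell below is an added example, not code from the thread or from Microsoft, that turns those points into pre-flight checks and a manual install line. All host names (cm01.xy.com, sql01.xy.com, cmroles01.zy.com), the site code XY1 and the assumption that SQL listens on the default port 1433 are placeholders; the other port numbers are the ConfigMgr and WSUS defaults.

```powershell
# Added example (not from the original thread): pre-flight checks for a
# MP/DP/SUP in an untrusted forest, plus a manual client install line.
# Host names, site code and SQL port below are ASSUMPTIONS to be replaced.

$SiteServer = 'cm01.xy.com'        # primary site server (assumed name)
$SqlServer  = 'sql01.xy.com'       # site database host (assumed name)
$NewRoles   = 'cmroles01.zy.com'   # new MP/DP/SUP in zy.com (assumed name)
$SiteCode   = 'XY1'                # placeholder site code

# Run FROM the new site system. Direction is site system -> target, which is
# the traffic the answer says must be opened towards the site server and DB.
function Test-SiteSystemLinks {
    param([string]$Site = $SiteServer, [string]$Sql = $SqlServer)
    $checks = @(
        @{ Target = $Site; Port = 445;  Purpose = 'SMB to site server (role install, content)' },
        @{ Target = $Site; Port = 135;  Purpose = 'RPC endpoint mapper to site server' },
        @{ Target = $Sql;  Port = 1433; Purpose = 'SQL to site database (assumed default instance)' }
    )
    foreach ($c in $checks) {
        $t = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $c.Target
            Port    = $c.Port
            Open    = $t.TcpTestSucceeded
            Purpose = $c.Purpose
        }
    }
}

# Run FROM a production-site client. With enhanced HTTP the MP answers on
# plain HTTP, so a client with no PKI certificate can still reach it.
# /sms_mp/.sms_aut?mplist is the management point's built-in test URL; an
# HTTP 200 with an XML body means IIS is serving the MP role.
function Test-ClientFacingRoles {
    param([string]$Roles = $NewRoles)
    $mp = try {
        $r = Invoke-WebRequest -Uri "http://$Roles/sms_mp/.sms_aut?mplist" -UseBasicParsing -TimeoutSec 15
        "HTTP $($r.StatusCode), $($r.Content.Length) bytes"
    } catch {
        "FAILED: $($_.Exception.Message)"
    }
    # 8530 is the WSUS default HTTP port that the SUP is normally configured on.
    $sup = Test-NetConnection -ComputerName $Roles -Port 8530 -WarningAction SilentlyContinue
    [pscustomobject]@{
        ManagementPointList = $mp
        SupPort8530Open     = $sup.TcpTestSucceeded
    }
}

# Manual install, since client push from the primary site cannot reach the
# production clients. ccmsetup.exe must first be copied to the client by
# whatever means the locked-down network allows (assumed here to be in the
# current directory). /mp tells ccmsetup which MP to ask for a DP with the
# client package; SMSMP sets the MP the installed client assigns to. There is
# deliberately no /UsePKICert, because these clients have no PKI certificate.
function Install-CMClientManually {
    param([string]$Mp = $NewRoles, [string]$Code = $SiteCode)
    & .\ccmsetup.exe "/mp:$Mp" "SMSSITECODE=$Code" "SMSMP=$Mp"
}

# Usage (each on the machine noted above):
#   Test-SiteSystemLinks   | Format-Table -AutoSize   # on the new site system
#   Test-ClientFacingRoles                            # on a production client
#   Install-CMClientManually                          # on a production client
```

If the site stays in its current HTTPS-only configuration the mplist request over HTTP will fail even when port 80 is open, which is a quick way to confirm whether the "Configuration Manager-generated certificates" (enhanced HTTP) setting discussed in the thread has actually taken effect on the new role server.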

4 additional answers

  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2021-08-11T14:54:15.4+00:00

    Secondary sites are not gateways and will not address the issue of network segregation. They also wouldn't obviate the requirement for PKI certs if your site is HTTPS only. And yes, a trust is also required because SQL replication requires Kerberos auth.

    As for setting up an additional site system hosting the client facing roles (SUP, MP, DP), that is the technical solution here but, correct, if your site requires HTTPS only, then without PKI client certs, this won't work either.

    Thus, the question here is whether or not your site requires HTTPS only client communication? If so, is that a hard requirement for your org (for security or other reasons)? If so, then you have no path here at all until those clients get trusted PKI certs.

    1 person found this answer helpful.

  2. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2021-08-11T20:45:51.333+00:00

    The current primary site is at version 2103, so there is no support for HTTP since it has been deprecated as well...

    This is not a correct statement. The functionality has been deprecated but will not be enforced until next year. Additionally, using enhanced HTTP will fulfill the requirement, which does not require client PKI certificates.

    Yes, you can use enhanced HTTP and HTTPS together.

    A CMG would be possible here as well. For this, the managed devices would need an AAD identity or a ConfigMgr issued token. You would of course also pay for all egress traffic leaving Azure for these devices though. That can be managed and quite cheap, if you start deploying large things across the board, it could get a bit more expensive.


  3. Andreas Molin 36 Reputation points
    2021-08-12T06:31:58.427+00:00

    Okay, then using enhanced HTTP will solve almost every issue at the moment :)

    I can't use the CMG in this case since none of the clients at the production sites have access to the Internet; they are completely locked down to only be able to access specific resources on the network. (Everything is blocked and then opened if needed.)

    If I tick the box to use Configuration Manager-generated certificates, do I have to do anything else when installing the new MP/DP/SUP and installing the agent?
    And will it affect the current MPs/DPs and clients? Or will these continue to use the certificate from the CA?

    Best regards


  4. Andreas Molin 36 Reputation points
    2021-08-20T08:30:19.897+00:00

    Thanks for the reply and help Jason!

    After further discussions it will most likely end in a new separate CM environment.
    This is partly due to the nature of the production sites and also due to the extreme policies in the network.

    Best regards
