Hi,
Yes, it is possible to make one SCCM server work for both domains in separate forests, but it requires proper configuration. You can support clients in a different Active Directory forest by publishing site information to that forest.
Here are the steps you can follow:
- Install Site System Roles: You need to install site system roles in the untrusted forest (Domain B) and publish site information to that Active Directory forest.
- Client Communication: Ensure that the client-to-server communication from clients in Domain B is kept within that forest. Configuration Manager can authenticate the computers using Kerberos if properly configured.
- Certificate Configuration: Since you mentioned issues with certificates, ensure that the certificate authorities (CAs) in both domains are configured to allow cross-forest authentication and that the SCCM server trusts the certificates issued by Domain B's CA.
- Service Location: Clients in Domain B can use Active Directory Domain Services for service location when their site is published to their Active Directory forest. You may also need to configure DNS or directly assign a management point for clients that cannot use Active Directory for service location.
By following these steps, you should be able to manage clients from both domains using a single SCCM server.
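A verification sketch for the steps above, added here as an example and not part of the original answer. It checks that a management point is published to Domain B's Active Directory, that the DNS fallback record resolves, and that the site system can build a trusted chain for a Domain B client certificate. The site code, domain name and certificate path are hypothetical placeholders, and the AD lookup assumes the ActiveDirectory module and an account able to query Domain B.

```powershell
# Added example: run on the site system. All three values are hypothetical placeholders.
$SiteCode   = 'ABC'
$ForestBDns = 'domainb.example'
$CertPath   = 'C:\Temp\domainb-client.cer'   # exported Domain B client certificate (public part only)

Import-Module ActiveDirectory

# 1. Published site information: Configuration Manager writes management point
#    objects under CN=System Management,CN=System,<domain DN>.
$mps = @()
try {
    $domainDn  = (Get-ADDomain -Server $ForestBDns).DistinguishedName
    $container = "CN=System Management,CN=System,$domainDn"
    $filter    = "(&(objectClass=mSSMSManagementPoint)(mSSMSSiteCode=$SiteCode))"
    $mps = @(Get-ADObject -Server $ForestBDns -SearchBase $container `
                 -LDAPFilter $filter -Properties dNSHostName, mSSMSSiteCode -ErrorAction Stop)
} catch {
    Write-Warning ("AD lookup in {0} failed: {1}" -f $ForestBDns, $_.Exception.Message)
}
if ($mps.Count -gt 0) {
    $mps | Select-Object Name, dNSHostName, mSSMSSiteCode
} else {
    Write-Warning ("No management point for site {0} is published in {1}" -f $SiteCode, $ForestBDns)
}

# 2. DNS service location fallback: management points published to DNS
#    appear as an SRV record named _mssms_mp_<sitecode>._tcp.<domain>.
$srvName = "_mssms_mp_${SiteCode}._tcp.$ForestBDns"
$srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
if ($srv.Count -gt 0) {
    $srv | Select-Object NameTarget, Port
} else {
    Write-Warning ("No SRV record {0}; clients without AD service location need an assigned MP" -f $srvName)
}

# 3. Certificate trust: build the chain with this machine's trust stores.
#    An UntrustedRoot status means Domain B's CA is not trusted here;
#    revocation statuses mean the CRL location is not reachable from here.
if (Test-Path -LiteralPath $CertPath) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok    = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        ChainOk = $ok
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
} else {
    Write-Warning ("Certificate file {0} not found" -f $CertPath)
}
```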