
deploying DP in different forest

YaroC 321 Reputation points
2021-02-11T10:35:12.28+00:00

When trying to deploy a DP in a different forest using an account from that forest (rather than adding the MP as local administrator on the target machine), I can see some DP-related folders were created on the machine, and I also see in DP Configuration Status that the DP installation successfully completed. However, Distributing Content fails or gets stuck in "In Process", where the description mentions that either the Site Server has insufficient rights or there isn't enough space. Since there is plenty of space on the target machine, I suspect it's something with access, but the account that was designated to run the deployment is a full local admin on the target host, and it also managed to create the folder structure, which proves it has access. I looked into the PckgXferMgr file on the MP but can't see any detailed information about what's really behind the issue. Has anyone encountered something similar?


7 answers

  1. YaroC 321 Reputation points
    2021-02-15T10:35:26.393+00:00

    Thanks for the detailed explanation. I assigned a different account and managed to distribute the content with success. The problem now is that I can't create bootable media targeting that particular DP, as again it hits permissions: apparently the MP computer account needs to be a local admin on the DP for remote registry, so I'm stuck again, since I can't add that computer account to local admins on the DP.


  2. Simon Ren-MSFT 40,386 Reputation points Microsoft External Staff
    2021-02-15T09:03:52.803+00:00

    Hi,

    Thanks for your reply.

    The corresponding account in Distribution Point is Package access account. A Package access account lets you set NTFS permissions to specify the users and user groups that can access package content on distribution points.

    By default, when Configuration Manager copies the content files to a distribution point, it grants Read access to the local Users group, and Full Control to the local Administrators group. The actual permissions required depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the network access account to access the package content. Make sure that the network access account has permissions to the package by using the defined package access accounts.

    For more information, please refer to: Accounts that Configuration Manager uses

    Thanks for your time.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

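An added example, not code from the thread or from Microsoft: a PowerShell audit of a distribution point content folder against the defaults described in the answer above (local Users = Read, local Administrators = Full Control), with an optional check that a network access account also has Read. The content library path and the account name are assumptions.

```powershell
# Added example (not from the thread). Audits NTFS ACEs on a DP content path
# against the defaults stated above. Path and account names are assumptions.
function Test-DPContentAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $ExtraReadAccounts = @()   # e.g. the network access account used by untrusted-forest clients
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Content path not found: $Path"
    }
    $acl = Get-Acl -LiteralPath $Path
    # Flatten the ACEs so they are easy to inspect and test against
    $results = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
        }
    }
    # Does any Allow ACE for this identity include every bit of the requested right?
    $hasRight = {
        param($id, [System.Security.AccessControl.FileSystemRights] $right)
        [bool]($results | Where-Object {
            $_.Type -eq 'Allow' -and $_.Identity -eq $id -and
            (($_.Rights -band $right) -eq $right)
        })
    }
    $findings = @()
    if (-not (& $hasRight 'BUILTIN\Administrators' 'FullControl')) {
        $findings += 'BUILTIN\Administrators lacks Full Control (expected default)'
    }
    if (-not (& $hasRight 'BUILTIN\Users' 'Read')) {
        $findings += 'BUILTIN\Users lacks Read (expected default)'
    }
    foreach ($acct in $ExtraReadAccounts) {
        if (-not (& $hasRight $acct 'Read')) {
            $findings += "$acct has no Read access; clients relying on it as network access account cannot fetch content"
        }
    }
    [pscustomobject]@{
        Path     = $Path
        Aces     = $results
        Findings = $findings
        Ok       = ($findings.Count -eq 0)
    }
}

# Usage (assumptions: content library on D:, a placeholder network access account)
Test-DPContentAcl -Path 'D:\SCCMContentLib' -ExtraReadAccounts 'CONTOSO\svc-naa' | Format-List Path, Findings, Ok
```

A non-empty Findings list points at the permission side of the "insufficient rights or not enough space" message; run it as a local administrator on the DP.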

  3. YaroC 321 Reputation points
    2021-02-12T10:22:57.33+00:00

    Thanks, but I'm referring to a new Distribution Point, not a MP. I don't have access to the SQL db, so I can't see what accounts are there. Would there be a corresponding Distribution Point connection account?


  4. Simon Ren-MSFT 40,386 Reputation points Microsoft External Staff
    2021-02-12T07:23:30.017+00:00

    Hi,

    Thanks for posting in Microsoft MECM Q&A forum.

    In order for the Management Point to function in a non-trusted forest, ensure that an account has been specified with the appropriate access to the Configuration Manager database: Management Point connection account. If this step is missed you will see the following logging in mpcontrol.log: "logon failed. The logon is from an untrusted domain and cannot be used with Windows authentication"

    The management point uses the Management Point connection account to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure a user account instead. When the management point is in an untrusted domain from the site server, you must specify a user account. Create the account as a low-rights, local account on the computer that runs Microsoft SQL Server.

    The "SQL Native Client 11 Login Failed" error is the same as the guidance:
    Cross Forest Support in ConfigMgr 2012 Part 3: Deploying Site Server / Site Systems in an Untrusted Forest.

    Best regards,
    Simon



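An added example, not code from the thread or from Microsoft: a PowerShell triage function that reads CMTrace-format logs (mpcontrol.log, PkgXferMgr.log) and pulls out the failure signatures quoted in this thread, namely the untrusted-domain logon message above and the "Login failed for user" / PullDP notification errors from the question. The sample log entries, component names and account name are constructed for the demonstration.

```powershell
# Added example (not from the thread). Extracts cross-forest failure signatures
# from CMTrace-format logs. Sample entries below are constructed, not real site output.
function Get-CrossForestLogFailure {
    param([Parameter(Mandatory)] [string[]] $LogPath)
    # CMTrace line layout: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    $linePattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"'
    # Signatures quoted in this thread; -match is case-insensitive by default
    $signatures = [ordered]@{
        UntrustedDomainLogon = 'logon is from an untrusted domain'
        SqlLoginFailed       = 'Login failed for user'
        PullDpNotifyFailed   = 'PullDP.*Notification.*fail'
    }
    foreach ($file in $LogPath) {
        foreach ($line in (Get-Content -LiteralPath $file)) {
            if ($line -match $linePattern) {
                $entry = $Matches   # keep a copy: the inner -match below replaces $Matches
                foreach ($name in $signatures.Keys) {
                    if ($entry.msg -match $signatures[$name]) {
                        [pscustomobject]@{
                            File      = Split-Path -Leaf $file
                            Date      = $entry.date
                            Time      = $entry.time
                            Component = $entry.comp
                            Signature = $name
                            Message   = $entry.msg
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample (assumption: mirrors the wording in the thread, not captured output)
$sample = @(
  '<![LOG[logon failed. The logon is from an untrusted domain and cannot be used with Windows authentication]LOG]!><time="10:35:12.280+00" date="02-11-2021" component="SMS_MP_CONTROL_MANAGER" context="" type="3" thread="1234" file="mpdb.cpp:100">',
  '<![LOG[SQL Native Client 11 Login failed for user OTHERFOREST\placeholder-admin.]LOG]!><time="11:05:35.523+00" date="02-11-2021" component="SMS_PACKAGE_TRANSFER_MANAGER" context="" type="3" thread="5678" file="sql.cpp:200">',
  '<![LOG[Package ABC00001 transferred to DP]LOG]!><time="11:06:00.000+00" date="02-11-2021" component="SMS_PACKAGE_TRANSFER_MANAGER" context="" type="1" thread="5678" file="pkg.cpp:1">'
)
$tmp = Join-Path $env:TEMP 'PkgXferMgr.sample.log'
Set-Content -LiteralPath $tmp -Value $sample
# Expect two hits (UntrustedDomainLogon, SqlLoginFailed); the successful transfer line is ignored
Get-CrossForestLogFailure -LogPath $tmp | Format-Table Signature, Component, Time, Message -AutoSize
```

Point it at the real logs under the site server's Logs folder to see which account and component are actually failing before changing any account assignments.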

  5. YaroC 321 Reputation points
    2021-02-11T11:05:35.523+00:00

    On second look I can now see there are errors in the log saying SQL Native Client 11 Login Failed for User <my local admin account in the target forest> and then PullDP Notification Failed errors.
