MECM Client in a separate forest/domain not working

anaconda1442 96 Reputation points
2021-02-19T20:15:56.527+00:00

Hello Microsoft Endpoint Configuration Manager User Community, I need your help with installing Configuration Manager (CM) client in a separate one-way trusted domain/forest. I will first begin and share information on how our development CM environment was setup. We have Domain Controller A (Server 2016-Active Directory & DNS Server) and SCCM server CB (current branch) authenticated on Domain Controller A (DC-A) and finally a MP/DP server on domain A. We have no problems installing CM Clients on any development computer authenticated to DC-A. We have a separate Domain Controller B (DC-B) (Server 2016-Active Directory & DNS Server) in a separate forest along with a MP server in Domain B. We have development computers authenticated in DC-B. DNS Server Conditional forwarding has been setup between DC-A and DC-B. Computers authenticated in DC-A can ping computers authenticated in DC-B and vice versa. The next step completed was that we setup a one-way domain trust between DC-A and DC-B. Computers in DC-A are trusted in DC-B. Reason why we chose one-way trust is because we are told to do it in CM production environment if it works in the CM development environment. To setup DNS and MP server on Domain B, some instructions from these articles was followed- [https://eskonr.com/2017/02/sccm-configmgr-how-to-manage-clients-in-untrusted-forest/][1] [https://systemcenterdudes.com/installing-sccm-dp-mp-sup-untrusted-domain/][2] With our CM development environment explained, I will describe the problem we are having when installing a CM client on computers authenticated to DC-B. We tried a CM client push install and the install works, as we see the CM client in control panel. However we don't see client certificate installed and see that CCM notifications disabled. See screenshot below. ![70088-squid-cm-client.jpg][3] We tried several solutions and none of them worked- Client Certificate none- [https://www.itreliable.com/wp/sccm-client-certificate-none-issue/][4] [https://forums.prajwaldesai.com/threads/client-certificate-is-none-when-sccm-client-is-installed.712/][5] Has anyone successfully installed a CM Client in a one-way trusted domain? If yes please help & share your experience and thanks in advance. [1]: https://eskonr.com/2017/02/sccm-configmgr-how-to-manage-clients-in-untrusted-forest/ [2]: https://systemcenterdudes.com/installing-sccm-dp-mp-sup-untrusted-domain/ [3]: /api/attachments/70088-squid-cm-client.jpg?platform=QnA [4]: https://www.itreliable.com/wp/sccm-client-certificate-none-issue/ [5]: https://forums.prajwaldesai.com/threads/client-certificate-is-none-when-sccm-client-is-installed.712/

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,416 questions
Microsoft Configuration Manager Application
Microsoft Configuration Manager Application
Microsoft Configuration Manager: An integrated solution for for managing large groups of personal computers and servers.Application: A computer program designed to carry out a specific task other than one relating to the operation of the computer itself, typically to be used by end users.
464 questions
Microsoft Configuration Manager
0 comments No comments
{count} votes

Accepted answer
  1. anaconda1442 96 Reputation points
    2021-02-26T13:57:28.343+00:00

    Hi,

    Sure no problem, thanks for responding.

    I figured out the problem and sccm clients are now receiving certificates and clients are manageable from the sccm console.

    However first of all, let me reply to your response-
    I have correctly configured Forest Discovery and published SCCM site information. I see under Administration>Hierarchy Configuration>Active Directory Forests Discovery Status and Publishing status as succeeded.

    Now after digging through IIS logs on MP server and client install logs, we noticed the client gets an unauthorized error message. I found out the root of the problem is the MP server on domain B needed the setting enabled "require the site server to initiate connections to this site system"

    after that setting was enabled, SCCM clients in Domain B are now receiving certificates and it all now works.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Simon Ren-MSFT 31,446 Reputation points Microsoft Vendor
    2021-02-22T05:22:14.507+00:00

    Hi,

    Thanks for posting in Microsoft MECM Q&A forum.

    1.Please help check the ccmsetup.log, locationServices.log, policyagent.log to see if there is any further information.

    2.Have you correctly configured Forest Discovery and published SCCM site information to the Domain B? For more detailed information, please refer to: Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation.

    Thanks for your time.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments