When deploying Configuration Manager 2007 across multiple Active Directory forests, plan for the following considerations when designing your Configuration Manager 2007 hierarchy:

Communications Across Forest Trusts Within a Configuration Manager Site

There are only two supported scenarios in which site systems within a single site are supported across Active Directory forests:

  • The System Health Validator point, used with Network Access Protection

  • Internet-based client management, which supports the following site systems installed in a separate forest to the site server:

    • Management point

    • Distribution point

    • Software update point

    • Fallback status point

    Note
    Although not the security best practice, the following site systems are also supported if they are installed in a separate forest: server locator point and PXE service point.

In either supported scenario, even if there is a two-way trust between the two forests, or external trusts between the site server's domain and the site system domain, you must specify a Windows user account for installation and configuration of the site system.

There is an additional configuration across forest trusts that applies to the site systems that support Internet-based client management. When these site systems are installed in a different forest than the site server, and you want to ensure that communication is only ever initiated from the site server to the site systems, and never from the site systems to the site server, enable the site system option Allow only site server initiated data transfers from this site system. In an Internet-based client management scenario where these site systems are installed in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet), this configuration ensures that all connections between these site systems and the intranet are only initiated from the intranet, and not from the untrusted network. It is therefore a more secure solution than accepting connections into the intranet that are initiated from the perimeter network. However, if you choose this configuration across forest trusts, be aware of the following considerations:

  • You must configure a Windows user account for installation, even if there is a trust relationship between the two forests.

  • This configuration results in some latency in sending status messages to the site, with a decrease in performance on the site server.

Important
All other site systems within a site that are not listed above must reside within the same Active Directory forest. They can be installed in different domains within the forest, with the exception of the site server, SMS Provider computer, reporting point, and site database server, which must all reside in the same domain.

Communications Across Forest Trusts Between Configuration Manager Sites

A Configuration Manager hierarchy supports primary sites from different Active Directory forests. Configuration Manager does not support secondary sites in a remote Active Directory forest from their parent primary site.

When the hierarchy contains primary sites from different Active Directory forests, you must use the hierarchy maintenance tool (Preinst.exe) to configure manual key exchange because the sites in different Active Directory forests cannot automatically retrieve keys from Active Directory Domain Services. Key exchange is required for signing data that is sent between the sites. For information about the manual exchange of public keys, see How to Manually Exchange Public Keys Between Sites.

When one or more primary sites in the Configuration Manager 2007 site hierarchy are located within different Active Directory forests, an Active Directory forest trust is not required to enable site-to-site communication as long as domain user accounts are correctly configured in the sender address properties for each site. If you do not configure domain user accounts as site address accounts in the sender address properties of each site, the site server computer accounts will be used. When the site server computer accounts are used as the site address accounts, you must have a full Active Directory forest trust between the forests to enable site-to-site communication.

Client SupportAcross Forest Trusts

A Configuration Manager hierarchy supports primary sites and clients in a remote Active Directory forest. In this scenario, ensure that the site systems can successfully resolve the short name of the client computers in the other forest. Most server-initiated actions, such as client push installation and remote control, connect to clients by using the short name of the computer instead of the fully qualified domain name (FQDNA). Configuring the site systems with DNS search suffixes for client computers that are in a different forest is one method to ensure that the short name resolves successfully.

To discover a computer resource in another forest by using Active Directory System Discovery, there must be a forest trust between the site server forest and the forest where the computer is located.

When there is a firewall between the site system and the client, ensure that the firewall is configured to allow communication that is required for Configuration Manager. For a list of ports that are used during client deployment, see Ports Used During Configuration Manager Client Deployment. For more information about the ports that are used after client deployment, see Ports Used by Configuration Manager.

If you have clients that are in a different forest than their assigned site server's forest, use the following additional information to ensure that they are configured correctly.

Configuring Clients Across Active Directory Forests

Configuration Manager 2007 clients on the intranet use Active Directory Domain Services as their primary method of service location and configuration. If you have clients that reside in a separate forest, they cannot retrieve information that is published to Active Directory Domain Services by their assigned site server.

For these clients to be managed, you must ensure that alternative methods are available for the following:

  • Site compatibility check to complete site assignment

  • Service location for management points, and the server locator point if this is not directly assigned

  • Native mode configuration

Configure these clients as if Active Directory Domain Services is not extended for Configuration Manager 2007. The information that these clients will need, and additional configuration steps are listed in the section "Feature and Function Considerations for Extending the Active Directory Schema for Configuration Manager" in Decide If You Should Extend the Active Directory Schema.

Approving Clients (Mixed Mode) Across Active Directory Forests

If the site is in mixed mode, and you are using the site configuration of Automatically approve computers in trusted domains, you must configure the management point with an intranet fully qualified domain name (FQDN).

For more information about approval, see About Client Approval in Configuration Manager and for information about how to specify the management point's FQDN, see How to Configure the Intranet FQDN of Site Systems.

Roaming Support Across Active Directory Forests

Because clients from another forest cannot access site information published to Active Directory Domain Services, they do not have global roaming capability that would enable them to find distribution points in any site in the hierarchy. Instead, they have regional roaming capability, which enables them to find local distribution points when they roam into a site that is lower in the hierarchy than their assigned site. If clients from another forest roam into a sibling site or into a site higher in the hierarchy, they will download package source files from their assigned site. For more information about global and regional roaming behavior, see About Client Roaming in Configuration Manager.

See Also