When your Configuration Manager 2007 hierarchy spans more than one Active Directory forest, but all the site servers and System Health Validator points reside in the same Active Directory forest that has been extended for Configuration Manager 2007, you do not need to decide which forest will publish health state references for Network Access Protection. In this scenario, follow the configuration procedures as if you have a single forest.
However, when the site servers and System Health Validator points do not all reside in the same Active Directory forest, you must identify which forest each of them resides in, identify whether trust relationships exist between those forests, and decide which forest will publish the Configuration Manager health state references.
The Active Directory forest that publishes the health state references must be extended with the Configuration Manager 2007 schema extensions, the site servers must be publishing to Active Directory, and permissions must be set appropriately on the System Management container in Active Directory. These Active Directory dependencies might affect your decision on which forest will be used to publish the Configuration Manager health state references.
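The three dependencies above are worth checking before you commit to a publishing forest. The following script is an added example, not part of the Configuration Manager documentation, and it checks one candidate forest for each of them: that the schema extension is present, that site objects have actually been published to the System Management container, and that the site server account holds full control with inheritance on that container. The forest name, the site server account, the assumption that the System Management container lives in the forest root domain, and the schema object names MS-SMS-Site, mS-SMS-Health-State and mSSMSSite (taken from the Configuration Manager 2007 schema extension) are all assumptions to adjust for your environment.

```powershell
# Added example, not from the Configuration Manager documentation.
# Checks one candidate forest for the Active Directory dependencies of
# publishing health state references. Assumptions (adjust as needed):
# forest DNS name, site server computer account, System Management container
# in the forest root domain, and the ConfigMgr 2007 schema object names.
param(
    [string]$ForestName        = "publish.example.com",   # assumed publishing forest
    [string]$SiteServerAccount = "EXAMPLE\CM07SITE$"      # assumed site server computer account
)

Add-Type -AssemblyName System.DirectoryServices

$ctx          = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest", $ForestName)
$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$rootDomainDn = "DC=" + ($forest.RootDomain.Name -replace "\.", ",DC=")
$schemaDn     = $forest.Schema.Name    # CN=Schema,CN=Configuration,DC=...
$containerPath = "LDAP://$ForestName/CN=System Management,CN=System,$rootDomainDn"

function Test-CMSchemaExtended {
    # Dependency 1: the ConfigMgr 2007 schema extension adds, among others, the
    # MS-SMS-Site class and the mS-SMS-Health-State attribute (assumed names).
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ForestName/$schemaDn")
    $filter   = "(|(cn=MS-SMS-Site)(cn=mS-SMS-Health-State))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, $filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $found = @($searcher.FindAll() | ForEach-Object { $_.Properties["cn"][0] })
    [PSCustomObject]@{ Check = "Schema extended"; Pass = ($found.Count -eq 2); Detail = ($found -join ", ") }
}

function Test-CMSitePublished {
    # Dependency 2: the site server must be publishing; a published site shows up
    # as an mSSMSSite object under the System Management container.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($containerPath)) {
        return [PSCustomObject]@{ Check = "Site published"; Pass = $false; Detail = "System Management container missing" }
    }
    $container = New-Object System.DirectoryServices.DirectoryEntry($containerPath)
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container, "(objectClass=mSSMSSite)")
    $sites = @($searcher.FindAll() | ForEach-Object { $_.Properties["mssmssitecode"][0] })
    [PSCustomObject]@{ Check = "Site published"; Pass = ($sites.Count -gt 0); Detail = ($sites -join ", ") }
}

function Test-CMContainerPermissions {
    # Dependency 3: the site server account needs Full Control on the container,
    # inherited by all child objects, so it can create and update site objects.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($containerPath)) {
        return [PSCustomObject]@{ Check = "Container permissions"; Pass = $false; Detail = "System Management container missing" }
    }
    $container = New-Object System.DirectoryServices.DirectoryEntry($containerPath)
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ace = $container.ObjectSecurity.Access | Where-Object {
        $_.IdentityReference.Value -eq $SiteServerAccount -and
        $_.AccessControlType -eq "Allow" -and
        (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl) -and
        $_.InheritanceType -eq "All"
    }
    $detail = if ($ace) { "Full Control (inherited to all descendants)" } else { "no matching Allow ACE for $SiteServerAccount" }
    [PSCustomObject]@{ Check = "Container permissions"; Pass = [bool]$ace; Detail = $detail }
}

# Run all three checks and report; any failed row rules the forest out until fixed.
$results = @((Test-CMSchemaExtended), (Test-CMSitePublished), (Test-CMContainerPermissions))
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it from an account that can read the schema and the System Management container of the candidate forest. A failure on the schema check means the forest cannot publish until it is extended; a failure on the permissions check is the usual cause of a site server that is configured to publish but has not created a site object.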
The following scenarios identify four basic configurations when Network Access Protection in Configuration Manager spans multiple Active Directory forests. Use these scenarios to help you decide which Active Directory forest will publish the health state references.
- Site servers reside in one Active Directory forest, and
all System Health Validator points reside in another
Active Directory forest. Configuration Manager health state
references are published to the forest that contains the site
servers. Choose this option if you can extend the schema of the
forest that contains the site servers, for example when the System
Health Validator points reside in a perimeter network whose forest
you do not want to extend.
- Site servers reside in one Active Directory forest, and
all System Health Validator points reside in another
Active Directory forest. Configuration Manager health state
references are published to the forest that contains the System
Health Validator points. Choose this option if you cannot extend
the schema of the forest that contains the site servers, but you
can extend the schema of the forest that contains the System
Health Validator points.
- Site servers reside in one Active Directory forest, and
all System Health Validator points reside in another Active
Directory forest. Configuration Manager health state references are
published to a third Active Directory forest that has trust
relationships with the other two forests (either a forest trust or
external domain trusts). Choose this option if you cannot extend
the schema of either forest, but you can extend the schema of a new
or existing forest that can be trusted by both.
- Site servers reside in one Active Directory forest, and
all System Health Validator points reside in another
Active Directory forest. Configuration Manager health state
references are published to a third Active Directory forest that
has no trust relationships with the other two forests (neither a
forest trust nor external domain trusts). Choose this option if you
cannot extend the schema of either forest, but you can extend the
schema of a new or existing forest that cannot have any trust
relationships with the other two forests.
For information on how to provision Active Directory Domain Services for each scenario, see How to Deploy Network Access Protection Across Multiple Forests.