What about firewall rules between the MP/DP/SUP in the remote domain and the Primary Site?
________________________________
From: listsad...@lists.myitforum.com <listsad...@lists.myitforum.com> on behalf of Jason Sandys <ja...@sandys.us>
Sent: Wednesday, November 9, 2016 11:04:52 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: SCCM - Untrusted domain support

There's really nothing very special about it. They need to be domain joined in that forest and you'll need a connection and installation account. That's truly it.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Wednesday, November 9, 2016 7:42 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Re: SCCM - Untrusted domain support

Does anyone have any guidance/info/links on setting up DP/MP/SUP in untrusted domains? I think this is the direction I am leaning to go with supporting the requirements for my environment.

Thanks,
Brian

________________________________
From: listsad...@lists.myitforum.com <listsad...@lists.myitforum.com> on behalf of Jason Sandys <ja...@sandys.us>
Sent: Tuesday, November 8, 2016 11:29:27 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: SCCM - Untrusted domain support

Don't mix up AD domain trusts and certificate trust -- they are not the same thing. If you are using Microsoft enterprise CAs, they align, but that's only a convenience, not a hard-link or requirement.

J

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Mote, Todd
Sent: Tuesday, November 8, 2016 8:31 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: SCCM - Untrusted domain support

As far as my experience has shown me, I have three domains all untrusting of each other and the only way I can get all of those clients into the SCCM in our primary domain is by either each domain having its own CA, that you tell SCCM about, so it can verify the client cert chains, or issuing certificates from the primary domain's CA for all of the untrusted domain's clients.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Monday, November 7, 2016 7:56 PM
To: mssms@lists.myitforum.com
Subject: [mssms] SCCM - Untrusted domain support

Hello,

We are in the process of severing domain trusts between our legacy domain(s) and new domain.

Domain A = New Domain (CM Current Branch)
Domain B = Old Legacy Domain #1 (CM 12R2 SP1)
Domain C = Old Legacy Domain #2
Domain D = Old Legacy Domain #3

In Domain B, I currently have SCCM 2012 R2 SP1 deployed. This environment supports clients in Domain A, B, C, D. As mentioned above, we will be breaking domain trusts.

The question I have is will I need to deploy certs to support clients in these domains once the trust is broken? Are there any actions I need to take to support these clients once we break the trust between the domains?

Jason Sandys responded to a previous email of mine, a slightly different scenario that I was explaining. I'd like to know if the same rules apply here. Eventually I will be migrating my SCCM infrastructure from Domain B to Domain A. Are there any other considerations I should be making as far as support with certificates?

Thanks,
Brian

Sent from my iPhone