3

In a lab environment, I am attempting to configure an SCCM server (2007) to be our patch solution across three different domains.

DOMAIN A (domA.sample):
The trusted domain. SCCM01 (Server) is on this network.

DOMAIN B (domB.sample):
One way trust between the two domains. DOMAIN B trusts DOMAIN A, but not the other way around.

DOMAIN C (domC.sample):
No trust between this domain and any other domain.

SCCM is set up and running on DOMAIN A. Any server on that domain will receive patches. I am currently working on Domain B (1-way trust). I am unable to add or find the systems in my SCCM server. I am able to install the client manually on ServerA.domB.sample, and the site code comes back correct, even if I rediscover the site code, but somehow the ServerA is not communicating with SCCM01.

What I've tried:

http://social.technet.microsoft.com/Forums/en-US/configmgrgeneral/thread/6f06bbf1-6ff4-4a41-9d42-894c1a6e13ea
http://scexblog.blogspot.com/2010/06/sccm-discover-another-trusted-domain.html

Anyone have experience with SCCM?

Jeff

3 Answers

1

I want to say that I don't think that the trust matters all that much. It's been a while since I went through this, so I don't want to give you any BS answers. But from what I vaguely recall, I think it has something to do with setting up an SCCM Network Access Account.

Here is some reading for you:

j0k
The_Ratzenator
  • It turns out we were able to get it working. A few things hindered us (so if you are trying to do this, you may want to check them out). 1) Someone decided to "harden" the systems by making registry changes. Get SCCM (or any application) working PRIOR to hardening. 2) configure IP ranges. That was the big issue I was having. The above links should help out as well (thanks Ron). – Jeff Feb 11 '13 at 17:35
0

If the end goal is simply to have a patching solution across disparate domains, SCCM is probably more trouble than it's worth. You can set up WSUS and just use group policy in each domain to point to it. Client-side targeting would also allow you to keep the groups of systems separate.

If SCCM is actually required for other reasons, I'll leave it to other answers to provide that help.

Ryan Bolger
  • Unfortunately, I do have to use SCCM. I may be able to implement something else as a backup (scripts, Altiris, something else), but SCCM has been designated as the primary solution. – Jeff Sep 11 '12 at 20:07
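A check for the WSUS approach described in this answer, added here as an example and not part of the original answer: it reads the Windows Update policy values that Group Policy writes on a client and compares them with the server and client-side targeting group you expect. The host name wsus01, the ports and the group name DomB-Servers are constructed placeholders.

```powershell
# Added example, not from the original answer. Host names, ports and the group
# name are constructed placeholders.

# Read the Windows Update policy values that Group Policy writes on a client.
function Get-WsusClientPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuProps = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $auProps = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    @{
        WUServer           = $wuProps.WUServer
        WUStatusServer     = $wuProps.WUStatusServer
        TargetGroupEnabled = $wuProps.TargetGroupEnabled
        TargetGroup        = $wuProps.TargetGroup
        UseWUServer        = $auProps.UseWUServer
    }
}

# Compare a policy (live registry by default) with the expected server and group.
function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$ExpectedServer,
        [Parameter(Mandatory=$true)][string]$ExpectedGroup,
        [hashtable]$Policy = (Get-WsusClientPolicy)
    )
    $problems = @()
    $server = "$($Policy.WUServer)".TrimEnd('/')
    $status = "$($Policy.WUStatusServer)".TrimEnd('/')
    if ($Policy.UseWUServer -ne 1) { $problems += 'UseWUServer is not 1, so WUServer is ignored.' }
    if ($server -ne $ExpectedServer.TrimEnd('/')) { $problems += "WUServer is '$server', expected '$ExpectedServer'." }
    if ($status -ne $server) { $problems += "WUStatusServer '$status' does not match WUServer." }
    # Plain HTTP leaves update metadata unprotected in transit.
    if ($server -notlike 'https://*') { $problems += 'WUServer is not an https:// URL.' }
    # TargetGroup may hold several groups separated by semicolons.
    $groups = "$($Policy.TargetGroup)" -split ';' | ForEach-Object { $_.Trim() }
    if ($Policy.TargetGroupEnabled -ne 1 -or $groups -notcontains $ExpectedGroup) {
        $problems += "Client-side targeting is off or does not include '$ExpectedGroup'."
    }
    New-Object PSObject -Property @{ Compliant = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: a client in domB.sample whose GPO has a mismatched status URL.
$sample = @{
    WUServer = 'http://wsus01.domA.sample:8530'; WUStatusServer = 'http://wsus01.domA.sample'
    TargetGroupEnabled = 1; TargetGroup = 'DomB-Servers'; UseWUServer = 1
}
$result = Test-WsusClientPolicy -ExpectedServer 'https://wsus01.domA.sample:8531' -ExpectedGroup 'DomB-Servers' -Policy $sample
$result.Problems
```

Omit `-Policy` when running it on a client to check the live registry instead of the sample.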
0

Another "work-around" type answer:

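cls

$myScriptPurpose = "Welcome!"
$mytrash = "c:\temp\trashFile.txt"

# Prompt for credentials, then pick the server list and output file for that domain.
# Results are stored in script scope so that patch and cleanUp can see them.
function getCred {

    $mycredential = $host.ui.PromptForCredential("patch systems", "Please enter your user name and password.", "", "NetBiosUserName")

    if (!$mycredential) {
        $myErr = "Please enter a value!"
        $myErr
        exit
    }

    $script:mypass = $mycredential.GetNetworkCredential().Password
    $script:myuser = $mycredential.GetNetworkCredential().UserName
    $script:mydomain = $mycredential.GetNetworkCredential().Domain

    # Case-insensitive comparison; 0 means the strings are equal.
    $isDomain1 = [string]::Compare($script:mydomain, "domain1", $True)
    $isDomain2 = [string]::Compare($script:mydomain, "domain2", $True)

    if ($isDomain1 -eq 0) {
        $script:myservers = Get-Content input\domain1ListOfServers.txt
        $script:myoutputfile = "output-domain1.txt"
    }
    elseif ($isDomain2 -eq 0) {
        $script:myservers = Get-Content input\domain2ListOfServers.txt
        $script:myoutputfile = "output-domain2.txt"
    }
    else {
        $myErr = "Unknown domain!"
        $myErr
        exit
    }

    # Create (or empty) the output file.
    $null | Out-File $script:myoutputfile
}

# Copy the patch folder to each server, run the installer there, then remove it.
function patch {

    foreach ($server in $myservers) {
        Write-Host "Copying folder."
        # /I treats the destination as a directory, so xcopy does not stop to ask.
        xcopy c:\pathToPatches \\$server\c$\temp\patchJob /I /Y > $mytrash
        Write-Host "Installing patches on $server."
        # Note: -p puts the password on the psexec command line, where it is visible in the local process list.
        # PsExec cannot start a .vbs file directly, so run it through cscript.exe.
        psexec \\$server -u $mydomain\$myuser -p $mypass -i cscript.exe c:\temp\patchjob\install.vbs 2> $mytrash

        Write-Host "Cleaning up."
        # del is a cmd.exe built-in, so it has to be run through cmd /c.
        psexec \\$server -u $mydomain\$myuser -p $mypass -i cmd /c del "c:\temp\patchjob\install.vbs" 2> $mytrash
        Write-Host " Done."
    }
}

# Delete the scratch file and clear the variables, including the stored password.
function cleanUp {

    del c:\temp\trashFile.txt

    # The my* variables live in script scope; is* only ever existed inside getCred.
    Remove-Variable my* -Scope Script -ErrorAction SilentlyContinue
    Remove-Variable is* -ErrorAction SilentlyContinue
}

getCred
patch
cleanUp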
Jeff