Forums on Intune, SCCM, and Windows 11


SCCM - Multi Domain - PKI and Non-PKI

graemeswalker

New Member
Messages
4
Reaction score
0
Points
1
Hi,

I've a bit of a problem with my company SCCM setup.
We have SCCM fully running in our OFFICE domain - running PKI and all is fine.

Now, we need to also manage clients in our MFG domain, which is not running PKI.
This domain is totally separate, but there is a full two-way trust between them.

Is there a way for the SCCM Management and Distribution points on our OFFICE server to manage the MFG clients - bearing in mind at present the client installation on MFG machines fails as it has no certificate?

MFG domain DNS has the management point FQDN as a service locator record and it is able to find the Management point in the OFFICE domain.

Or is the option a second Management/Distribution Point in this MFG domain that is only set as HTTP?

Thanks,
Graeme
 
Graeme,

Were you able to figure this out? I currently have 2 domains with a 2-way domain trust. I enabled PKI in both domains, but SCCM resides in Domain A and can no longer install the client in Domain B.

Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server.
 
Hi,

No unfortunately I have not got this resolved as of yet – it is such a small number of machines in our other domain that we’re just going to do without managing them as they’re all on the same site.

I believe I would need a second Management & Distribution Point in this domain that is allowed to have standard HTTP (or self signed certs HTTPS) that would communicate with the main database – which would also mean changing our boundaries to run this.

It will be something I pick up but there are more pressing issues – I’d just like the clarity on my idea/solution before going forward.

Graeme
 
Is anyone able to offer any insight into this, or my proposed setup?
It's back on my radar after having to drop it for Windows 10 upgrades and O365 deployments.

I do think the idea of a MP/DP in my MFG domain will work but it is just the PKI that adds confusion. I plan to look at this MFG domain as a DMZ with clients being all on the same domain rather than workgroups - don't think that would matter.

The SCCM Primary site is set to allow HTTP or HTTPS communications so a site in the MFG domain can use self signed certs.
I am thinking that the MFG AD schema will need extending to allow system discovery.

I feel confident this would work but wouldn't mind someone with a bit more experience telling me if I am on the right track or not.

Thanks,
Graeme
 
Hi!

Any updates on this? We have two domains with SCCM and CA in domain1. Before we switched to PKI on the SCCM server all the clients from domain2 could install the SCCM client using a self-signed certificate, and even after switching to PKI the existing clients are still able to connect to SCCM. New clients, however, won't find the DP/MP.
 
Hi All, I searched for months and ended up not having much luck in finding a useful resource for this question.

After much tinkering with our SCCM deployment we found the most effective solution was to do it with PKI, as deploying more management points didn't make sense when we already had AD and just needed to add ADCS.

One thing we did learn was try to have both your ADCS root certificates the same, we didn't and it caused us a bit of grief with SCCM. For those with only a small amount of devices you could manually generate certificates out of your CA for each machine.
 
Thanks for the update! Our second domain is small and will soon be decommissioned..

Do you have any reference/guide to "manually generate certs"? I thought of that as well but didn't manage to figure out how to.
 
No, I don't have any reference details unfortunately. I would imagine it would really be a matter of doing the following:
1. Generate a CSR on the computer
2. Submit the CSR to the CA
3. Download the returned certificate
4. Install the certificate

I would imagine there would need to be some customisation done to the CA to enable device certificates to be issued this way.

There are some options in this link as well https://serverfault.com/questions/9...machine-cert-for-a-non-domain-joined-computer

Would really come down to engineering something to work for your particular environment.
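The four steps above as a scripted example using certreq; this is added here and is not code from the thread or from Microsoft. The client FQDN, the CA config string and the template name are placeholders (assumptions), and it assumes the template on the OFFICE CA carries the Client Authentication EKU and grants Enroll to the MFG computer account across the trust.

```powershell
# Added example: manually issuing a Configuration Manager client certificate
# for a machine that cannot auto-enroll (CSR -> submit -> download -> install).
# Run in an elevated PowerShell on the MFG client. Placeholders to replace:
$Fqdn     = 'client01.mfg.example.com'                     # assumed client FQDN
$CaConfig = 'ca01.office.example.com\Office Issuing CA'    # "<CA host>\<CA name>" (see: certutil -dump)
$Template = 'ConfigMgrClientCertificate'                   # assumed template name on the CA
$Work     = 'C:\Temp\ccmcert'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Step 1: request definition. The key lives in the machine store (MachineKeySet),
# is non-exportable, and the EKU is Client Authentication (1.3.6.1.5.5.7.3.2),
# which the ConfigMgr client needs when talking to an HTTPS MP. SAN carries the FQDN.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Step 1 (cont.): generate the key pair and the CSR
certreq -new "$Work\request.inf" "$Work\request.req"

# Steps 2 and 3: submit the CSR to the CA in the OFFICE domain and receive the cert.
# The account running this needs Enroll permission on the template across the trust.
certreq -submit -config $CaConfig "$Work\request.req" "$Work\client.cer"

# Step 4: bind the issued certificate to its private key in LocalMachine\My
certreq -accept "$Work\client.cer"

# Verify: a cert for this FQDN with a private key and the Client Authentication EKU
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Select-Object Subject, Issuer, NotAfter,
        @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } }
```

The site only accepts the certificate if the issuing chain's root is listed under the site's trusted root CAs, which is the root-certificate mismatch mentioned earlier in the thread.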
 