Kiltedjedi Posted April 9, 2014

Hi all,

SCCM 2012 R2 CU1

I'm currently banging my head against a brick wall here. I have a primary site server in one domain, and need to manage clients in a separate untrusted domain. There is a point-to-point firewall rule to allow the necessary ports between the MP and the primary site.

I have successfully configured an MP and DP in the domain, and all the clients are installed, reporting in to the site correctly and receiving policy.

I have installed a primary SUP on the primary site server, synced successfully with MS and been able to deploy patches in the same domain.

I have installed a SUP on the foreign-domain MP, which is syncing back to the primary SUP and shows as healthy in the primary site console. I have confirmed in the WSUS console on the MP that it is set to sync from the primary site, and have successfully run synchronisations. I can patch from the SCCM client on the MP, as the firewall is open between the two servers.

However, the clients in the foreign domain are registering the update source as the SUP on the primary site server, so they are throwing up the expected errors, as there are no ports open from the clients directly to the primary site server.

Is there a way I can force the SUP settings in this domain to look towards the SUP installed on the MP for the domain? There is no internet access, so I cannot use Microsoft Update as a source.

Thanks in advance

Jassen
Peter van der Woude Posted April 9, 2014

Well... that's one of those things that doesn't work as nicely as it looks in a design. Both the MP and the SUP can be installed multiple times within a site, BUT you cannot define which one will be used by the client. The client will pick either of them at random. With the SUP, it should be that after, I thought, three failures, it switches to a different SUP. The easiest way to prevent this is by installing a secondary site (there goes the flat design...).
Kiltedjedi Posted April 10, 2014

> Well... that's one of those things that doesn't work as nicely as it looks in a design. Both the MP and the SUP can be installed multiple times within a site, BUT you cannot define which one will be used by the client. The client will pick either of them at random. With the SUP, it should be that after, I thought, three failures, it switches to a different SUP. The easiest way to prevent this is by installing a secondary site (there goes the flat design...).

Hmm, I would have thought that with properly defined boundaries the client should talk to the SUP in its own domain.

It would be really useful if MS allowed us to determine the intranet software update point in the client settings, much like the GPO settings.

Also, we can't use secondary sites in an untrusted domain.
anyweb Posted April 11, 2014

> BUT you cannot define which one will be used by the client. The client will pick either of them at random.

Agreed, but you can use Rob's tools here to force a client to use a specific management point (basically by denying access to another MP via the local hosts file...); perhaps the same will work for SUP selection.
Peter van der Woude Posted April 11, 2014

> Hmm, I would have thought that with properly defined boundaries the client should talk to the SUP in its own domain. It would be really useful if MS allowed us to determine the intranet software update point in the client settings, much like the GPO settings. Also, we can't use secondary sites in an untrusted domain.

I can't find any real documentation about it, but here is a nice discussion about this subject: http://social.technet.microsoft.com/Forums/en-US/85787201-bdb1-418b-8842-e0770721bc49/how-does-a-client-select-a-management-point

Specifically the answer of Kent, which states that the client will select in this order:
1. Local forest
2. HTTPS
3. Randomly in the site
Kiltedjedi Posted May 7, 2014

Hi,

Those are all good for forcing a management point. Unfortunately (for me anyway), the management point is not an issue, as all clients in Domain B are registered with the desired MP.

What I have is:

Domain A
- CAS
- Primary site server
- Management point
- DP
- SUP
- DB

Domain B
- Additional site server
- Management point
- DP
- SUP

I have point-to-point firewall rules between the two servers, and comms are working well. The clients in Domain B are registered on the site and have picked up the server in Domain B as the management point.

What I am seeing is that the software update source server is coming in as the primary site server in Domain A.

I am also seeing that the software update point is not synchronising from a source within the SCCM environment: where the primary site is syncing from the CAS, I have a blue exclamation and the sync source is listed as Microsoft (WSUS on the server in Domain B was configured as a full WSUS prior to the SCCM SUP install).

What I cannot do is:
1. Establish a domain trust between the domains, i.e. no secondary site within the domain.
2. Open the firewall from all the servers in Domain B to the primary site server in Domain A; just not politically viable.
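To pin down which software update point a Domain B client has actually been handed, and whether it can reach it through the firewall, here is an added PowerShell check to run on a client (example code, not from the thread or from Microsoft; the SUP hostname `sup-domainb.example.local` is a constructed placeholder):

```powershell
# Added example: report the WSUS/SUP server a ConfigMgr client is using and test reachability.
# $ExpectedSup is an assumption: replace it with the FQDN of the SUP on the Domain B MP.
$ExpectedSup = 'sup-domainb.example.local'

# 1. Update source recorded by the ConfigMgr WUA handler (root\ccm\SoftwareUpdates\WUAHandler).
$src = Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' `
                       -ClassName CCM_UpdateSource -ErrorAction SilentlyContinue
if ($src) {
    "CCM_UpdateSource.ContentLocation : $($src.ContentLocation)"
} else {
    'CCM_UpdateSource is empty; the client has not evaluated an update deployment yet.'
}

# 2. WSUS server the ConfigMgr client wrote into local policy for the Windows Update Agent.
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                       -ErrorAction SilentlyContinue
"Local policy WUServer            : $($wu.WUServer)"

# 3. Most recent server the WUA handler switched the agent to, from WUAHandler.log.
$log = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
if (Test-Path $log) {
    $last = Select-String -Path $log -Pattern 'to use server' | Select-Object -Last 1
    if ($last) { "WUAHandler.log (last)            : $($last.Line)" }
}

# 4. Compare each assigned server with the expected SUP and test the TCP port (8530/8531 by default).
foreach ($url in @($src.ContentLocation, $wu.WUServer) | Where-Object { $_ }) {
    $u     = [Uri]$url
    $match = if ($u.Host -ieq $ExpectedSup) { 'OK' } else { 'MISMATCH (points at the other SUP)' }
    $tcp   = Test-NetConnection -ComputerName $u.Host -Port $u.Port -WarningAction SilentlyContinue
    '{0,-40} host={1} port={2} expected={3} reachable={4}' -f `
        $url, $u.Host, $u.Port, $match, $tcp.TcpTestSucceeded
}
```

A MISMATCH with reachable=False is exactly the symptom described above: the client has been assigned the Domain A SUP, which the firewall does not allow it to reach.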
Kiltedjedi Posted May 9, 2014

OK, breakthrough. I've found an issue where WSUS was receiving an HTTP 401 unauthorised error. Eventually the fix turned out to be adding the WSUS connection account into the built-in IIS user group on the gateway server.

Now the SUP is doing the round-robin thing around the available SUPs, and I can now deliver patches from the untrusted domain.

I still think it would be useful to have the preferred intranet source in the client settings.