ImaNewb
Posted February 15, 2022

SCCM Client Management 2 separate domains with two-way trust

I am trying to manage a 2nd domain, separate forest with two-way domain trust but I cannot install the SCCM Client.

Setup:

Domain A (SCCM Server, etc.)
- PKI CA configuration
- SCCM CB with HTTPS communication

Domain B:
- Handful of workstations and 4 Servers
- No CA in the domain

Domain A is working fine and has been for over a year.

- We set up a two-way trust with Domain B
- Added DNS secondary zones between both domains
- Established site to site VPN and routing. I can ping and RDP to either domain from either domain.
- Added Domain A SCCM Service accounts to a security group on Domain B for necessary permissions to manage the client.
- Extended the Schema on Domain B and imported the PKI CA from Domain A into Domain B for Cross-Forest PKI implementation. (AD CS: Deploying Cross-forest Certificate Enrollment | Microsoft Docs)
- Added Domain B into the Hierarchy configuration on SCCM, I can see users and computers imported from AD on Domain B

I push client install to a couple of machines for testing but they fail.
CCMSetup Error Snippet:

Sending message body '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1"> <AssignedSite SiteCode="111"/> <ClientPackage RequestForLatest="0" DeploymentFlags="4098"/> <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0"> <ADSite Name="Domain.B"/> <Forest Name="Domain.B"/> <Domain Name="Domain.B"/> <IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters> </ClientLocationInfo> </ContentLocationRequest> ' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending location request to 'SCCM.Domain.A' with payload '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1"> <AssignedSite SiteCode="111"/> <ClientPackage RequestForLatest="0" DeploymentFlags="4098"/> <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0"> <ADSite Name="Domain.B"/> <Forest Name="Domain.B"/> <Domain Name="Domain.B"/> <IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters> </ClientLocationInfo> </ContentLocationRequest> ' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070002. Defaulting to state of 480. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
MapNLMCostDataToCCMCost() returning Cost 0x1 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to connect to machine policy namespace. 0x8004100e ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is on internet ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is set to use webproxy if available. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[CCMHTTP] ERROR: URL=https://SCCM.Domain.A/ccm_system/request, Port=0, Options=480, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[CCMHTTP] ERROR INFO: StatusCode=200 StatusText= ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed (0x87d00454) to send location request to 'SCCM.Domain.A'. StatusCode 200, StatusText '' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to send location message to 'HTTPS://SCCM.Domain.A'. Status text '' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
GetDPLocations failed with error 0x87d00454 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to get DP locations as the expected version from MP 'HTTPS://SCCM.Domain.A'. Error 0x87d00454 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending state '101'... ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to get client version for sending state messages. Error 0x8004100e ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[] Params to send '5.0.9068.1008 Deployment Error: 0x0, ' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending Fallback Status Point message to 'SCCM.Domain.A', STATEID='101'. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
<ClientDeploymentMessage ErrorCode="0"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage> ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
State message with TopicType 800 and TopicId {7E7B1ABB-69EC-477A-B8AE-C55E383EBE6D} has been sent to the FSP FSPStateMessage 2/14/2022 5:46:48 PM 12672 (0x3180)

I know it is a Cert issue at this point but I am lost on what else I would need to do to get this fixed. Should I create and deploy a CA in Domain B? But then that brings me to the issue of how to add that Cert into SCCM without hijacking the Domain A Cert....

Any guidance is greatly appreciated!
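
The ccmsetup log above stops at CCM_E_NO_CLIENT_PKI_CERT against the HTTPS management point. As an added example (not part of the original post), the PowerShell below audits the computer Personal store on a failing Domain B client and reports, per certificate, whether it has a private key, the Client Authentication EKU, a current validity period and a chain that builds in machine context. The function name Get-ClientAuthCertReport is hypothetical.

```powershell
# Added example: audit the computer Personal store for a usable client certificate.
# Run in an elevated PowerShell session on the client where ccmsetup fails.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCertReport {     # hypothetical helper name
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
        $ekuOids = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        # Build the chain in machine context, since the client agent runs as SYSTEM.
        # A failure here shows whether the issuing CA from the other forest is
        # trusted on this machine and whether its CRL can be reached.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        $now = Get-Date
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = $ekuOids -contains $ClientAuthOid
            TimeValid     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ChainBuilds   = $chainOk
            ChainStatus   = $chainStatus
        }
    }
}

Get-ClientAuthCertReport | Format-List
```

No output at all, or no certificate with HasPrivateKey, ClientAuthEku, TimeValid and ChainBuilds all true, is consistent with the "doesn't have PKI cert" line in the log.
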
ImaNewb
Posted February 21, 2022

Anyone?