The question of how to manage systems in a multi-forest Active Directory (AD) infrastructure using System Center Configuration Manager (ConfigMgr) comes up quite often in online forums and at customers; this post will summarize and detail the answers I’ve given (over and over again).
The Really Short Answer
It doesn’t matter, and ConfigMgr doesn’t care.
The Short Answer
For client management activities, ConfigMgr neither relies on or requires AD in any way, so multiple domains or forests with or without trusts are irrelevant. If you intend to target users in untrusted domains or forests, then you will need to have a site system with the management point role installed in that untrusted domain or forest to perform authentication and authorization.
The Detailed Answer
Just knowing the really short and short answers don’t help much if you are designing a ConfigMgr implementation in a multi-forest or domain environment so here are some additional details.
[note]Niel Peterson posted a four part series titled Cross Forest Support in ConfigMgr 2012 about five years ago. His series is still relevant and [almost completely] accurate for ConfigMgr Current Branch (CB) so reading it will help you learn how to set up ConfigMgr for common scenarios. His blog post series jumps straight into the scenarios without always explaining the whys though leading many to draw the conclusion that they need to do “something”. It also doesn’t focus solely on domains and forests so that’s where this post comes in although I won’t in general cover the details he did there. [/note]
Firewalls and Network Segregation
First, don’t confuse multiple forests and domains with network segregation, isolation, or traffic filtering. They are independent constructs. Your organization may have separated domain and forest members from each other by a firewall (or other traffic filtering mechanism) but this is technically unrelated to their forest and domain membership and thus must be accounted for separately and distinctly. For firewalls and segregated networks, you need to open ports and design for network traffic flow which is not the topic of this post.
Similar to firewalls and network segregation is WAN separation of managed clients and the answer is the same here: they are technically independent and must be planned for separately and distinctly. For WAN separated clients, you typically place distribution points or secondary sites across the WAN link at the remote locations or use a peer-to-peer content solution such as 1E’s Nomad. This is also not the topic of this post, however.
AD Domains and Forests
For AD domains and forests, you need to design for what domains and forests do — hint, it’s not network traffic related in any way. Domains and forests are about identity and authentication.
That doesn’t mean that ConfigMgr doesn’t authenticate activity or identity (it most certainly does); it just means that it [mostly] doesn’t use AD for authentication. So, the question becomes “If ConfigMgr doesn’t use the identity or authentication services of AD for client management, what does it use?”
And the answer is … certificates.
When using HTTPS client communication in ConfigMgr, a [unique] client authentication certificate issued from a trusted PKI is required for each managed system. As the type name implies, these certificates are used for authentication; identity is part of authentication, and the certificate serves this purpose as well.
But what about ConfigMgr sites that are not using HTTPS client communication? Well, it’s the same answer. The certificates are slightly different though: they are still client authentication certificates, but instead of being issued from a trusted PKI, they are self-signed (and self-generated). If you open certificates MMC snap-in for the Computer account of any ConfigMgr managed system not using HTTPS client communication, you will see an SMS certificate store. This store contains two certificates as shown in the figure below that the local ConfigMgr client agent uses. (SMS here of course, as always, means Super-wicked-awesome Management Server).