Multi forest support in ConfigMgr 2012 Part II – There can be only one Network Access Account… or…

In part one I explained how you can get support for clients that are installed in an untrusted forest. In this post I'll explain a slightly different scenario: two untrusted forests, with local site systems installed in the untrusted forest. Installing user-facing site system roles such as a Management Point and a Distribution Point there is fully supported. The problem with installing a Distribution Point in the untrusted forest is the Network Access Account. This account is used when deploying operating systems and, in some scenarios, when clients access the distribution point. Without a trust this process fails, because the ConfigMgr agent connects using the Network Access Account created in the same forest as the primary site server, an account the DP's own forest cannot authenticate.

Use Multiple Network Access Accounts

The solution is to create a local account with the same password on each Distribution Point. Instead of writing the name of one distribution point into the account (which you cannot, because you have multiple DPs), I specify a variable that I will later create on the clients. Below is my account, %SMSDPNetbios%\CM_NAA.


How to implement multiple network access accounts

The trick is to figure out which DP the client will use, create the %SMSDPNetbios% variable and match it to that local Distribution Point. To solve that challenge I use this script (huge thanks to Claus Codam for assisting with it), which finds the local DP and automatically creates the variable on the client. That way the ConfigMgr client uses the local account on the DP server when accessing the distribution point.

How to implement the solution

You must run the script twice to get OSD running: the first time while in WinPE and the second time after booting into the "correct" operating system. To run the script in WinPE, add it to your boot image and create a prestart command like this: cscript.exe GetDPNetbios.vbs 1. The script reads the smsts.log file, gets the DP from the log and creates the environment variable. Once you have restarted into Windows, create a Run Command Line step: cscript.exe GetDPNetbios.vbs 2. This creates the environment variable again, but this time in the Windows operating system.
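The author's GetDPNetbios.vbs is not reproduced on this page, so here is the same logic as an added Python illustration (not the author's script): try the smsts.log locations in order, take the DP host from the last "Setting URL" line, and validate the result before it is used as %SMSDPNetbios%. The path list, the sample log lines and the regular expression are assumptions; the pattern allows hyphens, which is the fix Hermann reports in the comments below.

```python
import re
from pathlib import Path

# smsts.log locations to try in order (constructed list; includes the
# X:\Windows\Temp\SMSTSLog path a reader reports in the comments below).
SMSTS_LOG_CANDIDATES = [
    r"X:\SMSTSLog\smsts.log",
    r"X:\Windows\Temp\SMSTSLog\smsts.log",
    r"C:\SMSTSLog\smsts.log",
    r"D:\SMSTSLog\smsts.log",
]
# The task sequence logs "Setting URL = http://<dp-host>/..." when it picks a
# content source; [\w\-.] instead of [\w] so hyphenated DP names are kept.
SETTING_URL_RE = re.compile(r"Setting URL = https?://([\w\-.]+)")
# The result becomes the domain part of "%SMSDPNetbios%\CM_NAA", so accept
# only a legal NetBIOS name: letters, digits, hyphen, at most 15 characters.
NETBIOS_RE = re.compile(r"^[A-Za-z0-9\-]{1,15}$")

def dp_netbios_from_log(lines):
    """NetBIOS name of the last DP referenced in smsts.log lines, or None."""
    host = None
    for line in lines:
        m = SETTING_URL_RE.search(line)
        if m:
            host = m.group(1)  # last match wins: the DP the TS finally chose
    if host is None:
        return None
    netbios = host.split(".")[0].upper()  # drop DNS suffix; NetBIOS is upper-case
    if not NETBIOS_RE.match(netbios):
        raise ValueError(f"refusing unexpected DP host name: {host!r}")
    return netbios

def find_smsts_log(candidates=SMSTS_LOG_CANDIDATES):
    """First existing smsts.log path, or None (the If/ElseIf chain as a loop)."""
    for path in candidates:
        if Path(path).is_file():
            return path
    return None

# Constructed sample lines in the CMTrace format smsts.log uses.
SAMPLE_SMSTS_LOG = [
    "<![LOG[Content location request completed]LOG]!>",
    "<![LOG[Setting URL = http://DP-01.contoso.com/SMS_DP_SMSPKG$/CAS00001]LOG]!>",
]

if __name__ == "__main__":
    log = find_smsts_log()
    lines = Path(log).read_text(errors="replace").splitlines() if log else SAMPLE_SMSTS_LOG
    print(f"SMSDPNetbios={dp_netbios_from_log(lines)}")
```

In WinPE the real script still has to be VBScript run through cscript, since Python is not in the boot image; what carries over is the ordered path list and the check that the extracted name is a valid NetBIOS name before it is pasted into an account name.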


Comments (3):

    • Hermann says:

      Thanks for that perfect post!
      Only one little bug: DP NetBIOS names with a minus character are not retrieved correctly.
      Please change your VBScript code to this:
      Old: .Pattern = "(Setting URL = http[s]*?://)([\w]*)"
      New: .Pattern = "(Setting URL = http[s]*?://)([\w\-]*)"

      Kind regards

    • Hermann says:

      One more bug found in the script. It could be that smsts.log is in X:\Windows\Temp\SMSTSLOG! Please correct the first part of the script…
      Old:
      Set objFSO = CreateObject("Scripting.FileSystemObject")
      If objFSO.FileExists("X:\SMSTSLog\smsts.log") Then
          Set objFile = objFSO.OpenTextFile("X:\SMSTSLog\smsts.log", 1)
          CheckError()
      ElseIf objFSO.FileExists("C:\SMSTSLog\smsts.log") Then
          Set objFile = objFSO.OpenTextFile("C:\SMSTSLog\smsts.log", 1)
          CheckError()
      ElseIf objFSO.FileExists("D:\SMSTSLog\smsts.log") Then
          Set objFile = objFSO.OpenTextFile("D:\SMSTSLog\smsts.log", 1)
          CheckError()
      End If

      New:
      Set objFSO = CreateObject("Scripting.FileSystemObject")
      If objFSO.FileExists("X:\SMSTSLog\smsts.log") Then
          Set objFile = objFSO.OpenTextFile("X:\SMSTSLog\smsts.log", 1)
          CheckError()
      ElseIf objFSO.FileExists("C:\SMSTSLog\smsts.log") Then
          Set objFile = objFSO.OpenTextFile("C:\SMSTSLog\smsts.log", 1)
          CheckError()
      ElseIf objFSO.FileExists("D:\SMSTSLog\smsts.log") Then
          Set objFile = objFSO.OpenTextFile("D:\SMSTSLog\smsts.log", 1)
          CheckError()
      ElseIf objFSO.FileExists("X:\Windows\Temp\SMSTSLog\smsts.log") Then
          Set objFile = objFSO.OpenTextFile("X:\Windows\Temp\SMSTSLog\smsts.log", 1)
          CheckError()
      End If

      Kind regards
