Using Client Push Installation on UNTRUSTED FOREST systems with ConfigMgr 2012

Last week my post was about using the Client Push Installation on WORKGROUP systems and this week my post will be a sort of follow-up on that. This week my post will be about using the Client Push Installation on UNTRUSTED FOREST systems. The method of last week will also work on UNTRUSTED FOREST systems, but the nice thing about ConfigMgr 2012 is that there are now better options for UNTRUSTED FOREST systems! The systems and domain(s) of the UNTRUSTED FOREST can be discovered AND to make it even better, it is even possible to write information to the Active Directory!

Prerequisites

Before it is possible to use the Client Push Installation on UNTRUSTED FOREST systems, there are a few things to keep in mind. The following points are a prerequisite and, besides the Active Directory Forest and the Active Directory System Discovery, they are not further explained in this post:

  • The FQDN of the Management Point system can be resolved on the UNTRUSTED FOREST systems.
  • The UNTRUSTED FOREST can be resolved on the site server (and domain).
  • The Active Directory of the UNTRUSTED FOREST is extended.
  • The Client Push Installation Account has administrative rights.
  • The UNTRUSTED FOREST is added as an Active Directory Forest.
  • The Active Directory System Discovery is enabled to find the UNTRUSTED FOREST systems.

Pre-configuration

Normally I leave the prerequisites for what they are, but in this case it all stands or falls with the configuration of the Active Directory Forest and the Active Directory System Discovery. So I will first show in two steps how to pre-configure the Active Directory Forest and the Active Directory System Discovery, before I show how to configure the Client Push Installation.

The first step is to add the UNTRUSTED FOREST as an Active Directory Forest, so it can also write the site information to that Active Directory, and that can be done by following the next steps:

  • Navigate to Administration > Overview > Hierarchy Configuration > Active Directory Forests.
  • In the Home tab, click Add Forest and the Add Forest popup will show.
  • On the General tab, fill in with Domain suffix <aDomainSuffix>, select Use a specific account and Set <aAccount>.
    • Note: <aAccount> needs to have the appropriate security rights to write to the System Management container in the Active Directory of the UNTRUSTED FOREST.
  • On the Publishing tab, select <aSite> and click OK.

The second step is to configure the Active Directory System Discovery, so it can discover the systems from the UNTRUSTED FOREST, and that can be done by following the next steps:

  • Navigate to Administration > Overview > Hierarchy Information > Discovery Methods and select Active Directory System Discovery.
  • In the Home tab, click Properties and the Active Directory System Discovery Properties will show.
  • On the General tab, click <YellowStar> and the Active Directory Container popup will show.
  • Fill in with Path <aLDAPPath>, select Specify an account, Set <aAccount> and click OK.
    • Note: <aAccount> needs to have the appropriate security rights to discover objects in the Active Directory of the UNTRUSTED FOREST.
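
A pre-flight check for the account used in the two pre-configuration steps above, as an added example that is not part of the original post. It confirms that the untrusted forest resolves from the site server and that the account can bind to its LDAP service and see the System Management container. It does not test write permission. The function name and the sample domain are assumptions.

```powershell
# Added example, not from the original post. Run on the site server (PowerShell 3.0+).
Add-Type -AssemblyName System.DirectoryServices

function Test-UntrustedForestPrereq {
    param(
        [Parameter(Mandatory = $true)] [string] $DomainFqdn,   # the <aDomainSuffix> value
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential # the <aAccount> account
    )

    $result = [ordered]@{
        DnsResolves           = $false
        LdapBind              = $false
        SystemManagementFound = $false
        Error                 = $null
    }
    try {
        # Prerequisite: the UNTRUSTED FOREST can be resolved on the site server.
        $null = [System.Net.Dns]::GetHostAddresses($DomainFqdn)
        $result.DnsResolves = $true

        # Without a trust there are no implicit credentials, so bind explicitly.
        # Signing and sealing keep the bind and the traffic protected on the wire.
        $user = $Credential.UserName
        $pass = $Credential.GetNetworkCredential().Password
        $auth = [System.DirectoryServices.AuthenticationTypes]'Secure, Sealing, Signing'

        $root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$DomainFqdn/RootDSE", $user, $pass, $auth)
        $baseDn = [string]$root.psbase.Properties['defaultNamingContext'].Value
        $result.LdapBind = [bool]$baseDn

        # Container created when the Active Directory schema is extended for ConfigMgr.
        $smPath = "LDAP://$DomainFqdn/CN=System Management,CN=System,$baseDn"
        $sm = New-Object System.DirectoryServices.DirectoryEntry($smPath, $user, $pass, $auth)
        $null = $sm.psbase.NativeObject   # forces the bind; throws if missing or denied
        $result.SystemManagementFound = $true
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Usage ('forest.example' is a placeholder domain):
# Test-UntrustedForestPrereq -DomainFqdn 'forest.example' -Credential (Get-Credential)
```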

Configuration

Now let’s start with the real configuration! After doing all the discoveries it is possible to configure the Client Push Installation for UNTRUSTED FOREST systems. The configuration of the Client Push Installation is actually the easiest part of this post. To configure Client Push Installation for UNTRUSTED FOREST systems, follow the next steps:

  • Navigate to Administration > Overview > Site Configuration > Sites and select the site.
  • In the Home tab, click Settings > Client Installation Settings > Client Push Installation and the Client Push Installation Properties will show.
  • On the Accounts tab, click <YellowStar> > New Account and the Windows user Account popup will show.
  • Fill in with User name <DOMAINNAME>\<USERNAME> with the corresponding password in the appropriate fields and click OK.

Results

After the configuration is done it is time to take a look at the results. The best place to look at the results is still the CCM.log, but as I showed that last week already I will now show a snippet of the ccmsetup.log. This log shows that it successfully retrieves information from the Active Directory during the client installation. After the installation is successful, the client will show up in the console as an active client with <DOMAINNAME> as its Domain.

Using Client Push Installation on WORKGROUP systems with ConfigMgr 2012

This week my post will be about using the Client Push Installation on WORKGROUP systems. We all know that a manual installation will work on WORKGROUP systems, but wouldn’t it be easier to just use the Client Push Installation? In my opinion the answer would be, YES! And as long as the WORKGROUP systems are configured the same, the configuration is actually quite easy.

Prerequisites

Before it is possible to use the Client Push Installation on WORKGROUP systems, there are a few things to keep in mind. The following points are a prerequisite and are not further explained in this post:

  • The FQDN of the Management Point system can be resolved on the WORKGROUP system.
  • The Network Discovery is enabled to find the WORKGROUP systems.
  • The Client Push Installation Account has administrative rights.

Configuration

Now let’s start with the configuration! It is possible to configure the Client Push Installation for WORKGROUP systems, because it is possible to use a variable in the accounts used for a Client Push Installation. So this makes it possible to also configure local accounts. To configure Client Push Installation for WORKGROUP systems follow, at least, the following steps:

  • Navigate to Administration > Overview > Site Configuration > Sites and select the site.
  • In the Home tab, click Settings > Client Installation Settings > Client Push Installation and the Client Push Installation Properties will show.
  • On the Accounts tab, click <YellowStar> > New Account and the Windows user Account popup will show.
  • Fill in with User name %COMPUTERNAME%\<USERNAME> with the corresponding password in the appropriate fields and click OK.
  • On the Installation Properties tab, fill in as Installation Properties, at least, SMSSITECODE=XXX SMSMP=<FQDN_MP>. 

Results

After the configuration is done it is time to take a look at the results. The best place to look at the results is in the CCM.log after a Client Push Installation on a WORKGROUP system is performed. This log shows that it first tried my domain credentials. After the domain credentials failed, it then used the local credentials, which are configured via the COMPUTERNAME variable. After the installation is successful, the client will show up in the console as an active client with WORKGROUP as its Domain.