SCCM Cross Forest support

Here are some points about cross forest support

A two way trust is mainly for adding a child primary or secondary site in a remote forest.

To consolidate devices in a remote forest with an existing Site no trust is required.

To allow remote forest support in a existing Primary

These are all configurable from the console and we can use a specific account to connect to the remote forest (so a trust is not actually required) we obviously need to allow the required network traffic.
So to summarise, the goal is to

• Discover the forest and publish Configuration Manager Site information into the forest.
• Configure AD System Discovery to run against the forest.
• Configure Client Push Installation to work in the forest.
• PXE boot clients for OSD

Configuration Overview –

• Add the forest to the Active Directory Forest Hierarchy Configuration Node in the ConfigMgr console. This will discover information about the forest such as sites and subnets and also allow us to further configure publishing to this forest.
• Publish the ConfigMgr 2012 site information into the remote AD forest. The Active Directory of the forest will require the CM 2007/2012 schema extensions and the System Management container will need to exist prior publishing.
• Configure System Discovery for the remote forest.
• Ensure that boundaries have been created that will represent each client in the remote forest and that these boundaries have been added to a configured boundary group.
• Configure Client Push Installation with an account suitable for client installation in the remote forest.
• Deploy clients
• For PXE use iphelpers which is the prefers method to allow clients to fine the PXE server
• Deploy PXE DP in remote forest

Point to consider
Application Catalog web service point, which must be installed in the same forest as the site server.
firewalls must allow the network traffic even when the site server initiates the transfer of data.

Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must allow applicable traffic from the untrusted forest to the sites SQL Server:

• Asset Intelligence synchronization point
• Endpoint Protection point
• Enrollment point
• Management point
• Reporting service point
• State migration point

The management point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must configure the site system role connection account to enable the site system role to obtain information from the database.

If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site:

• Management point: Management Point Database Connection Account
• Enrollment point: Enrollment Point Connection Account