SCCM Cross Forest support

Here are some points about cross forest support

A two-way trust is mainly needed for adding a child primary or secondary site in a remote forest.

To consolidate devices in a remote forest with an existing Site no trust is required.

To allow remote forest support in an existing Primary site

These are all configurable from the console, and a specific account can be used to connect to the remote forest (so a trust is not actually required); the required network traffic obviously still needs to be allowed.
So to summarise, the goal is to

• Discover the forest and publish Configuration Manager Site information into the forest.
• Configure AD System Discovery to run against the forest.
• Configure Client Push Installation to work in the forest.
• PXE boot clients for OSD

Configuration Overview –

• Add the forest to the Active Directory Forest Hierarchy Configuration Node in the ConfigMgr console. This will discover information about the forest such as sites and subnets and also allow us to further configure publishing to this forest.
• Publish the ConfigMgr 2012 site information into the remote AD forest. The Active Directory of that forest requires the CM 2007/2012 schema extensions, and the System Management container must exist prior to publishing.
• Configure System Discovery for the remote forest.
• Ensure that boundaries have been created that will represent each client in the remote forest and that these boundaries have been added to a configured boundary group.
• Configure Client Push Installation with an account suitable for client installation in the remote forest.
• Deploy clients
• For PXE, use IP helpers, which is the preferred method to allow clients to find the PXE server
• Deploy PXE DP in remote forest
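The forest registration, discovery and boundary steps above, as an added PowerShell example that is not part of the original notes. It uses the ConfigurationManager module shipped with the console; the site code, forest FQDN, account and subnets are placeholders, and the cmdlet parameter names should be checked against Get-Help in the installed module version.

```powershell
# Added example, not from the original notes: registers a remote forest for
# discovery and creates boundaries for its subnets with the ConfigurationManager
# module. Site code, forest FQDN, account and subnets are placeholders; verify the
# parameter names with Get-Help in the installed module version.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
$siteCode = 'PS1'                                   # placeholder site code
Set-Location "${siteCode}:"

$forest   = 'remote.example.test'                   # placeholder remote forest FQDN
$account  = 'REMOTE\svc-cmforest'                   # placeholder account with read access to that forest
$password = Read-Host -AsSecureString -Prompt "Password for $account"

# Active Directory Forests node: with discovery enabled ConfigMgr enumerates the
# forest's AD sites and subnets; publishing to the forest is then enabled from the console.
if (-not (Get-CMActiveDirectoryForest -ForestFqdn $forest)) {
    New-CMActiveDirectoryForest -ForestFqdn $forest -EnableDiscovery $true `
        -UserName $account -Password $password | Out-Null
}

# One IP-subnet boundary per remote subnet, all in one boundary group, so clients
# in that forest get site assignment and content location.
$subnets = @('10.20.0.0/24', '10.20.1.0/24')        # placeholder subnets in the remote forest
$group   = 'BG - remote forest'
if (-not (Get-CMBoundaryGroup -Name $group)) {
    New-CMBoundaryGroup -Name $group | Out-Null
}
foreach ($subnet in $subnets) {
    $name = "Remote forest $subnet"
    if (-not (Get-CMBoundary -BoundaryName $name)) {
        New-CMBoundary -Name $name -Type IPSubnet -Value $subnet | Out-Null
    }
    Add-CMBoundaryToGroup -BoundaryName $name -BoundaryGroupName $group
}
```

System Discovery for the forest and the client push account are still configured in the console as described in the list above.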

Points to consider
The Application Catalog web service point must be installed in the same forest as the site server.
Firewalls must allow the network traffic even when the site server initiates the transfer of data.

Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must allow the applicable traffic from the untrusted forest to the site's SQL Server:

• Asset Intelligence synchronization point
• Endpoint Protection point
• Enrollment point
• Management point
• Reporting service point
• State migration point

The management point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must configure the site system role connection account to enable the site system role to obtain information from the database.

If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site:

• Management point: Management Point Database Connection Account
• Enrollment point: Enrollment Point Connection Account


Client Push requirements

Client Push is a feature that is responsible for fixing defective SCCM clients that are on the domain, but not reporting directly to its assigned site. Additionally, machines that have never received the SCCM client will have it installed.

There are several prerequisites to meet before you can successfully push a client to a remote computer:

One of the specified client push installation accounts must be a member of the local Administrators group on the destination computer. Alternatively, you can make the machine account of the SCCM site server a local administrator.

The computer must have the ADMIN$ share enabled.
The computer must be found by the site server and vice versa, using DNS name resolution.
Client Push Installation Firewall Exceptions –
In order to successfully use client push to install client, you must add the following as exceptions to the Windows Firewall or any other firewall between the site server and the client machine:

• File and Printer Sharing
• Windows Management Instrumentation (WMI)

• Server Message Block (SMB) between the site server and client computer — 445
• RPC endpoint mapper between the site server and the client computer — 135
• RPC dynamic ports between the site server and the client computer — dynamic
• Hypertext Transfer Protocol (HTTP) from the client computer to a mixed mode management point — 80 (See note 1, Alternate Port Available)
• Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a native mode management point — 443 (See note 1, Alternate Port Available)

In the client push installation method, the server makes an initial connection to the admin$ share on the prospective client computer using Windows file-sharing protocols. Administrative access to the client is required to connect to the admin$ share.

The site server uses these connections to copy the required setup files to the client and then installs and starts the ccmsetup service.
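The prerequisites above (name resolution, ports 445 and 135, the ADMIN$ share, WMI, and local admin membership of a push account) checked from the site server, as an added example that is not part of the original notes. The push accounts, site server machine account and client name are placeholders; it uses Get-WmiObject (DCOM) rather than WinRM so the test exercises the same RPC path client push uses.

```powershell
# Added example, not from the original notes: verifies the client push prerequisites
# for one computer from the site server. Account names and the client name are placeholders.
function Test-ClientPushReadiness {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Placeholders: the client push account(s) and the site server's machine account.
        [string[]] $PushAccount = @('CORP\svc-cmpush', 'CORP\CMSITE01$')
    )
    $r = [ordered]@{ Computer = $ComputerName }

    # DNS: the site server must resolve the client, and the client's address should map back.
    $a = Resolve-DnsName $ComputerName -Type A -ErrorAction SilentlyContinue |
        Where-Object IPAddress | Select-Object -First 1
    $r.ForwardDns = [bool]$a
    $r.ReverseDns = [bool]$a -and [bool](Resolve-DnsName $a.IPAddress -Type PTR -ErrorAction SilentlyContinue)

    # Firewall: SMB 445 for the ADMIN$ file copy, RPC endpoint mapper 135 for WMI / service control.
    foreach ($port in 445, 135) {
        $r["Tcp$port"] = (Test-NetConnection $ComputerName -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # ADMIN$ must be enabled and reachable with the credentials this session runs under.
    $r.AdminShare = Test-Path "\\$ComputerName\ADMIN$"

    # WMI over DCOM (RPC 135 + dynamic ports), the same path the push uses to start ccmsetup.
    $r.Wmi = [bool](Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    # One of the push accounts (or the site server's machine account) must be a local Administrator.
    try {
        $members = ([ADSI]"WinNT://$ComputerName/Administrators,group").Invoke('Members') | ForEach-Object {
            # AdsPath looks like WinNT://CORP/svc-cmpush; normalise it to CORP\svc-cmpush
            ($_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
        }
        $r.LocalAdmin = [bool]($PushAccount | Where-Object { $members -contains $_ })
    } catch { $r.LocalAdmin = $false }

    [pscustomobject]$r
}

Test-ClientPushReadiness -ComputerName 'WS-0042' | Format-List   # placeholder client name
```

A false value for any property points at the matching prerequisite or firewall exception in the list above; whether the client can resolve the site server in the other direction still has to be checked from the client.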

Here are some links for Windows 8 Start screen tile customization

Customize Windows 8.1 Start Screens by Using Group Policy

Customize the Start Screen

Windows 8 Start Screen Customization with MDT

Follow the steps below

1. Create a new user account that you will use to customize the Start screen layout.

2. Customize the Start screen as you want users to see.

3. From the Start screen, open Windows PowerShell.

4. At the Windows PowerShell command prompt, enter the following command:

Example: Export-StartLayout -Path .xml -As XML

ConfigMgr 2012: determining if there is a performance problem

The number one reason that small sites like this have performance issues is disk I/O. If this is a virtual machine, ensure that you are following the vendor recommendations for virtualizing SQL (don't over-commit processors/cores, ensure SQL data files, tempdb and logs are on separate spindles, format SQL drives with 64KB block sizes, split SQL data files).

CPU does not matter too much; disk I/O is more important. Also see:
An MP replica might take some load off of an MP, but it also adds extra load because of SQL replication.
Content transfer can be scripted (in case you did not use a DP group).
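Two of the SQL disk recommendations above, the 64KB allocation unit size and keeping data, log and tempdb files on separate volumes, checked against the site database server; an added example, not part of the original notes. The SQL instance name is a placeholder; it assumes drive-letter volumes (no mount points), Windows authentication with rights to read sys.master_files, and WinRM access for Get-CimInstance.

```powershell
# Added example, not from the original notes: flags SQL volumes without a 64KB
# allocation unit and volumes that mix data, log and tempdb files.
# $SqlInstance is a placeholder; assumes drive-letter volumes and Windows auth.
function Get-SqlDiskLayoutCheck {
    param([string] $SqlInstance = 'CMSQL01')        # placeholder: 'host' or 'host\instance'
    $server = $SqlInstance.Split('\')[0]

    # Every database file SQL knows about, reduced to its volume and role.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Integrated Security=True"
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT DB_NAME(database_id) AS db, type_desc, physical_name FROM sys.master_files'
    $table = New-Object System.Data.DataTable
    [void](New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table)
    $files = foreach ($row in $table.Rows) {
        $role = if ($row.db -eq 'tempdb') { 'TEMPDB' } else { $row.type_desc }   # ROWS, LOG or TEMPDB
        [pscustomobject]@{ Volume = $row.physical_name.Substring(0, 3).ToUpper(); Role = $role }   # e.g. 'E:\'
    }

    # Allocation unit size of each SQL volume: 64KB (65536 bytes) is the recommendation.
    $sqlVolumes = $files.Volume | Sort-Object -Unique
    Get-CimInstance Win32_Volume -ComputerName $server -Filter 'DriveType=3' |
        Where-Object { $_.Name.ToUpper() -in $sqlVolumes } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'AllocationUnit'; Volume = $_.Name; Value = $_.BlockSize; OK = ($_.BlockSize -eq 65536) }
        }

    # Separate spindles: a volume carrying more than one role (data, log, tempdb) is flagged.
    foreach ($g in $files | Group-Object Volume) {
        $roles = @($g.Group.Role | Sort-Object -Unique)
        [pscustomobject]@{ Check = 'Separation'; Volume = $g.Name; Value = ($roles -join ','); OK = ($roles.Count -eq 1) }
    }
}

Get-SqlDiskLayoutCheck -SqlInstance 'CMSQL01' | Format-Table -AutoSize
```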

Are you experiencing current perf issues with all roles on the site server itself? Can you describe these perf issues?

Have you setup a DB re-indexing and statistics rebuild agent task?

Have you run perfmon to baseline the perf of the system?

Is the system a VM on an over-committed host and/or is it sharing spindles with other applications?

System Center 2012 Configuration Manager Best Practices

Taking Your Server’s Pulse