First note that there's no reason to set up a site server at all for a DMZ or 
an alternate domain. This can easily be handled by a site system - note the 
difference between a site server and site system. Also, a site system can 
happily exist in an untrusted domain so it's really moot whether or not you 
have a trust in place.

To directly answer one of your questions though, yes, two domains within a 
forest automatically have two-way trusts - this is simply part of them being 
part of the same forest. But as mentioned, this is irrelevant for this scenario.

And finally, yes, you could also treat the systems in the DMZ as Internet based 
clients.

J
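The reply above turns on two facts: domains in one forest trust each other two-way automatically, and a site system in the DMZ does not need a trust anyway. As an added example (not code from either poster), this PowerShell snippet checks the first point from the primary site's domain: whether the DMZ domain is a member of the same forest, and if not, what explicit trust (and in which direction) exists. It assumes the ActiveDirectory RSAT module on a domain-joined admin workstation; `dmz.example.local` is a constructed placeholder for the DMZ domain's DNS name.

```powershell
# Added example, not from the mailing-list thread.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined admin session.
# 'dmz.example.local' is a constructed placeholder for the DMZ domain's DNS name.
Import-Module ActiveDirectory

$DmzDomain = 'dmz.example.local'

# Every domain in a forest has an implicit two-way transitive trust with the others,
# so forest membership alone answers the "do we need a trust" question.
$forest     = Get-ADForest
$sameForest = $forest.Domains -contains $DmzDomain

if ($sameForest) {
    "$DmzDomain is a member of forest $($forest.Name): an intra-forest two-way trust exists automatically."
}
else {
    "$DmzDomain is NOT in forest $($forest.Name); listing explicit trusts toward it (if any)..."
    # Direction is reported relative to the local domain: Inbound, Outbound or BiDirectional.
    # An empty result means no trust at all, which is fine for a DMZ site system or
    # Internet-based clients, as the reply above points out.
    Get-ADTrust -Filter "Target -eq '$DmzDomain'" |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest
}
```

Run it from an account in the primary site's domain. A `BiDirectional` result corresponds to the "two way trust" the blog post talks about for child sites; an empty result simply confirms that management will have to go through a DMZ site system or the Internet-based client path rather than rely on domain authentication.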

From: [email protected] [mailto:[email protected]] On 
Behalf Of Beardsley, James
Sent: Monday, August 4, 2014 6:28 PM
To: [email protected]
Subject: [mssms] Cross domain ConfigMgr Support

We're looking at setting up a domain in our DMZ where some IIS servers (10-20 
at most) would reside and up until now, I've only ever managed one domain so 
one of the items I'm researching is how we'd manage resources in a separate 
domain with CM. One of the questions I had was about trusts. Would something 
like the simplest scenario #1 in this blog post below require a trust between 
the DMZ domain and our main domain where the CM primary site resides?

http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx

There's a statement where it says "In order to install and configure a child 
site (primary or secondary), the child site server must be located in the same 
forest as the parent site or reside in a forest that contains a two way trust 
with the forest of the parent (CAS or primary)". Am I reading that correctly, 
that as long as the two domains are in the same forest, we wouldn't need a 
two-way trust? How about a one-way trust? I don't think we're going to put a 
child site in the DMZ domain unless we have to. I'd like to see those servers 
be managed directly from the primary site but I'm not at all familiar with 
cross-domain authentication. Understandably, certificate management is a factor 
but just from an SCCM communication standpoint, would something like this 
require a one-way, two-way, or no trust at all?

Another idea I had was to just manage the servers like they are laptops on the 
internet. Is there any reason that wouldn't work? Then they could just 
communicate with CM through our external facing URL and no trust would be 
needed at all. That would just require a lot of manual work to manage the 
certificates and install the client so if it's easier to do the method 
described in the blog post, we'll do that.

Thanks in advance for your input.

Thanks,
James