If you're managing a multi-domain Active Directory (AD) environment and using Microsoft Configuration Manager (SCCM), you might encounter a scenario where you need to add computers from another domain into SCCM for management. This is a common use case in enterprise environments with multiple AD forests or domains, and it's essential to configure SCCM correctly to allow cross-domain or cross-forest computer discovery and management.
Why Add Computers from Another Domain to SCCM?
There are several reasons you might want to manage computers from a different domain in SCCM:
- Centralized IT management across multiple AD domains
- Software deployment to remote domain computers
- Patch management across different networks
- Hardware and software inventory for compliance and reporting
To make this possible, certain prerequisites and configurations must be met.
Key Requirements Before You Begin
To successfully add and manage devices from another domain in SCCM, ensure the following:
- Trust Relationship Exists: A two-way forest trust is the simplest path, and it is required if you intend to place site system roles in the remote forest. Clients alone can be managed across a one-way trust or with no trust at all, but then client push installation will not work and the client must be installed manually or via Group Policy with the site code and management point specified explicitly.
- Name Resolution Works: Ensure DNS resolution is configured correctly between the domains.
- Proper SCCM Site Boundaries and Boundary Groups: The IP subnets or AD sites of the remote domain should be part of SCCM boundaries.
- Discovery Methods Enabled: Active Directory System Discovery and/or User Discovery should be enabled for the remote domain.
- Proper Permissions: The account SCCM uses for discovery needs only Read access to the remote domain's Active Directory, which any ordinary user of that domain already has. Use a dedicated, low-privilege account from the remote domain rather than an administrator account; the rights of that account are exactly what an attacker gains if the site server or its stored credentials are compromised.
Step-by-Step: Add Computers from Another Domain in SCCM
Here’s a general outline of how to configure SCCM to add and manage computers from a different domain:
1. Establish a Trust Between Domains
If not already configured, create the trust in Active Directory Domains and Trusts: a forest trust between the two forest root domains, or an external trust between the two domains. A two-way trust lets the site server authenticate to the remote domain for discovery and client push, and lets the remote clients authenticate to your site systems. If the remote forest is not fully trusted, consider enabling selective authentication on the trust so that only accounts you explicitly grant "Allowed to Authenticate" (for example the discovery and client push accounts) can authenticate across it.
2. Configure DNS Forwarding
Ensure each domain can resolve names from the other. You can use conditional forwarding or stub zones in DNS Manager for proper name resolution.
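The following PowerShell script is an added example, not code from the original article. It configures the conditional forwarder from step 2, then verifies the trust from step 1 and the name resolution and discovery-account permissions from the Key Requirements list; it is also the first thing to rerun when the DNS, authentication or trust problems in the troubleshooting section appear. The domain names, DNS server addresses and account name are assumptions; the LDAP path matches the article's `LDAP://DC=remotedomain,DC=com` example.

```powershell
#Requires -Modules DnsServer, ActiveDirectory
# Added example, not part of the original article. Run on a DNS server or domain-joined
# admin host in the site server's domain. Assumed names (replace with your own):
#   remote domain      : remotedomain.com   (LDAP://DC=remotedomain,DC=com, as in the article)
#   remote DNS servers : 10.20.0.10, 10.20.0.11
#   discovery account  : REMOTEDOMAIN\svc-cm-discovery (read-only domain user in remotedomain.com)
param(
    [string]   $RemoteDomain  = 'remotedomain.com',
    [string[]] $RemoteDns     = @('10.20.0.10', '10.20.0.11'),
    [string]   $DiscoveryUser = 'REMOTEDOMAIN\svc-cm-discovery'
)

# Step 2: conditional forwarder so this domain can resolve the remote one.
# Create the mirror-image forwarder (pointing at your DCs) on the remote domain's DNS servers too.
if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDns -ReplicationScope 'Forest'
}

# The DC locator SRV record is what trust validation and AD discovery both rely on;
# if this fails, nothing below works no matter what the trust object says.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$remoteDcs = $srv | Select-Object -ExpandProperty NameTarget
"Remote DCs: $($remoteDcs -join ', ')"

# Step 1: the trust exists; note its shape. 'BiDirectional' is the two-way trust the article
# assumes, ForestTransitive=True is a forest trust, SelectiveAuthentication=True means only
# accounts granted 'Allowed to Authenticate' on your site systems can cross it.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteDomain'"
if (-not $trust) { throw "No trust from $env:USERDNSDOMAIN to $RemoteDomain" }
'Trust {0}: direction={1} forestTransitive={2} selectiveAuth={3}' -f `
    $trust.Name, $trust.Direction, $trust.ForestTransitive, $trust.SelectiveAuthentication

# The secure channel must actually work, not merely exist in AD.
nltest /sc_verify:$RemoteDomain | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Secure channel to $RemoteDomain failed (nltest exit $LASTEXITCODE)" }

# Prerequisite 'Proper Permissions': bind to the remote domain as the discovery account and
# enumerate computer objects, which is exactly what AD System Discovery will do with it.
$cred     = Get-Credential -UserName $DiscoveryUser -Message 'Discovery account password'
$ldapPath = "LDAP://$($remoteDcs[0])/DC=$($RemoteDomain -replace '\.', ',DC=')"
$root     = New-Object System.DirectoryServices.DirectoryEntry(
    $ldapPath, $cred.UserName, $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
$search = New-Object System.DirectoryServices.DirectorySearcher(
    $root, '(objectCategory=computer)', [string[]]@('name', 'dNSHostName'), 'Subtree')
$search.PageSize = 500
$found = $search.FindAll()
"Discovery account read {0} computer objects under {1}" -f $found.Count, $ldapPath
$found.Dispose()
```

A bind failure at the last step with a working trust and working DNS usually means the account or its password is wrong, or selective authentication is enabled and the account has not been granted the right to authenticate; a zero count with a successful bind means the account can log on but has been denied read access to the computer objects.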
3. Update SCCM Discovery Methods
In the SCCM console:
- Go to Administration > Hierarchy Configuration > Discovery Methods
- Enable Active Directory System Discovery
- Click Browse (or Add) to add the remote domain's container
- Set the LDAP path (e.g., LDAP://DC=remotedomain,DC=com)
- Specify an account with read access to the remote domain's AD for that path
Repeat this process for Active Directory User Discovery if needed.
4. Add the Remote Domain to SCCM Boundaries
To ensure devices are assigned to the proper SCCM site:
- Go to Administration > Hierarchy Configuration > Boundaries
- Create a new boundary for the remote domain’s subnet or AD site
- Add it to an existing or new Boundary Group
- On the Boundary Group's References tab, enable site assignment to your site and add the site system servers (management point and distribution point) that clients in the remote domain should use
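Steps 3 and 4 done from PowerShell, as an added example that is not from the original article. It uses the ConfigurationManager module that ships with the console; the cmdlet names and parameters are as documented for current branch, but check them against your build. The site code, server names and address range are assumptions.

```powershell
# Added example, not from the original article. Requires the Configuration Manager console
# (and therefore the ConfigurationManager module) on this machine. Assumed names:
#   site code PS1, remote domain remotedomain.com on 10.20.0.0/24,
#   management point / distribution point mp01.hq.example.com.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
$SiteCode = 'PS1'
Set-Location "$($SiteCode):"    # CM cmdlets only run from the site's provider drive

# Step 3: add the remote domain root to Active Directory System Discovery. The account used
# for this path (a read-only user from remotedomain.com) is set on the container in the
# console. With a two-way trust the site server's computer account would also be able to
# read the remote domain, but a dedicated account keeps the dependency explicit and auditable.
Set-CMDiscoveryMethod -ActiveDirectorySystemDiscovery -SiteCode $SiteCode -Enabled $true `
    -AddActiveDirectoryContainer 'LDAP://DC=remotedomain,DC=com' -EnableDeltaDiscovery $true

# Step 4: boundary and boundary group. An IP address range rather than an IP subnet boundary
# avoids the supernet matching problems that make remote subnets silently fall outside a boundary.
$bName = 'remotedomain.com 10.20.0.0/24'
$gName = 'remotedomain.com clients'
if (-not (Get-CMBoundary -BoundaryName $bName)) {
    New-CMBoundary -Name $bName -Type IPRange -Value '10.20.0.1-10.20.0.254' | Out-Null
}
if (-not (Get-CMBoundaryGroup -Name $gName)) {
    # -DefaultSiteCode turns on site assignment for the group; -AddSiteSystemServerName lists
    # the MP/DP the remote clients should use for policy and content.
    New-CMBoundaryGroup -Name $gName -DefaultSiteCode $SiteCode `
        -AddSiteSystemServerName 'mp01.hq.example.com' | Out-Null
}
Add-CMBoundaryToGroup -BoundaryName $bName -BoundaryGroupName $gName

# Show the result: the boundary, the group it now belongs to, and the site it assigns to.
Get-CMBoundary -BoundaryName $bName | Select-Object DisplayName, BoundaryType, Value, GroupCount
Get-CMBoundaryGroup -Name $gName    | Select-Object Name, DefaultSiteCode, MemberCount
```

Discovery only creates device records; a remote computer still has to fall inside a boundary that belongs to a group with site assignment enabled before a client installed there will assign itself to the site, which is why the boundary group is created before any clients are pushed.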
5. Install SCCM Client on Remote Domain Computers
You can install the SCCM client using:
- Client push installation
- Group Policy
- Manual installation using the ccmsetup.exe installer
- PowerShell or other automation tools
Client push needs name resolution of the target, TCP 445 (SMB, for the ADMIN$ share) and TCP 135 plus the RPC dynamic port range open from the site server to the remote computers, and a client push installation account from the remote domain that is a local administrator on those computers. Treat that account as highly privileged: it holds local administrator rights on every machine it can push to, so use a dedicated account rather than a domain administrator, and do not reuse it for anything else. For Group Policy or manual installs across a domain boundary, set SMSSITECODE and SMSMP explicitly on the ccmsetup.exe command line, because a client in another forest cannot rely on finding the site through its own Active Directory.
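The preflight checks for client push and a scripted manual install, as an added example that is not from the original article. It runs on the site server (or another host in its domain), assumes PowerShell remoting is enabled on the target computers and that the push account can authenticate to them, and uses assumed server, account and computer names; the ccmsetup.exe switches and properties (/mp, /logon, SMSSITECODE, SMSMP, FSP) are the real ones.

```powershell
# Added example, not from the original article. Assumed names:
#   site server cm01.hq.example.com, site code PS1, management point mp01.hq.example.com,
#   target computers in remotedomain.com, push account REMOTEDOMAIN\svc-cm-push
#   (a local administrator on the target computers only, not a domain admin).
# Assumes WinRM (PowerShell remoting) is enabled on the targets.
param(
    [string[]] $Targets     = @('ws-r-001.remotedomain.com', 'ws-r-002.remotedomain.com'),
    [string]   $PushAccount = 'REMOTEDOMAIN\svc-cm-push',
    [string]   $SiteServer  = 'cm01.hq.example.com',
    [string]   $MP          = 'mp01.hq.example.com',
    [string]   $SiteCode    = 'PS1'
)
$cred = Get-Credential -UserName $PushAccount -Message 'Client push account'

# Preflight: exactly what client push needs from the site server to each target.
# TCP 445 carries the ADMIN$ copy, TCP 135 is the RPC endpoint mapper; the remote service
# start that follows uses the RPC dynamic range (49152-65535 by default).
$ready = foreach ($t in $Targets) {
    $r = [ordered]@{ Computer = $t }
    $r.Dns = [bool](Resolve-DnsName -Name $t -ErrorAction SilentlyContinue)
    $r.Smb = (Test-NetConnection -ComputerName $t -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
    $r.Rpc = (Test-NetConnection -ComputerName $t -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
    try {   # opening ADMIN$ as the push account proves it is a local administrator there
        New-PSDrive -Name CMPush -PSProvider FileSystem -Root "\\$t\ADMIN$" -Credential $cred -ErrorAction Stop | Out-Null
        $r.AdminShare = $true
        Remove-PSDrive -Name CMPush
    } catch { $r.AdminShare = $false }
    [pscustomobject]$r
}
$ready | Format-Table -AutoSize

# Manual install on the machines that passed: stage ccmsetup.exe over ADMIN$ (as client push
# does) and start it remotely. /mp makes ccmsetup download the rest of the client from the MP
# over HTTP(S), so the target never needs a second hop back to the site server share.
# SMSSITECODE and SMSMP are explicit because a client in another forest cannot count on
# finding the site in its own Active Directory; /logon stops if a client is already installed.
$ccmArgs = "/mp:$MP /logon SMSSITECODE=$SiteCode SMSMP=$MP FSP=$MP"
$passed  = ($ready | Where-Object { $_.Dns -and $_.Smb -and $_.Rpc -and $_.AdminShare }).Computer
foreach ($t in $passed) {
    New-PSDrive -Name CMPush -PSProvider FileSystem -Root "\\$t\ADMIN$" -Credential $cred | Out-Null
    New-Item -Path 'CMPush:\ccmsetup' -ItemType Directory -Force | Out-Null
    Copy-Item -Path "\\$SiteServer\SMS_$SiteCode\Client\ccmsetup.exe" `
              -Destination 'CMPush:\ccmsetup\ccmsetup.exe' -Force
    Remove-PSDrive -Name CMPush
    Invoke-Command -ComputerName $t -Credential $cred -ArgumentList $ccmArgs -ScriptBlock {
        param($a)
        # Progress is logged on the target in %windir%\ccmsetup\Logs\ccmsetup.log
        Start-Process -FilePath "$env:windir\ccmsetup\ccmsetup.exe" -ArgumentList $a
    }
}
```

A target that fails only the AdminShare check while DNS and both ports succeed points at the push account (wrong password, not a local administrator, or blocked by selective authentication), not at the network; a target that fails the port checks is a firewall problem between the site server and the remote subnet and no account change will fix it.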
Common Issues and Troubleshooting Tips
- DNS issues: If SCCM can't resolve computer names, check DNS forwarding or host entries.
- Authentication problems: Ensure the SCCM discovery account has proper permissions in the remote domain.
- Trust issues: Without a proper domain trust, SCCM won’t be able to authenticate with the remote domain.
Conclusion
Adding computers from another domain to SCCM requires careful planning and correct configurations—especially when it comes to trust relationships, DNS, discovery settings, and client installation. By following the steps outlined above, you can ensure a smooth integration and extend SCCM’s management capabilities across multiple domains.