This month I’m working on a new, complex infrastructure environment with a few untrusted forests. For managing servers and deploying workstations we implemented SCCM 2012 R2 SP1 in the new environment. Unfortunately SCCM is not ‘designed’ for forests without trust relationships. This bug, or ‘by-design thing’, has existed since the beginning of SCCM 2012. It is still present in ConfigMgr 2012 R2 SP1, but Microsoft has released a workaround that stops the rotating assigned management point if your environment uses multiple management points.
Anoop has a nice explanation of this ‘bug / by-design thing’. The link: http://anoopcnair.com/2014/03/07/configmgr-sccm-2012-mp-selection-forest-trust-related-bug/
In CU3 Microsoft released a workaround. To use it you had to add a multi-string (REG_MULTI_SZ) value to the registry of your client(s). The value (AllowedMPs) holds the correct management point(s) for that client. In ConfigMgr 2012 R2 SP1 there is instead an option in the properties of Sites: you can force the assignment of management points from the console. Go to Administration -> Site Configuration -> right-click on Sites. In the submenu you have the option Hierarchy Settings. Here you can turn on “Clients prefer to use management points specified in boundary groups”. This option replaces the AllowedMPs registry multi-string workaround.
There is one more thing, a tip about boundaries. Don’t use IP Subnet boundaries; use IP address range boundaries instead. If you use forest discovery, ConfigMgr creates the IP address range boundaries for you. IP Subnet boundaries don’t work the way they should: the subnet IDs that get calculated are not correct, and that is why an IP Subnet boundary will not match. A boundary must be associated with the correct management point so the clients get assigned to it. Jason wrote a blog post about IP Subnet and IP Address range boundaries: http://blog.configmgrftw.com/ip-subnet-boundaries-still-evil/
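To make the boundary tip concrete, here is an added PowerShell example that is not part of the original post or of ConfigMgr itself. It computes the subnet ID the way a client derives it (its own address AND its own mask), converts a network into the first-last string an IP address range boundary expects, and checks whether an address falls inside that range. The scenario at the bottom (a boundary defined for 10.1.0.0/23 while the client NIC is configured 10.1.1.20/24) is constructed; the final function assumes the ConfigurationManager module’s New-CMBoundary cmdlet with -Type IPRange and a loaded site drive.

```powershell
# Added example, not from the original post. Assumes the ConfigurationManager
# module (New-CMBoundary -Type IPRange) for the last function only.

function ConvertTo-IPv4Int([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($b)                       # network byte order -> little endian
    [int64][BitConverter]::ToUInt32($b, 0)     # int64 avoids unsigned arithmetic quirks
}

function ConvertFrom-IPv4Int([int64]$Value) {
    $b = [BitConverter]::GetBytes([uint32]$Value)
    [array]::Reverse($b)
    (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

function Get-MaskFromPrefix([int]$Prefix) {
    $mask = [int64]0
    for ($i = 0; $i -lt $Prefix; $i++) { $mask = $mask -bor ([int64]1 -shl (31 - $i)) }
    $mask
}

# Subnet ID exactly as a client computes it: its own IP AND its own mask.
function Get-SubnetId([string]$Address, [int]$Prefix) {
    ConvertFrom-IPv4Int ((ConvertTo-IPv4Int $Address) -band (Get-MaskFromPrefix $Prefix))
}

# 'network/prefix' -> first and last address, the form an IP range boundary wants.
function ConvertTo-IPRangeBoundary([string]$Cidr) {
    $net, $prefix = $Cidr -split '/'
    $mask    = Get-MaskFromPrefix ([int]$prefix)
    $network = (ConvertTo-IPv4Int $net) -band $mask
    $last    = $network -bor (0xFFFFFFFF -bxor $mask)
    [pscustomobject]@{
        Cidr  = $Cidr
        Start = ConvertFrom-IPv4Int $network
        End   = ConvertFrom-IPv4Int $last
        Value = '{0}-{1}' -f (ConvertFrom-IPv4Int $network), (ConvertFrom-IPv4Int $last)
    }
}

function Test-IPInRange([string]$Address, [string]$Start, [string]$End) {
    $v = ConvertTo-IPv4Int $Address
    ($v -ge (ConvertTo-IPv4Int $Start)) -and ($v -le (ConvertTo-IPv4Int $End))
}

# Constructed scenario: the boundary was defined for the supernet 10.1.0.0/23,
# but the client's NIC says 10.1.1.20/24. The client derives subnet ID 10.1.1.0,
# which never equals the boundary's 10.1.0.0, so the IP Subnet boundary fails.
# The equivalent IP address range 10.1.0.0-10.1.1.255 does contain the client.
$range    = ConvertTo-IPRangeBoundary '10.1.0.0/23'
$clientId = Get-SubnetId '10.1.1.20' 24
"Client subnet ID : $clientId (boundary subnet ID 10.1.0.0, match: $($clientId -eq '10.1.0.0'))"
"IP range boundary: $($range.Value) (contains client: $(Test-IPInRange '10.1.1.20' $range.Start $range.End))"

# Create the range boundary from PowerShell instead of the console. Requires the
# ConfigurationManager module and the site drive (e.g. P01:) as current location.
function New-CmIPRangeBoundary([string]$Cidr, [string]$Name) {
    $r = ConvertTo-IPRangeBoundary $Cidr
    New-CMBoundary -Name $Name -Type IPRange -Value $r.Value
}
```

Run the script on any machine with PowerShell 3 or later to see the subnet-ID mismatch; only New-CmIPRangeBoundary needs a site server session.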
The client now uses the correct management point, the one configured for its boundary group, and it no longer rotates between assigned management points. The client still gets the list of management points from Active Directory, so you will still see all the management points in the log, but it is not rotating anymore.
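To verify on a client both the old CU3 AllowedMPs workaround and the behaviour described above (management points still listed, but the current one no longer rotating), here is an added PowerShell example that is not part of the original post or of the ConfigMgr client. It assumes the AllowedMPs multi-string lives under HKLM:\SOFTWARE\Microsoft\CCM, that the client exposes its current management point through the SMS_Authority class in the root\ccm WMI namespace, and that LocationServices.log is a CMTrace-format log in %windir%\CCM\Logs whose messages mention management points by FQDN; the regular expressions are assumptions about that wording.

```powershell
# Added example, not from the original post. Paths, class and log wording are
# assumptions stated in the lead-in.

function Get-CmClientMpState {
    param(
        [string]$CcmKey  = 'HKLM:\SOFTWARE\Microsoft\CCM',                          # assumed key
        [string]$LogPath = (Join-Path $env:windir 'CCM\Logs\LocationServices.log')  # assumed path
    )

    # 1. Pre-SP1 (CU3) workaround: REG_MULTI_SZ listing the MPs the client may use.
    $allowed    = Get-ItemProperty -Path $CcmKey -Name 'AllowedMPs' -ErrorAction SilentlyContinue
    $allowedMPs = if ($allowed) { @($allowed.AllowedMPs) } else { @() }

    # 2. What the client is using right now, from the CCM WMI namespace.
    $auth      = Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Authority' -ErrorAction SilentlyContinue
    $currentMP = if ($auth) { $auth.CurrentManagementPoint } else { $null }
    $siteCode  = if ($auth) { $auth.Name -replace '^SMS:', '' } else { $null }

    # 3. Every MP name LocationServices.log mentions. Seeing several is normal,
    #    because the client still reads all MPs from AD; rotation shows up as the
    #    *current* MP (step 2) changing between polls, not as several names here.
    $mpsInLog = @()
    if (Test-Path $LogPath) {
        $fqdn = '([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)'
        $mpsInLog = Get-Content $LogPath | ForEach-Object {
            if ($_ -match '\[LOG\[(.*?)\]LOG\]') {            # CMTrace message body (assumed format)
                $msg = $Matches[1]
                if ($msg -match 'Management Point' -and $msg -match $fqdn) { $Matches[1].ToLower() }
            }
        } | Sort-Object -Unique
    }

    [pscustomobject]@{
        SiteCode           = $siteCode
        CurrentMP          = $currentMP
        AllowedMPs         = $allowedMPs
        MPsSeenInLog       = $mpsInLog
        UsesCu3Workaround  = ($allowedMPs.Count -gt 0)
        CurrentMPIsAllowed = if ($allowedMPs.Count -eq 0) { $true } else { $allowedMPs -contains $currentMP }
    }
}

# Poll the current MP a few times: with the SP1 boundary-group option on it stays
# the same; under the untrusted-forest bug it flips between management points.
function Test-CmMpStable {
    param([int]$Samples = 3, [int]$IntervalSeconds = 60)
    $seen = for ($i = 0; $i -lt $Samples; $i++) {
        (Get-CmClientMpState).CurrentMP
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
    $distinct = @($seen | Where-Object { $_ } | Sort-Object -Unique)
    [pscustomobject]@{ Samples = $seen; Stable = ($distinct.Count -le 1) }
}

Get-CmClientMpState | Format-List
```

Run it in an elevated PowerShell on the client; Test-CmMpStable with a longer interval (the client re-evaluates its MP on its own schedule) is the quickest way to confirm the rotation has stopped after turning on the Hierarchy Settings option.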