DDRs not processing
I have a test SCCM environment. It consists of two Server 2008 R2 boxes, one designated as the internal box and the other designated as the DMZ box. On the internal box I installed SCCM without the MP role. I then installed the MP role on the DMZ machine and set up that box to use a replica DB instead of the site database. Everything seems healthy. I then run a client through the MP and I see the DDR and HINV files sitting in the sms\mp\OUTBOXES\DDR.box and in the hinv.box but they are not being processed. I am not sure what to look for to see what the issue is.
Just to add another wrinkle into the problem, I have an internal forest and a DMZ forest set up with a one-way trust. I did add the internal machine to the DMZ box's admin user so I don't think it is a permissions issue, but I could be wrong.
May 4th, 2012 3:06pm
replica db: meh--if replication is fine and you confirmed that policies get from the main db to the replica, I wouldn't worry about that part of it--unrelated, imo.
essentially, tho, once files get to the mp outbox, it's pretty much a file-copy issue. if you are at the MP as 'SYSTEM' at a cmd prompt, can you see the internal box? specifically the \\server\sms_site share?
oh, and I think, I'm not sure...maybe someone else will chime in, but according to this http://technet.microsoft.com/en-us/library/bb694289.aspx, I think you need a transitive trust. Maybe I'm not reading that right, tho.
Standardize. Simplify. Automate.
May 4th, 2012 5:47pm
Nope, you are correct. Transitive trust is required for cross-forest communications.
May 4th, 2012 8:38pm
If I am at the MP cmd prompt, I need to see the internal box's share? The process that copies the files is initiated at the MP? Meaning that process on the MP needs to have read/write rights to the internal machine's share?
May 7th, 2012 10:24am
What SCCM process moves files between the MP and the primary? Where does this process run, on the primary or the MP?
May 8th, 2012 9:29am
mpfdm.log
Torsten Meringer | http://www.mssccmfaq.de
May 8th, 2012 9:52am
mpfdm.log
Torsten Meringer | http://www.mssccmfaq.de
Now I am making progress. I am getting an error in mpfdm that says cannot connect to the inbox source. I am searching that error online now. So if I am understanding this, the file dispatcher (I assume that is the name) is running on the MP and it is complaining that it cannot connect to itself (the source)? That seems strange. How can I determine what context the process is running under? I assume system...
May 8th, 2012 10:07am
My initial finds indicate that the MP which is located in the DMZ cannot read from the site server's registry? Is that a requirement of the MP? The machine account for the DMZ management point will not have permissions on the internal network.
If I could have that service that is trying to read the registry run as an internal domain account I think that would solve my issues. Where can I set the user for the FDM?
May 8th, 2012 11:53am
OK, I think I solved my problems thanks to some helpful suggestions. Here is my final layout and solution in case anyone else needs this in the future.
I have two forests, an internal and a DMZ forest. A one-way trust, the DMZ forest trusts the internal forest. I have a single SCCM site internal and an MP in the DMZ. The MP is running off of a replica DB. Obviously the MP and the site server are not in the same domain.
I was running into an issue where DDRs were building up on the MP and my mpfdm.log file indicated an error. From that error I concluded that there was a permissions issue. Since I didn't see any process specifically for the FDM, I assumed that the SMS_Exec process was in charge of things. I changed the SMS_Exec's logon to be a logon that has admin rights on BOTH the internal primary site and the DMZ machine. I had to use a domain account from the internal domain since those were the only accounts trusted in both forests. Once I changed the logon on the server, the plumbing freed up and things appear to be working.
I am not sure if this is a supported design. I'll report back if I notice any issues with the design.
May 8th, 2012 12:02pm
Changing the account SMS_Executive is running under is not supported at all. It has to be 'local system'!
Torsten Meringer | http://www.mssccmfaq.de
May 8th, 2012 12:20pm
Changing the account SMS_Executive is running under is not supported at all. It has to be 'local system'!
Torsten Meringer | http://www.mssccmfaq.de
Does the system account of the DMZ machine need to have access to the internal primary site? Not only the file share but also the primary site registry?
May 8th, 2012 12:50pm
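Added example, not part of the thread or any poster's code: a PowerShell sketch that scans mpfdm.log lines for the "cannot connect to the inbox source" error mentioned above and reports how many times it occurred and when it was first and last seen. The sample lines are constructed, and the two log-line layouts and the function names are assumptions.

```powershell
# Constructed sample lines (not taken from the poster's log). The two line
# layouts handled here are an assumption about how mpfdm.log is written.
$sample = @(
  'Cannot connect to the inbox source, sleep 30 seconds and try again.  $$<SMS_MP_FILE_DISPATCH_MANAGER><Tue May 08 10:05:11.120 2012 Eastern Daylight Time><thread=2840 (0xB18)>'
  'Moved 3 files from outboxes\ddr.box  $$<SMS_MP_FILE_DISPATCH_MANAGER><Tue May 08 10:06:11.500 2012 Eastern Daylight Time><thread=2840 (0xB18)>'
  '<![LOG[Cannot connect to the inbox source]LOG]!><time="10:07:12.345+240" date="05-08-2012" component="SMS_MP_FILE_DISPATCH_MANAGER" context="" type="3" thread="2840" file="sample.cpp:0">'
)

# Hypothetical helper: split each log line into time, component and message.
function Get-FdmLogEntry {
    param([Parameter(Mandatory=$true)][string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"') {
            $when = "$($Matches.date) $($Matches.time)"
        } elseif ($l -match '^(?<msg>.*?)\s*\$\$<(?<comp>[^>]*)><(?<when>[^>]*)>') {
            $when = $Matches.when
        } else { continue }   # continuation line or unrecognised layout
        New-Object psobject -Property @{
            When      = $when
            Component = $Matches.comp
            Message   = $Matches.msg.Trim()
        }
    }
}

# Hypothetical helper: count the inbox-source errors and bracket them in time,
# which shows whether the dispatcher is still failing or recovered at some point.
function Find-InboxSourceError {
    param(
        [Parameter(Mandatory=$true)][string[]]$Line,
        [string]$Pattern = 'cannot connect to the inbox source'
    )
    $hits = @(Get-FdmLogEntry -Line $Line | Where-Object { $_.Message -match $Pattern })
    $first = $null; $last = $null
    if ($hits.Count -gt 0) { $first = $hits[0].When; $last = $hits[-1].When }
    New-Object psobject -Property @{ Count = $hits.Count; First = $first; Last = $last }
}

# Runs on the constructed sample; on the MP, pass the output of
# Get-Content for the real mpfdm.log instead of $sample.
Find-InboxSourceError -Line $sample | Format-List Count, First, Last
```

On the sample this reports two matches, the first at 10:05 and the last at 10:07; the "Moved 3 files" line is parsed but not counted.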


