SCCM Schema extension
I have two domains that have a two-way external AD trust. One is Windows 2000 and the other is Windows 2008. My SCCM server resides in the Windows 2008 domain with the AD schema extension applied. In my Windows 2000 domain I have an SMS 2003 server (to be decommissioned) and the AD schema applied here as well.
My question is can I manage my clients in the Windows 2000 domain with my SCCM server in the 2008 domain or will there be a conflict in the AD schema? I want to deploy the SCCM agent to the devices in the Windows 2000 domain but just wanted to know whether these clients will do the AD lookup in the Windows 2008 domain and not the old Windows 2000?
May 9th, 2011 12:01pm
There can be only one schema master in your environment (forest). If you have already extended the schema, then there should not be any issue with the domain running Windows Server 2000.
May 9th, 2011 12:27pm
Domains don't really matter. It's forests that matter. Are your two domains in the same forest?
John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|
May 9th, 2011 1:26pm
If the clients are assigned to a ConfigMgr site that lives in any other domain (trusted or not), they will be managed as if they are workgroup clients. Auto site assignment and MP location will not function properly and you will have to assign those at installation time (or using a GPO); this is because the client will automatically try to look up this information in its own domain, which has information from the old site. ConfigMgr clients only look up info in their own domain regardless of trusts or forests.
So yes to your question that they will try to look up info in their own domain and thus you should "hard-code" or force the site code and MP.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
May 9th, 2011 1:56pm
SLP?
John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|
May 9th, 2011 2:09pm
Yes, an SLP in the new site is required for clients not able to access site information in AD to check version information.
A side note (and bit of correction to my above info in support of John's statement above) is that if these domains are in the same forest, the client "could" find site information from the other domain and thus not be treated as a workgroup client, but this could cause other issues like overlapping boundaries -- thus John's statement above is correct in spirit that forests are the site information boundary in ConfigMgr. That's moot to this question (based upon my reading) because the domains are (presumably) in separate forests; otherwise the information about the schema extensions is misleading.
Can you thus please clarify whether these are in two forests or one?
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
May 9th, 2011 3:21pm
That's moot to this question (based upon my reading) because the domains are (presumably) in separate forests otherwise the information about the schema extensions is misleading.
Can you thus please clarify whether these are in two forests or one?
I totally agree. I was trying to prod for that info. ;-)
John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|
May 9th, 2011 3:35pm
Apologies for the delay in response.
Just to confirm that there are two separate forests. One forest is the Windows 2000 forest with a 2000 domain in it. And the other being a Windows 2008 forest with a 2008 domain in it. There is an external 2-way trust between the domains but not a forest trust. And as mentioned in my original question, there is a schema extension applied to both forests/domains (one being sms2003 schema extension and the other being sccm2007 schema update).
Hope this makes things clearer.
May 10th, 2011 5:06am
In a separate forest scenario I always prefer to place a child primary site in the remote forest. If you do not do that you will have to treat those clients as if they are in a workgroup.
John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|
May 10th, 2011 9:08am
Thanks John. Though this is not an option for us. We need to manage clients in the other forest with the sccm server in the 2008 domain. So are you saying even with an external 2-way trust between domains they have to be treated as workgroup clients?
If so what additional steps do I need to take in order for my single sccm server to manage those clients?
Thanks.
May 10th, 2011 11:09am
Yes, that's what he (and I) is (are) saying.
As I pointed out above, you need to hard code the MP and SLP to prevent the clients from looking up the info in their own domain. You'll need a network access account configured also if you are deploying software. That's really about it. ConfigMgr doesn't use domain membership as a criterion for client management or client permissions.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
May 10th, 2011 11:42am
OK, thanks guys for your help. One quick point, would removing the systems management folder from the 2000 domain be a workaround to the above? Though I expect that the NAA still needs to be created due to different domains.
May 10th, 2011 12:10pm
If the SLP is properly registered in WINS then yes auto-assignment will work fine as will MP location.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
May 10th, 2011 1:00pm
Thanks for all the answers to the questions above.
I thought I would continue this thread as my question relates to the same scenario:
Recap:
Just to confirm that there are two separate forests. One forest is the Windows 2000 forest with a 2000 domain in it. And the other being a Windows 2008 forest with a 2008 domain in it. There is an external 2-way trust between the domains but not a forest trust (though this will be put in place in the future). And as mentioned in my original question, there is a schema extension applied to both forests/domains (one being sms2003 schema extension and the other being sccm2007 schema update).
Now we have a change of plan. The SCCM primary server will be in the same domain as the SMS2003 server. The reason being the majority of the devices to be managed are there.
Questions:
1) If I upgrade the SCCM schema to 2007, will I still be able to use the SMS 2003 environment (e.g. SMS 2003 clients still lookup using the AD schema and be managed by SMS) and also use the SCCM 2007 environment to manage new SCCM 2007 clients?
2) To manage the clients in the other forest, do I just do a client push using the sms site code and the sms slp? And for imaged machines use the same details or will the sms site code set to auto work?
3) Before we start using the new SCCM server with managing new machines, we will need to use the existing SMS infrastructure. Will there be an issue with overlapping boundaries as I will need to use the same boundaries in both environments until we are ready to decommission? If so, is there a way around this?
Thanks.
June 20th, 2011 7:45pm