Workaround for Untrusted Forest SCCM MP Rotation Issue

In my previous post, I highlighted the MP selection or rotation issue that SCCM 2012 clients hit in untrusted forests (DMZ).

We run into an “MP rotation” issue when we have multiple MPs in untrusted DMZ forests under one SCCM ConfigMgr primary site. The issue itself is explained in the post linked above.


Microsoft confirmed this is the default product design or behavior (from the SCCM architect or admin perspective, it’s not an excellent product design).


This will get fixed in the next version of the product. Next version? I am not sure whether the next version will be SCCM ConfigMgr CB or SCCM 2012 R3.

UPDATE: Install SCCM ConfigMgr 2012 R2 CU3 and stop the MP rotation issue with a registry key called “AllowedMPs.” More details here.

Another useful topic: do you have multiple SUPs in SCCM 2012? Are you getting into a scenario where the clients cannot switch back to the original SUP?

One of the useful Technet forum threads you can look into: http://social.technet.microsoft.com/Forums/en-US/57433aa3-2c26-4a46-a94e-7e734e2214c6/sup-assignment-not-correct?forum=configmanagersecurity.

We need to find a workaround to live with the SCCM 2012 MP rotation issue. We’ve identified 3 workarounds (my colleague contributed most of them) for the SCCM ConfigMgr 2012 MP rotation issue.

The best option identified for our environment is “Remove AD publishing and add DNS service records for MP lookup.” All 3 workarounds are discussed in the following sections.

1. Remove AD publishing and add DNS service records for MP lookup

In the SCCM 2012 console, navigate to Hierarchy Configuration > Active Directory Forests, select the untrusted (DMZ) forest whose AD-published details you want to remove, and on the Publishing tab clear the checkbox against your primary site server. This removes all the published details from that untrusted (DMZ) forest’s AD System Management container.

Unlike SCCM 2007, we don’t need to delete anything manually from the System Management container; all the site-related data, such as boundary and MP details, is removed automatically.

You need to repeat these steps for every untrusted forest under that particular primary site (wherever a remote MP is installed).


Next, publish a DNS service record for MP lookup on each local forest DNS server (wherever a remote MP is installed). How do you perform this?

More details are available in the section “To manually publish the default management point to DNS on Windows Server” of the Technet document http://technet.microsoft.com/en-us/library/bb632936.aspx.

Also, we have to add the SMSMP and DNSSUFFIX options to the SMSClientInstallProperties TS variable to get the preferred results.

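As an added example (not a script from the original post), this PowerShell publishes the MP lookup SRV record in the DMZ forest’s DNS zone, verifies what a client would resolve, and builds the matching SMSClientInstallProperties value. The site code “P01”, the DNS suffix “dmz.example” and the MP host “acncmmp1.dmz.example” are assumed placeholders; it needs the DnsServer module on the DNS server.

```powershell
# Added example, not from the original post. Placeholders (assumptions): site code "P01",
# DNS suffix "dmz.example", MP "acncmmp1.dmz.example". Run on the DMZ forest DNS server.
Import-Module DnsServer

$SiteCode = "P01"                   # assumption: your primary site code
$ZoneName = "dmz.example"           # assumption: the DMZ forest's DNS suffix
$MpFqdn   = "acncmmp1.dmz.example"  # assumption: the MP installed in this forest
$MpPort   = 80                      # use 443 if the MP only accepts HTTPS

function Publish-MpSrvRecord {
    param([string]$SiteCode, [string]$ZoneName, [string]$MpFqdn, [int]$Port)
    # Clients with DNSSUFFIX set look up _mssms_mp_<sitecode>._tcp.<dnssuffix>.
    $srvName  = "_mssms_mp_$SiteCode._tcp"
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $srvName `
        -RRType Srv -ErrorAction SilentlyContinue
    if ($existing | Where-Object { $_.RecordData.DomainName -eq "$MpFqdn." }) {
        Write-Host "SRV record for $MpFqdn already present in $ZoneName"
        return
    }
    Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name $srvName `
        -DomainName $MpFqdn -Priority 0 -Weight 0 -Port $Port
}

function Test-MpSrvRecord {
    param([string]$SiteCode, [string]$ZoneName)
    # Resolve the same name a client would and list the MP targets it returns.
    $fqdn = "_mssms_mp_$SiteCode._tcp.$ZoneName"
    Resolve-DnsName -Name $fqdn -Type SRV |
        Where-Object { $_.Type -eq "SRV" } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Get-ClientInstallProperties {
    param([string]$SiteCode, [string]$MpFqdn, [string]$ZoneName)
    # Value for the SMSClientInstallProperties TS variable (or the ccmsetup.exe
    # command line): pin the initial MP and the suffix used for the SRV lookup.
    "SMSSITECODE=$SiteCode SMSMP=$MpFqdn DNSSUFFIX=$ZoneName"
}

Publish-MpSrvRecord -SiteCode $SiteCode -ZoneName $ZoneName -MpFqdn $MpFqdn -Port $MpPort
Test-MpSrvRecord -SiteCode $SiteCode -ZoneName $ZoneName
Get-ClientInstallProperties -SiteCode $SiteCode -MpFqdn $MpFqdn -ZoneName $ZoneName
```

Repeat the publish step on each untrusted forest’s DNS server with that forest’s own MP and suffix.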

2. Redirect the foreign forest MPs to local forest MP

Make each DMZ (untrusted) forest DNS server point the “blocked” MPs (the ones located in another untrusted forest) at the IP address of the MP that we want the clients to use.

This is a way of cheating the SCCM ConfigMgr 2012 client. The client will still rotate through the MP list and try to communicate with different MPs, but in fact it is reaching the MP you want it to reach.

The MPs in the other untrusted (DMZ) forest get resolved to the local forest MP by your DNS server.

All the MPs (ACNCMMP1, ACNCMMP2, and ACNCMMP3) are resolving to the same IP 😉


3. Redirect the foreign forest MPs to Loop-Back Address

In each DMZ (untrusted) forest, adjust the client machines’ hosts file to point the “blocked” MPs (the ones located in another untrusted forest) at the loopback address. The client’s connection attempt then fails immediately. This won’t stop the SCCM 2012 MP rotation issue.

However, it can reduce the time the client spends trying to contact the other blocked MPs. The hosts file changes can be made using Robert Marshall’s (MVP) SCCM SwitchMP.

Alternatively, you can configure the DNS server to resolve the blocked MP names to the loopback address.

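As an added example covering both workaround 2 and workaround 3 (not the post’s own tooling), this PowerShell redirects the “blocked” MPs of another untrusted forest either on this forest’s DNS server (to the local MP) or in a client’s hosts file (to loopback), then checks what the OS resolver returns. The MP hostnames are the post’s; the DNS suffixes, the local MP IP and the single-host-zone approach are assumptions.

```powershell
# Added example, not from the original post. Hostnames follow the post; suffixes and
# the IP are placeholders (assumptions). Run elevated on the DNS server or the client.
$BlockedMps = @("acncmmp2.otherdmz.example", "acncmmp3.otherdmz.example")
$LocalMpIp  = "10.20.30.40"   # assumption: IP of the MP clients in this forest should use

function Redirect-BlockedMpViaDns {
    # Workaround 2: answer for each foreign MP name locally via a single-host zone,
    # so the other forest's whole DNS zone does not have to be hosted here.
    param([string[]]$Fqdns, [string]$TargetIp)
    Import-Module DnsServer
    foreach ($fqdn in $Fqdns) {
        if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
            Add-DnsServerPrimaryZone -Name $fqdn -ZoneFile "$fqdn.dns"
        }
        Add-DnsServerResourceRecordA -ZoneName $fqdn -Name "@" -IPv4Address $TargetIp
    }
}

function Redirect-BlockedMpViaHosts {
    # Workaround 3: loopback makes the client's attempt fail at once; it does not stop
    # rotation, it only shortens the time spent on each blocked MP.
    param([string[]]$Fqdns, [string]$TargetIp = "127.0.0.1")
    $hostsFile = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
    $current   = Get-Content -Path $hostsFile -ErrorAction SilentlyContinue
    foreach ($fqdn in $Fqdns) {
        $pattern = '^\s*\S+\s+' + [regex]::Escape($fqdn) + '(\s|$)'
        if ($current -match $pattern) { continue }   # entry already present
        Add-Content -Path $hostsFile -Encoding ASCII `
            -Value "$TargetIp`t$fqdn`t# SCCM MP rotation workaround"
    }
}

function Test-MpRedirect {
    # Uses the OS resolver (hosts file first, then DNS), as the SCCM client does.
    param([string[]]$Fqdns, [string]$ExpectedIp)
    foreach ($fqdn in $Fqdns) {
        $ips = [System.Net.Dns]::GetHostAddresses($fqdn) |
            ForEach-Object { $_.IPAddressToString }
        [pscustomobject]@{ Name = $fqdn; ResolvesTo = ($ips -join ","); Ok = ($ips -contains $ExpectedIp) }
    }
}

# Pick the one that matches the box you are on (DNS server vs. client), then verify.
# Redirect-BlockedMpViaDns   -Fqdns $BlockedMps -TargetIp $LocalMpIp
# Redirect-BlockedMpViaHosts -Fqdns $BlockedMps
Test-MpRedirect -Fqdns $BlockedMps -ExpectedIp $LocalMpIp
```

For the hosts-file variant, call Test-MpRedirect with -ExpectedIp 127.0.0.1 instead.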

Resources

SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)

Author

Anoop is a Microsoft MVP. He is a Solution Architect in enterprise client management with over 17 years of experience (calculated in 2018). He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
