Workaround for Untrusted Forest SCCM MP Rotation Issue

In my previous post, I’ve highlighted SCCM 2012 clients MP selection or rotation issue for untrusted forests (DMZ).  When we’ve multiple MPs in untrusted DMZ forests under a SCCM ConfigMgr 2012 primary site, we will have “MP rotation” issue. This issue is explained in the above post.

Microsoft confirmed that this is default product design or behavior (from SCCM architect or admin perspective, it’s not an excellent product design ). This will get fixed in the next version of the product. Next version? Even I’m not sure the next version is SCCM ConfigMgr 2017 or SCCM 2012 R3?

UPDATE : Install SCCM ConfigMgr 2012 R2 CU3 and Stop MP rotation issue with a registry key called “AllowedMPs”. More details here

Another useful topic :- Do you have multiple SUPs in SCCM 2012? Are you getting into a scenario where the clients are not able to switch back to the original SUP ? One of the useful technet forum thread you can look into

Now, we need to find some workaround to live with SCCM 2012 MP rotation issue. We’ve identified 3 workarounds (my colleague contributed more on workarounds) for SCCM ConfigMgr 2012 MP rotation issue. The best option identified for our environment is “Remove AD publishing and add DNS service records for MP lookup”. All the 3 workarounds are discussed in the following sections.

1. Remove AD publishing and add DNS service records for MP lookup. 

Navigate SCCM 2012 console – Hierarchy Configuration :: Active Directory Forests :: Select the untrusted (DMZ) forest from where you want to remove AD published details ::Publishing tab, remove the check mark against your primary server.This will remove all the published details from untrusted (DMZ) forests AD system management container. Unlike SCCM 2007, we don’t need to delete anything manually from System Management container, all the site related data like boundary and MP details will get removed automatically. You need to repeat these steps for all the untrusted forests (where ever remote MP is installed) under that particular primary site.

Remove SCCM 2012 MP details from AD
Remove SCCM 2012 MP details from AD

Publish DNS service record for MP Lookup on each local forest DNS server  (where ever remote MP is installed). How to perform this? More details available below section “To manually publish the default management point to DNS on Windows Server”  of technet document Also, we’ve to add/use SMSMP and  DNSSUFFIX options to SMSClientInstallProperties TS variable to get the preferred results .

Publish SCCM 2012 MP to DNS server
Publish SCCM 2012 MP to DNS server

2. Redirect the foreign forest MPs to local forest MP

Make each DMZ (untrusted) forest DNS server to point the “blocked” MPs (which are located in another untrusted forest) at the IP address of the MP that we want the clients to use.  This is kind of cheating the SCCM ConfigMgr 2012 client. The client will rotate the MPs and try to communicate with different MPs from MP list, but in fact the client is reaching the MP which you want it to reach.  From your DNS server the MPs in the other untrusted (DMZ) forest will get resolved to local forest MP.

All the MPs (ACNCMMP1, ACNCMMP2 and ACNCMMP3) are resolving to the same IP 😉

SCCM 2012 MP rotation Issue Workaround
SCCM 2012 MP rotation Issue Workaround

3. Redirect the foreign forest MPs to Loop-Back Address

In each DMZ (untrusted) forest, we need to make adjustments in client machine’s host file to point the “blocked” MPs (which are located in another untrusted forest) at the loop-back address. Immediately,  the client will get failed to connect. This won’t stop SCCM 2012 MP rotation issue. However, it can reduce the time the client is going to take try contacting another blocked MPs.  The host file changes can be achieved by using Robert Marshall’s (MVP) tool SCCM SwitchMPOr else you may need to try some setting on DNS server to resolve blocked MPs names to loop back address.

SCCM 2012 MP rotation Issue Loop Back Address

Sharing is caring!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.