Workaround for Untrusted Forest SCCM MP Rotation Issue. In my previous post, I highlighted the SCCM 2012 client MP selection (rotation) issue for untrusted forests (DMZ).
When we have multiple MPs in untrusted DMZ forests under a single SCCM ConfigMgr 2012 primary site, we run into the "MP rotation" issue. The issue itself is explained in the post linked above.
Microsoft confirmed that this is the default product design or behavior (from the SCCM architect or admin perspective, it's not an excellent product design). It will get fixed in the next version of the product. Next version? I'm not even sure whether the next version will be SCCM ConfigMgr 2017 or SCCM 2012 R3.
UPDATE: Install SCCM ConfigMgr 2012 R2 CU3 and stop the MP rotation issue with a registry key called "AllowedMPs". More details here.
Another useful topic: do you have multiple SUPs in SCCM 2012? Are you getting into a scenario where the clients are not able to switch back to the original SUP? One useful TechNet forum thread to look into: http://social.technet.microsoft.com/Forums/en-US/57433aa3-2c26-4a46-a94e-7e734e2214c6/sup-assignment-not-correct?forum=configmanagersecurity
Now we need to find a workaround to live with the SCCM 2012 MP rotation issue. We have identified three workarounds (my colleague contributed more on the workarounds) for the SCCM ConfigMgr 2012 MP rotation issue. The best option for our environment is "Remove AD publishing and add DNS service records for MP lookup". All three workarounds are discussed in the following sections.
1. Remove AD publishing and add DNS service records for MP lookup.
Navigate in the SCCM 2012 console to Hierarchy Configuration :: Active Directory Forests :: select the untrusted (DMZ) forest whose AD-published details you want to remove :: Publishing tab, and remove the checkmark against your primary site. This removes all the published details from that untrusted (DMZ) forest's AD System Management container.
Unlike SCCM 2007, we don't need to delete anything manually from the System Management container; all the site-related data such as boundary and MP details are removed automatically. Repeat these steps for all the untrusted forests (wherever a remote MP is installed) under that particular primary site.
Publish a DNS service (SRV) record for MP lookup on each local forest's DNS server (wherever a remote MP is installed). How? More details are available in the section "To manually publish the default management point to DNS on Windows Server" of the TechNet document http://technet.microsoft.com/en-us/library/bb632936.aspx. Also, we have to add the SMSMP and DNSSUFFIX options to the SMSClientInstallProperties TS variable to get the preferred result.
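The DNS side of workaround 1 and the matching client install properties, as an added example (this is my illustration, not a script from the original post or from Microsoft). It assumes placeholder values: site code PS1, DMZ DNS zone dmz.example.com, local MP acncmmp1.dmz.example.com on HTTP port 80, and that the DnsServer module is available on (or pointed at) the DMZ DNS server. It publishes the _mssms_mp_ SRV record idempotently, then checks the lookup the client will actually perform before printing the TS variable value.

```powershell
# Added example (not from the original post): publish the SCCM MP lookup SRV record in a
# DMZ forest's DNS zone, verify it, and build the matching client install properties.
# Assumed placeholders (not values from the post): site code PS1, zone dmz.example.com,
# local MP acncmmp1.dmz.example.com, MP on HTTP port 80. Run as a DNS admin.

$SiteCode = 'PS1'
$Zone     = 'dmz.example.com'
$MpFqdn   = "acncmmp1.$Zone"
$MpPort   = 80                              # use 443 if the MP is configured for HTTPS
$SrvName  = "_mssms_mp_$SiteCode._tcp"      # record name the ConfigMgr client queries

# Create the SRV record only if it is not already there, so re-runs are harmless.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $SrvName -RRType Srv -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecord -ZoneName $Zone -Name $SrvName -Srv `
        -DomainName $MpFqdn -Priority 0 -Weight 0 -Port $MpPort
    Write-Host "Published $SrvName.$Zone -> ${MpFqdn}:$MpPort"
} else {
    Write-Host "$SrvName.$Zone already exists:"
    $existing | Format-Table -AutoSize
}

# Check from the client's point of view: the SRV lookup must return the local MP.
$answer  = Resolve-DnsName -Name "$SrvName.$Zone" -Type SRV -ErrorAction Stop
$targets = $answer | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
if ($targets -contains $MpFqdn) {
    Write-Host "OK: SRV lookup returns $MpFqdn"
} else {
    Write-Warning "SRV lookup returned '$($targets -join ', ')' instead of $MpFqdn"
}

# Value for the SMSClientInstallProperties TS variable (or the ccmsetup.exe command line).
# DNSSUFFIX tells the client which zone to query for the _mssms_mp_ record now that AD
# publishing is gone; SMSMP pins the MP used for the initial registration.
$InstallProps = "SMSSITECODE=$SiteCode SMSMP=$MpFqdn DNSSUFFIX=$Zone"
Write-Host "SMSClientInstallProperties = $InstallProps"
```

The verification step matters more than the publish step: if the SRV lookup from a DMZ client returns nothing, the client falls back to the site's MP list and the rotation behaviour comes back, so run the Resolve-DnsName check from a machine in the DMZ forest, not only on the DNS server itself.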
2. Redirect the foreign forest MPs to local forest MP
Make each DMZ (untrusted) forest's DNS server resolve the "blocked" MPs (those located in another untrusted forest) to the IP address of the MP we want the clients to use. This is a way of tricking the SCCM ConfigMgr 2012 client: it will still rotate through the MP list and try to communicate with different MPs, but in fact every attempt reaches the MP you want it to reach, because from your DNS server the MPs in the other untrusted (DMZ) forest resolve to the local forest's MP.
All the MPs (ACNCMMP1, ACNCMMP2, and ACNCMMP3) are resolving to the same IP 😉
3. Redirect the foreign forest MPs to Loop-Back Address
In each DMZ (untrusted) forest, we need to adjust the client machines' hosts file to point the "blocked" MPs (those located in another untrusted forest) at the loopback address. The client's connection attempt then fails immediately. This won't stop the SCCM 2012 MP rotation issue.
However, it can reduce the time the client takes trying to contact the other blocked MPs. The hosts file changes can be made with Robert Marshall's (MVP) tool SCCM SwitchMP. Alternatively, you may need to try a setting on the DNS server to resolve the blocked MP names to the loopback address.
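An added example for workarounds 2 and 3 together (my illustration, not the post's own script and not SCCM SwitchMP): it applies the loopback redirect for the blocked MPs in a DMZ client's hosts file, tagged so it can be rolled back, and then reports where every MP name in the list resolves, which is the same check the screenshot above performs by hand for the DNS redirect. Assumed placeholders: the three MP names from the post with ACNCMMP1 as the local MP, and dmz.example.com as the DMZ DNS suffix. Run it elevated on a DMZ client.

```powershell
# Added example (not from the original post): hosts-file loopback redirect for the
# "blocked" foreign-forest MPs, followed by a resolution report for all MPs.
# Assumed placeholders: ACNCMMP1 is the local MP, ACNCMMP2/ACNCMMP3 are the blocked
# ones, DNS suffix dmz.example.com. Edits %SystemRoot%\System32\drivers\etc\hosts.

$DnsSuffix  = 'dmz.example.com'
$LocalMp    = "ACNCMMP1.$DnsSuffix"
$BlockedMps = @("ACNCMMP2.$DnsSuffix", "ACNCMMP3.$DnsSuffix")
$HostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker     = '# sccm-mp-redirect'   # tag so our lines can be found and removed later

# Keep a backup of the hosts file before touching it.
Copy-Item $HostsPath "$HostsPath.bak" -Force

# Drop entries from a previous run, then append one loopback line per blocked MP.
[string[]]$lines = @(Get-Content $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Marker) })
foreach ($mp in $BlockedMps) {
    $lines += "127.0.0.1`t$mp`t$Marker"
}
Set-Content -Path $HostsPath -Value $lines -Encoding ASCII
Clear-DnsClientCache   # so the report below is not answered from stale cache

# Report where each MP name resolves now. Expected: the local MP resolves to its real
# address; each blocked MP comes back as 127.0.0.1 (hosts file, workaround 3) or as the
# local MP's IP (DNS redirect, workaround 2). Anything else means the redirect is not in effect.
$report = foreach ($mp in @($LocalMp) + $BlockedMps) {
    try {
        $ips = (Resolve-DnsName -Name $mp -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
    } catch {
        $ips = "unresolved ($($_.Exception.Message))"
    }
    [pscustomobject]@{ ManagementPoint = $mp; ResolvesTo = $ips }
}
$report | Format-Table -AutoSize

# Rollback when no longer needed: remove only the tagged lines.
# Get-Content $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Marker) } |
#     Set-Content -Path $HostsPath -Encoding ASCII
```

Resolve-DnsName consults the hosts file by default (its -NoHostsFile switch is how you bypass it), so the same report works unchanged whether the redirect lives in the hosts file or on the DMZ DNS server. Tagging the lines and backing up the file is what keeps this reversible once the R2 CU3 AllowedMPs fix mentioned in the update is rolled out and the redirect is no longer needed.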