System Center Configuration Manager 2007 Cross Domain Permissions

Posted on 2009-12-22
Last Modified: 2013-11-21

I am working on a Single site deployment of 2007 SCCM for our enterprise. The primary site is installed into our Forest Domain and I have successfully discovered all systems in our 4 child domains. I have also been able to push the clients to our Forest domain machines as well as my local domain machines. Remote tools, assistance and software deployment work for my local domain and the forest domain; however, I cannot seem to push out the client to any of the other 3 child domains.


I had the admin at one of the other child domains manually install the client on a workstation and it shows up in the collections as a client, but I cannot seem to use the remote tools, or push software or anything. I am thinking I just don't have permissions correct or group membership or something.


Here is a portion of the log when I try to use remote tools.

User "BSE\musueraccount-da" at "PHO-SCCM-001" failed to start a Remote Tools session with "childdomainlaptopcomputer".

Solution: Verify that the Remote Tools Client Agent is installed on the client. If the agent is installed and you cannot start a Remote Tools session, use the "Show Status" command on Control Panel, Remote Tools  on the client to verify that the Remote Control Agent is listening on the right protocol.

I have verified that the remote tools is installed on that machine and enabled.

I am at a loss here. If anyone can provide me with some insight on the correct permissions setup, that would be great.


Thank you for your time.
Question by: MrNiss99

    Expert Comment

    By default, you need to have local administrator rights on the client machine...

    To test security, can you create a local account with administrator rights on the client machine? If so, you can then test your remote tools...

    Does this account have local administrator rights on the client machine "BSE\musueraccount-da"?

    If you know a local account, you can leave the domain dialog box blank and type the password (or this format also works: %machinename%\username).

    To me it sounds like you don't have rights to perform the remote tools session. You can also check the client Remotetools.log found in the c:\windows\system32\ccm\logs\ directory on the client.


    Accepted Solution

    Also, this site setting controls what groups can gain remote tools access...

    Author Closing Comment

    Although this was not the exact solution, the answer pointed me in the right direction. It turns out that it was a DNS issue: the local site server could not contact the clients outside of the installed domain. I had to add the DNS suffixes to the NIC for all child domains in order to contact clients outside of the parent domain.

    Thanks for the help!!
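
Added example, not part of the original thread: a PowerShell check to run on the site server that shows which child-domain suffix resolves a client's short name and whether that suffix is in the server's DNS suffix search list. The suffixes under `example.com` are placeholders, and the script assumes the list is set locally (the `SearchList` value under `Tcpip\Parameters`) rather than by Group Policy.

```powershell
# Constructed sample values; replace with your own child domains and clients.
$ChildDomainSuffixes = @('child1.example.com', 'child2.example.com', 'child3.example.com')
$ClientShortNames    = @('childdomainlaptopcomputer')

function Get-DnsSuffixSearchList {
    # Global "Append these DNS suffixes" list, stored as a comma-separated string.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SearchList -ErrorAction SilentlyContinue).SearchList
    if ([string]::IsNullOrEmpty($value)) { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-NameResolves {
    param([string]$Name)
    # True if the Windows resolver returns at least one address for the name.
    try { [void][System.Net.Dns]::GetHostAddresses($Name); return $true }
    catch { return $false }
}

function Test-ClientResolution {
    param([string[]]$ShortNames, [string[]]$Suffixes)
    $searchList = Get-DnsSuffixSearchList
    foreach ($name in $ShortNames) {
        # Try the client under every child-domain suffix as a multi-label name.
        $working = @($Suffixes | Where-Object { Test-NameResolves "$name.$_" })
        # Suffixes that resolve the client but are absent from the search list
        # are the ones the site server cannot reach by short name.
        $missing = @($working | Where-Object { $searchList -notcontains $_ })
        New-Object PSObject -Property @{
            Client                = $name
            # Note: a short name can also resolve through NetBIOS or LLMNR on the
            # local subnet, so a True here does not prove the suffix list is right.
            ShortNameResolves     = Test-NameResolves $name
            ResolvingSuffixes     = $working -join ', '
            MissingFromSearchList = $missing -join ', '
        }
    }
}

Test-ClientResolution -ShortNames $ClientShortNames -Suffixes $ChildDomainSuffixes | Format-List
```

A client that lists a suffix under `MissingFromSearchList` matches the situation in the closing comment: the record exists in the child domain's zone, but the site server never queries that zone when given the short name.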
