How to manage computers from different domains (without trust relationship between domains) from a single Notification Server

Article ID: 180601

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

 

Resolution

Question
What do I need to do in order to manage Client Computers in a foreign Windows Domain which doesn't have a Trust Relationship set up with the domain where the Notification Server is located?

Answer
 

First, you need to discover the computers in the other domain so that they can be managed by your Notification Server. There are many ways to do this, but the two most common methods are the following:

  • Resource Discovery: Go to Configuration tab > Server Settings > Discovery Methods > Resource Discovery. In the main frame you can add the domain that you want to discover, or browse the list of domains that the Notification Server is able to see. See the Notification Server Help Documentation for more details regarding Resource Discovery.
  • Active Directory Connector: If you install the Altiris Integrated Component for Microsoft Active Directory 6.1, you will be able to import all the computers, or specific OUs, that belong to the other domain. You need to have access to the AD information from that other domain. To learn how to use AD Connector, see article HOWTO3888, "How do I perform an Active Directory import with AD Connector 6.1.842?".

 

After the computers are added into the Notification Server database, you need to install the Altiris Agent on those computers. One important consideration when working with multiple domains (without trust relationships) is to ensure proper authentication occurs both ways (when the server accesses the client computer and when the client computers access the Notification Server).

If you go to Configuration tab > Altiris Agent > Altiris Agent Rollout > Altiris Agent Installation, you can install the agent on computers individually (by selecting the computers on which you want to install the Altiris Agent), or you can schedule the installation for a specific collection of computers (generally the discovered computers that are in the foreign domain and do not have the Altiris Agent installed yet).

Click the Installation Settings button to specify the account used to push the Altiris Agent. Enter the foreign domain admin account name and credentials and click OK.

If the computers in the foreign domain are already managed by another Notification Server, follow the instructions in article HOWTO5538, "How do you migrate computers from one Notification Server to another?".

If your DNS is not able to resolve the Notification Server name from the client machines in the other domain, but you can use the IP address of your Notification Server, see Article ID: HOWTO8066, "How to Install the Altiris Agent using the Notification Server IP Address when the Server Name cannot be Resolved".

Once the deployment of the Altiris Agent is completed, you will have the base configuration to manage the computers in the foreign domain. You then need to consider access to packages from one domain to the other. Review article HOWTO3588, "How can a File Store be accessed in a non-trusted domain from the Notification Server?", which can be applied to your situation.

Note: If there is a firewall between the two domains, you may need to open certain ports. However, this is usually not necessary. If you do need to open ports, see article HOWTO1041, "Ports and Protocols for Altiris 6 Products." That document covers the most common ports and protocols used by Altiris.