I've written a few documents covering this, but never for the community, always an employer!

Well, Clifton Hughes over at MS has taken the opportunity to bring together all the nuggets of information on helping ConfigMgr support workgroup-based clients or clients in untrusted domains.

This document covers the processes and considerations for managing clients in another un-trusted domain, as if they were in a workgroup, and/or to manage actual Workgroup Clients. In this documentation, Workgroup Clients is the term that is used, however, be aware that through these same processes and procedures, clients in an un-trusted domain can be managed in the same way, and with the same limitations as actual Workgroup Clients. Note below, that if you do not have one already installed in your environment, you will need the Server Locator Point (SLP) role if you decide to pursue this process.

This method requires a little more effort and planning than with domain-joined clients, because of the lack of discoverability, name resolution, and lack of support for the Client Push installation method; however, it is doable.

[Read more]

*** Update ***

An engineer emailed me to ask a question that came about due to this posting:

Q. Should I pinhole my firewall for a bunch of clients in a DMZ, or locate an MP inside the DMZ?

A. The answer really does depend on your environment. If you have a lot of clients in your DMZ site, you might want to think about localising an MP to service them; you might also want to consider placing a PDP into the DMZ to localise content for the clients. You should be aware that placing a Site system into a DMZ will require further firewall pinholing so that the Site system can communicate with a Domain Controller for the domain it is homed into. My best advice is to review Ports used by ConfigMgr to figure out which ports are needed to support the Roles and Site system.