MDT – Use MDT cross domain / workgroups

Hi there,

Just a short post about something I had to deal with very recently: an MDT environment that spans a domain and a workgroup.

Basically I had two challenges:

  1. Connecting to different shares based on DefaultGateway
  2. Connecting to shares in a domain and in a workgroup

The following example of the bootstrap.ini does just that:

As you can see here, I use the DefaultGateway section to determine from which location the machine is being deployed, and to choose the designated deployment share for that particular location.

The next thing is making sure authentication against the shares goes smoothly. My first try was using "LocationServer.xml", which seemed to solve my problem of having multiple shares. Unfortunately, when you use LocationServer.xml it destroys your authentication settings, because the credentials are not passed through while the xml file is processed, leaving you with a prompt to authenticate (again!) against the target share.

/rant The credentials not being parsed when using LocationServer.xml is something that goes back to 2010. A thread on social.technet answered by Keith Garner reports that a bug was filed, but it never made it into any new release of MDT 🙁

So how did I get around this? By putting all the common denominators in the Default section, and all the anomalies in the DefaultGateway subsections. This gives me the opportunity to use the same account name everywhere, but with a different UserDomain per location: a domain account for the machines in the domain, and a local account on the share server for the machines in the workgroup.

Also, since the deployment share outside the domain cannot be resolved by DNS, you'll need to map that share by IP address.

Doing the same thing in the CustomSettings.ini gives me the opportunity to put the log files for each machine on the same location it was deployed from.
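Added here as an illustration of the two files described above (not the author's own files): a constructed Bootstrap.ini and CustomSettings.ini that key on DefaultGateway, share one account in the Default section, and override DeployRoot, UserDomain and SLShare per location. Gateway addresses, server names, share names and the account name are assumed; the workgroup share is mapped by IP and authenticated with a local account on that server. Note that Bootstrap.ini ships inside the boot image in clear text, so the account should be a dedicated one with read-only access to the deployment share and nothing else.

```ini
; ---- Bootstrap.ini (constructed example) ----
[Settings]
Priority=DefaultGateway,Default

[Default]
; Common denominators: the same account name and password for every location.
; Keep this a least-privilege, read-only deployment share account; the
; password is stored in clear text in the boot image.
UserID=svc_mdt
UserPassword=<replace-with-real-password>
SkipBDDWelcome=YES

[DefaultGateway]
; Map each site's default gateway (assumed values) to a per-site section.
10.1.0.1=DomainSite
10.2.0.1=WorkgroupSite

[DomainSite]
; Share inside the domain: resolvable by DNS, authenticated with a domain account.
DeployRoot=\\mdt01.corp.example\DeploymentShare$
UserDomain=CORP

[WorkgroupSite]
; Share in the workgroup: no DNS, so map it by IP address and authenticate
; with a local account on that server (UserDomain = the server's own name).
DeployRoot=\\10.2.0.20\DeploymentShare$
UserDomain=MDT02

; ---- CustomSettings.ini (constructed example) ----
[Settings]
Priority=DefaultGateway,Default

[Default]
; Anything common to all deployments goes here.
SkipCapture=YES

[DefaultGateway]
10.1.0.1=DomainSite
10.2.0.1=WorkgroupSite

[DomainSite]
; Logs land on the same server the machine was deployed from.
SLShare=\\mdt01.corp.example\Logs$

[WorkgroupSite]
; Same idea for the workgroup site, again by IP address.
SLShare=\\10.2.0.20\Logs$
```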

Happy deploying 🙂

Cheers! Rens


2 thoughts on “MDT – Use MDT cross domain / workgroups”

  1. Rob

    Hi Rens
    I am looking for a way to access the WSUS server with HTTP but I am in a different domain
    and I have access denied. Do you have an idea how to proceed?
    I heard from Johan Arwidmark that making a capture in a temp domain was no problem,
    so I made a wim file on another domain.

    1. Rens Hollanders

      Hi Rob,

      Just to be clear, you have WSUS accessible through HTTP and you are in a different domain. You can incorporate WSUS from the other domain into your deployment if you resolve it by IP address, or adopt the DNS suffix of that domain into your existing deployment. With registry settings on the client you can then connect to the WSUS server and have your machine added to the desired target group. No domain GPOs needed.

      And yes you can make images in a different domain, as long as those images haven’t joined that domain.

      Cheers! Rens
