I was unable to determine the exact firewall rules required to setup access for clients in another forest while working on a project and this post was born.

For this example we will use two forests with the following configuration:-

  • Forest / Domain lab.local which contains the SCCM site systems you want to use.
  • Forest / Domain dev.local which contains the clients you wish to leverage the SCCM server in lab.local.
  • dev.local trusts lab.local (one way trust between the domain hosting the sites systems required and the domain with the clients)
  • You need to ensure that ports 389 (LDAP) and 636 (LDAPS) is enabled through the firewall between the SCCM Primary Site Server in lab.local and the target domain controllers in dev.local.

Note: This procedure does not go through the steps required to setup the trust relationship for that follow this link

1) Ensure that you copy the extadsch.exe file from the SCCM 2012 R2 DVD to one of the domain controllers in the target domain (dev.local example) and execute this as a member of the Schema Administrators group.

Schema - A Schema - B

2) Within the target domain add the System Management container and grant the Primary Site Server full control over the System Management container and all descendent objects.


3) From within the SCCM Console add the target forest and enable publishing.

Forest.A Forest.B

4) You can now monitor the Hierarchy logs and components to ensure the publishing has worked as expected.

hman hman-b

5) I was specifically looking to validate the minimal ports that were required to complete this task as per the trace below. Only port 389 OR 636 were required for this task.