SCCM 2007 managing hosts in non trusted forest

We have this setup for managing machines (mainly virtuals) in our development environment from our live environment's SCCM infrastructure. These are totally separate forests with a fairly stringent firewall between them. We mainly only use it for OS/app patching via SCCM Software Updates, and limited hardware/software inventory reporting.

Once we'd opened up the required ports in the firewall between the environments, all we needed was to use the correct command line when installing the SCCM client on the dev machines, we use this command line:

\\server\share\ccmsetup.exe /mp:siteserver.fqdn smssitecode=SMS ccmhttpport=50010 smsslp=siteserver.fqdn  FSP=fspservername

Obviously the fallback status point is optional (but highly recommended for troubleshooting, especially if you're currently having problems installing clients), and there's no need to specify the port if you're using the standard port.

We found that installs were failing to connect properly to the site until we properly specified the site code and SLP server in the install string.

Update See this new TechNet article Using ConfigMgr 2007 to Manage Clients in a Workgroup or Un-Trusted Domain

What you want in this case is against Microsoft's published best practices as it breaches administrative boundaries which should end with a within a forest.

But that's doesn't says It can't be done. See here for more information SCCM across UNTRUSTED Forests

And here you will find how to do within the Microsoft best practices. In Microsoft scenario there must be two-way trust between the forests, or an external trust between the site server's domain and the site system domain Configuration Manager in Multiple Active Directory Forests