Consider the following scenario:
- There are multiple Management Points in a System Center 2012 Configuration Manager site.
- Some Management Points reside in an untrusted forest.
- There is a firewall between the Management Points in the untrusted forest and the intranet.
When clients boot from PXE, the Distribution Point contacts Management Points to query client and deployment information. The Distribution Point does not differentiate between local Management Points and those in an untrusted forest; it merely selects Management Points in alphabetical order. If the Management Point in the untrusted forest is the first in the list alphabetically, and there is a firewall between the Distribution Point and the Management Point, the client PXE boot may fail.
The process by which the Distribution Point contacts Management Points is by design. The Distribution Manager component queries the database to get the Management Point list and writes the list to the registry at HKLM\Software\Microsoft\SMS\DP\ManagementPoints. The Management Points in the registry are ordered alphabetically and separated by an asterisk (*).
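To see the contact order on a given Distribution Point and check whether the first entry is blocked, the following added PowerShell example (not part of the original article or of Configuration Manager) reads the list, splits it on the asterisk, and tests a TCP connection to each Management Point in order. It assumes the list is the string value ManagementPoints under HKLM\Software\Microsoft\SMS\DP, that each entry is a host name, and that the Management Points listen on port 80; the function names are hypothetical.

```powershell
# Added diagnostic example; run on the PXE-enabled Distribution Point.
# Assumption: the list is the string value "ManagementPoints" under the DP key.
$dpKey     = 'HKLM:\Software\Microsoft\SMS\DP'
$mpPort    = 80      # Assumption: MPs listen on HTTP; use 443 for HTTPS sites
$timeoutMs = 3000

function Split-MPList {
    param([string]$Raw)
    # Entries are separated by an asterisk; drop empties left by a trailing '*'.
    $Raw -split '\*' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # A firewall that silently drops packets shows up as a timeout here.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false   # name resolution failure or connection refused
    } finally {
        $client.Close()
    }
}

$raw = (Get-ItemProperty -Path $dpKey -Name ManagementPoints -ErrorAction Stop).ManagementPoints
$order = 0
$results = foreach ($mp in Split-MPList $raw) {
    $order++
    New-Object psobject -Property @{
        Order           = $order
        ManagementPoint = $mp
        Reachable       = Test-TcpPort $mp $mpPort $timeoutMs
    }
}
$results | Select-Object Order, ManagementPoint, Reachable | Format-Table -AutoSize

# The first entry is the one whose reachability matters for this failure mode.
$first = $results | Select-Object -First 1
if ($first -and -not $first.Reachable) {
    Write-Warning "First MP in the list ($($first.ManagementPoint)) is unreachable on port $mpPort; PXE boot may fail."
}
```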
To alter the order in which Management Points are contacted, rename the Management Point in the untrusted forest so it's not first in the list alphabetically. To do so, remove the role, rename the server, then re-enable the Management Point role on the newly named server.
for other considerations.