Domain Upgrade & Cross Forest Trusts

Hi,
I manage a single Windows 2003 forest with a single domain (AD level Windows 2003 R2). I'm preparing to upgrade the domain to Windows 2008 R2, but before I do I'm hoping someone can advise if this will impact a number of cross-forest trusts I have with related organisations.
The trusts are a mix of one-way and two-way non-transitive domain-level trusts.
My query is: will I need to recreate these trusts after an "adprep /forestprep" or "adprep /domainprep"? (Getting resources on the opposing side lined up to create/recreate trusts is a big job, so I'm hoping the impact will be zero.)
Thanks in advance
Paul

> if this will impact on a number of cross forest trusts
No, it will not.
Martin
Ever read a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Similar Messages

  • Active Directory cross forest trust which are deployed in separate subscription

    Hi All,
    I know that this is not the Azure forum, but I have a question related to Active Directory. I appreciate your understanding and would like to hear your concerns about an AD cross-forest trust between two subscriptions of Azure.
    We have two separate subscriptions of Windows Azure under one global account. Previously these two subscriptions were treated as separate companies, each with its own forest and domain. The two companies do not have any site-to-site VPN with each other over the WAN, but each has a site-to-site connection with Azure for its own subscription.
    Additional domain controllers for both subscriptions are deployed in Azure in order to authenticate the servers that are already deployed in Azure.
    For various reasons these companies are merging, and they want to have a cross-forest trust between the two companies. As we do not have any WAN connection between the two companies, the question has been raised whether we can create a cross-forest trust between the two Active Directories, given that both companies' Active Directories are deployed in Azure.
    Can we achieve this, and how? I know that we can expose servers in Azure over the internet by creating endpoints and allowing an ACL in order to accept connections from specific public IPs.
    My question is: can we achieve this, and is it supported by Microsoft? If yes, is there anything we have to consider before deploying it?
    Thanks
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    No, I am not using Windows Azure Active Directory at all; I have deployed additional domain controllers from each forest in each subscription.
    For example, in subscription 1 we have an additional domain controller of forest 1, and in subscription 2 we have an additional domain controller of forest 2.
    Thanks

  • Where to create cross-forest trust

    I need to create a cross-forest trust between DSfW and MS AD. I'm following the documentation at http://www.novell.com/documentation/...n.html#bfb58i5 but I got confused... Do I need to perform these steps on a workstation belonging to DSfW domain or AD domain? The text seems to indicate that these steps need to be done on DSfW domain, but the pictures seem to show AD domain.

    OK, confusion cleared. I created the trust on DSfW side, everything went smoothly. We can consider this thread closed.

  • ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

    We are running Cisco ISE 1.2. We have a new AD domain with a forest trust relation between the new and the old domain; authentication with the new domain fails.
    Are there any requirements or configuration changes that need to be made to make it succeed?

    Use the license that is currently on your ISE. If your account has access to download the software, then you are good. The license will not change during the upgrade. If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus/Apex licensing model.
    If you are not yet on Patch 8, then you are using Base/Advanced and these will be converted during the upgrade.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Migrating from 2003 domain/forest level to 2008 R2 with all DCs at 2008 R2 and two other domains with external and forest trusts

    Is there anything that needs to be done or considered when migrating from 2003 domain/forest level to 2008 R2 with all DCs at 2008 R2, with two other separate 2003 domains with incoming and outgoing trusts, one a forest trust and the other an external trust? Is there any chance or risk that doing this upgrade will break either of these trust relationships? Some of the user accounts with SID history have been migrated from both trusted domains to our domain. Any chance that this upgrade will break these relationships for users that are using SID history for access to folders and files in their old domains? If so, what can be done to protect these trusts and SID history prior to moving the domain to 2008 R2?

    Hi,
    Based on my knowledge, the upgrade of the functional level does not affect the trust relationship.
    Besides, before you upgrade the functional level, verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level.
    Once the functional level has been upgraded, new DCs running on down-level versions of Windows Server cannot be added to the domain or forest.
    For more information about functional levels, we can refer to the following links:
    Understanding Active Directory Domain Services (AD DS) Functional Levels
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
    What is the Impact of Upgrading the Domain or Forest Functional Level?
    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
    Best Regards,
    Erin
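    Paul's question at the top of the page and this post ask the same thing: whether existing trusts survive adprep and a functional-level raise. Erin's answer says they do, and the practical way to confirm it is to inventory and verify the trusts before the change and diff them afterwards. The script below is an added example, not from either thread; it assumes RSAT's ActiveDirectory module, netdom.exe and PowerShell 3.0 or later on the machine it runs from, and it reads the trustedDomain objects directly so it does not depend on newer trust cmdlets.

```powershell
# Added example (not from the thread): inventory the local domain's trusts,
# snapshot them to CSV before adprep / the functional-level raise, and diff and
# verify them afterwards. Assumes RSAT's ActiveDirectory module and netdom.exe.
Import-Module ActiveDirectory

# Bit flags of the trustAttributes attribute on trustedDomain objects (MS-ADTS)
$TrustAttr = @{
    1  = 'NON_TRANSITIVE'
    2  = 'UPLEVEL_ONLY'
    4  = 'QUARANTINED_DOMAIN'    # SID filtering enforced on the trust
    8  = 'FOREST_TRANSITIVE'
    16 = 'CROSS_ORGANIZATION'    # selective authentication
    32 = 'WITHIN_FOREST'
    64 = 'TREAT_AS_EXTERNAL'
}
$TrustDir = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-TrustInventory {
    # Read the trustedDomain objects under CN=System of the local domain
    $props = 'flatName','trustPartner','trustDirection','trustAttributes'
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                 -SearchBase (Get-ADDomain).SystemsContainer -Properties $props |
      ForEach-Object {
        $bits  = [int]$_.trustAttributes
        $names = $TrustAttr.Keys | Where-Object { $bits -band $_ } |
                 ForEach-Object { $TrustAttr[$_] } | Sort-Object
        [pscustomobject]@{
            Partner    = $_.trustPartner
            NetBIOS    = $_.flatName
            Direction  = $TrustDir[[int]$_.trustDirection]
            Attributes = ($names -join ',')
        }
      }
}

function Test-TrustChannels {
    # netdom can only verify trusts where this domain is the trusting side,
    # so inbound-only trusts have to be verified from the partner's side.
    $local = (Get-ADDomain).DNSRoot
    foreach ($t in (Get-TrustInventory | Where-Object { $_.Direction -ne 'Inbound' })) {
        $out = & netdom trust $local "/domain:$($t.Partner)" /verify 2>&1
        [pscustomobject]@{
            Partner  = $t.Partner
            Verified = ($LASTEXITCODE -eq 0)
            Detail   = ($out | Select-Object -Last 1)
        }
    }
}

# First run (before the upgrade) writes the baseline; later runs compare against it.
$baseline = 'C:\Temp\trusts-before.csv'
if (-not (Test-Path $baseline)) {
    Get-TrustInventory | Export-Csv $baseline -NoTypeInformation
    "Baseline written to $baseline"
} else {
    $before = Import-Csv $baseline
    $after  = Get-TrustInventory
    $diff = Compare-Object $before $after -Property Partner,Direction,Attributes
    if ($diff) { $diff | Format-Table -AutoSize } else { 'No trust changes since baseline' }
    Test-TrustChannels | Format-Table -AutoSize
}
```

    Run it once before adprep to write the baseline, then again after the schema and functional-level changes; any row in the Compare-Object output or a Verified value of False points at a trust that needs attention.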

  • Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

    I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest from our offices. Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2. We have set up two-way forest trusts with our office domains using selective authentication. We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain. On the Server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain. However, after installing a 2012 R2 domain controller in an office domain, we cannot use the 2012 domain controller to browse to the objects in the licensing domain. It never asks for credentials for the licensing domain when we specify the objects we want to add from the licensing domain. It simply states that the object cannot be found. When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that is logged on, and this is failing since this user has no rights in the licensing domain. I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has. Can somebody tell me why this is happening and how to correct it?

    Hi,
    Based on my research, this is a known issue in Windows Server 2012 R2.
    According to the article below: “The Selective Authentication feature of selective trusts is not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.
    Release Notes: Important Issues in Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn387077.aspx
    Best Regards,
    Amy Wang

  • WS2012r2 - Cross-forest trust - Can add groups to user but when I open it again, groups are not listed

    Hello Everyone,
    I hope you can help me resolve this issue, I'm missing something but I don't know what.
    I have 2 WS2012R2 domain controllers, each one with its own forest (let's call them A.com and B.com).
    I have a validated 2 way external trust relationship between those domains.
    I've added the domain admin "B\Administrator" to the DL group "A\Administrators", so I have permissions to modify everything on A.com
    From "Active Directory Users and Computers" on B.com, I can see all users and "Domain Local" groups of A.com
    From "Active Directory Users and Computers" on A.com, I can see all users and "Domain Local" groups of B.com
    What I need: Add users from B.com to DL groups in A.com using the "B\Administrator" account
    The problem: I'm able to open a user from B.com, add a DL group from A.com, click Apply, then OK.
    But if I open the user again and go to the "Member of" tab, the group is no longer listed there.
    If I go to the A.com domain and open the DL group membership tab, I can see the user from B.com listed there.
    So there's something wrong, because even if the user is listed in the group in A.com, it's not assigning the right permissions when trying to access the resources that group grants access to.
    Any ideas what I did wrong or forgot to do?
    Thanks!

    Hi,
    Have you tried to force replication or a refresh and then check the membership? Please verify DNS is well configured and that there is a GC on both sides of the two forests.
    In addition, please take a look at the below link:
    Understanding the Global Catalog
    Hope that may help
    Best regards
    Michael
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Cross-forest trust

    Our network is mainly based on eDirectory, but we also have DSfW set up for some services that need Active Directory. Now we are taking over IT management of another organization which is purely based on MS Active Directory. My boss asked me if we can set up trust between our DSfW domain and their AD domain. Having read the DSfW manual, I can answer that. What I cannot quite answer is, what benefits do we actually get from this trust. As I understand from the manual, this gives our DSfW users access to resources in "their" AD, but "their" users cannot access resources in our DSfW domain. Does this "access" also enable "our" admins to manage users and computers in "their" AD (join computers to domain, create domain users etc)?

    Originally Posted by vatson
    As I understand from the manual, this gives our DSfW users access to resources in "their" AD, but "their" users cannot access resources in our DSfW domain. Does this "access" also enable "our" admins to manage users and computers in "their" AD (join computers to domain, create domain users etc)?
    That's correct about the access only going one way (DSfW users to AD, but not the other way around).
    Yes, with a but: the access enables admins on the DSfW side to administer users in AD, assuming those admin rights have been granted to the DSfW admins on the AD side. The but is (an obvious one, but one to mention anyway) that it will require the workstations of those admins to be joined to one of the domains and have them logged in with their DSfW account.
    Cheers,
    Willem

  • AD authentication for domain in another forest- XI R2

    Situation:
    - Windows 2003
    - BOXI R2 (tomcat)
    - 2 domains (in different forest)
    - trust between the two domains
    We have successfully installed the AD authentication plugin for domain1.
    To work around this for domain2, we've added users from domain2 to a group in domain1, but these users are not shown inside the CMC when we import the AD group.
    Can we use the LDAP plugin for domain2? What should be the procedure?
    I found a similar question on this forum from one month ago, where they were talking about BO3 SP1, which will support multiple forests. But that is not really a solution that could help me out now.
    Please advise
    Thanks in advance!
    Quinten

    In XI R2 we cannot map in groups that contain users from two different forests. To work around this we could use LDAP to AD, but there are a few limitations.
    If you want to upgrade, the version that should contain this will hopefully be out by the end of this month: XI 3.1 or XI 3.0 integrated SP1.
    There should be some notes on using LDAP to AD in the SMP, and it is also documented in the [XI 3.0 Admin Guide|http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf]
    Regards,
    Tim

  • Cross-forest user administration

    I have created a cross-forest trust between DSfW domain and MSAD domain. In both domains, I have added one user (call him CrossAdmin) as member of Builtin\Administrators group.
    I can log in to the DSfW domain as CrossAdmin and successfully administer users in the MSAD domain using "Active Directory Users and Computers". But the reverse doesn't work. If I log in to the MSAD domain as CrossAdmin and in "Active Directory Users and Computers" try to switch to the DSfW domain, I get an error message:
    "The domain dsfwdomain.oursite could not be found because: Access is denied".
    At the same time, the following is logged to /var/log/messages on the DSfW server:
    krb5kdc: [KDC] Regenerating authorization data for cross-realm client [email protected]
    krb5kdc: [KDC] Failed to locate PAC principal data buffer
    krb5kdc: [KDC] PAC lacks principal name authenticator
    krb5kdc: [KDC] Ticket for client [email protected] is not bound to PAC
    Is this a restriction by design, or can it be made to work somehow?


  • Internal CA - Cross Forest Enrollment

    Hi,
    I'm trying to get cross-forest certificate enrollment working. My resource forest is built on Server 2012 R2, and my accounts forest is built on Server 2008 R2.
    I have a simple setup with an offline root CA and an enterprise subordinate CA.
    I have followed the steps in this article: https://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx
    While it seems to be mostly working, I'm getting many failed requests on the enterprise CA. Each domain controller in the accounts forest is trying to enroll a certificate every 8 hours, with the error:
    The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422 CERTSRV_E_TEMPLATE_DENIED)
    If I right-click the failure and try to issue it, the error changes to:
    Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. 0x80070547 (WIN32: 1351 ERROR_CANT_ACCESS_DOMAIN_INFO)
    The domain controller gets errors 13 and 6 in the event log.
    I have noticed that error 13 in the event log refers to the NT AUTHORITY\SYSTEM account (the SID is listed in the details tab).
    Are there special permissions I need to apply to get this working? Any ideas on what I need to do?
    Sorry, I do not have a great deal of experience in Certificate Services yet.
    Thank you for your help

    In a cross-forest enrollment issue, there are a few possibilities on what you have missed in your configuration.
    1) As Amy stated, did you configure permissions on the certificate template to include global/universal groups from the remote forest (and assign the group at minimum Read and Enroll permissions)?
    2) Did you enable LDAP referrals on the issuing CA so that Kerberos will allow authentication of a security principal from the remote forest?
    3) Did you replicate the certificate templates, OIDs, and Enrollment Services containers fully (and successfully) from the CA forest to the remote forest?
    4) Did you validate that a two-way, bidirectional, cross-forest trust exists between the two forests?
    Brian
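    Brian's four items can be checked from the issuing CA rather than by inspection. The script below is an added example, not from the thread or from Microsoft's article; it assumes the ActiveDirectory module, certutil.exe, PowerShell 3.0 or later, and that the placeholder $AccountForest is replaced with the account forest's DNS name. The Certificate-Enrollment right GUID and the EDITF_ENABLELDAPREFERRALS flag are the standard ones; the template name 'DomainController' is only a sample.

```powershell
# Added example (not from the thread): check the four cross-forest enrollment
# prerequisites from the issuing CA in the resource (CA) forest.
# Assumes ActiveDirectory module, certutil.exe and PowerShell 3.0+.
Import-Module ActiveDirectory
$AccountForest = 'accounts.example'   # placeholder: DNS name of the account forest
$CaCfg   = (Get-ADRootDSE).configurationNamingContext
$PkiBase = 'CN=Public Key Services,CN=Services'

function Test-TwoWayForestTrust {
    # 4) trustDirection 3 = bidirectional; trustAttributes bit 8 = forest trust
    $t = Get-ADObject -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$AccountForest))" `
                      -SearchBase (Get-ADDomain).SystemsContainer -Properties trustDirection,trustAttributes
    [bool]($t -and [int]$t.trustDirection -eq 3 -and ([int]$t.trustAttributes -band 8))
}

function Test-LdapReferralsEnabled {
    # 2) the CA must have EDITF_ENABLELDAPREFERRALS set in Policy\EditFlags;
    #    certutil prints the flag name only when the bit is set
    $out = & certutil -getreg policy\EditFlags 2>&1
    [bool]($out -match 'EDITF_ENABLELDAPREFERRALS')
}

function Compare-PkiContainers {
    # 3) templates, OIDs and Enrollment Services objects must exist in both
    #    configuration NCs; list what the account forest is still missing
    $remoteCfg = (Get-ADRootDSE -Server $AccountForest).configurationNamingContext
    foreach ($c in 'Certificate Templates','OID','Enrollment Services') {
        $here  = @(Get-ADObject -LDAPFilter '(objectClass=*)' -SearchScope OneLevel `
                     -SearchBase "CN=$c,$PkiBase,$CaCfg" | ForEach-Object { $_.Name })
        $there = @(Get-ADObject -LDAPFilter '(objectClass=*)' -SearchScope OneLevel `
                     -SearchBase "CN=$c,$PkiBase,$remoteCfg" -Server $AccountForest | ForEach-Object { $_.Name })
        $missing = @($here | Where-Object { $there -notcontains $_ })
        [pscustomobject]@{
            Container       = $c
            InCaForest      = $here.Count
            InAccountForest = $there.Count
            MissingRemotely = ($missing -join ',')
        }
    }
}

function Get-TemplateEnrollGrants {
    # 1) list who holds the Enroll right on a template and flag identities that
    #    come from outside the CA forest (the account forest's DCs need one)
    param([Parameter(Mandatory)][string]$Template)
    $enrollRight  = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
    $localNetbios = (Get-ADDomain).NetBIOSName
    $acl = Get-Acl -Path "AD:\CN=$Template,CN=Certificate Templates,$PkiBase,$CaCfg"
    $acl.Access |
      Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
      ForEach-Object {
        $id = $_.IdentityReference.Value
        [pscustomobject]@{
            Identity         = $id
            FromRemoteForest = ($id -notmatch "^($localNetbios|BUILTIN|NT AUTHORITY)\\")
        }
      }
}

# Run on the issuing CA
"Two-way forest trust with ${AccountForest}: $(Test-TwoWayForestTrust)"
"LDAP referrals enabled on the CA: $(Test-LdapReferralsEnabled)"
Compare-PkiContainers | Format-Table -AutoSize
Get-TemplateEnrollGrants -Template 'DomainController' | Format-Table -AutoSize
```

    A template whose Enroll grants are all local (no FromRemoteForest = True row) is exactly the condition that produces CERTSRV_E_TEMPLATE_DENIED for requests from the other forest.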

  • Integration of ACS with two different Domain in different forest

    Hi
    We have two Domain Controllers in two different forests. One forest is X.IN and other is Y. In X.IN forest we have a tree called PPP.IN.
    Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
    Thanks
    Ritesh

    It is possible in ACS 4.2 to do machine and user authentication over cross forest trusts. See Resolved Caveats here:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    HTH
    Jeremy

  • SCCM 2012 CU2 OSD forest trust: ReleaseRequest failed with error code 0x87d00317

    Hello,
    I have a difficult problem with my SCCM 2012 R2 CU2 Windows 7 x64 SP1 task sequence:
    I get the following error in smsts.log:
    ::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    RegQueryValueExW is unsuccessful for Software\Microsoft\SMS\Task Sequence, SMSTSEndProgram TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    End program:  TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Finalize logging request ignored from process 1736 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Waiting for CcmExec service to be fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CcmExec service is up and fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle will be read from _SMSTSActiveRequestHandle TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle: {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Attempting to release request using {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CoCreateInstance succeeded TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    ReleaseRequest failed with error code 0x87d00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Here is the complete smsts.log: http://1drv.ms/1pwTEBf
    To explain the problem in detail:
    The SCCM primary site server and the clients are in different trusted (bidirectional) forests!
    Everything is working fine in this scenario: I can install the SCCM agent on the clients with manual ccmsetup and with client push installation. Additionally I can deploy software updates and so on... only OSD is crashing in the ReleaseRequest step.
    During my task sequence new clients are joined to Domain A, while the SCCM primary site server is installed in Domain B.
    If I change my TS and let the clients also join Domain B, everything works without any problems and the task sequence finishes without any errors.
    My problem must be related to the different domains and the forest trust.
    My setup:
    MP published to DNS in both domains
    Schema extended in both domains
    System Management container published and verified in both domains
    ccmsetup parameters in TS: ccmsetup SMSMP=sccm.domain.b FSP=sccm.domain.b DNSSUFFIX=Domain.b
    Network Access Account configured with a Domain B account
    Domain join account has Create Computer rights on the OU in Domain A (domain join is successful)
    DNS conditional forwarders configured in both domains and DNS resolution is working in both directions
    Any suggestions?
    Many thanks.
    regards,
    Christian

    Hi Christian,
    So do you actually get an error message in your TS, or is it just failing to join Domain B? (Could be both if the machine fails to join the domain.)
    Can you review netsetup.log on the machines after the issue and see what error message you might be getting during the domain join process?
    Also, if it is a domain join issue, can you try manually joining Domain B using the same service account?

  • Monitoring across forests and domains that aren't trusted

    Hello,
    I am completely new to the SCOM product... and before I get too involved in setting up and configuring my test lab to evaluate it, I'd like to ask a question.
    I have 5 domains, all in separate forests, in a data centre.
    Domain 1 is a management rack where Nagios lives, my backup server lives, hopefully SCOM will live, and a few other management servers.
    Domain 2 belongs to one client on its own network, with routers/switches/firewall.
    Domain 3 to another client: own network range, routers, firewall, switches.
    And so on, each domain and rack replicating the above setup.
    I have been advised by senior management that I cannot allow trust or forest relationships between any of them.
    However, to get my other monitoring solutions working I have been allowed to open limited ports between each domain's networks and firewalls to allow communication between the management rack and the client racks.
    I want to implement SCOM in Management Rack 1 and have it monitor all of the servers/network devices in the other 4 domains and forests via the agents, and have it report and function just like it would in a single domain/forest setup.
    Is this possible without having the domains and forests trusted?
    Many Thanks

    Hi,
    I would suggest you install a SCOM 2012 R2 Gateway Server in domains 2, 3, 4 and 5.
    About Gateway Servers in Operations Manager
    http://technet.microsoft.com/en-us/library/hh212823.aspx
    Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server
    http://www.toolzz.com/?p=281
    Gateway Server:-Install for another untrusted domain
    http://scompanion.wordpress.com/2012/10/18/gateway-server-install-for-another-untrusted-domain/

  • Kerberos authentication setup for MSCRM in a cross-forest one-way trust environment

    Dear All,
    Kindly help related to implement Kerberos authentication on CRM application with multiple Forest environment. My environment details are as below:
    Number of forests: 2
    1. First is with name of domain1.local
    2. Second is with name of domain2.local
    Trust Level: One Way trust from domain1 and domain2.
    CRM Farm Details:
    1.  1 CRM(APP + WEB)Server (CRMAPP-01.domain1.local)
    2.  1 SQL Server (CRMSQL-01.domain1.local)
    3. 1 CRM SSRS Server (CRMSSRS-01.domain.local)
    4. CRM site url: http://mscrminternal.domain.local/MSORG1
    *I have successfully configured Kerberos authentication and everything is working fine when accessed by users of domain1.
    But when I try to access it for users of domain2, I get the following error:
    HTTP Error 401 - Unauthorized: Access denied.
    *If I switch to NTLM, I can access the CRM site for domain2 and domain1 users without any issue.
    I read an MS article saying Kerberos delegation can be established if a one-way forest trust is present.
    Please help me to understand if Kerberos is possible to set up over a cross-forest one-way trust.
    Regards
    Gyan
    GYAN SHUKLA

    Hi Gyan,
    I assume that you have solved this issue by synchronizing time between Domain Controllers, right?
    Then your last reply should be marked as answer.
    If this issue still persists, please feel free to let us know.
    Best Regards,
    Amy 
