Exchange Autodiscover in a domain trust environment

I am preparing an Exchange and AD migration / merge between two AD Domains and Exchange Orgs due to a recent merger / acquisition of another company. I am in the middle of an Exchange 2007 to Exchange 2013 migration which may complicate things:
Let me give you some background:
Domain A - "My Company" - Where all the mailboxes and AD accounts will eventually reside. We are mostly Exchange 2007 SP3 UR13, but we have Exchange 2013 SP1 set up, and are migrating accounts to 2013 as we speak. Domain is 2003 Native Mode.
Domain B - "The other company" - Where all the "other" mailboxes and AD accounts currently are. They are Exchange 2010 SP3 UR5. Domain is 2003 Native Mode.
I currently have a two-way transitive trust set up between Domain A and Domain B. The trust is working; users from either domain can log onto PCs on the other domain without issue. DNS resolution is fully functional between domains. Mapped drives happen, group policy runs, everything is good, except Outlook.
However, when users from either domain try to log into Exchange from a PC on the opposite domain, they get an error which says "The connection to Microsoft Exchange is Unavailable. Outlook must be online or connected to complete this action". It appears autodiscover is not allowing connection to the other domain. I can resolve autodiscover.DomainA.com from a DomainB.com computer, and vice versa.
So the question is, do I have to do something inside of Autodiscover for it to resolve or forward autodiscover requests from one domain to another? I would say I am fairly competent at Exchange, but this is something I am unfamiliar with.

Ok, that worked fine. I had to deploy the root CERT for domain B through Group Policy and everything is working.
Only one further question, not really related to the above, but sort of. As I explained, "Domain B" is a company we acquired and have maintained for the past 6 months. Their Domain and Exchange were a mess, but we fixed pretty much all their issues. Some of the stuff, I have no idea how it was even working. When we first took them over, they were still on Exchange 2010 RTM with no Update Rollups, their certificates had expired, and an Exchange 2003 server was still in the mix, hosting public folders and acting as the outbound mail relay. An absolute mess. We brought them up to SP3 and the current update rollup, properly removed Exchange 2003, and migrated public folders. Two of their 4 DCs were in Journal Wrap, probably for months. But everything is fully working and patched.
One oddity that I have observed, but have been hesitant to mess with, is a DNS issue. They have no autodiscover A record in DNS. What they have instead is what looks like a zone inside their primary forward zone. It's not a record; the icon looks like a folder with a piece of paper on it, a different color than the other zones, kind of a pale tan. Anyway, inside this "autodiscover" zone is a single NS record (not an A record, an NS record), pointing to one of the DCs.
What I had planned to do is just delete whatever this is and create an A record pointing to the primary CAS array's VIP IP. But I thought I would ask before I did this.
I have no idea about some of the half-baked stuff that went on in this environment before I took over... but what is weird is that everything is working, at least from within their domain.

Similar Messages

  • Exchange AutoDiscover not working correctly in 2010/2013 environment

    Here's my setup:
    Mixed environment transitioning:
    Exchange 2010 running on Server 2008 in a VM
    Exchange 2013 running on Server 2012 in a VM
    I have split DNS so that autodiscover.domain.com points to my 2013 server internally and my 2010 server externally. When setting up new profiles in Outlook internally, autodiscover seems to work fine. However, when I try moving the public autodiscover.domain.com DNS record over to the 2013, things stop working (like auto profile setup).
    I know that the 2013 server is reachable from the outside because mail.domain.com will go to OWA and ECP without a problem. I can log in to both without an issue.
    If I point public DNS back to my 2010 server, then all is well again with outlook anywhere and mobile connectivity.
    I'm not really sure what needs to be tweaked for the 2013 server to be ready to take over the day to day communications so that I can decommission my 2010 server.
    Here are the results of the connectivity analyzer:
    The Microsoft Connectivity Analyzer is attempting to test Autodiscover for me.
    Testing Autodiscover failed.
    Additional Details
    Elapsed Time: 1774 ms.
    Test Steps
    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service couldn't be contacted successfully by any method.
    Additional Details
    Elapsed Time: 1773 ms.
    Test Steps
    Attempting to test potential Autodiscover URL https://domain.com:443/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
    Additional Details
    Elapsed Time: 489 ms.
    Test Steps
    Attempting to resolve the host name domain.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 98.129.228.152
    Elapsed Time: 165 ms.
    Testing TCP port 443 on host domain.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 97 ms.
    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
    Additional Details
    Elapsed Time: 225 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server domain.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=www.domain.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)09, OU=2150198723, O=www.domain.com, C=US, Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US.
    Elapsed Time: 170 ms.
    Validating the certificate name.
    Certificate name validation failed.
    Tell me more about this issue and how to resolve it
    Additional Details
    Host name domain.com doesn't match any name found on the server certificate CN=www.domain.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)09, OU=2150198723, O=www.domain.com, C=US.
    Elapsed Time: 1 ms.
    Attempting to test potential Autodiscover URL https://autodiscover.domain.com:443/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
    Additional Details
    Elapsed Time: 1009 ms.
    Test Steps
    Attempting to resolve the host name autodiscover.domain.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: x.x.x.x
    Elapsed Time: 70 ms.
    Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 189 ms.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 300 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=mail.domain.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB.
    Elapsed Time: 220 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 1 ms.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.domain.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    A total of 1 chains were built. The highest quality chain ends in root certificate CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE.
    Elapsed Time: 34 ms.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 5 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 5/19/2014 12:00:00 AM, NotAfter = 5/18/2016 11:59:59 PM
    Elapsed Time: 0 ms.
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
    Additional Details
    Accept/Require Client Certificates isn't configured.
    Elapsed Time: 276 ms.
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    Additional Details
    Elapsed Time: 172 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com:443/Autodiscover/Autodiscover.xml for user [email protected].
    The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
    Additional Details
    A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.HTTP Response Headers:
    Connection: close
    Content-Length: 315
    Content-Type: text/html; charset=us-ascii
    Date: Sat, 19 Jul 2014 03:44:42 GMT
    Server: Microsoft-HTTPAPI/2.0
    Elapsed Time: 171 ms.
    Attempting to contact the Autodiscover service using the HTTP redirect method.
    The attempt to contact Autodiscover using the HTTP Redirect method failed.
    Additional Details
    Elapsed Time: 207 ms.
    Test Steps
    Attempting to resolve the host name autodiscover.domain.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: x.x.x.x
    Elapsed Time: 15 ms.
    Testing TCP port 80 on host autodiscover.domain.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 76 ms.
    The Microsoft Connectivity Analyzer is checking the host autodiscover.domain.com for an HTTP redirect to the Autodiscover service.
    The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
    Additional Details
    An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: HTTP Response Headers:
    X-FEServer: SMSE2013
    Content-Length: 0
    Date: Sat, 19 Jul 2014 03:44:42 GMT
    Server: Microsoft-IIS/8.0
    X-Powered-By: ASP.NET
    Elapsed Time: 115 ms.
    Attempting to contact the Autodiscover service using the DNS SRV redirect method.
    The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
    Additional Details
    Elapsed Time: 39 ms.
    Test Steps
    Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
    The Autodiscover SRV record wasn't found in DNS.
    Tell me more about this issue and how to resolve it
    Additional Details
    Elapsed Time: 39 ms.
    Checking if there is an autodiscover CNAME record in DNS for your domain 'domain.com' for Office 365.
    Failed to validate autodiscover CNAME record in DNS. If your mailbox isn't in Office 365, you can ignore this warning.
    Tell me more about this issue and how to resolve it
    Additional Details
    There is no Autodiscover CNAME record for your domain 'domain.com'.
    Elapsed Time: 28 ms.
    I just double checked my SSL cert and it has the three typical entries:
    DNS Name=mail.domain.com
    DNS Name=AutoDiscover.domain.com
    DNS Name=domain.com
    I have assembled the output for the following commands
    HERE
    Get-OutlookProvider | fl
    Get-OutlookAnywhere | fl
    Get-ActiveSyncVirtualDirectory | fl
    Get-AutodiscoverVirtualDirectory | fl
    Get-EcpVirtualDirectory | fl
    Get-OabVirtualDirectory | fl
    Get-OwaVirtualDirectory | fl
    Get-PowerShellVirtualDirectory | fl
    Get-WebServicesVirtualDirectory | fl
    I have gone through the Exchange Server Deployment Assistant. Almost everything was as it should have been. I made some changes in the "Enable and configure Outlook Anywhere" and "Configure service connection point" steps.
    I have switched external DNS over to my 2013 server, and the connectivity test is still failing. It is also not proxying the 2010 mailboxes through 2013 as it should (according to the Deployment Assistant).
    I have a 2010 test account and a 2013 test account. Both work fine in their respective WebMails, but the 2010 mailbox will not pull up through the 2013 WebMail.
    Just for the heck of it, I have checked my SonicWall and it is configured the same for the 2010 host and the 2013 host. I knew that ports 80 and 443 were passing on both hosts anyway because the port 80 redirect works and https webmail works on both hosts.
    If I try to access the xml file directly on both hosts:
    https://mail.domain.com/Autodiscover/Autodiscover.xml (2013)
    https://webmail.domain.com/Autodiscover/Autodiscover.xml (2010)
    I do get an xml response from both of them after authenticating like this:
    <Autodiscover>
      <Response>
        <Error Time="18:17:41.0173284" Id="2526055628">
          <ErrorCode>600</ErrorCode>
          <Message>Invalid Request</Message>
          <DebugData/>
        </Error>
      </Response>
    </Autodiscover>
    Sooo...I'm stuck.

    Update since my last post.
    I have all mailboxes migrated off of 2010 and onto 2013.  I'm ready to turn 2010 off as soon as I can figure out this autodiscover problem and get mail flow going in and out of the 2013 server instead of the 2010 one.
    Brian, I had an HTTP redirect enabled in 2013. I disabled that redirect and checked for any others. There is currently no redirect in place anywhere under the default web site (the root site now goes to an IIS 8 page). AutoDiscover is still failing according to the Exchange Connectivity site.
    When I switch autodiscover.domain.com over to the 2013 server I still get failures:
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    Additional Details
    Elapsed Time: 146 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com:443/Autodiscover/Autodiscover.xml for user [email protected].
    The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
    Additional Details
    A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.HTTP Response Headers:
    Connection: close
    Content-Length: 315
    Content-Type: text/html; charset=us-ascii
    Date: Mon, 11 Aug 2014 16:50:27 GMT
    Server: Microsoft-HTTPAPI/2.0
    Elapsed Time: 145 ms.
    If I try to hit the xml manually, I get the expected 600 error after providing a username and password.  Should IIS be prompting for credentials when hitting the path for AutoDiscover.xml directly?
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response>
        <Error Time="10:53:38.3228589" Id="36607859">
          <ErrorCode>600</ErrorCode>
          <Message>Invalid Request</Message>
          <DebugData/>
        </Error>
      </Response>
    </Autodiscover>
    If I switch autodiscover.domain.com back over to my 2010 server the test passes:
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
    Additional Details
    Elapsed Time: 444 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com:443/Autodiscover/Autodiscover.xml for user [email protected].
    The Autodiscover XML response was successfully retrieved.
    Additional Details
    Autodiscover Account Settings
    XML response:
    <?xml version="1.0"?>
    <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
        <Culture>en:us</Culture>
        <User>
          <DisplayName>Exchange 2013. Test</DisplayName>
          <EMailAddress>[email protected]</EMailAddress>
        </User>
        <Action>
          <Settings>
            <Server>
              <Type>MobileSync</Type>
              <Name>https://mail.domain.com/Microsoft-Server-ActiveSync</Name>
            </Server>
          </Settings>
        </Action>
      </Response>
    </Autodiscover>
    HTTP Response Headers:
    Persistent-Auth: true
    Content-Length: 736
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Date: Mon, 11 Aug 2014 17:08:12 GMT
    Server: Microsoft-IIS/7.5
    X-AspNet-Version: 2.0.50727
    X-Powered-By: ASP.NET
    Elapsed Time: 444 ms.
    One interesting thing to note is that <Url>https://mail.domain.com/Microsoft-Server-ActiveSync</Url> is my 2013 server, not my 2010 server.
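    The probe sequence in the Connectivity Analyzer output above, written out as a small offline model. This is an added example, not code from the original post or from Microsoft: it derives the candidate Autodiscover endpoints for an SMTP address in the order the analyzer tries them (HTTPS on the root domain, HTTPS on the autodiscover host, the HTTP redirect check, the _autodiscover._tcp SRV lookup), then applies the host-name check the "Validating the certificate name" step performs. The certificate names are constructed from the log lines above (the analyzer did not list any SANs for the www.domain.com certificate, so it is modelled as CN-only), and the address user@domain.com is a constructed placeholder. A domain-joined Outlook client queries the Active Directory service connection point before any of these DNS-based steps, which the model does not cover.

```python
"""Offline model of the Autodiscover probe order and certificate-name check.

Added example for this thread (not code from the original post or from the
Microsoft Connectivity Analyzer). Certificate data is constructed from the
log lines in the post; nothing is fetched from the network.
"""


def autodiscover_candidates(smtp_address):
    """Return (method, target) pairs in the order the analyzer walks them:
    HTTPS on the root domain, HTTPS on autodiscover., the HTTP redirect
    check on port 80, then the _autodiscover._tcp SRV lookup."""
    domain = smtp_address.rsplit("@", 1)[1].lower()
    return [
        ("https-root", f"https://{domain}/Autodiscover/Autodiscover.xml"),
        ("https-autodiscover", f"https://autodiscover.{domain}/Autodiscover/Autodiscover.xml"),
        ("http-redirect", f"http://autodiscover.{domain}/Autodiscover/Autodiscover.xml"),
        ("srv", f"_autodiscover._tcp.{domain}"),
    ]


def name_matches(pattern, host):
    """RFC 6125 style comparison: exact match, or a single leftmost '*' label
    that stands for exactly one host label (so *.domain.com matches
    autodiscover.domain.com but not domain.com or a.b.domain.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return ".".join(host.split(".")[1:]) == pattern[2:]
    return False


def validate_certificate_name(host, subject_cn, sans):
    """Mirror the analyzer's 'Validating the certificate name' step.
    When a SAN extension is present only the SANs count; the CN is consulted
    only for a SAN-less certificate. Returns (ok, reason)."""
    if sans:
        if any(name_matches(san, host) for san in sans):
            return True, f"Host name {host} was found in the Subject Alternative Name entry."
    elif name_matches(subject_cn, host):
        return True, f"Host name {host} matches the certificate subject CN={subject_cn}."
    return False, f"Host name {host} doesn't match any name found on the server certificate CN={subject_cn}."


# Constructed from the analyzer output: the root-domain host presented the
# web site's CN-only certificate, the autodiscover host the multi-domain one.
CONSTRUCTED_CERTS = {
    "domain.com": {"cn": "www.domain.com", "sans": []},
    "autodiscover.domain.com": {
        "cn": "mail.domain.com",
        "sans": ["mail.domain.com", "autodiscover.domain.com", "domain.com"],
    },
}


def check_https_candidates(smtp_address, certs=CONSTRUCTED_CERTS):
    """For every HTTPS candidate, report whether the certificate presented
    by that host would pass the name check; hosts without a captured
    certificate are reported as unknown (None) rather than assumed good."""
    results = {}
    for method, target in autodiscover_candidates(smtp_address):
        if not target.startswith("https://"):
            continue
        host = target.split("/")[2]
        cert = certs.get(host)
        if cert is None:
            results[host] = (None, "no certificate captured for this host")
        else:
            results[host] = validate_certificate_name(host, cert["cn"], cert["sans"])
    return results


if __name__ == "__main__":
    # user@domain.com is a constructed placeholder address
    for host, (ok, why) in check_https_candidates("user@domain.com").items():
        print(f"{host}: {'PASS' if ok else 'FAIL'} - {why}")
```

    Run as-is it reports the same two verdicts the analyzer produced: the root-domain candidate fails on the www.domain.com certificate, the autodiscover host passes on its SAN entry. Swapping in your own CN/SAN values shows which hosts a given certificate will satisfy before a client ever sends the POST.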

  • Domain trust for external exchange domain

    Ok so I have inherited two domains, one domain runs Active Directory services that all of the workstations are joined to (domainA), the second domain hosts Exchange (domainB). After signing in on a computer in domainA we have to authenticate Outlook with domainB to get email. The end result I would like is to be able to authenticate with domainA for email but have it load the profile as if it was domainB. I can create a one way trust from domainB to domainA but I'm not sure how to fool Exchange into believing DomainA\user1 is DomainB\user1. I've messed around with Authenticate as permissions on domainB but that doesn't seem to work correctly. I don't want to mess with full access permissions on Exchange as that would cause issues. I haven't had any problems getting the trust functioning correctly, just the windows/exchange user side of things. Does...
    This topic first appeared in the Spiceworks Community

    Hi,
    Which kind of domain trust have you created? Which kind of forest trust do you want to create?
    A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests.
    Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest trust between two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest.
    In other words, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
    In addition, please make sure that the forest function level is Windows Server 2003 or higher before you create a forest trust.
    Best regards,
    Susie

  • Error while installing 2nd exchange 2007 on our domain

    We are installing the 2nd Exchange 2007 on our domain - for the obvious reason of not being able to upgrade the existing version to SP3 RU10 - as the server crashes every time we do an update.
    So we thought we will setup a second new exchange 2007 server with all HT MB & CAS & update it fully and move the mailboxes etc.
    1st Exchange Server: EXCH01
    2nd Exchange Server: EXCH02
    We are doing a fresh install on a fresh vmware machine
    OS: Windows Server Enterprise Service Pack 2
    Exchange 2007 Service Pack 1
    During the hub transport installation part we ran into an error
    Exchange Server component Hub Transport Role failed. 
    Error: Error:
    Property IsProvisionedServer cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0).
    Log Name: Application
    Source: MSExchangeSetup
    Event ID: 1002
    Now I am unable to uninstall the application as well, even while uninstalling the same error is thrown.
    Also, when we open the EMC on 1st exchange server we get an error saying
    "Warning:
    Object PGCMAIL01 has been corrupted and it is in an inconsistent state. The following validation errors have occurred:
    Warning:
    Cannot calculate value of property "AdminDisplayVersion": "SerialNumber property is not present.".

    Hi,
    According to your description, I understand that installing a second Exchange 2007 server failed with the error “Property IsProvisionedServer cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0).”
    If I misunderstand your concern, please do not hesitate to let me know.
    Which Exchange version are you currently using in your environment?
    I want to double-check whether you ran Setup /PrepareAD and Setup /PrepareDomain to complete the prerequisite preparation. More details about Preparing Active Directory for Exchange 2007, for your reference: https://technet.microsoft.com/en-us/library/bb288907(v=exchg.80).aspx. If not, please run them and try again.
    Besides, we can use ADSIEdit to double-check the version and get a more clear-cut error message from the Exchange Setup log.
    Thanks
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Allen Wang
    TechNet Community Support

  • How to force Outlook's Junk email filter to not filter Exchange 2010 SP1 accepted domains?

    Hello,
    I wonder if there really is no way how to reach the result described in the title question. Because
    http://support.microsoft.com/kb/2458522 says:
    This issue occurs because of a functionality change that is introduced in Exchange Server 2010 SP1. In Exchange Server 2010 SP1, domains that are configured as accepted domains are no longer allowed in the junk email lists of a mailbox.
    So please tell us Microsoft how can we force Outlook to accept internal domain as a trusted senders and not apply Junk email filter on it?
    There was already a long discussion about the steps here
    http://social.technet.microsoft.com/Forums/en-US/outlook/thread/15f857c6-0ed4-4004-9d90-cb5d16361752 so please don't offer anything described there.
    Thank you,

    Trying to deal with the Outlook Junk Email Filter is not very easy and has been a pain in the butt.
    The ONLY way to ensure the Outlook 2010 Junk Email filter honors "white listed" emails is to stamp the email with SCL -1. Setting a transport rule will do that but it is not very flexible.
    I was able to resolve these issues by simply enabling the Exchange 2010 Anti-Spam agents on each hub transport server. We have no Edge Server but we use a couple of Ironports at the gateway which provide the bulk of AntiSpam. We didn't think we would need the Exchange AntiSpam so we hadn't initially enabled it. After months of trying to resolve people's complaints of emails from internal systems ending up in Junk, this solution worked for us.
    This is the order in which it was done.
    1. We set the receive connectors for the internal systems for bypassing Anti Spam. We basically have 2 receive connectors, one for internal system with no relay, and one for internal systems who are allowed external relay.
    Get-ReceiveConnector "server\name of the receive connector" | Add-ADPermission -User "NT Authority\Anonymous Logon" -AccessRights ExtendedRight -ExtendedRights ms-exch-bypass-anti-spam
    Note: If you use SMTP Authentication, Exchange will only mark the emails as "Internal" and not assign a SCL of -1. It can only be on anonymous connections.
    Note: We have a separate receive connector for the Ironports delivering external email that will not bypass Anti-Spam. These emails will receive a SCL rating of 0-9
    2. We set the global SCL to 6 (default is 4). You can set it to whatever you want.
    Set-OrganizationConfig -SCLJunkThreshold 6
    So basically, any email tagged with SCL 7-9 will be moved to Junk by Exchange.
    3. Set-ContentFilterConfig -SCLQuarantineEnabled $False -SCLDeleteEnabled $False -SCLRejectEnabled $False
    We don't want delete, reject or quarantine anything on Exchange. Just move email to Junk folder if SCL 7-9 and have user deal with it.
    4. Set the Internal SMTP Servers by adding each Exchange server's IP Address to the Global Transport Settings. I used EMC, Organization Config, Global Settings, Transport Settings properties, Message Delivery tab. Do NOT add any other "internal" servers here, only the Exchange servers.
    5. Then we installed the AS agents on each HT Server.
    Starting with the first server
    Stop MSExchange Transport service
    D:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\install-AntispamAgents.ps1
    After installation, disable all the agents except for the Content Filtering Agent. This agent has to be enabled for Exchange to stamp the email with SCL -1. I used EMC, Organization Config, Hub Transport. You will see a new tab called Anti-Spam. Disable everything except Content Filtering.
    Start MSExchange Transport service.
    Repeat on each HT server. (You won't have to repeat the disabling of the agents as that is a global setting)
    6. You can add global safe senders by doing the following.
    $list = (Get-ContentFilterConfig).BypassedSenders
    $list
    $list.add("[email protected]")
    $list.add("[email protected]")
    Set-ContentFilterConfig -BypassedSenders $list
    The message headers are stamped with
    For emails sent through the Internal connector
    X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
    X-MS-Exchange-Organization-SCL: -1
    OR
    For external emails from a safe sender
    X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender
    X-MS-Exchange-Organization-SCL: -1
    OR
    For all other external emails
    X-MS-Exchange-Organization-SCL: 0
    Good Luck. This has basically stopped all the calls about "legitimate" email in Junk Email folder.
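    To see the header stamps listed above turned into a mailbox-side decision, here is an added example (not code from the original reply or from Exchange) that parses the X-MS-Exchange-Organization-SCL and X-MS-Exchange-Organization-Antispam-Report headers and applies the rules the reply describes: SCL -1 means the message bypassed the content filter and Outlook's junk filter is skipped, an SCL above the organization's SCLJunkThreshold (6 in the reply) lands in Junk E-mail, and anything else stays in the Inbox. The sample messages and sender addresses are constructed; the folded Subject in one sample exercises the header parser.

```python
"""Junk-folder decision from the Exchange anti-spam headers shown above.

Added example (not code from the original poster or from Exchange). It models
the rules the reply describes; the sample messages are constructed.
"""

SCL_JUNK_THRESHOLD = 6  # matches Set-OrganizationConfig -SCLJunkThreshold 6


def parse_headers(raw_message):
    """Parse the header block of a message into a dict keyed by lower-cased
    header name. Folded continuation lines (leading whitespace) are joined
    onto the previous header; the block ends at the first blank line."""
    headers, last = {}, None
    for line in raw_message.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than fail
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def stamped_scl(headers):
    """Integer SCL from X-MS-Exchange-Organization-SCL, or None when the
    header is absent or malformed (a message that never passed through the
    Content Filter agent carries no SCL at all)."""
    value = headers.get("x-ms-exchange-organization-scl")
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def junk_decision(raw_message, threshold=SCL_JUNK_THRESHOLD):
    """Decide what the mailbox server does with the message.
    Returns (folder, reason)."""
    headers = parse_headers(raw_message)
    scl = stamped_scl(headers)
    report = headers.get("x-ms-exchange-organization-antispam-report", "")
    if scl is None:
        return "Inbox", "no SCL stamped; Exchange takes no action and Outlook's own filter decides"
    if scl == -1:
        return "Inbox", f"SCL -1 ({report or 'bypass'}): trusted, Outlook junk filter is skipped"
    if scl > threshold:
        return "Junk E-mail", f"SCL {scl} exceeds SCLJunkThreshold {threshold}"
    return "Inbox", f"SCL {scl} is within SCLJunkThreshold {threshold}"


# Constructed samples mirroring the three header shapes in the reply, plus a
# message above the threshold and one sitting exactly on it.
SAMPLES = {
    "internal": "\n".join([
        "From: monitor@internal.example",
        "X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass",
        "X-MS-Exchange-Organization-SCL: -1",
        "Subject: nightly backup",
        " completed",          # folded continuation line
        "", "body"]),
    "safe-sender": "\n".join([
        "From: alerts@partner.example",
        "X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender",
        "X-MS-Exchange-Organization-SCL: -1",
        "", "body"]),
    "external-clean": "From: a@other.example\nX-MS-Exchange-Organization-SCL: 0\n\nbody",
    "external-borderline": "From: b@other.example\nX-MS-Exchange-Organization-SCL: 6\n\nbody",
    "external-spam": "From: c@other.example\nX-MS-Exchange-Organization-SCL: 8\n\nbody",
    "unstamped": "From: d@other.example\nSubject: no agent in the path\n\nbody",
}


def classify_samples(samples=SAMPLES):
    """Run every sample through junk_decision; returns {name: folder}."""
    return {name: junk_decision(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        folder, reason = junk_decision(raw)
        print(f"{name:20} -> {folder:12} ({reason})")
```

    With the threshold at 6 only SCL 7 to 9 lands in Junk E-mail, which is the "7-9" the reply mentions; lowering the threshold in the call shows how much external mail would move.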

  • Essentials 2012 R2 Exchange Integration with Multiple Domain Controllers

    Attempting to integrate Exchange Server 2012 with the Essentials wizard results in the error message: "This task must be performed on the domain controller." I've found several threads that speculate this is because there are multiple domain controllers in the domain. Is there a workaround or patch available to resolve this issue? Why wouldn't Microsoft want the redundancy of multiple DCs?
    Thanks.

    Hi HartmannTek,
    I agree with Robert.
    We can get the following information from the article Services Integration Overview for Windows Server 2012 R2 Essentials - Part 1; please refer to it:
    Currently, the Services Integration features, including Windows Azure Active Directory integration, Office 365 integration, Windows Intune integration, and on-premises Exchange integration, are only supported in a single domain controller environment. In addition, the integration wizard must be run on a domain controller.
    Hope this helps.
    Best regards,
    Justin Gu

  • Domain Trust and DNS

    Hello,
    We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain. Nearly all works, we can share folder permissions etc., but what we can't do on their domain is add a PC on their network that is part of our domain.
    The error is:
    it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
    If they go to their DNS and look at the secondary forward lookup zone for ukdomain.local it doesn't show a zone called _msdcs under ukdomain.local; instead, outside my zone we have a separate zone called _msdcs.gb.vo.local like this:
    DC1
    ----->Forward Lookup Zones
    -------->_Msdcs.ukdomain.local
    -------->ukdomain.local
    I thought it should look like this:
    DC1
    ----->Forward Lookup Zones
    ------->ukdomain.local
    --------->_Msdcs
    Thanks
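    Both this post (an _msdcs zone that sits beside ukdomain.local instead of inside it) and the main post at the top of the page (an "autodiscover" folder under the primary zone that holds only an NS record) describe delegated sub-zones: a child name whose only record in the parent is an NS set is a delegation, so the parent answers questions about that name with a referral to the listed name server and the real records live in the child zone hosted there. The following is an added example, not code from either poster, that models this in memory and walks three constructed cases for an autodiscover name: the child zone is hosted on the delegated server (resolves), the delegated server does not host the child zone (a lame delegation, the lookup fails), and the delegation is replaced by a plain A record in the parent (resolves from the parent). Zone contents, server names and addresses are constructed; no DNS traffic is sent.

```python
"""In-memory model of DNS delegation versus a plain A record.

Added example for this thread (not code from either poster). Zone contents,
server names and addresses are constructed; nothing is sent on the network.
"""
from dataclasses import dataclass


@dataclass
class Zone:
    origin: str
    records: dict  # owner name -> list of (rrtype, rdata)


def make_parent(delegate_to=None, a_record=None):
    """Build the parent zone. With delegate_to set, 'autodiscover' is a
    delegation (only an NS record in the parent); with a_record set it is an
    ordinary host record in the parent; with neither it does not exist."""
    records = {
        "domainb.example": [("NS", "dc1.domainb.example")],
        "dc1.domainb.example": [("A", "10.0.0.10")],
        "mail.domainb.example": [("A", "10.0.0.20")],
    }
    if delegate_to:
        records["autodiscover.domainb.example"] = [("NS", delegate_to)]
    if a_record:
        records["autodiscover.domainb.example"] = [("A", a_record)]
    return Zone("domainb.example", records)


# The delegated child zone as it would exist on the server the NS points to.
CHILD = Zone("autodiscover.domainb.example", {
    "autodiscover.domainb.example": [("NS", "dc1.domainb.example"), ("A", "10.0.0.30")],
})


def closest_zone(hosted, qname):
    """The hosted zone whose origin is the longest suffix of qname."""
    best = None
    for zone in hosted:
        if qname == zone.origin or qname.endswith("." + zone.origin):
            if best is None or len(zone.origin) > len(best.origin):
                best = zone
    return best


def authoritative_lookup(server, qname, qtype, servers):
    """One server's answer: ('answer', rdatas), ('referral', nameservers),
    ('nodata', []), ('nxdomain', []) or ('refused', []) when the server hosts
    no zone covering qname."""
    zone = closest_zone(servers.get(server, []), qname)
    if zone is None:
        return "refused", []
    labels = qname.split(".")
    for i in range(len(labels)):  # walk up from qname to the zone apex
        cut = ".".join(labels[i:])
        if cut == zone.origin:
            break
        nameservers = [rd for rt, rd in zone.records.get(cut, []) if rt == "NS"]
        if nameservers:  # an NS set below the apex is a delegation point
            return "referral", nameservers
    rdatas = [rd for rt, rd in zone.records.get(qname, []) if rt == qtype]
    if rdatas:
        return "answer", rdatas
    return ("nodata" if qname in zone.records else "nxdomain"), []


def resolve(qname, qtype, start_server, servers, max_hops=8):
    """Follow referrals until an answer. A referral back to a server already
    asked (which did not answer from a child zone) is a lame delegation.
    Returns (rdatas, trace) where trace lists (server, status, data)."""
    trace, server, asked = [], start_server, set()
    while server not in asked and len(trace) < max_hops:
        asked.add(server)
        status, data = authoritative_lookup(server, qname, qtype, servers)
        trace.append((server, status, tuple(data)))
        if status == "answer":
            return list(data), trace
        if status != "referral":
            return [], trace
        server = data[0]
    trace.append((server, "lame-delegation", ()))
    return [], trace


DC1 = "dc1.domainb.example"
NAME = "autodiscover.domainb.example"


def scenarios():
    """The three constructed cases; returns {label: (rdatas, final status)}."""
    cases = {
        "delegation, child zone hosted on dc1": {DC1: [make_parent(delegate_to=DC1), CHILD]},
        "delegation, child zone missing on dc1": {DC1: [make_parent(delegate_to=DC1)]},
        "plain A record in the parent zone": {DC1: [make_parent(a_record="10.0.0.40")]},
    }
    out = {}
    for label, servers in cases.items():
        rdatas, trace = resolve(NAME, "A", DC1, servers)
        out[label] = (rdatas, trace[-1][1])
    return out


if __name__ == "__main__":
    for label, (rdatas, status) in scenarios().items():
        print(f"{label}: {status} {rdatas}")
```

    The middle case is the one to check before deleting a delegation: if the child zone on the delegated server is what currently answers, removing the NS set without creating the A record in the parent leaves the name unresolvable, while replacing the delegation with an A record in the parent (the third case) answers directly from the parent zone.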

    If you are on their network can you ping their domain?
    If not then you have a DNS, routing, or firewall issue.
    Are ports being blocked? For DNS, add a conditional forwarder to point to DNS for the other domain and do the same on the other side; this will work better in 2008 as it's replicated to the forest.
    Testing Domain Controller Connectivity Using PORTQRY
    Protocol and Port   | AD and AD DS Usage                                                            | Type of traffic
    TCP and UDP 389     | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
    TCP 636             | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
    TCP 3268            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
    TCP 3269            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
    TCP and UDP 88      | User and Computer Authentication, Forest Level Trusts                          | Kerberos
    TCP and UDP 53      | User and Computer Authentication, Name Resolution, Trusts                      | DNS
    TCP and UDP 445     | Replication, User and Computer Authentication, Group Policy, Trusts            | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
    TCP 25              | Replication                                                                    | SMTP
    TCP 135             | Replication                                                                    | RPC, EPM
    TCP Dynamic         | Replication, User and Computer Authentication, Group Policy, Trusts            | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
    TCP 5722            | File Replication                                                               | RPC, DFSR (SYSVOL)
    UDP 123             | Windows Time, Trusts                                                           | Windows Time
    TCP and UDP 464     | Replication, User and Computer Authentication, Trusts                          | Kerberos change/set password
    UDP Dynamic         | Group Policy                                                                   | DCOM, RPC, EPM
    UDP 138             | DFS, Group Policy                                                              | DFSN, NetLogon, NetBIOS Datagram Service
    TCP 9389            | AD DS Web Services                                                             | SOAP
    UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP
    UDP 137             | User and Computer Authentication                                               | NetLogon, NetBIOS Name Resolution
    TCP 139             | User and Computer Authentication, Replication                                  | DFSN, NetBIOS Session Service, NetLogon
    If it answered your question, remember to “Mark as Answer”.
    If you found this post helpful, please “Vote as Helpful”.
    Postings are provided “AS IS” with no warranties, and confers no rights.
    Active Directory: Ultimate Reading Collection
    Active Directory Visio Stencils 2013 - Directory Services Visio Stencils
    Kelly Bush
    It appears that you've copied and posted the chart, with some editing, from my blog, link posted below. No problem, as long as it helps the poster. :-)
    Active Directory Firewall Ports – Let’s Try To Make This Simple
    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
    Also, I would like to add that for firewall checks, make sure the ephemeral ports are opened. These are the important random response ports. The ports are dependent on the operating system version.
    Here's the matrix:
    Ephemeral Ports:
    And most of all, the ephemeral ports, also known as the “service response ports,” are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the ‘client’ may be), and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what ‘ephemeral’ means.
    Ports | Operating system | Description
    TCP & UDP 1025-5000 | Windows 2003/XP and older | Ephemeral Dynamic Service Response Ports
    TCP & UDP 49152-65535 | Windows 2008/Vista and newer | Ephemeral Dynamic Service Response Ports
    Port | Purpose | Protocol
    TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
    UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM
    If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
    Port | Purpose | Protocol
    TCP & UDP 1024 – 65535 | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB
    Ace Fekay
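    As an added example (not code from either poster), the following PowerShell script turns the port chart into a check: it resolves the trusted domain's domain-controller SRV record, then probes the fixed TCP ports from the chart on each DC it finds. `partner.example` is a placeholder for the partner domain's DNS name; Test-NetConnection cannot probe UDP or the dynamic RPC ranges, so those rows are not covered.

```powershell
# Added example, not from the thread: find the trusted domain's DCs via DNS and
# probe the fixed TCP ports listed in the chart above from the machine you run it on.
# Run it on a DC (or member server) of the trusting domain. Requires the DnsClient and
# NetTCPIP modules (Windows 8 / Server 2012 and newer).
param(
    # Placeholder: the DNS name of the partner (trusted) domain, e.g. partner.example
    [Parameter(Mandatory)][string]$PartnerDomain
)

# Fixed TCP ports from the chart. Dynamic RPC ranges (49152-65535 on 2008+) and the UDP
# side of 53/88/464 cannot be checked with Test-NetConnection, so they are left out.
$TrustPorts = @(
    @{ Port = 53;   Use = 'DNS' }
    @{ Port = 88;   Use = 'Kerberos' }
    @{ Port = 135;  Use = 'RPC endpoint mapper' }
    @{ Port = 139;  Use = 'NetBIOS session / NetLogon' }
    @{ Port = 389;  Use = 'LDAP' }
    @{ Port = 445;  Use = 'SMB / NetLogon / SamR' }
    @{ Port = 464;  Use = 'Kerberos change/set password' }
    @{ Port = 636;  Use = 'LDAP SSL' }
    @{ Port = 3268; Use = 'LDAP GC' }
    @{ Port = 3269; Use = 'LDAP GC SSL' }
)

# Step 1: the SRV record a DC must resolve to locate a DC in the other domain.
# Resolve-DnsName also returns the A records from the additional section, hence the filter.
$srvName = "_ldap._tcp.dc._msdcs.$PartnerDomain"
$dcHosts = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcHosts) {
    throw "No SRV records for $srvName; fix DNS (conditional forwarder / stub zone) before looking at ports"
}

# Step 2: TCP probe of every chart port on every DC found.
$results = foreach ($dc in $dcHosts) {
    foreach ($entry in $TrustPorts) {
        $tnc = Test-NetConnection -ComputerName $dc -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $entry.Port; Use = $entry.Use; Open = $tnc.TcpTestSucceeded }
    }
}

$results | Sort-Object DC, Port | Format-Table -AutoSize
# Anything listed here is a firewall gap that will break or slow cross-domain logon.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) { Write-Warning ("Blocked: " + (($blocked | ForEach-Object { "$($_.DC):$($_.Port)" }) -join ', ')) }
```

    Run it from both sides of a two-way trust, since each domain's DCs must reach the other's.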

  • Domain Trust Relationships in Windows Small Business Server 2011

    I have seen that SBS 2011 (and older SBS versions, apparently) do not 'support' Domain Trust relationships.
    Before coming across this information, I had already successfully created a trust relationship between a newly created SBS 2011 domain and an existing 2008 domain, and everything seems to be working fine - users from one domain are recognized on the other, etc.
    So I was wondering - is the 'not supported' more of a 'you're on your own if it breaks', is this a violation of the license, or is it some sort of freak occurrence and I am extremely lucky to have gotten this to work? This is actually my first time setting up a trust relationship and the entire process took about 10 minutes, so it seemed extremely easy for something that I now find out is unsupported.
    If it is a license violation, I'll remove the trust relationship immediately. This is not a permanent configuration, just testing our software on the SBS 2011 platform, and domain trusts were the most expedient way of adding the SBS domain users to the list of authorized users on our primary domain's SQL Server.
    Thanks in advance.

    From here, it says that the trust relationship is not supported for SBS: http://technet.microsoft.com/en-us/library/cc672124%28v=ws.10%29.aspx
    This means that this has not been tested by Microsoft, and if you have issues, you will not get support from Microsoft.
    I don't think that this is a violation of the license, but it will be better to check with a Microsoft licensing expert in your country.
    You can ask more about it here: http://social.technet.microsoft.com/Forums/en-US/category/sbsserver

  • Setting up two way AD domain trust ?

    Hi,
    I'd like to know what steps I need to take when setting up an Active Directory domain trust between two or more different AD domains, and also the steps to undo the domain trust in case I need to prevent some issues.
    Because I currently have about 15+ site offices that run their own Active Directory domain to be joined with my current parent company AD domain.
    Thanks
    /* Server Support Specialist */

    Have you thought about using Azure Active Directory with user synchronization to consolidate all your offices in one place?
    Answering directly: there are different types of trusts. Think about setting up a 1-way trust (users from the first domain can get access to the resources in the second domain but not the other way round) or a 2-way trust (users in both domains get access to resources such as applications or systems in both domains). Please read https://technet.microsoft.com/en-us/library/cc730798.aspx
    Setting up the trust is a rather easy task (https://technet.microsoft.com/en-us/library/cc771580.aspx) and can be undone easily as well (https://technet.microsoft.com/en-us/library/cc771137.aspx)
    Hope that helps!

  • Domain trust bet. win2003 and win2008R2 not working

    Hi, I try to create a domain trust but it does not trust. I think I am missing something about DNS; I have read several documents but they describe different cases.
    I would like a good step-by-step guide of DNS setup for domain A trusting domain B.
    Question: before running the trust wizard, should nslookup see domain B from the domain A domain controller?

    Hi,
    Below are some links to help you with this, depending on the trust type you want to establish.
    http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/
    DNS resolution for certain trust types:
    http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc756852(v=ws.10).aspx
    Hope this helps.
    Regards,
    Calin

  • Domain Trust over t3s

    I am able to propagate the weblogic security context from one domain to another over t3 but when I switch to an ssl connection (t3s) I no longer am able to propagate the original user. I do have the domain credential setup to allow for domain trust. Does anyone know if this is possible?
    For example, I have a web app in domain 1 calling a remote ejb in domain 2. When a user logs into the web app in domain 1 which then calls a remote ejb over t3 the security context of domain 1 is propagated into the ejb in domain 2. When I use a server certificate to connect b/w domain 1 and domain 2 over t3s I no longer receive the end user in domain 2. Does anyone know if this is possible?
    Thanks!

    Hi,
    >it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local. 
    Would you please tell us what are the DNS Settings of the PC? Is there an AD Integrated DNS zone in the ukdomain?
    I suggest you check the SRV Records. You can try to restart the netlogon services to re-register SRV records. More specifically, in the command prompt, type
    net stop netlogon to stop netlogon services, then type net start netlogon to start netlogon services.
    >it However in DNS can see their _msdcs folder but they can't see ours.
    I suggest you set up zone transfer to transfer the DNS zone to their domain.
    More information about DNS zone transfer, please refer to the following link:
    Modify DNS zone transfer settings
    http://technet.microsoft.com/en-us/library/cc782181(v=WS.10).aspx
    Best Regards,
    Erin

  • Change domain trust for Forest trust

    Hi
    I have a forest A with 3 domains (1 (root), 2, 3) and I have a forest B with 2 domains (4 (root), 5).
    Presently, I have a domain trust between domain 2 and 5.
    I need to change it to a forest trust. What is the best practice?
    1- Remove the domain trust and create a forest trust?
    2- Create a forest trust, wait a few days, then remove the domain trust?
    3- Create a forest trust and immediately remove the domain trust?
    Do you have a link to explain that?
    Thanks

    Hi,
    Which kind of domain trust have you created? Which kind of forest trust do you want to create?
    A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between
    every domain in both forests.
    Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest
    trust between two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest.
    In other words, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, I think you can just create a new forest trust and keep the existing domain trust.
    In addition, please make sure that the forest function level is Windows Server 2003 or higher before you create a forest trust.
    Best regards,
    Susie

  • Domain controller environment do we required CAL's license ?

    Domain controller environment: do we require CAL licenses?
    Do I need any licensing to connect workstations to a domain?
    Where we have a license for the AD server (2008/2012) and a license for the client OS (Windows 7/Windows 8), do we still require CALs for the DC?
    I have a server running Windows Server 2012. I want to turn this into a domain controller. In order to connect my workstations to my server

    Hi,
    On this link:
    http://www.microsoft.com/licensing/about-licensing/windowsserver2012-r2.aspx#tab=4 we have the following:
    Client Access Licenses (CALs) are required for each user or device accessed. The Windows Server 2012 related CALs provide entitlement to access and use Windows 2012 R2 functionality.
    On the multiplexing link:
    http://www.microsoft.com/licensing/about-licensing/briefs/multiplexing.aspx you can download the PDF in which it is mentioned that:
    "Multiplexing does not reduce the number of Microsoft licenses required. Users are required to have the appropriate licenses, regardless of their
    direct or indirect connection to the product. Any user or device that accesses the server, files, or data or content provided by the server that is made available through an automated process requires a CAL."
    thanks
    diramoh

  • AD domain trust

    We have set up a one-way domain trust between Domain A and Domain B. Users in Domain A can log on to servers in Domain B (B trusts A). Relevant ports are open in the firewall between the domain controllers in A+B. It works but is very slow. So I need to verify that my conclusion is correct. What I think is going on is that when a user from A is logging on to a server (let us call it B1) in B, then B1 tries to contact a domain controller in A, using Kerberos. Since this is not allowed in the firewall, the server tries NTLM as a fallback option, but here it is the B domain controllers that contact the A domain controllers and the user is authenticated. Because of the "Kerberos then NTLM" problem, the logon is very slow. Now is my only option to open so that B1 can connect to domain controllers in Domain A? Or is there another way to...

    Sorry, I don't follow your question. Can you expand on what you are after? When you say AD assessment for domain trust, do you mean you need to validate and document an existing trust, or propose a solution for a new one? And what are you interested in with sites?
    Thanks
    Regards,
    Denis Cooper

  • What difference between a domain trust and a forest trust?

    What difference between a domain trust and a forest trust?

    Greetings!
    The answer is right on the question! :)
    I think it is best to distinguish properly between forest and domain. This article is a good one:
    What Are Domains and Forests?
    But in a nutshell, a forest trust is mostly used between two organizations. Suppose company A has a unique forest and company B has another unique forest as well; when they are merged they can simply create a forest trust between each other. This trust can be one-way or two-way depending on your needs.
    Domain trusts are between a single instance (domain) of a forest and another instance (domain) of another forest. It is worth mentioning that a trust can be transitive as well.
    What Are Domain and Forest Trusts?
    I hope you got the answer.
    Regards.
    Mahdi Tehrani
