AADSYNC in Account/Resource Forest

Hello,
we installed AADSYNC in an Account/Resource Forest Scenario. The logic in this scenario is that the object that will be synced to Office365 is put together with information from account and resource forest. It knows what to combine by taking into account
that the objectsid from account forest and msexchangemasteraccountsid from resource forest are the same for the users that need to be synchronized.
Now we have some filtering in place to only sync user objects from both forests when they have the attribute "pager" filled with "Office365".
This works fine most of the time. The user object to sync is successfully buidl together with information from both forests and exists only once in the Metaverse.
If we create new users we create them first in Account forest and then we do migrate them with admt to the resource forest. Then they get the mailbox (linked) and are disabled in resource forest. If we fill the filter attribute first in AD meaning the pager
gets filled with "Office365" and a synchronization process occurs before filling the pager attribute in the other forest we end up with two different objects in the metaverse and only the account part is synchronized to Office365.
Is this by design? Is there any workaround to combine the two different metaverse objects into one?

It depend's on the Version, but if you are using Azure AD Sync, you can open the "Synchronization Rules Editor", and edit the "In from AD - User Join" Rule:
And when you have two AD to sync, make sure, that the second (resource forest) ist selected to join, because this will prevent to create new user objects from the resource forest:
www.sccmfaq.ch

Similar Messages

Auto-mapping of shared mailboxes in a resource forest scenario

In a resource forest scenario you assign full access to a shared mailbox using:
Add-MailboxPermission -Identity SharedMailbox -User AccountForestDomain\UserID -AccessRights FullAccess
This provides the user in the account forest full access, but it will NOT auto-map the shared mailbox in Outlook.
If you use the command:
Add-MailboxPermission -Identity SharedMailbox -User UserID -AccessRights FullAccess
and UserID is the disabled account of the linked mailbox in the resource forest then the user in the account forest does not have the necessary permission to
open the mailbox, but the auto-mapping of the mailbox in Outlook works.
You have to use both commands to have the auto-mapping feature and have access to the shared mailbox.
This looks like another issue of the auto-mapping feature. The intention of the feature is good, but the way it was implemented can be improved.
How do you configure full access to shared mailboxes in a resource forest scenario?

Hi J-H,
Because i don’t have such a lab environment, so I am unable to do a test.
Now let’s separate the issue.
1. The first issue is
[email protected]
unable to auto configure outlook profile.
I suggest you
changing the user’s attributes in the account forest, does it work?
2. The second issue is
[email protected] unable to open a shared mailbox in the resource
forest.
At first, I suggest you create a shared mailbox in resource forest with this command.
New-Mailbox -name
<name> -Database <Database name> -OrganizationalUnit Users –UserPrincipalName
<UPN value, example: [email protected]> -<ResourceType: Room, Equipment or Shared>
Managing
Resource Mailboxes in Exchange Server 2007 (Part 1)
Then test if you can log on the shared mailbox via outlook.
If yes, then grant full access right for
[email protected]
to [email protected]
Resource:
Shared mailbox
permission in resource forest with linked users
Manage Full Access Permissions
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Can't move Exchange 2003 mailbox to Exchange 2010 Resource forest (Linked Mailbox)

Problem Description:
Can’t move Exchange 2003 mailbox to Exchange 2010 resource forest
Error message:
Failed to reconnect to Active Directory server SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that you have used the correct credentials.
Source Environment Configuration:
Active Directory
FQDN: umfolozi.local
Domain name (pre-Windows 2000): UMFOLOZI
Domain Function Level: Windows Server 2003
Domain Controllers:
Hostname
OS
Operation Master
SRVUMVMDC01.umfolozi.local
Windows Server 2008 R2 Standard SP1
Schema Master, Domain Naming, RID, PDC
SRVUMVMDC01.umfolozi.local
Windows Server 2008 R2 Standard SP1
Infrastructure
Exchange
Version: Microsoft Exchange 2003 Standard SP2 Build 7638.2
Server Information:
Hostname
OS
TUSKUMFMAIL.umfolozi.local
Windows Server 2003 R2 SP2
DNS Zones
Zone Name
Zone Type
Domain Controllers
umfolozi.local
Active Directory-Integrated (Primary)
SRVUMVMDC01.umfolozi.local
SRVUMVMDC01.umfolozi.local
peermont.com
Secondary
SRVPGVMDC01.peermont.com
SRVPGVMDC02.peermont.com
Trusts
Domain Name
Trust Type
Transitive
Validated
peermont.com
Forest
Yes
Yes
Target Environment Configuration:
Active Directory
FQDN: peermont.com
Domain name (pre-Windows 2000): PG
Domain Functional Level: Windows Server 2008 R2
Domain Controllers:
Hostname
OS
Operation Master
SRVPGVMDC01.peermont.com
Windows Server 2008 R2 Std SP1
SRVPGVMDC02.peermont.com
Windows Server 2008 R2 Std SP1
Domain naming, RID, PDC, Infrastructure, Schema Master
Exchange
Resource Exchange Forest
Server Information:
Hostname
OS
Role
Version
Client Access Array
SRVPGVMEXCH01.peermont.com
Windows Server 2012 Std
HUB, CAS
Version 14.3 (Build 123.4)
exchange.peermont.com
SRVPGVMEXCH02.peermont.com
Windows Server 2012 Std
HUB, CAS
Version 14.3 (Build 123.4)
exchange.peermont.com
Hostname
OS
Role
Version
Database Availibility Group
SRVPGVMEXCH03.peermont.com
Windows Server 2012 Std
MBX
Version 14.3 (Build 123.4)
PeermontDAG
SRVPGVMEXCH04.peermont.com
Windows Server 2012 Std
MBX
Version 14.3 (Build 123.4)
PeermontDAG
DNS Zones
Zone Name
Zone Type
Domain Controllers
peermont.com
Active Directory-Integrated (Primary)
SRVPGVMDC01.peermont.com
SRVPGVMDC02.peermont.com
umfolozi.local
Secondary
SRVUMVMDC01.umfolozi.local
SRVUMVMDC01.umfolozi.local
Trusts
Domain Name
Trust Type
Transitive
Validated
umfolozi.local
Forest
Yes
Yes
Migration Process
Task
Description
Successful/Error
1
SYNC AD Domain account from source forest (umfolozi.local) to target forest (peermont.com) using BinaryTree SMART Directory Sync (ADMT can be used as alternative)
Successful
2
Create mailed enabled user
Successful
3
Run Prepare-MoveRepuest with –OverWriteLocalObject
Command Example:
.\Prepare-MoveRequest.ps1 -Identity [email protected] -RemoteForestDomainController SRVUMVMDC01.umfolozi.local
-RemoteForestCredential $RemoteCredentials -UseLocalObject -LocalForestDomainController SRVPGVMDC01.peermont.com -LocalForestCredential $LocalCredentials -OverWriteLocalObject
Successful
4
Submit mailbox request
Command Example:
New-MoveRequest -Identity "0fa7d17e-3637-4708-a51b-f14eaae17968" -BadItemLimit "50" -TargetDeliveryDomain
"internal.peermont.com" -TargetDatabase "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" -RemoteCredential (Get-Credential "umfolozi\svcmigration") -RemoteGlobalCatalog "SRVUMVMDC02.umfolozi.local" -RemoteLegacy:$True
Error
All the standard migration task works as expected until the mailbox migration move request is submitted. See move request verbose detail below:
[PS] C:\Windows\system32>New-MoveRequest -Identity "0fa7d17e-3637-4708-a51b-f14eaae17968" -BadItemLimit "50" -TargetDeli
veryDomain "internal.peermont.com" -TargetDatabase "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" -RemoteCredential (Get-Crede
ntial "umfolozi\svcmigration") -RemoteGlobalCatalog "SRVUMVMDC02.umfolozi.local" -RemoteLegacy:$True -Verbose
VERBOSE: [11:34:27.346 GMT] New-MoveRequest : Active Directory session settings for 'New-MoveRequest' are: View Entire
Forest: 'False', Default Scope: 'peermont.com', Configuration Domain Controller: 'SRVPGVMDC02.peermont.com', Preferred
Global Catalog: 'SRVPGVMDC02.peermont.com', Preferred Domain Controllers: '{ SRVPGVMDC02.peermont.com }'
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Runspace context: Executing user: peermont.com/Admin/Users/Admin
Accounts/Information Technology/SoarSoft/Johann Van Schalkwyk, Executing user organization: , Current organization: ,
RBAC-enabled: Enabled.
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Beginning processing &
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Instantiating handler with index 0 for cmdlet extension agent "Admin
Audit Log Agent".
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it
will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that Exchange not copy such
items to the destination mailbox. At move completion, these corrupted items won't be available in the destination
mailbox.
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Searching objects "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" of type
"MailboxDatabase" under the root "$null".
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Previous operation run on domain controller 'SRVPGVMDC02.peermont.com'.
VERBOSE: [11:34:27.393 GMT] New-MoveRequest : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write
Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s):
{}, Exclusive Configuration Scope(s): {} }
VERBOSE: [11:34:27.393 GMT] New-MoveRequest : Searching objects "0fa7d17e-3637-4708-a51b-f14eaae17968" of type "ADUser"
under the root "$null".
VERBOSE: [11:34:27.471 GMT] New-MoveRequest : Previous operation run on domain controller 'SRVPGVMDC02.peermont.com'.
VERBOSE: [11:34:27.471 GMT] New-MoveRequest : Processing object "$null".
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] No RequestJob messages found.
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] MDB c5d6ea95-07b3-4a52-9868-e41e808a76fe found to belong to Site:
peermont.com/Configuration/Sites/Peermont
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] MRSClient: attempting to connect to 'SRVPGVMEXCH02.peermont.com'
VERBOSE: [11:34:27.627 GMT] New-MoveRequest : [DEBUG] MRSClient: connected to 'SRVPGVMEXCH02.peermont.com', version
14.3.178.0 caps:07
VERBOSE: [11:34:27.627 GMT] New-MoveRequest : [DEBUG] Loading source mailbox info
VERBOSE: [11:34:28.844 GMT] New-MoveRequest : Failed to reconnect to Active Directory server
SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that you have used the correct credentials. --> A
local error occurred.
VERBOSE: [11:34:28.844 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
Failed to reconnect to Active Directory server SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that
you have used the correct credentials.
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : F48FD74B,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
+ PSComputerName : srvpgvmexch02.peermont.com
VERBOSE: [11:34:28.859 GMT] New-MoveRequest : Ending processing &
Troubleshooting Performed
1. When submitting mailbox move request tried the following credential inputs:
1.1. DOMAIN\Username
1.2. FQDN\Username
1.3. userPrincipalName
2. Confirmed domain trust between source and target domain is in place and validated.
3. Confirmed name resolution in source and target domain is functioning as expected.
4. Confirmed network connectivity between source and target domain controllers as well as source and target exchange servers.
5. Tried to create new Linked Mailbox to account in source forest, can’t select Global Catologue via the wizard;
Tried to specify the credentials for the account forest and got the following error when tried to select Global Catalog from wizard:

The error talk about the credential. Did you check the credential
Did you tried this command?
New-MoveRequest -Identity "Distinguished name of User in Target Forest" -RemoteLegacy -TargetDatabase "E2K10 Mailbox Database Name" -RemoteGlobalCatalog "FQDN of Source DC" -RemoteCredential $Remote -TargetDeliveryDomain "Target
domain name"
http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx
Cheers,
Gulab Prasad
Technology Consultant
Blog:
http://www.exchangeranger.com    Twitter:
  LinkedIn:
   Check out CodeTwo’s tools for Exchange admins
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

AD Resource forest access with user from different forest

I am trying to access a AD resource forest using a user from a different forest.
The "different forest" is the main forest used to contain all user accounts etc. This domain is trusted by the resource forest (which contains things like outlook distribution lists etc) and so I am able to log into the resource forest (using ldp.exe or the mmc ad snap-ins) with my credentials from the main forest.
How can I replicate this in java?
I can connect directly to the user forest with simple authentication. But I can't do the same with the resource forest (as the user does not exist on it - it is merely trusted). Is there an authentication method that will allow me to do this?
In this organisation user accounts for the resource forest are not given out - you have to use one from the main user forest. So I have to find a work-around where I can connect with my current credentials.
Any ideas anyone?

Devid,
I am facing the same problem.
Did you get the solutions.
I am getting exception while calling "InitialDirContext"
"Problem searching directory: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"

Windows 2012 R2 - NPS in resource forest won't auteticate users in the user forest by UPN, only by DOMAIN\username

Hi there
I have recently setup a windows 2012 R2 NPS server (for WIFI auth) in our resource forest to replace an aging 2003 RADIUS server.
The problem I am having is users logging in with their UPNs.
To give some background our user forest and domains look like company.local and a few child domains department.company.local etc.
Our resource domain is companyresources.com
As we use office 365 we had to add UPNs to our users called company.com and set them.
The NPS cannot authenticate users when they use their [email protected] UPN.
From logs
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: [email protected]
Account Domain: -
Fully Qualified Account Name: -
Followed by event ID 4402
There is no domain controller available for domain DOMAIN.
I believe its cannot translate the Account name into an Account domain when using the UPN we need for office 365 ([email protected]).
If I set a test user to a UPN of [email protected] it does (however we cannot do this because it will affect our office 365 users)
Network Policy Server granted access to a user.
User:
Security ID: DOMAIN\user1
Account Name: [email protected]
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user1
or if I use DOMAIN\username
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: DOMAIN\user1
Account Name: DOMAIN\user1
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user1
Is there any way I can get my UPN authentication working form the resource domain s I would prefer my users logging into WiFi with their UPNs as we have moved away from the DOMAIN\username method.
Thanks

Hi,
According to your description, my understanding is that client using UPN can’t be authenticated by NPS server, event ID 4402.
In general, when NPS is configured as a RADIUS server with the default connection request policy, NPS processes connection requests for the domain in which the NPS server is a member and for trusted domains.
You may try to use realm names configured in connection request policies to ensure that connection requests are routed from RADIUS clients to RADIUS servers that can authenticate and authorize the connection request.
You may reference the link below for detailed information:
Realm Names
https://technet.microsoft.com/en-us/library/cc731342(v=ws.10).aspx
Using Pattern-Matching Syntax in NPS
https://technet.microsoft.com/en-us/library/dd197583%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Exchange 2010 Resource Forest - Autodiscover

Environment:
Account Forest (No Exchange server installed)
Resource Forest (Exchange 2010 SP3)
I understand that a SCP record can be created in the account forest using the following command: Export-AutoDiscoverConfig -DomainController <FQDN> -TargetForestDomainController <String> -TargetForestCredential $a -MultipleExchangeDeployments
$true
Questions:
1. Do I need to prep the schema in the Account Forest to create the relevant Exchange configuration before running Export-AutoDiscoverConfig?
2. Is the switch MultipleExchangeDeployments $true needed? Technet states that it's only needed if both forests contain Exchange but also states it's needed for
multiple accepted email domains? (which we do have)
http://technet.microsoft.com/en-us/library/aa998832(v=exchg.141).aspx3.
3. Can this change be backed out. i.e. can the SCP record be removed by using ADSI edit.
Thanks in advance

Hi,
Here are my answers you can refer to:
1. It depends.
If Exchange deployment has two or more trusted forests, you must update Active Directory so that Outlook users in one forest can access the CAS servers in the remote (or target) forest to use the Autodiscover service. To do this, we must extend the schema in
the user forest by running Exchange 2010 Setup with the /PrepareAD or /PrepareSchema switch, and then run the Export-AutodiscoverConfig cmdlet in the resource forest that contains the Client Access servers that provide the Autodiscover service against the
target forests.
If you do not want to extend the schema in the user forest, you can update DNS in the user forest with a host record that points to the internal IP address of the Client Access server in the resource forest where Autodiscover is hosted.
For more information, you can refer to the following article:
http://www.testlabs.se/blog/2010/11/06/configuring-the-autodiscover-service-for-multiple-forests/
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
sure that you completely understand the risk before retrieving any suggestions from the above link.
2. It doesn’t need in your environment.
When the parameter MultipleExchangeDeployments is set to TRUE you will tell the forests that you have multiple Exchange forests. The parameter will also export the accepted domains which are defined in the Exchange environment.
3. SCP record can be removed by using ADSI edit:
On your account domain, open adsiedit.msc, locate the SCP records in
CN=Autodiscover,CN=Protocols,CN=<CAS_SERVER>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<ORG>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
For more information, you can refer to the following thread:
http://social.technet.microsoft.com/Forums/exchange/en-US/a06686ec-f1dc-4738-b4c5-76c41088e145/configuring-autodiscover-in-resource-forest?forum=exchangesvrdeploylegacy
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support

Exchange 2013 resource forest deployment, auth error with imap/pop3 clients.

Hello Everyone!
We have an issue with pop/imap clients trying to authenticate.
Users log on with credentials from Account Forest, security audit shows a succesful log on and impersonation from process Microsoft.Exchange.Pop3.exe, but fails to login to mailbox.
The following warning appears in the event log:
Log Name: Application
Source: MSExchangePOP3
Date: 22/01/2014 11:41:29
Event ID: 2005
Task Category: (1)
Level: Warning
Keywords: Classic
User: N/A
Computer: exchangeCAS
Description:
User [email protected] wasn't found in Active Directory.
Protocol logs show the same warning.
Seems that Microsoft.Exchange.Pop3.exe process is unable to determine the linked mailbox of the provided credentials.

Thanks for your answer.
We can access this mailbox with any protocol but pop/imap.
Anyway, I think that I found something.
In an isolated enviroenment, with an Active directory trace (Performance Monitor tool) those are the LDAP querys with some tests:
Trying to log on with an account in the same forest as the mailbox:
User string: resource.forest\administrator\userA_linkedMB
LDAP Query: ( (mailNickname=userA_linkedMB) ( !(msExchCU=*) ) ....
Success, as expected.
Trying to log on with an account in the account forest:
User string: account.forest\userA\userA_linkedMB
LDAP Query: ( (sAMAccountName=userA) ( ! (msExchCU=*) ) ....
First, in this case the query seems incorrect, I expect it filtering by mailNickname and with the third part of the logon string. Of course it fails because there isnt any user with this SAM in the resource forests.
Same test, with resource.forest\userA, sAMAccountName = userA
User string: account.forest\userA
LDAP Query: ( (sAMAccountName=userA) ( ! (msExchCU=*) ) ....
This query returns 1 matching user, but seems that pop3 process checks if its from account.forest (it isn't of course, because query is sent to resource.forest DC) and fails.
I'm not sure, but seems a bug in the POP3/IMAP login code.

Lync 2013 Hybrid deployment with resource forest scenario on-premise

Hi there,
Im starting to deploy this scenario of Lync on-premise in resource forest with Lync Online:
I´am not finding any documentation about this specific scenario. I wish to know how the flow between forests will be to have users in lync online and users on premise.
Thank you very much in advance for your help.
Joaquin Gonzalez

Hi Joaquin,
You need to deploy Microsoft Forefront Identity Manager (FIM) 2010 to manage the life cycle of user accounts.
In a resource forest topology, one forest is dedicated to running server applications, such as Microsoft Exchange Server and Lync Server. The resource forest hosts the server applications and a synchronized representation of the active user object, but it
does not contain logon-enabled user accounts. The resource forest acts as a shared services environment for the other forests where user objects reside. The user forests have a forest-level trust relationship with the resource forest. When you deploy Lync
Server in this type of topology, you create one disabled user object in the resource forest for every user account in the user forests. If Microsoft Exchange is already deployed in the resource forest, the disabled user accounts might already exist. A directory
synchronization product, such as MIIS, Microsoft Forefront Identity Manager (FIM) 2010, or Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1), manages the life cycle of user accounts. When a new user account is created in one of the user
forests or a user account is deleted from a forest, the directory synchronization product synchronizes the corresponding user representation in the resource forest.
Click the links below for more information.
Supported Active Directory topologies in Lync Server 2013
http://technet.microsoft.com/en-us/library/gg398173.aspx
Windows Azure Active Directory Connector for FIM 2010 R2 Quick Start Guide
http://technet.microsoft.com/en-us/library/dn511002(v=ws.10).aspx
Hope it can be helpful.
Best regards,
Eric

Skype for Business - Hybrid model - resource forest

Microsoft just announced that in Hybrid model Resource Forests is not supported. This mean that forest trusts will not be supported so what’s are options ?

Hi MikesTroa,
I recommend that you can visit the Lync Team’s Blog, if there’s any latest news about Lync for Business, they will post the articles with this blog.
Due to there’s no official document released by Microsoft, so I can’t give you the clear answer. Thanks for your understanding.
If you are eager to know the answer, I suggest you contact Microsoft for help.
Best regards,
Eric
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

ADFS-Resource forest Web server sample files

Team,
Help required. Setup 4 Servers & need ADFS-Resource forest Web server sample files. Include webconfig.
Can you pls provide a link where I can download those files? Thanks in advance.
Want to deploy Test ADFS Scenario.
Regards~Biswajit
Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
MY BLOG
Domain Controllers inventory-Quest Powershell
Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
Generate a Report for installed Hotfix for Bulk Servers

Hi Biswajith,
How about this?
http://technet.microsoft.com/en-us/library/dn280939.aspx#BKMK_5
http://www.microsoft.com/en-us/download/details.aspx?id=4451
Best Regards,
Amy

Creating an Account/Resource Party Trust - What do I need to do?

I have an ADFS 2.0 deployment and I am looking to create a trust with another organisation. I have an application that there user base will access using their domain credentials but they don't have an ADFS Proxy Server, only a federation server deployment.
Therefore I am creating the relying party trust manually? What certificate do I need to import when creating the trust? Is it the service communication certificate, i.e. the certificate with my federation service name?
kind regards
Hendy

Hi Hendy,
Regarding claims based issue, I suggest you refer to experts from the following forum to get professional support:
Claims based access platform (CBA), code-named Geneva Forum
http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
Here are some references below for you:
Certificate requirements for federation servers
http://technet.microsoft.com/en-us/library/cc783182(v=WS.10).aspx
Add a Relying Party Trust
http://technet.microsoft.com/en-us/library/adfs2-help-how-to-add-a-relying-party-trust(v=WS.10).aspx
Best Regards,
Amy

What are the recommended methods to keep CA Certs and CRLs updated in Account Forests for a Cross Forest Enrollment implementation?

Hello,
We have 1 resource Forest and multiple account Forests. We've reviewed the Cross-Forest Cert Enrollment with Windows Server 2008 R2 doc and followed steps 8 and 9 under the 'Deploying AD CS for Cross Forest Cert enrollment' regarding publishing
the root CA Cert and Enterprise CA certs. We run PKISync.psi to copy objects from the resource to the account Forest, and understand Certs and CRLs are not copied from the resource to the account Forests. We are trying to figure out the best way
of keeping the Root and SubCA Certs and CRLs updated in the account Forests.
1. Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
2. Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
3. Any other suggestions/references regarding best practices on how to do this?
Thanks for your help! SdeDot

> Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
yes. Though, we do not bother with CRL copy as it published to HTTP location only.
> Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
I would suggest to not use LDAP URLs in favor to HTTP.
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell File Checksum Integrity Verifier tool.

Move account to another forest

Dear.
We have two forests with a forest trust between them. Today, our users are in Forest A, their Exchange 2013 mailbox too. We want to move the user accounts to Forest B while their mailbox remains in forest A.The accounts are synced between both forests.
Are there command line, PowerShell command we can use to automate this? If so, how.
Does someone has a link to a good article or document describing this procedure?
Thanks in advance.
Regards.

Hi,
You can use the ADMT to perform object migrations and security translation as necessary so that users can maintain access to network resources during the migration process.
What's more, here is a thread for your reference.
Cross Org migration
http://social.technet.microsoft.com/Forums/exchange/en-US/1ecd1261-fa66-4b4a-9c52-a51917d84356/cross-org-migration?forum=exchange2010
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support

Cannot link mailbox to user in accounts forest

original forest is a single domain configuration named mydomain.com. A new accounts forest was created named ad.mydomain.com. This domain is *not* a subdomain of the original domain, but a separate domain in a separate forest. This forest
also uses a single domain design. (It's a long story) All mailboxes reside in a single mailbox database on an Exchange 2010 server running on Windows Server 2008 R2. I've used the ADMT to migrate some test accounts to the accounts forest.
The migration works and the account appears functional, i.e., SID history migrated and the account can still get to shares and files on machines located in the resource forest.
I then use the disable-mailbox and connect-mailbox commands to setup the linked mailbox. My test account is user Joe Doakes (as listed in Get-MailboxStatistics), username is jdoakes, mailnickname is jdoakes and SMTP address is [email protected]
Here is the exact command I am using:
Connect-Mailbox -Identity "Joe Doakes" -Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com
-LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred
to which the command shell replies-
Confirm
Do you want to connect this mailbox to user "mydomain.com/Testing/Joe Doakes" with the alias "JoeDoakes"?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"):
I've re-entered the credentials for the accounts forest twice. The canonical name above is the name of the now disabled account in the resource forest. If I select Y here, it reconnects to the old account and changes the alias from jdoakes
to JoeDoakes. This behavior is very strange. I have confirmed the distinguished name used is correct. Can anyone point out what I am doing wrong?
TIA
Tom

I wanted to update this post in case anyone else runs into this problem. I wound up opening
a support ticket and spent a day and a half on the phone with Microsoft.
This issue was the result of several chance problems and my misinterpretation
of the command's results. To start off, when the command comes back to
say that it wants to connect the mailbox to "mydomain.com/Testing/Joe Doakes", it
really means that it is the disabled account in the Exchange (source) forest to which the
mailbox will be connected. It will be "linked" to the account in the accounts forest, but the command does not say that. This behavior is by design. We also found that I have to specify the alias in the command or a new alias is created that
concatenates the target account's first
and last names. Last, we found that running a number of
clean-mailboxdatabase commands was the trick that finally made things
work. To recap, the procedure that worked for me was:
1. Disable-mailbox to disconnect the user in the source forest
2. Verify the mailbox is actually disconnected. If it does not show up in the
Disconnected Mailbox node in the EMC, run the clean-mailboxdatabase "<database
name>" command
3. Disable the source forest user account.
4. Enter the account forest credential ($cred = get-credential)
5. Connect the mailbox to the linked account. This is the command that worked for me:
Connect-Mailbox -Identity "Joe Doakes" -Alias jdoakes
-Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential
$cred
6. The new account may not be able to get to the mailbox without running another clean-mailboxdatabase.
I hope this saves someone else a call to Microsoft.

ActiveSync - link resource account and password push

Is it possible to push a password from an IDM account to a resource account at the same time as linking the two accounts, during ActiveSync?
Scenario: I have an account in IDM and an account on a resource. I use ActiveSync to "discover" the account on the resource and link the IDM account with the resource account. At the same time I would like to push the IDM password to the resource. Thereby, synchronizing the IDM password with the resource password.
I have unsuccessfully tried to accomplish this in many ways:
1) Within the Admin GUI, I've edited an account and when I assign the resource to the account the password in IDM does not push to the resource.
2) Within ActiveSync, I have used global.password, password.password, password.confirmPassword, password.targets, password.accounts[resource].selected
NOTES:
- when the account exists on the resource and IDM links to the resource account, the password does not push
- when the account does not exist on the resource and IDM is required to create the resource account, the password is pushed
At this point my guess is that I will have to kick off a workflow to trigger the password push as the ActiveSync cannot handle linking and subsequently updating an attribute on that resource at the same time. Any ideas would be helpful. Thank you in advance.

I have been able to successfully push the password to the resource both during activesync and within the Admin console. However, I have found some inconsistencies with IDM that might need attention or an explanation.
First off, the key to pushing the password from IDM to the resource in the above scenario is....within the Resource Schema don't map IDM user attribute "password" but map an attribute such as "resource_password" to the password field on the resource. When I did this, I was able to provision the resource to the user in IDM and push the password to the existing resource account.
Secondly, there is an inconsistency with IDM and how it treats password and the other fields. I mapped lastname to a field on the resource. From the admin console, I edited the user and the only change I made was to provision the resource to the user (Resources tab). After saving this user, the lastname field from IDM was updated on the resource.
Why doesn't this work with password?

AADSYNC in Account/Resource Forest

Similar Messages

Maybe you are looking for