ACS 4.0 to NT Domain with NTLMv2 problem.
I am trying to authenticate users from a VPN Concentrator (3030) to our NT Domain. We are not running AD yet but we are required to use NTLMv2 authentication on the Domain.
I want to use ACS4.0 to authenticate Radius w/Expiry from the VPN concentrator and let ACS handle the NTLMv2 part.
In ACS I have defined my Domain in the External Users Database, I have defined the Unknown User Policy to use the Windows Database, and I have defined the Group Mapping to point to the default group.
When I run the Authentication test from the VPN setup screen I get a failed request.
In the CSAuth log I am getting:
AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
With NTLMv2 turned off and running ACS 3.2, this setup is working (my production network). My only reason for upgrading to ACS4.0 was the NTLMv2 portion.
Does anyone have any advice? Thanks!
Please make sure you read this Field Notice:
http://www-tac.cisco.com/Support_Library/field_alerts/fn62167.html
Note that, despite the Windows URL mentioning only 2003 server, the 2000 server also supports NTLMv2. Therefore, the following scenarios apply:
- DC on Win 2003 SP1 - doesn't require any hotfix since it's included in SP1
- DC on Win 2000 SP4 - doesn't require any hotfix since it's included in SP4
- DC on Win 2003 - requires hotfix KB893318
-
Force acs v.5 to join domain with a certain Domain Controller
Hi everybody,
I try to join an ACS v. 5.3 to the domain. For my ACS in Location A, I can join without problems using my account. When I try to join the ACS in location B to the same domain with the same account, it doesn't work.
I looked at the debug log files for the AD client, and noticed that the ACS in location B goes to a certain Domain Controller. However, I would have expected the ACS to contact another DC, which is located on the same location as the ACS ... this doesn't happen.
My question: How does the ACS determine what DC to contact? Is it possible to force the ACS to join by connecting to a certain DC?
Thanks for any help or ideas ?!?
Ida
Hi,
Please check your sites and services in your DNS configuration to see if the right Domain controllers are being sent to the ACS when it attempts to connect to the domain. This feature is critical and will optimize the connections that the ACS chooses in order to join the domain.
The way this works is that ACS attempts to resolve some DNS records for global catalog servers and domain controllers against the DNS server configured in the initial installation script. Then the DNS makes a decision based on the source IP address of the DNS query and thinks that the ACS is at a specific site and returns the result of which DCs and GCs are configured in that specific site.
Let me know if that helps.
Tarik Admani
-
ACS 4.2 and EAP-TLS with AD and prefix problem
Hi there
we have the following situation:
- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
This is the normal output of the Remote Agent, it finds the host but then nothing happens:
CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB: Creating Domain cache
CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB: Creating Domain cache
CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
It's clear that the test was not successful because of the wrong "machine password", but it's a different output than before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
Could this be the problem or does someone see any other problem?
Best Regards
Dominic
Hi Colin
Thanks for your answer, we had this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every one of these AD groups (AND conjunction).
Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
Regards
Dominic -
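The CSAuth and CSWinAgent excerpts quoted in the two threads above share one line layout. As an added example (not code from the posters or from Cisco), this Python script pairs each "Attempting Windows authentication" line with the FAILED line that follows it on the same request and decodes the Win32 error number. It assumes the fifth field is a per-request thread id, which is how it behaves in the excerpts; the last two sample lines (user jdoe, error 1909) are constructed.

```python
import re
from collections import Counter

# Win32 logon error codes (winerror.h) that Windows hands back to the ACS NT library.
WIN32_LOGON_ERRORS = {
    1311: "ERROR_NO_LOGON_SERVERS: no logon server (DC) available",
    1326: "ERROR_LOGON_FAILURE: unknown user name or bad password",
    1327: "ERROR_ACCOUNT_RESTRICTION: account restriction prevents logon",
    1328: "ERROR_INVALID_LOGON_HOURS: logon outside permitted hours",
    1329: "ERROR_INVALID_WORKSTATION: logon from this workstation not allowed",
    1330: "ERROR_PASSWORD_EXPIRED: password has expired",
    1331: "ERROR_ACCOUNT_DISABLED: account is disabled",
    1909: "ERROR_ACCOUNT_LOCKED_OUT: account is locked out",
}

# service, date, time, severity, code, thread id (assumed), optional 0x.. field, message
LINE_RE = re.compile(
    r"^(?P<svc>\S+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<sev>[A-Z])\s+(?P<code>\d+)\s+(?P<tid>\d+)\s+(?:0x[0-9a-fA-F]+\s+)?(?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAILED_RE = re.compile(r"Windows authentication FAILED \(error (?P<err>\d+)L?\)")

# First six lines are taken from the excerpts above; the jdoe lines are constructed.
SAMPLE = """\
AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:41:02 A 1763 3900 0x0 NTLIB: Attempting Windows authentication for user jdoe
CSWinAgent 11/30/2009 15:41:02 A 1815 3900 0x0 NTLIB: Windows authentication FAILED (error 1909L)
""".splitlines()


def parse_failures(lines):
    """Return one dict per FAILED line, carrying the user named by the preceding
    'Attempting' line on the same service/thread (None when the log omits it)."""
    pending = {}   # (service, thread id) -> user from the latest 'Attempting' line
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the expected layout; skip rather than guess
        key = (m["svc"], m["tid"])
        attempt = ATTEMPT_RE.search(m["msg"])
        if attempt:
            pending[key] = attempt["user"]
            continue
        failed = FAILED_RE.search(m["msg"])
        if failed:
            err = int(failed["err"])
            failures.append({
                "when": f'{m["date"]} {m["time"]}',
                "service": m["svc"],
                "user": pending.pop(key, None),
                "error": err,
                "meaning": WIN32_LOGON_ERRORS.get(err, "unmapped Win32 error"),
            })
    return failures


def summarize(failures):
    """Count failures per (user, error), most frequent first, and mark machine
    accounts (Windows account names ending in '$')."""
    counts = Counter((f["user"], f["error"]) for f in failures)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0][0])))
    return [
        {"user": user, "error": err, "count": n,
         "machine_account": bool(user) and user.endswith("$"),
         "meaning": WIN32_LOGON_ERRORS.get(err, "unmapped Win32 error")}
        for (user, err), n in ordered
    ]


if __name__ == "__main__":
    for row in summarize(parse_failures(SAMPLE)):
        kind = "machine" if row["machine_account"] else "user"
        print(f'{row["count"]}x {row["user"] or "<not logged>"} ({kind}): '
              f'{row["error"]} {row["meaning"]}')
```

In the sample, the single RADIUS test against ABC$ shows up as two Windows attempts because of the "Reattempting authentication at domain" step, which is worth knowing when comparing these counts with failed-logon counts on the domain controller.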
Join acs express to active directory domain
I have a problem joining ACS Express to an Active Directory domain. Both are reachable to each other in the same subnet and there are no firewalls between them, but when I test the connectivity it gives this error:
" required service unavailable. DNS is setup correctly , and the domain controller is reachable , however , one of the required services, such as ldap,kerberos, or global catalog service is not available. This issue may arise if there is a firewall between AD domain controller, and the ACS Express appliance"
It sounds like bug CSCsw29387, "Join AD domain, with one DC down fails". If the ACS Express is trying to join an AD domain in a multi domain controller environment and one of the domain controllers is down, the ACS Express will fail to join the domain.
-
Cisco ACS 5.3 multiple AD domains
Hello everyone
I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?
Thanks,
Markus
Markus,
If you are using PEAP MSCHAPv2 then you can not use LDAP.
Here is the link when it comes to authentication protocol and database support -
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase.html#wp1014889
thanks,
Tarik Admani
-
ACS Mapping Group @ Trust-Tree (Domain Trust)
Dears,
Could ACS mapping group @ AD Domain trust??
I install abc.com / qqq.com and trust other!
My ACS install in abc.com domain, but I cannot get qqq.com user information?
^ ^
Message edited by: mr.marslin
The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a CiscoSecure ACS group for assigning authorization profiles. For external user databases from which CiscoSecure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific CiscoSecure ACS groups.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4f.html#wp712817 -
ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation
We are running Cisco ISE 1.2. We have a new AD domain with a forest trust relation between the new and the old domains. Authentication with the new domain fails.
Are there any requirements or configuration changes that need to be made to make it succeed?
Use the license that is currently on your ISE. If your account has access to download the software, then you are good. The license will not change during the upgrade. If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus/Apex licensing model.
If you are not yet on Patch 8, then you are using Base/Advanced and these will be converted during the upgrade.
Charles Moreton -
Can I run 2 different domains with same name but on 2 different machines?
I am trying to setup 2 domains with same name (sharedcds1) on 2 different machines (Machine1 and Machine2).
When I start the weblogic managed server 1 (sharedcds1managedserver1) on Machine2, it throws an error saying it has some conflicts with the managed server 1 running on Machine1. How did the managed server of one machine know about the other server. Can I run 2 different domains with same name but on 2 different machines?
Here is the error in the log -
<Jun 14, 2005 10:53:29 AM EDT> <Error> <Cluster> <BEA-000123> <Conflict start: You tried to bind an object under the name weblogic.transaction.coordinators.sharedcds1managedserver1 in the JNDI tree. The object from 4596206652609838848S:130.170.61.153:[9505,9505,-1,-1,9505,-1,-1,0,0]:sharedcds1:sharedcds1managedserver1 is non-clusterable, and you have tried to bind more than once from two or more servers. Such objects can only be deployed from one server.>
<Jun 14, 2005 10:53:29 AM EDT> <Error> <Cluster> <BEA-000123> <Conflict start: You tried to bind an object under the name weblogic.transaction.coordinators.sharedcds1managedserver1 in the JNDI tree. The object from 8842351474821025197S:130.170.61.154:[9505,9505,-1,-1,9505,-1,-1,0,0]:sharedcds1:sharedcds1managedserver1 is non-clusterable, and you have tried to bind more than once from two or more servers. Such objects can only be deployed from one server.>
Thanks
Satish
Yes you can. Make sure that the domains are configured to use different multicast addresses. WLS uses multicast for communications between nodes in a domain.
Although your configuration will work, you could have trouble if you are going to execute inter-domain calls between domains/servers with the same names. -
As title,
I have a domain with 2 DCs (both virtual machines) on 2 different Hyper-V hosts, and one of them performs as a PDC Emulator.
Does this case have any influence on the time sync?
i.e. Both of the VMs sync with Hyper-V host, instead the other host should sync with the PDC Emulator?
I run w32tm command and get the following result:
C:\Users\Administrator.DOMAIN8>w32tm /query /computer:dc8.domain8.local /source
VM IC Time Synchronization Provider
C:\Users\Administrator.DOMAIN8>w32tm /query /computer:hpvzh05.domain8.local /source
VM IC Time Synchronization Provider
HPVZH05.domain8.local works as PDC server.
How can I make DC8 sync with HPVZH05?
Awesome!
It looks like your PDC is successfully pulling time from an external source. DC8 is no longer pulling from Hyper-V so that is good.
When you set a client to pull from a source ( and in this case DC8 is pulling from NT5DS, which tells it to pull from the PDC), and it CAN'T pull from that source, it will default to Local CMOS Clock. This is likely an easy fix.
First, check connectivity:
- Method one- Download Portqry and run this command: portqry -n HPVZH05 -p both -e 123 and see if the results say listening, or
- Method two- Run this command from DC8: w32tm /stripchart /computer:HPVZH05
If you get any kind of error using method two, it's a connectivity issue. (Maybe you have a firewall that's blocking access?)
The other cause of this, and probably more likely in your case, is that your PDC isn't properly advertising as a reliable time source, so DC8 isn't 'allowed' to pull from it.
Try running this command on your PDC: w32tm /config /reliable:yes
Then go restart time on your PDC, THEN DC8 again. (net stop w32time & net start w32time)
Here's an article you can reference: http://technet.microsoft.com/en-us/library/cc794937(v=WS.10).aspx
Chris Ream -
How do I create an Integration Domain with 3 servers ?
Hi,
I would like to create a WLI domain with three servers:
- One for the administration console;
- One for WLI;
- And the last to deploy EJB Session (which are the service called by WLI)
To create the domain, I use the WLI 8.1 SP4 Configuration Wizard.
After creating the domain with 3 services, I have not succeeded to start the WLI Server.
For another test, I would like to create a WLI domain with two servers:
- One for the administration console and WLI;
- And the last to deploy EJB Session
To create the main server, I have used the configuration wizard. For the other, I have used the console administration. With this configuration, the message broker was not initialised.
For the last test, I have created a domain with single server and I had no errors.
So, my question is: What is the method to create a domain with three servers?
Thanks for your help
Case 1: Test to define 3 servers
<4 nov. 2005 14 h 45 CET> <Notice> <WebLogicServer> <BEA-000328> <Starting WebLogic Managed Server "etsoWLI" for domain "complexDomain">
The WebLogic Server did not start up properly.
weblogic.management.AbortDeploymentException: weblogic.t3.srvr.FatalStartupException: Can't start server due to startup class failure WLI Startup Class - with nested exception:
[com.bea.wli.management.BPMComponentInitializationException: Failed to initialize ProcessConfiguration module]
at weblogic.t3.srvr.StartupClassService.addDeployment(StartupClassService.java:92)
at weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentTarget.java:337)
at weblogic.management.mbeans.custom.DeploymentTarget.addDeployments(DeploymentTarget.java:597)
at weblogic.management.mbeans.custom.DeploymentTarget.updateServerDeployments(DeploymentTarget.java:575)
at weblogic.management.mbeans.custom.DeploymentTarget.updateDeployments(DeploymentTarget.java:241)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.java:754)
at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:733)
at weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBeanImpl.java:509)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1560)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1528)
at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.java:988)
at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:946)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:954)
at weblogic.management.internal.MBeanProxy.invokeForCachingStub(MBeanProxy.java:481)
at weblogic.management.configuration.ServerMBean_Stub.updateDeployments(ServerMBean_Stub.java:7691)
at weblogic.management.deploy.slave.SlaveDeployer.updateServerDeployments(SlaveDeployer.java:1304)
at weblogic.management.deploy.slave.SlaveDeployer.resume(SlaveDeployer.java:347)
at weblogic.management.deploy.DeploymentManagerServerLifeCycleImpl.resume(DeploymentManagerServerLifeCycleImpl.java:229)
at weblogic.t3.srvr.SubsystemManager.resume(SubsystemManager.java:131)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:966)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:361)
at weblogic.Server.main(Server.java:32)
Reason: [Deployer:149601]The deployment framework was unable to resume accepting requests.weblogic.t3.srvr.FatalStartupException: Can't start server due to startup class failure WLI Startup Class - with nested exception:
[com.bea.wli.management.BPMComponentInitializationException: Failed to initialize ProcessConfiguration module]
<4 nov. 2005 14 h 45 CET> <Emergency> <WebLogicServer> <BEA-000342> <Unable to initialize the server: [Deployer:149601]The deployment framework was unable to resume accepting requests.weblogic.t3.srvr.FatalStartupException: Can't start server due to startup class failure WLI Startup Class - with nested exception:
[com.bea.wli.management.BPMComponentInitializationException: Failed to initialize ProcessConfiguration module]>
Case 2 : Test to define 2 servers
<4 nov. 2005 15 h 03 CET> <Error> <WLI-Core> <BEA-484037> <Process Tracking failed to initialize properly. Tracking data cannot be recorded for process type "/MailProcess/processes/process02.jpd".>
<4 nov. 2005 15 h 03 CET> <Error> <WLI-Core> <BEA-481000> <The Message Broker is not initialized>
<4 nov. 2005 15 h 03 CET> <Error> <WLW> <000000> <Failed to register subscriptions for JPD /MailProcess/processes/process02.jpd
java.lang.RuntimeException: The Message Broker is not initialized
at com.bea.wli.broker.MessageBroker.getMessageBroker(MessageBroker.java:277)
at com.bea.wli.control.MBUtils.registerSubscriptionRules(MBUtils.java:99)
at com.bea.wli.bpm.runtime.JpdDispFile$3.run(JpdDispFile.java:903)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at com.bea.wli.bpm.runtime.JpdDispFile.registerSubscriptions(JpdDispFile.java:912)
at com.bea.wli.bpm.runtime.JpdDispFile.<init>(JpdDispFile.java:212)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
at com.bea.wlw.runtime.core.dispatcher.DispUnit.loadDispFile(DispUnit.java:219)
at com.bea.wlw.runtime.core.dispatcher.DispUnit.<init>(DispUnit.java:153)
at com.bea.wlw.runtime.core.dispatcher.DispCache.ensureDispUnit(DispCache.java:578)
at com.bea.wlw.runtime.core.dispatcher.HttpServerHelper.getDispUnit(HttpServerHelper.java:501)
at com.bea.wlw.runtime.core.dispatcher.HttpServerHelper.executeGetRequest(HttpServerHelper.java:541)
at com.bea.wlw.runtime.core.dispatcher.HttpServer.doGet(HttpServer.java:81)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1006)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6718)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3764)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
>
javax.management.InstanceNotFoundException: lastEtsoDomain:Location=etsoMain,Name=MsgBroker,Type=MsgBrokerRuntime (admin server:true)
at weblogic.management.internal.MBeanHomeImpl.getMBean_helper(MBeanHomeImpl.java:145)
at weblogic.management.internal.MBeanHomeImpl.getMBean(MBeanHomeImpl.java:130)
at weblogic.management.internal.MBeanHomeImpl.getRuntimeMBean(MBeanHomeImpl.java:557)
at weblogic.management.internal.MBeanHomeImpl.getRuntimeMBean(MBeanHomeImpl.java:549)
at weblogic.management.internal.AdminMBeanHomeImpl.getRuntimeMBean(AdminMBeanHomeImpl.java:580)
at com.bea.wli.management.MBeanHelper.getMsgBrokerRuntimeMBean(MBeanHelper.java:549)
at com.bea.wli.bpm.runtime.__broker.listSubscriptions(__broker.java:178)
at com.bea.wli.bpm.runtime.__broker._jspService(__broker.java:833)
at com.bea.wlw.runtime.core.dispatcher.ServiceView.dispatchToPage(ServiceView.java:269)
at com.bea.wlw.runtime.core.dispatcher.ServiceView.forward(ServiceView.java:438)
at com.bea.wlw.runtime.core.dispatcher.HttpServerHelper.executeGetRequest(HttpServerHelper.java:617)
at com.bea.wlw.runtime.core.dispatcher.HttpServer.doGet(HttpServer.java:81)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1006)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6718)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3764)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
To use 3 managed servers with WebLogic, I must use a cluster environment.
WebLogic says: "WebLogic Integration domain that includes an administrative server and one or more managed servers must include a cluster. A WebLogic Integration domain that includes an administrative server and one or more managed servers without a cluster is an unsupported configuration."
Fred -
Hi,
we have acquired another company, and they have multiple, separate domains with the same name (every site has a domain with NetBIOS name "COMPANY" and DNS name "company.local"). Now we want to migrate all these domains into ours using ADMT.
Unfortunately, we did not manage to migrate one of these domains completely, so the trust must remain established for some time. But we have to continue with the second domain - which normally would require a trust, but of course we can't establish a trust to two domains with the same name at the same time.
I found two potential solutions for the dilemma, but I'm not sure if both are reasonable:
1) Rename the domain with RENDOM.EXE to COMPANY2 and company2.local and then migrate with ADMT
2) Migrate COMPANY to a temporary domain such as COMPANYTEMP and then migrate from COMPANYTEMP to our domain
Given that there are roughly 100 users, 2 domain controllers and 8 other servers, what would be the better approach? Is option 2 possible at all, so would I be able to use the sidHistory attribute migrated from the original COMPANY domain in our domain at all?
There is also an Exchange 2007 server, which seems to make option 1 impossible unless we find another way to migrate it (like, export all mailboxes to PST before migration) ...
Ok, that's what I expected. Still, I have servers in the old domain, so if I do these steps:
first create a new temporary domain i.e COMPANYTEMP and
create trust between COMPANYTEMP - COMPANY(Right)
then do the migration with sidHistory from COMPANY(right) --> COMPANYTEMP ,
disconnect the domain COMPANY(right) ,
users will lose connectivity to any servers in the domain. I understand that it does not work with all domains connected? Of course I can't make OURCOMPANY's domain controllers see the DCs of COMPANY (right) in DNS (though I could achieve it the other way round).
My original plan was:
first create a new temporary domain i.e COMPANYTEMP and
create trust between COMPANYTEMP - COMPANY(Right)
then do the migration with sidHistory from COMPANY(right) --> COMPANYTEMP ,
create trust between OURDOMAIN and COMPANYTEMP
then do the migration with sidHistory from COMPANYTEMP --> OURDOMAIN,
Migrate users
Migrate computers
Migrate servers
remove trusts and old domain
But I see that this will not work out, right? So, my only option would be:
first create a new temporary domain i.e COMPANYTEMP and
create trust between COMPANYTEMP - COMPANY(Right)
then do the migration with sidHistory from COMPANY(right) --> COMPANYTEMP ,
Migrate computers and servers to COMPANYTEMP
Install new Exchange server in COMPANYTEMP
migrate mailboxes to COMPANYTEMP
disconnect / abandon COMPANY(right)
create trust between OURDOMAIN and COMPANYTEMP
then do the migration with sidHistory from COMPANYTEMP --> OURDOMAIN,
Migrate users
Migrate computers
Migrate servers
Migrate mailboxes
remove trusts and old domain
And to minimize user impact, all this would have to be done in one go (over night), which is hardly possible ... -
I have forgotten my appleID password and the email it is linked to is deactivated, security questions aren't working. This is on my iPhone and iTunes acs so I can't sync with my new computer. How do I merge AppleID accounts and shut down the old one (when I have no password and the security questions aren't working?)
You cannot merge Apple ID accounts, that has never been supported.
You can contact the Apple ID Security folks per the listing in http://support.apple.com/kb/HT5699 and they can help reset security questions and get the account working. -
How to delete multiple data domains with single step ?
how to delete multiple data domains with single step ?
You can go to your Endeca-Server domain home e.g.($WEBLOGIC-HOME$/user_projects/domains/endeca_server_domain/EndecaServer/bin)
run
[HOST]$ ./endeca-cmd.sh list-dd
default is enabled.
GettingStarted is enabled.
endeca is enabled.
BikeStoreTest is enabled.
create a new file from the output just with the domains that you want to delete and then create a loop
[HOST]$ vi delete-dd.list
default
GettingStarted
endeca
BikeStoreTest
[HOST]$ for i in $(cat delete-dd.list); do ./endeca-cmd.sh delete-dd "$i"; done
Remember that this can not be undone, unless you have a backup. -
Reg : Creation of domain with 8130 characters
Hi Experts,
I want to create Domain with 8130 characters...
Can anybody suggest..
Thanks & Regards,
Mahendar.
I don't think string can contain 8130 characters
Mahendar, can you please tell us what option you used -
Two soa domain with same name "TestSOADomain" sharing same SOA schema ?
I tried creating two soa domain with same name "TestSOADomain" (different path) sharing same SOA schema .However one domain came UP to Running mode and other domain going to AdminMode and "soa-infra" application of that domain is not active.
I do want to understand can this be possible with SOA ,ie. two soa domain sharing same SOA schema ?
If possible what are all the problems might come
1. While executing soa composites with asyncronous behaviour ?
2. How the polling services will work ?
3. will the XREF_DATA table ROW_NUMBER column inserted uniquely while inserting data from two different domain into same SOA schema ?
4. Other issues ?
Thanks
Each domain is expected to refer to its own unique database schema. Same SOA schema should not be shared by multiple SOA clusters/domains. It is technically possible though, I suppose, and still can run fine any one SOA environment at any given time with the other SOA environments/domains (sharing the same SOA schema) shutdown. It is not the general/recommended practice to share SOA schema across domains and there could be potential implications and unexpected behavior, particularly when the SOA environments pointing to the same schema are all running at a time.