ACS Mapping Group @ Trust-Tree (Domain Trust)

Dears,
Can an ACS mapping group work across an AD domain trust?
I installed abc.com and qqq.com and trusted the other!
My ACS is installed in the abc.com domain, but I cannot get qqq.com user information?
^ ^
Message edited by: mr.marslin

The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a CiscoSecure ACS group for assigning authorization profiles. For external user databases from which CiscoSecure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific CiscoSecure ACS groups.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4f.html#wp712817

Similar Messages

  • Cisco ISE and forest trusts vs domain trusts

    Hi All,
    Are there any issues with forest trusts with Cisco ISE?
    I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
    They recently removed external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc ok, authz fail.
    I can search and get lists of AD groups ok for the remote domain.
    Using the attribute tab, I can't get attributes for users in the remote domain.  I'm thinking since I can't see the memberOf attribute, none of my authz policies will work.
    I have done "leave" and "join" domain again.
    In my lab, I have forest trusts and it actually works ok.  A previous poster talked about Kerberos issues across forest trusts?
    Cheers
    Peter.

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on page 170.

  • Domain trust parameters meaning

    Hi all,
    can you help me understand what's the meaning of these parameters returned after querying a DC for trust relationships?
    DOMAIN_NAME={domain.netbios.name=NETBIOS_NAME,
    domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=DNS_NAME,
    domain.trust.type=2, objectGUID=0etc, objectSid=Setc}
    Specifically I'm interested in these parameters:
    domain.flags
    domain.trust.attributes
    domain.trust.type
    What do they represent and what are the possible values?
    Thanks in advance
    Have a nice day

    I believe the answer is: https://msdn.microsoft.com/en-us/library/cc237110.aspx
    so in my case 
    domain.flags -> I don't understand this
    domain.trust.attributes -> Domain is root of another forest
    domain.trust.type -> Trust is with a Windows Active Directory-based Domain
    Is this correct?
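As an added example (not part of the question or the reply above), the PowerShell below decodes the three numeric fields of the record quoted in the question. The bit and enum values come from MS-NRPC 2.2.1.6.2 (DS_DOMAIN_TRUSTSW Flags, the link in the reply, which is what domain.flags carries) and from MS-ADTS 6.1.6.7.9 and 6.1.6.7.15 (the trustAttributes and trustType attributes of the trustedDomain object). The input string is the record from the question with its placeholder names kept; the code runs offline in Windows PowerShell or pwsh and needs no AD module.

```powershell
# Added example, not code from the thread. Constant names follow MS-NRPC / MS-ADTS.

# domain.flags: MS-NRPC DS_DOMAIN_TRUSTSW Flags
$DsDomainFlags = [ordered]@{
    0x01 = 'DS_DOMAIN_IN_FOREST'        # member of the queried DC's forest
    0x02 = 'DS_DOMAIN_DIRECT_OUTBOUND'  # queried domain trusts this domain
    0x04 = 'DS_DOMAIN_TREE_ROOT'
    0x08 = 'DS_DOMAIN_PRIMARY'          # the queried DC's own domain
    0x10 = 'DS_DOMAIN_NATIVE_MODE'
    0x20 = 'DS_DOMAIN_DIRECT_INBOUND'   # this domain trusts the queried domain
}

# domain.trust.attributes: MS-ADTS trustAttributes bit flags
$TrustAttributes = [ordered]@{
    0x001 = 'NON_TRANSITIVE'
    0x002 = 'UPLEVEL_ONLY'
    0x004 = 'QUARANTINED_DOMAIN'      # SID filtering ("quarantine") on an external trust
    0x008 = 'FOREST_TRANSITIVE'       # forest trust; the other side is a forest root
    0x010 = 'CROSS_ORGANIZATION'      # selective authentication
    0x020 = 'WITHIN_FOREST'
    0x040 = 'TREAT_AS_EXTERNAL'       # forest trust treated as external for SID filtering
    0x080 = 'USES_RC4_ENCRYPTION'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x400 = 'PIM_TRUST'
    0x800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
}

# domain.trust.type: MS-ADTS trustType enumeration
$TrustTypes = @{ 1 = 'DOWNLEVEL (Windows NT 4)'; 2 = 'UPLEVEL (Active Directory)'; 3 = 'MIT (Kerberos realm)'; 4 = 'DCE' }

function Expand-Bits([int]$Value, [System.Collections.IDictionary]$Table) {
    # Return the names of every bit set in $Value, flagging bits the table does not know.
    $names = @(); $known = 0
    foreach ($e in $Table.GetEnumerator()) {
        $known = $known -bor $e.Key
        if ($Value -band $e.Key) { $names += $e.Value }
    }
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { $names += ('UNKNOWN(0x{0:X})' -f $unknown) }
    return $names
}

function ConvertFrom-TrustRecord([string]$Record) {
    # Pull the "domain.<key>=<value>" pairs out of the bracketed record shown in the question.
    $f = @{}
    foreach ($m in [regex]::Matches($Record, '(domain\.[\w.]+)=([^,}\s]+)')) {
        $f[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $flags = [Convert]::ToInt32($f['domain.flags'], 16)             # accepts the 0x prefix
    $attrs = [Convert]::ToInt32($f['domain.trust.attributes'], 16)
    $type  = [int]$f['domain.trust.type']
    [pscustomobject]@{
        DnsName             = $f['domain.dns.name']
        Flags               = (Expand-Bits $flags $DsDomainFlags) -join ', '
        Attributes          = (Expand-Bits $attrs $TrustAttributes) -join ', '
        Type                = $TrustTypes[$type]
        TwoWay              = (($flags -band 0x22) -eq 0x22)   # direct outbound AND direct inbound
        SidFilterQuarantine = [bool]($attrs -band 0x4)
        SelectiveAuth       = [bool]($attrs -band 0x10)
    }
}

# Constructed input: the record from the question, placeholder names left in place.
$sample = 'DOMAIN_NAME={domain.netbios.name=NETBIOS_NAME, domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=DNS_NAME, domain.trust.type=2, objectGUID=0etc, objectSid=Setc}'
ConvertFrom-TrustRecord $sample | Format-List
```

For the values in the question this prints Flags = DS_DOMAIN_DIRECT_OUTBOUND, DS_DOMAIN_DIRECT_INBOUND (a direct two-way trust to a domain outside the queried forest), Attributes = FOREST_TRANSITIVE and Type = UPLEVEL, which agrees with the reply's reading of the last two fields. The security-relevant bits to watch on a live trust are 0x4 (SID filtering on an external trust), 0x40 (a forest trust deliberately treated as external) and 0x10 (selective authentication); on a domain member the same data comes from `Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, TrustAttributes, SIDFilteringQuarantined, SelectiveAuthentication`.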

  • Domain Trust and DNS

    Hello,
    We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain.  Nearly all works, we can share folder permissions etc., but what we can't do on their domain is add a PC on their network that is part of our domain.
    The error is:
    it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
    If they go to their DNS and look at the secondary forward lookup zone for ukdomain.local it doesn't show a zone called _msdcs under ukdomain.local; instead, outside my zone we have a separate zone called _msdcs.gb.vo.local, like this:
    DC1
    ----->Forward Lookup Zones
    -------->_Msdcs.ukdomain.local
    -------->ukdomain.local
    I thought it should look like this:
    DC1
    ----->Forward Lookup Zones
    ------->ukdomain.local
    --------->_Msdcs
    Thanks

    If you are on their network can you ping their domain?
    If not then you have a DNS, routing, or firewall issue.
    Are ports being blocked?  For DNS, add a conditional forwarder to point to DNS for the other Domain and do the same on the other side, this will work better in 2008 as it's replicated to the forest.
    Testing Domain Controller Connectivity Using PORTQRY
    Protocol and Port       | AD and AD DS Usage                                                             | Type of traffic
    TCP and UDP 389         | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
    TCP 636                 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
    TCP 3268                | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
    TCP 3269                | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
    TCP and UDP 88          | User and Computer Authentication, Forest Level Trusts                          | Kerberos
    TCP and UDP 53          | User and Computer Authentication, Name Resolution, Trusts                      | DNS
    TCP and UDP 445         | Replication, User and Computer Authentication, Group Policy, Trusts            | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
    TCP 25                  | Replication                                                                    | SMTP
    TCP 135                 | Replication                                                                    | RPC, EPM
    TCP Dynamic             | Replication, User and Computer Authentication, Group Policy, Trusts            | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
    TCP 5722                | File Replication                                                               | RPC, DFSR (SYSVOL)
    UDP 123                 | Windows Time, Trusts                                                           | Windows Time
    TCP and UDP 464         | Replication, User and Computer Authentication, Trusts                          | Kerberos change/set password
    UDP Dynamic             | Group Policy                                                                   | DCOM, RPC, EPM
    UDP 138                 | DFS, Group Policy                                                              | DFSN, NetLogon, NetBIOS Datagram Service
    TCP 9389                | AD DS Web Services                                                             | SOAP
    UDP 67 and UDP 2535     | DHCP (note: DHCP is not a core AD DS service but it is often present in many AD DS deployments) | DHCP, MADCAP
    UDP 137                 | User and Computer Authentication                                               | NetLogon, NetBIOS Name Resolution
    TCP 139                 | User and Computer Authentication, Replication                                  | DFSN, NetBIOS Session Service, NetLogon
    If it answered your question, remember to “Mark as Answer”.
    If you found this post helpful, please “Vote as Helpful”.
    Postings are provided “AS IS” with no warranties, and confers no rights.
    Active Directory: Ultimate Reading Collection
    Active Directory Visio Stencils 2013 - Directory Services Visio Stencils
    Kelly Bush
    It appears that you've copied and posted the chart, with some editing,
    from my blog, link posted below. No problem, as long as it helps the poster. :-)
    Active Directory Firewall Ports – Let’s Try To Make This Simple
    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
    Also, I would like to add, for firewall checks, make sure the ephemeral ports are opened. These are the important random response ports. The ports are dependent on the operating system version.
    Here's the matrix:
    Ephemeral Ports:
    And most of all, the Ephemeral ports, also known as the "service response ports," are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the 'client' may be) and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what 'ephemeral' means.
    Port range              | Operating system              | Use
    TCP & UDP 1025-5000     | Windows 2003/XP and older     | Ephemeral Dynamic Service Response Ports
    TCP & UDP 49152-65535   | Windows 2008/Vista and newer  | Ephemeral Dynamic Service Response Ports
    Protocol and Port       | AD and AD DS Usage                                                  | Type of traffic
    TCP Dynamic Ephemeral   | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
    UDP Dynamic Ephemeral   | Group Policy                                                        | DCOM, RPC, EPM
    If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
    TCP & UDP 1024 – 65535  | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
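The conditional forwarder, the SRV lookup and the port check from the two replies above, as an added PowerShell example that is not from either poster. It is meant to be run on a DNS server or DC in the domain that cannot resolve ukdomain.local; 10.0.0.10 stands for a DNS server in ukdomain.local and dc1.ukdomain.local for a DC there, both placeholders. The DnsServer cmdlet needs the DNS Server role or RSAT DNS tools; Test-NetConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not code from the thread. All host names and addresses are placeholders.

# 1. Conditional forwarder for the other domain, stored in AD and replicated forest-wide
#    (the 2008 behaviour the reply refers to; no secondary or stub _msdcs zone is needed)
Add-DnsServerConditionalForwarderZone -Name 'ukdomain.local' -MasterServers 10.0.0.10 -ReplicationScope 'Forest' -PassThru

# 2. The exact record the domain-join error complains about, then the DC locator itself
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.ukdomain.local' -Type SRV
nltest /dsgetdc:ukdomain.local /force

# 3. TCP reachability for the fixed ports in the table above
$dc = 'dc1.ukdomain.local'
$fixedTcp = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'
    389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos kpasswd'; 636 = 'LDAP SSL'
    3268 = 'LDAP GC'; 3269 = 'LDAP GC SSL'; 9389 = 'AD DS Web Services'
}
$fixedTcp.GetEnumerator() | ForEach-Object {
    $t = Test-NetConnection -ComputerName $dc -Port $_.Key -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $_.Key; Service = $_.Value; TcpOpen = $t.TcpTestSucceeded }
} | Format-Table -AutoSize

# 4. UDP (53, 88, 123, 137, 138, 389, 464) and the RPC dynamic range need PortQry,
#    the tool named in the reply (separate download, not in the box)
portqry -n $dc -p udp -e 88
portqry -n $dc -p tcp -e 135        # asks the endpoint mapper, so the dynamic ports in use are listed

# 5. The ephemeral range this side actually uses (49152-65535 on 2008/Vista and newer)
netsh int ipv4 show dynamicport tcp
```

Test-NetConnection only tests TCP, which is why step 4 falls back to PortQry for Kerberos and LDAP over UDP; a DC that answers on 389/TCP but not 88/UDP will still fail the join. Step 3 in the reverse direction (from a DC in ukdomain.local towards their DCs) is needed as well, since the join and the trust secure channel are both two-way.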

  • What difference between a domain trust and a forest trust?

    What difference between a domain trust and a forest trust?

    Greetings!
    The answer is right on the question! :)
    I think it is best to distinguish properly between forest and domain. This article is a good one:
    What Are Domains and Forests?
    But in a nutshell, a forest trust is mostly used between two organizations. Suppose company A has a unique forest and company B has another unique forest as well; when they are merged they can simply create a forest trust between each other. This trust can
    be one-way or two-way depending on your needs.
    Domain trusts are between a single instance (domain) of a forest and another instance (domain) of another forest. It is worth mentioning that trust can be transitive as well.
    What Are Domain and Forest Trusts?
    I hope you got the answer.
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or Vote as Helpful to mark this post as answered and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.
    How to query members of 'Local Administrators' group in all computers?

  • Removing External Trust Type Domain

    We are in the process of planning our 2003 to 2012 R2 AD upgrade, yea I know, and we have a legacy external domain that I wish to collapse.
    The domain is set up with an external, non-transitive trust.
    It also shows another domain that we no longer have in the Trusts tab, showing Realm for trust type and Yes for transitive.
    My question is: when we DCPromo the last DC in the external domain, are the trust settings removed automatically, or do I need to 'remove' them on both sides of the trust prior to the DCPromo process? Or does removing one side remove the other side's settings?
    Any concerns about the user account being used?  In each case I have an account in both domains that is a Domain Admin with the same name but different passwords.
    Should I sync these PWs up for this process?
    Also, am I correct in the thought that collapsing the external trust domain should not have any effect on my primary domain that is still in place, or are there other points that I should be aware of in this process?

    Hi,
    Yes, I would agree with others, you could remove the External Trust.
    How to Remove Existing Active Directory Trust Relationships
    Open the Active Directory Domains And Trusts console.
    In the console tree, right-click a domain that is specified in the trust relationship to be removed and select Properties from the shortcut menu.
    Click the Trusts tab.
    Use the Domains Trusted By This Domain (Outgoing Trusts) box to select the trust to be removed.
    Click the Remove button alongside the box.
    In order to remove the trust from the local domain only, click the No, Remove The Trust From The Local Domain Only option, and click OK.
    In order to remove the trust from the local domain and the other domain, click the Yes, Remove The Trust From Both The Local Domain And The Other Domain option. Enter the appropriate user name and password combination in the User Name and Password boxes
    and click OK.
    Click Yes to verify the desire to remove the trust relationship.
    Use the Domains That Trust This Domain (Incoming Trusts) box to select the trust to be removed.
    Choose the appropriate option in the Active Directory dialog box and click OK.
    Click Yes to verify the desire to remove the trust relationship.
    Please feel free to let us know if you need further assistance.
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Domain Trust Relationships in Windows Small Business Server 2011

    I have seen that SBS 2011 (and older SBS versions, apparently) do not 'support' Domain Trust relationships.
    Before coming across this information, I have already successfully created a trust relationship between a newly created SBS 2011 domain and an existing 2008 Domain, and everything seems to be working fine - users from one domain are recognized on the other,
    etc.
    So I was wondering - is the 'not supported' more of a 'you're on your own if it breaks', is this a violation of the license, or is it some sort of freak occurrence and I am extremely lucky to have gotten this to work.  This is actually my first time
    setting up a trust relationship and the entire process took about 10 minutes, so it seemed extremely easy for something that I now find out is unsupported.
    If it is a license violation, I'll remove the trust relationship immediately.  This is not a permanent configuration, just testing our software on the SBS2011 platform and domain trusts were the most expedient way of adding the SBS Domain users to the
    list of authorized users on our primary domain's SQL Server.
    Thanks in advance.

    From here, it says that the trust relationship is not supported for SBS: http://technet.microsoft.com/en-us/library/cc672124%28v=ws.10%29.aspx
    This means that this has not been tested by Microsoft and if you have issues, you will not get support from Microsoft.
    I don't think that this is a violation of the license, but it would be better to check with a Microsoft licensing expert in your country.
    You may get more if you ask them here: http://social.technet.microsoft.com/Forums/en-US/category/sbsserver
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

  • Setting up two way AD domain trust ?

    Hi,
    I'd like to know what steps I need to take when setting up an Active Directory domain trust between two or more different AD domains, and also the steps to undo the domain trust in case I need to prevent some issues.
    Because I currently have about 15+ site offices that run their own Active Directory domain, to be joined with my current parent company AD domain.
    Thanks
    /* Server Support Specialist */

    Have you thought about using Azure Active Directory with user synchronization to consolidate all your offices in one place?
    Answering directly: there are different types of trusts. Think about setting up a 1-way trust (users from the first domain can get access to the resources in the second domain but not the other way round) or a 2-way trust (users in both domains get access to resources
    such as applications or systems in both domains). Please read https://technet.microsoft.com/en-us/library/cc730798.aspx
    Setting up the trust is a rather easy task (https://technet.microsoft.com/en-us/library/cc771580.aspx) and can be undone easily as well (https://technet.microsoft.com/en-us/library/cc771137.aspx)
    Hope that helps!
    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.
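The create, verify and remove steps that this thread and the earlier "Removing External Trust Type Domain" thread ask about, as one added example run from the command line rather than the Domains and Trusts console. It is not code from either thread. Placeholders: parent.example.com is the trusting (resource) domain you administer, branch01.example.net the domain being trusted or collapsed, BRANCH01\Administrator a Domain Admin over there; run it on a DC or RSAT host in parent.example.com as a Domain Admin of that domain. "*" makes netdom prompt for the other side's password instead of leaving it in the command history.

```powershell
# Added example, not code from the threads. Domain and account names are placeholders.
$trusting   = 'parent.example.com'
$trusted    = 'branch01.example.net'
$otherAdmin = 'BRANCH01\Administrator'   # Domain Admin account in the other domain

# 0. The other domain must be resolvable before the wizard or netdom will get anywhere
Resolve-DnsName -Name $trusted -Type NS
nltest /dsgetdc:$trusted /force

# 1. Create a two-way external trust (drop /twoway for one-way: $trusting trusts $trusted)
netdom trust $trusting /d:$trusted /add /twoway /userD:$otherAdmin /passwordD:*

# 2. Security posture of an external trust: keep SID filtering (quarantine) on and
#    enable selective authentication, so accounts from the other domain can use
#    nothing until they are granted "Allowed to Authenticate" on a specific resource
netdom trust $trusting /d:$trusted /quarantine:Yes /userD:$otherAdmin /passwordD:*
netdom trust $trusting /d:$trusted /selectiveauth:Yes /userD:$otherAdmin /passwordD:*

# 3. Verify the trust secure channel and inspect the trustedDomain object
netdom trust $trusting /d:$trusted /verify /userD:$otherAdmin /passwordD:*
nltest /sc_verify:$trusted
Get-ADTrust -Filter "Target -eq '$trusted'" |
    Select-Object Name, Direction, TrustType, TrustAttributes, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication

# 4. Undo: remove the trust from both sides while the other domain's DCs still answer
netdom trust $trusting /d:$trusted /remove /userD:$otherAdmin /passwordD:*

# 4b. If the other domain is already gone (last DC demoted), delete the local side only
netdom trust $trusting /d:$trusted /remove /force
netdom query trust
```

/userD and /passwordD are credentials in the trusted (other) domain; add /userO and /passwordO if the account you are logged on with lacks rights in the trusting domain. That also answers the same-named Domain Admin question in the other thread: the two accounts stay separate and need not share a password. Demoting the last DC of the other domain changes nothing on your side; the trustedDomain object in your domain remains until you remove it, so run step 4 before the demotion, or step 4b afterwards. /quarantine applies to external trusts; on a forest trust the equivalent control is /EnableSIDHistory:No.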

  • Pros and cons in setting AD domain trust into my AD domain for more than 10+ AD domain and some with same FQDN or label ?

    Hi,
    Can someone please share the pros and cons of trusting AD domains for more than 10 different AD sites into my existing single-domain forest, let's say ParentCompany.com?
    At the moment I only have one single-forest AD domain with the domain and forest functional level at Windows Server 2003. The main domain controller FSMO role holder is in the data center, spread across three different VMs running Windows Server 2008 R2.
    The main/parent company has acquired a smaller business chain of 15+ offices in which they have their own domain controller and also their own domain; sometimes they also have the same AD domain name between them (no trust or whatsoever in those 15+ AD domains).
    Sounds crazy but yes, there is no standardization in them or whoever managed their IT infrastructure previously.
    I'm now considering what the benefits are of creating the AD domain trust versus importing those AD objects into my domain and then decommissioning them.
    No need to worry about Exchange Server since all of the users in those sites connect through RDS to my ParentCompany.com terminal servers.
    My requirements or goals are as follows:
    1. Simplify the AD domain structure & maintenance
    2. Try to avoid disruption of the users in terms of downtime and selecting multiple different domains every time they log in to their PC or SharePoint sites.
    Any kind of help and suggestion would be greatly appreciated.
    Thanks.
    /* Server Support Specialist */

    Can someone please share what is the pros and Cons of trusting AD domain for more than 10 different
    AD sites into my existing single domain forest let say ParentCompany.com ?
    I think you mean 10 AD domains.
    Managing multiple domains can be difficult for administration. I usually recommend using a single domain in a single forest with OUs to separate resources whenever it is possible.
    However, if you can't do that then you can simply create trust relationships between your domains. The advantage is that you can enable access to resources to different domains. I do not see cons here.
    The main/parent company has acquired smaller business chain of 15+ offices in which they have
    their own Domain Controller and also their own domain, sometimes they also got the same AD domain between them (no trust or whatsoever in those 15+ AD domain). Sounds crazy but yes, there is no standardization in them or whoever manage their IT infrastructure
    previously.
    I'm now considering what are the benefits of creating the AD domain and trust versus importing those
    AD objects into my domain and then decommission them.
    I would recommend consolidating your domains into a single one. ADMT is a migration tool that you can use. The advantage would be the ease of administration. Also, by having multiple DCs for the same domain across sites, you will benefit from High Availability
    and DRP.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • CRM2011/3: Outlook CRM Cient Issues with Dual Domain (trusted forest)

    We currently have CRM2011 but are about to migrate to CRM2013 and then to CRM2015. We have a configuration issue that we are not sure is supported and seek clarification from the community please.
    Our CRM deployment is working fine with the browser and Outlook CRM client on our single AD. Recently we have started allowing users within another AD to use our CRM. We have done this by setting up a bidirectional trust between the two domains.
    Users from the new domain can use CRM if we add their {domain}\{login} into the user entity by hand (the add multiple users feature cannot browse the trusted foreign domain).
    With the browser everything is fine; the new users from the foreign domain get straight in without needing to re-authenticate.
    However, we've not been able to install the Outlook CRM client for those users. Is this because they belong to another domain and the authentication is done differently to that of the browser?
    Is this scenario supported? Does it require Claims Authentication to get foreign Outlook users to connect?
    Any feedback gratefully received.

  • Filter out PeoplePicker results coming from trusted AD domains

    We have individuals who have accounts in multiple trusted domains. Thus when a search in PeoplePicker is performed, results will return multiple entries for those individuals.
    i.e. Bob has an account in the main AD domain foo.int and also has an account in the trusted AD domain bar.int. A search for Bob in PeoplePicker currently returns both entries, which is confusing to users.
    We have deprecated the trusted domain and eventually it will go away. However, until then we want PeoplePicker to only return results from the MAIN domain foo.int.
    I believe the correct solution is to setproperty peoplepicker-searchadcustomquery so that PeoplePicker only returns results from the main domain.
    I am not sure of the proper syntax and proper AD attribute to use in the property value for this command.
    stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv (?????)
    (from http://technet.microsoft.com/en-us/library/cc262988.aspx)
    Or is there another approach to this problem?

    Hi Bruce, 
    You want to restrict people picker to specific Domain.
    You can use the following command:
    stsadm -o setsiteuseraccountdirectorypath -url http://<RootSiteURL> -path "<Path to OU>"
    Path to OU examples:
    Single Domain: DC=DOMAIN, DC=COM
    For more information, see Setsiteuseraccountdirectorypath: Stsadm operation (Office SharePoint Server) (http://technet.microsoft.com/en-us/library/cc263328.aspx)
    By the way, the command you used before can also achieve the goal; what you need to do is specify a correct LDAP filter:
    stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv <LDAP Filter>
    Hope the information can be helpful.
    -lambert
    Posting is provided "AS IS" with no warranties, and confers no rights.

  • Remote windows 7 computer has lost trust with domain

    I have a remote Windows 7 box on a domain that has lost its domain trust.   I would like to just unjoin/rejoin the machine to reset the trust, but I can't log onto it with a domain account (even one that previously was logged onto the machine)
    and there is no local account on the box.  The local admin account is disabled and the domain admin account errors with the same trust failure message as all other accounts.  Is there any way to access this machine short of wiping it and rebuilding?

    When the secure channel is broken, you have to disjoin & rejoin the machine to the domain. Since you can't log in to the domain using any domain account & you don't have the local account password with you, it's difficult now.
    You can disconnect the LAN cable & try to log in with the previous successful domain login ID, but if the cache has been refreshed then it will not allow you to log in.
    You can use tricks to crack the password, else you have to rebuild the machine.
    http://www.online-tech-tips.com/windows-7/forgot-lost-administrator-password-windows-7/
    You can give the Artiste1 solution a try; if it works, fine, else rebuild is the option.
    Regards
    Awinish Vishwakarma| MY Blog
    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.
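Once you do have a session on the box (for example after resetting the local Administrator password offline, as the reply suggests), the secure channel can be repaired in place without the unjoin/rejoin cycle. This is an added example, not code from the thread; CORP, corp.example.com, DC01 and someadmin are placeholders, and the cmdlets are in Microsoft.PowerShell.Management on Windows 7 and later.

```powershell
# Added example, not code from the thread. Names are placeholders.
$dc   = 'DC01.corp.example.com'
$cred = Get-Credential 'CORP\someadmin'   # any domain account allowed to reset this computer's password

Test-ComputerSecureChannel                 # False: machine account password no longer matches the DC
nltest /sc_query:corp.example.com          # Netlogon's view of the same secure channel

# Re-key the machine account in place: no unjoin, no reboot, computer object and SID kept,
# so existing group memberships and GPO links on the computer object survive
Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred

# Alternative that only forces a new machine account password
Reset-ComputerMachinePassword -Server $dc -Credential $cred

Test-ComputerSecureChannel                 # True once the repair has taken
```

Run it from an elevated prompt; the credential is used against the DC, not for the local logon, which is why a local session is still needed first. If the box was restored from an image or snapshot, expect the channel to break again on the next machine-password rotation unless the restored copy is the one that stays in service.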

  • Error to export Trusted Publishing Domains

    Hi, I have a problem with an AD RMS installation.
    1. The digital certificate (SSL) is wrong; it is missing its private key.
    2. I replaced it with a new certificate (SSL) and the verification URL is OK (certification and licensing).
    3. I can't change the Cluster Key Password and the Service Account Password from the AD RMS console and I cannot export the Trusted Publishing Domain to install a new AD RMS and import the "old" Trusted Publishing Domain.
    I need to know which option I have to get my AD RMS working and continue to open my protected documents and email (Outlook).
    Camilo L

    Hi Camilo,
    Have you tried to access http(or https)://server_name/_wmcs/certification/certification.asmx and licensing pipeline to confirm that ADRMS is working correctly?
    Are you sure your cluster key is correct?
    Can you please try to add another W2K8R2 server with "Join an existing AD RMS cluster" option?
    Also, please view the AD RMS DR guide, which you may find useful: http://social.technet.microsoft.com/wiki/contents/articles/9111.disaster-recovery-guide-for-active-directory-rights-management-services.aspx
    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

  • Do I need to enable trust between domains in the following scenario

    I have a domain x and domain y on 2 separate machines. My client logs into domain x, does stuff and logs out. The same client now logs into domain y and needs to do stuff, but the second domain kicks out the client by throwing an exception saying "invalid subject" etc. But the same scenario works if I enable trust between both domains or have my client restart. What should I do so that the client can log out of domain x and log in to domain y without having to enable trust between domain x and y and without having to restart the client?
    Thanks
    Prashanth

    Hi Mike,
    there is no switching circuitry on the UMI, that could disable the Iso Power outputs and there is nothing you need to configure in MAX. If you can't measure a voltage between Iso Power and Iso Common pins on the Dsub outputs, the UMI might be defective (e. g. blown fuse). Please contact your local NI branch for repair options.
    Thanks and kind regards,
    Jochen

  • Domain trust bet. win2003 and win2008R2 not working

    Hi, I try to create a domain trust but it does not trust. I think I am missing something about DNS; I have read several documents but they describe different cases, case by case.
    I would like a good step-by-step guide for the DNS setup of domain A trusting domain B.
    Question: before running the trust wizard, should nslookup see domain B from the domain A domain controller?

    Hi,
    Below are some links to help you with this, depending on the trust type you want to establish.
    http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/
    DNS resolution for certain trust types:
    http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc756852(v=ws.10).aspx
    Hope this helps.
    Regards,
    Calin
