Active Directory: 2003 to 2012 R2 Upgrade across single forest with child domains

I just have a quick question about something that should be simple. We will be upgrading our current domain from Windows 2003 functionality to Windows 2012 R2. This forest has a domain and two child domains. I have two questions. Since we have to do this in a few steps in order to get up to 2012 functionality, I am wondering where it is considered best practice to start: in the root (top level) domain of the forest or in one of the child domains? I want to say the root (top level) domain is where I would place my first Windows 2012 R2 box and promote it to a domain controller, then move to the child domains once the root domain controllers have all been replaced with Server 2012.
Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

Yes. We are working with the client to migrate any dependencies off these 3 NT legacy domains. We will be able to decommission 2 of the 3 without any issues. However, they still have an old NT box running SQL 6.5 databases for an application still in production. Yes, they are very aware that NT isn't supported, that that version of SQL isn't supported, and that this will hold up their upgrade.
Our plans for them will be to deploy all new Windows Server 2012 R2 domain controllers but keep the domain and the forest functionality at 2003 in order to support that final NT Legacy domain until they can get that application migrated.
Once that NT domain is decommissioned then we can raise the functionality of the rest of their domains from 2003 to 2012 R2.
Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.
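
The staged plan in this thread (new 2012 R2 domain controllers in the root domain first, then the child domains, with the functional levels held at 2003 while a legacy domain is still trusted) can be tracked with a read-only inventory. This is an added example, not code from the thread; the function name, the `2012 R2` OS match and the `NeedsReview` flag are assumptions made for illustration.

```powershell
# Added example (not from the thread): read-only inventory of a forest before
# raising domain or forest functional levels. Nothing is modified.
Import-Module ActiveDirectory

function Get-ForestUpgradeInventory {
    param(
        # DNS name of the forest root; defaults to the forest of the logged-on user.
        [string]$ForestName = (Get-ADForest).Name,
        # Assumption: a DC counts as upgraded when its OS string contains this text.
        [string]$TargetOsText = '2012 R2'
    )

    $forest = Get-ADForest -Identity $ForestName

    # Root domain first, then the child domains: the order proposed in the post.
    $children = @($forest.Domains | Where-Object { $_ -ne $forest.RootDomain } | Sort-Object)
    $ordered  = @($forest.RootDomain) + $children

    foreach ($domainName in $ordered) {
        $domain = Get-ADDomain -Server $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

        # DCs still on an older OS block raising the domain functional level.
        $legacy = @($dcs | Where-Object {
            $_.OperatingSystem -notmatch [regex]::Escape($TargetOsText)
        })

        # Trusts that leave the forest (such as the legacy NT domains in the thread)
        # are listed so they can be reviewed before any level is raised.
        $external = @(Get-ADTrust -Filter * -Server $domainName |
            Where-Object { -not $_.IntraForest })

        [pscustomobject]@{
            Domain         = $domain.DNSRoot
            IsForestRoot   = ($domainName -eq $forest.RootDomain)
            ForestMode     = $forest.ForestMode
            DomainMode     = $domain.DomainMode
            DcCount        = $dcs.Count
            LegacyDcs      = ($legacy | ForEach-Object {
                                 "$($_.HostName) [$($_.OperatingSystem)]" }) -join '; '
            ExternalTrusts = ($external | ForEach-Object {
                                 "$($_.Name) ($($_.TrustType), $($_.Direction))" }) -join '; '
            # Assumption: any legacy DC or external trust means "look before raising".
            NeedsReview    = ($legacy.Count -gt 0 -or $external.Count -gt 0)
        }
    }
}

Get-ForestUpgradeInventory | Format-List
```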

Similar Messages

  • Migrate Active Directory 2003 to 2012 R2 and Exchange Server 2007 to 2013.

    My question is which one needs to be migrated first: Active Directory 2003 to 2012 R2 and FFL & DFL, or Exchange Server 2007 to 2013.
    Md. Ramin Hossain

    Domain. For Exchange installation and upgrading to 2013, you need to make sure that your domain controllers can understand the attributes of Exchange 2013. Besides, having DC/Exchange on the same server running 2003 is not supported, because Windows Server 2003 is not supported.
    Migrate your domain to at least 2008 R2 and then proceed with Exchange 2013.
    Mahdi Tehrani | www.mahditehrani.ir

  • Integration of sap R/3 (4.7) and Microsoft active directory (2003)

    Hi All,
    I would like to know about the integration of SAP R/3 (4.7) and Microsoft Active Directory (2003), and also SAP EP and Microsoft Active Directory. I have been working as an EP consultant with a local bank. I am new to this integration work, so please kindly provide me the steps for integrating both directories.
    Please help me with this issue.
    Thanks in advance,
    Regards,
    Raghav.

    Hi,
    First you should read:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
    Regards,
    Jarek

  • Active Directory 2003 and Sun One Directory Server 5.2

    I just installed Sun One Directory Server 5.2 on a Linux machine. I want to configure LDAP on that machine so that it can be authenticated on Active Directory 2003. How do I go about doing this?

    Active Directory server is a "directory server" (and kerberos server.) If your linux client authenticates against Active Directory it doesn't have to involve the Sun Directory Server at all. You have several general approaches you could investigate:
    1. Linux client gets accounts and authentication via LDAP from Active Directory.
    If you use AD to handle unix LDAP authentication (opt 1) you may need to extend the schema in AD to add the unix password field. I haven't tried it yet, but hope to.
    2. Linux client gets accounts from AD LDAP and authorization from AD Kerberos.
    There should be docs on support.microsoft.com on enabling kerberos support for non-Win clients.
    3. Linux client (with samba client installed, with winbind or pam_smb to support unix level services) gets accounts and authentication as a "Windows" client from Active Directory "Windows server".
    Check the samba.org documentation or forums; I think this is a pretty common solution.
    4. Linux client gets account information from Sun Directory Server but uses kerberos (against Active Directory) for authentication.
    There should be docs on support.microsoft.com on enabling kerberos support for non-Win clients.
    5. Linux client gets account and authorization from Sun Directory Server, with the Sun Directory Server configured to use Active Directory as a Kerberos server.
    Probably incredibly complex.

  • I am new How to make internet enable group in my active directory 2003 ?

    I am new How to make internet enable group in my active directory 2003 ?
    Thanks & Regards, Amol . Amol Dhaygude

    Greetings!
    What is Internet Enabled Group? Would you please clarify this?
    Mahdi Tehrani | www.mahditehrani.ir

  • Authenticating using Cisco ACS 4.2 integrated with Active Directory 2003

    How do I check that users are authenticated using Cisco ACS 4.2 integrated with Active Directory 2003? Can anyone help me with this? Thanks.

    You can't actually see the user's membership from ACS. All you can do is create a group mapping under the external database >> group mapping section. This would give you an option to map an external (AD) group to an internal group. The group membership needs to be modified under Active Directory.
    Once a user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it would be mapped to an ACS internal group based on the group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin

  • Upgradation Of Active Directory 2003

    Hi,
    Would like to upgrade AD 2003 to 2008.
    Please provide essential steps for the upgradations purpose.
    Regards
    Rajesh

    Hello,
    Here is a post which explains the procedure for upgrading AD 2003 to 2008.
    http://blogs.technet.com/b/omers/archive/2010/06/30/step-by-step-guide-for-upgrading-active-directory-from-microsoft-windows-2003-to-microsoft-windows-server-2008.aspx
    Hope this helps :)

  • If Active Directory will be affected when upgrade to Windows Server2008

    The client will be upgrading its existing AD to the Windows Server 2008 version. We would like to know what the impact will be on our ALUI portal.
    We have used AquaLogic Interaction Identity Service - Active Directory to create remote authentication and profile sources. And the users are currently being synchronized between the client's existing AD and the ALUI database on a daily basis.
    If the client upgrades the AD version, what will happen to the existing "AD users" in the ALUI database? The upgrade may involve installation of a new AD 2008.
    The existing client AD is installed in a separate machine from ALUI portal.
    Thanks,

    Hi there! Your laptop is certainly 'Windows 10 ready' as mentioned in the website: http://us.acer.com/ac/en/US/content/series/aspire-e You may also want to look into the following forum too: http://community.acer.com/t5/Windows-10/Welcome-to-the-Windows-10-forum-Start-here-first/m-p/366899#U366899 Regards

  • How to populate a sharepoint 2010 list from the active directory. How to populate a sharepoint 2010 list with all sharepoint user profiles

    How to populate a sharepoint 2010 from the active directory.
    I want a list of all the computers in the active directory,
    another one with all users.
    I want also to populate a sharepoint 2010 list from the sharepoint user profiles.
    Thanks
    sz

    While the contacts list is usually filled out for contacts that are outside the company, there are times when you would use a contacts list to store internal and external resources.  Wouldn’t it be nice if you didn’t have to re-type your internal contacts’ information that are already in the system?  Now you can with a little InfoPath customization on the contacts list.
    Here’s our plan:
    Create the contacts list, and open in InfoPath
    Create a data connection to the User Profile web service
    Customize the form adding some text, a people picker and a button
    Create InfoPath rules that will populate the contact fields from the user fields in the User Profile store
    Let’s get going!  Before we begin, make sure you have InfoPath 2010 installed locally on your computer.  I also want to give credit to Laura Rogers and Darvish Shadravan’s book Using Microsoft InfoPath 2010 with Microsoft SharePoint 2010 Step by Step.  I know it looks like a lot of steps, but it’s easy once you get the hang of it.
    So obviously we need a contacts list.  If you don’t already have one, go to the SharePoint site where it will live, and create a contacts list.
    From the list, click the List tab on the ribbon, then click Customize form:
    So now we have our form open in InfoPath 2010.  Let’s add our elements to the form. 
    Above all the fields, let’s add some text instructing users what to do with the field we’re about to add (e.g. To enter an existing user’s information, choose the user below).
    Insert a people picker control by clicking the Person/Group Picker control in the Controls section of the ribbon.  This will add a column to the contacts list called group.
    Below the people picker, insert a button control from the same section of the ribbon as above.  With the button still highlighted, click the Control Tools|Properties tab on the ribbon. 
    Then in the Label box, change the text to something more appropriate to our task (e.g. Click here to load user data!).
    You can drag the button control a little larger to account for the text.
    We should end up with something like this:
    Before we can populate the fields with user data, we need to create a connection to the User Profile Service.
    Add a data connection to the User Profile Service
    Click the Data tab on the ribbon, and click the option From Web Service, and From SOAP Web Service.
    For the location, enter the URL of your SharePoint site in the following format – http://<site url>/_vti_bin/UserProfileService.asmx?WSDL.  Click Next.
    Note - for the URL, it can be any SharePoint site URL, not just to the site where your list is.
    For the operation, choose GetUserProfileByName.  Click Next.
    Click Next on the next two screens.
    On the final screen, uncheck the box for “Automatically retrieve data when form is opened”. This is because we are going to retrieve the data when the button is clicked, also for performance reasons.
    Now we need to wire up the actions on our button to populate the fields with the information for the user in the people picker control.
    Tell the form to read the user from the people picker control
    Click the Home tab on the ribbon.
    Click the button control we created, and under the Rules section of the ribbon, click Manage Rules. Notice the pane appear on the far right.
    In the Rules pane, click New –> Action. Change the name to something like “Query and load user data”.
    Leave the condition to default (none – rule runs when button is clicked).
    Click the Add button next to “Run these actions:”, and choose “Set a field’s value”.
    For Field, click the button on the right to load the select a field dialog.  Click the Show advanced view on the bottom.  At the top, click the drop down and choose the GetUserProfileByName (Secondary) option.  Expand myFields and queryFields to the last option and highlight AccountName.  Click ok.
    For Value, click the formula icon. On the formula screen, click the Insert Field or Group button. Again click the show advanced view link, but this time leave the data connection as Main. Expand dataFields, then mySharePointListItem_RW.  At the bottom you should see a folder called group (the people picker control we just added to the form).  Expand this, then pc:Person, and highlight AccountId.  Click Ok twice to get back to the Rules pane.
    If we didn’t do this and just queried the user profile service, it would load the data of the currently logged in user.  So we need to tell the form what user to load the data for.  We take the AccountID field from the people picker control and inject into the AccountName query field of the User Profile Service data connection.
    Load the user profile service information for the chosen user
    Click the Add button next to “Run these actions:”, and choose Query for data.
    In the popup, for Data connection, click the one we created earlier – GetUserProfileByName and click Ok.
    We’re closing in on our goal.  Let’s see our progress.  We should see something like this:
    Now that we have the user’s data read into the form, we can populate the fields in the contact form.  The number of steps to complete will depend on how many fields you want to populate.  We need to add an action step for each field.  I’ll show you one example and then you will just repeat the steps for the other fields.  Let’s update the Job Title field.
    Populate the contact form fields with existing user’s data
    Click the Add button next to “Run these actions:”, and choose “Set a field’s value”.
    For Field, click the button on the right to load the select a field dialog.  Highlight the field Job Title.
    For Value, click the formula icon. On the formula screen, click the Insert Field or Group button.  Click the Show advanced view on the bottom. At the top, click the drop down and choose the GetUserProfileByName (Secondary) option.  Expand the fields all the way down until you see the Value field.  Highlight it but don’t click ok, but click the Filter Data button, then Add.
    For the first dropdown that says Value, choose Select a field or group.   The value field will be highlighted, but click the field Name field under PropertyData.  Click Ok.
    In the blank field after “is equal to”, click in the box and choose Type text.  Then type the text Title. 
    Click ok until you get back to the Manage Rules pane.  The last previous screen will look like this.
    We’re going to update common fields that are in the user’s profile, and likely from Active Directory.  You can update fields like first and last name, company, mobile and work phone number, etc.  For the other fields, the steps are the same except the Field you choose to update from the form, and the very last step where you enter the text will change.  Here’s what the rules look like when we’re done:
    We’re all done, good work!  You can preview the form and try it now.  Click Ctrl+Shift+B to preview the form.  Once you’re satisfied, you can publish the form back to the library.  Click File –> Quick Publish.  Once it’s done, you will get confirmation:
    Now open your form in SharePoint.  From the contact list, click Add new item.  Type in a name, and click the button and watch the magic happen!

  • How to do provisioning in Active Directory multiple level OU structure from FIM 2010 R2 with Country basis.

    Hi,
    I want to do provisioning in Active Directory multiple level Organization Unit (OU) from FIM 2010 R2 on a country name basis.
    Suppose I have Asia, Europe, UK, USA region OUs and they have another OU in the Asia OU like India, China etc. If the country name is India then users should go in the India OU, and if the country name is China then users should go in the China OU. So please give me any idea on this; this would be very helpful for me.
    Regards
    Anil Kumar

     
    Do you have a Region attribute in your user object? If yes, then you can do something like this:
    "CN="+displayname+
    ",OU="+country+
    ",OU="+region+
    ",DC=mycompany,DC=local"
    If you don’t have a region attribute, then you have to write your own IIF statement for every country:
    IIF(Eq(country,"China"),",OU=China,OU=Asia","")
    You can also parse your dn for the synchronization rule in some other place (e.g. metaverse extension), but if you want to do it codeless, IIFs are the way to go.

  • Active directory.....Need how it works with WEBSHOP(B2B)

    Hi ,
    Can someone throw light on how webshop(B2B) would be configured to authenticate with Active Directory.
    Any pointers, even though very basic also would help us a lot.
    Thanks in advance
    Regards,
    PV

    Hello PV,
    There is no direct AD support in Webshop. The reason is simple. Webshop uses JCo for connecting to CRM and hence its capabilities are limited to what JCo can do. Webshop has support (through JCo) for SAP Logon Tickets / SSO2 cookies. Single Sign On with SSO2 cookies is supported through JCo.
    SAP Portal is generally used as the user authentication gateway and can use Active Directory as data store. It also generates SSO2 cookies for authenticated users. If [SSO has been defined and established between the Portal and the CRM backend|http://help.sap.com/saphelp_crm60/helpdata/en/14/252f4069702d22e10000000a1550b0/content.htm], this SSO2 cookie is enough to log on to the CRM system.
    Now, if you view this from a CRM UME perspective, it is possible to have [LDAP as the data source for UME|http://help.sap.com/saphelp_crm60/helpdata/en/12/7678123c96814bada2c8632d825443/content.htm].
    Hope this is enough information for a good start.
    Easwar Ram
    http://www.parxlns.com

  • How to query user across multiple forest with AD powershell

    Hi Guys
      Our situation is like this: we have two forests, let's say forestA.com and forestB.com, and there are many subdomains in forest A.
      I'd like to write a script to get the AD object information via get-adobject -identify xxxx
      My account belongs to forestA.com, and the computer I logged on to belongs to forestB.com. A & B have a forest trust.
      Now the problem is, if the object I queried belongs to forestB.com, Get-ADObject works fine; however, if the object belongs to forestA.com, I get the error "Get-ADObject: Cannot find a object with identify: 'xxxx' under: 'DC=forestB,DC=com'.
      So how can I have a script that can query users in both forests?

    Prepared this some time ago for a PowerShell Chalk & Talk. Just change the forest names and credentials. Each Active Directory cmdlet you are calling works on the current drive. So to switch between the forests you need just change the drive / location.
    This is also quite nice for migration scenarios.
    # Forest/domain DNS name -> credential used to connect to it
    $forests = @{
        'forest1.net' = (New-Object pscredential('forest1\Administrator', ('Password1' | ConvertTo-SecureString -AsPlainText -Force)))
        'forest2.net' = (New-Object pscredential('forest2\Administrator', ('Password2' | ConvertTo-SecureString -AsPlainText -Force)))
        'forest3.net' = (New-Object pscredential('forest3\Administrator', ('Password3' | ConvertTo-SecureString -AsPlainText -Force)))
        'a.forest1.net' = (New-Object pscredential('a\Administrator', ('Password1' | ConvertTo-SecureString -AsPlainText -Force)))
        'b.forest1.net' = (New-Object pscredential('b\Administrator', ('Password1' | ConvertTo-SecureString -AsPlainText -Force)))
    }

    Import-Module -Name ActiveDirectory

    # Create one Active Directory provider drive per entry
    $drives = $forests.Keys | ForEach-Object {
        $forestShortName = ($_ -split '\.')[0]
        $forestDN = (Get-ADRootDSE -Server $forestShortName).defaultNamingContext
        New-PSDrive -Name $forestShortName -Root $forestDN -PSProvider ActiveDirectory -Credential $forests.$_ -Server $forestShortName
    }

    # Switch to each drive in turn; the cmdlet runs against the current drive
    $result = $drives | ForEach-Object {
        Set-Location -Path "$($_):"
        Get-ADUser -Identity administrator
    }

    $drives | Remove-PSDrive -Force
    $result
    -Raimund
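
A variant of the cross-forest lookup asked about above that keeps passwords out of the script and searches each forest's global catalog, so the child domains of a forest are covered by one query. This is an added example, not code from the thread; the function name and parameters are hypothetical, and `forestA.com` / `forestB.com` are the placeholder names from the question.

```powershell
# Added example (not from the thread): look a user up in several trusted forests
# without storing any password in the script.
Import-Module ActiveDirectory

function Find-ADUserAcrossForests {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._\-]{1,64}$')]   # keeps quotes out of the -Filter string
        [string]$SamAccountName,

        # Forest root DNS names, e.g. the question's forestA.com and forestB.com.
        [Parameter(Mandatory)]
        [string[]]$Forest,

        # Optional per-forest credentials, e.g. @{ 'forestA.com' = (Get-Credential) }.
        # Forests without an entry are queried as the logged-on user over the trust.
        [hashtable]$Credential = @{}
    )

    foreach ($name in $Forest) {
        try {
            # Locate a global catalog in the target forest.
            $gc = Get-ADDomainController -Discover -DomainName $name `
                      -Service GlobalCatalog -ErrorAction Stop
            $server = '{0}:3268' -f $gc.HostName[0]

            $query = @{
                Filter      = "sAMAccountName -eq '$SamAccountName'"
                Server      = $server      # GC port: forest-wide, read-only view
                SearchBase  = ''           # empty base on a GC port searches all partitions
                ErrorAction = 'Stop'
            }
            if ($Credential.ContainsKey($name)) {
                $query.Credential = $Credential[$name]
            }

            Get-ADUser @query |
                Select-Object @{ n = 'Forest'; e = { $name } },
                              SamAccountName, DistinguishedName
        }
        catch {
            # A forest that cannot be reached is reported, not fatal.
            Write-Warning "Lookup in $name failed: $($_.Exception.Message)"
        }
    }
}

Find-ADUserAcrossForests -SamAccountName 'administrator' -Forest 'forestA.com', 'forestB.com'
```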

  • Unity Connection 8.5.1ES16.11900-16 upgrade for Single Inbox with Exchange 2007 ?

    Hello friends,
    I'm currently running Unity Connection 8.5.1ES16.11900-16.
    I would like to use the single inbox feature with Exchange 2007.
    It is in the documentation that we need at least Unity Connection 8.5(1) Service Update 1 (UCSInstall_UCOS_8.5.1.11900-21.sgn.iso).
    I downloaded, checked MD5 but when searching on the FTP directory it won't accept it (No valid upgrade options were found). Is this a supported upgrade?
    Same happens with the localization file in Portuguese that i need to install: uc-locale-pt_PT-8.5.1.1-16.cop.sng ...
    Please can you give me some hints about what I may be doing wrong?
    Thank you very much and warm regards,
    met

    Hi Met,
    Hope all is well
    I think you are hitting this caveat. Although the numbers don't match exactly I'm pretty sure you will need to wait for an 8.5.1.12xxx.x ES
    If the Connection server is running an engineering special with a full Cisco Unified Communications Operating System version number between 8.5.1.11001-x and 8.5.1.11899-x, do not upgrade the server to Connection 8.5(1) SU 1 because the upgrade will fail. Instead, upgrade the server with an ES released after 8.5(1) SU 1 that has a full Unified Communications OS version number of 8.5.1.12xxx.x or later to get the SU 1 functionality.
    http://www.cisco.com/web/software/282074295/44508/851su1cucrm.pdf
    Cheers!
    Rob

  • Strange Active Directory issue on 2012 R2 2ND-DC with 2003 R2 PRI-DC

    I ran into this issue earlier today which is something I haven't seen before. 
    Current setup is 1 Forest & 1 Domain with a single Domain Controller (W2003 R2) which obviously has all the FSMO roles since it's the only DC in the domain ever installed. We're ready to decommission this OLD W2003r2 server so I prepped a new machine and installed Windows Server 2012 r2 on it, all patched up.
    Did the following:
    1. Joined the new server to the domain (successful)
    2. Promoted the new server to a domain controller (successful without any errors or warnings)
    3. Verified that the DNS records have replicated from the primary DC to the 2nd DC (successful)
    4. Verified that I was able to access the AD services on the new domain controller, users, ou's, sites etc. (successful)
    5. Verified replication of AD objects by adding users/ou's/distribution groups on Primary DC and see them replicate over and vice-versa (successful)
    I waited about an hour just to make sure that everything has replicated over and was in sync and decided to shutdown the primary server (domain controller) to make sure things were functional on the new one and as soon as the old DC was shutdown I wasn't able to open any of the AD services like AD Domain and Trusts, AD users and computers or AD Sites and Services. The window opened but my domain wasn't listed and neither of the related objects. What is the issue here? Shouldn't the secondary domain controller be a replica of the primary where I can see all the objects and make changes which will sync back once the primary comes up again. I've worked in setups where we had two DC's in one domain and I was able to view the AD objects and services regardless if one of the DC was not available, same thing in a setup with 3 DC's.
    If someone can chime in on this it would be great, I'm not sure if I'm missing but it's weird.
    Regards

    Did you apply the hotfix to the 2012R2 server:
    http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
    Mike

  • Active Directory on Windows 2012

    I have a domain security group in the domain 2012. I would want the group to be populated dynamically by all the users who are logged to the domain and dynamically, a user is removed from the group after logging out of the domain. Is this possible?

    Sorry for taking much time with my response, I was out of town. We are running squid proxy. Our domain users do not log to the domain. We need to force them to log by denying internet access when they log on locally. To do this, a dynamically populated group called 'Proxy Access' needs to be populated with everyone who logs to the domain and remove the username from the group when the user logs out. The 'Proxy Access' group is then used to provide rights to access the net.
    When a user does not log to the domain and attempts to access the net, the system prompts for the username and password. We need to replace this with an error message saying 'You need to log to the domain for you access internet'.
