Active Directory cross-forest trust between forests deployed in separate subscriptions

Hi All,
I know that this is not the Azure forum, but I have a question related to Active Directory. I would appreciate your understanding, and your letting me know your concerns about an AD cross-forest trust between two Azure subscriptions.
We have two separate Windows Azure subscriptions under one global account. Previously these two subscriptions were treated as separate companies, each with its own forest and domain. The two companies do not have any site-to-site VPN with each other over the WAN, but each company has a site-to-site connection to Azure for its own subscription.
Additional domain controllers for both subscriptions are deployed in Azure in order to authenticate the servers that are already deployed in Azure.
For some reasons these companies are merging, and for some reasons they want to have cross-forest trusts between the two companies. As we do not have any WAN connection between the two companies, the question has been raised whether we can create a cross-forest trust between the two Active Directories, given that both companies' Active Directories are deployed in Azure.
Can we achieve this, and how? I know that we can expose servers in Azure over the Internet by creating endpoints and allowing an ACL in order to accept connections only from specific public IPs.
My question is whether we can achieve this and whether it is supported by Microsoft. If yes, is there anything we have to consider before deploying it?
Thanks
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

No, I am not using Windows Azure Active Directory at all; I have deployed additional domain controllers from each forest in each subscription.
For example, in subscription 1 we have an additional domain controller of forest 1, and in subscription 2 we have an additional domain controller of forest 2.
Thanks
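Added example, not part of Salahuddin's thread: the checks and steps a practitioner would run from a forest1 domain controller to bring up and harden a forest trust once the two subscriptions are joined by a private path. The trust needs DNS, Kerberos, LDAP, SMB and dynamic RPC between the DCs, which are not ports to publish as Internet-facing Azure endpoints behind an ACL; a VNet-to-VNet VPN between the two subscriptions keeps that traffic private. The names forest1.local and forest2.local, the DC addresses and the credentials are assumptions.

```powershell
# Added example (not from the original thread). Assumed names: forest1.local (this forest),
# forest2.local (the other company's forest), its DCs at 10.2.0.4 / 10.2.0.5 reachable over the
# private VNet-to-VNet link. Run on a forest1.local DC or RSAT host as an Enterprise Admin.
Import-Module ActiveDirectory
Import-Module DnsServer

$LocalForest  = 'forest1.local'
$RemoteForest = 'forest2.local'
$RemoteDcs    = @('10.2.0.4', '10.2.0.5')

# 1. Ports a forest trust needs DC-to-DC. None of these belong on a public endpoint.
$TrustPorts = @(
    @{ Port = 53;   Service = 'DNS (conditional forwarder)' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper (trust setup, Netlogon)' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (Netlogon secure channel)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global catalog' }
)

function Test-TrustPorts {
    param([string[]]$Hosts, [hashtable[]]$Ports = $TrustPorts)
    foreach ($h in $Hosts) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $h -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $h; Port = $p.Port; Service = $p.Service; Open = $r.TcpTestSucceeded }
        }
    }
}
# Dynamic RPC (TCP 49152-65535 on Server 2008 and later) is needed as well; a single probe cannot prove it.
$closed = Test-TrustPorts -Hosts $RemoteDcs | Where-Object { -not $_.Open }
if ($closed) { $closed | Format-Table -AutoSize; throw 'Fix the private network path before creating the trust.' }

# 2. Name resolution in both directions (repeat on forest2 pointing at forest1's DCs).
Add-DnsServerConditionalForwarderZone -Name $RemoteForest -MasterServers $RemoteDcs -ReplicationScope 'Forest'
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV | Format-Table Name, NameTarget, Port

# 3. Create a two-way forest trust. Both forests must be at forest functional level Windows Server 2003 or higher.
$cred = Get-Credential -Message "Enterprise Admin in $RemoteForest"
$ctx  = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
            [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
            $RemoteForest, $cred.UserName, $cred.GetNetworkCredential().Password)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$local.CreateTrustRelationship($remote, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 4. Harden the trust. SID filtering is on by default for a forest trust; keep it that way
#    (never /enablesidhistory:yes unless an ADMT migration needs it, and then only temporarily),
#    and use selective authentication so forest2 accounts can only reach forest1 servers on which
#    they were explicitly granted "Allowed to Authenticate".
netdom trust $LocalForest "/domain:$RemoteForest" /enablesidhistory:no
netdom trust $LocalForest "/domain:$RemoteForest" /selectiveauth:yes

# 5. Verify the secure channel and read the flags back.
netdom trust $LocalForest "/domain:$RemoteForest" /verify /twoway
Get-ADTrust -Identity $RemoteForest |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringForestAware, SelectiveAuthentication
```

Selective authentication is the setting a merger most benefits from: until the two forests' hygiene is known, every forest2 user is denied on every forest1 server unless a group of theirs was granted "Allowed to Authenticate" on that computer object, which turns the trust into an allow-list instead of a blanket bridge.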

Similar Messages

  • Active Directory Cross Forest Domain Migration

    Dear All,
    We are in the process of rebuilding our Active Directory infrastructure. Multiple single-domain forests in the organization need to be consolidated/migrated into a single Active Directory domain. Before starting this consolidation, we have some queries to be addressed.
    What are the best practices, and which tool should we use for domain migration/consolidation?
    Active Directory is on Windows 2003, with the forest and domain functional levels at Windows 2003. Will this support the Windows 2012 R2 forest and domain functional levels, i.e. can it be migrated directly from Windows 2003 to Windows 2012?
    When we move users to the new domain, how will they access the other resources on the network, e.g. printers, file servers, local web-based applications?
    After moving some computers to the new domain, would it be possible to access the remaining computers in the old domain?
    How will the file server data be moved? What are the best practices for NTFS folder permissions and user rights?
    Is there any policy to register network printers in the new Active Directory domain?
    How will users access web-based applications in the new domain when their FQDNs are defined with the old domain name? Is there any option to change the old domain FQDN to the new domain in any URL link?
    Kindly give your valuable input to meet the desired result.
    Thanks in Advance.

    Dear Lucky,
    Yes, you can migrate content from multiple forest domains. Using ADMT (Active Directory Migration Tool) is the best way to migrate AD content. But you can't migrate from Windows Server 2003 to Windows Server 2012 R2, because Windows Server 2012 R2 does not have supportability for Windows Server 2003. And not only users: you can also migrate all other info (i.e. computer object info, group info, Exchange mailbox info, security info). You can migrate users phase by phase, meaning the people who are in the old domain can access the old domain and new users are in the new domain. For more info please follow the given link:
    http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
    Mithun Dey Web: http://cloudmithun.wordpress.com If this gives you your necessary resolution please mark it as Answer.

  • Domain Upgrade & Cross Forest Trusts

    Hi,
    I manage a single Windows 2003 forest with a single domain (AD level Windows 2003 R2). I'm preparing to upgrade the domain to Windows 2008 R2, but before I do I'm hoping someone can advise whether this will impact a number of cross-forest trusts I have with related organisations.
    The trusts are a mix of one-way and two-way non-transitive domain-level trusts.
    My query is: will I need to recreate these trusts after an "adprep /forestprep" or "adprep /domainprep"? (Getting resources on the opposing side lined up to create/recreate trusts is a big job, so I'm hoping the impact will be zero.)
    Thanks in advance
    Paul

    > if this will impact on a number of cross forest trusts
    No, it will not.
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Where to create cross-forest trust

    I need to create a cross-forest trust between DSfW and MS AD. I'm following the documentation at http://www.novell.com/documentation/...n.html#bfb58i5 but I got confused... Do I need to perform these steps on a workstation belonging to the DSfW domain or to the AD domain? The text seems to indicate that these steps need to be done in the DSfW domain, but the pictures seem to show the AD domain.

    OK, confusion cleared. I created the trust on DSfW side, everything went smoothly. We can consider this thread closed.

  • WS2012r2 - Cross-forest trust - Can add groups to user but when I open it again, groups are not listed

    Hello Everyone,
    I hope you can help me resolve this issue, I'm missing something but I don't know what.
    I have 2 WS2012 R2 domain controllers, each one with its own forest (let's call them A.com and B.com).
    I have a validated two-way external trust relationship between those domains.
    I've added the domain admin "B\Administrator" to the DL group "A\Administrators", so I have permissions to modify everything in A.com.
    From "Active Directory Users and Computers" on B.com, I can see all users and "Domain Local" groups of A.com.
    From "Active Directory Users and Computers" on A.com, I can see all users and "Domain Local" groups of B.com.
    What I need: add users from B.com to DL groups in A.com using the "B\Administrator" account.
    The problem: I'm able to open a user from B.com, add a DL group from A.com, click Apply, then OK.
    But if I open the user again and go to the "Member of" tab, the group is no longer listed there.
    If I go to the A.com domain and open the DL group's membership tab, I can see the user from B.com listed there.
    So there's something wrong, because even if the user is listed in the group in A.com, it's not assigning the right permissions when the user tries to access the resources that group grants access to.
    Any ideas what I did wrong or forgot to do?
    Thanks!

    Hi,
    Have you tried forcing a replication or a refresh and then checking the membership? Please verify that DNS is well configured and that we have a GC on both sides of the two forests.
    In addition, please take a look at the below link:
    Understanding the Global Catalog
    Hope that may help
    Best regards
    Michael
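Added example, not part of the thread above: the A.com-side check that explains the empty "Member of" tab. When a principal from the trusted forest is added to a group, A.com stores it as a foreignSecurityPrincipal object; the group's member link and the memberOf back-link both stay in A.com, so the B.com user object never shows the membership. The DC names dc1.a.com and dc1.b.com, the group name and the trust name are assumptions.

```powershell
# Added example (not from the original thread). Assumed names: dc1.a.com, dc1.b.com,
# the domain local group 'FileShare-Admins' in A.com and the trust name 'b.com'.
Import-Module ActiveDirectory

function Get-CrossForestGroupMembers {
    param(
        [Parameter(Mandatory)][string]$Group,        # domain local group in the resource forest (A.com)
        [Parameter(Mandatory)][string]$ResourceDc,   # a DC of A.com
        [Parameter(Mandatory)][string]$AccountDc     # a DC of B.com
    )
    $g = Get-ADGroup -Identity $Group -Server $ResourceDc -Properties member
    foreach ($dn in $g.member) {
        $m = Get-ADObject -Identity $dn -Server $ResourceDc -Properties objectSid
        if ($m.ObjectClass -eq 'foreignSecurityPrincipal') {
            # A B.com principal added to an A.com group is stored as a foreignSecurityPrincipal
            # object under CN=ForeignSecurityPrincipals,DC=a,DC=com. The group's member link points
            # at that FSP, so the memberOf back-link is computed on the FSP in A.com and never on
            # the user object in B.com. ADUC opened against B.com therefore shows nothing on "Member of".
            $sid  = $m.objectSid.Value
            $acct = Get-ADObject -Server $AccountDc -Filter "objectSid -eq '$sid'" -Properties sAMAccountName
            [pscustomobject]@{ Member = $dn; Kind = 'foreignSecurityPrincipal'; SID = $sid
                               Account = $acct.sAMAccountName; ResolvedOn = $AccountDc }
        } else {
            [pscustomobject]@{ Member = $dn; Kind = $m.ObjectClass; SID = $m.objectSid.Value
                               Account = $m.Name; ResolvedOn = $ResourceDc }
        }
    }
}

Get-CrossForestGroupMembers -Group 'FileShare-Admins' -ResourceDc 'dc1.a.com' -AccountDc 'dc1.b.com' |
    Format-Table -AutoSize

# The membership is applied when B\user authenticates to an A.com resource: the A.com side adds the
# domain local group to the token. Check it there, not on the B.com user object:
#   whoami /groups          (run as B\user on a machine joined to A.com)
# If the trust uses selective authentication, a correct group grant still fails until B.com users
# are granted "Allowed to Authenticate" on the specific A.com computer.
Get-ADTrust -Identity 'b.com' -Server 'dc1.a.com' |
    Select-Object Name, Direction, TrustType, SelectiveAuthentication, SIDFilteringQuarantined
```

The function resolves each FSP back to the B.com account by SID, which is the only thing the FSP carries; if the trust has SelectiveAuthentication set, the last line is where to look first when the group membership is right but access is still denied.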

  • Problem authenticating user in Active Directory cross domain

    Hi,
    We have two different AD servers serving our London and Tokyo networks. My application runs in the London network but is used by both London and Tokyo users.
    The two ADs have a domain trust set up between them. I have groups defined in the London AD to which users from both the London and Tokyo ADs are assigned.
    I'm trying to connect to the London AD using the users' credentials and retrieve the groups they are assigned to.
    I can connect to the London AD using any London user and I can retrieve the groups. But when I use a Tokyo user's credentials to connect via the London AD server I get a security exception with a code indicating "User Not Found".
    The code I use, which is very basic, is given below. Run as such, it gives me the following error:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
    If I change the provider URL in the code below to the Tokyo AD server URL then it works, but I can't use that due to security restrictions. As per the Windows team, the domain trust should allow me to connect/bind to the London AD server with the Tokyo credentials.
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "london ldap server url");      // placeholder as posted for the London DC's ldap:// URL
    env.put(Context.SECURITY_AUTHENTICATION, "simple");           // simple bind: name and password are sent to the DC
    env.put(Context.REFERRAL, "follow");
    env.put(Context.SECURITY_PRINCIPAL, "[email protected]");      // placeholder as posted: the Tokyo user's UPN
    env.put(Context.SECURITY_CREDENTIALS, "password");
    env.put(LdapContext.CONTROL_FACTORIES, "com.sun.jndi.ldap.ControlFactory");
    LdapContext ctx = new InitialLdapContext(env, null);        // throws NamingException (error code 49) when the bind fails
    I would like to know how to authenticate a user in a cross-domain Active Directory environment. I read in a blog that a "simple bind" will not work for cross-domain user authentication. Unfortunately the blogger didn't mention what would work :(. Any help is much appreciated.
    Please bear with me if my query is a naive one and point me in the right direction.
    Thanks
    Jothi

    Hi Praveen,
    to avoid losing data when user objects are moved to new locations in the LDAP server, it is possible to configure the User Management Engine to use the value of a specific unique attribute as part of the unique ID instead of the distinguished name.
    For this, you have to change the following UME properties:
    For user objects: ume.ldap.unique_user_attribute=<attributename>
    For account objects: ume.ldap.unique_uacc_attribute=<attributename>
    For group objects: ume.ldap.unique_grup_attribute=<attributename>
    Be aware that the attribute (e.g. cn or uid) must be unique within the configured user/group path.
    Please read SAP Note 777640 for more information regarding this problem and how to change the UME properties.
    Best regards,
    Robert
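Added example, not part of Jothi's thread or Robert's reply: a decoder for the "data NNN" sub-code that AD appends to LDAP result 49, plus a bind tester that tries the same credentials with a simple (Basic) bind and with Negotiate so the two results can be compared against the London DC. The server name dc1.london.example, the principal user@tokyo.example and the password prompt are assumptions; the decoded message is the one quoted in the post.

```powershell
# Added example (not from the original thread). Assumed: DC 'dc1.london.example', the Tokyo
# principal 'user@tokyo.example'; the error string is the one quoted in the post.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Sub-codes AD appends ("data NNN") to LDAP result 49 (invalidCredentials).
$AdBindSubCodes = @{
    '525' = 'user not found: the DC could not locate the account, the password was never checked'
    '52e' = 'invalid credentials: account found, password wrong'
    '530' = 'logon not permitted at this time'
    '531' = 'logon not permitted at this workstation'
    '532' = 'password expired'
    '533' = 'account disabled'
    '701' = 'account expired'
    '773' = 'user must change password at next logon'
    '775' = 'account locked out'
}

function ConvertFrom-AdBindError {
    param([string]$Message = '')
    if ($Message -match 'data\s+([0-9a-fA-F]+)') {
        $code    = $Matches[1].ToLower()
        $meaning = if ($AdBindSubCodes.ContainsKey($code)) { $AdBindSubCodes[$code] } else { 'unknown sub-code' }
        return [pscustomobject]@{ SubCode = $code; Meaning = $meaning; Raw = $Message }
    }
    [pscustomobject]@{ SubCode = $null; Meaning = 'no AD sub-code in message'; Raw = $Message }
}

function Test-AdBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$UserName,        # UPN or DOMAIN\user
        [Parameter(Mandatory)][string]$Password,
        [ValidateSet('Basic', 'Negotiate')][string]$AuthType = 'Negotiate'
    )
    $id   = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $Port
    $conn = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]$AuthType
    $conn.Credential = New-Object -TypeName System.Net.NetworkCredential -ArgumentList $UserName, $Password
    # Basic is the "simple" bind of the JNDI code in the post: the password crosses the wire in clear
    # text, so it is only acceptable over LDAPS. Negotiate uses Kerberos/NTLM and is signed by default.
    if ($AuthType -eq 'Basic') { $conn.SessionOptions.SecureSocketLayer = $true }
    try {
        $conn.Bind()
        [pscustomobject]@{ AuthType = $AuthType; Bound = $true; SubCode = $null; Meaning = 'bind succeeded' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        $d = ConvertFrom-AdBindError -Message ([string]$_.Exception.ServerErrorMessage)
        [pscustomobject]@{ AuthType = $AuthType; Bound = $false; SubCode = $d.SubCode; Meaning = $d.Meaning }
    } finally {
        $conn.Dispose()
    }
}

# 1. Decode the message quoted in the post.
ConvertFrom-AdBindError -Message '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece'

# 2. Try the Tokyo credentials against the London DC with both mechanisms and compare the sub-codes.
$secure = Read-Host -Prompt 'Tokyo user password' -AsSecureString
$plain  = (New-Object -TypeName System.Net.NetworkCredential -ArgumentList '', $secure).Password
foreach ($m in @(@{ Auth = 'Basic'; Port = 636 }, @{ Auth = 'Negotiate'; Port = 389 })) {
    Test-AdBind -Server 'dc1.london.example' -Port $m.Port -AuthType $m.Auth -UserName 'user@tokyo.example' -Password $plain
}
```

A 525 means the DC never reached the password check, which is a name-resolution problem rather than a credential problem, and that is worth distinguishing from 52e before anyone resets passwords. When the UPN belongs to another domain of the same forest, bind to a global catalog (port 3268, or 3269 for LDAPS) because only a GC holds every domain's UPNs; for an account in a trusted forest, comparing the Basic and Negotiate rows shows whether it is the name form handed to the DC or the trust path itself that fails.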

  • Active Directory multi forest Kerberos authentication Tomcat

    Sorry, it is the wrong forum. I forwarded my question to the Business Objects forum.
    Hi,
    I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO in domain x, forest A; users in domain y, forest B). I would like to authenticate users from domain y to my BO using Kerberos.
    There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
    I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
    There is also an error logged in Tomcat stdout.log file:
    70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    If anyone has come across this situation, please share the solution.
    Thanks & Regards,
    Piotr
    Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

    Hi
    Is your Enterprise configured for Java Active Directory authentication?
    Then there can be multiple causes:
    - The Java and the Central Management Server (CMS) are using encryption types that do not match.
    - The Service Principal Name in the CMC is incorrect
    Then to resolve this perform the following steps:
    - In the Central Configuration Manager, double-click the CMS, and note the service account used.
    - In Windows Domain users and computers, go to account properties for the CMS service account.
    - Select "Use DES encryption types for this account". In large AD deployments this change can take time to propagate.
    - Login to the CMC and verify (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
    - Restart the CMS server and log on.
    In a clustered CMS environment ensure that all CMS's are running under the same domain account.
    Hope this helps!!!
    Regards
    Sourashree
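Added example, not part of Piotr's thread or Sourashree's reply: a check of the CMS service account for the two causes the reply names (SPN missing, wrongly formatted or duplicated; encryption types that the KDC and the Java side do not share), decoding msDS-SupportedEncryptionTypes bit by bit. The reply's DES advice dates from 2009; DES is disabled by default on Windows 7 / Server 2008 R2 and later, so the remediation shown moves to AES instead. The account name svc-bocms, the host bo01.corp.example and the realm are assumptions; the SPN follows the BOBJCentralMS/HOSTNAME.DOMAIN.COM format the reply quotes.

```powershell
# Added example (not from the original thread). Assumed names: service account 'svc-bocms',
# SPN 'BOBJCentralMS/bo01.corp.example' built from the format the reply quotes.
Import-Module ActiveDirectory

# Bits of msDS-SupportedEncryptionTypes
$EncTypeBits = [ordered]@{
    1  = 'DES_CBC_CRC'
    2  = 'DES_CBC_MD5'
    4  = 'RC4_HMAC'
    8  = 'AES128_CTS_HMAC_SHA1_96'
    16 = 'AES256_CTS_HMAC_SHA1_96'
}

function ConvertFrom-EncTypes {
    param($Value)   # $null when the attribute has never been set
    if (-not $Value) { return @('(not set: KDC default, historically RC4_HMAC)') }
    @($EncTypeBits.Keys | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $EncTypeBits[$_] })
}

function Test-KerberosServiceAccount {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$ExpectedSpn)
    $a = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', userAccountControl
    $etypes = ConvertFrom-EncTypes -Value $a.'msDS-SupportedEncryptionTypes'
    # The same SPN on two accounts makes the KDC unable to issue a usable ticket for either.
    $dupes = Get-ADObject -Filter "servicePrincipalName -eq '$ExpectedSpn'" |
             Where-Object { $_.DistinguishedName -ne $a.DistinguishedName }
    $rec = if ($etypes -match 'AES') { 'ok: AES offered' }
           elseif ($etypes -match 'RC4') { 'works, but move to AES (set value 24) and regenerate the keytab' }
           else { 'DES only: deprecated and off by default since Windows 7 / Server 2008 R2; use AES' }
    [pscustomobject]@{
        Account             = $a.SamAccountName
        SpnRegistered       = [bool]($a.servicePrincipalName -contains $ExpectedSpn)
        DuplicateSpnHolders = @($dupes | ForEach-Object DistinguishedName)
        EncryptionTypes     = ($etypes -join ', ')
        UseDesKeyOnly       = (($a.userAccountControl -band 0x200000) -ne 0)   # UF_USE_DES_KEY_ONLY
        Recommendation      = $rec
    }
}

Test-KerberosServiceAccount -SamAccountName 'svc-bocms' -ExpectedSpn 'BOBJCentralMS/bo01.corp.example' | Format-List

# Remediation, once the Java side is confirmed to support the chosen etype:
#   Set-ADUser -Identity svc-bocms -Replace @{ 'msDS-SupportedEncryptionTypes' = 24 }   # AES128 + AES256
#   ktpass /princ BOBJCentralMS/bo01.corp.example@CORP.EXAMPLE /mapuser svc-bocms /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out bocms.keytab
```

"No service creds" is what the Java GSS layer reports when the keytab or account key does not match any etype the KDC issued the ticket with, so the account's etype set, the keytab's etype and the JRE's capability (older JREs need the unlimited-strength JCE policy for AES256; AES128 needs none) have to agree. If the JRE really cannot do AES, RC4 is still a better fallback than re-enabling DES.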

  • Cross-forest trust

    Our network is mainly based on eDirectory, but we also have DSfW set up for some services that need Active Directory. Now we are taking over IT management of another organization which is purely based on MS Active Directory. My boss asked me if we can set up trust between our DSfW domain and their AD domain. Having read the DSfW manual, I can answer that. What I cannot quite answer is, what benefits do we actually get from this trust. As I understand from the manual, this gives our DSfW users access to resources in "their" AD, but "their" users cannot access resources in our DSfW domain. Does this "access" also enable "our" admins to manage users and computers in "their" AD (join computers to domain, create domain users etc)?

    Originally Posted by vatson
    As I understand from the manual, this gives our DSfW users access to resources in "their" AD, but "their" users cannot access resources in our DSfW domain. Does this "access" also enable "our" admins to manage users and computers in "their" AD (join computers to domain, create domain users etc)?
    That's correct about the access only going one way (DSfW users to AD, but not the other way around).
    Yes, with a "but": the access enables admins on the DSfW side to administer users in AD, assuming those admin rights have been granted to the DSfW admins on the AD side. The "but" is (an obvious one, but worth mentioning anyway) that it will require the workstations of those admins to be joined to one of the domains and to have them logged in with their DSfW account.
    Cheers,
    Willem

  • Active Directory: One Way Trust from NT Domain to 2003 Domain being upgraded to 2012 R2

    We have an old legacy NT 4 domain that is slowly being decommissioned (slowly is the key word). Currently there is a one-way external trust between those NT 4 domains and a child domain that is at 2003 functional level. We are in the middle of upgrading that child domain and the root domain to 2012 R2. My only concern right now, and I can't seem to find concrete proof either way, is whether that external one-way trust will break when upgrading the forest and domain functional levels to 2012 R2 once we have all our DCs upgraded. I have read articles on how to get that trust to work in a 2008 R2 domain, and of course it is working with the existing 2003 domain.
    In theory the trust should break, correct? However, I know there are some security changes among other things in 2012 that may or may not work.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

    Yes. We are working with the client to migrate any dependencies off these 3 NT legacy domains. We will be able to decommission 2 of the 3 without any issues. However, they still have an old NT box running SQL 6.5 databases for an application still in production. Yes, they are very aware that NT isn't supported, that that version of SQL isn't supported, and that this will hold up their upgrade.
    Our plan for them is to deploy all new Windows Server 2012 R2 domain controllers but keep the domain and forest functional levels at 2003 in order to support that final NT legacy domain until they can get that application migrated.
    Once that NT domain is decommissioned, we can raise the functional levels of the rest of their domains from 2003 to 2012 R2.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

  • Using LDAP Query in Active Directory to see what users are still logged ?

    Any suggestions for an LDAP query that I can use in AD to see who is still logged into the network?
    It would be great to distinguish who's logged in with a screen lock (which means they aren't really at their PC) from users who are actually using their PCs.
    Thanks in advance!

    I recently posted a framework for checking all machines to see who is logged into them. You can take that and adjust it as you need.
    https://social.technet.microsoft.com/Forums/en-US/fb2ef90a-ba15-41bf-8e6c-95d32256225b/how-do-i-run-this-query-from-a-text-file-list?forum=ITCG
    Don't retire TechNet! -
    (Don't give up yet - 13,085+ strong and growing)
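Added example, not part of the thread above: AD has no attribute that says who is logged on right now (it only keeps last-logon time stamps), so the approach that works is to take the computer list from AD and ask each machine. The OU path, the domain and the assumption that WinRM is enabled for administrators on the workstations are all assumptions; the screen-lock detection is a heuristic based on LogonUI.exe being the process that draws the lock and logon screens.

```powershell
# Added example (not from the original thread). Assumed: workstations live under
# 'OU=Workstations,DC=corp,DC=example' and WinRM is enabled for administrators on them.
Import-Module ActiveDirectory

function Get-InteractiveLogons {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',
        [int]$ThrottleLimit = 32
    )
    # AD only stores the last logon time stamp, not who is logged on now; ask each machine.
    $computers = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase -Properties DNSHostName |
                 Select-Object -ExpandProperty DNSHostName

    Invoke-Command -ComputerName $computers -ThrottleLimit $ThrottleLimit -ErrorAction SilentlyContinue -ScriptBlock {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem      # UserName = console session user, $null if none
        # Heuristic: LogonUI.exe is running whenever the lock screen or the logon screen is shown.
        $logonUi = [bool](Get-Process -Name LogonUI -ErrorAction SilentlyContinue)
        if (-not $cs.UserName)  { $state = 'no console user' }
        elseif ($logonUi)       { $state = 'logged in, screen locked' }
        else                    { $state = 'logged in, active' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; User = $cs.UserName; State = $state }
    } | Select-Object Computer, User, State
}

Get-InteractiveLogons | Sort-Object State, User | Format-Table -AutoSize
```

Win32_ComputerSystem.UserName only reports the console session, so RDP sessions are not counted; machines that do not answer are skipped silently by the -ErrorAction setting. This is the same session-discovery an attacker performs before lateral movement, so the right to run it (WinRM access, local administrator membership) should be limited to the admins who need it.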

  • I want to grab the application files which are deployed on the oracle 9i

    I want to know the physical path of a Java application deployed on the server.
    I have admin console access to the server, but I don't have a login to the physical box. I am pretty sure this is the only application deployed on this server. I don't have any clue whether it is deployed in WAR or EAR format.
    I don't know anything about Oracle Application Server. Can anybody help me out with the path under which these J2EE applications will be deployed?
    "/u01/app/oracle/ias_app"
    Thanks
    Tara

    Hello Tara,
    Unless the deployment directories have been changed, the default locations for deployed applications are:
    $OH\j2ee\<OC4J_Name>\applications\<app_name>
    $OH\j2ee\<OC4J_Name>\application-deployments\<app_name>
    You can have limited access to the applications through the console via the Applications link.
    Hope this helps.
    Deepak

  • AD Redesign / R​estructure / Tools which further Improve / Enhance Active Directory's USABILITY-CONSUMERIZATION

    Hello,
    This study/discussion can be beneficial for all of us,
    as we will be able to find out what is best from both the business and the technical aspects
    in terms of:
    AD as a Service.
    AD as an Application.
    Checking the IPD for AD provides details which for the most part are technical, which is right, as these details are best practices irrespective of the nature or function of any company.
    Still, there are many tools/utilities/apps/solutions for an organization with
    1. Over 60,000 users/machines
    2. Over 100 trust relationships
    3. Manufacturing sites/locations with equipment/machinery whose operations must never be disturbed...
    These are a few of the real and practical scenarios organizations have to manage, and once AD is deployed you have to restrict yourself, or rather live with it, as this directory-service solution is not as modular as some others are....
    This could be very exhaustive, as it is purely an organization's decision.
    However, with the help of this forum I want to know which are the best known and recommended tools/apps/solutions regarding the following:
    1. User/employee type differentiation (attribute basis, group-membership basis, and more): which are the known and recommended tools?
             -  Tool 1
             -  Tool 2
             -  Tool 3
    2. Delegation model: delegation of control/management of AD objects (dept./role specific)?
             -  Tool 1
             -  Tool 2
             -  Tool 3
    3. Controlling access rights and privileges so that a resource is only accessible by the respective dept.: security policies, user rights, AppLocker/software restriction, NTFS permissions, claims tokens. Which other tools are known, and which are the recommended ones?
             -  Tool 1
             -  Tool 2
             -  Tool 3
    Thanks!
    BR,
    An Extremist

    Hi,
    With Active Directory installed, we have the tools below to manage AD:
    Active Directory Users and Computers
    Active Directory Domains and Trusts
    Active Directory Sites and Services
    In addition, we also have the following command-line tools:
    Dcdiag, repadmin, adsiedit, ntdsutil and so on
    Please also refer to the below link for Active Directory Management Support Tools
    http://technet.microsoft.com/en-us/library/cc738135(v=ws.10).aspx
    Regards,
    Yan Li

  • Authentication against Active Directory Forest

    Hello Everyone,
    I am new to JNDI programming and would appreciate any help with the following problem.
    I am planning to write a program using the JNDI APIs to authenticate users against an Active Directory (AD) forest.
    The target AD forest contains multiple domains with two-way transitive trusts between them. There are several users created in each of these domains.
    I would like to know what the general approach should be for authenticating users against such a topology.
    I have a working program which uses the JNDI APIs to authenticate users against a single domain.
    A sample topology would contain domains like these.
    - abc.corp.net
    - xyy.corp.net
    - pqr.xyz.corp.net
    - hrdev.xyz.corp.net
    - lmn.corp.net
    Thanks in advance for any help
    Sandeep

    Hi,
    How does this relate to Sun Directory Server ?
    Regards,
    Ludovic

  • Design Problem : How to design/code a java client which is deployed to all the machines in a cluster and make sure that only one of the java client is active

    hi,
    I have to design a Java client (which is basically a JMS message listener) which is deployed to all the servers in the cluster. But as these are message listeners, I want only one of the instances to be active at a time.
    If the server on which the client is active goes down, I want the second server to start listening to messages.
    How do I design this? Also, is there a public API for multicasting that we can use?
    Anybody has an idea on how to go about this..
    Thanks
    nisha

    Hi Nisha,
    Failover message listeners? Sounds like you want MDBs, which are deployed on all nodes in a cluster. If your JMS destination is a queue, then only one MDB will pick up the message. And just like any other EJB service, MDBs fail over.
    Gene
    "Nisha" <[email protected]> wrote in message news:[email protected]..

  • Windows Server 2008 Active Directory Trust

    Hi ,
    Can anyone help with the answer to the following questions please?
    a) Whether Microsoft Windows Server 2008 SP2 Standard Edition supports AD trust relationships (one-way; two-way)?
    b) Whether we can create a trust between Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 Standard Edition AD servers?
    Thanks in advance.
    India1947

    Hello,
    First of all, please confirm that the firewall on Windows Server 2008, the TCP/IP filter, or any third-party firewall is not blocking the RPC and ICMP traffic between the two domain controllers.
    1.    Test creating and verifying the trust while all firewalls are disabled. Then re-create and verify the trust to check how it works.
    Allowing Inbound Network Traffic that Uses Dynamic RPC
    http://207.46.196.114/windowsserver2008/en/library/d37f96c6-c729-4b29-80a9-88db3d97b8631033.mspx
    2.    If it still fails, please try to collect the following information for our further investigation:
    -      Run "Netdiag /v >>netdiag.txt" on both DCs
    -      Network Monitor trace when verifying the trust:
    Download the NetMon3.1 from the following link:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en
    1.    Install the NetMon on Windows Server 2008.
    2.    In the Microsoft Network Monitor 3.1 window, click Create a new capture tab….
    3.    In the new tab, select all the Network Adapter in the Select Networks window.
    4.    After that, press F10 to start NetMon.
    5.    In the Active Directory Domains and Trusts, try to verify the trust to reproduce the issue.
    6.    After that, go back to the Netmon window and press F11 to stop the Netmon on the Windows Vista machine.
    7.    Press Ctrl+S to save the Netmon files.
    Please send files to [email protected]
    Note:
    a. Please include the following three lines for this issue in the email body:
    Trust Windows Server 2008 and Windows 2000
    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3210801&SiteID=17
    Miles Li - MSFT
    b. We will continue to discuss the issue here in the newsgroup and will NOT reply via emails.
    c. Please post a quick note in the current thread to inform me after sending the email.
    Thanks.
     
