Active Directory Forest root domain name

Similar Messages

• AD FS in Forest Root Domain

  I have a AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me if I need to do any further configuration to have it authenticate users from the child
  domain or if that should just magically happen because of the Parent Child trust relationship.
  Upon rebuilding the server again and making sure that the server name and the pool name were diffrent so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS urls'. It will prompt me for my credentials 3 times
  and then tell me I am not Authorized. I have been searching on the web but have been unable to find the solutionsI have made DNS changes, added http SPN entries. Changed the Authentication settings on IIS... I am stuck. Any help would be great.

  I have been using the "AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation".
  I am trying to federate with a diffrent organization where I am the IP and I have no control over the SAML 2.0 side... That being said, I changed my DNS and now I can get to my server using the IDPInitiatedlogon URL. When I run
  through the URL that bounces me between the other organization and then back to my AD FS server.... I get stuck in a loop where it asks me for credentials 3 times and then tells me I am "Not Authorized"
  Here is a bit of the fiddler trace:
  <a href="https:///adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust">https://<other-org-adfs>/adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust
  http://<my-org-adfs>:443
  http://<my-org-adfs>:443
  http://<my-org-adfs>:443
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  http://<my-org-adfs>:443
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  http://<my-org-adfs>:443
  It seems to be stuck looping between /adfs/ls and /adfs/ls/auth/integrated . It then times out and gives me the error in the browser.

• Forest root domain displayed as network label, rather than child domain

  Following on from this post (which I stupidly contributed to without realising it's a gaziillion years old):
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
  I run a DMZ child domain which is pretty tightly locked-down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state why this should be the case clearly, and a vague response
  from support saying that 'Product Group' (which one?!) have been asked for feedback was never followed up on.
  Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key & deploy either by GPO or batch file, I'm SOL finding a solution to this - but would at least like
  a viable explanation for the behaviour, as opposed to 'it's by design'

  Can I ask if something is not working correctly because of this?  The display of the connected network does not affect communication or how DNS will resolve.  Are you chasing this down because you don't like the display, or is there an outage?
  Thanks!
  - Chris Ream -
  **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

• Exch 2013 SP1 Mutidomain set up. mail enabled user shows Forest Root Domain email address.

  Hi,
  First let me explain my Exch 2013 SP1 Multidomain set up.
  1. DA as Forest Root domain, having schema master domain role installed.
  DB as Tree Root domain in above forest 
  DC as Child domain in Tree root domain.
  2. After set up, I ran 'netdom query fsmo' on each DC. It displayed schema master role on forest DC and domain role on individual DC on which command was run.
  3. Now to install Exch 2013 SP1, ran appropriate command on forest  DC (i.e PrepareAD, Prepareschema and alldomain).
  4. Brought 1 machine in Child domain and installed Exch 2013 SP1 server on it.
  Now, when I access ECP, Create user, new mailboxdatabse etc. options available only if login to ECP by ForestRootDomain\administrator credentials. please confirm.
  while creating new user, it shows User Login Name with Child.TreeRootDomain.local default but after creating user, it shows [email protected] as Email address. Please confirm.
  Thanks and regards,
  Sudhir

  Logged on Exch machine by child\administrator user credentials.
  Unabel to get Set-ADServerSettings -ViewEntireForest $true command in exchange powershell.
  can get only Set-AdServeiceAccount command.
  Also if poosible, please confirm, weather multidomain set up is correct?

• How to change the root domain name in window 2012 server

  Got a window 2012 server build up. My root domain name looks something like corp.marketing   Well I seems to have missed to add the last .com or .local.  How do I add the .com to my existing root domain name please. The server is new, will
  go online in few days time. Thanks for all the help.

  I have a similar question and not sure if this is the right place. I had set a server with corp.brighterworld.com but the install wizard anywhere access had me believe that microsoft's strongly preferred domain name prefix was remote.brighterworld.com so
  I contacted GoDaddy and had it reissued as remote. but when I went to reconfigure for the new name. I had already set the server for being a CA, and in that process it issued like 4 or 5 certificates. So I had tried to rebuild the machine from scratch, but
  the it didn't wipe everything, but rather saved previous state which left the old certificate stuff to be dealt with. Any hints or help out here for us having to learn this stuff the hard way?
  Thanks,
  Mark Saxton

• Active Directory Forests Publishing Status

  Hello,
  I installed SCCM and my active directory Forest has Publishing Status: Insufficient access rights
  Any idea how I can fix this?  I searched on the internet and can not find it.  Thanks.

  You need to give your SCCM server computer account in AD permissions to publish to the SystemsManagement container. That's where it publishes information to the forest.
   http://social.technet.microsoft.com/Forums/en-US/ab6dc179-0348-4343-8c36-7e8b92313524/sccm-2012-system-management-container-in-ad?forum=configmanagergeneral

• Active Directory forest which need to be sync with Office 365 E1 plan

  we have multiple local Active Directory forest which need to be sync with Office 365 E1 plan, how we can do that?

  Hiya,
  you need to use either FIM or AAD. I would recommend the AAD, even though it's in beta, it will properly be a better choice.
  Windows Azure Active Directory Connector for FIM 2010 R2 Quick Start Guide
  http://technet.microsoft.com/en-us/library/dn511002%28v=ws.10%29.aspx
  New sync capabilities in preview: Password Write Back, New AAD Sync and Multi-forest support
  http://blogs.technet.com/b/ad/archive/2014/04/21/new-sync-capabilities-in-preview-password-write-back-new-aad-sync-and-multi-forest-support.aspx

• Project Server 2010 Active Directory Synchronization - duplicate Windows Name - Event ID 7734

  Environment: SharePoint Server 2010, Project Server 2010, SP2, DEC 2013 CU (Farm Build number: 14.0.7113.5001)
  Scenario: 
  Domain user has been added to the Active Directory group being synchronized with Project Server for the Team Members group.
  That user has participated as a team member in numerous projects, added documents, been assigned tasks, typical project stuff...
  Employee quits.
  AD account is deleted. (NOT deactivated or moved into another OU)
  Time passes...
  Employee gets rehired.  NEW AD account is set up: same display name, SamAccountName, email address, different GUID of course.
  Daily Active Directory job runs again and throws event ID 7734 and the sync ends with a partial fail.
  I understand why this is happening.  Solutions I've found point me to deleting the Enterprise Object resource in Project Server and then rerunning the sync.  Sure, this works BUT won't all of the previous documents, tasks,
  etc. be disassociated from that user?  If so, this is not ideal.
  2 questions:
  Is there a better way to deal with the fixing of the resource in Project Server to somehow link the old resource to the new resource allowing the sync to run successfully while still leaving the association to all old content intact?
  How are other organizations dealing with rehires when they have been added as resources in Project Server?  What is the best practice guidance from Microsoft on this?  Are other companies not actually deleting AD accounts when users leave organizations
  or are they putting them into a "ARCHIVE" OU or something like that? This happens at least half a dozen times a year at my company. We would like to keep our AD as clean as possible, but this appears to change our approach.
  Any suggestion/guidance is appreciated.

  For the question to relink the new account to the account which is already available in Project Server. You will have to update the WRES_AD_GUID to Null for the the Resource in MSP_RESOURCES table in the published database.
  Whenever a users gets synchronized to the PWA his ADGUID, SAMAccountName, Display Name, Email Address and DepartmentName is Synchronized from AD to Project Server. When the user was deleted and recreated the ADGUID got changed. During the next sync, project
  found the user with similar properties but different ADGUID which was updated in WRES_AD_GUID column in MSP_RESOURCES table. Hence it says that there is a duplicate account in the table with the same properties but a different ADGUID
  Nullifying the WRES_AD_GUID column value in MSP_RESOURCES table should get the user synchronized to Project server in the next sync.
  Cheers! Happy troubleshooting !!! Dinesh S. Rai - MSFT Enterprise Project Management Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you. This can be beneficial to other community members reading
  the thread.

• PowerShell Script Get the User's Active Directory Fully Qualified Login Name for Specific Locked Out Accounts

  I have a script which displays locked out accounts. It works great.
  I'd like to display the fully qualified Active Directory Login Name instead of the LastName, First Name:
  Example: Davis, Susan
  Want instead: Domain\Susan.Davis
  I'd also like to include an additional filter to look for only Domain\Susan.Davis OR Domain\Robin.Givens
  Here is my script:
  $objDomain = New-Object System.DirectoryServices.DirectoryEntry
  $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
  $objSearcher.SearchRoot = $objDomain
  $objSearcher.PageSize = 1000
  $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
  $colProplist = "name","samaccountname"
  foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
  $colResults = $objSearcher.FindAll()
  foreach ($objResult in $colResults) {
  $domainname = $objDomain.name
  $samaccountname = $objResult.Properties.samaccountname
  $user = [ADSI]"WinNT://$domainname/$samaccountname"
  $ADS_UF_LOCKOUT = 0x00000010
  if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
  $objResult.Properties.name
  John
  John

  Sorry, I should have mentioned that the cmdlets I'm using are part of the Active Directory module. You'll need to install the RSAT (Win7+) to use them.
  If you'd rather stick with your DirectorySearcher methods instead of moving to the AD module, you can adjust your output by using something like this instead:
  if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
  "$domainname\$($objResult.Properties.samaccountname)"
  $domainname might not be what you're expecting, just FYI.
  As for filtering, you can add to the if statement and check for your known usernames only.
  Don't retire TechNet! -
  (Don't give up yet - 12,700+ strong and growing)

• Active Directory migration from domain X to Y

  Hey Guys 
  Planning to migrate Child domain to another child domain inter forest with ADMT 
  we do have a small environment with Active directory integrated DNS, I do have a rough knowledge of migrating domains but still if there is any checklist kind of thing on priority (i.e migrate users first then do groups then computers then GPO) and let me
  know how much time it will take for 500 users 800 machines and 400 groups approximately .
  We do not have techinical Architecture guys to plan up , Please list out any excel sheets for migration if any
  Went through n number of blogs but still did not get any proper info about this , Thank you in advance

  1) I would recommend you first run a test of the steps in test before you do this in production.  Otherwise your production becomes test.
  2) By doing in test, you have taken a large amount of the risk out of the upgrade since, in test you should be able to look for any unforseen issues.  The easiest way to test is to build a virtual fence from production and clone the DC's and member
  servers that you want to test against (This is assuming you are running in a virtual environment).  Ensure that you production environment is error free.
  http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx
  3) There should be no downtime at all, you can just extend the schema and then promote a new 2012 DC (I would recommend R2 if you can).
  4) Before you do the schema extension you should take 2 backups on two different DC's.  Taking two gives you less of a chance of a problem if one of the backups fails.
  5)
  Take a backup
  Extend the schema
  Join the 2012 R2 servers to the domain
  Add the ADDS role to the 2012 R2 member servers
  Promote the 2012 R2 DC's
  Transfer the FSMO roles to the 2012 R2 DC's (Not required but recommended)
  If you want to retire the 2003 DC's, then you will need to make sure that any clients pointing to the 2003 DC's for DNS are pointing to other DC's.
  If you do retire the 2003 then you can think about updating the DFL and FFL of the domain and forest.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Authentication against Active Directory Forest

  Hello Everyone,
  I am new to JNDI programming and would appreciate any help in the following problem.
  I am planning to write a program using JNDI APIs to authenticate users against an Active Directory (AD) forest.
  Target AD forest contains multiple domains with two-way transitive trust between them. There are several users created in each of these domains.
  I would like to know what should be the general approach for authenticating users against such a topology.
  I have a working program which uses JNDI APIs to authenticate users against single Domain.
  A sample topology would contain domains like these.
  - abc.corp.net
  - xyy.corp.net
  - pqr.xyz.corp.net
  - hrdev.xyz.corp.net
  - lmn.corp.net
  Thanks in advance for any help
  Sandeep

  Hi,
  How does this relate to Sun Directory Server ?
  Regards,
  Ludovic

• Short root-domain names

  Not long ago I posted a problem about login-failures with an IE browser.
  We discovered that this happens only when one installs a portal (even 6.1 version) in a domain which has only two or less characters in it's name, ie "aa.nl". Adding a sub-domain ("portals.aa.nl") or changing the domain-name ( "aaa.nl") solves this problem.
  Netscape browers are not effected in any way. The problem has something to do with the iPlanet domain cookie being blocked / missed by the browser during a LDAP login attempt.
  The problem has been reported to SUN support. We have yet to find a proper solution to this problem.

  Hi Amber,
  The only way of doing it is having the section "domain_realm" in your krb5.ini:
  [domain_realm]
  child2.domain.com = CHILD2.DOMAIN.COM
  and so on, but Java is case sensitive and you should include all the possible combination that your users type.
  As Praveen suggested, if you set up SSO, users won't need to type anything and they will log to InfoView transparently.
  Regards,
  Julian

• What action required for Cisco Unity 8 if i am migrating Active Directory Forest

  HI
  Currently we have running cisco unity 8.0 in our environment. Now we are planing to change our domain name ( i.e from abc.com to xyz.com ) for that change what is the procedure to change the Cisco Unity Server domain name. We need to do anything on cisco unity software or just we neeed to change the domain name of the appliance.
  Please share your ideas.
  Thanks

  Renaming a Cisco Unity 8.x Server or  Moving a Cisco Unity 8.x Server to Another Domain
  http://www.cisco.com/en/US/docs/voice_ip_comm/unity/8x/upgrade/guide/8xcurug080.html
  HTH
  java
  if this helps, please rate
  www.cisco.com/go/pdihelpdesk

• Active Directory multi forest Kerberos authentication Tomcat

  Sorry. It is wrong forum. I forwarded my question to Business Objects forum.
  Hi,
  I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
  There is a trust between whose domains. I also set SPN and configured "Windows AD" tab in Central Management Console.
  I can add AD group from domain y and list users from that domain in Central Mangement Console. But when user from domain y tries to logon to BO he gets error java.lang.NullPointerException. Due to this error, he is unable to connect.
  There is also an error logged in Tomcat stdout.log file:
  70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
  If anyone has come across this situation, please share the solution.
  Thanks & Regards,
  Piotr
  Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

  Hi
  Is your enterprise is configured to a Java Active Directory?
  Then there can bemultiple causes:
  - The Java and the Central Management Server (CMS) are using encryption types that do not match.
  - The Service Principal Name in the CMC is incorrect
  Then to resolve this perform the following steps:
  - In the Central Configuration Manager, double-click the CMS, and note the service account used.
  - In Windows Domain users and computers, go to account properties for the CMS service account.
  - Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
  - Login to the CMC and verify (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
  - Restart the CMS server and log on.
  In a clustered CMS environment ensure that all CMS's are running under the same domain account.
  Hope this helps!!!
  Regards
  Sourashree

• SCCM 2012 AD Publishing in a Single Forest Multiple Domains

  Hi there,
  Let me explain the situation first so that you get the idea. We have a single forest, multiple child domains AD environment. For some reasons each domain is being managed separately by their geographic location IT.
  Forest has been extended for SCCM by the site who holds the forest root domain. Since everyone wants to manage their own domain and systems, each child domain have their own primary site server.
  In one of the domains I have installed brand new SCCM 2012 R2. I haven't done anything yet, havent turned on any discovery except Heartbeat. Now I see one device, which belongs to another domain with totally separate IP address, shows in my SCCM site. I dont
  know why.
  From here question arises for me. Correct me if I'm wrong and please advice what to do domain/forest wide.
  1. System Container is needed in each child domain, not in the forest, right?
  2. Where does/should each SCCM primary site publish information; in each domain or in the forest root domain?
  3. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing I see forest root domain name and its checked. 
  Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and its the only one in there. In that same window I went ahead and specified my own domain hoping
  to cure the possible problem.
  So, why would that one device show up in this site? I have disabled Heartbeat together with other discoveries for now till I make everything ready.
  Thanks for your help in advance.

  1. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing If I uncheck forest root domain will devices on my child domain still be able to find my site server?
  2. Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and its the only one in there. In that same window I went ahead and specified my own domain
  hoping to cure the possible problem. Is this a good practice?
  3. "When clients look for ConfigMgr info, they use GC lookups meaning they return objects from every System Management container in the forest." So, which one do clients choose and how?
  4. "For that one device, have you opened its properties and examined it?" Yes, what abou it? Its found based on Heartbeat Discovery agent (when heartbeat was enabled).
  5. "Have you reviewed the boundaries and boundary groups set up for site assignment?" Yes, as I mentioned this device belongs to different domain and totally outside of my AD site and SCCM boundaries.
  This is fresh install and not in production yet. I have disabled Heartbeat temporarily so that I fix this problem. I will enable it after.