Active Directory: One Way Trust from NT Domain to 2003 Domain being upgraded to 2012 R2

Similar Messages

• Remote Management of Hyper-V Across One-Way Trust

  In order to abstract our hardware from the platform, we would like to virtualize all of our physical machines, installing Hyper-V server and just running one VM on Hyper-V. We hope this will allow us to quickly migrate machines that currently cannot be on
  our virtual environment for whatever reason.
  We set up a management domain for all of the Hyper-V servers separate from our main domain. A one way trust was established between the main domain and the management domain, with the management domain trusting the main domain. On the management domain,
  we created a domain local group, called Management Domain Admins, which contains the foreign security principals from the main domain. The Management Domain Admins group is added to the Hyper-V built in Administrators group.
  Now here is the problem, from a workstation in the main domain, we can manage every part of that server except for adding a virtual hard disk. We can manage the firewall, we can look through the event log, we can create virtual machines and connect them
  to existing virtual hard disks, but we cannot create a virtual hard disk. The log returns:
  The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
  We disabled the firewall on both the workstation and the server with the same result. Using a workstation WITHIN the management domain, logging in with an account from the main domain, we can create a virtual hard disk. We have also tried enabling anonymous
  DCOM and adding the Hyper-V server to the Trusted Hosts list in WinRM to no avail. Also, using inline authentication, we can create virtual hard disks on the server BEFORE adding it to the domain. But as soon as it's added to the domain, we can no longer create
  hard disks.
  Appreciate any insight!

  I hope it isn't the trust and it's something dumb I forgot to set. I checked again and "cscript .\hvremote.wsf /anondcom:grant" returns "INFO: Nothing to do - ANONYMOUS LOGON already has remote access"
  Thanks!
  The event is generate from DCOM, 10028
  DCOM was unable to communicate with the computer <myserver> using any of the configured protocols; requested by PID      a34 (C:\Windows\system32\mmc.exe).
  The full trace is:
  2013-07-24 07:59:24.988 [15] USER_ACTION_INITIATED Wizards NewVirtualHardDiskWizard:CreateVirtualHardDiskOnBackgroundThread() Creating new virtual hard disk ...
  2013-07-24 07:59:24.997 [15] USER_ACTION_INITIATED VirtMan ImageManagementServiceView:BeginCreateVirtualHardDisk() Starting creating dynamic virtual hard disk 'D:\Hyper-V\Virtual Hard Disks\test.vhdx' (size = '136365211648')
  2013-07-24 07:59:26.645 [15] ERROR Wizards VMWizardForm:PerformWizardActionInternal() Failed to perform wizard action!
      The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
         at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
     at System.Management.ManagementScope.InitializeGuts(Object o)
     at System.Management.ManagementScope.Initialize()
     at System.Management.ManagementObject.Initialize(Boolean getObject)
     at System.Management.ManagementBaseObject.get_wbemObject()
     at System.Management.ManagementClass.CreateInstance()
     at Microsoft.Virtualization.Client.Management.VirtualHardDiskSettingData.GetVirtualHardDiskSettingDataEmbeddedInstance(String serverName, String namespacePath)
     at Microsoft.Virtualization.Client.Management.ImageManagementServiceView.BeginCreateVirtualHardDisk(VirtualHardDiskType type, VirtualHardDiskFormat format, String path, String parentPath, Int64 maxInternalSize)
     at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.CreateVirtualHardDiskOnBackgroundThread(Server server, VirtualHardDiskFormat hardDiskFormat, VirtualHardDiskType hardDiskType, String filePath, ConfigurationInfo configBase)
     at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.PerformWizardAction(Object stateObj)
     at Microsoft.Virtualization.Client.Wizards.VMWizardForm.PerformWizardActionInternal(Object stateObj)
  2013-07-24 07:59:26.754 [16] ERROR Wizards VMWizardForm:WizardActionFailed() Wizard action failed!
      The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
         at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
     at System.Management.ManagementScope.InitializeGuts(Object o)
     at System.Management.ManagementScope.Initialize()
     at System.Management.ManagementObject.Initialize(Boolean getObject)
     at System.Management.ManagementBaseObject.get_wbemObject()
     at System.Management.ManagementClass.CreateInstance()
     at Microsoft.Virtualization.Client.Management.VirtualHardDiskSettingData.GetVirtualHardDiskSettingDataEmbeddedInstance(String serverName, String namespacePath)
     at Microsoft.Virtualization.Client.Management.ImageManagementServiceView.BeginCreateVirtualHardDisk(VirtualHardDiskType type, VirtualHardDiskFormat format, String path, String parentPath, Int64 maxInternalSize)
     at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.CreateVirtualHardDiskOnBackgroundThread(Server server, VirtualHardDiskFormat hardDiskFormat, VirtualHardDiskType hardDiskType, String filePath, ConfigurationInfo configBase)
     at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.PerformWizardAction(Object stateObj)
     at Microsoft.Virtualization.Client.Wizards.VMWizardForm.PerformWizardActionInternal(Object stateObj)
  2013-07-24 07:59:26.755 [16] ERROR Client InformationDisplayer:GetErrorInformationFromException() Application encountered a non-VirtMan exception! Not going to display non-localized message to user.
  2013-07-24 07:59:26.756 [16] ERROR Client UnhandledExceptionHandler:HandleThreadExceptionInternal() Application encountered an unexpected exception!
      The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
         at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
     at System.Management.ManagementScope.InitializeGuts(Object o)
     at System.Management.ManagementScope.Initialize()
     at System.Management.ManagementObject.Initialize(Boolean getObject)
     at System.Management.ManagementBaseObject.get_wbemObject()
     at System.Management.ManagementClass.CreateInstance()
     at Microsoft.Virtualization.Client.Management.VirtualHardDiskSettingData.GetVirtualHardDiskSettingDataEmbeddedInstance(String serverName, String namespacePath)
     at Microsoft.Virtualization.Client.Management.ImageManagementServiceView.BeginCreateVirtualHardDisk(VirtualHardDiskType type, VirtualHardDiskFormat format, String path, String parentPath, Int64 maxInternalSize)
     at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.CreateVirtualHardDiskOnBackgroundThread(Server server, VirtualHardDiskFormat hardDiskFormat, VirtualHardDiskType hardDiskType, String filePath, ConfigurationInfo configBase)
     at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.PerformWizardAction(Object stateObj)
     at Microsoft.Virtualization.Client.Wizards.VMWizardForm.PerformWizardActionInternal(Object stateObj)

• One way trust relationship between different domain windows server 2012 in different forest

  I'd like to build trust correctly between the domains A.local and B.int. A.local is on a Windows 2012 . B.int is on a Windows 2012 . Both machines are
  connected to the same LAN. The forest level in A.local
  machine is Windows Server 2008 and The forest level in B.int
  is Windows server 2012.
  I want a one-way trust relationship, i.e. users from A.local gain access to B.local.
  my problem it i create the trust put when i go to validate the trust between A.Local and B.int give me this error :
   The secure channel (SC) reset on Active Directory Domain Controller \\dc2.B.int of domain B.int to domain A.Local failed with error: There are currently no logon servers available to service the logon request.
  NOTE : Recently I
  UPGRADE THE Active Directory FROM 2008 R2 TO 2012 and i ping on A.local to B.int
  it is ping by name and IP but from b.int ping by IP JUST >>>
  ihab

  Hi,
  yes i already do it the setup conditional forwarding between the 2 domains and
  the firewall it is off 
  ihab

• Cannot share documents with few users in one way trusted domain

  Hello
  I am running in a wiered issue. I setup people picker in SP 2013 foundation version to lookup the user from one way trusted domains after which I started getting all the users from that domain in my intranet. I can also share or modify the permission of
  users being administrator. However when I try to add 2 specific users as site collection administrator or try sharing a document, I get error.
  I can lookup their name but when I try changing their permission or share document with them, I get error. It's wiered because it is only with this two users. there is no difference from Active Directory point of view between these and other users. Please
  help or suggest some trouble shooting steps.
  Regards,
  Hardik Bhilota.

  Hi Hardik,
  What was the error message when sharing documents with the two users?
  Please also check the ULS log for detailed error message which is located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS.
  What is the permission of the two users in SharePoint site? Can they access the site?
  Please also run the two commands below to see if the issue still occurs:
  First, on every front-end Web server on a farm run this command:
  STSADM.exe -o setapppassword -password key
  Second, on a front-end Web server run this command:
  STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv domain:DnsName,user,password -url http:// webapp
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• Users see all applications in RDS 2012 Web access in one-way trust domain environment

  Hello!
  We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
  A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
  every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
  In the security log of wa.domainA.local we can find an event :
  An account failed to log on.
  Subject:
  Security ID:                IIS APPPOOL\RDWebAccess
  Account Name:                RDWebAccess
  Account Domain:                IIS APPPOOL
  Logon ID:                0x2C7B16
  Logon Type:                        3
  Account For Which Logon Failed:
  Security ID:                NULL SID
  Account Name:                
  Account Domain:                
  Failure Information:
  Failure Reason:                An error occurred during logon
  Status:                        0xC000005E
  Sub Status:                0x0
  Also in network trace on wa.domainA.local kerberos error could be found:
  On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
  How to deal with this issue? The aim is to show only specified applications to domainB users.
  Any help would be appreciated.

  Hi,
  Thank you for your posting in Windows Server Forum.
  Please check below links might useful for your case.
  “After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from
  this article)
  1. Remote APP list empty
  2. RD
  Web Access unable to access Source (RD Server)
  In respect to Kerberos Error, refer this link for troubleshooting.
  1. Troubleshooting Kerberos Authentication problems – Name resolution issues
  2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
  Hope it helps! 
  Thanks,
  Dharmesh

• One way trust WMI issues - only on domain controllers

  Hi all, 
  I'm having some interesting issues with attempting to setup remote monitoring via WMI from a trusted domain service account to some remote domains in our environment. There is a one way trust setup, and the service account has no problems with any client
  machines, but gets rejected when attempting to query the domain controllers. 
  I've verified this is an issue both in our enterprise and production environment. I assumed it had something to do with the Domain Controller Security Policy and added the account in question to the following policies to no avail:
  Act as part of the operating system
  Log on as a batch job
  Log on as a service
  Replace a process level token
  Now I'm beginning to suspect it's something to do with not being able to add the service account to the "domain admins" group, however I'd much rather a solution that didn't involve giving this account admin privileges at all. 
  I've given the account read permissions to /root/CIMv2 via the WMI control MMC snap-in, as well as DCOM remote enable and added it to the "Distributed COM Users" and "Performance Monitor Users" groups. 
  I'm fully out of ideas and my google-fu is failing. Anyone hit this before? 

  Hi,
  Yes, you will need to know the credentials of the domain admin in the trusted domain.
  You can try to use Get-WmiObject command, and input trusted domain administrator’s credentials, which should give you admin privileges.
  Using the Get-WMiObject Cmdlet
  http://technet.microsoft.com/en-us/library/ee176860.aspx
  If you have problems of applying Powershell, please refer to Powershell forum below:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell&filter=alltypes&sort=lastpostdesc
  Regards,
  Amy

• One Way Trust, Start with RWDC Then Go To RODC?

  So, we have an internal network and a DMZ network in play here.  I'm attempting to setup a one way trust so resources on the DMZ network can be managed from the internal network.  Internal network has RWDCs in its domain, and the DMZ has its own
  RWDCs in its own domain and a RODC from the internal network's domain.  The internal network's RODC is in its own site in AD and is confirmed to be communicating with the RWDCs in the internal network.  The RODC is not an authoritative DNS server,
  but can host a secondary zone or stub zone.  The functional level of the internal domain is 08r2 and the DMZ domain is 2012r2, if that matters.
  The task is to setup the one way trust, and its proving a bit difficult.  So far I've attempted both Conditional Forwarders or stub zones on the RODC and the DMZ RWDC, no dice.  There are no observed DNS replication problems within the domains
  themselves and using ping and nslookup, I've confirmed that DNS resolution is working between the RODC and the DMZ RWDC.  When I try to create the trust from the DMZ RWDCs, it fails saying the specified domain cannot be contacted.   Based on what
  I've read online in other posts and my inability to get around it, it seems that a trust requires a RWDC at each end to function.  If this is not the case, I would love to hear how it can be setup with a RWDC at one and and a RODC at the other.
  Now, if its correct that the trust requires two RWDCs to setup, what if it was setup with two RWDCs and then one of the RWDCs was removed and replaced with a RODC?  I guess what I'm asking is does it just require a RWDC at each end to be setup, or does
  it also require a RWDC at each end for the trust to function properly on an ongoing basis?

  Hi,
  Sorry it takes me some time for testing and reply.
  I've confirmed that it is fine to replace an RWDC to RODC after trusting is setup. You can set it in your environment. 
  If you have any feedback on our support, please send to [email protected]

• SCCM 2012 R2 cross forest with one-way trust feasible?

  We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows server 2012 R2).
  Our requirements are to support client our Windows 7 client PC's in Domain A and also support Xen Desktop clients in a separate domain (Domain B) and forest. We have a one way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be
  in Domain A the same as our current SMS 2003 server.
  What we want to do, at a minimum, using SCCM is:
  Client inventory (hardware, software, user) and package distribution.
  Is this do able or a no go? If not directly is there any work-around for this? Appreciate any helpful advice or feedback.
  I have made the below diagram to better illustrate the scenario:
  Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

  Hi,
  The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
  Quote:
  Inner-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
  In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a
  two way trust with the forest of the parent (CAS or primary).
  Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
  The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
  Most of these items were taken from this TechNet article – please refer to the article for more information -
  Planning for Communications in Configuration Manager .
  For more information:
  http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.
  Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
  http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
  Not sure which is correct...

• One-Way sync from Palm to iBook?

  Wiped my address book with a crashed sync, but the data remains on my Palm device (Treo 650). Anyone know how to setup a one-way sync from the Treo back into the iBook? Thanks, M

  Welcome to Apple Discussions.
  You should first try to correct the problem by dragging the AddressBook.data file out of your Address Book folder at the end of this path:
  Macintosh HD:Users:<username>:Library:Application Support:Address Book
  Duplicate the AddressBook.data.previous file, and rename it simple AddressBook.data and launch the application to see if it can recover your files.
  If not, you should understand that there is no easy, quick, painless way to achieve what you want - moving a copy of your handheld data to your Macintosh.
  You can restore synchronization to the Palm Desktop, by moving the Apple conduit out of the active Conduits folder, and by moving the following disabled Palm conduits out of the Disabled Conduits folder and back into the active one:
  • Address Conduit
  • Calendar Conduit
  • Contacts Conduit
  • Datebook Conduit
  • Tasks Conduit
  • ToDo Conduit
  (Only one of each conduit pair is used by your Treo 650, but these instructions would also apply to users of the older conduits.)
  By setting each conduit to Handheld overwrites Macintosh, you will transfer the data on your smartphone to the Palm Desktop, overwriting any existing records by doing so.
  You can then export contact data as a vCard file and calendaring data as a vCal file but, here's a problem: you cannot export task or to do data, so in this process, you will lose all of the to do items in iCal. Once you have exported the Palm Desktop data in vCard and vCal format, you can import the contents of each file into the Address Book and iCal, remembering that your vCal file contains only event—and not to do—data.
  You can then return the Palm conduits to the Disabled Conduits folder and the iSync Palm Conduit to the active one, and synchronize once again with iSync, choosing to overwrite the contents of your handheld with the data from the Address Book and iCal. Once again, say goodbye to your to do records. You do this by removing your device from iSync and adding it back prior to the next synchronization, causing the framework to act as if you have never synchronized before. Choose Replace (and not Merge) to avoid data duplication errors.
  Do you see why periodically backing up Address Book and iCal data is so important? To do so, just select the Back up Address Book in the Address Book or the Back up Database option in iCal.

• We are deloying IPhone 4s models in our organization and I am trying to setup a one way sync from Google to IPhone? Help

  We are deploying IPhone model 4s in our organization and we want to have a Global addressbook. I have setup with Google using Gmail and accessing the contacts however this provides a two-way sync. I need the setup to be a one-way sync from Google to IPhone only!
  HELP

  I use the same id and password as I want them all in the same place.  I have tried other solutions offered here like turning off contact, saving to the phone and turning them back on and merging.  still no contacts go to icloud.

• HT1535 How do I do a one-way sync from computer to I-pad? Outlook Contacts only.  It has already been synced and there is bad info on I-pad that I don't want on my computer.

  How do I do a one way sync from contacts in computer (Outlook), to contacts on I pad (also for I-phone)?  Contacts on I-Pad are incorrect and I do not want to add them back to my computer?
  Alternatively, is there any way to delete contact groups all at once instead of one contact at a time?
  Thank you in advance...
  David McKercher

  1. Create a new Profile.
  https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles#w_creating-a-profile
  https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
  2. Then use that new Profile when you connect to Sync on the old laptop.

• One way replication from MS sql server to Oracle 10g

  Hi,
  We are using Sql server 2005 windows 2003 32 bit and Oracle 10g 10.2.0.3 on linux 64 bit
  Is it possible to replcate table data on real time from sql server (2005 32 bit or sql server 2000 32 bit)to oracle 10g running on linux 64 bit?
  If yes then what are the steps.
  It will be one way replication from sql server to oracle.
  Which option is best sql server dts or Oracle Stream replication to replicate table data?
  Regards,

  If you want to push data from SqlServer, then ODBC, Linked tables, DTS etc.
  If you want to pull data from Oracle, then Heterogenous Services / Gateway.

• Anyway to reset/reload the iCloud Contact list from a good know source (one way synch, from an iOS device to iCloud)?

  Is there anyway to reset/load the iCloud Contact list form a good known source?
  i.e. One way synch, from an iOS device to iCloud (The way we used to be able to do it with MobileMe)?
  My current iCloud Contact list is messed up and I want to reset/reload it with a good know list from one of my iOS devices, but I can't find a way to do it, or at least it is not obviouse to me.
  Any help is greatly appreciated.

  I agree ! Need to be able to flush out and reset what's in the Cloud easily/simply, then start a new sync from a known good source.
  So far, not impressed (again) with Apple's syncing prowess...

• Active Directory cross forest trust which are deployed in separate subscription

  Hi All,
  I know that this is not Azure forum, but I have a question related to Active Directory, Appreciate your understanding and letting me know your concerns about AD cross forest between two subscriptions of Azure.
  We have two separate subscriptions of Windows Azure under one Global Account, previously these two subscriptions are treated as a separate company and they are having separate forest and separate domain, these two companies does not have any site to
  site VPN with each other over the wan, but these two companies are having site to site connection with Azure for their own subscription respectively.
  Additional domain controller for both subscriptions are deployed in Azure in order to authenticate those servers which are already deployed in Azure
  Due to some reasons these companies are merging together and due to some reasons they want to have cross forest trusts between these two companies. As we do not have any WAN connection between these two companies the questions has been raised that can we
  do a cross forest trust between two Active Directories because these two are deployed in Azure and both companies active directories are deployed in Azure.
  Can we achieve this and how we can achieve this, I know that we can expose servers in Azure over the internet by creating endpoints and allow ACL in order to get connection from specific public IPs.
  My question is can we achieve this, does it supported from Microsoft. if yes then is there any thing we have to consider before deploying it.
  Thanks
  If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

  No, i am not using Windows Azure Active Directory at all, i have deployed additional domain controllers from each forest on each subscription.
  For example in subscription 1 we have additional domain controller of forest 1 and in subscription 2 we have additional domain controller of forest 2.
  Thanks
  If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

• 2-way Trust Relationship between Windows and Mac Domain

  Hi guys I hope someone can help me.
  Just a quick explanation of what I am trying to do.
  I have an Xserve running OSX 10.5.8 server, which is the OD Master. On that server I’m running Kerio mail server. I have a Microsoft 2003 server running AD.
  The problem is I need to run BlackBerry Enterprise on the Windows server as the BlackBerry need active directory to work.
  Since I have both system already running, I do not want to destroy my open directory just to get the BlackBerry working.
  So what I have tried to do is create a 2-way Trust Relationship between the 2 domains, so the BlackBerry server will talk to the Kerio mail server.
  The trust relationship appears to create fine from the Windows server side, but I’m not able to retrieve LDAP information from the open directory server.
  The creation from the OSX server starts fine automated but then I had to finish it manually.
  Has anyone else here created a 2-way trust relationship between Windows and Mac’s before? Any help on how you did it would be appreciated. Thanks

  Have you checked on when the computer last checked in and changed the computer account password with the domain?  When a computer changes it's password, Active Directory will store only the current password and it does not expire.  The workstation
  will store both the current password and the previous password.  This for cases when you may restore Active Directory to a point before the computer password change.  
  To handle this, the workstation will try it's current password, then it's previous.
  If you're restoring the workstation to a previous point in time, you may be rolling the stored passwords back too far for Active Directory to accept.  I would only imagine this to be the case a handful of times if you're going back 1-2 days.
  Are you experiencing 100% failure?