AD authentication for domain in another forest- XI R2

Similar Messages

• Move domain to another forest (forest trust)

  Hello
  I have a forest with many domains , and other forest with a domain. They include a trust set up and working . I would like to have only one forest, but it would need to move that single domain in additional forest, and would like to know if it is possible then
  moving a domain from one forest to another forest in forest trust ?
  Thanks also suggestions stop solve my problem

  You're asking to move the domain itself? No, you can't move the domain. You can create a new domain in the forest you want to consolidate to, and then migrate users and groups to that forest. You'll have to migrate workstations and users and repoint
  applications as well, if needed. And then, you're not really moving them, you are creating new ones and copying properties of those objects. You mentioned a forest trust but all the forest trust allows you to do is to assign/use permissions from one forest
  in another. People speak of moving objects but like I said, for users and groups you're simply creating new ones with the same names, and copying properties over. Computers/servers are joined to the new domain, but it's a new computer account, not one that
  gets moved over.
  You'll need a migration tool to do this smoothly. As Malek mentioned ADMT, yes this is one tool that can do this. It's not necessarily the best or easiest tool, but it's free from Microsoft. There are also other third party tools such as Dell/Quest
  Migration Manager for AD and BinaryTree also has similar tool (there are others out there too). Those two latter tools have the ability to add permissions (ACL entries) to new domain objects, based on the old ACLs from the source domain. This can be a huge
  help for servers and workstations (allows the users to continue to use their same profile after their computer is migrated, and they are using their new user account. Otherwise Windows would just create a new profile when the user logged in with his/her new
  domain account.
  Depending on the size of the domain you want to move (how many objects), this could be a pretty big project. There's a lot going on in a migration, and based on your question, I'd recommend finding help with it if you can. There are a number of companies
  and consultants who specialize in AD migrations, even some consultation for planning could help tremendously.

• PEAP authentication for domain & non-domain computers

  Hello Everyone,
  Some of our users have laptops that are not in the domain and are unable to connect to the wireless network. Although their computers aren't in the domain, the users do have an AD account and are currently a part of the security group attached to the Wireless NPS policy. The only remedy I have for this problem is to manually add the SSID to their computer which defeats the purpose of this wireless network. The ultimate goal is to allow the user to connect to the wireless network by entering their domain credentials and moving on.
  We have a WLC 2504 running 7.4.110.0 with 15 1602i APs. The SSID is configured to pass 802.1x EAP authentication to NPS running on windows 2008 R2. With mobile phones and tablets, the authentication is successful without a hitch so I don't understand why a non-domain computer is unable to connect without manually entering the SSID. In the WLC log, I will see entries such as:
  "AAA Authentication Failure for UserName:host/LastNameFirstInitial-LT.mydomain.Local User Type: WLAN USER".
  By examining this log entry, to me it says the domain profile on the computer is being sent to the NPS for authentication instead of the username and password. We have a  3rd party SSL certificate installed on the NPS server. 
  Taking it one step further - We have a second SSID for guest users that is configured with the same setup except that the NPS is configured to accept authentication attempts from a single AD user called "mydomain\guest". We decided on this approach for the guest wireless network so that we can rotate the password automatically every week with a vbscript that manipulates the password via LDAP. Users with laptops in different domains are unable to connect to the guest wireless network and I'm starting to think the machine authentication is a problem. 
  Any suggestions would be greatly appreciated.
  Thanks,
  Ali.

  Hi Ali,
  That’s all part of the wonderful world of wireless on Windows.
  When a connection to a WLAN is made on a windows machine, by selecting it from available Wireless Networks list (Passive RF Scan), and Windows as parsed the 802.11 AP Beacon to contain the WPA2, 802.1X element, by default it will attempt to connect with known or active session credentials.
  Typically it will be Machine account (they all have them whether on a Domain or not) and then /Or User. This order and preference may change depending on version of Windows (Vista to Windows 8) and service pack level.
  Regardless the only thing you can count of for sure is that the first authentication attempt from a windows client will not involve the user entering information. Once the first attempt fails the Windows supplicant will prompt the user for login information via a notification in the system tray, which may or may be noticed by the user. May or may not stay for more than 5 seconds.
  Windows XP and Vista were the worst for this. Windows 7 and Windows 8 this process and recovery and user prompt mechanism is greatly improved but not infallible.
  The only way to avoid this would be to manually configure the WLAN profile on the windows machine as you are currently doing.
  Mobile phones and tablets don’t have this issue as they don’t have issue because software coding in their supplicants. Besides the only “system” credentials on iOS or Android phone are typically your Play Store and App Store accounts, and both vendors know those won’t be accepted for network access by default anywhere.
  There isn’t an easy way to support non-domain windows systems on a domain integrated one.
  You might want to try adding another SSID.
  You could have a corporate SSID, Guest Portal and a third that is PSK + Guest Portal. ON NPS you could filter for RADIUS attribute called-station-id (includes SSID) to allow all domain ID’s access instead of the just that WLAN.
  Or you could look at swapping out NPS for a Cisco ISE VM/appliance with the new Plus licenses add lower cost for onboarding devices and Windows XP and up are supported for supplicant configuration via ISE.

• Converting a Domain in an other forest to a child domain in another forest!!

  Hi All,
  I Was wondering if there is any possibility to convert a domain to a child domain?
  I'm aware of ADMT and i have used it before. I want to know if there is any trick for managing the name resolution with internal and published web applications?
  **************** Sincerely Yours Ziyaei Ali *****************

  I Was wondering if there is any possibility to convert a domain to a child domain?
  No.
  Imagine There are 2 servers published through out the internet. (actually a lot more) this servers has web applications. Both internal users and external users are using the web applications. Obviously the internal users are using the private IP and
  the external users are browsing through the Public IP. (All done by name resolution through internal and external DNS servers)
  Now, in these web applications there are some hyperlinks which forward the client to the other server by FQDN.
  I do not see a problem with that. If your internal domain name has the same name as your external domain then simply maintain properly a split-DNS setup. You can manage internally the DNS resolution for internal users and make them point to private / public
  IP addresses to access your resources depending on your needs. I do not see a problem with that and I do not see why you would like to do major changes to avoid that.
  If for some reasons you would like to rename your domain then you can consider reading that: https://technet.microsoft.com/en-us/library/cc738208%28v=ws.10%29.aspx
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• [SCCM 2012 R2] - IBCM - Authenticate computers on TMG from another forest

  Hi All,
  There is no article on TechNet that describe client certificate requirements for computers in another forest.
  Scenario:
  We have Domain A [aaa.bbb.ccc] and Domain B [111.222.333] and those domains are in different forest. There is "Forest" trust between forests.
  TMG and IBCM site server are in Domain A and computers authenticate successfully from Internet to TMG using SSL client authentication. Problem are computers from Domain B that cannot authenticate to TMG.
  We used old documentation
  https://technet.microsoft.com/en-us/library/cc707697.aspx#AppendixA for SCCM 2007 and ISA without success. I created certificate for computers in Domain B with custom
  SAN:upn=<hostname>$@<domain.tld> and TMG still cannot authenticate computers from Domain B.
  Please help.
  Thank you in advance.
  Regards,

  There's no difference -- ConfigMgr does *not* care about forests, domain, or trusts for client authentication and neither does certificate based authentication.
  The certs in use, both the client auth and server auth certs, must of course be trusted by the site systems and the clients and in this case the TMG server -- that's simply how certs work though and has nothing to do with ConfigMgr. Additionally, the CRLs
  for the certs in use must be accessible to the clients and servers via an accessible CRL DP but that is also simply how certs work.
  For what you've described above, does TMG trust the certs issued to the clients? In other words, does it trust the CA that issued those certs and can it access a CRL for that CA?
  Jason | http://blog.configmgrftw.com | @jasonsandys

• "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Kpdn, 
  Thanks for your post.
  All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Exchange Migration from One domain to another domain on same forest

  Team, 
  we are in the process of migrating exchange infrastructure from one child domain to another child domain within same forest.
  root domain - root.com
  child domains - US.root.com and EMEA.root.com
  EMEA and US Domains setup are different from each other. Like EMEA has different email address policy , Email Flow than US , connectors etc.
  Now we need to migrate all emea users under US Domain. based on the geographical locations, we are building a new dc, mailbox , cas servers on EMEA location , but these servers will be part of US Domain.
  for CAS Servers - we are planing to register respective sites ( site affinity), so all the local requests will be handled by new cas server which is built under US Domain.
  Mailbox Servers - we would be creating new db's and the limits  on new mbx server and going to replicate as its on EMEA Mailbox server.
  can some one please let us know what are the precautions , recommendation, sequence which we need to follow to perform smoother migration. as of now , I can think of below topics.
  Mailbox Migration  -I  Have a script , which
  will take care of mailbox movement once the objects are being moved.
  Contacts Migration - Willard Martin blog helped me to perform migration
  DL Migration - I believe there is no mechanism to migrate DL. only option is to recreate.
  Email address Policy:we would be creating a new address policy and apply to OU's
  DB Consistency check – do we have to perform the health checks on source mailbox server to see , the servers are free from errors /corruption.
  Check outlook configuration - After the migration, we need to check and see , the exchange server/ auto discover works and identify the new exchange servers.
  Internal /External Email flow.- 
  Active Sybc , OWA
  Public folder Migration -
  Offline Address Book
  Certificates
  any help or suggestions would be great.
  Srinivasa K

  Hi Srinivasa,
  According to your description, I think you have done all the preparation.
  For DL migration, the following article may give your some hints:
  How to Migrate Distribution Groups Across a Forest
  Good Luck!
  Niko Cheng
  TechNet Community Support

• How to bypass from OAM authentication for certain domain

  Hi All,
  We are trying to unprotect certain domain from OAM domain but coudn't. Please help us fix this issue.
  Environement details:
  We have two nodes, one node for OAM_OSSO and another one for OSSO_Portal application.
  OAM server details:
  In this server, oracle application server single sign on(services are HTTP, OC4J, and OID) and OAM. Integrated OAM_OSSO using [ID 979827.1]
  Portal server details:
  In this server, oracle application server single sign on(services are HTTP, OC4J, and OID) and portal weblogic server(portal application) is running. portal weblogic is registered with thier own portal OSSO.
  In OAM, We protected following portal url's
  /sso/auth      
  /pls/orasso/orasso.wwsso_app_admin.ls_login
  portal _OAM integration is working fine.
  Now portal team come with new requirement for customer, application also running in their same portal weblogic server and that portal application domain is alreday registered with Portal OSSO and Portal OSSO page is protected by OAM. the requirement is bypass OAM authentication, and need to authentication against their own portal OSSO+OID.
  Please tell me how to bypass OAM authentication from this scenerio.
  -Sarath

  Hi MD,
  Thanks for your update.
  We are using oracle 10g. Please tell me how Anonymous scheme will help us to get out from this issue.
  Portal Weblogic server registered with portal IDM server and portal IDM server OSSO protected by IDM OAM. So if i tried any of the application which deployed under portal weblogic server will get protected by OAM right. Please correct me if iam wrong.
  In this scenerio we have two OSSO, one in OAM node and another one in portal server. Now portal team come up with new webserver domain for customer, in customer scenerio we want authenticate againt portal OSSO with their own OID rather than using OAM authentication. Here my concern is, customer or employee the portal weblogic server and portal OSSO are common for both user but only difference in webserver domain.
  So if i tried to access customer application, then customer webserver redirect to portal weblogic for open the requested page(note if webgate not in picture). portal weblogic server is register with portal OSSO and its redirect to portal OSSO for authentication but Portal OSSO server integrated with OAM using webgate.
  1. When tried to access customer application ,Portal OSSO server tried to show own sso login page for authentication but Portal OSSO server already integrated with OAM. so portal OSSO server requested to OAM to access portal sso login page not the request of customer page login.
  2. here,portal OSSO login page protected and OAM serve login page for OAM authentication against OAM OID. If i specify anonymous scheme for customer domain then how will work here, portal OSSO requested to OAM to access portal OSSO login page not the customer page or employee page...
  Here OAM authentication will come into picture for all scenario but need bypass for customer login.
  Requirement is when customer trying to access then authentication need to happen in portal OSSO not in OAM. Hope you understand the architecture.Please suggest how.
  -Sarath
  Edited by: 898990 on May 11, 2012 8:22 PM
  Edited by: 898990 on May 11, 2012 8:25 PM

• Powershell Copy User Description from one Domain to another in one Forest

  Hi.
  I would like to copy the Description field from one domain to another domain in the same forest.
  First I would like to get the following data from source domain
  - SamAccountName
  - Description
  - Office
  - Job Title
  - Department
  - Manager
  I would like to get these informations to a txt-file. That I can manage myself, I think.
  These values shoud then be set on the destination domain - and here my powershell skills are not suffecient. How do I add these values from txt-file to existing users? (if some users aren't there, the script should continue)....
  I can Get-AdUser -Identity xxx -Server sourcedomain and Get-AdUser -Identity xxx -Server destinationdomain from the same powershell windows.
  Regards
  Carsten
  Carsten

  Hi. Thank you very much for helping me out. I tried the above script and added in additional properties.
  When I run the script, I only get one line in my csv-file, the Office-field is empty and all items appear on screen instead of output to file.
  The script looks as follows:
  $ou = [adsi] "LDAP:<Server>"
  $searcher = New-Object System.DirectoryServices.DirectorySearcher $ou
  $searcher.Filter = 'objectClass=user'
  $result = $searcher.FindAll()
  foreach($contacts in $result)
   $contact = $contacts.GetDirectoryEntry()
   $contact | Select-Object -Property @{Name="SamAccountName";Expression={$_.SamAccountName}},
             @{Name="Description";Expression={$_.Description}},
             @{Name="Office";Expression={$_.Office}},
             @{Name="Title";Expression={$_.Title}},
             @{Name="Department";Expression={$_.Department}},
             @{Name="Manager";Expression={$_.Manager}}
  $contacts | Export-Csv -Path output.csv
  Carsten

• EJB call from one domain to another, authentication problem

  Two Weblogic servers. WLS A and WLS B. Different domains. Trust relationship between the domains can't be established.
  I have an EJB in WLS B and there is a Web Application deployed to WLS A. There are method-permission declarations in the EJB descriptor xml.
  Step 1. User authenticates to Servlet in Web Application (WLS A). Authentication is done with Http Basic Authentication.
  Step 2. Servlet makes a JNDI lookup to get a handle to the EJB. Handle can not be fetched with the authentication information which was provided by user to servlet. This means that I need to specify a different username and password, which should be used for authentication at WLS B.
  Step 3. After getting a handle to the EJB Servlet calls a method of the EJB.
  Everything seems extremely simple. And it should be. But no.
  At step 2 servlet propagates authentication information from WLS A to WLS B. This authentication information is valid only inside WLS A, not in WLS B. Result: SecurityException: Invalid Subject.
  Setting SECURITY_PRINCIPAL and SECURITY_CREDENTIALS to InitialContext while creating it still results in propagation of authentication information. Same exception.
  So I tried something else.
  Tthe code doing the JNDI lookups and EJB calls was wrapped inside Security.runAs(new Subject(), ....) -block. Authentication information is no longer propagated to WLS B. So JNDI lookup succeeds, excellent!
  But we only got one step further. Now we still need to make the call to EJB method at step 3.
  Now that EJB method call results in Security Violation: User: <anonymous> has insufficient permission to access my method.
  It's a bit strange, because username and password (for WLS B) were provided for InitialContext while creating it. If the password is invalid, the InitialContext can't be created. So it seems that atleast the username and password ARE checked at WLS B.
  Any help and/or suggestions would be highly appreciated.
  Here is a misc list of some misc wondering:
  -Step 2. Should we make the JNDI lookup to JNDI tree of WLS A instead of WLS B. If we do so, then we should use ejb-ref's at web.xml. This was also quickly tested with no results.
  -Would run-as-identity (or some similar element) help? Maybe we could set up some Credential Mapper to WLS A, which would provide username/password when making calls to EJB's of WLS B. Documentation about Credential Mappers seems to be quite useless.

  There was a time, and it was quite some time ago when something similar was tried and it didn't meet with much success. Sure, it may not have been Domain files, it may have been something more like, say, rocks, but the general principle still applies. If you look at the XML and media parts that make up a Domain file, you can think of those pieces as analogous to the atoms in your average run-of-the-mill rock. Though the atoms in two given average run-of-the-mill rocks may seem quite similar, and cracking them open reveals innards that are almost entirely, but not quite, the same, it's still quite difficult to make one whole rock out of the two.
  Now, some say alchemists might be able to accomplish this quite daunting task, but, until a study of use for Domain files (perhaps XMLchemy?) is initiated and studied most earnestly, we shall probably remain unable to bring about the union of one Domain file and another. Or were we talking about the rocks? (You can't melt Domain files, can you? The thought just hit me is all...)
  How's that for a long answer?

• How to migrate Distribution list from one domain to another within same forest

  team,
  we are in the process of migrating all users mailbox, DL and contacts from one domain to another within a same forest.
  can some one please let me know how can we migrate them without loosing the group membership and exchange attributes.
  Kindly help.
  Srinivasa K

  I ran all of them 
  First Command , it works very well and its removed the exchange attribute
  $DomCtrlr = (Dir env:Log*).Value.Replace('\','')
  Get-MailContact -OrganizationalUnit Contacts -DomainController $DomCtrlr | Export-Csv E:\MailContacts.csv
  Get-Contact -OrganizationalUnit Contacts -DomainController $DomCtrlr | Export-Csv E:\UserContacts.csv
  Import-Csv MailContacts.csv | Disable-MailContact -DomainController $DomCtrlr
  Second command
  $DomCtrlr = "DCNAME"
  $MailContacts = Import-Csv E:\MailContacts.csv
  $UserContacts = Import-Csv E:\UserContacts.csv
  after running the above command, I copied below on note pad and saved as .PS1 , as per your advise I make sure that starting with new-mailcontact and below 2 are is same line and Executed the ps1 script.
  Scipt rans but didnt give me any error mesage.
  ForEach ($Contact in $MailContacts) {
      $UserContacts | ? { $_.SamAccountName -eq $Contact.Alias } | % {
          New-MailContact -DomainController $DomCtrlr -LastName $_.LastName -FirstName $_.FirstName -Alias $_.SamAccountName -DisplayName $_.DisplayName -Name $_.Name -ExternalEmailAddress $Contact.ExternalEmailAddress -OrganizationalUnit
  Test_con    }
  By Running
  $MailContacts : it provided the stored value for users
  $UserContacts: it
  provided the stored value for users
  after runing below in  single notepad as .ps1 , not getting error message , but its not giving any
  output nor error.
  suspecting something needs to b checked on for loop
  ForEach ($Contact in $MailContacts)  {
      $UserContacts | ? { $_.SamAccountName -eq $Contact.Alias } | % {
          $_
  Hope this explained clearly.
  Srinivasa K

• Authentication for multiple AD domains

  Hello,
  Currently we have MS AD datasource as UME for all our internal portal users. We also have spnego setup for authentication  for our EP 7.0 The user path and group path is of the form   dc=dom1 dc=company dc=domain dc=com.
  Now we are planning to add additional domains to authenticate users .
  Will the configuration differ if they are maintained on a different ldap server altogether or when only the user and group paths are different for the new domains as shown below?  The user path and group path is of the form dc=dom2,dc=company,dc=domain,dc=com and
  dc=dom3,dc=company,dc=domain,dc=com.
  It seems that we have to change the datasource file for the additional ldap scenario.But are both of these the same,Would appreciate if someone could clarify this.
  Rgds

  Vineeth,
  Within the 1 file, you can setup n-number of datasources.  Below is an example.
  As for having SPNego work for only 1 of those datasources (AD domains), I can't say if that will work.  We have SPNego working for all our domains.  There is probably something you can do within AD or your domain controller to limit Kerberos authentication.
  <?xml version="1.0" encoding="UTF-8"?>
  <!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
  <!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
  <dataSources>
       <dataSource id="PRIVATE_DATASOURCE1" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
            <homeFor>
                 <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                 </principals>
            </homeFor>
            <notHomeFor/>
            <responsibleFor>
                 <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                 </principals>
            </responsibleFor>
            <privateSection/>
       </dataSource>
      <dataSource id="PRIVATE_DATASOURCE2" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
              <homeFor>
                  <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                  </principals>
              </homeFor>
              <notHomeFor/>
              <responsibleFor>
                  <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                  </principals>
              </responsibleFor>
              <privateSection/>
      </dataSource>
      <dataSource id="PRIVATE_DATASOURCE3" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
              <homeFor>
                  <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                  </principals>
              </homeFor>
              <notHomeFor/>
              <responsibleFor>
                  <principals>
                      <principal type="group"/>
                      <principal type="user"/>
                      <principal type="account"/>
                      <principal type="team"/>
                      <principal type="ROOT"/>
                      <principal type="OOOO"/>
                  </principals>
              </responsibleFor>
              <privateSection/>
      </dataSource>
  </dataSources>

• AD Migration from one domain to another domain between different Forest.

  Dear Team,
  We have a domain named "test.gov.in" .Now we want migrate all the users,computers,groups,GP ....etc in to our new domain "abc.net".Operating system of the source DC and destination Dc is same (Windows 2003 32 bit)..
  Pls provide me the steps to migrate one  domain to another domain between different forest
  Thanks
  Anurag

  Would agree with Christoffer and migrate using ADFS but before you can do this you will need to set up a trust between the two domains.  Once this has been accomplished then you can run ADMT.
  http://technet.microsoft.com/en-us/library/cc740018(v=WS.10).aspx
  Downloading ADMT is a free tool from Microsoft
  http://www.microsoft.com/en-us/download/details.aspx?id=8377
  ADMT Guide
  http://www.microsoft.com/en-us/download/details.aspx?id=19188
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.
  I think you mean ADMT and not ADFS :)
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Objects showing from another forest\domain ...

  Hello Community
      On Windows 2008 Server when I go to Windows Explorer, under "Network"
  in the right pane there are 4 columns:
  Name               Category              WorkGroup            
  Network Location
      It is here that I see my server's names under "Name", Computers under
  "Category", NetBios name under "Workgroup" and FQDN\Forest name under
  "Network Location" which is fine.
      However in addition to my own objects that I see in the right pane of
  Windows Explorer I also see objects from another domain the exists in
  a totally separate forest, how can I see or how could those objects reside
  or be displayed in my forest\domain (unless someone else put them there)?
      Thank you
      Shabeaut

  Hello Susie Long
      There is only one network.
      There are 2 separate forests.
      Each forests has has separate domains.
      Under "Network" not all of the objects from the other domain 
  in the other forest are being displayed, only some of the objects 
  from the other domain in the other forest are being displayed under "Network"
  in this forest.
      That is what is puzzling, are you saying that all of the objects from
  the other domain in the other forest should be visible in this forest and if
  so why aren't all of the objects visible (I was under the impression that
  only the objects in this domain in this forest should be visible under "Network"
  in this forest)?
      Thank you
      Shabeaut

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.