AD FS in Forest Root Domain
I have an AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me if I need to do any further configuration to have it authenticate users from the child domain, or if that should just magically happen because of the parent-child trust relationship.
Upon rebuilding the server again and making sure that the server name and the pool name were different so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS URLs. It will prompt me for my credentials 3 times and then tell me I am not authorized. I have been searching on the web but have been unable to find the solution. I have made DNS changes, added HTTP SPN entries, changed the authentication settings in IIS... I am stuck. Any help would be great.
I have been using the "AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation".
I am trying to federate with a different organization where I am the IP and I have no control over the SAML 2.0 side... That being said, I changed my DNS and now I can get to my server using the IDPInitiatedlogon URL. When I run through the URL that bounces me between the other organization and then back to my AD FS server... I get stuck in a loop where it asks me for credentials 3 times and then tells me I am "Not Authorized".
Here is a bit of the fiddler trace:
https://<other-org-adfs>/adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust
http://<my-org-adfs>:443
http://<my-org-adfs>:443
http://<my-org-adfs>:443
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
http://<my-org-adfs>:443
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
http://<my-org-adfs>:443
It seems to be stuck looping between /adfs/ls and /adfs/ls/auth/integrated. It then times out and gives me the error in the browser.
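The trace above shows the browser bouncing between /adfs/ls and /adfs/ls/auth/integrated with a credential prompt on each pass, and the repeated prompt-then-401 pattern at the integrated endpoint is typical of Windows Integrated Authentication failing to obtain or validate a Kerberos ticket for the federation service. Since the post already mentions re-creating SPNs after separating the server name from the service name, the SPN registration is the first thing to verify. The script below is an added example, not code from the post or from Microsoft: run from the forest root, it checks that the HTTP SPN for the federation service name is held by the service account and by nothing else in the whole forest, and that no machine account carries a matching HOST SPN. The names adfs.example.com (the <my-org-adfs> host) and svc-adfs (the AD FS service account) are assumed placeholders.

```powershell
# Added example: verify the HTTP SPN for an AD FS federation service name
# across the forest. Not part of the original post.
# Assumptions (replace before use):
#   adfs.example.com -> the federation service FQDN (<my-org-adfs> in the post)
#   svc-adfs         -> sAMAccountName of the AD FS 2.0 service account
# Requires the ActiveDirectory module (RSAT) on the machine that runs it.
Import-Module ActiveDirectory

function Test-AdfsServiceSpn {
    param(
        [Parameter(Mandatory = $true)] [string] $FederationServiceFqdn,
        [Parameter(Mandatory = $true)] [string] $ServiceAccount
    )

    $spn = "HTTP/$FederationServiceFqdn"

    # Query the global catalog of the forest root so that accounts in every
    # domain of the forest (including a child user domain) are covered.
    $gc = "$((Get-ADForest).RootDomain):3268"

    # 1. SPNs currently held by the service account.
    $account = Get-ADObject -Server $gc -Filter "sAMAccountName -eq '$ServiceAccount'" -Properties servicePrincipalName
    if (-not $account) {
        throw "Service account '$ServiceAccount' not found in the forest"
    }
    $hasSpn = $account.servicePrincipalName -contains $spn

    # 2. Every object in the forest that carries the same HTTP SPN. A second
    #    holder is a duplicate SPN: the KDC cannot tell which account's key to
    #    use for the service ticket, and integrated authentication fails.
    $holders = @(Get-ADObject -Server $gc -Filter "servicePrincipalName -eq '$spn'" -Properties servicePrincipalName)

    # 3. A HOST SPN for the same name (present on every computer account for its
    #    own host name) also covers HTTP, so if the federation service name were
    #    still equal to a server name the two registrations would collide.
    #    The post renamed the service to avoid this; the check confirms it.
    $hostHolders = @(Get-ADObject -Server $gc -Filter "servicePrincipalName -eq 'HOST/$FederationServiceFqdn'")

    [pscustomobject]@{
        Spn                 = $spn
        ServiceAccountHasIt = $hasSpn
        Holders             = $holders.DistinguishedName
        HostSpnHolders      = $hostHolders.DistinguishedName
        Healthy             = ($hasSpn -and $holders.Count -eq 1 -and $hostHolders.Count -eq 0)
    }
}

# Assumed names; replace with the real federation service FQDN and service account.
Test-AdfsServiceSpn -FederationServiceFqdn 'adfs.example.com' -ServiceAccount 'svc-adfs' | Format-List
```

From a plain command prompt, `setspn -X` performs the same forest-wide duplicate search and `setspn -L svc-adfs` lists the account's SPNs; `setspn -S HTTP/adfs.example.com svc-adfs` registers the SPN once with a duplicate check. For AD FS 2.0 the account holding HTTP/<service name> must also be the identity of the IIS application pool that serves /adfs/ls; if the two differ, the service ticket is issued under one key and decrypted with another, which surfaces as exactly the repeated prompts followed by 401 seen in the trace.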
Similar Messages
-
Forest root domain displayed as network label, rather than child domain
Following on from this post (which I stupidly contributed to without realising it's a gazillion years old):
http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
I run a DMZ child domain which is pretty tightly locked-down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state why this should be the case clearly, and a vague response
from support saying that 'Product Group' (which one?!) have been asked for feedback was never followed up on.
Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key & deploy either by GPO or batch file, I'm SOL finding a solution to this - but would at least like a viable explanation for the behaviour, as opposed to 'it's by design'.
Can I ask if something is not working correctly because of this? The display of the connected network does not affect communication or how DNS will resolve. Are you chasing this down because you don't like the display, or is there an outage?
Thanks!
- Chris Ream -
**Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.** -
Hi,
First let me explain my Exch 2013 SP1 Multidomain set up.
1. DA as Forest Root domain, having schema master domain role installed.
DB as Tree Root domain in above forest
DC as Child domain in Tree root domain.
2. After set up, I ran 'netdom query fsmo' on each DC. It displayed schema master role on forest DC and domain role on individual DC on which command was run.
3. Now to install Exch 2013 SP1, ran appropriate command on forest DC (i.e PrepareAD, Prepareschema and alldomain).
4. Brought 1 machine in Child domain and installed Exch 2013 SP1 server on it.
Now, when I access ECP, the Create user, new mailbox database etc. options are available only if I log in to ECP with ForestRootDomain\administrator credentials. Please confirm.
While creating a new user, it shows the User Login Name with Child.TreeRootDomain.local by default, but after creating the user, it shows [email protected] as the Email address. Please confirm.
Thanks and regards,
Sudhir
Logged on Exch machine by child\administrator user credentials.
Unable to get the Set-ADServerSettings -ViewEntireForest $true command in Exchange PowerShell.
Can get only the Set-ADServiceAccount command.
Also, if possible, please confirm whether the multidomain set up is correct? -
Active Directory Forest root domain name
Hi MSFT Community!
I've been away from AD for a little while and I'm wondering: is company.lan or company.local still a current/recommended practice for instantiating a new root Active Directory domain for a growing company?
Thank you!
Hi MSFT Community!
> I've been away from AD for a little while and I'm wondering: is company.lan or company.local still a current/recommended practice for instantiating a new root Active Directory domain for a growing company?
I would rather you stick with ad.company.com where company.com is the website. Actually I prefer to use a child domain for AD tasks.
Why you shouldn't use .local in your Active Directory domain name.
Mahdi Tehrani | www.mahditehrani.ir
This posting is provided AS-IS with no warranties, and confers no rights. -
Hi,
The 2 DCs for our Forest Root took a hit and are non-accessible; however, the Child domain is still accessible. Can I recreate the Forest Root from scratch and Trust/Link to the current Child Domain? So I'm looking for my options to keep an accessible Child Domain, but recreate a new Forest Root because the current one is inaccessible.
Thanks for your help! SdeDot
Hi,
Would you please tell us what you mean by "they are non-accessible"?
Are you able to log onto any of the two DCs in the forest root domain? If yes, we can use dcdiag.exe to analyze the state of the dc in the forest root domain.
If you have any system state backup of the DCs in the root domain, please restore the DC from backup.
Best Regards,
Erin -
Broken root domain without a valid backup. Any chance to get it back to work properly ?
Hi guys,
i came across the following issue:
Imagine a standard enterprise environment with a forest. The root domain is called contoso.com and there is a subdomain called company.contoso.com. There are also subdomains of company.contoso.com, but they are not important for the problem description.
The functional level of the forest is Windows 2003-interim & the domain level of the root domain is Windows 2003, as is the domain level of all subdomains. All Domain Controllers are Windows 2003 SP2.
There have been people in the environment with too many rights, that used to promote DCs and then also just decommission them without properly demoting them. This left several unreachable domain controllers in both the root domain & the subdomain.
I cleared all those DCs that are no longer available, which made company.contoso.com stable and reliable. All DCs within the subdomain are properly talking to each other and replicating fine.
Then I discovered the main issue here. The replication in the root domain is broken. There is only one domain controller left in the root domain; nevertheless the server is suffering from USN rollback. Digging deeper I found out that the domain controllers had been virtualized years ago, but no one ever cared about the root domain. So I found out that replication stopped in 2006, when obviously the last healthy domain controller was removed from the root domain.
So I basically have a crippled root domain with a crippled domain controller. I am not able to set the forest level to 2003 native, as the domain controller says that the domain contoso.com is still Windows 2000. This is not correct; I have checked msDS-Behavior-Version and nTMixedDomain. They are properly set to 2 & 0.
My idea was to introduce a newly installed 2003 server and promote it to a DC, then get rid of the broken one. Unfortunately the broken DC is not replicating. Due to USN rollback the Netlogon service constantly goes to the paused state, and of course both inbound & outbound replication are disabled. Even when I re-enable the replication it is just a matter of seconds before they get disabled again. I also tried to introduce a new 2012 R2 DC, but that fails of course due to the forest level not being 2003.
So I am a little stuck here. Any thoughts about how to continue to troubleshoot?
I have a final idea:
Install a new forest with the same name contoso.com and set up a trust with company.contoso.com.
The question would be, how can I convince company.contoso.com that the newly installed forest and domain are its parent?
> Install a new forest with the same name contoso.com and set up a trust
> with company.contoso.com.
> The question would be, how can I convince company.contoso.com that the
> new installed forest and domain are its parent?
You cannot. Sad, but true. If the forest root domain is dead, the forest
is dead. In addition, you have no Naming Master and no Schema Master
FSMOs. The only reliable solution is creating a new forest and new
subdomains, then migrating all objects...
Martin
Time to read a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
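The indicators the thread works from (USN rollback on the last root DC, Netlogon paused, inbound and outbound replication disabled, and the functional-level attributes already at 2 and 0) can be collected in one pass before deciding anything. The script below is an added example, not from the thread: run locally on the affected root DC, it reads the registry flag a DC sets when it detects USN rollback, the replication options from repadmin, the Netlogon state, the number of Directory Service event 2095 entries, and the two attributes the poster checked by hand. It assumes PowerShell is available on that DC and uses ADSI rather than the ActiveDirectory module so that nothing newer than a 2003 DC is required; DC=contoso,DC=com is the root domain name from the thread.

```powershell
# Added example, not from the thread. Gathers the USN-rollback indicators on
# the domain controller it runs on. Assumes PowerShell exists on that DC and
# that the DC belongs to the contoso.com root domain named in the thread; it
# uses ADSI and repadmin only, so the ActiveDirectory module is not required.

function Test-UsnRollbackState {
    param(
        [Parameter(Mandatory = $true)] [string] $DomainDn   # e.g. 'DC=contoso,DC=com'
    )

    # A DC that detects USN rollback sets "Dsa Not Writable" to 4 under the NTDS
    # parameters. This is what keeps replication disabled and Netlogon paused
    # even after the options are reset, which matches what the thread observed.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaNotWritable = (Get-ItemProperty -Path $ntds -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # repadmin /options prints the current DSA option flags, e.g.
    # "Current DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL".
    $options = (repadmin /options) -join ' '
    $inboundDisabled  = [bool]($options -match 'DISABLE_INBOUND_REPL')
    $outboundDisabled = [bool]($options -match 'DISABLE_OUTBOUND_REPL')

    # Netlogon is paused by the DC itself while it is in this state.
    $netlogon = (Get-Service -Name Netlogon).Status

    # Event 2095 in the Directory Service log is the USN rollback detection event.
    $rollbackEvents = @(Get-EventLog -LogName 'Directory Service' -Newest 500 |
                        Where-Object { $_.EventID -eq 2095 })

    # The two attributes the poster checked by hand: msDS-Behavior-Version 2 is
    # the Windows Server 2003 domain level, nTMixedDomain 0 is native mode.
    $domain = [adsi]"LDAP://$DomainDn"
    $behaviorVersion = [int]$domain.Properties['msDS-Behavior-Version'].Value
    $ntMixedDomain   = [int]$domain.Properties['nTMixedDomain'].Value

    # PS 2.0-compatible object construction (no [pscustomobject] on a 2003 host).
    New-Object -TypeName PSObject -Property @{
        DsaNotWritable       = $dsaNotWritable
        UsnRollbackFlagged   = ($dsaNotWritable -eq 4)
        InboundReplDisabled  = $inboundDisabled
        OutboundReplDisabled = $outboundDisabled
        NetlogonStatus       = $netlogon
        Event2095Count       = $rollbackEvents.Count
        BehaviorVersion      = $behaviorVersion
        NTMixedDomain        = $ntMixedDomain
    }
}

# Root domain DN taken from the thread's description; adjust for a real forest.
Test-UsnRollbackState -DomainDn 'DC=contoso,DC=com' | Format-List
```

Read the result together with the reply above: when the only remaining root DC reports UsnRollbackFlagged true with both replication directions disabled, there is no healthy replica of the root domain left, which is the situation the reply describes as a dead forest root, and re-enabling the replication options only lasts until the DC detects the rollback again.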
SCCM 2012 AD Publishing in a Single Forest Multiple Domains
Hi there,
Let me explain the situation first so that you get the idea. We have a single forest, multiple child domains AD environment. For some reasons each domain is being managed separately by their geographic location IT.
Forest has been extended for SCCM by the site who holds the forest root domain. Since everyone wants to manage their own domain and systems, each child domain have their own primary site server.
In one of the domains I have installed a brand new SCCM 2012 R2. I haven't done anything yet, haven't turned on any discovery except Heartbeat. Now I see one device, which belongs to another domain with a totally separate IP address, show up in my SCCM site. I don't know why.
From here a question arises for me. Correct me if I'm wrong and please advise what to do domain/forest wide.
1. System Container is needed in each child domain, not in the forest, right?
2. Where does/should each SCCM primary site publish information; in each domain or in the forest root domain?
3. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing I see forest root domain name and its checked.
Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and its the only one in there. In that same window I went ahead and specified my own domain hoping
to cure the possible problem.
So, why would that one device show up in this site? I have disabled Heartbeat together with other discoveries for now till I make everything ready.
Thanks for your help in advance.
1. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing, if I uncheck the forest root domain, will devices in my child domain still be able to find my site server?
2. Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and its the only one in there. In that same window I went ahead and specified my own domain
hoping to cure the possible problem. Is this a good practice?
3. "When clients look for ConfigMgr info, they use GC lookups meaning they return objects from every System Management container in the forest." So, which one do clients choose and how?
4. "For that one device, have you opened its properties and examined it?" Yes, what about it? It's found based on the Heartbeat Discovery agent (when heartbeat was enabled).
5. "Have you reviewed the boundaries and boundary groups set up for site assignment?" Yes, as I mentioned this device belongs to different domain and totally outside of my AD site and SCCM boundaries.
This is fresh install and not in production yet. I have disabled Heartbeat temporarily so that I fix this problem. I will enable it after. -
Move a distribution list from the forest root to a sub domain.
Hello,
I am looking for the best way to migrate a distribution list I have in the AD forest root to a subdomain. Is there a way to do this without rebuilding it from scratch? We have Windows 2012 R2 domain controllers with a Windows 2008 R2 functional
level.
Thanks!
Shawn
Hi Shawn,
We can try using intraforest migration with ADMT. With the latest updated ADMT v3.2, it supports Windows Server 2012 and 2012 R2, and we can download it from Microsoft Connect.
Microsoft Connect
http://go.microsoft.com/fwlink/?LinkId=401534
Regarding ADMT and how to install it, the following article can be referred to for more information.
ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
Installing ADMT in the Target Domain
http://technet.microsoft.com/en-us/library/cc974370(v=WS.10).aspx
Besides, regarding this topic, the following thread focused on a similar question and can be worth taking a look at.
Moving Distribution List From Root to Child DC
http://social.technet.microsoft.com/Forums/en-US/1edf8eee-66d1-496a-b51d-48e1f2124eeb/moving-distribution-list-from-root-to-child-dc?forum=winserverDS
Hope it helps.
Best regards,
Frank Shen -
Migrate Users from a child domain to a root domain in different forest
Hello,
Is it supported to migrate users from a child source domain to a target root domain?
I established a trust, but I don't see the child domain in ADMT installed on the target domain DC. The source root domain is visible.
You should not need to establish a trust, as all domains within the same forest already trust each other. Are you sure those domains belong to the same forest? You can find out using the following command:
nltest /DOMAIN_TRUSTS
If ADMT doesn't show a particular domain in the dropdown list, you can/have to type the domain name manually.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog -
SCCM 2012 in child domain unable to publish to root domain
I have an sccm 2012 (no sp) in a child domain (am.corp) and have given the sccm server computer object full control of the system management folder in ADSI on the root domain (corp.local) but continue to get the error in the Active Directory Forests portion
of the console that I have insufficient access rights to publish to the root domain (corp.local).
I have sccm management distribution points in the other child domains of the root.
Any suggestions on how to get this to stop erroring?
The discovery log tells me it's found 27 sites and 166 subnets. It has problems identifying the forest of some of the other SCCM servers but doesn't give any warning or error (that I see) about publishing.
See below: (truncated so it fits)
SMS_EXECUTIVE started SMS_AD_FOREST_DISCOVERY_MANAGER as thread ID 3996 (0xF9C). $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.311+240><thread=2924 (0xB6C)>
=========================================================== $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
Beginning Active Directory Forest Discovery Manager $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
Entering function ThreadMain() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::Initialize() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
Component SMS_AD_FOREST_DISCOVERY_MANAGER is marked active.~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.333+240><thread=3996 (0xF9C)>
Log verbosity level = 0~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::Process() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::ShouldRun() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::CheckIfRunCountValueChanged() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
Admin requested to run discovery now. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
Entering function ReportForestDiscoverySuccessStatusMessage() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
Raising discovery success status message for forest corp.acme.com, in which we discovered 27 site(s) and 166 subnet(s).~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=SCCMADMPRGL01.am.corp.acme.com SITE=GDC PID=2524 TID=3996 GMTDATE=Wed Mar 20 15:43:39.018 2013 ISTR0="corp.acme.com" ISTR1="" ISTR2="" ISTR3="" ISTR4="166" ISTR5="27" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.496+240><thread=3996 (0xF9C)>
Trying to update forest fqdn for all site systems associated with site GDC $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.500+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.500+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::GetForestName() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.543+240><thread=3996 (0xF9C)>
~Trying to discover forest name for server MSPRNPRTW01.au.corp.acme.com. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.543+240><thread=3996 (0xF9C)>
Server MSPRNPRTW01.au.corp.acme.com belongs to forest corp.acme.com.~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:41.037+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::GetForestName() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.756+240><thread=3996 (0xF9C)>
~Trying to discover forest name for server SCCMADMPRGL01.am.corp.acme.com. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.757+240><thread=3996 (0xF9C)>
Server SCCMADMPRGL01.am.corp.acme.com belongs to forest corp.acme.com.~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.757+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::GetForestName() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.815+240><thread=3996 (0xF9C)>
~Trying to discover forest name for server SCCMDPPRAP01.au.corp.acme.com. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.815+240><thread=3996 (0xF9C)>
Server SCCMDPPRAP01.au.corp.acme.com belongs to forest corp.acme.com.~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.689+240><thread=3996 (0xF9C)>
Entering function CActiveDirectoryForestDiscovery::GetForestName() $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.756+240><thread=3996 (0xF9C)>
~Trying to discover forest name for server SCCMDPPRAU01.au.corp.acme.com. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.757+240><thread=3996 (0xF9C)>
Server SCCMDPPRAU01.au.corp.acme.com belongs to forest corp.acme.com.~ $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:45.040+240><thread=3996 (0xF9C)>
Finishing Active Directory Forest Discovery Manager thread. $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:57.044+240><thread=3996 (0xF9C)>
=========================================================== $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:57.044+240><thread=3996 (0xF9C)> -
I’m in a customer’s site , a new site – I would like to set up their domain. That would be the first root domain in a new forest.
Now the question is – Does anyone have concerns in naming a domain .LOCAL?
What domain naming is the best practice MYCOMPANY.COM or MYCOMPANY.LOCAL
Any pros and cons ?
Thank you
Regards, MassonTech
RFC 2606 doesn't reserve any custom TLD. So nothing prevents .local (or .global or anything like that) from becoming a valid top-level domain extension one day. We cannot know which way the industry will go in the next years (even though they might probably not go that way...). We do have some examples where .local is an issue: No More local names in the certificate starting November 2015
http://autodiscover.wordpress.com/2012/07/09/no-more-local-names-in-the-certificate-starting-november-2015-msexchange-lync-ucoms-lync2010-microsoft-part1/
Also note that the IETF was thinking of using the specific .local in the LLMNR protocol but finally gave up, as far as I know, a few years ago. The only "technical" side effect that I found is not even related to Windows OS: TIP: Fix for Mac AD authentication failure after reboot on .local domains
http://www.macwindows.com/Fix-AD-dot-local-domains.html
In terms of official guidance, you'll find it here:
https://support.microsoft.com/kb/909264
And according to this one, as long as you own the mycompany.com namespace, either is OK.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
Lync Address book sync with root domain
Hi
I have a root/child domain. When I run Update-CsAddressBook I see in the event viewer that it's trying to pull the updates from the root domain, not the child. Is this the normal behaviour? If not, how can I fix it? The server is of course joined to the child domain. Please help.
This is a normal behavior. Lync tries to collect the info from all domains in the forest. You can ignore this error or configure the update service to use only some domains:
Set-CsUserReplicatorConfiguration -Identity global -ADDomainNamingContextList @{Add="dc=fabrikam,dc=com"}
regards Holger Technical Specialist UC -
Migrate AD users / mailbox from child domain to root domain
Hello,
We have one 2003 forest with 2 domains (A, the root one, and B, a child one) with one Exchange organisation (Exchange 2003/2010). All Exchange servers are in the root domain A.
The users/groups/computers in domain B are migrated to another AD forest.
Before removing domain B, we wonder about the best way of keeping the mailboxes and distribution groups for the users of the child domain.
1- Do we migrate users/groups to the root domain and after that reconnect the mailboxes to the migrated user accounts?
2- What are the tools to be used for this?
3- Are there any docs or links which talk about this?
Thanks
Disable mailbox:
http://technet.microsoft.com/en-us/library/aa997210%28v=exchg.150%29.aspx
Reconnect mailbox after moving
http://technet.microsoft.com/en-us/library/bb123490%28v=exchg.141%29.aspx
Use ADMT to move. Moving users within a forest requires ADMT if the SIDs are important, which they usually are. http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx
Thanks, MAS
Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. -
SCCM 2012 root domain client management from child domain
Hi All,
We have an SCCM 2012 environment in a child domain and we would like to manage the root domain clients as well. We are using HTTPS mode. What configuration do we need to make for root domain clients to be monitored successfully from the child domain?
Is it mandatory to create a System Management container for the root domain? If yes, what permissions do I need to give for that System Management container?
Do we need to enable Active directory forest discovery?
Regards,
Bhaskar K
No, you do not need to create the System Management container or publish info into it, and no, you do not need to enable forest discovery.
ConfigMgr ultimately does not care about AD. AD can be used by clients to help them locate services and configure themselves, but this can also be accomplished in other ways in ConfigMgr.
Jason | http://blog.configmgrftw.com | @jasonsandys -
Lync 2013 on a single label root domain
Hello All
My environment is in a child/root setup; let's say it's "contoso.local": the root is .local and the child is contoso.local. With this configuration can I install Lync 2013? If not, is there any workaround other than renaming my domain? Your help is much appreciated.
THX
Hi Mado,
Unfortunately, installing Lync in a forest with a single label root domain is not supported;
"Lync Server does not support single-labeled domains. For example, a forest with a root domain named
contoso.local is supported, but a root domain named
local is not supported. For details, see Microsoft Knowledge Base article 300684, “Information about configuring Windows for domains with single-label DNS names,” at
http://go.microsoft.com/fwlink/p/?linkId=143752."
This is not to say it would not work, but I would never put this into a production environment based on Microsoft's stance on this.
Kind regards
Ben