AD FS in Forest Root Domain

I have an AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me if I need to do any further configuration to have it authenticate users from the child domain or if that should just magically happen because of the parent-child trust relationship.
Upon rebuilding the server again and making sure that the server name and the pool name were different so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS URLs. It will prompt me for my credentials 3 times and then tell me I am not Authorized. I have been searching on the web but have been unable to find the solutions. I have made DNS changes, added HTTP SPN entries, changed the authentication settings in IIS... I am stuck. Any help would be great.

I have been using the "AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation".
I am trying to federate with a different organization where I am the IP and I have no control over the SAML 2.0 side... That being said, I changed my DNS and now I can get to my server using the IDPInitiatedlogon URL. When I run through the URL that bounces me between the other organization and then back to my AD FS server.... I get stuck in a loop where it asks me for credentials 3 times and then tells me I am "Not Authorized".
Here is a bit of the fiddler trace:
https://<other-org-adfs>/adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust
http://<my-org-adfs>:443
http://<my-org-adfs>:443
http://<my-org-adfs>:443
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
http://<my-org-adfs>:443
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
http://<my-org-adfs>:443
It seems to be stuck looping between /adfs/ls and /adfs/ls/auth/integrated. It then times out and gives me the error in the browser.
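Before touching SPNs or IIS settings, it helps to quantify what the trace above actually shows: how many times the browser was sent to the integrated-authentication endpoint for the same request context (wctx) before AD FS gave up. The Python below is an added example, not code from the thread or from AD FS; it takes a list of request URLs as Fiddler lists them (CONNECT tunnels appear as http://host:443), decodes wtrealm, whr and wctx, and reports each run of /adfs/ls and /adfs/ls/auth/integrated requests that share a host and wctx. The hostnames in SAMPLE_TRACE are constructed placeholders.

```python
"""Spot an AD FS sign-in redirect loop in a sequence of request URLs (e.g. copied from Fiddler)."""
from urllib.parse import urlsplit, parse_qs

LS = "/adfs/ls"
INTEGRATED = "/adfs/ls/auth/integrated"

# Constructed sample trace; sts.myorg.example / sts.otherorg.example are placeholder hostnames.
_MY, _OTHER = "sts.myorg.example", "sts.otherorg.example"
_QUERY = ("wa=wsignin1.0&wtrealm=http%3a%2f%2f" + _OTHER + "%2fadfs%2fservices%2ftrust"
          "&wctx=ctx-0001&whr=https%3a%2f%2f" + _MY + "%2fadfs%2fservices%2ftrust")
SAMPLE_TRACE = (
    ["https://%s/adfs/ls/?wtrealm=urn:example:rp&wa=wsignin1.0&whr=https://%s/adfs/services/trust" % (_OTHER, _MY),
     "http://%s:443" % _MY,                      # Fiddler shows the CONNECT tunnel like this
     "https://%s/adfs/ls/?%s" % (_MY, _QUERY)]
    + ["https://%s%s/?%s" % (_MY, path, _QUERY) for path in (INTEGRATED, LS) * 3]
    + ["http://%s:443" % _MY]
)


def parse_request(url):
    """Host, path without trailing slash, and single-valued query parameters of one request URL."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"host": parts.hostname, "path": parts.path.rstrip("/") or "/", "params": params}


def find_integrated_loops(urls, threshold=3):
    """Group consecutive /adfs/ls and /adfs/ls/auth/integrated requests that share a host and a
    wctx value, and report each group that hit the integrated endpoint at least `threshold` times."""
    loops, run = [], None

    def close(run):
        if run is not None and run["integrated"] >= threshold:
            loops.append({"host": run["key"][0], "wctx": run["key"][1],
                          "integrated_attempts": run["integrated"],
                          "first_index": run["first"], "last_index": run["last"],
                          "wtrealm": run["wtrealm"], "whr": run["whr"]})

    for idx, url in enumerate(urls):
        if not url.lower().startswith("https://"):
            continue                               # skip CONNECT tunnel entries (http://host:443)
        req = parse_request(url)
        if req["path"] not in (LS, INTEGRATED):
            close(run)
            run = None
            continue
        key = (req["host"], req["params"].get("wctx"))
        if run is None or run["key"] != key:
            close(run)
            run = {"key": key, "first": idx, "last": idx, "integrated": 0,
                   "wtrealm": req["params"].get("wtrealm"), "whr": req["params"].get("whr")}
        run["last"] = idx
        if req["path"] == INTEGRATED:
            run["integrated"] += 1
    close(run)
    return loops


if __name__ == "__main__":
    for loop in find_integrated_loops(SAMPLE_TRACE):
        print("%(host)s: %(integrated_attempts)d integrated-auth attempts for wctx=%(wctx)s "
              "(requests %(first_index)d-%(last_index)d), relying party %(wtrealm)s" % loop)
```

The threshold defaults to 3 because the poster reports three credential prompts; the first and last request indices of each reported run are what you line up, by time, with the AD FS and Security event log entries on the federation server to see why the integrated-authentication attempt was rejected.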

Similar Messages

  • Forest root domain displayed as network label, rather than child domain

    Following on from this post (which I stupidly contributed to without realising it's a gazillion years old):
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
    I run a DMZ child domain which is pretty tightly locked-down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state clearly why this should be the case, and a vague response from support saying that 'Product Group' (which one?!) have been asked for feedback was never followed up on.
    Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key & deploy either by GPO or batch file, I'm SOL finding a solution to this - but would at least like a viable explanation for the behaviour, as opposed to 'it's by design'.

    Can I ask if something is not working correctly because of this?  The display of the connected network does not affect communication or how DNS will resolve.  Are you chasing this down because you don't like the display, or is there an outage?
    Thanks!
    - Chris Ream -

  • Exch 2013 SP1 Multidomain set up. Mail enabled user shows Forest Root Domain email address.

    Hi,
    First let me explain my Exch 2013 SP1 multidomain set up.
    1. DA as forest root domain, having the schema master domain role installed.
    DB as tree root domain in the above forest.
    DC as child domain in the tree root domain.
    2. After set up, I ran 'netdom query fsmo' on each DC. It displayed the schema master role on the forest DC and the domain roles on the individual DC on which the command was run.
    3. Now to install Exch 2013 SP1, I ran the appropriate commands on the forest DC (i.e. PrepareAD, PrepareSchema and alldomain).
    4. Brought 1 machine into the child domain and installed Exch 2013 SP1 server on it.
    Now, when I access ECP, the Create user, new mailbox database etc. options are available only if I log in to ECP with ForestRootDomain\administrator credentials. Please confirm.
    While creating a new user, it shows User Login Name with Child.TreeRootDomain.local by default, but after creating the user, it shows [email protected] as the email address. Please confirm.
    Thanks and regards,
    Sudhir

    Logged on to the Exch machine with child\administrator user credentials.
    Unable to get the Set-ADServerSettings -ViewEntireForest $true command in Exchange PowerShell.
    Can get only the Set-ADServiceAccount command.
    Also if possible, please confirm whether the multidomain set up is correct?

  • Active Directory Forest root domain name

    Hi MSFT Community!
    I've been away from AD for a little while and I'm wondering: is company.lan or company.local still a current/recommended practice for instantiating a new root Active Directory domain for a growing company?
    Thank you!

    I would rather you stick with ad.company.com where company.com is the website. Actually I prefer to use a child domain for AD tasks.
    Why you shouldn't use .local in your Active Directory domain name.
    Mahdi Tehrani | www.mahditehrani.ir

  • Forest Root non-accessible\Child Domain still accessible. Can I recreate Forest Root and create Trust to current Child Domain?

    Hi,
    The 2 DCs for our forest root took a hit and are non-accessible, however the child domain is still accessible. Can I recreate the forest root from scratch and trust/link it to the current child domain? So I'm looking for my options to keep an accessible child domain, but recreate a new forest root because the current one is inaccessible.
    Thanks for your help! SdeDot

    Hi, 
    Would you please tell us what you mean by 'they are non-accessible'?
    Are you able to log onto any of the two DCs in the forest root domain? If yes, we can use dcdiag.exe to analyze the state of the dc in the forest root domain.
    If you have any system state backup of the DCs in the root domain, please restore the DC from backup.
    Best Regards,
    Erin

  • Broken root domain without a valid backup. Any chance to get it back to work properly?

    Hi guys,
    I came across the following issue:
    Imagine a standard enterprise environment with a forest. The root domain is called contoso.com and there is a subdomain called company.contoso.com. There are also subdomains of company.contoso.com, but they are not important for the problem description.
    The functional level of the forest is Windows 2003 interim & the domain level of the root domain is Windows 2003, as is the domain level of all subdomains. All domain controllers are Windows 2003 SP2.
    There have been people in the environment with too many rights, who used to promote DCs and then also just decommission them without properly demoting them. This left several unreachable domain controllers in both the root domain & the subdomain.
    I cleared all those DCs that are no longer available, which made company.contoso.com stable and reliable. All DCs within the subdomain are properly talking to each other and replicating fine.
    Then I discovered the main issue here. The replication in the root domain is broken. There is only one domain controller left in the root domain; nevertheless the server is suffering from USN rollback. Digging deeper I found out that the domain controllers had been virtualized years ago, but no one ever cared about the root domain. So I found out that replication stopped in 2006 when obviously the last healthy domain controller was removed from the root domain.
    So I basically have a crippled root domain with a crippled domain controller. I am not able to set the forest level to 2003 native, as the domain controller says that the domain contoso.com is still Windows 2000. This is not correct; I have checked msDS-Behavior-Version and nTMixedDomain. They are properly set to 2 & 0.
    My idea was to introduce a newly installed 2003 server and promote it to a DC, then get rid of the broken one. Unfortunately the broken DC is not replicating. Due to USN rollback the netlogon service constantly goes to the paused state & of course both inbound & outbound replication are disabled. Even when I re-enable the replication it is just a matter of seconds before they get disabled again. I also tried to introduce a new 2012 R2 DC, but that fails of course due to the forest level not being 2003.
    So I am a little stuck here. Any thoughts about how to continue to troubleshoot?
    I have a final idea:
    Install a new forest with the same name contoso.com and set up a trust with company.contoso.com.
    The question would be, how can I convince company.contoso.com that the newly installed forest and domain are its parent?

    > Install a new forest with the same name contoso.com and set up a trust
    > with company.contoso.com.
    > The question would be, how can i convince company.contoso.com that the
    > new installed forest and domain are its parent ?
    You cannot. Sad, but true. If the forest root domain is dead, the forest
    is dead. In addition, you have no Naming Master and no Schema Master
    FSMOs. The only reliable solution is creating a new forest and new
    subdomains, then migrating all objects...
    Martin
    Ever read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • SCCM 2012 AD Publishing in a Single Forest Multiple Domains

    Hi there,
    Let me explain the situation first so that you get the idea. We have a single forest, multiple child domains AD environment. For some reasons each domain is being managed separately by its geographic location IT.
    The forest has been extended for SCCM by the site who holds the forest root domain. Since everyone wants to manage their own domain and systems, each child domain has its own primary site server.
    In one of the domains I have installed a brand new SCCM 2012 R2. I haven't done anything yet, haven't turned on any discovery except Heartbeat. Now I see one device, which belongs to another domain with a totally separate IP address, showing in my SCCM site. I don't know why.
    From here a question arises for me. Correct me if I'm wrong and please advise what to do domain/forest wide.
    1. System Container is needed in each child domain, not in the forest, right?
    2. Where does/should each SCCM primary site publish information; in each domain or in the forest root domain?
    3. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing I see the forest root domain name and it's checked.
    Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and it's the only one in there. In that same window I went ahead and specified my own domain hoping to cure the possible problem.
    So, why would that one device show up in this site? I have disabled Heartbeat together with other discoveries for now till I make everything ready.
    Thanks for your help in advance.

    1. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing, if I uncheck the forest root domain will devices on my child domain still be able to find my site server?
    2. Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and it's the only one in there. In that same window I went ahead and specified my own domain hoping to cure the possible problem. Is this a good practice?
    3. "When clients look for ConfigMgr info, they use GC lookups meaning they return objects from every System Management container in the forest." So, which one do clients choose and how?
    4. "For that one device, have you opened its properties and examined it?" Yes, what about it? It's found based on the Heartbeat Discovery agent (when heartbeat was enabled).
    5. "Have you reviewed the boundaries and boundary groups set up for site assignment?" Yes, as I mentioned this device belongs to a different domain and is totally outside of my AD site and SCCM boundaries.
    This is a fresh install and not in production yet. I have disabled Heartbeat temporarily so that I can fix this problem. I will enable it after.

  • Move a distribution list from the forest root to a sub domain.

    Hello,
    I am looking for the best way to migrate a distribution list I have in the AD forest root to a subdomain. Is there a way to do this without rebuilding it from scratch? We have Windows 2012 R2 domain controllers with a Windows 2008 R2 functional level.
    Thanks!
    Shawn

    Hi Shawn,
    We can try using intraforest migration with ADMT. With the latest updated ADMT v3.2, it supports Windows Server 2012 and 2012 R2, and we can download it from Microsoft Connect.
    Microsoft Connect
    http://go.microsoft.com/fwlink/?LinkId=401534
    Regarding ADMT and how to install it, the following article can be referred to for more information.
    ADMT Guide: Migrating and Restructuring Active Directory Domains
    http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
    Installing ADMT in the Target Domain
    http://technet.microsoft.com/en-us/library/cc974370(v=WS.10).aspx
    Besides, regarding this topic, the following thread focused on a similar question and can be worth taking a look at.
    Moving Distribution List From Root to Child DC
    http://social.technet.microsoft.com/Forums/en-US/1edf8eee-66d1-496a-b51d-48e1f2124eeb/moving-distribution-list-from-root-to-child-dc?forum=winserverDS
    Hope it helps.
    Best regards,
    Frank Shen

  • Migrate Users from a child domain to a root domain in different forest

    Hello,
    Is it supported to migrate users from a child source domain to a target root domain?
    I established a trust, but I don't see the child domain in ADMT installed on the target domain DC. The source root domain is visible.

    You should not need to establish a trust as all domains within the same forest already trust each other - are you sure those domains belong to the same forest? You can find out using the following command:
    nltest /DOMAIN_TRUSTS
    If ADMT doesn't show a particular domain in the dropdown list, you can/have to type the domain name manually.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • SCCM 2012 in child domain unable to publish to root domain

    I have an SCCM 2012 (no SP) in a child domain (am.corp) and have given the SCCM server computer object full control of the System Management folder in ADSI on the root domain (corp.local) but continue to get the error in the Active Directory Forests portion of the console that I have insufficient access rights to publish to the root domain (corp.local).
    I have SCCM management distribution points in the other child domains of the root.
    Any suggestions on how to get this to stop erroring?

    The discovery log tells me it's found 27 sites and 166 subnets. It has problems identifying the forest of some of the other SCCM servers but doesn't give any warning or error (that I see) about publishing.
    See below: (truncated so it fits)
    SMS_EXECUTIVE started SMS_AD_FOREST_DISCOVERY_MANAGER as thread ID 3996 (0xF9C).  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.311+240><thread=2924 (0xB6C)>
    ===========================================================  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
    Beginning Active Directory Forest Discovery Manager  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
    Entering function ThreadMain()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::Initialize()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
    Component SMS_AD_FOREST_DISCOVERY_MANAGER is marked active.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.333+240><thread=3996 (0xF9C)>
    Log verbosity level = 0~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::Process()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::ShouldRun()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::CheckIfRunCountValueChanged()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Admin requested to run discovery now.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function ReportForestDiscoverySuccessStatusMessage()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
    Raising discovery success status message for forest corp.acme.com, in which we discovered 27 site(s) and 166 subnet(s).~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
    STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=SCCMADMPRGL01.am.corp.acme.com SITE=GDC PID=2524 TID=3996 GMTDATE=Wed Mar 20 15:43:39.018 2013 ISTR0="corp.acme.com" ISTR1="" ISTR2="" ISTR3="" ISTR4="166" ISTR5="27" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.496+240><thread=3996 (0xF9C)>
    Trying to update forest fqdn for all site systems associated with site GDC  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.500+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.500+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.543+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server MSPRNPRTW01.au.corp.acme.com.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.543+240><thread=3996 (0xF9C)>
    Server MSPRNPRTW01.au.corp.acme.com belongs to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:41.037+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.756+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMADMPRGL01.am.corp.acme.com.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.757+240><thread=3996 (0xF9C)>
    Server SCCMADMPRGL01.am.corp.acme.com belongs to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.757+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.815+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMDPPRAP01.au.corp.acme.com.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.815+240><thread=3996 (0xF9C)>
    Server SCCMDPPRAP01.au.corp.acme.com belongs to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.689+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.756+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMDPPRAU01.au.corp.acme.com.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.757+240><thread=3996 (0xF9C)>
    Server SCCMDPPRAU01.au.corp.acme.com belongs to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:45.040+240><thread=3996 (0xF9C)>
    Finishing Active Directory Forest Discovery Manager thread.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:57.044+240><thread=3996 (0xF9C)>
    ===========================================================  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:57.044+240><thread=3996 (0xF9C)>
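To show what the reply is reading out of ADForestDisc.log, here is an added Python example (not from the thread and not ConfigMgr's own code) that parses CMTrace-format lines: the trailing `$$<component><timestamp><thread=...>` block, the key/value fields of a STATMSG entry (ID 8900 carries the subnet and site counts in ISTR4 and ISTR5), and the "Server X belongs to forest Y" messages. It also collects any status message with severity W or E, or any message mentioning an error, which is the check behind "no warning or error about publishing". The lines in SAMPLE_LOG are constructed to the same layout with placeholder host and forest names.

```python
"""Parse CMTrace-format ADForestDisc.log lines and summarise what Forest Discovery reported."""
import re

COMPONENT = "SMS_AD_FOREST_DISCOVERY_MANAGER"
_TAIL = "  $$<" + COMPONENT + "><03-20-2013 11:43:%s+240><thread=3996 (0xF9C)>"

# Constructed sample log (same layout as CMTrace output; hostnames and forest name are placeholders).
SAMPLE_LOG = [
    "Beginning Active Directory Forest Discovery Manager" + _TAIL % "34.321",
    "Raising discovery success status message for forest corp.example.test, "
    "in which we discovered 27 site(s) and 166 subnet(s).~" + _TAIL % "39.018",
    'STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="' + COMPONENT + '" '
    'SYS=cm01.child.corp.example.test SITE=GDC PID=2524 TID=3996 '
    'GMTDATE=Wed Mar 20 15:43:39.018 2013 ISTR0="corp.example.test" ISTR1="" ISTR2="" ISTR3="" '
    'ISTR4="166" ISTR5="27" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0' + _TAIL % "39.018",
    "~Trying to discover forest name for server dp01.au.corp.example.test." + _TAIL % "39.543",
    "Server dp01.au.corp.example.test belongs to forest corp.example.test.~" + _TAIL % "41.037",
    "Server cm01.child.corp.example.test belongs to forest corp.example.test.~" + _TAIL % "42.757",
    "Finishing Active Directory Forest Discovery Manager thread." + _TAIL % "57.044",
]

_LINE = re.compile(r'^(?P<msg>.*?)\s*\$\$<(?P<comp>[^>]*)><(?P<ts>[^>]*)><thread=(?P<tid>\d+)')
_SUCCESS = re.compile(r'for forest (\S+), in which we discovered (\d+) site\(s\) and (\d+) subnet\(s\)')
_BELONGS = re.compile(r'^Server (\S+) belongs to forest (\S+?)\.?$')
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one CMTrace line into message text ('~' line-break markers removed), component,
    timestamp and thread id; return None for lines without the CMTrace suffix."""
    m = _LINE.match(line)
    if not m:
        return None
    return {"msg": m.group("msg").replace("~", "").strip(), "component": m.group("comp"),
            "timestamp": m.group("ts"), "thread": int(m.group("tid"))}


def parse_statmsg(msg):
    """Turn a 'STATMSG: ID=... ISTRn="..."' message into a dict of its fields (values kept as strings).
    GMTDATE is the only unquoted multi-word value, so it is re-read separately."""
    if not msg.startswith("STATMSG:"):
        return None
    fields = {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(msg)}
    date = re.search(r'GMTDATE=(.+?)\s+ISTR0=', msg)
    if date:
        fields["GMTDATE"] = date.group(1)
    return fields


def summarize(lines):
    """Aggregate one discovery cycle: per-forest site/subnet counts, the server-to-forest map,
    the status message IDs raised, and any line that looks like a warning or error."""
    summary = {"forests": {}, "server_forest": {}, "status_ids": [], "problems": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["component"] != COMPONENT:
            continue
        msg = rec["msg"]
        m = _SUCCESS.search(msg)
        if m:
            summary["forests"][m.group(1)] = {"sites": int(m.group(2)), "subnets": int(m.group(3))}
        m = _BELONGS.match(msg)
        if m:
            summary["server_forest"][m.group(1)] = m.group(2)
        st = parse_statmsg(msg)
        if st:
            summary["status_ids"].append(int(st["ID"]))
            if st.get("SEV") in ("W", "E"):
                summary["problems"].append(msg)
        elif re.search(r'\b(error|failed|insufficient)\b', msg, re.I):
            summary["problems"].append(msg)
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feeding the real log through `summarize` gives the same facts the reply states (27 sites, 166 subnets, every site system resolved to the same forest, no warning or error), which is the point: this component only reports forest discovery, so the "insufficient access rights" message from the console has to be chased in the publishing path, not here.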

  • Root Domain Naming

    I’m in a customer’s site , a new site – I would like to set up their domain. That would be the first root domain in a new forest.
    Now the question is – Does anyone have concerns in naming a domain .LOCAL?
    What domain naming is the best practice MYCOMPANY.COM or   MYCOMPANY.LOCAL
    Any pros and cons ?
    Thank you
    Regards, MassonTech

    RFC 2606 doesn't reserve any custom TLD. So nothing prevents .local (or .global or anything like that) from becoming a valid top level domain extension one day. We cannot know which way the industry will go in the next years (even though they might probably not go that way...). We do have some examples where .local is an issue: No More local names in the certificate starting November 2015
    http://autodiscover.wordpress.com/2012/07/09/no-more-local-names-in-the-certificate-starting-november-2015-msexchange-lync-ucoms-lync2010-microsoft-part1/. Also note that the IETF was thinking of using the specific .local in the LLMNR protocol but finally gave up, as far as I know, a few years ago. The only "technical" side effect that I found is not even related to Windows OS: TIP: Fix for Mac AD authentication failure after reboot on .local domains
    http://www.macwindows.com/Fix-AD-dot-local-domains.html.
    In terms of official guidance, you'll find it here:
    https://support.microsoft.com/kb/909264. And according to this one, as long as you own the mycompany.com namespace, either is ok.

  • Lync Address book sync with root domain

    Hi 
    I have a root and child domain. When I run Update-CsAddressBook I see in the event viewer it's trying to pull the updates from the root domain, not the child. Is this the normal behaviour? If not, how can I fix it? The server of course is joined to the child domain. Please help.

    This is normal behavior. Lync tries to collect the info from all domains in the forest. You can ignore this error or configure the update service to use only some domains:
    Set-CsUserReplicatorConfiguration -Identity global -ADDomainNamingContextList @{Add="dc=fabrikam,dc=com"}
    regards Holger Technical Specialist UC

  • Migrate AD users / mailbox from child domain to root domain

    Hello,
    We have a 2003 forest with 2 domains (A, the root one, and B, a child one) with one Exchange organisation (Exchange 2003/2010). All Exchange servers are in the root domain A.
    The users/groups/computers in domain B are migrated to another AD forest.
    Before removing domain B we wonder about the best way of keeping the mailboxes and distribution groups for the users of the child domain.
    1- Do we migrate users/groups to the root domain and after that reconnect the mailboxes to the migrated user accounts?
    2- What are the tools to be used for this?
    3- Are there any docs or links which talk about this?
    Thanks

    Disable mailbox:
    http://technet.microsoft.com/en-us/library/aa997210%28v=exchg.150%29.aspx
    Reconnect mailbox after moving 
    http://technet.microsoft.com/en-us/library/bb123490%28v=exchg.141%29.aspx
    Use ADMT to move. Moving users within a forest requires ADMT if the SIDs are important, which they usually are. http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx
    Thanks, MAS

  • SCCM 2012 root domain client management from child domain

    Hi All,
    We have an SCCM 2012 environment in a child domain and we would like to manage the root domain clients as well. We are using HTTPS mode. What configuration do we need to make for root domain clients to be monitored successfully from the child domain?
    Is it mandatory to create a System Management container for the root domain? If yes, what permissions do I need to give for that System Management container?
    Do we need to enable Active Directory Forest Discovery?
    Regards,
    Bhaskar K

    No, you do not need to create the System Management container or publish info into it and no you do not need to enable forest discovery.
    ConfigMgr ultimately does not care about AD. AD can be used by clients to help them locate services and configure themselves, but this can also be accomplished in other ways in ConfigMgr.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Lync 2013 on a single label root domain

    Hello All
    My environment is in a child root; let's say it's "contoso.local": the root is .local and the child is contoso.local. With this configuration can I install Lync 2013? If not, is there any workaround other than renaming my domain? Your help is much appreciated.
    THX

    Hi Mado,
    Unfortunately, installing Lync in a forest with a single label root domain is not supported:
    "Lync Server does not support single-labeled domains. For example, a forest with a root domain named contoso.local is supported, but a root domain named local is not supported. For details, see Microsoft Knowledge Base article 300684, “Information about configuring Windows for domains with single-label DNS names,” at http://go.microsoft.com/fwlink/p/?linkId=143752."
    This is not to say it would not work, but I would never put this into a production environment based on Microsoft's stance on this.
    Kind regards
    Ben
