AD RMS across forests with external AD trust

Similar Messages

• MBAM 2.5 in Multi-Forest with two way trust

  Hi All,
  If we have two forests with two way trust, say A and B. If MABM 2.5 is setup in domain A and the urls used in the GPO of domain B to make the clients report to MABM. What additional steps do we need to take to ensure all functionality work fine namely
  - Users from domain B logging in to the self service of MBAM. How will the authentication work? Do we need to add All users from Domain B to any group?
  - Also I read that the Self Service website should not be hosted over the internet as per Microsoft. Why is it?
  Thanks in Advance,
  Regards,
  Vijay

  You have to define the group policies in all of the domains where the client resides and place the MBAM Web server in the root domain. Make sure the client can access the MBAM service endpoints. If clients can access the endpoints, you only need to define
  the MBAM GPO's to the domain where client resides.
  Check out this link :
  MBAM 2.5 installation - Multi Domain
  Cheers,
  Gaurav Ranjan / Sr. Analyst-Professional Services
  MICROLAND Limited -India leading Infrastructure Management Services Company
  NOTE:Mark as Answer and Vote as Helpful if it helps

• SCCM 2012 R2 cross forest with one-way trust feasible?

  We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows server 2012 R2).
  Our requirements are to support client our Windows 7 client PC's in Domain A and also support Xen Desktop clients in a separate domain (Domain B) and forest. We have a one way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be
  in Domain A the same as our current SMS 2003 server.
  What we want to do, at a minimum, using SCCM is:
  Client inventory (hardware, software, user) and package distribution.
  Is this do able or a no go? If not directly is there any work-around for this? Appreciate any helpful advice or feedback.
  I have made the below diagram to better illustrate the scenario:
  Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

  Hi,
  The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
  Quote:
  Inner-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
  In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a
  two way trust with the forest of the parent (CAS or primary).
  Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
  The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
  Most of these items were taken from this TechNet article – please refer to the article for more information -
  Planning for Communications in Configuration Manager .
  For more information:
  http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.
  Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
  http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
  Not sure which is correct...

• Moving File/Terminal Server Across Forest Trust

  Hello all, I think this question is relatively straightforward but I wasn't able to find any direct answers with a forum search. I have two forests with a full trust, forest A and forest Z. Forest Z has been on the decommission track for two years, and after
  this operation I intend to completely shut it down. I did not migrate users between forests, rather I created completely new user accounts in forest A for users who were in forest Z, and abandoned the forest Z user accounts. Forest Z still has several file
  servers and a terminal server which I would like to move to a domain in forest A. On the file servers, there are shares which have permissions and sharing settings for forest A users, and the terminal server also has user profiles for forest A users..
  The question is: when I move the file servers and terminal server from the domain in forest Z to a domain in forest A, will the file permissions from the previously non-local forest A remain in place, and will the user profiles from forest A still load when
  users sign in to the terminal server? Any help would be greatly appreciated, thanks!

  Hi,
  Do you mean that forest A users have logged on the TS server and created their profiles on it? Now you want to move the TS server from forest Z to forest A?
  Regards,
  Denny
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Mac air with external hard drive - not being found on Finder, Time Machine, Migration Assistant

  I have been using an external drive (Imation Apollo) to access only, old files from previous computer (PC) on a new Mac Air.  I had not transferred them across to new computer (didn't want to do that)  just accessing them from the HD.  It had been working fine until recently.  Each time the external drive had been connected Time Machine would come up and ask if i wanted to use this drive for back ups, and I always chose 'Decide later'.  So, as yetI hadn't as yet configured Time Machine to do back ups.
  Recently I noticed that the extrnal HD was no longer showing up on Finder.  Slight panic as i have 5 or 6 yrs of work saved on that HD
  Further investigations - it's also not showing up either on on Disk Utility, or on Migration Assistant.
  I've done the following: 
  Tried HD in each of different USB ports  - made no difference, HD still not showing up
  Tested different Hubs in each port with HD attached - no difference HD not showing up
  Tried USB flash drives in the USB ports - These are working fine and show up on finder
  Tried the HD on other comptuters (a PC though, don't have access to another mac to do this test)- working fine, the HD is showing up and is accessable
  Interrogated the Console logs to try to see if the act of attaching the HD creates a log entry - couldn't find anything
  Rebooted computer via shut down, power disconnect - no difference
  Reset PRAM - no difference still not showing up
  Reset SMC - no differnce still not showing up
  So I think I have established that all the USB ports are functioning correctly and able to access other external drive devices, using hubs with external powersource is not the issue, identified that the external hard drive is working OK, and it appears that the Mac itself is functioning normally.
  What would be the reason the Mac now does not allow this specific external HD to be identified and accessed.  The only possible things I can think of are
  if I had in fact pressed 'Do not use' when Time Machine asked 'do you want to use this drive for back ups'.  Would that mean that the Mac now totally rejects this HD from being a source of accessible files - I hope not!
  I also think that my husband may have disconnected the hard drive from my computer to access some stuff and he just yanked it out rather than use the safe eject method.  Could this create an issue?  The Hard drive works fine on his PC.
  Why is my Mac Air now rejecting this HD and what can I do to access my historical files now. 
  Any assistance anyone can provide would be very greatly appreciated!
  Thanks
  Anna

  I can't answer why it isn't accessing it, but I have a slightly related issue w my back up drive starting to get noisy.
  Realizing that redundancy is safety for critical data.  I talked to my brother about my situation the other day & he said he has 3 small Western Digital portable HDs that he rotates for backup. He even keeps 1 in the safe deposit box.
  I have read for some time that we should have multiple back ups & also have our critical stuff backed up off site. Amazon HD reviews had a woman telling about how she was very backed up on multiple computers & hard drives, but they were robbed or burgeled & all of them were stolen including her thesis that was on the computers.
  Hard drives aren't that expensive. I just bought a new Western Digital 1 TB drive for $89.99. I plan to use it to back up the Seagate that is getting noisy & then maybe alternate them.
  Also, when I came back to Mac, I moved practially all of my documents to Mac. I think I just dragged & dropped or something. Photos, Office, & pdfs do fine that way. & then you could back them up to a couple of different external drives & remove from your MacBookAir.
  Unfortunately I think most of us do not back up until crisis & then it may be too late.
  Also use Time Machine. For the 1st time in my computer life, my computer is well backed up--although now realizing the need for redundancy so will start backing up to at least 2 different HDs alternatly.
  So, not sure why it isn't working & hopefully you have come up w a solution by now.
  I think what I would do in a situation like this, since you can access it on the Windows machine would be to transfer the data to the Windows machine & then transfer it back to a different back up.
  I'm looking into backing up what I still have in Windows using a thumb flash drive. I think it should all fit ok now that they have the larger drives & I don't have very much left in Windows format.

• Regarding Making DB Connect Delta Capable with external Sources

  Hi Everyone!
  Although as standard DB Connect does not support Delta, this much I have understood.  Lately I came across an article from Shreekant Shiralkar and Bharat Patel, BW System Managers, Bharat Petroleum, India in an old BW Expert Article...  I have understood that this is from BW 3.0 upwards.  Can this be applied to BI 7.0?  The Title of the article is "Make DB Connect Delta Capable with External Sources"
  Chetan?  Edwin? Olivier?  Anil? Sandeep?  Moderators?
  Regards,
  Philips

  Hi Philips,
  I didn't read this article but I'll expose what we have implemented here.
  All data coming from non SAP systems are loaded into what I named a "pre staging" database (PSDB) prior extracted to BW. This PSDB is nothing else than a simple, cheap, easy to manage MSSQL server 2000.
  Our BW has this PSDB system declared as DBConnect source system.
  In few words, we do data cleansing, preparation, formatting in this PSDB when any non SAP data shall be loaded in SAP BW. In addition, we use this machine to perform any R/3 datamigration required for new Rollouts.
  Coming back to the delta handling: we don't handle deltas with this DBConnect source system because SAP BW doesn't consider it as delta capable natively.
  We develop function modules extractors having the MyBW as source system. MyBW then "think" it is a SAP delta capable source system and we can then setup our MyBW DataSources with any kind of delta type by changing manually the core table ROOSOURCE.
  The extractor itself does many things because all structures are handled dynamically and some part of the extractor coding itself is generated on the fly.
  The extractor also creates temporary stored procedure directly in the PSDB so that only deltas are delivered to BW.
  The core of the extractor, I think everyone would agree, is the OPEN CURSOR statement. The OPEN CURSOR in our case is simply done within an EXEC SQL having our PSDB connection open.
  I could discuss this approach at length but we are now running this for more than 3 years (of course a certain effort has been done initially) to our full satisfaction.
  I am now finalizing the next "generation": having the PSDB server posting itself, deltas to the MyBW TRFC queue, emulating some how a LO/LIS DataSource.
  hope this shed light (at leas mine...)
  Olivier.

• Beyond 2560 x 1440 with External Monitors - is W540 the only Option?

  Hello Everyone,
   I went through great efforts to upgrade my x201 to a T430s (NVIDIA) in order to drive 3 external monitors from a dock which I finally got to work.
  I do this because I like to travel between home and the office, but have equally elaborate set ups with external video and external audio, yet while being able to travel with the same laptop.
  I am now experimenting with 2, not 3 monitors, using the new LG 34" curved monitors, which are a bit bigger and display at 3440 x 1440.
  The good news is using my T430s I am able to get both monitors to display at 3440 x 1440 and they look great!
  The bad news is that if I open up just one too many windows, or drag something across the extended desktop, they are crashing.
  When they crash, I lose the signal (DisplayPort) and get error messages from the monitors.
  I have already spoken to
  1) Lenovo sales
  2) Lenovo tech support
  3) Lenovo tech support in Atlanta
  and no one seems to have any idea what I am talking about.
  I am guessing I may need to upgrade from my T430s, which I would rather not do.
  I am also guessing that the W540 would have enough graphics / video horsepower to drive at least 2 of these higher resolution monitors?
  In an ideal world, I would not have the extra weight or features of the W540, but first and foremost, I want multiple and dazzling high resolution displays from a dock.
  Given that I am going from 3 screens down to 2, also wondering if say, an X1 Carbon might drive 2 using a dock?
  Or it is only able to drive 2 screens at 1920 x 1080 or 2560 x 1440 best case.
  In summary, any advice please:
  1) W540 using LG "ultrawide" screens as described above
  2) Any other Lenovo laptop not as big or heavy as the W540 which would still have high end, high powered graphics capabilities when docked?
  Thank you and best regards,

  Thank you for replies so far. 
  Re Lenovo tech "support" I am a die hard Lenovo fan (4 laptops so far...) but find Lenovo's website confusing and their tech support terrible. 
  For my T430s, I paid for at least an hour of support to no avail, before discovering that it was a simple Windows update that was the key to driving 3 external monitors, with better information generally coming from this forum.  Supposedly, even the T430s with the NVIDIA upgrade can handle 3 external monitors at 2560 x 1440.
  Now, however, I would like to use bigger and higher resolution screens, even if it means going from 3 external monitors to only 2.
  I have used the T430s and dock, driving 2 of the new Samsung 28" 4K monitors up to 2560 x 1440 without any issues.  But moving up to the LG 34 ultrawide screens with 3440 x 1440, I can only run one.  With 2 it becomes unstable.
  I hope more Lenovo fans tune into the resolution and display quality  - it would only enhance the brand. 
  Even for business only users, with data and text, everything is cleaner, crisper and less fatiguing at the higher resolutions.
  ColonelONeill thanks for suggestion but hoping to find an integrated, on board, plug and play, drop into the dock and be done with it solution.
  So again, hoping that worst case, the W540 with the highest spec video card could drive 2 of the LG ultrawide monitors without struggling?
  Or one of the other newer machines?

• SCOM Agent in Pending Management with two way trusted domain

  Hello Guys,
  I have two trusted domain abc.com & xyz.com with two-way trust forest-wise authentication enabled and my SCOM 2012 R2 Management server is part of abc.com. And there are multiple host which are part of domain xyz.com.When I am pushing agent from SCOm console
  to server then agents are getting installed with success message in task pane, but my agents are now at in pending Management.
  for this I am getting Event ID 20002 opsmgr connector with following message "A device at IP 10.1.1.6:54277 attempted to connect but could not be authenticated, and was rejected." on SCOM Server.
  And below message on the server where I am installing the agent.
  Event 20071 OpsMgr Connector
  The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log
  on the server and on the agent for events which indicate a failure to authenticate.
  Event 21016 OpsMgr Connector
  OpsMgr was unable to set up a communications channel to SCOM.abc.com and there are no failover hosts.  Communication will resume when fabSCOM2.nmfab.loc is available and communication from this computer is allowed.
  Event 20070 OpsMgr Connector
  The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received
  configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
  Need help to resolve this can any one help me.
  Thanks in Advance.
  NM-BG
  NM-BG

  Hi,
  Here i  suspect Authentication issue. 
  1.Could you please if 88, 389 & 3268 ports are opened between client domain controller and management server.
  2. if ports are already open collect netmon traces on both client and management server simultaneousely and check if there are any kerborose errors
  Kind Regards,
  Naveen Kumar B
  ~Bommi

• Creation of Business Partner with External BP #,ID type and Identifications

  Hi Group,
  I have a query on creation of Business Partner with External BP #,ID type and Identification # (along with the Firstname,Lastname,Email, Phone & etc.,) things.
  the thing is that I was using a BAPI called "BAPI_BUPA_FS_CREATE_FROM_DATA", to create a BP and I was not able to have an option available for these things (External BP #,ID type and Identification # ) along with that BAPI.
  So please kindly let me know how these things can be fetched from a BAPI which can accomodate all the above things mentioned.
  Please kindly let me know how it can be achieved.
  thanks in advance.
  Regards,
  Vishnu.

  Hi Gerhard,
  Infact this reply was very useful, but ,while using the BAPI "BAPI_IDENTIFICATION_ADD" while creating the Id type and Id #s, this BAPI was not enabling this.
  I was trying to use this BAPI to create ID #, and it's desc, but, this BAPI was returning like "This BP # does not exist" (in some cases) and in some other cases, it is keeping quiet without giving any indication as whether the things have been updated or not... and also when I checked, things were not getting reflected.
  your help would be very much appreciated.
  thanks & regards,
  vishnu.

• Public SharePoint Online Site with External User Portal

  Hello Everyone,<o:p></o:p>
  My company switched over to Office 365 a few months ago, and now would like to start using our Public SharePoint site to share information (documents
  pertaining to their orders/drawings/etc.) with our customers (external users).<o:p></o:p>
  <o:p> </o:p>
  I have seen documentation on how to share documents with individual users, but we were looking to do something a little bit different. We would ultimately
  like to have a public site with generic company information (like hours, about us,directions etc.) that anyone can see.
  We would also like to use SharePoint as almost an "FTP type" service where we could post documents and share them with individual
  external
  users. HOWEVER, instead of sharing individual documents, we were wondering if there was a way that an external user (that we have granted
  access) could sign into the public SharePoint site, and then see information that ONLY pertains to them.
  I have been doing some research on this, and I haven't seen that anyone else has tried this. Has anyone had any luck? Or would you have suggestions on how to make
  this work? I had originally posted this question on the Office 365 SharePoint forum, and they suggested posting this question here. Any help would be appreciated. Thanks!

  Hi,
  did you finally manage to get what you requested here above ? Indeed, I am also struggling to set up the same (public website with individual content sharing with external authentified user).
  For external user, I am quite sure that we need to go through MS ID creation (I have created some test users using https://login.live.com).
  Our public website is done and (almost) working. I have then created a sub-site for the same, this one to manage permission based on authentified user
  But I am stuck when trying to assign a document library with relavant permission.
  Would be great to share our feedback and I have searched a lto on the web and did not find any satisfying answer to this design (If there is any... here is my doubt...)
  Thanks in advance
  stef

• Federation Service with External Organization is not working

  Hi,
  Exchange 2010 is running in present environment and recently I have introduced Exchange 2013. There is federation Enabled at Exchange 2010 end with External Exchange organization. When we migrated users from E2k10 to E2k13 Free /Busy sync has stopped working.
  Exchange 2k10 & E2k13 in same Exchange organization and no errors found in configuration part and all seems Success.
  Here what I am suspecting, something that I need to do at F5 load balancer end, not sure what :( .. I need urgent help from Experts in this forum to help me in case I have missed something to make Federation working. 
  Amit

  Hi.
  Federation in coexistence mode runs through the Exchange 2013.
  Coexistence with Exchange 2010
  In organizations that contain both Exchange 2010 and Exchange 2013 servers, users who have a mailbox on an Exchange 2010 Mailbox server can use organization relationships to share free/busy information with recipients in external Exchange 2013 federated
  domain organizations. The Exchange 2010 Client Access and Mailbox servers must be running SP2 or higher, and you must have at least one Exchange 2013 Client Access server in the Exchange 2010 organization.
  Troubleshooting plan
  1) Check run correctly Exchange CAS 2010/2013
  2) Enabled Outlook logging and checked the logs. For Client from Exchange 2010 and Exchange 2013 mailbox.
  3) Ran Test-OrganizationRelationship on Exchange 2010 and Exchange 2013.
  4) Checked the Federation settings on Exchange 2013.
  5) On Exchange 2013 and 2010 server: Get-FederationTrust | Set-FederationTrust -RefreshMetadata
  MCITP, MCSE. Regards, Oleg

• Won't boot up with external hard drive attached

  Pavillion HPE h8-1360t, AMI 7.15 Bios, Windows 7 Home Premium x64 bit, consistently fails to boot with external USB hard drive attached (WD 500GB MyBook) attached.  Have tried disabling the device in BIOS, htting f10 to apply the change and then selecting "save changes and exit", but after shutdown/powerup the BIOS returns to the old setting.  Read the posting that states a BIOS upgrade will solve the problem but Support web page shows no BIOS update available.  Any suggestions greatly appreciated. 

  2Suntech,
  Open up command prompt and run the following command SFC /scannow.
  This will scan the system files and correct any errors that it can.
  Here is a link to command prompt.
  When you go to open command prompt, right click and run as administrator.
  If it has not been to long since the problem started, you can run a system restore.
  This will take the system back to when everything was working correctly without affecting your personal files.
  Here is a link on how to do a restore.
  Let me know how everything goes.

• HT2729 Digital Copies to my IMac with external hard drive, then on my MacBook Pro I can see the movies, but if I close out my IMac, I can't access my movies on my laptop???  Can anyone help me out here?  Thanks.

  I have my itunes stored on my external hard drive of my IMac.
  I have started to put my Digital Copies to my IMac with external hard drive, then on my MacBook Pro I can see the movies, but if I close out my IMac, I can't access my movies on my laptop???
  Can anyone help me out here?  Thanks.

  I have my itunes stored on my external hard drive of my IMac.
  I have started to put my Digital Copies to my IMac with external hard drive, then on my MacBook Pro I can see the movies, but if I close out my IMac, I can't access my movies on my laptop???
  Can anyone help me out here?  Thanks.

• Problems in accessing UWL Items - Using SAP r/3 4.7 with External ITS

  Hi,
  When i am trying to open the Tasks in UWL, the Tasks which are calling any Tcode are giving blank page and some Tasks are opening but the Attachments in that Tasks are not opening.
  Tasks and Attachments are pointing to:
  1) http://vq2wk.corio.com:81/scripts/wgate/webgui/!?%7Etransaction=*SWK3+P_INSTID%3D0030000063%3BP_TYPEID%3DZSDQUOTE%3BP_CATID%3DBO%3BDYNP_OKCODE%3DONLI%3B&%7Eokcode=ONLI&%7Eclient=120&%7Elanguage=en&%7Eaccessibility=0
  2) http://vq2wk.corio.com:81/scripts/wgate/webgui/!?%7Etransaction=*SWK1+p_nosecm%3DX%3Bwi_id%3D000000156456%3B&%7Eclient=120&%7Elanguage=en&%7Eaccessibility=0
  All the Connections (RFC, SSO, SLD) and WebGui Tcodes with External ITS are working fine.
  Could any one please suggest me that i am missing any more configuration or any authorizations. Else any Session Managment needs to be done.
  Some times it is showing "/!Session not fall-safe/!\" in the status bar.
  Thanks in Advance.
  Regards,
  Sridhar.

  I already checked in SMLT tcode ,My system is MDMP .I passed that error and now I am getting this
  DbSl Trace: ORA-1403 when accessing table SAPUSER
  (DB) INFO: connected to DB
  (DB) INFO: DbSlControl(DBSL_CMD_NLS_CHARACTERSET_GET): WE8DEC
  (GSI) INFO: dbname   = "D3320110118070143                                                                                "
  (GSI) INFO: vname    = "ORACLE                          "
  (GSI) INFO: hostname = "SAPTST2K3E32                                                    "
  (GSI) INFO: sysname  = "Windows NT"
  (GSI) INFO: nodename = "SAPTST2K3E32"
  (GSI) INFO: release  = "5.2"
  (GSI) INFO: version  = "3790 Service Pack 2"
  (GSI) INFO: machine  = "2x Intel 80686 (Mod 29 Step 1)"
  (VK) ERROR: invalid migration key
  E:\usr\sap\D33\SYS\exe\run/R3load.exe: job finished with 1 error(s)
  E:\usr\sap\D33\SYS\exe\run/R3load.exe: END OF LOG: 20110118215221
  any idea on this??

• PO Creation with external PO number

  Hi All,
  We have SRM and some other legacy system. We will receive the PO information from the legacy system with the Legacy PO number. Now we have to create a PO with external number only.
  So for PO creation we are using the BAPI BAPI_POEC_CREATE.  this is working fine if you dont pass any external PO number.
  But If you pass external PO number I am facing some problem. BAPI_POEC_CREATE is giving the informaiton that PO with XXXXXXX number is created, but when we call BAPI_TRANSACTION_COMMIT it is throing some error like.
  Buffer table not up to date
  Message no. BBP_PD001
  Diagnosis
  In LOOP OBJ_RELATIONS_UPDATE (function group SAPLBBP_PDH_OR) an inconsistent status was discovered.
  Procedure
  Start the transaction again. If the error occurs again, create an OSS message.
  To analyze the error, you can set a breakpoint in the function module 'BBP_PD_ABORT' and look at the call-up hierarchy in debugging mode.
  Is this the number range problem? please tell me what is missing.
  Thanks & Regards,
  Raghu

  Raghavender,
  I think that maybe the external number is not the problem.
  Sometimes the explicit <b>COMMIT</b> causes this error cuz some processes or BADI's  are accessing the table at memory level, so if you use this explicit bapi_transaction_commit maybe it will raise that error...
  Have your tried to remove that function call?
  Please acknowledge if it worked...
  Regards,
  Gerardo.