AD schema update & trusts between forests.

I have the following structure:
1. Forest 1 - Domain 1
2. Forest 2 - Domain 2
3. Forest 3 - Domain 3
All forests are connected to each other by trusts.
I've upgraded the AD schema version in Forest 1 - Domain 1 from 30 to 47.
How can it affect the other forests and domains?
Thank you in advance.

Since there is one schema master for each forest, you have to commit your changes in every single forest. Trusts are not responsible for replicating schema changes.
Regards.
Mahdi Tehrani Loves Powershell
Please kindly click on Propose As Answer or mark this post as helpful to other people.
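A practical way to confirm the point above is to ask each forest's own schema master for its schema version. The following is an added example (not code from the original post); it assumes the ActiveDirectory RSAT module is installed, that the account running it is trusted by all three forests, and uses placeholder forest names.

```powershell
# Added example (not from the original post): report the schema master and
# schema version of each trusted forest. Forest names below are placeholders.
Import-Module ActiveDirectory

$forests = @('forest1.example', 'forest2.example', 'forest3.example')

foreach ($forest in $forests) {
    try {
        # Every forest has exactly one schema master; trusts do not replicate
        # the Schema partition, so each forest must be queried (and updated) itself.
        $schemaMaster = (Get-ADForest -Identity $forest).SchemaMaster

        # objectVersion on the head of the Schema partition is the schema version
        # (30 = Windows Server 2003, 44 = 2008, 47 = 2008 R2, 56 = 2012, 69 = 2012 R2).
        $rootDse = Get-ADRootDSE -Server $schemaMaster
        $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext `
                                -Server $schemaMaster -Properties objectVersion

        [pscustomobject]@{
            Forest        = $forest
            SchemaMaster  = $schemaMaster
            SchemaVersion = $schema.objectVersion
        }
    }
    catch {
        Write-Warning "Could not query forest ${forest}: $($_.Exception.Message)"
    }
}
```

After running adprep in Forest 1 only, the output shows 47 for that forest and the unchanged 30 for the other two, which is the expected result.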

Similar Messages

  • Questions in the migration between Forest A to Forest B

    Hello Team,
    We have the following environment and questions, please advise.
    Environment
    Forest A with the following roles:
    Domain Controller
    Dirsync
    ADFS
    ADFS Proxy
    Exchange 2013 onpremise server with no mailboxes hosted in it.
    Has trust between Forest A and Office 365 tenant.
    All the mailboxes has already been moved to office 365 tenant.
    Requirement
    Want to bring in Forest B
    Then going to migrate all the users from Forest A to Forest B
    Then going to decommission Forest A and create trust between Forest B and office 365 Tenant.
    Questions
    What are the implications and how long do we need to schedule downtime?
    Will there be any impacts?
    How & when can I manage (enable/disable) Dirsync, ADFS, ADFS proxy?
    How can I transfer these roles (Dirsync, ADFS, ADFS proxy) to Forest B?
    Please advise. Thank you for your time.

    Hi Balamurugan,
    According to your posting, I noticed that all mailboxes for users in ForestA have been moved to Exchange Online (Office 365) and there is no mailbox in Exchange 2013.
    Sorry that I am not familiar with the Office 365 tenant. I am not sure about the impacts on mailboxes in Exchange Online when you migrate all users from ForestA to ForestB. I suggest asking a question in the Exchange Online forum for more suggestions:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=onlineservicesexchange
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.
    Thank you for your understanding.
    Regards,
    Winnie
    Winnie Liang
    TechNet Community Support

  • Two-way forest trust between two (single domain) forests with multiple identical user ID's

    Domain and forest levels - Windows 2003 (they both have one 2008 R2 DC)
    We need to create a two-way forest trust between two separate single-domain forests. The problem is that these two forests already access each other's resources through a S2S. Users have the same login names and passwords on both forests/domains. Now, we are combining their infrastructures and need to set up a trust. From what I'm reading, you can't create forest trusts if you have the same SIDs, user IDs, or computer names in each of the forests.
    I'm looking into the AD migration tool to copy the user SIDs (SID history?) between forest/domain, deleting the user IDs in the domain we migrated from, and then setting up the trust, but I'm leery about doing it this way as there is no easy 'recovery' should something go wrong.
    Any suggestions for the easiest way to set up this forest trust?

    Hi,
    To eliminate your worries: two user accounts having the same user name doesn't mean that they have the same SID. Moreover, the user's SID remains the same even after it has been renamed.
    The SID for a domain account/group consists of a Domain Identifier and a Relative Identifier. The Domain Identifier is unique for every domain within a forest, and a Relative Identifier is unique within a domain. It is unlikely that two user accounts, with or without the same account name, from two forests have the same SID.
    The TechNet article you mentioned is talking about duplicate SIDs instead of "duplicate computer name or user account"; I will submit a change request to Microsoft about this.
    If there are duplicate SIDs when you create the forest trust, you need to delete one of them as the article guides.
    Here are some related articles below for your references:
    How Security Identifiers Work
    http://technet.microsoft.com/en-us/library/cc778824(v=WS.10).aspx
    Security Identifier Structure
    http://technet.microsoft.com/en-us/library/cc962011.aspx
    Security Identifier
    http://en.wikipedia.org/wiki/Security_Identifier
    I hope this helps.
    Amy Wang
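The SID structure described in this answer can be checked directly in PowerShell. The following is an added example (not code from the original post); the two user SIDs and the hypothetical forest names are constructed for illustration.

```powershell
# Added example (not from the original post): split a SID into its domain
# identifier and RID to show why same-named accounts in two forests do not
# collide. The sample SIDs below are constructed, not from any real domain.
function Split-Sid {
    param([Parameter(Mandatory = $true)][string]$Sid)

    $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)

    # AccountDomainSid is $null for SIDs that are not domain accounts
    # (for example the BUILTIN\Administrators SID S-1-5-32-544).
    $domainId = $null
    if ($obj.AccountDomainSid) { $domainId = $obj.AccountDomainSid.Value }

    [pscustomobject]@{
        Sid              = $obj.Value
        DomainIdentifier = $domainId                          # S-1-5-21-<3 sub-authorities>
        Rid              = [int]($obj.Value -split '-')[-1]   # unique within that domain
    }
}

# Two "jsmith" accounts, one per forest. They even share the same RID (1105),
# yet the domain identifier differs, so the full SIDs are different.
$userInForestA = Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'
$userInForestB = Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-1105'
$builtinAdmins = Split-Sid 'S-1-5-32-544'

$userInForestA, $userInForestB, $builtinAdmins | Format-Table -AutoSize

if ($userInForestA.DomainIdentifier -ne $userInForestB.DomainIdentifier) {
    'Same name and RID, different domain identifier: the SIDs do not collide.'
}

# The same comparison against live accounts in two trusted forests
# (forest names are placeholders):
# $a = (Get-ADUser jsmith -Server forestA.example).SID
# $b = (Get-ADUser jsmith -Server forestB.example).SID
# $a.IsEqualDomainSid($b)   # $false when the accounts live in different domains
```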

  • No authentication prompt using DFS links to fileserver into another domain with no trusts between both domains

    Users, file servers and the DFS root with DFS links in Domain A all work fine.
    Each user from Domain A also has credentials and passwords for Domain B.
    There is NO trust between Domain A and Domain B; both domains are in different sites connected with a VPN tunnel.
    Project data is stored on file servers in both domains. Now DFS links are added in Domain A to a file server from Domain B.
    When a user from Domain A connects to the file server in Domain B, first he/she gets a prompt to authenticate, then the DFS link to the file server in Domain B works.
    When users just use the DFS link they get a prompt "not accessible" + "Logon failure: unknown user or bad password".
    No prompt is given to users from Domain A to enter the credentials for Domain B.
    We cannot create a trust between these 2 domains due to other policies.

    Hi,
    According to your description, there is no trust between domain A and domain B, right?
    Based on my research, if there is no trust between domains/forests, then it is not possible to share information across domain boundaries, because without trust, no authentication traffic can be passed across the domain/forest.
    That is why the user cannot access the file he has rights to access across domains.
    Here is an article below for your references:
    Trust Technologies
    http://technet.microsoft.com/en-us/library/cc759554(v=WS.10).aspx
    I hope this helps.
    Amy Wang

  • Problem creating external trust between domains

    Hello,
    When I try to create a one-way incoming external trust between 2 domains (to DomainA from DomainB) in separate forests I get this info:
    This domain already has a one-way trust relationship with the specified domain.
    But I cannot see it on the list of trusts, either incoming or outgoing (in both domains).
    For sure the trust was never set up before.
    In DomainA there are several other external, non-transitive trusts with other domains. But for sure DomainB does not have any incoming or outgoing trusts on the list. Name resolution between domains is OK. I can ping the domain name on both sides.
    Any help is welcome.
    Darek.

    Hi,
    Were there error events logged in Event Viewer? Besides, did we open necessary firewall ports for creating external trust?
    Regarding firewall ports, the following thread can be referred to for more information.
    Creating external trust between domain on different forest
    http://social.technet.microsoft.com/Forums/en-US/efe56730-ff95-4d6b-b95c-fc2c01ebd2d3/creating-external-trust-between-domain-on-different-forest?forum=winserverDS
    Best regards,
    Frank Shen

  • Change domain trust for Forest trust

    Hi
    I have a forest A with 3 domains (1 (root), 2, 3) and I have a forest B with 2 domains (4 (root), 5).
    Presently, I have a domain trust between domains 2 and 5.
    I need to change it to a forest trust. What is the best practice?
    1- Remove the domain trust and create a forest trust?
    2- Create a forest trust (wait a few days) and remove the domain trust?
    3- Create a forest trust and remove the domain trust immediately?
    Do you have a link that explains that?
    Thanks

    Hi,
    Which kind of domain trust have you created? Which kind of forest trust do you want to create?
    A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests.
    Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest trust between the two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest.
    In other words, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
    In addition, please make sure that the forest functional level is Windows Server 2003 or higher before you create a forest trust.
    Best regards,
    Susie

  • Trust between 2008r2 dc and 2012r2 dc

    I have to set up a new forest/domain in the DMZ but I will be using 2012 R2.
    On the internal network, I am running a 2008 R2 forest/domain.
    Can I set up a trust between them or do I need to use 2008 R2 for both DMZ and internal?

    Do I have to build the forest/domain in the DMZ at the 2008 R2 level?
    I plan to set up a DC and another server with AD LDS on it. Then I will open 389 or secure LDAP to the AD LDS to the public. Then AD LDS will talk to the DC on the DMZ network.
    What do you think??
    In a DMZ I will always tell you not to set up a DC there, for security reasons, as even if you restrict the communication to your internal AD from that server, a trust exists, thus you expose all your AD via the DMZ. Depending on your need, if it is for IIS for example, can you do a reverse proxy setup? (a good example for the OWA webpage for Exchange there; http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx)
    Regards, Philippe
    Don't forget to mark as answer or vote as helpful to help identify good information. ( linkedin endorsement never hurt too :o) )
    Answer an interesting question ? Create a wiki article about it!

  • Unable to create Trust between domains

    Scenario: I am trying to build a two-way trust between two Windows forests, abc.com & xyz.com.
    Highest OS in both domains is Win 2008 R2.
    FFL and DFL in both is Win2003.
    I added forwarders in DNS in both - it is resolving.
    I disabled antivirus.
    I stopped Windows Firewall on all the DCs of the domains and there are no network-level port restrictions.
    I am able to ping all DCs from each of the DCs in both domains.
    Having done all of the above, I am unable to create the trust - in the trust wizard it is not identifying the domain names.
    Another thing is that I have a primary zone in the name of each of the domain names, i.e. in abc.com I have another primary zone created as xyz.com; likewise in xyz.com I have an abc.com primary zone. Will this be an issue? If not, guidelines please...

    Hi,
    >>In ABC.com I have a Primary zone created as xyz.com, Likewise in XYZ.com I have ABC.com primary zone .
    How did you create these primary zones? Is there an ABC.com zone in ABC.com?
    >>I am unable to put Conditional forwarders because I have a Primary zone exists in name of each of the domain name
    If there is a DNS zone of another domain, then we cannot create a conditional forwarder for the other domain.
    Besides, I suggest you check the SRV records. You can try to restart the Netlogon service to re-register SRV records. More specifically, in the command prompt, type net stop netlogon to stop the Netlogon service, then type net start netlogon to start it again.
    Best Regards,
    Erin
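Both points in this answer (a locally hosted zone shadowing the other forest, and the DC locator SRV records) can be checked from each side before the trust wizard is retried. The following is an added example (not code from the original thread); it uses the thread's domain names abc.com and xyz.com, placeholder DNS server names, and needs the DnsServer (RSAT) and DnsClient modules.

```powershell
# Added example (not from the original thread): from each forest's DNS server,
# check (a) whether a locally hosted zone shadows the other forest's name and
# (b) whether the other forest's DC locator SRV record resolves from here.
# Domain names follow the thread; DNS server names are placeholders.
$sides = @(
    @{ Domain = 'abc.com'; DnsServer = 'dc1.abc.com' },
    @{ Domain = 'xyz.com'; DnsServer = 'dc1.xyz.com' }
)

foreach ($local in $sides) {
    $remote = $sides | Where-Object { $_.Domain -ne $local.Domain }

    # (a) A primary zone named after the remote domain but hosted locally answers
    # queries itself (usually with nothing useful) and blocks a conditional
    # forwarder for that name. Get-DnsServerZone returns nothing if no such zone.
    $shadow = Get-DnsServerZone -Name $remote.Domain -ComputerName $local.DnsServer `
                                -ErrorAction SilentlyContinue
    if ($shadow) {
        Write-Warning ("{0} hosts a {1} zone for {2}; remove it so a conditional forwarder can be used" -f
                       $local.DnsServer, $shadow.ZoneType, $remote.Domain)
    }

    # (b) The trust wizard on a DC in $local.Domain must be able to locate a DC
    # of the remote domain through this DNS server.
    $srvName = "_ldap._tcp.dc._msdcs.$($remote.Domain)"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $local.DnsServer `
                           -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }

    if ($srv) {
        foreach ($record in $srv) {
            "{0}: {1} -> {2}:{3}" -f $local.DnsServer, $srvName, $record.NameTarget, $record.Port
        }
    } else {
        Write-Warning ("{0} cannot resolve {1}; check forwarding, then re-register SRV records " +
                       "on the {2} DCs with 'net stop netlogon' / 'net start netlogon'" -f
                       $local.DnsServer, $srvName, $remote.Domain)
    }
}
```

If the shadow zone warning appears on either side, the SRV lookup on that side will keep failing until the zone is removed, regardless of how forwarders are configured.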

  • How to create Trust between two domain

    How to create Trust between two domain:
    please help

    Hi,
    By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation Wizard. The two default trust types are defined in the following table. However, there are many other types of AD trust; please refer to the following KB to determine which type you need:
    Trust types
    http://technet.microsoft.com/en-us/library/cc775736%28v=ws.10%29.aspx
    More relate KB:
    Creating Domain and Forest Trusts
    http://technet.microsoft.com/en-us/library/cc740018(WS.10).aspx
    The related third party article:
    How to configure Forest Level Trust in Windows Server
    http://blogs.interfacett.com/how-to-configure-forest-level-trust-in-windows-server
    *** This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet. ***
    Hope this helps.

  • How to prevent iTunes for Windows from "Updating iTunes Library"? (Library is on a NAS and managed by iTunes for Mac. Now getting update wars between Mac and Windows versions of the player.

    How to prevent iTunes for Windows from "Updating iTunes Library"?
    My library is on a NAS and managed by iTunes on a Mac. I can connect from wife's Windows laptop using iTunes for Windows but every time I do, it Updates iTunes Library. Next time I log in from my Mac it Updates iTunes Library in return. It appears I'm experiencing "Update Wars" between the Mac and Windows versions of iTunes. I would like to allow my wife to stream iTunes songs to her new laptop but I don't want any updates from this source... prefer to manage the library from my Mac and not allow Windows to do any thing other than listen to existing playlists.
    Thanks for any help/suggestions.

    Connect the PC to the library on the NAS. Wait while "updated".
    Under Edit > Preferences > Advanced make sure the media folder is correctly pointed at the media folder on the NAS. If not correct, close iTunes, wait a few moments, then open iTunes again.
    Close iTunes on the PC. Do not open iTunes on the Mac.
    Copy the library files, iTunes Library.itl, iTunes Library Extras.itdb, iTunes Library Genius.itdb, sentinel and the folder Album Artwork into an empty iTunes folder on the PC, for example C:\iTunes.
    Click the icon to start iTunes and immediately press and hold down SHIFT. Keep holding until prompted to choose or create a library. Click choose and browse to the copied .itl file, e.g. C:\iTunes\iTunes Library.itl
    The library should now work properly on the PC, however check the setting for the media folder. If needs be correct, close iTunes and reopen.
    Open iTunes on the Mac. It will update again, but that should be last time.
    tt2

  • Change description of update rule between ODS'es

    Hi!
    In a BW 3.5 system I have the following problem: I cannot change the description of an update rule between two ODS'es.
    When creating such a rule the system automatically generates the technical name and takes the description of the source ODS for the naming of the update rule. Afterwards I have changed the description of the ODS. I have deleted the old update rule and recreated it. When selecting the source ODS from the F4 picklist the new description can be seen. When the source ODS is selected and the update rule is generated, the old description has appeared again however.
    Does anybody know how this is possible and what can be done about it?
    Best regards,
    Hans

    have you tried regenerating an export DataSource out of the ODS?

  • Moving SP2013 and SQL2008R2 to new domain - no trusts between domain

    Hello,
    I'm looking to move a customized installation of SharePoint 2013 (Microsoft Server 2012 Std VM) and its DB (SQL 2008 R2 VM) from one domain to another domain. There will be no trust between the domains, and assume that no users or service accounts will be migrated. Has anyone performed a similar operation? If so, can you provide guidance as to the best way to tackle this situation? Currently we plan on exporting the SP2013 VM from the old domain, importing (re-creating) that VM in the new domain and importing the DB to an existing SQL server in the new domain. My concern is being able to log in to Central Admin afterwards because the domain accounts are no longer valid. Should we change all accounts to local admins first, detach the DB and change those accounts as well? Or would a totally different approach make more sense? Any help would be appreciated.
    Thanks in advance, 
    Alex

    You need to build a new SharePoint farm, changing SharePoint server's domain membership isn't supported.
    What you'll do is build a new farm, create the Web Application(s), etc. and then restore SQL database backups from the old farm into the new farm.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • VS 2012 Professional with SSDT to accomplish automated Schema updates to QA Server?

    I am looking for a HOW TO article that covers the following:
    1. A Visual Studio 2012 or 2013 Professional .NET Database Project  (SSDT)
    2. A Visual Studio Online TFS Service Server that is linked to a On-Site Build Agent on a QA Box
    3. A BUILD Definition that will execute when a developer checks in schema changes to the code repository
    4. The build will execute and if it succeeds will then do a schema update to an existing database.
    Now I found a tool by REDGATE called RedGate SQL CI TFS Build Plugin that rocks this process, but it has an associated cost (400+ per developer) and I would like to avoid this extra cost if possible. We use Build Definitions to deploy our web projects to our QA servers and I keep reading that it can be used for Database projects also, but I have not found an article that has been helpful for a schema update process...
    Anyone know of a step by step guide out there for this...
    NOTE: I found this, https://msdn.microsoft.com/en-us/library/ff805001.aspx#createtemplate -- but it is for an older version of VS and we are using VS 2012+ and SQL Server 2008 R2.
    Warren

    Jamie's article should be a great starting point for you. In addition we have a presentation and whitepaper available on the SSDT blog. These cover setting up CI and also doing automated database unit test runs on checkin to validate that changes are correct:
    Presentation
    Whitepaper covering multiple scenarios
    The summary of all this is that CI is supported with the built in tools and is worth looking into.
    Kevin

  • Secure Login and trust between BO/BW

    Hi.
    We configured server-side trust between BO and BW using libsapcrypto library. All works fine.
    Now we are installing Secure Login (SAP NetWeaver Single Sign-On) for SSO from SAP GUI based on a Kerberos token. To configure Secure Login we need to modify profile parameters like
      snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU
      snc/gssapi_lib=/sapmnt/QBW/exe/libsapcrypto.so
    which were in use by server-side trust between BO and BW. So when we modify them like in installation guide for Secure Login to this:
      snc/identity/as=p:CN=SAP/[email protected]
      snc/gssapi_lib=/usr/sap/QBW/DVEBMGS20/SLL/libsecgss.sl
    we can use SAP GUI SSO to BW but can't run reports from BO since we broke server-side trust.
    We tried many different variations of using these two libraries (including fully regenerating certificates both on BW and BO for server-side trust) but they all failed.
    Any suggestions of how we can activate SAP NetWeaver Single Sign-On on our BW systems, without breaking server-side trust between BW and BO?
    Thanks in advance
    wbr
    Stanislav

    Thanks, but this problem was resolved. Frane was very helpful in solving this problem, but it was beyond the forum.
    He described the possibility of Secure Login Client that I did not know.
    Another possibility is implemented in Secure Login Client 1.0 SP02 Patch 03 and higher (current version is 1.0 SP03 Patch 02).
    Secure Login Client is able to "rebuild" the required SPN name (in your example p:CN=SAP/[email protected]).
    This means if the X.509 certificate SNC name is p:CN=KerberosSSO -> Secure Login Client will rebuild p:CN=SAP/[email protected]
    This also works if the X.509 certificate name is p:CN=KerberosSSO, OU=SAP Security, C=RU
    Maybe this solution integration is easier for you? You can use the transaction STRUST to create a self-signed certificate.
    Thanks again, Frane.

  • Enabling Trust Between WebLogic Server Domains

    Hi everyone,
    We have two sites, each one running one WL 8.1 instance. The problem is that we have different users in each one, and they need to access both sites (using a RMI call).
    When the user is created in both sites, there is no problem. But we do not want to replicate all users in all sites.
    So this is what we are trying to do:
    Create the user in one site and enable trust between Weblogic Server domains (giving both sites the same password), so once one user is authenticated, the other site will not try to authenticate this user again. But since this user does not exist in the other site, he has no permission to do anything at all. Because of that we receive the following error message: "User a7ax does not have permission on br to perform lookup operation."
    Does anyone have any idea about how we can handle this, and enable the users to use other sites, without creating the user in both sites?
    Thanks in advance.
    Cesar

    In order to debug this issue you need to determine which kind of security has been applied on the web service deployed on the remote WebLogic server.
    Does it require a username/password from the calling web service?
    Or does it require any kind of digital certificate from the calling web service, etc.?
    The most usual scenario where cross-domain security is required is this:
    A user, Test, calls a service, ServiceA, on WebLogic domain DomainA, provides its credentials and is authenticated properly.
    Then, if this service needs to call another service, ServiceB, on another WebLogic domain, DomainB, which is also secured, cross-domain trust should be enabled between the domains DomainA and DomainB so that the subject populated in DomainA can be transferred to DomainB.
    Now you should determine whether this is the scenario you are trying to achieve or it is something else.
    Also try to use the following debug flag in DomainB, where the provider service is deployed, to get the exact reason why it is failing the security check:
    -Dweblogic.DebugSecurityAtn=true
    This debug flag is enabled via JAVA_OPTIONS.
    Thanks,
    Sandeep
