Alternative UPN & Forest Trust.

Hi all!
I have 3 domains:
main.local
child.main.local (child of main.local)
test.local (new forest)
In "main.local", under Active Directory Sites & Services, I defined 2 UPNs:
"mycorp.com" & "child.mycorp.com"
I used "mycorp.com" as the alternative UPN for users in "main.local".
Then I used "child.mycorp.com" as the alternative UPN for users in "child.main.local".
Now I'd like to trust "main.local" with "test.local" and use users in "*.main.local" with their alternative UPN.
Example:
[email protected] should log in to test.local with its UPN.
[email protected] should log in to test.local with its UPN.
* 02/26/2014 correction.
I made a one-direction transitive forest trust, and all routed UPN suffixes are enabled and don't have conflicts, but I can't log on using the *.mycorp.com alternative UPN.
Where did I make my mistake?

Hi, Vivian,
I'm sorry, I should have posted my question after sleeping...
Just a few hints.
I'm working with Windows Server 2012 R2 and it's a lab/test environment.
I read both articles you linked about a hundred times in the last few days and all my configuration is as described.
I'll try to recap my situation and be clearer:
Forest A:
Domain: main.local (Parent)
Alternative UPN: mycorp.com, child.mycorp.com
Domain: child.main.local (Child)
Alternative UPN: "came from parent domain"
Forest B:
Domain: test.local
Alternative UPN: none.
Transitive forest trust between A & B, one direction (users in A can log in/authenticate in B).
user1 is in Forest A/main.local
user2 is in Forest A/child.main.local
If I try to log on in "Forest B/test.local" as MAIN\user1 or [email protected], everything is OK and I can log on.
If I try to log on as [email protected], it returns that the user does not exist or the password is wrong.
If I try to log on as [email protected], it returns that the user does not exist or the password is wrong.
In "Active Directory Domains & Trusts", under the properties of the trust, under "Name Suffix Routing":
*.main.local (Enabled)
*.mycorp.com (Enabled)
But as I wrote, I can't log on using "*.mycorp.com" as the suffix in the trusting domain, only "*.main.local" or "DOMAIN\user".
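
The checks a practitioner would run for this symptom, as an added PowerShell example (not code from the original post): given a UPN, it verifies that the trusted forest registers the suffix, that an account with that exact UPN exists, how the trust looks from the trusting side, and whether the trusting forest actually routes the suffix. It assumes the RSAT ActiveDirectory module and netdom.exe are available and that the caller can read both forests; the forest names in the usage lines are the lab names from the thread, and the regex for netdom's output format is an assumption to adjust if your build prints it differently.

```powershell
# Added example, not part of the original thread: check whether a UPN suffix can be
# routed across a forest trust. Assumes RSAT ActiveDirectory + netdom.exe and read
# access to both forests. Forest names in the usage lines follow the thread's lab.
function Test-UpnRouting {
    param(
        [Parameter(Mandatory)][string]$Upn,             # e.g. user2@child.mycorp.com
        [Parameter(Mandatory)][string]$TrustedForest,   # forest that holds the account (main.local)
        [Parameter(Mandatory)][string]$TrustingForest   # forest the user logs on to (test.local)
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $suffix = ($Upn -split '@', 2)[1]
    if (-not $suffix) { throw "UPN '$Upn' has no suffix" }

    # 1. The suffix must be registered in the trusted forest, either as one of its domain
    #    DNS names or as an alternative UPN suffix (AD Domains and Trusts > UPN Suffixes).
    $forest     = Get-ADForest -Identity $TrustedForest
    $registered = (@($forest.Domains) + @($forest.UPNSuffixes)) -contains $suffix

    # 2. Look the UPN up on a global catalog of the trusted forest (port 3268), because the
    #    account may live in a child domain such as child.main.local.
    $user = Get-ADUser -Server "$($forest.RootDomain):3268" -LDAPFilter "(userPrincipalName=$Upn)" -ErrorAction SilentlyContinue

    # 3. The trust as seen from the trusting forest. For accounts from $TrustedForest to log on
    #    here, Direction must be Outbound or BiDirectional from this side.
    $trust = Get-ADTrust -Server $TrustingForest -Filter "Target -eq '$TrustedForest'" -ErrorAction SilentlyContinue

    # 4. Routed name suffixes are stored on the trusting side's trust object and only change
    #    when the trust is refreshed; netdom lists them. The line shape matched below
    #    ("1. *.mycorp.com, Name Suffix, Enabled") is an assumption about netdom's text.
    $routed = foreach ($line in (& netdom trust $TrustingForest /domain:$TrustedForest /namesuffixes:$TrustedForest 2>&1)) {
        if ("$line" -match '^\s*\d+\.\s+(\S+),\s+(.+?),\s+(Enabled|Disabled)') {
            [pscustomobject]@{ Suffix = $matches[1]; Kind = $matches[2]; State = $matches[3] }
        }
    }
    # A wildcard entry such as *.mycorp.com covers mycorp.com itself and every name under it
    # (child.mycorp.com included), so a child suffix never needs its own entry.
    $entry = $routed | Where-Object {
        $base = $_.Suffix -replace '^\*\.', ''
        ($suffix -eq $base) -or ($_.Suffix.StartsWith('*.') -and $suffix -like "*.$base")
    } | Select-Object -First 1

    [pscustomobject]@{
        Upn                     = $Upn
        Suffix                  = $suffix
        SuffixRegistered        = $registered
        UserFound               = [bool]$user
        TrustFound              = [bool]$trust
        TrustDirection          = $trust.Direction
        ForestTransitive        = $trust.ForestTransitive
        SelectiveAuthentication = $trust.SelectiveAuthentication
        SidFilteringEnabled     = [bool]($trust.SIDFilteringForestAware -or $trust.SIDFilteringQuarantined)
        RoutingEntry            = $entry.Suffix
        RoutingState            = if ($entry) { $entry.State } else { 'not routed' }
    }
}

# Usage (lab names from the thread):
Test-UpnRouting -Upn 'user1@mycorp.com'       -TrustedForest 'main.local' -TrustingForest 'test.local'
Test-UpnRouting -Upn 'user2@child.mycorp.com' -TrustedForest 'main.local' -TrustingForest 'test.local'
```

Reading the result: SuffixRegistered true with UserFound false means the account's userPrincipalName attribute does not actually carry that suffix (check the Account tab on a DC of the account's own domain). SuffixRegistered true with RoutingState "not routed" means the trusting side's copy of the suffix list is stale, which happens whenever a suffix is added to forest A after the trust was created: open the trust's properties in Active Directory Domains and Trusts on the trusting side (test.local), Name Suffix Routing, Refresh, then validate the trust. Routing is a security boundary decision: an enabled *.mycorp.com entry lets any account the trusted forest stamps with that suffix authenticate in test.local, so route only suffixes the other forest legitimately owns, and leave SID filtering on.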

Similar Messages

  • Kerberos and Alternative UPN's

    I have a single on-premises W2K8 domain forest which exists within a disjointed namespace. I have added an alternative UPN to the domain to accommodate Office 365 federation. My understanding is that although users can log on to my domain with the alternative
    UPN of [email protected], access to services will fall back on NTLM because the Kerberos service tickets will be issued for
    [email protected]. Is it possible, and how do I resolve this situation? I need users to log on to our domain with their alternative UPNs and have Kerberos issue tickets to services with their alternative.
    Domain Namespace: mydomain.ac.uk
    AD Domain: mail.mydomain.ac.uk
    Alternative UPN: live.mydomain.ac.uk

    Hi,
    The UPN suffix is used for resolving to a corresponding zone in DNS, which means it's used to find the Domain Controller which can process the logon request; that's why I gave the example about Office 365 in my last reply.
    If you have specified an alternative UPN when you created the user account, then a DNS server (zone) should be set up to resolve the suffix which is different from the default one, no matter whether the domain is in an on-premises network
    or a branch office with a less secure network. Otherwise, the user can't use the alternative UPN to log on. I have tested this, and the user can't log on using the alternative UPN without the extra DNS server (zone). You can try to test this in your environment,
    too.
    As I mentioned before, when it comes to Kerberos authentication, it doesn't issue tickets based on UPN; the Kerberos authentication mechanism issues tickets to the user account. Because these parameters (UPN/suffix/NetBIOS name)
    are used to determine the Domain Controller which is used to process logon requests, once determined, tickets are associated with the user account, which could be bound to SID or GUID or both.
    More information for you:
    Technologies for Federating Multiple Forests
    http://technet.microsoft.com/en-us/library/dd560679(v=WS.10).aspx
    How the Kerberos Version 5 Authentication Protocol Works
    http://technet.microsoft.com/en-us/library/cc772815(v=WS.10).aspx
    Best Regards,
    Amy

  • Alternative UPN suffix exists for all users except new user

    Hello,
    I am updating AD based on how it was setup by an outside IT company.  I am not an IT professional myself.  When I view the current user properties on the account tab, each user has 2 options in the UPN drop box; namely, mydomain.local & mydomain.com. 
    All users are set to mydomain.com.  I've added a new user to the same group in AD but there is only the mydomain.local option in the drop down.  Does anyone know why or how I can get the two options so I can choose the mydomain.com?

    Hi,
    If you add the alternative UPN suffix correctly in
    Active Directory Domains and Trusts, you can choose the UPN suffix even for the new user account.
    As others said, please make sure the alternative UPN suffix is added, and create a test user account to check the result.
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

    We are running Cisco ISE 1.2; we have a new AD domain with a forest trust relationship between the new and the old. Authentication with the new domain fails.
    Are there any requirements or configuration changes that need to be done to make it succeed?

    Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus/Apex licensing model.
    If you are not yet on Patch 8, then you are using Base/Advanced and these will be converted during the upgrade.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

    I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest than our offices.  Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2.  We have set
    up two-way forest trusts with our office domains using selective authentication.  We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain.  On the
    server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain.  However, after
    installing a 2012 R2 domain controller in an office domain, we cannot use the 2012 domain controller to browse to the objects in the licensing domain.  It never asks for credentials for the licensing domain when we specify the objects we want to add
    from the licensing domain.  It simply states that the object cannot be found.  When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that
    is logged on and this is failing since this user has no rights in the licensing domain.  I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has.  Can somebody tell me why this is happening
    and how to correct it?

    Hi,
    Based on my research, this is a known issue in Windows Server 2012 R2.
    According to the article below: “The Selective Authentication feature of selective trusts is
    not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.
    Release Notes: Important Issues in Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn387077.aspx
    Best Regards,
    Amy Wang

  • SCCM 2012 CU2 OSD forest trust: ReleaseRequest failed with error code 0x87d00317

    Hello,
    I have a difficult problem with my SCCM 2012 R2 CU2 Windows 7 x64 SP1 task sequence:
    I get the following error in smsts.log:
    ::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    RegQueryValueExW is unsuccessful for Software\Microsoft\SMS\Task Sequence, SMSTSEndProgram TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    End program:  TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Finalize logging request ignored from process 1736 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Waiting for CcmExec service to be fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CcmExec service is up and fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle will be read from _SMSTSActiveRequestHandle TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle: {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Attempting to release request using {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CoCreateInstance succeeded TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    ReleaseRequest failed with error code 0x87d00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Here is the complete smsts.log: http://1drv.ms/1pwTEBf
    To explain the Problem in Detail:
    The SCCM Primary Site Server and the Clients are in different trusted (bidirectional) forests!
    Everything is working fine in this scenario: I can install the SCCM agent on the clients with manual ccmsetup and with client push installation. Additionally I can deploy software updates and so on... only OSD is crashing in the ReleaseRequest step.
    During my Tasksequence new Clients are joined to Domain A while SCCM Primary Site Server is installed in Domain B
    If I change my TS and let the Clients also join Domain B everything works without any Problems and the Tasksequence finish without any Errors.
    My Problem must be related to the different Domains and the forest trust.
    My Setup:
    MP published to DNS in both domains
    Schema Extended in both domains
    System Management Container published and verified in both domains
    ccmsetup Parameters in TS: ccmsetup SMSMP=sccm.domain.b FSP=sccm.domain.b DNSSUFFIX=Domain.b
    Network Access account configured with Domain B account
    Domain Join account has create Computer rights on the OU in Domain A (Domain join is successful)
    DNS conditional forwarders configured in both domains and DNS resolution is working in both directions
    Any suggestions?
    Many thanks.
    regards,
    Christian

    Hi Christian,
    So do you actually get an error message in your TS, or is it just failing to join Domain B?  (Could be both if the machine fails to join the domain.)
    Can you review netsetup.log on the machines after the issue and see what error message you might be getting during the domain join process?
    Also, if it is a domain join issue, can you try manually joining to Domain B using the same service account?

  • Cisco ISE and forest trusts vs domain trusts

    Hi All,
    Are there any issues with forest trusts with Cisco ISE?
    I have a customer that had external trusts, and ISE was working OK for PEAP MSCHAPv2 user auth across domains.
    They recently removed the external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc OK, authz fail.
    I can search and get lists of AD groups OK for the remote domain.
    Using the attribute tab, I can't get attributes for users in the remote domain.  I'm thinking since I can't see the memberOf attribute, none of my authz policies will work.
    I have done "leave" and "join" domain again.
    In my lab, I have forest trusts and it actually works OK.  A previous poster talked about Kerberos issues across forest trusts?
    Cheers
    Peter. 

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on the page no.170

  • Active Directory cross forest trust which are deployed in separate subscription

    Hi All,
    I know that this is not the Azure forum, but I have a question related to Active Directory. I appreciate your understanding and letting me know your concerns about an AD cross-forest trust between two subscriptions of Azure.
    We have two separate subscriptions of Windows Azure under one global account. Previously these two subscriptions were treated as separate companies, and they have a separate forest and separate domain; these two companies do not have any site-to-site
    VPN with each other over the WAN, but these two companies do have site-to-site connections with Azure for their own subscriptions respectively.
    Additional domain controllers for both subscriptions are deployed in Azure in order to authenticate those servers which are already deployed in Azure.
    Due to some reasons these companies are merging together, and they want to have cross-forest trusts between these two companies. As we do not have any WAN connection between these two companies, the question has been raised whether we can
    do a cross-forest trust between two Active Directories, because both companies' Active Directories are deployed in Azure.
    Can we achieve this, and how can we achieve this? I know that we can expose servers in Azure over the internet by creating endpoints and allowing ACLs in order to get connections from specific public IPs.
    My question is: can we achieve this, and is it supported by Microsoft? If yes, is there anything we have to consider before deploying it?
    Thanks
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    No, I am not using Windows Azure Active Directory at all; I have deployed additional domain controllers from each forest in each subscription.
    For example in subscription 1 we have additional domain controller of forest 1 and in subscription 2 we have additional domain controller of forest 2.
    Thanks
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

  • Forest trust unable to find Active Directory Domain Controller

    I have two domains with a two-way forest trust. We'll call them ForestA and ForestB. They're on separate subnets. ForestA's DCs are in one physical location. ForestB's DCs are in two locations, one of which is shared with A.
    I'm unable to route traffic directly from the remote DC in ForestB to the subnet ForestA is on, so I created a new DC in ForestA that sits on the subnet ForestB uses (basically, I can't route between subnets via the wireless bridge between locations, but
    can within the same location).
    I found this: http://www.neomagick.net/zen/2008/11/30/using-dns-to-force-a-domain-trust-through-a-specific-domain-controller-dc/
    I followed the instructions to set the new DC in forest A to be the only one the remote DC in forest B was aware of.
    Nslookup ForestA.com resolves correctly to this DC, but I'm unable to validate the trust relationship, getting the error:
    "Windows cannot find an Active Directory Domain Controller for the ForestA.com domain. Verify that an AD DC is available and then try again."
    I'd appreciate any help.

    In the event viewer, have you found any event IDs that correspond with this error? Have you ensured all required ports are open? Windows Firewall is correctly set up? NIC is properly configured?
    Statement below taken from: http://technet.microsoft.com/en-us/library/cc961803.aspx
    If you receive the following error, ERROR_NO_LOGON_SERVERS, while using the Nltest tool to query the secure channel, this is usually indicative of the inability to find a domain controller for that domain. Run nltest /dsgetdc:<DomainName> to verify
    whether you can locate a domain controller. If you are unable to find a domain controller, examine DNS registrations and network connectivity.
    ADDS Ports:
    http://msdn.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

  • Forest Trust Issues (Group Membership Issues)

    OK - this is going to be long. I hope I am detailed enough.
    Four domains, each in their own forests:
    domain.w.com
    domain.x.com
    domain.y.com
    domain.z.com
    For the sake of everyone, I'll refer to each domain as "w" or "x", which would be domain.w.com and domain.x.com, respectively.
    Domains x, y, and z all have users that require access to resources on domain
    w. Remember - each domain is in its own forest.
    Three trusts were created on domain w. Since the users on domain w do not need any resources on the other domains, three "ONE-WAY:OUTGOING" trusts were created (one for each) via Active Directory Domains and
    Trusts on domain w. The option to create the trust (have it show up in Active Directory Domains and Trusts) in the other domains (in this case
    x, y, and z) was selected.
    After the trusts were created from domain w, the trusts were verified. Administrators on domain
    w could "verify" the trusts (using admin accounts created for them on the three trusted domains).
    Since everything looked good (domain w shows up as an incoming trust for the other three domains), permissions for specific users on domains
    x, y, and z were granted for a share in domain
    w.
    Only... that didn't happen. When attempting to change permissions on the share, administrators were able to change the working domain directory to either
    x, y, or z... but searching returned zero results. Zilch.
    *It should be noted that this scenario has been in place for quite some time now, and that all groups/users previously defined on the share (that belong to the three domains trusted by domain
    w) now all show up as SIDs.
    When attempting to verify (validate) the incoming trust on any of the three domains, the error "Windows cannot find an Active Directory Domain Controller for the domain.w.com domain. Verify that an AD DC is available and then try again."
    is returned.
    Pinging domain.w.com returns the correct address. Direct pings to both domain controllers on domain w
    is also working. Domain w can also do the same pings that I just listed to all three other domains with correct results.
    There is no firewall in between these forests.
    I am leaning towards a DNS or AD issue on the domain w side. This all occurred at once on the same day last week, and no changes were made on
    x, y, or z. Of course... domain
    w is another entity and they are saying they have no clue why it's not working.
    Questions:
    Should I be able to verify the trust from x, y, or
    z to domain w?
    Why can't domain w see the users/groups in the other domains?
    Why does domain w validate the trust if the other three domains can't?
    Could this be caused by some setting in GPO having to do with LDAP security, signing requirements, or authentication settings?
    Any help is much appreciated.
    Chris

    Yes, this is related to DNS, from what you describe.
    The simplest way to configure this is to go to EACH dns server on both sides of the trust and configure it for a conditional forwarder of the others dns zone. 
    http://www.techrepublic.com/blog/windows-and-office/configuring-dns-forwarders-to-support-windows-server-2003-forest-trusts/501/
    Unless you have a root dns server for all four zones already.
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.
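
The DC locator, DNS and port checks behind the "Windows cannot find an Active Directory Domain Controller" error in this thread and the previous one ("Forest trust unable to find Active Directory Domain Controller"), as an added PowerShell example that is not code from either post. It is meant to run on a domain controller (or an admin host) in the local forest against the remote forest; "ForestA.com" is the earlier thread's placeholder name, the port list is the standard AD DS set, and the secure-channel step requires running on a DC with administrative rights.

```powershell
# Added example, not from either thread: check what trust creation/validation needs
# from the remote forest: DC locator SRV records in DNS, a working DC locator lookup,
# open ports to every advertised DC, and the trust secure channel itself.
function Test-TrustPrerequisites {
    param(
        [Parameter(Mandatory)][string]$RemoteForest,                   # e.g. ForestA.com
        [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)  # standard AD DS ports
    )
    $result = [ordered]@{ Forest = $RemoteForest }

    # 1. DC locator SRV records. These only resolve if the DNS servers this host uses carry a
    #    conditional forwarder, stub zone or secondary zone for the remote forest.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $result.DcSrvRecords = @($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique)

    # 2. Does the DC locator pick a DC? /force bypasses the locator cache so a stale
    #    negative entry does not hide a fix you just made.
    $loc = & nltest "/dsgetdc:$RemoteForest" /force 2>&1
    $result.DsGetDcOk     = ($LASTEXITCODE -eq 0)
    $result.DsGetDcOutput = (@($loc | Select-Object -First 2) -join ' | ')

    # 3. TCP reachability to each advertised DC. Trust setup uses LDAP (389/636/3268/3269),
    #    Kerberos (88/464), SMB (445), DNS (53) and RPC: the endpoint mapper on 135 plus a
    #    dynamic port (49152-65535 on Server 2008 and later, 1025-5000 on 2003). A firewall
    #    that passes 135 but drops the dynamic range produces exactly the "RPC failed" /
    #    "cannot find a DC" symptoms, so check its rules for that range as well.
    $portReport = foreach ($dc in $result.DcSrvRecords) {
        foreach ($p in $Ports) {
            $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $p; Open = [bool]$t.TcpTestSucceeded }
        }
    }
    $result.ClosedPorts = @($portReport | Where-Object { -not $_.Open } | ForEach-Object { "$($_.DC):$($_.Port)" })

    # 4. The trust secure channel, which is what "Validate" in AD Domains and Trusts exercises.
    #    Must run on a DC of the local forest with admin rights.
    $sc = & nltest "/sc_verify:$RemoteForest" 2>&1
    $result.SecureChannelOk     = ($LASTEXITCODE -eq 0)
    $result.SecureChannelOutput = (@($sc | Select-Object -First 2) -join ' | ')

    [pscustomobject]$result
}

# Usage:
Test-TrustPrerequisites -RemoteForest 'ForestA.com' | Format-List
```

An empty DcSrvRecords list with a healthy ping of the bare domain name is the signature of the situation Paul describes: the A record resolves but nothing forwards the _msdcs SRV queries, so add the conditional forwarder on every DNS server on both sides. ClosedPorts populated only for 135 or 389 points at a firewall or host rule rather than DNS. Run the same function from both forests, since a one-way failure is common when the return path crosses a different firewall.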

  • Set-up of a Forest Trust - Unique situation

    I am in need of advice on how to set up a forest trust between two separate, but similar, forests.
    My AD server is Server 2012 R2; their AD server is Server 2008 R2.
    We are a small community college in the process of separating from our parent university. Currently the parent university has AD services for both domains (theirname.edu and ourname.edu). I have built a completely new & separate AD server on a different
    network using the same ourname.edu as the parent university is currently using.
    Is it possible to set up a forest trust between the NEW ourname.edu and the old ourname.edu?
    We are trying to get the NEW AD server up and running so that it can be fully functional for users; also, this trust is so we can migrate our student & employee user data from the OLD AD to our NEW AD using the ADMT tool or something similar.

    You can't create a trust between two domains/forests with the same name.  How would the client know where to go when referencing the name?
    One thing to consider is a radical pruning situation.  You could introduce a new server in theirname.edu and promote it as a new DC.  Then physically remove it from the domain and
    NEVER allow it to talk to theirname.edu ever again.  In theirname.edu, do a metadata cleanup of this recently promoted DC to remove all references to the DC.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx
    Now seize all FSMO roles on the DC you just removed and consider this the first DC in your forest.  Go back within this forest and do a metadata cleanup of all the old DCs.
    You now have a duplicate forest that should be cleaned up, removing all users and computers that didn't transfer from the original domain.  The old domain should also clean up all unused accounts and computers as well.
    Just be aware that pruning isn't supported by Microsoft, but this is a known practice in mergers and divestitures:
    http://technet.microsoft.com/en-us/library/mergers_acquisitions_active_directory_prune_and_graft_restructuring_support_limitations(v=WS.10).aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Forest Trust RPC timeout across MPLS

    Hi, I am having trouble setting up a forest trust between two networks. The issue "seems" to be an RPC timeout (I see RPC age-out on the firewall), but I'm now wondering if it's actually LDAP or Kerberos that's failing first.
    I have read that RPC needs to have the same path outgoing as incoming, otherwise you can get SYN-ACK problems (especially through a firewall). So I need to try and work out why it doesn't work. It is laid out something like this.
    Network 1 (domain BOB) (Server 2008 R2 at domain functional level 2003)
    Site1, Site2 and Site3 all connect to each other via a site-to-site link provided by a 3rd party. They all egress at Site1's ISA firewall in a normal 3-leg perimeter config. All works fine.
    Network 2 (domain RITA) (Server 2008 R2 at domain functional level 2003)
    SiteA, B, C and D all connect to each other over 3rd-party MPLS (essentially Gig Ethernet).
    Site1 and SiteA are on the same premises in the same room. There is a spare NIC on the ISA server. So I configured the ISA with a NIC in the same subnet as SiteA (RITA domain), i.e. I plugged RITA into BOB. I configured the ISA for routing. Allow ANY ANY
    internal to RITA and ANY ANY RITA to internal.
    I set up conditional forwarders on both domains pointing at each other and can ping everything from the other sites. DNS is working fine. I can RDP across sites to each other's DCs. From a "network" point of view it all looks good (though in the
    back of my mind I can't rule out the site-to-site or the MPLS links).
    When I try and create the trust it fails very quickly with "Cannot Continue. The trust relationship cannot be created because the following error occurred: The operation failed. The error is: The remote procedure call failed".
    I can do a portqry and see all RPC comms look good.
    In ISA and another firewall I tried, I can see the RPC ageing out. Have tried Wireshark but it's hard to see what's going on.
    I used another server in the BOB domain and dcpromo'd it to a new domain in that subnet and tried setting up a trust. Worked first time.
    Similarly I did the same at the RITA side and that worked too.
    There are no errors in DNS or the event logs on either side to suggest anything is failing. I tried verbose DNS logs but couldn't really follow them.
    Help!! Thanks

    Hi,
    To verify whether this is a network issue, please try to perform a network capture on the servers on both sides.
    We can use "IPv4.Address==xxx.xxx.xxx.xxx" to filter the traffic between the servers. Then compare the capture data from the servers. If all the packets have been forwarded, it should not be caused by the network.
    To download Network Monitor, please click the link below:
    http://www.microsoft.com/en-hk/download/details.aspx?id=4865
    About the question related to Directory Services, to get better help, please post your questions on the DS forum.
    Here is the address:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 and 2 other Domain External and Forest Trusts

    Is there anything that needs to be done or considered when migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 with 2 other 2003 separate Domain incoming
    and outgoing Trusts, one Trust that is a Forest Trust and the other is an External Trust? Is there any chance or risks that doing this upgrade will break either one of these Trust relationships? Some of the user accounts with SID history have been migrated
    from both Domain Trusts to our domain. Any chance that this upgrade will break these relationships for users that are using SID history for access to folders and files in their old Domains? If so what can be done to protect these trusts and SID history, prior
    to moving the Domain to 2008R2

    Hi,   
    Based on my knowledge,
    the upgrade of the functional level does not affect the trust relationship.
    Besides, before you upgrade the functional level,
    verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level.
    Once the functional level has been upgraded, new DCs running on down-level versions of Windows Server cannot be added to the domain or forest.
    For more information about function level, we can refer to following links:
    Understanding Active Directory Domain Services (AD DS) Functional Levels
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
    What is the Impact of Upgrading the Domain or Forest Functional Level?
    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
    Best Regards,
    Erin
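
The pre-flight check Erin describes (every DC at least at the target OS version) together with a before/after snapshot of the trusts, as an added PowerShell example that is not code from the thread. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest; the target OS string and the Windows2008R2Domain mode in the usage comment are the thread's scenario, and the OS-ranking helper is a simple heuristic over the OperatingSystem attribute.

```powershell
# Added example, not from the original thread: confirm every DC runs at least the target
# OS before raising the functional level, and snapshot the trusts for later comparison.
function Get-FunctionalLevelReadiness {
    param(
        [string]$TargetOs = 'Windows Server 2008 R2'   # minimum DC OS for the target level
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Heuristic ranking of the OperatingSystem attribute: year*10, +5 for an R2 release,
    # so "Windows Server 2008 R2" ranks above "Windows Server 2008".
    function ConvertTo-OsRank([string]$os) {
        if ($os -match 'Server\D*(\d{4})\s*(R2)?') {
            [int]$matches[1] * 10 + $(if ($matches[2]) { 5 } else { 0 })
        } else { 0 }
    }
    $targetRank = ConvertTo-OsRank $TargetOs

    $forest = Get-ADForest
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                Domain          = $domain
                HostName        = $_.HostName
                OperatingSystem = $_.OperatingSystem
                MeetsTarget     = (ConvertTo-OsRank $_.OperatingSystem) -ge $targetRank
            }
        }
    }

    # A functional level change does not touch trusts, but a snapshot makes that easy to
    # prove afterwards. SIDFilteringQuarantined is the setting that decides whether SID
    # history presented over that trust is honoured, so it belongs in the comparison.
    $trusts = foreach ($domain in $forest.Domains) {
        Get-ADTrust -Filter * -Server $domain |
            Select-Object Source, Target, Direction, TrustType, ForestTransitive,
                          SIDFilteringQuarantined, SIDFilteringForestAware
    }

    $blocking = @($dcs | Where-Object { -not $_.MeetsTarget })
    [pscustomobject]@{
        ForestMode        = $forest.ForestMode
        DomainControllers = $dcs
        BlockingDCs       = $blocking
        Trusts            = $trusts
        ReadyToRaise      = ($blocking.Count -eq 0)
    }
}

# Usage: inspect the report and raise only when ReadyToRaise is $true, e.g.
#   $r = Get-FunctionalLevelReadiness
#   $r.Trusts | Export-Clixml .\trusts-before.xml
#   if ($r.ReadyToRaise) { Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008R2Domain }
#   Compare-Object (Import-Clixml .\trusts-before.xml) (Get-FunctionalLevelReadiness).Trusts -Property Source,Target,Direction,SIDFilteringQuarantined
```

Run it from the forest root with an account that can read all domains; a DC listed in BlockingDCs must be upgraded or demoted and cleaned up before the raise, since the operation is not reversible on 2008 R2.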

  • Exchange mailboxes, corporate AD, forest trust, arrays, Can you look this over?

    This is my first script, it took a while to figure some things out, but it is working. I wanted to know if it is overkill, or if there is something that sticks out that would be an easier way of accomplishing something with this script.
    Background info:
    Company was bought out, forest trust set up between corp network and ours (years ago). So what we wanted was to compare exchange mailboxes with linked mailboxes array, to be compared to corporate AD array with user accounts that are disabled. a list is created
    in another script which shows linked mailboxes and disabled corp AD accounts, helpdesk looks these through to make sure there are no exceptions. Exceptions are entered into PS cmdline, those are pulled out of the array. Then the left objects in the array are
    PST backed up to a network share, and then the mailboxes removed. The admin trust across corp allows the Exchange admin to search through corp AD with the Search-ADAccount cmdlet. The script is run from a VM with the Exchange server tools installed, running a 32-bit OS of Windows
    7 and 32-bit Office (because that's how great... Exchange 2007 is for exporting mailboxes to PST).
    Not sure of this, though it works: 
    <#Clear variables so they are not retaining any old values#>
    Get-Variable -Exclude PWD,*Preference | Remove-Variable -EA 0
    Wanted to clear variables before running script, data was being held over each run before adding this in
    Here is the code "xxxxx" used in lieu of server names:
    <#Import in modules, if statement for PSSnapin so that it doesn't throw an error if it is already loaded.#>
    Import-Module ActiveDirectory
    if ( (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue) -eq $null ){
        add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin
    }
    <#Clear variables so they are not retaining any old values#>
    Get-Variable -Exclude PWD,*Preference | Remove-Variable -EA 0
    <#Variables needed to complete script. $testIteration shows the number of times the nested for loop happens, $exUserCorpMatch=@() is an empty array that will have objects added to it
    when linked mailboxes on Exchange are compared to disabled corp accounts, $adminUser holds the login that runs the script so that anyone with admin credentials can run it#>
    $errorLogPath = "c:\scripts\logs\exchangeADerror.txt"
    $testIteration=0
    $exUserCorpMatch=@()
    $adminUser = whoami
    $exceptionUsers=@()
    $exceptionArray=@()
    <#Create an Array from the Get-Mailbox cmdlet that has the value "LinkedMailbox" tying it to a Corporate account, .count value used to check results against expected#>
    $mailboxes = Get-Mailbox -resultSize unlimited -RecipientTypeDetails LinkedMailbox
    $mailboxes.count
    <#Create an array of objects from the Corp server of user-only disabled accounts, .count value used to check results against expected#>
    $corpAccDis = Search-ADAccount -ResultSetSize $null -Server xxxxx -AccountDisabled -UsersOnly
    $corpAccDis.count
    <#Read in a list of users whose mailboxes shouldn't be removed#>
    while ($var -ne "q"){
        $var = Read-Host "Enter user exception linked mailbox name, or press q to quit entering names:"
        if ($var -ne "q"){
            $exceptionUsers += $var
        }
    }
    $exceptionUsers.count
    <#Create an Array with the usernames that were supplied by the Read-Host Cmdlet#>
    foreach ($name in $exceptionUsers){
        $exceptionArray += Get-Mailbox -Identity $name
    }
    $exceptionArray
    <#Compare the two arrays on the value of name from the "Linked Master Account" and the Corp server "Sam Account Name" and insert the matching objects into an Array#>
    For ($a=0 ; $a -le $mailboxes.count -1 ; $a++){
        For ($b=0 ; $b -le $corpAccDis.count -1 ; $b++){
            $testIteration++
            if ($mailboxes[$a].LinkedMasterAccount.Split("\")[-1] -eq $corpAccDis[$b].SamAccountName){
                $exUserCorpMatch += $mailboxes[$a]
                break
            }
        }
    }
    $testIteration  #Test value checking number of times the loop took place
    $exUserCorpMatch.count
    <#For loop to take exception users' mailboxes out of the script#>
    For ($d=0;$d -lt $exceptionArray.Count; $d++){
        $exUserCorpMatch = $exUserCorpMatch| ? {$_.alias -ne $exceptionArray[$d].alias}
    }
    $exUserCorpMatch.count
    $exUserCorpMatch | sort
    <#Taking the newly created array from the comparison and running the bulk of decisions, gives full access rights to the admin account entered before, then exports the mailbox to a PST
    file on the network share, and produces a txt file of the user's properties, attributes, etc. Then Remove-Mailbox; this cmdlet is currently commented out until testing is done and
    confirmed removal is ready to take place. #>
    for ($c = 0 ; $c -le $exUserCorpMatch.count -1; $c++){
        $fileCreationTime = Get-Date -UFormat "%Y%m%d%H%M%S"
        $displayName = $exUserCorpMatch[$c].DisplayName
        <#The file name must be a quoted string: an unquoted $displayName.PST is read as a property lookup and yields an empty name#>
        $pstFolderPath = Join-Path "\\xxxxx\exchangePST\" "$fileCreationTime$displayName.PST"
        $txtFolderPath = Join-Path "\\xxxxx\exchangePST\" "$fileCreationTime$displayName.txt"
        try {
            $everythingIsOk = $true
            Add-MailboxPermission -Identity $exUserCorpMatch[$c] -User $adminUser -AccessRights FullAccess -ErrorAction Stop -Verbose
        } catch {
            $everythingIsOk = $false
            Write-Warning "Permission add problem, logging error to $errorLogPath!"
            Write-Warning $error[0]
            $error[0] | Out-File $errorLogPath -Append
        }
        if ($everythingIsOk){
            try{
                Export-Mailbox -Identity $exUserCorpMatch[$c] -PSTFolderPath $pstFolderPath -ErrorAction Stop -Verbose
            }catch{
                $everythingIsOk = $false
                Write-Warning "Export problem!"
                Write-Warning $error[0]
                $error[0] | Out-File $errorLogPath -Append
            }
        }
        if ($everythingIsOk){
            try {
                Get-Mailbox -Identity $exUserCorpMatch[$c] | FL | Out-File $txtFolderPath -ErrorAction Stop -Verbose
            } catch {
                $everythingIsOk = $false
                Write-Warning "Problem writing to txt"
                Write-Warning $error[0]
                $error[0] | Out-File $errorLogPath -Append
            }
        }
        if ($everythingIsOk){
            try{
                Write-Verbose "!!!!!!!!!!!!!!!!!!"
                <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
            } catch {
                Write-Warning $error[0]
                $error[0] | Out-File $errorLogPath -Append
            }
        }
    }

    Half of your code appears to be doing nothing.
    This does nothing:
    if ($everythingIsOk){
            try{
            Write-Verbose "!!!!!!!!!!!!!!!!!!"
            <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
            } catch {
             Write-Warning $error[0]
             $error[0] | Out-File $errorLogPath -Append
            }
    }
    The way we do a limiting Try/Catch is to just use a single "try/catch".
    $fileCreationTime = Get-Date -UFormat "%Y%m%d%H%M%S"
    for ($c = 0 ; $c -lt $exUserCorpMatch.count; $c++){
        $displayName = $exUserCorpMatch[$c].DisplayName
        $pstFolderPath = Join-Path "\\xxxxx\exchangePST\" "$fileCreationTime$displayName.PST"
        $txtFolderPath = Join-Path "\\xxxxx\exchangePST\" "$fileCreationTime$displayName.txt"
        try {
            Add-MailboxPermission -Identity $exUserCorpMatch[$c] -User $adminUser -AccessRights FullAccess -ErrorAction Stop -Verbose
            Get-Mailbox -Identity $exUserCorpMatch[$c] | FL | Out-File $txtFolderPath -ErrorAction Stop -Verbose
            <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
        }catch{
            Write-Warning $error[0]
            $error[0] | Out-File $errorLogPath -Append
        }
    }
    The following does the same thing your code did.  It executes but aborts further execution on an exception.
    ¯\_(ツ)_/¯
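    The same job as the script above, rewritten as an added example (this is not the poster's or the replier's code): the nested For loops become a single case-insensitive hashtable lookup on SamAccountName, the exception list is applied in the same pass, and each mailbox gets one try/catch with -ErrorAction Stop as the reply recommends, so the first failing step skips every later step for that mailbox and is logged. The Remove-Mailbox step is gated by ShouldProcess instead of being commented out, so the whole thing can be rehearsed with -WhatIf. It assumes the Exchange 2007 snapin cmdlets the thread uses (Get-Mailbox, Add-MailboxPermission, Export-Mailbox, Remove-Mailbox) and the ActiveDirectory module; the server name, share path, log path and parameter names are placeholders of mine, not values from the thread.

```powershell
# Added example, not the original poster's script. Placeholders: CorpServer, PstShare, ErrorLogPath.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CorpServer       = 'xxxxx',                                # placeholder, as on the page
    [string]$PstShare         = '\\xxxxx\exchangePST',                  # placeholder share
    [string]$ErrorLogPath     = 'C:\scripts\logs\exchangeADerror.txt',
    [string[]]$ExceptionAliases = @()                                   # mailbox aliases that must be kept
)

Import-Module ActiveDirectory
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
}

# Index the disabled corp accounts once. A PowerShell hashtable literal is case-insensitive,
# so "JSMITH" and "jsmith" match, and lookup is constant time instead of mailboxes x accounts.
$disabled = @{}
Search-ADAccount -Server $CorpServer -AccountDisabled -UsersOnly -ResultSetSize $null |
    ForEach-Object { $disabled[$_.SamAccountName] = $true }

$keep = @{}
foreach ($alias in $ExceptionAliases) { $keep[$alias] = $true }

# Linked mailboxes whose master account (DOMAIN\sam) is disabled and not on the keep list.
$targets = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox |
    Where-Object {
        $sam = ($_.LinkedMasterAccount -split '\\')[-1]
        $disabled.ContainsKey($sam) -and -not $keep.ContainsKey($_.Alias)
    }

Write-Verbose ("{0} linked mailboxes match disabled corp accounts" -f @($targets).Count)
$adminUser = whoami

foreach ($mbx in $targets) {
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    # Quoted string: an unquoted $displayName.PST would be parsed as a property lookup.
    $base  = Join-Path $PstShare "$stamp$($mbx.DisplayName)"
    try {
        # -ErrorAction Stop turns each cmdlet's non-terminating errors into exceptions,
        # so a failed permission grant or export means the mailbox is never removed.
        Add-MailboxPermission -Identity $mbx -User $adminUser -AccessRights FullAccess -ErrorAction Stop | Out-Null
        Export-Mailbox -Identity $mbx -PSTFolderPath "$base.PST" -Confirm:$false -ErrorAction Stop
        Get-Mailbox -Identity $mbx | Format-List | Out-File "$base.txt" -ErrorAction Stop
        if ($PSCmdlet.ShouldProcess($mbx.Alias, 'Remove-Mailbox -Permanent')) {
            Remove-Mailbox -Identity $mbx -Permanent $true -Confirm:$false -ErrorAction Stop
        }
    } catch {
        Write-Warning ("{0}: {1}" -f $mbx.Alias, $_.Exception.Message)
        "$(Get-Date -Format s) $($mbx.Alias) $($_.Exception.Message)" | Out-File $ErrorLogPath -Append
    }
}
```

    Run it first as `.\Cleanup-LinkedMailboxes.ps1 -ExceptionAliases 'ceo','legalhold' -WhatIf -Verbose` (file name is mine): every step reports what it would do and nothing is changed, which replaces the "comment out Remove-Mailbox until testing is done" convention from the original script. Because the keep list is checked before any mailbox is touched, a typo in an exception alias shows up in the -Verbose count rather than as a removed mailbox.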

  • Auto discovery between forest trust.

    Hi,
      We are merging with a company and have set up the forest trust. We are going to export our mail to their Exchange and remove our Exchange server.
    We log in to our Domainold.com, and currently Outlook 2010 clients are looking for our old domain's Exchange.
    But how do I set this up so that they find the new Exchange in our parent domain (newdomain.com) and configure the client automatically?
    AS

    Hello Aussupport,
    Currently your Autodiscover URL is pointing to the old CAS servers. Please point it to the new CAS server. Use the command below to set the required URL for the Autodiscover virtual directory; in the command below you can use internal/external URLs as you want.
    Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -ExternalUrl 'http://www.contoso.com'
    Like this, please configure all the virtual directories.
    Always use the external URL (i.e. the FQDN of the CAS farm).
    Currently users are looking for the old RPC Client Access server as their endpoint to access the mailbox resource; please point them to the new CAS farm.
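    The "configure all the virtual directories" step carried through, as an added example rather than the replier's own command: it sets the internal and external URL of each client-facing virtual directory on the new CAS to one HTTPS name, refuses to proceed unless an IIS-enabled certificate on that server covers the name (otherwise every client gets a certificate prompt), updates the Autodiscover SCP that domain-joined Outlook queries before it tries DNS, and publishes a pointer SCP into the old forest so clients still logging on to Domainold.com are redirected across the trust. It assumes an Exchange 2010 management shell; NEWCAS01, mail.newdomain.com and dc01.domainold.com are placeholders, not values from the thread.

```powershell
# Added example, not the replier's command. Placeholders: NewCas, ClientFqdn, OldForestDc.
param(
    [string]$NewCas      = 'NEWCAS01',             # placeholder: new Client Access server
    [string]$ClientFqdn  = 'mail.newdomain.com',   # placeholder: name clients connect to; must be on the certificate
    [string]$OldForestDc = 'dc01.domainold.com'    # placeholder: a DC in the old forest for the pointer SCP
)

# Autodiscover carries credentials, so only an https base is built here.
$base = "https://$ClientFqdn"

# Refuse to publish a name the server cannot present a trusted certificate for.
$cert = Get-ExchangeCertificate -Server $NewCas |
    Where-Object { ($_.Services -match 'IIS') -and ($_.CertificateDomains -contains $ClientFqdn) }
if (-not $cert) {
    throw "No IIS-enabled certificate on $NewCas covers $ClientFqdn; fix the certificate before changing URLs."
}

# Get/Set cmdlet pair for each virtual directory and the path clients expect for it.
$vdirs = @(
    @{ Get = 'Get-AutodiscoverVirtualDirectory'; Set = 'Set-AutodiscoverVirtualDirectory'; Path = '/Autodiscover/Autodiscover.xml' },
    @{ Get = 'Get-WebServicesVirtualDirectory';  Set = 'Set-WebServicesVirtualDirectory';  Path = '/EWS/Exchange.asmx' },
    @{ Get = 'Get-OabVirtualDirectory';          Set = 'Set-OabVirtualDirectory';          Path = '/OAB' },
    @{ Get = 'Get-OwaVirtualDirectory';          Set = 'Set-OwaVirtualDirectory';          Path = '/owa' },
    @{ Get = 'Get-EcpVirtualDirectory';          Set = 'Set-EcpVirtualDirectory';          Path = '/ecp' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';   Set = 'Set-ActiveSyncVirtualDirectory';   Path = '/Microsoft-Server-ActiveSync' }
)

foreach ($v in $vdirs) {
    $url = $base + $v.Path
    & $v.Get -Server $NewCas | ForEach-Object {
        & $v.Set -Identity $_.Identity -InternalUrl $url -ExternalUrl $url
        Write-Verbose ("{0} -> {1}" -f $_.Identity, $url)
    }
}

# Domain-joined Outlook reads the Service Connection Point from AD first, so the SCP on the
# new CAS must carry the same https name ...
Set-ClientAccessServer -Identity $NewCas -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# ... and the old forest needs a pointer SCP of its own, because its clients query their
# own AD, not the new forest's. MultipleExchangeDeployments is set because both forests
# still run Exchange during the migration.
Export-AutoDiscoverConfig -TargetForestDomainController $OldForestDc -MultipleExchangeDeployments $true

# Read back what clients will now be handed.
Get-ClientAccessServer -Identity $NewCas | Select-Object Name, AutoDiscoverServiceInternalUri
```

    After this, a client-side check is `Test-OutlookWebServices` from the new shell, or Outlook's "Test E-mail AutoConfiguration" from the old domain; both should report the https name above and no certificate warning. The Export-AutoDiscoverConfig step needs the forest trust the question already describes, and a name not on the certificate is the most common reason clients keep falling back to the old server.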
