Best practices for setting up Domain controller for our remote European offices

Hi,
We have about 17 remote sites across Europe (HQ in UK). I want to start revoking the offices' local DCs and host them in a couple of Cloud servers in Germany with local NAS boxes for file storage. I will have an MPLS network between the offices and the Cloud DC.
Now what would be the best practices and tips for this situation in respect to the DCs? How can I prioritize the remote offices to use the Cloud DC/DNS and not our DC at our HQ in the UK? Would it be better to have a sub-domain created (europe.company.co.uk) for the other offices?
Any suggestions on this setup for the DC?

Hiya,
On the conceptual level: the reason for having local DCs is that if the local site's internet line is offline, people are still able to authenticate and access local resources. From that point of view, you might as well just run with your HQ DCs only. Note: the cloud does offer availability on their services that might not be matched by your HQ in terms of double internet lines.
That said.
The DNS server of the clients as well as the sites & services of Active Directory. Your clients will use the nearest domain controller available from sites and services information.
Managing Intersite Replication
http://technet.microsoft.com/en-us/library/cc794799%28v=ws.10%29.aspx

Similar Messages

  • Ports for Creating Additional Domain controller at my remote DRC site

    Hello Expert,
    I have my disaster recovery center (DRC) at a remote place. Now I want to configure an Additional domain controller (ADC) at my DRC; kindly share with me the list of ports that I need to open at my firewall to configure this ADC. I have a Server 2008 R2 environment.
    Swaprakash..

    Hi,
    The links below have detailed information on the ports required to be open for AD communication:
    Active Directory Firewall Ports - Let's Try To Make This Simple 
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
    http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
    Regards,
    Rafic

  • ACL migration Error : 1210 could not find a domain controller for domain "Test Domain" (Old Domain)

    Hi
    We are migrating from an old domain to a new domain. Before live migration, we are trying to check the ACE/ACL migration through SubInACL. We are running SubInACL on a cluster, which is a member of the Old Domain (Test Domain). We are able to resolve and ping both the Old Domain and the New Domain from this cluster machine. We have created a network share on this cluster, which is accessible to all Domain Users of the Old Domain. Both domains have a two-way forest-level trust. We are trying to migrate the ACL of this share (\\ClusterMachine\testshare$) to the new domain using SubInACL. We are trying to run the below command to get it done.
    subinacl /outputlog=C:\Users\Administrator\Desktop\Migrationlog.txt /subdirectories \\ClusterMachine\testshare$\*.* /migratetodomain=OldDomain=NewDomain=mappingfile.txt
    Mapping file contains : Domain Users=NewDomain_Users
    But we are getting the error "1210 could not find a domain controller for domain "Test Domain". Error finding domain name : 1210 the format of the specified computer name is invalid. Current Object "\\ClusterMachine\testshare$" will not be processed."

    Hello,
    how in detail is DNS set up in each domain?
    Any problems when using nslookup to verify?
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber

  • What is the best practice for setting up warehouse inventory for oil & gas tank farm

    Hi, I want to know the best practice for setting up warehouse inventory for an oil & gas tank farm. SAP has these levels for inventory management in a warehouse environment: warehouse-aisle-shelf-bin. To me the bin seems to be the central location for inventory. So do I set up each oil tank as a bin location?

    Hi,
    Please refer below link:
    https://help.sap.com/saphelp_sbo900/helpdata/EN/ad/4f233a7b864c7cbe2b57ad09246adb/content.htm
    SAP Business One 9.0 Training - Feb 6, 2013 - Warehouse Bins - YouTube
    Thanks & Regards,
    Nagarajan

  • Charm: No Domain Controller for SB5

    Hi,
    I configured Charm in Solution Manager 4.0, created a satellite system SB5 in smsy and ran the batch to get the info to Charm. Now I have it in /tmwflow/cmsconf, but when I synchronize the project in solar_admin_project we get the error No Domain Controller for SB5.
    The STMS is configured correctly in SB5.
    The RFC dests are OK. Also, from SMSY I can see the domain controller without any problem, and distribution routes also.
    Any advice?
    Thanks
    Ahmed

    Thanks Pascal,
    I was able to fix the problem by adding a domain link between solution manager and satellite systems.
    Ahmed

  • Unable to find domain controller for the specified domain. Please explicitly specify the domain controller.

    I'm getting the error "Unable to find domain controller for the specified domain. Please explicitly specify the domain controller." when I try to create an AD connection for my User Profile Service. The entire SharePoint environment is installed on one server. That server has everything on it: AD, SQL, SharePoint, and it's the domain controller. I can't figure out why this will not identify?
    Trevor Fielder

    Hi,
    Did you get this error when clicking on the Populate Containers button?
    If yes, please make sure that you have provided the domain credentials in the account name and password boxes below when entering the domain information. The account must be granted the replicating directory changes permission on the domain.
    You can refer to this blog:
    http://www.harbar.net/articles/sp2010ups.aspx
    Xue-Mei Chang

  • Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

    So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2.  Here is my scenario:
    1.  I want to setup the domain controller at Site A where the primary domain controller is located.  The primary domain controller is Windows Server 2008 R2. 
    2.  Once the DC is setup I plan on leaving it on our network for a few days before shipping it to remote Site B for installation
    Other key items:
    1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel.  All the DCs that replicate with each other are on the same domain. 
    2.  The 2012 DC that I setup for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A
    Questions:
    1.  What items can I set up while it's at Site A without affecting or conflicting with the existing network and domain controller?  Can I set up a scope once the DHCP role is added? 
    2.  All of our DCs replicate through Sites and Services, do I have to manually add this to our primary DC for the new DC going to remote Site B?  Or when does this happen automatically when I promote the DC? 
    All and all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide.  Any help would be appreciated. 

    Hi,
    Thanks for your posting.
    When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
    For more and detail information, please refer to:
    Best Practices for Adding Domain Controllers in Remote Sites
    http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
    Regards.
    Vivian Wang

  • [Forum FAQ] How to sync time with a Domain Controller for a standalone server

    As we all know, if a computer belongs to an Active Directory domain, it will sync the time automatically by using the Windows Time service that is available on Domain Controllers.
    A standalone server, by contrast, will synchronize with its local hardware time and the Windows time server. (Figure 1)
    Figure 1.
    Under some circumstances, a standalone server is necessary in a product environment. We can sync the time of this standalone server with the Domain Controller using the steps below:
    1. Modify the value of AnnounceFlags:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    Under this entry we can see the default value of AnnounceFlags is 10 (Decimal); we configure the value as 5 (Decimal). (Figure 2)
    Figure 2.
    2. Confirm the value of the registry key below is set to 0:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    Figure 3.
    3. Configure the standalone server to synchronize with a specific time source (Domain Controller).
    In our test, we configured our Domain Controller (192.168.10.200) as the time source, using the following command:
    w32tm /config /syncfromflags:manual /manualpeerlist:192.168.10.200
    4. Sync the time with the Domain Controller using the command below:
    w32tm /config /update
    From the figure below (Figure 4), you can see that after we did all the steps above, the time on the standalone server was synced with the Domain Controller.
    Figure 4.
    (Note: Peerlist is a separated list of DNS servers, or IP Addresses for the time servers)
    More information:
    Windows Time Service Tools and Settings
    http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx#w2k3tr_times_tools_dyax
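A way to verify the result of the steps above from the registry and from w32tm itself, as an added example that is not part of the original post. The function names and the sample settings are constructed, and the `Enabled` value name used for step 2 is an assumption, since the post does not name the value.

```powershell
# Added example: check a standalone server against the four steps above.
# Expected values come from the post; the value name 'Enabled' under
# TimeProviders\NtpServer is an assumption (the post does not name it).

function Get-W32TimeSettings {
    # Reads the live registry; Windows only.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $params = Get-ItemProperty -Path "$base\Parameters"
    [pscustomobject]@{
        AnnounceFlags    = (Get-ItemProperty -Path "$base\Config").AnnounceFlags
        NtpServerEnabled = (Get-ItemProperty -Path "$base\TimeProviders\NtpServer").Enabled
        Type             = $params.Type        # 'NTP' after /syncfromflags:manual
        NtpServer        = $params.NtpServer   # peer list written by /manualpeerlist
    }
}

function Test-TimeClientConfig {
    param(
        [Parameter(Mandatory)]$Settings,
        [Parameter(Mandatory)][string]$ExpectedPeer
    )
    # Peer entries can look like 'host,0x9'; keep only the host part.
    $peers = @("$($Settings.NtpServer)" -split '\s+' | ForEach-Object { ($_ -split ',')[0] })
    @(
        [pscustomobject]@{
            Check  = 'Config\AnnounceFlags is 5 (step 1)'
            Actual = $Settings.AnnounceFlags
            Ok     = ($Settings.AnnounceFlags -eq 5)
        }
        [pscustomobject]@{
            Check  = 'TimeProviders\NtpServer\Enabled is 0 (step 2)'
            Actual = $Settings.NtpServerEnabled
            Ok     = ($Settings.NtpServerEnabled -eq 0)
        }
        [pscustomobject]@{
            Check  = 'Parameters\Type is NTP (step 3)'
            Actual = $Settings.Type
            Ok     = ($Settings.Type -eq 'NTP')
        }
        [pscustomobject]@{
            Check  = "Parameters\NtpServer lists $ExpectedPeer (step 3)"
            Actual = $Settings.NtpServer
            Ok     = ($peers -contains $ExpectedPeer)
        }
    )
}

# Constructed sample: a standalone server before the steps were applied.
$sample = [pscustomobject]@{
    AnnounceFlags    = 10
    NtpServerEnabled = 0
    Type             = 'NTP'
    NtpServer        = 'time.windows.com,0x9'
}
Test-TimeClientConfig -Settings $sample -ExpectedPeer '192.168.10.200' |
    Format-Table -AutoSize

# On the standalone server itself (elevated prompt), check the live state and
# then confirm the source and offset that the service reports:
#   Test-TimeClientConfig -Settings (Get-W32TimeSettings) -ExpectedPeer '192.168.10.200'
#   w32tm /resync
#   w32tm /query /status
#   w32tm /stripchart /computer:192.168.10.200 /samples:3 /dataonly
```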

    Thank you for the instruction! I am sure it is one of the scenarios that the majority of administrators will run into. So I suggest writing a wiki about it and publishing it for this month's TechNet Guru in the Windows Server section. This month's TechNet Guru can be found here:
    Calling All Wise Men! Windows Server Gurus Needed! Apply Within! No One Turned Away!
    Thanks for your informative post. :)
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir

  • Changing Domain Controller for Exchange 2013

    Folks
    I have an Exchange 2013 running on Server 2012.
    Old DC on Server 2008.
    I want to decommission the 2008 server. I have built a 2012 DC and for the life of me cannot work out how to change the DC that my Exchange box uses????
    Using the Set-ADServerSettings cmdlet only seems to change the server for that current session?? Reboot and back to the old DC...
    When I use the Set-ExchangeServer cmdlet, I get domain controller can't be found. I have set the execution policy on the DC to unrestricted and still domain controller can't be found..
    New dc is a GC..
    Any ideas would be good.
    -graham

    First, the behavior observed for the cmdlet Set-ADServerSettings is normal. The values for the domain controllers designated are "per session". For example:
    The PreferredServer parameter specifies the FQDN of the domain controller to be used for this session.
    http://technet.microsoft.com/en-us/library/dd298063(v=exchg.150).aspx
    +++
    What parameters, exactly, did you use for Set-ExchangeServer? What was the entire command?
    If the domain controller(s) were found for "Set-ADServerSettings" and... if Exchange is functioning OK in general, the domain controllers should be accessible.
    +++
    Are you in a position where you could shut down the older server (during off hours for example) and see if Exchange can find - and use - the newer DC?
    Will you only have one DC after decommission of the old one?

  • AD account logging to a remote domain controller for authentication

    Hi,
    I have a weird issue with an AD account using a different logonserver when authenticating to AD. A domain admin account uses the local site domain controller but another account is using a remote domain controller as logonserver. I'm using both accounts to log on to the same server (CRM 2011). But when I issue the command "set l" from the command line, they show different logonserver values.
    My issue is the crm account is pointing to a remote domain controller (Windows 2012 R2), which I don't want; it should use the local site domain controller (Windows 2008 R2). The reason is that the CRM server is on a test network (isolated) and when we test an upgrade of a CRM addon product called Experlogix, the upgrade requires authentication by AD but it fails, and I think the logonserver is the issue. When the crm account is used on the test server it points not to the local site domain controller but to the remote DC, which is not in the test server.
    Thanks for your help!!!
    AA

    Start by checking that your sites and subnets are well configured.
    Use dssite.msc and make sure that:
    You have AD sites that represent your physical sites
    All the subnets in use are created and moved to the correct AD site
    Your DCs belong to the correct AD site
    You can read more about the DC Locator process here: http://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx
    Ahmed MALEK
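The site and subnet check in the reply above, and the "nearest domain controller" behaviour mentioned in the first thread, both depend on how a client's IP address maps to the subnet objects in Sites and Services. The PowerShell below is an added example, not code from any poster; the function names, site names and subnets are constructed for illustration.

```powershell
# Added example: resolve an IPv4 address to an AD site the way the subnet
# objects in Sites and Services define it (most specific subnet wins).
# Function names, site names and sample subnets are constructed.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    # [long] arithmetic so addresses above 2^31 do not overflow.
    ([long]($b[0]) * 16777216) + ([long]($b[1]) * 65536) + ([long]($b[2]) * 256) + [long]($b[3])
}

function Get-SiteForAddress {
    param(
        [Parameter(Mandatory)][string]$IPv4,
        # Objects with Name ('10.40.0.0/16') and Site, for example the output
        # of Get-ADReplicationSubnet -Filter * (ActiveDirectory module).
        [Parameter(Mandatory)][object[]]$Subnets
    )
    $addr = ConvertTo-IPv4Number $IPv4
    $best = $null
    foreach ($s in $Subnets) {
        $net, $prefix = $s.Name -split '/'
        if ($net -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # skip IPv6 subnets
        $block = [long][math]::Pow(2, 32 - [int]$prefix)             # addresses per subnet
        $base  = ConvertTo-IPv4Number $net
        $sameNetwork = ($addr - ($addr % $block)) -eq ($base - ($base % $block))
        if ($sameNetwork -and ((-not $best) -or ([int]$prefix -gt $best.Prefix))) {
            $best = [pscustomobject]@{ Subnet = $s.Name; Prefix = [int]$prefix; Site = $s.Site }
        }
    }
    $best   # $null when no subnet object covers the address
}

# Constructed sample: a catch-all /8 mapped to HQ plus two more specific subnets.
$sampleSubnets = @(
    [pscustomobject]@{ Name = '10.0.0.0/8';    Site = 'HQ-UK' }
    [pscustomobject]@{ Name = '10.40.0.0/16';  Site = 'Cloud-DE' }
    [pscustomobject]@{ Name = '10.40.17.0/24'; Site = 'Office-Paris' }
)

'10.40.17.25', '10.40.3.9', '10.99.1.1', '172.16.5.5' | ForEach-Object {
    $hit = Get-SiteForAddress -IPv4 $_ -Subnets $sampleSubnets
    [pscustomobject]@{
        Address = $_
        Subnet  = if ($hit) { $hit.Subnet } else { '(none)' }
        Site    = if ($hit) { $hit.Site }   else { '(no site: any DC may answer)' }
    }
}

# On a domain-joined machine, feed real data and compare with what the client
# actually located:
#   $subnets = Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
#   Get-SiteForAddress -IPv4 '<client IP>' -Subnets $subnets
#   nltest /dsgetsite          # site the client believes it is in
#   $env:LOGONSERVER           # DC that handled the interactive logon
```

In the constructed data, 10.99.1.1 is covered only by the catch-all /8 and so maps to HQ-UK, while 172.16.5.5 has no subnet object at all; both are the cases to look for when an account or office ends up on a remote DC.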

  • What's the best way to set up new imac for logic etc?

    In brief:
    Getting new imac (27", 3.4 i7, 8-16GB ram, 1TB HD). Will be using it mainly to run Logic Studio (loads of plugins) and Final Cut Express. I also have 2 external Hard drives one 500G one 1TB.
    The last imac I bought was my first and just went ahead and threw everything at it not really knowing where things should go. This time I want to set things up correctly.
    Basically, with what I've got, what is the best way to set things up. I.e where do I put logic files, samples, BFD2, Amplitube etc. Where do I put videos for use in FCE. Storing projects and backups for use with Time Machine.
    Also noticed the new imac will only have 1 firewire port. I will need to plug in the Hard drives (daisy chained), camera and RME Fireface 800. Was thinking of getting a Thunderbolt Hard drive but they are expensive and hard to find.
    Would really appreciate any help before I get the new machine and start messing things up again.
    Thanks.

    Adding to babowa, enable the system firewall in System Preferences>Security>Firewall tab. Click Advanced and check Stealth Mode.
    Lion is a pretty steady and secure operating system, and as there really aren't MANY Mac viruses, there ARE viruses out there still. OS X is pretty good about letting you know if you do accidentally download a virus, and it will help you throw it away if it detects one, such as the MACDefender virus. OS X has built in security features such as sandboxing that doesn't allow viruses in as easily as a Windows PC. As for hackers, as long as you have the firewall enabled and a secure password (for your computer and email accounts), then you should be fine.
    It's the user that lets the virus in, not the computer (unless there's some untold serious vulnerability in OS X, which is highly unlikely). Keep your apps up to date, don't download pirated software, and be street smart on the internet. Don't download things or visit websites that you don't think are real. Safari includes a Phishing feature that automatically detects known phishing sites, protecting you from that big problem. Keep your passwords secure and you should be fine.
    There are antivirus solutions out there, one notable one available in the AppStore is Intego's VirusBarrier (free and plus versions), if you feel you still need one.
    I wouldn't worry about it. Windows users who switch to Mac are always asking these questions.
    Here's some good reading as well
    http://www.apple.com/macosx/what-is/security.html
    Enjoy OS X Lion

  • Best way to set up iPad mini for child?

    So I bought my 3yr old an iPad Mini since he already knows how to fully operate most things on my iPhone! Now when I go to set it up, I don't want my music and apps and other content popping up on his iPad. Now can I create an Apple ID for him but set it up to where I can still have control over it? The guy in the store suggested I set it up using iCloud Family Sharing. When I got home and looked more into the family sharing option, I am not sure that is what I want either. That sounds like everybody in your family would have access to everything on the main device correct or am I wrong?
    So this is what I want. I want to be the one who can purchase apps or download free apps by typing in his Apple ID info (if possible). I want him to have his own favorite songs via iTunes. The only thing I would want to share is probably a Family photo album in iCloud.
    So what is the best way of setting this device up?
    Before he mentioned the iCloud Family Sharing option, the guy in the store suggested I leave the iCloud info blank when it asked for it but set up the iPad Mini as if it was my device. I think that just confused me even more.
    If I chose the Family Sharing option, can I select exactly what gets shared or no? If yes? Can apps be shared?
    Lastly if I set him up with his own Apple ID, and he wants a new song or some music or download a movie etc. will he need his own iTunes Library?
    Thanks for your help!

    I think that, if you read through these forums and familiarize yourself with the number of problems allowing children the ability to exercise and maintain control of an iDevice, and to purchase and download content, you'll change your mind.

  • Pricing for VM running WS 2012 E R2 primarily as domain controller for ~5 clients

    Hi
    I am starting a small medical clinic, with only about 6 client PCs.  However, I  would like a domain network structure for security purposes moving forward rather than a workgroup.
    I'm looking at either purchasing a modest server (i.e. HP ProLiant ML310) with Windows Server 2012 Essentials R2 and using it locally (total cost ~$1500) or using a Windows Azure virtual machine to run the domain controller over a VPN.  We already use Office 365 E3, so don't really need a local server for email, storage etc. I already have an old Synology NAS that could be used for disk images etc that we would lose out on with the hosted server solution.
    Can someone verify my calculations for the monthly cost estimate? I tried using the calculator: 1 small VM + 225 GB storage for the OS came to $65/month.
    Would I be able to run it on the small virtual machine or would I need to go up to medium just for the OS?  If the latter is the case it would definitely not be cost effective.
    Thanks for the help
    TM

    hi tdiddy,
    Thanks for posting!
    About VM and azure storage pricing , I suggest you could refer to this pricing details page and calculations fee:
    http://azure.microsoft.com/en-us/pricing/details/virtual-machines/
    http://azure.microsoft.com/en-us/pricing/details/storage/
    Also, for this billing question Please contact azure billing support team via
    http://www.windowsazure.com/en-us/support/contact/
    Hope it helps.
    Regards,
    Will

  • Best Practices for setting up InDesign Effects for offset printing.

    I'm new to the forum so I hope I'm posting my question in the correct place.  I'm a prepress supervisor for a company that receives most of its work as PDFs exported from InDesign.  I notice on more and more work (probably 75%) our customers are setting up their effects in InDesign.  We receive files exported from CS3 and CS4, mac and pc.  Our prepress system is Prinergy 4.1.  We have job options that we recommend customers use for PDF export directly out of the application and we are currently testing PDFX4.  The problem is we don't have consistent results with our ripped files, we often see artifacts around items that use certain effects (such as the bevel and emboss effect), many times the customer uses a drop shadow along with the bevel and emboss and we see "pixelation" or low-resolution "jagginess."   Files that use feathering often drop part of the feathered image and if black text is touching an effect it will process out to CMYK. If we have the InDesign file it sometimes works to change how the effect is applied (text, object, fill), sometimes we have to flatten on export or write a PDFX4.  If we are working with the customer's PDF we often have to flatten at the rip, save the PDF as a postscript file or request the native files to troubleshoot.  Are there guidelines to applying effects in InDesign?  We would like to try to document for our customers recommended processes for creating files.
    Thanks!

    Our strongest recommendation at Adobe for best PDF print publishing workflow results is to use the PDF/X-4 settings for exporting PDF from InDesign 6 and saving PDF from Adobe Illustrator 14. (The "draft PDF/X-4" support of InDesign 5 and Illustrator 13 was based on a draft version of the ISO PDF/X-4 specification that was significantly modified prior to final ISO standard ratification and publication!) PDF/X-4 provides for a reliable workflow in which live transparency and color management is carried in the PDF file itself; no "flattening" of transparency effects or color conversions occur until as late as possible in the print workflow, preferably at the RIP itself!
    PDF/X-4 is an excellent choice for PDF if you have a workflow which uses the Adobe PDF Print Engine technology in the RIP. In your case, Prinergy 4.1 does in fact provide Adobe PDF Print Engine technology. Make sure that (1) you enable the Adobe PDF Print Engine as opposed to CPSI and (2) you don't refine the pages as part of the Prinergy workflow (that process ruins your PDF by converting to PostScript and converting back to PDF - not something you want to do for a reliable PDF workflow with transparency and color management).
    Note that even if you do use PDF/X-4 and properly configure your PDF workflow system / RIP, it is still incumbent upon the designer to produce reasonable content. Just because "it looks good on the screen" (additive screen color) doesn't mean that it will reasonably translate to ink on substrate (subtractive printing color). Adobe does provide guidelines for use of transparency and color on its website for use by designers to guide them.
              - Dov

  • Replace WS2003 domain controller for WS2012 domain controller

    Hi, I think that is a common problem but I haven't found anything exactly like this, only something similar, but I have a lot of doubts yet.
    The thing is that I have a network with two domain controllers:
    WS2003     - 192.168.0.1, who is the first domain controller I created and is also a file sharing server
    WS2008R2 - 192.168.0.8, who is a  new domain controller I added one year ago.
    Now, I want to replace the first one, keeping the second one.
    I'm thinking of removing the first one and replacing it with a new machine (WS2012) with the same IP and name host. I need the same host because clients are pointing to it to get the shared files.
    My main fear is that clients get some error related with trust relationship and I will have to rejoin them one by one to the domain.
    As I have another domain controller, will the global catalog of the new machine be synchronized automatically with the WS2008R2 domain controller?
    Do I need to demote the old domain controller before add the new one?
    Thanks a lot

    Hi Tomas,
    As pointed out by Burakm, you should have an additional file server and should avoid using a Domain controller, which has privileged access, to share files. This puts you at a security risk.
    Regarding the requirement of old host name:
    Here is something that would let you keep a different servername and IP, yet allow your users to connect to the old hostname and access the share. Use CNAME records of old server to point it to the new hostname.
    How to Configure Windows Machine to Allow File Sharing with DNS Alias
    You might also look for Distributed File System Shares.
    http://blogs.technet.com/b/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
    NOTE- You can't run in-place upgrade of a 2003 to 2012 DC.
    Regards,
    Satyajit
