Business Objects XI 3.0 connecting to domains from different forest

Similar Messages

• Issuing certificates for user and clients from different forest/domain

  Hello,
  at first I would like to say that I have made some researches on this forum and in the Internet overall.
  I have AD Forest with ~10 sites all over the Europe, DFL and FFL is 2008 R2, right now we are migrating site by site from old domain (samba) to AD.
  Last time I have deployed PKI based on offline root CA and 2 Enterprise acting as 2-node Failover Cluster.
  Everything in my AD Forest is OK, I mean, autoenrollment works perfect for users and computers from my forest, 
  now I need to deploy a certificate (for test) to one web-based pbx server in samba domain, there are no trusts etc. Samba domain as well as AD Forest are working on the same network, with routeable subnets in each site, so there is no problem with connectivity,
  What are possible way to achieve this goal? I mean to issue cert to client from different forest, so that this client is able to validate it, validate certificate chain and renew it when needed?
  I have Installed and Configured CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of different domain), I selected username/password authentication, I am able to request certificate, I can
  see all templates which I should see, but when I try to enroll I got an error:
  (translated from my language)A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
  My root CA cert is added to trusted publishers for computer and user node as well.
  What could be wrong? If you have any ideas or questions, please share or ask. 
  Thank you in advance.

  Everything is clear, I have Certificate Enrollment Web Services installed and configured,
  problem is what i get from certutil - TCAInfo
  ================================================================
  CA Name: COMPANY-HATADCS002-ISSUING-CA
  Machine Name: COMPANYClustGenSvc
  DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
  Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
  CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
   NotAfter: 2019-02-14 12:44
  Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
  Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
    Enterprise Subordinate CA
  dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_NT_AUTH
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=HATADCS001-COMPANY-ROOT-CA
    NotBefore: 2014-02-14 12:34
    NotAfter: 2019-02-14 12:44
    Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    Serial: 618f3506000000000002
    Template: SubCA
    9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      CRL 02:
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      ThisUpdate: 2014-02-14 12:16
      NextUpdate: 2024-02-15 00:36
      d7bafb666702565cae940a389eaffef9c919f07a
    Issuance[0] = 1.2.3.4.1455.67.89.5 
  CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=HATADCS001-COMPANY-ROOT-CA
    NotBefore: 2014-02-14 11:55
    NotAfter: 2024-02-14 12:05
    Subject: CN=HATADCS001-COMPANY-ROOT-CA
    Serial: 18517ac8a4695aa74ec0c61b475426a8
    b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Issuance[0] = 1.2.3.4.1455.67.89.5 
  Exclude leaf cert:
    5b309c67a8b47c50966088a4d701c8526072c9ac
  Full chain:
    413b91896ba541d252fc9801437dcfbb21d37d91
    Issuer: CN=HATADCS001-COMPANY-ROOT-CA
    NotBefore: 2014-02-14 12:34
    NotAfter: 2019-02-14 12:44
    Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    Serial: 618f3506000000000002
    Template: SubCA
    9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
  A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
  Supported Certificate Templates:
  Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
  Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
  Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
  Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
  Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
  Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
  Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
  Validated Cert Types: 7
  ================================================================
  COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
    Enterprise Subordinate CA
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
    Online
  CertUtil: -TCAInfo command completed successfully.
  please put some light on it because it's driving me crazy :/
  Thanks in advance
  one remark: certutil -tcainfo performed on CA directly is 100% OK, no errors regarding 
  "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

• AD Migration from one domain to another domain between different Forest.

  Dear Team,
  We have a domain named "test.gov.in" .Now we want migrate all the users,computers,groups,GP ....etc in to our new domain "abc.net".Operating system of the source DC and destination Dc is same (Windows 2003 32 bit)..
  Pls provide me the steps to migrate one  domain to another domain between different forest
  Thanks
  Anurag

  Would agree with Christoffer and migrate using ADFS but before you can do this you will need to set up a trust between the two domains.  Once this has been accomplished then you can run ADMT.
  http://technet.microsoft.com/en-us/library/cc740018(v=WS.10).aspx
  Downloading ADMT is a free tool from Microsoft
  http://www.microsoft.com/en-us/download/details.aspx?id=8377
  ADMT Guide
  http://www.microsoft.com/en-us/download/details.aspx?id=19188
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.
  I think you mean ADMT and not ADFS :)
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Lync 2010 server and UM role on different domains in different forests

  Hello 
  I have a Lync 2010 environment running on domain A, with exchange 2010 UM also running in Domain A.  We are in the process of migrating users and mailboxes from domain A to domain B.  Once we reach our enterprise voice users with exchange UM enabled
  we will need to install the exchange UM role on the exchange server in Domain B.  
  There is a 2-way trust relationship between domain A and domain B.
  All the users from are running Lync on a PC located in Domain B, using Lync credentials from Domain A.
  Are there any issues running Lync 2010 and Exchange UM from different domains in different forests?  Is it as simple as creating a new UM DialPlan and UM IP Gateway to the domain A Lync FQDN?
  Thanks

  Hi,
  Each UM forest must be configured to trust the forest in which Lync Server is deployed, and the forest in which Lync Server 2013 is deployed must be configured to trust each UM forest. If Exchange UM is installed in multiple forests, the Exchange
  Server integration steps must be performed for each UM forest or you’ll have to specify the Lync Server domain.
  Here is a link about for UM of Lync server 2013 but similar for Lync server 2010:
  http://technet.microsoft.com/en-us/library/jj966276(v=exchg.150).aspx
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Business Objects XI 3.1 Connection to Oracle 10

  I am new to the world of Business Objects and In Universe Designer, when I try to create an Oracle OCI connection, I get the following error:
  CS:DBDriver failed to load : C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\dataAccess\ConnectionServer\dbd_oci.dll (The specified module could not be found).
  The path for windows environment variable is :
  C:\oracle\product\10.2.0\client_1\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\HP OpenView\bin;C:\Program Files\HP OpenView\bin\OpC;C:\Program Files\HP OpenView\bin\;C:\Program Files\HP OpenView\lib\
  Also, when I try to use cscheck on server to check connection, nothing happens - is there any setting I have to make to get this working.  I have used SQLPLUS to connect to the database successfully.
  Any help or pointers appreciated

  Hi Michelle,
  Please restart the connection server and try again. In case Oracle client was installed after installing BOE, restart of Connection server might be required. You can also verify if all the Orcale libraries are indeed inside the Oracle/bin. When you install Oracle instant clinet there will be no bin. the binaries will be present C:\oracle\product\10.2.0\client_1\. Please try these two option.
  Hope this helps
  Thanks
  -Anup-

• Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

  Hello everyone,
  I'm managing a multi-domain forest (with 7 sub-domain).  All are working fine except for one.  Throught repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed I got both domain controllers of a subdomain (there are only 2 DCs in that
  subdomain), who hadn't replicated with the rest of the forest for more than 60 days.
  According to my research, it's usually recommended to Depromote and repromote the problematic DC to avoid the issue of lingering objects.  In this case, it's both DC of a sub-domain.  Of course, on the others DCs in the forest, I got the event
  ID 2012 "it has been too long since this machine last replicated with the named source machine....". 
   HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
  to a value of 1. 
  As I understand it, this may cause lingering objects to appear (they can be removed with repadmin /removelingeringobjects command with the DSA GUID, naming context, etc..).  So far, I haven't used that registry key yet because of the associated risks.
  I didn't noticed any other issue so far.  Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the others DCs in the forests. (at least, I'm not getting any error in the A.D. Sites
  and Services)
  I added two new DCs for the affected sub-domains, so the number of DCs for that domain went from 2 to 4 DCs.  The two old DCs that hadn't replicated for 60 days are windows Server 2003 and the two new DCs are Server 2008 R2. 
  Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain.  By that, I mean that I
  cannot add an Active Directory Domain Services Connection in Sites & Services console (from a DC in another domain of the forest or even the root domain).  I see all the DCs, including the two old DCs that are server 2003, but not the new ones. 
  I believe it's because the others DCs doesn't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
  I was wondering what is the best course of action. Is it worthwhilte to use the registry key force replication with the old DCs ?  (and hopefully, the new DCs will get their AD Services connection/replication vector created, so I can depromote
  the old DCs.
  Since the Old DCs from the problematic sub-domain seems to be able to pull the replication from the rest of the forest, does the risk of Lingering object isn't that great ?
  Or is it too risky and I must create a new sub-domain and migrate one way or another the users ? (which would be time-consuming)
  Thanks in advance,
  Adam

  Thanks for the reply.  One of the link had another link to a good article about the use of repadmin :
  So, I ran the command "repadmin /removinglingerobjects " on one of the problematic DCs ().
  For clarity purpose, let's say I used the domain :
  domain = main domain
  subdomain = the domain whose DC are problematic (all of them).
  AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
  Command (the DSA guid is from a DC "clean" in another domain)
  repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
  I got the following message in the event viewer :
  Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
  Source domain controller:
  c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
  Number of objects examined and verified:
  0
  Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
  advisory mode option.
  How should I interpret the message "number of objects examined and verified 0".  Does it mean it just didn't find any object to compare ? (which would be odd IMHO)  Or there is another problem ?
  Thanks in advance,
  Adam

• Separating a child domain from a forest/parent domain

  Our infrastructure is currently as follows:
  There are two domains which I will call "apple.local" and "banana.local". The domain "apple.local" is the parent/forest which is at a Windows 2003 Functional Level. The domain "banana.local" is a child domain of "apple.local"
  which is at a Windows 2008 Functional Level. This unusual arrangement was the result of a merger.
  Recent business changes have meant that the domain "banana.local" needs to become the forest and "apple.local" needs to be permanently retired. I have been searching as to whether this is possible but the general consensus is "no".
  However, many of the discussions are several years old and I am interested in whether anything has changed with recent updates.
  As an added "bonus", a single Exchange 2010 SP3 server is present and - just to complicate things further - is a member of the child domain "banana.local". Mailboxes (shared and user) and DGs from both domains are present. Access to shared
  mailboxes is granted using a mixture of users and security groups from both domains.
  Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
  I am in a position to purchase new servers, software and licenses as required to meet the ultimate goal and - within reason - additional expenditure is not an obstacle. We also have the option to create new IP ranges if required.
  Any ideas and/or suggestions welcomed!

  Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
  It is not possible to detach a child domain from its parent. One of the things you can do is to create your domain and establish trusts between them and migrate resources from old domain to the new domain. Note that computer account migration will take some
  time. For exchange part you can ask in Exchange forums but the one thing you can do is to Cross-Forest mailbox move after you set up the new forest.
  Exchange 2010 Cross-Forest Mailbox Moves
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Error when connecting to MDM from different lan

  Hi,
  I got "Image Server Login Error" when connecting with client to server from different LAN, server is up, and i can connect to it when i in the same LAN. Ports 20003, 20004, 20005 for MDM server discovering and repository port 2345 is accessible through router. Running SP2 5.5.24.06.
  Rem: it's not a port problem, when port 2345 is closed i got "WinSock error on connect"
  PS: When I used MDM SP1 i connected to him properly in the same case.

  Hi Dmitry,
  If your repository is set to port 2345, then 4 subsequent ports should be openned also, i.e. 2346-2349.
  Regards, Lev

• Integration of ACS with two different Domain in different forest

  Hi
  We have two Domain Controllers in two different forests. One forest is X.IN and other is Y. In X.IN forest we have a tree called PPP.IN.
  Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
  Thanks
  Ritesh

  It is possible in ACS 4.2 to do machine and user authentication over cross forest trusts. See Resolved Caveats here:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
  HTH
  Jeremy

• Business Objects Dashboard and Webi Connectivity

  Hi All,
  I am on BI 4.0 Sp6 and would like to create a BO Dashboard based on Webi Instance. What is the best approach to do the same.
  1. I want the BO Dashboard data to be visible on Ipad ( hence no data source connections)
  2. In case of live office , how does the refresh mechanism work
  3. Does add on tools like XWIS help in mitigating the issue
  Would like to hear best practices around the same.
  Thanks
  Vijay

  Hi Vijay,
  I am on BI 4.0 Sp6 and would like to create a BO Dashboard based on Webi Instance. What is the best approach to do the same.
  If you are using LO connection, then its not mobile supported connections & struggled a lot to make it stabilize. but still its a good connection to view the data in dashboard design time.
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b02e31fb-3568-2e10-e78f-92412c3c0a96?quicklink=index&…
  Take look at the below links for the up's & down for BIWS Connection.
  Xcelsius and Business Intelligence Web Services (BIWS)
  Xcelsius and Business Intelligence Web Services (BIWS)- Part 2
  http://everythingxcelsius.com/topics/web-intelligence
  How to create Xcelsius Dashboard based of BI Web Service ( BIWS )
  I want the BO Dashboard data to be visible on Ipad ( hence no data source connections)
  If you are looking for a connection which is specific to mobile supported, then look into the below links.
  You can get all aspect of information which is necessary to create a dashboard.
  How to Configure and Access Dashboards from IPad
  Dashboards currently support only data manager connections defined using Query Browser as Live Data connections and QaaWS and Flash variable connections support is planned in BI 4.1
  In case of live office , how does the refresh mechanism work
  Refresh can be done webi side by scheduling the report in repository or you can keep a refresh button in dashboard to refresh the data. I hope automatic refresh is not possible here.
  Does add on tools like XWIS help in mitigating the issue
  I have no idea regarding this,
  Hope this helps.

• Business objects universe designer remote connectivity

  Hi,
  I am trying to access BO universe designer remotely. The ports 8080 and 6400 have been opened on the BO server remotely.
  I am able to acess infoView and CMC  on port 8080, however while accessing universe desinger on port 6400 using the system as <server>:6400 , username, password and authentication as Enterprise.
  I get the error "Canot access repository (USR0013). [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Transport error: Communication failure.(FWM 00001)
  (hr=#0x80042a01)"
  Please respond if you've faced similar problem and the resolution.
  Thanks in advance.
  Raman

  1. you tray to connect with host name then try IP  if not solved.
  2. you should  open some or all ports of bottom:
  AA Alert & Notification Server 4601
  AA Analytics Server 4602
  AA Dashboard Server 4603
  AA Individual Profiler Server 4604
  AA Metric Aggregation Server 4605
  AA Predictive Analytic Server 4606
  AA Repository Management Server 4607
  AA Set Analyzer Server 4608
  AA Statistical Process Server 4609
  Connection Server 4610
  Crystal Reports Cache Server 4611
  Crystal Reports Job Server 4612
  Crystal Reports Page Server 4613
  Desktop Intelligence Cache Server 4614
  Desktop Intelligence Job Server 4615
  Desktop Intelligence Report Server 4616
  Destination Job Server 4617
  Event Server 4618
  Input File Repository Server 4619
  List of Values Job Server 4620
  Output File Repository Server 4621
  Program Job Server 4622
  Report Application Server 4623
  Web Intelligence Job Server 4624
  Web Intelligence Report Server 4625
  we tryed thees and its ok.
  regards.

• Intermittent connection to domain from remote site.. What is the recommended solution?

  Hello,
  I used to have a separated branch office with its own application/db standalone server, and about 15 users locally configured on that server...
  Recently we implemented a Microwave connection (25 Mbps) between the main and branch office, joined the server of the  branch office as a member server of the main office domain and add users' accounts to the domain. So now remote users have there logon
  and credentials from the DC in the main office but still work on there application/db member server located on the branch office.
  The problem in this design is that when the connection occasionally goes down, users can't work on their application although there server is located on their same LAN, because they can't gain the necessary credentials from the DC/GC on the main site!!!
  Would you please suggest any solution for this problem... do I have to make a local DC in the branch office, or create Child domain, or what?
  PS.. I'm working on Windows 2003 domain
  Thank you all

  Greetings!
  If you are not running low on budget and bandwidth is not a concern, consider implementing an additional domain controller in your branch office and make it as global catalog.
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• CONNECT BY - Start from different levels

  Hello again,
  It's me again with a hierarchical query on which I'm stuck...
  I think, the easiest way to understand my issue is to get an example:
  DROP TABLE my_organisations;
  CREATE TABLE my_organisations
    org_id NUMBER(10),
    org_name VARCHAR2(100),
    parent_org_id NUMBER(10),
    is_modified NUMBER(1)
  INSERT INTO my_organisations VALUES(1, 'Top organisation', null, 0);
  -- first department
  INSERT INTO my_organisations VALUES(362, 'HR', 1, 0);
  INSERT INTO my_organisations VALUES(11, 'Recruitment', 362, 0);
  INSERT INTO my_organisations VALUES(119, 'Local Recruiment', 11, 1);
  INSERT INTO my_organisations VALUES(192, 'Remote recruitment', 11, 0);
  -- second department
  INSERT INTO my_organisations VALUES(1000, 'SALES', 1, 0);
  INSERT INTO my_organisations VALUES(1101, 'Local Sales', 1000, 0);
  INSERT INTO my_organisations VALUES(1102, 'Remote Sales', 1000, 0);
  INSERT INTO my_organisations VALUES(9452, 'Brazilian Sales', 1102, 1);
  INSERT INTO my_organisations VALUES(9992, 'Mexican Sales', 1102, 1);
  INSERT INTO my_organisations VALUES(9110, 'Japanese Sales', 1102, 0);
  INSERT INTO my_organisations VALUES(1103, 'Lost', 11, 0);
  -- thirst department
  INSERT INTO my_organisations VALUES(333, 'IT', 1, 0);
  INSERT INTO my_organisations VALUES(444, 'Helpdesk', 333, 0);
  INSERT INTO my_organisations VALUES(555, 'Hardware', 444, 0);
  INSERT INTO my_organisations VALUES(666, 'Software', 444, 0);
  INSERT INTO my_organisations VALUES(777, 'Microsoft', 666, 0);
  INSERT INTO my_organisations VALUES(778, 'Linux', 666, 0);
  INSERT INTO my_organisations VALUES(788, 'MAC OS', 666, 0);
  INSERT INTO my_organisations VALUES(888, 'Windows', 777, 0);
  INSERT INTO my_organisations VALUES(999, 'XP', 888, 1);
  INSERT INTO my_organisations VALUES(1111, 'MAC', 555, 0);
  COMMIT;I have a hierarchical structure store in the my_organisations table. The parent child relation is made using parent_org_id. As you can see in my table definition, I have a flag is modified. That flag can be set at any level in the hierarchy.
  I would like to have a statement that returns all the modified organisations with all their hierarchy (ascendants and descendants). Is this possible without having to write PL/SQL procedure?
  I have no idea how to start. If I have a SELECT ... CONNECT BY... START WITH is_modified = 1, I only have the modified nodes and then I can get ascending nodes. But I have no idea how I can get the whole hierarchy of a node...
  Can anyone help ?? (Im using 10g)
  Thanks,

  Hi,
  Stew Ashton wrote:
  Adding a few details to Frank's idea, just to get things sorted reasonably:To really get things sorted correctly, I think you'll have to do yet another CONNECT BY, on the result set of the UNION:
  WITH     universe     AS
       SELECT     *          -- Get modified nodes and descendants 
       FROM     my_organisations
       START WITH     is_modified     = 1
       CONNECT BY     parent_org_id     = PRIOR org_id
               UNION
       SELECT     *          -- Get ancestors of modified nodes
       FROM     my_organisations
       START WITH     is_modified     = 1
       CONNECT BY     PRIOR parent_org_id     = org_id
  SELECT     org_id
  ,     LPAD ( ' '
            , 2 * (LEVEL - 1)
            ) || org_name     AS org_name
  ,     parent_org_id
  ,     is_modified
  ,     LEVEL
  FROM     universe
  START WITH     parent_org_id     IS NULL
  CONNECT BY     parent_org_id     = PRIOR org_id
  ;Output:
  ORG_ID ORG_NAME                  PARENT_ORG_ID IS_MODIFIED LEVEL
       1 Top organisation                                  0     1
     333   IT                                  1           0     2
     444     Helpdesk                        333           0     3
     666       Software                      444           0     4
     777         Microsoft                   666           0     5
     888           Windows                   777           0     6
     999             XP                      888           1     7
     362   HR                                  1           0     2
      11     Recruitment                     362           0     3
     119       Local Recruiment               11           1     4
    1000   SALES                               1           0     2
    1102     Remote Sales                   1000           0     3
    9452       Brazilian Sales              1102           1     4
    9992       Mexican Sales                1102           1     4

• Migrate Users from a child domain to a root domain in different forest

  Hello,
  it supported to migrate users from child source doman to target root domain?
  I established a trust, but i don't see child domain at ADMT installed on target domain DC. Source root domain is visible

  You should not be needed to establish a trust as all domains within the same forest already trust each other - are you sure those domains belong to the same forest? You can find out using the following command:
  nltest /DOMAIN_TRUSTS
  If ADMT dosen't show a partiuclar domain in the dropdown list, you can/have to type the domain name manually.
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Connect Business Objects to SAS Data Set?

  Has anyone ever been able to use a SAS data set as a data source for Business Objects?

  I've connected to a SAS datastore in Business Objects Data Services, and it's straightforward.
  What you need is to set SAS up as an ODBC server.
  This can be done in 2 ways:
  - Using the SAS/SHARE product on any server that is accessible from BOBJ. This is quite pricey, so maybe you should only consider this if you have a SAS/SHARE license already, or your project can pay for it.
  - Using an ordinary running SAS session on the same server.
  You also need to install an ODBC driver on your BOBJ server, in order to access your SAS ODBC server.
  You can read about SAS ODBC on SAS Institutes website. Start here:
  http://support.sas.com/documentation/cdl/en/odbcdref/63284/HTML/default/viewer.htm#p0pqrmjmkckqugn1099ywy9o8myj.htm