Child domain loss Exchange server permission

One of my child domains is missing the Exchange role security permission. Does anyone know how to restore it? Please give me advice, thanks a lot.

Hi waiyeung,
Thank you for your question.
We could use ADSIEdit.msc on the child domain controller to check whether the missing permission exists:
- Run ADSIEdit.msc from Run
- Navigate to Default naming context [domain.com] > Microsoft Exchange Security Groups
If the missing permission exists, we could check the sync between the child Domain Controller and the Exchange server.
If the missing permission does not exist, we could follow Andy's suggestion to update the domain schema.
If there are any questions regarding this issue, please feel free to let me know.
Best Regards,
Jim

Similar Messages

  • How to add domain in Exchange Server

    I have installed Exchange Server and it is working fine. I am able to create multiple email accounts/mailboxes for the default domain, but
    I have 5 domains and I want multiple email accounts/mailboxes on each domain.
    I have also added the domain, but that domain is not visible in the mailbox creation option. Please, can anyone tell me how I can add multiple domains to create email accounts/mailboxes?
    For example:
    "[email protected]","[email protected]","[email protected]","[email protected]","[email protected]"

    What policies should I add, and how can I create MX and SPF records for a domain?
    Email Address Policies
    Email Fundamentals: What is an MX Record?
    Sender ID Framework SPF Record Wizard

  • Enable new Child Domain in Lync Server 2013

    Hello All,
    We are running Lync Server 2013 in the root domain test.local. A number of child domains are enabled for the Lync service, e.g. abc.test.local, xyz.test.local, etc. Now I have a requirement to create a new child domain and enable it for the Lync service.
    So I created a new child domain (site1.test.local), then from the Lync shell I ran the command below to enable it:
    Enable-CsAdDomain -Domain site1.test.local -Report c:\users\lyncadmin\Report1.html
    Then I added the new SIP domain in Topology Builder under SIP domain and Simple URLs, and published the topology.
    In AD all users are created in an OU, so I ran the command below to give privileges on the OU:
    Grant-CsOUPermission -Domain site1.test.local -ObjectType "User" -OU "OU=SITEUsers,DC=Site1,DC=TEST,DC=LOCAL"
    After all the steps, when I try to log in as the new users, they cannot log in. The Lync client logs give the error below:
    4005;reason="Destination URI either not enabled for SIP or does not exist";source="LYNCFE13-02.TEST.LOCAL"
    Please help to solve this issue.

    I can see my child domain accounts in the Lync control panel (enable user section) and all accounts are enabled. If I run the command below, it shows Result = Failure. But my other accounts are working.
    PS C:\Users\administrator> Test-CSRegistration -UserSipAddress [email protected] -TargetFQDN xxxx.xxxx.local
    Target Fqdn   : xxx.xxx.local
    Result        : Failure
    Latency       : 00:00:00
    Error Message : 504, Server time-out
    Diagnosis     : ErrorCode=1045,Source=LYNCFE-00.xxxx.xxxx,Reason=Local edge server pool is out of service,port=5061,pool-size=2,pool=xxx-Edges.xxxx.local
                    Microsoft.Rtc.Signaling.DiagnosticHeader
    Other accounts give a SUCCESS message and run without any issue.

  • Lync 2013 Clients in Child Domain Log "The server returned HTTP status code '403 (0x193)' with text 'Forbidden'."

    Hey All, I am really stumped on this one. 
    Environment - Is using split DNS
    Forest Root Domain - Contains new Lync 2013 Server Standard, ADDS, DNS, Enterprise CA, Workstations
    Clients in this domain connect and work beautifully. No errors. 
    Child Domain - ADDS, DNS, Workstation, Lync 2013 client
    Client autodiscovers, and then asks for a password. Enter the password and this comes up...
    "Can't sign in to Lync, You didn't get signed in, It might be your sign-in address or logon credentials..  blah blah blah"
    Client log shows 
    Error:
    There was an error communicating with the endpoint at 'https://domainlync13srv.Domain.net/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '403 (0x193)' with text 'Forbidden'.
    The server understood the request, but cannot fulfill it.
    As far as I can tell, certificates are correctly configured with all the SANs possible in my forest. The user is correctly set up in the Lync control panel. Autodiscovery seems to be working as it should. EWS is working correctly.
    Repaired client, removed cached creds, has all Lync 2013 updates, no dice.
    Thank you all! 

    I am an IDIOT. 
    I did not prepare the child domain with the LYNC setup tool. Logged on to a file server in the child domain with domain admin rights and sure enough the setup said the domain was "partial". Ran the setup and bam it all started working. 

  • Manage Systems in other child domain through sccm server placed in another child domain.

    Hi,
    We have a single-forest, multiple-domain AD structure. There is full trust between the child domains.
    We have a requirement to manage systems in another child domain. The admin account is placed in one of the child domains, where the SCCM server is also installed.
    I tried placing an LDAP query for the other child domain in the AD System Discovery method, but it shows the attached error.
    Please help.

    Hi,
    Have you granted the admin account permissions to read computer accounts in the other child domain? Does the Primary Site server's computer account have permissions to read computer account information in the other child domain? Otherwise it will not work.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Prepping New Child Domain for Exchange so Users can use it

    I have a new Child Domain that needs a "prep" for Exchange 2010 User objects.  Instructions don't indicate on which DC this "prep" needs to be made.
    Anyone done this before?  Thank you!!
    Charlie

    Hi ,
    You can choose any one of the domain controllers in the child domain for preparing the domain.
    Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
    Reference link: http://technet.microsoft.com/en-us/library/bb125224(v=exchg.150).aspx
    On the above link, please refer to the topic "Let me choose which Active Directory domains I want to prepare".
    Thanks & Regards S.Nithyanandham

  • ContentSubmitters AD group: root domain or child domain???

    Hi
    We have an empty root domain.  Mailbox users & Exchange 2013 servers are in a child domain.
    As per Microsoft's documentation; we want to create the "ContentSubmitters" group in AD for content index to work properly (article 2807668).  However I do not know where to create it!!!  The article doesn't address it.
    Does it go on the root domain where default exchange groups reside OR OR OR OR OR does it go on child domain where exchange servers reside?????
    Thanks

    Hi,
    Agree with Riaz, you need to create the ContentSubmitters group on the domain that Exchange server is installed using Active Directory Users and Computer (ADUC).
    What's more, when you create the Active Directory security group called ContentSubmitters, follow the steps below to grant Administrators and NetworkService full access to the group.
    Right click the group -> Properties ->Security tab -> add those two groups -> give them full control to the group.
    Here is a thread for your reference.
    Exchange 2013 Content Catalog Index Failed All Databases
    http://social.technet.microsoft.com/Forums/exchange/en-US/fccf9dca-b865-4356-905b-33ac25dcc44d/exchange-2013-content-catalog-index-failed-all-databases?forum=exchangesvravailabilityandisasterrecovery
    Hope it helps.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Free Busy takes over 30 seconds to retrieve on Outlook 2010 using Exchange Server 2010

    We have a small 100 user domain running Exchange server 2010 and outlook 2010 clients.  The issue is that Retrieving Free/Busy takes over 30 seconds.  
    So someone who is trying to schedule a meeting has to wait minutes to see the free/busy time for many users. I have checked and all the users in question have published at least one month of free/busy time.
    It seems it would be much faster.  Anyone have this same experience and know of a way to speed it up?
    thanks in Advance
    David 

    Hi David,
    Does the issue happen in OWA? In Exchange 2010, the free/busy information is retrieved by using the Availability service (EWS URL). Generally, if a user wants to view free/busy information when creating a meeting, the HTTP Availability service request would be sent to the CAS server.
    Please check whether the usage in Exchange server is high when the slow free/busy information occurs. This reflect time would also be related to the network in your environment.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Installation of exchange server 2013

    Hi,
    Can we install ADDS, DNS, and Exchange Server 2013 on a single server? The OS is Windows Server 2012 R2 Standard Edition.
    If it is possible, are there any disadvantages that may disturb Exchange Server 2013 services?
    Thanks & regards,
    Anil.  

    It's not recommended for a wide variety of reasons in a production environment... Good to go if you just want to test something and are not worried about things...
    Configuring Exchange 2013 for Active Directory split permissions isn’t supported.
    The Exchange Trusted Subsystem universal security group (USG) is added to the Domain Admins group when Exchange is installed on a domain controller. When this occurs, all Exchange servers in the domain are granted domain administrator rights in that domain.
    Exchange Server and Active Directory are both resource-intensive applications. There are performance implications to be considered when both are running on the same computer.
    You must make sure that the domain controller Exchange 2013 is installed on is a global catalog server.
    Exchange services may not start correctly when the domain controller is also a global catalog server.
    System shutdown will take considerably longer if Exchange services aren’t stopped before shutting down or restarting the server.
    Demoting a domain controller to a member server isn’t supported.
    Running Exchange 2013 on a clustered node that is also an Active Directory domain controller isn’t supported.
    Refer:
    Installing Exchange on a domain controller is not recommended
    Blog |
    Get Your Exchange Powershell Tip of the Day from here
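
An audit for the privilege side effect listed in the answer above, as an added example that is not part of the original thread or Microsoft's documentation. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest; checking BUILTIN\Administrators in addition to the Domain Admins group named in the answer is an assumption made here, not something the thread states.

```powershell
# Added example: find privileged groups in any forest domain that contain
# "Exchange Trusted Subsystem" (ETS), directly or through nesting.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Exchange setup creates its universal security groups in the forest root domain.
$ets = Get-ADGroup -Filter 'Name -eq "Exchange Trusted Subsystem"' `
                   -Properties member -Server $forest.RootDomain
if (-not $ets) {
    throw "Exchange Trusted Subsystem not found in $($forest.RootDomain)"
}

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) matches every
# group that holds the given DN at any nesting depth.
$inChain = "(member:1.2.840.113556.1.4.1941:=$($ets.DistinguishedName))"

$findings = foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Server $name

    # Well-known SIDs: <domain SID>-512 is Domain Admins,
    # S-1-5-32-544 is BUILTIN\Administrators.
    $privileged = @{
        "$($domain.DomainSID.Value)-512" = 'Domain Admins'
        'S-1-5-32-544'                   = 'BUILTIN\Administrators'
    }

    $groups = Get-ADGroup -LDAPFilter $inChain -Server $domain.PDCEmulator
    foreach ($group in $groups) {
        $sid = $group.SID.Value
        if ($privileged.ContainsKey($sid)) {
            [pscustomobject]@{
                Domain          = $domain.DNSRoot
                PrivilegedGroup = $privileged[$sid]
                GroupDN         = $group.DistinguishedName
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Exchange Trusted Subsystem holds administrative rights in:'
    $findings | Format-Table -AutoSize

    # Every member of ETS (normally the Exchange server computer accounts)
    # inherits those rights, so list them as the affected principals.
    Write-Output 'Members of Exchange Trusted Subsystem:'
    $ets.member | Sort-Object
} else {
    Write-Output 'Exchange Trusted Subsystem is not in a privileged group in any domain.'
}
```

The in-chain match is evaluated by the domain controller that is queried, so a nesting path that runs through groups of another domain may not be resolved; a clean result is strongest when each domain's intermediate groups are local to it.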

  • Windows Exchange Server 2010

    After installation of Windows 2010 server.
    can any one tell me...what are the next steps to work with Exchange Server 2010 ?
    [email protected]

    Hello friend,
    First of all, there is no version of Windows Server named "windows 2010 server"!!!!!
    To install Exchange Server 2010, you can either install Windows Server 2008 Standard/Enterprise SP2 or Windows Server 2008 Standard/Enterprise R2 (actually it's better to install the w2k8 Standard/Enterprise R2 release to make the installation of Exchange Server 2010 easier). The server on which Exchange will be installed should be part of a domain because Exchange Server works along with Active Directory.
    Here are the steps to follow for a successful exchange server 2010 installation:
    Hardware requirements
    -x64 architecture (Intel or AMD64)
    -Quad core processor (minimum)
    -8 GB RAM (minimum) if you want to combine the roles on one server
    -2 GB HDD minimum
    Software requirements
    -w2k8 enterprise/standard R2 or w2k8 enterprise/standard service pack 2
    -exchange server 2010 software
    *Prerequisites for server 2008 standard/enterprise SP2
    -Install the Microsoft.NET framework 3.5 SP1
    -Install the .NET Framework 3.5 Family Update
    -Install Windows Remote Management 2.0
    -Install Powershell v2
    -On Hub Transport & Mail Box servers install the Microsoft Filter Pack
    -On Unified messaging server install server manager desktop experience
    *Prerequisites for server 2008 standard/enterprise R2
    -Install the Microsoft Filter Pack on Hub Transport and Mail Box server
    -From PowerShell, type "Import-Module ServerManager"
    -Use the Add-WindowsFeature cmdlet to type:
        Add-WindowsFeature NET-Framework, RSAT-ADDS, Web-Server, Web-Basic-Auth,
        Web-Windows-Auth, Web-Metabase, Web-Net-Ext, Web-Lgcy-Mgmt-Console, WAS-Process-Model,
        RSAT-Web-Server, Web-ISAPI-Ext, Web-Digest-Auth, Web-Dyn-Compression, NET-HTTP-Activation,
        RPC-Over-HTTP-Proxy, Desktop-Experience -Restart
    Note: If you are not using the Unified Messaging role you can remove Desktop Experience
    After restarting, configure the TCP Port service to start automatically using: "Set-Service NetTcpPortSharing -StartupType Automatic".
    Put the user account from which you performed the installation in the "Organization Management" group

  • AD User Cannot reset their password on Child Domain

    I have Windows Server 2008 R2, which is my parent domain, and a child domain on Windows Server 2003. All my users on the child domain are stuck on resetting their password, and the following error message appears:
    "The password does not meet the password policy requirements"
    Although I have not applied any password policy, I don't know why this error message is appearing.
    Please help...

    Hi,
    In addition to the above information, you can check the resultant password policy settings applied for an AD user account by following the below steps,
    - Login to a client machine as AD user
    - Go to Start -> Run -> Type RSOP.msc.
    - In the RSOP console, navigate to the node Computer Configuration\ Windows Settings\ Security Settings\ Account Policies\ Password Policy.
    - In Password Policy page, you can confirm, what is the current password settings applied to that AD user.
    - Now based on the password policy settings you can try to change the password.
    Regards,
    Gopi
    JiJi Technologies

  • Exchange Server Affected by SSL Certificate Organization Name Change

    We recently underwent a name change of our company. We added a few new domain names for the new company to our Exchange Server 2007 and updated our address policy to include them, and everything seemed to work okay for a while. We subsequently reissued the SSL certificate for our Exchange Server under the new organization name (per the CA's recommendation). Shortly thereafter we experienced all sorts of issues necessitating a rebuild of our Exchange Server. Is there any dependency between the organization name in an SSL certificate and the organization name that Exchange Server stores its info under in Active Directory (which still had the old name) that would cause Exchange to go haywire?

    Hi,
    Please confirm you were creating a new domain in your AD or creating an accepted domain in Exchange server.
    If you directly create an accepted domain in Exchange, the new domain would be considered authoritative when the Exchange organization hosts mailboxes for recipients in this SMTP domain. We don't need to create a new Exchange certificate for this new accepted domain because the SRV records can be used to connect to the Autodiscover service. And the Exchange services URLs are not changed and they can still be authenticated by the original certificate (mail.domain.com, autodiscover.domain.com).
    Certainly, we can reissue a new Exchange certificate, please make sure the new Exchange certificate has included all needed namespaces for your Exchange server such as:
    Mail.domain.com, autodiscover.domain.com, autodiscover.newdomain.com
    We can also run Get-ExchangeCertificate | fl to check it.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Exchange 2013 sp1 smtp NTLM auth for child domain users

    I have an Exchange organization with Exchange 2007 SP3 & Exchange 2013 SP1.
    All users are on the Exchange 2013 server (mail flow is through the Exchange 2013 server).
    I have a single forest, 2 sites (site1, site2), root domain root.local and 1 child domain ch.root.local.
    The DC for the child domain is located in site2 (dc.ch.root.local).
    A multirole Exchange 2013 server is installed in the root domain.
    I am trying to configure an SMTP receive connector with NTLM auth and have one problem.
    When a user in the child domain tries to send email through this receive connector, I see in the log:
    <,AUTH NTLM,
    >,334 <authentication response>,
    *,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
    *,CH\user1,authenticated
    *,,Setting up client proxy session failed with error: 535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user
    *,,"Setting up client proxy session failed with error: 451 4.4.0 Primary target IP address responded with: ""535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.15:465"
    But authentication is successful for users from the root domain.
    Why could this be?
    Thanks.

    thanks for link
    at smtp receive logs (Hub transport role) i've found the  next:
    Client Proxy EXMAIL2013,08D134DAF6CE1C51,49,192.168.1.15:465,
    *,NT AUTHORITY\SYSTEM,authenticated
    >,235 <authentication response>,
    <,XPROXY SID=08D130D354F520D1 IP=192.168.1.21 PORT=57085 DOMAIN=[192.168.1.21] CAPABILITIES=0 SECID=Uy0xxx...
    *,,Error while looking up SamAccountName chuser: The user name or password is incorrect.\r\n
    *,None,Set Session Permissions
    >,250 XProxy accepted but user identity could not be obtained,

  • More than one Exchange server on a domain @ different locations

    Hello, I'm looking for advice, best practices, on setting up a backup Exchange server. I currently have one Exchange 2010 server that everyone connects to. We have about 30 users spread out between 8 locations. We have a mix of bandwidth capabilities. A couple of us have fiber, we have a couple of sites with T1s, and the rest have business class cable or DSL. All the sites are connected by IPsec tunnels. We're all part of a single domain and some of the sites have local domain controllers.
    What I would like to do is add a second Exchange server, at a different site, so that if something happens to the primary server like a fire, power loss, comet :) the other server could take its place and users could get their email without noticing much of a difference. Or maybe having them both up at the same time and assigning some users to one server and the balance to the other, and if one went down everyone would still be able to use the server that is working. Any ideas?
    If it matters I do have Exchange 2013 licenses. I haven't upgraded yet, but it's on the to-do list.

    Hi Profector,
    Great information from Ed.
    DAG is a great method to configure a DR site for backup.
    I find an article on "Database Availability Group Design Examples" for your reference:
    http://technet.microsoft.com/en-us/library/dd979781(v=exchg.141).aspx
    Thanks
    Mavis Huang
    TechNet Community Support

  • Exchange 2010 unable to find objects in child domain via ESM

    I am having a problem on Exchange 2010 which relates to mailboxes whose AD account is in a child domain in the AD forest.
    We have two domains A & B in the forest. The site which hosts E2010 only has DCs from domain A (root domain). These DCs are set as Global Catalogues.
    All Exchange servers (2 x CAS & 2 x Mailbox) installed in Domain A (primary site) can resolve domain B, and performing nslookups for domain B on these servers displays the DCs installed in domain B at remote sites.
    I am migrating some resource mailboxes with AD accounts in domain B and need to set them up as room mailboxes to enable the auto accept bookings feature.
    After migrating the mailboxes via the EMS to set the mailbox as a room, below is the error I get:
    [PS] C:\Windows\system32>set-mailbox mtgrm1@domainB -Type Room
    The operation couldn't be performed because object 'mtgrm1@ domainB' couldn't be found on 'DC01.domainA.com'.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-Mailbox], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 9E6F6A1,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
    I have also tried using only the alias and the object CN:
    set-mailbox mtgrm1 -Type Room
    set-mailbox -identity 'domainB/Sitename/ Users/MSX Resource Accounts/Conf MtgRm1 (Video)' -Type Room
    but get the same error.
    All employee mailboxes from Domain B have been migrated to Exchange 2010 from 2003 and are working with no problems.
    I have confirmed domain B has been prepared for E2010 - In the Microsoft Exchange System Objects container in AD there is the global group Exchange Install Domain Servers.
    Event ID 2080
    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1864). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
     (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    dc02.domainA.COM    CDG 1 7 7 1 0 1 1 7 1
    DC01.domainA.com    CDG 1 7 7 1 0 1 1 7 1
    Out-of-site:
    DC03.domainA.COM    CDG 1 0 0 1 0 0 0 0 0
    dc04.domainA.COM    CDG 1 0 0 1 0 0 0 0 0
    Please note the Out of site DCs are for our Exchange failover site which is currently down due to the storms on the East Coast.
    Does Exchange 2010 require a local DC for the second domain installed in the sites which host Exchange? If not, any advice on what else I can look at will be appreciated.
    Thanks.

    Hi there,
    If the questions is answered, please mark it accordingly. Thanks. 
    Fiona Liao
    TechNet Community Support
