Child Domain Lync Installation

Run Enable-CsAdForest on the root domain server. Any idea how to do Enable-CsAdForest without installing the Lync deployment tools on the root server?
Check that the universal security group is added on the root domain.
Check shows the child domain didn't replicate the universal security group.
Run Enable-CsAdDomain -Domain chil.domain.com to enable child domain users to use Lync.
Any advice? How long does it take to replicate the universal security group?
I will install Lync Server into the child domain and federate with Office 365.
Thanks.

Hi,
Did you prepare schema successfully without issue?
You need to prepare the forest on a computer which is joined to a domain, as a member of the Enterprise Admins group for the forest root domain. You need to prepare the forest with the Lync Server Deployment Wizard or the Lync Server Management Shell cmdlets directly. So you need to install the Lync deployment tools on one of the root servers.
You are right, you must verify that global settings have been replicated before running domain preparation.
Please also log in to the child domain using an account which is a member of the Enterprise Admins group, then check if the replication happens or not.
Best Regards,
Eason Huang
TechNet Community Support
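
The check-before-prepare sequence from this thread (and the "partial" domain state behind the 403 error in a later thread on this page), written out as an added example that is not from the original posts. The child domain name is a placeholder, the three RTCUniversal groups are used as a sample of what forest preparation creates, and the script assumes both the Lync Server Management Shell and the RSAT ActiveDirectory module are available to an account with the rights described above.

```powershell
# Added example, not code from the thread. Placeholder values are marked.
Import-Module Lync              # Lync Server Management Shell cmdlets
Import-Module ActiveDirectory   # RSAT Active Directory module

$ChildDomain  = 'child.example.com'   # placeholder: FQDN of the child domain
$MarkerGroups = 'RTCUniversalServerAdmins',
                'RTCUniversalUserAdmins',
                'RTCUniversalReadOnlyAdmins'   # subset of the groups forest prep creates

# 1. Forest preparation must report READY before any domain is prepared.
$forestState = "$(Get-CsAdForest)"
if ($forestState -ne 'LC_FORESTSETTINGS_STATE_READY') {
    throw "Forest preparation is not complete (state: $forestState)."
}

# 2. Universal groups are visible through the global catalog. Ask every GC
#    in the child domain whether it already holds the marker groups.
$gcs = @(Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true' -Server $ChildDomain)
if ($gcs.Count -eq 0) {
    throw "No global catalog found in $ChildDomain; replication cannot be verified."
}

$missing = foreach ($gc in $gcs) {
    foreach ($name in $MarkerGroups) {
        # Port 3268 targets the global catalog rather than the domain partition.
        $group = Get-ADGroup -Filter "Name -eq '$name'" -Server "$($gc.HostName):3268"
        if (-not $group) {
            [pscustomobject]@{ GlobalCatalog = $gc.HostName; MissingGroup = $name }
        }
    }
}

if ($missing) {
    $missing | Format-Table -AutoSize
    throw 'Universal groups have not replicated to every child-domain GC yet; rerun later.'
}

# 3. Prepare the child domain only if it is not already READY, then re-check.
$domainState = "$(Get-CsAdDomain -Domain $ChildDomain)"
if ($domainState -ne 'LC_DOMAINSETTINGS_STATE_READY') {
    Write-Host "Domain state is $domainState; running domain preparation."
    Enable-CsAdDomain -Domain $ChildDomain -Verbose
    $domainState = "$(Get-CsAdDomain -Domain $ChildDomain)"
}

Write-Host "Forest: $forestState"
Write-Host "Domain ${ChildDomain}: $domainState"
```

Running the same script again after preparation is a quick way to confirm that a child domain is no longer in a partially prepared state.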

Similar Messages

  • Establishing Lync Server 2013 on a Child Domain

    Hi,
    We want to establish Lync Server 2013 Enterprise Edition on a child domain. I finished the installation. Now, if I add users to the child domain and enable them from the Lync Server Control Panel for a test, the users can sign in. However, we use the child domain for domain computers only. We want to keep users in the parent domain, not the child domain.
    I can enable users which are in the parent domain, but the users cannot sign in. When I look at the Lync troubleshooting program, I get this error: "user is not sip enabled"
    How can I solve this problem without adding users to the child domain?

    Check whether the SIP address is enabled for the user:
    Get-CsUser -Identity <Alias>
    SipAddress : sip:[email protected]
    Enable-CsUser -Identity "Raji" -RegistrarPool Pool01.Lync.com -SipAddress "sip:[email protected]" -SipDomain Lync.com
    Verify the output:
    Get-CsAdUser | Select-Object DisplayName, SipAddress, UserPrincipalName
    Or
    Construct a SIP address using the user’s SamAccountName and domain name
    The SamAccountName is the user’s logon name: it’s the kenmyer portion of litwareinc\kenmyer. To use the SamAccountName as the SIP address use the -SipAddressType parameter followed by the parameter value SamAccountName:
    Enable-CsUser -Identity "Ken Myer" -RegistrarPool atl-cs-001.litwareinc.com -SipAddressType SamAccountName -SipDomain litwareinc.com
    Note that you also need to include the -SipDomain parameter followed by the appropriate SIP domain. With both FirstLastName and SamAccountName you must explicitly indicate the SIP domain; Enable-CsUser won’t try to make a “best guess” at determining the domain name for you.
    Use the user’s email address as his or her SIP address
    This is kind of a nice option: it simply grabs the user’s email address and uses that same value for his SIP address. (That way, users have just one address to remember.) To use this option, simply include the -SipAddressType parameter followed by the parameter value EmailAddress:
    Enable-CsUser -Identity "Ken Myer" -RegistrarPool atl-cs-001.litwareinc.com -SipAddressType EmailAddress
    Reference: https://blogs.technet.com/b/csps/archive/2010/06/06/howtoenableusers.aspx
    Exchange Queries

  • Enable new Child Domain in Lync Server 2013

    Hello All,
    We are running Lync Server 2013 in the root domain test.local. There are a number of child domains enabled for the Lync service, e.g. abc.test.local, xyz.test.local etc. Now I have a requirement to create a new child domain and enable it for the Lync service.
    So I created a new child domain (site1.test.local), then from the Lync shell I ran the command below to enable it:
    Enable-CsAdDomain -Domain site1.test.local -Report c:\users\lyncadmin\Report1.html
    Then I added the new SIP domain in Topology Builder under SIP domain and Simple URLs and published the topology.
    In AD all users are created in an OU, so I ran the command below to give privileges on the OU:
    Grant-CsOUPermission -Domain site1.test.local -ObjectType "User" -OU "OU=SITEUsers,DC=Site1,DC=TEST,DC=LOCAL"
    After all these steps, when I try to log in as the new users, the users cannot log in; the Lync client logs give the error below:
    4005;reason="Destination URI either not enabled for SIP or does not exist";source="LYNCFE13-02.TEST.LOCAL"
    Please help to solve this issue .

    I can see my child domain accounts in the Lync Control Panel (enable user section) and all accounts are enabled. If I run the command below then it shows result = failure. But my other accounts are working.
    PS C:\Users\administrator> Test-CSRegistration -UserSipAddress [email protected] -TargetFQDN xxxx.xxxx.local
    Target Fqdn   : xxx.xxx.local
    Result        : Failure
    Latency       : 00:00:00
    Error Message : 504, Server time-out
    Diagnosis     : ErrorCode=1045,Source=LYNCFE-00.xxxx.xxxx,Reason=Local edge server pool is out of service,port=5061,pool-size=2,pool=xxx-Edges.xxxx.local
                    Microsoft.Rtc.Signaling.DiagnosticHeader
    Other accounts are giving SUCCESS msg and running without any issue.

  • Migrating to Lync in a child domain from OCS in a Parent domain

    I am looking to migrate from OCS to Lync 2010.  I have gotten as far as deploying the target pool, but when I try and merge the topologies it fails.
    OCS is in the root domain of my forest but Lync is planned for the primary child domain where 80% of my users live.  I just need to know if this is a supported migration scenario for Lync.  If it is, how do I merge the two topologies, as it looks like the merge tool is only looking at the child domain for the configuration of OCS?
    Jeff

    Hi,
    Did you build a new pool with Side by side approach?
    It is supported to migrate Lync from one domain to another domain in the same forest. The supported server migration paths are in the link below:
    http://technet.microsoft.com/en-us/library/gg425764.aspx
    For the failed topology merge, did you receive any error message in the FE server Event Viewer?
    The Lync Server default SIP domain should be the same when migrating from OCS to Lync Server. If not, you can add the SIP domain in the Lync topology and then run a command such as the one below on the Lync FE server:
    Set-CsSipDomain -Identity <new sip domain name> -IsDefault $True
    Note: (change <new sip domain name> to your Lync Server SIP domain name)
    Then run OCS merge again to test the issue again.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 Clients in Child Domain Log "The server returned HTTP status code '403 (0x193)' with text 'Forbidden'."

    Hey All, I am really stumped on this one. 
    Environment - Is using split DNS
    Forest Root Domain - Contains new Lync 2013 Server Standard, ADDS, DNS, Enterprise CA, Workstations
    Clients in this domain connect and work beautifully. No errors. 
    Child Domain - ADDS, DNS, Workstation, Lync 2013 client
    Client autodiscovers, and then asks for a password. Enter the password and this comes up...
    "Can't sign in to Lync, You didn't get signed in, It might be your sign-in address or logon credentials..  blah blah blah"
    Client log shows 
    Error:
    There was an error communicating with the endpoint at 'https://domainlync13srv.Domain.net/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '403 (0x193)' with text 'Forbidden'.
    The server understood the request, but cannot fulfill it.
    As far as i can tell certificates are correctly configured with all the SAN's possible in my forest. The user is correctly set up in Lync control panel. Autodiscovery seems to be working as it should. EWS is working correctly. 
    Repaired client, removed cached creds, has all lync 2013 updates no dice
    Thank you all! 

    I am an IDIOT. 
    I did not prepare the child domain with the LYNC setup tool. Logged on to a file server in the child domain with domain admin rights and sure enough the setup said the domain was "partial". Ran the setup and bam it all started working. 

  • Need help with process for installation of DNS when establishing a child domain in AD forest using Windows Server 2012

    Additional guidance is needed regarding process for configuring DNS and for configuring the server Network settings (IPv4 properties) for installing a child domain. For example, when installing the Root domain, it is recommended to install DNS when installing the AD on the forest root. This ensures the proper records are added to DNS for the forest during DC promo. However, when installing the child domain, I'm unsure if a child-domain hosted DNS needs to be pre-installed prior to the child domain install and dcpromo or included in the child domain install.
    Second, there is conflicting guidance as to how to set IPV4 properties for the net interface when installing child-domain DNS. Should primary DNS address be 127.0.0.1 or the address of the Root domain DNS? or both?
    Thanks

  • Having trouble promoting a server to a Child Domain Controller

    Hello,
    I am having trouble promoting a 2012 server that's already a member of a domain to a child domain controller.  All of the prereqs are met.  When I try to promote it, it shows the steps being processed.  When it begins to replicate the parent domain's database, it runs all night and never completes.  Any idea what's going on?
    Thanks
    John G.
    John Grace

    Hello,
    Just to let you know I can ftp, telnet, and map drives to gptsserver1.gpts.biz from gptsserver2.gpts.biz but can't promote gptsserver2.gpts.biz to a child domain controller.  Any help is appreciated.
    Here is the contents of dcpromo.log from gptsserver2.gpts.biz:
    08/13/2014 21:14:32 [INFO] Promotion request for domain controller of new domain
    08/13/2014 21:14:32 [INFO] DnsDomainName  gpts2.gpts.biz
    08/13/2014 21:14:32 [INFO] FlatDomainName  GPTS2
    08/13/2014 21:14:32 [INFO] SiteName  Default-First-Site-Name
    08/13/2014 21:14:32 [INFO] SystemVolumeRootPath  C:\Windows\SYSVOL
    08/13/2014 21:14:32 [INFO] DsDatabasePath  C:\Windows\NTDS, DsLogPath  C:\Windows\NTDS
    08/13/2014 21:14:32 [INFO] ParentDnsDomainName  gpts.biz
    08/13/2014 21:14:32 [INFO] ParentServer  gptsserver1.gpts.biz
    08/13/2014 21:14:32 [INFO] Account (NULL)
    08/13/2014 21:14:32 [INFO] Options  5243072
    08/13/2014 21:14:32 [INFO] Validate supplied paths
    08/13/2014 21:14:32 [INFO] Validating path C:\Windows\NTDS.
    08/13/2014 21:14:32 [INFO] Path is a directory
    08/13/2014 21:14:32 [INFO] Path is on a fixed disk drive.
    08/13/2014 21:14:32 [INFO] Validating path C:\Windows\NTDS.
    08/13/2014 21:14:32 [INFO] Path is a directory
    08/13/2014 21:14:32 [INFO] Path is on a fixed disk drive.
    08/13/2014 21:14:32 [INFO] Validating path C:\Windows\SYSVOL.
    08/13/2014 21:14:32 [INFO] Path is on a fixed disk drive.
    08/13/2014 21:14:32 [INFO] Path is on an NTFS volume
    08/13/2014 21:14:32 [INFO] Child domain creation -- check the new domain name is child of parent domain name.
    08/13/2014 21:14:32 [INFO] Domain Creation -- check that the flat name is unique.
    08/13/2014 21:14:42 [INFO] Start the worker task
    08/13/2014 21:14:42 [INFO] Request for promotion returning 0
    08/13/2014 21:14:42 [INFO] Using supplied domain controller: gptsserver1.gpts.biz
    08/13/2014 21:14:42 [INFO] Using supplied site: Default-First-Site-Name
    08/13/2014 21:14:42 [INFO] Forcing time sync
    08/13/2014 21:14:42 [INFO] Forcing a time sync with gptsserver1.gpts.biz
    08/13/2014 21:14:42 [INFO] Reading domain policy from the domain controller gptsserver1.gpts.biz
    08/13/2014 21:14:42 [INFO] Stopping service NETLOGON
    08/13/2014 21:14:42 [INFO] Stopping service NETLOGON
    08/13/2014 21:14:42 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
    08/13/2014 21:14:42 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
    08/13/2014 21:14:42 [INFO] StopService on NETLOGON returned 0
    08/13/2014 21:14:42 [INFO] Configuring service NETLOGON to 1 returned 0
    08/13/2014 21:14:42 [INFO] Stopped NETLOGON
    08/13/2014 21:14:42 [INFO] Creating the System Volume C:\Windows\SYSVOL
    08/13/2014 21:14:42 [INFO] Deleting current sysvol path C:\Windows\SYSVOL 
    08/13/2014 21:14:43 [INFO] Preparing for system volume replication using root C:\Windows\SYSVOL
    08/13/2014 21:14:43 [INFO] Created the system volume
    08/13/2014 21:14:43 [INFO] Copying initial Directory Service database file C:\Windows\system32\ntds.dit to C:\Windows\NTDS\ntds.dit
    08/13/2014 21:14:43 [INFO] Installing the Directory Service
    08/13/2014 21:14:43 [INFO] Calling NtdsInstall for gpts2.gpts.biz
    08/13/2014 21:14:43 [INFO] Starting Active Directory Domain Services installation
    08/13/2014 21:14:43 [INFO] Validating user supplied options
    08/13/2014 21:14:43 [INFO] Determining a site in which to install
    08/13/2014 21:14:43 [INFO] Examining an existing forest...
    08/13/2014 21:14:43 [INFO] Configuring the local computer to host Active Directory Domain Services
    08/13/2014 21:14:44 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1094
    Software write caching for the following disk drive has been disabled to prevent possible data loss during system failures such as power outages or hardware component failures that can cause a sudden shutdown of the system. The disk drive that stores Active
    Directory Domain Services log files is the only drive affected by this change.
    Disk drive:
    c:
    08/13/2014 21:14:55 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2120
    This Active Directory Domain Services server does not support the Recycle Bin. Deleted objects may be undeleted, however, when an object is undeleted, some attributes of that object may be lost.  Additionally, attributes of other objects that refer to
    the object being undeleted may also be lost.
    08/13/2014 21:14:56 [INFO] Replicating the schema directory partition
    08/13/2014 21:14:56 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963
    Internal event: The following local directory service received an exception from a remote procedure call (RPC) connection. Extensive RPC information was requested. This is intermediate information and might not contain a possible cause.
    Process ID: 
    488
    Reported error information:
    Error value: 
    Access is denied. (5)
    directory service: 
    gptsserver1.gpts.biz
    Extensive error information:
    Error value: 
    Access is denied. 5
    directory service: 
    gptsserver2
    Additional Data
    Internal ID: 
    5000dfc
    08/13/2014 21:14:56 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1961
    Internal event: This log entry is a continuation from the preceding extended error information entry on the following error and directory service.
    Extended information:
    Error value: 
    Access is denied. (5)
    directory service: 
    gptsserver2
    Supplemental information:
    Detection location: 
    1461
    Generating component: 
    RPC Runtime
    Time at directory service: 
    2014-08-14 04:14:56
    Additional Data
    Error value: 
    Access is denied. (5)
    08/13/2014 21:14:56 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 2839
    Internal event: This log entry is a continuation from the preceding extended error information entry.
    Extended information:
    Extended Error Parameters: 
    0
    Parameter 1: 
    (NULL)
    Parameter 2: 
    (NULL)
    Parameter 3: 
    (NULL)
    Parameter 4: 
    (NULL)
    Parameter 5: 
    (null)
    Parameter 6: 
    (null)
    Parameter 7: 
    (null)
    08/13/2014 21:14:56 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1962
    Internal event: The local directory service received an exception from a remote procedure call (RPC) connection. Extended error information is not available.
    directory service: 
    gptsserver1.gpts.biz
    Additional Data
    Error value: 
    Access is denied. (5)
    08/13/2014 21:14:56 [INFO] EVENTLOG (Error): NTDS Replication / Setup : 1125
    The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to establish connection with the following domain controller.
    Domain controller:
    gptsserver1.gpts.biz
    Additional Data
    Error value:
    5 Access is denied.
    John Grace

  • Install SCCM 2012 R2 on child domain

    Hi,
    Following is the infrastructure of my network
    root domain: abc.co.uk
    dc1.abc.co.uk - DC + DNS + DHCP on Server 2012
    dc2.abc.co.uk - DC + DNS + DHCP on Server 2008 R2
    child domain: college.abc.co.uk
    dc1.college.abc.co.uk - DC + DNS on Server 2008 R2
    dc2.college.abc.co.uk - DC + DNS on Server 2012
    child domain: school.abc.co.uk
    dc1.school.abc.co.uk - DC + DNS on Server 2008 R2
    dc2.school.abc.co.uk - DC + DNS on Server 2012
    mdt.school.abc.co.uk - Server 2008 R2
    mssql1.school.abc.co.uk - SQL 2008 R2 on Server 2008 R2
    sccm1.school.abc.co.uk - Server 2008 R2
    Currently we have MDT + WDS running in one of the child domains, school.abc.co.uk. I am looking to install SCCM 2012 R2 (sccm1.school.abc.co.uk) in this domain. This SCCM will only be used for this child domain. As a prerequisite I have to first (1) create a system container and assign permissions for the SCCM server on the container and (2) extend the Active Directory schema.
    So do I perform these two tasks on both domain controllers for this child domain (school.abc.co.uk)?
    Do I need to do anything on the root domain/root domain controllers or on the other child domain (college.abc.co.uk)?
    Any help would be much appreciated, thank you.

    You only need to create the system container the one time. Check the details here
    http://sccmentor.wordpress.com/2014/01/08/sccm-2012-r2-step-by-step-installation-guide/
    Nothing will need to be done in the other domains.
    You may need to do some work on PXE Providers if you have MDT + WDS running in the environment on the same VLAN or phase that out.
    Cheers
    Paul | sccmentor.wordpress.com

  • Why can the users in one child domain logon to computers in a different child domain in Server 2012 R2?

    I have set up a test system. It has a domain with 2 child domains.  DomainA.xyz.com has users and workstations. DomainB.xyz.com is a resource domain and has servers.  wyx.com is for IT administration.
    Users in domainA can log on to the domainB computers.  I searched to find out why it was so.  I found a "NT AUTHORITY\INTERACTIVE" entry in the local users group that enables this.
    This is rather confusing.  1.  When a user enters his credentials, he is not logged on and therefore would not be "INTERACTIVE" at that time.  2.  If everybody that signs on a computer is interactive, then does that mean everyone in the forest can sign on?
    So my issue is: Can I delete the "INTERACTIVE" entry in the local users group and not cause any problems?  I want to protect the resource domain from users signing on to them and give them access to the resources they need.

    Hi,
    The Interactive group includes all users that have logged on locally.
    In addition, it is not recommended to remove the Interactive group from the local Users group since it would cause all kinds of problems. For more detailed information, please refer to the similar thread and link below:
    Interactive group
    Staring at a blank desktop, due to Interactive missing from Users group
    Best regards,
    Susie

  • Exchange 2013 sp1 smtp NTLM auth for child domain users

    I have an Exchange organization with Exchange 2007 SP3 and Exchange 2013 SP1.
    All users are on the Exchange 2013 server (mail flow is through the Exchange 2013 server).
    I have a single forest, 2 sites (site1, site2), a root domain root.local and 1 child domain ch.root.local.
    The DC for the child domain is located in site2 (dc.ch.root.local).
    The multirole Exchange 2013 server is installed in the root domain.
    I am trying to configure an SMTP receive connector with NTLM auth and have one problem.
    When a user in the child domain tries to send email through this receive connector I see in the log:
    <,AUTH NTLM,
    >,334 <authentication response>,
    *,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
    *,CH\user1,authenticated
    *,,Setting up client proxy session failed with error: 535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user
    *,,"Setting up client proxy session failed with error: 451 4.4.0 Primary target IP address responded with: ""535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.15:465"
    But authentication is successful for users from the root domain.
    Why can this be?
    Thanks.

    Thanks for the link.
    In the SMTP receive logs (Hub Transport role) I've found the following:
    Client Proxy EXMAIL2013,08D134DAF6CE1C51,49,192.168.1.15:465,
    *,NT AUTHORITY\SYSTEM,authenticated
    >,235 <authentication response>,
    <,XPROXY SID=08D130D354F520D1 IP=192.168.1.21 PORT=57085 DOMAIN=[192.168.1.21] CAPABILITIES=0 SECID=Uy0xxx...
    *,,Error while looking up SamAccountName chuser: The user name or password is incorrect.\r\n
    *,None,Set Session Permissions
    >,250 XProxy accepted but user identity could not be obtained,

  • Active Directory Domain Services Child Domains

    I am using Windows Server 2008 R2 SP1.
    http://technet.microsoft.com/en-us/library/cc771856(v=ws.10).aspx
    When I select "Add Roles" I click on "Active Directory Domain Services (Installed)" the "Next>" button is not enabled and can not be selected.
    Did I install ADDS wrong?
    Is this not how you define Child Domains?
    If I use the Command Line or Answer File Methods I get an error message at "ChildName".
    Did I forget to install something about enabling Child Domains when installing ADDS?

    Hi,
    Did you try to create a child domain on the Domain Controller? It seems that this server is already a DC, with Active Directory Domain Services installed.
    We don't have to enable anything in the root domain for creating child domains/new trees. We just need to run Dcpromo or Add Role on another server which is not a DC, and select the existing domain as its parent; then the child domain will be created.
    In addition, please set the existing DC as the preferred DNS server on the new server.
    I hope this helps.
    Amy

  • Exchange 2010 unable to find objects in child domain via ESM

    I am having a problem on Exchange 2010 which relates to mailboxes whose AD account is in a child domain in the AD forest.
    We have two domains A & B in the forest. The site which hosts E2010 only has DCs from domain A (root domain). These DCs are set as Global Catalogues.
    All Exchange servers (2 x CAS & 2 x Mailbox) installed in Domain A (primary site) can resolve domain B and performing nslookups for domain B on these server displays the DCs installed in domain B at remote sites.
    I am migrating some resource mailboxes with AD accounts in domain B and need to set them up as room mailboxes to enable the auto accept bookings feature.
    After migrating the mailboxes via the EMS to set the mailbox as a room, below is the error I get:
    [PS] C:\Windows\system32>set-mailbox mtgrm1@domainB -Type Room
    The operation couldn't be performed because object 'mtgrm1@ domainB' couldn't be found on 'DC01.domainA.com'.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-Mailbox], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 9E6F6A1,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
    I have also tried using only the alias and the object CN:
    set-mailbox mtgrm1 -Type Room
    set-mailbox –identity 'domainB/Sitename/ Users/MSX Resource Accounts/Conf MtgRm1 (Video)' -Type Room
    but get the same error.
    All employee mailboxes from Domain B have been migrated to Exchange 2010 from 2003 and are working with no problems.
    I have confirmed domain B has been prepared for E2010 - In the Microsoft Exchange System Objects container in AD there is the global group Exchange Install Domain Servers.
    Event ID 2080
    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1864). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
     (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    dc02.domainA.COM CDG 1 7 7 1 0 1 1 7 1
    DC01.domainA.com CDG 1 7 7 1 0 1 1 7 1
    Out-of-site:
    DC03.domainA.COM CDG 1 0 0 1 0 0 0 0 0
    dc04.domainA.COM CDG 1 0 0 1 0 0 0 0 0
    Please note the Out of site DCs are for our Exchange failover site which is currently down due to the storms on the East Coast.
    Does Exchange 2010 require a local DC for the second domain installed in the sites which host Exchange? If not, any advice on what else I can look at will be appreciated.
    Thanks.

    Hi there,
    If the question is answered, please mark it accordingly. Thanks.
    Fiona Liao
    TechNet Community Support

  • Parent/Child Domain

    I have a parent/child domain structure. The parent domain consists of domain controllers in three different locations (HO1, HO2, HO3). I have set Sites and Services up so that each remote VPN site (Child domain) has a site link to HO1 and HO2 only. When I attempt to ping the parent domain name from a site server it sometimes resolves to HO3 and times out as there isn't an active VPN tunnel between the 2. My question is why would HO3 be replying when it doesn't have a site link to the remote site and in turn how can I stop that from being the domain controller that replies?
    Thanks for any advice
    Chris

    Hi,
    To add, Mr. Ace has a good blog post regarding sites and site links; see if it could help here:
    AD Site Design and Auto Site Link Bridging, or Bridge All Site Links (BASL)
    http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
    Best regards
    Michael

  • User Folders in a Parent / Child Domain Structure

    Hi,
    I have a forest setup with a parent and 3 child domains.
    We have a DFS share set up for home folders.
    I used Group Policy to create the users' share folders, map the drive, and set up folder redirection.
    Each user has a separate ID for each domain.
    The desire is for each user to be able to use the same \\parent.com\home\%logonuser% share path from each domain in order to access files from any domain, and have privacy from other users doing so.
    The problem I have is, after "child1\JohnD" signs into a workstation on domain CHILD1.com, his folder is created at "\\parent.com\home\JohnD" and mapped.
    But if child2\JohnD then signs into domain CHILD2.com, he does not have permissions to map the drive.
    I realize why, but I'm wondering if anyone can think of a way to change this setup so that parent\JohnD, and child1\2\3\JohnD, all have rights to map and use the same Home Folder.
    Having domain specific home folders has been shot down.
    Giving all shares EVERYONE access has been shot down.
    Open to other suggestions.
    Thanks!
    -Matt
    There's no place like 127.0.0.1

    You might want to try creating a script that will grant the required rights to both user accounts using PowerShell: http://blogs.technet.com/b/heyscriptingguy/archive/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions.aspx
    Once you create the script, you can schedule it using Task Scheduler.
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK
    Interesting.  I've been playing with this module off and on today.  From what I can tell, this would have to be scripted to some sort of function like this:
    dir \\parent.com\dfshome | Get-NTFSAccess
    For each dir in "\\parent.com\dfshome", set $folder
    For each $folder where account = "childx\User", set $User
    For each $User, Add-NTFSAccess: child1\$user, child2\$user, and child3\$user
    (head scratch)
    I'll give it some more thought. :)
    Thanks!
    There's no place like 127.0.0.1
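
One way to implement the per-folder grant sketched in the exchange above, as an added example (not code from the thread or from the NTFSSecurity module it mentions). It uses the built-in Get-Acl/Set-Acl cmdlets; the NetBIOS domain names are placeholders, and it assumes each home folder is named after the sAMAccountName and that the same name in every domain belongs to the same person.

```powershell
# Added example: grants Modify on each home folder to the same-named account in
# every listed domain. Assumption: a given sAMAccountName is the same person in
# all domains; if names can collide, map accounts explicitly instead.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $HomeRoot = '\\parent.com\home',                       # share path from the post
    [string[]] $Domains  = @('PARENT', 'CHILD1', 'CHILD2', 'CHILD3')  # placeholder NetBIOS names
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify

foreach ($folder in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $acl     = Get-Acl -LiteralPath $folder.FullName
    $changed = $false

    # SIDs that already hold an explicit (non-inherited) allow rule covering Modify
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq $allow -and ($_.FileSystemRights -band $modify) -eq $modify } |
        ForEach-Object { $_.IdentityReference.Value }

    foreach ($domain in $Domains) {
        $account = [System.Security.Principal.NTAccount]::new($domain, $folder.Name)
        try {
            # Resolve to a SID so a missing account is skipped, never written as an orphan ACE
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Verbose "$account does not exist; skipping"
            continue
        }
        if ($existing -contains $sid.Value) { continue }

        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($sid, $modify, $inherit, $noProp, $allow)
        $acl.AddAccessRule($rule)
        $changed = $true
        Write-Verbose "Queued Modify for $account on $($folder.FullName)"
    }

    if ($changed -and $PSCmdlet.ShouldProcess($folder.FullName, 'Add per-domain home folder ACEs')) {
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
    }
}
```

Run it with -WhatIf -Verbose first to review which grants would be written; the account running it needs the right to change permissions on the folders.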

  • ACS 4.1.4.13 is unable authenticate user to child domain

    Does an ACS server need to be a member of the parent domain in order to see a forest trust?
    and
    Error message:
    "Could not start CSAdmin on local computer- Error 1069 The service did not start because of logon failure."   Does this mean it can't see the forest?  or child domain
    Any help would be appreciated.
    Thanks,
    Drew

    If it's not in the selectable downloads, you need to open a TAC case and have your engineer post it for you.
    I only found out about it after I saw new documentation available for it.
