Cross Forest Support - Same Boundaries?

We're planning to move our existing AD to a new domain with a different name. To support clients in the new domain, would it be easier to just set up a new SCCM 2012 R2 instance and then let it manage systems in the new domain? We currently have our boundaries set up as subnets. If we move clients over to the new domain, we can use the same boundaries over there, can't we?
Orange County District Attorney

If everything is going to be migrated over to the new domain, then I would definitely stand up SCCM in the new domain. I wouldn't say you absolutely have to move SCCM to the new domain; you could keep the old domain and leave SCCM in it as long as the AD infrastructure is still in place. But if everything else is being migrated over, then SCCM should be too.
You shouldn't have to do anything additional as far as permissions to MPs or DPs. I would probably do a reinstall of the SCCM client once the PC has changed domains, but I don't think that's absolutely necessary. All client communication is through HTTP(S) or SMB. HTTP doesn't care what domain a computer is joined to...

Similar Messages

  • [SCCM 2012 R2] Cross forest Active Directory Boundaries

    Hi All,
    What process/component updates the information (subnets) for an already imported AD Site Boundary?
    How can I be sure that automatically created Active Directory boundaries from native and cross domains really import/use all subnets from AD Sites? Which log shows verbose information? PowerShell?
    Note to the Product Group and MVPs who have influence with the Product Group:
    please add a column in the Boundaries view to show the actual domain for Active Directory Boundaries (not using the Description column)
    please allow manually creating Active Directory Boundaries from non-native domains
    Regards,

    As mentioned, simply type in the site name instead of using the Browse button.
    Site lookups are a simple string comparison that occurs when the client submits the content location or site assignment request to the MP.
    If you don't have multiple primary sites, site assignment is not anything to worry about because all the clients will belong to the same site.
    If you do have multiple primary sites, it gets a bit more complicated depending upon how those multiple sites are broken down client-wise but would most likely come down to not relying on auto-site assignment so this would be N/A anyway.
    For content location, the assumption is that the like-named sites are for the same area of connectivity and thus content location, i.e., DP "assignment", should be the same regardless of domain/forest. If this is not a valid assumption for your environment, then I would submit that your site naming convention is irrational.
    Jason | http://blog.configmgrftw.com | @jasonsandys
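    The same check serves the original question (can subnet boundaries be reused after the domain move?) and the question above (do AD site boundaries really cover every subnet?). The script below is an added example, not code from either thread; it assumes the ConfigMgr 2012 R2 PowerShell cmdlets (Get-CMBoundary) are loaded, that the site code and forest name are placeholders, and that the account running it can read the target forest's sites and subnets over the trust.

```powershell
# Added example: list every AD site/subnet of a forest and whether a ConfigMgr boundary
# already covers it. AD site boundaries match by site name only (a plain string compare,
# regardless of forest), and IP subnet boundaries hold the subnet ID without the prefix
# length, so the same boundaries keep working after a domain move as long as the site
# names and subnets do not change. IP range and IPv6 boundaries are not evaluated here.
function Get-ForestBoundaryCoverage {
    param(
        [Parameter(Mandatory = $true)] [string] $ForestName,   # DNS name of the forest to inspect (assumed)
        [Parameter(Mandatory = $true)] [string] $SiteCode      # ConfigMgr site code, e.g. 'PS1' (placeholder)
    )

    # Read the forest's sites and subnets from its configuration partition (works over a trust)
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestName)
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($context)

    # Read boundaries from the ConfigMgr site drive; SMS_Boundary.BoundaryType 0 = IP subnet, 1 = AD site
    Push-Location "$($SiteCode):"
    try {
        $boundaries = Get-CMBoundary
    } finally {
        Pop-Location
    }
    $siteBoundaries   = @($boundaries | Where-Object { $_.BoundaryType -eq 1 } | ForEach-Object { $_.Value })
    $subnetBoundaries = @($boundaries | Where-Object { $_.BoundaryType -eq 0 } | ForEach-Object { $_.Value })

    foreach ($site in $forest.Sites) {
        foreach ($subnet in $site.Subnets) {
            # AD stores '10.1.2.0/24'; a ConfigMgr IP subnet boundary stores just '10.1.2.0'
            $subnetId = ($subnet.Name -split '/')[0]
            [pscustomobject]@{
                Forest            = $ForestName
                ADSite            = $site.Name
                Subnet            = $subnet.Name
                CoveredByADSite   = ($siteBoundaries -contains $site.Name)
                CoveredByIPSubnet = ($subnetBoundaries -contains $subnetId)
            }
        }
    }
}

# Usage (placeholders): show subnets of the new forest that no boundary covers yet
# Get-ForestBoundaryCoverage -ForestName 'newforest.example' -SiteCode 'PS1' |
#     Where-Object { -not ($_.CoveredByADSite -or $_.CoveredByIPSubnet) } | Format-Table -AutoSize
```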

  • SCCM 2007 and 2012 coexistence and Cross Forest support

    Hi All,
    I have a question.
    My company has recently acquired another company.
    That company consists of 2 forests (forest A has one domain, namely domain A, and forest B has one domain, namely domain B) with a two-way forest trust between them.
    Domain A has an SCCM 2007 primary site.
    Domain B has an SCCM 2007 primary site and 2 secondary sites.
    The Active Directory schema is extended in both domains.
    We cannot migrate the SCCM 2007 environment because it is a mess, so we want to build a new SCCM 2012 R2 environment in Domain B and from that environment manage both domains (OSD, software deployment, client management ...).
    We want to install an SCCM 2012 R2 (CU3) primary server in domain B, add two distribution points instead of the two secondary sites, and manage both forests (domain A and B) from that primary site server.
    Now my questions are:
    1) Can an SCCM 2007 environment coexist with an SCCM 2012 environment?
    I believe it can if I make sure that in the new SCCM 2012 environment we only use boundary groups for content location and not for site assignment, and in the SCCM 2007 environment (domain A and domain B) I need to disable the client push account.
    2) Discovery: how do we make sure that systems and users are discovered from both domains?
    Do we need to do some additional configuration to make that happen, or will this be no problem because of the two-way trust and Active Directory schema extension?
    3) Can we do all the management from the new SCCM 2012 R2 site, including OSD deployments for both domains?
    I hope someone can help me with these questions.
    Thanks in advance,
    Regards,
    Johan

    Hi All,
    After talking with management and local support, the decision has been made not to deploy only distribution points but instead to deploy secondary sites (of course with a management point and distribution point), because the bandwidth to these sites is a problem.
    So the situation will be: Domain A, primary site (SCCM 2012 R2) and a secondary site for each of the two remote locations; domain B, a secondary site (of course all the related ports need to be opened for both domains, as explained here: https://technet.microsoft.com/en-us/library/hh427328.aspx).
    Question:
    Can we do all the management from the new primary SCCM 2012 R2 site (domain A), including OSD deployments for both domains A and B?
    I hope someone can review this.
    Thx in advance,
    Regards, Johan

  • Cross Forest - SCCM 2012SP1

    Hi All - I've re-posted this as I put it in the wrong thread initially, under 2007.
    I've configured a cross-forest SCCM scenario, with all the SCCM config in one forest and a single Windows XP SP3 desktop in the other. There is a trust between both forests (2-way external), but I haven't added the forest/domain to SCCM to enable searching etc. I deployed the agent manually in the external forest using a mapped drive and ccmsetup /mp:........ This all works fine.
    After installation, once the client is approved, when I click on the client in the SCCM console and try to initiate any of the "right-click" features, I just get a stack of access denied errors back, "0x80070005". I've tried rebuilding WMI and re-installing the client, to no avail. I'm thinking that it's related to the cross-forest config, but I see no provision for setting up external credentials for the other forest. Am I right in thinking that the only account that needs to be configured is the "Network Access Account" that the agent uses to make network connections (the rest being run under the guise of the "Local System" account)? If so, this is already done too.
    I'm not seeing any access denied entries on the XP desktop, and I've been through the DCOM config and local policy to make adjustments/slacken off the permissions... still no dice.
    Am I chasing my tail with this? Can I manage a client from the console that actually sits outside of the forest where the SCCM installation is actually installed?
    The installation is pretty much inline with scenario 1 from the following blog:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    -a

    http://social.technet.microsoft.com/Forums/systemcenter/en-US/a64548eb-11dd-441f-95d7-097c70c96f17/sccm-2012sp1-cross-forest-scenario?forum=configmgrgeneral
    is the original thread. You shouldn't cross post; you should wait for a mod to move the thread, as now we have multiple people answering the same question without the benefit of seeing what others have answered.
    As mentioned there, this really has nothing to do with ConfigMgr and stems from the use of right-click tools.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCCM 2012 R2 cross forest with one-way trust feasible?

    We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows Server 2012 R2).
    Our requirements are to support our Windows 7 client PCs in Domain A and also support XenDesktop clients in a separate domain (Domain B) and forest. We have a one-way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be in Domain A, the same as our current SMS 2003 server.
    What we want to do, at a minimum, using SCCM is:
    Client inventory (hardware, software, user) and package distribution.
    Is this doable or a no-go? If not directly, is there any workaround for this? Appreciate any helpful advice or feedback.
    I have made the below diagram to better illustrate the scenario:
    Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS, of course.

    Hi,
    The following blog describes the technical requirements that have been put in place for the support of cross-forest communication. You could have a look.
    Quote:
    Inner-site Communication (site-to-site communication) exists in the form of both File Based Replication (SMB port 445) and Database Replication (TCP/IP port 4022 by default).
    In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that has a two-way trust with the forest of the parent (CAS or primary).
    Site System Roles (MP, DP, etc.), with the exception of the Out of Band Service Point and the Application Catalog Web Service Point, can be deployed in an untrusted forest.
    The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
    Most of these items were taken from this TechNet article; please refer to the article for more information: Planning for Communications in Configuration Manager.
    For more information:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    Best Regards,
    Joyce
    Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
    Not sure which is correct...

  • SCCM 2012SP1 - Cross Forest Scenario

    Guys/Girls
    I've configured a cross-forest SCCM scenario, with all the SCCM config in one forest and a single Windows XP SP3 desktop in the other. There is a trust between both forests (2-way external), but I haven't added the forest/domain to SCCM to enable searching etc. I deployed the agent manually in the external forest using a mapped drive and ccmsetup /mp:........ This all works fine.
    After installation, once the client is approved, when I click on the client in the SCCM console and try to initiate any of the "right-click" features, I just get a stack of access denied errors back, "0x80070005". I've tried rebuilding WMI and re-installing the client, to no avail. I'm thinking that it's related to the cross-forest config, but I see no provision for setting up external credentials for the other forest. Am I right in thinking that the only account that needs to be configured is the "Network Access Account" that the agent uses to make network connections (the rest being run under the guise of the "Local System" account)? If so, this is already done too.
    I'm not seeing any access denied entries on the XP desktop, and I've been through the DCOM config and local policy to make adjustments/slacken off the permissions... still no dice.
    Am I chasing my tail with this? Can I manage a client from the console that actually sits outside of the forest where the SCCM installation is actually installed?
    The installation is pretty much inline with scenario 1 from the following blog:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    -a

    Reading more closely, I notice now that you said "right-click tools". That explains it, as those truly have nothing to do with ConfigMgr. Essentially, all right-click tools are individual scripts run on your local system that directly connect to the remote system to perform an action. The console initiates these scripts, but that's it. Thus, the credentials of the user logged into the console are used to launch those scripts, and the problem here is that the user you are running the console as does not have permissions to remotely connect to that remote system.
    As mentioned, this has nothing to do with ConfigMgr though, because ConfigMgr never ever connects to remote clients -- all client agent communication is initiated by the client.
    Thus, the right-click tools, while sometimes/often useful, should not be confused with native ConfigMgr functionality.
    Jason | http://blog.configmgrftw.com | @jasonsandys
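    To separate a right-click tool's own connection from anything ConfigMgr does, the following added example (not code from the thread or from any right-click tool) makes the remote WMI/DCOM connection such a tool makes, first as the console user and then, optionally, with an account the client's forest recognises, and reports which one the client rejects. The computer name, the credential and the choice of the SMS_Client class are assumptions.

```powershell
# Added example: reproduce the connection a console right-click tool makes to a client.
# The tool runs as the console user and opens its own DCOM/WMI session to the client;
# ConfigMgr itself never connects to clients, so a 0x80070005 here is an authorisation
# problem between the console user and the client, not a ConfigMgr fault.
function Test-RightClickToolAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,               # client outside the console's forest (assumed)
        [System.Management.Automation.PSCredential] $ClientForestCredential   # optional account the client's forest trusts
    )

    # One attempt, returned as an object so the results for both accounts can be compared
    function Invoke-WmiProbe([string] $Label, [hashtable] $ExtraArgs) {
        try {
            # root\ccm\SMS_Client is the ConfigMgr client's own WMI class; a tool that can read it can manage the client
            $client = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Client -ComputerName $ComputerName @ExtraArgs -ErrorAction Stop
            [pscustomobject]@{ Account = $Label; Result = 'Connected'; ClientVersion = $client.ClientVersion }
        } catch {
            $message = $_.Exception.Message
            $result = if ($message -match '0x80070005') {
                          'Access denied (0x80070005): the account lacks remote DCOM/WMI rights on the client'
                      } elseif ($message -match '0x800706BA') {
                          'RPC server unavailable: firewall or name resolution, not permissions'
                      } else {
                          "Failed: $message"
                      }
            [pscustomobject]@{ Account = $Label; Result = $result; ClientVersion = $null }
        }
    }

    # 1) As the user running the console, which is exactly what a right-click tool uses
    Invoke-WmiProbe "$env:USERDOMAIN\$env:USERNAME (console user)" @{}

    # 2) As an account from the client's forest, if supplied. Success here shows the client is reachable
    #    and that a failure in step 1 is authorisation. (Explicit credentials cannot be used against the local machine.)
    if ($ClientForestCredential) {
        Invoke-WmiProbe $ClientForestCredential.UserName @{ Credential = $ClientForestCredential }
    }
}

# Usage (names assumed):
# Test-RightClickToolAccess -ComputerName 'xpclient.otherforest.local' -ClientForestCredential (Get-Credential) | Format-Table -AutoSize
```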

  • SCCM 2012 & SCOM 2012 - Cross Forest

    My current environment is running Operations Manager and Configuration Manager 2007, and I am planning to upgrade them to the 2012 version.
    I need to know whether my upgrade to 2012 will have cross-forest support?
    Cheers

    And, there is no 'upgrade' of Configuration Manager 2007 to Configuration Manager 2012 (if you mean Configuration Manager 2007 instead of "SCCM 2008"). You would need to do a side-by-side migration. There are docs, webcasts, webinars (in fact I just did one a couple of weeks ago), and TechNet virtual labs on migration to help you gain an understanding of how it would work.
    However, yes, Configuration Manager (both 2007 and 2012) does support cross-forest environments.
    Wally Mead

  • Does Apple native AD Plugin support Cross Forest login in 10.9?

    I know in the past this wasn't possible with the native Apple AD plugin. Does anyone know if 10.9 or above has added any more capabilities to do built-in cross-forest authentication? I was just wondering if it is still not possible and we need to start looking at third-party solutions like Centrify DirectControl. We have set up two AD forests with a trust between them that works perfectly when logging in on a Windows machine but not on the Macs. I hope in the future we make a full migration to just one domain/forest, but in the meantime I need a fix to allow for single logins to either forest from a Mac. Otherwise, is it possible to bind to two ADs at once with Apple's AD plugin, or will this cause more problems than good?


  • Exchange 2013 Untrusted Cross-Forest Availability Intermittently Working

    Goal:
    I'm attempting to configure cross-forest availability for Exchange 2013 using the instructions here:
    http://technet.microsoft.com/en-us/library/bb125182%28v=exchg.150%29.aspx
    At the very bottom of the page are three different methods. I have tried the first (per-user) and the third (untrusted) methods, with identical results. For various unfortunate reasons, I am unable to use the Microsoft Federation Gateway for availability information (although that is configured in the production domain and I would use it if it were possible).
    Situation:
    When attempting to view availability information in either OWA or Outlook, the free/busy information typically isn't visible. If you open and close Outlook a few times, creating meetings with the users in other domains, sometimes the other user's information will be visible, and sometimes it will not. When it is not, the area is filled with diagonal lines and hovering over it says "No Information". The situation is the same both in Adatum trying to access Contoso, and in Contoso trying to access either Adatum or Fabrikam.
    I'm currently close to finishing up my third week with Microsoft Support on this issue, and am starting over with a third first-level support person. They are quickly eroding what little confidence I had in them already. I'm posting here because I'm desperate, and web searches for my errors turn up zero results. I fear this method of availability sharing doesn't actually work correctly in Exchange 2013, as Microsoft is pushing organizations to use the Microsoft Federation Gateway, but I'd love to hear about anyone getting this to work, or not.
    Setup:
    There are three separate domains I am working with (names changed to protect the innocent). Contoso.local is the production domain, containing Exchange 2007 and Exchange 2013 SP1 servers. Adatum.local is a test domain set up fresh with Exchange 2013 SP1. Fabrikam.com is a remote Exchange system that others are connecting to without issue, using Exchange 2010.
    The Contoso and Adatum domain controllers are running Windows Server 2008 R2 SP1 and are running at the 2008 R2 functional level. The Exchange 2013 servers are all at SP1 (results were the same prior to SP1), and the OS is Windows Server 2012.
    Contoso has two sites, connected via 10Gbps links with ~10ms latency, with Exchange 2013 CAS and mailbox servers in both sites. Adatum has a single site, and has two CAS and two mailbox servers. Fabrikam has one internet-facing server to connect to. A handful of contacts have been created in both Contoso and Adatum for the other domains, to select to view availability.
    The Contoso and Adatum domains sit on different subnets, but there is no firewall or filtering between their subnets. Routing between them is completely unimpeded. The Fabrikam server sits on another network across the internet, but firewalls have been configured and I can browse the availability website from the Contoso CAS servers.
    The CAS servers were originally set up to be load balanced, but working with Microsoft they've had me specify a single CAS server for autodiscover/EWS/ECP/OWA/etc. in both Contoso and Adatum. The number of actual users on Exchange 2013 in Contoso is ~10. In Adatum, there are only a handful of mailboxes configured. The Exchange 2007 servers in Contoso are using Public Folders for free/busy replication for other domains right now, and we don't care at the moment if they can use the 2013 availability. None of our testing/configurations have involved the Exchange 2007 servers. There are no SPNs configured for the other domains in AD.
    Errors:
    There are three basic errors that are returned in Outlook diagnostics. The first is the timeout error. For a given mailbox server, the first time it is queried for availability information for a remote domain (after some amount of time of being idle) it might not respond for 70 seconds (actually somewhere between 69 and 70 seconds each time when viewing the IIS logs), and eventually fails with the timeout error. If it doesn't time out, then it will respond with the correct response.
    Once a particular mailbox server has timed out, it will typically immediately return the first Availability Error for all subsequent calls. Less frequently, it will return Availability Error 2. If a mailbox server returns the first Availability Error, then it will continue to return that error until it times out again or starts working. Similarly, if a mailbox server returns the second Availability Error, then it will continue to return that error until it times out again or starts working.
    If an IISRESET is performed on a mailbox server, then it will either time out at the next cross-forest availability request, or work. There is never an issue accessing availability information for users in the same domain as the request.
    If the remote Exchange is in an errored state, then the response includes the error. For example, if the mailbox servers in the remote domain are turned off, and the local mailbox server that you are querying happens to be responding correctly for the remote domain, then it will return an error about how no mailbox servers are available in adatum.local to service the request.
    There are no Event Log errors that correspond to failed requests of any type. IIS logs don't show anything beyond what is shown in the Outlook diagnostics. There are no DNS or Active Directory replication errors in the Event Logs.
    Timeout error:
    CalendarEvents       : {}
    ViewType             : None
    MergedFreeBusyStatus : {}
    WorkingHours         :
    Result               : Error
    ErrorCode            : ErrorTimeoutExpired
    ErrorMessage         : Microsoft.Exchange.InfoWorker.Common.Availability.TimeoutExpiredException: Request could not be processed in time. Timeout occurred during 'LookupRecipientsBatchBegin'.
                           . Name of the server where exception originated: Mailbox01
    ErrorDetails         : {}
    ErrorProperties      : {}
    Availability Error:
    CalendarEvents       : {}
    ViewType             : None
    MergedFreeBusyStatus : {}
    WorkingHours         :
    Result               : Error
    ErrorCode            : ErrorProxyRequestProcessingFailed
    ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException:
    AvailabilityAddressSpace 'adatum.local' couldn't be used because the Autodiscover endpoint couldn't be discovered.
                           . Name of the server where exception originated: Mailbox01
    ErrorDetails         : {}
    ErrorProperties      : {}
    Availability Error 2:
    CalendarEvents       : {}
    ViewType             : None
    MergedFreeBusyStatus : {}
    WorkingHours         :
    Result               : Error
    ErrorCode            : ErrorProxyRequestProcessingFailed
    ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AddressSpaceNotFoundException:
    Configuration information for forest/domain swelab.wayad.corp.wayport.net could not be found in Active Directory.
                              at Microsoft.Exchange.InfoWorker.Common.Availability.TargetForestConfigurationCache.FindByDomain(OrganizationId
    organizationId, String domainName)
                              at Microsoft.Exchange.InfoWorker.Common.Availability.QueryGenerator.GetTargetForestConfiguration(EmailAddress
    emailAddress)
                           . Name of the server where exception originated: Mailbox02
    ErrorDetails         : {}
    ErrorProperties      : {}
    Working:
    CalendarEvents       : {Microsoft.Exchange.WebServices.Data.CalendarEvent}
    ViewType             : FreeBusyMerged
    MergedFreeBusyStatus : {Free, Free, Free, Free...}
    WorkingHours         : Microsoft.Exchange.WebServices.Data.WorkingHours
    Result               : Success
    ErrorCode            : NoError
    ErrorMessage         :
    ErrorDetails         : {}
    ErrorProperties      : {}
    Start : 04/09/2014 00:00:00
    End : 04/12/2014 00:00:00
    Subject :
    Location :
    Testing Methodologies:
    While it is possible to dig through Outlook diagnostics and OWA, we ended up scripting these requests to save time. Microsoft support refuses to use the scripts, but they produce the same output that it takes them days to find in the logs, so I'll post them here to help anyone in the future.
    Through reading the documentation and experimenting, it appears that the Exchange 2013 CAS servers really do just proxy availability requests from the client to the mailbox servers. At least by default, it seems to pick a mailbox server in the same site, but which mailbox server in the site appears to be random. It will typically pick the same one repeatedly for a while.
    The first script uses the Microsoft Exchange Web Services Managed API 2.1:
    http://www.microsoft.com/en-us/download/details.aspx?id=42022
    You specify a source email address and a target address in the remote domain, and it creates a SOAP request that it sends to a CAS server of the source email address. The CAS proxies the request to the mailbox server, which either responds with a failure or the free/busy data.
    The second script takes the XML SOAP request generated by the first script and uses that to query a mailbox server directly. That allows you to test specific mailbox servers that are working or failing, instead of randomly using whichever mailbox server the CAS happens to select. I generated a SOAP request with the first script that I knew had some data, and then copy/pasted it into the second script to verify if data was being returned.
    I've deleted and recreated the availability address spaces in Contoso and Adatum for each other and Fabrikam multiple times. I've reset the password on the OrgWideAccount in both Adatum and Contoso, and viewed the lastBadPassword attribute in both ADs to verify it wasn't failing authentication. (A failed authentication also generates a 401 error that is returned to the client.) I can access the availability site of the other domain using the credentials of the OrgWideAccount without any errors ever.
    First Script:
    # Import the Exchange Web Services Managed API 2.1 assembly
    Import-Module -Name "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
    # Create the service object used to connect to Exchange.
    # You can specify a specific Exchange version, which I had to do to connect to 2007:
    #   Exchange2007_SP1, Exchange2010, Exchange2010_SP1, Exchange2010_SP2, Exchange2013
    # $ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1
    # $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)
    $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService
    # Authenticate as the account running the script
    $Service.UseDefaultCredentials = $true
    # Specify an SMTP address. The autodiscover URL from the associated mailbox will be used to connect to Exchange.
    # This is used to distinguish resolving from the 2007 server versus 2013.
    #$Service.AutodiscoverUrl("[email protected]") # For Exchange 2007
    $Service.AutodiscoverUrl("[email protected]") # For Exchange 2013
    # Increase the amount of output at the end to include the SOAP commands
    $Service.TraceEnabled = $true
    # Specify the time frame to get free/busy for: midnight today through the next 7 days
    $StartTime = [DateTime]::Parse([DateTime]::Now.ToString("yyyy-MM-dd 0:00"))
    $EndTime = $StartTime.AddDays(7)
    # Create the various objects needed to perform the EWS request
    $drDuration = New-Object Microsoft.Exchange.WebServices.Data.TimeWindow($StartTime, $EndTime)
    $AvailabilityOptions = New-Object Microsoft.Exchange.WebServices.Data.AvailabilityOptions
    $AvailabilityOptions.RequestedFreeBusyView = [Microsoft.Exchange.WebServices.Data.FreeBusyViewType]::DetailedMerged
    $Attendeesbatch = New-Object "System.Collections.Generic.List[Microsoft.Exchange.WebServices.Data.AttendeeInfo]"
    # Specify SMTP addresses of accounts to request availability for (AttendeeInfo converts from a plain string)
    #$Attendeesbatch.Add("[email protected]")
    $Attendeesbatch.Add("[email protected]")
    #$Attendeesbatch.Add("[email protected]")
    #$Attendeesbatch.Add("[email protected]")
    # Clear out old results so that a failed request doesn't still show information
    $availresponse = $null
    # Request the availability information from Exchange
    $availresponse = $Service.GetUserAvailability($Attendeesbatch, $drDuration, [Microsoft.Exchange.WebServices.Data.AvailabilityData]::FreeBusy, $AvailabilityOptions)
    # Show summary information, which would include errors
    $availresponse.AttendeesAvailability
    # Show all of the appointments in the requested time period
    foreach ($avail in $availresponse.AttendeesAvailability) {
        foreach ($cvtEnt in $avail.CalendarEvents) {
            "Start : " + $cvtEnt.StartTime
            "End : " + $cvtEnt.EndTime
            "Subject : " + $cvtEnt.Details.Subject
            "Location : " + $cvtEnt.Details.Location
        }
    }
    Second Script:
    # Change the server in this URL to specify which mailbox server to access
    $url = 'https://mailbox01.contoso.local:444/EWS/Exchange.asmx'
    # Uncomment the below lines if you want to query EWS using credentials other than
    # the ones used to run the script.
    #If(!(Test-Path variable:global:cred))
    # $cred = Get-Credential
    function Execute-SOAPRequest
    [Xml] $SOAPRequest,
    [String] $URL
    write-host "Sending SOAP Request To Server: $URL"
    $soapWebRequest = [System.Net.WebRequest]::Create($URL)
    # These appear to be the only things needed in the headers when making the request
    $soapWebRequest.ContentType = 'text/xml;charset="utf-8"'
    $soapWebRequest.Accept = "text/xml"
    $soapWebRequest.Method = "POST"
    If(Test-Path variable:global:cred)
    $soapWebRequest.Credentials = $cred
    Else
    $soapWebRequest.UseDefaultCredentials = $true
    write-host "Initiating Send."
    $requestStream = $soapWebRequest.GetRequestStream()
    $SOAPRequest.Save($requestStream)
    $requestStream.Close()
    write-host "Send Complete, Waiting For Response."
    $resp = $soapWebRequest.GetResponse()
    $responseStream = $resp.GetResponseStream()
    $soapReader = [System.IO.StreamReader]($responseStream)
    $ReturnXml = [Xml] $soapReader.ReadToEnd()
    $responseStream.Close()
    write-host "Response Received."
    return $ReturnXml
    # The specing and line returns in the below variable are important for some reason
    # For example, there must be a line return after the @' on the first line, or it's invalid...
    # Change the line with this:
    # <t:Address>[email protected]</t:Address>
    # to the email address in the domain you want to query
    $soap = [xml]@'
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
    <t:RequestServerVersion Version="Exchange2013_SP1" />
    <t:TimeZoneContext>
    <t:TimeZoneDefinition Name="(UTC-06:00) Central Time (US &amp; Canada)" Id="Central Standard Time">
    <t:Periods>
    <t:Period Bias="P0DT6H0M0.0S" Name="Standard" Id="Std" />
    <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/1" />
    <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/2007" />
    </t:Periods>
    <t:TransitionsGroups>
    <t:TransitionsGroup Id="0">
    <t:RecurringDayTransition>
    <t:To Kind="Period">Dlt/1</t:To>
    <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
    <t:Month>4</t:Month>
    <t:DayOfWeek>Sunday</t:DayOfWeek>
    <t:Occurrence>1</t:Occurrence>
    </t:RecurringDayTransition>
    <t:RecurringDayTransition>
    <t:To Kind="Period">Std</t:To>
    <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
    <t:Month>10</t:Month>
    <t:DayOfWeek>Sunday</t:DayOfWeek>
    <t:Occurrence>-1</t:Occurrence>
    </t:RecurringDayTransition>
    </t:TransitionsGroup>
    <t:TransitionsGroup Id="1">
    <t:RecurringDayTransition>
    <t:To Kind="Period">Dlt/2007</t:To>
    <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
    <t:Month>3</t:Month>
    <t:DayOfWeek>Sunday</t:DayOfWeek>
    <t:Occurrence>2</t:Occurrence>
    </t:RecurringDayTransition>
    <t:RecurringDayTransition>
    <t:To Kind="Period">Std</t:To>
    <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
    <t:Month>11</t:Month>
    <t:DayOfWeek>Sunday</t:DayOfWeek>
    <t:Occurrence>1</t:Occurrence>
    </t:RecurringDayTransition>
    </t:TransitionsGroup>
    </t:TransitionsGroups>
    <t:Transitions>
    <t:Transition>
    <t:To Kind="Group">0</t:To>
    </t:Transition>
    <t:AbsoluteDateTransition>
    <t:To Kind="Group">1</t:To>
    <t:DateTime>2007-01-01T06:00:00.000Z</t:DateTime>
    </t:AbsoluteDateTransition>
    </t:Transitions>
    </t:TimeZoneDefinition>
    </t:TimeZoneContext>
    </soap:Header>
    <soap:Body>
    <m:GetUserAvailabilityRequest>
    <m:MailboxDataArray>
    <t:MailboxData>
    <t:Email>
    <t:Address>[email protected]</t:Address>
    </t:Email>
    <t:AttendeeType>Required</t:AttendeeType>
    <t:ExcludeConflicts>false</t:ExcludeConflicts>
    </t:MailboxData>
    </m:MailboxDataArray>
    <t:FreeBusyViewOptions>
    <t:TimeWindow>
    <t:StartTime>2014-04-03T00:00:00</t:StartTime>
    <t:EndTime>2014-04-10T00:00:00</t:EndTime>
    </t:TimeWindow>
    <t:MergedFreeBusyIntervalInMinutes>30</t:MergedFreeBusyIntervalInMinutes>
    <t:RequestedView>DetailedMerged</t:RequestedView>
    </t:FreeBusyViewOptions>
    </m:GetUserAvailabilityRequest>
    </soap:Body>
    </soap:Envelope>
    '@
    $ret = Execute-SOAPRequest $soap $url
    # Uncomment out one of the below two lines to get output in different alternative formats
    #$ret | Export-Clixml c:\temp\1.xml;Get-Content c:\temp\1.xml
    #$ret.InnerXml
    # If the request is successful, show the appointments, otherwise show the failure message
    If ($ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.ResponseMessage.ResponseClass -eq 'Success') {
        $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.FreeBusyView.CalendarEventArray.CalendarEvent
    } Else {
        $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.ResponseMessage
    }

    In this case, the SMTP domain is the same as the AD domain.  If the wrong domain were configured then the connection would never work, as opposed to sometimes work.
    RunspaceId            : abb30c12-c578-4770-987f-41fe6206a463
    ForestName            : adatum.local
    UserName              : adatum\availtest
    UseServiceAccount     : False
    AccessMethod          : OrgWideFB
    ProxyUrl              :
    TargetAutodiscoverEpr :
    ParentPathId          : CN=Availability Configuration
    AdminDisplayName      :
    ExchangeVersion       : 0.1 (8.0.535.0)
    Name                  : adatum.local
    DistinguishedName     : CN=adatum.local,CN=Availability Configuration,CN=Wayport,CN=Microsoft
                            Exchange,CN=Services,CN=Configuration,DC=contoso,DC=local
    Identity              : adatum.local
    Guid                  : 3e0ebc2c-0ebc-4be8-83d2-077746180d66
    ObjectCategory        : contoso.local/Configuration/Schema/ms-Exch-Availability-Address-Space
    ObjectClass           : {top, msExchAvailabilityAddressSpace}
    WhenChanged           : 4/15/2014 12:33:53 PM
    WhenCreated           : 4/15/2014 12:33:35 PM
    WhenChangedUTC        : 4/15/2014 5:33:53 PM
    WhenCreatedUTC        : 4/15/2014 5:33:35 PM
    OrganizationId        :
    OriginatingServer     : dc01.contoso.local
    IsValid               : True
    ObjectState           : Unchanged

  • Cross-forest user administration

    I have created a cross-forest trust between DSfW domain and MSAD domain. In both domains, I have added one user (call him CrossAdmin) as member of Builtin\Administrators group.
    I can log in to the DSfW domain as CrossAdmin and successfully administer users in the MSAD domain using "Active Directory Users and Computers". But the reverse doesn't work. If I log in to the MSAD domain as CrossAdmin and in "Active Directory Users and Computers" try to switch to the DSfW domain, I get an error message:
    "The domain dsfwdomain.oursite could not be found because: Access is denied".
    At the same time, the following is logged to /var/log/messages on the DSfW server:
    krb5kdc: [KDC] Regenerating authorization data for cross-realm client [email protected]
    krb5kdc: [KDC] Failed to locate PAC principal data buffer
    krb5kdc: [KDC] PAC lacks principal name authenticator
    krb5kdc: [KDC] Ticket for client [email protected] is not bound to PAC
    Is this a restriction by design, or can it be made to work somehow?

    vatson,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://www.novell.com/support and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Forums Team
    http://forums.novell.com

  • Cross Forest User GPOs not applying

    I know I've read a ton of forums concerning this issue and most were resolved, but nothing I've read so far has helped, and I'm really hoping there are a few ideas out there that I have missed.
    We have two forests: a new 2012 forest and a 2008 forest at a 2003 forest level, with a two-way forest trust.
    We are able to log in to computers in the 2012 forest, regardless of domain, with any user in the 2008 forest. However, we are setting up our workstation environment in the 2012 forest, which requires us to apply user policies. All users are in the
    2008 forest. We have enabled the "allow cross-forest policy" setting and applied loopback processing to the OU where the client machines are located in Active Directory. We have verified the trust on both sides and tested DNS using nslookup on both sides.
    The DCs for both forests are located in the same physical building but on two different subnets. The WAN guy has assured us that there are no ACLs involved. The firewall has been shut off on all DCs and all workstations. I see no LSA errors
    on the DCs. Each forest has a stub DNS zone for the other forest's zones. I've been able to successfully set up computer GPOs to map drives for the users when they log in to 2012 clients.
    I'm completely lost as to what else we need to be looking at to solve this problem. Any suggestion would be most welcome.

    Hi,
    Before going further, what settings have we configured? Which loopback mode have we chosen, Merge or Replace? What are the operating systems of our clients?
    For further troubleshooting, we can follow the article below to collect the Gpsvc.log file.
    How to enable GPO logging on windows 7 /2008 r2 ?
    http://blogs.technet.com/b/csstwplatform/archive/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2.aspx
    After getting the log, you may upload it to OneDrive and provide us the download link.
    Besides, we can try using netmon.exe to further trace network to see if this is caused by network traffic.
    Microsoft Network Monitor 3.4
    http://www.microsoft.com/en-in/download/details.aspx?id=4865
    How to use Network Monitor to capture network traffic
    http://support.microsoft.com/kb/812953/en-us
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen

  • DHCP Migration - Cross Forest

    I have an existing AD - oldco.com, with DHCP configured.
    I am now migrating the entire AD infrastructure to a new domain - newco.com.
    The migration of computers will be phased over a period of weeks / months.
    DHCP scopes will remain the same, however DNS servers will be different (new DNS servers in the new AD).
    Can someone please validate this approach:
    1. Set up conditional forwarders on oldco.com DNS servers for newco.com.
    2. Migrate PCs from oldco.com to newco.com using ADMT (DHCP is not domain dependent, so PCs should pick up a DHCP lease from the oldco.com DHCP server; oldco.com DNS settings will be applied but conditional forwarding will be in place). (I could also just add newco.com
    DNS servers to the oldco.com DHCP scope settings?)
    3. After all PCs have been migrated to newco.com, migrate the DHCP databases from oldco.com to newco.com DHCP servers (edit DNS settings to use newco.com DNS servers).
    4. De-authorise oldco.com DHCP servers, authorise newco.com DHCP servers.
    I have completed several DHCP migrations previously in the same forest so I am ok with steps 3 and 4. It is really the cross-forest element that I am concerned with.

    Hi,
    According to your description, my understanding is that you want to migrate the current AD infrastructure to a new domain, and need to confirm your plan for migrating DHCP.
    Clients will obtain an IP lease from the DHCP server which provides them the DHCPACK message. If there is only one DHCP server, clients will still obtain an IP lease from the old DHCP server. It is better to set conditional forwarders (to transfer DNS queries to the
    new domain) instead of adding the new DNS server to the scope option. Or you may create a secondary zone on the old DNS server to obtain a read-only copy of the zone file from the new DNS server.
    Manually assigning the new DNS server in the client's TCP/IP properties is needed when the client joins the new domain.
    You may do lab tests before migration. And remember to backup related data.
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
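    A check for the DNS prerequisite the migration plan above depends on (step 1, conditional forwarders on the old forest's DNS for newco.com), written as an added example that is not from this thread: it creates the forwarder if it is missing and then confirms that the domain controller locator SRV records for the new domain resolve through the old DNS server. The server names and addresses are constructed for illustration, and the DnsServer module (Windows Server 2012 or later) is assumed on the old DNS server.

```powershell
# Added example, not from the thread. Names and addresses below are constructed.
param(
    [string]$OldDnsServer    = 'dns01.oldco.com',
    [string]$NewDomain       = 'newco.com',
    [string[]]$NewDnsServers = @('10.20.0.10', '10.20.0.11')
)

function Ensure-ConditionalForwarder {
    param([string]$Domain, [string[]]$Masters, [string]$Server)
    # Step 1 of the plan: oldco.com DNS forwards newco.com queries to the new forest.
    $existing = Get-DnsServerZone -ComputerName $Server -Name $Domain -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-DnsServerConditionalForwarderZone -ComputerName $Server -Name $Domain `
            -MasterServers $Masters -ReplicationScope 'Forest'
        Write-Host "Created conditional forwarder for $Domain on $Server"
    } elseif ($existing.ZoneType -ne 'Forwarder') {
        # A stub or secondary zone of the same name also answers; report it instead of overwriting.
        Write-Warning "$Domain already exists on $Server as zone type $($existing.ZoneType)"
    } else {
        Write-Host "Conditional forwarder for $Domain already present on $Server"
    }
}

function Test-ForestLocatorRecords {
    param([string]$Domain, [string]$Server)
    # A PC that has joined newco.com but still receives oldco.com DNS servers from the
    # unchanged DHCP scope must be able to find newco.com DCs and KDCs via these records.
    $records = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain"
    )
    foreach ($name in $records) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $Server -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Record  = $name
            Found   = [bool]$srv
            Targets = if ($srv) {
                ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
            } else { '' }
        }
    }
}

Ensure-ConditionalForwarder -Domain $NewDomain -Masters $NewDnsServers -Server $OldDnsServer
$check = Test-ForestLocatorRecords -Domain $NewDomain -Server $OldDnsServer
$check | Format-Table -AutoSize
if ($check.Found -contains $false) {
    Write-Warning "Some locator records for $NewDomain do not resolve via $OldDnsServer; fix DNS before migrating PCs with ADMT."
}
```

Run it on the old DNS server (or with -ComputerName pointing at it) before the first ADMT batch; a Found value of False on any record means migrated PCs would be unable to locate the new domain's DCs.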

  • Cross-forest access to public folders Exchange 2013-2007

    Dear.
    We have an Exchange 2007 org in one forest and an Exchange 2013 org in another forest.
    User accounts remain in the 2007 AD, mailbox moved to Exchange 2013 in the other forest, so a linked mailbox.
    What do I need to do in the Exchange 2007 public folders to give the migrated mailboxes (not migrated users) access to these public folders?
    Thanks for the support.
    Regards.
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Stephen,
    Do you have a trust between the Exchange 2007 forest and the Exchange 2013 forest? Please set up a trust between the two forests. Then set the public folder client permission to see if we can access the public folders.
    If not, since public folder cross-forest migration is not supported from an Exchange 2007/2010 forest to an Exchange 2013 forest, refer to these forum threads:
    http://social.technet.microsoft.com/Forums/office/en-US/51da1b97-fbb1-4f81-87da-c3370960c4ab/crossforest-public-folder-migration?forum=exchangesvrdeploy
    http://social.technet.microsoft.com/Forums/office/en-US/663f0dc3-a977-408a-93c7-94584fbefc62/public-folder-issue-cross-forest-migration-exchange-2010-to-2013?forum=exchangesvrdeploy
    Title: Migrate Public Folders to Exchange 2013 From Previous Versions
    Link: http://technet.microsoft.com/en-us/library/jj150486(v=exchg.150).aspx
    So for public folder migration, the only supported path is cross forest 2007/2010 to 2007/2010 and then inter forest 2007/2010 to 2013. Or we can first export all the public folders to PST from the Exchange 2007 forest, then import the PST into the Exchange 2013 forest.
    Regards, Eric Zou

  • SCCM 2012 - Network requirements for Client communication to primary in a Cross Forest Environment

    Hello, I have been trying to get some definitive answers on what network traffic is required between a client and a primary site versus a secondary in a cross forest scenario.
    Here is the scenario:
    Company A has an existing SCCM 2012 primary Site. Company B (Separate Forest) has now been brought in. One subnet on each side can route to each other and using that one subnet a two way forest
    trust has been setup. But the remote offices have IP address overlaps between companies. At some point in the future all assets on company B will be re-IP and brought over to Company A domain. But in the interim it would be nice to get SCCM cross forest clients
    working. Upgrading to a CAS model with two Primaries would not be preferred here as this is a temporary solution. 
    My questions are as follows.
    If a secondary site is deployed into Company B's forest/network: I have seen people online allude to clients still needing to communicate with the Primary located at Company A, even though they
    are assigned to a secondary on Company B's network. Is this true? Are there any workarounds for this? Is a NAT back to the primary acceptable, or is reverse lookup required?
    Will the Primary need to communicate directly with the clients in Company B? If this is in fact a requirement, then this would be a show stopper. But if it's only needed for things like client push,
    then we could work around it.
    Thanks

    "But the remote offices have IP address overlaps between companies"
    Technically, this is unsupported because clients, depending upon your boundaries, will not be able to find a local DP since they use IP addresses for this. The only way to work around this is to use AD Site boundaries.
    "though they are assigned to a secondary"
    Clients are *never* assigned to a secondary site -- that's not what secondary sites are for. Yes, clients require communication with an MP in the primary site where they are assigned. There is no way to change this or work-around this except to put
    an MP from the primary site closer to those clients and use the new MP affinity option in R2 CU3.
    Reverse lookups are only used to verify names by applications that wish to have this type of functionality (which are very few in number) and have nothing to do with true network traffic. NATing is an issue for the reason I gave above -- DP location.
    Remote control, client push, and WoL won't work either because there is no way for the traffic to reach the destination behind the NAT.
    All client *agent* communication in ConfigMgr is client initiated in ConfigMgr (remote control, client push, and WoL -- as just mentioned -- are sort of exceptions to this but they don't really involve the client *agent*.)
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Active Directory cross forest trust which are deployed in separate subscription

    Hi All,
    I know that this is not an Azure forum, but I have a question related to Active Directory. I appreciate your understanding and would like to hear your concerns about an AD cross-forest trust between two subscriptions of Azure.
    We have two separate subscriptions of Windows Azure under one Global Account. Previously these two subscriptions were treated as separate companies, each with its own forest and domain. These two companies do not have any site-to-site
    VPN with each other over the WAN, but each company has a site-to-site connection with Azure for its own subscription.
    Additional domain controllers for both subscriptions are deployed in Azure in order to authenticate the servers which are already deployed in Azure.
    Due to some reasons these companies are merging together, and they want to have a cross-forest trust between the two companies. As we do not have any WAN connection between these two companies, the question has been raised whether we can
    create a cross-forest trust between the two Active Directories, given that both companies' Active Directories are deployed in Azure.
    Can we achieve this, and how can we achieve it? I know that we can expose servers in Azure over the internet by creating endpoints and allowing ACLs in order to accept connections from specific public IPs.
    My question is: can we achieve this, and is it supported by Microsoft? If yes, is there anything we have to consider before deploying it?
    Thanks
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    No, I am not using Windows Azure Active Directory at all; I have deployed additional domain controllers from each forest in each subscription.
    For example in subscription 1 we have additional domain controller of forest 1 and in subscription 2 we have additional domain controller of forest 2.
    Thanks
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync
