Domain setup for 2012

I am working in Microsoft Windows Server 2012. I have made a Domain Controller for my first Forest, "mysite.com", using the "ADDS Configuration Wizard".
Now I want to create a new Domain in mysite.com as domain1.mysite.com using the same Wizard using the second option.
I run through (see bottom for PS) and I make it all the way to "Prerequisites Check" and I get this error:
"Verification of prerequisites for Domain Controller promotion failed. The specified argument 'ChildName' was not recognized."
Here is my PS code:
# Windows PowerShell script for AD DS Deployment
Import-Module ADDSDeployment
Install-ADDSDomain `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$true `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainType "ChildDomain" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NewDomainName "domain1" `
-NewDomainNetbiosName "DOMAIN1" `
-ParentDomainName "mysite.com" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

What if you try using child instead?
You can simply use the UI and then click on View Script to get the script.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK

Similar Messages

  • I want setup for sccm 2012 read only console

    I want setup for sccm 2012 read only console

    There is a role, read only analyst; please assign the same to the user or group.

  • Event 12014, MSExchangeTransport - Domain is setup for .Local, new Cert renewal is set to use external DNS

    Microsoft Exchange could not find a certificate that contains the domain name XYZMail.XYZ.Local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default XYZMAIL with a FQDN parameter
    of XYZMAIL.XYZ.Local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists,
    run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
    My domain is configured to be a .Local domain and my external is at a .US domain (I realize that the .Local is non preferred setup now).  I'd like to change that but it's a very large undertaking. I'm exploring my options of how to make this function
    properly within Exchange 2010.  I realize I can change the Certificate, but that will only get me until October 2015, as I'll be forced to remove the .Local at that point from the Cert. 
    Default XYZMAIL Is my incoming mail Receive Connector, so it cannot be easily changed.  Is there a work around to resolving this issue without massive changes?  If it helps at all, I'm also in the early stages of moving to Exchange 2013,
    if that would make this resolution easier.  Any advice is greatly appreciated. 

    Hi,
    According to this error, please try the following steps to check this issue:
    1. Run get-ExchangeCertificate via EMS.
    2. Write down the Thumbprint of the certificate that reflects the required FQDN name of the server.
    3. Review the current certificates that are used by the Exchange server and each certificate's function.
    4. Then run Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services "SMTP"
       (The value of -Thumbprint obtained in stage 2.)
    5. Restart the Exchange server.
    If this doesn't help, we should consider renewing the certificate.
    And this document for reference:
    https://technet.microsoft.com/en-us/library/bb510128%28EXCHG.80%29.aspx?f=255&MSPPError=-2147217396
    Best Regards.
    Lynn-Li
    TechNet Community Support

  • DNS Setup for Lion.

    I'm a little confused with the DNS setup for Lion Server.
    My scenario is this.
    I have a router, IP 10.0.0.1.
    Server running DNS is manually set to 10.0.0.253.
    FQDN for the server is server1.mycompany.net (it is proper registered and live domain name I have used)
    Externally I use Dyndns to point external folks to mycompany.net, and through the correct ports I can hit the router/gateway with the URL. This confirms that Dyndns is working.
    I have forwarded Port 80 on the router to 10.0.0.253.
    Currently I have set DNS to have a zone of mycompany.net. Within the zone I have a machine record server1.mycompany.net set to 10.0.0.253
    I think I have set the reverse lookup correctly, but the way it is shown in the DNS record looks strange (IP address looks backwards and says something about ARPA).
    Web Server is running on the server.
    Currently if I go to a web browser inside the LAN and use either www.server1.mycompany.net or www.mycompany.net (or the same without the www) I get an error message. The same occurs outside the lan on an internet connected machine.
    If I enter 10.0.0.253 from inside the lan, I get the Mac WebServer default screen, showing the server is working fine.
    I'm guessing I have made a mess of setting up DNS.
    I'm looking at some point set up a small website, just to prove to myself I can get this working, but I can't work out what I have done wrong.
    Can anyone suggest where to look?
    TIA

    Right now down to diagnostics
    in terminal on server type
    william:~ william$ dig www.wenatcheefirst.org
    below is what i get  copy what you get
    ; <<>> DiG 9.7.3-P3 <<>> www.wenatcheefirst.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29412
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.wenatcheefirst.org.                    IN          A
    ;; ANSWER SECTION:
    www.wenatcheefirst.org.          3600          IN          CNAME          wenatcheefirst.org.
    wenatcheefirst.org.          3600          IN          A          205.186.154.164
    ;; AUTHORITY SECTION:
    org.                              126088          IN          NS          a2.org.afilias-nst.info.
    org.                              126088          IN          NS          d0.org.afilias-nst.org.
    org.                              126088          IN          NS          b0.org.afilias-nst.org.
    org.                              126088          IN          NS          a0.org.afilias-nst.info.
    org.                              126088          IN          NS          c0.org.afilias-nst.info.
    org.                              126088          IN          NS          b2.org.afilias-nst.org.
    ;; Query time: 430 msec
    ;; SERVER: 192.168.88.250#53(192.168.88.250)
    ;; WHEN: Fri Apr 13 20:08:06 2012
    ;; MSG SIZE  rcvd: 208

  • I need help with proper DNS setup for 10.5.8 Server

    I'm administering a 10.5.8 server that I sold and setup about a year ago. I'm experiencing issues with getting iCal server to be happy. All of the clients are running 10.5.8, but I'm running 10.6.1. I've heard from others that connecting iCal in 10.6 to a 10.5 iCal Server should be no problem.
    I'm beginning to think that I have DNS issues. Probably because I'm not and never have been 100% certain how to set it up completely correctly. I used to be able to get Kerberos tickets, but now I can't. With the new "Ticket Viewer" in 10.6, it asks for two bits of information. First is "Identity" where I'm guessing I should put [email protected] and then password. When I do this I get an alert dialog that says "Kerberos Error -- cannot resolve network address for KDC in realm example.com"
    The server is a Mac Pro tower with two Ethernet ports. En2 is connected directly to the Internet and has a static IP with a domain name assigned to it. We'll call it "example.com" for the purposes of the discussion. The En1 is connected to the network switch and has a static LAN IP of 192.168.1.250. All clients inside and outside are able to reach the server via domain name for WWW & AFP, no problem.
    nslookup on the static IP address returns "example.com" and nslookup on "example.com" returns the correct static IP address. Open Directory is running and happy including Kerberos. The LDAP search base is "dc=example,dc=com". The LDAP search base is a concept I haven't quite grasped, so I'm just going to assume it's correct.
    The domain name is hosted outside by a service provider that forwards all "example.com" requests to the server with the exception of mail.
    In DNS, I have three "sections" that look like this:
    Name                        Type             Value
    1.168.192.in-addr.arpa.     Reverse Zone     -
    192.168.1.250               Reverse Mapping  example.com.
    000.000.00.in-addr.arpa.    Reverse Zone     -
    000.000.000.000             Reverse Mapping  example.com.
    com.                        Primary Zone     -
    mail.example.com.           Alias            mail.our-email-isp.com.
    example.com.                Machine          Multiple values
    www.example.com.            Machine          Multiple values
    NOTE: the zeros aren't actually zeros, they are the static IP assigned to the server/domain
    When I select the top element "1.168.192.in-addr.arpa." down below "Allows zone transfer" is NOT checked. Nameservers shows the zone as "1.168.192.in-addr.arpa." and the Nameserver Hostname as "ns.example.com."
    When I select the next line down "192.168.1.250", Resolve 192.168.1.250 to: example.com.
    When I select the "000.000.00.in-addr.arpa." element, it has the same settings -- nameservers "000.000.00.in-addr.arpa." and "ns.example.com."
    When I select the next line down (our static IP), Resolve 000.000.000.000 to: example.com.
    When I select "com." the admin email is populated with a valid email address, Allows zone transfer is NOT checked. In nameservers, Zone is "com." and Nameserver Hostname is "example.com." The mail exchangers are mail2.our-email-isp.com. priority 10 and mail.our-email-isp.com. and priority 20.
    When I select the machine "example.com." it shows both the real-world static IP and the 192.168.1.250, same with "www.example.com.".
    Am I doing something wrong with this setup? Should "com." be the primary zone or should that be "example.com." ???
    I've been thinking about getting rid of the DNS entry for the 192.168.1.250 address altogether, but will the clients in the office suffer performance issues??? I do not think that the client workstations are configured to get DNS from the server anyway. Should the "www.example.com." record be a Machine record or should it be an alias record?
    Any help you have to offer is greatly appreciated! Thanks!
    In the meantime, I'm going to look around and see if I can understand "Allows zone transfer" and LDAP Search base a bit better.

    Okay, I found a lovely article at the following address which I think helps me to clarify what I'm doing wrong. Despite that, I'd still like to have any feedback you have to offer.
    http://www.makemacwork.com/configure-internal-dns-1.htm
    Also, when editing DNS entries, Server Admin likes to set the nameserver to "ns." -- whatever your domain is. Should I be overriding that and if so, replace it with what?

  • Office 2013 RMS Client Configuration - Your Machine is not setup for IRM

    Hi All,
    I have successfully setup a test AD RMS farm but stuck at trying to configure Office 2013 to work with this. The farm configuration is as below
    DC: Windows 2003 
    AD RMS Server: Windows 2008/ SQL Server 2008 R2
    Client: Windows 7 64 bit with Office 2013 32 bit, Domain Joined
    Client is domain joined and SCP has been successfully registered ( I can see the SCP in AD RMS properties).
    When I open word and select Protect Document -> Restrict Access, the only option is to Connect to RMS Server and get template, which eventually gives an error
    Your Machine isn't setup for Information Rights Management (IRM). To set up IRM, sign in to office, open an existing IRM protected message or document, or contact your help desk.
    Surprisingly, when I open a document protected by IRM (from a different machine), IRM is automatically configured for the user and starts working from that point. However any new domain user login into this client faces the same issue.
    Can anyone help identify the required registry keys that need to be present for getting this working on the client.
    Thanks for your help
    Anuj

    Hi  Manoj,
    To install Microsoft Deployment Agent, you must be a member of the Windows
    Administrators security group on the computer where you will install it. You must also be a member of the
    Release Manager role in Release Management.
    From the log, the user you're using does not seem to be in the local administrator group. Please make sure the corresponding user has the needed permissions to install the deployment agent. Please check this
    page for more information about installation of the deployment agent. If you have any other issues, please elaborate with more details about your scenario.
    Best regards,

  • Why is Domain required for an identity in the FIM Service?

    I have a scenario where FIM is managing identity, but not all identities have an Active Directory account. I have a flag in the FIM Portal (Service) that indicates if a particular
    user is entitled to an AD account or not. My provisioning setup adds or removes the AD account as appropriate. To support FIM Portal activities for those that do have AD accounts, I populate AccountName, Domain, and ObjectSID in the FIM Service from their
    corresponding attributes in AD.
    What I have noticed is that it does not seem possible to null out or delete the Domain attribute for a user in the FIM Service. I can delete the attributes for both AccountName
    and ObjectSID without issues.
    When attempting to remove the Domain attribute for a user I get the following in the event logs:
    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain'
    expects parameter '@domainName', which was not supplied.
    I assume that something internal to the FIM Service is trying to do some magic with validating the domain name and the domain configuration. I did find a post saying, “Yeah, you have to populate Domain”:
    http://social.technet.microsoft.com/Forums/en-US/f207caa9-3a6f-4f2d-8461-a83777280803/fim-service-ma-export-failedmodificationviawebservices-error?forum=ilm2
    My question is why is Domain required for a user? It is obviously needed for users that have AD accounts and must authenticate with the Portal, but in the case where a user
    does not have an account (and therefore does not have a domain), it feels odd to store the incorrect data for the user. It also looks weird when you bring up list of users in the portal and see domain values for users that do not have accounts. In this particular
    case, the client has many domains and does have the Domain and AccountName attributes displayed on the user search results page.

    Hi Henry,
    Using another domain attribute and workflow to maintain the actual Domain and DomainConfiguration is a good suggestion, thanks.
    My original question still stands however... Why is Domain required in the FIM Service?
    It is sounding like the answer is "It is not really required on its own, but there is an internal process that requires it if there is a value for DomainContext set (and there is some magic that sets DomainContext, so you have to manually clear it.)"
    Since DomainContext is automatically set when a client writes a value to Domain, I would suggest that it is a bug that DomainContext is not automatically cleared when Domain is cleared.
    I poked around a bit and the bug can be fixed by changing the stored procedure definition to allow null parameters. In the FIM Service database the stored procedure [fim].[GetDomainConfigurationIdentifiersFromDomain] has a parameter declaration of "@domainName
    NVARCHAR(448)". If this is changed to "@domainName NVARCHAR(448) = null" the problem appears to be solved.
    Making this change would of course be totally unsupported, but perhaps it can be included in a future product update.
    For now I will use Henry's workaround, or just live with potential out of date Domain data.
     Thanks

  • Best practices for setting up Domain controller for our remote European offices

    Hi,
    We have about 17 remote sites across Europe (HQ in UK), I want to start revoking the offices local DC's and host them in a couple of Cloud servers in Germany with local NAS boxes for file storage. I will have MPLS network between the offices to the Cloud
    DC.
    Now what would be the best practices and tips for this situation in respect to the DC's. How can I prioritize the remote offices to use the Cloud DC/DNS and not our DC at our HQ in the UK. Would it be better to have a sub-domain created (europe.company.co.uk)
    for the other offices.
    Any suggestions on this setup for the DC

    Hiya,
    on the conceptual level. The reason for having local DC's, is that if the local sites internet line is offline, people are still able to authenticate and access local resources. From that point of view, you might as well just run with your HQ DC's only. Note:
    the cloud does offer availability on their services, that might not be matched by your HQ in terms of double internet lines.
    That said.
    The DNS server of the clients as well as the sites & services of Active Directory. Your clients will use the nearest domain controller available from sites and services information.
    Managing Intersite Replication
    http://technet.microsoft.com/en-us/library/cc794799%28v=ws.10%29.aspx

  • AEBS "Ghost" Router Issue - The Challenge for 2012 (and it's only January)

    Yes, it's a bold statement to claim that I have the biggest issue so far for 2012. Why may you ask? Because I've stumped RCN (ISP), Access Media 3 (ISP), Apple Tech Support, and Cisco Tech Support. Here's the challenge for you to see if you can figure it out:
    ***Also, sorry for the long-winded post. I've spent over 20 hours on this issue and racked up a lot of info to share with you. So please bear with me***
    I used to own a Linksys E4200 router (early 2011), which I set up using the wireless network name (for example) "wifi-box". Due to performance issues, I returned the router back to Linksys in April 2011. Shortly thereafter, I purchased a used AEBS. I performed a factory reset (not a hard reset, as I know the difference between the two) before setting up my network. Things worked great from April to Dec. 2011.
    On Jan. 1st, 2012, the building that I live in switched ISPs. I used to have RCN, and now have Access Media 3 (AM3). Both provide the same type of connection - cable - and both provided me with a modem (not sure the model of the one that RCN provided to me, but AM3 gave me a Surfboard 5101N...shudder). Once the transition from RCN to AM3 took place, I performed another factory reset on the AEBS before setting up my network from scratch.
    Now, here's where things start to get weird. I "Created a wireless network" on my AEBS, entered in the name "wifi-box" (to keep it the same as before) as the wireless network name, and followed the rest of the steps until I updated the router. Shortly after the AEBS restarted, I received a "Dual (or double) NAT" error right off the bat. Looking into the issue further, there were now 2 wireless network names called "wifi-box"?!? Huh?!? The actual name isn't "wifi-box", but was something quite unique. So it was easy to tell that it was (once) my wireless name.
    The next 5 hours were a blur of reconfiguring, resetting, unplugging, etc. anything that is connected to my network. Nothing worked. During all of this, I also switched the name of the AEBS to (for example) "apple-wifi".
    As a last resort, I unplugged everything - the Surfboard, the AEBS, wiped all Airport Util profiles off my 2 Macs, wiped my profile off my 1 PC, shut them down, did the same for my iPhone 3G, shut off the power strip that the modem and AEBS were connected to, and unscrewed the coax cable from the wall. I had a friend come over with his laptop, which he never brought over before, and had him search for a wifi signal. As you would guess, "apple-wifi" didn't appear...BUT "WIFI-BOX" WAS AVAILABLE TO CONNECT TO!!! Arrrgggg!!
    At this point it seems that the profile is somewhere outside of my condo. But where???
    Moving along, I used a tool called WiFi Stumbler to see if that could help shed some light on my issue. What I found was unheard of. The wireless name "wifi-box" was linked to a Linksys router. Once I discovered this, I logged into my Linksys profile (192.168.1.1) to see if it still worked. IT DID!!! However, that was short lived, because as soon as I clicked on a tab, I was booted out. On top of that, I couldn't log back in. Not sure if this is because it was looking for the Linksys router or not. Whatever the reason...it's just flat out weird.
    Because the password to log into my old Linksys profile was the same, it somewhat leads me to believe that someone doesn't have the same wireless name that I do.
    Over the past two days, I talked to RCN, Linksys, Apple Tech, AM3, had an AM3 tech out to look at it...no one knew what the issue was. When I talked to Apple, they thought it might be the Surfboard. The tech said that the Surfboard is also a router, which is why the "dual NAT" error is taking place. However, I then spoke to AM3 and they told me the Surfboard was only a modem. I looked it up online, and it's just a modem. Also, I was able to get rid of the "dual NAT" error, but yet I still cannot connect.
    My current error msg is: "Airport has the self-assigned IP address 169.XXX.XXX.XXX and will not be able to connect to the Internet". The AirPort indicator light in my Network Preferences is orange, but the AEBS indicator light is green (and is reporting no issues).
    To end this, (if you're still reading), any help that you may have is greatly appreciated. Everyone I spoke to is stumped. I'm not sure where to go next from here. If you know anything, please let me know. As a quick recap, here are my current settings:
    Devices:
         1) MacBook Pro (2011), OSX Lion;
         2) MacBook (2009), OSX Snow Leopard;
         3) IBM Lenovo PC, Win XP SP2
         4) iPhone 3G (iOS 4.2)
    Modem:
         Former modem: unknown
         Current router: Surfboard SB5101N
    Router:
         Former router: Linksys E4200 (wireless network name "wifi-box")
         Current router: AEBS - Apple AirPort Extreme Base Station - Simultaneous Dual-Band MC340LL/A (wireless network name "apple-wifi")
         # of Router in my condo: 1
    ISP:
         Former ISP: RCN
         Current ISP: Access Media 3
    Thanks and good luck (to you and me)

    Thanks Tessarax,
    Thanks for the reply, and no worries about the long form answer. Yesterday, I went through your process twice (for good measure). I also unplugged/shut down everything overnight and tried it once again today. Unfortunately, the results are the same.
    My network is currently up and running, albeit a limited connection. It's still producing the "Double NAT" error. My Internet is set up as follows:
    These are the settings for "apple-wifi" in the AirPort Util.:
    Connect Using: Ethernet
    Ethernet WAN: Automatic
    Connection Sharing: Share a public IP address. ("Bridge Mode" and "Distribute a range of IP addresses" cause additional errors which bring down the network. These errors include setting a DHCP beginning/ending address and no Internet connection. I tried setting the DHCP beginning/ending address several times, but the AEBS never accepts my entries.)
    IP: 10.XXX.XXX.XXX
    DHCP: Beginning/Ending Address: 172.XXX.XXX.XXX
    DNS: 8.8.8.8, 8.8.4.4
    These are the settings for "wifi-box" in the Network Preferences:
    IP: 192.XXX.XXX.XXX
    DNS Servers: 8.8.8.8, 8.8.4.4
    Search Domains: 221am3.com
    802.1X: No profiles (I deleted them)
    Bypass proxy settings for these Hosts & Domains: *.local, 169.XXX/XX
    Use Passive FTP Mode (PASV): checked
    MAC Address: same as "apple-wifi"
    These are the settings for "apple-wifi" in the Network Preferences:
    IP: 172.XXX.XXX.XXX
    DNS Servers: 172.XXX.XXX.XXX
    Search Domains: 221am3.com
    802.1X: No profiles (no profiles were available for "apple-wifi")
    Bypass proxy settings for these Hosts & Domains: *.local, 169.XXX/XX
    Use Passive FTP Mode (PASV): checked
    MAC Address: same as "wifi-box"
    Two new discoveries that I uncovered yesterday are as follows:
    1. 802.1X (under Network Preferences): There were 3 profiles that I deleted from this tab last week. After resetting the network, they came back. Whether they were present or deleted, it didn't affect the connectivity of my network. Just mentioning that these profiles came back after deletion (I deleted them again).
    2. Yesterday, the network in my building went down for a few hours. I noticed that neither "wifi-box" nor "apple-wifi" were available to connect to. This is an obvious insight, but it seems that when "wifi-box" is unavailable, "apple-wifi" is unavailable as well. However, 'wifi-box' has always been available even when "apple-wifi" is down. Sounds like my Internet signal follows this path:
    AM3 > Condo building > "wifi-box" > my condo > Surfboard modem > AEBS "apple-wifi" > my devices (laptops, iPhone, Xbox, etc.)
    Two new questions:
    1. What is DHCP Client ID and is this something that I need to provide?
    2. Could the cables that I'm using cause any problems? Here's the cable that I'm using and the connections between the devices:
    CAT5: Router > AEBS
    CAT5e: AEBS > MacBook Pro
    CAT6: AEBS > Xbox
    If there are other questions or info that you need, please ask

  • Issue with Fiscal Year Variant Period modifications for 2012

    Hi All,
    Can you please advise how the Fiscal Year Variant modified periods can be transported to different clients?
    The issue is, we have 2012 Periods already setup in DEV and transported to QAS and PRD, now the client came up with different periods for 2012. I have modified the periods as requested and captured them in transport.
    When the new transport was sent to QAS, the new periods are appended to the old periods, instead of replacing the old periods.
    Any help is much appreciated.
    Thanks
    Shasha

    Hi All,
    My issue has been resolved, we figured out that we need to delete the existing calendar and capture that in transport and then recreate the calendar for 2012 with new periods and capture this in the same transport and this works.
    Instead of deleting the existing calendar we changed the values before, which is the reason it was appending the previous periods and the new periods.
    Thanks
    Smitha

  • The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted

    I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
    with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
    The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
    Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted."
    I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it
    is not available.
    Help please!

    Hi,
    As there is a Server 2012 DC (SERVER1) operational in the domain, "This domain controller is the last controller for the domain" should remain unchecked when you demote the SERVER2 DC.
    If you are getting the error "Active Directory domain controllers for that domain can be contacted" while demoting the SERVER2 DC, then check the DNS pointing on both as per the article below and disable Windows Firewall on all DCs. It is less likely, but worth checking: if both
    are in different sites, then check that the ports are open on the firewall.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
    http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
    Run "ipconfig /flushdns & ipconfig /registerdns", restart the DNS server and NETLOGON service on each DC and try to demote the server2 DC.
    If issue reoccurs, post dcdiag /q result.
    NOTE: If initial replication was completed between both DC (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
    Active Directory Metadata Cleanup
    http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
    Best regards,
    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

  • Failed to Configured Domain Services for Windows

    Hi!
    I am installing OES 2 SP3 with DSfW Pattern as a "New Domain Controller in an Existing Domain Services for Windows Domain" with Replication Configuration and Schema Partition.
    During the "Perform eDirectory Configuration" at last task "Configure Domain Services for Windows " at 93% we encountered an error: "Failed to configure Domain Services for Windows".
    Here's details of error ;
    command : perl /opt/novell/xad/sbin/ndsdcinit.pl retry full-replica -d 'vec.apd.com.ph' -l 'ou=OESSystemObjects,dc=vec,dc=apd,dc=com,dc=ph'
    -g 'ou=OESSystemObjects,dc=vec,dc=apd,dc=com,dc=ph' -f 'apd.com.ph' -p 'apd.com.ph' -o 192.168.81.92 -t
    Could not create gss directory /etc/opt/novell/xad/gss at /opt/novell/xad/sbin/ndsdcinit.pl line 463, line 652
    LDAP Based utility [ndsConfigServerContext.sh] to retrieve server context for YaST
    DomainName : vec.apd.com.ph
    NdsAdminName : CN=Administrator,CN=Users,DC=vec,DC=apd,DC=com,DC= ph
    ExistingServerIP : ANDROMEDA.vec.apd.com.ph
    ExistingServerPort : 0
    Add_DC : true
    Returning server context->ou=OESSystemObjects.dc=vec.dc=apd.dc=com.dc=ph
    LDAP Based utility [ndsConfigServerContext.sh] to retrieve server context for YaST
    DomainName : vec.apd.com.ph
    NdsAdminName : CN=Administrator,CN=Users,DC=vec,DC=apd,DC=com,DC= ph
    ExistingServerIP : ANDROMEDA.vec.apd.com.ph
    ExistingServerPort : 0
    Add_DC : true
    Returning server context->ou=OESSystemObjects.dc=vec.dc=apd.dc=com.dc=ph
    SASL/GSS-SPNEGO authentication started
    SASL SSF: 56
    SASL installing layers
    Failed to fetch dNIPDNSZones from DNS_LOCATOR_OBJECT at /opt/novell/xad/lib64/perl/Install/adc_install.pm line 503
    at /opt/novell/xad/lib64/perl/Logger.pm line 119
    Logger::_err('Failed to fetch dNIPDNSZones from DNS_LOCATOR_OBJECT at /opt/...') called at /opt/novell/xad/lib64/perl/Logger.pm line 202
    Logger::Log(0, 'Failed to fetch dNIPDNSZones from DNS_LOCATOR_OBJECT at /opt/...') at /opt/novell/xad/lib64/perl/Install/adc_install.pm line 532
    adc_install::decide_domain_zones() called at /opt/novell/xad/lib64/perl/install/adc_install.pm line 150
    adc_install::stage_domain('adc_install=HASH (0X8b9370)') called at /opt/novell/xad/sbin/ndsdcinit.pl line 1383
    main::main(62, 'apd.com.ph', 'vvec.apd.com.ph', 'TRUE','ou=OESSystemObjects,dc=vec,dc=apd,dc=com,d c=ph','ADM_PASSWD_DOMAIN','ou=OESSystemObjects,dc= vec,dc=apd,dc=com,dc=ph','replops::DESTROY',
    'APD.COM.PH',...) called at /opt/novell/xad/sbin/ndsdcinit.pl line 1301
    main::main() called at /opt/novell/xad/sbin/ndsdcinit.pl line 1425
    ENV PATH = /opt/novell/xad/sbin:/opt/novell/xad/bin:/opt/novell/xad/share/dcinit:/opt/novell/eDirectory/bin:
    LIB=lib64
    LD LIBRARY PATH =
    /opt/novell/xad/lib64:/opt/novell/xad/lib64/nds-
    modules:/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules
    SASL PATH = /opt/novell/xad/lib64/sasl2
    DCINIT CONFIG: /etc/opt/novell/xad/xad.ini
    DOMAIN NAME: vec.apd.com.ph
    PARENT NAME: apd.com.ph
    FOREST NAME: apd.com.ph
    NETBIOS NAME: VEC
    Any ideas on this error ?
    Regards. Thanks.
    denzmo

    Thanks for the reply.
    I have some followup questions
    2. Can you explain the DNS setting in your setup ?
    Tree ---> Power--> apd.com.ph -- dlpc.apd.com.ph
    -- vec.apd.com.ph -- Andromeda.vec.apd.com.ph (DNS)
    -- Pictor.vec.apd.com.ph ( additional domain server ) -> "Failed to configure in DSFW"
    1. apd.com.ph, dlpc.apd.com.ph, vec.apd.com.ph are DSfW domains or just DNS domains ?
    2. Andromeda.vec.apd.com.ph (DNS) - is this the DC of a DSfW domain ?
    3. You are adding the Additional domain controller to the vec.apd.com.ph domain right ?
    The
    # LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf /usr/bin/ldapsearch -Y EXTERNAL -s sub -b dc=ph "(objectclass=dniplocator)" dn
    Here's the result:
    a.) running the command in the DNS server (child domain) ANDROMEDA;
    SASL /EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0, cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    # LDAPv3
    # base <dc=ph(objectclass=dniplocator) [email protected]> with scope subtree
    # filter: (objectclass=*)
    # requesting:ALL
    # search result
    search : 2
    result : 32 No such object
    text : NDS error : no such entry (-601)
    # numResponses :1
    This is strange. This ldapsearch is failing to find the locator object in the tree under dc=ph.
    - Can you try this same command from your FRD DC too and find the result ?
    - Is your server non-name mapped, or are you adding a DSfW server into an existing eDirectory tree (name mapped)?
    - If it is the latter, can you try the same search with the '-b' parameter replaced with the container to which the FRD is mapped in the eDirectory tree?
    - Can you tell where in your setup the locator objects are present for your first DSfW server, which is acting as DNS server?
    - While installing this ADC server, you have given the remote DNS server as 192.168.81.92. In the YaST DNS screen, did you retrieve (by clicking the 'retrieve' button on the screen) or did you enter those inputs manually?
    - Another follow-up question. The locator context provided to the ndsdcinit command in your first post is 'ou=OESSystemObjects,dc=vec,dc=apd,dc=com,dc=ph'. Can you confirm your locator context is correct?
    [/QUOTE]
    b.) running the command in the ADC PICTOR;
    SASL /EXTERNAL authentication started
    ldap_sasl_interactive_bind_s: invalid credentials (49)
    [/QUOTE]
    This is expected as the server is not completely configured.
    Please get in touch with our NTS to pass on more information about this setup.

  • CMS Domain setup

    Hi
    I am trying to setup the CMS transport domain but get the following error when saving the config.
    SLD (URL http://172.17.1.154:50000/sld) server exception: HTTP response code: 500 Internal Server Error.
    I can login on the SLD server via a browser and everything is running without errors.
    Regards
    Elmo

    Hi ELMO
    The following is the setup for SLD; have a look at it.
    1) Open SLD from the following location:
    http://host.domain.com:50000/sld
    Enter Administrator user name and password.
    2) Go to Administration -> Server Settings
    Make sure that the SLD server is stopped
    Enter the following Server Parameters
    Object Server:
    <Host name of the J2EE server>
    Working Directory:
    The working directory of the System Landscape Directory.
    The standard path is "/usr/sap/<SAPSID>/SYS/global/sld"
    Click on SET.
    Select the following parameter for Persistence
    Persistence: Database
    Click on SET.
    Leave ABAP Connection Parameters Blank.
    Go back to Administration
    3) Click on Data Supplier Bridge
    Configure the data supplier bridge with the following parameters.
    Update local SLD (sld/active): TRUE
    RFC Gateway:
    Server : <host name of J2EE server>
    Service : <The SAP gateway service port> (Here, 50000)
    Click on SET.
    4) Open the Administration Tool for the J2EE server from the following location.
    C:\usr\sap\<SID>\JC<instance number>\j2ee\admin\go.bat
    (Here, C:\usr\sap\VP1\JC00\j2ee\admin\go.bat)
    Select Default and Click on Connect.
    Enter password for Administrator.
    Click on Connect.
    Select Cluster->Server->Services->SLD Data Supplier
    Select http setting tab page and enter following details.
    Host: <host name of J2EE server>
    Port: <Port Number of J2EE Server> (Here, 50000)
    User: <Administrator User>
    Password: <Password for Administrator User>
    Use https? : <Check this if you want to use https>
    Trust Store: <leave default i.e. TrustedCAs>
    Click on SAVE.
    Select RFC Settings tab page and enter following details.
    Gateway Host : <host name of J2EE server>
    Gateway Service/Port: sapgw<instance number> (Here, sapgw00)
    Click on SAVE.
    Restart the SLD Data Supplier service.
    5) Open SLD from the following location:
    http://vngsap2.vcerp.com:50000/sld
    Enter Administrator user name and password.
    Select Technical Landscape.
    Click on New Technical System…
    Select Web AS ABAP (here you define your ABAP system)
    Click Next.
    Technical System Wizard Appears.
    Enter the required information about the technical system.
    Details
    Web AS ABAP Name (SID): the SAP system ID (SID)
    Installation Number: <Installation Number of SAP system>
    Database Host Name: <Database Host Name>
    Click Next.
    Now, Enter information about the message server and the central application server.
    Message Server
    Host Name : <Host Name>
    Message Port: <Message Server Port>
    Logon Groups: PUBLIC
    Central Application Server
    Host Name : <Host Name>
    Instance Number : <SAP System instance Number>
    Click Next.
    Optionally define additional application servers.
    Click Next.
    Enter details for at least one client.
    Client Number: client (i.e 800)
    Logical System Name (optional):
    Click Add.
    Click Next.
    Now, select one or more software products, and then the software components that are installed in this system.
    Here, select SAP ECC 5.0 click ADD.
    (If you cannot find SAP ECC 5.0, then import the CR content on the J2EE server; follow SAP Note 669669.)
    Check all the components in the list.
    Click Finish.
    The created technical system appears on the Technical System browser page.
    regards,
    kaushal

  • Pre-Production Setup for Failover

    Hi
    I have installed my SAP Production environment on Windows 2008 R2, SAP ECC 6.0 EHP5, Oracle 11.2.0.3.
    I have set up my DR system in a different seismic zone on Windows 2008 R2, SAP ECC 6.0 EHP5, Oracle 11.2.0.3.
    Oracle Data Guard is used for data replication from Production to the SAP DR system.
    Now I want to test the failover scenario. I would like to install a separate SAP environment at the primary site as Pre-Production for the DR test, on a different hardware box. The system identification (SID) for production and pre-production is the same, RP9.
    I would like to know whether I can use the same root domain controller (RDC) available at the primary site for the production and pre-production environments. The domain users are the same for both SAP systems.
    Please clarify whether this situation will create any problem for my production or pre-production environment with the same root domain controller,
    or
    should I go ahead with a different root domain controller for the pre-production environment?
    Regards
    vimal

    Hello
    It is not recommended to have SAP systems sharing the same SID in a landscape... at least because it is not possible to have the systems in the same TMS transport domain (but this can also have other drawbacks, especially if both systems have clients with the same logical system name).
    Even if it is possible to use the same domain users for two different systems, I would not recommend this option, especially if one of the systems is a production one...
    Suppose that for any reason the SAP domain accounts get locked / modified / deleted...
    Either you create the pre-prod system with a different SID (best option) and then you can share the same Windows domain, or if you want to keep the same SID I would suggest that you install your pre-prod system either in another domain or in a workgroup...
    If your purpose is to test your Oracle DR abilities, that is not a domain-related mechanism, so you can test it in a workgroup...
    Regards

  • CSS11501 - VIP Setup for DR in Active/Active Mode

    I have the following request from the Email team:
    EXISTING - CSS at Site A (in one-armed mode) supports "webmail" app for the following ports:
    - content webmail_http, port 80
    - content webmail_https, port 443
    - content webmail_imap, port 143
    - content webmail_imaps, port 993
    - content webmail_pop3s, port 995
    NEW - Adding a 2nd CSS at Site B to support the same app/TCP ports with new servers/mailboxes at Site B
    Site A & Site B are physically/logically separated by a MAN (behind different WAN/LAN routers/switches, in different IP subnet/vlan).
    Want to setup DR in active/active mode, ie. both CSS's at Sites A & B support "webmail" VIP - load sharing.
    How would CSS config be setup for this request:
    Main VIP - "webmail"
    Load sharing between 2 VIP's - "webmail_siteA" & "webmail_siteB" from 2 CSS's at different sites?
    Pls help.
    Regards,
    Diane Ly

    Hello Diane
    There are 3 different ways to handle an active/active setup - you can use 'VIP and interface redundancy', GSLB on the CSS, or a GSS and CSS combination.
    VIP and Interface Redundancy:
    http://cco/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00802206a3.shtml
    CSS GSLB:
    http://cco/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801dcd75.shtml
    GSS/CSS Combo:
    There are no direct examples, but in effect, you would have 2 different domains, one for each site. The answers for those domains would be VIPs and based on both Kal-Ap and RTT from the client to each answer (hence if a site goes down, the client will be directed to the other side). With this mode, the CSSs can be configured for no redundancy/awareness of each other at all if that is what is desired.
    Kal-Ap-
    http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_example09186a00801f230e.shtml
    On a sidenote, the CSS has a vast technical library with sample configs located here:
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_configuration_examples_list.html
    Regards,
    Chris Higgins
