DPM 2012 - Protect Exchange 2007 in untrusted domain (either via Creds or Certificates)

Hi,
I am trying to protect an Exchange 2007 Server which is in an untrusted domain.
I have tried using both credentials (isNonDomainServer) and via Certificates and have no joy.  Both methods work in terms of getting the agent installed and communicating with DPM.  The agent shows OK in the console and I can browse fine when creating a new PG.
The problem I have is that "All Exchange Storage Groups" is not available as a selection to backup, obviously neither are any of the information stores.
First question, is backup of Exchange supported in an untrusted domain?  This says it is:  http://technet.microsoft.com/en-us/library/hh757801.aspx  but I read conflicting advice elsewhere.
Second question, this is the biggie - any ideas on how to get Exchange visible as a selection?
So far I have:
Confirmed that LCR is not configured (I am not sure if it *was* at some point though, because there is a disk on the server labelled LCR)
Checked in the DPM agent directory locally and I can see that ExchangeCmdletsWrapperCurr.errlog is created and/or updated when I expand the server name on the DPM server, and the server and information stores are listed in the file.  This tells me communication is fine, and that the DPM agent on the Exchange server can "see" Exchange
Checked the Exchange VSS writer and it is listed and in a healthy state
Thanks!

Upgraded to System Center 2012 R2 and no difference.  I am assuming that it's a compatibility/support issue, i.e. it's not supported.  The documentation says otherwise, but it's confusing to say the least.
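An added check script, not part of the original thread, that gathers in one run the three things the post above says were verified by hand on the Exchange 2007 server: the state and last error of the Exchange VSS writer as reported by vssadmin, whether the DPM agent's ExchangeCmdletsWrapperCurr.errlog exists and what it last logged about storage groups and databases, and whether any storage group still has LCR enabled. Assumptions that are not in the post: the DPM agent lives under %ProgramFiles%\Microsoft Data Protection Manager (the script searches below that root rather than guessing the exact subfolder), the LCR flag is read from the HasLocalCopy property of Get-StorageGroup, and that last check is run from the Exchange Management Shell. It is written for PowerShell 2.0, which is what servers of that generation have.

```powershell
# Added example, not from the original thread. Run elevated on the Exchange 2007 server.
# Assumed (not in the post): the DPM agent install root, and HasLocalCopy as the LCR flag.

function Get-VssWriterState {
    # Parse 'vssadmin list writers' into one object per writer: Name, State, LastError.
    $writers = @()
    $current = $null
    foreach ($line in (& vssadmin list writers)) {
        if ($line -match "Writer name:\s+'(.+)'") {
            if ($current) { $writers += $current }
            $current = New-Object PSObject -Property @{ Name = $matches[1]; State = ''; LastError = '' }
        }
        elseif ($current -and $line -match 'State:\s+\[\d+\]\s+(.+)$') { $current.State = $matches[1].Trim() }
        elseif ($current -and $line -match 'Last error:\s+(.+)$')      { $current.LastError = $matches[1].Trim() }
    }
    if ($current) { $writers += $current }
    return $writers
}

function Test-ExchangeWriter {
    # $true only if the Exchange writer is registered, Stable and reports no last error.
    $w = Get-VssWriterState | Where-Object { $_.Name -eq 'Microsoft Exchange Writer' }
    if (-not $w) {
        Write-Warning 'Microsoft Exchange Writer is not registered with VSS'
        return $false
    }
    Write-Host ("Exchange writer: state '{0}', last error '{1}'" -f $w.State, $w.LastError)
    return ($w.State -eq 'Stable' -and $w.LastError -eq 'No error')
}

function Show-DpmExchangeErrlog {
    # Assumed default install root; the exact subfolder is not guessed, we search below it.
    param([string]$AgentRoot = (Join-Path $env:ProgramFiles 'Microsoft Data Protection Manager'))
    $log = Get-ChildItem -Path $AgentRoot -Recurse -Filter 'ExchangeCmdletsWrapperCurr.errlog' `
               -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $log) { Write-Warning "ExchangeCmdletsWrapperCurr.errlog not found under $AgentRoot"; return }
    Write-Host ("{0}  (last written {1})" -f $log.FullName, $log.LastWriteTime)
    # The storage group / database names the agent enumerated, plus anything logged as an error.
    Get-Content $log.FullName |
        Select-String -Pattern 'Storage Group|Mailbox Database|Public Folder|error|exception' |
        Select-Object -Last 20
}

function Get-LcrStorageGroups {
    # Needs the Exchange Management Shell. HasLocalCopy is assumed to be the LCR flag on Exchange 2007.
    if (-not (Get-Command Get-StorageGroup -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-StorageGroup not available: run this from the Exchange Management Shell'
        return @()
    }
    return @(Get-StorageGroup -Server $env:COMPUTERNAME | Where-Object { $_.HasLocalCopy })
}

Test-ExchangeWriter | Out-Null
Show-DpmExchangeErrlog
$lcr = Get-LcrStorageGroups
if ($lcr.Count -gt 0) { $lcr | Format-Table Name, HasLocalCopy -AutoSize }
else { Write-Host 'No storage group has LCR (HasLocalCopy) enabled' }
```

If the writer is missing or not Stable, or the errlog shows the agent enumerating the stores but logging an exception afterwards, that is the first place to look before treating it as a support matrix question; a clean result from all three checks means the problem is on the DPM side of the relationship, not in what the agent can see.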

Similar Messages

  • Error while installing 2nd exchange 2007 on our domain

    We are installing the 2nd Exchange 2007 on our domain, for the obvious reason that we are not able to upgrade the existing version to SP3 RU10, as the server crashes every time we do an update.
    So we thought we would set up a second new Exchange 2007 server with all of HT, MB & CAS, update it fully and move the mailboxes etc.
    1st Exchange Server: EXCH01
    2nd Exchange Server: EXCH02
    We are doing a fresh install on a fresh vmware machine
    OS: Windows Server Enterprise Service Pack 2
    Exchange 2007 Service Pack 1
    During the hub transport installation part we ran into an error
    Exchange Server component Hub Transport Role failed. 
    Error: Error:
    Property IsProvisionedServer cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0).
    Log Name: Application
    Source: MSExchangeSetup
    Event ID: 1002
    Now I am unable to uninstall the application as well, even while uninstalling the same error is thrown.
    Also, when we open the EMC on 1st exchange server we get an error saying
    "Warning:
    Object PGCMAIL01 has been corrupted and it is in an inconsistent state. The following validation errors have occurred:
    Warning:
    Cannot calculate value of property "AdminDisplayVersion": "SerialNumber property is not present.".

    Hi,
    According to your description, I understand that installing a second Exchange 2007 server failed with the error "Property IsProvisionedServer cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0)."
    If I misunderstand your concern, please do not hesitate to let me know.
    Which Exchange version are you currently using in your environment?
    I want to double check whether you have run Setup /PrepareAD and Setup /PrepareDomain to complete the prerequisite preparation. More details about Preparing Active Directory for Exchange 2007, for your reference:
    https://technet.microsoft.com/en-us/library/bb288907(v=exchg.80).aspx. If not, please run it and try again.
    Besides, we can use ADSIEdit to double check the version, and get a more clear-cut error message from the Exchange Setup log.
    Thanks
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Allen Wang
    TechNet Community Support

  • Protect SQL database from untrusted domain

    Hello,
    I have some problems protecting a SQL 2008 SP3 database in an untrusted domain with DPM 2012 R2 RU3. 
    When I try to protect the databases, they do not appear in the tree to select them; also when I try to recover a database into the untrusted domain it doesn't appear in the tree.
    The NT Authority\System has sysadmin permissions, I have all TCP ports open and  the following UDP ports: 389,88,netbios-dgm,netbios-ns.
    Any idea ?

    Hi
    Is this SQL Server part of a SQL Server cluster or a standalone SQL Server?
    Regards, Trinadh [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. If you found the reply helpful, please "MARK IT AS ANSWER". Looking for source of information for DPM?
    http://blogs.technet.com/b/dpm/ http://technet.microsoft.com/en-in/library/hh758173.aspx

  • Remove various accepted domains (exchange 2007) from a list file via powershell

    hello!
    I'm a newbie with PowerShell and I'm trying to find out if it is possible to remove a lot of Exchange 2007 accepted domains listed in a CSV file using PowerShell.
    I want to delete the accepted domains contained in a CSV; it only has the domain names, and PowerShell requires the Name, which is different from the domain.
    example of accepted domain in my organization:
    Name          DomainName     DomainType      Default
    Domain0001    domain1.com    Authoritative   False
    Domain0002    hello1.com     Authoritative   False
    I've only a csv with domains name:
    domain.csv:
    Domain
    domain1.com
    hello1.com
    Deleting an accepted domain via PowerShell requires the Name, so I need to extract the Name first. I've tried this command and it works:
    Get-AcceptedDomain | Where{$_.DomainName -eq 'domain1.com'}
    This works only for one domain; I've a lot of domains to delete so it's not viable.
    Now, i'm trying to launch this command without success:
    import-csv domain.csv | foreach {Get-AcceptedDomain | Where{$_.DomainName -eq '$_.Domain'}}
    Probably there is a syntax error, or maybe I just can't do it. 
    Any help? 
    Many thanks in advance!!

    Don't know what to tell you, then.  If I create a test file with that data, the Import-CSV works for me:
    @'
    Domain
    3414257440.domain.com
    domain1.domain.com
    '@ | Set-Content c:\testfiles\domain.csv
    $DomainNames = Import-Csv 'c:\testfiles\domain.csv' | Select-Object -ExpandProperty Domain
    $DomainNames
    3414257440.domain.com
    domain1.domain.com
    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
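An added example, not from either poster, of the complete pipeline the question is after: read the CSV, map each DomainName to the accepted domain's Name, and remove it. The command in the question fails for two reasons worth seeing side by side with the fix: `'$_.Domain'` is single-quoted, so PowerShell never expands it and compares against the literal text, and inside the nested `Where` block `$_` is already the accepted domain object, not the CSV row, so the row's value has to be captured in a named variable first. The CSV path in the usage line is hypothetical; Get-AcceptedDomain and Remove-AcceptedDomain are the standard Exchange 2007 cmdlets and the function is meant to run in the Exchange Management Shell. It refuses to touch the domain flagged Default, and does nothing destructive unless -Commit is given.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# The CSV has a single column named 'Domain'; the path used below is hypothetical.

function Remove-AcceptedDomainFromCsv {
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [switch]$Commit     # without -Commit the function only reports what it would remove
    )

    # Enumerate the accepted domains once and index them by DomainName, instead of calling
    # Get-AcceptedDomain for every CSV row. PowerShell hashtable keys are case-insensitive.
    $byDomain = @{}
    foreach ($ad in Get-AcceptedDomain) {
        $byDomain[$ad.DomainName.ToString()] = $ad
    }

    foreach ($row in Import-Csv -Path $CsvPath) {
        $domain = $row.Domain          # captured here, because $_ changes meaning in nested blocks
        if (-not $domain) { continue }
        $domain = $domain.Trim()

        $ad = $byDomain[$domain]
        if (-not $ad) {
            Write-Warning "No accepted domain with DomainName '$domain'; skipping"
            continue
        }
        if ($ad.Default) {
            Write-Warning "'$domain' ($($ad.Name)) is the default accepted domain; refusing to remove it"
            continue
        }

        if ($Commit) {
            # Remove-AcceptedDomain takes the Name (Identity), which is why the lookup above is needed.
            Remove-AcceptedDomain -Identity $ad.Identity -Confirm:$false
            Write-Host "Removed $($ad.Name) ($domain)"
        }
        else {
            Write-Host "Would remove $($ad.Name) ($domain); re-run with -Commit to delete"
        }
    }
}

# Dry run first, then commit once the list looks right:
Remove-AcceptedDomainFromCsv -CsvPath 'C:\temp\domain.csv'
# Remove-AcceptedDomainFromCsv -CsvPath 'C:\temp\domain.csv' -Commit
```

Run the dry run, read the "Would remove" lines against the CSV, and only then add -Commit; a CSV with a stray entry otherwise removes an accepted domain that is still routing mail.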

  • Connect Outlook to Exchange 2007 in separate domain

    As part of a merger, we've been asked to discontinue our Exchange 2010 email environment.  We would need to connect up our current email users (over a point to point connection with firewall in between) to the other organizations Exchange 2007 server
    with completely new email accounts/addresses, via Outlook client.  I'm wondering if this is even possible.  Can our Outlook client talk to an Exchange 2007 server if Outlook exists in a native Exchange 2010 environment?

    Yes you certainly should be able to do that. So long as you're able to connect to the remote Exchange server then you should simply be prompted for login details to access it, since obviously your local login details won't work, at which point you simply
    enter the login details provided for the remote exchange server. Obviously you also need to add the remote domain before the username, eg <domain>\<username> to force it to authenticate with that domain login rather than it assuming you're logging
    in using a login from your existing domain.
    We've got several clients who have their mailboxes hosted on our exchange servers, most of which are running in domain environments, and in fact a few of which have old Exchange servers still running on their networks when we first set them up.

  • DPM 2012 sp1 Exchange 2013 sp1

    Hello 
    Is DPM 2012 sp1 supported to backup Exchange 2013 sp1?
    Bulls on Parade

    Hello,
    At present, there are no official articles or Exchange Team Blogs to verify whether DPM 2012 SP1 is supported to back up Exchange 2013 SP1.
    Before you use DPM 2012 SP1 to back up Exchange 2013 SP1, please test it in a lab environment. If there is any error, please feel free to let me know.
    Cara Chen
    TechNet Community Support

  • DPM 2012 Protection Agent Connection Failure

    I was successfully protecting a Windows Server 2008 R2 Ent. Server with my M.S. System Center 2012 R2 DPM R2 Server until today.  The only changes I know about are the fact that this 2008 server was promoted to a domain controller today using the same
    name and I.P. Address.  It appears that the DCPromo process has broken DPM protection somehow.  Is it true that a "dcpromo" of a protected server can cause DPM Agent failures?  If so what is the preferred method to fix this problem. 
    I'm hoping that I don't really have to stop and clean up the current protection for this server and then start over again.  Does anyone have a solution for this problem?  Here are the errors I'm getting:
    Affected area: ServerName.DomainName
    Occurred since: 1/13/2015 8:30:02 AM
    Description: The DPM protection agent on ServerName.DomainName could not be contacted. Subsequent protection activities for this computer may fail if the connection is not established. The attempted contact failed for the following reason: (ID 3122)
    The protection agent operation failed because it could not access the protection agent on ServerName.DomainName. ServerName.DomainName may be running DPM, or the DPM protection agent may have been installed by another DPM server. (ID 302 Details: )
    More information
    Recommended action: Uninstall DPM or the DPM protection agent from ServerName.DomainName and install the DPM protection agent again from the computer that you want to use to protect the computer.
    On the Agents tab in the Management task area, check the status of the agent.
    Resolution: To dismiss the alert, click below
    Inactivate
    Protection agent version: 4.2.1254.0
    Error: Data Protection Manager Error ID: 270
    The agent operation failed on ServerName.DomainName because DPM could not communicate with the DPM protection agent. The computer may be protected by another DPM server, or the protection agent may have been uninstalled on the protected computer.
    If ServerName.DomainName is a workgroup server, the password for the DPM user account could have been changed or may have expired.
    Recommended action: Check the following to troubleshoot this issue:
    1) If the agent is not installed on ServerName.DomainName, run DpmAgentInstaller.exe with this DPM computer as a parameter. For details, see the DPM Deployment Guide.
    2) To attach the computer correctly to this DPM server, run the SetDpmServer tool with the -Add option on the protected computer.
    3) If the computer is protected by another DPM server, or if the protection agent has been uninstalled, remove the protected data sources on this computer from active protection. Then, remove the entry of this computer from the Agents tab in the Management
    task area.
    4) If ServerName.DomainName is a workgroup server, run SetDpmServer with the -UpdatePassword flag on the protected computer and Update-NonDomainServerInfo.ps1 on the DPM server to update the password.
    5) If the DPM server and the protected computer are not in the same domain, ensure that there is a two-way trust setup between the two domains.
    Note:  I tried running the setdpmserver tool but got the following message:
    SetDpmServer failed with errorcode =0x80070534, error says: No mapping between account names and security IDs was done.
    I also tried the attach agents option but DPM tells me that there is already an agent installed.
    I also tried to manually start the DPMRA service on the client but it fails with error code 1168.
    Any helpful information would be greatly appreciated. 
    Thank you,
    MPeterson 

    Hi,
    Try the following:
    Uninstall the agent from the protected computer.
    Restart the computer.
    Install the DPM-agent manually.
    Re run the SetDPMServer command.
    Try to start the service.
    If the problem still exists, please look into the following steps:
    Verify the COM+ permissions for the DPM agent on the protected server. There could be a mismatch in the permissions:
    Click START / Administrative Tools / Component Services
    Expand Component Services / Computers / My Computer / DCOM Config
    Right click on the "DPM RA Services" and choose Properties. Verify that under the Security tab / Launch and Activation Permissions, Customize is selected; click the "Edit..." button, and in the ACL you should see the computer account for your DPM server.
    If it's not present, add it, mark all Allow boxes and try to start the service again.
    You should also verify that your DPM-server computer account is a member of these two local security groups on the protected server:
    DPMRADCOMTrustedMachines
    DPMRADmTrustedMachines
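An added check script, not from either poster, that reads the same three things the reply above has you verify by hand on the protected server: the DPMRA service state, whether the DPM server's computer account is a member of the two local groups, and who is in the launch/activation ACL of the DPM RA Service DCOM application. The DPM server name is a placeholder to substitute; the DCOM application is assumed to be registered under a name starting "DPM RA Service" (the reply calls it "DPM RA Services" in the Component Services console), and the ACL is read through WMI's Win32_DCOMApplicationSetting, which returns no DACL when the permissions have never been customized. One point that matters for the poster's situation: a domain controller has no local groups at all, so on a freshly promoted server the group lookup will fail rather than report the account missing, and that is the first thing the output will show you.

```powershell
# Added example, not from the original thread. Run elevated on the protected server.
# $DpmServer is a placeholder; the DCOM application name match is an assumption.

$DpmServer = 'DPMSERVER'              # NetBIOS name of your DPM server (placeholder)
$account   = "$DpmServer`$"           # computer accounts appear in group membership as NAME$

function Get-DpmraServiceStatus {
    $svc = Get-Service -Name DPMRA -ErrorAction SilentlyContinue
    if ($svc) { return $svc.Status.ToString() } else { return 'NotInstalled' }
}

function Get-LocalGroupMemberNames {
    param([string]$GroupName)
    # WinNT provider: needs no AD module and works on PowerShell 2.0.
    # On a domain controller there are no local groups, so this throws.
    $grp = [ADSI]"WinNT://./$GroupName,group"
    return @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
}

function Test-DpmTrustedGroups {
    param([string]$Account)
    $ok = $true
    foreach ($g in 'DPMRADCOMTrustedMachines', 'DPMRADmTrustedMachines') {
        try {
            $members = Get-LocalGroupMemberNames -GroupName $g
            if ($members -contains $Account) {
                Write-Host "$g contains $Account"
            }
            else {
                Write-Warning "$g does NOT contain $Account (members: $($members -join ', '))"
                $ok = $false
            }
        }
        catch {
            Write-Warning "Local group $g could not be read: $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

function Get-DpmRaLaunchTrustees {
    # Launch/activation ACL of the DPM RA Service DCOM application, via WMI.
    $app = Get-WmiObject Win32_DCOMApplication |
           Where-Object { $_.Name -like 'DPM RA Service*' } | Select-Object -First 1
    if (-not $app) { Write-Warning 'DCOM application "DPM RA Service" not found'; return @() }
    $setting = Get-WmiObject Win32_DCOMApplicationSetting -EnableAllPrivileges -Filter "AppID='$($app.AppID)'"
    $sd = $setting.GetLaunchSecurityDescriptor().Descriptor
    if (-not $sd.DACL) { Write-Warning 'Launch permissions are not customized (no DACL set)'; return @() }
    return @($sd.DACL | ForEach-Object { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name })
}

"DPMRA service: $(Get-DpmraServiceStatus)"
$groupsOk = Test-DpmTrustedGroups -Account $account
$trustees = Get-DpmRaLaunchTrustees
"DCOM launch/activation trustees: $($trustees -join '; ')"
if ($trustees -notcontains "$env:USERDOMAIN\$account") {
    Write-Warning "$env:USERDOMAIN\$account is not in the DPM RA Service launch ACL"
}
"Trusted groups OK: $groupsOk"
```

Read the output top to bottom: a service that will not start, two group lookups that throw, and an ACL without the DPM server's account each point at a different step of the reply, and you only need to do the step whose check failed.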

  • Essentials 2012 R2 Exchange Integration with Multiple Domain Controllers

    Attempting to integrate Exchange Server 2012 with the Essentials wizard results in the error message: "This task must be performed on the domain controller." I've found several threads that speculate this is because there are multiple domain controllers
    in the domain. Is there a workaround or patch available to resolve this issue? Why wouldn't Microsoft want the redundancy of multiple DCs?
    Thanks.

    Hi HartmannTek,
    I agree with Robert.
    We can get the following information from the article:
    Services Integration Overview for Windows Server 2012 R2 Essentials - Part 1. Please refer to.
    Currently, the Services Integration features, including Windows Azure Active Directory integration, Office
    365 integration, Windows Intune integration, and on-premises Exchange integration, are only supported in a single domain controller environment. In addition, the integration wizard must be run on a domain controller.
    Hope this helps.
    Best regards,
    Justin Gu

  • Exchange 2007 cannot export pst files via its powershell

    Hi,
    I am trying to export pst files from Exchange server 2007.
    This script used to work perfectly.
    Export-Mailbox -Identity paddy -PSTFolderpath C:\pst\
    But now I am getting an error message saying this
    Export-Mailbox : The specified mailbox database "SRV03\First Storage Group\Mail
    box Database" does not exist.
    At line:1 char:15
    + Export-Mailbox  <<<< -identity paddy -PSTFolderPath C:\pst\
    MoveType                         : ExportToPST
    MoveStage                        : Initialization
    StartTime                        : 01/01/0001 12:00:00 AM
    EndTime                          : 01/01/0001 12:00:00 AM
    StatusCode                       : -2147467259
    StatusMessage                    : The specified mailbox database "SRV03\First
                                       Storage Group\Mailbox Database" does not exi
                                       st.
    ReportFile                       : C:\Program Files\Microsoft\Exchange Server\L
                                       ogging\MigrationLogs\export-Mailbox20140527-
                                       155543-8040336.xml
    what would be the problem?
    I checked that the account has full permission so permission would not be the issue.
    Thanks

    Hi,
    First, please check if the mailbox database mentioned in the error message is mounted.
    Besides, please check if you can export other mailbox using the Export-Mailbox cmdlet.
    If all mailboxes are affected, please check if you have the Exchange Server Administrator role assigned.
    1. Open EMC.
    2. Select the Organization Configuration node from the console tree.
    3. Please check the permissions assigned in the result pane. If the Exchange Server Administrator role is not there, please add it and check the result.
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • DPM 2012 R2 agent update on Windows 2003 server x64 - Exchange

    According to the release notes on http://blogs.technet.com/b/dpm/archive/2014/04/23/now-available-update-rollup-2-for-system-center-2012-r2-data-protection-manager.aspx the following workloads are supported on Win2K3 with DPM2012 R2 UR2:
    SQL 2005
    SQL 2008
    SQL 2008 R2
    SharePoint 2007
    Does that mean protecting Exchange 2007 on Win2K3 is no longer an option after upgrading to DPM 2012 R2 (UR2)? It works on DPM 2012 SP1 but I need to know if it will continue to work after upgrading.
    (This question follows on from this thread http://social.technet.microsoft.com/Forums/en-US/c425421b-b726-4125-82fc-beae8947722c/dpm-2012-r2-agent-update-on-windows-2003-server-x64?forum=dpmsetup which was marked as 'answered')

    Hi,
    Yes, Exchange 2007 backup will continue to work. I think that due to the timeframe of the UR2 release not all workloads were able to be re-certified, thus the limit in supported workloads.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Upgrade to Win 2012 R2 + Exchange 2013

    I have a server (Windows 2008 R2) working as a domain controller with Exchange 2007 on it.
    I need to upgrade both Windows from 2008 R2 to 2012 R2 and Exchange from 2007 to 2013.
    Which one should I upgrade first on the same server, Windows or Exchange? 

    In order to upgrade your domain controller, you will first have to perform the Exchange 2007 to Exchange 2013 upgrade on another server, which is called a transition.
    Check this links 
    http://technet.microsoft.com/en-us/library/aa996719(v=exchg.150).aspx
    After you finish the transition and have tested it successfully, you will have to remove Exchange 2007 from your domain controller.
    Removing Exchange 2007
    http://msexchangeguru.com/2013/09/01/e20102007decomposte2013mig/
    Once removed then you can start with the In place upgrade of Server 2008 R2 Domain controller.
    Note: Usually we don't do an in-place upgrade since it can be dangerous. We make an additional domain controller, transfer all FSMO roles from Windows Server 2008 R2 to 2012, then remove Active Directory from Windows Server 2008 R2 and decommission it.
    http://www.arabitpro.com

  • Error: The specified mailbox database [Mailbox Database Name] does not exist, when you try to export mailbox in Exchange 2007

    [Symptom]
    ======================
    In Exchange 2007, when you want to export a mailbox to a .pst file, you should run the
    Export-Mailbox cmdlet from a 32-bit computer that has the following installed:
    The 32-bit version of the Exchange management tools
    Microsoft Office Outlook 2003 SP2 or later versions
    If they are not, you may encounter the following error message.
    You check that you have these requirements installed, but you still get the error below when you run Export-Mailbox in EMS:
    “The specified mailbox database [Mailbox Database Name] does not exist.”
    [Cause Analysis]
    =======================================
    This is because the account you use to run the Export-Mailbox cmdlet does not have the Exchange Server Administrator role assigned.
    You can check if this account has been delegated the Exchange Server Administrator role through the following path.
    EMC -> Organization Configuration-> Check permissions in the result pane.
    To delegate this Exchange Server Administrator role, right click on the
    Organization Configuration node and choose Add Exchange Administrator,
    you will see the Add Exchange Administrator window.
    [More Information]
    ==============================
    Export-Mailbox
    http://technet.microsoft.com/en-gb/library/aa998579(v=exchg.80).aspx
    How to Export and Import mailboxes to PST files in Exchange 2007 SP1
    http://blogs.technet.com/b/exchange/archive/2007/04/13/3401913.aspx
    Exchange 2007 cannot export pst files via its powershell
    http://social.technet.microsoft.com/Forums/forefront/en-US/b3bc0dce-35f3-4a69-9a33-4f2a855b9f94/exchange-2007-cannot-export-pst-files-via-its-powershell?forum=exchangesvrgenerallegacy
    Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

    Hi,
    Based on my test, if you make the user the owner of the database (rather than a user with the db_owner role), when you create a query, it creates it under the dbo schema rather than DOMAIN\username.
    Steps to do so (in Management Studio):
    Right click database, select Properties 
    Click File 
    Change Owner in the textbox 
    OK to confirm 
    Downside - other users under db_owner role will still have their username appended. So schemas have to be created for these users.
    Jaynet Zhang
    TechNet Community Support

  • Management Servers in untrusted domains

    Hi,
    I am planning a deployment of SCOM 2012 R2 and have several questions regarding the appropriate placement of management and gateway servers.
    The environment has multiple untrusted domains and we need to monitor both Windows and Linux computers on both sides of the firewall. The main domain has 1500 Windows computers and 1300 Linux computers. The untrusted domain has 250 Windows servers and 450 Linux servers.
    It is understandable that gateway servers are utilized to communicate across the firewall.
    The questions are:
    1. Is it possible to locate one or more management servers in the untrusted domain for the Linux servers and another management server to work with the Windows servers and have those management servers in the untrusted domain communicate through the firewall
    via gateway servers to the databases in the main domain?
    2. If it is not possible to have management servers in the untrusted domain communicate via the gateways; how many gateways would be required to relay to the management servers in the main domains management group?
    3. With the number of Linux servers in the untrusted domain is it better to install a separate management group there?
    Thanks, for any advice in dealing with the above scenario.
    --SG

    Hi There,
    Microsoft recommends placing all the management servers in the same data center, so that if one goes down the others find out about it as soon as possible.
    If you place them in another location then failover may happen late.
    You also mentioned placing the management servers in another domain, which is possible, but you need the trust and permission setup, which is very hectic work.
    So I would suggest placing gateways, as they help with compression if the network bandwidth between the domains and sites is low.
    And based on Microsoft's sizing and management options, a dedicated gateway server can manage 100 Unix boxes, and a management server 500 in the same domain.
    So based on your situation as below:
    1300 Linux - Same domain
    450 - Different domain
    3 Management servers for the main domain for dedicated Linux
    1 MS For Windows Agent monitoring.
    Totally 4 in a management group for the same domain one.
    1 Separate management group with 1 MS will be fine for dedicated Linux monitoring for the 450 servers in the other domain.
    If you want to still place gateways then you will need to place 5 Gateway servers which is difficult to manage.
    Operations Manager supports the following number of monitored items.
    Monitored item                                                                      Recommended limit
    Simultaneous Operations consoles                                                    50
    Agent-monitored computers reporting to a management server                          3,000
    Agent-monitored computers reporting to a gateway server                             2,000
    Agentless Exception Monitored (AEM)-computers per dedicated management server       25,000
    Agentless Exception Monitored (AEM)-computers per management group                  100,000
    Collective client monitored computers per management server                         2,500
    Management servers per agent for multihoming                                        4
    Agentless-managed computers per management server                                   10
    Agentless-managed computers per management group                                    60
    Agent-managed and UNIX or Linux computers per management group                      6,000 (with 50 open consoles); 15,000 (with 25 open consoles)
    UNIX or Linux computers per dedicated management server                             500
    UNIX or Linux computers monitored per dedicated gateway server                      100
    Network devices managed by a resource pool with three or more management servers    1,000
    Network devices managed by two resource pools                                       2,000
    Agents for Application Performance Monitoring (APM)                                 700
    Applications for Application Performance Monitoring (APM)                           400
    URLs monitored per dedicated management server                                      3,000
    URLs monitored per dedicated management group                                       12,000
    URLs monitored per agent                                                            50
    Refer the below link for the managing details: https://technet.microsoft.com/en-us/library/dn249696.aspx?f=255&MSPPError=-2147217396
    Gautam.75801

  • ACS forwarding from untrusted domain 0x80090325 SEC_E_UNTRUSTED_ROOT

    I have SCOM 2012 R2 Update Rollup 4 installed with 2 management servers running WS12R2 in a single management group in my main AD domain. One of the management servers is also an ACS collector. I have an untrusted AD domain, with a SCOM gateway server in
    it, and I used the gateway to install a SCOM agent on a domain controller in that domain. Now I am trying to configure an ACS forwarder on that untrusted domain controller to talk to the ACS collector back on the management server.
    However, when I restart the
    Microsoft Monitoring Agent Audit Forwarding service on that domain controller, I get this error in its
    Event Viewer > Apps and Services > Operations Manager:
    1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
    <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: <IP>:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machine(s)
    listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
    on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
    directory.
    I followed these two articles in order to set up the ACS forwarder on the DC in the untrusted domain: "How to configure security events collection by using Audit Collection Services from computers in untrusted environment?" {1/3/12}https://gefufna.wordpress.com/2012/01/03/how-to-configure-security-events-collection-by-using-audit-collection-services-from-computers-in-untrusted-environment/ "Forwarder
    is unable to connect to collector Event id 4369 in forwarder event view" {5/5/14}
    http://jimmy-scom.blogspot.com/2014/05/forwarder-is-unable-to-connect-to.html
    EXTRA INFO Here are the detailed steps that I took (sorry for all this, but there are an awful number of steps!):
    1) I confirmed that the agent for the DC shows as Healthy in OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (right) pane.
    2) On the ACS collector, I stopped
    Operations Manager Audit Collection Service, then from Admin cmd prompt I did this:
    c:> cd \windows\system32\security\adtserver
    c:> adtserver –c
    1 certificates found for server authentication usage.
    Enter the number of the certificate you want AdtServer to use for authenticating to AdtAgent or 0 to quit without saving: 1
    Certificate 1 selected. Attempting to save thumbprint to registry ...
    success.
    Then I started
    Operations Manager Audit Collection Service.
    3) On the DC in the untrusted domain, from Admin cmd prompt I did this:
    c:> cd c:\windows\system32
    c:> adtagent -c
    No  Issued To            Issued By              Expires               Thumbprint
     1: <untrustedDCfqdn>    <untrustedDomainCA>    2015-11-30 02:44:58   <thumbprint>
    2 certificates found for client authentication usage.
    Enter the number of the certificate you want AdtAgent to use for authenticating to AdtServer or 0 to quit without saving: > 1
    Certificate 1 selected. Attempting to save thumbprint to registry… success.
    4) On the DC in the untrusted domain, I opened mmc > Certificates > Local Computer > Personal > Certificates > I exported the certificate from step 3 to a DER encoded binary X.509 (.CER) file.
    5) I also looked at the Certification Path for the certificate, and figured out which certificate is its Root CA certificate. I copied that certificate to a DER encoded binary X.509 (.CER) file.
    6) I copied the first .CER file to a computer in my main domain, which is at 2012 R2 level. From AD Users and Computers, I created a "dummy" computer object using the NetBios name of the DC back on the untrusted domain. I right clicked the computer
    object > Named Mappings > I added the .CER file, and left "Use Subject for alternate identity" checked. I unchecked "Use Issuer for alternate security identity".
    7) I copied the Root CA certificate .CER file over to the SCOM management server that doubles as my ACS collector, and from there I did mmc > Certificates > Local Computer > Trusted Root Certificates > Certificates > I imported the Root
    CA certificate.
    8) I also went to my CA server on my main domain, I ran pkiview.msc > right clicked “Enterprise PKI” > Manage AD Containers > NTAuthCertificates tab > and I imported the Root CA certificate there as well.
    9) I ran telnet from the DC on the untrusted domain, and confirmed that port 51909 is open from there to the ACS collector on the main domain.
    10) I enabled audit collection for the DC on the untrusted domain. I did this from OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (second column in middle pane) > I selected the Healthy <untrustedDCfqdn>
    > I clicked Enable Audit Collection.
    Then under "Task Parameters" > i clicked [Override] > for New Value I specified <ACScollectorFQDN>. For task credentials I specified Other account, and specified a domain admin account in the untrusted domain. The result was "The
    task completed successfully. Enable Audit Collection, status:Success".
    11) On the ACS collector, I restarted Operations Manager Audit Collection Service. On the DC in the untrusted domain I restarted Microsoft Monitoring Agent Audit Forwarding service.
    12) Result was this error on the DC in the untrusted domain, in its
    Event Viewer > Apps and Services > Operations Manager
    1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
    <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: 10.1.1.91:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machine(s)
    listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
    on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
    directory.
    13) On the DC in the untrusted domain I created DWORD reg value
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters\TraceFlags and set it to 524420 decimal. The resulting c:\windows\temp\AdtAgent.log file only confirmed that I'm getting 0x80090325 errors.
    After all this, why am I getting 0x80090325, which translates to SEC_E_UNTRUSTED_ROOT ??? Did I do something wrong in steps 5, 7 and 8? Thanks for reading all the way through :)
    Marko

    Thanks Yan Li, you gave me an idea. I got the ACS forwarder in the untrusted domain to work (!), by analyzing the setup on the SCOM gateway that I set up in the untrusted domain. I issued the ACS forwarder a certificate from the domain that SCOM is in, INSTEAD
    of configuring the ACS forwarder to use the certificate that it already had from its own domain.
    So the new procedure is: do steps 1 and 2, then instead of step 3 I did this…
    2B) I issued a certificate from the AD domain containing SCOM to the domain controller in the untrusted domain that is my ACS forwarder. I did this from the AD Certificate Services web site, and asked it to use certificate template that I created for the
    SCOM gateway server in the untrusted domain.
    2C) The new certificate appeared in the Personal store of the domain controller. I exported it, then ran the MomCertImport utility so that I would not get an error in the next step (per
    http://www.systemcentercentral.com/scom-deployment-across-multiple-networks/)
    3) On the domain controller in the untrusted domain, I re-ran "adtserver -c", and selected the new certificate.
    3B) I then ran “MomCertImport /Remove”, since I already have a SCOM gateway in the untrusted domain.
    Then I proceeded with step 4, skipped 5, did 6, skipped 7-8, did 9-11; the result was this on the DC in the untrusted domain, in its Event Viewer > Apps and Services > Operations Manager
    2/3/2015 12:20:01 PM Source AdtAgent Event ID 4368 Forwarder successfully connected to the following collector:
    <ACScollectorFQDN>:51909, status: 0x0 (success), source: registry
    addresses tried: <IPaddress>:51909
    ACS forwarding works now! I will confirm by repeating the procedure for another domain controller in the untrusted forest.
    Marko
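    A PowerShell check for the failure mode discussed in this thread, added here as an example and not part of Marko's posts: run on the DC that acts as ACS forwarder, it verifies that the forwarder certificate chains to a root the machine trusts (the SEC_E_UNTRUSTED_ROOT condition), that the collector port is reachable, whether AdtAgent tracing is on, and shows the latest 4368/4369 events. The function name and the thumbprint placeholder are assumptions; the port, registry key and TraceFlags value are the ones given in the thread.

```powershell
function Test-AcsForwarderSetup {
    param(
        [string]$CollectorFqdn = '<ACScollectorFQDN>',     # placeholder, as in the thread
        [string]$ForwarderCertThumbprint = '<THUMBPRINT>', # placeholder: the cert chosen with "adtserver -c"
        [int]$CollectorPort = 51909
    )

    # 1. Can THIS machine build a trusted chain for the forwarder certificate?
    #    0x80090325 is SEC_E_UNTRUSTED_ROOT: one side of the handshake could not chain the
    #    peer's certificate to a root in its Trusted Root store (thread steps 5, 7 and 8).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $ForwarderCertThumbprint }
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $ForwarderCertThumbprint in LocalMachine\My"
    } else {
        if (-not $cert.HasPrivateKey) { Write-Warning 'Forwarder certificate has no private key' }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate trust problems from CRL reachability
        if ($chain.Build($cert)) {
            $root = @($chain.ChainElements)[-1].Certificate
            "Chain OK, root: $($root.Subject) ($($root.Thumbprint))"
            # The same root must sit in Trusted Root Certification Authorities on the collector.
        } else {
            $chain.ChainStatus | ForEach-Object {
                Write-Warning ("Chain problem: {0} - {1}" -f $_.Status, $_.StatusInformation)
            }
        }
    }

    # 2. Plain TCP reachability to the collector (thread step 9, without needing telnet).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($CollectorFqdn, $CollectorPort); "TCP ${CollectorFqdn}:$CollectorPort reachable" }
    catch   { Write-Warning "TCP ${CollectorFqdn}:$CollectorPort failed: $($_.Exception.Message)" }
    finally { $tcp.Close() }

    # 3. Is AdtAgent tracing on? (Thread step 13 set TraceFlags to 524420 decimal.)
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters'
    $flags = (Get-ItemProperty -Path $params -Name TraceFlags -ErrorAction SilentlyContinue).TraceFlags
    "TraceFlags: $(if ($null -eq $flags) { 'not set' } else { $flags }) (log: $env:windir\temp\AdtAgent.log)"

    # 4. Most recent forwarder connect results: 4368 = connected, 4369 = failed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'AdtAgent'; Id = 4368, 4369 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

Test-AcsForwarderSetup
```

    A chain that builds on the forwarder but still fails with 0x80090325 points at the collector side, which is where the thread's fix (issuing the forwarder a certificate from the SCOM domain's CA) applies.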

  • Exchange 2007 setup, transitioning from Exchange 2003

    Hello Exchange Experts,
    I just set up an Exchange 2007 within our domain, transitioning from Exchange 2003, question: When I added the mailbox role on the setup of Exchange 2007, the mailboxes appeared instantly from our Exchange 2003..the connector I'm assuming automatically connected
    during the 07 setup. Is this normal? I was under the assumption that to migrate mailboxes from 03 to 07 Exchange, the wizard must be run. All active mailboxes from 03 appear. I attempted to migrate one mailbox using the wizard, error after the wizard completed,
    mailbox exists. Makes sense, just not understanding how the mailboxes flowed/migrated automatically without running the migration steps. Would someone explain? You could say, this migration is very new to me.
    Thanks in advance!
    James

    Ronny, our company had an existing license for 2007. Of course 2010 or 2013 would have been a better transition, but 2007 is it. The server 2007 has met all the criteria for the transition, spent last month prepping everything on 2003 and 2007. I'm just
    not understanding why the mailboxes appeared upon 2007 immediately after adding the mailbox role.  The management console on 07 shows the mailboxes reside on 03 exchange server. I did not go through the process/wizard to move to 07. Perhaps the
    installation of Exchange 07 created the connector from 2003? Maybe that's my question.
    Mail flow is very responsive now, just wondering for the reasons of decommissioning exchange 2003 at a later date. Exchange 2003 is functioning now as a bridgehead, working perfectly now.  
    Thanks for your input.
    James
    Thanks Ronnie for your input! Issue resolved
