Forest trust - should i add their subnet into my AD site

Similar Messages

• How to add the reports into INTRANET PORTAl SITE ?

  Hi everybody,
  We developed reports in character mode Reports 2.5 , i wants to add all the reports into INTRANET PORTAL SITE ( OUR COMPANY PORTAL SITE ) , Can you please anyone tell me what are all the procedure to followup.
  Thanks in advance.

  Please see chapter 5, chapter 8 and appendix C of following document on how to publish reports to Oracle Portal,
  http://otn.oracle.com/docs/products/reports/htdocs/doc_library/getstart/docs/a92102_01.pdf
  -Jeff

• Forest Trust RPC timeout across MPLS

  Hi, I am having trouble setting up a Forest trust between two networks. The issue "seems" to be RPC timeout (i see RPC age-out on firewall) but i'm now wondering if it's actually the LDAP or KErberos thats failing first.
  I have read that RPC needs to have the same path outgoing as incoming otherwise you can get SYN-ACK problems (especially through a firewall). So i need to try and work out why it doesnt work. It is laid out something like this.
  Network 1 (domain BOB) (server 2008 R2 at domain functional level 2003)
  Site1,Site2 and Site3 all connect to each other via Site-To-Site link provided by 3rd party. They all egress at Site1's ISA Firewall in a normal 3 leg perimeter config. All works fine
  Network 2 (domain RITA) (server 2008 R2 at domain functional level 2003)
  SiteA,B,C and D all connecto to each other over 3rd party MPLS (essentially Gig ethernet)
  Site1 and SiteA are on the same premises in the same room. There is a spare NIC on the ISA server. So i configured the ISA with a NIC in the same subnet as SiteA (RITA domain) - ie i plugged RITA into BOB. I configured the ISA for routing. Allow ANY ANY
  internal to RITA and ANY ANY RITA to internal
  I set up conditional forwarders on both domains pointing at each other and can ping everything from the other sites. DNS is working fine. I can RDP across sites to each other's DCs. From a "network" point of view it all looks good (though in the
  back of my mind i cant rule out the site to site or the MPLS links)
  When i try and create the trust it fails very quickly with "Cannot Continue. The trust relationship cannot be created because the following error occurred: The operation failed. The error is: The remote procedure call failed"
  I can do a portqry and see all RPC comms looks good
  In ISA and another firewall i tried i can see the RPC ageing out. Have tried wireshark but hard to see whats going on
  I used another server in the BOB domain and dcpromo'd it to a new domain in that subnet and tried setting up a trust. worked first time
  Similarly i did the same at the RITA side and that worked too.
  THere are no errors in DNS or the event logs on either side to suggest anything is failing. i tried verbose DNS logs but couldnt really follow them.
  Help!! Thanks

  Hi,
  To verify if this is a network issue, please try to perform a network capture on the servers in both side.
  We can use "IPv4.Address==xxx.xxx.xxx.xxx" to filter the traffic between the servers. Then compare the capture data from the servers. If all the packets have been forwarded, it should not be caused by network.
  To download Network Monitor, please click the link below:
  http://www.microsoft.com/en-hk/download/details.aspx?id=4865
  About the question related to Directory Services, to get better help, please post your questions on the DS forum.
  Here is the address:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Two-way forest trust between two (single domain) forests with multiple identical user ID's

  Domain and forest levels - Windows 2003 (they both have one 2008 R2 DC)
  We need to create a two-way forest trust between two separate single-domain forests. The problem is that these two forests already access each others resources through a S2S. Users have the same login names and passwords on both forests/domains. Now, we
  are combining their infrastructures and need to set up a trust. From what I'm reading, you can't create forest trusts if you have the same SIDs, user ID's, or computer name in each of the forests.
  I'm looking into AD migration tool to copy the userSIDs (SID history?) between forest/domain, deleting the user ID's in the domain we migrated from, and then setting up the trust, but I'm leery about doing it this way as there is no easy 'recovery' should
  something go wrong. 
  Any suggestions for the easiest way to setup this forest trust?

  Hi,
  To eliminate your worries, two user accounts have the same user name doesn’t mean that they have the same SID. Moreover, the user’s SID remains the same even after it has been renamed.
  The SID for domain account/group consists of a
  Domain Identifier and a Relative Identifier. Domain Identifier is unique in every domain within a forest, and a Relative Identifier is unique within domain. It is unlikely that two user accounts with or without the same account
  name from two forests have the same SID.
  The Technet article you mentioned is talking about duplicate SIDs instead of “duplicate computer name or user account”, I will submit a change request to Microsoft about this.
  If there are duplicate SIDs when you create forest trust, you need to delete one of them as the article guides.
  Here are some related articles below for your references:
  How Security Identifiers Work
  http://technet.microsoft.com/en-us/library/cc778824(v=WS.10).aspx
  Security Identifier Structure
  http://technet.microsoft.com/en-us/library/cc962011.aspx
  Security Identifier
  http://en.wikipedia.org/wiki/Security_Identifier
  I hope this helps.
  Amy Wang

• How do I add a Subnet and vlan with a catalyst 3550 and RV120

  Hello Friends.
  I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
  This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
  I have a business class gateway with a private range of 12 public addresses. Ther modem does nothing but act as a gateway since i have disabled the firewall and DHCP.
  In place of the firewall and DCHP from the modem i have installed a RV120 Firewall with VPN. When installing i replicated the IP scheme of the modem as to not disturb and distrup the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
  The RV120 now acts as firewall , DHCP , and VPN. I'll address the subnet first. I's using 10.0.0.0/24 subnet range.
  DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
  There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
  VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
  There are no layer 3 switches that i know of. Just a layer two that is the primary swith and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
  I want to implement subnets into the network and VLANS as well on a new Layer 3 switche from cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
  I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
  I want to replace the 10.0.0.0/24 DHCP alltogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.
  I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
  Iv'e thought of replacing all the wireless nodes with RV120's and use VLAN. Dont know if that strategy works. Need to think it through.
  I want the 192.168.0.0/24 IP range comunicate to with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
  Any advice on how to do this?
  As a side note the next step after this is to install a server domain controller as all the computers are all stand alones in their own workgroups. It's a simultaneous project that will introdue a DCHP, WINS, DNS server.

  Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
  To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
  With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLAN will passage without issue. For a port connecting a user "switchport mode access" "native vlan xx" This will assign the port as untag member of the desired VLAN.
  If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different  "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst.

• Forest trust unable to find Active Directory Domain Controller

  I have two domains with a two-way forest trust. We'll call them ForestA and ForestB. They're on seperate subnets. ForestA's DCs are in one physical location. ForestB's DCs are in two locations, one of which is shared with A.
  I'm unable to route traffic directly from the remote DC in ForestB to the subnet ForestA is on, so I created a new DC in ForestA that sits on the subnet ForestB uses (basically, I can't route between subnets via the wireless bridge between locations, but
  can within the same location).
  I found this: http://www.neomagick.net/zen/2008/11/30/using-dns-to-force-a-domain-trust-through-a-specific-domain-controller-dc/
  I followed the instructions to set the new DC in forest A to be the only one the remote DC in forest B was aware of.
  Nslookup ForestA.com resolves correctly to this DC, but I'm unable to validate the trust relationship, getting the error:
  "Windows cannot find an Active Directory Domain Controller for the ForestA.com domain. Verify that an AD DC is available and then try again."
  I'd appreciate any help.

  In the event viewer, have you found any event id's that corrospond with this error? Have you ensured all ports required are open? Windows firewall is correctly setup? NIC is properly configured?
  Statement below taken from: http://technet.microsoft.com/en-us/library/cc961803.aspx
  If you receive the following error, ERROR_NO_LOGON_SERVERS while using the Nltest tool to query the secure channel, this is usually indicative of the inability to find a domain controller for that domain. Run nltest /dsgetdc: < DomainName > : to verify
  whether you can locate a domain controller. If you are unable to find a domain controller examine DNS registrations and network connectivity.
  ADDS Ports:
  http://msdn.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

• Forest Trust Issues (Group Membership Issues)

  OK - this is going to be long. I hope I am detailed enough.
  Four domains, each in their own forests:
  domain.w.com
  domain.x.com
  domain.y.com
  domain.z.com
  For the sake of everyone, I'll refer to each domain as "w" or "x", which would be domain.w.com and domain.x.com, respectively.
  Domains x, y, and z all have users that require access to resources on domain
  w. Remember - each domain is in its own forest.
  Three trusts were created on domain w. Since the users on domain w do not need any resources on the other domains, three "ONE-WAY:OUTGOING" trusts were created (one for each) via Active Directory Domains and
  Trusts on domain w. The option to create the trust (have it show up in Active Directory Domains and Trusts) in the other domains (in this case
  x, y, and z) was selected.
  After the trusts were created from domain w, the trusts were verified. Administrators on domain
  w could "verify" the trusts (using admin accounts created for them on the three trusted domains).
  Since everything looked good (domain w shows up as an incoming trust for the other three domains), permissions for specific users on domains
  x, y, and z were granted for a share in domain
  w.
  Only... that didn't happen. When attempting to change permissions on the share, administrators were able to change the working domain directory to either
  x, y, or z... but searching returned zero results. Zilch.
  *It should be noted that this scenario has been in place for quite some time now, and that all groups/users previously defined on the share (that belong to the three domains trusted by domain
  w) now all show up as SIDs.
  When attempting to verify (validate) the incoming trust on any of the three domains, the error "Windows cannot find an Active Directory Domain Controller for the domain.w.com domain. Verify that an AD DC is available and then try again."
  is returned.
  Pinging domain.w.com returns the correct address. Direct pings to both domain controllers on domain w
  is also working. Domain w can also do the same pings that I just listed to all three other domains with correct results.
  There is no firewall in between these forests.
  I am leaning towards a DNS or AD issue on the domain w side. This all occurred at once on the same day last week, and no changes were made on
  x, y, or z. Of course... domain
  w is another entity and they are saying they have no clue why its not working.
  Questions:
  Should I be able to verify the trust from x, y, or
  z to domain w?
  Why cant domain w see the users/groups in the other domains?
  Why does domain w validate the trust if the other three domains cant?
  Could this be caused by some setting in GPO having to do with LDAP security, signing requirements, or authentication settings?
  Any help is much appreciated.
  Chris

  Yes, this is related to DNS, from what you describe.
  The simplest way to configure this is to go to EACH dns server on both sides of the trust and configure it for a conditional forwarder of the others dns zone. 
  http://www.techrepublic.com/blog/windows-and-office/configuring-dns-forwarders-to-support-windows-server-2003-forest-trusts/501/
  Unless you have a root dns server for all four zones already.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Set-up of a Forest Trust - Unique situation

  I am in need of advice on how to setup a forest trust between to separate, but similar forests.
  My AD server is Server 2012R2, their AD server is Server 2008R2.
  We are a small community college in the process of separating from our parent university, current the parent university has AD services for both domains ( theirname.edu and ourname.edu) I have built a completely new & separate AD server on a different
  network using the same ourname.edu as the parent university is currently using.
  Is it possible to setup a forest trust between the NEW ourname.edu and the old ourname.edu?
  We are trying to get the NEW AD server up and running so as that it can be fully functional by users, also this trust is so we can migrate our student & employees user data from the OLD AD to our NEW AD using ADMT tool or something similar.

  You can't create a trust between two domains/forest with the same name.  How would the client know where to go to when referencing the name?
  One thing to consider is a radical pruning situation.  You could introduce a new server in the theirname.edu and promote it as a new DC.  Then physically remove it from the domain and
  NEVER all it to talk to the theirname.edu ever again.  In the theirname.edu do a metadata cleanup of this recently promoted DC to remove all references of the DC.
  http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx
  Now sieze all FSMO roles on the DC you just removed and consider this the first DC in your forest.  Go back within this forest and do a metadata cleanup of all the old DC's.
  You now have a duplicate forest that should be cleaned up removing all users and computers that didn't transfer from the original domain.  The old domain should also cleanup all unused accounts and computers as well.
  Just be aware that pruning isn't supported by Microsoft, but this is a known practice in mergers and divestures:
  http://technet.microsoft.com/en-us/library/mergers_acquisitions_active_directory_prune_and_graft_restructuring_support_limitations(v=WS.10).aspx
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Alternative UPN & Forest Trust.

  Hi all!
  I have 3 domain:
  main.local
  child.main.local (child of main.local)
  test.local (new forest)
  In "main.local", under Active Directory Site & Services, i defined 2 UPN:
  "mycorp.com" & "child.mycorp.com"
  I used "mycorp.com" as alternative upn for users in "main.local"
  Then I used "child.mycorp.com" as alternarive upn for users in "child.main.local"
  Now I'd like to trust "main.local" with "test.local" and use users in "*.main.local" with their alternative upn.
  Example:
  [email protected] should login in test.local with it's upn.
  [email protected] shoud login in test.local with it's upn.
  * 02/26/2014 correction.
  I made a Forest Transitive Trust with one direction and all routed UPN suffix are  enable and don't have conflict, but I can't logon using *.mycorp.com Alternative UPN.
  Where I had my mistake?

  Hi, Vivian,
  I'm sorry, I should post my question after sleeping...
  Just few hints.
  I'm working with Windows Server 2012 R2 and it's a lab/test environment.
  I read both articles you link about hundred time in last few days and all my configuration are like described.
  I'l try to recap my situation and be more clear:
  Forest A:
  Domain: main.local (Parent)
  Alternarive UPN: mycorp.com, child.mycorp.com
  Domain: child.main.local (Child)
  Alternative UPN: *came from parent domain"
  Forest B:
  Domain: test.local
  Alternarive UPN: none.
  Transitive Forest Trust between A & B Onedirection (Users in A can login/authenticate in B).
  user1 is in Forest A/main.local
  user2 is in Forest A/child.main.local
  If I try to logon in "Forest B/test.local"as: MAIN\user1 or [email protected] everything it's ok and I can logon.
  If I try to logon as: [email protected] it return me that user do not exist or password is wrong.
  If I try to logon as: [email protected] it return me that user do not exist or password is wrong.
  In "Active Directory Domain & Trust" under the propertie of the trust, under "Name Suffix Routing":
  *.main.local (Enabled)
  *.mycorp.com (Enabled)
  But as I wrote, I can't logon using "*.mycorp.com" as suffix in truster domain, only "*.main.local" or "DOMAIN\user".

• Exchange mailboxes, corporate AD, forest trust, arrays, Can you look this over?

  This is my first script, it took a while to figure some things out, but it is working. I wanted to know if it is overkill, or if there is something that sticks out that would be an easier way of accomplishing something with this script.
  Background info:
  Company was bought out, forest trust set up between corp network and ours (years ago). So what we wanted was to compare exchange mailboxes with linked mailboxes array, to be compared to corporate AD array with user accounts that are disabled. a list is created
  in another script which shows linked mailboxes and disabled corp AD accounts, helpdesk looks these through to make sure there are no exceptions. Exceptions are entered into PS cmdline, those are pulled out of the array. Then the left objects in the array are
  PST backed up to network share, and then mailboxes removed. Admin trust across corp allows Exchange admin to search through Corp AD through search-AdAccount cmdlet. The script is run from a VM with exchange server tools installed and running 32-bit os of Windows
  7 and 32-bit Office (Because that's how great... Exchange 2007 is for exporting mailboxes to PST). 
  Not sure of this, though it works: 
  <#Clear variables so they are not retaining any old values#>
  Get-Variable -Exclude PWD,*Preference | Remove-Variable -EA 0
  Wanted to clear variables before running script, data was being held over each run before adding this in
  Here is the code "xxxxx" used in lieu of server names:
  <#Import in modules, if statement for PSSnapin so that it doesn't throw an error if it is already loaded.#>
  Import-Module ActiveDirectory
  if ( (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue) -eq $null )
      add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin
  <#Clear variables so they are not retaining any old values#>
  Get-Variable -Exclude PWD,*Preference | Remove-Variable -EA 0
  <#Variables needed to complete script. $testIteration shows the number of times nested for loop happens, $exUserCorpMatch=@() is an empty array that will have objects added to it
  when linked mailboxes on Exchange are compared to disabled corp accounts, the $adminUser and $adPW are the login credentials so that anyone can enter admin login credentials to run script#>
  $errorLogPath = "c:\scripts\logs\exchangeADerror.txt"
  $testIteration=0
  $exUserCorpMatch=@()
  $adminUser = whoami
  $exceptionUsers=@()
  $exceptionArray=@()
  <#Create an Array from Get-mailbox cmdlet that has the value "LinkedMailbox" tying it to a Corporate account, .count value used to check results against expected#>
  $mailboxes = Get-Mailbox -resultSize unlimited -RecipientTypeDetails LinkedMailbox
  $mailboxes.count
  <#Create an array of objects from Corp server of user only dissabled accounts, .count value used to check results against expected#>
  $corpAccDis = Search-ADAccount -ResultSetSize $null -Server xxxxx -AccountDisabled -UsersOnly
  $corpAccDis.count
  <#Read in a list of users whose mailboxes shouldn't be removed#>
  while ($var -ne "q"){
      $var = Read-Host "Enter user exception linked mailbox name, or press q to quit entering names:"
      if ($var -ne "q"){
      $exceptionUsers += $var
  $exceptionUsers.count
  <#Create an Array with the usernames that were supplied by the Read-Host Cmdlet#>
  foreach ($name in $exceptionUsers){ 
  $exceptionArray += Get-Mailbox -Identity $name
  $exceptionArray
  <#Compare the two arrays on the value of name from the "Linked Master Account" and the Corp server "Sam Account Name" and insert the matching objects into an Array#>
  For ($a=0 ; $a -le $mailboxes.count -1 ; $a++){ 
      For ($b=0 ; $b -le $corpAccDis.count -1 ; $b++){
      $testIteration++
                          if ($mailboxes[$a].LinkedMasterAccount.Split("\")[-1] -eq $corpAccDis[$b].SamAccountName){
                              $exUserCorpMatch += $mailboxes[$a]
                              break
  $testIteration  #Test value checking nember of times the loop took place
  $exUserCorpMatch.count
  <#For loop to take exception users mailboxes out of the script#>
  For ($d=0;$d -lt $exceptionArray.Count; $d++){
      $exUserCorpMatch = $exUserCorpMatch| ? {$_.alias -ne $exceptionArray[$d].alias}
  $exUserCorpMatch.count
  $exUserCorpMatch | sort
  <#Taking the newly created array from the comparison and running the bulk of decisions, gives full access rights to the before entered admin account, then exports the mailbox to a PST
  file on the network share, and produces a txt file of the users properties, attributes, etc.. Then removes-mailbox, this is cmdlet is currently commented out until testing is done and 
  confirmed removal is ready to take place. #>
  for ($c = 0 ; $c -le $exUserCorpMatch.count -1; $c++){
      $fileCreationTime = Get-Date -UFormat "%Y%m%d%H%M%S"
      $displayName = $exUserCorpMatch[$c].DisplayName
      $pstFolderPath = Join-Path "\\xxxxx\exchangePST\" $fileCreationTime$displayName.PST
      $txtFolderPath = Join-Path "\\xxxxx\exchangePST\" $fileCreationTime$displayName.txt
      try {
          $everythingIsOk = $true
          Add-MailboxPermission -Identity $exUserCorpMatch[$c] -User $adminUser -AccessRights FullAccess -ErrorAction Stop -Verbose
      } catch {
          $everythingIsOk = $false
          Write-Warning "Permission add problem, logging error to $errorLogPath!"
          Write-Warning $error[0]
          $error[0] | Out-File $errorLogPath -Append
      if ($everythingIsOk){
          try{
          Export-Mailbox -Identity $exUserCorpMatch[$c] -PSTFolderPath $pstFolderPath -ErrorAction Stop -Verbose
          }catch{
          $everythingIsOk = $false
          Write-Warning "Export problem!"
          Write-Warning $error[0]
          $error[0] | Out-File $errorLogPath -Append
      if ($everythingIsOk){
          try {
          Get-Mailbox -Identity $exUserCorpMatch[$c] | FL | Out-File $txtFolderPath -ErrorAction Stop -Verbose
          } catch {
          $everythingIsOk = $false
          Write-Warning "Problem writing to txt"
          Write-Warning $error[0]
          $error[0] | Out-File $errorLogPath -Append
      if ($everythingIsOk){
          try{
          Write-Verbose "!!!!!!!!!!!!!!!!!!"
          <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
          } catch {
           Write-Warning $error[0]
           $error[0] | Out-File $errorLogPath -Append

  Half of you code appears to be doing nothing.
  This does nothing:
  if ($everythingIsOk){
          try{
          Write-Verbose "!!!!!!!!!!!!!!!!!!"
          <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
          } catch {
           Write-Warning $error[0]
           $error[0] | Out-File $errorLogPath -Append
  The way we do a limiting Try/Catch is to just use a single "try/catch".
  $fileCreationTime = Get-Date -UFormat "%Y%m%d%H%M%S"
  for ($c = 0 ; $c -lt $exUserCorpMatch.count; $c++){
  $displayName = $exUserCorpMatch[$c].DisplayName
  $pstFolderPath = Join-Path "\\xxxxx\exchangePST\" $fileCreationTime$displayName.PST
  $txtFolderPath = Join-Path "\\xxxxx\exchangePST\" $fileCreationTime$displayName.txt
  try {
  Add-MailboxPermission -Identity $exUserCorpMatch[$c] -User $adminUser -AccessRights FullAccess -ErrorAction Stop -Verbose
  Get-Mailbox -Identity $exUserCorpMatch[$c] | FL | Out-File $txtFolderPath -ErrorAction Stop -Verbose
  <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
  }catch
  Write-Warning $error[0]
  $error[0] | Out-File $errorLogPath -Append
  The following does the same thing your code did.  It executes but aborts further execution on an exception.
  ¯\_(ツ)_/¯

• Move domain to another forest (forest trust)

  Hello
  I have a forest with many domains , and other forest with a domain. They include a trust set up and working . I would like to have only one forest, but it would need to move that single domain in additional forest, and would like to know if it is possible then
  moving a domain from one forest to another forest in forest trust ?
  Thanks also suggestions stop solve my problem

  You're asking to move the domain itself? No, you can't move the domain. You can create a new domain in the forest you want to consolidate to, and then migrate users and groups to that forest. You'll have to migrate workstations and users and repoint
  applications as well, if needed. And then, you're not really moving them, you are creating new ones and copying properties of those objects. You mentioned a forest trust but all the forest trust allows you to do is to assign/use permissions from one forest
  in another. People speak of moving objects but like I said, for users and groups you're simply creating new ones with the same names, and copying properties over. Computers/servers are joined to the new domain, but it's a new computer account, not one that
  gets moved over.
  You'll need a migration tool to do this smoothly. As Malek mentioned ADMT, yes this is one tool that can do this. It's not necessarily the best or easiest tool, but it's free from Microsoft. There are also other third party tools such as Dell/Quest
  Migration Manager for AD and BinaryTree also has similar tool (there are others out there too). Those two latter tools have the ability to add permissions (ACL entries) to new domain objects, based on the old ACLs from the source domain. This can be a huge
  help for servers and workstations (allows the users to continue to use their same profile after their computer is migrated, and they are using their new user account. Otherwise Windows would just create a new profile when the user logged in with his/her new
  domain account.
  Depending on the size of the domain you want to move (how many objects), this could be a pretty big project. There's a lot going on in a migration, and based on your question, I'd recommend finding help with it if you can. There are a number of companies
  and consultants who specialize in AD migrations, even some consultation for planning could help tremendously.

• Forest trust - security issues and how to avoid

  Hi guys,
  I have few questions.
  1/Planning do Forest trust.We have Forest + Domain functional level at WS 2003 level.
  In case of trust what are the security issues and how to avoid them? Meant something like browsing in AD, possible hacking from new destination etc.
  2/ What in case that the trust will not be possible create because of security reasons (rejected by other company)? What can be an workaround for that? I have idea with resource forest or ADFS? Any other ideas?
  Thanks in advance or for a good link to study about.
  Petr Weiner

  Other than broad general answers it is difficult to answer this from the negative side.  I work in a very large company where we have hundreds of domains with one way trusts in place and I don't believe we have any security issues in place.  With
  the large numbers of domains we can't operate in any other fashion.  We have a user forest and many resource forests.  All of our domains and forests are operated and maintained within the company but if you have domains operated by different departments
  then you can run into issues on who trusts.  Also if you need to have a situation where you need to trust other companies then you start to look at ADFS, you can also use it internally for many applications as well as cloud services.  But as I already
  mentioned you haven't detailed what exactly is going on so it is hard to try and give you a concrete answer.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Bidirectional forest trust does not list child domains

  Hi all,
  we have this setup
  DomainA-ForestA <--------> Forest B-DomainB
  A bidirectional forest trust between ForestA and ForestB with domain-wide authentication. ForestA includes a domain DomainA and ForestB includes a domain DomainB. We're trying to authenticate via NTLM from a machine under DomainA to a resource under DomainB
  by contacting a PDC in ForestA without success.
  If we query a DC in DomainA for the trusts, we see that ForestB is listed, but ForestB.DomainB is not.
  What could be the cause?
  Thanks in advance

  Hello Frank,
  We're using NTLM because the customer wants it that way. The relevant part of the environment is:
  domainA(root) under forestA
  domainA1 under domainA (root) under forestB
  domainB under forestB
  Bidirectional forest trust. I do not know about transitivity. There are many other domains and forests which we do not care about in this instance.
  We're using a Java library (JESPA) to query a PDC emulator in domainA for the trusts. A non-complete edited sample output is:
  forestA={domain.netbios.name=forestA, domain.flags=0x0000001D, domain.trust.attributes=0x00000000, domain.dns.name=some.domain, domain.trust.type=2, objectGUID=, objectSid=},
  forestB={domain.netbios.name=forestB, domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=forestB.domain, domain.trust.type=2, objectGUID=, objectSid=},
  forestA.domainA={domain.netbios.name=forestA.domainA, domain.flags=0x0000001D, domain.trust.attributes=0x00000000, domain.dns.name=forestA.domainA, domain.trust.type=2, objectGUID=, objectSid=},
  forestB.domainB={domain.netbios.name=forestB.domainB, domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=forestB.domainB, domain.trust.type=2, objectGUID=, objectSid=},
  forestB.domainA={domain.netbios.name=forestB, domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=forestB.domain, domain.trust.type=2, objectGUID=, objectSid=},
  ~={domain.netbios.name=forestA, domain.flags=0x0000001D, domain.trust.attributes=0x00000000, domain.dns.name=forestA.domainA, domain.trust.type=2, objectGUID=, objectSid=}
  In the full sample there are many other domains not interesting in this scenario. You can see that forestB.domainA is listed as well as forestB.domainB but forestB.domainA1 is not. 
  We know this is not a library issue - and have already checked internally and with the library's vendor support - rather it's either a trust setup issue or PDC/DC configuration issue but do not know where the problem resides and how to solve it or work around
  it.
  In detail, the library we're using "sometimes may need to canonicalize a domain name (convert the NetBIOS name to the DNS name or visa versa). Unfortunately it is not uncommon for one or both names to be missing from trust information of foreign domains
  retrieved through the local NETLOGON service. This seems to be particularly true of older networks where Windows NT domains were migrated and merged into an AD forest over time."
  Although there's a workaround from the library side, it's not scalable enough to cover the entire network as we would need in the future.
  Do you have any inputs? Is this solution from the thread you linked the only way to add that missing information?
  You have to create a shortcut Trust to view the child Domain. For more information about shortcut trust,
  please refer to the article below. 
  Since this is a production environment we would like to limit the impacts as much as possible.
  Thank you again
  Best regards

• Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

  I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest than our offices.  Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2.  We have set
  up two-way forest trusts with our office domains using selective authentication.  We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain.  On the
  server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain.  However, after
  installing a 2012 R2 domain controller in an office domain, we can not use the 2012 domain controller to browse to the objects in the licensing domain.  It never asks for credentials for the licensing domain when we specify the objects we want to add
  from the licensing domain.  I simply states that the object can not be found.  When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that
  is logged on and this is failing since this user has no rights in the licensing domain.  I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has.  Can somebody tell me why this is happening
  and how to correct it?

  Hi,
  Based on my research, this is a known issue in Windows Server 2012 R2.
  According to the article below: “The Selective Authentication feature of selective trusts is
  not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.
  Release Notes: Important Issues in Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn387077.aspx
  Best Regards,
  Amy Wang

• How to add PDF files into a slides? (Flash 8)

  I am new to flash and I am using Macromedia Flash 8. My task is simple enough: I need create a Presentation with Screens from PDF files: I have 10-12 PDF files which I want convert into flash presentation.
  I have read this tutorial:
  http://w3.id.tue.nl/fileadmin/id/objects/E-Atelier/Phidgets/Software/Flash/fl8_tutorials.p df
  Chapter 11: Basic Tasks: Create a Presentation with Screens.
  I'm having trouble how to add PDF files into a slides: I want insert a whole pdf file as separate slide, without splitting pdf file into separate elements: pictures, text, etc. I tried import pdf file into Flash, wheen import there is shown prompt how program should process this pdf file(add in stage, library, as keyframes, etc) , not clear which option is correct for my task. What I got is pdf file splitted into multiple images, text, - which is not what I want. I want keep PDF files without changes, preserve original design and formatting, just convert this pdf into flash, so presentation will consist of PDFs organized in correct order, then add navigation buttons and some effects. How to solve this task?

  Just to avoid potential confusion... PDF is an Adobe format, but Flash 8 is/was not.  Flash 8 came out before Adobe bought Macromedia.  Even today, I don't believe anything has been done to accomodate direct integration of PDF content in Flash.