Group Management related to different forest

Can anyone please help me to achieve the goal below:
Environment:
Two Forests: ForestA and ForestB
Trust: 2 way
In FIM:
Created 2 AD MAs (ADMA-A and ADMA-B) and pulled users from both forests into MV, and then flowed them to FIM Portal.
Created one more AD MA (ADGroupMA-A) which is connected to Forest A. This MA is used for group management in Forest A.
There is a group in Forest A called GroupA.
Requirement:
We have added a few Forest A users and a few Forest B users to GroupA using FIM Portal and then flowed the members of this group back to MV.
So in MV we have users from both Forest A and B as members of this group.
Now I have to flow these members (both Forest A and Forest B) to the ADGroupMA-A management agent. However, I am not able to do this because the connector space stores these users as references and we don't have any reference for Forest B users in the ADGroupMA-A connector. (ADGroupMA-A is only connected to Forest A.)
How can we resolve this issue so that we will be able to flow users from both forests (A and B) as members of a group which exists in Forest A?
Thanks in advance!!

Take a look at the Cross Forest Deployment guide:
http://technet.microsoft.com/en-us/library/ff721965(v=WS.10).aspx
David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

Similar Messages

  • Group managed service accounts for SQL Server

    Hey guys,
    Unfortunately I missed that (g/s)MSAs aren't supported yet for SQL Servers, but I've been using them without any worries for ages.
    As I dug a bit deeper I could find different information in the related TechNet entries. So it seems Microsoft's information about (s)MSAs and gMSAs isn't consistent.
    I'm not a SQL Server guy and use SQL only for System Center testing stuff, so I would like to get the real-world experience of SQL Server guys.
    Should I continue using gMSAs, or are there any worries I should know about?
    some sources I found so far:
    Not supported:
    "Hi Adam,
    Thank you for your feedback. Windows Server 2012 Group Managed Service Account is not currently supported as SQL 2012 released earlier than Windows Server 2012. We will consider to support gMSA in future SQL Server release.
    Regards,
    Min He, Program Manager, SQL Server"
    11.2012 -
    https://connect.microsoft.com/SQLServer/feedback/details/767211/gmsa-for-sql-server-failover-Clusters
    gMSA are not yet available, are not yet supported for SQL Server. gMSA exist and are available and supported in Windows Server 2012 and higher. SQL does not support them, but from an OS perspective, they exist and are supported.
    http://blogs.msdn.com/b/sqlosteam/archive/2014/02/19/msa-accounts-used-with-sql.aspx
    Within the FAQ Task Scheduler isn't supported as well ...
    http://technet.microsoft.com/en-us/library/ff641729%28WS.10%29.aspx
    ... but PFEs are also using them for tasks... this is confusing... 0o
    http://blogs.msdn.com/b/arvindsh/archive/2014/02/03/managed-service-accounts-msa-and-sql-2012-practical-tips.aspx
    supported?:
    Configure Windows Service Accounts and Permissions
    ... New Account Types Available with Windows 7 and Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/ms143504(v=sql.110).aspx#Default_Accts
    The MSA must be created in the Active Directory by the domain administrator before SQL Server setup can use it for SQL Server services.
    other sources don't mention s/gMSAs...
    I couldn't find clear information about using gMSA for SQL Server 2014,
    only the same page, which also looks like the page for 2008 R2 and SQL 2012.
    Configure Windows Service Accounts and Permissions
    SQL Server 2014
    http://msdn.microsoft.com/en-us/library/ms143504.aspx
    annoying topic so far... ;) 

    Hi Enrico
    aside from what Dan says about the risk for support, on which I agree, the following thread may clear it up a bit:
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/acb2048c-ffce-4d44-b882-6aafc7eb689d/managed-service-accounts-to-run-sql-server-service?forum=sqlsecurity
    Andreas Wolter (Blog | Twitter)
    MCM - Microsoft Certified Master SQL Server 2008
    MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.andreas-wolter.com | www.SarpedonQualityLab.com

  • Group Management (IGLDA)

    i have a short question about group management in AD. i've read a lot about IGLDA/IGUDLA and while most of it is quite clear, i still wonder whether to use the domain local groups for each and every object i apply permissions to. i understand that i use the DL groups when assigning permissions to file shares, printers, ... but what about delegating permissions to AD objects like group policies and OUs? do i also use DL groups in that case? or what about groups that i assign specific rights to like local admin permissions on my workstations or RDP access to specific servers?
    all the examples in the various blogs/books/articles only speak about file/printer permission and don't elaborate about permissions in AD itself - so maybe someone can shed some light into this?

    > <http://ss64.com/nt/syntax-groups.html> site marks the setting of
    > permissions on AD objects for DL groups with a warning saying "not
    > recommended by MS".
    That's definitely "partially wrong" :)
    https://technet.microsoft.com/library/cc786285.aspx states:
    "If multiple global groups need the same access, create a local group
    containing the global groups and assign permissions to the local group."
    On the other hand, using domain local groups can introduce issues when
    accessing the global catalog: The replica in the global catalog has the
    same ACL as the original object, but if the user is in a different
    domain and accesses the GC in this different domain, the DL ACLs will
    not work... Thus preventing access to the object. Or - worse, if you use
    DENY ACLs with DL groups - granting access where it shouldn't.
    https://technet.microsoft.com/library/cc759007.aspx
    Martin
    Want to read a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    i love it when MS documentation contradicts itself ;) your second link states "As a best practice, you should avoid using domain local
    groups when assigning permissions on Active Directory objects" while the first link recommends this as "best practice". if i understand correctly, it only hurts me when i'm in a multi-domain environment, right? then what about using DL groups
    with members of a trusted (forest-external) domain? do the same constraints regarding not working ACLs apply?

  • Work Group Manager Reports and Logs

    Mac Manager maintains logs and displays current activity information somewhat differently than Work Group Manager. With Mac Manager we are able to quickly report for Activity Log, Disk Usage, Connected Machines, Printer Quotas, Workgroup by User, Computers, Checked Out Computers and user activity.
    How can we duplicate such a report with Work Group Manager?
    We are a school district that is 88% Macintosh and miss the reports and logs feature in Mac Manager (10.3.9).
    Hope to hear and find a solution to this challenge.
    Marco Baeza, Director of Technology

    Hello,
    Possibly some ideas here. http://www.macintouch.com/macmanager.html
    Carolyn

  • REP-1510 Group manager unable to compute column

    Hi all,
    I am using Oracle 6i Report Builder. I have created a matrix report with different types of grouping and I tried to add a slno in the matrix report. I used a summary column for showing the serial number, but the serial number is showing on the report when the user has selected only one item (fromitem=01 and toitem=01). When the user has selected more than one item (from item=01, toitem=10) it shows the error
    'REP-1510 Group manager unable to compute column'.
    How can I solve this issue? How can I create a serial number in my matrix report?

    try this one
       SELECT ROW_NUMBER() OVER (ORDER BY COLUMN_NAME) SLNO FROM TABLE_NAME;

  • Cisco Prime 4.2, Inventory group management and reports group

    Hi
    I have created some groups under Inventory > Group Management > Device.  This works fine.
    Then I want to create a monthly report for Reports > Performance > Device > Availability.  Here I guessed I would find my groups created under inventory.
    But I can see the groups, one group is duplicated, but all groups are empty.  Under all devices, I can only see 6 of the devices but it should have been 122. Under the different subnet groups, there are no devices.
    Shouldn't I have seen the groups created under inventory when I want to make a report? Under the device list for quick report.
    Br
    Geir

    Hm.... strange  I've been looking around under Report, and looked at Inventory and Performance reports.
    Inventory > Detailed Device shows all the devices and my groups.
    Performance > Device > Availability show just 6 out of my 122 devices.
    Under Inventory > Group Management > Device I have a group called Datasenter.
    Under Performance > Device > Availability I can see 2 of these groups, but they're both empty.
    When I delete this group, one of them disappears from under Performance.  When I create it again, it comes back but empty.
    Something must be corrupt.
    Geir

  • Can AD work with different forests?

    Hello Community
        Using AD is it possible to bring in a "group" from a domain
    in one forest into a group in a domain in a different forest
    when a one-way trust relationship exists, if so how?
        Note: If it is possible can the users "friendly" username
    be retained instead of the usernames changing into  "SID's"?
        Thank you
        Shabeaut

    It is possible.  My production has a one way trust with another forest and I am able to assign permissions/group nesting like how you're asking.
    For your SID translation, there is a security option you may want to check in to.
    LocalSecurityPolicy(secpol.msc)->Security Settings->Local Policies->Security Options -> Network Access: Allow anonymous SID/Name Translation.
    That setting has given me grief in the past.
    -If you have found my posts to be helpful, or the answer, please mark it appropriately.  Thank you.
    Chris Ream

  • AD Migration from one domain to another domain between different Forest.

    Dear Team,
    We have a domain named "test.gov.in". Now we want to migrate all the users, computers, groups, GP, etc. into our new domain "abc.net". The operating system of the source DC and destination DC is the same (Windows 2003 32 bit).
    Please provide me the steps to migrate one domain to another domain between different forests.
    Thanks
    Anurag

    Would agree with Christoffer and migrate using ADFS but before you can do this you will need to set up a trust between the two domains.  Once this has been accomplished then you can run ADMT.
    http://technet.microsoft.com/en-us/library/cc740018(v=WS.10).aspx
    Downloading ADMT is a free tool from Microsoft
    http://www.microsoft.com/en-us/download/details.aspx?id=8377
    ADMT Guide
    http://www.microsoft.com/en-us/download/details.aspx?id=19188
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.
    I think you mean ADMT and not ADFS :)
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Pushing client to machines in different forests with different user accounts

    I'm managing 2 different forests and need to use 2 different accounts to perform the client push installation. I see that I can add more than one account to the client push installation properties. Will the client push installation process try all the configured
    accounts until it succeeds? Or must I constantly move one of the accounts to the top of the list depending on where I'm pushing the client? 
    thanks!

    Hi,
    As Paul wrote, it will try all the accounts in the list. Make sure that you have working name resolution in place; that is what normally causes the biggest issues when pushing clients to computers in other forests.
    I always end up using Jason Sandys' legendary startup script,
    http://blog.configmgrftw.com/?page_id=349 which is much easier, and you don't have to open firewalls and use service accounts to deploy the client.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • Can I run the admin and managed servers as different users?

    in unix, is it possible to run my admin and managed servers as different users with 7.1?

    As long as users are in admin group, there could be different users starting different
    servers.
    "Frank" <[email protected]> wrote:
    >
    "Erik Johnson" <[email protected]> wrote:
    Hi, Frank.
    Could you be a little more specific about what it is you want to do?
    Thanks.
    erik
    Uh, I'm on unix, I have Weblogic 7.0 service pack4. I have 1 managed server and I have one admin server...Can I run the admin server as user 'hithere' and run the managed server as user, 'byethere'......
    "Frank" <[email protected]> wrote:
    in unix, is it possible to run my admin and managed servers as different users with 7.1?

  • Group Managed Service Accounts Error Message access denied

    Hi, I am playing around with group managed service accounts in my lab using a 2012 R2 DC on a 2012 R2 forest and domain level, .NET 3.5 installed.
    I am following this tutorial
    http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
    1. I installed the keys
    2. I waited for 10 hours
    3. I created the GMSA
    4. I tried to install the GMSA on the DC logged in as the Domain admin under an administrative PowerShell prompt
    5. I got the nasty error: access denied message.

    the powershell statement could be wrong...
    -PrincipalsAllowedToRetrieveManagedPassword
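
For the access-denied thread above, a check of whether the current host is among the principals allowed to retrieve the gMSA password before installing the account. This is an added example, not part of the original posts; the account name `gmsaLab01` and the function name `Test-GmsaRetrievalAllowed` are hypothetical, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example. 'gmsaLab01' and Test-GmsaRetrievalAllowed are hypothetical names.
Import-Module ActiveDirectory

function Test-GmsaRetrievalAllowed {
    param(
        [Parameter(Mandatory)] [string] $GmsaName,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Read the principals that were passed to
    # -PrincipalsAllowedToRetrieveManagedPassword when the gMSA was created.
    $gmsa = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    $computer = Get-ADComputer -Identity $ComputerName
    $allowed  = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

    if ($allowed.Count -eq 0) {
        Write-Warning "No principal may retrieve the password of $GmsaName."
        return $false
    }

    foreach ($dn in $allowed) {
        $principal = Get-ADObject -Identity $dn

        # Direct grant to the computer account.
        if ($principal.DistinguishedName -eq $computer.DistinguishedName) {
            return $true
        }

        # Grant through a group: resolve nested membership.
        if ($principal.ObjectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $dn -Recursive
            if ($members.DistinguishedName -contains $computer.DistinguishedName) {
                return $true
            }
        }
    }

    Write-Warning "$ComputerName is not allowed to retrieve the password of $GmsaName."
    return $false
}

# Run on the host that should use the account (in the thread, the DC itself).
if (Test-GmsaRetrievalAllowed -GmsaName 'gmsaLab01') {
    Install-ADServiceAccount -Identity 'gmsaLab01'
    Test-ADServiceAccount -Identity 'gmsaLab01'   # True when the host can use the gMSA
}
```

A computer that was only just added to an allowed group does not see the new membership until its Kerberos tickets are refreshed, for example by a restart, so the check can pass while the install still fails.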

  • Do Group Managed Service Accounts require permissions to run service in question?

    I'm testing out GMSA (Group Managed Service Accounts) in Windows 2012 R2. My domain and forest functional level is 2008 R2 (which I understand is the minimal functional level for GMSA support). 
    Question I have is if I create a new GMSA for a particular service, does the GMSA require permissions to run service? For example, SQL rights, IIS rights, etc...
    Also, can they be used to run scheduled tasks? Thanks.

    a gMSA is like any other service account. when you use it you need to prepare for whatever the app/service requires. then you need to think HOW to implement. the HOW focusses on if you can use gMSA for the app/service or not, because it depends on the app and the underlying os
    regarding scheduled task support for gMSA  see
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/42273a38-05dc-4f62-b915-8f55480d59bd/how-do-i-use-a-group-managed-service-account-with-the-task-scheduler?forum=winserver8gen
    https://technet.microsoft.com/en-us/library/hh831782.aspx
    http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies
    COMMUNITY...:
    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

  • Error Message when accessing Group Manager

    When I click the "Create Group or Add New Members" button, I get the following message, System error. Please re-try your action. If you continue to get this error, please contact the Administrator." I have tried various browsers, cleared cache, etc. Also, one of my external users reports not being able to access a workspace. I am wondering if the two problems may be related. I cannot access the group manager to see if the user has appropriate permissions.

    We would need to know the group and the user affected to be able to help.
    Are you the manager of the group - when you connect to the userAdmin tool = right hand button on the main https://beehiveonline.oracle.com page you will see who is the manager and can get them to add the user.
    If you are the manager then we need to fix the access.
    If you want to email me directly with the details of the group etc. my email is [email protected]
    Phil

  • Group Items showing for different lengths of time

    I have created a group of check and x-marks to indicate correct and incorrect answers.  The check mark and X-mark are both smart shapes.  In my advanced actions, I hide the group and then show either a check or X-mark after the answers have been submitted.  The advanced actions are written as, " show X-mark" and "Hide Check Mark" and vice versa.  But when I preview the slide the check mark only stays by the correct answers for 3 seconds, and the X-marks remain. 
    Any ideas as to why two items in a group would display for different lengths of time?

    Lieve, was the timeline okay or did you need more?  One thing that was different about the check marks, I noticed, was that they were set as "Use as button".  I unchecked that box for each of the 72 check marks that are on my slides.  I think that I got them all.   However, they are still each linked to 24 Object style manager Smart Shapes which will help me position them three at a time.  I don't see anything in the Object style manager that has a setting that might affect the length that they stay visible.

  • How to copy table from database in one forest to a database in a different forest?

    Hello Community
        Using Windows 2008 Server Enterprise there exists 2 Forests,
    each containing their own SQL Server 2008 installations, a scenario exists as follows:
         a)"Domain1" resides in "Forest1" which has SQL Server 2008 containing
             a database named "Database1" which contains a table named "Table1".
         b)"Domain2" resides in "Forest2" which also has SQL Server 2008
             but containing a database named "Database2" which contains a table
             named "Table2".
        I tried to use <domain_name>.<server_name>.<owner_name>.object
    but that syntax didn't work.
        How can I copy "Table2" from "Database2" into "Database1"
    (keeping in mind the databases are in different forests and domains)?
        Thank you
        Shabeaut

    Configuring a linked server might help you
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/329709ca-349d-490d-9b42-7443caa97364/how-to-created-linked-server-between-two-different-domains?forum=sqlsecurity
    OR
    Generate the schema with data of Table1 using scripting wizard under advance setup and execute the sql file in domain2.
    -Prashanth
