GSS authoritative for an entire domain.

Help me pls,
I need to balance client requests to domain names like, for example, FOO.COM. Unfortunately I can't do a CNAME and delegate it to GSS for this type of record, and am forced to delegate the entire domain to GSS.
If I create a DNS rule with 2 clauses, vip-group and ns-group, will GSS forward requests for unknown A records to the ns-group servers, or only do this for MX, CNAME, TEXT, NS records?
Thanks in advance

Hi Fanrus,
I haven't tested this, but if the answer type is NS, I guess it should forward the request to another DNS server to get the answer for the query. The documentation doesn't mention explicitly that GSS cannot send query type A to an NS group, but it doesn't mention that it can either.
Regards,
Kanwal

Similar Messages

  • Does GSS have to assume authoritative role for the entire domain?

    We'd like deploy GSLB for a critical application between two datacenters.
    From reading through a few documents, it appears the GSS needs to be the authoritative name server for a zone/domain?
    Is it possible for the GSS to only answer DNS queries for a few (or a single) VIP's?
    For example, is it possible for GSS to only handle queries for app1.abc.com, instead of the entire abc.com?
    Or do we have to create a new sub-domain, such as glb.abc.com, and change the application's FQDN to app1.glb.abc.com?
    thx,
    Kevin

    You can make the GSS authoritative for a few VIPs or services if you like. You will need to tell DNS to delegate the subdomains or services to the GSS.
    Will

  • Wallpaper fixed for the entire domain with group policy but some systems are getting the updated wallpaper

    Hi,
    I fixed the wallpaper for the entire domain and it was applied to the entire domain.
    After some days, I changed the domain wallpaper. Then some systems are showing the new wallpaper and some systems are showing the old wallpaper.
    I have applied the gpupdate /force command on those systems that didn't get the wallpaper.
    Could you please suggest.

    Hi Srikanth,
    First, please make sure that the GPO is applied to client properly.
    To check that, please follow the steps below:
    gpupdate /force
    gpresult /h C:\report.html
    Note: This procedure needs the privilege of the Administrator.
    If the GPO is applied properly, please try to reboot the client.
    If issue persists after reboot, please check if the following link is helpful:
    The "Desktop Wallpaper" Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2
    https://support.microsoft.com/en-us/kb/977944
    Best Regards.
    Steven Lee

  • Is there a way to stop firefox from asking to remember a password for an entire domain?

    At work I have to connect through our website multiple times a day to client machines. We use our machine that creates a connection which is accessed by going to http://*****.ourfakeserver.com where the ***** will change each time. I would like to not be prompted every time I go to ourfakeserver.com. Is there any way to do this?

    The problem is that the subdomain changes all the time. I want to set the "Never Remember Password for This Site" for a whole domain regardless of the subdomain.

  • Using get-aduser to search for enabled users in entire domain filter ..

    Hi,
    my first post here.
    I have the following problem. I am trying to figure out how to create a PowerShell command (with get-aduser) that searches for only enabled users (in the entire domain) whose user account login names start with "b" or "B" (because their user account login names are composed of Bnnnnn, n=numbers). I suppose that a string of "B*" in the command should be sufficient. The query result must show the user account login name (Bnnnnn), first name and last name and the enabled (yes) status of those enabled users. I would like to write the entire query result to a file (csv format), saving it to c: for example.
    Please help. Thanks in advance

    I use -LDAPFilter mostly because I am used to the LDAP syntax. It can be used in PowerShell, VBScript, dsquery, VB, and many command line utilities (like Joe Richards' free adfind utility). Active Directory is an LDAP compliant database.
    The PowerShell -Filter syntax can do the same things, but the properties it exposes are really aliases. I'm used to the AD attribute names, like sAMAccountName and userAccountControl. PowerShell uses things like "enabled" and "surname", which are aliases you need to know or look up. For example, the Get-ADUser default and extended properties, with the actual AD attributes they are based on, are documented here:
    http://social.technet.microsoft.com/wiki/contents/articles/12037.active-directory-get-aduser-default-and-extended-properties.aspx
    Finally, note that the "Name" property refers to the Relative Distinguished Name (RDN) of the object, which for user objects is the value of the cn attribute (the Common Name of the user). This may not uniquely identify the user, as it only needs to be unique in the parent OU/container. The user login name (pre-Windows 2000 logon name) is the value of the sAMAccountName attribute, which must be unique in the domain. In the Wiki article I linked, we see that the PowerShell alias for this attribute is "SamAccountName" (in this case the name of the property matches the name of the AD attribute). All of this can be confusing.
    Richard Mueller - MVP Directory Services
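
The query from this thread, written once with -LDAPFilter and the AD attribute names and once with -Filter and the PowerShell aliases, so the two syntaxes can be compared. This is an added example, not code posted by anyone in the thread; the output path and the stricter `^b\d+$` check are assumptions made for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumed output path for this example.
$csvPath = 'C:\EnabledB-Users.csv'

# LDAP syntax, using AD attribute names.
#   sAMAccountName=b*  : LDAP comparison on this attribute is case-insensitive,
#                        so this matches both "b..." and "B...".
#   userAccountControl : bit 0x2 is ACCOUNTDISABLE; the OID 1.2.840.113556.1.4.803
#                        is the bitwise-AND matching rule, and the leading "!" negates it.
$ldapFilter = '(&(sAMAccountName=b*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$viaLdap = @(Get-ADUser -LDAPFilter $ldapFilter)

# The same query in -Filter syntax, using the PowerShell aliases
# (SamAccountName, Enabled) instead of the raw attributes.
$viaFilter = @(Get-ADUser -Filter 'SamAccountName -like "b*" -and Enabled -eq $true')

# Both forms should return the same accounts; warn if they do not.
$namesLdap   = ($viaLdap.SamAccountName   | Sort-Object) -join ','
$namesFilter = ($viaFilter.SamAccountName | Sort-Object) -join ','
if ($namesLdap -ne $namesFilter) {
    Write-Warning 'The -LDAPFilter and -Filter queries returned different accounts.'
}

# LDAP wildcards cannot express "B followed only by digits", so the Bnnnnn
# pattern is enforced client-side (-match is case-insensitive by default).
$viaLdap |
    Where-Object { $_.SamAccountName -match '^b\d+$' } |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, GivenName, Surname, Enabled |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
```

SamAccountName, GivenName, Surname and Enabled are all in Get-ADUser's default property set, so no -Properties argument is needed for this report.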

  • Need WLST for Weblogic portal domain 9.2.2.

    Hi,
    I am very much in-need of it. Can you please provide me the Need WLST for Weblogic portal domain 9.2.2.
    Actually, we are using weblogic 9.2.2 version.
    Actually, I created a portal domain configuration using configuration wizard and the same I documented with screen shots.
    Now I need the wlst for the same configuration which I created the doc for.
    Please can you help me out doing this.
    If you are ok, then I will share you my doc, so that you can help me out easily.
    Please please please................
    Thanks in Advance..

    You have a few options to build a WLST script from the admin/config operations that you have performed in your development environment using console.
    OPTION 1: (WLST Recording)
    Check the below video. (The only drawback is that this video talks about the WLST recording feature which is available only on WLS10.0. Of course, if you have a 10.0 installation you can still use this feature and then make some small modifications to the generated script to make it suitable for 9.2)
    http://www.youtube.com/watch?v=luhBaviP2uM
    OPTION 2: (Converting the configuration to a script)
    After you have configured your entire domain using the console, you run the configToScript command as per the below documentation (To run this you need to invoke WLST and then run the command with appropriate arguments such as path to the config.xml file etc)
    http://docs.oracle.com/cd/E13222_01/wls/docs92/config_scripting/reference.html#wp1154848
    Then you can use the generated script to create similar domains in your Test AND Production environments.
    Arun

  • Unable to find domain controller for the specified domain. Please explicitly specify the domain controller.

    I'm getting error "Unable to find domain controller for the specified domain. Please explicitly specify the domain controller." when I try to create an AD connection for my User Profile Service. The entire SharePoint environment is installed on one server. That server has everything on it, AD, SQL, SharePoint, and it's the domain controller. I can't figure out why this will not identify?
    Trevor Fielder

    Hi,
    Did you get this error when clicking on the Populate Containers button?
    If yes, please make sure that you have provided the domain credentials in the account name and password boxes below when entering the domain information. The account must be granted the replicating directory changes permission on the domain.
    You can refer to this blog:
    http://www.harbar.net/articles/sp2010ups.aspx
    Xue-Mei Chang

  • We have 4 iphones in our family and an Ipad.  When we purchase music I would like for the entire family to be able to use it.  Should each of us use a different apple account or should we use the same one.

    We have 4 iphones and an Ipad in our family. When we purchase music, I would like for the entire family to be able to use it and then back it up to Icloud. What is the best and cheapest way for this to happen.  Should we all have a different apple id or should we use the same one.

    You will all need to be on the same iTunes account ID.
    You can however all have separate iCloud accounts as well.

  • How do you organize multiple mailboxes for each accepted domain with the same local part?

    Let's say we are accepting emails for the two domains wine-and-cheese.com and beer-and-pretzels.com.
    I plan to create two mailboxes [email protected] and [email protected]
    By default, the local part of the SMTP address uses the alias, which is the same as the sAMAccountName. Since I cannot have two AD users with the same sAMAccountName, I choose to name them "info-wine" and "info-beer". The result is that I have two mailboxes with the address [email protected] and [email protected], respectively.
    One thing I could think of would be to manually add [email protected] and [email protected] to the corresponding mailboxes. I prefer to avoid anything that has to be done manually.
    Another idea, that involves manual editing is, to change the aliases of both mailboxes to "info", but that results in having the second mailbox create the SMTP address info2@….
    I am very interested how you handle those situations, particularly in bigger companies with more than 50 employees and 75 mailboxes.

    Hi ,
    Alright, based on my knowledge I have given some points, please have a look into this.
    Step 1 :
    Please create the first user account on AD in the below format.
    info as the first name in AD
    wine as the last name in AD
    Then please create the second user account on the AD in the below format.
    info as the first name in AD
    beer as the last name in AD
    Step 2 :
    Then you need to have the email address policy with the custom type attribute which should apply the email address based upon the first name, so that all the email addresses will have the first name (i.e.) "info" as the prefix.
    Custom type attribute should have to be like
    %[email protected]
    %[email protected]
    %[email protected]
    %[email protected]
    Note: The custom type attribute which is created first will be the primary address for all those mailboxes. In the above example @wine.com will be the primary SMTP address for those mailboxes. In case you want some set of mailboxes to have the suffix @wine.com as the primary SMTP address and some set of mailboxes to have the suffix @beer.com as the primary SMTP address then you need to create a separate email address policy with rules.
    Reference Link : 
    https://technet.microsoft.com/en-us/library/bb232171(v=exchg.150).aspx
    Please reply me if you have any queries.
    Thanks & Regards S.Nithyanandham

  • Why did the App Store bill my debit card for the entire app fee when I had money on my account?

    I bought a Music Studio app recently that cost $15 and I had $15.04 on my account. I was aware this wasn't enough for tax, so I tried to use a debit card when it said I had insufficient funds. After the process, it took no money off of my account, but billed the debit card for the entire fee. Can I get this payment rearranged? Or a refund?

    Contact iTunes. See:
    Contact iTunes

  • I have a new hard drive as my old one crashed. Everything seemed to transfer fine except for my entire iTunes library. It shows all of my old songs, but when I click on one it states "the song could not be used as the original file could not be found

    I have a new hard drive as my old one crashed. Everything seemed to transfer fine except for my entire iTunes library. It shows all of my old songs, but when I click on one it states "the song could not be used as the original file could not be found. Would you like to locate it".
    Either how do I locate it, and I've tried every trick I know, or how do I restore all of my songs from one of two sources. I have my old hard drive backed up on an external drive which should have all of my songs, and I have most of my songs on my old iPhone 3S which I'm using as a backup iPod.

    The "missing file" error happens if the file is no longer where iTunes expects to find it. Possible causes are that you or some third party tool has moved, renamed or deleted the file, one of its parent folders, or the drive it lives on has had a change of drive letter. It is also possible that iTunes has changed from expecting the files to be in the pre-iTunes 9 layout to post-iTunes 9 layout, or vice-versa, and so is looking in slightly the wrong place. In the case of a library moved from one system to another there are also potential permissions issues. See Repair security permissions for iTunes for Windows.
    Select a track with an exclamation mark, use Ctrl-I to Get Info, then click No when asked to try to locate the track. (Due to a bug in iTunes 12 you currently have to say No twice!) Look on the summary tab for the location that iTunes thinks the file should be. Now take a look around your hard drive(s). Hopefully you can locate the track in question. If a section of your library has simply been moved, a folder renamed, or a drive letter has changed, it should be possible to reverse the actions. If the difference between the two paths is an additional Music folder in one path then this is a layout issue. I can explain further if that is the case.
    In some cases iTunes may be able to repair itself if you go through the same steps with Get Info but this time click Locate and browse to the lost track. It may then offer to attempt to automatically fix other broken links.
    If another application like Windows Media Player has moved/renamed the files then the chances are that subtle differences in naming strategies will make it hard to restore the media to the precise path that iTunes is expecting. In such cases, as long as the missing files can be found somewhere, you should be able to use my FindTracks script to reconnect them to iTunes. See this post for an explanation of how it works.
    See also Recover your iTunes library from your iPod or iOS device.
    tt2

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       a. Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       b. Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       a. Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       b. Client auto-configuration:
          i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
          ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
          iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field. This is no longer a requirement (it was in OCS) as it is possible to create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share the same domain namespace. Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.

  • Authentication for multiple AD domains

    Hello,
    Currently we have an MS AD datasource as UME for all our internal portal users. We also have SPNego set up for authentication for our EP 7.0. The user path and group path is of the form   dc=dom1 dc=company dc=domain dc=com.
    Now we are planning to add additional domains to authenticate users.
    Will the configuration differ if they are maintained on a different LDAP server altogether or when only the user and group paths are different for the new domains as shown below? The user path and group path is of the form dc=dom2,dc=company,dc=domain,dc=com and dc=dom3,dc=company,dc=domain,dc=com.
    It seems that we have to change the datasource file for the additional LDAP scenario. But are both of these the same? Would appreciate if someone could clarify this.
    Rgds

    Vineeth,
    Within the 1 file, you can setup n-number of datasources.  Below is an example.
    As for having SPNego work for only 1 of those datasources (AD domains), I can't say if that will work.  We have SPNego working for all our domains.  There is probably something you can do within AD or your domain controller to limit Kerberos authentication.
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
    <!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
    <dataSources>
         <dataSource id="PRIVATE_DATASOURCE1" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
              <homeFor>
                   <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                   </principals>
              </homeFor>
              <notHomeFor/>
              <responsibleFor>
                   <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                   </principals>
              </responsibleFor>
              <privateSection/>
         </dataSource>
        <dataSource id="PRIVATE_DATASOURCE2" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
                <homeFor>
                    <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                    </principals>
                </homeFor>
                <notHomeFor/>
                <responsibleFor>
                    <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                    </principals>
                </responsibleFor>
                <privateSection/>
        </dataSource>
        <dataSource id="PRIVATE_DATASOURCE3" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
                <homeFor>
                    <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                    </principals>
                </homeFor>
                <notHomeFor/>
                <responsibleFor>
                    <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                    </principals>
                </responsibleFor>
                <privateSection/>
        </dataSource>
    </dataSources>

  • Can I set up storage in icloud for the entire family?

    Can  I set up storage in iCloud for the entire family under 1 account?

    See: Family Sharing and also the site http://www.apple.com/icloud/family-sharing and see if that helps.

  • How to set the icon for the entire application with JFrame.setIconImage

    I set the icon on the main frame using JFrame.setIconImage(). The icon is shown properly in the main frame.
    If more JFrames are opened from the main frame, the newly opened JFrames also show the icon.
    However if JDialogs are opened, in some cases the icon set on the main frame is shown and in other cases the coffee cup.
    What is JFrame.setIconImage() expected to do? Setting the icon for a single JFrame or the entire application?
    How can I set the icon for the entire application?
    How can I set the icon for JDialogs?
    Thank you

    In order for your dialogs to use the same icon as the frame, you must parent the dialogs to the frame which has the custom icon.
    See the following thread for more information: http://forum.java.sun.com/thread.jsp?forum=57&thread=362542
    cheers,
    Greg
