Identity firewall with Single Forest/Multi-Domain

I have a question with regard to setting up the ID firewall on the ASA 5585 in a single-forest, multiple-domain Windows network.
Currently I have a semi-operational IDF at the top level but can't find users in the other, lower-level domains. Here is the setup:
I have 3 domains.
domain1.test.com
domain2.domain1.test.com
domain3.domain2.domain1.test.com
Both domains have a two-way parent-child trust and I can look up users in AD Users and Computers on both domains. I initially set up the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the AD Agent. I installed the AD Agent on the domain1.test.com domain controller, configured the settings on that system, and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain2 and domain3 users and found none. I went ahead and added the domain2 system to the AD Agent on the DC and the system says that it is up, but when I search for users it is not pulling them from domain2. Instead, it shows domain1 users as domain2\user1. I also configured another AD server entry in the ASA to search LDAP on domain2, to no avail.
The cisco documentation states the following:
• Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).
Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.
Reading that, it sounds like it should just work. I had everything properly configured before I installed the AD Agent, but I'm guessing that there is a chance that you can't have the AD Agent on the top-level DC and get it to communicate with the lower-level domains. I wanted to ask, though, before I blow everything up and start over. The instructions are not overwhelmingly clear on what needs to be done in this scenario. Suggestions?

Hi Matthew,
If I understand your post correctly, the problem is that the ASA is unable to search users in domain2, correct? This portion of the communication is unrelated to the AD Agent, but it sounds like the Agent can talk to the DC just fine. The ASA searches for users directly on the DC via LDAP queries. The communication between the ASA and the Agent is all done via RADIUS.
If the above is correct, I would focus on why the LDAP queries are failing between the ASA and the domain2 DC. Feel free to open a TAC case on this as well for additional assistance from the AAA experts.
-Mike
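Mike's advice above is to look at the LDAP leg between the ASA and the domain2 DC. The script below is an added example, not Cisco's code and not from this thread; it performs a purely offline consistency check of that leg: for each identity domain it derives the base DN the domain's DNS name implies and compares it with the `ldap-base-dn`, `ldap-scope` and `ldap-login-dn` of the aaa-server group the domain is bound to. The config fragment, the 192.0.2.x addresses and the DOMAIN1/DOMAIN2 to DNS-name mapping are constructed values; the command forms follow the ASA identity firewall configuration guide. A group for domain2 that still carries domain1's base DN, or a one-level scope that misses users in nested OUs, is the kind of mix-up worth ruling out before opening a TAC case.

```python
"""Offline sanity check of ASA identity-firewall LDAP aaa-server groups.

Added example, not Cisco code and not from this thread. Every value below is
constructed: the config fragment, the host addresses (RFC 5737 documentation
range) and the mapping of identity domains to DNS names are assumptions.
"""
import re

# Constructed ASA running-config fragment in the style of the IDFW guide:
# one LDAP aaa-server group per domain plus the user-identity bindings.
# The DOMAIN2 group is deliberately wrong so the checker has something to find.
SAMPLE_CONFIG = """
aaa-server DOMAIN1 protocol ldap
aaa-server DOMAIN1 (inside) host 192.0.2.10
 ldap-base-dn DC=domain1,DC=test,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,CN=Users,DC=domain1,DC=test,DC=com
 server-type microsoft
aaa-server DOMAIN2 protocol ldap
aaa-server DOMAIN2 (inside) host 192.0.2.20
 ldap-base-dn DC=domain1,DC=test,DC=com
 ldap-scope onelevel
 server-type microsoft
user-identity domain DOMAIN1 aaa-server DOMAIN1
user-identity domain DOMAIN2 aaa-server DOMAIN2
"""

# Assumed: which DNS domain each identity domain name on the ASA stands for.
DOMAIN_FQDNS = {
    "DOMAIN1": "domain1.test.com",
    "DOMAIN2": "domain2.domain1.test.com",
}

def base_dn_for(fqdn):
    """domain2.domain1.test.com -> DC=domain2,DC=domain1,DC=test,DC=com"""
    labels = [l for l in fqdn.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + l for l in labels)

def _new_group():
    return {"hosts": [], "base_dn": None, "scope": None, "login_dn": None}

def parse_config(text):
    """Return (groups, bindings): LDAP settings keyed by aaa-server group name,
    and identity-domain -> aaa-server group bindings."""
    groups, bindings, current = {}, {}, None
    settings = (("base_dn", r"ldap-base-dn (.+)"),
                ("scope", r"ldap-scope (\S+)"),
                ("login_dn", r"ldap-login-dn (.+)"))
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"aaa-server (\S+) protocol ldap", line)
        if m:
            groups.setdefault(m.group(1), _new_group())
            current = None
            continue
        m = re.fullmatch(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, _new_group())["hosts"].append(m.group(2))
            continue
        m = re.fullmatch(r"user-identity domain (\S+) aaa-server (\S+)", line)
        if m:
            bindings[m.group(1)] = m.group(2)
            current = None
            continue
        if current is None:
            continue
        for key, pattern in settings:   # per-host sub-commands of the current group
            m = re.fullmatch(pattern, line)
            if m:
                groups[current][key] = m.group(1).strip()
    return groups, bindings

def _normalize_dn(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def check_identity_domains(config_text, fqdns):
    """Return (identity_domain, group, finding) tuples; an empty list means
    every identity domain is bound to an LDAP group that matches it."""
    groups, bindings = parse_config(config_text)
    findings = []
    for ident, fqdn in fqdns.items():
        group = bindings.get(ident)
        if group is None:
            findings.append((ident, None, "no user-identity domain binding"))
            continue
        g = groups.get(group)
        if g is None:
            findings.append((ident, group, "bound aaa-server group is not an LDAP group"))
            continue
        expected = base_dn_for(fqdn)
        actual = g["base_dn"] or ""
        if _normalize_dn(actual) != expected.lower():
            findings.append((ident, group, "ldap-base-dn is '%s', expected %s" % (actual, expected)))
        if g["scope"] != "subtree":
            findings.append((ident, group, "ldap-scope is '%s'; users in nested OUs need subtree" % g["scope"]))
        if not g["login_dn"]:
            findings.append((ident, group, "no ldap-login-dn; AD does not return user objects to an anonymous bind by default"))
    return findings

if __name__ == "__main__":
    for ident, group, finding in check_identity_domains(SAMPLE_CONFIG, DOMAIN_FQDNS):
        print(ident, group, finding, sep=" | ")
```

Feed it the output of `show running-config aaa-server` and `show running-config user-identity` from the ASA; the ASA's own `test aaa-server authentication` command remains the authoritative live check of the bind and search against each domain's DC.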

Similar Messages

  • CES/CEP in Intranet with single forest

    In which scenario CES/CEP are preferred over Certificate Request Wizard (or alternatives) for requesting certificates when in Intranet with single forest?
    I have read article http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Intranet_with_a_Single_Forest.
    In the scenario where non-domain-joined users use the perimeter CES for certificate renewal (http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Renewal_Only_Mode), is it correct to request the original certificate another way than through the internal CES/CEP?

    > In which scenario CES/CEP are preferred over Certificate Request Wizard (or alternatives) for requesting certificates when in Intranet with single forest?
    1) CEP/CES do not replace certificate request wizard.
    2) CEP/CES in internal domains are preferred when you want to completely hide CA servers from forest members. For example, you put CAs in a dedicated VLAN with limited access (though CA servers should have full connectivity with domain controllers), so only the CES service can contact the ICertRequest interface on the CA server.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Understanding Lync 2013 Deployment for Single forest multiple domain Infrastructure

    Hello Everyone,
    I have an issue in understanding a deployment scenario of Lync 2013 Enterprise edition.
    We have a single-forest, multiple-domain infrastructure.
    My question here is: while doing AD prep, do we need to run Domainprep on every domain in the forest?
    Thanks!
    Thank You!!! BR, Ammi.

    Hi Ammi,
    To prepare Active Directory Domain Services for your Lync Server 2013 deployment, you must perform three steps in a specific sequence.
    1. Preparing the Active Directory schema in Lync Server 2013
       Extends the Active Directory schema by adding new classes and attributes that are used by Lync Server.
       Run once for each forest in your deployment where Lync Server will be deployed.
    2. Preparing the forest for Lync Server 2013
       Creates global settings and universal groups that are used by Lync Server.
       Run once for each forest in your deployment where Lync Server will be deployed.
    3. Preparing domains for Lync Server 2013
       Adds permissions on objects to be used by members of universal groups.
       Run once per user domain or server domain.
    Hope it can be helpful.
    Best regards,
    Eric

  • Exchange 2003 migrate to Exchange 2010 - single forest multiple domain. Active Sync problem

    Hi All, 
    I have an AD single forest with multiple domains. For example, the forest domain is jakarta.co.id, and the other domain is bali.co.id.
    Exchange 2003 is deployed in jakarta.co.id, and users are mail-enabled in both domain jakarta.co.id and bali.co.id.
    Then I upgraded to Exchange 2010 (deployed in jakarta.co.id) and moved mailboxes from Exchange 2003 to Exchange 2010.
    All users in bali.co.id are able to access email from OWA, BlackBerry (BIS) and Outlook, but cannot access it from Android or Windows Phone (ActiveSync).
    I got the following error information from https://testconnectivity.microsoft.com:
    Attempting the FolderSync command on the Exchange ActiveSync session.
    The test of the FolderSync command failed.
    Tell me more about this issue and how to resolve it
    Additional Details
    Exchange ActiveSync returned an HTTP 500 response (Internal Server Error).
    ActiveSync still does not work even after I check the option "Include inheritable permissions from this object" in the Security tab.
    Any idea how to fix this issue?
    Thanks.
    Endrik
    Endrik | blog: itendrik.wordpress.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Hi Sathish, 
    We are planning to migrate Exchange 2003 to Exchange 2013; all users are already in Exchange 2010 and Exchange 2003 was decommissioned.
    The Event Viewer log is as follows:
    Log Name:      Application
    Source:        MSExchange ActiveSync
    Date:          1/17/2014 10:00:48 PM
    Event ID:      1008
    Task Category: Requests
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      EXC2010.jakarta.co.id
    Description:
    An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. Items will be updated at the next synchronization.
    URL=/Microsoft-Server-ActiveSync/default.eas?Cmd=Sync&User=bali%5Csteveng&DeviceId=SAMSUNG123456789&DeviceType=SAMSUNGGTN7000
    --- Exception start ---
    Exception type: Microsoft.Exchange.AirSync.AirSyncPermanentException
    Exception message: A null value was received for the NTSD security descriptor of container CN=ExchangeActiveSyncDevices,CN=Steven Gerrard,OU=IT,DC=bali,DC=co,DC=id.
    Exception level: 0
    HttpStatusCode: 500
    AirSyncStatusCode: 110
    XmlResponse: 
    This request does not contain a WBXML response.
    Exception stack trace:    at Microsoft.Exchange.AirSync.ADDeviceManager.SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container)
       at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDeviceContainer(Boolean retryIfFailed)
       at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
       at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime)
       at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
       at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
       at Microsoft.Exchange.AirSync.Command.WorkerThread()
    --- Exception end ---.
    I think KB817379 is not related because Exchange 2003 was decommissioned.
    Regards, 
    Endrik

  • SCCM 2012 AD Publishing in a Single Forest Multiple Domains

    Hi there,
    Let me explain the situation first so that you get the idea. We have a single-forest, multiple-child-domain AD environment. For some reason each domain is managed separately by its geographic location's IT.
    The forest has been extended for SCCM by the site that holds the forest root domain. Since everyone wants to manage their own domain and systems, each child domain has its own primary site server.
    In one of the domains I have installed a brand new SCCM 2012 R2. I haven't done anything yet, and haven't turned on any discovery except Heartbeat. Now I see one device, which belongs to another domain with a totally separate IP address, showing up in my SCCM site. I don't know why.
    From here a question arises for me. Correct me if I'm wrong and please advise what to do domain/forest wide.
    1. System Container is needed in each child domain, not in the forest, right?
    2. Where does/should each SCCM primary site publish information; in each domain or in the forest root domain?
    3. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing I see the forest root domain name and it's checked.
    Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and it's the only one in there. In that same window I went ahead and specified my own domain, hoping to cure the possible problem.
    So, why would that one device show up in this site? I have disabled Heartbeat together with other discoveries for now till I make everything ready.
    Thanks for your help in advance.

    1. Under Administration > Overview > Site Configuration > Sites > Properties > Publishing If I uncheck forest root domain will devices on my child domain still be able to find my site server?
    2. Under Administration > Overview > Hierarchy Configuration > Active Directory Forests > Properties > Publishing my site is checked and its the only one in there. In that same window I went ahead and specified my own domain
    hoping to cure the possible problem. Is this a good practice?
    3. "When clients look for ConfigMgr info, they use GC lookups meaning they return objects from every System Management container in the forest." So, which one do clients choose and how?
    4. "For that one device, have you opened its properties and examined it?" Yes, what about it? It's found based on the Heartbeat Discovery agent (when heartbeat was enabled).
    5. "Have you reviewed the boundaries and boundary groups set up for site assignment?" Yes, as I mentioned this device belongs to different domain and totally outside of my AD site and SCCM boundaries.
    This is a fresh install and not in production yet. I have disabled Heartbeat temporarily so that I can fix this problem. I will enable it afterwards.

  • Identity firewall with OpenLDAP ?!

    Hi Guys
    I am interested in using the identity firewall, but I am using OpenLDAP; as far as I know there is no OpenLDAP agent like the AD Agent!
    Does it mean that I am only able to use OpenLDAP for VPN authentication and not for the identity feature?
    Thanks
    Ehsan

    Probably the answer is yes, I guess; the ASA identity feature works only with Microsoft Active Directory!!!!

  • Active Directory: 2003 to 2012 R2 Upgrade across single forest with child domains

    I just have a quick question about something that should be simple. We will be upgrading our current domain from Windows 2003 functionality to Windows 2012 R2. This forest has a domain and two child domains. I have two questions. Since we have to do this in a few steps in order to get up to 2012 functionality, I am wondering where it is considered best practice to start: in the root (top-level) domain of the forest, or in one of the child domains? I want to say the root (top-level) domain is where I would place my first Windows 2012 R2 box and promote it to a domain controller, then move to the child domains once the root domain controllers have all been replaced with Server 2012.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

    Yes. We are working with the client to migrate any dependencies off these 3 NT legacy domains. We will be able to decommission 2 of the 3 without any issues. However, they still have an old NT box running SQL 6.5 databases for an application still in production. Yes, they are very aware that NT isn't supported, that that version of SQL isn't supported, and that this will hold up their upgrade.
    Our plan for them will be to deploy all new Windows Server 2012 R2 domain controllers but keep the domain and forest functionality at 2003 in order to support that final NT legacy domain until they can get that application migrated.
    Once that NT domain is decommissioned, we can raise the functionality of the rest of their domains from 2003 to 2012 R2.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

  • How many ADFS farms can you have in a single forest/single domain?

    Hi
    I may have some terminology incorrect...please let me know if I do. :)
    My question is, how many ADFS farms can you have in a single forest/single domain? If you want to know why I am asking...please read on.
    We have 1 ADFS farm and we are looking at adding services to it. However, not every cloud vendor provides an "Identity Broker" with their services.
    We have a consultant who is advising that we need to enable SAML-based IdP-initiated single sign-on (SSO), i.e. using "IdpInitiatedSignOnPage".
    However, to do this we need to modify the ADFS website to have a "drop down" list so the user can select the "Relying Party" and then authenticate with them.
    This means we are exposing a list of every company/party we have federated with. The exposure of this information is deemed a security concern by our company, which I agree with.
    So the consultant advises that we need a separate ADFS farm. I have searched online, but haven't found any information that confirms multiple ADFS farms can be implemented in a single forest/single domain.
    Thanks for reading and if you have any other suggestions...I'd appreciate it.
    Nyobi

    This is not exactly a FIM-related question; there is an ADFS forum available on TechNet. However, technically there is no limit on ADFS farms in a forest \ domain. It is just a service which uses AD and is not altering it in any way or storing forest-wide information like Exchange does. So you can set up two ADFS services in a single forest, no problem.
    Whether it is the best solution to your problem I can't say with that limited information, but maybe just customization of the pages on the ADFS side would be enough?
    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

  • 2012 R2 DirectAccess multi domain forest: Is it possible Limit Auto-discovery of domain controllers?

    I've just successfully implemented multisite Server 2012 R2 DirectAccess in a child domain of a global company with numerous sub-domains. I'd like to limit the scope of the auto-discovery of management servers in 2012 R2 DA. Is anyone aware of any way of doing this?
    During the default initial configuration of DirectAccess Auto-discovery of domain controllers is performed for all domains in the same forest as the DirectAccess server and client computers.
    In my scenario the number of sub domains and multinational nature of the company means that the DA servers cannot contact all DCs for every child domain in the forest.
    This means the Operations Status page in the Remote Access Management console always shows the status of the Domain Controller check as "critical", leaving a red X amongst my nice green ticks. It's untidy, and at first glance it looks like there are major problems with the service.
    The DA servers, Client machines and users are in a single sub domain so we have no need to contact the other child domain DCs.
    I looked into using the Remove-DAMgmtServer PowerShell cmdlet however this is not applicable since it cannot be used to remove automatically configured management servers such as DCs.
    Also the child domain DCs don't actually appear in the management servers list.

    Hi, a colleague of mine had the same problem in a DirectAccess deployment in a large organization that has a multi-domain forest. He had no choice but to open network flows to have at least one domain controller per domain in the forest.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • MDT from Single Site for Multi Domain OS Deployment

    Hi all,
    We are looking for a solution which will make it possible to use MDT from a single site to deploy Windows 7 or Windows 8 and join different domains of different customers without trust relationships between domains.
    We are a service provider which supports different customers with separate domains. At this moment those different customers have their own WDS server on site and administration is time consuming because a lot of hardware changes occur.
    We are now searching for a solution which is easier to manage and one of the solutions we are thinking about is to install a WDS server in our office and use MDT for some custom task sequences but just build one image with all the different driver packs we
    have.
    Does anyone know how to deal with this from our point of view? All tooling I can find is based on enterprise clients with one domain forest and maybe some different sites, but all in one domain, which makes deployment a bit easier than in our situation, I guess, as we are looking for a solution that supports multi-domain deployment.
    I hope someone might have experienced this before and can help us in the right direction. If someone has experience with additional tooling which might help us, I am more than interested to know how the tooling helped in solving this.
    Preferably we would have a tool which was multi-tenant and from which multiple domains could be managed from a single console, but I think that tool just doesn't exist.
    Hope someone is able to help us in the right direction. Please let me know if you have any tips or did experience the same while making a Deployment plan for the service provider you are working for.
    Many thanks in advance!

    So is the goal not only to have multiple domains to select from? If so, you could use a DomainOUList.xml file.
    Also would the clients be imaged at your site or your clients site?
    If this post is helpful please click "Mark for answer", thanks! Kind regards

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    I'm trying to follow the TrustSec 2.1 guide on IP Phones in Low Impact mode.
    I can get a PC on its own to authenticate via dot1x/tls
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC.  ISE logs EAP timeouts.
    The switchport has the LowImpact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it ok.
    I assume a MAB phone and a dot1x PC on the same port is supported? Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client
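The step list above can be read mechanically. As an added example (constructed, not Cisco ISE code), the Python below parses ISE-style `code  description` step lines, groups them into RADIUS round trips, and reports which EAP method was negotiated, the last TLS handshake message the server prepared, and whether the client sent any TLS message after it before the `5411` timeout. The sample lines are abridged from the post; only codes and message texts that appear there are relied on, and nothing here asserts why the supplicant went silent.

```python
"""Locate where an ISE authentication step log stalled.

Added example, not Cisco ISE code. The step lines are abridged from the post
above; only the codes and message texts that appear there are relied on.
"""
import re

SAMPLE_STEPS = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
12500  Prepared EAP-Request proposing EAP-TLS with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12809  Prepared TLS CertificateRequest message
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
5411  No response received during 120 seconds on last EAP message sent to the client
"""

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(\S.*?)\s*$")

def parse_steps(text):
    """Return (code, message) pairs; lines without a numeric step code
    (policy headings such as 'Evaluating ...') are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps

def round_trips(steps):
    """Group steps into RADIUS round trips, each opened by 11001 Access-Request."""
    trips, current = [], []
    for step in steps:
        if step[0] == 11001 and current:
            trips.append(current)
            current = []
        current.append(step)
    if current:
        trips.append(current)
    return trips

def diagnose(text):
    """Summarise the exchange: negotiated method, round-trip count, whether the
    session timed out (5411), the last TLS handshake message the server prepared,
    and any TLS messages extracted from the client after that point."""
    steps = parse_steps(text)
    negotiated, last_server_tls, client_tls_after = None, None, []
    for code, msg in steps:
        m = re.search(r"accepting (\S+) as negotiated", msg)
        if m:
            negotiated = m.group(1)
        if msg.startswith("Prepared TLS"):
            last_server_tls = msg        # server handshake message; reset the client list
            client_tls_after = []
        elif msg.startswith("Extracted TLS") and last_server_tls:
            client_tls_after.append(msg)  # client handshake message parsed after it
    return {
        "negotiated": negotiated,
        "round_trips": len(round_trips(steps)),
        "timed_out": any(code == 5411 for code, _ in steps),
        "last_server_tls": last_server_tls,
        "client_tls_after_last_server": client_tls_after,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_STEPS).items():
        print(key, value, sep=": ")
```

For the log in the post this reports EAP-TLS as the negotiated method, a timeout, and `Prepared TLS CertificateRequest message` as the last server handshake message with no client TLS message after it, which pinpoints the stall at the client-certificate step of the handshake rather than at MAB or at the initial EAP identity exchange.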

  • Lync Server 2013 Deployment - Cross domain within Single Forest

    Hello Team,
    We have 5 separate domains in a Single Forest with two-way trust between domains. We are planning to deploy Lync 2013 On-Premise across all domains.
    1) What would be the best possible approach to deploy Lync Servers?
    2) We are planning to get 16000 users (spread across 5 different domains) on Lync accounts. Can we have a single pool managing all users?
    3) What high availability options should we opt for?

    Hello Saleesh,
    Thanks for the update.
    I could just go ahead with the steps below; could you advise?
    1) Add additional SIP domains as part of the Lync pool configuration
    2) Install certificates on all the domains
    3) Update the DNS suffix for all the domains. Are there any other changes I need to make with respect to DNS?
    4) Web publishing rules: do I need to add separate simple URLs for all domains?
    5) Should I make any further changes on the Office Web Apps servers to make sure it works for all users from the 5 separate domains?
    Thanks,
    Shady

  • How to delete multiple data domains with single step ?

    You can go to your Endeca Server domain home, e.g. ($WEBLOGIC-HOME$/user_projects/domains/endeca_server_domain/EndecaServer/bin), and run
    [HOST]$ ./endeca-cmd.sh list-dd
    default is enabled.
    GettingStarted is enabled.
    endeca is enabled.
    BikeStoreTest is enabled.
    Create a new file from the output with just the domains that you want to delete, and then run a loop over it:
    [HOST]$ vi delete-dd.list
    default
    GettingStarted
    endeca
    BikeStoreTest
    [HOST]$ for i in $(cat delete-dd.list); do ./endeca-cmd.sh delete-dd "$i"; done
    Remember that this cannot be undone unless you have a backup.

  • People Picker search order with multiple forest domains

    I have a customer with a multiple-forest-domain environment. The problem is that all users from one domain are synced to the resource domain (Domain A) where SharePoint is installed.
    The People Picker now finds the user first in Domain A, where SharePoint is installed. My solution is to specify the search order in People Picker so that first all users in Domain B are returned, and if there is nothing, it returns Domain A.
    All SharePoint servers have network access to the other domains, and two-way trusts are configured.
    Any Solution for that?
    Thanks for your feedback!
    P.

    Regardless of search order, you would get both results returned. Have you tried using the UserAccountDirectoryPath property on the Site Collection to specify DC=domainB,DC=com?
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
    Nice to know that I can set it up per site collection. But it does not work in my case: it indeed returned users from Domain B, but Domain A, C, D and F (examples) are excluded from People Picker.

  • Install Exchange server 2010 in Single forest Multiple AD domain Scenario

    Hello Folks,
    I am trying to install a new Exchange 2010 server in an environment which never had Exchange.
    Below are the environment details:
    1 forest
    3 AD domains
    The customer's requirement is that he wants to install Exchange in only one domain; the other domains will not have an Exchange server. Domain A, which has the server installed, should host the Exchange mailboxes for the other 2 domains and also be capable of handling the mail flow of each domain with a different SMTP domain. I have done research but haven't found this exact scenario.
    Now I am confused about how to start with this project; any feedback or inputs would be of great help to me.
    BR/Deepak

    Exchange server is forest wide role, so it does not depend much on number of domains in the same forest. Usually, you install Exchange in forest root domain in your forest, and Exchange will host mailboxes from any user from entire forest. So, actually,
    your scenario is supported by default :). Just go and install Exchange in one domain. As soon as you prepare other domains for Exchange recipients, you will be able to create mailboxes from all domains in your forest.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Damir
