ISE domain PC question

I am trying to figure out how to grant access to users based on user authentication and computer accounts. I am trying to set up our ISE so that if a user on our domain connects to the wifi it will check to see if the PC they connected from is a member of our domain. If the computer is a member of the domain they will get full access to our network. If they are not a member of our domain they will get put into a different VLAN that only has Internet access. Ultimately I would like to have a group in Active Directory for computer accounts that are allowed on the wifi. Is a setup like this possible? I have tried a few things and I cannot get the computer account part to work.

Hi Eric,
We can create different rules in the authorization policies as per your scenarios. For your query we can set up the following rules:
Step 1: Prior to the user entering their credentials, the machine will get authorized access when the machine boots up:
iselabin.local:ExternalGroups==Domain Computers
Step 2: The user will enter credentials and will get authorized access because of the 2nd rule:
Network Access:WasMachineAuthenticated ==True
                              AND
iselabin.local:ExternalGroups==Domain Users
Also you need to go through the MAR as you are using Machine+User authentication. Below is the link for the same, in which you can find the MAR section:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354105
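The two-rule policy above, simulated in Python so the MAR (Machine Access Restriction) dependency between the rules is visible. This is an added example, not ISE code and not from the reply: the authorization profile names, the endpoint MACs and the 6-hour aging value are assumptions (the aging value mirrors the MAR aging-time setting in ISE's AD configuration; check your own deployment's value).

```python
"""Simulation of the two-rule ISE authorization policy with a MAR cache.

Added example, not ISE code. Rule 1 authorizes a computer account at boot and
remembers the endpoint MAC; rule 2 authorizes a domain user only if that MAC
was machine-authenticated within the aging window (WasMachineAuthenticated).
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Authorization profile names are placeholders, not ISE built-ins.
FULL_ACCESS = "Corp-FullAccess"
INTERNET_ONLY = "Internet-Only-VLAN"
DENY = "DenyAccess"

# AD groups exactly as written in the reply's rules
# (the ISE attribute prefix would be "iselabin.local:ExternalGroups").
COMPUTER_GROUP = "Domain Computers"
USER_GROUP = "Domain Users"


@dataclass(frozen=True)
class AuthRequest:
    """One RADIUS authentication as ISE sees it after the EAP and AD lookup."""
    identity: str                       # "host/pc01" for a machine, "eric" for a user
    mac: str                            # Calling-Station-Id of the endpoint
    external_groups: Tuple[str, ...]    # groups resolved from the AD join point
    is_machine: bool                    # True when the identity is a computer account


@dataclass
class MarCache:
    """Successful machine authentications per MAC, as MAR tracks them.

    aging_seconds is an assumed 6 hours; entries older than that no longer
    satisfy WasMachineAuthenticated.
    """
    aging_seconds: int = 6 * 3600
    _entries: Dict[str, float] = field(default_factory=dict)

    def record(self, mac: str, now: float) -> None:
        self._entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        seen = self._entries.get(mac)
        return seen is not None and (now - seen) <= self.aging_seconds


def authorize(req: AuthRequest, mar: MarCache, now: float) -> str:
    """Evaluate the rules top-down; the first match wins, as in ISE."""
    # Rule 1 (step 1): computer account in the allowed group, seen at boot
    # before any user logs on. The success is remembered in the MAR cache.
    if req.is_machine and COMPUTER_GROUP in req.external_groups:
        mar.record(req.mac, now)
        return FULL_ACCESS

    # Rule 2 (step 2): domain user AND Network Access:WasMachineAuthenticated==True.
    if not req.is_machine and USER_GROUP in req.external_groups:
        if mar.was_machine_authenticated(req.mac, now):
            return FULL_ACCESS
        # Domain user on a PC that never machine-authenticated: Internet only.
        return INTERNET_ONLY

    # Neither a known computer nor a domain user.
    return DENY


def scenario() -> Dict[str, str]:
    """Constructed walk-through: domain PC, personal laptop, and MAR expiry."""
    mar = MarCache()
    t0 = 1_000_000.0                      # arbitrary epoch seconds
    domain_pc = "00:11:22:33:44:55"       # constructed MACs
    personal = "66:77:88:99:aa:bb"
    results = {}
    results["pc_boot"] = authorize(
        AuthRequest("host/pc01.iselabin.local", domain_pc, (COMPUTER_GROUP,), True), mar, t0)
    results["user_on_domain_pc"] = authorize(
        AuthRequest("eric", domain_pc, (USER_GROUP,), False), mar, t0 + 60)
    results["user_on_personal_laptop"] = authorize(
        AuthRequest("eric", personal, (USER_GROUP,), False), mar, t0 + 60)
    results["user_after_mar_expiry"] = authorize(
        AuthRequest("eric", domain_pc, (USER_GROUP,), False), mar, t0 + 7 * 3600)
    results["unknown"] = authorize(
        AuthRequest("guest", personal, (), False), mar, t0)
    return results


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:26s} -> {decision}")
```

The last two scenarios are the cases that usually surprise people: MAR is keyed on the endpoint MAC and ages out, so a domain PC that stays up past the aging window, or one whose machine authentication was seen by a different node, fails the WasMachineAuthenticated check and drops to the Internet-only branch even though the user is a valid domain user. To use a dedicated "allowed on wifi" computer group as the question asks, change COMPUTER_GROUP to that group's name.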

Similar Messages

  • About ISE 802.1X question!

    Today my colleagues and I deploy ISE found the following question.
    Sometimes user authentication and authorization can succeed under the same interface, and sometimes user authentication and authorization is not successful. If I restart ISE it will be normal.
    Why is that?
    Two ISE, distributed deployment.
    I tested redundancy. I closed the main equipment; the following error:
    LOG:==============================================
    The normal time:
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  172.30.60.11
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000410155DA40
          Acct Session ID:  0x0000006C
                   Handle:  0x73000041
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  172.30.60.10
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000400154E52C
          Acct Session ID:  0x0000006D
                   Handle:  0x91000040
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
    When there is a problem:
    6509-vss#
    Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
    Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
    Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#
    6509-vss(config-if)#
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#end
    6509-vss#show
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
    6509-vss#show authentication
    Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
    6509-vss#show authentication sessions int
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  Unknown
                User-Name:  0021cc68a63e
                   Status:  Running
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004E01CCCA18
          Acct Session ID:  0x00000086
                   Handle:  0x7300004E
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Running
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  Unknown
                User-Name:  shenshu
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004D01CCB640
          Acct Session ID:  0x00000089
                   Handle:  0xB400004D
    Runnable methods list:
           Method   State
           mab      Not run
           dot1x    Authc Success
    LOG:============================================

    Please consider the order of authentication method failure from here:
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028
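A parser for the switch syslog lines quoted in the post above, added here as an example (not from the thread or from Cisco): it pulls out the two events worth alerting on when an ISE node goes away, the RADIUS server being marked dead and alive in quick cycles, and clients for which the switch exhausted every authentication method. The sample log is a subset of the lines from the post; the thresholds are assumptions.

```python
"""Summarise IOS AUTHMGR/DOT1X/MAB and RADIUS syslog lines.

Added example, not Cisco or ISE code. Detects RADIUS dead/alive flapping and
clients that ran out of authentication methods.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Sample lines copied from the post above (a subset, in their original order).
SAMPLE_LOG = """\
Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
"""

RADIUS_RE = re.compile(r"%RADIUS-4-RADIUS_(DEAD|ALIVE): RADIUS server (\S+) ")
CLIENT_RE = re.compile(
    r"%(DOT1X|MAB|AUTHMGR)-\d-([A-Z_]+): .*?client \(([0-9a-f.]+)\) on Interface (\S+)")


def parse_log(text: str) -> Tuple[Counter, Dict[str, List[str]]]:
    """Return (RADIUS state counter keyed by (server, state), events per client MAC)."""
    radius: Counter = Counter()
    clients: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = RADIUS_RE.search(line)
        if m:
            radius[(m.group(2), m.group(1))] += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            facility, mnemonic, mac, _iface = m.groups()
            clients[mac].append(f"{facility}-{mnemonic}")
    return radius, dict(clients)


def flapping_servers(radius: Counter, min_dead: int = 3) -> List[str]:
    """Servers marked dead at least min_dead times (assumed threshold): a
    dead/alive cycle every few seconds means every authentication in that
    window risks a timeout and a 'no-response' result."""
    return sorted(server for (server, state), n in radius.items()
                  if state == "DEAD" and n >= min_dead)


def clients_with_no_methods_left(clients: Dict[str, List[str]]) -> List[str]:
    """MACs for which the switch exhausted mab and dot1x; these sessions end
    up with no access beyond what the port's failure policy grants."""
    return sorted(mac for mac, events in clients.items()
                  if "AUTHMGR-NOMOREMETHODS" in events)


def summarize(text: str = SAMPLE_LOG) -> dict:
    """Everything a responder would want from this log in one structure."""
    radius, clients = parse_log(text)
    return {
        "flapping": flapping_servers(radius),
        "exhausted": clients_with_no_methods_left(clients),
        "succeeded": sorted(mac for mac, ev in clients.items() if "AUTHMGR-SUCCESS" in ev),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:10s}: {value}")
```

On the sample the RADIUS server at 172.30.60.54 is flagged as flapping and 0021.cc68.a63e as the client that exhausted both methods, while 0026.2df8.a25f authorized successfully on the same port. Feeding the same parser the full switch log lets you line up the NOMOREMETHODS timestamps against the ISE node outage rather than guessing from the session table.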

  • ISE Domain Name, Certificates and Guest Portal

    Hi everyone,
    We have an ISE deployment using our internal domain for its FQDN (For example: ise01.private.local). We now want to use it for authenticating guest access and have noticed the redirection URL by default uses the FQDN of the ISE server.
    This works fine for our corporate machines as we have our own internal CA and generated certificates. As we do not want certificate errors occurring for our guests, we need to use a public FQDN.
    Are we best off changing the domain-name used by the ISE servers or is there a way to edit the redirection URL to use a custom domain?
    I have heard suggestions that changing the domain-name is unsupported, but I can't find any other way.
    Thanks,
    Mark

    Mark,
    Do you already have a public FQDN pointing to your ISE?  If so, let's assume that you are authenticating guests using CWA.  First create a new Authorization Profile, under Common Tasks, select Web Redirection (CWA, DRW, MDM, NSP, CPP), choose the Authentication Method (in this case, CWA) and define the ACL to be used.  Just below that, select Static IP/Host Name and enter the public FQDN that points to your ISE.
    From here you can create an Authorization Policy to reference the profile you just created.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • iWeb/Domain name question

    Hi,
    I am making my first iWeb site. I want to host the site through iWeb, but want to be sure I can use the simple domain name I own as the address, rather than a long www.mobileme.myname.domainname.com address. I see instructions involving setting up an alias with the domain name provider, but wanted to ask around first.
    Also, do you know if I can host more than one website through iWeb?
    thanks for any and all help!
    I have sent these questions to Apple support, but no response yet. I gather the new iPhone is taking up a lot of their tech support time.
    Kim

    The URL instantly changes and is long.
    This is the way CNAME pointing works with .Mac. If you like you can make things shorter by shortening the names you give your site and pages.
    Your "url", namely what people need to type to get to your site, is of course just the short version. What appears in the browser address bar is really irrelevant, but if it matters a lot to you, then you can undo everything you did for CNAME and switch to ordinary url forwarding/masking. With that, for every page on your site only www.myname.com will appear in the browser address bar for every page.

  • ISE AD join question

    Hello, we have recently purchased ISE and are in the process of initial configuration. We have joined the appliances to our AD. Now in our firewall rules, we see the ISE appliance sending LDAP (389) traffic to all of our DCs. Is there a way to limit what DCs ISE will query, or does it just pull up a list of DCs from the domain that is joined? If I do an NSLOOKUP on just the domain, I see numerous DCs listed, but ISE is sending to DCs that are outside of this list as well. I am not an AD guy, so forgive me if I do not understand how this is populated, but I am very confused on how ISE is getting the IPs of all the DCs. And I would really like to restrict it if possible, since many of the DCs are behind firewalls that we did not open up for ISE to talk to, so the traffic is just being denied and filling up our syslog with denies.
    Also, is there a show command, CLI or GUI, to show what DCs the ISE appliances know about?
    We are running 1.1.1.268 code.
    Thank you all in advance for your help.                 

    Hi,
    If you are using Sites and Services in your DNS environment then ISE should only query the domain controllers that are sent in the DNS response for GC and DC resolution requests. You may need to consult your AD and DNS folks in order to ensure that the ISE is only given the correct domain controllers.
    Thanks,
    Tarik Admani

  • ISE Sponsor Portal Questions!!!

    Hi Team,
    A few questions!!
    1. Can we integrate ISE with Safenet (Token) for VPN access using Inline Posture?
    2. When we create a user account in the Sponsor portal in ISE, by default where does the user get created, in the internal database of ISE or in Active Directory?
    3. Advantages of Sponsor portal over NAC guest server?
    Cheers!!
    Minakshi

    1. Can we integrate ISE with Safenet (Token) for VPN access using Inline Posture?
    Yes, you can.
    2. When we create a user account in the Sponsor portal in ISE, by default where does the user get created, in the internal database of ISE or in Active Directory?
    They are updated into the local ISE database.
    3. Advantages of Sponsor portal over NAC guest server?
    The Sponsor portal allows a person (can be anyone assigned by the Admin) to manage Guest accounts.
    Refer http://www.cisco.com/c/en/us/td/docs/security/ise/1-0/sponsor_guide/ise10_sponsor_book/ise10_sponsor.html

  • Active Directory Cached Domain Login question

    Hi all,
    I would like to seek assistance on the following scenario setup where I have 2 independent AD forest setup
    Production Forest #1 - Contoso
    Test Lab Forest #2 - Contoso
    Assuming both AD forests' domain controllers are issued with Domain Controller Certs (to support smartcard login) from the same CA, and there exists an AD user acct - Mark in Production Forest #1 and this user is currently using an issued smartcard to perform AD login on desktop client #1:
    Would it be possible to create an AD user acct - Mark in Test Lab Forest #2 and use the same issued production smartcard to perform AD login on laptop client #2 which is joined to Test Lab Forest #2? If not technically possible, why??? :(
    I am trying to find a solution where I can have the laptop clients support login using the issued production smartcard. The challenge here is that not all the laptop client sites have access to the production domain controllers, hence I am thinking of building the Test Lab Forest #2 on another "server" laptop which provides a mobile means to allow the laptop clients to be joined to the Test Lab Forest and then supporting the issued production smartcard via domain cached login.

    So far I know the only requirement is that the UPN match and that the PKI is trusted (in NTAuth) in the forest, but I'm not a PKI expert. I suggest to ask this question in the security forum as well:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • ISE policy creation question - best practices

    Ok, I am a rookie ISE user here and am trying to learn as I go. I have a 802.1x policy for our corporate users on both wired and wireless and a wireless guest policy that redirects to the guest portal to enter credentials created in the sponsor portal. The corporate user has access to corporate resources and the guest basically has access to just the internet.
    I need to make what I am calling a Vendor policy that is basically a hybrid of the corporate user and the guest user. These would be vendors that are on-site to assist with programming and need access longer than what the guest account can be created for. This would also have specific ACLs that grant them access to the specific resources they would need. I would like to tie this into AD authentication since they have an AD account created to be able to access those corporate resources in most cases. My first question is do I have a single policy that is tweaked as vendors come and go or do I simply create a specific policy for each vendor? My second question is do I or should I create unique SSIDs for each vendor?
    As I said I am just now getting into getting ISE configured. I am just not sure of what is considered a best practice or what is considered a secure way to make things happen. In regards to the policies I have created, they work but I think I have a couple holes to address.
    Thanks ...
    Brent

    Mostly makes sense. I have the AD part just need to get an AD group created for my test subject.
    I created an Endpoint Identity Group to place the vendors devices into so that we can allow laptop to connect but not phone. Got that.
    I think I can handle the Authorization Profile. It will be something like if VendorAsset and AD1:ExternalGroups Equals VendorADGroup then VendorPermissions. VendorPermissions would be the ACL that limits where they can go. I also need to create a non 802.1x based SSID as well and add this to the Authorization profile but can still be generic enough to be useable by all vendors.
    I think it is my Authentication rules that I need to modify for Vendor as my Corporate based policies use Dot1x and I need a policy that does not use dot1x. Right?

  • Windows Server Primary & Secondary Domain Controller Question

    lulzchicken wrote:
    "Right now the DHCP is assigning 192.168.200.1 (DNS server) and 8.8.8.8 (Google's DNS) as DNS servers for each client. I don't necessarily want to change these assignment settings"
    Yes, you do. This is absolutely the worst thing you can ever do with DNS. More details why here -> Ramblings of a Sysadmin: How to do DNS correctly
    Primary and secondary DNS should ALWAYS be internal.
    Your DNS servers should use FORWARDERS to go out to Google. That's the only place that should see Google DNS servers in your environment.

    Hi everyone, thank you for taking the time to listen.
    I have successfully implemented an Active Directory setup using a Primary DC and a Secondary DC with Windows Server 2012 R2.
    EL1 is my PDC and EL2 is my BDC.
    Active Directory is in sync among the two Domain Controllers. Here is my question:
    If I were to have a policy (Group Policy) that sets the wallpaper of each client machine to whatever is in the "\\EL1\Wallpaper\wp.jpg" - what would happen if I were to have that Domain Controller fail? That directory is no longer available due to the outage - even though the Backup Domain Controller will still be pushing out the policy (pointing to the down server).
    My idea was to have that directory replicated on the Backup Domain Controller, "\\EL2\Wallpaper\wp.jpg" however - the policy will still be looking for the file in the Primary Domain...
    This topic first appeared in the Spiceworks Community

  • Domain architecture question if using multiple FMW products

    Hi,
    We are in the initial phases of setting up a WLS/FMW environment to replace our iAS 10.1.2 (forms and reports) and 10.1.3 (j2ee) environments. In addition to bringing over the in-house written applications we will be using the following FMW products - OBIEE, SOA/BPEL, and eventually Forms & Reports. Our question is what would be a good way to architect this environment?
    I initially installed WLS and then configured a domain. When I went to install and configure OBIEE 11.1.1.6 it would not let me extend the existing domain, so I created another domain for it. I haven't been able to find any documentation yet that indicated OBIEE must run in its own domain, but is that what it is trying to tell us by not allowing us to extend an existing domain?
    Should we create a separate domain for each of the Oracle FMW products I mentioned above? That would require 3 domains if we were to put our in-house applications in to one of 3, but is that a good or a bad idea?
    I see some potential advantages to putting each in its own domain, but one disadvantage would seem to be that we'd need 3 AdminServers which would also be using resources on the physical server. Would we need 3 node managers if we had 3 separate domains?
    I'm hoping someone else out there has had to create an environment similar to ours and may be able to provide some guidance here. Any advice would be appreciated.
    Thanks.

    Hi
    1. What you want is totally possible, like having a single domain with all the stuff installed for at least the 3 products you mentioned like OBIEE, SOA/BPM, Forms/Reports etc.
    2. Let's take a few steps back. Domain creation comes in the end. The first thing is installing each of the above products in the same middleware home or a different middleware home.
    3. For any product from Oracle, WebLogic Server is the basic underlying application server. First you need to install this with the same version as the SOA/BPM and OBIEE that you plan to install on top of it. Once WLS is installed, now install OBIEE on top of it. You can install SOA/BPM also on top of this same WLS. For OBIEE, you may need to first run RCU and have the OBIEE schemas ready, because the OBIEE simple installation will create a ready-to-use BI Domain also. Anyhow, the point is now on top of WLS you have 2 products installed like OBIEE and SOA/BPM.
    4. Now comes the domain creation. Use the config wizard, and create a domain. At this point, you will see all the options (Project Facets) for both the products. If you choose all SOA/BPM modules and OBIEE modules, you will get a single domain with 1 AdminServer and different managed servers for SOA/BPM and OBIEE. I know for SOA/BPM, it creates soa_server1, bam_serve1 and for OBIEE it may have like bi_server1. If you really plan to have all in one domain, I would prefer to create clusters like soa_cluster, bam_cluster, bi_cluster, forms_cluster etc. and in these clusters have the corresponding managed servers. Then you can have these servers on the same physical machine or across different remote physical machines. The only thing is, on all the machines you should have exactly the same version of WLS and all products installed in the same folder structure.
    5. The advantage of having one domain is that you will have one single point of control for all admin stuff and EM stuff to control any product. Also if they interact with each other, like SOA calling BI reports, this may be a little easier from the single sign-on and security configuration point of view.
    6. But if you do not have any interaction between them, you can have separate installs like WLS+SOA and WLS+BIEE on different machines. Nowadays hardware machines are very cheap with a good configuration; a 16GB 4 CPU workstation you can get for $2k.
    I have on my side a single installation with WLS + SOA/BPM + OBIEE (all 11.5). Single RCU DB for all these schemas. Single domain with all SOA/BPM and OBIEE modules deployed, of course with different managed servers and 1 admin server. They are all running fine so far.
    Thanks
    Ravi Jegga

  • VDI 3 + Active Directory Child Domain Setup Question

    Hi Everyone,
    Quick question. Will this config work because I'm having some issues.
    Domain A
    Child Domains A.A, B.A, C.A, etc..
    Kerberos is set up and pointing at domain A with admin account access.
    VDI3 can see all the domains when I pull down the domain selector... however!... I can only log into the parent domain A. Attempts to log into child domains A.A, B.A, etc give me an 'Unknown user/password error'.
    Will this config work? All child domains are part of the same forest which I thought was supported.
    Many thanks in advance for any replies.
    Dono

    Hello,
    yes, forests with multiple child domains are supported and your configuration should be working.
    In order to troubleshoot the problem, please follow the instructions at:
    http://wikis.sun.com/display/VDI3/End-users+cannot+access+their+virtual+machines.
    The cacao logs should contain more details about the error.
    Thanks,
    Katell

  • Upgrading Domain Controller Questions

    Hello, we currently have 2 domain controllers in our environment, both with Server 2003 R2. We are looking to upgrade them one at a time to 2008 R2 but I have some questions. 
    Here's the environment:
    Server 1 (the one we are going to upgrade first):
    Server 2003 R2
    Domain Controller
    DHCP Server
    DNS Server
    Server 2 (we will be upgrading this in the near future but not just yet):
    Server 2003 R2
    Domain Controller
    DHCP Server
    DNS Server
    File Server with most of the company data
    We also have DNS replication set up between the two servers. 
    My questions:
    Will we run into any issues having two domain controllers with different Operating Systems?
    We would like for the domain controllers to keep the same names and IP's. Any issues with that?
    How will we stop, then re-setup DNS replication between the two servers?
    Any other 'gotchas' we should be aware of?
    Dan Chandler-Klein

    I don't see any reason not to keep the old name and IP.
    Before upgrading make sure AD has no issues:
    look at the event viewer, run DCDiag, check that replication runs clean (repadmin /showrepl) etc.
    OS has no warnings/errors.
    Not a must, but I would move the FSMO roles to another DC before the demote.
    Make sure applications installed on the new DCs (AV\Backup agents etc.) support the Windows 2008 R2 OS.
    Make sure all your network applications in your environment support working with a Windows 2008 R2 DC - I recommend testing it in a lab first.
    Make sure that the DC you are about to demote is not holding the CA role.
    Most important:
    Make sure you successfully demote the old DC and no records are left in DNS.
    I don't agree with evrimicelli about DC naming and I wouldn't go for a CNAME record - this can get you in many troubles in the future.
    After demoting the old DC, I would rename it or remove it from the domain, then you can rename the new server with the old DC name and promote it to DC with the old DC's IP address.
    I didn't understand the question about DNS replication.
    What kind of DNS zone do you host? If it's AD integrated (and that's what you should have), you don't need to configure any replication; AD integrated DNS zones replicate as part of AD replication between your two DCs.

  • OAM domain configuration: question

    When installing OAM, during the domain configuration for OAM specifically, in the screen where you select Admin Server, Managed Server, Cluster, Deployment Services etc., there are two more options, JMS File Store and JMS Distributed Destination, which do not show up; these only show up for the domain configuration for OIM.
    Question: Why do the JMS options not show up during OAM domain config, but show up during OIM domain config?

    Unfortunately this is currently not a supported configuration. A domain must contain a single ALSB cluster. This is something we are looking to improve in the future.
    Gregory

  • Tuxedo domain sizing question

    Background:
    This is a Peoplesoft app (PT 8.5, Tux 10gR3, Weblogic 11g)
    We are moving from 4 app server virtual machines which each hosted a tuxedo domain (4 vcpu each, actually getting slices from 8 physical cpu each) to one physical server with 12 cores (2 6 core procs). We only need this horsepower for 7 30 minute events per year (course registration). Otherwise a single domain is fine.
    We ran a test last event that showed a physical machine significantly outperformed the virtual when given similar resources, So we have decided to employ a large physical server.
    We intended to configure 3 Tuxedo domains, mostly as it helps us compare to where we came from (the web server VM will still host one domain), so we are effectively throwing 4 CPUs at each domain. This comes from an understanding that we shouldn't have too many appsrv processes in one domain. We currently run a pre-spun 25 appsrv procs in each domain, and we get OK performance. From the looks of our physical server test, our performance will improve.
    During the peak of the registration event we have around 500 sessions; we limited to 225 active HTTP sessions on the web server, which acts as the valve to the event. Note: all previous events were on PT8.48, OAS 10g.
    So, on to my question.
    Is there a way to make a single larger domain, with say 50 or more appsrv processes (mostly to avoid the config maint) or does anyone have any recommendations here?
    Any and all input appreciated.

    Hi,
    Take these comments with a large grain of salt as they are generalizations and not necessarily applicable to PeopleSoft. I'd really suggest asking this question in their forums as there may be PeopleSoft specific configuration constraints that I'm about to violate.
    In any case a Tuxedo domain can range from a single machine with a single 1-core processor, to many machines each with many cores. Once you move beyond a single machine, regardless of the number of cores, you are in a clustered environment, or what Tuxedo refers to as an MP domain.
    Regards,
    Todd Little
    Oracle Tuxedo Chief Architect

  • OCSP across domains - signing questions

    hi all, another question for you
    2-tier PKI hierarchy with an offline root and 2 subordinate Enterprise CAs in different domains (also different forests, let's call them domain1 and domain2).
    We have an OCSP array in domain1 and that all works well. We are now looking to set up domain2 to also use OCSP. I think there are two main scenarios we can pursue
    1) Install a new OCSP server in domain2
    2) Create a new revocation config in the OCSP server in domain 1
    Option 2 is our preference although I'm sure option 1 is technically a better solution (we have some internal reasons to want to keep it to one OCSP server). So creating the config for the new domain seems easy enough, but how do I install an OCSP signing certificate from domain2 to the OCSP server in domain1? Will it be a manual enrolment (and if so, what about the validity period then? If it's set to the 2 week default we would have to manually renew every 2 weeks; any issue increasing it?).
    thanks in advance!

    Yes, scenario 1 would be more straight-forward.
    With 2 you would have to do one of the following:
    Manually enroll OCSP certificates cross-forest, which I think is not feasible for short validity periods. You could try to automate it such as: creating the request and key with certutil, submitting it to the CA in the other forest (in the context of a user with Enroll permissions in the other forest), and installing the retrieved certificate.
    Increase the validity period of the OCSP Signing template (and manually enrol or script it), but since those certificates cannot be revoked by design I would not do this unless you use an HSM to store the OCSP server's key.
    If there is a trust between the forests: add the Certificate Enrollment Policy and Enrollment Service (CEP / CES) in domain 2 and give the OCSP server from the other forest autoenroll permissions (assuming that OCSP 1 can also access CDP 2).
    But this means adding two more AD CS roles - so instead of maintaining a second OCSP responder you have to manage CEP/CES (and configure Kerberos delegation if you want to run them on the same machine). But since you have a CA in each forest, cross-forest enrollment is not needed except for OCSP - unless you might need CEP/CES anyway, e.g. for supporting telecommuting users or external users that enroll for certificates over HTTP.
    Elke
    Edit: Having read Vadim's reply - I wrote this being ignorant of the option to use certificates from a different CA. I would be wary about non-Windows platforms though.
