ISW 6.1 not replication group membership

Similar Messages

• Not inheriting group membership / users not showing in workgroup "Everyone"

  Hi,
  In the new OS X Lion Server Profile Manager, there is a default group called Everyone, that should contain all users.
  However, it only shows the first user I created (UID 1025).
  Users created after that are not automatically added to the group Everyone
  I can assign these newer users to a Workgroup I created myself, but since they are absent in the Everyone group, I cannot assign devices to these users, and thus not properly manage these users and their devices.
  Using Workgroup Manager to check on the membership of the users with UID>1025 I see that the inherited workgroup membership of Users (GID 403) is missing.
  How can fix a problem with the inherited group membership of users?
  Thanks in advance.
    Patrick

  did you configure the people picker
  http://technet.microsoft.com/en-us/library/gg602075(d=lightweight,v=office.14).aspx#section4
  http://jaredmatfess.wordpress.com/2013/02/26/sharepoint-2010-people-picker-is-having-a-hard-time-finding-people/
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
  No need to configure the People Picker in a full trust between domains of the same forest.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• UPS not resolving group membership for domain group

  I have two trusted domains A and B in a single forest. We have an AD group groupA in domain A that contains users from both domain A and domain B. SharePoint is installed in domain A. However, after UPS is run, when looking at the the group in the audience
  setting, you see that the membership count only reflects the members of domain A but not in domain B. The AD permissions for Directory replication is set correctly.
  So in summary-
  Domain A and Domain B (Full Trust)
  SharePoint in Domain A
  GroupA in Domain A with 5 users from Domain A and 12 users from Domain B
  Post UPS import in audience setup, group only shows membership count as 5 instead of 17
  Users from both Domain A and Domain B show up in the User Profiles
  Is this a known limitation? or is something wrong?

  did you configure the people picker
  http://technet.microsoft.com/en-us/library/gg602075(d=lightweight,v=office.14).aspx#section4
  http://jaredmatfess.wordpress.com/2013/02/26/sharepoint-2010-people-picker-is-having-a-hard-time-finding-people/
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
  No need to configure the People Picker in a full trust between domains of the same forest.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• "Domain Users" group in Active Directory does not belong to any Group Membership in LC

  Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
  Any way to correct this issue, without changing group membership on AD side?
  If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
  Thanks.

  If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
  Coming back to Domain Users group. For determining group membership in AD UM uses "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute.So when we sync the data from AD "Domain Users" membership does not get completed.

• Group Membership under Settings/My Account is not updating

  We use an External table for User permissions/Groups to get updated in Group Membership.
  We use our custom tool to create/update new/existing users with the permissions. Then our ETL picks up the changes from the OLTP tables and update User Permission table in our DWH hourly. Now let me explain the present situation. User ABC is an existing user and never used our Report Portal before, we updated ABC user with all the necessary groups to use Report portal and with curiosity she didn't wait until Hourly ETL run and she didn't had the necessary permissions to run any reports in Report portal. But when she login after 1hr/10 hr/ 1 day/2 day, the user won't see the Permissions getting updated in Group Membership. If we check the User permission table in DWH, it is updated with all the new roles, but it is never being updated in 'My Account' Answers. I think this is some kind of Presentation Cache issue, but I did clicked "Reload Files and Metadata" under Settings and "Close All Cursors" under Settings/Manage Sessions. You may also say it may be with the Caching on Initialization Block for the User Permission table, but we did Un-check the 'Use Caching' right below the Row-wise initialization for the corresponding Initialization block. We has 3 users with the same issue now. But when the user waits for certain time (for at least 1hr), and when they login after the actual hourly ETL ran, they were able to get in and use Report Portal without any issue. So, I am kind of sure this is something with CACHING and I might be missing some thing on Clearing this type of Cache. Could someone please help me out on this? This is in PRD and we are not able to find a solution. Any help would be appreciated!
  -Dinesh

  Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
  And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

• Group membership on AD-bound server is not updating correctly

  I have a 10.6.4 server that is bound to AD with Win2008 domain controllers. I am seeing group membership not update properly on this OS X server. If I type "id -p username" I don't get a full list of groups the user is a member of. If I launch Workgroup Manager, all of the groups are listed. I am using the box as a Subversion server and need the group updates to propagate from AD for Apache authentication to work correctly. Any ideas as to why the propagation is not happening? Is there a way I can flush whatever cache might be causing an issue? Can the group membership list be "refreshed"?

  Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
  And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

• DFS - The replication group cannot be created - insufficient permissions - NOT DOMAIN ADMIN, LOCAL ADMIN

  Hi,
  I am trying to setup DFS replication on tow servers. I am local admin on the servers but NOT domain account. Is it possible to create Replication group anyway? or should i contact the Domain administrator to the job?
  Thanks

  Hi,
  We cannot use local administrator to create a dfs replication group. By default, Domain Admins group can create a dfs replication group. You could also delegate to a user or group the ability to create replication groups and the user must add to the local Administrators
  group on the namespace server.
  For more detailed information, please refer to the article below:
  Delegate the Ability to Manage DFS Replication
  http://msdn.microsoft.com/en-us/library/cc771465.aspx
  Best Regards,
  Mandy 
  If you have any feedback on our support, please click
  here .
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Service account not inheriting AD group membership permissions on SQL Server

  I am adding Active Directory groups as logins and database users to our SQL Servers. A service account added to an AD group did not inherit the group permissions that the user accounts did. Can there be different attributes of service accounts that would
  prevent service accounts from inheriting the permissions of AD groups?
  Example: An AD Group AD_group contains a service account user, svc_account and a user account, user_account. AD_group is added to a SQL Server as a login. User_account can log in to SQL Server but svc_account cannot.

  SQL Server will use the information within the token used for authentication, so it may be possible that the service has a stale token (i.e. the token has not been refreshed or the service has not restarted) since you made the changes to the AD group.
  I would recommend using a tool such as ProcessExplorer (https://technet.microsoft.com/en-us/sysinternals/bb896653) to make sure the token for the process is showing the latest group
  memberships properly.
  I hope this helps,
  -Raul Garcia
     SQL Server Security
  This posting is provided "AS IS" with no warranties, and confers no rights.

• Group Memberships not Flowing into Metaverse

  Hello,
  I'm trying to figure out why the group member attributes in the CS are not flowing into the MV.  Here's what I have:
  An HR system running on SQL Server
  A staging database that extract data from the HR system
  The staging database has a table representing person object
  The stating database has a table representing person multi-valued attributes (i.e location, job code, etc)
  The staging database has a table representing group objects
  The staging database has a table representing group memberships (mult-valued)
  A SQLMA connected to the person and person multi tables
  A SQLMA connected to the group and group membership tables
  All group memberships are based on job codes and locations.  There are no approval process in place.  If they have this job code, they get certain groups.  That's all calculated in the staging database and the memberships are in the group membership
  table
  This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
  I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense.  The flow from the database into the CS works well.  No issues there.
  But, a search of the metaverse for the group shows an empty member attribute.  The sync process is not throwing any errors.  At least they're not showing up in the sync service app or the event logs.
  Where allowed, I'm using rules extensions for everything.  I can't use a rules extension to set the member attribute because it's an rdn.
  I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object.  Then, I'll modify my existing MA to use that attribute instead of the member attribute. 
  I'm not sure what kind of issues I'm going to run into when exporting that to AD.  I'll cross that bridge when I come to it.  I don't anticipate that being an issue as the dns for all these objects will be calculated by the ADMA based on locations,
  group functions and person types (bascially, I don't care about the MV rdn).
  Anyway, I'm looking for some real world insight on this.  This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
  Thanks,
  Greg Wilkerson

  Hey Cameron,
  I have total control of all the DB tables FIM is accessing.  I build them up as part of IDM process.
  I've read this article, along the many others that address the "manager" scenario.  This really doesn't apply in this case as the user and group objects are loaded in separate MAs.  Getting reference values to flow with both object live in the
  same CS shouldn't be an issue. 
  I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group).  That solution solved the issue of the groups and user being in the same CS.  As I grow tired of my daily
  FIM beatdown, that solution is growing more attractive.  That's a major DB redesign, and seems quite inefficient.
  The multi-value table for group memberships already exists in the DB.  For FIM purposes, I transferred that data into the user object multi-value table.  See screen shot.  I can certainly configure the group MA to access that multi-value table
  and load the group members as references.  But, because the group MA CS will not contain the user objects, I don't see how the references will be set.  If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't
  figured out a way to set the an reference value for an object in the MV - my problem all along.
  This whole "setting a reference value" encompasses much more than just group memberships in my implementation.  Telephone resources and physical access (key cards, etc) are provisioned through the existing eDirectory system.  These objects exist
  in our current IDM system and are associated with users based on rules.  So, the reference value process is something I need to figure out, if I'm going to use this product.
  Maybe I could use a stripped down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact.  I'm not sure that would get me where I want to go, and
  it seems like a lot of extra "stuff" to solve what should be a simple problem.  Hmmmmmm.  Or, connect the ECMA2 directly to my group membership multi-value table in the DB.  Hmmmmmm.  I'd still have to export the groups and users into that
  CS, but the import might be much more straight forward.  Hmmmmmm.
  The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
  EmployeeGroups
      GroupName varchar(50) not null,
      EmployeeID nvarchar(50) not null,
      ID int identity(1,1) not null

• Policies assigned to groups - membership changes not working

  I have a single ZESM IR8 server setup.
  All security throughout my environment, ZESM and otherwise, is based on group membership.
  If I change a user from one group to another group this change does not reflect in their policy assignment.
  Scenario: GroupA = standard user policy, GroupB = power user policy.
  UserA was first in Group A and therefore got the standard user policy.
  UserA now requires the power user policy.
  Remove UserA from GroupA and add UserA to GroupB (in iManager).
  UserA does NOT get the "power user" policy that is assigned to GroupB
  Am aware that I can assign the policy at a user level but this is NOT an option in my environment. All security assignments MUST happen at a group level.

  What you observed is the expected behavior.
  ZESM doesn't updates group membership in real time once a policy has been published. I've described this behavior on previous posts.
  What the MC does behind the scenes when you click "Publish" on a container or group object is to assign the policy individually to each member/user. For groups, it resolves membership at the time the policy is published then the MC iterates among each member assigning the policy to each of them. That's why you don't see updates once the policy is published.
  Try Updating the published policy to see if that works. From the docs:
  Updating a Published Policy
  Once a policy has been published to the user(s) or computer(s), simple updates can be maintained by editing the components in a policy, and re-publishing. For example, if the ZENworks Endpoint Security Management Administrator needs to change the WEP key for an access point, the adminstrator only needs to edit the key, save the policy, and click Publish. The affected end-users and computers receive the updated policy (and the new key) at their next check-in.
  >>>
  From: laurabuckley<[email protected]>
  To:novell.support.zenworks.endpoint-security-management
  Date: 12/15/2009 7:16 AM
  Subject: Policies assigned to groups - membership changes not working
  I have a single ZESM IR8 server setup.
  All security throughout my environment, ZESM and otherwise, is based on
  group membership.
  If I change a user from one group to another group this change does not
  reflect in their policy assignment.
  Scenario: GroupA = standard user policy, GroupB = power user policy.
  UserA was first in Group A and therefore got the standard user policy.
  UserA now requires the power user policy.
  Remove UserA from GroupA and add UserA to GroupB (in iManager).
  UserA does NOT get the "power user" policy that is assigned to GroupB
  Am aware that I can assign the policy at a user level but this is NOT
  an option in my environment. All security assignments MUST happen at a
  group level.
  laurabuckley
  laurabuckley's Profile: http://forums.novell.com/member.php?userid=122
  View this thread: http://forums.novell.com/showthread.php?t=395870

• AD groups membership not working for target Audience

  Hiya,
  Got a peculiar problem here. Trying to set audience on a link it doesnt work as we want it to. We have the following behavior:
  If adding users directly on SharePoint Group no problems. However if adding AD group to SP group, it doesnt work. Member count for AD Group is 0
  AD Group is created as Global, however tried placing it in a Domain Local group to see if that changed anything. SP synchs the AD groups fine, however it seems like it doesnt read the members, thus not granting any users access based on AD group membership.
  Not sure if this is default behavior or?

  Hi,
  It seems a known issue, but there is no workaround for this.
  It worth to reading these threads
  http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/8ede2f40-2b11-416b-b426-51c1b6479c33
  http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/586494b9-d259-4abf-a857-26137fa30460
  Hope this helps
  Thanks!
  Stanfford
  Everything will be fine.

• Event 4004, Error 9098. after deleting and recreating replication group

  I have my primary server replicating with 3 servers and 3 different replication groups across a WAN. I'm working through a hardware upgrade, and need to move my RG up one folder level now at one of the locations now that I have the new hardware in place.
  I've removed the RG in DFS manager,  I stopped the dfs service and deleted the DFSPrivate folder from both servers.
  Now when I recreate the RG, one folder level higher on the primary server, it replicates in AD/event log on both servers, but after about 7min I get the error 9098 on the primary, and a failure error on the secondary server.
  Replication is still working to other 2 servers, so I'm afraid to run the rmdir "D:\System Volume Information\DFSR" /s command in fears that it will mess up the other 2 RG's.
  Is there a better way to kickstart this new RG? is my only option to rebuild the DB? What does rebuilding do, just rebuild all the file indexes? will I need to also delete it on all the secondary servers? I have good backups of all the data, so I'm not too
  concerned about loosing data, just downtime, and long hours for me.
  I also tried creating a new folder on the secondary server, it seemed to get a little further, it created a new DFSPrivate folder, but still failed a short time later with the same 9098 error on the Primary. I know another option is to recreate the folder
  on both servers, copy data, and replicate, but I'd rather not if I don't have to.

  Followup for anyone in the same boat. on my existing RG, I purged the dfsr folder from both servers(3 servers in total), with the dfs replications service stopped, and each leg of the connecting disabled and purged the DFSPrivate directories, I then restarted
  the service, and enabled the replication for each connection, replication connected on each server but did not start replicating, I had to restart the dfsr service on each server again, and manually set the primary server, both were set to NO when I checked
  membership status. No data loss in this process, it all worked very slick, the initial replication finished in about 2hrs.
  I was then able to recreate the connection for my 2nd replication group that started all of this, it fired right off, no more 9098 errors since both dfsr databases were re-created.

• Error while creating MV replication group object

  Hi,
  I am getting error while creating replication group object. I tried to create using OEM and SQLPlus
  OEM error
  This error while creating M.V. rep. group object
  There is a table or view named SCOTT.EMP.
  It must be dropped before a materialized view can be created.
  In SQLPLUS
  SQL> CONNECT MVIEWADMIN/MVIEWADMIN@SWEET
  Connected.
  SQL>
  SQL> BEGIN
  2 DBMS_REPCAT.CREATE_MVIEW_REPOBJECT (
  3 gname => 'SCOTT',
  4 sname => 'KARTHIK',
  5 oname => 'emp_mv',
  6 type => 'SNAPSHOT',
  7 min_communication => TRUE);
  8 END;
  9 /
  BEGIN
  ERROR at line 1:
  ORA-23306: schema KARTHIK does not exist
  ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
  ORA-06512: at "SYS.DBMS_REPCAT_SNA_UTL", line 2840
  ORA-06512: at "SYS.DBMS_REPCAT_SNA_UTL", line 773
  ORA-06512: at "SYS.DBMS_REPCAT_SNA_UTL", line 5570
  ORA-06512: at "SYS.DBMS_REPCAT_SNA", line 82
  ORA-06512: at "SYS.DBMS_REPCAT", line 1332
  ORA-06512: at line 2
  Please not already I have created KARTHIK schema.

  Arthik,
  I think I know what may have happened.
  As I can see you are trying to create support for an updateable materialized view.
  You have to make sure the name of the schema that owns the materialized view is the same as the schema owner of the master table (at master site).
  From the code you have shown, I bet the owner of table EMP is SCOTT.
  From the other hand, you want to create materialized view EMP_MV under schema KARTHIK that refers to table SCOTT.EMP at master site.
  According to the documentation, the schema name used in DBMS_REPCAT.CREATE_MVIEW_REPOBJECT must be same as the schema that owns the master table.
  Please check the documentation at the link below
  http://download.oracle.com/docs/cd/B19306_01/server.102/b14227/rarrcatpac.htm#i109228
  I tried to reproduce your example in my environment, and I got exactly the same error which actually confirms my assumption that the reason for the error is the fact that you tried to create the materialized view in a schema with different name than the one where master table exists.
  I'll skip some of the steps that I used to create the replication environment.
  I have two databases, DB1.world and DB2.world
  On DB2.world I will generate replication support for table EMP which belongs to user SCOTT
  SQL> conn scott/*****@DB2.world
  Connected.
  SQL>create materialized view log on EMP with primary key;
  Materialized view log created.
  SQL>
  SQL>conn repadmin/*****@DB2.world
  Connected.
  SQL>BEGIN
    2       DBMS_REPCAT.CREATE_MASTER_REPGROUP(
    3         gname => 'GROUPA',
    4         qualifier => '',
    5         group_comment => '');
    6*   END;
  PL/SQL procedure successfully completed.
  SQL>BEGIN
    2       DBMS_REPCAT.CREATE_MASTER_REPOBJECT(
    3         gname => 'GROUPA',
    4         type => 'TABLE',
    5         oname => 'EMP',
    6         sname => 'SCOTT',
    7         copy_rows => TRUE,
    8         use_existing_object => TRUE);
    9*   END;
  10  /
  PL/SQL procedure successfully completed.
  SQL> BEGIN
    2       DBMS_REPCAT.GENERATE_REPLICATION_SUPPORT(
    3         sname => 'SCOTT',
    4         oname => 'EMP',
    5         type => 'TABLE',
    6         min_communication => TRUE);
    7    END;
    8  /
  PL/SQL procedure successfully completed.
  SQL>execute DBMS_REPCAT.RESUME_MASTER_ACTIVITY(gname => 'GROUPA');
  PL/SQL procedure successfully completed.
  SQL> select status from dba_repgroup;
  STATUS                                                                         
  NORMAL                                                                          Now let's create updateable materialized view at DB1. Before that I want to let you know that I created one sample in DB1 user named MYUSER. MVIEWADMIN is Materialized View administrator.
  SQL>conn mviewadmin/****@DB1.world
  Connected.
  SQL>   BEGIN
    2       DBMS_REFRESH.MAKE(
    3         name => 'MVIEWADMIN.MV_REFRESH_GROUPA',
    4         list => '',
    5         next_date => SYSDATE,
    6         interval => '/*1:Hr*/ sysdate + 1/24',
    7         push_deferred_rpc => TRUE,
    8         refresh_after_errors => TRUE,
    9         parallelism => 1);
  10    END;
  11  /
  PL/SQL procedure successfully completed.
  SQL>   BEGIN
    3       DBMS_REPCAT.CREATE_SNAPSHOT_REPGROUP(
    5         gname => 'GROUPA',
    7         master => 'DB2.wolrd',
    9         propagation_mode => 'ASYNCHRONOUS');
  11    END;
  12  /
  PL/SQL procedure successfully completed.
  SQL>conn myuser/*****@DB1.world
  Connected.
  SQL>CREATE MATERIALIZED VIEW MYUSER.EMP_MV
    2    REFRESH FAST
    3    FOR UPDATE
    4    AS SELECT EMPNO, ENAME, JOB, MGR, SAL, COMM, DEPTNO, HIREDATE
    5*      FROM   [email protected];
  Materialized view created.
  SQL>conn mviewadmin/******@DB1.world
  Connected.
  SQL> BEGIN
    2       DBMS_REFRESH.ADD(
    3         name => 'MVIEWADMIN.MV_REFRESH_GROUPA',
    4         list => 'MYUSER.EMP_MV',
    5         lax => TRUE);
    6    END;
    7  /
  PL/SQL procedure successfully completed.And now lets run CREATE_MVIEW_REPOBJECT.
  SQL>   BEGIN
    2       DBMS_REPCAT.CREATE_MVIEW_REPOBJECT(
    3         gname => 'GROUPA',
    4         sname => 'MYUSER',
    5         oname => 'EMP_MV',
    6         type => 'SNAPSHOT',
    7         min_communication => TRUE);
    8    END;
    9  /
    BEGIN
  ERROR at line 1:
  ORA-23306: schema MYUSER does not exist
  ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
  ORA-06512: at "SYS.DBMS_REPCAT_SNA_UTL", line 2840
  ORA-06512: at "SYS.DBMS_REPCAT_SNA_UTL", line 773
  ORA-06512: at "SYS.DBMS_REPCAT_SNA_UTL", line 5570
  ORA-06512: at "SYS.DBMS_REPCAT_SNA", line 82
  ORA-06512: at "SYS.DBMS_REPCAT", line 1332
  ORA-06512: at line 3 I reproduced exactly the same error message.
  So the problem is clearly in the schema name that owns the materialized view.
  Now lets see if what would happen if I create the MV under schema SCOTT which has the same name as the schema on DB2.world where the master table exists.
  SQL>conn scott/****@DB1.world
  Connected.
  SQL>CREATE MATERIALIZED VIEW SCOTT.EMP_MV
    2    REFRESH FAST
    3    FOR UPDATE
    4    AS SELECT EMPNO, ENAME, JOB, MGR, SAL, COMM, DEPTNO, HIREDATE
    5*      FROM   [email protected];
  Materialized view created.
  SQL>conn mviewadmin/******@DB1.world
  Connected.
  SQL> BEGIN
    2       DBMS_REFRESH.ADD(
    3         name => 'MVIEWADMIN.MV_REFRESH_GROUPA',
    4         list => 'SCOTT.EMP_MV',
    5         lax => TRUE);
    6    END;
    7  /
  PL/SQL procedure successfully completed.And now lets run CREATE_MVIEW_REPOBJECT.
  SQL>   BEGIN
    2       DBMS_REPCAT.CREATE_MVIEW_REPOBJECT(
    3         gname => 'GROUPA',
    4         sname => 'SCOTT',
    5         oname => 'EMP_MV',
    6         type => 'SNAPSHOT',
    7         min_communication => TRUE);
    8    END;
  PL/SQL procedure successfully completed.As you can see everything works fine when the name of the schema owner of the MV at DB1.world is the same as the schema owner of the master table at DB2.world .
  -- Mihajlo
  Message was edited by:
  tekicora

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• Cannot add multiple members of a failover cluster to a DFSR replication group

  Server 2012 RTM. I have two physical servers, in two separate data centers 35 miles apart, with a GbE link over metro fibre between them. Both have a large (10TB+) local RAID storage arrays, but given the physical separation there is no physical shared storage.
  The hosts need to be in a Windows failover cluster (WSFC), so that I can run high-availability VMs and SQL Availability Groups across these two hosts for HA and DR. VM and SQL app data storage is using a SOFS (scale out file server) network share on separate
  servers.
  I need to be able to use DFSR to replicate multi-TB user data file folders between the two local storage arrays on these two hosts for HA and DR. But when I try to add the second server to a DFSR replication group, I get the error:
  The specified member is part of a failover cluster that is already a member of the replication group. You cannot add multiple members for the same cluster to a replication group.
  I'm not clear why this has to be a restriction. I need to be able to replicate files somehow for HA & DR of the 10TB+ of file storage. I can't use a clustered file server for file storage, as I don't have any shared storage on these two servers. Likewise
  I can't run a HA single DFSR target for the same reason (no shared storage) - and in any case, this doesn't solve the problem of replicating files between the two hosts for HA & DR. DFSR is the solution for replicating files storage across servers with
  non-shared storage.
  Why would there be a restriction against using DFSR between multiple hosts in a cluster, so long as you are not trying to replicate folders in a shared storage target accessible to both hosts (which would obviously be a problem)? So long as you are not replicating
  folders in c:\ClusterStorage, there should be no conflict. 
  Is there a workaround or alternative solution?

  Yes, I read that series. But it doesn't address the issue. The article is about making a DFSR target highly available. That won't help me here.
  I need to be able to use DFSR to replicate files between two different servers, with those servers being in a WSFC for the purpose of providing other clustered services (Hyper-V, SQL availability groups, etc.). DFSR should not interfere with this, but it
  is being blocked between nodes in the same WSFC for a reason that is not clear to me.
  This is a valid use case and I can't see an alternative solution in the case where you only have two physical servers. Windows needs to be able to provide HA, DR, and replication of everything - VMs, SQL, and file folders. But it seems that this artificial
  barrier is causing us to need to choose either clustered services or DFSR between nodes. But I can't see any rationale to block DFSR between cluster nodes - especially those without shared storage.
  Perhaps this blanket block should be changed to a more selective block at the DFSR folder level, not the node level.