LDAP multidirectory with sub-domains

Similar Messages

• 2 domain, each with 2 way transitive truts, with sub domains pointing to the same DNS server (how should forward and reserver look zone be configured)

  Hello,
  I found a test environment and I just trying to understand how it works.
  If I have two domains (a.com and b.com) with sub domains(a1.com and b1.com) with two way trust and I want them to point to a Windows DNS server. How should the Forward lookup zones and Reverse lookup zones be configured? In forward lookup
  zones do I just add a new zone, make them all primary since only one DNS server, add a.com and b.com and do the same for reverse zones.
  Do the sub domains need to be added? What about pointers? Do I add the IP address of a.com and b.com in reverse lookup zones.
  A side question: When you create a Domain with dns AD intergrated the forward and reserve lookup are automatically created. You don't need to add the zone of the domain you just created but have to add zones of other domains.

  Hello,
  I found a test environment and I just trying to understand how it works.
  If I have two domains (a.com and b.com) with sub domains(a1.com and b1.com) with two way trust and I want them to point to a Windows DNS server. How should the Forward lookup zones and Reverse lookup zones be configured? In forward lookup
  zones do I just add a new zone, make them all primary since only one DNS server, add a.com and b.com and do the same for reverse zones.
  Do the sub domains need to be added? What about pointers? Do I add the IP address of a.com and b.com in reverse lookup zones.
  A side question: When you create a Domain with dns AD intergrated the forward and reserve lookup are automatically created. You don't need to add the zone of the domain you just created but have to add zones of other domains.
  Make each domain controller as a DNS server too. Reverse lookup zones & forwarders are not replicated automatically. You can create AD-Integrated reverse lookup zone & set the replication scope.
  You can create AD-Integrated DNS zones in the parent/root domain, set the replication scope to the forest-wide & delegate the zones for handling request locally. Once you create AD-Integrated DNS zone & set the replication scope forest wide, all
  the zones will appear automatically in each domain's DNS server.
  http://awinish.wordpress.com/2011/04/09/configuring-dns-in-child-domain/
  Awinish Vishwakarma - MVP
  My Blog: awinish.wordpress.com
  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• LDAP Authentication with sub-contexts?

  Is it possible to authenticate to an ldap server with a user that belongs under different sub contexts?
  We have one LDAP JAAS login module that we want to use to authenticate ANY user under the LDAP ROOT Context. Which means if a we have:
  O=COMPANY
  |
  |-> OU = DIVISION ONE
          |
          |-> USER1
  |
  |-> OU = DIVISION TWO
         |
         |-> USER2I'd want to set up my login module to always build the DN for the user as:
  cn=<username>,O=COMPANY and have the server itself look in the sub contexts (OU=DIVISION ONE and OU=DIVISION TWO) below when trying to make the initial context.
  Is this possible?
  Thanks,
  - Tim

  The problem with that is that the AD GPO will not let me set the
  password i am using...
  So change your non-LDAP account password in UCM to a password that AD will accept, test that it works for login on CCX, and then do the LDAP integration.
  Besides when i removed LDAP authentication i logged into the UCCX again
  and added the Administrator rights to my LDAP account but it wont
  autheticate me.
  No idea, but one guess would be that changes to the account may not hold when the account is marked as inactive in UCM. Just a guess though.

• Replication with Domain and Sub domain in Active directory sites and services

  I seen many AD enviroments and know that when you have mutiple DCs you use Active Directory Sites and services to replicate using the NTDS Settings. If you have a Domain and sub domain do you need to do this as well or does it sync up automatically because
  it's a sub domain? A see a couple of domains where the NTDS settings isn't being used to snyc with the child domain. Just wondering if that is normal or will it cause authentication errors?

  I seen many AD enviroments and know that when you have mutiple DCs you use Active Directory Sites and services to replicate using the NTDS Settings. If you have a Domain and sub domain do you need to do this as well or does it sync up automatically
  because it's a sub domain? A see a couple of domains where the NTDS settings isn't being used to snyc with the child domain. Just wondering if that is normal or will it cause authentication errors?
  Two way transitive trusts are configured automatically when you create a child domain or tree root domain. You don't have to worry about site/subnet or replication part at least from trust perspective. But make sure site's names are unique in each domain.
  How Domain and Forest Trusts Work
  http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
  http://technet.microsoft.com/en-us/library/cc730868.aspx
  http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx
  Awinish Vishwakarma - MVP
  My Blog: awinish.wordpress.com
  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• Convert database IP link with the sub-domain name

  Can someone help me to covert the database ip with the SUB-domain name ?
  Kind regards,
  Shar Kurtishi
  Freelance Consultant
  10000 Prishtina, KOSOVO
  +377.44.210.456

  Hi Shar,
  You can use unix "nslookup" to get the domain from up or viceversa.
  The aim to get the info frm the dns server.
  Regards,
  Chandan

• How to make a route for sub domains with same IP but another Port

  Hello , 
  I have Windows Server 2008 R2 Domain Controller . the IP address is 172.16.0.200 and the Domain is ( BTC.local ) . I have software login page ( localhost:6090 ) the port of service is 6090 . and if i want to access this page from another PC then i write
  ( 172.16.0.200:6090 ) . My question is how i can change the IP address and the port to sub domain like ( IQ.BTC.local ) so that i can access from another PC by writing the sub domain . 

  > question is how i can change the IP address and the port to sub domain
  > like ( IQ.BTC.local ) so that i can access from another PC by writing
  > the sub domain .
  Create CName records in your subdomains DNS servers.
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

  Hello everyone,
  I'm managing a multi-domain forest (with 7 sub-domain).  All are working fine except for one.  Throught repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed I got both domain controllers of a subdomain (there are only 2 DCs in that
  subdomain), who hadn't replicated with the rest of the forest for more than 60 days.
  According to my research, it's usually recommended to Depromote and repromote the problematic DC to avoid the issue of lingering objects.  In this case, it's both DC of a sub-domain.  Of course, on the others DCs in the forest, I got the event
  ID 2012 "it has been too long since this machine last replicated with the named source machine....". 
   HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
  to a value of 1. 
  As I understand it, this may cause lingering objects to appear (they can be removed with repadmin /removelingeringobjects command with the DSA GUID, naming context, etc..).  So far, I haven't used that registry key yet because of the associated risks.
  I didn't noticed any other issue so far.  Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the others DCs in the forests. (at least, I'm not getting any error in the A.D. Sites
  and Services)
  I added two new DCs for the affected sub-domains, so the number of DCs for that domain went from 2 to 4 DCs.  The two old DCs that hadn't replicated for 60 days are windows Server 2003 and the two new DCs are Server 2008 R2. 
  Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain.  By that, I mean that I
  cannot add an Active Directory Domain Services Connection in Sites & Services console (from a DC in another domain of the forest or even the root domain).  I see all the DCs, including the two old DCs that are server 2003, but not the new ones. 
  I believe it's because the others DCs doesn't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
  I was wondering what is the best course of action. Is it worthwhilte to use the registry key force replication with the old DCs ?  (and hopefully, the new DCs will get their AD Services connection/replication vector created, so I can depromote
  the old DCs.
  Since the Old DCs from the problematic sub-domain seems to be able to pull the replication from the rest of the forest, does the risk of Lingering object isn't that great ?
  Or is it too risky and I must create a new sub-domain and migrate one way or another the users ? (which would be time-consuming)
  Thanks in advance,
  Adam

  Thanks for the reply.  One of the link had another link to a good article about the use of repadmin :
  So, I ran the command "repadmin /removinglingerobjects " on one of the problematic DCs ().
  For clarity purpose, let's say I used the domain :
  domain = main domain
  subdomain = the domain whose DC are problematic (all of them).
  AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
  Command (the DSA guid is from a DC "clean" in another domain)
  repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
  I got the following message in the event viewer :
  Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
  Source domain controller:
  c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
  Number of objects examined and verified:
  0
  Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
  advisory mode option.
  How should I interpret the message "number of objects examined and verified 0".  Does it mean it just didn't find any object to compare ? (which would be odd IMHO)  Or there is another problem ?
  Thanks in advance,
  Adam

• How to redirect a sub domain to a specific page in Sharepoint Online

  Hi, 
    My Organisation has a O365 account, and hoisted the public website on it, now user requests to have a friendly url for a specific page on the public website.  I've added a sub domain on O365.  but i cant find ways to redirect this domain
  to the page.  How can i do so? 

  Hi,
  If you need to redirect the sub domain to a specific page in SharePoint Online, you need to rename the Public Website with the sub domain.
  Then configure the friendly URL for the page in the Public Website.
  http://office.microsoft.com/en-001/office365-sharepoint-online-enterprise-help/upgrade-your-public-website-HA102801184.aspx?CTT=5&origin=HA102828142#_Step_5_%E2%80%93
  Or you can use the managed metadata navigation for the Public Web site and configure the friendly URL for the page.
  http://jeffkelly.com/2014/05/office-365-public-website-what-no-managed-metadata-mms-navigation/
  In the meanwhile, you can post your question to the forum for Office 365: http://community.office365.com/en-us/f/default.aspx.
  More experts will assist you, then you will get more information relation to SharePoint Online.
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• Solution to using Site Root with Sub-folders on Testing Server & Browser Previews

  Hi Everyone
  Have found an elegant solution when using Site Root relative linking for a website, that allows browser previews, even when the testing server uses sub-folders and the live code references just the server site root " / " of the live server and not the sub-folder structure of the testing server.  This is really useful when you don't want to use document relative linking, which normally takes care of this problem in Dreamweaver.
  The solution is to use sub-domains referencing the sub-folders on the testing server, so the sub-folders appear as the root of each website and the html code pointing to the site root works correctly on both testing & live servers without alteration.
  Testing Server Setup
  One testing server domain is used for all client development work:
  For example:  www.testingserver.com
  On the testing server there are multiple sub-folder (one for each client website being developed):
  For example:  www.testingserver.com/clientA/ ,  www.testingserver.com/clientB/ , www.testingserver.com/clientC/
  Live Server Setup
  The site code needs to be developed with the final live server folder structure (url references) in mind:
  For example:  www.livesite.com (with all pages referencing the root of the live site server)
  Page URLs on Testing & Live Servers
  /page-name.html
  Testing server url:  www.testingserver.com/clientA/page-name.html
  Live server url:  www.livesite.com/page-name.html (without /clientA/ sub-folder)
  Browser Previews Don't Work
  You want to be able to run browser previews on the testing server while developing the website.  To do this you normally have to reference the sub-folder structure of the testing server in the url for things to work right:
  For example www.testingserver.com/clientA/page-name.html
  What do you do, when you can't keep switching all the urls in the code from pointing to the sub-folder to pointing to the site root, and you don't want to use document relative linking?
  One Solution - Sub-domains on Testing Server
  In your domain hosting (outside of Dreamweaver) setup a sub-domain to point to the testing server sub-folder.
  For example:  Sub-domain clientA.testingserver.com points to www.testingserver.com/clientA (sub-folder)
  So now when you reference the sub-domain it sees the sub-folder as the site root and all your problems are solved.
  Dreamweaver Site Definition Setup
  Site Definition under "Local Info"
  Links relative to: Site Root
  Site Definition under "Remote Info" (live server)
  Access: FTP
  FTP host:  ftp.livesite.com
  Host directory: /
  Site Definition under "Testing Server" 
  Access: FTP
  FTP host:  clientA.testingserver.com
  Host directory: /
  URL prefix: http://clientA.testingserver.com
  (location of the site's root folder on the testing server, the sub-domain redirection takes care of pointing to the sub-folder)
  This is just one solution but it works well for me as it doesn't have any cost associated with it under our hosting package where you can have multiple sub-domains setup.
  Hope this helps someone in a similar situation.
  Aly

  Just Google it, or run out and buy a copy of David Powers' Foundations Dreamweaver CS4 with CSS, Ajax and PHP, a book that is never out of reach for me.  He details the process explicitly for both Mac and PC.
  For me, on W7, I edit the C:/Windows/System32/drivers/etc/hosts file, and add the ip of my testing server along with the site alias -
  192.168.1.82  site.local
  Then I add this same designation to my httpd.conf file in Apache on the testing server.  Finally I restart Apache.
  Now from my production machine if I browse to "http://site.local", I get to see either the default file in the root of the site on the testing server, or a directory of the site on the testing server (my testing server is a unix box running on my LAN at that ip address).  Furthermore, all of my root relative links now work as they would if the pages were being browsed from the live server.

• LDAP Synchronisation with CUCM with multiple forest

  Hello,
  We have CUCM 10.5.
  We want to add in CUCM multiple forest (we have multiple company with different domain name) using LDAP authentification so all the user/password sync with CUCM.
  We have as distinguished name CN=xxxx,CN=Users,DC=xxx,DC=local and for search base CN=xxxx,CN=Users,DC=xxx,DC=local.
  Can we add in the distinguished name and search base the information for multiple forest using the same username/password?
  If it not possible is there an easy way to achieve that?
  Any help would be appreciate.
  Thank you

  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html#pgfId-1133454

• What is the best practice way of stopping a sub-domain from being indexed?

  Hi there
  I notice that a client site is being indexed as both xxx.com.au [their primary domain] as well as xxx.PARTNERDOMAIN.com.au.
  I have Googled quite a bit on the subject and have browsed the forums, but can't seem to find any specific best practice approach to only having the primary domain indexed.
  One method that seems to be the most recommended is having a second robots.txt site for the sub-domain xxx.PARTNERDOMAIN.com.au with Disallow: /
  Does anyone have a definitive recommendation?
  Many thanks
  Gavin

  Sorry I assumed they were two different sites, they are the same "content" just two different URLs?
  Canonical links will help but it wont stop or remove you being indexed it only adds higher index weight to the Canonical linked URL. Plus only search engines that support that meta tag will work.
  You essentially need two robots.txt to do this effectively or add the META TAG if you can split the sites somehow.
  There is a more complex way, you could host the second domain somewhere else, use htaccess or similar to do a reverse proxy to the main site to pull the contents in realtime, all except the robots.txt file. This way you could have two sites with only 1 to update but still have two robots.txt's
  http://en.wikipedia.org/wiki/Reverse_proxy
  I've done this for a few sites, you are essentially adding a middle man, it will be a tad slower depending on how far the two servers are apart, but it is like having a cname domain but with total control.

• I cannot access the sharefolder in W2008R2 in sub-domain.

  We cannot access the network shareholder in W2008R2 DC of the sub-domain.
  Our scenario is as follows:
  The main-domain(AAA.com) has two DCs (W2008R2+W2003R2).
  The sub-domain(BBB.AAA.com) has two DCs(W2008R2+W2003R2).
  There is trust relation between AAA.com and BBB.AAA.com.
  There are network sharefolders in both W2008R2 and W2003R2 of domain BBB.AAA.com.
  Those sharefolders gave access rights to the users in domain AAA.com.
  The domain users in AAA.com can access W2003R2 of BBB.AAA.com but cannot access W2008R2 with the error message “no access right”.
  The domain users in BBB.AAA.com can access both DCs in BBB.AAA.com.
  Presumably there is something wrong with W2008R2 of BBB.AAA.com.
  Please guide to manage this issue.
  Thanks a lot in advance!

  Thanks for your reply.
  *Access rights*
  I have made the screen copy.
  How can I post it?
  I am not allowed to use our Webserver.
  I try to describe the screens.
  Sharing:
  Administrator
       Read/Write
  Administrator     
  Read/Write
  Administrators    
  Owner
  Group A             
  Read/Write
  Group B             
  Read/Write.
  Security:
  Group B (AAA\GroupB)   
             FullControl
  Group A (AAA\GroupA)   
             FullControl
  Administrator            
  FullControl
  Administrator            
  FullControl
  Administrators (BBB\Administrators)
    FullControl.
  Two administrators are on the list.
  One is Administrator of domain AAA.com
  The other one is administrator of domain BBB.AAA.com
  *Search suffix*
  DCs and the member server have the search suffix AAA.com.
  Thanks for your help in advance.
  Best regards

• Content Management in Sub-Domain vs Primary Domain

  I have created a sub-domain (abc.ourURL.com) for one of our
  sites (www.ourURL.com). If I make any changes to the primary site,
  it is carried through to the sub-domain, and visa versa. Is there a
  way to stop this from happening and put a "wall" between the
  changes made on one versus the other. If not, we are going to be
  forced to move to Joomla.

  Have you created a seperate connection to both urls?
  Normally it's possible to create seperate connections on one
  domain in Contribute, but I only have experience with situations
  like this:
  site (connection) 1: www.domain.com/
  site (connection) 2: www.domain.com/site2/
  site (connection) 3: www.domain.com/site3/
  I all situations the ftp information only differs in the url
  you connect to. The contact info (ftp) is the same at all sites.
  I think you should try to set up something like this (or did
  you already try that?):
  site (connection) 1:
  http://www.ourURL.com/
  site (connection) 2:
  http://abc.ourURL.com/

• Map Sub-Domain to specific port

  Hi,
  I installed Tomcat 5 separatly from the built-in one, listening at port 8080.
  What I would like to do now is have a sub-domain, that points to this port.
  sub.mydomain.com -> www.myotherdomain.com:8080
  Is this possible with the Admin Tool, and how?
  Thanks for any help
  Aldo
    Mac OS X Server (10.4.9)  

  I tried again with this two line an it worked.
  Here the rewrite_log:
  83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (2) init rewrite engine with requested uri /
  83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (3) applying pattern '.*' to uri '/'
  83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (4) RewriteCond: input='GET' pattern='^TRACE' => not-matched
  83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (3) applying pattern '^/(.*)$' to uri '/'
  83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (4) RewriteCond: input='sub.mydomain.com' pattern='sub.mydomain.com' => matched
  83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (2) rewrite / -> http://localhost:8080/
  83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (2) forcing proxy-throughput with http://localhost:8080/
  83.79.170.214 - - [24/Apr/2007:08:54:23 +0200] [sub.mydomain.com/sid#1847e8c][rid#1834834/initial] (1) go-ahead with proxy request proxy:http://localhost:8080/ [OK]
  Hope it helps.
    Mac OS X (10.4.9)  

• LDAP setup with SSL - Can't use tls auth type

  I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
  # ldapclient mod -a authenticationMethod=tls:simple
  Cannot specify LDAP port with tls
  # ldapclient mod -a authenticationMethod=tls
  Unable to set value: invalid authenticationMethod (tls)
  Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
  NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
  NS_LDAP_SERVERS= 10.10.1.14:636
  NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SERVER_PREF= 10.10.1.14:636
  NS_LDAP_CACHETTL= 0
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
  Thanks,
  Jay

  When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
  Also, you need to setup up your client to use FQN as well (/etc/hosts).