Linked Server across the Domain

Hi
I am encountering a problem with linked server connectivity.
I have one server in Domain A and another server in Domain B. I am able to connect and execute a SQL query from Domain A to B (creating a linked server in Domain A and accessing the database in Domain B). The problem is that I am not able to achieve the reverse. Could you help me debug this scenario?
Also, if you could shed some light on how to verify that the IP is not blocked in the firewall settings, that would help me debug further.
Some of the things I have tried were verifying that remote connectivity was enabled, the TCP/IP protocol was enabled, the SQL service is up and running, etc.
Regards
Srinivasan Baskaran
Srinivasan, Sr. Software Engineer, India

To verify firewall settings:
Please refer to:
http://blogs.msdn.com/b/walzenbach/archive/2010/04/14/how-to-enable-remote-connections-in-sql-server-2008.aspx
Try one more trick given in the similar thread below:
SQL2008r2 Linked Server fails across domains
Cheers,
Vaibhav Chaudhari
[MCTS],
[MCP]

Similar Messages

  • Need to collect the Windows logon and logoff events across the Domain in a DC environment, for different machines and user accounts.

    Hello All,
    I am trying to build a tool to collect info about all the users who log in and log off on a daily basis in a domain network. I am using a Windows 2008 server as a DC and have XP, Win 7, Win 8 and Win 12 server as clients in the network.
    There are a few questions in my mind which I am not able to answer.
    1> When a user tries to log in to the DC network, he/she gets authenticated using the Kerberos protocol. Do these authentications get logged on the AD server by default? I have seen a way to enable it from the registry, but even that's not giving me the expected output in the eventvwr.
    2> Do I have to use audit policies to monitor all the users' logoff and logon activities?
    3> Is there a way to collect this information from any place on the AD server other than the Eventvwr?
    Please help me in finding the solutions to these queries of mine.
    Thanks.

    1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start → Administrative Tools → Group Policy Management.
    2. In the left pane, navigate to Forest: <domain_name> → Domains → <domain_name> → Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
    3. In the Group Policy Management Editor dialog, expand the Computer Configuration node on the left and navigate to Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
    4. Set the Audit account management and the Audit directory service access policy to "Success". Set the Audit logon events policy to "Success" and "Failure".
    5. Navigate to Start → Run and type "cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.
    The number of events could be excessive, so you need to adjust the size of the Security log (1 GB, for example).
    Usage of the EventCombMT tool (part of MS ALTools):
     This tool gathers specific events from several different servers to one central location.
     Run the EventCombMT.exe > Right Click on Select to search field > Choose Get DCs in Domain > Mark your Domain Controllers for search
     Click the Searches menu > replace Event ID field values with
    4624  LOGON / 4634  LOGOFF
     Click Search and wait for the process to complete the operation.
     After the search is done the output directory contains the log files for the domain controllers where events with the specified Event IDs were found.
    Alternatively you can try Netwrix Auditor for Active Directory solution with 20 days of free trial to generate such reports.
    --- Jeff (Netwrix)
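
The step that follows collection, as an added example that is not part of the original reply: once events 4624 and 4634 have been gathered, pairing them by logon ID turns the raw events into per-user sessions. The CSV layout and the sample rows are constructed assumptions about how the events were exported; the field names TargetUserName, TargetLogonId and LogonType are those carried in the event data of 4624 and 4634.

```python
import csv
import io
from datetime import datetime

# Logon type codes recorded in the LogonType field of events 4624/4634.
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# Constructed sample export (not real data). The column layout is an
# assumption about how the collected events were flattened to CSV.
SAMPLE_CSV = """\
TimeCreated,Computer,EventID,TargetUserName,TargetLogonId,LogonType
2024-05-06T08:01:12,DC01,4624,alice,0x3e7a1,2
2024-05-06T08:03:40,DC01,4624,bob,0x4b210,10
2024-05-06T08:03:41,DC01,4624,WKS07$,0x4b2ff,3
2024-05-06T12:15:02,DC01,4634,alice,0x3e7a1,2
2024-05-06T17:30:00,DC01,4634,bob,0x4b210,10
2024-05-06T18:00:00,DC02,4624,alice,0x3e7a1,3
2024-05-06T18:05:00,DC01,4634,carol,0x99999,3
"""


def load_events(text):
    """Parse the CSV export into a list of dicts, oldest event first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["when"] = datetime.fromisoformat(row["TimeCreated"])
    return sorted(rows, key=lambda r: r["when"])


def pair_sessions(events, include_machine_accounts=False):
    """Match each 4634 (logoff) to the 4624 (logon) with the same logon ID.

    Logon IDs are only unique on the machine that issued them, so the
    pairing key is (computer, logon id), never the logon ID alone.
    Returns (sessions, still_open, orphan_logoffs).
    """
    open_logons = {}
    sessions, orphan_logoffs = [], []
    for ev in events:
        user = ev["TargetUserName"]
        # Computer accounts end in "$" and usually drown out human logons.
        if user.endswith("$") and not include_machine_accounts:
            continue
        key = (ev["Computer"].lower(), int(ev["TargetLogonId"], 16))
        if ev["EventID"] == "4624":
            open_logons[key] = ev
        elif ev["EventID"] == "4634":
            start = open_logons.pop(key, None)
            if start is None:
                # Logoff whose logon predates the export or was overwritten
                # because the Security log was too small.
                orphan_logoffs.append(
                    {"user": user, "computer": key[0], "logoff": ev["when"]})
                continue
            sessions.append({
                "user": start["TargetUserName"],
                "computer": key[0],
                "logon_type": LOGON_TYPES.get(start["LogonType"],
                                              start["LogonType"]),
                "logon": start["when"],
                "logoff": ev["when"],
                "seconds": int((ev["when"] - start["when"]).total_seconds()),
            })
    still_open = [
        {"user": ev["TargetUserName"], "computer": key[0], "logon": ev["when"]}
        for key, ev in open_logons.items()
    ]
    return sessions, still_open, orphan_logoffs


if __name__ == "__main__":
    done, active, orphans = pair_sessions(load_events(SAMPLE_CSV))
    for s in done:
        print(f'{s["user"]:8} {s["computer"]:6} {s["logon_type"]:18} '
              f'{s["logon"]} -> {s["logoff"]} ({s["seconds"]} s)')
    for s in active:
        print(f'{s["user"]:8} {s["computer"]:6} still logged on since {s["logon"]}')
    for s in orphans:
        print(f'{s["user"]:8} {s["computer"]:6} logoff without logon at {s["logoff"]}')
```

A large number of orphan logoffs is a sign that the Security log is wrapping before the events are collected.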

  • Unable to join a server to the domain

    We're currently running into a problem trying to rejoin one of our servers to our domain.
    When we try to join the domain (as <ourdomain>) we're receiving the error "DNS name does not exist error 0x0000232B RCODE_NAME_ERROR SRV record _ldap._tcp.dc._msdcs.<ourdomain>". If we try to join it as <ourdomain>.local we get the error "The network path was not found".
    Looking online the main thing that I see suggested is to set the primary DC server's IP as the primary DNS IP. We've done that, and set our secondary DC as the secondary DNS IP. Both DC's are running DNS.
    The DCs are running Server 2012 core and the new server is running Server 2012 R2.
    Any insights on what else we can try?
    Thanks,
    -Tyler

    Hi,
    In addition, can you ping the primary DC and secondary DC on the server that you wanted to join the domain?
    Please make sure that the related ports (especially TCP/UDP port 53, 135) and services required for DCs and client computers are not blocked or disabled.
    Please also check whether the DNS SRV records for the DCs exist on the DNS servers. If not, you can stop and start the Netlogon service on the DCs to force the DCs to re-register the appropriate SRV records.
    Best regards,
    Susie

  • How do I apply a win7 localgpo to a server on the domain?

    Hi,
    I exported a backup of group policy via LocalGPO and need to apply it to many Win7 machines in AD domain. Can I do this, and how would I accomplish this task? Do I need to create .cab package in SCM too?
    Thanks in advance,
    J

    > I exported a backup of group policy via LocalGPO and need to apply it to
    > many Win7 machines in AD domain. Can I do this, and how would I
    > accomplish this task? Do I need to create .cab package in SCM too?
    A local gpo essentially is a registry.pol file and a gpttmpl.inf file.
    Maybe some others, but that doesn't matter.
    In short:
    To "copy" a local gpo into a domain GPO, simply create a new domain gpo,
    edit this new GPO and add a setting of your choice in each gpedit node
    that you used in your local gpo. This will create some required
    attributes for the domain gpo.
    Then navigate to the sysvol folder of this domain gpo and copy the
    contents of your local gpo into that folder - done.
    Martin
    Want to read a GOOD book about GPOs for a change?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Removing dead Exchange 2003 and Exchange 2000 Server from the domain

    Hi Team,
    I have come across a client who wants to migrate to O365 from an existing Exchange 2003 environment through the Hybrid Model. I am trying to introduce 2010 SP3 to the environment. While checking the environment using Exchange pre-deployment, I found 2 servers in the environment which are not present on the network now. The client has no clue what they are.
    One is Exchange 2003 and the other is Exchange 2000. The problem here is I cannot introduce Exchange 2010 SP3 unless all the Exchange servers are running a minimum of Exchange 2003 SP2.
    At present I find only 2 Exchange 2003 SP2 servers which are in production. I need kind assistance to move forward.

    Hi,
    I recommend you follow the steps below:
    1. Please upgrade Exchange 2000 and Exchange 2003 to Exchange 2003 SP2 at first.
    2. Deploy Exchange 2010 servers in this order: CAS, Hub, UM and Mailbox. For more information, here is an article for your reference:
    Exchange 2003 - Planning Roadmap for Upgrade and Coexistence
    http://technet.microsoft.com/en-us/library/aa998186(v=exchg.141).aspx
    3. Install Exchange 2010 SP3.
    Here is an article for your reference.
    Upgrade Exchange 2010 to Exchange 2010 SP1, Exchange 2010 SP2, or Exchange 2010 SP3
    http://technet.microsoft.com/en-us/library/bb629560(v=exchg.141).aspx
    About a hybrid deployment with Microsoft Office 365 using Microsoft Exchange Server 2010 servers, here is an article for your reference. 
    Understanding Upgrading Office 365 Tenants for Exchange 2010-based Hybrid Deployments
    http://technet.microsoft.com/en-us/library/jj945383(v=exchg.141).aspx
    Hope it helps.
    If there are any problems, please feel free to let me know.
    Best regards,
    Amy
    Amy Wang
    TechNet Community Support

  • Socks proxy call  from a weblogic server across the firewall to an external program

    Hi,
    From our weblogic server, we are trying to connect to an external
    program outside our firewall through SSL. The SSL connection is being
    tunneled through a socks proxy in the DMZ. (We have not yet made it
    work so far. Currently, we are trying to make it work)
    From the weblogic bean, we are doing the following
    System.setProperty("socksProxySet", "true");
    System.setProperty("socksProxyHost", "w.x.y.z");
    System.setProperty("socksProxyPort", "1080");
    Note that the weblogic bean is the initiator of the connection and it talks
    to a program outside our firewall.
    My question is, will this kind of system level setting in the weblogic
    server have any negative impact? This is because, RMI is over sockets
    and weblogic might be talking to its internal components through
    sockets.
    Is it advisable to have such socks related settings at the weblogic bean
    level?
    thanks,
    jas.

  • Error while linked server is used to verify the existence of a table

    Hi All,
    Pls help me solve an issue related to linked Server..
    Following is my query:
    IF EXISTS (select 1 from [LinkedServerName].Sales.sys.tables where name = 'SalesTable') 
    BEGIN
     DECLARE @LastSales varchar(25) 
     SET @LastSales = (select CONVERT(VARCHAR(25),max(LastSalesTime)) from [LinkedServerName].SalesDB.dbo.SalesTable)
    END
    What should happen is, it should check the existence of SalesTable on the Linked Server (select 1 from [LinkedServer].Sales.sys.tables where name = 'SalesTable'), and only after it returns 1 should the variable @LastSales be allotted a value.
    But in my case, as soon as I run the code, it gives the error:
    The OLE DB provider "SQLNCLI10" for linked server "LinkedServerName" does not contain the table ""Sales"."dbo"."SalesTable"". 
    The table either does not exist or the current user does not have permissions on that table.
    My question is that if the condition fails at the very outset returning null (as the table does not exist), then why it is entering BEGIN and throwing the error.
    All your valuable inputs are appreciated !!

    Inconsistency is the hallmark of SQL Server.
    If you say:
    IF EXISTS (select 1 from Sales.sys.tables where name = 'SalesTable') 
    BEGIN
     DECLARE @LastSales varchar(25) 
     SET @LastSales = (select CONVERT(VARCHAR(25),max(LastSalesTime)) from        SalesDB.dbo.SalesTable)
    END
    This will work as you expect. That is, if the table does not exist, the batch will parse and produce no result. This is because SQL Server has deferred name resolution for tables. If a table is missing at compile time, SQL Server suppresses the error in the hope that the table will be there at run-time.
    But there is an exception to this. For table sources on remote data sources, there is no deferred name resolution, but the table has to be there at compile time. This is quite ironic. Personally, I think deferred name resolution (which was introduced in SQL 7) is a big misfeature, but I could buy it if there was deferred name resolution for objects on a linked server, since the server may be down, and you have coded for this like you have above. Well, if the server is down, the IF EXISTS will fail to compile too.
    You will need to introduce a new scope somewhere to avoid the problem. For instance:
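    IF EXISTS (select 1 from [LinkedServerName].Sales.sys.tables where name = 'SalesTable') 
    BEGIN
       DECLARE @LastSales varchar(25) 
       -- The remote table is referenced only inside the dynamic SQL, which is compiled in its own scope.
       -- The argument must be marked OUTPUT as well, or the value is not passed back to @LastSales.
       EXEC [Linkedservername].SalesDB.sys.sp_executesql
            N'SET @LastSales = (select CONVERT(VARCHAR(25),max(LastSalesTime)) from SalesTable)',
            N'@LastSales varchar(25) OUTPUT', @LastSales OUTPUT
    END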
    Erland Sommarskog, SQL Server MVP, [email protected]

  • Whatif: Conflict Computer Vs User in the same GPO linked to the domain

    Hi, I'm actually trying to understand how the GPO works when you create a conflict in the same GPO.
    So, I've created a new GPO with "Prevent changing proxy settings" and linked it to the domain, with the default filter. (for testing purposes).
    When:
    On Computer Configuration: "Prevent changing proxy settings" is Enabled
    On User Configuration: "Prevent changing proxy settings" is Disabled
    Result: "Prevent changing proxy settings" = Enabled
    When:
    On Computer Configuration: "Prevent changing proxy settings" is Disabled
    On User Configuration: "Prevent changing proxy settings" is Enabled
    Result: "Prevent changing proxy settings" = Enabled
    And just to be sure:
    On Computer Configuration: "Prevent changing proxy settings" is Disabled
    On User Configuration: "Prevent changing proxy settings" is Disabled
    Result: "Prevent changing proxy settings" = Disabled
    In this case it looks that the most restrictive is applied, is it a particular case (no luck for my test)? or each potentially conflicting settings has a predefined result (like: computer configuration win, user configuration win, most restrictive configuration win...)?
    Regards,
    L.H.

    Hi,
    A GPO is divided into two parts: Computer Configuration & User Configuration.
    If we configure the settings under User Configuration, these settings apply to user accounts, regardless of which computer they log onto.
    If we configure the settings under Computer Configuration, these settings apply to computer accounts, regardless of which user logs onto the computer.
    However, when there are conflicting settings in the same GPO, as suggested by Martin in the following thread:
    If conflicting settings exist, it depends on the individual setting and windows component which setting will win. Most times, it will be the computer setting. Loopback does NOT change this behaviour.
    computer configuration conflict with user configuration
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/423c12e8-8303-48d0-b8ac-5a8d46e71137/computer-configuration-conflict-with-user-configuration?forum=winserverGP
    Best regards,
    Frank Shen

  • Trouble with detect network "Domain network" in the domain member server

    Hi, I have a question about detecting the "domain network" on a Windows 2012 R2 server. After installing and adding this member server to the domain, I see that I cannot connect to this server. After I connect to the console, I also detect the site as a public site. After I disable and enable this network site, the network is correctly domain. How is it detected which network it is? Does this contact a domain controller? etc.
    Thank you for answer 
    Falcon

    Hi
    Not fully understood the problem. But if you have a Windows domain and you can't add the new server to the domain, or can't connect to the server after or before joining the domain, then it could be for a number of reasons; the first one to check is the firewall.
    Turn the firewall on host and source and then try again. Also are you able to ping the new server?
    How are you trying to connect to the server via RDP?
    If yes then you need to enable the RDP and give yourself permission to remote dial in.
    Thanks
    Umar

  • OLEDB provider VFPOLEDB for linked server returned message "Invalid path or file name"

    Hello,
    I'm hoping someone can shed some light on this.  I've researched this error for days, reading all the posts in this forum; however, none of them address my issue.
    We use VFP 9 .dbf tables (free tables).  I set up a linked server to query the tables.  At first we were not able to view the tables in SQL Server Mgmt Studio (MSMS) until I sorted out the permissions.  I can query the tables if I copy them over to the server so they are local tables.  However, across the network I am continually getting the error above and the following error:
    "Cannot initialize the data source object of OLE DB provider VFPOLEDB for linked server XXX."
    Here are the steps I've performed...
    Installed a 32 bit instance of SQL Server Express 2008 R2 using Windows Authentication on server 2 (the 64 bit instance could not see the VFP OLE DB provider, as we all know, because the provider is only 32 bit)
    Installed the latest VFP OLE DB from http://www.microsoft.com/en-us/download/details.aspx?id=14839.
    In the VFPOLEDB provider, I enabled Nested queries, Level zero only, Allow inprocess, and Supports 'Like' operator.
    Setup a linked server using the following query:
    EXEC master.dbo.sp_addlinkedserver
    @server = N'LinkedAC',
    @srvproduct = N'Visual FoxPro 9',
    @provider = N'VFPOLEDB',
    @datasrc = N'"\\server1\share\TIW\KOKAC"',
    @provstr = N'VFPOLEDB.1'
    At first I could not view the tables when expanding default>Tables, it failed due to a "catastrophic failure".  That can't be good ;-).  After digging around, I surmised it was because I'd set the SQL Instance to run as NT Authority\NetworkService.
    I created a new user, LinkedVFP, and added to the SQL Instance (using Windows Authentication), mapped the user to the master database with the db_datareader role.  I also added the LinkedVFP user to the network share.  I was then able to browse
    the tables in MSMS and query the data when local, but still not across the network.
    I'm using Crystal Reports to try and query the data from my local workstation using SELECT * FROM OPENQUERY(mylinkedserver, 'select * from table1').  This produces the two errors I mentioned above.
    To clarify, the VFP tables are on server 1 and the linked server is on server 2.  I've read about service account delegation, but unclear if this is the issue.  I went into our domain controller (neither server 1 or 2), AD User and Computers, and
    for server 2 I enabled 'Trust this computer for delegation to any service (Kerberos only)'. 
    Can anyone shed some light on this for me?
    Thanks!
    Aaron McVanner

    Hi Aaron,
    Thank you for your question. I am trying to involve someone more familiar with this topic for a further look at this issue. Sometime delay might be expected from the job transferring. Your patience is greatly appreciated. 
    Regards,
    Elvis Long
    TechNet Community Support

  • User created SQL Agent Job that uses linked server with Windows authentication

    OK, here's what I want to do, but not sure exactly what I need to accomplish it.
    Environment
    Windows 2008 Enterprise
    SQL 2012 Enterprise
    SQL Server & SQL Agent running under AD account (which has local Windows Administrative privileges...yes, I know..bad!)
    Linked server to Teradata utilizing AD account mappings (the linked server works successfully and each windows login is mapped to a Teradata LDAP login)
    Requirement
    Allow non sysadmins to create SQL Agent jobs which execute TSQL statements which use OPENQUERY(LDAPLinkedServer, '....) syntax
    I've already given the non sysadmins the necessary permissions to create and run SQL Agent jobs, and I understand that the jobs run under their login context, but I suspect that I'm missing something when it comes to the linked server.
    Each windows user could have access to different databases/tables on the Teradata system that even I (the SQL Server sysadmin) don't have access to.
    How can I facilitate this functionality?  Any ideas?

    I think I may have been over complicating the Teradata piece.  The authentication methodology in Teradata is LDAP, which just means that it authenticates against AD, but you still have to submit your Windows login & password.  It doesn't automatically
    authenticate you just because you're logged into Windows.  
    The linked server has the mapping for the individual windows logins like:
    Local Login = <domain>.<windows id>
    Remote User = <windows id>
    Remote Password = <windows password>
    This setup requires the user to have to change the passwords in the linked server whenever they change their passwords according to domain policy (every xx days)...but we've created a utility proc that they can use to do this.
    So, I'm thinking that Teradata isn't really part of this equation.

  • Current Security Context Not Trusted When Using Linked Server From ABAP

    Hello,
    I am experiencing a head-scratcher of a problem when trying to use a Linked Server connection to query a remote SQL Server database from our R/3 system.  We have had this working just fine for some time, but after migrating to new hardware and upgrading OS, DBMS, and R/3, now we are running into problems.
    The target database is a named instance on SQL Server 2000 SP3, Windows 2000 Server.  The original source R/3 system was 4.7x2.00, also on SQL Server 2000 (SP4), Windows 2000 Server.  I had been using a Linked Server defined via SQL Enterprise Manager (actually defined when the source was on SQL Server 7), which called an alias defined with the Client Network Utility that pointed to the remote named instance.  This alias and Linked Server worked great for several years.
    Now we have migrated our R/3 system onto new hardware, running Windows Server 2003 SP1 and SQL Server 2005 SP1.  The application itself has been upgraded to ECC 6.0.  I performed the migration with a homogeneous system copy, and everything has worked just fine.  I redefined the Linked Server on the new SQL 2005 installation, this time avoiding the alias and referencing the remote named instance directly, and it tests out just fine using queries from SQL Management Studio.  It also tests fine with OSQL called from the R/3 server console, both when logged on as SAPServiceSID with a trusted connection, and with a SQL login as the schema owner (i.e., 'sid' in lowercase).  From outside of R/3, I cannot make it fail.  It works perfectly.
    That all changes when I try to use the Linked Server within an ABAP application, however.  The basic code in use is
    EXEC SQL.
       SET XACT_ABORT ON
       DELETE FROM [SERVER\INSTANCE].DATABASE.dbo.TABLE
    ENDEXEC.
    The only thing different about this code from that before the upgrade/migration is the reference to [SERVER\INSTANCE] which previously used the alias of just SERVER.
    The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR.  The database error code is 15274, and the error text is "Access to the remote server is denied because the current security context is not trusted."
    I have set the "trustworthy" property on the R/3 database, I have ensured SAPServiceSID is a member of the sysadmin SQL role, I've even made it a member of the local Administrators group on both source and target servers, and I've done the same with the SQL Server service account (it uses a domain account).  I have configured the Distributed Transaction Coordinator on the source (Win2003) system per Microsoft KB 839279 (this fixed problems with remote queries coming the other way from the SQL2000 system), and I've upgraded the system stored procedures on the target (SQL2000) system according to MS KB 906954.  I also tried making the schema user a member of the sysadmin role, but naturally that was disastrous, resulting in an instant R/3 crash (don't try this in production!), so I set it back the way it was (default).
    What's really strange is no matter how I try this from outside the R/3 system, it works perfectly, but from within R/3 it does not.  A search of SAP Notes, SDN forums, SAPFANS, Microsoft's KnowledgeBase, and MSDN Forums has not yielded quite the same problem (although that did lead me to learning about the "trustworthy" database property).
    Any insight someone could offer on this thorny problem would be most appreciated.
    Best regards,
    Matt

    Good news! We have got it to work. However, we did it in something of
    a backwards way, and I'm sure you'll laugh when you see how it was done. Also, the solution depends upon the fact that the remote server is still using SQL Server 2000, and so doesn't have quite so many restrictions placed upon it for distributed transactions and Linked Servers as SQL Server 2005 now does.
    At the heart of the solution is the fact that the Linked Server coming FROM the remote server TO our SAP system works fine. Finally, coupled with the knowledge that using DBCON on the SAP side to the remote server also does actually provide a connection (see Notes 323151 and 738371), we set up a roundabout way of achieving our goal. In essence, from ABAP, we set up the DBCON connection to the remote server, at which point all the Native SQL commands execute in the context of the remote server. From within that connection, we
    reference the tables in SAP via the Linked Server defined on the remote
    server, as if SAP were the remote server, selecting data from SAP and inserting it into the remote (but apparently local to this connection) tables.
    So, to spell it out, we define a Linked Server on the remote server pointing back to the SAP server as SAPSERV, with a SQL login mapping defined on the remote system pointing back to a SQL login in the SAP database. We also define a connection to the remote server from SAP using DBCON, using that remote SQL login for authentication.
    Then, in our ABAP code, we simply do something along the lines of
    exec sql.
       set connection 'REMOTE'
    endexec.
    exec sql.
       connect to 'REMOTE'
    endexec.
    exec sql.
       insert into REMOTE_TABLE
          select * from SAPSERV.SID.sid.SAP_TABLE
    endexec.
    exec sql.
       commit
    endexec.
    exec sql.
       disconnect 'REMOTE'
    endexec.
    This is, of course, a test program, but it demonstrated that it worked,
    and we were able to see that entries were appropriately deleted and inserted in the remote server's table. The actual program for use is a little more complex, in that there are about four different operations at different times, and we had to resolve the fact that the temp table SAP_TABLE was being held in a lock by our program, resulting in a deadly embrace, but our developer was able to work that out, and all is now well.
    I don't know if this solution will have applicability to any other customers, but it works for us, for now.
    SAPSERV, REMOTE, REMOTE_TABLE, and SAP_TABLE are, of course, placeholder names, not the actual server or table names, so as not to confuse anyone.
    Best regards,
    Matt

  • Exchange Server 2010 Accepted Domain

    Dear,
    I have the following environment:
    The company bought the company dominioA.com dominioB.com.
    Both companies have mail system.
    Company A wants to standardize the environment and wants only the mail platform remains in Exchange 2010 mail servers Company A.
    to have many users, and also change the MX ip address, the company does not want to do all of one.
    As I raise the following:
    One Accepted Domain was created with the dominioB.com
    An email policy which I think I will do that by creating the accounts you create them in an organizational unit and change them to dominioB.com SMTP.
    Send mail testing was made from those accounts to accounts dominioA.com and there were no problems.
    Send mail testing was done from the dominioB.com account to an external account and it worked.
    Send test mail dominioA.com to DominioB.com and began to bounce post is made. because the mail server is in the domainB, and server Only the domain was created. for this to work one must change the MX, but the company wants to do it gradually.
    As I can do ????
    Waiting for your comments
    Thank You,
    Edwin Duran Ospina

    Hi,
    According to your description, I notice that you have two companies, Company A and Company B, and want to deploy only one Exchange server for mail flow.
    If I misunderstand your concern, please do not hesitate to let me know.
    If you want to deploy only one Exchange server SMTP name for the two companies, I suggest we deploy a forest trust and linked mailboxes for Company B's users.
    More details about Deploy Exchange 2010 in an Exchange Resource Forest Topology, for your reference:
    https://technet.microsoft.com/en-us/library/aa998031(v=exchg.141).aspx
    Best Regards,
    Allen Wang

  • Testing an ISA Server Rule, the recursive query to other DNS Servers test fails

    Hello,
    I am trying to configure the following infrastructure with ISA Server 2006 and two W2003 servers (called "Server1" and "Server2"). "Server1" is a domain controller, and ISA Server is installed on "Server2", which also has two Ethernet network cards attached, one called "Internal Ethernet Card" and the other called "External Ethernet Card".
    The infrastructure would be:  "Internal Ethernet Card"---- ISA Server ----"External Ethernet Card"---"Router"----"Internet"
    "Internal Ethernet Card" manages the internal packet traffic of the infrastructure; the network segment it belongs to is isolated from what we could call the outbound traffic, which is linked to a router. "Internal Ethernet Card" is a virtual network.
    "Internal Ethernet Card" feature configuration is the following:
    - IP address: 192.168.3.3
    - Subnet Mask: 255.255.255.0
    - DHCP Enabled: No
    - DNS Server: 192.168.3.1 (Must point to the DC "Server1" which has the DNS Service installed)
    - Default Gateway:  None  (because it doesn't point outside)
    - Primary WINS Server: 192.168.3.1  
    The "External Ethernet Card" provides the outbound connection, and this card is connected to the physical router.
    Its feature configuration is the following:
    - IP address: 192.168.1.50
    - Subnet Mask: 255.255.255.0
    - DHCP Enabled: No
    - Default Gateway: 192.168.1.1
    - DNS Servers: 192.168.3.1 (Must point to the DC "Server1" which has the DNS Service installed)
    After configuring the network cards, I created the following rule in the ISA Server to allow outbound traffic from the server and the clients which have joined the domain:
    Action: Allow.  Protocol: DNS.  From:"Server2".  To : External.  Condition: All Users
    After applying the changes to update the configuration, I go into the DNS server on "Server1" and, in the "Monitoring" tab, run a "recursive query to other DNS Servers" test, but it fails.
    Only the "simple query against this DNS Server" works.
    I don't know why it fails, but I'm stuck on this issue, because in the "Server1" DNS Server, in the "domain forward IP address list", I have added two DNS addresses which work OK.
    I would appreciate some help to solve this issue.
    Thanks
    Regards 

    Hello Ms. Long, 
    Yes, you are right. On Server1 the DNS server is configured to use forwarders, which are set in the field "Selected domain's forwarder IP address list": two DNS addresses obtained from "Open DNS", which work well.
    There is no DNS Server linked to the External NIC.
    Server1 belongs to a private network configured as "VMnet3", which is set as follows:
    IP address: 192.168.3.1
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.3.3
    DNS Server: 192.168.3.1
    I have tried to test your suggested idea:
    > set d2
    > google.com
    Server:  srv-dcfs-01.dominio.local
    Address:  192.168.3.1
    SendRequest(), len 42
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
        QUESTIONS:
            google.com.dominio.local, type = A, class = IN
    Got answer (113 bytes):
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
        QUESTIONS:
            google.com.dominio.local, type = A, class = IN
        AUTHORITY RECORDS:
        ->  dominio.local
            type = SOA, class = IN, dlen = 46
            ttl = 3600 (1 hour)
            primary name server = srv-dcfs-01.dominio.local
            responsible mail addr = hostmaster
            serial  = 41
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    SendRequest(), len 28
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
        QUESTIONS:
            google.com, type = A, class = IN
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    *** Request to srv-dcfs-01.dominio.local timed-out
    As you can see highlighted in bold, the problem remains in the "recursive query to other DNS Servers" check.
    Maybe it is better to put the issue on the "Windows Server General Forum", because the issue has nothing in common with the ISA Server, don't you think?
    Thanks
    Best regards
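
One way to read the `set d2` transcript in the post above, as an added example that is not part of the original post: the Python below pairs each request with the name it asked for and how it ended. The transcript is abridged from the post; the function name `summarize` and the result field names are assumptions of this example.

```python
import re

# Abridged from the transcript in the post; summarize() and its field names are this example's own.
TRANSCRIPT = """\
SendRequest(), len 42
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  query, want recursion
    QUESTIONS:
        google.com.dominio.local, type = A, class = IN
Got answer (113 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        google.com.dominio.local, type = A, class = IN
SendRequest(), len 28
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
    QUESTIONS:
        google.com, type = A, class = IN
DNS request timed out.
"""

def summarize(transcript):
    """Return one dict per request: the name asked and how the request ended."""
    queries, current, section = [], None, None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("SendRequest(), len"):
            current = {"name": None, "outcome": "no reply seen", "authoritative": False}
            queries.append(current)
            section = "request"
        elif line.startswith("Got answer"):
            section = "answer"
        elif line.startswith("DNS request timed out") and current:
            current["outcome"] = "timeout"
        elif section == "request" and (m := re.match(r"(\S+), type = \w+, class = \w+$", line)):
            current["name"] = m.group(1)
        elif section == "answer" and (m := re.search(r"rcode = (\w+)", line)):
            current["outcome"] = m.group(1)
        elif section == "answer" and line.startswith("header flags:"):
            current["authoritative"] = "auth. answer" in line
    return queries

if __name__ == "__main__":
    for q in summarize(TRANSCRIPT): print(q)
```

On the post's transcript this reports the suffix-appended name google.com.dominio.local answered NXDOMAIN authoritatively by the local dominio.local zone, and the bare google.com query ending in a timeout.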

  • Interesting Presence issue and changing the domain

    I've got an interesting problem that I recently posted about in a different discussion forum.
    Basically I've got a presence setup. This is federated with an OCS. The OCS domain is something like company.com This is the same as the email domain, and the SIP uri's are sip:[email protected]
    The issue is that when the presence server was set up, the proxy domain was set as something like cmp.local. cmp.local is the domain for the entire internal MS infrastructure. The problem appears to be that this conflicts with the internal domain. So when looking up in the directory instead of getting the OCS domain it gets replaced with the cmp.local. Functionally this results in the jabber client being unable to add federated OCS contacts from the directory as they just get added as internal jabber contacts.
    I'm thinking of changing the domain on the presence server to something like jabber-cmp.local, i.e. a domain that doesn't exist. Once we migrate to jabber we'll change the domain again back to company.local so we can federate externally properly. Does anyone have any experience of doing something similar? Any pitfalls anyone can point out?

    Federation can only be set up a few ways
    - Intra domain  (company.com   federated to im.company.com)
    - inter domain (company.com  federated to abc.com)
    - Intra domain partitioned  (Company.com federated to company.com)
    You need to define this to make any of the with CUPS 8.6.4 (you should run latest and greatest).   Now, depending on which version OCS you have R1 or R2 is important as well.
    Put the CUPS server in the domain you want it in.  Some of the SIP parameters can be pushed for Jabber 4 windows XML file  IE:  
    msRTCSIP-PrimaryUserAddress
      true
      sip:>
