Moving File/Terminal Server Across Forest Trust

Similar Messages

• File sharing server across campuses

  Hi I am looking into setting up file sharing between college campuses for sports videos. However, instead of setting file permission levels that stay pretty constant, users will constantly be uploading new research and determining which users can access the files. So a user from campus A would upload a file and allow access to user B, but not user C. The next file may be allowed to be shared to user C but not B. These permissions will be changing on a regular basis--what would be the best way to manage this to allow users to manage who can access their specific content?
  Crudely I was thinking this could be managed by creating a folder/drop box for each user and then the other users could all submit content to the individual drop boxes. However, my problem with this is that especially for video content this will create a lot of copies of the same files and thus take up unnecessary space. There should be a more efficient way to do this in my thinking. Thoughts?

  I'm guessing you're thinking of setting up a youtube-ish service for multiple sites and multiple clients here, and, well, start thinking of the access control permutations when you hit ten or a hundred or a thousand clients, and start thinking about what sorts of network bandwidth you'll need to stream all that video. Hundreds and thousands of clients and tens of sites work rather differently than a dozen users in the same room with gigabit pipes. You should be designing your web-facing interfaces and your database and your data distribution models, and not thinking about individual files and directories.
  You're basically going to be setting up your own access control and distribution model here, and once the clients are authenticated to the database, geographically local copies of the videos are then streamed to the clients. If there's any particular likelihood of scaling here, you should probably be looking at, for instance, hadoop or voldemort, or other choices.
  Then there are discussions around whether you're going to be doing transcoding (probably yes), and the computes needed to run that.
  You've got a learning curve ahead of you. Consider bringing in some help, if you can't find an existing package that gets you close to where you're going.
  If, on the other hand, you're just doing something small, then I might look to use something akin to Drupal to control access to the files and to manage the general front-end "fun" that a web site has, though I don't know if there's a connection from that over to the Quicktime Streaming Server, or however you're storing video. That might require some custom coding.

• Cisco ISE and forest trusts vs domain trusts

  Hi All,
  Is there any issues with forest trusts with Cisco ISE ?
  I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
  They recently removed external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc ok, authz fail.
  I can search and get lists of AD groups ok for the remote domain. 
  Using the attribute tab, I can't get attributes for users in remote domain.  I'm thinking since I can't see the memberof attribute, none of my authz pollicies will work.
  I have done "leave" and "join" domain again.
  In my lab, I have forest trusts and it actually works ok.  A previous poster talked about kerberos issues across forest trusts ?
  Cheers
  Peter. 

  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
  Kindly find the steps on the page no.170

• Forest Trust Issues (Group Membership Issues)

  OK - this is going to be long. I hope I am detailed enough.
  Four domains, each in their own forests:
  domain.w.com
  domain.x.com
  domain.y.com
  domain.z.com
  For the sake of everyone, I'll refer to each domain as "w" or "x", which would be domain.w.com and domain.x.com, respectively.
  Domains x, y, and z all have users that require access to resources on domain
  w. Remember - each domain is in its own forest.
  Three trusts were created on domain w. Since the users on domain w do not need any resources on the other domains, three "ONE-WAY:OUTGOING" trusts were created (one for each) via Active Directory Domains and
  Trusts on domain w. The option to create the trust (have it show up in Active Directory Domains and Trusts) in the other domains (in this case
  x, y, and z) was selected.
  After the trusts were created from domain w, the trusts were verified. Administrators on domain
  w could "verify" the trusts (using admin accounts created for them on the three trusted domains).
  Since everything looked good (domain w shows up as an incoming trust for the other three domains), permissions for specific users on domains
  x, y, and z were granted for a share in domain
  w.
  Only... that didn't happen. When attempting to change permissions on the share, administrators were able to change the working domain directory to either
  x, y, or z... but searching returned zero results. Zilch.
  *It should be noted that this scenario has been in place for quite some time now, and that all groups/users previously defined on the share (that belong to the three domains trusted by domain
  w) now all show up as SIDs.
  When attempting to verify (validate) the incoming trust on any of the three domains, the error "Windows cannot find an Active Directory Domain Controller for the domain.w.com domain. Verify that an AD DC is available and then try again."
  is returned.
  Pinging domain.w.com returns the correct address. Direct pings to both domain controllers on domain w
  is also working. Domain w can also do the same pings that I just listed to all three other domains with correct results.
  There is no firewall in between these forests.
  I am leaning towards a DNS or AD issue on the domain w side. This all occurred at once on the same day last week, and no changes were made on
  x, y, or z. Of course... domain
  w is another entity and they are saying they have no clue why its not working.
  Questions:
  Should I be able to verify the trust from x, y, or
  z to domain w?
  Why cant domain w see the users/groups in the other domains?
  Why does domain w validate the trust if the other three domains cant?
  Could this be caused by some setting in GPO having to do with LDAP security, signing requirements, or authentication settings?
  Any help is much appreciated.
  Chris

  Yes, this is related to DNS, from what you describe.
  The simplest way to configure this is to go to EACH dns server on both sides of the trust and configure it for a conditional forwarder of the others dns zone. 
  http://www.techrepublic.com/blog/windows-and-office/configuring-dns-forwarders-to-support-windows-server-2003-forest-trusts/501/
  Unless you have a root dns server for all four zones already.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Security considertaions across AD trusts

  Hi
  what are the security considerations (for Forest/DomainA) when creating a one-way trust between DomainA (the trusting domain) and Forest/DomainB (the trusted domain)
  so resources in DomainA are exposed to users in DomainB
  I am trying to articulate the security considerations (i.e. that the concept of Forest security boundary has been broken) to the owners of DomainA
  this is because DomainA is also used to provide authentication services to DomainC  - that have very strict security compliance policies
  can DomainB enumerate users in DomainA?, can an Admin in DomainB elevate his/her rights in DomainA
  presumably a misconfiguration of permissioning in DomainA could see rights given to resources used by DomainC
  Thanks everyone

  Hi,
  Let me explain you using a sample scenario to solve your requirement,
  For example, consider two AD forests - contoso.com and nwtraders.com
  Requirement:
  - I want the users from nwtraders.com to access all resources in contoso.com
  - But the users from contoso.com should be able to access only selected resources in nwtraders.com.
  Solution:
  - In contoso.com, we should configure forest wide authentication on incoming trust, to enable users from nwtraders.com to access all resources in contoso.com.
  - In nwtraders.com, we should configure selective authentication on incoming trust, to enable users from contoso.com to access only selected resources in nwtraders.com.
  Checkout the below thread on similar discussion,
  http://social.technet.microsoft.com/Forums/en-US/b47ee506-c014-4131-b16e-c9c86f7fd39f/add-to-domain-across-forest-trust?forum=winserverDS
  Regards,
  Gopi
  JiJi
  Technologies

• Forest Trust RPC timeout across MPLS

  Hi, I am having trouble setting up a Forest trust between two networks. The issue "seems" to be RPC timeout (i see RPC age-out on firewall) but i'm now wondering if it's actually the LDAP or KErberos thats failing first.
  I have read that RPC needs to have the same path outgoing as incoming otherwise you can get SYN-ACK problems (especially through a firewall). So i need to try and work out why it doesnt work. It is laid out something like this.
  Network 1 (domain BOB) (server 2008 R2 at domain functional level 2003)
  Site1,Site2 and Site3 all connect to each other via Site-To-Site link provided by 3rd party. They all egress at Site1's ISA Firewall in a normal 3 leg perimeter config. All works fine
  Network 2 (domain RITA) (server 2008 R2 at domain functional level 2003)
  SiteA,B,C and D all connecto to each other over 3rd party MPLS (essentially Gig ethernet)
  Site1 and SiteA are on the same premises in the same room. There is a spare NIC on the ISA server. So i configured the ISA with a NIC in the same subnet as SiteA (RITA domain) - ie i plugged RITA into BOB. I configured the ISA for routing. Allow ANY ANY
  internal to RITA and ANY ANY RITA to internal
  I set up conditional forwarders on both domains pointing at each other and can ping everything from the other sites. DNS is working fine. I can RDP across sites to each other's DCs. From a "network" point of view it all looks good (though in the
  back of my mind i cant rule out the site to site or the MPLS links)
  When i try and create the trust it fails very quickly with "Cannot Continue. The trust relationship cannot be created because the following error occurred: The operation failed. The error is: The remote procedure call failed"
  I can do a portqry and see all RPC comms looks good
  In ISA and another firewall i tried i can see the RPC ageing out. Have tried wireshark but hard to see whats going on
  I used another server in the BOB domain and dcpromo'd it to a new domain in that subnet and tried setting up a trust. worked first time
  Similarly i did the same at the RITA side and that worked too.
  THere are no errors in DNS or the event logs on either side to suggest anything is failing. i tried verbose DNS logs but couldnt really follow them.
  Help!! Thanks

  Hi,
  To verify if this is a network issue, please try to perform a network capture on the servers in both side.
  We can use "IPv4.Address==xxx.xxx.xxx.xxx" to filter the traffic between the servers. Then compare the capture data from the servers. If all the packets have been forwarded, it should not be caused by network.
  To download Network Monitor, please click the link below:
  http://www.microsoft.com/en-hk/download/details.aspx?id=4865
  About the question related to Directory Services, to get better help, please post your questions on the DS forum.
  Here is the address:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Unable to Copy File From Terminal Server to Client Share

  Hi
  For years client have been able to copy files from our Windows 2003 Terminal Server to their local workstation using:
  copy myfile \\tsclient\mydrive\myfolder
  However we upgraded to Windows 2012 Server R2 and now Windows 7 Pro clients cannot copy files.  The copy function creates the file name in their local folder but no content is sent after maybe 20 minutes or so the copy function times out and they get an
  error message saying that the application was unable to write to the file.  I have tried this function with my Windows 8.1 workstation and the file copies properly and it works fine for older Windows XP clients.  Does anyone know why Windows 7 clients
  are experiencing this issue.
  Thanks
  Simon

  Hi Simon,
  Initially please use latest RDP version 8.1 for windows 7 and check result. 
  What’s the file size which you are copying?
  Does this happens for all users and on all computers?
  You can try below method might resolve your case.
  1. Login to remote computer using Remote Desktop (RDP). 
  2. Open Task Manager in the remote machine
  3. Click the "Process" tab
  4. Locate a program called "rdpclip.exe"
  5. Right click and select "End process" to kill this program
  6. Click on "File" menu in the task manager and select "New Task (Run)"
  7. Type rdpclip.exe and press the button to start the process.
  By killing existing instance of the rdpclip.exe and restarting the program, you can get your copy paste work again in your remote desktop.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Copy File from Terminal Server to Workstation Failure

  Hi
  For years client have been able to copy files from our Windows 2003 Terminal Server to their local workstation using:
  copy myfile \\tsclient\mydrive\myfolder
  However we upgraded to Windows 2012 Server R2 and now Windows 7 Pro clients cannot copy files.  The copy function creates the file name in their local folder but no content is sent after maybe 20 minutes or so the copy function times out and they get
  an error message saying that the application was unable to write to the file.  I have tried this function with my Windows 8.1 workstation and the file copies properly and it works fine for older Windows XP clients.  Does anyone know why Windows 7
  clients are experiencing this issue.
  Thanks
  Simon

  Hi Simon,
  The copy command should also work on the Windows 7 clients. Please provide the detailed error message when run the command on the Windows 7 clients.
  You could also use robocopy command to achieve this.
  Robocopy
  https://technet.microsoft.com/en-us/library/cc733145.aspx?f=255&MSPPError=-2147217396
  Best Regards,
  Mandy
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

  I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest than our offices.  Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2.  We have set
  up two-way forest trusts with our office domains using selective authentication.  We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain.  On the
  server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain.  However, after
  installing a 2012 R2 domain controller in an office domain, we can not use the 2012 domain controller to browse to the objects in the licensing domain.  It never asks for credentials for the licensing domain when we specify the objects we want to add
  from the licensing domain.  I simply states that the object can not be found.  When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that
  is logged on and this is failing since this user has no rights in the licensing domain.  I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has.  Can somebody tell me why this is happening
  and how to correct it?

  Hi,
  Based on my research, this is a known issue in Windows Server 2012 R2.
  According to the article below: “The Selective Authentication feature of selective trusts is
  not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.
  Release Notes: Important Issues in Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn387077.aspx
  Best Regards,
  Amy Wang

• Office 2007 + Custom template (dot/dotm files) on terminal server -- issues

  We are trying to transition to a terminal server + thin-client setup.
  The TS runs Server 2008 R2, and the Office version is 2007 (for compatibility reasons -- we have a lot of macros etc that won't run with Office 2010).
  The normal.dotm for Office, Excel & Word are customised in order to insert custom macros, font styling etc. A batch file runs on logon, copying the custom normal.dotm files from a network share to the local computer's C: drive in a folder called "Templates".
  So it'd copy the data from "\\SERVER1\share\normal.dotm" to "C:\templates\" on the machine.
  Then, a GPO would re-direct the location for the normal.dotm file from the default location to the new location (i.e. C:\Templates\) from above. This allowed updating of custom macros etc to all computers on the net. It was messy, but it worked.
  Now that we're wanting to transition to terminal server, we're having an issue where the script still works, however when closing Outlook / Excel / Word, users are receiving a message stating "The file normal.dotm is in use".
  I'm guessing what's happening is, the first person to log on to the Terminal Server and launch their instance of Outlook/Word/Excel is getting an exclusive handle to this file; And subsequently launched instances get this error.
  There is nothing _wrong_ with the system per se -- everything works, however every time an Office app is closed, the user gets the annoying message.
  What is the correct solution to this? Is there a cleaner way to deploy macros/styling settings rather than modifying normal.dotm? Another solution I can think of is to create a copy of the templates/normal.dotm for every single user in their %AppData% folder
  and tell Office to use the %AppData% copy -- but this would mean as many copies of the templates as there are users which doesn't seem like a very clean solution.
  I'm open to suggestions and insights on the cleanest and most efficient way to solve this problem.

  Hi
  update to this issue from my side:
  We opened a Support call for this issue and got it solved.
  The SQL script to recreate a fresh Enterprise Global (eglobal.SQL) does not exist for Project Server 2013 currently. But the support created one for us. So if someone has this issue, contact Microsoft Support, they will provide you the script.
  Kind regards
  Christoph
  Christoph Muelder | Senior Consultant, MCTS, MCSE, MCT | SOLVIN information management GmbH, Germany

• How to deal with the extremely big *.ost files in a Terminal Server environment which is running out of space

  Hi,
  Our Terminal Server is running out of hard disk space, and the major files which occupy most of the space are *.ost files of the Outook, which come form the users which use the Terminal Server all the time through remote desktop. The Outlook is installed
  on the Terminal Server and various users can use it.
  What would be a solution in this case. Is there a way to limit the size of the *.ost files? I read in forums that having the Outlook 2010 set up in Cached Exchange Mode isn't the best practice for an environment where the hdd space is a major constraint.
  What do you suggest?
  Thanks,

  Is the Exchange server local or remote? If it's local then it might be worth considering disabling cached mode, since the traffic will be going over the local network and therefore having the data cached becomes much less useful. If it's a remote exchange
  server then realistically turning off cached mode would likely make it unusable.
  If Exchange is remote then other than increasing the available storage, another option might be to upgrade your Outlook / Office installation to 2013. In Outlook 2013 you can configure how much of the users mailbox is cached in terms of time, so for instance
  you could set it to only cache the last 6 months worth of mail, and then all recent messages would continue to be quick to view, but older messages that are less likely to be accessed frequently would have to be downloaded from Exchange each time since they
  would no longer be cached.

• Use batch file to determine if computer is a terminal server

  Hello experts,
  I am trying to create a batch file that I can use to install MS Office 2013 and another software on Windows Server 2003 R2,
   Windows Server 2008 R2, and Windows Server 2012 terminal servers (Remote Desktop Services) via GPO. The installation files are NOT
   "msi" files.  Can you please tell me how I can use command line in a batch or script file to determine if a machine is a terminal server or not? I tried the Change user /query command on a Windows Server 2008 R2
  terminal server and a Windows 7 machine and both machines returned the following status
  Application EXECUTE mode is enabled.
  which will be a problem because the installation batch file would treat the Windows 7 machines as a terminal server when it's not really a terminal server.
  Basically, I want the batch file to check to determine if the machine is a terminal server. If it is a terminal server, then it would run change user /install, install the software, reboot server, then run change user
  / execute.  Your help will be greatly appreciated.

  Hi,
  For Office 2013 there should not be any concerns since it is windows installer based and things will be handled automatically.  For the other software you could simply put the session in install mode in every case.  For the servers/workstations
  where install mode doesn't apply the change user /install and change user /execute will simply fail without any harmful effects.
  You may check whether or not the machine is a terminal server using WMI, for example:
  wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TerminalServiceSetting Get TerminalServerMode
  0 = Remote Administration mode (not a RDSH/TS)
  1 = Application Server mode (aka RDSH/Terminal server)
  -TP
  When I run the command from the command line, it works, but when I try it in a "IF" statement, nothing happens.  I am I doing something wrong using the wmic code in the IF statement?

• Trust ALL root Certifications in Windows not working for non-Admins on Terminal Server

  I have been trying to setup a verification process that will allow us to us Active Directory Certifications to verify signatures. I have finally found the setting to use the Windows Store after not getting Adobe to query our Certificate Authority. It works great on our local desktop where users have Admin access, but when users do it on our Terminal Server it does not allow it. I thought the issue was access to a configuration file in the Adobe directory, but I found the setting in the Registry set correctly. But does not work correctly. One additional note is I had noticed that after I enabled it on a Non-Admin, is Adobe would say it crashed after I shut it down.
  My question is what type of privilege do you need, or maybe Adobe need to access the Windows Cert Store from a Terminal Server with a non-Admin because it is not validating after confirming the Setting is enabled.
  Thanks,
  Donavan  

  hello, since version 26 firefox is able to auto-update on windows even for non-admin users (when the mozilla maintenance service is getting installed in the original configuration): http://www.mozilla.org/en-US/firefox/26.0/releasenotes/#whatsnew
  those would be the auto-updates provided by mozilla directly - so i'm not sure if this is something that would fit in your environment. installing the .exe file of a new version (available at [https://www.mozilla.org/firefox/all/]) on top of an older version will also update the program.

• Terminal Server User license file not found or User ID not matched.

  Hi,
  I recently went for the Process Runner, downloaded trial version and wanted to work with Ides system, but at the very first step the system throws the following error:
  "Terminal Server User license file not found or User ID not matched.
  and the details are as follows:
  Process Runner 2008
  Version : 4.20.10
  Supported file version: 7.3
  Current Framework: 2.0.50727.42
  User Name: Demo User
  Licensed  To: Demo Company
  Product Id : PR-ALL-DR-MTH-CU
  Full Version : 4.20.10.9579
  Current UserID : Administrator
  License Type : Evaluation/Demo License
  Evaluation Days : 1 of 30
  Licensed Uses : 5 of 15
  Expiration Date : 12/31/2011
  COMPANY : Demo Company
  MAX_ROWS : 30
  MAX_THREADS : 3
  USER : Demo User
  Current Node Id : DAAB-AA43-58DB-00DB-4862
  Max Instances Allowed : N/A
  OS-Office culture info : en-US | en-US | en-US | en-US
  C-Info : en-US
  Computer : SAPSERVER
  Current Domain : WORKGROUP
  OS : Microsoft Windows NT 5.2.3790 Service Pack 1
  AppPath : D:\Vijj downloaded\Process Runner
  MyDocPath : C:\Documents and Settings\Administrator\My Documents\Innowera
  Terminal Server User license file not found or User ID not matched.
  Can anybody guide me please.
  Thanks.

  Hi,
  According to the error message, please use performance monitor to diagnose if it is a memory-related bottleneck and you can use the counters of the memory part in the article below:
  https://technet.microsoft.com/en-us/magazine/2008.08.pulse.aspx
  In addition, it may be due to thousands of open connections to the server are in a TIME_WAIT state. You can run "netstat -an" command on the affected server and client. If you see mutiple connections in the TIME_WAIT state, you can follow the article
  to increase the number of TCP/IP connections:
  https://msdn.microsoft.com/en-us/library/ee377084(v=bts.70).aspx
  Furthermore, if you are running windows server 2003, please make sure that you have installed the KB 948496 and stop all services that you don't need.
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• AD RMS across forests with external AD trust

  The RMS servers is deployed in the resource AD forest abc.com . My client also wants to let the users in other AD forests to use the RMS services. However, they only have “external trust” type with
  the resource AD. I can find Microsoft document to support the “forest trust” scenario.
  http://technet.microsoft.com/en-us/library/ee918789%28v=ws.10%29.aspx
  But I cannot find any document that Microsoft will support the “external trust” scenario. Can anyone confirm whether this scenario work and any potential issue?
  Do note that we already deployed FIM for directory synchronization. There are contact objects in the resource forest to present users/groups in the account forests.
  William Yang

  Hi William,
  "Only one Active Directory Rights Management Services (AD RMS) root cluster is permitted in each forest. If your
  organization wants to use rights-protected content in more than one forest, you must have a separate AD RMS root cluster for each forest. " 
  Ref. http://technet.microsoft.com/en-us/library/dd772648(v=ws.10).aspx
  So if you want to use two forests with ADRMS, deploy it to each forest and create TUD or TPD. Also you
  can think of having federation services with ADFS together with ADRMS.
  Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.