Moving SP2013 and SQL2008R2 to new domain - no trusts between domain
Hello,
I'm looking to move a customized installation of SharePoint 2013 (Microsoft server 2012 std VM) and its db (SQL 2008 r2 VM) from one domain to another domain. There will be no trust between the domains and assume that no users or service accounts will be migrated. Has anyone performed a similar operation? If so, can you provide guidance as to the best way to tackle this situation? Currently we plan on exporting the SP2013 VM from the old domain, importing (re-creating) that VM in the new domain and importing the DB to an existing SQL server in the new domain. My concern is being able to log in to Central Admin afterwards because the domain accounts are no longer valid. Should we change all accounts to local admins first, detach the db and change those accounts as well? Or would a totally different approach make more sense? Any help would be appreciated.
Thanks in advance,
Alex
You need to build a new SharePoint farm; changing a SharePoint server's domain membership isn't supported.
What you'll do is build a new farm, create the Web Application(s), etc. and then restore SQL database backups from the old farm into the new farm.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
Similar Messages
-
Problem creating external trust between domains
Hello,
When I try to create one-way incoming external trust between 2 domains (to DomainA from DomainB) in separate forests I get this info:
This domain already has a one-way trust relationshp with specified domain.
But I cannot see it on the list of trusts either incoming or outgoing (in both domains).
For sure trust was never setup before.
In DomainA there are several other external not transitive trusts with other domains. But for sure DomainB does not have any incoming or outgoing trusts on list. Name resolution between domains is OK. I can ping domain name on both sides.
Any help is welcome.
Darek.
Hi,
Were there error events logged in Event Viewer? Besides, did we open necessary firewall ports for creating external trust?
Regarding firewall ports, the following thread can be referred to for more information.
Creating external trust between domain on different forest
http://social.technet.microsoft.com/Forums/en-US/efe56730-ff95-4d6b-b95c-fc2c01ebd2d3/creating-external-trust-between-domain-on-different-forest?forum=winserverDS
Best regards,
Frank Shen
-
Moving out and roommate wants new service in her name... 5 day wait?
Phone/internet/DirectTV are in my name. I am moving out and my roommate would like to have new service in her name. She works a lot from home/is on call and can't be with out internet for any extended period of time. I thought I could schedule termination of my service on one day and she could schedule her new service to start on say the next day. When I called customer service to verify we could do this I was told she would not even be able to put an order in for services until mine were already terminated and it would take at least 5 days from her order date to begin her services. This does not sound right to me. Anyone know if this is true or not?
Please advise if you still need assistance with this issue. I would be happy to assist you.
Vz_Judy
Verizon Support
-
Do I need to enable trust between domains in the following scenario
I have a domain x and domain y on 2 separate machines. My client logs into domain x does stuff and logs out. The same client now logs into domain y and needs to do stuff, but the second domain kicks out the client by throwing an exception saying "invalid subject" etc .. But the same scenario works if I enable trust between both domains or have my client restart. What should I do so that the client can logout of domain x and login to domain y without having to enable trust between domain x and y and without having to restart the client.
Thanks
Prashanth
Hi Mike,
there is no switching circuitry on the UMI, that could disable the Iso Power outputs and there is nothing you need to configure in MAX. If you can't measure a voltage between Iso Power and Iso Common pins on the Dsub outputs, the UMI might be defective (e. g. blown fuse). Please contact your local NI branch for repair options.
Thanks and kind regards,
Jochen
-
Unable to create Trust between domains
Scenario. I am trying to build 2 way trust between two Windows forests abc.com & xyz.com
Highest OS in both domain is Win 2008 R2
FFL and DFL in both is Win2003
I added forwarders in DNS in both - It is resolving
I disabled Antivirus
I stopped Windows firewall in all the DCs of the domains and no n/w level port restrictions is there
I am able to ping to all DCs from each of the DCs in both domains.
Doing above all I am unable to create trust - in the trust wizard it is not identifying Domain names.
Another thing is I have a Primary zone exists in name of each of the domain name. ie In abc.com I have another Primary zone created in xyz.com, Likewise in XYZ.com I have ABC.com primary zone . Will this be an issue?, If not guidelines please...
Hi,
>>In ABC.com I have a Primary zone created as xyz.com, Likewise in XYZ.com I have ABC.com primary zone .
How did you create these Primary zones? Is there a ABC.com zone in ABC.com?
>>I am unable to put Conditional forwarders because I have a Primary zone exists in name of each of the domain name
If there is a DNS zone of another domain then we cannot create a conditional forwarder for the other domain.
Besides, I suggest you check the SRV Records. You can try to restart the netlogon services to re-register SRV records. More specifically, in the command prompt, type net stop netlogon to stop netlogon services, then type net start netlogon to start netlogon services.
Best Regards,
Erin
-
Moving iPod and Library to New Hard Drive
60GB Video iPod, purchased 11/05. Started using it at work (with permission) and spent a lot of weekend time downloading all of my cd's, as I did not have a working computer at home (it had crashed).
02/06, a friend gave me their Dell computer. I purchased Anapod software to begin "the move". Mid-transfer, found out that the computer didn't have enough disk space on the C drive! One techy tells me to get a new external drive. Another techy tells me to get an additional internal drive. I did both! I HAVE PLENTY OF MEMORY NOW!!!
I've tried unsuccessfully to move the library at work to the external drive to take it home and attach it to the home system. I get it moved. I change the settings to tell iTunes to look at that drive, BUT it's NOT WORKING!!!!!
I HAVE TO GET THIS OFF OF MY WORK COMPUTER, AS I KEEP GETTING A LOW DISK SPACE ERROR! HELP!? HELP!? HELP!?
I have seriously had it. I'm ready to just trash everything...but I REALLY don't want to. I've bought several things from iTunes...and I don't want to transfer all my cd's again. I can't take much more of this...two months of pain and suffering is ENOUGH!
Dinie
Dell Windows XP
Well, I don't know about getting that external drive behaving, but I know how you can get the music off your iPod and onto your home machine. Once it's safe on the new computer, you can erase it from the work machine.
1) On the work computer, connect the iPod.
2) Go to Edit>Preferences and choose "iPod"
3) Select "manually manage songs and playlists"
4) Bring the iPod home
5) On the home computer, download "Yamipod" or "PodUtil"
6) Connect your iPod
7) Run Yamipod or PodUtil to remove the songs.
I believe those programs will tell you how to get the music into your new iTunes, but if they don't, let me know and I'll get instructions to you.
-
I installed a new hard drive and partitioned it into 2, P: Pictures: and M: Music: . I moved all my iTunes Files and Folders to the M: drive. Then when I connected my iPhone4 to iTunes it asked if I wanted to create a new sync, I said no but I seemed it couldn't find my old sync file. So I searched my computer for files and folders of iTunes and placed them all into a iTunes folder on the root of M: drive. I need to rebuild the iTunes folder correctly.
I have all the correct items on my iPhone and haven't lost anything. It's just a problem trying to sync. Biggest problem is my music. When I try to sync music there is trouble. I can't seem to remove all music from iPhone and resync. When I thought I did iTunes would say no more music will fit. (Music is normally 70% of my memory on phone and I try and leave 1GB of 16GB free on it).
I want to build the iTunes install on the D:\Program Files (x64)\ since I don't install anything on my SSD drive C: except Windows 7.
How exactly did you move the files or more specifically, what did you move?
The correct way to move the iTunes files is to move the ENTIRE iTunes folder (or copy it) from the original location to the new location.
Once moved, hold Shift while launching iTunes and point it to the new location.
If anything other than the ENTIRE iTunes folder was moved, it needs to be put back in the original location to correct the issues created then moved correctly.
-
Moving playlists and podcast to new machine
How can I move all of my iTunes playlists and podcasts to my new machine? Is there any way of keeping all of the settings the same? Thank you.
Found that Apple's _Mac OS X Advanced System Administration v10.5_ book says that cloning works to migrate between machines. Boot from install DVD after cloning and run disc's upgrade. PPC to Intel requires special consideration - recommended to archive old, demote to stand alone, promote, and finally restore from archive.
If anyone has any experience with this, please report how it worked for you.
-
Moving Projects and Events - Some New Info (to me anyway)
New Info!
Just came across this in the Apple Support site:
http://support.apple.com/kb/HT4740
What this says basically, is that you CAN use Finder to simply move FCP X event folders to remove them from the FCP x lists when working on current projects.
One concern is that the support article is silent on doing the same with FCP X project folders.
Anyone have any insight on that?
My concern there was that what I had seen earlier from Apple and other discussion boards was that a Finder move of events and projects was not secure.
Clearly one can use the FCP x Move Project command to move a project to another drive or to a disk image. However, I am looking for a way that avoids use of a second drive or disk image.
Yes, it should work exactly the same for projects.
One thing I'd highly recommend though is to never do a finder or FCP "move" -- instead do a copy, and then trash (delete) the original once you confirm the copy worked. If, during a "move" command, something unexpected happens, you are vulnerable to losing data.
-
Mac Mail Folder on my Mac - Moving it and contents to new MBP
I have a folder in Mac Mail that is on my Mac. It's an archive of my old emails. I thought if I copied it from Home>Library>Mail>Mailboxes to the same on the MBP I could view them in Mac Mail. Well I was wrong. So how do I move this file over from my old Mac to my new Mac where I can view them in Mac Mail? Thanks.
Drag the old folder onto the new one's Desktop, then in Mail select File/Import Mailboxes, then check Mac OSX Mail on the next screen and select the old mailbox folder.
-
ADFS 3.0 WAP and Non-Claims-Aware Relying Party Trusts
I am attempting to migrate a Windows Claims SharePoint page to ADFS 3.0 (Windows Server 2012 R2) and the WAP (Web Application Proxy) from UAG, but am running into problems when our external users attempt to authenticate. Users from our external domain (call it Domain2.com) have been accessing our SharePoint pages via SAML tokens but when I attempted to move them to the new WAP and off of UAG, they get an http/500 error. The WAP error log gives the following:
Warning Event ID 13016 - Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because there is no UPN in the edge token or in the access cookie
Error Event ID 12027 - Web Application Proxy encountered an unexpected error while processing the request. Error: The specified username is invalid. (0x8007089a).
I presume the Error Event ID 12027 is because there is no UPN in the token and we are using KCD/Kerberos so I need to pass a UPN.
The ADFS server and WAP are joined to Domain1.com. Domain1.com is Active Directory and there is an account for every user in Domain2.com that is allowed access to our SharePoint Sites. These accounts contain the standard info... UPN, Email Address, sAMAccountName, etc. The UPN, Email, and sAMAccountName do not always match the accounts with the Domain2.com accounts; however, we have been using an Active Directory Field labeled employeeNumber that is synchronized on both domains and we have been using a custom lookup based on the employeeNumber in AD.
When logins occur via Domain1.com, no problem, the UPN is pulled from the Active Directory Claim Provider Trust. When a user attempts to access from Domain2.com, we have configured ADFS to forward them to an STS that collects the employeeNumber from Domain2.com via a Web Auth SAML token. We are able to use the SAML token if we use the standard Claims-Aware Relying Party Trust (CARPT) and convert our SharePoint sites to use the trusted URN via PowerShell scripts, but we are trying to retain functionality similar to how we are using UAG so we don't want to change every single SharePoint site to the SAML configuration, hence we are trying to use the Non-Claims-Aware Relying Party Trust (NCARPT).
Problem1: When we are using CARPT we can configure the custom translation for our employeeNumber lookup in AD. But CARPT uses SAML Tokens not Kerberos Tokens so we cannot login when SharePoint is configured for Kerberos.
Problem2: When we are using NCARPT it works great when authenticating via local (Domain1.com) credentials and looks up the user in AD, but when we attempt to authenticate with remote (Domain2.com) credentials we are unable to configure the employeeNumber lookup and ADFS doesn't just go out and make that correlation on its own.
Question1: Can I configure CARPT to use Kerberos?
Question2: If not, can I configure NCARPT to lookup the AD employeeNumber, match the UPN, and add the UPN to the token?
Question3: If neither option is available, am I just stuck with UAG or is there something out (not scheduled for EOL) there that can handle the translation between SAML and Kerberos Tokens?
Let me know if I left something out, I tend to ramble, but not sure of all the info that is needed...
Hi,
Based on the description, is there trust between domain 1 and domain 2? If not, we can try to create trust between these two domains to see if it helps.
Regarding Event ID 13016 and Event ID 12027, the following article can be referred to for more information.
Web Application Proxy Troubleshooting
https://technet.microsoft.com/en-us/library/dn770156.aspx
Besides, for ADFS questions, in order to get more and better help, it's recommended that we ask for suggestions in the following forum.
Claim based access platform (CBA), code-named Geneva
https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
Best regards,
Frank Shen
-
ISE using 2 domains with trust established
Hi,
I need to authenticate wireless network users from two different domains
abc.company.com
cde.company.com
There is trust between domains and ISE joined abc.company.com and it can authenticate and authorize users without issues.
Users from cde.company.com cannot be authenticated (I don't even get to authorization part).
My identity source list has only External ID listed and when I see what is the reason of failure, message states that Authentication has failed (not authorization) because user cannot be found in any identity listed.
Now, users from abc and cde companies are logging with their usernames only. Should they try to login with cde.company\username or something?
Has anyone done this before?
Thanks.
I have trust. I can get the user information with cde\user and [email protected], but authentication is still not working. So, I see the user, but it is still not being authenticated by the policy.
Here is log:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD-Suffolk
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
12315 PEAP inner method finished with failure
22028 Authentication failed and the advanced options are ignored -
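A triage sketch for the step log posted in the ISE thread above, added here as an example and not part of the original posts or of Cisco ISE: it parses the pasted steps and reports how far the exchange got, which identity store was selected, and the first failing step. The sample is abridged from that log; the failure keywords and the idea that an authorization phase would show up as a header line naming it are assumptions of this example.

```python
import re

# Constructed sample: abridged from the step log posted in the thread above.
SAMPLE_LOG = """\
11001 Received RADIUS Access-Request
Evaluating Service Selection Policy
15004 Matched rule
12300 Prepared EAP-Request proposing PEAP with challenge
12816 TLS handshake succeeded
12313 PEAP inner method started
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD-Suffolk
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
22056 Subject not found in the applicable identity store(s)
22062 The 'Drop' advanced option is configured in case of a failed authentication request
12315 PEAP inner method finished with failure
22028 Authentication failed and the advanced options are ignored -
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.+)$")
FAILURE_WORDS = ("not found", "failed", "failure")  # heuristic, from this log's wording


def parse_steps(text):
    """Split a pasted step log into (code, message); header lines get code None."""
    steps = []
    for raw in text.splitlines():
        line = re.sub(r"\s+-$", "", raw.strip())  # drop a trailing forum separator
        if not line:
            continue
        m = STEP_RE.match(line)
        steps.append((m.group(1), m.group(2)) if m else (None, line))
    return steps


def triage(text):
    """Summarise how far the exchange got and where it first went wrong."""
    report = {"tunnel_ok": False, "inner_method": None, "identity_store": None,
              "first_failure": None, "failed_in": None, "reached_authorization": False}
    section = "Protocol exchange"  # label for steps before any header line
    for code, msg in parse_steps(text):
        if code is None:
            section = msg
            # Assumption: an authorization phase would appear as a header naming it.
            if "authorization" in msg.lower():
                report["reached_authorization"] = True
            continue
        if msg == "TLS handshake succeeded":
            report["tunnel_ok"] = True
        inner = re.search(r"for inner method and accepting (\S+) as negotiated", msg)
        if inner:
            report["inner_method"] = inner.group(1)
        store = re.match(r"Selected Identity Store - (.+)", msg)
        if store:
            report["identity_store"] = store.group(1)
        if report["first_failure"] is None and any(w in msg.lower() for w in FAILURE_WORDS):
            report["first_failure"] = (code, msg)
            report["failed_in"] = section
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the outer PEAP tunnel and inner method negotiation complete, and the first failing step is the directory lookup in the selected identity store, before any authorization phase.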
Global Trust Between WebLogic Domains ?
Hi there,
Need clarification on "Global Trust between weblogic domains "
My scenario :
WebLogic Version installed : 10.3.5.0
Linux physical machines : 2
x - machine
y - machine
Now, I've created new domain with AdminServer , and 2 managed servers on x-machine. And, 2 more managed servers on y-machine.
x-machine --> AdminServer + 2 managed servers
y-machine --> 2 managed servers
Created a cluster for all the 4 managed servers.
My question : Though we have created 2 domains -
Domain 1- on x-machine where we have Admin + 2 nodes
Domain 2 - on y-machine where we have 2 nodes
Now, do we require to create/enable "Global trust" between these domains to communicate? And, enable cross-domain security also? Is this required?
Or in which situations do we require to enable trust between domains?
Can someone explain to me.
Thanks
Looking to this Oracle Doc >> http://docs.oracle.com/cd/E24329_01/web.1211/e24375/basics.htm#BRDGE128
"Typical tasks required to manage a messaging bridge using the Administration Console include
Creating a trusted security relationship. See "Configuring Domains for Inter-Domain Transactions" in Programming JTA for Oracle WebLogic Server"
And, clicking the link to Configuring Domains for Inter-Domain Transactions, there's two types of communications:
Inter-domain—The transaction communication is between servers participating in transactions that are not in the same domain.
Intra-domain—The transaction communication is between servers participating in transactions within the same domain
Check the rest of the doc to know how to configure each type, and apply the one that matches your case.
Hope it helps
Regards,
Mohab
-
Users , Fileservers and DFS root with DFS links in Domain A all work fine.
Each user from Domain A also has credentials and passwords from Domain B.
There is NO trust between Domain A and Domain B, both Domains are in different site connected with VPN-tunnel.
Projectdata is stored at fileservers in both Domains. Now DFS links are added in the Domain A to a fileserver from Domain B
When a user from Domain A connects to a fileserver in Domain B first, he/she gets a prompt to authenticate, then the DFS link to the fileserver in Domain B works.
When users just use the DFS link they get a prompt "not accessible" + "Logon failure unknown user or bad password"
No prompt is given to users from Domain A to enter the credential for Domain B.
We cannot create a trust between these 2 Domains due to other policies.
Hi,
According to your description, there is no trust between domain A and domain B, right?
Based on my research, if there is no trust between domains/forests, then it is not possible to share information across domain boundaries, because without trust, no authentication traffic can be passed across domain/forest.
That is why the user cannot access the file he has rights to access across domain.
Here is an article below for your references:
Trust Technologies
http://technet.microsoft.com/en-us/library/cc759554(v=WS.10).aspx
I hope this helps.
Amy Wang
-
Filter out PeoplePicker results coming from trusted AD domains
We have individuals who have accounts in multiple trusted domains. Thus when a search in PeoplePicker is performed, results will return multiple entries for those individuals.
i.e. Bob has account in main AD domain foo.int and also has an account in trusted AD domain bar.int . Search for Bob in PeoplePicker currently returns both entries which is confusing to users.
We have deprecated the trusted domain and eventually it will go away. However until then we want PeoplePicker to only return results from MAIN domain foo.int.
I believe the correct solution is to setproperty peoplepicker-searchadcustomquery so that PeoplePicker only returns results from the main domain.
I am not sure of the proper syntax and proper AD attribute to use in the property value for this command.
stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv (?????)
(from http://technet.microsoft.com/en-us/library/cc262988.aspx)
Or is there another approach to this problem?
Hi Bruce,
You want to restrict people picker to specific Domain.
You can use the following command:
stsadm -o setsiteuseraccountdirectorypath -url http://<RootSiteURL> -path "<Path to OU>"
Path to OU examples:
Single Domain: DC=DOMAIN, DC=COM
For more information, see Setsiteuseraccountdirectorypath: Stsadm operation (Office SharePoint Server) (http://technet.microsoft.com/en-us/library/cc263328.aspx)
By the way the command you used before can also achieve the goal, what you need to do is specify a correct LDAP filter.
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv <LDAP Filter>
Hope the information can be helpful.
-lambert
Posting is provided "AS IS" with no warranties, and confers no rights.