New Domain in Existing Forest (2008)

Hello All - I can't seem to find exact documentation on the task I want to perform.
Currently we have a Domain of abc.com, I want to create a new domain of xyz.com, create a trust between the two and then slowly migrate everything over.
Can someone point me in the right direction on how to get started on this?
Thank you so much!

Hello,
so the company XYZ has NO OWN domain up and running and will rely on your IT? Then you can go with the migration tools listed above.
Domain rename is a possible option but not quite recommended here in the forums. Also it depends on used OS version and services like Exchange etc.
So please list all used OS versions, server roles and also services like Exchange, SQL etc. that are used, so we can see what the package contains.
And AGAIN, testing is IMPORTANT here, otherwise you may crash the running domain. Testing can even be done with VMs on a powerful computer without buying new hardware only for a lab system. Additionally, you should have a lab quite similar to the production domain.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

Similar Messages

  • Do we need new CALs for adding a new domain for existing users?

    Hi, 
    Our company has setup a new company with domain.  We want to add the new email account to existing mail box.  Do we need new CALs?
    Thanks
    Wilson

    Hi Wilson,
    For license-related questions, it would be better to ask Microsoft Customer Service:
    http://support.microsoft.com/gp/customer-service-phone-numbers/en-gb
    Thanks,
    Simon Wu
    TechNet Community Support

  • Move domain to another forest (forest trust)

    Hello
    I have a forest with many domains , and other forest with a domain. They include a trust set up and working . I would like to have only one forest, but it would need to move that single domain in additional forest, and would like to know if it is possible then
    moving a domain from one forest to another forest in forest trust ?
    Thanks also suggestions stop solve my problem

    You're asking to move the domain itself? No, you can't move the domain. You can create a new domain in the forest you want to consolidate to, and then migrate users and groups to that forest. You'll have to migrate workstations and users and repoint
    applications as well, if needed. And then, you're not really moving them, you are creating new ones and copying properties of those objects. You mentioned a forest trust but all the forest trust allows you to do is to assign/use permissions from one forest
    in another. People speak of moving objects but like I said, for users and groups you're simply creating new ones with the same names, and copying properties over. Computers/servers are joined to the new domain, but it's a new computer account, not one that
    gets moved over.
    You'll need a migration tool to do this smoothly. As Malek mentioned ADMT, yes this is one tool that can do this. It's not necessarily the best or easiest tool, but it's free from Microsoft. There are also other third party tools such as Dell/Quest
    Migration Manager for AD and BinaryTree also has similar tool (there are others out there too). Those two latter tools have the ability to add permissions (ACL entries) to new domain objects, based on the old ACLs from the source domain. This can be a huge
    help for servers and workstations (allows the users to continue to use their same profile after their computer is migrated, and they are using their new user account). Otherwise Windows would just create a new profile when the user logged in with his/her new
    domain account.
    Depending on the size of the domain you want to move (how many objects), this could be a pretty big project. There's a lot going on in a migration, and based on your question, I'd recommend finding help with it if you can. There are a number of companies
    and consultants who specialize in AD migrations, even some consultation for planning could help tremendously.

  • Creating a new domain tree under the forest

    Hi
    I have one primary domain and one additional domain at moment so I want to create a new domain tree under the forest however during the configuration it gives me the below message ?
    the last time I installed without tick marking "Create DNS Delegation" option I had a lot of issue in replication and in DNS between my forest domain and this new tree domain.
    my main question would be:
    1- how to resolve this ?
    2- how to create a manual DNS delegation in Parent zone.?
    please suggest ?

    Hi greeMann,
    This is an expected behaviour and it can be ignored.  The error message occurs because this is the first DNS server so there is not a DNS server available to create the delegation from. 
    If you are not concerned that people in other domains or on the Internet will not resolve DNS name queries for computer names in the local domain, you can disregard the message and click Yes.
    Known Issues for Installing and Removing AD DS
    http://technet.microsoft.com/en-us/library/cc754463(WS.10).aspx
    Regards,
    Rafic
    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

  • DNS lookup on a new tree in an existing forest

    Hi! I have a small question
    I am labbing for an exam, and just created a domain like this
    I was just curious why I cannot resolve the IP address of the DC in wingtiptoys, when I can for the contoso and canberra domains.
    Isn't that supposed to be added automatically in CONTOSO.COM DNS when I created WINGTIPTOYS as a new tree in the contoso forest? I can easily look up CONTOSO and CANBERRA from the WINGTIPTOYS DNS server
    This is what I get testing from the CONTOSO DNS server
    Freddy

    Hi,
    Add a new domain tree in the current forest:
    A new and first DC of the tree -> a new and first domain of the tree -> a new domain tree in the forest.
    To add domain tree wingtiptoys.com to forest contoso.com, there are different choices for DNS:
    1. Both wingtiptoys.com and contoso.com use the same DNS server. Create a new primary zone named wingtiptoys.com and enable dynamic update on the DNS server.
    2. Use different DNS servers; both DNS servers have their own domain's primary zone and the other domain's secondary zone. Copy the zone file by zone transfer.
    3. By default, when you add the first DC for wingtiptoys.com, DNS server is selected and a zone named wingtiptoys.com is automatically created. Transfer is also automatically added and another domain name will be transferred to the first DNS server.
    Here is a test lab which corresponds to condition 1, just for your reference:
    http://social.technet.microsoft.com/wiki/contents/articles/12781.test-lab-guide-mini-module-creating-a-second-forest-and-domain.aspx
    Check to see if the corresponding zone is created, and then do the NSLOOKUP test. If the problem still exists, how do you deploy your DNS server and the zone?
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Creating new Domain by Copying the existing domain

    Hi,
    Is there any way to create a new domain by copying the already existing domain directory and pasting it to another directory in same machine or different machine.
    Can anyone suggest me the configuration file that needs to be updated for new domain name.
    Thanks
    Harish
    Edited by: user10833531 on Dec 2, 2009 7:52 AM

    When you mention "Before posting on forum I have tried this option. I tried again but no luck." do you mean you tried the pack/unpack or template approach and this did not work? Or did you just copy the domain folder, rename it, start the new domain and get errors? Copying the domain may not work 100% (not in the long run). But the pack/unpack or template approach should work pretty much without any errors.
    As mentioned, I would recommend the template approach or pack/unpack. You can provide the internal details and risk factors involved with a hard disk copy of the domain folder and the renaming approach to the client. If the domain copy approach worked, then BEA/Oracle would not have come up with approaches like pack/unpack or the template approach at all in the very first place. Copying the domain folder and renaming may still work, unless you do all regression testing that includes the cluster scenario also and all use cases.
    I would still recommend the pack/unpack or template approach to copy any existing domains.
    Just in case your domain is like a Portal Domain and you deploy portal applications on this domain, then copying the domain will just not work. Every domain is very tightly coupled with ldap files and db tables for any Security Visitor Entitlements and Delegated Admin roles. If it's a pure weblogic server application, these things will not come into the picture. But for Portal, we do have something called the Propagation Tool to migrate a portal app from one domain to another domain. But still the domain cannot be copied and renamed.
    HTH
    Ravi Jegga

  • Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

    Hello everyone,
    I'm managing a multi-domain forest (with 7 sub-domains).  All are working fine except for one.  Through repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed I got both domain controllers of a subdomain (there are only 2 DCs in that
    subdomain), who hadn't replicated with the rest of the forest for more than 60 days.
    According to my research, it's usually recommended to Depromote and repromote the problematic DC to avoid the issue of lingering objects.  In this case, it's both DC of a sub-domain.  Of course, on the others DCs in the forest, I got the event
    ID 2012 "it has been too long since this machine last replicated with the named source machine....". 
     HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
    to a value of 1. 
    As I understand it, this may cause lingering objects to appear (they can be removed with repadmin /removelingeringobjects command with the DSA GUID, naming context, etc..).  So far, I haven't used that registry key yet because of the associated risks.
    I didn't notice any other issue so far.  Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest. (at least, I'm not getting any error in the A.D. Sites
    and Services)
    I added two new DCs for the affected sub-domains, so the number of DCs for that domain went from 2 to 4 DCs.  The two old DCs that hadn't replicated for 60 days are windows Server 2003 and the two new DCs are Server 2008 R2. 
    Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain.  By that, I mean that I
    cannot add an Active Directory Domain Services Connection in Sites & Services console (from a DC in another domain of the forest or even the root domain).  I see all the DCs, including the two old DCs that are server 2003, but not the new ones. 
    I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
    I was wondering what is the best course of action. Is it worthwhile to use the registry key to force replication with the old DCs ?  (and hopefully, the new DCs will get their AD Services connection/replication vector created, so I can depromote
    the old DCs.
    Since the Old DCs from the problematic sub-domain seems to be able to pull the replication from the rest of the forest, does the risk of Lingering object isn't that great ?
    Or is it too risky and I must create a new sub-domain and migrate one way or another the users ? (which would be time-consuming)
    Thanks in advance,
    Adam

    Thanks for the reply.  One of the link had another link to a good article about the use of repadmin :
    So, I ran the command "repadmin /removelingeringobjects " on one of the problematic DCs ().
    For clarity purpose, let's say I used the domain :
    domain = main domain
    subdomain = the domain whose DC are problematic (all of them).
    AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
    Command (the DSA guid is from a DC "clean" in another domain)
    repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
    I got the following message in the event viewer :
    Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
    Source domain controller:
    c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
    Number of objects examined and verified:
    0
    Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
    advisory mode option.
    How should I interpret the message "number of objects examined and verified 0".  Does it mean it just didn't find any object to compare ? (which would be odd IMHO)  Or there is another problem ?
    Thanks in advance,
    Adam

  • New domain new subnet problem

    We were trying to add a new domain tree to our forest/domain with windows 2012 r2 but the promotion of the new domain controller for the new domain tree failed. Everything goes well until the final setup window, but then the new domain controller for the
    new domain tree appears to stuck at "Replicating the schema directory partition" stage... It never ends the "Replicating the schema directory partition" stage!!!
    So I went to the lab (in our Hyper-V) and tried to replicate the problem. I created a new forest/domain and added a new domain tree, the process completed successfully. But then I replicated the same setup but using a different IP subnet for each DC (like our production
    environment), and the SAME HAPPENS again, the setup goes until the final stage and stays forever at the "Replicating the schema directory partition" stage!!!
    At this stage I don't know if the problem is the same that we have in our PRD environment, but the problem has the same behavior. I suspect that the problem has something to do with IPV6 (I see the primary DNS for the NIC primary DNS listed with the IPV6 "::1"
    before the IPV4 address), but i don`t know much about IPV6. I already tried several configurations, I disabled the firewalls in both lab DCs, I removed the IPV6 check option from the NIC  properties from both DCs, I set BOTH DNS to respond only from their
    IPV4, I tried to pre-stage the new domain tree DNS zone in the DC, and so on... Nothing works...
    So the current scenario is:
    Hyper-V physical machine / 2 Private switches (one for each subnet)
    3 VMs
    1 DC - First Domain/Forest / Static IP / DNS IPV4 point to itself / and IPV6 DNS = ::1 / It has the First DNS/Domain Zone and a conditional Forwarder that points to the 2nd DC that is in the other subnet.
    2 DC - This is the one to be added with new domain tree in the existing Forest. Static IP address / DNS point to itself /  and IPV6 DNS = ::1 / also has a conditional Forwarder that points to the 1st DC DNS domain zone that is in the other subnet.
    Between both subnets I have a server that has RAS role to provide routing between both subnets
    From both DCs I can ping each end, I have access to the shares in both ends, DNS appears to be working ok...
    (Note: In one of the tests I created a new primary zone in DC02 to pre-stage the new domain tree zone in DC02 before running the active directory setup in DC02, then I went to DC01 and ping the DC02 by its FQDN, and DC02 replied, however if I try to ping only
    the Primary Zone by its name "newdomaintree.com" it fails in both DCs which is weird to me, I did the same test for the First/Domain DNS Zone in DC01 and it worked ok for both tests, I could ping DC01 by FQDN and ping the "Domain.com" DNS
    zone in both ends ).
    Any thoughts on this one?!
    Thank you.
    Ip Config for the Lab Servers:
    DC01
    PS C:\> IPCONFIG /ALL
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : f1d1-srv-01
       Primary Dns Suffix  . . . . . . . : f1d1.lc
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : f1d1.lc
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-01-47-17
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::3423:7d39:f13b:22e4%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.10.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.254
       DHCPv6 IAID . . . . . . . . . . . : 201332061
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-91-77-A5-00-15-5D-01-47-17
       DNS Servers . . . . . . . . . . . : ::1
                                           10.10.10.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{FFDDBBEF-DD20-4ADD-98B1-B3C6D6BD66FE}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    PS C:\>
    DC02
    PS C:\> ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : f1d2-srv-01
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-01-47-1A
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d562:7f42:6041:30f8%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.20.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.20.254
       DHCPv6 IAID . . . . . . . . . . . : 201332061
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-92-44-F8-00-15-5D-01-47-1A
       DNS Servers . . . . . . . . . . . : ::1
                                           10.10.20.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{545D35C6-250D-41AB-87CD-6FE8FA85E175}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    PS C:\>

    As far as getting the ::1 from being the first resolver go into network properties for ip 6 and modify the address so that both the address and dns are provided via dhcp.  Since you don't have a dhcp server for ip 6 to give a dns record that should
    go away.
    If I understand your output correctly DC2 is the new DC.  Do you have a forwarder to on DC2 so that it can find the zone for the root forest?  My guess is no.  I would recommend that although these two DC's are in different domains that they
    point at each other as primary DNS (For DC 1 you can't point at DC2 until after it has been properly promoted into the forest).
    So to start with change DC2's network settings to point to DC1 or use a conditional forwarder or a secondary zone of the root zone on DC2.
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    Hi Paul
    "As far as getting the ::1 from being the first resolver go into network properties for ip 6 and modify the address so that both the address and dns are provided via dhcp.  Since you don't have a dhcp server for ip 6 to give a dns record that should go away."
    I tried that but it makes no difference for this scenario.
    "If I understand your output correctly DC2 is the new DC.  Do you have a forwarder to on DC2 so that it can find the zone for the root forest?  My guess is no."
    Your guess is wrong - remember, I can validate the credentials at the parent domain, and the setup only freezes at the "Replicating the schema directory partition" stage.
    I tested with forwarders, stub zones, conditional forwarding; IT ALWAYS FAILS at the "Replicating the schema directory partition" stage when the new DC (DC2) is pointing to itself. It only WORKS when it is pointing to DC01.

  • Moving SP2013 and SQL2008R2 to new domain - no trusts between domain

    Hello,
    I'm looking to move a customized installation of SharePoint 2013 (Microsoft server 2012 std VM) and its db (SQL 2008 r2 VM) from one domain to another domain. There will be no trust between the domains and assume that no users or service accounts will be
    migrated. Has anyone performed a similar operation? If so, can you provide guidance as to the best way to tackle this situation. Currently we plan on exporting the SP2013 VM from the old domain, importing (re-creating) that VM in the new domain and importing
    the DB to an existing SQL server in the new domain. My concern is being able to log in to Central Admin afterwards because the domain accounts are no longer valid. Should we change all accounts to local admins first, detach the db and change those accounts
    as well? Or would a totally different approach make more sense? Any help would be appreciated..
    Thanks in advance, 
    Alex

    You need to build a new SharePoint farm, changing SharePoint server's domain membership isn't supported.
    What you'll do is build a new farm, create the Web Application(s), etc. and then restore SQL database backups from the old farm into the new farm.
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • New Domain Controller does not show in our different site's Domain controller's Sites and Services

    Hi,
    We have two sites in our AD environment: OMA site and NY site. We have three domain controllers in our OMA site and two domain controllers in our NY site. All our DCs are Windows Server 2008R2 except one in our OMA site that is 2003R2; the domain
    functional level is also 2003R2.
    We decided to raise our functional level to 2008R2. I added a new domain controller in our OMA site and transferred all FSMOs from the DC that was running 2003R2 to this new domain controller.
    The issue now is that our NY site does not make any connection with the new domain controller in the OMA site. It does not even show it under Sites and Services. I have checked the DNS settings and everything. If you try to replicate the connections
    from the NY site it gives the following error: "The naming context is in the process of being removed or is not replicated from the specific server."
    Can anyone please tell me why this is happening? My brain is just frozen at this moment and I can't figure out why this is happening.

    Just noticed this replication issue has been going on for a while now but we never noticed until I added new DC. here is the error log for the NY site DC.
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          1/4/2014 8:11:40 AM
    Event ID:      2042
    Task Category: Replication
    Level:         Error
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      NORDC1.vertrue.com
    Description:
    It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
     The reason that replication is not allowed to continue is that the two DCs may contain lingering objects.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions
    of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".  If the local destination DC was allowed to replicate with the source DC, these potential lingering object
    would be recreated in the local Active Directory Domain Services database.
    Time of last successful replication:
    2013-05-16 15:26:38
    Invocation ID of source directory server:
    9236ac56-d046-4632-b072-acbe823c5f6c
    Name of source directory server:
    accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com
    Tombstone lifetime (days):
    90
    The replication operation has failed.
    User Action:
      The action plan to recover from this error can be found at
    http://support.microsoft.com/?id=314282.
     If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects
    <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source
    DC> <Destination DC DSA GUID> <NC>".
     If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at
    http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
     If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
     Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between
    DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime
    number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.  Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are
    located immediately.
    Alternate User Action:
    Force demote or reinstall the DC(s) that were disconnected.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
        <EventID Qualifiers="49152">2042</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>5</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2014-01-04T13:11:40.963263500Z" />
        <EventRecordID>38018</EventRecordID>
        <Correlation />
        <Execution ProcessID="660" ThreadID="1596" />
        <Channel>Directory Service</Channel>
        <Computer>NORDC1.vertrue.com</Computer>
        <Security UserID="S-1-5-7" />
      </System>
      <EventData>
        <Data>2013-05-16 15:26:38</Data>
        <Data>9236ac56-d046-4632-b072-acbe823c5f6c</Data>
        <Data>accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com</Data>
        <Data>90</Data>
        <Data>Allow Replication With Divergent and Corrupt Partner</Data>
        <Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
      </EventData>
    </Event>
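
The two replication threads above both turn on the same comparison: time since the last successful inbound replication against the tombstone lifetime (90 days in the Event 2042 text). The following is an added example, not code from any poster or from Microsoft, that performs that check over replication links; the CSV is constructed sample data assumed to follow the column layout of `repadmin /showrepl * /csv`, and the function name, DC names and thresholds are hypothetical.

```powershell
# Added example. $SampleCsv is constructed data in the assumed column layout of
# `repadmin /showrepl * /csv`; DC, site and domain names are made up.
$SampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,NY,NYDC1,"DC=example,DC=com",OMA,OMADC1,RPC,0,0,2014-01-04 07:55:12,0
showrepl_INFO,NY,NYDC1,"DC=example,DC=com",OMA,OMADC2,RPC,412,2014-01-04 08:11:40,2013-05-16 15:26:38,8614
showrepl_INFO,NY,NYDC1,"CN=Configuration,DC=example,DC=com",OMA,OMADC3,RPC,9,2014-01-04 08:00:02,2013-11-01 03:14:00,1722
showrepl_INFO,NY,NYDC2,"DC=example,DC=com",OMA,OMADC4,RPC,3,2014-01-04 08:05:00,0,1256
'@

function Get-ReplicationStaleness {
    # Hypothetical helper: classifies each inbound replication link by how long
    # ago it last succeeded, relative to the forest's tombstone lifetime.
    param(
        [Parameter(Mandatory)] [string]   $Csv,
        [Parameter(Mandatory)] [datetime] $AsOf,
        [ValidateRange(1, 3650)] [int]    $TombstoneLifetimeDays = 90,
        [ValidateRange(0.1, 1.0)] [double] $WarnFraction = 0.5
    )

    $format  = 'yyyy-MM-dd HH:mm:ss'
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::None

    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        # Only rows marked showrepl_INFO are treated as link data.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') { continue }

        $last = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact(
            $row.'Last Success Time', $format, $culture, $styles, [ref]$last)

        if (-not $parsed) {
            # No usable timestamp: the link has never completed a cycle.
            $days  = $null
            $state = 'NeverReplicated'
        }
        else {
            $days = [math]::Round(($AsOf - $last).TotalDays, 1)
            if ($days -gt $TombstoneLifetimeDays) {
                # Deletions may already be garbage collected on one side, so
                # lingering objects are possible (the Event 2042 condition).
                $state = 'ExceededTombstoneLifetime'
            }
            elseif ($days -gt $TombstoneLifetimeDays * $WarnFraction) {
                $state = 'AtRisk'
            }
            else {
                $state = 'Healthy'
            }
        }

        [pscustomobject]@{
            Destination      = $row.'Destination DSA'
            Source           = $row.'Source DSA'
            NamingContext    = $row.'Naming Context'
            DaysSinceSuccess = $days
            Failures         = [int]$row.'Number of Failures'
            LastStatus       = $row.'Last Failure Status'
            State            = $state
        }
    }
}

# The Event 2042 in the thread was logged on 2014-01-04 with a 90-day tombstone lifetime.
$report = Get-ReplicationStaleness -Csv $SampleCsv -AsOf '2014-01-04 08:11:40' -TombstoneLifetimeDays 90
$report | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize

# Links that need lingering-object review (advisory mode first) or a DC rebuild.
$report | Where-Object State -in 'ExceededTombstoneLifetime', 'NeverReplicated'

# On a live forest, pass (repadmin /showrepl * /csv | Out-String) as -Csv and
# read the real lifetime from the tombstoneLifetime attribute of
# CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition.
```

Running this on a schedule and alerting on `AtRisk` catches a stalled link while ordinary replication repair is still possible, before the registry override quoted in the event text is even considered.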

  • AD Migration from one domain to another domain between different Forest.

    Dear Team,
    We have a domain named "test.gov.in" .Now we want migrate all the users,computers,groups,GP ....etc in to our new domain "abc.net".Operating system of the source DC and destination Dc is same (Windows 2003 32 bit)..
    Pls provide me the steps to migrate one  domain to another domain between different forest
    Thanks
    Anurag

    Would agree with Christoffer and migrate using ADFS but before you can do this you will need to set up a trust between the two domains.  Once this has been accomplished then you can run ADMT.
    http://technet.microsoft.com/en-us/library/cc740018(v=WS.10).aspx
    Downloading ADMT is a free tool from Microsoft
    http://www.microsoft.com/en-us/download/details.aspx?id=8377
    ADMT Guide
    http://www.microsoft.com/en-us/download/details.aspx?id=19188
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    I think you mean ADMT and not ADFS :)
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Adding new domain controller under tree domain

    I have one forest root domain, ABC.com, and one tree root domain under this forest, DEF.com.
    I want to add a new domain controller under the tree root domain on Windows Server 2008 R2. I need the steps and the DNS configuration at the forest or domain level.
    Thanks

    If you want to add an additional domain controller to a domain, you should promote the new DC with the primary DNS in the NIC settings of the new DC pointing at the current DC, and once promoted you should point the original IP address NIC settings to the new DC. I am making the assumption that you are using AD integrated DNS.
    http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Migrating Lync 2013 to new domain

    I have a customer who wants to migrate their Lync servers to a new domain.  Is this possible with the existing servers or do I need to backup the config, deploy new Lync servers in that domain and restore the config?  Thanks in advance.

    New SIP domain or a new Active Directory Domain? You can easily add new SIP domains to the environment. You cannot move a Lync Server from one AD domain to another. You would need to migrate users in a cross forest scenario or backup contacts and restore.
    Thanks,
    Richard
    Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com

  • Change domain trust for Forest trust

    Hi
    I have a forest A with 3 domains (1 (root), 2, 3) and I have a forest B with 2 domains (4 (root), 5).
    Presently, I have a domain trust between domains 2 and 5.
    I need to change it to a forest trust. What is the best practice?
    1- Remove the domain trust and create a forest trust?
    2- Create a forest trust, wait a few days, and remove the domain trust?
    3- Create a forest trust and immediately remove the domain trust?
    Do you have a link that explains this?
    Thanks

    Hi,
    Which kind of domain trust have you created? Which kind of forest trust do you want to create?
    A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests.
    Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest trust between two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest.
    In other words, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
    In addition, please make sure that the forest function level is Windows Server 2003 or higher before you create a forest trust.
    Best regards,
    Susie
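
The two checks named in the reply above (forest functional level, and which domain-level trusts already exist) can be read before any trust is changed. This is an added example, not code from the thread; the forest names are placeholders, and it assumes the ActiveDirectory PowerShell module and an account that can read both forests.

```powershell
Import-Module ActiveDirectory

# Placeholder forest root domains (assumptions, not values from the thread).
$ForestRoots = 'forestA.example', 'forestB.example'

function Test-ForestTrustReadiness {
    param([Parameter(Mandatory)][string[]]$ForestRoot)

    # Functional levels below Windows Server 2003 cannot hold a forest trust.
    $tooLow = 'Windows2000Forest', 'Windows2003InterimForest', 'UnknownForest'

    foreach ($root in $ForestRoot) {
        $forest = Get-ADForest -Identity $root -Server $root
        $mode   = $forest.ForestMode.ToString()

        foreach ($domain in $forest.Domains) {
            # Trusts that leave the forest: the existing domain trust shows up
            # here with ForestTransitive = False, a forest trust with True.
            $trusts = @(Get-ADTrust -Filter * -Server $domain |
                Where-Object { -not $_.IntraForest })

            if ($trusts.Count -eq 0) { $trusts = @($null) }
            foreach ($t in $trusts) {
                [pscustomobject]@{
                    Forest           = $forest.Name
                    ForestMode       = $mode
                    MeetsLevel       = $mode -notin $tooLow
                    Domain           = $domain
                    TrustPartner     = if ($t) { $t.Target } else { $null }
                    Direction        = if ($t) { $t.Direction } else { $null }
                    ForestTransitive = if ($t) { $t.ForestTransitive } else { $null }
                }
            }
        }
    }
}

Test-ForestTrustReadiness -ForestRoot $ForestRoots | Format-Table -AutoSize
```

Saving this output before and after the forest trust is created gives a record of which domain-level trusts were in place, so any later removal is a deliberate step.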

  • Separating a child domain from a forest/parent domain

    Our infrastructure is currently as follows:
    There are two domains which I will call "apple.local" and "banana.local". The domain "apple.local" is the parent/forest which is at a Windows 2003 Functional Level. The domain "banana.local" is a child domain of "apple.local" which is at a Windows 2008 Functional Level. This unusual arrangement was the result of a merger.
    Recent business changes have meant that the domain "banana.local" needs to become the forest and "apple.local" needs to be permanently retired. I have been searching as to whether this is possible but the general consensus is "no".
    However, many of the discussions are several years old and I am interested in whether anything has changed with recent updates.
    As an added "bonus", a single Exchange 2010 SP3 server is present and - just to complicate things further - is a member of the child domain "banana.local". Mailboxes (shared and user) and DGs from both domains are present. Access to shared mailboxes is granted using a mixture of users and security groups from both domains.
    Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
    I am in a position to purchase new servers, software and licenses as required to meet the ultimate goal and - within reason - additional expenditure is not an obstacle. We also have the option to create new IP ranges if required.
    Any ideas and/or suggestions welcomed!

    Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
    It is not possible to detach a child domain from its parent. One of the things you can do is to create your domain, establish trusts between them, and migrate resources from the old domain to the new domain. Note that computer account migration will take some time. For the Exchange part you can ask in the Exchange forums, but the one thing you can do is a Cross-Forest mailbox move after you set up the new forest.
    Exchange 2010 Cross-Forest Mailbox Moves
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.
