Parent child domain best practice

Similar Messages

• Parent/Child Domain

  I have a parent/child domain structure. The parent domain consists of domain controllers in three different locations (HO1, HO2, HO3). I have set Sites and Services up so that each remote VPN site (Child domain) has a site link to HO1 and HO2 only. When
  I attempt to ping the parent domain name from a site server it sometimes resolves to HO3 and times out as there isn't an active VPN tunnel between the 2. My question is why would HO3 be replying when it doesn't have a site link to the remote site and in turn
  how can I stop that from being the domain controller that replies?
  Thanks for any advice
  Chris

  Hi,
  To add, Mr. Ace got a good blog regarding Site and Site links, see if it could help here:
  AD Site Design and Auto Site Link Bridging, or Bridge All Site Links (BASL)
  http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
  Best regards
  Michael
  If you have any feedback on our support, please click
  here.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Problems with Centralized No Delegation DNS with forest wide replication in a Parent-Child domain

  Hi,
  I have a parent domain "parent" with a child domain "child" as shown below. There are no delegations and DNS replication is set to forest wide DNS replication for both the child and parent zone. I've read that forest wide replication
  in this scenario is not recommended, but no one explains why.
  Also, running "dcdiag /test:dns" produces the warning below (expected as child is not a DNS zone)
   (test:basic (Basc))
  Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
  I'm looking at upgrading the domain, then forest functional level to 2008, but want to ensure that this DNS config doesn't cause any issues.
  Hoping someone can advise.
  The only thing I've noticed is that some SRV records for DCs are not up to date when viewed from other DCs (dns diagnostics and event logs report OK) and all else seems OK.
  Thanks
  IT Support/Everything

  Hey Aetius2012, So I am a little confused
  What is the current domain/forest functional level?
  Normally I would expect to see three dns forward lookup zones in a 2 domain (Parent/Child) environment
  2 zones if the domain/forest level is 2000/2003 where the _msdcs zone has not been moved to its own forward lookup zone - see image below
  In your environment I would expect to see 3 zones (_msdcs.parent.com, parent.com, child.parent.com) on every domain controller because all zones are replicated forest wide.
  I would also expect to see 2 delegation records under the parent.com for _msdcs and child
  I know you stated there was no delegations, and would like to understand better by what you mean. Not saying that anything is configured wrong just trying to get clarification on your environment to give you the best answer from the community as possible.
  Thanks

• User Folders in a Parent / Child Domain Structure

  Hi,
  I have a forest setup with a parent and 3 child domains.
  We have a DFS share setup for home folders.
  I used Group Policy to create the User's share folders, map the drive, and setup folder redirection.
  Each user has a separate ID for each domain.
  The desire is for each user to be able to use the same \\parent.com\home\%logonuser% share path from each domain in order to access files from any domain, and have privacy from other users doing so.
  The problem I have is, after "child1\JohnD" signs into a workstation on domain CHILD1.com, his folder is created at "\\parent.com\home\JohnD" and mapped.
  But if child2\JohnD then signs into domain CHILD2.com, he does not have permissions to map the drive.
  I realize why, but I'm wondering if anyone can think of a way to change this setup so that parent\JohnD, and child1\2\3\JohnD, all have rights to map and use the same Home Folder.
  Having domain specific home folders has been shot down.
  Giving all shares EVERYONE access has been shot down.
  Open to other suggestions.
  Thanks!
  -Matt
  There's no place like 127.0.0.1

  You might want to try creating a script that will grant the required rights to both user accounts using Powershell: http://blogs.technet.com/b/heyscriptingguy/archive/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions.aspx
  Once you create the script, you can schedule it using Task Scheduler.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile
  Interesting.  I've been playing with this module off and on today.  From what I can tell, this would have to be scripted to some sort of function like this:
  dir \\parent.com\dfshome | Get-NTFSAccess
  For each dir in "\\parent.com\dfshome", set $folder
  For each $folder where account = "childx\User", set $User
  For each $User, Add-NTFSAccess: child1\$user, child2\$user, and child3\$user
  (head scratch)
  I'll give it some more thought. :)
  Thanks!
  There's no place like 127.0.0.1

• Webaccess Domain Best Practice

  With GroupWise 8, best practice was to put the Webaccess domain on the same server as Webaccess. While designing our GW 2014 system security is much more important. In efforts to make GroupWise more secure, I don't think I like the idea any longer putting a secondary domain on a host that has direct internet access.
  What are other people doing?

  Thanks
  >>> On 2/2/2015 at 3:56 PM, magic31<[email protected]> wrote:
  kwhite;2345909 Wrote:
  > With GroupWise 8, best practice was to put the Webaccess domain on the
  > same server as Webaccess. While designing our GW 2014 system security
  > is much more important. In efforts to make GroupWise more secure, I
  > don't think I like the idea any longer putting a secondary domain on a
  > host that has direct internet access.
  >
  > What are other people doing?
  In short, no need for a secondary domain on the WebAccess server. I
  haven't done so since GroupWise 2012. As a note, it was not a necessity
  with GroupWise 8 and lower, as you could install the WebAccess agent on
  a server that was running on the LAN, and only install the
  WebApplication on the server in the DMZ.
  One main thing that has changed with WebAccess, as of GroupWise 2012, is
  that the WebAccess application doesn't make use of gwinter anymore
  (meaning there's no more Web Access agent component in 2012 and 2014).
  It's now a standalone (client) component that talks directly to the
  POA(s).
  So all you need is a SLES or Windows server in the DMZ and install and
  configure the WebAccess component on that.
  There are also no more eDir counterparts for WebAccess. All that is
  needed is a port opened to the POA's (for SOAP, which defaults to 7191)
  and since 2014 also port 8500 needs to be opened from POA(s) to the
  server running WebAccess. 8500 is needed for the auto refresh
  functionality that's new in WebAccess 2014.
  Cheers,
  Willem
  Knowledge Partner (voluntary sysop)
  magic31's Profile: https://forums.novell.com/member.php?userid=2303
  View this thread: https://forums.novell.com/showthread.php?t=481627

• Prevent Active Directory Parent Domain Admins from accessing Child Domain

  We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
  Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
  Thanks in advance for input and advice!
  Best regards.

  Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
  parent.parentdomain.com
  child1.parentdomain.com
  child2.parentdomain.com
  child3.parentdomain.com
  We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
  1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
  2.) Promote a Child.parentdomain.com user to Enterprise Admin?
  Thanks sorry for the confusion.
  Ah ok.
  Yes, you can. the answer is the same basically. The group membership is what counts. So in the child domain, remove the enterprise admins group from the child domain admins groups. OR make sure the domain admins of the forest root are not members of the
  enterprise admins group. that way they are still only admins in the parent domain.
  It is really only depending on group members ship and including those groups in the child domain. by default the enterprise group is included for example, but nothing stops you from removing those groups.
  based on the group membership you can also deny them the ability to log on.
  the only thing you cannot prevent is the forest administrator account from doing something.
  One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in.

• Time Sync from Child domain to Parent doamin

  Now the time in our child domain is fast 2 Mins than parent domain, how to sync the time by what command ?

  Hi,
  By default, the PDC Emulator of the Forest Root Domain is considered as the best time source in an Active Directory forest. Other domain controllers
  in the Forest Root Domain use it for time synchronization while domain controllers in child domains use the PDC Emulator or any domain controller from parent domain for time synchronization. Member servers and Workstation use domain controllers in their domain
  for time synchronization. With this hierarchy, we can maintain a reliable time synchronization system that allows avoiding Kerberos failure issues in an Active Directory domain. This configuration is by default in an Active Directory forest and does not need
  to be changed.
  As mentioned by SH.Hashemi, we can run command
  w32tm\resync to resynchronize the clock as soon as possible, disregarding all accumulated error statistics.
  Regarding time synchronization in active directory, the following articles can be referred to for more information.
  Time Synchronization in Active Directory Forests
  https://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
  How the Windows Time Service Works
  http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx
  W32tm
  http://technet.microsoft.com/en-us/library/bb491016.aspx
  Best regards,
  Frank Shen

• Separating a child domain from a forest/parent domain

  Our infrastructure is currently as follows:
  There are two domains which I will call "apple.local" and "banana.local". The domain "apple.local" is the parent/forest which is at a Windows 2003 Functional Level. The domain "banana.local" is a child domain of "apple.local"
  which is at a Windows 2008 Functional Level. This unusual arrangement was the result of a merger.
  Recent business changes have meant that the domain "banana.local" needs to become the forest and "apple.local" needs to be permanently retired. I have been searching as to whether this is possible but the general consensus is "no".
  However, many of the discussions are several years old and I am interested in whether anything has changed with recent updates.
  As an added "bonus", a single Exchange 2010 SP3 server is present and - just to complicate things further - is a member of the child domain "banana.local". Mailboxes (shared and user) and DGs from both domains are present. Access to shared
  mailboxes is granted using a mixture of users and security groups from both domains.
  Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
  I am in a position to purchase new servers, software and licenses as required to meet the ultimate goal and - within reason - additional expenditure is not an obstacle. We also have the option to create new IP ranges if required.
  Any ideas and/or suggestions welcomed!

  Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
  It is not possible to detach a child domain from its parent. One of the things you can do is to create your domain and establish trusts between them and migrate resources from old domain to the new domain. Note that computer account migration will take some
  time. For exchange part you can ask in Exchange forums but the one thing you can do is to Cross-Forest mailbox move after you set up the new forest.
  Exchange 2010 Cross-Forest Mailbox Moves
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Best practices of having a different external/internal domain

  In the midst of migrating from a joint Windows/Mac server environment to a completely Apple one. Previously, DNS was hosted on the Windows machine using the companyname.local internal domain. When we set up the Apple server, our Apple contact created a new internal domain, called companyname.ltd. (Supposedly there was some conflict in having a 10.5 server be part of a .local domain - either way it was no worries either way.) Companyname.net is our website.
  The goal now is to have the Leopard server run everything - DNS, Kerio mailserver, website, the works. In setting up the DNS on the Mac server this go around, we were advised to just use companyname.net as the internal domain name instead of .ltd or .local or something like that. I happen to like having a separate local domain just for clarity's sake - users know if they are internal/external, but supposedly the Kerio setup would respond much better to just the one companyname.net.
  So after all that - what's the best practice of what I should do? Is it ok to have companyname.net be the local domain, even when companyname.net is also the address to our external website? Or should the local domain be something different from that public URL? Or does it really not matter one way or the other? I've been running companyname.net as the local domain for a week or so now with pretty much no issues, I'd just hate to hit a point where something breaks long term because of an initial setup mixup.
  Thanks in advance for any advice you all can offer!

  Part of this is personal preference, but there are some technical elements to it, too.
  You may find that your decision is swayed by the number of mobile users in your network. If your internal machines are all stationary then it doesn't matter if they're configured for companyname.local (or any other internal-only domain), but if you're a mobile user (e.g. on a laptop that you take to/from work/home/clients/starbucks, etc.) then you'll find it a huge PITA to have to reconfigure things like your mail client to get mail from mail.companyname.local when you're in the office but mail.companyname.net when you're outside.
  For this reason we opted to use the same domain name internally as well as externally. Everyone can set their mail client (and other apps) to use one hostname and DNS controls where they go - e.g. if they're in the office or on VPN, the office DNS server hands out the internal address of the mail server, but if they're remote they get the public address.
  For the most part, users don't know the difference - most of them wouldn't know how to tell anyway - and using one domain name puts the onus on the network administrator to make sure it's correct which IMHO certainly raises the chance of it working correctly when compared to hoping/expecting/praying that all company employees understand your network and know which server name to use when.
  Now one of the downsides of this is that you need to maintain two copies of your companyname.net domain zone data - one for the internal view and one for external (but that's not much more effort than maintaining companyname.net and companyname.local) and make sure you edit the right one.
  It also means you cannot use Apple's Server Admin to manage your DNS on a single machine - Server Admin only understands one view (either internal or external, but not both at the same time). If you have two DNS servers (one for public use and one for internal-only use) then that's not so much of an issue.
  Of course, you can always drive DNS manually by editing the zone files directly.

• Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

  So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2.  Here is my scenario:
  1.  I want to setup the domain controller at Site A where the primary domain controller is located.  The primary domain controller is Windows Server 2008 R2. 
  2.  Once the DC is setup I plan on leaving it on our network for a few days before shipping it to remote Site B for installation
  Other key items:
  1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel.  All the DCs that replicate with each other are on the same domain. 
  2.  The 2012 DC that I setup for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A
  Questions:
  1.  What items can I setup while it's at Site A without effecting or conflicting with the existing network and domain controller?  Can I setup a scope once the DHCP role is added? 
  2.  All of our DCs replicate through Sites and Services, do I have to manually add this to our primary DC for the new DC going to remote Site B?  Or when does this happen automatically when I promote the DC? 
  All and all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide.  Any help would be appreciated. 

  Hi,
  Thanks for your posting.
  When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
  For more and detail information, please refer to:
  Best Practices for Adding Domain Controllers in Remote Sites
  http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
  Regards.
  Vivian Wang

• DNS best practice in local domain network of Windows 2012?

  Hello.
  We have a small local domain network in our office. Which one is the best practice for the DNS: to setup a DNS in our network forwarding to public DNSs or directly using public DNS in all computers including
  server?
  Thanks.
  Selim

  Hi Selim,
  Definately the first option  "setup a DNS in our network forwarding to public DNSs " and all computers including server has local DNS configured
  Even better best practice would be, this local DNS points to a standalone DNS server in DMZone which queries the public DNS.
  Using a centralized DNS utilizes the DNS cache to answer similar queries, resulting in faster response time, less internet usage for repeated queries.
  Also an additional DNS layer helps protect your internal DNS data from attackers out in the internet.
  Using internal DNS on all the computer will also help you host intranet websites and accessibility to them directly. Moreover when you are on a AD domain, you need to have the computers DNS configured properly for AD authentication to happen.
  Regards,
  Satyajit
  Please “Vote As Helpful”
  if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• Best Practice for VPC Domain failover with One M2 per N7K switch and 2 sups

  I Have been testing some failover scenarios with 4 nexus 7000 switches with an M2 and an F2 card in each. Each Nexus has two supervisor modules.
  I have 3 VDC's Admin, F2 and M2
  all ports in the M2 are in the M2 VDC and all ports on the F2 are in the F2 VDC.
  All vPC's are connected on the M2 cards, configured in the M2 VDC
  We have 2 Nexus representing each "site"
  In one site we have a vPC domain "100"
  The vPC Peer link is connected on ports E1/3 and E1/4 in Port channel 100
  The peer-keepalive is configured to use the management ports. This is patched in both Sups into our 3750s. (this is will eventually be on a management out of band switch)
  Please see the diagram.
  There are 2 vPC's 1&2 connected at each site which represent the virtual port channels that connect back to a pair of 3750X's (the layer 2 switch icons in the diagram.)
  There is also the third vPC that connects the 4 Nexus's together. (po172)
  We are stretching vlan 900 across the "sites" and would like to keep spanning tree out of this as much as we can, and minimise outages based on link failures, module failures, switch failures, sup failures etc..
  ONLY the management vlan (100,101) is allowed on the port-channel between the 3750's, so vlan 900 spanning tree shouldnt have to make this decision.
  We are only concerned about layer two for this part of the testing.
  As we are connecting the vPC peer link to only one module in each switch (a sinlge) M2 we have configured object tracking as follows:
  n7k-1(config)#track 1 interface ethernet 1/1 line-protocol
  n7k-1(config)#track 2 interface ethernet 1/2 line-protocol
  n7k-1(config)#track 5 interface ethernet 1/5 line-protocol
  track 101 list boolean OR
  n7k-1(config-track)# object 1
  n7k-1(config-track)# object 2
  n7k-1(config-track)# object 5
  n7k-1(config-track)# end
  n7k-1(config)# vpc domain 101
  n7k-1(config-vpc-domain)# track 101
  The other site is the same, just 100 instead of 101.
  We are not tracking port channel 101, not the member interfaces of this port channel as this is the peer link and apparently tracking upstream interfaces and the peer link is only necessary when you have ONE link and one module per switch.
  As the interfaces we are tracking are member ports of a vPC, is this a chicken and egg scenario when seeing if these 3 interfaces are up? or is line-protocol purely layer 1 - so that the vPC isnt downing these member ports at layer 2 when it sees a local vPC domain failure, so that the track fails?
  I see most people are monitoring upstream layer3 ports that connect back to a core? what about what we are doing monitoring upstream(the 3750's) & downstream layer2 (the other site) - that are part of the very vPC we are trying to protect?
  We wanted all 3 of these to be down, for example if the local M2 card failed, the keepalive would send the message to the remote peer to take over.
  What are the best practices here? Which objects should we be tracking? Should we also track the perr-link Port channel101?
  We saw minimal outages using this design. when reloading the M2 modules, usually 1 -3 pings lost between the laptops in the diff sites across the stretched vlan. Obviously no outages when breaking any link in a vPC
  Any wisdom would be greatly appreciated.
  Nick

  Nick,
  I was not talking about the mgmt0 interface. The vlan that you are testing will have a link blocked between the two 3750 port-channel if the root is on the nexus vPC pair.
  Logically your topology is like this:
      |                             |
      |   Nexus Pair          |
  3750-1-----------------------3750-2
  Since you have this triangle setup one of the links will be in blocking state for any vlan configured on these devices.
  When you are talking about vPC and L3 are you talking about L3 routing protocols or just intervaln routing.
  Intervlan routing is fine. Running L3 routing protocols over the peer-link and forming an adjaceny with an router upstream using L2 links is not recommended. Teh following link should give you an idea about what I am talking here:
  http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
  HSRP is fine.
  As mentioned tracking feature purpose is to avoid block hole of traffic. It completely depends on your network setup. Don't think you would be needing to track all the interfaces.
  JayaKrishna

• Disabling IPv6 on 2008R2 Domain Controllers... Best Practice?

  At the end of last year I had a call with Microsoft Support in which I spoke with a member of the Directory Services team regarding an issue.  The issue was resolved with no further problems, but while conversing with the Technical Support Engineer
  I queried him on another issue regarding a second copy of our DNS zone in Active Directory.  He looked at it (remoted in via RDP) then looked at my NIC properties and stated that the reason it happened is because we are running IPv6 on our DCs. 
  I told him we do that on all our servers. (leave IPv6 enabled.)  He then stated that we should not do that, expanding by saying that "Microsoft is in the process of rewriting documentation as IPv6 is no longer supported on Domain Controllers."    
  Needless to say I could not believe this.  I told him how Exchange on an SBS server cannot have IPv6 disabled as the server will stop booting, but he was very adamant about it; he even put me on hold for 10 minutes then came back saying he confirmed
  that this is the case and spoke with the "Documentation Team" and the new Best Practices would be released within the next month. In the meantime he recommended I disable IPv6 on all my DCs. (I work in Consulting so that's a lot of DCs at various different
  business entities.)
  I didn't believe him then, and I don't believe him now.  Reviewing the FAQ linked through http://support.microsoft.com/kb/929852  Says that Microsoft does not recommend disabling IPv6.  Of course no documentation ever came out, nor have I
  found anything to agree with his statements. (we solved the duplicate partition issue ourselves.)
  I just wanted to post here and see if anyone else has heard of this, maybe I'm the one not up and up on my info.  Has or does Microsoft plan on reversing course on the new IPv6 technology that 2008 and up are built on?  I would think that quite
  preposterous!
  Thanks,
  Christopher Long
  Science is a way of thinking much more than it is a body of knowledge. -- Carl Sagan

  There are cases where you DO WANT to disable IPv6 on a domain controller. 
  Example: you have an IPV4 network and do not have IPV6 deployed. In this case if you are not using IPv6 but leave it enabled than Windows will assign itself an IPv6 at random via the APIPA process. That IP address can and does change when you reboot the
  server.... So I bet you see the problem here. 
  If you build a domain controller with IPv6 enabled - it will register it's IPV6 address in DNS as offering AD services. Then when you reboot that domain controller and that address changes - BOOM. AD comes crashing down. AD relies heavily on DNS. Windows
  thinks it's smarter than you and registers it's IPv6 address obtained via APIPA in DNS. Now that's a problem. Particularly because Win Server 2008+ prefer IPV6 over IPV4 networks. So communication can blow up even if a valid IPv4 network is available. 
  So yes - there are instances where you do want to - in fact need to - disable IPv6 on domain controllers. Microsoft's documentation does not reflect this but it should. At a minimum if they want you to leave it on they should at least remind you to set a
  static IPv6 address if you're running an IPv4 network. 
  (ask me how I know all this over a beer some time)
  I opted to just disable it. Despite MS's documentation warning of the contrary - I've seen no adverse impacts. Exchange, Sharepoint, AD, etc. all humm along fine. 

• Running Best Practice Analyzer on remote 2008 R2 domain controllers

  Hello Powershell World,
  I'll start out by first mentioning that I am a powershell rookie so I gladly welcome any input to help me improve or work more efficiently.  Anyway, I recently used powershell to run the best practice analyzer for DNS on all of our domain controllers.
   The way I went about was pretty tedious and inefficient but still got the job done through a series of one-liners and exported the report to a UNC path as follows:
  Enable-PSremoting -Force (I logged into all of the domain controllers individually and ran this before running the one-liners below from my workstation)
  New-PSSession -Name <Session Name> -ComputerName <Hostname>
  Enter-PSSession -Name <Session Name>
  Import-Module bestpractices
  Invoke-BPAModel Microsoft/Windows/DNSServer
  Get-BPAResult Microsoft/Windows/DNSServer | Select ModelId,Severity,Category,Title,Problem,Impact,Resolution,Compliance,Help | Sort Category | Export-CSV \\server\share\BPA_DNS_SERVERNAME.csv
  I'm looking to do this again but for the Directory Services best practice analyzer without having to individually enable remoting on the domain controllers and also provide a lsit of servers for the script to run against. 
  Thanks in advance for all your help!

  What do you mean by "without having to individually enable remoting "?
  You cannot remote without enabling remoting.  You only need to enable remoting once.  It is a configuraiton change.  If you have done it once you do not need to do it again.
  Here is how to runfrom a list of DCs.
  $sb={
  Import-Module bestpractices
  Invoke-BPAModel Microsoft/Windows/DNSServer
  Get-BPAResult Microsoft/Windows/DNSServer |
  Select ModelId,Severity,Category,Title,Problem,Impact,Resolution,Compliance,Help |
  Sort Category |
  Export-CSV "\\server\share\BPA_DNS_$env:COMPUTERNAME.csv"
  Invoke-BPAModel Microsoft/Windows/DirectoryServices
  # etc...
  ForEach($dc in $listofDCs){
  Invoke-Command -ScriptBlock $sb -Computer $dc
  ¯\_(ツ)_/¯

• What is the best practice for genereating seq in parent

  I'm wondering what the best practice is for generating seq in parent.
  I have the following tables:
  invoice(id, date, ...)
  invoice_line(invoice_id, seq, quantity, price ...)
  There are shown in 1 uix displaying invoice in form layout and invoice lines in tabular layout.
  Now I like the seq automaticaly generated by ADF Business Components, not enterable by the user.
  The 1st record within each invoice should get seq 1.
  Regards,
  Marcel Overdijk

  Marcel,
  I think best practices is to create a database trigger on the tables that obtains the sequence number from a database sequence on insert.
  In JDeveloper assign DBSequence as a type to the attribute representing the sequence field in the EO. ADF BC then assigns a temporary value to it. The real sequence number then gets added on submit.
  If you want to have IDs that don't miss a single number, then database seuqences may not be a good option. In this case you would use the table trigger to implement your own sequencing.
  Frank