Problems with Centralized No Delegation DNS with forest wide replication in a Parent-Child domain

Similar Messages

• Active Directory: 2003 to 2012 R2 Upgrade across single forest with child domains

  I just have a quick questions about something that should be simple. We will be upgrading our current domain from Windows 2003 functionality to Windows 2012 R2.  This forest has domain and two child domains.  I have two questions.  Since we
  have to do this in a few steps in order to get up to 2012 functionality I am wondering where is it consider best practice to start?  In the Root (top level) domain of the forest or in one of the child domains?  I want to say the root (top level)
  domain is where I would place my first Windows 2012 R2 box and promote it to a domain controller.  Then move to the child domains one the root domain controllers have all be replaced with Server 2012.
  Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

  Yes.  We are working with the client to migrate any dependencies off these 3 NT legacy domains.  We will be able to decommission 2 of the 3 without any issues.  However, they still have an old NT box running SQL 6.5 databases for a application
  still in production.  Yes, they are very aware that NT isn't supported, that that version of SQL isn't supported, and that this will hold up their upgrade.
  Our plans for them will be to deploy all new Windows Server 2012 R2 domain controllers but keep the domain and the forest functionality at 2003 in order to support that final NT Legacy domain until they can get that application migrated.
  Once that NT domain is decommissioned then we can raise the functionality of the rest of their domains from 2003 to 2012 R2.
  Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

• Traffic between AD DCs in child domain and AD DCs in other forest

  Hello, fellows.
  I feel really stupid: cannot find a definitive answer on a very simple question. Let's say, there is on forest (F1) with two domains: forest root (F1-RDOMAIN) and a child domain (F1-CDOMAIN), single tree. There is another forest (F2) with only single domain
  F2-RDOMAIN. If I setup two-way forest transitive trust between F1 and F2 forests, I know that some firewall ports must be open to allow communication between DCs in F1-RDOMAIN and F2-RDOMAIN. However, what I cannot say for sure whether there will any traffic
  between F1-CDOMAIN and F2-RDOMAIN! Do I need to open the firewall ports between them as well? Let's assume that DNS servers in F1-CDOMAIN forward requests to DNS servers in F1-RDOMAIN, all domains have GCs.
  Could someone refer me to the MS KB or something else that would say: "...all DCs must communicate with each other" or "only DCs in the root forests domains", please?
  Many thanks in advance,
  Rustam.

  You do not need to open for direct communication between F1-CDOMAIN-DC and F2-RDOMAIN-DC, but workstations located in F1-CDOMAIN must be allowed to communicate with DC in F2-RDOMAIN if they are going to access resources that reside in F2-RDOMAIN. Take
  a look at this description
  of authentication process for more info.
  Gleb.

• Forest vs Child Domain

  Hi Guys,
  I'm thinking to separate the Development/Test environments from Acceptance/Production (DTAP). For this i don't want to make the separation only on the host level but i'm also thinking whether to choose to create a separate forest for Dev/Test or a child domain.
  What are your recommendations? Child domain or different forest?

  I'm thinking to separate the Development/Test environments from Acceptance/Production (DTAP). For
  this i don't want to make the separation only on the host level but i'm also thinking whether to choose to create a separate forest for Dev/Test or a child domain.
  What are your recommendations? Child domain or different forest?
  By creating a child domain, you will be sharing the schema, configuration and some application partitions of your production environment. This means that operations like adding a new custom attribute would be global and replicated to all DCs in your forest.
  For a better isolation, you simply need to create a new domain in a new forest. If you require access to some production resources or the reverse then you can create a trust relationship between both forests.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Need help with process for installation of DNS when establishing a child domain in AD forest using Windows Server 2012

  Additional guidance is needed regarding process for configuring DNS and for configuring the server Network settings (IPv4 properties) for installing a child domain. For example, when installing the Root domain, it is recommended to install DNS when installing
  the AD on the forest root. This ensures the proper records are added to DNS for the forest during DC promo. However, when installing the child domain, I'm unsure if a child-domain hosted DNS needs to be pre-installed prior to the child domain install and dcpromo
  or included in the child domain install.
  Second, there is conflicting guidance as to how to set IPV4 properties for the net interface when installing child-domain DNS. Should primary DNS address be 127.0.0.1 or the address of the Root domain DNS? or both?
  Thanks

  Additional guidance is needed regarding process for configuring DNS and for configuring the server Network settings (IPv4 properties) for installing a child domain. For example, when installing the Root domain, it is recommended to install DNS when installing
  the AD on the forest root. This ensures the proper records are added to DNS for the forest during DC promo. However, when installing the child domain, I'm unsure if a child-domain hosted DNS needs to be pre-installed prior to the child domain install and dcpromo
  or included in the child domain install.
  Second, there is conflicting guidance as to how to set IPV4 properties for the net interface when installing child-domain DNS. Should primary DNS address be 127.0.0.1 or the address of the Root domain DNS? or both?
  Thanks

• Multi-Site WAN With Centralized Call Manager

  The customer has HQ with 15 Branches. Head quarter has about 4300 Phones, and Branches has:
  Branch 1 = 420
  Branch 2 = 256
  Branch 3 = 385
  Brnach 4 = 298
  Branch 5 = 262
  Branch 6 = 171
  Branch 7 = 200
  Branch 8 = 97
  Branch 9 = 198
  Branch 10 = 254
  Branch 11 = 269
  Branch 12 = 224
  Branch 13 = 90
  I would still like to propose Centralized Call Manager Cluster with SRST, but little confused since the number of phones per branch is very high.
  What would be best deployment model for this type of scenerio along with VoiceMail and CER.

  Of course you can use CME/CUE, but the problem is that you need 3845 for SRST with CME/CUE, which cost a lot of money CISCO3845-CCME/K9 is $16495 plus CUE ($3000, not include voice mail subscriber box).
  So I will agree what people suggest here.
  I have centralized design (Publisher, subscriber) at Main Location, and another subscriber at remote site coz 500 users. I chose put subscriber there rather than use 3845 with SRST.
  They share voice box at Main site (Unified).
  The rest of remote site use SRST for backup.
  Large remote site with T1 PRI with SRST if WAN down.
  Small remote site with vic2-2fxo/4fxo with SRST if WAN down.
  You can read the SRND here:
  http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_book09186a00806e8a79.html
  Also, you can design multiple cluster depends the location of main and branches. For example, half office located at West Coast, another half at East Coast. If I were you, I will create two clusters.
  Again, it depends a lot of things, for example bandwidth, round-trip delay etc...
  Hopefully, thats can help you.
  Ken

• Strange behaviour of OS X Server DNS with IPv6 reverse zones

  I am running a full IPv4 / IPv6 dual stack setup across several machiens including a server (OS X 10.9.1 / OS X Server 3.0.2). I also have IPv6 Internet access via TunnelBroker and have a /64 prefix assigned to me. All my systems have valid and correct IPv6 addresses (not temporary ones) from the range denoted by that prefix.
  I have setup IPv4 and IPv6 addresses for all my systems in OS X Server DNS and that works fine. However, when I add an IPv6 address for a system, the DNS server (or maybe the server GUI) insists on creating a reverse zone for the /127 version of the address. This means I pretty much have a separate reverse zone for every system, which seems crazy to me. it is especially annoying as I have another DNS server where all my zones are defined as slave zoes (for availability reasons) and thsi makes the process of addign a new IPv6 host somewhat tedious. I tried pre-creating a properly named reverse zone for the /64 prefix but the DNS server would not use that and still persists in creating these strange zones.
  Here is a (fictitous example)...
  My /64 prefix is 2001:fd0:f19:2ab::/64
  I have a system with an address of 2001:fd0:f19:2ab:7e6d:62ff:fe8a:a84c
  I add this to OS X Server DNS and it created the reverse DNS zone:
  4.8.a.a.8.e.f.f.f.2.6.d.6.e.7.b.a.2.0.9.1.f.0.0.d.f.0.1.0.0.2.ip6.arpa
  whereas I would expect it to instead add it to the zone
  b.a.2.0.9.1.f.0.0.d.f.0.1.0.0.2.ip6.arpa
  if that zone already exists.
  Has anyone else noticed this? Or do you have it working as one might expect?

  Chris..
  I, too, have the same problem.  I take issue with much of the OS X "Server" after it has been so completely dummed down that it is virtually useless for anyone that would actually like to utilize it as an actual, as the name implies, "SERVER."  I won't get into all of the details of everything that drives me crazy with Apple's decisions here but, suffice it to say, I am EXTREMELY DISAPPOINTED with Apple more than ever.  They should, at a minimum, offer a full-fledged server like they used to have, for an additional price, for people that need more than a nice looking interface and a worthless box.
  That being said, the DNS server, like the rest of the OS X Mavericks Server, is dummed down to the point of allowing very little customization.  Short of using the command line, which I have decided to do (I scrapped the OS X server all together, and just set up BIND, openLDAP, DHCP, Quagga, etc. from the CLI just like I do with all of my Linux servers), there is not much you can do to get the correct prefixes to show up in IPv6 reverse zones.  The reason is that when you enter the forward record, the interface does not give an option to enter the prefix.  So, it seems that for EACH AND EVERY v6 entry (AAAA record) you have (or at least every 10 entries), you will get a separate reverse zone.
  To be completely honest, I don't even know why they included IPv6 zones in this implementation because it is totally out of compliance with the RFCs and, obviously, will not provide proper and correct reverse lookups.  How could it? As you pointed out above, with a /64 prefix, you're getting a 31 digit long reverse zone (which, btw, is a /124)...***???  I've never heard of such a thing.  There should be 16 digits in a /64, 12 in a /48, 8 in /32 and so on.
  I don't think it is anything to do with your using a tunnel broker -- all of our systems are native IPv6 and all reverse queries to the Mac Server fail. 
  I can tell you how to use the CLI to manually enter the zones with the serveradmin tool, if you like, but my advice is to just move to a full fledged BIND implementation .... and, if you want some type of interface other than the console, use something like Webmin which has a GREAT DNS zone interface...and it also keeps up with the RFC compliance.
  Just message me back if you'd like the shell commands.  I hate to say this, it literally pains me, but I administer a ton of servers (physical and virtualized)... roughly 1000 +- to be exact...and WINDOWS Server has a DNS server that is so much further ahead and ADVANCED than Mac, it is disgusting.  In fact, we are running 12 Win Server 2012R2 Active Directory Domain Servers, each running synchronized DNS records and even with over 250,000 DNS records, it works like a champ.  Still, our primary and fail-safe DNS servers are all BIND v9.  Like I said, it is awful to say that about Mac, but dude, they need to wake up and either get back to the real-deal systems or just get out of the advanced product arena all together.  (one exception...my new MacPRO is AWESOME and the most advanced piece of computing equipment money can buy for the price...so kudos there)
  Sorry about the rant, but when i read your post, I was reminded how frustrated I am at all of this nonsense.
  Take care...and good luck.

• 2 domain, each with 2 way transitive truts, with sub domains pointing to the same DNS server (how should forward and reserver look zone be configured)

  Hello,
  I found a test environment and I just trying to understand how it works.
  If I have two domains (a.com and b.com) with sub domains(a1.com and b1.com) with two way trust and I want them to point to a Windows DNS server. How should the Forward lookup zones and Reverse lookup zones be configured? In forward lookup
  zones do I just add a new zone, make them all primary since only one DNS server, add a.com and b.com and do the same for reverse zones.
  Do the sub domains need to be added? What about pointers? Do I add the IP address of a.com and b.com in reverse lookup zones.
  A side question: When you create a Domain with dns AD intergrated the forward and reserve lookup are automatically created. You don't need to add the zone of the domain you just created but have to add zones of other domains.

  Hello,
  I found a test environment and I just trying to understand how it works.
  If I have two domains (a.com and b.com) with sub domains(a1.com and b1.com) with two way trust and I want them to point to a Windows DNS server. How should the Forward lookup zones and Reverse lookup zones be configured? In forward lookup
  zones do I just add a new zone, make them all primary since only one DNS server, add a.com and b.com and do the same for reverse zones.
  Do the sub domains need to be added? What about pointers? Do I add the IP address of a.com and b.com in reverse lookup zones.
  A side question: When you create a Domain with dns AD intergrated the forward and reserve lookup are automatically created. You don't need to add the zone of the domain you just created but have to add zones of other domains.
  Make each domain controller as a DNS server too. Reverse lookup zones & forwarders are not replicated automatically. You can create AD-Integrated reverse lookup zone & set the replication scope.
  You can create AD-Integrated DNS zones in the parent/root domain, set the replication scope to the forest-wide & delegate the zones for handling request locally. Once you create AD-Integrated DNS zone & set the replication scope forest wide, all
  the zones will appear automatically in each domain's DNS server.
  http://awinish.wordpress.com/2011/04/09/configuring-dns-in-child-domain/
  Awinish Vishwakarma - MVP
  My Blog: awinish.wordpress.com
  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• Error in test with Central Output Pro Server 5.5

  I am getting the following error,
  when I testing the Central Output Pro Server.
  I begin with a Central Output Pro Server Vers. 5.5 (demonstration version)
  some is the example which I use, I always have the same message in the logs:
  [313]*** Spawn of agent may have failed ***
  [306]Processing file 'exmpl1.dat', '^job exmpl1 "d:\Program Files\Adobe\
  [307]Launching task '"jftrans" "C:\Program Files\Adobe\Central\Server\Data\exmpl1.dat"
  [314]Agent exit message: [313]*** Spawn of agent may have failed ***
  [375]Skipping event because infile A is missing.
  It is probaly a configuration problem? but that to make.

  I was checking my log file and I noticed an anomoly between some of the "launching" log entries. That got me to looking further into my jfserver.ini file. I think I know what your problem is.
  Every program (agent) that Central can launch has to have entries in the jfserver.ini file. This includes the agents that come with Central as well as any custom agents that are added later (we have several that we've written for our application). These entries include an EXEPATH statement that is specific to the agent. Apparently this is separate and in addition to the entry in the [Paths] section.
  For your specific problem look for a section with a [jftrans] header. It may be missing, or it may just be missing the ExePath entry or that entry may be blank.
  If one is fouled up, look for others. If all options of Central were checked when it was installed you should have entries like the following. These are all in my file as a result of the installation. Of course the actual location would be different.
  [JFSTARTUP]
  ExePath=C:\JetForm\Central\Bin
  IniFileName=C:\JetForm\Central\Server\JFSTARTUP.ini
  LogFileName=C:\JetForm\Central\Server\jfserver.log
  EditCfgRtn=notepad %s
  [JFSHUTDN]
  ExePath=C:\JetForm\Central\Bin
  IniFileName=C:\JetForm\Central\Server\JFSHUTDN.ini
  LogFileName=C:\JetForm\Central\Server\jfserver.log
  EditCfgRtn=notepad %s
  [JFERROR]
  ExePath=C:\JetForm\Central\Bin
  IniFileName=C:\JetForm\Central\Server\PrtErrorCheck.ini
  LogFileName=C:\JetForm\Central\Server\jfserver.log
  EditCfgRtn=notepad %s
  [DEFAULT]
  ExePath=c:\jetform\central\Bin
  IniFileName=c:\jetform\central\Server\jfmerge.ini
  [JFNOJOB]
  ExePath=c:\jetform\central\Bin
  IniFileName=c:\jetform\central\Server\jfnojob.ini
  [JFEMSEND]
  ExePath=c:\jetform\central\Bin
  IniFileName=c:\jetform\central\Server\jfemsend.ini
  EditCfgRtn=notepad c:\jetform\central\Server\jfemsend.ini
  [JFMERGE]
  ExePath=c:\jetform\central\Bin
  IniFileName=c:\jetform\central\Server\jfmerge.ini
  [JFPVAGENT]
  ExePath=c:\jetform\central\Bin
  IniFileName=c:\jetform\central\Server\jfpvagent.ini
  EditCfgRtn=Notepad c:\jetform\central\Server\jfpvagent.ini
  [JFTRANS]
  ExePath=c:\jetform\central\Bin
  IniFileName=c:\jetform\central\Server\jftrans.ini
  EditCfgRtn=notepad c:\jetform\central\Server\jftrans.ini
  [XMLIMPORT]
  ExePath=c:\jetform\central\Bin
  EditCfgRtn=Notepad c:\jetform\central\Bin\xmlimport.xci
  IniFileName=c:\jetform\central\Bin\xmlimport.xci

• UCS Central unable to communicate with UCSM

     We started using UCS Central .. Its very cool . I can add domains into UCS Central . I see pools of the domains I add in . I even see the fault Numbers at the top of the screen . What I cannot do is click on the faults tab or events tab of any Domain I add in . It makes UCS Central unusable .
  The is happening with the defualt key ring and we created CA certificates also which doesn't solve the issue . It almost looks like its trying to connect to UCSM by IP rather then DNS name . I'm not sure why this happening . I will probably open a TAC case . I attached a screen shot of the error .
  Hope someone has run into this .                

  Hello Chris,
  Is http to https re-direction enabled on UCSM ?
  Is UCSM correctly registered with Central with valid certifcates ?
  Check out best practices guide ( section Registration and Certificates and Certificate troubleshooting section )
  https://communities.cisco.com/docs/DOC-32030
  Padma

• Airport Extreme doesn't work with VriginMedia's(NTL) DNS

  My ISP is Virgin Media (NTL).
  When I set up my AEBS, using DHCP & VMs DNS servers (62.253.162.237 & 194.688.4.237), I can see their web site, but I can't access other websites.
  Network diagnostics shows: Ethernet, Network Settings, ISP & Server as Green with the Internet as Red.
  A couple of calls verified that the Virgin Media support line just weren't interested, saying it was a router problem.
  After several frustrating hours trawling through discussion threads & trying the various combinations of powering off/on & changing various settings, I discovered that If I use OpenDNS( 208.67.222.222 & 208.67.220.220), everything works just fine.
  But I still am left with the question: why doesn't it work with Virgin Media's DNS?

  As for why it doesn't work using the DNS servers that VM provide - it's probably because you are supposed to use the modem to provide the dns servers (this is done automatically when you use dhcp via VM's cable platform). Try removing all dns servers from the AEBS and it should work fine as it will get the correct, read Virgin Media, DNS settings.

• DPM console not connecting . Error- Cannot connect to Data Protection Manager. This version of DPM is not supported with Central Console Client (ID : 33345) DPM console not connecting

  I  am having problem connecting the DPM console to ther server. It gives me following error -
  "Cannot connect to Data Protection Manager. This version of DPM is not supported with Central Console Client (ID : 33345)"
  The server is DPM R2 and the same console is working on one other computer.
  Any idea how to solve the problem?
  Thanks   

  Hi
  Please make sure you have both versions of Microsoft Visual C++ 2008 Redistributable installed..
  Also make sure you have .netframework 2 installed. If you look at the dpm logs it should say what is missing.

• How to attach agent with unusual AD and DNS setup?

  I am trying to configure DPM for a client, which is a university department. They have a somewhat unusual setup of their AD and DNS and I think that is why I am having trouble attaching an agent I have installed.
  It is a new installation of DPM 2012 R2 version 4.2.1292.0 with a local SQL Server 2012 SP2. The OS is Windows Server 2012 R2. It is going to protect a bunch of SQL Server databases all on the same Windows Server 2012 R2 server. The SQL Server is a physical
  server and the DPM server is a hyper-v VM, running on a Windows Server 2012 R2 host.
  The install of DPM itself went smoothly.
  To install the agent on the SQL Server machine, I followed the instructions here:
  https://technet.microsoft.com/en-us/library/hh758186.aspx#BKMK_Manual. This was successful (I think)
  Then I proceeded with these instructions to attach the agent:
  https://technet.microsoft.com/en-us/library/hh757916.aspx
  This fails at the enter credentials stage with this message:
  DPM could not connect to the service control manager on these servers: [SqlMachinename].win.[universityname].dk (ID: 33221)
  As far as I can tell, the problem has to do with how the university manages windows AD domains and DNS lookup.
  The university uses one common AD domain named win.[universityname].dk for the entire campus, but it looks like DNS names for individual windows machines is managed locally at individual departments.
  Ipconfig says this (abbreviated) for the SQL Server where I installed the agent:
  Host Name . . . . . . . . . . . . : [SqlMachinename]
  Primary Dns Suffix  . . . . . . . : win.[universityname].dk
  DNS Suffix Search List. . . . . . : win.[universityname].dk
  [departmentname].[universityname].dk
  Ethernet adapter T2:
     Connection-specific DNS Suffix  . : [departmentname].[universityname].dk
     DHCP Enabled. . . . . . . . . . . : Yes
  This works from the DPM machine and shows the correct IP:
  ping [SqlMachinename]
  This works from the DPM machine and shows the correct IP:
  ping [SqlMachinename].[departmentname].[universityname].dk
  This fails from the DPM machine ("could not find host") and does not get an IP:
  ping [SqlMachinename].win.[universityname].dk
  I've used Message Analyzer to verify that when pinging just [SqlMachinename], in fact DNS tries first to append win.[universityname].dk, which fails and second [departmentname].[universityname].dk, which then succeeds. This is by the book, as I understand
  it because of the DNS Suffix Search list or because of the connections-specific DNS Suffix.
  The problem is that DPM only tries [SqlMachinename].win.[universityname].dk. I have verified this with Message Analyzer.
  I am not sure how to proceed. Is there another way to attach the agent? Maybe by IP-address?
  I cannot ask the client to put [SqlMachinename].win.[universityname].dk in their DNS database. I am sure that they do not register any individual machines in that DNS domain which cuts across the entire campus. I am equally sure that they will not consider
  creating individual AD domains for each department just because I ask (although that would probably be best in the long run).
  Any suggestions would be very much appreciated.

  Found a workaround:
  I can install and attach the agent using one of the methods designed for agents in workgroups or untrusted domains. For me NTLM worked fine as long as I used simple nertbios computer names without any domain suffixes.
  This is what worked:
  On protected server:
  SetDpmServer.exe -dpmServerName DPMServername -isNonDomainServer -userName DpmNtlmAccount
  On DPM Server:
  Attach-NonDomainServer.ps1 -DPMServername DpmServername -PSName servername -Username DpmNtlmAccount -Password xxxxx
  I still think it is weird that DPM insist that protected servers in thewe same AD domain must use the AD domain name in their DNS name. Very inflexible.

• Having problems getting Comcast internet to work with my power Mac running 10.5.8  Help needed

  Just got Comcast Cable and everything works: phone, WiFi, and TV, BUT ethernet won;t work with my power mac tower running 10.5.8 . Hooked modem to laptop running Microsoft and no problem, but it won't work with my Mac.  Any solutions out there?

  Hi, see if this changes anything...
  Make a New Location, Using network locations in Mac OS X ...
  http://support.apple.com/kb/HT2712
  10.5, 10.6, 10.7 & 10.8…
  System Preferences>Network, top of window>Locations>Edit Locations, little plus icon, give it a name.
  10.5.x/10.6.x/10.7.x/10.8.x instructions...
  System Preferences>Network, click on the little gear at the bottom next to the + & - icons, (unlock lock first if locked), choose Set Service Order.
  The interface that connects to the Internet should be dragged to the top of the list.
  If using Wifi/Airport...
  Instead of joining your Network from the list, click the WiFi icon at the top, and click join other network. Fill in everything as needed.
  For 10.5/10.6/10.7/10.8, System Preferences>Network, unlock the lock if need be, highlight the Interface you use to connect to Internet, click on the advanced button, click on the DNS tab, click on the little plus icon, then add these numbers...
  208.67.222.222
  208.67.220.220
  (There may be better or faster DNS numbers in your area, but these should be a good test).
  Click OK.

• DMVPN phase 3 migration with Central hub

  I am looking at migrating my phase 2 DMVPN network to phase 3. The current network contains 3 regional hubs each serving approx 100 spokes. The end goal is to be able to build spoke to spoke tunnels between sites that are homed to hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3" that phase 3 regional hubs can be linked in a heirarchy via a cental hub but there is no detail in the doc and I have not been able to find a white paper that deals with this specifically. Does anyone have experience with this topology or have documention that deals with central hub configuration and deployment?
  Regards,
  Mike

  Mike,
  Might be a good idea to run this by your SE.
  In general phase 3 design with phase 3 images you need to remember you will follow routing for NHRP, i.e. if you summarize properly you will scale pretty decently (with or without regional hub).
  What are the benefits of phase 3 design comapred to phase 2 design that you're trying to achieve?
  Marcin.
  P.S. If we're talking about same migtation document
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
  it's an un-maintained marketing document, all our efforts to correct some of the problems there (ip ospf network point-to-multipoint for example) so far have not come to fruition.