Pull DP error for cross untrusted domain

I have put the pull DP into the untrusted domain and opened bidirectional ports in both firewalls. Clients are not communicating with the primary SCCM server.

I am trying to install the SCCM agent manually in the untrusted forest and am getting the following errors:
Failed to get assigned site from AD. Error 0x80004005
GetADInstallParams failed with 0x80004005
No valid source or MP locations could be identified to download content from. ccmsetup.exe cannot continue

Similar Messages

  • "ICM_HTTP_CONNECTION_FAILED" error for cross catalog search

    We are running SRM 7.0 SP 08.
    I have set up the external web services to access multiple external product catalogs to create shopping carts. These individual catalogs work fine for SC creation. (BTW, we removed the parameter for HOOK_URL as it seems not to be required starting with SRM 7.)
    However, when we are trying to run "cross catalog search", either from SC creation wizard or from normal SC creation screen, the popup window would appear with search in progress, but always return no result with detail message: "ICM_HTTP_CONNECTION_FAILED" for all catalogs.
    I have debugged the scenario, and the error seems to be from FM /SAPSRM/PDO_CCS_BCKGRSEARCH, which is called in a background task. The statement that got the error is the following, with return code 1.
        CALL METHOD lv_res_client->receive
          EXCEPTIONS
            http_communication_failure = 1
            http_invalid_state         = 2
            http_processing_failed     = 3
            OTHERS                     = 4.
    Could you shed some light as to what might have been the problem?
    Thanks for your help.


  • Error adding untrusted domains

    Hello,
    When adding an untrusted forest to Configuration Manager to discover clients and users, I receive "Logon failure: unknown user name or bad password" when adding a new account for the untrusted domain. I know the account is OK. If I use the console on a PC in the untrusted domain the account works.
    Thanks
    Dave

    Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem? If so, what was the solution?
    Take a look at this blog, it might help you.
    http://anoopcnair.com/2013/05/23/configmgr-2012-tip-on-untrusted-forest-ad-system-discovery/
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • I am calling an XML file that comes from an RTMP server and I want to play a video. When I pause it shows a cross-domain error. What can I do?


    Please quote the exact error message, word-for-word, verbatim.
    What is your operating system?
    What version of Lightroom?

  • Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

    Hi there,
    I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2 instances.
    A domain account "Domain\Login" is administrator on both physical nodes and "sysadmin" on both SQL Server instances.
    Currently both instances are running on the same node.
    While logging on to SQL Server instance 2 through "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past as well, but the issue was resolved after installation of SQL Server 2008 R2 SP2. It has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
    The same login with the same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
    Please help resolve the issue.
    Thanks,
    AY

    Hello,
    I confirm that I encountered the same problem when the first domain controller was down!!
    During a restart of the first domain controller, I tried to fail over my SQL Server instance to a second node; after that I was able to authenticate SQL Server logins, but Windows logins returned error 18452!
    When the first DC finished restarting, everything was OK!
    The question here: why doesn't the cluster instance use the second DC???
    Best Regards     
    J.K

  • Error in F110 (Payment run 07/28/2011 1008I is intended for cross-payment )

    Hi,
    We are getting an error in the F110 Automatic Payment run.
    Proposal and Payment run are getting created, but when we run the printout step it gives the following error:
    1. Payment run 07/28/2011 1008I is intended for cross-payment run payment media (message FZ 110, type S)
    2. No Record found
    Please help me if anyone has worked on the same scenario.
    Thanks,
    Babumiya Mohammad

    Hi Babumiya,
    Please check the FBZP setting for the payment run - Company Code, Country Code - for the corresponding Payment method.
    The form with driver program will trigger for the above combination ( as whatever is detailed out in FBZP transaction code).
    While triggering the payment run, do check whether the standard job has been created or not (F110*).
    Regards,
    Anmol Saxena.

  • Using JSONscriptRequest for cross domain calls?

    Hi,
    Looking through the REST SDK I see mention of the "JSONscriptRequest class" but I don't find much else about it.
    Is this a jsonp callback and how can it be used?
    Thanks

    Hi Willem,
    I've never heard of this "JSONscriptRequest class", but as far as I know, the REST SDK doesn't support JSONP callbacks or JSONP in general.
    For cross domain requests, you'll find CORS settings on your WebApplicationContainer Server settings page in the CMC, but I'm not sure how / if they work.
    Hope that helps.
    Jan

  • SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

    Hello!
    Scenario
    Built a single primary site server in one domain with multiple distribution points. All site servers are members of this one site.
    The distribution points in the primary site server's domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and the CCM client on the DP in the untrusted domain knows it's part of the site and knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. Unfortunately authentication errors indicate that this software can't be downloaded.
    In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorized. This should be an easy fix.
    Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP, implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
    Problem
    The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
    The account does exist, created in the primary site server's domain and assigned to the site. It's not a password issue. IIS has not been set for Anonymous access as this isn't needed - the NAA should provide the credentials it requires to pull down content.
    A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (I think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both were reinstalled. A fresh install didn't detect the NAA.
    Solution
    After some soul searching and a little frustration, it came down to this: a Pull DP always uses the Network Access Account. If the DP can't find a Network Access Account it will fail to pull down content. This is undisputed. Found an article that states the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User Policy Retrieval & Evaluation Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted domains aren't approved automatically (by default).
    In this case something as simple as approving the client fixed these issues.
    The DataTransferService.log highlights the issue:
    <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3501">
    <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68' ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
    <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:3513">
    <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688" file="dtsjob.h:166">
    <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="2" thread="3136" file="dtsjob.cpp:3652">
    <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688" file="dtsjob.cpp:3205">
    <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:288">
    <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:858">
    <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
    The IIS server log u_ex150219.log captures the requests:
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 2 5 1509 2
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 1 3221225581 1509 4
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 1 3221225581 1509 3
    2 x Domains: DomainA and DomainX
    - Single domain forests
    - No trusts between domains/forests
    DomainA\PRIMARYSERVER
    - Primary Site Server, MP, DP, IIS, all roles
    DomainX\DP1
    - Distribution Point, IIS, etc
    - CCM client installed

    Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
    Jason | http://blog.configmgrftw.com | @jasonsandys
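    The log excerpts in the post above carry the whole diagnosis: BITS gets HTTP 401 from the DP, the client tries to fall back to the Network Access Account, and finds none because the NAA policy never reached an unapproved client. The following is an added example, not code from the post or from ConfigMgr: a small stdlib-only Python triage script that parses CMTrace-format DataTransferService.log records and IIS W3C log lines, correlates the two sides, and reports which failure mode the evidence supports. The sample lines are constructed from the post's excerpts (wrapped lines re-joined, the cab path taken as /sccm/windows6.1-kb3021917-x64.cab); the #Fields header is an assumption, since the excerpt does not include it, and the verdict wording is mine.

```python
"""Triage ConfigMgr Pull DP download failures from DataTransferService.log and
IIS logs. Added example, not ConfigMgr code; standard library only."""
import re

# One CMTrace record: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
# The message part may span physical lines, so the text is scanned as a whole.
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)"'
    r'[^>]*?type="(?P<type>\d)"',
    re.S,
)

# Written by the client when no Network Access Account policy has reached it.
NAA_MISSING_MARKERS = (
    "No network access account info found.",
    "The network access account is not defined.",
)
# BITS maps HTTP status codes to 0x80190000 + status; 0x191 == 401.
BITS_HTTP_401 = "0x80190191"


def parse_cmtrace(text):
    """Return one dict (msg, time, date, component, type) per CMTrace record."""
    return [m.groupdict() for m in CMTRACE_RE.finditer(text)]


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text using its #Fields header.
    W3C logs are space-delimited; spaces inside values are written as '+'."""
    fields, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue                      # #Software, #Version, #Date, blanks
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def triage_pull_dp(dts_log_text, iis_log_text):
    """Correlate client-side DTS records with server-side 401s and name the failure mode."""
    records = parse_cmtrace(dts_log_text)
    naa_missing = any(any(mk in r["msg"] for mk in NAA_MISSING_MARKERS) for r in records)
    bits_401 = sum(BITS_HTTP_401 in r["msg"] for r in records)
    client_errors = [r["msg"] for r in records if r["type"] == "3"]   # CMTrace type 3 = error
    iis_401 = [
        (r["cs-uri-stem"], r["sc-substatus"], r["sc-win32-status"])
        for r in parse_iis_w3c(iis_log_text)
        if r.get("sc-status") == "401"
    ]
    if naa_missing and (bits_401 or iis_401):
        verdict = ("401 on content download and the client holds no Network Access Account: "
                   "the NAA policy never reached the client; check client approval in the console "
                   "(clients in untrusted domains are not auto-approved by default)")
    elif iis_401 or bits_401:
        verdict = ("401 on content download although the client knows an NAA: "
                   "check the NAA credentials and the DP's IIS authentication settings")
    elif not records and not iis_401:
        verdict = "no evidence of a download failure in the supplied lines"
    else:
        verdict = "inconclusive"
    return {"naa_missing": naa_missing, "bits_401": bits_401, "client_errors": client_errors,
            "iis_401": iis_401, "verdict": verdict}


# Constructed sample input: the post's DataTransferService.log excerpt, wrapped lines re-joined.
SAMPLE_DTS_LOG = '''\
<![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3501">
<![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="2" thread="3136" file="dtsjob.cpp:3652">
<![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:288">
<![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:858">
<![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
'''
# Constructed sample input; the #Fields header is an assumption (the post's excerpt has none).
SAMPLE_IIS_LOG = '''\
#Software: Microsoft Internet Information Services 7.5
#Fields: date s-ip cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 2 5 1509 2
2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 1 3221225581 1509 4
2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 1 3221225581 1509 3
'''

if __name__ == "__main__":
    result = triage_pull_dp(SAMPLE_DTS_LOG, SAMPLE_IIS_LOG)
    print(result["verdict"])
```

    On the post's own lines the script lands on the first verdict (NAA missing plus 401s), which is the approval problem the author found by hand; the second branch covers the case where the client does know an NAA and the 401 is a credential or IIS configuration problem instead. Feed it the real files with open(...).read() on the DP.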

  • SCCM MP Account from accessing across untrusted domain

    Hi,
    I am wondering if anyone has any suggestions on how to set up the MP connection account from an MP in an untrusted domain (DMZ) to the site server. I tried to create a user account in the domain where the SCCM primary site exists and configured that account for the MP to use, but unfortunately I am getting the following error:
      *** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    I have not tried using a SQL replica yet, but I thought if the account works then I would refrain from using a SQL replica.
    Thanks,

    ** Resolved **
    Instead of using DOMAIN\USER, I created a local account on the site server and assigned EXECUTE rights to the DB. It's now communicating from the DMZ without any problem...

  • JAAS between WLS (untrusted) domains - ServerIdentity failed validation

    I'm trying to create a proxy/delegate class that can be used by clients to transparently access a server.
    The class should be usable from clients within WLS containers and from regular Java apps.
    Using JNDI authentication everything works fine.
    Using JAAS I'm having a problem when my client is an EJB app in an untrusted WLS domain. When the login is requested the following error is occurring:
    <ServerIdentity failed validation, downgrading to anonymous.>
    I want to be able to do a JAAS login to a non-trusted domain. I'm assuming that the server is trying to pass the subject who is logged into the current container, and my call to LoginContext.login()
    Any thoughts?
    //Example of code (braces and returns completed so the fragment compiles; the commented bodies are as posted)
    import java.security.PrivilegedExceptionAction;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;

    loginContext = new LoginContext("ServiceSecurity",
        new FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
    loginContext.login();
    final Subject subject = loginContext.getSubject();   // final: used from the anonymous classes below
    serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //JNDI lookup
                //Create session bean instance
                weblogic.security.Security.runAs(subject,
                    new PrivilegedExceptionAction() {
                        public Object run() throws Exception {
                            //do operation on instance
                            return null;
                        }
                    });
                return null;   // the ServiceHome obtained from the lookup goes here
            }
        });

    Then I'd start talking to BEA support to see if they even know how to do
    this.
    Without the trust relationship I'm not sure if you can achieve what you
    want.
    Dejan
    Mark Fine wrote:
    This is exactly what I am doing.
    Implicitly there is a security context within the session bean (the user logs in via the web app and the context is propagated). I obtain a LoginContext to the other server and call the method within that context.
    It doesn't work because it is implicitly passing the security context of the session bean and failing due to lack of trust.
    //Example of code: same as in the original post above
    "Deyan D. Bektchiev" wrote in message news:...
    In that case you should be able to get the two different Subjects from the two different domains (return a different url from the URLCallback when you login with JAAS), and afterwards use
    weblogic.security.Security.doAs(...);
    with the correct Subject for the appropriate server when you access the servers.
    HTH,
    --dejan
    Mark Fine wrote:
    Thanks, but I think the content was miscommunicated. Everything works fine when the domains are "trusted". I want to know how to have "untrusted" domains talk to each other through explicit logins.
    i.e. imagine an application on a domain in a finance department. What if they are trusted against other domains and can't / don't want to establish trust with your domain. They just need access to one particular service you expose.
    Thanks,
    m
    "Deyan D. Bektchiev" wrote in message news:...
    Hi Mark,
    You should first establish a trust relationship between your Weblogic servers:
    http://e-docs.bea.com/wls/docs70/secmanage/domain.html#1171534
    Then you can use JAAS to authenticate and get valid Subjects for the two users.
    --dejan

  • Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

    Hello,
    I have gone through couple of posts regarding this issue but couldn't get the right solution. Could you please help what exactly we are missing here.
    Details:
    1) we have two SQL instances on one standalone machine (Default Instance (2008 SP3) + Named Instance (SQL 2012 SP1))
    2) Both instances are configured to accept SQL+ Windows authentication.
    3) When we give access to our users they get the following exception if they connect with 'Windows authentication' (for both instances):
    Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    Note: (Being a sys + Windows admin I'm able to connect to both instances from the same client machine without any issues)
    4) Also, we observed following error in windows application event log,
     SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
    The logon attempt failed   [CLIENT: 192.168.xxx.xyx]
    5) If we create SQL login it is working fine without any issues.
    Could someone guide/help  me identifying and fixing this issue.
    Thank you

    Hello,
    Are those Windows logins associated with domain Windows accounts? Windows logins work for domain accounts and for local Windows accounts created on the server where the SQL Server instance is installed (and used to log in locally to the server).
    Could you try to delete one of the Windows logins that fail to log in, and try to recreate it?
    The following resources may help:
    http://blogs.msdn.com/b/dataaccesstechnologies/archive/2012/12/19/error-message-quot-login-failed-the-login-is-from-an-untrusted-domain-and-cannot-be-used-with-windows-authentication-quot.aspx
    http://support.microsoft.com/kb/555332
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • SQL server(PC1) --- PC2: Login failed. The login is from untrusted domain and cannot be used with windows authentification

    Hey,
    I want to make a connection from my laptop (xxx.xxx.xxx.xxx = A) to a fixed computer (SQL Server, xxx.xxx.xxx.xxx = B). My connection string = "Provider=SQLNCLI11; Data source:name-pc/SQLEXPRESS; Integrated circuit=SSPI;Intial Catalog=Database name" for Visual Studio C#.
    Laptop -> PC1: Error
    It works when I use localhost or 127.0.0.1 and I can read my database without any problems if I install SQL Server on my laptop. Now I installed it on PC1 and uninstalled it on my laptop. When I change the name-pc to an IP address I get this error: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. I did some research on multiple forums where they talk about Local Security Policy (secpol.exe), but I don't have this file.
    PC2 -> PC3: works fine, but I want to work with my laptop and I don't understand why it isn't working with my laptop.
    Can someone help me?
    Thanks a lot and sorry about my English (it's a disaster)
    Thibaut

    Hello,
    Yes, for the Windows Authentication to work you should be using the same Windows account and password.
    Are you willing to create SQL logins inside SQL Server and allow your users to connect to SQL Server using SQL Authentication
    instead of Windows Authentication? That could be a solution on a workgroup network.
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • ACS forwarding from untrusted domain 0x80090325 SEC_E_UNTRUSTED_ROOT

    I have SCOM 2012 R2 Update Rollup 4 installed with 2 management servers running WS12R2 in a single management group in my main AD domain. One of the management servers is also an ACS collector. I have an untrusted AD domain with a SCOM gateway server in it, and I used the gateway to install a SCOM agent on a domain controller in that domain. Now I am trying to configure an ACS forwarder on that untrusted domain controller to talk to the ACS collector back on the management server.
    However, when I restart the Microsoft Monitoring Agent Audit Forwarding service on that domain controller, I get this error in its Event Viewer > Apps and Services > Operations Manager:
    1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s): <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source: registry addresses tried: <IP>:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machine(s) listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism. AdtServer on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows directory.
    I followed these two articles in order to set up the ACS forwarder on the DC in the untrusted domain:
    "How to configure security events collection by using Audit Collection Services from computers in untrusted environment?" (1/3/12) https://gefufna.wordpress.com/2012/01/03/how-to-configure-security-events-collection-by-using-audit-collection-services-from-computers-in-untrusted-environment/
    "Forwarder is unable to connect to collector Event id 4369 in forwarder event view" (5/5/14) http://jimmy-scom.blogspot.com/2014/05/forwarder-is-unable-to-connect-to.html
    EXTRA INFO Here are the detailed steps that I took (sorry for all this, but there are an awful number of steps!):
    1) I confirmed that the agent for the DC shows as Healthy in OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (right) pane.
    2) On the ACS collector, I stopped Operations Manager Audit Collection Service, then from an Admin cmd prompt I did this:
    c:> cd \windows\system32\security\adtserver
    c:> adtserver -c
    1 certificates found for server authentication usage.
    Enter the number of the certificate you want AdtServer to use for authenticating to AdtAgent or 0 to quit without saving: 1
    Certificate 1 selected. Attempting to save thumbprint to registry ... success.
    Then I started Operations Manager Audit Collection Service.
    3) On the DC in the untrusted domain, from an Admin cmd prompt I did this:
    c:> cd c:\windows\system32
    c:> adtagent -c
    No  Issued To          Issued By            Expires              Thumbprint
     1: <untrustedDCfqdn>  <untrustedDomainCA>  2015-11-30 02:44:58  <thumbprint>
    2 certificates found for client authentication usage.
    Enter the number of the certificate you want AdtAgent to use for authenticating to AdtServer or 0 to quit without saving: 1
    Certificate 1 selected. Attempting to save thumbprint to registry... success.
    4) On the DC in the untrusted domain, I opened mmc > Certificates > Local Computer > Personal > Certificates > I exported the certificate from step 3 to a DER encoded binary X.509 (.CER) file.
    5) I also looked at the Certification Path for the certificate, and figured out which certificate is its Root CA certificate. I copied that certificate to a DER encoded binary X.509 (.CER) file.
    6) I copied the first .CER file to a computer in my main domain, which is at 2012 R2 level. From AD Users and Computers, I created a "dummy" computer object using the NetBios name of the DC back on the untrusted domain. I right clicked the computer
    object > Named Mappings > I added the .CER file, and left "Use Subject for alternate identity" checked. I unchecked "Use Issuer for alternate security identity".
    7) I copied the Root CA certificate .CER file over to the SCOM management server that doubles as my ACS collector, and from there I did mmc > Certificates > Local Computer > Trusted Root Certificates > Certificates > I imported the Root
    CA certificate.
    8) I also went to my CA server on my main domain, I ran pkiview.msc > right clicked “Enterprise PKI” > Manage AD Containers > NTAuthCertificates tab > and I imported the Root CA certificate there as well.
    9) I ran telnet from the DC on the untrusted domain, and confirmed that port 51909 is open from there to the ACS collector on the main domain.
    10) I enabled audit collection for the DC on the untrusted domain. I did this from OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (second column in middle pane) > I selected the Healthy <untrustedDCfqdn> > I clicked Enable Audit Collection.
    Then under "Task Parameters" > I clicked [Override] > for New Value I specified <ACScollectorFQDN>. For task credentials I specified Other account, and specified a domain admin account in the untrusted domain. The result was "The task completed successfully. Enable Audit Collection, status:Success".
    11) On the ACS collector, I restarted Operations Manager Audit Collection Service. On the DC in the untrusted domain I restarted Microsoft Monitoring Agent Audit Forwarding service.
    12) Result was this error on the DC in the untrusted domain, in its
    Event Viewer > Apps and Services > Operations Manager
    1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s): <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source: registry addresses tried: 10.1.1.91:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machine(s) listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism. AdtServer on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows directory.
    13) On the DC in the untrusted domain I created DWORD reg value
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters\TraceFlags and set it to 524420 decimal. The resulting c:\windows\temp\AdtAgent.log file only confirmed that I'm getting 0x80090325 errors.
    After all this, why am I getting 0x80090325, which translates to SEC_E_UNTRUSTED_ROOT ??? Did I do something wrong in steps 5, 7 and 8? Thanks for reading all the way through :)
    Marko

    Thanks Yan Li, you gave me an idea. I got the ACS forwarder in the untrusted domain to work (!), by analyzing the setup on the SCOM gateway that I set up in the untrusted domain. I issued the ACS forwarder a certificate from the domain that SCOM is in, INSTEAD
    of configuring the ACS forwarder to use the certificate that it already had from its own domain.
    So the new procedure is: do steps 1 and 2, then instead of step 3 I did this…
    2B) I issued a certificate from the AD domain containing SCOM to the domain controller in the untrusted domain that is my ACS forwarder. I did this from the AD Certificate Services web site, and asked it to use certificate template that I created for the
    SCOM gateway server in the untrusted domain.
    2C) The new certificate appeared in the Personal store of the domain controller. I exported it, then ran the MomCertImport utility so that I would not get an error in the next step (per
    http://www.systemcentercentral.com/scom-deployment-across-multiple-networks/)
    3) On the domain controller in the untrusted domain, I re-ran "adtserver -c", and selected the new certificate.
    3B) I then ran “MomCertImport /Remove”, since I already have a SCOM gateway in the untrusted domain.
    Then I proceeded with step 4, skipped 5, did 6, skipped 7-8, did 9-11. The result was this on the DC in the untrusted domain, in its Event Viewer > Apps and Services > Operations Manager:
    2/3/2015 12:20:01 PM Source AdtAgent Event ID 4368 Forwarder successfully connected to the following collector:
    <ACScollectorFQDN>:51909, status: 0x0 (success), source: registry
    addresses tried: <IPaddress>:51909
    ACS forwarding works now! I will confirm by repeating the procedure for another domain controller in the untrusted forest.
    Marko
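    A defender-side check for the three failure causes named in this thread (untrusted certificate chain behind 0x80090325, blocked TCP path to the collector, and whether event 4368 ever appeared). This is an added example, not code from the thread or from the ACS product; it assumes PowerShell 4 or later with the NetTCPIP module on the forwarder, and the collector name and thumbprint are placeholders you fill in.

    ```powershell
    # Added diagnostic for an ACS forwarder; not part of the original post.
    # Run on the DC in the untrusted domain that acts as the forwarder.
    $Collector = '<ACScollectorFQDN>'   # placeholder, as written in the post
    $Port      = 51909                  # ACS collector port from the 4368 event

    # 1. Is the chain of the forwarder's certificate trusted on this machine?
    #    0x80090325 (SEC_E_UNTRUSTED_ROOT) means the chain does not end in a root
    #    the local machine trusts, which is exactly what swapping to a certificate
    #    issued by the SCOM domain's CA fixed in the post.
    function Test-ForwarderCertChain {
        param([Parameter(Mandatory)][string]$Thumbprint)
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Keep revocation out of the picture so the result isolates the trust question.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            HasPrivateKey = $cert.HasPrivateKey
            ChainOK       = $built
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }

    # 2. Is the collector reachable on the ACS port? The failure text quoted in the
    #    post lists firewall/IPSec filtering as a cause separate from certificates.
    function Test-CollectorReachable {
        param([string]$ComputerName, [int]$TcpPort)
        $r = Test-NetConnection -ComputerName $ComputerName -Port $TcpPort -WarningAction SilentlyContinue
        [pscustomobject]@{
            Collector        = $ComputerName
            Port             = $TcpPort
            RemoteAddress    = $r.RemoteAddress
            TcpTestSucceeded = $r.TcpTestSucceeded
        }
    }

    # 3. What has AdtAgent logged recently? Event 4368 is the success the post shows.
    function Get-AdtAgentEvents {
        param([datetime]$Since = (Get-Date).AddHours(-1))
        Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'AdtAgent'; StartTime = $Since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName,
                @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    }

    # Usage: list the Personal store to find the thumbprint chosen with "adtserver -c",
    # then run the three checks.
    Get-ChildItem Cert:\LocalMachine\My | Format-Table Thumbprint, Subject, Issuer, NotAfter
    # Test-ForwarderCertChain -Thumbprint '<thumbprint>'      # placeholder
    # Test-CollectorReachable -ComputerName $Collector -TcpPort $Port
    # Get-AdtAgentEvents | Format-Table -AutoSize
    ```

    If `ChainOK` is false with `UntrustedRoot` in `ChainStatus`, the forwarder is presenting a certificate the collector side cannot validate either, which matches the 0x80090325 symptom; if the chain builds but `TcpTestSucceeded` is false, the problem is the network path rather than PKI.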

  • Administer untrusted domain

    I'm trying to administer users in an untrusted domain from my PC.
    I use the below CMD line and I'm able to get ADUC running. Doing some tasks in ADUC gives me the error "The specified domain either does not exist or could not be contacted."
    C:\Windows\System32\runas.exe /netonly /user:UntrustedDomain\user "mmc dsa.msc /server=1.1.1.1"

    Hi,
    If you want to access the other domains, you have to configure a trust relationship.
    For more detailed information, please refer to:
    http://windowsitpro.com/windows-server/how-do-i-configure-trust-relationship
    Regards.
    Vivian Wang

  • Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."

    Hi,
    Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."
    DC:windows Server 2008 R2
    Domain functional level:Windows Server 2003
    When WinXP joins the domain, there is no such error message.
    I checked http://support.microsoft.com/kb/2018583?wa=wsignin1.0 but it doesn't work.
    There are 3 suggestions in this article:
    1. The "Disable NetBIOS over TCP/IP" checkbox has been disabled in the IPv4 properties of the computer being joined.
    Doesn't work.
    2. Connectivity over UDP port 137 is blocked between the client and the helper DC servicing the join operation in the target domain.
    On my DC, I ran netstat -an, result as below:
     UDP    192.168.20.3:137       *:*
    3. The TCP/IPv4 protocol has been disabled so that the client being joined or the DC in the destination domain targeted by the LDAP BIND is running TCP/IPv6 only.
    We are not using IPv6.
    This server was recently upgraded from Windows Server 2003 to Windows Server 2008 R2. Before the upgrade, when Win7 and Win2008 joined this domain, they also had the same error message.
    Please help to check this issue.
    Thank you very much.
    BR
    Guo YingHui 

    Hi Guo Ying,
    I have faced this critical error, which over-writes the host names in the domain when you join.
    For example: you already had a host name called PC.domain.com in the domain.com domain.
    When you try to add another host name called PC to the domain.com domain, it doesn't give you the duplicate name error on the network; it over-writes the existing host name called PC.domain.com and adds the new host name into the domain.
    The host name which got over-written gets removed from the domain. I faced this issue in my project. My DPM host name got removed from the domain and the new host name got joined into the domain, which halted my backups for one day.
    The final resolution is as follows:
    You need to start the DNS console on the DC and drop down the domain name.
    Select _msdcs; when you click on _msdcs it will show the Name Servers list on the right hand side.
    You need to add the Domain Naming Master under _msdcs, or add all the domain controllers which you have.
    After you add the Name Servers, try joining the PC or laptop to the domain, which then joins successfully.
    Regards
    Anand S
    Thanks & Regards Anand Sunka MCSA+CCNA+MCTS
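    The two things the reply above asks you to inspect by hand (the NS records under `_msdcs` and whether the name being joined already exists) can be checked from a workstation before the join, so that a stale computer object is found rather than silently replaced. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and PowerShell 3 or later (for `Resolve-DnsName` and `-notin`), and `domain.com` and `PC` are the placeholders used in the reply.

    ```powershell
    # Added pre-join check; not part of the original reply.
    $Domain  = 'domain.com'   # placeholder from the reply above
    $NewName = 'PC'           # name of the computer about to be joined

    # 1. Compare the NS records published under _msdcs.<domain> with the DCs that exist.
    #    The reply's fix was to add the missing DCs here.
    function Compare-MsdcsNameServers {
        param([Parameter(Mandatory)][string]$DomainName)
        $ns = Resolve-DnsName -Name "_msdcs.$DomainName" -Type NS -ErrorAction Stop |
              Where-Object { $_.Type -eq 'NS' } |
              ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() }
        $dcs = Get-ADDomainController -Filter * -Server $DomainName |
               ForEach-Object { $_.HostName.ToLower() }
        [pscustomobject]@{
            PublishedNS   = @($ns)
            DomainCtrls   = @($dcs)
            MissingFromNS = @($dcs | Where-Object { $_ -notin $ns })
        }
    }

    # 2. Can the client find a DC via the LDAP SRV record the join uses?
    function Get-DcSrvRecords {
        param([Parameter(Mandatory)][string]$DomainName)
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight
    }

    # 3. Does a computer object with this name already exist? Finding it here is
    #    what prevents the over-write the reply describes; decide deliberately
    #    whether to retire the old object instead of letting the join replace it.
    function Find-ExistingComputer {
        param([Parameter(Mandatory)][string]$DomainName, [Parameter(Mandatory)][string]$Name)
        Get-ADComputer -Server $DomainName -Filter "Name -eq '$Name'" `
            -Properties DNSHostName, LastLogonDate, OperatingSystem |
            Select-Object Name, DNSHostName, LastLogonDate, OperatingSystem, DistinguishedName
    }

    # Usage
    Compare-MsdcsNameServers -DomainName $Domain
    Get-DcSrvRecords -DomainName $Domain | Format-Table -AutoSize
    $existing = Find-ExistingComputer -DomainName $Domain -Name $NewName
    if ($existing) {
        Write-Warning "'$NewName' already exists in $Domain (last logon $($existing.LastLogonDate)); joining will replace it."
        $existing | Format-List
    }
    ```

    A non-empty `MissingFromNS` is the condition the reply corrects in the DNS console; a non-empty `$existing` is the case where the join would have overwritten a live machine such as the DPM server mentioned above.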
