Query related to UPN Suffix in Hierarchical domain architecture in Active Directory deployment
This is regarding a query related to UPN suffixes in a hierarchical domain architecture in an Active Directory deployment.
We use an LDAP query (filter uPNSuffixes=* for the parent domain DN) to retrieve the UPN suffixes configured in the AD domain. This returns the UPN suffixes configured for the entire domain tree (UPN suffixes of the parent domain and all the child domains) in the hierarchy. The AD Domains and Trusts configuration lists all the UPN suffixes as part of the DNS root domain.
For one of our implementations, we need to distinguish between the UPN suffixes belonging to the parent and child domains and map the UPN suffixes to the respective domain in the hierarchy. As the UPN suffixes are stored as part of the root domain in the AD Domains and Trusts configuration, it was not clear how to retrieve the information specific to each domain in the hierarchy.
It would be helpful if you could provide pointers on how to obtain the above mapping for the UPN suffixes in a hierarchical domain setup.
Thank you,
Durgesh
By default, you can use only the domain name as UPN suffix for user accounts you create within the domain. It is possible to add extra UPN suffixes but these are added at the forest level and not specific to a domain.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
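The question asks for a per-domain mapping of UPN suffixes, and the reply explains that each domain's own DNS name is its default suffix while any extra suffixes are defined forest-wide. The following is an added Python example (not code from the original thread, and not a Microsoft tool) that builds exactly that mapping from the objects an LDAP client would read: the uPNSuffixes attribute of CN=Partitions,CN=Configuration,<forest root> for the forest-wide alternatives, and the crossRef objects under that container for each domain's dnsRoot and nETBIOSName. The forest root DN, the domain names and the suffix values are constructed sample data. The resulting map is then used to classify a UPN's suffix and to reject UPNs carrying a suffix the forest does not issue at all, which is the check an identity-mapping layer should make before trusting a UPN.

```python
"""Map the UPN suffixes of an AD forest to the domains that can use them.

Added example for the thread above; it is not code from the original post.
Instead of a live LDAP search it works on constructed stand-ins for the
objects such a search would return: the Partitions container (whose
uPNSuffixes attribute holds the alternative suffixes added in AD Domains
and Trusts, forest-wide) and the crossRef objects beneath it, one per
domain, carrying the domain's dnsRoot and nETBIOSName.
"""
from dataclasses import dataclass

# Where a live query would look (the forest root DN is an assumed placeholder).
SEARCH_BASE = "CN=Partitions,CN=Configuration,DC=corp,DC=example"
SUFFIX_FILTER = "(uPNSuffixes=*)"

# Constructed sample data: a root domain CORP with one child domain EMEA and
# two alternative suffixes defined at the forest level.
PARTITIONS_CONTAINER = {
    "dn": SEARCH_BASE,
    "uPNSuffixes": ["example.com", "Mail.Example"],
}
CROSSREFS = [
    {"nETBIOSName": "CORP", "dnsRoot": "corp.example"},
    {"nETBIOSName": "EMEA", "dnsRoot": "emea.corp.example"},
    # Non-domain partitions (configuration, schema, application NCs) carry no
    # nETBIOSName and must be skipped.
    {"dnsRoot": "corp.example", "nCName": "CN=Configuration,DC=corp,DC=example"},
]


@dataclass
class SuffixInfo:
    kind: str            # "domain": a domain's own DNS name; "forest": alternative suffix
    domains: list[str]   # NetBIOS names of the domains whose users may carry the suffix


def build_suffix_map(partitions: dict, crossrefs: list[dict]) -> dict[str, SuffixInfo]:
    """Return {suffix (lower-case): SuffixInfo} for every suffix the forest issues."""
    domain_crossrefs = [cr for cr in crossrefs if "nETBIOSName" in cr]
    all_domains = [cr["nETBIOSName"] for cr in domain_crossrefs]
    suffix_map: dict[str, SuffixInfo] = {}
    # Alternative suffixes live on the Partitions container and apply to every domain.
    for suffix in partitions.get("uPNSuffixes", []):
        suffix_map[suffix.lower()] = SuffixInfo("forest", list(all_domains))
    # Each domain's DNS name is its implicit suffix and belongs to that domain only;
    # it is recorded second so the domain entry wins if the name is also listed above.
    for cr in domain_crossrefs:
        suffix_map[cr["dnsRoot"].lower()] = SuffixInfo("domain", [cr["nETBIOSName"]])
    return suffix_map


def resolve_upn(upn: str, suffix_map: dict[str, SuffixInfo]) -> tuple[str, list[str]]:
    """Classify the suffix of a UPN and name the domains it can belong to.

    Raises ValueError for a malformed UPN or for a suffix the forest does not
    issue, so a caller never accepts a UPN with a foreign suffix.
    """
    if upn.count("@") != 1:
        raise ValueError(f"malformed UPN: {upn!r}")
    user, suffix = upn.split("@")
    if not user or not suffix:
        raise ValueError(f"malformed UPN: {upn!r}")
    info = suffix_map.get(suffix.lower())   # suffixes compare case-insensitively
    if info is None:
        raise ValueError(f"suffix {suffix!r} is not defined in this forest")
    return info.kind, info.domains


if __name__ == "__main__":
    mapping = build_suffix_map(PARTITIONS_CONTAINER, CROSSREFS)
    for suffix, info in sorted(mapping.items()):
        print(f"{suffix:20} {info.kind:6} {', '.join(info.domains)}")
    print(resolve_upn("alice@EMEA.corp.example", mapping))
```

With a real directory the two constants above are the search base and filter for the forest-wide suffixes; the crossRef objects are read from the same container, and only those with a nETBIOSName are domains. A suffix that resolves to kind "forest" cannot be attributed to one domain from the suffix alone, which is the limitation the reply describes.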
Similar Messages
Policy domain root for Active directory
Does anyone know how to configure policy domain root in Active directory ?.
I am installing COREid Access policy manager which needs a policy domain root input during the web interface configuration.
Please, someone help in resolving this issue.
Hi,
I might help if you can give the exact description of the issue that you are getting. However, I have encountered a similar or exact problem to the one you are having. Let me know which LDAP directory you are using with your CoreID install.
Mac show up as domain controllers in Active directory
Anybody had a Tiger Intel machine show up as a domain controller in Active Directory?
Hi Daniel,
Might be the obvious, but is the time inside your VPC Windows also off by these six hours?
Maybe a simple setting of the 'Windows Time' to the correct time is needed.
Nonetheless I don't think that the different/future time will be affecting your databases in any way.
Regards
Stefan
Policy domain root for Active Directory
I am setting up the Access Manager with Active Directory. But during web configuration, it prompts for a policy domain root. I chose to go ahead with the default value (i.e. /). But it is returning me the following error:
"Error in setting Policy Domain Root."
Please, someone help out in resolving this issue.
Hi Nataraj,
I know what your problem is. Go to the computer running Active Directory, open "Active Directory Domains and Trusts" under Start -> Administrative Tools. Right-click on your domain shown and choose "Raise Domain Functional Level"; you might need to do this three to four times before this takes effect.
Then in the same window, right-click on "Active Directory Domains and Trusts" and choose "Raise Forest Functional Level"; you might need to do this three times as well.
This will solve your problem; unfortunately you'll have to reinstall Access/Policy Manager. I have had this problem many times and this solved it. I am assuming you are using Windows 2003 Enterprise Server.
Rgds,
Boland
Difference between Windows NT domain registry and Active Directory registry
What are the difference(s)?
Frank, thanks for your response :)
I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service.
In my configuration the requirement is to make WebSphere Application Server use Microsoft's Active Directory.
While I was going through the (WebSphere) documentation, I saw the following note:
"With Windows NT domain registry support for Windows 2000 and 2003 domain controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not supported by Windows NT domain registry. The Active Directory is a centralized control registry."
You can find the above note at this link (somewhere after the 7th line):
http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
Does it mean that they are recommending to use Active Directory over Windows NT (which is an older approach) with Windows Server 2000 or Windows Server 2003 because Active Directory is more advanced?
I was under the impression that Active Directory started with Microsoft Windows Server 2003 and the Windows NT registry was used until Windows 2000 Server.
After going through the above links:
The Windows NT registry is an old method. However, it is compatible with Windows Server 2000 and Windows Server 2003, but it is recommended to use Active Directory with Windows Server 2003 as it is more advanced. And the same is recommended in the WebSphere documentation (I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003; however, this is to clear a doubt). Is my understanding correct? And does Windows Server 2000 also support both, i.e. we can use either the Windows NT registry or Active Directory, and similarly, either of them (Windows NT or Active Directory) could be used with Windows Server 2003?
And if I got it correct, are Windows NT and Active Directory both directory service offerings from Microsoft, with NT being an old method and Active Directory being a new/advanced approach?
Step by step process to create domain name and active directory in windows 7 64 bit
Step by step process to create domain and active directory in windows 7 64 bit
I work in an organization.
I want to create a domain named SBBYDP and make it the server for other computers.
I want all users to have a personal account while they use any computer from this organization; even if they use any computer from this network, they use their own account to log in to the network.
And this may be in the Active Directory option.
I installed Windows 7 Professional edition 64-bit.
Can any person help me? Step by step process; I am always thankful to all of you.
Hi,
You must use the Windows Server platform for the AD service; you can refer to the following KB first:
Active Directory
http://technet.microsoft.com/en-us/library/bb742424.aspx
AD DS Deployment Guide
http://technet.microsoft.com/zh-cn/library/cc753963(v=ws.10).aspx
Hope this helps.
SQL Query to get All AD Groups and its users in Active Directory
Hi,
Is there any query to get all AD groups and their users in an instance of SQL Server?
Check this blog.
http://www.mikefal.net/2011/04/18/monday-scripts-%E2%80%93-xp_logininfo/
It will give you more than what is required. If you don't want the extra information, then you can try this. I took the query and removed the bits that you might not require.
-- Table variable matching the five columns xp_logininfo returns for 'members'
declare @winlogins table
(
    acct_name  sysname,       -- Windows account name of the member
    acct_type  varchar(10),   -- 'user' or 'group'
    act_priv   varchar(10),   -- 'admin' or 'user'
    login_name sysname,       -- login name the account maps to
    perm_path  sysname        -- group through which the permission is granted
)
declare @group sysname

-- Walk every Windows group login on the instance, skipping the built-in NT groups
declare recscan cursor for
    select name from sys.server_principals
    where type = 'G' and name not like 'NT%'
open recscan
fetch next from recscan into @group
while @@FETCH_STATUS = 0
begin
    -- Expand the group membership as reported by the domain
    insert into @winlogins
    exec xp_logininfo @group, 'members'
    fetch next from recscan into @group
end
close recscan
deallocate recscan

-- Join back to the principals so each member row is listed under its group
select
    u.name,
    u.type_desc,
    wl.login_name,
    wl.acct_type
from sys.server_principals u
inner join @winlogins wl on u.name = wl.perm_path
where u.type = 'G'
order by u.name, wl.login_name
Regards, Ashwin Menon My Blog - http:\\sqllearnings.com
Hello Community
"forestA" is my forest; it is a Windows 2008 Server Enterprise Edition domain controller using Active Directory and the UI.
In my forest ("forestA") trust relationship I created a "One-Way, Outgoing" forest trust with forest-wide authentication so that a different forest's user(s) or group(s), with a different admin, in a forest named "forestB" can access the resources in my "forestA".
But also forestB needs to create a "One-way, Incoming" forest trust so that I can either add the user(s) or group(s) from "forestB" into a "Global Security Group" in my "forestA" or I can add user(s) as "domain user(s)" from "forestB" into my "forestA".
The problem is that when I right-click the global group in my forestA and then Properties, when I click "Members" and then the "Add" button and type "forestB\username" I get an error message from Active Directory stating:
"the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
Am I doing something wrong when creating the one-way trust in my "forestA" or is the one-way trust being created wrong by the other domain admin in the other "forestB"?
Or could I possibly need to select "Change Domain" or "Change Domain Controller" before adding the users or groups to my forestA from forestB?
That is why I am asking: how do you add an Active Directory user from one forest into another forest?
Thank you
Shabeaut
Hello Denis Cooper
That is the end result.
What I was trying to do was to bring in the user(s) and group(s) from "forestB" into my "forestA" global group.
Later on I was going to add the user(s) or global group(s) that I brought into my DC in my forestA into the domain local groups on my member servers in my forestA.
So since the error message is:
"the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
Does your response mean only global group(s) from forestB, not domain user(s) from forestB, have to be added to domain local groups in forestA?
Or is it also possible to add global group(s) from "forestB" to global group(s) in my "forestA" and if so, how, without getting the above error message?
Thank you
Shabeaut
Active Directory Cross Forest Domain Migration
Dear All,
We are in the process of rebuilding a new Active Directory infrastructure. There are multiple single-forest domains in the organization which need to be consolidated/migrated into a single Active Directory domain. For this consolidation, we have some queries to be addressed before going to start the consolidation.
What are the best practices and what tool should we use for domain migration/consolidation?
Active Directory is on Windows 2003; the forest and domain level is Windows 2003. Will this support the Windows 2012 R2 forest and domain functional level? Will it be migrated directly from Windows 2003 to Windows 2012?
When we move users to the new domain, how will they access the other resources on the network, e.g. printers, file servers, local web-based applications?
After moving some computers to the new domain, would it be possible to access the remaining computers on the old domain?
How will the file server data be moved? Best practices with NTFS folder permissions and user rights?
Is there any policy to register network printers on the new Active Directory domain?
How would users access web-based applications on the new domain as their FQDN would be defined with the old domain name? Any option to change the old domain FQDN to the new domain that could be described with any URL link?
Kindly give your valuable input to meet the desired result.
Thanks in advance.
Dear Lucky,
Ya, you can migrate contents from multiple forest domains. Using ADMT (Active Directory Migration Tool) is the best way to migrate AD content. But you can't migrate from Windows Server 2003 to Windows Server 2012 R2, because Windows Server 2012 R2 doesn't have supportability for Windows Server 2003. And not only users; you can also migrate all other info (i.e. computer object info, group info, Exchange mailbox info, security info). You can migrate users face by face, meaning the people who are in the old domain can access the old domain and new users are in the new domain. For more info please follow the given link:
http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
Mithun Dey Web: http://cloudmithun.wordpress.com If this gives your necessary resolution please mark it as Answer.
Active Directory Domain Controllers using Virtual Servers
Hi,
I want to place a new SAP landscape in a child domain of the Active Directory forest. Due to an ordering error I am short two servers.
Basically I am thinking about installing a virtual server on each of the development servers and using the virtual server installation to run as Active Directory domain controllers.
I know SAP does not recommend using SAP servers as domain controllers, but as these are separate servers with their own defined resources, it should not be a factor if the servers are sized with enough spare capacity.
Can anyone think of any other major issues that would cause me further issues?
TIA
Chris aka BoobBoo
Should be no problem, but please don't try to put the host operating system in the domain for which its own guests will provide the domain controllers.
peter
Install Domain Controller, Active Directory, RemoteApps on Single Server?
Have a server that I want to experiment with RemoteApps. Documentation I have read states you need to have a Domain Controller set up with AD on one server, and have a second server to install all the RemoteApps requirements. Is this true or can this all be done on one server?
If I need a separate server for the Domain Controller and Active Directory, can I assume that a low-end server would be sufficient? Or would using Hyper-V with a single hardware server and creating two virtual machines, one as the DC/AD and the other to run RemoteApps, be a possible solution? Any advice?
It really depends, to be honest. I'd probably go something like this though:
One small physical server to act as a domain controller - you could put DHCP on this too
One or two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined.
Then for your VMs create the following:
1 x additional domain controller
For Remote Desktop Services:
1 x Remote Desktop Session Host
1 x Connection Broker
1 x Gateway and web server
For additional services:
1 or 2 x Exchange
1 x SharePoint
1 x IIS
But it really depends what you want to achieve.
The benefit from virtual machines is that you can keep separate virtual servers for separate applications.
If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance.
Hope this helps you a bit more. And thanks for the positive blog feedback - it's appreciated.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
Hey Everyone! I can't figure out how to add a domain to my iBook. I try using Directory Access (where I can add a workgroup if I wanted) and clicked on Active Directory. I input all the information, but it's not working. Does anybody know another way to add a domain or configure Active Directory to work on my Mac? I know I have all the info correct because my PC is on the same domain. In advance, thanks!
-Atowner
Hi JuniorNM,
Welcome to Apple Discussions!
When you try to log into a Windows 2003 server from a Mac, the server will respond with a credentials request, the same as if it were a PC.
Username/password need to be entered to gain access.
The comment you've made about "The alias "comercial2" could not be opened" is saying the "shortcut" to the networked volume is not accessible because either the path is bad or the credentials are wrong.
If the location of the original item has not changed since the alias was made, then most likely the password has been changed in the PC world. You can use any valid PC account to access the server when using the Mac to log in to the 2003 server.
When that happens a new alias will have to be made because the alias stores the access request data also.
(All this has nothing to do with Active Directory unless your computer has been added to the A/D forest.)
Also:
Adding a PC to a domain has nothing to do with using Active Directory except that the account adding the computer to the domain must have the privileges to add computers to the domain. Active Directory will allow a user account to access an individual PC (or groups) and control what the user can and can't do.
I hope this helps.
Query relating to the creation of Managed Service Accounts
Hi Folks
I am studying for my 70-411 exam and have a query relating to the creation of Managed Service Accounts.
I have successfully created an MSA account named 'MSATest' on a DC using:
new-adserviceaccount -name msatest -dnshostname home-dc-01 -passthru
and
add-AdcomputerServiceAccount -identity home-ap-01 -serviceaccount msatest -passthru
However, the guide that I am using now says that I need to run Install-ADServiceAccount on the host computer in the domain to install the MSA and make it available for use by services.
So on my member server (home-ap-01) I have installed the Active Directory Module for powershell and ran:
PS C:\Users\administrator.PCECORP> Install-ADServiceAccount -Identity msatest
Install-ADServiceAccount : Cannot install service account. Error Message: 'An
unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount -Identity msatest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (msatest:String) [Install-ADServiceA
ccount], ADException
+ FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:Install
ServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.Insta
llADServiceAccount
PS C:\Users\administrator.PCECORP>
However, this errors. Have I misunderstood the purpose of Install-ADServiceAccount, or am I doing something wrong?
Thanks in advance for your help.
Try using the -RestrictToSingleComputer parameter when creating the service account with New-ADServiceAccount.
Gleb.
Hi Gleb
Thank you for your help, it is appreciated. That did the trick.
All the best.
Hello All,
We are in process of implementing Exchange 2013 in our Organization and had a Query related to GAL.
Below is our Environment description:
01. We have a Single Forest and Single Domain Architecture.
02. We will have separate Active Directory Sites for all 3 Regions across Global.
03. Exchange 2013 will be installed in each region.
04. In APAC region Exchange 2013 Language pack for Japanese will be installed to support Japanese language.
Our Requirement:
================
01. When a Japanese User tries to browse GAL all the display names have to be displayed in Japanese language and when a user who resides other Region (Europe or AMERICAS) tries to browse GAL the Address list has to be displayed in default English Language.
Can someone guide us on how this can be achieved?
Awaiting for all your suggestions.
Thanks in advance.
Thanks & Regards,
Nagaraj N
Hi Nagaraj,
Here are some requirements that I am still not quite sure about. Could you please provide more information about them? Such as:
1. Do you mean one user has two display names: one in Japanese used for users in Japan, one in English used for English users? Then we filter address lists by language difference. Based on my knowledge, one email address is generally involved for one display name.
2. If there are both Japanese users and English-language users in the forest, and you just need Japanese users to view users whose name is displayed in Japanese, we can use Address Book Policies (ABPs) to segment users into specific groups to provide customized views of your organization's global address list (GAL).
To show a different GAL to different users, we can specify the CustomAttribute1-15 property to divide your organization. For example, we can set the CustomAttribute15 property for Japanese users to Japan. Just like:
Set-Mailbox -Identity JapanUser1 -CustomAttribute15 Japan
Then we can create a global address list for Japanese users that includes all of the recipients that exist in the address lists and room address list:
New-GlobalAddressList -Name "GAL_Japan" -RecipientFilter {(CustomAttribute15 -eq "Japan")}
For detailed steps about how to create and apply the Address Book Policies, please refer to:
http://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
Hope it helps.
Regards,
Winnie Liang
TechNet Community Support
Will the Power BI Analysis Services Connector work if AD and AAD UPN suffixes don't match?
We are using Azure Active Directory, AD FS, and DirSync with
Alternate Login IDs, which means that our on-prem usernames have a different UPN suffix from our AAD usernames.
Will the Power BI Analysis Services Connector work in this setup? Or do the AD and AAD UPN suffixes absolutely have to match?
Hey Adam,
From SSAS, we simply query AD by passing the UPN we receive from AAD. As long as AD can find a match, it'll work.
So if there is a way in AD to map a particular UPN to another value, it'll work.
For example: for a user A, her on-premises UPN is '[email protected]' but she uses '[email protected]' as her email address. From AAD we'll receive '[email protected]' and since AD knows that this is the same as '[email protected]', effective user name will work.
Hope this clarifies! Let me know if you have more questions.
-mini