Query related to UPN Suffix in Hierarchical domain architecture in Active Directory deployment

Similar Messages

• Policy domain root for Active directory

  Does anyone know how to configure policy domain root in Active directory ?.
  I am installing COREid Access policy manager which needs a policy domain root input during the web interface configuration.
  Please some one help in resolving this issue.

  Hi,
  I might help if can give the exact description of the issue that you are getting. However I have encountered similar or exact problem that you are having. Let me know whci ldap directory you are using with your CoreID install.

• Mac show up as domain controllers in Active directory

  Anybody had a tiger intel machine show
  up as a domain controller in active directory....

  Hi Daniel,
  might be the obvious, but is the Time inside your VPC Windows also off by these six hours ?
  Maybe a simple setting of the 'Windows Time' to the correct time is needed.
  Nonetheless I don't think that the different/future time will be affecting your databases in any way.
  Regards
  Stefan

• Policy domain root for Activer directory

  I am setting up the access manager with active directory . But during web configuration ,it prompts for providing a policy domain root. I choose go ahead with default vlaue (i.e /). But it is returning me following error.
  "Error in setting Policy Domain Root."
  Please some one help out in resolving this issue.

  Hi Nataraj,
  I know what your problem is. Go to the computer running Active Directory, open "Open Active Directory Domains and Trusts" under Start -> Administrative tools. Right click on your domain shown and choose "Raise Domain to Functional level", you might need to this three to four times before this takes effect.
  Then on the same window, right click on "active directory domains and trusts" and choose "Raise Forest functional Level", you might need to do this three times as well.
  This will solve your problem, unfortunately you'll have to reinstall Access/Policy Manager. I have had this problem many times and this solved it. I am assuming you are using Windows 2003 Enterprise server.
  Rgds,
  Boland

• Difference between Windows NT domain registry and Active Directory registry

  What are the difference(s) ?

  Frank, thanks for your response :)
  I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service. 
  In my configuration the requirement is to make WebSphere Application server to use Microsoft's Active Directory. 
  While I was going through (WebSphere) documentation, I see following note.
  " With Windows NT domain registry support for Windows 2000 and 2003 domain
  controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers
  because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not support by Windows NT domain registry. The Active Directory is a centralized control registry."
  You can find the above note in this link (somewhere after 7th line)
  http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
  Does it mean that they are recommending to use Active Directory over Windows NT (which is an older approach) with windows server 2000 or windows server 2003 because Active directory is
  advanced ?
  I was under the impression that, Active Directory was started with Microsoft Windows Server 2003 and Windows NT registry was used till Windows 2000 server.
  After going through above links, 
  Windows NT registry in an old method. However, it is compatible with Windows Server 2000 and Windows server 2003 but it is recommended to use Active directory with Windows Serve 2003 as it is more advanced. And the same is recommended in WebSphere documentation
  (I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003 however this is to clear doubt). Is my understanding correct ? And does windows server 2000 also support both i.e we can use either Windows
  NT registry or Active directory and similarly, Either of them (Windows NT or Active Directory) could be used with Windows Server 2003 ?
  And if I got it correct, Is Windows NT and Active Directory, both directory service offering from Microsoft? While NT being an old method and Active Directory being a new/advanced approach ?

• Step by step process to create domain name and active directory in windows 7 64 bit

  Step by step process to create domain and active directory in windows 7 64 bit
  I work in an organization
  I want to create a domain name SBBYDP and make it server for other computers
  I want that, all users’ have a personal account while they use any computer from this organization, even they use any computer from this network they use their own account to login to network.
  And this may be in Active directory option.
  I installed windows 7 professional edition 64 bit
  Can any person help me? Step by step process, I always thanks full all of you

  Hi,
  You must use the Windows Server platform system for the AD service, you can refer the following KB first:
  Active Directory
  http://technet.microsoft.com/en-us/library/bb742424.aspx
  AD DS Deployment Guide
  http://technet.microsoft.com/zh-cn/library/cc753963(v=ws.10).aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SQL Query to get All AD Groups and its users in Active Directory

  Hi,
     Is there any query to get all AD groups and its user in an instance of a SQL server?

  Check this blog.
  http://www.mikefal.net/2011/04/18/monday-scripts-%E2%80%93-xp_logininfo/
  It will give you more than what is required. If you dont want the extra information,then you can try this.. I took the query and removed the bits that you might not require.
  declare @winlogins table
  (acct_name sysname,
  acct_type varchar(10),
  act_priv varchar(10),
  login_name sysname,
  perm_path sysname)
  declare @group sysname
  declare recscan cursor for
  select name from sys.server_principals
  where type = 'G' and name not like 'NT%'
  open recscan
  fetch next from recscan into @group
  while @@FETCH_STATUS = 0
  begin
  insert into @winlogins
  exec xp_logininfo @group,'members'
  fetch next from recscan into @group
  end
  close recscan
  deallocate recscan
  select
  u.name,
  u.type_desc,
  wl.login_name,
  wl.acct_type
  from sys.server_principals u
  inner join @winlogins wl on u.name = wl.perm_path
  where u.type = 'G'
  order by u.name,wl.login_name
  Regards, Ashwin Menon My Blog - http:\\sqllearnings.com

• Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

  Hello Community
      "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
  domain controller using Active Directory and the UI.
      In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
  forest trust with Forest-Wide authentication so that a different forest user(s) or
  group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
      But also forestB needs to create a "One-way, Incoming" forest trust so that
  I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
  in my "forestA" or I can
   add user(s)  as  "domain user(s)" from “forestB” into my "forestA".
      The problem is that when I right click  the global group in my forestA  and then
  properties, when I click "Members" and then the "Add" button when I type
  "forestB\username" I get an error message from Active Directory stating:
      "the following object is not from a domain listed in the Select location
  dialog box, and is therefore not valid: forestB\username".
      Am I doing something wrong when creating the one-way trust in my
  “forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
      Or could I possibly need to select "Change Domain" or "Change Domain Controller"
  before adding the users or Groups to my forestA from forestB?
      That is why I am asking
   how do you add an Active Directory user from one forest into another forest?
      Thank you
      Shabeaut

  Hello Denis Cooper
      That is the end result.
      What I was trying  to do was that I was trying to
   bring in the user(s) and group(s) from “forestB”  into
  my “forestA”  Global group.
      Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
   into the domain local groups  on my member servers in my forestA.
      So since the error message is:
  "the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
  Does your response
   mean only Global group(s) from forestB not domain user(s) from forestB have
   to been added to domain local groups in forestA?
  Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
  how without getting the above error message?
  Thank you
      Shabeaut

• Active Directory Cross Forest Domain Migration

  Dear All,
  We are in the process to rebuild new Active Directory infrastructure. Multiple single forest domains in organization which needs to be consolidated/migrated on single Active Directory Domain. For this consolidation, have some queries to be addressed before
  going to start consolidation.
  What is the best practices and what tool should we use for domain migration/consolidation
  Active directory is on Windows 2003, forest and domain level is on Windows 2003, this will support to Windows 2012 R2 forest and domain functional level, will be migrated
  directly from windows 2003 to windows 2012?
  When move users to new domain, how will they access the other resources on the network. For e.g. Printer, File server, local web base application
  After moving some computers to new domain would be possible to access remaining computers on old domain?
  How the file server data will be moved? Best practices with NTFS folder permissions and users rights?
  Is there any policy to register network printers on new Active Directory domain?
  How users would be access web base application on new domain as their FQDN would be define with old domain name? Any option to change old domain FQDN with new domain that would be describe with any URL link?
  Kindly give your valuable input to meet the desire result.
  Thanks in Advance.

  Dear Lucky,
   Ya you can Migrate contents from multiple forest domain. Using ADMT (Active Directory Migration Tool)is the best way to migrate AD content. But you can't migrate from Windows Server 2003 to Windows Server 2012 R2, cause in Windwos Server 2012 R2 don't
  have the supportebility of Windows Sever 2003.And not only users you can also migrate all others info (i.e. Computer object info, groups info, Exchange mailbox info, security info).You can migrate users face by face, means which peoples are in old domain they
  can access old domain and new users are in new domain.For more info please follow the given link:
  http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
  Mithun Dey Web: http://cloudmithun.wordpress.com If this may give your necessary resolution please mark it as Answre.

• Active Directory Domain Controllers using Virtual Servers

  Hi,
  I want to place a new SAP landscape in a child domain of the Active Directory forest. Due to an ordering error I am short two servers.
  Basically I am thinking about installing a virtual server on each of the development servers and using the virtual server installation to run as Active Directory Domain controllers.
  I know SAP do not recommend using SAP servers to be used as domain controllers, but as these are separate servers with their defined resources, it should not be a factor if the servers are sized with enough spare capacity.
  Can anyone think of any other major issues that would cause me an further issues.
  TIA
  Chris aka BoobBoo

  should be no problem, but please don't try to put the host-operating system in the domain for which their own guests will provide the domain controlers.
  peter

• Install Domain Controller, Active Directory, RemoteApps on Single Server?

  Have a server that I want to experiment with RemoteApps.   Documentation I have read state you need to have a Domain Controller setup with AD on one server, and have a second server to install all the RemoteApps requirements. Is this true or can
  this all be done on one server.
  If I need a separate server for the Domain Controller and Active Directory, can I assume that a low end server would be sufficient?  Or would using Hyper-V with a single hardware server and create two virtual machines: one as the DC/AD, and the other
  to run Remote Apps be a possible solution.  Any advice?

  it really depends to be honest. I'd probably go something like this though:
  One Small physical server to act as a domain controller - you could put DHCP on this too
  One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined. 
  Then for your VM's create the following:
  1 x additional domain controller
  For remote desktop services:
  1 x Remote Desktop Session Host
  1 x Connection Broker
  1 x Gateway and web server
  For additional services
  1 or 2 x Exchange
  1 x sharepoint
  1 x IIS
  but it really depends what you want to achieve. 
  The benefit from Virtual machines is that you can keep separate virtual servers for separate applications. 
  If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance. 
  Hope this helps you a bit more. And thanks for positive blog feedback - its appreciated. 
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn:

• Domain/Active Directory

  Hey Everyone! I can't figure out how to add a domain to my ibook. I try using Directory access (where i can add a workgroup if i wanted) and clicked on active directory. i input all the information, but its not working. Does anybody no another way to add a domain or Configure active directory to work on my mac. I know i have all the info correct because my PC is on the same domain. In advance thanks!
  -Atowner

  Hi JuniorNM,
  Welcome to Apple Discussions!
  When you try to log into a Windows 2003 server from a Mac, the server will respond with a credentials request, same as if it were a PC.
  Username/password need to be entered to gain access.
  The comment you've made about "The alias "comercial2" could not be opened" is saying the "Shortcut" to the networked volume is not accessible because either the path is bad or the credentials are wrong.
  If the location to the origianl item has not changed when the alias was made, then most likely the password has been changed in the PC world. You can use any valid PC account to access the server when using the Mac to log in to the 2003 server.
  When that happens a new alias will have to be made because the alias stores the access request data also.
  (All this has nothing to do with Active directory unless your computer has been added to the A/D forest).
  Also:
  Adding a PC to a domain has nothing to do with using Active Directory except the account adding the computer to the domain must have the priviledges to add computers to the domain. Active Directory will allow a user account to access an individual PC (or groups) and control what the user can and can't do.
  I hope this helps.

• Query relating to the creation of Managed Service Accounts

  Hi Folks
  I am studying for my 70-411 exam and have a query relating to the creation of Managed Service Accounts.
  I have successfully created an MSA account named 'MSATest' on a DC  using:
   new-adserviceaccount -name msatest –dnshostname home-dc-01 -passthru
  and
   add-AdcomputerServiceAccount -identity home-ap-01 -serviceaccount msatest -passthru
  However the guide that I am using now says that I now need to run:  Install-ADServiceAccount on the host computer in the domain to install the MSA in order to make available it available for use by services.
  So on my member server (home-ap-01) I have installed the Active Directory Module for powershell and ran:
  PS C:\Users\administrator.PCECORP> Install-ADServiceAccount -Identity msatest
  Install-ADServiceAccount : Cannot install service account. Error Message: 'An
  unspecified error has occurred'.
  At line:1 char:1
  + Install-ADServiceAccount -Identity msatest
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : WriteError: (msatest:String) [Install-ADServiceA
     ccount], ADException
      + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:Install
     ServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.Insta
    llADServiceAccount
  PS C:\Users\administrator.PCECORP>
  However this errors, Have I misunderstood the purpose of the Install-ADServiceAccount ?  or am I doing something wrong?
  Thanks in advance for you help.

  Try using  -RestrictToSingleComputer parameter when creating service account with New-ADServiceAccount.
  Gleb.
  Hi Gleb
  Thank you for your help, it is appreciated.  That did the trick.
  All the best.

• Query related to GAL

  Hello All,
  We are in process of implementing Exchange 2013 in our Organization and had a Query related to GAL.
  Below is our Environment description:
  01. We have a Single Forest and Single Domain Architecture.
  02. We will have separate Active Directory Sites for all 3 Regions across Global.
  03. Exchange 2013 will be installed in each region.
  04. In APAC region Exchange 2013 Language pack for Japanese will be installed to support Japanese language.
  Our Requirement:
  ================
  01. When a Japanese User tries to browse GAL all the display names have to be displayed in Japanese language and when a user who resides other Region (Europe or AMERICAS) tries to browse GAL the Address list has to be displayed in default English Language.
  Can someone guide us on how this can be achieved?
  Awaiting for all your suggestions.
  Thanks in advance.
  Thanks & Regards,
  Nagaraj N
  Nagaraj N

  Hi Nagaraj,
  Here are some requirements that I am still not quite sure. Could you please provide more information about it? Such as:
  1. Do you mean one user have two display names: one with Japanese language used for users in Japan, one with English language used for English users? Then we filter address lists with language difference. Based on my knowledge, one email address is generally
  involved for one display name.
  2. If there are both Japanese users and English Language users in the forest, and you just need Japanese users view users whose name is displayed as Japanese language. We can use
  Address book policies (ABPs) to segment users into specific groups to provide customized views of your organization’s global address list (GAL).
  To show different GAL for different users, we can specify the CustomAttribute1-15 property to divide your organizations. For example, we can set the CustomAttribute15 property for Japanese users to
  Japan. Just like:
  Set-Mailbox –Identity JapanUser1 –CustomAttribute15 Japan
  Then we can create global address list for Japanese that includes all of the recipients that exists in the address lists and room address list:
  New-GlobalAddressList -Name "GAL_Japan" -RecipientFilter {(CustomAttribute15 -eq "Japan")}
  For detailed steps about how to create and apply the Address Book Policies, please refer to:
  http://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
  Hope it helps.
  Regards,
  Winnie Liang
  TechNet Community Support

• Will the Power BI Analysis Services Connector work if AD and AAD UPN suffixes don't match?

  We are using Azure Active Directory, AD FS, and DirSync with
  Alternate Login IDs, which means that our on-prem usernames have a different UPN suffix from our AAD usernames.
  Will the Power BI Analysis Services Connector work in this setup? Or do the AD and AAD UPN suffixes absolutely have to match?

  Hey Adam,
  From SSAS, we simply query AD by passing the UPN we receive from AAD. As long as AD can find a match, it'll work.
  So if there is a way in AD to map a particular UPN to another value, it'll work.
  For example: For a user A, her on premises UPN is
  '[email protected]' but she uses '[email protected]' as her email address. From AAD we'll receive
  '[email protected]' & since AD knows that this is same as
  '[email protected]' effective user name will work.
  Hope this clarifies! let me know if you have more questions.
  -mini