R/3 Implmenetation Landscape Local/Domain Installation

Similar Messages

• BPC multi server install local + domain installation

  Hi all,
  Is it possible to install a BPC multi server local + domain installation?
  will be installing BPP app server locally, using local admin
  and install BPC DB server using domain account?
  will that be possible?
  Company wants BPC users to be maintained locally in 1 server, but the DB will be maintained by domain administrator
  THanks!

  Hi Jeb,
  The authentication to IIS level is done with local user but after that all the operation between application server and database server are impersonate and are using the installation user which has full access.
  I hope you stored the webfolders into application server because if you didn't do that again you will have a problem with access.
  File server will be access at is working using NTFS rights.
  So if you store the File Server into db server again you will have access problems because the users from application server will not be able to access the file server.
  If you have File Server into application server then it muust be ok.
  You said the connection wizard is working fine ...so the only problem which I see it seems to be related to file server.
  Check the the rights to Webfolders and make sure you are not into situation mentioned before.
  Regards
  Sorin Radulescu

• R/3 installation local/domain differences

  Hi,
  Client wanted to Implement ECC6 Landscape installation on Windows. My question is during installation which method recomenadable Local/Domain .
  If it is local how the transport" \usr\sap\trans "directory would be shared from across dev,qa,and prod systems.
  In Unix we can use NFS mounts .what about windows if i install local installation.
  For domain installation they need to create a user with domain admin rights . also can create domian groups.
  Which method recomenadable .Since client is fully secured , Also let me know what are the ports need to open to communicate between the systems (dev/qa/prod) and fronend users.
  Thanks in advance,
  kristene

  Hello Kristene,
  Always install SAP in a Domain.  You may want to talk to your Active Directory team regarding their domain structure to select the most appropriate domain if your customer is using a multi-domain architecture.
  The ECC 6.0 installation guide and the Netweaver 2004s installation guides have a section on "How to install SAP if you do not have domain admin access". It is explained in detail. Basically you get your AD team to create the accounts prior to your installation.
  I would recommend you AD team create a new container and delegate control of the container to the Basis team.  You should create all your service accounts in this container.
  If you want to determine which ports to open - you can look at the windows\system32\drivers\etc\services file.  This applies only for ABAP based systems, not Java. If you ask you security team to open 3200-3600, 4800-4801 and 40080-49980 this usually will work.
  Good luck
  NPC

• Converting a local SAP installation into a domain SAP installation

  Hello,
  We plan to convert a local installed SAP system into a domain installed SAP system. Is it just enough to change the user from the services SAPOSCOL and SAP<SID>_nn from local to domain users? If not, what else do I have to do or do we have to do this by a system copy ;-( We use SAP ECC6.0 EHP4.
  Thanks in advance
  Peter

  Hi,
  Would also suggest to check this thread:
  Change from local to domain installation
  We have tried this approach and works fine - saved quite some time and effort. However if you want to go the safe way, please go for a system copy as Sunny suggested. Either way, I recommend a complete backup first
  Regards,
  Srikishan

• "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Kpdn, 
  Thanks for your post.
  All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Local domain, IIS Hosting and SMTP issues.

  I have a local domain on Windows server 2012 with dns, dhcp, iis and smtp. (Yes, I am aware of the dangers of these combinations) it is for learning purposes only and not my main pc. 
  My local domain is willow.run and I am hosting a website, the domain for that is machinerylubricant.com I have IIS 8 installed (6.0 also for smtp) 
  My original issue was getting IIS to send an email to localhost through a php script for a contact form hosted on the website. I finally got to where it appears to be sending the contact form info to my drop folder but I ahve no idea how to get that .EML
  file to actually forward to gmail account or even outlook on my computer/server. 
  In the email file (.eml in drop folder) it says "To: *******@gmail.com" as it is supposed to but that email is not making it to the specified gmail account. Also no error messages in the ph logs or the log files for smtp. How would I go about setting
  up a email program to work on the lan with the acual www domain name I own? 
  I am learning everything at once basically, windows server, coding, protocols etc. Please bare with me.

  Rather than answer your specific question, how about I give you the best way to achieve what you're looking for?
  For inbound messages, you want to use the "aliasdetourhost" keyword. Check the documentation for how this is set up.
  For outbound messages, you want to use the "alternate conversion channel"
  When used together, this will achieve what you're looking for, without the looping that you have generated....
  The alternate conversion channel was written up here:
  http://ims.balius.com/resources/downloads/files/AlternateConversion.pdf

• .local domain and autodiscover issues

  I want to preface this by saying I am a new administrator.
  Our SSL cert recently expired, and since .local domains can no longer be on certs, were registered a CA cert with autodiscover.domain.com and mail.domain.com. This new cert was successfully applied, but whenever someones opens their e-mail they get a warning
  about the name on the server not matching the cert. I
  I'm pretty sure this is juts a few DNS records I need to update but I don't know which ones and really need some guidance.
  Thanks for your time.

  So what you are saying is that his current DNS for company.com (which his internal users use for external access) needs to be duplicated internally, then modified to support his internal email access?  I've set up many systems where internal DNS and
  external DNS hosted the same name, and it is far from simple as "a new zone takes less than a minute to create".  How do you handle internal access to external sites (which is currently working just fine with his external DNS)?
  To answer your question, my recommendation is that his internal clients use AutoDiscover to gain their internal settings. Keep in mind that while the Exchange server may be in the .local domain, the SMTP domain they host is a .com domain. And since his servers
  are in a domain, any domain-attached Outlook client will be able to access the mailbox successfully.
  Just create a new DNS record pointing to the external host.  Or get a new domain name that doesn't have external websites, then create a new DNS zone for that.
  Alright, so with your recommendation - he updates his clients to use Autodiscover, which they are likely already using, to gain internal settings.  And then what do you configure the internal URLs as?  
  For example - Autodiscover.
  You set the AutoDiscoverServiceInternalURI to servername.domain.local -> he still gets a cert prompt every time he opens Outlook.
  You set the AutoDiscoverServiceInternalURI to mail.domain.com to match the certificate -> Now ALL autodiscover requests from all clients are going out to the internet, then back into the Public VIP.  
  Same with EWS.  And this is assuming he's using RPC/TCP rather than HTTP.  So then he's either going to get prompts for cert every time he opens outlook and checks OOF or mailtips, or all internal clients are going to use the external VIP for Autodiscover
  and EWS. 

• DNS best practice in local domain network of Windows 2012?

  Hello.
  We have a small local domain network in our office. Which one is the best practice for the DNS: to setup a DNS in our network forwarding to public DNSs or directly using public DNS in all computers including
  server?
  Thanks.
  Selim

  Hi Selim,
  Definately the first option  "setup a DNS in our network forwarding to public DNSs " and all computers including server has local DNS configured
  Even better best practice would be, this local DNS points to a standalone DNS server in DMZone which queries the public DNS.
  Using a centralized DNS utilizes the DNS cache to answer similar queries, resulting in faster response time, less internet usage for repeated queries.
  Also an additional DNS layer helps protect your internal DNS data from attackers out in the internet.
  Using internal DNS on all the computer will also help you host intranet websites and accessibility to them directly. Moreover when you are on a AD domain, you need to have the computers DNS configured properly for AD authentication to happen.
  Regards,
  Satyajit
  Please “Vote As Helpful”
  if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• Firefox on Linux doesnt connect to .local domains

  Hello,
  im running FF 3.6.18 on Ubuntu (64bit, 32bit) and im not able to connect to any domain ending in .local (for example: apple.fruits.local). Name resolution is working, prefetching and fixup is disabled. Using FF on windows works without a problem with the same domain name - only in Linux it fails.

  Hi!
  Thats quite simpel:
  .local domains belong to the zeroconf system ( linux: avahi, apple: bonjour, windows: zeroconf) - so if you enter a www.dummy.local than the request is not forwarded to the DNS server it is forwarded to the MDNS and in many networks simply not resolvable.
  Turn of the avahi, bonjour or zeroconf service or daemon and it will work again
  regards
  Martin

• Connect LDAP service to local domain

  Is there anyone who can tell me if it's possible to connect form the LDAP service to a local domain?
  I have made a new local domain with some groups and users in the Domain management in LC ES admin module.
  Now I want to retrieve those users to my prcess in workbench with the LDAP service, but I can't get it to connect to the new domain (it works fine when I connect to our company AD).
  I have tried with Base DN: DC=NewDomain,DC=local and Search filter: cn=* but with no luck :-(
  Is it possible to connect to the local domaim from the LDAP service if it is, what should the "Base DN" look like and what are the atributes to use in the search filter?
  Thanks
  Søren

  I think you are getting a few things mixed up.
  When you create the users in a local domain, you're in fact creating them in the LiveCycle database. Not in a LDAP system. LiveCycle NEVER writes to an LDAP system. It only reads from it.
  When LC integrates with an LDAP system (like when you create an enterprise domain in adminui), it connects to an external LDAP system and sychronizes with it. I also adds a copy of the users in its database.
  The LDAP service does the same thing is the sense that it just connects to a external LDAP system to get a list of users.
  If you want to query the users from the livecycle database you can use the User Lookup service (under Foundation) instead.
  Jasmin

• Migrate existing users from local domains to Open Directory.

  Here is the environment I'm working with:
  Small local environment (8-10) users. Everyone is on their own laptop, everyone is authenticating to their local directories. Network files are stored on a server, with everyone using a single shared user ID to authenticate and access the files.
  I have just installed a Xserve, and it is now serving DNS, DHCP, NTP, WWW. I want to setup Open Directory in Master mode, create user IDs for everyone, and then assign permissions to the shared files area.
  The one part that I'm not sure how to approach is the local laptops. If user "John Doe" has a local ID "jdoe" that he has been using on his local laptop, how does he migrate over to being "jdoe" in the OD domain, while reatining his "local" home directory and files? The problem I think I'll have is that when I create "jdoe" on the domain, he will have a UID of (say) 10001, but his local UID is 501 (as is the UID of all the other employees since they are all the first user on each of their respective laptops.) so when he logs back into his laptop after it has been attached to the OD domain, I assume that the laptop will see "jdoe" from the OD domain as a new user and create a new home for him (with the UID:10001), so now John cannot see any of his old files and such.
  Also, as a side question: I've worked with Windows ID before, and I know once you join a windows computer to a domain and then login to it, it creates a new user and caches the authentication info, so that when the laptop is not connected to the corporate network, the user can still login and work. Does Open Directory do the same on the laptops?
  Thanks for any help.

  Retaining password is a manual process of asking the user what his or her password is and then creating it in OD.
  As for migration of account, it is rather simple, provided the short name of the user remains consistent across directory systems. For example, if you have a user named Joe User and his short name is juser with a home folder in /Users/juser. And you create the same account in OD. You can do these few short actions.
  1: Bind system to the domain
  2: From the Admin account, and using Terminal from root, navigate to /var/db/dslocal/nodes/Default/users and find the plist file for the user (in our example, juser.plist).
  3: Delete the file using rm
  4: Restart the machine or restart Open Directory
  5: Log in as the admin user and change ownership of the users home folder. Recall that when the user is in the local domain, the UID was likely 502, 503, etc (you do have a standard local admin at 501 right?) Now that the user is in OD, the UID will be 4 digits, something like 1027. So understanding that user attributes and user data are independent, you now have a folder in /Users titled juser and owned by uid 50x. You need to make it owned by juser from the OD domain. User this:
  sudo chown -R juser /Users/juser
  6: Log out of the admin account
  7: Log in as the user after choosing Other at login window.
  Assuming you have your OD account set up properly, you will likely be asked to confirm the caching of the users credentials. This will path you right back into the user's home folder and all will be right with the world.
  This is simple and quick. If the shortnames are different, throw an mv into the mix to rename the home folder to match the domain shortname. If you have no local admin, then you will need to reset DSLocal and start again.

• DNS: Client can't connect because .local domain isn't in DNS. How can I connect over the WAN to server.domain.local?

  So my 2012 server is set up on the LAN with a .local domain name. 
  Remote Desktop Services are set up and remoteapp stuff works fine on the LAN.
  I've set up port forwarding so I can connect to the server over the WAN too, but remoteapp stuff is a bit different. I can connect to the server by specifying the correct IP address. Giving a Web browser the address
  https://serverIPAddress/RDWeb
  lets me get the login screen and see the range of apps for me to run. I select one, the connectoid is downloaded correctly (in Chrome) and I click on the downloaded connectoid. 
  Unfortunately, rather than pursuing the sensible IP-address approach that I started with, the connectoid has been given the server's name on the LAN:  server.domain.local. Clearly, the client machine tries to look this up but DNS hasn't heard of
  it because it's a .local address. 
  I cannot be the only one to have come across this apparent oversight on Microsoft's part. Any ideas as to how this can sensibly be overcome? Obviously, I could put the IP address translation into every client's hosts file (and I've done this and shown it
  works) but I've got too many clients to mess about like this. Anybody know 'the Microsoft way' to fix this?
  Thank you for checking this out -- I am confident the details of the problem are completely specified in this query but, if I'm wrong, please ask.
  Many thanks again,
  Biffo

  Hi,
  I would like to suggest you to follow the checklist.
  Checklist: Make RemoteApp Programs Available from the Internet
  http://technet.microsoft.com/en-us/library/cc772415.aspx
  Thanks.
  Jeremy Wu
  TechNet Community Support

• Resolving local domain name and nameserver address

  Hi,
  Is there any way to get the local domain name (on Windows it would be NT domain name and on Unix based platform it is DNS server's domain name) and local DNS server address ?
  Thanks,
  Rohit

  import java.net.*;
  try
     InetAddress ip = InetAddress.getLocalHost();
     String fqdn = InetAddress.getCanonicalHostName();
     int firstDot = fqdn.indexOf(".");
     String domain = fqdn.substring(firstDot+1);
     System.out.println("domain: "+domain);
  catch(Exception ex)
     ex.printStackTrace();
  }

• RDS - .local domain and external users. Best way to get rid of SSL warnings

  I am evaluating MS RDS as a possible solution for a VDI implementation at the college I work for.  When we setup our AD years ago we set it up as a .local domain.  I am running into issues with the .local machine name on the connection broker for
  external users.  I know for internal domain systems we can setup the self signed .local cert as a trusted root cert to bypass the self signed untrusted warning  but for the bulk of our users which will be using systems external to our domain they
  will get the SSL warning about the self signed certificate when they try to connect to a remote app or a desktop.
  Initially I thought if I setup a local AD CA that we could setup a trust relationship with the SSL cert.  After further reading I believe that this would only work for systems internal to our domain and we would still have the issue with external devices.
  The other option would be to tell our users to click the box to never display the warning message again and to go on or to add the self signed cert to their trusted list.  Of course when ever you ask the user to do something there will be issues.  We
  have also found that in our testing that we can not seem to connect via the web portal with a macbook.  We get an error that there is a problem with the trust relationship with the server after we login and click on an app or a desktop to connect.  We
  have been able to connect with iOS devices.  
  We could of course rename the .local domain to a .edu domain which would permit us to use our wildcard certificate but that is a major undertaking that we don't want to cross at the moment.  I think I might have some up with a solution and wanted to
  bounce the idea off of those on this forum.
  If we setup a second domain on campus that is not a .local.  Join the non internet facing RDS systems to this new domain that would have a SSL cert that was trusted and then setup a full trust relationship between the two domains such that users and
  systems in one domain could communicate with the systems in the other domain would that remove the certificate warnings for external users?

  Hi AKlein,
  Initially I thought if I setup a local AD CA that we could setup a trust relationship with the SSL cert.  After further reading I believe that this would only work for systems internal to our domain and we would
  still have the issue with external devices.
  Just add the root CA certificate of the internal CA into Trusted Root Certification Authorities store on external clients manually (or through group policy if there is an external domain), then SSL certificate warning would be gone.
  We could of course rename the .local domain to a .edu domain which would permit us to use our wildcard certificate but that is a major undertaking that we don't want to cross at the moment.
  Yes, renaming domain is not recommended due to its complexity.
  If we setup a second domain on campus that is not a .local.  Join the non internet facing RDS systems to this new domain that would have a SSL cert that was trusted and then setup a full trust relationship between
  the two domains such that users and systems in one domain could communicate with the systems in the other domain would that remove the certificate warnings for external users?
  If you are setting up a new domain with two way trust, then root CA certificate of the internal CA still needs to be distributed manually (or through group policy). If you are setting up a child domain, then enterprise CA would be trusted within the same
  forest.
  As long as there are enough external users and devices to manage, an external private network exists and extra domain management tasks are acceptable, then setting up a new domain is a good choice since domain provides secure boundary.
  Or, you could just create a new site from the other network location, which saves you from creating a new domain, new users and trust.
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]

• Is domain installation mandatory?

  Hello Guys,
  Is Domain installation of an SAP system mandatory for it to connect to an Active directory?
  Thanks and Regards,
  Ankit Mishra

  Hi Ankit,
  plesae find the below thread
  SAP in its own Extra Active Directory Domain SAP in its own Extra Active Directory Domain  
  May be that helps you to understand more on your query.
  -Srini