RBAC Role Group rights across a Forest Trust

Just looking for confirmation here, really.
I am trying to give user "Jason Argonaut" in ForestA access to ForestB, as an Org Man & Recipient Man member, through a linked mailbox.
It appears that some access is given once the ForestB mailbox is linked to ForestA (but I can't tell what -- it seems like some access is inherited through AD or something).
I've then directly added Jason Argonaut's linked account in ForestB to Org Man & Recipient Man (in ForestB). As I understood it (which isn't that well), that should allow Jason in ForestA to inherit those rights via the Exchange linked mailbox.
It appears the Org Man rights aren't really working correctly.
Does anyone have any kind of explanation regarding what RBAC roles are available to the MsExchMasterAccountSid account? Or limitations?
I know that alternately, instead of trying to push rights through a Linked Mailbox, I could create a Linked Role Group in ForestB, and a USG in ForestA and drop Jason into the USG, then link them up. That would accomplish the same thing, right?
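For the linked role group alternative mentioned above, here is an added Exchange Management Shell example (not code from the original thread). It runs in ForestB, where Exchange lives; the ForestA domain controller name, the USG name and the role group name are assumptions, and it copies its role list from the built-in Recipient Management group.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell
# in ForestB (the forest that hosts Exchange). Host, group and role group names are assumptions.
$linkedDc   = 'dc01.foresta.example'                # a domain controller in ForestA (assumed)
$foreignUsg = 'FORESTA\Exchange-Recipient-Admins'   # universal security group in ForestA (assumed)
$cred       = Get-Credential -Message 'ForestA account that can read the USG membership'

# Copy the role list from the built-in Recipient Management group rather than typing
# role names by hand, so the linked group receives exactly the same roles.
$roles = (Get-RoleGroup 'Recipient Management').Roles

# Create the linked role group: membership is read from the ForestA USG over the trust,
# so users are added or removed in ForestA, not in the ForestB role group.
New-RoleGroup -Name 'ForestA Recipient Admins' `
    -LinkedForeignGroup $foreignUsg `
    -LinkedDomainController $linkedDc `
    -LinkedCredential $cred `
    -Roles $roles `
    -Description 'Linked role group; membership managed via the ForestA USG'

# Verify the group is linked (RoleGroupType Linked, LinkedGroup set) and review its
# role assignments and write scopes before anyone relies on it.
Get-RoleGroup 'ForestA Recipient Admins' |
    Format-List Name, RoleGroupType, LinkedGroup, Roles
Get-ManagementRoleAssignment -RoleAssignee 'ForestA Recipient Admins' |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope -AutoSize

# Audit: list every linked role group in the organization, since each one delegates
# Exchange rights to a group whose membership is controlled in another forest.
Get-RoleGroup | Where-Object { $_.RoleGroupType -eq 'Linked' } |
    Format-Table Name, LinkedGroup -AutoSize
```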

Hello,
It may be a better idea to ask in the Exchange forum:
http://social.technet.microsoft.com/Forums/office/en-US/home?category=exchangeserver
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

Similar Messages

  • Force Forest Trust to establish between Core DCs

    Hi,
    The scenario is as follows: two forests which require a trust. Network comms only allow domain controllers residing in the respective data centres to talk, yet there are multiple remote sites in each forest.
    I am finding that the verification and trust secure channel work intermittently, and external network monitoring indicates DCs trying to talk to remote-site DCs (which indeed fails).
    _msdcs nslookup returns all DCs in the 'other' domain, all with the same priority and weight (0,100). There is conditional forwarding configured (also tried stub and primary zones with the same result). I am suspecting that a round robin / pseudorandom effect is happening that results in timeouts.
    How does one establish consistent trust communication between 'bridgehead' domain controllers while ignoring those DCs that are not reachable?
    Appropriate ports are open and tested. These are Windows 2008 DCs at Windows 2003 functional level. I have researched DCLocator and AD Site configuration without luck. If we need to change SRV records for ONLY those trust domain requests, how would that be achieved?
    Thanks in Advance,
    Al

    Hi Ahmed,
    Thanks for the links, I've reviewed them. The issue I have is that the remote domain controllers in each domain traverse long WAN links with substantial latency, while the 'core' domain controllers have a dedicated low-latency link between them. Therefore limiting the trust traffic to just these DCs is preferable.
    Internal domain controllers of each domain have consistent network connectivity and replicate as required.
    To create a rudimentary picture: Domain1RemoteDC --> Domain1CloseDC <--> Domain2CloseDC <-- Domain2RemoteDC.
    Domain1RemoteDC cannot route to Domain2RemoteDC. I am seeing port 389 requests between them which fail, and which I believe is killing the trust / timing out the secure channel.
    I'd like to force the trust and authentication path to be limited to Domain1CloseDC and Domain2CloseDC.
    I have reviewed this link: http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx though creating sites in each directory does not seem to assist.
    Thanks,
    Al

  • Forest Trust Issues (Group Membership Issues)

    OK - this is going to be long. I hope I am detailed enough.
    Four domains, each in their own forests:
    domain.w.com
    domain.x.com
    domain.y.com
    domain.z.com
    For the sake of everyone, I'll refer to each domain as "w" or "x", which would be domain.w.com and domain.x.com, respectively.
    Domains x, y, and z all have users that require access to resources on domain w. Remember - each domain is in its own forest.
    Three trusts were created on domain w. Since the users on domain w do not need any resources on the other domains, three "ONE-WAY:OUTGOING" trusts were created (one for each) via Active Directory Domains and Trusts on domain w. The option to create the trust (have it show up in Active Directory Domains and Trusts) in the other domains (in this case x, y, and z) was selected.
    After the trusts were created from domain w, the trusts were verified. Administrators on domain w could "verify" the trusts (using admin accounts created for them on the three trusted domains).
    Since everything looked good (domain w shows up as an incoming trust for the other three domains), permissions for specific users on domains x, y, and z were granted for a share in domain w.
    Only... that didn't happen. When attempting to change permissions on the share, administrators were able to change the working domain directory to either x, y, or z... but searching returned zero results. Zilch.
    *It should be noted that this scenario has been in place for quite some time now, and that all groups/users previously defined on the share (that belong to the three domains trusted by domain w) now all show up as SIDs.
    When attempting to verify (validate) the incoming trust on any of the three domains, the error "Windows cannot find an Active Directory Domain Controller for the domain.w.com domain. Verify that an AD DC is available and then try again." is returned.
    Pinging domain.w.com returns the correct address. Direct pings to both domain controllers on domain w also work. Domain w can also do the same pings that I just listed to all three other domains with correct results.
    There is no firewall in between these forests.
    I am leaning towards a DNS or AD issue on the domain w side. This all occurred at once on the same day last week, and no changes were made on x, y, or z. Of course... domain w is another entity and they are saying they have no clue why it's not working.
    Questions:
    Should I be able to verify the trust from x, y, or z to domain w?
    Why can't domain w see the users/groups in the other domains?
    Why does domain w validate the trust if the other three domains can't?
    Could this be caused by some setting in GPO having to do with LDAP security, signing requirements, or authentication settings?
    Any help is much appreciated.
    Chris

    Yes, this is related to DNS, from what you describe.
    The simplest way to configure this is to go to EACH DNS server on both sides of the trust and configure it with a conditional forwarder for the other's DNS zone.
    http://www.techrepublic.com/blog/windows-and-office/configuring-dns-forwarders-to-support-windows-server-2003-forest-trusts/501/
    Unless you have a root dns server for all four zones already.
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Forest Trust RPC timeout across MPLS

    Hi, I am having trouble setting up a forest trust between two networks. The issue "seems" to be RPC timeout (I see RPC age-out on the firewall) but I'm now wondering if it's actually the LDAP or Kerberos that's failing first.
    I have read that RPC needs to have the same path outgoing as incoming, otherwise you can get SYN-ACK problems (especially through a firewall). So I need to try and work out why it doesn't work. It is laid out something like this.
    Network 1 (domain BOB) (Server 2008 R2 at domain functional level 2003)
    Site1, Site2 and Site3 all connect to each other via a site-to-site link provided by a 3rd party. They all egress at Site1's ISA firewall in a normal 3-leg perimeter config. All works fine.
    Network 2 (domain RITA) (Server 2008 R2 at domain functional level 2003)
    SiteA, B, C and D all connect to each other over 3rd-party MPLS (essentially Gig Ethernet).
    Site1 and SiteA are on the same premises in the same room. There is a spare NIC on the ISA server, so I configured the ISA with a NIC in the same subnet as SiteA (RITA domain) - i.e. I plugged RITA into BOB. I configured the ISA for routing: allow ANY ANY internal to RITA and ANY ANY RITA to internal.
    I set up conditional forwarders on both domains pointing at each other and can ping everything from the other sites. DNS is working fine. I can RDP across sites to each other's DCs. From a "network" point of view it all looks good (though in the back of my mind I can't rule out the site-to-site or the MPLS links).
    When I try and create the trust it fails very quickly with "Cannot Continue. The trust relationship cannot be created because the following error occurred: The operation failed. The error is: The remote procedure call failed"
    I can do a portqry and all RPC comms look good.
    In ISA and another firewall I tried, I can see the RPC ageing out. Have tried Wireshark but it's hard to see what's going on.
    I used another server in the BOB domain and dcpromo'd it to a new domain in that subnet and tried setting up a trust. Worked first time.
    Similarly I did the same at the RITA side and that worked too.
    There are no errors in DNS or the event logs on either side to suggest anything is failing. I tried verbose DNS logs but couldn't really follow them.
    Help!! Thanks

    Hi,
    To verify if this is a network issue, please try to perform a network capture on the servers on both sides.
    We can use "IPv4.Address==xxx.xxx.xxx.xxx" to filter the traffic between the servers, then compare the capture data from the servers. If all the packets have been forwarded, it should not be caused by the network.
    To download Network Monitor, please click the link below:
    http://www.microsoft.com/en-hk/download/details.aspx?id=4865
    About the question related to Directory Services, to get better help, please post your questions on the DS forum.
    Here is the address:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Forest Trust across internet

    Hi
    We need to establish a one way, outgoing forest trust between companyA and companyB.
    Both companies have their own forest.
    Do we have to establish a site-to-site vpn to be able to establish the forest trust, or is it possible to make a forest trust through the internet without a vpn?
    Regards
    Peter

    It's bad bad practice, if even possible. One thing is you will have to route traffic between two networks over the Internet. Next thing is, you will expose all unencrypted traffic. And, you will have to open a lot of ports on your firewall to allow traffic.
    Go for VPN.
    best regards,
    jesper vindum, denmark

  • Cisco ISE and forest trusts vs domain trusts

    Hi All,
    Are there any issues with forest trusts with Cisco ISE?
    I have a customer that had external trusts and ISE was working OK for PEAP MSCHAPv2 user auth across domains.
    They recently removed external trusts and changed to forest trusts. Now auth doesn't work. Initial error was authc ok, authz fail.
    I can search and get lists of AD groups OK for the remote domain.
    Using the attribute tab, I can't get attributes for users in the remote domain. I'm thinking since I can't see the memberOf attribute, none of my authz policies will work.
    I have done "leave" and "join" domain again.
    In my lab, I have forest trusts and it actually works ok.  A previous poster talked about kerberos issues across forest trusts ?
    Cheers
    Peter. 

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on the page no.170

  • Set-up of a Forest Trust - Unique situation

    I am in need of advice on how to set up a forest trust between two separate, but similar, forests.
    My AD server is Server 2012 R2, their AD server is Server 2008 R2.
    We are a small community college in the process of separating from our parent university. Currently the parent university has AD services for both domains (theirname.edu and ourname.edu). I have built a completely new and separate AD server on a different network using the same ourname.edu as the parent university is currently using.
    Is it possible to set up a forest trust between the NEW ourname.edu and the old ourname.edu?
    We are trying to get the NEW AD server up and running so that it can be fully functional for users; this trust is also so we can migrate our student and employee user data from the OLD AD to our NEW AD using the ADMT tool or something similar.

    You can't create a trust between two domains/forests with the same name. How would the client know where to go when referencing the name?
    One thing to consider is a radical pruning situation. You could introduce a new server in theirname.edu and promote it as a new DC. Then physically remove it from the domain and NEVER allow it to talk to theirname.edu ever again. In theirname.edu do a metadata cleanup of this recently promoted DC to remove all references to the DC.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx
    Now seize all FSMO roles on the DC you just removed and consider this the first DC in your forest. Go back within this forest and do a metadata cleanup of all the old DCs.
    You now have a duplicate forest that should be cleaned up, removing all users and computers that didn't transfer from the original domain. The old domain should also clean up all unused accounts and computers as well.
    Just be aware that pruning isn't supported by Microsoft, but this is a known practice in mergers and divestitures:
    http://technet.microsoft.com/en-us/library/mergers_acquisitions_active_directory_prune_and_graft_restructuring_support_limitations(v=WS.10).aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Exchange mailboxes, corporate AD, forest trust, arrays, Can you look this over?

    This is my first script; it took a while to figure some things out, but it is working. I wanted to know if it is overkill, or if there is something that sticks out that would be an easier way of accomplishing something with this script.
    Background info:
    Company was bought out, forest trust set up between corp network and ours (years ago). So what we wanted was to compare Exchange mailboxes with a linked mailboxes array, to be compared to a corporate AD array of user accounts that are disabled. A list is created in another script which shows linked mailboxes and disabled corp AD accounts; helpdesk looks these through to make sure there are no exceptions. Exceptions are entered into the PS cmdline, and those are pulled out of the array. Then the objects left in the array are backed up to PST on a network share, and then the mailboxes are removed. Admin trust across corp allows the Exchange admin to search through Corp AD via the Search-ADAccount cmdlet. The script is run from a VM with Exchange server tools installed, running a 32-bit OS of Windows 7 and 32-bit Office (because that's how great... Exchange 2007 is for exporting mailboxes to PST).
    Not sure of this, though it works:
    <#Clear variables so they are not retaining any old values#>
    Get-Variable -Exclude PWD,*Preference | Remove-Variable -EA 0
    Wanted to clear variables before running script, data was being held over each run before adding this in
    Here is the code "xxxxx" used in lieu of server names:
    <#Import in modules; if statement for the PSSnapin so that it doesn't throw an error if it is already loaded.#>
    Import-Module ActiveDirectory
    if ( (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue) -eq $null ) {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
    }
    <#Clear variables so they are not retaining any old values#>
    Get-Variable -Exclude PWD,*Preference | Remove-Variable -EA 0
    <#Variables needed to complete the script. $testIteration shows the number of times the nested for loop happens, $exUserCorpMatch=@() is an empty array that will have objects added to it
    when linked mailboxes on Exchange are compared to disabled corp accounts, and $adminUser is the account that is granted access so that anyone running the script uses their own admin login#>
    $errorLogPath = "c:\scripts\logs\exchangeADerror.txt"
    $testIteration = 0
    $exUserCorpMatch = @()
    $adminUser = whoami
    $exceptionUsers = @()
    $exceptionArray = @()
    <#Create an array from the Get-Mailbox cmdlet that has the value "LinkedMailbox" tying it to a corporate account; .count value used to check results against expected#>
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox
    $mailboxes.count
    <#Create an array of objects from the corp server of disabled user accounts only; .count value used to check results against expected#>
    $corpAccDis = Search-ADAccount -ResultSetSize $null -Server xxxxx -AccountDisabled -UsersOnly
    $corpAccDis.count
    <#Read in a list of users whose mailboxes shouldn't be removed#>
    while ($var -ne "q"){
        $var = Read-Host "Enter user exception linked mailbox name, or press q to quit entering names:"
        if ($var -ne "q"){
            $exceptionUsers += $var
        }
    }
    $exceptionUsers.count
    <#Create an array with the mailboxes for the usernames that were supplied by the Read-Host cmdlet#>
    foreach ($name in $exceptionUsers){
        $exceptionArray += Get-Mailbox -Identity $name
    }
    $exceptionArray
    <#Compare the two arrays on the value of name from the "Linked Master Account" and the corp server "SamAccountName" and insert the matching objects into an array#>
    For ($a = 0; $a -le $mailboxes.count - 1; $a++){
        For ($b = 0; $b -le $corpAccDis.count - 1; $b++){
            $testIteration++
            if ($mailboxes[$a].LinkedMasterAccount.Split("\")[-1] -eq $corpAccDis[$b].SamAccountName){
                $exUserCorpMatch += $mailboxes[$a]
                break
            }
        }
    }
    $testIteration  #Test value checking the number of times the loop took place
    $exUserCorpMatch.count
    <#For loop to take the exception users' mailboxes out of the script#>
    For ($d = 0; $d -lt $exceptionArray.Count; $d++){
        $exUserCorpMatch = $exUserCorpMatch | ? {$_.alias -ne $exceptionArray[$d].alias}
    }
    $exUserCorpMatch.count
    $exUserCorpMatch | sort
    <#Taking the newly created array from the comparison and running the bulk of decisions: gives full access rights to the admin account entered before, then exports the mailbox to a PST
    file on the network share, and produces a txt file of the user's properties, attributes, etc. Then Remove-Mailbox; this cmdlet is currently commented out until testing is done and
    confirmed removal is ready to take place. #>
    for ($c = 0; $c -le $exUserCorpMatch.count - 1; $c++){
        $fileCreationTime = Get-Date -UFormat "%Y%m%d%H%M%S"
        $displayName = $exUserCorpMatch[$c].DisplayName
        <#The file name must be quoted: unquoted, $displayName.PST is read as a property lookup and the extension is lost#>
        $pstFolderPath = Join-Path "\\xxxxx\exchangePST\" "$fileCreationTime$displayName.PST"
        $txtFolderPath = Join-Path "\\xxxxx\exchangePST\" "$fileCreationTime$displayName.txt"
        try {
            $everythingIsOk = $true
            Add-MailboxPermission -Identity $exUserCorpMatch[$c] -User $adminUser -AccessRights FullAccess -ErrorAction Stop -Verbose
        } catch {
            $everythingIsOk = $false
            Write-Warning "Permission add problem, logging error to $errorLogPath!"
            Write-Warning $error[0]
            $error[0] | Out-File $errorLogPath -Append
        }
        if ($everythingIsOk){
            try {
                Export-Mailbox -Identity $exUserCorpMatch[$c] -PSTFolderPath $pstFolderPath -ErrorAction Stop -Verbose
            } catch {
                $everythingIsOk = $false
                Write-Warning "Export problem!"
                Write-Warning $error[0]
                $error[0] | Out-File $errorLogPath -Append
            }
        }
        if ($everythingIsOk){
            try {
                Get-Mailbox -Identity $exUserCorpMatch[$c] | FL | Out-File $txtFolderPath -ErrorAction Stop -Verbose
            } catch {
                $everythingIsOk = $false
                Write-Warning "Problem writing to txt"
                Write-Warning $error[0]
                $error[0] | Out-File $errorLogPath -Append
            }
        }
        if ($everythingIsOk){
            try {
                Write-Verbose "!!!!!!!!!!!!!!!!!!"
                <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
            } catch {
                Write-Warning $error[0]
                $error[0] | Out-File $errorLogPath -Append
            }
        }
    }

    Half of your code appears to be doing nothing.
    This does nothing:
    if ($everythingIsOk){
        try {
            Write-Verbose "!!!!!!!!!!!!!!!!!!"
            <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
        } catch {
            Write-Warning $error[0]
            $error[0] | Out-File $errorLogPath -Append
        }
    }
    The way we do a limiting Try/Catch is to just use a single "try/catch".
    $fileCreationTime = Get-Date -UFormat "%Y%m%d%H%M%S"
    for ($c = 0; $c -lt $exUserCorpMatch.count; $c++){
        $displayName = $exUserCorpMatch[$c].DisplayName
        $pstFolderPath = Join-Path "\\xxxxx\exchangePST\" "$fileCreationTime$displayName.PST"
        $txtFolderPath = Join-Path "\\xxxxx\exchangePST\" "$fileCreationTime$displayName.txt"
        try {
            Add-MailboxPermission -Identity $exUserCorpMatch[$c] -User $adminUser -AccessRights FullAccess -ErrorAction Stop -Verbose
            Get-Mailbox -Identity $exUserCorpMatch[$c] | FL | Out-File $txtFolderPath -ErrorAction Stop -Verbose
            <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
        } catch {
            Write-Warning $error[0]
            $error[0] | Out-File $errorLogPath -Append
        }
    }
    The following does the same thing your code did.  It executes but aborts further execution on an exception.
    ¯\_(ツ)_/¯

  • What difference between a domain trust and a forest trust?

    What difference between a domain trust and a forest trust?

    Greetings!
    The answer is right on the question! :)
    I think it is best to distinguish properly between forest and domain. This article is a good one:
    What Are Domains and Forests?
    But in a nutshell, a forest trust is mostly used between two organizations. Suppose company A has a unique forest and company B has another unique forest as well; when they are merged they can simply create a forest trust between each other. This trust can be one-way or two-way depending on your needs.
    Domain trusts are between a single instance (domain) of a forest and another instance (domain) of another forest. It is worth mentioning that trust can be transitive as well.
    What Are Domain and Forest Trusts?
    I hope you got the answer.
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

    I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest from our offices. Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2. We have set up two-way forest trusts with our office domains using selective authentication. We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain. On the Server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain. However, after installing a 2012 R2 domain controller in an office domain, we cannot use the 2012 domain controller to browse to the objects in the licensing domain. It never asks for credentials for the licensing domain when we specify the objects we want to add from the licensing domain. It simply states that the object cannot be found. When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that is logged on, and this is failing since this user has no rights in the licensing domain. I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has. Can somebody tell me why this is happening and how to correct it?

    Hi,
    Based on my research, this is a known issue in Windows Server 2012 R2.
    According to the article below: "The Selective Authentication feature of selective trusts is not functional. Access to resources enabled by "Allowed to Authenticate" will fail. There is no workaround at this time".
    Release Notes: Important Issues in Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn387077.aspx
    Best Regards,
    Amy Wang

  • SCCM 2012 CU2 OSD forest trust: ReleaseRequest failed with error code 0x87d00317

    Hello,
    Actually I have a difficult problem with my SCCM 2012 R2 CU2 Windows 7 x64 SP1 task sequence:
    I get the following error in smsts.log:
    ::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    RegQueryValueExW is unsuccessful for Software\Microsoft\SMS\Task Sequence, SMSTSEndProgram TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    End program:  TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Finalize logging request ignored from process 1736 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Waiting for CcmExec service to be fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CcmExec service is up and fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle will be read from _SMSTSActiveRequestHandle TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle: {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Attempting to release request using {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CoCreateInstance succeeded TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    ReleaseRequest failed with error code 0x87d00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Here is the complete smsts.log: http://1drv.ms/1pwTEBf
    To explain the problem in detail:
    The SCCM primary site server and the clients are in different trusted (bidirectional) forests!
    Everything is working fine in this scenario: I can install the SCCM agent on the clients with manual ccmsetup and with client push installation. Additionally I can deploy software updates and so on... only OSD is crashing in the ReleaseRequest step.
    During my task sequence new clients are joined to Domain A while the SCCM primary site server is installed in Domain B.
    If I change my TS and let the clients also join Domain B everything works without any problems and the task sequence finishes without any errors.
    My problem must be related to the different domains and the forest trust.
    My Setup:
    MP published to DNS in both domains
    Schema Extended in both domains
    System Management Container published and verified in both domains
    ccmsetup Parameters in TS: ccmsetup SMSMP=sccm.domain.b FSP=sccm.domain.b DNSSUFFIX=Domain.b
    Network Access account configured with Domain B account
    Domain Join account has create Computer rights on the OU in Domain A (Domain join is successful)
    DNS conditional forwarders configured in both domains and DNS resolution is working in both directions
    Any suggestions?
    Many thanks.
    regards,
    Christian

    Hi Christian,
    So do you actually get an error message in your TS or is it just failing to join Domain B? (Could be both if the machine fails to join the domain.)
    Can you review netsetup.log on the machines after the issue and see what error message you might be getting during the domain join process?
    Also, if it is a domain join issue, can you try manually joining to Domain B using the same service account?

  • Forest trust - should i add their subnet into my AD site

    Hi all
    Quick question: we have a forest trust with another company after we bought them, and their sysadmin wants me to add their 2 subnets to my AD site for our datacentre.
    I have never heard or read about adding subnets from the other side into your AD site.
    Can anyone confirm/deny this?

    In addition, computers look for their local DC and their own domain's subnet, not for the remote forest's subnet.
    You can check the computer site using below command.
    For DC
    PS C:\> dsquery server -s WIN-CT049RQ4TQF | dsget server -site
    site
    Default-First-Site-Name
    dsget succeeded
    PS C:\>
    Also check the below reg key for getting the site name.
    NON DC
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DynamicSitename
    Regards,
    Biswajit
    MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Samba4 user groups rights management problem

    Hey,
    I have a network with an archlinux server as only server on the network.
    On the server with Samba3 there are different directories with different user and group rights. Every user existed twice, as a Linux user and as a Samba user. In the Samba smb.conf, force group was set to the Linux group, files were forced to 660 and directories to 770.
    Users 1-4 were in officesmbgroup with access only to share1
    Users 1-2 were in officesmbgroup and extrasmbgroup with access to share1 and share2
    All 4 users exist as Linux users and have SSH access to the Linux server
    Example working on samba3
    [share1]
    available = Yes
    browseable = Yes
    comment = office
    create mask = 660
    directory mask = 2770
    force create mode = 660
    force directory mode = 2770
    force group = officesmbuser
    guest ok = No
    path = /data/office
    writeable = Yes
    valid users = @officesmbuser
    [share2]
    available = Yes
    browseable = Yes
    comment = office
    create mask = 660
    directory mask = 2770
    force create mode = 660
    force directory mode = 2770
    force group = extrasmbuser
    guest ok = No
    path = /data/extra
    writeable = Yes
    valid users = @extrasmbuser
    As I understood, with samba4 this is no longer possible because it is not possible to force a Linux group in Samba any more. I figured out how to manage this in samba4 standalone role mode. But this has a big disadvantage: I had to set all files on the shares to 666 and folders to 777.
    Working with samba4 standalone role mode, but security problem
    [share1]
    available = Yes
    browseable = Yes
    comment = office
    create mask = 666
    directory mask = 2777
    force create mode = 666
    force directory mode = 2777
    guest ok = No
    path = /data/office
    writeable = Yes
    valid users = user1, user2, user3, user4
    [share2]
    available = Yes
    browseable = Yes
    comment = office
    create mask = 666
    directory mask = 2777
    force create mode = 666
    force directory mode = 2777
    guest ok = No
    path = /data/extra
    writeable = Yes
    valid users = user1, user2
    This would be a problem because linux user3 and user4 have ssh access and would have access to all files on both shares in all directories.
    Is there another way to manage this or do I have to set up active directory, manage group rights there and leave the local rights on the linux machine at 660 and 770?
    Thanks in advance
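    The exposure the post describes (with create mask 666 and directory mask 2777, everything the Samba users create is also readable and writable by any local account, such as user3 and user4 over ssh) can be checked directly on the server. The script below is an added example, not code from the original post: it walks a share path and lists every file or directory whose mode grants read or write to "other", and builds a constructed sample tree mirroring the two configurations (660/2770 versus 666/2777) to show the difference.

```shell
#!/bin/sh
# Added example (not from the original post): audit a share tree for entries
# whose permission bits grant read or write to "other". With create mask 666
# and directory mask 2777, every file and directory the Samba users create is
# also open to any local account (for example user3 and user4 over ssh).

# Print every file or directory below $1 that is world-readable or world-writable.
audit_world_access() {
    find "$1" \( -perm -004 -o -perm -002 \) -print
}

# Write to stdout the number of world-accessible entries below $1.
count_world_access() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree that mirrors the two configurations:
# "office" uses the samba3-style 660/2770 modes, "extra" the standalone 666/2777 modes.
make_sample_tree() {
    d=$(mktemp -d)                       # mktemp creates the root with mode 700
    mkdir -m 2770 "$d/office"
    touch "$d/office/doc.txt" && chmod 660 "$d/office/doc.txt"
    mkdir -m 2777 "$d/extra"
    touch "$d/extra/doc.txt" && chmod 666 "$d/extra/doc.txt"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh --demo  (builds the tree, prints the exposed entries, cleans up)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "World-accessible entries under $root:"
    audit_world_access "$root"
    echo "count: $(count_world_access "$root")"
    rm -rf "$root"
fi
```

    Run against the real share paths (for example `audit_world_access /data/extra`) it lists exactly the entries that an ssh user outside the Samba group could read or modify; on the 660/2770 tree it prints nothing, on the 666/2777 tree it prints the directory and every file inside it.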

    Thanks Bill, that was really handy.
    I'd used the Add ID option without being on a specific store, and it had placed it under Digital IDs. It was still offering me the option to use that certificate to authenticate against the server with. I imported the certificate into the Windows Digital ID section and it now authenticates against the server perfectly.
    So problem solved, although I'm still not 100% sure why the Import Digital ID places the certificates into a location which doesn't work with Rights Management, although I'm sure there's a good reason.
    I'll make sure that we only add to the Windows Digital ID container in Acrobat/Reader or import directly into the Personal Certificate store in Windows for the demonstration.
    Thanks for your help in fixing this.

  • NWA 7.1 - User Administration with regards to Roles/Groups

    Hello,
    Environment = NWA 7.1, Java Stack Only, No Central User Administration
    Situation = One group of individuals responsible for developing and maintaining Java Roles & Groups (Permissions). Another group of individuals responsible for maintaining Users and allocating the above Roles & Groups to the Users.
    In accordance with various documentation (i.e. http://help.sap.com/saphelp_nwpi711/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm) I have set up a Role which includes the actions: UME.Manage_Roles, UME.Manage_Groups, UME.Manage_Users, UME.Manage_All_User_Passwords & UME.Read_All. This Role is intended for the second group of individuals mentioned above.
    The problem, however, is that with the mentioned actions they can not only allocate a user to a Role or Group but also delete the Role/Group from the system. Without the above actions in the Role it is not possible to assign Users to a Role/Group.
    This leads me to the question whether it is possible to split these two areas of responsibility, or does NWA 7.1 view both activities as residing in only one group (documentation to this effect would be helpful)? If not, which actions will ensure that only Users can be administered but the rights to the system (Roles/Groups) cannot be tampered with?
    Many thanks in advance,
    Jay

    Hi Jay,
    UME.Manage_All provides the permissions required by an overall user administrator.
    These include:
    • Administration of users belonging to any company and the possibility of assigning users to companies (in a multitenant portal, even if a tenant user is assigned this action, he or she will still only have access to users, groups, and roles in his or her tenant)
    • Group management
    • Role assignment
    • User mapping
    • Import and export of user data
    • Manual replication of user data
    To set up delegated user administration, overall user administrators must belong to a role to which the UME.Manage_All action is assigned.
    In portal installations, any role that includes the UME.Manage_All action automatically has Role Assigner permissions on all portal roles in the portal installation.
    Try this.
    Regards,
    Gowrinadh

  • Move domain to another forest (forest trust)

    Hello
    I have a forest with many domains, and another forest with a single domain. They have a trust set up and working. I would like to have only one forest, but that would require moving the single domain into the other forest. Is it possible to move a domain from one forest to another forest that it has a forest trust with?
    Thanks also for any suggestions to solve my problem.

    You're asking to move the domain itself? No, you can't move the domain. You can create a new domain in the forest you want to consolidate to, and then migrate users and groups to that forest. You'll have to migrate workstations and users and repoint applications as well, if needed. And then, you're not really moving them; you are creating new ones and copying properties of those objects. You mentioned a forest trust, but all the forest trust allows you to do is to assign/use permissions from one forest in another. People speak of moving objects but, like I said, for users and groups you're simply creating new ones with the same names and copying properties over. Computers/servers are joined to the new domain, but it's a new computer account, not one that gets moved over.
    You'll need a migration tool to do this smoothly. As Malek mentioned ADMT, yes, this is one tool that can do this. It's not necessarily the best or easiest tool, but it's free from Microsoft. There are also other third-party tools such as Dell/Quest Migration Manager for AD, and BinaryTree also has a similar tool (there are others out there too). Those two latter tools have the ability to add permissions (ACL entries) to new domain objects based on the old ACLs from the source domain. This can be a huge help for servers and workstations (it allows the users to continue to use their same profile after their computer is migrated and they are using their new user account; otherwise Windows would just create a new profile when the user logged in with his/her new domain account).
    Depending on the size of the domain you want to move (how many objects), this could be a pretty big project. There's a lot going on in a migration, and based on your question, I'd recommend finding help with it if you can. There are a number of companies and consultants who specialize in AD migrations; even some consultation for planning could help tremendously.
