Root Domain Naming

I’m in a customer’s site, a new site – I would like to set up their domain. That would be the first root domain in a new forest.
Now the question is – does anyone have concerns about naming a domain .LOCAL?
Which domain naming is the best practice: MYCOMPANY.COM or MYCOMPANY.LOCAL?
Any pros and cons?
Thank you
Regards, MassonTech

RFC 2606 doesn’t reserve any custom TLD, so nothing prevents .local (or .global or anything like that) from one day becoming a valid top-level domain extension. We cannot know which way the industry will go in the next years (even though they might probably not go that way...). We do have some examples where .local is an issue: No More local names in the certificate starting November 2015
http://autodiscover.wordpress.com/2012/07/09/no-more-local-names-in-the-certificate-starting-november-2015-msexchange-lync-ucoms-lync2010-microsoft-part1/. Also note that the IETF was thinking of using the specific .local in the protocol LLMNR but finally gave up, as far as I know, a few years ago. The only “technical” side effect that I found is not even related to Windows OS: TIP: Fix for Mac AD authentication failure after reboot on .local domains
http://www.macwindows.com/Fix-AD-dot-local-domains.html.
In terms of official guidance, you'll find it here:
https://support.microsoft.com/kb/909264. And according to this one, as long as you own the mycompany.com namespace, either is OK.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Similar Messages

  • Root Domain Naming - New DC

    Hello
    I am setting up a new DC and creating a new company forest/domain. I see there is some discussion about the best way to name the root domain name.
    Is it best to set it up using the public internet domain name eg. company.com
    or make it different such as company.local?

    There is a well written article about it here:
    http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html
    Don't use local.

  • Lync 2013 on a single label root domain

    Hello All
    My environment is in a child root; let's say it's "contoso.local": the root is .local and the child is contoso.local. With this configuration, can I install Lync 2013? If not, is there any workaround other than renaming my domain? Your help is much appreciated.
    THX

    Hi Mado,
    Unfortunately, installing Lync in a forest with a single-label root domain is not supported:
    "Lync Server does not support single-labeled domains. For example, a forest with a root domain named contoso.local is supported, but a root domain named local is not supported. For details, see Microsoft Knowledge Base article 300684, “Information about configuring Windows for domains with single-label DNS names,” at http://go.microsoft.com/fwlink/p/?linkId=143752."
    This is not to say it would not work, but I would never put this into a production environment based on Microsoft's stance on this.
    Kind regards
    Ben

  • Broken root domain without a valid backup. Any chance to get it back to work properly ?

    Hi guys,
    I came across the following issue:
    Imagine a standard enterprise environment with a forest. The root domain is called contoso.com and there is a subdomain called company.contoso.com. There are also subdomains of company.contoso.com, but they are not important for the problem description.
    The functional level of the forest is Windows 2003-interim & the domain level of the root domain is Windows 2003, as is the domain level of all subdomains. All Domain Controllers are Windows 2003 SP2.
    There have been people in the environment with too many rights, who used to promote DCs and then also just decommission them without properly demoting them. This left several unreachable domain controllers in both the root domain & the subdomain.
    I cleared all those DCs that are no longer available, which made company.contoso.com stable and reliable. All DCs within the subdomain are properly talking to each other and replicating fine.
    Then I discovered the main issue here. The replication in the root domain is broken. There is only one domain controller left in the root domain; nevertheless, the server is suffering from USN rollback. Digging deeper, I found out that the domain controllers have been virtualized years ago, but no one ever cared about the root domain. So I found out that replication stopped in 2006, when obviously the last healthy domain controller was removed from the root domain.
    So I have basically a crippled root domain with a crippled domain controller. I am not able to set the forest level to 2003 native, as the domain controller says that the domain contoso.com is still Windows 2000. This is not correct; I have checked msDS-Behavior-Version and nTMixedDomain. They are properly set to 2 & 0.
    My idea was to introduce a newly installed 2003 server and promote it to a DC, then get rid of the broken one. Unfortunately, the broken DC is not replicating. Due to USN rollback, the netlogon service constantly goes to a paused state & of course both inbound & outbound replication are disabled. Even when I re-enable the replication, it is just a matter of seconds before they get disabled again. I also tried to introduce a new 2012R2 DC, but that fails of course due to the forest level not being 2003.
    So I am a little stuck here. Any thoughts about how to continue to troubleshoot?
    I have a final idea:
    Install a new forest with the same name contoso.com and set up a trust with company.contoso.com.
    The question would be, how can I convince company.contoso.com that the newly installed forest and domain are its parent?

    > Install a new forest with the same name contoso.com and set up a trust
    > with company.contoso.com.
    > The question would be, how can i convince company.contoso.com that the
    > new installed forest and domain are its parent ?
    You cannot. Sad, but true. If the forest root domain is dead, the forest
    is dead. In addition, you have no Naming Master and no Schema Master
    FSMOs. The only reliable solution is creating a new forest and new
    subdomains, then migrating all objects...
    Martin

  • AD DS New Forest Domain Naming Problem

    Hey everyone,
    I'm having a bit of a conundrum about the new forest domain name and what possible implications it can have if I choose the wrong naming convention...
    Current Setup
    The current issue is that the company I work for was bought out by another company and, atm, we're using a 2-way forest trust.
    The company also has another site in Africa which is using a different forest domain but doesn't have any forest trust to either of the other 2 domains.
    The current forest domains are:
    1. Company1.local (my old company)
    2. Company2.com.au (main company)
    3. internal.company2direct.com.ke (Africa site)
    To make it worse, all three sites have their own Exchange environment and there are all types of file share/application authentication issues between sites.
    Therefore, the company has decided that they want to get rid of all the Exchange environments/file shares and so forth and move everything to Office365, including SharePoint and Lync.
    New Solution
    They have also decided that they want a new forest with a single domain and that the locations and security will be delegated by using different OU structures/GPOs, as it's all going to be administered by 2 people at the main company site. This is non-negotiable, as they don't want sub/child domains or different forests, just a single entity.
    They're using a third party to do the Office365 design and implementation. However, I have been assigned to set up the new initial AD DS server for the new forest.
    After some reading I've found that we really shouldn't be using '.local' or '.internal' for the forest root domain. I suggested that we use 'internal.thecompanynamethatisreallylong.com.au' and a NetBIOS of 'CNF' (which is actually that long, and I feel that if we have to use a FQDN for anything then it will cause an issue).
    They want me to use the following for the forest root domain: 'au.cnf' with a NetBIOS of 'CNF'.
    Is that really such a good idea, or is there any situation whereby using 'au.cnf' as the prefix.suffix could cause any issues?
    I would have liked to use 'internal.cnf.com.au'; however, the domain name 'cnf.com.au' is already registered by another company.
    Once the new forest is created, I'll create a 2-way trust between the companies and start using ADMT to migrate accounts across.
    Thanks in advance for your help

    Hello,
    for AD limits, especially amount of usable characters, please see
    http://technet.microsoft.com/en-us/library/cc756101.aspx
    Personally I would NOT use the "CNF" as NetBIOS domain name. "CNF" in AD stands for "Conflicting object" and this will be shown in dcdiag or repadmin outputs when conflicts are listed as doubled names for example.
    For the internal naming I would always use short domain names. Top level domain names to avoid for WAAD and Office365 I would also check with the experts in http://social.msdn.microsoft.com/forums/azure/en-US/home?forum=WindowsAzureAD and http://community.office365.com/en-us/f/default.aspx
    You could use public TLDs but keep in mind that you have to configure split DNS that way.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
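Added example (not part of any post on this page, and not Microsoft code): a small Python lint that applies the naming concerns raised in the threads above (single-label roots, `.local`, a namespace the organisation does not own, split DNS, and a NetBIOS name of `CNF`) to a candidate forest root name. The function name, finding codes and the `owned_public_domains` input are assumptions made for illustration; the 15-character NetBIOS limit and the DNS label syntax are general facts rather than statements from the posts, and all sample names are constructed.

```python
import re
from typing import Iterable, List, NamedTuple, Set

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


class Finding(NamedTuple):
    severity: str  # "block", "warn" or "info" (hypothetical scale)
    code: str
    detail: str


def _norm(name: str) -> str:
    """Lower-case and drop surrounding whitespace and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def _within(name: str, zone: str) -> bool:
    """True if name is the zone itself or a subdomain of it."""
    return name == zone or name.endswith("." + zone)


def lint_forest_root(dns_name: str, netbios_name: str,
                     owned_public_domains: Iterable[str]) -> List[Finding]:
    """Check a candidate forest root DNS/NetBIOS name pair.

    owned_public_domains: public DNS names the organisation has registered
    (an input the caller must supply; nothing is looked up online).
    """
    name = _norm(dns_name)
    owned = [_norm(d) for d in owned_public_domains]
    labels = name.split(".")
    out: List[Finding] = []

    if len(name) > 253 or any(not LABEL_RE.match(l) for l in labels):
        out.append(Finding("block", "dns-syntax",
                           "name is not a valid DNS host-style name"))
    if len(labels) == 1:
        # Lync thread: single-labeled root domains are not supported.
        out.append(Finding("block", "single-label",
                           "single-label root domain"))
    if labels[-1] == "local":
        # First thread: certificate and Mac AD authentication issues.
        out.append(Finding("warn", "dot-local",
                           "public CAs no longer issue certificates for "
                           ".local names; Mac AD logon issue reported"))
    if not any(_within(name, zone) for zone in owned):
        # First thread: either style is fine only if you own the namespace;
        # an unregistered suffix may belong to someone else later.
        out.append(Finding("warn", "unowned-namespace",
                           "name is not under a domain you have registered"))
    elif name in owned:
        # Same name inside and outside means maintaining split DNS.
        out.append(Finding("info", "split-dns",
                           "AD name equals the public zone; plan split DNS"))

    nb = netbios_name.strip().upper()
    if not 1 <= len(nb) <= 15:
        out.append(Finding("block", "netbios-length",
                           "NetBIOS domain name must be 1-15 characters"))
    if nb == "CNF":
        # Meinolf Weber's reply: CNF marks conflicting objects in AD tools.
        out.append(Finding("warn", "netbios-cnf",
                           "CNF is shown for conflict objects in "
                           "dcdiag/repadmin output"))
    return out


def codes(findings: Iterable[Finding]) -> Set[str]:
    """Reduce findings to their codes for easy comparison."""
    return {f.code for f in findings}


if __name__ == "__main__":
    # Constructed candidates; the owned domains are placeholders.
    samples = [
        ("contoso.local", "CONTOSO", ["contoso.com"]),
        ("au.cnf", "CNF", ["example.com.au"]),
        ("ad.contoso.com", "CONTOSO", ["contoso.com"]),
    ]
    for dns, nb, owned in samples:
        print(dns, nb, sorted(codes(lint_forest_root(dns, nb, owned))))
```

A dedicated subdomain of a registered name (the third sample) is the only candidate here that produces no findings.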

  • How to change the root domain name in Windows 2012 Server

    Got a Windows 2012 server built up. My root domain name looks something like corp.marketing. Well, I seem to have missed adding the last .com or .local. How do I add the .com to my existing root domain name, please? The server is new and will go online in a few days' time. Thanks for all the help.

    I have a similar question and am not sure if this is the right place. I had set up a server with corp.brighterworld.com, but the Anywhere Access install wizard had me believe that Microsoft's strongly preferred domain name prefix was remote.brighterworld.com, so I contacted GoDaddy and had it reissued as remote. But when I went to reconfigure for the new name, I had already set the server up as a CA, and in that process it issued like 4 or 5 certificates. So I had tried to rebuild the machine from scratch, but it didn't wipe everything, but rather saved the previous state, which left the old certificate stuff to be dealt with. Any hints or help out here for us having to learn this stuff the hard way?
    Thanks,
    Mark Saxton

  • AD FS in Forest Root Domain

    I have an AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me if I need to do any further configuration to have it authenticate users from the child domain or if that should just magically happen because of the parent-child trust relationship.
    Upon rebuilding the server again and making sure that the server name and the pool name were different so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS URLs. It will prompt me for my credentials 3 times and then tell me I am not authorized. I have been searching on the web but have been unable to find the solution. I have made DNS changes, added HTTP SPN entries, changed the authentication settings on IIS... I am stuck. Any help would be great.

    I have been using the "AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation".
    I am trying to federate with a different organization where I am the IP and I have no control over the SAML 2.0 side... That being said, I changed my DNS and now I can get to my server using the IDPInitiatedlogon URL. When I run through the URL that bounces me between the other organization and then back to my AD FS server... I get stuck in a loop where it asks me for credentials 3 times and then tells me I am "Not Authorized".
    Here is a bit of the fiddler trace:
    https://<other-org-adfs>/adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust
    http://<my-org-adfs>:443
    http://<my-org-adfs>:443
    http://<my-org-adfs>:443
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    http://<my-org-adfs>:443
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
    http://<my-org-adfs>:443
    It seems to be stuck looping between /adfs/ls and /adfs/ls/auth/integrated . It then times out and gives me the error in the browser.

  • SCCM 2012 in child domain unable to publish to root domain

    I have an sccm 2012 (no sp) in a child domain (am.corp) and have given the sccm server computer object full control of the system management folder in ADSI on the root domain (corp.local) but continue to get the error in the Active Directory Forests portion
    of the console that I have insufficient access rights to publish to the root domain (corp.local).
    I have sccm management distribution points in the other child domains of the root.
    Any suggestions on how to get this to stop erroring.

    The discovery log tells me it's found 27 sites and 166 subnets. It has problems identifying the forest of some of the other SCCM servers but doesn't give any warning or error (that I see) about publishing.
    See below: (truncated so it fits)
    SMS_EXECUTIVE started SMS_AD_FOREST_DISCOVERY_MANAGER
    as thread ID 3996 (0xF9C).  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.311+240><thread=2924 (0xB6C)>
    =========================================================== 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.321+240><thread=3996 (0xF9C)>
    Beginning Active Directory Forest Discovery Manager  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.321+240><thread=3996 (0xF9C)>
    Entering function ThreadMain()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.321+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::Initialize() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.321+240><thread=3996 (0xF9C)>
    Component SMS_AD_FOREST_DISCOVERY_MANAGER
    is marked active.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.333+240><thread=3996 (0xF9C)>
    Log verbosity level = 0~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::Process() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::ShouldRun() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::CheckIfRunCountValueChanged() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.346+240><thread=3996 (0xF9C)>
    Admin requested to run discovery now.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function ReportForestDiscoverySuccessStatusMessage() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.018+240><thread=3996 (0xF9C)>
    Raising discovery success status message for forest corp.acme.com,
    in which we discovered 27 site(s) and 166 subnet(s).~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.018+240><thread=3996 (0xF9C)>
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER,
    1073750724, 0~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.018+240><thread=3996 (0xF9C)>
    STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER"
    SYS=SCCMADMPRGL01.am.corp.acme.comSITE=GDC
    PID=2524 TID=3996 GMTDATE=Wed Mar 20 15:43:39.018 2013 ISTR0="corp.acme.com"
    ISTR1="" ISTR2="" ISTR3="" ISTR4="166" ISTR5="27" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.018+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.496+240><thread=3996 (0xF9C)>
    Trying to update forest fqdn for all site systems associated with site GDC  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.500+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.500+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.543+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server MSPRNPRTW01.au.corp.acme.com. 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:39.543+240><thread=3996 (0xF9C)>
    Server MSPRNPRTW01.au.corp.acme.com belongs
    to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:41.037+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:42.756+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMADMPRGL01.am.corp.acme.com. 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:42.757+240><thread=3996 (0xF9C)>
    Server SCCMADMPRGL01.am.corp.acme.com belongs
    to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:42.757+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:42.815+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMDPPRAP01.au.corp.acme.com. 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:42.815+240><thread=3996 (0xF9C)>
    Server SCCMDPPRAP01.au.corp.acme.com belongs
    to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:43.689+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName() 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:43.756+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMDPPRAU01.au.corp.acme.com. 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:43.757+240><thread=3996 (0xF9C)>
    Server SCCMDPPRAU01.au.corp.acme.com belongs
    to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:45.040+240><thread=3996 
    (0xF9C)>
    Finishing Active Directory Forest Discovery Manager thread.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:57.044+240><thread=3996 (0xF9C)>
    =========================================================== 
    $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013
    11:43:57.044+240><thread=3996 (0xF9C)>

  • 2012 Domain Prep fails in root domain

    Hi
    We are trying to introduce 2012 DCs into our root domain.
    The schema has updated fine but the domain prep fails, both on the 2012 server we are trying to promote and whilst running it direct from the infrastructure server itself.
    Replication is good and AD itself seems happy enough.   The account has the necessary rights.
    Any help gratefully received.
    Thanks
    The error log contains:
    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d262aae8-41f7-48ed-9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=xxxx,DC=xx,DC=xx.
    [2014/12/08:08:32:53.055]
    LDAP API ldap_search_s() finished, return code is 0x20
    [2014/12/08:08:32:53.055]
    Adprep verified the state of operation cn=d262aae8-41f7-48ed9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=xxxx,DC=xx,DC=xx.
    [Status/Consequence]
    The operation has not run or is not currently running. It will be run next.
    [2014/12/08:08:32:53.055]
    Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=xxxx,DC=xx,DC=xx.
    [2014/12/08:08:32:53.055]
    LDAP API ldap_modify_s() finished, return code is 0x13
    [2014/12/08:08:32:53.070]
    Adprep was unable to modify some attributes on object DC=xxxx,DC=xx,DC=xx.
    [2014/12/08:08:32:53.070]
    Adprep encountered an LDAP error.
    Error code: 0x13. Server extended error code: 0x20b5, Server error message: 000020B5: AtrErr: DSID-03152A9F, #1:
        0: 000020B5: DSID-03152A9F, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9054f (otherWellKnownObjects)
    DSID Info:
    DSID: 0x181112dd
    ldap error = 0x13
    NT BUILD: 9600
    NT BUILD: 16384
    [2014/12/08:08:32:53.086]
    Adprep was unable to update domain information.
    [Status/Consequence]
    Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

    Hi,
    If possible, could you please post more detailed information from adprep.log?
    I noticed that the error indicates the otherWellKnownObjects attribute; it may be related to the Managed Service Accounts container being missing.
    In order to troubleshoot, please first verify that the Managed Service Accounts container does not exist in the domain.
    For more detail information, you could refer to the similar thread:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1a7f9de4-d201-4ac6-a3e7-e396743c31fa/windows-2008r2-adprep-domainprep-fails?forum=winserverMigration
    Regards.

  • ContentSubmitters AD group: root domain or child domain???

    Hi
    We have an empty root domain.  Mailbox users & Exchange 2013 servers are in a child domain.
    As per Microsoft's documentation; we want to create the "ContentSubmitters" group in AD for content index to work properly (article 2807668).  However I do not know where to create it!!!  The article doesn't address it.
    Does it go on the root domain where default exchange groups reside OR OR OR OR OR does it go on child domain where exchange servers reside?????
    Thanks

    Hi,
    Agree with Riaz, you need to create the ContentSubmitters group on the domain that Exchange server is installed using Active Directory Users and Computer (ADUC).
    What's more, when you create the Active Directory security group called ContentSubmitters, follow the steps below to grant Administrators and NetworkService full access to the group.
    Right click the group -> Properties ->Security tab -> add those two groups -> give them full control to the group.
    Here is a thread for your reference.
    Exchange 2013 Content Catalog Index Failed All Databases
    http://social.technet.microsoft.com/Forums/exchange/en-US/fccf9dca-b865-4356-905b-33ac25dcc44d/exchange-2013-content-catalog-index-failed-all-databases?forum=exchangesvravailabilityandisasterrecovery
    Hope it helps.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Forest root domain displayed as network label, rather than child domain

    Following on from this post (which I stupidly contributed to without realising it's a gazillion years old):
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
    I run a DMZ child domain which is pretty tightly locked-down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state why this should be the case clearly, and a vague response from support saying that 'Product Group' (which one?!) have been asked for feedback was never followed up on.
    Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key & deploy either by GPO or batch file, I'm SOL finding a solution to this - but would at least like a viable explanation for the behaviour, as opposed to 'it's by design'.

    Can I ask if something is not working correctly because of this?  The display of the connected network does not affect communication or how DNS will resolve.  Are you chasing this down because you don't like the display, or is there an outage?
    Thanks!
    - Chris Ream -
    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

  • How to create I/O Root domain?

    Hi,
    I would like to ask your help in creating an I/O root domain? Is it the same as creating a guest VM. Is this just another guest VM that has direct connection with I/O such as HBA and Ethernet card?
    Regards,
    Andrew

    Hello
    In the admin manual you can find the definition of root I/O domain, DIO, and SR-IOV. I think it is worth reading so you will be able to make the most of your setup.
    https://docs.oracle.com/cd/E38405_01/html/E38406/usingpcibuseswithldoms.html#scrolltoc
    In this doc you can find more information
    white-paper-ldom
    Regards
    Eze

  • Different DNS lookup strategy for recognized and not recognized root domain

    Firefox's DNS lookup strategy is different if the root domain in the URL is recognized (like .se) or not recognized (like .local). How can I add my self-introduced root domain to the list of recognized root domains?

  • Domain naming master Query

    Hi Team,
    I have gone through some docs related to the Domain naming master. I could see that the Domain naming master controls the addition/removal of domains in the forest.
    My query is:
    1) If I want to remove an additional domain controller, does the domain naming master holder need to be live?
    2) If I need to remove a child domain controller which is the last domain controller in the child domain, does the domain naming master need to be live? Please suggest.
    Thanks in Advance
    Regards
    Sajin P S

    1) if i want to remove an additional domain controller whether domain master holder to be live ?
    2 )  if i need to remove a child domain controller which is the last domain controller in the child domain whether domain naming master to be live ? Please suggest me.
    The Domain naming master role is a forest-wide FSMO role which is not invoked frequently, but only for domain creation/deletion and application partition creation/deletion.
    No, it does not need to be, because you are not creating/removing a domain. Your local RID needs to be accessible in this case.
    Yes, it does. By demoting the last domain controller in a domain, you are removing the domain also. So, because removing a domain from a forest needs to contact the domain naming master role, it needs to be accessible.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Lync Address book sync with root domain

    Hi 
    I have a root and child domain. When I run the CS-updateadresbook I see in the event viewer it's trying to pull the updates from the root domain, not the child. Is this the normal behaviour? If not, how can I fix it? The server is of course joined to the child domain. Please help.

    This is normal behavior. Lync tries to collect the info from all domains in the forest. You can ignore this error or configure the update service to use only some domains:
    Set-CsUserReplicatorConfiguration -Identity global -ADDomainNamingContextList @{Add="dc=fabrikam,dc=com"}
    regards Holger Technical Specialist UC
