SAP IDM 7.1 SP4 and Windows 2008r2 domain controller

Similar Messages

• Is it possible for Windows 2008R2 Domain Controllers to audit when a programs are installed/uninstalled on clients and send alerts to Admins?

  We have a program called Audit Wizard that we used with Windows 2003 that monitored all clients and alerted my department when a program was installed/uininstalled. since upgrading to windows server 2008R2, the program no longer works correctly.
  So we are wondering if it is possible for Windows 2008R2 Domain Controllers, running at a 2008R2 forest and domain level) to be able to audit when a programs are installed/uninstalled on clients and send alerts to our Admins?
  If so, How?
  Thanks in advance for your help!
  Pete Macias

  Hi Pete,
  >>So we are wondering if it is possible for Windows 2008R2 Domain Controllers, running at a 2008R2 forest and domain level) to be able to audit when a programs are installed/uninstalled on clients and send alerts to our Admins?
  As far as I know, group policy can't help us do this. If you are interested, we can take a look at System Center Operation Manager and ask for suggestions in the following SCOM forum.
  Operations Guide for System Center 2012 - Operations Manager
  https://technet.microsoft.com/en-us/library/hh212887.aspx
  System Center Operation Manager
  https://social.technet.microsoft.com/Forums/systemcenter/en-US/home?category=systemcenteroperationsmanager
  Best regards,
  Frank Shen 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Binding to Windows 2008r2 domain gives wrong kvno

  I'm getting inconsistent results binding a 10.6.6 system to a windows 2008r2 domain with two DCs. The domain join always appears to work, but in some cases I'm not getting a usable /etc/krb5.keytab file. The upshot is that I can't use GSSAPI with ssh to access the mac from other unix systems.
  In the failure case, the KVNOs in /etc/rb5.keytab disagree with the values in AD. Using 'klist -k -t' on the mac, I see all the KVNOs are 1, but looking on the windows side with ADSIedit, the msDS-KeyVersionNumber on the computer account is 2.
  In the success case, there are duplicate entries for all the keys in the Mac keytab file, one set with KVNO 1 and one set with KVNO 2, windows reports KVNO 2, and everything (ssh) works.
  This also affects kerberos console logins with the /etc/authorizations 'builtin:krb5authenticate,privileged' patch (krb5authnoverify works in both cases).
  I have inconsistent results with Directory Utility (sometimes I get a working krb5.keytab and sometimes I get the broken one). I haven't seen any rhyme or reason to the behavior. I go away for awhile, and maybe it works when I come back (and maybe not). But never an error; DU always thinks it successfully bound. As an aside, with dsconfigad I always get the broken keytab file.
  Any assistance is most appreciated. Thanks!
  David Thompson
  The University of Wisconsin-Madison
  Waisman Brain Imaging Lab

  Thanks for your reply!!
  Yes! I have done it both ways but still the same thing. Now, something interesting, since I'm in the initial setup of the Domain, I decided to reconfigure it to be mydomain.net, instead of mydomain.local. Now I try to bind and I get an error saying that the DNS name forest is incorrect. However, I cannot change the Directory forest from the default value, which is Automatic. So now, I wonder if its that the domain name needs to be set to my.domain.net rather than mydomain.net. I'm lost here.

• CERT_TRUST_IS_NOT_SIGNATURE_VALID when installing a 3rd-party cert in Windows 2008 Domain Controller

  Hello,
  I'm facing with a problem while trying to install a 3rd-party digital certificate on a Windows 2008 Domain Controller.
  Basically, I'm following this TechNet
  http://technet.microsoft.com/en-us/library/cc783835(v=ws.10).aspx
  1) I did create the file Reqdccert.vbs on the Domain Controller
  2) then I did generate the inf file
  cscript reqdccert.vbs DomainController E
  3) and then I generated a certificate request
  certreq -new AD.inf AD.req
  4) also I've imported RootCA and SubCA into the Certificate Store of the DC
  5) I got a signed certificate from our 3rd-party CA running on Windows 2000
  6) when importing the certificate I get the below error
  C:\>certreq -ACCEPT ad.p7c
  Certificate Request Processor: The signature of the certificate cannot be verifi
  ed. 0x80096004 (-2146869244)
  Here is the verbose log from CAPI2:
  + System 
    - Provider 
     [ Name]  Microsoft-Windows-CAPI2 
     [ Guid]  {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} 
     EventID 11 
     Version 0 
     Level 2 
     Task 11 
     Opcode 2 
     Keywords 0x4000000000000003 
    - TimeCreated 
     [ SystemTime]  2014-06-13T09:33:02.604870500Z 
     EventRecordID 304 
     Correlation 
    - Execution 
     [ ProcessID]  1700 
     [ ThreadID]  3032 
     Channel Microsoft-Windows-CAPI2/Operational 
     Computer ad.eac.igs 
    - Security 
     [ UserID]  S-1-5-21-4171312682-976198474-2692596432-500 
  - UserData 
    - CertGetCertificateChain 
    - Certificate 
     [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
     [ subjectName]  ad.eac.com 
    - AdditionalStore 
    - Certificate 
     [ fileRef]  691847ADD248AEB8579462249B063A1555716B21.cer 
     [ subjectName]  SubCA 
    - Certificate 
     [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
     [ subjectName]  ad.eac.com
    - Certificate 
     [ fileRef]  0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer 
     [ subjectName]  RootCA 
     ExtendedKeyUsage 
    - Flags 
     [ value]  0 
    - ChainEngineInfo 
     [ context]  user 
    - AdditionalInfo 
    - NetworkConnectivityStatus 
     [ value]  1 
     [ _SENSAPI_NETWORK_ALIVE_LAN]  true 
    - CertificateChain 
     [ chainRef]  {0B005F9F-F15B-4FE2-A630-7BBEE6AB5C0A} 
    - TrustStatus 
    - ErrorStatus 
     [ value]  8 
     [ CERT_TRUST_IS_NOT_SIGNATURE_VALID]  true 
    - InfoStatus 
     [ value]  0 
    - ChainElement 
    - Certificate 
     [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
     [ subjectName]  ad.eac.com 
    - SignatureAlgorithm 
     [ oid]  1.2.840.113549.1.1.11 
     [ hashName]  SHA256 
     [ publicKeyName]  RSA 
    - PublicKeyAlgorithm 
     [ oid]  1.2.840.113549.1.1.1 
     [ publicKeyName]  RSA 
     [ publicKeyLength]  2048 
    - TrustStatus 
    - ErrorStatus 
     [ value]  8 
     [ CERT_TRUST_IS_NOT_SIGNATURE_VALID]  true 
    - InfoStatus 
     [ value]  4 
     [ CERT_TRUST_HAS_NAME_MATCH_ISSUER]  true 
    - ApplicationUsage 
    - Usage 
     [ oid]  1.3.6.1.5.5.7.3.1 
     [ name]  Server Authentication 
    - Usage 
     [ oid]  1.3.6.1.5.5.7.3.2 
     [ name]  Client Authentication 
    - Usage 
     [ oid]  1.3.6.1.4.1.311.20.2.2 
     [ name]  Smart Card Logon 
     IssuanceUsage 
    - ChainElement 
    - Certificate 
     [ fileRef]  691847ADD248AEB8579462249B063A1555716B21.cer 
     [ subjectName]  SubCA 
    - SignatureAlgorithm 
     [ oid]  1.2.840.113549.1.1.5 
     [ hashName]  SHA1 
     [ publicKeyName]  RSA 
    - PublicKeyAlgorithm 
     [ oid]  1.2.840.113549.1.1.1 
     [ publicKeyName]  RSA 
     [ publicKeyLength]  2048 
    - TrustStatus 
    - ErrorStatus 
     [ value]  0 
    - InfoStatus 
     [ value]  101 
     [ CERT_TRUST_HAS_EXACT_MATCH_ISSUER]  true 
     [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 
    - ApplicationUsage 
     [ any]  true 
     IssuanceUsage 
    - ChainElement 
    - Certificate 
     [ fileRef]  0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer 
     [ subjectName]  RootCA 
    - SignatureAlgorithm 
     [ oid]  1.2.840.113549.1.1.5 
     [ hashName]  SHA1 
     [ publicKeyName]  RSA 
    - PublicKeyAlgorithm 
     [ oid]  1.2.840.113549.1.1.1 
     [ publicKeyName]  RSA 
     [ publicKeyLength]  2048 
    - TrustStatus 
    - ErrorStatus 
     [ value]  0 
    - InfoStatus 
     [ value]  10C 
     [ CERT_TRUST_HAS_NAME_MATCH_ISSUER]  true 
     [ CERT_TRUST_IS_SELF_SIGNED]  true 
     [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 
    - ApplicationUsage 
     [ any]  true 
    - IssuanceUsage 
     [ any]  true 
    - EventAuxInfo 
     [ ProcessName]  certreq.exe 
     [ startTime]  2014-06-13T09:32:53.369Z 
     [ endTime]  2014-06-13T09:33:02.604Z 
     [ duration]  PT9.232850S 
    - CorrelationAuxInfo 
     [ TaskId]  {A8DC7725-FEE9-4E09-905A-FEFF7FAE9B8B} 
     [ SeqNumber]  27 
    - Result The signature of the certificate cannot be verified. 
     [ value]  80096004 
  Any idea what the problem is?
  Thanks in advance,
  Davide.

  One common reason for that error is that the wrong SubCA certificate had been imported accidentally - e.g. an earlier 'version' of that SubCA with the same Subject CA name but a different key. In this case the validating client will try to build a chain
  based on name only but finally the signature check fails.
  Could you cross-check if the extension Authority Key Identifier in your DC certificate is the same as the field
  Subject Key Identifier of the SubCA certificate? (These are typically hashes of the keys though it is not standardized - it should be a unique string characteristic for the CA)
  For the client cert. CERT_TRUST_HAS_NAME_MATCH_ISSUER is indicated in your log - thus Isser name in client cert. matches Subject Name in CA cert, but we don't know about SKI/AKI.
  Elke

• Does Oracle 10G R2 support installation on Windows 2003 Domain Controller?

  Does Oracle 10g R2 support installation on Windows 2003 Domain Controller? I remember that 10g R1 had issues with the DC? Is it still the case. Does it work now?
  Any help is appreciated.
  Regards,
  Raghav

  We have Oracle 10g R2 running on a Windows 2003 domain controller. It was not a domain controller when Oracle was installed. The domain was created after installation. (I don't recommend that procedure. I spent a long day fixing the installation after they configured the domain.) If Oracle is unhappy with being on a domain controller, it has not shown it yet.

• 10.4 and Windows 2003 Domain

  Hello,
  We're a 40% Mac environment where all the Macs are bound to our domain and users log in with Mobile accounts. When we first decided to do this, all the Macs played very nicely with our Windows 2000 domain.
  About three months ago, we upgraded our Windows 2000 domain to a Windows 2003 domain and began enforcing stronger password security. Now all of the Mobile accounts on all of our 10.4 machines refuse to let the users change their passwords. Doing so through the Log In window when a password expires does not work. Neither do the controls in System Preferences/Accounts. Neither do the controls in the Kerberos app. It sits and pinwheels for a few minutes, then returns an error about not being able to change the user's password to the password specified.
  I tried adding myself to a few of these computers as a Mobile user and then changing my password, but that didn't work either. So it isn't something held over in the user accounts from the old domain, and it isn't a permissions thing since I'm an administrator on the domain.
  I've dumped all the Directory Access preferences files. Doesn't help.
  Sometimes this behavior can be fixed by unbinding a machine from the domain, deleting the computer's account in Active Directory, then rebinding it to the domain. Lately, that fix has stopped working, and if I remove a machine from the domain, I cannot rebind it to the domain unless I do so using a different computer name - even though the computer account in Active Directory has been deleted.
  Mobile accounts on all of our 10.5 machines can change their passwords without a problem.
  I'm stumped. Anybody got any brilliant ideas? Information on Macs interacting with Windows domains is pretty scarce.

  Hi Scott, and a warm welcome to the forums!
  What Workgroup do you have set on the Mac in Directory Access Utility?
  See if these 2 links help also...
  http://www.macosxhints.com/article.php?story=20050302023720578
  http://allinthehead.com/retro/218/accessing-a-windows-2003-share-from-os-x

• SAP Server Manager Error after BPC installation on domain controller

  Hi, I have installed BPC on a domain controller with windows 2003 server (english version). When I launch diagnostic in the "SAP Server Manager"  I have the following error message " Current user Name does not have permission for Adminitrators group" . I think that the application it's taking the local user (the diagnistic show that de current user is "server name\user name" instead of "domain name\user name" but I login with the domain Administrator ( this server is a domain controller don't have local users).
  Thanks

  Hi
  I have the same issue that you had.
  "I have installed BPC on a domain controller with windows 2003 server (english version). When I launch diagnostic in the "SAP Server Manager" I have the following error message " Current user Name does not have permission for Adminitrators group" . The application it's taking the local user (the diagnistic show that de current user is "server name\user name" instead of "domain name\user name" but I login with the domain Administrator ( this server is a domain controller don't have local users)."
  Can you please let me know how you solved this ?
  thanks & regards
  Lokesh

• Issue with Installing Oracle 10g R2 on a Windows 2008 Domain Controller

  I'm assigned a evaluation task for my company. The task invoke to install oracle in my Domain Controller Server.
  I got "ORA-12560: TNS:protocol adapter error" when I installed ORACLE 10g R2 for Win2K8 on my Windows 2008 (a Domain Controller Server). It happened in the create predefined database period.
  I tried to google and noted that there are some RUMOS say "We cannot deploy ORACLE on a Domain Controller, It's impossible"
  Is this true? Please, Please advise!
  Thansk,

  This is a link to a same issue
  Creating instance oracle 10.2.0.4 on Windows 2008 32bit

• A question and out CA 'domain controller' templates, and kerbros/KDC in general

  Hello All
  Can someone please help me with the following question. This may be two questions (so if you think I have to post separately please let me know).
  I was reading an MS article called "Active Directory Domain Controllers and Certificate auto-enrolment" which was very helpful but through up some questions too.
  for example the article talks about a 'template' called 'Directory E-mail Replication' what is this? in other words we have all heard of MS Exchange for corporate email, but the name of this template seems to suggest 'Domain Controllers' send e-mails to
  reach other? (over and above their normal AD replication) or is this template used for sending AD replication data via SMTP rather than RPC (which is something I have never heard of). Can someone please explain the purpose of this template, thanks very much.
  Also I want to understand the relationship (if any) between these Domain Controller PKI templates and Kerberos in general (can someone point me to a white paper of good blog article)
  For example my understanding at the moment if Kerberos is basically a 'symmetric'  key encryption system where by the KDC (Key Distribution Center) take care of administering all these symmetric key pairs, is this basic premise
  correct?
  I understand (at a very basic level) to concept of Kerberos TGT and TST (ticket granting ticket and ticket service ticket) and the fact the client cannot read the contents of either of these (rather the KDC is the trust anchor and deals with all the encryption
  and description of the keys to provide/proof identity authentication, and the client simply presents these tickets)
  Hopefully the above is correct (or on the right lines), what I do not understand is how this (Kerberos/KDC) relates to DC's and their 'Domain Controller' templates or how these Domain Controllers use the certificates generated from these templates for encryption
  (I presume to encrypt the AD sync traffic, but isn't this done via Kerberos).
  Also AD CA is optional component therefore my logic suggests there should be no relation to these Domain Controller templates and Kerberos
  As you can see I have some fundermental gaps in my knowleague and would really appreciate someone helping me out here
  Thanks very much
  AAnotherUser__
  AAnotherUser__

  Re the template Directory E-mail Replication.
  Yes, you are right - these are only used for (optional) AD replication via SMTP, and yes this is rather uncommon. I have only encountered this type of replication in a few environments with very specific - and historically grown - firewall and trust requirements.
  Re Kerberos and certificates:
  My favorite white paper is this:
  Windows Vista Smart Card Infrastructure. See especially the details of how Kerberos is used with smart cards as depicted in Figure 16 and the text below.
  When users use smartcards to logon to their computers they authenticate to DCs and DCs authenticate to them. So DCs also need certificates.
  See
  RFC 4556 for details of how public key cryptography is used to protect the Kerberos protocol.
  So in summary certificates are used for authentication and encryption.
  You are right that otherwise - if you don't use smart card logon for users - DC certificates are optional and not needed to do default Kerberos authentication.
  Another reason DC certificates are often deployed is for allowing LDAP browsers and other management tools to connect to AD via LDAPs.
  Elke

• Windows 2012 Domain Controller: Failed to open the runspace pool. The Server Manager WinRM plug-in might be corrupted or missing

  Hi all,
  We have been battling a problem for the last couple of days when we try to add the first windows server 2012 DC to an already existing Domain.
  The Server installation goes smoothly and we can add the computer to the domain and its all green.
  After we promote the server to a domain controller the WinRM service starts acting up (not responding anymore).
  The server manager console shows Remote Management as disabled, and when we try to enable it via the console or Powershell it freezes up.
  The AD DS part of the console is saying that there are post-promotion tasks that need to be completed but once we click on the task it takes us to the promotion wizard again, that basically complains that: Failed to open the runspace pool. The Server Manager
  WinRM plug-in might be corrupted or missing.
  In the Remote Management Event log we see the following entry: "The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)" Event ID 138
  We are unable to do anything with the server (demote, add roles, remotely manage...). We tryed the following already:
  1. Recreate from scratch
  2. Checking the GPOs to see if there is anything setup about RM -> came up with nothing
  We just ran out of ideas so HELP PLEASE !
  BR
  Tomaz Praprotnik

  Hi Cicely,
  Yes the error from the Windows Remote Management event log contains (I took out the User and FQDN of the Computer):
  Log Name:      Microsoft-Windows-WinRM/Operational
  Source:        Microsoft-Windows-WinRM
  Date:          3/29/2013 1:38:53 PM
  Event ID:      138
  Task Category: Response handling
  Level:         Error
  Keywords:      Client
  User:         
  Computer:     
  Description:
  The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
      <EventID>138</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>10</Task>
      <Opcode>0</Opcode>
      <Keywords>0x4000000000000002</Keywords>
      <TimeCreated SystemTime="2013-03-29T12:38:53.786357100Z" />
      <EventRecordID>6876</EventRecordID>
      <Correlation ActivityID="{18FCFBD2-2B38-0003-D261-FD18382BCE01}" />
      <Execution ProcessID="1084" ThreadID="2924" />
      <Channel>Microsoft-Windows-WinRM/Operational</Channel>
      <Computer></Computer>
      <Security UserID="" />
    </System>
    <EventData>
    </EventData>
  </Event>
  There is also another entry that sometimes comes up:
  Log Name:      Microsoft-Windows-WinRM/Operational
  Source:        Microsoft-Windows-WinRM
  Date:          3/29/2013 1:36:34 PM
  Event ID:      142
  Task Category: Response handling
  Level:         Error
  Keywords:      Client
  User:         
  Computer:     
  Description:
  WSMan operation Invoke failed, error code 2150859046
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
      <EventID>142</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>10</Task>
      <Opcode>2</Opcode>
      <Keywords>0x4000000000000002</Keywords>
      <TimeCreated SystemTime="2013-03-29T12:36:34.076973400Z" />
      <EventRecordID>6869</EventRecordID>
      <Correlation ActivityID="{18FCFBD2-2B38-0001-F328-FD18382BCE01}" />
      <Execution ProcessID="4888" ThreadID="4392" />
      <Channel>Microsoft-Windows-WinRM/Operational</Channel>
      <Computer></Computer>
      <Security UserID="" />
    </System>
    <EventData>
      <Data Name="operationName">Invoke</Data>
      <Data Name="errorCode">2150859046</Data>
    </EventData>
  </Event>
  Best regards
  Tomaz Praprotnik

• Migration windows 2003 domain controller

  how to migrate windows server 2003 domain controller to windows server 2008/2012 

  Generally you would stand up the new server, join it to existing domain, dcpromo it and transfer the roles over.
  You can follow along on Meinolf's page.
  http://blogs.msmvps.com/mweber/2012/07/30/upgrading-an-active-directory-domain-from-windows-server-2003-or-windows-server-2003-r2-to-windows-server-2012/
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• Windows 2012 Domain Controller NETLOGON error

  We have Sonicwall
  firewall user authentication System active since last two months. We have Windows 2012 Active directory server setup
  with around 1400 user account created. These accounts were created by using following PowerShell scripts
  Import-Module ActiveDirectory
  #Import CSV
  $csv = @()
  $csv = Import-Csv -Path C:\Users\Administrator\Desktop\"College User Ac Password Details"\FE\civil.csv
  FOREACH ($Person in $csv) {
  $name = $Person.UserName
  $displayname = $Person.Name
  $path = "OU=FE,DC=comp,DC=com"
  $password = $Person.Password
  $enabled = $True
  $changePW = $False
  $description="CIVIL"
  new-ADUser -SamAccountName $name -Name $name -Description $description -DisplayName $displayname -Path $path -AccountPassword (ConvertTo-SecureString $password -AsPlainText -force) -Enabled $enabled -ChangePasswordAtLogon $changePW -PassThru}
  Above script reads an CSV file with username and passwords and create user accounts on Active Directory.
  But since today we are facing issue during authentication process. We are unable to logon to Directory server. When Sonicwall firewall tries to authenticate an user, it logged-out same user. When I checked Event logger on Windows Active Directory server it
  shows following message.
  The dynamic registration of the DNS record 'ForestDnsZones.comp.com. 600
  IN A 192.168.0.12' failed on the following DNS server:
  DNS server IP address: 216.37.64.6
  Returned Response Code (RCODE): 5
  Returned Status Code: 9017
  For computers and users to locate this domain controller, this record must be registered in DNS.
  USER ACTION
  Determine what might have caused this failure, resolve the problem, and initiate
  registration of the DNS records by the domain controller. To determine what might have
  caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and
  Support Center. To initiate registration of the DNS records by this domain
  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain
  controller or restart Net Logon service. Or, you can manually add this record to DNS,
  but it is not recommended.
  ADDITIONAL DATA
  Error Value: DNS bad key.
  Above log entry talks about DNS issue. But I did non configured any DNS server on this machine.Authentication was working fine for last
  two months , but suddenly from today we are facing above issue. Kindly help me out in resolving this issue.

  hi,
  Im not sure of you setup and don't understand where your sonic wall comes in.
  The error with the DNS is that the server is trying to register its DNS entries in the server with the public IP address
  216.37.64.6  which I am assuming is your ISP's DNS server?
  How is the DNS configured on your domain controller? The domain controller should point to it'self as it's preffered DNS server.
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  Blog: http://www.windows-support.co.uk 
  Twitter:   LinkedIn:

• 7110 and The specified domain controller could not be contacted

  Hello,
  Running a 7110 with 2010.Q3.2.0 Software Release and can't seem to join a Windows 2008 SP2 x64 Active Directory Domain.
  I get the following:
  error: The specified domain controller could not be contacted, or the domain is
  invalid for the controller.
  Does anyone know of any known bugs????

  Click Help: Active Directory - there is a link to a registry setting you need to make.

• Can i add a windows 2008 domain controller in a open directory  ?

  i want to add an windows 2008 r2 domain controller to a open directory .
  is this possible, and replicated all users to active directory?

  Yes, You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
  Also you can refer below link
  http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical

• Installing a Windows 2012 Domain Controller into a 2000/2003 domain with Exchange 2003

  Hello,
      I have a client that we are planning to migrate to 2012 over time.  They currently have a Windows 200 DC and 2 member servers running Windows 2003, one of which is running Exchange 2003.
      We first are going to introduce a 2012 server into the domain and my plan was to DCPromo the 2003 server that isn't running Exchange and raise domain level to 2003 and then demote the 2000 server.  I was then going to install the
  2012 server into the domain and make it a backup Domain Controller for the time being and leave the newly promoted Windows 2003 server as the primary Domain Controller with all the roles and global catalog.  My question is will Exchange 2003 still function
  normally in this scenario?
     I've been doing research and read some things about Exchange 2003 not working with 2012 Domain Controllers, but I was thinking if the 2003 is still the primary, it might work.  We will eventually migrate to 2003, they just don't want to
  do it all at once, due to costs and other issues.
  Thanks.

  I didn't ask if it was supported, I just wanted to know if Exchange 2003 would continue
  to function if the Windows 2003 DC still held all the FSMO roles and Global Catalog.
  A not supported situation means that it is a situation where Microsoft made no testing or do not guarantee that you can operate with no problems. Following a not supported scenario could be done but is on your own risk.
  If it won't, can the 2012 server be a member server in the 2003 AD?  The 2000
  DC it is replacing, just shares files on the network in addition to being the lone AD server
  Yes, it can be a member server.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile