SCCM 2012 R2 cross forest with one-way trust feasible?

We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows Server 2012 R2).
Our requirements are to support our Windows 7 client PCs in Domain A and also XenDesktop clients in a separate domain (Domain B) and forest. We have a one-way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be in Domain A, the same as our current SMS 2003 server.
What we want to do, at a minimum, using SCCM is:
Client inventory (hardware, software, user) and package distribution.
Is this doable or a no-go? If not directly, is there any workaround for this? I appreciate any helpful advice or feedback.
I have made the below diagram to better illustrate the scenario:
Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

Hi,
The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
Quote:
Inter-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a two way trust with the forest of the parent (CAS or primary).
Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
Most of these items were taken from this TechNet article – please refer to the article for more information: Planning for Communications in Configuration Manager.
For more information:
http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
Best Regards,
Joyce
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.
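
An added PowerShell example, not part of this thread, to make the trust direction in the question explicit, because "Domain B trusts Domain A" and the `Direction` value that `Get-ADTrust` reports are easy to confuse. The function takes the objects `Get-ADTrust` returns (or the constructed sample below, so it runs offline) and states which side's accounts can authenticate to which side's resources. The names contoso-a.local and contoso-b.local are placeholders.

```powershell
# Added example: interpret AD trust direction the way the question needs it.
# Get-ADTrust (RSAT ActiveDirectory module) reports Direction from the point of
# view of the domain you query:
#   Inbound       = the remote domain trusts us (our accounts are usable there)
#   Outbound      = we trust the remote domain (its accounts are usable here)
#   BiDirectional = both
function Resolve-TrustAccess {
    param(
        [Parameter(Mandatory)][string]$LocalDomain,
        [Parameter(Mandatory)][object[]]$Trusts   # objects with Name, Direction, ForestTransitive
    )
    foreach ($t in $Trusts) {
        $remote = $t.Name
        switch ([string]$t.Direction) {
            'Inbound'       { $can = "$LocalDomain -> $remote"; $cannot = "$remote -> $LocalDomain" }
            'Outbound'      { $can = "$remote -> $LocalDomain"; $cannot = "$LocalDomain -> $remote" }
            'BiDirectional' { $can = 'both directions';         $cannot = 'none' }
            default         { $can = 'unknown';                 $cannot = 'unknown' }
        }
        [pscustomobject]@{
            LocalDomain      = $LocalDomain
            RemoteDomain     = $remote
            Direction        = $t.Direction
            ForestTransitive = $t.ForestTransitive
            # "X -> Y" means accounts (users and computers) from X can authenticate to resources in Y
            AccountsUsable   = $can
            NotPossible      = $cannot
        }
    }
}

# Constructed sample: the one-way trust from the question as seen from Domain A.
# Domain B trusts Domain A, so from A's side the trust is Inbound.
$sampleFromA = @(
    [pscustomobject]@{ Name = 'contoso-b.local'; Direction = 'Inbound'; ForestTransitive = $true }
)
Resolve-TrustAccess -LocalDomain 'contoso-a.local' -Trusts $sampleFromA | Format-List

# Live use on a domain-joined admin workstation with RSAT installed:
# Import-Module ActiveDirectory
# Resolve-TrustAccess -LocalDomain (Get-ADDomain).DNSRoot -Trusts (Get-ADTrust -Filter *)
```

For the sample the output reads "contoso-a.local -> contoso-b.local" under AccountsUsable and "contoso-b.local -> contoso-a.local" under NotPossible: accounts from Domain A are accepted in Domain B, but Domain B computers have no trust path for authenticating to a site server in Domain A, which is the direction a client in Domain B would need for Kerberos against a management point there. That is the distinction the two linked articles in this thread are written around.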
Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
Not sure which is correct...

Similar Messages

  • MBAM 2.5 in Multi-Forest with two way trust

    Hi All,
If we have two forests with a two-way trust, say A and B, and MBAM 2.5 is set up in domain A and the URLs are used in the GPO of domain B to make the clients report to MBAM, what additional steps do we need to take to ensure all functionality works fine, namely:
    - Users from domain B logging in to the self service of MBAM. How will the authentication work? Do we need to add All users from Domain B to any group?
    - Also I read that the Self Service website should not be hosted over the internet as per Microsoft. Why is it?
    Thanks in Advance,
    Regards,
    Vijay

You have to define the group policies in all of the domains where the client resides and place the MBAM Web server in the root domain. Make sure the client can access the MBAM service endpoints. If clients can access the endpoints, you only need to define the MBAM GPOs in the domain where the client resides.
    Check out this link :
    MBAM 2.5 installation - Multi Domain
    Cheers,
    Gaurav Ranjan / Sr. Analyst-Professional Services
MICROLAND Limited - India's leading Infrastructure Management Services Company
    NOTE:Mark as Answer and Vote as Helpful if it helps

  • [SCCM 2012 R2] Cross forest Active Directory Boundaries

    Hi All,
What process/component updates information (subnets) for an already imported AD Site boundary?
How can I be sure that automatically created Active Directory boundaries from native and cross domains really import/use all subnets from AD Sites? What log shows verbose information? PowerShell?
    Note to Product Group and MVPs who have influence to Product Group:
    please add column in Boundaries view to show actual Domain for Active Directory Boundaries (not using Description Column)
    please allow to manually create Active Directory Boundaries from not native domains
    Regards,

    As mentioned, simply type in the site name instead of using the Browse button.
    Site lookups are a simple string comparison that occurs when the client submits the content location or site assignment request to the MP.
    If you don't have multiple primary sites, site assignment is not anything to worry about because all the clients will belong to the same site.
    If you do have multiple primary sites, it gets a bit more complicated depending upon how those multiple sites are broken down client-wise but would most likely come down to not relying on auto-site assignment so this would be N/A anyway.
For content location, the assumption is that the like-named sites are for the same area of connectivity and thus content-location, i.e., DP "assignment", should be the same regardless of domain/forest. If this is not a valid assumption for your environment, then I would submit that your site naming convention is irrational.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • One way trust relationship between different domain windows server 2012 in different forest

I'd like to build the trust correctly between the domains A.local and B.int. A.local is on Windows Server 2012 and B.int is on Windows Server 2012. Both machines are connected to the same LAN. The forest level in the A.local machine is Windows Server 2008 and the forest level in B.int is Windows Server 2012.
I want a one-way trust relationship, i.e. users from A.local gain access to B.local.
My problem is that I create the trust, but when I go to validate the trust between A.local and B.int it gives me this error:
The secure channel (SC) reset on Active Directory Domain Controller \\dc2.B.int of domain B.int to domain A.Local failed with error: There are currently no logon servers available to service the logon request.
NOTE: Recently I upgraded Active Directory from 2008 R2 to 2012. From A.local I can ping B.int by name and by IP, but from B.int I can ping by IP only.
    ihab

    Hi,
Yes, I already did that: I set up conditional forwarding between the two domains, and the firewall is off.
    ihab

  • Active Directory: One Way Trust from NT Domain to 2003 Domain being upgraded to 2012 R2

We have an old legacy NT 4 domain that is slowly being decommissioned. (Slowly is the key word.) Currently there is a one-way external trust between those NT 4 domains and a child domain that is at 2003 functionality. We are in the middle of upgrading that child domain and the root domain to 2012 R2. My only concern right now, and I can't seem to find concrete proof either way, is whether that external one-way trust will break when upgrading the forest and domain functionality to 2012 R2 once we have all our DCs upgraded. I have read articles on how to get that trust to work in a 2008 R2 domain, and of course it is working with the existing 2003 domain.
In theory the trust should break, correct? However, I know there are some security changes among other things in 2012 that may or may not work.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

Yes. We are working with the client to migrate any dependencies off these 3 NT legacy domains. We will be able to decommission 2 of the 3 without any issues. However, they still have an old NT box running SQL 6.5 databases for an application still in production. Yes, they are very aware that NT isn't supported, that that version of SQL isn't supported, and that this will hold up their upgrade.
    Our plans for them will be to deploy all new Windows Server 2012 R2 domain controllers but keep the domain and the forest functionality at 2003 in order to support that final NT Legacy domain until they can get that application migrated.
    Once that NT domain is decommissioned then we can raise the functionality of the rest of their domains from 2003 to 2012 R2.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

  • Users see all applications in RDS 2012 Web access in one-way trust domain environment

    Hello!
    We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
A user from domainB.local authenticates in the Web Access interface (wa.domainA.local) and sees every published application in every collection in the deployment, independently of the User Groups setting of collections and applications. This occurs for any domainB user.
    In the security log of wa.domainA.local we can find an event :
An account failed to log on.
Subject:
  Security ID:     IIS APPPOOL\RDWebAccess
  Account Name:    RDWebAccess
  Account Domain:  IIS APPPOOL
  Logon ID:        0x2C7B16
Logon Type:        3
Account For Which Logon Failed:
  Security ID:     NULL SID
  Account Name:
  Account Domain:
Failure Information:
  Failure Reason:  An error occurred during logon
  Status:          0xC000005E
  Sub Status:      0x0
    Also in network trace on wa.domainA.local kerberos error could be found:
    On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
    How to deal with this issue? The aim is to show only specified applications to domainB users.
    Any help would be appreciated.

    Hi,
    Thank you for your posting in Windows Server Forum.
    Please check below links might useful for your case.
“After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from this article)
    1. Remote APP list empty
2. RD Web Access unable to access Source (RD Server)
    In respect to Kerberos Error, refer this link for troubleshooting.
    1. Troubleshooting Kerberos Authentication problems – Name resolution issues
    2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
    Hope it helps! 
    Thanks,
    Dharmesh

  • Cannot share documents with few users in one way trusted domain

    Hello
I am running into a weird issue. I set up the People Picker in SharePoint 2013 Foundation to look up users from one-way trusted domains, after which I started getting all the users from that domain in my intranet. I can also share or modify the permissions of users, being an administrator. However, when I try to add 2 specific users as site collection administrators or try sharing a document, I get an error.
I can look up their names, but when I try changing their permissions or sharing a document with them, I get an error. It's weird because it is only with these two users; there is no difference from an Active Directory point of view between these and other users. Please help or suggest some troubleshooting steps.
    Regards,
    Hardik Bhilota.

    Hi Hardik,
    What was the error message when sharing documents with the two users?
    Please also check the ULS log for detailed error message which is located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS.
    What is the permission of the two users in SharePoint site? Can they access the site?
    Please also run the two commands below to see if the issue still occurs:
    First, on every front-end Web server on a farm run this command:
    STSADM.exe -o setapppassword -password key
    Second, on a front-end Web server run this command:
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv domain:DnsName,user,password -url http://webapp
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • One Way Trust, Start with RWDC Then Go To RODC?

So, we have an internal network and a DMZ network in play here. I'm attempting to set up a one-way trust so resources on the DMZ network can be managed from the internal network. The internal network has RWDCs in its domain, and the DMZ has its own RWDCs in its own domain and an RODC from the internal network's domain. The internal network's RODC is in its own site in AD and is confirmed to be communicating with the RWDCs in the internal network. The RODC is not an authoritative DNS server, but can host a secondary zone or stub zone. The functional level of the internal domain is 08r2 and the DMZ domain is 2012r2, if that matters.
The task is to set up the one-way trust, and it's proving a bit difficult. So far I've attempted both conditional forwarders and stub zones on the RODC and the DMZ RWDC, no dice. There are no observed DNS replication problems within the domains themselves and, using ping and nslookup, I've confirmed that DNS resolution is working between the RODC and the DMZ RWDC. When I try to create the trust from the DMZ RWDCs, it fails saying the specified domain cannot be contacted. Based on what I've read online in other posts and my inability to get around it, it seems that a trust requires an RWDC at each end to function. If this is not the case, I would love to hear how it can be set up with an RWDC at one end and an RODC at the other.
Now, if it's correct that the trust requires two RWDCs to set up, what if it was set up with two RWDCs and then one of the RWDCs was removed and replaced with an RODC? I guess what I'm asking is: does it just require an RWDC at each end to be set up, or does it also require an RWDC at each end for the trust to function properly on an ongoing basis?

Hi,
Sorry it took me some time to test and reply.
I've confirmed that it is fine to replace an RWDC with an RODC after the trust is set up. You can set it up in your environment.
If you have any feedback on our support, please send to [email protected]

  • OS-Deployment to virtual servers with SCVMM 2012 R2 vs SCCM 2012 R2 or integration with both?

    Hi,
    OS-Deployment to virtual servers with SCVMM 2012 R2 vs SCCM 2012 R2 or integration with both?
    Is SCCM just for physical servers, and SCVMM for virtual?
    What are benefits of integrating them?
    /SaiTech

    Hi,
    Please refer to the links below:
    Introduction to Configuration Manager
    http://technet.microsoft.com/en-us/library/gg682140.aspx
    Virtual Machine Manager
    http://technet.microsoft.com/en-us/library/gg610610.aspx
    The System Center 2012 Integration Guide provides information about automating each of the System Center components and integrating them with each other and with other systems and applications.
    For more information, see the
    System Center 2012 Integration Guide.

  • SCOM Agent in Pending Management with two way trusted domain

    Hello Guys,
I have two trusted domains, abc.com and xyz.com, with a two-way trust and forest-wide authentication enabled, and my SCOM 2012 R2 management server is part of abc.com. There are multiple hosts which are part of domain xyz.com. When I push the agent from the SCOM console to a server, the agent installs with a success message in the task pane, but the agents are now in Pending Management.
For this I am getting Event ID 20002 (OpsMgr Connector) with the following message on the SCOM server: "A device at IP 10.1.1.6:54277 attempted to connect but could not be authenticated, and was rejected."
And the messages below on the server where I am installing the agent.
    Event 20071 OpsMgr Connector
The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server. Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    Event 21016 OpsMgr Connector
    OpsMgr was unable to set up a communications channel to SCOM.abc.com and there are no failover hosts.  Communication will resume when fabSCOM2.nmfab.loc is available and communication from this computer is allowed.
    Event 20070 OpsMgr Connector
The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
    Need help to resolve this can any one help me.
    Thanks in Advance.
NM-BG

    Hi,
Here I suspect an authentication issue.
1. Could you please check if ports 88, 389 and 3268 are open between the client's domain controller and the management server.
2. If the ports are already open, collect netmon traces on both the client and the management server simultaneously and check if there are any Kerberos errors.
    Kind Regards,
    Naveen Kumar B
    ~Bommi
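
An added PowerShell example (not from either thread) that does the port check this answer asks for, and also covers the site-to-site ports quoted in the first answer on this page (SMB 445 and SQL replication 4022). It uses a raw TCP connect with a timeout rather than `Test-NetConnection` so it works on Server 2008 R2 too, and it distinguishes "timed out" (typically a silently dropping firewall) from "refused" (the host answered but nothing listens). Hostnames are placeholders.

```powershell
# Added example: TCP reachability for the ports named in this page's answers.
# Only proves a listener is reachable; it says nothing about whether Kerberos,
# LDAP or the ConfigMgr replication will actually authenticate over it.
function Test-TcpPorts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Ports,
        [int]$TimeoutMs = 2000
    )
    foreach ($p in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)    # throws if the peer sent RST
                $state = 'Open'
            } else {
                $state = 'Timeout'            # no SYN/ACK within the limit: usually a dropping firewall
            }
        } catch {
            $state = 'Refused/Error'          # RST, name-resolution failure, or no route
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $p; Result = $state }
    }
}

# Constructed check list; targets are placeholders for the hosts in the two threads.
$checks = @(
    @{ Target = 'dc1.contoso-b.local';    Ports = 88, 389, 3268; Purpose = 'Kerberos / LDAP / Global Catalog (SCOM agent auth)' }
    @{ Target = 'sccm01.contoso-a.local'; Ports = 445, 4022;     Purpose = 'ConfigMgr file-based and database replication' }
)
foreach ($c in $checks) {
    Test-TcpPorts -ComputerName $c.Target -Ports $c.Ports |
        Add-Member -NotePropertyName Purpose -NotePropertyValue $c.Purpose -PassThru
}
```

Run it from the machine that has to initiate the connection (the agent host for 88/389/3268, the child site server for 445/4022), because host firewalls and network ACLs are evaluated per source. A port that shows `Open` from an admin workstation but `Timeout` from the agent is the usual pattern behind the 20071/21016 events quoted above.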

  • Remote Management of Hyper-V Across One-Way Trust

In order to abstract our hardware from the platform, we would like to virtualize all of our physical machines, installing Hyper-V Server and just running one VM on Hyper-V. We hope this will allow us to quickly migrate machines that currently cannot be on our virtual environment for whatever reason.
We set up a management domain for all of the Hyper-V servers separate from our main domain. A one-way trust was established between the main domain and the management domain, with the management domain trusting the main domain. On the management domain, we created a domain local group, called Management Domain Admins, which contains the foreign security principals from the main domain. The Management Domain Admins group is added to the Hyper-V built-in Administrators group.
Now here is the problem: from a workstation in the main domain, we can manage every part of that server except for adding a virtual hard disk. We can manage the firewall, we can look through the event log, we can create virtual machines and connect them to existing virtual hard disks, but we cannot create a virtual hard disk. The log returns:
The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
We disabled the firewall on both the workstation and the server with the same result. Using a workstation WITHIN the management domain, logging in with an account from the main domain, we can create a virtual hard disk. We have also tried enabling anonymous DCOM and adding the Hyper-V server to the Trusted Hosts list in WinRM to no avail. Also, using inline authentication, we can create virtual hard disks on the server BEFORE adding it to the domain. But as soon as it's added to the domain, we can no longer create hard disks.
    Appreciate any insight!

    I hope it isn't the trust and it's something dumb I forgot to set. I checked again and "cscript .\hvremote.wsf /anondcom:grant" returns "INFO: Nothing to do - ANONYMOUS LOGON already has remote access"
    Thanks!
The event is generated by DCOM, 10028:
DCOM was unable to communicate with the computer <myserver> using any of the configured protocols; requested by PID a34 (C:\Windows\system32\mmc.exe).
    The full trace is:
    2013-07-24 07:59:24.988 [15] USER_ACTION_INITIATED Wizards NewVirtualHardDiskWizard:CreateVirtualHardDiskOnBackgroundThread() Creating new virtual hard disk ...
    2013-07-24 07:59:24.997 [15] USER_ACTION_INITIATED VirtMan ImageManagementServiceView:BeginCreateVirtualHardDisk() Starting creating dynamic virtual hard disk 'D:\Hyper-V\Virtual Hard Disks\test.vhdx' (size = '136365211648')
    2013-07-24 07:59:26.645 [15] ERROR Wizards VMWizardForm:PerformWizardActionInternal() Failed to perform wizard action!
        The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
           at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at System.Management.ManagementScope.InitializeGuts(Object o)
       at System.Management.ManagementScope.Initialize()
       at System.Management.ManagementObject.Initialize(Boolean getObject)
       at System.Management.ManagementBaseObject.get_wbemObject()
       at System.Management.ManagementClass.CreateInstance()
       at Microsoft.Virtualization.Client.Management.VirtualHardDiskSettingData.GetVirtualHardDiskSettingDataEmbeddedInstance(String serverName, String namespacePath)
       at Microsoft.Virtualization.Client.Management.ImageManagementServiceView.BeginCreateVirtualHardDisk(VirtualHardDiskType type, VirtualHardDiskFormat format, String path, String parentPath, Int64 maxInternalSize)
       at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.CreateVirtualHardDiskOnBackgroundThread(Server server, VirtualHardDiskFormat hardDiskFormat, VirtualHardDiskType hardDiskType, String filePath, ConfigurationInfo configBase)
       at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.PerformWizardAction(Object stateObj)
       at Microsoft.Virtualization.Client.Wizards.VMWizardForm.PerformWizardActionInternal(Object stateObj)
    2013-07-24 07:59:26.754 [16] ERROR Wizards VMWizardForm:WizardActionFailed() Wizard action failed!
        The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
           at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at System.Management.ManagementScope.InitializeGuts(Object o)
       at System.Management.ManagementScope.Initialize()
       at System.Management.ManagementObject.Initialize(Boolean getObject)
       at System.Management.ManagementBaseObject.get_wbemObject()
       at System.Management.ManagementClass.CreateInstance()
       at Microsoft.Virtualization.Client.Management.VirtualHardDiskSettingData.GetVirtualHardDiskSettingDataEmbeddedInstance(String serverName, String namespacePath)
       at Microsoft.Virtualization.Client.Management.ImageManagementServiceView.BeginCreateVirtualHardDisk(VirtualHardDiskType type, VirtualHardDiskFormat format, String path, String parentPath, Int64 maxInternalSize)
       at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.CreateVirtualHardDiskOnBackgroundThread(Server server, VirtualHardDiskFormat hardDiskFormat, VirtualHardDiskType hardDiskType, String filePath, ConfigurationInfo configBase)
       at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.PerformWizardAction(Object stateObj)
       at Microsoft.Virtualization.Client.Wizards.VMWizardForm.PerformWizardActionInternal(Object stateObj)
    2013-07-24 07:59:26.755 [16] ERROR Client InformationDisplayer:GetErrorInformationFromException() Application encountered a non-VirtMan exception! Not going to display non-localized message to user.
    2013-07-24 07:59:26.756 [16] ERROR Client UnhandledExceptionHandler:HandleThreadExceptionInternal() Application encountered an unexpected exception!
        The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
           at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at System.Management.ManagementScope.InitializeGuts(Object o)
       at System.Management.ManagementScope.Initialize()
       at System.Management.ManagementObject.Initialize(Boolean getObject)
       at System.Management.ManagementBaseObject.get_wbemObject()
       at System.Management.ManagementClass.CreateInstance()
       at Microsoft.Virtualization.Client.Management.VirtualHardDiskSettingData.GetVirtualHardDiskSettingDataEmbeddedInstance(String serverName, String namespacePath)
       at Microsoft.Virtualization.Client.Management.ImageManagementServiceView.BeginCreateVirtualHardDisk(VirtualHardDiskType type, VirtualHardDiskFormat format, String path, String parentPath, Int64 maxInternalSize)
       at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.CreateVirtualHardDiskOnBackgroundThread(Server server, VirtualHardDiskFormat hardDiskFormat, VirtualHardDiskType hardDiskType, String filePath, ConfigurationInfo configBase)
       at Microsoft.Virtualization.Client.Wizards.NewVhd.NewVirtualHardDiskWizard.PerformWizardAction(Object stateObj)
       at Microsoft.Virtualization.Client.Wizards.VMWizardForm.PerformWizardActionInternal(Object stateObj)

  • One way trust WMI issues - only on domain controllers

    Hi all, 
I'm having some interesting issues with attempting to set up remote monitoring via WMI from a trusted-domain service account to some remote domains in our environment. There is a one-way trust set up, and the service account has no problems with any client machines, but gets rejected when attempting to query the domain controllers.
    I've verified this is an issue both in our enterprise and production environment. I assumed it had something to do with the Domain Controller Security Policy and added the account in question to the following policies to no avail:
    Act as part of the operating system
    Log on as a batch job
    Log on as a service
    Replace a process level token
    Now I'm beginning to suspect it's something to do with not being able to add the service account to the "domain admins" group, however I'd much rather a solution that didn't involve giving this account admin privileges at all. 
    I've given the account read permissions to /root/CIMv2 via the WMI control MMC snap-in, as well as DCOM remote enable and added it to the "Distributed COM Users" and "Performance Monitor Users" groups. 
    I'm fully out of ideas and my google-fu is failing. Anyone hit this before? 

    Hi,
    Yes, you will need to know the credentials of the domain admin in the trusted domain.
    You can try to use Get-WmiObject command, and input trusted domain administrator’s credentials, which should give you admin privileges.
    Using the Get-WMiObject Cmdlet
    http://technet.microsoft.com/en-us/library/ee176860.aspx
    If you have problems of applying Powershell, please refer to Powershell forum below:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell&filter=alltypes&sort=lastpostdesc
    Regards,
    Amy
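
An added PowerShell example, not from this thread, showing the explicit-credential remote WMI query this answer suggests, done over DCOM (the same transport `Get-WmiObject` and the WMI Control snap-in use, and the one the Hyper-V thread above was fighting with). The code takes whatever credential you hand it; it does not itself need a Domain Admins account, so it can be used to test whether a less-privileged service account is enough once the namespace and DCOM rights are in place. It separates "access denied" (authenticated but not authorized) from "RPC unreachable" (firewall or name resolution), which is the first question to answer in both threads. Hostnames and account names are placeholders.

```powershell
# Added example: remote CIM/WMI query with an explicit credential over DCOM.
function Invoke-RemoteCimQuery {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Namespace = 'root\cimv2',
        [string]$Query     = 'SELECT Caption, LastBootUpTime FROM Win32_OperatingSystem'
    )
    $session = $null
    try {
        # DCOM needs TCP 135 plus the RPC dynamic range on the target, and the caller
        # needs "Remote Launch/Activate" in DCOM config and Remote Enable on the namespace.
        $session = New-CimSession -ComputerName $ComputerName -Credential $Credential `
                                  -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
        $data = Get-CimInstance -CimSession $session -Namespace $Namespace -Query $Query -ErrorAction Stop
        [pscustomobject]@{ ComputerName = $ComputerName; Outcome = 'OK'; Detail = $data }
    } catch {
        $msg = $_.Exception.Message
        # 0x80070005 "Access is denied": the account authenticated but lacks DCOM or namespace rights.
        # 0x800706BA "RPC server is unavailable": endpoint never reached (firewall, DNS, wrong name).
        $outcome = if     ($msg -match '0x80070005|Access is denied')               { 'AccessDenied' }
                   elseif ($msg -match '0x800706BA|RPC server is unavailable')      { 'RpcUnreachable' }
                   else                                                            { 'Failed' }
        [pscustomobject]@{ ComputerName = $ComputerName; Outcome = $outcome; Detail = $msg }
    } finally {
        if ($session) { Remove-CimSession $session }
    }
}

# Usage (placeholders). Prompt for the account rather than embedding a password in the script.
# $cred = Get-Credential 'CONTOSO-A\svc-monitor'
# 'dc1.contoso-b.local', 'ws01.contoso-b.local' |
#     ForEach-Object { Invoke-RemoteCimQuery -ComputerName $_ -Credential $cred } |
#     Format-Table ComputerName, Outcome -AutoSize
#
# Legacy equivalent with the cmdlet named in the answer:
# Get-WmiObject -ComputerName dc1.contoso-b.local -Credential $cred -Namespace root\cimv2 -Class Win32_OperatingSystem
```

If a workstation returns `OK` and a domain controller returns `AccessDenied` with the same credential, the difference is authorization on the DC, not the trust: compare the namespace security and DCOM launch/activation ACLs on both, and the local-group memberships, before reaching for a Domain Admins account.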

  • SCCM 2012 CU2 OSD forest trust: ReleaseRequest failed with error code 0x87d00317

    Hello,
I have a difficult problem with my SCCM 2012 R2 CU2 Windows 7 x64 SP1 task sequence:
I get the following error in smsts.log:
    ::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    RegQueryValueExW is unsuccessful for Software\Microsoft\SMS\Task Sequence, SMSTSEndProgram TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    End program:  TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Finalize logging request ignored from process 1736 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Waiting for CcmExec service to be fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CcmExec service is up and fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle will be read from _SMSTSActiveRequestHandle TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle: {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Attempting to release request using {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CoCreateInstance succeeded TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    ReleaseRequest failed with error code 0x87d00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Here is the complete smsts.log: http://1drv.ms/1pwTEBf
    To explain the Problem in Detail:
The SCCM primary site server and the clients are in different trusted (bidirectional) forests!
Everything is working fine in this scenario: I can install the SCCM agent on the clients with manual ccmsetup and with client push installation. Additionally I can deploy software updates and so on... only OSD is crashing in the ReleaseRequest step.
During my task sequence new clients are joined to Domain A while the SCCM primary site server is installed in Domain B.
If I change my TS and let the clients also join Domain B everything works without any problems and the task sequence finishes without any errors.
My problem must be related to the different domains and the forest trust.
My setup:
MP published to DNS in both domains
Schema extended in both domains
System Management container published and verified in both domains
ccmsetup parameters in TS: ccmsetup SMSMP=sccm.domain.b FSP=sccm.domain.b DNSSUFFIX=Domain.b
Network Access Account configured with a Domain B account
Domain join account has Create Computer rights on the OU in Domain A (domain join is successful)
DNS conditional forwarders configured in both domains and DNS resolution is working in both directions
    Any suggestions?
    Many thanks.
    regards,
    Christian

    Hi Christian,
So do you actually get an error message in your TS, or is it just failing to join Domain B? (Could be both if the machine fails to join the domain.)
Can you review netsetup.log on the machines after the issue and see what error message you might be getting during the domain join process?
Also, if it is a domain join issue, can you try manually joining Domain B using the same service account?
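
An added PowerShell example, not from this thread, for triaging ConfigMgr log excerpts in the flattened `<message> <component> <date> <time> <thread> (0xhex)` form in which smsts.log lines are pasted above (the Patchdownloader.log lines in the next message use the same layout). It parses each line into fields, pulls out every HRESULT-style code, and decodes the Win32-facility ones so that a code like 0x80070002 reads as the registry-value-not-found it actually is, while ConfigMgr-specific codes such as 0x87D00317 are flagged for lookup instead of being guessed at. The sample lines are copied from the excerpt above; the decoding rule for the 0x8007xxxx range is standard HRESULT structure, not anything ConfigMgr-specific.

```powershell
# Added example: parse flattened ConfigMgr log lines and pull out the error codes.
function ConvertFrom-FlatCmLog {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Trailing fields are fixed: component, M/d/yyyy, h:mm:ss tt, thread id, (0xHEX)
        $m = [regex]::Match($Line,
            '^(?<msg>.*?)\s+(?<comp>\S+)\s+(?<date>\d{1,2}/\d{1,2}/\d{4})\s+(?<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$')
        if (-not $m.Success) { return }          # blank line, URL, or other non-log text
        $msg = $m.Groups['msg'].Value
        # Codes appear as HRESULT=80070002, 0x80070002, hr=0x80070197, or "code 87D00317"
        $codes = [regex]::Matches($msg, '(?i)(?:HRESULT=|0x|\bcode )([0-9a-f]{8})\b') |
                 ForEach-Object { '0x' + $_.Groups[1].Value.ToUpper() } | Select-Object -Unique
        [pscustomobject]@{
            Timestamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $($m.Groups['time'].Value)",
                                               'M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
            Component = $m.Groups['comp'].Value
            Thread    = [int]$m.Groups['tid'].Value
            Codes     = @($codes)
            Message   = $msg
        }
    }
}

function Get-CmErrorText {
    param([Parameter(Mandatory)][string]$Code)   # e.g. '0x80070002'
    $value = [uint32]$Code
    if (($value -shr 16) -eq 0x8007) {
        # FACILITY_WIN32: the low 16 bits are a plain Win32 error number
        return (New-Object System.ComponentModel.Win32Exception -ArgumentList ([int]($value -band 0xFFFF))).Message
    }
    return 'not a Win32 HRESULT; look it up in the ConfigMgr client error tables (e.g. CMTrace Error Lookup)'
}

# Sample lines copied from the smsts.log excerpt in the post above
$sample = @'
::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
'@ -split "`r?`n"

$entries = $sample | ConvertFrom-FlatCmLog
$entries | Format-Table Timestamp, Component, Thread, Codes, Message -AutoSize
$entries | ForEach-Object { $_.Codes } | Select-Object -Unique |
    ForEach-Object { '{0}: {1}' -f $_, (Get-CmErrorText $_) }
```

For a full smsts.log pulled off a client, feed it through `Get-Content -Raw` and the same pipeline; grouping the output by `Thread` keeps the TSManager lines for one step together, which is what you need to see whether the ReleaseRequest failure is the first error or only the last symptom after the domain-join step.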

  • SCCM 2012 R2 ADR issue with proxy authentication

    Hi,
    We're migrating SCCM 2007 to SCCM 2012 R2.
    In SCCM 2007, the proxy server is configured with user authentication, and this works.
    In SCCM 2012 R2, the Software Update Point is installed locally and connected with a local WSUS 4.0 (Server 2012)
    We use a proxy with user authentication for Update Deployment. (This user is the same as configured in SCCM 2007.)
    The Proxy Server is Blue Coat SG.
    The proxy account is used for:
    The Synchronization works, but Automatic Deployment Rule (ADR) doesn't work.
    When an Automatic Deployment Rule is started, it tries to authenticate 3 times.
    The Patchdownloader.log shows:
Trying to connect to the root\SMS namespace on the <servername> machine.    Software Updates Patch Downloader    11/8/2013 12:19:06    3608 (0x0E18)
Connected to \\<servername>\root\SMS    Software Updates Patch Downloader    11/8/2013 12:19:06    3608 (0x0E18)
Trying to connect to the \\<servername.domain>\root\sms\site_ECM namespace on the <servername.domain> machine.    Software Updates Patch Downloader    11/8/2013 12:19:06    3608 (0x0E18)
Connected to \\<servername.domain>\root\sms\site_ECM    Software Updates Patch Downloader    11/8/2013 12:19:06    3608 (0x0E18)
Download destination = \\<servername.domain>\dp_wks_ms_updates$\3208bb5e-bcd9-4389-a0c9-02ef33ccb998.1\XPSEPSC-x86-en-US.exe .    Software Updates Patch Downloader    11/8/2013 12:19:07    3608 (0x0E18)
Contentsource = http://wsus.ds.www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/xpsepsc-x86-en-us_7ae70ca1330a099080c6c41c4d5b7f19b30dc0cd.exe .    Software Updates Patch Downloader    11/8/2013 12:19:07    3608 (0x0E18)
Downloading content for ContentID = 16819067, FileName = XPSEPSC-x86-en-US.exe.    Software Updates Patch Downloader    11/8/2013 12:19:07    3608 (0x0E18)
Try username <domain\ProxyAccount>    Software Updates Patch Downloader    11/8/2013 12:19:07    8364 (0x20AC)
Proxy enabled proxy server <proxyserver>:8080    Software Updates Patch Downloader    11/8/2013 12:19:07    8364 (0x20AC)
HttpSendRequest failed HTTP_STATUS_PROXY_AUTH_REQ    Software Updates Patch Downloader    11/8/2013 12:19:07    8364 (0x20AC)
Download http://wsus.ds.www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/xpsepsc-x86-en-us_7ae70ca1330a099080c6c41c4d5b7f19b30dc0cd.exe to C:\Windows\TEMP\CAB6FD2.tmp returns 407    Software Updates Patch Downloader    11/8/2013 12:19:07    8364 (0x20AC)
ERROR: DownloadContentFiles() failed with hr=0x80070197    Software Updates Patch Downloader    11/8/2013 12:19:07    3608 (0x0E18)
    Then the proxy user account is locked:
    Trying to connect to the root\SMS namespace on the <servername> machine.        Software Updates Patch Downloader        11/8/2013 12:20:11        3608 (0x0E18)
    Connected to \\<servername>\root\SMS        Software Updates Patch Downloader        11/8/2013 12:20:11        3608 (0x0E18)
    Trying to connect to the \\<servername.domain>\root\sms\site_ECM namespace on the <servername.domain> machine.        Software Updates Patch Downloader        11/8/2013 12:20:11        3608 (0x0E18)
    Connected to \\<servername.domain>\root\sms\site_ECM        Software Updates Patch Downloader        11/8/2013 12:20:11        3608 (0x0E18)
    Download destination = \\<servername.domain>\dp_wks_ms_updates$\e0a54221-3ff2-4129-b7cf-89bf5cd1f726.1\Windows-KB943729-x86-ENU.exe .        Software Updates Patch Downloader        11/8/2013 12:20:12        3608 (0x0E18)
    Contentsource = http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2009/10/windows-kb943729-x86-enu_e174c41ce3dcbd5c8922d6d1c39df1be425a70e0.exe .        Software Updates Patch Downloader        11/8/2013 12:20:12        3608 (0x0E18)
    Downloading content for ContentID = 16824262, FileName = Windows-KB943729-x86-ENU.exe.        Software Updates Patch Downloader        11/8/2013 12:20:12        3608 (0x0E18)
    Try username <domain\ProxyAccount>        Software Updates Patch Downloader        11/8/2013 12:20:12        12480 (0x30C0)
    Proxy enabled proxy server <proxyserver>:8080        Software Updates Patch Downloader        11/8/2013 12:20:12        12480 (0x30C0)
    HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED        Software Updates Patch Downloader        11/8/2013 12:20:12        12480 (0x30C0)
    Download http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2009/10/windows-kb943729-x86-enu_e174c41ce3dcbd5c8922d6d1c39df1be425a70e0.exe to C:\Windows\TEMP\CAB6E4B.tmp returns 403        Software Updates Patch Downloader        11/8/2013 12:20:12        12480 (0x30C0)
    ERROR: DownloadContentFiles() failed with hr=0x80070193        Software Updates Patch Downloader        11/8/2013 12:20:12        3608 (0x0E18)
    The RuleEngine.log shows:
    Failed to download the update from internet. Error = 403 SMS_RULE_ENGINE 11/8/2013 16:18:25 3608 (0x0E18)
    Failed to download ContentID 16824467 for UpdateID 16819978. Error code = 403 SMS_RULE_ENGINE 11/8/2013 16:18:25 3608 (0x0E18)
    It seems that the ADR uses a wrong password when authenticating with the proxy, but this same user works when synchronizing with WSUS.
    We performed the following actions with no result:
    ran the ADR manually and automatically,
    reinstalled WSUS and SUP,
    changed the proxy user account.
    Regards,
    Matthias
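    The log excerpt above shows the pattern worth recognising in Patchdownloader.log: a download attempt that ends in 407 (the proxy rejected the credentials it was sent) followed, for the same account, by 403 (the proxy now refuses the account outright, which is what a locked-out account looks like from the outside). The triage script below is an added example, not part of the original post or of Configuration Manager; it parses lines in the tab-separated format the log uses (message, component, date and time, thread id), pairs each "Try username" entry with the "returns NNN" result on the same thread, and summarises the status sequence per proxy account. The log lines embedded in it are constructed for the example, with placeholder account, host and URL names; the real log has one entry per line.

```python
import re
from collections import defaultdict

# One entry as Patchdownloader.log writes it: message, component, "date time", "thread (hexid)".
# Fields are tab separated in the file; runs of two or more spaces are accepted for pasted copies.
SEP = r"(?:\t| {2,})"
LINE_RE = re.compile(
    r"^(?P<msg>.*?)" + SEP +
    r"(?P<component>[^\t]+?)" + SEP +
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})" + SEP +
    r"(?P<thread>\d+) \((?P<hexid>0x[0-9A-Fa-f]+)\)\s*$"
)
USER_RE = re.compile(r"^Try username (\S+)")        # account offered to the proxy
STATUS_RE = re.compile(r"returns (\d{3})\s*$")      # HTTP status of the download attempt

# Constructed sample log (placeholder names, not a real capture), mirroring the 407-then-403 sequence.
SAMPLE_LOG = [
    "Try username CORP\\svc-proxy\tSoftware Updates Patch Downloader\t11/8/2013 12:19:07\t8364 (0x20AC)",
    "Proxy enabled proxy server proxy.example.test:8080\tSoftware Updates Patch Downloader\t11/8/2013 12:19:07\t8364 (0x20AC)",
    "HttpSendRequest failed HTTP_STATUS_PROXY_AUTH_REQ\tSoftware Updates Patch Downloader\t11/8/2013 12:19:07\t8364 (0x20AC)",
    "Download http://example.test/update1.exe to C:\\Windows\\TEMP\\CAB1.tmp returns 407\tSoftware Updates Patch Downloader\t11/8/2013 12:19:07\t8364 (0x20AC)",
    "ERROR: DownloadContentFiles() failed with hr=0x80070197\tSoftware Updates Patch Downloader\t11/8/2013 12:19:07\t3608 (0x0E18)",
    "Try username CORP\\svc-proxy\tSoftware Updates Patch Downloader\t11/8/2013 12:20:12\t12480 (0x30C0)",
    "HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED\tSoftware Updates Patch Downloader\t11/8/2013 12:20:12\t12480 (0x30C0)",
    "Download http://example.test/update2.exe to C:\\Windows\\TEMP\\CAB2.tmp returns 403\tSoftware Updates Patch Downloader\t11/8/2013 12:20:12\t12480 (0x30C0)",
    "ERROR: DownloadContentFiles() failed with hr=0x80070193\tSoftware Updates Patch Downloader\t11/8/2013 12:20:12\t3608 (0x0E18)",
]


def parse_patchdownloader(lines):
    """Parse log lines into dicts; lines that do not match the entry format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def proxy_attempts(events):
    """Pair each 'Try username' with the 'returns NNN' result logged by the same thread."""
    current_user = {}   # thread id -> account most recently offered to the proxy
    attempts = []
    for ev in events:
        mu = USER_RE.match(ev["msg"])
        if mu:
            current_user[ev["thread"]] = mu.group(1)
            continue
        ms = STATUS_RE.search(ev["msg"])
        if ms:
            attempts.append({"user": current_user.get(ev["thread"]),
                             "status": int(ms.group(1)),
                             "time": ev["time"], "thread": ev["thread"]})
    return attempts


def diagnose(attempts):
    """Summarise the status sequence per account. 407 = proxy rejected the supplied
    credentials; a 403 after one or more 407s on the same account is consistent with a
    lockout triggered by the failed attempts, so the stored password is the first thing to check."""
    by_user = defaultdict(list)
    for a in attempts:
        by_user[a["user"]].append(a["status"])
    findings = {}
    for user, statuses in by_user.items():
        n407 = statuses.count(407)
        if n407 and 403 in statuses:
            findings[user] = ("credentials rejected %d time(s) (407) then 403: "
                              "check the stored proxy password and the account lockout state" % n407)
        elif n407:
            findings[user] = "credentials rejected %d time(s) (407): stored proxy password is wrong" % n407
        elif 403 in statuses:
            findings[user] = "403 without a prior 407: account already locked or proxy policy denies the URL"
        else:
            findings[user] = "no proxy authentication failures"
    return findings


def triage(lines):
    return diagnose(proxy_attempts(parse_patchdownloader(lines)))


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG).items():
        print("%s: %s" % (user, verdict))
```

    To run it against a real file, pass `open(path, encoding="utf-8", errors="replace").read().splitlines()` to `triage`. Pairing by thread id matters because the downloader runs several worker threads at once, so the "Try username" and "returns" lines of different content downloads can interleave.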

    Currently, the command shows:
    Current WinHTTP proxy settings:
        Direct access (no proxy server).
    We've been testing with:
    upddwnldcfg.exe /s:<proxyserver>:<port> /u:<user> /allusers
    psexec -i -s iexplore.exe, set Internet Explorer proxy manually
    All with same result, proxy user getting locked when ADR runs.
    (These settings have been removed after the test.)
    I think dekac99 would suggest netsh winhttp set proxy or import proxy.
    Then turn off proxy use on the SUP role (this way SCCM will not send auth, but all WinHTTP traffic will use the proxy).
    The problems with that, for me, are:
    - If MS implemented role-based proxy usage, why set it at the HTTP layer? Of course this might work as a workaround for the time being, so it might be a good idea, but I'm just not sure what unwanted issues it may cause.
    - The other thing I'm not sure about: with set proxy you cannot define an authentication account. If you use import from IE and IE prompted for proxy auth, the stored credential will be used at the WinHTTP layer (though I'm not 100% sure of that), so this is just too uncontrolled for me.
    - upddwnldcfg.exe will need to run as the system account (it stores credentials under HKCU; as far as I know it will be a per-user setting).
    --> What confuses me: the catalog sync works, which should use the same configured proxy and account(?); only the ADR does not work. Shouldn't they both use the same process for sending account auth info?

  • Supported AD topology - Two forests with one domain in each

    Hi all,
    I've been tasked with deploying Lync in our environment and I've hit a wall with regard to Lync's AD topology support; my environment is as follows:
    Two forests and each one has a single domain in it. There is a two-way trust relationship between the forests.
    All of our user accounts and computer accounts are in Domain A (in Forest A)
    All of our server accounts and mailboxes (linked with user account in Domain A) are in Domain B (in Forest B)
    If I was to deploy Lync Server in Domain B (Forest B), can my users in Domain A (Forest A) access Lync with all functionality? Are there any special considerations I need to take into account?
    Many thanks,
    Craig

    Hi,
    It is supported by Microsoft for your Lync topology.
    For your Lync topology, it is called Multiple Forests, Central Forest. The resource forest hosts only enterprise application servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. The ObjectSID of the primary user account (from the account forest) is mapped to the corresponding disabled user account's msRTCSIP-OriginatorSID attribute. These disabled user accounts are enabled for Lync Server 2010 and mail-enabled for Microsoft Exchange Server if it is deployed.
    You can refer to the link below to deploy Resource Forest Topology for Lync Server 2010:
    http://technet.microsoft.com/en-us/library/gg670909(v=ocs.14).aspx
    Best Regards,
    Eason Huang
    TechNet Community Support
