Schema extension required in DMZ domain for IBCM?

Similar Messages

• Questions On New Domain in DMZ for IBCM

  We would like to create a new, untrusted AD domain in our DMZ for the purpose of IBCM and perhaps to also join workgroup-based servers that would be in the DMZ(for instance Lync Edge server and so on) so they can be more easily managed by using centralized
  group policies.  They will need to at least have managed Windows Updates and centrally managed A/V as well as ways to manage RDP access to them so they can be remotely managed without having to do one-off local configuration on each DMZ server.
  Can the DC required to create this DMZ domain also be the same machine used for the DP/MP/SUP?
  Can the DC and all the other servers located in the DMZ also be be managed via SCCM along with the IBCM clients?

  Can the DC required to create this DMZ domain also be the same machine used for the DP/MP/SUP?
  It *can* be, but it's not a good idea for it to be at all. Putting things on a DC always introduces idiosyncrasies with security and functionality in general. 
  Can the DC and all the other servers located in the DMZ also be be managed via SCCM along with the IBCM clients?
  Yes.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Installing MP,DP and SUP in DMZ for IBCM

  Hi all,
  I would like start installing MP, DP and SUP role in my DMZ to support IBCM. My DMZ is in the same forest but in different and untrusted domain. The primary site and Enterprise Root Certificate (CA) are in the same domain (intranet). An admin account
  has been created in DMZ domain so the above roles can be installed from primary site server. I am still not too sure how I will install Cert that I created on root CA that is on intranet. Do I need to export it from Intranet and import back on the new site
  server in DMZ or use a different method?
  If the question is too confusing then please give your experience as how you have installed certificate on your site server (DMZ) for IBCM?
  Are you using primary server computer account for installing site roles in DMZ or a user account?
  Do I need to publish site information in DMZ domain as well?
  Thanks

  "My DMZ is in the same forest but in different and untrusted domain"
  This is not possible. By definition, all domains in a forest trust each other -- maybe not directly, but they do trust each other.
  Also, the new system in the DMZ will not be a "site server", it will be a site system (sometime called a site system server but not usually). This may seem like semantics, but its very important because "site server" means something very
  specific which the site system in the DMZ is not.
  Deploying certs in the DMZ can be done in one of many ways. You really should get a PKI smart person involved though because it's not ConfigMgr task. There are ways to deploy certs cross-domain and cross-forest using group policy auto-enrollment but these
  take setup and configuration on the PKI side. Alternatively you could use web enrollment on your CA is it is setup and has the proper templates available -- once again, that will take setup and configuration on your PKI. Finally, you could just use the command-line
  assuming the cert templates are accessible for the system in the other domain.
  For your scenario, you should be able to grant the site server's computer account local admin permissions on the DMZ site system. Don't forget about the FSP which can be very valuable for IBCM but will require and additional site system because it must be
  left to listen for HTTP traffic.
  Finally, publishing site information to the domain allows clients to locate the MP on the intranet however your clients won't be on the intranet to use location information, so that wouldn't help much. Additionally, clients use global catalog queries to
  perform their site location so within a forest, there is no need to publish the same informatin to mutliple domains (unless you have multiple sites which you do not).
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Active Directory Schema Extension for Directory Synchronization - ADFS 3.0, Office 365

  Hi Team,
  We are in a situation with extending the schema for one customer so that these additional exchange attributes may be utilized. They have a single data center where the Primary Domain Controller resides and have multiple remote sites each of which have Additional
  Domain Controllers installed.
  As recommended by Microsoft, I am going to extend the Active Directory Schema with Exchange Setup so that I can leverage targetaddress attribute from Local AD to set primary email address when directory synchronization happens.
  My Query: Do I have to extend the AD Schema with Exchange from each of these ADC's? Or the changes I make on any of them will replicate over the others also?
  Note: The customer will be using ADFS 3.0 'Single Sign On' with Office 365 and does NOT have any On-Premise Exchange deployment.

  My Query: Do I have to extend the AD Schema with Exchange from each of these
  ADC's? Or the changes I make on any of them will replicate over the others also?
  Schema extension is done against the Schema Master. Once done, it gets replicated to other DCs with the AD forest.
  For more details about Schema Extension by Exchange, you can refer to that: http://www.resdevops.com/2013/02/13/extend-ad-schema-to-allow-greater-office-365-management/
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Prepare 2003 Forest/Domain for 2008 R2 or 2012 Domain Controllers

  Hi,
  I would be grateful if you could help me with this:
  We have a single Forest/Single Domain structure which is managed by 4 Windows Server 2003 Std Edition. We are now trying to add a Server 2008 R2 as a domain controller. I have followed lots of articles on MS and other website with regards to preparing the
  Forest and domain before promoting the new server and here is what I got so far:
  Schema master - Windows 2003 SE
  FFL/DFL both set to 2003
  Run Adprep32.exe (found it on 2008 R2 disc) /forestprep and the outcome was:
  lDAPDisplayName "uidNumber" defined for object "CN=VintelauidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the lDAPDisplayName value uidNumber and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  OID "1.3.6.1.1.1.1.0" defined for object CN=Vintela-uidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  lDAPDisplayName "gidNumber" defined for object "CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the lDAPDisplayName value gidNumber and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  OID "1.3.6.1.1.1.1.1" defined for object CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.1" and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  lDAPDisplayName "gecos" defined for object "CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the lDAPDisplayName value gecos and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  OID "1.3.6.1.1.1.1.2" defined for object CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.2" and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  lDAPDisplayName "unixHomeDirectory" defined for object "CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the lDAPDisplayName value unixHomeDirectory and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  OID "1.3.6.1.1.1.1.3" defined for object CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.3" and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  lDAPDisplayName "loginShell" defined for object "CN=VintelaloginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the lDAPDisplayName value loginShell and resolve this inconsistency.  Then run adprep again.
  ==============================================================================
  OID "1.3.6.1.1.1.1.4" defined for object CN=Vintela-loginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
  [Status/Consequence]
  Adprep will not extend your existing schema.
  [User Action]
  Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.4" and resolve this inconsistency.  Then run adprep again.
  On the Schema master, run AD Schema, MMC and deactivated the object for Vintela. run the adprep32 /forestprep again and still the same result.
  Would you please advise what else can/must be done? anyone knows anything on Vintela (Quest VAS) and how to get rid of it?
  thanks for your help in advance.

  Hi,
  Thanks for your post.
  In this case, the most cause may be the OIDS are in conflict with the 2008 /forestprep. Could you please let me know if the forest functional level is 2003? If not, please raise it to 2003.
  For the information about how to raise functional level, please refer to the articles as below:
  What Are Active Directory Functional Levels?
  http://technet.microsoft.com/en-us/library/cc787290(WS.10).aspx
  Raise the Domain Functional Level
  http://technet.microsoft.com/en-us/library/cc753104.aspx
  Raise the Forest Functional Level
  http://technet.microsoft.com/en-us/library/cc730985.aspx
  What is the Impact of Upgrading the Domain or Forest Functional Level?
  http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
  Besides, for the best practice, we can back up all domain controllers’ system state for the unexpected issues. Here is one article related to backup Active Directory.
  Backing up Active Directory
  http://technet.microsoft.com/en-us/library/cc961924.aspx
  I hope this information is helpful for you. If there is anything that requires further clarification, please don’t hesitate to let me know.
  Best regards,
  Ann
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Schema extension with unique value

  I would like to know if it's possible to perform a schema extension to add a new field to active directory and then require that the value entered into the new field be unique between all users.
  For example say I want to track computer to user assignment by adding a field to record the computers serial number. I want to make sure that the same computer is not assigned to 2 people so when I enter the serial number I would like AD to make sure it's
  a unique value between all other users.
  If this is possible any links to documentation on how it would be done would be much appreciated.
  Thanks for the help

  Hello,
  why not using the already existing attributes that are empty on the account proeprties?
  Be aware that changing the schema can result in loss of the domain if done wrong. If you still like to change the schema built a lab BEFORE doing this on production and test everything in detail in the domain to be sure not problems occur.
  Additional keep in mind that own schema changes may result in problems when updating the schema with new versions from Microsoft.
  http://technet.microsoft.com/en-us/library/cc961737.aspx
  http://technet.microsoft.com/en-us/library/bb727064.aspx
  http://technet.microsoft.com/en-us/magazine/2008.05.schema.aspx
  http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/f899e538-c197-497c-beb3-c9968c681867/
  http://blogs.technet.com/b/isingh/archive/2007/02/18/adding-custom-attributes-in-active-directory.aspx
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• Active Directory schema extensions

  Hi
  We are in a process of implementing SAP LDAP sync to manage users from MS Active Directory. SAP requires schema extension generated by RSLDAPSCHEMAEXT program to be applied to Active Directory so that report RSLDAPSYNC_USER can be identify SAP users in MS AD.
  The MS AD team says that any non miscrosoft schema extensions are not supported as OIDs of the schema might conflict with other applications / patches.
  Are the MS AD schema extensions generated by SAP program RSLDAPSCHEMAEXT supported / certified by Microsoft.
  Harsh

  Hi Harsh,
  I would like to point you also to SAP Note 888848 - Notes on schema enhancement with RSLDAPSCHEMAEXT.
  It especially states that:
  ..."The text document generated by RSLDAPSCHEMAEXT was supplied and validate as part of a certification process by the directory vendor."...
  that means in this case by Microsoft.
  If you decide not to use the schema extension that has been supplied by Microsoft you can use attributes that are already existing in your Active Directory as Juergen already pointed out.
  As an example Microsoft Exchange Server creates several additional attributes such as extensionattribute1, ... , extensionattribute15 as part of the installation process. These attributes might be an option for you if you do not want to use the schema extension suggested by RSLDAPSCHEMAEXT.
  Please have in mind that the filter attribute that you will use to determine the SAP username should be indexed since this will reduce the synchronization time.
  Best Regards,
  André

• Creating domain for BI Publisher issue

  Hello,
  Im trying to create domain for BI Publisher 11.1.1.3.0.
  When configuring JDBC there are two component schemas: BIP Schema and OWSM MDS Schema. For database I have MS SQL Server configured with required RCU schemas.
  The strange part: when testing the configuration, one fails - the BIP Schema. In the result log I see a very strange ""SELECT 1 FROM DUAL"" test which is obviously for oracle and not MS SQL.
  For the 2nd schema, the one with successful test, there is a valid test query.
  Please help me understand what am I doing wrong, why is there an Oracle test query for a MS SQL database and finally why on earth only one test fails because for both i have the same database type.
  The version of fusion middleware is the one that came with BI installer 11g (11.1.1.3.0)
  If wonder why am I doing this manually it is because the BI installer hangs at step 11 Creating Domain for about 100 minutes and then exits with timeout. great programming!
  Please give me any hint, advise i can use to make BI Publisher run.
  thank you

  809239 wrote:
  Hi Experts,
  OBIEE 10.1.3.4.1.
  I am able to login bi publisher though Administrator user. But am not able to login remaing users.
  I am getting below error.
  Oracle BI Publisher Enterprise
  Reporting Login: Login failed: Please contact administrator for your username/password.
  Error Details
  Error Codes:
  Please help above issue it is very urgent.
  ThaksHi,
  Refer to this post to make sure you have all the settings implemented correctly: ( http://onlineappsdba.com/index.php/2009/01/15/oracle-bi-publisher-admin-console-xmlpserver-login-issue-administratoradministrator/ ).
  Also, check the log files to see if you can get more detailed error messages.
  -Amith.

• Schema extension

  I am trying to install Server Management and Monitoring Services on a test
  network.
  On the first screen, I have chosen extend schema.
  Then when I go to install Management and Monitoring Services, it checks
  the schema and returns this error. The selected tree does not have the
  required schema extension. Error Code 1.
  What am I missing? How do I correct it?
  Thanks for your help!

  > Have a look at TID 10084926, think this will still apply to the current
  > install
  >
  > Ron
  >
  > <[email protected]> wrote in message
  > news:e_Jaf.904$[email protected]..
  > >I am trying to install Server Management and Monitoring Services on a
  test
  > > network.
  > >
  > > On the first screen, I have chosen extend schema.
  > >
  > > Then when I go to install Management and Monitoring Services, it checks
  > > the schema and returns this error. The selected tree does not have the
  > > required schema extension. Error Code 1.
  > >
  > > What am I missing? How do I correct it?
  > >
  > > Thanks for your help!
  >
  >
  Running the install with the NO_SCHEMA_CHECK allowed me to install server
  management.
  I am still curious why it does't recognize the extended schema. What
  ramifications does that have down the road?

• Configure SUP location for IBCM (Internet Only) Clients

  I'm using ConfigMgr 2012 R2 with a single primary site.   I have a second site server deployed in the DMZ configured
  for Internet  clients.  I have a Internet MP and DP configured with SSL and they are working well. 
  I have a question about how to configure the SUP for internet only clients.   I configured my internet facing SUP to require SSL and configured it for Internet and Intranet clients.
  I installed the ConfigMgr 2012 client on my test machines with the CCMALWAYSINF=1 option to be connected internet only.  
  The clients are not getting a local policy to connect to the SUP and if I add the internet SUP in the local group policy myself it doesn't do anything.  If I run the "windows updates" cycle from the Windows Update client (NOT
  ConfigMgr) it seems to connect and sync with the SUP (WindowsUpdate.log) but ConfigMgr does not appear to recognize the SUP and doesn't point the clients to connect to it and upload the results.  
  Any Ideas how to force my clients to connect to the internet facing (IBCM) SUP to scan for required updates?  Anybody deploy a internet SUP lately that can provide some guidance?  Thank you very much

  Check the log file(s) on the Internet facing site system. The easiest method to check the sync status is by going to the monitoring workspace in the console and then look at the
  Software Update Point Synchronization Status node.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• SCCM 2012 AD schema extension

  Hi all,
  we were in the process of installing SCCM 2012 R2 in our lab, we have extended the schema & schema extension creates classes & attributes we just wanted to know where we can find these Classes & attributes in AD. where we can see it being created
  in AD.
  We have seen the successful schema extension in the log files but we also wanted to get the details from AD side.
  Please suggest.
  Thanks,
  Pranay.

  This has all the details
  But in summary:
  Attributes and Classes Added by the Configuration Manager Schema Extensions
  When you extend the Active Directory schema for ConfigMgr 2012, the following attributes and classes are added to Active Directory Domain Services:
  Attributes:
  cn=mS-SMS-Assignment-Site-Code
  cn=mS-SMS-Capabilities
  cn=MS-SMS-Default-MP
  cn=mS-SMS-Device-Management-Point
  cn=mS-SMS-Health-State
  cn=MS-SMS-MP-Address
  cn=MS-SMS-MP-Name
  cn=MS-SMS-Ranged-IP-High
  cn=MS-SMS-Ranged-IP-Low
  cn=MS-SMS-Roaming-Boundaries
  cn=MS-SMS-Site-Boundaries
  cn=MS-SMS-Site-Code
  cn=mS-SMS-Source-Forest
  cn=mS-SMS-Version
  Classes:
  cn=MS-SMS-Management-Point
  cn=MS-SMS-Roaming-Boundary-Range
  cn=MS-SMS-Server-Locator-Point
  cn=MS-SMS-Site
  The Active Directory schema extensions might include attributes and classes that are carried forward from previous versions of the product but not used by ConfigMgr 2012. For example:
  o Attribute: cn=MS-SMS-Site-Boundaries
  o Class: cn=MS-SMS-Server-Locator-Point

• Configuring weblogic domain for IAM using WLST

  Hi All,
  i have to configure a weblogic domain using wlst(off-line).i am able to do this by using wls.jar template but that domain does not contain all the deployable component which is required for IAM ,IDM.
  I don't know how to set the configuration component which is required for IAM,IDM as asked configuration wizard aske when we use GUI mode and how to give the schema details.
  please give any idea how to configure a domain(for IAM,IDM) using WLST exactly same as GUI mode .
  thanks

  I'm not sure what is your problem, but there is no compatibility issue between CSS and Bind normally.
  The docuement you referenced only says, in the background section, that the DNS server itself needs to be configured so part of your domain is handled by the CSS.
  So, your dns server handles all request for your.domain but there is one NS entry forwarding request for www.your.domain to the CSS so the CSS can answer the dns request.
  The css is not able to handle all types of dns request (ie: email server ip address request) so you can configure a 'dns forwarder' on the css to forward the request to another dns server.
  See the following for dns forwarder config example
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801d3b52.shtml
  Regards,
  Gilles.
  Thanks for rating.

• Intermediary DMZ domain - Will this allow access whilst maintaining seperation?

  Hi 
  We have a client who has a requirement to link the domain of an acquired company whilst maintaining separation from the legacy environment. We have access to the legacy resources using legacy resource domain credentials but the customer wants to connect
  to these resources using the user domain credentials.
  The company has a large forest with several child domains, the users and workstations are hosted in one of these child domains.
  The legacy/resource domain runs many services print/application/file from both the forest root and several of their child domains.
  There is to be a DMZ between both domains and there are DNS/routing/firewall constraints which prevent a direct trust between the two at the moment.
  The user domain is only permitted to have an external one-way (incoming trust) from one of the child domains.
  With these constraints in mind would the introduction of an intermediary domain in the DMZ allow users in the user domain access to the resource domain as described below?
  Groups are created in the DMZ domain which contain the user accounts from the users domain using the one-way trust
  These groups in the DMZ domain are then added, where required, to the acl's of the resources in the resource domain.
  Would the above allow a user in the user domain access to the legacy resources using the user credentials?
  Any suggestions comments will be greatly appreciated, hopefully I have qualified the requirements and the constraints please ask if I have missed out some detail you need to clarify the scope of what I am trying to achieve.
  Thanks, Garry

  Thanks Gleb
  Your answer does support what I thought may be the case as the external trust is non-transitive, wasn't sure if the 2 way forest trust between the resource domain and DMZ domain using group membership would allow access without authentication.
  We have looked into creating a direct trust with a DC in the DMZ of the resource domain and due to a split DNS, address NATing, lack of reverse routing (all configured for other reasons and not something that can easily be undone) and reliance on root DFS
  of the resource domain we experienced issues when trying to establish a trust in this fashion - hence the attempt to further separate the user and resource domains.
  Also a forest trust is not permissible from the user domain due to company policies. The firewall rules are the least of our issues as this is well documented and has been configured before in the environment just highlighting another layer of complexity.
  The users can currently access resources in the legacy domain however they need to authenticate with legacy credentials. The primary goal we are trying to achieve is provide a solution to allow access to these resources with the user domain credentials.
  Any further suggestions would be welcome.
  Garry.

• Is autoconfig required to be run for apps password change

  Is autoconfig required to be run for apps password change -- We are only changing APPS and APPLSYS passwords.
  How to Change Applications Passwords using Applications Schema Password Change Utility (FNDCPASS or AFPASSWD) [ID 437260.1] -- does not mention anything about autoconfig.
  Please clarify.
  Thanks

  It's mentioned in the document twice
  1. For APPLSYSPUB/GUEST as you mentioned
  2. Under "Verify the new password" which cover the apps/applsys passwords
  If you search the doc for "AutoConfig" you will find it there.
  Thanks,
  Hussein

• Error  while building the default domain for intigrated weblogic server

  Hi,
  An error occurred while building the default domain for integrated weblogic server
  log file contains fallowing details about error
  "C:\Oracle\Middleware\oracle_common\common\bin\wlst.cmd" "C:\Oracle\Middleware\jdeveloper\MyWork\system11.1.1.5.38.61.26\o.j2ee.adrs\CreateDefaultDomain.py"
  Process started
  wlst >
  wlst > CLASSPATH=C:\Oracle\Middleware\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\Oracle\Middleware\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\Oracle\Middleware\jdk160_24\lib\tools.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\weblogic_sp.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\weblogic.jar;C:\Oracle\Middleware\modules\features\weblogic.server.modules_10.3.5.0.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\webservices.jar;C:\Oracle\Middleware\modules\org.apache.ant_1.7.1/lib/ant-all.jar;C:\Oracle\Middleware\modules\net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar;;C:\Oracle\Middleware\oracle_common/modules/oracle.jrf_11.1.1/jrf-wlstman.jar;C:\Oracle\Middleware\oracle_common\common\wlst\lib\adf-share-mbeans-wlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\lib\adfscripting.jar;C:\Oracle\Middleware\oracle_common\common\wlst\lib\applcore-diagnostics-wlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\lib\mdswlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\auditwlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\igfwlsthelp.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\jps-wlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\jrf-wlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\oamap_help.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\oamAuthnProvider.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\ossoiap.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\ossoiap_help.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\ovdwlsthelp.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\sslconfigwlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\wsm-wlst.jar
  wlst >
  wlst > PATH=C:\Oracle\Middleware\patch_wls1035\profiles\default\native;C:\Oracle\Middleware\patch_jdev1111\profiles\default\native;C:\Oracle\Middleware\wlserver_10.3\server\native\win\32;C:\Oracle\Middleware\wlserver_10.3\server\bin;C:\Oracle\Middleware\modules\org.apache.ant_1.7.1\bin;C:\Oracle\Middleware\jdk160_24\jre\bin;C:\Oracle\Middleware\jdk160_24\bin;;C:\Oracle\Middleware\wlserver_10.3\server\native\win\32\oci920_8
  wlst >
  wlst > Your environment has been set.
  wlst >
  wlst > CLASSPATH=C:\Oracle\Middleware\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\Oracle\Middleware\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\Oracle\Middleware\jdk160_24\lib\tools.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\weblogic_sp.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\weblogic.jar;C:\Oracle\Middleware\modules\features\weblogic.server.modules_10.3.5.0.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\webservices.jar;C:\Oracle\Middleware\modules\org.apache.ant_1.7.1/lib/ant-all.jar;C:\Oracle\Middleware\modules\net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar;;C:\Oracle\Middleware\oracle_common/modules/oracle.jrf_11.1.1/jrf-wlstman.jar;C:\Oracle\Middleware\oracle_common\common\wlst\lib\adf-share-mbeans-wlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\lib\adfscripting.jar;C:\Oracle\Middleware\oracle_common\common\wlst\lib\applcore-diagnostics-wlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\lib\mdswlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\auditwlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\igfwlsthelp.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\jps-wlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\jrf-wlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\oamap_help.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\oamAuthnProvider.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\ossoiap.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\ossoiap_help.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\ovdwlsthelp.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\sslconfigwlst.jar;C:\Oracle\Middleware\oracle_common\common\wlst\resources\wsm-wlst.jar;C:\Oracle\Middleware\utils\config\10.3\config-launch.jar;C:\Oracle\Middleware\wlserver_10.3\common\derby\lib\derbynet.jar;C:\Oracle\Middleware\wlserver_10.3\common\derby\lib\derbyclient.jar;C:\Oracle\Middleware\wlserver_10.3\common\derby\lib\derbytools.jar;;
  wlst >
  wlst > Initializing WebLogic Scripting Tool (WLST) ...
  wlst >
  wlst > Welcome to WebLogic Server Administration Scripting Shell
  wlst >
  wlst > Type help() for help on available commands
  wlst >
  wlst > Creating Default Domain
  wlst > Reading template: /C:/Oracle/Middleware/wlserver_10.3/common/templates/domains/wls.jar
  wlst > Setting Name to 'DefaultServer'
  wlst > Setting ListenAddress to ''
  wlst > Setting ListenPort to 7101
  wlst > Setting domain administrator to 'FAAdmin'
  wlst > Setting domain password.
  wlst > Problem invoking WLST - Traceback (innermost last):
  wlst > File "C:\Oracle\Middleware\jdeveloper\MyWork\system11.1.1.5.38.61.26\o.j2ee.adrs\CreateDefaultDomain.py", line 59, in ?
  wlst >      at com.oracle.cie.domain.script.jython.WLSTSecurityPrincipal.set(WLSTSecurityPrincipal.java:70)
  wlst >
  wlst >      at com.oracle.cie.domain.script.jython.WLSTSecurityUser.setPassword(WLSTSecurityUser.java:33)
  wlst >
  wlst >      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  wlst >
  wlst >      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  wlst >
  wlst >      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  wlst >
  wlst >      at java.lang.reflect.Method.invoke(Method.java:597)
  wlst >
  wlst >
  wlst > com.oracle.cie.domain.script.jython.WLSTException: com.oracle.cie.domain.script.jython.WLSTException: java.lang.Exception: The password must be at least 8 alphanumeric characters with at least one number or special character.
  wlst >
  rohit

  Hi,
  you see that message: "The password must be at least 8 alphanumeric characters with at least one number or special character." ?
  The password: The weblogic password you provide when prompted
  must be at least: minimal condition for secure passwords enforced on WLS by default
  at least 8 alphanumeric characters: no 7 but eight or more characters
  with at least one number or special character: password should have a number in it or an "@" "-" or similar
  E.g.
  weblogic1
  is one password option that would meet that requirement
  Frank