SCOM deployment in Child Domain
Dears,
I am confused with this request; please help me with answers to my questions.
I have my forest like this:
ABC.Local, which is the root domain; it is a single site with SCOM 2007 fully deployed and configured with a remote DB.
One.ABC.Local, where One is the child domain of my ABC domain; there are many servers there, but no SCOM.
The request is to monitor servers in One.ABC.Local using SCOM. My doubts are:
Can I monitor the child domain using my root domain SCOM server, just as if it were in my root domain?
Or shall I deploy a dedicated SCOM there?
Any other helpful suggestion?
Thank you
Hi,
From my point of view, adding another management server in the other domain should work; please follow the link below to add an additional management server:
http://technet.microsoft.com/en-us/library/hh284673.aspx
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Similar Messages
-
Adding a child domain: process hangs at Replicating the schema directory partition
Hello everyone,
For practice purposes and exam preparation I have my own virtual private network set up on a PowerEdge R905 machine (which is a beast). I have two networks and a Windows Server 2008 R2 box in a DMZ zone set up as a router to route traffic between my two networks.
My two networks are 192.168.10.0 and 192.168.20.0. The 10 network has its own Active Directory set up; now on my 20 network I am trying to deploy a child domain. During the process everything goes just fine, BUT the process of promoting the domain gets stuck on "Replicating the Schema Directory Partition". Can anyone tell me what the issue might be? I tried everything that I could think of, such as:
made sure the 20 network server is pointed to the DNS on the 10 network server.
you can ping the IP address and the FQDN of the 10 network from the 20 network.
I made sure all firewalls are disabled on both networks.
on my 10 network I have created sites and assigned the right subnets for each site.
So please, any hint and explanation is greatly appreciated.
If firewalls are disabled between the 2 subnets then you are sure that all of the below ports are open:
Client port(s)               Server port          Service
49152-65535/UDP              123/UDP              W32Time
49152-65535/TCP              135/TCP              RPC Endpoint Mapper
49152-65535/TCP              464/TCP/UDP          Kerberos password change
49152-65535/TCP              49152-65535/TCP      RPC for LSA, SAM, Netlogon (*)
49152-65535/TCP/UDP          389/TCP/UDP          LDAP
49152-65535/TCP              636/TCP              LDAP SSL
49152-65535/TCP              3268/TCP             LDAP GC
49152-65535/TCP              3269/TCP             LDAP GC SSL
53, 49152-65535/TCP/UDP      53/TCP/UDP           DNS
49152-65535/TCP              49152-65535/TCP      FRS RPC (*)
49152-65535/TCP/UDP          88/TCP/UDP           Kerberos
49152-65535/TCP/UDP          445/TCP              SMB
49152-65535/TCP              49152-65535/TCP      DFSR RPC (*)
Then make sure that the other subnet is reached across a route, not across NAT, to avoid a lot of additional configuration.
Regards,
Housam Smadi -
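As an added check that is not part of the thread above: the script below probes the static TCP ports from the port table from the server being promoted toward the existing parent-domain DC, confirms the parent domain's DC locator SRV record resolves (the "pointed to the DNS on the 10 network" step), and then makes one real RPC call so the dynamic 49152-65535 range (endpoint mapper plus an ephemeral port) is exercised too. UDP ports cannot be probed with a connect(), so they are not listed. The DC name and domain name are assumptions for the example. For the SCOM question at the top of the page, the same Test-TcpPort call against the management server on TCP 5723 is the equivalent check for agent traffic from the child domain.

```powershell
# Added example (not from the thread). Assumed names: change to your environment.
$ParentDc  = 'dc01.abc.local'   # an existing DC in the parent domain
$ParentDom = 'abc.local'        # parent domain DNS name
$TimeoutMs = 2000

# Static server ports from the table. Services that live in the dynamic range
# (LSA/SAM/Netlogon, FRS, DFSR) are covered by the RPC call at the end rather than
# by scanning 16,000 ports.
$ports = @(
    @{ Port = 135;  Service = 'RPC Endpoint Mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 636;  Service = 'LDAP SSL' },
    @{ Port = 3268; Service = 'LDAP GC' },
    @{ Port = 3269; Service = 'LDAP GC SSL' },
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        # No answer within the timeout: a firewall is silently dropping the SYN.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)    # throws on RST (port closed or refused)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

foreach ($p in $ports) {
    $ok = Test-TcpPort -Target $ParentDc -Port $p.Port -TimeoutMs $TimeoutMs
    $state = if ($ok) { 'open' } else { 'BLOCKED' }
    '{0,-28} {1,5}/TCP  {2}' -f $p.Service, $p.Port, $state
}

# DNS: promotion needs the parent domain's locator records, not just an A record.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$ParentDom" 2>&1 | Out-String
if ($srv -match 'svr hostname') { 'DNS SRV lookup for _ldap._tcp.dc._msdcs: ok' }
else { 'DNS SRV lookup FAILED: check that this server uses the parent DC as its DNS server' }

# RPC end to end: WMI over DCOM goes through 135 and then a dynamic port on the DC.
try {
    $os = Get-WmiObject -ComputerName $ParentDc -Class Win32_OperatingSystem -ErrorAction Stop
    "RPC dynamic-port path: ok ($($os.Caption))"
} catch { "RPC dynamic-port path FAILED: $($_.Exception.Message)" }
```

A BLOCKED result on a port while the WMI call succeeds usually means the DC is fine and something in the path (a host firewall profile that came back on, or the router in the DMZ) is filtering that one port; a failing WMI call with 135 open points at the dynamic range being filtered, which is exactly where schema replication stalls.
-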
Newly deployed child domain certificate server didn't publish root trust certificate to the client
The child domain certificate didn't install on the child domain workstations.
https://support.microsoft.com/en-us/kb/281271?wa=wsignin1.0
Certification Authority configuration to publish certificates in Active Directory of trusted domain
Any advice?
Thanks.
Hi,
>>Newly deployed child domain certificate server didn't publish root trust certificate to the client
Is this an enterprise root CA or a standalone CA?
If it is an enterprise root CA, it will automatically use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. If it is a standalone CA, we can configure a GPO to distribute the certificate.
Regarding how to use policy to distribute certificates, the following article can be referred to for more information.
Use Policy to Distribute Certificates
https://technet.microsoft.com/en-us/library/cc772491.aspx
We can run the command gpupdate /force to immediately update Group Policy and then refresh the certificates in certmgr.msc to see if the certificate comes up.
Besides, for certificate questions, we can also ask for suggestions in the following forum.
Security
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
Best regards,
Frank Shen
-
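An added check, not part of the thread above: an enterprise CA publishes its certificate into the forest's Configuration partition, which every domain in the forest replicates and from which domain members pull trusted roots. The script compares what is actually published there with what the local machine holds in its Trusted Root store, so you can tell "never published to AD" from "published, but this client has not picked it up yet". The CA name is an assumption used only to highlight the CA of interest; run it on a child-domain workstation as an administrator.

```powershell
# Added example (not from the thread).
$CaName = 'One-CA'   # assumed CA common name; adjust

$configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function ConvertTo-X509 {
    param([byte[]]$Der)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Der)
}

# CA certificates published as trusted roots for the whole forest.
function Get-AdRootCaCerts {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Certification Authorities,$pkiBase"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = '(objectClass=certificationAuthority)'
    [void]$searcher.PropertiesToLoad.Add('cACertificate')
    foreach ($r in $searcher.FindAll()) {
        foreach ($der in $r.Properties['cacertificate']) { ConvertTo-X509 $der }
    }
}

# NTAuthCertificates: CAs trusted to issue logon (e.g. smart card) certificates.
function Get-AdNtAuthCerts {
    $entry = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
    foreach ($der in $entry.Properties['cACertificate']) { ConvertTo-X509 $der }
}

$localRoot = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }
$ntAuth    = Get-AdNtAuthCerts | ForEach-Object { $_.Thumbprint }

foreach ($cert in Get-AdRootCaCerts) {
    $flag     = if ($cert.Subject -like "*CN=$CaName*") { '>>' } else { '  ' }
    $inStore  = if ($localRoot -contains $cert.Thumbprint) { 'in LocalMachine\Root' } else { 'MISSING locally' }
    $inNtAuth = if ($ntAuth -contains $cert.Thumbprint) { 'NTAuth: yes' } else { 'NTAuth: no' }
    '{0} {1}  {2}  {3}  expires {4:yyyy-MM-dd}' -f $flag, $cert.Subject, $inStore, $inNtAuth, $cert.NotAfter
}
```

If the CA shows up in AD but is MISSING locally, the client simply has not refreshed yet: gpupdate /force followed by certutil -pulse triggers the autoenrollment pass that copies it down. If the CA does not appear in AD at all, the CA install never published it; the usual cause is that the account installing the enterprise CA in the child domain was not a member of Enterprise Admins, which is required to write to the Configuration partition. In that case an Enterprise Admin can publish it afterwards with certutil -dspublish -f <cacert.cer> RootCA.
-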
Active Directory: 2003 to 2012 R2 Upgrade across single forest with child domains
I just have a quick question about something that should be simple. We will be upgrading our current domain from Windows 2003 functionality to Windows 2012 R2. This forest has a root domain and two child domains. I have two questions. Since we have to do this in a few steps in order to get up to 2012 functionality, I am wondering where it is considered best practice to start: in the root (top level) domain of the forest or in one of the child domains? I want to say the root (top level) domain is where I would place my first Windows 2012 R2 box and promote it to a domain controller, then move to the child domains once the root domain controllers have all been replaced with Server 2012.
Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.
Yes. We are working with the client to migrate any dependencies off these 3 NT legacy domains. We will be able to decommission 2 of the 3 without any issues. However, they still have an old NT box running SQL 6.5 databases for an application still in production. Yes, they are very aware that NT isn't supported, that that version of SQL isn't supported, and that this will hold up their upgrade.
Our plans for them will be to deploy all new Windows Server 2012 R2 domain controllers but keep the domain and the forest functionality at 2003 in order to support that final NT legacy domain until they can get that application migrated.
Once that NT domain is decommissioned then we can raise the functionality of the rest of their domains from 2003 to 2012 R2.
Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb. -
Child Domain Lync Installation
Run Enable-CsAdForest on the root domain server. Any idea how to do Enable-CsAdForest without installing the Lync deployment tools on a root server?
Check that the universal security group is added in the root domain.
Check that the child domain didn't replicate the universal security group.
Run Enable-CsAdDomain -Domain chil.domain.com to enable child domain users to use Lync.
Any advice? How long does it take to replicate the universal security group?
I will install Lync Server in the child domain and federate with Office 365.
Thanks.
Hi,
Did you prepare the schema successfully without issue?
You need to prepare the forest on a computer which is joined to a domain, as a member of the Enterprise Admins group for the forest root domain. You need to prepare the forest with the Lync Server Deployment Wizard or the Lync Server Management Shell cmdlets directly. So you need to install the Lync deployment tools on one of the root servers.
You are right, you must verify that global settings have been replicated before running domain preparation.
Please also log in to the child domain using an account which is a member of the Enterprise Admins group, then check whether the replication happens or not.
Best Regards,
Eason Huang
TechNet Community Support -
Forest root domain displayed as network label, rather than child domain
Following on from this post (which I stupidly contributed to without realising it's a gazillion years old):
http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
I run a DMZ child domain which is pretty tightly locked down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state clearly why this should be the case, and a vague response from support saying that 'Product Group' (which one?!) had been asked for feedback was never followed up on.
Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key and deploy either by GPO or batch file, I'm SOL finding a solution to this, but would at least like a viable explanation for the behaviour, as opposed to 'it's by design'.
Can I ask if something is not working correctly because of this? The display of the connected network does not affect communication or how DNS will resolve. Are you chasing this down because you don't like the display, or is there an outage?
Thanks!
- Chris Ream -
**Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.** -
Migrating to Lync in a child domain from OCS in a Parent domain
I am looking to migrate from OCS to Lync 2010. I have gotten as far as deploying the target pool, but when I try to merge the topologies it fails.
OCS is in the root domain of my forest but Lync is planned for the primary child domain where 80% of my users live. I just need to know if this is a supported migration scenario for Lync. If it is, how do I merge the two topologies, as it looks like the merge tool is only looking at the child domain for the configuration of OCS?
Jeff
Hi,
Did you build a new pool with the side-by-side approach?
It is supported to migrate Lync from one domain to another domain in the same forest. Here are the supported server migration paths in the link below:
http://technet.microsoft.com/en-us/library/gg425764.aspx
For the topology merge failure, did you receive any error message in the FE server Event Viewer?
The Lync Server default SIP domain should be the same when migrating from OCS to Lync Server. If not, you can add the SIP domain in the Lync topology and then run a command such as the one below on the Lync FE server:
Set-CsSipDomain -Identity <new sip domain name> -IsDefault $True
Note: (change <new sip domain name> to your Lync Server SIP domain name)
Then run the OCS merge again to test the issue.
Best Regards,
Eason Huang
TechNet Community Support -
Migrating 2 domains into child domains in a new forest
I have a unique scenario in which my company merged with another.
My Company:
Windows 2003 AD
Exchange 2003 SP3
192.x.x.x
New Company
Windows 2008 AD
Exchange 2010
10.x.x.x
Each domain has its own resources, servers and workstations. For political reasons we still need some management separation.
My Goals:
Create a new neutral root forest/domain.
Migrate both domains to 2 child domains under this new root
Bring the domain to 2012 R2
Create a single Exchange 2010/2013 cluster with all mailboxes
What is the best way to accomplish this? Where exactly does Exchange sit?
Thanks!
Hi,
>>What is the best way to accomplish this?
In Active Directory, we can use ADMT to do the migration. However, if we need an inter-forest migration from Domain Controller 2003 to Domain Controller 2012, at this time MS does not have an ADMT for Windows Server 2012. We can downgrade our forest and domain functional level to Windows Server 2008 R2, add an additional Domain Controller 2008 R2 and use ADMT 3.2 for the migration. After the migration is completed, we can demote the Domain Controller 2008 R2 and raise the FFL & DFL to Windows Server 2012 again.
Regarding specific procedures for performing the migration, the following article can be referred to as reference.
Interforest Migration with ADMT 3.2 - Part 1
http://social.technet.microsoft.com/wiki/contents/articles/11996.interforest-migration-with-admt-3-2-part-1.aspx
Interforest Migration with ADMT 3.2 - Part 2
http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx
Interforest Migration with ADMT 3.2 - Part 3
http://social.technet.microsoft.com/wiki/contents/articles/16621.interforest-migration-with-admt-3-2-part-3.aspx
>>Where exactly does Exchange sit?
For mailbox migration, in order to get better help, we can ask for suggestions in the following exchange forum.
Exchange Server 2013- Setup, Deployment, Updates, and Migration
http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrdeploy
Best regards,
Frank Shen -
I have setup a test system. It has a domain with 2 child domains. DomainA.xyz.com has users and workstations. DomainB.xyz.com is a resource domain and has servers. wyx.com is for IT administration.
Users in domainA can log on to the domainB computers. I searched to find out why it was so. I found a "NT AUTHORITY\INTERACTIVE" entry in the local Users group that enables this.
This is rather confusing. 1. When a user enters his credentials, he is not logged on and therefore would not be "INTERACTIVE" at that time. 2. If everybody that signs on a computer is interactive, then does that mean everyone in the forest can sign on?
So my issue is: can I delete the "INTERACTIVE" entry in the local Users group and not cause any problems? I want to protect the resource domain from users signing on to them and give them access to the resources they need.
Hi,
The Interactive group includes all users that have logged on locally.
In addition, it is not recommended to remove the Interactive group from the local Users group since it would cause all kinds of problems. For more detailed information, please refer to the similar thread and link below:
Interactive group
Staring at a blank desktop, due to Interactive missing from Users group
Best regards,
Susie -
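An added example, not part of the thread above, for the question of who can log on to the resource-domain servers. The thing that decides whether a domain A account gets an interactive logon on a domain B server is the "Allow log on locally" and "Deny log on locally" user rights (SeInteractiveLogonRight and SeDenyInteractiveLogonRight); by default the allow right is granted to the local Users group, and the INTERACTIVE entry in Users only makes an already-authenticated user a member of Users for the duration of the session. Rather than deleting INTERACTIVE, the script exports the effective user rights with secedit, resolves the SIDs to names, and lists the members of the local Users group, so you can see exactly which principals are getting a logon and then tighten the rights themselves with a GPO linked to the resource servers. It runs elevated on a domain B server and assumes nothing about your environment.

```powershell
# Added example (not from the thread). Run as an administrator on the server in question.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null   # writes the [Privilege Rights] section

function Resolve-Sid {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # unresolvable (orphaned) SID: leave it, that is itself worth noticing
}

# Reads one right from the export; entries look like "*S-1-5-32-545" (SID) or a plain name.
function Get-UserRight {
    param([string]$Right)
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # right not assigned to anyone
    $value = ($line -split '=', 2)[1]
    $value -split ',' | ForEach-Object {
        $t = $_.Trim()
        if ($t.StartsWith('*')) { Resolve-Sid $t.Substring(1) } else { $t }
    }
}

# Members of a local group, as DOMAIN\name (INTERACTIVE shows as NT AUTHORITY\INTERACTIVE).
function Get-LocalGroupMembers {
    param([string]$Group)
    $g = [ADSI]"WinNT://./$Group,group"
    @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '' -replace '/', '\'
    }
}

$allow = Get-UserRight 'SeInteractiveLogonRight'
$deny  = Get-UserRight 'SeDenyInteractiveLogonRight'

'Allow log on locally : ' + ($allow -join ', ')
'Deny log on locally  : ' + ($deny  -join ', ')
'Local Users members  : ' + ((Get-LocalGroupMembers 'Users') -join ', ')
Remove-Item $inf -ErrorAction SilentlyContinue
```

On a domain-joined server the Users group normally also contains Authenticated Users and the domain's Domain Users group, which is why anyone in the forest can log on: the allow right reaches them through Users. To restrict the resource servers, replace Users in "Allow log on locally" with Administrators plus a domain B group that holds the accounts that should have console access, or add a domain A group to "Deny log on locally" (deny always wins). Pilot the GPO on one server first, since a wrong entry locks everyone out of the console.
-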
Exchange 2013 sp1 smtp NTLM auth for child domain users
I have an Exchange organization with Exchange 2007 SP3 & Exchange 2013 SP1.
All users are on the Exchange 2013 server (mail flow is through the Exchange 2013 server).
I have a single forest, 2 sites (site1, site2), root domain root.local and 1 child domain ch.root.local.
The DC for the child domain is located in site2 (dc.ch.root.local).
The multirole Exchange 2013 server is installed in the root domain.
I am trying to configure an SMTP receive connector with NTLM auth and have one problem.
When a user in the child domain tries to send email through this receive connector I see in the log:
<,AUTH NTLM,
>,334 <authentication response>,
*,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
*,CH\user1,authenticated
*,,Setting up client proxy session failed with error: 535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user
*,,"Setting up client proxy session failed with error: 451 4.4.0 Primary target IP address responded with: ""535 5.7.3 Unable to proxy authenticated session because either
the backend does not support it or failed to resolve the user."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.15:465"
but authentication is successful for users from the root domain.
Why could this be?
Thanks.
Thanks for the link.
In the SMTP receive logs (Hub Transport role) I've found the following:
Client Proxy EXMAIL2013,08D134DAF6CE1C51,49,192.168.1.15:465,
*,NT AUTHORITY\SYSTEM,authenticated
>,235 <authentication response>,
<,XPROXY SID=08D130D354F520D1 IP=192.168.1.21 PORT=57085 DOMAIN=[192.168.1.21] CAPABILITIES=0 SECID=Uy0xxx...
*,,Error while looking up SamAccountName chuser: The user name or password is incorrect.\r\n
*,None,Set Session Permissions
>,250 XProxy accepted but user identity could not be obtained, -
Active Directory Domain Services Child Domains
I am using Windows Server 2008 R2 SP1.
http://technet.microsoft.com/en-us/library/cc771856(v=ws.10).aspx
When I select "Add Roles" I click on "Active Directory Domain Services (Installed)" the "Next>" button is not enabled and can not be selected.
Did I install ADDS wrong?
Is this not how you define Child Domains?
If I use the Command Line or Answer File Methods I get an error message at "ChildName".
Did I forget to install something about enabling child domains when installing ADDS?
Hi,
Did you try to create a child domain on the Domain Controller? It seems that this server is already a DC, with Active Directory Domain Services installed.
We don't have to enable anything in the root domain for creating child domains/new trees; we just need to run Dcpromo or Add Roles on another server which is not a DC, and select the existing domain as its parent, then the child domain will be created.
In addition, please make the existing DC the preferred DNS server on the new server.
I hope this helps.
Amy -
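An added example, not part of the thread above, of the unattended form of the promotion Amy describes: run on a server that is not yet a DC and that already uses the existing DC as its DNS server. The answer-file value ChildName is the single left-most label of the new domain, not its FQDN, which is the usual reason an unattended run stops with an error at ChildName. Credential passwords are given as '*' so dcpromo prompts for them; the DSRM password has to be in the file, so the script writes the file with an ACL only the current administrator can read, removes it as soon as dcpromo returns, and leaves the reboot to you. All names (abc.local, one, ONE, the site name) are assumptions for the example.

```powershell
# Added example (not from the thread). Assumed names; adjust before use.
$parentDns    = 'abc.local'
$childName    = 'one'        # single label only, NOT 'one.abc.local'
$childNetbios = 'ONE'
$siteName     = 'Default-First-Site-Name'

# Collect the DSRM password without echo; it must be written in clear text for dcpromo.
$dsrm      = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr      = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=$parentDns
ChildName=$childName
DomainNetbiosName=$childNetbios
SiteName=$siteName
InstallDNS=Yes
CreateDNSDelegation=Yes
DNSDelegationUserName=$parentDns\Administrator
DNSDelegationPassword=*
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
UserDomain=$parentDns
UserName=Administrator
Password=*
RebootOnCompletion=No
"@

$file = Join-Path $env:SystemRoot 'Temp\dcpromo-child.txt'
Set-Content -Path $file -Value $answer -Encoding ASCII
# Strip inherited ACEs so only the account running this can read the DSRM password.
icacls $file /inheritance:r /grant:r "${env:USERNAME}:F" | Out-Null

try {
    dcpromo "/unattend:$file"
    "dcpromo exit code: $LASTEXITCODE"
} finally {
    Remove-Item $file -Force -ErrorAction SilentlyContinue   # never leave the password on disk
}
# If the exit code reports success, reboot to finish: Restart-Computer
```

The account supplied in UserDomain/UserName must be allowed to create the child domain (Enterprise Admins in the forest) and, for the DNS delegation, to write to the parent zone; using separate credentials for the delegation, as above, keeps the two rights distinct.
-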
Exchange 2010 unable to find objects in child domain via ESM
I am having a problem on Exchange 2010 which relates to mailboxes whose AD account is in a child domain in the AD forest.
We have two domains A & B in the forest. The site which hosts E2010 only has DCs from domain A (root domain). These DCs are set as Global Catalogues.
All Exchange servers (2 x CAS & 2 x Mailbox) installed in Domain A (primary site) can resolve domain B, and performing nslookups for domain B on these servers displays the DCs installed in domain B at remote sites.
I am migrating some resource mailboxes with AD accounts in domain B and need to set them up as room mailboxes to enable the auto-accept bookings feature.
After migrating the mailboxes, using the EMS to set the mailbox as a room, below is the error I get:
[PS] C:\Windows\system32>set-mailbox mtgrm1@domainB -Type Room
The operation couldn't be performed because object 'mtgrm1@domainB' couldn't be found on 'DC01.domainA.com'.
    + CategoryInfo          : NotSpecified: (0:Int32) [Set-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 9E6F6A1,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
I have also tried using only the alias and the object CN:
set-mailbox mtgrm1 -Type Room
set-mailbox -Identity 'domainB/Sitename/Users/MSX Resource Accounts/Conf MtgRm1 (Video)' -Type Room
but get the same error.
All employee mailboxes from Domain B have been migrated to Exchange 2010 from 2003 and are working with no problems.
I have confirmed domain B has been prepared for E2010 - In the Microsoft Exchange System Objects container in AD there is the global group Exchange Install Domain Servers.
Event ID 2080
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1864). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc02.domainA.COM    CDG 1 7 7 1 0 1 1 7 1
DC01.domainA.com    CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
DC03.domainA.COM    CDG 1 0 0 1 0 0 0 0 0
dc04.domainA.COM    CDG 1 0 0 1 0 0 0 0 0
Please note the Out of site DCs are for our Exchange failover site which is currently down due to the storms on the East Coast.
Does Exchange 2010 require a local DC for the second domain installed in the sites which host Exchange? If not, any advice on what else I can look at will be appreciated.
Thanks.
Hi there,
If the questions is answered, please mark it accordingly. Thanks.
Fiona Liao
TechNet Community Support -
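An added check, not part of the thread above, for the error quoted in the question. The message names a domain A DC as the server on which the object could not be found, and the Exchange Management Shell by default scopes recipient lookups to the domain of the Exchange server it is running on unless told otherwise. The commands show the current scope, widen it to the whole forest for the session, and retry; the second form instead pins one cmdlet to a DC in domain B. The alias mtgrm1 and the domain name come from the post; the DC name DC05.domainB.com is an assumed example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
Get-ADServerSettings | Format-List ViewEntireForest, RecipientViewRoot, PreferredGlobalCatalog

# Session-wide: look in the whole forest rather than only domain A.
Set-ADServerSettings -ViewEntireForest $true
Get-Mailbox -Identity mtgrm1 -ErrorAction Stop | Format-List Identity, OrganizationalUnit, OriginatingServer
Set-Mailbox -Identity mtgrm1 -Type Room

# Per-cmdlet: talk to a DC that holds the domain B object directly (assumed DC name).
Set-Mailbox -Identity mtgrm1 -Type Room -DomainController 'DC05.domainB.com'

# Back to the default scope when done.
Set-ADServerSettings -ViewEntireForest $false
```

If Get-Mailbox finds the object once the scope is widened, the lookup was the problem, not domain preparation. The write still has to land on a writable DC in domain B, so that DC must be reachable from the Exchange site across the WAN; the Event ID 2080 list in the question only enumerates domain A DCs because topology discovery reports the DCs of the local site, which is why a domain B DC in the Exchange site makes both lookups and writes faster but is not required.
-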
I have a parent/child domain structure. The parent domain consists of domain controllers in three different locations (HO1, HO2, HO3). I have set Sites and Services up so that each remote VPN site (Child domain) has a site link to HO1 and HO2 only. When
I attempt to ping the parent domain name from a site server it sometimes resolves to HO3 and times out as there isn't an active VPN tunnel between the 2. My question is why would HO3 be replying when it doesn't have a site link to the remote site and in turn
how can I stop that from being the domain controller that replies?
Thanks for any advice
Chris
Hi,
To add, Mr. Ace has a good blog regarding sites and site links; see if it could help here:
AD Site Design and Auto Site Link Bridging, or Bridge All Site Links (BASL)
http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
Best regards
Michael -
User Folders in a Parent / Child Domain Structure
Hi,
I have a forest setup with a parent and 3 child domains.
We have a DFS share setup for home folders.
I used Group Policy to create the User's share folders, map the drive, and setup folder redirection.
Each user has a separate ID for each domain.
The desire is for each user to be able to use the same \\parent.com\home\%logonuser% share path from each domain in order to access files from any domain, and have privacy from other users doing so.
The problem I have is, after "child1\JohnD" signs into a workstation on domain CHILD1.com, his folder is created at "\\parent.com\home\JohnD" and mapped.
But if child2\JohnD then signs into domain CHILD2.com, he does not have permissions to map the drive.
I realize why, but I'm wondering if anyone can think of a way to change this setup so that parent\JohnD, and child1\2\3\JohnD, all have rights to map and use the same Home Folder.
Having domain specific home folders has been shot down.
Giving all shares EVERYONE access has been shot down.
Open to other suggestions.
Thanks!
-Matt
There's no place like 127.0.0.1
You might want to try creating a script that will grant the required rights to both user accounts using PowerShell: http://blogs.technet.com/b/heyscriptingguy/archive/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions.aspx
Once you create the script, you can schedule it using Task Scheduler.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
Interesting. I've been playing with this module off and on today. From what I can tell, this would have to be scripted to some sort of function like this:
    # Requires the NTFSSecurity module from the linked article
    Get-ChildItem \\parent.com\dfshome | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_.FullName
        $user   = $_.Name      # folder name is the user's logon name
        foreach ($domain in 'child1', 'child2', 'child3') {
            Add-NTFSAccess -Path $folder -Account "$domain\$user" -AccessRights Modify
        }
    }
(head scratch)
I'll give it some more thought. :)
Thanks!
There's no place like 127.0.0.1 -
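An added example, not part of the thread above and not using the NTFSSecurity module from the linked article: the same idea with the built-in Get-Acl/Set-Acl. For every folder under the home root it treats the folder name as the logon name, resolves DOMAIN\name in each domain (which also proves the account exists there), and adds a Modify ACE only where one is missing, so a re-run from Task Scheduler is idempotent. Nothing is written unless -Apply is given. The NetBIOS names PARENT, CHILD1, CHILD2 and CHILD3 are assumptions; the \\parent.com\home path is from the post. Run it as an account that has Full Control (or ownership) on the home folders.

```powershell
# Added example (not from the thread). Assumed NetBIOS names; adjust to your forest.
param(
    [string]$HomeRoot  = '\\parent.com\home',
    [string[]]$Domains = @('PARENT', 'CHILD1', 'CHILD2', 'CHILD3'),
    [switch]$Apply
)

# DOMAIN\name -> SID, or $null when no such account exists (or the domain is unreachable).
function Resolve-AccountSid {
    param([string]$Account)
    try { (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

# SID of an existing ACE, or $null for an orphaned identity that no longer resolves.
function Get-AceSid {
    param($Ace)
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

$modify = [System.Security.AccessControl.FileSystemRights]::Modify

Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder  = $_.FullName
    $name    = $_.Name
    $acl     = Get-Acl -Path $folder
    $changed = $false
    $found   = 0

    foreach ($domain in $Domains) {
        $sid = Resolve-AccountSid "$domain\$name"
        if ($sid -eq $null) { continue }
        $found++

        # Already has an Allow ACE granting at least Modify? Then leave it alone.
        $has = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (Get-AceSid $_).Value -eq $sid.Value -and
            (($_.FileSystemRights -band $modify) -eq $modify)
        }
        if ($has) { continue }

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, $modify, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        $changed = $true
        "ADD    $domain\$name  ->  $folder"
    }

    if ($found -eq 0) {
        Write-Warning "No account named '$name' in any listed domain; $folder left untouched (orphaned folder?)"
    }
    if ($changed -and $Apply) { Set-Acl -Path $folder -AclObject $acl }
}
```

Two caveats worth keeping in mind. The only link the script has between the accounts is the logon name, so a CHILD2\JohnD who is a different person from CHILD1\JohnD would be granted the same folder; if names are not guaranteed unique across the domains, key the match on an attribute the organisation controls (employeeID or mail) instead. And the scheduled task that runs this needs an account able to change ACLs on every home folder, which makes that account's credential a high-value target; give it that right on the home share only, not Domain Admins.
-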
EDN: subscribe to the same event deployed on different domain/Servers
We are working on a use case where we would like to publish an event from an ADF application. We would like to subscribe to the same event deployed on a different domain/servers than the servers on which the ADF application is deployed. We would like to get more information on the configuration of Foreign JNDI for the business events for this use case. In the documentation it was mentioned that it is possible, but not many details were provided.
So far all I have to go on is: http://download.oracle.com/docs/cd/E21764_01/integration.1111/e10224/obe_intro.htm#BABHBGAG