SCOM deployment in Child Domain

Dears,
I am confused with a request; please help me with answers to my questions.
I have my forest like this:
ABC.Local, which is the root domain, is a single site with SCOM 2007 fully deployed and configured with a remote DB.
One.ABC.Local, where One is the child domain of my ABC domain; there are many servers there, but no SCOM.
The request is to monitor servers in One.ABC.Local using SCOM. My doubts are:
Can I monitor the child domain using my root domain SCOM server, just as if it were in my root domain?
Or shall I deploy a dedicated SCOM there?
Any other helpful suggestion?
Thank you

Hi,
From my point of view, adding another management server in the other domain should work. Please follow the link below to add an additional management server:
http://technet.microsoft.com/en-us/library/hh284673.aspx
Regards,
Yan Li

Similar Messages

  • Adding a child domain process hangs in Replicating the schema directory partition

    Hello everyone,
    For practice purposes and exam preparation I have my own virtual private network set up on a PowerEdge R905 machine (which is a beast). I have two networks, and Windows Server 2008 R2 in a DMZ zone set up as a router to route traffic between my two networks.
    My two networks are 192.168.10.0 and 192.168.20.0. The 10 network has its own Active Directory set up; now on my 20 network I am trying to deploy a child domain. During the process everything is going just fine, BUT the process of promoting the domain gets
    stuck on "Replicating the Schema Directory Partition". Can anyone tell me what the issue might be? I tried everything that I could think of, such as:
    made sure the 20 network server is pointed to the DNS on the 10 network server;
    you can ping the IP address and the FQDN of the 10 network from the 20 network;
    I made sure all firewalls are disabled on both networks;
    on my 10 network I have created sites and assigned the right subnets for each site.
    So please, any hint and explanation is greatly appreciated.

    If firewalls are disabled between the 2 subnets, then you should be sure that all of the ports below are open:

        Client Port(s)              Server Port        Service
        49152-65535/UDP             123/UDP            W32Time
        49152-65535/TCP             135/TCP            RPC Endpoint Mapper
        49152-65535/TCP             464/TCP/UDP        Kerberos password change
        49152-65535/TCP             49152-65535/TCP    RPC for LSA, SAM, Netlogon (*)
        49152-65535/TCP/UDP         389/TCP/UDP        LDAP
        49152-65535/TCP             636/TCP            LDAP SSL
        49152-65535/TCP             3268/TCP           LDAP GC
        49152-65535/TCP             3269/TCP           LDAP GC SSL
        53, 49152-65535/TCP/UDP     53/TCP/UDP         DNS
        49152-65535/TCP             49152-65535/TCP    FRS RPC (*)
        49152-65535/TCP/UDP         88/TCP/UDP         Kerberos
        49152-65535/TCP/UDP         445/TCP            SMB
        49152-65535/TCP             49152-65535/TCP    DFSR RPC (*)

    Then make sure that the other subnet is reached across a route, not across NAT, to avoid a lot of additional configuration.
    Regards,
    Housam Smadi
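    An added example (not from either thread above) that turns the port table into a check you can run from the server being promoted in the child domain, or from a child-domain server that the root-domain SCOM management server is supposed to monitor. Assumed names, not in the threads: parent DC dc1.abc.local, SCOM management server scom1.abc.local, and TCP 5723 as the SCOM agent-to-management-server port (the OpsMgr default). It uses a raw TcpClient so it also works on Windows Server 2008 R2 / PowerShell 2.0, where Test-NetConnection does not exist.

```powershell
# Added example: TCP reachability of the static AD ports from the table above,
# plus the SCOM agent port. Assumptions: dc1.abc.local, scom1.abc.local, 5723.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [int]    $Port,
        [int] $TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$parentDc = 'dc1.abc.local'      # assumption: a DC of the parent domain
$scomMs   = 'scom1.abc.local'    # assumption: root-domain SCOM management server

# Only the static server-side TCP ports can be proven with a plain connect.
# UDP (53, 88, 123, 389, 464) and the dynamic RPC range 49152-65535 (LSA/SAM/
# Netlogon, FRS, DFSR) need 'repadmin /bind <dc>' / 'dcdiag /test:replications'
# after promotion, or a packet capture while it hangs.
$checks = @(
    @{ Host = $parentDc; Port = 53;   Service = 'DNS' },
    @{ Host = $parentDc; Port = 88;   Service = 'Kerberos' },
    @{ Host = $parentDc; Port = 135;  Service = 'RPC Endpoint Mapper' },
    @{ Host = $parentDc; Port = 389;  Service = 'LDAP' },
    @{ Host = $parentDc; Port = 445;  Service = 'SMB' },
    @{ Host = $parentDc; Port = 464;  Service = 'Kerberos password change' },
    @{ Host = $parentDc; Port = 636;  Service = 'LDAP SSL' },
    @{ Host = $parentDc; Port = 3268; Service = 'LDAP GC' },
    @{ Host = $parentDc; Port = 3269; Service = 'LDAP GC SSL' },
    @{ Host = $scomMs;   Port = 5723; Service = 'SCOM agent to management server' }
)

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Host    = $c.Host
        Port    = $c.Port
        Service = $c.Service
        Open    = Test-TcpPort -ComputerName $c.Host -Port $c.Port
    }
}
$results | Format-Table Host, Port, Service, Open -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ('Blocked: ' + (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
}
```

    A child domain in the same forest has a two-way transitive trust with the root, so a root-domain management server can authenticate child-domain agents with Kerberos; the point of the 5723 row is that the agent traffic must be allowed through whatever sits between the two subnets just like the DC ports are.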

  • Newly deployed child domain certificate server didn't publish root trust certificate to the client

    The child domain certificate didn't install into the child domain workstations.
    https://support.microsoft.com/en-us/kb/281271?wa=wsignin1.0
    Certification Authority configuration to publish certificates in Active Directory of trusted domain
    Any advise?
    Thanks.

    Hi,
    >>New deploy child domain certificate server didn't publish root trust certificate to the client
    Is this an enterprise root CA or standalone CA?
    If it is an enterprise root CA, it will automatically use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. If it is a standalone CA, we can configure a GPO
    to distribute the certificate.
    Regarding how to use policy to distribute certificates, the following article can be referred to for more information.
    Use Policy to Distribute Certificates
    https://technet.microsoft.com/en-us/library/cc772491.aspx
    We can run the command gpupdate /force to immediately update group policy and then refresh the certificates in certmgr.msc to see if the certificate comes up.
    Besides, for certificate questions, we can also ask for suggestions in the following forum.
    Security
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Best regards,
    Frank Shen
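    An added example, not part of the thread, for checking where the trust actually breaks. An enterprise CA's certificate is published into the forest-wide Certification Authorities container in the Configuration partition, which is what lets workstations in every domain of the forest pull it into their machine Root store; writing there needs Enterprise Admins rights at CA install time, which a child-domain Domain Admin does not have. Assumed names: the exported CA certificate at C:\temp\childca.cer and the forest root DN DC=abc,DC=local.

```powershell
# Added example: is the child-domain CA trusted on this workstation, and is it
# published in the forest's Configuration partition? Assumptions: the CA
# certificate was exported to C:\temp\childca.cer (certutil -config <CA> -ca.cert)
# and the forest root is DC=abc,DC=local.

$caCertPath = 'C:\temp\childca.cer'     # assumption
$forestDn   = 'DC=abc,DC=local'         # assumption

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertPath
"CA subject: {0}`nThumbprint: {1}" -f $ca.Subject, $ca.Thumbprint

# 1. Machine Trusted Root store on the workstation.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if ($trusted) { 'Present in LocalMachine\Root: trusted.' }
else          { 'Missing from LocalMachine\Root: NOT trusted yet.' }

# 2. Forest-wide publication: compare the cACertificate blobs stored in AD
#    against the exported certificate by thumbprint.
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,$forestDn"
$published = $false
foreach ($entry in $container.Children) {
    foreach ($blob in $entry.Properties['cACertificate']) {
        $stored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
        if ($stored.Thumbprint -eq $ca.Thumbprint) {
            $published = $true
            "Published in AD as $($entry.Name)"
        }
    }
}

if (-not $published) {
    'Not published in AD. On the CA, as a member of Enterprise Admins, run:'
    "  certutil -dspublish -f `"$caCertPath`" RootCA"
    'then on the workstation: gpupdate /force, and re-run this script.'
}
```

    If step 2 reports the certificate as published but step 1 still fails after a policy refresh, the workstation is not reading the Configuration partition (DNS or trust path to the forest root), which is a different problem from the CA not having published.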

  • Active Directory: 2003 to 2012 R2 Upgrade across single forest with child domains

    I just have a quick question about something that should be simple. We will be upgrading our current domain from Windows 2003 functionality to Windows 2012 R2. This forest has a root domain and two child domains. I have two questions. Since we
    have to do this in a few steps in order to get up to 2012 functionality, I am wondering where it is considered best practice to start: in the root (top level) domain of the forest or in one of the child domains? I want to say the root (top level)
    domain is where I would place my first Windows 2012 R2 box and promote it to a domain controller, then move to the child domains once the root domain controllers have all been replaced with Server 2012.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

    Yes. We are working with the client to migrate any dependencies off these 3 NT legacy domains. We will be able to decommission 2 of the 3 without any issues. However, they still have an old NT box running SQL 6.5 databases for an application
    still in production. Yes, they are very aware that NT isn't supported, that that version of SQL isn't supported, and that this will hold up their upgrade.
    Our plans for them will be to deploy all new Windows Server 2012 R2 domain controllers but keep the domain and the forest functionality at 2003 in order to support that final NT Legacy domain until they can get that application migrated.
    Once that NT domain is decommissioned then we can raise the functionality of the rest of their domains from 2003 to 2012 R2.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

  • Child Domain Lync Installation

    Run enable-csadforest on the root domain server. Any idea how to do csadforest without installing the Lync deployment tools on the root server?
    Check that the universal security groups are added in the root domain.
    Check: the child domain didn't replicate the universal security groups.
    Run Enable-CsAdDomain -Domain chil.domain.com to enable child domain users to use Lync.
    Any advice? How long does it take to replicate the universal security groups?
    I will install Lync server into the child domain and federate with Office 365.
    Thanks.

    Hi,
    Did you prepare the schema successfully without issue?
    You need to prepare the forest on a computer that is joined to a domain, as a member of the Enterprise Admins group for the forest root domain. You need to prepare the forest with the Lync Server Deployment Wizard or the Lync Server Management Shell cmdlets
    directly. So you need to install the Lync deployment tools on one of the root domain servers.
    You are right, you must verify that global settings have been replicated before running domain preparation.
    Please also log in to the child domain using an account that is a member of the Enterprise Admins group, then check whether the replication happens or not.
    Best Regards,
    Eason Huang
    TechNet Community Support
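    An added example, not part of the thread, for the "has it replicated yet?" question. Forest preparation creates the RTCUniversal* universal groups in the forest root domain; universal groups and their membership are held in every global catalog, so asking the GC port (3268) of a DC in the child domain's site shows whether they have arrived there, which is what domain preparation for the child needs. Assumed names: root DC dc1.domain.com, child-domain GC dc1.chil.domain.com, root DN DC=domain,DC=com.

```powershell
# Added example: compare the RTCUniversal* groups seen by a root-domain DC
# with those seen through a child-domain global catalog. Assumptions:
# dc1.domain.com, dc1.chil.domain.com (must be a GC), DC=domain,DC=com.
Import-Module ActiveDirectory

$rootDc  = 'dc1.domain.com'         # assumption
$childGc = 'dc1.chil.domain.com'    # assumption: GC in the child domain's site
$rootDn  = 'DC=domain,DC=com'       # assumption

function Get-LyncUniversalGroups([string] $Server) {
    try {
        Get-ADGroup -Server $Server -SearchBase $rootDn -Filter { Name -like 'RTCUniversal*' } -ErrorAction Stop |
            Select-Object -ExpandProperty Name | Sort-Object
    } catch {
        Write-Warning "Query against $Server failed: $($_.Exception.Message)"
    }
}

$onRoot  = @(Get-LyncUniversalGroups $rootDc)
$onChild = @(Get-LyncUniversalGroups "${childGc}:3268")   # GC port
"Root DC sees  {0} RTCUniversal* groups" -f $onRoot.Count
"Child GC sees {0} RTCUniversal* groups" -f $onChild.Count

$missing = Compare-Object $onRoot $onChild | Where-Object { $_.SideIndicator -eq '<=' }
if ($missing) {
    'Not yet visible through the child-domain GC:'
    $missing | ForEach-Object { "  $($_.InputObject)" }
    # Intra-site replication is near-immediate; inter-site waits for the site
    # link interval/schedule. 'repadmin /replsummary' shows the current lag.
} else {
    'All groups visible from the child GC; domain preparation can proceed.'
}

# Lync's own readiness checks for reference:
#   Get-CsAdForest                       -> LC_FORESTSETTINGS_STATE_READY
#   Get-CsAdDomain -Domain chil.domain.com -> LC_DOMAINSETTINGS_STATE_READY
```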

  • Forest root domain displayed as network label, rather than child domain

    Following on from this post (which I stupidly contributed to without realising it's a gazillion years old):
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
    I run a DMZ child domain which is pretty tightly locked-down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state why this should be the case clearly, and a vague response
    from support saying that 'Product Group' (which one?!) have been asked for feedback was never followed up on.
    Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key & deploy either by GPO or batch file, I'm SOL finding a solution to this - but would at least like
    a viable explanation for the behaviour, as opposed to 'it's by design'

    Can I ask if something is not working correctly because of this?  The display of the connected network does not affect communication or how DNS will resolve.  Are you chasing this down because you don't like the display, or is there an outage?
    Thanks!
    - Chris Ream -

  • Migrating to Lync in a child domain from OCS in a Parent domain

    I am looking to migrate from OCS to Lync 2010.  I have gotten as far as deploying the target pool, but when I try and merge the topologies it fails.
    OCS is in The root domain of my forest but Lync is planned for the primary Child domain where 80% of my users live.  I just need to know if this is a supported migration scenario for Lync.  If it is how do I merge the two topologies, as it looks
    like the merge tool is only looking at the child domain for the configuration of OCS?
    Jeff

    Hi,
    Did you build a new pool with Side by side approach?
    It is supported to migrate Lync from one domain to another domain in the same forest. Here is the supported server migration paths in the link below:
    http://technet.microsoft.com/en-us/library/gg425764.aspx
    For the issue merge topology failed, did you receive any error message from FE server Event Viewer?
    The Lync server default SIP domain should be the same when migrating from OCS to Lync server. If not, you can add the SIP domain in the Lync topology and then run a command such as the one below on the Lync FE server:
    Set-CsSipDomain -Identity <new sip domain name> -IsDefault $True
    Note: change <new sip domain name> to your Lync server SIP domain name.
    Then run the OCS merge again to test the issue.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Migrating 2 domains into child domains in a new forest

    I have a unique scenario in which my company merged with another.
    My Company:
    Windows 2003 AD
    Exchange 2003 SP3
    192.x.x.x
    New Company
    Windows 2008 AD
    Exchange 2010
    10.x.x.x
    Each domain has its own resources, servers and workstations. For political reasons we still need some management separation.
    My Goals:
    Create a new root neutral forest/domain. 
    Migrate both domains to 2 child domains under this new root
    Bring the domain to 2012 R2
    Create a single Exchange 2010/2013 cluster with all mailboxes
    What is the best way to accomplish this? Where exactly does Exchange sit?
    Thanks!

    Hi,
    >>What is the best way to accomplish this?
    In Active Directory, we can use ADMT to do the migration. However, if we need an inter-forest migration from Domain Controller 2003 to Domain Controller 2012, at this time MS
    does not have ADMT for Windows Server 2012. We can downgrade our forest and domain functional level to Windows Server 2008 R2, add an additional Domain Controller 2008 R2 and use ADMT 3.2 for migration. After migration is completed, we can demote Domain Controller
    2008 R2 and raise FFL & DFL to Windows Server 2012 again.
    Regarding specific procedures for performing the migration, the following article can be referred to as reference.
    Interforest Migration with ADMT 3.2 - Part 1
    http://social.technet.microsoft.com/wiki/contents/articles/11996.interforest-migration-with-admt-3-2-part-1.aspx
    Interforest Migration with ADMT 3.2 - Part 2
    http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx
    Interforest Migration with ADMT 3.2 - Part 3
    http://social.technet.microsoft.com/wiki/contents/articles/16621.interforest-migration-with-admt-3-2-part-3.aspx
    >>Where exactly does Exchange sit?
    For mailbox migration, in order to get better help, we can ask for suggestions in the following exchange forum.
    Exchange Server 2013- Setup, Deployment, Updates, and Migration
    http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrdeploy
    Best regards,
    Frank Shen

  • Why can the users in one child domain logon to computers in a different child domain in Server 2012 R2?

    I have setup a test system. It has a domain with 2 child domains.  DomainA.xyz.com has users and workstations. DomainB.xyz.com is a resource domain and has servers.  wyx.com is for IT administration.
    Users in domainA can logon to the domainB computers.  I searched to find out why it was so.  I found a "NT AUTHORITY\INTERACTIVE" entry in the local users group that enables this.
    This is rather confusing.  1.  When a user enters his credentials, he is not logged on and therefore would not be "INTERACTIVE" at that time.  2.  If everybody that signs on a computer is interactive, then does that mean
    everyone in the forest can sign on?
    So my issue is: Can I delete the "INTERACTIVE" entry in the local users group and not cause any problems?  I want to protect the resource domain from users signing on to them and give them access to the resources they need.

    Hi,
    The Interactive group includes all users that have logged on locally.
    In addition, it is not recommended to remove the Interactive group from the local Users group, since it would cause all kinds of problems. For more detailed information, please refer to the similar thread and link below:
    Interactive group
    Staring at a blank desktop, due to Interactive missing from Users group
    Best regards,
    Susie
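    An added example, not part of the thread, showing the least-privilege alternative. On a domain-joined server the local Users group contains NT AUTHORITY\Authenticated Users and NT AUTHORITY\INTERACTIVE by default, and Users holds the "Allow log on locally" right, so any account the server can authenticate (any domain in the forest) can log on. Removing INTERACTIVE breaks the desktop, as the linked threads describe; the clean fix is to scope the logon rights themselves with Group Policy on the resource-domain servers ("Deny log on locally" and "Deny log on through Remote Desktop Services" for the user domain's groups). This script only audits the current state; the GPO name and the DOMAINA\Domain Users group are assumptions. Run it elevated.

```powershell
# Added example: audit local Users membership and the interactive/RDP logon
# rights on a resource-domain server. Nothing is changed. Assumption: the
# intended policy is a GPO denying DOMAINA\Domain Users local/RDP logon.

function ConvertFrom-SidString([string] $Entry) {
    # secedit writes principals as *S-1-5-...; translate to DOMAIN\name where possible
    $e = $Entry.Trim()
    if ($e.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $e }
    }
    return $e
}

function Get-LocalUserRights {
    # Export only the [Privilege Rights] area of the effective local policy.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $matches[1]; $raw = $matches[2]
            $rights[$name] = @($raw -split ',' | ForEach-Object { ConvertFrom-SidString $_ })
        }
    }
    Remove-Item $cfg -Force
    return $rights
}

# 1. Local Users group membership (WinNT provider; no Get-LocalGroupMember needed)
$members = @(([ADSI]'WinNT://./Users,group').Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
"Local Users group: $($members -join ', ')"

# 2. Who may / may not log on interactively and via RDP
$r = Get-LocalUserRights
foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
                   'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $who = if ($r.ContainsKey($right)) { $r[$right] -join ', ' } else { '(nobody)' }
    "{0,-36} {1}" -f $right, $who
}

# 3. Flag the wide-open case: BUILTIN\Users allowed on, nothing denied.
$usersAllowed = @($r['SeInteractiveLogonRight']) -contains 'BUILTIN\Users'
$denies       = @($r['SeDenyInteractiveLogonRight'])
if ($usersAllowed -and $denies.Count -eq 0) {
    Write-Warning 'BUILTIN\Users may log on locally and nothing is denied: every account in the forest can log on here.'
    Write-Warning 'Scope it with GPO: add DOMAINA\Domain Users (assumption) to "Deny log on locally" and "Deny log on through Remote Desktop Services".'
}
```

    Deny rights win over Allow rights, so a single Deny entry for the user domain's groups on the resource-domain servers closes the door without touching the local Users group or the INTERACTIVE identity.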

  • Exchange 2013 sp1 smtp NTLM auth for child domain users

    I have an Exchange organization with Exchange 2007 SP3 & Exchange 2013 SP1.
    All users are on the Exchange 2013 server (mail flow is through the Exchange 2013 server).
    I have a single forest, 2 sites (site1, site2), root domain root.local and 1 child domain ch.root.local.
    The DC for the child domain is located in site2 (dc.ch.root.local).
    The multirole Exchange 2013 server is installed in the root domain.
    I am trying to configure an SMTP receive connector with NTLM auth and have one problem.
    When a user in the child domain tries to send email through this receive connector, I see in the log:
    <,AUTH NTLM,
    >,334 <authentication response>,
    *,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
    *,CH\user1,authenticated
    *,,Setting up client proxy session failed with error: 535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user
    *,,"Setting up client proxy session failed with error: 451 4.4.0 Primary target IP address responded with: ""535 5.7.3 Unable to proxy authenticated session because either
    the backend does not support it or failed to resolve the user."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.15:465"
    but authentication is successful for users from the root domain.
    Why can this be?
    Thanks.

    Thanks for the link.
    In the SMTP receive logs (Hub Transport role) I've found the following:
    Client Proxy EXMAIL2013,08D134DAF6CE1C51,49,192.168.1.15:465,
    *,NT AUTHORITY\SYSTEM,authenticated
    >,235 <authentication response>,
    <,XPROXY SID=08D130D354F520D1 IP=192.168.1.21 PORT=57085 DOMAIN=[192.168.1.21] CAPABILITIES=0 SECID=Uy0xxx...
    *,,Error while looking up SamAccountName chuser: The user name or password is incorrect.\r\n
    *,None,Set Session Permissions
    >,250 XProxy accepted but user identity could not be obtained,

  • Active Directory Domain Services Child Domains

    I am using Windows Server 2008 R2 SP1.
    http://technet.microsoft.com/en-us/library/cc771856(v=ws.10).aspx
    When I select "Add Roles" and click on "Active Directory Domain Services (Installed)", the "Next>" button is not enabled and cannot be selected.
    Did I install ADDS wrong?
    Is this not how you define Child Domains?
    If I use the Command Line or Answer File Methods I get an error message at "ChildName".
    Did I forget to install something about enabling Child Domains when installing ADDS?

    Hi,
    Did you try to create a child domain on the Domain Controller? It seems that this server is already a DC, with Active Directory Domain Services installed.
    We don't have to enable anything in the root domain for creating child domains/new trees; we just need to run
    Dcpromo or Add Role on another server which is not a DC, and select the existing domain as its parent, then the child domain will be created.
    In addition, please make the existing DC the preferred DNS server on the new server.
    I hope this helps.
    Amy
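    An added example, not from the thread, that carries Amy's steps through for the answer-file method on Windows Server 2008 R2: confirm the box is a member server and not already a DC, confirm its DNS points at the parent DC, then write a dcpromo unattend file for a new child domain and run it. The key names come from the dcpromo unattended-installation reference; ChildName is the child's single label and ParentDomainDNSName the parent's FQDN. Assumed values: parent abc.local, child label one, parent DC 192.168.10.10, site Site20. The file contains the DSRM password, so it is deleted as soon as dcpromo returns.

```powershell
# Added example: pre-checks plus a dcpromo answer file for a new child domain
# (dcpromo /unattend:<file>). Assumptions: abc.local, child label 'one',
# parent DC 192.168.10.10, existing site 'Site20', domain level 4 (2008 R2).

$parentDns  = 'abc.local'          # assumption: parent domain FQDN
$childName  = 'one'                # assumption: single label, NOT 'one.abc.local'
$parentDcIp = '192.168.10.10'      # assumption: DNS server / parent DC
$siteName   = 'Site20'             # assumption: site must already exist in AD
$answer     = 'C:\dcpromo-child.txt'

# 1. Must not already be a DC (Win32_ComputerSystem.DomainRole 4/5 = backup/primary DC).
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ge 4) { throw "Already a domain controller (DomainRole=$role); run this on a member server." }

# 2. Preferred DNS must be a parent-domain DC so the parent's SRV records resolve.
$dns = (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True').DNSServerSearchOrder
if (-not ($dns -contains $parentDcIp)) { Write-Warning "DNS servers are '$($dns -join ',')', expected $parentDcIp first" }
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$parentDns" $parentDcIp

# 3. Credentials: creating a child domain needs Enterprise Admins in the forest root.
#    'Password=*' makes dcpromo prompt, so the domain password never hits the disk.
$cred = Get-Credential
$dsrm = Read-Host 'DSRM (Safe Mode) administrator password' -AsSecureString
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

# 4. Answer file. DomainLevel 4 = Windows Server 2008 R2; it must be at least the
#    forest functional level. RebootOnCompletion=No so the file can be removed first.
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=$parentDns
ChildName=$childName
DomainNetbiosName=$($childName.ToUpper())
DomainLevel=4
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=Yes
UserDomain=$parentDns
UserName=$($cred.GetNetworkCredential().UserName)
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@ | Set-Content -Path $answer -Encoding ASCII

# 5. Promote, then remove the file (it holds the DSRM password in clear text).
try {
    dcpromo /unattend:$answer
} finally {
    if (Test-Path $answer) { Remove-Item $answer -Force }
}
# Restart-Computer   # reboot once dcpromo reports success
```

    If the promotion credentials have no rights on the parent DNS zone, CreateDNSDelegation needs the separate DNSDelegationUserName/DNSDelegationPassword keys, or the delegation for one.abc.local has to be created by hand in the abc.local zone.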

  • Exchange 2010 unable to find objects in child domain via ESM

    I am having a problem on Exchange 2010 which relates to mailboxes whose AD account is in a child domain in the AD forest.
    We have two domains A & B in the forest. The site which hosts E2010 only has DCs from domain A (root domain). These DCs are set as Global Catalogues.
    All Exchange servers (2 x CAS & 2 x Mailbox) installed in Domain A (primary site) can resolve domain B, and performing nslookups for domain B on these servers displays the DCs installed
    in domain B at remote sites.
    I am migrating some resource mailboxes with AD accounts in domain B and need to set them up as room mailboxes to enable the auto accept bookings feature.
    After migrating the mailboxes via the EMS to set the mailbox as a room, below is the error I get:
    [PS] C:\Windows\system32>set-mailbox mtgrm1@domainB -Type Room
    The operation couldn't be performed because object 'mtgrm1@ domainB' couldn't be found on 'DC01.domainA.com'.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-Mailbox], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 9E6F6A1,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
    I have also tried using only the alias and the object CN:
    set-mailbox mtgrm1 -Type Room
    set-mailbox -identity 'domainB/Sitename/ Users/MSX Resource Accounts/Conf MtgRm1 (Video)' -Type Room
    but get the same error.
    All employee mailboxes from Domain B have been migrated to Exchange 2010 from 2003 and are working with no problems.
    I have confirmed domain B has been prepared for E2010 - In the Microsoft Exchange System Objects container in AD there is the global group Exchange Install Domain Servers.
    Event ID 2080
    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1864). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
     (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    dc02.domainA.COM           
    CDG 1 7 7 1 0 1 1 7 1
    DC01.domainA.com            
    CDG 1 7 7 1 0 1 1 7 1
     Out-of-site:
    DC03.domainA.COM          
    CDG 1 0 0 1 0 0 0 0 0
    dc04.domainA.COM           
    CDG 1 0 0 1 0 0 0 0 0
    Please note the Out of site DCs are for our Exchange failover site which is currently down due to the storms on the East Coast.
    Does Exchange 2010 require a local DC for the second domain installed in the sites which host Exchange? If not, any advice on what else I can look at will be appreciated.
    Thanks.

    Hi there,
    If the question is answered, please mark it accordingly. Thanks.
    Fiona Liao
    TechNet Community Support
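    An added example, not from the thread, that the original reply does not cover. In the Exchange 2010 Management Shell the recipient scope defaults to the domain the shell was opened in, so a child-domain mailbox is looked up on a DC of the Exchange server's own domain, which is exactly the "couldn't be found on 'DC01.domainA.com'" message. Widening the scope to the whole forest makes the lookup go through a global catalog, which holds a partial replica of domain B, so no domain B DC is needed in the Exchange site. Assumed name: mtgrm1@domainB.com.

```powershell
# Added example: widen the EMS recipient scope to the forest, then convert the
# child-domain mailbox to a room and enable auto-accept. Assumption: the
# mailbox is mtgrm1@domainB.com.

$room = 'mtgrm1@domainB.com'   # assumption

# Current scope: RecipientViewRoot shows the domain the shell is limited to.
Get-ADServerSettings | Format-List ViewEntireForest, RecipientViewRoot, PreferredGlobalCatalog

# Widen the scope for this session only (re-run in every new shell, or put it
# in the EMS profile).
Set-ADServerSettings -ViewEntireForest $true

# Confirm the object now resolves before changing it.
$mbx = Get-Mailbox -Identity $room -ErrorAction Stop
"{0} found under {1} (read from {2})" -f $mbx.Name, $mbx.OrganizationalUnit, $mbx.OriginatingServer

Set-Mailbox -Identity $room -Type Room
Get-Mailbox -Identity $room | Format-List Name, RecipientTypeDetails, ResourceType

# The auto-accept behaviour is calendar processing, separate from -Type:
Set-CalendarProcessing -Identity $room -AutomateProcessing AutoAccept
Get-CalendarProcessing -Identity $room | Format-List AutomateProcessing

# Alternative for a single call without changing the session scope, pointing at
# a domain B DC (assumed name):
#   Set-Mailbox -Identity $room -Type Room -DomainController dc05.domainB.com
```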

  • Parent/Child Domain

    I have a parent/child domain structure. The parent domain consists of domain controllers in three different locations (HO1, HO2, HO3). I have set Sites and Services up so that each remote VPN site (child domain) has a site link to HO1 and HO2 only. When
    I attempt to ping the parent domain name from a site server it sometimes resolves to HO3 and times out, as there isn't an active VPN tunnel between the 2. My question is: why would HO3 be replying when it doesn't have a site link to the remote site, and in turn
    how can I stop that from being the domain controller that replies?
    Thanks for any advice
    Chris

    Hi,
    To add, Mr. Ace got a good blog regarding Site and Site links, see if it could help here:
    AD Site Design and Auto Site Link Bridging, or Bridge All Site Links (BASL)
    http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
    Best regards
    Michael
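    An added example, not from the thread, that shows why the ping lands on HO3 and how to keep it from doing so. Pinging the bare domain name resolves the domain's own A records, which every DC registers (the LdapIpAddress locator record) with no site information at all, so DNS round-robin can return HO3; site links only steer the DC locator (nltest /dsgetdc and the _sites SRV records), which domain members use and ping does not. Assumed names: parent domain parent.com, the child DC's site VPN-Site1, and that the registry change is made on the HO3 DC only.

```powershell
# Added example: show what ping resolves vs. what the site-aware locator
# returns, and how to stop one DC registering the site-less domain A record.
# Assumptions: parent.com, site VPN-Site1; the last step runs on HO3 only.

$parent = 'parent.com'     # assumption
$site   = 'VPN-Site1'      # assumption: the site the child-domain server is in

# 1. What 'ping parent.com' uses: every DC's A record, no site logic.
'A records for the bare domain name:'
[System.Net.Dns]::GetHostAddresses($parent) | ForEach-Object { "  $($_.IPAddressToString)" }

# 2. What domain members use to find a DC: site-aware, honours site links.
'Site-aware DC locator result:'
nltest /dsgetdc:$parent /site:$site /force

# 3. The site-specific SRV records the locator asks for, for comparison.
nslookup -type=SRV "_ldap._tcp.$site._sites.dc._msdcs.$parent"

# 4. Fix, on the HO3 DC: stop it registering the site-less domain A record so
#    it drops out of the plain-name lookup. The same setting exists as the GPO
#    'Specify DC Locator DNS records not registered by the DCs' (mnemonic
#    LdapIpAddress). Site-specific and other locator records are unaffected.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$current = (Get-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
"Currently suppressed locator records: $($current -join ', ')"

# Apply (uncomment on HO3 only; Netlogon re-registers without the excluded record):
#   $new = @($current) + 'LdapIpAddress' | Where-Object { $_ } | Select-Object -Unique
#   Set-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -Value $new -Type MultiString
#   Restart-Service Netlogon
```

    After the change, give DNS scavenging or a manual deletion time to remove HO3's old A record for parent.com; the DC only stops re-registering it, it does not retract what is already there.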

  • User Folders in a Parent / Child Domain Structure

    Hi,
    I have a forest setup with a parent and 3 child domains.
    We have a DFS share setup for home folders.
    I used Group Policy to create the User's share folders, map the drive, and setup folder redirection.
    Each user has a separate ID for each domain.
    The desire is for each user to be able to use the same \\parent.com\home\%logonuser% share path from each domain in order to access files from any domain, and have privacy from other users doing so.
    The problem I have is, after "child1\JohnD" signs into a workstation on domain CHILD1.com, his folder is created at "\\parent.com\home\JohnD" and mapped.
    But if child2\JohnD then signs into domain CHILD2.com, he does not have permissions to map the drive.
    I realize why, but I'm wondering if anyone can think of a way to change this setup so that parent\JohnD, and child1\2\3\JohnD, all have rights to map and use the same Home Folder.
    Having domain specific home folders has been shot down.
    Giving all shares EVERYONE access has been shot down.
    Open to other suggestions.
    Thanks!
    -Matt
    There's no place like 127.0.0.1

    You might want to try creating a script that will grant the required rights to both user accounts using Powershell: http://blogs.technet.com/b/heyscriptingguy/archive/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions.aspx
    Once you create the script, you can schedule it using Task Scheduler.
    Ahmed MALEK
    Interesting.  I've been playing with this module off and on today.  From what I can tell, this would have to be scripted to some sort of function like this:
    dir \\parent.com\dfshome | Get-NTFSAccess
    foreach ($folder in (Get-ChildItem \\parent.com\dfshome | Where-Object { $_.PSIsContainer })) {
        $user = $folder.Name
        foreach ($dom in 'child1', 'child2', 'child3') {
            Add-NTFSAccess -Path $folder.FullName -Account "$dom\$user" -AccessRights Modify
        }
    }
    (head scratch)
    I'll give it some more thought. :)
    Thanks!
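    An added example, not from the thread, using only the built-in Get-Acl/Set-Acl and the ActiveDirectory module (no NTFSSecurity needed). It does what the sketch above does, with the two checks a practitioner wants before granting by name match across domains: the same-named account must actually exist in that domain, and where employeeID is populated the accounts must agree, so that a name collision (a different JohnD in child2) does not hand one person another's files. Assumed names: \\parent.com\home, the domains parent/child1/child2/child3, and that employeeID is maintained in AD.

```powershell
# Added example: grant Modify on each home folder to the same-named account in
# every domain of the forest, after existence and employeeID checks.
# Assumptions: \\parent.com\home, four domains, employeeID populated in AD.
Import-Module ActiveDirectory

$homeRoot = '\\parent.com\home'                                                               # assumption
$domains  = 'parent.com', 'child1.parent.com', 'child2.parent.com', 'child3.parent.com'       # assumption

function Get-ForestAccounts([string] $SamAccountName) {
    # Same logon name looked up in each domain; returns only the ones that exist.
    foreach ($d in $domains) {
        try {
            $u = Get-ADUser -Server $d -Identity $SamAccountName -Properties employeeID -ErrorAction Stop
            New-Object PSObject -Property @{
                Domain     = $d
                EmployeeId = $u.employeeID
                Account    = $u.SID.Translate([System.Security.Principal.NTAccount]).Value
            }
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { }
    }
}

function Grant-HomeFolder([string] $Folder, [string] $Account) {
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

foreach ($folder in (Get-ChildItem $homeRoot | Where-Object { $_.PSIsContainer })) {
    $accounts = @(Get-ForestAccounts $folder.Name)
    if ($accounts.Count -eq 0) { Write-Warning "$($folder.Name): no matching account in any domain"; continue }

    # Identity check: every populated employeeID must be the same value.
    $ids = @($accounts | Where-Object { $_.EmployeeId } | Select-Object -ExpandProperty EmployeeId | Select-Object -Unique)
    if ($ids.Count -gt 1) { Write-Warning "$($folder.Name): employeeID mismatch ($($ids -join ', ')), skipped"; continue }

    foreach ($a in $accounts) {
        Grant-HomeFolder -Folder $folder.FullName -Account $a.Account
        "{0}: granted Modify to {1}" -f $folder.Name, $a.Account
    }
}
```

    Scheduled from Task Scheduler as the earlier reply suggests, this also covers folders created later by the GPO; the share itself can stay at Authenticated Users while the NTFS ACL does the per-person scoping, which avoids the Everyone grant that was rejected.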

  • EDN:  subscribe to the same event deployed on different domain/Servers

    We are working on a use case where we would like to publish an Event from an ADF application. We would like to subscribe to the same event deployed on different domains/servers than the servers on which the ADF application is deployed. We would like to get more information on the configuration of Foreign JNDI for the Business Events for this use case. In the documentation it was mentioned that it is possible, but not many details were provided.
    So far all I have to go on is: http://download.oracle.com/docs/cd/E21764_01/integration.1111/e10224/obe_intro.htm#BABHBGAG

