Setting up two way AD domain trust ?

Similar Messages

• Can't set up two step verification - no trusted devices

  Hi,
  I can't seem to set up two step verification on my apple ID.
  I can log in to manage my account and start the process, but when I get to what should be the list of trusted devices (step 1), the list is empty and I'm prompted to enter in a number than can receive SMS. I do this using my iphone number, and I recevie a 4 digit verification code via SMS/iMessage, but I can't enter this in to the setup process on the manage my ID site as there is nowhere to enter the code in to in order to have my iphone number tagged as a trusted device. So, I can't get past step 1.
  I have been able - in the past - to allow a new device to use icloud keychain using another device to verify it.
  All IOS devices are 7.1.1, and the mac is 10.9.3.
  For info, I have an iphone, imac, and two ipads all set up using the same apple id, all are signed in to iCloud with the same id for keychain syncing, and all have find my iphone enabled. I can log in to icloud or use the find my phone app and see all my devices in the device list, and locate them. I've tried turning find my iphone off and on - no change, devices still don't appear in the two step verification setup process.
  I've rung apple support and no luck - they suggested waiting 24 hours and trying again - but still no worky.
  Am I doing something wrong, or is there a problem that someone else has been bale to solve? I'd really like two step verification enabled but am stumped.
  Help!
  Cheers.
  Andrew

  I had the same problem.
  I don't know whether or not it was a coincidence, but I did the following:
  Use a computer to Logon to www.icloud.com.
  Go into Account Settings.
  Click on Advanced.
  Then click on logout of all browsers.
  I was then able to log into My AppleID and start the two step authentication setup. When I added a new phone, it sent an SMS and it then prompted me for the 4 digit code.
  Again, not sure whether this is a coincidence, but I never received the prompt to enter the 4 digit code until I accessed the iCloud website and followed the above steps.

• IPod Touch "Two-Way Sync"

  I am pleased to report that I just returned from a month-long trip throughout Europe and my iPod touch worked like a charm. I bought it prior to departing to use it for mobile internet access as I new I would find WiFi-enabled places everywhere. It enabled me to stay in contact with with friends and family via .Mac e-mail, book guest-houses on-line, share photos with travel companions, not to mention having access to music on the long train rides. In short, a great digital travel tool.
  But here is the question:
  I came home and found that while the e-mails that were sent to me (and read on the road on my iPod) were available to read on my MacBook, I was not able to find the e-mails in my Desktops's Send Box that I originally sent from my iPod Touch. I am not sure if I need to set this "two-way" sync up via the iPod touch when I hook it up to my computer via iTunes or is it something I need to arrange on my computer via Systems Preferences?
  Thanks kindly in advance,
  john

  Hi John,
  Nope. Messages sent from my iPod Touch do not appear in the Sent folder either on the desktop or the .mac web mail. I am wondering, how do you have System Preferences- .Mac under Sync set up? I just noticed that "Synchronize with .Mac" for me is set on Manually. Perhaps you have it on Automatic? Also, on the iPod itself, I now find that there is a section to set up Sent Messages to be placed in Sent messages on the Server. And you didn't have to do any of this? Seems the Sync was set up for you more readily. Let's see if these adjustments do it for me too.

• PeoplePicker not showing domain accounts from other forest in two way trust

  We recently moved from our old farm in domainA of forestA to a new farm in domainB of forestB. We also have an older farm in domainC in forestC. There is two-way trust between all these forests. By default, Peoplepicker-SearchADForests property is not set
  to anything, so it will only allow forestB accounts to be looked up from AD. But, we want PeoplePicker to lookup users from both domainA and domainB. I used below script to update the settings.
  $wa = Get-SPWebApplication -Identity "https://webapp"
  $oldDomain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
  $oldDomain.IsForest = $false
  $oldDomain.DomainName = "domainA"
  $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($oldDomain)
  $wa.Update()
  $wa = Get-SPWebApplication -Identity "https://webapp"
  $newDomain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
  $newDomain.IsForest = $false
  $newDomain.DomainName = "domainB"
  $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($newDomain)
  $wa.Update()
  For some reason, this doesn't work for domainA. Actually, it worked once before, but it stopped working at some point. PeoplePicker is only returning domainB accounts. If I add domainC using above script, it works too, but not for domainB.
  So, my question is obvious - how to make this work? I've searched for an answer a lot and went through all troubleshooting there is, but could not resolve this permanently. Any help is appreciated.
  Thanks.

  Thanks Vladimir. I was able to run it finally in CMD. Here are the results. Now I'm thinking that the ports are not open )) Trevor's app was probably checking the ports in domain controller servers, though not sure.
    TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       672
    TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2184
    TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:14004          0.0.0.0:0              LISTENING       1464
    TCP    0.0.0.0:22233          0.0.0.0:0              LISTENING       5240
    TCP    0.0.0.0:22234          0.0.0.0:0              LISTENING       5240
    TCP    0.0.0.0:22236          0.0.0.0:0              LISTENING       5240
    TCP    0.0.0.0:32843          0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:32844          0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       448
    TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       540
    TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       776
    TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       800
    TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       540
    TCP    0.0.0.0:49177          0.0.0.0:0              LISTENING       928
    TCP    0.0.0.0:49201          0.0.0.0:0              LISTENING       532
    TCP    SERVERIP:139         0.0.0.0:0              LISTENING       4
    TCP    [::]:80                [::]:0                 LISTENING       4
    TCP    [::]:135               [::]:0                 LISTENING       672
    TCP    [::]:443               [::]:0                 LISTENING       4
    TCP    [::]:445               [::]:0                 LISTENING       4
    TCP    [::]:3389              [::]:0                 LISTENING       2184
    TCP    [::]:5985              [::]:0                 LISTENING       4
    TCP    [::]:8081              [::]:0                 LISTENING       4
    TCP    [::]:14004             [::]:0                 LISTENING       1464
    TCP    [::]:22233             [::]:0                 LISTENING       5240
    TCP    [::]:22234             [::]:0                 LISTENING       5240
    TCP    [::]:22236             [::]:0                 LISTENING       5240
    TCP    [::]:32843             [::]:0                 LISTENING       4
    TCP    [::]:32844             [::]:0                 LISTENING       4
    TCP    [::]:47001             [::]:0                 LISTENING       4
    TCP    [::]:49152             [::]:0                 LISTENING       448
    TCP    [::]:49153             [::]:0                 LISTENING       540
    TCP    [::]:49154             [::]:0                 LISTENING       776
    TCP    [::]:49155             [::]:0                 LISTENING       800
    TCP    [::]:49156             [::]:0                 LISTENING       540
    TCP    [::]:49177             [::]:0                 LISTENING       928
    TCP    [::]:49201             [::]:0                 LISTENING       532

• Two-way forest trust between two (single domain) forests with multiple identical user ID's

  Domain and forest levels - Windows 2003 (they both have one 2008 R2 DC)
  We need to create a two-way forest trust between two separate single-domain forests. The problem is that these two forests already access each others resources through a S2S. Users have the same login names and passwords on both forests/domains. Now, we
  are combining their infrastructures and need to set up a trust. From what I'm reading, you can't create forest trusts if you have the same SIDs, user ID's, or computer name in each of the forests.
  I'm looking into AD migration tool to copy the userSIDs (SID history?) between forest/domain, deleting the user ID's in the domain we migrated from, and then setting up the trust, but I'm leery about doing it this way as there is no easy 'recovery' should
  something go wrong. 
  Any suggestions for the easiest way to setup this forest trust?

  Hi,
  To eliminate your worries, two user accounts have the same user name doesn’t mean that they have the same SID. Moreover, the user’s SID remains the same even after it has been renamed.
  The SID for domain account/group consists of a
  Domain Identifier and a Relative Identifier. Domain Identifier is unique in every domain within a forest, and a Relative Identifier is unique within domain. It is unlikely that two user accounts with or without the same account
  name from two forests have the same SID.
  The Technet article you mentioned is talking about duplicate SIDs instead of “duplicate computer name or user account”, I will submit a change request to Microsoft about this.
  If there are duplicate SIDs when you create forest trust, you need to delete one of them as the article guides.
  Here are some related articles below for your references:
  How Security Identifiers Work
  http://technet.microsoft.com/en-us/library/cc778824(v=WS.10).aspx
  Security Identifier Structure
  http://technet.microsoft.com/en-us/library/cc962011.aspx
  Security Identifier
  http://en.wikipedia.org/wiki/Security_Identifier
  I hope this helps.
  Amy Wang

• SCOM Agent in Pending Management with two way trusted domain

  Hello Guys,
  I have two trusted domain abc.com & xyz.com with two-way trust forest-wise authentication enabled and my SCOM 2012 R2 Management server is part of abc.com. And there are multiple host which are part of domain xyz.com.When I am pushing agent from SCOm console
  to server then agents are getting installed with success message in task pane, but my agents are now at in pending Management.
  for this I am getting Event ID 20002 opsmgr connector with following message "A device at IP 10.1.1.6:54277 attempted to connect but could not be authenticated, and was rejected." on SCOM Server.
  And below message on the server where I am installing the agent.
  Event 20071 OpsMgr Connector
  The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log
  on the server and on the agent for events which indicate a failure to authenticate.
  Event 21016 OpsMgr Connector
  OpsMgr was unable to set up a communications channel to SCOM.abc.com and there are no failover hosts.  Communication will resume when fabSCOM2.nmfab.loc is available and communication from this computer is allowed.
  Event 20070 OpsMgr Connector
  The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received
  configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
  Need help to resolve this can any one help me.
  Thanks in Advance.
  NM-BG
  NM-BG

  Hi,
  Here i  suspect Authentication issue. 
  1.Could you please if 88, 389 & 3268 ports are opened between client domain controller and management server.
  2. if ports are already open collect netmon traces on both client and management server simultaneousely and check if there are any kerborose errors
  Kind Regards,
  Naveen Kumar B
  ~Bommi

• Can I add a two way trusted but in different forest domain to My existing Lync 2013 Topology !

  HI !
  We have an installed Lync 2013 Std Edt. setup and its working perfectly for one domain. Our network infrastructure ( LAN ) is being shared with our sister company. They have their own forest and domain and a two ways trust relationship with our domain. I
  want to add them in our Lync 2013 topology, is it possible ?? if yes, thn what are the requirements and which changes i need to consider.
  Response from experts would be greatly appreciated. 

  Yes, You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
  Also you can refer below link
  http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical

• Are there any security risks in two-way trusts?

  Hello!
  Can anybody enumerate security risks two-way trusts have? Security holes?
  I mean two-way trusts between two domains from different forests Windows 2003\2008.
  Thank you for any info.

  Hi,
  There are two potential threats to interforest trust relationships in Windows Server 2003 :
  1: Attack on trusting forest by malicious user in a trusted forest :
  A malicious user with administrative credentials who is located in a trusted forest could monitor network authentication requests from the trusting forest to obtain the security ID (SID) information of a user who has full access to resources in the trusting
  forest, such as a Domain or Enterprise Administrator. SID filtering is set on all trusts by default to help prevent malicious users from succeeding with this form of attack
  2: Attack on shared resources in a trusting forest by malicious users in another organization’s forest :
  Creating an external or forest trust between two forests essentially provides a pathway for authentications to travel from the trusted forest to the trusting forest. While this action by itself does not necessarily create a threat to either forest, because
  it allows all secured communications to occur over the pathway, it creates a larger surface of attack for any malicious user located in a trusted forest. Selective authentication can be set on interforest trusts to help minimize this attack surface area.
  For more info , Please refer :
  http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
  Though the forest mentioned is on win 2003, this article applies to Win 2008,2008R2 forest environment as well.
  Please revert in case of any queries
  pankaj(MCT)

• MBAM 2.5 in Multi-Forest with two way trust

  Hi All,
  If we have two forests with two way trust, say A and B. If MABM 2.5 is setup in domain A and the urls used in the GPO of domain B to make the clients report to MABM. What additional steps do we need to take to ensure all functionality work fine namely
  - Users from domain B logging in to the self service of MBAM. How will the authentication work? Do we need to add All users from Domain B to any group?
  - Also I read that the Self Service website should not be hosted over the internet as per Microsoft. Why is it?
  Thanks in Advance,
  Regards,
  Vijay

  You have to define the group policies in all of the domains where the client resides and place the MBAM Web server in the root domain. Make sure the client can access the MBAM service endpoints. If clients can access the endpoints, you only need to define
  the MBAM GPO's to the domain where client resides.
  Check out this link :
  MBAM 2.5 installation - Multi Domain
  Cheers,
  Gaurav Ranjan / Sr. Analyst-Professional Services
  MICROLAND Limited -India leading Infrastructure Management Services Company
  NOTE:Mark as Answer and Vote as Helpful if it helps

• Two-way SSL: Private key is incorrectly read if the charset is set to UTF8

  Looks like PEMInputStream and other related classes assumes the application charset
  "iso81", but if the charset is something else, then "java.security.KeyManagementException"
  is thrown.
  We have everything setup and two-way ssl works when the encoding is not set. but
  brakes if the encoding is UTF8.
  WLS 7.0
  OS - HP-UX
  Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
  app).
  Thanks

  I would suggest posting this to the security newsgroup.
  -- Rob
  Govinda Raj wrote:
  Looks like PEMInputStream and other related classes assumes the application charset
  "iso81", but if the charset is something else, then "java.security.KeyManagementException"
  is thrown.
  We have everything setup and two-way ssl works when the encoding is not set. but
  brakes if the encoding is UTF8.
  WLS 7.0
  OS - HP-UX
  Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
  app).
  Thanks

• My wife and I both have the new iPhones.  Is there a way to set up two separate iCloud accounts but have photo stream from both phones sync with one family mac?  So we don't want to share contacts or anything else, just photos... Thanks in advance

  My wife and I both have the new iPhones.  Is there a way to set up two separate iCloud accounts but have photo stream from both phones sync with one family mac?  So, we don't want to share contacts or anything else, just photos... Thanks in advance

  If you turned off Contacts wouldnt that mean that the Contacts would no longer be backed up to iCloud as well? That would make it a pain when upgrading a phone to not easily pull contacts back down.

• How do I set up itunes sync with outlook to "replace information on this iphone" only? I do not want to do a two way sync.

  I am tired of fighting sync incompatibilities between Outlook 2007 and I Tunes, and no longer want to do a two-way sync.
  I still want my Outlook contacts and calendar on my iPhone and use advanced setup in iTunes to "replace information on this iPhone" only.
  iTunes only offers the ability to do this on "the next sync only". Is there a way to set up iTunes to "replace information on this iPhone" every time I connect my phone?

  Hi there Greg,
  Welcome to Apple Support Communities.
  It sounds like you want to always replace content on your iPhone 5S with content from Outlook on your PC, to do this you’ll just have to Reset the Sync History in iTunes as shown below.
  Troubleshooting Sync Services on Windows with Microsoft Outlook 2003, Outlook 2007, or Outlook 2010 - Apple Support
  To reset sync history:
  Open iTunes.
  From the Edit menu, choose Preferences.
  Click the Devices tab.
  Click the Reset Sync History button.
  If the issue continues and you know all of the data is on the computer:
  Reset the Sync History again using the steps above.
  Select the device in iTunes and click the Info tab.
  Scroll down to the Advanced section, and under "Replace information on this iPhone/iPad/iPod touch" select Contacts or Calendars.
  Click Apply.
  Cheers,
  -Jason

• I have two iPads; mine and my daughters. One Apple ID one email. Can I FaceTime her when we are set up that way?

  I have two iPads; mine and my daughters. One Apple ID one email. Can I FaceTime her when we are set up that way?

  This might be helpful for you. It explains how to use additional email messages so that you can FaceTime and Message with each other even while sharing the one Apple ID.
  http://macmost.com/setting-up-multiple-ios-devices-for-messages-and-facetime.htm l
  Before my wife, daughter and I all bought iPhones, we used this method with great success. I have 4 iOS devices myself and still use email addresses on two of them for FaceTime on two of them.

• Best way to set up two thunderbolt displays and thunderbolt ethernet on a Late 2013 MBP with only 2 thunderbolt ports?

  I have a late 2013 MBP with only 2 thunderbolt ports. I want to set up two external displays (both have usb ports on the back but not thunderbolt so I can't daisy-chain) but one of my thunderbolt ports is being taken up by the ethernet adapter. Is it possible to convert one of my displays to plug into my open HDMI slot? Or is it better to use the two thunderbolt ports for the two displays and switch the ethernet to the slower usb adapter?

  You can use a HDMI to DVI adapter if the display resolution is not greater than 1920 x 1200.
  <http://startech.com/Cables/Audio-Video/HDMI/>
  or you could use wireless for your network connection.
  <http://www.apple.com/airport-express/>
  If you use 5GHz, it should be nearly as fast as Ethernet.

• Exchange Autodiscover in a domain trust environment

  I am preparing an Exchange and AD migration / merge between two AD Domains and Exchange Org due to a recent merger / acquisition of another company. I am in the middle of an Exchange 2007 to Exchange 2013 migration whcih may complicate things:
  Let me give you some background:
  Domain A - "My Company" - Where all the mailboxes and AD accounts will eventually reside. We are mostly Exchange 2007 SP3 UR13, but we have Exchange 2013 SP1 set up, and are migrating accounts to 2013 as we speak. Domain is 2003 Native Mode.
  Domain B - "The other company" - Where all the "other" mailboxes and AD accounts currently are. They are Exchange 2010 SP3 UR5. Domain is 2003 Native Mode.
  I currently have a two-way transitive trust set up between Domain A and Domain B. The trust is working, users from either domain can log onto PC's on the other domain without issue. DNS resolution is fully functional between domains. Mapped drives happen,
  group policy runs, everything is good, except Outlook.
  However, when users from either domain try to log into Exchange from a PC on the opposite domain, they get an error which says "The connection to Microsoft Exchange is Unavailable. Outlook must be online or connected to complete this action". It
  appears autodiscover is not allowing connection to the other domain. I can resolve autodiscover.DomainA.com from a DomainB.com computer, and vice versa.
  So question is, do I have to do something  inside of Autodiscover for it to resolve or forward autodiscover requests from one domain to another? I would say I am fairly competent at Exchange, but this is something I am unfamiliar with.

  Ok, that worked fine. I had to deploy the root CERT for domain B through Group Policy and everything is working.
  Only one further question, not really related to above, but sort of. As I explained, "Domain B" is a company we acquired and have maintained for the past 6 months. Their Domain and Exchange was a mess, but we fixed pretty much all their issues. Some of the
  stuff, I have no idea how it was even working. When we first took them over, they were still on Exchange 2010 RTM with no Update rollups, their certificates had expired, an Exchange 2003 server was still in the mix, hosting public folders and acting as the
  outbound mail relay. An absolute mess. We brought them up to SP3 and the current update rollup, properly removed Exchange 2003, migrated public folders. Two of their 4 DC's were in Journal Wrap, probably for months. But everything is fully working and patched.
  One oddity that I have observed, but have been hesitant to mess with is a DNS issue. They have no autodiscover A record in DNS. What they have instead is what looks like a zone inside their primary forward zone. It's not a record, the icon looks like a folder
  with a piece of paper on it. A different color than the other zones, kind of a pale tan. Anyway inside this "autodiscover" zone is a single NS record (not an A record, an NS record), pointing to one of the DC's.
  What I had planned to do is just delete whatever this is, and create an A record pointing to the IP primary CAS Array's VIP IP. But thought I would ask before I did this.
  I have no idea some of the half baked stuff that went on in this environment before I took over... but what is weird is everything is working, at least from within their domain