System Management in Child Domain

Hi
I have a forest with 2 domains (A and B). My SCCM 2012 R2 with SQL 2012 is installed in the root domain (Domain A), and I installed an MP and DP in the child domain.
When I go into Active Directory in the root domain, System Management, I see my MP and DP in the root domain and see the MP server of the child domain.
If I go to Active Directory in the child domain, System Management, I do NOT see the MP. I delegate a permission with the server in the root domain?
My question: Is it normal not to see the MP in System Management in the child domain?
Thanks 

Yes. Clients use the global catalog for initial MP discovery so there's no need to publish anything to the child domain specifically.
Is the child domain geographically separated from the primary?
Jason | http://blog.configmgrftw.com | @jasonsandys

Similar Messages

  • Manage Systems in other child domain through sccm server placed in another child domain.

    Hi,
    We have a single-forest, multiple-domain AD structure. There is full trust between the child domains.
    We have a requirement to manage systems in another child domain. The admin account is placed in one of the child domains, where the SCCM server is also installed.
    I tried placing an LDAP query for the other child domain in the AD System Discovery method, but it shows the attached error.
    Please help.

    Hi,
    Have you granted the admin account permissions to read computer accounts in the other child domain? Does the primary site server's computer account have permissions to read computer account information in the other child domain? Otherwise it will not work.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • SCCM 2012 root domain client management from child domain

    Hi All,
    We have an SCCM 2012 environment in a child domain and we would like to manage the root domain clients as well. We are using HTTPS mode. What configuration do we need to make for root domain clients to be monitored successfully from the child domain?
    Is it mandatory to create a System Management container for the root domain? If yes, what permissions do I need to give for that System Management container?
    Do we need to enable Active Directory Forest Discovery?
    Regards,
    Bhaskar K

    No, you do not need to create the System Management container or publish info into it and no you do not need to enable forest discovery.
    ConfigMgr ultimately does not care about AD. AD can be used by clients to help them locate services and configure themselves, but this can also be accomplished in other ways in ConfigMgr.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Remove discovered Child Domain information from SCCM

    Hi,
    I have a domain named X, configured well.
    And a child domain Y, which was not configured to be discovered in SCCM. For testing purposes I enabled AD System Discovery for this child domain, and all systems in "Y" also got discovered in the "all windows workstation" collection.
    Soon I identified that, due to a bandwidth issue, I do not need to manage this child domain "Y" via SCCM, and I want to remove these systems from the 'All windows workstations' collection in SCCM, as I will be patching "All windows workstations" every month.
    I went ahead and removed: AD System Discovery > Properties > General tab > removed the container of the child domain "Y".
    Almost one week is over. No hope. The systems are still visible.
    Could someone please help me get those systems removed?
    Regards
    KP

    As Torsten said, you may lower the Delete Aged Discovery Data setting and wait for the task to run, or manually delete the clients from SCCM.
    Juke Chou
    TechNet Community Support

  • Arbitration mailboxes exist in root and child domains, which to delete?

    Hi,
    I discovered a problem with my Arbitration Mailboxes when setting up a Moderated Distribution group. The moderator wasn't receiving an email from Exchange advising that there was a message that needed to be approved or declined. A bit of digging in Message Tracking and the Event log (IDs 9214 & 9217) revealed that the email address for the MS Exchange Approval Assistant exists twice, in both our root and child domains.
    The question is which to delete, the account in root or child? All of the users are in the child domain so presumably it's the account in root which I should delete, but I'm not 100% sure.
    Any pointers very welcome.
    Cheers.

    Hi,
    Agree with Andy. The arbitration accounts are in the root domain by default. You should delete the account in child domain. Then you can use the Get-Mailbox -Arbitration | fl displayname command to check if you can get this system mailbox in child domain.
    If you can't get this system mailbox in the child domain, you need to run the following command, so that the scope of the search is changed to the forest level.
    Set-ADServerSettings -ViewEntireForest $true
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Manage client in parent domain from child domain

    My site has a root domain (mydomain.net) and a parent domain (ent.mydomain.net).
    My primary SCCM site is installed in ent.mydomain.net and is managing all my clients.
    I have 4 DC's installed in mydomain.net that I would like to manage from my child domain (ent.mydomain.net).
    It is my understanding that if the schema has been extended in the parent domain, and I manually install the client on the DC, it should be able to be managed from the child domain.  
    I have installed the client in the parent, but it cannot find the site in the child (I have not extended the schema yet). I know that the client will not be able to find the site until the System Management container has been created and populated (does not currently exist). I know that I can create the container, but how would it get populated with the correct site information?
    If anyone has any experience with this kind of configuration, the help would be appreciated.
    Thanks

    I know that the client will not be able to find the site until the system management container has been created and populated (does not currently exist). I know that I can create the container, but how would it get populated with the correct site information.
    You could enable AD publishing to that domain, but site assignment is also a matter of site assignment boundary groups. You can also assign a client to a site manually though.
    Torsten Meringer | http://www.mssccmfaq.de

  • KMS license activation issues client systems within child domains

    KMS Server Setup:
    OS: W2K12 R2
    KMS ver: 2012
    Multiple child domains including a single domain in which the KMS server resides. All client systems and servers are scattered across the child domains throughout the enterprise.
    The new KMS server, running OS 2012 R2 and KMS 2012, sits within a separate domain. All systems will eventually get migrated to this domain. I have two (2) KMS servers I plan on using to accommodate the pending activations. From reading I think you're allowed to have a total of six (6) KMS servers.
    I've modified DNS to include placing the two servers within a security group and granting that group Full control permissions on the new _svc record.
    As of right now I'm able to discover servers and client systems scattered across the enterprise. I've also confirmed the ability to update license status on a number of servers.
    When attempting to update license credentials on client systems I get the following error:
    Unable to connect to the WMI service on the remote machine.
    I've come across a few systems that I've been able to update, most sitting within the same location. So I'm a little confused on how best to troubleshoot this issue.
    In addition I have a few Macintosh systems running a virtual parallel of Win7 that are also getting this error when attempting to activate.
    I've had other instances where when attempting to update license status the office products will get activated but not the OS.
    This issue only occurs on client systems so I'm hoping to get some direction as I've ruled out firewall and blocked ports as the cause.
    Any response appreciated.

    remote WMI needs a few things to work;
    a) networking/routing (can the destination machine be resolved by name? can you route to the destination machine?)
    b) permissions (is the account you are using to connect to the target, permitted or denied?)(is there a trust?)
    c) is WMI and DCOM on the target machine, healthy/configured correctly?
    d) can you successfully connect/authenticate to the target machine, using tools such as msinfo32, compmgmt.msc, "WMIC /node:computername csproduct get name"
    some useful tips:
    http://technet.microsoft.com/en-us/library/hh672144(v=office.14).aspx
    http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-can-t-connect-to-remote-wmi.aspx
    Don

  • Administrator in parent domain has no administrator rights when logging into child domain systems.

    We have a simple layout: the parent domain in the office is foo.com, and I've added a child domain in the datacenter called prod.foo.com (we have machines with the same names in the office and production, not my doing :p). Prior to this all of our production machines were standalone and various users just had the local administrator account, which has led to some problems.
    Anyway, on to my issue:
    I have a security group in foo.com called Production Logins that I've added myself to, and on the test Windows 2003 server I've allowed FOO\Production Logins the ability to remote desktop, and I'm able to remote into the box web01.prod.foo.com just fine. However, when I log into web01.prod.foo.com under my admin account in the parent domain, I only have basic user rights on that machine, not administrator rights. Shouldn't administrator rights carry over to the child domain for my account? Is there something specific I need to do to allow that?

    Hi,
    To do what the friend said above you need to configure a Restricted Groups GPO.
    More information: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
    MCP, MCDST e MCSA 2003

  • Exchange 2010 unable to find objects in child domain via ESM

    I am having a problem on Exchange 2010 which relates to mailboxes whose AD account is in a child domain in the AD forest.
    We have two domains A & B in the forest. The site which hosts E2010 only has DCs from domain A (root domain). These DCs are set as Global Catalogues.
    All Exchange servers (2 x CAS & 2 x Mailbox) installed in Domain A (primary site) can resolve domain B, and performing nslookups for domain B on these servers displays the DCs installed in domain B at remote sites.
    I am migrating some resource mailboxes with AD accounts in domain B and need to set them up as room mailboxes to enable the auto accept bookings feature.
    After migrating the mailboxes via the EMS to set the mailbox as a room, below is the error I get:
    [PS] C:\Windows\system32>set-mailbox mtgrm1@domainB -Type Room
    The operation couldn't be performed because object 'mtgrm1@ domainB' couldn't be found on 'DC01.domainA.com'.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-Mailbox], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 9E6F6A1,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
    I have also tried using only the alias and the object CN:
    set-mailbox mtgrm1 -Type Room
    set-mailbox -identity 'domainB/Sitename/ Users/MSX Resource Accounts/Conf MtgRm1 (Video)' -Type Room
    but get the same error.
    All employee mailboxes from Domain B have been migrated to Exchange 2010 from 2003 and are working with no problems.
    I have confirmed domain B has been prepared for E2010 - In the Microsoft Exchange System Objects container in AD there is the global group Exchange Install Domain Servers.
    Event ID 2080
    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1864). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
     (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
    In-site:
    dc02.domainA.COM    CDG 1 7 7 1 0 1 1 7 1
    DC01.domainA.com    CDG 1 7 7 1 0 1 1 7 1
    Out-of-site:
    DC03.domainA.COM    CDG 1 0 0 1 0 0 0 0 0
    dc04.domainA.COM    CDG 1 0 0 1 0 0 0 0 0
    Please note the Out of site DCs are for our Exchange failover site which is currently down due to the storms on the East Coast.
    Does Exchange 2010 require a local DC for the second domain installed in the sites which host Exchange? If not, any advice on what else I can look at will be appreciated.
    Thanks.

    Hi there,
    If the question is answered, please mark it accordingly. Thanks.
    Fiona Liao
    TechNet Community Support

  • System Management container in Multidomain environment (same forest)

    Greetings,
    The scenario is the following:
    1 root domain. 5 child domains. The schema was extended for Win2008 R2.
    1 primary parent SCCM site (implemented in a child domain. 1 sccm server). 4 primary child SCCM sites (implemented in the 4 remaining child domains. 1 sccm server per child domain).
    All of the SCCM servers are SP2 R3.
    The System Management container was created in all of the child domains and the permissions were applied according to http://technet.microsoft.com/en-us/library/bb633121.aspx
    In every AD site, the System Management container shows the information pertaining to its SCCM server.
    The questions are:
    In the AD domain where the parent SCCM site is, must all of the SCCM servers be granted permissions on its System Management container?
    Must the System Management container be created at the root domain? (And what would the permissions be?)
    Thanks in advance!

    Site servers write their information to the System Management container in their own domain (and only their own domain) thus you need to create the System Management container in each and every domain where there is a site server but only the site server in that domain needs to be granted permissions in that domain.
    Clients use the global catalog to query for info so the actual domain where the System Management container or objects contained therein doesn't really matter.
    Jason | http://blog.configmgrftw.com
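
A read-only check of the two points made in this answer and in the first answer on the page: what clients can find through the global catalog, and who can write to each domain's System Management container. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, an extended schema (the `mSSMSManagementPoint` class), and the function names, the `-ExpectedWriter` parameter and the `CORP\...` account names are hypothetical.

```powershell
# Added example: read-only audit of ConfigMgr publishing in a multi-domain forest.
Import-Module ActiveDirectory

function Get-PublishedManagementPoint {
    # Forest-wide view, the way a client looks it up: query a global catalog
    # (port 3268) with an empty search base so every domain partition is covered.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
    Get-ADObject -Server "${gc}:3268" -SearchBase '' `
        -LDAPFilter '(objectClass=mSSMSManagementPoint)' `
        -Properties mSSMSMPName, mSSMSSiteCode |
        Select-Object @{ n = 'MP';       e = { $_.mSSMSMPName } },
                      @{ n = 'SiteCode'; e = { $_.mSSMSSiteCode } },
                      DistinguishedName   # the DN shows which domain holds the object
}

function Get-SystemManagementAudit {
    param(
        # Hypothetical parameter: accounts that are supposed to have write access
        # (the domain's own site server, admin groups, SYSTEM).
        [string[]]$ExpectedWriter = @()
    )
    # Rights that allow creating, changing or deleting published objects.
    # GenericAll and GenericWrite ACEs contain WriteProperty, so they match too.
    $mask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree, WriteDacl, WriteOwner'

    foreach ($domain in (Get-ADForest).Domains) {
        $dn = 'CN=System Management,CN=System,' + (Get-ADDomain -Server $domain).DistinguishedName
        try {
            $container = Get-ADObject -Identity $dn -Server $domain `
                -Properties nTSecurityDescriptor -ErrorAction Stop
        } catch {
            # Expected for a domain that hosts no site server.
            [pscustomobject]@{ Domain = $domain; Container = 'absent or unreadable'
                               PublishedMP = @(); Writers = @(); Unexpected = @() }
            continue
        }
        # Management points published into this domain's container.
        $mps = @(Get-ADObject -SearchBase $dn -Server $domain `
                    -LDAPFilter '(objectClass=mSSMSManagementPoint)' -Properties mSSMSMPName |
                 ForEach-Object { $_.mSSMSMPName })
        # Every principal holding an Allow ACE with any of the write rights above.
        $writers = @($container.nTSecurityDescriptor.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.ActiveDirectoryRights -band $mask) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        [pscustomobject]@{
            Domain      = $domain
            Container   = 'present'
            PublishedMP = $mps
            Writers     = $writers
            # Least-privilege check: only the site server of this domain (plus
            # the usual admin principals) should appear among the writers.
            Unexpected  = @($writers | Where-Object { $_ -notin $ExpectedWriter })
        }
    }
}

# Usage with placeholder account names:
Get-PublishedManagementPoint | Format-Table -AutoSize
Get-SystemManagementAudit -ExpectedWriter 'CORP\SITESERVER$', 'CORP\Domain Admins', 'NT AUTHORITY\SYSTEM' |
    Format-List
```

A domain reported as `absent or unreadable` with its management points still listed by `Get-PublishedManagementPoint` is the situation described in the first question on this page.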

  • Can I add a WinServer 2012 into a mix child Domain with 2008 and 2003?

    The functional level is 2003 and the main domain is mixed with 2008 and 2003. The users need the template of Server 2012 and to use the "new" group policy so that they are able to use the "new" features in Windows 8 (which I totally do not think is very useful). I have a plan to join the 2012 server to a child domain as a DC, but I don't know if that will cause any problems. Can I do so?
    Thanks all.
    Gary

    @Darren: http://technet.microsoft.com/en-us/library/jj592683.aspx
    For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas.
    To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects.
    Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change.
    To support Windows 8 computers that are managed by a Windows Server 2003 or Windows 2008 domain controller
    There are two schema extensions that you can copy down and add to your AD DS schema:
    TpmSchemaExtension.ldf
    This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. Only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update to the schema was created.
    TpmSchemaExtensionACLChanges.ldf
    This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing to track changes for these objects.
    To download the schema extensions, see Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients.
    If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated.
    Also, if you check the GPO's in 2012, there are specific templates for Windows8/2012 and specific (legacy) templates for Windows 7.
    MCITP:SA:EA:EMA2010:VA2008R2
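
One way to act on the "enable auditing to track changes for these objects" mitigation quoted in this answer: review directory-change events for TPM objects and list writes made by an account other than the computer linked to the object. This is an added example, not part of the quoted Microsoft text; it assumes Directory Service Changes auditing and a write SACL on the TPM objects are already in place so that domain controllers log Security event 5136, and the function names and sample records are constructed for illustration.

```powershell
# Added example: flag TPM object changes written by a computer other than the
# one linked to the object. Sample data at the bottom is constructed.

function ConvertFrom-DsChangeEvent {
    # Flatten one Security event 5136 record into the fields used below.
    param([Parameter(Mandatory)] $EventRecord)
    $data = @{}
    foreach ($d in ([xml]$EventRecord.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $EventRecord.TimeCreated
        Writer      = $data['SubjectUserName']   # computer accounts end in '$'
        ObjectDN    = $data['ObjectDN']
        ObjectClass = $data['ObjectClass']
    }
}

function Get-TpmOwnerMap {
    # TPM object DN -> sAMAccountName of the computer object that links to it.
    $link = 'msTPM-TpmInformationForComputer'
    $map  = @{}
    foreach ($pc in (Get-ADComputer -LDAPFilter "($link=*)" -Properties $link)) {
        foreach ($tpmDn in $pc.$link) { $map[[string]$tpmDn] = $pc.SamAccountName }
    }
    $map
}

function Find-ForeignTpmWrite {
    # Return the changes whose writer is not the linked computer. After a
    # reimage or on a dual-boot machine such a write is the case the relaxed
    # ACL exists for; anything else is worth a look.
    param(
        [Parameter(Mandatory)] [object[]]  $Changes,
        [Parameter(Mandatory)] [hashtable] $OwnerOf
    )
    foreach ($c in $Changes) {
        if ($c.ObjectClass -ne 'msTPM-InformationObject') { continue }
        $owner = $OwnerOf[$c.ObjectDN]            # $null when no computer links to it
        if ($c.Writer -ne $owner) {
            [pscustomobject]@{
                Time           = $c.Time
                ObjectDN       = $c.ObjectDN
                Writer         = $c.Writer
                LinkedComputer = $owner
            }
        }
    }
}

# --- Constructed sample (runs without a domain) -----------------------------
$sampleDn = 'CN=tpm-0001,CN=TPM Devices,DC=example,DC=test'
$owners   = @{ $sampleDn = 'WS01$' }
$changes  = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:00'; Writer = 'WS01$'
                       ObjectDN = $sampleDn; ObjectClass = 'msTPM-InformationObject' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:05:00'; Writer = 'WS77$'
                       ObjectDN = $sampleDn; ObjectClass = 'msTPM-InformationObject' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:06:00'; Writer = 'WS77$'
                       ObjectDN = 'CN=WS77,CN=Computers,DC=example,DC=test'; ObjectClass = 'computer' }
)
Find-ForeignTpmWrite -Changes $changes -OwnerOf $owners | Format-Table -AutoSize
# Only the 09:05 write by WS77$ is listed.

# --- Against a live domain controller ---------------------------------------
# $changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } |
#                ForEach-Object { ConvertFrom-DsChangeEvent $_ }
# Find-ForeignTpmWrite -Changes $changes -OwnerOf (Get-TpmOwnerMap)
```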

  • System Management Delegation

    Hi
    I have 3 forests (A, B, C):
    - Forest A (1 root domain)
    - Forest B (1 root domain and 1 child)
    - Forest C (1 root domain)
    I installed a new SCCM 2012 R2 CU3 in the root domain (Forest B).
    - Forest A trusts Forest B
    - Forest C has no trust with forest B or C
    I installed an MP and DP in forests A and C.
    My question: is it necessary to delegate the MP on "System Management" in Active Directory in:
    - The root domain of forest A?
    - The root domain of forest C?
    - The child domain of forest B?
    Thanks

    Not sure what you mean by delegate here? There is no such concept. Are you talking about setting permissions on the System Management container?
    If so, then is it necessary? No.
    Will it enable ConfigMgr to publish site location information used by clients in those forests to more easily locate the MP? Yes.
    However, it's not the MP that is publishing data, it's the site itself and so the site server must have permissions on the container. Actual publishing is done by Forest Discovery and thus you must configure Forest Discovery with proper credentials also in addition to extending the schema in the forests and manually creating the container.
    Lots more info at http://technet.microsoft.com/en-us/library/hh696542.aspx and http://blogs.technet.com/b/configmgrteam/archive/2011/03/30/active-directory-forest-discovery-and-publishing-in-configuration-manager-2012-beta-2.aspx
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCCM 2012 in child domain unable to publish to root domain

    I have an SCCM 2012 (no SP) in a child domain (am.corp) and have given the SCCM server computer object full control of the System Management folder in ADSI on the root domain (corp.local), but continue to get the error in the Active Directory Forests portion of the console that I have insufficient access rights to publish to the root domain (corp.local).
    I have sccm management distribution points in the other child domains of the root.
    Any suggestions on how to get this to stop erroring.

    The discovery log tells me it's found 27 sites and 166 subnets. It has problems identifying the forest of some of the other SCCM servers but doesn't give any warning or error (that I see) about publishing.
    See below: (truncated so it fits)
    SMS_EXECUTIVE started SMS_AD_FOREST_DISCOVERY_MANAGER as thread ID 3996 (0xF9C).  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.311+240><thread=2924 (0xB6C)>
    ===========================================================  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
    Beginning Active Directory Forest Discovery Manager  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
    Entering function ThreadMain()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::Initialize()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.321+240><thread=3996 (0xF9C)>
    Component SMS_AD_FOREST_DISCOVERY_MANAGER is marked active.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.333+240><thread=3996 (0xF9C)>
    Log verbosity level = 0~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::Process()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::ShouldRun()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::CheckIfRunCountValueChanged()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Admin requested to run discovery now.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:34.346+240><thread=3996 (0xF9C)>
    Entering function ReportForestDiscoverySuccessStatusMessage()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
    Raising discovery success status message for forest corp.acme.com, in which we discovered 27 site(s) and 166 subnet(s).~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, 1073750724, 0~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
    STATMSG: ID=8900 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_FOREST_DISCOVERY_MANAGER" SYS=SCCMADMPRGL01.am.corp.acme.com SITE=GDC PID=2524 TID=3996 GMTDATE=Wed Mar 20 15:43:39.018 2013 ISTR0="corp.acme.com" ISTR1="" ISTR2="" ISTR3="" ISTR4="166" ISTR5="27" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.018+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForAllSiteSystems()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.496+240><thread=3996 (0xF9C)>
    Trying to update forest fqdn for all site systems associated with site GDC  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.500+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::UpdateForestNamesForSiteSystems()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.500+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.543+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server MSPRNPRTW01.au.corp.acme.com.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:39.543+240><thread=3996 (0xF9C)>
    Server MSPRNPRTW01.au.corp.acme.com belongs to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:41.037+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.756+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMADMPRGL01.am.corp.acme.com.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.757+240><thread=3996 (0xF9C)>
    Server SCCMADMPRGL01.am.corp.acme.com belongs to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.757+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.815+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMDPPRAP01.au.corp.acme.com.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:42.815+240><thread=3996 (0xF9C)>
    Server SCCMDPPRAP01.au.corp.acme.com belongs to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.689+240><thread=3996 (0xF9C)>
    Entering function CActiveDirectoryForestDiscovery::GetForestName()  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.756+240><thread=3996 (0xF9C)>
    ~Trying to discover forest name for server SCCMDPPRAU01.au.corp.acme.com.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:43.757+240><thread=3996 (0xF9C)>
    Server SCCMDPPRAU01.au.corp.acme.com belongs to forest corp.acme.com.~  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:45.040+240><thread=3996 (0xF9C)>
    Finishing Active Directory Forest Discovery Manager thread.  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:57.044+240><thread=3996 (0xF9C)>
    ===========================================================  $$<SMS_AD_FOREST_DISCOVERY_MANAGER><03-20-2013 11:43:57.044+240><thread=3996 (0xF9C)>

  • Why can the users in one child domain logon to computers in a different child domain in Server 2012 R2?

    I have setup a test system. It has a domain with 2 child domains.  DomainA.xyz.com has users and workstations. DomainB.xyz.com is a resource domain and has servers.  wyx.com is for IT administration.
    Users in domainA can logon to the domainB computers.  I searched to find out why it was so.  I found a "NT AUTHORITY\INTERACTIVE" entry in the local users group that enables this.
    This is rather confusing.  1.  When a user enters his credentials, he is not logged on and therefore would not be "INTERACTIVE" at that time.  2.  If everybody that signs on a computer is interactive, then does that mean everyone in the forest can sign on?
    So my issue is: Can I delete the "INTERACTIVE" entry in the local users group and not cause any problems?  I want to protect the resource domain from users signing on to them and give them access to the resources they need.

    Hi,
    The Interactive group includes all users that have logged on locally.
    In addition, it is not recommended to remove the interactive group from the local user group since it would cause all kinds of problems. For more detailed information, please refer to the similar thread and link below:
    Interactive group
    Staring at a blank desktop, due to Interactive missing from Users group
    Best regards,
    Susie

  • Exchange 2013 sp1 smtp NTLM auth for child domain users

    I have an Exchange organization with Exchange 2007 SP3 and Exchange 2013 SP1.
    All users are on the Exchange 2013 server (mail flow is through the Exchange 2013 server).
    I have a single forest, 2 sites (site1, site2), root domain root.local and 1 child domain ch.root.local.
    The DC for the child domain is located in site2 (dc.ch.root.local).
    A multirole Exchange 2013 server is installed in the root domain.
    I am trying to configure an SMTP receive connector with NTLM auth and have one problem.
    When a user in the child domain tries to send email through this receive connector I see in the log:
    <,AUTH NTLM,
    >,334 <authentication response>,
    *,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
    *,CH\user1,authenticated
    *,,Setting up client proxy session failed with error: 535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user
    *,,"Setting up client proxy session failed with error: 451 4.4.0 Primary target IP address responded with: ""535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.15:465"
    But authentication is successful for users from the root domain.
    Why can that be?
    Thanks.

    Thanks for the link.
    In the SMTP receive logs (Hub Transport role) I've found the following:
    Client Proxy EXMAIL2013,08D134DAF6CE1C51,49,192.168.1.15:465,
    *,NT AUTHORITY\SYSTEM,authenticated
    >,235 <authentication response>,
    <,XPROXY SID=08D130D354F520D1 IP=192.168.1.21 PORT=57085 DOMAIN=[192.168.1.21] CAPABILITIES=0 SECID=Uy0xxx...
    *,,Error while looking up SamAccountName chuser: The user name or password is incorrect.\r\n
    *,None,Set Session Permissions
    >,250 XProxy accepted but user identity could not be obtained,
