Untusted Forest

Similar Messages

• ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

  We are running cisco ISE 1.2, we have new AD domain with forest trust relation between both the new and the old. authentication to with the new domain fails.
  Is there any requirements or configurations change needs to be done to make it success?

  Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus?Apex Licensing model. 
  If you are not yet on Patch 8, the you are using Base/Advanced and these will be converted during the upgrade.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Exchange 2013 Untrusted Cross-Forest Availability Intermittently Working

  Goal:
  I’m attempting to configure cross-forest availability for Exchange 2013 using the instructions here:
  http://technet.microsoft.com/en-us/library/bb125182%28v=exchg.150%29.aspx
  At the very bottom of the page are three different methods.  I have tried the first (per-user) and the third (untrusted) methods, with identical results.  For various unfortunate reasons, I am unable to use the Microsoft Federated Gateway for availability
  information (although that is configured in the production domain and I would use it if it were possible). 
  Situation:
  When attempting to view availability information in either OWA or Outlook, the free/busy information typically isn’t visible.  If you open and close Outlook a few times, creating meetings with the users in other domains, sometimes the other user’s information
  will be visible, and sometimes it will not.  When it is not, the area is filled with diagonal lines and hovering over it says “No Information”.  The situation is the same in both Adatum trying to access Contoso, and in Contoso trying to access either
  Adatum or Fabrikam.
  I’m currently close to finishing up my third week with Microsoft Support on this issue, and am starting over with a third first level support person.  They are quickly eroding what little confidence I had in them already.  I’m posting here because
  I’m desperate, and web searches for my errors turn up zero results.  I fear this method of availability sharing doesn’t actually work correctly in Exchange 2013 as Microsoft is pushing organizations to use the Microsoft Federated Gateway, but I’d love
  to heave about anyone getting this to work, or not.
  Setup:
  There are three separate domains I am working with (names changed to protect the innocent).  Contoso.local is the production domain, containing Exchange 2007 and Exchange 2013 SP1 servers.  Adatum.local is a test domain set up fresh with Exchange
  2013 SP1.  Fabrikam.com is a remote Exchange system that I others are connecting to without issue using Exchange 2010.
  The Contoso and Adatum domain controllers are running Windows Server 2008 R2 SP1 and are running at a 2008 R2 functional levels.  The Exchange 2013 servers are all at SP1 (results were the same prior to SP1), and the OS is Windows Server 2012. 
  Contoso has two sites, connected via 10Gbps links, and ~10ms latency, with Exchange 2013 CAS and mailbox servers in both sites.  Adatum has a single site, and has two CAS and two mailbox servers.  Fabrikam has one internet facing server to connect
  to.  A handful of contacts have been created in both Contoso and Adatum for the other domains, to select to view availability.
  Contoso and Adatum domains sit on different subnets, but there is no firewall or filtering between their subnets.  Routing between them is completely unimpeded.  The Fabrikam server sits on another network across the internet, but firewalls have
  been configured and I can browse the availability website from the Contoso CAS servers.
  The CAS servers were originally set up to be load balanced, but working with Microsoft they’ve had me specify a single CAS server for autodiscover/EWS/ECP/OWA/etc in both Contoso and Adatum.  The number of actual users on Exchange 2013 in Contoso is
  ~10.  In Adatum, there are only a handful of mailboxes configured.  The Exchange 2007 servers in Contoso are using Public Folders for free/busy replication for other domains right now, and we don’t care at the moment if they can use the 2013 availability. 
  None of our testing/configurations have involved the Exchange 2007 servers.  There are no SPNs configured for the other domains in AD.
  Errors:
  There are three basic errors that are returned in Outlook diagnostics.  The first is the timeout error.  For a given mailbox server, the first time it is queried for availability information for a remote domain (after some amount of time of being
  idle) it might not respond for 70 seconds (actually somewhere between 69 and 70 seconds each time when viewing the IIS logs), and eventually fails with the timeout error.  If it doesn’t timeout, then it will respond with the Correct Response.
  Once a particular mailbox server has timed out, it will typically immediately return the first Availability Error for all subsequent calls.  Less frequently, it will return Availability Error 2.  If a mailbox server returns the first Availability
  Error, then it will continue to return that error until it times out again or starts working.  Similarly, if a mailbox server returns the second Availability Error, then it will continue to return that error until it times out again or starts working.
  If an IISRESET is performed on a mailbox server, then it will either timeout at the next cross-forest availability request, or work.  There is never an issue accessing availability information for users in the same domain as the request.
  If the remote Exchange is in an errored state, then the response includes the error.  For example, if the mailbox servers in the remote domain are turned off, and the local mailbox server that you are querying happens to be responding correctly
  for the remote domain, then it will return an error about how no mailbox servers are available in adatum.local to service the request.
  There are no Event Log errors that correspond to failed requests of any type.  IIS logs don’t show anything beyond what is shown in the Outlook diagnostics.  There are no DNS or Active Directory Replication errors in the Event Logs.
  Timeout error:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorTimeoutExpired
  ErrorMessage         : Microsoft.Exchange.InfoWorker.Common.Availability.TimeoutExpiredException: Request could not be processed in time. Timeout occurred during 'LookupRecipientsBatchBegin'.
                         . Name of the server where exception originated: Mailbox01
  ErrorDetails         : {}
  ErrorProperties      : {}
  Availability Error:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorProxyRequestProcessingFailed
  ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException:
  AvailabilityAddressSpace 'adatum.local' couldn't be used because the Autodiscover endpoint couldn't be discovered.
                         . Name of the server where exception originated: Mailbox01
  ErrorDetails         : {}
  ErrorProperties      : {}
  Availability Error 2:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorProxyRequestProcessingFailed
  ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AddressSpaceNotFoundException:
  Configuration information for forest/domain swelab.wayad.corp.wayport.net could not be found in Active Directory.
                            at Microsoft.Exchange.InfoWorker.Common.Availability.TargetForestConfigurationCache.FindByDomain(OrganizationId
  organizationId, String domainName)
                            at Microsoft.Exchange.InfoWorker.Common.Availability.QueryGenerator.GetTargetForestConfiguration(EmailAddress
  emailAddress)
                         . Name of the server where exception originated: Mailbox02
  ErrorDetails         : {}
  ErrorProperties      : {}
  Working:
  CalendarEvents       : {Microsoft.Exchange.WebServices.Data.CalendarEvent}
  ViewType             : FreeBusyMerged
  MergedFreeBusyStatus : {Free, Free, Free, Free...}
  WorkingHours         : Microsoft.Exchange.WebServices.Data.WorkingHours
  Result               : Success
  ErrorCode            : NoError
  ErrorMessage         :
  ErrorDetails         : {}
  ErrorProperties      : {}
  Start : 04/09/2014 00:00:00
  End : 04/12/2014 00:00:00
  Subject :
  Location :
  Testing Methodologies:
  While it is possible to dig through Outlook diagnostics and OWA, we ended up scripting out these requests to save time.  Microsoft support refuses to use the scripts, but they produce the same output that it takes them days to find in the logs, so I’ll
  post them here to help anyone in the future.
  Through reading the documentation and experimenting, it appears that the Exchange 2013 CAS servers really do just proxy availability requests from the client to the mailbox servers.  At least by default, it seems to pick a mailbox server in the same
  site, but which mailbox server in the site appears to be random.  It will typically pick the same one repeatedly for a while.
  The first script uses the Microsoft Exchange Web Services Managed API 2.1.
  http://www.microsoft.com/en-us/download/details.aspx?id=42022
  You specify a source email address, and a target address in the remote domain, and it creates a SOAP request that it sends to a CAS server of the source email address.  The CAS proxies the request to the mailbox server which either responds with a failure
  or the free/busy data.
  The second script takes the XML SOAP request generated by the first script, and uses that to query a mailbox server directly.  That allows you to test specific mailbox servers that are working or failing, instead of randomly using whichever mailbox
  server the CAS happens to select.  I generated a SOAP request with the first script that I knew had some data, and then copy/pasted it into the second script to verify if data was being returned.
  I’ve deleted and recreated the availability address spaces in Contoso and Adatum for each other and Fabrikam multiple times.  I’ve reset the password in the OrgWideAccount in both Adatum and Contoso, and viewed the lastBadPassword attribute in both
  ADs to verify it wasn’t failing authentication.  (A failed authentication also generates a 401 error that is returned to the client.)  I can access the availability site of the other domain using the credentials of the OrgWideAccount without any
  errors ever.
  First Script:
  # Import the Exchange Web Services module
  Import-Module -Name "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
  # Create the services object used to connect to Exchange
  # You can specify a specific Exchange version, which I had to do to connect to 2007
  # Exchange2007_SP1
  # Exchange2010
  # Exchange2010_SP1
  # Exchange2010_SP2
  # Exchange2013
  # $ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1
  # $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)
  $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService
  $Service.UseDefaultCredentials = $true
  # Specify an SMTP address. The autodiscover URL from the associated mailbox will be used to connect to Exchange
  # This is used to distinguish resolving from the 2007 server versus 2013
  #$Service.AutodiscoverUrl("[email protected]") # For Exchange 2007
  $Service.AutodiscoverUrl("[email protected]") # For Exchange 2013
  # Increase the amount output at the end to include the SOAP commands
  $Service.TraceEnabled = $true
  # Specify time frame to get free/busy for
  $StartTime = [DateTime]::Parse([DateTime]::Now.ToString("yyyy-MM-dd 0:00"))
  $EndTime = $StartTime.AddDays(7)
  # Create the various objects needed to perform the EWS request
  $drDuration = new-object Microsoft.Exchange.WebServices.Data.TimeWindow($StartTime,$EndTime)
  $AvailabilityOptions = new-object Microsoft.Exchange.WebServices.Data.AvailabilityOptions
  $AvailabilityOptions.RequestedFreeBusyView = [Microsoft.Exchange.WebServices.Data.FreeBusyViewType]::DetailedMerged
  $Attendeesbatch = New-Object "System.Collections.Generic.List[Microsoft.Exchange.WebServices.Data.AttendeeInfo]"
  $attendee = New-Object Microsoft.Exchange.WebServices.Data.AttendeeInfo($userSMTPAddress)
  # Specify SMTP addresses of accounts to request availability for
  #$Attendeesbatch.Add("[email protected]")
  $Attendeesbatch.Add("[email protected]")
  #$Attendeesbatch.Add("[email protected]")
  #$Attendeesbatch.Add("[email protected]")
  # Clear out old results so that a failed request doesn't show information still
  $availresponse = ""
  # Request the availability information from Exchange
  $availresponse = $service.GetUserAvailability($Attendeesbatch,$drDuration,[Microsoft.Exchange.WebServices.Data.AvailabilityData]::FreeBusy,$AvailabilityOptions)
  # Show summary information that would include errors
  $availresponse.AttendeesAvailability
  # Show all of the appointments in the requested time period
  foreach($avail in $availresponse.AttendeesAvailability){
  foreach($cvtEnt in $avail.CalendarEvents){
  "Start : " + $cvtEnt.StartTime
  "End : " + $cvtEnt.EndTime
  "Subject : " + $cvtEnt.Details.Subject
  "Location : " + $cvtEnt.Details.Location
  Second Script:
  # Change the server in this URL to specify which mailbox server to access
  $url = 'https://mailbox01.contoso.local:444/EWS/Exchange.asmx'
  # Uncomment the below lines if you want to query EWS using credentials other than
  # the ones used to run the script.
  #If(!(Test-Path variable:global:cred))
  # $cred = Get-Credential
  function Execute-SOAPRequest
  [Xml] $SOAPRequest,
  [String] $URL
  write-host "Sending SOAP Request To Server: $URL"
  $soapWebRequest = [System.Net.WebRequest]::Create($URL)
  # These appear to be the only things needed in the headers when making the request
  $soapWebRequest.ContentType = 'text/xml;charset="utf-8"'
  $soapWebRequest.Accept = "text/xml"
  $soapWebRequest.Method = "POST"
  If(Test-Path variable:global:cred)
  $soapWebRequest.Credentials = $cred
  Else
  $soapWebRequest.UseDefaultCredentials = $true
  write-host "Initiating Send."
  $requestStream = $soapWebRequest.GetRequestStream()
  $SOAPRequest.Save($requestStream)
  $requestStream.Close()
  write-host "Send Complete, Waiting For Response."
  $resp = $soapWebRequest.GetResponse()
  $responseStream = $resp.GetResponseStream()
  $soapReader = [System.IO.StreamReader]($responseStream)
  $ReturnXml = [Xml] $soapReader.ReadToEnd()
  $responseStream.Close()
  write-host "Response Received."
  return $ReturnXml
  # The specing and line returns in the below variable are important for some reason
  # For example, there must be a line return after the @' on the first line, or it's invalid...
  # Change the line with this:
  # <t:Address>[email protected]</t:Address>
  # to the email address in the domain you want to query
  $soap = [xml]@'
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
  <t:RequestServerVersion Version="Exchange2013_SP1" />
  <t:TimeZoneContext>
  <t:TimeZoneDefinition Name="(UTC-06:00) Central Time (US &amp; Canada)" Id="Central Standard Time">
  <t:Periods>
  <t:Period Bias="P0DT6H0M0.0S" Name="Standard" Id="Std" />
  <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/1" />
  <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/2007" />
  </t:Periods>
  <t:TransitionsGroups>
  <t:TransitionsGroup Id="0">
  <t:RecurringDayTransition>
  <t:To Kind="Period">Dlt/1</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>4</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>1</t:Occurrence>
  </t:RecurringDayTransition>
  <t:RecurringDayTransition>
  <t:To Kind="Period">Std</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>10</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>-1</t:Occurrence>
  </t:RecurringDayTransition>
  </t:TransitionsGroup>
  <t:TransitionsGroup Id="1">
  <t:RecurringDayTransition>
  <t:To Kind="Period">Dlt/2007</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>3</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>2</t:Occurrence>
  </t:RecurringDayTransition>
  <t:RecurringDayTransition>
  <t:To Kind="Period">Std</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>11</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>1</t:Occurrence>
  </t:RecurringDayTransition>
  </t:TransitionsGroup>
  </t:TransitionsGroups>
  <t:Transitions>
  <t:Transition>
  <t:To Kind="Group">0</t:To>
  </t:Transition>
  <t:AbsoluteDateTransition>
  <t:To Kind="Group">1</t:To>
  <t:DateTime>2007-01-01T06:00:00.000Z</t:DateTime>
  </t:AbsoluteDateTransition>
  </t:Transitions>
  </t:TimeZoneDefinition>
  </t:TimeZoneContext>
  </soap:Header>
  <soap:Body>
  <m:GetUserAvailabilityRequest>
  <m:MailboxDataArray>
  <t:MailboxData>
  <t:Email>
  <t:Address>[email protected]</t:Address>
  </t:Email>
  <t:AttendeeType>Required</t:AttendeeType>
  <t:ExcludeConflicts>false</t:ExcludeConflicts>
  </t:MailboxData>
  </m:MailboxDataArray>
  <t:FreeBusyViewOptions>
  <t:TimeWindow>
  <t:StartTime>2014-04-03T00:00:00</t:StartTime>
  <t:EndTime>2014-04-10T00:00:00</t:EndTime>
  </t:TimeWindow>
  <t:MergedFreeBusyIntervalInMinutes>30</t:MergedFreeBusyIntervalInMinutes>
  <t:RequestedView>DetailedMerged</t:RequestedView>
  </t:FreeBusyViewOptions>
  </m:GetUserAvailabilityRequest>
  </soap:Body>
  </soap:Envelope>
  $ret = Execute-SOAPRequest $soap $url
  # Uncomment out one of the below two lines to get output in different alternative formats
  #$ret | Export-Clixml c:\temp\1.xml;Get-Content c:\temp\1.xml
  #$ret.InnerXml
  # If the request is successful, show the appointments, otherwise show the failure message
  If ($ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.ResponseMessage.ResponseClass -eq 'Success')
  $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.FreeBusyView.CalendarEventArray.CalendarEvent
  Else
  $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.ResponseMessage

  In this case, the SMTP domain is the same as the AD domain.  If the wrong domain were configured then the connection would never work, as opposed to sometimes work.
  RunspaceId            : abb30c12-c578-4770-987f-41fe6206a463
  ForestName            : adatum.local
  UserName              : adatum\availtest
  UseServiceAccount     : False
  AccessMethod          : OrgWideFB
  ProxyUrl              :
  TargetAutodiscoverEpr :
  ParentPathId          : CN=Availability Configuration
  AdminDisplayName      :
  ExchangeVersion       : 0.1 (8.0.535.0)
  Name                  : adatum.local
  DistinguishedName     : CN=adatum.local,CN=Availability Configuration,CN=Wayport,CN=Microsoft
                          Exchange,CN=Services,CN=Configuration,DC=contoso,DC=local
  Identity              : adatum.local
  Guid                  : 3e0ebc2c-0ebc-4be8-83d2-077746180d66
  ObjectCategory        : contoso.local/Configuration/Schema/ms-Exch-Availability-Address-Space
  ObjectClass           : {top, msExchAvailabilityAddressSpace}
  WhenChanged           : 4/15/2014 12:33:53 PM
  WhenCreated           : 4/15/2014 12:33:35 PM
  WhenChangedUTC        : 4/15/2014 5:33:53 PM
  WhenCreatedUTC        : 4/15/2014 5:33:35 PM
  OrganizationId        :
  OriginatingServer     : dc01.contoso.local
  IsValid               : True
  ObjectState           : Unchanged

• Cross Forest Migration from Exchange 2007 to Exchange 2013

  Hi
  Could anybody advice me the steps also the  pros and cons for below mentioned environment if we are going for the cross forest migration.
  Source 
  Domain -   test.local
  Active Directory -  Windows 2003
  Exchange Server - 2007
  Target
  Domain -   test.net
  Active Directory -  Windows 2012
  Exchange Server - 2013
  Also if it is possible ,
  How could I remove the source environment including the exchange servers. after the migration ?
  Regards
  Muralee

  Hi Oliver ,
  Please suggest us.               
   In my environment we are in a plan to migrate from exchange 2007 to exchange 2013 (cross forest migration).
  Source : Exchange 2007 with sp3 ru 10 
  Target : Exchange 2013 with cu2 ( new environment yet to be created).
  Trust : Forest trust in place (two way )
  Domain and forest functional level : 2003 in both target and source  
  Migration Steps :
  Step1 :
  We are in a plan to execute 'preparemoverequest.ps1' first in the target forest ,so that we will get the disable MEU
  in the target forest.
  Step2:
  Then we are going to use ADMT to migrate users SID'S and password .
  Step3:
  Then we are going to move the mailboxes with New-moverequest  
  Please have a look in to our steps and suggest us ,whether we are going to proceed the migration in a right way or not
  .Is anything needs to be changed please intimate me .
  Thanks 
  S.Nithyanandham 
  Hey there,
  Sorry for taking a little while to get back to you, i've been busy working on Hosted Lync deployments!
  Use ADMT first, then when using preparemoverequest.ps1 script using the -uselocalobject cmdlet. This will then tie it up to the ADMT migrated account.
  More info in this thread here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/2916e931-36a0-4ba4-8c04-196dbe792b44/preparemoverequestps1-and-admt?forum=winserverMigration
  Oliver
  Oliver Moazzezi | Exchange MVP, MCSA:M, MCITP:Exchange 2010,MCITP:Exchange 2013, BA (Hons) Anim | http://www.exchange2010.com | http://www.cobweb.com | http://twitter.com/OliverMoazzezi

• Exchange Migration from One domain to another domain on same forest

  Team, 
  we are in the process of migrating exchange infrastructure from one child domain to another child domain within same forest.
  root domain - root.com
  child domains - US.root.com and EMEA.root.com
  EMEA and US Domains setup are different from each other. Like EMEA has different email address policy , Email Flow than US , connectors etc.
  Now we need to migrate all emea users under US Domain. based on the geographical locations, we are building a new dc, mailbox , cas servers on EMEA location , but these servers will be part of US Domain.
  for CAS Servers - we are planing to register respective sites ( site affinity), so all the local requests will be handled by new cas server which is built under US Domain.
  Mailbox Servers - we would be creating new db's and the limits  on new mbx server and going to replicate as its on EMEA Mailbox server.
  can some one please let us know what are the precautions , recommendation, sequence which we need to follow to perform smoother migration. as of now , I can think of below topics.
  Mailbox Migration  -I  Have a script , which
  will take care of mailbox movement once the objects are being moved.
  Contacts Migration - Willard Martin blog helped me to perform migration
  DL Migration - I believe there is no mechanism to migrate DL. only option is to recreate.
  Email address Policy:we would be creating a new address policy and apply to OU's
  DB Consistency check – do we have to perform the health checks on source mailbox server to see , the servers are free from errors /corruption.
  Check outlook configuration - After the migration, we need to check and see , the exchange server/ auto discover works and identify the new exchange servers.
  Internal /External Email flow.- 
  Active Sybc , OWA
  Public folder Migration -
  Offline Address Book
  Certificates
  any help or suggestions would be great.
  Srinivasa K

  Hi Srinivasa,
  According to your description, I think you have done all the preparation.
  For DL migration, the following article may give your some hints:
  How to Migrate Distribution Groups Across a Forest
  Good Luck!
  Niko Cheng
  TechNet Community Support

• DNS configuration in two-domain forests

  hi all,
  We have a forest with two separate domains.First of all we had domain A. When we added the first domain controller for the second domain (B), a trust relationship was established and look fine. but then we realised DNS configuration was not nice and
  some replication issues came out.
  What we have done is setting up domain B zone as a secondary Zone in domain A, and viceversa.
  We configured primary zones to be able to be transferred to the Domain controllers in the other domain and also configured notifications.
  Even with this configuration, some times we check zones and find it empty but a single.
  Does anyone one if our configuration is the right one for our infrastructure? I have been loking in the internet for a manual or a document  regarding DNS configuration for this infrastructure, but I could not find it, Do you know of any manual or document?
  Thank you very much
  kind regards.
  David.

  Hi David,
  First, make sure that the TCP and UDP port 53 is not blocked. To verify it a port is blocked, please use the portqry.
  To download portqry, please click the link below,
  PortQryUI - User Interface for the PortQry Command Line Port Scanner
  http://www.microsoft.com/en-hk/download/details.aspx?id=24009
  If the port is not blocked, please check the serial number of the zone in both of the primary and secondary server.
  If serial number is the same at both the source and destination servers, no zone transfer occurs between the servers.
  To resolve this issue, please follow the steps blow,
  After you increase the serial number at the master server to a higher value than is used currently at the secondary server, initiate zone transfer at the secondary server.
  Increase the value of the serial number for the zone at the master server (source) to a number greater than the value at the applicable secondary server (destination).
  Here is an article about how to troubleshoot zone issues, it may be helpful.
  http://technet.microsoft.com/en-us/library/cc731210.aspx
  Besides, instead of creating scondary zone, we can add conditional forwarder on the DNS server.
  To add conditional forwarder, please refer to the link below,
  http://technet.microsoft.com/en-us/library/cc794735(v=WS.10).aspx
  Best Regards.
  Steven Lee
  TechNet Community Support

• How to copy table from database in one forest to a database in a different forest?

  Hello Community
      Using Wndows 2008 Server Enterprise there exists 2 Forests,
  each containing their own SQL Server 2008 installations, a scenario exists as follows:
       a)"Domain1" resides in "Forest1" which has SQL Server 2008 containing
           a database named "Database1" which contains a table named "Table1".
       b)"Domain2" resides in "Forest2" which also has SQL Server 2008
           but containing a database named "Database2"which contains a table
           named "Table2".
      I tried to use <domain_name>.<server_name>.<owner_name>.object
  but that syntax didn't work.
      How can I copy "Table2" from "Database2" into "Database1"
  (keeping in mind the databases are in different forests and domains)?
      Thank you
      Shabeaut

  Configuring a linked server might help you
  http://social.msdn.microsoft.com/Forums/sqlserver/en-US/329709ca-349d-490d-9b42-7443caa97364/how-to-created-linked-server-between-two-different-domains?forum=sqlsecurity
  OR
  Generate the schema with data of Table1 using scripting wizard under advance setup and execute the sql file in domain2.
  -Prashanth

• Can I add a two way trusted but in different forest domain to My existing Lync 2013 Topology !

  HI !
  We have an installed Lync 2013 Std Edt. setup and its working perfectly for one domain. Our network infrastructure ( LAN ) is being shared with our sister company. They have their own forest and domain and a two ways trust relationship with our domain. I
  want to add them in our Lync 2013 topology, is it possible ?? if yes, thn what are the requirements and which changes i need to consider.
  Response from experts would be greatly appreciated. 

  Yes, You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
  Also you can refer below link
  http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical

• Run two CA servers in one domain/forest

  When we migrated from Windows Server 2008R2 to Windows Server 2012R2 we decided to migrate the CA from the old server to the new one. The problem was that the new server had a different name and the migration was that simple. After a year that everything
  was running ok, we now have problem with the CA. From one day to another there are no certificate templates anymore and the service keep crashing. As I can't find the reason and the solution I would like to setup a new CA on a fresh server that only will run
  the CA and let this CA deploy all the certificates to the clients. Is it possible to make a new CA while the existing one is still there?

  Hi,
  You can install multiple root CAs in one forest..
  Multiple Root CAs in single forest / single domain
  https://social.technet.microsoft.com/Forums/en-US/796c9e93-c25d-46c5-bd7e-a54afb3b3264/multiple-root-cas-in-single-forest-single-domain?forum=winserversecurity
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

  I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest than our offices.  Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2.  We have set
  up two-way forest trusts with our office domains using selective authentication.  We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain.  On the
  server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain.  However, after
  installing a 2012 R2 domain controller in an office domain, we can not use the 2012 domain controller to browse to the objects in the licensing domain.  It never asks for credentials for the licensing domain when we specify the objects we want to add
  from the licensing domain.  I simply states that the object can not be found.  When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that
  is logged on and this is failing since this user has no rights in the licensing domain.  I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has.  Can somebody tell me why this is happening
  and how to correct it?

  Hi,
  Based on my research, this is a known issue in Windows Server 2012 R2.
  According to the article below: “The Selective Authentication feature of selective trusts is
  not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.
  Release Notes: Important Issues in Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn387077.aspx
  Best Regards,
  Amy Wang

• Use same ACS for multiple forests

  Is it posible to use one ACS appliance to authenticate users in different Windows forests ?
  It may be only possible when a trust relationship exists between the forests ?
  Gr.
  Remco

  Remco,
  Yes,trust is reqd. Other way is to set up proxy
  Cross-Forest Authentication
  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx#EE
  VAG
  In this set up we would need one more radius server and also need to set up proxy in it.
  Regards,
  ~JG
  Do rate helpful posts

• Can the SidHistory attribute be moved from one User account to a different User account in the same Forest/Domain?

  Hello,
  Can the SidHistory attribute be moved from one User account to a different User account in the same Forest/Domain manually with  Active Directory Users and Computers or with something like Powershell?  it would seem to me this is a safe operation.
  Thanks for your help! SdeDot

  Hi,
  In addition, please also take a look at the below thread:
  copy SIDHistory from one account to another in the same domain
  http://social.technet.microsoft.com/Forums/en-US/2ca8727c-b3fd-4ef8-9747-99295f0cd61c/copy-sidhistory-from-one-account-to-another-in-the-same-domain?forum=winserverDS
  Hope this helps
  Best regards
  Michael
  If you have any feedback on our support, please click
  here.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• ADFS single sign-on with office 365 and multiple forests

  I have 2 forests with one of them (Forest A) only running Exchange / Office 365 in hybrid mode. The other forest (Forest B) has my AD accounts for everyday user login and work. Is there a way to set up ADFS between these 2 forests in order for Forest B
  to achieve single sign-on to office 365? Today users have to login with separate office 365 accounts in order to access email and sharepoint. Short of migrating Forest A into Forest B and getting down to one forest / domain, is there anything else we can do
  to achieve single sign-on?

  Hi,
  Based on my research, we can have one ADFS farm servicing multiple forests, here are some related articles below for your references:
  Multi-forest and Multi-tenant scenarios with Office 365
  http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
  Hybrid Deployment Prerequisites
  http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
  SupportMultipleDomain switch, when managing SSO to Office 365
  http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx
  For more information about Office 365, I suggest you refer to Office 365 community below:
  http://community.office365.com/en-us/f/default.aspx
  Best Regards,
  Amy

• Multiple Forests SSO with BO Edge 3.1

  I have to setup and configure SSO on a 3.1 Edge with multiple forests. The setup looks like this right now.
  BO Servers (call it BOXIServer) are in one forest (call it BODomain.top.local)
  AD users and groups on another forest (call it UsersDomain.bottom.local)
  My plan is to create 2 service accounts. One service account to integrate the AD and start up SIA (Call it ADServiceSSO) and the Second service account to implement the Vintela (call it VintelaServiceSSO) as I used to do it on the single domain setup.
  The questions are:
  1.     Is it possible to get SSO to work with this type of configuration (I think I read somewhere that u201CWhen operating with multiple forests, the users must be created on the domain in which the BOE server residesu201D which is not what I have here!)?
  2.     Should I create the 2 service accounts on the forest where the BO server is (BODomain.top.local), or where the Users and groups are (UsersDomain.bottom.local)?
  3.     How would I formulate the setspn and ktpass commands on this type of configuration?
  Would it be true that I can create the 2 services account on BO Servers Forest (BODomain.top.local) and the commands would look like this:
  setspn.exe u2013A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO
  Ktpass.exe u2013princ HTTP/BOXIServer.BODomain.top.local@ BODomain.top.local   u2013mapuser VintelaServiceSSO@ BOXIServer.BODomain.top.local
  Or I can create the 2 services account on users and groups forest (UsersDomain.bottom.local) and the command would look like this:
  setspn.exe u2013A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO @ UsersDomain.bottom.local
  Ktpass.exe u2013princ HTTP/BOXIServer.BODomain.top.local@ BODomain.top.local   u2013mapuser VintelaServiceSSO@ UsersDomain.bottom.local
  Thank for your help
  Aws

  MF requires a 2-way transitive trust, so with this enabled there is no need to span forests with service accounts. 1 account in the same forest as the BO server is fine and straight forward to configure, although you are free to add more as you like.
  Everything else is dependent on the 2 way trust as DNS will have certain records for each other forest that will allow the CMS to query remote forest users and MF users to access the CMS resources. Which is what we want.
  The rules on groups is to put MF users in groups from their own forest and then map into BO, adding all users from multi forests int a single forest group may not work properly in our internal tests.
  The last piece seems to be a Microsoft limitation, but when accessing an SSO URL from a remote forest the FQDN must be used for SPN recognition. When the host name or IP is used the request for SPN is sent to the wrong forest and SSO fails.
  Regards,
  Tim