[ActiveDir] migration help

2006-12-29 Thread badhusha sd
Hi all

I have a Windows 2000 domain with 2 domain controllers and 3 file servers; the
user accounts are spread across all the servers (i.e. the Active Directory
accounts are added to the file server directory security to assign access to users
for folders and files). Now I am installing new servers for Windows 2003 and I
want to migrate the user accounts from Windows 2000 to Windows 2003. How do I
do it, what happens to the user accounts after migration, what happens to the
user accounts added to the file servers, and how do I retain the same user accounts
in the file server directory permissions?

Please give me a solution for a proper migration.

Thanks in advance.

Badhusha.s.d.

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: [ActiveDir] migration help

2006-12-29 Thread adriaoramos
How to upgrade Windows 2000 domain controllers to Windows Server 2003
http://support.microsoft.com/kb/325379/en-us






badhusha sd [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
29/12/2006 09:22
Please reply to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] migration help



RE: [ActiveDir] migration help

2006-12-29 Thread Almeida Pinto, Jorge de
In your case I would suggest an UPGRADE of the domain to W2K3 AD instead of a
migration to a NEW forest.

High-level steps are:
* use the W2K3 SP1 CD!
* update schema (only needed to introduce W2K3 DCs, not needed for W2K3 member
servers)
* introduce W2K3 DCs
* move stuff over from W2K DCs to W2K3 DCs
* demote and decommission W2K DCs
 
Also see, for additional information:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/What-information-is-available-when-UPGRADING-from-W2K_2F00_E2K-to-W2K3-_2800_R2_29002F00_E2K3_3F00_.aspx
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address




Re: [ActiveDir] migration help

2006-12-29 Thread badhusha sd
You're right, basically I had thought of it.

But the company has bought HP DL G4 servers for the new Windows 2003 DCs instead of the ML
530, so I have to use the DL G4 servers for the new installation.

How do I proceed?

Thanks



RE: [ActiveDir] migration help

2006-12-29 Thread Almeida Pinto, Jorge de
Please read the articles I mailed earlier.
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address




RE: [ActiveDir] migration help

2006-12-29 Thread Sakari Kouti
Hi badhusha,

I believe one of Jorge's points was that you can install new DCs (new
hardware and a new 2003 installation) into the existing domain, so you don't
create a new domain and don't have to migrate anything.

Then, after some intermediate steps, you can remove (with the proper steps)
the old 2000 DCs, and you are left with only the 2003 DCs.

Yours, Sakari



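Why Sakari's and Jorge's advice keeps the file-server permissions working: NTFS ACEs store an account's SID, not its name, so an in-place upgrade (same domain, same SIDs) leaves every ACE resolvable, while a new forest issues new SIDs. The following is an added model of that, not code from the list or from any Microsoft tool; the domain SIDs, account names and DACL are constructed, and the sIDHistory branch is an assumption about what a migration tool would have to carry over (the thread itself does not discuss it).

```python
"""Model of why an in-place upgrade keeps file-server ACLs intact.

Added example, not code from the thread. NTFS access control entries (ACEs)
store an account's security identifier (SID), not its name. An in-place
upgrade keeps the domain, so every SID survives; creating a new forest
issues new SIDs and leaves the old ACEs pointing at accounts that no longer
exist unless the old SID is carried in sIDHistory (assumption: a migration
tool feature the thread does not discuss). All SIDs, names and DACL entries
below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    sid: str
    sid_history: frozenset = frozenset()  # old SIDs kept by a migration tool


@dataclass(frozen=True)
class Ace:
    sid: str      # trustee, stored as a SID in the DACL
    rights: str   # e.g. "Modify" or "Read"


# Constructed sample data: the Windows 2000 domain and two user accounts.
OLD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

W2K_ACCOUNTS = (
    Account("alice", f"{OLD_DOMAIN_SID}-1105"),
    Account("bob", f"{OLD_DOMAIN_SID}-1106"),
)

# Constructed DACL on a shared folder of one of the three file servers.
PROJECTS_DACL = (
    Ace(f"{OLD_DOMAIN_SID}-1105", "Modify"),
    Ace(f"{OLD_DOMAIN_SID}-1106", "Read"),
)


def token_sids(account):
    """SIDs placed in the logon token: the account SID plus any sIDHistory."""
    return {account.sid} | set(account.sid_history)


def resolve_dacl(dacl, accounts):
    """Map each ACE's SID to the account whose token would match it, or None."""
    result = {}
    for ace in dacl:
        match = next((a.name for a in accounts if ace.sid in token_sids(a)), None)
        result[ace.sid] = match
    return result


def orphaned_aces(dacl, accounts):
    """ACEs no current account can satisfy (the GUI shows these as bare SIDs)."""
    return [sid for sid, name in resolve_dacl(dacl, accounts).items() if name is None]


def upgrade_in_place(accounts):
    """Adding W2K3 DCs to the existing domain changes nothing about the accounts."""
    return tuple(accounts)


def migrate_to_new_forest(accounts, new_domain_sid, keep_sid_history):
    """Create equivalent accounts in a new domain; each gets a brand-new SID.

    keep_sid_history models a migration tool copying the old SID into
    sIDHistory so that tokens still carry it.
    """
    migrated = []
    for rid, acct in enumerate(accounts, start=2000):
        history = frozenset({acct.sid}) if keep_sid_history else frozenset()
        migrated.append(Account(acct.name, f"{new_domain_sid}-{rid}", history))
    return tuple(migrated)


if __name__ == "__main__":
    scenarios = (
        ("in-place upgrade", upgrade_in_place(W2K_ACCOUNTS)),
        ("new forest, no sIDHistory", migrate_to_new_forest(W2K_ACCOUNTS, NEW_DOMAIN_SID, False)),
        ("new forest, with sIDHistory", migrate_to_new_forest(W2K_ACCOUNTS, NEW_DOMAIN_SID, True)),
    )
    for label, accts in scenarios:
        print(f"{label}: orphaned ACEs = {orphaned_aces(PROJECTS_DACL, accts)}")
```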


Re: [ActiveDir] migration help

2006-12-29 Thread Khurshid_Anwar
Return Receipt

Your document: Re: [ActiveDir] migration help
was received by: [EMAIL PROTECTED]
at: 12/29/2006 10:50:17 AM EST




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] migration help

2006-12-29 Thread Paul G. DaSilva
Happy holidays



Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread steve patrick

Hi Ken

Based on your mail you seem to have the following setup:

   F1                                   F2
   |                                    |
   M1--- ISA--- IIS---AppServer         UserA



UserA logs on to M1 and hits the IIS Server which needs to access AppServer 
with a proper token for UserA


In this scenario - constrained delegation will work ok.

Perhaps Joe was thinking of the docs which state you have to have the IIS 
Server and the AppServer in the same forest and domain?


steve



- Original Message - 
From: Ken Schaefer [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 4:58 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation


Hi Joe,

Thanks for your comments. Certainly using Basic is easier, and this is mostly
what they are doing at the moment. I say mostly because I wasn't entirely
upfront about the web server component in my original diagram. That is
actually several dozen different web applications - some of which do not have
an option to use Basic (either technical limitation -or- a security
standard). The aim of the project is to (a) see if transparent logons can be
made available to users (i.e. via IWA challenges) and (b) see if SSO can be
enabled (so users do not need to authenticate to different applications
behind the proxy) and (c) get away from Basic Auth. So I'm going to have to
keep looking at Kerberos related solutions :-)

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Joe Kaplan
: Sent: Wednesday, 20 December 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: My understanding is that you can get the actual protocol transition
: logon to
: work, but you cannot use delegation (which is what you really need)
: because
: PT is tied to constrained delegation and it only works in a single
: domain,
: not even in multiple domains in a forest.  Your understanding is
: basically
: correct.
:
: This is a documented limitation and not something I've played with
: personally, so I'm not sure if there is more to it than that.
:
: I honestly don't know if this can be made to work with unconstrained
: delegation/kerb auth in IIS, as I've never tried that either.  However,
: giving out unconstrained delegation privileges is a bit icky.
:
: This may be one of those situations where it is easier to just pass the
: plaintext credentials around between the tiers using basic auth/SSL and
: such.
:
: Joe
:
: - Original Message -
: From: Ken Schaefer
: To: ActiveDir@mail.activedir.org
: Sent: Tuesday, December 19, 2006 5:29 PM
: Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
:
:
: Hi Steve,
:
: Can you elaborate on this? I'm familiar with what S4U2self is for, but
: not
: sure how to tell whether I would need it or not. Are you saying below
: that
: protocol transition can be used cross-forest? I thought protocol
: transition
: was tied to constrained delegation (in a user/computer account's
: properties,
: on the delegation tab there is an option that says any protocol, but
: that's
: only available in the section for constrained delegation. If that's the
: case, then how can protocol transition work cross-forest?
:
: Cheers
: Ken
:
: --
: My Blog: www.adOpenStatic.com/cs/blogs/ken
:
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
: Sent: Wednesday, 20 December 2006 12:37 AM
: To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
: Cc: Ken Schaefer
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: If I understand your scenario correctly 
:
: In order for S4U2self ( protocol transition ) to work in this sceanrio
: you
: will need a 2 way forest  trust.
: If you do not need S4U2self you  can get by with the one way trust.
:
: steve
: -- Original message --
: From: Ken Schaefer [EMAIL PROTECTED]
:
:  Hi all,
: 
:  I am looking at a slightly tricky situation, at least for me - I'm
: sure
:  you
:  guys would find this a walk in the park :-)
: 
:  I have a situation where there are two forests (2003 Forest
: Functional
:  Level). Each contains a single domain. One domain is a resource
: domain
:  (DomainB), and the other contains the user accounts (DomainA). There
: is a
:  one-way forest trust, such that the resource forest/ domain trust the
: user
:  forest (and domain).
: 
:  The situation I have is as follows:
: 
:  Client --- ISA Server 2006 --- Web Server --- App Server
: 
:  The user that is logged on to the client is from DomainA. All the
: servers
:  belong to DomainB. The user's credentials need to be passed from the
: web
:  server back to the app server. So I could use Basic Authentication
: all the
:  way through. Or I can try to use Kerberos  delegation.
: 
:  Now, ISA Server can use protocol transition, so that Client --- ISA
:  Server
:  can be 
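The rules the posters state, encoded as a small decision model: Joe's point that Windows Server 2003 constrained delegation only works when both services are in one domain, and Steve's point that S4U2self (protocol transition) for a user from the other forest needs a two-way forest trust while a user arriving with a real Kerberos ticket only needs the one-way trust. This is an added example for checking a planned configuration, not the list's code and not the KDC's real logic; forest, domain and SPN names are constructed.

```python
"""Model of the cross-forest delegation rules discussed in this thread.

Added example, not from the thread and not the KDC's real logic. It encodes
two rules the posts state: (1) Windows Server 2003 constrained delegation
requires the front-end and back-end services to be in the same domain, and
(2) protocol transition (S4U2self) for a user from another forest needs a
two-way forest trust, while a user who arrives with a Kerberos ticket only
needs the resource forest to trust the account forest. Only the IIS to
AppServer hop is modelled. Forest, domain and SPN names are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Service:
    spn: str
    domain: str
    forest: str
    allowed_to_delegate_to: frozenset  # msDS-AllowedToDelegateTo (constrained list)
    any_protocol: bool                 # "Use any authentication protocol" setting


@dataclass(frozen=True)
class ForestTrust:
    trusting: str   # resource forest (F1 in the thread's diagram)
    trusted: str    # account forest (F2)
    two_way: bool


def evaluate_delegation(front_end, back_end, user_forest, trusts, client_sent_kerberos):
    """Return (allowed, reason) for front_end forwarding the user's identity to back_end."""
    if back_end.spn not in front_end.allowed_to_delegate_to:
        return False, f"{back_end.spn} is not in the constrained list of {front_end.spn}"
    if front_end.domain != back_end.domain:
        return False, "constrained delegation on W2K3 only works within one domain"
    trust = next((t for t in trusts
                  if t.trusting == front_end.forest and t.trusted == user_forest), None)
    foreign_user = user_forest != front_end.forest
    if foreign_user and trust is None:
        return False, f"{front_end.forest} does not trust {user_forest}"
    if client_sent_kerberos:
        # S4U2proxy: the KDC already has the user's service ticket as evidence.
        return True, "S4U2proxy using the client's Kerberos service ticket"
    if not front_end.any_protocol:
        return False, "client did not use Kerberos and protocol transition is not enabled"
    if foreign_user and not trust.two_way:
        return False, "S4U2self for a user from another forest needs a two-way forest trust"
    return True, "S4U2self to obtain a ticket for the user, then S4U2proxy"


# Constructed sample topology matching the thread: everything but the user in F1.
F1 = "resource.example"   # forest holding M1, ISA, IIS and AppServer
F2 = "accounts.example"   # forest holding UserA

APP = Service("HOST/app.resource.example", "resource.example", F1, frozenset(), False)
IIS = Service("HTTP/web.resource.example", "resource.example", F1,
              frozenset({APP.spn}), any_protocol=False)


def kens_scenario(two_way_trust, client_sent_kerberos, protocol_transition=False):
    """UserA from F2 hits IIS in F1, which must reach AppServer; F1 trusts F2."""
    iis = replace(IIS, any_protocol=protocol_transition)
    trusts = (ForestTrust(trusting=F1, trusted=F2, two_way=two_way_trust),)
    return evaluate_delegation(iis, APP, F2, trusts, client_sent_kerberos)


if __name__ == "__main__":
    print("IWA/Kerberos client, one-way trust:", kens_scenario(False, True))
    print("Basic client + PT, one-way trust:  ", kens_scenario(False, False, True))
    print("Basic client + PT, two-way trust:  ", kens_scenario(True, False, True))
```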

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread steve patrick

Wow, that turned out ugly, didn't it?

Basically it should have shown that all machines are in one domain in
Forest1 and the user account is in Forest 2, and F1 trusts F2.


Sorry for the long delay in replying also - I was on vacation ...

Happy New Year!

steve


[ActiveDir] OT MOM 2005 Install

2006-12-29 Thread Brian Desmond
Is there someone who has a MOM 2005 SP1 install and access to the SQL
server it's on that could ping me offlist? I don't have access to my
VMWare environment and I need the create script for a couple things. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 



Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread Joe Kaplan
That is what I was thinking of.  I couldn't find where I read that and went 
from memory.  Thanks for the clarification.


Joe K.
