Re: Site to Site communication
- From: "Luke Packard [MSFT]" <lukep@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 30 Mar 2005 19:37:59 -0800
>> The text "if Microsoft Windows Server™ 2003 Active Directory is using the
>> interim domain functional level, you must specify user accounts as
>> addresses for site-to-site communications to work." does not say it but
>> implies that you would also need a forest transitive trust setup or you
>> will have to specify user accounts for site addresses (for site to site
>> communication).
Your forests must be at Windows 2003 functional level and have a transitive
forest trust between them for you to be able to use machine accounts for
site addresses (for site to site communication). If you have Windows 2003
functional level but don't have a forest trust, or you have any other
functional level, you must use user accounts for site addresses.

Whether or not your schema is extended in either forest is not relevant for
site to site communication.
--
Luke Packard [MSFT]
SMS 2003 Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
SMS 2003 Scenarios and Procedures Planning and Deployment Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyId=E0644BB4-2336-4254-8A18-9BC180713F7E&displaylang=en.
SMS 2003 Scenarios and Procedures: Security Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4376-a72d-fd34a6c4a44c&DisplayLang=en
This posting is provided "AS IS" with no warranties, and confers no rights.
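The two preconditions Luke states above (forest functional level at Windows Server 2003 or later, plus a transitive forest trust to the other forest) can be verified before you decide between machine and user accounts for the site addresses. The following PowerShell script is an added example by the editor; it is not from this thread, from Microsoft, or from the SMS documentation. It assumes it runs on a domain-joined Windows host in the local forest, as a user permitted to read trust information, and that the hypothetical `$RemoteForest` parameter is the DNS name of the other forest.

```powershell
# Added example (editor-supplied; not from this thread or from Microsoft).
# Checks the two preconditions for using site server machine accounts as
# SMS 2003 site addresses across forests and reports whether user accounts
# must be designated instead.
#
# Assumptions: run inside the local forest on a domain-joined host by a user
# who can read forest trust information; $RemoteForest (hypothetical
# parameter) is the DNS name of the other forest.
param(
    [Parameter(Mandatory = $true)]
    [string]$RemoteForest
)

$local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Precondition 1: forest functional level at least Windows Server 2003.
# Windows2000Forest and Windows2003InterimForest both sit below it; the
# interim level is the case the S&P guide text quoted above warns about.
$required = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
$levelOk  = [int]$local.ForestMode -ge [int]$required

# Precondition 2: a forest (transitive) trust with the remote forest.
# An external trust is not transitive, so only TrustType Forest counts.
$forestTrustType = [System.DirectoryServices.ActiveDirectory.TrustType]::Forest
$trust = $local.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -ieq $RemoteForest -and $_.TrustType -eq $forestTrustType } |
    Select-Object -First 1
$trustOk = $null -ne $trust

"Local forest     : {0}" -f $local.Name
"Functional level : {0} (Windows2003Forest or later: {1})" -f $local.ForestMode, $levelOk
if ($trustOk) {
    "Forest trust     : {0} -> {1} ({2})" -f $trust.SourceName, $trust.TargetName, $trust.TrustDirection
} else {
    "Forest trust     : none to {0}" -f $RemoteForest
}

# Rule from the post above: both conditions hold -> machine accounts may be
# used (user accounts remain allowed); otherwise site addresses need user
# accounts. The other forest must meet the same level; rerun this there.
if ($levelOk -and $trustOk) {
    "Result: site server machine accounts may be used for site addresses to $RemoteForest."
} else {
    "Result: designate a user account for each site address to $RemoteForest."
}
```

Run it once in each forest, since the functional level check is per forest. With the RSAT ActiveDirectory module installed, `Get-ADForest` (the `ForestMode` property) and `Get-ADTrust -Filter *` (the `ForestTransitive` and `Direction` properties) expose the same information as the .NET calls used here.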
"Richard" <Richard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B0472A25-3DA1-4BF8-833F-441DFCC3FF16@xxxxxxxxxxxxxxxx
> Luke,
>
> I gave false info below. I spoke to our AD admin, and he states that our
> local forest is running in Windows 2000 native mode because we have a few
> DCs running Windows 2000 Server at remote offices. All others are running
> Windows 2003 Server.
>
> The other forest has all Windows 2003 DCs, but is currently set to the
> default Windows 2000 mixed mode. We should be able to move the forest
> functional level to Windows 2003. How does this affect the below?
>
>
> "Richard" wrote:
>
>> Luke,
>>
>> Well, actually I was looking at pg. 263 of the Concepts, Planning, and
>> Deployment Guide (SMSCPDG.pdf) instead of the S&P Planning and Deployment
>> Guide. I just opened up this S&P and looked at pg. 22 and it states the
>> same things you quoted.
>>
>> It states on pg. 22, "if Microsoft Windows Server™ 2003 Active Directory
>> is using the interim domain functional level, you must specify user
>> accounts as addresses for site-to-site communications to work." I think
>> this is what you were referring to as 'cross forest site to site and
>> Windows Server 2003 domains being misleading'. I should have mentioned
>> this more clearly, but we do not want to use a forest transitive trust
>> because each forest is being managed separately by different IT people.
>>
>> Since both forests are running Windows 2003 AD, you are stating that we
>> can use user accounts so we don't have to create a forest trust?
>>
>> All DCs are running Windows 2003 Server so both forests are a "pure"
>> (native?) W2k3 AD domain environment.
>>
>> We decided not to extend the schema for SMS, so not sure if that will
>> create problems for us?
>>
>>
>>
>> "Luke Packard [MSFT]" wrote:
>>
>> > Sorry. I realize it's in the S&P Planning guide (as you have
>> > discovered).
>> >
>> > The text is misleading and/or wrong in some places. You can designate
>> > user accounts for site to site communication whether in standard or
>> > advanced security, if the sites are in one or multiple forests, and
>> > whether the sites are primary or secondary.
>> >
>> > The text on page 22 that says "A child secondary site cannot attach to
>> > a parent in a different forest" is not correct. Child sites can indeed
>> > attach to parent sites in a different forest; they just can't do
>> > automatic secure key exchange, which would require they be in the same
>> > forest. If secure key exchange is disabled then they can join without
>> > problem. I will ensure the documentation is updated in the next
>> > release.
>> >
>> > This is the case regardless of the domain OS version. The text about
>> > cross forest site to site communication and Windows Server 2003 domains
>> > is a bit misleading. If you have Windows Server 2003 domains you can
>> > set up a forest trust between them and then use site server machine
>> > accounts for site to site communication instead of using user accounts.
>> > You can still use user accounts if you want though.
>> >
>> > I don't see the text you're referring to on page 263. I see it on page
>> > 22.
>> >
>> > --
>> > Luke Packard [MSFT]
>> >
>> > SMS 2003 Technical FAQ:
>> > http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
>> > SMS 2003 Scenarios and Procedures Planning and Deployment Guide:
>> > http://www.microsoft.com/downloads/details.aspx?FamilyId=E0644BB4-2336-4254-8A18-9BC180713F7E&displaylang=en.
>> > SMS 2003 Scenarios and Procedures: Security Guide
>> > http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4376-a72d-fd34a6c4a44c&DisplayLang=en
>> >
>> > This posting is provided "AS IS" with no warranties, and confers no
>> > rights.
>> >
>> > "Richard" <Richard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:BFC4E643-8242-4494-85D0-C9363CF0E6D6@xxxxxxxxxxxxxxxx
>> > > Luke,
>> > >
>> > > Sorry for the long delay. I can't find this info in the Scenarios
>> > > and Procedures security doc. Can you show me where it is? I did a
>> > > scan for forests and other and couldn't find the info. I need to show
>> > > to my supervisor before I proceed with this.
>> > >
>> > > So even though it states on Pg. 263 of the SMS 2003 Concepts,
>> > > Planning, and Deployment Guide "Site-to-site communications have
>> > > limitations across forests. A child primary site in one forest can
>> > > attach to a parent in a different forest. A child secondary site
>> > > cannot attach to a parent in a different forest.", there is actually
>> > > a way around this without creating a two-way transitive forest trust?
>> > > Meaning that a secondary site can communicate with a parent/primary
>> > > site in a different forest w/o the forest trust?
>> > >
>> > > Thanks for all your help with this.
>> > >
>> > > Richard
>> > >
>> > > "Luke Packard [MSFT]" wrote:
>> > >
>> > >> Secondaries or Primaries can talk to other sites in different
>> > >> forests whether they are in standard or advanced security. In
>> > >> advanced security you will need to designate a user account for the
>> > >> site address (sender) unless you have a forest trust. The URL I sent
>> > >> is to the SMS 2003 FAQ, which won't necessarily have this info. I
>> > >> think you can find it in the Scenarios and Procedures security doc
>> > >> up on
>> > >> http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4376-a72d-fd34a6c4a44c&DisplayLang=en
>> > >>
>> > >> --
>> > >> Luke Packard [MSFT]
>> > >>
>> > >> SMS 2003 Technical FAQ:
>> > >> http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
>> > >>
>> > >> This posting is provided "AS IS" with no warranties, and confers no
>> > >> rights.
>> > >>
>> > >> "Richard" <Richard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > >> news:530CED40-F05C-43B1-9412-BA6837F297C3@xxxxxxxxxxxxxxxx
>> > >> > Luke,
>> > >> >
>> > >> > "A child secondary site cannot attach to a parent in a
>> > >> > different forest." Is this still the case?
>> > >> > If not, can a primary site communicate with another primary in a
>> > >> > different forest?
>> > >> >
>> > >> > Just to clarify, you are saying that sites can communicate across
>> > >> > forests using machine or user accounts. If we are going to run
>> > >> > everything in Advanced Security mode, which uses the Local System
>> > >> > account, will this still work?
>> > >> >
>> > >> > Also, in the URL you sent, where can I find the info you are
>> > >> > referring to?
>> > >> >
>> > >> >
>> > >> > "Luke Packard [MSFT]" wrote:
>> > >> >
>> > >> >> Sites can communicate cross forest using machine or user
>> > >> >> accounts. What is not supported is client regional roaming cross
>> > >> >> forest, because the client will not be able to talk to the Proxy
>> > >> >> MP.
>> > >> >>
>> > >> >> --
>> > >> >> Luke Packard [MSFT]
>> > >> >>
>> > >> >> SMS 2003 Technical FAQ:
>> > >> >> http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
>> > >> >>
>> > >> >> This posting is provided "AS IS" with no warranties, and confers
>> > >> >> no
>> > >> >> rights.
>> > >> >>
>> > >> >> "Serge Berat" <srgbrt@xxxxxxxxxxx> wrote in message
>> > >> >> news:%23M%23xr0aJFHA.3332@xxxxxxxxxxxxxxxxxxxxxxx
>> > >> >> > Hi,
>> > >> >> >
>> > >> >> > Just a little guessing here, but couldn't this be tackled with
>> > >> >> > a two-way transitive forest trust? A two-way forest trust
>> > >> >> > between two forests allows members from either forest to
>> > >> >> > utilize resources located in the other forest; domains in each
>> > >> >> > respective forest trust domains in the other forest implicitly.
>> > >> >> > Of course such a forest trust can only be created between two
>> > >> >> > Windows 2003 forests.
>> > >> >> >
>> > >> >> > Serge
>> > >> >> >
>> > >> >> > "Richard" <Richard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > >> >> > news:913F81F2-CF30-401D-ABEF-82860A352567@xxxxxxxxxxxxxxxx
>> > >> >> >> Stan,
>> > >> >> >>
>> > >> >> >> Rinus read that "A child secondary site cannot attach to a
>> > >> >> >> parent in a different forest."
>> > >> >> >>
>> > >> >> >> Is this still the case with SMS 2003 SP1? So separate from the
>> > >> >> >> security mode (we are going with both Advanced Security), I
>> > >> >> >> can't create a regular secondary site in a different forest
>> > >> >> >> than where our central/primary/parent site is?
>> > >> >> >>
>> > >> >> >>
>> > >> >> >> "Stan White [MS]" wrote:
>> > >> >> >>
>> > >> >> >>> It is not supported primarily because of the proxy MP
>> > >> >> >>> scenario.
>> > >> >> >>> The proxy MP connects directly to the SQL server at the
>> > >> >> >>> parent site.
>> > >> >> >>> The machine account is a problem in that scenario.
>> > >> >> >>>
>> > >> >> >>> --
>> > >> >> >>> --
>> > >> >> >>> Stan [MSFT]
>> > >> >> >>> --
>> > >> >> >>> --
>> > >> >> >>> This posting is provided "AS IS" with no warranties, and
>> > >> >> >>> confers no
>> > >> >> >>> rights.
>> > >> >> >>> --
>> > >> >> >>> --
>> > >> >> >>>
>> > >> >> >>> "Rinus" <Rinus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > >> >> >>> news:EB415DFC-68F1-4E79-80C7-C2236731DCEF@xxxxxxxxxxxxxxxx
>> > >> >> >>> > I've read the document S&P-Planning and Deployment and it's
>> > >> >> >>> > still not clear to me.
>> > >> >> >>> >
>> > >> >> >>> > It says: A child primary site in one forest can attach to a
>> > >> >> >>> > parent in a different forest. A child secondary site cannot
>> > >> >> >>> > attach to a parent in a different forest.
>> > >> >> >>> >
>> > >> >> >>> > Is this dependent on the security mode? Is it possible to
>> > >> >> >>> > have a child secondary site in a different forest when SMS
>> > >> >> >>> > is operating in the standard security mode?
>> > >> >> >>> >
>> > >> >> >>> > I ask this because we want to implement SMS in two forests.
>> > >> >> >>> > We are migrating to a new forest, forest A, but this will
>> > >> >> >>> > take some time. In the mean time we want to be able to
>> > >> >> >>> > distribute software with SMS. We are planning to install
>> > >> >> >>> > the central site in forest A and the child secondary sites
>> > >> >> >>> > in forest B. When the forest migration is completed we want
>> > >> >> >>> > to move the servers that have the child secondary sites
>> > >> >> >>> > from forest A to forest B and switch to the advanced
>> > >> >> >>> > security mode.
>> > >> >> >>> >