joeqwerty's questions

I have a cross forest trust between two Windows Server 2008 R2 domains/forests (domain and forest functional levels at Windows Server 2008 R2). Domains A and B are the forest root domains in their respective forests and domain C is the child domain of domain B.

A<->B--C

The trust is a two-way transitive forest trust configured with forest-wide authentication. When I look at the TDO objects in each domain I see that domainB has a TDO for domainA and domainC, but domainC only has a TDO for domainB. domainA likewise has a TDO only for domainB. I see the same thing reflected in Active Directory Domains and Trusts in each domain.

When selecting the "Log on to" dropdown on a domainC computer I only see domainB and domainC listed. When selecting the "Log on to" dropdown on a domainB computer I see domainB, domainC and domainA listed. When selecting the "Log on to" dropdown on a domainA computer I only see domainA and domainB listed.

Cross forest DNS name resolution works between all three domains via conditional forwarders between domainA and domainB and I can successfully query AD SRV records in domainA from domainC and vice versa.

Am I not understanding domain transitivity in a cross forest trust? Shouldn't the transitivity extend from domainC to domainA and vice versa?

Edit

Based on Ryan's answer:

I've started to think the same thing but I have no first hand experience with a Forest Trust where a child domain exists so I don't know for sure what I should be seeing. Even though transivity should exist betweem domains A and C that doesn't neccessarily imply "visibility". I've run nltest /dclist, nltest /dsgetdc and nltest /dnsgetdc and all return successfully from domains A to C and vice versa. The thing that has me puzzled is that when trying to add a user to a Domain Local group in domain A I can only see domain B in Locations and not domain C. That may be the expected behavior but it seems odd. for instance, if I wanted to add a domain C user to the Remote Desktop Users Domain Local group in domain A I can't get there because I don't see domain C in locations in domain A. There's no way to "nest" a domain C user in a domain B group and then add the domain B group to the domain A group (because of group scope). So if I want to grant access to domain C users to log onto RDS servers in domain A how would I achieve that?

I'm setting up several child domains in an existing Active Directory forest and I'm looking for some conventional wisdom/best practice guidance for configuring both DNS client settings on the child domain controllers and for the DNS zone replication scope.

Assuming a single domain controller in each domain and assuming that each DC is also the DNS server for the domain (for simplicity's sake) should the child domain controller point to itself for DNS only or should it point to some combination (primary VS. secondary) of itself and the DNS server in the parent or root domain? If a parent>child>grandchild domain hierarchy exists (with a contiguous DNS namespace) how should DNS be configured on the grandchild DC?

Regarding the DNS zone replication scope, if storing each domain's DNS zone on all DNS servers in the domain then I'm assuming a DNS delegation from the parent to the child needs to exist and that a forwarder from the child to the parent needs to exist. With a parent>child>grandchild domain hierarchy then does each child forward to the direct parent for the direct parent's zone or to the root zone? Does the delegation occur at the direct parent zone or from the root zone?

If storing all DNS zones on all DNS servers in the forest does it make the above questions regarding the replication scope moot? Does the replication scope have some bearing on the DNS client settings on each DC?

I'm trying to watch ICMP redirects in a lab using Cisco Packet Tracer (version 5.3.2) and I'm not seeing them, which leads me to believe that either my lab configuration isn't correct or my understanding of ICMP redirects isn't correct or that Packet Tracer doesn't support/use ICMP redirects. Here's what I believe to be true regarding ICMP redirects:

Routers send ICMP redirects when all of these conditions are met:

1. The interface on which the packet comes into the router is the same interface on which the packet gets routed out.

2. The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.

3. The datagram is not source-routed.

4. The router kernel is configured to send redirects.

I have the lab set up in Cisco Packet Tracer as displayed in the image and would expect to see an ICMP redirect from Router1 when pinging from PC1 to PC3. I'm not seeing the ICMP redirect and it looks like Router1 is actually routing all of the packets via Router2. I have IP ICMP debugging enabled on Router1 (and Router2) and I'm not seeing any ICMP redirect activity in either console. I'm also not seeing a route to the PC3 network in the routing table on PC1, which I think confirms that the ICMP redirect is not occurring. I'm using only static routing on Routers 1 and 2. Is my understanding of ICMP redirects incorrect, or is there a problem with my lab configuration or does Packet Tracer not support/use ICMP redirects?

Related to this question: When building a storage area network, do storage administrators generally create the physical disk arrays based on I/O type (sequential versus random access) and provision LUN's from those arrays to hosts needing that particular type of I/O?

I'm running vSphere 5 in an HA cluster across two hosts (vsphereA and vsphereB). I have the HA cluster configured for host monitoring and datastore heartbeat monitoring with admission control disabled (hopefully I rightfully understand that datastore heartbeat monitoring prevents inadvertent and unwanted HA failovers due to management network isolation). Each host has a single connection to a dedicated iSCSI network and iSCSI target (no MPIO). All vmdk's for all VM's exist on the iSCSI datastore. As a test of HA I disconnected the iSCSI connection on vsphereB and was surprised to see that the running VM's on vsphereB continued to run on vsphereB. The powered off VM's were showing as inaccessible (which I expected due to the fact that they weren't running and the connection from vsphereB to the iSCSI target was severed) but the running VM's continued to run and continued to be "owned" by vsphereB. I expected to see an HA failover occur for those VM's and expected to see them "owned" by vsphereA after the HA failover (which didn't occur). I'm at a loss to understand why an HA failover didn't occur for those VM's. Am I misunderstanding in which cases an HA failover should occur?

This Saturday evening we're going to be replacing our existing Windows Server 2003 domain controllers/dns servers with Windows Server 2008 R2 domain controllers/dns servers. The current forest and domain functional levels are Windows Server 2003 and I've already run adprep /forestprep and adprep /domainprep /gprep from the W2K8R2 media on the existing schema operations master. I've also installed the AD DS bits on the new servers but haven't run DCPROMO yet. Our AD DNS zones are AD integrated.

Is there any reason not to go a step further and "pre-stage" the new servers by running DCPROMO now? We won't be cutting over to them until this Saturday evening but I don't see any harm in getting as close as possible in our preparations before then.

In looking at the AD partitions using ADSIEdit I see that both the Domain partition and the DomainDnsZones partitions have a DC=RootDNSServers container which both contain objects of dnsNode class representing the Root Hint servers. I have two questions about this:

1. Why are the Root Hints being stored in AD? I always understood that they were loaded from the "C:\Windows\System32\dns\cache.dns" file.

2. Why are they stored in both the Domain and the DomainDnsZones partitions?

I'm trying to write a database backup statement that will overwrite the existing backup but I'm not having any luck. I've tried various combinations of the INIT, FORMAT, and RETAINDAYS =x clauses but the backup seems to always append to the existing file instead of overwriting/recreating it.

What is the correct statement to use to achieve this?

I'm attempting to build my first iSCSI storage area network, using openfiler version 2.99 as an iSCSI target. I want to present storage to both vSphere 5 and Windows Server 2008R2 Hyper-V as datastores for my virtual machines. I'm assuming that since I'll be setting up openfiler as an iSCSI target that I need to present a different LUN each to vSphere and to Hyper-V. I'm trying to create two primary physical partitions/volumes on a single 2TB HDD in order to create two volumes/volume groups, one for vSphere and one for Hyper-V. After creating the first physical partition/volume using roughly half of the available space on the HDD I try to create a second physical partition/volume with the remaining space but the GUI does nothing and I see only the first physical partition/volume that I created. Due to the fact that my understanding of the subject is sparse (which is why I'm undertaking this) I have no idea if what I'm experiencing is due to a bug in openfiler or due to a lack of understanding on my part. If someone could chime in and point me in the right direction I'd appreciate it.

Below are screen snips illustrating the issue. The first snip is how things look before I create the first physical partition/volume and the second snip is what I see after trying to create the second physical partition/volume (after the first physical partition/volume has been created). The GUI keeps coming back showing the same thing but never creates the second physical partition/volume.

EDIT

Even though I seem to have configured openfiler to meet my objective, I didn't accomplish it by creating multiple physical partitions/volumes on the HDD. Here's how I did it:

I created a single physical partition/volume from the HDD, created a single volume group, then created two volumes in the volume group. Once that was accomplished I created two iSCSI targets and mapped a LUN to each iSCSI target for each volume, one for my vSpehere host and the other for my Hyper-V host. I've now successfully added each target as a datastore on the appropriate host.

Which begs the question: Shouldn't I be able to create multiple physical partitions/volumes on a single HDD? The openfiler tutorials that I've read describe doing this exact thing, yet I'm unable to work out how to do it.

Is a UPN suffix case sensitive? Is it possible to have identically named UPN suffixes distinguished only by case?

While running a network capture when performing an nslookup for bgsu.edu, I noticed that my DNS server was not querying for the SOA record for bgsu.edu. Here's the order of operations that I see in my capture:

1. My DNS server issues an A record query to one of the root hint servers for bgsu.edu.

2. The root hint server returns a list of NS records for the gTLD servers.

3. My DNS server issues an A record query to one of the gTLD servers for bgsu.edu.

4. The gTLD servers returns a list of NS records for bgsu.edu.

5. My DNS server issues an A record query to one of the name servers returned in step 4 for bgsu.edu.

6. The name server for the domain in question returns the A record information for bgsu.edu.

So my question is: Does my DNS server not need to query for the SOA record for the domain in question first? If not, then how exactly are SOA records used? Which name servers query for the SOA record? Do the gTLD servers query for the SOA record, and therefore, I don't see this in my capture? My understanding is that the SOA holds a list of the NS records, so shouldn't the SOA be the first record queried?

We're running a Terminal Server farm in a Windows 2003 Domain, and I found a problem with the Software Restrictions GPO settings that are being applied to our TS servers. Here are the details of our configuration and the problem:

All of our servers (Domain Controllers and Terminal Servers) are running Windows Server 2003 SP2 and both the domain and forest are at Windows 2003 level. Our TS servers are in an OU where we have specific GPO's linked and have inheritance blocked, so only the TS specific GPO's are applied to these TS servers. Our users are all remote and do not have workstations joined to our domain, so we don't use loopback policy processing. We take a "whitelist" approach to allowing users to run applications, so only applications that we approve and add as path or hash rules are able to run. We have the Security Level in Software Restrictions set to Disallowed and Enforcement is set to "All software files except libraries".

What I've found is that if I give a user a shortcut to an application, they're able to launch the application even if it's not in the Additional Rules list of "whitelisted" applications. If I give a user a copy of the main executable for the application and they attempt to launch it, they get the expected "this program has been restricted..." message. It appears that the Software Restrictions are indeed working, except for when the user launches an application using a shortcut as opposed to launching the application from the main executable itself, which seems to contradict the purpose of using Software Restrictions.

My questions are: Has anyone else seen this behavior? Can anyone else reproduce this behavior? Am I missing something in my understanding of Software Restrictions? Is it likely that I have something misconfigured in Software Restrictions?

EDIT

To clarify the problem a little bit:

No higher level GPO's are being enforced. Running gpresults shows that in fact, only the TS level GPO's are being applied and I can indeed see my Software Restictions being applied. No path wildcards are in use. I'm testing with an application that is at "C:\Program Files\Application\executable.exe" and the application executable is not in any path or hash rule. If the user launches the main application executable directly from the application's folder, the Software Restrictions are enforced. If I give the user a shortcut that points to the application executable at "C:\Program Files\Application\executable.exe" then they are able to launch the program.

EDIT

Also, LNK files are listed in the Designated File Types, so they should be treated as executable, which should mean that they are bound by the same Software Restrictions settings and rules.