DFS for user profiles, redirected folders and general shares

[XenosTech]

4 minutes ago, Falconevo said:

As long as the machine resides on the the same domain as the exchange system, you can install the management tool/role via the exchange setup and manage it with an administrative domain account.

However, fixing the error with management on the actual exchange host may be quicker.  Got any info on the error you are getting?

Even better a screenshot of it 

[Falconevo]

1 minute ago, XenosTech said:

Even better a screenshot of it 

Is this just from opening the exchange management shell or are you running a particular command to try and connect to a certain exchange server?

[XenosTech]

1 minute ago, Falconevo said:

Is this just from opening the exchange management shell or are you running a particular command to try and connect to a certain exchange server?

just opening the shell

[Falconevo]

2 minutes ago, XenosTech said:

just opening the shell

When you try and access outside of powershell via the exchange gui, does it return a WinRM http error?

[XenosTech]

2 minutes ago, Falconevo said:

When you try and access outside of powershell via the exchange gui, does it return a WinRM http error?

They don't have the gui installed just this power shell... been driving me bat shit crazy for a week now

[Falconevo]

Then just install the GUI from the setup, its just a management portal.

Check that IIS has all the application pools running on the exchange server and restart the Windows Remote Management service.

[XenosTech]

1 minute ago, Falconevo said:

Then just install the GUI from the setup, its just a management portal.

Check that IIS has all the application pools running on the exchange server and restart the Windows Remote Management service.

I don't want to install it, these clients are pretty bitchy about changing stuff even if would have fix 99% of their problems .-.

[Falconevo]

2 minutes ago, XenosTech said:

I don't want to install it, these clients are pretty bitchy about changing stuff even if would have fix 99% of their problems .-.

If they don't want you installing it on the exchange server directly, then install it on a different device and connect in to the exchange platform from another server/device.

Sorry buddy but tell who ever it is that you need tools to debug, those tools are not currently installed so don't expect a resolution.

[XenosTech]

1 minute ago, Falconevo said:

If they don't want you installing it on the exchange server directly, then install it on a different device and connect in to the exchange platform from another server/device.

Sorry buddy but tell who ever it is that you need tools to debug, those tools are not currently installed so don't expect a resolution.

At this point I'm starting not to care lol I'm not really cut out to be dealing with snobby people who don't wanna meet you halfway in fixing their shit but that's just me. There's another VM I was going to slap it onto but idk if it's gonna require a restart and can't restart that during production hours and no way in hell I'm working overtime on it to not be paid for it.

[leadeater]

@XenosTech Add yourself to the Exchange Organization Administrators AD group, that error looks like a lack of permissions.

[XenosTech]

4 minutes ago, leadeater said:

@XenosTech Add yourself to the Exchange Organization Administrators AD group, that error looks like a lack of permissions.

Add myself in AD or exchange ? Having a brain lapse atm

[leadeater]

2 minutes ago, XenosTech said:

Add myself in AD or exchange ? Having a brain lapse atm

AD, there's a few default groups that get created during Exchange install in AD.

[XenosTech]

1 minute ago, leadeater said:

AD, there's a few default groups that get created during Exchange install in AD.

I'll go fish for that and see what happens, be back in 5 mins

[XenosTech]

6 minutes ago, leadeater said:

AD, there's a few default groups that get created during Exchange install in AD.

Which one of these groups ?

[leadeater]

1 minute ago, XenosTech said:

Which one of these groups ?

Ah? Those the only ones that start with exchange? It's none of those.

[XenosTech]

1 minute ago, leadeater said:

Ah? Those the only ones that start with exchange? It's none of those.

Man I'm having a serious brain fart over here (not to self bring lunch to work again .-.)

 

[leadeater]

4 minutes ago, XenosTech said:

Which one of these groups ?

Should be Organization Management, https://technet.microsoft.com/en-us/library/dd335087(v=exchg.150).aspx.

 

Keep in mind that is the super admin group of exchange and it can do anything.

[leadeater]

2 minutes ago, XenosTech said:

Man I'm having a serious brain fart over here (not to self bring lunch to work again .-.)

Dw I forgot they changed the group names from Exchange 2010 to 2013.

[XenosTech]

3 minutes ago, leadeater said:

Dw I forgot they changed the group names from Exchange 2010 to 2013.

Welp that was a no go lol Still got the same error.

[leadeater]

1 minute ago, XenosTech said:

Welp that was a no go lol Still got the same error.

You logged out then back in? Windows doesn't refresh group memberships unless you do that (for most things).

[XenosTech]

6 minutes ago, leadeater said:

You logged out then back in? Windows doesn't refresh group memberships unless you do that (for most things).

Yup I even logged into the other account I saw in that group but i'll try again

 

 

Edit: And it still gives me the same error... will crack at this when I get home

Edited January 30, 2017 by XenosTech
Added stuff

[XenosTech]

14 hours ago, leadeater said:

You logged out then back in? Windows doesn't refresh group memberships unless you do that (for most things).

I'm thinking my best bet is to whack the management tools on another server... still getting that error

[XenosTech]

So I gots another question related to DFS @leadeater and @Falconevo

 

So this same environment... we're flipping out the domain name to something else.... if I wanted to put site 1 as alpha.google.com and site 2 as bravo.google.com, would that be an issue ? and is that even supported ? I'll go do my digging in the meantime just need extra clarity on this.

[Falconevo]

DFS 'can' stretch outside its domain but you would need to look in to two-way transitive trusts between domain infrastructures on each side.

 

Using your example;

 

Site A (alpha.google.com) >> Firewall >> VPN/MPLS << Firewall << Site B (bravo.google.com)

                                              \  Bi-Directional Domain Trust  /

 

I would not advise implementing this unless you are very familiar with domain trusts and have significant experience managing windows domains.  Considering your questions I would doubt this is the case (no offense intended)

 

Instead I would recommend this for starting out using the same domain prefix to handle both sides;

 

Primary Site  (alpha.google.com) >> Firewall >> VPN/MPLS << Firewall << Secondary Site (alpha.google.com)

                                                           \ DFS Active Directory Sync /

 

Primary Site - 2x Domain Controllers (FSMO Master on Site A)

Secondary Site - 2x Domain Controllers (15minute Sites&Services Sync)

 

This is directly reliant on the Site 2 Site VPN or Site to Site Transit (MPLS etc) being available for domain authentication.  Believe me when I say if you haven't had experience with this type of thing before, try and keep things as simple as possible.  It's a big subject a lot of people will have a different opinion than me, ADFS etc is another alternative but I doubt you will have ever heard of it let alone be familiar with it.

 

 

[XenosTech]

2 minutes ago, Falconevo said:

DFS 'can' stretch outside its domain but you would need to look in to two-way transitive trusts between domain infrastructures on each side.

 

Using your example;

 

Site A (alpha.google.com) >> Firewall >> VPN/MPLS << Firewall << Site B (bravo.google.com)

                                              \  Bi-Directional Domain Trust  /

 

I would not advise implementing this unless you are very familiar with domain trusts and have significant experience managing windows domains.  Considering your questions I would doubt this is the case (no offense intended)

 

Instead I would recommend this for starting out using the same domain prefix to handle both sides;

 

Primary Site  (alpha.google.com) >> Firewall >> VPN/MPLS << Firewall << Secondary Site (alpha.google.com)

                                                           \ DFS Active Directory Sync /

 

Primary Site - 2x Domain Controllers (FSMO Master on Site A)

Secondary Site - 2x Domain Controllers (15minute Sites&Services Sync)

 

This is directly reliant on the Site 2 Site VPN or Site to Site Transit (MPLS etc) being available for domain authentication.  Believe me when I say if you haven't had experience with this type of thing before, try and keep things as simple as possible.  It's a big subject a lot of people will have a different opinion than me, ADFS etc is another alternative but I doubt you will have ever heard of it let alone be familiar with it.

 

 

It's not really my area... I'm just doing research based on what info this guy passes along to me. I won't have any hand in setting this up other than building out the file servers and moving all the shares to them.