KCC

i encountered problem in iis7 after disabled "anonymous authentication" , enabled "integrated window  authentication". hopefully helps encountered same issue. kb article link:  http://support.microsoft.com/kb/215383 check ntauthenticationproviders iis metabase property, if set default "negotiate,ntlm" . c:\inetpub\adminscripts>cscript adsutil.vbs w3svc/ntauthenticationproviders set ntauthenticationproviders iis metabase property "ntlm". c:\inetpub\adminscripts>cscript adsutil.vbs set w3svc/ntauthenticationproviders "ntlm" Windows Server  >  Security

hi all, i have working ipsec policy secures communication web servers clients. the web servers behind nlb (not ms). the rules configured on servers : rule name, protocol, src port, dst port any <-> webserver1, tcp, any, 80 any <-> webserver1,  tcp, any, 443 any <-> webserver2,  tcp, any, 80 any <-> webserver2,  tcp, any, 443 any <-> webnlb,  tcp, any, 80 any <-> webnlb,  tcp, any, 443 on client rules same. both rules in request mode. the policy works great people syn_sent when accessing servers. we checked rules , oakley.log seems fine. we check server's ipsec monitor , saw sa computers, same on clients. when changed ip address of 1 of problematic clients worked ! when changed back, still working... i have no clue... can help? assaf miron http://assaf.miron.googlepages.com Windows Server

hi there, disable toe/tcp chimney - of these options should disabled please?  (windows server 2012 r2 - vmxnet3) ipv4 checksum offload ipv4 tso offload large send offload v2 (ipv4) large send offload v2 (ipv6) offload ip options offload tcp options tcp checksum offload (ipv4) tcp checksum offload (ipv6) udp checksum offload (ipv4) udp checksum offload (ipv6) :-) hi ran, this article has steps disable netwrok card properties , regedit well. update turn off snp features windows server 2003 , windows sbs 2003 go each nic card properties -> advanced tab. change ipv4 checksum offload none , large send offload disable. but article says not disabling tcp ip, decide not to. tcp offloading/chimney & rss…what , should disable it? regards, satyajit please “vote as helpful” if find contribution useful or “mark answer” if answer question. encourage me - , others - take time out you.

my scenario: i have ds3400 disk system dual controller fibre channel storage equipped 2 controllers each equipped 2 4-gbps fc ports, total of 4 fc ports. then have 4 servers each equipped 1 ibm 4-gbps fc single-port pci-e hba card. i'm trying setup windows 2012-r2 hyper-v cluster. it sufficient connect each server 1 of 4 fc ports of ds3400 or need sort of fc switch obtain fact if 1 storage's controller crash cluster still obtain access storage ? thank support ! ivano c. ivano carrara " what "fc clusters" expecially ? " a failover cluster uses fibre channel storage. okay, looking @ configuration, not able configure highly available fc cluster.  apologize. glanced @ configuration first time , did not read details. " servers each equipped 1 ibm 4-gbps fc single-port pci-e hba card " each server need 2 hbas each server can connect both fc controllers in storage array.  need configure mpio on each server. in environme

i installed windows server core rc1 , installed microsoft virtual server 2005 r2 on cannot create virtual machines.  when go 1 of other server's have windows 2008 full installation on go hyper-v role , connect server core , select new -> virtual machine error reads:  error occurred while attemting open following form:  new virtual machine wizard.  hardware checks out fine.  there else should doing?  appreciated , if need more info me solve problem please let me know.   thanks in advance, tyrone it depends on the version of windows server 2008 you've installed. (assuming you've used same x64 rc1 media both servers since you're talking 'bout hyper-v instead of wsv , you've got hyper-v console , running on full installation...) if you're using windows server 2008 rc1 hyper-v/wsv v.667 this version allows installation of hyper-v on full installations of windows server 2008. server core boxes could install virtual server 2005 , it's unsupp

2 x w2k3 servers dfs replication partners , 1 of servers dfs service had been stopped few weeks .... server has updates users not updating files on server b ... if start dfs service on server a, has many files deleted still exist on server b, dfs replication replicate files server b server a? thx! feel confident server b receive new files server i'm worried older files no longer exist on server .. don't want them replicate , i'm not 100% of every file & folder changes or deletions. what expected behavior when dfs service starts on server again? rr dfs replication uses "last-writer wins" method determining version of file keep when file modified on 2 or more members. losing file stored in conflict , deleted folder on member resolves conflict. conflict , deleted folder can used store files deleted replicated folders. so in case, files on server b deleted on server moved conflict , deleted folder.  to make sure deleted, please try abov

dear mates...... i have windows server 2008 r2 active directory in organization.... now need apply desktop wall paper users login ad also want set default home page in internet explorer .........which organizations internal webpage........ so kindly me how can  do through group policy ..... i have default group policy ........ thnx in advance istiaq hi, first of all, perfer create ous users , apply gpo instead of default gpo. to apply disktop wallpeper through gpo: user configurations --> policies --> administrative tamplates --> desktop --> desktop and enable disktop wallpeper , make sure users have picture on same local directory or it's available on network share. to set default home page on internet explorer: user configurations --> preferances --> control panel settings --> internet settings and create new iex version , put home page (don't forget hit f5 when type home page because , make sure underline changed green)

sfc scan shows integrity issues.  dism command returns: error: 0x800f0907 dism failed. no operation performed. more information, review log file. i've tried dism online repair, specified local source, i've used install.wim iso, i've disabled use of windows update dism in local group policy.  nothing allows dism work properly. this came because ie continually gives errors can't download , gives , error , snow balled windows updates searches forever. i'd try to repair .net https://www.microsoft.com/en-us/download/details.aspx?id=30135 or repair install running setup.exe from root of install media.     regards, dave patrick .... microsoft certified professional microsoft mvp [windows server] datacenter management disclaimer: posting provided "as is" no warranties or guarantees, , confers no rights. Windows Server

we have gpo defines password expiry warning being default 14 days. changed 10 days, it's not working still prompted 14 days ahead. any idea how can find out why happening? hi, i confirm if password gpo linked on domain level? the password policies settings in group policy applied @ domain level only. otherwise, need use fine-grained password policies. for more information, please refer following microsoft technet articles: domain level account policies http://technet.microsoft.com/en-us/library/cc748850(v=ws.10).aspx ad ds: fine-grained password policies http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx for more troubleshooting information, please refer following microsoft technet article: troubleshooting group policy problems http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx regards, arthur li technet community support Windows Server

have problem on 1 of servers running w2k3 enterprise sp2. i'm attempting setup performance counter in performance console, of performance object names , names of counters in list appearing numbers. additionally, opening explain option not display text when counter selected. have ideas? hi, you have to rebuild performance counters. if server not have other applications specific counters (for example sql), must run command: lodctr /r see here details , explanations:  http://support.microsoft.com/kb/300956 have nice day! masterplan - mcse,mcitp-ea http://winmasterplan.blogspot.com Windows Server  >  Management

hi folks, we planning consolidate 2 forest 1 forest have few questions around migration. considering use admt if possible. 1. how user profiles migrated when user 1 forest moved 2nd forest. understand guid of user change? need migrate user profile? 2. how migrating computer object new forest? require domain join them? 3. enable cross forest sid history resource access between source , target forest. there checklist available cross-forest migration can refer prepare. regards, navdeep 1. how user profiles migrated when user 1 forest moved 2nd forest. understand guid of user change? need migrate user profile? profiles can migrated on server or computer old domain new 1 - update profiles acls. 2. how migrating computer object new forest? require domain join them? no. can migrate them using admt , restart them twice. 3. enable cross forest sid history resource access between source , target forest. there checklist available cross-forest migration can refer prepa

hi, would ask advise, need create keytab ktpass on domain controller (windows 2003 enterprise edtion) for squid server perform kerberos authentication. comamnd syntax, specified "/out squid.keytab" after full ktpass, show "successfully mapped http/squid.example.com", couldn't find tab file generated command issue. command i issued below; ktpass -out squid.keytab -princ http/squid.example.com -mapuser example\squid$ /ptype krb5_nt_srv_hst /crypto des-cbc-md5 thanks feedback. regards. don't need password specified? "-pass" , syntax should server.%domainnetbiosname%@%fqdn%. http://docs.sun.com/app/docs/doc/820-3885/gimtn?l=en&a=view http://technet.microsoft.com/en-us/library/cc782155(ws.10).aspx http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/ regards, leonid Windows Server

the get-eventlog command apparently exports guids fields (object types, object names, additional info, etc.). there anyway "user friendly" object name replace guids? example, event 566 on windows 2003 server, if makes change organizational unit,  the output get-eventlog looks this:   object type: %{bf967a9c-0de6-11d0-a285-00aa003049e2} object name: %{e9047ae5-2a37-43a6-81f4-aaca2cd028e6}   but when view same event in eventvwr, looks this:   object type: organizationalunit object name: ou=computers,ou=staff,ou=testingou,ou=technology,dc=childdomain,dc=domain,dc=net below revised code. $desthost = "server1" $destdrive = "d$" $computer = gc env:computername $tmpdate = get - date - format "mm-dd-yyyy-hhmm" $nowrun = get - date - format g $lastrun = gc env:lastrun if ( $? -eq $false ) { $lastrun = "11/10/2010 09:00 am" } $eventidz = @(566,624,626,629,630,631,632

hi all, occasionally have users on our rds farm have "frozen" session in rdsh. fact in same server not got issue. sessions stuck on windows 2012 welcome windows. as administrator of solution, i'm not able reset, log off, or disconnect session using remote desktop services manager.  way can resolve issue reboot rds server or service on remote rdsh. solution means users on server have disconnected. ve checked on remote desktop session host, on gateway , on broker's event log there nothing. i found in other technet possible kill "end process" remote user's session id : winlogon.exe , crss.exe in remote desktop services manager. guess option possible in old version of rds because can not find option in rds 2012. so, i'd know how solve 2 issue: - stuck session on rdsh : welcome windows - disconnect user session remote desktop services manager console. thanks lot help hi, are able end problematic session via task manager u

here scenario:   i have 2 servers; server server 2003 , server b server 2008r2   now server has folder on 500gb - 1tb i want transfer folder server b now not want interfere network put both servers in workgroup, ip scheme 192.168.1.100 & 192.168.1.101   i plug both servers gig switch (linksys small home user ones buy @ bestbuy)    both servers have gig connection; server browse server b , copy huge folder over, getting speeds @ 20mbs after few minutes drop down under 15mbs   now both these servers running 7200 sata drives.  why not getting faster transfer speeds?  understand won't solid gig transfer rate should getting pretty high.  both nics set @ auto duplex, tried setting nic's full duplex 1 gig not downgrade themselves.  i have done on multiple servers , same results. switch dummy switch not managed.  tried changing out cables , used cat6 cables.    hello, the speed relies on piece of hardware badest/slowest reaction writing data new

i total noob please nice. i engineer @ power plant , have reciently been working on getting complex modeling software working on servers have been purchased job. process memory , cpu intensive gathers substancial amount of data on network. currently software package using has 3 separate applications use sql databases. have 3 quad core servers each running 1 of applications , 4th server running client software. will achieve running 3 apps in cluster. can buy quad core server , update servers 16gb of ram. unsure of types of situations better clustering , arent. applications using not built clustering, hoping windows might smart enough balance load between 4 or 5 cpu's , can performance boost things sluggish right now. in advance! hello rswing! the circumstances have describe isn't related failover cluster scenario. failover clusters intend increase availability of application, "failing over" to different node whenever problem occurs. it doesn't seem related load b

hi all i having problem group policy on windows 2003 dc . when go windows xp sp3 , execute rsop.msc seeing red mark againest computer configuration , in error information getting followin error. suggesition please group policy infrastructure   failed. group policy infrastructure failed due error listed below. specified domain either not exist or not contacted. note:  due gp core failure, none of other group policy components processed policy.  consequently, status information other components not available.   hi, i confirm have tried troubleshooting suggestions “nav_007” provided? if not, please try of them. it looks network connectivity issue. based on current situation, suggest refer following microsoft kb article , use built-in tools troubleshoot network connectivity issue: troubleshooting rpc endpoint mapper errors using windows server 2003 support tools product cd http://support.microsoft.com/kb/839880 regards, arthur li technet subscriber s

hi, we have rds on windows 2012 server have problem grace period while have licenses ... problem not solved story... there 3 users logging on , users same rights, in same group .... can login 1 , same , temporary profile ... what problem , how coul solved ? thanks in advance dirk dirk hi, we solved problem removing items concerning profi in registry thanks answer dirk dirk Windows Server  >  Remote Desktop Services (Terminal Services)

i got windows 10 while ago, got distracted , forgot while, , have tried update build 9841 wouldn't it. tried fbl_release , didn't work. please 10 more days!! thanks! ~z what  fbl_release ? have tried downloading build 10041 iso , use install ? http://windows.microsoft.com/en-us/windows/preview-iso-update-1503 if did download 10041 iso, method did use install ? in case don't know, have 2 options : 1. burn iso bootable dvd or usb @ least 4 gb capacity, , use clean install. 2. go folder downloaded iso kept > right click @ > click mount > click setup.exe. system start installing , can keep personal files , settings. might have reinstall 3rd party programs. *****  after have build 10041 installed, go settings > update & recovery > right side, click advanced options > under choose how preview builds installed, change fast slow. why change slow ring ? microsoft trying fix slow install of current build 10049. unable find solution.

windows experts, i have customer requirement of dual-homed virtual 2012r2 domain controllers. these dcs @ service provider, back-end network requirement monitoring, maintenance, , backups. service provider hosting several 2008r2 dcs in configuration. however, 2012r2 dcs having issues.  i have been researching week now, , believe configuration correct: have ensured front-end nic @ top of binding order, default route in front-end nic. no gateway entry on back-end nic, netbios on tcp/ip disabled on nics. dns listening on front-end nic, , dns registration active on front-end. dns round-robin disabled. everything seems working correctly, except dns self-tests. if both nics active, dns self-tests fail. disable back-end nic, self-tests work correctly. thanks insight, -p " the service provider not provide front-end services management services.  " that not prevent creating own front-end services.  elaine notes, , find copious amounts of first-person reports, dual-ho

hi all, new-ish powershell , have following script calling .csv file in same directory create 250 users test environment. import-module activedirectory $users = import-csv -delimiter "," -path "c:\multiusers\users.csv" foreach ($user in $users)  {      $ou = "ou=users,dc=<domain>,dc=<com>"      $password = $user.passw0rd     $detailedname = $user.firstname + " " + $user.name     $userfirstname = $user.firstname     $firstletterfirstname = $userfirstname.substring(0,1)     $sam =  $firstletterfirstname + $user.name     new-aduser -name $detailedname -samaccountname $sam -userprincipalname $sam -displayname $detailedname -givenname $user.firstname -surname $user.name -accountpassword (convertto-securestring $password -asplaintext -force) -enabled $true -path $ou  } and following error: convertto-securestring : cannot bind argument parameter 'string' because null. @ c:\multiusers\multiusers.ps1:1

i'm running number of systems here fail build 64bit version of windows 10 (build 10162 , 10166). the 2 i've hit far hp z620 workstation , hp elitebook 1040 g1. now in both cases build splendidly if use 32bit, seeing z620 has 32gb of memory , 1040 had 8gb users here going want 64bit os.  but 64bit builds blue screen when attempting first boot os , throw "critical process failed" error. any boot option try (safe mode, safe mode w/cmd prmpt, disable driver signing req., disable launch anti-malware, etc.) result in same bsod. anyone else run this?  anyone fix or find cause? thanks hi, how did build, upgrade via windows update or via iso file? based on description, appeared in safe mode. caused hardware compatibility. could you refer following guide to upload the minidump file onedrive , share link here? http://answers.microsoft.com/en-us/windows/wiki/windows_other-system/blue-screen-of-death-bsod/1939df35-283f-4830-a4dd-e95ee5d8669d please rememb

i required time zone related work on rdp session on ts using redirected time zone information.  i need locate current remote desktop time zone (i.e. via routine timezoneinfo.findsystemtimezonebyid) on ts using timezoneinfo.local.id acquired via time zone redirection. unfortunately timezoneinfo.local.id in remote desktop language , language not match terminal server language. find fails. far way have found similar matching time zone using baseutcoffset , supportsdaylightsavingtime property values. unfortunately there may multiple entries using technique. why appear redirection taking std value of time zones remote registry entry instead of subkey value? no matter language based os installed subkeys of currentversion\time zones in english. any suggestion out there? this has been confirmed issue microsoft. kb2592687 created address issues found time zone redirection in server 2008 r2 did confirm not repair issue seeing. told since issue appearing in server 2008 r2 , not in l

hi thanks in advance reading problem has me stumped. i've got 2 x hyperv host servers running 2012\r2 patched local sas r10 storage via lsi sas card.  1 host 3 guest servers (1 x 2012/r2, 1 x 2008/r2 sql , 2003) , other used replication plus domain controller guest.  has been working fine since feb 14 until last week when had shutdown both servers.  since restarting 2012 guest replication working fine status of normal 2008/r2 , 2003 guest machines both won't replicate status turning critical replication started.  far i've tried: deleting , recreating replica servers updating integration services on guests full windows update on hosts , guests checking vss errors on hosts , guests - there none checked event logs - can't find sign of error problem none of has plus numerous reboots has made difference unfortunately.  replication working ok 1 server (which biggest) i'm pretty confident hardware, switches , network ok , diagnostics i've run come no pr

we have several server 2008 r2 environments running hyper-v.   randomly on of these boxes unable connect vm's using hyper-v console.  message comes "cannot connect virtual machine.  try connect again.  if problem persists, contact system administrator."  have searched through these forums , internet , tried various things including restarting hyper-v virtual machine management service , issue not go away.   there no errors in of event viewer logs indicate issue.   the affected vm's usually never same , be fine when first turned on.  they start having issue after being online while (usually longer have been up, more issue occur).    guest os seems continue function fine, can rdp them (those setup such) , continue operate, can't connect via hyper-v console. so far solution has been either shutdown , restart vm, or 'save' , start again , fixes problem, it's far permanent solution.    of guest os's having issue have latest integrated servic

hello all.........several applications use ad ds ldap provider, have following questions regarding them: 1.  need special configuration/account connect application adds using ldap? 2.  can applications make both ldap , secure ldap connection default or account, configuration or certificate required? 3.  secure ldap (ssl), need special configuration respect certificates? certificate trusted both ad ds , application involving ca? 4.  when making secure ldap connection, several applications show certificate expiry date well.  certificate that?  self-signed certificate?  how renewed?  itself?  if not, how 1 renews it, default cert 1 year long? 5.  type of ssl , tls connections supported secure ldap? ssl 1, 2 or 3/tsl 1.0, 1.1 or 1.3?  or supported?  recommended connection method use apps?  if all are supported, does not make system vulnerable?  possible turn off of them specific method supported? thanks in advance.  hi technet junkie, if application requires dedic

in windows server 2003 have set print server. xp clients in network print via printers included on print server. have 1 problem, locally slow... first of add new local tcp/ip printer on server , set needed values. next add network printer on each client computer. here comes problem, if add network printer, fine, on server have made printing preferences template each printer want use. so when network printer added, inherits settings printserver. , if choose printer in print dialog of document, selected relatively fast(1,5seconds). set inherited template in printing preferences of printer on client computer, takes 8 seconds select printer list in print dialog?? can tell me be? have checked printer sharing options in exceptions firewall allthough firewall disabled. ip's static have checked netbios if have searched whole google, can't seem find working solution anyone please can me?? how can disable these advanced features? here pictures: this tab set template(these example picture

dear, i have problem after migrating windows server 2000 domain windows server 2008 r2 domain. after migration, looking good. problem when client logon using 6-10 minutes apply computer settings. machines use long time applying user setting instead. i'm check dns work fine. i'm looking @ security log see process policy change every time logon. thank in advance thana howdie! thanapha wrote: > hi florian, > use new machine name , ip on old domain name. > - adprep forest, domain, rodc, gprep, respectively. > - join ws2k8 domain , promote them > - transfer fsmo roles , gc new one > - demote ws2k member okay - have re-configured clients use new dc's ip address as dns server? have changed dns configuration on other dcs accordingly? cheers, florian microsoft mvp - group policy (http://www.frickelsoft.net/blog) Windows Server  > 

the preview installed bootable vhd, , runs great.  the update not install , errors "can't install virtual hard drive".  the preview not installed in hyper v or other vm.  thoughts? i gave thought , think difference when using client hyper-v, client there handle stuff external machine expansion of virtual disk (in case of dynamic vhd/vhdx). perhaps "block" arose such situations. anyways, have feeling might have made missteps in attaching vhdx virtual machine in hyper-v (there's need "repair" installation can boot in hyper-v instead of direct boot menu - more here: http://blog.davidbarrett.net/archive/2013/10/19/upgrading-windows-8-boot-to-vhd-to-windows-8.1ndashstep-by.aspx). i'm going re-do "repair" (make different selection in menu), report again when can. update: tried reinstalling win 10 using hyper-v on vhdx , still not update (0x80070003). gave up, formatted vhdx , installed scratch. update applied. shut down on hy

i have questions in regards ntfs permissions.  possible grant read , write ntfs access on share, make sure user not able delete files or did not create.  user should able able update or make changes file in share, should able create or add new files, not able delete file or did not create. hi, you not able overwrite file without delete permission, without delete permission, can open, modify file cannot save same file name create new file. shaon shan |technet subscriber support in forum |if have feedback on our support, please contact tngfb@microsoft.com Windows Server  >  File Services and Storage

i have changed static i p address (from internet provider) terminal server, using windows server 2008 r2.  how make change in software @ terminal? hi, what software using remote access rds server? if dns works properly, may consider using computer name instead of ip address. this posting provided "as is" no warranties, , confers no rights. please remember click “mark answer” on post helps you, , click “unmark answer” if marked post not answer question. can beneficial other community members reading thread. Windows Server  >  Remote Desktop Services (Terminal Services)

as browse our win2008 server based lan [domain or workgroup] using winexplorer\network, see column named  discovery method. the discovery method stated wsd . what wsd discovery method? is there other method of discovery can used? how discovery method matter? can altered? hi,   thanks post.   please understand wsd (web services dynamic discovery) technical specification defines multicast discovery protocol locate services on local network.   in windows server 2008, fdp ( function discovery providers ) uses various providers enumerate discoverable resources. built-in providers netbios, pnp, registry, ssdp, wcn , wsd.   provider description netbios provider the netbios provider enumerates netbios discoverable devices using wnet functions. plug , play (pnp) provider the pnp provider constructs function instance each functional device object (fdo) installed on system. pnp provider discovers network connected devices (ncd) have been associated system through

hello, i'm searching solution schedule task trigged event (like here:  http://social.technet.microsoft.com/forums/en-us/winservergen/thread/fac16f3c-d088-4d66-83d8-7139261dea83 ) , time. should looks like:   start b when finished (a finished @ 4 pm.), not before 8 pm. clue is, task should run every day.  another question: possible schedule task sth. depending on filename? like in c:\temp\ file named "failure.txt". if isn't there @ defined time, sth. else.   hi, thank post. i think difficult run scheduled task after another, more information, please read blog: http://blogs.msdn.com/b/davethompson/archive/2011/10/25/running-a-scheduled-task-after-another.aspx regards, nick gu - msft Windows Server  >  Windows Server General Forum

hi we have following scenario in 1 of our customer network (see picture below) and havent been able find detailed information these questions have. think have  found of needed ports able succed there still som concerns dynamic rpc ports. perhaps customer have change design because firewall need lot of openings. questions 1a. able join server or client domain ports need opened if dc located behind firewall? b. also need dynamic rpc actiion? 2 able run different administration tools active directory user , computers need enable dynamic rpc? 3. if domain mode in windows 2003 correct rpc port have in scope of 1025-5000 default? know might possible change scope regards thomas z ------------------------------------------------------------------------------------------------------------- thomas z hi, http://support.microsoft.com/kb/832017 shows windows services , related ports. http://support.microsoft.com/kb/179442  shows rpc requirements specific domains

hello,   does tell me can download nap client xp ?   the link in msconnect bad ... ( http://blogs.technet.com/nap/archive/2007/05/14/network-access-protection-client-for-windows-xp-beta-3-update.aspx )   thanks. it's not due bad link. it's because not part of beta programme.   you can participate in beta programme write email jeff.sigman@online.microsoft.com  (remove "online" email address).   there thread on topic: http://forums.microsoft.com/technet/showpost.aspx?postid=1814411&siteid=17 .        Windows Server  >  Network Access Protection

we have root empty domain called company.local , child domain our users located corp.company.local there 2-way transitive parent-child trust between company.local , corp.company.local we have application running in aws runs own ad forest called app.aws.local we need setup one-way trust users in corp.company.local can authenticate on app.aws.local servers i have tried create trust between corp.company.local , a pp.aws.local fails time, if try create trust between company.local (the root domain) , app.aws.local succeeds can browse resources in root domain not child. what missing , should trust direction? thinking making one-way incoming trust company.local , one-way outgoing trust app.aws.local hi, you need outgoing trust aws.local to company.local able authenticate against aws app. https://technet.microsoft.com/en-us/library/cc794933%28v=ws.10%29.aspx?f=255&mspperror=-2147217396