Error trying to configure trusted forest in IPAM

  • Question

  • Scenario

    This is a lab experiment.  I have created two single-domain forests, ABC and XYZ.  Both forests are at Win2008R2 functional level, but both use Server 2012 R2 for the DCs.  I have established a two-way transitive forest trust between ABC and XYZ.

    In domain ABC, I have installed a Server 2016 machine and installed IPAM.  I have provisioned the IPAM server, opting for GPO provisioning, and I can manage the DNS servers and DHCP servers in the ABC domain.

    Problem

    The reason for deploying IPAM on Server 2016 is that I want to be able to manage multiple forests from one IPAM server.

    I am trying to run the following command:

    Invoke-IpamGpoProvisioning -Domain xyz.local -GpoPrefixName IPAM1_ -Force

    If I try and run this command in a PowerShell window running as administrator@xyz.local, it fails with:

    Invoke-IpamGpoProvisioning : Failed to add computer abcipam01.abc.local to group IPAMUG. Exception calling
    "Invoke" with "2" argument(s): "The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"
    At line:1 char:1
    + Invoke-IpamGpoProvisioning -Domain xyz.local -GpoPrefixName IPAM1_ ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Invoke-IpamGpoProvisioning], Exception
        + FullyQualifiedErrorId : InvalidOperation,Invoke-IpamGpoProvisioning

    Just to be thorough, I added administrator@xyz.local to the administrators, IPAM Administrators and Remote Desktop Users groups on the IPAM server, logged on to the server with administrator@xyz.local, opened an elevated PowerShell window and tried again and got the same result.

    According to this page https://technet.microsoft.com/en-gb/windows-server-docs/networking/technologies/ipam/manage-resources-in-multiple-active-directory-forests I'm doing things in the correct manner but it isn't working.

    Any help would be greatly appreciated.

    Wednesday, November 2, 2016 3:07 PM

Answers

  • Sorted it myself.

    After thinking about it, it occurred to me that I was trying to do admin-level stuff in two domains but using an account that only had admin rights in one domain or the other.  Adding administrator@abc.local to the Administrators group in xyz.local allowed me to create the IPAM GPOs.

    Obviously, this solution is fine for use in a lab/dev environment but not best practice for a production environment.

    Mike

    • Marked as answer by M. A. Walter Thursday, November 3, 2016 8:32 AM
    Thursday, November 3, 2016 8:31 AM

All replies

  • Hi Walter,

    Have you tried to run command on other servers? How about the result?

    I have tested it in my lab, and it works. Please check whether the IPAM server is joined to AD.

    Please reference the picture below for further understanding:

    Here is information about command for your reference:

    Invoke-IpamGpoProvisioning

    https://technet.microsoft.com/en-us/library/jj553805.aspx

    Best Regards

    John


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 3, 2016 9:49 AM
  • Hi John,

    I have the same problem and can confirm that the official article does not help.

    When an admin of the IPAM domain is added to another forest's domain as a member of the built-in Administrators group, it works. However, if not, then I receive this message:

    Invoke-IpamGpoProvisioning : Failed to add computer SITE1-SRV1.lab.local to group IPAMUG. Exception calling "Invoke"
    with "2" argument(s): "The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"

    It sounds OK because the IPAMUG group is universal and cannot contain members from trusted forests. However - again however - if I run this cmdlet after adding myself to the trusted domain's Administrators group as I said before, the IPAMUG group is not created, but I receive no errors.

    So, summa summarum:

    The TechNet article states: "To run this cmdlet, you must be a member of the Domain Admins group in the fabrikam.com forest."

    I have two domains, lab and lab2, two-way forest trust enabled, IPAM is installed in LAB domain.

    1. If I run Invoke-IpamGpoProvisioning under LAB2\Admin credentials (which is a Domain Admin in LAB2), it fails with the error above.

    2. If I run the cmdlet under LAB\Admin and LAB\Admin is a member of the LAB2\Administrators group, the cmdlet completes successfully and after a few moments I can manage LAB2 servers within IPAM. (Of course, at first I should enable security filtering of the newly created GPOs.)

    I must state that there is an inaccuracy in the technet article.


    Monday, November 28, 2016 8:34 AM
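The condition the question and the last reply converge on (the caller must be an admin of the IPAM home domain and also a member of the trusted domain's built-in Administrators group, and IPAMUG is a universal group that cannot hold foreign principals) can be verified read-only before running the provisioning cmdlet. The script below is an added example, not code from the thread or from Microsoft's IPAM documentation; the domain, host and prefix names are placeholders taken from the posts, and it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the IPAM server.

```powershell
# Added example, not from the thread or the IPAM docs. Read-only pre-flight
# check to run BEFORE Invoke-IpamGpoProvisioning against a trusted forest.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules are installed on the
# IPAM server, and the three names below are placeholders taken from the thread.
#Requires -Modules ActiveDirectory, GroupPolicy

param(
    [string]$TrustedDomain = 'xyz.local',   # forest/domain to be provisioned
    [string]$IpamComputer  = 'abcipam01',   # IPAM server (sAMAccountName without $)
    [string]$GpoPrefix     = 'IPAM1_'       # same value you pass to -GpoPrefixName
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Identity of the caller, as a SID. Cross-forest membership in the trusted
#    domain's built-in Administrators group is stored there as a foreign
#    security principal (FSP) whose CN is this SID, so we match on SIDs.
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySid = $me.User.Value
$findings.Add("Running as $($me.Name) [$mySid]")

# 2. Locate a DC in the trusted domain; every AD query below is pinned to it
#    so we are reading the trusted forest, not our own.
$dc = (Get-ADDomainController -Discover -DomainName $TrustedDomain).HostName |
      Select-Object -First 1
$findings.Add("Querying trusted domain via $dc")

# 3. Is the caller a DIRECT member of BUILTIN\Administrators (S-1-5-32-544)
#    over there? We read the 'member' attribute instead of Get-ADGroupMember,
#    which cannot resolve FSPs that point into another forest. Nested
#    membership is deliberately not expanded here.
$admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dc -Properties member
$adminDirect = [bool]($admins.member | Where-Object {
    $_ -like "CN=$mySid,CN=ForeignSecurityPrincipals,*"
})
$findings.Add("Direct member of $TrustedDomain Administrators (as FSP): $adminDirect")

# 4. State of the IPAMUG group in the trusted domain. As the thread notes it is
#    a universal group, and universal groups cannot hold principals from another
#    forest, which matches the 0x80072035 ("unwilling to process") failure seen
#    when the cmdlet runs as a trusted-domain account.
$ipamug = Get-ADGroup -Filter "Name -eq 'IPAMUG'" -Server $dc -Properties member, GroupScope
if ($ipamug) {
    $findings.Add("IPAMUG exists in $TrustedDomain, scope=$($ipamug.GroupScope), members=$($ipamug.member.Count)")
} else {
    $findings.Add("IPAMUG not present in $TrustedDomain (expected before provisioning)")
}

# 5. IPAM GPOs already created with this prefix (non-empty only after a
#    successful run; remember to review their security filtering afterwards).
$gpos = Get-GPO -All -Domain $TrustedDomain | Where-Object { $_.DisplayName -like "$GpoPrefix*" }
$findings.Add("GPOs with prefix '$GpoPrefix' in ${TrustedDomain}: $($gpos.Count)")

# 6. The IPAM computer object must resolve in its HOME domain (no -Server),
#    because the cmdlet adds that object to IPAMUG.
$ipamObj = Get-ADComputer -Filter "Name -eq '$IpamComputer'" -ErrorAction SilentlyContinue
$findings.Add("IPAM computer object found in home domain: $([bool]$ipamObj)")

$findings | ForEach-Object { Write-Output $_ }

if (-not $adminDirect) {
    Write-Warning ("Caller is not a direct member of $TrustedDomain Administrators; " +
                   "per the thread, Invoke-IpamGpoProvisioning -Domain $TrustedDomain will fail with 0x80072035.")
}
```

Run it from an elevated PowerShell session on the IPAM server as the account you intend to use for provisioning; it makes no changes, so it can be re-run after adjusting group membership to confirm the picture has changed before invoking the cmdlet itself.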