Hi,
I'm using the Active Directory 2016 feature of Shadow Principals / Privileged Access Management (PAM) with an extra Admin Domain.
My admin accounts are in domain A and I'm trying to install SfB 2015 in domain B. My admin account from domain A has shadow principals set for the Domain Admins, Schema Admins and Enterprise Admins groups from domain B. It's working fine. If I'm logged on to a machine in domain B with the admin account from domain A and I run 'whoami /groups', it shows that my admin account is a member of the Domain Admins, Schema Admins and Enterprise Admins of domain B.
Now the problem is the SfB Server 2015 Deployment Wizard or, more precisely, the Enable-CsAdForest cmdlet. It fails to run because it checks if the user I'm running the cmdlet as is a member of the Enterprise Admins. Of course this group has no members because I'm using Shadow Principals. It was easy to work around the Schema Prep but I can't find a manual workaround for the Forest Prep.
I know I can always use a local account temporarily but I want to make it work with the Shadow Principals.
Does anyone have any input on this?
Best,
Matthias
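
The mismatch described in the post above can be made visible with a short diagnostic. This is an added example, not part of the original post and not code from SfB or Microsoft. It assumes the RSAT ActiveDirectory module, placeholder names `a.example` (admin forest, domain A) and `b.example` (forest root of domain B), and it does not claim to reproduce how Enable-CsAdForest performs its check.

```powershell
# Added diagnostic sketch: compare the logon token with the directory view of
# Enterprise Admins. 'a.example' and 'b.example' are placeholder names.
param(
    [string]$AdminForest = 'a.example',   # forest holding the shadow principals
    [string]$TargetRoot  = 'b.example'    # forest root domain of domain B
)
Import-Module ActiveDirectory

# Enterprise Admins is the forest root domain SID plus RID 519.
$domainSid = (Get-ADDomain -Server $TargetRoot).DomainSID
$eaSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid, $domainSid)

# View 1: the logon token, which is what 'whoami /groups' displays.
# Run elevated, otherwise UAC filtering hides admin groups from the token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inToken  = @($identity.Groups | ForEach-Object { $_.Value }) -contains $eaSid.Value

# View 2: the group object in domain B. With shadow principals the 'member'
# attribute stays empty, so a check that reads it finds nobody.
$group         = Get-ADGroup -Identity $eaSid.Value -Server $TargetRoot -Properties member
$directMembers = @($group.member)

# View 3: the shadow principal in the admin forest that carries the same SID.
# This object, not the group in domain B, holds the actual membership.
$configNc = (Get-ADRootDSE -Server $AdminForest).configurationNamingContext
$shadow = Get-ADObject -Server $AdminForest `
    -SearchBase "CN=Shadow Principal Configuration,CN=Services,$configNc" `
    -LDAPFilter '(objectClass=msDS-ShadowPrincipal)' `
    -Properties member, 'msDS-ShadowPrincipalSid' |
    Where-Object { "$($_.'msDS-ShadowPrincipalSid')" -eq $eaSid.Value }

[pscustomobject]@{
    User                   = $identity.Name
    EnterpriseAdminsSid    = $eaSid.Value
    SidInLogonToken        = $inToken
    DirectMembersInDomainB = $directMembers.Count
    ShadowPrincipal        = $shadow.Name
    ShadowPrincipalMembers = @($shadow.member).Count
}
```

`SidInLogonToken = True` together with `DirectMembersInDomainB = 0` is the situation the post describes: access checks against the token succeed, while anything that enumerates the group's members in domain B comes back empty.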