I have 3 domains set up in a Parent/Child/Child Active Directory configuration.
I would like to be able to login to Foglight with accounts from all 3 Domains.
It seems that we can only set the search context of the LDAP Servers to one of the domains in the Directory Services Configuration in Foglight.
Admin Console | Dashboards | Administration | Users & Security | Configure Directory Services
If we set the search context of the Nearest/Secondary LDAP Server to domain controllers in the Parent AD Domain, will the Child Domains (subtrees) be included in the searching, allowing us to login to Foglight with accounts from all 3 Domains?
The child domains will not be searched when pointing to Domain Controllers in the Parent Domain: a domain controller on the standard LDAP port (389) only serves its own domain partition, so users and groups in the child domains are never returned.
Example:
Nearest LDAP server: ldap://dc1.parent.com:389/
Secondary LDAP server URL: ldap://dc2.parent.com:389/
Windows Active Directory has 3 scope types for security groups: Domain Local, Global, and Universal.
If you have users in groups that belong to different domains within your AD forest, then you have to use the Global Catalog server to search for the groups.
If you are using the Global Catalog to search for those groups, then the groups CANNOT be Domain Local groups.
This is because the Global Catalog does not replicate Domain Local group membership, so a Global Catalog search will not return those groups and Foglight will not find them for import.
Point the LDAP server search to the Active Directory Global Catalog Server with gc_host_name:port.
The Active Directory Global Catalog Server holds a (partial) copy of every object in the forest, i.e. the Parent Domain and all sub-domain (Child Domain) objects.
Admin Console | Dashboards | Administration | Users & Security | Configure Directory Services
from
Nearest LDAP server: ldap://dc1.parent.com:389/
to
Nearest LDAP server: ldap://dc1.parent.com:3268/
3268 is the Global Catalog port (3269 for the Global Catalog over LDAPS). This assumes that dc1 is a Global Catalog server for the domain.
See Microsoft Support for determining the Global Catalog Servers for the domain (by default, it is the first domain controller set up in an Active Directory domain, but this can be changed).
The LDAP query suffix, scope(s) to search for groups, and the LDAP context for user searching should all be set to the top level of the parent domain (for parent.com, that is DC=parent,DC=com), so that the child-domain subtrees fall under the search base.
After making those changes, try logging in as one of the child domain accounts.
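The following is an added example, not Foglight or Quest code, that checks a directory-services configuration against the rules above before you try the child-domain login: it verifies that the server URLs use the Global Catalog port, that the search base is the forest root derived from the parent domain's DNS name, that child-domain DNs fall under that base, and it decodes the AD groupType attribute to flag Domain Local groups that a Global Catalog search will not return. The forest name parent.com with children child1.parent.com and child2.parent.com, the group DNs, and the function and constant names are all assumptions chosen for illustration; the groupType flag bits are the documented Microsoft values.

```python
from urllib.parse import urlparse

GC_PORTS = {3268, 3269}  # Global Catalog over LDAP / LDAPS

# groupType flag bits documented by Microsoft (ADS_GROUP_TYPE_ENUM)
GT_GLOBAL = 0x00000002
GT_DOMAIN_LOCAL = 0x00000004
GT_UNIVERSAL = 0x00000008
GT_SECURITY_ENABLED = 0x80000000


def dns_to_base_dn(dns_name):
    """parent.com -> DC=parent,DC=com (the forest-root search base)."""
    return ",".join(f"DC={label}" for label in dns_name.strip(".").lower().split("."))


def is_global_catalog_url(url):
    """True when a Foglight LDAP server URL targets the Global Catalog port."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps"):
        return False
    # A URL without an explicit port means 389 (ldap) or 636 (ldaps): a single domain.
    return parsed.port is not None and parsed.port in GC_PORTS


def split_dn(dn):
    """Split a DN into lowercased RDNs (naive: assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_is_under(dn, base_dn):
    """True when dn lies in the subtree rooted at base_dn (child domains included)."""
    dn_parts, base_parts = split_dn(dn), split_dn(base_dn)
    return len(dn_parts) > len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def group_scope(group_type):
    """Decode groupType. AD returns it as a signed 32-bit integer, so security
    groups show up as negative numbers; mask to 32 bits before testing flags."""
    gt = group_type & 0xFFFFFFFF
    if gt & GT_DOMAIN_LOCAL:
        scope = "DomainLocal"
    elif gt & GT_UNIVERSAL:
        scope = "Universal"
    elif gt & GT_GLOBAL:
        scope = "Global"
    else:
        scope = "Unknown"
    return scope, bool(gt & GT_SECURITY_ENABLED)


def check_config(nearest_url, secondary_url, search_base, forest_root_dns, groups):
    """Return a list of findings; an empty list means every domain in the
    forest is reachable through the configured search and the groups are importable."""
    findings = []
    for label, url in (("Nearest", nearest_url), ("Secondary", secondary_url)):
        if url and not is_global_catalog_url(url):
            findings.append(f"{label} LDAP server {url} is not a Global Catalog URL "
                            f"(use port 3268, or 3269 for LDAPS)")
    forest_base = dns_to_base_dn(forest_root_dns)
    if split_dn(search_base) != split_dn(forest_base):
        findings.append(f"search base {search_base} is not the forest root {forest_base}; "
                        f"child-domain subtrees will be missed")
    for g in groups:
        scope, _security = group_scope(g["groupType"])
        if scope == "DomainLocal":
            findings.append(f"{g['dn']} is a Domain Local group; the Global Catalog does not "
                            f"replicate its membership, so it cannot be imported")
        if not dn_is_under(g["dn"], forest_base):
            findings.append(f"{g['dn']} is outside the forest root {forest_base}")
    return findings


# Constructed sample groups, with groupType exactly as a GC query returns it (signed 32-bit).
SAMPLE_GROUPS = [
    {"dn": "CN=Foglight Admins,OU=Groups,DC=parent,DC=com", "groupType": -2147483640},          # 0x80000008 universal
    {"dn": "CN=Foglight Users,OU=Groups,DC=child1,DC=parent,DC=com", "groupType": -2147483640},  # 0x80000008 universal
    {"dn": "CN=Site Ops,CN=Users,DC=child2,DC=parent,DC=com", "groupType": -2147483644},         # 0x80000004 domain local
]

# The configuration from the question (port 389) beside the corrected one (port 3268).
ORIGINAL_CONFIG = dict(nearest_url="ldap://dc1.parent.com:389/", secondary_url="ldap://dc2.parent.com:389/",
                       search_base="DC=parent,DC=com", forest_root_dns="parent.com", groups=SAMPLE_GROUPS)
CORRECTED_CONFIG = dict(nearest_url="ldap://dc1.parent.com:3268/", secondary_url="ldap://dc2.parent.com:3268/",
                        search_base="DC=parent,DC=com", forest_root_dns="parent.com", groups=SAMPLE_GROUPS[:2])

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, check_config(**cfg) or "OK")
```

The DN splitting is deliberately naive (it does not handle escaped commas in RDNs), which is adequate for comparing DC= search bases but should not be reused as a general DN parser.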