AD Connector - cross-forest tricks


It is possible to import objects from a domain that is in a different forest from the one your console is in. You can also import data from an untrusted domain, or from a domain your current domain doesn't trust. You can even use a console from a domain in another forest.

Data source address

Let’s say there is a domain you want to import objects from and this domain is not listed in the Browse window (you won’t see that domain when you click the Browse button). Then you need to specify the data source address in the format shown below.

The address looks like this: LDAP://other.domain.com/OU=your-ou,DC=other,DC=domain,DC=com. If you don’t need to import objects from a specific OU, just omit the OU part of the address.

Run As account

To be able to import data from another domain you need to provide an account that has permissions to read data from the specified data source.

Because the domain you are trying to connect to is not listed in the Domain dropdown box, you need to include the domain name in the user name, as shown on the screenshot below.

Pay attention to the fact that when you provide the domain name in the User name edit box, the Domain control is disabled.

After the Run As account is created you can use it to connect to the specified data source.

Select objects

With the domain/OU address and Run As account provided, you can choose which objects you want to import on the Select objects page.

When you add individual objects to the connector configuration, the Find window lists users, groups, computers or printers not from your current domain, but from the domain you specified earlier on the Domain/OU page.

Untrusted domain

There’s nothing special about untrusted domains: if you need to import any data from one of them, just provide an account that has enough permissions to read from the specified address.

Console from another forest

You can have a console in a domain other than your SM Server domain. It’s even possible to have a standalone console in a domain which is not trusted by your SM Server domain. The only thing you need to keep in mind is that the address you specify from your console must also be successfully resolvable by the SM Server.

Let’s say you have a console in domain dom1.prod.com and you need to create connector C1 for domain dom2.prod.com, which is in the same forest and visible from the console machine when you click the Browse button on the Domain/OU page. So you create a connector for data source dom2.prod.net. You can even create a Run As account for the dom2\admin user and add individual objects to the connector filter.

But now, with your SM Server in another forest domain, company.domain.com, neither the address dom2.prod.net nor dom2 (from the Run As account) can be resolved. To solve the issue you need to specify the data source address for connector C1 in the format LDAP://dom2.prod.net/DC=dom2,DC=prod,DC=net.

In other words, when using a console from another domain, always keep the SM Server domain in mind: it must be able to resolve the address you provide and the Run As account you create.
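The two things this post asks you to get right are the address format (LDAP://host/DN, from the "Data source address" section) and the fact that the SM Server, not just the console, must resolve that host and be able to bind with the Run As account. The following PowerShell is an added example, not part of the original post or of Service Manager itself: it builds the address from a DNS domain name and an optional OU, then checks syntax, name resolution and an authenticated bind from whichever machine you run it on. Domain names and the function names are placeholders; the bind uses .NET's System.DirectoryServices.DirectoryEntry with explicit DOMAIN\user credentials, which is an assumption about how you want to test the account rather than what the connector does internally.

```powershell
# Added example (not from the original post). Placeholder names throughout.

function New-AdConnectorLdapPath {
    param(
        [Parameter(Mandatory)] [string] $DnsDomain,   # e.g. other.domain.com
        [string] $OuPath                              # e.g. 'OU=your-ou' (optional)
    )
    # Each DNS label becomes one DC= component; the OU part is optional,
    # exactly as the post describes.
    $dcPart = ($DnsDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $dn = if ($OuPath) { "$OuPath,$dcPart" } else { $dcPart }
    return "LDAP://$DnsDomain/$dn"
}

function Test-AdConnectorDataSource {
    param(
        [Parameter(Mandatory)] [string] $LdapPath,
        [Parameter(Mandatory)] [pscredential] $RunAsAccount   # user name as DOMAIN\user
    )
    # 1. Syntax: must be LDAP://host/DN
    if ($LdapPath -notmatch '^LDAP://(?<host>[^/]+)/(?<dn>.+)$') {
        return [pscustomobject]@{ Path = $LdapPath; Resolves = $false; Binds = $false
                                  Error = 'Address is not in LDAP://host/DN form' }
    }
    $hostName = $Matches['host']

    # 2. Name resolution as seen by THIS machine. Run the script on the SM Server,
    #    because that is where the connector actually runs; a console that can
    #    browse the domain proves nothing about the server.
    try {
        $null = Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Path = $LdapPath; Resolves = $false; Binds = $false
                                  Error = $_.Exception.Message }
    }

    # 3. Authenticated bind with the Run As account. The user name carries the
    #    domain (DOMAIN\user) because that domain is not in the console dropdown.
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            $LdapPath,
            $RunAsAccount.UserName,
            $RunAsAccount.GetNetworkCredential().Password,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
        $null = $entry.NativeObject    # forces the bind; throws on a bad account or missing read rights
        $binds = $true; $err = $null
    } catch {
        $binds = $false; $err = $_.Exception.Message
    }
    return [pscustomobject]@{ Path = $LdapPath; Resolves = $true; Binds = $binds; Error = $err }
}

# Usage (placeholder domain; prompts for the Run As account):
$path = New-AdConnectorLdapPath -DnsDomain 'dom2.prod.net'           # LDAP://dom2.prod.net/DC=dom2,DC=prod,DC=net
$cred = Get-Credential -Message 'Run As account as DOMAIN\user'
Test-AdConnectorDataSource -LdapPath $path -RunAsAccount $cred | Format-List
```

If Resolves is false on the SM Server while the console can browse the domain, that is the exact situation the post describes, and the fix is the explicit LDAP://host/DN address. If Resolves is true but Binds is false, the problem is the account (wrong DOMAIN\user form, wrong password, or no read rights on the DN), which is also what the "The account entered is not valid" message in the comments below points at. The account only needs read access to the OU being imported; there is no reason to use a privileged account for the connector.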

  • If you import users from an untrusted domain, then those users will need to authenticate each time they try to access the web portals, if I got it right.

  • Yes, users need to authenticate to access the portal, but this is not related to AD Connector.

    AD Connector is just one of the ways you can bring your organization infrastructure into SM CMDB, which means you can import users, user groups, computers and printers from the Active Directory domains you have. This post just shows how you can do it for cross-forest domains.

  • Thanks, great posts. I am wondering why the official MS docs don't include this kind of configuration.

  • After I inputted the LDAP string and used the domain name\user name as the "Run As account" and tested the connection, I got the following error:

    ===

    The account entered is not valid. Enter a valid account.

    ===

    How to resolve this?