
Universal Server and Multiple Active Directory Domains

Created: 27 Jan 2013 • Updated: 19 Mar 2013 | 8 comments
This issue has been solved. See solution.

I am trying to ascertain whether Universal Server is able to integrate with multiple Active Directory domains.

We are looking to migrate all of our users and workstations from our current Active Directory to a new domain in a different forest - there will be a two-way trust in place. We use PGP Desktop for Email, Virtual Disk and NetShare.

Has anybody had any experience of this scenario - if so would appreciate any pointers or links.

Thanks,

Phil.


Alex_CST

Yes, you can add multiple AD syncs and domains. You just add the multiple domains as you would normally. And as long as your PGP server can communicate with the other DCs, just add the other full name the normal way and it'll work fine.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

phil_h

Thanks Alex.

Must admit that I've only seen the admin portal for a 2.12 server and it appeared that you could only sync with one domain.  Presumably the ability to have multiple domains is something that has been added in 3.x+

Do you know if anything needs doing on the client PC once it and the user move from one domain to the other (i.e. to re-register with the server), or is it seamless (assuming equivalent Internal User Policies are defined)?

Mehmood

No need to make any changes on the client PC side. If the client PC moves from one domain to another, the latter domain must already have been added to the list of managed domains in the Universal Server.

phil_h

OK, thanks. I'll give it a try once the servers have been updated to a current version, as they are lagging behind at present.

Phil.

sven_frank

Hi Phil,

Also, even though this is already answered, there are multiple options within Dir Sync:

1. You can add multiple Directories and they will be searched in the Order you have defined

2. If you have a Forest you can also add the Global Directory on Port 3389 (should be correct) when your AD is organized in a logical structure within the Forest

3. Multiple forests is also possible but I recommend having no duplicates

  • Super Silent Enroll uses the sAMAccountName per default, so be aware that if it finds it in the directory it will try to authenticate it in the first directory where it succeeds
  • Silent Enrollment: gives you the ability to utilize the UPN, which can even be added as a search filter in the Universal Server Dir Sync Configuration:
    • This allows you to speed up the enrollment since not all ADs will be searched when the filter matches
  • Last but not least you can utilize Directory Customization, but this should be conducted with a Partner or an Admin who is familiar with this modification

So I have implemented multiple directories myself utilizing all the methods I mentioned here, and they usually work wonderfully within the environment you have.

Be aware that Dir Sync is smart enough to cache where it found the user the first time and utilizes this for further lookups. So be aware that you might only have a slower response time for enrolling when it needs to go down the list one by one.

It really needs to be remembered that when you add 20 Directories and the user is in No. 20, it will search the other 19 first until it has found him.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

SOLUTION
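To make the ordering, caching and duplicate-name behaviour described in the post above concrete, here is an added simulation (example code written for this page, not Symantec's or PGP Universal Server's own code). It models an ordered list of directory syncs with two constructed forests, `corp.example` and `new.example`, that both contain a user with sAMAccountName `phil`. It shows that sAMAccountName-based lookup returns whichever directory comes first in the list and then caches that answer, that a UPN filter lets the lookup skip directories whose suffix does not match, and it includes a check that reports sAMAccountNames present in more than one directory. All directory contents, names and the `upn_suffixes` attribute are assumptions for the example.

```python
"""Added example: ordered multi-directory lookup with a first-match rule,
a lookup cache and a UPN suffix filter. All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Directory:
    """One directory sync entry (constructed). upn_suffixes stands in for
    the UPN search filter; users maps sAMAccountName -> userPrincipalName."""
    name: str
    upn_suffixes: Set[str]
    users: Dict[str, str]


# Constructed sample data: "phil" exists in both forests with different UPNs.
DIRECTORIES: List[Directory] = [
    Directory("corp.example", {"corp.example"},
              {"phil": "phil@corp.example", "alex": "alex@corp.example"}),
    Directory("new.example", {"new.example"},
              {"phil": "phil@new.example", "sven": "sven@new.example"}),
]

Match = Tuple[str, str]  # (directory name, userPrincipalName)


class DirSyncSim:
    """Simulates the search order, cache and query count of an ordered
    directory list; this is a model of the described behaviour, not the
    product's implementation."""

    def __init__(self, directories: List[Directory]) -> None:
        self.directories = list(directories)  # searched in this order
        self.cache: Dict[str, Match] = {}     # sAMAccountName -> first hit
        self.queries = 0                       # directories actually queried

    def find_by_samaccountname(self, sam: str) -> Optional[Match]:
        """First directory that knows the name wins; the hit is cached, so
        a duplicate name in a later directory is never reached."""
        if sam in self.cache:
            return self.cache[sam]
        for d in self.directories:
            self.queries += 1
            if sam in d.users:
                self.cache[sam] = (d.name, d.users[sam])
                return self.cache[sam]
        return None

    def find_by_upn(self, upn: str) -> Optional[Match]:
        """UPN lookup with a suffix filter: directories whose configured
        suffixes do not include the UPN's domain are skipped, not queried."""
        if "@" not in upn:
            return None
        suffix = upn.rsplit("@", 1)[1].lower()
        for d in self.directories:
            if suffix not in d.upn_suffixes:
                continue
            self.queries += 1
            for user_upn in d.users.values():
                if user_upn.lower() == upn.lower():
                    return (d.name, user_upn)
        return None


def duplicate_samaccountnames(directories: List[Directory]) -> Set[str]:
    """Pre-migration check: names that appear in more than one directory and
    would therefore be resolved by list order rather than by identity."""
    seen: Dict[str, int] = {}
    for d in directories:
        for sam in d.users:
            seen[sam] = seen.get(sam, 0) + 1
    return {sam for sam, count in seen.items() if count > 1}


if __name__ == "__main__":
    sim = DirSyncSim(DIRECTORIES)
    print("by sAMAccountName 'phil':", sim.find_by_samaccountname("phil"))
    print("by UPN phil@new.example: ", sim.find_by_upn("phil@new.example"))
    print("duplicates to resolve before migrating:",
          duplicate_samaccountnames(DIRECTORIES))
```

Running the block shows `phil` resolving to `corp.example` because it is listed first, while the UPN lookup reaches the `new.example` entry directly; the duplicate check is the thing to run before adding a second forest, since a user renamed or moved during migration can otherwise be silently matched to the wrong account.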
phil_h

Hi Sven,

Thanks for the detailed post. I'm now sufficiently confident that our domain migration shouldn't have a problem as far as PGP Desktop goes.

We are effectively migrating users and workstations from our current domain to a new domain within a global forest - albeit we will only configure our domain on the Universal Server. Users will retain their sAMAccountName and we will take care of joiners/leavers/renames and the sync of group membership, so hopefully we shouldn't fall down any of the holes that you refer to.

sven_frank

Actually, when you perform a domain migration you probably have a schema extension with flags that show whether the account is enabled or disabled in one Forest.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

phil_h

Agreed - assuming that all of our legacy applications will work with the user credentials from the new domain; if not we will need to retain the old account, albeit there are plenty of attributes we can use to denote migrated users if required.

Thanks again