Configuring Active Directory child domains
When configuring Active Directory child domains, you can either use the securityconfig tool (the recommended method) or manually edit the services.cfg file.
When using the securityconfig tool, you must first configure the Application Service to connect to the parent Active Directory domain, and then modify the ads_port property in services.cfg, as described in the following list of requirements and restrictions.
Requirements and restrictions for configuring the ads_port property:
- The Active Directory User Principal Name (UPN) for all users must use a suffix matching the ads_domainname property in services.cfg (for example, userName@my.ad.domain, where "ads_domainname=my.ad.domain").
- You must change the ads_port property in services.cfg to one of the global catalog ports of the domain controllers: LDAP on port 3268 or LDAPS on port 3269. Using the default LDAP port (389) causes slow logins, while using LDAPS on port 636 does not work.
- BMC recommends that you not specify the domain name as the ads_hostname property in services.cfg. Define the set of domain controllers hosting the global catalog role instead, unless every domain controller in the domain is hosting the global catalog role, in which case the domain name can be used.
Note that logins from domains in the same Active Directory forest but in a different domain tree, and logins from domains that are trusted but in a different forest, are not supported.
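
The following check is an added example, not BMC code: it reads services.cfg text and reports settings that conflict with the requirements listed above. It assumes services.cfg holds key=value lines (as in "ads_domainname=my.ad.domain") and that multiple ads_hostname entries are separated by commas or spaces; the function names, host names and sample files are constructed for illustration.

```python
import re

# Port guidance taken from the requirements listed above.
GC_PORTS = {3268, 3269}
BAD_PORTS = {389: "default LDAP port causes slow logins",
             636: "LDAPS on port 636 does not work"}

def parse_cfg(text):
    """Parse key=value lines (assumed format); skip blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_child_domain_cfg(text, upns=()):
    """Return a list of findings; an empty list means no conflict was found."""
    props = parse_cfg(text)
    findings = []
    domain = props.get("ads_domainname", "").lower()
    port_raw = props.get("ads_port", "")
    port = int(port_raw) if port_raw.isdigit() else None
    if port in BAD_PORTS:
        findings.append(f"ads_port={port}: {BAD_PORTS[port]}; use 3268 or 3269")
    elif port not in GC_PORTS:
        findings.append(f"ads_port={port_raw!r}: not a global catalog port")
    # Separator for several hosts is an assumption (comma or whitespace).
    hosts = [h.lower() for h in re.split(r"[,\s]+", props.get("ads_hostname", "")) if h]
    if domain and domain in hosts:
        findings.append("ads_hostname is the domain name; list the global catalog "
                        "domain controllers unless every DC hosts that role")
    for upn in upns:
        # Interpretation: the part after '@' must equal ads_domainname exactly.
        if "@" not in upn or upn.rpartition("@")[2].lower() != domain:
            findings.append(f"UPN {upn!r}: suffix does not match ads_domainname")
    return findings

# Constructed sample files, not taken from a real installation.
SAMPLE_BAD = "ads_domainname=my.ad.domain\nads_hostname=my.ad.domain\nads_port=636\n"
SAMPLE_GOOD = ("ads_domainname=my.ad.domain\n"
               "ads_hostname=gc1.my.ad.domain,gc2.my.ad.domain\nads_port=3269\n")

if __name__ == "__main__":
    for finding in check_child_domain_cfg(SAMPLE_BAD, ["bob@child.my.ad.domain"]):
        print(finding)
```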