Configuring Active Directory child domains

When configuring Active Directory child domains, you can use either the securityconfig tool (the recommended method), or you can manually edit the services.cfg file.

When using the securityconfig tool, you must first configure the Application Service to connect to the parent Active Directory domain, and then modify the ads_port property in services.cfg, as described in the following list of requirements and restrictions.

Requirements and restrictions for configuring the ads_port property:

  • The Active Directory User Principal Name (UPN) for all users must use a suffix matching the ads_domainname property in services.cfg (for example, userName@my.ad.domain, where "ads_domainname=my.ad.domain").
  • You must change the ads_port property in services.cfg to a global catalog port of the domain controllers: 3268 for LDAP or 3269 for LDAPS. Using the default LDAP port (389) causes slow logins, and LDAPS on port 636 does not work.
  • BMC recommends that you not specify the domain name as the value of the ads_hostname property in services.cfg. Instead, list the domain controllers that host the global catalog role. The domain name can be used only if every domain controller in the domain hosts the global catalog role.

Note that the following logins are not supported: logins from domains in the same Active Directory forest but in a different domain tree, and logins from trusted domains that belong to a different forest.
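The following script is an added example, not part of the BMC documentation or the securityconfig tool. It reads the ads_domainname, ads_hostname and ads_port properties from a services.cfg fragment and reports settings that violate the requirements listed above; the parser, function names and the sample fragments (with made-up hosts gc01/gc02) are this example's own assumptions.

```python
# Global catalog ports the page names: 3268 (LDAP) and 3269 (LDAPS).
GLOBAL_CATALOG_PORTS = {"3268", "3269"}


def parse_services_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_child_domain_config(props: dict[str, str]) -> list[str]:
    """Return findings for the ads_* requirements; empty means they hold."""
    findings: list[str] = []
    port = props.get("ads_port", "")
    if port not in GLOBAL_CATALOG_PORTS:
        findings.append(f"ads_port={port or '<unset>'}: use 3268 (LDAP) or "
                        "3269 (LDAPS); 389 gives slow logins, 636 does not work")
    domain = props.get("ads_domainname", "").lower()
    host = props.get("ads_hostname", "").lower()
    if not domain:
        findings.append("ads_domainname is not set")
    if host and host == domain:
        findings.append("ads_hostname is the domain name: list the global "
                        "catalog domain controllers unless every DC hosts the GC")
    return findings


def upn_matches_domain(upn: str, props: dict[str, str]) -> bool:
    """True when the UPN suffix equals ads_domainname (case-insensitive)."""
    _, sep, suffix = upn.partition("@")
    return bool(sep) and suffix.lower() == props.get("ads_domainname", "").lower()


# Constructed fragments (hostnames gc01/gc02 are made up for the example).
SAMPLE_BAD_CFG = "ads_domainname=my.ad.domain\nads_hostname=my.ad.domain\nads_port=389\n"
SAMPLE_GOOD_CFG = ("ads_domainname=my.ad.domain\n"
                   "ads_hostname=gc01.my.ad.domain,gc02.my.ad.domain\nads_port=3268\n")

if __name__ == "__main__":
    for finding in check_child_domain_config(parse_services_cfg(SAMPLE_BAD_CFG)):
        print("FINDING:", finding)
    print("good config findings:", check_child_domain_config(parse_services_cfg(SAMPLE_GOOD_CFG)))
```

The script only checks the file statically; whether the listed hosts actually hold the global catalog role still has to be confirmed against the domain controllers themselves.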
