Re: Directory Synchronization - Global Catalog
Advisor
Erik Wold
Posts: 25
Registered: ‎06-09-2009
Message 1 of 5 (189 Views)

Directory Synchronization - Global Catalog

Does anyone know if the TRIM DS tool can query against multi-domain active directories from a Global Catalog?

I know it's simple to do different domains with different DS configurations, but I have a client that uses Global Catalog where only 1 config and LDAP server would be able to query all domains. They have demonstrated that other tools query that way, but TRIMDS is unable to query the base DN of the directory without being domain specific (thus not using the global catalog).

Anyone have success using a global catalog?

Advisor
Ross Phillips
Posts: 20
Registered: ‎08-26-2009
Message 2 of 5 (189 Views)

Re: Directory Synchronization - Global Catalog

I can confirm that TrimDS is happily syncing from a GC here (two distinct domains each with its own TRIM user/security group).

My TrimDS LDAP connection string connects to the GC at the top level

e.g. gcldap.example.com.au

search base dc=example,dc=com,dc=au

I then use two "entries" to query each domain separately:

Entry 1 search dn = dc=domain1,dc=example,dc=com,dc=au

(memberOf=CN=TRIMUsers,OU=Security Groups,OU=Groups,dc=domain1,dc=example,dc=com,dc=au)

Entry 2 search dn = dc=domain2,dc=example,dc=com,dc=au

(memberOf=CN=TRIMUsers,OU=Security Groups,OU=Groups,dc=domain2,dc=example,dc=com,dc=au)

It took a bit of fiddling on the AD side to get it to work, but it beats running separate synchronisations for each domain. I'm a TRIM user, not an AD tech, but I hope that's of some help!

Advisor
Erik Wold
Posts: 25
Registered: ‎06-09-2009
Message 3 of 5 (189 Views)

Re: Directory Synchronization - Global Catalog

Are you able to provide any info on the fiddling that was done with AD?

Your description was excellent, but we ran into an empty search window with the 2nd domain filter running against the 2nd domain search base.

Our workaround was to use different connection details for each entry and that allowed us 1 config with multiple servers.

Advisor
Ross Phillips
Posts: 20
Registered: ‎08-26-2009
Message 4 of 5 (189 Views)

Re: Directory Synchronization - Global Catalog

I'm afraid I can't provide any insight into how the GC was established - I'm well separated from that side of things sorry!

In case it's of any help, I've attached a quick working example TrimDS configuration from our UAT environment (with a few details changed to protect the guilty) ;)

Also consider enabling verbose logging when running in report-only mode to track down any errors.

Honored Contributor
EWillsey
Posts: 1,930
Registered: ‎04-20-2010
Message 5 of 5 (189 Views)

Re: Directory Synchronization - Global Catalog

If the second query string is returning an empty search window then I'd bet that the domain trust isn't transitive and bidirectional.
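
A way to narrow down the empty result discussed in messages 3 and 5, as an added example that is not part of the original thread or of TrimDS: it runs each entry's filter from message 2 once against the Global Catalog and once against the entry's own domain, and reports the group's scope. The per-domain DNS names and the use of the standard GC port 3268 are assumptions; the ActiveDirectory (RSAT) module is required.

```powershell
# Added diagnostic example, not TrimDS code. Read-only queries.
Import-Module ActiveDirectory

# GC host from message 2; 3268 is the standard Global Catalog LDAP port (assumed here).
$gc = 'gcldap.example.com.au:3268'

# The two TrimDS entries from message 2. Domain = DNS name of each domain (assumed).
$entries = @(
    @{ Domain = 'domain1.example.com.au'
       Base   = 'dc=domain1,dc=example,dc=com,dc=au'
       Group  = 'CN=TRIMUsers,OU=Security Groups,OU=Groups,dc=domain1,dc=example,dc=com,dc=au' },
    @{ Domain = 'domain2.example.com.au'
       Base   = 'dc=domain2,dc=example,dc=com,dc=au'
       Group  = 'CN=TRIMUsers,OU=Security Groups,OU=Groups,dc=domain2,dc=example,dc=com,dc=au' }
)

$report = foreach ($e in $entries) {
    $filter = "(memberOf=$($e.Group))"
    $common = @{ SearchBase = $e.Base; SearchScope = 'Subtree'; LDAPFilter = $filter }

    try {
        # Same base and filter, two servers: the GC, then a DC of the entry's own domain.
        $fromGc = @(Get-ADUser @common -Server $gc -ErrorAction Stop)
        $fromDc = @(Get-ADUser @common -Server $e.Domain -ErrorAction Stop)
        $scope  = (Get-ADGroup -Identity $e.Group -Server $e.Domain -ErrorAction Stop).GroupScope
        $errorText = $null
    } catch {
        # Referral, bind or trust failures surface here instead of as a silent empty result.
        $fromGc = @(); $fromDc = @(); $scope = $null
        $errorText = $_.Exception.Message
    }

    [pscustomobject]@{
        SearchBase = $e.Base
        GroupScope = $scope      # DomainLocal, Global or Universal
        GcCount    = $fromGc.Count
        DcCount    = $fromDc.Count
        Error      = $errorText
    }
}

# GcCount = 0 with DcCount > 0 means the filter is fine and the GC lacks the data:
# a GC only evaluates memberOf completely for universal groups and for groups
# of the GC server's own domain, so check GroupScope for that entry.
$report | Format-Table -AutoSize
```

If both counts are zero, the filter or search base is wrong for that domain; if the domain query itself errors, the message in the Error column is the place to start, including for the trust question raised in message 5.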
