
Adding users from other AD domain

Participant III

Hello,

We currently use Centrify to authenticate one on premise Active Directory domain (say, "domain1.local") users. We have recently setup another domain (say, "domain2.local") and synchronized its users by using the same UPN suffix of "domain1.local" to Office 365. The issue that we face is "domain2.local" users are not loaded in the Centrify Cloud Manager. This causes the "domain2.local" users unable to logon to the Office 365 portal.

Can anybody assist in this problem?

Regards,
Ganesan

Centrify Guru I

@Ganesan,

Welcome back.

I am going by the example that you just mentioned.  You have added a new parallel forest (not a child domain e.g. north.contoso.com vs south.contoso.com).  Since these two forests are disjointed, you have several options based on your infrastructure or security posture.

With AD using a trust relationship: If both forests (domain1.local and domain2.local) have a transitive two-way trust relationship, the cloud connector will recognize the new forest and will start including users from the newly-trusted forest; however, this may not be aligned with your security goals.

With Centrify Identity Service: add a cloud connector on a properly sized Windows system to provide AD Proxy services to domain2.local. This way you can pick users, sync identities, and provide SSO and provisioning for O365 for users from both forests.

Check the cloud connector help for more info:  https://docs.centrify.com/en/centrify/adminref/index.html?version=141#page/cloudhelp%2Fcloud-admin-c...

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant III

Hi Robertson,

I have already installed a cloud connector for domain1.local. If I try to click "Add cloud connector" again, it always shows the "Add cloud connector" screen with "DOWNLOAD", "INSTALL" and "REGISTER" options.

How can we add a cloud connector for the other domain (domain2.local)? Do we have to set up another certificate?

Thanks for your help in advance.

Regards,

Ganesan

Centrify Guru I

Adding another cloud connector in that forest should be as simple as downloading and installing the cloud connector via the wizard on a properly sized 64-bit Windows server that is a member of that forest.

I am not sure what certificate you're talking about; please be specific.

All certs are provided to you (publicly rooted) unless you choose to use your own Certification Authority.

Participant III

Thanks for your explanation.

Do you mean setting up another member server (in forest2) having the Centrify Cloud Connector alone?

Don't we have to configure anything in the Cloud Manager or set up another Centrify server like what we did for forest1?

Centrify Guru I

@Ganesan,

Do you mean setting up another member server (in forest2) having Centrify Cloud Connector alone?

Please understand that there's a design decision to be made first. I am not sure you understood my original reply.

Will forest1 and forest2 ever have a two-way trust relationship?

  • If the answer is Yes, you may not have to do anything else; you'll be able to see users from the other forest due to the transitive nature of two-way trusts.
  • If the answer is No, then you need to add a cloud connector in forest2 that provides an AD proxy to your CIS tenant to expose users and groups from that forest.

Let me illustrate an example from one of my demo environments.

I have a local forest running in one of my virtual environments called centrifyimage.vms, but I also have another forest in AWS called corp.centrifying.net. Sometimes I need to provide demos outlining exactly what you just inquired about. Here's a diagram:

[image: multi-forest.png]

So what I did, was to add Cloud Connectors on member servers on both forests:

[image: ccs.png]

Now when I need to pick users or groups, I can do it from both disjointed forests:

[image: multi-forest.png]

For example, if I want to invite a user, notice that I can pick from the different forests.

[image: dual users.png]

This is a very powerful capability that allows Centrify Identity Service and Privilege Service to bridge and provide SSO, Application and Privilege (vaulting, session, etc.) to organizations that may have different forests with no relationship.

I hope this helps.

R.P

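The design decision in the reply above (two-way transitive trust vs. a second cloud connector) can be checked from the existing connector host before anything is installed. This is an added example, not code from the thread or from Centrify; it assumes the RSAT ActiveDirectory module is present and uses the forest names domain1.local and domain2.local from the question.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module,
# run on a domain-joined Windows host in the forest the existing connector serves.
Import-Module ActiveDirectory

function Test-ForestTwoWayTrust {
    param(
        # Forest whose users you want exposed to the tenant, e.g. 'domain2.local' from the thread.
        [Parameter(Mandatory)] [string] $TargetForest
    )
    # Forest the local machine belongs to (domain1.local in the thread's example).
    $localForest = (Get-ADDomain).Forest

    if ($localForest -ieq $TargetForest) {
        return [pscustomobject]@{ Target = $TargetForest; LocalForest = $localForest
                                  Result = 'SameForest';  NeedsConnector = $false }
    }

    # Forest trust objects live in the forest root domain, so query a root-domain DC.
    $trust = Get-ADTrust -Server $localForest -Filter "Target -eq '$TargetForest'" -ErrorAction SilentlyContinue

    if ($trust -and $trust.Direction -eq 'BiDirectional' -and $trust.ForestTransitive) {
        # Option 1 from the reply: a two-way transitive forest trust exists, so the
        # connector already in $localForest can enumerate users from $TargetForest.
        return [pscustomobject]@{ Target = $TargetForest; LocalForest = $localForest
                                  Result = 'TwoWayForestTrust'; NeedsConnector = $false }
    }

    # Option 2 from the reply: no usable trust (none, one-way, or non-transitive), so a
    # cloud connector on a member server inside $TargetForest is required.
    $detail = if ($trust) { "trust present but Direction=$($trust.Direction), ForestTransitive=$($trust.ForestTransitive)" } else { 'no trust object found' }
    return [pscustomobject]@{ Target = $TargetForest; LocalForest = $localForest
                              Result = "NoUsableTrust ($detail)"; NeedsConnector = $true }
}

# Usage: NeedsConnector = $true means install a connector on a domain2.local member server.
Test-ForestTwoWayTrust -TargetForest 'domain2.local' | Format-List
```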
Participant III

The two forests *DO NOT* and *CANNOT* have a trust relationship with each other. I will set up a new Cloud Connector in a member server of forest and let you know how it goes.

Thanks for your help.

Participant III

This worked like a charm, albeit it requires a Centrify Cloud Connector restart to make the other forest visible on the Invite Users page.