Sync universal groups and users in a multi-domain Active Directory

Organizations can have multiple Active Directory (AD) domains for different geographical regions. To sync all of the users in all groups, EAA offers the global catalog server option. When this option is not selected, groups and users belonging to other domains in the same AD forest are not synced.

Organizations may deploy an Active Directory (AD) forest containing many domains. Each domain may represent a separate geographical region, or teams within a company such as marketing, engineering, and customer support. A domain is controlled by its AD domain controller, and that domain controller is added to Enterprise Application Access (EAA) to sync the groups and users within that domain. To sync groups and users belonging to other domains within the same forest, EAA has the global catalog option. When this option is not selected, groups and users belonging to other domains within the same AD forest are not synced from the server. Complete this procedure to sync universal groups and users belonging to other domains within the AD forest.

How to

  1. Log in to the EAA Management Portal as an administrator.
  2. From the top menu bar select Identity > Directories.
  3. Locate the directory card for the Active Directory in which you want to enable global sync across multiple domains. Click Settings (gear icon).
  4. Click Show additional attributes and select Global catalog server.
  5. Click Save directory.
  6. Return to the directory card and click Sync. You should see all users synced across multiple domains.
    Note: EAA uses ports 3268 and 3269 on the global catalog server to sync groups and users. Administrators should make sure EAA can communicate with the Active Directory on these ports and configure firewall rules to allow traffic on them.
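Two checks a practitioner would want before and after enabling the option, as an added example that is not EAA code: whether the global catalog ports are reachable from the host that will talk to it (assumed to be the connector), and whether a query against the catalog really returns objects from more than one domain plus universal-scope groups. `SAMPLE_LDIF` is a constructed stand-in for `ldapsearch` output; `gc.corp.example.com` and the DNs are assumptions.

```python
"""Check global catalog reachability and the cross-domain content it returns.
Assumed query that produced the LDIF (run from the connector host):
  ldapsearch -H ldap://gc.corp.example.com:3268 -b "DC=corp,DC=example,DC=com" \
      "(|(objectClass=user)(objectClass=group))" dn groupType
"""
import socket

GC_PORTS = {3268: "ldap", 3269: "ldaps"}   # GC ports EAA uses (plain LDAP / LDAP over TLS)
UNIVERSAL_FLAG = 0x8                      # AD groupType bit set only for universal-scope groups


def gc_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, unreachable, or timed out
        return False


def check_gc_ports(host, timeout=3.0):
    """Map each GC port to whether it is reachable; both should be True before enabling the option."""
    return {port: gc_port_open(host, port, timeout) for port in GC_PORTS}


def parse_ldif(text):
    """Yield one dict of lower-cased attribute -> [values] per blank-line-separated LDIF entry."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        key, _, value = line.partition(": ")
        entry.setdefault(key.lower(), []).append(value)
    if entry:
        yield entry


def domain_of(dn):
    """DNS domain from a DN's DC= components (simple split; RDN values with commas are not handled)."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


def summarize(ldif_text):
    """Return (entries per domain, universal group DNs). A working GC query spans more than one domain."""
    per_domain, universal = {}, []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        per_domain[domain_of(dn)] = per_domain.get(domain_of(dn), 0) + 1
        group_type = int(entry.get("grouptype", ["0"])[0]) & 0xFFFFFFFF  # negative values are security groups
        if group_type & UNIVERSAL_FLAG:
            universal.append(dn)
    return per_domain, universal


# Constructed sample: one universal security group, one global group, one user from a third domain.
SAMPLE_LDIF = """\
dn: CN=All Engineers,OU=Groups,DC=corp,DC=example,DC=com
groupType: -2147483640

dn: CN=EMEA Sales,OU=Groups,DC=emea,DC=corp,DC=example,DC=com
groupType: -2147483646

dn: CN=Jane Doe,OU=Users,DC=apac,DC=corp,DC=example,DC=com
"""
```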