How to Configure Group Mapping for Users in Multiple Domains

Created On 09/25/18 17:19 PM - Last Modified 06/08/23 05:43 AM


Resolution


Details

The key to getting group mappings to work for groups that have users existing in multiple domains is to make sure that the mappings are configured against the root domain, and not a child domain.

The reason is that even when the group mapping points at a Global Catalog, only the DN strings of the group's members are pulled down. A second LDAP query is then executed for each DN to retrieve its sAMAccountName, because the usernames in the group must match what is held in the ip-user-mapping database, which stores them in the form Domain\Username. The DN string will not match that form, so the second LDAP query supplies the username.

If this is done against a child domain, the Global Catalog still provides the DN strings for users in every domain; however, the sAMAccountName query returns only the users that exist in that child domain, because the child domain's partition holds only its own users.

Even if the root domain is completely empty, it still holds a full 'read-only' partition of all the users in all of the child domains. Therefore, the best way to do this is to configure a Global Catalog (port 3268) server profile pointing at the root domain controllers, and also an LDAP (port 389) server profile pointing at the root domain controllers. Set the 'Server Profile' in the Group Mapping object to the Global Catalog profile (so the groups in all domains can be seen). The sAMAccountName query then runs against the root domain and returns all of the users in all of the domains.
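As an added example (not from the article and not PAN-OS code), a small Python check that takes the member DNs a Global Catalog query returns for a group, derives each member's domain from its DC= components, and reports which members an LDAP (389) lookup against a given server profile domain would fail to resolve. The forest layout, domain names and DNs are constructed, and the "root resolves everyone" rule follows the article's description above.

```python
"""Which members of a group would the LDAP (389) lookup fail to resolve?

The Global Catalog returns every member's DN; the follow-up sAMAccountName
query only succeeds for users whose partition the queried DC holds. Per the
article, the root DCs hold a read-only copy of every child domain's users,
while a child DC holds only its own domain. Sample data is constructed.
"""
import re

# Constructed sample: member DNs as a Global Catalog (3268) query returns them.
GROUP_MEMBER_DNS = [
    "CN=Alice,OU=Users,DC=corp,DC=example,DC=com",
    "CN=Bob,OU=Users,DC=emea,DC=corp,DC=example,DC=com",
    "CN=Carol\\, Jr,OU=Staff,DC=apac,DC=corp,DC=example,DC=com",
    "CN=Dave,OU=Users,DC=emea,DC=corp,DC=example,DC=com",
]
ROOT_DOMAIN = "corp.example.com"  # constructed forest root


def dn_domain(dn: str) -> str:
    """Return the DNS domain encoded in a DN's DC= components, lower-cased.
    Splits on unescaped commas only, so 'CN=Carol\\, Jr' stays one RDN."""
    rdns = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    dcs = [p[3:] for p in rdns if p.upper().startswith("DC=")]
    return ".".join(dcs).lower()


def unresolvable_members(member_dns, profile_domain: str, root_domain: str):
    """DNs whose sAMAccountName lookup comes back empty when the LDAP (389)
    server profile points at profile_domain. The root holds all users, so
    nothing is unresolvable there; a child domain resolves only its own."""
    profile_domain = profile_domain.lower()
    if profile_domain == root_domain.lower():
        return []
    return [dn for dn in member_dns if dn_domain(dn) != profile_domain]


def report(member_dns, profile_domain: str, root_domain: str) -> str:
    """Human-readable summary for a given server profile target."""
    missing = unresolvable_members(member_dns, profile_domain, root_domain)
    if not missing:
        return f"{profile_domain}: all {len(member_dns)} members resolve"
    names = ", ".join(dn.split(",")[0] for dn in missing)
    return f"{profile_domain}: {len(missing)} member(s) will NOT map: {names}"


if __name__ == "__main__":
    for target in ("emea.corp.example.com", ROOT_DOMAIN):
        print(report(GROUP_MEMBER_DNS, target, ROOT_DOMAIN))
```

Pointing the profile at a child domain lists the members from other domains that would silently drop out of the mapping; pointing it at the root lists none.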

owner: jhillon


