Up to PAN-OS 6.1, for later OS versions, see this article
Overview
This document describes how to correctly configure group-mapping to avoid inconsistencies in username format for cross-domain users in a multi-domain Active Directory Domain Services (AD DS) forest. If fetching all objects (user or groups) from any other domain in the forest, use AD server defined as Global Catalog in group-mapping. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain members of the forest.
Important! If not configured properly, there can be issues where some users in group-mapping are formatted as fqdn-domain-name/username (dummy.example.com/username) instead of netbios/domain-name (dummydomain/username), leading to inconsistencies with ip-user-mapping fetched from User-ID Agent or by the agentless User-ID service.
Steps
AD server configured as Global Catalog role (usually the root domain) needs to be configured under LDAP server profiles. Connect to this server on port 3268 (or 3269 for SSL).
As usual, configure the Domain field to have PAN-OS replace the domain name. Leave it blank otherwise. Note: Be aware that doing this on Global Catalog will replace domain name for ALL users and groups fetched from this server, including those from other domains (members of the forest). Only add a domain name into this field if keeping it blank causes problems. For example, if the domain is "acme.local" but "acme" is needed, then enter "acme" in the Domain field.
Use this profile to configure the Group-Mapping (and configured included list if needed)
If the Domain Name was not configured manually in step 2, it is mandatory to configure an additional group-mapping using another LDAP server profile, querying the same AD server on regular port 389 (or 636 for SSL). This operation is mandatory to correctly populate domain-map used to normalize user format as netbios_domain_name/username
This profile will only be using to fetch domain-map; configuring Domain field is not necessary and may be left blank. The AD server used here can be another Domain Controller of your forest and the partition container we query for domain-map is replicated through all Domain Controllers. Please see the note on Step 2.
If Active Directory contains a large number of users and groups, you are advised to configure some search filters for users and groups in the GM-AD setting. This is to mitigate the impact of LDAP query results on the Management-Plane resources for this Group-Mapping.
As this Group-Mapping is only used to determine the domain-map, getting and handling the results for users and group is not necessary.
In this example, search filters are configured with a 'Dummy' string that must be contained in the description field of users and groups to guarantee LDAP query results in 0.