Is Multi-forest Active Directory Environment Supported?

39316
Created On 09/25/18 19:21 PM - Last Modified 06/14/23 05:38 AM


Resolution


Palo Alto Networks does not support a multi-forest Active Directory environment, even if there is a trust between the two forests.

For example, suppose there are two different forests (forest A and forest B), each with its own domain (domain 1 and domain 2), and a trust exists between the two forests. If a security policy is created with the source user “domain1\auth_users”, and that security group contains a member from the other forest (domain2\user1), this type of rule will not work.

Workaround

The best workaround is to install a separate User-ID agent for each domain in each forest. You must also create individual security policies for each set of groups within each domain.
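To make the behaviour described above and the workaround concrete, here is an added example that is not part of this knowledge base article and not Palo Alto Networks code. It is a small model, in which the forest, domain, group and user names are constructed, and the rule that an agent bound to one forest cannot resolve a member from the other forest is an assumption modelling the article's statement; the per-domain agents and per-domain rules then show why the workaround matches the same user.

```python
# Added example, not from the Palo Alto Networks article: a small model of how a
# group-based security policy resolves users across two AD forests.  The forest,
# domain, group and user names below are constructed, and the resolution rule
# (a cross-forest member cannot be resolved by an agent bound to one forest) is
# an assumption that models the article's statement.

from dataclasses import dataclass, field


@dataclass
class Forest:
    name: str
    domains: set                                  # domains belonging to this forest
    groups: dict = field(default_factory=dict)    # "domain\\group" -> {"domain\\user", ...}


# Constructed sample environment: forest A holds domain1, forest B holds domain2,
# and a forest trust lets domain2\user1 be a member of domain1\auth_users.  In AD
# such a cross-forest member is stored in domain1 only as a foreign security
# principal (a SID), so resolving it to a user name needs the other forest.
FORESTS = [
    Forest("A", {"domain1"}, {"domain1\\auth_users": {"domain1\\alice", "domain2\\user1"}}),
    Forest("B", {"domain2"}, {"domain2\\staff": {"domain2\\user1", "domain2\\bob"}}),
]


def domain_of(principal):
    """Return the NetBIOS domain part of 'domain\\name'."""
    return principal.split("\\", 1)[0]


def forest_of(domain):
    """Return the forest that owns `domain`, or None if it is unknown."""
    for forest in FORESTS:
        if domain in forest.domains:
            return forest
    return None


def resolve_members(agent_domain, group):
    """Model a User-ID agent bound to `agent_domain` enumerating `group`.

    Only groups inside the agent's own forest are visible to it, and members
    from another forest are left unresolved and therefore dropped from the
    group mapping (model assumption reflecting the article).
    """
    forest = forest_of(agent_domain)
    if forest is None or domain_of(group) not in forest.domains:
        return set()
    members = forest.groups.get(group, set())
    return {m for m in members if domain_of(m) in forest.domains}


def policy_matches(agent_domains, user, source_user):
    """True when any configured agent maps `user` into the rule's source group."""
    return any(user in resolve_members(agent, source_user) for agent in agent_domains)


def first_matching_rule(agent_domains, user, rules):
    """Evaluate an ordered rulebase of (rule name, source user group) pairs and
    return the name of the first matching rule, or None (implicit deny here)."""
    for name, source_user in rules:
        if policy_matches(agent_domains, user, source_user):
            return name
    return None


if __name__ == "__main__":
    # Unsupported design: one agent in domain1, one rule using domain1\auth_users.
    one_agent = ["domain1"]
    single_rule = [("allow-auth-users", "domain1\\auth_users")]
    print(first_matching_rule(one_agent, "domain1\\alice", single_rule))   # allow-auth-users
    print(first_matching_rule(one_agent, "domain2\\user1", single_rule))   # None: cross-forest member never matches

    # Workaround: an agent per domain in each forest, and a separate rule per domain's groups.
    per_domain_agents = ["domain1", "domain2"]
    per_domain_rules = [
        ("allow-domain1-auth-users", "domain1\\auth_users"),
        ("allow-domain2-staff", "domain2\\staff"),
    ]
    print(first_matching_rule(per_domain_agents, "domain2\\user1", per_domain_rules))  # allow-domain2-staff
```

The point the model makes visible is that the failure is silent from the policy's perspective: the rule is valid and matches domain1 users, while the cross-forest member simply never appears in the group mapping, so traffic from that user falls through to later rules. Giving each domain its own agent and its own rule keeps every group lookup inside one forest.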

See Also

What is a Global Catalog: http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx

The role of the Global Catalog: http://technet.microsoft.com/en-us/library/cc736934(v=ws.10).aspx

owner: rvanderveken
