Firewall unable to retrieve members of Active Directory Users and Groups

Firewall is unable to retrieve users/members of certain Active Directory User Groups, though all group-mapping profiles point towards the same LDAP server.

• Palo Alto Firewalls
• Supported PAN-OS
• Active Directory (AD) Server
• LDAP Server Profile
• Group-Mapping Profile

• Group-mapping profile will only retrieve the users and groups within the scope of the AD Base DN.
• For example, if the Base DN configured on the LDAP server profile is "ou=north,dc=company,dc=com", it will not have any access to users and groups outside of that scope like "ou=south,dc=company,dc=com", "ou=east,dc=company,dc=com", or "ou=west,dc=company,dc=com" sections of the forest.

1. SINGLE DOMAIN IN THE FOREST:
   1. Only the AD path that has "dc=" need to be used for the Base DN.  For example: "dc=company,dc=com".
2. MULTIPLE DOMAINS IN THE FOREST:
   1. Method 1: The entire AD path that leads to the root of each domain that is going to be monitored can be typed in the Base DN. For example: "ou=domain-1,dc=company,dc=com", "ou=domain-2,dc=company,dc=com", or "ou=domain-3,dc=company,dc=com".
   2. Method 2: All of the domains in the forest can be accessed by making the connection to a domain controller with Global Catalog. This is the recommended configuration as it is the top-level domain.

The active directory path is composed of the following:

• DC (Domain Component)
• OU (Organizational Unit) - Used only to access a specific sub-domain.
• CN (Common Name) - Used only to identity a specific group.