User-ID domain is displayed in FQDN format instead of NetBIOS format when users are mapped from a Child Domain

Created On 03/16/23 15:43 PM - Last Modified 01/24/24 14:41 PM


Symptom


  • User-ID domains are not conforming to NetBIOS format, and are instead using the FQDN domain
  • No domain-map is present for the child domain when using the command 'debug user-id dump domain-map'
admin@vm-100> show user ip-user-mapping all

IP                          Vsys                From     User                             IdleTimeout(s) MaxTimeout(s)
--------------------------- ------------------- ------- -------------------------------- -------------- -------------
10.50.200.10                vsys1               AD      child.dan.lab\user1                   7063           7063
10.50.200.1                 vsys1               AD      child.dan.lab\administrator           6799           6799
10.50.10.13                 vsys1               AD      child.dan.lab\john.doe                2868           2868
admin@vm-100> debug user-id dump domain-map

admin@vm-100>


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1 and above
  • User-ID IP Mapping
  • User-ID Group Mapping configured for the Child Domain
  • Active Directory Child Domain


Cause


  • A domain-map is necessary for the device to map between the FQDN domain name and the NetBIOS domain format.
  • The article "All about User-ID domain map" has more information about the domain-map.
  • The domain-map is retrieved through a Group Mapping refresh, and targets the configuration partition in LDAP:
    CN=Partitions,CN=Configuration,DC=<domaincomponent>,DC=<domaincomponent>
  • In a Child Domain, the LDAP query will target the Child Domain DN, but the configuration partition is stored on the Child Domain Controller using the Root Domain's DN.
  • This can be seen when connecting to the configuration partition in ADSI Edit:
  • ADSI Edit is connected to the configuration partition on Domain Controller [dandc2.child.dan.lab]
  • But the configuration DN is [CN=Configuration,DC=dan,DC=lab] - This is [dan.lab]

  [Screenshot: ADSI Edit connected to dandc2.child.dan.lab, showing the configuration partition as CN=Configuration,DC=dan,DC=lab]

  • The LDAP Query will start from the Base DN configured in the LDAP Profile used for Group Mapping.
  • For a Child Domain, this Base DN will not cover the Root Domain DN where the configuration partition is.
  • This causes the LDAP query to fail with a "No such object" error.

  [Screenshot: the "No such object" LDAP error returned for the child-domain Base DN]
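The following is an added example, not code from the article or from Palo Alto Networks: a small Python model of the lookup the Cause section describes. The domain names and NetBIOS names (dan.lab/dan, child.dan.lab/danchild) come from the article's output; the ForestModel class, and the assumption that the firewall builds its query by prefixing CN=Partitions,CN=Configuration to the profile's Base DN, are constructed for illustration. dnsRoot, nETBIOSName and nCName are the standard attributes of the crossRef objects in the Partitions container.

```python
"""Added example, not from the article: model why a Group Mapping LDAP profile
whose Base DN is the child domain cannot retrieve the User-ID domain-map."""

CONFIG_NC_PREFIX = "CN=Partitions,CN=Configuration,"


def fqdn_to_dn(fqdn: str) -> str:
    """DNS name -> AD domain DN, e.g. child.dan.lab -> DC=child,DC=dan,DC=lab."""
    return ",".join(f"DC={label}" for label in fqdn.strip(".").split("."))


def normalize_dn(dn: str) -> tuple:
    """Case- and whitespace-insensitive form of a DN (escaped commas not handled)."""
    return tuple(
        (attr.strip().lower(), value.strip().lower())
        for attr, _, value in (rdn.partition("=") for rdn in dn.split(","))
    )


class ForestModel:
    """Constructed stand-in for one domain controller. Whatever domain the DC
    serves, its replica of the forest-wide Partitions container lives under the
    forest root DN, which is what the ADSI Edit observation above shows."""

    def __init__(self, forest_root: str, domains: dict):
        self.partitions_dn = CONFIG_NC_PREFIX + fqdn_to_dn(forest_root)
        # One crossRef object per domain; these attribute names are the real
        # ones that pair a domain's FQDN with its NetBIOS name.
        self.cross_refs = [
            {"dnsRoot": fqdn, "nETBIOSName": netbios, "nCName": fqdn_to_dn(fqdn)}
            for fqdn, netbios in domains.items()
        ]

    def search_partitions(self, base_dn: str) -> dict:
        """Domain-map query as assumed here: CN=Partitions,CN=Configuration is
        prefixed to the profile's Base DN and the crossRef entries beneath that
        object are read. If that object does not exist on the DC, LDAP answers
        'No such object', which is what a child-domain Base DN produces."""
        target = CONFIG_NC_PREFIX + base_dn
        if normalize_dn(target) != normalize_dn(self.partitions_dn):
            raise LookupError(f"No such object: {target}")
        return {r["dnsRoot"]: r["nETBIOSName"] for r in self.cross_refs}


def domain_map_for_base_dn(dc: ForestModel, base_dn: str) -> dict:
    """FQDN -> NetBIOS map the firewall would end up with; empty on failure."""
    try:
        return dc.search_partitions(base_dn)
    except LookupError:
        return {}


# Constructed forest matching the article: root dan.lab, child child.dan.lab,
# queried through the child-domain DC dandc2.child.dan.lab.
CHILD_DC = ForestModel("dan.lab", {"dan.lab": "dan", "child.dan.lab": "danchild"})

if __name__ == "__main__":
    for base in ("DC=child,DC=dan,DC=lab", "DC=dan,DC=lab"):
        result = domain_map_for_base_dn(CHILD_DC, base) or "No such object"
        print(f"Base DN {base}: {result}")
```

Run as a script, it reports the failed lookup for the child-domain Base DN and the full map for the root-domain Base DN, which is why a second LDAP profile rooted at the forest root is what resolves the symptom.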


Resolution


Add a second Group Mapping configuration connecting to the same Child Domain Controller with a Base DN of the Root Domain.

  1. Create a new LDAP Server Profile. This Server Profile should have the same servers and settings as the existing LDAP Server Profile currently used for Group Mapping, but the Base DN should be changed to the Root Domain instead of the Child Domain.
  2. Create a new Group Mapping configuration using the new LDAP Server Profile. This Group Mapping is only going to be used to retrieve the domain-map, and not for retrieving any users or groups.
  3. To ensure this Group Mapping configuration doesn't fetch any users or groups, configure Search Filters for User and Group objects with an LDAP filter which will not match any valid Groups or Users.

  [Screenshot: Group Mapping Settings with the non-matching User and Group search filters]

  4. Click OK and commit the configuration.
  5. Once the configuration has been committed, 'debug user-id dump domain-map' should now display Domain Maps retrieved from the root domain.

admin@vm-100> debug user-id dump domain-map

dan.lab                                            : dan
 vsys1 dc=dan,dc=lab
child.dan.lab                                      : danchild
 vsys1 dc=child,dc=dan,dc=lab
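The following is an added example, not code from the article or from Palo Alto Networks: a Python parser for the 'debug user-id dump domain-map' output shown above, with a check that the child domain is now mapped and a demonstration of what the map is used for. The sample output is copied from the article; the output format handled by the regular expressions is taken from that sample only, and the FQDN-to-NetBIOS rewrite of a username mirrors the behaviour the Symptom section describes rather than the firewall's own code.

```python
"""Added example, not from the article: parse the domain-map dump and confirm
the child domain now has a NetBIOS name."""

import re

# Constructed from the article's post-fix output.
DOMAIN_MAP_OUTPUT = """\
dan.lab                                            : dan
 vsys1 dc=dan,dc=lab
child.dan.lab                                      : danchild
 vsys1 dc=child,dc=dan,dc=lab
"""

# Header line: "<fqdn>   : <netbios>"; per-vsys line: " vsysN <base dn>".
HEADER = re.compile(r"^(\S+)\s*:\s*(\S+)\s*$")
VSYS_LINE = re.compile(r"^\s+(vsys\d+)\s+(\S+)\s*$")


def parse_domain_map(text: str) -> dict:
    """Return {fqdn: {"netbios": name, "vsys": {vsysN: base_dn}}}.
    An empty dump (the pre-fix state) parses to an empty dict."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1).lower()
            result[current] = {"netbios": m.group(2), "vsys": {}}
            continue
        m = VSYS_LINE.match(line)
        if m and current:
            result[current]["vsys"][m.group(1)] = m.group(2).lower()
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return result


def missing_domains(domain_map: dict, expected: list) -> list:
    """Domains User-ID still has no NetBIOS name for; non-empty means the
    second Group Mapping has not delivered the map yet."""
    return [d for d in expected if d.lower() not in domain_map]


def to_netbios_user(user: str, domain_map: dict) -> str:
    """Rewrite domain\\user from FQDN to NetBIOS form when a map entry exists.
    An unmapped domain is left as-is, which is the FQDN symptom described above."""
    domain, sep, name = user.partition("\\")
    if not sep:
        return user
    entry = domain_map.get(domain.lower())
    return f"{entry['netbios']}\\{name}" if entry else user


if __name__ == "__main__":
    dm = parse_domain_map(DOMAIN_MAP_OUTPUT)
    print("missing:", missing_domains(dm, ["dan.lab", "child.dan.lab"]))
    print(to_netbios_user("child.dan.lab\\user1", dm))
```

Feeding the empty pre-fix dump to parse_domain_map returns no entries, so missing_domains lists the child domain; after the fix the same check returns an empty list and mapped users render as danchild\user1.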

     


      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sb5aCAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail