CI Agent Multi Domain Support
- Updated on 24 Jun 2024
Overview
Cross Identity can connect to multiple domain controllers in an Active Directory domain that is on-boarded as a Directory in CI. Once the domain is configured in CI, the On-Prem agent automatically identifies the list of Domain Controllers in that AD domain and uses that list for any transactions (Authentication, User Import, Change Password, etc.) with that AD domain. The sections below provide the details of this feature.
A new component called the DC List Finder module is introduced in CI’s On-Prem agent to support detecting the list of domain controllers in an AD Domain.
CI can be integrated with either a single AD domain or multiple AD domains. The deployment of CI’s On-Prem agent depends on which integration scenario applies:
- Single Domain Integration
- Multiple Domain Integration
CI On-Prem Agent Deployment for Single AD Domain
This section provides the details of Cross Identity’s On-Prem agent deployment for a single AD domain. The diagram below shows the high-level architecture of this deployment:
How it works
In the Single Active Directory Domain scenario, both the On-Prem Agent and the DC List Finder module should be deployed on a domain-joined Windows Server. The DC List Finder module detects the list of domain controllers in the Active Directory domain and passes that list to the On-Prem Agent. The On-Prem Agent uses the list to establish communication with the Active Directory domain and perform any action on that domain.
CI On-Prem Agent Deployment for Multiple AD Domain
This section provides the details of Cross Identity’s On-Prem agent deployment for multiple AD domains. The diagram below shows the high-level architecture of this deployment:
How it works
In a Multiple Active Directory Domain scenario, the On-Prem Agent can be deployed on any Windows server that has connectivity to all the AD Domains integrated with CI.
The DC List Finder module should be deployed on a domain-joined Windows Server in each Active Directory Domain. Each DC List Finder module detects the list of domain controllers in its own Active Directory domain and passes that list to the On-Prem Agent. The On-Prem Agent uses this list to establish communication with that Active Directory domain and perform any action on that domain.
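The two "How it works" sections above describe the DC List Finder's job (detect every domain controller in a domain and hand the list to the agent) without showing how that detection is done. The following PowerShell is an added example, not Cross Identity's DC List Finder code, of the two standard ways a domain-joined Windows host can build such a list: the `_ldap._tcp.dc._msdcs.<domain>` SRV records that AD registers in DNS, and the .NET `System.DirectoryServices.ActiveDirectory` API. It also checks that LDAPS is reachable on each controller, since an agent should only hand out controllers it can actually use. The function name `Get-DomainControllerList` and the domain `corp.example.com` are placeholders chosen here.

```powershell
# Added example (not Cross Identity's DC List Finder): discover the domain controllers of
# one AD domain and check that LDAPS is reachable on each of them.
# Assumptions: runs on a Windows host that can resolve the domain's DNS zone; the
# DirectoryServices lookup additionally needs a domain-joined host. Domain names are placeholders.
function Get-DomainControllerList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. 'corp.example.com' (placeholder)
        [int] $LdapsPort = 636
    )

    $controllers = @{}

    # Method 1: DNS SRV records. AD registers every DC under _ldap._tcp.dc._msdcs.<domain>;
    # this works from any host that can query the AD-integrated DNS zone.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
        # The answer may carry A records for the targets too, so keep only the SRV entries.
        foreach ($r in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
            $name = $r.NameTarget.TrimEnd('.')
            $controllers[$name] = [pscustomobject]@{
                Name = $name; Source = 'DNS-SRV'; Priority = $r.Priority; Weight = $r.Weight; Site = $null
            }
        }
    } catch {
        Write-Warning "SRV lookup for $Domain failed: $($_.Exception.Message)"
    }

    # Method 2: .NET DirectoryServices. Needs a domain-joined host (or a DirectoryContext with
    # explicit credentials) and also yields the AD site of each DC, which SRV records do not.
    try {
        $ctx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new('Domain', $Domain)
        $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
        foreach ($dc in $dom.FindAllDomainControllers()) {
            $name = $dc.Name.TrimEnd('.')
            if ($controllers.ContainsKey($name)) {
                $controllers[$name].Site = $dc.SiteName
            } else {
                $controllers[$name] = [pscustomobject]@{
                    Name = $name; Source = 'DirectoryServices'; Priority = $null; Weight = $null; Site = $dc.SiteName
                }
            }
        }
    } catch {
        Write-Warning "DirectoryServices lookup for $Domain failed (host not domain-joined?): $($_.Exception.Message)"
    }

    # Reachability: test LDAPS (636) rather than plain LDAP (389) so that the agent's
    # authentication and password-change traffic to the chosen DC stays encrypted.
    foreach ($dc in $controllers.Values) {
        $tcp = Test-NetConnection -ComputerName $dc.Name -Port $LdapsPort -WarningAction SilentlyContinue -InformationLevel Quiet
        $dc | Add-Member -NotePropertyName LdapsReachable -NotePropertyValue ([bool]$tcp)
    }

    $controllers.Values | Sort-Object Priority, Name
}

# Usage (placeholder domain): list the DCs an agent could use, flagging unreachable ones.
# Get-DomainControllerList -Domain 'corp.example.com' | Format-Table Name, Source, Site, Priority, LdapsReachable
```

The DNS method alone is enough to enumerate controllers, which is why a single On-Prem Agent with network connectivity to every domain can work with lists produced elsewhere; the DirectoryServices method is the one that needs the domain-joined host the page's deployment diagrams call for, and it is the one that adds site information, useful for preferring a nearby controller. Merging both sources and dropping controllers that fail the LDAPS check gives the agent a list it can trust rather than one that includes decommissioned or firewalled DCs still present in DNS.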
Configuration
To obtain the list of domain controllers, the DCListFinder must be in place. The DCListFinder should be located on the CIDAgent server, where it contains the logic that collects the list of domain controllers.
To enable this functionality, a few changes are required in the Parameters.properties file:
- Set DCListFinder=true
- Set BIND_WITH_UPN=true
These settings ensure that the CIDAgent gathers and manages the domain controller list.
DCListFinder=true -> CIDAgent sends the request to DCListFinder to get the DC list.
MULTI_DOMAIN_CONTROLLERS_JAR_PORT -> Port of the CIDAgent.
Note:
In the current version, CIDAgent and DCListFinder must always run on a domain-joined system for DCListFinder to work.