
Connecting multiple AD domains with IDM

anujkhator
Explorer
0 Kudos

Hello,

I am working with a customer which has multiple AD domains (one parent, multiple child domains). Each domain has a different domain controller. Before proceeding with the configuration, I need your suggestion on the queries below:

  1. Can multiple AD domains be connected to IDM using a single repository, or is it one repository per domain?
  2. Microsoft provides ADMT (Active Directory Migration Tool) to migrate users between domains. Does SAP IDM have a pass/task to perform a similar action? Can modRDN be used to move users across domains?

Thanks,

Anuj Khator

former_member2987
Active Contributor
0 Kudos

Anuj ,

Yes, you can do modRDN via IDM.  Take a look here.

As others had mentioned, you'll want to set up one repository per domain. 

You could move users from one domain to another, but I think you would need to design a workflow for that.

Matt

anujkhator
Explorer
0 Kudos

Thanks Matt for the blog

If I set up one repository per domain, then I will not be able to use the modRDN operation for moving users from one domain to another, since a modRDN change only works for movement within a domain. Will the user's password remain the same after the modRDN operation?

The customer wants the user's password to remain the same after the movement from one domain to the other, so I believe the workflows will not be of help. Using workflows I can only delete and recreate the user in another domain. I will recommend a manual operation for cross-domain movement.

former_member2987
Active Contributor
0 Kudos

Anuj,

I don't even know if you can modRDN between different domains.

The password should not be changed unless you specify it in the workflow, as the passwords are stored in IDM as attributes.  So you could do something like the following, assuming that you are using a user and referencing the same MSKEYVALUE.

1. Remove / disable / move the old account connected to Repository A

2. Create a new account using Repository B.

You'd need to do some relatively fancy footwork, but it could be done.

Any interest in seeing something like this as a Blog / Document?

Matt

anujkhator
Explorer
0 Kudos

Matt,

Using modRDN, the password for the user will not remain the same, for the reasons below:

  1. The user's current password is stored in Active Directory, not in IDM
  2. The modRDN task copies an AD account to a new RDN and deletes the old one. I believe it doesn't copy the password attribute from one AD account to another

Please correct me if I am wrong.

Yes, a blog or document on this would definitely be helpful.  In case the password changes after the modRDN operation, you may add a statement in the blog that after modRDN the password for the user account doesn't remain the same.

Thanks,

Anuj

former_member2987
Active Contributor
0 Kudos

Anuj,

I've never known modRDN to change the password.  You're modifying the DN only, not recreating the whole entry.

Take a look at my existing modRDN blog.  I'll look into moving a user from one domain to another.

Matt
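
Anuj's original question, whether modRDN can move a user across domains, worked through as an added example in PowerShell. This is not code from the thread or from SAP IDM, and the domain names, host names, DN and account in it are assumptions. Within a single forest, Active Directory supports a cross-domain move: a modifyDN whose new parent lies in another domain, which `Move-ADObject -TargetServer` issues on your behalf. The script records objectGUID and pwdLastSet before the move and compares them afterwards, so it checks the two things the thread is unsure about rather than assuming them. Moving between forests is a different operation and is what ADMT (with its Password Export Server, if passwords are to be carried over) exists for.

```powershell
# Added example, not from the SAP IDM thread above: an intra-forest cross-domain
# move of one AD user with before/after checks on the attributes the thread worries
# about (the password, via pwdLastSet, and object identity). Host names, DNs and the
# sample account are assumptions for illustration. Needs the ActiveDirectory module
# (RSAT) and rights on the object in both domains.

$SourceDomain = 'child1.corp.example'
$TargetDomain = 'child2.corp.example'
$UserDn       = 'CN=Jane Doe,OU=Users,DC=child1,DC=corp,DC=example'
$TargetOu     = 'OU=Users,DC=child2,DC=corp,DC=example'

# A cross-domain move has to be issued against the RID master of the source domain;
# any other DC answers that it is "not the master for that type of operation".
$ridMaster = (Get-ADDomain -Identity $SourceDomain).RIDMaster
$targetDc  = (Get-ADDomainController -DomainName $TargetDomain -Discover).HostName |
             Select-Object -First 1

$before = Get-ADUser -Identity $UserDn -Server $ridMaster -Properties pwdLastSet

# Move-ADObject with -TargetServer is the LDAP cross-domain move: a modifyDN whose
# newSuperior lies in another domain of the same forest. This is the case a plain
# intra-domain modRDN does not cover.
Move-ADObject -Identity $UserDn -TargetPath $TargetOu -Server $ridMaster -TargetServer $targetDc

$newDn = "CN=$($before.Name),$TargetOu"
$after = Get-ADUser -Identity $newDn -Server $targetDc -Properties pwdLastSet, sIDHistory

# Identity checks: objectGUID survives a move (a delete-and-recreate would mint a new
# one); the object gets a SID from the new domain and the old SID should appear in
# sIDHistory so that existing ACLs keep resolving.
if ($after.ObjectGUID -ne $before.ObjectGUID) {
    throw "objectGUID changed: $newDn is a new object, not the moved one"
}
if ($after.SIDHistory -notcontains $before.SID) {
    Write-Warning "old SID $($before.SID) not found in sIDHistory of $newDn"
}

# Password check: pwdLastSet changes only when the password is (re)set. An unchanged
# value means the move itself did not reset the password.
if ($after.pwdLastSet -ne $before.pwdLastSet) {
    Write-Warning "pwdLastSet changed ($($before.pwdLastSet) -> $($after.pwdLastSet)): verify the password"
} else {
    Write-Output "Moved $UserDn -> $newDn; pwdLastSet unchanged ($($after.pwdLastSet))"
}
```

Run it against a test account first: the RID master requirement and the rights needed on both sides are the usual reasons a cross-domain move fails, and the pwdLastSet comparison tells you directly whether the password survived instead of leaving it to belief either way.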

former_member2987
Active Contributor
0 Kudos

I did some thinking about this and it should be relatively easy.

To do this, you'll need to set up two repositories, one for the first domain, another for the second.

Next, create initial load jobs and run them for both repositories.

Then your workflow is simple: you can drop the Domain A repository and then add the Domain B repository.

If you have people editing the user directly in AD, then you might need to do a quick reconciliation to update that user.

Does this help? If you need help with the user Recon, I will focus on that next.

Matt

anujkhator
Explorer
0 Kudos

Thanks Matt

The comments were helpful. I believe I will need some manual tasks to retain the passwords while changing the user's domain.

Regards,

Anuj

former_member2987
Active Contributor
0 Kudos

Anuj,

You can use MX_ENCRYPTED_PASSWORD (you'll need to decrypt it first; there's a script already created for that) and then pass it to the new domain.  Note that you'll need SSL configured to set the password using a ToLDAP pass.

Matt
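
Matt's closing point, that a ToLDAP pass needs SSL to set the password, demonstrated as an added example in PowerShell using System.DirectoryServices.Protocols. This is not code from the thread or from SAP IDM; the server name, DN and password are assumptions. Active Directory accepts a write to `unicodePwd` only on an encrypted session and expects the value as the UTF-16LE bytes of the password wrapped in double quotes. The function returns the LDAP result code so the cleartext and LDAPS cases can be compared side by side.

```powershell
# Added example, not from the thread or from SAP IDM: writing a user's password in
# the target domain directly over LDAP with System.DirectoryServices.Protocols.
# Server name, DN and password are assumptions for illustration.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Set-UnicodePwdOverLdap {
    param(
        [Parameter(Mandatory)] [string]$Server,          # a DC of the target domain
        [Parameter(Mandatory)] [string]$UserDn,
        [Parameter(Mandatory)] [securestring]$NewPassword,
        [switch]$UseSsl                                  # LDAPS on 636; plain LDAP on 389 otherwise
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # Kerberos/NTLM with the caller's credentials

    # AD only takes unicodePwd as the UTF-16LE encoding of the password in double quotes.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $bytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')

    # Replace = administrative reset. (A user-initiated change would be a Delete of the
    # old value followed by an Add of the new one in the same request.)
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($bytes)
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $UserDn
    [void]$req.Modifications.Add($mod)

    try {
        return $conn.SendRequest($req).ResultCode          # Success (0) when accepted
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # On a cleartext session the DC refuses the write with UnwillingToPerform (53)
        # and "00002077: SvcErr: DSID-..., problem 5003 (WILL_NOT_PERFORM)".
        return $_.Exception.Response.ResultCode
    }
    finally {
        $conn.Dispose()
    }
}

$pw = Read-Host -AsSecureString -Prompt 'New password for the moved account'
Set-UnicodePwdOverLdap -Server 'dc01.child2.corp.example' `
    -UserDn 'CN=Jane Doe,OU=Users,DC=child2,DC=corp,DC=example' -NewPassword $pw -UseSsl
```

Called without `-UseSsl` the bind succeeds but the modify comes back as UnwillingToPerform; with `-UseSsl` against a DC whose certificate the client trusts it returns Success. Because a Replace on unicodePwd is an administrative reset, "user must change password at next logon" and password-history policy apply as for any reset. If the value comes from a decrypted MX_ENCRYPTED_PASSWORD, keep the plaintext out of job logs and traces: that attribute is reversible by design, which is exactly why the ToLDAP pass carrying it must run over LDAPS.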