AD-Sync for Multi-Domain Structure

Hello, we would like to globally rollout DUO Security to our users and therfore synchronize a specific AD-Group or AD-Groups that spread over multiple geographic domain trees (e.g.,,, etc.).

To achive the user synchronization we would like to build a redundant pair of authentication proxy servers within our DMZ which will synchronize all the users from the different sub domains.

Would that be a valid setup and is it possible to synchronize all the sub domains from just one respectively two authentication proxys or would we have to spinn up an authentication proxy for each sub domain (two for redundancy reasons) ?

Are there any documentations regarding such a setup or do you know about where to find help about it? (Blogs, YouTube, etc.)

Thank you guys, regards

Hi Thomas,

Yes, this is possible in cases such as you describe here where you have child domains that exist under the same namespace as the root domain (i.e., and

To sync users from multiple child domains in an AD forest into Duo, use the Active Directory (AD) Global Catalog port. The default Global Catalog ports are 3268 (LDAP) and 3269 (LDAPS). Read more here.

Since you plan to have two servers, you may also want to check our best practices for setting up the Duo Authentication Proxy for high availability. We recommend using a load balancer over a failover pool. You can learn more about that here

1 Like