Is it possible to AD-sync users from multiple child domains in a forest into Duo?

thomas.busse
Level 1

Hello, we would like to globally roll out DUO Security to our users and therefore synchronize a specific AD group or AD groups that spread over multiple geographic domain trees (e.g. us.acme.com, de.acme.com, es.acme.com, etc.).

To achieve the user synchronization we would like to build a redundant pair of authentication proxy servers within our DMZ which will synchronize all the users from the different sub domains.

Would that be a valid setup, and is it possible to synchronize all the sub domains from just one, respectively two, authentication proxies, or would we have to spin up an authentication proxy for each sub domain (two for redundancy reasons)?

Is there any documentation regarding such a setup, or do you know where to find help about it? (Blogs, YouTube, etc.)

Thank you guys, regards
Thomas

Accepted Solution

Amy2
Level 5

Hi Thomas,

Yes, this is possible in cases such as you describe here where you have child domains that exist under the same namespace as the root domain (i.e., us.acme.com and emea.acme.com).

To sync users from multiple child domains in an AD forest into Duo, use the Active Directory (AD) Global Catalog port. The default Global Catalog ports are 3268 (LDAP) and 3269 (LDAPS). Read more here.

Since you plan to have two servers, you may also want to check our best practices for setting up the Duo Authentication Proxy for high availability. We recommend using a load balancer over a failover pool. You can learn more about that here.
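
Before building the proxy pair, a few checks from an admin host confirm that the Global Catalog path described in the answer above will actually work for the forest. This is an added PowerShell example, not code from the thread or from Duo; the host gc1.acme.com, the base DN DC=acme,DC=com and the group Duo-Users are assumed placeholders.

```powershell
# Added pre-deployment check (not Duo's code) for a directory sync that reads a
# forest through the Global Catalog. Run from a domain-joined admin host with the
# RSAT ActiveDirectory module. Names below are constructed for the example.
param(
    [string]$GlobalCatalog = "gc1.acme.com",   # any DC that hosts the GC role
    [string]$ForestRootDn  = "DC=acme,DC=com", # base DN covering every child domain
    [string]$SyncGroup     = "Duo-Users"       # the group to be synchronized
)
Import-Module ActiveDirectory

# 1. The proxy host must reach the GC ports: 3268 (LDAP) and 3269 (LDAPS).
foreach ($port in 3268, 3269) {
    $r = Test-NetConnection -ComputerName $GlobalCatalog -Port $port -WarningAction SilentlyContinue
    "{0}:{1} reachable = {2}" -f $GlobalCatalog, $port, $r.TcpTestSucceeded
}

# 2. On 3269 the DC's certificate must chain to a CA this host trusts, or the
#    proxy's LDAPS connection will fail validation (AuthenticateAsClient throws).
$tcp = [System.Net.Sockets.TcpClient]::new($GlobalCatalog, 3269)
try {
    $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $tls.AuthenticateAsClient($GlobalCatalog)
    "LDAPS cert OK: {0}, expires {1}" -f $tls.RemoteCertificate.Subject,
                                         $tls.RemoteCertificate.GetExpirationDateString()
} finally { $tcp.Close() }

# 3. A search rooted at the forest root DN on the GC port returns objects from
#    every child domain; the same search on 389/636 against one DC would not.
#    List the sync group's members and the domain each one actually lives in.
$gc = "{0}:3268" -f $GlobalCatalog
$group = Get-ADGroup -Filter "name -eq '$SyncGroup'" -SearchBase $ForestRootDn -Server $gc -Properties member
$group.member | ForEach-Object {
    $u = Get-ADObject -Identity $_ -Server $gc -Properties sAMAccountName, userPrincipalName
    [pscustomobject]@{
        Domain            = (($_ -split ',DC=') | Select-Object -Skip 1) -join '.'
        sAMAccountName    = $u.sAMAccountName
        userPrincipalName = $u.userPrincipalName
    }
} | Format-Table -AutoSize

# 4. The GC holds only the partial attribute set, so every attribute the sync
#    maps must be marked for GC replication in the schema. Constructed list.
$needed   = 'sAMAccountName', 'userPrincipalName', 'mail', 'displayName'
$schemaNc = (Get-ADRootDSE).schemaNamingContext
foreach ($a in $needed) {
    $s = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$a)" -Properties isMemberOfPartialAttributeSet
    "{0,-18} replicated to GC = {1}" -f $a, [bool]$s.isMemberOfPartialAttributeSet
}
```

Step 4 is the one that tends to surprise: a user attribute that is present on a domain controller's 389/636 port but not replicated to the Global Catalog will simply come back empty through 3268/3269.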

