Is it possible to have three different domains in the same forest with one [ad_client]?

Is it possible to AD-Sync multiple domains in the same forest? For example: abc.com and xyz.com, with an Auth Proxy that has only one ad_client section using port 3268, so that the Duo Proxy can read the different domains?

Hi @dorel

Great question! I’m going to move your post to its own topic to increase visibility. You are more likely to get an answer this way. It also helps others who have the same question find the answer later.

As a friendly reminder, please don’t create duplicate posts, as it makes it harder to find information in the community. Thank you!

First, you do not create an ad_client config section for AD Sync. Please re-read the AD directory sync instructions.

As for sync support for multiple domains:

  • abc.foo.com and zyx.foo.com where abc and zyx are domains in the foo.com forest - Yes, you can sync these domains in with a single sync and single Authentication Proxy. Point to a DC in the forest root domain, use the global catalog port, and set the base DN to the forest root. Ensure there are no duplicate usernames in the domains, as those users won’t sync correctly. Here is a KB article with more details: https://help.duo.com/s/article/2061.

  • abc.com and zyx.com where abc and zyx are separate forests with two-way trust, or domains in the same forest with disjoint namespace - No, you cannot sync these domains in with a single sync. You would need a separate Authentication proxy and sync config for each domain.
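An added example (not Duo's code or anything posted in this thread) of the two checks the answer above implies before relying on one forest-root sync: whether each domain's DN sits inside the forest root's namespace (a child domain, as opposed to a disjoint namespace or a separate forest), and whether the same username appears in more than one domain. The forest root DC=foo,DC=com and the directory entries are constructed stand-ins for global catalog search results; nothing here contacts a domain controller.

```python
"""Sanity checks for a single forest-wide Duo sync over the global catalog.
Assumptions (labelled): forest root DC=foo,DC=com; entries below are
constructed stand-ins for what a GC (port 3268) search would return."""
from collections import defaultdict

FOREST_ROOT_DN = "DC=foo,DC=com"  # assumed forest root for this example

# Constructed sample GC results: (distinguishedName, sAMAccountName)
SAMPLE_GC_ENTRIES = [
    ("CN=Ann Lee,OU=Users,DC=foo,DC=com", "alee"),
    ("CN=Bob Ray,OU=Users,DC=xyz,DC=foo,DC=com", "bray"),
    ("CN=Ann Lee,OU=Users,DC=xyz,DC=foo,DC=com", "alee"),  # same username in two domains
    ("CN=Cy Dao,OU=Users,DC=abc,DC=foo,DC=com", "cdao"),
]


def domain_dn(dn: str) -> str:
    """Return the domain part of a DN (its DC= components, in order).
    Naive comma split: escaped commas in RDNs are not handled here."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p for p in parts if p.upper().startswith("DC="))


def in_forest_namespace(domain: str, root: str = FOREST_ROOT_DN) -> bool:
    """True when `domain` is the root or a child under its namespace, so a
    base DN of the forest root reaches it through the global catalog.
    A disjoint namespace (DC=xyz,DC=com inside the foo.com forest) fails.
    This is a namespace test only; it cannot tell a separate forest apart."""
    d, r = domain.lower(), root.lower()
    return d == r or d.endswith("," + r)


def plan_syncs(domains):
    """Split domains into those one forest-root sync covers and those that
    need their own Authentication Proxy and sync configuration."""
    single = [d for d in domains if in_forest_namespace(d)]
    separate = [d for d in domains if not in_forest_namespace(d)]
    return single, separate


def duplicate_usernames(entries):
    """Map sAMAccountName -> sorted domains for usernames that appear in more
    than one domain; those users will not sync correctly."""
    seen = defaultdict(set)
    for dn, sam in entries:
        seen[sam.lower()].add(domain_dn(dn).lower())
    return {sam: sorted(doms) for sam, doms in seen.items() if len(doms) > 1}


if __name__ == "__main__":
    single, separate = plan_syncs(
        ["DC=foo,DC=com", "DC=xyz,DC=foo,DC=com", "DC=xyz,DC=com"])
    print("one forest-root sync covers:", single)
    print("needs separate sync/proxy:", separate)
    print("duplicate usernames:", duplicate_usernames(SAMPLE_GC_ENTRIES))
```

Against real directories, feed the (distinguishedName, sAMAccountName) pairs from a global catalog search into duplicate_usernames to spot the collisions before they fail to sync.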

OK, I understand now. I believed that was possible: I wanted to sync two different domains in the same forest (abc.com and xyz.com) in the Admin Panel with Global Catalog port 3268, and I also wanted to have two primary authentications in my Auth Proxy using port 3268 in the ad_client section, because the Global Catalog port 3268 can be used to read two different domains. Now I can see that was my mistake.
New Case:
I am now using child domains foo.com and xyz.foo.com, but the Admin Panel doesn't see the groups immediately. When I create a new group in the child domain (xyz.foo.com), the Admin Panel syncs the new group 4 hours later or more (the root domain foo.com doesn't have issues). Why is it happening with the child domain? I appreciate your feedback and comments.

It sounds like you may have latency with child domain replication back to the global catalog in the root.

Please contact Duo Support. This forum isn’t really intended for 1:1 troubleshooting of individual customer issues. A support engineer will be able to walk through your sync configuration with you in detail.