Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1291
Views
0
Helpful
4
Replies

Is it possible to have three different domains in the same forest with one [ad_client]?

dorel1
Level 1
Level 1

‎12-10-2019 02:46 PM

Is it possible to AD-Sync multiple domain in the same forest ? example: abc.com , xyz.com and have an Auth Proxy with only an ad_client section and with port 3268 and that DUO Proxy can read the different domains ?

0 Helpful
4 Replies 4

Amy2
Level 5
Level 5

‎12-11-2019 06:12 AM

Hi @dorel

Great question! I’m going to move your post to its own topic to increase visibility. You are more likely to get an answer this way. It also helps others who have the same question find the answer later.

As a friendly reminder, please don’t create duplicate posts, as it makes it harder to find information in the community. Thank you!

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee

‎12-11-2019 07:01 AM

First, you do not create an ad_client config section for AD Sync. Please re-read the AD directory sync instructions.

As for sync support for multiple domains:

  • abc.foo.com and zyx.foo.com where abc and zyx are domains in the foo.com forest - Yes, you can sync these domains in with a single sync and single Authentication Proxy. Point to a DC in the forest root domain, use the global catalog port, and set the base DN to the forest root. Ensure there are no duplicate usernames in the domains, as those users won’t sync correctly. Here is a KB article with more details: https://help.duo.com/s/article/2061.

  • abc.com and zyx.com where abc and zyx are separate forests with two-way trust, or domains in the same forest with disjoint namespace - No, you cannot sync these domains in with a single sync. You would need a separate Authentication proxy and sync config for each domain.

Duo, not DUO.
0 Helpful

dorel1
Level 1
Level 1
In response to DuoKristina

‎12-11-2019 11:59 AM

Ok I understand now, I believe that, that was possible, I wanted Sync two differents domains in the same forest (abc.com and xyz.com) in Admin Panel with Global Catalog 3268, and also I wanted to have two primary authentication in my Auth Proxy using port 3268 in ad_client section because the Global Catalog port 3268 can be using to read two differents domain, now I can see that was my mistake.
New Case:
I am using now child domains foo.com and xyz.foo.com but the Admin Panel doesnt see the groups immediately, When I create a new group in the child domain ( xyz.foo.com ) Admin Panel can sync the new group 4 hours later or more (root domain foo.com doesnt have issues). Why it is happening with the child domain? I appretiate your feedback and comments.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to dorel1

‎12-12-2019 02:26 PM

It sounds like you may have latency with child domain replication back to the global catalog in the root.

Please contact Duo Support. This forum isn’t really intended for 1:1 troubleshooting of individual customer issues. A support engineer will be able to walk through your sync configuration with you in detail.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents