
Would like to ask for some guidance. I have 2 Active Directory domain controllers in separate domains with a trust established. I also have an application that supports LDAP authentication, but not multiple LDAP servers. I did some research on ADAM (Active Directory Application Mode) and would like to clarify a few things. 1. When creating a partition within ADAM, must I create a partition matching the naming context of AD? In other words, if your AD is DC=abc,DC=org, your ADAM naming context should be DC=abc,DC=org. Is this true? If so, how do I get around synchronizing to the second AD DC? Will I need another partition? If so, then I think I'm back to square one as far as application LDAP auth is concerned. Is there a better way to combine users from multiple Active Directory instances?

tbapb
  • You don't provide details of your OS. I assume Windows 2003 is in use here. You don't have to create partitions with the same FQDN as AD. I assume you are asking for ADAMSync purposes? Please provide more details of what you are attempting – maweeras Aug 09 '11 at 06:58
  • The 2 AD DCs are Windows 2003 and Windows 2008. I was thinking to create a totally separate partition with a different naming context other than the ones on either DC. I would like to synchronize data from both Active Directories into a single ADAM partition to be able to authenticate against that ADAM partition. I remember reading that in order to synchronize between AD and ADAM, I would need to have an identical partition name as the AD context name. The limitation is that the application is only capable of authenticating against only one LDAP instance. – tbapb Aug 09 '11 at 16:53

1 Answer

ADAMSync supports different DNs for source and destination DN. So you can have DC=Domain,DC=Com for source and O=Domain,C=US for ADAM partition as an example. No problems here.

What you will run into issues with is syncing both domains to the same partition. You won't be able to have DC=Domain1,DC=COM and DC=Domain2,DC=Org both sync to O=Domain,C=US. You can only have one of those sources sync to the destination partition.

The reason why you will run into issues is because adamsync needs to store the configuration on the destination ADAM partition. You cannot store two configurations simultaneously on the NC. In this case, if you chose DC=Domain1,DC=COM, it will write the relevant configuration to do that sync. If you try to store DC=Domain2,DC=COM, the previous configuration for DC=Domain1,DC=COM is lost.

You do have the option of doing a /install for the DC=Domain1,DC=COM related XML, then doing a /sync. Next /install the DC=Domain2,DC=COM XML and do a /sync for that. So you keep swapping between configurations and doing /syncs.

This works but IMHO is not elegant. It may suit the purposes of some.

maweeras
  • Thank you for your reply. This is my ultimate goal here. If you have a few mins, please take a peek at the document, it describes a potential solution to what I'm planning on doing, but does not coincide with your answer :) – tbapb Aug 09 '11 at 23:07
  • http://community.igniterealtime.org/docs/DOC-1534 – tbapb Aug 09 '11 at 23:07
  • I have gotten this to work without an issue. Syncing both domains - one OU in each to a single partition like O=Domain,C=US. ADAM allows you to do this without an issue. I can't go into much detail at this point due to time constraints, but can answer any questions you may have – tbapb Oct 30 '11 at 18:09
  • Added clarification to my reply. – maweeras Nov 03 '11 at 20:35
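The swap-between-configurations procedure from the answer (install Domain1's XML, sync, install Domain2's XML, sync) written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft; the ADAM server:port, log directory and the two MS-AdamSyncConf.xml paths are assumptions, and each XML is assumed to set its own <source-ad-partition> while both set <target-dn> to the same O=Domain,C=US partition.

```powershell
# Added example: alternate two ADAMSync configurations into one ADAM partition.
# Server, log path and XML paths below are assumptions; adjust for your environment.
$AdamServer = 'localhost:389'         # ADAM instance to write into (assumed)
$TargetDn   = 'O=Domain,C=US'         # destination partition named in the answer
$LogDir     = 'C:\adamsync\logs'      # where per-run logs are kept (assumed)

# One MS-AdamSyncConf.xml per source domain (file names assumed). Each file
# carries its own <source-ad-partition>; both must point <target-dn> at $TargetDn.
$Configs = @(
    @{ Name = 'Domain1'; Xml = 'C:\adamsync\domain1.xml' },
    @{ Name = 'Domain2'; Xml = 'C:\adamsync\domain2.xml' }
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

foreach ($cfg in $Configs) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log   = Join-Path $LogDir "$($cfg.Name)-$stamp.log"

    # /install stores this source's configuration in the partition. As the
    # answer notes, it replaces whatever the previous /install stored there,
    # so the two sources can never be installed at the same time.
    & adamsync.exe /install $AdamServer $cfg.Xml
    if ($LASTEXITCODE -ne 0) { throw "adamsync /install failed for $($cfg.Name)" }

    # /sync pulls objects from the currently installed source into $TargetDn.
    # /log keeps a record of the run so each pass can be reviewed afterwards.
    & adamsync.exe /sync $AdamServer $TargetDn /log $log
    if ($LASTEXITCODE -ne 0) { throw "adamsync /sync failed for $($cfg.Name)" }

    Write-Host "$($cfg.Name): synced into $TargetDn (log: $log)"
}
```

Because only one configuration is ever installed, review the log of each pass rather than trusting the exit code alone; the account named in each XML needs no more than read access to its source domain.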