jmoody5824
Contributor
Contributor

Native Active Directory - Multi-domain Forest

All the documentation that I have read mention it but do not exactly describe what it means.  I am able to add a single domain in my forest but when I go to add another domain I get a "Duplication Identify store" error.

In our environment we have 3 domains that are part of the Active Directory Forest.

Root, which no users are typically in, it is there simply to hold any universal groups and forest level roles.

Then two sub domains

Accounts, which is a domain that all of our user accounts exist and is the primary logon domain for all users in the company.

Resource, which is a domain that all of the resource servers and administration accounts exist for my division in the company.

Our administrators typically would have accounts in Resource for managing any of the servers and resources in that domain, but to access all standard services they would use and account in the accounts domain.

In our implementation we are looking to setup a single tenant configuration,  I would like to setup the Administration of the default tenant using accounts from the Resource domain, but then allow users from the Accounts domain to consume any of the blueprints that we advertise.

How do I go about setting this up?

Our planned configuration

vCloud suite 5.5 standard, vCenter upgraded to 5.5b, and vCAC 6.0.  Using SSO that is included with vCAC 6.0 for Automation Center.

0 Kudos
1 Reply
pricemc1
Enthusiast
Enthusiast

I think you only need to define one identity store for your 3 domain environment that you have described. vCenter will use the trusts in place between the domains to look up accounts. If you attempt to define more than one identity store for a set of domains that are all trusted then you will actually end up with your domain browser list in vCenter showing the same domain twice (or more). This will definitely cause permissions issues. You probably will want to define an AD indentity store for your root domain and then remove the resource domain AD identity store that was probably created for your resource domain when you set up vCenter. Hope that helps.

0 Kudos