Multi-domain organizations

Ithicos Solutions applications are intended for use within a single Active Directory forest. The IIS server that hosts our applications such as Directory Update, Directory Manager, Directory Password, and Directory Search must be on a server that is in the same Active Directory forest as the users it will serve. All applications are configured out of the box to function within a single Active Directory domain, but they can be configured to serve additional domains in the forest.

Licensing

Directory Update, Directory Password, and Directory Manager are all licensed on a per-domain basis. You must create a new domain instance for each domain in your forest that you plan on using. Only domains in which there are user accounts need to be configured, though. For example, a resource domain would not have any user accounts and would thus not need to be configured. You must configure each domain that you will be using through the Configuration wizard.

Note: You must have a license for each domain in which there are user accounts that will use the software.

The Configuration wizard for each application can be found on the Windows Start menu. For example, the Directory Update Configuration wizard can be found at Start -> All Programs -> Directory Update -> Configuration. To add a new domain instance, follow these steps:

  1. Click the Add A New Domain Instance radio button and click the Next button
  2. On the Directory Settings page, provide the NetBIOS name (short name) of the domain controller, the DNS domain name, a service/proxy account, and the service/proxy account's password. It is very important that the service/proxy account have permissions to edit user accounts in the domain you are adding. Click the Test Directory Settings button and then click OK. Click Next once the Next button is available.

    Adding a new domain instance

  3. On the License Information screen, enter the organization name that was used to generate your license key. This will be provided with the license key that we send you. We recommend copying and pasting the licensing information directly from the e-mail that we send you. Click Next when finished.
  4. Click Finish to close the wizard.

Directory Update

Even in a multi-domain environment, Directory Update is almost entirely focused on the domain in which the user that is using it is logged on. This is because changes to user objects must be made on a domain controller in the user's home domain. The one exception to that is lookup fields such as the Manager, Assistant, or Secretary fields. These fields do not store textual information, but rather the distinguished name (DN) of an Active Directory object. This object can be either a user or a contact.

In a multi-domain forest, a user's Manager may be in a different domain from the user; therefore Directory Update needs to be able to look up users on a Global Catalog server rather than on a domain controller. In the Directory Update AppSettings.XML file, you can configure Directory Update to search the Global Catalog. Look for the useGlobalCatalog option and set it to "yes".

<lookupFields useGlobalCatalog="yes" showOnlyExchangeEnabledUsers="no" showContacts="yes" showDisabledUsers="no" maxResults="20"/>
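The following PowerShell script is an added example, not code from Directory Update or from Ithicos Solutions. It shows why the useGlobalCatalog switch matters: a Manager DN that points into another domain is not found when the same query is sent to the user's home domain controller over LDAP:// (the domain partition), but is found when sent to the same server over GC:// (the forest-wide Global Catalog). The forest name contoso.com, the child domain emea.contoso.com, the server dc02.emea.contoso.com and the two DNs are constructed for the example; run it on a domain-joined host as any user who can read the directory.

```powershell
# Added example (not Ithicos code). Assumes a hypothetical forest contoso.com with a child
# domain emea.contoso.com whose DC dc02.emea.contoso.com also hosts the Global Catalog.

function Find-DirectoryObjectByDn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Server,
        [switch] $UseGlobalCatalog
    )
    # LDAP:// binds to the domain partition the server hosts (TCP 389);
    # GC:// binds to the forest-wide Global Catalog on the same server (TCP 3268).
    $path = if ($UseGlobalCatalog) { "GC://$Server" } else { "LDAP://$Server" }
    $root     = New-Object System.DirectoryServices.DirectoryEntry($path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # Escape the characters that are special inside an LDAP filter (RFC 4515).
    $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $searcher.Filter      = "(distinguishedName=$escaped)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('displayName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')

    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        DisplayName       = [string]$result.Properties['displayname'][0]
        # objectClass lists the whole class chain; the last value is the most specific (user or contact)
        ObjectClass       = [string]($result.Properties['objectclass'] | Select-Object -Last 1)
        Source            = $path
    }
}

# Constructed DNs: the user lives in the child domain, the manager in the forest root domain.
$managerDn = 'CN=Bob Boss,OU=Users,DC=contoso,DC=com'
$homeDc    = 'dc02.emea.contoso.com'

# Against the home domain's partition the root-domain manager is out of scope: returns $null.
Find-DirectoryObjectByDn -DistinguishedName $managerDn -Server $homeDc

# The same server answered over GC:// returns the object, because the Global Catalog
# holds a partial, read-only replica of every domain in the forest.
Find-DirectoryObjectByDn -DistinguishedName $managerDn -Server $homeDc -UseGlobalCatalog
```

The Global Catalog copy of an object carries only the partial attribute set, which is enough to resolve a DN to a display name for a lookup field; writes still have to go to a domain controller of the object's own domain, which is why the setting applies to lookup fields only.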

Directory Manager

For updates to Active Directory, Directory Manager focuses on a domain controller in the domain in which the user account is located. Like Directory Update, though, Directory Manager may need to search the Global Catalog for lookup fields. As with Directory Update, you can configure this by locating the lookupFields tag within the AppSettings.XML file. Set the useGlobalCatalog option to "yes".

<lookupFields useGlobalCatalog="yes" showOnlyExchangeEnabledUsers="no" showContacts="yes" showDisabledUsers="no" maxResults="20"/>

Directory Manager also allows an authorized user to log on to Directory Manager and edit users in multiple domains. This is, of course, provided the service/proxy account configured for each domain has the permissions necessary to update the user accounts in that domain. Note that Directory Manager can only view a single domain's user accounts at one time. By default, Directory Manager will only show one domain's accounts. To enable the drop-down list to show the other configured domains, locate the domainList tag and set the visible option to "yes".

<domainList visible="yes" />

When the domainList option is enabled, the domain list drop-down option will enable the Directory Manager user to see all of the configured domains.

Enabling the domain dropdown list


Directory Search

By default, Directory Search queries the domain controller in the domain in which it is configured for directory information. This works fine provided the organization has a single domain. However, if you have more than one domain in your Active Directory forest you must configure Directory Search to query a Global Catalog server instead. There are two places in the AppSettings.XML file that must be changed. The first place is the lookupFields section. Lookup fields are used in Directory Search for filtering, such as looking up everyone who shares a common manager.

<lookupFields showOnlyExchangeEnabledUsers="no" maxResults="20" useGlobalCatalog="yes"/>

The second place in Directory Search that must be configured to use a Global Catalog server is the userList section. This controls the search results.

<userList useGlobalCatalog="yes" maxResults="100" pageSize="20" sortBy="displayName" showOnlyExchangeEnabledUsers="no" showContacts="yes" showDisabledUsers="no" showInitialResults="yes" showDetailPanel="yes">
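Because the Global Catalog switch lives in several places (lookupFields in all three applications, userList in Directory Search, and the separate domainList visibility switch in Directory Manager), it is easy to leave one at its single-domain default. The PowerShell check below is an added example, not Ithicos code: it loads an AppSettings.XML file and reports each of those attributes against the value this page calls for. The element and attribute names are taken from the fragments quoted on this page; the root element of the sample file, the nesting, and the C:\inetpub\wwwroot install path are assumptions, which is why the script locates elements by name rather than by full path.

```powershell
# Added example (not Ithicos code). Audits an AppSettings.XML for the multi-domain switches
# named on this page. Root element, nesting and install path are assumptions.

function Test-MultiDomainSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [xml]    $Settings,
        [string] $Label = 'AppSettings.XML'
    )
    $checks = @(
        @{ Element = 'lookupFields'; Attribute = 'useGlobalCatalog'; Expected = 'yes' },  # all applications
        @{ Element = 'userList';     Attribute = 'useGlobalCatalog'; Expected = 'yes' },  # Directory Search only
        @{ Element = 'domainList';   Attribute = 'visible';          Expected = 'yes' }   # Directory Manager only
    )
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($c in $checks) {
        # Search by element name anywhere in the file, so the (assumed) nesting does not matter.
        $nodes = $Settings.SelectNodes("//$($c.Element)")
        if ($nodes.Count -eq 0) { continue }   # this application does not use the element
        foreach ($node in $nodes) {
            $actual = $node.GetAttribute($c.Attribute)
            $shown  = '(absent)'
            if ($actual) { $shown = $actual }
            $findings.Add([pscustomobject]@{
                File      = $Label
                Setting   = "$($c.Element)/@$($c.Attribute)"
                Actual    = $shown
                Compliant = ($actual -eq $c.Expected)
            })
        }
    }
    return $findings
}

# Constructed sample resembling a Directory Search settings file in which the lookupFields
# switch was left at the single-domain default. The <appSettings> root is an assumption.
$sample = [xml]@'
<appSettings>
  <lookupFields showOnlyExchangeEnabledUsers="no" maxResults="20" useGlobalCatalog="no"/>
  <userList useGlobalCatalog="yes" maxResults="100" pageSize="20" sortBy="displayName"/>
</appSettings>
'@
Test-MultiDomainSettings -Settings $sample -Label 'sample (constructed)' | Format-Table -AutoSize
# Expected: lookupFields/@useGlobalCatalog = no (Compliant False), userList/@useGlobalCatalog = yes (Compliant True)

# Against real installs (path is an assumption; point it at your IIS site folders):
# Get-ChildItem 'C:\inetpub\wwwroot' -Recurse -Filter AppSettings.XML |
#     ForEach-Object { Test-MultiDomainSettings -Settings ([xml](Get-Content $_.FullName -Raw)) -Label $_.FullName }
```

Run it against a copy of the file, or with an account that has read-only access to the web root, since the same file holds the service/proxy account settings and should not be writable by the auditing account.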

Directory Search and Attributes in the Global Catalog

By default, not all attributes are flagged for replication to the Global Catalog (the set that is replicated is known as the partial attribute set). Two good examples of attributes that are not included are the thumbnailPhoto attribute and the division attribute. Microsoft flags many additional attributes to be included in Global Catalog replication when Exchange Server is installed (technically, when the Exchange schema prep process is done).

If you choose to use Directory Search with the Global Catalog option enabled, you may find that some data will not display. A common issue reported is that the photo disappears once the Global Catalog search is enabled. This is because thumbnailPhoto is not part of the partial attribute set (Microsoft did include thumbnailPhoto in the partial attribute set starting with the schema prep included in Exchange 2010 SP1 and later). You may have to edit the schema and flag attributes for replication to the Global Catalog.

To do this, you must enable the Active Directory Schema management console, as it is not enabled by default. The following is an example of how to flag the thumbnailPhoto attribute to be included in the Global Catalog. Follow these steps:

  1. Log on to a server with a user account that is a member of Schema Admins.
  2. Open a command prompt, run regsvr32.exe schmmgmt.dll and click OK when prompted. This registers the Active Directory Schema management console.
  3. Run MMC.EXE to open an empty management console.
  4. Add the Active Directory Schema snap-in (File -> Add/Remove Snap-in -> Add -> select Active Directory Schema -> click Add and OK).
  5. Navigate to Active Directory Schema -> Attributes.
  6. Locate the thumbnailPhoto attribute, right-click it and choose Properties.
  7. Check the "Replicate this attribute to the Global Catalog" checkbox and click OK.
  8. This should take about 15 - 20 minutes to take effect.
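The same check and change can be scripted. The PowerShell below is an added example and is not part of the Ithicos documentation or product; it uses the RSAT ActiveDirectory module and the schema attribute isMemberOfPartialAttributeSet, which is the flag the "Replicate this attribute to the Global Catalog" checkbox sets. Reading the flag needs only read access to the schema partition, so the first function is a safe way to confirm whether the attributes Directory Search is showing as blank are actually in the partial attribute set before anyone touches the schema. The second function performs the equivalent of steps 1 to 8 and, like the console, requires Schema Admins membership and a connection to the schema master; it is left commented out.

```powershell
# Added example (not Ithicos code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PartialAttributeSetMembership {
    # Reports whether each attribute is replicated to the Global Catalog (read-only query).
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $LdapDisplayName)

    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $LdapDisplayName) {
        $attr = Get-ADObject -SearchBase $schemaNc `
                             -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
                             -Properties isMemberOfPartialAttributeSet
        if ($null -eq $attr) {
            Write-Warning "Attribute '$name' was not found in the schema"
            continue
        }
        [pscustomobject]@{
            Attribute       = $name
            # An absent value means FALSE: the attribute is not in the partial attribute set.
            InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
        }
    }
}

function Add-AttributeToPartialAttributeSet {
    # Scripted equivalent of the console steps above: flags one attribute for GC replication.
    # Must run as a Schema Admin; the write is sent to the schema master FSMO holder.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $LdapDisplayName)

    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
                         -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if ($null -eq $attr) { throw "Attribute '$LdapDisplayName' was not found in the schema" }

    if ($PSCmdlet.ShouldProcess($LdapDisplayName, 'Replicate this attribute to the Global Catalog')) {
        Set-ADObject -Server $schemaMaster -Identity $attr -Replace @{ isMemberOfPartialAttributeSet = $true }
    }
}

# Check the two attributes this page names, plus one that is always in the partial attribute set.
Get-PartialAttributeSetMembership -LdapDisplayName 'thumbnailPhoto', 'division', 'displayName'

# To apply the change (Schema Admins required); -WhatIf shows what would be written without writing it:
# Add-AttributeToPartialAttributeSet -LdapDisplayName 'thumbnailPhoto' -WhatIf
```

Schema changes are forest-wide and replicate to every domain controller, so treat the write as a change-controlled operation: run the read-only check first, apply the flag once on the schema master, and allow the replication interval the page mentions before re-testing Directory Search.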

For more information on adding an additional attribute to the Global Catalog, see the KB article: How to Modify Attributes That Replicate to the Global Catalog