Vijay,
Just to clarify, you have two AD Domain Controllers in the same domain, correct?
If so, don't look at the individual domain controllers as distinct... they are ONE domain, and therefore you should only have ONE target account in PAM corresponding to the domain credentials.
When accessing target devices, those devices authenticate against the DOMAIN, and use DNS to locate an online domain controller. If one domain controller goes down, those target devices will authenticate against the other automatically. Therefore, it doesn't really matter which domain controller you change the password on, it's replicated to the other.
If you want PAM to be able to update passwords, even if a domain controller goes down, then I would configure your domain like this:
- Create a device with the name 'AD' or however you would like to refer to your domain, and set the address to your.domain.com or whatever the DNS domain name of your domain is (rather than using a specific domain controller).
- Create the AD target application against that device
- Configure the AD target application to use DNS to locate a domain controller (see the settings in the target application)
- Configure a single target account for each account you want to manage in that domain.
This will allow PAM to dynamically locate a domain controller when it updates passwords, just like your target devices use DNS to locate a domain controller during login.
I hope that makes sense.
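To show what "use DNS to locate a domain controller" means in practice, here is an added example that is not part of the original thread or of the PAM product. Windows publishes one SRV record per domain controller under `_ldap._tcp.dc._msdcs.<domain>`, and a client picks from that answer by RFC 2782 priority and weight, skipping any controller it cannot reach. The domain `your.domain.com` and the hosts `dc1`/`dc2` are hypothetical, and the SRV lines are constructed to look like `dig +short ... SRV` output; the reachability check is a plain TCP connect on the LDAP port, which can be swapped for a fake when testing failover offline.

```python
import random
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer: priority, weight, port, target host (RFC 2782)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer, shaped like the output of
#   dig +short _ldap._tcp.dc._msdcs.your.domain.com SRV
# for the hypothetical domain your.domain.com with two controllers.
SAMPLE_SRV_LINES = [
    "0 100 389 dc1.your.domain.com.",
    "0 100 389 dc2.your.domain.com.",
]


def parse_srv_answer(lines):
    """Parse 'priority weight port target' lines into SrvRecord objects."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank lines or resolver comments
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target))
    return records


def probe_tcp(host, port, timeout=2.0):
    """Reachability check for live use: can a TCP connection be opened to the LDAP port?"""
    try:
        with socket.create_connection((host.rstrip("."), port), timeout=timeout):
            return True
    except OSError:
        return False


def select_dc(records, reachable, rng=random):
    """Choose a controller the way a DNS-based locator does: drop hosts that
    fail the reachability check, keep only the lowest-priority group that is
    left, then pick within it by weight.  `reachable` is (host, port) -> bool."""
    candidates = [r for r in records if reachable(r.target, r.port)]
    if not candidates:
        raise RuntimeError("no reachable domain controller in SRV answer")
    best = min(r.priority for r in candidates)
    pool = [r for r in candidates if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)  # all weights zero: uniform choice
    pick = rng.randrange(total)  # weighted choice per RFC 2782
    acc = 0
    for r in pool:
        acc += r.weight
        if pick < acc:
            return r
    return pool[-1]


def locate_dc(lines=SAMPLE_SRV_LINES, reachable=probe_tcp):
    """Return (host, port) of a usable controller from an SRV answer."""
    rec = select_dc(parse_srv_answer(lines), reachable)
    return rec.target.rstrip("."), rec.port


if __name__ == "__main__":
    # Offline demo with a fake check that marks dc1 as down: dc2 is chosen.
    down = {"dc1.your.domain.com."}
    print(locate_dc(reachable=lambda host, port: host not in down))
```

With both controllers up, either may be returned because they share priority 0 and weight 100; with one down, the other is selected without any configuration change, which is the failover behaviour the reply describes for domain members and for a PAM target application pointed at the domain name rather than at a single controller.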
Original Message:
Sent: 11-21-2019 04:32 AM
From: vijayakumarc chandrasekaran
Subject: Multiple Active Directory
Hi All,
We have two AD servers in our environment and they are in sync. I am using the AD connector for domain account password management. Currently I have configured two target accounts with the same username but with two different ADs. I can verify the accounts without any issues, but when I do the password rotation, one account goes to unverified status, in this case AD2. So I have to manually copy the password from the synchronized account, that is AD1, and then put it into the other account, which is in AD2, to make it a verified account again. So my question is, in a multiple AD server environment, how do I configure target accounts so that if one AD is down there won't be any issues in accessing target devices?
Thanks,