Symantec Privileged Access Management

  • 1.  Multiple Active Directory

    Posted Nov 21, 2019 04:32 AM
    Hi All,

    We have two AD servers in our environment and they are in sync. I am using the AD connector for domain account password management. Currently I have configured two target accounts with the same username but on two different ADs. I can verify the accounts without any issues, but when I do the password rotation, one account goes to unverified status, in this case AD2. So I have to manually copy the password from the synchronized account, that is AD1, and then put it into the other account which is in AD2 to make it a verified account again. So my question is, in a multiple AD server environment how do I configure target accounts so that if one AD is down there won't be any issues in accessing target devices.

    Thanks,


  • 2.  RE: Multiple Active Directory

    Broadcom Employee
    Posted Nov 21, 2019 05:16 AM

    Hello Vijay,

    I guess you can address such an issue by using a compound for the different AD accounts with the same name on the different servers.

    Please see

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/implementing/protect-privileged-account-credentials/add-target-accounts-to-target-applications.html#concept.dita_d1dc95fccb58a055fd0472b300d27882e0f9f70c_AddaCompoundTargetAccountOptional

    In case this does not help please open a formal Support case and we can have a closer look.

    Best Regards,

    Andreas



  • 3.  RE: Multiple Active Directory

    Posted Nov 23, 2019 03:15 AM
    Thanks for your suggestion.


  • 4.  RE: Multiple Active Directory

    Broadcom Employee
    Posted Nov 24, 2019 07:39 AM
    Or just try a target group and a scheduled job for both.


  • 5.  RE: Multiple Active Directory
    Best Answer

    Broadcom Employee
    Posted Nov 22, 2019 09:19 AM

    Vijay,

    Just to clarify, you have two AD Domain Controllers in the same domain, correct?

    If so, don't look at the individual domain controllers as distinct... they are ONE domain, and therefore you should only have ONE target account in PAM corresponding to the domain credentials.

    When accessing target devices, those devices authenticate against the DOMAIN, and use DNS to locate an online domain controller. If one domain controller goes down, those target devices will authenticate against the other automatically. Therefore, it doesn't really matter which domain controller you change the password on; it's replicated to the other.

    If you want PAM to be able to update passwords, even if a domain controller goes down, then I would configure your domain like this:

    1. Create a device with the name 'AD' or however you would like to refer to your domain, and set the address to your.domain.com or whatever the DNS domain name of your domain is (rather than using a specific domain controller).
    2. Create the AD target application against that device
    3. Configure the AD target application to use DNS to locate a domain controller (see the settings in the target application)
    4. Configure a single target account for each account you want to manage in that domain.
    This will allow PAM to dynamically locate a domain controller when it updates passwords, just like your target devices use DNS to locate a domain controller during login.

    I hope that makes sense.
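    Added example (not from this thread or from the PAM product) showing the mechanism the answer relies on: a client that wants a domain controller queries the SRV records for _ldap._tcp.dc._msdcs.<domain>, orders them by RFC 2782 priority and weight, and skips any DC that does not answer. The SRV answers and the "AD2 is down" reachability map below are constructed sample data, and the host names are placeholders.

```python
import random
import socket
from typing import Callable, Iterable, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed sample of what DNS would return for
# _ldap._tcp.dc._msdcs.your.domain.com (placeholder names).
SAMPLE_SRV: List[SrvRecord] = [
    (0, 100, 389, "ad1.your.domain.com"),
    (0, 100, 389, "ad2.your.domain.com"),
    (10, 0, 389, "ad-backup.your.domain.com"),  # lower-preference DC
]


def order_srv(records: Iterable[SrvRecord], rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """RFC 2782 client ordering: ascending priority, weighted random within one priority."""
    rng = rng or random.Random()
    by_priority = {}
    for prio, weight, port, target in records:
        by_priority.setdefault(prio, []).append((weight, port, target))
    ordered: List[Tuple[str, int]] = []
    for prio in sorted(by_priority):
        bucket = by_priority[prio]
        while bucket:
            total = sum(w for w, _, _ in bucket)
            pick = rng.uniform(0, total) if total else 0
            running = 0
            for i, (w, port, target) in enumerate(bucket):
                running += w
                if pick <= running:  # weights bias the draw, every record is eventually used
                    ordered.append((target, port))
                    del bucket[i]
                    break
    return ordered


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real-world reachability check: can we open a TCP connection to the DC's LDAP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def locate_dc(records: Iterable[SrvRecord], is_reachable: Callable[[str, int], bool] = tcp_probe) -> Optional[Tuple[str, int]]:
    """Return the first DC (host, port) that answers, in SRV preference order, or None."""
    for host, port in order_srv(records):
        if is_reachable(host, port):
            return host, port
    return None


if __name__ == "__main__":
    down = {"ad2.your.domain.com"}  # constructed: pretend AD2 is offline
    print(locate_dc(SAMPLE_SRV, lambda h, p: h not in down))  # AD1 is chosen instead
```

With a real domain, replace SAMPLE_SRV with the SRV answers from your resolver and keep the default tcp_probe; the failover order then matches what the target devices themselves do at login.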


  • 6.  RE: Multiple Active Directory

    Posted Nov 23, 2019 03:15 AM
    Thanks for your suggestion. It is working as expected.