Symantec IGA

  • 1.  CA Identity Manager AD endpoint to change from one AD to another AD (different forest than the first AD)

    Posted Nov 08, 2017 04:06 AM

    Hi,

     

    We are using CA Identity Manager version 12.6, where Active Directory is integrated as an endpoint and working. In the company we have multiple ADs which are integrated with end applications. Now we are building a Global AD with a combination of both ADs' information. Now we want to make CA Identity Manager point to this new AD, which is a different forest. Could you please help us with how to achieve this?

     

    Thanks,

    Rajesh



  • 2.  Re: CA Identity Manager AD endpoint to change from one AD to another AD (different forest than the first AD)

    Broadcom Employee
    Posted Nov 13, 2017 05:36 AM

    Hi Rajesh, it is not clear to me whether you want to modify the existing endpoint to point to a different AD server or whether you want to create a new endpoint with this new AD server. What issue are you running into?

     

    Thanks
    Russi



  • 3.  Re: CA Identity Manager AD endpoint to change from one AD to another AD (different forest than the first AD)

    Posted Nov 13, 2017 11:23 PM

    Hi Russi,

     

    Thanks for your response. My issue is that we have one AD server which is integrated with CA Identity Manager for provisioning. Now the client is bringing in a new AD where the base domain and the forest are completely different from the earlier AD. So I am checking how to integrate the new AD with CA Identity Manager as a different endpoint without touching the existing endpoint. Could you please suggest all the steps that need to be taken care of to integrate the new AD with CA Identity Manager? All the users present in the existing AD will be there in the new AD.

     

    Thanks,

    Rajesh



  • 4.  Re: CA Identity Manager AD endpoint to change from one AD to another AD (different forest than the first AD)

    Broadcom Employee
    Posted Nov 15, 2017 11:08 AM

    Hi Rajesh,

     

    This may not be a complete list of steps to perform, but assuming you want to add this new AD as a new IM endpoint, this is what I would do:

     

    1. Configure SSL for your new Active Directory (AD) server to be able to manage AD users' passwords from CA Identity Manager. Also make sure you know your AD password policy to ensure that you can successfully create users from IM in your AD.

    2. Decide if you want local Windows-based CA IAM connector servers for performance and load balancing; if so, install CA IAM connector server(s), including the C++ connector server component, on the Windows machines closer to your new AD domain controllers. You don't need to do this if you plan on using the same Windows-based IAM connector servers as before. Just remember that to provision Active Directory from CA Identity Manager you need to have a Windows-based IAM Connector Server with the C++ Connector Server.

    3. Make sure all the required ports are open (in case you have firewalls) from the CA IAM connector server machine to connect to the new Active Directory servers. I always use the JXplorer LDAP browser (you can download it for free from the internet) for connectivity tests. If you are able to connect with JXplorer to your Active Directory server on port 389 from the Windows-based CA IAM connector server, then the connectivity is fine.

    4. Whether you deploy a new IAM connector server or want to use an existing IAM connector server, if the IAM CCS is NOT installed on the ADS machine you want to manage, then you need to configure trust for the root certification authority that issued the certificate in step 1 above. If this is a self-signed certificate, import this self-signed certificate as a trusted authority. You may also need to modify the C++ connector service on the Windows machines to make sure that the account being used to run the service is the same account that was installed to run the root CA. If you make changes, restart the C++ connector. You can do tests using the ADS SSL diagnostics utility included in provisioning server/bin to diagnose the SSL connectivity towards Active Directory. If this works, then fine. I also use JXplorer connectivity towards Active Directory on port 636 with the SSL+user+password option to test whether AD SSL works fine.

    5. From Connector xPress you can configure which connector servers you want to manage your Active Directory endpoints.

    6. Now that you have the IAM connector servers and SSL configured just create a new AD endpoint in IM. And then follow the usual procedure of exploring and correlating AD accounts with IM users, defining account templates, defining provisioning roles, etc. What is not clear to me is whether IM users need to have accounts in both AD systems (i.e. one IM user should be correlated with accounts on the 2 AD endpoints) or what your expectations are. Understanding your requirements more clearly is important for correctly defining the AD account templates and IM behavior.

     

    KR
    Russi
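
A pre-flight check for steps 3 and 4 of the answer above, as an added example that is not part of the original thread or of CA's own tooling: run it on the Windows-based CA IAM Connector Server host before creating the endpoint. The domain controller name and the display name of the C++ Connector Server service are assumptions to replace with your own values.

```powershell
# Added example, not part of the thread. Run on the Windows CA IAM Connector Server host.
param(
    [string]$DomainController = 'dc01.newforest.example',  # placeholder: FQDN of a DC in the new forest
    [string]$CcsServiceName   = 'CA IAM CS (C++)'          # assumption: display name of the C++ Connector Server service
)

# Step 3: plain TCP reachability from the connector server to LDAP (389) and LDAPS (636)
foreach ($port in 389, 636) {
    $tcp = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $DomainController, $port, $tcp.TcpTestSucceeded
}

# Steps 1 and 4: TLS handshake on 636 and validation of the DC certificate chain against
# this host's trust store. With a self-signed or private root CA this only reports a
# trusted chain after that root is imported into Trusted Root Certification Authorities.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DomainController, 636)
    # Let the handshake complete regardless of policy errors so the certificate can be inspected below
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    'LDAPS subject : {0}' -f $cert.Subject
    'LDAPS issuer  : {0}' -f $cert.Issuer
    'Expires       : {0}' -f $cert.NotAfter
    'Protocol      : {0}' -f $ssl.SslProtocol
    # Build the chain explicitly to see whether the issuing root is trusted on this machine
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    'Chain trusted : {0}' -f $trusted
    if (-not $trusted) {
        $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
    }
} finally {
    $client.Close()
}

# Step 4: confirm which account runs the C++ Connector Server service
Get-CimInstance Win32_Service -Filter "DisplayName='$CcsServiceName'" |
    Select-Object Name, State, StartName
```

A "Chain trusted : False" result with a status such as UntrustedRoot means the root CA from step 1 has not yet been imported on this host; the last line shows the service account you would compare against the account that installed the root CA.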