Independent domains in multiple forests

You use this model when the users’ Active Directory accounts are in independent domain trees or forests; that is, there are domain controllers that do not have a two-way, transitive trust relationship with each other.

In this model, you have a separate connector for each independent domain tree or forest. Privileged Access Service picks which connector to use for the authentication request based on the login-suffix-to-domain mapping it creates and maintains. When the user account is in the connector’s domain controller, the authentication requests are handled according to the tree-root, parent-child, forest, and shortcut trust relationship settings between the domain controllers in that forest or domain tree.

After you install the first connector for each independent domain tree or forest, you should install one or more additional connectors on separate host computers for each one. The host computer for each additional connector must be joined to the same Active Directory domain controller as the initial connector for this tree or forest. See Creating administrator consoles and adding additional connectors for the details.

Privileged Access Service automatically creates a login suffix for the domain to which the host computer is joined plus all of the domains that the connectors for each independent domain can see.

When Admin Portal searches Active Directory domains for users and groups (for example, when you are adding a user or group to a role), it only searches the Active Directory Users container in the domain controllers that can be seen by the connectors. Which domains can be seen depends upon two criteria:

The trust relationship between the domain controllers.

Only domain controllers with a two-way transitive trust meet this criterion. When you configure the trust relationship, be sure to select Forest trust. This establishes a transitive trust between one forest root domain and another forest root domain. See How Domain and Forest Trusts Work in Microsoft TechNet for more about trust relationships.

The connector’s user account permissions.

By default the connector is installed as a Local System user account on the Windows host. The permissions you grant to this account can affect its ability to see other domains. See Permissions required for alternate accounts and organizational units for more information.
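The following PowerShell check, an added example rather than anything from the Centrify documentation, lists the trusts of the domain a connector host is joined to and flags which ones satisfy the first criterion above (two-way and transitive). It assumes the RSAT ActiveDirectory module is installed on the host and that the account running it can read trust objects; it does not evaluate the second criterion, the connector account's permissions.

```powershell
# Added example (not from the Centrify documentation): on a connector host,
# enumerate the joined domain's trusts and mark the ones that are two-way and
# transitive, which is what the connector needs to see the trusted domain.
Import-Module ActiveDirectory

function Get-ConnectorVisibleTrusts {
    [CmdletBinding()]
    param(
        # Domain the connector host is joined to; defaults to this computer's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $t = $_
        # Trusts inside one forest (tree-root, parent-child, shortcut) are always
        # two-way and transitive. Trusts to another forest only qualify when they
        # are bidirectional and forest-transitive, i.e. created as a Forest trust.
        $twoWay     = ($t.Direction -eq 'BiDirectional')
        $transitive = ($t.IntraForest -or $t.ForestTransitive)

        [pscustomobject]@{
            SourceDomain       = $Domain
            TrustedDomain      = $t.Target
            Direction          = $t.Direction
            IntraForest        = $t.IntraForest
            ForestTransitive   = $t.ForestTransitive
            # $false here means the domain will not appear in Admin Portal searches
            # through this connector; that tree or forest needs its own connector.
            VisibleToConnector = ($twoWay -and $transitive)
        }
    }
}

Get-ConnectorVisibleTrusts | Format-Table -AutoSize
```

Run it once per independent tree or forest, on a host joined to that domain, to confirm that every domain expected in Admin Portal searches is reachable through at least one connector.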

If you are using this model, use the Centrify directory policy service to set mobile device policies (see How to select the policy service for device management) and Privileged Access Service roles to enable users to register devices.