You use this model when the users’ Active Directory accounts are in domains with domain controllers that have a two-way, transitive trust relationship with the domain controller to which the connector is joined.
In this model, you have a single connector for the entire domain tree or forest. Privileged Access Service communicates through this connector for all authentication requests. When the user account is in another domain, the authentication requests are handled according to the tree-root, parent-child, forest, and shortcut trust relationship settings between the domain controllers.
If you are using Active Directory for device and policy management, all object management communications are done through the same connector as well.
By default, two-way transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain by using the Active Directory Installation Wizard. The two default trust types are parent-child trusts and tree-root trusts. When you configure the trust relationship, be sure to select Forest trust. This establishes a transitive trust between one forest root domain and another forest root domain. See How Domain and Forest Trusts Work in Microsoft TechNet for more about trust relationships.
Important: For tenants created after the Privileged Access Service 17.1 release, the connector by default does not perform cross forest user lookup from a local forest. To enable this functionality, contact Centrify Support.
After you install the first connector, you should install one or more on separate host computers. The host computer for each connector must be joined to the same Active Directory domain controller. See Creating administrator consoles and adding additional connectors for the details.
Privileged Access Service automatically creates a login suffix for the domain to which the host computer is joined plus all of the domains that the connector can see. Which domains can be seen depends upon two criteria:
- The trust relationship between the domain controllers.
- The connector’s user account permissions.
Only domain controllers with a two-way transitive trust meet this criteria
By default the connector is installed as a Local System user account on the Windows host. (See Permissions required for alternate accounts and organizational units for more information.) The permissions you grant to this account can affect its ability to see other domains.
Note: When Admin Portal searches Active Directory domains for users and groups (for example, when you are adding a user or group to a role), it only searches the Active Directory Users container in the domain controllers that can be seen by the connector.