Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ADSI connection - more than one forest

piotrj
New Contributor III
New Contributor III

‎01/29/2024 04:09 AM

Hi,

Looking for advice and pointers to the best practice. We have one ADSI connection to our main forest and it took a lot of effort, numerous issues to be addressed to set it up and have stable. The forest contains in excess of 100000 accounts (including service accounts) and even higher number of entitlements (groups).

We now need to set up another forest connection (much smaller though) and looking for advice and best practices. How do you schedule imports? What did you do to optimise import jobs and make them run faster? Do you use endpoint filter to create child endpoints? Do you manage to overcome this method limitation (5000 entitlements)?

 

Kind regards,

Piotr

0 Kudos
2 REPLIES 2

stalluri
Regular Contributor II
Regular Contributor II

‎01/29/2024 09:40 PM

@piotrj 

I have implemented ADSI in two projects.


Best practice:
ADSI connector is not as efficient as a regular AD connector.
I scheduled the jobs in the below format.

Full imports will run daily once when there is not much environmental activity.
I created a trigger for account and Access import.

I scheduled one more trigger for incremental which will run every 4 or 6 hours.
Incremental will not take more than 5-10 mins.

Config:
importNestedMembership: FALSE
ObjectFilter: This can also help to reduce the datasets.
EndpointFilter: This can also help to reduce the datasets.

Limitation:
ADSI will not support entitlement to Owner mapping will not work.
ADSI will only accept lowercase attributes  in the AD attribute mapping in Account_Attribute, groupImportMapping.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

piotrj
New Contributor III
New Contributor III
In response to stalluri

‎01/31/2024 05:15 AM

Thank you.

Have you had opportunity to implement multiple ADSI connections in the same system?

0 Kudos
Copyright © 2024 Khoros, LLC