What should be the correct ADSI URL?

GauravJain
Regular Contributor III

Hi

We are trying to onboard Active Directory onto Saviynt, which consists of N number of forests, M number of domains within those forests, and each domain has several domain controllers. We wanted to perform import / provisioning operations across domains in one forest and cross forest, so we have chosen the ADSI connector. But we are not sure what the correct value for the URL parameter should be.

Our understanding is we should define one domain URL (not using multiple domains as comma separated) with port 389/636 and grant required privileges to the service account to import Accounts / entitlements data from all domains in a forest OR across forests (trust setup is already there across domains in a forest and cross forest). Is this a correct understanding?

If we are using one domain URL (similar to above) then a successful connection will automatically populate all forests / domains / domain controllers in the FOREST_DETAILS field on the connector UI. Is it also correct?

Lastly, what we understand from HA (high availability) is, if we define one domain in the URL (similar to above) and if that domain (or any of the domain controllers within that domain) is not available for some reason, then Saviynt will use FOREST_DETAILS information to find another domain / domain controller to perform the import / provisioning operation, which means the ADSI connector will pull all accounts from all different domains available in our AD environment. Is it correct?

Regards

Gaurav

2 REPLIES

adarshk
Saviynt Employee

All the DCs need to be defined as comma-separated values.

In the URL parameter, specify the primary or root domain URL. It will manage the failover scenarios automatically based on the forest details populated while saving the ADSI connection. If the first DC is not active, EIC checks for the next available DC in the list. If the DC is active, EIC uses it for connecting to Active Directory.

In the FOREST_DETAILS parameter, add information about domains and domain controllers of the forests listed in the FORESTLIST parameter. This value gets populated in the Connections page after the connection is successfully established with the forest. You can use this attribute to discover active domains while connecting to Active Directory for provisioning.

For more on ADSI integration, please follow the below:
https://docs.saviyntcloud.com/bundle/ADSI-v24x/page/Content/ADSI-Integration-Overview.htm

GauravJain
Regular Contributor III

Thanks for your revert.

So, whatever forest information we mention in the FORESTLIST param in the connection configuration, Saviynt will pull all domains and DCs w.r.t. that list and populate it in the FOREST_DETAILS param after a successful connection. If that's the case then I think I am on the right path.

Secondly, to import accounts / entitlements and to perform provisioning operations across domains and forests - it will also depend upon this FORESTLIST param, right? For example, if we have 3 forests but we configure only 2 in the FORESTLIST param, then import and provisioning will work only for those 2 forests (across domains in a forest or across forests). We won't be able to perform any operations on the 3rd forest's domains. Is that understanding correct?

Regards

Gaurav