Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

What should be the correct ADSI URL?

GauravJain
Regular Contributor II
Regular Contributor II

Hi

We are trying to onboard Active Directory onto Saviynt which consist of N number of forests, M number of domains within those forests and each domain have several domain controllers. We wanted to perform import / provisioning operations across domains in one forest and cross forest so we have chosen ADSI connector. But we are not sure what should be the correct value for URL parameter.

Our understanding is we should define one domain url (not using multiple domains as comma separated) with port 389/636 and grant required privileges to service account to import Accounts / entitlements data from all domains in a forest OR across forest (trust setup is already there across domains in a forest and cross forest). Is it correct understanding?

If we are using one domain URL (similar to above) then a successful connection will automatically populate all forests / domains / domain controllers in FOREST_DETAILS field on connector UI. Is it also correct?

Lastly, what we understand from HA (high availability) is, if we define one domain in URL (similar to above) and if that domain (or any of the domain controller within that domain) is not available for some reason then Saviynt will use FOREST_DETAILS information to find out another domain / domain controller to perform import / provisioning operation. which means the ADSI connector will pull all accounts from all different domains available in our AD environment. is it correct?

Regards

Gaurav

 

 

2 REPLIES 2

adarshk
Saviynt Employee
Saviynt Employee

All the DC's need to be defined as comma separated values

In the URL parameter, specify the primary or root domain URL. It will manage the failover scenarios automatically based on the forest details populated while saving the ADSI connection. If the first DC is not active, EIC checks for the next available DC in the list. If the DC is active, EIC uses it for connecting to Active Directory.

In the FOREST_DETAILS parameter, add information about domains and domain controllers of the forests listed in the FORESTLIST parameter. This value gets populated in the Connections page after the connection is successfully established with the forest. You can use this attribute to discover active domains while connecting to Active Directory for provisioning.

For more on ADSI integration, please follow the below:
https://docs.saviyntcloud.com/bundle/ADSI-v24x/page/Content/ADSI-Integration-Overview.htm

GauravJain
Regular Contributor II
Regular Contributor II

Thanks for your revert.

So, whatever forest information we mention in FORESTLIST param in connection configuration, Saviynt will pull all domains and DC's w.r.t to that list and populate it in FOREST_DETAILS param after successful connection. If that's the case then i think i am on right path.

Secondly, to import accounts / entitlements and to perform provisioning operations across domains and forests - it will also depend upon this FORESTLIST param right? for example if we have 3 forests but we configure only 2 in FORESTLIST param then import and provisioning will work only for those 2 forests (across domains in a forest or across forest). We wont be able to perform any operations on 3rd forest domains. is that understanding correct?

Regards

Gaurav