AD Connector – cross-forest tricks

It is possible to import objects from a domain that is in a different forest than your console. You can also import data from an untrusted domain, i.e. a domain your current domain does not trust. You can even run the console from a domain in another forest.


Data source address


Let's say there is a domain you want to import objects from and this domain is not listed in the Browse window (you won't see it when you click the Browse button). In that case you need to type the data source address manually, in the format shown below.



The address looks like this: LDAP://other.domain.com/OU=your-ou,DC=other,DC=domain,DC=com. The host part is the fully qualified DNS name of the domain and the path part is the distinguished name of the container to import from. If you don't need to restrict the import to a specific OU, just leave out the OU part and keep the DC components: LDAP://other.domain.com/DC=other,DC=domain,DC=com.


Run As account


To import data from another domain you need to provide an account that has permission to read objects at the specified data source address.


Because the domain you are trying to connect to is not listed in the Domain dropdown box, you need to include the domain name in the User name box (DOMAIN\user form, e.g. dom2\admin), as shown on the screenshot below.



Note that as soon as you type a domain name into the User name box, the Domain control is disabled.


After the Run As account is created you can use it to connect to the specified data source.



Select objects


With the domain/OU address and the Run As account in place, you can choose which objects to import on the Select objects page.


When you add individual objects to the connector configuration, the Find window lists users, groups, computers and printers from the domain you specified earlier on the Domain/OU page, not from your current domain.


Untrusted domain


There's nothing special about untrusted domains. If you need to import data from one of them, just provide an account from that domain which has enough permissions to read from the specified address; no trust relationship with your own domain is required.


Console from another forest


You can have a console in a domain other than your SM Server domain. It's even possible to have a standalone console in a domain that is not trusted by your SM Server domain. The only thing you need to keep in mind is that the address you specify from your console must also be resolvable by the SM Server, because it is the SM Server, not the console, that ends up connecting to the data source.


Let's say you have a console in domain dom1.prod.com and you need to create connector C1 for domain dom2.prod.net, which is in the same forest and shows up when you click the Browse button on the Domain/OU page from the console machine. You pick dom2.prod.net from the Browse window as the data source. You can even create a Run As account for the dom2\admin user and add individual objects to the connector filter; everything works from the console's point of view.


But now, with your SM Server in a domain of another forest, company.domain.com, neither the address dom2.prod.net picked from Browse nor the NetBIOS name dom2 (from the Run As account) can be resolved by the SM Server. To solve the issue you need to specify the data source address for connector C1 explicitly, in the fully qualified format LDAP://dom2.prod.net/DC=dom2,DC=prod,DC=net.


In other words, when using a console from another domain, always keep the SM Server domain in mind: the SM Server must be able to resolve both the address you provide and the domain of the Run As account you create. Prefer fully qualified DNS names over short or NetBIOS names, and verify resolution from the SM Server itself rather than from the console machine.
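The following PowerShell snippet is an added example, not code from the original post or from Service Manager itself. It builds the fully qualified LDAP:// address the connector expects and then checks, from the machine it is run on, the two things the post says must work from the SM Server: that the host name in the address resolves, and that the Run As account can bind to that path and read objects from it. The names dom2.prod.net, OU=your-ou and dom2\admin are placeholders taken from the post's example; replace them with your own.

```powershell
# Build the connector data source address (LDAP://<fqdn>/[OU=...,]DC=...,DC=...)
# and verify name resolution plus a read bind with the Run As account.
# Run this ON THE SM SERVER: a result that is fine from the console machine
# but fails here is exactly the cross-forest problem described above.

function New-AdConnectorLdapPath {
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,  # e.g. dom2.prod.net (placeholder)
        [string]$OuPath                             # e.g. 'OU=your-ou' (optional placeholder)
    )
    # dom2.prod.net -> DC=dom2,DC=prod,DC=net
    $dcPart = ($DomainFqdn.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $dn = if ($OuPath) { "$OuPath,$dcPart" } else { $dcPart }
    return "LDAP://$DomainFqdn/$dn"
}

function Test-AdConnectorDataSource {
    param(
        [Parameter(Mandatory)][string]$LdapPath,
        [Parameter(Mandatory)][pscredential]$RunAsAccount  # DOMAIN\user, as typed in the Run As account
    )

    # 1. Name resolution: the host part of the address must resolve from this machine.
    $hostName = (($LdapPath -replace '^LDAP://', '') -split '/')[0]
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($hostName)
        Write-Host "Resolved $hostName -> $($addresses.IPAddressToString -join ', ')"
    } catch {
        Write-Warning "Cannot resolve '$hostName' from this machine: $($_.Exception.Message)"
        return $false
    }

    # 2. Bind with the Run As account and read a few objects below the address.
    $netCred = $RunAsAccount.GetNetworkCredential()
    $user = if ($netCred.Domain) { "$($netCred.Domain)\$($netCred.UserName)" } else { $netCred.UserName }
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $user, $netCred.Password)
        $root.RefreshCache()   # forces the bind; throws if the path, name resolution or credentials are bad

        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = '(|(objectClass=user)(objectClass=group)(objectClass=computer))'
        $searcher.SizeLimit = 5   # a handful is enough to prove read access
        $null = $searcher.PropertiesToLoad.Add('distinguishedName')

        $results = $searcher.FindAll()
        foreach ($r in $results) { Write-Host "  $($r.Properties['distinguishedname'][0])" }
        $results.Dispose()
        return $true
    } catch {
        Write-Warning "Bind or search against '$LdapPath' as '$user' failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage with the post's placeholder names:
$path = New-AdConnectorLdapPath -DomainFqdn 'dom2.prod.net' -OuPath 'OU=your-ou'
$cred = Get-Credential -UserName 'dom2\admin' -Message 'Run As account for the connector'
Test-AdConnectorDataSource -LdapPath $path -RunAsAccount $cred
```

If the resolution step fails on the SM Server but succeeds on the console machine, fix DNS (a conditional forwarder or stub zone for the other forest's domain) before touching the connector. If resolution succeeds but the bind fails, the Run As account name is the next suspect: a NetBIOS domain prefix such as dom2 may not be resolvable across forests, so try the account in UPN or fully qualified form.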