When ArcGIS Enterprise is configured to use groups and users managed in Microsoft Active Directory and is deployed in an environment with multiple domains in a single forest, it uses the Active Directory Global Catalog to obtain user and group information from all domains. However, ArcGIS Enterprise cannot collect this information if it binds to a domain controller that does not also serve as a global catalog server. In that case it may, for example, return information only about users and groups from the domain in which ArcGIS Enterprise resides.
If your Active Directory deployment includes multiple domain controllers, but not all domain controllers are configured as global catalog servers, you must manually specify the domain controller or controllers used by ArcGIS Enterprise. To do so, follow the steps below.
- Open the Portal Administrator Directory and sign in as a member with administrative privileges.
The URL to the Portal Administrator Directory is formatted https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click security > config > Update Identity Store.
- On the Update Identity Store page, copy and paste the following text into the User store configuration dialog box:

```json
{
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "userFullnameAttribute": "cn",
    "userEmailAttribute": "mail",
    "caseSensitive": "false",
    "domainControllerAddress": "[IP address], [alternate IP address]",
    "domainControllerMapping": "domain_A.example.com=[IP address], [alternate IP address]; domain_B.example.com=[IP address], [alternate IP address]"
  }
}
```
Optionally, more than one IP address can be listed for the domainControllerAddress property. If multiple IP addresses are listed, order them by priority: the portal attempts to communicate with the first address listed and falls back to subsequent addresses only if the first becomes unavailable.
If your Active Directory environment includes multiple domains within a forest and you want to include IP addresses for the domain controllers assigned to each domain, use the domainControllerMapping parameter on both the User store configuration and Group store configuration dialog boxes. You can list multiple IP addresses for each domain.
- If the portal will use existing Active Directory groups, copy and paste the following text into the Group store configuration dialog box:

```json
{
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "domainControllerAddress": "[IP address], [alternate IP address]",
    "domainControllerMapping": "domain_A.example.com=[IP address], [alternate IP address]; domain_B.example.com=[IP address], [alternate IP address]"
  }
}
```
- Replace the userPassword and user property values, and optionally the domainControllerAddress and domainControllerMapping values, with the values appropriate for your environment.
- Click Update Configuration to save your configuration.
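The domainControllerAddress and domainControllerMapping values in the steps above are free-form strings that are easy to get wrong by hand (a missing `=`, a mistyped address, the same domain listed twice). As an added example that is not Esri's code and not part of this page, the following Python builds the same WINDOWS identity store JSON from a domain-to-controller mapping, validates every address before the text is pasted into the dialog box, and parses a domainControllerMapping string back into a dictionary so an existing configuration can be checked. The domain names, IP addresses and account name are constructed placeholders; the function names are this example's own.

```python
import ipaddress
import json

# Constructed sample: domain -> domain controller addresses in priority order
# (the portal tries the first address and falls back to the next only on failure).
SAMPLE_MAPPING = {
    "domain_A.example.com": ["10.0.1.10", "10.0.1.11"],
    "domain_B.example.com": ["10.0.2.10"],
}
SAMPLE_DEFAULT_DCS = ["10.0.1.10", "10.0.2.10"]


def format_dc_list(addresses):
    """Join addresses for domainControllerAddress; every entry must be a valid IP."""
    if not addresses:
        raise ValueError("at least one domain controller address is required")
    for addr in addresses:
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return ", ".join(addresses)


def format_dc_mapping(mapping):
    """Build the domainControllerMapping string: 'domain=ip, ip; domain=ip'."""
    return "; ".join(f"{domain}={format_dc_list(addrs)}" for domain, addrs in mapping.items())


def parse_dc_mapping(value):
    """Inverse of format_dc_mapping; rejects malformed entries and duplicate domains."""
    result = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        domain, sep, addrs = entry.partition("=")
        domain = domain.strip()
        if not sep or not domain:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        if domain in result:
            raise ValueError(f"duplicate domain in mapping: {domain}")
        parsed = [ipaddress.ip_address(a.strip()).compressed for a in addrs.split(",") if a.strip()]
        if not parsed:
            raise ValueError(f"no addresses listed for domain: {domain}")
        result[domain] = parsed
    return result


def build_identity_store_config(user, password, default_dcs, mapping, include_user_attributes=True):
    """Return the WINDOWS store configuration laid out in the steps above.

    include_user_attributes=True produces the User store variant (with the
    cn/mail attribute keys); False produces the Group store variant.
    """
    props = {"userPassword": password, "isPasswordEncrypted": "false", "user": user}
    if include_user_attributes:
        props.update({"userFullnameAttribute": "cn", "userEmailAttribute": "mail", "caseSensitive": "false"})
    props["domainControllerAddress"] = format_dc_list(default_dcs)
    props["domainControllerMapping"] = format_dc_mapping(mapping)
    return {"type": "WINDOWS", "properties": props}


def check_config(config):
    """Return a list of problems found in an existing configuration (empty list = OK)."""
    problems = []
    props = config.get("properties", {})
    if config.get("type") != "WINDOWS":
        problems.append("type must be WINDOWS for an Active Directory store")
    for key in ("user", "userPassword"):
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    if props.get("isPasswordEncrypted") not in ("true", "false"):
        problems.append("isPasswordEncrypted must be the string 'true' or 'false'")
    try:
        format_dc_list([a.strip() for a in props.get("domainControllerAddress", "").split(",") if a.strip()])
    except ValueError as exc:
        problems.append(f"domainControllerAddress: {exc}")
    if "domainControllerMapping" in props:
        try:
            parse_dc_mapping(props["domainControllerMapping"])
        except ValueError as exc:
            problems.append(f"domainControllerMapping: {exc}")
    return problems


if __name__ == "__main__":
    # "secret" and the account name are placeholders; paste the printed JSON into the dialog box.
    cfg = build_identity_store_config("mydomain\\winaccount", "secret", SAMPLE_DEFAULT_DCS, SAMPLE_MAPPING)
    print(json.dumps(cfg, indent=2))
    print("problems:", check_config(cfg))
```

Running the script prints the User store JSON ready to paste; calling build_identity_store_config with include_user_attributes=False gives the Group store variant. check_config is useful for reviewing a configuration that was already entered: feed it the JSON shown on the Update Identity Store page and it reports malformed addresses or duplicate domains instead of leaving the portal to fail silently when it binds.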