Forest Settings

An Active Directory forest is the set of all the directory partitions in a particular Active Directory instance, including all domain, configuration, schema, and optional application information. Multiple forests can share Active Directory responsibilities across an enterprise. To support a multi-forest configuration for the Active Directory source, configure each of those forests here.

You can find the details of your existing configuration by using PowerShell commands. For more information, refer to Active Directory PowerShell Commands.

To configure forest settings, complete the following:

  1. Enter the Forest Name you want to set for a new forest to use in an organization. For example, corp.exampleorg.com.

  2. (Optional) Enter the Global Catalog Server information using the following format: IP address or FQDN:Port Number

    Note
    The Active Directory connector validates the configuration of global catalog during the test connection and health check operations.

  3. (Optional) Select Use gMSA as a Service Account to use group Managed Service Account (gMSA) as a Service Account and provide the Service Account in the UPN format.

    Note
    Ensure you select Strong (SASL) as the Authentication Type. IQService configuration is also mandatory to use gMSA as a Service Account. For more information, refer to Configuring IQService to use gMSA as a service account for Active Directory.

  4. (Optional) Enter the Service Account with the required permissions using the following format: Domain Name\User Name

  5. (Not required when Use gMSA as a Service Account is selected) Enter the Password for the service account.

  6. Select the Authentication Type from the drop-down menu.

    • Simple - The account to authenticate is identified by the DN of its directory entry, and the proof of identity is a password. SailPoint recommends that you select Use Transport Layer Security (TLS) with simple authentication, because the password would otherwise cross the network in clear text; TLS encrypts the data in transit.

    • Strong (SASL) - A Strong (SASL) authentication bind is performed, using Kerberos or NTLM depending on whether the Identity Security Cloud (ISC) system is inside the service account domain's network or outside it. Strong (SASL) provides an implicit security layer for data encryption.

      For Strong (SASL) authentication to work, you must enter the service account in the following format: UserName@DNSDomainName.com. For more information, refer to Required Permissions.

  7. (Not required when Use gMSA as a Service Account is selected) By default, the Use Transport Layer Security (TLS) checkbox is selected. When selected, you must also specify the TLS port in the Global Catalog Server field. For more information on TLS communication, refer to Securing the Active Directory Application.

  8. (Optional) Select the Resource Forest checkbox if this is a dedicated resource forest to manage Microsoft Exchange resources. For more information, refer to Active Directory Resource Forest Topology Exchange Management.

  9. (Optional) To create another forest, select Add Another and repeat the previous steps.

  10. Select Save.
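The following PowerShell pre-check, added here as an example and not part of SailPoint's documentation or the connector, gathers the values the steps above ask for and verifies them before you run the connector's test connection: the forest name, the Global Catalog servers and their TLS port, the UPN format required for Strong (SASL), and whether a gMSA is usable from the host. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account names are constructed placeholders, and the port numbers are the standard Global Catalog ports rather than values from this page.

```powershell
# Added example, not SailPoint code. Assumes the RSAT ActiveDirectory module on a
# domain-joined host. 3268/3269 are the standard Global Catalog ports (plain LDAP /
# LDAP over TLS); the service account and gMSA names are constructed placeholders.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest name: $($forest.Name)   Root domain: $($forest.RootDomain)"
"Domains:     $($forest.Domains -join ', ')"

# A Global Catalog Server value for the connector has the form FQDN:Port.
# With "Use Transport Layer Security (TLS)" selected, that port must be the TLS port.
$gcPort = 3269
foreach ($gc in $forest.GlobalCatalogs) {
    $tcp = Test-NetConnection -ComputerName $gc -Port $gcPort -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$gc is not reachable on port $gcPort; fix connectivity before testing the connector."
        continue
    }
    # Complete a real TLS handshake so an untrusted or expired certificate shows up
    # here rather than as a failed test connection or health check later.
    $client = [System.Net.Sockets.TcpClient]::new($gc, $gcPort)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($gc)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        "${gc}:${gcPort}  TLS OK  $($ssl.SslProtocol)  cert: $($cert.Subject) (expires $($cert.NotAfter))"
    } catch {
        Write-Warning "${gc}:${gcPort} TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

# Strong (SASL) needs the service account in UPN form: UserName@DNSDomainName.
$serviceAccount = 'svc-isc-ad@corp.exampleorg.com'   # constructed placeholder
if ($serviceAccount -notmatch '^[^@\\]+@[A-Za-z0-9.-]+$') {
    Write-Warning "Service account '$serviceAccount' is not in UPN format; Strong (SASL) requires UserName@DNSDomainName."
}

# If "Use gMSA as a Service Account" is selected, confirm the gMSA exists and that
# this host (the IQService host) is allowed to retrieve its managed password.
$gmsaName = 'gMSA-ISC-AD$'   # constructed placeholder
$gmsa = Get-ADServiceAccount -Identity $gmsaName -ErrorAction SilentlyContinue
if (-not $gmsa) {
    Write-Warning "gMSA $gmsaName not found in $($forest.RootDomain)."
} elseif (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    Write-Warning "This host cannot retrieve the managed password for $gmsaName; add it to PrincipalsAllowedToRetrieveManagedPassword."
} else {
    "gMSA $gmsaName is usable from this host: $($gmsa.DistinguishedName)"
}
```

Run it on the IQService host when gMSA is in use, since Test-ADServiceAccount checks the local computer's right to retrieve the managed password.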