Forest Settings

An Active Directory forest is the complete set of directory partitions in one Active Directory instance: every domain partition plus the configuration, schema, and any optional application partitions. An enterprise may split its Active Directory across several forests. To support a multi-forest configuration for the Active Directory source, configure each forest here.

You can find the details of your existing configuration by using PowerShell commands. For more information, refer to Active Directory PowerShell Commands.

To configure forest settings, complete the following:

  1. Enter the Forest Name you want to set for a new forest to use in an organization. For example, corp.exampleorg.com

  2. (Optional) Enter the Global Catalog Server information using the following format: IP address / FQDN:Port Number

    Configuring the Global Catalog details also improves pass-through authentication performance. When Global Catalog details are provided, the Active Directory connector prefers the Global Catalog for authentication; when they are not, it authenticates users against the server configured for the respective domain.

    The Global Catalog configuration also facilitates domain discovery within that forest.

  3. (Optional) Select Use gMSA as a Service Account to use group Managed Service Account (gMSA) as a Service Account and provide the Service Account in the UPN format.

    Note
    Ensure you select Strong (SASL) as the Authentication Type. IQService configuration is also mandatory to use a gMSA as the Service Account. For more information, refer to Configuring IQService to use gMSA as a service account for Active Directory.

  4. (Optional) Enter the User with the required permissions using the following format: Domain Name/User Name

  5. (Not required when Use gMSA as a Service Account is selected) Enter the Password for the service account.

  6. (Optional) Select the Authentication and Security from the drop-down menu.

    • Simple - The account to authenticate is identified by the DN of its directory entry, and proof of identity is a password sent in the bind request. SailPoint recommends selecting Use TLS with Simple authentication so that the password and the directory data are encrypted in transit.

    • Strong - A strong authentication bind is performed, using Kerberos or NTLM depending on whether the IdentityIQ system is inside the network of the service account domain or outside it. Strong authentication also provides an implicit security layer that encrypts the data.

      For Strong authentication to work, the user name must be in the format UserName@DNSDomainName.com. For more information, refer to Required Permissions.

  7. (Not required when Use gMSA as a Service Account is selected) By default, the Use TLS checkbox is selected. When it is selected, you must also specify the TLS port in the Global Catalog Server field (a Global Catalog listens for LDAP over TLS on port 3269 by default, and for plain LDAP on port 3268). For more information on TLS communication, refer to Securing the Active Directory Application.

  8. (Optional) Select the Resource Forest checkbox if this is a dedicated resource forest to manage Microsoft Exchange resources. For more information, refer to Active Directory Resource Forest Topology Exchange Management.

  9. (Optional) Select Manage All Domains to manage every domain under the forest with the forest credential. If selected, you do not have to complete the domain configuration section; select Preview to see the domains the application will manage. If you do not select this option, the domains in this forest can be enumerated in the domain configuration section by selecting Discover.

    Note
    If you change the Authentication and Security type, reload the Manage All Domains attribute to view the updated configuration.

  10. (Optional) To create another forest, select Add and repeat the previous steps.

  11. Select Save.
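The following PowerShell script is an added example for this page and is not SailPoint code; it gives concrete form to the PowerShell pointer above by collecting the values the steps ask for (forest name, Global Catalog server and TLS port, gMSA, service account) and checking them before you select Save. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host, a Global Catalog on the default ports (3268 LDAP, 3269 LDAP over TLS), the page's example forest corp.exampleorg.com, and a hypothetical gMSA named svc-iiq-ad. The UPN-style gMSA value it prints is an assumption about the form the field expects; confirm it against the IQService gMSA page.

```powershell
# Added example for the Forest Settings steps above; not SailPoint code.
# Assumes: RSAT ActiveDirectory module, domain-joined host, GC on default ports
# (3268 LDAP, 3269 LDAP over TLS), and a hypothetical gMSA 'svc-iiq-ad'.
Import-Module ActiveDirectory

$ForestName = 'corp.exampleorg.com'   # step 1 value (the page's example)
$GmsaName   = 'svc-iiq-ad'            # hypothetical gMSA name (sAMAccountName without trailing $)
$GcTlsPort  = 3269                    # GC LDAP over TLS; plain GC LDAP is 3268

# --- Steps 1, 2 and 9: forest root, global catalogs, domains Manage All Domains would cover
$forest = Get-ADForest -Identity $ForestName
'Forest root     : {0}' -f $forest.RootDomain
'Domains         : {0}' -f ($forest.Domains -join ', ')
'Global catalogs : {0}' -f ($forest.GlobalCatalogs -join ', ')

# --- Steps 2 and 7: is the GC TLS port reachable, and does the certificate it presents
# chain to a CA this host trusts? Default SslStream validation is kept (no callback), so
# an untrusted chain or a name mismatch throws here instead of as a connector failure later.
$gc = $forest.GlobalCatalogs | Select-Object -First 1
if (-not (Test-NetConnection -ComputerName $gc -Port $GcTlsPort -InformationLevel Quiet)) {
    throw "$gc does not accept TCP connections on port $GcTlsPort"
}
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $gc, $GcTlsPort
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
try {
    $ssl.AuthenticateAsClient($gc)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    'TLS OK          : {0} via {1}, expires {2:u}' -f $cert.Subject, $ssl.SslProtocol, $cert.NotAfter
    'GC field value  : {0}:{1}' -f $gc, $GcTlsPort    # what to enter in Global Catalog Server
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# --- Step 3: gMSA. Test-ADServiceAccount is meaningful only on the IQService host itself:
# it returns $true when that host is allowed to retrieve the managed password.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'
'gMSA            : {0} (password rotates every {1} days)' -f $gmsa.SamAccountName, $gmsa.'msDS-ManagedPasswordInterval'
'Allowed hosts   : {0}' -f ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join ', ')
'Local host OK   : {0}' -f (Test-ADServiceAccount -Identity $GmsaName)
# Assumption: UPN-style value for the Service Account field; confirm against the IQService gMSA page.
'gMSA UPN (assumed form): {0}@{1}' -f $gmsa.SamAccountName, $ForestName

# --- Steps 4 and 6: attempt the bind the connector will make. Strong = Negotiate
# (Kerberos, falling back to NTLM) with signing and sealing; Simple over TLS = the
# password travels in the bind request, protected only by the TLS channel.
# As the page requires, the Strong user name must be UserName@DNSDomainName.
function Test-Bind {
    param([string]$Path, [pscredential]$Cred, [System.DirectoryServices.AuthenticationTypes]$Auth)
    try {
        $de = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path, $Cred.UserName, $Cred.GetNetworkCredential().Password, $Auth
        $de.RefreshCache()   # forces the bind; throws on bad credentials or failed negotiation
        $de.Dispose()
        return $true
    } catch {
        Write-Warning "$Auth bind to $Path failed: $($_.Exception.Message)"
        return $false
    }
}
$cred      = Get-Credential -Message 'Service account as UserName@DNSDomainName'
$strong    = [System.DirectoryServices.AuthenticationTypes]'Secure, Signing, Sealing'
$simpleTls = [System.DirectoryServices.AuthenticationTypes]'SecureSocketsLayer'
'Strong bind     : {0}' -f (Test-Bind "GC://$gc`:3268" $cred $strong)
'Simple+TLS bind : {0}' -f (Test-Bind "GC://$gc`:$GcTlsPort" $cred $simpleTls)
```

Run the script on the IQService host when you intend to use a gMSA, since that is the host whose right to retrieve the managed password matters. If the Strong bind succeeds and the Simple+TLS bind fails, the usual cause is a certificate the host does not trust, which the TLS check earlier in the script reports directly.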