Using AD connector in a multi-domain environment

brtvngl Posts: 2 ✭✭

We are looking to use the AD connector, but our TeamViewer users are spread out over multiple security groups in different domains.

When testing the integration on domain A, it looks like the AD connector will deactivate all users not part of that specific domain. So how do we make it work so that the AD connector will look at all domains, keep the active users of all domains, and deactivate only the users no longer found in any of the security groups?

Thanks!

Best Answer

  • Tech_Tharsis
    edited April 30 Answer ✓

    I received a response from TeamViewer Support, so I will post it here in case anyone else is looking for this. The solution is to first run the configuration script, configure it and save the config so that the JSON file is created, then edit the TeamViewerADConnector.config.json file and modify the following line in this way:

    "ActiveDirectoryRoot": "GC://fqdn-of-one-of-your-AD-global-catalog-servers"

    Obviously, replace "fqdn-of-one-of-your-AD-global-catalog-servers" with the actual FQDN of one of your AD global catalog servers.

    After modifying that, the script correctly detects users on every domain in the forest.
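
A read-only pre-check for the change described in the answer above, added here as an example (not part of the original post and not TeamViewer's code): it runs the same direct-membership query against one domain's LDAP root and against a Global Catalog root and lists the accounts only the GC returns. The group DN, domain root, GC host name and config path are constructed placeholders, and the search filter is an assumption, not the connector's actual query.

```powershell
# Added example: read-only comparison of a single-domain root and a Global Catalog root.
param(
    # Assumption: the config file sits in the current directory; adjust the path.
    [string]$ConfigPath = '.\TeamViewerADConnector.config.json',
    # Constructed placeholder values; replace with your own group DN and servers.
    [string]$GroupDn    = 'CN=TeamViewer-Users,OU=Groups,DC=corp,DC=example',
    [string]$DomainRoot = 'LDAP://DC=corp,DC=example',
    [string]$GcRoot     = 'GC://gc01.corp.example'
)

function Get-GroupUserDn {
    param([string]$Root, [string]$GroupDn)
    # Escape characters that are special inside an LDAP filter value (RFC 4515).
    $value = $GroupDn -replace '\\', '\5c' -replace '\*', '\2a' `
                      -replace '\(', '\28' -replace '\)', '\29'
    $entry    = New-Object System.DirectoryServices.DirectoryEntry($Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    # Direct members only; nested groups are not expanded by this filter.
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf=$value))"
    $searcher.PageSize = 500   # page results so large groups are not truncated
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($r in $results) { [string]$r.Properties['distinguishedname'][0] }
    } finally {
        if ($null -ne $results) { $results.Dispose() }
        $searcher.Dispose()
        $entry.Dispose()
    }
}

# Show the root the connector is configured with (key name as given in the post).
Select-String -Path $ConfigPath -Pattern '"ActiveDirectoryRoot"' |
    ForEach-Object { $_.Line.Trim() }

$domainUsers = @(Get-GroupUserDn -Root $DomainRoot -GroupDn $GroupDn)
$forestUsers = @(Get-GroupUserDn -Root $GcRoot -GroupDn $GroupDn)
$onlyViaGc   = @($forestUsers | Where-Object { $domainUsers -notcontains $_ })

"Domain root returned   : $($domainUsers.Count) user(s)"
"Global Catalog returned: $($forestUsers.Count) user(s)"
'Members visible only through the Global Catalog:'
$onlyViaGc
```

Any account in the last list is one that a domain-scoped query does not see. After changing the root, the connector's "test run" option mentioned in the thread shows what a sync would do before anything is deactivated.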

Answers

  • JeanK

    Hello @brtvngl,

    I'd recommend you to open a ticket and ask our engineers:


    Community Manager

  • Tech_Tharsis

    We have the same problem. I created a support ticket, but I will also write it here in case someone already has the solution:

    We were using the previous AD Synchronization script. It's quite old, but it had a variable named $dcLdapPort that we set to "3268" so that the script queries the Global Catalog, which returns results from the entire AD Forest (the normal "389" port only queries the local domain, and nothing else). This is needed because we have a Universal Group in Active Directory with users from the main domain and two child domains, and by setting the port to 3268, it returned the users from all the domains.

    As the old script is not compatible anymore, we tried to use the new AD Connector script, but it only detects users from the main domain. The new script seems to have no way for it to query the Global Catalog / changing the port for the LDAP query to 3268. Fortunately we used the "test run" option to see what would happen, as it would have deactivated all TeamViewer users from the child domains.

    How can we get the new script working for all subdomains (the entire forest)?

    Regards
