Sync users in the Active Directory

Sync universal groups and users in a multi-domain Active Directory (AD).
Organizations can have multiple Active Directory domains for different geographical regions. To sync all of the users in all groups, Enterprise Application Access (EAA) has the global catalog server option. When this option is not selected, groups and users belonging to other domains within the same AD forest are not synced. For more information, see Add users and invite them to the cloud directory and Add users to an overlay group.

Organizations may deploy an Active Directory forest containing many domains. Each domain may represent a separate geographical region, or a team within a company, such as marketing, engineering, or customer support. A domain is controlled by the AD domain controller, which is added to Enterprise Application Access (EAA) for syncing groups and users within that domain. To sync groups and users belonging to other domains within the same forest, EAA has the global catalog option. When this option is not selected, groups and users belonging to other domains within the same AD forest are not synced from the server. Complete this procedure to sync universal groups and users belonging to other domains within the AD forest.

  1. In the EAA Management Portal navigation menu, select Identity > Directories.
    The Directory cards appear.

  2. On the card of the directory for which you want to enable global sync across multiple domains in the Active Directory, click Configure Directory.

  3. Click Show additional attributes and select Global catalog server.

  4. Click Save directory.

  5. Return to the directory card and click Sync.
    You should see all users synced across multiple domains.

EAA uses ports 3268 and 3269 on the global catalog server to sync groups and users. Make sure EAA can communicate with the Active Directory on these ports, and configure your firewall rules to add these ports to the allow list.
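
One way to verify the firewall rules before clicking Sync is to probe both ports and tell a closed port from a silently dropped one. This is an added example, not Akamai tooling. It assumes you run it from a host in the same network position as the component that performs the sync, that 3269 carries the global catalog over TLS (standard for Active Directory), and that the server certificate chains to a CA in the local trust store. The host name `gc.example.internal` is a placeholder.

```python
"""Reachability check for the global catalog ports named on this page (added example)."""
import socket
import ssl
import sys

GC_PORTS = {3268: False, 3269: True}  # port -> expect TLS (3269 is global catalog over LDAPS)


def probe(host, port, tls=False, timeout=3.0):
    """Classify one port: open, refused, filtered, unreachable, tls-cert-untrusted, tls-failed."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"          # host answered with RST: nothing is listening on the port
    except socket.timeout:
        return "filtered"         # no answer at all: typically a firewall dropping the SYN
    except OSError:
        return "unreachable"      # DNS failure, no route to host, and similar errors
    with sock:
        if not tls:
            return "open"
        ctx = ssl.create_default_context()  # verifies the certificate chain and host name
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "open"
        except ssl.SSLCertVerificationError:
            return "tls-cert-untrusted"     # port reachable, but the certificate is not trusted
        except OSError:
            return "tls-failed"             # port reachable, but no TLS handshake completed


def check_global_catalog(host, timeout=3.0):
    """Probe both global catalog ports and return {port: state}."""
    return {port: probe(host, port, tls, timeout) for port, tls in GC_PORTS.items()}


if __name__ == "__main__":
    # Placeholder host name; pass your global catalog server as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "gc.example.internal"
    results = check_global_catalog(host)
    for port, state in results.items():
        print(f"{host}:{port} {state}")
    sys.exit(0 if all(s == "open" for s in results.values()) else 1)
```

A `filtered` result points at a firewall rule that still needs these ports on its allow list, while `refused` means the host is reachable but is not serving the global catalog on that port.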