https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317202#M81539 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; So WMI authentication in user mapping is not really a show stopper to pull the user details from AD sitting in different domain, it must be something else, because of which i cant pull the user details in group mapping?</P> Thu, 19 Mar 2020 02:34:51 GMT vmtechzakirhussain 2020-03-19T02:34:51Z https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317182#M81531 <P>One of my customer is been acquired by a much bigger company.</P><P>&nbsp;</P><P>they are in the middle of AD migration from their old root domain to new root domain.</P><P>&nbsp;</P><P>Their firewall has existing AD integration with old root domain AD, with user mapping and WMI Authentication. and users are using it actively. For me to add a new AD integration sitting in a new different root domain, i need to add usermapping and enter username and password in WMI authentication as i dont have an option to add more than one, am afraid it will overwrite the existing one and impact the active users still connected to old AD, in their old root domain.</P><P>&nbsp;</P><P>Before i ask them to wait until they finish AD migration to their new root domain, and we clean up the WMI authentication in the firewall for it. We cant add their new AD in new root domain and run in parallel, can any experts here, help me with the advise please. I have logged a ticket with support on the same topic to advise. if i get a response i will update here in this topic.&nbsp;</P> Thu, 19 Mar 2020 01:19:22 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317182#M81531 vmtechzakirhussain 2020-03-19T01:19:22Z https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317194#M81535 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108362">@vmtechzakirhussain</a>,</P><P>This is only a limitation of the built-in user-id agent; if you setup the agent on antoher Windows machine the firewall can pull information from two different domains easily.&nbsp;</P> Thu, 19 Mar 2020 01:55:50 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317194#M81535 BPry 2020-03-19T01:55:50Z https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317202#M81539 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; So WMI authentication in user mapping is not really a show stopper to pull the user details from AD sitting in different domain, it must be something else, because of which i cant pull the user details in group mapping?</P> Thu, 19 Mar 2020 02:34:51 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317202#M81539 vmtechzakirhussain 2020-03-19T02:34:51Z https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317207#M81541 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108362">@vmtechzakirhussain</a>,</P><P>To verify that what I'm saying was understood; if you want to pull data from two different domains you would do this by installing the standalone user-id agent on windows server, instead of using the integrated user-id agent on the firewall. You would simply configure the firewall to connect to these windows-based user-id agents and pull the information from these agents.&nbsp;</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/configure-the-windows-based-user-id-agent-for-user-mapping.html#id4ca6e511-47b4-4f65-ba87-381392077945" target="_self">Windows-user-id Agent Configuration</A></P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/deploy-user-id-for-numerous-mapping-information-sources/configure-user-id-for-numerous-mapping-information-sources.html#id68391fd4-5234-4420-836a-44a6119a5985" target="_self">Numerous Mapping Sources Documentation</A></P> Thu, 19 Mar 2020 03:09:26 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/317207#M81541 BPry 2020-03-19T03:09:26Z https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/324969#M82914 <P>To Answer my own question, two AD with different root domains agentless can be integrated and works fine.</P> Mon, 27 Apr 2020 04:08:34 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-integrate-two-different-ad-that-has-two-different-root/m-p/324969#M82914 vmtechzakirhussain 2020-04-27T04:08:34Z