We have already integrated the AD (3 servers for redundancy).
The User-ID we are using is the default one which is on the PA FW.
The domain is abc.nl. The setup is working.
Now we are building an entirely new domain called abc.es. Migration may take time.
There is no trust and the forest is different.
So is it possible to have two different domains from two different forests?
What is the recommendation?
And is it possible to have a User-ID agent for this new domain on the PA, or do we have to install it on the AD server?
From my view it is more complex to have both, but the catch here is that the domain abc is the same, so I need to know what the limitations of using two different domains are.
One is having to add it in each policy where the old one is being used?
Last week I worked on the same case, of multiple domains.
If you don't use the User-ID Agent and configure multiple domains, perhaps you will have inconsistent domain issues. Some users will be authenticated with the NetBIOS (netbios\user) and some others with the FQDN (fqdn\user).
If you don't want to install the agent on the AD server, you can install it on another computer. It is gonna work. If you decide to install the agent on the AD server, the agent will have access to all Security logs of the AD, but the agent is gonna filter the logs based on what it needs for User-ID.
My recommendation is to install it.
I hope it helps!
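
Added example, not part of the posts above and not Palo Alto Networks code: a small audit for the inconsistency the reply describes, flagging accounts that appear under both `netbios\user` and `fqdn\user` forms and NetBIOS-form entries that cannot be tied to one forest. The mapping list is constructed sample data, and it is an assumption that both forests use the short name `abc`; the thread only gives the FQDNs.

```python
from collections import defaultdict

# Assumption: both forests share the NetBIOS name "abc"; the thread only names the FQDNs.
FQDN_TO_NETBIOS = {"abc.nl": "abc", "abc.es": "abc"}

# Constructed sample of IP-to-user mappings (not real firewall output).
SAMPLE_MAPPINGS = [
    ("10.1.0.11", "abc\\jdoe"),
    ("10.1.0.12", "abc.nl\\jdoe"),
    ("10.2.0.21", "abc.es\\mgarcia"),
    ("10.2.0.22", "ABC.ES\\mgarcia"),
    ("10.1.0.13", "abc\\psmit"),
]

def classify(principal):
    """Split domain\\user and label the domain part 'fqdn', 'netbios' or 'unknown'."""
    domain, sep, user = principal.partition("\\")
    if not sep:
        return "", principal.lower(), "unknown"
    domain, user = domain.lower(), user.lower()
    if domain in FQDN_TO_NETBIOS:
        return domain, user, "fqdn"
    if domain in FQDN_TO_NETBIOS.values():
        return domain, user, "netbios"
    return domain, user, "unknown"

def audit(mappings):
    """Return (mixed, ambiguous).
    mixed: usernames seen under both NetBIOS and FQDN domain forms.
    ambiguous: (ip, principal) entries whose NetBIOS name matches several FQDNs."""
    forms = defaultdict(set)
    ambiguous = []
    for ip, principal in mappings:
        domain, user, kind = classify(principal)
        forms[user].add(kind)
        if kind == "netbios":
            candidates = [f for f, n in FQDN_TO_NETBIOS.items() if n == domain]
            if len(candidates) > 1:
                ambiguous.append((ip, principal))
    mixed = sorted(u for u, kinds in forms.items() if {"fqdn", "netbios"} <= kinds)
    return mixed, ambiguous

if __name__ == "__main__":
    mixed, ambiguous = audit(SAMPLE_MAPPINGS)
    print("mixed forms:", mixed)
    print("ambiguous NetBIOS entries:", ambiguous)
```

Entries flagged as ambiguous are the ones where a policy written against one domain's users could match, or miss, a same-named account from the other forest.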