@jezkerwin
1) Do you have cross domain group memberships for users being resolved correctly (ie. you set a group in a policy from domain1 and that group has a member from domain2 in it)
No. Each security group has user accounts in the respective domains
2) For each of the LDAP profiles you use for each of the domains, are you using one Bind user per domain or a single Bind user for all domains? Are you connecting to the LDAP port (389) or the Global Catalog (3268)?
1 Bind DN per domain. LDAP/389
3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard?
Yeah, just the default settings minus Base/Bind DN
4) If I understand your explanation, you have 4 servers running the UserID Agent for load sharing and they are all member servers in a single domain using the one service account and they can match IP address to Username across all domains due to the trust?
Yes. Essentially domains A, B, C, D, E, F, G, H. The UIAs are loaded on a 2012 server in domain "A" using a service account which exists in domain "A", which for all intents and purposes is the "parent" domain. There are domain trusts with domain A and every other domain. In this construct we're getting user attribution from the other domains.
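Question 1 above is about whether a group in one domain carries members from another. A quick way to check that from an LDAP export is to look at the DC= components of each DN in the group's member attribute. The script below is an added example (not from this thread or from any vendor tool): it parses a constructed LDIF excerpt for a group, sorts the members by the domain their DN points at, and separately flags entries under CN=ForeignSecurityPrincipals, which only carry a SID and cannot be resolved to a username from the bind domain's own directory. The group, user and domain names are invented for the example.

```python
"""Sort an LDAP group's members by domain (constructed example, not vendor code)."""
import re
from collections import defaultdict

# Constructed LDIF excerpt, shaped like an ldapsearch result for one group.
# Every DN and domain name here is made up for the example.
SAMPLE_LDIF = """\
dn: CN=VPN-Users,OU=Groups,DC=domain1,DC=example,DC=local
objectClass: group
cn: VPN-Users
member: CN=Alice Adams,OU=Staff,DC=domain1,DC=example,DC=local
member: CN=Bob Brown,OU=Staff,DC=domain1,DC=example,DC=local
member: CN=Carol Chen,OU=Staff,DC=domain2,DC=example,DC=local
member: CN=S-1-5-21-111-222-333-1105,CN=ForeignSecurityPrincipals,DC=domain1,DC=example,DC=local
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles plain 'attr: value' lines and folded continuation lines
    (a line beginning with a single space continues the previous value).
    Base64 values ('attr:: ...') are kept as-is, not decoded.
    """
    entry = defaultdict(list)
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()].append(value.lstrip(": ").strip())
    return dict(entry)


def split_dn(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def dn_domain(dn):
    """Return the DNS-style domain built from the DC= components of a DN."""
    dcs = [part[3:] for part in split_dn(dn) if part.upper().startswith("DC=")]
    return ".".join(dcs).lower()


def is_foreign_security_principal(dn):
    """True if the DN sits in the ForeignSecurityPrincipals container."""
    return any(part.lower() == "cn=foreignsecurityprincipals" for part in split_dn(dn))


def classify_members(ldif_text):
    """Group the members of an LDIF group entry by where their DN points.

    Members in the group's own domain are resolvable on a bind to that
    domain; members whose DN is in another domain need a query to that
    domain (or the Global Catalog); foreign security principals carry
    only a SID and need the trusted domain to turn it into a name.
    """
    entry = parse_ldif_entry(ldif_text)
    group_domain = dn_domain(entry["dn"][0])
    result = {
        "group_domain": group_domain,
        "same_domain": [],
        "other_domain": defaultdict(list),
        "foreign_security_principals": [],
    }
    for member in entry.get("member", []):
        if is_foreign_security_principal(member):
            result["foreign_security_principals"].append(member)
        elif dn_domain(member) == group_domain:
            result["same_domain"].append(member)
        else:
            result["other_domain"][dn_domain(member)].append(member)
    result["other_domain"] = dict(result["other_domain"])
    return result


if __name__ == "__main__":
    report = classify_members(SAMPLE_LDIF)
    print("group domain:", report["group_domain"])
    print("same-domain members:", len(report["same_domain"]))
    for domain, members in report["other_domain"].items():
        print(f"members in {domain}:", len(members))
    print("foreign security principals:", len(report["foreign_security_principals"]))
```

Run it against a real export by replacing SAMPLE_LDIF with the LDIF for the group you are mapping; if anything lands in other_domain or foreign_security_principals, that group has cross-domain membership, which is the case question 1 is asking about, and a per-domain bind on port 389 to the group's home domain will not by itself return those members as usernames.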