12 April,16 at 11:37 AM
Applies to:
All versions of Centrify Zone Provisioning Agent on Windows platforms
Question:
How do you configure or set up ZPA to provision users cross forest in a two-way trust with unique gid?
Answer:
This is a basic set up for ZPA to provision cross forest users. Follow the steps below:
1. In Domain 1, create a Domain Local Security Group call it Group_domain1
2. In Domain 2, Create another group with Domain Local Security Group call it Group_domain2
3. Add users from both Domains into Group_domain1, i.g. user1@domain1.com and user2@domain2.com
4. Add users that you want to provision from Domain2 into Group_domain2 - if you don't do this, ZPA will error with "No primary group found".
5. In the ZPA zone, go to Groups, and add both Group_domain1 and Group_domain2.
6. Add Group_domain1 into an AD group called ZPA_MasterGroup. Meaning, in the ZPA source group, you would select ZPA_MasterGroup which contains Group_domain1.
7. In ZPA, add ZPA_Mastergroup to Source Group.
KB-4214: ZPA cannot find user's primary group for provisioning
KB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)
KB-2434: Why does ZPA allow groups to be added from accounts domain in a 1-way trust?
KB-6041: How to show current license type in use by adclient
KB-1638: How to configure DirectControl running inside a firewall DMZ for user authentication with cross-forest trust?
KB-6040: How to change the license type in use after adclient successful joined to the AD?
KB-1931: Using the CDC console, Is it possible to add unix groups from a remote forest?
KB-6056: How to report the group policy settings that are in effect for the local computer?
KB-3925: How to add Centrify parameter to a group policy