12 April,16 at 11:37 AM
Applies to:
All versions of Centrify Zone Provisioning Agent on Windows platforms
Question:
How do you configure or set up ZPA to provision users cross forest in a two-way trust with unique gid?
Answer:
This is a basic setup for ZPA to provision cross-forest users. Follow the steps below:
1. In Domain 1, create a Domain Local Security Group and call it Group_domain1.
2. In Domain 2, create another Domain Local Security Group and call it Group_domain2.
3. Add users from both domains into Group_domain1, e.g. user1@domain1.com and user2@domain2.com.
4. Add the users that you want to provision from Domain 2 into Group_domain2. If you don't do this, ZPA will fail with the error "No primary group found".
5. In the ZPA zone, go to Groups, and add both Group_domain1 and Group_domain2.
6. Add Group_domain1 into an AD group called ZPA_MasterGroup. This means that the group you select as the ZPA source group is ZPA_MasterGroup, which contains Group_domain1.
7. In ZPA, add ZPA_MasterGroup to Source Group.
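
A pre-flight check for step 4, as an added example that is not part of the original article or of Centrify's tooling: it lists Domain 2 users who are direct members of Group_domain1 but missing from Group_domain2, which is the condition the article ties to "No primary group found". It assumes the RSAT ActiveDirectory module, read access to both forests, and the DNS names domain1.com and domain2.com taken from the sample UPNs in step 3; `Get-DirectMember` is a hypothetical helper name.

```powershell
# Added example, not Centrify code. Checks direct members only (no nested groups).
Import-Module ActiveDirectory

$Domain1 = 'domain1.com'   # assumption: DNS name of Domain 1
$Domain2 = 'domain2.com'   # assumption: DNS name of Domain 2

function Get-DirectMember {
    param([string]$Group, [string]$Server)
    # Read the raw 'member' attribute and resolve each DN to its SID and class.
    $g = Get-ADGroup -Identity $Group -Server $Server -Properties member
    foreach ($dn in $g.member) {
        $o = Get-ADObject -Identity $dn -Server $Server -Properties objectSid
        [pscustomobject]@{ Sid = $o.objectSid; Class = $o.ObjectClass; DN = $dn }
    }
}

$domain2Sid = (Get-ADDomain -Server $Domain2).DomainSID.Value

# Members from the other forest are stored in Domain 1 as
# foreignSecurityPrincipal objects whose objectSid is the remote account's SID.
$foreign = @(Get-DirectMember -Group 'Group_domain1' -Server $Domain1 |
    Where-Object {
        $_.Class -eq 'foreignSecurityPrincipal' -and
        $_.Sid.AccountDomainSid.Value -eq $domain2Sid
    })

$inGroup2 = @(Get-DirectMember -Group 'Group_domain2' -Server $Domain2 |
    ForEach-Object { $_.Sid.Value })

$missing = 0
foreach ($m in $foreign) {
    if ($inGroup2 -notcontains $m.Sid.Value) {
        # Name resolution depends on the trust; fall back to the bare SID.
        try   { $name = $m.Sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        Write-Warning "$name ($($m.Sid.Value)) is in Group_domain1 but not in Group_domain2"
        $missing++
    }
}

"{0} Domain 2 member(s) of Group_domain1 checked, {1} missing from Group_domain2" -f $foreign.Count, $missing
```

Run it before triggering provisioning; any warning names an account that still needs step 4.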