This section describes Windows NT provisioning across multiple domains with two-way trusts. The following constraints apply when managing multiple domains from a single domain.
Terms referenced in this section are:
Gateway domain – Domain that the gateway machine is a member of.
Resource admin account – Administrative account defined in the Identity Manager resource.
Service account – Account that the gateway service is running as.
These trusts must be established:
The gateway domain needs to trust each domain in which a resource admin account is defined.
The gateway does a local login using the resource admin account, so its domain must trust the domain that the account lives in.
The gateway domain needs to trust each domain for which you will be doing pass-through authentication.
The gateway does a local login to authenticate user accounts, so its domain needs to trust the domain for those accounts.
The resource admin account must be a member of the Account Operators group in each domain that will be used to manage accounts. Each of these domains must trust the domain that contains the resource admin account.
You cannot add an account to a local group unless the account's domain is trusted by the local group's domain.
The domain of the service account must be trusted by the gateway domain.
When the gateway service is started, a local login of the service account is done. If any of the resource admin accounts are different than the service account or you will be doing pass-through authentication for any of the domains, then the service account needs the Act As Operating System and Bypass Traverse Checking user rights in the gateway domain. These rights are required for the service account to login as and impersonate another.
If you will be creating home directories, then the resource admin account needs to be able to create directories on the file system on which the directories will be created. If the home directory will be created on a network drive, the resource admin account must have write access to the file system in the Temp or TMP environmental variables of the gateway process; or, if not defined, the gateway process's working directory (this is either WINNT or WINNT\system32).
If you will be running before, after, or resource actions, the resource admin account needs read and write access to the file system in the TEMP or TMP environment variables of the gateway process; or, if not defined, the gateway processes' working directory (this is either WINNT or WINNT\system32).
The gateway writes the scripts and the script output to one of these directories (the directory is selected in the order in which they are mentioned).
Configure a separate resource adapter for each domain. The same gateway host can be used.
It should be possible to manage multiple domains using a single resource by overriding any domain-specific resource attributes (the domain and possibly the administrator and password) for each user.
Since a domain trusts itself, some of the trust relationships do not need to be made explicit when the two domains in questions are really the same domain.
You can use the same account for the resource admin account for all managed domains, as well as the service account, if you set up the appropriate trust relationships, group membership, and user rights.