Note: Applies to Directory Premium hybrid (on-premises AD) deployments only
Prerequisites
Before you start, make sure you are using a supported version of the Directory Agent (3.9.0 or higher). You can always find out which agent version you have installed, and download the latest agent from Settings -> General in the Directory web application.
Upgrade instructions can be found here.
Also, make sure you have credentials for a service account local to each domain you wish to add to the existing Directory-connected AD setup, with the same read/write permissions on the attributes you want Directory to manage.
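Before editing the settings file it is worth confirming that the credentials you plan to put under ADCredentials can actually reach and bind to the additional domain. The script below is an added pre-check written for this article, not a tool shipped with the Directory Agent. It assumes the RSAT ActiveDirectory module is installed on the agent host; the domain controller name and sample user are placeholders you replace with your own.

```powershell
# Added pre-check (not part of the Directory Agent): reachability, bind and a read test
# against the additional domain, using the RSAT ActiveDirectory module (assumed installed).
Import-Module ActiveDirectory

function Test-AdditionalDomainAccess {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # placeholder, e.g. dc01.otherdomain.local
        [Parameter(Mandatory)][pscredential]$Credential,   # the account you will enter under ADCredentials
        [Parameter(Mandatory)][string]$SampleUser          # sAMAccountName of any user in that domain
    )
    $result = [ordered]@{ DnsRoot = $null; LdapPort = $false; Bind = $false; Read = $false }

    # 1. Network reachability on the LDAP port
    $result.LdapPort = Test-NetConnection -ComputerName $DomainController -Port 389 -InformationLevel Quiet

    # 2. Bind with the credentials; failure here means the account, not the config, is the problem
    try {
        $domain = Get-ADDomain -Server $DomainController -Credential $Credential -ErrorAction Stop
        $result.Bind    = $true
        $result.DnsRoot = $domain.DNSRoot
    } catch {
        return [pscustomobject]$result
    }

    # 3. Read a user from that domain, including the objectGUID the connector uses by default
    try {
        $user = Get-ADUser -Identity $SampleUser -Server $DomainController -Credential $Credential `
                           -Properties objectGUID -ErrorAction Stop
        $result.Read = ($null -ne $user.objectGUID)
    } catch { }

    return [pscustomobject]$result
}

# Prompt for the password rather than typing it on the command line
$cred = Get-Credential -Message 'Account for the additional domain'
Test-AdditionalDomainAccess -DomainController 'dc01.otherdomain.local' -Credential $cred -SampleUser 'jdoe'
```

All three flags should be True before you continue; a False on Read with a True Bind usually points at missing read permissions for the account rather than at connectivity. Write permissions on the managed attributes still need to be confirmed separately.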
Configuration
1 Stop the Directory Service from the services.msc snap-in console
2 Using a text editor of your choice, open ADProviderSettings.json from C:\Users\<hyperfishsvc>\AppData\Local\Hyperfish\Connectors\ where <hyperfishsvc> is the name of the service account running the Directory Service
3 The initial detected domain should already be configured in the settings file.
- Create a new entry for each additional domain, following the existing format.
- Enter the name of the AD Server for the additional domain
- If the service account has permissions to that other domain, you do not need to add credentials, and can skip step 4
4 If you do need to add credentials, you need to provide a username and password under “ADCredentials”:
Username – the username of a domain administrator for the additional domain
EncryptedPassword (generated using Encryptor.exe) – to generate the encrypted string for the password, use Encryptor.exe, a command-line utility included with the agent, which uses the Windows Data Protection API (DPAPI).
Open a command prompt session and use the runas command to start a command prompt session as the Directory Service account
e.g. "runas /user:DOMAIN\user cmd"
You will be prompted to enter a password for the Directory Service account.
In the new command prompt session, navigate to "C:\Users\<hyperfishsvc>\AppData\Local\Hyperfish\versions\<version number>\agent", where <hyperfishsvc> is the name of your Directory service account, and <version number> is your current Directory agent version
e.g. "cd C:\Users\hyperfishsvc\AppData\Local\Hyperfish\versions\3.5.X\agent"
Run Encryptor.exe followed by the domain admin password
e.g. "Encryptor.exe secret", where "secret" is the password (without quotes):
Warning: the password is passed as a plaintext command-line argument and is visible on screen during this step
Copy the resulting encrypted string, remove any line breaks, and paste it into the EncryptedPassword field.
Save the file, then start the Directory Service.
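The reason step 4 insists on running Encryptor.exe as the Directory Service account is a property of DPAPI: data protected with the current-user scope can only be unprotected by that same Windows account, so a string generated under your own login would be unreadable to the service. The script below is an added illustration of that mechanism, written for this article; it is not Encryptor.exe and its Base64 output format is an assumption that may differ from what Encryptor.exe produces, so keep using Encryptor.exe for the real configuration value. It targets Windows PowerShell 5.1 and prompts for the password instead of taking it as an argument, which avoids the on-screen plaintext noted in the warning.

```powershell
# Added illustration (not Encryptor.exe): DPAPI protection scoped to the current user,
# which is why the real tool must run under the Directory Service account.
# Output encoding (single-line Base64) is an assumption, not Encryptor.exe's format.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([Parameter(Mandatory)][System.Security.SecureString]$Secret)
    # Materialise the SecureString only inside this function and free the BSTR immediately
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Array]::Clear($bytes, 0, $bytes.Length)
    # One line of Base64, so nothing has to be stripped before pasting into the JSON file
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][string]$Blob)
    # Throws a CryptographicException when called by a different Windows user
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Blob), $null,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [Text.Encoding]::UTF8.GetString($bytes)
}

# Prompt rather than accept the password on the command line: nothing is echoed to the
# console or left in the session history.
$secure    = Read-Host -Prompt 'Password for the additional domain account' -AsSecureString
$encrypted = Protect-Secret -Secret $secure
Write-Output "Protected under $env:USERDOMAIN\$env:USERNAME (CurrentUser scope): $encrypted"

# Round-trip check from the same account; the plaintext itself is never written out
if ((Unprotect-Secret -Blob $encrypted).Length -gt 0) { Write-Output 'Round-trip OK' }
```

Run it once from your own login and once from a runas session as the service account: the blob produced by one will fail to unprotect in the other, which is exactly the behaviour the runas step in the procedure relies on.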
Confirm Functionality
- Within the Directory Web Application, navigate to Settings -> General. Directory details should show comma separated domains.
- From the Directory scope selection section, open the OU diagram. There should be a dropdown for each domain; selecting one should show the map for the new domain.
- Search for users from the newly added domain from any people picker in the Directory Web App, for example, Pilot users.
Things to Consider
If your company does not use the default AD ObjectGUID, we would recommend reviewing the article linked below on configuring Source Anchor Attributes.
Configuring Source Anchor Attributes
If you need any assistance setting this up, please contact support@livetilesglobal.com