Multiple Active Directories in one service now instance

ryan_percival · ‎11-04-2014

Hi Guys,

So basically as it says in the title we are going to be using around 18 AD servers to get user records but these are all for the same company so domain separation isn't really an option for us.

The reason we have so many AD servers is that each one is a franchise and we aren't allowed to merge the AD servers with our main one, we basically need some way to be able to import the AD records from the 18 servers into one service now.

We were initially thinking of coalescing on the GUID with it being globally unique but i not sure if this would work as we would potentially still end up with some users having the same login name.

Any suggestions or help is very much appreciated.

Thanks

Ryan

poyntzj · ‎11-04-2014

ahh.

I feel the user_name field will come into play I'm afraid. It is a unique index in Servicenow and when I did look to ask them to remove this and make objectGUID a unqiue index, it ended up with a long discussion with a developer who indicated it had the potential to break quite a lot by making user_name non unique.

After that I went down the prefix route.

View solution in original post

poyntzj · ‎11-04-2014

We had the same here with a couple of domains (internal and external) and for name changes

We ended up with either a single account for a user who was on both domains or two accounts for the change of name.

While we could get objectGUID added and use it as a coalese field, we still had the problem of the user_name field being used.

In the end, we left all the users on the internal domain with their normal user_name - julian.poyntz

any user on the external domain were prefixed with the domain prefix - EXT\julian.poyntz

that sorted out the first problem

for people who get married, their old account is disabled and a new one is created- not totally ideal, but it works

Cheers

ryan_percival · ‎11-04-2014

Thanks for the reply Julian, the prefixing may be an option but the thing is that the user accounts are for people who work in different companies that are owned by our parent company, we are basically awarded the contracts to run a franchise and then we have to support their IT, so they all have separate AD servers as we may lose the contract after a few years so we can't link them all into one AD.

poyntzj · ‎11-04-2014

Hi Ryan

our domain structure is setup as follows

ad.abc.com
ext.abc.com
devint.abc.com

We use SSO as well

for our users they know that the need to enter ad\julian.poyntz (internal) or ext\julian.poyntz (external) if they ever get prompted to sign on - only if they are out of the office

are you using SSO or are the users login on as needed ?

Sounds like we are a similar set up - multi country, multi company (and their sub companies), various contracts which may come and go (or transfer to another internal company) and need seperation of data.

two different approaches

ryan_percival · ‎11-04-2014

HI Julian,

We aren't using SSO at the moment as we are only telephone based for the time being, we will be eventually moving to have the self-service portal available so they will need to be able to log in as needed we have some employees that share a desktop as we work in the rail industry and have people at booking offices that don't need a PC each.

we need everyones incidents to be in one place so that each of our reslover groups can see all the data for each franchise.

Thanks