Multiple Active Directories in one ServiceNow instance

ryan_percival

Hi Guys,

 

So basically, as it says in the title, we are going to be using around 18 AD servers to get user records, but these are all for the same company, so domain separation isn't really an option for us.

 

The reason we have so many AD servers is that each one is a franchise and we aren't allowed to merge the AD servers with our main one. We basically need some way to be able to import the AD records from the 18 servers into one ServiceNow instance.

 

We were initially thinking of coalescing on the GUID, since it is globally unique, but I'm not sure if this would work, as we would potentially still end up with some users having the same login name.

 

Any suggestions or help is very much appreciated.

 

Thanks

 

Ryan

ACCEPTED SOLUTION

ahh.


I feel the user_name field will come into play, I'm afraid. It is a unique index in ServiceNow, and when I did look to ask them to remove this and make objectGUID a unique index, it ended up in a long discussion with a developer who indicated it had the potential to break quite a lot by making user_name non-unique.



After that I went down the prefix route.



9 REPLIES

poyntzj

We had the same here with a couple of domains (internal and external) and for name changes.


We ended up with either a single account for a user who was on both domains or two accounts for the change of name.



While we could get objectGUID added and use it as a coalesce field, we still had the problem of the user_name field being used.


In the end, we left all the users on the internal domain with their normal user_name - julian.poyntz.


Any user on the external domain was prefixed with the domain prefix - EXT\julian.poyntz.


That sorted out the first problem.


For people who get married, their old account is disabled and a new one is created - not totally ideal, but it works.



Cheers
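
The prefix approach described above, as an added example that is not code from this thread or from ServiceNow: plain JavaScript with no ServiceNow APIs, planning an import that coalesces on objectGUID, derives user_name with a domain prefix for every domain except the primary one, and flags any name that would collide with the unique index before the row is written. The primary domain name and all sample records are constructed assumptions.

```javascript
// Added example (not from the thread): plan an import of AD records from several
// domains into one user table that coalesces on objectGUID but still carries a
// unique index on user_name. Plain JavaScript, no ServiceNow APIs involved.
const PRIMARY_DOMAIN = "ad.abc.com"; // assumed: users here keep a bare user_name

// Derive user_name for a record: bare for the primary domain, otherwise
// prefixed with the domain's short name, e.g. "EXT\julian.poyntz".
function deriveUserName(rec) {
  const sam = rec.sAMAccountName.toLowerCase();
  if (rec.domain.toLowerCase() === PRIMARY_DOMAIN) return sam;
  const prefix = rec.domain.split(".")[0].toUpperCase();
  return prefix + "\\" + sam;
}

// existing: array of {objectGUID, user_name} already in the target table.
// records:  array of {objectGUID, sAMAccountName, domain} from the LDAP sources.
// Returns {update, insert, conflict}: a conflict is a user_name already owned
// by a different objectGUID, which the unique index would reject on write.
function planImport(existing, records) {
  const byGuid = new Map(existing.map(u => [u.objectGUID, u]));
  const byName = new Map(existing.map(u => [u.user_name, u.objectGUID]));
  const plan = { update: [], insert: [], conflict: [] };
  for (const rec of records) {
    const userName = deriveUserName(rec);
    const owner = byName.get(userName);
    if (owner !== undefined && owner !== rec.objectGUID) {
      plan.conflict.push({ objectGUID: rec.objectGUID, user_name: userName, heldBy: owner });
      continue;
    }
    const action = byGuid.has(rec.objectGUID) ? "update" : "insert";
    plan[action].push({ objectGUID: rec.objectGUID, user_name: userName });
    byName.set(userName, rec.objectGUID); // reserve the name within this batch
  }
  return plan;
}

// Constructed sample data (not real accounts). guid-4 models an AD account that
// was deleted and recreated: same sAMAccountName, new objectGUID.
const EXISTING = [{ objectGUID: "guid-1", user_name: "julian.poyntz" }];
const RECORDS = [
  { objectGUID: "guid-1", sAMAccountName: "Julian.Poyntz", domain: "ad.abc.com" },
  { objectGUID: "guid-2", sAMAccountName: "julian.poyntz", domain: "ext.abc.com" },
  { objectGUID: "guid-3", sAMAccountName: "julian.poyntz", domain: "devint.abc.com" },
  { objectGUID: "guid-4", sAMAccountName: "julian.poyntz", domain: "ad.abc.com" },
];
```

The conflict list is what a transform script would have to resolve by hand (for example the disable-and-recreate step Julian describes) rather than letting the insert fail.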


Thanks for the reply, Julian. The prefixing may be an option, but the thing is that the user accounts are for people who work in different companies that are owned by our parent company. We are basically awarded the contracts to run a franchise and then we have to support their IT, so they all have separate AD servers, as we may lose the contract after a few years, so we can't link them all into one AD.


Hi Ryan


Our domain structure is set up as follows:


  • ad.abc.com
  • ext.abc.com
  • devint.abc.com

We use SSO as well


Our users know that they need to enter ad\julian.poyntz (internal) or ext\julian.poyntz (external) if they ever get prompted to sign on - only if they are out of the office.



Are you using SSO, or are the users logging on as needed?




Sounds like we have a similar set-up - multi-country, multi-company (and their sub-companies), various contracts which may come and go (or transfer to another internal company) and need separation of data.


Two different approaches.


Hi Julian,



We aren't using SSO at the moment, as we are only telephone-based for the time being. We will eventually be moving to have the self-service portal available, so they will need to be able to log in as needed. We have some employees that share a desktop, as we work in the rail industry and have people at booking offices that don't need a PC each.



We need everyone's incidents to be in one place so that each of our resolver groups can see all the data for each franchise.



Thanks