Configure the domain controller

When ArcGIS Enterprise is configured to use groups and users managed in Microsoft Active Directory and is in an environment with multiple domains in a single forest, it uses the Active Directory Global Catalog to obtain user and group information from all domains. However, ArcGIS Enterprise will be unable to collect this information if it binds to a domain controller that does not also serve as a global catalog. For example, it might only return information about users and groups from the domain where ArcGIS Enterprise resides.

If your Active Directory deployment includes multiple domain controllers, but not all domain controllers are configured as global catalog servers, you must manually specify the domain controller or controllers used by ArcGIS Enterprise. To do so, follow the steps below.

  1. Open the ArcGIS Portal Directory and sign in as a member with administrative privileges.

    The URL to the ArcGIS Portal Directory is formatted https://webadaptorhost.domain.com/webadaptorname/portaladmin.

  2. Click security > config > Update Identity Store.
  3. On the Update Identity Store page, copy and paste the following text into the User store configuration dialog box:
    {
     "type": "WINDOWS",
     "properties": {
      "userPassword": "secret",
      "isPasswordEncrypted": "false",
      "user": "mydomain\\winaccount",
      "userFullnameAttribute": "cn",
      "userEmailAttribute": "mail",
      "caseSensitive": "false",
      "domainControllerAddress": "[IP Address], [alternate IP Address]",
      "domainControllerMapping": "domain_A.example.com=[IP address], [alternate IP address]; domain_B.example.com=[IP address], [alternate IP address]"
     }
    }

    Optionally, more than one IP address can be listed for the domainControllerAddress property. If multiple IP addresses are listed, order them based on priority. Your ArcGIS Enterprise portal will attempt to communicate with the first one listed and will fall back to subsequent ones only if the first one becomes unavailable.

    If your Active Directory environment includes multiple domains within a forest and you want to include IP addresses for the domain controllers assigned to each domain, use the domainControllerMapping parameter in both the User store configuration and Group store configuration dialog boxes. You can list multiple IP addresses for each domain.

  4. If the portal will leverage existing Active Directory groups, copy and paste the following text into the Group store configuration dialog box:
    {
     "type": "WINDOWS",
     "properties": {
      "userPassword": "secret",
      "isPasswordEncrypted": "false",
      "user": "mydomain\\winaccount",
      "domainControllerAddress": "[IP Address], [alternate IP Address]",
      "domainControllerMapping": "domain_A.example.com=[IP address], [alternate IP address]; domain_B.example.com=[IP address], [alternate IP address]"
     }
    }
  5. Update the userPassword and user properties (required), and the domainControllerAddress and domainControllerMapping properties (optional) with the appropriate values.
  6. Click Update Configuration to save your configuration.
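
The check below is an added example, not Esri's code. It parses the domainControllerAddress and domainControllerMapping values from a configuration like the ones in steps 3 and 4 and reports leftover placeholders, malformed mapping entries and the sample password before the text is pasted into the portal. The function names are hypothetical, and the check assumes every entry is an IP address literal, as the placeholders above indicate.

```python
import ipaddress
import json

def parse_dc_list(value):
    """Split a comma-separated, priority-ordered list into validated IP strings."""
    items = [item.strip() for item in value.split(",") if item.strip()]
    if not items:
        raise ValueError("empty domain controller list")
    # ip_address() raises ValueError on leftovers such as "[IP Address]"
    return [str(ipaddress.ip_address(item)) for item in items]

def parse_dc_mapping(value):
    """Parse 'domain=ip, ip; domain=ip' into {domain: [ip, ...]}, keeping order."""
    mapping = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        domain, sep, ips = entry.partition("=")
        domain = domain.strip().lower()
        if not sep or not domain:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        if domain in mapping:
            raise ValueError(f"duplicate domain: {domain}")
        mapping[domain] = parse_dc_list(ips)
    return mapping

def check_store(config_text):
    """Return a list of problems found in one identity store configuration."""
    props = json.loads(config_text).get("properties", {})
    problems = [f"{key} is missing" for key in ("user", "userPassword")
                if not props.get(key)]  # both are required (step 5)
    if props.get("userPassword") == "secret":
        problems.append("userPassword still holds the sample value")
    for key, parser in (("domainControllerAddress", parse_dc_list),
                        ("domainControllerMapping", parse_dc_mapping)):
        if key in props:  # both are optional (step 5)
            try:
                parser(props[key])
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    return problems

# Constructed sample: documentation-range addresses, one placeholder left in.
SAMPLE = json.dumps({"type": "WINDOWS", "properties": {
    "user": "mydomain\\winaccount", "userPassword": "secret",
    "domainControllerAddress": "192.0.2.10, 192.0.2.11",
    "domainControllerMapping": "domain_A.example.com=192.0.2.10; "
                               "domain_B.example.com=[IP address]"}})

if __name__ == "__main__":
    for problem in check_store(SAMPLE):
        print(problem)
```

The order returned by parse_dc_list is the order the portal will try the controllers in, so it doubles as a review of the fallback priority.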