Synchronizing from Microsoft Active Directory to Oracle Internet Directory

Third-Party Directory Integration Concepts and Considerations 16-25

Figure 16–6 Mapping Between Oracle Internet Directory and a Forest in Microsoft Active Directory

In this directory, two domain trees constitute a forest. These trees are in a trust relationship, that is, users in one domain are authenticated by the domain controller in the other domain. This forest in Microsoft Active Directory maps to an identically structured subtree in Oracle Internet Directory.

Considerations for Deployments where Oracle Internet Directory is the Central Directory

If there are multiple Microsoft Active Directory domains, the syncProfileBootstrap command must be run as many times as there are Microsoft Active Directory domains. Each time you run it, you choose the specific data set required by the target Microsoft Active Directory domain. The Oracle Directory Integration Platform provisions users and groups in the respective Microsoft Active Directory domains. Before provisioning can take place, you must configure a one-way synchronization from Oracle Internet Directory to the Microsoft Active Directory domain.

Considerations for Deployments where Microsoft Active Directory is the Central Directory

If there are multiple Microsoft Active Directory servers, then you must bootstrap the data from each Microsoft Active Directory domain. If you use the Global Catalog for one-way synchronization from Microsoft Active Directory to Oracle Internet Directory, then you need to bootstrap only once from the Global Catalog server. The Oracle Directory Integration Platform synchronizes users and groups from the respective Microsoft Active Directory domains into Oracle Internet Directory. Before provisioning can take place, a one-way synchronization between Oracle Internet Directory and a domain controller in each Microsoft Active Directory domain must be established.

16.3.6 Synchronizing with a Multiple-Domain Microsoft Active Directory Environment

This section describes considerations for synchronizing with a multiple-domain Microsoft Active Directory environment. It contains these topics:

■ Configuration Required for Importing from Microsoft Active Directory to Oracle Internet Directory
■ Configuration Required for Importing from Microsoft Active Directory Lightweight Directory Service to Oracle Internet Directory
■ Configuration Required for Exporting from Oracle Internet Directory to Microsoft Active Directory
■ Example: Integration with Multiple Third-Party Directory Domains

[Figure 16–6 labels: Oracle Internet Directory subtree dc=MyCompany,dc=com containing dc=us and dc=uk, with dc=a, dc=b and dc=c below them; mapping base [Root DSE]; Microsoft Active Directory domains us.MyCompany.com, a.us.MyCompany.com, b.us.MyCompany.com, c.us.MyCompany.com, uk.MyCompany.com, b.uk.MyCompany.com and c.b.uk.MyCompany.com, joined by a trust relationship]

16-26 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

16.3.6.1 Configuration Required for Importing from Microsoft Active Directory to Oracle Internet Directory

Normally, importing requires configuring one import profile for each Microsoft Active Directory domain, regardless of whether you are using the DirSync approach or the USN-Changed approach. However, if you are using the USN-Changed approach, you can use the Global Catalog to import from an entire Microsoft Active Directory forest.

You only need to configure a single import profile to use the Global Catalog, but keep in mind the following considerations:

■ Because the Global Catalog is read-only, you can use it only for importing data into Oracle Internet Directory.
■ The Global Catalog does not contain all the attributes, although the attributes it holds can be configured in Microsoft Active Directory.
■ Because the Global Catalog is a point of authentication, you may incur additional overhead if synchronization is started from this point.

16.3.6.2 Configuration Required for Importing from Microsoft Active Directory Lightweight Directory Service to Oracle Internet Directory

Unlike Microsoft Active Directory, only the USN-Changed approach is used for synchronizing from Microsoft Active Directory Lightweight Directory Service (AD LDS), which was previously known as Active Directory Application Mode (ADAM), to Oracle Internet Directory. To import entries from Microsoft AD LDS to Oracle Internet Directory, you must configure an import profile that connects to Microsoft AD LDS with the respective port details.

16.3.6.3 Configuration Required for Exporting from Oracle Internet Directory to Microsoft Active Directory

To integrate with multiple-domain Microsoft Active Directory environments, the Oracle Directory Integration Platform obtains configuration information from each Microsoft Active Directory domain. You must configure as many export profiles as there are Microsoft Active Directory domains.
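As an added example (not code from the Oracle guide or the Oracle Directory Integration Platform), the following Python script mirrors the forest of Figure 16–6 into an identically structured Oracle Internet Directory subtree and works out how many import or export profiles the rules in 16.3.6.1 through 16.3.6.3 require. The domain list and the mapping base dc=MyCompany,dc=com come from the figure; the profile names and the string values used for direction, approach and directory type are assumptions made for this example.

```python
# Added example, not part of the Oracle documentation: derives the Oracle Internet
# Directory subtree that mirrors a Microsoft Active Directory forest and plans how
# many DIP synchronization profiles a deployment needs under the guide's rules.

# Constructed sample forest, using the domain labels shown in Figure 16-6.
FOREST = ["us.MyCompany.com", "a.us.MyCompany.com", "b.us.MyCompany.com",
          "c.us.MyCompany.com", "uk.MyCompany.com", "b.uk.MyCompany.com",
          "c.b.uk.MyCompany.com"]
BASE = "MyCompany.com"  # assumed OID mapping base, i.e. dc=MyCompany,dc=com


def dns_to_dn(domain):
    """a.us.MyCompany.com -> dc=a,dc=us,dc=MyCompany,dc=com"""
    return ",".join("dc=" + label for label in domain.split("."))


def mirror_subtree(domains, base=BASE):
    """Every DN (domains plus intermediate containers) that OID needs so its
    subtree has the same structure as the forest, at or below the base."""
    dns = set()
    for domain in domains:
        labels = domain.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix == base or suffix.endswith("." + base):
                dns.add(dns_to_dn(suffix))
    return sorted(dns, key=lambda dn: (dn.count(","), dn))  # parents first


def plan_profiles(domains, direction, approach, directory="AD", global_catalog=False):
    """direction: 'import' (AD -> OID) or 'export' (OID -> AD).
    approach: 'DirSync' or 'USN-Changed'. directory: 'AD' or 'AD LDS'.
    Returns one (profile name, connect target) pair per profile required,
    or raises ValueError for a combination the guide does not allow."""
    if directory == "AD LDS" and approach != "USN-Changed":
        raise ValueError("AD LDS supports only the USN-Changed approach")
    if global_catalog:
        if direction != "import":
            raise ValueError("Global Catalog is read-only: import only")
        if approach != "USN-Changed":
            raise ValueError("Global Catalog import requires USN-Changed")
        return [("import_forest_gc", "GlobalCatalog")]  # one profile for the forest
    # Without the Global Catalog, every domain needs its own profile.
    return [("%s_%s" % (direction, d), d) for d in domains]


if __name__ == "__main__":
    for dn in mirror_subtree(FOREST):
        print(dn)
    print(len(plan_profiles(FOREST, "import", "DirSync")), "import profiles per domain")
    print(len(plan_profiles(FOREST, "import", "USN-Changed", global_catalog=True)), "via GC")
```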

16.3.6.4 Example: Integration with Multiple Third-Party Directory Domains

A deployment of a third-party directory with multiple domains can have either a single DIT or a combination of two or more DITs. Figure 16–7 shows how multiple domains in a third-party directory are mapped to a DIT in Oracle Internet Directory.

See Also: Microsoft Knowledge Base Article 256938, available from Microsoft Help and Support at http://support.microsoft.com, for information about Global Catalog attributes in the Microsoft Active Directory schema.