We have run into an issue where a client has multiple Active Directory domains, each in a separate forest, and the identity manager (OIM) needs to provision into all of them.
Oracle’s Active Directory connector documentation states that the connector server should be in the same domain that you intend to provision into. Taken literally, this means that a separate connector server is required for every AD domain.
If we adhere to this design, we eventually need as many connector servers as there are AD domains. Running that many connector server processes consumes significant system resources and becomes cumbersome to manage over time.
Oracle’s restriction that “the connector server should be in the same domain that you intend to provision into” exists because the PowerShell commands the connector uses internally perform a domain verification that succeeds only when the connector host’s domain is the target domain or has a trust relationship with it. So if there is an Active Directory cross-domain trust between the domain hosting the connector server and the target domain, the same commands work and the following design is possible.
In the diagram there are three Active Directory domains (A, B, C), and OIM needs to provision into all three. Suppose Domain B has two domain trusts, one with Domain A and one with Domain C.
Because Domain B has a trust with both A and C, we can place a single connector server in Domain B. The trust direction matters: the account the connector server runs under (or the admin account configured in the IT resource) must be able to authenticate in A and in C, so a one-way trust pointing the wrong way is not enough; a two-way trust is the simplest case.
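Before committing to this design it is worth proving, from the prospective connector server host, that the trusts exist and that the host can actually bind to each target domain. The script below is an added pre-flight check written for this post and is not part of the Oracle connector or its documentation; it assumes the RSAT ActiveDirectory module is installed on the host in Domain B, and the domain names `b.example.com`, `a.example.com` and `c.example.com` are placeholders for A, B and C.

```powershell
# Added example (not from the original post or the Oracle connector):
# verify, from the host in Domain B, that trusts to the target domains
# exist and that a bind to each target domain succeeds.
# Assumptions: RSAT ActiveDirectory module present; domain names are placeholders.
Import-Module ActiveDirectory

$ConnectorDomain = 'b.example.com'                       # domain hosting the connector server (assumed)
$TargetDomains   = @('a.example.com', 'c.example.com')   # domains OIM must provision into (assumed)

# 1. Enumerate the trusts defined in the connector server's own domain.
$trusts = Get-ADTrust -Filter * -Server $ConnectorDomain

foreach ($target in $TargetDomains) {
    $t = $trusts | Where-Object { $_.Target -eq $target }
    if (-not $t) {
        Write-Warning "No trust from $ConnectorDomain to $target; a connector server in $ConnectorDomain cannot serve it."
        continue
    }

    # Direction is reported from the perspective of $ConnectorDomain.
    # For an account from $ConnectorDomain to be authenticated by $target,
    # the trust must be Bidirectional, or Inbound (incoming) on this side.
    "{0,-20} Direction={1,-14} ForestTransitive={2,-5} Type={3}" -f $t.Target, $t.Direction, $t.ForestTransitive, $t.TrustType
    if ($t.Direction -eq 'Outbound') {
        Write-Warning "  Trust to $target is outbound only; accounts from $ConnectorDomain will not be authenticated there."
    }

    # 2. Prove it: locate a writable DC in the target domain and bind to it
    #    with the current credentials (the account the connector will run as).
    try {
        $dc  = Get-ADDomainController -DomainName $target -Discover -Writable -ErrorAction Stop
        $dom = Get-ADDomain -Server $dc.HostName[0] -ErrorAction Stop
        "  OK: bound to {0} via {1} as {2}\{3}" -f $dom.DNSRoot, $dc.HostName[0], $env:USERDOMAIN, $env:USERNAME
    }
    catch {
        Write-Warning "  Trust exists but binding to $target failed: $($_.Exception.Message)"
    }
}
```

Run it as the account the connector server service will use. If the IT resource is configured with an administrator account from the target domain instead, add `-Credential` to the `Get-ADDomain` call with that account, since that is the identity the provisioning operations will actually use.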
So the final design would be as shown in the figure below: