Multi-domain AD synchronization
Context
If your company has multiple legal entities or IT domains, Avanteam can merge these sources into a single organizational chart.

Prerequisites
- Access to multiple Active Directory domains
- Service accounts with read rights on each domain
- Avanteam system administration rights
- Network configuration allowing communication between domains
Operating principle
Logical Merge
An employee from domain A can be hierarchically attached to a manager from domain B. The system unifies this information in a single coherent organizational chart.

Multi-domain architecture
- Multiple AD forests: Support for multiple distinct Active Directory directories
- Unification: Data merge into a single Avanteam organizational chart
- Conflict management: Priority rules in case of duplicates
Configuration
Define source domains
For each AD domain, configure:
- LDAP path: One per domain, e.g. LDAP://DC=domain1,DC=com and LDAP://DC=domain2,DC=com
- Service account: Credentials with read rights on each domain
- Connection port: Default 389 (LDAP) or 636 (LDAPS)
LDAP filters by domain
Configure distinct filters per entity to feed a single, coherent organizational chart during automatic synchronizations.
Example of filter by domain:
Domain 1 (Headquarters):
(&(objectCategory=person)(objectClass=user)(company=Headquarters))
Domain 2 (Subsidiary):
(&(objectCategory=person)(objectClass=user)(company=Subsidiary))
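The two filters above can be checked offline before a synchronization run. The following is an added example, not Avanteam code: a small evaluator for the subset of LDAP filter syntax (RFC 4515) the filters use, run against constructed entries that stand in for AD objects. It shows why the objectCategory=person clause matters: computer accounts also carry objectClass=user and would otherwise be pulled into the organizational chart.

```python
"""Evaluate per-domain LDAP filters locally against constructed AD-like entries.

Added example (not Avanteam's code). It supports the filter subset used on this
page: AND '&', OR '|', NOT '!', equality 'attr=value' and presence 'attr=*'.
Escapes (\\2a ...) and substring filters are not handled. Attribute names and
values are compared case-insensitively, as Active Directory does.
"""

HQ_FILTER = "(&(objectCategory=person)(objectClass=user)(company=Headquarters))"
SUB_FILTER = "(&(objectCategory=person)(objectClass=user)(company=Subsidiary))"

# Constructed sample entries standing in for objects read from two domains.
# objectClass is multi-valued in AD, so it is stored as a list.
DIRECTORY = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "company": "Headquarters"},
    {"sAMAccountName": "bob", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "company": "headquarters"},   # case differs from the filter value, still matches
    {"sAMAccountName": "carol", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "company": "Subsidiary"},
    {"sAMAccountName": "svc-backup", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},   # no company attribute
    {"sAMAccountName": "FILESRV01$", "objectCategory": "computer",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "company": "Headquarters"},   # computer account: has objectClass=user but is not a person
]


def parse_filter(text):
    """Parse a filter string into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    text = text.strip()
    end, node = _parse_node(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after filter: %r" % text[end:])
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse_node(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %r filter" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one operand")
        return i + 1, (op, children)
    close = s.find(")", i)
    if close == -1:
        raise ValueError("unterminated simple filter")
    attr, sep, value = s[i:close].partition("=")
    if not sep or not attr:
        raise ValueError("expected attr=value in %r" % s[i:close])
    return close + 1, ("=", attr.lower(), value)


def _values(entry, attr):
    """Return the entry's values for attr (name matched case-insensitively), always as a list."""
    for name, value in entry.items():
        if name.lower() == attr:
            return value if isinstance(value, list) else [value]
    return []


def matches(node, entry):
    """True if the entry satisfies the parsed filter tree."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    values = _values(entry, attr)
    if wanted == "*":   # presence test
        return bool(values)
    return any(str(v).lower() == wanted.lower() for v in values)


def select_users(filter_text, entries):
    """Return the sAMAccountNames of the entries the filter accepts, in input order."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print("Domain 1:", select_users(HQ_FILTER, DIRECTORY))
    print("Domain 2:", select_users(SUB_FILTER, DIRECTORY))
```

Running the headquarters filter over the sample entries returns alice and bob only: the service account without a company value and the computer account are both left out, which is the behaviour to expect from the real directory when the same filter is given to the synchronization.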
Attribute mapping
Associate AD attributes from each domain to Avanteam fields:
| AD Attribute | Avanteam Field | Notes |
|---|---|---|
| sAMAccountName | Identifier | Prefix with domain name if necessary |
| displayName | Full name | |
| manager | Manager | Can point to another domain |
| department | Department | |
| company | Company | To identify origin |
Inter-domain relationship management
The system allows you to:
- Assign a manager from domain A to an employee from domain B
- Create cross-domain departments grouping multiple domains
- Manage delegations between domains
Synchronization scheduling
Recommended frequency
- Daily: For stable environments
- Several times per day: For rapidly evolving environments
- Real-time: Via webhook, available with Azure AD only
Synchronization order
- User synchronization from each domain
- Department and hierarchy synchronization
- Inter-domain relationship resolution (managers, delegations)
- Final organizational chart consistency verification
Conflict management
Potential duplicates
When a user exists in multiple domains:
- Merge strategy: Define which domain takes priority
- Unique identifier: Use the email address as the identification key
- Markers: Add a domain prefix to the login (e.g. DOM1\user, DOM2\user)
Broken relationships
If a manager is not found in any domain:
- Alert log: The system records the anomaly
- Manual action: The administrator must correct the relationship
- Fallback: A default manager can be defined
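The synchronization order and the conflict rules above (attribute mapping, cross-domain manager links, duplicate handling, broken relationships) can be followed end to end on constructed data. The example below is added here and is not Avanteam's code; the record layout, the `synchronize()` function and the `Person`/`SyncResult` types are assumptions made for the illustration. It loads users domain by domain in priority order, deduplicates them by email address, prefixes logins with the domain, groups departments across domains, resolves manager DNs across domains, writes an alert for a manager found in no domain and applies an optional default manager, then runs a final consistency check over the chart.

```python
"""Logical merge of users from several AD domains into one organizational chart.

Added example, not Avanteam's code. Steps follow the synchronization order on
this page: (1) users per domain, (2) departments, (3) inter-domain manager
resolution, (4) consistency check. Duplicates are resolved by domain priority
with the email address as key; logins carry a DOMAIN\\login prefix; a manager
found in no domain is logged and replaced by the optional default manager.
All input records are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Priority order for duplicates: the first domain listed wins.
DOMAIN_PRIORITY = ["DOM1", "DOM2"]

# Constructed records as read from each domain (attribute names as in the mapping table).
RAW_USERS = {
    "DOM1": [
        {"sAMAccountName": "ceo", "displayName": "Claire Dupont", "mail": "claire@example.com",
         "department": "Direction", "company": "Headquarters", "manager": None,
         "distinguishedName": "CN=Claire Dupont,OU=Users,DC=domain1,DC=com"},
        {"sAMAccountName": "jdoe", "displayName": "John Doe", "mail": "john@example.com",
         "department": "IT", "company": "Headquarters",
         "manager": "CN=Claire Dupont,OU=Users,DC=domain1,DC=com",
         "distinguishedName": "CN=John Doe,OU=Users,DC=domain1,DC=com"},
    ],
    "DOM2": [
        # Same person as DOM1\jdoe (same email): DOM1 has priority, this record is skipped.
        {"sAMAccountName": "jdoe", "displayName": "John Doe", "mail": "john@example.com",
         "department": "IT", "company": "Subsidiary",
         "manager": "CN=Claire Dupont,OU=Users,DC=domain1,DC=com",
         "distinguishedName": "CN=John Doe,OU=Users,DC=domain2,DC=com"},
        # Manager lives in DOM1: a cross-domain hierarchical link.
        {"sAMAccountName": "mmueller", "displayName": "Max Mueller", "mail": "max@example.com",
         "department": "Sales", "company": "Subsidiary",
         "manager": "CN=Claire Dupont,OU=Users,DC=domain1,DC=com",
         "distinguishedName": "CN=Max Mueller,OU=Users,DC=domain2,DC=com"},
        # Manager DN exists in no domain: a broken relationship.
        {"sAMAccountName": "tmp", "displayName": "Temp Worker", "mail": "temp@example.com",
         "department": "IT", "company": "Subsidiary",
         "manager": "CN=Gone Person,OU=Users,DC=domain2,DC=com",
         "distinguishedName": "CN=Temp Worker,OU=Users,DC=domain2,DC=com"},
    ],
}


@dataclass
class Person:
    identifier: str                 # DOMAIN\login, the marker rule from the page
    full_name: str
    email: str
    department: str
    company: str
    source_domain: str
    manager_dn: Optional[str]       # raw AD value
    manager: Optional[str] = None   # identifier, filled in by step 3


@dataclass
class SyncResult:
    people: dict = field(default_factory=dict)       # identifier -> Person
    dn_index: dict = field(default_factory=dict)     # AD DN -> identifier
    departments: dict = field(default_factory=dict)  # department -> set of identifiers
    alerts: list = field(default_factory=list)       # anomalies for the alert log


def synchronize(raw_users, priority, default_manager=None):
    result = SyncResult()
    by_email = {}
    # Step 1: users from each domain, highest-priority domain first.
    for domain in priority:
        for rec in raw_users.get(domain, []):
            email = rec["mail"].lower()
            ident = f"{domain}\\{rec['sAMAccountName']}"
            if email in by_email:
                result.alerts.append(f"duplicate {email}: {ident} skipped, {by_email[email]} kept")
                # Still index this DN so manager links pointing at the skipped record resolve.
                result.dn_index[rec["distinguishedName"]] = by_email[email]
                continue
            result.people[ident] = Person(ident, rec["displayName"], email, rec["department"],
                                          rec["company"], domain, rec.get("manager"))
            result.dn_index[rec["distinguishedName"]] = ident
            by_email[email] = ident
    # Step 2: departments, grouped by name across domains.
    for p in result.people.values():
        result.departments.setdefault(p.department, set()).add(p.identifier)
    # Step 3: cross-domain manager resolution with alert and fallback.
    for p in result.people.values():
        if p.manager_dn is None:
            continue
        manager = result.dn_index.get(p.manager_dn)
        if manager is None:
            result.alerts.append(f"manager not found for {p.identifier}: {p.manager_dn}")
            manager = default_manager
        p.manager = manager
    # Step 4: consistency check: every manager exists and no chain loops back on itself.
    for p in result.people.values():
        seen, current = {p.identifier}, p.manager
        while current is not None:
            if current not in result.people:
                result.alerts.append(f"{p.identifier}: manager {current} is not in the chart")
                break
            if current in seen:
                result.alerts.append(f"{p.identifier}: circular management chain")
                break
            seen.add(current)
            current = result.people[current].manager
    return result


if __name__ == "__main__":
    outcome = synchronize(RAW_USERS, DOMAIN_PRIORITY, default_manager="DOM1\\ceo")
    for alert in outcome.alerts:
        print("ALERT:", alert)
```

With the default manager set to DOM1\ceo, the run yields four people, an IT department spanning both domains, two alert-log entries (the DOM2 duplicate and the unresolved manager of DOM2\tmp) and no dangling links; without a default manager, DOM2\tmp is left with no manager and stays on the alert log for manual correction.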
Monitoring
Synchronization dashboard
Access synchronization statistics:
- Number of users synchronized per domain
- Number of hierarchical relationships created
- List of errors and conflicts
- Duration of last synchronization
Detailed logs
Consult logs to:
- Identify non-synchronized users
- Detect inter-domain relationships
- Verify attribute mappings
- Trace modifications made
Use case: International group
Context
A company has:
- A headquarters in France (FR domain)
- A subsidiary in Germany (DE domain)
- A subsidiary in the United States (US domain)
Configuration
- Three LDAP connections configured in Avanteam
- Filters by country to target each domain
- Unified organizational chart: The CEO (France) manages directors of each subsidiary
- Cross-functional workflows: A project can involve validators from all 3 countries
Result
- Global visibility of the organization
- International validation workflows
- Centralized rights management
- Consolidated reporting
Security
Best practices
- Dedicated service accounts: One per domain with minimal rights
- LDAPS: Use secure LDAP (port 636) to encrypt communications
- Firewall: Authorize only necessary flows between domains
- Audit: Trace all synchronizations in logs
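A quick way to keep these practices from drifting is to check the per-domain connection settings before each run. The example below is added here and is not Avanteam code; the setting names (`domain`, `path`, `port`, `service_account`) are assumptions for the illustration, not Avanteam configuration keys. It shows a weak configuration beside the corrected one and flags plaintext LDAP on port 389 and a service account reused across domains.

```python
"""Check per-domain LDAP connection settings against the security best practices above.

Added example, not Avanteam's code. The setting names are assumed for the
illustration. check_domains() returns one finding per violated practice and
required_flows() lists the only flows a firewall between the domains needs.
"""

LDAPS_PORT = 636

# Constructed weak configuration: plaintext LDAP and one account shared by both domains.
WEAK_CONFIG = [
    {"domain": "DOM1", "path": "LDAP://DC=domain1,DC=com", "port": 389,
     "service_account": "svc-sync@domain1.com"},
    {"domain": "DOM2", "path": "LDAP://DC=domain2,DC=com", "port": 389,
     "service_account": "svc-sync@domain1.com"},
]

# Corrected configuration: LDAPS on 636 and a dedicated read-only account per domain.
HARDENED_CONFIG = [
    {"domain": "DOM1", "path": "LDAP://DC=domain1,DC=com", "port": 636,
     "service_account": "svc-avanteam-ro@domain1.com"},
    {"domain": "DOM2", "path": "LDAP://DC=domain2,DC=com", "port": 636,
     "service_account": "svc-avanteam-ro@domain2.com"},
]


def check_domains(configs):
    """Return a list of (domain, message) findings; an empty list means all practices are met."""
    findings = []
    account_owner = {}   # service account -> first domain it was seen on
    for cfg in configs:
        domain = cfg["domain"]
        port = cfg.get("port")
        if port != LDAPS_PORT:
            findings.append((domain, f"port {port} is not LDAPS; use port {LDAPS_PORT} "
                                     "so credentials and directory data are encrypted in transit"))
        account = cfg.get("service_account", "").lower()
        if not account:
            findings.append((domain, "no service account configured"))
        elif account in account_owner:
            findings.append((domain, f"service account {account} is shared with "
                                     f"{account_owner[account]}; use one dedicated account per domain"))
        else:
            account_owner[account] = domain
    return findings


def required_flows(configs):
    """Flows the firewall must allow: one (domain, port) pair per configured domain, nothing else."""
    return sorted({(cfg["domain"], cfg["port"]) for cfg in configs})


if __name__ == "__main__":
    for domain, message in check_domains(WEAK_CONFIG):
        print(f"{domain}: {message}")
    print("allowed flows:", required_flows(HARDENED_CONFIG))
```

On the weak configuration the check reports three findings (port 389 on both domains and the shared account on the second); on the corrected one it reports none, and the required flows reduce to port 636 towards each domain.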
Rights management
- Rights are centrally managed in Avanteam
- Synchronization only modifies directory data
- Business profiles and roles remain under control of Avanteam administrators
Troubleshooting
Issue: Users not synchronized
Possible causes:
- LDAP filter too restrictive
- Service account without sufficient rights
- Network connectivity problem
Solution:
- Check synchronization logs
- Test the LDAP connection with an external tool such as LDP.exe
- Adjust filters if necessary
Issue: Incorrect hierarchical relationships
Possible causes:
- The "manager" attribute is incorrectly populated in AD
- Incompatible DN (Distinguished Name) format
- Manager in non-synchronized domain
Solution:
- Verify data in source AD
- Adjust attribute mapping
- Manually create missing relationships