Link Jamf Pro to TWO different Active Directory Domain for authentication (mobile devices only)

conitsupport
Contributor

Hi we are in the process of taking over a primary school and already have our school linked to Jamf Pro via Active Directory(AD) and im wondering whether we can simply just add another AD server to our JAMF Pro for authentication. At present our server is internal BUT we do have a DMZ server setup for outside of school connections / access.

Is it feasible and has anyone done this? if so how?

Thanks.

4 ACCEPTED SOLUTIONS

mike_paul
Contributor III

It would use both. It would start searching in the one with the lower JSS ID as shown in the JSS url when in the object, essentially always prioritizing the one that was created first. Some orgs use this logic if they have a really large directory and actually add the same AD multiple times, first starting with the main OU they plan to search and then adding it again with the full or larger OU so that way it would search one specific one first prior to moving on to the entire domain.

View solution in original post

gabester
Contributor III

Similar but different...
An org I worked with had scoped their LDAP connection to a particular OU and I needed to add an account from another OU. I added another LDAP connection to the other OU where the desired account resided and I was able to add it. It took me more time to figure out why I couldn't add the desired account to begin with... I hadn't realized they had restricted the scope to that one OU. I suspect adding two different LDAP domains will work similarly... although beware issues that may arise if there are duplicate account names in both directories!
g=

View solution in original post

conitsupport
Contributor

Thanks for the responses, im really just waiting on JAMF to say yes it wont break what you've got setup, but with this information i think i may try / test it out, Sterritt. as for duplicated we have different naming conventions for the AD Accounts (or will have)

View solution in original post

Emmert
Valued Contributor

You can absolutely add two. We have both a staff and a student domain set up slightly differently and it's worked fine for many years.

View solution in original post

6 REPLIES 6

conitsupport
Contributor

41f8b84c4bb0478f93a2eaf378b88e4f
Basically if i add another Active directory server here, would it overwrite our existing school one? or would it now look at both AD servers for authenticating users when enrolling iPad?

mike_paul
Contributor III

It would use both. It would start searching in the one with the lower JSS ID as shown in the JSS url when in the object, essentially always prioritizing the one that was created first. Some orgs use this logic if they have a really large directory and actually add the same AD multiple times, first starting with the main OU they plan to search and then adding it again with the full or larger OU so that way it would search one specific one first prior to moving on to the entire domain.

View solution in original post

gabester
Contributor III

Similar but different...
An org I worked with had scoped their LDAP connection to a particular OU and I needed to add an account from another OU. I added another LDAP connection to the other OU where the desired account resided and I was able to add it. It took me more time to figure out why I couldn't add the desired account to begin with... I hadn't realized they had restricted the scope to that one OU. I suspect adding two different LDAP domains will work similarly... although beware issues that may arise if there are duplicate account names in both directories!
g=

View solution in original post

conitsupport
Contributor

Thanks for the responses, im really just waiting on JAMF to say yes it wont break what you've got setup, but with this information i think i may try / test it out, Sterritt. as for duplicated we have different naming conventions for the AD Accounts (or will have)

View solution in original post

Emmert
Valued Contributor

You can absolutely add two. We have both a staff and a student domain set up slightly differently and it's worked fine for many years.

View solution in original post

conitsupport
Contributor

Thanks people for your replies, ive set it up and its working.