Skip to Content
Author's profile photo Former Member

SAP Afaria 7.0 – Multiple Active Directory Configuration; one installation

In this blog, we are going to see, how we can configure two different Active Directory Domains, with in single installation of Afaria 7.0. Also we will see how to move the users between these domains securely, without loosing any apps and policies. This method is more useful when same Afaria to be used with different Active Directory domains, which can be of different business units, different geography for same company.



  1. Installed SAP Afaria 7.0 SP08 and above. The installation can be of Master only or with slaves installation.
  2. Two identified Active Directory domains are accessible (pin-gable) from the installed servers of Afaria.
  3. User ids in Active Directories have access to full path with in the Active Directory.
  4. Have Administrator access to the Afaria Admin page.
  5. Have details about the configuration policies, application policies and groups created in the Afaria Tenant.
  6. Device Enrollment and App downloads are working normal in a tenant, which is already configured with one Active Directory Domain.

For an example we take Active Directory names as and

Detailed Steps:

Tenant Creation for to Configure with new Active Directory Domain

Logon to Afaria Admin Page, with Administrator Access.

In main tenant, navigate to Server > Configuration > Tenant > New

Provide Tenant Name and Note about the new Tenant

Configuration of new Active Directory

Restart the Afaria Server and launch back Afaria Admin page. Navigate to the newly created Tenant.

In the new tenant, navigate to Server > Configuration > Security and provide details about new AD details, as Server Address (eg:, User, password, Search root path etc.


Configure further with Certificate Authority, Enrollment SSP URL and Enrollment Policy.

Now the main step is that we need to create similar configuration policy, application policy with same app version that was created in the Tenant 1, which is connected to There is no transfer or import of policies between tenants and so it needs to be created manually.

Create User Groups mapping to Active Directory and link to the respective configuration and application policies.

Ensure that you have maintained exactly the same policies and groups between the tenants. This will ensure there will be no app loss when migrating users to the newly created tenants.

Before migrating the users, check the newly configured tenant by enrolling a device, with a user that is created in domain and has necessary groups assigned.

Migrating devices between tenants

Navigate to the Tenant1 connected to

Select the device which needs to be migrated between the Active Directory.

Unapprove the device, while prepared for migrating the device between the tenants.

Now select the device to move between Tenant and click the “Move to Tenant” button. Select the newly created tenant, where the device needs to be moved.

Once the device is moved to newly created Tenant2 configured with, ensure you have similar user account in the Acitive Directory with necessary groups assigned to the user account.

Ensure that the device is moved to new tenant, by navigating to the Tenant2 from Afaria Admin Page.

Now keeping the device unapproved, select the device and click “Edit” action link


When clicked “Edit” it would bring in a screen as below

Edit the “(SSP) Registered User” from to and click Save

This would now change the Active Domain, that is registered with the device to the new AD Domain.

We can ensure this by clicking the Show Inspector button, by selecting the device.


Now approve the device and Apply Policy to get the new configuration policies that is linked to the new Active Directory group.

Looking forward to your feedback and comments.



Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.