In this blog, we are going to see how to configure two different Active Directory domains within a single installation of Afaria 7.0. We will also see how to move users between these domains securely, without losing any apps or policies. This method is useful when the same Afaria installation is to be used with different Active Directory domains, for example for different business units or different geographies of the same company.
- SAP Afaria 7.0 SP08 or above is installed. The installation can be Master only or Master with slaves.
- Both identified Active Directory domains are reachable (pingable) from the installed Afaria servers.
- The user IDs in the Active Directories have access to the full path within their Active Directory.
- Have Administrator access to the Afaria Admin page.
- Have details of the configuration policies, application policies and groups created in the existing Afaria tenant.
- Device enrollment and app downloads are working normally in a tenant that is already configured with one Active Directory domain.
As an example, we take the Active Directory domain names ADDomain1.com and ADDomain2.com.
Tenant Creation to Configure the New Active Directory Domain
Logon to Afaria Admin Page, with Administrator Access.
In main tenant, navigate to Server > Configuration > Tenant > New
Provide a Tenant Name and a Note for the new tenant.
Configuration of new Active Directory
Restart the Afaria Server and reopen the Afaria Admin page. Navigate to the newly created tenant.
In the new tenant, navigate to Server > Configuration > Security and provide the details of the new AD, such as the Server Address (eg: ADDomain2.com), User, Password, Search root path etc.
Configure further with Certificate Authority, Enrollment SSP URL and Enrollment Policy.
Now the main step: we need to create the same configuration policies and application policies, with the same app versions, that were created in Tenant 1, which is connected to ADDomain1.com. There is no transfer or import of policies between tenants, so they need to be created manually.
Create user groups mapped to the Active Directory ADDomain2.com and link them to the respective configuration and application policies.
Ensure that you have maintained exactly the same policies and groups between the tenants. This ensures there will be no app loss when migrating users to the newly created tenant.
Before migrating the users, check the newly configured tenant by enrolling a device, with a user that is created in ADDomain2.com domain and has necessary groups assigned.
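Because policies cannot be exported between tenants, the parity check in the steps above is done by hand. The following added example (not Afaria's own code) does the comparison from inventories you transcribe from each tenant's Admin page, and also rewrites the "(SSP) Registered User" for the target domain; the tenant contents are constructed sample data.

```python
# Added example (not Afaria's own code): pre-migration parity check between two
# tenants. The inventories are assumed to be transcribed by hand from each
# tenant's Admin page; the sample contents below are constructed.
from dataclasses import dataclass, field


@dataclass
class Tenant:
    name: str
    ad_domain: str
    config_policies: set = field(default_factory=set)
    app_policies: dict = field(default_factory=dict)  # policy name -> app version
    groups: dict = field(default_factory=dict)        # AD group -> linked policy names


def parity_issues(src: Tenant, dst: Tenant) -> list:
    """List mismatches that would cost a migrated device apps or policies."""
    issues = []
    for p in sorted(src.config_policies - dst.config_policies):
        issues.append(f"config policy '{p}' missing in {dst.name}")
    for name, ver in sorted(src.app_policies.items()):
        if name not in dst.app_policies:
            issues.append(f"app policy '{name}' missing in {dst.name}")
        elif dst.app_policies[name] != ver:
            issues.append(f"app policy '{name}' is version {ver} in {src.name} "
                          f"but {dst.app_policies[name]} in {dst.name}")
    for grp, links in sorted(src.groups.items()):
        if grp not in dst.groups:
            issues.append(f"group '{grp}' missing in {dst.name} ({dst.ad_domain})")
            continue
        for p in sorted(links - dst.groups[grp]):
            issues.append(f"group '{grp}' in {dst.name} is not linked to '{p}'")
    return issues


def new_registered_user(registered_user: str, src: Tenant, dst: Tenant) -> str:
    """Rewrite the '(SSP) Registered User' value for the target tenant's domain."""
    user, sep, domain = registered_user.rpartition("@")
    if not sep or domain.lower() != src.ad_domain.lower():
        raise ValueError(f"{registered_user!r} is not a {src.ad_domain} user")
    return f"{user}@{dst.ad_domain}"


# Constructed sample: Tenant2 has one stale app version and one group missing a link.
TENANT1 = Tenant("Tenant1", "ADDomain1.com", {"WiFi", "Email"},
                 {"SalesApp": "2.1", "HRApp": "1.0"},
                 {"Sales": {"WiFi", "Email", "SalesApp"}, "HR": {"Email", "HRApp"}})
TENANT2 = Tenant("Tenant2", "ADDomain2.com", {"WiFi", "Email"},
                 {"SalesApp": "2.0", "HRApp": "1.0"},
                 {"Sales": {"WiFi", "Email", "SalesApp"}, "HR": {"HRApp"}})
```

Run `parity_issues(TENANT1, TENANT2)` and fix every reported item in Tenant2 before moving any device; an empty list is the go-ahead.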
Migrating devices between tenants
Navigate to Tenant1, which is connected to ADDomain1.com.
Select the device that needs to be migrated between the Active Directory domains.
Unapprove the device in preparation for moving it between the tenants.
Now select the device to move and click the “Move to Tenant” button. Select the newly created tenant to which the device needs to be moved.
Once the device is moved to the newly created Tenant2 configured with ADDomain2.com, ensure you have a matching user account in the ADDomain2.com Active Directory with the necessary groups assigned to it.
Confirm that the device has moved to the new tenant by navigating to Tenant2 from the Afaria Admin page.
Now, keeping the device unapproved, select the device and click the “Edit” action link.
Clicking “Edit” brings up a screen like the one below.
Edit the “(SSP) Registered User” from testuser01@ADDomain1.com to testuser01@ADDomain2.com and click Save
This changes the Active Directory domain registered with the device to the new AD domain.
We can confirm this by selecting the device and clicking the Show Inspector button.
Now approve the device and apply the policy to get the new configuration policies that are linked to the new Active Directory group.
Looking forward to your feedback and comments.