Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) offers a Microsoft Active Directory (AD) bridge that enables organizations to keep AD as the authoritative source for identities while allowing those identities to access systems and applications that are not directly integrated with AD. The bridge establishes a connection between the on-premises AD environment and OCI IAM. Over this connection, any changes made to user or group records in AD (additions, updates, or deletions) are synchronized to an OCI IAM identity domain.
The most common errors encountered during the initial setup of the Microsoft AD bridge are related to synchronization. This blog post provides essential information, tips, and useful links to help you establish successful connections to your source and target endpoints. Before proceeding, we recommend that you review the guidelines in About the Microsoft Active Directory (AD) Bridge for setting up the AD bridge connection.
One potential synchronization issue is that users synchronize but the corresponding groups don't. In these cases, the logs might display an error such as "ERROR IDBridge - GetResponseAsync: The server cannot handle directory requests". Use any of the following troubleshooting methods to determine the cause.
In certain cases, the on-premises environment consists of a single AD domain, while different environments, such as development, QA, and production, are segregated at the network level. Each of these environments has its own set of users and groups that need to be synchronized. A requirement to have a separate AD bridge connector for each environment is not feasible in this scenario: the AD bridge identifies a connection only by the domain name, which is the same across all environments, so you can establish only one AD bridge connection.
If you have a hierarchical Active Directory structure with a root AD domain and child domains, and you have configured an AD bridge in the root domain, it may not work as expected if you're hoping to retrieve users and groups from the child domains. To synchronize those users, you must configure an AD bridge separately for each child domain.
Another common objective is to enable high availability for the AD bridge configuration in the production environment. To do so, you must set up the AD bridge on two distinct Windows machines and submit a service request with Oracle Support to activate the high availability feature. Even with high availability enabled, there is no automatic domain controller discovery to connect to another domain controller if the current one becomes unreachable. In such cases, you can initiate manual discovery by using the Detect Domain Controller button in the AD bridge connector agent.
These examples represent a few of the scenarios that you might encounter when configuring the Oracle Cloud Infrastructure IAM Microsoft AD bridge. We hope that they are useful during troubleshooting. If you refer to the AD bridge installation documentation and follow the instructions provided, you can successfully establish a synchronization process. To learn more, visit the Oracle Identity Cloud Service documentation.
Ranjini Rajendran is a senior cloud engineer with extensive experience in OCI. Her areas of expertise cover Identity and Access Management, security, and federation with IDCS/Identity Domains for enabling single sign-on and automatic user provisioning, and she has knowledge of OCI infrastructure, Terraform, Python, and the OCI CLI.