How To Restrict The Number Of Domains That Are Queried When Adding AD Users In The Orchestrator?

How can the domains queried while adding users to the Orchestrator be limited? There are unused domains in the AD and there are insufficient permissions to query the forest.

Sometimes, the following errors may be encountered while attempting to add AD users to the Orchestrator:

  • Could not retrieve '______' forest. ActiveDirectoryObjectNotFoundException*The specified forest does not exist or cannot be contacted. (In the Event Viewer logs on the Orchestrator server)
  • A 500 error when a call to "https://{Orchestrator URL}/api/DirectoryService/GetDomains" is made. (In the HAR trace captured while inspecting the Orchestrator website)

These errors indicate that access to some of the domains in an organization might be restricted. Alternatively, the service account used for AD integration might not have sufficient permissions to query all the forests, making it desirable to limit the scope to a target domain. This is mostly seen in large AD environments with numerous forests and domains.

Orchestrator (more precisely, the Identity Service) retrieves the domains and forests that are in a trust with the domain of which the Orchestrator server is a member, and tries to access them. Orchestrator checks which domain the Orchestrator machine belongs to, constructs the union of the machine domain and the domains with which it has a two-way trust, and lists all of them when AD users are added. As such, there should be unrestricted access to all the domains.

  • Starting with version 2022.4, there is a way to enable the domain filter; however, it is more scenario-specific. It applies only to legacy AD adapters, and only if upgraded from an Orchestrator version that had AD enabled to 2021.10 or later. Read more about this in Enabling Domain Filter.
  • For all other scenarios, as of now, there is no direct way of filtering or limiting the domains that are queried. Consequently, all the domains need to be reachable from the Orchestrator.
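To find out which domains are not reachable, the following added example (not UiPath code) enumerates the machine domain and its two-way trust partners and tries to resolve each one. It assumes that trust enumeration through the .NET System.DirectoryServices.ActiveDirectory classes approximates the list the Identity Service builds, and that it is run on the Orchestrator server under the service account used for AD integration; all variable names are illustrative.

```powershell
# Added diagnostic example, not UiPath code.
# Assumption: approximates the domain list built by the Identity Service.
Add-Type -AssemblyName System.DirectoryServices
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]

# Domain the Orchestrator machine is joined to.
$machineDomain = $Domain::GetComputerDomain()

# Collect trusts at domain level and, if permitted, at forest level.
$trusts = @($machineDomain.GetAllTrustRelationships())
try {
    $trusts += @($machineDomain.Forest.GetAllTrustRelationships())
} catch {
    Write-Warning "Forest trusts not readable: $($_.Exception.GetBaseException().Message)"
}

# Union of the machine domain and every two-way trust partner.
$names = @($machineDomain.Name) + @(
    $trusts |
        Where-Object { $_.TrustDirection -eq 'Bidirectional' } |
        ForEach-Object { $_.TargetName })

$report = foreach ($name in ($names | Sort-Object -Unique)) {
    $row = [ordered]@{ Name = $name; Domain = 'FAILED'; Forest = 'FAILED'; Error = '' }
    try {
        $ctx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new('Domain', $name)
        $d = $Domain::GetDomain($ctx)      # can the domain be contacted?
        $row.Domain = 'OK'
        $null = $d.Forest.Name             # can its forest be resolved?
        $row.Forest = 'OK'
    } catch {
        # PowerShell wraps .NET exceptions; report the innermost one,
        # e.g. ActiveDirectoryObjectNotFoundException.
        $e = $_.Exception.GetBaseException()
        $row.Error = '{0}: {1}' -f $e.GetType().Name, $e.Message
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize -Wrap
```

Rows marked FAILED are the domains or forests that the account cannot contact from the Orchestrator server.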

In the meantime, here are some helpful resources for reference: