Realms and Trusted Domains

When you configure a realm in the CDO, it is associated with an Active Directory or LDAP domain.

A grouping of Microsoft Active Directory (AD) domains that trust each other is commonly referred to as a forest. This trust relationship can enable domains to access each other's resources in different ways. For example, a user account defined in domain A can be marked as a member of a group defined in domain B.

The system and trusted domains

The system supports AD forests that are configured in a trust relationship. There are several types of trust relationships; this guide discusses two-way, transitive forest trust relationships. The following simple example shows two forests: forest.example.com and eastforest.example.com. Users and groups in each forest can be authenticated by AD in the other forest, provided you configure the forests that way.

If you set up the system with one realm for each forest and one directory for each domain controller, the system can use all of the users and groups in both forests in identity policy.

The simplest way for the Firepower System to access users in Active Directory forests is to set up each forest as a realm in the Firepower System. The forests must be configured with a two-way transitive forest trust relationship.

To continue the example, suppose you have three AD forests (one of which could be a subdomain or an independent forest), all configured with two-way transitive forest trust relationships. In that case, all users and groups are available in all three forests as well as in the system. (As in the preceding example, all three AD forests must be set up as realms and all domain controllers must be configured as directories in those realms.)

You can extend the preceding example by setting up a third forest also configured with two-way transitive forest trust. All three Active Directory forests must be configured with a realm in the Firepower System.

Finally, you can set up the CDO to enforce identity policies on users and groups in a two-forest system with two-way transitive forest trust. Suppose each forest has at least one domain controller, each of which authenticates different users and groups. For the CDO to enforce identity policies on those users and groups, you must set up each forest as a CDO realm and each domain controller as a CDO directory in the respective realm.

If the CDO is not configured this way, some of the users and groups cannot be used in policies. You will see warnings when you try to synchronize users and groups in that case.

A more realistic example is for Active Directory forests to each have subdomains consisting of one or more domain controllers. In this case, each forest corresponds to a realm and each domain controller corresponds to a directory server.

Using the preceding example, set up the CDO as follows:

  • Realm for forest.example.com

    • Directory in the realm for AMERICAS.forest.example.com

    • Directory in the realm for ASIA.forest.example.com

  • Realm for eastforest.example.com

    • Directory in the realm for EUROPE.eastforest.example.com

Note

The CDO uses the AD attribute msDS-PrincipalName to resolve user and group name references in each domain controller. msDS-PrincipalName returns a NetBIOS name.
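The forest-to-realm and domain-controller-to-directory mapping above, together with the msDS-PrincipalName note, can be checked with a small script. This is an added example, not CDO code or a CDO API: the forest topology is the one from this page, the NetBIOS names (AMERICAS, ASIA, EUROPE) are assumptions, and the realm configuration is deliberately missing one directory to show the gap that would produce synchronization warnings.

```python
from dataclasses import dataclass


@dataclass
class Domain:
    dns_name: str      # subdomain / domain controller, as configured as a CDO directory
    netbios_name: str  # assumed NetBIOS name; msDS-PrincipalName returns NETBIOS\account


@dataclass
class Forest:
    root: str          # forest root; each forest corresponds to a CDO realm
    domains: list


# Constructed topology matching the page's example (NetBIOS names are assumptions).
FORESTS = [
    Forest("forest.example.com", [
        Domain("AMERICAS.forest.example.com", "AMERICAS"),
        Domain("ASIA.forest.example.com", "ASIA"),
    ]),
    Forest("eastforest.example.com", [
        Domain("EUROPE.eastforest.example.com", "EUROPE"),
    ]),
]

# Constructed CDO configuration: realm -> directories. ASIA is intentionally omitted.
CDO_REALMS = {
    "forest.example.com": ["AMERICAS.forest.example.com"],
    "eastforest.example.com": ["EUROPE.eastforest.example.com"],
}


def missing_directories(forests, realms):
    """Return (realm, domain) pairs lacking a realm or directory; these users/groups
    cannot be used in identity policies."""
    gaps = []
    for forest in forests:
        dirs = realms.get(forest.root)
        if dirs is None:
            gaps.append((forest.root, None))  # whole forest has no realm
            continue
        gaps.extend((forest.root, d.dns_name) for d in forest.domains if d.dns_name not in dirs)
    return gaps


def resolve_principal(principal_name, forests, realms):
    """Map an msDS-PrincipalName value (NETBIOS\\account) to (realm, directory, account),
    or None when the domain is unknown or not configured as a directory."""
    netbios, _, account = principal_name.partition("\\")
    for forest in forests:
        for d in forest.domains:
            if d.netbios_name.lower() == netbios.lower():
                if d.dns_name in realms.get(forest.root, []):
                    return (forest.root, d.dns_name, account)
                return None
    return None
```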