How to configure an additional domain in ADSelfService Plus
Last updated on:In this article
Objective
This article provides instructions on adding additional domains in ADSelfService Plus. Integrating multiple domains enables administrators to manage self-service password resets, account unlocks, and authentication policies across different AD environments.
Steps to configure an additional domain
- Log in to the ADSelfService Plus admin console with the default admin account.
- Click Domain Settings located in the top left corner.
- Click on the Add New Domain button.
- Enter the domain name of the second domain.
- Click the Discover button to auto-detect domain controllers.
- If domain controllers are not automatically discovered, manually add them by entering their details in the Add Domain Controllers field.
- Enable the Authentication checkbox and provide the necessary credentials with sufficient privileges to manage the domain.
- Click Save to apply the configurations.
Validation and confirmation
- Ensure the newly added domain appears under Domain Settings in ADSelfService Plus.
- Confirm that ADSelfService Plus can communicate with the domain controllers of the second domain by verifying firewall rules and RPC connectivity.
Troubleshooting tips
If you encounter issues while configuring additional domains, ensure that you have followed these steps:
- Log in using the default admin account. The option to add a second domain will not be visible if you are logged in with any other account.
- The ADSelfService Plus application is installed and running.
- Verify that the required AD-related ports listed below are open to allow communication between the ADSelfService Plus server and the domain controllers of the second domain.
| Port | Protocol | Service |
|---|---|---|
| 53 | TCP/UDP | Domain Name System (DNS) |
| 88 | TCP/UDP | Kerberos authentication |
| 123 | UDP | Windows Time service (W32Time) |
| 135 | TCP | RPC Endpoint Mapper |
| 389 | TCP/UDP | Lightweight Directory Access Protocol (LDAP) |
| 445 | TCP | Server Message Block (SMB) |
| 464 | TCP/UDP | Kerberos password change |
| 636 | TCP | LDAP over SSL |
| 3268 | TCP | Global Catalog LDAP |
| 3269 | TCP | Global Catalog LDAP over SSL |
| 49152-65535 | TCP | RPC dynamic ports |
Why are RPC dynamic ports required?
- Remote Procedure Call (RPC) is used for remote management and AD replication between domain controllers.
- ADSelfService Plus communicates with domain controllers via the RPC Endpoint Mapper (port 135), which assigns dynamic ports from the range 49152-65535 for subsequent connections.
- These dynamic ports are necessary for AD-related queries, user authentication, and group policy updates.
- If RPC dynamic ports are blocked, ADSelfService Plus may fail to retrieve domain information or authenticate users against the second domain.
