Troubleshoot Cross-Domain Trust

Typical issues with troubleshooting the management center configuration for cross-domain trust include the following:

Not adding realms or directories for all forests that have shared groups.
Configure a realm to exclude users from being downloaded and those users are referenced in a group in a different realm.
Certain temporary issues.

Understand the issues

If there are issues with the management center being able to synchronize users and groups with your Active Directory forests, the Sync Results tab page is displayed similar to the following.

You can troubleshoot user download errors when users are stored in different Active Directory repositories. Read the columns left to right. Click the triangular icon to get more information.

The following table explains how to interpret the information.


Column	Meaning
Realms	Displays all realms configured in the system. Click Refresh () to update the list of realms. Yellow Triangle () is displayed to indicate issues in the realm. Nothing is displayed next to a realm if all users and groups synchronized successfully.
Groups	Click Groups to display all groups in the realm. As with realms, Yellow Triangle () is displayed to indicate issues. Click Yellow Triangle () to see more detail about the issue.
Users	Click Users to display all users, sorted by group.
Users contained in the selected group	Displays all users in the group you selected in the Groups column. Clicking Yellow Triangle () displays more information to the right of the table.
Groups that contain selected user	Displays all groups the selected user belongs to. Clicking Yellow Triangle () displays more information to the right of the table.
Error detail information (displayed to the right of the table).	The system displays the NetBIOS forest name and group name it could not synchronize. Typical reasons the system cannot synchronize these users and groups follow: Problem: The forest containing the groups and users do not have corresponding realms configured in the management center. Solution: Add a realm for the forest that contains the group as discussed in Create an LDAP Realm or an Active Directory Realm and Realm Directory. Problem: You excluded groups from being downloaded to the management center. Solution: Click the Realms tab page, click Edit (), then move the indicated group or user from the Excluded Groups and Users list.

Try downloading users and groups again

If there is a possibility the issues are temporary, download users and groups for all realms.

If you haven't done so already, log in to the management center.
Click Integration > Other Integrations > Realms.
Click Download ().
Click the Sync Results tab page.
If no indicator is displayed for entries in the Realms column, the issues have been resolved.

Add a realm for all forests

Make sure you configured:

management center realm for each forest that has users you want to use in identity policies.
management center directory for each domain controller in that forest with users you want to use in identity polices.

The following figure shows an example.

To avoid issues with your identity deployment, make sure you either configure one realm per Active Directory forest or one directory for each Active Directory domain controller.