LDAP Configuration For A Complex AD Forest

Hello all.

I have gotten Wildfire to work for the most part in my complex AD forest (100k+ users, 500+ domain controllers, etc.). The only problem I am having now is with LDAP groups.

First, here is my AD structure:

Top domain: top.foo.bar

8 child domains based upon region: region1.top.foo.bar, region2.top.foo.bar, etc.

I have set my to this universal group, no groups show up in the admin console.

But, if I keep everything the same but use a global catalog server in one of the regional domains (region1.top.foo.bar for example), I can see the global groups from that regional domain, but no others.

Is this a problem with group nesting in AD, or something else?

Any suggestions would be appreciated.


After some research, it looks like this is a limitation of Active Directory Universal Groups.

If anyone has info to the contrary, I would like to see it.

Right now, it looks like I'm going to set up a Wildfire server for each domain (8 total!) and use S2S and the auto accept subscriptions plugin to manage shared rosters with users from other servers.