Question: Does ServiceDesk support Active Directory (AD) child domains that are part of a parent domain? Specifically, can such domains be synced, used to log users in via the child and/or the parent domain, or used with automatic pass-through authentication?
Answer: No, ServiceDesk does not support child domains that are part of a parent domain. Using ServiceDesk in this manner results in the loss of functionality for child domain users, as described below.
Technical Information
Review the user table to see why logins for child domain users fail. For example, run the following against the ServiceDesk (Ensemble) database:
USE Ensemble
SELECT * FROM [user]
Review the two fields PrimaryEmail and ADLoginName. The AD domain recorded in ADLoginName is the domain ServiceDesk authenticates the user against. A user whose account lives in "child_domain" (imported with a child_domain.com address) who tries to log in with the corresponding parent_domain.com address fails authentication, because that user is not a direct member of "parent_domain". Note: if the user exists in both domains, this creates a further problem. The user is imported twice, and ServiceDesk treats the two records as separate accounts. Tickets assigned to the parent_domain.com account do not cross-reference those assigned to the child_domain.com account; they are completely separate.
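As an added example (not part of the original article), the following T-SQL query, run against the same Ensemble database, lists mailbox names in PrimaryEmail that appear under more than one mail domain. This is how a user imported from both the parent and the child domain shows up as two ServiceDesk accounts. It assumes PrimaryEmail is a standard user@domain address; the table and column names are the ones the article references, and the child_domain.com / parent_domain.com values in the comments are placeholders.

```sql
USE Ensemble;

-- Added example: find ServiceDesk accounts that share the same mailbox name
-- under different mail domains (e.g. one row under parent_domain.com and one
-- under child_domain.com). Assumes PrimaryEmail is in user@domain form.
WITH mail AS (
    SELECT
        PrimaryEmail,
        ADLoginName,
        LOWER(LEFT(PrimaryEmail, CHARINDEX('@', PrimaryEmail) - 1)) AS LocalPart,
        LOWER(SUBSTRING(PrimaryEmail, CHARINDEX('@', PrimaryEmail) + 1, LEN(PrimaryEmail))) AS MailDomain
    FROM [user]
    -- Rows without an '@' would make LEFT() fail on a negative length, so skip them.
    WHERE PrimaryEmail LIKE '%@%'
)
SELECT m.LocalPart, m.MailDomain, m.PrimaryEmail, m.ADLoginName
FROM mail AS m
JOIN (
    -- A mailbox name seen under two or more domains is a duplicate candidate.
    SELECT LocalPart
    FROM mail
    GROUP BY LocalPart
    HAVING COUNT(DISTINCT MailDomain) > 1
) AS dup ON dup.LocalPart = m.LocalPart
ORDER BY m.LocalPart, m.MailDomain;
```

Treat the result as a list of candidates to review rather than confirmed duplicates: two genuinely different people who happen to share a mailbox name in different domains will also match. The ADLoginName column in each row shows which domain ServiceDesk will try to authenticate that particular record against.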
Workaround
More than one AD server can be configured in ServiceDesk: one pointing to the parent domain and a second pointing to the child domain. This allows users from either domain to be imported, synced, logged in, and authenticated with automatic pass-through. However, each user must log into ServiceDesk with the account from the domain it was imported from; a child_domain.com account still cannot log in as the corresponding parent_domain.com account.
Related Resources
Users that are members of a group membership are not synced into ServiceDesk
http://www.symantec.com/business/support/index?page=content&id=TECH122202