Multiple Active Directory Domains with Identity Manager

Article ID: 384636

Products

CA Identity Manager

Issue/Introduction

There is a need to add another Active Directory (AD) domain that will be managed by Identity Manager (IDM). This new domain is not in the same network as the existing AD, but IDM can reach it. The question is: What is the best practice indicated by Broadcom for managing two different domains in the same IDM? Is a separate userstore necessary? Assuming that a user in one AD should only be able to request roles defined for their own domain, would this be enforced through policies with rules that filter on defined user attributes, or by another method?

Environment

Identity Suite Virtual Appliance 14.5

Resolution

  1. Separate AD Endpoints: Each domain will require its own separate AD endpoint. This ensures that IDM can manage each domain independently and effectively.

  2. Unique UPNs: User Principal Names (UPNs) need to be unique across the domains. This prevents conflicts and ensures that each user is uniquely identifiable within the IDM system.

  3. Userstore Considerations: A separate userstore is not strictly necessary, but it can be beneficial depending on your specific requirements and the complexity of your environment. If you choose to use a separate userstore, you will need to deploy a separate Identity Manager cluster. If you choose to use a single userstore, ensure that it can handle the attributes and policies for users from both domains.

  4. Best Practices:

    • Endpoint Configuration: Properly configure each AD endpoint in IDM to ensure seamless communication and management.
    • Policy Enforcement: Implement and enforce policies that restrict role requests based on user attributes to maintain security and compliance.

By following these best practices, you can effectively manage multiple AD domains within a single IDM instance, ensuring both security and operational efficiency.
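The two checks the resolution relies on, UPN uniqueness across the endpoints and a role-request policy keyed on a per-domain user attribute, written out as an added illustration in plain Python. This is not IDM's policy configuration or API; it assumes each imported user carries an `endpoint` attribute naming the AD endpoint it came from, and all sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    upn: str        # userPrincipalName as read from the AD endpoint
    endpoint: str   # hypothetical attribute: which AD endpoint/domain the user came from


@dataclass(frozen=True)
class Role:
    name: str
    endpoint: str   # the domain this role is defined for


def find_upn_conflicts(users):
    """Return UPNs (lower-cased) that occur in more than one endpoint.

    In a single shared userstore two accounts with the same UPN would
    collapse into one identity, so this is checked before the second
    endpoint is imported.
    """
    owner_by_upn = {}
    conflicts = set()
    for u in users:
        key = u.upn.lower()
        owner = owner_by_upn.setdefault(key, u.endpoint)
        if owner != u.endpoint:
            conflicts.add(key)
    return sorted(conflicts)


def may_request(user, role):
    """Policy rule: a user may only request roles defined for their own domain."""
    return user.endpoint == role.endpoint


def eligible_roles(user, roles):
    """Names of the roles this user is allowed to request under may_request."""
    return [r.name for r in roles if may_request(user, r)]


# Constructed sample data: two endpoints, one deliberately colliding UPN.
USERS = [
    User("alice@corp.example", "corp"),
    User("bob@corp.example", "corp"),
    User("Bob@corp.example", "partner"),   # same UPN seen via the second endpoint
    User("carol@partner.example", "partner"),
]
ROLES = [Role("corp-helpdesk", "corp"), Role("partner-vpn", "partner")]
```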