Is there any impact to the Service Desk LDAP integration if an Active Directory (AD) Domain or Forest is changed or migrated.


Article ID: 50738


Updated On:


CA IT Asset Manager CA Software Asset Manager (CA SAM) ASSET PORTFOLIO MGMT- SERVER SUPPORT AUTOMATION- SERVER CA Service Desk Manager - Unified Self Service KNOWLEDGE TOOLS CA Service Management - Asset Portfolio Management CA Service Management - Service Desk Manager



This document explains what will happen to Service Desk Contact information if LDAP integration is used and the AD Domain is changed. It also outlines the steps that need to be taken if that AD domain is changed.


If the AD Domain that is integrated with Service Desk is changed and the pdm_ldap_sync utility is run, all Contacts with LDAP attributes will be set to inactive. This is because their existing ldap_dn attribute does not match that of the new AD domain.

You need to update the value in the ldap_dn attribute in the Contact object (in the usp_contact table) with the new AD domain name before you run the pdm_ldap_sync utility. You can do this using the following steps:

  1. Take an extract of the usp_contact table as follows:

    pdm_extract usp_contact > contacts.txt

  2. Edit the contacts.txt file and change all the occurrences of the old domain values in the ldap_dn attribute to the new domain value.
    For example, change "DC=domain1,DC=company,DC=com" to "DC=domain2,DC=company,DC=com"

  3. Update the LDAP options in options manager (Administration tab -> Options Manager -> LDAP) to reflect the new AD domain.

  4. Restart the Service Desk services.

  5. Run pdm_load to update the ldap_dn value for the contacts using the file edited in step 2 as follows:

    pdm_load -a -v -f contacts.txt

  6. Run the pdm_ldap_sync utility and verify that the utility synchronises the contacts correctly.


Component: ARGIS