Skip to main content



How can we help you?


Druva Documentation

How to configure AD mapping from a single AD security group for multiple domain environments

Heads up!

We've transitioned to a new documentation portal to serve you better. Access the latest content by clicking here.

Article by:

Deepjyoti Das

Case Number: NA

Publish date:


Article type: 

Approved by:  Nishesh Saxena Feature category: Installation and configuration

This article applies to:

  • Product edition: inSync Cloud


If you want to import users into inSync from separate domains in your environment, it is not necessary to create separate connections to those domains. 

Importing users into inSync from separate domains does not require creating separate connections to the domains. AD mapping can be configured such that inSync can import users from separate parent and child domains using a single AD security group. 

Configure AD mapping 

The configuration of AD mapping from a single AD security group for multiple domain environments is performed as follows:

  1. Configure the inSync Connector and AD security group
  2. Register the AD/LDAP account
  3. Create AD mapping

Configure the inSync Connector and AD security group

  1. Log in to the inSync Management Console.
  2. Go to wheel.png > Settings > Connectors tab, add the AD connector and copy the registration key.

  3. Install the inSync AD connector software on a server joined with the parent domain and then register it with the registration key.

  4. Create a universal security group on the parent domain Active Directory.

  5. Import users to this security group from both the parent and child domains.


Ensure both the domains have 2-way trust.

Register the AD/LDAP account

  1. Log in to the inSync Management Console.
  2. Go to Manage>Deployments>AD/LDAP>Accounts tab.
  3. Click Register AD/LDAP account and provide the below details:
    • Host: FQDN/IP address of any domain controller on the parent domain. ( where the security group exists).
    • Port: 3268 (the port for the global catalog)

  4. Open the inSync Connector installed on the Server and click Manage AD accounts.

  5. Enter the domain account credentials that can provide access to both parent and child domains.

Create AD mapping

  1.  On the Mappings tab of the AD/LDAP page, click New Mapping.
  2. Click the Switch to manual AD/LDAP filters link.

  3. On the Create AD/LDAP Mapping window, enter the field values based on the descriptions provided below and click Next.
    • AD/LDAP mapping name:  Name for the AD Mapping
    • AD/LDAP Server: Select the AD server from the drop-down list
    • Base DN: Part of the base domain name that is common across the domain names of the users that are members of the AD security group.
    • Name to be used for creation: Username based on the organizational nomenclature.
    • Organizational unit: Keep this field blank.
    • AD Security group: Distinguished name of the AD security group  (For example, CN=Deep_Security,OU=Deep,DC=Tier2,DC=local)
    • Department: This field is optional
    • Country: This field is optional


Once the mapping is created, inSync must succeed in importing users from the parent and child domains.