Multi-forest configurations

Shopping is designed to cater for two types of multi-forest Active Directory configurations: root-level forest trusts and external trusts. Each trust type has different requirements for where Shopping components must be installed, and rules that must be followed when creating Shopping accounts and groups.

The AD forests may be single or multi-domain. Multi-domain considerations are described in Multi-domain configurations.

For both trust types, Shopping components are installed as follows:

  • On the AD forest where the Configuration Manager central site is located, install the following on the domain where the trust originates:

    • Shopping Web and API, Central service, Shopping database, and Shopping Admin Console

    • Shopping installation accounts

  • On either AD forest, where appropriate, install the following on the accessible domains (shown in orange in the diagrams below):

    • Shopping Receivers, clients, and end-user accounts (for example, Shopping approvers)

Root-level forest trust

When a root-level forest trust is used, install Shopping Central (Web, API and service) on the root domain of the forest. This is the forest where the Configuration Manager site used by Shopping as its central site is located. In this scenario, all domains in the trusted forest are accessible, in addition to all the domains in the local forest.

External trust

When an external trust is used, install Shopping Central on the domain where the external trust originates. This is the forest where the Configuration Manager site used by Shopping as its central site is located. Shopping supports external trusts where these exist one level down from the forest root domain. In this scenario, only the external trusted domain is accessible, in addition to the domains in the local forest.

Restrictions on multi-forest environments

Though Shopping supports the dual-forest domain scenarios illustrated above, there are specific restrictions on the configuration of groups to be used with Shopping and certain implications associated with the way that the domain and trust relationships work with it.

  • Groups must be uniform. They must only contain AD objects from the same domain and forest. All the contained users, machines, or groups must be in the same domain and forest as the group itself. If you need to add objects from another domain or forest, add them to a group that belongs to that domain or forest.

  • Shopping only supports security groups. Distribution groups cannot be used with Shopping, but a security group may have any scope (domain local, global, or universal).

  • Installation domain and accounts: The domain specified during installation is set as the starting point for all AD searches. Any accounts used during installation must belong to that domain and associated forest. Node security users and groups added later using the Shopping Admin console must come from the same domain/forest specified during installation. All other AD groups used in Shopping may come from either forest.

  • Trust relationship and type: Shopping supports two-way trusts where there is an up-level trust between the domains. The domain controllers in the supported dual-forest scenarios must be Windows 2000 Server or later.

  • Trusted domains must be configured correctly and the trusted domain must exist. AD searches in Shopping are severely impacted if there is a trust relationship for a domain that no longer exists.
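The restrictions above can be checked from the installation domain before Shopping is configured. The following PowerShell script is an added example, not part of the 1E Shopping documentation or product. It assumes the ActiveDirectory RSAT module on a domain-joined host in the installation domain; the group names 'Shopping Approvers' and 'Shopping Admins' at the end are placeholders. It flags non-security groups, members from another domain or forest (members under CN=ForeignSecurityPrincipals are cross-forest), trusts that are not two-way up-level trusts, and trusted domains for which no domain controller can be located (the stale-trust case that slows every AD search).

```powershell
# Added audit script (not part of the 1E Shopping documentation). Assumes the
# ActiveDirectory RSAT module and a domain-joined host in the installation domain.
Import-Module ActiveDirectory

# Returns the "DC=...,DC=..." suffix of a distinguished name, i.e. the domain it lives in.
function Get-DnDomainPart {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    ($DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
}

# Checks one group against the Shopping rules: it must be a security group, and every
# member must live in the group's own domain (a foreign security principal means a
# member from another forest).
function Test-ShoppingGroup {
    param([Parameter(Mandatory)][string]$Identity)
    $group = Get-ADGroup -Identity $Identity -Properties member
    $problems = @()
    if ($group.GroupCategory -ne 'Security') {
        $problems += "'$($group.Name)' is a $($group.GroupCategory) group; Shopping requires a security group."
    }
    $groupDomain = Get-DnDomainPart $group.DistinguishedName
    foreach ($memberDn in $group.member) {
        if ($memberDn -like '*,CN=ForeignSecurityPrincipals,*') {
            $problems += "'$($group.Name)' contains a cross-forest member: $memberDn"
        }
        elseif ((Get-DnDomainPart $memberDn) -ne $groupDomain) {
            $problems += "'$($group.Name)' contains a member from another domain: $memberDn"
        }
    }
    [pscustomobject]@{ Group = $group.Name; Domain = $groupDomain; Problems = $problems }
}

# Lists every trust of the local domain, flags the ones Shopping cannot use, and
# confirms that a domain controller can still be located for each trusted domain.
function Test-ShoppingTrusts {
    foreach ($trust in Get-ADTrust -Filter *) {
        $notes = @()
        if ($trust.Direction -ne 'BiDirectional') { $notes += 'not two-way' }
        if ($trust.TrustType -ne 'Uplevel')       { $notes += 'not an up-level trust' }
        $kind = 'external trust'
        if ($trust.IntraForest) { $kind = 'intra-forest' } elseif ($trust.ForestTransitive) { $kind = 'forest trust' }
        try {
            $null = Get-ADDomainController -DomainName $trust.Target -Discover -ErrorAction Stop
            $reachable = $true
        }
        catch {
            $reachable = $false
            $notes += 'no domain controller found (a trust to a missing domain slows every AD search)'
        }
        [pscustomobject]@{
            Target    = $trust.Target
            Kind      = $kind
            Direction = $trust.Direction
            Reachable = $reachable
            Notes     = ($notes -join '; ')
        }
    }
}

# Example run. The installation domain is the starting point for all Shopping AD searches,
# so the audit is run from there.
$installDomain = Get-ADDomain
"Installation domain (search root): $($installDomain.DNSRoot), forest: $($installDomain.Forest)"
Test-ShoppingTrusts | Format-Table -AutoSize
# Placeholder group names; replace with the groups you intend to use with Shopping.
'Shopping Approvers', 'Shopping Admins' | ForEach-Object { Test-ShoppingGroup -Identity $_ }
```

The group check reads the raw member DNs rather than resolving each member, so it does not need credentials in the trusted forest and still identifies cross-forest members. A group that reports problems should not be used with Shopping directly; instead, as the text above says, move those objects into a group that belongs to their own domain or forest.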