---
alias: operation-guide-multipledomains
description: "Configure Multiple Active Directory Domains for seamless integration within the system"
---

# Multiple Active Directory Domains Configuration

Critical Manufacturing MES supports multiple Active Directory domains. Enabling them takes three steps: the host configuration file, the GUI configuration entries and the Security Portal.

## Host configuration file

Set the fully qualified domain name (FQDN) of each domain in the `LDAPPATH` key of the `BusinessTier\Cmf.Foundation.Services.HostService.dll.config` file. As an example:

```xml
```

!!! info
    For more information on the variables, see the [[operation-guide-configurationfiles]] page.

## GUI Configuration entries

Set the configuration entries that reference the inserted LDAPs, specifically:

* `/Cmf/System/Configuration/LDAP/Credentials/[FQDN]/DisableCertificateValidation`
* `/Cmf/System/Configuration/LDAP/Credentials/[FQDN]/Port`
* `/Cmf/System/Configuration/LDAP/Credentials/[FQDN]/UseSSL`
* `/Cmf/System/Configuration/LDAP/Credentials/[FQDN]/UserName/`
* `/Cmf/System/Configuration/LDAP/Credentials/[FQDN]/UserPassword/`
* `/Cmf/System/Configuration/LDAP/Credentials/[FQDN]/Domain/`

`UserName` and `UserPassword` are the credentials the system binds to that domain with, and `UseSSL`, `Port` and `DisableCertificateValidation` control the transport to its controllers. Keep `DisableCertificateValidation` off outside troubleshooting: with validation disabled, those credentials are presented to whatever host answers on the configured `Port`, which defeats the point of `UseSSL`.

!!! warning
    Each set of configurations must exist for every configured domain.

!!! info
    The configuration entry `/Cmf/System/Configuration/LDAP/Credentials/[FQDN]/Domain` for each domain is optional. When specified, it allows the system to read the domain directly from the configuration during startup, so no LDAP query is needed to discover it.

The configuration entry `/Cmf/System/Configuration/LDAP/EnableMultipleDomain/` enables role synchronization across multiple domains. When activated, the system uses the user's domain context, automatically follows referrals, and searches for roles across all configured domains. For more information, see [[system-configuration-entries]].
## Security Portal

For the Security Portal to interact with multiple domains, it has to be configured with one Active Directory strategy per domain. This is done by editing its `config.json` file and adding one strategy entry per domain. The file is located at `/app/src/config.json` (inside the Security Portal container); the two strategy entries below are an example:

```json
{
  "id": "ExampleFirstDomain",
  "type": "local-ActiveDirectory",
  "config": {
    "defaultDomain": "examplefirstdomain",
    "ldap": {
      "url": "ldap://examplefirstdomain.local",
      "base": "DC=examplefirstdomain,DC=local",
      "user": "EXAMPLEFIRSTDOMAIN\\messervice",
      "password": ""
    }
  }
},
{
  "id": "ExampleSecondDomain",
  "type": "local-ActiveDirectory",
  "config": {
    "defaultDomain": "exampleseconddomain.company.com",
    "ldap": {
      "url": "ldap://exampleseconddomain.company.com",
      "base": "DC=exampleseconddomain,DC=company,DC=com",
      "user": "EXAMPLESECONDDOMAIN\\mesadmin",
      "password": ""
    }
  }
}
```

The `password` values are left empty in this example; in a real deployment `config.json` holds the bind credentials for every domain in clear text, so restrict read access to the file inside the container and use a dedicated service account per domain rather than an administrative one.

!!! info
    It is not possible to configure more than one strategy through the DevOps Center.

!!! info
    For more information, see the [[operation-guide-security-portal-index]] page.
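The three pieces above (the LDAPPATH domain list, the per-domain GUI entries and the Security Portal strategies) have to agree with each other, and a mismatch only shows up as a failed login later. The following pre-deployment lint is an added example written by the editor; it is not part of Critical Manufacturing MES or its documentation. It assumes things the page does not state: that the Security Portal strategies sit in a JSON array (the page shows only the two objects), that the FQDNs from `LDAPPATH` are passed in as an already split list, and that the GUI entries already created are passed in as a set of path strings. The warning on plain `ldap://` is the editor's recommendation, not a product requirement; the page's own example uses `ldap://`.

```python
"""Lint a multi-domain Security Portal strategy list against the host-tier domain list.

Added example by the editor; not part of Critical Manufacturing MES or its docs.
Assumptions not stated on the page:
  * the strategies in config.json sit in a JSON array (the page shows only the two objects);
  * the FQDNs from the host-tier LDAPPATH key are passed in as a pre-split list;
  * the GUI configuration entries already created are passed in as a set of path strings.
"""
import json
from urllib.parse import urlparse

ENTRY_PREFIX = "/Cmf/System/Configuration/LDAP/Credentials"
# Entries the page lists as required for every domain ("Domain" is optional, so not checked).
REQUIRED_ENTRIES = ("DisableCertificateValidation", "Port", "UseSSL", "UserName", "UserPassword")


def base_to_fqdn(base_dn: str) -> str:
    """Turn 'DC=example,DC=local' into 'example.local' (DC components only, in order)."""
    parts = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "DC":
            parts.append(value.strip())
    return ".".join(parts)


def expected_entries(fqdns) -> set:
    """GUI entry paths that must exist for the given LDAPPATH domains."""
    return {f"{ENTRY_PREFIX}/{fqdn}/{name}" for fqdn in fqdns for name in REQUIRED_ENTRIES}


def lint(strategies, ldappath_fqdns, gui_entries) -> list:
    """Return a list of findings; an empty list means the three configuration pieces agree."""
    findings = []
    known = {f.lower() for f in ldappath_fqdns}
    seen_ids = set()
    for strategy in strategies:
        sid = strategy.get("id", "<no id>")
        if sid in seen_ids:
            findings.append(f"{sid}: duplicate strategy id")
        seen_ids.add(sid)
        if strategy.get("type") != "local-ActiveDirectory":
            findings.append(f"{sid}: type {strategy.get('type')!r}, expected 'local-ActiveDirectory'")
        ldap = strategy.get("config", {}).get("ldap", {})
        url = urlparse(ldap.get("url", ""))
        host = (url.hostname or "").lower()
        # Editor's recommendation: a plain ldap:// URL sends the bind password unencrypted.
        if url.scheme == "ldap":
            findings.append(f"{sid}: url uses plain ldap://, so the bind password crosses the network in clear")
        # The search base must describe the same domain the URL points at.
        if base_to_fqdn(ldap.get("base", "")).lower() != host:
            findings.append(f"{sid}: base DN does not match url host {host!r}")
        if "\\" not in ldap.get("user", ""):
            findings.append(f"{sid}: user should be in DOMAIN\\account form")
        if not ldap.get("password"):
            findings.append(f"{sid}: bind password is empty")
        # Every Security Portal domain must also be one the host tier knows about.
        if host not in known:
            findings.append(f"{sid}: {host!r} is not one of the LDAPPATH domains")
    for path in sorted(expected_entries(ldappath_fqdns) - set(gui_entries)):
        findings.append(f"missing GUI entry {path}")
    return findings


# Constructed sample input: the page's two strategies wrapped in an array (assumed layout).
SAMPLE_CONFIG = r"""[
  {"id": "ExampleFirstDomain", "type": "local-ActiveDirectory",
   "config": {"defaultDomain": "examplefirstdomain",
              "ldap": {"url": "ldap://examplefirstdomain.local",
                       "base": "DC=examplefirstdomain,DC=local",
                       "user": "EXAMPLEFIRSTDOMAIN\\messervice", "password": ""}}},
  {"id": "ExampleSecondDomain", "type": "local-ActiveDirectory",
   "config": {"defaultDomain": "exampleseconddomain.company.com",
              "ldap": {"url": "ldap://exampleseconddomain.company.com",
                       "base": "DC=exampleseconddomain,DC=company,DC=com",
                       "user": "EXAMPLESECONDDOMAIN\\mesadmin", "password": ""}}}
]"""
# Constructed: the two FQDNs assumed to be in LDAPPATH.
SAMPLE_LDAPPATH = ["examplefirstdomain.local", "exampleseconddomain.company.com"]
# Constructed: every required entry for the first domain, all but UseSSL for the second.
SAMPLE_GUI_ENTRIES = expected_entries(["examplefirstdomain.local"]) | {
    f"{ENTRY_PREFIX}/exampleseconddomain.company.com/{n}" for n in REQUIRED_ENTRIES if n != "UseSSL"
}


def sample_findings() -> list:
    """Run the lint over the constructed sample; yields five findings."""
    return lint(json.loads(SAMPLE_CONFIG), SAMPLE_LDAPPATH, SAMPLE_GUI_ENTRIES)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

On the constructed sample the lint reports the plain `ldap://` URL and the empty bind password for both strategies, plus the missing `UseSSL` entry for the second domain; a strategy using `ldaps://`, a `DOMAIN\account` bind user, a non-empty password and a complete set of GUI entries produces no findings.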