Can two domains without trusts be governed by one Data Governance server? For example:
Two domains have no trust relationships between them. One domain works fine, but configuring Data Governance for the second domain produces errors. Both domains are synchronized.
When trying to create a new service account in the Data Governance View:
- Browse and select the service account.
- Enter the password.
Error:
"[1025012] Object (customer.domain2.com/ Administrative/Users - Service Accounts / SVC-Identitymgr [USER]) could not be saved!
The security database on the server does not have a computer account for this workstation trust relationship at VI.DialogEngine.DialogEngine.SaveDocument(IDocument[] documents, Schedule schedule)"
In order to add a DGE service account to govern a second domain, the account must be able to log on locally to the machine where the DGE server has been installed. These accounts are used to access resources on remote machines, and in order for the DGE service to impersonate those accounts, the "log on locally" right is required. If the foreign domain doesn't have at least a one-way trust with the DGE server's domain, it will be unable to accomplish this task.
If there are no trusts between the domains, you would need a DGE (+D1IM) installation in each domain.
Enhancement request TFS 354996 has been submitted to enable this feature in a future version of the product.
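A pre-check that can be run on the DGE server before adding the service account, as an added example that is not One Identity's own code. It assumes an elevated session and the RSAT ActiveDirectory module, and the domain and account names are placeholders; `SeInteractiveLogonRight` is the Windows user right shown in policy editors as "Allow log on locally".

```powershell
# Added example (not product code). Save as a .ps1 and run elevated on the DGE server.
param(
    [string]$ForeignDomain  = 'domain2.example',        # placeholder: DNS name of the second domain
    [string]$ServiceAccount = 'DOMAIN2\svc-placeholder' # placeholder: DGE service account
)

Import-Module ActiveDirectory

# 1. Does the DGE server's domain hold any trust object for the foreign domain?
$trust = Get-ADTrust -Filter "Name -eq '$ForeignDomain'" -ErrorAction SilentlyContinue
if ($trust) {
    "Trust object for $ForeignDomain found (Direction: $($trust.Direction))."
} else {
    "No trust object for $ForeignDomain. Expect the 'trust relationship' save error."
}

# 2. Can this machine resolve the foreign account to a SID?
#    Without a trust, the lookup has no path to the foreign domain and fails.
try {
    $sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "Resolved $ServiceAccount to $sid."
} catch {
    "Cannot resolve $ServiceAccount from this server: $($_.Exception.Message)"
    return
}

# 3. Export the effective local user rights and read the 'log on locally' holders.
$cfg = Join-Path $env:TEMP 'dge-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    "SeInteractiveLogonRight is not assigned to anyone on this machine."
    return
}

# Entries are comma-separated; SIDs are prefixed with '*'.
$holders = ($line.Line -split '=', 2)[1] -split ',' |
           ForEach-Object { $_.Trim().TrimStart('*') }

if ($holders -contains $sid) {
    "$ServiceAccount is granted 'log on locally' directly."
} else {
    "$ServiceAccount is not listed directly; check membership of: $($holders -join ', ')"
}
```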
© 2023 One Identity LLC. ALL RIGHTS RESERVED.