One of our application teams chose to use SecureAuth to provide single sign-on (SSO) for user portal authentication. The SSO process performs an LDAP query that reads specific Active Directory attributes from user accounts. One of the attributes required by that query was departmentNumber, which is not part of the default Global Catalog partial attribute set. Therefore, we needed to add the attribute to Global Catalog replication in Active Directory to support the process.
Below are the steps we took to add an attribute to Global Catalog replication.
- Add the performer’s AD user account to the Schema Admins group.
- Log on to the domain controller that hosts the schema master FSMO role.
- Open a blank MMC console by typing mmc.exe from Start/Run.
- Within the MMC, select File and then Add/Remove Snap-in.
- From the resulting list, select Active Directory Schema.
- From within the Active Directory Schema snap-in, navigate to the Attributes folder and scroll down on the right until you see the departmentNumber attribute to be added to the Partial Attribute Set.
- Right-click the departmentNumber attribute and select Properties.
- In the resulting window, select the check box that says Replicate this attribute to the Global Catalog and select OK to close the window.
- Close the snap-in.
- Remove the performer’s AD user account from the Schema Admins group.
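The same change can be scripted with the ActiveDirectory PowerShell module, which also makes the verification step explicit. The script below is an added example and is not part of the original post or of SecureAuth's documentation. It assumes the RSAT ActiveDirectory module is installed, that the account running it has already been added to Schema Admins and has logged on again (group membership is evaluated at logon, so the first step of the procedure still happens before the script runs), and that the account can also modify Schema Admins membership for the clean-up at the end. The sAMAccountName `jdoe` is a placeholder; `isMemberOfPartialAttributeSet` is the schema attribute that the "Replicate this attribute to the Global Catalog" check box sets.

```powershell
# Added example (not from the original post): add a schema attribute to the
# Global Catalog partial attribute set and verify the change, targeting the
# schema master FSMO holder explicitly instead of logging on to it.
#Requires -Modules ActiveDirectory
param(
    [string]$Performer     = 'jdoe',             # placeholder: admin account to remove from Schema Admins afterwards
    [string]$AttributeName = 'departmentNumber'  # attribute from the original procedure
)

Import-Module ActiveDirectory -ErrorAction Stop

# Schema writes are only accepted by the schema master, so bind to it directly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

function Get-SchemaAttribute {
    param([string]$Name)
    # Look the attributeSchema object up by its LDAP display name in the schema partition.
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -Filter "lDAPDisplayName -eq '$Name'" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
}

$attr = Get-SchemaAttribute -Name $AttributeName
if (-not $attr) { throw "Schema attribute '$AttributeName' not found under $schemaNC" }

try {
    if ($attr.isMemberOfPartialAttributeSet -eq $true) {
        Write-Host "$AttributeName is already in the Partial Attribute Set; nothing to change."
    }
    else {
        # Equivalent of ticking "Replicate this attribute to the Global Catalog".
        Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
            -Replace @{ isMemberOfPartialAttributeSet = $true }

        # Read the object back from the schema master before declaring success.
        $check = Get-SchemaAttribute -Name $AttributeName
        if ($check.isMemberOfPartialAttributeSet -ne $true) {
            throw "Verification failed: $AttributeName is still not in the Partial Attribute Set"
        }
        Write-Host "$AttributeName added to the Partial Attribute Set on $schemaMaster."
    }
}
finally {
    # Schema Admins membership is only needed for the duration of the change;
    # drop it even if the schema write failed.
    Remove-ADGroupMember -Identity 'Schema Admins' -Members $Performer `
        -Server $schemaMaster -Confirm:$false
}
```

Two things worth checking after the script (or the MMC procedure) finishes. First, the new partial attribute set entry replicates from the schema master to every Global Catalog in the forest, so allow for replication latency before testing the SSO LDAP query against the GC port (3268); in a forest still at the Windows 2000 functional level, adding an attribute to the partial attribute set also triggers a full Global Catalog resynchronization, whereas at Windows Server 2003 or later only the new attribute is replicated. Second, since the attribute's values become available forest-wide on every GC, confirm that the data it holds is appropriate for that wider availability before promoting it.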