Purpose:
You are a Systems Administrator who is responsible for multiple domains and you wish to manage them all from a single PDQ server.
Resolution:
This guide covers environmental requirements, adding credentials, syncing multiple domains with AD Sync, using Central Server mode, scanning computers, and deploying to computers across multiple domains.
If you need to work with computers that aren't on a domain, please refer to our Knowledge Base article Working with Non-Domain (Workgroup) Machines.
Environmental Configurations:
Just like working in a single domain, your PDQ server will need to meet the following criteria in order to deploy to and scan your targets in different domains:
- The PDQ server will need to be able to resolve the target computers' hostnames via DNS.
- The PDQ server will need to be able to ping the target computers.
- The PDQ server will need to be able to communicate bi-directionally with the target computers via SMB using the Deploy and Scan User's credentials.
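The three requirements above can be checked from the PDQ server before any cross-domain targets are added. The following pre-flight script is an added example, not part of PDQ or of the original article; the function name `Test-PdqTargetReachability` and the hostnames are constructed placeholders.

```powershell
# Added example (not PDQ's own code). Run on the PDQ server.
function Test-PdqTargetReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$SmbPort = 445    # SMB over TCP
    )
    foreach ($name in $ComputerName) {
        # 1. DNS: -DnsOnly stops LLMNR/NetBIOS from masking a missing DNS record.
        $addresses = @()
        try {
            $addresses = @(Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
                Where-Object { $_.IPAddress } |
                Select-Object -ExpandProperty IPAddress)
        } catch {
            Write-Verbose "DNS lookup failed for ${name}: $($_.Exception.Message)"
        }

        $ping = $false
        $smb  = $false
        if ($addresses.Count -gt 0) {
            # 2. ICMP echo from the PDQ server to the target.
            $ping = [bool](Test-Connection -ComputerName $name -Count 1 -Quiet)
            # 3. TCP connection to the SMB port on the target.
            $smb = [bool](Test-NetConnection -ComputerName $name -Port $SmbPort `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        [pscustomobject]@{
            Computer   = $name
            ResolvedTo = $addresses -join ', '
            Dns        = ($addresses.Count -gt 0)
            Ping       = $ping
            Smb        = $smb
            Ready      = ($addresses.Count -gt 0) -and $ping -and $smb
        }
    }
}

# Constructed sample targets in two different domains; replace with real hostnames.
$targets = 'ws01.corp.example.com', 'ws02.branch.example.net'
Test-PdqTargetReachability -ComputerName $targets | Format-Table -AutoSize
```

An open SMB port only shows that the network path from the server to the target exists. It does not confirm that the Deploy or Scan User's credentials are accepted on the target, or that the target can reach the PDQ server in the other direction.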
Background Service, Repository, and Copy Modes:
The general permissions for your PDQ service account are covered in the Knowledge Base article PDQ Credentials Explained. In a multi-domain environment, the permissions your Deploy Users need on the PDQ Deploy repository are determined by the copy mode you are using.
If you are using the Push Copy Mode: Only the Background Service will require Read / Write access to the PDQ Deploy repository.
If you are using the Pull Copy Mode: All Deploy Users and your Background Service will require Read / Write access to your PDQ Deploy repository.
In a multi-domain environment, we also recommend that your Background Service User be a local account on your PDQ server instead of a domain account. This account will also need to be an Administrator on the PDQ server. The Background Service Account can be changed in both applications by navigating to Options > Background Service > Change.
Adding Credentials From Different Domains:
In both PDQ Deploy and PDQ Inventory, credentials for the Deploy & Scan Users are added in the same way, and this process is covered in the following article.
Adding and Using Multiple Credentials in PDQ
Adding Computers to PDQ Inventory From Multiple Domains:
When adding computers, the Scan User that you use to import the computer will be assigned as the Scan User for those computers. If you need to change the Scan User for your computers, you can right-click an individual computer or a group of computers and choose Select Scan User.
Active Directory Sync:
Navigate to Add Computers > Active Directory - Sync.
Select Include Container.
Select Change Domain.
Select Add Domain, uncheck Current User, and either choose the Scan User with the drop down or add a new Scan User using the Edit Credentials button.
Once you've added the domain with the proper credentials, choose the OUs you wish to sync.
Active Directory - Browse By Name:
Navigate to Add Computers > Active Directory - Browse by Name.
To add the new domain, select Change Domain.
Select Add Domain, uncheck Current User, and either choose the Scan User with the drop down or add a new Scan User using the Edit Credentials button.
Once you've added your other domain, you can browse your OUs and choose computers to add.
By Name:
Navigate to Add Computers > By Name. Choose the Scan User with the drop down or add a new Scan User using the Edit Credentials button.
You can type in an individual computer's hostname in the Add section or you can import a list of computers with a TXT or CSV file by selecting Import.
Deploying Packages to Targets Across Multiple Domains:
Deploy Once:
If you are deploying to targets in a single domain, you will need to either choose the Deploy User with the drop down or add a new Deploy User using the Edit Credentials button.
If you are deploying to targets across multiple domains, be sure to check the option Use PDQ Inventory Scan User credentials first, when available.
Using Schedules:
If your Schedule is targeting computers in a single domain, you will need to either choose the Deploy User with the drop down or add a new Deploy User using the Edit Credentials button.
If your schedule is targeting computers across multiple domains, be sure to check the option Use PDQ Inventory Scan User credentials first, when available, in the Options tab of the schedule.
Using Central Server Mode Across Multiple Domains:
Central Server Requirements:
The general requirements for using Central Server mode can be found in our Knowledge Base article Windows Firewall Ports and Exceptions. The only difference in a multi-domain environment is that your PDQ server will need to be able to authenticate any Console Users against their Domain Controller.
Adding Console Users:
From your Central Server Console, navigate to Options > Console Users > Add.
Enter the Domain and Username for the user that you wish to add, as well as the password for the Background Service User.
Configuring the Client Console:
When installing the Client Console, after entering your PDQ License you will be asked to install Local, Central Server, or Client Console. Choose Client, and on the next menu enter the FQDN of the PDQ Central Server. If your Client Console computer is capable of communicating with your PDQ Central Server over the designated ports, then your Client Console will now connect back to your PDQ server in a different domain. The default ports are 6336 for PDQ Deploy and 7337 for PDQ Inventory.
See Also:
Article - Working with Non-Domain (Workgroup) Machines
Article - PDQ Credentials Explained