Starting in v.2.95.0, an experimental setting was added to the Domain Connector to speed up Domain Controller replication. When this setting is enabled, the Domain Connector gets a list of all the Domain Controllers when a user enrolls in Desktop Login. Then, the Domain Connector will attempt to modify the user records on all of the detected domains explicitly. When a user unenrolls from Desktop Login, Domain Controller replication will be used.
To enable this feature
- Download and install the Beyond Identity Windows Desktop Login Domain Connector.
- Go to https://app.byndid.com/desktop-login/downloads and click Download Domain Connector (.msi).
- Install the Domain Connector on a Windows server.
- On the Windows Server, navigate to the C:\Program Files\Domain Connector directory and open the settings.ini file.
- Add the line multiDC=yes to the ini file.
IMPORTANT: Make sure that multiDC=yes is capitalized exactly as shown because this entry is case-sensitive.
- Save the file. Make sure the file saves as an .ini file and not a .txt file.
- Open Services, right-click the Beyond Identity Domain Connector service, and select Restart to apply the updated configuration.
- When a user enrolls, the logs under C:\Program Files\DomainConnector\logs will show the connector trying to enroll the user in multiple domains.
Troubleshooting
The Log file shows "Multi domain controller support disabled."
Open the settings.ini file in Step 2 above and verify that:
- The new entry looks exactly like the following: multiDC=yes
This entry is case-sensitive, so it must use the exact capitalization shown above.
- The value for multiDC is set to yes.
The Log file shows "Multi domain controller support enabled" but no domain controllers are listed.
If you don't see any domain controllers listed when multi-domain controller support is enabled, there may be an issue with the key administrator who is running the Domain Connector service. To verify:
- Open Services, view the user listed under Log On As for the Beyond Identity Domain Connector service.
- Verify that the user's password is not expired.
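The checks from the enable steps and the troubleshooting items above, collected into one read-only PowerShell script. This is an added example, not Beyond Identity tooling. It assumes the two directory paths quoted on this page and that the name shown in Services is the service's display name.

```powershell
# Added example: read-only checks for the multiDC setting described above.
# Assumptions: both directories are the paths quoted on this page, and
# "Beyond Identity Domain Connector" is the display name shown in Services.
param(
    [string]$InstallDir  = 'C:\Program Files\Domain Connector',
    [string]$LogDir      = 'C:\Program Files\DomainConnector\logs',
    [string]$ServiceName = 'Beyond Identity Domain Connector'
)

$ini = Join-Path $InstallDir 'settings.ini'

# 1. The file must be saved as settings.ini, not settings.ini.txt.
if (Test-Path -LiteralPath "$ini.txt") {
    Write-Warning "Found $ini.txt; the file must be saved as .ini, not .txt."
}
if (-not (Test-Path -LiteralPath $ini)) { throw "Missing $ini" }

# 2. Find multiDC lines ignoring case, then compare case-sensitively (-ceq).
$entries = @(Get-Content -LiteralPath $ini |
    Where-Object { $_ -match '^\s*multidc\s*=' })
if ($entries.Count -eq 0) { Write-Warning 'No multiDC entry in settings.ini.' }
foreach ($line in $entries) {
    if ($line.Trim() -ceq 'multiDC=yes') {
        Write-Output "OK: '$line'"
    } else {
        Write-Warning "Entry '$line' does not match 'multiDC=yes' exactly."
    }
}

# 3. Show the Log On As account so its password expiry can be checked.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName'"
if ($svc) {
    Write-Output "Service state: $($svc.State); Log On As: $($svc.StartName)"
} else {
    Write-Warning "Service '$ServiceName' not found."
}

# 4. Report the latest multi-DC status lines from the connector logs.
$hits = @(Get-ChildItem -LiteralPath $LogDir -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime |
    Select-String -SimpleMatch -Pattern 'Multi domain controller support')
$hits | Select-Object -Last 5 | ForEach-Object { "$($_.Filename): $($_.Line)" }
if ($hits.Count -gt 0 -and $hits[-1].Line -match 'support disabled') {
    Write-Warning 'Most recent status line reports multi-DC support disabled.'
}
```

Run it from an elevated PowerShell session on the server hosting the connector; pass `-InstallDir` or `-LogDir` if your installation uses different paths.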
PKINIT Error
If you encounter a PKINIT error after setting the multiDC flag to "yes," verify that the domain specified during the Domain Connector installation matches the domain to which the machines are joined. A mismatch can lead to authentication issues. For example, if the machines are joined to the domain contoso.com, this must be reflected in the installation settings of the Domain Connector. If you have already installed the connector, you can modify the domain in the settings.ini file and then restart the service.
Frequently Asked Questions
What happens if I remove the Windows Desktop Login Domain Connector from my server?
Existing users who enrolled using the Domain Connector will not be impacted. Future user enrollments will not be able to use the Domain Connector for enrollment.