
Configure the domain controller used by ArcGIS Server

When you configure your ArcGIS Server site to enforce security with users and roles managed in Microsoft Active Directory, it uses the Active Directory Global Catalog to obtain user and role information. However, ArcGIS Server cannot enforce security if the site binds to a domain controller that does not also serve as a global catalog. For example, you might see the following error when attempting to view the User and Role tab in the Security module in Manager:

An error occurred while searching for [users\roles]: [IP Address]:3268

If your Active Directory deployment includes multiple domain controllers but not all of them are configured as global catalog servers, you must manually specify the domain controller or controllers used by ArcGIS Server. The following steps detail how to do this. Alternatively, you can use the ASP.NET membership provider for Active Directory by following the instructions in Using a Windows identity store that has nested groups.

  1. Open the ArcGIS Server Administrator Directory and log in as a user with administrative privileges. The URL to the Administrator Directory is formatted http://gisserver.domain.com:6080/arcgis/admin.
  2. Click security > config > updateIdentityStore.
  3. Copy and paste the following text into the User Store Configuration dialog box on the Operation - updateIdentityStore page.
    {
     "type": "WINDOWS",
     "properties": {
      "adminUserPassword": "[password]",
      "adminUser": "[domain]\\[user name]",
      "domainControllerAddress": "[IP Address], [alternate IP Address]"
     }
    }
  4. Update the adminUserPassword, adminUser, and domainControllerAddress properties with the appropriate values. Optionally, more than one IP address can be listed for the domainControllerAddress property. If multiple IP addresses are listed, they should be ordered based on priority. ArcGIS Server will attempt to communicate with the first one listed and will fall back to subsequent ones only if the first one becomes unavailable.
  5. If your Active Directory environment includes multiple domains within a forest, and you want to include IP addresses for the domain controllers assigned to each domain, use the domainControllerMapping parameter in both the User Store Configuration and Group Store Configuration dialog boxes. Multiple IP addresses can be listed for each domain if desired.
    {
     "type": "WINDOWS",
     "properties": {
      "adminUserPassword": "[password]",
      "adminUser": "[domain]\\[user name]",
      "domainControllerAddress": "[IP Address], [alternate IP Address]",
      "domainControllerMapping": "domain_A.example.com=[IP address], [alternate IP address]; domain_B.example.com=[IP address], [alternate IP address]"
     }
    }
  6. If you will be using built-in roles, skip to the next step. If you will be using Active Directory roles, copy and paste the text from Step 3 into the Role Store Configuration dialog box on the Operation - updateIdentityStore page.
  7. Click Update to save your configuration.
  8. Open ArcGIS Server Manager and log in as a user who has administrative permissions to your site.
  9. Click Security > Users. Verify that users from your Active Directory are displayed.
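
The following Python sketch is an added example, not part of the Esri documentation: it assembles the JSON from steps 3 to 5 with every address validated and kept in priority order, and includes a TCP check of port 3268 (the port shown in the error message above) for vetting candidate domain controllers. The function names, the service account and the 192.0.2.x addresses are constructed for illustration; an open port shows reachability only, not that the host is a working global catalog.

```python
import ipaddress
import json
import socket

GC_PORT = 3268  # global catalog port, as seen in the error message above


def _check_ips(ips):
    """Validate each address and keep the caller's priority order."""
    cleaned = [str(ipaddress.ip_address(ip.strip())) for ip in ips]
    if not cleaned:
        raise ValueError("at least one domain controller address is required")
    return cleaned


def gc_reachable(ip, port=GC_PORT, timeout=3.0):
    """Return True if the host accepts TCP connections on the given port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_identity_store(admin_user, password, controllers, mapping=None):
    """Build the store JSON; mapping is an optional {domain: [IPs]} dict."""
    if not password or password.startswith("["):
        raise ValueError("replace the [password] placeholder with a real value")
    props = {
        "adminUserPassword": password,
        "adminUser": admin_user,
        "domainControllerAddress": ", ".join(_check_ips(controllers)),
    }
    if mapping:
        props["domainControllerMapping"] = "; ".join(
            f"{domain}={', '.join(_check_ips(ips))}" for domain, ips in mapping.items()
        )
    return json.dumps({"type": "WINDOWS", "properties": props}, indent=1)


if __name__ == "__main__":
    # Constructed sample values (documentation address range), not real hosts.
    dcs = ["192.0.2.10", "192.0.2.11"]
    for dc in dcs:
        print(dc, "port 3268 open:", gc_reachable(dc, timeout=1.0))
    print(build_identity_store("EXAMPLE\\svc_arcgis", "constructed-secret", dcs))
```

Because the output contains the bind account's password in clear text, paste it directly into the dialog box rather than saving it to a file.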