Learn about best practices for configuring domains for the Cloud Identity Engine.
On-Premises Active Directory Domains
A single Cloud Identity agent can communicate with multiple domains. The service account you use to query the Active Directory must have permission to query all domains you configure on the agent. We recommend configuring multiple domain controllers for each domain so that if a domain controller is unavailable, the agent can try the next available domain controller.
To ensure agent redundancy for a domain, configure multiple agents for that domain. The server hosting the agent should be physically located near the domain controllers from which the agent will collect attributes. If the domain controllers are in different locations, we recommend that you configure multiple agents and install each agent on a host server that is physically located near the domain controllers from which the agent will collect attributes.
To obtain cross-domain memberships for groups with members from other domains in the forest, configure those domains on the Cloud Identity agent(s). In this scenario, you must configure the agent to connect to the domain controllers using the LDAP or LDAPS port (by default, 389 and 636 respectively).
When you configure the Active Directory in the Cloud Identity agent, do not configure the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).
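The following is an added pre-flight check (example code, not part of the Cloud Identity agent or this documentation) that tests a planned domain configuration against the guidance above: at least two domain controllers per domain, LDAP/LDAPS rather than Global Catalog ports, and every domain that appears among a group's members being configured so cross-domain memberships are not missed. The `DomainConfig` structure, the domain and host names, and the member DNs are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

LDAP_PORTS = {389, 636}              # LDAP / LDAPS defaults the agent should use
GLOBAL_CATALOG_PORTS = {3268, 3269}  # Global Catalog ports the agent must not use


@dataclass
class DomainConfig:             # hypothetical model of one configured domain
    name: str                   # DNS name of the domain
    controllers: List[str]      # domain controllers configured for it
    port: int                   # port the agent connects to


def domain_of_dn(dn: str) -> str:
    """Derive the DNS domain from the DC= components of an LDAP DN.
    Assumes no escaped commas inside RDN values (true for the sample data)."""
    rdns = [part.strip() for part in dn.split(",")]
    return ".".join(r[3:] for r in rdns if r.upper().startswith("DC=")).lower()


def check_config(domains: List[DomainConfig], member_dns: List[str]) -> List[str]:
    """Return one finding per deviation from the documented best practices."""
    findings = []
    for d in domains:
        if d.port in GLOBAL_CATALOG_PORTS:
            findings.append(f"{d.name}: port {d.port} is a Global Catalog port; use 389 or 636")
        elif d.port not in LDAP_PORTS:
            findings.append(f"{d.name}: port {d.port} is not the default LDAP/LDAPS port")
        if len(d.controllers) < 2:
            findings.append(f"{d.name}: only {len(d.controllers)} domain controller; add another for failover")
    # every domain a group member belongs to must itself be configured on the agent
    configured = {d.name.lower() for d in domains}
    for missing in sorted({domain_of_dn(m) for m in member_dns} - configured):
        findings.append(f"{missing}: member domain not configured; cross-domain memberships will be missed")
    return findings


def run_sample() -> List[str]:
    """Constructed configuration: one healthy domain, one misconfigured domain."""
    domains = [
        DomainConfig("corp.example.com", ["dc1.corp.example.com", "dc2.corp.example.com"], 636),
        DomainConfig("eu.corp.example.com", ["dc1.eu.corp.example.com"], 3268),
    ]
    members = [  # constructed member DNs of a group, one from an unconfigured child domain
        "CN=alice,OU=Users,DC=corp,DC=example,DC=com",
        "CN=bob,OU=Users,DC=apac,DC=corp,DC=example,DC=com",
    ]
    return check_config(domains, members)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```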