
Use Multiple Active Directory Domains

Started by Peter, 02 Feb 2010 06:29:58 AM


Peter

I am currently involved in creating a Cognos 8.4 installation.
We want to use SSO based on AD, which left me with one major challenge:
our AD is quite large and divided into 2 domain trees with multiple domains.
The majority of our users are in domain NL.organisation.com, and since I am domain administrator for that domain, all AD groups for Cognos are also in NL.organisation.com.

The problem is that we have approx. 10 users from other domains (DE.organisation, FR.organisation.com, etc). When I set the chaseReferrals of our AD namespace to use in Cognos to True and use the top domain (organisation.com) as root, all users are able to log in, but we (Cognos admins) are not able to browse the AD namespace in Cognos Connection to add AD groups to the Cognos role. Probably because we have 20.000+ users in AD, and all DCs are located around the globe.

Since we only have a few users from other domains, any suggestions how we can configure this, so we can have SSO for all users and a browsable namespace for the admins?

SomeClown

The option MultiDomainTree (set to True) allows for searching across the forest.

I'm not an AD expert, but I'm wondering if setting the main security source to nl.organisation.com with the chaseReferrals and MultiDomainTree options set to True might limit your main browsing but let you use the search box to find the smaller number of users in other trees.

Rosario0413

I had the same problems setting up the configuration with SSO to search multiple trees, so I tried another approach. I am in the process of implementing multiple gateways: one per tree. It seems to be working out well. Each of the gateways is dedicated to one AD LDAP and set up with SSO. One gateway is not dedicated to any specific AD LDAP and this is the one we use for administration. This one lets you log into any of the available namespaces and is not set up for SSO. Read this:
http://www.ibm.com/developerworks/data/library/cognos/page5.html