Let’s say we want to use IDN to perform provisioning activities on Active Directory “DomainA”. Do we then need the IQService host machine joined to that “DomainA”?
In other words, can “IQService host machine” not be added to any domain and still perform provisioning activities to a particular Domain (DomainA in this case)?
The IQService machine needs to be in the same domain as the AD it's trying to provision. That being said, it depends on how the trust relationship is set up between the different domains in a forest and on which server we are installing IQService.
For example: Domain A and Domain B - no trust relationship, then separate IQService.
Domain A and Domain B - With Trust relationship
The multi-domain AD application configuration applies only where there is a two-way trust relationship between all the domains to be represented as a single AD application in IdentityIQ.
The multi-forest AD application configuration can be used when the forests have two-way or one-way trust relationships, but there are limitations on provisioning options with one-way trusts, as explained in the Provisioning with multiple domains/forests section.