Realm Configuration (Active Directory)

Active Directory authentication can be configured at three different levels: single-realm, multi-realm, and entire forest. In an Active Directory forest, if a cross-domain group membership involves any Domain Local Group, the group membership is one-way, and it is not replicated to the Active Directory Global Catalog. The forward group membership search presents no problems: given a group in one domain, FileNet® P8 can easily find all its members in other domains.

However, the backward group membership search can be very resource intensive. FileNet P8 would have to iterate through all other domains to find all the parent groups of which this group is a member. Since large enterprises might have 30 or more domains in a single forest, this iterative approach for cross-domain backward group membership search can be unacceptably slow.

To address this problem, you can split the cross-domain group membership and add a new group in between. For example, a Domain Local Group in Domain A might contain a Global Group in Domain B. The following figure shows a Universal Group in Domain A that has been configured as a member of the Domain Local Group. The Global Group in Domain B has then been configured to be a member of the newly created Universal Group.

A Universal Group in Domain A is a member of the Domain Local Group, while the Global Group in Domain B is a member of the Universal Group.

To summarize:

  • Group membership in the same domain is two-way, regardless of the group scope.
  • If the cross-domain group membership does not involve a Domain Local Group, it is two-way in the Global Catalog.
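The following PowerShell script is an added example, not part of the FileNet P8 documentation or product, showing how an administrator would carry out the split described above with the ActiveDirectory module: create a Universal Group in Domain A, make the Global Group from Domain B a member of it, replace the direct cross-domain membership in the Domain Local Group with the Universal Group, and then check through the Global Catalog that the backward link from the Global Group is now visible. The domain names, OU path, group names and the account's rights in both domains are assumptions for illustration.

```powershell
# Added example (not from the FileNet P8 documentation). Assumed names:
#   Domain A = corp.example   (holds the Domain Local Group and the new Universal Group)
#   Domain B = emea.example   (holds the Global Group)
# The account running this needs rights to manage groups in both domains.
Import-Module ActiveDirectory

$domainA     = 'corp.example'
$domainB     = 'emea.example'
$domainLocal = 'DL-FileNet-Readers'        # assumed Domain Local Group in Domain A
$globalInB   = 'G-Engineering'             # assumed Global Group in Domain B
$universal   = 'U-FileNet-Readers-Bridge'  # new Universal Group to insert in Domain A
$groupsOu    = 'OU=Groups,DC=corp,DC=example'  # assumed container for the new group

# 1. Create the Universal Group in Domain A. Universal group membership is
#    replicated to the Global Catalog, which is what makes the backward
#    membership search cheap.
New-ADGroup -Name $universal -GroupScope Universal -GroupCategory Security `
    -Path $groupsOu -Server $domainA

# 2. Make the Global Group from Domain B a member of the Universal Group.
$gB = Get-ADGroup -Identity $globalInB -Server $domainB
Add-ADGroupMember -Identity $universal -Members $gB -Server $domainA

# 3. Replace the direct cross-domain membership: remove the Global Group from
#    the Domain Local Group and add the Universal Group in its place.
Remove-ADGroupMember -Identity $domainLocal -Members $gB -Server $domainA -Confirm:$false
Add-ADGroupMember -Identity $domainLocal -Members $universal -Server $domainA

# 4. Verify through the Global Catalog (port 3268) that the Global Group's
#    memberOf now shows the Universal Group. The Universal Group's own
#    membership in the Domain Local Group is a same-domain link, so Domain A
#    resolves it without iterating other domains.
$gcServer = "$domainA`:3268"
Get-ADGroup -Identity $gB.DistinguishedName -Server $gcServer -Properties memberOf |
    Select-Object -ExpandProperty memberOf
```

Run step 4 before and after the change to see the difference: before the split, the Global Group's memberOf queried against the Global Catalog does not list the Domain Local Group in Domain A; after it, the Universal Group appears, and the remaining hop to the Domain Local Group is a same-domain lookup.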