Domain boundaries in an AD Forest are far more complicated than people might think.
We cannot simply change a port number and search the Global Catalog (GC) instead of a local domain controller. The GC has a replica of each object, but it doesn’t have a replica of each property on that object. One very important missing property is Last-Logon-Timestamp on computer accounts, which we absolutely need in Supercharger for both load balanced subscriptions and deterministic forwarder analysis. Without that information we would not know about dormant computer accounts, which would result in very unbalanced subscriptions and bogus reporting of unhealthy forwarders.
We do not support load balanced subscriptions where the cohort group or LDAP query attempts to pull in computers from other domains as forwarders, because of the related complexities. Given the vast number of ways you can architect AD domains, trees and forests, and the trust relationships between them, it is not feasible for us to build something that would work in every AD environment.
With the one requirement that collectors serve forwarders within their domain, we are able to support every AD architecture regardless of domains, trees and forests and trust relationships between them. It is rock solid, and it works in every AD environment.
Bottom line, if you need load balanced subscriptions and/or deterministic forwarder analysis, your collector needs to be in the same domain as its forwarders.
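To see the gap described above in your own domain, the following added example (not Supercharger code) queries computer accounts once against a domain controller and once against the GC on port 3268, then counts how many come back with a logon timestamp. It assumes the RSAT ActiveDirectory module; the function name `Get-ComputerLogonView` and the 90-day dormancy threshold are illustrative choices.

```powershell
# Added example: compare lastLogonTimestamp as returned by a DC and by the GC.
Import-Module ActiveDirectory

$dormantAfterDays = 90   # assumed threshold; lastLogonTimestamp is only updated
                         # every 9-14 days by default, so keep this well above that
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$dormantAfterDays)
$domain = Get-ADDomain
$dc     = $domain.PDCEmulator                                    # a DC in this domain
$gc     = (Get-ADForest).GlobalCatalogs | Select-Object -First 1 # any GC in the forest

function Get-ComputerLogonView {   # hypothetical helper name
    param([string]$Server, [string]$SearchBase)
    Get-ADComputer -Server $Server -SearchBase $SearchBase -Filter * `
                   -Properties lastLogonTimestamp |
        ForEach-Object {
            $raw = $_.lastLogonTimestamp   # FILETIME (Int64), or $null if not returned
            [pscustomobject]@{
                Name      = $_.Name
                LastLogon = if ($raw) { [DateTime]::FromFileTimeUtc($raw) } else { $null }
            }
        }
}

$base   = $domain.DistinguishedName
$fromDc = @(Get-ComputerLogonView -Server $dc -SearchBase $base)
$fromGc = @(Get-ComputerLogonView -Server "${gc}:3268" -SearchBase $base)

# Side-by-side: the GC returns the same objects but no timestamp on them.
foreach ($view in @{ Source = "DC  $dc";         Rows = $fromDc },
                  @{ Source = "GC  ${gc}:3268";  Rows = $fromGc }) {
    [pscustomobject]@{
        Source        = $view.Source
        Computers     = $view.Rows.Count
        WithTimestamp = @($view.Rows | Where-Object { $_.LastLogon }).Count
    }
}

# Dormant accounts can only be determined from the DC result:
# never logged on, or last logon older than the cutoff.
$fromDc |
    Where-Object { -not $_.LastLogon -or $_.LastLogon -lt $cutoff } |
    Sort-Object LastLogon |
    Format-Table Name, LastLogon -AutoSize
```

If the same dormancy filter were applied to `$fromGc`, every computer would be reported as dormant, which is the unbalanced-subscription and false unhealthy-forwarder outcome the article describes.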