While integrating your Active Directory with Workspace ONE Access, follow these best practices for setting up the Workspace ONE Access connector and Active Directory domain controllers to avoid issues with network latency. This information is applicable for directories of type Active Directory over LDAP or Active Directory over Integrated Windows Authentication (IWA) in Workspace ONE Access.

  • Avoid firewalls and Virtual IP Addresses (VIPs) on the path from the Workspace ONE Access connectors to the domain controllers. Firewalls and VIPs add more hops when the connector connects to the domain controllers.
  • Ensure that network latency for an LDAP simple bind between the connector nodes and the domain controllers is measured in milliseconds only, ideally less than 20 ms.
  • Set the DNS A* records to point to the closest domain controllers for the connector's site-specific configuration in Active Directory. This helps reduce latency.
  • Configure multiple domain controllers for the domains to provide resiliency.
  • Use the following commands from the connector server to help identify the nearest domain controllers for the domain (replace domain with the DNS name of your Active Directory domain):

    nltest /dsgetdc:domain /try_next_closest_site

    (This command gets the closest domain controller cached by the OS.)

    nltest /dsgetdc:domain /force

    (This command clears the OS cache and tries to identify the closest domain controller again.)
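The following PowerShell script is an added example for checking these recommendations from the connector server; it is not part of the VMware documentation or product. It discovers the domain's domain controllers from the _ldap._tcp.dc._msdcs SRV record, records which controller the OS locator picks with nltest /dsgetdc /force, then times an LDAP simple bind against every controller and flags any that exceed the 20 ms guideline. The domain name corp.example.com, the default port and the 20 ms threshold are placeholders to be replaced with your own values; the account used for the bind is prompted for.

```powershell
# Added example (not VMware's code): measure LDAP simple-bind latency from the
# Workspace ONE Access connector host to each domain controller of a domain.
# Assumptions: the caller supplies the domain, a bind account and the LDAP port;
# the domain's SRV records are resolvable from this host.
param(
    [string]$Domain = 'corp.example.com',   # placeholder: your AD domain DNS name
    [int]$Port = 636,                       # 636 = LDAPS; use 389 only if LDAP over TLS is not possible
    [int]$ThresholdMs = 20,                 # guideline from the documentation above
    [pscredential]$Credential = (Get-Credential -Message 'Account used for the LDAP simple bind')
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Discover the domain controllers via the _ldap SRV record instead of hard-coding names.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

# Ask the OS DC locator which controller it currently considers closest
# (same command as above; /force bypasses the cached answer).
$locatorLine = (nltest "/dsgetdc:$Domain" /force | Select-String '^\s*DC:').Line
$located = if ($locatorLine) { ($locatorLine -replace '^\s*DC:\s*\\\\', '').Trim() } else { '' }
"Locator-selected DC: $located"
''

foreach ($dc in $dcs) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(5)
    if ($Port -eq 636) { $conn.SessionOptions.SecureSocketLayer = $true }   # simple bind in cleartext otherwise

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Time only the bind: this is the round trip the connector performs on every directory call.
        $conn.Bind($Credential.GetNetworkCredential())
        $sw.Stop()
        $status = if ($sw.ElapsedMilliseconds -gt $ThresholdMs) { 'SLOW' } else { 'ok' }
        $mark   = if ($dc -like "$located*") { '<- locator choice' } else { '' }
        '{0,-40} {1,6} ms  {2,-5} {3}' -f $dc, $sw.ElapsedMilliseconds, $status, $mark
    } catch {
        $sw.Stop()
        '{0,-40} bind failed after {1} ms: {2}' -f $dc, $sw.ElapsedMilliseconds, $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}
```

Run the script on each connector node, because the result depends on where that node sits relative to the controllers. A controller reported as SLOW, or a locator choice that is not one of the fast controllers, points at the DNS records, the site mapping for the connector's subnet, or an extra firewall or VIP hop on the path described above. The script defaults to LDAPS on port 636 because a simple bind carries the account password; if you measure on port 389, use an account that exists only for this test.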

Note: To determine if domain controller network latency is an issue in your installation, see Troubleshooting Workspace ONE Access Directory Integration.