
Prepare Your Active Directory Environment

To prepare for an Active Directory (AD) integration, we recommend that you deploy at least one virtual appliance before proceeding with the configuration steps. You can configure AD integration for the virtual appliances in one of two ways:

  1. Configure the Connector to read login events from individual domain controllers.
  2. Configure the Connector to read login events from a centralized Windows Event Log Collector.

Prerequisites

Connector Server

To support Umbrella Active Directory (AD) integration, you must configure a server that is a member of the AD domain with the following environment:

  • Windows Server 2012, 2012 R2, 2016, 2019, or 2022 with the latest service packs and 100 MB of free hard disk space.
  • Service pack SP2 or above
  • .NET Framework 4.5 or above
  • If a local anti-virus application is running, allow-list the OpenDNSAuditClient.exe and OpenDNSAuditService.exe processes.
  • AD Domain Services Snap-ins and Command-line Tools feature installed through Remote Server Administration Tools > Role Administration Tools > AD DS & AD LDS Tools > AD DS Tools. This is required for troubleshooting purposes.

There are two methods to deploy the connector effectively:

  • If you have already deployed a centralized Windows Event Log Collector to which all domain controllers forward login events, and you wish to deploy AD integration with virtual appliances using this Windows Event Log Collector, you must deploy a single AD connector for all AD domains, with an optional second connector for redundancy.
  • If you are deploying AD integration with virtual appliances through integration with domain controllers, you must deploy one connector per AD domain—with an optional second connector per AD domain for redundancy. For more information about registering a Domain Controller, see the section "Run the Configuration Script on the Domain Controllers".

Outbound Network Access to Cisco Umbrella

The Connector server requires outbound access as specified below:

  • 443 (TCP) to api.opendns.com for syncing
  • Access to additional URLs on port 80/443 (TCP) may be required for Windows to perform Certificate Revocation List and Code-Signing checks. For a complete list of ports, see the section on Communication Flow and Troubleshooting.
  • 443 (TCP) to disthost.umbrella.com (for downloading upgrades)

If you are using a transparent HTTP web proxy, ensure that the URLs on port 80/443 are excluded from the proxy, and not subject to authentication.

Connector Account

The connector deployment requires you to create a new user account in each AD domain that needs to be integrated. This account should have:

  • The logon name (sAMAccountName) set to OpenDNS_Connector. A custom username can be configured, but this custom username should be specified as a parameter when running the Configuration Script on the Domain Controller.
  • Password never expires selected
    Note: Passwords must not include backslashes, quotations (single or double), greater-than or less-than chevron brackets (< >), or colons.
  • The Connector account (OpenDNS_Connector or custom username) must be a member of the following built-in groups in each AD domain:
    • Enterprise Read-only Domain Controllers
    • Event Log Readers

Note: In a parent/child domain scenario, the "Enterprise Read-only Domain Controllers" group exists only in the parent domain. In this case, follow the instructions listed here to grant the Connector account the required permissions, and add the account to any other required groups that are missing.
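The account and group memberships above can be provisioned and verified with the ActiveDirectory PowerShell module (part of the RSAT AD DS Tools listed in the prerequisites). This is an added example, not Umbrella's own configuration script; it assumes Domain Admin rights on a domain-joined machine, creates the user in the domain's default container, and enforces the password character restriction from the note.

```powershell
# Added example (not from the Umbrella documentation): creates the connector account,
# sets "Password never expires", and adds the documented group memberships.
# Assumes: ActiveDirectory module (RSAT AD DS Tools), Domain Admin rights.
Import-Module ActiveDirectory

$SamAccountName = 'OpenDNS_Connector'   # default logon name; a custom name must be passed to the configuration script
$Password       = Read-Host -Prompt 'Connector password' -AsSecureString

# Documented restriction: no backslashes, single/double quotes, chevrons (< >) or colons.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
if ($plain -match '[\\"''<>:]') {
    throw 'Password contains a character the connector does not accept (\ " '' < > :).'
}

# Create the account only if it does not already exist; -PasswordNeverExpires is the
# "Password never expires" checkbox from the prerequisites.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'")) {
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
        -Description 'Cisco Umbrella AD connector service account'
}

# Required built-in groups. "Enterprise Read-only Domain Controllers" exists only in the
# parent domain, so in a child domain it is reported instead of being silently skipped.
foreach ($group in 'Enterprise Read-only Domain Controllers', 'Event Log Readers') {
    $g = Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue
    if ($null -eq $g) {
        Write-Warning "Group '$group' not found in this domain; apply the parent/child domain instructions for the missing permissions."
        continue
    }
    Add-ADGroupMember -Identity $g -Members $SamAccountName
}

# Verify the result: enabled, non-expiring password, expected group memberships.
Get-ADUser $SamAccountName -Properties PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires,
        @{ n = 'Groups'; e = { $_.MemberOf -replace '^CN=([^,]+),.*', '$1' } }
```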

AD Integration with Domain Controllers

Verify That Auditing of Logon Events is Enabled on the Domain Controllers

AD integration with Domain Controllers requires each domain controller to audit logon events.

On each domain controller (except read-only domain controllers), you may need to set "Audit account logon events" to include Success and Failure if it has been set to "No Auditing." By default, this group policy logs Success logon events, and you should not change that default. Umbrella needs these events to know that a user has logged on successfully, so that it can correlate that logon with subsequent events generated by the same user.

If the audit policy is not set, running the OpenDNS Windows Configuration Script (OpenDNS-WindowsConfigurationScript-20130627.wsf) produces the following error:

    "ERROR: "
    -----------------------------------------------------------------------------
    Your Group Policy for this Domain Controller is set to NOT audit successful logon events!
    You MUST edit the following Group Policy for all DCs:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events

    Define that policy to audit Success attempts, gpupdate, and re-run this script!
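As an added check that is not part of the Umbrella documentation or its configuration script, the following PowerShell queries every writable domain controller in the domain for the Logon subcategory of the Logon/Logoff audit category (the effective setting behind the legacy "Audit logon events" policy) and flags any DC that would trigger the error above. It assumes the ActiveDirectory module, WinRM access to the DCs and Domain Admin rights; Test-DcLogonAuditing is a name chosen here.

```powershell
# Added example (not from the Umbrella documentation): verifies before running the
# configuration script that successful logons are audited on each writable DC.
# Assumes: ActiveDirectory module, WinRM to the DCs, Domain Admin rights.
Import-Module ActiveDirectory

function Test-DcLogonAuditing {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # RODCs are excluded, matching the documented scope of the configuration script.
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $Domain

    Invoke-Command -ComputerName $dcs.HostName -ScriptBlock {
        # auditpol /r emits CSV with an "Inclusion Setting" column such as
        # "Success", "Success and Failure" or "No Auditing".
        $rows    = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
        $setting = ($rows | Where-Object { $_.Subcategory -eq 'Logon' }).'Inclusion Setting'
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            LogonAudit       = $setting
            SuccessAudited   = ($setting -match 'Success')
        }
    } | Select-Object DomainController, LogonAudit, SuccessAudited
}

$results = Test-DcLogonAuditing
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.SuccessAudited }
if ($missing) {
    Write-Warning ("Successful logons are NOT audited on: " + ($missing.DomainController -join ', ') +
        ". Set Audit logon events to Success under Computer Configuration\Policies\Windows Settings\" +
        "Security Settings\Local Policies\Audit Policy, run gpupdate, then re-run the configuration script.")
}
```

If a DC shows "No Auditing" here, the fix is the Group Policy change named in the error text, not a change on the connector server.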

Run the Configuration Script on the Domain Controllers

Run the Windows configuration script on all of the domain controllers at each site, excluding read-only domain controllers (RODCs) on each domain that needs to be integrated with Umbrella. The configuration script prepares the domain controllers to communicate with the connector.

For information on changes made by the script, see Required Permissions for the OpenDNS_Connector User.

  1. Navigate to Deployments > Configuration > Sites and Active Directory and click Download.
  2. Click Download for Windows Configuration Script for Domain Controller.
  3. Download and save the Windows Configuration Script file to a location on the machine where you plan to run it.
    Note: The configuration script is written in Visual Basic Script and is human readable. For reference, the configuration script automates the setting of permissions captured in Required Permissions for the OpenDNS_Connector User. For more information, contact Umbrella Support.
  4. As an administrator, open an elevated command prompt.
    Note: The Connector user must be created before running the script, as detailed in the prerequisites. There are also several Group Policies that affect system operation that may need manual configuration. The script displays the status of these settings and, if needed, provides instructions on how to change them.
  5. Locate the Windows Configuration Script file and run the script in the command prompt.

Note: Substitute the Windows configuration script filename (including the .wsf file extension) for <filename> in the cscript command.

  • Use the command: cscript <filename> or cscript <filename> --username <sAMAccountName for custom user>

The script displays your current configuration, then offers to auto-configure the domain controller for operation. If the auto-configure steps are successful, the script offers to register the domain controller with the Umbrella dashboard. Registration only occurs if you accept this offer.


Register a Domain Controller in the Umbrella Dashboard

The configuration script will attempt to automatically register the domain controller with Umbrella. This registration requires the domain controller to support outbound connectivity to Umbrella. If your domain controller can support outbound connectivity to the Internet, ensure that network connectivity requirements specified in Communication Flow and Troubleshooting are met for the domain controller to automatically register with Umbrella.

  1. In Umbrella, navigate to Deployments > Configuration > Sites and Active Directory and click Add.
  2. Select Domain Controller and click Next.
  3. Check the box to confirm that you have provided permissions for the Connector account and click Next.
  4. Enter the Hostname, Internal IP address, and the Domain of the DC.
  5. Select the appropriate Umbrella Site for the DC and click Save.

Verify the Domain Controller Registration in the Umbrella Dashboard

In the Umbrella dashboard, navigate to Deployments > Configuration > Sites and Active Directory. The hostname of the domain controller you just ran the script on appears in the Inactive state. If you have configured multiple Umbrella sites and have deployed Virtual Appliances, make sure that the AD server is in the same Umbrella site as the VAs that will receive DNS queries from the users in that AD domain.

Repeat the steps in Register a Domain Controller in the Umbrella Dashboard to prepare additional DCs in each AD domain environment to communicate with the connector successfully. It is essential that each domain controller in each AD domain environment has the configuration script run on it in order for the service to work as expected, both for high availability and overall reliability.

Note: The configuration script only runs once; it is not an application or a service. If you change the IP address or hostname of the domain controller, remove the previous instance of the domain controller and repeat steps 1 through 5 to re-register the domain controller.

Multi-AD domain and Multi-Forest Support

If you wish to integrate multiple AD domains or AD forests with Umbrella through integrations with domain controllers, then a connector deployment (with an additional connector for redundancy) is required for each AD domain that needs to be integrated with Umbrella.

AD Integration with a Centralized Windows Event Log Collector

If you have already deployed a centralized Windows Event Log Collector where domain controllers are forwarding login events, you can use that for AD integration with Umbrella. A single Windows Event Log Collector where login events are being forwarded for multiple AD domains or AD forests can be integrated for these AD domains.

Note: Setting up a centralized Windows Event Log Collector is outside the scope of Umbrella. Refer to the Microsoft documentation for that procedure.

1. Additional Prerequisites

  • The connector account (OpenDNS_Connector or custom account as configured) should be added to the local Event Log Readers group on the Windows Event Log Collector machine.
  • The following firewall rules need to be enabled on the Windows Event Log Collector machine to allow the connector machine to read the logs:
    • Remote Event Log Management (NP-In)
    • Remote Event Log Management (RPC)
    • Remote Event Log Management (RPC-EPMAP)
  • All network access requirements specified in Communication Flow and Troubleshooting should be met.
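The two host-level prerequisites above (local Event Log Readers membership and the three inbound firewall rules) can be applied and verified on the collector with the following PowerShell. This is an added example, not Umbrella's own tooling; it assumes an elevated session on the Windows Event Log Collector itself, and CORP is a placeholder for your NetBIOS domain name.

```powershell
# Added example (not from the Umbrella documentation): prepares the Windows Event Log
# Collector so the connector account can read forwarded events remotely.
# Assumes: run elevated on the collector; 'CORP' is a placeholder domain name.
$ConnectorAccount = 'CORP\OpenDNS_Connector'   # or the custom account name you configured

# 1. Local "Event Log Readers" membership grants read access to the event logs.
$member = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
          Where-Object Name -eq $ConnectorAccount
if (-not $member) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $ConnectorAccount
}

# 2. Inbound firewall rules listed in the prerequisites: the named-pipe path (NP-In),
#    the RPC listener, and the RPC endpoint mapper the client contacts first.
$rules = 'Remote Event Log Management (NP-In)',
         'Remote Event Log Management (RPC)',
         'Remote Event Log Management (RPC-EPMAP)'
Enable-NetFirewallRule -DisplayName $rules

# Verify: the account is listed, and each rule reports Enabled = True for the
# network profile(s) the connector will connect through.
Get-LocalGroupMember -Group 'Event Log Readers' | Where-Object Name -eq $ConnectorAccount
Get-NetFirewallRule -DisplayName $rules |
    Select-Object DisplayName, Enabled, Profile, Direction
```

If the collector sits behind an additional network firewall, the same RPC and named-pipe traffic from the connector server must also be permitted there, per the Communication Flow and Troubleshooting requirements.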

2. Register the Windows Event Log Collector with Umbrella

You will need to manually add the Event Log Collector on the Umbrella dashboard.

  1. In the Umbrella dashboard, navigate to Deployments > Configuration > Sites and Active Directory and click Add.
  2. Select Windows Event Log Collector and click Next.
  3. Check the box to confirm that you have provided the required permissions on the Event Log Collector and click Next.
  4. Enter the Hostname, Log Path, Internal IP address, and the Domain of the Event Log Collector.
  5. Select the appropriate Umbrella Site for the Event Log Collector and click Save.

3. Register the AD Domains with Umbrella

You will need to register each AD domain for which logon events are being sent to the Windows Event Log Collector. This registration is required for the connector to be able to retrieve the list of AD users, groups, and computers from these individual AD domains.

  1. In the Umbrella dashboard, navigate to Deployments > Configuration > Sites and Active Directory and click Add.
  2. Select Domain and click Next.
  3. Enter the Domain, select the appropriate Umbrella Site for the domain, and click Save.
