Guides
ProductDeveloperPartnerPersonal

Change the Connector Account Password

For regulatory compliance, you may need to change the password for this account. You can modify this password without impacting the functionality of the connector.

Changing the password ensures that the connector can connect to AD using the new credentials. Failure to change the connector account password results in the connector being unable to subscribe to login events and AD changes. If the password is not changed, you will lose AD attribution for your DNS requests and be unable to propagate AD changes to Umbrella.

Table of Contents

Prerequisites

Connector Server

You must configure a server that is a member of the AD domain with the following environment:

  • Windows Server 2012, 2012 R2, 2016, 2019 or 2022 with the latest service packs and 100MB free hard disk drive space. Service packs prior to SP2 are not supported.
  • .NET Framework 4.5 or above
  • If a local anti-virus application is running, allow list the OpenDNSAuditClient.exe and OpenDNSAuditService.exe processes.

The Connector may be deployed directly on the Domain controller. In this case, the domain controller must meet all prerequisites listed above. Only one connector is required to provision identities from an AD domain, with an optional second connector for redundancy if required.

Outbound Network Access to Cisco Umbrella

The Connector server requires outbound access as specified below:

  • 443 (TCP) to api.opendns.com for syncing
  • Access to additional URLs on port 80/443 (TCP) may be required for Windows to perform Certificate Revocation List and Code-Signing checks. For a complete list of ports, see Communication Flow and Troubleshooting.
  • 443 (TCP) to disthost.umbrella.com (for downloading upgrades)

If you are using a transparent HTTP web proxy, ensure that the above URLs on port 80/443 are excluded from the proxy, and not subject to authentication.

Connector Account

The connector deployment requires you to create a new user account in the AD domain. This account should have:

  • The logon name (sAMAccountName) set to OpenDNS_Connector. A custom username can also be used but must be configured with the required permissions as listed below.
  • 'Password never expires'  selected
    Note: Passwords must not include backslashes, quotations (single or double), greater-than or less-than chevron brackets (< >), or colons.
  • ‘Read’ and ‘Replicating Directory Changes’ permission assigned. Alternately, you can make the connector account a member of the built-in ‘Enterprise Read-only Domain Controllers’ group which will automatically assign these permissions.
    Note: The Connector does an initial synchronization of the AD structure to Umbrella. After this, it detects changes to the AD structure and communicate these changes only. The detection of changes requires the ‘Replicating Directory Changes’ permission, so the Connector cannot function without this permission. The ‘Replicating Directory Changes’ permission is different from the ‘Replicating Directory Changes All’ permission which enables retrieval of password hashes. The Connector does not read password hashes and hence does not require the ‘Replicating Directory Changes All’ permission.

Procedure

  1. Log into the account from any system that is a member of the domain and then set the new password.
  2. Stop the OpenDNS Connector service.
  3. Navigate to C:\Program Files (x86)\OpenDNS\OpenDNS Connector and run the file OpenDNSPasswordManager.exe. If you see any errors, you may need to run this utility as an administrator.
  4. When prompted, add your new password.
  5. Start the OpenDNS Connector service.
  6. Repeat steps 2 and 3 for each deployed connector.

Connect Active Directory to Umbrella to Provision Users and Groups < Change the Connector Account Password > Communication Flow and Troubleshooting