
ACTIVE DIRECTORY GUIDE

Active Directory

B.L.S.L. PAVANKUMAR, System Administrator. Mobile: 9908472773 / 8886131131. Email: [email protected]

Overview

The Active Directory integration consists of two components that must reside in your network at each independent AD site:

NOTE: An “Active Directory site” in the context of this document means an independent location with its own Domain Controller server(s), DNS server(s), and connection to the Internet.

1. The Virtual Appliance (“VA” for short), which
   o Runs in a virtualized server environment,
   o Forwards local DNS queries to your existing DNS servers, and
   o Forwards external DNS queries with non-sensitive metadata to the OpenDNS Global Network.

NOTE: The recommended requirements for installation include a second VA for redundancy (not shown in the diagram) to ensure uptime during upgrade and high availability.

IMPORTANT! In order for the Virtual Appliance to properly route local DNS queries and external DNS queries, all clients that are to be managed by PAVAN need to use the addresses of your VAs as their DNS servers.

2. The Connector, which
   o Runs in your Active Directory environment,
   o Securely communicates non-sensitive user and computer login info to the Virtual Appliances, and
   o Securely communicates non-sensitive user and computer group info to the OpenDNS Global Network.

NOTE: If your security policy requires it, the Connector can be installed on a different, non-Domain Controller machine (see Appendix A for details).


This guide explains how to install the components to integrate with Active Directory and verify that they are working properly before you deploy them.

Prerequisites

To support the Active Directory integration, you must have a Virtual Appliance configured.

Virtualized Server Environment on VMware or Hyper-V

Requirements for VMware:

o VMware ESXi 4.1 update 2 or newer to create the Virtual Appliances.
o Your ESXi server host is set to the correct date and time for predictable VA behavior.
o Your ESXi server host has at least one CPU core, 512Mb of RAM and 6.5Gb of hard disk drive space available to be provisioned per Virtual Appliance instance.
o We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA and the network.


Requirements for Hyper-V:

o Windows Server 2012, Windows Server 2012 SP1 or Windows Server 2012 R2 (Standard or Data Center) with Hyper-V.
o Your Windows 2012 server is set to the correct date and time for predictable VA behavior.
o In addition to the minimum required hardware to run Windows Server 2012, we recommend:
  o An additional 512Mb of RAM for each Virtual Appliance
  o Allocation of 7GB of disk space for each Virtual Appliance
  o An additional CPU core for each Virtual Appliance. (Note: This may not be necessary if the server provisioned for Hyper-V is highly spec'd.)
o We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA and the network.

Active Directory Environment

o Windows Server 2003, 2003 R2, 2008 or 2008 R2, 2012 or 2012 R2 with the latest service packs and 100Mb free hard disk drive space.

IMPORTANT! Read Only Domain Controllers (RODCs) should not have the script run on them, or have the Connector installed. RODCs can be present in a domain and will report as Identities, but should not be used for the Active Directory Integration.

o Only a single domain environment (child domains and trusts are not supported at this time). Multi-domain environments require a multi-dashboard experience. Please contact [email protected] with information regarding your domain structure if you have any questions about whether it is supported. If you would like to see multi-domain support, please e-mail the Support team to let us know!

IMPORTANT! When deploying Active Directory Components at more than one WAN-linked (MPLS-type network) AD site, repeat steps 1-5 after verifying a complete, functioning installation at the current site before moving on to the next.

o A new user account must be created with the following information:
  o The logon name (a.k.a. sAMAccountName) set to OpenDNS_Connector.
  o The box ‘Password never expires’ checked.
  o A password entered without backslash or quotation characters.
  o Make sure the OpenDNS_Connector user is a member of the following groups and if not, please add the missing ones:
    - Event Log Readers
    - Distributed COM Users
    - Enterprise Read-only Domain Controllers

IMPORTANT! For environments on Windows Server 2003 and Windows Server 2003 R2, several manual steps are required (see Appendix B for instructions).
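The account creation and group checks listed above can be scripted so that the same result is reproduced on every domain. The following PowerShell is an added example, not part of this guide and not a script shipped with the product; it assumes the RSAT ActiveDirectory module is installed and that it runs under a domain administrator account. The account name and the three group names are the ones stated in the prerequisites.

```powershell
# Added example (not part of this guide): create the OpenDNS_Connector account
# with the properties required above and make sure it is in the required groups.
# Assumes the RSAT ActiveDirectory module and domain admin rights.
Import-Module ActiveDirectory

$ConnectorName  = 'OpenDNS_Connector'
$RequiredGroups = @(
    'Event Log Readers',
    'Distributed COM Users',
    'Enterprise Read-only Domain Controllers'
)

# The guide requires a password without backslash or quotation characters.
function Test-ConnectorPassword {
    param([string]$Plain)
    return ($Plain.Length -gt 0) -and ($Plain -notmatch '[\\"'']')
}

# Prompt for the password so it is never stored in the script or shell history.
$secure = Read-Host -AsSecureString -Prompt "Password for $ConnectorName"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if (-not (Test-ConnectorPassword $plain)) {
    throw 'Password must not contain backslash or quotation characters.'
}

# Create the account only if it does not already exist; 'Password never expires' is set as required.
$user = Get-ADUser -Filter "sAMAccountName -eq '$ConnectorName'"
if (-not $user) {
    $user = New-ADUser -Name $ConnectorName -SamAccountName $ConnectorName `
        -AccountPassword $secure -Enabled $true -PasswordNeverExpires $true -PassThru
}

# Report each required group and add the account to any it is missing from.
function Sync-ConnectorGroups {
    param([string]$SamAccountName, [string[]]$Groups)
    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName
        if ($members -contains $SamAccountName) {
            [pscustomobject]@{ Group = $g; Status = 'already a member' }
        } else {
            Add-ADGroupMember -Identity $g -Members $SamAccountName
            [pscustomobject]@{ Group = $g; Status = 'added' }
        }
    }
}

Sync-ConnectorGroups -SamAccountName $ConnectorName -Groups $RequiredGroups | Format-Table -AutoSize
```

Run it once per domain before Step 2; the script in Step 2 expects the account to exist already. Re-running is safe, since an existing account is left as it is and only missing group memberships are added.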


Network Environment

The following requirements are for your Network Environment to ensure you can communicate with OpenDNS. These requirements apply to both VMware and Hyper-V.

Set the following outbound ports to be open from the VAs to the 67.215.92.0/24 subnet and the OpenDNS DNS resolvers:

o 53 TCP & UDP (208.67.220.220 and 208.67.222.222)
o 443 TCP & UDP (67.215.92.0/24)
o 80 TCP (67.215.92.0/24)
o 2222 TCP (67.215.92.0/24)

Do not place devices that perform network address translation (NAT), or that in any other manner obscure the internal IP address(es), between the computers and the Virtual Appliance at each site. The VA maps the source IP address of each query to a user or computer, so it must see each client's real address.

Make sure you do not have transparent proxies on your network to avoid issues.
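The port list above can be checked before the VAs are deployed, from a Windows host on the same network segment the VAs will use. The PowerShell below is an added example, not part of this guide; the resolver addresses and ports are the ones listed above, while the host in 67.215.92.0/24 is a placeholder that you must replace with the address your VAs actually connect to. Test-NetConnection exercises TCP only, so the UDP requirement on port 53 is covered by a real DNS query to each resolver instead.

```powershell
# Added example (not part of this guide): pre-flight check of the outbound ports
# required above, run from a Windows host on the VA network segment.
$Resolvers = '208.67.220.220', '208.67.222.222'
$ApiHost   = '<host-in-67.215.92.0/24>'   # PLACEHOLDER: not stated on the page, replace before use

# Build the list of TCP checks from the requirements above.
$Checks = @()
foreach ($r in $Resolvers) { $Checks += [pscustomobject]@{ Host = $r; Port = 53 } }
foreach ($p in 80, 443, 2222) { $Checks += [pscustomobject]@{ Host = $ApiHost; Port = $p } }

# TCP reachability per host/port; a blocked port shows TcpOpen = False.
function Test-OpenDnsEgress {
    param([object[]]$Targets)
    foreach ($t in $Targets) {
        $tnc = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; TcpOpen = $tnc.TcpTestSucceeded }
    }
}

# Resolve-DnsName normally uses UDP first, so a successful answer shows UDP/53 is
# open to the resolver, which a TCP connect test cannot prove.
function Test-ResolverUdp {
    param([string[]]$Servers)
    foreach ($s in $Servers) {
        try {
            $a = Resolve-DnsName -Name 'opendns.com' -Type A -Server $s -DnsOnly -ErrorAction Stop
            [pscustomobject]@{ Server = $s; DnsAnswer = (@($a).Count -gt 0) }
        } catch {
            [pscustomobject]@{ Server = $s; DnsAnswer = $false; Error = $_.Exception.Message }
        }
    }
}

Test-OpenDnsEgress -Targets $Checks | Format-Table -AutoSize
Test-ResolverUdp  -Servers $Resolvers | Format-Table -AutoSize
```

Any row with TcpOpen = False or DnsAnswer = False points at a firewall or proxy rule to fix before the VAs are brought up; note that a transparent proxy can make port 80 appear open while still altering the traffic, which is why the guide asks for none on the path.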

Step 1: Setup DNS Forwarding via Virtual Appliances

The purpose of Virtual Appliances is to map internal source IP addresses to AD users and computers, then forward external DNS queries from your network to the OpenDNS Global Network data centers. Local DNS queries are forwarded to your internal DNS servers.

To create Virtual Appliances, follow the steps outlined in the Virtual Appliance Setup Guide for PAVAN. An important step that is worth re-iterating here is the routing of the local DNS queries for your network when configuring the Virtual Appliances, as often the existing DNS servers may also be part of your Active Directory resources (a domain controller).

Route Local DNS Queries

To ensure correct DNS responses to local hosts inside your internal network, you will want to configure your VAs to route queries to your existing DNS servers.

To add internal DNS zones:

1. From the VMware console, select Edit.
2. Use Tab until you have highlighted the “Add domain” option.
3. Add your internal zone(s) (e.g. example.com).
4. Add your reverse zone(s) (e.g. if your network is 192.168.1.0/24 you should add: 1.168.192.in-addr.arpa).
5. Select Save and hit Enter.

To add A & PTR records for your VAs:

1. On your local DNS server, click Start, Run and type dnsmgmt.msc.
2. Navigate to your forward lookup zones for your local domain (e.g. corp.domain.com).
3. Select the local zone (e.g. corp.domain.com).
4. On the right hand side, right-click and select New Host.
5. Enter a hostname for the VA and an IP, and make sure the box ‘Create associated pointer (PTR) record’ is checked.


6. Click Add Host.

To verify that the records were created correctly, you can test with nslookup:

1. Enter: nslookup (IP ADDRESS of the VA). For example:

   nslookup 192.168.1.2
   Server:  192.168.1.1
   Address: 192.168.1.1#53

   Non-authoritative answer:
   1.168.192.in-addr.arpa  name = va01.corp.domain.com.

2. Enter: nslookup (HOSTNAME of the VA). For example:

   nslookup va01.corp.domain.com
   Server:  192.168.1.1
   Address: 192.168.1.1#53

   Non-authoritative answer:
   Name:    va01.corp.domain.com
   Address: 67.215.92.152
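Both procedures above (deriving the reverse zone for the VA configuration, and creating the A and PTR records and checking them with nslookup) can be done from PowerShell on a Windows DNS server. The script below is an added example, not part of this guide or the product; it assumes the DnsServer module (Windows Server 2012 or later), that the forward zone and the matching in-addr.arpa zone already exist on the server, and that it runs with DNS administrator rights. The zone name and VA names and addresses are constructed samples.

```powershell
# Added example (not part of this guide): register A + PTR records for each VA
# with the DnsServer module and verify them the way the nslookup steps above do.
Import-Module DnsServer

$Zone = 'corp.domain.com'                                   # sample zone
$Vas  = @{ 'va01' = '192.168.1.2'; 'va02' = '192.168.1.3' }  # sample VA names/IPs

# Derive the in-addr.arpa zone name for a /8, /16 or /24 network, applying the
# rule in step 4 above: 192.168.1.0/24 -> 1.168.192.in-addr.arpa
function Get-ReverseZoneName {
    param([string]$Cidr)
    $ip, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    if ($prefix % 8 -ne 0 -or $prefix -lt 8 -or $prefix -gt 24) {
        throw "Only /8, /16 and /24 networks map to a single classful reverse zone: $Cidr"
    }
    $keep = $prefix / 8
    $rev  = @(($ip -split '\.')[0..($keep - 1)])
    [array]::Reverse($rev)
    return ($rev -join '.') + '.in-addr.arpa'
}

# Create the A record with its PTR unless it already exists.
# -CreatePtr is the equivalent of the 'Create associated pointer (PTR) record' checkbox
# and requires the reverse zone (Get-ReverseZoneName) to exist on this server.
foreach ($name in $Vas.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $Vas[$name] -CreatePtr
    }
}

# Forward and reverse lookups for every VA, flagging any mismatch.
function Test-VaRecords {
    param([hashtable]$Appliances, [string]$ZoneName)
    foreach ($name in $Appliances.Keys) {
        $fqdn = "$name.$ZoneName"
        $fwd  = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue).IPAddress
        $rev  = (Resolve-DnsName -Name $Appliances[$name] -Type PTR -ErrorAction SilentlyContinue).NameHost
        [pscustomobject]@{
            Host    = $fqdn
            Forward = $fwd
            Reverse = $rev
            OK      = (@($fwd) -contains $Appliances[$name]) -and (@($rev) -contains $fqdn)
        }
    }
}

"Reverse zone for 192.168.1.0/24: $(Get-ReverseZoneName '192.168.1.0/24')"
Test-VaRecords -Appliances $Vas -ZoneName $Zone | Format-Table -AutoSize
```

A row with OK = False and an empty Reverse column usually means the reverse zone was missing when the A record was created, so the PTR was never written; create the zone and add the PTR, then re-run the check.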


Step 2: Prepare your Active Directory Environment

Running the Windows Configuration script on at least 1 of the Domain Controllers (DCs) at each Site prepares them to communicate with the Connector, which will be installed in Step 3.

IMPORTANT! For environments running on Windows Server 2003 or Windows Server 2003 R2, several manual steps are required before completing step 2 (see Appendix B for instructions).

IMPORTANT! Do not run this script on any Read Only Domain Controllers (RODCs) in your environment. RODCs are not supported.

Run the Configuration Script on the Domain Controller

1. From the 'Active Directory Configuration' page, click ‘download components’ and then 'Windows Configuration'.
2. Download the file and save it to a location on the machine you plan to run it on.

NOTE: The configuration script is written in Visual Basic Script and is human readable. For reference, it automates the instructions you’ll find in Appendix B, plus more. Contact support for more details.

3. As Admin, open an elevated command prompt.
4. Enter: cscript <filename>, where <filename> is the name of the configuration script you downloaded in Step 2. The script will display your current configuration, then offer to auto-configure the Domain Controller for operation. If the auto-configure steps are successful, the script will register the Domain Controller with the PAVAN dashboard.

NOTE: The OpenDNS_Connector user must be created before running the script, as detailed in the prerequisites. There are also several Group Policies that affect system operation that may need manual configuration. The script will display the status of these settings and, if needed, provide instructions on changing them.

Verify the Domain Controller Reports to the Dashboard

When you return to the Dashboard, you will see the hostname of the Domain Controller you just ran the script on in the ‘Inactive’ state on the 'Active Directory Configuration' page.

NOTE: The configuration script only runs once; it is not an application or service. If you change the IP address or hostname of the Domain Controllers, remove the previous instance of the Domain Controller by clicking the round X icon, and repeat tasks 1-4.

Repeat for other Domain Controller Servers

Repeat the above steps to prepare additional Domain Controllers in your single domain environment to successfully communicate with the Connector. It’s a good idea to have another Connector for the purposes of High Availability in case of downtime associated with patching or upgrades.

Step 3: Connect Active Directory to PAVAN

The purpose of the Connector is to monitor one or more Domain Controllers. It listens to user and computer logins via the security event logs, and subsequently enables IP-to-user and IP-to-computer mappings on the Virtual Appliances. It synchronizes user-to-group, computer-to-group and group-to-group memberships within PAVAN, enabling you to create and enforce group-based settings and view user, computer and group-based reports.


The Connector helps import your Active Directory Users, Groups and Computers to provide these mappings. Other Active Directory objects, including Organizational Units (OUs), are not imported.

NOTE: You only need to install one Connector per site, but you may install more than one. If your security policy does not allow you to install software directly on your Domain Controller you can install it on a separate Windows machine (see Appendix A); otherwise it is recommended to install the Connector on one or more of your Domain Controllers.

Install the Connector

1. From the Active Directory Configuration page, click ‘download components’ and then 'Windows Service'.

IMPORTANT! You must download the zip file to the local machine where you plan to run it, or copy it locally from another machine. Issues have been observed attempting to install the Connector from networked drives.

2. As Admin, select the zip file and extract the setup.msi file.
3. Run setup.msi.
4. Enter the password you configured for the OpenDNS_Connector user you created (see Prerequisites).
5. Follow the setup wizard prompts.
6. When finished, click Close.
7. Return to the Dashboard.

Verify the Connector Syncs with the Dashboard

1. When you return to the Dashboard, you will see the hostname of the Domain Controller or other Windows machine that you installed the Connector on in the 'System Settings > Sites & Active Directory' page.
2. PAVAN automatically configures and connects the VAs to the Domain Controllers via the Connectors for each configured site, and the status of all of your VAs, Domain Controllers, and Connectors should change from “Inactive” to “Active”. If not, contact support.
3. Navigate to 'Configuration > Policies'.
   i. The Domain Controllers should automatically synchronize user and computer group memberships, and any subsequent changes, with PAVAN via the Connector. You can verify that this has occurred successfully by clicking 'add a new policy' and confirming that your groups are present.
   ii. As such, you should see all of your AD Groups, including those nested within other groups, within the identity picker of the policy wizard.
   iii. If you don’t see your groups, check the 'System Settings > Sites & Active Directory' page to see if the status of all components is ‘Active’. If not, contact [email protected].

NOTE: It can take up to 10 minutes for large numbers of AD user, computer and group objects to synchronize for the first time.

Verify all Active Directory Components are Operational

1. Before you deploy your PAVAN configuration, confirm that you can resolve DNS traffic by entering the following commands, which send a query to opendns.com through your VA:

   C:\>nslookup
   > server {{enter the IP of one of your VAs}}
   > opendns.com

2. You can further verify DNS traffic by entering the following commands to send a TXT record query to debug.opendns.com through the VA:

   > set type=TXT
   > debug.opendns.com
   > exit

This query returns a string of information if you are going through the VA. If you receive a non-existent domain result from that query, there is still something wrong with your configuration and you should contact support.
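The two nslookup checks above are easy to repeat against every VA in a site, which is worth doing after each upgrade or failover test. The PowerShell below is an added example, not part of this guide; it uses Resolve-DnsName, which is available on Windows 8 / Server 2012 and later, and the VA addresses are constructed samples. It distinguishes the success case (a TXT answer from debug.opendns.com) from the non-existent domain result the guide says indicates a misconfiguration.

```powershell
# Added example (not part of this guide): run the opendns.com and
# debug.opendns.com checks above against each VA and report the outcome.
$VaAddresses = '192.168.1.2', '192.168.1.3'   # sample VA addresses

function Test-VaForwarding {
    param([string[]]$Servers)
    foreach ($va in $Servers) {
        $r = [ordered]@{ VA = $va; ResolvesOpenDns = $false; DebugTxt = $null; Status = '' }

        # Check 1: a plain A query for opendns.com sent directly to the VA.
        try {
            $a = Resolve-DnsName -Name 'opendns.com' -Type A -Server $va -DnsOnly -ErrorAction Stop
            $r.ResolvesOpenDns = (@($a).Count -gt 0)
        } catch {
            $r.Status = "opendns.com: $($_.Exception.Message)"
        }

        # Check 2: the TXT query for debug.opendns.com. A set of TXT strings means the
        # query reached OpenDNS through the VA; an NXDOMAIN-style error means it did not.
        try {
            $txt = Resolve-DnsName -Name 'debug.opendns.com' -Type TXT -Server $va -DnsOnly -ErrorAction Stop
            $r.DebugTxt = ($txt | Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings }) -join '; '
            if (-not $r.Status) { $r.Status = if ($r.DebugTxt) { 'OK' } else { 'no TXT data returned' } }
        } catch {
            $r.Status = "debug.opendns.com: $($_.Exception.Message)"
        }

        [pscustomobject]$r
    }
}

Test-VaForwarding -Servers $VaAddresses | Format-List
```

A VA that resolves opendns.com but returns an error for debug.opendns.com is typically forwarding to a resolver other than the OpenDNS network, which is exactly the condition the guide asks you to raise with support.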


Step 4: Configure Settings in Dashboard

Once you have verified that all Active Directory components were integrated successfully, define and apply security and acceptable use policies to AD Groups.

1. Navigate to Configuration > Policies, and click ‘add a new policy’ or click the name of an existing policy.
2. Check the ‘AD Groups’ box if you want to apply a single policy for all AD users and/or computers, or check the box next to one or more specific groups via the identity picker. To remove a selected group, either uncheck its box via the identity picker or click the red X icon to the right of its name. Then click ‘next’.

IMPORTANT: Clicking on a group will show its members, including nested groups, user accounts or computer accounts. Selecting the group will apply the policy to all its members. You can select only a nested group, but not an individual user or computer account. As a best practice, centrally manage your group memberships in Active Directory. Any changes will be synced with PAVAN within a few minutes.

3. Select the 'Policy Settings', including the Security Settings, Category Settings and Domain Lists for your identity.
4. Click ‘next’, then select the 'Block Page Settings' you would like enforced for this policy. Then click ‘next’.

NOTE: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings' pages to do so.

5. Set a meaningful description for the policy, then click ‘save’.

NOTE: The policy you created will be applied within 60-90 seconds to any new connections coming into PAVAN from the selected computers.

6. Click and hold the drag handle icon to re-order the policy above or below any other existing policies.

NOTE: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an identity is enforced. Any subsequent policies assigned to the same identity are ignored. There is an editable but non-removable Default Policy, always ordered last, which is a catchall for any identity.

Step 5: Route DNS Traffic through the Virtual Appliances

In order for you to begin enforcing your settings, all DNS traffic from the clients on your network should be routed through your Virtual Appliances.


1. First, start by testing on a few devices by manually configuring their DNS settings to use the Virtual Appliances. Try different operating systems or hardware types to ensure compatibility with all your devices.

IMPORTANT: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the cached responses to expire.

2. If possible, a good next step is to change the DNS settings for a specific DHCP server pool or scope in your organization.
3. Once you’ve verified correct enforcement of policies with your pilot group of computers, you can either stage the cutover to using the Virtual Appliances for DNS or cut over the entire organization. The best time to effect the cutover is typically after users log out for the day.
4. When users log in after the installation is complete, they should begin sending all DNS queries to one of the VAs forwarding DNS traffic.

NOTE: Most stub DNS resolvers, those that reside on endpoint devices, do not have a true primary vs. secondary DNS server relationship. Stub DNS resolvers’ behavior on many operating systems is undocumented in regards to which DNS server they will use at any time.

Multiple AD Sites

A site is a separate physical location or network which does not have a direct, or very fast, connection to another node of your network.

Follow the previous steps 1-5 again and, after each sub-step that verifies a component has synced or reported to the dashboard, assign the component to a site by clicking on its name and selecting an existing site or creating a new site.

You may also rename the default or any existing sites.

Appendix A: Prepare a Separate non-Domain Controller to Install the Connector

If your security policy requires it, the Connector can be installed on a non-Domain Controller machine, but it must be joined to the same domain as the Domain Controllers that the Connector will be monitoring.

1. Provision a virtual or physical machine using a static IP.
2. Install one of the three supported Windows OS and other components below.
   a) Windows Server 2008 R2 SP1 (Preferred)
      i. Install the AD Domain Services Snap-ins and Command-line Tools feature via Remote Server Administration Tools > Role Administration Tools > AD DS & AD Lightweight Directory Services Tools > AD DS Tools
      ii. Install .NET v3.5
   b) Windows Server 2008 SP2
      i. Install the Active Directory Lightweight Directory Services role
      ii. Install .NET v3.5
   c) Windows 7 (non-home license)
      i. Install Remote Server Administration Tools - download available from http://go.microsoft.com/fwlink/?LinkID=137379
      ii. Install .NET v3.5
3. Join the machine to the same domain as the Domain Controller being connected to.
4. Open the WMI ports via the following command, run as Administrator:

   netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

5. [Optional] If there is no access to a network file share to retrieve the file locally, download and/or unrestrict Internet Explorer (http://www.microsoft.com/download/en/details.aspx?id=25150) or install a different browser.


Appendix B: Configuring Domain Controllers on Windows Server 2003 and 2003 R2

Setting the ‘Manage auditing and security log’ Group Policy

NOTE: Adding the OpenDNS_Connector user to this group policy for all Domain Controllers is also required in certain Windows Server 2008 configurations.

1. By default, Windows Server 2003 does not come with the Group Policy Management Console (GPMC); it may be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=21895.

NOTE: Alternatively, 2008 R2 servers should have GPMC installed, and you can apply the following permissions from this server to be replicated to the 2003 or 2003 R2 server.

2. Open the GPMC (via Start > Administrative Tools), and select a Group Policy that applies to Domain Controllers.

NOTE: If you aren’t sure what policy to change, open a command prompt and type the following command: "gpresult /scope computer /r". Look for the ‘Applied Group Policy Objects’ line. Under it will be a list of policies applied to that Domain Controller. Make note of one that is likely to be applied to all Domain Controllers (e.g. ‘Default Domain Controllers Policy’).

3. Right-click that policy and select ‘Edit’ to bring up the Group Policy Management Editor.


4. Browse to the ‘Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment’ folder and select ‘Manage auditing and security log’ to view its properties.
5. Check "Define these policy settings", click "Add user or group", browse and select the OpenDNS_Connector user.
6. Run the "gpupdate" command on the Domain Controller to make sure the policy is applied.

Setting DCOM permissions

1. From a command line run dcomcnfg.
2. Navigate to Console Root > Component Services > Computers.
3. Right-click on ‘My Computer’ and select ‘Properties’.
4. From ‘My Computer Properties’ select the ‘COM Security’ tab.
5. In the ‘Launch and Activation Permissions’ area click ‘Edit Limits’.
6. Add the OpenDNS_Connector user and allow the ‘Remote Launch’ and ‘Remote Activation’ permissions.
7. Click OK to confirm and close My Computer Properties.

Setting WMI permissions

1. Run wmimgmt.msc (Windows Management Instrumentation Control console).
2. Right-click on ‘WMI Control’. Click ‘Properties’ > ‘Security’ tab.
3. Select the Root > CIMV2 namespace and click the Security button.
4. Add the OpenDNS_Connector user and Allow the following permissions: ‘Enable Account’, ‘Remote Enable’ and ‘Read Security’.
5. Click OK to exit each dialog window, then click Save to apply changes.
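The three Appendix B settings can be verified without clicking back through each console. The PowerShell below is an added example, not part of this guide or the Windows Configuration script it describes; it exports the effective local security policy with secedit to confirm the ‘Manage auditing and security log’ right (stored as SeSecurityPrivilege) lists the connector account, and then makes a remote WMI call to the Domain Controller as OpenDNS_Connector, which only succeeds if the DCOM Remote Launch/Activation limits and the root\cimv2 ‘Enable Account’ / ‘Remote Enable’ permissions are all in place. Run the secedit part on the Domain Controller itself and the WMI part from another domain-joined machine (for example the Appendix A host), because Windows refuses explicit credentials for a local WMI connection. The DC name is a constructed sample.

```powershell
# Added example (not part of this guide): verify the Appendix B settings.
$Dc            = 'dc01.corp.domain.com'   # sample value, use your Domain Controller's name
$ConnectorName = 'OpenDNS_Connector'

# Check 1 (run on the DC): is the account listed under SeSecurityPrivilege, the
# stored form of the 'Manage auditing and security log' user right?
function Test-ManageAuditingRight {
    param([string]$UserName)
    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # The export holds a line such as: SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return [bool]($line -and ($line -match [regex]::Escape("*$sid")))
}

# Check 2 (run from another domain member): a remote WMI query as the connector
# account exercises DCOM launch/activation and the root\cimv2 permissions together.
function Test-ConnectorWmiAccess {
    param([string]$ComputerName, [pscredential]$Credential)
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
                  -Credential $Credential -ErrorAction Stop
        return [pscustomobject]@{ Computer = $ComputerName; WmiAccess = $true;  Detail = $os.Caption }
    } catch {
        # "Access denied" here points at DCOM or WMI permissions; an RPC error points at the firewall.
        return [pscustomobject]@{ Computer = $ComputerName; WmiAccess = $false; Detail = $_.Exception.Message }
    }
}

$cred = Get-Credential -UserName "$env:USERDOMAIN\$ConnectorName" -Message "Password for $ConnectorName"
"Manage auditing and security log granted to ${ConnectorName}: $(Test-ManageAuditingRight $ConnectorName)"
Test-ConnectorWmiAccess -ComputerName $Dc -Credential $cred | Format-List
```

If the first check reports False right after editing the policy, run gpupdate on the Domain Controller (step 6 above) and re-run; the secedit export reflects the applied policy, not the GPO as edited.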